After deploying the
Obtain the Authentication Code
You must enter an authentication code when registering the USM Anywhere Sensor. How to obtain the authentication code depends on your USM Anywhere instance and whether this is the first sensor you're deploying.
If this is your first USM Anywhere Sensor, you must register the sensor using the initial authentication code (starts with a "C") received from AT&T Cybersecurity. With this code, the registration process provisions a new USM Anywhere instance and defines its attributes, such as how many sensors to allow for connection, how much storage to provide, and what email address to use for the initial user account. After registration, you will gain access to the sensor through the USM Anywhere web user interface (UI), where you can complete the sensor setup.
If you are deploying additional sensors, you must generate the authentication code (starts with an "S") for the registration. See Adding a New Sensor for more information.
AT&T Cybersecurity has already provisioned the AT&T Threat Detection and Response for Government (AT&T TDR for Gov) instance for you, therefore you won't receive an authentication code for your sensor. This is true regardless if it's the first sensor or additional sensors you're deploying. However, for the first sensor, you'll receive a link to access your instance.
For every sensor you deploy, you must generate an authentication code (starts with an "S") for the registration. See Adding a New Sensor for more information.
Register Your Sensor
You perform this procedure after deploying the USM Anywhere Sensor within your Azure subscription. The IP address link is displayed after you create the virtual machine (VM) and the instance is running in your Azure environment.
To register your sensor
Click the public IP address displayed for the running sensor VM in the Azure console.
Important: This link requires that inbound port 80 is open for the sensor VM, which is not a default network setting on Azure. See Sensor Ports and Connectivity for more information.
This opens the Welcome to USM Anywhere Sensor Setup page, which prompts you to provide the information for registering the sensor with your new USM Anywhere instance.
- Enter a sensor name and sensor description.
- Paste the authentication code into the field with the key icon ().
Click Start Setup to start the process of connecting the USM Anywhere Sensor.
It takes about 20 minutes to provision your USM Anywhere instance upon registration of your initial sensor. When this instance is provisioned and running, you’ll see a welcome message that provides an access link.
Use this link to open the secured web console for your USM Anywhere instance. You and the other USM Anywhere users in your organization can access this console from a web browser on any system with internet connectivity.
Note: If this is your first deployment, you'll also receive an email from AT&T Cybersecurity that provides the access link to USM Anywhere.
Configure the Initial Login Credentials
When you link to a newly provisioned USM Anywhere instance, you must configure the password for the initial user account. This is the default administrator as defined in your subscription.
To configure login credentials
In the welcome message, click the link.
This displays a prompt to set the password to use for the default administrator of USM Anywhere.
Enter the password, and then enter it again to confirm.
Keep in mind these points when you are logging in:
- USM Anywhere requires all passwords to have a minimum length of 8 characters and a maximum length of 128 characters.
- The password must contain numerical digits (0–9).
- The password must contain uppercase letters (A–Z).
- The password must contain lowercase letters (a–z).
- Special characters, such as hyphen (-) and underscore ( _ ) are supported but optional.
Note: USM Anywhere passwords expire after 90 days. When your password expires, USM Anywhere enforces a password change when you next log in to the system using the current (now expired) password. A new password must be different from the previous four passwords.
- Click Save & Continue.
When the login page opens, enter the password you just set and click Login.
Verify That Your Sensor Is Running
It's a good idea to verify that the USM Anywhere Sensor is running. It also gives you the chance to watch the sensor actively working to find all of your assets An IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. and to record events from the start.
Note: Verify that the sensor is running before performing the configuration. You can keep one web browser tab with the Welcome to USM Anywhere page in the background while you perform the verification on a different tab.
To verify that your new sensor is running
In USM Anywhere, go to Data Sources > Sensors.
You should now see your sensor in the page. See USM Anywhere Sensor Management for more information.
After a few minutes, USM Anywhere locates your assets and starts generating events.
You can review the activity in two locations:
- From the primary task bar, select Environment > Assets.
- From the primary task bar, select Activity > Events.
Note: It could take up to six minutes before events appear. Make sure to refresh your browser from time to time to display the current data.
The Azure SQL Server job is deprecated. Use the Event Hub Integration to collect Azure SQL Server logs. See Collect Logs from Azure Event Hubs for more information.
You can now complete the USM Anywhere Sensor setup. See Complete the Azure Sensor Setup.