Connect the Azure Sensor to USM Anywhere

After deploying the Microsoft Azure Sensor, you must connect it to USM Anywhere through registration.

Obtain the Authentication Code

You must enter an authentication code when registering the USM Anywhere Sensor. How to obtain the authentication code depends on your USM Anywhere instance and whether this is the first sensor you're deploying.

If this is your first USM Anywhere Sensor, you must register the sensor using the initial authentication code (starts with a "C") received from LevelBlue. With this code, the registration process provisions a new USM Anywhere instance and defines its attributes, such as how many sensors to allow for connection, how much storage to provide, and what email address to use for the initial user account. After registration, you will gain access to the sensor through the USM Anywhere web user interface (UI), where you can complete the sensor setup.

If you are deploying additional sensors, you must generate the authentication code (starts with an "S") for the registration. See Adding a New Sensor for more information.

LevelBlue has already provisioned the LevelBlue Threat Detection and Response for Government (LevelBlue TDR for Gov) instance for you, therefore you won't receive an authentication code for your sensor. This is true regardless if it's the first sensor or additional sensors you're deploying. However, for the first sensor, you'll receive a link to access your instance.

For every sensor you deploy, you must generate an authentication code (starts with an "S") for the registration. See Adding a New Sensor for more information.

Register Your Sensor

You perform this procedure after deploying the USM Anywhere Sensor within your Azure subscription. The IP address link is displayed after you create the virtual machine (VM) and the instance is running in your Azure environment.

To register your sensor

  1. Click the public IP address displayed for the running sensor VM in the Azure console.

    Important: This link requires that inbound port 80 is open for the sensor VM, which is not a default network setting on Azure. See Sensor Ports and Connectivity for more information.

    This opens the Welcome to USM Anywhere Sensor Setup page, which prompts you to provide the information for registering the sensor with your new USM Anywhere instance.

    Enter the name, description, and authenitication code for the initial sensor

  2. Enter a sensor name and sensor description.
  3. Paste the authentication code into the field with the key icon ().

  4. Click Start Setup to start the process of connecting the USM Anywhere Sensor.

    It takes about 20 minutes to provision your USM Anywhere instance upon registration of your initial sensor. When this instance is provisioned and running, you’ll see a welcome message that provides an access link.

    Click the link to access your USM Anywhere instance

    Use this link to open the secured web console for your USM Anywhere instance. You and the other USM Anywhere users in your organization can access this console from a web browser on any system with internet connectivity.

    Note: If this is your first deployment, you'll also receive an email from LevelBlue that provides the access link to USM Anywhere.

Configure the Initial Login Credentials

When you link to a newly provisioned USM Anywhere instance, you must configure the password for the initial user account. This is the default administrator as defined in your subscription.

To configure login credentials

  1. In the welcome message, click the link.

    This displays a prompt to set the password to use for the default administrator of USM Anywhere.

  2. Enter the password, and then enter it again to confirm.

    Keep in mind these points when you are logging in:

    • The login credentials that you set will apply to any USM Anywhere™ and USM Central™ you have access to.
    • USM Anywhere requires all passwords to have a minimum length of 8 characters and a maximum length of 128 characters.
    • The password must contain numerical digits (0-9).
    • The password must contain uppercase letters (A-Z).
    • The password must contain lowercase letters (a-z).
    • The password must contain special characters, such as hyphen (-) and underscore ( _ ).

    Note: USM Anywhere passwords expire after 90 days. When your password expires, USM Anywhere enforces a password change when you next log in. A new password must be different from the previous four passwords.After 45 days of inactivity, your user account will be locked. Manager users can unlock inactive accounts.

  3. Click Save & Continue.

  4. When the login page opens, enter the password you just set and click Login.

    Enter the username and password for the initial USM Anywhere user account

Verify That Your Sensor Is Running

It's a good idea to verify that the USM Anywhere Sensor is running. It also gives you the chance to watch the sensor actively working to find all of your assets An IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. and to record events from the start.

Note: Verify that the sensor is running before performing the configuration. You can keep one web browser tab with the Welcome to USM Anywhere page in the background while you perform the verification on a different tab.

To verify that your new sensor is running

  1. In USM Anywhere, go to Data Sources > Sensors.

    You should now see your sensor in the page. See USM Anywhere Sensor Management for more information.

    After a few minutes, USM Anywhere locates your assets and starts generating events.

  2. You can review the activity in two locations:

    • From the primary task bar, select Environment > Assets.
    • From the primary task bar, select Activity > Events.

    Note: It could take up to six minutes before events appear. Make sure to refresh your browser from time to time to display the current data.

    Review the scanned assets list to verify the new USM Anywhere sensor

    See Asset List View for more information about the Assets pages. See Events List View for more information about the Events pages.

The Azure SQL Server job is deprecated. Use the Event Hub Integration to collect Azure SQL Server logs. See Collect Logs from Azure Event Hubs for more information.

Next...

You can now complete the USM Anywhere Sensor setup. See Complete the Azure Sensor Setup.