AlienVault® USM Anywhere™

Setting the Azure Sensor Connection to USM Anywhere

After accessing your running USM Anywhere Sensor VM in the Azure console, you must provision your USM Anywhere instance within the AlienVault Secure Cloud. The IP address link is displayed after you create the VM and the instance is running in your Azure environment.

For the first deployed sensor, registration provisions the USM Anywhere instance and gives you access to the sensor through the USM Anywhere web user interface (UI), where you complete the sensor setup. You perform this procedure after deploying the USM Anywhere Sensor within your Azure subscription.

After you complete the deployment of your first USM Anywhere Sensor, you must register the sensor using the initial authentication code (starts with a "C"). With this code, the registration process requests a new USM Anywhere instance and defines its attributes (such as how many sensors to allow, how much storage to provide, and what email address to use for the initial user account).

Important: USM Anywhere instance provisioning takes place only for the first deployed sensor. If you are deploying an additional sensor for your USM Anywhere environment, you can simply register the sensor using the generated authentication code (starts with an "S") and use the Setup Wizard to complete the sensor setup.

To register your sensor and provision the instance

  1. Click the Public IP address displayed for the running sensor VM in the Azure console.

    Important: This link requires that inbound port 80 is open for the sensor VM, which is not a default network setting on Azure. See Sensor Ports and Connectivity for more information.

    This opens the Welcome to USM Anywhere Sensor Setup page, which prompts you to provide the information for registering the sensor with your new USM Anywhere instance.

    Enter the name, description, and authenitication code for the initial sensor

  2. Enter a Sensor Name and Sensor Description.
  3. Paste the authentication code sent from AT&T Cybersecurity into the field with the Key ( ).

  4. Click Start Setup to start the process of connecting the USM Anywhere Sensor.

    The provisioning of your USM Anywhere instance upon registration of your initial sensor takes about 20 minutes. When this instance is provisioned and running, you’ll see a welcome message that provides an access link.

    Click the link to access your USM Anywhere instance

    Use this link to open the secured web console for your USM Anywhere instance. You and the other USM Anywhere users in your organization can access this console from a web browser on any system with internet connectivity.

    Note: You'll also receive an email from AT&T Cybersecurity that provides the access link to USM Anywhere.

When you link to a newly-provisioned USM Anywhere instance, you must configure the password for the initial user account. This is the default administrator as defined in your subscription.

To configure login credentials

  1. In the welcome message, click the link.

    This displays a prompt to set the password to use for the default administrator of USM Anywhere.

  2. Enter the password, then enter it again to confirm.

    Keep in mind these points when you are logging in:

    • USM Anywhere requires all passwords to have a minimum length of 8 characters and a maximum length of 128 characters.
    • The password must contain numerical digits (0–9).
    • The password must contain uppercase letters (A–Z).
    • The password must contain lowercase letters (a–z).
    • Special characters, such as hyphen (-) and underscore ( _ ) are supported but optional.

    Note: USM Anywhere passwords expire after 90 days. When your password expires, USM Anywhere enforces a password change when you next log in to the system using the current (now expired) password. A new password must be different from the previous four passwords.

  3. Click Save & Continue.

  4. When the login page appears, enter the password you just set, and click Login.

    Enter the username and password for the initial USM Anywhere user account

It's a good idea to verify that the USM Anywhere Sensor is running. It also gives you the chance to watch the sensor actively working to find all of your assetsAn IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. and to record events from the start.

Note: Make sure to verify that the sensor is running before performing configuration. You can keep one web browser tab with the Welcome to USM Anywhere page in the background while you perform the verification on a different tab.

To verify the new USM Anywhere Sensor

  1. In USM Anywhere, go to Data Sources > Sensors.

    You should now see your sensor in the page.

    After a few minutes, USM Anywhere locates your assets and starts registering events.

  2. You can review the activity in two locations:

    • From the primary task bar, select Environment > Assets.
    • From the primary task bar, select Activity > Events.

    Note: It could take up to six minutes before events appear. Make sure to refresh your browser from time to time to display the current data.

    Review the scanned assets list to verify the new USM Anywhere sensor

    For more information about the Assets pages, see Asset List View. For more information about the Events pages, see Events List View.

Next...

You can now complete the USM Anywhere Sensor setup. See Completing the Azure Sensor Setup.