Complete the Hyper-V Sensor Setup

When you move forward to Asset Discovery, a dialog box automatically opens and prompts you to allow asset scanning. USM Anywhere must discover your assets to enable security monitoring on them.

To complete the asset discovery task

1. Click Yes to start the automatic asset discovery.

   

   Or if you prefer to add the assets manually or scan another network, click No and skip to the next step.

   During the automated scan, the Scan Networks status bar opens and displays the number of assets detected in your network range.

   

   When the scan stops, you have these options:

   • Click Scan Another to scan a different set of assets
   • Click Next to continue with asset discovery setup options

   When the initial asset scan dialog box closes, the Asset Discovery page displays status information for an ongoing scan or any discovered assets for completed scans.

   

2. (Optional.) Add assets manually

   Enter the name and IP address or fully qualified domain name (FQDN) to specify an asset for discovery. The scan option is selected by default. Click Save to add the asset.

   You can repeat this for each individual asset you want to add.

3. (Optional.) Add assets by scanning network range

   Click Scan Networks to scan a network range that you specify. This runs asset discovery to scan hosts and services running on the specified network range.

4. When all the needed assets are discovered, click Next at the bottom of the page.

   The wizard opens the next page in the setup process, Active Directory.

The optional Active Directory (AD) Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. setup page configures USM Anywhere to collect information from your AD account. To monitor Microsoft Windows systems effectively, USM Anywhere needs access to the AD server to collect inventory information.

LevelBlue recommends that you create a dedicated AD account with membership in the Domain Admins group to be used by USM Anywhere to log in to the Windows systems. You also need to activate Microsoft Windows Remote Management (WinRM) in the domain controller and in all the hosts that you want to scan. You can do this by using a group policy for all the systems in your AD.

To complete the AD access configuration

1. Provide the AD credentials for USM Anywhere:

   • Active Directory IP Address: Enter the IP address for the AD server.
   • Username: Enter your username as admin of the account.
   • Password: Enter your admin's password.
   • Domain: Enter the domain for the AD instance.

   

2. Click Scan Active Directory.

   After a successful launch of the scan, a confirmation dialog box opens.

   

3. Click Accept.

   The scan continues in the background.

   Upon completion, another dialog box opens and provides information about the number of assets USM Anywhere discovered. It also prompts you to decide if you want to scan for hosts and services running in your environment.

   

   Click Cancel to opt out of this scan.

4. (Optional.) If you want to scan for other hosts and services, click OK.

5. Click Next after the scan ends.

   The wizard opens the next page in the setup process, Network Security Monitoring.

The Network Security Monitoring page shows the status of the network interfaces monitored by the sensor (it could take a few moments to load the interfaces). All network adapters are configured for network monitoring by default.

You must manually enable port mirroring or port spanning Method of network monitoring in which a system passively collects network traffic on the same ports as other network devices., promiscuous mode Mode in which network IDS monitoring operates in passive listening mode, checking all IP packet traffic passing through it for threats., or both in a virtual switch to send a copy of the network traffic you want to analyze to these interfaces. This page provides links to documentation about how to configure your networking to allow for the interfaces to see the network traffic and perform network intrusion detection.

USM Anywhere connectivity and communications are handled by the first network interface connection on the Network Security Monitoring page. This is the primary network that provides asset scanning and log collection for the particular network.

You can connect additional interfaces to other networks for monitoring, or connect them to individual vSwitch port groups for virtual networks. Each interface should be connected to a vSwitch that mirrors a different subnet within your network.

Use this page to verify that USM Anywhere can monitor your network traffic for security events.

To access detailed information about port mirroring set up

1. Click How do I set up port mirroring.

   This opens a dialog box that can direct you to specific information about your VM.

   If you have not yet set up port mirroring, see Direct Traffic from Your Physical Network to the Hyper-V Sensor for more information.

2. Click Next.

On the Log Management page are syslog port numbers. (These ports are the same for all USM Anywhere Sensors.)

USM Anywhere collects third-party device, system, and application data through syslog An industry standard message logging system that is used on many devices and platforms. over UDP on port 514 and over TCP on ports 601 or 602 by default. It collects Transport Layer Security (TLS)-encrypted Transport layer security. Successor to Secure Sockets Layer (SSL) protocol. Provides security for communication over the Internet between client and server applications. data through TCP on ports 6514 or 6515 by default. These ports support the RFC 3164 and RFC 5424 formats. To configure any third-party devices to send data to USM Anywhere, you must provide the IP address and the port number of your USM Anywhere Sensor.

To enable log collection and configure your log management

1. Make sure that you have granted the necessary permissions for your OS to allow USM Anywhere to access its logs. You can also integrate a wide variety of data sources to send log data over syslog to the USM Anywhere Sensor.

   To learn how to configure your operating systems and supported third-party devices to forward syslog log data, see the following related topics:

• The Syslog Server Sensor App: Log collection (UDP, TCP, and TLS-encrypted TCP) from rsyslog
• Collecting Linux System Logs: Log collection from a Linux system
• Collecting Windows System Logs: Log collection from a Windows system
• Go to the specific BlueApp in USM Anywhere for instructions about syslog forwarding

Note: Because the log scan can take some time, you might not see all of the automatically discovered log sources immediately after deploying the first USM Anywhere Sensor.

2. When you have finished the log collection setup and integrated any needed plugins, verify that the data transfer is occurring.
3. Click Next when this step is complete.

Use the Cloud Services page to configure USM Anywhere to collect information from any of the supported cloud services apps. These apps allow you to monitor and detect threats against your cloud services accounts, such as G Suite (Google Apps) and Office 365, directly from USM Anywhere. When configured , the BlueApp collects log data from via the cloud service API and analyzes that data against our built-in threat intelligence to look for anomalies and intrusions.

To setup cloud services in USM Anywhere

1. Select the BlueApp for each cloud service where you want to monitor activity.

   

2. Click Next.

   USM Anywhere displays a configuration page for each cloud service you selected.

3. Complete the form for its configuration and click Save Credentials.

   The following topics provide detailed information about these BlueApps:

   • BlueApp for G Suite
   • BlueApp for Office 365
   • BlueApp for SpyCloud Dark Web Monitoring
   • BlueApp for McAfee ePO
   • BlueApp for Cisco Umbrella

4. Click Next. when this step is complete.

LevelBlue Labs™ Open Threat Exchange® (OTX™) is an open information-sharing and analysis network providing users with the ability to collaborate, research, and receive alerts on emerging threats and indicators of compromise (IoCs) such as IP addresses, file hashes, and domains.

You must have an OTX account to receive alerts based on threats identified in OTX. This account is separate from your USM Anywhere account. Go to The World’s First Truly Open Threat Intelligence Community to create an OTX account.

To enable USM Anywhere to evaluate event data against the latest OTX intelligence

1. Log in to OTX and open the API page (https://otx.alienvault.com/api).

2. In the DirectConnect API Usage pane, click the icon to copy your unique OTX connection key.

   

3. Return to the Open Threat Exchange (OTX) page of the USM Anywhere Sensor Setup Wizard and paste the value in the OTX Key text box.

   

4. Click Validate OTX Subscription Key.

   With a successful validation of the key, the status at the top of the page changes to "Valid OTX key".

5. Click Next when this task is complete.

The Congratulations page summarizes the status of your configuration.

Click Start Using USM Anywhere, which takes you to the Overview dashboard.