AlienVault® USM Anywhere™

Host System Configuration for Scans and Functions

To run an authenticated scanAuthenticated scans are performed from inside the machine using a user account with appropriate privileges. or run an AlienApp for AT&T Cybersecurity Forensics and Response actionIn USM Anywhere you can execute an action from alarms, events, and vulnerabilities to run a scan, get forensic information, or execute a response for a configured AlienApp. for the assets in your USM Anywhere environment, you must perform a series of preparatory tasks on your host systems, specific to the operating system.

For each asset with the required configuration, you must also assign a credential set in USM Anywhere that is used for authentication on the host system. For information about these credentials, see

Configure Microsoft Windows for Authenticated Scans

Make sure that the host system meets these requirements:

  • Network connectivity between the USM Anywhere instance and port 5985
  • The Windows host must accept remote connections from the USM Anywhere Sensor for the Windows Remote Management (WinRM) service over a private or domain network. This may require you to add the Sensor's IP address to the WinRM Inbound Rules.

Important: You must start the WinRM service for each machine that you want to run authenticated scans. The user account for the scan can be a local administrator or a member of the Remote Management Users group.

For a Windows server that is hardened according to the Center for Internet Security (CIS) benchmarks, such as the CIS Amazon Machine Image (AMI) for Microsoft Windows Server 2016 available in the AWS Marketplace, there are local group policies that block these connectivity requirements. For these servers, you must open the port and re-enable WinRM and remote access on each boot of the server.

Note: For further information on Windows authentication permissions, see Microsoft's guide on authentication for remote connections.

To start the Windows RM service

  1. Open the Windows Command Prompt using administrator privledges and run the command winrm qc.

  2. Accept the default settings.

    The command starts the WinRM service and configures a listener for the port 5985.

  3. Create a windows firewall rule to allow incoming connections to port 5985.

For more information about WinRM, you can refer to these articles:

Configure Linux for Authenticated Scans


  • OpenSSH server must be installed on your Linux host.
  • Network connectivity between the USM Anywhere Sensor and the SSH port on the Linux host.

Installing the OpenSSH Server

Refer to the vendor documentation for your Linux distribution for instructions on how to install and configure OpenSSH Server.