After you initialize a new USM Anywhere Sensor, you must configure it in the Setup Wizard. As you configure the sensor, you can enable USM Anywhere to perform specific actions through scheduled jobs, such as running an asset discovery scan or collecting security eventsInformation collected and displayed that describes a single system or user level activity that took place. from a predefined cloud storage location.
About Accessing the Setup Wizard
The Setup Wizard is accessible under the following circumstances:
- After you first log in to the USM Anywhere web user interface (UI) and see the Welcome to USM Anywhere page, click Get Started to launch the Setup Wizard.
If you have already registered one USM Anywhere Sensor but did not complete the setup before logging out, the USM Anywhere Sensor Configuration page launches automatically at your next login to remind you to finalize configuration of the Sensor. From that page, you click Configure to launch the Setup Wizard and complete the sensor configuration.
If you registered an additional USM Anywhere Sensor, but did not complete the setup, the Sensors page displays an error ( ) in the Configured column.
Click the to launch the Setup Wizard and complete the sensor configuration.
Configuring the Sensor in the Setup Wizard
The first time you log in from the Welcome to USM Anywhere web page, the Setup Wizard prompts you to complete the configuration of the first deployed sensor. Thereafter, you can use the Sensors page to configure an additional sensor or to change the configuration options for a deployed sensor.
The Google Cloud Platform Configuration page provides information about the asset discovery that occurs upon the initial deployment of the USM Anywhere Sensor, summarizing the number of instances, instance types, and regions in your environment.
Click Next to proceed with the Setup Wizard and complete additional configuration on each page.
USM Anywhere automatically discovers a number of out-of-box logs as long as you have enabled them within your GCP subscription. For more information about these logs and how they function within the GCP environment, see GCP Log Discovery and Collection in USM Anywhere.
To enable the out-of-box log collection jobs
USM Anywhere uses subscriptions to collect log data from your environment and produce the corresponding events and alarms. For more information about enabling these subscriptions and how they function within the GCP environment, see GCP Log Discovery and Collection in USM Anywhere.
If you don't yet have any subscriptions in your GCP environment, this table will be empty at this step. The steps in GCP Log Discovery and Collection in USM Anywhere will create the subscriptions your sensor needs for Cloud Pub/Sub.
Note: Unless you have previously configured your GCP environment for Cloud Pub/Sub integration (as described in GCP Log Discovery and Collection in USM Anywhere), this step will discover any subscriptions that currently exist in your GCP environment. While you may have valid subscriptions already created in your environment for other services, you can only use a subscription created with the configuration we describe for Cloud Pub/Sub.
The optional Active Directory setup page configures USM Anywhere to collect information from your Active Directory (AD)Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. account. To monitor Windows systems effectively, USM Anywhere needs access to AD server to collect inventory information.
Note: This configuration is only for one AD server. If you want to scan different AD servers, you must create an AD scan job for each of them. See Running Active Directory Scans for details.
AT&T Cybersecurity recommends that you create a dedicated AD account with membership in the Domain Admins group to be used by USM Anywhere to log in into the Windows systems. You also need to activate WinRM in the domain controller and in all the hosts that you want to scan. You can do this by using a group policy for all the systems in your Active Directory.
Important: Before this feature is fully functional, you must configure access to the USM Anywhere Sensor on the Active Directory server. For more information, see Granting Access to Active Directory for USM Anywhere.
To complete the AD access configuration
Provide the AD credentials for USM Anywhere
- Active Directory IP Address — Enter the IP address for the AD server.
- Username — Enter your username as administrator of the account.
- Password — Enter your administrator's password.
- Domain — Enter the domain for the AD instance.
Click Scan Active Directory.
After a successful launch of the scan, a confirmation dialog box appears.
The scan continues in the background.
Upon completion, another dialog box appears and provides information about the number of assets USM Anywhere discovered. It also prompts you to decide if you want to scan for hosts and services running in your environment.
Click Cancel to opt out of this scan.
(Optional) If you want to scan for other hosts and services, click OK.
Click Next after the scan ends.
The wizard displays the next page in the setup process, Network Security Monitoring.
The wizard displays the next page in the setup process, Log Management.
On the Log Management page are syslog port numbers. (These ports are the same for all USM Anywhere Sensors.)
USM Anywhere collects third-party device, system, and application data through syslogAn industry standard message logging system that is used on many devices and platforms. over User Datagram Program (UDP) on port 514 and over Transmission Control Protocol (TCP) on port 601 by default. It collects TLS-encryptedTransport layer security. Successor to Secure Sockets Layer (SSL) protocol. Provides security for communication over the Internet between client and server applications. data through TCP on port 6514 by default. To configure any third-party devices to send data to USM Anywhere, you must provide the IP address and the port number of your USM Anywhere Sensor.
To enable log collection and configure your log management
- Make sure that you have granted the necessary permissions for your operating system to allow USM Anywhere to access its logs. You can also integrate a wide variety of data sources to send log data over syslog to the USM Anywhere Sensor.
To learn how to configure your operating systems and supported third-party devices to forward syslog log data, see the following related topics:
- The Syslog Server Sensor App: Log collection (UDP, TCP, and TLS-encrypted TCP) from rsyslog
- Collecting Linux System Logs: Log collection from a Linux System
- Collecting Windows System Logs: Log collection from a Windows System
- Supported USM Anywhere Plugins for Common Data Sources: Log collection integrations for various data sources
Note: Because the log scan can take some time, you might not see all of the automatically discovered log sources immediately after deploying the first USM Anywhere Sensor.
- When you've finished the log collection setup and integrated any needed plugins, verify that the data transfer is occurring.
- Click Next when this step is complete.
AT&T Alien Labs™ (OTX™) is an open information-sharing and analysis network providing users with the ability to collaborate, research, and receive alerts on emerging threats and indicators of compromise (IoC) such as IPs, file hashes, and domains.
You must have an OTX account to receive alerts based on threats identified in OTX. This account is separate from your USM Anywhere account. Go to The World’s First Truly Open Threat Intelligence Community to create an OTX account.
Note: If you do not already have an OTX account, click the Sign up link. This opens another browser tab or window that displays the OTX signup page. After you confirm your email address, you can log into OTX and retrieve the unique application programming interface (API) key for your account.
For more information about OTX integration in USM Anywhere, see Open Threat Exchange® and USM Anywhere.
To allow USM Anywhere to evaluate event data against the latest OTX intelligence
- Log in to OTX and open the API page (https://otx.alienvault.com/api/).
In the DirectConnect API Usage pane, click the icon to copy your unique OTX connection key.
Return to the Threat Intelligence page of the USM Anywhere Sensor Setup Wizard and paste the value in the OTX Key text box.
Click Validate OTX Key.
With a successful validation of the key, the status at the top of the page changes to Valid OTX key.
- Click Next when this task is complete.
The Congratulations page summarizes the status of your configuration.
Click Start Using USM Anywhere, which takes you to the Overview dashboard.
Now is a great time to run a vulnerability scan. See Vulnerability Assessment for detailed information about running a vulnerability scan.