Requirements for Hyper-V Sensor Deployment
Review the following prerequisites to ensure an efficient setup and configuration of a USM Anywhere Sensor on Microsoft Hyper-V.
Minimum Requirements
These are the minimum requirements needed to set up and configure a USM Anywhere Sensor on Hyper-V:
- Operating system (OS) must be Windows Server 2012 R2, 2016, 2019, or 2022
- Using Hyper-V Manager or Microsoft System Center Virtual Machine Manager (SCVMM)
-
Dedicated 178 GB of disk space (128 GB data device and 50 GB root device)
- Dedicated 4 CPUs and 12 GB of statically assigned memory
- Internet connectivity from the virtual machine
Important: Because the needs of a sensor differ based on the varying demands of different deployment environments and the complexity of events being processed, the number of events per second (EPS) a sensor can process varies.
Depending on your environment, you may need to deploy additional sensors to ensure that all events are processed.
Recommended Requirements
These are the recommended requirements needed to set up and configure a USM Anywhere Sensor on Hyper-V:
-
If Dynamic Host Configuration Protocol (DHCP Dynamic Host Configuration Protocol (DHCP) is a network protocol used to dynamically distribute network configuration parameters, such as IP addresses, for interfaces and services.) is unavailable, a static IP for the management interface and local Domain Name System (DNS) information
Important: AT&T Cybersecurity strongly recommends assigning a static IP address to deploy the USM Anywhere Sensor.
If DHCP changes the IP address of the sensor, you must update all the IP addresses on all the devices that are forwarding logs to the sensor through syslog.
- Network topology information to run asset discovery
- Port mirroring Method of network monitoring in which a system passively collects network traffic on the same ports as other network devices. setup for network monitoring (see Direct Traffic from Your Physical Network to the Hyper-V Sensor for more information)
- Administrative credentials for remote hosts to support authenticated asset scans
- Administrative credentials for devices that require configuration to forward logs to the Hyper-V Sensor
- To access network-based intrusion detection system (NIDS) functionality on the sensor, an ethernet port on the host must be available to receive data from a Switched Port Analyzer (SPAN) or Test Access Point (TAP) port
Sensor Ports and Connectivity
Before deploying a USM Anywhere Sensor, you must configure your firewall Virtual or physical device designed to defend against unauthorized access to data, resources, or a private network. A firewall’s primary purpose is to create segregation between two or more network resources, blocking undesirable traffic between them. permissions to enable the required connectivity for the new sensor. Initial deployment of a sensor requires that you open egress and outbound ports and protocols in the firewall for communication with USM Anywhere and AT&T Cybersecurity Secure Cloud resources. The sensor receives no inbound connections from outside the firewall.
Note: To launch the USM Anywhere Sensor web UI during the initial setup, you need to allow inbound traffic to the sensor IP address through TCP port 80. You can remove access to this port after the sensor successfully connects to USM Anywhere. You do not need to allow inbound traffic to this port from the Internet.
The following tables list the inbound and outbound ports.
| Type | Ports | Endpoints | Purpose |
|---|---|---|---|
| TCP | 443 | update.alienvault.cloud | Communication with AT&T Cybersecurity for initial setup and future updates of the sensor. |
| TCP | 443 | reputation.alienvault.com | Ongoing communication with AT&T Alien Labs™ Open Threat Exchange® (OTX™). |
| TCP | 443 | otx.alienvault.com |
Ongoing communication with OTX to retrieve vulnerability scores. Connecting to otx.alienvault.com is not required but highly recommended. OTX uses the AWS CloudFront services. Refer to the AWS IP address ranges page when you deploy a new sensor. This page contains the current IP address ranges for the service and instructions on how to filter the addresses. |
| TCP | 443 |
Your USM Anywhere subdomain Your USM Anywhere subdomain |
Ongoing communication with USM Anywhere. |
| SSL | 443 | storage-proxy.services.prod.alienvault.cloud | Ongoing communication with USM Anywhere in order to send and retrieve backups. |
| SSL | 443 | metrics-proxy.services.prod.alienvault.cloud | Ongoing communication with USM Anywhere in order to send metrics and messages. |
| SSL/TCP | 443 |
api-parameters-<REGION>-prod.alienvault.cloud1 api-message-proxy-<REGION>-prod.alienvault.cloud api.message-proxy.<REGION>.prod.alienvault.cloud |
Ongoing communication with USM Anywhere. It is only necessary to allowlist the address that corresponds to the region where your USM Anywhere instance is hosted. |
| SSL/TCP | 7100 |
Your USM Anywhere subdomain Your USM Anywhere subdomain |
Ongoing communication with USM Anywhere. |
| UDP | 53 | DNS Servers (Google Default) | Ongoing communication with USM Anywhere. |
| UDP | 123 |
0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org |
Sync with network time protocol (NTP) services. |
| TCP | 22 and 443 |
prod-usm-saas-tractorbeam.alienvault.cloud prod-gov-usm-saas-tractorbeam.gov.alienvault.us (for AT&T TDR for Gov) |
SSH Program to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). communications with the USM Anywhere remote support server. See Troubleshooting and Remote Sensor Support for more information about remote technical support through the USM Anywhere Sensor console. |
| TCP | 443 |
geoip-ap-northeast-1-prod.alienvault.cloud/geo-ip/sensor geoip-ap-south-1-prod.alienvault.cloud/geo-ip/sensor geoip-ap-southeast-1-prod.alienvault.cloud/geo-ip/sensor geoip-ap-southeast-2-prod.alienvault.cloud/geo-ip/sensor geoip-ca-central-1-prod.alienvault.cloud/geo-ip/sensor geoip-eu-central-1-prod.alienvault.cloud/geo-ip/sensor geoip-eu-west-1-prod.alienvault.cloud/geo-ip/sensor geoip-eu-west-2-prod.alienvault.cloud/geo-ip/sensor geoip-me-central-1-prod.alienvault.cloud/geo-ip/sensor geoip-sa-east-1-prod.alienvault.cloud/geo-ip/sensor geoip-us-east-1-prod.alienvault.cloud/geo-ip/sensor geoip-us-west-2-prod.alienvault.cloud/geo-ip/sensor
geoip-us-gov-west-1-prod-gov.gov.alienvault.us/geo-ip/sensor (for AT&T TDR for Gov) |
Allows resolution of IP addresses for geolocation services. It is only necessary to allowlist the GeoIP address that corresponds to the region where your USMA instance is hosted. |
| Type | Ports | Purpose |
|---|---|---|
| SSH | 22 | Inbound method for secure remote login from a computer to USM Anywhere. |
| HTTP | 80 | Inbound communication for HTTP traffic. |
| UDP (RFC 3164) | 514 | USM Anywhere collects data through syslog over UDP on port 514 by default. |
| TCP (RFC 3164) | 601 | Inbound communication for reliable syslog service. USM Anywhere collects data through syslog over TCP on port 601 by default. |
| TCP (RFC 5424) | 602 | USM Anywhere collects data through syslog over TCP on port 602 by default. |
| Traffic Mirroring | 4789 | Inbound communication for virtual extensible local area network (VXLAN). |
| WSMANS | 5987 | Inbound WBEM WS-Management HTTP over Secure Sockets Layer/Transport Layer Security (SSL/TLS) (NXLog). |
| TLS/TCP (RFC 3164) | 6514 | USM Anywhere collects TLS-encrypted data through syslog over TCP on port 6514 by default. |
| TLS (RFC 5424) | 6515 | USM Anywhere collects data through syslog over TLS on port 6515 by default. |
| TCP | 9000 | Inbound communication used internally for HTTP sensor traffic. |
| Graylog | 12201 | Inbound communication for Graylog Extended Log Format (GELF). |
USM Anywhere IP Addresses for Allowlisting
Important: The Update Server and the AlienVault Agent always use the 3.235.189.112/28 range no matter where your USM Anywhere is deployed. The AT&T TDR for Gov Update Server uses the 3.32.190.224/28 range.
Note: The regional IP ranges listed in this table are limited to the control nodes (subdomain). You must also meet all requirements provided in the Sensor Ports and Connectivity (Outbound Ports) table.
| Code | Name | Reserved Static IP Address Ranges |
|---|---|---|
| ap-northeast-1 | Asia Pacific (Tokyo) |
18.177.156.144/28 3.235.189.112/28 44.210.246.48/28 |
| ap-south-1 | Asia Pacific (Mumbai) |
3.7.161.32/28 3.235.189.112/28 44.210.246.48/28 |
| ap-southeast-1 | Asia Pacific (Singapore) |
18.143.203.80/28 3.235.189.112/28 44.210.246.48/28 |
| ap-southeast-2 | Asia Pacific (Sydney) |
3.25.47.48/28 3.235.189.112/28 44.210.246.48/28 |
| ca-central-1 | Canada (Central) |
3.96.2.80/28 3.235.189.112/28 44.210.246.48/28 |
| eu-central-1 | Europe (Frankfurt) |
18.156.18.32/28 3.235.189.112/28 44.210.246.48/28 |
| eu-west-1 | Europe (Ireland) |
3.250.207.0/28 3.235.189.112/28 44.210.246.48/28 |
| eu-west-2 | Europe (London) |
18.130.91.160/28 3.235.189.112/28 44.210.246.48/28 |
| me-central-1 | Middle East (UAE) |
3.29.147.0/28 3.235.189.112/28 44.210.246.48/28 |
| sa-east-1 | South America (São Paulo) |
18.230.160.128/28 3.235.189.112/28 44.210.246.48/28 |
| us-east-1 | US East (N. Virginia) |
3.235.189.112/28 44.210.246.48/28 |
| us-west-2 | US West (Oregon) |
44.234.73.192/28 3.235.189.112/28 44.210.246.48/28 |
| us-gov-west-1 | AWS GovCloud (US-West) |
3.32.190.224/28 |
Hyper-V Machine Deployment
You can deploy a Hyper-V virtual machine (VM) using either of the following management tools:
- Microsoft Hyper-V Manager, which is an administrative tool for managing local and remote Hyper-V servers. See Create the VM with Hyper-V Manager for more information.
- System Center Virtual Machine Manager 2012, which is designed for managing large numbers of virtual servers, based on Microsoft Virtual Server and Hyper-V. See Create the VM with SCVMM 2012 for more information.
Feedback