Documentation Center
AlienVault® USM Anywhere™

Granting Access to Active Directory for USM Anywhere

If you want to run Active DirectoryActive Directory (AD) is a directory service that Microsoft developed for Windows domain networks. scans in USM Anywhere, you need to configure your Active Directory (AD) server assets to grant access to the USM Anywhere Sensor. You also need to have the needed credentials configured in USM Anywhere to make an authenticated connection.

This consists of three tasks:

Create a Dedicated AD Account

When you configure your VMware sensor, Hyper-V sensor, or Azure sensor, you can define AD credentials that USM Anywhere can use to perform an Active Directory scan through the Sensor. These are the credentials that you define in the Credentials page and assign the credential set to the asset to support a scheduled Active Directory scan job for the asset. It is a best practice to use a dedicated account for this purpose.

To create a new dedicated account in AD

  1. Log in to your domain controller administrator account.
  2. Open Active Directory Users and Computers.
  3. Create a new user called either alienvault_usm_anywhere or any other name that's easy to associate with USM Anywhere.
  4. Add the user you’ve just created to the Domain Admins group.

Activate WinRM to Enable Windows PowerShell Remoting

For Windows systems, USM Anywhere uses WinRM framework (version 2.0 or higher) to execute the corresponding commands. Therefore, if WinRM is unavailable on a target Windows system through the account credentials, USM Anywhere will be unable to connect.

Important: Only the members of the Remote Management Users and Administrators groups can log in through WS-Management.

To activate WinRM, you can use a group policy to combine the domain controller and all the hosts in your Active Directory. (For reference, see this How to enable PowerShell Remoting via Group Policy article.)

Alternatively, if you prefer to activate WinRM manually in each system you want to scan, use this procedure to activate a Windows RM listener on port 5985.

To start the Windows RM service

  1. Open a Windows command prompt and run the command winrm qc.

  2. Accept the default settings.

    The command starts the Windows RM service and configures a listener for the port 5985.

For more information about WinRM, you can refer to these articles:

Manage Credentials for Your AD Servers

Before you run an Active Directory scan from USM Anywhere, you should make sure that each of the AD server assets has assigned credentials that are able to connect to the system. In USM Anywhere, you can assign credentials for an individual asset or for an asset groupAsset groups are administratively created objects that group similar assets for specific purposes..

Note: Credentials assigned directly to an asset have higher priority than those assigned to an asset group.

When USM Anywhere runs a scan or executes a system-level action, it uses the credential set assigned directly to the asset, if there is one. If those credentials do not connect or the asset does not have an assigned credential set, it uses the credential set assigned to the group where the asset is a member, if that asset is a member of an asset group.

To add a new credential

  1. Navigate to SETTINGS > CREDENTIALS.
  2. Click New Credentials.

    Add a new credential set for system-level access to USM Anywhere assets

  3. Enter a name for the credential in the Name field and, if desired, a description to clarify its use in the Description field.
  4. In Credential Type, select the appropriate credential type based on the operating systemSoftware that manages computer hardware resources and provides common services for computer programs. Examples include Microsoft Windows, Macintosh OS X, UNIX, and Linux. of the asset.

    This displays the fields that are applicable for that type.

  5. Click Save.

In USM Anywhere, you assign a defined credential set to an individual asset in order to use the credentials for authenticated scans, Active Directory scans, and AlienApp for Forensics and Response actions on the host. You can assign assets to a credential set in the Credentials page, or you can perform this task from the Assets page.

To assign a credential on the Credentials page

  1. Navigate to SETTINGS > CREDENTIALS.
  2. Click the Usage icon () in the line of the credential you want to assign.

    Click the Usage icon to manage the asset assignments for the credential set

  3. At the bottom of the dialog, enter part of the asset name in the field.

    This displays the matching items below the field. You can enter more text to filter the list further.

  4. Select the asset to assign to the credential set.

    Enter part of the asset name and select it from the list of matching items

    After you select the asset, the dialog displays the item at the top. If needed, you can enter text for another asset name and select it to assign multiple assets for the credential set.

  5. Next to the displayed asset name, click Test to execute a test connection to the asset using the credentials.

  6. Click the Close icon () in the dialog.

To assign a credential on the Assets page

  1. Navigate to ENVIRONMENT > ASSETS and locate the asset.
  2. Click the Menu icon () next to the asset name and select Assign Credentials.
  3. In the dialog, click Choose Credentials and select the credentials to use.

    Select Assign Credentials to use credentials for system-level access to the asset

    Note: If the needed credentials do not already exist, you can select Create New Credentials to define them in USM Anywhere. Use the information in the earlier procedure to create the new credential set.

  4. Click Test to execute a test connection to the asset using the selected credentials.

  5. Click Save.

In USM Anywhere, you assign a defined credential set to an asset group in order to use the credentials for authenticated scans, Active Directory scans, and AlienApp for Forensics and Response actions on members of the group. You can assign asset groups to a credential set in the Credentials page, or you can perform this task from the Asset Groups page.

Important: When you assign a credential to an asset group, USM Anywhere will assign the credential to the asset group instead of assigning it to all of its members.

To assign a credential on the Credentials page

  1. Navigate to SETTINGS > CREDENTIALS.
  2. Click the Usage icon () in the line of the credential you want to assign.

    Click the Usage icon to manage the asset assignments for the credential set

  3. Click the Asset Groups tab in the dialog.
  4. At the bottom of the dialog, enter part of the asset group name in the field.

    This displays the matching items below the field. You can enter more text to filter the list further.

  5. Select the asset group to assign to the credential set.

    Enter part of the asset group name and select it from the list of matching items

    After you select the asset group, the dialog displays the item at the top. If needed, you can enter text for another asset group name and select it to assign multiple asset groups for the credential set.

  6. Click the Close icon () in the dialog.

To assign a credential on the Asset Groups page

  1. Navigate to ENVIRONMENT > ASSET GROUPS.
  2. Click the Menu icon () next to the asset group name and select Assign Credentials.
  3. In the dialog, click Choose Credentials and select the credentials to use.

    Select Assign Credentials to use credentials for system-level access to the assets in the group

    Note: If the needed credentials do not already exist, you can select Create New Credentials to define them in USM Anywhere.

  4. Click Save.