The USM Anywhere Sensor provides operational visibility into the security of your Amazon Web Services (AWS) environment. Based on the collected log information, USM Anywhere analyzes the data generated by your AWS environment and provides real-time alerting to identify malicious activity. When the sensor is deployed into your AWS environment, it provides ultimate control over the installation and the data contained within it, and also prevents any external access to your environment. All USM Anywhere Sensors allow for authenticated scans of by leveraging stored credentials that you define in USM Anywhere. This enables USM Anywhere to detect potential vulnerabilities, installed software packages, and running processes and services. Unlike the other USM Anywhere Sensors, the Amazon Web Services (AWS) Sensor queries AWS directly to discover assets using an AWS API.

Log Collection and Scans

The AWS Sensor collects AWS logs and system logs, and generates asset scans and assessments, consisting of the following:
  • AWS CloudTrail logs
  • AWS Elastic Load Balancing (ELB) logs
  • Amazon Simple Storage Service (S3) access logs
  • Amazon CloudWatch log collection
  • Amazon S3 log collection
  • Operational logs for critical software packages deployed, such as HTTP servers and database servers
  • Asset scans on your virtual machines (VMs) to inventory installed software packages, running processes, and services
  • Periodic vulnerability assessments

Log Analysis

USM Anywhere analyzes these logs in these stages: Stage 1: Collects logs from systems and software running in your environment Stage 2: Configures log line processing and generates events
  • Includes IP addresses and timestamps culled from extracted log-line data
  • Adds other data to the event, such as security context and environmental information
Stage 3: Analyzes events and stores them

Deployment Overview

LevelBlue distributes the AWS Sensor as a Template in a virtual private cloud (VPC). The deployment process for an initial USM Anywhere Sensor in your AWS environment consists of these primary tasks:
  1. Review requirements for an AWS Sensor deployment.
  2. Deploy the USM Anywhere Sensor within your AWS environment.
  3. Register the sensor with your sensor authentication code to provision the USM Anywhere instance and connect the deployed sensor.
  4. Complete your AWS Sensor configuration, including initial asset discovery.

Related Video Content

To view other related training videos, click here.