Alert Logic Threat Manager for Microsoft Azure IaaS Manual Deployment (Linux) 

Alert Logic recommends the Alert Logic Threat Manager - Bring your own license (BYOL) deployment through the Azure Marketplace as the preferred deployment method. The manual deployment described here is intended for expert-level users who need to install manually for control or customization purposes.

Deployment overview

The following sections provide an overview of manually deploying Threat Manager in Azure.

Azure Resource Manager (ARM) template

Threat Manager deployment in Azure uses an Azure Resource Manager (ARM) custom template to deploy its appliance on a virtual machine. The Threat Manager ARM template handles many of the details of the deployment automatically for you, including the following:

  • Creates the virtual machine which serves as the Threat Manager virtual appliance. The Threat Manager virtual appliance collects events from the agent and performs threat analysis.
  • Creates an availability set.
  • Creates the required Network Security Group and defines all necessary inbound and outbound rules.
    The rules defined with manual deployment differ from those defined through the Azure Marketplace deployment.

You can deploy the ARM template through the Azure portal or the Azure Command Line Interface (CLI).

For more details on the Threat Manager ARM template, see the following:

ARM deployment is the only supported method for the Threat Manager Virtual Machine (VM) in Azure. Classic deployment is no longer supported.

Process Overview

The following list describes the overall process of manually deploying Threat Manager in Azure:

  1. Review Prerequisites. Make sure you have your Azure account created and have reviewed requirements.
  2. Prepare for deployment. In this step, you set up Azure CLI, create required resources, and copy the Threat Manager vhd to your Azure environment.
  3. Deploy Threat Manager VM. You can deploy using the Azure Portal or Azure CLI.
  4. Claim your appliance.
  5. Download and install the agent.
  6. Create and apply assignment policy.

Prerequisites

  • Azure account—Microsoft Azure account used to deploy Threat Manager VM
  • Requirements—Requirements specific to the deployment of Threat Manager in Azure, including firewall rules, virtual machine sizing specifications, endpoints and Access Control List (ACL) entries

Prepare for deployment

Preparing for deployment requires steps in both the Azure CLI 1.0 and the Azure Portal. Use the following processes to prepare for deployment:

  1. Set up Microsoft Azure Command Line Interface (CLI).
  2. Create required resources in Azure portal.
  3. Copy Alert Logic Threat Manager vhd to your storage account.

Set up Microsoft Azure Command Line Interface (CLI)

To set up Azure CLI:

  1. Install Azure CLI 1.0, and open a session.
  2. Authenticate your CLI session with your Azure account as follows:
    1. Using the CLI, enter the following command:
      # azure login

      The following response appears:

      info:    Executing command login
      info:    To sign in, use a web browser to open the page https://aka.ms/devicelogin.
      Enter the code XXXXXXXXX to authenticate.
    2. As described in the response, use a browser to open the provided page, enter the provided code, and then log into your Azure account.
      The following response appears in the CLI:
      info:    Added subscription Your Subscription
      info:    Setting subscription "Your Subscription" as default
      +
      info:    login command OK
      #

Required resources

The following Azure resources are required and must exist prior to Threat Manager VM deployment:

  • Resource group—A container, or logical grouping, of resources related to your Threat Manager deployment.
    • Storage account—The location in Azure where your containers, Threat Manager vhd, and Alert Logic security appliances are stored and deployed.
      • Storage account access key—When you create a storage account, Microsoft Azure creates a primary and secondary 512-bit storage access key. Use the primary key to transfer the Threat Manager appliance image from Alert Logic to your Azure environment.
      • Blob container—The container to store the virtual machine and Threat Manager virtual appliance image.
  • Virtual Network—Threat Manager VM becomes part of a virtual network in your Azure account.
    • Subnet—A subnet within the specified virtual network.
    • Virtual network resource group—The resource group that contains the virtual network and subnet. The virtual network resource group must be in the same region as the resource group you are deploying your VM instances to.

This list of resources is comprehensive. You may already have some of these resources defined in your Azure environment which you can use; if not, you must create them before you can create your VM.

Create required resources in Azure portal

  1. Log in to the Azure portal.
  2. Create a new storage account (and resource group, if needed) using the following steps.
    Note: See Azure Storage Account for more information.
    1. On the Hub menu, select New, Data + Storage, Storage account.
    2. Enter the following information on the Create storage account resource management page (blade):
      • Name—Type a unique descriptive name for the storage account.
      • Deployment model—Select Resource Manager. (Classic deployment is not supported.)
      • Account kind—Select General purpose.
      • Performance—Select the type of storage you prefer: Standard or Premium.
      • Replication—Select Geo-Redundant storage, which replicates your data to a secondary location within the same region, providing failover protection.
      • Subscription—Select the subscription in which you want to create the new storage account.
      • Resource group—Specify a new resource group or select an existing resource group.
      • Location—Select the geographic location for your storage account. The appliance must be created in the same virtual network where the agents are located. This enables network communication between the appliances and agents.
    3. Click Create to create the storage account.
    The new storage account and resource group (if applicable) are created.
  3. After your storage account has been created, copy your storage account access key, as follows:
    Note: See Azure storage access key for more information.
    1. Locate your storage account and open its resource management page.
    2. Click the Keys icon.
    3. On the Access keys blade, click the copy button to copy your primary key (key1) and paste it into a plain text editor. You will need this information later.
  4. Create a Blob storage container within your storage account, as follows:
    1. On your storage account blade, under Services, click Blobs.
    2. On the Blob service blade, click the + Container icon.
    3. Enter the following information on the New container blade:
      • Name—Type a name for your new container.
      • Access type—Select Private.
    4. Click Create.
    The new Blob storage container is created.
  5. Create your virtual network, as follows:
    1. On the Hub menu, select New, Networking, Virtual Network.
    2. On the Virtual Network blade, select Resource Manager for the deployment model, and click Create.
    3. Enter the following information on the Create virtual network blade:
      • Name—Enter a descriptive name for your virtual network.
      • Address space—Enter the address range for your virtual network.
      • Subnet name—Enter the name for a subnet.
      • Subnet address range—Enter the address range for the subnet.
      • Subscription—Select the subscription in which you want to create the new virtual network.
      • Resource group—Specify a new resource group or select an existing resource group. This resource group must be in the same region as the resource group where your storage account exists.
        Alert Logic recommends that you use the same resource group for all your Threat Manager resources.
      • Location—Select the geographic location for your virtual network.

      The virtual network resource group must be in the same region as the resource group you are deploying your instances to.

    4. Click Create.
      The new virtual network and resource group (if applicable) are created, which completes the creation of all required resources prior to VM deployment.

Copy Alert Logic Threat Manager vhd to your storage account

Alert Logic maintains the Threat Manager appliance image as a .vhd file in the Microsoft Azure environment.

To copy the Alert Logic Threat Manager vhd to your storage account:

  1. In an Azure CLI session, enter the following command to set mode to Azure Service Management (asm):
    # azure config mode asm
    The following response appears:
    info:    Executing command config mode
    info:    New mode is asm
    info:    config mode command OK
    #
  2. Copy the Alert Logic Threat Manager vhd to your storage account, as follows:
    1. Locate the following information for the upload command:
      • Storage account name/URL (for example, http://storageaccountname.blob.core.windows.net)
      • Blob container name
      • Target file name (for example, al-tmc-image_latest.vhd)
      • Storage account key
      The following command shows the required syntax:
      azure vm disk upload http://alertlogic.blob.core.windows.net/tmcimage/al-tmc-image_latest.vhd [storage account URL]/[blob container name]/[filename.vhd] [storage-account-key]
    2. Use a plain text editor to construct your command, replacing the variables.
    3. Enter your upload command, similar to the following example:
      # azure vm disk upload http://alertlogic.blob.core.windows.net/tmcimage/al-tmc-image_latest.vhd http://storageaccountname.blob.core.windows.net/blobcontainername/al-tmc-image_latest.vhd [your-storage-access-key]
      
      The following response appears:
      info:    Executing command vm disk upload
      warn:    Any existing blob will be overwritten at http://storageaccountname.blob.core.windows.net/blobcontainername/al-tmc-image_latest.vhd
      +  Copying image: 100% (42949673472/42949673472)
      info:    vm disk upload command OK
      #
      

Deploy Threat Manager VM

To deploy your Threat Manager VM, Alert Logic provides a custom Azure Resource Manager (ARM) template. You can deploy the template from the Azure portal or the Azure CLI.

Deployment of the Threat Manager VM using the provided ARM template assumes the following prerequisites have been addressed:

  • The following Azure resources exist:
    • Resource group, storage account, blob container, virtual network resource group, virtual network, subnet
  • The Threat Manager vhd has been copied to your storage account.

You can use the Azure Resource Manager Template Visualizer (ArmViz) to graphically display the deployment template.

The provided ARM template performs the following actions for you:

  • Creates virtual machine, which serves as the Threat Manager appliance
  • Creates availability set
  • Creates Network Security Group and defines necessary inbound rules. Alert Logic requires inbound access to the appliance over SSH port 22 and HTTP port 80.
    The rules defined with manual deployment differ from those defined through the Azure Marketplace deployment.
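Because the template opens SSH (22) and HTTP (80) to the appliance, and the manual-deployment rules differ from the Marketplace ones, it is worth reviewing the Network Security Group rules in whatever template you deploy before you run it. The following Python script is an added example, not part of this page or of the Alert Logic template: it parses a constructed, cut-down ARM template (assumed only to mirror the shape of an NSG resource, not Alert Logic's actual rules), lists inbound Allow rules that reach port 22 or 80 from an unrestricted source, and rewrites those rules to explicit source prefixes. The prefix 203.0.113.0/24 is a documentation-range placeholder; substitute the Alert Logic endpoint and ACL entries from the Requirements page.

```python
import json
from ipaddress import ip_network

# Constructed sample: a cut-down ARM template with one Network Security Group.
# It is NOT the Alert Logic template; it only mirrors the inbound ports this
# page says the appliance needs (22 and 80), with every source allowed.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [{
        "type": "Microsoft.Network/networkSecurityGroups",
        "name": "tm-nsg",
        "properties": {"securityRules": [
            {"name": "ssh-in", "properties": {"direction": "Inbound", "access": "Allow", "protocol": "Tcp",
                                              "sourceAddressPrefix": "*", "destinationPortRange": "22", "priority": 100}},
            {"name": "http-in", "properties": {"direction": "Inbound", "access": "Allow", "protocol": "Tcp",
                                               "sourceAddressPrefix": "Internet", "destinationPortRange": "80", "priority": 110}},
            {"name": "deny-all", "properties": {"direction": "Inbound", "access": "Deny", "protocol": "*",
                                                "sourceAddressPrefix": "*", "destinationPortRange": "*", "priority": 4096}},
        ]},
    }],
})

NSG_TYPE = "microsoft.network/networksecuritygroups"
# Values ARM accepts as "any source" in a rule.
ANY_SOURCE = {"*", "internet", "0.0.0.0/0"}


def _ports(port_range):
    """Expand destinationPortRange ('22', '80-443', '*') to a set of ints; None means any port."""
    if port_range == "*":
        return None
    if "-" in port_range:
        lo, hi = port_range.split("-", 1)
        return set(range(int(lo), int(hi) + 1))
    return {int(port_range)}


def _sources(props):
    """Source prefixes of a rule, covering both the single and the plural ARM property."""
    plural = props.get("sourceAddressPrefixes")
    if plural:
        return list(plural)
    return [props.get("sourceAddressPrefix", "*")]


def inbound_allow_rules(template_json):
    """Yield (nsg_name, rule_name, rule_properties) for every inbound Allow rule in the template."""
    doc = json.loads(template_json)
    for res in doc.get("resources", []):
        if res.get("type", "").lower() != NSG_TYPE:
            continue
        for rule in res.get("properties", {}).get("securityRules", []):
            props = rule["properties"]
            if props["direction"].lower() == "inbound" and props["access"].lower() == "allow":
                yield res["name"], rule["name"], props


def open_to_world(template_json, ports=(22, 80)):
    """Names of inbound Allow rules that reach any of `ports` from an unrestricted source."""
    findings = []
    for _nsg, name, props in inbound_allow_rules(template_json):
        dst = _ports(props.get("destinationPortRange", "*"))
        reaches = dst is None or any(p in dst for p in ports)
        if reaches and any(s.lower() in ANY_SOURCE for s in _sources(props)):
            findings.append(name)
    return findings


def restrict_sources(template_json, allowed_cidrs):
    """Return a copy of the template where every world-open rule is limited to `allowed_cidrs`."""
    for cidr in allowed_cidrs:
        ip_network(cidr)  # raises ValueError on a malformed prefix before we touch the template
    flagged = set(open_to_world(template_json))
    doc = json.loads(template_json)
    for res in doc["resources"]:
        if res.get("type", "").lower() != NSG_TYPE:
            continue
        for rule in res["properties"]["securityRules"]:
            if rule["name"] in flagged:
                props = rule["properties"]
                props.pop("sourceAddressPrefix", None)
                props["sourceAddressPrefixes"] = list(allowed_cidrs)  # plural property: several prefixes per rule
    return json.dumps(doc)


if __name__ == "__main__":
    print("world-open rules:", open_to_world(SAMPLE_TEMPLATE))
    hardened = restrict_sources(SAMPLE_TEMPLATE, ["203.0.113.0/24"])  # placeholder prefix
    print("after restriction:", open_to_world(hardened))
```

Run it against the template you actually intend to deploy by loading that file into `open_to_world` instead of `SAMPLE_TEMPLATE`; the ArmViz view mentioned above shows the resources but not the rule sources, which is what this check reports.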

Deployment Parameters

When using the Threat Manager ARM template, you must supply values for required parameters. Refer to the following list when using the deployment procedures.

Some of the parameter names differ slightly between the Azure Portal and Azure CLI deployment methods. Each entry below gives the Portal field, the CLI parameter, a description, and an example value.

  • Resource group (Portal) / myResourceGroup (CLI): Enter the resource group where the VM instance will be created. Example: myresourcegroup
  • Resource group location (Portal only): If you are creating a new resource group, provide the location. Note: The resource group that you are deploying your VM instances to and the resource group containing your virtual network and subnet must be in the same region. Example: West US
  • STORAGEACCOUNTNAME / storageAccountName: Name of the storage account where the Threat Manager VM will be deployed. Example: mystorageaccount
  • BLOBCONTAINERNAME / blobContainerName: Blob container within your storage account where Threat Manager is deployed. Example: myblobcontainer
  • OSDISKVHDURI / osDiskVhdUri: Fully qualified URL of the Threat Manager VHD that you copied to your account. Example: http://mystorageaccount.blob.core.windows.net/myblobcontainer/al-tmc-image_latest.vhd
  • AVAILABILITYSETNAME / availabilitySetName: Availability set name for the Threat Manager VMs. Note: The availability set is created if it does not exist. Example: myavailabilityset
  • NUMBEROFINSTANCES / numberOfInstances: Number of virtual instances to deploy. Example: 1
  • VMNAME / vmName: Name of the new Threat Manager VM being deployed. Example: awesome-new-threat-manager-vm
  • VIRTUALNETWORKNAME / virtualNetworkName: Name of your virtual network. Example: myvnet
  • VIRTUALNETWORKRESOURCEGROUP / virtualNetworkResourceGroup: Name of an existing resource group containing your virtual network. Note: The resource group that you are deploying your VM instances to and the resource group containing your virtual network and subnet must be in the same region. Example: myresourcegroup
  • SUBNETNAME / subnetName: Existing subnet within your selected virtual network. Example: mysubnet
  • VMSIZE / vmSize: Size of the new Threat Manager VM being deployed. Default: Standard_A3. Alert Logic recommends the A3 (4 cores, 7 GB memory) size. For more information, see Instance type sizes. Example: Standard_A3
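The CLI prompts for each of these parameters one at a time, and the portal asks for the same values, so it helps to validate the whole set once and keep it in a standard ARM parameters file. The following Python script is an added example, not Alert Logic's code: it checks constructed sample values (not real resources) for internal consistency (osDiskVhdUri must sit inside the named storage account and blob container), renders an ARM parameters file, and builds the azure vm disk upload line from the "Copy Alert Logic Threat Manager vhd" section with the storage key referenced through an environment variable instead of pasted inline, so the key stays out of your shell history and any saved transcript. The storage account and container naming rules are Azure platform rules, not taken from this page. Passing the rendered file to azure group deployment create through its parameters-file option is assumed from Azure CLI 1.0 and should be confirmed with azure group deployment create --help.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample values for the parameters listed above (not real resources).
SAMPLE_PARAMS = {
    "storageAccountName": "mystorageaccount",
    "blobContainerName": "myblobcontainer",
    "osDiskVhdUri": "http://mystorageaccount.blob.core.windows.net/myblobcontainer/al-tmc-image_latest.vhd",
    "availabilitySetName": "myavailabilityset",
    "numberOfInstances": 1,
    "vmName": "mythreatmanager",
    "virtualNetworkName": "myvnet",
    "virtualNetworkResourceGroup": "myresourcegroup",
    "subnetName": "mysubnet",
    "vmSize": "Standard_A3",
}

# Azure naming rules (platform facts, not from this page): storage account 3-24 lowercase
# letters/digits; blob container 3-63 lowercase letters, digits and single hyphens.
STORAGE_NAME = re.compile(r"^[a-z0-9]{3,24}$")
CONTAINER_NAME = re.compile(r"^[a-z0-9](?:-?[a-z0-9])*$")

# Source image the page says to copy from Alert Logic's storage account.
ALERT_LOGIC_IMAGE = "http://alertlogic.blob.core.windows.net/tmcimage/al-tmc-image_latest.vhd"


def validate(params):
    """Return a list of problems; an empty list means the parameter set is consistent."""
    problems = []
    sa = params["storageAccountName"]
    container = params["blobContainerName"]
    if not STORAGE_NAME.match(sa):
        problems.append("storageAccountName must be 3-24 lowercase letters or digits")
    if not (3 <= len(container) <= 63 and CONTAINER_NAME.match(container)):
        problems.append("blobContainerName must be 3-63 lowercase letters, digits or single hyphens")
    # The VHD URI must live in the same account and container the VM is deployed from.
    u = urlparse(params["osDiskVhdUri"])
    expected_host = f"{sa}.blob.core.windows.net"
    if u.scheme not in ("http", "https") or u.netloc != expected_host:
        problems.append(f"osDiskVhdUri host should be {expected_host}")
    parts = u.path.lstrip("/").split("/", 1)
    if len(parts) != 2 or parts[0] != container or not parts[1].endswith(".vhd"):
        problems.append("osDiskVhdUri path should be /<blobContainerName>/<image>.vhd")
    n = params["numberOfInstances"]
    if isinstance(n, bool) or not isinstance(n, int) or n < 1:
        problems.append("numberOfInstances must be a positive integer")
    return problems


def parameters_file(params):
    """Render an ARM parameters file ({'parameters': {name: {'value': ...}}}) after validation."""
    problems = validate(params)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps({
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {name: {"value": value} for name, value in params.items()},
    }, indent=2)


def upload_command(params, key_env="AZURE_STORAGE_KEY"):
    """Build the 'azure vm disk upload' line from this page, with the key taken from an
    environment variable reference rather than pasted into the command."""
    return f'azure vm disk upload {ALERT_LOGIC_IMAGE} {params["osDiskVhdUri"]} "${key_env}"'


if __name__ == "__main__":
    print(upload_command(SAMPLE_PARAMS))
    print(parameters_file(SAMPLE_PARAMS))
```

Export the key in the same session (for example from the Access keys blade value you pasted earlier) before running the printed upload line; the rendered parameters file uses the CLI parameter names from the list above, so the deployment prompts are answered from the file instead of interactively.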

Deploy from Azure portal

Use the following procedure to deploy your Threat Manager VM from the Azure portal.

To deploy Threat Manager VM from the Azure portal:

  1. (Optional) View the Threat Manager ARM template.
  2. Log in to the Azure portal.
  3. Load the Threat Manager ARM template in the Azure portal.
  4. On the Parameters blade, enter values for the required fields, and then click OK.
  5. On Custom deployment blade, enter values for the required fields, and then click Create.
    Your new deployment should successfully create the new Threat Manager VM.

Deploy from Azure CLI

Use the following procedure to deploy your Threat Manager VM from the Azure CLI.

  1. Enter the following command in the Azure CLI to set to Azure Resource Manager (arm) mode:
    # azure config mode arm
    The following response appears:
    info:    Executing command config mode
    info:    New mode is arm
    info:    config mode command OK
    #
    
  2. Enter the following command to find your subscription id:
    # azure account list
    The following response appears:
    info:    Executing command account list
    data:    Name                    Id                                    Current  State
    data:    ----------------------  ------------------------------------  -------  -------
    data:    Alert Logic             xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  true     Enabled
    info:    account list command OK
    #
    
  3. Enter the following command to set the Azure CLI to use your subscription:
    # azure config set subscription [other-subscription-id]

    The following response appears:

    info:    Executing command config set
    info:    Setting "subscription" to value "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    info:    Changes saved
    info:    config set command OK
    #
  4. If you need to create a resource group, perform the following steps:

    If your resource group already exists, you do not need to create a new one.

    1. Enter the following command to retrieve a list of locations.
      # azure location list

      The following response appears:

      info:    Executing command location list
      warn:    The "location list" commands is changed to list subscription's locations. For old information, use "provider list or show" commands.
      info:    Getting locations...
      data:    Name                Display Name         Latitude  Longitude
      data:    ------------------  -------------------  --------  ---------
      data:    eastasia            East Asia            22.267    114.188  
      data:    southeastasia       Southeast Asia       1.283     103.833  
      data:    centralus           Central US           41.5908   -93.6208 
      data:    eastus              East US              37.3719   -79.8164 
      data:    eastus2             East US 2            36.6681   -78.3889 
      data:    westus              West US              37.783    -122.417 
      data:    northcentralus      North Central US     41.8819   -87.6278 
      data:    southcentralus      South Central US     29.4167   -98.5    
      data:    northeurope         North Europe         53.3478   -6.2597  
      data:    westeurope          West Europe          52.3667   4.9      
      data:    japanwest           Japan West           34.6939   135.5022 
      data:    japaneast           Japan East           35.68     139.77   
      data:    brazilsouth         Brazil South         -23.55    -46.633  
      data:    australiaeast       Australia East       -33.86    151.2094 
      data:    australiasoutheast  Australia Southeast  -37.8136  144.9631 
      data:    southindia          South India          12.9822   80.1636  
      data:    centralindia        Central India        18.5822   73.9197  
      data:    westindia           West India           19.088    72.868   
      info:    location list command OK
      #
      
    2. Enter the following command to create a new resource group:
      azure group create -n "your-group-name" -l "location-of-new-group"

      For example,

      # azure group create -n "myResourceGroup" -l "West US"

      The following response appears:

      info:    Executing command group create
      + Getting resource group myResourceGroup                                       
      + Creating resource group myResourceGroup                                      
      info:    Created resource group myResourceGroup
      data:    Id:                  /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup
      data:    Name:                myResourceGroup
      data:    Location:            westus
      data:    Provisioning State:  Succeeded
      data:    Tags: null
      data:    
      info:    group create command OK
      #
      
  5. Enter the following command to create a group deployment:
    azure group deployment create --template-uri https://raw.githubusercontent.com/alertlogic/al-arm-templates/master/threat-manager/shared_vhd/azuredeploy.json [myResourceGroup] [myDeployment]

    where:

    • myResourceGroup—Resource group where to deploy VM
    • myDeployment—Name for your deployment

    The following response appears. When prompted, enter values for the required fields.

    info:    Executing command group deployment create
    info:    Supply values for the following parameters
    storageAccountName: storageaccountname
    blobContainerName: containername
    osDiskVhdUri: http://storageaccountname.blob.core.windows.net/containername/al-tmc-image_latest.vhd
    availabilitySetName: myavset 
    numberOfInstances: 2
    vmName: mythreatmanager
    virtualNetworkName: myvnet
    virtualNetworkResourceGroup: myvnetresourcegroup
    virtualNicName: myvirtnic
    publicNicName: mypubnic
    subnetName: mysubnet
    vmSize: Standard_A3
    + Initializing template configurations and parameters                          
    + Creating a deployment                                                        
    info:    Created template deployment "myDeployment"
    + Waiting for deployment to complete                                           
    data:    DeploymentName     : myDeployment
    data:    ResourceGroupName  : myResourceGroup
    data:    ProvisioningState  : Succeeded
    data:    Timestamp          : 2016-03-01T18:44:41.7279061Z
    data:    Mode               : Incremental
    data:    Name                         Type          Value                                                              
    data:    ---------------------------  ------------  -------------------------------------------------------------------
    data:    storageAccountName                   String        storageaccountname                                                          
    data:    blobContainerName                    String        containername                                                                
    data:    osDiskVhdUri                         String        http://storageaccountname.blob.core.windows.net/containername/al-tmc-image_latest.vhd
    data:    availabilitySetName                  String        myavset                                                        
    data:    numberOfInstances                    Int           2
    data:    adminUsername                        String        alertlogic                                                         
    data:    adminPassword                        SecureString  undefined                                                          
    data:    vmName                               String        mythreatmanager                                                          
    data:    virtualNetworkName                   String        myvnet                                                          
    data:    virtualNetworkResourceGroup          String        myvnetresourcegroup
    data:    virtualNicName                       String        myvirtnic                                                      
    data:    publicNicName                        String        mypubnic                                                      
    data:    subnetName                           String        mysubnet
    data:    vmSize                               String        Standard_A3                                                        
    info:    group deployment create command OK
    #
    

    Your new deployment should successfully create the new Threat Manager VM.

Claim your appliance

To claim your initial appliance, contact Alert Logic. As part of the onboarding process, Alert Logic creates your customer account and claims your appliance.

To contact Alert Logic to claim your appliance: 

  • In the US, call (877) 484-8383 and select the appropriate option.
  • In the EU, call +44 (0) 203 011 5533 and do the same.

After you have set up an account with Alert Logic, you can claim any additional appliances using the manual claim process.

To claim additional appliances after the first:

  1. Log in to the Alert Logic console.
  2. In the Alert Logic console, click the Settings icon, and then click Support Information.
  3. From the Details page, copy your unique registration key.
  4. In a different browser window, navigate to http://[your-vm-ip-address].
  5. Enter the unique registration key obtained in step 3, and then click Claim Appliance.

After you have set up an account with Alert Logic and entered your Azure subscription information, any additional appliances you start using that subscription will be claimed automatically. To check the claim status of an appliance, navigate to http://[your-vm-ip-address] in a browser.

Once a VM is deployed, it might take up to 15 minutes before it has completed initialization and the Claim page becomes available. Once the Claim page is available, it might take an hour or more before the appliance is automatically claimed.

When an appliance is automatically provisioned, the system creates one or two assignment policies, using the following guidelines:

  • Alert Logic creates an assignment policy for each appliance during the provisioning process.
  • If no VNet assignment policy exists, Alert Logic creates one and assigns the appliance to it.
  • If a VNet assignment policy exists, Alert Logic assigns the appliance to it.

Download and install the agent

After the deployment of the virtual machine has completed, you need to download and install the agent. See Install the Alert Logic agent for Linux.

If you have an active RBAC role, and have configured agents to automatically update, the agent you install automatically assigns itself to the local appliance and you need not enter the Unique Registration Key.

Create and apply assignment policy

An assignment policy is a set of rules that indicates to appliances how to handle incoming traffic; the appliance will either accept or ignore the traffic. An assignment policy directs protected hosts to encrypt traffic and send traffic to specific appliances. In a dynamic environment where IP addresses often change, an assignment policy ensures that hosts always correspond to their appliances.

To create an assignment policy:

  1. In the Alert Logic console, click CONFIGURATION, and then click Deployments.
  2. In the left navigation area, click Policies.
  3. Click the Assignment tab.
  4. Click the Add icon.
  5. In Appliance Assignment Policy Name, enter a name.
  6. In Appliances, select an appliance.
  7. Click Save.

To assign a policy to a protected host:

  1. In the Alert Logic console, click CONFIGURATION, and then click Deployments.
  2. Click the All Deployments tile.
  3. In the left navigation pane, click Networks and Hosts, and then click the Protected Hosts tab.
  4. Click the pencil icon for the desired protected host.
  5. Select Use an Existing Assignment Policy.
  6. From the Existing Assignment Policy drop-down menu, select the assignment policy you want to use.
  7. Click SAVE.
