Alert Logic Threat Manager for Microsoft Azure IaaS Manual Deployment (Windows)

Alert Logic recommends the Alert Logic Threat Manager - BYOL deployment through the Azure Marketplace as the preferred deployment method. The manual deployment described here is intended for expert-level users who need to install the appliance by hand for control or customization purposes.

Deployment overview

The following sections provide an overview of manually deploying Threat Manager in Azure.

Azure Resource Manager (ARM) template

Threat Manager deployment in Azure uses an Azure Resource Manager (ARM) custom template to deploy its appliance on a virtual machine. The Threat Manager ARM template handles many of the details of the deployment automatically for you, including the following:

  • Creates the virtual machine which serves as the Threat Manager virtual appliance. The Threat Manager virtual appliance collects events from the agent and performs threat analysis.
  • Creates an availability set.
  • Creates the required Network Security Group and defines all necessary inbound and outbound rules.
    Note: The rules defined with manual deployment differ from those defined through the Azure Marketplace deployment, so review them after deployment rather than assuming they match a Marketplace appliance.

You can deploy using the ARM template through the Azure Portal or PowerShell.

ARM deployment is the only supported method for the Threat Manager Virtual Machine (VM) in Azure. Classic deployment is no longer supported.

Process Overview

The following list describes the overall process of manually deploying Threat Manager in Azure:

  1. Review Prerequisites. Make sure you have your Azure account created and have reviewed requirements.
  2. Prepare for deployment. In this step, you set up Azure CLI, create required resources, and copy the Threat Manager vhd to your Azure environment.
  3. Deploy Threat Manager VM. You can deploy using the Azure Portal or Azure PowerShell.
  4. Claim your appliance.
  5. Download and install the agent.
  6. Create and apply assignment policy.

Prerequisites

  • Azure account—Microsoft Azure account used to deploy Threat Manager VM
  • Requirements—Requirements specific to the deployment of Threat Manager in Azure, including firewall rules, virtual machine sizing specifications, endpoints and Access Control List (ACL) entries

Prepare for deployment

Preparing for deployment can be done in the Azure Portal, in Azure PowerShell, or in a mix of the two. Use the following processes to prepare for deployment:

  1. Set up Microsoft Azure PowerShell.
  2. Create required resources in the Azure portal or Azure PowerShell.

Set up Microsoft Azure PowerShell

If you have not done so already, use the Microsoft directions to install and configure Azure PowerShell. The cmdlets shown on this page are from the AzureRM module (Login-AzureRmAccount, New-AzureRmResourceGroup, and so on). Microsoft has since retired AzureRM in favor of the Az module, whose cmdlets take the same parameters under new names (Connect-AzAccount, New-AzResourceGroup); if you run these procedures with the Az module, either translate the names or run Enable-AzureRmAlias first so that the AzureRM names resolve.

Required resources

The following Azure resources are required and must exist prior to Threat Manager VM deployment:

  • Resource group—A container, or logical grouping, of resources related to your Threat Manager deployment.
    • Storage account—The location in Azure where your containers, Threat Manager vhd, and Alert Logic security appliances are stored and deployed.
      • Storage account access key—When you create a storage account, Microsoft Azure creates a primary and secondary 512-bit storage access key. Use the primary key to transfer the Threat Manager appliance image from Alert Logic to your Azure environment. Either key grants full read and write access to everything in the storage account, so treat it as a secret: keep it out of scripts that are checked into source control and out of shared documents, and regenerate it once the image transfer is complete.
      • Blob container—The container to store the virtual machine and Threat Manager virtual appliance image.
  • Virtual network—A virtual network in your Azure account which your Threat Manager VM will become part of.
    • Subnet—A subnet within the specified virtual network.
    • Virtual network resource group—The resource group that contains the virtual network and subnet. The virtual network resource group must be in the same region as the resource group you are deploying your VM instances to.

This list of resources is comprehensive. You may already have some of these resources defined in your Azure environment which you can use. If not, you must create them before you can create your VM.

If you are going to use existing resources, Alert Logic recommends keeping them all in one resource group dedicated to Threat Manager, separated from other resources. At a minimum, the virtual network and the resource group you deploy the VM into must be in the same region.

Create required resources in Azure portal:

  1. Log in to the Azure portal.
  2. Create a new storage account (and resource group, if needed) using the following steps.
    Note: See Azure Storage Account for more information.
    1. On the Hub menu, select New, Data + Storage, Storage account.
    2. Enter the following information on the Create storage account resource management page (blade):
      • Name—Type a unique descriptive name for the storage account.
      • Deployment model—Select Resource Manager. (Classic deployment is not supported.)
      • Account kind—Select General purpose.
      • Performance—Select the type of storage you prefer: Standard or Premium.
      • Replication—Select the replication option that meets your availability requirements. Geo-Redundant storage (GRS) replicates your data to a paired secondary region, providing protection against a regional outage; Locally Redundant storage (LRS), which the PowerShell procedure below uses, keeps three copies within a single region.
      • Subscription—Select the subscription in which you want to create the new storage account.
      • Resource group—Specify a new resource group or select an existing resource group.
      • Location—Select the geographic location for your storage account. Use the same region as the virtual network and the VM you will deploy, because the VM is created from the VHD held in this storage account. The appliance must also be created in the same virtual network where the agents are located, so that the appliances and agents can communicate over the network.
    3. Click Create to create the storage account.
    The new storage account and resource group (if applicable) are created.
  3. After your storage account has been created, copy your storage account access key, as follows:
    Note: See Azure storage access key for more information.
    1. Locate your storage account and open its resource management page.
    2. Click the Keys icon.
    3. On the Access keys blade, click the copy button to copy your primary key (key1). You will need it later when you copy the Threat Manager VHD; keep it in a password manager or a PowerShell variable rather than a plain text file, and regenerate the key once the copy is done.
  4. Create a Blob storage container within your storage account, as follows:
    1. On your storage account blade, under Services, click Blobs.
    2. On the Blob service blade, click the + Container icon.
    3. Enter the following information on the New container blade:
      • Name—Type a name for your new container.
      • Access type—Select Private, so that the appliance image cannot be read anonymously.
    4. Click Create.
    The new Blob storage container is created.
  5. Create your virtual network, as follows:
    1. On the Hub menu, select New, Networking, Virtual Network.
    2. On the Virtual Network blade, select Resource Manager for the deployment model, and click Create.
    3. Enter the following information on the Create virtual network blade:
      • Name—Enter a descriptive name for your virtual network.
      • Address space—Enter the address range for your virtual network.
      • Subnet name—Enter the name for a subnet.
      • Subnet address range—Enter the address range for the subnet.
      • Subscription—Select the subscription in which you want to create the new virtual network.
      • Resource group—Specify a new resource group or select an existing resource group. Alert Logic recommends that you use the same resource group for all your Threat Manager resources.
      • Location—Select the geographic location for your virtual network. The virtual network must be in the same region as the resource group you are deploying your instances to and as the storage account that holds the Threat Manager VHD.

    4. Click Create.
      The new virtual network and resource group (if applicable) are created, which completes the creation of all required resources prior to VM deployment.

To create required resources in Azure PowerShell:

  1. Log in to your Azure account with the following command:

    Login-AzureRmAccount

    A login box pops up. Enter your login information. The following response appears, showing your account information (including the SubscriptionId you will need when you deploy):

    Login-AzureRmAccount
    Environment  : AzureCloud
    Account      : someone@example.com
    ...
  2. Create a resource group.

    1. To see a list of existing resource group locations, enter the following code:

      Get-AzureRmLocation | sort Location | Select Location

      The following response appears:

      Location
      --------
      australiaeast
      australiasoutheast
      brazilsouth
      canadacentral
      canadaeast
      centralindia
      centralus
      eastasia
      eastus
      eastus2
      japaneast
      japanwest
      northcentralus
      northeurope
      southcentralus
      southeastasia
      southindia
      westeurope
      westindia
      westus
    2. Choose a location from the list, for example, westus. Enter the following code to create a variable:

      $locName = "westus"
    3. Enter the following code to set a name for your new resource group, for example, myresourcegroup:

      $rgName = "myresourcegroup"
    4. Create the resource group. Enter the following code:

      New-AzureRmResourceGroup -Name $rgName -Location $locName
    5. If your command was successful, the following response appears:

      ResourceGroupName : myresourcegroup
      Location          : westus
      ProvisioningState : Succeeded
      Tags              :
      ResourceId        : /subscriptions/######/resourceGroups/myresourcegroup
  3. Create a storage account.

    1. Choose a name for your storage account. Names must be between three and 24 characters in length, and can only contain lowercase letters and/or numbers. Enter the following code to create your name:

      $stName = "mystorageaccount"
    2. Check the name of your storage account to make sure it is unique in the system. Enter the following code:

      Get-AzureRmStorageAccountNameAvailability $stName

      If NameAvailable in the returned object is True, the name is unique. If it is False, the Reason and Message fields explain why (for example, the name is already taken or is not valid).

    3. Enter the following code to create the storage account:

      $storageAcc = New-AzureRmStorageAccount -ResourceGroupName $rgName -Name $stName -SkuName "Standard_LRS" -Kind "Storage" -Location $locName
  4. Create a virtual network.

    1. Enter the following code to set a name for the subnet:

      $subnetName = "mysubnet"
    2. Create the subnet. Enter the following code:

      $singleSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix 10.0.0.0/24
    3. Enter the following code to set a name for the virtual network:

      $vnetName = "myvnet"
    4. Create the virtual network with the subnet. Enter the following code:

      $vnet = New-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rgName -Location $locName -AddressPrefix 10.0.0.0/16 -Subnet $singleSubnet
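The steps above create the resource group, storage account and virtual network, but the overview also requires a blob container, the storage key, and a copy of the Threat Manager VHD in that container before the ARM template can be used. The script below is an added example (not Alert Logic's or Microsoft's code) that performs all of the preparation in one pass with the same AzureRM cmdlets, adds the checks a practitioner would want (name validity, region consistency, private container, page-blob type), and reads the storage key into a variable instead of a text file. The source image URL, resource names and address ranges are placeholders; Alert Logic supplies the real image location during onboarding.

```powershell
# Added example: prepare Azure resources and copy the Threat Manager VHD.
# Not Alert Logic's or Microsoft's code. All names and the source URI are placeholders.
$ErrorActionPreference = 'Stop'

$locName       = 'westus'
$rgName        = 'myresourcegroup'
$stName        = 'mystorageaccount'
$containerName = 'myblobcontainer'
$vhdBlobName   = 'al-tmc-image_latest.vhd'
# Assumption: Alert Logic provides the source image URL (with any SAS token) during onboarding.
$sourceVhdUri  = 'https://<alertlogic-source>/al-tmc-image_latest.vhd?<sas-token>'

Login-AzureRmAccount | Out-Null

# Resource group: reuse it if it already exists.
if (-not (Get-AzureRmResourceGroup -Name $rgName -ErrorAction SilentlyContinue)) {
    New-AzureRmResourceGroup -Name $rgName -Location $locName | Out-Null
}

# Storage account: 3-24 lowercase letters/digits, globally unique.
if ($stName -notmatch '^[a-z0-9]{3,24}$') { throw "Invalid storage account name: $stName" }
$avail = Get-AzureRmStorageAccountNameAvailability -Name $stName
if ($avail.NameAvailable) {
    New-AzureRmStorageAccount -ResourceGroupName $rgName -Name $stName `
        -SkuName 'Standard_LRS' -Kind 'Storage' -Location $locName | Out-Null
} else {
    # Name already taken: confirm it is ours and in the region the VM will use.
    $existing = Get-AzureRmStorageAccount -ResourceGroupName $rgName -Name $stName
    if ($existing.Location -ne $locName) {
        throw "Storage account $stName is in $($existing.Location), not $locName"
    }
}

# Primary key, kept in memory only (older AzureRM versions expose .Key1 instead of [0].Value).
$key = (Get-AzureRmStorageAccountKey -ResourceGroupName $rgName -Name $stName)[0].Value
$ctx = New-AzureStorageContext -StorageAccountName $stName -StorageAccountKey $key
Remove-Variable key

# Private container: -Permission Off means no anonymous access to the appliance image.
if (-not (Get-AzureStorageContainer -Name $containerName -Context $ctx -ErrorAction SilentlyContinue)) {
    New-AzureStorageContainer -Name $containerName -Permission Off -Context $ctx | Out-Null
}

# Server-side copy of the VHD into the container, then wait for it to finish.
Start-AzureStorageBlobCopy -AbsoluteUri $sourceVhdUri -DestContainer $containerName `
    -DestBlob $vhdBlobName -DestContext $ctx | Out-Null
$state = Get-AzureStorageBlobCopyState -Container $containerName -Blob $vhdBlobName `
    -Context $ctx -WaitForComplete
if ($state.Status -ne 'Success') { throw "VHD copy ended with status $($state.Status)" }

# An OS disk VHD must be a page blob; a block blob will fail at VM creation.
$blob = Get-AzureStorageBlob -Container $containerName -Blob $vhdBlobName -Context $ctx
if ($blob.BlobType -ne 'PageBlob') {
    throw "$vhdBlobName is a $($blob.BlobType); OS disk VHDs must be page blobs"
}
"osDiskVhdUri for the ARM template: $($blob.ICloudBlob.Uri.AbsoluteUri)"

# Virtual network and subnet in the same region as the storage account.
$singleSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name 'mysubnet' -AddressPrefix '10.0.0.0/24'
New-AzureRmVirtualNetwork -Name 'myvnet' -ResourceGroupName $rgName -Location $locName `
    -AddressPrefix '10.0.0.0/16' -Subnet $singleSubnet | Out-Null
```

The printed osDiskVhdUri is the value to supply for the OSDISKVHDURI parameter in the deployment step. After the copy succeeds, regenerate the storage key (New-AzureRmStorageAccountKey) so that the key used for the transfer is no longer valid.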

Deploy Threat Manager VM

To deploy your Threat Manager VM, Alert Logic provides a custom Azure Resource Manager (ARM) template. You can deploy the template from the Azure portal or the Azure PowerShell.

Deployment of the Threat Manager VM using the provided ARM template assumes the following prerequisites have been addressed:

  • The following Azure resources exist:
    • Resource group, storage account, blob container, virtual network resource group, virtual network, subnet
  • The Threat Manager vhd has been copied to your storage account.

You can use the Azure Resource Manager Template Visualizer (ArmViz) to graphically display the deployment template.

The provided ARM template performs the following actions for you:

  • Creates virtual machine, which serves as the Threat Manager appliance
  • Creates availability set
  • Creates Network Security Group and defines necessary inbound rules. Alert Logic requires inbound access to the appliance over SSH port 22 and HTTP port 80. Scope the source of those rules to the Alert Logic address ranges listed in the Requirements and to the administrative networks that need to reach the claim page, rather than leaving them open to all sources.
    Note: The rules defined with manual deployment differ from those defined through the Azure Marketplace deployment.

Deployment Parameters

When using the Threat Manager ARM template, you must supply values for required parameters. Refer to the following table when using the deployment procedures.

Some of the parameters are slightly different between Azure Portal deployment and Azure PowerShell deployment methods, as shown in the following table.

Each entry below gives the portal field name, then the PowerShell parameter name, followed by the description and an example value.

  • Resource group / ResourceGroupName: The resource group where the VM instance will be created. Example: myresourcegroup
  • Resource group location / Location: If you are creating a new resource group, provide its location. Note: The resource group that you are deploying your VM instances to and the resource group containing your virtual network and subnet must be in the same region. Example: westus
  • STORAGEACCOUNTNAME / storageAccountName: Name of the storage account that holds the Threat Manager VHD and from which the VM will be deployed. Example: mystorageaccount
  • BLOBCONTAINERNAME / blobContainerName: Blob container within your storage account that holds the Threat Manager VHD. Example: myblobcontainer
  • OSDISKVHDURI / osDiskVhdUri: Fully qualified URL of the Threat Manager VHD that you copied to your storage account. Example: http://mystorageaccount.blob.core.windows.net/myblobcontainer/al-tmc-image_latest.vhd
  • AVAILABILITYSETNAME / availabilitySetName: Availability set name for the Threat Manager VMs. Note: The availability set is created if it does not exist. Example: myavailabilityset
  • NUMBEROFINSTANCES / numberOfInstances: Number of virtual instances to deploy. Example: 1
  • VMNAME / vmName: Name of the new Threat Manager VM being deployed. Example: awesome-new-threat-manager-vm
  • VIRTUALNETWORKNAME / virtualNetworkName: Name of your virtual network. Example: myvnet
  • VIRTUALNETWORKRESOURCEGROUP / virtualNetworkResourceGroup: Name of the existing resource group containing your virtual network. Note: The resource group that you are deploying your VM instances to and the resource group containing your virtual network and subnet must be in the same region. Example: myresourcegroup
  • SUBNETNAME / subnetName: Existing subnet within your selected virtual network. Example: mysubnet
  • VMSIZE / vmSize: Size of the new Threat Manager VM being deployed. Default: Standard_A3. Alert Logic recommends the A3 (4 cores, 7 GB memory) size. For more information, see Instance type sizes. Example: Standard_A3

Deploy from Azure portal

Use the following procedure to deploy your Threat Manager VM from the Azure portal.

  1. (Optional) View the Threat Manager ARM template.
  2. Log in to the Azure portal.
  3. Load the Threat Manager ARM template in the Azure portal as a custom deployment.
  4. On the Parameters blade, enter values for the required fields, and then click OK.
  5. On Custom deployment blade, enter values for the required fields, and then click Create.
    Your new deployment should successfully create the new Threat Manager VM.

Deploy from Azure PowerShell

Use the following procedure to deploy your Threat Manager VM from the Azure PowerShell.

  1. Log in to your Azure account. The following response appears, showing your account information:

    Login-AzureRmAccount
    Environment  : AzureCloud
    Account      : someone@example.com
    ...
  2. Enter the following command to select the subscription you want to deploy into:

    Select-AzureRmSubscription -SubscriptionId <YourSubscriptionID>

    Your subscription ID appeared as SubscriptionId in the PowerShell response when you logged in to your Azure account.

  3. Enter the following command to create a deployment in your resource group:

    New-AzureRmResourceGroupDeployment -Name ExampleDeployment -ResourceGroupName myresourcegroup -TemplateFile <PathToTemplate>

    Use -TemplateFile for a template stored on local disk and -TemplateUri for a template served from a URL; the two parameters are mutually exclusive.

    The following response appears, and PowerShell then prompts for every template parameter that has no default value:

    cmdlet New-AzureRmResourceGroupDeployment at command pipeline position 1
    Supply values for the following parameters:
  4. Enter a value for each parameter that appears, using the parameter table for reference.

  5. When the resource group deploys successfully, the following response appears:

    DeploymentName    : ExampleDeployment
    ResourceGroupName : myresourcegroup
    ProvisioningState : Succeeded
    Timestamp         : 8/14/2016 7:00:27 PM
    Mode              : Incremental
    ...
  6. If you want to run a complete deployment, set Mode to Complete. Complete mode deletes every resource in the resource group that the template does not declare; in the single-resource-group layout recommended above that includes the storage account holding the VHD and the virtual network. Use it only in a resource group that contains nothing but the template's own resources. A prompt appears asking you to confirm that you want to run a complete deployment.

    New-AzureRmResourceGroupDeployment -Name ExampleDeployment -Mode Complete -ResourceGroupName myresourcegroup -TemplateFile <PathOrLinkToTemplate> 
       Confirm
       Are you sure you want to use the complete deployment mode? Resources in the resource group 'myresourcegroup' which are not included in the template will be deleted.
       [Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
  7. If the deployment fails, enter the following command to see its provisioning state and the error details recorded for the deployment:

    Get-AzureRmResourceGroupDeployment -ResourceGroupName myresourcegroup -Name ExampleDeployment
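The interactive procedure above prompts for each parameter and leaves you to dig through the deployment state if something fails. The script below is an added example (not Alert Logic's or Microsoft's code) of the same deployment run non-interactively: it passes the parameters from the table as a parameter object, checks the region requirement before touching Azure, validates the template with Test-AzureRmResourceGroupDeployment, surfaces per-resource error messages on failure, and finally lists the inbound NSG rules the template created so that their sources can be reviewed. The template path, subscription ID and all parameter values are placeholders.

```powershell
# Added example: non-interactive Threat Manager ARM deployment with pre-flight checks.
# Not Alert Logic's or Microsoft's code. Template path and values are placeholders.
$ErrorActionPreference = 'Stop'

$rgName       = 'myresourcegroup'
$templateFile = 'C:\deploy\threat-manager-template.json'   # or -TemplateUri with a URL
$deployName   = "tm-deploy-$(Get-Date -Format yyyyMMddHHmm)"

# Parameter names as listed in the parameter table; values are examples only.
$params = @{
    storageAccountName          = 'mystorageaccount'
    blobContainerName           = 'myblobcontainer'
    osDiskVhdUri                = 'https://mystorageaccount.blob.core.windows.net/myblobcontainer/al-tmc-image_latest.vhd'
    availabilitySetName         = 'myavailabilityset'
    numberOfInstances           = 1
    vmName                      = 'threat-manager-vm'
    virtualNetworkName          = 'myvnet'
    virtualNetworkResourceGroup = 'myresourcegroup'
    subnetName                  = 'mysubnet'
    vmSize                      = 'Standard_A3'
}

Login-AzureRmAccount | Out-Null
Select-AzureRmSubscription -SubscriptionId '<YourSubscriptionID>' | Out-Null

# Region check from the parameter table: VNet and target resource group must match.
$rg   = Get-AzureRmResourceGroup -Name $rgName
$vnet = Get-AzureRmVirtualNetwork -Name $params.virtualNetworkName `
            -ResourceGroupName $params.virtualNetworkResourceGroup
if ($vnet.Location -ne $rg.Location) {
    throw "VNet is in $($vnet.Location) but resource group $rgName is in $($rg.Location)"
}
if (-not ($vnet.Subnets.Name -contains $params.subnetName)) {
    throw "Subnet $($params.subnetName) not found in $($vnet.Name)"
}

# Pre-flight: validates template syntax and parameter values without creating anything.
$problems = Test-AzureRmResourceGroupDeployment -ResourceGroupName $rgName `
    -TemplateFile $templateFile -TemplateParameterObject $params
if ($problems) { $problems | Format-List; throw 'Template validation failed' }

# Incremental mode (the default) leaves the storage account and VNet in this resource
# group alone; Complete mode would delete anything the template does not declare.
$deployment = New-AzureRmResourceGroupDeployment -Name $deployName -ResourceGroupName $rgName `
    -TemplateFile $templateFile -TemplateParameterObject $params -Mode Incremental

if ($deployment.ProvisioningState -ne 'Succeeded') {
    # The per-resource operations carry the real error, not just the overall state.
    Get-AzureRmResourceGroupDeploymentOperation -DeploymentName $deployName -ResourceGroupName $rgName |
        Where-Object { $_.Properties.ProvisioningState -eq 'Failed' } |
        ForEach-Object { $_.Properties.StatusMessage }
    throw "Deployment $deployName ended in state $($deployment.ProvisioningState)"
}

# Review the inbound allow rules the template created (SSH 22 and HTTP 80 are required).
# Any rule whose source is '*' or 'Internet' should be narrowed to the Alert Logic
# address ranges from the Requirements and to your own administrative networks.
Get-AzureRmNetworkSecurityGroup -ResourceGroupName $rgName | ForEach-Object {
    $nsg = $_
    $nsg.SecurityRules |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' } |
        Select-Object @{n='NSG';e={$nsg.Name}}, Name, Priority, Protocol,
            SourceAddressPrefix, DestinationPortRange |
        Format-Table -AutoSize
}
```

Running the validation step first means a typo in a parameter name or a VHD URI that does not resolve is reported before any resource is created, and the rule listing at the end gives you the concrete NSG rule names to tighten with Set-AzureRmNetworkSecurityRuleConfig once the appliance is claimed.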

Claim your appliance

To claim your initial appliance, contact Alert Logic. As part of the onboarding process, Alert Logic creates your customer account and claims your appliance.

To contact Alert Logic to claim your appliance: 

  • In the US, call (877) 484-8383 and select the appropriate option.
  • In the EU, call +44 (0) 203 011 5533 and do the same.

To claim additional appliances after the first:

After you have set up an account with Alert Logic, you can claim any additional appliances using the manual claim process.

  1. In a browser window, log in to the Alert Logic console and navigate to Threat Manager.
  2. Navigate to the Support page and click the Downloads tab. From the top of the Downloads screen, copy your unique registration key.
  3. In a different browser window, navigate to http://[your-vm-ip-address].
  4. Enter the unique registration key obtained in step 2 and then click Claim Appliance.

After you have set up an account with Alert Logic and entered your Azure subscription information, any additional appliances you start using that subscription are claimed automatically. To check the claim status of an appliance, navigate to http://[your-vm-ip-address] in a browser.

Once a VM is deployed, it might take up to 15 minutes before it has completed initialization and the Claim page becomes available. Once the Claim page is available, it might take an hour or more before the appliance is automatically claimed.
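Rather than refreshing a browser for up to 15 minutes, the appliance's address can be looked up from its network interface and the claim page polled until it answers. The script below is an added example (not Alert Logic's code) that does this with the AzureRM cmdlets used on this page; it assumes the VM name used at deployment, that the script runs somewhere that can reach the appliance's private address, and treats any HTTP response as "initialization finished". The claim page is served over plain HTTP, so the registration key entered on it is not encrypted in transit; reach it from inside the virtual network or over a VPN rather than across the Internet.

```powershell
# Added example: wait for the Threat Manager claim page to become available.
# Not Alert Logic's code. Resource group and VM name are placeholders.
$ErrorActionPreference = 'Stop'

$rgName  = 'myresourcegroup'
$vmName  = 'threat-manager-vm'
$timeout = New-TimeSpan -Minutes 15     # initialization can take up to 15 minutes

# Resolve the VM's first NIC and its private address.
$vm    = Get-AzureRmVM -ResourceGroupName $rgName -Name $vmName
$nicId = $vm.NetworkProfile.NetworkInterfaces[0].Id
$nic   = Get-AzureRmNetworkInterface | Where-Object { $_.Id -eq $nicId }
$ip    = $nic.IpConfigurations[0].PrivateIpAddress   # swap for the public IP if polling from outside the VNet
$claimUrl = "http://$ip/"

$deadline = (Get-Date) + $timeout
$ready = $false
do {
    try {
        $resp  = Invoke-WebRequest -Uri $claimUrl -UseBasicParsing -TimeoutSec 10
        $ready = $true
        "Claim page is up (HTTP $($resp.StatusCode)); open $claimUrl in a browser to claim or check status."
    } catch {
        "Not ready yet ($($_.Exception.Message)); retrying in 30 s"
        Start-Sleep -Seconds 30
    }
} while (-not $ready -and (Get-Date) -lt $deadline)

if (-not $ready) { throw "Claim page at $claimUrl did not respond within $($timeout.TotalMinutes) minutes" }
```

Once the page responds, the manual claim steps above (registration key from the Downloads tab, then Claim Appliance) apply; automatically claimed appliances may still take an hour or more after this point to show as claimed.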

When an appliance is automatically provisioned, the system creates one or two assignment policies, using the following guidelines:

  • Alert Logic creates an assignment policy for each appliance during the provisioning process.
  • If no VNet assignment policy exists, Alert Logic creates one and assigns the appliance to it.
  • If a VNet assignment policy exists, Alert Logic assigns the appliance to it.

Download and install the agent

After the deployment of the virtual machine has completed, you need to download and install the agent. See Install the Alert Logic agent.

If you have an active RBAC role, and have configured agents to automatically update, the agent you install automatically assigns itself to the local appliance and you need not enter the Unique Registration Key.

Create and apply assignment policy

An assignment policy is a set of rules that tells appliances how to handle incoming traffic: the appliance either accepts or ignores it. An assignment policy also directs protected hosts to encrypt their traffic and send it to specific appliances. In a dynamic environment where IP addresses change often, an assignment policy ensures that hosts always correspond to their appliances.

To create an assignment policy:

  1. In the Alert Logic console, click CONFIGURATION, and then click Deployments.
  2. In the left navigation area, click Policies.
  3. Click the Assignment tab.
  4. Click the Add icon.
  5. In Appliance Assignment Policy Name, enter a name.
  6. In Appliances, select an appliance.
  7. Click Save.

To assign a policy to a protected host:

  1. In the Alert Logic console, click CONFIGURATION, and then click Deployments.
  2. Click the All Deployments tile.
  3. In the left navigation pane, click Networks and Hosts, and then click the Protected Hosts tab.
  4. Click the pencil (edit) icon for the desired protected host.
  5. Select Use an Existing Assignment Policy.
  6. From the Existing Assignment Policy drop-down menu, select the assignment policy you want to use.
  7. Click SAVE.
