Set up Alert Logic Threat Manager for Microsoft Azure IaaS Marketplace
The Alert Logic Threat Manager deployment from the Microsoft Azure Marketplace creates your virtual appliance in an Azure virtual machine. The Threat Manager virtual appliance collects events from the agent and performs threat analysis.
Before you begin
Review the Requirements for Alert Logic Threat Manager for Microsoft Azure. For your convenience, the Alert Logic agent activates collection for Threat Manager, Log Manager, and Web Security Manager. For more information, contact Technical Support: US: (877) 484-8383, EU: +44 (0) 203 011 5533.
Alert Logic updated the appearance of the Alert Logic console, though all functionality remains. If you elected to use the new console, please note that portions of the product documentation could describe the classic Alert Logic console.
Integrate Threat Manager with Azure deployments
For Alert Logic to protect assets in Microsoft Azure, you must create a user account with specific permissions. Role-Based Access Control (RBAC) enables fine-grained access management for Azure accounts. Assigning an RBAC role to the user account you create grants the minimum access required to allow Alert Logic to monitor your environments.
Deploy Alert Logic Threat Manager
To deploy Alert Logic Threat Manager from the Azure Marketplace:
- Log in to the Microsoft Azure portal.
- Click Marketplace.
- In Search Everything, type Alert Logic, and then press Enter.
- Click Alert Logic Threat Manager - BYOL.
- In the Alert Logic Threat Manager - BYOL blade, in Select a deployment model, select Resource Manager.
- Click Create.
- On the Basics blade, complete the following fields:
- Name: Type a descriptive name for your virtual machine.
- User name: Type a user name for logging in to your virtual machine.
- Authentication type: Click your preferred authentication type for logging in to your virtual machine:
- Password: If selected, provide password information.
- SSH public key: If selected, provide SSH public key.
- Subscription: Select the subscription under which to create your virtual machine.
- Resource group: Specify the resource group to contain all your Azure Threat Manager VM resources. You can create a new resource group, or select an existing resource group. Alert Logic recommends that you create a resource group to manage all your Alert Logic assets.
- Location: Select the geographic location for your virtual machine. You should select the same region as the virtual machines you plan to monitor.
Microsoft requires users to fill out the authentication fields (Authentication type and SSH public key/Password). For security purposes, Alert Logic does not allow client access to appliances. The provided credentials for the authentication fields do not grant access to the Alert Logic appliance. If this is an issue, please contact Alert Logic Technical Support.
- Click OK.
- On the Choose a size blade, select a size and pricing tier for your virtual machine, and then click Select. Alert Logic appliances require a minimum virtual machine size of 4 cores and 7 GB memory.
- On the Settings blade, review the preconfigured values for each field, and then click OK. Most fields have additional settings that are not displayed on the Settings blade. To see all settings, expand each field.
- After validation, review the Summary information, and then click OK.
- On the Purchase blade, review the details, and then click Purchase.
Update Network Security Group rules
Once the appliance runs, you must create rules that allow inbound and outbound communication with Alert Logic.
To update Network Security Group rules for the Threat Manager virtual appliance:
- Log in to the Microsoft Azure portal.
- In the left navigation, click Resource groups.
- Click your resource group.
- On your resource group blade, click your Network security group resource.
- On the Settings blade, click either Inbound security rules, or Outbound security rules.
- Click Add on the top banner of the blade.
- Enter the information for the rules according to the tables:
- Click OK.
Repeat this procedure for each of the listed inbound and outbound rules.
Claim your appliance
To claim with an RBAC role
With an RBAC role, Threat Manager automatically claims the appliance.
When an appliance is automatically provisioned, the system creates one or two assignment policies, using the following guidelines:
- Alert Logic creates an assignment policy for each appliance during the provisioning process.
- If no VNet assignment policy exists, Alert Logic creates one and assigns the appliance to it.
- If a VNet assignment policy exists, Alert Logic assigns the appliance to it.
After you have set up an account and entered your Azure subscription information, any additional appliances started under that subscription are claimed automatically. To check the claim status of an appliance, open a browser and navigate to http://[your-vm-ip-address].
To claim manually
To manually claim your appliance, contact Alert Logic. As part of the onboarding process, Alert Logic creates your customer account and claims your appliance.
To contact Alert Logic to claim your appliance:
- In the US, call (877) 484-8383 and select the appropriate option.
- In the EU, call +44 (0) 203 011 5533 and do the same.
After you set up an account with Alert Logic, you can claim additional appliances with the manual claim process.
To manually claim additional appliances:
- In the Alert Logic console, click the Settings icon, and then click Support Information.
- Click the Details tab.
- Copy your unique registration key.
- Open another browser window, and then navigate to http://[your-vm-ip-address].
- Enter the unique registration key you copied, and then click Claim Appliance.
A deployed VM can take up to 15 minutes to complete initialization and make the Claim page available. Once the Claim page is available, the appliance can take an hour or more to be claimed automatically.
Download and install the agent
After the deployment of the virtual machine is complete, you must download and install the agent. See Install the Alert Logic agent for Windows or Install the Alert Logic agent for Linux.
If you have an active RBAC role, and have configured agents to automatically update, the agent you install automatically assigns itself to the local appliance and you need not enter the Unique Registration Key.
Create and apply assignment policy
An assignment policy is a set of rules that indicates to appliances how to handle incoming traffic; the appliance will either accept or ignore the traffic. An assignment policy directs protected hosts to encrypt traffic and send traffic to specific appliances. In a dynamic environment where IP addresses often change, an assignment policy ensures that hosts always correspond to their appliances.
To create an assignment policy:
- In the Alert Logic console, click CONFIGURATION, and then click Deployments.
- In the left navigation area, click Policies.
- Click the Assignment tab.
- Click the Add icon.
- In Appliance Assignment Policy Name, enter a name.
- In Appliances, select an appliance.
- Click Save.
To assign a policy to a protected host:
- In the Alert Logic console, click CONFIGURATION, and then click Deployments.
- Click the All Deployments tile.
- In the left navigation pane, click Networks and Hosts, and then click the Protected Hosts tab.
- Click the pencil icon for the desired protected host.
- Select Use an Existing Assignment Policy.
- From the Existing Assignment Policy drop-down menu, select the assignment policy you want to use.
- Click SAVE.