Installing a Modular Sensor in Azure

This topic describes how to install a Modular Sensor in a Microsoft Azure environment. The sections below cover site preparation, authorizing the Stellar Cyber software images, the Azure installation script and its variables, applying a token to the installed sensor, and optional post-installation configuration.

Use our example as a guideline, as you might be using a different software version.

Stellar Cyber does not support the installation of third-party software on its virtual or physical device sensors.

About Modular Sensors

Sensors provide the data gathering foundation for Stellar Cyber's OpenXDR platform, gathering the right data with context. Modular sensors are purpose-built Stellar Cyber sensors that include both the host and the Stellar Cyber monitoring software. They are provided as both physical devices (Photon sensors) and virtual machine images for different target environments.

Previous releases provided a variety of different types of device sensors, including Network, Security, and Modular. Going forward, the only type of device sensor is Modular. You can use the Modular Sensor Profile to enable whatever sensor features you like, creating the same functionality provided by the different sensor types in previous releases.

A modular sensor lets you easily add the features you like to your sensor. This helps simplify your deployment and lets you manage the VM requirements for the sensors based on the modular features they use.

Modular Sensors always include log ingestion. From there, you can enable different features as part of your modular sensor profile:

  • Enable the Network Traffic feature to monitor the virtual environment, the physical environment if connected to the span port of a physical switch, or the LAN segment via a mirror port on a switch. The sensor monitors network and server response times and can identify applications.

    The sensor converts that information to metadata and forwards it to the DP as Interflow. The DP can then provide security, DDoS, and breach attempt detections.

  • Enable the Sandbox and IDS features to improve your security posture:

    • Sandbox lets you detect malware in files and network traffic through Stellar Cyber's integrated cloud service and also provides anti-virus services.
    • IDS lets you detect intrusion attempts using both files and network traffic.

Keep in mind that VM resource requirements increase as you add more features to the Modular Sensor Profile. Refer to Modular Sensor Specifications for details on the resources required to run different combinations of features in a Modular Sensor Profile, as well as how to use the show module and show module request CLI commands to compare provisioned resources against those required to run specific feature combinations. Stellar Cyber only enables a Modular Sensor Profile on a sensor if the host VM's resources can support it.

Site Preparation

Review the minimum system requirements for installing a modular sensor (see Modular Sensor Specifications). Then, select an Azure instance type that meets the stated requirements for your expected sensor workload.

The installation script provided below uses the following Azure instance type:

  • Modular Sensor – Standard_B12ms

Keep in mind that this is an example instance type that meets the requirements stated in Virtual Appliance Sizing Specifications. You can select another instance type with the necessary vCPUs and RAM for your expected workload, as stated in the system requirements.

To prepare for the installation:

  1. Open firewall ports for log ingestion.

  2. Open firewall ports for the features you plan on enabling in the Modular Sensor Profile for this sensor.

  3. Contact Stellar Cyber support (support@stellarcyber.ai) to have the SaaS Modular sensor image for Azure deployed in your region. You will need to provide the Azure region for the sensors you are installing.

    Do this at least a day before installing, so we have enough time to deploy the images to your region.

Authorizing the Stellar Cyber Software Images

You must authorize the Stellar Cyber software images so that they are available in the Azure portal:

Use our example as a guideline, as you might be using a different software version.

  1. Log in to your Azure portal at https://portal.azure.com/. The Dashboard appears.

  2. Click Azure Active Directory. The Overview appears.

  3. Click Properties.

    The Properties page appears.

  4. Copy the Tenant ID.

    You need the Tenant ID both in the following step and later in the procedure.

  5. Put your Tenant ID in the following URL and paste it in your browser:

    https://login.microsoftonline.com/<tenant id>/oauth2/authorize?client_id=58238038-43b4-4446-8260-0fa97ace1085&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com%2F

    The Permissions requested message appears.

  6. Click Consent on behalf of your organization.

  7. Click Accept.

  8. Click Enterprise Applications.

    The Enterprise applications | All applications page appears.

  9. Search for Stellar. The Stellar Cyber applications that you authorized appear.

    If you don't see any Stellar Cyber applications, contact Stellar Cyber support.

  10. You can either create a new Resource Group for the deployment or deploy into an existing group. Use this step to create a new Resource Group. Otherwise, you can skip to the next step.

    1. Click Resource Groups.

      The Resource groups page appears.

    2. Click Add. The Create a resource group page appears.

    3. Choose your Subscription.

    4. Enter the name of your group in the Resource group field.

    5. Choose the Region where you want to deploy the resource.

    6. Click Review create.

    7. Click Create. The resource group is created and the Resource groups page appears.

  11. Click the name of the resource group where you want to deploy the sensor. This is either the resource group you just created or an existing resource group.

    The group details appear.

  12. Click Access control (IAM).

    The Access control (IAM) page appears.

  13. Click Add role assignments to display the Add role assignment controls.

  14. Click Privileged administrator roles and choose the Contributor option.

  15. Leave the default selection of User, group, or service principal in the Assign access to dropdown.

  16. Enter Stellar in the Select field. The available Stellar Cyber software packages appear.

  17. Choose Stellar Cyber Software Packages.

  18. Click Save. The Resource groups page appears again.

  19. Click Home. The Azure services page appears.

  20. Click Subscriptions. The Subscriptions page appears.

  21. Choose your subscription. The subscription details appear.

  22. Click Resource providers.

    The Resource providers page appears.

  23. Select Microsoft.Network.

  24. Click Register.

  25. Select Microsoft.Compute.

  26. Click Register.

  27. Click Cloud Shell.

  28. Select the PowerShell option in the dialog box that appears.

  29. Create an inbound security group for the sensor using the commands below, replacing <resource-group> with the name of your resource group and <NSG NAME> with the name of your network security group:

    1. Create the Network Security Group:

      az network nsg create -g <resource-group> -n <NSG NAME>

    2. Add an inbound rule for SSH (TCP 22), replacing <Trusted CIDR> with the trusted CIDR range that can SSH into the sensor (for example, 8.8.8.8/32):

      az network nsg rule create -g <resource-group> --nsg-name <NSG NAME> -n AllowSSH --direction Inbound --protocol Tcp --source-address-prefixes '<Trusted CIDR>' --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 22 --access Allow --priority 500

    3. Add an inbound rule for UDP port 8472, replacing <Trusted CIDR> with the trusted CIDR range where the DP is deployed:

      You can skip this step if you're not using VxLAN forwarding.

      az network nsg rule create -g <resource-group> --nsg-name <NSG NAME> -n AllowUDP8472 --direction Inbound --protocol Udp --source-address-prefixes '<Trusted CIDR>' --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 8472 --access Allow --priority 600

  30. You use a customized version of the script shown in Azure Installation Script to install a Modular Sensor in Azure. Before you use the script, you must customize it with variable definitions that match your Azure subscription and networking environment.

    1. Start by pasting the contents of the Azure Installation Script into a text editor.

    2. Customize the script with variable definitions that match your Azure subscription and networking environment for the items listed in Variables for the Azure Installation Script.

    3. Copy and paste the customized script into the Azure Cloud Shell to create the Modular Sensor.

    Refer to the Microsoft Azure PowerShell documentation for more information on the New-AzVM cmdlet used by the script to install a Modular Sensor VM.

Azure Installation Script

Paste the contents of this script into a text editor and supply your own values for the variables shown in angle brackets ("<variable>"). The necessary variables are listed and described in Variables for the Azure Installation Script.

Clear-AzContext -Force
#Supply your own values for the variables below:
$resourceGroup = "<resource group name>"
$location = "<Azure region>"
$vmNamePrefix = "StellarVM-Sensor"
$vnetName = "<virtual network name>"
$subnetName = "<subnet name>"
$nsg_name = "<network security group name>"
$tenant_customer = "<Azure tenant_id>"
$subscription_customer = "<Azure subscription_id>"
#change stellarInstanceType to install Modular Sensor or DP
$stellarInstanceType = "Stellar-ModularSensor"
#$stellarInstanceType = "Stellar-DataProcessor"
#install the specified version below
$imageVersion = "6.1.0"
############################################################################
#Stellar Cyber parameters, do not change
$applicationId = '58238038-43b4-4446-8260-0fa97ace1085'
$secret = 'mdb8Q~2-lm0jpEF_lm24K52udUCKZDrD05e_wdmk' | ConvertTo-SecureString -AsPlainText -Force
$tenant_stellar = "2f580e30-1cc1-4c08-9e80-704999508e1a"
############################################################################

#OS disk size and VM size depend on whether a Modular Sensor or a DP is being installed
if ($stellarInstanceType -eq "Stellar-DataProcessor") {
    $osDiskSize = 512
    $osVMSize = "Standard_E16s_v3"
} else {
    $osDiskSize = 128
    $osVMSize = "Standard_B12ms"
}

#Sign in to the Stellar Cyber tenant (image access) and then to your own tenant
$cred = New-Object -TypeName PSCredential -ArgumentList $applicationId, $secret
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $tenant_stellar
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $tenant_customer
#Select the customer subscription in the Az PowerShell context used by the cmdlets below
#(az account set would only change the separate Azure CLI context, not the Az PowerShell one)
Set-AzContext -Subscription $subscription_customer

# Get the specific subnet object
$vnet = Get-AzVirtualNetwork -ResourceGroupName $resourceGroup -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
# Get subnet ID
$subnetId = $subnet.Id

#VM name = prefix followed by an 8-character random suffix
$randomString = [guid]::NewGuid().ToString("N").Substring(0, 8)
$vmName = "$vmNamePrefix-$randomString"

#Image in the Stellar Cyber shared image gallery
$image = "/subscriptions/0e28f851-f477-4f2d-94bc-35c00d3d5fd8/resourceGroups/Stellar/providers/Microsoft.Compute/galleries/StellarCyberSoftwares/images/$stellarInstanceType/versions/$imageVersion"

#Networking pieces: public IP, existing NSG, and a NIC in the chosen subnet
$pip = New-AzPublicIpAddress -ResourceGroupName $resourceGroup -Location $location -Name "mypublicdns$(Get-Random)" -AllocationMethod Static -IdleTimeoutInMinutes 4
$nsg = Get-AzNetworkSecurityGroup -Name $nsg_name -ResourceGroupName $resourceGroup
$nic_name = "Stellar-nic-$randomString"
$nic = New-AzNetworkInterface -Name $nic_name -ResourceGroupName $resourceGroup -Location $location -SubnetId $subnetId -PublicIpAddressId $pip.Id -NetworkSecurityGroupId $nsg.Id

#Create a virtual machine configuration using the $image variable to specify the image
$vmConfig = New-AzVMConfig -VMName $vmName -VMSize $osVMSize |
    Set-AzVMOperatingSystem -Linux -ComputerName $vmName -Credential $cred |
    Set-AzVMSourceImage -Id $image |
    Set-AzVMOSDisk -CreateOption FromImage `
                    -DiskSizeInGB $osDiskSize `
                    -Caching ReadWrite `
                    -Name "$vmName-OSDisk" `
                    -StorageAccountType "StandardSSD_LRS" |
    Add-AzVMNetworkInterface -Id $nic.Id

#Create a virtual machine
New-AzVM -ResourceGroupName $resourceGroup -Location $location -VM $vmConfig

Variables for the Azure Installation Script

You will need to supply values for the variables in the table below in the Azure Installation Script before you use it in the Azure Cloud Shell. Keep in mind the following rules for variables:

  • The specified resourceGroup must already exist.

  • The values you supply for the vnetName, subnetName, and nsg_name arguments must exist in the specified resource group.

  • $resourceGroup – The name of the Azure Resource Group where the Modular Sensor will be installed.

  • $location – The Azure Region where the Modular Sensor will be installed.

  • $vmNamePrefix (default "StellarVM-Sensor") – Optional. The Modular Sensor VM is named with this prefix followed by a random string (by default, StellarVM-Sensor-<random-string>). You can rename the VM within Azure after it is deployed. However, if you would prefer a different default prefix, you can change it here.

  • $vnetName – The name of the virtual network for the Modular Sensor. You can use the az network vnet list command to see available virtual networks.

  • $subnetName – The name of the subnet for the Modular Sensor. You can use the az network vnet subnet list command to see the subnets in a virtual network.

  • $nsg_name – The name of the Network Security Group for the Modular Sensor. You can use the az network nsg list command to see available Network Security Groups.

  • $tenant_customer – The Azure tenant ID for the deployment. You can use the az account list --output table command to see the subscription and tenant IDs available for your account.

  • $subscription_customer – The Azure subscription for the deployment. You can use the az account list --output table command to see the subscription and tenant IDs available for your account.
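Before pasting the installation script into Cloud Shell, the existence rules above and the inbound NSG rules created in Site Preparation can be checked in one pass. The preflight script below is an added example, not part of Stellar Cyber's installation script; it assumes the Az PowerShell module is loaded, that Connect-AzAccount has already been run against your own tenant, and it reuses the installation script's variable names ($dpCidr is an assumed name for the DP's trusted CIDR).

```powershell
# Added preflight example (not Stellar Cyber's code). Run in Azure Cloud Shell (PowerShell)
# after Connect-AzAccount against your own tenant and before the installation script.
$resourceGroup = "<resource group name>"
$vnetName      = "<virtual network name>"
$subnetName    = "<subnet name>"
$nsg_name      = "<network security group name>"
$dpCidr        = "<Trusted CIDR>"   # assumed name: the CIDR where the DP is deployed (VXLAN only)

$problems = [System.Collections.Generic.List[string]]::new()
# Source prefixes that mean "anyone on the Internet"
$openToWorld = @('*', 'Internet', '0.0.0.0/0')

# Rule 1: the resource group must already exist
if (-not (Get-AzResourceGroup -Name $resourceGroup -ErrorAction SilentlyContinue)) {
    $problems.Add("Resource group '$resourceGroup' does not exist.")
}

# Rule 2: the vnet, subnet and NSG must exist in that resource group
$vnet = Get-AzVirtualNetwork -ResourceGroupName $resourceGroup -Name $vnetName -ErrorAction SilentlyContinue
if (-not $vnet) {
    $problems.Add("Virtual network '$vnetName' not found in resource group '$resourceGroup'.")
} elseif (-not ($vnet.Subnets | Where-Object { $_.Name -eq $subnetName })) {
    $problems.Add("Subnet '$subnetName' not found in virtual network '$vnetName'.")
}

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name $nsg_name -ErrorAction SilentlyContinue
if (-not $nsg) {
    $problems.Add("Network security group '$nsg_name' not found in resource group '$resourceGroup'.")
} else {
    # Inbound Allow rules that reach a given port (exact port or '*'; ranges such as
    # '20-30' are not expanded here, so review those by hand)
    function Get-InboundAllow([string]$Port, [string[]]$Protocols) {
        $nsg.SecurityRules | Where-Object {
            $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
            ($Protocols -contains $_.Protocol) -and
            ($_.DestinationPortRange -contains $Port -or $_.DestinationPortRange -contains '*')
        }
    }
    # SSH (TCP 22) must be reachable, but only from the trusted CIDR
    $sshRules = @(Get-InboundAllow -Port '22' -Protocols @('Tcp', '*'))
    if ($sshRules.Count -eq 0) {
        $problems.Add("No inbound Allow rule for TCP 22; you will not be able to log in and set the token.")
    }
    foreach ($r in $sshRules) {
        $broad = @($r.SourceAddressPrefix | Where-Object { $openToWorld -contains $_ })
        if ($broad.Count -gt 0) {
            $problems.Add("Rule '$($r.Name)' allows SSH from '$($broad -join ',')'; restrict it to a trusted CIDR.")
        }
    }
    # VXLAN (UDP 8472) rules, if present, should come only from the DP's CIDR
    foreach ($r in @(Get-InboundAllow -Port '8472' -Protocols @('Udp', '*'))) {
        $unexpected = @($r.SourceAddressPrefix | Where-Object { $_ -ne $dpCidr })
        if ($unexpected.Count -gt 0) {
            $problems.Add("Rule '$($r.Name)' allows UDP 8472 from '$($unexpected -join ',')', not only the DP CIDR '$dpCidr'.")
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Host "Preflight passed: the installation script can be run."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Preflight failed with $($problems.Count) problem(s); fix them before running the installation script."
}
```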

Applying a Token to the Installed Sensor

The next step is to obtain and apply the token used to authorize and configure the installed sensor.

Obtaining a Token for the Installation

Tokens are required to authorize and configure the installation of a sensor image downloaded from the DP in the System | DATA SOURCE MANAGEMENT | Sensors | Sensor Installation page. Tokens point the installed sensor to the correct DP, assign the specified tenant, optionally provision a selected sensor profile, and authorize the sensor installation.

Use the following procedure to obtain a token in the Tokens tab:

  1. Navigate to the System | DATA SOURCE MANAGEMENT | Sensors | Sensor Installation page and click on the Tokens tab.

  2. If there is already an unexpired token that you want to use for the installation, you can either use the Copy button to copy it to the clipboard or use the Download button to download it as a file.

    • Copy the token if you plan on applying it by pasting it into a set token string <token> command in the CLI.

    • Download the token as a file if you plan on hosting the file on an HTTP server and referring to it in a set token url <token url> command.

    Refer to Assigning Tokens for a summary of the different ways in which tokens can be applied to a sensor installation.

  3. You can also click the Generate button to create a new token.

    The Generate Installation Token dialog appears:

  4. Select the tenant for the token from the Tenant dropdown. This is the tenant to which all sensors authorized with this token will be automatically assigned. The dropdown lists all tenants configured for your organization in the System | ORGANIZATION MANAGEMENT | Tenants page.

  5. Select the Sensor Profile to be assigned to all sensors authorized with this token from the Sensor Profile dropdown. The dropdown lists all sensor profiles available in the System | DATA SOURCE MANAGEMENT | Sensors | Sensor Profiles page for the selected Tenant.

    If you do not want to assign a Sensor Profile with a token, you can set this field to None (no sensor profile selected). This is also the setting for any tokens migrated from a pre-5.3.0 release as part of an upgrade.

  6. Use the Expiration dropdown to select an expiration date for this token. You can select specified expiration dates ranging from two weeks to three months.

    You can also select Never expires for the expiration date. However, Stellar Cyber recommends that you specify expiration dates for your tokens in order to improve the security of your deployment.

    Remember that when a token expires, sensors authorized with the token continue to operate as normal. Once a sensor successfully registers with the Stellar Cyber platform, it no longer uses the token. It is only used for the initial authorization, registration, and configuration of the sensor.

  7. Click the Generate button.

    The system generates the token and displays its contents in the Token field. The dialog also updates to display the expiration date for the token, as illustrated below.

  8. You can use the Copy button to copy the token to the clipboard immediately, or simply close the dialog and retrieve the token from the Tokens tab later on.

Applying the Token to the Sensor

Tokens are required to complete the installation of a sensor image downloaded from the DP in the Download Image tab.

You apply tokens to sensors as the last step in the overall installation procedure:

  1. Log in to your new Sensor. The default username/password is aella/changeme. You are immediately prompted to change the password.
  2. Apply the token to the installed sensor from the sensor CLI with the set token command using one of the options in the table below:

    You only need to use one of the options in the table below. These are just two different ways to do the same thing – apply the token.

    Option 1. Copy and Paste the Token String

    Copy the token string from the Tokens tab and paste it into the CLI command. The syntax is as follows:

    set token string <pasted string>

    Option 2. Host the Token on an HTTP Server

    Download the token as a file from the Tokens tab, upload it to an HTTP server, and reference it in the set token command. The syntax is as follows:

    set token url http://<url to token>

    You can also use an HTTPS server. In that case, the specified URL must also include the username and password for the server using the following syntax:

    set token url https://<user>:<password>@<url to token>

  3. The CLI reports that the Sensor token is successfully set.

    If you receive an error message instead, it's possible that the token has expired. Refer to the Tokens tab to see the expiration date. If you are using the File technique, it's also possible that an extra space or line may have crept into your text file – check the file to make sure it includes only the token text.

  4. Wait a minute or so. Then, verify that the token was successfully applied using any combination of the following techniques:

    • Check the System | DATA SOURCE MANAGEMENT | Sensors | Sensors list in the user interface to see that the sensor has registered itself successfully.

    • Verify that the show system command shows all services as running.

    • Verify that the show receiver command displays a receiver.

    • Verify that the show json command reports some data sent in the BYTE_SENT column.

Configuring a Static IP Address (Optional)

By default, the sensor uses DHCP for the management port's IP address. For ease of troubleshooting, however, Stellar Cyber recommends that you reconfigure the management port to use a static IP address. The procedure is as follows:

  1. Log in to your sensor. The default username/password is aella/changeme, but you changed this when you applied the token in the previous section.
  2. You can set IP parameters manually using commands similar to the following (substitute your own IP parameters for the ones shown below):

    set interface management ip 192.168.14.100/255.255.255.0

    set interface management gateway 192.168.14.1

    set interface management dns 8.8.8.8

  3. Verify the IP settings with the show interfaces command.

  4. Log out with the quit command.

Enabling SSSE3 for the Sensor VM

The sensor VM must have SSSE3 enabled for its processors in order for the Modular Sensor to operate correctly. In most cases, SSSE3 will already be enabled. However, if you encounter issues with packet collection or Interflow data generation, you can use the instructions below to ensure that SSSE3 is enabled.