NDR: Deploying a Virtual Sensor in Azure

Description

Notice

  • This guide is intended to serve as an example only. Users must modify applicable details, such as IP addresses, subnets, and device names, to align with their specific environment.

  •  

    Exercise caution when making changes to your firewall or environment, as unplanned modifications can result in downtime, depending on the complexity of the configuration and infrastructure.

  •  

    Your experience may vary if you are using a different software version or a product from another brand or manufacturer. Please note that you are solely responsible for the configuration and management of your devices.

Azure Modular Sensor Deployment

CAUTION: The examples below are intended to be serve as general guidelines. Your platform or software version may differ, resulting in variations in images, screens, options, or other elements. 

Preparing

The Azure instance types in the az create commands in the procedure below use the instance types listed below:

Keep in mind that these are example instance types that meet the requirements stated in the Virtual Appliance Sizing Specifications section. You can select other instance types with the necessary vCPUs and RAM to perform your expected workload, as stated in the system requirements.

  • Network Traffic – Standard_B12ms
  • Sandbox and IDS Enabled – Standard_F16s_v2

To prepare for the installation:

  1. Open firewall ports for log ingestion.
  2. Open firewall ports for Network Traffic, Sandbox, and IDS features, as necessary.
  3. Reply to your NDR integration ticket to have the sensor images deployed in your region.
    1. You will need to provide the Azure region for the sensors your are installing.
    2. Do this at least 3-5 business days before installing, so that there is enough time to deploy the images to your region.

Current Azure Sensor Versions

The current sensor versions for Azure deployments are as follows:

  • Network Sensor – 5.1.1
  • Security Sensor – 5.1.1
  • Modular Sensor – 5.1.1

Authorizing the Stellar Cyber Software Images

You must authorize the Stellar Cyber software images so that they are available in the Azure portal:

  1. Log in to your Azure portal at https://portal.azure.com/ .
  2. Click the hamburger menu at the upper left and select the entry for Microsoft Entra ID.

image-20240513-152302.png

  1. Your Microsoft Entra Overview page appears.
  1. Scroll down and click Properties.

image-20240513-152431.png

  1. The Properties page appears.
  1. Copy the value shown for Tenant ID. You need this for the next step and also when creating the VM, so keep it handy.

image-20240513-152441.png

  1. Put your Tenant ID in the following URL and paste it in your browser:
    1. https://login.microsoftonline.com/<tenant id>/oauth2/authorize?client_id=58238038-43b4-4446-8260-0fa97ace1085&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com%2F
    2. The Permissions requested message appears.
  2. Click Consent on behalf of your organization.

image-20240513-152448.png

  1. Click Accept.
  2. Click Enterprise Applications.

image-20240513-152458.png

  1. The Enterprise applications | All applications page appears.
  1. Search for Stellar. The Stellar Cyber applications that you authorized appear.

image-20240513-152506.png

  1. If you don't see any Stellar Cyber applications, contact Stellar Cyber support.
  1. You can either create a new Resource Group for the deployment or deploy into an existing group. Use this step to create a new Resource Group. Otherwise, you can skip to the next step.
    1. Click Resource Groups.

image-20240513-152514.png

  1. The Resource groups page appears.

image-20240513-152520.png

  1. Click Add. The Create a resource group page appears.

image-20240513-152529.png

  1. Choose your Subscription.
  2. Enter the name of your group in the Resource group field.
  3. Choose the Region where you want to deploy the resource.
  4. Click Review create.
  5. Click Create. The resource group is created and the Resource groups page appears.
  1. Click the name of the resource group where you want to deploy the sensor. This is either the resource group you just created or an existing resource group.

image-20240513-152536.png

  1. The group details appear.
  1. Click Access control (IAM).

image-20240513-152545.png

  1. The Access control (IAM) page appears.
  1. Click Add role assignments to display the Add role assignment controls.

image-20240513-152551.png

  1. Click on Privileged administrator roles and choose the Contributor option, as illustrated below:

image-20240513-152559.png

  1. Leave the default selection of User, group, or service principal in the Assign access to drop-down.
  2. Enter Stellar in the Select field. The available Stellar Cyber software packages appear.
  3. Choose Stellar Cyber Software Packages.
  4. Click Save. The Resource groups page appears again.
  5. Click Home. The Azure services page appears.

image-20240513-152608.png

  1. Click Subscriptions. The Subscriptions page appears.

image-20240513-152616.png

  1. Choose your subscription. The subscription details appear.
  2. Click Resource providers.

image-20240513-152626.png

  1. The Resource providers page appears.

image-20240513-152635.png

  1. Select Microsoft.Network.
  2. Click Register.
  3. Select Microsoft.Compute.
  4. Click Register.
  5. Click Cloud Shell.

image-20240513-152644.png

  1. A PowerShell windows opens and connects.
  1. Enter the following 3 commands to get an access token from the Stellar Cyber Azure portal:
    1. az account clear
    2. az login --service-principal -u '58238038-43b4-4446-8260-0fa97ace1085' -p '3238Q~KMtVAIyuC6gDVMhboKEW7w6W~bXYQhFcZx' --tenant '2f580e30-1cc1-4c08-9e80-704999508e1a'
    3. az account get-access-token
  2. Enter the following commands to get the access token from your tenant ID. Replace Tenant ID with the value you copied earlier.
    1. Make sure you use your Tenant ID, copied from your Azure Portal.
    2. az login --service-principal -u '58238038-43b4-4446-8260-0fa97ace1085' -p '3238Q~KMtVAIyuC6gDVMhboKEW7w6W~bXYQhFcZx' --tenant '<Tenant ID>'
    3. az account get-access-token
  3. If you have multiple Azure subscriptions, use the az account list --output table command to make sure that the subscription where you want to deploy the sensor is currently the default. For example:

PS /home/j> az account list --output table

Name              CloudName    SubscriptionId                        State    IsDefault

Pay-As-You-Go     AzureCloud   xxxxxxxx-f477-4f2d-94bc-35c00d3d5fd8  Enabled  False

Subscription-Dev  AzureCloud   xxxxxxxx-ac50-4d82-a6ea-a14db86f3957  Enabled  True

Subscription-QA   AzureCloud   xxxxxxxx-9114-4cb0-a044-7e01f074575c  Enabled  False

  1. In this example, Subscription-Dev has IsDefault set to True and is where the deployment will take place. You can change the default subscription with the az account set --subscription <subscription> command. Let's change the default subscription to Subscription-QA:

PS /home/j> az account set --subscription xxxxxxxx-9114-4cb0-a044-7e01f074575c

PS /home/j> az account list --output table

Name              CloudName    SubscriptionId                        State    IsDefault

Pay-As-You-Go     AzureCloud   xxxxxxxx-f477-4f2d-94bc-35c00d3d5fd8  Enabled  False

Subscription-Dev  AzureCloud   xxxxxxxx-ac50-4d82-a6ea-a14db86f3957  Enabled  False

Subscription-QA   AzureCloud   xxxxxxxx-9114-4cb0-a044-7e01f074575c  Enabled  True

  1. After changing the default subscription, the sensor will now be deployed in Subscription-QA.
  1. Create a sensor VM.
    1. This command points to the most recent sensor image. You can install different versions by changing the version number in the command below.\
    2. Keep in mind that these commands use an instance type that meet the system requirements. You can specify a different instance type with sufficient vCPUs and RAM to handle your expected workload.
      1. Enter the following command to create a modular sensor VM. Replace <resource-group> with an existing resource group in your deployment and  <version> with the version of software you want to install (for example, 5.1.1:

az vm create --size Standard_B12ms --resource-group <resource-group> --name StellarModularSensor --image "/subscriptions/0e28f851-f477-4f2d-94bc-35c00d3d5fd8/resourceGroups/Stellar/providers/Microsoft.Compute/galleries/StellarCyberSoftwares/images/Stellar-ModularSensor/versions/<version>" --admin-username azureuser --admin-password P@ssw0rd#2022 --os-disk-size-gb 128

  1. Note that you can optionally specify the virtual network and subnet to be used by the VM by including the --vnet-name and --subnet arguments. The networks you specify must exist in the same resource group where you are creating the VM. For example, for a modular sensor:

az vm create --size Standard_B12ms --resource-group <resource-group> --name StellarModularSensor --vnet-name <vnet-name> --subnet <subnet-name> --subnet-address-prefix <subnet-cidr> --image "/subscriptions/0e28f851-f477-4f2d-94bc-35c00d3d5fd8/resourceGroups/Stellar/providers/Microsoft.Compute/galleries/StellarCyberSoftwares/images/Stellar-ModularSensor/versions/<version>" --admin-username azureuser --admin-password P@ssw0rd#2022 --os-disk-size-gb 128

  1. Create inbound security groups for the sensor using the commands below, replacing <resource-group> with the name of your resource group and <NSG NAME> with the name of your network security group
    1. Enter the following command for a modular sensor:

az network nsg rule create -g <resource-group> --nsg-name <NSG NAME> -n StellarPort1 --direction Inbound --protocol Udp --destination-port-ranges 8472 --priority 500

Related Articles

  • SentinelOne (S1) MDR: Frequently Asked Questions (FAQs)
    Read More
  • Avanan: IRaaS SOP
    Read More
  • Infocyte: Exclusions
    Read More

Categories

Managed Security Services
Network Detection and Response
not finding your answers?
Ask the Community
was this article helpful?
YesNo