Installing a Modular Sensor in Azure
This topic describes how to install a Modular Sensor in Azure.
About Modular Sensors
Sensors provide the data gathering foundation for Stellar Cyber's OpenXDR platform, gathering the right data with context. Modular sensors are purpose-built Stellar Cyber sensors that include both the host and the Stellar Cyber monitoring software. They are provided as both physical devices (Photon sensors) and virtual machine images for different target environments.
Previous releases provided a variety of different types of device sensors, including Network, Security, and Modular. Going forward, the only type of device sensor is Modular. You can use the Modular Sensor Profile to enable whatever sensor features you like, creating the same functionality provided by the different sensor types in previous releases.
A modular sensor lets you easily add the features you like to your sensor. This helps simplify your deployment and lets you manage the VM requirements for the sensors based on the modular features they use.
Modular Sensors always include log ingestion. From there, you can enable different features as part of your modular sensor profile:
-
Enable the Network Traffic feature to monitor the virtual environment, the physical environment if connected to the span port of a physical switch, or the LAN segment via a mirror port on a switch. The sensor monitors network and server response times and can identify applications.
The sensor converts that information to metadata and forwards it to the DP as Interflow. The DP can then provide security, DDoS, and breach attempt detections.
-
Enable the Sandbox and IDS features to improve your security posture:
- Sandbox lets you detect malware in files and network traffic through Stellar Cyber's integrated cloud service and also provides anti-virus services.
- IDS lets you detect intrusion attempts using both files and network traffic.
Keep in mind that VM resource requirements increase as you add more features to the Modular Sensor Profile. Refer to Modular Sensor Specifications for details on the resources required to run different combinations of features in a Modular Sensor Profile, as well as how to use the show module and show module request CLI commands to compare provisioned resources against those required to run specific feature combinations. Stellar Cyber only enables a Modular Sensor Profile on a sensor if the host VM's resources can support it.
Installation Summary
You can install a Modular Sensor in Azure. To install you must:
Use our example as a guideline, as you might be using a different software version.
Stellar Cyber does not support the installation of third-party software on its virtual or physical device sensors.
Preparing
Click to see the minimum system requirements for installing a modular sensor. Then, select an Azure instance type that meets the stated requirements for your expected sensor workload.
The az vm create commands in the procedure below use the instance types listed below:
Keep in mind that these are example instance types that meet the requirements stated in Virtual Appliance Sizing Specifications. You can select other instance types with the necessary vCPUs and RAM to perform your expected workload, as stated in the system requirements.
- Network Traffic – Standard_B12ms
- Sandbox and IDS Enabled – Standard_F16s_v2
To prepare for the installation:
- Open firewall ports for log ingestion.
- Open firewall ports for Network Traffic, Sandbox, and IDS features, as necessary.
-
Contact Stellar Cyber support (support@stellarcyber.ai) to have the sensor images deployed in your region. You will need to provide the Azure region for the sensors you are installing.
Do this at least a day before installing, so we have enough time to deploy the images to your region.
Current Azure Sensor Versions
The current sensor versions for Azure deployments are as follows:
- Modular Sensor – 5.3.0
Contact Stellar Cyber support (support@stellarcyber.ai) if you need a different version.
Authorizing the Stellar Cyber Software Images
You must authorize the Stellar Cyber software images so that they are available in the Azure portal:
-
Log in to your Azure portal at https://portal.azure.com/.
-
Click the hamburger menu at the upper left and select the entry for Microsoft Entra ID.
Your Microsoft Entra Overview page appears.
-
Scroll down and click Properties.
The Properties page appears.
-
Copy the value shown for Tenant ID. You need this for the next step and also when creating the VM, so keep it handy.
-
Put your Tenant ID in the following URL and paste it in your browser:
https://login.microsoftonline.com/<tenant id>/oauth2/authorize?client_id=58238038-43b4-4446-8260-0fa97ace1085&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com%2F
The Permissions requested message appears.
-
Click Consent on behalf of your organization.
-
Click Accept.
-
Click Enterprise Applications.
The Enterprise applications | All applications page appears.
-
Search for Stellar. The Stellar Cyber applications that you authorized appear.
If you don't see any Stellar Cyber applications, contact Stellar Cyber support.
-
You can either create a new Resource Group for the deployment or deploy into an existing group. Use this step to create a new Resource Group. Otherwise, you can skip to the next step.
-
Click Resource Groups.
The Resource groups page appears.
-
Click Add. The Create a resource group page appears.
-
Choose your Subscription.
-
Enter the name of your group in the Resource group field.
-
Choose the Region where you want to deploy the resource.
-
Click Review create.
-
Click Create. The resource group is created and the Resource groups page appears.
-
-
Click the name of the resource group where you want to deploy the sensor. This is either the resource group you just created or an existing resource group.
The group details appear.
-
Click Access control (IAM).
The Access control (IAM) page appears.
-
Click Add role assignments to display the Add role assignment controls.
-
Click Privileged administrator roles and choose the Contributor option.
-
Leave the default selection of User, group, or service principal in the Assign access to drop-down.
-
Enter Stellar in the Select field. The available Stellar Cyber software packages appear.
-
Choose Stellar Cyber Software Packages.
-
Click Save. The Resource groups page appears again.
-
Click Home. The Azure services page appears.
-
Click Subscriptions. The Subscriptions page appears.
-
Choose your subscription. The subscription details appear.
-
Click Resource providers.
The Resource providers page appears.
-
Select Microsoft.Network.
-
Click Register.
-
Select Microsoft.Compute.
-
Click Register.
-
Click Cloud Shell.
A PowerShell window opens and connects.
-
Enter the following 3 commands to get an access token from the Stellar Cyber Azure portal:
az account clear
az login --service-principal -u '58238038-43b4-4446-8260-0fa97ace1085' -p '3238Q~KMtVAIyuC6gDVMhboKEW7w6W~bXYQhFcZx' --tenant '2f580e30-1cc1-4c08-9e80-704999508e1a'
az account get-access-token
-
Enter the following commands to get the access token from your tenant ID. Replace Tenant ID with the value you copied earlier.
Make sure you use your Tenant ID, copied from your Azure Portal, as described in this step.
az login --service-principal -u '58238038-43b4-4446-8260-0fa97ace1085' -p '3238Q~KMtVAIyuC6gDVMhboKEW7w6W~bXYQhFcZx' --tenant '<Tenant ID>'
az account get-access-token
-
If you have multiple Azure subscriptions, use the az account list --output table command to make sure that the subscription where you want to deploy the sensor is currently the default. For example:
PS /home/j> az account list --output table
Name              CloudName   SubscriptionId                        State    IsDefault
Pay-As-You-Go     AzureCloud  xxxxxxxx-f477-4f2d-94bc-35c00d3d5fd8  Enabled  False
Subscription-Dev  AzureCloud  xxxxxxxx-ac50-4d82-a6ea-a14db86f3957  Enabled  True
Subscription-QA   AzureCloud  xxxxxxxx-9114-4cb0-a044-7e01f074575c  Enabled  False
In this example, Subscription-Dev has IsDefault set to True and is where the deployment will take place. You can change the default subscription with the az account set --subscription <subscription> command. Let's change the default subscription to Subscription-QA:
PS /home/j> az account set --subscription xxxxxxxx-9114-4cb0-a044-7e01f074575c
PS /home/j> az account list --output table
Name              CloudName   SubscriptionId                        State    IsDefault
Pay-As-You-Go     AzureCloud  xxxxxxxx-f477-4f2d-94bc-35c00d3d5fd8  Enabled  False
Subscription-Dev  AzureCloud  xxxxxxxx-ac50-4d82-a6ea-a14db86f3957  Enabled  False
Subscription-QA   AzureCloud  xxxxxxxx-9114-4cb0-a044-7e01f074575c  Enabled  True
After changing the default subscription, the sensor will now be deployed in Subscription-QA.
-
Create a sensor VM.
This command points to the most recent sensor image. You can install different versions by changing the version number in the command below.
Keep in mind that these commands use an instance type that meets the system requirements, including SSD storage. You can specify a different instance type with sufficient vCPUs and RAM to handle your expected workload while making sure to observe all system requirements.
Note that any resources you specify in the az vm create command must already exist in the same resource group where you are creating the VM. This includes any values you supply for the resource-group, vnet-name, subnet, subnet-address-prefix, and nsg arguments.
You can also use variables to pass values for the parameters in the az vm create command. Refer to Using Shell Variables to Create the Sensor VM for details.
Enter the following command to create a modular sensor VM. Replace <resource-group> with an existing resource group in your deployment and <version> with the version of software you want to install (for example, 5.3.0):
az vm create --size Standard_B12ms --resource-group <resource-group> --name StellarModularSensor --image "/subscriptions/0e28f851-f477-4f2d-94bc-35c00d3d5fd8/resourceGroups/Stellar/providers/Microsoft.Compute/galleries/StellarCyberSoftwares/images/Stellar-ModularSensor/versions/<version>" --admin-username azureuser --admin-password P@ssw0rd#2022 --storage-sku StandardSSD_LRS --os-disk-size-gb 128
Note that you can optionally specify the virtual network, subnet, and network security group to be used by the VM by including the --vnet-name, --subnet, and --nsg arguments. The resources you specify must exist in the same resource group where you are creating the VM. For example, for a modular sensor:
az vm create --size Standard_B12ms --resource-group <resource-group> --name StellarModularSensor --nsg <network-security-group> --vnet-name <vnet-name> --subnet <subnet-name> --subnet-address-prefix <subnet-cidr> --image "/subscriptions/0e28f851-f477-4f2d-94bc-35c00d3d5fd8/resourceGroups/Stellar/providers/Microsoft.Compute/galleries/StellarCyberSoftwares/images/Stellar-ModularSensor/versions/<version>" --admin-username azureuser --admin-password P@ssw0rd#2022 --storage-sku StandardSSD_LRS --os-disk-size-gb 128
You can also install the sensor without a public IP address by including the --public-ip-address "" argument. For example, here's the same command from above with the --public-ip-address "" argument included:
az vm create --size Standard_B12ms --resource-group <resource-group> --name StellarModularSensor --nsg <network-security-group> --vnet-name <vnet-name> --subnet <subnet-name> --subnet-address-prefix <subnet-cidr> --public-ip-address "" --image "/subscriptions/0e28f851-f477-4f2d-94bc-35c00d3d5fd8/resourceGroups/Stellar/providers/Microsoft.Compute/galleries/StellarCyberSoftwares/images/Stellar-ModularSensor/versions/<version>" --admin-username azureuser --admin-password P@ssw0rd#2022 --storage-sku StandardSSD_LRS --os-disk-size-gb 128
-
Create the inbound security rule for the sensor using the commands below, replacing <resource-group> with the name of your resource group and <NSG NAME> with the name of your network security group.
Enter the following command for a modular sensor:
az network nsg rule create -g <resource-group> --nsg-name <NSG NAME> -n StellarPort1 --direction Inbound --protocol Udp --destination-port-ranges 8472 --priority 500
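Before running az vm create, the prerequisites set up in the steps above can be checked from the same Cloud Shell session. This is an added example, not part of the Stellar Cyber procedure; it assumes the signed-in identity can read role assignments on the resource group, and the output layout is illustrative.

```powershell
# Added example (not from the vendor documentation): pre-flight checks for
# the prerequisites configured earlier in this procedure.
$RESOURCE_GROUP = "<resource-group>"   # placeholder, as in the commands above

# 1. Show the subscription that az vm create will deploy into.
az account show --query "{name:name, id:id, isDefault:isDefault}" --output table

# 2. The target resource group must already exist.
if ((az group exists --name $RESOURCE_GROUP) -ne "true") {
    throw "Resource group '$RESOURCE_GROUP' was not found in this subscription."
}

# 3. Both resource providers must be registered on the subscription.
foreach ($ns in "Microsoft.Network", "Microsoft.Compute") {
    $state = az provider show --namespace $ns --query registrationState --output tsv
    if ($state -ne "Registered") {
        throw "$ns is '$state'; register it before creating the VM."
    }
}

# 4. List every Contributor assignment that applies to the resource group and
#    mark the ones inherited from a wider scope (for example, the subscription).
$rgId = az group show --name $RESOURCE_GROUP --query id --output tsv
$assignments = az role assignment list --resource-group $RESOURCE_GROUP `
    --role Contributor --include-inherited | ConvertFrom-Json
foreach ($a in $assignments) {
    $where = if ($a.scope -eq $rgId) { "resource group" } else { "inherited from $($a.scope)" }
    "{0,-45} {1}" -f $a.principalName, $where
}
```

The Stellar Cyber Software Packages principal should appear with the scope "resource group"; an entry marked as inherited means the Contributor role was granted at a wider scope than the procedure calls for.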
Using Shell Variables to Create the Sensor VM
The az vm create commands in the examples above all specify values for parameters directly in the command. As an alternative, you can also declare shell variables for parameters you commonly reuse and include them in the az vm create command as part of a script.
The same rules for parameters included in an az vm create command also apply when passing variables in a script:
-
The specified resource-group must already exist.
-
Any values you supply for the vnet-name, subnet, subnet-address-prefix, and nsg arguments must exist in the specified resource group.
The example below starts by defining values for many of the parameters in the az vm create command before reading them in as part of the command:
#PowerShell script
#Assign values to variables
$RESOURCE_GROUP="<MyResourceGroup>"
$VM_NAME="<MyVM>"
$VNET_NAME="<MyVNet>"
$SUBNET_NAME="<MySubnet>"
$SUBNET_PREFIX="<x.x.x.x/x>"
$NSG_NAME="<MyNSG>"
$IMAGE="/subscriptions/0e28f851-f477-4f2d-94bc-35c00d3d5fd8/resourceGroups/Stellar/providers/Microsoft.Compute/galleries/StellarCyberSoftwares/images/Stellar-ModularSensor/versions/<version>"
$ADMIN_USERNAME="azureuser"
$ADMIN_PASSWORD="P@ssw0rd#2022"
#Create Modular Sensor VM using variable values
az vm create --size Standard_B12ms --resource-group $RESOURCE_GROUP --name $VM_NAME --vnet-name $VNET_NAME --subnet $SUBNET_NAME --subnet-address-prefix $SUBNET_PREFIX --nsg $NSG_NAME --image $IMAGE --admin-username $ADMIN_USERNAME --admin-password $ADMIN_PASSWORD --storage-sku StandardSSD_LRS --os-disk-size-gb 128
Refer to this article on Microsoft Learn for more information on using variables in the Azure CLI.
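A variant of the script above that prompts for the admin password instead of storing it in the script, deploys the VM without a public IP address, and limits the inbound rule to known senders. This is an added example, not Stellar Cyber's own script; the $SENDER_PREFIXES variable, its placeholder values, and the sample-password check are assumptions for illustration.

```powershell
# Added example, not the vendor's script. Replace the <...> placeholders.
$RESOURCE_GROUP = "<MyResourceGroup>"
$VM_NAME        = "<MyVM>"
$VNET_NAME      = "<MyVNet>"
$SUBNET_NAME    = "<MySubnet>"
$SUBNET_PREFIX  = "<x.x.x.x/x>"
$NSG_NAME       = "<MyNSG>"
$IMAGE          = "/subscriptions/0e28f851-f477-4f2d-94bc-35c00d3d5fd8/resourceGroups/Stellar/providers/Microsoft.Compute/galleries/StellarCyberSoftwares/images/Stellar-ModularSensor/versions/<version>"
$ADMIN_USERNAME = "azureuser"
# Assumption: CIDR ranges of the hosts that are allowed to send to the sensor.
$SENDER_PREFIXES = @("<sender-cidr-1>", "<sender-cidr-2>")

# Prompt for the admin password so it is not stored in the script file.
$secure = Read-Host -Prompt "Admin password for $ADMIN_USERNAME" -AsSecureString
$ADMIN_PASSWORD = [System.Net.NetworkCredential]::new("", $secure).Password

# Refuse the sample password printed in the documentation examples.
if ($ADMIN_PASSWORD -ceq 'P@ssw0rd#2022') {
    throw "Choose a password other than the documented sample value."
}

# Create the sensor VM without a public IP address.
az vm create --size Standard_B12ms `
    --resource-group $RESOURCE_GROUP --name $VM_NAME `
    --vnet-name $VNET_NAME --subnet $SUBNET_NAME `
    --subnet-address-prefix $SUBNET_PREFIX --nsg $NSG_NAME `
    --public-ip-address "" --image $IMAGE `
    --admin-username $ADMIN_USERNAME --admin-password $ADMIN_PASSWORD `
    --storage-sku StandardSSD_LRS --os-disk-size-gb 128
$vmExit = $LASTEXITCODE
Remove-Variable ADMIN_PASSWORD   # drop the plaintext copy either way
if ($vmExit -ne 0) { throw "az vm create failed with exit code $vmExit." }

# Same rule as in the procedure, limited to the listed sender ranges.
az network nsg rule create -g $RESOURCE_GROUP --nsg-name $NSG_NAME `
    -n StellarPort1 --direction Inbound --protocol Udp `
    --destination-port-ranges 8472 --priority 500 `
    --access Allow --source-address-prefixes $SENDER_PREFIXES
if ($LASTEXITCODE -ne 0) { throw "az network nsg rule create failed." }

# Review the resulting rules on the NSG.
az network nsg rule list -g $RESOURCE_GROUP --nsg-name $NSG_NAME --output table
```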
Connecting the Sensor to the Stellar Cyber Platform
To connect the sensor to the Stellar Cyber Platform:
- Log in to your new sensor. The default username/password is aella/changeme. You are immediately prompted to change the password.
-
Change the password.
After you change the password, your session closes automatically. When you log back in with your new credentials, the prompt changes to DataSensor>.
-
Set the host name. The host name is displayed in Stellar Cyber and should be unique for each sensor:
set hostname <new hostname>
-
If necessary, set the proxy HTTP server:
set proxy http://<proxy IP address:port>
Note: The CLI prevents you from entering non-printable characters as part of the username or password for the proxy, as well as the proxy itself.
-
Optionally assign the tenant (if you skip this, the sensor is assigned to Root Tenant):
set tenant_id <Tenant ID from Stellar Cyber>
-
Use the set cm command to specify the IP address to reach the management interface of the Stellar Cyber Platform. For a cluster, this is the IP address of the DL-master's management interface. For a single DP deployment, this is simply the Stellar Cyber Platform's management IP address. You can specify either an IP address or a hostname. For example:
set cm 192.168.44.10
or:
set cm example.company.com
If you specify a hostname rather than an IP address, the system attempts to verify the hostname with the DNS server. If the DNS server is not reachable, the system reports the error and lets you either proceed with the configured hostname or quit. This way, you can specify a hostname for the set cm destination in an offline environment without access to a DNS server.
-
Verify with the show cm command. You should see the IP address of the Stellar Cyber Platform listed as the CM Controller and the Status should be Established.
-
Use the show time command to view the time zone.
During installation, the time zone for sensors is automatically set to UTC+0. Since the logs for some security products may only include the local time without a time zone, Stellar Cyber recommends that you set the sensor time zone to the same time zone as your security product.
-
Log out with the quit command.
The sensor automatically contacts the DP to register itself.
Authorizing the Sensor
You must authorize the sensor when it appears in the network.
You can authorize multiple sensors at a time. So if you're installing multiple sensors, install them all, then authorize them all at once.
Enabling SSSE3 for the Sensor VM
The sensor VM must have SSSE3 enabled for its processors in order for the Modular Sensor to operate correctly. In most cases, SSSE3 will already be enabled. However, if you encounter issues with packet collection or Interflow data generation, you can use the instructions below to ensure that SSSE3 is enabled.

Sensors installed on Linux hosts must have SSSE3 enabled for their processors in order to operate correctly. This is true for Modular Sensors and Linux Server Sensors, as well as legacy Network and Security Sensors.
SSSE3 is typically supported/enabled for most vCPUs, but may not be for certain legacy AMD vCPUs. See below for instructions on enabling SSSE3.
To enable SSSE3 for a virtual machine:
-
Start the virtual shell (virsh).
-
Type the following command to edit the virtual machine's settings:
edit <virtual_machine_name>
-
Locate the <cpu> section. It should appear similar to the following:
<cpu mode='custom' match='exact' check='partial'>
  <model fallback='allow'>SandyBridge</model>
  ......
</cpu>
-
Add the following line to the <cpu> section:
<feature policy='require' name='ssse3'/>
When you are done, the <cpu> section should appear similar to the following:
<cpu mode='custom' match='exact' check='partial'>
  <model fallback='allow'>SandyBridge</model>
  <feature policy='require' name='ssse3'/>
  ...........
</cpu>
-
Save changes to the virtual machine and exit virsh.
-
Run the following command:
virsh define /etc/libvirt/qemu/<virtual_machine_name>.xml
Each virtual machine has a configuration .xml file. Typically, these files are stored under /etc/libvirt/qemu, but the location may be different for your system.
-
Stop and start the virtual machine in virsh.