Install a vScanner in an AWS Environment

You can install an Arctic Wolf® Virtual Scanner (vScanner) in an AWS environment.

Note:

These actions are required:

  • Make sure you have the appropriate Arctic Wolf permissions to install the appliance. Contact your Concierge Security® Team (CST) at security@arcticwolf.com to identify who in your organization has these permissions.
  • Add all necessary IP addresses, ports, and services to your allowlist for full appliance functionality.
    Tip: To see the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then view the IP addresses in the section for your product.
  • If you rate-limit the appliance with Quality of Service (QoS), remove the rate limit for best performance.
  • If your firewall performs SSL/TLS inspection, exclude the appliance management IP address from inspection.
  • If you use an application proxy or layer 7 filter on your firewall, allow outbound traffic for the appliance management IP address.
  • Amazon GuardDuty® flags vScanners as containing malware because vScanners contain code that is used to detect vulnerabilities. To avoid this behavior, create a suppression rule to exclude the vScanner from GuardDuty monitoring. For more information, see Suppression rules in GuardDuty.
  • Schedule host identification and vulnerability scans. For more information, see Configure a scanner.

Provide AWS account IDs to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Arctic Wolf AWS Appliance VM.
  5. Configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.
    • Account ID — Enter the AWS account number.
  6. Click Test and Submit Credentials.
Note: It can take up to 24 hours for the vScanner AMI to become visible.

Create a vScanner instance

  1. Sign in to the AWS console.
  2. Do one of these actions:
    • In the Search field, enter EC2.
    • Click EC2.
  3. Under the Images section, click AMIs.
  4. Filter by Private images and then click Arctic Wolf Appliance-<version>.
  5. Click Launch Instance from AMI.
  6. In the Name and tags section, enter a name for the instance.
  7. In the Application and OS Images (Amazon Machine Image) section, keep the default settings.
  8. In the Key pair (login) section, click Proceed without a key pair.
  9. In the Configure storage section, keep the default settings.
  10. In the Advanced details section, for Termination Protection, select the Enable checkbox.
  11. Click Save.
  12. In the Instance Type section, select c5n.2xlarge.

Configure network settings for the vScanner instance

  1. In the AWS console, in the Network settings section, click Edit.
  2. Select one of these options:
    • VPC — The VPC to deploy the instance on.
    • Subnet — The subnet to deploy the instance on.
      Note:
      • The private or public subnet option depends on your network. Arctic Wolf recommends that you use a private subnet.
      • Do not select No preference.
    • Auto-assign public IP — Select one of these options:
      • Enable
      • Disable — If you use a private subnet or if your environment requires you to enter a specific IP address.

Configure security group rules for the vScanner instance

  1. Find the Firewall (security groups) section.
  2. Do one of these actions:
    • To use an existing security group — Click Select an existing security group, select the appropriate security group, and then continue to Launch and verify the EC2 instance.
    • To create a new security group — Click Create a new security group.
  3. Remove default security rules.
  4. In the Security group name section, enter a name for the security group.
  5. In the Description section, enter a description for the security group.
  6. Remove the default inbound security group rule.
  7. Add a rule to allow all outgoing traffic, if it does not already exist.

Launch and verify the EC2 instance

  1. Click Launch Instance.
  2. Click the instance ID, where the ID value is i-hexadecimals.
  3. Click the instance ID to view details.
    Note: If the instance ID does not appear, refresh the page.
  4. Verify that the Instance state is Running.
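
Added example (not Arctic Wolf code): a check that compares a launched instance with the settings chosen in the steps above, taking the JSON returned by aws ec2 describe-instances, aws ec2 describe-instance-attribute --attribute disableApiTermination, and aws ec2 describe-security-groups. The function name audit_vscanner and all sample IDs are hypothetical, and the check assumes the new-security-group path with no inbound rules.

```python
# Added example, not vendor code. Inputs are dicts shaped like AWS CLI JSON.
def audit_vscanner(instance, termination_attr, security_groups):
    """Return a list of findings; an empty list means the launch matches."""
    findings = []
    if instance.get("InstanceType") != "c5n.2xlarge":
        findings.append("instance type is not c5n.2xlarge")
    if instance.get("KeyName"):
        findings.append("key pair attached")
    if instance.get("State", {}).get("Name") != "running":
        findings.append("instance state is not running")
    if not termination_attr.get("DisableApiTermination", {}).get("Value"):
        findings.append("termination protection is disabled")
    attached = {g["GroupId"] for g in instance.get("SecurityGroups", [])}
    egress_open = False
    for sg in security_groups:
        if sg["GroupId"] not in attached:
            continue  # ignore groups not attached to this instance
        if sg.get("IpPermissions"):
            findings.append("inbound rules present on " + sg["GroupId"])
        for perm in sg.get("IpPermissionsEgress", []):
            cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            if perm.get("IpProtocol") == "-1" and "0.0.0.0/0" in cidrs:
                egress_open = True
    if not egress_open:
        findings.append("no allow-all outbound rule")
    return findings

# Constructed sample data (not real resources).
SG_ID = "sg-0aaaaaaaaaaaaaaaa"
GOOD_INSTANCE = {
    "InstanceId": "i-0123456789abcdef0",
    "InstanceType": "c5n.2xlarge",
    "State": {"Name": "running"},
    "SecurityGroups": [{"GroupId": SG_ID, "GroupName": "vscanner-sg"}],
}
GOOD_ATTR = {"DisableApiTermination": {"Value": True}}
GOOD_SGS = [{"GroupId": SG_ID, "IpPermissions": [],
             "IpPermissionsEgress": [{"IpProtocol": "-1",
                                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]
# Drifted launch: wrong type, key pair, SSH inbound, no egress, no protection.
BAD_INSTANCE = dict(GOOD_INSTANCE, InstanceType="t3.micro", KeyName="ops-key")
BAD_ATTR = {"DisableApiTermination": {"Value": False}}
BAD_SGS = [{"GroupId": SG_ID, "IpPermissionsEgress": [],
            "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                               "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]

if __name__ == "__main__":
    print(audit_vscanner(GOOD_INSTANCE, GOOD_ATTR, GOOD_SGS))
    for finding in audit_vscanner(BAD_INSTANCE, BAD_ATTR, BAD_SGS):
        print("FINDING:", finding)
```

If you attached an existing security group instead, inbound findings from this check need to be reviewed against that group's intended purpose.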

Connect to the serial console

  1. If you have not used the serial console before, complete these steps to configure serial console access:
    1. Click Actions > Account Attributes.
    2. In the Account Attributes section, select EC2 Serial Console.
    3. In the EC2 Serial Console section, select the Allow checkbox.
    4. Click Update.
  2. In the EC2 management console, select Instances, and then enter the vScanner instance ID.
  3. Click Actions > Monitor and Troubleshoot > EC2 Serial Console > Connect.

Configure the vScanner

Use the serial console to configure the vScanner. For more information on using the serial console, see Serial console.

  1. When prompted, press Enter three times to initiate the serial console session.
    Note: If you selected an unsupported EC2 instance type, an error message displays. To continue, delete the vScanner and create a new one with a supported EC2 instance type.
  2. Select Next.
  3. At the Use a proxy? prompt, select No. A proxy cannot be configured for scanners.
  4. Select Next.
  5. At the Do you want to verify your network connection? prompt, select one of these options:
    • Yes

      A series of connectivity tests run. If a connectivity check fails, edit your network settings as needed, and then complete the connectivity checks again.

    • No
  6. Select Next.
  7. At the Tell us about the application you are configuring prompt, configure these settings:
    1. In the Shorthand field, enter a shorthand name for the virtual appliance.
    2. Select Scanner.
  8. Select Next.
  9. When prompted, do one of these actions to connect the virtual appliance to Arctic Wolf:
    Note: Make sure you have the appropriate Arctic Wolf permissions to install the vScanner. You can view the permissions in the Contacts page of the Unified Portal or contact your Concierge Security® Team (CST) at security@arcticwolf.com to identify who in your organization has these permissions.
    • On a mobile device — Scan the QR code displayed in the console window, and then follow the on-screen prompts.
      Note: QR codes expire after 15 minutes. A new code appears in the console if the QR code expires.
    • In a web browser — Enter the displayed URL into the URL field, and then follow the on-screen prompts.

    After the virtual appliance successfully connects to Arctic Wolf, a prompt replaces the QR code.

Activate the vScanner

Note: Only the user who configured the vScanner can activate the vScanner.
  1. Sign in to the Arctic Wolf Unified Portal.
  2. If you are a Managed Service Provider (MSP), verify that you are viewing the correct customer organization.
  3. In the navigation menu, click Data Collection > Scanners.
  4. Find the virtual appliance that you want to activate, and then click Configure.
    Tip: Virtual appliances that are not activated have the Awaiting Activation status.
  5. Click Activate.
    The console displays Appliance activation in progress, please wait.
  6. If you are an MSP, select the same customer organization that you are currently viewing in the Unified Portal, and then click Activate Virtual Appliance.
    Note: To activate the virtual appliance for a different customer, switch to that customer organization before completing this step.
    The serial console displays Appliance activation in progress, please wait.
  7. In the serial console, when prompted, press Enter three times to activate the console.