Virtual Sensor Installation in an AWS Environment

Updated Sep 27, 2023

Install a vSensor using the AWS Management Console

The Arctic Wolf® Virtual Sensor (vSensor) is a virtual appliance that performs passive network inspection and collects security-relevant data for analysis. Arctic Wolf Managed Detection and Response (MDR) uses one or more sensor deployments to monitor events in your network and identify potential threats. You can install the vSensor using the Amazon Web Services (AWS) web console.

Notes:

  • vSensor does not support auto-scaling in AWS.
  • An Amazon EC2 instance supports 10 mirror sessions per vSensor. If you require more than 10 mirror sessions per vSensor, contact your Concierge Security Team® (CST) to discuss the implementation of an AWS Network Load Balancer. See Traffic Mirroring limitations and quotas in the AWS documentation for more information.

Before you begin

Steps

  1. Provide AWS account IDs to Arctic Wolf.
  2. Create a vSensor instance.
  3. Configure the vSensor instance.
    1. Configure network settings.
    2. Configure security group rules.
    3. Configure a second network interface.
    4. Launch and verify the EC2 instance.
  4. Configure the vSensor.
  5. Activate the vSensor.
  6. Configure AWS mirroring.
    1. Obtain the Elastic Network Interface ID.
    2. Create the traffic mirror target.
    3. Create the traffic mirror filter.
    4. Create the traffic mirror session.

Step 1: Provide AWS account IDs to Arctic Wolf

For the vSensor Amazon Machine Image (AMI) to appear in AWS, you must first provide your AWS account IDs to Arctic Wolf.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. In the menu bar, click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, from the Account Type list, select Cloud Detection and Response.

  5. In the Search Services field, type appliance.

  6. Click vSensor AMI.

  7. On the Add Account page, configure these settings:

    1. Account Name — Enter a unique and descriptive name for the account.
    2. Account ID — Enter the AWS account number.
  8. Click Test and Submit Credentials.

Note: It may take up to 24 hours before the vSensor AMI is visible.

Step 2: Create a vSensor instance

  1. In the Amazon Machine Images (AMI) section, in the AWS console, select the vSensor AMI to use to create the instance.

    Note: The name of the AMI is Arctic Wolf Appliance-<version>.

  2. Click Launch Instance from AMI.

  3. In the Name and tags section, enter the name for your vSensor.

  4. In the Application and OS Images (Amazon Machine Image) section, keep the default settings.

  5. In the Key pair (login) section, select Proceed without a key pair.

  6. In the Configure storage section, keep the default settings unless you require more storage.

  7. In the Advanced details section, for Termination Protection, select the Enable checkbox.

  8. Click Save.

  9. In the Instance Type section, configure these settings for the type of vSensor you are installing:

    • AWNv100 sensor — r5.large
    • AWNv200 sensor — c5n.2xlarge
    • AWNv1000 sensor — c5n.9xlarge

Step 3a: Configure network settings

  1. In the AWS console, in the Network settings section, click Edit, and then select one of these options:
    • VPC — The VPC to deploy the vSensor on.
    • Subnet — The subnet to deploy the vSensor on.

      Notes:

      • Whether you use a private or public subnet depends on your network. Arctic Wolf recommends using a private subnet.
      • Do not select No preference.
    • Auto-assign public IP — Select one of these options:
      • Enable
      • Disable — If you are using a private subnet, or if your environment requires you to enter a specific IP address.

Step 3b: Configure security group rules

Depending on your environment, you may need to configure new security group rules to allow outgoing and incoming traffic for the vSensor.

Tip: Arctic Wolf recommends that you create a new security group to avoid having more permissions than necessary. However, you can use an existing security group if it has the required rules configured.

Note: vSensor does not support deployments that receive mirrored traffic from other VPCs, such as using a Gateway Load Balancer. See the official AWS documentation for more information on AWS traffic mirroring.

  1. Find the Firewall (security groups) section.

  2. For new or existing security groups, do one of the following:

    • If you are using an existing security group — Select Select an existing security group, choose the appropriate security group, and proceed to Configure a second network interface.
    • If you are creating a new security group — Select Create a new security group and proceed to the next step.
  3. Remove any default security rules.

  4. In the Security group name section, enter a name for the security group.

  5. In the Description section, enter a description for the security group.

  6. Add rules to allow the following:

    • All outgoing traffic

      Note: There may be a rule allowing all outgoing traffic by default.

    • Incoming traffic from the addresses or subnets of the log sources to be ingested by the vSensor, on the following network ports, as applicable for the environment:

      • UDP port 514 for plaintext syslog over UDP
      • TCP port 514 for plaintext syslog over TCP
      • TCP port 6514 for TLS-encrypted syslog
      • TCP port 9081 for logs in the Bluecoat SG format
      • UDP port 4789 for VXLAN protocol, with the following traffic mirror targets:
        • EC2 network interface
        • AWS Network Load Balancer
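As an added example (not Arctic Wolf or AWS tooling), the following Python script checks a security group, in the JSON shape that `aws ec2 describe-security-groups` returns, against the port list above: it reports required ingress rules that are missing, flags all-protocol rules of the kind the steps say to remove, and flags rules whose source range is wider than the log-source and mirror-source addresses you pass in. The security group, its group ID and all CIDRs in it are constructed placeholders.

```python
"""Audit a security group's ingress rules against the vSensor port list.

Added example, not Arctic Wolf's or AWS's own tooling. Input is the
"IpPermissions" list from `aws ec2 describe-security-groups`; output is
the list of required (protocol, port) pairs no rule allows, plus findings
for rules that are wider than the documented sources. Only IPv4 CIDR
sources are checked; IPv6 ranges and security-group references are ignored.
"""
import ipaddress
import json

# Ingress rules the installation guide lists for the vSensor.
REQUIRED_INGRESS = [
    ("udp", 514, "plaintext syslog over UDP"),
    ("tcp", 514, "plaintext syslog over TCP"),
    ("tcp", 6514, "TLS-encrypted syslog"),
    ("tcp", 9081, "Bluecoat SG format logs"),
    ("udp", 4789, "VXLAN from traffic mirror targets"),
]

# Constructed sample: placeholder group ID and CIDRs, missing two rules and
# exposing VXLAN to the whole Internet instead of the mirror sources.
SAMPLE_SG_JSON = json.dumps({
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 514, "ToPort": 514,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 6514, "ToPort": 6514,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
        {"IpProtocol": "udp", "FromPort": 4789, "ToPort": 4789,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
})


def rule_covers(perm, proto, port):
    """True if one IpPermissions entry allows proto/port."""
    if perm["IpProtocol"] == "-1":
        return True  # "-1" means all protocols and all ports
    if perm["IpProtocol"] != proto:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_security_group(sg_json, allowed_sources):
    """Return (missing, findings).

    missing  : required (proto, port) pairs that no rule allows
    findings : strings describing all-protocol rules and rules whose
               source CIDR is not inside one of allowed_sources
    """
    sg = json.loads(sg_json)
    allowed = [ipaddress.ip_network(c) for c in allowed_sources]
    perms = sg.get("IpPermissions", [])

    missing = [(proto, port) for proto, port, _ in REQUIRED_INGRESS
               if not any(rule_covers(perm, proto, port) for perm in perms)]

    findings = []
    for perm in perms:
        proto = perm["IpProtocol"]
        label = proto if proto == "-1" else (
            f"{proto}/{perm.get('FromPort')}-{perm.get('ToPort')}")
        if proto == "-1":
            findings.append(f"{label}: all-protocol rule should be removed")
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            inside = any(a.version == src.version and src.subnet_of(a)
                         for a in allowed)
            if not inside:
                findings.append(
                    f"{label}: source {src} is wider than the documented sources")
    return missing, findings


if __name__ == "__main__":
    # 10.20.0.0/16 stands in for the VPC range holding the log and mirror sources.
    missing, findings = audit_security_group(SAMPLE_SG_JSON, ["10.20.0.0/16"])
    for proto, port in missing:
        print(f"MISSING  {proto}/{port}")
    for line in findings:
        print(f"FINDING  {line}")
```

Run it against real output by replacing `SAMPLE_SG_JSON` with the contents of `aws ec2 describe-security-groups --group-ids <id> --query 'SecurityGroups[0]'` and passing the CIDRs of your log sources, mirror-source subnets or load balancer subnets as `allowed_sources`.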

Step 3c: Configure a second network interface

vSensors must be configured with a second network interface that is used for receiving mirrored traffic. This can be attached to the same subnet as the primary network interface, or to a different subnet, depending on your network.
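What arrives on that second interface is the mirrored packet wrapped in a VXLAN header on UDP port 4789, with the VNI of the mirror session in the header. The following Python parser is an added example, not Arctic Wolf or AWS code: it builds a constructed VXLAN datagram (placeholder VNI and MAC addresses) and then decodes the VNI and the inner Ethernet frame, rejecting datagrams that are too short or that do not flag the VNI as valid.

```python
"""Parse VXLAN-encapsulated mirrored packets (RFC 7348 header layout).

Added example, not Arctic Wolf's or AWS's code. A VXLAN payload is an
8-byte header (flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte)
followed by the mirrored Ethernet frame. The datagram built below uses a
placeholder VNI and placeholder MAC addresses; it is constructed sample data.
"""
import struct

VXLAN_FLAG_VNI_VALID = 0x08  # the "I" flag: VNI field is valid
VXLAN_HEADER_LEN = 8
ETHERNET_HEADER_LEN = 14


def build_vxlan(vni, inner_frame):
    """Wrap an Ethernet frame in a VXLAN header (test-data helper)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!B3sI", VXLAN_FLAG_VNI_VALID, b"\x00" * 3, vni << 8)
    return header + inner_frame


def parse_vxlan(datagram):
    """Return the VNI and inner Ethernet header fields of a VXLAN datagram.

    Raises ValueError when the datagram cannot hold a VXLAN header plus an
    Ethernet header, or when the header does not mark the VNI as valid.
    """
    if len(datagram) < VXLAN_HEADER_LEN + ETHERNET_HEADER_LEN:
        raise ValueError("truncated: need at least 22 bytes")
    flags, _reserved, vni_field = struct.unpack("!B3sI", datagram[:VXLAN_HEADER_LEN])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    inner = datagram[VXLAN_HEADER_LEN:]
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", inner[:ETHERNET_HEADER_LEN])
    return {
        "vni": vni_field >> 8,            # upper 24 bits of the second word
        "dst_mac": dst_mac.hex(":"),
        "src_mac": src_mac.hex(":"),
        "ethertype": ethertype,           # 0x0800 = IPv4
        "payload_len": len(inner) - ETHERNET_HEADER_LEN,
    }


# Constructed sample: locally administered placeholder MACs, IPv4 ethertype,
# 40 zero bytes standing in for the mirrored IP packet, placeholder VNI 4242.
SAMPLE_INNER_FRAME = (bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
                      + b"\x08\x00" + bytes(40))
SAMPLE_DATAGRAM = build_vxlan(4242, SAMPLE_INNER_FRAME)


if __name__ == "__main__":
    print(parse_vxlan(SAMPLE_DATAGRAM))
```

To use it on live traffic you would read the UDP payloads from a capture on the mirroring interface; the parser deliberately touches only the VXLAN and Ethernet headers, so a packet that was shortened by a mirror session packet length setting still yields its VNI and a (smaller) `payload_len`.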

  1. Click Network Settings > Advanced network configuration, and then click Add network interface.

    Note: The Advanced network configuration section may not appear unless you choose a non-default VPC and subnet.

  2. Name it Mirroring or something similar.

  3. Leave all other settings the same.

Step 3d: Launch and verify the EC2 instance

  1. Click Launch Instance.
  2. Click the instance ID, where the ID value is i-<hexadecimals>.
  3. Click the instance ID to view details.

    Note: If the instance ID does not appear, refresh the page.

  4. Verify that the Instance state is Running.

Step 4: Configure the vSensor

Note: See the Serial Console User Guide for more information on using the Arctic Wolf serial console.

  1. If you have not used the serial console before, you may need to configure access. To configure serial console access:

    1. Click Actions > Account Attributes.
    2. In the Account Attributes section, select EC2 Serial Console.
    3. In the EC2 Serial Console section, select the Allow checkbox.
    4. Click Update.
  2. Locate the EC2 management console, select Instances, and then enter the vSensor instance ID.

  3. Click Actions > Monitor and Troubleshoot > EC2 Serial Console > Connect.

  4. When prompted, or if the screen is blank, press the Enter key three times.

    Note: If you selected an unsupported EC2 instance type, an error message displays after this step. To proceed, terminate the vSensor and create a new one using a supported EC2 instance type.

  5. Click Next.

    A series of connectivity checks begin.

  6. If any of the connectivity checks fail, modify the VPC, subnet, or security group as required, and then reattempt the connectivity checks.

  7. When the connectivity check passes, click Next.

  8. In the Shorthand section, enter a name for the vSensor in the Arctic Wolf Portal.

  9. Select the Mirroring deployment type.

  10. Click Next.

  11. When prompted, do one of these actions to connect the vSensor to the Arctic Wolf Platform:

    • Using a mobile device — Scan the QR code displayed in the console window, and then follow the on-screen prompts.
    • Using a web browser — Enter the displayed URL into a web browser, and then follow the on-screen prompts.

    Note: QR codes expire after 15 minutes. A new code appears in the console if the QR code expires.

    After the vSensor successfully connects to the Arctic Wolf Platform, a prompt replaces the QR code, asking you to go to the Arctic Wolf Appliance Management.

Step 5: Activate the vSensor

Note: Only the user who performed the steps to configure the vSensor can activate the vSensor.

  1. In the Arctic Wolf Portal, click Account > Arctic Wolf Appliance Management.

  2. Locate the name or the serial number of the vSensor you want to activate.

  3. In the Actions column, click Activate virtual appliance, and then click Activate Virtual Network Appliance when prompted.

    The console displays Appliance activation in progress, please wait.

  4. When prompted, press Enter three times to activate the console.

Step 6a: Obtain the Elastic Network Interface ID

Tip: See Get started with Traffic Mirroring in the Amazon documentation for more information.

Step 6b: Create a target group for the network load balancer

Note: If you have more than 10 mirrored sessions, you must add a network load balancer.

  1. Navigate to the EC2 management console.
  2. Under Load Balancing, click Target Groups.
  3. Click Create target group.
  4. In Basic configuration, configure these settings:
    • Choose a target type — Select IP addresses.
    • Target group name — Enter the name of your vSensor EC2 instance name.
    • Protocol — Select UDP.
    • Port — Enter 4789.
    • IP address type — Select IPv4.
    • VPC — Select the VPC your AWN vSensor is deployed in.
  5. Select TCP from the Health check protocol dropdown.
  6. Expand the Advanced health check settings and configure these settings:
    • Health check port — Select Override and enter 514.
    • Healthy threshold — Enter 2.
  7. Leave the rest of the settings as default and click Next.
  8. Under IP addresses, configure these settings:
    • Network — Select the same VPC that the AWN vSensor is deployed in.
    • IPv4 — Enter the IP address of the ENI interface on the AWN vSensor you intend to mirror traffic to.
    • Ports — Enter 4789.
  9. Select Include as pending below.
  10. Review your target so that all information is correct and click Create target group.

Step 6c: Deploy a network load balancer

  1. Navigate to the EC2 management console.
  2. Under Load Balancing, click Load Balancers.
  3. Click Create load balancer.
  4. Click Create under Network Load Balancer.
  5. In Basic configuration, configure these settings:
    • Load balancer name — Name the load balancer.
    • Scheme — Select Internal.
    • IP address type — Select IPv4.
  6. In Network mapping, configure these settings:
    • VPC — Select the VPC that the AWN vSensor is deployed to.
    • Mappings — Select the Availability Zones of the networks you plan to mirror.
  7. In Listeners and routing, configure these settings:

    Note: If you have subnets in different zones, under Attributes, enable Cross-zone load balancing.

  8. Leave the remaining fields as default and click Create load balancer.

Step 6d: Create the traffic mirror target

  1. Navigate to the Amazon VPC console.
  2. In the Region selector, select the AWS Region that you used when you created the VPCs.
  3. In the navigation pane, click Traffic Mirroring > Mirror targets.
  4. Click Create traffic mirror target.
  5. In the Name tag field, enter a name for the traffic mirror target, such as AWN vSensor.
  6. (Optional) In the Description field, enter a description for the traffic mirror target.
  7. If you created a load balancer in Deploy a network load balancer:
    1. In the Target type list, select load balancer.
    2. In the Target, from the dropdown, select the load balancer you created.
  8. If you did not create a load balancer in Deploy a network load balancer:
    1. In the Target type list, select Network Interface.
    2. In the Target field, enter the ENI of the mirroring interface.
  9. (Optional) For each tag that you want to add, click Add new tag, and then enter the tag key and tag value.
  10. Click Create.

Step 6e: Create the traffic mirror filter

  1. In the navigation pane, click Traffic Mirroring > Mirror filters.
  2. Click Create traffic mirror filter.
  3. In the Name tag field, enter a name for the traffic mirror filter.
  4. (Optional) In the Description field, enter a description for the traffic mirror filter.
  5. (Optional) If you are using Route53 or have DNS requests routed through a local Amazon resolver, select the Network services checkbox for amazon-dns.
  6. (Optional) For each inbound rule, click Inbound rules > Add rule, and then specify this information:
    • Number — Enter a priority to assign to the rule.
    • Rule action — Select Accept.
    • Protocol — Select All Protocols.
    • (Optional) Source port range — Enter the source port range.
    • (Optional) Destination port range — Enter the destination port range.
    • Source CIDR block — Enter 0.0.0.0/0.
    • Destination CIDR block — Enter 0.0.0.0/0.
    • Description — Enter a description for the rule.
  7. (Optional) For each outbound rule, click Outbound rules > Add rule, and then specify this information:
    • Number — Enter a priority to assign to the rule.
    • Rule action — Select Accept.
    • Protocol — Select All Protocols.
    • (Optional) Source port range — Enter the source port range.
    • (Optional) Destination port range — Enter the destination port range.
    • Source CIDR block — Enter 0.0.0.0/0.
    • Destination CIDR block — Enter 0.0.0.0/0.
    • Description — Enter a description for the rule.
  8. (Optional) For each tag that you want to add, click Add new tag and enter the tag key and tag value.
  9. Click Create.

Step 6f: Create the traffic mirror session

Note: You need to create a new session for every EC2 instance that you wish to collect traffic from.

  1. In the navigation pane, click Traffic Mirroring > Mirror sessions.

  2. Click Create traffic mirror session.

  3. (Optional) In the Name tag field, enter a name for the traffic mirror session.

  4. (Optional) In the Description field, enter a description for the traffic mirror session.

  5. In the Mirror source field, select the network interface of the instance that you want to monitor.

  6. In the Mirror target field, select the traffic mirror target that you created in Create the traffic mirror target.

  7. In the Session number field, enter the session number. The valid values are 1 to 32,766, where 1 is the highest priority.

    The session number determines the order that traffic mirror sessions are evaluated in both of these situations:

    • When an interface is used by multiple sessions.
    • When an interface is used by different traffic mirror targets and traffic mirror filters.

    Traffic is only mirrored one time, during the first session with a matching filter.

  8. Leave the VNI field blank. AWS will assign a random unused number.

  9. Leave the Packet Length field blank so that the entire packet is mirrored.

  10. In the Filter field, select the traffic mirror filter that you created in Create the traffic mirror filter.

  11. (Optional) For each tag that you want to add, click Add new tag and enter the tag key and tag value.

  12. Click Create.
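The session number, filter rule number and "mirrored only once" rule above interact in a way that is easy to get wrong when several sessions share a source interface. The following Python model is an added example, not AWS code: it evaluates a packet against the sessions of one source ENI in ascending session number, applies each session's filter rules in ascending rule number, and returns the target of the first session whose filter accepts the packet. One point is an assumption of the model rather than something the page states: a packet that hits a Reject rule in one session's filter is skipped by that session and still offered to the next. The sessions, filters, CIDRs and packets are constructed sample data.

```python
"""Model the evaluation order of AWS traffic mirror sessions on one ENI.

Added example, not AWS code. Sessions are evaluated in ascending session
number and a packet is mirrored at most once, by the first session whose
filter accepts it; filter rules are evaluated in ascending rule number.
Assumption (not stated on the page): a Reject match in one session's filter
skips that session and evaluation continues with the next session.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    number: int                      # lower number is evaluated first
    action: str                      # "accept" or "reject"
    protocol: str                    # "all", "tcp", "udp", "icmp"
    src_cidr: str
    dst_cidr: str
    src_ports: tuple = (0, 65535)
    dst_ports: tuple = (0, 65535)


@dataclass
class Filter:
    name: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)


@dataclass(frozen=True)
class Session:
    number: int                      # 1 is the highest priority
    target: str
    filter: Filter


@dataclass(frozen=True)
class Packet:
    direction: str                   # "inbound" or "outbound" relative to the source ENI
    protocol: str
    src: str
    dst: str
    src_port: int = 0
    dst_port: int = 0


def rule_matches(rule, pkt):
    if rule.protocol not in ("all", pkt.protocol):
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src_cidr):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst_cidr):
        return False
    return (rule.src_ports[0] <= pkt.src_port <= rule.src_ports[1]
            and rule.dst_ports[0] <= pkt.dst_port <= rule.dst_ports[1])


def filter_decision(flt, pkt):
    """First matching rule by number decides; no match means not mirrored."""
    rules = flt.inbound if pkt.direction == "inbound" else flt.outbound
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.action
    return "no-match"


def mirror_target_for(sessions, pkt):
    """Target that receives the packet, or None if no session mirrors it."""
    for session in sorted(sessions, key=lambda s: s.number):
        if filter_decision(session.filter, pkt) == "accept":
            return session.target
    return None


# Constructed sample: a filter that drops inbound SSH from the private range
# but accepts everything else, and the catch-all filter from Step 6e.
NO_SSH = Filter("no-ssh",
                inbound=[Rule(10, "reject", "tcp", "10.0.0.0/8", "0.0.0.0/0", dst_ports=(22, 22)),
                         Rule(20, "accept", "all", "0.0.0.0/0", "0.0.0.0/0")],
                outbound=[Rule(10, "accept", "all", "0.0.0.0/0", "0.0.0.0/0")])
CATCH_ALL = Filter("all",
                   inbound=[Rule(100, "accept", "all", "0.0.0.0/0", "0.0.0.0/0")],
                   outbound=[Rule(100, "accept", "all", "0.0.0.0/0", "0.0.0.0/0")])

# Two sessions on the same source ENI; targets are placeholder names.
SESSIONS = [Session(2, "tmt-catchall", CATCH_ALL), Session(1, "tmt-vsensor", NO_SSH)]

SSH_IN = Packet("inbound", "tcp", "10.1.2.3", "10.20.5.7", 40000, 22)
HTTPS_IN = Packet("inbound", "tcp", "10.1.2.3", "10.20.5.7", 40001, 443)

if __name__ == "__main__":
    print("ssh   ->", mirror_target_for(SESSIONS, SSH_IN))
    print("https ->", mirror_target_for(SESSIONS, HTTPS_IN))
```

The sample shows why the ordering matters: with both sessions present, HTTPS is mirrored once to `tmt-vsensor` and never reaches `tmt-catchall`, while SSH bypasses session 1's filter and is mirrored by session 2. With only session 1 present, SSH is not mirrored at all.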

Add a vSensor to network load balancer

Complete these steps after you have created and registered a new sensor.

  1. Navigate to the EC2 management console.
  2. Under Load Balancing, click Target Groups.
  3. Select the checkbox beside the target group.
  4. Select the Targets tab.
  5. Click Register Targets.
  6. Configure these settings:
    • Network — Select the VPC that your vSensor is in.
    • IPv4 address — Enter the IP address of the mirrored interface of the vSensor.
  7. Click Include as pending below.
  8. Click Register pending targets.

Reconfigure a vSensor using the AWS Management Console

You cannot reconfigure a vSensor that was deployed using AWS. If you want a different configuration, delete the old vSensor and configure a new vSensor. See Uninstall a vSensor using the AWS Management Console for more information.

Uninstall a vSensor using the AWS Management Console

  1. Decommission the vSensor:
    1. Sign in to the Arctic Wolf Portal.

    2. Click Account > Arctic Wolf Appliance Management.

    3. Find the short name or serial number of the vSensor you want to decommission.

    4. Under Actions, click Decommission virtual appliance, and then select Decommission Virtual Appliance when prompted.

  2. Turn off termination protection:
    1. In the AWS web console, click Instances.
    2. Click Actions > Instance Settings > Change termination protection.
    3. Clear the Enable checkbox.
    4. Click Save.
  3. Delete the EC2 instance:
    1. In the AWS web console, click Instance state.

    2. Click Terminate Instance.

      The EC2 instance shuts down and the associated disk resources are removed.

See also