Agent-based Scanning (Beta)
Alert Logic is upgrading vulnerability scanning features to support scanning on the host by adding OSQuery and OVALdi scan components to the existing Alert Logic agent.
Upgrades to the scanning experience
The agent-based scan upgrade improves the efficiency, accuracy, and usability of Alert Logic vulnerability scanning features with the following advantages over network scanning:
No Credential Management: Agent-based scanning does not require credential management. Users of authenticated network scans had to configure access and manage credentials for assets and networks. The agent is installed on the host with all the permissions it needs and does not require any further authentication.
Reduced Network Traffic: Agent-based scanning reduces network traffic by running locally on the host and sending only the results to Alert Logic for final analysis.
Limited Network and Host Processing Impact: The network scan will not run redundant vulnerability assessments when agent-based scan is active on a host. Agent-based scanning reduces network impacts by running locally on the host and limits host processing impact to less than 5 minutes. For detailed information on host impacts, see Requirements for the Alert Logic agent with scan components.
Better Vulnerability Accuracy: Agent-based scanning increases the accuracy and reliability of vulnerability scan results. Improved coverage includes better operating system, application, patch, and kernel level vulnerability assessment. For more information, see Scan-based vulnerability assessment coverage details.
A host must meet the following criteria to support agent-based scanning.
Node subscription level
The host node must be configured for the Alert Logic MDR Professional or Alert Logic MDR Enterprise level of protection. You can verify or change the protection levels by using Entitlement Summary or Change Protection Level of an Asset.
Host operating system
The host must run a supported Windows or Linux operating system.
The agent-based scanning components are fully validated on the following operating systems. Older Linux and Windows operating systems may work but will report a large number of vulnerabilities.
| Operating System | Installation Guide |
| --- | --- |
| Amazon Linux 2 | Install the Alert Logic Agent for Linux |
| CentOS 6, 7, 8 | Install the Alert Logic Agent for Linux |
| Debian 9, 10 | Install the Alert Logic Agent for Linux |
| Red Hat Enterprise Linux (RHEL) 7 | Install the Alert Logic Agent for Linux |
| Windows 7 | Install the Alert Logic Agent for Windows |
| Windows 10 (All) | Install the Alert Logic Agent for Windows |
| Windows Server 2008 (All) | Install the Alert Logic Agent for Windows |
| Windows Server 2012 (All) | Install the Alert Logic Agent for Windows |
| Windows Server 2016 (All) | Install the Alert Logic Agent for Windows |
| Windows Server 20H2 | Install the Alert Logic Agent for Windows |
Installed agent and agent health
The agent must be installed on the host. Agent health problems related to connectivity or resource issues may affect the installation and execution of agent-based scanning. You can verify the health and presence of an agent on a specific host by using Health and the Missing Agent Digest report.
Scan components of the agent require the following in addition to the standard Requirements for the Alert Logic Agent.
| Requirement Type | Additional System Requirement for Scan Components | Total System Requirement |
| --- | --- | --- |
Processing requirements and host impact for running an agent-based scan
The agent-based scan runs at a different time than the network scan, though the results are not enumerated and delivered until a network scan is complete with the host in scope. The host impact for processing requirements only occurs for the duration defined below, at run-time. For more information about the timing and frequency of running agent-based scanning, see Agent-based scan run-time and result visibility.
| Type | Operating Systems | Scan Components | System Requirement | Duration of Demand (Estimate) |
| --- | --- | --- | --- | --- |
| RAM (Max) | Windows | OSQuery | 50 MB | 5 seconds |
| CPU | Windows | Both | Up to 100%, running at low priority | 3-4 minutes |
| CPU | Linux | Both | Up to 100%, running at low priority | 4-5 minutes |
Scan using Alert Logic agents
A successful network scan of a host that meets the Requirements for agent-based scanning automatically recognizes and collects the results of the latest agent-based scan.
The initial agent-based scan will run within 12 hours after the install of the scan components on the host. Subsequent agent-based scan run-times are governed by the scan windows defined in Internal Scan schedules.
If the scan window is set to scan any time (default):
The agent-based scan runs every 12 hours from the initial execution. The results of the agent-based host scan are visible in the Alert Logic console once an internal network scan completes.
If the scan window is defined to specific start and end times:
The agent-based scan runs at the start of the window. The results of the agent-based host scan are visible in the Alert Logic console once the internal network scan completes for the window. For more information on asset scopes in scan schedules, see Define the scope of the assets to scan.
Scan Now: You can use the Scan Now feature from the Topology page of the Alert Logic console to collect the latest agent-based scan results from an individual host as soon as possible. For more information on the Scan Now feature, see Scan Now.
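The timing rules above (initial run within 12 hours of install, a run every 12 hours or at each window start, and results delivered only when a network scan with the host in scope completes and collects the latest agent run) can be modelled to predict when a given host's agent results will appear. This is an added illustration, not Alert Logic code; the 12-hour figures come from this page, and treating the initial run as exactly install + 12 h (the latest the page allows) and all timestamps as constructed values are assumptions.

```python
from datetime import datetime, timedelta

INTERVAL = timedelta(hours=12)  # from the page: initial run within 12 h, then every 12 h


def ts(value):
    """Parse an ISO-8601 timestamp (constructed sample values in the tests)."""
    return datetime.fromisoformat(value)


def agent_run_times(install_time, horizon, window_starts=None):
    """Agent-based scan run times up to `horizon`.

    Scan-any-time schedule (window_starts is None): assumption, the first run is
    taken as install + 12 h (the latest the page allows), then every 12 h after it.
    Defined scan windows: one run at the start of each window.
    """
    if window_starts is not None:
        return sorted(w for w in window_starts if w <= horizon)
    runs, t = [], install_time + INTERVAL
    while t <= horizon:
        runs.append(t)
        t += INTERVAL
    return runs


def results_collected(agent_runs, network_scan_completions):
    """Map each network-scan completion to the agent run it collects.

    A completed network scan with the host in scope picks up the most recent
    agent run at or before it; None means no agent results existed yet.
    """
    collected = {}
    for done in sorted(network_scan_completions):
        earlier = [r for r in agent_runs if r <= done]
        collected[done] = max(earlier) if earlier else None
    return collected


def first_visible(agent_run, agent_runs, network_scan_completions):
    """Earliest console visibility of one agent run, or None.

    Edge case: if another agent run happens before the next network scan
    completes, that scan collects the newer run and this one is superseded.
    """
    for done in sorted(network_scan_completions):
        if done < agent_run:
            continue
        if any(agent_run < r <= done for r in agent_runs):
            return None  # superseded by a newer agent run
        return done
    return None
```

With a 12-hour agent cadence and less frequent network scans, the superseded case is the normal one: only the agent run immediately preceding each network scan completion is ever delivered.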
You should expect a significant increase in the number of detected vulnerabilities with a new agent-based scan if you did not previously use authenticated scans on the host. Vulnerabilities detected by the agent have the "Agent" category on the Exposures page.
| Vulnerability Type | Host-based Scan (Agent) | Network Scan (no credentials) | Authenticated Network Scan (credentials) |
| --- | --- | --- | --- |
| System-level vulnerabilities (kernel - Windows OS) | Yes | Partial | Yes |
| Application-level exposures (RHEL) | Yes | | Yes |
| Application-level exposures (Debian) | Yes | | Yes |
| Application-level exposures (Windows Programs) | Yes | | Yes |
| Configuration Check (TLS/Certificates, Common U/P) | | Yes | Yes |
| Web Application Testing | | Partial | Partial |
| Active Exploits/ SQL Injections/ Etc | | Partial | Partial |
Network scanning and agent-based scanning
Agent-based scans and authenticated network scans provide similar vulnerability assessment coverage for OS, application, patch, and kernel level vulnerabilities. To reduce impact to the network and host, when an authenticated network scan begins scanning a particular host, it checks in with that host for the presence of agent-based scan configuration.
If agent-based scan is configured on the host:
The network scan will not run redundant vulnerability assessments for the host. The agent evaluates OS, application, patch, and kernel vulnerabilities. The unauthenticated network scan evaluates configuration checks, web application testing, active exploits, SQL injection, and similar network-visible issues.
If agent-based scan is not configured on the host:
The network scan runs vulnerability assessments as configured (authenticated or unauthenticated) against the host.