Manage Discovery Scan Schedules

When you create a data center deployment, Alert Logic automatically creates a default scan schedule to find new assets and asset changes on your networks. You can also schedule when you want to perform discovery scans on specific networks. From the Discover Assets page in the Alert Logic console, you can edit the default schedule and create additional schedules for selected assets within the of the deployment.

For more information about managing discovery scan schedules, see:

PCI and vulnerability scan management are not covered in this topic. For information about PCI scans, see Manage PCI Scans. For information about vulnerability scans, see Manage Vulnerability Scan Schedules.

Default scan schedule

The default discovery scan schedule for a Data Center deployment scans all assets in the scope of protection once a week, at any time. You can change the scan frequency and window when you want the discovery scan to occur, but not the schedule name or scope. You cannot deactivate or delete the default discovery scan schedule.

Create a scan schedule

You can choose the frequency of scans and when you want Alert Logic to perform discovery scans for each deployment.

Schedules with the same or overlapping scan windows result in one scan.

To create a scan schedule:

  1. In the Alert Logic console, click the menu icon ().
  2. Click Configure, click Deployments, and then click the deployment for which you want to create a scan schedule.
  3. On the left panel, click Discover Assets.
  4. Click the add icon ().
  5. Type a descriptive name for the scan schedule. The name cannot exceed 127 characters.
  6. If you want the schedule to be active, leave Schedule Is Active turned on. Turn it off if you want to save the schedule but not activate it yet.

Schedule how often to scan

To schedule how often you want to scan for new networks or asset changes on your networks, choose one of the following scan frequency options:

  • Scan as often as necessary—Select this option if you want to scan for new assets on your networks up to twice a day or when significant changes are detected, such as the addition of a network. This option automatically scans all assets selected on the Scope tab at least once in a 24-hour period. The option attempts a second scan depending on resources and changes to your environment. Scans on networks or hosts added that day, for example, occur immediately and take priority over second scans. Assets that were not scanned twice take priority the next day.
  • Scan once a day
  • Scan once a week

Schedule when to scan

To schedule when you want to scan for new networks or asset changes on your networks, choose one of the following scan window options:

  • Scan any time—Select this option if you do not want to limit scans to certain days or times.
  • Scan only during certain times—Select this option to choose the specific days and hours for this scan. You can define multiple scan windows if you chose Scan as often as necessary or Scan once a week as the frequency. If all assets are not scanned during a window, the unscanned assets take priority at the start of the next scan window.

Define the scope of the scan

Alert Logic scans all current and future assets in the scope of protection by default. You can choose to scan specific assets for this schedule instead.

If you want to scan all assets, use the default schedule for discovery scans instead.

To select specific assets that you want to scan within the scope of protection, click the Scope tab, choose Scan only selected assets, and then search for and choose assets that you want to include in the scan schedule. You can also enter IP addresses, IP address ranges, or CIDRs. When you finish selecting assets, click ADD TO SCAN SCOPE.

Alert Logic performs discovery scans on the entire CIDR block only, not on subnets.

Click SAVE, and then click NEXT.

View scan schedules and details

In the Discover Assets page, you can view a list of all the discovery scan schedules, including the default scan schedule, in your deployment. When you browse the list, you can see the following information:

  • Indication of the scan cadence, such as automatic, daily, or weekly
  • Scan progress, which includes the last scan date, an indication that the scan is in progress, or notice that the last scan was incomplete
  • Number of targets in the scan scope. This is the number of target CIDRs in the assets selected on the Scope tab.
  • Scan schedule status: Active or Inactive

You can sort the list of scan schedules by:

  • Schedule name
  • Active or inactive schedule
  • Latest scan
  • Next scan
  • Number of assets included in the scope

You can also stop a scan in progress, activate or deactivate the schedule, and view additional schedule details from the list.

Access the list of discovery scan schedules

To access the Discover Assets page and view your list of schedules, access the deployment for which you want to view scan schedules, and then click Discover Assets on the left panel.

View the details of a scan schedule

In the Discover Assets page, click View next to a listed schedule to see scan schedule details, scan frequency and window, and asset scope.

Scan schedule details

  • Date created
  • Last scan date
  • Next scan date
  • Scan targets last scanned (number of successfully scanned assets in scope)

Scan frequency and window

  • Scan frequency
  • Scan window
  • Time Zone
  • Start date and time
  • End date and time

Stop a scan in progress

You can stop a scan that is already in progress from the Discover Assets page.

To stop a scan

  1. Access the deployment for which you want to stop the scan, and then click Discover Assets on the left panel.
  2. In the Discover Assets page, find the scheduled scan that is in progress.
  3. Click STOP THIS SCAN.
This feature stops the current scan that is in progress. If you want to stop future scans, deactivate the scan schedule instead. You can also delete a scan schedule unless it is an Alert Logic default scan, as indicated in the schedule name.

Activate or deactivate a scan schedule

You can make a schedule that you created active or inactive from the Discover Assets page. The default scan schedule that Alert Logic creates cannot be deactivated.

To activate or deactivate a scan schedule

  1. Access the deployment for which you want to activate or deactivate the scan schedule, and then click Discover Assets on the left panel.
  2. In the Discover Assets page, find the scheduled scan that you want to activate or deactivate.
  3. Choose Active to activate the schedule or Inactive to deactivate it.

Edit a scan schedule

You can edit a schedule from the Discover Assets page.

To edit a scan schedule

  1. Access the deployment for which you want to adjust scan performance, and then click Discover Assets on the left panel.
  2. In the Discover Assets page, find the scan schedule that you want to edit.
  3. Click View next to the schedule, and then click the EDIT icon.
  4. In the Edit a Scan Schedule page, change any of the settings, and then click SAVE.
The name for an Alert Logic default scan schedule cannot be changed.

Delete a scan schedule

You can delete scan schedules that you create. The default scan schedule that Alert Logic creates cannot be deleted.

To delete a scan schedule

  1. Access the deployment from which you want to delete the scan schedule, and then click Discover Assets on the left panel.
  2. In the Discover Assets page, find the scan schedule that you want to delete.
  3. Click View next to the schedule, and then click the DELETE icon.

Adjust scan performance

For discovery scans, Alert Logic scans a maximum of ten 256-IPv4 CIDR blocks concurrently by default. You can adjust scan performance from the configuration page for the deployment or from the Topology page.

You can choose fewer concurrent scans to reduce scan traffic. Choosing a lower number results in slower scans and a longer scan duration. For faster scans and a shorter scan duration, choose a higher number of concurrent scans (up to 20). The number you choose is a maximum limitthe actual number of concurrent scans does not exceed the selected amount and depends on factors such as appliance resource availability and network bandwidth during the scan window.

To adjust scan performance from the Deployments page:

  1. Access the deployment for which you want to edit the scan schedule, and then click Scan Performance on the left panel under Vulnerability Scanning.
  2. In the list of assets, click the region or network for which you want to adjust scan performance, and then click the Scan Settings tab in the panel that opens.
  3. In the Discovery area, enter a number from 1 (slower scans) through 20 (faster scans). The default is 10 maximum concurrent CIDR blocks scanned.
  4. Click SAVE to save your selections.

To adjust scan performance from the Topology page:

  1. Click the menu icon (), click Investigate, and then click Topology.
  2. In the Topology page, specify a deployment or region in the respective drop-down menus.
  3. Click the region or VPC, VNET, or network for which you want to adjust scan performance, and then click the Scan Settings tab in the panel that opens.
  4. In the Discovery area, enter a number from 1 (slower scans) through 20 (faster scans). The default is 10 maximum concurrent CIDR blocks scanned.
  5. Click SAVE to save your selections.