Manage Scan Schedules

Alert Logic performs scans on all assets in your deployments. When you create a deployment, Alert Logic automatically creates default scan schedules to perform external and internal vulnerability scans on all non-excluded assets, and it creates a default discovery scan schedule to find new assets in Data Center deployments.

You can also schedule when you want to perform specific scans. From the Scan Schedules page in the Alert Logic console, you can edit the default schedule and create additional schedules for all or selected assets within the scope of protection of the deployment.

PCI scan management is not covered in this topic. For information about PCI scans, see Manage PCI Scans.

Exclusions, scan frequency, and scheduling options apply only to assets that are scanned using Alert Logic appliances. Cloud configuration checks performed using cloud APIs, such as checks that are part of the CIS Foundations benchmark, are not affected.

Scan types

You can schedule the following types of scans:

  • Discovery Scans—Scans for new assets or asset changes on your networks. Discovery scans are available for Data Center deployments only.
  • Internal Scans—Scans for vulnerable assets, internally, from an Alert Logic appliance in your environment. Internal vulnerability scans are available for all deployments.
  • External Scans—Scans for vulnerable assets, externally, from the Alert Logic system against your environment. This type of scan simulates attacks from outside your network and identifies potential issues from these attack types. External scans are available for all deployments.

After you define the scope of protection for your deployment, you can create and manage your scan schedules at any time.

Default scan schedules

Alert Logic default scan schedules vary according to deployment type.

Data Center deployment

The default discovery scan schedule for a Data Center deployment scans all assets in the scope of protection once a week, at any time. You can change the scan frequency and window when you want the discovery scan to occur, but not the schedule name or scope. You cannot deactivate or delete the default discovery scan schedule.

The default internal and external vulnerability scan schedules for a Data Center deployment scan all assets in the scope of protection once a week, at any time. You can change the scan frequency, window, and scope of the default internal and external scans but not the schedule name. You can make the default internal and external scan schedules inactive, but you cannot delete them.

AWS and Azure deployments

The default internal and external vulnerability scan schedules for AWS and Azure deployments scan all assets in the scope of protection as often as necessary (once a day, or twice a day if significant changes to an asset are detected), at any time. You can change the scan frequency, window, and scope of the default internal and external scans but not the schedule name. You can make the default internal and external scan schedules inactive, but you cannot delete them.

Create a scan schedule

You can choose the frequency of scans and when you want Alert Logic to perform scans for each deployment. For internal and external vulnerability scans, you can choose whether to scan all or selected assets within the scope of protection.

Schedules with the same or overlapping scan windows result in one scan.

To create a scan schedule:

  1. In the Alert Logic console, click Configure, click Deployments, and then click the deployment for which you want to create a scan schedule.
  2. On the side navigation, click Scan Schedules.
  3. On the Scan Schedules page, click Discovery Scanning, Internal Scanning, or External Scanning.
    For Amazon Web Services (AWS) deployments and Microsoft Azure deployments, internal and external vulnerability scans are the only options available.
  4. Click the add icon.
  5. Type a descriptive name for the scan schedule. The name cannot exceed 127 characters.
  6. If you want the schedule to be active, leave Schedule Is Active turned on. Turn it off if you want to save the schedule but not activate it yet.

Discovery scans

Schedule how often to scan

To schedule how often you want to scan for new networks or asset changes on your networks, choose one of the following scan frequency options:

  • Scan as often as necessary—Select this option if you want to scan for new assets on your networks up to twice a day or when significant changes are detected, such as the addition of a network. This option automatically scans all assets selected on the Scope tab at least once in a 24-hour period. The option attempts a second scan depending on resources and changes to your environment. Scans on networks or hosts added that day, for example, occur immediately and take priority over second scans. Assets that were not scanned twice take priority the next day.
  • Scan once a day
  • Scan once a week

Schedule when to scan

To schedule when you want to scan for new networks or asset changes on your networks, choose one of the following scan window options:

  • Scan any time—Select this option if you do not want to limit scans to certain days or times.
  • Scan only during certain times—Select this option to choose the specific days and hours for this scan. You can define multiple scan windows if you chose Scan as often as necessary or Scan once a week as the frequency. If all assets are not scanned during a window, the unscanned assets take priority at the start of the next scan window.

Define the scope of the scan

Alert Logic scans all current and future assets in the scope of protection by default. You can choose to scan specific assets for this schedule instead. To exclude assets from all scans, not just this schedule, exclude them on the Scope of Protection page for the deployment.

To select specific assets that you want to scan within the scope of protection, click the Scope tab and choose one of the following options:

  • Scan all assets—Select this option to scan all current and future assets in the scope of protection.
  • Scan only selected assets—Select this option to search for and choose assets that you want to include in the scan schedule. You can also enter IP addresses, IP address ranges, or CIDRs. When finished selecting assets, click ADD TO SCAN SCOPE.
If you select assets on this tab and later exclude them from the scope of protection, the assets remain selected but will no longer be scanned.

Click SAVE, and then click NEXT.

Internal scans and External scans

Schedule how often to scan

To schedule how often you want to scan for vulnerabilities on your internal networks, choose one of the following scan frequency options:

  • Scan as often as necessary—Select this option if you want to scan assets for vulnerabilities up to twice a day or when significant changes to an asset are detected, such as the addition of a network. This option automatically scans all the assets you selected on the Scope tab at least once in a 24-hour period. The option attempts a second scan depending on resources and changes to your environment. Scans on networks or hosts added that day, for example, occur immediately and take priority over second scans. Assets that were not scanned twice take priority the next day.
  • Scan once a day
  • Scan once a week
  • Scan once a month
  • Scan once a quarter
  • Scan once—Select this option if you want to scan assets selected on the Scope tab once, starting at a specific time. For example, to verify a patch or remediation action, you could use this option to schedule a scan of several assets to start within the next five minutes instead of waiting for the next regularly scheduled scan.

Schedule when to scan

To schedule when you want to scan for vulnerabilities, choose one of the following scan window options:

  • Scan any time—Select this option if you do not want to limit scans to certain days or times.
  • Scan only during certain times—Select this option to choose the specific days and hours for this scan. For a quarterly scan, you can also choose the specific month of the quarter for this scan. You can define multiple scan windows if you chose Scan as often as necessary, Scan once a week, Scan once a month, or Scan once a quarter as the frequency.
  • Scan only during certain times on certain days (available if you choose Scan once a month or Scan once a quarter as the scan frequency)
  • Scan only during a certain week on a certain day (available if you choose Scan once a month as the scan frequency)

If you chose Scan once as the frequency, specify the time zone, start day and time, and an option for the end day and time for the scan:

  • No end date (scan until done)
  • Specify end date and time

Define the scope of the scan

Alert Logic scans all current and future assets in the scope of protection by default. You can choose to scan specific assets for this schedule instead. To exclude assets from all scans, not just this schedule, exclude them on the Scope of Protection page for the deployment.

To select specific assets that you want to scan within the scope of protection, click the Scope tab and choose one of the following options:

  • Scan all assets—Select this option to scan all current and future assets in the scope of protection.
  • Scan only selected assets—Select this option to search for and choose assets and AWS tags (for AWS deployments) that you want to include in the scan schedule. You can also enter IP addresses, IP address ranges, or CIDRs. When finished selecting assets, click ADD TO SCAN SCOPE.
If you select assets on this tab and later exclude them from the scope of protection, the assets remain selected but will no longer be scanned.

Click SAVE, and then click NEXT.

View scan schedules and details

In the Scan Schedules page, you can view a list of all scan schedules, including default scan schedules, in your deployment. When you browse the list, you can see the following information:

  • Indication of the scan cadence, such as automatic, daily, weekly, monthly, or once
  • Scan progress, which includes the last scan date, an indication that the scan is in progress, or notice that the last scan was incomplete
  • Number of targets in the scan scope. This is the number of target CIDRs (for a discovery scan) or target hosts (for a vulnerability scan) in the assets selected on the Scope tab.
  • Scan schedule status: Active or Inactive

You can sort the list of scan schedules by:

  • Schedule name
  • Active or inactive schedule
  • Latest scan
  • Next scan
  • Number of assets included in the scope

You can also stop a scan in progress, activate or deactivate the schedule, and view additional schedule details from the list.

Access the Scan Schedules page

To access the Scan Schedules page and view your list of schedules, access the deployment for which you want to view scan schedules, and then click Scan Schedules on the side navigation.

View the details of a scan schedule

In the Scan Schedules page, click View next to a listed schedule to see additional details, such as:

  • Date created
  • Last and next scan dates
  • Scan frequency
  • Scan window
  • List of assets included in the schedule

Stop a scan in progress

You can stop a scan that is already in progress from the Scan Schedules page.

To stop a scan:

  1. Access the deployment for which you want to stop the scan, and then click Scan Schedules on the side navigation.
  2. In the Scan Schedules page, find the scheduled scan that is in progress.
  3. Click STOP THIS SCAN.
This feature stops the current scan that is in progress. If you want to stop future scans, deactivate the scan schedule instead. You can also delete a scan schedule unless it is an Alert Logic default scan, as indicated in the schedule name.

Activate or deactivate a scan schedule

You can make a schedule active or inactive from the Scan Schedules page.

To activate or deactivate a scan schedule:

  1. Access the deployment for which you want to activate or deactivate the scan schedule, and then click Scan Schedules on the side navigation.
  2. In the Scan Schedules page, find the scheduled scan that you want to activate or deactivate.
  3. Choose Active to activate the schedule or Inactive to deactivate it.

Edit a scan schedule

You can edit a schedule from the Scan Schedules page.

To edit a scan schedule:

  1. Access the deployment for which you want to edit the scan schedule, and then click Scan Schedules on the side navigation.
  2. In the Scan Schedules page, find the scan schedule that you want to edit.
  3. Click View next to the schedule, and then click the EDIT icon.
  4. In the Edit a Scan Schedule page, change any of the settings, and then click SAVE.
The name for an Alert Logic default scan schedule cannot be changed.

Delete a scan schedule

You can delete scan schedules that you create. The default scan schedules that Alert Logic creates cannot be deleted.

To delete a scan schedule:

  1. Access the deployment from which you want to delete the scan schedule, and then click Scan Schedules on the side navigation.
  2. In the Scan Schedules page, find the scan schedule that you want to delete.
  3. Click View next to the schedule, and then click the DELETE icon.

Exclude assets from scans

You can exclude deployment assets from external and internal vulnerability scanning. Excluding an asset from scans prevents the asset from being scanned in the future, but does not stop scans in progress. Exposures from previous scans are still reflected on the excluded assets.

To access EXCLUSIONS:

  1. In the Alert Logic console, click Configure, click Deployments, and then click the deployment that contains the assets you want to exclude.
  2. On the side navigation, click Scope of Protection, and then in the page, click EXCLUSIONS.

Exclusions from external scanning

To exclude assets for external scanning:

  1. Select the External Scanning tab to view assets available to exclude.
  2. Click EXCLUDE for the asset you want to exclude.
    You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click CANCEL.
  3. After you apply all the necessary exclusions, click out of Exclusions, and then on the Scope of Protection page, click SAVE.
If you exclude assets that are selected in the Scope tab in an existing scan schedule, the assets remain selected but will no longer be scanned.

Exclusions from internal scanning

To exclude assets or tags for internal scanning:

  1. Select the Internal Scanning tab, and then click either ASSETS or TAGS to search for the available assets or tags to exclude.
  2. Click EXCLUDE for the asset or tag you want to exclude.
    You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click CANCEL.
  3. After you apply the necessary exclusions, click out of Exclusions, and then on the Scope of Protection page, click SAVE.
If you exclude assets that are selected in the Scope tab in an existing scan schedule, the assets remain selected but will no longer be scanned.
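
The notes above state that assets selected on a schedule's Scope tab stay selected after they are excluded from the scope of protection, yet are no longer scanned. The following added example (not Alert Logic code, and it calls no Alert Logic API) reports which scope entries lose coverage that way. It assumes both lists are supplied by hand as IP addresses, IP address ranges, or CIDRs; all function names and sample values are constructed for illustration.

```python
import ipaddress

def to_networks(entry):
    """Parse one entry: a single IP, an 'a-b' address range, or a CIDR."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(entry, strict=False)]

def subtract(nets, excl):
    """Remove one excluded network from a list of CIDR blocks."""
    out = []
    for n in nets:
        if n.version != excl.version or not n.overlaps(excl):
            out.append(n)                        # untouched by this exclusion
        elif n.subnet_of(excl):
            continue                             # wholly excluded
        else:
            out.extend(n.address_exclude(excl))  # excl lies strictly inside n
    return out

def coverage_gaps(schedule_scope, exclusions):
    """Map each scope entry that lost coverage to its address counts."""
    excluded = [net for e in exclusions for net in to_networks(e)]
    report = {}
    for entry in schedule_scope:
        nets = to_networks(entry)
        selected = sum(n.num_addresses for n in nets)
        for ex in excluded:
            nets = subtract(nets, ex)
        remaining = sum(n.num_addresses for n in nets)
        if remaining < selected:
            report[entry] = {"selected": selected, "still_scanned": remaining}
    return report

# Constructed sample data: entries as typed on a schedule's Scope tab, and
# the addresses of assets excluded on the Scope of Protection page.
SCHEDULE_SCOPE = ["10.0.1.0/24", "10.0.2.10-10.0.2.19",
                  "192.0.2.15", "10.0.3.0/28"]
EXCLUSIONS = ["10.0.1.128/25", "10.0.2.12", "192.0.2.15"]

if __name__ == "__main__":
    for entry, counts in coverage_gaps(SCHEDULE_SCOPE, EXCLUSIONS).items():
        print(f"{entry}: {counts['still_scanned']} of "
              f"{counts['selected']} selected addresses still scanned")
```

An entry reported with zero addresses still scanned is a schedule target that looks selected in the console but produces no new scan results.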