Manage Scans and Scan Results

Alert Logic updated the appearance of the Alert Logic console, though all functionality remains. If you chose to use the beta navigation, note that the documentation below describes the current Alert Logic console. For more information about the new navigation, see Dashboard Navigation Menu.

Alert Logic performs scans on all assets in your deployments. When you create a new deployment, Alert Logic automatically performs external and internal vulnerability scans on all assets unless you apply exclusions, and scans for new assets in Data Center deployments.

Alert Logic allows you to manage the following scanning features:

Exclusions, scan frequency, and scheduling options apply only to scans of host assets by Alert Logic appliances. Cloud configuration checks performed with cloud APIs, such as checks that are part of the CIS Foundations benchmark, are not affected.

PCI scan management is not covered in this topic. For information about PCI scans, see Manage PCI Scans.

If this is your first time accessing scans, see Get Started with Alert Logic Scans to learn the basics of Alert Logic scans.

Manage scan schedules

Alert Logic automatically performs certain scans of all your assets that were discovered when you create a new deployment. To learn how to create a deployment, see Get Started with Alert Logic Deployments.

Scan frequency and scheduling

You can schedule how often and when you want Alert Logic to perform scans for each deployment. You can manage your schedules at any time, including after you have already created the deployment. You can schedule the following types of scans:

  • Discovery Scans—Scan for new assets. Discovery scans are available for Data Center deployments only.
  • Internal Scans—Scans for vulnerable assets, internally, from an Alert Logic appliance in your environment. Internal vulnerability scans are available for all deployments.
  • External Scans—Scans for vulnerable assets, externally, from the Alert Logic system against your environment. This type of scan simulates attacks from outside your network and identifies potential issues from these attack types. External scans are available for all deployments.

To manage scan frequency and scheduling:

  1. In the Alert Logic console, click CONFIGURATION, and then click the deployment for which you want to manage your scans.
  2. On the side navigation, click Scheduling.
  3. Click Discovery Scans, Internal Scans, or External Scans.

For Amazon Web Services (AWS) deployments and Microsoft Azure deployments, internal and external vulnerability scans are the only options available.

Discovery scans

Schedule how often to scan

To schedule how often you want Alert Logic to scan for new assets, choose one of the following options:

  • Scan as often as necessary—Select this option if you want Alert Logic to lightly scan for new assets twice a day or when significant changes are detected.
  • Scan once a day
  • Scan twice a day
  • Scan three times a day

Schedule when to scan

To schedule when you want Alert Logic to scan for new assets, choose one of the following options:

  • Scan whenever necessary—Select this option if you do not want to limit Alert Logic scans to particular days or times.
  • Scan only during certain hours

Click SAVE, and then click NEXT.

Internal scans and External scans

Schedule how often to scan

To schedule how often you want Alert Logic to scan for vulnerabilities, choose one of the following options:

  • Scan as often as necessary—Select this option if you want Alert Logic to scan known assets for vulnerabilities once a day, or twice a day if significant changes to an asset are detected.
  • Scan once a day
  • Scan once a week
  • Scan once a month

Schedule when to scan

To schedule when you want Alert Logic to scan for vulnerabilities, choose one of the following options:

  • Scan whenever necessary—Select this option if you do not want to limit Alert Logic scans to particular days or times.
  • Scan only during certain hours on certain days
  • Scan only on a certain day (AWS and Azure deployments only)

Click SAVE, and then click NEXT.

Exclude assets from scans

You can exclude deployment assets from external and internal vulnerability scanning. Excluding an asset from scans prevents the asset from being scanned in the future, but does not terminate scans in progress. Exposures from previous scans are still reflected on the excluded assets.

To access EXCLUSIONS:

  1. In the Alert Logic console, click CONFIGURATION, and then select the deployment that contains the assets you want to exclude.
  2. On the side navigation, click Scope of Protection, and then in the page, click EXCLUSIONS.

Exclusions from external scanning

To exclude assets for external scanning:

  1. Select the External Scanning tab to view assets available to exclude.
  2. Click EXCLUDE for the asset you want to exclude.
    You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click CANCEL.
  3. After you apply all the necessary exclusions, click out of Exclusions, and then on the Scope of Protection page, click SAVE.

Exclusions from internal scanning

To exclude assets or tags for internal scanning:

  1. Select the Internal Scanning tab, and then click either ASSETS or TAGS to search for the available assets or tags to exclude.
  2. Click EXCLUDE for the asset or tag you want to exclude.
    You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click CANCEL.
  3. After you apply the necessary exclusions, click out of Exclusions, and then on the Scope of Protection page, click SAVE.

Network details and other actions

You can view your networks, and all their assets, in an interactive diagram from the Topology page in the Alert Logic console. From the Topology page, you can customize and filter which assets you want to see and view their details, take action on incidents or remediations, manage credentials, and expedite scans for specific assets. For more information, see Topology.

Manage your credentials

On the Topology page, you can add credentials to your assets to use with internal vulnerability scans. If you provide credentials, Alert Logic performs comprehensive vulnerability checks using package information and other local sources of data. If you do not provide credentials, Alert Logic scans your assets using only methods available to unauthenticated users.

To access the Topology page, click OVERVIEW, and then click Topology.

To manage your credentials:

  1. On the Topology page, specify a deployment or region in the respective drop-down menus.
  2. Click on the asset for which you want to manage credentials, and then in the slideout panel, click Credentials.
  3. Click ADD CREDENTIAL, and then enter the required fields.
  4. Click ADD CREDENTIAL to save your credentials.

Scan Now

If you need to run a scan immediately, you can use the Scan Now feature on the Topology page. This scans the selected asset right away or as soon as possible, outside of the normal schedule and ignoring any exclusions.

To see which scans are in progress, click the scan icon to view the scan statuses of your assets. For more information about scan status, see Customize the diagram display.

To use the Scan Now feature:

  1. On the Topology page, specify a deployment or region in the respective drop-down menus.
  2. Click on the asset you want to scan immediately, if a scan is not in progress.
  3. In the slideout panel, click Actions, and then click SCAN NOW.
  4. A dialog box appears, showing a list of exclusions that the scanner will ignore to scan the asset. Click OK to run the scan.

Scan Now may delay the scan for 5-25 minutes, depending on technological factors such as the current load on the scanner and the availability of a scan appliance. Alert Logic will always scan the asset as soon as possible.

Scan results

You can use scan results to access valuable vulnerability information about your networks, including historical trends and current details. Reviewing the data helps to identify issues you can address to improve your security posture. You can review scan results and their outcomes in different pages in the Alert Logic console:

View legacy scan results

If you were subscribed to the previous version of Alert Logic products, you can view your legacy scan results from the Settings menu. Click the Settings icon, and then click Legacy Scan Results. You can also access the legacy scan results from the Reports page.

To access legacy scan results from the Reports page:

  1. Click REPORTS, and then click Scheduled.
  2. Click Saved Scheduled Reports, and then click Archived Reports.

View vulnerability reports

Alert Logic generates several reports based on vulnerabilities detected by scans. Vulnerability reports provide valuable summary, distribution, and trending data for vulnerabilities discovered across your environment. For more information, see Vulnerabilities.

Remediations against detected vulnerabilities

The Alert Logic console Remediations page lists recommended actions you can take against exposures based on vulnerabilities detected by scans. You can take several actions for the listed remediation:

  • Plan (track and address the vulnerability at a later time)
  • Dispose (remove the vulnerability from view for a period of time)
  • Complete (complete the remediation action)

The recommended remediations also provide details that include the exposures, affected assets, and evidence of the vulnerability. For more information, see Remediations.

Remediation reports

Alert Logic provides reports based on activity and actions performed in the Remediations page. For more information, see Remediations.

Scan Statistics

Health

The Health page, under HEALTH in the Alert Logic console, provides several types of trend views and statistical data to help you better understand the health of your environment at a high level. For more information, see Health.

If you manage more than one customer, you cannot view the statistics for all of the customer accounts without logging in to each account individually.

Security Posture

The Security Posture page, under the OVERVIEW tab in the Alert Logic console, displays interactive dashboard summaries of your environment for Threat Risk Index (TRI), Remediations, and, if you have an Alert Logic Professional or Alert Logic Enterprise subscription, Incidents. Use the dashboards to analyze and address issues in your environment. For more information, see Security Posture Dashboard.

Vulnerability Analysis reports

You can view and filter vulnerabilities in your environment from the Vulnerability Analysis reports, which can narrow your results to specific data and statistics. The Vulnerability Summary displays all vulnerabilities according to the filters you choose.

Risk reports

Alert Logic generates several Risk reports that provide convenient access to analysis, statistics, assessments, and trending data related to your security and health posture and threat risk index. For more information, see Risk.