Topology

The Topology page, under the Investigate menu item in the Alert Logic console, displays an interactive diagram that uses color-coded icons to show the distribution of exposures and threats across your network assets.

Topology allows you to select regions or assets to see details about the item, exposures, and remediations for those exposures.

Topology page

The Topology page header allows you to specify a deployment and a region, and displays the number of VPCs, VNETs, or networks; subnets; hosts; appliances; and agents in that selected deployment.

The Topology menu bar allows you to group the assets displayed in the diagram, customize how and what assets are displayed, view details on the status of those assets, and search for specific assets.

Specify a deployment

Use the Deployment drop-down menu to switch the displayed topology diagram to another deployment.

Specify a region

By default, the displayed topology diagram includes all regions in the selected deployment. If your deployment includes multiple regions, you can click the Region drop-down menu to specify a single region for a more focused view of deployment assets.

Customize the diagram display

The Alert Logic console allows you to customize your view of the topology diagram.

Scope — Click the Scope icon to include only assets within the deployment scope in the topology diagram.

Remediations — Click the Remediations icon to display the topology diagram with asset icons that appear in colors that identify their security and/or configuration health exposure levels. Color codes for remediation states are:

  • Red: Critical
  • Orange: High
  • Yellow: Medium
  • Gray: Low

Scan map — Click Scan map to display the topology diagram with asset icons that appear in colors that identify their scan states. Color codes for scan states are:

  • Blue: Scanned
  • Dark gray with a blue halo: Currently being scanned
  • Dark gray: Not scanned
  • Light gray: Not in scope

Credentials map — Click Credentials map to display the topology diagram as a credentials map in which assets with assigned scan credentials are highlighted in green.

Agents map — Click Agents map to display the topology diagram with host icons that appear in colors to identify the agent health status. Color codes for agent status are:

  • Green: Ok; Healthy
  • Red: Error
  • Yellow: Warning
  • Gray: Offline
  • Dark Gray: Not installed

Add assets to view

You can add the following assets to the topology diagram:

  • Load balancers
  • Security groups
  • AMIs
  • Containers
  • Stopped instances

Asset details

Click a region or asset to view its information. You can also:

  • Add or delete asset credentials for internal network scans
  • Adjust scan performance at the region or network level
  • View exposures and recommended remediations for the asset
  • Scan a host with the Scan Now feature

Add or delete asset credentials

You can add credentials to your regions or assets to use with internal network scans. You can add multiple credential types, but only one credential of each type. If you provide credentials, Alert Logic performs comprehensive authenticated vulnerability checks for missing patches and misconfigurations using package information and other local sources of data. Credentials are not needed for assets protected with agent-based scans. If you do not provide credentials or enable agent-based scanning, scans on your assets occur using only methods available to unauthenticated users.

To add your credentials:

  1. On the Topology page, specify a deployment or region in the respective drop-down menus.
  2. Click the region or asset for which you want to manage credentials, and then click the Scan Settings tab in the panel that opens.
  3. Click ADD CREDENTIAL, and then enter the required fields.
  4. Click SAVE.

To delete a credential, click the asset that has credentials, click the Scan Settings tab in the panel that opens, and then click the X next to the credential name.

Adjust scan performance

For discovery scans, Alert Logic scans a maximum of ten 256-IPv4 CIDR blocks concurrently by default. For internal and external vulnerability scans, the maximum number of IPs scanned concurrently is ten by default.

You can choose fewer concurrent scans to reduce scan traffic. Choosing a lower number results in slower scans and a longer scan duration. For faster scans and a shorter scan duration, choose a higher number of concurrent scans (up to 20). The number you choose is a maximum limit: the actual number of concurrent scans does not exceed the selected amount and depends on factors such as appliance resource availability and network bandwidth during the scan window.

To adjust scan performance:

  1. On the Topology page, specify a deployment or region in the respective drop-down menus.
  2. Click the region or VPC, VNET, or network for which you want to adjust scan performance, and then click the Scan Settings tab in the panel that opens.
  3. In the Discovery area, enter a number from 1 (slower scans) through 20 (faster scans). The default is 10 maximum concurrent CIDR blocks scanned.
  4. In the Vulnerability area, enter a number from 1 (slower scans) through 20 (faster scans). The default is 10 maximum concurrent IPs scanned.
  5. Click SAVE to save your selections.

Take action on exposures and remediations

Click a region or asset, and then click the Actions tab in the panel that opens to see the security and health exposures and recommended remediations for that asset.

Scan Now

If you need to run a scan on a specific host immediately, you can use the Scan Now feature on the Topology page. This feature scans the selected host right away or as soon as possible, outside the normal schedule.

For hosts with Agent-Based Scanning, Scan Now triggers an agent-based scan at the same time as the internal network scan. The results of both scans are merged once the internal network scan completes.

To see which internal network scans are in progress, click the scan icon to see the scan statuses of your assets. For more information about scan status, see Customize the diagram display.

To use the Scan Now feature:

  1. On the Topology page, specify a deployment or region in the respective drop-down menus.
  2. Click the host you want to scan immediately, if a scan is not in progress.
  3. In the panel that opens, click the Actions tab, and then click SCAN NOW.

    If the host is excluded from scanning in the deployment scope of protection, a message prompts you to confirm whether to continue with the scan. If ports are excluded, a message prompts you to choose whether to honor or override the exclusions. If you choose to honor exclusions, the scanner does not scan the excluded ports.

  4. Click OK to run the scan.

Scan Now prompts Alert Logic to scan the host as soon as possible. Depending on technological factors such as the current load on the scanner and the availability of a scan appliance, a delay of up to 25 minutes may occur before the internal network scan begins.