Microsoft Azure Deployment Configuration (Professional Subscription)

Alert Logic allows you to add Microsoft Azure deployments to the Alert Logic console. You can access the Deployments page from the Configure menu item in the Alert Logic console. To add a deployment, click the add icon (), and then enter the requested information to provide Alert Logic with third-party access to the specified cloud environment.

Name your deployment

In the Deployment Name field, type a descriptive name for the deployment you want to create, and then click SAVE AND CONTINUE.

Allow access to Azure subscription

To protect your Azure deployment, you must set up an Azure RBAC role to allow Alert Logic to access your account. For instructions, see Configure App Registration and RBAC for Microsoft Azure Resources.

Asset Discovery

Allow Alert Logic a moment to discover your assets. When discovery is complete, click CONTINUE. Alert Logic displays the assets discovered in your account in topology diagrams. To learn more about topology, click Topology.

Add external assets

You can add external assets by domain name or IP address. Alert Logic will scan these external assets that you define.

External assets are also used for non-PCI external scans.

To add external assets:

  1. Click the External Assets tab, click the add icon (), and then choose DNS Name or External IP.
    • If you chose DNS Name, enter your fully qualified domain name in the field.
    • If you chose External IP, name your external IP address, and then enter the IP address in the field.
  2. Click SAVE.

Scope of Protection

Alert Logic discovers and organizes deployments into a visual topology where you can select the desired levels of protection for your assets.

You can define the scope of your protection per region or network. Each network appears within its protected region. Click a region or individual network to set the service level or leave it unprotected, and then click SAVE SCOPE. You must choose one of the following levels of coverage:

  • Unprotected
  • Alert Logic Essentials coverage
  • Alert Logic Professional coverage

The choices available for scope of protection correspond directly with your entitlement. Although a Professional subscription includes all the features of Essentials, a Professional customer cannot set the protection scope to Essentials unless the account has a separate Essentials subscription.

You can change the protection level later as needed.

Network IDS Exclusions

Network IDS monitors network traffic and triggers incidents when it detects suspicious activity or threats on your networks. You can exclude assets from Network IDS.

To exclude assets from Network IDS:

  1. In the left panel, click Network IDS Exclusions.
  2. Click the drop-down menu to select a network or leave All networks selected.
  3. In the Protocol field, click the drop-down menu to select a protocol. Select TCP, UDP, or ICMP, or select * to select all IP protocols.
  4. In the CIDR field, enter a range of network addresses in CIDR format that you want to exclude.

    Enter 10.0.0.0/24 to exclude IP addresses in the range 10.0.0.0-10.0.0.255.

  5. Click the drop-down menu to select the port. You can enter a single port, a port range, or * to select all ports.

    Enter 443 for a single port. Enter 1:1024 for a port range.

  6. In the Justification/Note field, enter the reason for excluding the assets from Network IDS.
  7. Click EXCLUDE AND ADD ANOTHER. Repeat the steps to add more CIDRs.
    You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click REMOVE.
  8. After you apply all the necessary exclusions, click SAVE EXCLUSIONS.

Agent-Based Scanning

You have the option to enable agent-based scanning. Agent-based scanning improves the efficiency, accuracy, and usability of Alert Logic vulnerability scanning features. Agent-based scanning provides the vulnerability assessment coverage of authenticated network scanning without the need to manage credentials and with a reduction in network traffic and impact. To learn more about agent-based scanning, see Agent-Based Scanning.

Vulnerability Scanning

The next step is to configure vulnerability scans to protect your deployment.

Scan Schedules

Alert Logic performs scans to protect your deployment. When you create a new deployment, Alert Logic automatically creates default scan schedules to perform external and internal vulnerability scans on all non-excluded assets. The default scan schedules also perform external and internal vulnerability scans on all non-excluded TCP ports and common UDP ports. If agent-based scanning is enabled, the default agent-based scan schedule performs scans for vulnerabilities and missing patches on all non-excluded hosts with an Alert Logic agent installed. You can schedule when you want to perform specific scans for all or selected assets and ports from the Agent-Based Scans, Internal Network Scans, and External Network Scans tabs. For more information, see Manage Vulnerability Scan Schedules.

Port selection does not apply to agent-based scan schedules.

To initiate vulnerability scanning, review the schedules, make any changes, and then activate the schedules you want to use. Click NEXT.

Scan Exclusions

You can exclude assets from agent-based scans. You can exclude assets or ports from internal and external network scans.

Agent-based scans

To exclude assets from agent-based scans:

  1. On the Scan Exclusions page, click the Agent-Based Scans tab.
  2. To exclude assets, click ASSETS to search for available assets to exclude, and then click EXCLUDE for the asset you want to exclude.
    You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click CANCEL.
  3. After you apply your exclusions, click SAVE EXCLUSIONS.
If you exclude assets that are selected in an active scan schedule in the Scope tab, the items remain selected but are not included in future scans.

Internal network scans

To exclude assets or ports from internal network scans:

  1. On the Scan Exclusions page, click the Internal Network Scans tab.
  2. To exclude assets, click ASSETS to search for available assets to exclude, and then click EXCLUDE for the asset you want to exclude.
    You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click CANCEL.
  3. To exclude ports, click PORTS, and then do the following:
    1. Search for the host, subnet, or network that has the ports you want to exclude from internal scanning.
    2. In the Protocol field, select the port protocol (UDP, TCP, or ICMP), or select * to select all IP protocols.
    3. Enter one or more ports that you want to exclude. Use a dash or colon to indicate a range (for example, 1-10001). Separate multiple ports or port ranges with a comma (for example, 11234, 11311, 12000-12010).
    4. Click EXCLUDE AND ADD ANOTHER.
  4. You can remove ports from the exclusion list at any time to include the ports in scanning. To remove ports from the exclusion list, click REMOVE.
  5. After you apply your exclusions, click SAVE EXCLUSIONS.
If you exclude assets or ports that are selected in an active scan schedule in the Scope or Ports tab, the items remain selected but are not included in future scans.

External network scans

To exclude assets or ports from external network scans:

  1. On the Scan Exclusions page, click the External Network Scans tab.
  2. To exclude assets, click ASSETS to search for available assets to exclude, and then click EXCLUDE for the asset you want to exclude.
    You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click CANCEL.
  3. To exclude ports, click PORTS, and then do the following:
    1. Search for the host, subnet, or network that has the ports you want to exclude from external scanning.
    2. In the Protocol field, select the port protocol (UDP, TCP, or ICMP), or select * to select all IP protocols.
    3. Enter one or more ports that you want to exclude. Use a dash or colon to indicate a range (for example, 1-10001). Separate multiple ports or port ranges with a comma (for example, 11234, 11311, 12000-12010).
    4. Click EXCLUDE AND ADD ANOTHER.
  4. You can remove ports from the exclusion list at any time to include the ports in scanning. To remove ports from the exclusion list, click REMOVE.
  5. After you apply your exclusions, click SAVE EXCLUSIONS.
If you exclude assets or ports that are selected in the Scope or Ports tab in an active scan schedule, the assets or ports remain selected but are not included in future scans.
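The Network IDS Exclusions and Scan Exclusions sections above take the same three fields (a CIDR, a protocol of TCP, UDP, ICMP or *, and ports written as 443, 1:1024, 1-10001, a comma-separated list, or *), and an exclusion list grows hard to review by eye. As an added example, not Alert Logic's code, the Python below parses those fields as the console describes them, answers whether a given host, protocol and port would fall inside an exclusion, and flags blanket exclusions and missing justifications. The matching behaviour, the audit thresholds and the sample rules are assumptions of this example, not Alert Logic's implementation.

```python
import ipaddress

ALL_PORTS = (1, 65535)
PROTOCOLS = ("TCP", "UDP", "ICMP", "*")

def parse_ports(spec):
    """Port syntax as the console accepts it: 443, 1:1024 or 1-10001,
    a comma list such as 11234, 11311, 12000-12010, or * for all ports."""
    if spec.strip() == "*":
        return [ALL_PORTS]
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        sep = ":" if ":" in part else "-" if "-" in part else None
        low, high = map(int, part.split(sep, 1) if sep else (part, part))
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"invalid port entry: {part!r}")
        ranges.append((low, high))
    return ranges

class Exclusion:
    """One exclusion as entered in the console: CIDR, protocol, ports, note."""
    def __init__(self, cidr, protocol, ports, note=""):
        self.network = ipaddress.ip_network(cidr, strict=False)
        self.protocol = protocol.upper()
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"unsupported protocol: {protocol!r}")
        self.ports = parse_ports(ports)
        self.note = note.strip()

    def matches(self, ip, protocol, port):
        # Assumed semantics: all three fields must match for traffic to be excluded.
        in_net = ipaddress.ip_address(ip) in self.network
        proto_ok = self.protocol in ("*", protocol.upper())
        return in_net and proto_ok and any(lo <= port <= hi for lo, hi in self.ports)

def is_excluded(rules, ip, protocol, port):
    """True if any rule would keep this traffic out of Network IDS."""
    return any(rule.matches(ip, protocol, port) for rule in rules)

def audit(rules, max_blanket_hosts=256):
    """Flag every-protocol/every-port rules wider than a /24 and rules with no note."""
    findings = []
    for rule in rules:
        blanket = rule.protocol == "*" and rule.ports == [ALL_PORTS]
        if blanket and rule.network.num_addresses > max_blanket_hosts:
            findings.append(f"blanket exclusion over {rule.network}")
        if not rule.note:
            findings.append(f"no justification for {rule.network}")
    return findings

RULES = [  # constructed sample exclusion list, not from any real deployment
    Exclusion("10.0.0.0/24", "TCP", "443", "internal LB health checks"),
    Exclusion("10.0.1.0/24", "*", "1:1024", "lab subnet, low ports"),
    Exclusion("192.168.0.0/16", "*", "*"),  # broad and unjustified
]
```

Run `audit(RULES)` against an exported exclusion list before clicking SAVE EXCLUSIONS; each finding names the CIDR whose traffic Network IDS would never inspect.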

Scan Credentials

You can add credentials to your regions or assets to use with internal network scans. You can add multiple credential types, but only one credential of each type. If you provide credentials, Alert Logic performs comprehensive authenticated vulnerability checks for missing patches and misconfigurations using package information and other local sources of data. For hosts on which Alert Logic performs agent-based scanning, you do not need to provide credentials. If you do not provide credentials or enable agent-based scanning, scans on your assets occur using only methods available to unauthenticated users.

To add your credentials:

  1. In the left panel, click Scan Credentials.
  2. In the list of assets, click the asset for which you want to add credentials, and then click the Credentials tab in the panel that opens.

    To filter the list, you can search for characters in your asset names.

  3. Click ADD CREDENTIAL, and then enter the required fields.
  4. Click SAVE.

The credential icon () appears in the list next to assets with credentials provided.

To delete a credential, click the asset that has credentials, click the Credentials tab in the panel that opens, and then click the X next to the name.

Scan Performance

For internal and external vulnerability scans, the maximum number of IPs scanned concurrently is ten by default.

You can choose fewer concurrent scans to reduce scan traffic. A lower number results in slower scans and a longer scan duration. For faster scans and a shorter scan duration, choose a higher number of concurrent scans. The number you choose is a maximum limit. The actual number of concurrent scans does not exceed the selected amount and depends on factors such as appliance resource availability and network bandwidth during the scan window.

To adjust scan performance:

  1. In the left panel, click Scan Performance.
  2. In the list of assets, click the region or network for which you want to adjust scan performance, and then click the Scan Settings tab in the panel that opens.
  3. In the Vulnerability area, enter a number from 1 (slower scans) through 20 (faster scans). The default is 10 maximum concurrent IPs scanned.
  4. Click SAVE to save your selections.

File Integrity Monitoring (FIM)

FIM allows you to monitor changes to files and directories of assets in your deployments. You can configure monitoring or exclusions for specific file paths or entire directories in your Windows and Linux systems.

FIM is composed of two subsections: Monitoring and Exclusions. On the Monitoring page, you can set up files and directories for monitoring from the default file types listed on the page. On the Exclusions page, you can exclude files and directories from monitoring, which overrides a previously configured file monitoring setup. For more information, see File Integrity Monitoring.

After creating FIM or exclusion setups, click NEXT.

Options

Configure Cross-Network Protection

You have the option to set up Cross-Network Protection to create connections across networks, in the same or different deployment, but within the same account. Cross-Network Protection allows other networks to use resources from a protecting network with an assigned network appliance. The common places for Cross-Network Protection use are Amazon Web Services (AWS) VPC Peering, AWS Transit Gateway, and Microsoft Azure VNet Peering.

A protecting network hosts the appliance. The network protected by the protecting network is the protected network. For more information on Cross-Network Protection, see Cross-Network Protection.

Only manual mode deployments have the Cross-Network Protection option.

To configure Cross-Network Protection:

  1. On the side navigation, click Options under Protection.
  2. On the Cross-Network Protection tab, click the network or region you want to protect in the topology diagram, or in the Search Assets field, search for the network or region you want to protect.
  3. Click the search field to search or type the name of a protecting network, and then select one.
  4. Click SAVE.

The protecting network and protected network are now visible in the topology diagram with distinguishing icons. The Cross-Network Protection Breakdown, on the top left of the topology graph, provides an overview of your Cross-Network Protection connections.

View protected networks

To view protected networks:

  1. Click the protecting network icon () to see the number of protected networks currently connected.
  2. Click the details icon () to see a slideout panel that contains protected network names.

View protecting networks

To view protecting networks, click the protected network icon ().

Configuration Topology

This topology diagram provides an overview of your scope of protection. You can see which assets are unprotected, or being scanned at the Essentials, Professional, or Enterprise levels.

The protection breakdown displays how many assets are unprotected, excluded, and protected, along with the number of protected assets in each level.

Deploy IDS appliances

Azure deployments require that you deploy an IDS appliance into each VNet you want to protect.

You must set up your RBAC role before you deploy the IDS appliance. If you do not set up your RBAC role, Alert Logic cannot claim the appliance. For more information about RBAC role configuration, see Configure App Registration and RBAC for Microsoft Azure Resources.

To deploy an Azure IDS appliance:

  1. Log into the Azure portal.
  2. From the Azure Dashboard, click All services, and then click Marketplace.
  3. In the Marketplace search bar, type Alert Logic, and then select Alert Logic MDR Professional BYOL.
  4. Click Create.
  5. On the Basics page, provide the following information:
    1. From the Subscription drop-down menu, select the appropriate Azure subscription.
    2. Under the Resource group drop-down menu, click Create new.
      Do not choose an existing resource group. If the appliance deployment is not successful, Azure will save the changes made to an existing resource group, and you will have to manually revert all changes.
    3. In the Virtual machine name field, type a name for the IDS appliance.
    4. From the Region drop-down menu, select the region where you want to create the IDS appliance.
    5. From the Availability options drop-down menu, select No infrastructure redundancy required.
    6. From the Image drop-down menu, keep the default selection.
    7. From the Size drop-down menu:
      • For a Professional subscription, select F4s_v2, which is the smallest fully supported IDS appliance size.
      • For high-throughput deployments, consider a larger instance size. For more information, see Requirements for Managed Detection and Response for Microsoft Azure.
        If you require additional capacity, Alert Logic recommends that you deploy another IDS appliance, which is less costly than a more powerful single appliance.
    8. For Authentication type, select Password.
    9. In the Username field, type a user name for the appliance.
    10. In the Password field, type a password for the appliance, and then type the password again to confirm the password.
      The user name and password are an Azure requirement to create and deploy the appliance. Alert Logic does not use these credentials or provide you with SSH access to the appliance.
    11. Click Next : Disks.
  6. On the Disks page, click Next : Networking.
  7. On the Networking page, provide the following information:
    1. From the Virtual network drop-down menu, select the VNet where you want to deploy the IDS appliance.
      When you created the resource group, you created a new VNet. Do not select the VNet created with the resource group.
    2. From the Subnet drop-down menu, select the subnet where you want to deploy the appliance.
    3. From the Public IP drop-down menu, select None.
    4. Keep the default settings for:
      • Configure network security group
      • Accelerated networking
      • Load balancing
  8. Click Next : Management.
  9. On the Management page, click Next : Advanced.
  10. On the Advanced page, click Next : Tags.
  11. On the Tags page, you can create tags, but they are not required.
  12. Click Review + create.
  13. Review your settings, make any necessary changes, and then click Create.
Deployment of the IDS appliance can take up to five minutes. After that, Alert Logic can take up to 35 minutes to auto-claim the appliance.

Install the Alert Logic agent

Alert Logic provides a single agent that collects data used for analysis, such as log messages and network traffic, metadata, and host identification information. Click the links below for more information and to download the appropriate agent:

Update the Alert Logic agent firewall rules

Ensure the proper outbound firewall rules are in place for the node where you installed the agent. For information about firewall rules, see Alert Logic firewall rules for the US or UK/EU.

Update the Alert Logic appliance firewall rules

If you used a Terraform template provided by Alert Logic for your appliance installation, you do not need to perform this step.

Ensure the proper inbound and outbound firewall rules are in place for the appliance. For information about firewall rules, see Alert Logic firewall rules for the US or UK/EU.

Log sources

If you have a Professional subscription, you can set up log collection. To add log sources for data you want to collect, see Log Sources.

Verify the health of your deployment

After you create your deployment, access the Health console in the Alert Logic console to determine the health of your networks, appliances, and agents, and then make any necessary changes.