Microsoft Azure Deployment Configuration

Alert Logic allows you to add Microsoft Azure deployments to the Alert Logic console. The Deployments page appears under the Configuration tab in the Alert Logic console. To add a deployment, click the add icon, and then enter the requested information to provide Alert Logic with third-party access to the specified cloud environment. For more information about adding deployments for other cloud environments, see Amazon Web Services (AWS) Deployment Configuration and Data Center Deployment Configuration.

Name your deployment

In the Deployment Name field, type a descriptive name for the deployment you want to create, and then click SAVE.

Allow access to Azure subscription

To protect your Azure deployment, you must set up an Azure RBAC role that allows Alert Logic to access your subscription. Scope the role assignment to the subscription you want Alert Logic to protect, not to a broader scope than you need. Fill out the required fields, and then click SAVE. If you need help, see Configure Role-Based Access Control (RBAC) for Microsoft Azure Resources.

Asset Discovery

Allow Alert Logic a moment to discover your assets. When discovery is complete, click CONTINUE. Alert Logic displays the assets discovered in your account in topology diagrams. To learn more about topology, click Topology.

Add external assets

You can add external assets by domain name or IP address.

External assets are also used for non-PCI external scans.

To add external assets:

  1. Click the Add icon, and then choose DNS name or IP address.
    • If you chose the DNS name, enter your fully-qualified domain name in the field.
    • If you chose IP address, name your external IP address, and then enter the IP address in the field.
  2. Click SAVE.

Scope of protection

Alert Logic discovers and organizes deployments into a visual topology where you can select the desired levels of protection for your assets.

You can define the scope of your protection per VNet or per region. Each VNet appears within its region. Click a region or an individual VNet to set its service level or leave it unprotected, and then click SAVE. You must choose one of the following levels of coverage:

  • Unprotected
  • Alert Logic Essentials coverage
  • Alert Logic Professional coverage
  • Alert Logic Enterprise coverage

Exclusions

You also have the option to exclude assets or Azure tags from external scanning, internal scanning, and Network IDS. Anything you exclude produces no scan results or IDS alerts, so keep exclusions as narrow as possible and review them when the environment changes.

External scanning

To exclude assets for external scanning:

  1. Select the External Scanning tab to view assets available to exclude.
  2. Click EXCLUDE for the asset you want to exclude.
    You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click CANCEL.
  3. After you apply your exclusions, close the Exclusions window.
  4. On the Scope of Protection page, click SAVE.

Internal scanning

To exclude assets or Azure tags for internal scanning:

  1. Select the Internal Scanning tab, and then click ASSETS or TAGS to search for assets or tags available to exclude.
  2. Click EXCLUDE for the asset or tag you want to exclude.
    You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click CANCEL.
  3. After you apply your exclusions, close the Exclusions window.
  4. On the Scope of Protection page, click SAVE.

Network IDS Whitelist

To whitelist assets from Network IDS:

  1. Select the Network IDS Whitelist tab to exclude CIDRs.
  2. In the Network(s) field, click the drop-down menu to select a network or leave All networks selected.
  3. In the Protocol(s) field, click the drop-down menu to select a protocol. Select TCP, UDP, or ICMP, or select * to select all IP protocols.
  4. Enter the range of network addresses you want to exclude, in CIDR notation.

    For example, enter 10.0.0.0/24 to exclude IP addresses in the range 10.0.0.0-10.0.0.255.

  5. Click the drop-down menu to select the port. You can enter a single port, a port range, or * to select all ports.

    For example, enter 443 for a single port, or 1:1024 for a port range.

  6. Click EXCLUDE AND ADD ANOTHER. Repeat the steps to add more CIDRs.
    You can remove a CIDR from the whitelist at any time to restore Network IDS inspection of that traffic. To remove an entry from the whitelist, click REMOVE.
  7. After you apply all the necessary exclusions, close the Exclusions window.
  8. On the Scope of Protection page, click SAVE.
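
Each whitelist entry combines a network, a protocol, a CIDR and a port spec, and traffic that matches any entry produces no IDS alerts, so it is worth checking what a set of entries actually silences before you save it. The following Python is an added example, not Alert Logic code and not an Alert Logic API: it models entries with the four fields the UI takes (the `WhitelistRule`, `audit` and `silenced_by` names, the field names, the sample entries and the sample flows are all this example's own constructions), reports which sample flows each entry would exclude, and flags entries broad enough to blind the IDS outright, such as 0.0.0.0/0 with all protocols and all ports.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port spec "*" in the whitelist UI means every port.
ALL_PORTS = (0, 65535)
PROTOCOLS = ("TCP", "UDP", "ICMP", "*")


def parse_ports(spec: str) -> tuple[int, int]:
    """Accept the three port forms the whitelist UI takes:
    '443' (single port), '1:1024' (range), '*' (all ports)."""
    spec = spec.strip()
    if spec == "*":
        return ALL_PORTS
    lo, _, hi = spec.partition(":")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return lo_i, hi_i


def cidr_range(cidr: str) -> str:
    """'10.0.0.0/24' -> '10.0.0.0-10.0.0.255' (what the entry actually covers)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net[0]}-{net[-1]}"


@dataclass(frozen=True)
class WhitelistRule:
    """One Network IDS Whitelist entry. Field names are this example's own."""
    network: str   # VNet name, or "*" for "All networks"
    protocol: str  # "TCP", "UDP", "ICMP" or "*"
    cidr: str      # must be a network address such as "10.0.0.0/24", not a host
    ports: str     # "443", "1:1024" or "*"

    def __post_init__(self) -> None:
        # strict=True rejects host addresses such as 10.0.0.1/24
        ipaddress.ip_network(self.cidr, strict=True)
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"bad protocol {self.protocol!r}")
        parse_ports(self.ports)

    def matches(self, network: str, ip: str, protocol: str, port: Optional[int]) -> bool:
        """True if traffic with this address/protocol/port would be excluded from IDS."""
        if self.network not in ("*", network):
            return False
        if self.protocol not in ("*", protocol):
            return False
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(self.cidr):
            return False
        if protocol == "ICMP":  # ICMP has no ports, so the port spec is irrelevant
            return True
        lo, hi = parse_ports(self.ports)
        return port is not None and lo <= port <= hi


def audit(rules: list[WhitelistRule]) -> dict[int, list[str]]:
    """Flag entries broad enough to blind the IDS rather than trim noise.
    The /16 threshold is this example's choice, not Alert Logic guidance."""
    findings: dict[int, list[str]] = {}
    for i, rule in enumerate(rules):
        net = ipaddress.ip_network(rule.cidr)
        reasons = []
        if net.prefixlen == 0:
            reasons.append("CIDR matches every address")
        elif net.prefixlen < 16:
            reasons.append(f"/{net.prefixlen} covers {net.num_addresses} addresses")
        if rule.protocol == "*" and parse_ports(rule.ports) == ALL_PORTS:
            reasons.append("all protocols and all ports")
        if reasons:
            findings[i] = reasons
    return findings


def silenced_by(rules, flows) -> list[list[int]]:
    """For each (network, ip, protocol, port) flow, the indices of the rules that exclude it."""
    return [[i for i, r in enumerate(rules) if r.matches(*flow)] for flow in flows]


# Constructed sample data for this example, not taken from any real deployment.
SAMPLE_RULES = [
    WhitelistRule("*", "TCP", "10.0.0.0/24", "443"),    # the values used in the steps above
    WhitelistRule("prod-vnet", "*", "0.0.0.0/0", "*"),  # silences all traffic in prod-vnet
    WhitelistRule("*", "UDP", "10.1.0.0/16", "1:1024"),
]
SAMPLE_FLOWS = [
    ("prod-vnet", "10.0.0.7", "TCP", 443),
    ("dev-vnet", "10.0.0.7", "TCP", 22),
    ("dev-vnet", "10.1.5.9", "UDP", 53),
    ("dev-vnet", "10.1.5.9", "ICMP", None),
]

if __name__ == "__main__":
    for i, reasons in audit(SAMPLE_RULES).items():
        print(f"rule {i} {SAMPLE_RULES[i]}: " + "; ".join(reasons))
    for flow, hits in zip(SAMPLE_FLOWS, silenced_by(SAMPLE_RULES, SAMPLE_FLOWS)):
        print(flow, "-> excluded by rules", hits or "none")
```

Run it as a script to print the report. The page does not say whether the CIDR is compared against the source or the destination address of a flow, so `matches` takes a single address and you decide which one to pass; the second sample rule is the pattern to look for in a review, because an all-networks, all-protocols, all-ports entry on a /0 is equivalent to switching Network IDS off for that network.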

Scheduling

Alert Logic automatically performs certain scans. You can schedule how often and when you want Alert Logic to scan for vulnerabilities from the Internal Scans and External Scans tabs.

Internal scans and External scans

To schedule how often you want Alert Logic to scan for vulnerabilities, choose one of the following options:

  • Scan as often as necessary—Select this option if you want Alert Logic to scan known assets for vulnerabilities once a day, and a second time in the same day if it detects significant changes to an asset.
  • Scan once a day
  • Scan once a week
  • Scan once a month

To schedule when you want Alert Logic to scan for vulnerabilities, choose one of the following options:

  • Scan whenever necessary—Select this option if you do not want to limit Alert Logic scans to particular days or times.
  • Scan only during certain hours on certain days
  • Scan only on a certain day

Click SAVE, and then click NEXT.

Options

Configure Cross-Network Protection

You have the option to set up Cross-Network Protection to create connections across networks in the same or a different deployment, but within the same account. Cross-Network Protection allows other networks to use resources from a protecting network that has an assigned network appliance.

A protecting network hosts the appliance. The network protected by the protecting network is the protected network. For more information on Cross-Network Protection, see Cross-Network Protection.

Only manual mode deployments have the Cross-Network Protection option.

To configure Cross-Network Protection:

  1. On the side navigation, click Options under Protection.
  2. On the Cross-Network Protection tab, click the network or region you want to protect in the topology diagram, or in the Search Assets field, search for the network or region you want to protect.
  3. Click the search field to search or type the name of a protecting network, and then select one.
  4. Click SAVE.

The protecting network and protected network are now visible in the topology diagram with distinguishing icons. The Cross-Network Protection Breakdown, on the top left of the topology graph, provides an overview of your Cross-Network Protection connections.

View protected networks

To view protected networks:

  1. Click the protecting network icon to see the number of protected networks currently connected.
  2. Click the details icon to see a slideout panel that contains the protected network names.

View protecting networks

To view protecting networks, click the protected network icon.

Configuration Topology

This topology diagram provides an overview of your scope of protection. You can see which assets are unprotected, or being scanned at the Essentials, Professional, or Enterprise levels.

The protection breakdown displays how many assets are unprotected, excluded, and protected, along with the number of protected assets in each level.

Deploy IDS appliances

Azure deployments require that you deploy an IDS appliance into each VNet you want to protect.

You must set up your RBAC role before you deploy the IDS appliance. If you do not set up your RBAC role, Alert Logic cannot claim the appliance. For more information about RBAC role configuration, see Configure Role-Based Access Control (RBAC) for Microsoft Azure Resources.

To deploy an Azure IDS appliance:

  1. Log into the Azure portal.
  2. From the Azure Dashboard, click All services, and then click Marketplace.
  3. In the Marketplace search bar, type Alert Logic, and then select one of the following:
    • Alert Logic Professional BYOL
    • Alert Logic Enterprise BYOL
    If you are an Alert Logic Essentials customer, select Alert Logic Professional BYOL.
  4. Click Create.
  5. On the Basics page, provide the following information:
    1. From the Subscription drop-down menu, select the appropriate Azure subscription.
    2. Under the Resource group drop-down menu, click Create new.
      Do not choose an existing resource group. If the appliance deployment is not successful, Azure keeps the changes made to an existing resource group, and you will have to revert them manually.
    3. In the Virtual machine name field, type a name for the IDS appliance.
    4. From the Region drop-down menu, select the region where you want to create the IDS appliance.
    5. From the Availability options drop-down menu, select No infrastructure redundancy required.
    6. From the Image drop-down menu, keep the default selection.
    7. From the Size drop-down menu you can:
      • Keep the default.
      • For an Essentials subscription, select A2_v2.
      • For a Professional subscription, select A4_v2, which is the smallest fully supported IDS appliance size.
      • For a Professional or Enterprise subscription with many hosts with agents, select A8_v2.
        If you require additional capacity, Alert Logic recommends that you deploy another IDS appliance, which is less costly than a single more powerful appliance.
    8. For Authentication type, select Password.
    9. In the Username field, type a user name for the appliance.
    10. In the Password field, type a password for the appliance, and then type the password again to confirm it.
      The user name and password are an Azure requirement to create and deploy the appliance. Alert Logic does not use these credentials or provide you with SSH access to the appliance. The account still exists on a VM that you give a public IP address in a later step, so use a strong, unique password and store it as you would any other privileged credential.
    11. Click Next : Disks.
  6. On the Disks page, click Next : Networking.
  7. On the Networking page, provide the following information:
    1. From the Virtual network drop-down menu, select the VNet where you want to deploy the IDS appliance.
      Because you created a new resource group, the portal also offers to create a new VNet with it. Do not select that VNet; select the existing VNet you want to protect.
    2. From the Subnet drop-down menu, select the subnet where you want to deploy the appliance.
    3. From the Public IP drop-down menu, select the public IP address you want to use, or create a new public IP if needed. If you create a new public IP, you can keep the defaults.
    4. Keep the default settings for:
      • Configure network security group
      • Accelerated networking
      • Load balancing
  8. Click Next : Management.
  9. On the Management page, click Next : Advanced.
  10. On the Advanced page, click Next : Tags.
  11. On the Tags page, you can create tags, but they are not required.
  12. Click Review + create.
  13. Review your settings, make any necessary changes, and then click Create.

Deployment of the IDS appliance can take up to five minutes. Alert Logic can then take up to 35 minutes to auto-claim the appliance.

Installation instructions

Agents

Alert Logic provides a single agent that collects data used for analysis, such as log messages and network traffic, metadata, and host identification information. Click the links below for more information and to download the appropriate agent:

Log sources

If you have a Professional subscription, you can set up log collection. To add log sources for data you want to collect, see Log Sources.

Verify the health of your deployment

After you create your deployment, access the Health console in the Alert Logic console to determine the health of your networks, appliances, and agents, and then make any necessary changes.