Data Center Deployment Configuration (Professional Subscription)

Alert Logic allows you to add deployments to the Alert Logic console. You can access the Deployments page from the Configure menu item in the Alert Logic console. To add a Data Center deployment, click the add icon, and then click Data Center.

Name your deployment

In the Deployment Name field, type a descriptive name for the deployment you want to create, and then click SAVE AND CONTINUE.

Add assets

Add your assets by network, subnet, domain name, or IP address to be scanned.

To add a network:

  1. In the Networks tab, click the add icon, and then select Network.
  2. Type a name for the network, add the Private CIDR(s) and the Public CIDR(s) for each subnet.

    Alert Logic recommends that you add several /24 or smaller subnets rather than a single large block (a /16 or larger), because the smaller subnets let Alert Logic discover and scan your assets faster.

  3. If your network equipment is configured for SPAN or another port mirroring feature, select Do not use agents for IDS traffic. My network automatically forwards traffic to my appliances through a port mirroring feature. A SPAN-configured network forwards your Network IDS traffic directly to the Alert Logic appliances, which allows Alert Logic to analyze that traffic instead of collecting it with agents.
  4. Click SAVE.
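
As an added example that is not part of Alert Logic's documentation or product, the Python script below models the subnet recommendation above. It checks the CIDRs you are about to type into the Private CIDR(s) and Public CIDR(s) fields, flags entries that sit in the wrong field or have host bits set, and splits a /16 into the /24 blocks to add in its place. The sample CIDRs, the use of the RFC 1918 ranges to decide what counts as private, and the rule that anything broader than /16 is reported rather than auto-split are this example's assumptions.

```python
import ipaddress

# Assumption of this example: "private" means an RFC 1918 range.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RECOMMENDED_PREFIX = 24   # the page recommends /24 or smaller subnets
BROADEST_TO_SPLIT = 16    # assumption: broader than /16 is flagged, not auto-split


def is_rfc1918(net):
    """True if the whole network lies inside one of the RFC 1918 ranges."""
    return any(net.subnet_of(r) for r in RFC1918)


def split_subnets(net, new_prefix=RECOMMENDED_PREFIX):
    """Return the /new_prefix blocks covering net; a net already that small is returned as-is."""
    if net.prefixlen >= new_prefix:
        return [net]
    return list(net.subnets(new_prefix=new_prefix))


def plan_network_entries(private_cidrs, public_cidrs):
    """Validate the intended field contents and return the entries to add plus problems to fix first."""
    plan = {"private": [], "public": [], "problems": []}
    for field, cidrs in (("private", private_cidrs), ("public", public_cidrs)):
        for raw in cidrs:
            try:
                # strict=True rejects a host address such as 192.168.1.5/24
                net = ipaddress.ip_network(raw, strict=True)
            except ValueError as exc:
                plan["problems"].append(f"{field}: {raw!r} is not a valid CIDR ({exc})")
                continue
            if net.version != 4:
                plan["problems"].append(f"{field}: {net} is IPv6; this example only handles IPv4")
                continue
            if field == "private" and not is_rfc1918(net):
                plan["problems"].append(f"private: {net} is not an RFC 1918 range")
                continue
            if field == "public" and is_rfc1918(net):
                plan["problems"].append(f"public: {net} is an RFC 1918 range; move it to Private CIDR(s)")
                continue
            if net.prefixlen < BROADEST_TO_SPLIT:
                plan["problems"].append(f"{field}: {net} is broader than /{BROADEST_TO_SPLIT}; list only the ranges in use")
                continue
            plan[field].extend(str(s) for s in split_subnets(net))
    return plan


# Constructed sample input (not from the page): what an operator might be about to enter.
SAMPLE_PRIVATE = ["10.20.0.0/16", "192.168.10.0/24", "172.16.5.0/24", "192.168.1.5/24"]
SAMPLE_PUBLIC = ["203.0.113.0/25", "10.0.0.0/8"]   # the /8 is a deliberate mistake

if __name__ == "__main__":
    result = plan_network_entries(SAMPLE_PRIVATE, SAMPLE_PUBLIC)
    print(f"{len(result['private'])} private entries, {len(result['public'])} public entries")
    for problem in result["problems"]:
        print("fix first:", problem)
```

The /16 in the sample becomes 256 separate /24 entries, the host address and the misfiled /8 are reported instead of being added, and the /25 passes through unchanged because it is already smaller than a /24.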

To add a subnet:

  1. In the Networks tab, click the add icon, and then select Subnet.
  2. Name the subnet, select the network, add the Private CIDR, and then click SAVE.

To add a domain name:

  1. In the DNS Names and Public IPs tab, click the add icon, and then select DNS Name.
  2. Add the domain name, and then click SAVE.

To add an IP address:

  1. In the DNS Names and Public IPs tab, click the add icon, and then select Public IP.
  2. Name the IP address, add the CIDR, and then click SAVE.

When you are finished, click NEXT.

Scope of protection

Alert Logic discovers and organizes deployments into a visual topology where you can select the desired levels of protection for your assets.

You can define the scope of your protection per network or per region. Each network appears within its protected region. Click a region or individual network to set the service level or leave it unprotected, and then click SAVE. You must choose one of the following levels of coverage:

  • Unprotected
  • Alert Logic Essentials coverage
  • Alert Logic Professional coverage
  • Alert Logic Enterprise coverage

The choices available for scope of protection correspond directly with your entitlement. Although a Professional subscription includes all the features of Essentials, a Professional customer cannot set the protection scope to Essentials unless the account has a separate Essentials subscription.

You can change the protection level later as needed.

Exclusions

You also have the option to exclude assets or tags from external scanning, internal scanning, and Network IDS.

External scanning

To exclude assets from external scanning:

  1. Click EXCLUSIONS.
  2. Select the External Scanning tab to view assets available to exclude.
  3. Click EXCLUDE for the asset you want to exclude.
    You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click CANCEL.
  4. After you apply your exclusions, close the Exclusions window.
  5. On the Scope of Protection page, click SAVE.
If you exclude assets that are selected in the Scope tab in an existing scan schedule, the assets remain selected but will no longer be scanned.

Internal scanning

To exclude assets or tags for internal scanning:

  1. Click EXCLUSIONS.
  2. Select the Internal Scanning tab, and then click ASSETS or TAGS to search for assets or tags available to exclude.
  3. Click EXCLUDE for the asset or tag you want to exclude.
    You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click CANCEL.
  4. After you apply all the necessary exclusions, close the Exclusions window.
  5. On the Scope of Protection page, click SAVE.
If you exclude assets that are selected in the Scope tab in an existing scan schedule, the assets remain selected but will no longer be scanned.

Network IDS Whitelist

To whitelist assets from Network IDS:

  1. Click EXCLUSIONS.
  2. Select the Network IDS Whitelist tab to exclude CIDRs.
  3. In the Network(s) field, click the drop-down menu to select a network or leave All networks selected.
  4. In the Protocol(s) field, click the drop-down menu to select a protocol. Select TCP, UDP, or ICMP, or select * to select all IP protocols.
  5. Enter the network address you want to exclude. You must enter the address range in CIDR format.

    Enter 10.0.0.0/24 to exclude IP addresses in the range 10.0.0.0-10.0.0.255.

  6. Click the drop-down menu to select the port. You can enter a single port, a port range, or * to select all ports.

    Enter 443 for a single port. Enter 1:1024 for a port range.

  7. Click EXCLUDE AND ADD ANOTHER. Repeat the steps to add more CIDRs.
    You can remove an entry from the whitelist at any time so that its traffic is analyzed by Network IDS again. To remove an entry, click REMOVE. Whitelisted traffic is not inspected, so keep each entry as narrow as the use case allows (a specific network, protocol, and port rather than *).
  8. After you apply all the necessary exclusions, close the Exclusions window.
  9. On the Scope of Protection page, click SAVE.
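
As an added example that is not part of Alert Logic's documentation or product, the Python script below models the whitelist entries described above. It parses the CIDR, protocol, and port notation the page uses (443, 1:1024, *), prints the address range an entry covers, and then runs a handful of constructed flows through the entries so you can see which traffic the whitelist would keep out of Network IDS analysis. The rule that an entry matches when either endpoint is inside the CIDR, the use of the destination port, and the sample entries and flows are this example's assumptions, not a description of how the appliance matches traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTOCOLS = ("TCP", "UDP", "ICMP", "*")


@dataclass(frozen=True)
class WhitelistEntry:
    cidr: ipaddress.IPv4Network
    protocol: str                       # TCP, UDP, ICMP or * (all IP protocols)
    ports: Optional[Tuple[int, int]]    # (low, high) inclusive, or None for *


def parse_ports(spec: str) -> Optional[Tuple[int, int]]:
    """'443' -> (443, 443); '1:1024' -> (1, 1024); '*' -> None."""
    if spec == "*":
        return None
    low, _, high = spec.partition(":")
    low_i = int(low)
    high_i = int(high) if high else low_i
    if not 0 <= low_i <= high_i <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return (low_i, high_i)


def parse_entry(cidr: str, protocol: str, ports: str) -> WhitelistEntry:
    """Build one whitelist entry; strict=True insists on a network address, not a host."""
    net = ipaddress.ip_network(cidr, strict=True)
    proto = protocol.upper()
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {protocol!r}")
    return WhitelistEntry(net, proto, parse_ports(ports))


def address_range(entry: WhitelistEntry) -> str:
    """10.0.0.0/24 -> '10.0.0.0-10.0.0.255', the range the page describes."""
    return f"{entry.cidr.network_address}-{entry.cidr.broadcast_address}"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    dst_port: Optional[int]   # None for ICMP


def is_whitelisted(flow: Flow, entries: List[WhitelistEntry]) -> bool:
    """Assumption of this model: an entry matches when either endpoint is in its CIDR
    and the protocol and destination port fit. Matching traffic is not inspected."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for e in entries:
        if src not in e.cidr and dst not in e.cidr:
            continue
        if e.protocol != "*" and e.protocol != flow.protocol.upper():
            continue
        if e.ports is not None and (flow.dst_port is None or not e.ports[0] <= flow.dst_port <= e.ports[1]):
            continue
        return True
    return False


def partition(flows: List[Flow], entries: List[WhitelistEntry]):
    """Split flows into (hidden from IDS, inspected) so the blind spot is visible."""
    hidden = [f for f in flows if is_whitelisted(f, entries)]
    inspected = [f for f in flows if not is_whitelisted(f, entries)]
    return hidden, inspected


# Constructed sample data (not from the page).
ENTRIES = [
    parse_entry("10.0.0.0/24", "TCP", "443"),
    parse_entry("10.0.0.0/24", "UDP", "1:1024"),
    parse_entry("192.168.50.10/32", "*", "*"),   # broad: every protocol and port for this host
]
FLOWS = [
    Flow("10.0.0.5", "198.51.100.7", "TCP", 443),     # hidden by entry 1
    Flow("10.0.0.5", "198.51.100.7", "TCP", 8443),    # inspected: port outside entry 1
    Flow("203.0.113.9", "10.0.0.77", "UDP", 53),      # hidden by entry 2
    Flow("10.0.0.77", "203.0.113.9", "UDP", 5000),    # inspected: port outside 1:1024
    Flow("192.168.50.10", "10.9.9.9", "ICMP", None),  # hidden by the * entry
    Flow("10.9.9.9", "10.0.0.3", "ICMP", None),       # inspected: entries 1 and 2 are TCP/UDP only
]

if __name__ == "__main__":
    for e in ENTRIES:
        print(f"{e.cidr} {e.protocol} {e.ports or '*'} covers {address_range(e)}")
    hidden, inspected = partition(FLOWS, ENTRIES)
    print(f"{len(hidden)} flows hidden from Network IDS, {len(inspected)} inspected")
```

The third entry is the kind to look at twice: with * for both protocol and port, nothing that host sends or receives is inspected, which is the blind spot the narrow-entry caveat above is about.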

Scan Schedules

Alert Logic performs scans to protect your deployment. When you create a new Data Center deployment, Alert Logic automatically creates a default discovery scan schedule to find new assets, and it creates default scan schedules to perform external and internal vulnerability scans on all non-excluded assets. You can also schedule when you want to perform specific scans for all or selected assets from the Discovery Scanning, Internal Scanning, and External Scanning tabs. For more information, see Manage Scan Schedules.

After reviewing the schedules and making any changes, click NEXT.

File integrity monitoring

File Integrity Monitoring allows you to monitor changes to files and directories of assets in your deployments. You can configure monitoring or exclusions for specific file paths or entire directories in your Windows and Linux systems.

File Integrity Monitoring is composed of two subsections: Monitoring and Exclusions. On the Monitoring page, you can set up files and directories for monitoring from the default file types listed on the page. On the Exclusions page, you can exclude files and directories from monitoring; an exclusion overrides any previously configured monitoring setup that covers the same path. For more information, see File Integrity Monitoring.

After creating file integrity monitoring or exclusion setups, click NEXT.
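
As an added example that is not part of Alert Logic's documentation or agent, the Python script below models the two subsections described above: a monitoring list of paths and directories, an exclusion list that overrides it, and a baseline-then-compare pass that reports added, removed, and modified files. The matching rules (a directory prefix or a glob on the relative path), the constructed file tree built in a temporary directory, and the changes made to it are this example's assumptions.

```python
import hashlib
import os
import tempfile
from fnmatch import fnmatch


def _under(relpath, rule):
    """True if relpath is the rule itself, lies below a directory rule, or matches a glob rule."""
    rule = rule.rstrip("/")
    return relpath == rule or relpath.startswith(rule + "/") or fnmatch(relpath, rule)


def is_monitored(relpath, monitor, exclude):
    """Exclusions win over monitoring rules, as the page describes."""
    if any(_under(relpath, e) for e in exclude):
        return False
    return any(_under(relpath, m) for m in monitor)


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, monitor, exclude):
    """Hash every monitored file below root, keyed by its slash-separated relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if is_monitored(rel, monitor, exclude):
                baseline[rel] = _sha256(full)
    return baseline


def diff(before, after):
    """Report what changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def _write(root, rel, text):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


# Assumed policy: monitor /etc and /usr/bin, but never the SSH host keys or the log directory.
MONITOR = ["etc/", "usr/bin/"]
EXCLUDE = ["etc/ssh/ssh_host_*", "var/log/"]   # the exclusion wins even inside a monitored directory


def demo():
    """Build a constructed tree, take a baseline, change it, and return the resulting diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n")
        _write(root, "etc/ssh/ssh_host_rsa_key", "KEY-V1\n")
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "usr/bin/tool", "#!/bin/sh\necho ok\n")
        _write(root, "var/log/syslog", "boot\n")
        before = snapshot(root, MONITOR, EXCLUDE)

        _write(root, "etc/ssh/sshd_config", "PermitRootLogin yes\n")     # monitored: reported
        _write(root, "etc/ssh/ssh_host_rsa_key", "KEY-V2\n")             # excluded: not reported
        _write(root, "etc/cron.d/backdoor", "* * * * * root /tmp/x\n")   # new file under etc/: reported
        _write(root, "var/log/syslog", "boot\nlogin\n")                  # never monitored
        after = snapshot(root, MONITOR, EXCLUDE)
        return diff(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The rewritten host key never shows up because the exclusion covers it even though it sits under a monitored directory; that is exactly the override behaviour to keep in mind when you add an exclusion, since anything it matches becomes invisible to the comparison.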

Options

Configure Cross-Network Protection

You have the option to set up Cross-Network Protection to create connections across networks, in the same or different deployment, but within the same account. Cross-Network Protection allows other networks to use resources from a protecting network with an assigned network appliance. Cross-Network Protection is commonly used with Amazon Web Services (AWS) VPC Peering, AWS Transit Gateway, and Microsoft Azure VNet Peering.

A protecting network hosts the appliance. The network protected by the protecting network is the protected network. For more information on Cross-Network Protection, see Cross-Network Protection.

To configure Cross-Network Protection:

  1. On the side navigation, click Options under Protection.
  2. On the Cross-Network Protection tab, click the network or region you want to protect in the topology diagram, or in the Search Assets field, search for the network or region you want to protect.
  3. Click the search field to search or type the name of a protecting network, and then select one.
  4. Click SAVE.

The protecting network and protected network are now visible in the topology diagram with distinguishing icons. The Cross-Network Protection Breakdown, on the top left of the topology graph, provides an overview of your Cross-Network Protection connections.

View protected networks

To view protected networks:

  1. Click the protecting network icon to see the number of protected networks currently connected.
  2. Click the details icon to see a slideout panel that contains protected network names.

View protecting networks

To view protecting networks, click the protected network icon.

Configuration Topology

This topology diagram provides an overview of your scope of protection. You can see which assets are unprotected, or being scanned at the Essentials, Professional, or Enterprise levels.

The protection breakdown displays how many assets are unprotected, excluded, and protected, along with the number of protected assets in each level.

You can search for specific assets. The protection breakdown updates to reflect only the assets matched by your search.

Installation Instructions

Agent

Alert Logic provides a single agent that collects data used for analysis, such as log messages and network traffic, metadata, and host identification information. Click the links below for more information and to download the appropriate agent:

Appliances

You must assign appliances to your networks. Use the Unique Registration Key to assign one or more appliances to each network. For more information, see Install and Configure the Physical Appliance or Install and Configure the Virtual Appliance.

Configure log sources

If you have a Professional subscription, you can set up log collection. To add log sources for data you want to collect, see Log Sources.

Verify the health of your deployment

After you create your deployment, access the Health console in the Alert Logic console to determine the health of your networks, appliances, and agents, and then make any necessary changes.