Deployment Assets: Protected Hosts

A host maps directly to an agent installed in your environment. When you create a protected host, you assign an assignment policy and a protected host policy to the host, which communicates Network IDS instructions to the agent. Policies applied to a protected host dictate how the agent running on the host interacts with its network environment. If you do not see an option to create a protected host, the host is offline. For more information about hosts, see Deployment Assets: Hosts.

Protected hosts appear on the table, sorted by host name. To narrow the list of protected hosts, you can use the search field to search for a specific protected host name or tag, or you can use the filters to list protected hosts with the following characteristics:

  • Source Status
    • Hosts in Offline state
    • Hosts in Warning state
    • Hosts in Error state
    • Hosts in New state
    • Hosts in OK state
  • Source Collection Method
    • Agent
    • Discovered
  • Tags

Create and modify protected hosts

Under most circumstances, Alert Logic automatically creates protected hosts when you install an agent, and those hosts automatically receive the default protected host policy. Some protected hosts also automatically receive an assignment policy. If a protected host is not automatically created after agent installation, or if a protected host was deleted but needs to be added again, you can manually add a host as a protected host.

You can create a protected host only from the Hosts page. You can edit a protected host only from the Protected Hosts page.

When you create a protected host, you assign an assignment policy and a protected host policy to the host, which communicates Network IDS instructions to the agent.

An assignment policy is a set of rules that indicates the traffic that appliances should either accept or ignore. An assignment policy directs protected hosts to encrypt traffic and send traffic to specific appliances. In a dynamic environment where IP addresses often change, an assignment policy ensures that hosts always correspond to their appliances.

To create a protected host:

  1. On the Hosts page, find a host you want to add as a protected host.
  2. Under the Actions column, click the plus icon, and then click Add as Protected Host.
  3. In the New Protected Host slideout panel, provide the appropriate values. Use the table below for guidance.
  4. Click SAVE.

To modify a protected host:

  1. On the left navigation menu of the selected deployment, click Networks and Protected Hosts.
  2. Click Protected Hosts.
  3. In the list of protected hosts, select the protected host you want to update, and then click the pencil icon.
  4. In the slideout panel, make the appropriate changes. Use the table below for guidance.
  5. Click SAVE.

| Field/Option | Description | Sample Value | Visible |
|---|---|---|---|
| Source Name | Name of this source. It will show on the display list and other areas of this product. | Server-tmdocs | Always |
| Use an existing Assignment Policy | Select this option to choose a policy from the existing Assignment Policy list. | Not applicable | Always |
| Create a new Assignment Policy | Select this option to open the Create a new Assignment Policy section. | Not applicable | Always |
| Existing Assignment Policy list | Select a policy from this list to assign it to the protected host. | cali-ngtm-01 Assignment | Visible when Use an existing Assignment Policy is selected. |

Create new Assignment Policy mini-form

Visible when you select Create new Assignment Policy

| Field/Option | Description | Sample Value | Visible |
|---|---|---|---|
| Appliance Assignment Policy Name | Policy name. This name will be added to the Existing Assignment Policy list. | cali-ngtm-01 Assignment | Visible when Create a new Assignment Policy is selected. |
| Appliances/Secondary Appliances | An appliance on your network. | i-27273bcb | Visible when Create a new Assignment Policy is selected. |
| Restrict Network | Select this option if you want to include a netmask. | Not applicable | Visible when Create a new Assignment Policy is selected. |
| Netmask | One CIDR address. | 10.0.0.0/16; partial address specifications are not acceptable. | Visible when Create a new Assignment Policy is selected. |
| Use existing Whitelist Policies | Select this option to choose a policy from the Existing Whitelist Policy list. | Not applicable | Visible when Create a new Assignment Policy is selected. |
| Create a new Whitelist Policy | Select this option to open the Create a new Whitelist Policy section. | Not applicable | Visible when Create a new Assignment Policy is selected. |
| Existing Whitelist Policy list | Select a policy from this list to assign it to the protected host. | SF01183529 Pentest | Visible when Create a new Assignment Policy and Use existing Whitelist Policies is selected. |

Create new Whitelist Policy mini-form

Visible when you select Create new Assignment Policy and Create a new Whitelist Policy

| Field/Option | Description | Sample Value | Visible |
|---|---|---|---|
| Name | Policy name. This name will be added to the Existing Whitelist Policy list. | SF01183529 Pentest | Visible when you select Create new Assignment Policy and Create a new Whitelist Policy. |
| Enabled | Select this option to activate the policy. | Not applicable | Visible when you select Create new Assignment Policy and Create a new Whitelist Policy. |
| Rules | Click to add rules to the Whitelist Policy. This includes Protocol, CIDR, and Port. | Not applicable | Visible when you select Create new Assignment Policy and Create a new Whitelist Policy. |
| Protocol | Select the internet protocol for the current rule. | tcp | Visible when you select Create new Assignment Policy and Create a new Whitelist Policy. |
| CIDR | Type the Classless Inter-Domain Routing address for the current rule. | 10.0.0.0/16 | Visible when you select Create new Assignment Policy and Create a new Whitelist Policy. |
| Port | Type the port for the current rule. | 22 | Visible when you select Create new Assignment Policy and Create a new Whitelist Policy. |
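
The Netmask and whitelist rule fields above take one complete CIDR address, a protocol, and a port. The following is an added example, not Alert Logic code, for checking a planned rule list before you type it into the form; the `check_rule` name, the protocol set, and the breadth threshold are assumptions made for illustration.

```python
import ipaddress

# Assumptions (not from the product): the page's sample shows only "tcp", so
# "udp" is an assumed second option; MIN_PREFIX is a local review threshold.
ASSUMED_PROTOCOLS = {"tcp", "udp"}
MIN_PREFIX = 16  # the page's sample is 10.0.0.0/16; flag anything broader


def check_rule(protocol, cidr, port):
    """Return the problems found in one planned rule (empty list means OK)."""
    problems = []
    if str(protocol).lower() not in ASSUMED_PROTOCOLS:
        problems.append(f"unexpected protocol {protocol!r}")

    if "/" not in str(cidr):
        # ip_network() would silently treat a bare address as a /32.
        problems.append(f"{cidr!r} has no prefix length")
    else:
        try:
            # strict=True rejects addresses with host bits set, e.g. 10.0.0.5/16.
            net = ipaddress.ip_network(str(cidr), strict=True)
            if net.prefixlen < MIN_PREFIX:
                problems.append(f"{cidr!r} is broader than /{MIN_PREFIX}; review")
        except ValueError as exc:
            problems.append(f"{cidr!r} is not a complete CIDR address: {exc}")

    if not (str(port).isdecimal() and 1 <= int(port) <= 65535):
        problems.append(f"port {port!r} is not in 1-65535")
    return problems


if __name__ == "__main__":
    planned = [  # constructed sample rules
        ("tcp", "10.0.0.0/16", 22),
        ("tcp", "10.0/16", 22),
        ("tcp", "10.0.0.5/16", 22),
        ("tcp", "0.0.0.0/0", 70000),
    ]
    for rule in planned:
        print(rule, check_rule(*rule) or "ok")
```
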

| Field/Option | Description | Sample Value | Visible |
|---|---|---|---|
| Use existing Host Policies | Select this option to choose a policy from the Existing Host Policy list. | Not applicable | Always |
| Create new Host Policy | Select this option to open the Create a new Host Policy section. | Not applicable | Always |
| Existing Host Policy list | Select a policy from this list to assign it to the protected host. | Default-test | Visible when Use existing Host Policies is selected. |

Create new Host Policy mini-form

Visible when you select Create new Host Policy

| Field/Option | Description | Sample Value | Visible |
|---|---|---|---|
| Name | Policy name. This name will be added to the Existing Host Policy list. | Default-test | Visible when you select Create new Host Policy. |
| Encrypt | Select this option to encrypt traffic from the agent to the appliance. | Not applicable | Visible when you select Create new Host Policy. |
| Tags | A tag is a customer-defined identifier that can be assigned to one or more sources. A customer can use tags to organize or search for specific types of sources. | High usage | Always |

Mass edit protected hosts

The mass edit feature allows you to perform the same edits on one or more protected hosts.

To mass edit protected hosts:

  1. On the Protected Hosts page, click the gear icon.
  2. Select Mass Edit.
  3. Make the following changes if applicable:
    1. Specify the hosts to which you want to apply changes:
      • All hosts
      • Only filtered hosts
    2. Specify an appliance assignment policy.
    3. Select which, if any, host policy setting to change.
    4. Determine whether you want to replace collection alerts.
    5. Specify one of the following tag settings:
      • Do not change tag settings
      • Append additional Tags: Type tags you want added to the networks.
      • Replace existing Tags: Type tags you want to replace those associated with the networks.
      • Remove specific Tags: Type the tags you no longer want associated with the networks.
      • Remove all Tags
  4. Select whether to delete the selected hosts.

     You cannot undo this action.

  5. Click Apply.

Export protected hosts

Alert Logic allows you to export a list of your protected hosts to a file. You can choose one of the following formats for the exported file:

  • Comma separated values (.csv)
  • Tab delimited values (.txt)
  • Microsoft Excel 1997–2003 (.xls)
  • Microsoft Excel 2007 (.xlsx)

To export protected hosts:

  1. On the Protected Hosts page, click the gear icon.
  2. Select Export.
  3. Specify whether your exported list contains:
    • All Hosts
    • Only Filtered Hosts
  4. Select a file format for the exported file.
    • Comma separated values (.csv)
    • Tab delimited values (.txt)
    • Microsoft Excel 1997–2003 (.xls)
    • Microsoft Excel 2007 (.xlsx)
  5. Click EXPORT.

Archive and restore protected hosts

To safeguard against permanent loss of data, Alert Logic provides the archive and unarchive features. To archive a threat host, you must delete all protected hosts data streams associated with the threat host.

To archive a host:

  1. Find the desired host in the Protected Hosts list.
  2. Click the archive icon.
  3. Click ARCHIVE.

To restore an archived host:

  1. Above the Protected Hosts list, click the Show Archive slider.
  2. In the Protected Hosts list, find the host you want to restore, and then click the archive icon.
  3. Click UNARCHIVE.

Delete a protected host

Threat Manager allows you to remove existing protected hosts.

To delete a protected host:

  1. At the top of the Alert Logic console, from the drop-down menu, click Threat Manager.
  2. In the left navigation area, under Detection, click Protected Hosts.
  3. In the table of protected hosts, select the protected host you want to delete, and then click the trash icon.
  4. Click Delete.