An Alert Logic deployment allows you to specify the assets—such as appliances, agents, hosts, and collectors—in your environments to monitor and protect. You must create a deployment, regardless of your subscription level, or your assets will not be monitored or protected. You can create deployments for assets found in your Amazon Web Services (AWS) and Microsoft Azure cloud platforms, and from other cloud-based or physical data centers.
Alert Logic discovers and organizes deployment assets into a visual topology, where you select the desired level of protection for each asset based on your Alert Logic subscription level. Choose one of the following levels of coverage for each asset:
- Alert Logic MDR Essentials coverage
- Alert Logic MDR Professional coverage (if you have a Professional or Enterprise subscription)
When you create a deployment, the Alert Logic console prompts you through the following steps:
- Configure third-party access to cloud-based assets (AWS and Azure deployments only)
- Discover assets (AWS and Azure deployments)
- Add assets (Data Center deployments)
- Define the scope of your protection
- Configure Alert Logic services
  - Network IDS
  - Agent-based scanning
  - Vulnerability scanning
  - File Integrity Monitoring (FIM)
- Review configuration topology
- Install appliances
- Set up log sources and remote collectors
This is the general workflow for all deployments. For more detailed information and deployment creation instructions, see:
When you create an AWS or Azure deployment, you must grant Alert Logic access to your cloud environments for asset discovery and scanning. The access you grant is limited to what Alert Logic requires to monitor the assets in your cloud environments.
After you grant Alert Logic access to your cloud account or subscription, Alert Logic automatically discovers the internal assets in that account or subscription and displays them in a visual topology diagram. To learn more about topology, see Topology.
You can add external assets by domain name or IP address.
Add assets (Data Center Deployments)
For Data Center deployments, add internal assets by CIDR range and external assets by domain name or IP address. A default discovery scan that runs at least weekly detects new assets or asset changes in your internal networks. You can create additional discovery scan schedules to scan specific networks more frequently.
You can define the scope of your protection on a per-network basis. Each network appears within its protected region. Click a region or an individual network to set the scan level or leave it unprotected. Later in the deployment configuration, you can select assets and ports to exclude from Network IDS and vulnerability scans.
Configure Network IDS
If you have a Professional subscription, Network IDS monitors network traffic and triggers incidents when it detects suspicious activity or threats on networks. You can exclude networks and CIDRs from Network IDS.
Configure agent-based scanning
You have the option to enable agent-based scanning. Agent-based scanning improves the efficiency, accuracy, and usability of Alert Logic vulnerability scanning features. Agent-based scanning provides the vulnerability assessment coverage of authenticated network scanning without the need to manage credentials and with a reduction in network traffic and impact. To learn more about agent-based scanning, see Agent-Based Scanning.
Configure vulnerability scanning
Alert Logic performs vulnerability scans on all non-excluded assets in your deployment scope of protection. You can schedule when and how often you want Alert Logic to perform agent-based scans (if enabled), internal network scans, and external network scans for vulnerabilities. You can also configure:
- Scan Exclusions—You can select assets to exclude from each type of vulnerability scan and ports to exclude from internal and external network scans.
- Scan Credentials—For assets not protected with agent-based scanning, Alert Logic recommends that you add credentials to achieve more comprehensive internal network vulnerability scans.
- Scan Performance—You can adjust the number of concurrent scans to either reduce scan traffic or achieve faster scans.
If you have a Professional subscription, FIM allows you to monitor changes to files and directories of assets in your deployments. You can configure monitoring or exclusions for specific file paths or entire directories in your Windows and Linux systems. For more information, see File Integrity Monitoring.
The topology diagram provides an overview of your scope of protection. You can see which assets are unprotected, or are scanned at the Essentials or Professional levels.
Regardless of the deployment type you create, you must configure appliances for vulnerability scanning and Network IDS. Your deployment type and subscription determine the appliances you need to set up.
If you have a Professional subscription, you must install an agent. Alert Logic provides a single agent that collects data used for analysis, such as log messages and network traffic, metadata, and host identification information. For more information about installing agents, see Install the Alert Logic Agent for Linux, Install the Alert Logic Agent for Windows, or Automate Alert Logic Agent Installation with AWS Systems Manager Distributor.
Update the Alert Logic agent firewall rules
If you installed the Alert Logic agent, ensure the proper outbound firewall rules are in place for the node where you installed the agent. For information about firewall rules, see Alert Logic firewall rules for the US or UK/EU.
Update the Alert Logic appliance firewall rules
If you used a CloudFormation template or a Terraform template provided by Alert Logic for your appliance installation, you do not need to perform this step.
If you have a Professional subscription, you can set up log collection. For information about how to add log sources for data you want to collect, see Log Sources.