Alert Logic allows you to use a Data Center deployment of Managed Detection & Response (MDR) to monitor laptops, workstations, and other end-user devices.
Note: This is an opt-in early adoption feature. Some features of the MDR offering may not be fully supported for end-user devices.
You can access the Deployments page from the main menu () > Configure in the Alert Logic console. To add a Data Center deployment, click the add icon (), and then click Data Center. Follow the steps in the sections below to configure your Data Center deployment for end-user devices.
Note: After configuration, end-user devices in a Data Center deployment cannot be scanned using a network appliance. To scan end-user devices for vulnerabilities, you must enable agent-based scanning. See Enable agent-based scanning.
Name Your Deployment
In the Deployment Name field, type a descriptive name for the deployment you want to create, and then click SAVE AND CONTINUE.
To add assets in a Data Center deployment for end-user devices, you must create a network.
To create a network:
- In the Internal Assets tab, click the add icon (), and then select Network.
- Type a name for the network, and then add the following Private CIDR(s):
- Click SAVE.
- On the Network Too Large for Scanning message, click ACCEPT RISK. The message is a warning that the deployment cannot be scanned using a network appliance. Agent-based scanning must be configured later to scan the deployment.
- If you require your end-user devices to have different levels of protection, that is some with Professional coverage and others with only Essentials coverage, then you must have a network for each protection level. Repeat steps one to four above to create a second network. For how to configure a Professional scope deployment, see Configure Data Center Deployment for End-User Devices (MDR Professional Subscription).
- Click NEXT to proceed to the next configuration step.
Alert Logic does not discover assets in this deployment type. Click NEXT.
Scope of Protection
Alert Logic provides a visual topology of the networks and subnets in your deployment where you can select the desired levels of protection for your assets.
For a Data Center deployment for end-user devices, scope of protection must be set at the network level. Click a network to change its service level, and then click SAVE SCOPE.
The choices available for scope of protection correspond directly with your entitlement. Although a Professional subscription includes all the features of Essentials, a Professional customer cannot set the protection scope to Essentials unless the account has a separate Essentials subscription.
You can change the protection level later as needed.
Enable Agent-Based Scanning
Agent-based scanning provides the vulnerability assessment coverage of authenticated network scanning without the need to manage credentials and with a reduction in network traffic and impact. To learn more about agent-based scanning, see Agent-Based Scanning.
Note: Agent-based scanning must be enabled to scan end-user devices in a Data Center deployment.
To enable agent-based scanning:
- Select Enable agent-based scanning (recommended).
- Click SAVE.
- On the confirmation dialog, click ENABLE.
You need to configure vulnerability scans to protect your deployment.
Note: For a Data Center deployment for end-user devices, it is recommended that you first install the agents on all devices that you are adding to the deployment before proceeding with this configuration. See Installation Instructions.
Alert Logic performs scans to protect your deployment. When you create a new Data Center deployment, Alert Logic automatically creates default scan schedules to perform external and internal vulnerability scans on all non-excluded assets.
Note: End-user devices can only be scanned using agent-based vulnerability scanning. You can leave the Internal Network Scans and External Network Scans tabs on the default settings (disabled).
The default agent-based scan schedule performs scans for vulnerabilities and missing patches on all non-excluded hosts with an Alert Logic agent installed. You can schedule when you want to perform specific scans for all or selected assets from the Agent-Based Scans tab. For more information, see Manage Vulnerability Scan Schedules.
To initiate vulnerability scanning, review the schedules, make any changes, and then activate the schedules you want to use. Click NEXT.
You can exclude assets from agent-based scans.
Note: End-user devices can only be scanned using agent-based vulnerability scanning. You can leave the Internal Network Scans and External Network Scans tabs on the default settings.
To exclude assets from agent-based scans:
- On the Scan Exclusions page, click the Agent-Based Scans tab.
- To exclude assets, click ASSETS to search for available assets to exclude, and then click EXCLUDE for the asset you want to exclude.
Note: You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click CANCEL.
- After you apply your exclusions, click SAVE EXCLUSIONS.
Note: If you exclude assets that are selected in an active scan schedule in the Scope tab, the items remain selected but are not included in future scans.
Data Center deployments for end-user devices only use agent-based vulnerability scanning. Credentials are not required for agent-based scanning.
This section is used to optimize network scanning behaviors. Data Center deployments for end-user devices do not use the network scanning appliance.
This topology diagram provides an overview of your scope of protection. You can see which assets are unprotected, or being scanned at the Essentials, Professional, or Enterprise levels.
The protection breakdown displays how many assets are unprotected, excluded, and protected, along with the number of protected assets in each level.
Alert Logic provides a single agent that collects data used for analysis, such as log messages and network traffic, metadata, and host identification information. If agent-based scanning is enabled, the agent also scans its host and provides scan results. Click the links below for more information and to download the appropriate agent:
Verify the health of your deployment
After you create your deployment, access the Health console in the Alert Logic console to determine the health of your networks, appliances, and agents, and then make any necessary changes.