Alert Logic allows you to use a Data Center deployment of Managed Detection & Response (MDR) to monitor laptops, workstations, and other end-user devices.
Note: This is an opt-in early adoption feature. Some features of the MDR offering may not be fully supported for end-user devices.
You can access the Deployments from the main menu > Configure in the Alert Logic console. To add a Data Center deployment, click the add icon, and then click Data Center. Follow the steps in the sections below to configure your Data Center deployment for end-user devices.
Note: After configuration, end-user devices in a Data Center deployment cannot be scanned using a network appliance. To scan end-user devices for vulnerabilities, you must enable agent-based scanning. See Enable agent-based scanning.
Name Your Deployment
In the Deployment Name field, type a descriptive name for the deployment you want to create, and then click SAVE AND CONTINUE.
To add assets in a Data Center deployment for end-user devices, you must create a network.
To create a network:
1. In the Internal Assets tab, click the add icon, and then select Network.
2. Type a name for the network, and then add the following Private CIDR(s):
3. Depending on whether you want IDS collection, set Do not use agents for IDS traffic. My network automatically forwards traffic to my appliances through a port mirroring feature. as follows:
   - If you want full coverage including IDS collection, do not select the option. If selected, it prevents the Alert Logic appliance from monitoring the IDS traffic of your end-user devices.
   - If you do not require IDS collection on your end-user devices, select the option. This limits the remediations shown in the Health console to a single one, for the appliance not providing IDS coverage. You can dispose of this remediation; see Dispose.
4. Click SAVE.
5. On the Network Too Large for Scanning message, click ACCEPT RISK. The message is a warning that the deployment cannot be scanned using a network appliance. Agent-based scanning must be configured later to scan the deployment.
6. If you require your end-user devices to have different levels of protection (for example, some with Professional coverage and others with only Essentials coverage), you must have a network for each protection level. Repeat steps 1 to 5 above to create a second network.
7. Click NEXT to proceed to the next configuration step.
Alert Logic does not discover assets in this deployment type. Click NEXT.
Scope of Protection
Alert Logic provides a visual topology of the networks and subnets in your deployment where you can select the desired levels of protection for your assets.
For a Data Center deployment for end-user devices, scope of protection must be set at the network level. Click a network to change its service level, and then click SAVE SCOPE.
The choices available for scope of protection correspond directly with your entitlement. Although a Professional subscription includes all the features of Essentials, a Professional customer cannot set the protection scope to Essentials unless the account has a separate Essentials subscription.
You can change the protection level later as needed.
Configure Cross-Network Protection
Note: You must configure Cross-Network Protection if you want to monitor IDS traffic on your end-user devices. If you do not want IDS collection, you can skip this section.
You have the option to set up Cross-Network Protection to create connections across networks, in the same or a different deployment, but within the same account. Cross-Network Protection allows other networks to use resources from a protecting network with an assigned network appliance. The common places for Cross-Network Protection use are Amazon Web Services (AWS) VPC Peering, AWS Transit Gateway, and Microsoft Azure VNet Peering.
A protecting network hosts the appliance. The network protected by the protecting network is the protected network. For more information on Cross-Network Protection, see Cross-Network Protection.
To configure Cross-Network Protection:
- On the side navigation, click Options under Protection.
- On the Cross-Network Protection tab, click the network or region you want to protect in the topology diagram, or in the Search Assets field, search for the network or region you want to protect.
- Click the search field to search or type the name of a protecting network, and then select one.
- Click SAVE.
The protecting network and protected network are now visible in the topology diagram with distinguishing icons. The Cross-Network Protection Breakdown, on the top left of the topology graph, provides an overview of your Cross-Network Protection connections.
View protected networks
To view protected networks:
- Click the protecting network icon to see the number of protected networks currently connected.
- Click the details icon to see a slideout panel that contains protected network names.
View protecting networks
To view protecting networks, click the protected network icon.
Network IDS Exclusions
Note: If you are not monitoring IDS traffic on your end-user devices, you can skip this section.
Network IDS monitors network traffic and triggers incidents when it detects suspicious activity or threats on your networks. You can exclude assets from Network IDS.
To exclude assets from Network IDS:
- In the left panel, click Network IDS Exclusions.
- Click the drop-down menu to select a network or leave All networks selected.
- In the Protocol field, click the drop-down menu to select a protocol. Select TCP, UDP, or ICMP, or select * to select all IP protocols.
- In the CIDR field, enter a range of network addresses in CIDR format that you want to exclude.
Note: Enter 10.0.0.0/24 to exclude IP addresses in the range 10.0.0.0-10.0.0.255.
- Click the drop-down menu to select the port. You can enter a single port, a port range, or * to select all ports.
Note: Enter 443 for a single port. Enter 1:1024 for a port range.
- In the Justification/Note field, enter the reason for excluding the assets from Network IDS.
- Click EXCLUDE AND ADD ANOTHER. Repeat the steps to add more CIDRs.
Note: You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click REMOVE.
- After you apply all the necessary exclusions, click SAVE EXCLUSIONS.
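Because every exclusion is a deliberate blind spot for Network IDS, it is worth being able to answer "which of my rules would hide this traffic?" before saving them. The following is an added illustration, not Alert Logic code: a hypothetical model of an exclusion using the page's own field syntax (protocol TCP/UDP/ICMP or *, a CIDR, and ports as 443, 1:1024 or *), with helpers that test a flow against the rules and size each rule's blind spot so overly broad ones stand out. How the console treats port-restricted rules for portless ICMP is an assumption noted in the code.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Exclusion:
    """Hypothetical model of one Network IDS exclusion as entered in the console."""
    protocol: str   # "TCP", "UDP", "ICMP" or "*"
    cidr: str       # e.g. "10.0.0.0/24"
    ports: str      # "443", "1:1024" or "*" (the page's own syntax)
    note: str       # the Justification/Note field

def parse_ports(spec: str) -> Tuple[int, int]:
    """Turn '443', '1:1024' or '*' into an inclusive (low, high) port range."""
    if spec == "*":
        return (0, 65535)
    if ":" in spec:
        low, high = (int(p) for p in spec.split(":", 1))
    else:
        low = high = int(spec)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return (low, high)

def excludes(rule: Exclusion, proto: str, ip: str, port: Optional[int]) -> bool:
    """True if traffic (proto, ip, port) would be hidden from Network IDS by rule."""
    if rule.protocol != "*" and rule.protocol.upper() != proto.upper():
        return False
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(rule.cidr, strict=False):
        return False
    if port is None:
        # Assumption: a portless protocol such as ICMP is only covered by a "*" port rule.
        return rule.ports == "*"
    low, high = parse_ports(rule.ports)
    return low <= port <= high

def blind_spot_size(rule: Exclusion) -> int:
    """Addresses x ports the rule removes from IDS visibility; large values merit review."""
    low, high = parse_ports(rule.ports)
    return ipaddress.ip_network(rule.cidr, strict=False).num_addresses * (high - low + 1)

def shadowed(rules: List[Exclusion], proto: str, ip: str, port: Optional[int]) -> List[str]:
    """Return the justification of every rule that would exclude this traffic."""
    return [r.note for r in rules if excludes(r, proto, ip, port)]

# Constructed sample rules mirroring the notes on the page (not real customer data).
RULES = [
    Exclusion("TCP", "10.0.0.0/24", "443", "internal HTTPS monitoring proxy"),
    Exclusion("*", "10.0.1.0/24", "1:1024", "lab subnet, all low ports"),
]
```

Running `shadowed(RULES, "tcp", "10.0.0.5", 443)` returns the proxy justification, while the lab rule's blind spot of 256 addresses x 1024 ports is the kind of entry to revisit before clicking SAVE EXCLUSIONS.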
Enable Agent-Based Scanning
Agent-based scanning provides the vulnerability assessment coverage of authenticated network scanning without the need to manage credentials and with a reduction in network traffic and impact. To learn more about agent-based scanning, see Agent-Based Scanning.
Note: Agent-based scanning must be enabled to scan end-user devices in a Data Center deployment.
To enable agent-based scanning:
- Select Enable agent-based scanning (recommended).
- Click SAVE.
- On the confirmation dialog, click ENABLE.
You need to configure vulnerability scans to protect your deployment.
Note: For a Data Center deployment for end-user devices, it is recommended that you first install the agents on all devices that you are adding to the deployment before proceeding with this configuration. See Installation Instructions.
Alert Logic performs scans to protect your deployment. When you create a new Data Center deployment, Alert Logic automatically creates default scan schedules to perform external and internal vulnerability scans on all non-excluded assets.
Note: End-user devices can only be scanned using agent-based vulnerability scanning. You can leave the Internal Network Scans and External Network Scans tabs on the default settings (disabled).
The default agent-based scan schedule performs scans for vulnerabilities and missing patches on all non-excluded hosts with an Alert Logic agent installed. You can schedule when you want to perform specific scans for all or selected assets from the Agent-Based Scans tab. For more information, see Manage Vulnerability Scan Schedules.
To initiate vulnerability scanning, review the schedules, make any changes, and then activate the schedules you want to use. Click NEXT.
You can exclude assets from agent-based scans.
Note: End-user devices can only be scanned using agent-based vulnerability scanning. You can leave the Internal Network Scans and External Network Scans tabs on the default settings.
To exclude assets from agent-based scans:
- On the Scan Exclusions page, click the Agent-Based Scans tab.
- To exclude assets, click ASSETS to search for available assets to exclude, and then click EXCLUDE for the asset you want to exclude.
Note: You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click CANCEL.
- After you apply your exclusions, click SAVE EXCLUSIONS.
Note: If you exclude assets that are selected in an active scan schedule in the Scope tab, the items remain selected but are not included in future scans.
Data Center deployments for end-user devices only use agent-based vulnerability scanning. Credentials are not required for agent-based scanning.
This section is used to optimize network scanning behaviors. Data Center deployments for end-user devices do not use the network scanning appliance.
If you have a Professional subscription, you can set up log collection. To add log sources for data you want to collect, see Log Sources.
File Integrity Monitoring (FIM)
FIM allows you to monitor changes to files and directories of assets in your deployments. You can configure monitoring or exclusions for specific file paths or entire directories in your Windows and Linux systems.
FIM is composed of two subsections: Monitoring and Exclusions. On the Monitoring page, you can set up files and directories for monitoring from the default file types listed on the page. In the Exclusions page, you can exclude files and directories from monitoring, which will override a previously configured file monitoring setup. For more information, see File Integrity Monitoring.
After creating FIM or exclusion setups, click NEXT.
This topology diagram provides an overview of your scope of protection. You can see which assets are unprotected, or being scanned at the Essentials, Professional, or Enterprise levels.
The protection breakdown displays how many assets are unprotected, excluded, and protected, along with the number of protected assets in each level.
Alert Logic provides a single agent that collects data used for analysis, such as log messages and network traffic, metadata, and host identification information. If agent-based scanning is enabled, the agent also scans its host and provides scan results. Click the links below for more information and to download the appropriate agent:
Note: To monitor IDS traffic on end-user devices, you must have an appliance installed on the protecting network. For more information, see Cross-Network Protection. If you are not using IDS collection, you can skip this section.
You must assign appliances to your networks. Use the Unique Registration Key to assign one or more appliances to each network. For more information, see Install and Configure the Physical Appliance or Install and Configure the Virtual Appliances.
Verify the health of your deployment
After you create your deployment, access the Health console in the Alert Logic console to determine the health of your networks, appliances, and agents, and then make any necessary changes.