Alert Logic® Managed Detection and Response utilizes discovery scans to identify hosts and other assets in data center deployments, where no other data sources, like cloud APIs, provide asset information. When a physical or virtual Alert Logic appliance is installed in a data center deployment, the appliance will periodically scan the local network using discovery scans. If multiple network address blocks (CIDR ranges) are associated with the network, each block will be scanned separately. The scheduling of discovery scans can be configured in the Alert Logic console at navigation menu () > Configure > Deployments > any Data Center deployment > Assets > Discover Assets.
During a discovery scan, the following actions occur for each individual address in each network block:
- An ICMP echo (ping) request is sent. If no answer is received on the first attempt, another ICMP ping is sent.
- An ICMP timestamp request is sent.
- A "TCP ping" is sent to 22 commonly used TCP ports (21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080, 8400, 49154). TCP pings use a deviation of the TCP standard three-way handshake to determine if a machine responds. This method sends an unsolicited TCP Synchronize (TCP SYN) to the specified port. If an active machine is listening on this port, it should send back a reset to the unsolicited request.
- The 12 most common UDP ports are tested for response (ports 53, 69, 111, 123, 137, 138, 161, 177, 445, 500, 1900, 4500).
An IP that responds to any of the above checks is considered discovered. Each discovered IP is compared with the IP addresses of hosts in the network where the discovery scan was made.
- If that IP address is already present for a host asset in the network, the last discovery time of the host is set to the current time.
- Otherwise, a new host asset is created with the IP address, and the last discovery time of the host is set to the current time.
Discovery Scan & Agents
When an Alert Logic agent is installed on a host, the host's networking configuration is transmitted to Alert Logic. That data is used to create host asset records, and any host previously discovered by a discovery scan will be replaced by a single host with all the local IP addresses.
On Monday, new host prodWebserver was started in a protected network. The host has two local IP addresses: 10.0.0.10 and 10.0.0.11. That day, those two IP addresses are discovered for the first time. Two hosts are created, one with each IP address. On Tuesday, the Alert Logic agent is installed on prodWebserver. The two existing hosts are replaced by a single host with name prodWebserver and two local IP addresses, 10.0.0.10 and 10.0.0.11.
In this example, the installation of the Alert Logic agent provided better information about the host, prodWebserver. For this reason, the installation of the Alert Logic agent is highly recommended wherever feasible. The list of known hosts with no agent installed is available in the Health Console within the Alert Logic console.
Expiration of Discovered Hosts
Asset expiration shall be based on the following discovery scan schedule for Data Center deployments:
- Scan as often as necessary
- Ten days
- Daily frequency
- Ten days (ten discovery scan cycles)
- Weekly frequency
- 30 days (four discovery scan cycles)
Asset Updates to Reflect Network Changes
Alert Logic automatically adjusts the relationship between hosts and subnets or networks, based on discovery scans and the current network topology you define.
For example, should you split a /24 subnet into two /25 subnets, you shall see hosts transition to the newly created subnets in the Topology page upon completion of the next discovery scan of that network.
Hosts remaining in the old subnet after a discovery scan has taken place is indicative of connectivity issues between your Alert Logic appliance and the host. Should this occur and you have verified connectivity between the host and appliance, submit a ticket to Alert Logic Support.