Alert Logic® SIEMless Threat Management™ utilizes discovery scans to identify hosts and other assets in data center deployments, where no other data sources, like cloud APIs, provide asset information. When a physical or virtual Alert Logic appliance is installed in a data center deployment, the appliance will periodically scan the local network using discovery scans. If multiple network address blocks (CIDR ranges) are associated with the network, each block will be scanned separately. The scheduling of discovery scans can be configured in the Deployments > Configuration section of the Alert Logic console.
During a discovery scan, the following actions occur for each individual address in each network block:
- An ICMP echo (ping) request is sent. If no answer is received on the first attempt, another ICMP ping is sent.
- An ICMP timestamp request is sent.
- A "TCP ping" is sent to 22 commonly used UCP ports (21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080, 8400, 49154). TCP pings use a deviation of the TCP standard three-way handshake to determine if a machine responds. This method sends an unsolicited TCP Synchronize (TCP SYN) to the specified port. If an active machine is listening on this port, it should send back a reset to the unsolicited request.
- The 12 most common UDP ports are tested for response (ports 53, 69, 111, 123, 137, 138, 161, 177, 445, 500, 1900, 4500).
An IP that responds to any of the above checks is considered discovered. Each discovered IP is compared with the IP addresses of hosts in the network where the discovery scan was made.
- If that IP address is already present for a host asset in the network, the last discovery time of the host is set to the current time.
- Otherwise, a new host asset is created with the IP address, and the last discovery time of the host is set to the current time.
Discovery Scan & Agents
When an Alert Logic agent is installed on a host, the host's networking configuration is transmitted to Alert Logic. That data is used to create host asset records, and any host previously discovered by a discovery scan will be replaced by a single host with all the local IP addresses.
On Monday, new host prodWebserver was started in a protected network. The host has two local IP addresses: 10.0.0.10 and 10.0.0.11. That day, those two IP addresses are discovered for the first time. Two hosts are created, one with each IP address. On Tuesday, the Alert Logic agent is installed on prodWebserver. The two existing hosts are replaced by a single host with name prodWebserver and two local IP addresses, 10.0.0.10 and 10.0.0.11.
In this example, the installation of the Alert Logic agent provided better information about the host, prodWebserver. For this reason, the installation of the Alert Logic agent is highly recommended wherever feasible. The list of known hosts with no agent installed is available in the Health Console within the Alert Logic console.
Expiration of Discovered Hosts
Periodically, hosts in data center networks are examined to delete hosts that have not been recently discovered. Hosts that have not been seen in a discovery scan for seven days (168 hours) and have no Alert Logic agent installed will be deleted.