The time required for a scan to complete in the Alert Logic Managed Detection & Response platform is affected by several factors, such as the scope of the scan, the appliance resources available, and the network bandwidth. However, you can make changes to your scan performance settings and scan schedules to decrease (or increase) the amount of time it takes for a scan to run.
Adjust Scan Settings to Increase/Decrease Scan Maximums
In your scan settings, you can determine the maximum number of concurrent scans that can be run. By default, a maximum of 10 CIDR blocks can be concurrently scanned during discovery scans, and a maximum of 10 IPs can be concurrently scanned during vulnerability scans.
Scan settings can be accessed in the Topology view or during deployment configuration. To access the scan settings in the Topology view, open the navigation menu and select Investigate > Topology. Specify a deployment or region in the respective drop-down menus, and then click the Region, VPC, VNET, or network to manage. In the slideout panel that displays, click Scan Settings. To access the scan settings during deployment configuration, open the navigation menu and select Configure > Deployments > select a deployment > Scan Performance, and then select an asset to modify.
Selecting a lower number (as low as 1) means fewer concurrent scans will run, which reduces scan traffic but also results in slower scans and a longer scan duration. Selecting a higher number (up to 20) results in a faster scan and shorter scan duration but increases scan traffic. Keep in mind that these numbers are maximum limits – the actual number of concurrent scans will vary based on appliance resource availability and network bandwidth at the time of the scan, but it will not exceed the defined limit.
If you are unsure of the appropriate settings to use for your environment, Alert Logic recommends reaching out to our Support team by submitting a ticket before making changes to these settings.
Adjust Scan Scope to Expand or Limit Assets Within a Scan Schedule
Another way to decrease or increase the amount of time it takes for a scan to run is to adjust the scope of a scan. Within each deployment, you can create multiple scan schedules to scan specific assets, IP ranges, and/or CIDR ranges at different times. The smaller the scope of the scan, the quicker the scan will complete. If you have limited appliance resources and network bandwidth, you may want to schedule different portions of your environment on different days and at different times so that all your protected assets are scanned without overloading your appliance.
Scan schedules can be created and managed using the Scan Schedules page, accessed by selecting Configure > Deployments > select a deployment > Vulnerability Scanning > Scan Schedules.
If you have not set up custom scan schedules within a deployment, default scan schedules and scopes are used. For more information on managing scan schedules, including how to define the scope of a scan, refer to our Manage Scan Schedules documentation.
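The following planning helper is an added example, not Alert Logic code, and it does not call any Alert Logic API. It splits a list of IPv4 CIDR ranges into a chosen number of similarly sized, contiguous scopes that you could then enter by hand as separate scan schedules. The function name, the /24 split size, and the sample ranges are assumptions made for illustration.

```python
import ipaddress

# Constructed sample scope: overlapping and adjacent IPv4 ranges (not real assets).
SAMPLE_CIDRS = ["10.0.0.0/22", "10.0.4.0/24", "192.168.1.0/25", "192.168.1.128/25"]


def plan_scan_scopes(cidrs, schedules, max_prefix=24):
    """Split IPv4 CIDR ranges into `schedules` contiguous, similarly sized scopes."""
    if schedules < 1:
        raise ValueError("schedules must be at least 1")
    # Merge duplicates, overlaps and adjacent ranges so no address is counted twice.
    merged = ipaddress.collapse_addresses(
        ipaddress.ip_network(c, strict=False) for c in cidrs
    )
    # Cut large ranges into /max_prefix pieces so they can be spread across scopes.
    pieces = []
    for net in merged:
        if net.prefixlen < max_prefix:
            pieces.extend(net.subnets(new_prefix=max_prefix))
        else:
            pieces.append(net)
    total = sum(p.num_addresses for p in pieces)
    groups = [[] for _ in range(schedules)]
    seen = 0
    # Walk the pieces in address order and assign each one by its position in the
    # overall address count, which keeps every scope contiguous where possible.
    for piece in pieces:
        idx = min(schedules - 1, seen * schedules // total)
        groups[idx].append(piece)
        seen += piece.num_addresses
    # Collapse each scope back into the fewest CIDR strings to type into a schedule.
    return [
        {
            "addresses": sum(n.num_addresses for n in g),
            "cidrs": [str(n) for n in ipaddress.collapse_addresses(g)],
        }
        for g in groups
    ]


if __name__ == "__main__":
    for number, scope in enumerate(plan_scan_scopes(SAMPLE_CIDRS, 3), start=1):
        print(f"schedule {number}: {scope['addresses']} addresses -> {scope['cidrs']}")
```

The address counts include network and broadcast addresses, so treat them as a relative sizing guide rather than a count of live hosts.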
Additional resources that may be helpful:
- What happens if all assets are not scanned within my scan window?
- Can I include the same assets in multiple scan schedules?