Alert Logic agent-based scanning is now available; all Managed Detection & Response (MDR) customers can opt-in at their own pace. Agent-based scanning extends vulnerability scanning capabilities to increase visibility on the target hosts and uses locally installed programs on a host with the Alert Logic agent to identify vulnerabilities, misconfigurations, and missing patches.
Agent-based scanning provides the most effective and efficient vulnerability scan with minimal impact on a host; it requires no credentials management and offers low resource consumption. You now have the flexibility to get a complete vulnerability picture by pairing an unauthenticated network scan with the agent-based scan or by continuing to use authenticated network scans.
Note: Support for Alert Logic agent-based scanning includes Alert Logic agents for Windows and Linux. Container agents and Extended Endpoint Protection agents are not supported.
Enable Agent-Based Scanning
Agent-based scanning can be enabled within the Alert Logic console at (navigation menu) > Configure > Deployments > choose the Amazon Web Services, Microsoft Azure, or data center deployment you want agent-based scanning enabled on > Agent-based scanning.
With agent-based scanning enabled, all current and future Alert Logic agents in the deployment will download and install three scan subcomponents on MDR Essentials, Professional, and Enterprise nodes. The first agent-based scan will execute within 12 hours of the scan subcomponents being installed on the host. You should expect a significant increase in the number of vulnerabilities found if you were previously only running unauthenticated network scans.
The following scan subcomponents are installed on a deployment’s nodes to enable agent-based scanning:
- al-state-monitor, which is a status wrapper around the other scan subcomponent executables. This process runs constantly and can be monitored
- osquery, which allows for the inference of vulnerabilities and software inventory. This process returns a JSON data structure of state data and only runs during the execution of a scan.
- ovaldi, which provides deterministic detection of vulnerabilities. This process only runs during the execution of a scan.
Disable Agent-Based Scanning
If you choose to disable agent-based scanning via the agent-based scanning page in the Alert Logic console, the scan subcomponents will remain installed on the deployment’s nodes but will be inactive. No agent-based scans will execute in the deployment, and the next network scan will remove agent-based scan results from data in the Exposures page of the Alert Logic console, but the historical data will continue to be available in applicable reports and views.
Agent-Based Scan Vulnerabilities
Exposures identified from agent-based scanning can be found in the Alert Logic console at > Respond > Exposures > open View drop-down menu and select Exposures > select Agent in the Category filter. Agent-based scanning exposures are those results from the consolidation of agent-based and network scan results and with the tags Security and Agent named above the vulnerability.
Vulnerability information is also available in Vulnerability Reports at > Validate > Reports > Vulnerabilities.
Agent Topology Map
A new feature has been added to the Alert Logic console to help you identify where Alert Logic agents are installed in your environment. At > Investigate > Topology, select the deployment of your choice from the Deployment drop-down menu and select the Agents map icon. The agents installed on your hosts will appear highlighted and allow you to determine which hosts have agents installed, as well as quickly identify the status of each agent.
Within the Agents map topology view, you can use the Scan Now function, which will immediately execute an on-demand scan on a host you’ve chosen that has the Alert Logic agent installed. Click on the host you want scanned and a sidebar will appear. Click the > (arrow) until you see Actions. Select Actions and click Scan Now. A network scan and agent-based scan will be started at the same time and the results from both scan types will be merged after the network scan completes.
Learn more about agent-based scanning with the following Alert Logic knowledge base articles and documentation: