Alert Logic agent-based scanning was made available to Alert Logic Managed Detection and Response (MDR) customers using the Alert Logic agent for Windows and Linux in November 2021. Agent-based scanning continues to be available for MDR customers to opt in at their own pace, and additional enhancements have been added, including support for host-only scanning without an appliance and agent-based scan scheduling options.
These enhancements to agent-based scanning directly support several common use cases identified by customers - environments with hardened systems that prevent network scanning, environments with hosts on low bandwidth networks, and environments with mobile and transient hosts.
Note: To enable agent-based scanning on a deployment, follow these steps in the Alert Logic console: (navigation menu) > Configure > Deployments > choose a deployment > Agent-Based Scanning > Enable agent-based scanning.
Support for Host-Only Scan
As part of Alert Logic agent-based scanning enhancements, internal network scans are no longer required to trigger vulnerability consolidation of agent-based and internal network scans. An agent-based scan can execute on a host independently of an internal network scan and will combine with the latest available internal network scan results.
Note: If there are no internal network scan results, or results are older than 100 days, the scan results will not be consolidated and only agent-based scan results will be posted.
This enhancement supports customer scenarios in which there is a desire to complete vulnerability assessments without an appliance, such as in an MDR Essentials-only deployment that would not have log collection or network intrusion detection enabled. You are now able to run an agent-based scan on nodes without appliances - with Alert Logic agent-configured hosts - and view those results in Alert Logic console reports.
Agent-Based Scan Schedules
New scheduling options are available for agent-based scans. Agent-based scans can now be configured to run on a separate schedule from internal network scanning. If you prefer your agent-based scan to be linked directly with an internal network scan schedule, you also have the option to override active agent-based scan schedules.
Standalone Agent-Based Scan Schedule
Agent-based scan schedules can now be decoupled from internal network scan schedules. Previously, agent-based scans ran every 12 hours by default or were required to run at the same time as internal network scans. Now, you can schedule agent-based scans to run in their own scan windows and without the previously required internal network scan trigger. Within the Alert Logic console at (navigation menu) > Configure > Deployments > choose a deployment > Scan Schedules > Agent-Based Scans, you can create scan schedules for agent-based scans.
A default scan schedule is automatically enabled for agent-based scans, which is set to scan twice a day at any time and will scan all hosts in the deployment with the Alert Logic agent installed. This default scan schedule cannot be deleted, but it can be disabled by setting the toggle on Default Agent-Based Vulnerability Scan to Inactive.
Managing an agent-based scan schedule that is separate from your internal network scan schedule can be especially helpful if your deployment has multiple networks at different subscription levels and not every network needs internal network scanning. For example, a Professionals-level network may need both internal network and agent-based scanning while an Essentials-only network would only need agent-based scanning.
Creating a Standalone Scan Schedule
You can create a standalone agent-based scan schedule within the Alert Logic console at (navigation menu) > Configure > Deployments > choose a deployment > Scan Schedules > Agent-Based Scans > + Create a Scan Schedule. Complete the required fields in the Schedule tab of the Create a Scan Schedule pop-up, including a name for the scan, whether the scan should be active immediately, the scan frequency, and any desired scan window. Switch to the Scope tab and select which of your listed assets should be scanned.
Note: If you only want to scan hosts with the Alert Logic agent installed, look for the agent icon, which indicates that a host has the Alert Logic agent installed.
Override Agent-Based Scan Schedule
If you do not wish to manage your agent-based and internal network scans separately and want to configure both scan types to run on the same schedule, you can override all agent-based scan schedules. At (navigation menu) > Configure > Deployments > Scan Schedules > Agent-Based Scans, toggle Use internal network scan schedule(s) to the right to activate. This overrides any agent-based scan schedules and ensures that both agent-based scans and internal network scans follow the internal network scan schedule you have set. On the other hand, if this option has been automatically enabled, you can choose to toggle it to the left to deactivate.
Scan Report Filters
All scan schedule-related reports, found in the Alert Logic console at (navigation menu) > Validate > Reports > Vulnerabilities > Scan Schedule Breakdown, now have additional filters to help you review agent-based scan data more efficiently. Any agent-based scan schedules that you have created and that are active will be available in the Scan Schedule Name drop-down list. With the new Category filter, you can also now isolate Agent or Network vulnerabilities from the consolidated results within your reports.
For additional details on agent-based scanning, see these support resources:
- Does Alert Logic combine results from internal network and agent-based vulnerability scans?
- Will Alert Logic run all network checks against a host with agent-based scanning enabled?
- Does Alert Logic support vulnerability scanning without an appliance?
- 11/17/2021: Agent-Based Scanning
- What is the difference between agent-based scanning, and authenticated and unauthenticated scanning?
- Agent-Based Scanning
- Manage Scan Schedules
- Get Started with Alert Logic Scans
- About Alert Logic Scans
- AWS Deployment Configuration - Automatic Mode (Essentials)
- AWS Deployment Configuration - Manual Mode (Essentials)
- Microsoft Azure Deployment Configuration (Essentials)
- Data Center Deployment Configuration (Essentials)
- Data Center Deployment Configuration - Google Cloud Platform (Essentials)