Get Started with Alert Logic Scans
A scan detects and identifies network and host vulnerabilities in your environment. Scans can perform external attack simulations as well as comprehensive vulnerability checks including registry evaluation. Alert Logic scans can also help you meet PCI compliance requirements through Fortra VM. For more information, see the detailed Scanning best practices documentation.
Scan types
There are three types of supported scans:
Internal scans
An internal scan runs from an Alert Logic appliance in your environment. When you define a scan, you can specify credentials to use with the internal scan. If you provide credentials, Threat Manager can log on to each host on your network and collect information about the host while it performs comprehensive vulnerability checks including registry setting evaluation. If you do not provide credentials, Threat Manager scans your network without logging on to each host and performs as many checks as possible.
External scans
An external scan runs from the Alert Logic data centers against your environment. This type of scan simulates attacks from outside your network and identifies potential issues from these attack types.
PCI scans (through Fortra VM)
A PCI scan is a type of external scan that is used specifically for Payment Card Industry (PCI) compliance requirements. Alert Logic customers can use the self-service PCI Approved Scanning Vendor (ASV) capabilities in Fortra VM. For more information on PCI scans, refer to the PCI scan documentation.
Scanning best practices
When configuring your scans, use the following guidelines to create successful scans and scan results. For more in-depth best practices, see the detailed Scanning best practices documentation.
- Scan often.
- Scan everything in your network.
- Scan at the right times.
  - Scan your servers, firewalls, and routers during off-peak times.
  - Scan your workstations during working hours.
  - Do not scan during service windows.
- Make sure each scan is manageable.
  - Run open-ended scans.
  - Split up long scans into reasonable pieces.
Suggested scan frequency
The following table shows the recommended frequency for internal and external scans on different sets of ports.
Scan frequency | Common TCP and UDP ports | Typically Vulnerable TCP and UDP ports | All TCP and UDP ports | |||
---|---|---|---|---|---|---|
Internal scan | External scan | Internal scan | External scan | Internal scan | External scan | |
Daily | x | |||||
Weekly | x | x | ||||
Monthly | x | x | ||||
Quarterly | x | |||||
After configuration change | x | x | ||||
Suspicion of break or infection | x | x |
Originating IP addresses
The following table contains the range of IP addresses owned by Alert Logic. Alert Logic scans originate from a subset of the following IP addresses. Make sure that your firewalls allow scanning traffic from all of the following IP addresses.
IP/CIDR | # of addresses | Included addresses |
---|---|---|
204.110.218.0/23 | 512 | 204.110.218.0 — 204.110.219.255 |
208.71.208.0/22 | 1024 | 208.71.208.0 — 208.71.211.255 |
185.54.124.0/22 | 1024 | 185.54.124.0 — 185.54.127.255 |
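The following added example (not Alert Logic code) checks a firewall allowlist against the three ranges in the table and reports any part of them that is still blocked. It also tests whether a source address seen in firewall logs falls inside the published ranges. The function names and the sample allowlist and addresses are constructed for illustration, and the allowlist is assumed to be IPv4 CIDR strings exported from your rule set.

```python
import ipaddress

# Alert Logic scanner ranges, copied from the table above.
ALERT_LOGIC_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("204.110.218.0/23", "208.71.208.0/22", "185.54.124.0/22")
]

def uncovered_ranges(allowlist):
    """Return the parts of the Alert Logic ranges that the allowlist misses.

    allowlist: IPv4 CIDR strings exported from the firewall rule set (assumed).
    """
    allowed = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(cidr, strict=False) for cidr in allowlist))
    gaps = []
    for block in ALERT_LOGIC_RANGES:
        remaining = [block]
        for rule in allowed:
            still_open = []
            for net in remaining:
                if net.subnet_of(rule):      # this piece is fully allowed
                    continue
                if rule.subnet_of(net):      # partly allowed: keep the rest
                    still_open.extend(net.address_exclude(rule))
                else:                        # rule does not touch this piece
                    still_open.append(net)
            remaining = still_open
        gaps.extend(remaining)
    return sorted(ipaddress.collapse_addresses(gaps))

def is_scanner_source(ip):
    """True if ip falls inside one of the published Alert Logic ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALERT_LOGIC_RANGES)

if __name__ == "__main__":
    # Constructed allowlist that misses two /24 blocks of the published ranges.
    sample_allowlist = ["204.110.218.0/24", "208.71.208.0/22",
                        "185.54.124.0/23", "185.54.126.0/24"]
    for gap in uncovered_ranges(sample_allowlist):
        print(f"not allowed: {gap} ({gap.num_addresses} addresses)")
    # Constructed source addresses, as they might appear in firewall deny logs.
    for src in ("204.110.219.17", "198.51.100.7"):
        label = "Alert Logic range" if is_scanner_source(src) else "other source"
        print(f"{src}: {label}")
```

An empty result from `uncovered_ranges` means the rule set admits every address in the table. A denied source that falls inside the ranges points to a scan being blocked, which leaves the scan results incomplete.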
Explore Alert Logic scans
You can access most scan-related features from the Scans page in the Alert Logic console. From the Scans page, you can create and schedule scans, manage scan results, and complete steps for PCI compliance. For scans that have completed, you can view results, download a CSV file of the results, and get help with scans or individual vulnerabilities. For more information on these tasks, see the detailed Scanning best practices documentation.
Access Alert Logic scans
To access scans and scan results:
- In the Alert Logic console, click OVERVIEW, and then click Scans.
- On the Scans page, use the tabs to access scan features, as follows:
  - Statistics—Access summarized vulnerability information for your environment from overall scan results. See View vulnerability statistics.
  - Scans—Create and update scan definitions, and access scan results. See Manage scans.
  - PCI Compliance—Create PCI scans and access PCI scan results. See Manage PCI scans.
  - Search—Search scan results for criteria such as vulnerability name and risk levels. See Search scan results.
Download scan reports
To download a report after a scan has finished:
- In the Alert Logic console, click OVERVIEW, and then click Scans.
- Navigate to the Scans tab on the Scans page.
- Click Results next to the scan title. The table that appears shows all completed reports for the selected scan.
- Click the icons in the Export column to download reports in various formats.
  - Click the green CSV icon to download a .csv file with vulnerability and exposure details.
  - Click the blue CSV icon to download a .csv file with host details.
The industry-standard CSV downloads include detailed host and vulnerability information. The format allows you to analyze, sort, and filter the information externally in the software of your choice. Alert Logic recommends the use of the CSV downloads for all scan analysis.
Scan help
If you need help with scan results, you can create a support case either at the scan level or at the individual vulnerability level.
To get help at the scan level:
- In the Alert Logic console, click OVERVIEW, and then click Scans.
- Select your desired scan from the list and then click Results.
- In the Log ID column of the table, click the support icon for the specific scan run date.
- An email form appears in your default email application. The email is pre-filled with the following information:
  - Product
  - Account Name
  - Account ID
  - Policy Name
  - Policy ID
- Add a description of your issue to the email, and then send it. An Alert Logic engineer will address your case.
To get help at the vulnerability level:
- In the Alert Logic console, click OVERVIEW, and then click Scans.
- Select your desired scan from the list, and then click Results.
- Locate the specific scan run date, and then click the number of hosts listed in the Results column.
- Click the support icon next to the individual vulnerability.
- An email form appears in your default email application. The email is pre-filled with the following information:
  - Product
  - Account Name
  - Account ID
  - Policy Name
  - Policy ID
  - Vulnerability Name
  - Vulnerability ID
  - Exposure ID
  - Host IP
  - Host ID
- Add a description of your issue to the email, and then send it. An Alert Logic engineer will address your case.