Tutorial: Run Your First Scan and Audit

In this tutorial, we will stand up a working inventory for an office network from scratch. Along the way you will encounter the Audit Service, Segments, Scans, Audits, and the device form in Inventory.

By the end, you will have a Segment named Office Network covering the IP range 192.168.1.0/24, a completed scan that lists discovered devices, a completed audit on one of them, and a populated device record in your Inventory.

Before you begin

• You have an AlloyScan account with the Administrator role on a Site.
• An Audit Service is installed on a Windows host inside the network you intend to scan, registered to your Site, and showing as Active under Admin Center > Site Settings > Tasks and services > Audit services.
• The Audit Service host can reach the target IP range over the relevant ports (TCP 5985 for WinRM, TCP 22 for SSH, UDP 161 for SNMP, etc.). See System Requirements for the full list.
• A Windows credential record exists in the Audit Service's credentials pool, with a domain user that can authenticate to the target Windows machines.

Note: If you do not yet have an Audit Service, install one through Admin Center > Site Settings > Tasks and services > Audit services > + Install, then return to this tutorial.

Step 1 — Create an Address List Segment

We will start by creating a Segment for the office network.

1. From the left sidebar, navigate to Network > Segments.
2. Click + New segment.
3. On the Segment type picker, leave Address list selected (it is the default) and click Next.
4. In the wizard's Select or install audit service step, choose your existing Audit Service from the combobox.
5. In the Address list step, enter a name: Office Network.
6. In the address field, enter: 192.168.1.0/24.

You should now see your Segment listed on the Segments page with its type chip set to Address list and Last scan showing as empty.

Notice that the Segment card shows No last scan — we have not scanned it yet.

Step 2 — Run a scan on the Segment

We will now run a scan to discover what is on the network.

1. On the Segments page, click the name of your Office Network segment to open the Segment Open view.
2. In the left rail of the Segment Open view, click the blue Scan button.
3. A task is queued. You can watch it under Admin Center > Site Settings > Tasks and services > Active tasks.

You should now see the Scan results grid populate as the scan completes. The left rail updates with Last scan showing the timestamp and Last scan statistics showing the count of total discovered nodes, ignored nodes, new nodes, and known inventory.

Notice that each row in the grid has a Ready for audit column. A green check means the device has the prerequisites (such as reachable management ports) for a full audit; a red icon means it does not.

Step 3 — Run an audit on a discovered device

We will now collect detailed data for one of the discovered devices.

1. Still in the Segment Open view, locate a row with Ready for audit showing a green check.
2. Tick the row's checkbox.
3. In the action toolbar above the grid, click Audit.

The audit task is queued and assigned a Task number. When the audit completes:

• The device's Last audit status column updates.
• A new entry appears in the Audit log at Admin Center > Site Settings > Logs > Audit log with your account as the Initiator and the Errors count for the operation.
• The audited device appears in the Site Inventory.

Note: First audit results typically appear within 10–15 minutes after queuing.

Step 4 — Open the device in Inventory

We will now open the audited device's record.

1. From the left sidebar, navigate to Inventory.
2. Click the Computers card, then the appropriate sub-card (for example Windows computers).
3. Locate the row for the device you just audited and click its name.

You should now see the device form with four tabs:

• General — at-a-glance summary.
• Details — six categories of audit data with sub-forms (about 18 in total).
• Audit — Audit ID (UUID), Audit date, Audit source, the Schedule row, and the Credentials and tags panel. Use the Data and Raw data buttons here when you need the underlying snapshot for forensics.
• Change history — accumulated change events for this device (populated only while Change tracking is on).

Notice the Audit tab now shows a fresh Audit ID and Audit date for the audit you just ran.

What you have accomplished

You have a Segment that defines the office network, a completed scan listing the devices on it, a completed audit on one of those devices, and a populated record in your Inventory. From here, you can:

• Schedule recurring scans so the Segment is rediscovered automatically.
• Schedule recurring audits so device data stays current.
• Apply tags to group devices by role, location, or owner.
• Deploy an Audit Agent on endpoints that leave the office network.
• Learn more about how discovery works.

Related

• Deploy an Audit Agent on a Windows endpoint
• Key Concepts
• System Requirements