The Service Review report, sent to customers by Alert Logic®, provides an analysis of the health and value of the customer’s Alert Logic services. This report provides you with insight into areas that are working well and areas that may need improvement and can be used to determine the value that Alert Logic is providing.
The report is broken down into several sections, each highlighting a different aspect of your Alert Logic service. This article is a guide to reading the report, including potential action items for each section and related Knowledge Base articles that may be helpful.
You can find the timeframe for the report in the top right corner and Alert Logic contact information at the bottom of each page of the report.
In This Article
- Customer Information Section
- Visibility Section
- Monitoring Section
- Support Section
- Log Review Cases Section
- Appendix
Customer Information Section
The Customer Information section of the report provides you with basic information about your account, such as how long you have been using Alert Logic products and services, what products and services you are currently subscribed to, and your escalation contacts.
Action Items
Review the escalation contacts (name, phone number, email) and create a ticket in the Alert Logic Support Center if there are any changes needed.
Related Knowledge Base articles:
- What are the levels of authorization that I can give contacts for my account? - This article describes the levels of escalation contacts and what account access they are provided.
Visibility Section
The Visibility section provides insight into what Alert Logic can monitor within your environment. This section is divided into two subsections:
Collection Status Subsection
The Collection Status subsection shows the status of collection for Alert Logic agents for Alert Logic Log Manager™ and Alert Logic Threat Manager™. Details for Log Manager and Threat Manager are displayed separately for four areas:
- Log Collection Agents: Refers to Log Manager and the collection of log data using the Alert Logic Agent.
- Remote Log Sources: Refers to the collection of log data without the presence of a local Log Manager appliance. This means that Log Manager agents are sending log data to an Alert Logic cloud-based collector.
- Monitored Networks: Refers to Threat Manager and the process of receiving a copy of the target network traffic from a span port (mirror port) or from a network tap.
- Protected Hosts: Refers to Threat Manager and the process of collecting network traffic from individual hosts using the Alert Logic agent.
For each collection type, data is shown in a pie chart, where the size and color for each section of the pie represent counts for the OK, Warning, New, Error, and Offline states.
Action Items
Review your network and agent configuration within the Alert Logic console and remediate any issues, such as agents in an Error state or unexpected Offline state. If you need additional assistance, contact the Support team by creating a ticket in the Alert Logic Support Center.
Related Knowledge Base articles:
- How the Log Manager and Threat Manager Agent Works - This article provides an overview of how Alert Logic agents are used in customer environments.
- Check the Status of the Alert Logic Agent - This article provides step-by-step instructions on how to verify the Alert Logic agent is properly connected and configured.
Log Manager and Threat Manager Traffic Trending Subsection
Alert Logic provides host agents for the Log Manager and Threat Manager products: for Log Manager, the agent collects logs on hosts where agent installation is desired; for Threat Manager, the agent collects network traffic. Traffic trending provides insight into changes in volume over time, allowing you to identify unexpected peaks and valleys in traffic.
Action Items
If you notice anomalous trends in your traffic, review your network and agent configuration within the Alert Logic console and remediate any issues. If you need additional assistance, contact the Support team by creating a ticket in the Alert Logic Support Center.
Monitoring Section
An incident is a correlation of events that imply harm to an information system, violate acceptable use policies, or circumvent standard security practices. Alert Logic classifies these incidents into four threat severity levels: Low, Medium, High, and Critical, as determined by the Alert Logic ActiveAnalytics™ platform and/or a Security Operations Center (SOC) analyst.
The generation and escalation of incidents and cases are the key deliverables of Alert Logic services. This section displays what Alert Logic found for you while monitoring your critical infrastructure. The reports in this section reflect the value of our products (Threat Manager, Web Security Manager, ActiveWatch for Log Manager, ActiveWatch for Threat Manager) and highlight the value of the security analysts in our SOC who provide detection, analysis, and escalation of security incidents.
The Monitoring section is divided into the following subsections:
- Incident Counts by Day
- Incident Classification Distribution
- Incident Threat Severity Level Distribution
- Incidents by Classification and Threat Severity Level
- Incident Distribution by Detection Source
Incident Counts by Day Subsection
The Incident Counts by Day subsection displays the daily counts of incidents for a given month. The volume of incidents shown side by side is a key indicator of the value that Alert Logic provides. This report can also be used to identify monthly trends for threats and how Alert Logic dealt with the threats.
Action Items
If you notice unexpectedly high or low incident counts, review your incidents within the Alert Logic console. To discuss your incidents further, contact the Support team by creating a ticket in the Alert Logic Support Center.
Related Knowledge Base articles:
- Incident Handling Policy - This article provides an overview of how Alert Logic identifies, classifies, and records incidents.
- How the Log Manager and Threat Manager Agent Works - This article provides an overview of how Alert Logic agents are used in customer environments.
- Check the Status of the Alert Logic Agent - This article provides step-by-step instructions on how to verify the Alert Logic agent is properly connected and configured.
Incident Classification Distribution Subsection
The Incident Classification Distribution subsection displays data about the types of attacks creating incidents and the associated incident counts for a given month. In addition, you can compare the types of threats that you are receiving to the averages for all Alert Logic customers.
Incident classification is a major factor in determining an incident’s threat level, which in turn determines how and when an incident is escalated, as well as what kind of remediation recommendations are provided by Alert Logic security analysts.
Action Items
If you notice an unexpectedly high count for a certain attack classification, review incidents within the Alert Logic UI. To discuss your incidents and tuning possibilities, contact the Support team by creating a ticket in the Alert Logic Support Center.
Related Knowledge Base articles:
- Incident Handling Policy - This article provides an overview of how Alert Logic identifies, classifies, and records incidents.
- How the Log Manager and Threat Manager Agent Works - This article provides an overview of how Alert Logic agents are used in customer environments.
- Check the Status of the Alert Logic Agent - This article provides step-by-step instructions on how to verify the Alert Logic agent is properly connected and configured.
Incident Threat Severity Level Distribution Subsection
The Incident Threat Severity Level Distribution subsection displays a breakdown of monthly incidents by severity and compares your data with the averages for all Alert Logic customers to provide insight into incident trends. Alert Logic classifies incidents into four threat severity ratings: Critical, High, Medium, and Low.
Action Items
If necessary, review your incidents within the Alert Logic console. To discuss your incidents further, contact the Support team by creating a ticket in the Alert Logic Support Center.
Related Knowledge Base articles:
- Incident Handling Policy - This article provides an overview of how Alert Logic identifies, classifies, and records incidents.
- How the Log Manager and Threat Manager Agent Works - This article provides an overview of how Alert Logic agents are used in customer environments.
- Check the Status of the Alert Logic Agent - This article provides step-by-step instructions on how to verify the Alert Logic agent is properly connected and configured.
- Applying Whitelist Policies - This article provides an overview of how to use whitelist policies to ensure you do not use Threat Manager resources to monitor permitted communication.
- Blocking - This article provides an overview of blocking best practices when using Threat Manager.
Incidents by Classification and Threat Severity Level Subsection
The Incidents by Classification and Threat Severity Level subsection displays a tabular summary of the classification types and threat levels for your incidents. With this view, you can get a quick overview of all your incidents.
Action Items
Review incidents within the Alert Logic console. To discuss your incidents further, contact the Support team by creating a ticket in the Alert Logic Support Center.
Related Knowledge Base articles:
- Incident Handling Policy - This article provides an overview of how Alert Logic identifies, classifies, and records incidents.
- How the Log Manager and Threat Manager Agent Works - This article provides an overview of how Alert Logic agents are used in customer environments.
- Check the Status of the Alert Logic Agent - This article provides step-by-step instructions on how to verify the Alert Logic agent is properly connected and configured.
- Applying Whitelist Policies - This article provides an overview of how to use whitelist policies to ensure you do not use Threat Manager resources to monitor permitted communication.
- Blocking - This article provides an overview of blocking best practices when using Threat Manager.
Incident Distribution by Detection Source Subsection
Incidents created by Alert Logic can originate from four possible sources:
- Network IDS
- Log Management
- Web app IDS
- Amazon GuardDuty
Note: If an incident did not originate from any of these sources, then it is a manually generated incident. Manually generated incidents are not included in these charts.
Action Items
Review incidents within the Alert Logic console. To discuss your incidents further, contact the Support team by creating a ticket in the Alert Logic Support Center.
Related Knowledge Base articles:
- Incident Handling Policy - This article provides an overview of how Alert Logic identifies, classifies, and records incidents.
- How the Log Manager and Threat Manager Agent Works - This article provides an overview of how Alert Logic agents are used in customer environments.
- Check the Status of the Alert Logic Agent - This article provides step-by-step instructions on how to verify the Alert Logic agent is properly connected and configured.
- Applying Whitelist Policies - This article provides an overview of how to use whitelist policies to ensure you do not use Threat Manager resources to monitor permitted communication.
- Blocking - This article provides an overview of blocking best practices when using Threat Manager.
Support Section
The Support section summarizes the support cases you have opened with Alert Logic. The total number of pending cases is displayed at the top of the report. The “Pending” status means that the ticket is not yet solved and Alert Logic is waiting on information from the customer before further action can be taken.
In addition, this report displays how many cases have been closed in the last six months and the median time in days to close these cases, which indicates Alert Logic’s efficiency in handling customer cases.
Action Items
Review your pending cases and take any necessary actions. For information about viewing and adding support tickets, refer to our Getting the Most Out of the Alert Logic Support Center article. If you need further assistance, contact the Support team by creating a ticket in the Alert Logic Support Center.
Log Review Cases Section
This report displays the daily counts of Log Review cases for a given month. The volume of cases shown side by side is a key indicator of the value that Alert Logic provides. This report can also be used to identify monthly trends for anomalies and suspicious activity, as well as how Alert Logic escalated or closed the cases based on customer preferences.
Action Items
Review all escalated Log Review cases in the Alert Logic UI. To discuss your cases further, follow up with your contact on the Log Review team.
Appendix
The Service Review report also includes an appendix to provide you with definitions of terms used throughout the report. This section includes descriptions of collection statuses, incident threat severity levels, and incident classifications.