Utilizing the Incident Daily Digest

Overview

Managing and responding to incidents on an individual basis can sometimes be overwhelming and time-consuming. Not every organization has the bandwidth and experience for an incident management practice; however, a good standard practice is to review any new incidents that were discovered at least once each day. To help you perform this daily review, Alert Logic® provides the Incident Daily Digest report.

The Incident Daily Digest provides you with an easy-to-use daily summary of your Amazon GuardDuty findings. The report is designed to highlight important statistics about the daily findings, with the option to filter the report down to focus on specific VPCs, incident types, and so on.

This report is broken down into three main sections – high-level totals, categorized incident counts, and individual incidents.

High-Level Totals

At the top of the Incident Daily Digest, you are presented with the total incident count, the total daily change in the number of incidents, and totals of the targets for the combined incidents. This section allows you to quickly review a very high-level summary of your incidents, so you can determine whether to look deeper into the incidents.

For example, if the total daily change indicates that a significantly higher number of incidents were found, this can be a flag to check which of your AWS assets were targeted, what kinds of incident types were found, and what remediation actions are suggested.

If you want to only see information for a specific deployment or VPC, use the Deployment field and/or the VPC field at the top of the report to filter the data. 

Categorized Incident Counts

In the middle of the report, three graphs display incidents categorized by threat level, classification type, and GuardDuty findings. For each bar in the Threat Level and Classification Types graphs, you can hover your cursor over the bar to see a summary of the findings.

In addition, you can hover over the information icons next to the Threat Level and Classification Types headings to view a list of the possible threat levels and classification types.

This section is dynamic and the information displayed will update based on where you click. For example, if you click a finding type in the GuardDuty Findings graph, the Threat Level and Classification Types graphs update to only display information for incidents for that finding type.

In addition, the table of incidents below this section will filter to only display High threat level incidents. To remove a selection, simply click the bar again.

Individual Incidents

The table at the bottom of the reports lists the individual incidents for the day of the report. The list of incidents will update based on any filtering selected for the report.  For each incident listed, general information about the incident displays, such as the date and time, incident ID, and threat level. In the Attack Description column, you can review detailed information about the incident, including remediation recommendations to resolve security issues.

If a specific incident comes to your attention, you can navigate to the Incidents page in the console and perform a search for the incident for further investigation.

By default, the list of incidents is sorted in descending or by date/time. If desired, you can flip this order by clicking the icon next to the Create Time (GMT) column heading.

Downloading the Report

To share, print, or store report data, you can download the report by clicking the Download button at the top of the report. There are two suggested options when downloading the report.

• Create a snapshot of your view (PDF) – You can create a PDF snapshot of your current report view with any filtering or selections you have made. However, with this download option, the full list of incidents is not included in the PDF. Only the incidents visible on screen when you perform the download will be included in the report. To download a PDF of your current report view, select Download > PDF.
• Export the incident list (CSV) – You can export the full list of incidents as a CSV file for use in Microsoft Excel. To export the incident list, select Download > Data. From the preview, you can select whether to download a summary of the incident list or the full data. If you have filtered the report by clicking on a graph, be sure to download the full incident list, rather than the summary.

Still have questions? Check out other customers’ posts or add your own in the Cloud Insight Essentials community.