Managing and responding to incidents on an individual basis can sometimes be overwhelming and time-consuming. Not every organization has the bandwidth and experience for an incident management practice; however, a good standard practice is to review any new incidents that were discovered at least once each day. To help you perform this daily review, Alert Logic® provides the Incident Daily Digest report.
Note: The following information applies only to those customers with Alert Logic® Essentials, Professional, or Enterprise entitlements, but customers with Alert Logic Cloud Insight Essentials entitlements will see a very similar experience.
The Incident Daily Digest provides you with an easy-to-use daily summary of your Amazon GuardDuty findings. The report is designed to highlight important statistics about the daily findings, with the option to filter the report down to focus on specific VPCs, incident types, and so on.
This report is broken down into three main sections – high-level totals, categorized incident counts, and individual incidents.
High-Level Totals
At the top of the Incident Daily Digest, you are presented with the total incident count, the total daily change in the number of incidents, and totals of the targets for the combined incidents. This section allows you to quickly review a very high-level summary of your incidents, so you can determine whether to look deeper into the incidents.
For example, if the total daily change indicates that a significantly higher number of incidents were found, this can be a flag to check which of your AWS assets were targeted, what kinds of incident types were found, and what remediation actions are suggested.
If you only want to see information for a specific detection source or status, use the Detection Source field and/or the Status field at the top of the report to filter the data.
Categorized Incident Counts
In the middle of the report, three graphs display incidents categorized by threat level, classification, and incident type. Hover over the bars in each graph to see a summary of the findings.
This section is dynamic, and the information displayed updates based on where you click. For example, if you click a finding type in the Incident Type graph, the Threat Level and Classification graphs also update to show only the incidents of that incident type.
Individual Incidents
The table at the bottom of the report lists the individual incidents for the day of the report. The list of incidents updates based on any filtering selected for the report. For each incident listed, general information about the incident is displayed, such as the date and time, incident ID, and threat level. If a specific incident catches your attention, you can navigate to the Incidents page (navigation menu > Respond > Incidents) and search for the incident name to investigate further.
By default, the list of incidents is sorted by date and time from most recent to oldest. If desired, you can flip this sorting order by clicking the list icon next to the Create Time (GMT) column heading.
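To make the three sections of the digest concrete (the high-level totals with their daily change, the three linked graphs, and the sorted incident table), here is an added Python example that rebuilds those numbers from constructed sample incidents. It is not Alert Logic code and uses no Alert Logic API; the incident field names, the sample data, and counting distinct targets for the target total are assumptions made for this example.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample incidents spanning two consecutive days (not real Alert Logic
# or GuardDuty data); the field names are assumptions made for this example.
INCIDENTS = [
    {"id": "inc-1", "create_time": "2024-03-01T22:10:00Z", "threat_level": "Medium",
     "classification": "recon", "incident_type": "Recon:EC2/PortProbeUnprotectedPort",
     "source": "GuardDuty", "status": "Open", "targets": ["i-0aaa"]},
    {"id": "inc-2", "create_time": "2024-03-02T08:15:00Z", "threat_level": "High",
     "classification": "malware", "incident_type": "Trojan:EC2/DNSDataExfiltration",
     "source": "GuardDuty", "status": "Open", "targets": ["i-0bbb"]},
    {"id": "inc-3", "create_time": "2024-03-02T09:40:00Z", "threat_level": "High",
     "classification": "unauthorized-access",
     "incident_type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
     "source": "GuardDuty", "status": "Open", "targets": ["user/deploy"]},
    {"id": "inc-4", "create_time": "2024-03-02T13:05:00Z", "threat_level": "Low",
     "classification": "recon", "incident_type": "Recon:EC2/PortProbeUnprotectedPort",
     "source": "GuardDuty", "status": "Closed", "targets": ["i-0bbb", "i-0ccc"]},
]

def for_day(incidents, day, source=None, status=None):
    """Incidents created on `day` (YYYY-MM-DD, UTC), optionally narrowed by the
    Detection Source and Status filters at the top of the report."""
    return [i for i in incidents
            if i["create_time"][:10] == day
            and (source is None or i["source"] == source)
            and (status is None or i["status"] == status)]

def high_level_totals(incidents, day, **filters):
    """Top section: today's count, change versus the previous day, distinct targets."""
    prev_day = (date.fromisoformat(day) - timedelta(days=1)).isoformat()
    today = for_day(incidents, day, **filters)
    yesterday = for_day(incidents, prev_day, **filters)
    targets = {t for i in today for t in i["targets"]}
    return {"total": len(today), "daily_change": len(today) - len(yesterday),
            "targets": len(targets)}

def category_counts(incidents, focus_type=None):
    """Middle section: selecting one incident type (a click on the Incident Type
    graph) narrows the Threat Level and Classification counts to that type."""
    narrowed = [i for i in incidents if focus_type is None or i["incident_type"] == focus_type]
    return {"threat_level": Counter(i["threat_level"] for i in narrowed),
            "classification": Counter(i["classification"] for i in narrowed),
            "incident_type": Counter(i["incident_type"] for i in incidents)}

def incident_table(incidents, newest_first=True):
    """Bottom section: the day's incidents sorted by create time, most recent first."""
    return sorted(incidents, key=lambda i: i["create_time"], reverse=newest_first)
```

Calling `high_level_totals(INCIDENTS, "2024-03-02")` on the sample gives a total of 3, a daily change of +2 and 3 targets; narrowing with `status="Open"` drops the closed incident from every section, just as the report's Status filter does.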
Downloading the Report
Alert Logic allows you to download report information as CSV data or PDF. For more information, refer to the Report Download Option documentation.