Fortra's Alert Logic has improved identification of incidents related to Alert Logic network scans. Existing identification logic is now applied to all non-summary incidents generated by Alert Logic. As a result, customers will see more incidents correctly identified as coming from an Alert Logic scan appliance, and automatically closed.
Detection of Scans
Alert Logic offers different vulnerability assessment technologies, including agent-based scanning, cloud configuration checks, and traditional appliance-based network scans. Network scans are typically detected as incidents by other Alert Logic technologies, such as network IDS or web log analytics. These incidents are expected behavior, and they demonstrate that the detection system is operating correctly.
We use different methods to determine whether an incident was the result of an Alert Logic scan, depending on the type of evidence and asset context of an incident:
- The asset associated with an attacker is a known Alert Logic scan appliance
- An attacker IP address is assigned to a known Alert Logic scan appliance
- An attacker IP address is in the network range of a known automatic-mode scan subnet in Amazon Web Services
- The evidence for an incident contains a log message with a recent, valid cryptographic token generated by an Alert Logic appliance (typically a web server with the User-Agent logging configured)
When an incident is determined to result from an expected Alert Logic scan, it is automatically closed and its severity set to Low. Incident notifications are not triggered in this case. These incidents are still available for review in the Alert Logic console. An audit log is included in the incident, noting that the incident was an Alert Logic Scan.
Note that neither the means of identification nor the processing of these incidents was changed in this update.
Applying Scan Detection to More Incidents
As a result of this update, Alert Logic applies the above logic to more analytics (incident types). An analysis performed in advance of this release showed that more Web Log Analytics, generic scan, and brute force incidents could be processed by the existing logic.
Additionally, customer-created correlation incidents are now processed for Alert Logic scan detection.
Summary incidents, including daily Log Review incidents, are still not processed this way, as they often include both scanning and non-scanning activity.
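The following Python sketch is an added illustration, not Alert Logic's code: it applies the attribution checks listed under Detection of Scans and the handling described there (close, severity Low, no notification, audit entry), and skips summary incidents as described above. The reference IP, scan subnet, token layout (`alscan/<unix time>/<truncated HMAC>`) and one-hour freshness window are all constructed assumptions.

```python
import hashlib, hmac, ipaddress, re
from dataclasses import dataclass, field

KNOWN_APPLIANCE_IPS = {"10.0.5.20"}  # constructed; not a real Alert Logic appliance address
AUTO_MODE_SCAN_SUBNETS = [ipaddress.ip_network("172.31.200.0/24")]  # constructed AWS scan subnet
TOKEN_SECRET = b"constructed-demo-secret"  # hypothetical shared secret; rotate and protect in practice
TOKEN_MAX_AGE = 3600  # seconds; "recent" taken to mean issued within the last hour (assumption)
TOKEN_RE = re.compile(r"alscan/(\d+)/([0-9a-f]{32})")  # hypothetical token layout

@dataclass
class Incident:
    attacker_ip: str
    summary: bool = False
    evidence_logs: list = field(default_factory=list)
    severity: str = "High"
    status: str = "Open"
    notify: bool = True
    audit: list = field(default_factory=list)

def make_token(issued_at: int) -> str:
    """Hypothetical appliance-side token: issue time plus truncated HMAC-SHA256 over it."""
    mac = hmac.new(TOKEN_SECRET, str(issued_at).encode(), hashlib.sha256).hexdigest()[:32]
    return f"alscan/{issued_at}/{mac}"

def token_is_valid(issued_at: int, mac: str, now: int) -> bool:
    """MAC must match (constant-time compare) and the token must be neither stale nor future-dated."""
    expected = make_token(issued_at).rsplit("/", 1)[1]
    return hmac.compare_digest(mac, expected) and 0 <= now - issued_at <= TOKEN_MAX_AGE

def scan_reason(inc: Incident, now: int):
    """Return why the incident is attributed to an Alert Logic scan, or None if it is not."""
    if inc.summary:
        return None  # summary incidents mix scan and non-scan activity; never auto-closed
    if inc.attacker_ip in KNOWN_APPLIANCE_IPS:
        return "attacker IP assigned to a known scan appliance"
    if any(ipaddress.ip_address(inc.attacker_ip) in net for net in AUTO_MODE_SCAN_SUBNETS):
        return "attacker IP inside an automatic-mode scan subnet"
    for line in inc.evidence_logs:  # e.g. web server access logs with the User-Agent recorded
        m = TOKEN_RE.search(line)
        if m and token_is_valid(int(m.group(1)), m.group(2), now):
            return "evidence log carries a valid, recent appliance token"
    return None

def process(inc: Incident, now: int) -> Incident:
    """Close, set severity Low, suppress notification and record an audit entry when attributed."""
    reason = scan_reason(inc, now)
    if reason:
        inc.status, inc.severity, inc.notify = "Closed", "Low", False
        inc.audit.append(f"Alert Logic Scan: {reason}")
    return inc
```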
Additional Options for Expected Scan Activity
Alert Logic can help you identify and process expected incidents.
- Use the Alert Logic console to exclude traffic from known IP addresses from analysis
- Configure load balancers and network devices to preserve networking information, for example by adding X-Forwarded-For headers
- Configure web server logs to include User-Agent headers
- Reduce the frequency of network scans, and use agent-based scanning for routine vulnerability assessment
Additionally, our team can help you automatically close or suppress incidents meeting known criteria. Contact us for additional help.
Additional Resources
Learn more with the following Alert Logic documentation: