The Monthly Service Review report can be found within the main menu tab under Reports > Service > Capability Usage in the Alert Logic® console. This report provides an analysis of the health and value of your Alert Logic products and services, and can be used to determine the value that Alert Logic is providing.
This report is broken down into numerous sections to create an easy-to-navigate report with convenient access to analysis, statistics, and trending data related to the configuration, status, and outcomes from your subscribed products and services. The report also provides interactive filtering options, visual representations of data, informative tool tips, and download and export options.
This article can be used as a guide to interact with the report, including potential action items for each section.
Note: The following information applies only to customers with Alert Logic® Cloud Defender™, Alert Logic Threat Manager™, or Alert Logic Log Manager™ entitlements.
In This Article
- Monthly Service Review
- Customer Contacts
- Collection Status
- Incident Detection & Comparison
- Support Cases
- Log Review Cases
Monthly Service Review
The Monthly Service Review dashboard provides you with summary information and headline statistics for the selected month in the following areas:
- Products and Services: Current subscribed products and services with informative tool tips listing the integrated capabilities
- Customer Contacts: Number of escalation and notification contacts
- Collection Status: Ratio of collectors in the OK state to the total number of collectors, excluding offline collectors
- Incident Detection & Comparison: Number of incidents detected by total and threat severity levels and incident distribution comparison to all Alert Logic customers
- Support Cases: Number of pending and closed Support cases
- Log Review Cases: Number of log review cases by total and status
Action Items
Click on an icon or section title to view more details in the selected area. Guidance and additional actions for each section are provided below.
Customer Contacts
This section provides you with tabular lists containing the names, titles, e-mails, and phone numbers of the individuals within your organization who will be contacted when critical incidents are escalated and who will be notified for specific alerts.
Action Items
Review the escalation contacts – name, phone number, and email – and notify Alert Logic if there are any changes needed.
Collection Status
This section provides insight into what Alert Logic can monitor within your environment. Capability selections – including log management and network intrusion detection system (IDS) – are presented with the following data segments:
Collection Status
This subsection shows the status of collection for Alert Logic agents for log management and network IDS. Details for log management and network IDS are displayed separately for four areas:
- Log Collection Agents: Refers to log management and the collection of log data using the Alert Logic agent
- Remote Log Sources: Refers to the collection of log data without the presence of a local log management appliance; log management agents are sending log data to an Alert Logic cloud-based collector
- Monitored Networks: Refers to network IDS and the process of receiving a copy of the target network traffic from a span port (mirror port) or from a network tap
- Protected Hosts: Refers to network IDS and the process of collecting network traffic from individual hosts using the Alert Logic agent
For each capability, data is shown both in a pie chart, where the size and color of each slice represent the count of collectors in the OK, Warning, New, Error, and Offline states, and in a table. You can hover over the pie chart to view the collection definition, status, count, and percentage of the total.
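The headline Collection Status figure on the dashboard and the per-capability pie chart are both derived from the same collector inventory. The following is an added example, not Alert Logic's own code or an Alert Logic API; it uses a constructed inventory with hypothetical collector names and shows how the OK ratio (OK collectors divided by total collectors minus offline collectors), the per-state percentages behind the pie chart tool tip, and the list of collectors in non-OK states that the Action Items ask you to remediate can be computed. It also handles the edge case where every collector is offline, which would otherwise divide by zero.

```python
from collections import Counter
from dataclasses import dataclass

# Collection states as they appear in the report's pie chart.
STATES = ("OK", "Warning", "New", "Error", "Offline")

# The four data segments reported in the Collection Status subsection.
CAPABILITIES = (
    "Log Collection Agents",
    "Remote Log Sources",
    "Monitored Networks",
    "Protected Hosts",
)


@dataclass(frozen=True)
class Collector:
    name: str
    capability: str
    state: str


# Constructed sample inventory; names are hypothetical, not real assets.
SAMPLE_COLLECTORS = [
    Collector("web-01", "Log Collection Agents", "OK"),
    Collector("web-02", "Log Collection Agents", "Warning"),
    Collector("db-01", "Log Collection Agents", "Offline"),
    Collector("syslog-fw", "Remote Log Sources", "OK"),
    Collector("syslog-vpn", "Remote Log Sources", "Error"),
    Collector("dmz-span", "Monitored Networks", "OK"),
    Collector("core-tap", "Monitored Networks", "New"),
    Collector("app-03", "Protected Hosts", "OK"),
    Collector("app-04", "Protected Hosts", "OK"),
    Collector("app-05", "Protected Hosts", "Offline"),
]


def state_counts(collectors, capability=None):
    """Return {state: count} for one capability (or all), listing every state."""
    counts = Counter(
        c.state for c in collectors
        if capability is None or c.capability == capability
    )
    unknown = set(counts) - set(STATES)
    if unknown:
        raise ValueError(f"unknown collection state(s): {sorted(unknown)}")
    return {s: counts.get(s, 0) for s in STATES}


def ok_ratio(collectors, capability=None):
    """Headline metric: OK collectors / (total collectors - offline collectors).

    Returns None when the denominator is zero (no collectors, or all offline),
    rather than raising ZeroDivisionError.
    """
    counts = state_counts(collectors, capability)
    denominator = sum(counts.values()) - counts["Offline"]
    if denominator == 0:
        return None
    return counts["OK"] / denominator


def pie_percentages(collectors, capability=None):
    """Percentage of the total per state, as shown in the pie chart tool tip."""
    counts = state_counts(collectors, capability)
    total = sum(counts.values())
    if total == 0:
        return {s: 0.0 for s in STATES}
    return {s: round(100 * n / total, 1) for s, n in counts.items()}


def action_items(collectors):
    """Collectors in any state besides OK, i.e. what the report asks you to remediate."""
    return sorted(
        (c.capability, c.name, c.state) for c in collectors if c.state != "OK"
    )


if __name__ == "__main__":
    for cap in CAPABILITIES:
        ratio = ok_ratio(SAMPLE_COLLECTORS, cap)
        shown = "n/a" if ratio is None else f"{ratio:.0%}"
        print(f"{cap:22} {state_counts(SAMPLE_COLLECTORS, cap)}  OK ratio: {shown}")
    print(f"Overall OK ratio: {ok_ratio(SAMPLE_COLLECTORS):.0%}")
    for cap, name, state in action_items(SAMPLE_COLLECTORS):
        print(f"ACTION  {cap}: {name} is {state}")
```

With the constructed inventory the overall ratio is 5 OK out of 8 non-offline collectors (62.5%), while Protected Hosts reports 100% even though one of its hosts is offline, which is exactly why offline collectors should still appear in the action list rather than being treated as healthy.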
Action Items
Review your network and agent configurations within the Alert Logic console and remediate any issues (that is, any collectors in a state other than OK). If you need additional assistance, contact Alert Logic Support.
Traffic Trends
Alert Logic provides daily volume totals for the collection of logs (gigabyte per day) and network traffic (packets per day). Traffic data provides insight into usage changes in volume over time.
Action Items
Review your network and agent configuration within the Alert Logic console and remediate any issues. If you need additional assistance, contact Alert Logic Support.
Incident Detection & Comparison
An incident is a correlation of events that imply harm to an information system, violate acceptable use policies, or circumvent standard security practices. Alert Logic classifies these incidents into four threat severity levels: Low, Medium, High, and Critical, as determined by the ActiveAnalytics platform and/or a Security Operations Center (SOC) analyst.
The generation and escalation of incidents and cases is the key deliverable of Alert Logic services. This section displays what Alert Logic found for you while monitoring your critical infrastructure. The reports in this section reflect the value of the integrated capabilities provided with our network IDS, web app IDS, and log management services, and highlight the value of the security analysts in our 24x7x365 Global SOC who provide detection, analysis, and escalation of security incidents.
The Incident Detection & Comparison section is divided into two subsections, each with its own additional data segments:
Note: To access the Incident Comparison page in the Alert Logic console, click on the Next: Incident Comparison arrow in the top right corner of the Incident Detection page.
Incident Detection
Incident by Detection Source
Incidents created by Alert Logic can originate from several detection sources:
- Network intrusion detection system
- Web application intrusion detection system
- Log management
- Amazon GuardDuty
If an incident did not originate from any of these detection sources, it was generated manually by security analysts in our SOC. You can click on the columns in the chart to filter the other data segments in the subsection, and click again to remove the filter.
Action Items
Review incidents within the Alert Logic console. To discuss your incidents further, contact Alert Logic Support.
Related Knowledge Base articles:
- How the Alert Logic Agent Works
- Check the Status of the Alert Logic Agent
- Incident Handling Policy
- Applying Whitelist Policies
- Blocking
Incident Count by Day and Detection Source
This data segment displays the daily counts of incidents for a given month. The volume of incidents stacked by detection source and shown side by side is a key indicator of the value that Alert Logic provides. This report can also be used to identify monthly trends for threats and how Alert Logic deals with those threats. You can select a range of days or click on a bar in the histogram chart to filter the other data segments in the subsection and re-click to remove the filter.
Action Items
Review incidents within the Alert Logic console. To discuss your incidents further, contact Alert Logic Support.
Related Knowledge Base articles:
- How the Alert Logic Agent Works
- Check the Status of the Alert Logic Agent
- Incident Handling Policy
- Applying Whitelist Policies
- Blocking
Incidents by Classification and Threat Severity Level
This data segment displays a bubble chart summary of the classifications and threat severity levels for your incidents. The sizes of bubbles are determined by the number of incidents for the specific classification and threat severity level. You can click on a bubble in the chart to filter the other data segments in the subsection and re-click to remove the filter.
Action Items
Review incidents in the Alert Logic console. To discuss your incidents further, contact Alert Logic Support.
Related Knowledge Base articles:
- How the Alert Logic Agent Works
- Check the Status of the Alert Logic Agent
- Incident Handling Policy
- Applying Whitelist Policies
- Blocking
Incident Comparison
Incident Classification Distribution
This data segment displays data about the type of attacks creating incidents and the associated incident counts for a given month. With this data, you can also compare the types of threats that you are receiving to averages for all Alert Logic customers.
Incident classification is a major factor in determining an incident's threat level. This determines how and when an incident is escalated, as well as what kind of remediation recommendations are provided by Alert Logic security analysts.
Action Items
Review incidents within the Alert Logic console. To discuss your incidents further, contact Alert Logic Support.
Incident Threat Severity Level Distribution
This data segment displays a breakdown of monthly incidents by severity and compares your data with the averages for all Alert Logic customers to provide insight into incident trends.
Action Items
Review incidents within the Alert Logic console. To discuss your incidents further, contact Alert Logic Support.
Related Knowledge Base articles:
- How the Alert Logic Agent Works
- Check the Status of the Alert Logic Agent
- Incident Handling Policy
- Applying Whitelist Policies
- Blocking
Support Cases
This section summarizes Support cases you have opened with Alert Logic. The total number of pending cases is displayed at the top of the report. In addition, the report displays how many cases have been closed over up to the 12 previous months and the median time in days to close these cases, which indicates Alert Logic's efficiency in handling customer cases.
Action Items
Review your pending cases and take any necessary actions. If you need further assistance, contact Alert Logic Support.
Log Review Cases
This section displays the daily counts of Log Review cases for a given month. This information is divided into the following subsections:
- Log Review Cases Count by Day
- Log Review Cases by Status
The volume of cases shown side by side is a key indicator of the value that Alert Logic provides. This report can also be used to identify monthly trends for anomalies and suspicious activity, as well as how Alert Logic escalated or closed the case based on customer preferences.
Action Items
Review all escalated log cases within the Alert Logic console. To discuss your cases further, follow up with your contact on the Log Review team.