When using the Alert Logic® Agent Container, security incidents generated from network traffic associated with containers can be consumed in multiple ways. However, the level of detail you receive varies with the method by which you consume incident escalations.
Alert Logic Threat Manager™ and Alert Logic Cloud Defender™ customers who are subscribed to Alert Logic ActiveWatch™ can choose any of the options described below as a method to receive incident escalations and utilize important details about the targeted container or container cluster.
Alert Logic Security Operations Center (SOC) analysts triage all incidents that are rated with Critical or High severity scores. For those incidents related to containers, the analysts include important container metadata in the incident description so that you can quickly identify the impacted container or cluster.
The analyst follows the specified escalation workflow for your organization, which includes emails and potentially phone calls. The incidents they escalate can also be viewed in the Alert Logic console.
Alert Logic Console
As a Threat Manager or Cloud Defender customer, you have access to the Alert Logic console to view intrusion detection events and incidents. For Critical and High severity incidents, Alert Logic SOC analysts add their analysis of the security issue and include specifics about the containerized environment that the attack is taking place within.
Incidents with Medium or lower severity ratings include security analysis content generated by the correlation system. They do not include interpretive analysis from the analyst team, nor the container metadata that analysts inject into higher severity incidents.
If you need container asset details for any incident, regardless of its severity rating, use the Incidents (IRIS) API.
You can integrate with the Alert Logic Incidents API to acquire incident details for any incident of any severity. The available data includes elaboration of the container asset with all published container metadata. Analyst descriptions are also included, but only for Critical and High severity incidents, since those are the only incidents the analysts annotate.
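The following is an added example (not code from Alert Logic or this page) of how an integration might pull incident details over the Incidents (IRIS) API and normalise them for every severity. It demonstrates the point above: container metadata is present on every incident, but the analyst description is only present on Critical and High, so the code treats it as optional and flags any Critical/High incident that unexpectedly lacks one. The base URL, endpoint path layout, the `x-aims-auth-token` header name and every JSON field name (`incident_id`, `severity`, `analyst_description`, `assets.cluster`, `assets.containers`) are assumptions to be checked against the current API reference; the sample response documents are constructed.

```python
"""Added example: consume container incidents of any severity via the
Incidents (IRIS) API. Endpoint layout and field names are assumptions."""
import json
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Assumed base URL and path shape; verify against the IRIS API reference.
IRIS_BASE = "https://api.cloudinsight.alertlogic.com/iris/v3"
AUTH_HEADER = "x-aims-auth-token"  # assumed header carrying the AIMS session token

# Per the page, analyst commentary is only attached to Critical and High incidents.
ANALYST_REVIEWED = {"critical", "high"}


@dataclass
class ContainerIncident:
    incident_id: str
    severity: str                    # normalised to lower case
    cluster: Optional[str]           # cluster name from the asset elaboration, if any
    containers: list                 # container names (or IDs when no name is given)
    analyst_description: Optional[str]

    @property
    def analyst_reviewed(self) -> bool:
        return self.analyst_description is not None


def fetch_incident(account_id: str, incident_id: str, token: str) -> dict:
    """GET one incident document. The path layout is an assumption."""
    url = f"{IRIS_BASE}/{account_id}/{incident_id}"
    req = urllib.request.Request(url, headers={AUTH_HEADER: token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def parse_incident(raw: dict) -> ContainerIncident:
    """Normalise one raw incident document (assumed field names)."""
    assets = raw.get("assets", {})
    containers = [c.get("name", c.get("id", "?")) for c in assets.get("containers", [])]
    cluster = assets.get("cluster", {}).get("name")
    # Analyst text is absent for Medium and lower; treat an empty string as absent too.
    desc = raw.get("analyst_description") or None
    return ContainerIncident(
        incident_id=str(raw["incident_id"]),
        severity=str(raw.get("severity", "unknown")).lower(),
        cluster=cluster,
        containers=containers,
        analyst_description=desc,
    )


def missing_analyst_review(incidents):
    """IDs of Critical/High incidents with no analyst description.
    The page says these are always annotated, so a hit is worth raising with the SOC."""
    return [i.incident_id for i in incidents
            if i.severity in ANALYST_REVIEWED and not i.analyst_reviewed]


# Constructed sample response documents (not real Alert Logic output).
SAMPLE_INCIDENTS = [
    {"incident_id": "inc-0001", "severity": "Critical",
     "analyst_description": "Outbound connection to a known C2 host from container web-1.",
     "assets": {"cluster": {"name": "prod-east"},
                "containers": [{"id": "c1", "name": "web-1"}]}},
    {"incident_id": "inc-0002", "severity": "Low",
     "assets": {"cluster": {"name": "prod-east"},
                "containers": [{"id": "c7", "name": "worker-3"}, {"id": "c8"}]}},
    {"incident_id": "inc-0003", "severity": "High",
     "assets": {"cluster": {"name": "dev"}, "containers": []}},
]


def summarize(raw_incidents=SAMPLE_INCIDENTS):
    """Parse a batch of incident documents and flag Critical/High ones lacking analyst text."""
    parsed = [parse_incident(r) for r in raw_incidents]
    return {"incidents": parsed, "needs_followup": missing_analyst_review(parsed)}


if __name__ == "__main__":
    result = summarize()
    for inc in result["incidents"]:
        print(f"{inc.incident_id} {inc.severity:8} cluster={inc.cluster} "
              f"containers={inc.containers} analyst={'yes' if inc.analyst_reviewed else 'no'}")
    print("Critical/High without analyst text:", result["needs_followup"])
```

In a real integration, replace `SAMPLE_INCIDENTS` with documents returned by `fetch_incident` (or the API's list endpoint) and keep the optional handling of `analyst_description`: code that assumes the field is always present will break on the Medium and lower incidents that only the API exposes with container metadata.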