Note: The following information applies only to customers with Alert Logic® Cloud Defender, Threat Manager, or Log Manager entitlements. Information on incidents for Alert Logic Essentials, Professional, or Enterprise customers is available at the Alert Logic Console Incident Features knowledge base article.
In This Article
- Incident Summary
- Incident List
- Individual Incident
- Incident Notification Subscription Management
- Additional Resources
The following article provides detailed information about the features available to you within the Incident Console.
The Incident Console, which resides in the Alert Logic console under the Incidents tab, houses all identified incidents within your deployed environments, as well as all details and remediation recommendations for each incident. The Incident Summary and List pages display all your incidents in easily digestible formats. Individual incident pages include all the available information on a given incident, including an investigation report, remediation recommendations, and evidence consisting of detailed events. Utilize the resources within the Incident Console to manage and close incidents to secure your environment.
Note: You can get information on the Incident Console within the Alert Logic console by clicking Tutorial in the upper right-hand corner.
The first page you land on when accessing the Incident Console is the Incident Summary page (Incidents > Summary), which houses a bubble chart that visualizes your environments' incidents by severity - critical, high, medium, or low - and classification or deployment type of incident. The larger the bubble, the more incidents there are in that category.
Filter the bubble chart by the month, week, day, or a custom date range by clicking the Period option above the chart. Filter the chart by either incident classification or deployment type by clicking the Pivot option to the right of the Period option. Hover over any bubble to see the number of incidents within that category, as well as the number of affected hosts. Click on a bubble to see a filtered list of all the incidents within that category.
The Incident List page (Incidents > List) houses every incident identified within your environment by name and with detailed information. Incidents can be viewed in one of three statuses - Open, Snoozed, and Closed - which you can choose from in the top left corner of the page.
When you've chosen a status, you will see two numbers separated by a slash (ex: 23/37) to the right of the status's title. The number before the slash is the number of incidents within that status that you can currently see based on the filters that are applied to the list, while the number behind the slash is the total number of incidents within that status (ex: filtered Snoozed incidents/all Snoozed incidents).
Open incidents are those that have not been snoozed or closed and that need your attention. This does not mean that they have not been acted on, as you have the option to update an open incident without moving it to the Snoozed or Closed statuses.
Snoozed incidents are those that you have chosen to put on hold for an amount of time that you set. When you snooze an incident, it is temporarily removed from the open incident list. At the end of the amount of time that you have set for the snooze, the incident will return to the open incident list. This status is useful if you are waiting on an outside resource to close the incident or do not have time to continue to remediate but want it removed from your current Open incidents until you can come back to it.
Closed incidents are those that you have chosen to mark as complete based on one of several Threat Assessments that you can choose from when closing the incident. When moving an incident to this status, you decide that no more action needs to be taken. Closed incidents can be reopened as needed.
There are several features available to customize your incident list and help you manage your incidents.
Within the three main statuses, you can filter on several other properties, all available in the left-hand panel. These include date range, threat level, classification, detection source, deployment, and Amazon Web Services (AWS) deployment-specific filters. Simply click on one of the choices under the filter classification and your list will reload with that filter.
Note: To access the AWS deployment-specific filters, click on an AWS deployment at the bottom of the left-hand panel's list of filters.
These filters are stackable, allowing you to choose one of the filtering options from each classification to drill down into a very specific list of incidents. As you filter, the number before the slash on the main filtering category will continue to change based on how many incidents fit within your list of filters.
You can organize your filtered list by clicking on the Organize By... drop-down menu directly above the list of incidents. The sorting options include date, threat, classification, detection source, and deployment.
When you choose one of the options, the list will automatically group and sort the incidents based on the selected option. By default, the list will sort based on the order of the filter options in the left-hand panel (ex: Organize by Threat will show Critical incidents first). If you want to start from the bottom of the left-hand panel options rather than the top, click the swapping arrows icon to the right of the Organize By... drop-down. This will flip the results, and you can see that in the left-hand panel the options also flip to correspond with the change (ex: Organize by Threat will show Low incidents first).
You can quickly preview an incident's details without accessing the individual incident by clicking Preview on the far right of the incident.
An overview of the incident details will appear under the incident. Information within the preview includes incident ID, attacker, target, account, deployment, threat classification, detection source, appliance, associated events, and any flagged events. You can also quickly update, snooze, or close the incident within the preview.
You can take bulk actions on incidents by hovering over incidents' threat level icons and checking the boxes that appear. You can export, update, snooze, and close incidents in bulk.
You can choose as many incidents as needed and then take actions on them using the blue bar that appears in the bottom right corner of the page.
To choose all incidents in a filtered list, check the box at the top of the list, just under the list title and to the left of the Organize By... drop-down. Only currently visible incidents will be checked at this point. To make sure all incidents in the list are checked, scroll down to the bottom of the page, at which point more incidents will load and automatically be added to the bulk group.
To choose all incidents within an organized filter (ex: all Critical threat incidents), check the box to the left of the heading within the incident list.
Note: There is a limit of 100 incidents per bulk group.
You can export one or many incidents into a CSV file by checking the incident's box and clicking the Export icon in the blue bar that appears in the bottom right corner of the page.
You can search through your list of incidents using either the simple search bar or the advanced search feature. Both are located at the top right of the incident list.
To use the simple search, type your search parameters into the text field to the left of the magnifying glass and press Enter. Your incident list will filter based on your chosen parameter.
To use the advanced search feature, click advanced search under the search text box. Type a query statement using the available fields and operators and, if necessary, use subsequent search fields to add OR statements and create a search that tests for multiple conditions.
Note: You cannot submit a search with invalid syntax. If invalid syntax is present, a warning icon will appear to the left of the search field.
For detailed information on performing advanced searches, see the Perform Advanced Search documentation.
Individual incident pages are dedicated solely to housing all the available information on one incident. If the preview on the Incident List page did not provide you with enough details to decide on remediation of the incident, exploring its incident page is the next step. This page houses the investigation report, recommendations by Alert Logic analysts, an interactive timeline of evidence, and an audit log on the incident.
Note: If you have AWS environments deployed, you will also see a topology view of your host, deployments, and containers, if applicable.
There are several features available to help you remediate your incidents.
When you open an incident from the Incident List page, you land on the Investigation Report, which provides you with an attack summary and various details, including threat rating, target, attacker, and connection type. Utilize this page to gain a more detailed, while still relatively high-level, understanding of the incident.
Note: If your incident was generated from an AWS environment whose host Alert Logic has asset information on, you will also see a topology view of your host and deployments. Further, if the incident was identified on a container within the AWS environment, you will have access to detailed container metadata.
Access the Recommendations page by clicking Recommendations in the left-hand panel. The Recommendations page houses any remediation recommendations that have been provided by Alert Logic. These suggestions can include both short-term and long-term structural actions to be taken.
Access the Evidence page by clicking Evidence in the left-hand panel. The Evidence page contains a timeline of all notable occurrences regarding the incident. These can include events, new sources, incident audit trails, flagged evidence, and GuardDuty findings if your deployment is in AWS. You can sort the evidence timeline by checking and unchecking the list of possible findings in the left-hand panel.
You can click on an event, log, or GuardDuty finding within the evidence timeline to expand it and review detailed information about it. For events, the evidence details that appear include event ID, protocol, source and destination IP, source and destination port, and signature. For logs, details that appear include key log properties and fields.
Within event details, you will also see request and response information, which provide the details of the initial network request that triggered the event and the network response to it. These sections break the traffic down by protocol layer, including Frame, Ethernet II, IPv4, TCP, and HTTP. The payload is also available and can be viewed as HEX, ASCII, or both, and decoded as either Base64 or URL-encoded data by selecting the corresponding option. You can also copy the payload information to your clipboard by clicking the copy icon in the top right corner of the Request section.
Note: Anywhere you see a down caret, you can click on the caret and more information will appear.
You can easily download the PCAP file of one or all events associated with an incident by clicking the download icon on the far right of the event. PCAP files can be viewed in third-party tools such as Wireshark and CyberChef.
Flagged events can be found within the Evidence page and are identifiable by a blue flag icon. These are specific events or logs within an incident that an Alert Logic analyst found most important for you to be aware of. You can click on the flagged event to see its details, including notes that the analyst has left for you.
The audit log and notification history widgets are located on the far right of an individual incident page within Investigation Report and Recommendations. Click between the two tabs to see each set of information.
The audit log provides you with an at-a-glance log of all changes to your incident. You can see notes that you have made, as well as flagged events and analyst notes. You can quickly access the event details from the flagged events in the audit logs by clicking View Event.
Notification history provides you with details on the time, method, subject, and recipient of an incident's notification.
Note: In order to see the notification history of an incident, you must be subscribed to receive those notifications.
Administrator-level users can manage incident notifications of other users. This is not housed in the Incident Console, but rather in the Settings menu > Notifications > Manage Subscriptions of Others > Incidents.
You can update your own incident notification preferences from the Settings menu > Notifications > My Subscriptions > Incidents, as well as within the Incident Console from the Notifications tab. A side panel will appear on the right side of the screen, where you can choose which notifications you should receive based on incident severity.
Learn more about individual incidents and best practices on managing and remediating them with our Managing Incidents in the Alert Logic Console knowledge base article.