Note: This article is related to the Alert Logic® Incident Console release. Network IDS, Log Management, and Web Application IDS customers deployed after August 7, 2018, as well as Alert Logic Cloud Insight™ customers with Amazon GuardDuty enabled, have access to the enhanced Incident Console and all its features. All other customers will be phased into the updated Incident Console in the coming months. Contact Alert Logic Support with any questions about the availability of these new features.
In This Article
- Incident Summary
- Incident List
- Individual Incident
- Incident Notifications
- Additional Resources
The following article provides detailed information about the features available to you within the Incident Console.
The Alert Logic console Incidents page houses all identified incidents within your deployed environments, as well as all details and remediation recommendations for each incident. The Incident Summary and List pages display all your incidents in easily digestible formats. Individual incident pages include all the available information on a given incident, including an investigation report, remediation recommendations, and evidence comprised of detailed events. Utilize the resources within the Incidents pages to manage and close incidents to secure your environment.
Note: You can get information on the Incidents pages within the Alert Logic console by clicking Tutorial in the upper right-hand corner.
The first page you land on when accessing the Incident Console is the Incident Summary page (Incidents > Summary). This page houses a bubble chart that visualizes your environments' incidents by severity - critical, high, medium, or low - and classification of incident - brute-force, recon, etc. The larger the bubble, the more incidents there are in that category.
Filter the bubble chart by the month, week, day, or a custom date range by clicking the down arrow under Incident Summary in the top left corner of the chart. Hover over any bubble to see the number of incidents within that category, as well as the number of affected hosts. Click on a bubble to see a filtered list of all the incidents within that category.
The Incident List page (Incidents > List) houses every incident identified within your environment by name and with detailed information. Incidents can be viewed in one of three statuses - Open, Snoozed, and Closed - which you can choose from in the top left corner of the page.
When you've chosen a status, you will see two numbers separated by a slash (ex: 23/37) to the right of the status's title. The number before the slash is the number of incidents within that status that you can currently see based on the filters that are applied to the list, while the number behind the slash is the total number of incidents within that status (ex: filtered Snoozed incidents/all Snoozed incidents).
Open incidents are those that have not been snoozed or closed. This does not mean that they have not been acted on, as you have the option to update an open incident without moving it to the Snoozed or Closed statuses.
Snoozed incidents are those that you have chosen to put on hold for an amount of time that you set. When you snooze an incident, it is temporarily removed from the open incident list. At the end of the amount of time that you have set for the snooze, the incident will return to the open incident list. This status is useful if you are waiting on an outside resource to close the incident or do not have time to continue to remediate but want it removed from your current Open incidents until you can come back to it.
Closed incidents are those that you have chosen to mark as complete based on one of several Threat Assessments that you can choose from when closing the incident. When moving an incident to this status, you decide that no more action needs to be taken. Closed incidents can be reopened as needed.
There are several features available to customize your incident list and help you manage your incidents.
Within the three main statuses, you can filter on several other properties, all available in the left-hand panel. These include date range, threat level, classification, source, deployment, and Amazon Web Services (AWS) deployment-specific filters. Simply click on one of the choices under the filter classification and your list will reload with that filter.
Note: To access the AWS deployment-specific filters, click on an AWS deployment at the bottom of the left-hand panel's list of filters.
These filters are stackable, allowing you to choose one of the filtering options from each classification to drill down into a very specific list of incidents. As you filter, the number before the slash on the main filtering category will continue to change based on how many incidents fit within your list of filters.
You can organize your filtered list by clicking on the Organize By... drop-down menu directly above the list of incidents. The sorting options include date, threat, classification, detection source, and deployment.
When you choose one of the options, the list will automatically group and sort the incidents based on the selected option. By default, the list will sort based on the order of the filter options in the left-hand panel (ex: Organize by Threat will show Critical incidents first). If you want to start from the bottom of the left-hand panel options rather than the top, click the swapping arrows icon to the right of the Organize By... drop-down. This will flip the results, and you can see that in the left-hand panel the options also flip to correspond with the change (ex: Organize by Threat will show Low incidents first).
You can quickly preview an incident's details without accessing the individual incident by clicking Preview on the far right of the incident.
An overview of the incident details will appear under the incident. Information within the preview includes incident ID, attacker, target, account, deployment, threat classification, detection source, appliance, associated events, and any flagged events. You can also quickly update, snooze, or close the incident within the preview.
You can take bulk actions on incidents by hovering over incidents' threat level icons and checking the boxes that appear. You can export, update, snooze, and close incidents in bulk.
You can choose as many incidents as needed and then take actions on them using the blue bar that appears in the bottom right corner of the page.
To choose all incidents in a filtered list, check the box at the top of the list, just under the list title and to the left of the Organize By... drop-down. To choose all incidents within an organized filter (ex: all Critical threat incidents), check the box to the left of the heading within the incident list.
You can export one or many incidents into a CSV file by checking the incident's box and clicking the Export icon in the blue bar that appears in the bottom right corner of the page.
Utilize the search bar in the top right corner of the list to search on any field for an incident. You can search on fields such as host name, IP address, and incident ID. You can search on fields within the incident preview and details, as well.
Individual incident pages are dedicated solely to housing all the available information on one incident. If the preview on the Incident List page did not provide you with enough details to decide on remediation of the incident, exploring its incident page is the next step. This page houses the investigation report, recommendations by Alert Logic analysts, an interactive timeline of evidence, and an audit log on the incident.
Note: If you have AWS environments deployed, you will also see a topology view of your host, deployments, and containers, if applicable. Learn more about these features in the AWS Topology View and Container Metadata sections of our Incident Console Feature Additions knowledge base article.
There are several features available to help you remediate your incidents.
When you open an incident from the Incident List page, you land on the Investigation Report, which provides you with an attack summary and various details, including threat rating, target, attacker, and connection type. Utilize this page to gain a more detailed, while still relatively high-level, understanding of the incident.
Note: If your incident was generated from an AWS environment whose host Alert Logic has asset information on, you will also see a topology view of your host and deployments. Further, if the incident was identified on a container within the AWS environment, you will have access to detailed container metadata. Learn more about these features in the AWS Topology View and Container Metadata sections of our Incident Console Feature Additions knowledge base article.
Access the Recommendations page by clicking Recommendations in the left-hand panel. The Recommendations page houses any remediation recommendations that have been provided by Alert Logic. These suggestions can include both short-term and long-term structural actions to be taken.
Access the Evidence page by clicking Evidence in the left-hand panel. The Evidence page contains a timeline of all notable occurrences regarding the incident. These can include events, new sources, incident audit trails, flagged evidence, and GuardDuty findings if your deployment is in AWS. You can sort the evidence timeline by checking and unchecking the list of possible findings in the left-hand panel.
You can click on an event, log, or GuardDuty finding within the evidence timeline to expand it and review detailed information about it. For events, the evidence details that appear include event ID, protocol, source and destination IP, source and destination port, and signature. For logs, details that appear include key log properties and fields.
Within event details, you will also see request and response information, which provide the details of the initial network request that triggered the event and the network response to it. These sections break the traffic down by protocol layer, including Frame, Ethernet II, IPv4, TCP, and HTTP. Payload information is also available and can be viewed in HEX, ASCII, or both, with either Base64 or URL decoding applied, by selecting each option. You can also copy the payload information to your clipboard by clicking the copy icon in the top right corner of the Request section.
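The payload views described above (HEX, ASCII, or both, with an optional Base64 or URL decoding pass) can be reproduced offline when you need to inspect a payload you copied out of the console or extracted from a downloaded PCAP. The following is an added example written for this article, not Alert Logic code; the sample request body it decodes is constructed, and the function names are the example's own.

```python
"""Hex/ASCII payload viewer with Base64 and URL decoding (added example,
not Alert Logic code). The sample payload below is constructed."""
from __future__ import annotations

import base64
import binascii
import string
import urllib.parse

# Constructed sample: a small HTTP request body of the kind the Request
# section of an event shows, with one URL-encoded and one Base64-encoded field.
SAMPLE_PAYLOAD = b"user=analyst&note=hello%20world%21&blob=aGVsbG8gd29ybGQ="

# Bytes rendered literally in the ASCII column; everything else becomes '.'.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Render data as rows of 'offset  hex bytes  ascii', width bytes per row."""
    rows = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        rows.append(f"{offset:08x}  {hex_part}  {ascii_part}")
    return rows


def is_base64(data: bytes) -> bool:
    """True only if data is strictly valid Base64 (alphabet and padding)."""
    try:
        base64.b64decode(data, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def decode_payload(data: bytes, mode: str = "none") -> bytes:
    """Apply one decoding pass, mirroring the console's Base64 / URL options.

    Base64 is validated strictly so ordinary text is never silently 'decoded'
    into garbage. URL decoding is a single pass, so a doubly encoded payload
    needs a second call to reveal its final form.
    """
    if mode == "none":
        return data
    if mode == "url":
        return urllib.parse.unquote_to_bytes(data)
    if mode == "base64":
        if not is_base64(data):
            raise ValueError("payload is not valid Base64")
        return base64.b64decode(data, validate=True)
    raise ValueError(f"unknown decoding mode: {mode!r}")


def render_payload(data: bytes, mode: str = "none", view: str = "both") -> str:
    """Return the decoded payload as hex, ASCII, or both, like the console views."""
    decoded = decode_payload(data, mode)
    if view == "hex":
        return " ".join(f"{b:02x}" for b in decoded)
    if view == "ascii":
        return "".join(chr(b) if b in PRINTABLE else "." for b in decoded)
    if view == "both":
        return "\n".join(hexdump(decoded))
    raise ValueError(f"unknown view: {view!r}")


def decode_form_fields(body: bytes) -> dict[str, bytes]:
    """URL-decode each form field, then Base64-decode a value only when it is
    strictly valid Base64. Keys are returned as text, values as raw bytes.

    Caveat: a plain value that merely happens to be valid Base64 (for example
    a four- or eight-letter word) is decoded too, so treat the Base64 step as
    an analyst aid rather than ground truth about the sender's encoding.
    """
    fields = {}
    for pair in body.split(b"&"):
        key, _, value = pair.partition(b"=")
        value = decode_payload(value, "url")
        if is_base64(value):
            value = decode_payload(value, "base64")
        fields[key.decode("ascii", "replace")] = value
    return fields


if __name__ == "__main__":
    print(render_payload(SAMPLE_PAYLOAD, view="both"))
    for name, value in decode_form_fields(SAMPLE_PAYLOAD).items():
        print(f"{name}: {value!r}")
```

Running the script prints the constructed body as a hex/ASCII dump and then each form field after decoding. The strict Base64 validation is the part worth keeping in your own tooling: a lenient decoder will happily turn ordinary text into meaningless bytes, which is how analysts end up chasing artifacts of their viewer rather than of the traffic.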
Note: Anywhere you see a down caret, you can click it to reveal more information.
You can easily download the PCAP file of one or all events associated with an incident by clicking the download icon on the far right of the event. PCAP files can be viewed in third-party tools such as Wireshark and CyberChef.
Flagged events can be found within the Evidence page and are identifiable by a blue flag icon. These are specific events or logs within an incident that an Alert Logic analyst found most important for you to be aware of. You can click on the flagged event to see its details, including notes that the analyst has left for you.
An audit log of the actions taken by you and Alert Logic analysts on a given incident is visible on the far right of the Investigation Report and Recommendations pages. The audit log provides you with an at-a-glance log of all changes to your incident. You can see notes that you have made, as well as flagged events and analyst notes. You can quickly access the event details from the flagged events in the audit logs by clicking View Event.
You can update incident notification preferences within the Alert Logic console from the Notifications tab within the Incidents page. A side panel will appear on the right side of the screen, where you can choose what notifications you - and any other accounts you manage - should receive based on incident severity. For more information on the incident notifications, see our Incident Notification Management knowledge base article.
Learn more about individual incidents and best practices on managing and remediating them with our Managing Incidents in the Alert Logic Console knowledge base article.