Note: Network IDS, Log Management, and Web Application IDS customers deployed after August 7, 2018, as well as Alert Logic® Cloud Insight™ customers with Amazon GuardDuty enabled, have access to the enhanced Incident Console and all its features. All other customers will be phased into the updated Incident Console in the coming months. Contact Alert Logic Support with any questions about the availability of these new features.
The Alert Logic console Incidents pages have been improved with a new design and several new features to make managing and remediating your incidents more efficient.
An incident is a series of events that have been identified by Alert Logic analysts in our Security Operations Center (SOC) as potentially worrisome and that may require your attention. You should take action to close all open incidents to maintain secure environments. Learn more about how best to manage your incidents with our Managing Incidents in the Alert Logic Console knowledge base article.
The following article lists the various new features that have been added to the Incident Console, as well as specific updates for customers utilizing Amazon Web Services (AWS) and containers.
Several new features have been added to the various Incidents pages to allow you to better manage and remediate incidents.
Incident Summary Bubble Chart
The Incident Summary page (Incidents > Summary) now houses a bubble chart that visualizes your environments' incidents by severity and classification for all Alert Logic customers.
You now have the ability to place an incident into the new Snoozed incident status. Snoozed incidents are those that you have chosen to put on hold for an amount of time that you determine. When you snooze an incident, it is temporarily removed from the Open incident list. At the end of the allotted amount of time, the incident will return to the Open incident list.
The new design of the Incident List allows you to more easily view an incident's data without accessing the individual incident page. By clicking Preview on the far right of an incident on the list, you can quickly get an overview of the incident details. You can also quickly update, snooze, or close the incident within the preview.
Custom Date Range Filter
A custom date range option has been added to the Date Range filter options on the Incident List (Incidents > List) filter sidebar. Utilize this filter option when you want your list of incidents to span farther in the past than one month.
If you have AWS deployments, you have access to additional filtering options in the filter sidebar for incidents that are generated from those deployments. To access these additional filters, click on your AWS deployment under the Deployment category, which is located directly under the filter categories in the filter sidebar. The additional filters - which include regions, VPCs, subnets, tags, service, and role - display below the deployment.
Filter Sidebar Statistics
The filter sidebar in the Incident List provides you with quick statistics on your incidents. At a glance, you can see how many incidents fit into each filtering option available. In the example below, you can see from the Open line that there are 74 open incidents within the current month's date range. Next to the Open incident line, the number before the slash is the number of incidents in that status with the current filters applied, while the number after the slash is the total number of incidents in that status. You can also see that 54 of those incidents are at a High threat level and 20 are at a Medium threat level.
Flagged events are those events that the Alert Logic analyst who identified or investigated your incident found most important for you to be aware of. Flagged events are always indicated by a blue flag icon.
Flagged events can be seen within the following pages:
- Incident preview in the Incident List
- Audit log in the Investigation Report (Incidents > List > incident > Investigation Report) or Recommendations (Incidents > List > incident > Recommendations)
- Within an event timeline in Evidence (Incidents > List > incident > Evidence)
From the audit list, click View Event to see the flagged event in detail. From Evidence, click on the flagged event to drop down all the available details on the event, including analyst notes on why it has been flagged.
You can now easily download the PCAP file of one or all events associated with an incident by clicking the download icon on the far right of the event. PCAP files can be viewed in third-party tools such as Wireshark and CyberChef.
Payload Copying & Decoding
Some pieces of evidence will contain request and response information, which includes the payload of the evidence. You can now decode payloads as either Base64 or URL-encoded data by clicking one of the options.
You can also easily copy the payload information to your clipboard by clicking the copy icon in the top right corner of the Request section.
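As an added example, not Alert Logic's own code, the following Python applies the same two decodings the console offers (URL and Base64) to a constructed request payload. The helper names and the sample strings are assumptions; a payload is only treated as Base64 if it passes strict alphabet and padding validation, and binary results are shown as hex rather than mangled text.

```python
import base64
import binascii
from urllib.parse import unquote_plus

# Constructed sample payloads (not taken from any real incident).
URL_ENCODED = "name=Jane%20Doe&city=New%20York%2C%20NY"
BASE64_ENCODED = base64.b64encode(b"user=alice&role=viewer").decode("ascii")


def decode_url(payload: str) -> str:
    """Percent-decode a URL-encoded payload; '+' becomes a space."""
    return unquote_plus(payload)


def decode_base64(payload: str):
    """Return the decoded bytes if the payload is valid Base64, else None.

    validate=True rejects characters outside the Base64 alphabet instead of
    silently discarding them, so ordinary query strings are not misread.
    Note that a short run of letters can still be valid Base64 by accident;
    an analyst should always compare both decodings, as the console allows.
    """
    try:
        return base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_payload(payload: str) -> dict:
    """Produce both decodings so they can be compared side by side."""
    result = {"url": decode_url(payload), "base64": None}
    raw = decode_base64(payload)
    if raw is not None:
        try:
            result["base64"] = raw.decode("utf-8")
        except UnicodeDecodeError:
            # Binary content: show hex rather than a garbled string.
            result["base64"] = raw.hex()
    return result


if __name__ == "__main__":
    for sample in (URL_ENCODED, BASE64_ENCODED):
        print(sample, "->", decode_payload(sample))
```

Running the block prints both decodings for each sample; the URL-encoded query string is not valid Base64 and so shows `None` for that field, while the Base64 sample decodes to the original form data.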
Customers with AWS deployments will see a topology view of their AWS deployment-generated incident within their Investigation Report. The topology view provides you with a visualization of the elements of your deployment and provides a quicker way for you to identify the assets that are associated with an incident. When an asset is highlighted in red, that asset has some sort of issue - whether a security implication or a configuration problem - that needs addressing.
Use the blue icons to the right of the topology to filter which assets are visible in the topology.
Also for customers with AWS deployments, specifically those who utilize containers, the topology view will show you if your incident originated within a container. Click on the affected container, shown in red within the topology along with your host, to see information on your container, including which instance of your container deployment is affected by the incident. This information includes key, type, name, private IP address, current state, created and modified dates, tags, and relationships.
Incident notifications can now be managed directly within the Alert Logic console Incidents pages. Click Notifications to access a sidebar where you can manage your subscriptions. You can decide for which accounts and severity levels you would like to receive email notifications. Manage your SOC escalation notifications here as well.
Learn more about incident notifications within the Incident Notification Management knowledge base article.