Note: This article is related to the Alert Logic® Incident Console release. Network IDS, Log Management, and Web Application IDS customers deployed after August 7, 2018, as well as Alert Logic Cloud Insight™ customers with Amazon GuardDuty enabled, have access to the enhanced Incident Console and all its features. All other customers will be phased into the updated Incident Console in the coming months. Contact Alert Logic Support with any questions about the availability of these new features.
Managing your open incidents in the Alert Logic console is an important part of maintaining a secure environment for your company. The Alert Logic console Incidents pages are your hub for all things incident management. As such, we suggest that you make yourself acquainted with our Alert Logic Console Incidents Pages knowledge base article.
Once you understand the tool that you will use to manage your incidents, you should also be familiar with the workflow built into the Alert Logic console for working on incidents, which we recommend that you follow. All generated incidents start in the Open incidents list. Work your open incidents from there. If you have not completed remediation of an incident and want to put it on hold and come back to it later, move it to the Snoozed incident list. When you have completely remediated an incident, move it to the Closed incident list.
The following article provides best practice suggestions on how to work your incidents so that you manage, and ultimately remediate, all of your open incidents.
Alert Logic recommends that you spend some time reviewing your open incidents every day. The ultimate goal is to maintain an empty Open incident list, which means that you have to work all of your incidents, and often. Of course, some incidents are more important than others - hence the assigned security levels. See the Review Critical and High Threat Incidents First section below for suggestions on working your incidents by severity level.
Alert Logic recommends that you handle incidents in the order of their severity, with critical and high severity incidents being managed first. Utilize the Organize by Threat Level option at the top of your incident list to sort your incidents from highest threat to lowest.
Critical and high threat incidents should not only be handled first, but ideally immediately - within a couple of hours of notification. Subscribe to incident escalation notification emails to be notified as soon as these incidents are generated.
Once critical and high threat incidents have been successfully remediated, move on to medium severity incidents. Work medium incidents by date, starting with the oldest first. Filter your incident list with the Threat Level filter category to show only medium incidents, then scroll to the bottom of the list to start remediating the oldest first. Alert Logic recommends that you review open medium incidents within 24 hours of generation.
Note: If you have open incidents that were generated over a month ago, utilize the Custom Date Range filter option to extend your list of incidents past the automatic date filter of one month.
Finally, work low severity incidents the same way you worked medium severity incidents: filter your list to show only low incidents and start from the bottom of the list (the oldest) and work upward. Alert Logic recommends that you work low incidents within a week of generation.
Ultimately, all incidents should be remediated. Alert Logic recommends that each week you spend time on your incidents until they are all closed. If this goal seems unattainable for your team given the number of incidents that you receive, see the Tune Out Unnecessary Incidents section below for suggestions on cutting down on incidents that may be generated unnecessarily.
When you snooze an incident, it is removed from the Open incident list. This function clears away the clutter of incidents that you currently are not able to remediate so that you can focus on actionable incidents.
The most common use case for snoozing an incident is when you have begun work on it but are waiting on a third-party resource to complete an action before you can work on the incident further. Snoozing removes it from your Open incident list while also setting a time in the future at which it reappears in your Open list, so that you can continue working on it once the blocker is gone. Be sure to write yourself a note on why you are snoozing the incident so that when it reappears in the Open incident list you will remember what you have done and what needs to be done next.
Note: Snoozing an incident is different from updating an open incident with notes, because snoozing removes the incident from your Open incident list and brings it back after a set amount of time. Updating an incident keeps it in your Open incident list and on your current to-do list.
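The severity-ordered workflow above and the snooze behaviour can be expressed as a small triage helper. The code below is an added example and is not part of the Alert Logic console or its API; the review windows (a couple of hours for critical and high, 24 hours for medium, a week for low) are taken from the article, and the incident queue is a constructed sample.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Review-window targets as recommended in the article (assumed as hard limits here).
REVIEW_WINDOW = {
    "critical": timedelta(hours=2),
    "high": timedelta(hours=2),
    "medium": timedelta(hours=24),
    "low": timedelta(days=7),
}
# Higher rank is worked first, mirroring "Organize by Threat Level".
RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


@dataclass
class Incident:
    id: str
    threat: str
    created: datetime
    snoozed_until: Optional[datetime] = None  # None means it sits in the Open list


def work_order(incidents: List[Incident], now: datetime) -> List[Incident]:
    """Open incidents in the order the article recommends working them:
    critical/high first, then medium oldest-first, then low oldest-first.
    A snoozed incident stays hidden until its timer expires, then reappears."""
    open_now = [i for i in incidents
                if i.snoozed_until is None or i.snoozed_until <= now]
    return sorted(open_now, key=lambda i: (-RANK[i.threat], i.created))


def overdue(incidents: List[Incident], now: datetime) -> List[str]:
    """IDs of open incidents that have exceeded the review window for their level."""
    return [i.id for i in work_order(incidents, now)
            if now - i.created > REVIEW_WINDOW[i.threat]]


NOW = datetime(2018, 9, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [  # constructed sample queue, not real incident data
    Incident("inc-1", "low", NOW - timedelta(days=10)),
    Incident("inc-2", "medium", NOW - timedelta(hours=30)),
    Incident("inc-3", "critical", NOW - timedelta(minutes=30)),
    Incident("inc-4", "medium", NOW - timedelta(hours=2)),
    Incident("inc-5", "high", NOW - timedelta(hours=3)),
    Incident("inc-6", "medium", NOW - timedelta(days=3), NOW + timedelta(days=1)),
    Incident("inc-7", "low", NOW - timedelta(days=2), NOW - timedelta(hours=1)),
]

if __name__ == "__main__":
    print([i.id for i in work_order(SAMPLE, NOW)])  # inc-6 is still snoozed
    print(overdue(SAMPLE, NOW))
```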
Bulk actions can help you quickly and efficiently manage several incidents at once. Learn how to perform bulk actions with the Bulk Actions section of our Alert Logic Console Incidents Pages knowledge base article. Utilize the following list of potential use cases to get inspiration on how to use bulk actions in your environment:
- A type of incident has a compensating control in place or is an acceptable risk that you know you don't need to work
- An originating incident that you have successfully remediated has spawned several directly related incidents - just make sure to confirm the originating IP
- Known activity is generating several incidents that do not need to be worked
If managing all your incidents every day or week sounds daunting or even impossible due to the number of incidents that are generated in your environments, it may be time to tune out incidents that require less oversight.
The Bulk Actions section may be a good place to start in identifying incidents that you would like to be tuned out. Once you have identified the types of incidents you want tuned out, open a ticket with our Support team. Provide as much detail as possible, including example incidents, frequency of incidents, payload information, and last occurrence of that type of incident.
Making the number of incidents you need to work more manageable will allow you to focus on those incidents that are more important to the security of your environments.