Note: The following information is only applicable to customers with Alert Logic® Essentials™, Alert Logic Professional™, or Alert Logic Enterprise™ entitlements. If you have Alert Logic Cloud Defender™ or Alert Logic Threat Manager™ entitlements, see the Incident Console Features knowledge base article.
In This Article
- Incident List
- Individual Incident
- Incident Notification Subscription Management
This article provides detailed information about the features available to you within the Alert Logic console's Incidents page, found in the Navigation menu at Respond > Incidents.
The Incidents page houses all identified incidents within your deployed environments, as well as access to all details and remediation recommendations for each incident. Individual incident pages include all the available information on a given incident, including an investigation report, remediation recommendations, and evidence composed of detailed events. Use the resources on this page to manage and close incidents to continually secure your environment.
The incident list houses every incident identified within your environment by name and with detailed information. Incidents can be viewed in one of three statuses (Open, Snoozed, and Closed), which you can choose from in the top-left corner of the page.
When you've chosen a status, you will see two numbers separated by a slash (ex: 23/37) to the right of the status's title. The number before the slash is the number of incidents within the current status that match your current filters. The number after the slash is the total number of incidents within that status (ex: filtered Snoozed incidents/all Snoozed incidents).
Open incidents are those that have not been snoozed or closed and that need your attention. This does not mean that they have not been acted on, as you have the option to update an open incident without moving it to the Snoozed or Closed statuses.
Snoozed incidents are those that you have chosen to put on hold for an amount of time that you set. When you snooze an incident, it is temporarily removed from the open incident list. At the end of the amount of time you have set for the snooze, the incident will return to the Open incident list. This status is useful if you are waiting on an outside resource to close the incident or do not have time to continue to remediate but want it removed from your current Open incidents until you can come back to it.
Closed incidents are those that you have chosen to mark as complete based on one of several Threat Assessments that you can choose from when closing the incident. When moving an incident to this status, you decide that no more action needs to be taken. Closed incidents can be reopened as needed.
There are several features available to customize your incident list and help you manage your incidents.
Filter on several properties alongside the Open/Snoozed/Closed statuses, all available in the left-hand panel. These include date range, threat level, classification, detection source, deployment, and Amazon Web Services (AWS) deployment-specific filters. Simply click on one of the choices under the filter classification and your list will reload with that filter applied. These filters are stackable, allowing you to choose one of the filtering options from each classification to drill down into a very specific list of incidents.
Note: To access the AWS deployment-specific filters, click on an AWS deployment at the bottom of the left-hand panel's list of filters.
Organize your filtered list by clicking on the Organize by... drop-down menu directly above the list of incidents. The sorting options include date, threat, classification, detection source, and deployment.
When you choose one of the options, the list will automatically group and sort the incidents based on the selected option. By default, the list will sort based on the order of the filter options in the left-hand panel (ex: Organize by Threat will show Critical incidents first). If you want to start from the bottom of the left-hand panel options rather than the top, click the swapping arrows icon to the right of the Organize by... drop-down. This will flip the results, and you can see that in the left-hand panel the options also flip to correspond with the change (ex: Organize by Threat will now show Low incidents first).
Quickly preview an incident's details without leaving the incident list by clicking Preview on the far right of the incident. An overview of the incident details will appear under the incident. Information within the preview includes incident ID, attacker, target, account, deployment, threat classification, detection source, appliance, associated events, and any flagged events. You can also quickly update, snooze, or close the incident within the preview.
Take bulk actions on incidents by hovering over an incident's threat level icon and checking the box that appears. You can export, update, snooze, and close incidents in bulk.
Choose as many incidents as needed and take actions on them using the blue bar that appears in the bottom right corner of the page.
To choose all incidents in a filtered list, check the box at the top of the list, just under the list title and to the left of the Organize by... drop-down. Only currently visible incidents will be checked. To include more incidents than those visible (but fewer than 100) in the bulk group, scroll down to the bottom of the page, at which point more incidents will load and automatically be added. You can bulk select up to 100 incidents at a time; to select all 100, click Select 100 from applied filters.
Export one or many incidents into a CSV file by checking the incident's box and clicking the Export icon in the blue bar that appears in the bottom right corner of the page.
Search through your list of incidents using either the simple search bar or the advanced search feature. Both are located at the top right of the incident list.
To use the simple search, type your search parameters into the text field to the left of the magnifying glass and press Enter. Your incident list will filter based on your chosen parameter.
To use the advanced search feature, click advanced search under the search text box. Type a query statement using the available fields and operators and, if necessary, use subsequent search fields to add OR statements and create a search that tests for multiple conditions.
Note: You cannot submit a search with invalid syntax. If invalid syntax is present, a warning icon will appear to the left of the search field.
For detailed information on performing advanced searches, see the Perform Advanced Search documentation.
Individual incident pages are dedicated solely to housing all the information on one incident. If the preview on the incident list page did not provide you with enough details to decide on remediation of the incident, exploring its incident page is the next step. This page houses the investigation report, recommendations by Alert Logic analysts, an interactive timeline of evidence, and an audit log on the incident.
Note: If you have AWS environments, you will also see a topology view of your host, deployments, and containers, if applicable. Learn more about these features in the AWS Topology View and Container Metadata sections of the Incident Console Feature Additions knowledge base article.
There are several features available to help you manage your incidents.
When you open an incident from the Incident List page, you land on the Investigation Report, which provides you with an attack summary and various details, including threat rating, target, attacker, and connection type. Utilize this page to gain a more detailed, while still relatively high-level, understanding of the incident.
Note: If your incident was generated from an AWS environment whose host Alert Logic has asset information on, you will also see a topology view of your host and deployments. Further, if the incident was identified on a container within the AWS environment, you will have access to detailed container metadata. Learn more about these features in the AWS Topology View and Container Metadata sections of our Incident Console Feature Additions knowledge base article.
Access the Recommendations page by clicking Recommendations in the left-hand panel. The Recommendations page houses any remediation recommendations that have been provided by Alert Logic. These suggestions can include both short-term and long-term structural actions to be taken.
Access the Evidence page by clicking Evidence in the left-hand panel. The Evidence page contains a timeline of all notable occurrences regarding the incident. These can include events, new sources, incident audit trails, flagged evidence, and GuardDuty findings if your deployment is in AWS. You can sort the evidence timeline by checking and unchecking the list of possible findings in the left-hand panel.
You can click on an event, log, or GuardDuty finding within the evidence timeline to expand it and review detailed information about it. For events, the evidence details that appear include event ID, protocol, source and destination IP, source and destination port, and signature. For logs, details that appear include key log properties and fields.
Within event details, you may also see request and response information, which provides the details of the initial network request that triggered the event and the network response to it. These sections provide network protocol information at different levels, including Frame, Ethernet II, IPv4, TCP, and HTTP. Payload information is also available and can be viewed in HEX, ASCII, or both, with either Base64 or URL decoding options, by selecting each option. You can also copy the payload information to your clipboard by clicking the copy icon in the top right corner of the Request section.
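The HEX and ASCII views and the URL and Base64 decoding options described above can be reproduced offline on a copied payload, which helps when triaging encoded request parameters. The following Python sketch is an added example, not Alert Logic code; the sample request, host name, and function names are constructed for illustration.

```python
import base64
import binascii
from urllib.parse import unquote_to_bytes

# Constructed sample: a benign HTTP request as it might appear in an event's Request section.
SAMPLE_REQUEST = (b"GET /report?name=Q3%20summary&data=dXNlcj1hbGljZQ%3D%3D HTTP/1.1\r\n"
                  b"Host: app.example.test\r\n\r\n")

def hex_ascii_rows(payload, width=16):
    """Render bytes as 'offset  hex  ascii' rows (combined HEX and ASCII view)."""
    rows = []
    for off in range(0, len(payload), width):
        chunk = payload[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        # Non-printable bytes (CR, LF, binary data) are shown as dots.
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:04x}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return rows

def base64_decode(token):
    """Strict Base64 decode; None unless the result is non-empty printable ASCII (heuristic)."""
    try:
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if decoded and all(32 <= b < 127 for b in decoded):
        return decoded
    return None

def decode_query_values(payload):
    """URL-decode each query value of the request line, then try Base64 on the result."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    target = parts[1] if len(parts) >= 2 else b""
    query = target.partition(b"?")[2]
    decoded = {}
    for pair in filter(None, query.split(b"&")):
        key, _, raw = pair.partition(b"=")
        url = unquote_to_bytes(raw)
        decoded[key.decode("ascii", "replace")] = {
            "raw": raw, "url": url, "base64": base64_decode(url)}
    return decoded

if __name__ == "__main__":
    print("\n".join(hex_ascii_rows(SAMPLE_REQUEST)))
    for name, views in decode_query_values(SAMPLE_REQUEST).items():
        print(name, views)
```

The data parameter only becomes readable after both decoding steps are applied in order (URL decoding first, then Base64), which is why the two options are worth trying together on the same payload.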
You can easily download the PCAP file of one or all events associated with an incident by clicking the download icon on the far right of the event. PCAP files can be viewed in third-party tools such as Wireshark and CyberChef.
Flagged events can be found within the Evidence page and are identifiable by a blue flag icon. These are specific events or logs within an incident that an Alert Logic analyst found most important for you to be aware of. You can click on the flagged event to see its details, including notes that the analyst has left for you.
Audit Log & Notification History
The audit log and notification history widgets are located on the far right of an individual incident page within Investigation Report and Recommendations. Click between the two tabs to see each set of information.
The audit log provides you with an at-a-glance log of all changes to your incident. You can see notes that you have made, as well as flagged events and analyst notes. You can quickly access the event details from the flagged events in the audit logs by clicking View Event.
Notification history provides you with details on the time, method, subject, and recipient of an incident's notification.
Note: In order to see the notification history of an incident, you must be subscribed to receive those notifications.
Incident Notification Management
Administrator-level users can manage incident notifications of other users within the Alert Logic console at Navigation menu > Manage > Notifications > Manage Subscriptions of Others, and individual users can manage their own incident notifications at Navigation menu > Manage > Notifications > My Subscriptions or at Navigation menu > Respond > Incidents > Notifications > Manage Notifications.
Learn more about individual incidents and best practices on managing and remediating them with our Managing Incidents in the Alert Logic Console knowledge base article.