The most common health remediations customers encounter in their Alert Logic environments surround a common theme: visibility. Visibility is integral in allowing Alert Logic to protect you from potential attacks that could lead to data breaches. Use the below information on the most common health remediations customers encounter to maintain Alert Logic visibility into and protection of your environments.
Review and resolve remediations frequently to manage security risks to your environment. Remediations, such as those highlighted below, can be found in the Alert Logic console at Respond > Health > Unhealthy > View drop-down > Remediations for Managed Detection & Response customers and Remediations > List for Cloud Insight customers.
Common Health Remediations and Resolutions
1. Offline Appliance
An offline appliance remediation may go by the following title: “Alert Logic recommends that you re-enable this appliance.”
Issue
This remediation communicates to you that your Alert Logic appliance is either offline or unable to reach Alert Logic.
Impact
An offline or unreachable appliance is an issue because, while the appliance is offline or unreachable, Alert Logic loses all visibility and monitoring into the environment that the appliance is covering.
Resolution
Ensure that the appliance is online and that the correct firewall rules are in place, which should allow the appliance to connect back to the Alert Logic backend.
Firewall rules can be found within the following Alert Logic documentation:
- US customers – United States Firewall Rules
- UK customers – United Kingdom and European Union Firewall Rules
2. Agent Errors Affecting IDS
These kinds of remediations may go by the following titles:
- “Resolve network capture problems on agent.”
- “Alert Logic recommends that you verify connectivity between Agents and Alert Logic Appliances.”
“Resolve network capture problems on agent.”
Issue
Network capture problems on an agent can mean that the Alert Logic agent is unable to send network traffic to the Threat Manager due to issues with the WinPcap network capture library.
Impact
Network capture problems on an agent are impactful because the WinPcap issue prevents the agent from sending traffic to the Threat Manager, which reduces visibility for that host: Alert Logic is unable to monitor the network traffic from it.
Resolution
Reinstall WinPcap on the host to resolve this issue.
“Alert Logic recommends that you verify connectivity between Agents and Alert Logic Appliances”
Issue
A recommendation to verify agent and appliance connectivity can mean that the agent is unable to connect to the assigned Threat Manager on port 7777.
Impact
A potential disconnection between an agent and an appliance is an issue because when an agent is unable to connect to the Threat Manager, network traffic visibility is reduced.
Resolution
Ensure that the correct firewall rules and routes are in place to allow the agent to talk to its assigned appliance over port 7777.
Firewall rules can be found within the following Alert Logic documentation:
- US customers – United States Firewall Rules
- UK customers – United Kingdom and European Union Firewall Rules
3. No Logs Seen in 24 Hours
A remediation reporting no logs seen in 24 hours may go by the following title: “Verify Agent Configuration Does Not Prevent Log Collection.”
Issue
This remediation communicates that no logs have been collected from the specified host in the last 24 hours.
Impact
This remediation is an issue because not receiving logs for 24 hours can mean that there is a loss of visibility to the host, which can lead to additional security issues, such as missed incidents.
Resolution
Start by checking that the agent is online and that the service is running. If the agent is running, there are two possible issues that could be preventing Alert Logic from collecting logs. Check that you have completed the following:
- Perform step #7 of the agent installation guide to add the syslog forwarder rule, which allows agents to collect logs.
- If using SELinux, run step #2 of the agent installation guide.
Additional troubleshooting information can be found in the Troubleshoot the “Verify Agent Configuration Does Not Prevent Log Collection” Remediation knowledge base article.
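As an added example that is not part of the Alert Logic article or product, the following Python script performs two local checks that mirror the remediations in sections 2 and 3: a TCP connection test from a host to its assigned appliance on port 7777, and a sweep for hosts with no collected logs in the last 24 hours. The appliance address, host names and timestamps are constructed assumptions.

```python
"""Added example (not Alert Logic code): local health checks that mirror the
agent-to-appliance connectivity and 24-hour log-collection remediations."""
import socket
from datetime import datetime, timedelta, timezone

APPLIANCE_PORT = 7777  # agent-to-appliance port named in the remediation


def appliance_reachable(host: str, port: int = APPLIANCE_PORT,
                        timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to the assigned appliance succeeds.

    False means a firewall rule or route is blocking the agent, or the
    appliance is offline; either way IDS visibility for this host is lost.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def stale_log_hosts(last_seen: dict[str, datetime], now: datetime,
                    max_age: timedelta = timedelta(hours=24)) -> list[str]:
    """Return hosts whose most recent collected log is older than max_age.

    These are the hosts that would raise the "no logs seen in 24 hours"
    remediation and should be checked for a stopped agent or missing
    syslog forwarder rule.
    """
    return sorted(h for h, ts in last_seen.items() if now - ts > max_age)


def demo_stale_hosts() -> list[str]:
    """Run the sweep over constructed sample data (hypothetical host names)."""
    now = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
    last_log = {
        "web-01": now - timedelta(hours=2),
        "db-01": now - timedelta(hours=30),            # older than 24 h
        "app-03": now - timedelta(hours=24, minutes=1),  # just past 24 h
    }
    return stale_log_hosts(last_log, now)


if __name__ == "__main__":
    print("hosts with no logs in 24 h:", demo_stale_hosts())
    # 10.0.0.5 is a placeholder for the appliance assigned to this host.
    print("appliance reachable on 7777:", appliance_reachable("10.0.0.5"))
```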
4. Adding Appliance to Network
This remediation can go by many titles:
- “Alert Logic recommends that you add an Alert Logic scanning appliance to this VPC.” (AWS)
- “Alert Logic recommends that you add an Alert Logic IDS Appliance to this VPC.” (AWS)
- “Alert Logic recommends that you add an Alert Logic appliance to this network.” (Data center)
- “Alert Logic recommends that you add an Alert Logic appliance to this VNet.” (Azure)
- “Alert Logic recommends that you add an Alert Logic scanning appliance to the protecting VPC.” (AWS)
- “Alert Logic recommends that you add an Alert Logic scanning appliance to the protecting network.” (Data center)
- “Alert Logic recommends that you add an Alert Logic IDS appliance to the protecting VPC.” (AWS)
- “Alert Logic recommends that you add an Alert Logic appliance to the protecting VNet.” (Azure)
Issue
This remediation can mean that a network configured to have an Alert Logic Professional entitlement Scope of Protection is missing an Alert Logic appliance.
Impact
A missing appliance can be an issue because it means that Alert Logic is missing intrusion detection and scanning visibility into your environment.
Resolution
Several resolution options are available for this remediation:
- Deploy an Alert Logic appliance (intrusion detection or scan) into the network. Appliance deployment details can be found within the following pieces of Alert Logic documentation:
  - Amazon Web Services - requires separate appliances for intrusion detection and scanning
  - Microsoft Azure - one appliance performs both intrusion detection and scan functions
  - Data center - one appliance performs both intrusion detection and scan functions
- Set up cross-network protection so the network is monitored by an appliance in another network. See the Cross-Network Protection documentation for details on requirements and configuration steps.
- Remove the scope of protection from the network. Details on how to do this can be found in our Change Protection Level of an Asset documentation.
5. Cross-Account Role Issue
The cross-account role issue remediation may go by the following titles:
- “Update the policy documentation for the IAM role associated with the deployment.”
- “Update the permissions for the credentials associated with the deployment.”
- “Update the provided Azure credential with the required privileges.”
Issue
The cross-account role issue remediation can mean that the Amazon Web Services Identity and Access Management (IAM) or Microsoft Azure role-based access control (RBAC) you are using for your deployment platform is out of date.
Impact
A cross-account role issue can be impactful because Alert Logic is unable to discover new assets, scan, or monitor your environment. It can also stop the automatic claiming of agents and/or appliances, as well as the automatic removal of hosts once they have been terminated within AWS or Azure.
Resolution
Update the policy documentation for the IAM or RBAC role associated with the deployment.
Information on updating your IAM role can be found in the Update Your IAM Policy knowledge base article. RBAC details are available in the Update Your Azure Deployment with User Credentials for CIS Foundation Benchmarks documentation.