Alert Logic Machine Learning Log Review allows Professional and Enterprise Managed Detection & Response and Cloud Defender customers and partners to continue to meet log review compliance requirements while also receiving new security value. Machine Learning Log Review pairs machine learning with experts to detect log-based incidents more effectively: the machine learning capabilities detect incidents based on your organization’s trends and patterns at the account, user, and host levels, and our expert teams provide guidance, custom tuning, and manual checks.
The following information describes the capabilities of Machine Learning Log Review and how to get the most out of this Alert Logic capability.
Benefits of Machine Learning Log Review
Alert Logic uses a machine learning-trained threshold that is customized for each customer and considers relatively high message counts, unusual locations, and unusual hostnames, while experts handle special customer requests.
Several benefits of the machine learning model for reviewing logs include:
- Fast and efficient review of logs
- Strong anomaly detection capabilities and security value
- Rule-based detection of 100+ anomaly scenarios based on time series, location, and unusual names
- Automatic and reliable detection of anomalies based on customer data trends
Log Review Experience
Log Review incidents can be found within the Alert Logic console at (navigation menu) > Respond > Incidents. You can filter to view only Log Review information by clicking Log Review under Detection Source in the filter sidebar. Incident classification of Log Review incidents, titled Log Review Summary incidents, includes:
- Threat Level: Info
- Escalation: Not escalated
- Classification: Log Review
Each day, one Log Review Summary incident is raised if the machine learning models or rule-based detection detect any log anomalies in the customer environment. Both machine learning log anomaly detection and rule-based detection automate detection for Windows, UNIX/Linux, Amazon Web Services (AWS), Microsoft Azure, network, and database logs. Examples of log data Alert Logic reviews include:
- Windows: Failed logins, changes to privileges, changes to accounts, Active Directory global catalog changes, and others
- UNIX/Linux: Sudo access, SSH failed logins, switched user common success/fails, and others
- AWS: MFA, security group changes, IAM, EC2, S3 changes, user account and access changes, network control changes, and others
- Azure: Backup user file access, user login activity, user network security events, OAuth2 grant activity, object access, user role modification activity, service principal activity, user file access, and user group modification
Incident details contain the list of anomalous users and hosts with anomalies, as well as the different types of alerts triggered, based on the log anomaly aggregation. On the incident Evidence page (found in the Alert Logic console at Respond > Incidents > check the Log Review box under Detection Source in the filter sidebar > select an incident > Evidence), additional information about the Log Review anomaly type summary, user summary, and host summary is available. Two machine learning detection techniques can trigger an anomaly:
- Anomaly detection: Anomalies are triggered based on the machine learning model computed for the user or host; no specific logs will be listed as evidence within a Log Review Summary incident.
- Pattern matching: Logs associated with a suspicious command or IP address will trigger an anomaly; these logs will be listed within the Log Review Summary incident evidence.
Log Review in the Alert Logic Console
Log Review information can be found in the Alert Logic console at (navigation menu) > Respond > Incidents. To see only Log Review incidents, filter the Incident List under Detection to Log Review. For an at-a-glance experience, you can choose which columns appear in your Incident List table, and you can drag, resize, and sort each column. A preview panel to the right of the Incident List table shows additional information about the incident at the top of the page and will change as you scroll.
Status and other filters are available for multi-selection and very granular filtering, and these can be reset quickly by clicking Clear All Filters above the filters. You can also download all incidents that match your current filters to CSV by clicking Download All.
To see detailed information about a Log Review Summary incident, click the incident in the Incident List table, which takes you to the Incident Detail page. The Investigation and Recommendation tab provides a topology view, an attack summary, an overview of log alerts and anomalies, a recommended course of action, and the audit log and notification history of the incident.
The Evidence page contains a timeline of all notable occurrences regarding the Log Review Summary incident and allows you to dig into each piece of evidence for more granular data. Machine learning-generated Log Review Summary incidents contain three tiers of analytics: customers can review top-level incident details such as alert types, alert counts, and anomalous hosts; drill down into any piece of evidence for further layers such as user summary and aggregator summary data; and view anomaly observations such as enrichment data and facts.
Note: Within aggregator summary data, you can download available observations and observation evidence to CSV with Download Observation and Download Observation Evidence. You can also access and download to CSV available enrichment data and facts for a Log Review Summary incident with Download Enrichment Data and Download Facts.
For additional details, see the following knowledge base articles and pieces of documentation: