Alert Logic has released a series of enhancements to streamline working with incidents in the Alert Logic console. These updates include improvements to the Incident Console, the decommission of the older Incident Console, and expanded adoption of the MITRE ATT&CK Framework.
Improvements to the Incident Console
The Incident Console can be found in the Alert Logic console under Respond > Incidents. A summary of the related enhancements made as part of this release is listed below.
Advanced Search Support
Alert Logic is adding additional search support for the Incident Console, allowing you to create complex queries that can combine with selected filters to further refine your incident search results.
To access the advanced search feature, click Show advanced search under the search bar.
You can then write an advanced search query in the provided field and click SEARCH to update the incident results list.
More details related to this update can be found in our Advanced Search documentation.
Status Filter Improvements
You can now immediately see the count for all status filters – Open, Closed, and Snoozed – in the Incident Console. Previously, only the Open incidents filter and its count were shown by default. This update gives customers a clearer view of how incidents are distributed across statuses.
Baseline Map
Alert Logic has enhanced the baseline map for incidents containing geographic data, making it easier for customers to use this information. The baseline map displays with the incident details after clicking into an incident from the Incident Console. Improvements include:
- The map for comparing baseline and outlier activity now appears in the Attack Summary section without having to click a link. You can hide the map by clicking a button.
- The map no longer expires after two weeks.
- Visuals and performance are improved.
More details related to this update can be found in our Incident Details documentation.
Evidence Timeline
A new evidence timeline is available that presents the timing of the activities culminating in an incident in a simplified form. This new evidence timeline is available on the Investigation and Recommendation tab after clicking into an incident from the Incident Console.
The evidence timeline is a visual representation of the activities that culminated in an incident. Tooltips provide details about specific pieces of evidence. You can zoom in on an area of the timeline to display more detail and then reset the zoom to the original view.
More details related to this update can be found in our Incident Details documentation.
Decommission of the Previous Incident Console
Alert Logic released the upgraded Incident Console on March 18, 2021. Since then, customers using Alert Logic Cloud Defender, Threat Manager, or Log Manager were given access to switch between the two versions of the Incident Console experience using a toggle icon. As of September 21, 2022, Alert Logic will no longer support the previous Incident Console experience. As part of this change:
- The Incident Console experience toggle has been removed.
- URLs pointing to the previous Incident Console page redirect to the upgraded Incident Console page.
- Dashboard drill-downs now direct to the upgraded Incident Console page.
You can learn more about all of the new and enhanced features part of the upgraded Incident Console in our Incidents documentation.
Expanded Adoption of MITRE ATT&CK Framework
Alert Logic began supporting the MITRE ATT&CK Framework on February 10, 2022. As part of that release, incidents and reports were updated with MITRE ATT&CK Tactics and Techniques. As of September 21, 2022, Alert Logic has completed the migration of incidents, reports, and notifications to the MITRE ATT&CK Framework.
With that migration complete, the legacy classification system is no longer supported, as follows:
- The Incident page will no longer include “Classification” as a filter option.
- Reports with threat data will no longer include “Classification” widgets, including:
  - AWS Incident Analysis Reports
  - Azure Incident Analysis
  - Incident Analysis Reports
  - Incident Account Summary Reports
  - Enterprise Risk Reports
  - Partner Analysis Reports
  - HIPAA-HITECH Security Audit Reports
  - PCI Audit Reports
  - PCI DSS Audit Reports
- Incident Notifications will no longer include the legacy incident classification. Notifications now list the MITRE Tactic of the incident instead.
For more information about this update, refer to our Incidents documentation.
Additional Resources
For more details on the Incident Console, see the following Alert Logic knowledge base and documentation resources: