After using AlertLogic for almost a year, I've created a few filters and alerts that help me understand an incident. Does anyone have any useful tips / filters / processes that help with incident response?
Here is mine:
1. Set up an Event Alert called Brute Force Attack which alerts on MySQL and SSH brute-force attacks. I add signatures as more common attack types occur.
2. If I get an alert, I check events with a similar filter for signatures that contain "brute". I try to understand what subnet or server is being targeted.
3. I check the source IP (or IPs) for malicious reputation via a third party site like Cymon.
4. Then I check if any events generate an Incident for further correlation.
5. I gather the time frame and check what system changes were logged prior to the 'attack' to understand what might have triggered this attack. If it wasn't a system change, I block the IP on the Firewall.
6. Finally, I check the logs on hosts that were targeted to confirm nothing was affected.
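The triage steps above, carried out over a batch of exported events, as an added example (not AlertLogic tooling and not the poster's own filters). The events, the change-log entries, the reputation list and the field names (`ts`, `signature`, `src_ip`, `dst_ip`, `dst_host`, `host`, `change`) are all constructed for the example; the real export schema and the third-party reputation lookup are stand-ins here.

```python
"""Brute-force alert triage following the steps in the post above.

Added example, not AlertLogic code. All records below are constructed and
their field names are an assumed schema, not the real event export format.
"""
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed IDS events (schema is an assumption).
EVENTS = [
    {"ts": "2023-05-01T09:55:00", "signature": "TCP Port Scan", "src_ip": "192.0.2.9", "dst_ip": "10.0.2.8", "dst_host": "web01"},
    {"ts": "2023-05-01T10:00:05", "signature": "MySQL Brute Force Login Attempt", "src_ip": "203.0.113.7", "dst_ip": "10.0.1.15", "dst_host": "db01"},
    {"ts": "2023-05-01T10:00:09", "signature": "MySQL Brute Force Login Attempt", "src_ip": "203.0.113.7", "dst_ip": "10.0.1.15", "dst_host": "db01"},
    {"ts": "2023-05-01T10:00:14", "signature": "SSH Brute Force Attempt", "src_ip": "203.0.113.7", "dst_ip": "10.0.1.20", "dst_host": "bastion01"},
    {"ts": "2023-05-01T10:01:30", "signature": "SSH Brute Force Attempt", "src_ip": "198.51.100.22", "dst_ip": "10.0.1.20", "dst_host": "bastion01"},
    {"ts": "2023-05-01T10:02:00", "signature": "MySQL Brute Force Login Attempt", "src_ip": "203.0.113.7", "dst_ip": "10.0.1.15", "dst_host": "db01"},
    {"ts": "2023-05-01T10:03:00", "signature": "HTTP Directory Traversal", "src_ip": "192.0.2.9", "dst_ip": "10.0.2.8", "dst_host": "web01"},
    {"ts": "2023-05-01T10:05:00", "signature": "SSH Brute Force Attempt", "src_ip": "203.0.113.7", "dst_ip": "10.0.2.8", "dst_host": "web01"},
]

# Constructed change-management log entries (step 5 looks back through these).
CHANGES = [
    {"ts": "2023-04-25T12:00:00", "host": "web01", "change": "rotated TLS certificate"},
    {"ts": "2023-05-01T09:40:00", "host": "db01", "change": "edge firewall rule allowing TCP/3306 from any source"},
    {"ts": "2023-05-01T09:50:00", "host": "fileserver01", "change": "disabled SSH password authentication"},
]

# Stand-in for the third-party reputation lookup in step 3 (constructed, not a real feed).
KNOWN_BAD = {"203.0.113.7"}


def parse_ts(s):
    return datetime.fromisoformat(s)


def brute_force_events(events):
    """Step 2: the 'signature contains brute' filter."""
    return [e for e in events if "brute" in e["signature"].lower()]


def targets_by_subnet(events, prefix=24):
    """Step 2: which subnets are being hit, by folding each dst_ip into its /prefix."""
    c = Counter()
    for e in events:
        c[str(ip_network(f"{e['dst_ip']}/{prefix}", strict=False))] += 1
    return c


def targeted_hosts(events):
    return Counter(e["dst_host"] for e in events)


def source_ips(events):
    return Counter(e["src_ip"] for e in events)


def time_frame(events):
    """Step 5: first and last brute-force event, the window to investigate."""
    stamps = sorted(parse_ts(e["ts"]) for e in events)
    return stamps[0], stamps[-1]


def changes_before(changes, start, hosts, lookback=timedelta(hours=1)):
    """Step 5: change-log entries on the targeted hosts within `lookback` of the first event."""
    window_start = start - lookback
    return [c for c in changes
            if c["host"] in hosts and window_start <= parse_ts(c["ts"]) <= start]


def triage(events, changes, reputation=KNOWN_BAD):
    """Run steps 2 to 5 and return a summary the analyst can act on."""
    hits = brute_force_events(events)
    if not hits:
        return {"verdict": "no brute-force events"}
    start, end = time_frame(hits)
    hosts = targeted_hosts(hits)
    sources = source_ips(hits)
    related = changes_before(changes, start, set(hosts))
    return {
        "event_count": len(hits),
        "time_frame": (start.isoformat(), end.isoformat()),
        "subnets": dict(targets_by_subnet(hits)),
        "hosts": dict(hosts),
        "sources": dict(sources),
        "bad_reputation": sorted(ip for ip in sources if ip in reputation),
        "related_changes": related,
        # Step 5's decision: a preceding change on the target explains the noise and
        # needs review first; otherwise the source goes on the firewall block list.
        "recommended_action": "review the listed change before blocking" if related
                              else "block source IPs on the firewall",
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS, CHANGES).items():
        print(f"{key}: {value}")
```

With the constructed data the summary points at db01 in 10.0.1.0/24 as the main target, one source with bad reputation, and a firewall change on db01 twenty minutes before the first event, so the recommended action is to review that change rather than block straight away. Step 6 (host-side log review) is left to the analyst, since it depends on which logs each host keeps.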