We like to make sure our customers are getting as much value from us as possible - here are a few simple things you can do to ensure the health of your account, and to get maximum value from Alert Logic.
1. Ensure coverage/visibility is correct
Environments change over time, so ensure your environment is fully covered by Alert Logic. Do you have agents on all the VMs you want coverage for? Have you configured additional log collection, beyond the defaults? Review the 'Deployments' section of the Alert Logic console to ensure you see all of the protected hosts and log sources that you expect. Also check for anything that is not in "OK" status, and remediate.
2. Leverage additional functionality for AWS and Azure
If you are running in AWS or Azure, ensure you have a deployment configured in the Alert Logic console. This allows us to automate various functions such as appliance and agent claim, assignment, and offline agent cleanup. This functionality requires an IAM or RBAC role - see documentation on this here: https://docs.alertlogic.com/userGuides/deployments.htm
Customers should also configure CloudTrail or Azure Activity log collection - see documentation on this here: https://docs.alertlogic.com/userGuides/log-manager-collection-sources.htm
3. Perform regular vulnerability scans
Provided your entitlement includes Threat Manager, you have unlimited access to our scanning engines, including PCI ASV scans. Scanning and remediating your environment on a regular basis will help reduce your attack surface and, in doing so, decrease the likelihood of a successful attack. Documentation for scanning is available here: https://docs.alertlogic.com/gsg/get-started-scans.htm
If you are running in AWS, you should leverage Cloud Insight for scans, as this is pre-approved by AWS. In addition to scanning for vulnerabilities on your EC2 instances, Cloud Insight also checks your AWS config against best practice, and enhances GuardDuty findings. Cloud Insight is available to all Cloud Defender customers, and is also available on the AWS Marketplace. Further information is available here: https://www.alertlogic.com/solutions/aws-vulnerability-scanning-and-management/
It's also important to note that our ActiveIntelligence teams use scan results to inform decisions about how much of our customer base may be impacted by a new vulnerability or threat. Running regular scans ensures that we know what you run in your environment, so that we can produce content that is relevant to you.
4. Upload and review SSL certificates
Depending on how you handle SSL within your environment, it may be necessary to provide us with SSL certificates and private keys so that we can decrypt and inspect this traffic. This visibility is essential to detecting attacks against the web application. Remember to update these, as your certificates expire and are replaced. Documentation for managing certificates is available here: https://docs.alertlogic.com/userGuides/threat-manager-detection.htm#certsKeysAndSSLDecryptor
5. Review your incidents
We generate an incident whenever we detect a threat or an attack within your environment. This is what we are all about, so it's important that you review these when we raise them. More information about the various incident severities and how they are handled is available here: https://support.alertlogic.com/hc/en-us/articles/115001451547-Incident-Handling-Policy
6. Run and review reports
Customers who have joined us in the past 9 months or so should be receiving a regular Service Review Report, which is detailed here: https://support.alertlogic.com/hc/en-us/articles/115002446903-Service-Review-Report
However, if you are a longer-term Alert Logic customer, or if you have procured our services via a partner, you may not be receiving this automatically. If this is the case, please get in touch with Alert Logic Support, who will be able to get this set up for you.
In addition, there is a large amount of reporting available in the Reports section of the console - all of these reports can be run interactively or configured to run on a schedule. We encourage all customers to review the available report templates and configure regular reporting to ensure you have good visibility of what Alert Logic is detecting within your environments.
Any other tips for getting the most from Alert Logic? Join the discussion in the comments below.