Engineer Insights: What do you regularly look at in the Alert Logic console?
Alert Logic offers customers access to a large amount of data via our console. I frequently speak with our new customers and show them what I think are the most likely elements that they will use on a regular basis. I will cover some of these items in this post - hopefully none of these are new to you!
Incidents
The primary output from Alert Logic to our customers is security Incidents. An Incident is produced when we have seen malicious or suspicious activity occurring within your environment. Incidents are escalated to you by our Security Operations Center by phone or email depending on the severity, which indicates the seriousness of the threat and the risk to your environment.
You can read more about incident severities and how we handle them in this article: https://support.alertlogic.com/hc/en-us/articles/115001451547-Incident-Handling-Policy
When viewing Incidents, you are able to see the notes from our analysis - these can be produced both by our machine-driven analytics engines, as well as our SOC analysts. You are also able to see the raw data, or evidence, behind the incident. I expect most clients would focus mainly on the notes, rather than the evidence, but it would be great to hear if any of you are regularly looking into this detail.
Logs
If your subscription includes Log Manager, all of your logs are available to you to search within the console. You can search across all log sources going back over your entire retention period (1 year for most customers). This functionality can be incredibly useful, not just to help you respond to or investigate an Incident, but for operational purposes as well. To get started, review this article on how to use the Omnibox search function: https://support.alertlogic.com/hc/en-us/articles/115004581323-Log-Manager-OmniBox-Log-Search
This also covers the use of saved views, which allow you to schedule log queries and have the results delivered to you via email as a .CSV file.
Want to be alerted on specific activity within your logs? You can do this with a correlation policy. See https://docs.alertlogic.com/userGuides/log-manager-policies.htm#workWithCorrelationPolicies for documentation on setting these up. There is also further training for this available in the LEARN portal.
Scans
If your subscription includes Threat Manager (Network IDS), you have unlimited access to three types of vulnerability scans: Internal scans, which originate from our appliance(s) within your environment; External scans, which originate from an Alert Logic datacenter; and PCI scans, which are external scans that meet the requirements of the PCI ASV program guide. We have a great guide on using scans available here: https://docs.alertlogic.com/product-guides/scans/about-scans.htm
If your subscription includes Cloud Insight and you are an AWS customer, Cloud Insight will perform continuous, internal vulnerability scanning against your EC2 instances. Documentation on Cloud Insight is available here: https://docs.alertlogic.com/products101/cloud-insight-101.htm
Scans can help you understand and reduce your attack surface by alerting you to vulnerabilities within your environment. The majority of attacks that we see in the SOC are trying to exploit known vulnerabilities, so keeping on top of these is extremely important.
In addition, our research and content teams use data from scans to understand the systems and applications that our customers are using - this can inform the priority we assign to covering a new or emerging threat. Therefore, we strongly recommend that you have at least one scan configured to run on a regular basis, even if you are unable to review the results.
Reports
There are a large number of reports available to you in the console. These can all be run interactively, or configured to run on a regular schedule, with the report emailed to you as a PDF. There is a wide range of information available, from high-level summaries through to detailed incident reports containing the incident notes.
We will cover suggested reports in a separate post shortly, but if you are not already using the reporting functionality, now is a great time to go and take a look.
--
I'm always very interested to hear how our customers are using our console - do the items above match what you're looking at on a regular basis? Was any of this news to you? Or are you looking at other elements within the console? Please share your thoughts and experiences below.