Endpoint Security Incidents

Alert Logic can detect and generate endpoint incidents from log data collected from third-party endpoint application resources. Alert Logic collects log data through endpoint integrations. Endpoint security incidents enhance your security content by providing greater visibility into threats in your environment.

Security incidents are generated when suspicious events are detected that require attention to maintain your security posture, achieve regulatory compliance, or both. Alert Logic organizes the incidents by threat level and classification type on your Incidents page. To learn more about the Incidents page, see Incidents.

About endpoint incidents

Alert Logic generates endpoint incidents related specifically to:

  • Endpoints for ransomware detected
  • Audit and remediation (potential new malware or suspicious event detected)
  • Outbreak of non-mitigated suspicious threats
  • Non-mitigated malicious threats across multiple hosts
  • Outbreak of malicious threats mitigated across multiple hosts
  • Agent that failed to remediate
  • Agent with a high severity alert (malicious and non-mitigated)

You can view these endpoint incidents in the Incidents page in the Alert Logic console. Alert Logic can generate security incidents from the following endpoint applications:

  • Carbon Black
  • SentinelOne
  • Cisco Endpoint (formerly Cisco AMP)
  • Cylance
  • Sophos

For information about how to configure one of these endpoint applications, see Endpoint log configuration.

Endpoint incident examples

Alert Logic generates the following endpoint incidents in the Incidents page from endpoint log data at the indicated threshold.

Carbon Black endpoint incidents

| Name | Description |
|---|---|
| Carbon Black Endpoint: Known malware detected | Known Malware file(s) Detected on %destination_host% |
| Carbon Black Endpoint: Ransomware detected | Ransomware file(s) Detected on %destination_host% |
| Carbon Black Endpoint Outbreak: Potential new malware or suspicious event detected | New or Suspicious malware file Detected on multiple hosts |

SentinelOne endpoint incidents

| Name | Description | Threshold |
|---|---|---|
| SentinelOne Outbreak: Non-Mitigated Suspicious Threat across Multiple Hosts | Triggers when SentinelOne has not mitigated the same suspicious threat across multiple hosts in a 30-minute period | Five or fewer unique hosts in 30 minutes |
| SentinelOne Outbreak: Non-Mitigated Malicious Threat across Multiple Hosts | Triggers when SentinelOne has not mitigated the same malicious threat across multiple hosts in a 30-minute period | Five or fewer unique hosts in 30 minutes |
| SentinelOne Outbreak: Malicious Threat Mitigated across Multiple Hosts | Triggers when SentinelOne has mitigated the same malicious threat across multiple hosts in a 30-minute period | Five or fewer unique hosts in 30 minutes |
| SentinelOne: Agent Failed to Remediate | SentinelOne: Failed Remediation of Threat(s) Detected on %destination_host% | Single-host: One or more events in five minutes |
| SentinelOne: High severity alert (malicious) (non-mitigated) | SentinelOne: Non-Mitigated Malicious Threat(s) Detected on %destination_host% | Single-host: One or more events in five minutes |
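
The table above describes two kinds of correlation: per-host incidents that fire on a single event, and outbreak incidents that fire when the same threat appears on several hosts within a 30-minute window. The following added example (not Alert Logic code) shows that logic over constructed SentinelOne-style events; the event field names, the `status` values and the reading of "multiple hosts" as at least two distinct hosts are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

OUTBREAK_WINDOW = timedelta(minutes=30)  # "in a 30-minute period", as in the table above
MIN_HOSTS = 2                            # assumed reading of "multiple hosts": at least two

# (classification, status) -> outbreak incident name, taken from the table above
OUTBREAK_NAMES = {
    ("suspicious", "not_mitigated"): "SentinelOne Outbreak: Non-Mitigated Suspicious Threat across Multiple Hosts",
    ("malicious", "not_mitigated"): "SentinelOne Outbreak: Non-Mitigated Malicious Threat across Multiple Hosts",
    ("malicious", "mitigated"): "SentinelOne Outbreak: Malicious Threat Mitigated across Multiple Hosts",
}

# Constructed sample events, not real telemetry; field names are assumed.
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "host": "ws-01", "threat": "T-100", "classification": "malicious", "status": "not_mitigated"},
    {"ts": "2024-01-01T10:12:00", "host": "ws-02", "threat": "T-100", "classification": "malicious", "status": "not_mitigated"},
    {"ts": "2024-01-01T11:30:00", "host": "ws-03", "threat": "T-100", "classification": "malicious", "status": "not_mitigated"},
    {"ts": "2024-01-01T10:05:00", "host": "ws-04", "threat": "T-200", "classification": "suspicious", "status": "not_mitigated"},
    {"ts": "2024-01-01T10:50:00", "host": "ws-05", "threat": "T-200", "classification": "suspicious", "status": "not_mitigated"},
    {"ts": "2024-01-01T10:07:00", "host": "ws-06", "threat": "T-300", "classification": "malicious", "status": "remediation_failed"},
]

def single_host_incidents(events):
    """Single-host rules: one incident per (name, host), since one event is enough to trigger."""
    found = set()
    for e in events:
        if e["status"] == "remediation_failed":
            found.add(("SentinelOne: Agent Failed to Remediate", e["host"]))
        elif e["status"] == "not_mitigated" and e["classification"] == "malicious":
            found.add(("SentinelOne: High severity alert (malicious) (non-mitigated)", e["host"]))
    return sorted(found)

def outbreak_incidents(events):
    """Outbreak rules: the same threat on MIN_HOSTS distinct hosts inside a sliding 30-minute window."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["threat"], e["classification"], e["status"])].append(e)
    incidents = []
    for (threat, cls, status), evs in groups.items():
        name = OUTBREAK_NAMES.get((cls, status))
        if name is None:
            continue  # no outbreak rule for this combination in the table
        window = deque()
        for e in sorted(evs, key=lambda x: x["ts"]):
            now = datetime.fromisoformat(e["ts"])
            window.append((now, e["host"]))
            while now - window[0][0] > OUTBREAK_WINDOW:
                window.popleft()  # drop events older than the window
            hosts = sorted({h for _, h in window})
            if len(hosts) >= MIN_HOSTS:
                incidents.append({"name": name, "threat": threat, "hosts": hosts})
                break  # one outbreak incident per threat group
    return incidents
```

In the sample data T-100 reaches two hosts twelve minutes apart and becomes an outbreak, while T-200 is seen on two hosts 45 minutes apart and only produces no incident at all, because suspicious, non-mitigated threats have no single-host rule in the table.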

Cisco Endpoint incidents

| Name | Description | Threshold |
|---|---|---|
| Cisco Endpoint: Exploit Prevented | Cisco Endpoint: Exploit file(s) Prevented on $destination_host | One event in five minutes |
| Cisco Endpoint: Possible Ransomware TTPs detected | Cisco Endpoint: Possible Ransomware file(s) Detected on %destination_host% | Single-host: One or more events in five minutes |

Cylance Endpoint incidents

| Name | Description | Threshold |
|---|---|---|
| Cylance: Known hacktool detected | Cylance: Ransomware file(s) Detected on %destination_host% | Single-host: One or more events in five minutes |
| Cylance: Ransomware detected | Cylance: Ransomware file(s) Detected on %destination_host% | Single-host: One or more events in five minutes |
| Cylance: Exploit Attempt | Cylance: Exploit Attempt(s) Detected on $destination_host | One event in five minutes |

Sophos Endpoint Incidents

| Name | Description | Threshold |
|---|---|---|
| Sophos Endpoint - Ransomware detected | Possible Ransomware file(s) Detected on $destination_host | One event in five minutes |

Endpoint log configuration

Except for Cylance, you must configure log collection for the endpoint application in the Application Registry page in the Alert Logic console before Alert Logic can collect log data and generate incidents. The Application Registry page is a catalog of all the applications from which Alert Logic can receive log data. You can add multiple log collection instances to each application.

Configure an endpoint log collection instance

The instructions below provide a basic workflow for configuring an application. However, application requirements vary and often require different information, so also see the guide specific to the application you want to configure.

To see the full list of log collection instructions available, see Log Collectors Configuration Guide.

To add a new application collection:

  1. In the Alert Logic console, click the menu icon on the Dashboards page.
  2. Click Configure, and then click Application Registry.
  3. On the Application List tab, use the drop-down menu to select the application type you want to see.
  4. Click GET STARTED from the available application you want to configure.
  5. Depending on the application, the required fields and options vary. The general configuration requirements are the following:
    • Under Details, type a name for the application.
    • Under Collection Method and Policy, specify a location from where to collect log data, and provide the required credentials associated with your application account.
  6. Click ADD.

In the Application List tab, if you configured your application correctly, "Configured" appears on the application tile.