Endpoint Security Incidents
Alert Logic can detect and generate endpoint incidents from log data collected from third-party endpoint application resources. Alert Logic collects log data through endpoint integrations. Endpoint security incidents enhance your security content by providing greater visibility into threats in your environment.
Security incidents are generated when suspicious events are detected that require attention to maintain your security posture, achieve regulatory compliance, or both. Alert Logic organizes the incidents by threat level and classification type on your Incidents page. To learn more about the Incidents page, see Incidents.
About endpoint incidents
Alert Logic generates endpoint incidents related specifically to:
- Endpoints for ransomware detected
- Audit and remediation (potential new malware or suspicious event detected)
- Outbreak of non-mitigated suspicious threats
- Non-mitigated malicious threats across multiple hosts
- Outbreak of malicious threats mitigated across multiple hosts
- Agent that failed to remediate
- Agent with a high severity alert (malicious and non-mitigated)
You can view these endpoint incidents in the Incidents page in the Alert Logic console. Alert Logic can generate security incidents from the following endpoint applications:
- Carbon Black
- SentinelOne
- Cisco Endpoint (formerly Cisco AMP)
- CrowdStrike
- Cylance
  You must already have configured an Alert Logic syslog remote collector and a Cylance application. For more information, see Cylance endpoint log collection configuration.
- Sophos
For information about how to configure one of these endpoint applications, see Endpoint log configuration.
Endpoint incident examples
Alert Logic generates the following endpoint incidents in the Incidents page from endpoint log data at the indicated threshold.
Carbon Black endpoint incidents
Name | Description | Threshold |
---|---|---|
Carbon Black Endpoint: Known malware detected | Known Malware file(s) Detected on %destination_host% | Single-host: One or more events in five minutes |
Carbon Black Endpoint: Ransomware detected | Ransomware file(s) Detected on %destination_host% | Single-host: One or more events in five minutes |
Carbon Black Endpoint Outbreak: Potential new malware or suspicious event detected | New or Suspicious malware file Detected on multiple hosts | Multi-host: Five or more hosts in 15 minutes |
SentinelOne endpoint incidents
Name | Description | Threshold | Classification |
---|---|---|---|
SentinelOne Outbreak: Non-Mitigated Suspicious Threat across Multiple Hosts | Triggers when SentinelOne has not mitigated the same suspicious threat across multiple hosts in a 30-minute period | Five or fewer unique hosts in 30 minutes | endpoint:activity |
SentinelOne Outbreak: Non-Mitigated Malicious Threat across Multiple Hosts | Triggers when SentinelOne has not mitigated the same malicious threat across multiple hosts in a 30-minute period | Five or fewer unique hosts in 30 minutes | endpoint:activity |
SentinelOne Outbreak: Malicious Threat Mitigated across Multiple Hosts | Triggers when SentinelOne has mitigated the same malicious threat across multiple hosts in a 30-minute period | Five or fewer unique hosts in 30 minutes | endpoint:activity |
SentinelOne: Agent Failed to Remediate | SentinelOne: Failed Remediation of Threat(s) Detected on %destination_host% | Single-host: One or more events in five minutes | endpoint:activity |
SentinelOne: High severity alert (malicious) (non-mitigated) | SentinelOne: Non-Mitigated Malicious Threat(s) Detected on %destination_host% | Single-host: One or more events in five minutes | endpoint:activity |
Cisco Endpoint incidents
Name | Description | Threshold | Classification |
---|---|---|---|
Cisco Endpoint: Exploit Prevented | Cisco Endpoint: Exploit file(s) Prevented on $destination_host | One event in five minutes | endpoint:activity |
Cisco Endpoint: Possible Ransomware TTPs detected | Cisco Endpoint: Possible Ransomware file(s) Detected on %destination_host% | Single-host: One or more events in five minutes | endpoint:activity |
CrowdStrike Endpoint incidents
Name | Description | Threshold | Classification |
---|---|---|---|
CrowdStrike: Possible malware detected | CrowdStrike: Possible Malware file(s) Detected on $victim_hostname | One event in five minutes | endpoint:activity |
CrowdStrike: Possible ransomware detected | CrowdStrike: Possible Ransomware file(s) Detected on $victim_hostname | One event in five minutes | endpoint:activity |
CrowdStrike: Possible hacktool detected | CrowdStrike: Possible Hacktool Usage Detected on $victim_hostname | One event in five minutes | endpoint:activity |
Cylance Endpoint incidents
Name | Description | Threshold | Classification |
---|---|---|---|
Cylance: Known hacktool detected | Cylance: Ransomware file(s) Detected on %destination_host% | Single-host: One or more events in five minutes | endpoint:activity |
Cylance: Ransomware detected | Cylance: Ransomware file(s) Detected on %destination_host% | Single-host: One or more events in five minutes | endpoint:activity |
Cylance: Exploit Attempt | Cylance: Exploit Attempt(s) Detected on $destination_host | One event in five minutes | endpoint:activity |
Sophos Endpoint Incidents
Name | Description | Threshold | Classification |
---|---|---|---|
Sophos Endpoint - Ransomware detected | Possible Ransomware file(s) Detected on $destination_host | One event in five minutes | endpoint:activity |
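As an added illustration (not Alert Logic's own correlation code), the two threshold styles the tables above use, a single-host rule (one or more events on a host in five minutes) and a multi-host outbreak rule (five or more hosts in 15 minutes, as in the Carbon Black outbreak row), implemented over constructed sample events:

```python
from datetime import datetime, timedelta

# Constructed sample events (not Alert Logic data): endpoint detections as
# (timestamp, host, signature) tuples, already parsed out of vendor logs.
EVENTS = [
    ("2024-01-01T10:00:00", "web-01", "Ransomware"),
    ("2024-01-01T10:02:00", "web-01", "Ransomware"),   # inside web-01's open window
    ("2024-01-01T10:07:00", "web-01", "Ransomware"),   # window expired: new incident
    ("2024-01-01T10:01:00", "web-02", "Suspicious.Generic"),
    ("2024-01-01T10:03:00", "web-03", "Suspicious.Generic"),
    ("2024-01-01T10:05:00", "web-04", "Suspicious.Generic"),
    ("2024-01-01T10:09:00", "web-05", "Suspicious.Generic"),
    ("2024-01-01T10:13:00", "web-06", "Suspicious.Generic"),
    ("2024-01-01T10:40:00", "db-01", "Suspicious.Generic"),  # outside the 15-minute window
]

def _ts(s):
    return datetime.fromisoformat(s)

def single_host_incidents(events, signature, window=timedelta(minutes=5)):
    """Single-host rule: one or more matching events on a host within the
    window raise one incident for that host; further events inside the same
    window are folded into the open incident rather than opening a new one."""
    incidents = []
    open_until = {}  # host -> end of that host's current incident window
    for ts_str, host, sig in sorted(events):
        if sig != signature:
            continue
        ts = _ts(ts_str)
        if host in open_until and ts < open_until[host]:
            continue  # still inside an open window for this host
        open_until[host] = ts + window
        incidents.append((host, ts_str))
    return incidents

def outbreak_incidents(events, signature, min_hosts=5, window=timedelta(minutes=15)):
    """Multi-host (outbreak) rule: the same signature on at least min_hosts
    distinct hosts inside a sliding window raises one outbreak incident."""
    hits = sorted((_ts(t), h) for t, h, s in events if s == signature)
    outbreaks = []
    start = 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:
            start += 1  # slide the window forward past stale hits
        hosts = {h for _, h in hits[start:end + 1]}
        if len(hosts) >= min_hosts:
            outbreaks.append((hits[end][0].isoformat(), sorted(hosts)))
            start = end + 1  # close the window so one outbreak is reported once
    return outbreaks
```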
Endpoint log configuration
Except for Cylance, you must configure log collection for the endpoint application in the Application Registry page in the Alert Logic console before Alert Logic can collect log data and generate incidents. The Application Registry page is a catalog of all the available applications from which Alert Logic can receive log data. You can add multiple log collection instances to each application.
Configure an endpoint log collection instance
The instructions below provide a basic workflow for configuring an application. However, application requirements vary and often require different information. See the guide specific to the application you want to configure:
- Configure Carbon Black Log Collector
- Configure SentinelOne Log Collector
- Configure Cisco AMP Log Collector
- Configure Sophos Log Collector
- Configure CrowdStrike Log Collector
To see the full list of log collection instructions available, see Log Collectors Configuration Guide.
To add a new application collection:
- In the Alert Logic console, click the menu icon.
- Click Configure, and then click Application Registry.
- On the Application List tab, use the drop-down menu to select the application type you want to see.
- Click GET STARTED from the available application you want to configure.
- Depending on the application, the required fields and options vary. The general configuration requirements are the following:
  - Under Details, type a name for the application.
  - Under Collection Method and Policy, specify a location from where to collect log data, and provide the required credentials associated with your application account.
- Click ADD.
In the Application List tab, if you configured your application correctly, "Configured" appears on the application tile.
Cylance endpoint log collection configuration
You must already have configured an Alert Logic syslog remote collector and a Cylance application. To learn how to configure the Alert Logic remote collector, see Install the Remote Collector for Linux or Install the Remote Collector for Windows.
The Cylance application resources must be forwarding logs to the Alert Logic syslog remote collector on port 1515. To learn how to forward the logs, see the Cylance documentation.