Health

The Health page, listed under Respond in the Alert Logic console, provides detailed information about your environment to ensure that your deployments are configured correctly. Alert Logic provides the information you need to analyze and respond to health exposures in your environment that result from configuration or connection problems.

To help you investigate the health of your environment, the Health page organizes information in the following lists:

When you have investigated one or more health exposures and suggested remediations, you can dispose of or conclude the exposure.

Visuals in the Coverage and Health Dashboard link to the Health page, filtered to show relevant issues in your deployments.

Healthy versus unhealthy

The Health page displays information about assets in your deployments, which can include networks, appliances, agents, hosts with no agent, and collectors, to ensure the following:

  • Networks have an appliance provisioned and their traffic is captured.
  • Agents are assigned to an appliance, all assets are present and protected, and hosts are scanned and checked.
  • Appliances are deployed, provisioned, and capturing Network IDS traffic for protected networks.
  • Third-party applications integrated with Alert Logic through the Application Registry are connected and sending logs.
  • The configuration process is complete, and you can start gaining security value.

Alert Logic lists assets in your deployments as Healthy when they are properly configured and connected. Assets that have a connection or configuration problem, referred to as a health exposure, appear in the Unhealthy list.

Health exposure categories

For each unhealthy asset listed, you can see the health exposure category: connection or configuration.

Connection exposures

A connection exposure indicates that an asset such as a network appears to be offline. For example, an agent cannot connect to the appliance, or an appliance cannot connect to the Alert Logic back-end environment. Hosts with expired SSL certificates also appear as connection exposures.

Configuration exposures

A configuration exposure indicates an issue in your deployment that can hinder Alert Logic from delivering service properly, such as:

  • No appliance installations
  • Hosts with no agent
  • Misconfiguration preventing an appliance from connecting to the Alert Logic back-end server
  • Hosts that have not been recently scanned
  • Insufficient policy and role privileges
  • Integrated third-party applications with incorrect access credentials
  • AWS Config is not enabled in all regions

Filters

In the Health page, you can select a left navigation filter to narrow the list of items:

  • Unhealthy—Click Unhealthy to view a list of unhealthy assets and investigate health exposures in your deployments.
  • Healthy—Click Healthy to view a list of healthy assets. You can use this information to confirm which assets in your deployments are not experiencing connection or configuration issues.
  • Disposed—Click Disposed to view items removed from the Unhealthy list because a user in your organization assessed the exposure and indicated it does not need to be resolved.
  • Concluded—Click Concluded to view items that are considered resolved.

You can select one or more available filters such as Deployment, Protection Level, and Platform to narrow your list of items. The active filter is in bold format. Select one or more of the active filters to remove them. You can also select CLEAR FILTERS to remove all the active filters.

If you integrated SaaS collectors through the Application Registry, an Alert Logic Collector Support Deployment appears in the Deployment filters. Alert Logic creates this deployment to support collector filtering because collectors are outside your deployments.

Unhealthy list

The Unhealthy list displays a list of items with health exposures that Alert Logic found in your environment for the selected filters. You can view the list by asset type, remediations, or exposures. From the list, you can view more details about an item and perform immediate actions to remediate the exposure.

Asset views

To view a list of unhealthy assets, click one of these asset types in the View list:

  • Networks—Amazon Web Services (AWS) virtual private clouds (VPCs), Microsoft Azure VNets, or networks in your Data Center deployments
  • Appliances—Alert Logic appliances installed in your deployments to collect Network IDS data, provide WAF services, and in some cases, collect log data
  • Agents—Alert Logic agents deployed on your hosts to collect network traffic and log data
  • Hosts with No Agent—Hosts in your deployments with no Alert Logic agent installed. In AWS and Azure deployments, any host that you want Alert Logic to protect should have an agent installed on it. For Data Center deployments, an agent is not required if your network automatically forwards network traffic to your appliances through port mirroring. Agents are required if you want to collect logs from Windows platforms in a Data Center deployment.
  • Collectors—API-based application collectors integrated with Alert Logic through the Application Registry

Each listed item includes the exposure type, information about the asset, number of remediations, and number of exposures. For appliances and agents, a chart shows the Network IDS traffic from the last 24 hours. For agents and collectors, a chart shows the log traffic for the last 24 hours.

You can click View next to an item to see more details and perform actions to remediate listed exposures.

Remediations view

To view the list of remediations, click Remediation in the View list. Remediations provide recommended actions to resolve one exposure or a group of exposures. Addressing a remediation can usually resolve multiple exposures.

Each listed item includes the exposure type, the threat level of each exposure, and the total number of exposures affected by the remediation.

You can click View to see more details. Click Open to view details about the suggested remediation action, a list of exposures, affected assets, and evidence entries. You can dispose of the remediation or mark it as concluded from this page.

Exposures view

To view the list of exposures, click Exposures in the View list. One exposure can affect multiple assets, and multiple exposures can be associated with one remediation. You can resolve an exposure by addressing the recommended remediation action, which also resolves all of the exposures associated with that remediation.

Each listed item includes the exposure type, threat level, the total number of exposures affected by the remediation, Common Vulnerability Scoring System (CVSS) score, and number of affected assets.

You can click View to see more details. Click Open to view a description of the exposure, including the resolution, affected assets, and evidence entries. You can dispose of the exposure or mark it as concluded from this page. You can also go to the remediation from this page to resolve the exposure and other similar exposures.

Detail page

In the Unhealthy assets list, you can click View next to an item to see additional details and perform actions to remediate the exposure.

For asset views, the detail page provides information about the asset, lists remediations and exposures (including the threat level icon), and indicates how many assets the exposure affects. Click a remediation and exposure to view details about the suggested remediation action, a list of exposures, affected assets, and evidence entries. You can dispose of the remediation or mark it as concluded from this page.

For the Remediations view, the detail page lists the exposures and their CVSS scores, account, affected deployments, and number of affected assets.

For the Exposures view, the detail page lists the account, affected deployments, threat level, and affected assets.

About threat levels

The Exposures view and the detail view for an unhealthy asset use colors and icons to help you easily identify the threat levels of the exposures. Alert Logic categorizes threat levels of exposures with the following icons and colors:

  • High
  • Medium
  • Low
  • Info

Dispose

You can access the option to dispose of a remediation by clicking Open on an item in the Remediations view or the Exposures view. In an asset view, you can also click the remediation and exposure from the detail page to access the dispose option.

To dispose of an item and move it to the Disposed list, click the dispose icon. You must specify a period of time and indicate whether the exposures are an acceptable risk, are a false positive, or have a compensating control in place. After a disposal period expires, Alert Logic no longer hides the item, which appears again in the Unhealthy list.

You can also click the restore icon on a disposed item to review items and restore them to the Unhealthy list. If you mark an item as disposed, Alert Logic excludes the calculated risk of its vulnerabilities from the overall risk of your deployment.

Conclude

You can access the option to conclude a remediation by clicking Open on an item in the Remediations view or the Exposures view. In an asset view, you can also click the remediation and exposure from the detail page to access the conclude option.

To conclude an item and move it to the Concluded list, click the conclude icon, and then confirm by clicking CONCLUDE.

You can also click the restore icon on a concluded item to review items and restore them to the Unhealthy list. If you mark an item as concluded, Alert Logic verifies the exposure no longer exists during the next scan.

Healthy list

The Healthy list displays a list of healthy assets found in your environment for the selected filters. You can view your healthy assets by asset type. For appliances and agents, a chart shows the Network IDS traffic from the last 24 hours. For agents and collectors, a chart shows the log traffic for the last 24 hours.

Click View next to an item to see detailed information about the asset.

Disposed list

The Disposed list includes items removed from the Unhealthy list after a user from your organization assessed the exposure and indicated it does not need to be resolved. You can view disposed items by remediations or exposures. For more information, see Dispose, Remediations view, or Exposures view.

Concluded list

The Concluded list includes exposures that are considered resolved. You can view concluded items by remediations or exposures. For more information, see Conclude, Remediations view, or Exposures view.

Export details

You can export one or more items on the Health page to a CSV file to view later or to share with others in your organization. From any list, you can click the selection box above the list to select all listed items. If you hover over or click the icon or selection box next to an item, you can select it for a single export.