Incidents

This page describes the information the Alert Logic console displays about incidents, how to use that information to manage and close incidents, and how to secure your environments. An incident consists of one or more suspicious events that require attention to maintain your security posture, achieve regulatory compliance, or both. Alert Logic generates incidents from multiple detection sources, and then organizes the incidents by threat level and MITRE type.

You can check the operational status of the Alert Logic intrusion detection services in the Service Status page in the Alert Logic console. Alert Logic recommends that you subscribe to the Service Status page and all your Alert Logic components, including Network IDS. For more information about the Service Status page and how to subscribe, see Service Status.

View incidents

The Incidents page, under Respond in the Alert Logic console, provides you with the information you need to analyze and address incidents in your environment.

The list on the Incidents page displays all the open, snoozed, or closed incidents in your account environment, as well as the account, deployment, date and time, the IP address of the attacker, and the target appliance name.

Incident list

The incident list is formatted as a table-style list that allows you to show several columns of relevant information. You can adjust the column size, remove and add columns, and drag and drop columns into the order you want. You can also sort some columns by date or alphabetical order. Click the sort icon () on the left of the column name. The default columns shown are the following:

  • Attacker
  • Date
  • Deployment
  • Incident ID
  • Status
  • Summary
  • Target
  • Threat Level

Other columns you can add to your incident list are the following:

  • Account
  • Classification
  • Correlation Name
  • Detection Source
  • Incident Note Count
  • MITRE Tactic
  • MITRE Technique
  • Role

You can remove and add columns to show only columns of information that are important to you. Click Choose Columns to see all of the available columns, and then select check boxes you want to include in or clear check boxes you want to exclude from your list. Click the reset icon () to revert to the default column view, including default columns, sorting, and size.

Incident filters

You can select multiple filters at a time to build the specific combination that matches your current security needs. Selecting multiple filters lets you see incidents across more than one status, threat level, incident classification, deployment, or other available criteria.

To apply multiple filters to the incident list:

  1. Click on a filter group on the left panel. For example, click Open, under Status.
  2. Click Show More to see all of the available filters in this filter set.
  3. Select all of the filters you want to see, or clear filters you do not want to see.

Incident preview

You can preview summary information automatically when you hover over an incident or hide the preview for all. The preview panel displays the following information:

  • Incident summary
  • Date
  • Account
  • Attacker IP address
  • MITRE Classification
  • Detection source
  • Incident ID
  • Status
  • Target
  • Threat level

To hide the preview, click the hide icon () to collapse the preview panel. If you want to see the preview again, click the show icon ().

Incident download

You can download incident data to a CSV file. The CSV file contains all of the information in your current incident list view with the applied filters and date range. Multiple options are available to export data to best suit how you want to analyze your incidents. You can download incident data for all incidents, for only incidents you select, or for all the incidents mapped in the filters you applied and for the date range you selected. These options allow you to control how many incidents you want to include and how you want to separate the data.

To download data for all incidents that match the filters you selected:

  1. Click the download icon () at the top of the incident list.

    Downloading data for all incidents in your applied filters and date range can return a large number of incident results. This can cause a longer downloading period and a larger CSV file.

  2. Click DOWNLOAD.
  3. Wait for the download to complete.

Your results are downloaded as a compressed (zip) folder that contains the CSV file.

To download data for only certain incidents:

  1. Select the check boxes next to the incidents for the data you want to download.
  2. In the blue bar at the bottom of the page, click EXPORT.

Your results are downloaded to a CSV file.

To download data for 100 incidents:

  1. Select the check box at the top of the incident list to select all of the incidents visible on the page.
  2. Click SELECT 100 INCIDENTS WITH THE APPLIED FILTERS AND DATE RANGE.
  3. In the blue bar at the bottom of the page, click EXPORT.

Your results are downloaded to a CSV file.

The Incidents page continues to support bulk actions to update, snooze, or close multiple incidents, in addition to exporting them.

Advanced incident search

The advanced search feature allows you to create complex queries that can combine with selected filters to further refine your incident search results. To access the advanced search feature, click advanced search under the search bar.

In the advanced search field, type a query statement using available fields and operators. If needed, you can use subsequent search fields to add OR statements and create a search that tests for multiple conditions. As you type a search statement, a warning icon () appears to the left of the search field until the query contains valid syntax. You cannot submit a search with invalid syntax.

A common query you can perform with the advanced incident search is the one below, which finds incidents whose attacker IP address is located in Russia:

AttackerCountryName="Russia"

For a complete list of fields and additional sample search statements, see Perform Advanced Incident Searches.

Search by date and time range

The date range drop-down menu allows you to display incidents that occurred during a selected date range and within a time range for the selected dates. Select from the following to display incidents that occurred within the specified date and time range:

  • This Month — Displays a calendar of the current month with all days highlighted.
  • Today — Displays a calendar with the current day highlighted.
  • This Week — Displays a calendar with the current week highlighted.
  • All — Displays a calendar on which you can click to select individual days, or a date range, for which you want to see incidents.

Each selection allows you to specify a time range to further narrow the search results.

About threat levels

Incident threat levels convey the severity of each incident raised for protected assets, which allows you to assess and prioritize the actions to take toward threat remediation. Alert Logic categorizes incidents into the following threat levels, each shown with its own icon and color:

  • Critical
  • High
  • Medium
  • Low
  • Info

About detection sources

Alert Logic detection sources convey the source of the incident. The following table lists and defines the possible detection sources.

  • Correlation Rules: You can define correlation rules to perform your own analysis of log messages and configure the correlation to generate an incident. Not all filters are available for this detection source. For more information, see Correlations and Notifications.
  • Network IDS: The Network Intrusion Detection System (Network IDS) monitors your deployments and generates incidents when it detects security threats such as brute force attacks, privilege escalation, and ransomware.
  • Manual: The Manual detection source is for incidents created manually from the Log Search page in the Alert Logic console. Not all filters are available for this detection source.
  • Firewall: Alert Logic can detect and generate firewall security incidents from log data collected from third-party firewall application resources. For more information, see Firewall Incidents and Log Configuration.
  • Web Log Analytics (WLA): Alert Logic generates incidents from log data collected through the WLA configuration, which detects common application vulnerabilities. For more information, see About Alert Logic Web Log Analytics (WLA).
  • Log Mgmt: Alert Logic generates incidents when the Log Management service detects suspicious activity such as unauthorized privilege escalations, brute force attempts, and access activities.
  • GuardDuty: Amazon GuardDuty is a continuous security monitoring service that you can integrate with Alert Logic. GuardDuty uses security logic and AWS usage statistics to identify unexpected and potentially unauthorized or malicious activity, such as privilege escalation, use of exposed credentials, or communication with malicious IPs, URLs, or domains. For more information, see Integrate Amazon GuardDuty Findings into Alert Logic Incidents.

About MITRE tactic types

Tactics represent the "why" behind an adversary's action: the tactical goal they are trying to achieve by performing it. For more information, see MITRE. The following table lists and defines the possible MITRE tactics.

  • Credential Access: The adversary is trying to steal account names and passwords.
  • Initial Access: The adversary is trying to get into your network.
  • Command and Control: The adversary is trying to communicate with compromised systems to control them.
  • Execution: The adversary is trying to run malicious code.
  • Resource Development: The adversary is trying to establish resources they can use to support operations.
  • Various: The adversary is using more than one tactic.
  • Persistence: The adversary is trying to maintain their foothold.
  • Reconnaissance: The adversary is trying to gather information they can use to plan future operations.

About MITRE technique types

Techniques represent how an adversary achieves a tactical goal by performing an action. For more information, see MITRE. The following table lists and defines the possible MITRE techniques.

  • Brute Force: Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials, or offline against previously acquired credential data, such as password hashes.
  • Exploit Public-Facing Application: Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet-accessible open sockets, such as web servers and related services. Depending on the flaw being exploited, this may include Exploitation for Defense Evasion.
  • Various: The adversary is using more than one technique.
  • Application Layer Protocol: Adversaries may communicate using application layer protocols to avoid detection or network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
  • Exploitation for Client Execution: Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system, because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly use to do work, so those applications are a useful target for exploit research and development because of their high utility.
  • Valid Accounts: Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network, and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence.
  • Exploitation for Credential Access: Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions. Exploitation for credential access may also result in Privilege Escalation, depending on the process targeted or credentials obtained.
  • Account Manipulation: Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.
  • Active Scanning: Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.

Incident actions

The incident list provides you with information that helps you determine what action to take for each incident. Each incident on the list allows you to preview the incident, or open the incident to view the Investigation Report, Recommended Course of Action, or Evidence. All views allow you to take certain actions to address the incident.

Update an incident

Update () allows you to choose from a list of options to update an incident with your assessment of the threat, and add an optional note to provide additional details about your update.

The following Threat Assessment options inform others in your organization whether the threat is valid, and what action (if any) the organization should take to remediate the threat.

Threat presents a valid risk:

  • Taking action to mitigate the threat.
  • Risk is acceptable. No action required.

Threat does not present a valid risk:

  • Compensating control in place. No action required.
  • The threat is not valid.
  • Other assessment.

You can also mark the incident as Not concluded yet.

If you provide an update for an incident, you inform others in your organization about the status of the incident, and they can read detailed notes about any actions taken.

If you update an incident, the incident remains open.

Snooze an incident

Snooze () allows you to temporarily remove an incident from the list until you remediate and close the incident. Snooze appears on the Investigation Report, Recommendations, and Evidence pages. To snooze an incident:

  1. Select from the snooze options (tomorrow, in a couple days, next week, or in two weeks) when to return the incident to the Incident List.
  2. Add an optional note about the incident.
  3. Click Snooze.

You can click the Snoozed icon () to edit your snooze options, or to cancel the snooze and return the incident to the list.

Close an incident

The option to close an incident appears on the Investigation Report, Recommendations, and Evidence pages. When you close an incident, you remove it from the list.

Click Close () to close an incident.

Fill out the following information to justify closing the incident:

  • Your assessment of the threat.

    The following Threat Assessment options inform others in your organization whether the threat is valid, and what action (if any) the organization should take to remediate the threat.

    Threat presents a valid risk:

    • Taking action to mitigate the threat.
    • Risk is acceptable. No action required.

    Threat does not present a valid risk:

    • Compensating control in place. No action required.
    • The threat is not valid.
    • Other assessment.
  • Notes about the incident, including your reasons for closing the incident, and any steps taken to address the threat.

Reopen an incident

If you determine a closed incident merits further investigation or discussion, you can reopen the incident.

To reopen a closed incident:

  1. Filter the list by Closed incidents.
  2. Click the incident you want to reopen.
  3. Click Closed.
  4. Add an optional note to explain why you reopened the incident.
  5. Click REOPEN.

Bulk actions and exports

The Incident List supports bulk actions if you want to update, snooze, close or export one or multiple incidents. From the list, you can click the selection box () above the incidents to select all displayed incidents. Scroll down the list to add to the selection. If you click the selection box () next to one or more incidents, you can select those incidents for a single action. The limit for closing incidents is 100 at a time. Selecting more when performing a bulk action will result in an error.

When you select one or more incidents, you can also choose to export the incident details to a CSV file to view later, or to share with others in your organization.

View Incident Details

Click a row in the incident list to view the details of any incident. Incident details appear on the Investigation Report, Recommended Course of Action, and Evidence pages. The information provided helps you decide whether to update, close, snooze, or reopen an incident. You can also respond to an incident from the incident details.

Multi-account management

The account selector allows you to monitor all the managed (child) accounts in your organization. If you use this feature to change your account selection to that of a managing (parent) account, you can monitor, assess, and compare the security posture across the entire organization.

Click the account name located in the upper right of your screen to view the full list of accounts in your organization. From the drop-down, select a parent account. You can use the search feature to narrow the list.

If your organization manages assets for other customer accounts, you can see data from child accounts on the Incidents page and the Reports page.

For all other features, the Alert Logic console displays results only for the chosen customer account. If, on any feature page, you want to view results for only a specific managed account, use the account selector to change the customer account.