Incidents

Overview

This page describes the information Alert Logic displays about incidents, how to use that information to manage and close incidents, and how to secure your environments. The Incident Summary and the Incident List under the Incidents tab in the Alert Logic console provide you with the information you need to analyze and address incidents in your environment.

An incident includes correlated suspicious events that require attention to maintain your security posture, achieve regulatory compliance, or both. Alert Logic generates incidents from information received from detection sources (Network IDS, Web Application IDS, Log Management, GuardDuty, and manually generated incidents), and then organizes incidents by threat level and classification type.

About threat levels

Incident threat levels convey the severity of each incident raised for protected assets, which allows you to assess and prioritize the actions to take toward threat remediation. Alert Logic categorizes incidents with the following icons and colors:

  • Critical
  • High
  • Medium
  • Low
  • Info (This threat level applies only to incidents created by scanning services.)

About incident classification types

Alert Logic classifies incidents based on evidence received from monitored assets. The following list defines the possible classification types.

Application attack
  An application attack incident identifies attacks that target application-specific vulnerabilities. Alert Logic creates an application attack incident when an attacker attempts to compromise an application with a buffer overflow, race condition, directory traversal, SQL injection, cross-site scripting, or /usr/bin/perl or other UNIX command attempts.

Brute force
  A brute force incident identifies repeated authentication attempts and related activities. Alert Logic triggers a brute force incident when sufficient events indicate attempts to systematically compromise a system by brute force guessing valid user name and password combinations.

Denial-of-service
  A denial-of-service incident, which includes denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks, identifies an attempt to make computer resources or services unavailable either temporarily or indefinitely. Attackers typically use DoS and DDoS either to prevent e-commerce retailers from conducting business, or to send a social message.

  Alert Logic creates a denial-of-service incident when events indicate this type of attack.

Info leak
  An information leak incident is a generally successful recon attempt. Alert Logic creates an information leak incident when events indicate attempts at reconnaissance activities. For example, port scans used to identify open and closed ports or obtaining information from a secure system can trigger an incident. For more information about reconnaissance activities, see Recon.

Log policy
  Alert Logic creates a log policy incident automatically when selected correlated log messages meet specific conditions you define.

  For example, you can specify that Alert Logic identify log messages containing five failed login events within a 60-second time period, and then create a log policy incident.

Misconfiguration
  Alert Logic triggers a misconfiguration incident when events indicate that a system is incorrectly configured. Attackers can use the misconfiguration to compromise the system.

Policy violation
  A policy violation incident identifies activities that violate the acceptable use policies of most companies. These activities include viewing inappropriate material, peer-to-peer activity, and firewall policy changes.

Recon
  A recon incident identifies events that indicate reconnaissance activities against a network or set of hosts to evaluate them as a target. The activities that trigger this incident include gathering information about a server operating system, software versions, or the presence of debugging or demonstration scripts.

Suspicious activity
  A suspicious activity incident identifies activity not included in another category that requires further research. Alert Logic creates a suspicious activity incident when anomalous activities, which could indicate a compromise, occur.

  For example, the addition of a new domain administrator without the intent and knowledge of existing administrators could indicate an attacker added the administrator role to gain control over the environment or to provide a backdoor entry into the systems.

Trojan activity
  A Trojan activity incident identifies activity that indicates a host is infected by a Trojan horse or other type of backdoor malware, which masquerades as a legitimate program but actually steals information or harms the system.

Worm activity
  A worm activity incident identifies hosts that display signs of worm infection. A computer worm is self-replicating malware that uses a network to propagate and copy itself to other nodes, with or without your intervention. A worm typically uses a known vulnerability, and can cause damage by altering the infected system and consuming valuable network bandwidth.
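The log policy example above (five failed logins within 60 seconds) and the brute force classification both rest on the same idea: correlate individual log events per source inside a sliding time window and raise an incident once a threshold is crossed. The following Python is an added illustration of that correlation logic, not Alert Logic's own policy engine; the sshd-style log lines, the field names in the resulting incident record, and the "fire once per burst" behaviour are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not taken from the page). 198.51.100.7 fails
# five times inside one minute; 203.0.113.9 fails twice, far apart, and also
# logs one successful login that the policy must ignore.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z bastion sshd[4101]: Failed password for admin from 198.51.100.7 port 52211 ssh2
2024-05-01T10:00:05Z bastion sshd[4102]: Accepted password for alice from 203.0.113.9 port 40120 ssh2
2024-05-01T10:00:12Z bastion sshd[4103]: Failed password for admin from 198.51.100.7 port 52212 ssh2
2024-05-01T10:00:20Z bastion sshd[4104]: Failed password for root from 198.51.100.7 port 52213 ssh2
2024-05-01T10:00:33Z bastion sshd[4105]: Failed password for invalid user deploy from 198.51.100.7 port 52214 ssh2
2024-05-01T10:00:41Z bastion sshd[4106]: Failed password for bob from 203.0.113.9 port 40121 ssh2
2024-05-01T10:00:55Z bastion sshd[4107]: Failed password for admin from 198.51.100.7 port 52215 ssh2
2024-05-01T10:02:10Z bastion sshd[4108]: Failed password for admin from 198.51.100.7 port 52216 ssh2
2024-05-01T10:03:00Z bastion sshd[4109]: Failed password for carol from 203.0.113.9 port 40122 ssh2
"""

# Matches the OpenSSH failed-password message; "invalid user" is optional.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_failed_login(line):
    """Return (timestamp, user, source_ip) for a failed-login line, else None."""
    m = FAILED_LOGIN.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("user"), m.group("src")


def find_log_policy_incidents(lines, threshold=5, window_seconds=60):
    """Raise one incident per burst of >= threshold failures from one source
    within window_seconds. Events are assumed to arrive in time order."""
    recent = defaultdict(deque)  # source ip -> (timestamp, user) still inside the window
    incidents = []
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue  # successes and unrelated messages do not count
        ts, user, src = parsed
        window = recent[src]
        window.append((ts, user))
        # Slide the window: drop events older than window_seconds before this one.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            incidents.append({
                "classification": "log-policy",  # constructed label
                "source": src,
                "count": len(window),
                "first_seen": window[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "targeted_users": sorted({u for _, u in window}),
            })
            window.clear()  # fire once per burst; a new burst starts a fresh count
    return incidents


if __name__ == "__main__":
    for incident in find_log_policy_incidents(SAMPLE_LOGS.splitlines()):
        print(incident)
```

Running the block prints a single incident for 198.51.100.7 covering the five failures between 10:00:01 and 10:00:55; the two failures from 203.0.113.9 are more than 60 seconds apart and never reach the threshold, and the lone failure at 10:02:10 starts a new, sub-threshold count. Raising the threshold to 6 or shrinking the window to 30 seconds produces no incident at all, which is the trade-off a policy author tunes: tighter settings miss slow, patient guessing, looser ones page on ordinary typos.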

Incident Summary

The Incident Summary provides a high-level, interactive view of all open incidents, arranged by classification type and threat level.

The Summary displays the total number of open incidents and affected hosts. The interactive infographic allows you to hover over an incident circle to determine the number of incidents of that classification type at that severity level. Click the incident circle to open the Incident List, filtered by the specified classification and threat level. Click a classification type on the infographic to open the Incident List, filtered by incidents of that classification type.

Incident List

The Incident List displays all the open incidents in your account environment, as well as the account, deployment, date and time, the IP address of the attacker, and the target appliance name.

Incident actions

The Incident List provides you with information that helps you determine what action to take for each incident. Each incident on the list allows you to preview the incident, or open the incident to view the Investigation Report, Recommendations, or Evidence. All views allow you to take certain actions to address the incident.

Update an incident

Update allows you to choose from a list of options to update an incident with your assessment of the threat, and add an optional note to provide additional details about your update.

The following Threat Assessment options inform others in your organization whether the threat is valid, and what action (if any) the organization should take to remediate the threat.

Threat presents a valid risk:

  • Take action to mitigate the threat.
  • Risk is acceptable. No action required.

Threat does not present a valid risk:

  • Compensating control in place. No action required.
  • The threat is not valid.
  • Other assessment.

If you provide an update for an incident, you inform others in your organization about the status of the incident, and they can read detailed notes about any actions taken.

If you update an incident, the incident remains open.

Snooze an incident

Snooze allows you to temporarily remove an incident from the Incident List until you remediate and close the incident. Snooze appears on the Investigation Report, Recommendations, and Evidence pages. To snooze an incident:

  1. Select from the snooze options (tomorrow, in a couple days, next week, or in two weeks) when to return the incident to the Incident List.
  2. Add an optional note about the incident.
  3. Click Snooze.

You can click the Snoozed icon to edit your snooze options, or to cancel the snooze and return the incident to the Incident List.

Close an incident

The option to close an incident appears on the Investigation Report, Recommendations, and Evidence pages. When you close an incident, you remove it from the Incident List.

Click Close to close an incident.

Fill out the following information to justify closing the incident:

  • Your assessment of the threat.

    The following Threat Assessment options inform others in your organization whether the threat is valid, and what action (if any) the organization should take to remediate the threat.

    Threat presents a valid risk:

    • Take action to mitigate the threat.
    • Risk is acceptable. No action required.

    Threat does not present a valid risk:

    • Compensating control in place. No action required.
    • The threat is not valid.
    • Other assessment.
  • Notes about the incident, including your reasons for closing the incident, and any steps taken to address the threat.

Reopen an incident

If you determine a closed incident merits further investigation or discussion, you can reopen the incident.

To reopen a closed incident:

  1. Filter the Incident List by Closed incidents.
  2. Click the incident you want to reopen.
  3. Click Closed.
  4. Add an optional note to explain why you reopened the incident.
  5. Click REOPEN.

Incident preview

Click Preview for an overview of the incident, including:

  • Attacker IP address
  • Target name
  • Account
  • Detection source
  • Deployment name
  • Appliance name
  • Incident classification

The preview allows you to update an incident, close an incident, or snooze an incident. For more information, see Incident actions.

Click Open to view the details of any incident on the list. Incident details appear on the Investigation Report, Recommendations, and Evidence pages. The information contained in these pages helps you decide whether to update, close, snooze, or reopen an incident.

Incident filters

If the Incident List contains a large number of incidents, you can apply filters to narrow the list to a specific set of incidents. In the left navigation, you can choose to display only Open incidents, Snoozed incidents, or Closed incidents. You can also apply the following filters to those incidents:

  • Threat Level
  • Classification
  • Sources
  • Deployment

If you select the Deployment filter, and then select an AWS deployment, the following filters are also available:

  • Region
  • VPC
  • Subnet
  • Tags
  • Service
  • Role

Advanced incident search

The advanced search feature allows you to create complex queries that can combine with selected filters to further refine your incident search results. To access the advanced search feature, click advanced search under the search bar.

In the advanced search field, type a query statement using available fields and operators. If needed, you can use subsequent search fields to add OR statements and create a search that tests for multiple conditions. As you type a search statement, a warning icon appears to the left of the search field until the query contains valid syntax. You cannot submit a search with invalid syntax.

A common query you can perform with the advanced incident search is the following, which searches for brute force incidents:

Classification="brute-force"

For a complete list of fields and additional sample search statements, see Perform Advanced Searches.

Search by date and time range

The date range drop-down menu allows you to display incidents that occurred during a selected date range and within a time range for the selected dates. Select from the following to display incidents that occurred within the specified date and time range:

  • This Month—Displays a calendar of the current month with all days highlighted.
  • Today—Displays a calendar with the current day highlighted.
  • This Week—Displays a calendar with the current week highlighted.
  • All—Displays a calendar, on which you can click to select days, or a date range, for which you want to see incidents.

Each selection allows you to specify a time range to further narrow the search results.

Investigation Report

When you open an incident, Alert Logic displays the Investigation Report, which includes an attack summary. This page describes the attack type and the attack methods, which help you understand the incident and its impact on your assets. If Alert Logic receives metadata from your assets, the Investigation Report also displays a topology diagram, which allows you to click an asset to view its details. For more information, see Topology. In addition, the Audit Log lists the activity for the selected incident.

Click SEE RECOMMENDATIONS to learn how to remediate the incident and protect the threatened asset.

Recommendations

Recommendations provides one or more courses of action you should take to secure the asset under attack and remediate the incident. In addition, the Audit Log lists the activity for the selected incident.

After you perform the recommended courses of action, click Close to mark the incident as closed and clear it from the Incident List. For more information about closing incidents, see Close an incident.

Evidence

The Evidence page displays information about the incident, including events, correspondence, and activity. You can use the information on this page to determine how to address incidents in your environment.

The Evidence page uses the following icons to display the following information about the selected incident:

  • Incident activity—The Incident Activity icon lists activity and logs associated with the selected incident. The numeral on the icon represents the number of activities associated with the attack. Click the icon to expand the section and reveal details about the attack and the assets involved, as well as all activity and logs for the incident.
  • Flagged evidence—Alert Logic analysts can flag items of interest as supporting evidence for the attack and provide notes specific to each flagged item.
  • System-generated event—This indicates the creation of the incident, or that the threat rating of the incident changed. The color and shading of the icon corresponds with the threat rating, as seen in About threat levels.
  • Incident notes from Alert Logic—An Alert Logic analyst can provide notes about the incident, which appear in the Audit Log and Evidence List.
  • Incident escalated to customer—The incident escalation icon indicates that Alert Logic notified you by email that the incident escalated. The color of the icon corresponds with the incident threat rating, as seen in About threat levels.
  • Customer notes—Any notes you create about the incident appear in this section.

Click the incident activity icon to view the events most relevant to the selected incident. If the incident is an IDS incident, and if you want to analyze all incident events, you can download all the incident event information to a PCAP file, which you can view in a third-party PCAP analyzer, such as Wireshark.

Audit Log

The Audit Log, which appears on the Investigation Report and Recommendations pages, uses the following icons to display milestone actions and information about the selected incident:

  • Flagged evidence—Alert Logic analysts can flag items of interest as supporting evidence for the attack and provide notes specific to each flagged item.
  • System-generated event—This indicates the creation of the incident, or that the threat rating of the incident changed. The color and shading of the icon corresponds with the threat rating, as seen in About threat levels.
  • Incident notes from Alert Logic—An Alert Logic analyst can provide notes about the incident, which appear in the Audit Log and Evidence List.
  • Incident escalated to customer—The incident escalation icon indicates that Alert Logic notified you by email that the incident escalated. The color of the icon corresponds with the incident threat rating, as seen in About threat levels.
  • Customer notes—Any notes you create about the incident appear in this section.

The Audit Log information is similar to that of the Evidence page, but does not include the incident activity. Click Evidence for more information about incident activity.

Bulk actions and exports

The Incident List supports bulk actions if you want to update, snooze, close, or export one or multiple incidents. From the Incident List, you can click the selection box above the incidents to select all incidents. If you hover over and click the threat level icon for one or more incidents, you can select those incidents for a single action.

When you select one or more incidents, you can also choose to export the incident details to a CSV file to view later, or to share with others in your organization.

Multi-account management

The account selector allows you to monitor all the managed (child) accounts in your organization. If you use this feature to change your account selection to that of a managing (parent) account, you can monitor, assess, and compare the security posture across the entire organization.

Click the account name located in the upper right of your screen to view the full list of accounts in your organization. From the drop-down, select a parent account. You can use the search feature to narrow the list.

If your organization manages assets for other customer accounts, you could see data from child accounts on the Incidents page and the Reports page.

For all other features, the Alert Logic console displays results only for the chosen customer account. If, on any feature page, you want to view results for only a specific managed account, use the account selector to change the customer account.

Notifications

Use the Notifications feature to set up email notifications when incidents of specified threat levels and escalations occur for your account and accounts you manage. Notifications allow you to know about, and respond quickly to, threats in your environment.

If you configure notifications for both escalations and specified threat levels, you could receive notification email messages for the same incident when Alert Logic creates it and again upon each escalation of that incident. Configure notifications for threat levels only if you want email alerts when Alert Logic creates an incident of the specified threat level. Configure notifications for escalations only if you want email alerts any time the Alert Logic SOC escalates an incident, regardless of threat level.

You can set up a user account designated as "Notification Target Only," which exists solely to receive email notifications, and does not have the ability to log into the Alert Logic console. If you need to maintain an audit trail of all relevant escalations that you do not need to review until necessary, you can send notifications of all escalations and severity levels to the notification target. You can also configure notifications to send an email for escalations only to a notification target created with a shared email address to allow multiple people to monitor relevant escalations, even if they do not have an Alert Logic user account. For more information, see Create a user account as a notification target.

To set up incident notifications:

  1. In the Notifications panel, make any combination of the following choices:
    • Escalations—Click to specify the accounts for which you want notification of incident escalations. An incident escalation indicates that the Alert Logic Security Operations Center (SOC) sent an email to the designated contact for your account that the incident escalated.
    • Critical—Click to specify the accounts for which you want notification when an incident with a threat rating of Critical occurs for assets within the specified accounts.
    • High—Click to specify the accounts for which you want notification when an incident with a threat rating of High occurs for assets within the specified accounts.
    • Medium—Click to specify the accounts for which you want notification when an incident with a threat rating of Medium occurs for assets within the specified accounts.
    • Low—Click to specify the accounts for which you want notification when an incident with a threat rating of Low occurs for assets within the specified accounts.
    • Info—Click to specify the accounts for which you want notification when an incident with a threat rating of Info occurs for assets within the specified accounts. This threat level applies only to incidents created by scanning services.
  2. Click SAVE.

The Notifications page in the Alert Logic console allows you to perform this task and, if your user account has the administrator role, to manage and configure the notifications for users. For more information about the Notifications page, see Notifications.