Reports Guide

The REPORTS tab in the Alert Logic console provides access to data related to exposures and incidents Alert Logic found within your deployments. You can also view data related to your product usage within your accounts.

Report data is cached and refreshed at regular intervals, so the console can lag behind the latest data for short periods.

Depending on your Alert Logic subscriptions, you will see some or all of the following report types:

  • Risk—Provide convenient access to analysis, statistics, assessments, and trending data related to your security and health posture and threat risk index. Each report provides interactive filtering options, visual representations of the data, and informative tooltips. All subscriptions see this content.
  • Threats—Provide convenient access to analysis, statistics, assessments, and trending data related to threats and incidents detected from your subscribed products and services. Each report provides interactive filtering options, visual representations of the data, and informative tooltips. This content requires a Professional or Enterprise subscription.
  • Vulnerabilities—Provide convenient access to analysis, statistics, assessments, and trending data related to vulnerabilities discovered in your environment based on scanning outcomes. Each report provides interactive filtering options, visual representations of the data, and informative tooltips. All subscriptions see this content.
  • Remediations—Provide convenient access to analysis, statistics, assessments, and trending data related to configuration issues and security exposures from your subscribed products and services. Each report provides interactive filtering options, visual representations of the data, and informative tooltips. All subscriptions see this content.
  • Compliance—Provide convenient access to analysis, statistics, and trending data related to compliance assessment status and audit preparedness from your subscribed products and services. Each report provides interactive filtering options, visual representations of the data, and informative tooltips. All subscriptions see this content.
  • Service—Provide convenient access to data related to entitlements, capability usage, users, and security content for your subscribed products and services. Each report provides interactive filtering options, visual representations of the data, and informative tooltips. This content requires a Professional or Enterprise subscription.

Each report allows you to share its data by email, or to download the report in image, data, crosstab, or PDF format.

Filtering reports

You can filter each report to refine the results and show only the information you need. Each report has a set of filters at the top; select or clear the filters you want to apply. Alert Logic also allows you to add or remove some or all of the values within a filter.

By default, Alert Logic includes (All) filter values in the report.

To add or remove values in a filter:

  1. Click the drop-down menu in the filter, and then select or clear values.
  2. Click Apply.

Some filters allow you to include or exclude all selected values in a filter for quick refining.

To include or exclude all filter values:

  1. Click the drop-down menu next to the filter icon, and then select Include Values or Exclude Values.
  2. Click Apply.

Risk

The Risk reports provide convenient access to analysis, statistics, assessments, and trending data related to your security and health posture and threat risk index.

Alert Logic provides Risk reports within the following categories:

  • Security Posture—Provide comparative trending analysis to help you improve your overall security posture, reduce threat risk index scores, and optimize the security product and service capabilities deployed in your environment.

  • Threat Risk Index—Provide valuable summary and trending data for the threat risk index scores for the deployments and networks in your environment. You can gain insight into emerging threats and learn which assets in your environment are most at risk.

To access the Risk reports, in the Alert Logic console, click the Reports tab, and then click Risk.

Security Posture

You can run the following report, which provides information about your overall security posture:

  • Monthly Security Posture: Provides the current and historic security risk and health posture of your environment, including configuration remediations and risk posture overviews, vulnerabilities assessment, and threat analysis. To learn more about this report, see Monthly Security Posture.

Threat Risk Index

You can run the following reports that provide valuable summary and trending data for the threat risk index scores:

  • TRI Summary Report: Provides the current threat risk index (TRI) scores of your environment, including the overall TRI score and trends, score details, risk index asset distribution charts, and top ten lists. To learn more about this report, see TRI Summary.
  • TRI Trends Report: Provides insights into threat risk index (TRI) averages and trends in reducing risks, including TRI scores, total vulnerability and host counts, internet-facing vulnerabilities, exploit availability, and last scanned age. To learn more about this report, see TRI Trends.

Threats

The Threats reports provide convenient access to analysis, statistics, assessments, and trending data related to threats and incidents detected from your subscribed products and services. Alert Logic provides Threats reports within the following categories:

  • Incident Analysis—Provide valuable insights and trending data for incidents created from all subscribed detection sources (Network IDS, Log Management, Web Application IDS, Amazon GuardDuty).
  • AWS Incident Analysis—Provide valuable insights and trending data for incidents discovered in your AWS environments from Network IDS and incidents generated by Amazon GuardDuty security findings.
  • Azure Incident Analysis—Provide valuable insights and trending data for incidents in your Azure environments created from Network IDS detection sources.
  • Web Application Analysis—Provide valuable summary, distribution, and trending data for policy violations from your inline web application firewalls (WAF). You can gain insight into the frequency of blocked requests, attack classes, and violation types to support your ongoing WAF policy and configuration tuning efforts.

To access the Threats reports, in the Alert Logic console, click the Reports tab, and then click Threats.

Incident Analysis

You can run the following reports that provide information about incidents in your environments created from all subscribed detection sources (Network IDS, Log Management, Web App IDS, Amazon GuardDuty):

  • Incident Daily Digest: Presents the incidents detected on the previous day for the selected detection types. You can view visualizations and lists of incidents by threat level, by classification, or by incident type. You can filter the report by detection source, status, previous days, or customer account. You can check ALL to see all values available in a filter, or select only specific ones.
  • Incident Daily Digest Trends: Presents a histogram chart that allows you to focus on the daily incident digest results within the specified date range. You can view visualizations and lists of incidents by threat level, by classification, or by incident type. You can filter the report by detection source, status, previous days, or customer account. You can check ALL to see all values available in a filter, or select only specific ones.
  • Incident Distribution Explorer: Presents incidents by threat level, classification, and incident type for the selected detection sources, statuses, and a specified time period. You can filter the report by detection source, status, previous days, or customer account. You can check ALL to see all values available in a filter, or select only specific ones.
  • Incident Attacker Explorer: Displays the top 10 attackers and geolocations, with visualizations and lists of incidents by threat level, by classification, or by incident type. You can filter the report by detection source, status, previous days, or customer account. You can check ALL to see all values available in a filter, or select only specific ones.
  • Incident Target Explorer: Displays the top 10 targets, with visualizations and lists of incidents by threat level, by classification, or by incident type. You can filter the report by detection source, status, previous days, or customer account. You can check ALL to see all values available in a filter, or select only specific ones.
  • Incident Workflow Explorer: Evaluates workflow actions performed in response to incidents, including total incidents by action count and percentage, total daily workflow actions, closed and updated incidents by reason, and trends. You can filter the report by detection source, status, previous days, or customer account. You can check ALL to see all values available in a filter, or select only specific ones.

AWS Incident Analysis

You can run the following reports that provide information about incidents in your AWS environments generated by Network IDS:

  • AWS Incident Daily Digest: Displays the incidents received the previous day for the selected deployments. You can view the List of Incidents by threat level, classification type, or by GuardDuty findings. You can filter this report by deployment, VPC, container image, and detection source. You can check ALL to see all values available in a filter, or select only specific ones.
  • AWS Incident Daily Digest Trends: Allows you to view a histogram chart that displays the incident daily digests for a specified date range, and by deployment, VPC, container image, and detection source. You can check ALL to see all values available in a filter, or select only specific ones.
  • AWS Risk Summary: Displays the risk level for a selected group of assets, by incident count and average exposure score. The quadrant in which the selected asset group appears, and its color, indicates the risk level for the assets. You can filter the report by detection source, AWS asset, AWS account ID, date range, deployment, threat level, and CVSS Score. You can check ALL to see all values available in a filter, or select only specific ones.
  • AWS Incident Distribution Explorer: Displays incidents by threat level, classification, and incident type for a specified time period. You can filter the report by date range, detection source, deployment, and AWS account ID, container image, subnet, security group, and tag. You can check ALL to see all values available in a filter, or select only specific ones.
  • AWS Targeted Deployment Explorer: Displays the GuardDuty and Network IDS incident distribution for a specified target (AWS account ID, region, VPC, container image, security group, or subnet), filtered by AWS account ID, date range, detection source, deployment, and AWS asset within your deployments. You can check ALL to see all values available in a filter, or select only specific ones.
  • AWS Targeted Deployment Trends: Displays an interactive graph depicting incident distribution for a specified time period, by account ID, AWS region, and AWS asset. You can check ALL to see all values available in a filter, or select only specific ones.

Azure Incident Analysis

You can run the following reports that provide information about incidents in your Azure environments generated by Network IDS:

  • Azure Incident Daily Digest: Displays the incidents received the previous day for the selected deployments. You can view the List of Incidents by threat level, or classification type. You can filter this report by deployment, VNET, container image, and detection source. You can check ALL to see all values available in a filter, or select only specific ones.
  • Azure Incident Daily Digest Trends: Allows you to view a histogram chart that displays the incident daily digests for a specified date range, and by deployment, VNET, container image, and detection source. You can check ALL to see all values available in a filter, or select only specific ones.
  • Azure Risk Summary: Displays the risk level for a selected group of assets, by incident count and average exposure score. The quadrant in which the selected asset group appears, and its color, indicates the risk level for the assets. You can filter the report by detection source, Azure asset, Azure account ID, date range, deployment, threat level, and CVSS Score. You can check ALL to see all values available in a filter, or select only specific ones.
  • Azure Incident Distribution Explorer: Displays incidents by threat level, classification, and incident type for a specified time period. You can filter the report by date range, detection source, deployment, and Azure account ID, container image, subnet, security group, and tag. You can check ALL to see all values available in a filter, or select only specific ones.
  • Azure Targeted Deployment Explorer: Displays the Network IDS incident distribution for a specified target (Azure account ID, region, VNET, container image, security group, or subnet), filtered by Azure account ID, date range, detection source, deployment, and Azure asset within your deployments. You can check ALL to see all values available in a filter, or select only specific ones.
  • Azure Targeted Deployment Trends: Displays an interactive graph depicting incident distribution for a specified time period, by account ID, Azure region, and Azure asset. You can check ALL to see all values available in a filter, or select only specific ones.

Web Application Analysis

You can run the following report, which provides information about policy violations from your inline web application firewalls (WAF):

  • Inline WAF Violation Explorer: Provides visibility into blocked WAF requests and attempted web app attacks, including total and blocked WAF policy violations counts, violations by day, operating mode, risk level, attack class, and type. To learn more about this report, see WAF Violation Explorer.

Vulnerabilities

The Vulnerabilities reports provide convenient access to analysis, statistics, assessments, and trending data related to vulnerabilities discovered in your environment based on scanning outcomes. Alert Logic provides Vulnerabilities reports within the following categories:

  • Vulnerability Analysis—Provide valuable summary, distribution, and trending data for vulnerabilities discovered across your environment. You can gain insight into the effectiveness of your vulnerability management and prioritization efforts.

To access the Vulnerability reports, in the Alert Logic console, click the Reports tab, and then click Vulnerabilities.

Vulnerability Analysis

You can run the following reports that provide information about vulnerabilities discovered across your environment:

  • Vulnerability Summary: Provides a summary of vulnerabilities found in your environment, including vulnerability and host counts, severity and age distribution, exportable vulnerability list, categorized trends, and top ten lists. To learn more about this report, see Vulnerability Summary.
  • Vulnerability Host Explorer: Provides a summary of the most vulnerable assets, including total host and vulnerability counts, hosts by CVSS severity ratings, top ten lists, and vulnerable host count and percentage change trends. To learn more about this report, see Vulnerability Hosts Explorer.
  • Vulnerability Distribution Explorer: Provides insights into patterns in your vulnerabilities, including vulnerability distribution and trends categorized by status, exploitability, severity, age, operating system, and asset type. To learn more about this report, see Vulnerability Distribution Explorer.
  • List of Vulnerabilities: Displays a tabular list of all current vulnerabilities, details about each vulnerability, and information about the assets affected by the vulnerability.

Remediations

The Remediations reports provide convenient access to analysis, statistics, assessments, and trending data related to configuration issues and security exposures from your subscribed products and services. Alert Logic provides Remediations reports within the following categories:

  • Configuration Remediations—Provide valuable summary, distribution, and trending data on your responsiveness to known product configuration and health issues in your environment. You can gain insight into configuration management patterns that improve prioritization and maximize your collection, scanning, detection, or response capabilities.
  • Security Remediations—Provide valuable summary, distribution, and trending data on your responsiveness to security exposures found in your environment. You can gain insight into security exposure management patterns that improve prioritization and reduce the exposure of your assets to threats.

To access the Remediations reports, in the Alert Logic console, click the Reports tab, and then click Remediations.

Configuration Remediations

You can run the following report, which provides information on your responsiveness to known product configuration and health issues in your environment:

  • Configuration Remediations Trends: Evaluates the responsiveness to issues that degrade your service capabilities, including mean time to plan and remediate issues, and categorized remediation age, status, and reason trends. To learn more about this report, see Configuration Remediation Trends.

Security Remediations

You can run the following report, which provides information on your responsiveness to security exposures found in your environment:

  • Security Remediations Trends: Evaluates responses to issues that expose your assets to threats, including mean time to plan and remediate security exposures, and categorized remediation age, status, and reason trends. To learn more about this report, see Security Remediation Trends.

Compliance

The Compliance reports provide convenient access to analysis, statistics, and trending data related to compliance assessment status and audit preparedness from your subscribed products and services. Alert Logic provides Compliance reports within the following categories:

  • CIS Benchmarks—Provide assessments of how your environment conforms to configuration guidelines developed by security experts.
  • PCI Audit—Provide documentation to help you demonstrate compliance with specific requirements of the Payment Card Industry Data Security Standard (PCI DSS).

To access the Compliance reports, in the Alert Logic console, click the Reports tab, and then click Compliance.

CIS Benchmarks

You can run the following report that provides information on assessments of how your environment conforms to CIS Foundations Benchmark Level 2:

  • CIS AWS Foundations Benchmark: Displays the status of your environment against the CIS AWS Foundations Benchmark Level 2.

For more information about CIS Benchmarks, see the CIS Benchmarks FAQ.

PCI Audit

You can run the following reports, which help you demonstrate compliance with specific requirements of the Payment Card Industry Data Security Standard (PCI DSS):

  • PCI Requirement 6.6 Report: Shows web application firewall (WAF) deployments, traffic, incidents, and attacks to help you demonstrate compliance with Requirement 6.6 of the PCI DSS.
  • PCI Requirement 10.6 Report: Shows log review cases and reporting, as well as log management incidents, to help you demonstrate compliance with Requirement 10.6 of the PCI DSS.

Service

The Service reports provide convenient access to data related to entitlements, capability usage, users and security content for your subscribed products and services. Alert Logic provides Service reports within the following categories:

  • Capability Usage—Provide valuable summary and trending data on your actual use of deployed security product and service capabilities.
  • Users—Provide valuable insight into key customer contacts and user accounts provisioned in the Alert Logic console for your subscribed services.
  • Cloud Insight—Provide information regarding the billable size of your scoped deployments, which correlate to the amount billed for a given usage period.

To access the Service reports, in the Alert Logic console, click the Reports tab, and then click Service.

Capability Usage

You can run the following reports that provide information on your actual use of deployed security product and service capabilities:

  • Service Review: Provides summary information and visibility into product configuration, product status, and security outcomes from your subscribed services.

  • WAF Traffic: Provides visibility into WAF traffic volume and requests processed in your environment, including WAF traffic per day measured by requests or megabytes, and an appliance list with traffic requests and megabytes. To learn more about this report, see WAF Traffic.

Users

You can run the following report that provides key customer contacts and user accounts:

  • Customer Contacts: Provides tabular lists of your escalation, notification, and incident notification contacts.

Cloud Insight

You can run the following reports that provide information regarding the billable size of your scoped deployments:

  • Deployments Usage by Day: Displays the number of deployments in your account, by day, for the specified date range.
  • Host Usage by Day: Displays billable product usage over time, by deployment, and with the option to filter to a specific time period. The report presents results by day, and as a sum over the selected time period.
  • Host Usage by Hour: Displays billable product usage over time, by deployment, and with the option to filter to a specific time period. The report presents results by day and by hour over the selected time period.