Threats Reports

The REPORTS tab in the Alert Logic console provides access to data related to exposures and incidents Alert Logic found within your deployments. You can also view data related to your product usage within your accounts. For information on all the available report groups, see Reports Guide.

The Threats reports provide convenient access to analysis, statistics, assessments, and trending data related to threats and incidents detected from your subscribed products and services. Alert Logic provides Threats reports within the following categories:

  • Incident Analysis — Provides insights and trending data for incidents created from all subscribed detection sources (Network IDS, Log Management, Amazon GuardDuty).
  • AWS Incident Analysis — Provides insights and trending data for incidents discovered in your AWS environments by Network IDS and for incidents generated from Amazon GuardDuty security findings.
  • Azure Incident Analysis — Provides insights and trending data for incidents in your Azure environments created from Network IDS detection sources.
  • Log Review Analysis — Provides insights and trending data for incidents that Alert Logic security analysts review daily.
  • Web Application Analysis — Provides summary, distribution, and trending data for policy violations from your inline web application firewalls (WAF).
  • Event Analysis — Provides insights and trending data for security events detected and processed in your environment from Network IDS sources.

To access the Threats reports, in the Alert Logic console, click the menu icon, and then click Validate. Click Reports, and then click Threats.

Each report allows you to share its data by email, or to download the report as an image, data, crosstab, PDF, or PowerPoint file. To learn how to download reports, see Report Download Option.

You can also schedule a report to run periodically and subscribe users or an integration (such as a webhook) to receive a notification when the report is generated. From the Downloads tab on the Reports page, you can download and manage reports generated from your schedules. For more information, see Scheduled Reports and Notifications.

Filtering reports

You can filter each report to refine its results and show only the information you need. Each report has a set of filters at the top; select or clear a filter to show or hide its data, and add or remove some or all of the values within a filter.

By default, Alert Logic includes all filter values (All) in the report.

To add or remove filter values:

  1. Click the drop-down menu in the filter, and then select or clear values.
  2. Click Apply.

Incident Analysis

You can run the following reports that provide information about incidents in your environments created from all subscribed detection sources (Network IDS, Log Management, Web App IDS, Amazon GuardDuty):

  • Monthly Incident Analysis: Provides visibility into threats and incidents in your environment, including incident statuses, threat levels, classification, daily incident count, and top ten lists for the selected month. To learn more about this report, see Monthly Incident Analysis.
  • Weekly Incident Analysis: Provides visibility into threats and incidents in your environment, including incident statuses, threat levels, classification, daily incident count, and top ten lists for the selected week. To learn more about this report, see Weekly Incident Analysis.
  • Incident Daily Digest: Presents the incidents detected on the previous day for the selected detection types. You can view visualizations and a list of incidents by threat level, by classification, or by incident type. You can filter the report by detection source, status, previous days, or customer account. You can check ALL to see all values available in a filter, or select only specific ones.
  • Incident Daily Digest Trends: Presents a histogram chart that lets you focus on the daily incident digest results within the specified date range. You can view visualizations and a list of incidents by threat level, by classification, or by incident type. You can filter the report by detection source, status, previous days, or customer account. You can check ALL to see all values available in a filter, or select only specific ones.
  • Incident Distribution Explorer: Presents incidents by threat level, classification, and incident type for the selected detection sources, statuses, and a specified time period. You can filter the report by detection source, status, previous days, or customer account. You can check ALL to see all values available in a filter, or select only specific ones.
  • Incident Target Explorer: Displays the top 10 targets, with visualizations and lists of incidents by threat level, by classification, or by incident type. You can filter the report by detection source, status, previous days, or customer account. You can check ALL to see all values available in a filter, or select only specific ones.
  • Incident Attacker Explorer: Displays the top 10 attackers and geolocations, with visualizations and lists of incidents by threat level, by classification, or by incident type. You can filter the report by detection source, status, previous days, or customer account. You can check ALL to see all values available in a filter, or select only specific ones.
  • Incident Workflow Explorer: Evaluates workflow actions performed in response to incidents, including total incidents by action count and percentage, total daily workflow actions, closed and updated incidents by reason, and trends. You can filter the report by detection source, status, previous days, or customer account. You can check ALL to see all values available in a filter, or select only specific ones.

AWS Incident Analysis

You can run the following reports that provide information about incidents in your AWS environments generated by Network IDS:

  • AWS Incident Daily Digest: Displays the incidents received the previous day for the selected deployments. You can view the List of Incidents by threat level, classification type, or by GuardDuty findings. You can filter this report by deployment, VPC, container image, and detection source. You can check ALL to see all values available in a filter, or select only specific ones.
  • AWS Incident Daily Digest Trends: Displays a histogram chart of the incident daily digests for a specified date range, filtered by deployment, VPC, container image, and detection source. You can check ALL to see all values available in a filter, or select only specific ones.
  • AWS Incident Distribution Explorer: Displays incidents by threat level, classification, and incident type for a specified time period. You can filter the report by date range, detection source, deployment, AWS account ID, container image, subnet, security group, and tag. You can check ALL to see all values available in a filter, or select only specific ones.
  • AWS Targeted Deployment Explorer: Displays the GuardDuty and Network IDS incident distribution for a specified target (AWS account ID, regions, VPC, container image, security group or subnet), filtered by AWS account ID, date range, detection source, deployment, and AWS asset within your deployments. You can check ALL to see all values available in a filter, or select only specific ones.
  • AWS Targeted Deployment Trends: Displays an interactive graph depicting incident distribution for a specified time period, by account ID, AWS region, and AWS asset. You can check ALL to see all values available in a filter, or select only specific ones.

Azure Incident Analysis

You can run the following reports that provide information about incidents in your Azure environments generated by Network IDS:

  • Azure Incident Daily Digest: Displays Network IDS incidents received the previous day for the selected deployments. You can view the List of Incidents by threat level, classification, or incident type. You can filter this report by deployment, VNET, container image, and detection source. You can check ALL to see all values available in a filter, or select only specific ones.
  • Azure Incident Daily Digest Trends: Displays a histogram chart of the Azure daily incident digests for a specified date range, filtered by customer account, deployment, VNET, container image, and detection source. You can check ALL to see all values available in a filter, or select only specific ones.
  • Azure Incident Distribution Explorer: Displays incidents by threat level, classification, and incident type for a specified time period. You can filter the report by date range, customer account, detection source, deployment, native account ID, container image name, subnet, security group, and tag. You can check ALL to see all values available in a filter, or select only specific ones.
  • Azure Targeted Deployment Explorer: Displays the Network IDS incident distribution for a specified target (Native Account ID, regions, VNET, container image, security group or subnet), filtered by Native Account ID, date range, detection source, deployment, and other Azure assets within your deployments. You can check ALL to see all values available in a filter, or select only specific ones.
  • Azure Targeted Deployment Trends: Displays an interactive graph depicting the Network IDS incident distribution for a specified time period, by Native Account ID, VNET, containers, and other Azure assets within your deployment. You can check ALL to see all values available in a filter, or select only specific ones.

Log Review Analysis

You can run the following report, which provides insight into the Log Review incidents created on the Incidents page:

  • Monthly Log Review: Provides a monthly summary analysis of your Log Review incidents, including count and percentage of total incidents of each status, a daily histogram chart, and a comparison to the previous month. To learn more about this report, see Monthly Log Review Report.

Web Application Analysis

You can run the following reports that provide information about policy violations from your inline Web Application Firewall (WAF):

  • WAF Violation Explorer: Provides visibility into blocked WAF requests and attempted web app attacks, including total and blocked WAF policy violations counts, violations by day, operating mode, risk level, attack class, and type. To learn more about this report, see WAF Violation Explorer Report.
  • WAF Violation Trends: Provides insights into patterns in your WAF violations, including violation distribution and trends categorized by action, risk level, attack class, violation type, response code, method, and protocol. To learn more about this report, see WAF Violation Trends.

Event Analysis

You can run the following reports that provide insights into security events processed from Network IDS sources:

  • Monthly Event Analysis: Provides visibility into Network IDS events processed in your environment, including event classification, top signatures, and events per day for the selected month. To learn more about this report, see Monthly Event Analysis.
  • Weekly Event Analysis: Provides visibility into Network IDS events processed in your environment, including event classification, top signatures, and events per day for the selected week. To learn more about this report, see Weekly Event Analysis.
  • Network IDS Events Explorer: Provides visibility into Network IDS events processed in your environment, events per day, visualizations by payload and classification, and top signatures. To learn more about this report, see Network IDS Events Explorer.
  • Top Event Sources and Destinations: Lists the top source and destination IP addresses and ports for IDS events in your environment. To learn more about this report, see Top Event Sources and Destinations.