Threats Reports
The REPORTS tab in the Alert Logic console provides access to data related to exposures and incidents Alert Logic found within your deployments. You can also view data related to your product usage within your accounts. For information on all the available report groups, see Reports Guide.
The Threats reports provide convenient access to analysis, statistics, assessments, and trending data related to threats and incidents detected from your subscribed products and services. Alert Logic provides Threats reports within the following categories:
- Incident Analysis — Provides valuable insights and trending data for incidents created from all subscribed detection sources (Network IDS, Log Management, Amazon GuardDuty).
- AWS Incident Analysis — Provide valuable insights and trending data for incidents discovered in your AWS environments from Network IDS and incidents generated by Amazon GuardDuty security findings.
- Azure Incident Analysis — Provides valuable insights and trending data for incidents in your Azure environments created from Network IDS detection sources.
- Incident Account Summary — Provide the current distribution and trending data for incidents detected across your customer accounts.
- Log Review Analysis— Provide valuable insights and trending data for incidents that are reviewed daily by Alert Logic security analysts.
- Event Analysis — Provides valuable insights and trending data for security events that were detected and processed in your environment from Network IDS sources.
To access the Threats reports, in the Alert Logic console, click the menu icon (), and then click Validate. Click Reports, and then click Threats.
Each report allows you to share its data by email, or download the report as a CSV or PDF file. To learn how to download reports, see Report Download Option.
You can also schedule a report to run periodically and subscribe users or an integration (such as a webhook) to receive a notification when the report is generated. From the Downloads tab on the Reports page, you can download and manage reports generated from your schedules. For more information, see Scheduled Reports and Notifications.
Filtering reports
You can filter your reports quickly to refine your results and generate relevant information you need. Each report has a set of filters located at the top that you can select or clear for the filters you want to see. Alert Logic also allows you to add or remove some or all values in a filter you want to see. Some reports also support filtering by visuals.
Filter the report using drop-down menus
By default, Alert Logic includes (All) values for most filters in the report.
To add or remove filter values:
- Click the drop-down menu in the filter, and then select or clear values.
- Click Apply.
Filter the report using visuals
To refine your findings, click an item within a visual. To filter by multiple items, hold down Ctrl or Command, and then click each item in a visual that you want to use to apply a filter. You can filter using visuals and items selected in different sections. Click on an item again to remove a filter.
Incident Analysis
You can run the following reports that provide information about incidents in your environments created from all subscribed detection sources (Network IDS, Log Management, Web App IDS, Amazon GuardDuty):
- Monthly Incident Analysis: Provides visibility into threats and incidents in your environment, including incident statuses, threat levels, MITRE classification, daily incident count, and top ten lists for the selected month. To learn more about this report, see Monthly Incident Analysis .
- Weekly Incident Analysis: Provides visibility into threats and incidents in your environment, including incident statuses, threat levels, MITRE classification, daily incident count, and top ten lists for the selected week. To learn more about this report, see Weekly Incident Analysis.
- Incident Daily Digest: Presents the incidents detected on the previous day for the selected detection types. You can view visualizations and list of incidents by threat level or by MITRE classification. You can filter the report by detection source, status, previous days, or customer account. For more information, see Incident Daily Digest.
- Incident Daily Digest Trends: Presents a histogram chart that allows you to review trends in the daily incident digest results for a selected date range. You can view visualizations and list of incidents by threat level or by MITRE classification. For more information, see Incident Daily Digest Trends.
- Incident Distribution Explorer: Provides incident trends by detection source, status, threat level, MITRE classification, and sub-type for the date range. The report presents the information in pie graphs and a series of histograms in each category for the selected date range. For more information, see Incident Distribution Explorer.
- Incident Target Explorer: Displays the top 10 targets, with visualizations and lists of incidents by threat level or by MITRE classification. You can filter the report by detection source, status, previous days, or customer account. For more information, see Incident Target Explorer Report.
- Incident Attacker Explorer: Displays the top 10 attackers and geolocations, with visualizations and lists of incidents by threat level or by MITRE classification. You can filter the report by detection source, status, previous days, or customer account. For more information, see Incident Attacker Explorer.
- Incident Workflow Explorer:Evaluates workflow actions performed in response to incidents, including total incidents by action count and percentage, total daily workflow actions, closed and updated incidents by reason, and trends. You can filter the report by detection source, status, previous days, or customer account. For more information, see Incident Workflow Explorer Report.
AWS Incident Analysis
You can run the following reports that provide information about incidents in your AWS environments generated by GuardDuty and Network IDS:
- AWS Incident Daily Digest: Displays the incidents received the previous day for the selected deployments. You can view the List of Incidents by threat level, MITRE classifications, or by GuardDuty findings. You can filter this report by deployment, VPC, container image, and detection source. For more information, see AWS Incident Daily Digest Report.
- AWS Incident Daily Digest Trends: Allows you to view a histogram chart that displays the incident daily digests for specified date range, and by deployment, VPC, container image, and detection source. For more information, see AWS Incident Daily Digest Trends.
- AWS Incident Distribution Explorer: Displays incidents by threat level or MITRE classification for a specified time period. You can filter the report by date range, detection source, deployment, and AWS account ID, container image, subnet, security group, and tag. For more information, see AWS Incident Distribution Explorer.
- AWS Targeted Deployment Explorer: Displays the GuardDuty and Network IDS incident distribution for a specified target (AWS account ID, regions, VPC, container image, security group or subnet), filtered by AWS account ID, date range, detection source, deployment, and AWS asset within your deployments. For more information, see AWS Targeted Deployment Explorer.
- AWS Targeted Deployment Trends: Displays an interactive graph depicting incident distribution for a specified time period, by account ID, AWS region, and AWS asset. For more information, see AWS Targeted Deployment Trends.
Azure Incident Analysis
You can run the following reports that provide information about incidents in your Azure environments generated by Network IDS
- Azure Incident Daily Digest: Displays Network IDS incidents received the previous day for the selected deployments. You can view the List of Incidents by threat level or MITRE classification. You can filter this report by deployment, VNet, container image, and detection source. For more information, see Azure Incident Daily Digest Report.
- Azure Incident Daily Digest Trends: Allows you to view a histogram chart that displays the Azure daily incident digests for specified date range, customer account, by deployment, VNet, container image, and detection source. For more information, see Azure Incident Daily Digest Trends Report
- Azure Incident Distribution Explorer: Displays incidents by threat level or MITRE classification for a specified time period. You can filter the report by date range, customer account, detection source, deployment, native account ID, container image name, subnet, security group, and tag. For more information, see Azure Incident Distribution Explorer Report.
- Azure Targeted Deployment Explorer: Displays the Network IDS incident distribution for a specified target (Native Account ID, regions, VNet, container image, security group or subnet), filtered by Native Account ID, date range, detection source, deployment, and other Azure assets within your deployments. For more information, see Azure Targeted Deployment Explorer.
- Azure Targeted Deployment Trends: Displays an interactive graph depicting the Network IDS incident distribution for a specified time period, by Native Account ID, VNet, containers, and other Azure assets within your deployment. For more information, see Azure Targeted Deployment Trends.
Incident Account Summary
You can run the following reports that provide the current distribution and trending data for incidents detected across your customer accounts and deployments.
- Weekly Incident Account Summary: Provides the current weekly distribution and trending data for incidents detected across your customer accounts and deployments by top incident count, threat level, count by day and threat level, detection source, escalation status, type, sub-type, top attackers, and top targets. For more information, see Weekly Incident Account Summary
- Monthly Incident Account Summary: Provides the current monthly distribution and trending data for incidents detected across your customer accounts and deployments by top incident count, threat level, count by week and threat level, detection source, escalation status, type, sub-type, top attackers, and top targets. For more information, see Monthly Incident Account Summary.
Log Review Analysis
You can run the following report that provides insight into your Log Review incidents created in the Incidents page:
- Monthly Log Review: Provides a monthly summary analysis of your Log Review incidents, including count and percentage of total incidents of each status, a daily histogram chart, and a comparison to the previous month. To learn more about this report, see Monthly Log Review Report.
- Monthly Log Review Details: Provides details on anomalies and alerts detected in all daily Log Review Summary incidents for the selected month, including detected observations, a list of log alerts counts and details, and a list of log anomaly counts and details. To learn more about this report, see Monthly Log Review Details Report.
Event Analysis
You can run the following reports that provide insights for security events that were processed from Network IDS sources:
- Monthly Event Analysis: Provides visibility into Network IDS events processed in your environment, including event classification, top signatures, and events per day for the selected month. To learn more about this report, see Monthly Event Analysis.
- Weekly Event Analysis: Provides visibility into Network IDS events processed in your environment, including event classification, top signatures, and events per day for the selected weekly. To learn more about this report, see Weekly Event Analysis.
- Network IDS Events Explorer: Provides visibility into Network IDS events processed in your environment, events per day, visualizations by payload and classification, and top signatures. To learn more about this report, see Network IDS Events Explorer.
- Top Event Sources and Destinations: Lists the top source and destination IP addresses and ports for IDS events in your environment. To learn more about this report, see Top Event Sources and Destinations.