About Analytics in the Threat Intelligence Center

The Threat Intelligence Center provides a tabular list for the properties of each analytic available from Alert Logic. Use the analytics view in the Threat Intelligence Center to validate Alert Logic threat coverage, learn about analytics content, investigate content configuration requirements, and source information for automated response. To learn more about the Threat Intelligence Center, see Threat Intelligence Center.

Learn about analytics

An Alert Logic analytic refers to content that uses telemetry data to evaluate activity to produce incidents or observations. An analytic can help process one or more specific threats, and threats can require one or more analytics to process. The Threat Intelligence Center provides a tabular list for the properties of each analytic. For more information about property definitions, use cases, and examples, see Analytic properties details and use cases.

The Threat Intelligence Center displays all security content and coverage details provided by Alert Logic. Customer-defined analytics, known as correlations, are not visible in the Threat Intelligence Center. For more information on defining your own rules for incidents and observations, see Improved Correlations and Search.

Validate threat coverage

Use the analytics view to validate that Alert Logic covers specific threats. For more information about how to control filters and view specific threats, see Customize the view in the Threat Intelligence Center.

Investigate content configuration requirements

You can use the Threat Intelligence Center to verify that you configured the telemetry sources required to detect specific threats in your environment.

For example, you find an analytic that uses log telemetry to evaluate threat activity. This source indicates that collection needs to be configured for the Log Source property of the analytic on your assets. Then Alert Logic can detect the threat. For more information on configuring specific log sources, see Log Sources and Application Registry. For a more detailed look at the log messages used by an analytic for a log source, including whether you have actually collected a specific log message type in your environment, see the use case for Log Message Type

Analytic properties details and use cases

Using the Threat Intelligence Center, you can review the properties of each analytic.

Property Description Use Cases Examples
Name Alert Logic name for the incident or observation generated by the analytic. Search an incident or observation by name. bf_success/unix
Summary Brief summary of behavior identified by the analytic. Often malicious behavior. Find the analytic that corresponds to a summary, which is used in incidents and notification e-mail subjects. Successful Unix Bruteforce Login detected from ['ATTACKER']
Description Full description of the behavior identified by the analytic. Often malicious behavior. Get detailed context on the activity an analytic is evaluating. Successful Unix BruteForce Login **Attacker Information**: ['ip_address'], country Australia **Target User**: ['ip_address'] We have observed the user ['ip_address'] making repeated sudo authentication failures and an authentication success against your Unix server in a short period of time. Although multiple failures may be due to a misconfigured script or erroneous user input, it may also be indicative of a privilege escalation attempt by a malicious user.
Recommendations Recommended response actions based on the latest Alert Logic Threat Intelligence. Determine how to respond to incidents or observations generated by an analytic. We recommend investigating to determine if this activity is due to misconfigured software or user error. If unexpected, we recommended forcing all users off the machine(s) and resetting the login credentials for the affected users, as per your internal policy, as well as reviewing sudo privileges for all users.
Threat Level

Incident threat levels convey the severity of each incident raised for protected assets, which allows you to assess and prioritize the actions to take toward threat remediation. Alert Logic categorizes incidents with the following icons and colors:

  • Critical
  • High
  • Medium
  • Low
  • Info
Prioritize or group analytics based on the danger presented by their produced incidents. Critical

Analytic processing can result in two different types of visibility:

  • Incident—an outcome that requires action. For more information, see Incidents.
  • Observation—a finding of interest that does not require any type of action. A second tier analytic may develop the observation into an incident.
Determine which analytics generate incidents and which generate observations. Incident

Classification for the type of data the analytic uses as input.

Determine data types an analytic needs for Alert Logic to provide coverage for a specific threat.



Log Source

For an analytic using log telemetry, this is the name of the log source. Analytics based on IDS telemetry do not have a log source.

For more information, see Log Sources and Application Registry.

Determine if your environment is configured to receive logs from the sources associated with the analytic.


Azure Security Center

Cisco ASA Connection logs

Windows Event Logs

Log Message Types

Classification system for log messages from log source telemetry. Analytics that use log source telemetry require messages to evaluate activity.

For more information about each log message type, see About Log Parsers in the Threat Intelligence Center.

Validate that you are collecting the desired message type from a log source.

Unix SU Failed Switch User

Unix SUDO Authentication Failed

Signatures For an analytic using IDS telemetry, these are the identification number(s) for the IDS signature. Analytics that use log telemetry do not have any associated IDS Signature ID(s). Validate which IDS signatures Alert Logic analytics cover. 26557, 2012843, 2014020


Common Vulnerabilities and Exposures ID. Validate which CVEs Alert Logic analytics cover. CVE-2000-0800
MITRE Tactic Short term, tactical adversary goals during an attack. For more information, see MITRE.

Verify Alert Logic coverage.

Command and Control

Credential Access

Resource Development

MITRE Technique Means by which adversaries achieve tactical goals. For more information, see MITRE.

Verify Alert Logic coverage.

Brute Force

Create or Modify System Process

MITRE Sub-Technique More specific means by which adversaries achieve tactical goals. For more information, see MITRE.

Verify Alert Logic coverage.

Password Guessing

Launch Agent

Date Added Date that Alert Logic released the analytic . Verify the release date of an analytic or cross-reference releases with your security posture history. 12th October 2017 15:23:03 GMT-5
Last Updated Date that Alert Logic updated the analytic. Verify that Alert Logic analytics are kept up to date or cross-reference updates with your security posture history. 5th Aug 2020 14:52:34 GMT-5