About Analytics in the Threat Intelligence Center
The Threat Intelligence Center provides a tabular list for the properties of each analytic available from Alert Logic. Use the analytics view in the Threat Intelligence Center to validate Alert Logic threat coverage, learn about analytics content, investigate content configuration requirements, and source information for automated response. To learn more about the Threat Intelligence Center, see Threat Intelligence Center.
Learn about analytics
An Alert Logic analytic refers to content that uses telemetry data to evaluate activity to produce incidents or observations. An analytic can help process one or more specific threats, and threats can require one or more analytics to process. The Threat Intelligence Center provides a tabular list for the properties of each analytic. For more information about property definitions, use cases, and examples, see Analytic properties details and use cases.
Validate threat coverage
Use the analytics view to validate that Alert Logic covers specific threats. For more information about how to control filters and view specific threats, see Customize the view in the Threat Intelligence Center.
Investigate content configuration requirements
You can use the Threat Intelligence Center to verify that you configured the telemetry sources required to detect specific threats in your environment.
Analytic properties details and use cases
Using the Threat Intelligence Center, you can review the properties of each analytic.
Property | Description | Use Cases | Examples |
---|---|---|---|
Name | Alert Logic name for the incident or observation generated by the analytic. | Search an incident or observation by name. | bf_success/unix |
Summary | Brief summary of behavior identified by the analytic. Often malicious behavior. | Find the analytic that corresponds to a summary, which is used in incidents and notification e-mail subjects. | Successful Unix Bruteforce Login detected from ['ATTACKER'] |
Description | Full description of the behavior identified by the analytic. Often malicious behavior. | Get detailed context on the activity an analytic is evaluating. | Successful Unix BruteForce Login **Attacker Information**: ['ip_address'], country Australia **Target User**: ['ip_address'] We have observed the user ['ip_address'] making repeated sudo authentication failures and an authentication success against your Unix server in a short period of time. Although multiple failures may be due to a misconfigured script or erroneous user input, it may also be indicative of a privilege escalation attempt by a malicious user. |
Recommendations | Recommended response actions based on the latest Alert Logic Threat Intelligence. | Determine how to respond to incidents or observations generated by an analytic. | We recommend investigating to determine if this activity is due to misconfigured software or user error. If unexpected, we recommend forcing all users off the machine(s) and resetting the login credentials for the affected users, as per your internal policy, as well as reviewing sudo privileges for all users. |
Threat Level | Incident threat levels convey the severity of each incident raised for protected assets, which allows you to assess and prioritize the actions to take toward threat remediation. Alert Logic categorizes incidents with icons and colors. | Prioritize or group analytics based on the danger presented by their produced incidents. | Critical |
Visibility | Analytic processing can result in two different types of visibility: incidents or observations. | Determine which analytics generate incidents and which generate observations. | Incident |
Telemetry | Classification for the type of data the analytic uses as input. | Determine the data types an analytic needs for Alert Logic to provide coverage for a specific threat. | Log; IDS |
Log Source | For an analytic using log telemetry, this is the name of the log source. Analytics based on IDS telemetry do not have a log source. For more information, see Log Sources and Application Registry. | Determine if your environment is configured to receive logs from the sources associated with the analytic. | WLA; Azure Security Center; Cisco ASA Connection logs; Windows Event Logs |
Log Message Types | Classification system for log messages from log source telemetry. Analytics that use log source telemetry require messages to evaluate activity. For more information about each log message type, see About Log Parsers in the Threat Intelligence Center. | Validate that you are collecting the desired message type from a log source. | Unix SU Failed Switch User; Unix SUDO Authentication Failed |
Signatures | For an analytic using IDS telemetry, these are the identification number(s) for the IDS signature. Analytics that use log telemetry do not have any associated IDS Signature ID(s). | Validate which IDS signatures Alert Logic analytics cover. | 26557, 2012843, 2014020 |
CVE | Common Vulnerabilities and Exposures ID. | Validate which CVEs Alert Logic analytics cover. | CVE-2000-0800 |
MITRE Tactic | Short-term, tactical adversary goals during an attack. For more information, see MITRE. | Verify Alert Logic coverage. | Command and Control; Credential Access; Resource Development |
MITRE Technique | Means by which adversaries achieve tactical goals. For more information, see MITRE. | Verify Alert Logic coverage. | Brute Force; Create or Modify System Process |
MITRE Sub-Technique | More specific means by which adversaries achieve tactical goals. For more information, see MITRE. | Verify Alert Logic coverage. | Password Guessing; Launch Agent |
Date Added | Date that Alert Logic released the analytic. | Verify the release date of an analytic or cross-reference releases with your security posture history. | 12th October 2017 15:23:03 GMT-5 |
Last Updated | Date that Alert Logic updated the analytic. | Verify that Alert Logic analytics are kept up to date or cross-reference updates with your security posture history. | 5th Aug 2020 14:52:34 GMT-5 |
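As an added example that is not part of the Alert Logic documentation, the following Python models a few analytic records with the properties listed in the table above and works through the "Investigate content configuration requirements" use case: given the log sources and message types you actually collect, it reports which analytics can evaluate activity, what telemetry the others still need, and which MITRE techniques are left without any active analytic. The records are constructed; only the name bf_success/unix and the example log sources and message types come from this page, and the way they are combined is illustrative, not Alert Logic's catalogue.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set

@dataclass(frozen=True)
class Analytic:
    # Field names mirror the property columns in the Threat Intelligence Center table.
    name: str
    telemetry: str                      # "Log" or "IDS"
    visibility: str                     # "Incident" or "Observation"
    technique: str                      # MITRE Technique
    log_source: Optional[str] = None    # Log telemetry only
    message_types: FrozenSet[str] = frozenset()
    signatures: FrozenSet[int] = frozenset()

# Constructed sample records. Only bf_success/unix is a name from the documentation;
# the property combinations here are illustrative, not Alert Logic's actual catalogue.
ANALYTICS = [
    Analytic("bf_success/unix", "Log", "Incident", "Brute Force", "WLA",
             frozenset({"Unix SU Failed Switch User", "Unix SUDO Authentication Failed"})),
    Analytic("example/azure_bf", "Log", "Observation", "Brute Force",
             "Azure Security Center", frozenset({"Example Azure Sign-in Failed"})),
    Analytic("example/launch_agent", "Log", "Incident", "Create or Modify System Process",
             "Windows Event Logs", frozenset({"Example Process Created"})),
    Analytic("example/ids_c2", "IDS", "Incident", "Command and Control",
             signatures=frozenset({26557, 2012843})),
]

def missing_inputs(a: Analytic, sources: Set[str], message_types: Set[str], ids_enabled: bool):
    """Telemetry an analytic still needs before it can evaluate activity: Log analytics need
    their log source and every required message type, IDS analytics need IDS telemetry."""
    if a.telemetry == "IDS":
        return [] if ids_enabled else ["IDS telemetry"]
    needed = [] if a.log_source in sources else [f"log source: {a.log_source}"]
    needed += [f"message type: {m}" for m in sorted(a.message_types - message_types)]
    return needed

def coverage_report(analytics, sources, message_types, ids_enabled):
    """Return (active analytic names, MITRE techniques with no active analytic).
    A technique stays covered as long as at least one of its analytics is active."""
    active = {a.name for a in analytics
              if not missing_inputs(a, sources, message_types, ids_enabled)}
    covered = {a.technique for a in analytics if a.name in active}
    return active, {a.technique for a in analytics} - covered

if __name__ == "__main__":
    have_sources = {"WLA", "Windows Event Logs"}
    have_types = {"Unix SU Failed Switch User", "Unix SUDO Authentication Failed",
                  "Example Process Created"}
    active, gaps = coverage_report(ANALYTICS, have_sources, have_types, ids_enabled=False)
    print("active:", sorted(active), "uncovered techniques:", sorted(gaps))
```

With the sample telemetry, the Azure analytic is inactive but Brute Force stays covered through bf_success/unix, while Command and Control is uncovered because no IDS telemetry is collected.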