Application Registry provides an intuitive and efficient way to integrate multiple third-party applications that can generate logs. Application Registry is a repository of platform integrations in your Configuration group in the Alert Logic console. Integration with third-party applications adds administrative and security value to your organization. Application Registry is only available for Professional and EnterpriseManaged Detection and Response customers.
To access the Application Registry page, click the menu icon () from the Dashboards page. Click Configure, and then click Application Registry.
Alert Logic offers integration with applications in multiple ways, including API-based integration with SaaS applications and passive log collecting through syslog forwarding with most firewall platforms. Alert Logic works to continuously release more applications.
Application requirements vary and often require different information. For instructions on how to integrate a specific application, see the Log Collectors Configuration Guide.
SaaS applications include products for authentication, productivity, management and more. Alert Logic serves as a remote collector to receive log data from the SaaS application related to different incident types, depending on the product type. Alert Logic collects logs related to administrative actions, anomaly detection for user logins, user behavior, resource access, system compromise, attack outbreak, and others. SaaS applications available include the following:
- Amazon Web Services (AWS)
- Carbon Black
- Cisco Duo
- Google Cloud Platform
- G Suite
- Microsoft Office 365
Alert Logic generates security incidents for some of the authentication applications listed above based on log data. Incidents generated relate to administrative actions, user login, and user behavior. To learn more about the security incidents Alert Logic generates from log data collected from the authentication applications, see Authentication Application Security Incidents.
For Firewall logs, the Alert Logic syslog remote collector receives log data. You must configure the applications to send logs to the IP address of the Alert Logic syslog remote collector on port 1515. Firewall applications available include the following:
- Cisco Firepower
- Palo Alto
Alert Logic generates security incidents for some of the firewall applications listed above based on log data. Incidents generated relate to suspicious and malicious behavior, exposures, and new service resource discovery. To learn more about the security incidents Alert Logic generates from log data collected from the firewall application, see Firewall Incidents.
Configure your applications
The instructions below provide a basic workflow for configuring an application. Application requirements vary and often require different information. For instructions on how to integrate a specific application, see the Log Collectors Configuration Guide.
To add a new application collection:
- On the Application List tab, use the drop-down menu to select the application type you want to see.
- Click GET STARTED from the available application you want to configure.
- Depending on the application, the required fields and options will vary. The general configuration requirements are the following:
- Under Details, type a name for the application.
- Under Collection Method and Policy, specify a location from where to collect log data, and provide the required credentials associated with your application account.
- Click ADD.
- In the Application List tab, if you have configured your application correctly, the application tile will say Configured.
You can add multiple log collection instances to each application. To add a new log collection to one you previously configured, click ADD NEW. Fill out the required fields, and then click ADD.
You can view a list of your configured applications and access an application's metadata. Click the Configured Applications tab. On the left panel, you can filter which application type you want to see, and on the page, you can sort the applications by name, applications last created, or applications last modified.
The page lists the application and the log collection instances you created. Click View on the specific log collection instance to see details.
The details page provides more information of the application, including metadata for creation and modification, timestamps (if any), and collection method and policies. Click VIEW LOGS to quickly access the Search page already filtered with the log data for that log collection instance.
Edit an application collection instance
In the application collection instance you want to edit, click View, and then click the edit icon (). Make any necessary changes to the fields, and then click SAVE.
Delete an application collection instance
In the application collection instance you want to delete, click View, and then click the delete icon (). Click DELETE.