Incident Notifications

The Notifications feature in the Alert Logic console can alert you, other subscribed users, or a configured connector (such as a webhook) when incidents that meet specific criteria occur.

For example, you can subscribe recipients to receive email notifications about escalated incidents for a single account or all incidents in all the managed accounts of a partner. You can also send incident notifications to a ticketing system, reducing manual effort.

For more information about the Notifications feature, see Notifications and Manage Notifications.

Create an incident notification

You can create an incident notification from the Incidents List or the Notifications page. Whichever method you use, the process is the same after you open the Create an Incident Notification page.

To create an incident notification from the Incident List:

  1. In the Alert Logic console, click the menu icon.
  2. Click Respond, and then click Incidents to access the Incidents page.
  3. Click NOTIFICATIONS, and then click Add Notification.
  4. Complete the fields in the Create an Incident Notification page.

To create an incident notification from the Notifications page:

  1. In the Alert Logic console, click the menu icon.
  2. Click Manage, and then click Notifications to access the Notifications page.
  3. On the Alert Notifications tab, click the add icon, and then click Incident.
  4. Complete the fields in the Create an Incident Notification page.

To complete the Create an Incident Notification page:

  1. Type a descriptive name for the incident notification, for example, "Critical Incidents for On-Call Team."
  2. If you want to send the notification, leave Notification Is Active turned on. Turn it off if you want to save the definition but not activate the notification yet.
  3. For an account without managed accounts, your customer account is preselected, and the account selector does not appear. If your account is a managing (parent) account, select one or more accounts for which you want to send notifications. You can use the search bar to help you find:

    • Individual accounts, such as your account and managed accounts
    • Managed Accounts: This option selects all your managed accounts, excluding your own account, plus any managed accounts added later.
    • My Account and Managed Accounts: This option selects your account and all your managed accounts, plus any managed accounts added later.

    If you choose Managed Accounts or My Account and Managed Accounts, future managed accounts will be automatically subscribed to receive the notification. You will not need to edit the notification later to add them manually.

  4. (Optional) If you do not want to receive a notification for incidents escalated by Alert Logic, turn off Escalated Incidents. Alert Logic escalates an incident to bring it to your attention, based on the severity and validity of the incident, and recommends that you leave this setting turned on.
  5. (Optional) Under Threat Levels, select one or more incident threat levels for which you want to receive notifications.
  6. Incident threat levels convey the severity of each incident raised for protected assets, which allows you to assess and prioritize the actions to take toward threat remediation. Alert Logic categorizes incidents into the following threat levels, each shown in the console with its own icon and color:

    • Critical
    • High
    • Medium
    • Low
    • Info

    If you select the escalation option and a threat level, an incident must match both criteria to trigger a notification. To prevent duplicate notifications, Alert Logic sends a notification for the escalation only. By combining the Threat Levels and Escalations settings, you can limit notifications for escalated incidents to selected threat levels only, regardless of whether Alert Logic considers the incidents worthy of escalation.
  7. To subscribe users to receive a notification email, click Subscribe User(s), and then, under Notification Delivery:
    1. Select the users that you want to receive the notification. The list includes your name and user names in the managed accounts selected above, if applicable. You can use the search bar to help you find recipients.
    2. (Optional) Customize the Email Subject. You can change the text and insert variables enclosed with double braces: {{variable}}. For the variable list, see Email subject variables.
  8. To subscribe a connector, click Subscribe Connector, and then, under Notification Delivery, select a configured connector. The connector URL or connector email address will receive the payload listed.
  9. Click SAVE.

You can configure log message correlations to generate an incident when the correlation criteria are met. If you choose to create a notification for a correlation incident, Alert Logic selects your account and the correlation rule as the criteria for the incident notification and excludes settings that are not applicable, such as Escalations and Threat Levels.

Email subject variables

To customize the subject line of an email notification, you can add the following variables to the Email Subject field:

| Variable | Description | Example |
|---|---|---|
| {{attack_summary}} | Brief description of the incident | Brute force attempt from 203.0.113.1 |
| {{cid}} | Customer account ID | 12345678 |
| {{class}} | Incident classification type | brute-force |
| {{correlation_rule_name}} | Name of the correlation that triggered the incident | Admin Failed Login Correlation |
| {{create_date}} | Incident creation date and time | 24th May 2020 22:35:26 GMT |
| {{customer_name}} | Name of the customer affected by the incident | XYZ Corporation |
| {{deployment_name}} | Name of the deployment affected by the incident | AWS Production Deployment |
| {{incident_id}} | Short incident ID | 8fn5sf |
| {{is_escalated}} | Escalation status | true |
| {{location_ip}} | One or more IP addresses, if determined, of the attacker for this incident | 192.0.2.1 192.0.2.25 |
| {{start_date}} | Date and time that automated analysis of the incident started. For some incidents, start_date equals create_date. | 24th May 2020 22:36:06 GMT |
| {{target_host}} | IP address, if determined, of the target affected by the incident | 10.1.2.3 |
| {{threat}} | Incident threat level | Critical |
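The following Python snippet is an added example, not Alert Logic code, that models two things described on this page: the rule matching in which an incident must satisfy both the Escalated Incidents toggle and the selected Threat Levels (and each rule is evaluated independently, so one incident can produce several notifications), and the {{variable}} substitution used in the Email Subject field. The incident record is constructed here with field names taken from the variable table above; the NotificationRule class, the evaluate function and the "<name:unset>" fallback for an unknown variable are assumptions of this example, not product behaviour.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample incident. The keys mirror the {{variable}} names in the
# table above; the values are made-up examples, not real data.
SAMPLE_INCIDENT = {
    "attack_summary": "Brute force attempt from 203.0.113.1",
    "cid": "12345678",
    "class": "brute-force",
    "create_date": "24th May 2020 22:35:26 GMT",
    "customer_name": "XYZ Corporation",
    "deployment_name": "AWS Production Deployment",
    "incident_id": "8fn5sf",
    "is_escalated": True,
    "location_ip": ["192.0.2.1", "192.0.2.25"],
    "start_date": "24th May 2020 22:36:06 GMT",
    "target_host": "10.1.2.3",
    "threat": "Critical",
}


@dataclass
class NotificationRule:
    """Hypothetical model of one incident notification definition."""
    name: str
    accounts: set[str]            # customer IDs the rule is subscribed to
    escalated_only: bool = True   # the "Escalated Incidents" toggle
    threat_levels: set[str] = field(default_factory=set)  # empty = any level
    subject: str = "{{threat}}: {{attack_summary}} ({{incident_id}})"
    active: bool = True           # the "Notification Is Active" toggle

    def matches(self, incident: dict) -> bool:
        # An inactive rule, or one that does not cover this account, never fires.
        if not self.active or incident["cid"] not in self.accounts:
            return False
        # Escalation and threat level are combined with AND: both must match.
        if self.escalated_only and not incident.get("is_escalated", False):
            return False
        if self.threat_levels and incident["threat"] not in self.threat_levels:
            return False
        return True


# Matches {{name}} with optional inner whitespace; names are lower-case words.
_VAR = re.compile(r"\{\{\s*([a-z_]+)\s*\}\}")


def render_subject(template: str, incident: dict) -> str:
    """Substitute {{variable}} placeholders using the incident's fields."""
    def substitute(match: re.Match) -> str:
        key = match.group(1)
        if key not in incident:
            # Assumed fallback: keep the subject readable instead of failing.
            return f"<{key}:unset>"
        value = incident[key]
        if isinstance(value, bool):          # render like the table: true/false
            return "true" if value else "false"
        if isinstance(value, (list, tuple)):  # several IPs are space-separated
            return " ".join(value)
        return str(value)
    return _VAR.sub(substitute, template)


def evaluate(rules: list[NotificationRule], incident: dict) -> list[tuple[str, str]]:
    """Return (rule name, rendered subject) for every rule that fires.

    Rules are processed independently, so a single incident can produce
    several notifications when several rules match it.
    """
    return [(r.name, render_subject(r.subject, incident))
            for r in rules if r.matches(incident)]


if __name__ == "__main__":
    rules = [
        NotificationRule("on-call", {"12345678"}, threat_levels={"Critical", "High"}),
        NotificationRule("all-escalated", {"12345678"}),
        NotificationRule("medium-only", {"12345678"}, threat_levels={"Medium"}),
        NotificationRule("other-account", {"99999999"}),
    ]
    for name, subject in evaluate(rules, SAMPLE_INCIDENT):
        print(f"{name}: {subject}")
```

Running the block prints two lines, one for the "on-call" rule and one for "all-escalated": the "medium-only" rule fails the threat-level check and "other-account" is not subscribed to the incident's account.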

View and manage incident notifications

You can view and manage incident notifications from the Notifications page. See Manage Notifications for information about how to:

  • Filter the list of notifications
  • View notification details
  • Edit notifications
  • Delete notifications

Alert Logic processes each notification rule independently, so it is possible to receive multiple notifications for a single incident.