Incident Notifications

The Notifications feature in the Alert Logic console can alert you, other subscribed users, or a third-party application when incidents occur that meet specific criteria. Notifications to a third-party application require a templated connection.

For example, you can subscribe recipients to receive email notifications about escalated incidents for a single account or all incidents in all the managed accounts of a partner. You can also send incident notifications to a ticketing system, reducing manual effort.

For more information about the Notifications feature, see Notifications and Manage Notifications.

Create an incident notification

You can create an incident notification from the Incidents List or the Notifications page. Whichever method you use, the process is the same after you open the Create an Incident Notification page.

To create an incident notification from the Incident List:

  1. In the Alert Logic console, click the menu icon.
  2. Click Respond, and then click Incidents to access the Incidents page.
  3. Click NOTIFICATIONS, and then click Add Notification.
  4. Complete the fields in the Create an Incident Notification page.

To create an incident notification from the Notifications page:

  1. In the Alert Logic console, click the menu icon.
  2. Click Manage, and then click Notifications to access the Notifications page.
  3. On the Alert Notifications tab, click the add icon, and then click Incident.
  4. Complete the fields in the Create an Incident Notification page.

To complete the Create an Incident Notification page:

  1. Type a descriptive name for the incident notification, for example, "Critical Incidents for On-Call Team."
  2. If you want to send the notification, leave Notification Is Active turned on. Turn it off if you want to save the definition but not activate the notification yet.
  3. For an account without managed accounts, your customer account is preselected, and the account selector does not appear. If your account is a managing (parent) account, select one or more accounts for which you want to send notifications. You can use the search bar to help you find:

    • Individual accounts: Your account and individual managed accounts
    • Managed Accounts: This option selects all your managed accounts, excluding your own account, plus any managed accounts added later on.
    • My Account and Managed Accounts: This option selects your account and all your managed accounts, plus any managed accounts added later.

    If you choose Managed Accounts or My Account and Managed Accounts, future managed accounts will be automatically subscribed to send the notification. You will not need to edit the notification later to add them manually.

  4. (Optional) If you want to receive notifications for non-escalated incidents, turn off Escalated Incidents. By default, Escalated Incidents is selected, which means Alert Logic will only send notifications for incidents that have been escalated based on the severity and validity of the incident. Alert Logic recommends that you leave this setting turned on to focus your notifications on escalated incidents.
  5. (Optional) Under Threat Levels, select one or more incident threat levels for which you want to receive notifications.

    If Escalated Incidents is selected and you select specific Threat Levels, incidents must match both criteria to trigger a notification. If Escalated Incidents is selected and no Threat Levels are selected, escalated incidents of any threat level will trigger a notification.

    If Escalated Incidents is not selected, you must make a selection under Threat Levels. You will receive notifications for any incidents of the selected threat levels, regardless of whether they are escalated.
  6. Incident threat levels convey the severity of each incident raised for protected assets, which allows you to assess and prioritize the actions to take toward threat remediation. Alert Logic uses the following threat levels, each shown in the console with its own icon and color:

    • Critical
    • High
    • Medium
    • Low
    • Info
  7. To subscribe users to receive a notification email, click User(s), and then, under Notification Delivery:
    1. Select the users that you want to receive the notification. The list includes your name and user names in the managed accounts selected above, if applicable. You can use the search bar to help you find recipients.
    2. (Optional) Customize the Email Subject. You can change the text and insert variables enclosed with double braces: {{variable}}. For the variable list, see Email subject variables.
  8. To subscribe a templated connection, click Templated Connection, and then, under Notification Delivery, select a configured templated connection. The URL or email address in the templated connection will receive the payload listed.
  9. Click SAVE.

You can configure log message correlations to generate an incident when the correlation criteria are met. If you choose to create a notification for a correlation incident, Alert Logic selects your account and the correlation rule as the criteria for the incident notification and excludes settings that are not applicable, such as Escalations and Threat Levels.
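As an added illustration (not Alert Logic's own code), the matching logic described in steps 3 through 5 and in the correlation note above, modelled in Python; the rule and incident record shapes are assumptions:

```python
from dataclasses import dataclass

# Threat levels as the console lists them.
THREAT_LEVELS = ("Critical", "High", "Medium", "Low", "Info")

@dataclass
class NotificationRule:
    """Hypothetical model of one saved incident notification (not Alert Logic's schema)."""
    name: str
    active: bool = True
    scope: str = "individual"          # "individual", "managed" or "my_and_managed"
    accounts: frozenset = frozenset()  # account IDs used when scope == "individual"
    escalated_only: bool = True        # the Escalated Incidents switch
    threat_levels: frozenset = frozenset()
    correlation_rule: str = ""         # set for a correlation-incident notification

    def validate(self):
        # Escalated Incidents off means Threat Levels is mandatory (step 5).
        if not self.correlation_rule and not self.escalated_only and not self.threat_levels:
            raise ValueError(f"{self.name}: select at least one threat level")
        if not self.threat_levels <= set(THREAT_LEVELS):
            raise ValueError(f"{self.name}: unknown threat level")

def in_scope(rule, incident_cid, my_cid, managed_cids):
    """managed_cids is the current list, so accounts added after the rule was
    saved are covered automatically by the two dynamic selections (step 3)."""
    if rule.scope == "managed":
        return incident_cid in managed_cids
    if rule.scope == "my_and_managed":
        return incident_cid == my_cid or incident_cid in managed_cids
    return incident_cid in rule.accounts

def matches(rule, incident, my_cid, managed_cids):
    """True when this single rule fires for the incident."""
    if not rule.active or not in_scope(rule, incident["cid"], my_cid, managed_cids):
        return False
    if rule.correlation_rule:
        # Correlation notifications match on the rule name only; escalation
        # and threat level are not part of the criteria.
        return incident.get("correlation_rule_name") == rule.correlation_rule
    if rule.escalated_only and not incident["is_escalated"]:
        return False
    # Empty Threat Levels with Escalated Incidents on means any level qualifies.
    return not rule.threat_levels or incident["threat"] in rule.threat_levels

def fired_rules(rules, incident, my_cid, managed_cids):
    """Rules are processed independently, so one incident can fire several."""
    for rule in rules:
        rule.validate()
    return [r.name for r in rules if matches(r, incident, my_cid, managed_cids)]
```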

Email subject variables

To customize the subject line of an email notification, you can add the following variables to the Email Subject field:

Variable | Description | Example
--- | --- | ---
{{attack_summary}} | Brief description of the incident | Brute force attempt from 203.0.113.1
{{cid}} | Customer account ID | 12345678
{{class}} | Incident classification type | brute-force
{{correlation_rule_name}} | Name of the correlation that triggered the incident | Admin Failed Login Correlation
{{create_date}} | Incident creation date and time | 24th May 2020 22:35:26 GMT
{{customer_name}} | Name of customer affected by the incident | XYZ Corporation
{{deployment_name}} | Name of deployment affected by the incident | AWS Production Deployment
{{incident_id}} | Short incident ID | 8fn5sf
{{is_escalated}} | Escalation status | true
{{location_ip}} | One or more IP addresses, if determined, of the attacker for this incident | 192.0.2.1 192.0.2.25
{{start_date}} | Date and time that incident automated analysis started. For some incidents, start_date equals create_date. | 24th May 2020 22:36:06 GMT
{{target_host}} | IP address, if determined, of the target affected by the incident | 10.1.2.3
{{threat}} | Incident threat level | Critical
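An added example, not part of this documentation, of expanding these variables into a subject line; the incident record shape, the space-separated rendering of several location_ip values, and the handling of undetermined or unrecognized variables are assumptions:

```python
import re
from datetime import datetime, timezone

# The variables the table above lists for the Email Subject field.
SUBJECT_VARIABLES = {
    "attack_summary", "cid", "class", "correlation_rule_name", "create_date",
    "customer_name", "deployment_name", "incident_id", "is_escalated",
    "location_ip", "start_date", "target_host", "threat",
}
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")

def _ordinal(day):
    suffix = "th" if 11 <= day % 100 <= 13 else {1: "st", 2: "nd", 3: "rd"}.get(day % 10, "th")
    return f"{day}{suffix}"

def format_date(dt):
    """Render a datetime the way the table's examples do: 24th May 2020 22:35:26 GMT."""
    dt = dt.astimezone(timezone.utc)
    return f"{_ordinal(dt.day)} {dt:%B %Y %H:%M:%S} GMT"

def subject_values(incident):
    """Flatten a constructed incident record (assumed shape) into the strings
    each variable expands to."""
    values = {k: str(v) for k, v in incident.items() if k in SUBJECT_VARIABLES}
    values["is_escalated"] = "true" if incident.get("is_escalated") else "false"
    # Several attacker addresses are joined with spaces, as in the table's example.
    values["location_ip"] = " ".join(incident.get("location_ip") or [])
    for key in ("create_date", "start_date"):
        if isinstance(incident.get(key), datetime):
            values[key] = format_date(incident[key])
    return values

def render_subject(template, incident):
    """Replace each {{variable}}. Assumptions: a listed variable whose value was
    not determined expands to an empty string; an unrecognized name is left as-is."""
    values = subject_values(incident)
    def sub(match):
        name = match.group(1)
        if name not in SUBJECT_VARIABLES:
            return match.group(0)
        return values.get(name, "")
    return PLACEHOLDER.sub(sub, template)
```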

View and manage incident notifications

You can view and manage incident notifications from the Notifications page. See Manage Notifications for information about how to:

  • Filter the list of notifications
  • View notification details
  • Edit notifications
  • Delete notifications

Alert Logic processes each notification rule independently, so it is possible to receive multiple notifications for a single incident.