Download Current Health Check Results for your Alert Logic Security Infrastructure

This section describes how to retrieve a summary of health check results for your Alert Logic security infrastructure using the Alert Logic CLI.

Supported subscription types

  • Managed Detection and Response Essentials
  • Managed Detection and Response Professional

Requirements

This use case requires that the Alert Logic CLI is already installed and configured.

Technical Details

Alert Logic reports configuration remediations against a deployment’s assets when the existing configuration affects collection health; these can include (but are not limited to) remediations about agent error states, appliance connectivity, and cross-network protection.

The Alert Logic CLI can be used to retrieve a summary of collection health; the report provides counts of healthy and unhealthy instances for each asset type (agent, appliance, network, and collector). The CLI can also retrieve the list of current exposures affecting deployment health.

Download a collection health summary using the Alert Logic CLI

This section describes how to download a summary of collection health using the Alert Logic CLI.

Use the Alert Logic CLI to retrieve a collection health summary from Assets Query, providing the Alert Logic account ID:

$ alcli remediations get_collection_health_summary --account_id 134235891
{
    "agents": {
        "coverage": {
            "protected": 0,
            "total": 0
        },
        "health": {
            "scores": [
                {
                    "count": 0,
                    "health_level": 0,
                    "unhealthiness": 0.0
                },
                {
                    "count": 0,
                    "health_level": 2,
                    "unhealthiness": 0.0
                }
            ]
        }
    },
    "appliances": {
        "coverage": {
            "total": 0
        },
        "health": {
            "scores": [
                {
                    "count": 0,
                    "health_level": 0,
                    "unhealthiness": 0.0
                },
                {
                    "count": 0,
                    "health_level": 2,
                    "unhealthiness": 0.0
                }
            ]
        }
    },
    "collectors": {
        "coverage": {
            "total": 28
        },
        "health": {
            "scores": [
                {
                    "count": 5,
                    "health_level": 0,
                    "unhealthiness": 0.0
                },
                {
                    "count": 23,
                    "health_level": 2,
                    "unhealthiness": 8.0
                }
            ]
        }
    },
    "networks": {
        "coverage": {
            "protected": 0,
            "total": 152
        },
        "health": {
            "scores": [
                {
                    "count": 0,
                    "health_level": 0,
                    "unhealthiness": 0.0
                },
                {
                    "count": 0,
                    "health_level": 2,
                    "unhealthiness": 0.0
                }
            ]
        }
    }
}

You can also use the --query parameter to limit the scope of the results. For example, to fetch a summary only for appliances and agents, use:

$ alcli --query '{agents:agents,appliances:appliances}' remediations get_collection_health_summary --account_id 134235891
{
    "agents": {
        "coverage": {
            "protected": 0,
            "total": 4
        },
        "health": {
            "scores": [
                {
                    "count": 0,
                    "health_level": 0,
                    "unhealthiness": 0.0
                },
                {
                    "count": 0,
                    "health_level": 2,
                    "unhealthiness": 0.0
                }
            ]
        }
    },
    "appliances": {
        "coverage": {
            "total": 0
        },
        "health": {
            "scores": [
                {
                    "count": 0,
                    "health_level": 0,
                    "unhealthiness": 0.0
                },
                {
                    "count": 0,
                    "health_level": 2,
                    "unhealthiness": 0.0
                }
            ]
        }
    }
}
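As an added example (not part of the Alert Logic documentation or CLI), the following Python script post-processes the collection health summary shown above the way a scheduled check would: it builds the same JMESPath --query expression for restricting asset types, groups instance counts by health_level, and flags asset types whose populated score buckets report non-zero unhealthiness. The JSON sample is constructed to mirror the shape of the output above; fetch_summary shows how the CLI would be invoked but is not called, and the meaning of individual health_level values is not interpreted because the page does not define it.

```python
import json
import subprocess
from typing import Dict, List, Optional

# Constructed sample with the same shape as the get_collection_health_summary
# output shown above. The numbers are made up for this example.
SAMPLE_SUMMARY = json.loads("""
{
    "agents": {
        "coverage": {"protected": 0, "total": 4},
        "health": {"scores": [
            {"count": 0, "health_level": 0, "unhealthiness": 0.0},
            {"count": 0, "health_level": 2, "unhealthiness": 0.0}
        ]}
    },
    "appliances": {
        "coverage": {"total": 0},
        "health": {"scores": [
            {"count": 0, "health_level": 0, "unhealthiness": 0.0},
            {"count": 0, "health_level": 2, "unhealthiness": 0.0}
        ]}
    },
    "collectors": {
        "coverage": {"total": 28},
        "health": {"scores": [
            {"count": 5, "health_level": 0, "unhealthiness": 0.0},
            {"count": 23, "health_level": 2, "unhealthiness": 8.0}
        ]}
    },
    "networks": {
        "coverage": {"protected": 0, "total": 152},
        "health": {"scores": [
            {"count": 0, "health_level": 0, "unhealthiness": 0.0},
            {"count": 0, "health_level": 2, "unhealthiness": 0.0}
        ]}
    }
}
""")


def build_query(asset_types: List[str]) -> str:
    """JMESPath expression for --query that keeps only the given top-level keys,
    e.g. ['agents', 'appliances'] -> '{agents:agents,appliances:appliances}'."""
    return "{" + ",".join(f"{t}:{t}" for t in asset_types) + "}"


def fetch_summary(account_id: int, asset_types: Optional[List[str]] = None) -> dict:
    """Run alcli (must be installed and configured) and parse its JSON output.
    Not called in this example; SAMPLE_SUMMARY stands in for the CLI output."""
    cmd = ["alcli"]
    if asset_types:
        cmd += ["--query", build_query(asset_types)]
    cmd += ["remediations", "get_collection_health_summary", "--account_id", str(account_id)]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


def summarize(summary: dict, asset_types: Optional[List[str]] = None) -> Dict[str, dict]:
    """Per asset type: coverage totals, instance count per health_level, and the
    highest unhealthiness reported by a score bucket that actually has instances.
    The meaning of the individual health_level values is not defined here; the
    example only groups by them."""
    result = {}
    for asset_type, data in summary.items():
        if asset_types and asset_type not in asset_types:
            continue
        coverage = data.get("coverage", {})
        by_level: Dict[int, int] = {}
        worst = 0.0
        for score in data.get("health", {}).get("scores", []):
            level, count = score["health_level"], score["count"]
            by_level[level] = by_level.get(level, 0) + count
            if count > 0:  # an empty bucket says nothing about real instances
                worst = max(worst, float(score["unhealthiness"]))
        result[asset_type] = {
            "total": coverage.get("total", 0),
            "protected": coverage.get("protected"),  # absent for appliances/collectors above
            "instances_by_level": by_level,
            "worst_unhealthiness": worst,
        }
    return result


def flag_unhealthy(summary: dict, threshold: float = 0.0) -> List[str]:
    """Asset types whose worst populated score bucket exceeds the threshold;
    suitable as the condition for a scheduled collection-health alert."""
    return sorted(t for t, s in summarize(summary).items() if s["worst_unhealthiness"] > threshold)


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_SUMMARY), indent=2))
    print("asset types needing attention:", flag_unhealthy(SAMPLE_SUMMARY))
```

In real use, replace SAMPLE_SUMMARY with fetch_summary(account_id) and run the script from cron or a CI job; a non-empty result from flag_unhealthy is the signal that collection has degraded for that asset type.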

Download current health check results using the Alert Logic CLI

You can use the Alert Logic CLI to retrieve a list of current exposures affecting deployment health. These vulnerabilities are stored in Assets and retrieved with Assets Query.

Use the Alert Logic CLI to download a list of open configuration vulnerabilities along with their associated remediations:

$ alcli assets_query query_assets --account_id 134278880 --asset_types 'vulnerability,remediation' --filter '{"vulnerability.categories": ">>configuration"}' --qfields 'name,description,details,remediation_id,vulnerability_id'
{
    "rows": 1,
    "assets": [
        [
            {
                "vulnerability_id": "5fe231de3e31ac7064df974341cb6efc",
                "type": "vulnerability",
                "remediation_id": "ids_missing_appliance_dc",
                "name": "Network Without Alert Logic Appliance",
                "key": "/dc/network/B0A11702-20CA-4948-B4AA-FB9926A290AD/vulnerability/f126e4d15ffb769547bcd26efe8ac785",
                "details": "The network does not have a provisioned IDS appliance present.",
                "description": "Network Without Alert Logic Appliance",
                "deployment_id": "C6189132-5282-4A2D-B915-737862AB05AE",
                "categories": [
                    "configuration"
                ]
            },
            {
                "type": "remediation",
                "remediation_id": "ids_missing_appliance_dc",
                "name": "Alert Logic recommends that you add an Alert Logic Appliance to this Network.",
                "key": "/al/134278880:C6189132-5282-4A2D-B915-737862AB05AE/remediation/ids_missing_appliance_dc",
                "deployment_id": "C6189132-5282-4A2D-B915-737862AB05AE"
            }
        ]
    ]
}

Note that this request downloads all configuration remediations for the entire account; it is also possible to limit the results to a given deployment using the --deployment_id parameter.

Here is a breakdown of this query:

Parameter      Definition
--account_id   Your Alert Logic account ID.
--asset_types  The asset types to query for; in this case, we are querying for vulnerabilities and their associated remediations.
--filter       A JSON object representing property names and values to filter with. {"vulnerability.categories": ">>configuration"} uses the list membership operator >> to query for vulnerabilities belonging to the configuration category.
--qfields      The properties to return in the response. It is often a good idea (and convenient) to restrict the returned data to what is of interest, but this is not required.
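As an added example (not part of the Alert Logic documentation or CLI), the following Python script shows how to build the query_assets command above so the --filter value is always valid JSON, optionally narrowed with --deployment_id, and how to join each returned vulnerability to its remediation and group the results per deployment. The response data is constructed to mirror the shape of the output above, with placeholder IDs; it assumes that a vulnerability and its remediation are returned in the same row sharing a remediation_id, as in that output, and handles a row where no remediation came back.

```python
import json
import shlex
from typing import Dict, List, Optional

# Constructed response with the same shape as the query_assets output above.
# IDs are placeholders for this example, not real Alert Logic identifiers.
SAMPLE_RESPONSE = {
    "rows": 2,
    "assets": [
        [
            {
                "type": "vulnerability",
                "vulnerability_id": "VULN-ID-PLACEHOLDER-1",
                "remediation_id": "ids_missing_appliance_dc",
                "name": "Network Without Alert Logic Appliance",
                "details": "The network does not have a provisioned IDS appliance present.",
                "deployment_id": "DEPLOYMENT-ID-PLACEHOLDER-A",
                "categories": ["configuration"],
            },
            {
                "type": "remediation",
                "remediation_id": "ids_missing_appliance_dc",
                "name": "Alert Logic recommends that you add an Alert Logic Appliance to this Network.",
                "deployment_id": "DEPLOYMENT-ID-PLACEHOLDER-A",
            },
        ],
        [
            # Constructed edge case: a vulnerability whose remediation object was not returned.
            {
                "type": "vulnerability",
                "vulnerability_id": "VULN-ID-PLACEHOLDER-2",
                "remediation_id": "remediation-id-placeholder",
                "name": "Example Finding (constructed)",
                "details": "Constructed detail text.",
                "deployment_id": "DEPLOYMENT-ID-PLACEHOLDER-B",
                "categories": ["configuration"],
            }
        ],
    ],
}

QFIELDS = "name,description,details,remediation_id,vulnerability_id"


def build_command(account_id: int, category: str = "configuration",
                  deployment_id: Optional[str] = None) -> List[str]:
    """Argument list for the alcli command above. The filter object is produced
    with json.dumps so the value is valid JSON (a comma in place of the colon
    would make it unparseable), and --deployment_id is added only when the
    results should be limited to a single deployment."""
    cmd = [
        "alcli", "assets_query", "query_assets",
        "--account_id", str(account_id),
        "--asset_types", "vulnerability,remediation",
        "--filter", json.dumps({"vulnerability.categories": ">>" + category}),
        "--qfields", QFIELDS,
    ]
    if deployment_id:
        cmd += ["--deployment_id", deployment_id]
    return cmd


def pair_findings(response: dict) -> List[dict]:
    """Join each vulnerability to the remediation returned in the same row with
    the same remediation_id (assumption: the row holds both, as in the output
    above). A vulnerability with no matching remediation keeps recommendation=None."""
    pairs = []
    for row in response.get("assets", []):
        remediations = {a["remediation_id"]: a for a in row if a.get("type") == "remediation"}
        for asset in row:
            if asset.get("type") != "vulnerability":
                continue
            rem = remediations.get(asset.get("remediation_id"))
            pairs.append({
                "deployment_id": asset.get("deployment_id"),
                "vulnerability_id": asset.get("vulnerability_id"),
                "name": asset.get("name"),
                "details": asset.get("details"),
                "remediation_id": asset.get("remediation_id"),
                "recommendation": rem.get("name") if rem else None,
            })
    return pairs


def group_by_deployment(pairs: List[dict]) -> Dict[str, List[dict]]:
    """Bucket paired findings by deployment_id, which is how an operator would
    hand them to the team owning each deployment."""
    grouped: Dict[str, List[dict]] = {}
    for p in pairs:
        grouped.setdefault(p["deployment_id"], []).append(p)
    return grouped


if __name__ == "__main__":
    print(shlex.join(build_command(134278880, deployment_id="DEPLOYMENT-ID-PLACEHOLDER-A")))
    for dep, findings in group_by_deployment(pair_findings(SAMPLE_RESPONSE)).items():
        print(dep)
        for f in findings:
            print(f"  {f['name']} -> {f['recommendation'] or 'no remediation returned'}")
```

The printed command line is what you would paste into a shell; in real use, pass the parsed CLI output to pair_findings instead of SAMPLE_RESPONSE. Keeping --qfields restricted, as the table notes, keeps the response small enough that this per-deployment grouping stays cheap even for large accounts.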