Mark an Incident as Resolved

Alert Logic raises an incident, with accompanying alerts and reports, whenever it detects a security event in your infrastructure. Once an incident has been reviewed you will normally want to record the outcome: note the lessons learned, create follow-up tasks for your operations teams to reduce the risk of a recurrence, and close the incident so it no longer appears in the list of open incidents. This guide shows how to implement that process with the Alert Logic CLI.

Supported subscription types

  • Managed Detection and Response Professional

Requirements

This use case requires that the Alert Logic CLI is already installed and configured.

Technical Details

Incidents are created and managed via the IRIS web service, which the Alert Logic CLI exposes under the iris command group (alcli iris ...).

List Incidents by Time

The incidents_by_time command in the Alert Logic CLI retrieves the list of incidents for a given Alert Logic account whose time falls within a window. It takes the following parameters:

Parameter    Type    Definition
account_id   string  the ID of the Alert Logic account to retrieve incidents from (a numeric string, for example 134235158)
start_time   string  the earliest time of the incidents to retrieve; a UNIX epoch timestamp or an ISO 8601 date
end_time     string  the latest time of the incidents to retrieve; a UNIX epoch timestamp or an ISO 8601 date

The following example retrieves the incidents for account 134235158 within a one-hour window on 2020-07-20 (the two values are UNIX epoch timestamps, 3600 seconds apart):

$ alcli iris incidents_by_time --account_id 134235158 --start_time 1595241349 --end_time 1595244949

Response:

[
  {
    "account_id": "134235158",
    "aggregations": [],
    "incidentId": "5F152BD4-0000-0020-0002-4C4000000000",
    "incident_attack_class": "authentication:activity",
    "incident_class": "authentication:activity",
    "incident_escalated": true,
    "incident_threat_rating": "Medium",
    "incident_type": null,
    "visibility": "incident"
  }
]

Mark Incidents as Completed

After reviewing an incident and performing the recommended steps to mitigate future occurrences, close the incident by marking it as completed. This removes it from the list of open incidents that require your attention; the notes and reason code you supply are recorded with the incident, so they should say why it was closed, not just that it was.

The complete_incident command does this and requires the following parameters:

Parameter    Type    Definition
account_id   string  the ID of the Alert Logic account that owns the incident
incident_id  string  the UUID of the incident you wish to close (the incidentId field returned by incidents_by_time)
notes        string  a description of the reasoning for closing the incident
reason_code  string  the reason for marking the incident as completed. Valid values are further_action, acceptable_risk, compensating_control, threat_not_valid, not_concluded and other

The following example closes incident 5F156451-0000-0020-0002-07DC00000000 in account 134235158, recording it as a false positive (threat_not_valid) with a note explaining why:

$ alcli iris complete_incident --account_id 134235158 --incident_id 5F156451-0000-0020-0002-07DC00000000 --notes "User forgot their password and failed to login" --reason_code "threat_not_valid"

Response:

{
  "new": {
    "notes": " User forgot their password and failed to login",
    "reason_code": "threat_not_valid",
    "status": "completed",
    "status_change_time": "2020-07-20T12:37:54.437261+00:00"
  },
  "old": {
    "status": "open",
    "status_change_time": "2020-07-20T09:31:31.441959+00:00"
  }
}
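The two steps above (list incidents for a window, then close the ones you have reviewed) are usually scripted. The helper below is an added example, not Alert Logic's own code. It assumes only the alcli flags and the response shapes shown on this page; the closure policy (only non-escalated incidents of a known benign class at or below a given threat rating), the ordering of threat-rating values and the sample incidents are constructed for illustration. It builds the exact argv for each command rather than a shell string, so analyst-written notes containing quotes, semicolons or $(...) are passed to alcli as data, and it runs in dry-run mode unless told otherwise.

```python
import json
import subprocess
import time
from datetime import datetime

# reason_code values accepted by complete_incident, as documented on this page
REASON_CODES = {"further_action", "acceptable_risk", "compensating_control",
                "threat_not_valid", "not_concluded", "other"}

# Assumed ordering of incident_threat_rating values (adjust to what your tenant emits)
RATING_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


def window_epoch(days=7, now_epoch=None):
    """(start_time, end_time) as UNIX epoch seconds covering the past `days` days.
    Computing the window avoids hand-copied timestamps that do not match the prose."""
    end = int(time.time()) if now_epoch is None else int(now_epoch)
    return end - days * 86400, end


def list_incidents_argv(account_id, start_time, end_time):
    """argv for `alcli iris incidents_by_time` (flags as documented on this page)."""
    return ["alcli", "iris", "incidents_by_time",
            "--account_id", str(account_id),
            "--start_time", str(start_time),
            "--end_time", str(end_time)]


def complete_incident_argv(account_id, incident_id, notes, reason_code):
    """argv for `alcli iris complete_incident`, validated before it is ever run.
    Notes are a separate argv element, never interpolated into a shell command."""
    if reason_code not in REASON_CODES:
        raise ValueError(f"unknown reason_code {reason_code!r}")
    if not notes.strip():
        raise ValueError("notes must explain why the incident is being closed")
    return ["alcli", "iris", "complete_incident",
            "--account_id", str(account_id),
            "--incident_id", incident_id,
            "--notes", notes,
            "--reason_code", reason_code]


def closable(incident, benign_classes, max_rating="Medium"):
    """Constructed policy: never auto-close escalated incidents, only known benign
    classes, and only at or below max_rating. Unknown ratings are never closable."""
    if incident.get("incident_escalated"):
        return False
    if incident.get("incident_class") not in benign_classes:
        return False
    rank = RATING_RANK.get(incident.get("incident_threat_rating"), 99)
    return rank <= RATING_RANK[max_rating]


def plan_closures(account_id, incidents, benign_classes, notes, reason_code):
    """complete_incident argv for every incident in an incidents_by_time result
    that the policy allows to be closed."""
    return [complete_incident_argv(account_id, inc["incidentId"], notes, reason_code)
            for inc in incidents if closable(inc, benign_classes)]


def run_cli(argv, execute=False):
    """Dry run by default (returns the argv); with execute=True run alcli and parse
    the JSON it prints. shell=False is the default, so argv is not re-parsed."""
    if not execute:
        return argv
    proc = subprocess.run(argv, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def check_completed(response):
    """Confirm a complete_incident response records open -> completed and return
    how many seconds the incident was open, using the response shape on this page."""
    new, old = response["new"], response["old"]
    if new.get("status") != "completed" or old.get("status") != "open":
        raise RuntimeError(f"unexpected status transition: {old} -> {new}")
    opened = datetime.fromisoformat(old["status_change_time"])
    closed = datetime.fromisoformat(new["status_change_time"])
    return (closed - opened).total_seconds()


# Constructed sample incidents_by_time output: the page's escalated incident plus a
# hypothetical non-escalated one with the ID the page later closes.
SAMPLE_INCIDENTS = [
    {"account_id": "134235158", "incidentId": "5F152BD4-0000-0020-0002-4C4000000000",
     "incident_class": "authentication:activity", "incident_escalated": True,
     "incident_threat_rating": "Medium", "visibility": "incident"},
    {"account_id": "134235158", "incidentId": "5F156451-0000-0020-0002-07DC00000000",
     "incident_class": "authentication:activity", "incident_escalated": False,
     "incident_threat_rating": "Medium", "visibility": "incident"},
]

if __name__ == "__main__":
    start, end = window_epoch(days=7)
    print(run_cli(list_incidents_argv("134235158", start, end)))
    for argv in plan_closures("134235158", SAMPLE_INCIDENTS, {"authentication:activity"},
                              "User forgot their password and failed to login",
                              "threat_not_valid"):
        print(run_cli(argv))
```

Run as-is it only prints the commands it would execute; pass execute=True to run_cli once you are satisfied with the plan. The escalated incident from the page's listing is deliberately left open by the policy, and an unrecognised reason code is rejected before alcli is invoked, so a typo cannot close an incident with a misleading record.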