Incidents



If your account subscriptions provide you with the new Alert Logic Incident console and its features (pictured above), see Incidents to view documentation for that console.

All other customers will receive the updated Incident console in the coming months and can continue using the documentation on this page. Contact Technical Support with any questions about the availability of these new features.

An incident is an entity in the Alert Logic system that identifies a potential security problem in your environment. An incident comprises correlated suspicious events that require attention to maintain your security posture, achieve regulatory compliance, or both. Alert Logic generates incidents based on various predefined scenarios.

An incident can be dynamic, changing as more information is discovered. This process is called incident evolution. An incident evolves when Alert Logic receives additional events and creates an incident of a higher threat rating, for which the Alert Logic Security Operations Center (SOC) sends another incident notification.

Incident classification types

Each incident is classified by the type of attack. Alert Logic uses the following descriptions to classify attacks.

application-attack
An application-attack incident identifies attacks that target application-specific vulnerabilities. Alert Logic creates an application-attack incident when an attacker attempts to compromise an application with a buffer overflow, race condition, directory traversal, SQL injection, cross-site scripting, or an attempt to invoke /usr/bin/perl or another UNIX command.

brute-force
A brute-force incident identifies repeated authentication attempts and related activities. Alert Logic triggers a brute-force incident when sufficient events indicate attempts to systematically compromise a system by guessing valid user name and password combinations.

denial-of-service
A denial-of-service incident, which includes denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks, identifies an attempt to make computer resources or services unavailable either temporarily or indefinitely. Attackers typically use DoS and DDoS either to stop an online business from trading or to make a social or political statement. Alert Logic creates a denial-of-service incident when events indicate this type of attack.

info-leak
An information-leak incident identifies reconnaissance attempts that were generally successful. Alert Logic creates an information-leak incident when events indicate such reconnaissance activities as port scans used to identify open and closed ports, or the retrieval of information from a secured system.

log-policy
A log-policy incident uses Log Manager log correlation policies to identify potential issues. Log Manager can create a log-policy incident automatically based on selected correlated log messages and specific conditions you define. For example, you can configure Alert Logic to identify log messages containing five failed login events in a 60-second time period and create a log-policy incident.

misconfiguration
A misconfiguration incident identifies a possible system misconfiguration. Alert Logic triggers a misconfiguration incident when events indicate that a system is incorrectly configured. Attackers can use the misconfiguration to compromise the system.

policy-violation
A policy-violation incident identifies activities that violate the acceptable use policies of most companies. These activities include viewing inappropriate material, peer-to-peer activity, and firewall policy changes.

recon
A recon incident identifies attempts by someone to evaluate a target. Alert Logic creates a recon incident when events indicate reconnaissance activities against a network or set of hosts. The activities that trigger this incident include gathering information about a server operating system, software versions, or the existence of debugging or demonstration scripts.

suspicious-activity
A suspicious-activity incident identifies activity that is not covered by another category and that requires further research. Alert Logic creates a suspicious-activity incident when anomalous activities that could indicate a compromise occur. For example, the addition of a new domain administrator without the intent and knowledge of existing administrators may indicate that an attacker added the admin role to gain control over the environment or to provide a backdoor into the systems.

trojan-activity
A trojan-activity incident identifies activity that indicates a host is infected by a Trojan horse or other type of backdoor malware. Alert Logic creates a trojan-activity incident when events indicate a Trojan in the network. This type of malware masquerades as a legitimate program but actually steals information or harms the system.

worm-activity
A worm-activity incident identifies hosts that display signs of worm infection. A computer worm is self-replicating malware that uses a network to propagate and copy itself to other nodes, with or without user intervention. A worm typically exploits a known vulnerability, and can cause damage by altering the affected system and consuming network bandwidth. Alert Logic creates a worm-activity incident when events indicate a network worm is traversing the network.
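The log-policy example above (five failed logins within 60 seconds), the brute-force class, and the incident evolution described at the top of the page all rest on the same mechanism: a sliding-window count of correlated events per source, with the threat rating raised as more events arrive. The following Python program is an added illustration of that mechanism, not Alert Logic's correlation engine, whose internals this page does not describe. The sshd-style log lines are constructed for the example, and the field names, the "log-policy" record layout, and the rating ladder (5 failures is Medium, 10 is High, 20 is Critical) are assumptions chosen to make the escalation visible.

```python
"""Sliding-window log correlation with incident evolution (added example).

Policy: open a log-policy incident when one source IP produces `threshold`
failed logins within `window_seconds`, and escalate its threat rating as
more failures arrive. Log format and rating ladder are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style lines for the example (not captured from a real host).
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51514 ssh2
2024-03-01T10:05:00Z host1 sshd[1202]: Failed password for root from 203.0.113.7 port 51520 ssh2
2024-03-01T10:05:02Z host1 sshd[1203]: Failed password for bob from 198.51.100.9 port 40001 ssh2
2024-03-01T10:05:05Z host1 sshd[1204]: Failed password for root from 203.0.113.7 port 51521 ssh2
2024-03-01T10:05:10Z host1 sshd[1205]: Failed password for root from 203.0.113.7 port 51522 ssh2
2024-03-01T10:05:15Z host1 sshd[1206]: Failed password for invalid user test from 203.0.113.7 port 51523 ssh2
2024-03-01T10:05:20Z host1 sshd[1207]: Failed password for root from 203.0.113.7 port 51524 ssh2
2024-03-01T10:05:25Z host1 sshd[1208]: Failed password for root from 203.0.113.7 port 51525 ssh2
2024-03-01T10:05:30Z host1 sshd[1209]: Failed password for root from 203.0.113.7 port 51526 ssh2
2024-03-01T10:05:35Z host1 sshd[1210]: Failed password for root from 203.0.113.7 port 51527 ssh2
2024-03-01T10:05:40Z host1 sshd[1211]: Failed password for root from 203.0.113.7 port 51528 ssh2
2024-03-01T10:05:45Z host1 sshd[1212]: Failed password for root from 203.0.113.7 port 51529 ssh2
2024-03-01T10:05:50Z host1 sshd[1213]: Accepted password for alice from 192.0.2.10 port 60000 ssh2
2024-03-01T10:06:30Z host1 sshd[1214]: Failed password for bob from 198.51.100.9 port 40002 ssh2
2024-03-01T10:07:00Z host1 kernel: [12345.678] eth0: link up
2024-03-01T10:08:00Z host1 sshd[1215]: Failed password for bob from 198.51.100.9 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Assumed escalation ladder: failures inside the window -> threat rating.
ESCALATION = ((20, "Critical"), (10, "High"), (5, "Medium"))
RANK = {"Medium": 1, "High": 2, "Critical": 3}


def parse_line(line):
    """Return a dict for sshd authentication lines, None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def rating_for(count):
    """Map a failure count to the assumed threat rating (None below threshold)."""
    for minimum, rating in ESCALATION:
        if count >= minimum:
            return rating
    return None


def correlate(lines, threshold=5, window_seconds=60):
    """Apply the policy to lines in order. Returns incidents keyed by source IP
    and the notifications (creation plus each evolution) that would be sent."""
    recent = defaultdict(deque)  # src -> failure timestamps still inside the window
    incidents, notifications = {}, []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "Failed":
            continue  # unparsed lines and successful logins do not count
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # age out failures older than the window
        count = len(q)
        inc = incidents.get(ev["src"])
        if inc is not None:
            inc["events"].append(ev["ts"])  # every later failure joins the incident
        if count < threshold:
            continue
        rating = rating_for(count)
        if inc is None:
            inc = {
                "classification": "log-policy",
                "summary": f"{count} failed logins from {ev['src']} within {window_seconds}s",
                "threat_rating": rating,
                "review": "Not Acknowledged",
                "events": list(q),
                "evolution": [(ev["ts"], rating, count)],
            }
            incidents[ev["src"]] = inc
            notifications.append((ev["src"], "created", rating))
        elif RANK[rating] > RANK[inc["threat_rating"]]:
            # Incident evolution: additional events pushed it to a higher rating,
            # which is what triggers a second notification. Ratings never go down.
            inc["threat_rating"] = rating
            inc["evolution"].append((ev["ts"], rating, count))
            notifications.append((ev["src"], "evolved", rating))
    return {"incidents": incidents, "notifications": notifications}


if __name__ == "__main__":
    result = correlate(SAMPLE_LOGS.splitlines())
    for src, inc in result["incidents"].items():
        print(src, inc["classification"], inc["threat_rating"], inc["summary"])
    for src, kind, rating in result["notifications"]:
        print("notify:", src, kind, rating)
```

On the constructed input only 203.0.113.7 crosses the threshold: the early failure at 10:00:01 ages out of the window, the fifth failure at 10:05:20 opens a Medium incident, and the tenth at 10:05:45 evolves it to High and produces a second notification. 198.51.100.9 never has five failures in any 60-second span, and the accepted login and the kernel line are ignored. Because the window slides, a quiet source's count falls again, but the rating is deliberately never lowered, matching the page's description of evolution as movement to a higher rating.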

Monitor incidents

Events, log messages, and web violations can generate incidents. You can access incidents on the Incidents page, where you can view details for each incident and make updates.

View incidents

You can access most incident-related features, including a list of existing incidents, on the Incidents page in the Alert Logic console.

To view incidents:

  1. Access the Incidents tab and click List.
  2. Click Search or Search Filters to bring up your incidents.
  3. (Optional) To display incidents based on when they were created, select a value in the Range drop-down list. To increase the range to greater than a day, select Enable range greater than 1 day. Using a range greater than one day may decrease performance.
  4. (Optional) To acknowledge incidents, select the box next to each incident to update or click Select all to select all displayed incidents, and then, click Mark as acknowledged.
    The Review state of the selected incidents changes to "Acknowledged - No Analysis Required".
  5. (Optional) To display incidents by state and/or review status, at the bottom of the list of incidents, next to Show Incidents, select one or more of the following options and click Apply:
    • Closed—Shows only incidents that are closed
    • Acknowledged—Shows incidents that have been acknowledged
    • In Analysis —Shows incidents that are in analysis
  6. (Optional) To view the details of an incident, see View incident details.

Search incidents

You can search existing incidents from the Incidents page using any combination of the available search features: the search box, search filters, and right-click options. Each method provides a different type of search capability.

Search box

The Search box provides a simple way to search for incidents by incident ID number.

To search for incidents using the search box:

  1. Access the Incidents tab and click List.
  2. In the Search box, which is located above the list of incidents, type the incident ID number for the incident you want to find. You can also use the '*' wildcard character (for example, 456789*) to retrieve multiple incidents.

  3. Click Search.

Search filters

The most detailed way to search incidents is to use search filters. You can use search filters to combine different search parameters, such as incident classification, threat rating, and status.

To search incidents using search filters:

  1. Access the Incidents tab and click List.
  2. (Optional) In the Saved Filters drop-down list, select a previously saved filter if applicable, and click Load or Load in New Window.
    Previously defined filters appear.
  3. In the drop-down list of columns, select a column to filter by.
  4. In the drop-down list of operations, select an operation for the search term for the selected column (for example, does not contain).
  5. For the search term, enter a search value. The type of entry field that is used depends on the selected column; for example, a text box is used for Summary, a list of defined values is used for Classification, and date and time fields are used for Due Date.
  6. (Optional) Click Add another filter to add an additional search parameter, and repeat steps 3 through 5 for it. If you have created several filters and want to delete one, click Remove next to the filter to discard.
  7. Click Apply Filters to run your search query.
    Only those incidents that satisfy the search criteria are displayed.
  8. (Optional) To save your defined filters, specify a name in the Save filters as: box, and click Save.
  9. (Optional) To discard defined filters and applied results, click Clear.
  10. (Optional) To hide the Search Filters configuration area, click Search Filters.

Right-click options

Right-click options let you filter and sort displayed incidents using columns and defined values.

If you right-click a value in an incident that is not selected, only options for sorting and filtering are available. If you right-click a value in an incident that is selected, options that let you modify the incident or add the incident to a case are also available. 

To filter and sort incidents using right-click options:

  1. Access the Incidents tab and click List.
  2. Click Search or Search Filters to bring up your incidents.
  3. In the displayed list of incidents, right-click a value for an incident and select one of the following options:

    • Only show rows with this value
    • Hide rows with this value
    • Clear show/hide/sort settings for this column—This option returns the column to its default view.
    • Sort list by this column
    • Roll up by this column

    You can also click on the column heading to sort the list by the column.

    The list of displayed incidents is updated.

  4. (Optional) To discard applied filters and results, click Clear.

View incident details

Within each incident is information such as events associated with the incident, and notes created by team members researching and responding to the incident. When investigating threats on your network, view the details of incidents to gain a better understanding of why each incident was created.

To view the details of an incident:

  1. Access the Incidents tab and click List.
  2. Click Search or Search Filters to bring up your incidents.
  3. In the displayed list of incidents, click the ID value for the incident to view.
    Incident details appear.
  4. Use the tabs at the bottom of the page to view the respective details. The following tabs are available:
    • Associated Events—Lists the events generated by the Threat Manager appliance.

    This tab is visible to Web Security Manager Out-of-Band WAF users only.

    • Threat Scenario Logs—Summarizes the associated events for the incident.
    • Associated Log Messages—Displays log messages generated upon detection of any web violation, which creates both an incident and a log message. In the list of displayed messages, click a link in the Message column to open the Log Message detail page.
    • Related Log Messages—Lists log messages that occurred but were not involved in the incident creation.
    • Web Violations—Lists web violations logged by Web Security Manager Out-of-Band WAF. You can also open the Web Security Manager application and navigate to the Web Violations page. To open the Log Message detail page, click Details in the Details column for the row.

    This tab is visible to Web Security Manager users only.

    • NetBIOS Scans—Displays hostname look-up information.
    • Whois Requests—Displays detailed IP address information.
    • Defense Status—Displays blocking actions associated with the incident.
    • Incident Evolution—Lists events in the incident evolution.
    • Related Events—Lists events that occurred on the incident IP address but were not involved in the incident creation.
    • Analysis Assistance—Provides analysis assistance.
  5. (Optional) To modify an incident, see Update an incident.

If you are a Threat Manager customer, on the Incidents Detail page, you can view Associated Events. This is a popular feature to help with threat investigation.

To view an incident's associated events:
At the bottom of the Incident Details page, click the Associated Events tab, and then click the name of the associated event you'd like to view.

Update an incident

As you investigate an incident, you can update the incident with details of the progress. For example, you can add a note, update the review status or threat rating, change an incident classification, summary, or description, close the incident, and more.

To update an incident:

  1. Access the Incidents tab and click List.
  2. Click Search or Search Filters to bring up your incidents.
  3. In the displayed list of incidents, click the ID value for the incident to update.
    Incident details appear.
  4. To document the progress of an incident, use the following options on the Incident details page:
    • Add tags—To add keywords to an incident, click Add tags. Type tags to add to the incident, and click Save Tags.
    • Add Note—Add a note to an incident to provide additional information such as research details, action taken, or outcome. For example, you can write, "Host was infected. Scanned, patched, and replaced on the network. Incident is closed."
      To add a note to the incident, click Add Note, type a description, and click Save.

    You can also use the Add Note option in the left navigation area.

    • Threat Rating—Update the threat rating to one of the following values, and click Update:
      • Critical
      • High
      • Medium
      • Low
      • None
    • State—To close an incident, update the state to one of the following values, and click Update:
      • Administratively Closed (No Review Needed)
      • Closed without review
      • Closed After Review–No Threat
      • Closed After Review–Valid Threat
    • Review—Update the review status to one of the following values, and click Update:
      • Not Acknowledged
      • Acknowledged–In Analysis
      • Acknowledged–No Analysis Required
      • Acknowledged–Completed Analysis
    • Action—Update the value to reflect the action taken to address the incident, and click Update.
    • Notification—Update the notification setting to one of the following values, and click Update:
      • Not Yet Approved
      • Approved
  5. To change details of the incident record, in the left navigation area under Incident, click Modify. Use the following options on the Modify Incident page, and click Save:
    • Time Frame—Enter the amount of time for incident closure.
    • Classification—Select a new incident classification value from the drop-down list.
    • Summary—Type a new incident summary.
    • Description—Type new description text.
    • Base Incident—Select the base incident type from the drop-down list.
    • Base Incident Description—Type description text for the base incident.
    • Correlation parameter—Select a new correlation parameter value from the drop-down list.

Add an incident to a case

To add an incident to a case, you must first add the incident to the Case Creation cart and then process the cart. Use the respective procedure below to select one or multiple incidents at a time. For more information on cases, see Cases.

To select an incident to add to a case:

  1. Access the Incidents tab and click List.
  2. Click Search or Search Filters to bring up your incidents.
  3. In the displayed list of incidents, click the ID of the incident to add to a case.
    The incident details appear.
  4. In the left navigation area, click Add to case.
    The incident is added to the Case Creation cart.
  5. To process the cart and add the incident to a case, see Cases.

To select multiple incidents to add to a case:

  1. Access the Incidents tab and click List.
  2. Click Search or Search Filters to bring up your incidents.
  3. In the displayed list of incidents, select the box for each incident to add to a case.
  4. Right-click an area other than the ID column and select Add to Case.
    The selected incidents are added to the Case Creation cart.
  5. To process the cart and add the selected incidents to a case, see Cases.

View GuardDuty incidents

If you have Amazon GuardDuty enabled, and Alert Logic Cloud Insight configured to display GuardDuty findings, the GuardDuty page lists those findings as incidents in your environment.

You can click any incident on the list to learn more about it and take remediation steps. Incident detail pages include the Investigation Report, Recommendations, and Evidence. On each of these pages you can view the Audit Log, which lists the activity for the selected incident. You can also Update an incident, Close an incident, or Reopen an incident.

If the GuardDuty page contains a large number of incidents, you can apply filters to narrow the list to a specific set of incidents. Use the options on the left to choose Open, Snoozed, or Closed incidents and filter those incidents by Threat Level or Classification Type. If you have Amazon GuardDuty, you may also filter by Deployments, Regions, VPCs, and Subnets.

Investigation Report

When you select an incident from the GuardDuty page, Cloud Defender provides details about the attack from which the incident originated, including the location of the attacker and the targeted asset.

The incident details are listed across the top, followed by the buttons to Update an incident, Snooze an incident, and Close an incident. Below that is the Investigation Report and the Audit Log.

Investigation Report

The Investigation Report section includes information describing the attack type and the attack methods to help you understand the incident and its impact on your assets.

Click SEE RECOMMENDATIONS at the bottom to learn how to remediate the incident and protect the threatened asset. You can also click on Recommendations in the left navigation bar.

Recommendations

Recommendations provides one or more actions you should take to secure the asset under attack and remediate the incident. It also shows the Audit Log for the incident.

After you perform the recommended course of action, click Close to mark the incident as closed and clear it from the GuardDuty List. For more information about closing incidents, see Close an incident.

Evidence

The Evidence page uses the following icons to display all information about the selected incident.

  •  Incident activity—The Incident Activity icon lists activity and logs associated with the selected incident. The numeral on the icon represents the number of activities associated with the attack. Click the icon to expand the section and reveal details about the attack and the assets involved, as well as all activity and logs for the incident.
  •  Flagged evidence—Alert Logic analysts can flag items of interest as supporting evidence for the attack and provide notes specific to each flagged evidence. (Cloud Defender only)
  •  System-generated event—This indicates the creation of the incident, or that the threat rating of the incident changed. The color and shading of the icon corresponds with the threat rating, as seen in Incidents.
  •  Incident notes from Alert Logic—An Alert Logic analyst can provide notes about the incident, which appear in the Audit Log and Evidence List. (Cloud Defender only)
  •  Incident escalated to customer—The incident escalation icon indicates that Alert Logic notified you by email that the incident escalated. The color of the icon corresponds with the incident threat rating, as seen in Incidents. (Cloud Defender only)
  •  Customer notes—Any notes you create about the incident appear in this section.

The information in Evidence can be filtered by source and provides access to relevant events or logs related to this incident.

Audit Log

The Audit Log, which appears on the Investigation Report, Recommendations, and the Evidence pages, uses the following icons to display milestone actions and information about the selected incident:

  •  Flagged evidence—Alert Logic analysts can flag items of interest as supporting evidence for the attack and provide notes specific to each flagged evidence. (Cloud Defender only)
  •  System-generated event—This indicates the creation of the incident, or that the threat rating of the incident changed. The color and shading of the icon corresponds with the threat rating, as seen in Incidents.
  •  Incident notes from Alert Logic—An Alert Logic analyst can provide notes about the incident, which appear in the Audit Log and Evidence List. (Cloud Defender only)
  •  Incident escalated to customer—The incident escalation icon indicates that Alert Logic notified you by email that the incident escalated. The color of the icon corresponds with the incident threat rating, as seen in Incidents. (Cloud Defender only)
  •  Customer notes—Any notes you create about the incident appear in this section.

Update an incident

Update, which appears on the Investigation Report, Recommendations, and Evidence pages, allows you to choose from a list of options to update an incident with your assessment of the threat, and add an optional note to provide details about your update.

The following Threat Assessment options inform others in your organization whether the threat is valid, and what action (if any) the organization should take to remediate the threat.

Threat presents a valid risk:

  • Take action to mitigate the threat.
  • Risk is acceptable. No action required.

Threat does not present a valid risk:

  • Compensating control in place. No action required.
  • The threat is not valid.
  • Other assessment.

Adding an update allows others to know the status of the incident and read detailed notes about any actions taken.

If you update an incident, the incident remains open. Close an incident is the only action that allows you to close the incident and remove it from the GuardDuty list.

Snooze an incident

Snooze allows you to temporarily remove an incident from the GuardDuty list until you remediate and close the incident. Snooze appears on the Investigation Report, Recommendations, and Evidence pages. To snooze an incident:

  1. Select when to return the incident to the GuardDuty List from the snooze options (tomorrow, in a couple of days, next week, or in two weeks).
  2. Add an optional note about the incident.
  3. Click Snooze.

When you snooze an incident the icon becomes a green "Snoozed" icon.

You can click the Snoozed icon to edit your snooze options, or to cancel the snooze and return the incident to the list.

Close an incident

The option to close an incident appears on the Investigation Report, Recommendations, and Evidence pages. When you close an incident, you remove it from the GuardDuty list.

Click Close to close an incident.

Fill out the following information to justify closing the incident:

  • Your assessment of the threat.

    The following Threat Assessment options inform others in your organization whether the threat is valid, and what action (if any) the organization should take to remediate the threat.

    Threat presents a valid risk:

    • Take action to mitigate the threat.
    • Risk is acceptable. No action required.

    Threat does not present a valid risk:

    • Compensating control in place. No action required.
    • The threat is not valid.
    • Other assessment.
  • (Optional) Notes about the incident, including your reasons for closing the incident, and any steps taken to address the threat.

Reopen an incident

If you determine a closed incident merits further investigation or discussion, you can reopen the incident.

To reopen a closed incident:

  1. Filter the GuardDuty List by Closed incidents.
  2. Click the incident you want to reopen.
  3. Click Closed.
  4. Add an optional note explaining why you are reopening the incident.
  5. In the panel that appears, click REOPEN.
