
Management

The Alert Logic console Management page allows you to manage asset information, users, groups, and more. Common tasks performed through the Management page include grouping assets and configuring them for management and identification, defining users and delegating permissions so users can view or modify information as needed, creating groups to improve case management and asset ownership, and setting up blocks to prevent attackers from accessing your network.

Users & Groups

You can create a user account to allow an individual user access to the Alert Logic console. When you create a new account, you can define the specific permissions for this individual.

Alert Logic allows you to use groups to improve case management and asset ownership.

Work with users

Create a user account

When your company is onboarded, the Alert Logic Provisioning team creates a customer account for it. You then create user accounts under that customer account.

A user account has permission to see other user accounts under the same customer account.

By default, the user account created by the Provisioning team can view and manage data for a customer account. This permission also includes the ability to view and manage all user accounts associated with the customer account. You can change these permissions.

To create a user account:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under General, click Users & Groups.
  3. If you manage more than one customer, select the desired customer from the Customer drop-down menu.
  4. Click Add New User.
  5. Complete the Account Details fields.
  6. Under Permissions, select the check boxes for the permissions you want to assign to the user account.

If you previously created a user profile, you can select a saved profile to apply its permissions to the new account. Even after you select a saved profile, you can still customize the permissions for this account, as detailed in the remaining steps. For more information about user profiles, see Create a user profile.

  7. Under Zone Limitation, select whether you want to limit account access to specific zones.
  8. Click Add New User.

Create a user profile

A user profile defines a set of permissions to save and apply to new users. User profiles allow you to quickly assign common sets of permissions to many user accounts.

For example, suppose your customer account includes five users responsible for managing your product. You can create a profile called "management" with the permissions associated with that role, and then select the profile when creating each of the five user accounts to apply the same permissions to all of them.

To create a user profile:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under General, click Users & Groups.
  3. If you manage more than one customer, from the Customer drop-down menu, select the customer.
  4. From the Users drop-down menu, select a user, and then click Go.
  5. Under Permissions, select your desired permissions.
  6. In the Profile Name box, enter a name for the set of permissions.
  7. Click Save Profile.

Modify a user account

You can modify and update the permissions for existing user accounts.

Regardless of permission settings, a user account holder can see the full customer account list, as well as the summary and dashboard pages for those customer accounts.

To modify an existing user account:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under General, click Users & Groups.
  3. If you manage more than one customer, in the Customer drop-down menu, select the customer.
  4. In the Users drop-down menu, select the user account you want to modify, and then click Go.
  5. Modify the Account Details fields.
  6. Under Permissions, select the check boxes for the permissions you want to assign to the user account.

If you previously created a user profile, you can select a saved profile to apply its permissions to this account. Even after you select a saved profile, you can still customize the permissions for this account. For more information about user profiles, see Create a user profile.

  7. Click Save.

Delete a user account

To simplify user account management, delete old user accounts that are no longer in use.

To delete a user account:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under General, click Users & Groups.
  3. If you manage more than one customer, from the Customer drop-down menu, select the customer.
  4. In the Users drop-down menu, select the user account you want to delete, and then click Go.
  5. Click Delete User.
  6. Click OK.

Work with user groups

Create a user group

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under General, click Users & Groups.
  3. If you manage more than one customer, in the Customer list, select the customer.
  4. Click Add New Group.
  5. In the Group Name box, type a name for the new group.
  6. From the Available Users list, move the appropriate users to the Selected Values list.
  7. Click Add.

Modify a user group name and membership

Use this user group feature to add members to, and remove members from, a group. You can also change the user group name.

To modify a user group:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under General, click Users & Groups.
  3. If you manage more than one customer, in the Customer drop-down menu, select the customer.
  4. In the Users drop-down menu, click the name of the group you want to modify, and then click Go.
  5. Add to, and remove members from, the Selected Values list.
  6. (Optional) To change a group name, type the new group name in the Group Name field.
  7. Click Save.

Delete a user group

You can delete user groups you no longer need.

When you delete a user group, that group is removed from the list of owners for all cases and assets, which may cause some cases and assets to no longer have an owner assigned.

Before you delete a group, search for all cases and assets owned by the group, and reassign those cases and assets.

To delete a user group:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under General, click Users & Groups.
  3. If you manage more than one customer, in the Customer drop-down menu, select the customer.
  4. In the Users drop-down menu, select the name of the group you want to delete, and then click Go.
  5. Click Delete Group.

Assets

Appliances

Add IP addresses to the home net for an appliance

A home net defines the set of IP addresses that are local to an Alert Logic appliance. The Alert Logic console displays IP addresses in the home net with green text, and displays IP addresses not in the home net with black text. This convention helps you quickly recognize IP addresses as internal or external. You can click external IP addresses to view WHOIS information about that IP address.

Only Threat Manager customers can perform this task.

To add IP addresses to the Home Net for an appliance:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the Appliance drop-down menu, select the appliance for which you want to define the home net, and then click Go.
  3. Click Add Home Net.
  4. Under Home Net Details, specify one or more IP addresses and netmasks to add, and then click Add Home Net.

Specify the zone for an appliance

An Alert Logic appliance appears in one zone. That appliance can perform defense activities, such as blocking and containment, for assets only in that zone.

To specify the zone for an appliance:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. If you manage more than one customer, in the Customer drop-down menu, select the customer.
  3. In the Appliances drop-down menu, select the appliance for which you want to set the zone, and then click Go.
  4. From the Zone drop-down menu, select the zone to which you want to assign the appliance.
  5. Click Update.

Devices

Create a host group

A host group is a set of one or more hosts. You identify which zone contains the host group and the importance (criticality) of hosts in that host group. You also specify whether assets in that host group contain financial or medical information.

To create a host group:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, click Devices.
  3. In the left navigation area, click Host Groups.
  4. Click Add Host Group.
  5. In the Add Host Group window, specify the information for the new host group, and then click Add Host Group.

Add hosts to a host group

After you create the host groups you need, you can add one or more hosts to those host groups.

A host can be in only one host group.

To add one or more hosts to a host group:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, click Devices.
  3. In the left navigation area, click Add Hosts.
  4. If you manage more than one customer, in the Customer drop-down menu, select the name of the customer.
  5. From the Host Group drop-down menu, select the host group to which you want to add hosts.
  6. Specify one or more IP addresses in the IP Address box.
  7. Click Add Host.

Create a zone

A zone is a set of one or more host groups. Alert Logic creates default zones for your account, based on your initial configuration discussions. You can add and modify zones to logically group hosts and apply policies in your environment. You can also use zones to limit the information users can view.

Zones restrict the collected data that a user account can view. In Threat Manager, the restricted collected data are events. In Log Manager, the restricted collected data are log messages.

If you are an LM3 customer account managing LM2 child customer data, contact a Product Specialist at support@alertlogic.com for additional assistance.

Zones do not restrict access to customer account configuration information, such as user accounts, appliances, etc. You cannot use zones to restrict access to the Summary pages. Zones do not control the functionality of user account access. User account permissions control this functionality.

Your Alert Logic appliance is in one zone. That appliance can perform defense activities, such as blocking and containment, only for assets in that zone. A host group can be in only one zone.

To create a zone:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, click Devices.
  3. Click Add Zone.
  4. If you manage more than one customer, in the Customer Name drop-down menu, select the customer, and then click Go.
  5. Click Add Zone.
  6. In the Add Zone window, specify a name and asset owner/group, and then click Add Zone.
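The constraints in the paragraphs above (a host in one host group, a host group in one zone, an appliance in one zone, Zone Limitation deciding which collected events a user sees, and blocking scoped to the appliance's own zone) can be made concrete in a few lines. The following Python model is an added example and not Alert Logic code; its class names, sample hosts, zones and events are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Added example: a small model of the asset hierarchy described on this page.
# Invariants taken from the text: a host is in exactly one host group, a host
# group in exactly one zone, an appliance in exactly one zone; zones restrict
# which collected events a user sees, and an appliance blocks only assets in
# its own zone. Class, function and sample names are constructed.


@dataclass
class Inventory:
    host_group_of_host: Dict[str, str] = field(default_factory=dict)
    zone_of_host_group: Dict[str, str] = field(default_factory=dict)
    zone_of_appliance: Dict[str, str] = field(default_factory=dict)

    def add_host_group(self, name: str, zone: str) -> None:
        current = self.zone_of_host_group.get(name)
        if current is not None and current != zone:
            raise ValueError(
                f"host group {name!r} is already in zone {current!r}; "
                "a host group can be in only one zone"
            )
        self.zone_of_host_group[name] = zone

    def add_host(self, ip: str, host_group: str) -> None:
        if host_group not in self.zone_of_host_group:
            raise KeyError(f"unknown host group {host_group!r}")
        current = self.host_group_of_host.get(ip)
        if current is not None and current != host_group:
            raise ValueError(
                f"host {ip} is already in host group {current!r}; "
                "a host can be in only one host group"
            )
        self.host_group_of_host[ip] = host_group

    def set_appliance_zone(self, appliance: str, zone: str) -> None:
        # Re-assigning moves the appliance; it is never in two zones at once.
        self.zone_of_appliance[appliance] = zone

    def zone_of_host(self, ip: str) -> Optional[str]:
        group = self.host_group_of_host.get(ip)
        return None if group is None else self.zone_of_host_group.get(group)


@dataclass
class User:
    name: str
    # None means no Zone Limitation: the user sees events from every zone.
    # Zones never restrict configuration data such as user accounts or appliances.
    zone_limitation: Optional[Set[str]] = None


def visible_events(inv: Inventory, user: User, events: List[dict]) -> List[dict]:
    """Apply the user's Zone Limitation to collected events (Threat Manager
    events or Log Manager log messages). Events from hosts that are in no host
    group have no zone and are hidden from zone-limited users."""
    if user.zone_limitation is None:
        return list(events)
    return [e for e in events if inv.zone_of_host(e["host"]) in user.zone_limitation]


def can_block(inv: Inventory, appliance: str, ip: str) -> bool:
    """An appliance can block or contain a host only if both are in the same zone."""
    zone = inv.zone_of_host(ip)
    return zone is not None and zone == inv.zone_of_appliance.get(appliance)


def build_sample_inventory() -> Inventory:
    # Constructed sample data, not taken from any real deployment.
    inv = Inventory()
    inv.add_host_group("dmz-web", zone="DMZ")
    inv.add_host_group("corp-db", zone="Internal")
    inv.set_appliance_zone("tm-appliance-1", "DMZ")
    inv.add_host("10.0.1.10", "dmz-web")
    inv.add_host("10.0.2.20", "corp-db")
    return inv


SAMPLE_EVENTS = [  # constructed
    {"id": 1, "host": "10.0.1.10", "summary": "inbound scan against web tier"},
    {"id": 2, "host": "10.0.2.20", "summary": "failed database logins"},
    {"id": 3, "host": "203.0.113.5", "summary": "host not in any host group"},
]


if __name__ == "__main__":
    inv = build_sample_inventory()
    dmz_analyst = User("dmz-analyst", zone_limitation={"DMZ"})
    admin = User("admin")  # no zone limitation
    print([e["id"] for e in visible_events(inv, dmz_analyst, SAMPLE_EVENTS)])  # [1]
    print([e["id"] for e in visible_events(inv, admin, SAMPLE_EVENTS)])        # [1, 2, 3]
    print(can_block(inv, "tm-appliance-1", "10.0.1.10"))  # True
    print(can_block(inv, "tm-appliance-1", "10.0.2.20"))  # False
```

The two ValueError branches are the checks worth keeping: silently moving a host between host groups would change which zone its events land in, and therefore who can see them.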

Identify critical assets

A critical asset is a specific entity of such importance that tampering with, destroying, or incapacitating it seriously affects your security posture.

In Threat Manager, critical assets include hosts and host groups. To manage risk, you can flag hosts and host groups as containing financial or medical information, filter those flagged assets in searches, or view them in compliance reports.

The compliance reports generated by Threat Manager include information only for the hosts you identify as critical assets; hosts you have not flagged are omitted from those reports.

To identify a host or host group as a critical asset:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, click Devices.
  3. In the left navigation area, under Overview, click Host Groups.
  4. If you manage more than one customer, in the Company Name drop-down menu, select the name of the customer, and then click Go.
    A list of host groups appears.
  5. To identify a host as having critical information:
    1. Click the host group that contains the asset you want to identify as critical.
    2. Click the IP address of the critical host.
    3. Select one or more of the following check boxes:
      • Financial Data
      • Patient Health
      • Credit Card Information
  6. To identify a host group as having critical information:
    1. Click Edit next to the host group that you want to identify as having critical assets.
    2. Select the Stores financial data, Stores patient health information, and/or Stores Credit Card information check boxes.
    3. Click Edit Group, and then click Close this window.

In addition to identifying hosts and host groups with critical financial, medical, and credit card information, you should also set the criticality level of your host.

To set criticality, click Edit in the row of the host or host group. In the Criticality box, enter your desired number, and then click Save.

Manage IDS whitelist

With the appropriate account permissions, you can view or add one or more hosts to an IDS whitelist. When you add one or more hosts to an IDS whitelist:

  • Alert Logic generates and sends an email to the Alert Logic Security Operations Center (SOC) for review.
  • A SOC analyst reviews the IDS whitelist addition.
  • Alert Logic no longer generates events for those hosts and ignores all of their traffic. Whitelisted hosts are therefore blind spots for the IDS, so add only hosts whose traffic you have confirmed is expected.

To view or add hosts to an IDS whitelist:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Assets, click IDS Whitelist.
  3. If you manage more than one customer, from the Customer drop-down menu, select the customer.
  4. From the Appliance drop-down menu, select the appliance, and then click Go. The current IDS Whitelist displays for viewing.
  5. Click Add Host.
  6. Enter information for Add Single Host or Add Multiple Hosts.
  7. Click Save.

Advanced Threat Manager Configuration

Items to configure before you set up automated blocking policies

Automated blocking policies require the following configurations.

Complete these configuration items in the order provided.

Select a zone

Before you set up blocking policies, you must determine and select the zone(s) on which you want to use the blocking functions. The default behavior of Threat Manager is to apply the blocking settings to all zones. If you do not want to apply blocking settings to all zones, you can select a specific zone.

Before you can select which zone(s) to use, you must first create the zones.

To set Threat Manager to use blocking features on specific zones:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Threat Manager, select Blocking Configuration.
  3. Under Apply these settings to, click Edit.
  4. In the Select zone drop-down menu, select the zone on which you want to use blocking features, and then click Select.

Set up a whitelist

A whitelist is an approved list of IP addresses that Threat Manager never blocks, so hosts on it can always communicate with the hosts Threat Manager protects, regardless of the blocking policies you define.

Whitelist all important infrastructure devices before configuring an automatic blocking policy. Failure to do so may result in unwanted downtime of these systems or unintentional Denial of Service.

To add a whitelist:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Threat Manager, select Blocking Configuration.
  3. Select the Whitelist tab, and then click Add Host.
  4. In the appropriate fields, type your information as follows:
    • To add a single host, in the IPv4/IPv6 Address and Netmask/Prefix boxes, enter the appropriate information.
    • To add multiple hosts, in the Add Multiple Hosts box, enter the IP addresses, separated by commas. A range of hosts can be specified using slash notation, for example, 192.168.1.0/24.

Add a firewall and associated credentials

After you have selected which zones you want to use blocking functions on, you need to set up and test the communications between Threat Manager and the firewall. This is accomplished by adding a firewall and associated credentials.

To add a firewall and associated credentials:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Threat Manager, select Blocking Configuration.
  3. Select the Configuration tab.
  4. Under Add a Blocking Firewall, enter and select the appropriate credentials, and then click Save.
    • Appliance—Select the Threat Manager appliance connected to the firewall where you want the rule implemented.
    • Name—Enter a name to help identify the firewall or rule you want to add (Example: ASA-01-port8080).
    • Firewall and Connection Type—Choose the firewall and connection type used by your firewall. The fields displayed in the Alert Logic console vary depending on the firewall type selected. Enter the appropriate information in the fields displayed.
      • IPv4/IPv6 Address—Enter the IPv4 or IPv6 address of the firewall where you want to implement the blocking configuration rule.
      • Username—Enter the user name Threat Manager uses to log in to the firewall where you want to implement the blocking configuration rule. Use a dedicated account that has only the rights needed to manage the blocking rule.
      • Password/Confirm Password—Enter a password to be associated with the user name you selected.
      • IPv4/IPv6 Group Name—If applicable, enter the IPv4/IPv6 group name.
      • Group Name—If applicable, enter the group name.
      • Enable Password/Confirm Enable Password—Use this password for privileged mode access.
      • Port—Specify the port to be used to connect to the firewall.

Test the firewall configuration

After saving your firewall and associated credentials, test the configuration.

To test the firewall configuration:

Next to the firewall configuration you set up, click test credentials. A successful test displays "Success" in the Credential Test column of the firewall you tested.

If the credential test remains in progress and does not end, remove the firewall test entry and contact Alert Logic at (US: (877) 484-8383, EU: +44 (0) 203 011 5533).

Define an automatic blocking policy

You can define blocking policies to provide automated protection and response for detected threats. Blocking policy rules can be based on signatures of detected threats, incident classes, or both.

You can use either signature-based blocking or incident class blocking, but in general, Alert Logic recommends you use both. Combining reactive signature-based blocking with broader incident class blocking helps cover the gaps that either approach alone would leave.

In addition to automated blocking, Threat Manager customers can manually block specified incidents and events.

Reasons to use signature-based blocking

If you have specific technologies or concerns that you want to actively protect against, you can use signature-based blocking. Signature-based blocking is targeted: it blocks only traffic that matches the signatures you select, so it produces few unintended blocks.

This approach, however, is difficult to manage because signature selection is a manual process. Signature-based blocking also provides no protection against threats you have not anticipated.

For example, you receive an alert from Alert Logic stating you have a Netsky Trojan outbreak. You log in to the console and add each of the roughly 15 Netsky-related signatures to your blocking policy.

Reasons to use incident class blocking

Incident classes are logical groupings of all the signatures in the product. If you want to block an entire set of signatures, you would use incident class blocking. This approach employs a broader coverage, which is easier to manage and enables you to potentially keep a wider range of exploits/compromises from occurring on the network.

This approach could lead you to block legitimate traffic, though doing so can be mitigated by whitelisting IP addresses you do not want to block.

Define blocking policies

Before you define your blocking policies, there are a few things you must do. If you have not selected a zone, added a firewall and associated credentials, or tested the firewall configuration, please complete these steps before continuing.

Please whitelist all important infrastructure devices before configuring an automatic blocking policy. Failure to do so may result in unwanted downtime of these systems or unintentional denial of service.

To define your blocking policies:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Threat Manager, select Blocking Configuration.
  3. Select the Policies tab, select the appropriate policy values, and then click Configure.
    • To set signature-based blocking, in the Available Signatures drop-down menu, select a classification, select one or more signatures, and then click Add.
    • To set incident class blocking, in Available Incident Classes, select the appropriate check boxes.
  4. Under Configure Settings, in the Signature and Incident Class areas, specify how you want blocking to occur, then click Save.
    • You can block the Source, Destination, or Both.
    • A Severity rating of 0 (the default) instantly blocks the source and/or destination. A Severity rating other than 0 will cause the event to be rated before blocking occurs.
    • The block will stay in place for the amount of time entered in the Duration field.
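Putting the whitelist from Set up a whitelist together with the policy settings above: the following Python is an added example, not Alert Logic's implementation, showing how a blocking policy is evaluated against IDS events with the whitelist applied before any block is issued. The whitelist parser accepts the comma-separated form with slash notation described above. The policy field names, the sample events and addresses, and the reading of a non-zero Severity as a minimum rating the event must reach before it is blocked are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Set

# Added example: evaluating an automated blocking policy against IDS events,
# with the whitelist applied before any block is issued. Field names mirror the
# settings named on this page (signatures, incident classes, Source/Destination/
# Both, Severity, Duration, whitelist). How the console rates an event when
# Severity is not 0 is not specified on the page; the threshold check below is
# an assumption. Sample events and addresses are constructed.


def parse_whitelist(entries: str) -> list:
    """Parse the 'Add Multiple Hosts' form: comma-separated addresses, ranges in
    slash notation (for example 192.168.1.0/24). A bare address becomes a /32 or /128."""
    nets = []
    for raw in entries.split(","):
        raw = raw.strip()
        if raw:
            nets.append(ipaddress.ip_network(raw, strict=False))
    return nets


def is_whitelisted(ip: str, whitelist: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in whitelist)


@dataclass
class BlockingPolicy:
    signatures: Set[str] = field(default_factory=set)
    incident_classes: Set[str] = field(default_factory=set)
    target: str = "source"                      # "source", "destination" or "both"
    severity: int = 0                           # 0 = block instantly on match
    duration: timedelta = timedelta(minutes=30)
    whitelist: list = field(default_factory=list)


@dataclass
class Block:
    ip: str
    reason: str
    expires_at: datetime


def evaluate(policy: BlockingPolicy, event: dict, now: datetime) -> List[Block]:
    """Return the blocks a single event triggers under the policy (possibly none)."""
    if event["signature"] in policy.signatures:
        reason = "signature:" + event["signature"]
    elif event["incident_class"] in policy.incident_classes:
        reason = "incident-class:" + event["incident_class"]
    else:
        return []
    # Assumption: a non-zero Severity means the event's rating must reach it.
    if policy.severity != 0 and event.get("rating", 0) < policy.severity:
        return []
    candidates = []
    if policy.target in ("source", "both"):
        candidates.append(event["src"])
    if policy.target in ("destination", "both"):
        candidates.append(event["dst"])
    # Whitelisted addresses are never blocked, whatever the policy says.
    return [Block(ip, reason, now + policy.duration)
            for ip in candidates if not is_whitelisted(ip, policy.whitelist)]


def active_blocks(blocks: List[Block], now: datetime) -> List[Block]:
    """Blocks lapse once the configured Duration has passed."""
    return [b for b in blocks if b.expires_at > now]


SAMPLE_NOW = datetime(2024, 1, 1, 12, 0)
SAMPLE_EVENTS = [  # constructed
    {"signature": "TROJAN Netsky SMTP propagation", "incident_class": "trojan-activity",
     "src": "198.51.100.7", "dst": "10.0.1.10", "rating": 5},
    {"signature": "SCAN Nmap TCP", "incident_class": "network-scan",
     "src": "10.0.5.5", "dst": "10.0.1.10", "rating": 2},   # src is the in-house scanner
    {"signature": "WEB SQL injection attempt", "incident_class": "web-application-attack",
     "src": "203.0.113.9", "dst": "10.0.1.10", "rating": 2},
]


def run_sample(now: datetime = SAMPLE_NOW) -> dict:
    policy = BlockingPolicy(
        signatures={"TROJAN Netsky SMTP propagation"},
        incident_classes={"network-scan", "web-application-attack"},
        target="source", severity=0, duration=timedelta(minutes=30),
        whitelist=parse_whitelist("10.0.0.0/8, 192.0.2.1"),
    )
    strict = BlockingPolicy(incident_classes={"web-application-attack"}, severity=3,
                            whitelist=policy.whitelist)
    blocks = [b for ev in SAMPLE_EVENTS for b in evaluate(policy, ev, now)]
    return {
        "blocked_ips": [b.ip for b in blocks],
        "strict_blocked": [b.ip for ev in SAMPLE_EVENTS for b in evaluate(strict, ev, now)],
        "still_active_after_31_min": len(active_blocks(blocks, now + timedelta(minutes=31))),
    }


if __name__ == "__main__":
    print(run_sample())
```

The in-house scanner at 10.0.5.5 matches the network-scan incident class but is never blocked because 10.0.0.0/8 is on the whitelist; that is exactly the self-inflicted denial of service the warning above is about. With target "both", the same whitelist also stops the policy from blocking the protected destination host.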

Global options

The Global Options page allows you to control IP addresses in email notifications, update your vulnerability expire settings, and auto-create cases when incidents are escalated.

To access Global Options:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Threat Manager, click Global Options.
  3. If you manage more than one customer, select the desired customer from the Customer drop-down menu.
  4. Select the appropriate check boxes.

IP addresses in email notifications

Selecting the Remove IP Addresses from all alert emails check box will omit the IP address in any notification coming from Threat Manager.

To remove IP addresses from all Alert Emails:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Threat Manager, click Global Options.
  3. If you manage more than one customer, select the desired customer from the Customer drop-down menu.
  4. Under IP Addresses in Email Notifications, check the Remove IP Addresses from all Alert Emails box.
  5. Click Save.

Vulnerabilities

A detected vulnerability remains in the system for as long as scans continue to find it. It expires if it has not appeared in three consecutive scans. The Slow Vulnerability Expire option slows this expiry.

By default, vulnerability scans include web application scanning, which is more detailed and comprehensive. Turning it off makes scans run faster, at the cost of not testing for web application vulnerabilities.

To turn on Slow Vulnerability Expire:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Threat Manager, click Global Options.
  3. If you manage more than one customer, select the desired customer from the Customer drop-down menu.
  4. Under Vulnerabilities, check the Slow Vulnerability Expire box.
  5. Click Save.
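The expiry rule above, replayed over a constructed sequence of scan results. This Python is an added example rather than Alert Logic code; the finding identifiers are constructed, and because this page does not state what threshold Slow Vulnerability Expire uses, the value used for it here is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Added example: the expiry rule stated on this page, applied to a sequence of
# scan results. The page says a vulnerability expires once it has not appeared
# on three consecutive scans; it does not say what threshold Slow Vulnerability
# Expire uses, so the value 6 below is an assumption chosen for illustration.
# Finding identifiers and scan results are constructed.

DEFAULT_EXPIRE_AFTER = 3
SLOW_EXPIRE_AFTER = 6  # assumption, not a documented value


@dataclass
class FindingState:
    consecutive_misses: int = 0
    expired: bool = False


class VulnerabilityTracker:
    def __init__(self, expire_after: int = DEFAULT_EXPIRE_AFTER) -> None:
        self.expire_after = expire_after
        self.state: Dict[str, FindingState] = {}

    def ingest_scan(self, findings: Iterable[str]) -> None:
        """Record one completed scan. Re-detection resets the miss counter and
        revives an expired finding; each scan that misses an open finding counts
        toward expiry."""
        found = set(findings)
        for key in found:
            st = self.state.setdefault(key, FindingState())
            st.consecutive_misses = 0
            st.expired = False
        for key, st in self.state.items():
            if key in found or st.expired:
                continue
            st.consecutive_misses += 1
            if st.consecutive_misses >= self.expire_after:
                st.expired = True

    def open_findings(self) -> List[str]:
        return sorted(k for k, st in self.state.items() if not st.expired)


def replay(scans: List[Iterable[str]], expire_after: int) -> List[List[str]]:
    """Return the list of open findings after each scan, in order."""
    tracker = VulnerabilityTracker(expire_after)
    history = []
    for findings in scans:
        tracker.ingest_scan(findings)
        history.append(tracker.open_findings())
    return history


SAMPLE_SCANS = [  # constructed: "host/finding" keys
    {"10.0.1.10/outdated-tls-config", "10.0.1.10/default-admin-page"},
    {"10.0.1.10/outdated-tls-config"},  # admin page missing (fixed, or just unreachable)
    {"10.0.1.10/outdated-tls-config"},
    {"10.0.1.10/outdated-tls-config"},  # third consecutive miss: expires at the default
    {"10.0.1.10/outdated-tls-config", "10.0.1.10/default-admin-page"},  # it came back
]


if __name__ == "__main__":
    for label, n in (("default", DEFAULT_EXPIRE_AFTER), ("slow", SLOW_EXPIRE_AFTER)):
        for i, open_now in enumerate(replay(SAMPLE_SCANS, n), start=1):
            print(f"{label} expiry, after scan {i}: {open_now}")
```

A finding that disappears because the host was unreachable during a scan counts as a miss exactly like a remediated one, which is why a short expiry window on an intermittently scanned host can hide a vulnerability that is still present.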

To turn off Web Application Scanning Default:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Threat Manager, click Global Options.
  3. If you manage more than one customer, select the desired customer from the Customer drop-down menu.
  4. Under Web Application Scanning Default, check the Turn Off Web Application Scanning box.
  5. Click Save.

Incidents

You can auto-create a case, a logical grouping of incidents, when an incident status is escalated.

To auto-create a case when an incident status is escalated:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Threat Manager, click Global Options.
  3. If you manage more than one customer, select the desired customer from the Customer drop-down menu.
  4. Under Incidents, check the Auto-create case when incident status is escalated box.
  5. Click Save.

Manage security certificates

View security certificates

Web Security Manager Premier and Threat Manager customers with administrative privileges can view security certificates in the Alert Logic console.

To view security certificates:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, click Certificates.
  3. If you manage more than one customer, in the Customer drop-down menu, select the customer, and then click Go.
  4. In the Configuration list, to the right of the certificate you want to see, click View.

Upload security certificates

Web Security Manager Premier and Threat Manager customers with administrative privileges can upload security certificates in the Alert Logic console.

After you upload your certificate, the Alert Logic Provisioning team performs a back-end installation to validate your certificate.

To upload security certificates:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, click Certificates.
  3. If you manage more than one customer, in the Customer list, select the customer, and then click Go.
  4. Click Upload Certificate.
  5. In the Name field, type a unique name.

Web Security Manager Premier website certificate names must be fully qualified domain names (FQDN).

You cannot change the certificate name after you enter and save it.

  6. Depending on your need, select either SSL Decryptor or WSM Website.
  7. (Optional) In the IP address field, enter the server-specific IP address to which you want the certificate applied.
  8. (Optional) In the Passphrase field, enter a passphrase (if you have a passphrase associated with a PEM private key, use that passphrase).
  9. In the Confirm Passphrase field, reenter your passphrase, if applicable.
  10. To upload an SSL Decryptor certificate, browse to select your file.
  11. To upload a WSM Website certificate, select either PKCS12 or PEM, and then browse to select your file(s).
  12. Click Save.
  13. Contact the Alert Logic Provisioning team to let them know you uploaded a certificate: E-mail support@alertlogic.com or call (US: (877) 484-8383, EU: +44 (0) 203 011 5533).

Once uploaded, your certificate displays on the Certificates page, under the Configuration drop-down menu.

Modify security certificates

Web Security Manager Premier and Threat Manager customers with administrative privileges can modify security certificates in the Alert Logic console. On the edit security certificates page, you can change an IP address, set a passphrase, remove a passphrase, or upload a new SSL Decryptor or WSM Website certificate. Depending on the certificate type, whether WSM PEM, WSM PKCS12, or SSL Decryptor PEM, the options for modification differ.

To modify security certificates:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, click Certificates.
  3. If you manage more than one customer, in the Customer drop-down menu, select the customer, and then click Go.
  4. In the Configuration list, to the right of the certificate you want to change, click edit.
  5. (Optional) In the IP address field, enter the server-specific IP address to which you want the certificate applied. If you want to specify more than one IP address, separate the addresses with a comma.
  6. Select either No change to current passphrase, Remove current passphrase, or Change current passphrase.
  7. Make the changes you need:
    1. To change the current passphrase:
      • In the Passphrase field, enter a passphrase. If the PEM private key has a passphrase, use that passphrase.
      • In the Confirm Passphrase field, reenter your passphrase.
    2. To replace an SSL Decryptor certificate:
      • Browse to select your file.
    3. To replace a WSM Website certificate:
      • Select either PKCS12 or PEM, and browse to select your file(s).
  8. Click Save.
  9. Contact the Alert Logic Provisioning team to let them know you edited a certificate: E-mail support@alertlogic.com or call (US: (877) 484-8383, EU: +44 (0) 203 011 5533).

Delete security certificates

Web Security Manager Premier and Threat Manager customers with administrative privileges can delete security certificates in the Alert Logic console.

When you delete a certificate, you permanently remove it.

To delete security certificates:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, click Certificates.
  3. If you manage more than one customer, in the Customer list, select the customer, and then click Go.
  4. In the Configuration list, to the right of the certificate you want to remove, click delete.
  5. Click Yes to confirm the deletion, or No to cancel.
  6. Contact the Alert Logic Provisioning team to let them know you deleted a certificate: E-mail support@alertlogic.com or call (US: (877) 484-8383, EU: +44 (0) 203 011 5533).

Notifications

The Notifications feature provides a centralized user interface to manage alerts created in Alert Rules, Scans, Reports, Case Management, and Incidents. Using the feature, you can manage the contacts to be notified when specified alerts or incidents occur. The feature also lets you specify the time and frequency of notifications, as well as set up WebHooks for notifications.

Grant permissions

You must have permissions to view and use the Notifications feature.

To grant notification management permissions:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under General, select Users & Groups.
  3. From the Users drop-down list, select one or more users or groups to grant notifications permissions, and then click Go.
  4. In the Permissions section of the page, select the following options:
    • Under Global Configuration, select View Management Tab.
    • Under Notifications, select Manage Notifications.
  5. Click Save.

Configure notification policies

You can use the Alert Logic console to configure notifications for alerts, incidents, reports, scans, and cases. Though you create the alerts separately in the Alert Logic console, the Notification Policies page provides a central location through which you can add, edit, and remove notifications created for available alerts. This feature also lets you monitor alerts for child customers.

You cannot use Notification Policies to create an alert. You must create an alert through Alert Rules, Incident Escalations, Case Management, Scans, or Reports before you can add a notification policy to that alert.
Add a notification policy

To add a notification policy:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Notifications, click Policies.
  3. Click Add New.
  4. Enter the following information for the notification policy where applicable:
    • Name/Title—Enter a name for the notification policy.
    • Product/Alert Type—From the drop-down list, select the product and the alert type for which to create the notification.
    • Alert Recipients—Enter contact names, group names, and/or WebHooks to receive the alerts.
    • Applies to—Specify whether the notification policy applies to all customers, child customers, parent customers, and/or your enterprise.
  5. Click Save.

Edit a notification policy

To edit the details of a notification policy:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Notifications, click Policies.
  3. Click the drop-down icon for the notification policy to edit.
  4. Select View / Edit.
  5. Modify any of the policy information.
  6. Click Save.

Delete a notification policy

To delete a notification policy:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Notifications, click Policies.
  3. Click the drop-down icon for the notification policy to delete.
  4. Click Delete.

Set up contacts and groups

Before you can configure notifications, you must set up one or more contacts to receive notifications. Using the list of contacts, you can create notification policies that specify the contacts to receive alerts. In addition, you can create groups of contacts to more efficiently classify and distribute notifications, sending notifications to more than one contact for each alert.

The Contacts and Groups page includes a tab listing all contacts and a tabbed display of all groups. From this page, you can add, modify, and delete contacts, and you can add, modify, and delete groups. In addition, the Search Contacts field lets you easily find a contact on any tab by typing all or part of a contact name.

Add a contact

To add a contact:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Notifications, click Contacts & Groups.
  3. To add a new contact, on the All Contacts tab, click Add New.
  4. Enter the following information for the contact:
    • First Name—Enter the first name of the contact.
    • Last Name—Enter the last name of the contact.
    • Display Name—Enter the full name of the contact as you want it displayed.
    • Position—Enter the position on the team or in the company for the contact.
    • Email Address—Enter the email address of the contact. If you list more than one email address, use the star button next to the email address to denote the default email address.
    • Advanced options—For each email address, click the gear icon next to the email address to set advanced options as follows:
      • Limits—Specify the maximum number of alerts that the contact receives within a specified time period. To use the limits set in the Notifications Options feature, select Use account settings. For more information about notifications options and preferences, see Configure notification preferences.
      • Blackout hours—Specify a time period during which the device does not send alerts to the contact.
  5. Click Save.

Edit a contact

To edit a contact:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Notifications, click Contacts & Groups.
  3. On the All Contacts tab, select the check box to the left of a contact name.
  4. Click the contact drop-down icon.
  5. Select View / Edit.
  6. Modify any of the contact information.
  7. Click Save.

You can use this function to add a contact to one or more groups. After you select the contact drop-down icon, select the check boxes corresponding with the groups in which you want to place the contact.

Delete a contact

To delete a contact:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Notifications, click Contacts & Groups.
  3. On the All Contacts tab, select the check box to the left of a contact name.
  4. Click the contact drop-down icon.
  5. Select View / Edit.
  6. Click Delete.

Create a group

To create a group:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Notifications, click Contacts & Groups.
  3. Click the Add Group tab.
  4. Type the name of the group to add.
  5. Click the check icon.

Modify a group name

To modify a group name:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Notifications, click Contacts & Groups.
  3. Click the tab of the group to rename.
  4. Click the gear icon.
  5. Type the new name for the group.
  6. Click the check icon.

Delete a group

To delete a group:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Notifications, click Contacts & Groups.
  3. Click the tab of the group to delete.
  4. Click the trash can icon.

Deleting a group does not delete the contacts in the group.

Add a contact to a group

To add a contact to a group:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Notifications, click Contacts & Groups.
  3. On the All Contacts tab, select the check box to the left of a contact name.
  4. Click the contact drop-down icon.
  5. Under Groups, select the check box of one or more groups to which to assign the contact.

You can remove a contact from one or more groups by clearing check boxes of the groups from which you want to remove the contact.

Add multiple contacts to a group

To add multiple contacts to a group:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Notifications, click Contacts & Groups.
  3. On the All Contacts tab, select the check boxes for the contacts to add to specified groups.
  4. Click With Selected > Manage Groups.
  5. Click the Manage Groups for Multiple Contacts field, and then select from a list of groups to which to assign the contacts.
  6. Click Save.

Set up WebHooks

The Notifications feature provides the ability to use WebHooks to send alert notifications to any public-facing web server configured to handle HTTP callbacks. WebHooks allow Alert Logic products to send real-time data directly to a third-party application, such as your ticketing system or instant messaging system, rather than to one or more email addresses or groups.

On the WebHooks page, you can add, modify, and delete WebHooks. The Search WebHooks field lets you easily find a WebHook, to either edit or remove, by typing all or part of a WebHook name.

Add a WebHook

To set up a WebHook:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Notifications, click WebHooks.
  3. Click Add New.
  4. Enter the following information for the WebHook:
    • Name/Title—Enter a name for the WebHook.
    • URL—Enter the URL for the server where to send WebHook requests.
    • Test Request—To send a test to your web server and monitor real-time results, use or edit the sample request in this field, and then click Send Test to Server.
  5. Click Save.
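The receiving end of a WebHook is a public-facing HTTP endpoint, so it should reject anything that is not the callback it expects before acting on it. The following is an added example of such a receiver, not Alert Logic code; the payload shape (`description` field), the secret path segment and the 64 KB size limit are assumptions, since the page does not document the request format.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 64 * 1024  # assumed cap: reject oversized callbacks before parsing them
# Hypothetical shared secret placed in the URL you enter in the console's URL field,
# so callbacks that do not know the path are rejected without touching the body.
EXPECTED_TOKEN = "replace-with-a-long-random-token"
CALLBACK_PATH = "/alertlogic/" + EXPECTED_TOKEN

def handle_callback(method, path, headers, body):
    """Validate one HTTP callback and return (status, reply dict).

    Kept free of socket I/O so it can be unit-tested directly."""
    if method != "POST":
        return 405, {"error": "POST only"}
    if path != CALLBACK_PATH:
        return 404, {"error": "unknown endpoint"}
    if not headers.get("Content-Type", "").startswith("application/json"):
        return 415, {"error": "expected application/json"}
    if len(body) > MAX_BODY:
        return 413, {"error": "body too large"}
    try:
        alert = json.loads(body)
    except ValueError:
        return 400, {"error": "malformed JSON"}
    # Assumed payload: a JSON object carrying at least a "description" field.
    if not isinstance(alert, dict) or "description" not in alert:
        return 422, {"error": "missing description"}
    # A real receiver would hand the alert to a ticketing or chat system here;
    # this example only acknowledges what it accepted.
    return 200, {"accepted": alert["description"]}

class Handler(BaseHTTPRequestHandler):
    def _reply(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(min(length, MAX_BODY + 1))  # never buffer more than the cap
        status, reply = handle_callback(self.command, self.path, self.headers, body)
        out = json.dumps(reply).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)
    do_GET = do_POST = do_PUT = _reply

if __name__ == "__main__":
    # Terminate TLS in front of this (reverse proxy) so the URL token is not sent in clear.
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

Use the console's Test Request field (Send Test to Server) to confirm the endpoint answers 200 for a well-formed request and a 4xx for anything else.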

Edit a WebHook

To edit the details of a WebHook:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Notifications, click WebHooks.
  3. Select the check box to the left of a WebHook name.
  4. Click the drop-down icon.
  5. Select View / Edit.
  6. Modify any of the WebHook information.
  7. Click Save.

Delete a WebHook

To delete a WebHook:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Notifications, click WebHooks.
  3. Click the WebHook drop-down icon.
  4. Click Delete.

View the alert history

Using the Alert History page, you can review all alerts sent to contacts and groups. You can also easily find and obtain details about specific alerts.

The Alert History page is the only way to view alerts that occur after reaching a limit set in the preferences function.

Filter alerts

Use the Search field to easily find an alert by typing all or part of an alert product, description, or details. You can narrow the search result further by using a date range.

Click the date range button to restrict the search to one of the following ranges:

  • Just today
  • The last 24 hours
  • The last seven days
  • Last month
  • A custom range

View alert details

To view the details of an alert:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Notifications, click History.
  3. Click the contact drop-down icon.

Alert details include the following information:

  • Alert details in either formatted or JSON output
  • Contacts or groups that received the alert
  • Any files attached to the alert

Configure notification preferences

When you set notification preferences, you can limit the number of notifications sent to your contacts and groups, and you can specify whether notifications include IP addresses.

If the number of alerts you receive exceeds your set limit, additional notifications can only be seen in your alert history archive. See View the alert history.
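The per-contact Limits and Blackout hours set under Add a contact, and the rule stated here that over-limit alerts survive only in Alert History, amount to a routing decision per alert. The following added example (not Alert Logic code) models that decision with a sliding-window limit; treating blackout-hour alerts as archived rather than dropped is an assumption, as are the sample contact and alert timestamps.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import List, Optional, Tuple

@dataclass
class Contact:
    """Delivery settings mirroring the console's per-email Limits and Blackout hours."""
    email: str
    max_alerts: int                                  # alerts allowed per window
    window: timedelta                                # the "specified time period"
    blackout: Optional[Tuple[time, time]] = None     # (start, end); may wrap past midnight
    delivered: List[datetime] = field(default_factory=list)

def in_blackout(c: Contact, when: datetime) -> bool:
    if c.blackout is None:
        return False
    start, end = c.blackout
    t = when.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end   # e.g. 22:00 to 06:00 wraps midnight

def route_alert(c: Contact, when: datetime) -> str:
    """Return 'send' to deliver the alert, or 'history' to keep it only in Alert History."""
    if in_blackout(c, when):
        return "history"              # assumption: suppressed alerts are archived, not lost
    cutoff = when - c.window
    c.delivered = [d for d in c.delivered if d > cutoff]   # age out old deliveries
    if len(c.delivered) >= c.max_alerts:
        return "history"
    c.delivered.append(when)
    return "send"

def dispatch(c: Contact, alerts):
    """Route (timestamp, description) alerts in time order; return (sent, archived)."""
    sent, archived = [], []
    for when, desc in sorted(alerts):
        (sent if route_alert(c, when) == "send" else archived).append(desc)
    return sent, archived

# Constructed sample: 2 alerts per hour, no delivery between 22:00 and 06:00.
SAMPLE_CONTACT = Contact("oncall@example.invalid", 2, timedelta(hours=1), (time(22), time(6)))
SAMPLE_ALERTS = [
    (datetime(2024, 1, 8, 9, 0), "a1 scan finished"),
    (datetime(2024, 1, 8, 9, 10), "a2 incident escalated"),
    (datetime(2024, 1, 8, 9, 20), "a3 report ready"),        # third in the hour: limit hit
    (datetime(2024, 1, 8, 10, 5), "a4 case updated"),        # a1 has aged out: delivered
    (datetime(2024, 1, 8, 23, 0), "a5 alert rule fired"),    # blackout hours: archived
]
```

Running `dispatch(SAMPLE_CONTACT, SAMPLE_ALERTS)` sends a1, a2 and a4 and archives a3 and a5; a3 and a5 are then visible only on the Alert History page.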

Services Notifications

The Alert Logic Security Operations Center will send you an email when a security incident or Log Review report needs to be escalated. The following sections explain how to configure your email preferences in the UI.

Configure services notifications policies for Log Review

You can also configure Log Review notification preferences for both daily and monthly reports, choosing the recipients of each report directly in the UI. You configure Log Review notification preferences in Management > Notifications > Policies.

Add a notification policy

To add a notification policy:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Notifications, click Policies.
  3. Click Add New.
  4. Enter the following information for the notification policy:
    • Name/Title—Enter a name for the notification policy.
    • Product/Alert Type—From the drop-down list, select Log Review Escalation Alert or Log Review Monthly Report Alert.
    • Alert Recipients—Enter contact names, group names, and/or WebHooks to receive the alerts.
    • Applies To—Specify whether the notification policy applies to all customers, child customers, parent customers, and/or your enterprise.
  5. Click Save.

Edit a notification policy

To edit the details of a notification policy:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Notifications, click Policies.
  3. Click the drop-down icon for the notification policy to edit.
  4. Select View / Edit.
  5. Modify any of the policy information.
  6. Click Save.

Delete a notification policy

To delete a notification policy:

  1. At the top of the Alert Logic console, from the drop-down menu, click Management.
  2. In the left navigation area, under Notifications, click Policies.
  3. Click the drop-down icon for the notification policy to delete.
  4. Click Delete.

Related topics