Incidents Upgrade

This document is intended for early-access customers, and it is updated as Incident features are enhanced.

Alert Logic is upgrading customers to the new Alert Logic Incidents page with an enhanced and improved experience to maximize your ability to manage incidents. This upgrade enhances your experience, but still offers the same features and capabilities as the existing Incidents experience.

The upgraded Incidents page continues to display information about incidents, how to use that information to manage and close incidents, and actionable steps to secure your environments. If you want a reminder of the existing Incident features, see Incidents.

As you familiarize yourself with the new experience, you can use the toggle icon on the upper-right side of the page to switch between the updated Incidents page and the existing Incidents page.

Changes to the Incidents page

Your new experience includes all of the capabilities of the existing Incidents page, along with improved functionality and features. In the new Incidents experience, you can see relevant and important information immediately, at a glance, and with fewer clicks. You can also customize your page view to see the information that is important to you and your organization. This flexibility allows you to reach the relevant investigation and security outcome faster and more efficiently.

Refer to the table below for changes and improvements to current features:

Feature                     | Change
Incident list               | Table-style list that allows you to add, remove, and rearrange columns of information
Incident filters            | Ability to select multiple filters in a filter set
Incident preview            | Options to automatically preview summary information when you hover over an incident, or to hide the preview
Incident download           | Ability to bulk download 100 incidents at a time to a CSV file
Log Review incident upgrade | Machine-learning enhanced Log Review incidents
Investigation Report        | Combined investigation and recommendation view
Evidence and grouping       | A separate Evidence tab that includes groupings of related activity and an evidence illustration
Activity grouping           | Observations from activity related to an incident, grouped for an improved view in the Evidence tab

Incident list

The incident list is now formatted as a table-style list that allows you to show several columns of relevant information. You can adjust the column size, remove and add columns, and drag and drop columns into the order you want. You can also sort some columns by date or in alphabetical order by clicking the sort icon to the left of the column name. The default columns shown are the following:

  • Attacker
  • Date
  • Deployment
  • Incident ID
  • Status
  • Summary
  • Target
  • Threat Level

Other columns you can add to your incident list are the following:

  • Account
  • Classification
  • Correlation Name
  • Detection Source
  • Incident Note Count

You can remove and add columns to show only the columns of information that are important to you. Click Choose Columns to see all of the available columns, and then select the check boxes for columns you want to include or clear the check boxes for columns you want to exclude from your list. Click the reset icon to revert to the default column view, including the default columns, sorting, and size.

Incident filters

You can select multiple filters at a time to create a specific combination that finds results matching your security needs at the time. Selecting multiple filters allows you to see more than one incident status, threat level, incident classification, deployment, or other available criterion at once.

To apply multiple filters to the incident list:

  1. Click on a filter group on the left panel. For example, click Open, under Status.
  2. Click Show More to see all of the available filters in this filter set.
  3. Select all of the filters you want to see, or clear filters you do not want to see.

Incident preview

You can preview incident summary information automatically when you hover over an incident, or hide the preview for all incidents. The preview panel displays the following information:

  • Incident summary
  • Date
  • Account
  • Attacker IP address
  • Classification
  • Detection source
  • Incident ID
  • Status
  • Target
  • Threat level

To hide the preview, click the hide icon to collapse the preview panel. If you want to see the preview again, click the show icon.

Incident download

You can download incident data to a CSV file. The CSV file contains all of the information in your current incident list view, with the applied filters and date range. Multiple export options are available to suit how you want to analyze your incidents: you can download data for all incidents, for only the incidents you select, or for 100 incidents that match the filters you applied and the date range you selected. These options allow you to control how many incidents you include and how you separate the data.

To download data for all incidents that match the filters you selected:

  1. Click the download icon at the top of the incident list.

    Downloading data for all incidents in your applied filters and date range can return a large number of incidents. This can cause a longer download time and a larger CSV file.

  2. Click DOWNLOAD.
  3. Wait for the download to complete.

Your results are downloaded to a compressed folder that contains the CSV file.

To download data for only certain incidents:

  1. Select the check boxes next to the incidents for the data you want to download.
  2. In the blue bar at the bottom of the page, click EXPORT.

Your results are downloaded to a CSV file.

To download data for 100 incidents:

  1. Select the check box at the top of the incident list to select all of the incidents visible on the page.
  2. Click SELECT 100 INCIDENTS WITH THE APPLIED FILTERS AND DATE RANGE.
  3. In the blue bar at the bottom of the page, click EXPORT.

Your results are downloaded to a CSV file.

As in the existing experience, the Incidents page continues to support bulk actions to update, snooze, or close multiple incidents, alongside exporting them.

Log Review incident upgrade

An upgrade to Log Review incidents delivers a higher level of security value with new machine learning algorithms. The algorithms can automatically detect many types of log-based anomalies based on unique patterns and trends learned from your organization, and then create an incident. Alert Logic also includes observations produced by the algorithms in the Evidence tab of the Investigation Report. For more information, see Log Review Expert-Enhanced Machine Learning Upgrade.

Investigation Report

The Investigation Report combines the investigation details, analyst notes, and recommendations into the Investigation and Recommendation tab. The Audit Log and Notification History are also on this page, as in the existing Incidents experience. The evidence details are in a separate tab, the Evidence tab, which includes a table-style list view for observations.

Evidence and grouping

The Evidence tab groups related information, including the events, correspondence, and activity that culminated in an incident, into one drop-down section that you can collapse and expand. Click the drop-down arrow to see all of the evidence listed under an event.

If there are more than 100 items of evidence for an activity, click SHOW MORE EVIDENCE to load the remaining evidence. This refreshes the page and loads the next 100 (or the remaining) items of evidence.

Activity grouping

You can also find other relevant information nested under each activity, including log messages for Log Management detection sources and observations for (Undefined variable: ALVariables.WLA_1) and Log Review detection sources. Alert Logic flags these anomalies as relevant security information that can demonstrate security value. Click the drop-down arrow next to an anomaly to see more details.

The table-style list of activity under an event works the same way as the new incident list. You can select which columns to see, adjust the column size, remove and add columns, and drag and drop columns into the order you want. This flexibility allows you to navigate the information easily and decide how to address incidents more quickly.