Incident Notifications
The Notifications feature in the Alert Logic console can alert you, other subscribed users, or a third-party application when incidents that meet specific criteria occur. Notifications to a third-party application require a templated connection.
For example, you can subscribe recipients to receive email notifications about escalated incidents for a single account or all incidents in all the managed accounts of a partner. You can also send incident notifications to a ticketing system, reducing manual effort.
For more information about the Notifications feature, see Notifications and Manage Notifications.
Create an incident notification
You can create an incident notification from the Incidents List or the Notifications page. Whichever method you use, the process is the same after you open the Create an Incident Notification page.
To create an incident notification from the Incident List:
- On the Incidents page in the Alert Logic console, click the Lists tab.
- Click ADD NOTIFICATION.
- Complete the fields in the Create an Incident Notification page.
To create an incident notification from the Notifications page:
- In the Alert Logic console, click the Settings icon, and then click Notifications.
- On the Alert Notifications tab, click the add icon, and then click Incident.
- Complete the fields in the Create an Incident Notification page.
To complete the Create an Incident Notification page:
- Type a descriptive name for the incident notification—for example, "Critical Incidents for On-Call Team."
- If you want to send the notification, leave Notification Is Active turned on. Turn it off if you want to save the definition but not activate the notification yet.
For an account without managed accounts, your customer account is preselected, and the account selector does not appear. If your account is a managing (parent) account, select one or more accounts for which you want to send notifications. You can use the search bar to help you find:
- Individual accounts, such as your account and managed accounts
- Managed Accounts—This option selects all your managed accounts, excluding your own account, plus any managed accounts added later on.
- My Account and Managed Accounts—This option selects your account and all your managed accounts, plus any managed accounts added later.
If you choose Managed Accounts or My Account and Managed Accounts, future managed accounts will be automatically subscribed to receive the notification. You will not need to edit the notification later to add them manually.
- (Optional) If you do not want to receive a notification for incidents escalated by Alert Logic, turn off Escalated Incidents. Alert Logic escalates an incident to bring it to your attention, based on the severity and validity of the incident, and recommends that you leave this setting turned on.
- (Optional) Under Threat Levels, select one or more incident threat levels for which you want to receive notifications:
  - Critical
  - High
  - Medium
  - Low
  - Info
- To subscribe users to receive a notification email, click User(s), and then, under Notification Delivery:
  - Select the users that you want to receive the notification. The list includes your name and user names in the managed accounts selected above, if applicable. You can use the search bar to help you find recipients.
  - (Optional) Customize the Email Subject. You can change the text and insert variables enclosed with double braces: {{variable}}. For the variable list, see Email subject variables.
- To subscribe a templated connection, click Templated Connection, and then, under Notification Delivery, select a configured templated connection. The URL or email address in the templated connection will receive the payload listed.
- Click SAVE.
Incident threat levels convey the severity of each incident raised for protected assets, which allows you to assess and prioritize the actions to take toward threat remediation. Alert Logic categorizes incidents with the following icons and colors:
Email subject variables
To customize the subject line of an email notification, you can add the following variables to the Email Subject field:
Variable | Description | Example |
---|---|---|
{{attack_summary}} | Brief description of the incident | Brute force attempt from 203.0.113.1 |
{{cid}} | Customer account ID | 12345678 |
{{class}} | Incident classification type | brute-force |
{{correlation_rule_name}} | Name of the correlation that triggered the incident | Admin Failed Login Correlation |
{{create_date}} | Incident creation date and time | 24th May 2020 22:35:26 GMT |
{{customer_name}} | Name of customer affected by the incident | XYZ Corporation |
{{deployment_name}} | Name of deployment affected by the incident | AWS Production Deployment |
{{incident_id}} | Short incident ID | 8fn5sf |
{{is_escalated}} | Escalation status | true |
{{location_ip}} | One or more IP addresses, if determined, of the attacker for this incident | 192.0.2.1 192.0.2.25 |
{{start_date}} | Date and time that incident automated analysis started. For some incidents, start_date equals create_date. | 24th May 2020 22:36:06 GMT |
{{target_host}} | IP address, if determined, of the target affected by the incident | 10.1.2.3 |
{{threat}} | Incident threat level | Critical |
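The following is an added example, not code from the Alert Logic console or its documentation. It shows how a subject template built from the variables in the table above is rendered against an incident record: `{{variable}}` tokens are replaced with the incident's values, booleans render as `true`/`false` and `location_ip` (which may hold several addresses) is joined with spaces, matching the table's examples. The sample incident is constructed from the example column of the table; how the real console treats an unknown variable name is not documented here, so leaving the token in place and reporting it is an assumption made for this example.

```python
import re
from typing import Any, List, Mapping, Tuple

# A {{variable}} token as used in the Email Subject field.
TOKEN = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Constructed sample incident; keys follow the documented variable names and
# values follow the example column of the variable table.
SAMPLE_INCIDENT = {
    "attack_summary": "Brute force attempt from 203.0.113.1",
    "cid": 12345678,
    "class": "brute-force",
    "correlation_rule_name": "Admin Failed Login Correlation",
    "create_date": "24th May 2020 22:35:26 GMT",
    "customer_name": "XYZ Corporation",
    "deployment_name": "AWS Production Deployment",
    "incident_id": "8fn5sf",
    "is_escalated": True,
    "location_ip": ["192.0.2.1", "192.0.2.25"],
    "start_date": "24th May 2020 22:36:06 GMT",
    "target_host": "10.1.2.3",
    "threat": "Critical",
}


def format_value(value: Any) -> str:
    """Render one incident field the way the table's examples show it."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (list, tuple)):
        # Several attacker addresses are space-separated, as in the example.
        return " ".join(str(v) for v in value)
    return str(value)


def render_subject(template: str, incident: Mapping[str, Any]) -> Tuple[str, List[str]]:
    """Substitute {{variable}} tokens from `incident` into `template`.

    Returns the rendered subject and the list of variable names that were not
    present in the incident. Unknown tokens are left verbatim so the gap is
    visible in the delivered subject (assumed behaviour, not documented).
    """
    unresolved: List[str] = []

    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name in incident:
            return format_value(incident[name])
        unresolved.append(name)
        return match.group(0)

    return TOKEN.sub(substitute, template), unresolved


if __name__ == "__main__":
    subject, missing = render_subject(
        "[{{threat}}] {{attack_summary}} - {{customer_name}} ({{incident_id}})",
        SAMPLE_INCIDENT,
    )
    print(subject)
    print("unresolved:", missing)
```

A template such as `[{{threat}}] {{attack_summary}} - {{customer_name}} ({{incident_id}})` lets an on-call recipient triage from the inbox view alone; putting the stable `{{incident_id}}` in the subject also keeps replies on the same mail thread when the ticketing system groups by subject.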
View and manage incident notifications
You can view and manage incident notifications from the Notifications page. See Manage Notifications for information about how to:
- Filter the list of notifications
- View notification details
- Edit notifications
- Delete notifications
Alert Logic processes each notification rule independently, so it is possible to receive multiple notifications for a single incident.
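The following is an added example, not code from Alert Logic. It models the subscription criteria described on this page (account selection with the dynamic Managed Accounts and My Account and Managed Accounts options, the Notification Is Active switch, the Escalated Incidents switch and the selected Threat Levels) and evaluates every rule independently against one incident, which is how a single incident can produce several notifications. The data model, the names `Account`, `Rule`, `Incident` and `matching_rules`, and the reading that a rule fires when the incident is escalated and Escalated Incidents is on, or when its threat level is among the selected levels, are assumptions for this example; the console's exact matching logic is not spelled out here. Accounts and rules are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Account-scope options offered by the account selector.
SCOPE_EXPLICIT = "explicit"          # individually selected accounts
SCOPE_MANAGED = "managed"            # Managed Accounts (excludes own account)
SCOPE_MY_AND_MANAGED = "my_and_managed"  # My Account and Managed Accounts


@dataclass(frozen=True)
class Account:
    cid: int
    parent_cid: Optional[int] = None  # managing (parent) account, if any


@dataclass(frozen=True)
class Incident:
    cid: int
    threat: str
    is_escalated: bool


@dataclass
class Rule:
    name: str
    owner_cid: int                      # account that owns the notification
    active: bool = True                 # Notification Is Active
    scope: str = SCOPE_EXPLICIT
    accounts: FrozenSet[int] = frozenset()  # used only with SCOPE_EXPLICIT
    escalated: bool = True              # Escalated Incidents switch
    threat_levels: FrozenSet[str] = frozenset()  # selected Threat Levels

    def in_scope(self, cid: int, accounts: Dict[int, Account]) -> bool:
        """Resolve the account scope at evaluation time, so accounts added
        after the rule was saved are covered by the dynamic options."""
        if self.scope == SCOPE_EXPLICIT:
            return cid in self.accounts
        account = accounts.get(cid)
        is_managed = account is not None and account.parent_cid == self.owner_cid
        if self.scope == SCOPE_MANAGED:
            return is_managed
        if self.scope == SCOPE_MY_AND_MANAGED:
            return is_managed or cid == self.owner_cid
        raise ValueError(f"unknown scope {self.scope!r}")

    def matches(self, incident: Incident, accounts: Dict[int, Account]) -> bool:
        if not self.active or not self.in_scope(incident.cid, accounts):
            return False
        # Assumed semantics: escalation and threat level are alternative criteria.
        if self.escalated and incident.is_escalated:
            return True
        return incident.threat in self.threat_levels


def matching_rules(incident: Incident, rules: List[Rule], accounts: Dict[int, Account]) -> List[str]:
    """Evaluate each rule independently; every match is a separate notification."""
    return [rule.name for rule in rules if rule.matches(incident, accounts)]


# Constructed sample data: parent account 100 manages 200 and 300; 400 was
# added after the rules below were saved.
ACCOUNTS = {a.cid: a for a in [
    Account(100), Account(200, 100), Account(300, 100), Account(400, 100),
]}

RULES = [
    Rule("Critical/High for account 200", owner_cid=100, accounts=frozenset({200}),
         escalated=False, threat_levels=frozenset({"Critical", "High"})),
    Rule("Escalated across all managed accounts", owner_cid=100,
         scope=SCOPE_MY_AND_MANAGED, escalated=True),
    Rule("Paused rule", owner_cid=100, active=False, scope=SCOPE_MANAGED,
         threat_levels=frozenset({"Low", "Info"})),
]

if __name__ == "__main__":
    for inc in [Incident(200, "Critical", True), Incident(400, "Critical", True),
                Incident(200, "Low", False)]:
        print(inc, "->", matching_rules(inc, RULES, ACCOUNTS))
```

In the sample, an escalated Critical incident in account 200 fires both active rules, so recipients subscribed to both receive two emails for one incident; the incident in the later-added account 400 fires only the dynamically scoped rule, and the inactive rule never fires. When tuning rules, check for this overlap rather than filtering duplicates downstream.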