Remediations
The Remediations page provides you with the information you need to analyze and address security exposures in your environment. The page lists exposures found in your deployments and provides details about the exposure, evidence, and affected assets. The page also lists remediations to resolve an exposure or a group of exposures.
To access the Remediations page, click the Remediations tab.
To help you investigate security exposures in your environment, the Remediations page organizes information in the following lists:
- Open list—Lists security exposures and suggested remediation details
- Disposed list—Lists disposed security exposures
- Concluded list—Lists concluded security exposures
After you investigate one or more exposures and suggested remediations, you can dispose or conclude the exposure.
Exposure severity
The Remediations page uses colors and icons to help you easily identify the severity of the exposures.
Alert Logic assigns a severity rating based on the CVSS score set by the National Institute of Standards and Technology (NIST) and reported to the National Vulnerability Database. Alert Logic supports both CVSS v2 and CVSS v3 scores.
Severity rating | CVSS v2 score range | CVSS v3 score range |
---|---|---|
Critical | Not applicable | 9.0 - 10.0 |
High | 7.0 - 10.0 | 7.0 - 8.9 |
Medium | 4.0 - 6.9 | 4.0 - 6.9 |
Low | 0.1 - 3.9 | 0.1 - 3.9 |
Informational | 0.0 | 0.0 |
Some vulnerabilities in the National Vulnerability Database have both CVSS v2 and CVSS v3 scores. Alert Logic displays the newer CVSS v3 score and severity rating in prominent locations and both scores in detail views. If only one CVSS score exists, Alert Logic uses that score and severity rating.
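The rating rules above, worked through in code. This is an added example, not Alert Logic code; the function and type names are hypothetical and the sample scores are constructed.

```python
from typing import Dict, NamedTuple, Optional

# Score bands from the table above as (lowest score, rating), highest first.
V3_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"),
            (0.1, "Low"), (0.0, "Informational")]
V2_BANDS = [(7.0, "High"), (4.0, "Medium"),
            (0.1, "Low"), (0.0, "Informational")]  # CVSS v2 has no Critical band


class Rating(NamedTuple):  # hypothetical type for this example
    version: str
    score: float
    severity: str


def band(score: float, bands) -> str:
    """Map one CVSS score to the severity rating of the band it falls in."""
    if not 0.0 <= score <= 10.0:  # also rejects NaN
        raise ValueError(f"CVSS score out of range: {score!r}")
    score = round(score, 1)  # CVSS scores are published to one decimal place
    return next(name for floor, name in bands if score >= floor)


def prominent_rating(v2: Optional[float], v3: Optional[float]) -> Rating:
    """Rating for prominent locations: the v3 score when it exists, else v2."""
    if v3 is not None:
        return Rating("v3", v3, band(v3, V3_BANDS))
    if v2 is not None:
        return Rating("v2", v2, band(v2, V2_BANDS))
    raise ValueError("vulnerability has no CVSS score")


def detail_ratings(v2: Optional[float], v3: Optional[float]) -> Dict[str, str]:
    """Detail views list every score that exists, each rated on its own scale."""
    scored = (("v2", v2, V2_BANDS), ("v3", v3, V3_BANDS))
    return {ver: band(s, b) for ver, s, b in scored if s is not None}


if __name__ == "__main__":
    # Constructed sample scores (v2, v3); not taken from real CVE records.
    for v2, v3 in [(10.0, 9.8), (10.0, None), (7.5, 5.3)]:
        print(v2, v3, prominent_rating(v2, v3), detail_ratings(v2, v3))
```

A v2-only score of 10.0 rates High because the v2 scale has no Critical band, and a vulnerability scored 7.5 under v2 and 5.3 under v3 appears as Medium in prominent locations.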
Exposure and remediation categories
The Remediations page provides a list of security vulnerabilities detected by scanning your assets.
Category | Description | Exposure Example |
---|---|---|
Cloud Configuration | Security vulnerabilities detected by cloud/CIS compliance checks | Dangerous User Privileged Access to S3. |
Credentials | Security vulnerabilities detected by credentialed internal network scans | CVE-2010-0480 - MS10-026 - Microsoft - Windows - Buffer Overflow Issue. |
External | Security vulnerabilities detected by external network scans | Missing Content Security Policy (CSP) Issue. |
Network | Security vulnerabilities detected by unauthenticated internal network scans | Unrestricted Outbound Access on All Ports. |
Security | All vulnerabilities detected in your environment | All vulnerabilities in the Remediations page. |
Filters
On the Remediations page, you can select a status filter in the left navigation to narrow the list of items:
- Open—Click Open to view a list of open exposures or remediations in your deployments. The number indicates the total number of open exposure instances that match the selected filters.
- Disposed—Click Disposed to view items for each deployment that were disposed and removed from the Open list. Disposed means that a user in your organization assessed an item and indicated that it does not need to be resolved for a specified time period.
- Concluded—Click Concluded to view items for each deployment that are considered resolved.
You can also select one or more additional filters such as Category, Severity, or Platform to further narrow your list of items. Filter by Deployment to see additional asset filters such as Network, Subnet, Host, Application, and Tag.
The number of exposure instances associated with a filter appears next to the name. The active filter is in bold format. Select one or more of the active filters to remove them. You can also select CLEAR ALL FILTERS to remove all the active filters.
Sort by
Sort options vary according to the selected list and view. To change how a list is sorted, click the drop-down menu and then choose another Sort by option. To switch between descending or ascending order, click the order icon.
Search
You can use the search bar to filter the list to include only items that contain specific words in the name of the exposure or the description of the remediation.
Open list
The Exposures page opens to the list of Open remediations by default. The Remediations view lists open remediations for the filters you select. Remediations provide a recommended action to resolve one or multiple exposures. You can also view exposures, which list the individual, open exposures found in your environment. From the list, you can view more details about an item, perform immediate actions to remediate the exposure, and export listed details.
Remediations view
To view the list of remediations, click Remediations in the drop-down menu above the list. Remediations provide recommended actions to resolve one exposure or a group of exposures. Addressing a remediation can usually resolve multiple exposures.
Remediations are sorted by TRI score in descending order. You can also sort by number of exposure instances, number of affected assets, or name and change to ascending or descending order. Each listed item includes the following information:
- Exposure category
- Severity counts for the exposures affected by the remediation
- TRI score
- Number of affected assets
- Number of exposure instances affected by the remediation
View more information
In the list of remediations, you can click View to see additional summary information about the remediation, including the list of exposures and their severity and Common Vulnerability Scoring System (CVSS) score, account, and affected deployments. If more than four exposures are affected by the remediation, open the remediation to see the full exposure list.
Open the remediation detail page
In the list of remediations, you can click Open to open the detail page for the remediation. To open the remediation detail page in a separate browser tab, hold down Ctrl or Command, and then click Open.
The page includes details about the recommended remediation action, a list of exposures, affected assets, and evidence for each exposure instance. You can dispose of the remediation or mark it as concluded from the detail page.
Exposures view
To view the list of exposures, click Exposures in the drop-down menu above the list. One exposure can affect multiple assets, and multiple exposures can be associated with one remediation. You can resolve an exposure by addressing the recommended remediation action and also resolve all of the exposures associated with that remediation.
Exposures are sorted by CVSS score in descending order. You can also sort by severity, number of exposure instances, number of affected assets, or name and change to ascending or descending order.
Each listed item includes the following information:
- Exposure category
- Severity rating, icon, and CVSS score
- Number of affected assets
- Number of exposure instances
View more information
In the list of exposures, you can click View to see additional summary information about the exposure, including the account, affected deployments, CVE ID, and CVSS score.
Open the exposure detail page
In the list of exposures, you can click Open to open the detail page for the exposure. To open the exposure detail page in a separate browser tab, hold down Ctrl or Command, and then click Open.
The page includes the following information:
- CVE ID
- Description of the exposure
- Severity, CVSS version, CVSS score, and metrics
- Common Weakness Enumeration (CWE)
- Impact of the exposure
- Resolution details with recommendations
- Affected assets
- Evidence for each exposure instance
If an exposure is for a vulnerability that has both a CVSS v2 and CVSS v3 score, the detail page includes both scores.
You can dispose of the exposure or mark it as concluded from this page. You can also go to the remediation from this page to resolve the exposure and other similar exposures.
Dispose
If you want to defer resolving an exposure or remediation for a certain period or forever, you can mark an item as disposed. Disposing an item moves it from the Open list to the Disposed list, and it suppresses instances of the exposure from appearing in reports during the next data refresh interval. Alert Logic excludes the calculated risk of disposed item vulnerabilities from the overall risk of your deployment.
You can specify which affected assets to dispose for the exposure or remediation. After a disposal period expires, Alert Logic no longer hides the item, which appears again in the Open list and reports if you have not resolved the exposure on the selected assets.
You can click the restore icon on a disposed item to review items and restore them to the Open list. You can specify which affected assets to restore.
To dispose a remediation or exposure:
- In the Open list, click Open next to the item you want to dispose to open the exposure or remediation detail page.
- (Optional) On the exposure or remediation detail page, select or clear filters on the left to include more assets or narrow the list to a single asset.
- In the Affected Assets area, select one or more assets for which you want to dispose an exposure or remediation. You can click the selection box above the list to select all listed items.
- (Optional) If you selected all assets and also want to include all assets added later that match the selected filters, select the All Future Assets check box. If you leave the check box cleared, only the current assets listed are selected for the dispose action.
- Click the dispose icon.
- In the Dispose Remediation or Dispose Exposure slideout panel, choose an assessment type:
  - Acceptable Risk
  - False Positive
  - Compensating Control—A compensating control is in place
- Select how long you want to dispose the remediation or exposure:
  - A Day
  - 1 Week
  - 1 Month
  - 3 Months
  - 6 Months
  - 1 Year
  - Forever
- (Optional) Add notes about your assessment.
- Click DISPOSE.
To dispose exposures or remediations in bulk:
You can dispose one or more exposures directly from the Open list. This method disposes exposure instances for all assets currently affected by selected items. If you want to select specific assets or if you want to select future assets that match selected filters, see the previous steps instead.
- (Optional) Filter the Open list to select exposures or remediations you want to dispose.
- In the Open list, select one or more items or click the selection box above the list to select all listed items.
- Click the dispose icon, and then complete the Dispose Remediation or Dispose Exposure slideout panel as described in the previous procedure.
Conclude
After you remediate an exposure, you can mark the item as concluded. Concluding an exposure or remediation means that you consider it resolved. Alert Logic moves the item from the Open list to the Concluded list and removes it from reports during the next data refresh interval.
You can specify which affected assets to conclude for the remediation or exposure. Alert Logic verifies that the exposure no longer exists on selected assets during the next scan. If the next scan detects the vulnerability, the item reappears in the Open list and reports. You must retry your remediation and mark it concluded again.
You can click the restore icon on a concluded item to review items and restore them to the Open list. You can specify which affected assets to restore.
To conclude a remediation or exposure:
- In the Open list, click Open next to the item you want to conclude to open the exposure or remediation detail page.
- (Optional) In the exposure or remediation detail page, select or clear filters on the left to include more assets or narrow the list to a single asset.
- In the Affected Assets area, select one or more assets for which you want to conclude an exposure or remediation. You can click the selection box above the list to select all listed items.
- Leave All Future Assets cleared. This setting applies only to the dispose action.
- Click the conclude icon.
- Click CONCLUDE to confirm.
To conclude exposures or remediations in bulk:
You can conclude one or more exposures directly from the Open list. This method concludes exposure instances for all assets currently affected by selected items. If you want to select specific assets, see the previous steps instead.
- (Optional) Filter the Open list to select exposures or remediations you want to conclude.
- In the Open list, select one or more items or click the selection box above the list to select all listed items.
- Click the conclude icon.
- Click CONCLUDE to confirm.
Disposed list
The Disposed list includes items removed from the Open list after a user from your organization assessed the exposure and indicated it does not need to be resolved for a certain time period or forever. You can view disposed items by remediations or exposures.
Disposed items are sorted by the date the dispose action expires in ascending order. You can also sort by other criteria and change to ascending or descending order. In addition to exposure or remediation details, each listed item includes information about when the item was disposed, who disposed it, and when the dispose action expires. For more information, see Dispose, Remediations view, or Exposures view.
Concluded list
The Concluded list includes exposures that are considered resolved. You can view concluded items by remediations or exposures. In addition to exposure or remediation details, each listed item includes information about when the item was concluded and who concluded it. For more information, see Conclude, Remediations view, or Exposures view.
Export details
You can export one or more items on the Remediations page to a CSV file to view later or to share with others in your organization. From any list, you can click the selection box above the list to select all listed items. If you hover over or click the icon or selection box next to an item, you can select it for a single export.