Reports

Overview

The REPORTS tab in the Alert Logic console provides access to data related to exposures and incidents Alert Logic found within your deployments. You can also view data related to your product usage within your accounts.

Report data is cached and refreshed on regular intervals, so delays in reflecting the latest data seen in the console are possible.

Depending on your Alert Logic subscriptions, you will see some or all of the following report types:

  • Threat reports—Provide interactive filtering options, visual representations of the data, and informative tooltips. All subscriptions see this content.
  • Scheduled reports—Allow you to schedule reports on a regular basis. To see this content, you must have a Cloud Defender, Threat Manager, Log Manager, Managed WAF, or Web Security Manager subscription.
  • WAF reports—Provide policy configuration settings and WAF activity statistics. To see this content, you must have a Managed WAF subscription.
  • Usage reports—Provide data related to log collection and network IDS traffic volumes. To see this content, you must have a Cloud Defender, Threat Manager, or Log Manager subscription.

Each report lets you share its data by email, or download the report as an image, as data, as a crosstab, or as a PDF.

Threat reports

Threat Reports provide convenient access to analysis, statistics, and trending data related to the configuration, status, and outcomes from your subscribed products and services. Each report provides interactive filtering options, visual representations of the data, and informative tooltips.

Report data is cached and refreshed on regular intervals, so delays in reflecting the latest data seen in the console are possible.

Alert Logic provides interactive reports within the following categories:

  • AWS Incident Analysis Reports—Provide valuable insights and trending data for incidents discovered in your AWS environments by Network IDS, and for incidents generated from Amazon GuardDuty security findings.
  • CIS Benchmarks—Provide assessments of how your environment conforms to configuration guidelines developed by the Center for Internet Security (CIS).
  • Environment Exposure Trends—Provide summary trending data for exposures within Cloud Insight environments, with at-a-glance statistics for changes over a specified time period and for specified environments.
  • Incident Analysis—Provide valuable insights and trending data for incidents created from all subscribed detection sources (Network IDS, Log Management, Web Application IDS, Amazon GuardDuty).
  • Product Usage—Provide information regarding the billable size of your scoped Cloud Insight deployments, which correlates to the amount billed for a given usage period. To generate the same information for Log Manager or Threat Manager subscriptions, see Usage reports.
  • Service Review—Provides summary information and visibility into product configuration, product status, and security outcomes from your subscribed services.
  • Vulnerability Analysis—Allows you to visualize and group vulnerabilities to identify patterns and outliers for assets within a Cloud Insight environment.
  • Vulnerability Reports—Provide tabular reports that list the vulnerabilities discovered within your scoped Cloud Insight environments.

AWS Incident Analysis Reports

You can run the following reports, which provide information about incidents in your AWS environments generated by Network IDS and by Amazon GuardDuty findings.

  • AWS Incident Daily Digest: Displays the incidents received the previous day for the selected deployments. You can view the list of incidents by threat level, by classification type, or by GuardDuty finding. You can filter this report by deployment, VPC, container image, and detection source.
  • AWS Incident Daily Digest Trends: Allows you to view a histogram chart that displays the incident daily digests for a specified date range, and by deployment, VPC, container image, and detection source.
  • AWS Risk Summary: Displays the risk level for a selected group of assets, by incident count and average exposure score. The quadrant in which the selected asset group appears, and its color, indicates the risk level for the assets. You can filter the report by detection source, AWS asset, AWS account ID, date range, deployment, threat level, and CVSS score.
  • AWS Incident Distribution Explorer: Displays incidents by threat level, classification, and incident type for a specified time period. You can filter the report by date range, detection source, deployment, AWS account ID, container image, subnet, security group, and tag.
  • AWS Targeted Deployment Explorer: Displays the GuardDuty and Network IDS incident distribution for a specified target (AWS account ID, region, VPC, container image, security group, or subnet), filtered by AWS account ID, date range, detection source, deployment, and AWS asset within your deployments.
  • AWS Targeted Deployment Trends: Displays an interactive graph depicting incident distribution for a specified time period, by account ID, AWS region, and AWS asset.

CIS Benchmarks

Center for Internet Security (CIS) Benchmarks provide assessments of how your environment conforms to CIS Foundations Benchmark Level 2. For more information about CIS Benchmarks, see the CIS Benchmarks FAQ.

Environment Exposure Trends

Environment exposure trend reports provide summary trending data for exposures within Cloud Insight Essentials deployments, and provide you with at-a-glance statistics for changes over a specified time period, and for specified deployments.

  • Exposure Assessment Trends: Allows you to analyze the overall exposure and average exposure, per vulnerability, of Cloud Insight Essentials deployments over a selected time period.
  • Severity Trends: Allows you to view the percentage of hosts whose worst exposure falls in the high, medium, and low rating categories. Use the graph to determine whether you are adequately addressing exposures.

Incident Analysis

Incident Analysis reports provide valuable insights and trending data for incidents created from all subscribed detection sources (Network IDS, Log Management, Web App IDS, Amazon GuardDuty).

  • Incident Daily Digest: Presents the incidents detected on the previous day for the selected detection types. You can view visualizations and list of incidents by threat level, by classification, or by incident type.
  • Incident Daily Digest Trends: Presents a histogram chart that allows you to focus on the daily incident digest results within the specified date range. You can view visualizations and lists of incidents by threat level, by classification, or by incident type.
  • Incident Distribution Explorer: Presents incidents by threat level, classification, and incident type for the selected detection sources, statuses, and a specified time period.
  • Incident Attacker Explorer: Displays the top 10 attackers and geolocations, with visualizations and lists of incidents by threat level, by classification, or by incident type.
  • Incident Target Explorer: Displays the top 10 targets, with visualizations and lists of incidents by threat level, by classification, or by incident type.

Product Usage

Product Usage reports provide information regarding the billable size of your scoped deployments, which correlate to the amount billed for a given usage period.

  • Deployments Usage by Day: Displays the number of deployments in your account, by day, for the specified date range.
  • Host Usage by Day: Displays billable product usage over time, by deployment, and with the option to filter to a specific time period. The report presents results by day, and as a sum over the selected time period.
  • Host Usage by Hour: Displays billable product usage over time, by deployment, and with the option to filter to a specific time period. The report presents results by day and by hour over the selected time period.

This content covers usage only for Cloud Insight Essentials. To generate usage reports for Cloud Defender products and services, see Usage reports.

Service Review

Service Review reports provide summary information and visibility into product configuration, product status, and security outcomes from your subscribed services.

  • Customer Contacts: Provides tabular lists of your escalation and notification contacts.
  • Monthly Service Review: Presents a summary of your subscribed services for the selected month, including customer contacts, collection status, and incident detection and comparison.

Vulnerability Analysis

Vulnerability Analysis reports allow you to visualize and group exposures to identify patterns and outliers for assets within a Cloud Insight Essentials deployment.

  • Vulnerability Explorer: Allows you to explore the exposures in your deployments through interactive histograms that group exposures by CVSS score. Click histogram values to see the exposures in each group.
  • Vulnerable Host Explorer: Allows you to explore patterns within host-specific exposures, and provides an interactive, visual representation of exposures, grouped by both image/AMI and VPC.
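The groupings these reports draw (exposures bucketed by CVSS score, the percentage of hosts whose worst exposure lands in each rating band from Severity Trends, and the roll-up by image/AMI and VPC) can also be reproduced offline from a downloaded data export. The following is an added example and not Alert Logic code. It assumes an export with host, image, vpc, exposure_id and cvss columns (the console's actual download schema is not documented on this page), uses placeholder exposure IDs rather than real CVE numbers, and assumes a three-band rating scheme (low 0.0 to 3.9, medium 4.0 to 6.9, high 7.0 to 10.0) that mirrors the report's high/medium/low categories.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample data. The column layout is an assumption, not the console's
# real download schema, and the exposure IDs are placeholders, not CVE numbers.
SAMPLE_EXPORT = """host,image,vpc,exposure_id,cvss
i-0a1,ami-web,vpc-prod,EXP-1,10.0
i-0a1,ami-web,vpc-prod,EXP-2,9.3
i-0b2,ami-web,vpc-prod,EXP-3,7.2
i-0c3,ami-db,vpc-prod,EXP-4,4.3
i-0c3,ami-db,vpc-prod,EXP-5,5.0
i-0d4,ami-bastion,vpc-mgmt,EXP-6,2.1
i-0e5,ami-bastion,vpc-mgmt,EXP-7,0.0
"""

# Assumed rating bands: three categories to match the report's high/medium/low.
BANDS = (("high", 7.0), ("medium", 4.0), ("low", 0.0))


def severity(cvss):
    """Map a CVSS base score to the rating band it falls in; reject bad scores."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    for name, floor in BANDS:
        if cvss >= floor:
            return name
    return "low"  # not reachable: the 0.0 floor catches every valid score


def parse_exposures(text):
    """Parse the exported CSV into records, failing on malformed scores."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            row["cvss"] = float(row["cvss"])
        except (TypeError, ValueError):
            raise ValueError(f"bad CVSS value in row {row!r}")
        severity(row["cvss"])  # range check only
        rows.append(row)
    return rows


def cvss_histogram(exposures, bin_width=1.0):
    """Count exposures per CVSS bin, as the Vulnerability Explorer histogram does.

    Bins are [floor, floor + bin_width); a perfect 10.0 is folded into the top
    bin so it does not get a one-off bin of its own.
    """
    top = 10.0 - bin_width
    hist = Counter()
    for e in exposures:
        floor = min(int(e["cvss"] / bin_width) * bin_width, top)
        hist[round(floor, 2)] += 1
    return dict(hist)


def worst_exposure_per_host(exposures):
    """Highest CVSS score seen on each host."""
    worst = {}
    for e in exposures:
        worst[e["host"]] = max(worst.get(e["host"], 0.0), e["cvss"])
    return worst


def severity_trend(exposures):
    """Percentage of hosts whose worst exposure falls in each band (Severity Trends).

    Each host is counted once, in the band of its single worst exposure, so the
    percentages sum to 100 whenever there is at least one host.
    """
    worst = worst_exposure_per_host(exposures)
    counts = Counter(severity(score) for score in worst.values())
    total = len(worst)
    return {name: (100.0 * counts[name] / total if total else 0.0) for name, _ in BANDS}


def group_by_image_and_vpc(exposures):
    """Roll exposures up by (image/AMI, VPC), as the Vulnerable Host Explorer does."""
    groups = defaultdict(lambda: {"hosts": set(), "exposures": 0, "worst": 0.0})
    for e in exposures:
        g = groups[(e["image"], e["vpc"])]
        g["hosts"].add(e["host"])
        g["exposures"] += 1
        g["worst"] = max(g["worst"], e["cvss"])
    return {
        key: {"hosts": len(g["hosts"]), "exposures": g["exposures"], "worst": g["worst"]}
        for key, g in groups.items()
    }


if __name__ == "__main__":
    data = parse_exposures(SAMPLE_EXPORT)
    print("CVSS histogram:", sorted(cvss_histogram(data).items()))
    print("Severity trend (% of hosts):", severity_trend(data))
    for (image, vpc), g in sorted(group_by_image_and_vpc(data).items()):
        print(f"{image}/{vpc}: {g['hosts']} hosts, {g['exposures']} exposures, worst {g['worst']}")
```

The Severity Trends figure is a host measure, not an exposure count: a host with ten low findings and one high finding is counted once, under high. That is why the percentages in the example sum to 100 and why a drop in the high band means hosts were fully remediated, not just that some findings were closed.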

Vulnerability Reports

The List of Vulnerabilities report displays a tabular list of all current vulnerabilities, details about each vulnerability, and information about the assets affected by the vulnerability.

Scheduled reports

Scheduled reports are fixed format reports to help you analyze threats, vulnerabilities, and compliance issues in your monitored networks. You can generate content for these reports on demand, or at fixed, scheduled times.

Report types

The Scheduled reports page contains the following available reports.

Universal reports

  • Enterprise Report: Provides an overview of several security aspects, such as incidents, events, and vulnerabilities, for your enterprise. This report provides the Executive Summary information for several report categories.
  • CIO Threat Report: Provides metrics to help you measure your security posture. This report includes vulnerability counts, related risk levels, monitored network areas experiencing attacks, and incidents being escalated.
  • CIO Threat Trend Report: Provides a view of incidents and vulnerabilities over time to help you assess and track the security of your network. This report provides a valuable historical view to help you identify trends and associated risks.
  • Blocked Hosts Report: Provides a detailed view of blocked hosts. This report includes the hosts that are blocked most frequently, with statistics on blocks created by manual requests and by automated policies.
  • Threat Security Report: Provides an executive-level summary view of customer activity. This report includes the amount of traffic monitored and the number of events, incidents, scans, and vulnerabilities.
  • Active Users Report: Provides a list of active users and the permissions associated with each one.
  • User's Actions Log: Provides a listing of actions performed by users over a time span.
  • Active Sources Report: Details the currently active Alert Logic Threat Manager protected hosts and Alert Logic Log Manager sources.

Report categories group related reports.

Report categories

  • Incident Reports: Provide information about incidents recorded and tracked through Threat Manager and Log Manager. You can view incidents by status, time, threat level, and other aspects.
  • Event Reports: Provide information about threats and the related events identified by Threat Manager. You can view events by time, threat level, and other aspects. You can also analyze threats and related activities using the various reports in this category.
  • Vulnerability Reports: Provide information about vulnerabilities identified by Threat Manager during vulnerability scans. You can view vulnerabilities by age, risk level, and other aspects. You can also analyze vulnerabilities and prioritize work using the various reports in this category.
  • Log Reports: Provide information about log messages collected and analyzed by Log Manager. The Log Source Activity report provides information about log collection activities.
  • Scan Reports: Provide information about vulnerabilities found during vulnerability scanning.
  • Compliance Reports: Provide compliance information collected by Threat Manager for the critical assets you identified as holding financial or medical information. You can view the Executive Summary for a compliance standard category, such as PCI Compliance, and then drill into the Full Report for detailed information about an aspect identified in the Executive Summary.
  • Saved Scheduled Reports: Provides the scheduled reports previously run and saved. You can also manage scheduled reports in this area.

Generate a report

You can generate scheduled reports to analyze log messages, and to identify incidents, threats, vulnerabilities, and compliance issues in your network. Alert Logic deletes generated reports after you view them. If you want to save the results of a scheduled report, you can export the report to PDF or Microsoft Excel format. For more information, see Export a report.

The report you select determines the available options.

To generate a scheduled report:

  1. From the Reports page, click Scheduled.
  2. On the Scheduled Reports page, in the Available Reports list, select the report you want to generate. You may need to expand categories in the tree to find the report you want.
  3. Follow the on-screen prompts for the report you selected.
  4. Click Generate Report.

When the report completes, you can click Report(s) at the top of the Scheduled Reports page.

Export a report

In the left navigation area of a generated report, click the format to which you want to export the report: PDF Version, Legacy Excel Format, or New Excel Format. The Excel versions download immediately; the PDF version opens on screen.

To save the PDF version of the report:

  1. Click the Adobe download icon.
  2. Browse to the folder where you want to save the report, and then click Save.

Manage reports

View a saved report

When the report completes, you can click Report(s) at the top of the Scheduled Reports page to view the reports you scheduled. Alert Logic deletes generated reports after you view them. If you want to save the results of a scheduled report, you can export the report to PDF or Microsoft Excel format. For more information, see Export a report.

In some reports, you can also drill down to more details about the hosts and items in that report, once the report is open.

View scheduled reports

On the Reports page, in the left navigation area, under Saved Scheduled Reports, click Manage Scheduled Reports.

Change schedule

  1. On the Scheduled Reports page, click the name of the scheduled report you want to change, and then select one of the following options:
    • Run as soon as possible.
    • Schedule for later—Specify the date and time you want to run the report.
    • Attach Resulting PDF to notification email—View the result of your scheduled report when you receive the notification email.
  2. Click Update.

WAF reports

WAF reports include the Activity Report and the Policy Report.

Activity Report

The Activity Report provides a filtered report on activity during a slice of time. You can select recent time ranges from the drop-down (Last Hour, Last 24 Hours, Last Week, or Last Month) or a date range by entering a starting date and an ending date in the labeled fields and clicking Go.

You can filter the data by specific appliance by opening the Filters bar, selecting an appliance, and clicking Filter.

The report will show the following summaries:

  • Attack Class Summary
  • Risk Level Summary
  • Violation Summary
  • Website Activity

Policy Reports

The Policy Reports provide a summary of the WAF security configuration on a per-website basis. Each report lists the security policy settings for a single website protected by the WAF, which allows a convenient review without paging through multiple screens of settings.

It is possible to filter the list of reports by active appliance. Open the Filters bar, select an appliance in the Appliances drop-down, and then click Filter.

Usage reports

Usage reports provide data related to log collection and network IDS traffic volumes.

This content covers Threat Manager and Log Manager usage.