Download Current Health Check Results for your Alert Logic Security Infrastructure
This section describes how to retrieve a summary of health check results for your Alert Logic security infrastructure using the Alert Logic CLI.
Supported subscription types
- Managed Detection and Response Essentials
- Managed Detection and Response Professional
Requirements
This use case requires that the Alert Logic CLI is already installed and configured.
Technical Details
Alert Logic reports configuration remediations against a deployment’s assets when the existing configuration affects collection health; these can include (but are not limited to) remediations about agent error states, appliance connectivity, and cross-network protection.
The Alert Logic CLI can be used to retrieve a summary of collection health. The report provides counts of healthy and unhealthy instances for each asset type (agent, appliance, network, and collector), and the CLI can also return a list of the current exposures affecting deployment health.
Download a collection health summary using the Alert Logic CLI
This section describes how to download a summary of collection health using the Alert Logic CLI.
Use the Alert Logic CLI to retrieve a collection health summary from Assets Query, providing the Alert Logic account ID:
```
$ alcli remediations get_collection_health_summary --account_id 134235891
{
  "agents": {
    "coverage": {
      "protected": 0,
      "total": 0
    },
    "health": {
      "scores": [
        {
          "count": 0,
          "health_level": 0,
          "unhealthiness": 0.0
        },
        {
          "count": 0,
          "health_level": 2,
          "unhealthiness": 0.0
        }
      ]
    }
  },
  "appliances": {
    "coverage": {
      "total": 0
    },
    "health": {
      "scores": [
        {
          "count": 0,
          "health_level": 0,
          "unhealthiness": 0.0
        },
        {
          "count": 0,
          "health_level": 2,
          "unhealthiness": 0.0
        }
      ]
    }
  },
  "collectors": {
    "coverage": {
      "total": 28
    },
    "health": {
      "scores": [
        {
          "count": 5,
          "health_level": 0,
          "unhealthiness": 0.0
        },
        {
          "count": 23,
          "health_level": 2,
          "unhealthiness": 8.0
        }
      ]
    }
  },
  "networks": {
    "coverage": {
      "protected": 0,
      "total": 152
    },
    "health": {
      "scores": [
        {
          "count": 0,
          "health_level": 0,
          "unhealthiness": 0.0
        },
        {
          "count": 0,
          "health_level": 2,
          "unhealthiness": 0.0
        }
      ]
    }
  }
}
```
You can also use the --query parameter to limit the scope of the results. For example, to fetch a summary only for appliances and agents, use:
```
$ alcli --query '{agents:agents,appliances:appliances}' remediations get_collection_health_summary --account_id 134235891
{
  "agents": {
    "coverage": {
      "protected": 0,
      "total": 4
    },
    "health": {
      "scores": [
        {
          "count": 0,
          "health_level": 0,
          "unhealthiness": 0.0
        },
        {
          "count": 0,
          "health_level": 2,
          "unhealthiness": 0.0
        }
      ]
    }
  },
  "appliances": {
    "coverage": {
      "total": 0
    },
    "health": {
      "scores": [
        {
          "count": 0,
          "health_level": 0,
          "unhealthiness": 0.0
        },
        {
          "count": 0,
          "health_level": 2,
          "unhealthiness": 0.0
        }
      ]
    }
  }
}
```
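The summary above is easiest to act on once it is reduced to per-asset-type counts. The script below is an added example, not part of the Alert Logic CLI or its documentation; it parses a captured summary and flags asset types with unhealthy or unprotected instances, assuming that a score bucket with a nonzero `unhealthiness` value is unhealthy and that a `protected` count lower than `total` means unprotected assets.

```python
"""Parse an `alcli remediations get_collection_health_summary` response and
flag asset types with unhealthy or unprotected instances.

Added example, not part of the Alert Logic CLI. Assumes a score bucket with
nonzero "unhealthiness" is unhealthy, and that fewer "protected" than "total"
in "coverage" means unprotected assets.
"""
import json

# Constructed sample, shaped like the summary output shown above.
SAMPLE = json.dumps({
    "agents": {"coverage": {"protected": 0, "total": 0},
               "health": {"scores": [{"count": 0, "health_level": 0, "unhealthiness": 0.0},
                                     {"count": 0, "health_level": 2, "unhealthiness": 0.0}]}},
    "collectors": {"coverage": {"total": 28},
                   "health": {"scores": [{"count": 5, "health_level": 0, "unhealthiness": 0.0},
                                         {"count": 23, "health_level": 2, "unhealthiness": 8.0}]}},
    "networks": {"coverage": {"protected": 0, "total": 152},
                 "health": {"scores": [{"count": 0, "health_level": 0, "unhealthiness": 0.0},
                                       {"count": 0, "health_level": 2, "unhealthiness": 0.0}]}},
})

def summarize(raw):
    """Return {asset_type: {"total", "healthy", "unhealthy", "unprotected"}}."""
    out = {}
    for asset_type, block in json.loads(raw).items():
        cov = block.get("coverage", {})
        scores = block.get("health", {}).get("scores", [])
        unhealthy = sum(s["count"] for s in scores if s.get("unhealthiness", 0) > 0)
        healthy = sum(s["count"] for s in scores) - unhealthy
        total = cov.get("total", 0)
        # Some types (appliances, collectors) report no "protected" count: treat as covered.
        unprotected = total - cov.get("protected", total)
        out[asset_type] = {"total": total, "healthy": healthy,
                           "unhealthy": unhealthy, "unprotected": unprotected}
    return out

def findings(raw):
    """One line per asset type that has unhealthy or unprotected instances."""
    lines = []
    for asset_type, s in sorted(summarize(raw).items()):
        if s["unhealthy"]:
            lines.append(f"{asset_type}: {s['unhealthy']} of {s['healthy'] + s['unhealthy']} unhealthy")
        if s["unprotected"]:
            lines.append(f"{asset_type}: {s['unprotected']} of {s['total']} not protected")
    return lines

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)) or "no findings")
```

To run it against live data, pipe the `alcli` output into the script instead of using `SAMPLE`.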
Download current health check results using the Alert Logic CLI
You can use the Alert Logic CLI to retrieve a list of current exposures affecting deployment health. These vulnerabilities are stored in the Assets service and are retrieved with Assets Query.
Use the Alert Logic CLI to download a list of open configuration vulnerabilities along with their associated remediations:
```
$ alcli assets_query query_assets --account_id 134278880 --asset_types 'vulnerability,remediation' --filter '{"vulnerability.categories": ">>configuration"}' --qfields 'name,description,details,remediation_id,vulnerability_id'
{
  "rows": 1,
  "assets": [
    [
      {
        "vulnerability_id": "5fe231de3e31ac7064df974341cb6efc",
        "type": "vulnerability",
        "remediation_id": "ids_missing_appliance_dc",
        "name": "Network Without Alert Logic Appliance",
        "key": "/dc/network/B0A11702-20CA-4948-B4AA-FB9926A290AD/vulnerability/f126e4d15ffb769547bcd26efe8ac785",
        "details": "The network does not have a provisioned IDS appliance present.",
        "description": "Network Without Alert Logic Appliance",
        "deployment_id": "C6189132-5282-4A2D-B915-737862AB05AE",
        "categories": [
          "configuration"
        ]
      },
      {
        "type": "remediation",
        "remediation_id": "ids_missing_appliance_dc",
        "name": "Alert Logic recommends that you add an Alert Logic Appliance to this Network.",
        "key": "/al/134278880:C6189132-5282-4A2D-B915-737862AB05AE/remediation/ids_missing_appliance_dc",
        "deployment_id": "C6189132-5282-4A2D-B915-737862AB05AE"
      }
    ]
  ]
}
```
Note that this request downloads all configuration remediations for the entire account; to limit the results to a single deployment, add the --deployment_id parameter.
Here is a breakdown of this query:
| Parameter | Definition |
|---|---|
| --account_id | your Alert Logic account ID |
| --asset_types | the asset types to query for; in this case, we are querying for vulnerabilities and their associated remediations. |
| --filter | a JSON object representing property names and values to filter with. {"vulnerability.categories": ">>configuration"} uses the list membership operator >> to query for vulnerabilities belonging to the configuration category. |
| --qfields | the properties to return in the response. It is often a good idea (and convenient) to restrict the returned data to what is of interest, but this is not required. |
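Each row of the response above pairs a vulnerability with its remediation, but in a larger account the rows are easier to triage once joined on remediation_id and deployment_id. The script below is an added example, not part of the Alert Logic CLI or its documentation; it pairs the two asset types from a captured response and still reports a vulnerability whose remediation row was not returned. The second row of the sample uses constructed placeholder ids.

```python
"""Pair the vulnerability and remediation rows returned by
`alcli assets_query query_assets --asset_types 'vulnerability,remediation'`.
Added example, not part of the Alert Logic CLI. Assumes rows are grouped as in
the output above; a vulnerability with no remediation row is still reported.
"""
import json

# Constructed sample: the pair shown above plus a vulnerability whose
# remediation row is missing (placeholder ids, not real assets).
SAMPLE = json.dumps({"rows": 2, "assets": [
    [{"type": "vulnerability", "vulnerability_id": "5fe231de3e31ac7064df974341cb6efc",
      "remediation_id": "ids_missing_appliance_dc",
      "name": "Network Without Alert Logic Appliance",
      "details": "The network does not have a provisioned IDS appliance present.",
      "deployment_id": "C6189132-5282-4A2D-B915-737862AB05AE"},
     {"type": "remediation", "remediation_id": "ids_missing_appliance_dc",
      "name": "Alert Logic recommends that you add an Alert Logic Appliance to this Network.",
      "deployment_id": "C6189132-5282-4A2D-B915-737862AB05AE"}],
    [{"type": "vulnerability", "vulnerability_id": "PLACEHOLDER-VULN-ID",
      "remediation_id": "PLACEHOLDER-REMEDIATION-ID", "name": "Constructed finding",
      "details": "constructed details", "deployment_id": "PLACEHOLDER-DEPLOYMENT-ID"}],
]})

def pair_findings(raw):
    """Return a list of {deployment, vulnerability, details, remediation} dicts."""
    remediations, vulns = {}, []
    for row in json.loads(raw)["assets"]:
        for asset in row:
            if asset.get("type") == "remediation":
                # Key on both ids: the same remediation_id can apply in several deployments.
                remediations[(asset["deployment_id"], asset["remediation_id"])] = asset["name"]
            elif asset.get("type") == "vulnerability":
                vulns.append(asset)
    return [{
        "deployment": v["deployment_id"],
        "vulnerability": v["name"],
        "details": v.get("details", ""),
        "remediation": remediations.get((v["deployment_id"], v["remediation_id"]),
                                        "(no remediation row returned)"),
    } for v in vulns]

def by_deployment(raw):
    """Count open configuration findings per deployment, for a quick triage view."""
    counts = {}
    for f in pair_findings(raw):
        counts[f["deployment"]] = counts.get(f["deployment"], 0) + 1
    return counts
```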