Getting Started
Visualization tools and dashboards, such as those in the Armor Management Portal, turn raw data into views that help security teams see what is occurring in each environment. Users can then process that data into reports and graphs that are easier to share with others. Once data is gathered, users can take advantage of the visualization and reporting capabilities with just a few clicks.
With the Log Search and Data Visualization capabilities, users can build custom dashboards within the Armor Management Portal. With just a few clicks, users can visualize log alerts and incident information within any environment. For example, a team may want to see where a particular malware has surfaced across multiple environments. Searches can reveal patterns and include artifacts for analysis. Searches can also be saved; a saved search returns results based on the currently selected time range.
Info: Please make sure to review ChaosSearch's documentation on Log Search data and visualization.
A list of Standard Visualizations has been prepared for users, including steps to configure and examples of each visualization.
Info: For more information on the Log Search data and visualization tool, please see https://www.elastic.co/guide/en/kibana/7.9/index.html
Exporting Data from Log Search
Users can export small quantities of documents (logs, events, vulnerabilities, security incidents, CSPM alerts, EDR alerts) via a Data Table visualization (see https://www.elastic.co/guide/en/kibana/6.8/data-table.html) within Log Search.
1. In the Armor Management Portal (AMP), in the left-side navigation, click Log Search.
2. In Log Search, click the Visualize tab.
3. Click the Create New Visualization button.
4. In the New Visualization popup window, click Data Table.
5. In the New Data Table / Choose a source popup window, select the appropriate source for the query.
6. Customize the visualization as needed.
Armor recommends that users add a bucket in the Buckets dropdown and configure its settings to match the screenshot above. When finished, click the blue triangle just above Metrics to apply the changes.
Users can use the +Add filter link (see screenshot) to limit the returned results to only the events that are to be exported.
Query date functionality works as it does on the Discover page.
The Export links (see screenshot) can be used to export the results in CSV format via a browser download.
Info: While filtering for the index pattern, the behavior of the search box can be confusing. The search box automatically appends a wildcard to the end of a filter, but not to the beginning. To ensure that a search returns data, users should only filter from Page 1 and should prepend a wildcard character to the search term. Never filter from any page other than Page 1.
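The following is an added example, not code from this page or from Armor or Kibana. It emulates the search-box rule described in the note above (an implicit trailing wildcard, no implicit leading wildcard) over a constructed list of index-pattern names, so that the difference between filtering for a plain term and for a term with a prepended wildcard can be seen directly. The index-pattern names and the helper names (`effective_pattern`, `filter_index_patterns`) are assumptions made for the example.

```python
import fnmatch
from typing import List

# Constructed sample index-pattern names; these do not come from any real environment.
SAMPLE_INDEX_PATTERNS = [
    "logs-2023.11",
    "logs-2023.12",
    "armor-logs-2023.12",
    "vulnerabilities-2023.12",
    "edr-alerts-2023.12",
]


def effective_pattern(user_filter: str) -> str:
    """Return the pattern the search box actually applies.

    Assumption: this mirrors the behaviour the page describes (a trailing
    '*' is appended automatically, a leading one is not); it is not
    Kibana's own implementation.
    """
    if not user_filter.endswith("*"):
        user_filter += "*"
    return user_filter


def filter_index_patterns(user_filter: str,
                          names: List[str] = SAMPLE_INDEX_PATTERNS) -> List[str]:
    """Apply the effective pattern to each name and keep the matches.

    fnmatchcase is used so that matching is case-sensitive and '*' has its
    usual glob meaning.
    """
    pattern = effective_pattern(user_filter)
    return [name for name in names if fnmatch.fnmatchcase(name, pattern)]


if __name__ == "__main__":
    # A plain term only matches names that start with it.
    print(filter_index_patterns("logs"))
    # Prepending a wildcard also finds names where the term appears later.
    print(filter_index_patterns("*logs"))
    # A term that never appears at the start of a name returns nothing without the leading wildcard.
    print(filter_index_patterns("alerts"), filter_index_patterns("*alerts"))
```

Running the block shows that `logs` finds only the two names beginning with `logs`, while `*logs` also finds `armor-logs-2023.12`, and that `alerts` returns an empty list until a leading wildcard is added.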
Log Search allows for the use of both scripted and custom field names. For a complete list of all scripted field names, please see https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html.
The list below contains custom fields created by Armor. This list is constantly growing, so if you are unable to find what you're looking for, please reach out to your Customer Success Manager or Support.