
Understanding the Datalake


The Armor data lake is a centralized repository for storing data collected by Armor. For EDR, the data lake holds detection data for incidents in every environment, including endpoints. Because this volume can be large, narrowing the scope of a search is critical to making sense of the results.

Accessing the Datalake


  1. In the Armor Management Portal (AMP), navigate to Security -> Log Search and SSO into ChaosSearch.

     [Image: AMP nav menu showing Log Search]

  2. Create a filter by doing the following:

     1. Click Add filter.
     2. In Field, select index.type.
     3. For Operator, select is.
     4. In the Value field, type endpoint-detections.
     5. Click Save.

     [Image: Add filter example]

  3. Set the date range to encompass the incident date or dates you want to see, then click Refresh.

     [Image: Refresh button in Log Search]

Data Presentation


Data consists of documents stored in the datalake. Each document contains all the data related to that particular rule and resource. Below are examples of the table and JSON views:

[Image: Table example]

[Image: JSON example]


Helpful Fields for Searching the Datalake


Field            Filter By
event.type       One of the four ECS categorization fields; indicates the third level in the ECS category hierarchy.
host.hostname    Hostname of the host.
host.os.name     Name of the operating system (the host.os fields describe the operating system).

Adding a Filter


To add further filters, click the Add filter button.

[Image: Additional filters example]

Then set Field to one of the helpful fields above, select the operator, enter the value, and click Save.
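The filters described above (field, operator, value, plus a date range) are evaluated server-side by ChaosSearch, but it helps to see what such a filter does to a set of documents. The following added example is not Armor or ChaosSearch code: it runs the same kind of filter over a handful of constructed, ECS-style endpoint-detection documents using the fields named on this page (index.type, event.type, host.hostname, host.os.name). The sample documents, their timestamps and hostnames are all made up for illustration.

```python
"""Apply Log Search-style filters to ECS-style documents (added example)."""
from datetime import datetime

# Constructed sample documents mimicking the fields named on the page.
# These are not real Armor datalake records.
SAMPLE_DOCS = [
    {"@timestamp": "2024-03-01T10:15:00Z",
     "index": {"type": "endpoint-detections"},
     "event": {"type": "info"},
     "host": {"hostname": "web-01", "os": {"name": "Windows Server 2019"}}},
    {"@timestamp": "2024-03-02T08:00:00Z",
     "index": {"type": "endpoint-detections"},
     "event": {"type": "creation"},
     "host": {"hostname": "db-02", "os": {"name": "Ubuntu"}}},
    {"@timestamp": "2024-03-02T09:30:00Z",
     "index": {"type": "firewall-logs"},
     "event": {"type": "denied"},
     "host": {"hostname": "fw-01", "os": {"name": "Linux"}}},
    {"@timestamp": "2024-02-20T12:00:00Z",
     "index": {"type": "endpoint-detections"},
     "event": {"type": "info"},
     "host": {"hostname": "web-01", "os": {"name": "Windows Server 2019"}}},
]


def get_field(doc, dotted):
    """Resolve a dotted ECS path such as 'host.os.name' against a nested dict.

    Returns None when any part of the path is missing, so a filter on a field
    a document does not carry simply fails to match instead of raising.
    """
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def search(docs, filters, start=None, end=None):
    """Return the documents matching every (field, operator, value) filter
    and falling inside the optional inclusive [start, end] date range.

    Operators mirror the two basic choices in the UI: 'is' and 'is not'.
    """
    matches = []
    for doc in docs:
        ts = parse_ts(doc["@timestamp"])
        if start is not None and ts < parse_ts(start):
            continue
        if end is not None and ts > parse_ts(end):
            continue
        keep = True
        for field, op, value in filters:
            actual = get_field(doc, field)
            if op == "is":
                keep = keep and actual == value
            elif op == "is not":
                keep = keep and actual != value
            else:
                raise ValueError(f"unsupported operator: {op}")
        if keep:
            matches.append(doc)
    return matches


if __name__ == "__main__":
    # The page's workflow: index.type is endpoint-detections, then narrow by
    # host and by the incident's date range.
    hits = search(
        SAMPLE_DOCS,
        [("index.type", "is", "endpoint-detections"),
         ("host.hostname", "is", "web-01")],
        start="2024-03-01T00:00:00Z",
        end="2024-03-03T00:00:00Z",
    )
    for hit in hits:
        print(hit["@timestamp"], get_field(hit, "host.hostname"),
              get_field(hit, "event.type"))
```

Note how the first filter on index.type discards the firewall document and the date range discards the February detection, leaving a single hit; this is the narrowing the page recommends before reading individual documents.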
