Using the Datalake for Anti-Virus
Understanding the Datalake
The Armor data lake is a centralized repository for storing Armor collected data. With regards to vulnerabilities, the data lake contains all the data for every report created for an environment and all the historical data from when the reports are run. This can be a lot of data so narrowing down the scope of information is critical to making sense of it all.
Accessing the Datalake
Users can access the Datalake in two ways:
Data Presentation
Data consists of documents stored in the datalake. Each document contains all the data related to that particular rule and resource. Below are examples of the table and JSON views:
The schema for these documents is based on Elastic Common Schema, please refer to the below links for the details and explanation of the fields:
Vulnerability schema - https://www.elastic.co/guide/en/ecs/1.5/ecs-vulnerability.html
Custom Fields:
parsed.trendmicro.severity - the severity of the event
parsed.trendmicro.message - indicates whether the malware was detected by a Realtime or Scheduled scan
parsed.trendmicro.name - the name of the malware detected
parsed.trendmicro.file_path - the filesystem path where the malware was detected
parsed.trendmicro.action - the action taken by the AV service in response to the detected malware; one of Clean, Clean Failed, Delete, Delete Failed, Quarantine, Quarantine Failed, Access Denied, Passed
Helpful Fields for Searching the Datalake
FIELD | FILTER BY |
---|---|
hostname | the hostname of the machine on which the event was sent |
data_type | the type of the data being searched for, trend-hids in this instance |
Adding a Filter
To add additional filters, click on the Add Filter Button.
Then set the field to one of the helpful fields above, select the operator, put in the value and hit save. The data is now filtered on a specific reportId, Policy or other field selected.
Viewing Datalake Aggregations
Please refer to Reports for custom aggregations, visualizations and custom reports.