Protection Dashboard

Topics Discussed

1 Review Widgets and Graph
2 Understand Service Health
3 Health Rules
4 Improve your Protection Score
5 Export Protection Screen Data

In the Protection screen, the Protection score focuses on the stability of Armor services to determine if

The agent is responding (hearbeating) to Armor
The agent has registered properly

For Armor Anywhere, the Protection scores focuses on the following services:

Malware Protection
FIM
IDS
Filebeat (for Windows and Linux)
Winlogbeat (for Windows)
Vulnerability Scanning

Review Widgets and Graph

Widget and Graph Type	Description

Widget and Graph Type	Description
Protection Score	This widget displays a calculated score that includes the number of subagents in an unhealthy state. For Armor Enterprise Cloud, only virtual machines that are in a Powered On state are included. For Armor Anywhere, only virtual machines that have communicated (heartbeated) with Armor in the last 4 hours are included. Scores in the security dashboards are calculated and updated every night at 2:00 AM UTC.
Assets Protected	This widget displays the number of virtual machines that contain the Armor agent. Newly created virtual machines will not be reflected in the number of Assets Protected until the following day.
Healthy Services	This widget displays the percentage of agents and subagents that are working properly.
Protection Score Trend	This graph displays the history of your protection scores.

Understand Service Health

The Service Health section displays the virtual machines that contain the installed Armor agent.

To view this section, you must have the Read Virtual Machines(s) permission assigned to your account.

Column	Description

Column	Description
Asset Name	This column displays the name of the virtual machine. You can click the name of the virtual machine to access the Virtual Machine details screen.
Status	This column displays the security status of the virtual machine. Unprotected indicates the agent is not installed in the instance. Instances without an agent will be labeled as Unprotected. All instances from the public cloud account will be displayed. Needs Attention indicates that the agent is installed, but has not properly communicated (heartbeated) with Armor. To troubleshoot a specific error message under Needs Attention, see Troubleshoot Protection Scores. OK indicates that the agent is installed and has communicated (hearbeated) with Armor.
Location	For Armor Enterprise Cloud, this column will display name of the Armor virtual site. For Armor Anywhere, this column will display the name of the public cloud provider.
Ticket	This column displays the support ticket that troubleshoots the Protection issue. A Protection issue will automatically generate a support ticket.

Health Rules

Health Rules calculates the status of several managed services provided or orchestrated by Armor. The status of these checks roll into AMP's Protection and help guide our support and remediation efforts.

The health rules are grouped under each Rule Family.

Types of Rule Family

Armor Agent
File Logging
FIM
IDS
Log Collector
Malware Protection
OS Monitoring
Vulnerability Scanning
Windows Event Logging

Rule Family	Rule	Description	Service	Frequency

Rule Family	Rule	Description	Service	Frequency
Armor Agent	HasRecentHeartbeat	If latest CORE heartbeat is > 4 hours	Armor Agent	Hourly
Armor Agent	HasCorrectVersion	If CORE Agent is not running latest version	Armor Agent	Hourly
File Logging	HasCorrectVersion	If Filebeat is not running the latest version	Filebeat	Hourly
File Logging	HasRecentLogs	If last received log for that CoreinstanceId is > 4 hours from ELK	Filebeat	Hourly
File Logging	IsInstalled	If Filebeat agent is not installed	Filebeat	Hourly
Window Event Logging	HasCorrectVersion	If Winlogbeat is not running the latest version	Winlogbeat	Hourly
Window Event Logging	HasRecentLogs	if last received log for that CoreinstanceId is > 4 hours from ELK	Winlogbeat	Hourly
Window Event Logging	IsInstalled	If Winlogbeat agent is not installed	Winlogbeat	Hourly
FIM	HasRecentHeartbeat	If latest Trend heartbeat is > 4 hours	Trend	Hourly
FIM	IsPluginPresent	If FIM is "On, matching module plug-in not found" Example : FIM On but Module Not Found	Trend	Hourly
FIM	IsRealtimeOrHasRules	If FIM is not "On, Realtime", or "On" with > 0 rules ( Example: FIM On but No Policy	Trend	Hourly
FIM	ModuleIsOn	If FIM is not "On"	Trend	Hourly
IDS	HasRecentHeartbeat	if latest Trend heartbeat is > 4 hours	Trend	Hourly
IDS	HasRules	If IDS is "On" and has > 0 rules Example: IDS installed but no rules	Trend	Hourly
IDS	IsOnTapMode	If IDS is "On" and has tap mode on	Trend	Hourly
IDS	ModuleIsOn	If IDS is not "On"	Trend	Hourly
Malware Protection	HasAgentFailed	if Anti-Malware update failed	Trend	Hourly
Malware Protection	HasRecentHeartbeat	If latest Trend heartbeat is > 4 hours old	Trend	Hourly
Malware Protection	IsRebootRequired	if Anti-Malware status is "Computer reboot required"	Trend	Hourly
Malware Protection	ModuleIsOn	If Anti-Malware is not "On"	Trend	Hourly
Malware Protection	ModuleOnPluginNotFound	If Anti-Malware is "On, matching module plug-in not found"	Trend	Hourly
OS Monitoring	HasCorrectVersion	If Panopta is not running the latest version	Panopta	Hourly
OS Monitoring	IsInstalled	If Panopta is not Installed	Panopta	Hourly
Vulnerability Scanning	InMostRecentScan	If IR Agent did not scan in previous scan period	IR Agent	10 PM UTC once in Sunday
Vulnerability Scanning	IsInstalled	If IR Agent is not installed	IR Agent	10 PM UTC once in Sunday
Log Collector	HasDelayedLogs	if Events from this Log Collector are averaging longer than 1 hour to be received	Logstash	Hourly
Log Collector	HasRecentLogs	if events from this Log Collector have been received > 80%	Logstash	Hourly

Improve your Protection Score

You can use the information below to troubleshoot the issues displayed in the Protection screen.

Armor recommends that you troubleshoot these issues to:

Improve your Protection scores
Improve your overall health scores
Increase the overall security of your environment

Review each step to troubleshoot your problem. If the first step does not resolve the issue, then continue to the second step until the issue has been resolved. As always, you can send a support ticket.

Logging

	Description	Command	Extra information

	Description	Command	Extra information
Windows	Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\	`cat` `C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml` `cat` `C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml`	Windows uses both winlogbeat and filebeat. Commands should run in Powershell. To review additional configurations, certificates, and service information, review a server's directory: C:\.armor\opt\winlogbeat* C:\.armor\opt\filebeat*
	To verify the operation of the logging services, look for winlogbeat, filebeat	`gsv -displayname armor-winlogbeat,armor-filebeat`
	To verify the operation of the logging service processes, look for winlogbeat	`gps` `filebeat,winlogbeat`
	Confirm the configured log endpoint	`cat` `C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml \| sls hosts`

Linux	Configurations are stored within /etc/filebeat/filebeat.yml	`cat` `/etc/filebeat/*.yml`
	Verify the operation of the filebeat service	`ps` `aux \| grep` `filebeat`
	Confirm the configured log endpoint	`grep` `-i hosts /etc/filebeat/filebeat.yml`
	Confirm the external_id	`grep` `-i external_id /etc/filebeat/filebeat.yml`
	Confirm the tenant ID	`grep` `-i tenant_id /etc/filebeat/filebeat.yml`

Step 1: Verify the status of filebeat

Description	Command	Extra Information

Description	Command	Extra Information
Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\	`cat` `C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml` `cat` `C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml`	Windows uses both winlogbeat and filebeat. Commands should run in Powershell. To review additional configurations, certificates, and service information, review a server's directory: C:\.armor\opt\winlogbeat* C:\.armor\opt\filebeat*
To verify the operation of the logging services, look for winlogbeat, filebeat	`gsv -displayname armor-winlogbeat,armor-filebeat`
To verify the operation of the logging service processes, look for winlogbeat	`gps` `filebeat,winlogbeat`
Confirm the configured log endpoint	`cat` `C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml \| sls hosts`

Step 1: Check Logging Services

	Description	Command	Extra information

	Description	Command	Extra information
Windows	Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\	`cat` `C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml` `cat` `C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml`	Windows uses both winlogbeat and filebeat. Commands should run in Powershell. To review additional configurations, certificates, and service information, review a server's directory: C:\.armor\opt\winlogbeat* C:\.armor\opt\filebeat*
	To verify the operation of the logging services, look for winlogbeat, filebeat	`gsv -displayname armor-winlogbeat,armor-filebeat`
	To verify the operation of the logging service processes, look for winlogbeat	`gps` `filebeat,winlogbeat`
	Confirm the configured log endpoint	`cat` `C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml \| sls hosts`

Linux	Configurations are stored within /etc/filebeat/filebeat.yml	`cat` `/etc/filebeat/*.yml`
	Verify the operation of the filebeat service	`ps` `aux \| grep` `filebeat`
	Confirm the configured log endpoint	`grep` `-i hosts /etc/filebeat/filebeat.yml`
	Confirm the external_id	`grep` `-i external_id /etc/filebeat/filebeat.yml`
	Confirm the tenant ID	`grep` `-i tenant_id /etc/filebeat/filebeat.yml`

Step 2: Check Connectivity

Port	Destination

Port	Destination
515/tcp	46.88.106.196 (1a.log.armor.com) 146.88.144.196 (2a.log.armor.com)

Malware Protection

Step 1: Verify the status of the agent

	Description	Command

	Description	Command
Windows	Verify that the service is running	^{gsv -displayname trend}
Linux	Verify that the service is running	^{ps_axu \| grep ds_agent}

Step 2: Check the connectivity of the agent

	Description	Command

	Description	Command
Windows	Verify the URL endpoint epsec.armor.com	^{& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus \| sls -pattern url}
	Confirm connection to the URL	`new-object` `System.Net.Sockets.TcpClient('146.88.106.210', 443)`

Linux	Verify the URL endpoint epsec.armor.com	^{/opt/ds_agent/dsa_query -c GetAgentStatus \| grep AgentStatus.dsmUrl}
	Confirm connection to the URL	`telnet 146.88.106.210` `443`

Step 3: Manually heartbeat the agent

	Description	Command

Description

Command

Windows

Verify a 200 response

PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response

/opt/ds_agent/dsa_control -m

Step 1: Verify the status of the agent

	Description	Command

	Description	Command
Linux	Verify that the service is running	^{ps_axu \| grep ds_agent}
Windows	Verify that the service is running	^{gsv -displayname trend}

Step 2: Check the connectivity of the agent

	Description	Command

	Description	Command
Windows	Verify the URL endpoint epsec.armor.com	^{& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus \| sls -pattern url}
	Confirm connection to the URL	`new-object` `System.Net.Sockets.TcpClient('146.88.106.210', 443)`

Linux	Verify the URL endpoint epsec.armor.com	^{/opt/ds_agent/dsa_query -c GetAgentStatus \| grep AgentStatus.dsmUrl}
	Confirm connection to the URL	`telnet 146.88.106.210` `443`

Step 3: Manually heartbeat the agent

	Description	Command

Description

Command

Windows

Verify a 200 response

PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response

Step 4: Check the components for the agent

Windows

Linux

File Integrity Monitoring (FIM)

Intrusion Detection System (IDS)

Vulnerability Scanning

To remediate Vulnerability Scanning issues, please refer to this documentation.

Export Protection Screen Data

In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Protection.
(Optional) Use the search bar to customize the data displayed.
Below the table, click CSV. You have the option to export all the data (All) or only the data that appears on the current screen (Current Set).

Column	Description

Column	Description
Column	Description
Asset Name	This column display the name of the virtual machine (or instance).
Location	This column displays the data center location for for the virtual machine (or instance).
Service	For Armor Enterprise Cloud, the Protection scores focuses on the following services:
	Malware Protection
	FIM
	Filebeat (for Linux)
	Winlogbeat (for Windows)

	For Armor Anywhere, the Protection scores focuses on the following services:

	Malware Protection
	FIM
	IDS
	Filebeat (for Linux)
	Winlogbeat (for Windows)
	Vulnerability Scanning
Status	This column displays the security status of the virtual machine (or instance), which can be:
	Warning
	Needs Attention
	OK
Message	This column displays a brief message to explain the reason for the Warning or Needs Attention status.