Getting Started


Visualization tools and dashboards such as those in the Armor Management Portal (AMP) use the values in collected data to help security teams see what is occurring in each environment. Users can then turn that data into reports and graphs that are easy to share with others. Once the data is gathered, the visualization and reporting capabilities are only a few clicks away.

With the Log Search and Data Visualization capabilities, users can build custom dashboards within the Armor Management Portal. With a few clicks, users can visualize log alerts and incident information for any environment. For example, a team may want to see where a particular piece of malware has surfaced across multiple environments. Searches can reveal patterns and include artifacts for analysis. Searches can also be saved; a saved search returns results for the time range currently selected, not the range that was in effect when it was saved.

Please make sure to review ChaosSearch's documentation on Log Search data and visualization.

For more information on the underlying Log Search data and visualization tool, please see Elastic's Kibana documentation.


Exporting Data from Log Search


Users can export small quantities of documents (logs, events, vulnerabilities, security incidents, CSPM alerts, EDR alerts) via a Data Table visualization within Log Search.

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Log Search.
  2. In Log Search, click the Visualize tab.

  3. Click the Create New Visualization button.

  4. In the New Visualization popup window, click Data Table.

  5. In the New Data Table / Choose a source popup window, select the index pattern (source) to query.

  6. Customize the visualization as needed.



    Armor recommends adding a bucket in the Buckets dropdown and configuring its settings to match the screenshot.

  7. When finished, click the blue triangle just above Metrics to apply the changes.

    1. Use the +Add filter link (see screenshot) to limit the results to only the events to be exported.

    2. The query time range works as it does on the Discover page.

    3. The Export links (see screenshot) download the results in CSV format through the browser.


When filtering the index-pattern list, the behavior of the search box can be confusing. The search box automatically appends a wildcard to the end of the filter text but does not prepend one, so a filter only matches index names that start with the typed text. To ensure that a search returns data, prepend a wildcard character to the filter and apply it only from Page 1 of the list.

e.g. *_5797 searches for *_5797* and returns 5441_5797_customer, as long as you are on Page 1.

Never filter from any page other than Page 1.
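The following Python snippet is an added example, not part of the Armor page: it emulates the search box's "append but never prepend" wildcard behavior so that you can check which index names a filter will show before relying on it. The index names are constructed for the illustration and are not real Armor indices.

```python
import fnmatch

# Constructed index names for this example; they are not real Armor indices.
SAMPLE_INDICES = [
    "5441_5797_customer",
    "5441_5797_customer_archive",
    "5441_1234_customer",
    "logs_5797",
]


def effective_pattern(typed: str) -> str:
    """Return the pattern the index-pattern search box actually applies.

    The box appends a trailing '*' to whatever is typed but never prepends
    one, so a filter only matches names that START with the typed text unless
    the user supplies the leading '*' themselves.
    """
    return typed if typed.endswith("*") else typed + "*"


def matching_indices(typed: str, indices=SAMPLE_INDICES) -> list:
    """Index names the filter would show (on Page 1) for the typed text."""
    pattern = effective_pattern(typed)
    return [name for name in indices if fnmatch.fnmatchcase(name, pattern)]


if __name__ == "__main__":
    for typed in ("_5797", "*_5797", "5441"):
        print(f"{typed!r:12} -> {effective_pattern(typed)!r:12} {matching_indices(typed)}")
```

Typing `_5797` alone matches nothing, because the effective pattern `_5797*` requires the name to begin with an underscore; `*_5797` becomes `*_5797*` and finds every index containing `_5797`.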



Log Search Field Glossary


Log Search exposes both standard Elastic Common Schema (ECS) fields and custom fields added by Armor. For the complete list of ECS field names, please see Elastic's ECS Field Reference.

The list below contains the custom fields created by Armor. This list is constantly growing, so if you cannot find what you are looking for, please reach out to your Customer Success Manager or Support.


| Name | Description |
| --- | --- |
| @timestamp | Represents the time extracted from the original event. |
| @version | The document's version. |
| _id | The document's ID. |
| _index | The index to which the document belongs. |
| _score | The document's relevance score for the current query (the original JSON body is carried in _source, not here). |
| _type | The document's mapping type. |
| armor_metadata | Contains information about the Armor account. |
| beat.hostname | Alias to agent.hostname. |
| beat.name | Alias to host.name. |
| beat.version | Elastic Filebeat version. |
| data_type | The data source or type of Armor data. |
| destination.address | The request's destination IP address. |
| document_size | The document's size. |
| dst_geo.city_name | Destination GeoIP lookup, or user-supplied destination geo data: city name. |
| dst_geo.continent_code | Destination GeoIP lookup, or user-supplied destination geo data: continent code. |
| dst_geo.country_code2 | Destination GeoIP lookup, or user-supplied destination geo data: two-letter country code. |
| dst_geo.country_code3 | Destination GeoIP lookup, or user-supplied destination geo data: three-letter country code. |
| dst_geo.country_name | Destination GeoIP lookup, or user-supplied destination geo data: country name. |
| dst_geo.dma_code | Destination GeoIP lookup, or user-supplied destination geo data: DMA code. |
| dst_geo.latitude | Destination GeoIP lookup, or user-supplied destination geo data: latitude. |
| dst_geo.longitude | Destination GeoIP lookup, or user-supplied destination geo data: longitude. |
| dst_geo.postal_code | Destination GeoIP lookup, or user-supplied destination geo data: postal code. |
| dst_geo.region_code | Destination GeoIP lookup, or user-supplied destination geo data: region code. |
| dst_geo.region_name | Destination GeoIP lookup, or user-supplied destination geo data: region name. |
| dst_geo.timezone | Destination GeoIP lookup, or user-supplied destination geo data: timezone. |
| dst_ip | IP address of the destination; can be one or more IPv4 or IPv6 addresses. Available in Armor ingestion-supported logs from: AWS VPC Flow Logs, Web Application Firewall (WAF), Brocade Virtual Traffic Manager, Imperva SecureSphere, Juniper. |
| dst_port | Port of the destination. Available in the same Armor ingestion-supported logs as dst_ip: AWS VPC Flow Logs, Web Application Firewall (WAF), Brocade Virtual Traffic Manager, Imperva SecureSphere, Juniper. |
| event.ReportId | The report ID of the CSPM report. |
| event_timestamp | Represents the date when the event started or when the activity was first observed. |
| event_uuid | The event's universally unique identifier (UUID). |
| events.count | The total count of events. |
| events.rate_15m | The per-second event rate in a 15-minute sliding window. |
| events.rate_1m | The per-second event rate in a 1-minute sliding window. |
| events.rate_5m | The per-second event rate in a 5-minute sliding window. |
| external_id | A unique ID assigned to the Armor agent installed on a customer host machine. |
| host.name | The event source's hostname. |
| http.request.body.bytes | The size of the request body sent to the server, in bytes. |
| http.request.method | The HTTP request method (GET, POST, PUT, and so on). |
| http.request.referrer | The referrer of the logged HTTP request. |
| http.response.body.bytes | The size of the server's response body, in bytes. |
| http.response.status_code | The HTTP response status code. |
| http.version | The version of the HTTP protocol used in the request. |
| iis.access.server_name | The name of the server on which the log file entry was generated. |
| iis.access.site_name | The site name and instance number. |
| iis.access.sub_status | The substatus code of the HTTP request. |
| iis.access.win32_status | The Windows status code returned by IIS. |
| index_type | Differentiates the type of Trend Micro data (e.g. AV/FIM/IDS). |
| input.type | The document's input type. |
| keywords | |
| labels.parent_id | Contains the customer's parent Armor account number. |
| log.file.path | The path to the log file. |
| logsource.hostname | The hostname of the log source. |
| logsource.origin | The origin of the log source. |
| logsource.relay_port | The relay port of the log source. |
| logsource.timestamp | The timestamp of the log source. |
| message | Raw text of the entire event. |
| message_size | The size of the message. |
| nginx.access.remote_ip_list | An array of remote IP addresses relevant to the request; can include addresses taken from HTTP headers. |
| original_timestamp | The original timestamp of the message. |
| parentId | The document's parent account identifier. |
| parsed.sshd.event | OpenSSH server process event. |
| parsed.sshd.message | OpenSSH server process message. |
| parsed.sshd.message_code | OpenSSH server process message code. |
| parsed.sudo.command | The command executed using sudo. |
| parsed.sudo.error | The resulting error from the sudo command. |
| parsed.sudo.pwd | The working directory (pwd) in which the sudo command was executed. |
| parsed.sudo.tty | The name of the terminal device file in use when the sudo command was executed. |
| parsed.sudo.username | The username of the sudoer. |
| parsed.trendmicro.action | The action performed by the Anti-Malware engine (Deny Access, Quarantine, Delete, Pass, Clean, Terminate, or Unspecified), or the change detected by an integrity rule (created, updated, deleted, or renamed). |
| parsed.trendmicro.category | Event category. |
| parsed.trendmicro.cn1 | The agent computer's internal unique identifier. |
| parsed.trendmicro.cn1_label | The name label for the field cn1. |
| parsed.trendmicro.cn2 | The size of the quarantined file. Included only when "direct forward" from the agent/appliance is selected. |
| parsed.trendmicro.cn2_label | The name label for the field cn2. |
| parsed.trendmicro.cn3 | Position within the packet of the data that triggered the event. |
| parsed.trendmicro.cn3_label | The name label for the field cn3. |
| parsed.trendmicro.count | The number of times this event was sequentially repeated. |
| parsed.trendmicro.cs1 | (Optional) A note field that can contain a short binary or text note associated with the payload file. If the note is all printable ASCII, it is logged as text with spaces converted to underscores; if it contains binary data, it is logged Base64-encoded. |
| parsed.trendmicro.cs1_label | The name label for the field cs1. |
| parsed.trendmicro.cs2 | (TCP only) The raw TCP flag byte, followed by whichever of the URG, ACK, PSH, RST, SYN and FIN fields were set in the TCP header. |
| parsed.trendmicro.cs2_label | The name label for the field cs2. |
| parsed.trendmicro.cs3 | |
| parsed.trendmicro.cs3_label | The name label for the field cs3. |
| parsed.trendmicro.cs5 | Position within the stream of the data that triggered the event. |
| parsed.trendmicro.cs5_label | The name label for the field cs5. |
| parsed.trendmicro.cs6 | A combined value that is the sum of the set flag values: 1 = Data truncated (data could not be logged); 2 = Log overflow (the log overflowed after this entry); 4 = Suppressed (the log threshold suppressed entries after this one); 8 = Have data (contains packet data); 16 = Reference data (references previously logged data). |
| parsed.trendmicro.cs6_label | The name label for the field cs6. |
| parsed.trendmicro.description | Event description. |
| parsed.trendmicro.ds_frame_type | Connection Ethernet frame type. |
| parsed.trendmicro.ds_tenant | Deep Security tenant name. |
| parsed.trendmicro.ds_tenant_id | Deep Security tenant ID number. |
| parsed.trendmicro.dst_ip | IP address of the destination computer. |
| parsed.trendmicro.dst_mac | Destination MAC address. |
| parsed.trendmicro.dst_port | (TCP and UDP only) Port number of the destination computer's connection or session. |
| parsed.trendmicro.dvchost | The hostname or IPv6 address for cn1. Does not appear if the source is an IPv4 address (the dvc field is used instead). |
| parsed.trendmicro.file_path | The location of the malware file or the integrity rule's target entity. May be a file or directory path, registry key, etc. |
| parsed.trendmicro.in | (Inbound connections only) Number of inbound bytes read. |
| parsed.trendmicro.message | The type of scan: Realtime, Scheduled, or Manual. |
| parsed.trendmicro.name | Event name. |
| parsed.trendmicro.out | (Outbound connections only) Number of outbound bytes read. |
| parsed.trendmicro.proto | Name of the connection's transport protocol. |
| parsed.trendmicro.severity | The severity of the event, from 1 (least severe) to 10 (most severe). |
| parsed.trendmicro.src_ip | IP address of the source computer. |
| parsed.trendmicro.src_mac | MAC address of the source computer's network interface. |
| parsed.trendmicro.src_port | (TCP and UDP only) Source computer connection port. |
| parsed.trendmicro.suser | The Deep Security Manager administrator's account. |
| parsed.trendmicro.target | The subject of the event: either the administrator account logged into Deep Security Manager, or a computer. |
| parsed.trendmicro.trend_micro_ds_file_sha1 | The SHA-1 hash of the file. |
| parsed.trendmicro.trend_micro_ds_malware_target | The file, process, or registry key (if any) that the malware was trying to affect; "Multiple" if it targeted more than one. Populated only by suspicious activity monitoring and unauthorized change monitoring. |
| parsed.trendmicro.trend_micro_ds_malware_target_type | The type of system resource the malware was trying to affect, such as the file system, a process, or the Windows registry. Populated only by suspicious activity monitoring and unauthorized change monitoring. |
| parsed.trendmicro.username | (If a parseable username exists) The name of the target user who initiated the log entry. |
| prospector.type | The type of Filebeat prospector used. |
| proto | Name of the connection's transport protocol. |
| received_timestamp | The timestamp at which Elasticsearch received the document. |
| source | The document's source. |
| source.address | The event source's IP address. |
| src_geo.city_name | Source GeoIP lookup, or user-supplied source geo data: city name. |
| src_geo.continent_code | Source GeoIP lookup, or user-supplied source geo data: continent code. |
| src_geo.country_code2 | Source GeoIP lookup, or user-supplied source geo data: two-letter country code. |
| src_geo.country_code3 | Source GeoIP lookup, or user-supplied source geo data: three-letter country code. |
| src_geo.country_name | Source GeoIP lookup, or user-supplied source geo data: country name. |
| src_geo.dma_code | Source GeoIP lookup, or user-supplied source geo data: DMA code. |
| src_geo.latitude | Source GeoIP lookup, or user-supplied source geo data: latitude. |
| src_geo.longitude | Source GeoIP lookup, or user-supplied source geo data: longitude. |
| src_geo.postal_code | Source's postal code. |
| src_geo.region_code | Source's region code. |
| src_geo.region_name | Source's region name. |
| src_geo.timezone | Source GeoIP lookup, or user-supplied source geo data: timezone. |
| src_ip | Source's IP address. |
| src_port | Source's port. |
| syslog_facility | Syslog facility name. |
| syslog_facility_code | Syslog facility code. |
| syslog_pid | Syslog process identifier (PID). |
| syslog_program | Syslog program name. |
| syslog_severity | Syslog severity level. |
| syslog_severity_code | Syslog severity level code. |
| syslog_timestamp | Syslog timestamp. |
| syslog5424_pri | The PRI part extracted from an RFC 5424 syslog message (facility * 8 + severity). |
| tenant_id | The document's tenant ID. |
| trendmicro.dsm.syslog_hostname | The syslog hostname used to forward logs to the Trend Micro DSM. |
| trendmicro.dsm.syslog_message | The syslog message sent to the Trend Micro DSM. |
| type | The document's type. |
| url.original | The unmodified original URL as recorded in the event source. |
| url.path | The path of the request. |
| url.query | The request's query string. |
| user.name | The user making the request, if the request is authenticated. |
| user_agent.device.name | The device name recorded in the user agent string. |
| user_agent.name | The name of the client's user agent. |
| user_agent.original | The unparsed user agent string of the request. |
| user_agent.os.name | The operating system from which the client sent the request. |
| username | The document's username. |
| vulnerability.cve | Contains the URL related to a vulnerability, where the customer can read more. |
| vulnerability.published | Contains the year in which the vulnerability was first announced. |
| vulnerability.solution | Contains the solution for a given vulnerability. |
| vulnerability.vulnerability_type | Contains information about the type of vulnerability. |
| wineventlog.activity_id | The globally unique identifier (GUID) of the activity in process with which the event is involved. |
| wineventlog.computer_name | The name of the computer on which this event was logged. |
| wineventlog.event_data.target_user_name | The TargetUserName of the logged Windows user event. |
| wineventlog.event_id | The identifier for this event. |
| wineventlog.level | The level of the event, which signifies its severity. |
| wineventlog.log_name | The name of the event log in which this event is logged. |
| wineventlog.opcode | The opcode of the event: a numeric value identifying the activity, or a point within an activity, that the application was performing when it raised the event. |
| wineventlog.process_id | The process identifier of the event provider that logged this event. |
| wineventlog.provider_guid | The globally unique identifier (GUID) of the event provider that published this event. |
| wineventlog.record_number | The event record identifier of the event in the log. |
| wineventlog.source_name | The source of the event in the log. |
| wineventlog.task | The display name of the task for the event. |
| wineventlog.thread_id | The identifier of the thread in which the event provider is running. |
| wineventlog.user.domain | The domain of the user whose context was used to publish the event. |
| wineventlog.user.identifier | The security identifier (SID) of the user whose context was used to publish the event. |
| wineventlog.user.name | The name of the user whose context was used to publish the event. |
| wineventlog.user.type | The type of user whose context was used to publish the event. |
| wineventlog.version | The version number for the event. |
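The following Python example is added here and is not Armor's code or part of the original page. It uses the glossary field names above to run three simple detections over constructed sample documents, emulates the time range and "+Add filter" selection from the export procedure earlier on this page, and renders the selection as CSV in the same one-column-per-field shape a Data Table export produces. The sample documents, hosts, users, IPs and file paths are invented; the list of shell paths is an assumption for the illustration, and 4625/4624 are the standard Windows logon-failure and successful-logon event IDs.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone
from typing import Any

# Constructed sample Log Search documents (not real Armor data). Keys use the
# dotted field names from the glossary; the third document is nested instead
# of flattened to show that both shapes resolve. Hosts, users, IPs and paths
# are invented for this example.
SAMPLE_DOCS = [
    {"@timestamp": "2024-03-01T02:14:07Z", "data_type": "syslog", "host.name": "web-01",
     "parsed.sudo.username": "deploy", "parsed.sudo.command": "/usr/bin/apt-get update",
     "parsed.sudo.pwd": "/home/deploy", "parsed.sudo.tty": "pts/0"},
    {"@timestamp": "2024-03-01T03:41:55Z", "data_type": "syslog", "host.name": "db-02",
     "parsed.sudo.username": "svc-backup", "parsed.sudo.command": "/bin/bash",
     "parsed.sudo.pwd": "/tmp", "parsed.sudo.tty": "pts/3"},
    {"@timestamp": "2024-03-01T04:02:10Z", "data_type": "trendmicro", "host.name": "web-01",
     "parsed": {"trendmicro": {"action": "Quarantine", "severity": 8,
                               "file_path": "C:\\Temp\\payload.exe"}}},
    {"@timestamp": "2024-03-01T09:15:00Z", "data_type": "wineventlog", "host.name": "dc-01",
     "wineventlog.event_id": 4625, "wineventlog.event_data.target_user_name": "administrator",
     "src_ip": "198.51.100.23"},
    {"@timestamp": "2024-03-01T09:15:04Z", "data_type": "wineventlog", "host.name": "dc-01",
     "wineventlog.event_id": 4625, "wineventlog.event_data.target_user_name": "administrator",
     "src_ip": "198.51.100.23"},
    {"@timestamp": "2024-03-02T11:00:00Z", "data_type": "wineventlog", "host.name": "dc-01",
     "wineventlog.event_id": 4624, "wineventlog.event_data.target_user_name": "jdoe",
     "src_ip": "10.0.0.8"},
]

# Interpreter paths treated as an interactive shell by the sudo detection (assumed list).
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/zsh"}


def get_field(doc: dict, name: str) -> Any:
    """Resolve a dotted field name against a flattened document (key
    "parsed.sudo.command") or a nested one ({"parsed": {"sudo": {...}}})."""
    if name in doc:
        return doc[name]
    cur: Any = doc
    for part in name.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_ts(value: str) -> datetime:
    """@timestamp is ISO 8601 in UTC; accept the trailing 'Z' form."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def select(docs, start: str, end: str, filters=None) -> list:
    """Emulate the Discover / Data Table query: a half-open time range on
    @timestamp plus exact-match '+Add filter' conditions on other fields."""
    lo, hi = parse_ts(start), parse_ts(end)
    filters = filters or {}
    return [d for d in docs
            if lo <= parse_ts(get_field(d, "@timestamp")) < hi
            and all(get_field(d, f) == v for f, v in filters.items())]


def sudo_shell_escalations(docs) -> list:
    """sudo invocations that spawn an interactive shell, as (host, user, command)."""
    hits = []
    for d in docs:
        cmd = get_field(d, "parsed.sudo.command")
        parts = cmd.split() if isinstance(cmd, str) else []
        if parts and parts[0] in SHELLS:
            hits.append((get_field(d, "host.name"), get_field(d, "parsed.sudo.username"), cmd))
    return hits


def failed_logons_by_target(docs) -> Counter:
    """Count Windows event 4625 (logon failure) per (target user, source IP)."""
    c = Counter()
    for d in docs:
        if get_field(d, "wineventlog.event_id") == 4625:
            c[(get_field(d, "wineventlog.event_data.target_user_name"), get_field(d, "src_ip"))] += 1
    return c


def high_severity_malware(docs, threshold: int = 7) -> list:
    """Trend Micro events at or above the given severity (1 = least, 10 = most)."""
    return [d for d in docs if (get_field(d, "parsed.trendmicro.severity") or 0) >= threshold]


def export_csv(docs, columns) -> str:
    """Render documents as CSV with one column per field, the shape a Data
    Table export produces; fields missing from a document become empty cells."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(columns)
    for d in docs:
        w.writerow(["" if get_field(d, c) is None else get_field(d, c) for c in columns])
    return buf.getvalue()


if __name__ == "__main__":
    day = select(SAMPLE_DOCS, "2024-03-01T00:00:00Z", "2024-03-02T00:00:00Z")
    print(sudo_shell_escalations(day))
    print(failed_logons_by_target(day))
    print(export_csv(high_severity_malware(day),
                     ["@timestamp", "host.name", "parsed.trendmicro.action",
                      "parsed.trendmicro.severity", "parsed.trendmicro.file_path"]))
```

The resolver in get_field matters in practice: a CSV exported from a Data Table carries flattened dotted column names, while documents viewed in Discover are nested, so detection logic written against the glossary names should accept both.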



