The Malware section is designed for monitoring events related to malware, particularly its detection and the elimination of infection threats.
- Number of infected hosts / detected infections / blocked infections
- Malware statistics by type
- Dynamics of detected / blocked infections
- Top detected / blocked malware
- Top hosts by detected / blocked malware
- Infection event statistics with details by hosts
- Infection event statistics with details by malware
- Malware: Overview
- Malware: Infected Host Profile
- Malware: Malware Type Profile
The section uses the data source fields described below. Alias used: sm_cs_malware_indexes.
Field Name | Value |
---|---|
event.kind | alert |
event.category | malware |
event.action | From the source event. |

Field Name | Value |
---|---|
host.ip | IP address of the host where malware was detected. |
host.name | Name of the host where malware was detected. |

Field Name | Value |
---|---|
user.name | Username. |
user.domain | User domain. |

Field Name | Value |
---|---|
file.name | Name of the file with malware. |
file.path | Full path to the file with malware. |
file.hash | Hash of the file with malware. |

Field Name | Value |
---|---|
event.original | Original event text. |

Field Name | Value |
---|---|
message | Event description. |
malware_description | Threat description. |
Below is a table of the dictionaries used by the section.

Name | Fields | Description |
---|---|---|
sm_cs_malware_type | malware_description, malware_type | Dictionary of threat types. |
sm_cs_malware_action | event.action, malware_action (detected \| blocked) | Dictionary of actions with threats. |
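Added example, not part of this documentation: a small Python model of how the section derives its headline widgets (infected hosts, detected/blocked counts, statistics by type, top malware, top hosts) from normalized events using the fields and dictionaries listed above. The sample events and the dictionary rows are constructed, since the page lists no dictionary entries.

```python
from collections import Counter

# Constructed sample events (not from the page), already normalized to the
# fields this section reads from the sm_cs_malware_indexes alias.
EVENTS = [
    {"event.kind": "alert", "event.category": "malware", "event.action": "quarantine",
     "host.name": "ws-01", "file.name": "invoice.exe", "malware_description": "Trojan.Generic"},
    {"event.kind": "alert", "event.category": "malware", "event.action": "detect",
     "host.name": "ws-02", "file.name": "tool.exe", "malware_description": "Trojan.Generic"},
    {"event.kind": "alert", "event.category": "malware", "event.action": "delete",
     "host.name": "ws-01", "file.name": "eicar.com", "malware_description": "EICAR-Test-File"},
    {"event.kind": "alert", "event.category": "malware", "event.action": "scan_error",
     "host.name": "ws-03", "file.name": "x.bin", "malware_description": "Adware.Foo"},
    # Not a malware alert: must be excluded by the event.kind/event.category filter.
    {"event.kind": "event", "event.category": "file", "event.action": "detect",
     "host.name": "ws-09", "file.name": "notes.txt", "malware_description": ""},
]

# Assumed dictionary rows: the page names both dictionaries but lists no entries.
SM_CS_MALWARE_ACTION = {"quarantine": "blocked", "delete": "blocked", "detect": "detected"}
SM_CS_MALWARE_TYPE = {"Trojan.Generic": "Trojan", "EICAR-Test-File": "Test", "Adware.Foo": "Adware"}

def enrich(event):
    """Apply both dictionaries. A value missing from a dictionary is marked
    'unmapped' rather than dropped, so dictionary gaps stay visible."""
    row = dict(event)
    row["malware_action"] = SM_CS_MALWARE_ACTION.get(row["event.action"], "unmapped")
    row["malware_type"] = SM_CS_MALWARE_TYPE.get(row["malware_description"], "unmapped")
    return row

def section_stats(events):
    """Compute the section's headline widgets from alert/malware events only."""
    rows = [enrich(e) for e in events
            if e.get("event.kind") == "alert" and e.get("event.category") == "malware"]
    actions = Counter(r["malware_action"] for r in rows)
    return {
        "infected_hosts": len({r["host.name"] for r in rows}),
        "detected": actions["detected"],
        "blocked": actions["blocked"],
        # Events whose event.action is absent from sm_cs_malware_action reach neither
        # the detected nor the blocked widget; count them instead of losing them.
        "unmapped_actions": actions["unmapped"],
        "by_type": dict(Counter(r["malware_type"] for r in rows)),
        "top_malware": Counter(r["malware_description"] for r in rows).most_common(2),
        "top_hosts": Counter(r["host.name"] for r in rows).most_common(2),
    }
```

A non-zero unmapped_actions value is the check worth alerting on: it means the source sends an action string the dictionary does not cover, and those infections silently fall out of both the detected and blocked counts.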