Arcadia is truly concerned about trojans. One of their points of defense is a McAfee antivirus ecosystem that logs its data into the av.mcafee.epo.threat data table.
As usual, spend some time to get to know this source.
Trojans come in many sizes and shapes, so our objective is to check and plot different trojan activity.
- Open the av.mcafee.epo.threat data table.
- Go to the threatType field and get rid of everything but trojans. We want to focus just on trojans.
- Hover over the threatName field. You should see a relatively small number of distinct values. That is, we have plenty of trojan activity but only a handful of distinct types of trojans.
- Now, what type of widget could be appropriate for plotting this kind of information? Donut and pie chart widgets excel at representing proportions over a finite set of possible values.
- But we are not ready to work with activeboards yet. It’s best practice to include aggregations in the query for widgets, and we have barely started the filtering phase.
- Instead of getting the total trojan activity, we want to exclude the three biggest hosts, as those are maintained by another team. They are “ts-server01”, “ts-server02” and “ts-server03” and are logged in the analyzerHostname field. Add one not-equal (/=) condition per host and join the three with AND, so that a row is kept only when its host differs from all three. Do not join them with OR: any host differs from at least two of the three names, so an OR of the three inequalities is true for every row and excludes nothing.
- We are ready for the grouping. Group by threatName every hour.
- Lastly, perform a
The query for all that could look like this:
where threatType = "trojan",
analyzerHostname /= "ts-server01" and analyzerHostname /= "ts-server02" and analyzerHostname /= "ts-server03"
group every 1h by threatName
select count() as count
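The following is an added example, not part of the original exercise and not Devo's own query engine: it reproduces the query above over a small, constructed set of av.mcafee.epo.threat-style rows using Python's sqlite3 as a stand-in, so the difference between joining the three host conditions with OR and with AND can be checked directly. Field and host names follow the exercise; the rows, timestamps and function names are assumptions made for the example.

```python
"""
Added example (not part of the original exercise or of Devo): runs the trojan
query against constructed av.mcafee.epo.threat-style rows in an in-memory
SQLite table, so the OR-versus-AND host filter mistake can be observed.
"""
import sqlite3
from datetime import datetime, timedelta

# Constructed sample rows: (eventdate, threatType, threatName, analyzerHostname).
# BASE is an assumed timestamp; any value works.
BASE = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_ROWS = [
    (BASE + timedelta(minutes=5),  "trojan", "Trojan.Agent",      "ts-server01"),
    (BASE + timedelta(minutes=7),  "trojan", "Trojan.Agent",      "ts-server02"),
    (BASE + timedelta(minutes=9),  "trojan", "Trojan.Downloader", "ts-server03"),
    (BASE + timedelta(minutes=12), "trojan", "Trojan.Agent",      "ws-finance-07"),
    (BASE + timedelta(minutes=20), "trojan", "Trojan.Downloader", "ws-hr-02"),
    (BASE + timedelta(minutes=70), "trojan", "Trojan.Agent",      "ws-finance-07"),
    (BASE + timedelta(minutes=75), "virus",  "W32/Sality",        "ws-hr-02"),  # not a trojan
    (BASE + timedelta(minutes=80), "trojan", "Trojan.Dropper",    "ts-server01"),
]

# Hosts maintained by the other team, as named in the exercise.
EXCLUDED_HOSTS = ("ts-server01", "ts-server02", "ts-server03")


def load_sample(rows=SAMPLE_ROWS):
    """Create an in-memory table mirroring the fields the exercise uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE threat (eventdate TEXT, threatType TEXT, "
        "threatName TEXT, analyzerHostname TEXT)"
    )
    conn.executemany(
        "INSERT INTO threat VALUES (?, ?, ?, ?)",
        [(d.isoformat(), t, n, h) for d, t, n, h in rows],
    )
    return conn


def trojan_counts_per_hour(conn, host_join="and"):
    """
    SQL equivalent of the exercise's query: keep trojans, drop the three
    hosts, bucket by hour, count per threatName. host_join chooses how the
    three "host is not X" conditions are combined: "and" is the correct
    form; "or" is the mistake (an OR of three inequalities holds for every
    host, so nothing is excluded). Host names are bound as parameters.
    """
    if host_join not in ("and", "or"):
        raise ValueError("host_join must be 'and' or 'or'")
    host_filter = f" {host_join} ".join(
        "analyzerHostname <> ?" for _ in EXCLUDED_HOSTS
    )
    sql = f"""
        SELECT strftime('%Y-%m-%dT%H:00', eventdate) AS hour,
               threatName,
               COUNT(*) AS count
        FROM threat
        WHERE threatType = 'trojan'
          AND ({host_filter})
        GROUP BY hour, threatName
        ORDER BY hour, threatName
    """
    return conn.execute(sql, EXCLUDED_HOSTS).fetchall()


def trojan_slice_totals(conn, host_join="and"):
    """Per-threatName totals, i.e. the proportions a donut/pie widget plots."""
    totals = {}
    for _hour, name, count in trojan_counts_per_hour(conn, host_join):
        totals[name] = totals.get(name, 0) + count
    return totals


if __name__ == "__main__":
    conn = load_sample()
    print("OR  (wrong, excludes nothing):", trojan_slice_totals(conn, "or"))
    print("AND (right):                  ", trojan_slice_totals(conn, "and"))
    for hour, name, count in trojan_counts_per_hour(conn, "and"):
        print(hour, name, count)
```

With the OR form every trojan row survives, including the ones from the three excluded hosts; with the AND form only the workstation rows remain, which is what the donut widget should plot. The same reasoning applies in Devo's query language: each /= condition excludes one host, and only AND requires all of them to hold at once.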
We are ready for the activeboard phase.
- Add a donut/pie chart widget to your activeboard.
- Set the time range to include the last week.
- Enter the query and save the changes.
Let’s do an extra step. Even though we reduced the number of distinct values so that the chart would be easy to read, it may still be cluttered enough that we would have to go full screen or resize it.
Instead of that, open the properties of the widget, click on the visual tab, and locate the Limit slices setting. Set it to 10.
I just started this exercise, and something caught my attention, not directly related to the exercise but I’d like to understand the fundamentals.
As I open the av.mcafee.epo.threat data table, the graphic that shows the incoming data appears like this:
If I zoom it a bit:
What does it mean? To me, it looks as if every 1/3 of a second there’s exactly one event (no more, no less, and always at this regular rate), but I don’t know if I’m interpreting it right, or why this is happening.
Hi again Alex,
Applying an OR filter to filter out the analyzerHostname values “ts-server01”, “ts-server02” and “ts-server03” doesn’t work:
I managed to filter them out with an AND filter: