Please could you suggest an efficient approach to using Elastic EDR for ad-hoc file antivirus/malware scanning. We would like to integrate our existing Elastic Security platform with a Document Management System (DMS) which supports the ICAP protocol for file scanning. The DMS issues a special request called REQMOD with the file to be scanned, and the antivirus should respond ok/nok. I was hoping to have a dedicated Elastic Agent running inside a container where the file to scan would be uploaded, and then use the “Scan a file” Kibana API endpoint (Scan a file or directory | Kibana API documentation), but it is unclear how the scanning result is made available.
It’s cool to hear how you’re automating Defend. Malware found as a result of a scan appears as normal alerts in the system. Endpoint/Defend writes them to logs-endpoint.alerts-* and then the Detection Engine’s Elastic Defend rule “promotes” them to SIEM alerts if there aren’t any rule exceptions that suppress the raw alert (rule exceptions run in Kibana, unlike Endpoint exceptions, which run on the host).
Because the alert will be generated before the scan response action completes, if the scan action is completed any generated alerts should already be in logs-endpoint.alerts-*. Those alerts “promoting” to SIEM alerts will take longer, since the Detection Engine runs that logic on an interval (1 minute by default). So if you’re automating things and won’t be using rule exceptions (uncommon in this case), then I’d recommend querying logs-endpoint.alerts-* directly to see if any malware was detected. Scan results will contain event.action : demand in case you want to distinguish them from other malware alerts on the same file.
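The workflow the reply describes (issue the scan response action, wait for it to complete, then read the raw Defend alerts rather than waiting for the Detection Engine to promote them) as an added Python example; this is not Elastic's code or the DMS vendor's. It assumes the Kibana scan action is `POST /api/endpoint/action/scan` with `endpoint_ids` and `parameters.path`, polled via `GET /api/endpoint/action/{id}` until `data.isCompleted` is true, and that raw alerts carry `file.path`; the `event.action : demand` value comes from the reply. HTTP access is behind a small client interface so the verdict logic runs offline against a constructed alert document.

```python
"""Glue between an ICAP REQMOD handler and Elastic Defend on-demand scanning.

Added example, not Elastic's own code. Assumptions (not taken from the thread):
  * the Kibana scan response action is POST /api/endpoint/action/scan with
    {"endpoint_ids": [...], "parameters": {"path": ...}} and can be polled at
    GET /api/endpoint/action/{id} until data.isCompleted is true;
  * raw alerts in logs-endpoint.alerts-* carry file.path and, for on-demand
    scans, event.action equal to "demand" (the value stated in the reply).
"""
import time
from typing import Any, Dict, List

ALERT_INDEX = "logs-endpoint.alerts-*"
SCAN_ACTION_VALUE = "demand"  # from the reply; marks on-demand scan alerts


def build_scan_request(endpoint_id: str, path: str) -> Dict[str, Any]:
    """Body for the (assumed) Kibana scan response action."""
    return {"endpoint_ids": [endpoint_id], "parameters": {"path": path}}


def build_alert_query(path: str, since_epoch_ms: int) -> Dict[str, Any]:
    """Elasticsearch query for raw Defend alerts on this file from this scan.

    Reading the raw index avoids waiting for the Detection Engine's promotion
    interval (1 minute by default); the timestamp bound keeps earlier alerts
    on the same path from leaking into this verdict.
    """
    return {
        "size": 10,
        "query": {
            "bool": {
                "filter": [
                    {"term": {"event.action": SCAN_ACTION_VALUE}},
                    {"term": {"file.path": path}},
                    {"range": {"@timestamp": {"gte": since_epoch_ms}}},
                ]
            }
        },
    }


def verdict_from_hits(hits: List[Dict[str, Any]]) -> str:
    """ICAP-style verdict: any malware alert on the file means 'nok'."""
    return "nok" if hits else "ok"


def scan_file(client, endpoint_id: str, path: str,
              timeout_s: float = 60.0, poll_s: float = 2.0) -> str:
    """Issue the scan, wait for the action to finish, then read the raw alerts.

    `client` must provide post(url, json) -> dict, get(url) -> dict and
    search(index, body) -> dict (an Elasticsearch search response).
    """
    started_ms = int(time.time() * 1000)
    resp = client.post("/api/endpoint/action/scan",
                       json=build_scan_request(endpoint_id, path))
    action_id = resp["data"]["id"]

    deadline = time.monotonic() + timeout_s
    while not client.get(f"/api/endpoint/action/{action_id}")["data"].get("isCompleted"):
        if time.monotonic() > deadline:
            return "nok"  # no completed scan means no verdict: fail closed
        time.sleep(poll_s)

    # Alerts are written before the action completes, so one query suffices.
    result = client.search(ALERT_INDEX, build_alert_query(path, started_ms))
    return verdict_from_hits(result["hits"]["hits"])


class FakeClient:
    """Offline stand-in returning constructed responses (not real data)."""

    def __init__(self, alert_hits: List[Dict[str, Any]]):
        self.alert_hits = alert_hits
        self.last_query = None

    def post(self, url: str, json: Dict[str, Any]) -> Dict[str, Any]:
        return {"data": {"id": "constructed-action-id", "isCompleted": False}}

    def get(self, url: str) -> Dict[str, Any]:
        return {"data": {"id": "constructed-action-id", "isCompleted": True}}

    def search(self, index: str, body: Dict[str, Any]) -> Dict[str, Any]:
        self.last_query = body
        return {"hits": {"hits": self.alert_hits}}


# Constructed alert document shaped like a raw on-demand scan alert.
CONSTRUCTED_HIT = {"_source": {"event": {"kind": "alert", "action": "demand"},
                               "file": {"path": "/scan/upload-1.docx"}}}

if __name__ == "__main__":
    print(scan_file(FakeClient([CONSTRUCTED_HIT]), "agent-1", "/scan/upload-1.docx", poll_s=0))
    print(scan_file(FakeClient([]), "agent-1", "/scan/clean.pdf", poll_s=0))
```

In the real integration the client wraps authenticated requests to Kibana and Elasticsearch; the timeout path returns `nok` deliberately, so a scan that never completes is treated like a detection rather than silently passing the file through.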