Reports
Reports are an essential pillar of your data security strategy for several reasons:
- Compliance: Reports demonstrate compliance with security regulations and standards.
- Trend analysis: Reports help to analyze trends in malware detections and to identify patterns in infected files. This can help organizations to better understand the type of malware they are dealing with and to develop more effective defense strategies.
- Evidence gathering: In the event of a security breach, reports can provide valuable evidence to help identify the breach’s source and support investigations.
- Auditing: Reports can be used to perform regular security audits, allowing organizations to identify vulnerabilities and take corrective action.
bucketAV reports are delivered via email and contain the following information:
- Statistics about scanned files: Number of files scanned, % of clean files, % of infected files, and % of unscannable files.
- Top 10 threats.
- CSV reports include all files or only infected and unscannable files.
- Operational alarms to signal if bucketAV needs your attention.
Example report
The following shows an example report:
Reporting period: 2023-01-30 - 2023-02-05
AWS Region: eu-west-1
AWS Account ID: ***151466***
bucketAV Stack Name: bucketav
Add-On Stack Name: bucketav-reporting
==================================================
Overview
==================================================
358 scanned
49.16% clean
48.88% infected
1.96% unscannable
==================================================
Top 10 infections
==================================================
56x Win.Test.EICAR_HDB-1
35x Doc.Malware.Prince-6784184-0
7x Doc.Dropper.Agent-6460256-0
7x Doc.Dropper.Agent-6496090-0
7x Xls.Dropper.Agent-7505951-0
7x Doc.Dropper.Agent-6361752-0
7x Doc.Dropper.Agent-6507997-0
7x Doc.Dropper.Agent-6997781-0
7x Doc.Dropper.Agent-6488415-0
7x Doc.Dropper.Agent-6609394-0
==================================================
Top 10 buckets
==================================================
bucketav-demo
307 scanned
49.19% clean
48.86% infected
1.95% unscannable
bucketav-demo2
51 scanned
49.02% clean
49.02% infected
1.96% unscannable
==================================================
CSV reports
==================================================
The following CSV reports are available for 27 days:
Infected & unscannable files: <Link to Amazon S3>
All files: <Link to Amazon S3>
CSV example
The following columns are available:
- timestamp: ISO 8601 format
- bucket: Name of S3 bucket
- key: Object key
- version: Object version or null for unversioned buckets
- status: clean, infected, no
- action: delete, tag, no
- finding: The type of malware detected or Unknown
The following shows an example data set:
"timestamp","bucket","key","version","status","action","finding"
"2023-01-30T20:19:00.051Z","bucketav-demo","clean.xlxs","null","clean","tag","Unknown"
"2023-01-30T20:19:23.674Z","bucketav-demo","infected.pdf","null","infected","delete","Win.Test.EICAR_HDB-1"
"2023-01-31T20:20:10.074Z","bucketav-demo","encrypted.pdf","null","no","tag","Heuristics.Encrypted.PDF"
Setup
Requires bucketAV version >= 1.7.0. To update to the latest version, follow the Update Guide.
The ReportCleanFiles configuration parameter must be set to
true
.
- Set the Stack name to
bucketav-reporting
. - Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is
bucketav
). - Set the ReportReceiver1 parameter to your email address.
- By default, the ReportingFrequency is set to
weekly
. Change that if needed. - Select I acknowledge that AWS CloudFormation might create IAM resources.
- Click on the Create stack button to save.
- You will receive an email (subject: AWS Notification - Subscription Confirmation) with a confirmation link that you have to visit.
Terraform
resource "aws_cloudformation_stack" "bucketav_add_on_reporting" {
name = "bucketav-reporting"
template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.7.0/bucketav-add-on-reporting.yaml"
capabilities = ["CAPABILITY_IAM"]
parameters = {
BucketAVStackName = "bucketav" # if you followed the docs, the name is `bucketav`
ReportReceiver1= "name@domain.todo" # TODO replace email address
}
}
Update
- To update this add-on to version v2.7.0, go to the AWS CloudFormation Management Console.
- Double-check the region at the top right.
- Search for
bucketav-reporting
, otherwise search for the name you specified. - Select the stack and click on Update.
- Select Replace current template and set the Amazon S3 URL to
https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.7.0/bucketav-add-on-reporting.yaml
Copy - Click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Update stack.
- While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and …
- … wait until the CloudFormation stack status switches to UPDATE_COMPLETE.
Architecture
The following AWS services are used:
- SNS Subscription to connect to the Findings Topic.
- Kinesis Firehose Delivery Stream to store the messages from SNS on S3.
- Athena to generate CSV files.
- S3 Bucket to store the data and reports.
- StepFunction State Machine to orchestrate report generation.
- Lambda Function to send out the report email.
- EventBridge Cron Rule to trigger the report daily/weekly/monthly.
- SNS Topic & Subscription to send out report emails.
- CloudWatch Alarms to monitor the used AWS services.