Reports
Reports are an essential pillar of your data security strategy for several reasons:
- Compliance: Reports demonstrate compliance with security regulations and standards.
- Trend analysis: Reports help to analyze trends in malware detections and to identify patterns in infected files. This can help organizations to better understand the type of malware they are dealing with and to develop more effective defense strategies.
- Evidence gathering: In the event of a security breach, reports can provide valuable evidence to help identify the breach’s source and support investigations.
- Auditing: Reports can be used to perform regular security audits, allowing organizations to identify vulnerabilities and take corrective action.
bucketAV reports are delivered via email and contain the following information:
- Statistics about scanned files: Number of files scanned, % of clean files, % of infected files, and % of unscannable files.
- Top 10 threats.
- CSV reports include all files or only infected and unscannable files.
- Operational alarms to signal if bucketAV needs your attention.
Example report
The following shows an example report:
Reporting period: 2023-01-30 - 2023-02-05
AWS Region: eu-west-1
AWS Account ID: ***151466***
bucketAV Stack Name: bucketav
Add-On Stack Name: bucketav-reporting
==================================================
Overview
==================================================
358 scanned
49.16% clean
48.88% infected
1.96% unscannable
==================================================
Top 10 infections
==================================================
56x Win.Test.EICAR_HDB-1
35x Doc.Malware.Prince-6784184-0
7x Doc.Dropper.Agent-6460256-0
7x Doc.Dropper.Agent-6496090-0
7x Xls.Dropper.Agent-7505951-0
7x Doc.Dropper.Agent-6361752-0
7x Doc.Dropper.Agent-6507997-0
7x Doc.Dropper.Agent-6997781-0
7x Doc.Dropper.Agent-6488415-0
7x Doc.Dropper.Agent-6609394-0
==================================================
Top 10 buckets
==================================================
bucketav-demo
307 scanned
49.19% clean
48.86% infected
1.95% unscannable
bucketav-demo2
51 scanned
49.02% clean
49.02% infected
1.96% unscannable
==================================================
CSV reports
==================================================
The following CSV reports are available for 27 days:
Infected & unscannable files: <Link to Amazon S3>
All files: <Link to Amazon S3>
CSV example
The following columns are available:
- timestamp: ISO 8601 format
- bucket: Name of bucket
- key: Object key
- version: Object version or null for unversioned buckets
- status: clean, infected, no
- action: delete, tag, no
- finding: The type of malware detected or Unknown
The following shows an example data set:
"timestamp","bucket","key","version","status","action","finding"
"2023-01-30T20:19:00.051Z","bucketav-demo","clean.xlxs","null","clean","tag","Unknown"
"2023-01-30T20:19:23.674Z","bucketav-demo","infected.pdf","null","infected","delete","Win.Test.EICAR_HDB-1"
"2023-01-31T20:20:10.074Z","bucketav-demo","encrypted.pdf","null","no","tag","Heuristics.Encrypted.PDF"
Setup
Requires bucketAV for Amazon S3 powered by ClamAV® version >= 1.7.0, or bucketAV for Amazon S3 powered by Sophos® version >= 2.0.0.
To update to the latest version, follow the Update Guide.
The ReportCleanFiles configuration parameter must be set to
true
.
Install Add-On (requires a running bucketAV installation)
- Set the Stack name to
bucketav-reporting
. - Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is
bucketav
). - Set the ReportReceiver1 parameter to your email address.
- By default, the ReportingFrequency is set to
weekly
. Change that if needed. - Select I acknowledge that AWS CloudFormation might create IAM resources.
- Click on the Create stack button to save.
- You will receive an email (subject: AWS Notification - Subscription Confirmation) with a confirmation link that you have to visit.
Install Add-On (requires a running bucketAV installation)
- Set the Stack name to
bucketav-reporting
. - Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is
bucketav
). - Set the ReportReceiver1 parameter to your email address.
- By default, the ReportingFrequency is set to
weekly
. Change that if needed. - Select I acknowledge that AWS CloudFormation might create IAM resources.
- Click on the Create stack button to save.
- You will receive an email (subject: AWS Notification - Subscription Confirmation) with a confirmation link that you have to visit.
CloudFormation snippet
# [...]
Resources:
# [...]
Reporting:
Type: 'AWS::CloudFormation::Stack'
Properties:
Parameters:
BucketAVStackName: 'bucketav' # if you followed the docs, the name is bucketav
ReportReceiver1: 'name@domain.todo' # TODO replace email address
TemplateURL: 'https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.15.0/bucketav-add-on-reporting.yaml'
# [...]
Resources:
# [...]
Reporting:
Type: 'AWS::CloudFormation::Stack'
Properties:
Parameters:
BucketAVStackName: 'bucketav' # if you followed the docs, the name is bucketav
ReportReceiver1: 'name@domain.todo' # TODO replace email address
TemplateURL: 'https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/cloudflare/v2.15.0/bucketav-add-on-reporting-cloudflare.yaml'
Terraform snippet
resource "aws_cloudformation_stack" "bucketav_add_on_reporting" {
name = "bucketav-reporting"
template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.15.0/bucketav-add-on-reporting.yaml"
capabilities = ["CAPABILITY_IAM"]
parameters = {
BucketAVStackName = "bucketav" # if you followed the docs, the name is bucketav
ReportReceiver1 = "name@domain.todo" # TODO replace email address
}
}
resource "aws_cloudformation_stack" "bucketav_add_on_reporting" {
name = "bucketav-reporting"
template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/cloudflare/v2.15.0/bucketav-add-on-reporting-cloudflare.yaml"
capabilities = ["CAPABILITY_IAM"]
parameters = {
BucketAVStackName = "bucketav" # if you followed the docs, the name is bucketav
ReportReceiver1 = "name@domain.todo" # TODO replace email address
}
}
Update
- To update this Add-On to version v2.15.0, go to the AWS CloudFormation Management Console.
- Double-check the region at the top right.
- Search for
bucketav-reporting
, otherwise search for the name you specified. - Select the stack and click on Update.
- Select Replace current template and set the Amazon S3 URL to
https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.15.0/bucketav-add-on-reporting.yaml
Copy - Click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Update stack.
- While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and …
- … wait until the CloudFormation stack status switches to UPDATE_COMPLETE.
- To update this Add-On to version v2.15.0, go to the AWS CloudFormation Management Console.
- Double-check the region at the top right.
- Search for
bucketav-reporting
, otherwise search for the name you specified. - Select the stack and click on Update.
- Select Replace current template and set the Amazon S3 URL to
https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/cloudflare/v2.15.0/bucketav-add-on-reporting-cloudflare.yaml
Copy - Click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Update stack.
- While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and …
- … wait until the CloudFormation stack status switches to UPDATE_COMPLETE.
Architecture
The following AWS services are used:
- SNS Subscription to connect to the Findings Topic.
- Kinesis Firehose Delivery Stream to store the messages from SNS on S3.
- Athena to generate CSV files.
- S3 Bucket to store the data and reports.
- StepFunction State Machine to orchestrate report generation.
- Lambda Function to send out the report email.
- EventBridge Cron Rule to trigger the report daily/weekly/monthly.
- SNS Topic & Subscription to send out report emails.
- CloudWatch Alarms to monitor the used AWS services.
- CloudWatch Logs to store logs.
On-demand report
Requires version >= 2.9.0 of this Add-On. To update to the latest version, follow the update instructions.
If you need a report now, follow these steps:
- Follow the setup instructions.
- Visit the AWS Step Functions Management Console.
- Ensure that you are in the correct region.
- Navigate to State machines.
- Click on the reporting state machine (if you followed the docs, the name is
bucketav-reporting
). - Click the Start execution button.
- Keep the defaults and click the Start execution button.
- Wait for the Execution Status to switch to
Succeeded
(this can take a few minutes).
Release Notes
Subscribe to our Atom feed or newsletter to stay up-to-date! We also publish a machine-readable JSON file.
v2.15.0
Changes:
- Reserved Concurrent Execution for Lambda functions
Release date:2024-11-19
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.15.0/bucketav-add-on-reporting.yaml
v2.14.1
Changes:
- Bug fixes
Release date:2024-09-27
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.14.1/bucketav-add-on-reporting.yaml
v2.14.0
Changes:
- Add parameters to configure report hour of day and day of week
Release date:2024-08-11
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.14.0/bucketav-add-on-reporting.yaml
v2.13.0
Changes:
- Enable SSE on Amazon Data Firehose stream
Release date:2024-07-17
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.13.0/bucketav-add-on-reporting.yaml
v2.12.1
Changes:
- Bug fixes
Release date:2024-07-09
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.12.1/bucketav-add-on-reporting.yaml
v2.12.0
Changes:
- Update Lambda runtime to Node.js 20
Release date:2024-02-14
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.12.0/bucketav-add-on-reporting.yaml
v2.11.0
Changes:
- Add Service Discovery
Release date:2023-12-07
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.11.0/bucketav-add-on-reporting.yaml
v2.10.0
Changes:
- Support for bucket scan report
Release date:2023-09-14
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.10.0/bucketav-add-on-reporting.yaml
v2.9.0
Changes:
- Update Lambda runtime to Node.js 18
Release date:2023-08-30
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.9.0/bucketav-add-on-reporting.yaml
v2.8.0
Changes:
- Support on-demand reports
Release date:2023-08-24
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.8.0/bucketav-add-on-reporting.yaml
v2.7.0
Changes:
- Update Athena engine to version 3
Release date:2023-03-31
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.7.0/bucketav-add-on-reporting.yaml
v2.6.0
Changes:
- Improve table and text
Release date:2023-01-30
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.6.0/bucketav-add-on-reporting.yaml
v2.5.0
Changes:
- Harden S3 config
- Performance improvements
Release date:2022-11-08
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.5.0/bucketav-add-on-reporting.yaml
v2.4.0
Changes:
- Update Lambda runtime to Node.js 16
Release date:2022-06-08
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.4.0/bucketav-add-on-reporting.yaml
v2.3.0
Changes:
- Comply with AWS Foundational Security Best Practices v1.0.0 S3.5 and S3.8
Release date:2022-05-12
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.3.0/bucketav-add-on-reporting.yaml
v2.2.2
Changes:
- Improve Lambda config
Release date:2021-12-22
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.2.2/bucketav-add-on-reporting.yaml
v2.2.1
Changes:
- Bug fixes
Release date:2021-10-04
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.2.1/bucketav-add-on-reporting.yaml
v2.2.0
Changes:
- Improve report message
Release date:2021-09-30
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.2.0/bucketav-add-on-reporting.yaml
v2.1.1
Changes:
- Bug fixes
Release date:2021-06-09
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.1.1/bucketav-add-on-reporting.yaml
v2.1.0
Changes:
- Add AWS context and top buckets to report
Release date:2021-06-07
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.1.0/bucketav-add-on-reporting.yaml
v2.0.0
Changes:
- Initial release
Release date:2021-06-06
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.0.0/bucketav-add-on-reporting.yaml
Subscribe to our Atom feed or newsletter to stay up-to-date! We also publish a machine-readable JSON file.
v2.15.0
Changes:
- Reserved Concurrent Execution for Lambda functions
Release date:2024-11-19
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/cloudflare/v2.15.0/bucketav-add-on-reporting-cloudflare.yaml
v2.14.1
Changes:
- Bug fixes
Release date:2024-09-27
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/cloudflare/v2.14.1/bucketav-add-on-reporting-cloudflare.yaml
v2.14.0
Changes:
- Add parameters to configure report hour of day and day of week
Release date:2024-08-11
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/cloudflare/v2.14.0/bucketav-add-on-reporting-cloudflare.yaml
v2.13.0
Changes:
- Enable SSE on Amazon Data Firehose stream
Release date:2024-07-17
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/cloudflare/v2.13.0/bucketav-add-on-reporting-cloudflare.yaml