This page describes how to use Kibana to view and troubleshoot Votiro Incidents.
Example of Votiro Incident
The following screenshot displays the Votiro Item/Incident sanitization information for a file that has undergone sanitization:
This screen shows the results of Votiro Cloud processing a file named KeePass-2.49-Setup.exe. The File Info pane displays some of the file's properties, and the Sanitization Log pane displays highlights of how the file was processed.
Procedure
Create and Configure an Index Pattern
To begin, you must define a Kibana index pattern.
| 1. | Log in to the Kibana Discover interface with the credentials provided to you by Votiro Support. |
| 2. | Select Create index pattern. Step 1 of 2 Define index pattern appears. |
| 3. | Type votiro-logs* (or similar) as the Index pattern. Kibana displays a list matching the index pattern: |
| 4. | Click on Next step. Step 2 of 2 Configure settings appears. |
| 5. | Select a Time Filter field name from the list. For example, @t: |
| 6. | Click on Create index pattern. Kibana displays every field and field type in the selected index (in this example, votiro-logs*): |
Analyze the Data
After the index pattern is created and configured, use it in Kibana's Discover mode to filter the indexed data down to the events you need.
Discover
| 1. | Click on the Discover icon on the left side of the screen: |
| 2. | Kibana displays all hits within the selected time range (in this example, the last 15 minutes): |
| 3. | To narrow the display, click on ˅ next to the index pattern (votiro-logs* by default) on the left side of the screen. The CHANGE INDEX PATTERN window opens: |
| 4. | Move down the list of Available fields and, for each field you want shown as a column, click its add button to add it to the selected fields: |
| 5. | In the example below, the following fields are added: |
| 6. | The display of hits is now updated to show only the selected fields: |
Votiro Explore Incident & File Info
To examine a specific file that was processed by Votiro Cloud, first obtain its file ID (the value that appears as CorrelationId in the logs) from the Votiro Item/Incident sanitization information.
| 1. | Open the Votiro Explore Incident: |
| 2. | Copy the file ID shown at the top of the screen to the clipboard, in this example: |
File Sanitization Analysis
| 1. | Return to the Kibana Discover screen. |
| 2. | In the left side of the Kibana Discover screen, click on Add filter. The EDIT FILTER window opens. |
| 3. | From the Field list, select CorrelationId. |
| 4. | From the Operator list, select is. |
| 5. | In the Value field, paste the file ID from the clipboard. |
| 6. | Click on Save. The list of hits is updated to show only the hits for the relevant file, matched on CorrelationId (the Votiro item ID). |
| 7. | To change the time frame of the display, click on the time icon. Then select the desired time interval: |
| 8. | To view the file's processing history in Votiro, scroll down the list of hits. The selected fields displayed in the columns show what occurred during processing. The @l (message level), @mt (message template) and @x (exception) columns give you the detail needed to troubleshoot the incident. |
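The steps above are performed in the Kibana UI. As an added example (not from this page and not Votiro's own tooling), the following Python script performs the same analysis offline against exported log lines: it builds the Elasticsearch query DSL that the "CorrelationId is <id>" filter plus the time picker correspond to, then parses events in the Serilog compact JSON (CLEF) shape that the @t/@l/@mt/@x field names follow (an assumption about the Votiro log schema), keeps only those with the wanted CorrelationId inside a time window, sorts them by @t and renders each @mt template from the event's properties. The sample log lines, the IDs and the FileName/ItemId/Engine/Status properties are constructed for the example and are not real Votiro output; the only field names taken from the page are @t, @l, @mt, @x and CorrelationId.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample events in CLEF shape. Nothing here is a real Votiro
# log line: IDs, messages and the extra properties are invented. The second
# line has no @l on purpose (CLEF omits it at Information level), the lines
# are out of time order, and the last line is deliberately malformed.
SAMPLE_LOG = """\
{"@t":"2023-05-01T10:00:02.2500000Z","@l":"Warning","@mt":"Rule {Rule} applied to {FileName}","Rule":"strip-active-content","FileName":"KeePass-2.49-Setup.exe","CorrelationId":"c0ffee11-0000-4000-8000-000000000001"}
{"@t":"2023-05-01T10:00:00.1000000Z","@mt":"Received {FileName} as item {ItemId}","FileName":"KeePass-2.49-Setup.exe","ItemId":"c0ffee11-0000-4000-8000-000000000001","CorrelationId":"c0ffee11-0000-4000-8000-000000000001"}
{"@t":"2023-05-01T10:00:01.0000000Z","@l":"Information","@mt":"Received {FileName} as item {ItemId}","FileName":"report.pdf","ItemId":"c0ffee11-0000-4000-8000-000000000002","CorrelationId":"c0ffee11-0000-4000-8000-000000000002"}
{"@t":"2023-05-01T10:00:03.5000000Z","@l":"Error","@mt":"Engine {Engine} failed","Engine":"archive","@x":"System.IO.InvalidDataException: bad header\\n   at Sanitizer.Archive.Open()","CorrelationId":"c0ffee11-0000-4000-8000-000000000001"}
{"@t":"2023-05-01T10:00:04.0000000Z","@l":"Information","@mt":"Item {ItemId} completed with status {Status}","ItemId":"c0ffee11-0000-4000-8000-000000000001","Status":"Blocked","CorrelationId":"c0ffee11-0000-4000-8000-000000000001"}
not json at all
"""


def correlation_query(correlation_id, since="now-15m", until="now"):
    """Elasticsearch query DSL equivalent of the Kibana filter
    'CorrelationId is <id>' combined with the Discover time picker on @t.
    Kibana builds an 'is' filter as match_phrase, which works whether the
    field is mapped as keyword or text."""
    return {
        "query": {"bool": {"filter": [
            {"match_phrase": {"CorrelationId": correlation_id}},
            {"range": {"@t": {"gte": since, "lte": until}}},
        ]}},
        "sort": [{"@t": {"order": "asc"}}],
    }


def parse_clef(text):
    """Parse newline-delimited CLEF JSON. Returns (events, malformed_count);
    lines that are not JSON objects carrying @t are counted and skipped."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if not isinstance(ev, dict) or "@t" not in ev:
            bad += 1
            continue
        events.append(ev)
    return events, bad


def parse_ts(value):
    """Parse a UTC ISO-8601 @t such as 2023-05-01T10:00:00.1000000Z.
    Serilog writes 7 fractional digits; they are truncated to microseconds.
    Only Z/UTC timestamps are handled (assumption for this example)."""
    if value.endswith("Z"):
        value = value[:-1]
    base, _, frac = value.partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    micro = int((frac + "000000")[:6]) if frac else 0
    return dt.replace(microsecond=micro, tzinfo=timezone.utc)


_HOLE = re.compile(r"\{[@$]?(\w+)(?::[^}]*)?\}")


def render_template(ev):
    """Fill {Prop} holes in @mt from the event's own properties, the CLEF
    convention. Holes with no matching property are left visible rather
    than silently blanked, so a missing field stands out when reading."""
    def sub(m):
        name = m.group(1)
        return str(ev[name]) if name in ev else m.group(0)
    return _HOLE.sub(sub, ev.get("@mt", ""))


def timeline(events, correlation_id, start=None, end=None):
    """Rows (timestamp, level, rendered message, first line of @x) for one
    item, in time order: the same view as the selected Discover columns."""
    rows = []
    for ev in events:
        if ev.get("CorrelationId") != correlation_id:
            continue
        t = parse_ts(ev["@t"])
        if (start and t < start) or (end and t > end):
            continue
        exc = ev.get("@x", "")
        level = ev.get("@l", "Information")  # CLEF: absent @l means Information
        rows.append((t, level, render_template(ev), exc.splitlines()[0] if exc else ""))
    rows.sort(key=lambda r: r[0])
    return rows


if __name__ == "__main__":
    item = "c0ffee11-0000-4000-8000-000000000001"
    print(json.dumps(correlation_query(item), indent=1))
    events, bad = parse_clef(SAMPLE_LOG)
    print(f"{len(events)} events parsed, {bad} malformed line(s) skipped")
    for t, level, msg, exc in timeline(events, item):
        print(f"{t.isoformat()}  {level:<11} {msg}" + (f"  [{exc}]" if exc else ""))
```

Only the first line of @x is shown per row because .NET exception text carries the full stack trace; keep the complete @x value when you need to follow an error into the sanitization engine. The unrendered-hole behaviour is deliberate: when an @mt placeholder has no property on the event, that is itself a troubleshooting signal.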