Understanding Cloud Workload Protection for Storage Events and Alerts on Azure and AWS

Article ID: 151145

Products

  • Cloud Workload Protection for Storage
  • Cloud Workload Protection for Storage DLP

Issue/Introduction

This document covers the basic details of the events published by Symantec Cloud Workload Protection for Storage on Microsoft Azure and Amazon AWS, as listed on the "Events and Alerts" page.

Resolution

 

Events

Event Title: File Detection
Event ID: 8031
Description: File Detection events report the detection and resolution of file threats or policy violations.

A scan event is associated with a detection event by the scan_uid field. A detection event is associated with a file response event by the detection_uid field. There is no direct association between a scan event and a file response event.

Event Title: File Response
Event ID: 8046
Description: File Response events report file actions taken in response to a detection.

Possible actions supported for Azure are:

  1. Deleted
  2. Tagged
  3. Repaired
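The association rules above (scan to detection via scan_uid, detection to response via detection_uid, and no direct scan-to-response link) are what an analyst has to implement when reconciling a scan's findings with the actions taken. The following Python is an added example, not code from this article or from the product: the event IDs 8031 and 8046 and the field names scan_uid and detection_uid come from the article, while the dict layout, the "scan" label for scan events, the helper names and every sample value are constructed assumptions.

```python
"""Chain CWP for Storage scan, detection and response events.

Added example, not the article's or the product's code. Event IDs 8031
(File Detection) and 8046 (File Response) and the join fields scan_uid
and detection_uid are from the article; the dict layout, the "scan"
label and all sample values below are constructed assumptions.
"""

FILE_DETECTION = 8031   # File Detection event ID (from the article)
FILE_RESPONSE = 8046    # File Response event ID (from the article)
SCAN = "scan"           # assumed label for a scan event; the article gives no ID

# Constructed sample feed: one scheduled scan that produced two detections,
# each answered by a response, plus an NRTS (real-time) detection that has
# no scan_uid and no response yet.
SAMPLE_EVENTS = [
    {"id": SCAN, "scan_uid": "scan-1", "scan_type": "SCHEDULED"},
    {"id": FILE_DETECTION, "detection_uid": "det-1", "scan_uid": "scan-1",
     "file": "addonemore/testp/npad95-1.dot", "threat": "WM.Npad.EE", "severity": 4},
    {"id": FILE_DETECTION, "detection_uid": "det-2", "scan_uid": "scan-1",
     "file": "azperfdata/10viruses/test.rar", "threat": "Constructed.Threat", "severity": 4},
    {"id": FILE_DETECTION, "detection_uid": "det-3", "scan_uid": None,
     "file": "uploads/new.docm", "threat": "Constructed.Heur", "severity": 3},
    {"id": FILE_RESPONSE, "detection_uid": "det-1", "action": "Deleted"},
    {"id": FILE_RESPONSE, "detection_uid": "det-2", "action": "Tagged"},
]


def chain_events(events):
    """Join each detection to its response (by detection_uid) and to its
    scan (by scan_uid). Returns one record per detection; "action" is None
    when no response event has arrived for it."""
    responses = {e["detection_uid"]: e for e in events if e["id"] == FILE_RESPONSE}
    scans = {e["scan_uid"]: e for e in events if e["id"] == SCAN}
    chains = []
    for det in (e for e in events if e["id"] == FILE_DETECTION):
        resp = responses.get(det["detection_uid"])
        scan = scans.get(det.get("scan_uid"))
        chains.append({
            "detection_uid": det["detection_uid"],
            "scan_uid": det.get("scan_uid"),
            "file": det["file"],
            "threat": det["threat"],
            "severity": det["severity"],
            # NRTS detections carry no scan identifier, so scan_type stays None
            "scan_type": scan["scan_type"] if scan else None,
            "action": resp["action"] if resp else None,
        })
    return chains


def scan_outcomes(events, scan_uid):
    """Outcome of every file flagged by one scan. There is no direct
    scan -> response link, so the path must go through the detections."""
    return [(c["file"], c["action"]) for c in chain_events(events)
            if c["scan_uid"] == scan_uid]


def unresolved(events, min_severity=3):
    """Detections at Minor (3) or above that no response has closed yet;
    these are the ones still waiting on an action."""
    return [c["detection_uid"] for c in chain_events(events)
            if c["action"] is None and c["severity"] >= min_severity]


if __name__ == "__main__":
    for chain in chain_events(SAMPLE_EVENTS):
        print(chain)
    print("scan-1 outcomes:", scan_outcomes(SAMPLE_EVENTS, "scan-1"))
    print("open detections:", unresolved(SAMPLE_EVENTS))
```

Because the join to the scan is keyed on a field that real-time detections lack, `scan_type` is left as None for them rather than guessed; a report that groups by scan should treat those separately instead of dropping them.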

Event Type: Anti-Malware
Category ID: Security
Description: Threat detection events report threats that are detected at a device. If a threat was detected during a scan, the scan identifier is included in the threat event. Otherwise, if the detection is the result of real-time protection (emails arriving at the device, or disk files that are accessed by applications), no scan identifier is provided.

Event Type: Policy Violation
Category ID: Security
Description: Non-malware detections, such as unscannable files and other policy violations.

Key Parameters from Event Schema

Category: Overview

Event ID
The system-assigned unique identifier of an event occurrence.

Event
File Detection: File Detection events report the detection and resolution of file threats or policy violations.
File Response: File Response events report file actions taken in response to a detection.

Event Summary
Sample messages:

> Malware 'WM.Npad.EE' detected
> File 'addonemore/testp/npad95-1.dot' was deleted

Severity
The severity of the event.

[0] Unknown - The event severity is not known.
[1] Informational - Purely informational. No action needed.
[2] Warning - The user decides if action is needed.
[3] Minor - Action is required but the situation is not serious at this time.
[4] Major - Action is required immediately.
[5] Critical - Action is required immediately and the scope is broad.
[6] Fatal - An error occurred but it is too late to take remedial action.

Type
The reason for the detection.

  • Anti-malware
  • Policy Violation

Category: Instance Details

Event Source
The name of the source asset which generated the event. For the Azure platform it is the Storage Account.

Source Resource Group
The name of the source asset's resource group.

Source Region Group
The region to which the source asset belongs.

Source Cloud Platform
The cloud platform to which the source instance belongs.

Scan Type
The scan type: NRTS or Scheduled.

[1] NRTS - the scan was initiated by the user or admin based on a Blob update.
[2] SCHEDULED - the scan was started by the scheduler.

Category: Event File Details

File Name
The name of the file that originated or caused the event. For the Azure cloud platform this name is the complete Blob name, e.g. azperfdata/10viruses/test.rar

File Size
The size of the file in bytes.

Category: Threat Details

Threat Type
The threat type as reported by the detection engine.

[1] Malware
[2] Behavioral
[3] Potentially Unwanted Applications
[4] Exploit (PEP)
[5] Heuristic
[6] Security Risk

Threat Name
The threat name as reported by the detection engine.

Category: Other Details

Content Version
The version of the virus definition files used by the scanning engine at the time of detection, in YYYYMMDD.RRR format.

Component
The human-readable name of the part of the data object where the incident was detected.

Alerts

Every alert listed below carries the same parameters: Asset Name, File Name, Policy Name, Source Cloud Platform, Source Region, Time Of Day, File Size, Severity Code.

Event Type: AntiMalware Detection
  Event Name: Storage Antimalware Detection
  Event Name: Storage Antimalware Response

Event Type: Policy Violation
  Event Name: Storage Container Violation
  Event Name: Storage Unscannable File