What are best practices for asset management?

Once a week, look through your asset list and track/merge or open an incident on any untracked assets.  Doing this on a regular basis keeps your asset list clean and tidy.  See our Assets article for more recommendations and instructions.

What do I do if I see a suspicious untracked asset?

If you see an untracked asset that you believe should not be sending data to your network, the best way to investigate is to create a ticket directly from the untracked asset, naming TRAC as the owner. Once the ticket is created, an email is sent to the TRAC Team, who look for malicious activity.

Data Retention

What is cold storage?

As part of DefenseStorm’s data retention, we keep 90 days' worth of searchable event data as live storage. Any event data older than 90 days is considered cold storage. If you need data from cold storage for any reason, such as auditing or investigative purposes, simply submit a request to DefenseStorm.

How do I request my data stored in cold storage?

Open a new Connect Support Ticket to DefenseStorm with the specific information regarding the data you wish to have restored. The specific information could simply be a date range, certain users within a date range, or even certain machines within a date range.

How long does it take to restore requested data?

The time frame for restoring cold data is dependent on how much data is requested and other network factors. Estimates are provided on a case-by-case basis after DefenseStorm has an opportunity to review all relevant and necessary details. This ensures accuracy and that your estimate is specific to you and your restore needs.

Event Fields and Descriptions

Field Name


Similar Fields


  • The action
  • The DefenseStorm API key used to send the message. Usually one per DefenseStorm Virtual Machine. For Cloud integrations, a unique ID per integration.
  • The type of the message, app_name dependent
    Similar fields: type, subcategory, event_type, channel
  • DefenseStorm's best guess at whether this is an outbound, inbound, or internal connection
  • Destination port
  • The Windows domain associated with the request
    Similar fields: user_domain, target_domain, account_domain, used_account_domain, caller_domain, group_domain, network_account_domain, ad_domain, subject_domain_name, new_account_domain, target_domain_name
  • All the IP addresses that could be considered on your network
  • The event ID (if any) associated with the event
  • The MD5, SHA1, SHA256 or similar hash value of the file
  • The name or path of the file associated with the event
    Similar fields: file_path, src_file_name, dest_file_name, target_filename, old_file_path, new_file_path
  • Destination geographic information
  • Source geographic information
  • The name of a group that the invoked event acts on
  • Usually the name of the machine sending the message
    Similar fields: src_hostname, dest_hostname, client_hostname, sensor_hostname, global_hostname, local_hostname, src_translated_hostname, dest_translated_hostname, real_hostname, map_hostname
  • The HTTP hostname of the HTTP request
  • The HTTP path of the URI
  • The HTTP URI of the request
  • The User Agent associated with the request
  • The path to the executable being run
    Similar fields: process, process_name, process_command_line
  • The actual time DefenseStorm received the message
  • Destination IP address
  • Source IP address
  • Private, Public, Reserved, or Multicast IP address for the destination
  • Private, Public, Reserved, or Multicast IP address for the source
  • The Windows logon type
  • The MAC address for the event
  • A human-readable description of the event
    Similar fields: unparsed_message, expanded_message, short_message
  • Usually TCP or UDP
    Similar fields: ip_protocol, layer6_protocol, layer7_protocol
  • The IP address of the machine generating the message
  • Source port
  • The time the message was allegedly generated
    Similar fields: nx_timestamp, event_received_timestamp, creation_timestamp, logged_timestamp, registration_timestamp
  • The name of the user involved in the event
    Similar fields: user, account_name, target_user_name, username, user_id, subject_user_name, new_account_name
  • unparsed_extended_message: Windows event log messages may have a section that Windows names “extended message”. The unparsed_extended_message field is a specific Windows event log message that contains the sections of the long-form Windows event log message for which the DefenseStorm platform had no specific matches (i.e. could not parse completely).
    Similar fields: unparsed_message
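As an added illustration of the IP-classification and connection-direction fields listed above (example code written for this page, not DefenseStorm's own implementation): the four IP categories are derived with Python's ipaddress module, the direction guess assumes a constructed list of on-network CIDR ranges, and the event keys src_ip and dest_ip are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of the ranges an organization registers as "all the IP
# addresses that could be considered on your network" (assumed CIDR strings).
MY_NETWORK = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

def classify_ip(addr: str) -> str:
    """Private, Public, Reserved or Multicast, the categories the IP type fields use."""
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        return "Multicast"
    # Non-routable special space first: is_private also covers loopback/link-local.
    if ip.is_reserved or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return "Reserved"
    return "Private" if ip.is_private else "Public"

def on_my_network(addr: str, nets=MY_NETWORK) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def guess_direction(src_ip: str, dest_ip: str, nets=MY_NETWORK) -> str:
    """Best guess at outbound/inbound/internal from which side is on the registered
    network. Assumption: a reconstruction, not DefenseStorm's own logic; "unknown"
    is added for traffic with neither side on it."""
    src_in, dest_in = on_my_network(src_ip, nets), on_my_network(dest_ip, nets)
    if src_in and dest_in:
        return "internal"
    if src_in:
        return "outbound"
    return "inbound" if dest_in else "unknown"

def annotate(event: dict) -> dict:
    """Add the classification fields. Assumption: keys are src_ip and dest_ip."""
    out = dict(event)
    out["src_ip_type"] = classify_ip(event["src_ip"])
    out["dest_ip_type"] = classify_ip(event["dest_ip"])
    out["direction"] = guess_direction(event["src_ip"], event["dest_ip"])
    return out

# Constructed sample events, not real traffic.
SAMPLE_EVENTS = [
    {"src_ip": "10.20.1.5", "dest_ip": "8.8.8.8", "dest_port": 53},
    {"src_ip": "10.20.1.5", "dest_ip": "192.168.50.10", "dest_port": 445},
    {"src_ip": "1.1.1.1", "dest_ip": "10.20.1.5", "dest_port": 3389},
    {"src_ip": "10.20.1.5", "dest_ip": "224.0.0.251", "dest_port": 5353},
]

def direction_summary(events=SAMPLE_EVENTS) -> dict:
    return dict(Counter(annotate(e)["direction"] for e in events))
```

direction_summary() gives the kind of aggregate a weekly asset review looks at; an inbound hit on a port such as 3389 from an address outside the registered ranges is the sort of event worth a closer look.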

Input Token

What is an Input Token?

An input token is a system-generated administrative user account created during the initial setup and configuration of DefenseStorm ground services. The system uses your email and password to create the tokens. The input token also contains the DefenseStorm Key and Secret, which may be necessary for some application integrations.

Click the Setting tab (gear icon) > Input Tokens 


How does it relate?

The Input Token is how events are authenticated. You can use the aggregate feature to filter down your events to display which Input Token is generating the most events. The api_key filter name is the Input Token key.  


What do I do after my user has been created?

When your User ID is set up in the console you receive an email with a link (or copy and paste the link into your browser) to complete the setup. This displays a field for your desired password.

I forgot my password

If you forget your password, follow these steps to set a new one.

STEP 1: Go to https://console.defensestorm.com/#/login

STEP 2: Select “Forget your password?”

STEP 3: Enter your email address and select Reset Password.

Sending Data to DefenseStorm

Log into the DVM box (via SSH, or through the VM terminal method of your choice) and select option #12, "Send Diagnostic Information", in the DVM menu.

Supported Parsers

Parsers displaying as bold are either new or have updated parser fields. 

  • AD Audit Plus
  • ADFS
  • ADTran
    • Switch (NetVanta)
  • Allied Telesis
  • ArubaOs
  • Barracuda
    • Barracuda SSL VPN
    • Web Security Gateway
  • Bit9
  • Bro Files
  • Carbon Black
    • CarbonBlackDefense (CBDefense)
    • Carbon Black Server 8.x (+ all previous versions)
  • Checkpoint
  • CloudTrail
  • Cisco
    • 2504 Series
    • 4500 Series
    • 2921 Parser for IOS VoIP Router
    • Prime Parser
    • SourceFire
    • 9396 NXOS Core Router
    • Security
    • Identity Services Engine (ISE)
    • C2921 VoIP Gateway
    • Meraki
    • 2960 Switch
    • Small Business Router (RV____ models)
    • SG series switches
  • Defensestorm Integrations Event Format (json parser)
  • DHCP NXLog Error
  • ESXi
  • Endian Firewall
  • eDirectory
  • F5 Load Balancers
  • FireEye
    • NX-Series
  • Fortigate
  • HP
    • ProCurve Switch
  • IBM
    • Proventia Server Intrusion Protection System
  • Infoblox DNS
  • Iprism Webfilter
  • IPS Syslog
  • iSensor Message
  • iSeries PowerTech Interact parser
  • .json
  • Juniper
    • NetScreen
  • PulseSecure VPN
    • Switch
    • Firewall
  • McAfee
    • Epo
    • Web Filter
    • Web Gateway
  • Microsoft
    • IIS
    • SQL Audit event for event_Id:33205
  • Mojo Networks
  • NetFlow
  • Nimble Storage
  • PaloAlto
    • Palo Alto Panorama
  • PAN
  • Piledriver log parsing 
  • Powershell
  • Proofpoint
  • Reactor
  • RSA Authentication Manager
  • Sentinel IPS
  • Shortel Logs
  • SNMP Trap
  • Snort
  • Software versions - Instead of showing up as IP addresses, the parser displays the actual software version.
  • SonicWall
    • Messages
    • Firewall
  • Sophos
    • Sophos Cloud Installer / AutoUpdater
    • Sophos XG Firewall
  • Suricata
  • Symantec
    • SEP
    • Server
  • Sysmon (8.0)
  • S3 Log Sources (defensestorm_event_source field)
  • Tipping Point IPS
  • TrendNet
    • Switch
  • VMware
    • ESXi / vSphere
    • vCenter
    • NSX Firewall
  • WebSense
    • Websense Email Gateway
  • WebTitan
  • Windows
    • ADFS Audit Logs
    • Windows Agent DHCP (flat-file) logs
    • Windows Agent parser to parse sensor_ip
    • Application Event Logs
      • Add-on Event Provider
      • Application/MSIInstaller message
    • Security Audit Logs
    • Events
    • Event Account Change
    • Exchange Server Audit Logs
    • QRadar

Task Schedule

When a task schedule has a query, what is the maximum number of events that are presented in the task? 

100 is the maximum number of events 

Think your Network May be Compromised?

STEP 1: Disconnect the problem machine from your network

While we do not promote one solution over any other, we recommend using a sandbox solution to disconnect the host from the network. If none are available, disconnect the host from all network connections. This prevents the malware from spreading or calling home.

STEP 2: Delete any new files or programs that do not belong

New programs and files could contain malware. Deleting these newly installed programs or files could prevent the spread or increased severity of malware.

STEP 3: Re-image the machine

After uninstalling new programs and files, if you still see unsolicited call-outs or unusual application behavior and are still unsure that the malware was deleted, you can re-image the machine to remove any rootkits. *When a machine is re-imaged, user profiles need to be re-uploaded.

STEP 4: User Training

To reduce the risk of malware infection, put the user through remedial training to ensure they understand malware and how it can spread: for example, through spam emails, websites and contaminated drives, and it can even come pre-installed in some software packages.

STEP 5: Continued Monitoring

After all the above steps have been completed, continue to monitor the host for a minimum of 7 days to look for unsolicited call outs.

Threat Sharing Sources

All threat sharing sources are used for anomaly detection and are found on the ThreatMatch page of your DefenseStorm console. You can subscribe or unsubscribe from each threat source individually. For more information on ThreatMatch, and how it works with your cybersecurity program, see Using ThreatMatch.

  • AlienVault
  • Bambenek
  • CrimeTracker
  • DefenseStorm
  • DNS-BH
  • DShield
  • InfraGard
  • Malcode
  • MalwareDomains
  • OpenBL
  • Tor Exit Nodes
  • ZeuS Tracker

Upgrading/Updating my DVM

How do I know when to upgrade my DVM?

DefenseStorm notifies you via Release Notes when there is a new version to be installed.

How do I upgrade my DVM?

See The DefenseStorm Virtual Machine article for instructions.

How do I send logs from a configured DVM to a new organization/account?

In order to send logs to a new organization, follow these steps:

  1. Log into the DVM using the console credentials.
  2. Log onto the DVM and choose Option 1 on the menu: "Set DefenseStorm Credentials".
  3. Enter the credentials for the new organization to which you want to send the logs.
  4. Because the DVM is already configured, it will ask you to confirm that you want to re-enter your credentials.
  5. Once the new credentials are entered, the DVM will re-configure itself to send logs to the appropriate account.

Windows Audit Log Recommendations 

Within the Windows operating system, there are audit logs that can be configured to track the success or failure of certain events. For example, once audit logs are activated for logon attempts, you can choose to track whether a logon attempt succeeds, fails, or both. Our TRAC Team has prepared examples for each option within the Windows operating system to help send the most useful logs to your DefenseStorm DVM and reduce noise on your system.

The following items can be monitored:

  • Changes to user account and resource permissions.
  • Failed attempts by users to log on.
  • Failed attempts to access resources.
  • Changes to system files. 

This link provides the PDF list of TRAC Recommendations.