Content
- Example Command
- Key Fields to Parse
- Example Output with No Findings
- Example Output with Errors
- Automating Responses
- Recommendations
Once an iScan job completes, the output is provided in JSON format, enabling automated parsing to detect threats and trigger responses. To capture the output correctly, use the following flags when executing the `elastio iscan` command:

- `--no-progress`: Suppresses progress output from the CLI.
- `--output-format json`: Ensures the scan results are presented in JSON format.
- Redirect job progress to a file for debugging using `2>> <filename>`.
Example Command
To scan a local path /tmp/resources/ransomware/ and save the progress to a log file while outputting results in JSON format:
Key Fields to Parse
In the JSON output, focus on the following fields for malware and ransomware detection (the Python example below reads them from `results.succeeded_scans[N].malware.summary` and `results.succeeded_scans[N].ransomware.summary`):

- Ransomware scan results:
  - `"detected_rans"`: A list of the ransomware detected.
- Malware scan results:
  - `"infected"`: A count of infected files.
  - `"suspicious"`: A count of suspicious files.

If any of these counts is greater than zero, or `"detected_rans"` contains entries, a potential threat has been identified and the job warrants follow-up.
Example Output with No Findings
Below is an example of a clean scan result:
Example Output with Errors
If a job fails, the output will include error details. Example:
Automating Responses
You can parse the JSON output using tools like Python, jq, or similar utilities to automate responses:
Python example:

```python
import json

with open("iscan_output.json") as file:
    data = json.load(file)

# Summary fields of the first succeeded scan (see "Key Fields to Parse")
scan = data["results"]["succeeded_scans"][0]
infected_count = scan["malware"]["summary"]["infected"]
suspicious_count = scan["malware"]["summary"]["suspicious"]
ransomware_detected = scan["ransomware"]["summary"]["detected_rans"]

if infected_count > 0 or suspicious_count > 0 or ransomware_detected:
    print("Threat detected! Initiating response...")
else:
    print("No threats detected.")
```
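A more defensive version of the same parsing logic, as an added example (not Elastio's own code): it aggregates every entry in `succeeded_scans` rather than only index 0, keeps "suspicious" distinct from "infected" so a pipeline can treat the two differently, and handles a failed job or non-JSON output without raising. The sample outputs are constructed for this example; only the field paths named on this page are assumed, plus a top-level `"error"` string for a failed job, which the page mentions but does not show. The exit-code mapping is likewise a choice made here, not part of the CLI.

```python
import json
import sys
from dataclasses import dataclass, field

# Constructed sample outputs for offline testing. They are NOT captured from
# elastio iscan; only the field paths named on this page are assumed:
#   results.succeeded_scans[].malware.summary.infected / .suspicious
#   results.succeeded_scans[].ransomware.summary.detected_rans
# A top-level "error" string for a failed job is an additional assumption.
CLEAN_OUTPUT = json.dumps({
    "results": {"succeeded_scans": [{
        "malware": {"summary": {"infected": 0, "suspicious": 0}},
        "ransomware": {"summary": {"detected_rans": []}},
    }]}
})
THREAT_OUTPUT = json.dumps({
    "results": {"succeeded_scans": [
        {"malware": {"summary": {"infected": 2, "suspicious": 1}},
         "ransomware": {"summary": {"detected_rans": []}}},
        {"malware": {"summary": {"infected": 1, "suspicious": 0}},
         "ransomware": {"summary": {"detected_rans": ["sample-family"]}}},
    ]}
})
ERROR_OUTPUT = json.dumps({"error": "scan target not found"})


@dataclass
class ScanVerdict:
    status: str                 # "clean", "suspicious", "threat" or "error"
    infected: int = 0
    suspicious: int = 0
    ransomware: list = field(default_factory=list)
    error: str = ""


def parse_iscan_output(raw: str) -> ScanVerdict:
    """Turn raw iScan JSON into a verdict without raising on malformed input."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return ScanVerdict(status="error", error=f"output is not valid JSON: {exc}")
    if not isinstance(data, dict):
        return ScanVerdict(status="error", error="unexpected top-level JSON type")
    # A failed job: surface the error field instead of guessing at results.
    if data.get("error"):
        return ScanVerdict(status="error", error=str(data["error"]))
    scans = (data.get("results") or {}).get("succeeded_scans") or []
    if not scans:
        return ScanVerdict(status="error", error="no succeeded_scans in output")
    verdict = ScanVerdict(status="clean")
    # Aggregate across every succeeded scan, not just index 0.
    for scan in scans:
        malware = (scan.get("malware") or {}).get("summary") or {}
        rans = (scan.get("ransomware") or {}).get("summary") or {}
        verdict.infected += int(malware.get("infected") or 0)
        verdict.suspicious += int(malware.get("suspicious") or 0)
        verdict.ransomware.extend(rans.get("detected_rans") or [])
    if verdict.infected > 0 or verdict.ransomware:
        verdict.status = "threat"
    elif verdict.suspicious > 0:
        verdict.status = "suspicious"
    return verdict


# Exit codes chosen for this example so a CI step or wrapper script can branch.
EXIT_CODES = {"clean": 0, "error": 1, "threat": 2, "suspicious": 3}


def exit_code(verdict: ScanVerdict) -> int:
    """Map a verdict to a process exit status."""
    return EXIT_CODES[verdict.status]


if __name__ == "__main__":
    # Usage: python parse_iscan.py iscan_output.json  (falls back to a sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            raw = fh.read()
    else:
        raw = THREAT_OUTPUT
    verdict = parse_iscan_output(raw)
    print(json.dumps(verdict.__dict__))
    sys.exit(exit_code(verdict))
```

Because `parse_iscan_output` never raises, a wrapper that runs it against the JSON file written by `elastio iscan` can distinguish a scan that genuinely found nothing (exit 0) from a scan that never completed (exit 1), which is the difference between "clean" and "unknown" when the result feeds a SOC or SIEM.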
Recommendations
- Log analysis: Use the redirected `stderr.log` file to troubleshoot any issues that occur during the scan.
- Integration: Combine the parsing logic with incident response workflows, or send findings to a SOC, SIEM, or CNAPP for further analysis and action.
- Error handling: Monitor the `"error"` field in the output to diagnose and resolve scan failures promptly.
Parsing iScan results ensures actionable insights and enables robust automation for ransomware and malware detection in your environment.