Skip to content

Commit

Permalink
Add log types section to Security Analytics (#6235) (#6876)
Browse files Browse the repository at this point in the history 
* Add log types section to Security Analytics



* Rename custom log type page.



* Tweak layout.



* Replace image with callouts



* Fix links, fix structure.



* Fix bugs



* Add Joanne's technical feedback. Link back to detectors.



* Apply suggestions from code review



* Apply suggestions from code review



* Apply suggestions from code review




* Apply suggestions from code review




* Apply suggestions from code review




* Apply suggestions from code review




* Apply suggestions from code review




* Apply suggestions from code review




* Apply suggestions from code review




* Apply suggestions from code review




* Update detectors-config.md



* Apply suggestions from code review




* Apply suggestions from code review



* Update log-types.md



* Apply suggestions from code review




---------





(cherry picked from commit 88cde9d)

Signed-off-by: Naarcha-AWS <naarcha@amazon.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Melissa Vagi <vagimeli@amazon.com>
Co-authored-by: Nathan Bower <nbower@amazon.com>
  • Loading branch information
@opensearch-trigger-bot @github-actions
@vagimeli @natebower
4 people committed Apr 4, 2024
1 parent c9ef43c commit 39ecc17
Show file tree
Hide file tree
Showing 23 changed files with 2,316 additions and 77 deletions.
2 changes: 1 addition & 1 deletion _security-analytics/index.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ For information about configuring detectors, see [Creating detectors]({{site.url

### Log types

Log types provide the data used to evaluate events occurring in a system. OpenSearch supports several types of logs and provides out-of-the-box mappings for the most common log sources. See [Supported log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types/) for a list of log types currently supported by Security Analytics.
[Log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types/) provide the data used to evaluate events occurring in a system. OpenSearch supports several types of logs and provides out-of-the-box mappings for the most common log sources.

Log types are specified during the creation of detectors, including steps for mapping log fields to the detector. Security Analytics also automatically selects an appropriate set of rules based on a specific log type and populates them for the detector.

Expand Down
114 changes: 114 additions & 0 deletions _security-analytics/log-types-reference/ad-ldap.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,114 @@
---
layout: default
title: AD LDAP
parent: Supported log types
nav_order: 20
---

# AD LDAP

The `ad_ldap` log type tracks Active Directory logs, such as:

- Lightweight Directory Access Protocol (LDAP) queries.
- Errors from the LDAP server.
- Timeout events.
- Unsecured LDAP binds.

The following code snippet contains all `raw_field` and `ecs` mappings for this log type:

```json
"mappings": [
{
"raw_field":"TargetUserName",
"ecs":"azure.signinlogs.properties.user_id"
},
{
"raw_field":"creationTime",
"ecs":"timestamp"
},
{
"raw_field":"Category",
"ecs":"azure.activitylogs.category"
},
{
"raw_field":"OperationName",
"ecs":"azure.platformlogs.operation_name"
},
{
"raw_field":"ModifiedProperties_NewValue",
"ecs":"modified_properties.new_value"
},
{
"raw_field":"ResourceProviderValue",
"ecs":"azure.resource.provider"
},
{
"raw_field":"conditionalAccessStatus",
"ecs":"azure.signinlogs.properties.conditional_access_status"
},
{
"raw_field":"SearchFilter",
"ecs":"SearchFilter"
},
{
"raw_field":"Operation",
"ecs":"azure.platformlogs.operation_name"
},
{
"raw_field":"ResultType",
"ecs":"azure.platformlogs.result_type"
},
{
"raw_field":"DeviceDetail_isCompliant",
"ecs":"azure.signinlogs.properties.device_detail.is_compliant"
},
{
"raw_field":"ResourceDisplayName",
"ecs":"resource_display_name"
},
{
"raw_field":"AuthenticationRequirement",
"ecs":"azure.signinlogs.properties.authentication_requirement"
},
{
"raw_field":"TargetResources",
"ecs":"target_resources"
},
{
"raw_field":"Workload",
"ecs":"workload"
},
{
"raw_field":"DeviceDetail.deviceId",
"ecs":"azure.signinlogs.properties.device_detail.device_id"
},
{
"raw_field":"OperationNameValue",
"ecs":"azure.platformlogs.operation_name"
},
{
"raw_field":"ResourceId",
"ecs":"azure.signinlogs.properties.resource_id"
},
{
"raw_field":"ResultDescription",
"ecs":"azure.signinlogs.result_description"
},
{
"raw_field":"EventID",
"ecs":"EventID"
},
{
"raw_field":"NetworkLocationDetails",
"ecs":"azure.signinlogs.properties.network_location_details"
},
{
"raw_field":"CategoryValue",
"ecs":"azure.activitylogs.category"
},
{
"raw_field":"ActivityDisplayName",
"ecs":"azure.auditlogs.properties.activity_display_name"
}
]
```
10 changes: 10 additions & 0 deletions _security-analytics/log-types-reference/apache-access.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
---
layout: default
title: Apache Access
parent: Supported log types
nav_order: 25
---

# Apache Access

The `apache_access` log type records data for all requests processed by Apache HTTP servers. It contains no `raw_field` or `ecs` mappings.
225 changes: 225 additions & 0 deletions _security-analytics/log-types-reference/azure.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,225 @@
---
layout: default
title: Azure
parent: Supported log types
nav_order: 29
---

# Azure

The `azure` log type monitors log data for cloud applications managed by Azure Cloud Services.

The following code snippet contains all `raw_field` and `ecs` mappings for this log type:

```json
"mappings": [
{
"raw_field":"Resultdescription",
"ecs":"azure.signinlogs.result_description"
},
{
"raw_field":"eventSource",
"ecs":"eventSource"
},
{
"raw_field":"eventName",
"ecs":"eventName"
},
{
"raw_field":"Status",
"ecs":"azure.platformlogs.status"
},
{
"raw_field":"LoggedByService",
"ecs":"azure.auditlogs.properties.logged_by_service"
},
{
"raw_field":"properties_message",
"ecs":"properties_message"
},
{
"raw_field":"status",
"ecs":"azure.platformlogs.status"
},
{
"raw_field":"TargetUserName",
"ecs":"azure.signinlogs.properties.user_id"
},
{
"raw_field":"creationTime",
"ecs":"timestamp"
},
{
"raw_field":"Category",
"ecs":"azure.activitylogs.category"
},
{
"raw_field":"OperationName",
"ecs":"azure.platformlogs.operation_name"
},
{
"raw_field":"ModifiedProperties_NewValue",
"ecs":"modified_properties.new_value"
},
{
"raw_field":"ResourceProviderValue",
"ecs":"azure.resource.provider"
},
{
"raw_field":"conditionalAccessStatus",
"ecs":"azure.signinlogs.properties.conditional_access_status"
},
{
"raw_field":"SearchFilter",
"ecs":"search_filter"
},
{
"raw_field":"Operation",
"ecs":"azure.platformlogs.operation_name"
},
{
"raw_field":"ResultType",
"ecs":"azure.platformlogs.result_type"
},
{
"raw_field":"DeviceDetail_isCompliant",
"ecs":"azure.signinlogs.properties.device_detail.is_compliant"
},
{
"raw_field":"ResourceDisplayName",
"ecs":"resource_display_name"
},
{
"raw_field":"AuthenticationRequirement",
"ecs":"azure.signinlogs.properties.authentication_requirement"
},
{
"raw_field":"TargetResources",
"ecs":"target_resources"
},
{
"raw_field":"Workload",
"ecs":"Workload"
},
{
"raw_field":"DeviceDetail_deviceId",
"ecs":"azure.signinlogs.properties.device_detail.device_id"
},
{
"raw_field":"OperationNameValue",
"ecs":"azure.platformlogs.operation_name"
},
{
"raw_field":"ResourceId",
"ecs":"azure.signinlogs.properties.resource_id"
},
{
"raw_field":"ResultDescription",
"ecs":"azure.signinlogs.result_description"
},
{
"raw_field":"EventID",
"ecs":"EventID"
},
{
"raw_field":"NetworkLocationDetails",
"ecs":"azure.signinlogs.properties.network_location_details"
},
{
"raw_field":"CategoryValue",
"ecs":"azure.activitylogs.category"
},
{
"raw_field":"ActivityDisplayName",
"ecs":"azure.auditlogs.properties.activity_display_name"
},
{
"raw_field":"Initiatedby",
"ecs":"azure.activitylogs.identity.claims_initiated_by_user.name"
},
{
"raw_field":"Count",
"ecs":"Count"
},
{
"raw_field":"ResourceTenantId",
"ecs":"azure.signinlogs.properties.resource_tenant_id"
},
{
"raw_field":"failure_status_reason",
"ecs":"failure_status_reason"
},
{
"raw_field":"AppId",
"ecs":"azure.signinlogs.properties.app_id"
},
{
"raw_field":"properties.message",
"ecs":"properties.message"
},
{
"raw_field":"ClientApp",
"ecs":"azure.signinlogs.properties.client_app_used"
},
{
"raw_field":"ActivityDetails",
"ecs":"ActivityDetails"
},
{
"raw_field":"Target",
"ecs":"Target"
},
{
"raw_field":"DeviceDetail.trusttype",
"ecs":"azure.signinlogs.properties.device_detail.trust_type"
},
{
"raw_field":"HomeTenantId",
"ecs":"azure.signinlogs.properties.home_tenant_id"
},
{
"raw_field":"ConsentContext.IsAdminConsent",
"ecs":"ConsentContext.IsAdminConsent"
},
{
"raw_field":"InitiatedBy",
"ecs":"InitiatedBy"
},
{
"raw_field":"ActivityType",
"ecs":"azure.auditlogs.properties.activity_display_name"
},
{
"raw_field":"operationName",
"ecs":"azure.activitylogs.operation_name"
},
{
"raw_field":"ModifiedProperties{}.NewValue",
"ecs":"modified_properties.new_value"
},
{
"raw_field":"userAgent",
"ecs":"user_agent.name"
},
{
"raw_field":"RiskState",
"ecs":"azure.signinlogs.properties.risk_state"
},
{
"raw_field":"Username",
"ecs":"azure.activitylogs.identity.claims_initiated_by_user.name"
},
{
"raw_field":"DeviceDetail.deviceId",
"ecs":"azure.signinlogs.properties.device_detail.device_id"
},
{
"raw_field":"DeviceDetail.isCompliant",
"ecs":"azure.signinlogs.properties.device_detail.is_compliant"
},
{
"raw_field":"Location",
"ecs":"azure.signinlogs.properties.network_location_details"
}
]
```

0 comments on commit 39ecc17

Please sign in to comment.