diff --git a/_security-analytics/index.md b/_security-analytics/index.md index c4bdae9748..c9cdcbee1b 100644 --- a/_security-analytics/index.md +++ b/_security-analytics/index.md @@ -39,7 +39,7 @@ For information about configuring detectors, see [Creating detectors]({{site.url ### Log types -Log types provide the data used to evaluate events occurring in a system. OpenSearch supports several types of logs and provides out-of-the-box mappings for the most common log sources. See [Supported log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types/) for a list of log types currently supported by Security Analytics. +[Log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types/) provide the data used to evaluate events occurring in a system. OpenSearch supports several types of logs and provides out-of-the-box mappings for the most common log sources. Log types are specified during the creation of detectors, including steps for mapping log fields to the detector. Security Analytics also automatically selects an appropriate set of rules based on a specific log type and populates them for the detector. diff --git a/_security-analytics/log-types-reference/ad-ldap.md b/_security-analytics/log-types-reference/ad-ldap.md new file mode 100644 index 0000000000..823bcf4c62 --- /dev/null +++ b/_security-analytics/log-types-reference/ad-ldap.md @@ -0,0 +1,114 @@ +--- +layout: default +title: AD LDAP +parent: Supported log types +nav_order: 20 +--- + +# AD LDAP + +The `ad_ldap` log type tracks Active Directory logs, such as: + +- Lightweight Directory Access Protocol (LDAP) queries. +- Errors from the LDAP server. +- Timeout events. +- Unsecured LDAP binds. + +The following code snippet contains all `raw_field` and `ecs` mappings for this log type: + +```json + "mappings": [ + { + "raw_field":"TargetUserName", + "ecs":"azure.signinlogs.properties.user_id" + }, + { + "raw_field":"creationTime", + "ecs":"timestamp" + }, + { + "raw_field":"Category", + "ecs":"azure.activitylogs.category" + }, + { + "raw_field":"OperationName", + "ecs":"azure.platformlogs.operation_name" + }, + { + "raw_field":"ModifiedProperties_NewValue", + "ecs":"modified_properties.new_value" + }, + { + "raw_field":"ResourceProviderValue", + "ecs":"azure.resource.provider" + }, + { + "raw_field":"conditionalAccessStatus", + "ecs":"azure.signinlogs.properties.conditional_access_status" + }, + { + "raw_field":"SearchFilter", + "ecs":"SearchFilter" + }, + { + "raw_field":"Operation", + "ecs":"azure.platformlogs.operation_name" + }, + { + "raw_field":"ResultType", + "ecs":"azure.platformlogs.result_type" + }, + { + "raw_field":"DeviceDetail_isCompliant", + "ecs":"azure.signinlogs.properties.device_detail.is_compliant" + }, + { + "raw_field":"ResourceDisplayName", + "ecs":"resource_display_name" + }, + { + "raw_field":"AuthenticationRequirement", + "ecs":"azure.signinlogs.properties.authentication_requirement" + }, + { + "raw_field":"TargetResources", + "ecs":"target_resources" + }, + { + "raw_field":"Workload", + "ecs":"workload" + }, + { + "raw_field":"DeviceDetail.deviceId", + "ecs":"azure.signinlogs.properties.device_detail.device_id" + }, + { + "raw_field":"OperationNameValue", + "ecs":"azure.platformlogs.operation_name" + }, + { + "raw_field":"ResourceId", + "ecs":"azure.signinlogs.properties.resource_id" + }, + { + "raw_field":"ResultDescription", + "ecs":"azure.signinlogs.result_description" + }, + { + "raw_field":"EventID", + "ecs":"EventID" + }, + { + "raw_field":"NetworkLocationDetails", + "ecs":"azure.signinlogs.properties.network_location_details" + }, + { + "raw_field":"CategoryValue", + "ecs":"azure.activitylogs.category" + }, + { + "raw_field":"ActivityDisplayName", + "ecs":"azure.auditlogs.properties.activity_display_name" + } + ] +``` \ No newline at end of file diff --git a/_security-analytics/log-types-reference/apache-access.md b/_security-analytics/log-types-reference/apache-access.md new file mode 100644 index 0000000000..381c13f0bf --- /dev/null +++ b/_security-analytics/log-types-reference/apache-access.md @@ -0,0 +1,10 @@ +--- +layout: default +title: Apache Access +parent: Supported log types +nav_order: 25 +--- + +# Apache Access + +The `apache_access` log type records data for all requests processed by Apache HTTP servers. It contains no `raw_field` or `ecs` mappings. \ No newline at end of file diff --git a/_security-analytics/log-types-reference/azure.md b/_security-analytics/log-types-reference/azure.md new file mode 100644 index 0000000000..f8c9fb18fb --- /dev/null +++ b/_security-analytics/log-types-reference/azure.md @@ -0,0 +1,225 @@ +--- +layout: default +title: Azure +parent: Supported log types +nav_order: 29 +--- + +# Azure + +The `azure` log type monitors log data for cloud applications managed by Azure Cloud Services. + +The following code snippet contains all `raw_field` and `ecs` mappings for this log type: + +```json +"mappings": [ + { + "raw_field":"Resultdescription", + "ecs":"azure.signinlogs.result_description" + }, + { + "raw_field":"eventSource", + "ecs":"eventSource" + }, + { + "raw_field":"eventName", + "ecs":"eventName" + }, + { + "raw_field":"Status", + "ecs":"azure.platformlogs.status" + }, + { + "raw_field":"LoggedByService", + "ecs":"azure.auditlogs.properties.logged_by_service" + }, + { + "raw_field":"properties_message", + "ecs":"properties_message" + }, + { + "raw_field":"status", + "ecs":"azure.platformlogs.status" + }, + { + "raw_field":"TargetUserName", + "ecs":"azure.signinlogs.properties.user_id" + }, + { + "raw_field":"creationTime", + "ecs":"timestamp" + }, + { + "raw_field":"Category", + "ecs":"azure.activitylogs.category" + }, + { + "raw_field":"OperationName", + "ecs":"azure.platformlogs.operation_name" + }, + { + "raw_field":"ModifiedProperties_NewValue", + "ecs":"modified_properties.new_value" + }, + { + "raw_field":"ResourceProviderValue", + "ecs":"azure.resource.provider" + }, + { + "raw_field":"conditionalAccessStatus", + "ecs":"azure.signinlogs.properties.conditional_access_status" + }, + { + "raw_field":"SearchFilter", + "ecs":"search_filter" + }, + { + "raw_field":"Operation", + "ecs":"azure.platformlogs.operation_name" + }, + { + "raw_field":"ResultType", + "ecs":"azure.platformlogs.result_type" + }, + { + "raw_field":"DeviceDetail_isCompliant", + "ecs":"azure.signinlogs.properties.device_detail.is_compliant" + }, + { + "raw_field":"ResourceDisplayName", + "ecs":"resource_display_name" + }, + { + "raw_field":"AuthenticationRequirement", + "ecs":"azure.signinlogs.properties.authentication_requirement" + }, + { + "raw_field":"TargetResources", + "ecs":"target_resources" + }, + { + "raw_field":"Workload", + "ecs":"Workload" + }, + { + "raw_field":"DeviceDetail_deviceId", + "ecs":"azure.signinlogs.properties.device_detail.device_id" + }, + { + "raw_field":"OperationNameValue", + "ecs":"azure.platformlogs.operation_name" + }, + { + "raw_field":"ResourceId", + "ecs":"azure.signinlogs.properties.resource_id" + }, + { + "raw_field":"ResultDescription", + "ecs":"azure.signinlogs.result_description" + }, + { + "raw_field":"EventID", + "ecs":"EventID" + }, + { + "raw_field":"NetworkLocationDetails", + "ecs":"azure.signinlogs.properties.network_location_details" + }, + { + "raw_field":"CategoryValue", + "ecs":"azure.activitylogs.category" + }, + { + "raw_field":"ActivityDisplayName", + "ecs":"azure.auditlogs.properties.activity_display_name" + }, + { + "raw_field":"Initiatedby", + "ecs":"azure.activitylogs.identity.claims_initiated_by_user.name" + }, + { + "raw_field":"Count", + "ecs":"Count" + }, + { + "raw_field":"ResourceTenantId", + "ecs":"azure.signinlogs.properties.resource_tenant_id" + }, + { + "raw_field":"failure_status_reason", + "ecs":"failure_status_reason" + }, + { + "raw_field":"AppId", + "ecs":"azure.signinlogs.properties.app_id" + }, + { + "raw_field":"properties.message", + "ecs":"properties.message" + }, + { + "raw_field":"ClientApp", + "ecs":"azure.signinlogs.properties.client_app_used" + }, + { + "raw_field":"ActivityDetails", + "ecs":"ActivityDetails" + }, + { + "raw_field":"Target", + "ecs":"Target" + }, + { + "raw_field":"DeviceDetail.trusttype", + "ecs":"azure.signinlogs.properties.device_detail.trust_type" + }, + { + "raw_field":"HomeTenantId", + "ecs":"azure.signinlogs.properties.home_tenant_id" + }, + { + "raw_field":"ConsentContext.IsAdminConsent", + "ecs":"ConsentContext.IsAdminConsent" + }, + { + "raw_field":"InitiatedBy", + "ecs":"InitiatedBy" + }, + { + "raw_field":"ActivityType", + "ecs":"azure.auditlogs.properties.activity_display_name" + }, + { + "raw_field":"operationName", + "ecs":"azure.activitylogs.operation_name" + }, + { + "raw_field":"ModifiedProperties{}.NewValue", + "ecs":"modified_properties.new_value" + }, + { + "raw_field":"userAgent", + "ecs":"user_agent.name" + }, + { + "raw_field":"RiskState", + "ecs":"azure.signinlogs.properties.risk_state" + }, + { + "raw_field":"Username", + "ecs":"azure.activitylogs.identity.claims_initiated_by_user.name" + }, + { + "raw_field":"DeviceDetail.deviceId", + "ecs":"azure.signinlogs.properties.device_detail.device_id" + }, + { + "raw_field":"DeviceDetail.isCompliant", + "ecs":"azure.signinlogs.properties.device_detail.is_compliant" + }, + { + "raw_field":"Location", + "ecs":"azure.signinlogs.properties.network_location_details" + } + ] +``` \ No newline at end of file diff --git a/_security-analytics/log-types-reference/cloudtrail.md b/_security-analytics/log-types-reference/cloudtrail.md new file mode 100644 index 0000000000..24edfe10ab --- /dev/null +++ b/_security-analytics/log-types-reference/cloudtrail.md @@ -0,0 +1,232 @@ +--- +layout: default +title: AWS CloudTrail +parent: Supported log types +nav_order: 28 +--- + +# AWS CloudTrail + +The `cloudtrail` log type monitors events from the [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) accounts. OpenSearch can ingest AWS CloudTrail log data from both [Amazon Simple Storage Service](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) (Amazon S3) accounts and [Amazon Security Lake](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html) accounts. + +The following code snippet contains all the `raw_field`, `ecs`, and `ocsf` mappings for this log type: + +```json + "mappings": [ + { + "raw_field":"eventName", + "ecs":"aws.cloudtrail.event_name", + "ocsf": "api.operation" + }, + { + "raw_field":"eventSource", + "ecs":"aws.cloudtrail.event_source", + "ocsf": "api.service.name" + }, + { + "raw_field":"eventVersion", + "ecs":"aws.cloudtrail.event_version", + "ocsf": "metadata.product.version" + }, + { + "raw_field":"eventID", + "ecs":"aws.cloudtrail.event_id", + "ocsf": "metadata.uid" + }, + { + "raw_field":"eventType", + "ecs":"aws.cloudtrail.event_type", + "ocsf": "unmapped.eventType" + }, + { + "raw_field":"eventCategory", + "ecs":"aws.cloudtrail.event_category", + "ocsf": "metadata.product.feature.name" + }, + { + "raw_field":"errorMessage", + "ecs":"aws.cloudtrail.error_message", + "ocsf": "api.response.message" + }, + { + "raw_field":"errorCode", + "ecs":"aws.cloudtrail.error_code", + "ocsf": "api.response.error" + }, + { + "raw_field":"apiVersion", + "ecs":"aws.cloudtrail.api_version", + "ocsf": "api.version" + }, + { + "raw_field":"awsRegion", + "ecs":"aws.cloudtrail.aws_region", + "ocsf": "cloud.region" + }, + { + "raw_field":"additionalEventData.LoginTo", + "ecs":"aws.cloudtrail.additional_event_data.loginTo", + "ocsf": "dst_endpoint.svc_name" + }, + { + "raw_field":"additionalEventData.MFAUsed", + "ecs":"aws.cloudtrail.additional_event_data.mfaUsed", + "ocsf": "mfa" + }, + { + "raw_field":"responseElements", + "ecs":"aws.cloudtrail.response_elements.text", + "ocsf": "unmapped.responseElements" + }, + { + "raw_field":"requestID", + "ecs":"aws.cloudtrail.request_id", + "ocsf": "api.request.uid" + }, + { + "raw_field":"sourceIPAddress", + "ecs":"aws.cloudtrail.source_ip_address", + "ocsf": "src_endpoint.ip" + }, + { + "raw_field":"userAgent", + "ecs":"aws.cloudtrail.user_agent", + "ocsf": "http_request.user_agent" + }, + { + "raw_field":"vpcEndpointId", + "ecs":"aws.cloudtrail.vpc_endpoint_id", + "ocsf": "src_endpoint.uid" + }, + { + "raw_field":"responseElements.pendingModifiedValues.masterUserPassword", + "ecs":"aws.cloudtrail.response_elements.pending_modified_values.master_user_password", + "ocsf": "unmapped.responseElements.pendingModifiedValues.masterUserPassword" + }, + { + "raw_field":"responseElements.publiclyAccessible", + "ecs":"aws.cloudtrail.response_elements.publicly_accessible", + "ocsf": "unmapped.responseElements.publiclyAccessible" + }, + { + "raw_field":"responseElements.ConsoleLogin", + "ecs":"aws.cloudtrail.response_elements.publicly_accessible", + "ocsf": "status_id" + }, + { + "raw_field":"requestParameters.arn", + "ecs":"aws.cloudtrail.request_parameters.arn", + "ocsf": "unmapped.requestParameters.arn" + }, + { + "raw_field":"requestParameters.attribute", + "ecs":"aws.cloudtrail.request_parameters.attribute", + "ocsf": "unmapped.requestParameters.attribute" + }, + { + "raw_field":"requestParameters.userName", + "ecs":"aws.cloudtrail.request_parameters.username", + "ocsf": "unmapped.requestParameters.userName" + }, + { + "raw_field":"requestParameters.roleArn", + "ecs":"aws.cloudtrail.request_parameters.roleArn", + "ocsf": "user.uuid" + }, + { + "raw_field":"requestParameters.roleSessionName", + "ecs":"aws.cloudtrail.request_parameters.roleSessionName", + "ocsf": "user.name" + }, + { + "raw_field":"requestParameters.containerDefinitions.command", + "ecs":"aws.cloudtrail.request_parameters.container_definitions.command", + "ocsf": "unmapped.requestParameters.containerDefinitions.command" + }, + { + "raw_field":"userIdentity.type", + "ecs":"aws.cloudtrail.user_identity.type", + "ocsf": "actor.user.type" + }, + { + "raw_field":"userIdentity.principalId", + "ecs":"aws.cloudtrail.user_identity.principalId", + "ocsf": "actor.user.uid" + }, + { + "raw_field":"userIdentity.arn", + "ecs":"aws.cloudtrail.user_identity.arn", + "ocsf": "actor.user.uuid" + }, + { + "raw_field":"userIdentity.accountId", + "ecs":"aws.cloudtrail.user_identity.accountId", + "ocsf": "actor.user.account_uid" + }, + { + "raw_field":"userIdentity.accessKeyId", + "ecs":"aws.cloudtrail.user_identity.accessKeyId", + "ocsf": "actor.user.credential_uid" + }, + { + "raw_field":"userIdentity.identityProvider", + "ecs":"aws.cloudtrail.user_identity.identityProvider", + "ocsf": "actor.idp.name" + }, + { + "raw_field":"userIdentity.userName", + "ecs":"aws.cloudtrail.user_identity.userName", + "ocsf": "actor.user.name" + }, + { + "raw_field":"userIdentity.invokedBy", + "ecs":"aws.cloudtrail.user_identity.invokedBy", + "ocsf": "actor.invoked_by" + }, + { + "raw_field":"userIdentity.sessionContext.sessionIssuer.type", + "ecs":"aws.cloudtrail.user_identity.session_context.session_issuer.type", + "ocsf": "unmapped.userIdentity.sessionContext.sessionIssuer.type" + }, + { + "raw_field":"userIdentity.sessionContext.sessionIssuer.arn", + "ecs":"aws.cloudtrail.user_identity.session_context.session_issuer.arn", + "ocsf": "actor.session.issuer" + }, + { + "raw_field":"userIdentity.sessionContext.attributes.creationDate", + "ecs":"aws.cloudtrail.user_identity.session_context.attributes.creationDate", + "ocsf": "actor.session.created_time" + }, + { + "raw_field":"userIdentity.sessionContext.attributes.mfaAuthenticated", + "ecs":"aws.cloudtrail.user_identity.session_context.attributes.mfaAuthenticated", + "ocsf": "actor.session.mfa" + }, + { + "raw_field":"userIdentity.webIdFederationData.federatedProvider", + "ecs":"aws.cloudtrail.user_identity.web_id_federation_data.federatedProvider", + "ocsf": "actor.idp.name" + }, + { + "raw_field":"resources[].ARN", + "ecs":"aws.cloudtrail.resources.ARN", + "ocsf": "resources[].uid" + }, + { + "raw_field":"resources[].accountId", + "ecs":"aws.cloudtrail.resources.account_uid", + "ocsf": "resources[].account_uid" + }, + { + "raw_field":"resources[].type", + "ecs":"aws.cloudtrail.resources.type", + "ocsf": "resources[].type" + }, + { + "raw_field":"eventTime", + "ecs":"timestamp", + "ocsf": "time" + } + ] +``` \ No newline at end of file diff --git a/_security-analytics/log-types-reference/dns.md b/_security-analytics/log-types-reference/dns.md new file mode 100644 index 0000000000..2e10868d17 --- /dev/null +++ b/_security-analytics/log-types-reference/dns.md @@ -0,0 +1,127 @@ +--- +layout: default +title: DNS +parent: Supported log types +nav_order: 35 +--- + +# DNS + +The `dns` log type stores DNS activity. + +The following code snippet contains all the `raw_field`, `ecs`, and `ocsf` mappings for this log type: + +```json + "mappings": [ + { + "raw_field":"record_type", + "ecs":"dns.answers.type", + "ocsf": "unmapped.record_type" + }, + { + "raw_field":"answers[].Type", + "ecs":"aws.route53.answers.Type", + "ocsf": "answers[].type" + }, + { + "raw_field":"answers[].Rdata", + "ecs":"aws.route53.answers.Rdata", + "ocsf": "answers[].rdata" + }, + { + "raw_field":"answers[].Class", + "ecs":"aws.route53.answers.Class", + "ocsf": "answers[].class" + }, + { + "raw_field":"query", + "ecs":"dns.question.name", + "ocsf": "unmapped.query" + }, + { + "raw_field":"query_name", + "ecs":"aws.route53.query_name", + "ocsf": "query.hostname" + }, + { + "raw_field":"parent_domain", + "ecs":"dns.question.registered_domain", + "ocsf": "unmapped.parent_domain" + }, + { + "raw_field":"version", + "ecs":"aws.route53.version", + "ocsf": "metadata.product.version" + }, + { + "raw_field":"account_id", + "ecs":"aws.route53.account_id", + "ocsf": "cloud.account_uid" + }, + { + "raw_field":"region", + "ecs":"aws.route53.region", + "ocsf": "cloud.region" + }, + { + "raw_field":"vpc_id", + "ecs":"aws.route53.vpc_id", + "ocsf": "src_endpoint.vpc_uid" + }, + { + "raw_field":"query_timestamp", + "ecs":"aws.route53.query_timestamp", + "ocsf": "time" + }, + { + "raw_field":"query_class", + "ecs":"aws.route53.query_class", + "ocsf": "query.class" + }, + { + "raw_field":"query_type", + "ecs":"aws.route53.query_type", + "ocsf": "query.type" + }, + { + "raw_field":"srcaddr", + "ecs":"aws.route53.srcaddr", + "ocsf": "src_endpoint.ip" + }, + { + "raw_field":"srcport", + "ecs":"aws.route53.srcport", + "ocsf": "src_endpoint.port" + }, + { + "raw_field":"transport", + "ecs":"aws.route53.transport", + "ocsf": "connection_info.protocol_name" + }, + { + "raw_field":"srcids.instance", + "ecs":"aws.route53.srcids.instance", + "ocsf": "src_endpoint.instance_uid" + }, + { + "raw_field":"srcids.resolver_endpoint", + "ecs":"aws.route53.srcids.resolver_endpoint", + "ocsf": "dst_endpoint.instance_uid" + }, + { + "raw_field":"srcids.resolver_network_interface", + "ecs":"aws.route53.srcids.resolver_network_interface", + "ocsf": "dst_endpoint.interface_uid" + }, + { + "raw_field":"firewall_rule_action", + "ecs":"aws.route53.srcids.firewall_rule_action", + "ocsf": "disposition_id" + }, + { + "raw_field":"creationTime", + "ecs":"timestamp", + "ocsf": "unmapped.creationTime" + } + ] +``` \ No newline at end of file diff --git a/_security-analytics/log-types-reference/github.md b/_security-analytics/log-types-reference/github.md new file mode 100644 index 0000000000..fd0b4067e0 --- /dev/null +++ b/_security-analytics/log-types-reference/github.md @@ -0,0 +1,21 @@ +--- +layout: default +title: GitHub +parent: Supported log types +nav_order: 40 +--- + +# GitHub + +The `github` log type monitors workflows created by [GitHub Actions](https://docs.github.com/en/actions/learn-github-actions/understanding-github-actions). + +The following code snippet contains all the `raw_field` and `ecs` mappings for this log type: + +```json + "mappings": [ + { + "raw_field":"action", + "ecs":"github.action" + } + ] +``` \ No newline at end of file diff --git a/_security-analytics/log-types-reference/gworkspace.md b/_security-analytics/log-types-reference/gworkspace.md new file mode 100644 index 0000000000..43172f684a --- /dev/null +++ b/_security-analytics/log-types-reference/gworkspace.md @@ -0,0 +1,33 @@ +--- +layout: default +title: Google Workspace +parent: Supported log types +nav_order: 45 +--- + +# Google Workspace + +The `gworkspace` log type monitors Google Workspace log entries, such as the following: + +- Admin actions +- Group and group membership actions +- Events related to logins + +The following code snippet contains all the `raw_field` and `ecs` mappings for this log type: + +```json + "mappings": [ + { + "raw_field":"eventSource", + "ecs":"google_workspace.admin.service.name" + }, + { + "raw_field":"eventName", + "ecs":"google_workspace.event.name" + }, + { + "raw_field":"new_value", + "ecs":"google_workspace.admin.new_value" + } + ] +``` \ No newline at end of file diff --git a/_security-analytics/log-types-reference/index.md b/_security-analytics/log-types-reference/index.md new file mode 100644 index 0000000000..bd98bb3982 --- /dev/null +++ b/_security-analytics/log-types-reference/index.md @@ -0,0 +1,17 @@ +--- +layout: default +title: Supported log types +has_children: yes +nav_order: 16 +redirect_from: + - /security-analytics/sec-analytics-config/log-types/ +--- + +# Supported log types + +Logs contain raw data about events that happen throughout a system and within its separate parts. This reference describes the standard log types supported by Security Analytics and the automatic mappings they contain. + +For more information about field mappings, refer to the [About field mappings]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types#about-field-mappings) section in the [Working with log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types/) documentation. + +For more information about log types and detectors, refer to the [Creating detectors]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/detectors-config/) documentation. + diff --git a/_security-analytics/log-types-reference/linux.md b/_security-analytics/log-types-reference/linux.md new file mode 100644 index 0000000000..ed18e8f8bc --- /dev/null +++ b/_security-analytics/log-types-reference/linux.md @@ -0,0 +1,73 @@ +--- +layout: default +title: Linux +parent: Supported log types +nav_order: 50 +--- + +# Linux + +The `linux` log type records Linux syslog events. + +The following code snippet contains all the `raw_field` and `ecs` mappings for this log type: + +```json + "mappings": [ + { + "raw_field":"name", + "ecs":"user.filesystem.name" + }, + { + "raw_field":"a0", + "ecs":"auditd.log.a0" + }, + { + "raw_field":"comm", + "ecs":"auditd.log.comm" + }, + { + "raw_field":"exe", + "ecs":"auditd.log.exe" + }, + { + "raw_field":"uid", + "ecs":"auditd.log.uid" + }, + { + "raw_field":"USER", + "ecs":"system.auth.user" + }, + { + "raw_field":"User", + "ecs":"system.auth.user" + }, + { + "raw_field":"Image", + "ecs":"process.exe" + }, + { + "raw_field":"DestinationHostname", + "ecs":"rsa.web.remote_domain" + }, + { + "raw_field":"CommandLine", + "ecs":"process.command_line" + }, + { + "raw_field":"ParentImage", + "ecs":"process.parent.executable" + }, + { + "raw_field":"CurrentDirectory", + "ecs":"process.working_directory" + }, + { + "raw_field":"LogonId", + "ecs":"process.real_user.id" + }, + { + "raw_field":"creationTime", + "ecs":"timestamp" + } + ] +``` \ No newline at end of file diff --git a/_security-analytics/log-types-reference/m365.md b/_security-analytics/log-types-reference/m365.md new file mode 100644 index 0000000000..679ffc3137 --- /dev/null +++ b/_security-analytics/log-types-reference/m365.md @@ -0,0 +1,39 @@ +--- +layout: default +title: Microsoft 365 +parent: Supported log types +nav_order: 55 +--- + +# Microsoft 365 + +The `m365` log type collects a range of data for Microsoft 365, such as the following: + +- Records from call details +- Performance data +- SQL Server events +- Security events +- Access control activity + +The following code snippet contains all the `raw_field` and `ecs` mappings for this log type: + +```json +"mappings": [ + { + "raw_field":"eventSource", + "ecs":"rsa.misc.event_source" + }, + { + "raw_field":"eventName", + "ecs":"rsa.misc.event_desc" + }, + { + "raw_field":"status", + "ecs":"rsa.misc.status" + }, + { + "raw_field":"Payload", + "ecs":"rsa.misc.payload_dst" + } + ] +``` \ No newline at end of file diff --git a/_security-analytics/log-types-reference/netflow.md b/_security-analytics/log-types-reference/netflow.md new file mode 100644 index 0000000000..8e920ab494 --- /dev/null +++ b/_security-analytics/log-types-reference/netflow.md @@ -0,0 +1,45 @@ +--- +layout: default +title: NetFlow +parent: Supported log types +nav_order: 60 +--- + +# NetFlow + +The `netflow` log type records NetFlow events used during integration testing. + +The following code snippet contains all the `raw_field` and `ecs` mappings for this log type: + +```json +"mappings": [ + { + "raw_field":"netflow.source_ipv4_address", + "ecs":"source.ip" + }, + { + "raw_field":"netflow.source_transport_port", + "ecs":"source.port" + }, + { + "raw_field":"netflow.destination_ipv4_address", + "ecs":"destination.ip" + }, + { + "raw_field":"netflow.destination_transport_port", + "ecs":"destination.port" + }, + { + "raw_field":"http.request.method", + "ecs":"http.request.method" + }, + { + "raw_field":"http.response.status_code", + "ecs":"http.response.status_code" + }, + { + "raw_field":"timestamp", + "ecs":"timestamp" + } + ] +``` \ No newline at end of file diff --git a/_security-analytics/log-types-reference/network.md b/_security-analytics/log-types-reference/network.md new file mode 100644 index 0000000000..11a9e7c9c8 --- /dev/null +++ b/_security-analytics/log-types-reference/network.md @@ -0,0 +1,145 @@ +--- +layout: default +title: Network +parent: Supported log types +nav_order: 70 +--- + +# Network + +The `network` log type records events that happen in a system's network, such as login attempts and application events. + +The following code snippet contains all the `raw_field` and `ecs` mappings for this log type: + +```json + "mappings": [ + { + "raw_field":"action", + "ecs":"netflow.firewall_event" + }, + { + "raw_field":"certificate.serial", + "ecs":"zeek.x509.certificate.serial" + }, + { + "raw_field":"name", + "ecs":"zeek.smb_files.name" + }, + { + "raw_field":"path", + "ecs":"zeek.smb_files.path" + }, + { + "raw_field":"dst_port", + "ecs":"destination.port" + }, + { + "raw_field":"qtype_name", + "ecs":"zeek.dns.qtype_name" + }, + { + "raw_field":"operation", + "ecs":"zeek.dce_rpc.operation" + }, + { + "raw_field":"endpoint", + "ecs":"zeek.dce_rpc.endpoint" + }, + { + "raw_field":"zeek.dce_rpc.endpoint", + "ecs":"zeek.dce_rpc.endpoint" + }, + { + "raw_field":"answers", + "ecs":"zeek.dns.answers" + }, + { + "raw_field":"query", + "ecs":"zeek.dns.query" + }, + { + "raw_field":"client_header_names", + "ecs":"zeek.http.client_header_names" + }, + { + "raw_field":"resp_mime_types", + "ecs":"zeek.http.resp_mime_types" + }, + { + "raw_field":"cipher", + "ecs":"zeek.kerberos.cipher" + }, + { + "raw_field":"request_type", + "ecs":"zeek.kerberos.request_type" + }, + { + "raw_field":"creationTime", + "ecs":"timestamp" + }, + { + "raw_field":"method", + "ecs":"http.request.method" + }, + { + "raw_field":"id.resp_p", + "ecs":"id.resp_p" + }, + { + "raw_field":"blocked", + "ecs":"blocked-flag" + }, + { + "raw_field":"id.orig_h", + "ecs":"id.orig_h" + }, + { + "raw_field":"Z", + "ecs":"Z-flag" + }, + { + "raw_field":"id.resp_h", + "ecs":"id.resp_h" + }, + { + "raw_field":"uri", + "ecs":"url.path" + }, + { + "raw_field":"c-uri", + "ecs":"url.path" + }, + { + "raw_field":"c-useragent", + "ecs":"user_agent.name" + }, + { + "raw_field":"status_code", + "ecs":"http.response.status_code" + }, + { + "raw_field":"rejected", + "ecs":"rejected" + }, + { + "raw_field":"dst_ip", + "ecs":"destination.ip" + }, + { + "raw_field":"src_ip", + "ecs":"source.ip" + }, + { + "raw_field":"user_agent", + "ecs":"user_agent.name" + }, + { + "raw_field":"request_body_len", + "ecs":"http.request.body.bytes" + }, + { + "raw_field":"service", + "ecs":"service" + } + ] +``` \ No newline at end of file diff --git a/_security-analytics/log-types-reference/okta.md b/_security-analytics/log-types-reference/okta.md new file mode 100644 index 0000000000..72097f0741 --- /dev/null +++ b/_security-analytics/log-types-reference/okta.md @@ -0,0 +1,25 @@ +--- +layout: default +title: Okta +parent: Supported log types +nav_order: 80 +--- + +# Okta + +The `okta` log type records Okta events generated from a range of actions, such as downloading an export file, requesting application access, or revoking privileges. + +The following code snippet contains all the `raw_field` and `ecs` mappings for this log type: + +```json + "mappings": [ + { + "raw_field":"eventtype", + "ecs":"okta.event_type" + }, + { + "raw_field":"displaymessage", + "ecs":"okta.display_message" + } + ] +``` \ No newline at end of file diff --git a/_security-analytics/log-types-reference/other.md b/_security-analytics/log-types-reference/other.md new file mode 100644 index 0000000000..acf23c10c0 --- /dev/null +++ b/_security-analytics/log-types-reference/other.md @@ -0,0 +1,40 @@ +--- +layout: default +title: Other log type mappings +parent: Supported log types +nav_order: 110 +--- + +# Other log type mappings + +Security Analytics supports field mappings that are not specific to a single service or system. These mapping types are separated into the following categories: + +- Application: Records application logs. +- Advanced Persistent Threat (APT): Records logs commonly associated with APT attacks. +- Compliance: Records logs related to compliance. +- macOS: Records event logs when using a Mac device to access a network. +- Proxy: Records logs related to proxy events. +- Web: Records logs related to network access from the web. + +Each log type contains the same field mappings, as shown in the following code snippet: + +```json + "mappings": [ + { + "raw_field":"record_type", + "ecs":"dns.answers.type" + }, + { + "raw_field":"query", + "ecs":"dns.question.name" + }, + { + "raw_field":"parent_domain", + "ecs":"dns.question.registered_domain" + }, + { + "raw_field":"creationTime", + "ecs":"timestamp" + } + ] +``` \ No newline at end of file diff --git a/_security-analytics/log-types-reference/s3.md b/_security-analytics/log-types-reference/s3.md new file mode 100644 index 0000000000..945370031e --- /dev/null +++ b/_security-analytics/log-types-reference/s3.md @@ -0,0 +1,29 @@ +--- +layout: default +title: Amazon S3 +parent: Supported log types +nav_order: 24 +--- + +# Amazon S3 + +The `s3` log type tracks network requests for access to Amazon S3 buckets. + +The following code snippet contains all the `raw_field` and `ecs` mappings for this log type: + +```json + "mappings": [ + { + "raw_field":"eventName", + "ecs":"aws.cloudtrail.event_name" + }, + { + "raw_field":"eventSource", + "ecs":"aws.cloudtrail.event_source" + }, + { + "raw_field":"eventTime", + "ecs":"timestamp" + } + ] +``` \ No newline at end of file diff --git a/_security-analytics/log-types-reference/vpc.md b/_security-analytics/log-types-reference/vpc.md new file mode 100644 index 0000000000..781bef16a9 --- /dev/null +++ b/_security-analytics/log-types-reference/vpc.md @@ -0,0 +1,143 @@ +--- +layout: default +title: VPC Flow +parent: Supported log types +nav_order: 90 +--- + +# VPC Flow + +The `vpcflow` log type records data about the IP traffic flowing to and from the network interfaces within a virtual private cloud (VPC). This data is stored using the [VPC Flow Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html) feature. + +The following code snippet contains all the `raw_field`, `ecs`, and `ocsf` mappings for this log type: + +```json + "mappings": [ + { + "raw_field":"version", + "ecs":"netflow.version", + "ocsf": "metadata.product.version" + }, + { + "raw_field":"account_id", + "ecs":"netflow.account_id", + "ocsf": "cloud.account_uid" + }, + { + "raw_field":"region", + "ecs":"netflow.region", + "ocsf": "cloud.region" + }, + { + "raw_field":"az_id", + "ecs":"netflow.az_id", + "ocsf": "cloud.zone" + }, + { + "raw_field":"srcport", + "ecs":"netflow.srcport", + "ocsf": "src_endpoint.port" + }, + { + "raw_field":"dstport", + "ecs":"netflow.dstport", + "ocsf": "dst_endpoint.port" + }, + { + "raw_field":"protocol", + "ecs":"netflow.protocol", + "ocsf": "connection_info.protocol_num" + }, + { + "raw_field":"packets", + "ecs":"netflow.packets", + "ocsf": "traffic.packets" + }, + { + "raw_field":"bytes", + "ecs":"netflow.bytes", + "ocsf": "traffic.bytes" + }, + { + "raw_field":"end", + "ecs":"netflow.end", + "ocsf": "end_time" + }, + { + "raw_field":"tcp_flags", + "ecs":"netflow.tcp_flags", + "ocsf": "connection_info.tcp_flags" + }, + { + "raw_field":"protocol_ver", + "ecs":"netflow.protocol_ver", + "ocsf": "connection_info.protocol_ver" + }, + { + "raw_field":"pkt_src_aws_service", + "ecs":"netflow.pkt_src_aws_service", + "ocsf": "src_endpoint.svc_name" + }, + { + "raw_field":"pkt_dst_aws_service", + "ecs":"netflow.pkt_dst_aws_service", + "ocsf": "dst_endpoint.svc_name" + }, + { + "raw_field":"log_status", + "ecs":"netflow.log_status", + "ocsf": "status_code" + }, + { + "raw_field":"action", + "ecs":"netflow.action", + "ocsf": "disposition_id" + }, + { + "raw_field":"traffic_path", + "ecs":"netflow.traffic_path", + "ocsf": "boundary_id" + }, + { + "raw_field":"flow_direction", + "ecs":"netflow.flow_direction", + "ocsf": "connection_info.direction_id" + }, + { + "raw_field":"dstaddr", + "ecs":"netflow.dstaddr", + "ocsf": "dst_endpoint.ip" + }, + { + "raw_field":"srcaddr", + "ecs":"netflow.srcaddr", + "ocsf": "src_endpoint.ip" + }, + { + "raw_field":"interface_id", + "ecs":"netflow.interface_id", + "ocsf": "dst_endpoint.interface_uid" + }, + { + "raw_field":"vpc_id", + "ecs":"netflow.vpc_id", + "ocsf": "dst_endpoint.vpc_uid" + }, + { + "raw_field":"instance_id", + "ecs":"netflow.instance_id", + "ocsf": "dst_endpoint.instance_uid" + }, + { + "raw_field":"subnet_id", + "ecs":"netflow.subnet_id", + "ocsf": "dst_endpoint.subnet_uid" + }, + { + "raw_field":"start", + "ecs":"timestamp", + "ocsf": "time" + } + ] +``` + diff --git a/_security-analytics/log-types-reference/waf.md b/_security-analytics/log-types-reference/waf.md new file mode 100644 index 0000000000..ffa8c45e95 --- /dev/null +++ b/_security-analytics/log-types-reference/waf.md @@ -0,0 +1,63 @@ +--- +layout: default +title: WAF +parent: Supported log types +nav_order: 95 +--- + +The `waf` log type monitors web application firewall (WAF) logs. The role of a WAF is to monitor and filter HTTP traffic flowing between a web application and the internet. A WAF prevents common security attacks, such as cross-site scripting (XSS) and SQL injection (SQLi). + +The following code snippet contains all the `raw_field` and `ecs` mappings for this log type: + +```json + "mappings": [ + { + "raw_field":"cs-method", + "ecs":"waf.request.method" + }, + { + "raw_field":"httpRequest.httpMethod", + "ecs":"waf.request.method" + }, + { + "raw_field":"cs-uri-query", + "ecs":"waf.request.uri_query" + }, + { + "raw_field":"httpRequest.uri", + "ecs":"waf.request.uri_query" + }, + { + "raw_field":"httpRequest.args", + "ecs":"waf.request.uri_query" + }, + { + "raw_field":"cs-user-agent", + "ecs":"waf.request.headers.user_agent" + }, + { + "raw_field":"httpRequest.headers", + "ecs":"waf.request.headers" + }, + { + "raw_field":"sc-status", + "ecs":"waf.response.code" + }, + { + "raw_field":"responseCodeSent", + "ecs":"waf.response.code" + }, + { + "raw_field":"timestamp", + "ecs":"timestamp" + }, + { + "raw_field":"httpRequest.headers.value", + "ecs":"waf.request.headers.value" + }, + { + "raw_field":"httpRequest.headers.name", + "ecs":"waf.request.headers.name" + } + ] +``` \ No newline at end of file diff --git a/_security-analytics/log-types-reference/windows.md b/_security-analytics/log-types-reference/windows.md new file mode 100644 index 0000000000..e5eef0b0ee --- /dev/null +++ b/_security-analytics/log-types-reference/windows.md @@ -0,0 +1,845 @@ +--- +layout: default +title: Windows +parent: Supported log types +nav_order: 100 +--- + +# Windows + +The `windows` log type records events that happen in Windows applications, system services, and the Windows operating system. + +The following code snippet contains all the `raw_field` and `ecs` mappings for this log type: + +```json + "mappings":[ + { + "raw_field":"AccountName", + "ecs":"winlog.computerObject.name" + }, + { + "raw_field":"AuthenticationPackageName", + "ecs":"winlog.event_data.AuthenticationPackageName" + }, + { + "raw_field":"Channel", + "ecs":"winlog.channel" + }, + { + "raw_field":"Company", + "ecs":"winlog.event_data.Company" + }, + { + "raw_field":"ComputerName", + "ecs":"winlog.computer_name" + }, + { + "raw_field":"Description", + "ecs":"winlog.event_data.Description" + }, + { + "raw_field":"Details", + "ecs":"winlog.event_data.Detail" + }, + { + "raw_field":"Device", + "ecs":"winlog.event_data.Device" + }, + { + "raw_field":"FileName", + "ecs":"winlog.event_data.FileName" + }, + { + "raw_field":"FileVersion", + "ecs":"winlog.event_data.FileVersion" + }, + { + "raw_field":"IntegrityLevel", + "ecs":"winlog.event_data.IntegrityLevel" + }, + { + "raw_field":"IpAddress", + "ecs":"winlog.event_data.IpAddress" + }, + { + "raw_field":"KeyLength", + "ecs":"winlog.event_data.KeyLength" + }, + { + "raw_field":"Keywords", + "ecs":"winlog.keywords" + }, + { + "raw_field":"LogonId", + "ecs":"winlog.event_data.LogonId" + }, + { + "raw_field":"LogonProcessName", + "ecs":"winlog.event_data.LogonProcessName" + }, + { + "raw_field":"LogonType", + "ecs":"winlog.event_data.LogonType" + }, + { + "raw_field":"OriginalFilename", + "ecs":"winlog.event_data.OriginalFileName" + }, + { + "raw_field":"Path", + "ecs":"winlog.event_data.Path" + }, + { + "raw_field":"PrivilegeList", + "ecs":"winlog.event_data.PrivilegeList" + }, + { + "raw_field":"ProcessId", + "ecs":"winlog.event_data.ProcessId" + }, + { + "raw_field":"Product", + "ecs":"winlog.event_data.Product" + }, + { + "raw_field":"Provider", + "ecs":"winlog.provider_name" + }, + { + "raw_field":"ProviderName", + "ecs":"winlog.provider_name" + }, + { + "raw_field":"ScriptBlockText", + "ecs":"winlog.event_data.ScriptBlockText" + }, + { + "raw_field":"ServerName", + "ecs":"winlog.event_data.TargetServerName" + }, + { + "raw_field":"Service", + "ecs":"winlog.event_data.ServiceName" + }, + { + "raw_field":"Signed", + "ecs":"winlog.event_data.Signed" + }, + { + "raw_field":"State", + "ecs":"winlog.event_data.State" + }, + { + "raw_field":"Status", + "ecs":"winlog.event_data.Status" + }, + { + "raw_field":"SubjectDomainName", + "ecs":"winlog.event_data.SubjectDomainName" + }, + { + "raw_field":"SubjectLogonId", + "ecs":"winlog.event_data.SubjectLogonId" + }, + { + "raw_field":"SubjectUserName", + "ecs":"winlog.event_data.SubjectUserName" + }, + { + "raw_field":"SubjectUserSid", + "ecs":"winlog.event_data.SubjectUserSid" + }, + { + "raw_field":"TargetLogonId", + "ecs":"winlog.event_data.TargetLogonId" + }, + { + "raw_field":"TargetName", + "ecs":"winlog.event_data.TargetUserName" + }, + { + "raw_field":"TargetServerName", + "ecs":"winlog.event_data.TargetServerName" + }, + { + "raw_field":"TargetUserName", + "ecs":"winlog.event_data.TargetUserName" + }, + { + "raw_field":"TargetUserSid", + "ecs":"winlog.event_data.TargetUserSid" + }, + { + "raw_field":"TaskName", + "ecs":"winlog.task" + }, + { + "raw_field":"Type", + "ecs":"winlog.user.type" + }, + { + "raw_field":"User", + "ecs":"winlog.user.name" + }, + { + "raw_field":"UserName", + "ecs":"winlog.user.name" + }, + { + "raw_field":"Workstation", + "ecs":"winlog.event_data.Workstation" + }, + { + "raw_field":"WorkstationName", + "ecs":"winlog.event_data.Workstation" + }, + { + "raw_field":"event_uid", + "ecs":"winlog.event_id" + }, + { + "raw_field":"CommandLine", + "ecs":"process.command_line" + }, + { + "raw_field":"hostname", + "ecs":"host.hostname" + }, + { + "raw_field":"message", + "ecs":"windows.message" + }, + { + "raw_field":"Provider_Name", + "ecs":"winlog.provider_name" + }, + { + "raw_field":"EventId", + "ecs":"winlog.event_id" + }, + { + "raw_field":"processPath", + "ecs":"winlog.event_data.ProcessPath" + }, + { + "raw_field":"ProcessName", + "ecs":"winlog.event_data.ProcessName" + }, + { + "raw_field":"ObjectName", + "ecs":"winlog.computerObject.name" + }, + { + "raw_field":"param1", + "ecs":"winlog.event_data.param1" + }, + { + "raw_field":"param2", + "ecs":"winlog.event_data.param2" + }, + { + "raw_field":"creationTime", + "ecs":"timestamp" + }, + { + "raw_field":"Origin", + "ecs":"winlog.event_data.Origin" + }, + { + "raw_field":"ParentImage", + "ecs":"winlog.event_data.ParentImage" + }, + { + "raw_field":"TargetPort", + "ecs":"winlog.event_data.TargetPort" + }, + { + "raw_field":"Query", + "ecs":"winlog.event_data.Query" + }, + { + "raw_field":"DestinationPort", + "ecs":"destination.port" + }, + { + "raw_field":"StartAddress", + "ecs":"winlog.event_data.StartAddress" + }, + { + "raw_field":"TicketOptions", + "ecs":"winlog.event_data.TicketOptions" + }, + { + "raw_field":"ParentCommandLine", + "ecs":"winlog.event_data.ParentCommandLine" + }, + { + "raw_field":"AllowedToDelegateTo", + "ecs":"winlog.event_data.AllowedToDelegateTo" + }, + { + "raw_field":"HostApplication", + "ecs":"winlog.event_data.HostApplication" + }, + { + "raw_field":"AccessMask", + "ecs":"winlog.event_data.AccessMask" + }, + { + "raw_field":"Hashes", + "ecs":"winlog.event_data.Hashes" + }, + { + "raw_field":"SidHistory", + "ecs":"winlog.event_data.SidHistory" + }, + { + "raw_field":"Initiated", + "ecs":"winlog.event_data.Initiated" + }, + { + "raw_field":"DestinationIp", + "ecs":"destination.ip" + }, + { + "raw_field":"RelativeTargetName", + "ecs":"winlog.event_data.RelativeTargetName" + }, + { + "raw_field":"Source_Name", + "ecs":"winlog.event_data.Source_Name" + }, + { + "raw_field":"AttributeLDAPDisplayName", + "ecs":"winlog.event_data.AttributeLDAPDisplayName" + }, + { + "raw_field":"DeviceDescription", + "ecs":"winlog.event_data.DeviceDescription" + }, + { + "raw_field":"AttributeValue", + "ecs":"winlog.event_data.AttributeValue" + }, + { + "raw_field":"ObjectValueName", + "ecs":"winlog.event_data.ObjectValueName" + }, + { + "raw_field":"QueryStatus", + "ecs":"winlog.event_data.QueryStatus" + }, + { + "raw_field":"TargetParentProcessId", + "ecs":"winlog.event_data.TargetParentProcessId" + }, + { + "raw_field":"OldUacValue", + "ecs":"winlog.event_data.OldUacValue" + }, + { + "raw_field":"FailureCode", + "ecs":"winlog.event_data.FailureCode" + }, + { + "raw_field":"OldTargetUserName", + "ecs":"winlog.event_data.OldTargetUserName" + }, + { + "raw_field":"NewUacValue", + "ecs":"winlog.event_data.NewUacValue" + }, + { + "raw_field":"ServiceName", + "ecs":"winlog.event_data.ServiceName" + }, + { + "raw_field":"Imphash", + "ecs":"winlog.event_data.Imphash" + }, + { + "raw_field":"NewValue", + "ecs":"winlog.event_data.NewValue" + }, + { + "raw_field":"Action", + "ecs":"winlog.event_data.Action" + }, + { + "raw_field":"SourceImage", + "ecs":"winlog.event_data.SourceImage" + }, + { + "raw_field":"QNAME", + "ecs":"winlog.event_data.QNAME" + }, + { + "raw_field":"Properties", + "ecs":"winlog.event_data.Properties" + }, + { + "raw_field":"AuditPolicyChanges", + "ecs":"winlog.event_data.AuditPolicyChanges" + }, + { + "raw_field":"Accesses", + "ecs":"winlog.event_data.Accesses" + }, + { + "raw_field":"ClassName", + "ecs":"winlog.event_data.ClassName" + }, + { + "raw_field":"ObjectClass", + "ecs":"winlog.event_data.ObjectClass" + }, + { + "raw_field":"PipeName", + "ecs":"winlog.event_data.PipeName" + }, + { + "raw_field":"HiveName", + "ecs":"winlog.event_data.HiveName" + }, + { + "raw_field":"StartModule", + "ecs":"winlog.event_data.StartModule" + }, + { + "raw_field":"HostVersion", + "ecs":"winlog.event_data.HostVersion" + }, + { + "raw_field":"DestinationHostname", + "ecs":"winlog.event_data.DestinationHostname" + }, + { + "raw_field":"QueryName", + "ecs":"winlog.event_data.QueryName" + }, + { + "raw_field":"RemoteName", + "ecs":"winlog.event_data.RemoteName" + }, + { + "raw_field":"PasswordLastSet", + "ecs":"winlog.event_data.PasswordLastSet" + }, + { + "raw_field":"ErrorCode", + "ecs":"winlog.event_data.ErrorCode" + }, + { + "raw_field":"AccessList", + "ecs":"winlog.event_data.AccessList" + }, + { + "raw_field":"Address", + "ecs":"winlog.event_data.Address" + }, + { + "raw_field":"PossibleCause", + "ecs":"winlog.event_data.PossibleCause" + }, + { + "raw_field":"DestPort", + "ecs":"destination.port" + }, + { + "raw_field":"Image", + "ecs":"winlog.event_data.Image" + }, + { + "raw_field":"CertThumbprint", + "ecs":"winlog.event_data.CertThumbprint" + }, + { + "raw_field":"TicketEncryptionType", + "ecs":"winlog.event_data.TicketEncryptionType" + }, + { + "raw_field":"ServiceType", + "ecs":"winlog.event_data.ServiceType" + }, + { + "raw_field":"ObjectServer", + "ecs":"winlog.event_data.ObjectServer" + }, + { + "raw_field":"ImagePath", + "ecs":"winlog.event_data.ImagePath" + }, + { + "raw_field":"NewName", + "ecs":"winlog.event_data.NewName" + }, + { + "raw_field":"CallTrace", + "ecs":"winlog.event_data.CallTrace" + }, + { + "raw_field":"SamAccountName", + "ecs":"winlog.event_data.SamAccountName" + }, + { + "raw_field":"GrantedAccess", + "ecs":"winlog.event_data.GrantedAccess" + }, + { + "raw_field":"EngineVersion", + "ecs":"winlog.event_data.EngineVersion" + }, + { + "raw_field":"OriginalName", + "ecs":"winlog.event_data.OriginalName" + }, + { + "raw_field":"AuditSourceName", + "ecs":"winlog.event_data.AuditSourceName" + }, + { + "raw_field":"sha1", + "ecs":"hash.sha1" + }, + { + "raw_field":"SourceIp", + "ecs":"source.ip" + }, + { + "raw_field":"Payload", + "ecs":"winlog.event_data.Payload" + }, + { + "raw_field":"Level", + "ecs":"winlog.event_data.Level" + }, + { + "raw_field":"Application", + "ecs":"winlog.event_data.Application" + }, + { + "raw_field":"RemoteAddress", + "ecs":"winlog.event_data.RemoteAddress" + }, + { + "raw_field":"SearchFilter", + "ecs":"winlog.event_data.SearchFilter" + }, + { + "raw_field":"ApplicationPath", + "ecs":"winlog.event_data.ApplicationPath" + }, + { + "raw_field":"TargetFilename", + "ecs":"winlog.event_data.TargetFilename" + }, + { + "raw_field":"CurrentDirectory", + "ecs":"winlog.event_data.CurrentDirectory" + }, + { + "raw_field":"ObjectType", + "ecs":"winlog.event_data.ObjectType" + }, + { + "raw_field":"ServicePrincipalNames", + "ecs":"winlog.event_data.ServicePrincipalNames" + }, + { + "raw_field":"TemplateContent", + "ecs":"winlog.event_data.TemplateContent" + }, + { + "raw_field":"QueryResults", + "ecs":"winlog.event_data.QueryResults" + }, + { + "raw_field":"ServiceStartType", + "ecs":"winlog.event_data.ServiceStartType" + }, + { + "raw_field":"EventType", + "ecs":"winlog.event_data.EventType" + }, + { + "raw_field":"TargetSid", + "ecs":"winlog.event_data.TargetSid" + }, + { + "raw_field":"ParentUser", + "ecs":"winlog.event_data.ParentUser" + }, + { + "raw_field":"NewTargetUserName", + "ecs":"winlog.event_data.NewTargetUserName" + }, + { + "raw_field":"DestAddress", + "ecs":"winlog.event_data.DestAddress" + }, + { + "raw_field":"ContextInfo", + "ecs":"winlog.event_data.ContextInfo" + }, + { + "raw_field":"HostName", + "ecs":"host.name" + }, + { + "raw_field":"NewTemplateContent", + "ecs":"winlog.event_data.NewTemplateContent" + }, + { + "raw_field":"LayerRTID", + "ecs":"winlog.event_data.LayerRTID" + }, + { + "raw_field":"ImageFileName", + "ecs":"winlog.event_data.ImageFileName" + }, + { + "raw_field":"StartFunction", + "ecs":"winlog.event_data.StartFunction" + }, + { + "raw_field":"Value", + "ecs":"winlog.event_data.Value" + }, + { + "raw_field":"ModifyingApplication", + "ecs":"winlog.event_data.ModifyingApplication" + }, + { + "raw_field":"Destination", + "ecs":"winlog.event_data.Destination" + }, + { + "raw_field":"Commandline", + "ecs":"winlog.event_data.Commandline" + }, + { + "raw_field":"Message", + "ecs":"winlog.event_data.Message" + }, + { + "raw_field":"ShareName", + "ecs":"winlog.event_data.ShareName" + }, + { + "raw_field":"SourcePort", + "ecs":"source.port" + }, + { + "raw_field":"CallerProcessName", + "ecs":"winlog.event_data.CallerProcessName" + }, + { + "raw_field":"ServiceFileName", + "ecs":"winlog.event_data.ServiceFileName" + }, + { + "raw_field":"DestinationIsIpv6", + "ecs":"winlog.event_data.DestinationIsIpv6" + }, + { + "raw_field":"TargetImage", + "ecs":"winlog.event_data.TargetImage" + }, + { + "raw_field":"SourceAddress", + "ecs":"source.ip" + }, + { + "raw_field":"TargetObject", + "ecs":"winlog.event_data.TargetObject" + }, + { + "raw_field":"Caption", + "ecs":"winlog.event_data.Caption" + }, + { + "raw_field":"LocalName", + "ecs":"winlog.event_data.LocalName" + }, + { + "raw_field":"ImageLoaded", + "ecs":"winlog.event_data.ImageLoaded" + }, + { + "raw_field":"EventID", + "ecs":"winlog.event_id" + }, + { + "raw_field":"sha256", + "ecs":"hash.sha256" + }, + { + "raw_field":"ScriptBlockLogging", + "ecs":"winlog.event_data.ScriptBlockLogging" + }, + { + "raw_field":"SourceParentImage", + "ecs":"winlog.event_data.SourceParentImage" + }, + { + "raw_field":"SourceFilename", + "ecs":"winlog.event_data.SourceFilename" + }, + { + "raw_field":"Protocol", + "ecs":"winlog.event_data.Protocol" + }, + { + "raw_field":"ValidatedPolicy", + "ecs":"winlog.event_data.ValidatedPolicy" + }, + { + "raw_field":"ProcessPath", + "ecs":"winlog.event_data.ProcessPath" + }, + { + "raw_field":"OldValue", + "ecs":"winlog.event_data.OldValue" + }, + { + "raw_field":"ParentProcessId", + "ecs":"winlog.event_data.ParentProcessId" + }, + { + "raw_field":"TaskContentNew", + "ecs":"winlog.event_data.TaskContentNew" + }, + { + "raw_field":"Name", + "ecs":"winlog.event_data.Name" + }, + { + "raw_field":"payload", + "ecs":"winlog.event_data.payload" + }, + { + "raw_field":"SourceHostname", + "ecs":"winlog.event_data.SourceHostname" + }, + { + "raw_field":"ClientProcessId", + "ecs":"winlog.event_data.ClientProcessId" + }, + { + "raw_field":"TargetParentImage", + "ecs":"winlog.event_data.TargetParentImage" + }, + { + "raw_field":"ImpersonationLevel", + "ecs":"winlog.event_data.ImpersonationLevel" + }, + { + "raw_field":"ExceptionCode", + "ecs":"winlog.event_data.ExceptionCode" + }, + { + "raw_field":"FilterOrigin", + "ecs":"winlog.event_data.FilterOrigin" + }, + { + "raw_field":"PackagePath", + "ecs":"winlog.event_data.PackagePath" + }, + { + "raw_field":"SignatureStatus", + "ecs":"winlog.event_data.SignatureStatus" + }, + { + "raw_field":"Hash", + "ecs":"winlog.event_data.Hash" + }, + { + "raw_field":"AppID", + "ecs":"winlog.event_data.AppID" + }, + { + "raw_field":"SidList", + "ecs":"winlog.event_data.SidList" + }, + { + "raw_field":"ProcessNameBuffer", + "ecs":"winlog.event_data.ProcessNameBuffer" + }, + { + "raw_field":"PreviousCreationUtcTime", + "ecs":"winlog.event_data.PreviousCreationUtcTime" + }, + { + "raw_field":"Contents", + "ecs":"winlog.event_data.Contents" + }, + { + "raw_field":"TargetOutboundUserName", + "ecs":"winlog.event_data.TargetOutboundUserName" + }, + { + "raw_field":"ImageName", + "ecs":"winlog.event_data.ImageName" + }, + { + "raw_field":"md5", + "ecs":"hash.md5" + }, + { + "raw_field":"DeviceName", + "ecs":"winlog.event_data.DeviceName" + }, + { + "raw_field":"RequestedPolicy", + "ecs":"winlog.event_data.RequestedPolicy" + }, + { + "raw_field":"FileNameBuffer", + "ecs":"winlog.event_data.FileNameBuffer" + }, + { + "raw_field":"TaskContent", + "ecs":"winlog.event_data.TaskContent" + }, + { + "raw_field":"SourceCommandLine", + "ecs":"winlog.event_data.SourceCommandLine" + }, + { + "raw_field":"CreationUtcTime", + "ecs":"winlog.event_data.CreationUtcTime" + }, + { + "raw_field":"AppName", + "ecs":"winlog.event_data.AppName" + }, + { + "raw_field":"subjectName", + "ecs":"winlog.event_data.subjectName" + }, + { + "raw_field":"process", + "ecs":"winlog.event_data.process" + }, + { + "raw_field":"PackageFullName", + "ecs":"winlog.event_data.PackageFullName" + }, + { + "raw_field":"SourceName", + "ecs":"winlog.event_data.SourceName" + }, + { + "raw_field":"Data", + "ecs":"winlog.event_data.Data" + }, + { + "raw_field":"param3", + "ecs":"winlog.event_data.param3" + }, + { + "raw_field":"Signature", + "ecs":"winlog.event_data.Signature" + } + ] +``` \ No newline at end of file diff --git a/_security-analytics/sec-analytics-config/custom-log-type.md b/_security-analytics/sec-analytics-config/custom-log-type.md deleted file mode 100644 index 0bf628d85c..0000000000 --- a/_security-analytics/sec-analytics-config/custom-log-type.md +++ /dev/null @@ -1,29 +0,0 @@ ---- -layout: default -title: Creating custom log types -parent: Setting up Security Analytics -nav_order: 18 ---- - - -# Creating custom log types - -Log types represent the different sources of data used for threat detection in Security Analytics. In addition to the standard [log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types/) supported by Security Analytics, you can create custom log types for your threat detectors. - -## Creating a custom log type - -To create a custom log type: -1. From the dashboard, select **OpenSearch Plugins** > **Security Analytics**, and then select **Detectors** > **Log types**. -1. Select **Create log type**. -1. Enter a name and, optionally, a description for the log type. - - The log type name supports characters a--z (lowercase), 0--9, hyphens, and underscores. - {: .note } - -1. Select a category. The categories are listed in [Supported log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types/). -1. Select **Create log type** in the lower-right corner of the screen. The screen returns to the **Log types** page, and the new log type appears in the list. Note that the source for the new log type indicates **Custom**. - -## Log type API - -To perform operations for custom log types using the REST API, see [Log type APIs]({{site.url}}{{site.baseurl}}/security-analytics/api-tools/log-type-api/). - diff --git a/_security-analytics/sec-analytics-config/detectors-config.md b/_security-analytics/sec-analytics-config/detectors-config.md index d58721bf4b..74fa981279 100644 --- a/_security-analytics/sec-analytics-config/detectors-config.md +++ b/_security-analytics/sec-analytics-config/detectors-config.md @@ -43,7 +43,7 @@ To define a detector: To quickly select one or more known rules and dismiss others, first deselect all rules by turning off the **Rule name** toggle, then search for your target rule names and select each individually by turning its toggle on. {: .tip } -1. Review the field mappings. Field mappings allow the system to accurately pass event data from the log to the detector and then use the data to trigger alerts. For more information about field mappings, see [A note on field names](#a-note-on-field-names). +1. Review the field mappings. Field mappings allow the system to accurately pass event data from the log to the detector and then use the data to trigger alerts. For more information about field mappings, refer to the [A note on field mappings](#a-note-on-field-names) section. 1. Choose whether to enable [threat intelligence]({{site.url}}{{site.baseurl}}/security-analytics/usage/detectors#threat-intelligence-feeds) feeds. Threat intelligence feeds only work with **standard** log types. @@ -108,6 +108,8 @@ Once you select a data source and log type, the system attempts to automatically Although these automatic matches are normally dependable, it's still a good idea to review the mappings in the **Mapped fields** table and verify that they are correct and matched as expected. If you find a mapping that doesn't appear to be accurate, you can use the dropdown list to search for and select the correct field name. For more information about matching field names, see the following section. +For more information about field mappings, refer to the [About field mappings]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types#about-field-mappings) section within the [Working with log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types) documentation. + ## Available fields The field names that are not automatically mapped appear in the **Available fields** table. In this table you can manually map detection rule fields to data source fields, as shown in the following image. @@ -126,29 +128,41 @@ While mapping fields, consider the following: If you choose to perform manual field mapping, you should be familiar with the field names in the log index and have an understanding of the data contained in those fields. If you have an understanding of the log source fields in the index, the mapping is typically a straightforward process. -Security Analytics takes advantage of prepackaged Sigma rules for security event detection. Therefore, the field names are derived from a Sigma rule field standard. To make them easier to identify, however, we have created aliases for the Sigma rule fields based on the following specifications: - -- For all log types, go to the open-source Elastic Common Schema (ECS) specification. -- For AWS CloudTrail, Domain Name System (DNS) log types, and virtual private network (VPC) flow logs, go to the [Open Cybersecurity Framework](https://github.com/ocsf/ocsf-schema). +Security Analytics takes advantage of prepackaged Sigma rules for security event detection. Therefore, the field names are derived from a Sigma rule field standard. To make them more identifiable, aliases for the Sigma rule fields have been created based on the following specifications: -These alias rule field names are the field names used in these steps. They appear in the **Detector field name** column of the mapping tables. +- For all log types, the open-source Elastic Common Schema (ECS) +- For AWS CloudTrail and DNS log types, the [Open Cybersecurity Schema Framework](https://github.com/ocsf/ocsf-schema) (OCSF) -In the following locations, you can find predefined mappings of the Sigma rule field names to the ECS rule field names for all supported log types: +The field names for alias rules are used in the following steps and are listed in the **Detector field name** column within the mapping tables. -- The [Supported log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types/) reference documentation. +Predefined mappings that correlate the field names from Sigma rules to those of ECS rules for all supported log types are available in the following resources: -- The [GitHub Security Analytics](https://github.com/opensearch-project/security-analytics) repository. To find the field mappings: +- The [Supported log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types/) reference documentation +- The GitHub Security Analytics repository. To find the field mappings: 1. Navigate to the [OSMappings](https://github.com/opensearch-project/security-analytics/tree/main/src/main/resources/OSMapping) folder. -2. Select the file for the log type. For example, to view the Sigma rule fields that correspond to the ECS rule fields for the Windows log type, select the [`windows_logtype.json` file](https://github.com/opensearch-project/security-analytics/blob/main/src/main/resources/OSMapping/windows_logtype.json). The `raw_field` value in the file represents the Sigma rule field name in the mapping. + 2. Select the file for the specific log type. For example, for the `windows` log type, to view field names that correlate from Sigma rules to those of ECS rules, select the [`windows_logtype.json`](https://github.com/opensearch-project/security-analytics/blob/main/src/main/resources/OSMapping/windows_logtype.json) file. The `raw_field` value represents the field name for the Sigma rule in the mapping. ## Amazon Security Lake logs -[Amazon Security Lake](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html) converts security log and event data to the [Open Cybersecurity Schema Framework](https://docs.aws.amazon.com/security-lake/latest/userguide/open-cybersecurity-schema-framework.html) (OCSF) in order to normalize combined data and facilitate its management. OpenSearch supports ingestion of log data from Security Lake in the OCSF format, and Security Analytics can automatically map fields from OCSF to ECS (the default field mapping schema). +[Amazon Security Lake](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html) converts security log and event data to the [OCSF](https://docs.aws.amazon.com/security-lake/latest/userguide/open-cybersecurity-schema-framework.html) format to normalize combined data and facilitate its management. OpenSearch supports ingestion of log data from Amazon Security Lake in the OCSF format. Security Analytics can automatically map fields from OCSF to ECS (the default field mapping schema). + +The Amazon Security Lake log types that can be used as log sources for detector creation include AWS CloudTrail, Amazon Route 53, and VPC Flow Logs. Because Amazon Route 53 logs capture DNS activity, the log type must be specified as **dns** when [defining a detector](#step-1-define-a-detector). Because AWS CloudTrail logs can be captured in both raw format and OCSF, you should name indexes distinctly and identifiably. This can be helpful when specifying an index name in an API associated with Security Analytics. + +Supported log types are available in the following resources: + +- For all log types, see the open-source ECS specification. +- For AWS CloudTrail, DNS log types, and VPC Flow Logs, see the [OCSF](https://github.com/ocsf/ocsf-schema). -The Security Lake log types that can be used as log sources for detector creation include AWS CloudTrail, Amazon Route 53, and Amazon VPC Flow Logs. Given that Amazon Route 53 captures DNS activity, its log type should be specified as **dns** when [defining a detector](#step-1-define-a-detector). Furthermore, because logs such as AWS CloudTrail logs can conceivably be captured in both raw format and OCSF format, it is good practice to name indexes in a way that keeps these logs separate and easily identifiable. This becomes helpful when specifying an index name in any of the APIs associated with Security Analytics. -To reveal fields for a log index in either raw format or OCSF format, use the [Get Mappings View]({{site.url}}{{site.baseurl}}/security-analytics/api-tools/mappings-api/#get-mappings-view) API and specify the index in the `index_name` field of the request. -{: .tip } +The field names for alias rules are used in the following steps and are listed in the **Detector field name** column in the mapping tables. + +Predefined mappings that correlate the field names from Sigma rules to those of ECS rules for all supported log types are available in the following resources: + +- The [Supported log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types/) reference documentation. + +- The [GitHub Security Analytics](https://github.com/opensearch-project/security-analytics) repository. To find the field mappings: + 1. Navigate to the [OSMappings](https://github.com/opensearch-project/security-analytics/tree/main/src/main/resources/OSMapping) folder. + 2. Select the file for the specific log type. For example, for the `windows` log type, to view field names that correlate from Sigma rules to those of ECS rules, select the [`windows_logtype.json`](https://github.com/opensearch-project/security-analytics/blob/main/src/main/resources/OSMapping/windows_logtype.json) file. The `raw_field` value represents the field name for the Sigma rule in the mapping. ## What's next diff --git a/_security-analytics/sec-analytics-config/log-types.md b/_security-analytics/sec-analytics-config/log-types.md index fc016556be..7861393e23 100644 --- a/_security-analytics/sec-analytics-config/log-types.md +++ b/_security-analytics/sec-analytics-config/log-types.md @@ -1,51 +1,79 @@ --- layout: default -title: Supported log types +title: Working with log types parent: Setting up Security Analytics -nav_order: 16 +nav_order: 14 +redirect_from: + - /security-analytics/sec-analytics-config/custom-log-type/ --- +# Working with log types -# Supported log types +Log types represent the different data sources used for threat detection in Security Analytics. Log types are useful for categorizing or prepopulating [detection rules]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/detectors-config/) when creating detectors from your source. -Logs contain raw data about events that happen throughout a system and in its separate parts. As of OpenSearch 2.11, log types are grouped by category to help select, filter, and search the log types. +Security Analytics supports the following log types: -To navigate to the **Log types** page, select **Log types** under **Detectors** in the **Security Analytics** navigation menu. The page shows the name of the log type, its description, its category, and identifies whether it's a standard OpenSearch-defined log type or a custom log type. The following image shows the **Log types** landing page with the Category column selected and the **Category** filter you can use to filter the list by the category. +- [Standard log types](#standard-log-types): Security Analytics automatically generates a list of data sources, along with their field mappings and rules, based on the data indexed from each source. +- [Custom log types](#creating-custom-log-types): When your data cannot be categorized as one of the [standard log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types/), you can create a user-defined log type. For enhanced threat detection, Security Analytics supports the integration of custom log types. + +To navigate to the **Log types** page, select **Log types** under **Detectors** in the **Security Analytics** navigation menu. + +## Page actions + +The main **Log types** UI features and actions are shown in the following image. These features are described in the list following the image. The Log types landing page. -The following table shows the log types that are currently supported by Security Analytics for ingestion, mapping, and monitoring. - -| Category | Log type | Description | -| :--- |:--- |:--- | -| Access Management | `Ad_ldap` | Active Directory logs that track LDAP queries, errors from the LDAP server, timeout events, and unsecure LDAP binds. | -| Access Management | `Apache_access` | Apache access logs that record data for all requests processed by an Apache HTTP server. | -| Access Management | `Okta` | Okta logs that record Okta events from a range of actions, such as downloading an export file, requesting application access, or revoking privileges. | -| Applications | `GitHub` | GitHub logs that monitor workflows created by [GitHub Actions](https://docs.github.com/en/actions/learn-github-actions/understanding-github-actions). | -| Applications| `Gworkspace` | Google Workspace logs that monitor log entries such as admin actions, group and group membership actions, and events related to logging in. | -| Applications| `M365` | Microsoft 365 audit logs that collect a range of data for Microsoft 365, including records from call details, performance data, SQL Server, security events, and access control activity. | -| Cloud Services | `Azure` | Microsoft Azure logs that monitor log data for cloud applications managed by Azure Cloud Services. | -| Cloud Services | `CloudTrail` | AWS CloudTrail logs that monitor events for an AWS CloudTrail account. OpenSearch can ingest CloudTrail log data from both [Amazon Simple Storage Service](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) (Amazon S3) accounts and [Amazon Security Lake](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html) service accounts. | -| Cloud Services | `S3` | Amazon S3 logs that track requests for access to an S3 bucket. | -| Network Activity| `Dns` | DNS logs that store DNS activity. | -| Network Activity | `Network` | Network logs that record events that happen in a system's network, such as login attempts and application events. | -| Network Activity | `vpcflow` | [VPC Flow Logs](https://docs.aws.amazon.com/prescriptive-guidance/latest/logging-monitoring-for-application-owners/vpc-flow-logs.html) that capture information about the IP traffic going to and from network interfaces in your virtual private cloud (VPC). | -| Security | `Waf` | Web Application Firewall (WAF) logs (introduced in OpenSearch 2.11) for users that require monitoring of the WAF use case that's provided out of the box with Security Analytics. The role of WAF is to monitor and filter HTTP traffic between a web application and the internet. WAF prevents common security attacks, such as cross-site scripting (XSS) and SQL Injection (SQi). | -| System Activity | `Linux` | Linux system logs that record Linux syslog events. | -| System Activity | `Windows` | Windows logs that record events that have happened in the operating system, applications, and other Windows system services. | -| Other | `Email` | Logs that record email activity. | +1. Search **Standard** and **Custom** log types. + - For a list of **Standard** log types, see [Supported log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types/). +2. Create a [custom log type](#creating-custom-log-types). +3. Select the log type **Name** to open the details page. The **Details** tab is shown by default. This tab includes the log type's ID. You can also select the **Detection rules** tab to show all detection rules associated with the log type. +4. Select the **Category** or **Source** dropdown menu to sort by log type category or source. +5. From the **Actions** column, select the {::nomarkdown}trash can icon{:/} icon to delete a custom log type (you cannot delete a standard OpenSearch-defined log type). Then follow the prompts to confirm and delete it. -## Page actions +## Standard log types + +As of OpenSearch 2.11, all standard log types are grouped by the following categories: + +- **Access Management** includes [AD/LDAP]({{site.url}}{{site.baseurl}}/security-analytics/log-types-reference/ad-ldap/), [Apache Access]({{site.url}}{{site.baseurl}}/security-analytics/log-types-reference/apache-access/), and [Okta]({{site.url}}{{site.baseurl}}/security-analytics/log-types-reference/okta/). +- **Applications** includes [GitHub]({{site.url}}{{site.baseurl}}/security-analytics/log-types-reference/github/), [Google Workspace]({{site.url}}{{site.baseurl}}/security-analytics/log-types-reference/gworkspace/), and [Microsoft 365]({{site.url}}{{site.baseurl}}/security-analytics/log-types-reference/m365/). +- **Cloud Services** includes [Azure]({{site.url}}{{site.baseurl}}/security-analytics/log-types-reference/azure/), [AWS CloudTrail]({{site.url}}{{site.baseurl}}/security-analytics/log-types-reference/cloudtrail/), and [Amazon S3]({{site.url}}{{site.baseurl}}/security-analytics/log-types-reference/s3/). +- **Network Activity** includes [DNS]({{site.url}}{{site.baseurl}}/security-analytics/log-types-reference/dns/), [Network]({{site.url}}{{site.baseurl}}/security-analytics/log-types-reference/network/), [NetFlow]({{site.url}}{{site.baseurl}}/security-analytics/log-types-reference/netflow/), and [VPC Flow]({{site.url}}{{site.baseurl}}/security-analytics/log-types-reference/vpc/). +- **Security** includes [WAF]({{site.url}}{{site.baseurl}}/security-analytics/log-types-reference/waf/). +- **System Activity** includes [Linux]({{site.url}}{{site.baseurl}}/security-analytics/log-types-reference/linux/) and [Windows]({{site.url}}{{site.baseurl}}/security-analytics/log-types-reference/windows/). +- **Other** includes accounts for log types that are not contained in a specific category. For more information, refer to [Other log types]({{site.url}}{{site.baseurl}}/security-analytics/log-types-reference/other/). + + +## Creating custom log types + +When connecting to a data source not supported by a standard log type, create a custom log type by following these steps: + +1. In OpenSearch Dashboards, select **OpenSearch Plugins** > **Security Analytics**, and then select **Detectors** > **Log types**. +1. Select **Create log type**. +1. Enter a name and, optionally, a description for the log type. + + The log type name supports characters a--z (lowercase), 0--9, hyphens, and underscores. + {: .note } + +1. Select a category. The categories are listed in the [Supported log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types/) documentation. +1. Select **Create log type** in the lower-right corner of the screen. The screen returns to the **Log types** page. The new log type appears in the list. Note that the source for the new log type indicates **Custom**. + +## About field mappings + +The log type specified when creating a detector determines which fields are available for mapping. For example, when **Windows logs** is selected, this parameter and the specific detection rules determine the list of detection field names available for the mapping. Similarly, the selected data source determines the list of log source field names that are available for the mapping. + +Security Analytics uses prepackaged Sigma rules for detector creation. It can automatically map important fields of a particular log type to the relevant fields in Sigma rules. The **Field Mappings** section shows fields that have been mapped automatically. In this section, you can customize, change, or add new field mappings. When a detector includes customized rules, you can manually map detector rule field names to log source field names. + +Because the system can automatically map field names, it is optional to manually map the fields when `ecs` fields exist in a document. Detector rules, however, require certain mappings in order to operate. These mapping depend on the detector rule. The more fields that can be mapped between detector fields and log source fields, the greater the accuracy of generated findings. + + + +## Log type APIs + +Use the log type APIs to perform custom log type operations using the REST API. For more information, refer to the [log type APIs]({{site.url}}{{site.baseurl}}/security-analytics/api-tools/log-type-api/) documentation. -The following list describes the main features found on the **Log types** page and the actions you can take: -* Select the log type **Name** to open the log type's details page. The **Details** tab is shown by default. This tab includes the log type's ID. You can also select the **Detection rules** tab to show all detection rules associated with the log type. -* In the **Actions** column, you can select the trash can icon ({::nomarkdown}trash can icon{:/}) to delete a custom log type (you cannot delete a standard OpenSearch-defined log type). Follow the prompts to confirm and safely remove the custom log type. -* Select **Create log type** in the upper-right corner of the screen to begin creating a custom log type. The **Create log type** page opens. Continue with the steps in the section that follows to create a custom log type. -* Using the **Category** and **Source** dropdowns, you can sort by the log type category or source, respectively. -## Related articles -[Creating custom log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/custom-log-type/) diff --git a/images/Security/c-log-type.png b/images/Security/c-log-type.png index 2ec9967d1c..5008c6655a 100644 Binary files a/images/Security/c-log-type.png and b/images/Security/c-log-type.png differ