Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add log types section to Security Analytics #6235

Merged
merged 32 commits into from
Apr 4, 2024
+2,316 −77
Merged

Add log types section to Security Analytics #6235

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
32 commits
Select commit Hold shift + click to select a range
1206a23
Add log types section to Security Analytics
Naarcha-AWS Jan 22, 2024
a42a741
Rename custom log type page.
Naarcha-AWS Jan 24, 2024
4d78fcf
Tweak layout.
Naarcha-AWS Jan 24, 2024
dbd91c8
Replace image with callouts
Naarcha-AWS Jan 24, 2024
0e8db5c
Fix links, fix structure.
Naarcha-AWS Jan 24, 2024
a26229b
Fix bugs
Naarcha-AWS Jan 24, 2024
ebc03fd
Add Joanne's technical feedback. Link back to detectors.
Naarcha-AWS Jan 26, 2024
ac4a2ab
Merge branch 'main' into log-types
Naarcha-AWS Mar 4, 2024
9c39cab
Merge branch 'main' into log-types
Naarcha-AWS Mar 6, 2024
0003ac5
Apply suggestions from code review
Naarcha-AWS Mar 6, 2024
6555edd
Merge branch 'main' into log-types
Naarcha-AWS Mar 8, 2024
85d4954
Apply suggestions from code review
Naarcha-AWS Mar 12, 2024
f2a097b
Merge branch 'main' into log-types
Naarcha-AWS Mar 12, 2024
83f2e05
Apply suggestions from code review
Naarcha-AWS Mar 13, 2024
6359b2b
Apply suggestions from code review
Naarcha-AWS Mar 13, 2024
513e06a
Apply suggestions from code review
Naarcha-AWS Mar 13, 2024
bdc6b13
Apply suggestions from code review
Naarcha-AWS Mar 13, 2024
b09c2de
Apply suggestions from code review
Naarcha-AWS Mar 13, 2024
5041e30
Apply suggestions from code review
Naarcha-AWS Mar 13, 2024
dfc92ca
Apply suggestions from code review
Naarcha-AWS Mar 19, 2024
f127077
Apply suggestions from code review
Naarcha-AWS Mar 19, 2024
7113387
Update detectors-config.md
Naarcha-AWS Mar 19, 2024
0ef8afb
Merge branch 'main' into log-types
Naarcha-AWS Mar 19, 2024
6890d89
Merge branch 'main' into log-types
Naarcha-AWS Mar 20, 2024
fe4f02d
Apply suggestions from code review
Naarcha-AWS Mar 26, 2024
acbbaab
Apply suggestions from code review
Naarcha-AWS Mar 26, 2024
fbbc152
Merge branch 'main' into log-types
Naarcha-AWS Mar 26, 2024
98ea11f
Merge branch 'main' into log-types
Naarcha-AWS Apr 2, 2024
4394e09
Update log-types.md
Naarcha-AWS Apr 2, 2024
a0f5f81
Apply suggestions from code review
Naarcha-AWS Apr 2, 2024
1bd4e66
Merge branch 'main' into log-types
Naarcha-AWS Apr 3, 2024
c4a5c8b
Merge branch 'main' into log-types
Naarcha-AWS Apr 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 1 addition & 1 deletion _security-analytics/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ For information about configuring detectors, see [Creating detectors]({{site.url

### Log types

Log types provide the data used to evaluate events occurring in a system. OpenSearch supports several types of logs and provides out-of-the-box mappings for the most common log sources. See [Supported log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types/) for a list of log types currently supported by Security Analytics.
[Log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types/) provide the data used to evaluate events occurring in a system. OpenSearch supports several types of logs and provides out-of-the-box mappings for the most common log sources.

Log types are specified during the creation of detectors, including steps for mapping log fields to the detector. Security Analytics also automatically selects an appropriate set of rules based on a specific log type and populates them for the detector.

Expand Down
114 changes: 114 additions & 0 deletions _security-analytics/log-types-reference/ad-ldap.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,114 @@
---
layout: default
title: AD LDAP
parent: Supported log types
nav_order: 20
---

# AD LDAP

The `ad_ldap` log type tracks Active Directory logs, such as:

- Lightweight Directory Access Protocol (LDAP) queries.
- Errors from the LDAP server.
- Timeout events.
- Unsecured LDAP binds.

The following code snippet contains all `raw_field` and `ecs` mappings for this log type:

```json
"mappings": [
{
"raw_field":"TargetUserName",
"ecs":"azure.signinlogs.properties.user_id"
},
{
"raw_field":"creationTime",
"ecs":"timestamp"
},
{
"raw_field":"Category",
"ecs":"azure.activitylogs.category"
},
{
"raw_field":"OperationName",
"ecs":"azure.platformlogs.operation_name"
},
{
"raw_field":"ModifiedProperties_NewValue",
"ecs":"modified_properties.new_value"
},
{
"raw_field":"ResourceProviderValue",
"ecs":"azure.resource.provider"
},
{
"raw_field":"conditionalAccessStatus",
"ecs":"azure.signinlogs.properties.conditional_access_status"
},
{
"raw_field":"SearchFilter",
"ecs":"SearchFilter"
},
{
"raw_field":"Operation",
"ecs":"azure.platformlogs.operation_name"
},
{
"raw_field":"ResultType",
"ecs":"azure.platformlogs.result_type"
},
{
"raw_field":"DeviceDetail_isCompliant",
"ecs":"azure.signinlogs.properties.device_detail.is_compliant"
},
{
"raw_field":"ResourceDisplayName",
"ecs":"resource_display_name"
},
{
"raw_field":"AuthenticationRequirement",
"ecs":"azure.signinlogs.properties.authentication_requirement"
},
{
"raw_field":"TargetResources",
"ecs":"target_resources"
},
{
"raw_field":"Workload",
"ecs":"workload"
},
{
"raw_field":"DeviceDetail.deviceId",
"ecs":"azure.signinlogs.properties.device_detail.device_id"
},
{
"raw_field":"OperationNameValue",
"ecs":"azure.platformlogs.operation_name"
},
{
"raw_field":"ResourceId",
"ecs":"azure.signinlogs.properties.resource_id"
},
{
"raw_field":"ResultDescription",
"ecs":"azure.signinlogs.result_description"
},
{
"raw_field":"EventID",
"ecs":"EventID"
},
{
"raw_field":"NetworkLocationDetails",
"ecs":"azure.signinlogs.properties.network_location_details"
},
{
"raw_field":"CategoryValue",
"ecs":"azure.activitylogs.category"
},
{
"raw_field":"ActivityDisplayName",
"ecs":"azure.auditlogs.properties.activity_display_name"
}
]
Naarcha-AWS marked this conversation as resolved.
Show resolved Hide resolved
```
10 changes: 10 additions & 0 deletions _security-analytics/log-types-reference/apache-access.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
---
layout: default
title: Apache Access
Naarcha-AWS marked this conversation as resolved.
Show resolved Hide resolved
parent: Supported log types
nav_order: 25
---

# Apache Access

Check failure on line 8 in _security-analytics/log-types-reference/apache-access.md

View workflow job for this annotation

GitHub Actions / vale

[vale] _security-analytics/log-types-reference/apache-access.md#L8 

[OpenSearch.HeadingCapitalization] 'Apache Access' is a heading and should be in sentence case.
Raw output 
{"message": "[OpenSearch.HeadingCapitalization] 'Apache Access' is a heading and should be in sentence case.", "location": {"path": "_security-analytics/log-types-reference/apache-access.md", "range": {"start": {"line": 8, "column": 3}}}, "severity": "ERROR"}

The `apache_access` log type records data for all requests processed by Apache HTTP servers. It contains no `raw_field` or `ecs` mappings.
225 changes: 225 additions & 0 deletions _security-analytics/log-types-reference/azure.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,225 @@
---
layout: default
title: Azure
parent: Supported log types
nav_order: 29
---

# Azure

The `azure` log type monitors log data for cloud applications managed by Azure Cloud Services.

The following code snippet contains all `raw_field` and `ecs` mappings for this log type:

```json
"mappings": [
{
"raw_field":"Resultdescription",
"ecs":"azure.signinlogs.result_description"
},
{
"raw_field":"eventSource",
"ecs":"eventSource"
},
{
"raw_field":"eventName",
"ecs":"eventName"
},
{
"raw_field":"Status",
"ecs":"azure.platformlogs.status"
},
{
"raw_field":"LoggedByService",
"ecs":"azure.auditlogs.properties.logged_by_service"
},
{
"raw_field":"properties_message",
"ecs":"properties_message"
},
{
"raw_field":"status",
"ecs":"azure.platformlogs.status"
},
{
"raw_field":"TargetUserName",
"ecs":"azure.signinlogs.properties.user_id"
},
{
"raw_field":"creationTime",
"ecs":"timestamp"
},
{
"raw_field":"Category",
"ecs":"azure.activitylogs.category"
},
{
"raw_field":"OperationName",
"ecs":"azure.platformlogs.operation_name"
},
{
"raw_field":"ModifiedProperties_NewValue",
"ecs":"modified_properties.new_value"
},
{
"raw_field":"ResourceProviderValue",
"ecs":"azure.resource.provider"
},
{
"raw_field":"conditionalAccessStatus",
"ecs":"azure.signinlogs.properties.conditional_access_status"
},
{
"raw_field":"SearchFilter",
"ecs":"search_filter"
},
{
"raw_field":"Operation",
"ecs":"azure.platformlogs.operation_name"
},
{
"raw_field":"ResultType",
"ecs":"azure.platformlogs.result_type"
},
{
"raw_field":"DeviceDetail_isCompliant",
"ecs":"azure.signinlogs.properties.device_detail.is_compliant"
},
{
"raw_field":"ResourceDisplayName",
"ecs":"resource_display_name"
},
{
"raw_field":"AuthenticationRequirement",
"ecs":"azure.signinlogs.properties.authentication_requirement"
},
{
"raw_field":"TargetResources",
"ecs":"target_resources"
},
{
"raw_field":"Workload",
"ecs":"Workload"
},
{
"raw_field":"DeviceDetail_deviceId",
"ecs":"azure.signinlogs.properties.device_detail.device_id"
},
{
"raw_field":"OperationNameValue",
"ecs":"azure.platformlogs.operation_name"
},
{
"raw_field":"ResourceId",
"ecs":"azure.signinlogs.properties.resource_id"
},
{
"raw_field":"ResultDescription",
"ecs":"azure.signinlogs.result_description"
},
{
"raw_field":"EventID",
"ecs":"EventID"
},
{
"raw_field":"NetworkLocationDetails",
"ecs":"azure.signinlogs.properties.network_location_details"
},
{
"raw_field":"CategoryValue",
"ecs":"azure.activitylogs.category"
},
{
"raw_field":"ActivityDisplayName",
"ecs":"azure.auditlogs.properties.activity_display_name"
},
{
"raw_field":"Initiatedby",
"ecs":"azure.activitylogs.identity.claims_initiated_by_user.name"
},
{
"raw_field":"Count",
"ecs":"Count"
},
{
"raw_field":"ResourceTenantId",
"ecs":"azure.signinlogs.properties.resource_tenant_id"
},
{
"raw_field":"failure_status_reason",
"ecs":"failure_status_reason"
},
{
"raw_field":"AppId",
"ecs":"azure.signinlogs.properties.app_id"
},
{
"raw_field":"properties.message",
"ecs":"properties.message"
},
{
"raw_field":"ClientApp",
"ecs":"azure.signinlogs.properties.client_app_used"
},
{
"raw_field":"ActivityDetails",
"ecs":"ActivityDetails"
},
{
"raw_field":"Target",
"ecs":"Target"
},
{
"raw_field":"DeviceDetail.trusttype",
"ecs":"azure.signinlogs.properties.device_detail.trust_type"
},
{
"raw_field":"HomeTenantId",
"ecs":"azure.signinlogs.properties.home_tenant_id"
},
{
"raw_field":"ConsentContext.IsAdminConsent",
"ecs":"ConsentContext.IsAdminConsent"
},
{
"raw_field":"InitiatedBy",
"ecs":"InitiatedBy"
},
{
"raw_field":"ActivityType",
"ecs":"azure.auditlogs.properties.activity_display_name"
},
{
"raw_field":"operationName",
"ecs":"azure.activitylogs.operation_name"
},
{
"raw_field":"ModifiedProperties{}.NewValue",
"ecs":"modified_properties.new_value"
},
{
"raw_field":"userAgent",
"ecs":"user_agent.name"
},
{
"raw_field":"RiskState",
"ecs":"azure.signinlogs.properties.risk_state"
},
{
"raw_field":"Username",
"ecs":"azure.activitylogs.identity.claims_initiated_by_user.name"
},
{
"raw_field":"DeviceDetail.deviceId",
"ecs":"azure.signinlogs.properties.device_detail.device_id"
},
{
"raw_field":"DeviceDetail.isCompliant",
"ecs":"azure.signinlogs.properties.device_detail.is_compliant"
},
{
"raw_field":"Location",
"ecs":"azure.signinlogs.properties.network_location_details"
}
]
```