Add threat intelligence for 2.12 #6273
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Naarcha-AWS <naarcha@amazon.com>
Naarcha-AWS
added
3 - Tech Review
Naarcha-AWS
requested review from
hdhalter,
kolchfa-aws,
vagimeli,
AMoo-Miki,
natebower and
dlvenable
as code owners
Signed-off-by: Naarcha-AWS <naarcha@amazon.com>
jowg-amazon
reviewed
Feb 6, 2024
Naarcha-AWS
commented
Feb 6, 2024
Naarcha-AWS
commented
Feb 6, 2024
Naarcha-AWS
commented
Feb 6, 2024
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Naarcha-AWS
added
4 - Doc Review
hdhalter
added
the
release-notes
vagimeli
approved these changes
Feb 6, 2024
There was a problem hiding this comment.
@Naarcha-AWS Doc review is complete. Please see the edits and comments to be resolved before moving this PR into editorial review.
|
|
||
| Security Analytics takes advantage of prepackaged Sigma rules for security event detection. Therefore, the field names are derived from a Sigma rule field standard. To make them easier to identify, however, we have created aliases for the Sigma rule fields based on the following specifications: | ||
|
|
||
| - For all log types, the open-source Elastic Common Schema (ECS) specification. |
There was a problem hiding this comment.
Include a link to the spec?
Co-authored-by: Melissa Vagi <vagimeli@amazon.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Naarcha-AWS
added
5 - Final Editorial Review
Naarcha-AWS
commented
Feb 6, 2024
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
natebower
requested changes
Feb 7, 2024
There was a problem hiding this comment.
@Naarcha-AWS Please tag me when complete so I can approve line 40 in the second file. Thanks!
|
|
||
| - The [GitHub Security Analytics](https://github.com/opensearch-project/security-analytics) repository. To find the field mappings: | ||
| 1. Navigate to the [OSMappings](https://github.com/opensearch-project/security-analytics/tree/main/src/main/resources/OSMapping) folder. | ||
| 2. Select the file for the specific log type. For example, to view the Sigma rule fields that correspond to ECS rule fields for the Windows log type, select the [`windows_logtype.json` file](https://github.com/opensearch-project/security-analytics/blob/main/src/main/resources/OSMapping/windows_logtype.json). The `raw_field` value in the file represents the Sigma rule field name in the mapping. |
There was a problem hiding this comment.
"specified" instead of "specific"?
|
|
||
| [Amazon Security Lake](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html) converts security log and event data to the [Open Cybersecurity Schema Framework](https://docs.aws.amazon.com/security-lake/latest/userguide/open-cybersecurity-schema-framework.html) (OCSF) to normalize combined data and facilitate its management. OpenSearch supports ingestion of log data from Security Lake in the OCSF format, and Security Analytics can automatically map fields from OCSF to ECS (the default field-mapping schema). | ||
|
|
||
| The Security Lake log types that can be used as log sources for detector creation include AWS CloudTrail, Amazon Route 53, and Amazon VPC Flow Logs. Given that Amazon Route 53 is a log that captures DNS activity, its log type should be specified as **dns** when [defining a detector](#step-1-define-a-detector). Furthermore, because logs such as AWS CloudTrail logs can conceivably be captured in both raw format and OCSF, it is good practice to name indexes in a way that keeps these logs separate and easily identifiable. This becomes helpful when specifying an index name in any of the APIs associated with Security Analytics. |
There was a problem hiding this comment.
Amazon Route 53 is a service, not a log.
| @@ -35,6 +35,16 @@ To edit a detector, begin by selecting the link to the detector in the Detector | |||
| After you select the **Alert triggers** tab, you also have the option to add additional alerts for the detector by selecting **Add another alert condition** at the bottom of the page. | |||
| {: .tip } | |||
|
|
|||
| ### Threat intelligence feeds | |||
|
|
|||
| A threat intelligence feed is a real-time, continuous data stream that gathers information related to risks or threats. The critical information in the tactical threat intelligence feed is called an “indicator of compromise” (IoC). | |||
There was a problem hiding this comment.
I'm not a fan of the last sentence here (or my rewrite), as it's a little ambiguous. Can we be more specific about what we mean by "critical information"? In other words, what information exactly is called an IoC (what makes it critical)?
|
|
||
| As of OpenSearch 2.12, you can enable threat intelligence for Sigma rules related to malicious IP addresses. | ||
|
|
||
| To enable threat intelligence feeds, select the **Enable threat intelligence-based detection** option. |
There was a problem hiding this comment.
I know we can't change this at the moment, but just FYI, it should be "threat-intelligence-based detection".
Co-authored-by: Nathan Bower <nbower@amazon.com> Co-authored-by: Melissa Vagi <vagimeli@amazon.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Naarcha-AWS
commented
Feb 7, 2024
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Naarcha-AWS
added
6 - Done but waiting to merge
hdhalter
added
3 - Done
oeyh
pushed a commit
to oeyh/documentation-website
that referenced
this pull request
Mar 14, 2024
* Add threat intelligence for 2.12 Signed-off-by: Naarcha-AWS <naarcha@amazon.com> * Fix broken link Signed-off-by: Naarcha-AWS <naarcha@amazon.com> * Apply suggestions from code review Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Melissa Vagi <vagimeli@amazon.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Nathan Bower <nbower@amazon.com> Co-authored-by: Melissa Vagi <vagimeli@amazon.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Update _security-analytics/usage/detectors.md Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> --------- Signed-off-by: Naarcha-AWS <naarcha@amazon.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Co-authored-by: Melissa Vagi <vagimeli@amazon.com> Co-authored-by: Nathan Bower <nbower@amazon.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #5489
Checklist
For more information on following Developer Certificate of Origin and signing off your commits, please check here.