security analytics : template vs _index_template #424
Labels: bug (Something isn't working)
@mareban Can you let us know if you are still facing the issue? Feel free to re-open.
riysaxen-amzn pushed a commit to riysaxen-amzn/security-analytics that referenced this issue on Feb 20, 2024:
…earch-project#424)
* [FEATURE] Detector must have at least one alert set opensearch-project#288 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* [BUG] Create detector | Interval field can be empty opensearch-project#378 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* Adjust styling for Finding details flyout opensearch-project#369 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* unit tests Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* detector unit tests Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* detector unit tests Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* detector unit tests Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* detector unit tests Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* detector unit tests Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* detector unit tests Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* detector unit tests Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* detector unit tests Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* detector unit tests Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* unit tests review Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* unit tests review Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* unit tests review Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* unit tests review Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* unit tests review Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* unit tests review Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* unit tests review Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* unit tests review Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* Feature/update vertical domain #372 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* Unit tests for public components opensearch-project#383 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* Unit tests for public components opensearch-project#383 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* Unit tests for public components opensearch-project#383 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* Unit tests for public components opensearch-project#383 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* Unit tests for public components opensearch-project#383 [BUG] Detector Edit | Custom rule are not selected on update rules opensearch-project#406 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* Unit tests for public components opensearch-project#383 [BUG] Detector Edit | Custom rule are not selected on update rules opensearch-project#406 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* PR code review Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* PR code review Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* PR code review Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* [FEATURE] Create detector | Make data source multi-select field opensearch-project#419 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* [FEATURE] Create detector | Make data source multi-select field opensearch-project#419 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* [FEATURE] Create detector | Make data source multi-select field opensearch-project#419 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* [FEATURE] Create detector | Make data source multi-select field opensearch-project#419 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* [FEATURE] Create detector | Make data source multi-select field opensearch-project#419 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* [FEATURE] Create detector | Make data source multi-select field opensearch-project#419 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* [FEATURE] Create detector | Make data source multi-select field opensearch-project#419 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* [FEATURE] Create detector | Make data source multi-select field opensearch-project#419 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* [FEATURE] Create detector | Make data source multi-select field opensearch-project#419 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* unit tests fix Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
---------
Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
Hi,
Sorry, but it's not clear to us how Security Analytics handles SIEM rules and alias mapping!
My understanding is that we need an _index_template for packetbeat, e.g., and when we create a detector, aliases will be added to this _index_template with a component template, correct?
But the packetbeat template was imported into template, not _index_template, so when we create a detector a component template is created and not added to template/packetbeat, and when a new daily packetbeat index is created there is a "mess" with the mapping: template/packetbeat doesn't seem to be used anymore, and dashboards are not displayed correctly either :-(
Is it a bug, or did we miss something? If we need to have an _index_template for packetbeat, how can we do that?
Thanks for your help
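As an added illustration (not code from this issue or from the security-analytics project), the following Python model shows why a packetbeat mapping loaded into the legacy `_template` API and a detector-created `_index_template` do not combine, and what the effective mapping of a new daily index looks like before the detector, after it, and after the legacy content has been moved into an `_index_template` that composes the detector's component template. It models OpenSearch's documented precedence: when any composable index template matches an index name, only the highest-priority one applies and legacy templates are ignored; inside a composable template, the `composed_of` components merge in order and its own `template` block applies last. Every template, component, index and field name here is constructed for the example; the real cluster calls would be `PUT _component_template/<name>` and `PUT _index_template/<name>` with bodies like the ones built below.

```python
"""Model of OpenSearch template precedence for a new index (example only).
Rules modelled: if any composable _index_template matches the index name, only the
highest-priority one applies and legacy _template entries are ignored; otherwise
matching legacy templates merge by ascending `order`. Inside a composable template,
`composed_of` components merge in order and its own `template` block applies last.
Every template, index and field name below is constructed for the example."""
import copy
import fnmatch

# Constructed stand-in for the legacy template that `packetbeat setup` loads into
# the old _template API (a few fields only, not the real packetbeat mapping).
LEGACY_PACKETBEAT = {
    "index_patterns": ["packetbeat-*"], "order": 1,
    "settings": {"index.number_of_shards": 1},
    "mappings": {"properties": {
        "@timestamp": {"type": "date"},
        "source": {"properties": {"ip": {"type": "ip"}}},
        "destination": {"properties": {"port": {"type": "long"}}}}},
}
# Constructed stand-in for the component template a detector adds: field aliases
# pointing at the real packetbeat fields, and nothing else.
DETECTOR_COMPONENT = {"template": {"mappings": {"properties": {
    "dst_port": {"type": "alias", "path": "destination.port"}}}}}
COMPONENTS = {"detector-packetbeat-aliases": DETECTOR_COMPONENT}
# Composable index template that references only that component: the state the
# issue describes when no _index_template for packetbeat existed beforehand.
DETECTOR_ONLY_INDEX_TEMPLATE = {"index_patterns": ["packetbeat-*"], "priority": 100,
                                "composed_of": ["detector-packetbeat-aliases"]}
DAILY_INDEX = "packetbeat-2024.02.20"  # constructed daily index name


def deep_merge(base, override):
    """Return base updated by override, recursing into nested dicts."""
    out = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def resolve_template(index_name, index_templates, component_templates, legacy_templates):
    """Effective {settings, mappings} a newly created index would receive."""
    def matches(t):
        return any(fnmatch.fnmatch(index_name, p) for p in t["index_patterns"])

    composable = [t for t in index_templates.values() if matches(t)]
    if composable:  # composable templates shadow every legacy template
        winner = max(composable, key=lambda t: t.get("priority", 0))
        effective = {}
        for name in winner.get("composed_of", []):
            effective = deep_merge(effective, component_templates[name]["template"])
        return deep_merge(effective, winner.get("template", {}))
    effective = {}
    for t in sorted((t for t in legacy_templates.values() if matches(t)),
                    key=lambda t: t.get("order", 0)):
        effective = deep_merge(effective, {"settings": t.get("settings", {}),
                                           "mappings": t.get("mappings", {})})
    return effective


def legacy_to_index_template(legacy, composed_of=(), priority=200):
    """Body for `PUT _index_template/<name>` carrying a legacy template's settings
    and mappings while composing the detector's component template."""
    return {
        "index_patterns": list(legacy["index_patterns"]),
        "priority": priority,
        "composed_of": list(composed_of),
        "template": {"settings": copy.deepcopy(legacy.get("settings", {})),
                     "mappings": copy.deepcopy(legacy.get("mappings", {}))},
    }


def top_level_fields(effective):
    return sorted(effective.get("mappings", {}).get("properties", {}))


def before_detector():
    """Legacy template alone: the new daily index gets the packetbeat mapping."""
    return resolve_template(DAILY_INDEX, {}, {}, {"packetbeat": LEGACY_PACKETBEAT})


def detector_over_legacy():
    """Detector-created _index_template beside the legacy one: legacy is shadowed,
    so the daily index gets only the alias and no packetbeat fields or settings."""
    return resolve_template(DAILY_INDEX, {"packetbeat": DETECTOR_ONLY_INDEX_TEMPLATE},
                            COMPONENTS, {"packetbeat": LEGACY_PACKETBEAT})


def after_migration():
    """Legacy content moved into an _index_template that composes the aliases."""
    migrated = legacy_to_index_template(LEGACY_PACKETBEAT,
                                        composed_of=["detector-packetbeat-aliases"])
    return resolve_template(DAILY_INDEX, {"packetbeat": migrated},
                            COMPONENTS, {"packetbeat": LEGACY_PACKETBEAT})


if __name__ == "__main__":
    for label, fn in [("legacy only", before_detector),
                      ("detector + legacy", detector_over_legacy),
                      ("migrated", after_migration)]:
        print(f"{label:18} -> fields {top_level_fields(fn())}")
```

The middle scenario is the "mess" from the report: the day after the detector is created, the new daily index matches the detector's composable template, the legacy packetbeat template is no longer consulted, and the index comes up with nothing but the alias field. Two practical checks when applying this on a cluster: give the migrated `_index_template` a priority that does not tie with any other template on the same index pattern (the cluster rejects equal priorities on overlapping patterns), and confirm with `GET _index_template/<name>` that the detector's component template appears in `composed_of` after a detector is created, since that is the attachment point the reporter expected.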