Add documentation for OCSF field mapping and correlation engine API #4549
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: cwillum <[email protected]>
cwillum
added
2 - In progress
cwillum
requested review from
hdhalter,
kolchfa-aws,
Naarcha-AWS,
vagimeli,
ananzh,
seanneumann,
AMoo-Miki and
natebower
as code owners
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
|
the |
Signed-off-by: cwillum <[email protected]>
sbcd90
approved these changes
Jul 13, 2023
getsaurabh02
approved these changes
Jul 13, 2023
getsaurabh02
requested changes
Jul 13, 2023
Comment on lines
27
to
28
| | `query` | String | TBD. | | ||
| | `category` | String | TBD. | |
There was a problem hiding this comment.
Can we provide description for TBDs here?
| | :--- | :--- |:--- | | ||
| | `finding` | String | The finding ID. | | ||
| | `detector_type` | String | The log type for the detector. | | ||
| | `nearby_findings` | Number | TBD. | |
Signed-off-by: cwillum <[email protected]>
|
@sbcd90 @getsaurabh02 Yes, I could use some help with a few field/parameter descriptions. Those will be conspicuous with the "TBD" placeholder. The last thing I need is a screenshot that shows the log type selectors with |
Signed-off-by: cwillum <[email protected]>
cwillum
added
3 - Tech review
Naarcha-AWS
approved these changes
Jul 14, 2023
Signed-off-by: Subhobrata Dey <[email protected]>
Signed-off-by: cwillum <[email protected]>
This reverts commit c6db296. merge conflict with same edits on another branch#
Signed-off-by: cwillum <[email protected]>
|
Merge conflicts from same edits on different branches. |
cwillum
added
5 - Editorial review
This reverts commit 7a70dc3. merge conflict with second branch :wq
This reverts commit ef13a74.
Signed-off-by: cwillum <[email protected]>
natebower
reviewed
Jul 16, 2023
|
|
||
| # Correlation engine APIs | ||
|
|
||
| Correlation engine APIs allow you to create new correlation rules, view findings and correlations within a certain span of time, and perform other tasks. |
There was a problem hiding this comment.
Suggested change
| Correlation engine APIs allow you to create new correlation rules, view findings and correlations within a certain span of time, and perform other tasks. | |
| Correlation engine APIs allow you to create new correlation rules, view findings and correlations within a certain time window, and perform other tasks. |
|
|
||
| ## List all findings and their correlations within a time window | ||
|
|
||
| Provides a list of all findings and their correlations within a specified window of time. |
There was a problem hiding this comment.
Suggested change
| Provides a list of all findings and their correlations within a specified window of time. | |
| Provides a list of all findings and their correlations within a specified time window: |
| @@ -11,6 +11,17 @@ The following APIs can be used for a number of tasks related to mappings, from c | |||
|
|
|||
| ## Get Mappings View | |||
|
|
|||
| Returns a view of the fields contained in an index used as a log source. | |||
There was a problem hiding this comment.
Please rephrase as a complete sentence naming the noun (what is used to do this?).
| @@ -11,7 +11,7 @@ The following APIs can be used for a number of tasks related to rules, from sear | |||
|
|
|||
| ## Create Custom Rule | |||
|
|
|||
| The Create custom rule API uses Sigma security rule formatting to create a custom rule. For information on how to write a rule in Sigma format, see information provided at [Sigma's GitHub repository](https://github.com/SigmaHQ/sigma). | |||
| The Create custom rule API uses Sigma security rule formatting to create a custom rule. For information about how to write a rule in Sigma format, see information provided at [Sigma's GitHub repository](https://github.com/SigmaHQ/sigma). | |||
There was a problem hiding this comment.
Suggested change
| The Create custom rule API uses Sigma security rule formatting to create a custom rule. For information about how to write a rule in Sigma format, see information provided at [Sigma's GitHub repository](https://github.com/SigmaHQ/sigma). | |
| The Create custom rule API uses Sigma security rule formatting to create a custom rule. For information about how to write a rule in Sigma format, see the information provided in [Sigma's GitHub repository](https://github.com/SigmaHQ/sigma). |
| @@ -60,6 +60,15 @@ Security Analytics takes advantage of prepackaged Sigma rules for security event | |||
|
|
|||
| Although the ECS rule field names are largely self-explanatory, you can find predefined mappings of the Sigma rule field names to ECS rule field names, for all supported log types, in the GitHub Security Analytics repository. Navigate to the [OSMappings](https://github.com/opensearch-project/security-analytics/tree/main/src/main/resources/OSMapping) folder, choose the folder named for the log type, and open the `fieldmappings.yml` file. For example, to see the Sigma rule fields that correspond to ECS rule fields for the Windows log type, open the [fieldmappings.yml file](https://github.com/opensearch-project/security-analytics/blob/main/src/main/resources/OSMapping/windows/fieldmappings.yml) in the **windows** folder. | |||
|
|
|||
| #### Amazon Security Lake logs | |||
|
|
|||
| [Amazon Security Lake](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html) service converts security log and event data to the [Open Cybersecurity Schema Framework](https://docs.aws.amazon.com/security-lake/latest/userguide/open-cybersecurity-schema-framework.html) (OCSF) to normalize combined data and facilitate its management. OpenSearch supports ingestion of log data from Security Lake in the OCSF format, and Security Analytics can automatically map fields from OCSF to ECS (the default field-mapping schema). | |||
There was a problem hiding this comment.
Suggested change
| [Amazon Security Lake](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html) service converts security log and event data to the [Open Cybersecurity Schema Framework](https://docs.aws.amazon.com/security-lake/latest/userguide/open-cybersecurity-schema-framework.html) (OCSF) to normalize combined data and facilitate its management. OpenSearch supports ingestion of log data from Security Lake in the OCSF format, and Security Analytics can automatically map fields from OCSF to ECS (the default field-mapping schema). | |
| [Amazon Security Lake](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html) converts security log and event data to the [Open Cybersecurity Schema Framework](https://docs.aws.amazon.com/security-lake/latest/userguide/open-cybersecurity-schema-framework.html) (OCSF) to normalize combined data and facilitate its management. OpenSearch supports ingestion of log data from Security Lake in the OCSF format, and Security Analytics can automatically map fields from OCSF to ECS (the default field-mapping schema). |
|
|
||
| [Amazon Security Lake](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html) service converts security log and event data to the [Open Cybersecurity Schema Framework](https://docs.aws.amazon.com/security-lake/latest/userguide/open-cybersecurity-schema-framework.html) (OCSF) to normalize combined data and facilitate its management. OpenSearch supports ingestion of log data from Security Lake in the OCSF format, and Security Analytics can automatically map fields from OCSF to ECS (the default field-mapping schema). | ||
|
|
||
| The log types from Security Lake that can be used as log sources for detector creation include CloudTrail, Route 53, and VPC Flow. Given that Route 53 is a log that captures DNS activity, its log type should be specified as **DNS logs** when [defining a detector](#step-1-define-a-detector). Furthermore, since logs such as CloudTrail can be captured conceivably in both raw format and OCSF, it's good practice to name indexes in a way that keeps these logs separate and easily identifiable. This becomes helpful when specifying an index name in any of the APIs associated with Security Analytics. |
There was a problem hiding this comment.
Suggested change
| The log types from Security Lake that can be used as log sources for detector creation include CloudTrail, Route 53, and VPC Flow. Given that Route 53 is a log that captures DNS activity, its log type should be specified as **DNS logs** when [defining a detector](#step-1-define-a-detector). Furthermore, since logs such as CloudTrail can be captured conceivably in both raw format and OCSF, it's good practice to name indexes in a way that keeps these logs separate and easily identifiable. This becomes helpful when specifying an index name in any of the APIs associated with Security Analytics. | |
| The Security Lake log types that can be used as log sources for detector creation include CloudTrail, Route 53, and VPC Flow. Given that Route 53 is a log that captures DNS activity, its log type should be specified as **DNS logs** when [defining a detector](#step-1-define-a-detector). Furthermore, because logs such as CloudTrail can conceivably be captured in both raw format and OCSF, it's good practice to name indexes in a way that keeps these logs separate and easily identifiable. This becomes helpful when specifying an index name in any of the APIs associated with Security Analytics. |
| @@ -11,7 +11,7 @@ The following APIs can be used for a number of tasks related to rules, from sear | |||
|
|
|||
| ## Create Custom Rule | |||
|
|
|||
| The Create custom rule API uses Sigma security rule formatting to create a custom rule. For information on how to write a rule in Sigma format, see information provided at [Sigma's GitHub repository](https://github.com/SigmaHQ/sigma). | |||
| The Create custom rule API uses Sigma security rule formatting to create a custom rule. For information about how to write a rule in Sigma format, see information provided at [Sigma's GitHub repository](https://github.com/SigmaHQ/sigma). | |||
There was a problem hiding this comment.
Confirm capitalization of the API name.
Signed-off-by: cwillum <[email protected]>
…search-project/documentation-website into fix#4500-sec-analytics-ocsf
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
4 tasks
prudhvigodithi
added
release-notes
harshavamsi
pushed a commit
to harshavamsi/documentation-website
that referenced
this pull request
Oct 31, 2023
…pensearch-project#4549) * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * add missing param descriptions (opensearch-project#4555) Signed-off-by: Subhobrata Dey <[email protected]> * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * Revert "fix#4500 ocsf fields and api" This reverts commit c6db296. merge conflict with same edits on another branch# * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * Revert "fix#4500 ocsf fields and api" This reverts commit 7a70dc3. merge conflict with second branch :wq * Revert "fix#4500 ocsf fields and api" This reverts commit ef13a74. * fix#4500 edits post merge conflict Signed-off-by: cwillum <[email protected]> * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> --------- Signed-off-by: cwillum <[email protected]> Signed-off-by: Subhobrata Dey <[email protected]> Co-authored-by: Subhobrata Dey <[email protected]>
vagimeli
pushed a commit
that referenced
this pull request
Dec 21, 2023
…4549) * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * add missing param descriptions (#4555) Signed-off-by: Subhobrata Dey <[email protected]> * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * Revert "fix#4500 ocsf fields and api" This reverts commit c6db296. merge conflict with same edits on another branch# * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * Revert "fix#4500 ocsf fields and api" This reverts commit 7a70dc3. merge conflict with second branch :wq * Revert "fix#4500 ocsf fields and api" This reverts commit ef13a74. * fix#4500 edits post merge conflict Signed-off-by: cwillum <[email protected]> * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> * fix#4500 ocsf fields and api Signed-off-by: cwillum <[email protected]> --------- Signed-off-by: cwillum <[email protected]> Signed-off-by: Subhobrata Dey <[email protected]> Co-authored-by: Subhobrata Dey <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Adds documentation for OCSF field mapping types, and adds APIs for correlation engine.
Issues Resolved
Fixes #4500
Checklist
For more information on following Developer Certificate of Origin and signing off your commits, please check here.