Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Backport 2.13] Add log types section to Security Analytics #6876

Merged
merged 1 commit into from
Apr 4, 2024
Merged

[Backport 2.13] Add log types section to Security Analytics #6876

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion _security-analytics/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ For information about configuring detectors, see [Creating detectors]({{site.url

### Log types

Log types provide the data used to evaluate events occurring in a system. OpenSearch supports several types of logs and provides out-of-the-box mappings for the most common log sources. See [Supported log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types/) for a list of log types currently supported by Security Analytics.
[Log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types/) provide the data used to evaluate events occurring in a system. OpenSearch supports several types of logs and provides out-of-the-box mappings for the most common log sources.

Log types are specified during the creation of detectors, including steps for mapping log fields to the detector. Security Analytics also automatically selects an appropriate set of rules based on a specific log type and populates them for the detector.

Expand Down
114 changes: 114 additions & 0 deletions _security-analytics/log-types-reference/ad-ldap.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,114 @@
---
layout: default
title: AD LDAP
parent: Supported log types
nav_order: 20
---

# AD LDAP

The `ad_ldap` log type tracks Active Directory logs, such as:

- Lightweight Directory Access Protocol (LDAP) queries.
- Errors from the LDAP server.
- Timeout events.
- Unsecured LDAP binds.

The following code snippet contains all `raw_field` and `ecs` mappings for this log type:

```json
"mappings": [
{
"raw_field":"TargetUserName",
"ecs":"azure.signinlogs.properties.user_id"
},
{
"raw_field":"creationTime",
"ecs":"timestamp"
},
{
"raw_field":"Category",
"ecs":"azure.activitylogs.category"
},
{
"raw_field":"OperationName",
"ecs":"azure.platformlogs.operation_name"
},
{
"raw_field":"ModifiedProperties_NewValue",
"ecs":"modified_properties.new_value"
},
{
"raw_field":"ResourceProviderValue",
"ecs":"azure.resource.provider"
},
{
"raw_field":"conditionalAccessStatus",
"ecs":"azure.signinlogs.properties.conditional_access_status"
},
{
"raw_field":"SearchFilter",
"ecs":"SearchFilter"
},
{
"raw_field":"Operation",
"ecs":"azure.platformlogs.operation_name"
},
{
"raw_field":"ResultType",
"ecs":"azure.platformlogs.result_type"
},
{
"raw_field":"DeviceDetail_isCompliant",
"ecs":"azure.signinlogs.properties.device_detail.is_compliant"
},
{
"raw_field":"ResourceDisplayName",
"ecs":"resource_display_name"
},
{
"raw_field":"AuthenticationRequirement",
"ecs":"azure.signinlogs.properties.authentication_requirement"
},
{
"raw_field":"TargetResources",
"ecs":"target_resources"
},
{
"raw_field":"Workload",
"ecs":"workload"
},
{
"raw_field":"DeviceDetail.deviceId",
"ecs":"azure.signinlogs.properties.device_detail.device_id"
},
{
"raw_field":"OperationNameValue",
"ecs":"azure.platformlogs.operation_name"
},
{
"raw_field":"ResourceId",
"ecs":"azure.signinlogs.properties.resource_id"
},
{
"raw_field":"ResultDescription",
"ecs":"azure.signinlogs.result_description"
},
{
"raw_field":"EventID",
"ecs":"EventID"
},
{
"raw_field":"NetworkLocationDetails",
"ecs":"azure.signinlogs.properties.network_location_details"
},
{
"raw_field":"CategoryValue",
"ecs":"azure.activitylogs.category"
},
{
"raw_field":"ActivityDisplayName",
"ecs":"azure.auditlogs.properties.activity_display_name"
}
]
```
10 changes: 10 additions & 0 deletions _security-analytics/log-types-reference/apache-access.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
---
layout: default
title: Apache Access
parent: Supported log types
nav_order: 25
---

# Apache Access

Check failure on line 8 in _security-analytics/log-types-reference/apache-access.md

View workflow job for this annotation

GitHub Actions / vale

[vale] _security-analytics/log-types-reference/apache-access.md#L8 

[OpenSearch.HeadingCapitalization] 'Apache Access' is a heading and should be in sentence case.
Raw output 
{"message": "[OpenSearch.HeadingCapitalization] 'Apache Access' is a heading and should be in sentence case.", "location": {"path": "_security-analytics/log-types-reference/apache-access.md", "range": {"start": {"line": 8, "column": 3}}}, "severity": "ERROR"}

The `apache_access` log type records data for all requests processed by Apache HTTP servers. It contains no `raw_field` or `ecs` mappings.
225 changes: 225 additions & 0 deletions _security-analytics/log-types-reference/azure.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,225 @@
---
layout: default
title: Azure
parent: Supported log types
nav_order: 29
---

# Azure

The `azure` log type monitors log data for cloud applications managed by Azure Cloud Services.

The following code snippet contains all `raw_field` and `ecs` mappings for this log type:

```json
"mappings": [
{
"raw_field":"Resultdescription",
"ecs":"azure.signinlogs.result_description"
},
{
"raw_field":"eventSource",
"ecs":"eventSource"
},
{
"raw_field":"eventName",
"ecs":"eventName"
},
{
"raw_field":"Status",
"ecs":"azure.platformlogs.status"
},
{
"raw_field":"LoggedByService",
"ecs":"azure.auditlogs.properties.logged_by_service"
},
{
"raw_field":"properties_message",
"ecs":"properties_message"
},
{
"raw_field":"status",
"ecs":"azure.platformlogs.status"
},
{
"raw_field":"TargetUserName",
"ecs":"azure.signinlogs.properties.user_id"
},
{
"raw_field":"creationTime",
"ecs":"timestamp"
},
{
"raw_field":"Category",
"ecs":"azure.activitylogs.category"
},
{
"raw_field":"OperationName",
"ecs":"azure.platformlogs.operation_name"
},
{
"raw_field":"ModifiedProperties_NewValue",
"ecs":"modified_properties.new_value"
},
{
"raw_field":"ResourceProviderValue",
"ecs":"azure.resource.provider"
},
{
"raw_field":"conditionalAccessStatus",
"ecs":"azure.signinlogs.properties.conditional_access_status"
},
{
"raw_field":"SearchFilter",
"ecs":"search_filter"
},
{
"raw_field":"Operation",
"ecs":"azure.platformlogs.operation_name"
},
{
"raw_field":"ResultType",
"ecs":"azure.platformlogs.result_type"
},
{
"raw_field":"DeviceDetail_isCompliant",
"ecs":"azure.signinlogs.properties.device_detail.is_compliant"
},
{
"raw_field":"ResourceDisplayName",
"ecs":"resource_display_name"
},
{
"raw_field":"AuthenticationRequirement",
"ecs":"azure.signinlogs.properties.authentication_requirement"
},
{
"raw_field":"TargetResources",
"ecs":"target_resources"
},
{
"raw_field":"Workload",
"ecs":"Workload"
},
{
"raw_field":"DeviceDetail_deviceId",
"ecs":"azure.signinlogs.properties.device_detail.device_id"
},
{
"raw_field":"OperationNameValue",
"ecs":"azure.platformlogs.operation_name"
},
{
"raw_field":"ResourceId",
"ecs":"azure.signinlogs.properties.resource_id"
},
{
"raw_field":"ResultDescription",
"ecs":"azure.signinlogs.result_description"
},
{
"raw_field":"EventID",
"ecs":"EventID"
},
{
"raw_field":"NetworkLocationDetails",
"ecs":"azure.signinlogs.properties.network_location_details"
},
{
"raw_field":"CategoryValue",
"ecs":"azure.activitylogs.category"
},
{
"raw_field":"ActivityDisplayName",
"ecs":"azure.auditlogs.properties.activity_display_name"
},
{
"raw_field":"Initiatedby",
"ecs":"azure.activitylogs.identity.claims_initiated_by_user.name"
},
{
"raw_field":"Count",
"ecs":"Count"
},
{
"raw_field":"ResourceTenantId",
"ecs":"azure.signinlogs.properties.resource_tenant_id"
},
{
"raw_field":"failure_status_reason",
"ecs":"failure_status_reason"
},
{
"raw_field":"AppId",
"ecs":"azure.signinlogs.properties.app_id"
},
{
"raw_field":"properties.message",
"ecs":"properties.message"
},
{
"raw_field":"ClientApp",
"ecs":"azure.signinlogs.properties.client_app_used"
},
{
"raw_field":"ActivityDetails",
"ecs":"ActivityDetails"
},
{
"raw_field":"Target",
"ecs":"Target"
},
{
"raw_field":"DeviceDetail.trusttype",
"ecs":"azure.signinlogs.properties.device_detail.trust_type"
},
{
"raw_field":"HomeTenantId",
"ecs":"azure.signinlogs.properties.home_tenant_id"
},
{
"raw_field":"ConsentContext.IsAdminConsent",
"ecs":"ConsentContext.IsAdminConsent"
},
{
"raw_field":"InitiatedBy",
"ecs":"InitiatedBy"
},
{
"raw_field":"ActivityType",
"ecs":"azure.auditlogs.properties.activity_display_name"
},
{
"raw_field":"operationName",
"ecs":"azure.activitylogs.operation_name"
},
{
"raw_field":"ModifiedProperties{}.NewValue",
"ecs":"modified_properties.new_value"
},
{
"raw_field":"userAgent",
"ecs":"user_agent.name"
},
{
"raw_field":"RiskState",
"ecs":"azure.signinlogs.properties.risk_state"
},
{
"raw_field":"Username",
"ecs":"azure.activitylogs.identity.claims_initiated_by_user.name"
},
{
"raw_field":"DeviceDetail.deviceId",
"ecs":"azure.signinlogs.properties.device_detail.device_id"
},
{
"raw_field":"DeviceDetail.isCompliant",
"ecs":"azure.signinlogs.properties.device_detail.is_compliant"
},
{
"raw_field":"Location",
"ecs":"azure.signinlogs.properties.network_location_details"
}
]
```
Loading
Loading