opensearch-docs-cn/_security-analytics/sec-analytics-config/index.md

---
layout: default
title: Setting up Security Analytics
nav_order: 10
has_children: true
has_toc: false
redirect_from:
  - /security-analytics/sec-analytics-config/
---

# Setting up Security Analytics

Before Security Analytics can begin generating findings and sending alerts, administrators must create detectors and make log data available to the system. Once detectors are able to generate findings, you can fine-tune your alerts to focus on specific areas of interest. The following steps outline the basic workflow for setting up components in Security Analytics.

1. Create threat detectors and alerts, and ingest log data. See [Creating detectors]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/detectors-config/) for more information.
1. Consider [creating correlation rules]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/correlation-config/) to identify connections between events and possible threats occurring in different logs throughout your system.
1. Inspect findings generated from detector output and create any additional alerts.
1. If desired, create custom rules to better focus detectors on high-priority concerns in your system. See [Creating detection rules]({{site.url}}{{site.baseurl}}/security-analytics/usage/rules/#creating-detection-rules) for more information.

## Navigate to Security Analytics

1. To get started, select the top menu on the Dashboards home page and then select **Security Analytics**. The Overview page for Security Analytics is displayed.
1. From the options on the left side of the page, select **Detectors** to begin creating a detector.

<img src="{{site.url}}{{site.baseurl}}/images/Security/secanalytics-det-nav.png" alt="Navigating to create a detector page" width="70%">
Add documentation for Security Analytics plugin (#1824) * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * Delete admin-api.md * Delete api-index.md * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics (#1901) Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> Signed-off-by: cwillum <cwmmoore@amazon.com> Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> Co-authored-by: Subhobrata Dey <sbcd90@gmail.com> Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> 2022-11-18 13:19:06 -05:00			`---`
			`layout: default`
			`title: Setting up Security Analytics`
			`nav_order: 10`
			`has_children: true`
			`has_toc: false`
			`redirect_from:`
			`- /security-analytics/sec-analytics-config/`
			`---`

			`# Setting up Security Analytics`

			`Before Security Analytics can begin generating findings and sending alerts, administrators must create detectors and make log data available to the system. Once detectors are able to generate findings, you can fine-tune your alerts to focus on specific areas of interest. The following steps outline the basic workflow for setting up components in Security Analytics.`

Add documentation that supports custom log types (#4969) * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> --------- Signed-off-by: cwillum <cwmmoore@amazon.com> 2023-09-19 17:36:56 -04:00			`1. Create threat detectors and alerts, and ingest log data. See [Creating detectors]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/detectors-config/) for more information.`
			`1. Consider [creating correlation rules]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/correlation-config/) to identify connections between events and possible threats occurring in different logs throughout your system.`
Add documentation for Security Analytics plugin (#1824) * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * Delete admin-api.md * Delete api-index.md * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics (#1901) Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> Signed-off-by: cwillum <cwmmoore@amazon.com> Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> Co-authored-by: Subhobrata Dey <sbcd90@gmail.com> Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> 2022-11-18 13:19:06 -05:00			`1. Inspect findings generated from detector output and create any additional alerts.`
Add documentation that supports custom log types (#4969) * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#4741 custom logtype updates Signed-off-by: cwillum <cwmmoore@amazon.com> --------- Signed-off-by: cwillum <cwmmoore@amazon.com> 2023-09-19 17:36:56 -04:00			`1. If desired, create custom rules to better focus detectors on high-priority concerns in your system. See [Creating detection rules]({{site.url}}{{site.baseurl}}/security-analytics/usage/rules/#creating-detection-rules) for more information.`
Add documentation for Security Analytics plugin (#1824) * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * Delete admin-api.md * Delete api-index.md * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics (#1901) Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> Signed-off-by: cwillum <cwmmoore@amazon.com> Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> Co-authored-by: Subhobrata Dey <sbcd90@gmail.com> Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> 2022-11-18 13:19:06 -05:00
			`## Navigate to Security Analytics`

			`1. To get started, select the top menu on the Dashboards home page and then select Security Analytics. The Overview page for Security Analytics is displayed.`
			`1. From the options on the left side of the page, select Detectors to begin creating a detector.`

Security Analytics—additional updates following 2.5 release (#2515) * fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com> * Update _security-analytics/sec-analytics-config/detectors-config.md Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Update _security-analytics/sec-analytics-config/detectors-config.md Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com> --------- Signed-off-by: cwillum <cwmmoore@amazon.com> Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> 2023-01-31 20:58:14 -05:00			`<img src="{{site.url}}{{site.baseurl}}/images/Security/secanalytics-det-nav.png" alt="Navigating to create a detector page" width="70%">`