diff --git a/_security-analytics/index.md b/_security-analytics/index.md
index 0887abc1..16adc1b7 100644
--- a/_security-analytics/index.md
+++ b/_security-analytics/index.md
@@ -66,7 +66,7 @@ To learn more about findings, see [Working with findings]({{site.url}}{{site.bas
When defining a detector, you can specify certain conditions that will trigger an alert. When an event triggers an alert, the system sends a notification to a preferred channel, such as Amazon Chime, Slack, or email. The alert can be triggered when the detector matches one or multiple rules. Further conditions can be set by rule severity and tags. You can also create a notification message with a customized subject line and message body.
-For information about setting up alerts, see [Step 3. Set up alerts]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/detectors-config/#step-3-set-up-alerts) in detector creation documentation. For information about managing alerts on the Alerts window, see [Working with alerts]({{site.url}}{{site.baseurl}}/security-analytics/usage/alerts/).
+For information about setting up alerts, see [Step 4. Set up alerts]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/detectors-config/#step-4-set-up-alerts) in the detector creation documentation. For information about managing alerts in the Alerts window, see [Working with alerts]({{site.url}}{{site.baseurl}}/security-analytics/usage/alerts/).
### Correlation engine
diff --git a/_security-analytics/sec-analytics-config/detectors-config.md b/_security-analytics/sec-analytics-config/detectors-config.md
index cdaa8e96..d4c0814b 100644
--- a/_security-analytics/sec-analytics-config/detectors-config.md
+++ b/_security-analytics/sec-analytics-config/detectors-config.md
@@ -9,6 +9,7 @@ nav_order: 15
Security Analytics provides the options and functionality to monitor and respond to a wide range of security threats. Detectors are the essential components that determine what to look for and how to respond to those threats. This section covers their creation and configuration.
+
## Step 1. Define a detector
You can define a new detector by naming the detector, selecting a data source and detector type, and specifying a detector schedule. After defining a detector, you can also configure field mappings and set up alerts. Follow the steps in this section to accomplish all three of these setup tasks.
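Review bot: the context line `Follow the steps in this section to accomplish all three of these setup tasks.` is now stale: with the detector schedule split out into its own Step 3, this page has four setup tasks (define, field mappings, schedule, alerts), and the preceding sentence lists only field mappings and alerts. Suggest updating both sentences in this same change, e.g. `After defining a detector, you can also configure field mappings, set a detector schedule, and set up alerts. Follow the steps in this section to accomplish all four of these setup tasks.`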
@@ -16,44 +17,44 @@ You can define a new detector by naming the detector, selecting a data source an
1. On the **Threat detectors** page, choose **Create detector**. The **Define detector** page opens.
1. In **Detector details**, give the detector a name. Adding a description for the detector is optional.
1. In the **Data source** section, select the dropdown arrow and select one or multiple sources for the log data.
-
+
When multiple data sources are selected, the logs must be of the same type. We recommend creating separate detectors for different log types.
{: .note }
+
+1. In the **Log types and rules** section, select the log type for the data source. The system automatically populates the Sigma security rules associated with the log type. The following image shows the number of associated rules populated in the **Detection rules** section.
-1. In the **Log types and rules** section, select the log type for the data source. The Sigma security rules associated with the log data are automatically populated in the **Detection rules** section, as shown in the following image.
+
-
-
- When selecting **Network events**, **CloudTrail logs**, or **S3 access logs** as the log type, a detector dashboard is automatically created. The dashboard offers visualizations for the detector and can provide security-related insight into log source data. For more information about visualizations, see [Building data visualizations]({{site.url}}{{site.baseurl}}/dashboards/visualize/viz-index/).
+ When you select **Network events**, **CloudTrail logs**, or **S3 access logs** as the log type, the system automatically creates a detector dashboard. The dashboard offers visualizations for the detector and can provide security-related insight into log source data. For more information about visualizations, see [Building data visualizations]({{site.url}}{{site.baseurl}}/dashboards/visualize/viz-index/).
You can skip the next step for applying select rules if you are satisfied with those automatically populated by the system. Otherwise, go to the next step to select rules individually.
{: .note }
-1. In the **Detection rules** section, specify only those rules you want applied to the detector, as shown in the following image.
+1. Expand **Detection rules** to show the list of available detection rules for the selected log type. Initially, all rules are selected by default. The following image illustrates this.
-
+
* Use the toggle to the left of **Rule name** to select or deselect rules.
* Use the **Rule severity** and **Source** dropdown lists to filter the rules you want to select from.
* Use the **Search** bar to search for specific rules.
- To quickly select one or more known rules and dismiss others, first deselect all rules by moving the **Rule name** toggle to the left, then search for your target rule names and select each individually by moving its toggle to the right.
+ To quickly select one or more known rules and dismiss others, first deselect all rules by turning off the **Rule name** toggle, then search for your target rule names and select each individually by turning its toggle on.
{: .tip }
-1. In the **Detector schedule** section, set how often the detector will run. Specify a unit of time and a corresponding number to set the interval.
-1. Choose **Next** in the lower-right corner of the screen to continue. The **Configure field mapping** page appears.
## Step 2. Create field mappings
-The field mapping step matches field names from the rule with field names from the log index being used to provide data. Creating field mappings allows the system to accurately pass event data from the log to the detector and then use the data to trigger alerts.
+The field mapping step matches field names from the detector rule with field names from the log index being used to provide data. Creating field mappings allows the system to accurately pass event data from the log to the detector and then use the data to trigger alerts.
-The data source (log index), log type, and detection rules specified in the first step determine which fields are available for mapping. For example, when "Windows logs" is selected as the log type, this parameter, along with the specific detection rules, determines the list of rule field names available for the mapping. Similarly, the selected data source (log index) determines the list of log source field names that are available for the mapping.
+The data source (log index), log type, and detection rules specified in the first step determine which fields are available for mapping. For example, when "Windows logs" is selected as the log type, this parameter, along with the specific detection rules, determines the list of detection field names available for the mapping. Similarly, the selected data source determines the list of log source field names that are available for the mapping.
-Because the system uses prepackaged Sigma rules for detector creation, it can automatically map important fields for a specific log type with the corresponding fields in the Sigma rules. The field mapping step presents a view of automatically mapped fields while also providing the option to customize, change, or add new field mappings. When a detector includes custom rules, you can follow this step to manually map rule field names to log source field names.
+The system uses prepackaged Sigma rules for detector creation. It can automatically map important fields for a specific log type with the corresponding fields in the Sigma rules. The field mapping step presents a view of automatically mapped fields while also providing the option to customize, change, or add new field mappings. When a detector includes customized rules, you can follow this step to manually map detector rule field names to log source field names.
+
+Because the system has the ability to automatically map field names, this step is optional. However, the more fields that can be mapped between detector fields and log source fields, the greater the accuracy of generated findings.
#### A note on field names
-The field mapping process requires that you are familiar with the field names in the log index and have an understanding of the data contained in those fields. If you have an understanding of the log fields in the index, the mapping is typically a straightforward process.
+If you choose to perform manual field mapping, you should be familiar with the field names in the log index and have an understanding of the data contained in those fields. If you have an understanding of the log source fields in the index, the mapping is typically a straightforward process.
Security Analytics takes advantage of prepackaged Sigma rules for security event detection. Therefore, the field names are derived from a Sigma rule field standard. To make them easier to identify, however, we have created aliases for the Sigma rule fields based on the open-source Elastic Common Schema (ECS) specification. These alias rule field names are the field names used in these steps. They appear in the **Detector field name** column of the mapping tables.
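Review bot: the new sentence `Because the system has the ability to automatically map field names, this step is optional.` invites the reader to skip field mapping without saying what happens to a rule whose fields stay unmapped, which is exactly the information needed to make that decision. Please state whether such rules are silently skipped at run time, rejected when the detector is created, or evaluated anyway; a detector that appears configured but whose rules cannot match the index is a coverage gap, not merely an "accuracy" issue as the following sentence frames it. Separately, with the removed lines `1. In the **Detector schedule** section, set how often the detector will run.` and `1. Choose **Next** ... The **Configure field mapping** page appears.` gone, Step 1 now ends at the tip with no transition into Step 2; one sentence noting that field mappings are configured on the same page (consistent with the later `Expand **Automatically mapped fields**` wording) would close that gap.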
@@ -61,7 +62,7 @@ Although the ECS rule field names are largely self-explanatory, you can find pre
### Automatically mapped fields
-Once you navigate to the **Configure field mapping** page, the system attempts to automatically map fields between the two sources. The **Automatically mapped fields** table contains mappings that the system created automatically after defining the detector. When the field names are similar to one another, the system can successfully match the two, as shown in the following image.
+Once you select a data source and log type, the system attempts to automatically map fields between the log and rule fields. Expand **Automatically mapped fields** to show the list of these mappings. When the field names are similar to one another, the system can successfully match the two, as shown in the following image.
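Review bot: `attempts to automatically map fields between the log and rule fields` is awkward and uses names that differ from the table columns described in the next section (**Detector field name** / **Log source field name**); suggest `attempts to automatically map log source field names to detector field names`. Also, `When the field names are similar to one another` leaves "similar" undefined: if the match is by exact name or by the ECS-based aliases mentioned under "A note on field names", say so, since that tells the reader whether a renamed or custom index field will still auto-map or must be mapped by hand in the pending-mappings table.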
@@ -77,17 +78,25 @@ While mapping fields, consider the following:
* The **Detector field name** column lists field names based on all of the prepackaged rules associated with the selected log type.
* The **Log source field name** column includes a dropdown list for each of the detector fields. Each dropdown list contains field names extracted from the log index.
* To map a detector field name to a log source field name, use the dropdown arrow to open the list of log source fields and select the log field name from the list. To search for names in the log field list, enter text in the **Select a mapping field** box, as shown in the following image.
-
-
-
-* Once the log source field name is selected and mapped to the detector field name, the icon in the **Status** column to the right changes to a green check mark.
+
+
+
+* Once the log source field name is selected and mapped to the detector field name, the icon in the **Status** column to the right changes from the alert icon to a check mark.
* Make as many matches between field names as possible to complete an accurate mapping for the detector and log source fields.
-After completing the mappings, choose **Next** in the lower-right corner of the screen. The **Set up alerts** page appears and displays settings for an alert trigger.
-## Step 3. Set up alerts
+## Step 3. Create a detector schedule
-The third step in creating a detector involves setting up alerts. Alerts are configured to create triggers that, when matched with a set of detection rule criteria, send a notification of a possible security event. You can select rule names, rule severity, and tags in any combination to define a trigger. Once a trigger is defined, the alert setup lets you choose the channel on which to be notified and provides options for customizing a message for the notification.
+1. In the **Detector schedule** section, set how often the detector will run. Specify a unit of time and a corresponding number to set the interval. The following image shows that the detector runs every 3 minutes.
+
+
+
+1. After specifying how often the detector will run, select **Next** in the lower-right corner of the screen. The **Set up alerts** page appears and displays settings for an alert trigger.
+
+
+## Step 4. Set up alerts
+
+The fourth step in creating a detector involves setting up alerts. Alerts are configured to create triggers that, when matched with a set of detection rule criteria, send notifications of possible security events. You can select rule names, rule severity, and tags in any combination to define a trigger. Once a trigger is defined, the alert setup lets you choose the channel on which to be notified and provides options for customizing a message for the notification.
At least one alert condition is required before a detector can begin generating findings.
{: .note }
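Review bot: the new Step 3 jumps straight into the list without the one-sentence introduction that Steps 1, 2, and 4 have, and `set how often the detector will run` never says what a run does. A reader choosing the `3 minutes` shown in the image needs to know what the interval governs: does each run evaluate the selected rules only over documents indexed since the previous run, so that the interval bounds how long after an event is indexed a finding (and its alert) can appear? Is there a minimum permitted interval? Add a framing sentence answering those questions, and, if a minimum is enforced, state it here rather than leaving the reader to discover it from a validation error.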
@@ -99,13 +108,13 @@ To set up an alert for a detector, continue with the following steps:
1. In the **Trigger name** box, enter a name for the trigger.
1. To define rule matches for the alert, select security rules, severity levels, and tags.
-
+
* Select one rule or multiple rules that will trigger the alert. Put the cursor in the **Rule names** box and type a name to search for it. To remove a rule name, select the **X** beside the name. To remove all rule names, select the **X** beside the dropdown list's down arrow.
- * Select one or more rule severities as conditions for the alert.
+ * Select one or more rule severity levels as conditions for the alert.
* Select from a list of tags to include as conditions for the alert.
1. To define a notification for the alert, assign an alert severity, select a channel for the notification, and customize a message generated for the alert.
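Review bot: the bullets under `To define rule matches for the alert, select security rules, severity levels, and tags.` never say how multiple conditions combine. If a reader selects two rule names and one severity level, must a finding match a selected rule name AND the severity, or either one? The earlier wording `in any combination to define a trigger` leaves this open, and the answer determines whether a trigger is broader or narrower than intended. Add one sentence stating the combination semantics, and say what an empty condition means (for example, whether leaving **Rule names** empty matches all rules of the detector).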
@@ -113,12 +122,14 @@ To set up an alert for a detector, continue with the following steps:
* Assign a level of severity for the alert to give the recipient an indication of its urgency.
- * Select a channel for the notification. Examples include Slack, Chime, or email. Select the **Manage channels** link to the right of the field to link the notification to a preferred channel.
- * Select the **Show notify message** label to expand message preferences. You can add a subject for the message and a note to inform recipients of the nature of the message.
+ * Select a channel for the notification from the **Select channel to notify** dropdown list. Examples include Slack, Chime, or email. To create a new channel, select the **Manage channels** link to the right of the field. The **Channels** page for Notifications opens in a new tab where you can edit and create new channels. For more information about notifications, see the [Notifications]({{site.url}}{{site.baseurl}}/observing-your-data/notifications/index/) documentation.
+ * Expand **Show notify message** to show message preferences. The message subject and message body are populated with details about the current alert configuration. You can edit these text fields to customize the message. Beneath the message body text box, you can select **Generate message** to populate more details in the message, such as rule names, rule severity levels, and rule tags.
+ * Select **Add another alert trigger** to configure an additional alert.
1. After configuring the conditions in the preceding fields, select **Next** in the lower-right corner of the screen. The **Review and create** page opens.
-After reviewing the specifications for the detector, choose **Create** in the lower-right corner of the screen to create the detector. The screen returns to the list of all detectors, and the new detector appears in the list.
+1. Review the specifications for the detector and select **Create detector** in the lower-right corner of the screen. The detector details for the new detector are displayed. When you navigate to the main **Threat detectors** page, the new detector appears in the list.
+
## What's next
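Review bot: `* Select **Add another alert trigger** to configure an additional alert.` is placed as the last bullet of the notification sub-list, but it applies to the whole trigger (name, rule matches, and notification), not to the message preferences; promote it to its own numbered step after the notification step and say whether each trigger is evaluated independently and sends its own notification. Also, since `Manage channels` opens the Notifications **Channels** page in a new tab, state whether the **Select channel to notify** list picks up a newly created channel automatically or the reader must refresh the detector page, so they do not complete the wizard with no channel selected.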
diff --git a/_security-analytics/usage/findings.md b/_security-analytics/usage/findings.md
index f014b171..6376c2d9 100644
--- a/_security-analytics/usage/findings.md
+++ b/_security-analytics/usage/findings.md
@@ -50,7 +50,7 @@ Use the **Rule severity** dropdown list to filter the list of findings by severi
The **Actions** column includes two options for each finding:
* The diagonal arrow provides a way to open the [**Finding details**](#finding-details) pane, which describes the finding according to parameters defined when creating the detector and includes the document that generated the finding.
* The bell icon allows you to open the **Create detector alert trigger** pane, where you can quickly set up an alert for the specific finding and modify rules and their conditions as required.
-For details on setting up an alert, see [Step 3. Set up alerts]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/detectors-config/#step-3-set-up-alerts) in detector creation documentation.
+For information about setting up alerts, see [Step 4. Set up alerts]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/detectors-config/#step-4-set-up-alerts) in the detector creation documentation.
### Finding details
diff --git a/images/Security/automatic-mappings.png b/images/Security/automatic-mappings.png
index f0699409..df5d6bec 100644
Binary files a/images/Security/automatic-mappings.png and b/images/Security/automatic-mappings.png differ
diff --git a/images/Security/detector-schedule.png b/images/Security/detector-schedule.png
new file mode 100644
index 00000000..26890f34
Binary files /dev/null and b/images/Security/detector-schedule.png differ
diff --git a/images/Security/detector_rules.png b/images/Security/detector_rules.png
index 823cae07..9f7fdd18 100644
Binary files a/images/Security/detector_rules.png and b/images/Security/detector_rules.png differ
diff --git a/images/Security/pending-mappings.png b/images/Security/pending-mappings.png
index 578d8a76..2ee43eaa 100644
Binary files a/images/Security/pending-mappings.png and b/images/Security/pending-mappings.png differ
diff --git a/images/Security/select_rules.png b/images/Security/select_rules.png
index a70f57af..f7f3b542 100644
Binary files a/images/Security/select_rules.png and b/images/Security/select_rules.png differ