Add documentation for Security Analytics plugin (#1824)
* fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * Delete admin-api.md * Delete api-index.md * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics 
Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics (#1901) Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#939-sec-analytics Signed-off-by: cwillum <cwmmoore@amazon.com> Signed-off-by: cwillum <cwmmoore@amazon.com> Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> Co-authored-by: Subhobrata Dey <sbcd90@gmail.com> Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
|
@ -40,6 +40,9 @@ collections:
|
|||
security-plugin:
|
||||
permalink: /:collection/:path/
|
||||
output: true
|
||||
security-analytics:
|
||||
permalink: /:collection/:path/
|
||||
output: true
|
||||
search-plugins:
|
||||
permalink: /:collection/:path/
|
||||
output: true
|
||||
|
@ -100,6 +103,9 @@ just_the_docs:
|
|||
security-plugin:
|
||||
name: Security plugin
|
||||
nav_fold: true
|
||||
security-analytics:
|
||||
name: Security analytics plugin
|
||||
nav_fold: true
|
||||
search-plugins:
|
||||
name: Search plugins
|
||||
nav_fold: true
|
||||
|
|
|
@ -253,7 +253,7 @@ The following plugins are bundled with all OpenSearch distributions except for m
|
|||
| Observability | [opensearch-observability](https://github.com/opensearch-project/observability) | 1.2.0 |
|
||||
| Performance Analyzer<sup>2</sup> | [opensearch-performance-analyzer](https://github.com/opensearch-project/performance-analyzer) | 1.0.0 |
|
||||
| Security | [opensearch-security](https://github.com/opensearch-project/security) | 1.0.0 |
|
||||
| Security Analytics | [security-analytics](https://github.com/opensearch-project/security-analytics) | 2.4.0 |
|
||||
| Security Analytics | [opensearch-security-analytics](https://github.com/opensearch-project/security-analytics) | 2.4.0 |
|
||||
| SQL | [opensearch-sql](https://github.com/opensearch-project/sql) | 1.0.0 |
|
||||
|
||||
_<sup>1</sup>Dashboard Notebooks was merged in to the Observability plugin with the release of OpenSearch 1.2.0._<br>
|
||||
|
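Review bot: the replaced table row changes the link text from `security-analytics` to `opensearch-security-analytics` while the link target stays `https://github.com/opensearch-project/security-analytics`; confirm the new text matches the name the plugin is installed under (the neighbouring rows use the `opensearch-` prefixed artifact name, so the change looks right, but it should match `bin/opensearch-plugin list` output), and check that the 2.4.0 entry follows the same convention as the other rows in this column (first OpenSearch version the plugin shipped in).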
@ -290,6 +290,7 @@ Members of the OpenSearch community have built countless plugins for the service
|
|||
## Related links
|
||||
|
||||
- [About Observability]({{site.url}}{{site.baseurl}}/observability-plugin/index/)
|
||||
- [About security analytics]({{site.url}}{{site.baseurl}}/security-analytics/index/)
|
||||
- [About the security plugin]({{site.url}}{{site.baseurl}}/security-plugin/index/)
|
||||
- [Alerting]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/index/)
|
||||
- [Anomaly detection]({{site.url}}{{site.baseurl}}/monitoring-plugins/ad/index/)
|
||||
|
@ -302,4 +303,4 @@ Members of the OpenSearch community have built countless plugins for the service
|
|||
- [Notifications]({{site.url}}{{site.baseurl}}/notifications-plugin/index/)
|
||||
- [OpenSearch Dashboards]({{site.url}}{{site.baseurl}}/dashboards/index/)
|
||||
- [Performance Analyzer]({{site.url}}{{site.baseurl}}/monitoring-plugins/pa/index/)
|
||||
- [SQL]({{site.url}}{{site.baseurl}}/search-plugins/sql/index/)
|
||||
- [SQL]({{site.url}}{{site.baseurl}}/search-plugins/sql/index/)
|
||||
|
|
|
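Review bot: the removed and added `- [SQL]({{site.url}}{{site.baseurl}}/search-plugins/sql/index/)` lines are textually identical, so this hunk is only a trailing-whitespace or end-of-file newline change; if it is the missing EOF newline that is fine to keep, but if it is stray trailing whitespace from the editor it should be dropped so the hunk does not show up as a content change in blame.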
@ -0,0 +1,204 @@
|
|||
---
|
||||
layout: default
|
||||
title: Alerts and findings APIs
|
||||
parent: API tools
|
||||
nav_order: 50
|
||||
---
|
||||
|
||||
|
||||
# Alerts and findings APIs
|
||||
|
||||
The following APIs can be used for tasks related to alerts and findings.
|
||||
|
||||
## Get Alerts
|
||||
|
||||
Provides an option for retrieving alerts related to a specific detector type or detector ID.
|
||||
|
||||
### Parameters
|
||||
|
||||
You can specify the following parameters when requesting an alert.
|
||||
|
||||
Parameter | Description
|
||||
:--- | :---
|
||||
`detectorId` | The ID of the detector used to fetch alerts. Optional when the `detectorType` is specified. Otherwise required.
|
||||
`detectorType` | The type of detector used to fetch alerts. Optional when the `detectorId` is specified. Otherwise required.
|
||||
`severityLevel` | Used to filter by alert severity level. Optional.
|
||||
`alertState` | Used to filter by alert state. Possible values: ACTIVE, ACKNOWLEDGED, COMPLETED, ERROR, DELETED. Optional.
|
||||
`sortString` | This field specifies which string Security Analytics uses to sort the alerts. Optional.
|
||||
`sortOrder` | The order used to sort the list of findings, either `ascending` or `descending`. Optional.
|
||||
`missing` | A list of fields for which there are no found alias mappings. Optional.
|
||||
`size` | An optional limit for the maximum number of results returned in the response. Optional.
|
||||
`startIndex` | The pagination indicator. Optional.
|
||||
`searchString` | The alert attribute you want returned in the search. Optional.
|
||||
|
||||
### Sample request
|
||||
|
||||
```json
|
||||
GET /_plugins/_security_analytics/alerts?detectorType=windows
|
||||
```
|
||||
|
||||
### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"alerts": [{
|
||||
"detector_id": "detector_12345",
|
||||
"id": "alert_id_1",
|
||||
"version": -3,
|
||||
"schema_version": 0,
|
||||
"trigger_id": "trigger_id_1",
|
||||
"trigger_name": "my_trigger",
|
||||
"finding_ids": ["finding_id_1"],
|
||||
"related_doc_ids": ["docId1"],
|
||||
"state": "ACTIVE",
|
||||
"error_message": null,
|
||||
"alert_history": [],
|
||||
"severity": null,
|
||||
"action_execution_results": [{
|
||||
"action_id": "action_id_1",
|
||||
"last_execution_time": 1665693544996,
|
||||
"throttled_count": 0
|
||||
}],
|
||||
"start_time": "2022-10-13T20:39:04.995023Z",
|
||||
"last_notification_time": "2022-10-13T20:39:04.995028Z",
|
||||
"end_time": "2022-10-13T20:39:04.995027Z",
|
||||
"acknowledged_time": "2022-10-13T20:39:04.995028Z"
|
||||
}],
|
||||
"total_alerts": 1,
|
||||
"detectorType": "windows"
|
||||
}
|
||||
```
|
||||
|
||||
#### Response fields
|
||||
|
||||
Alerts persist until you resolve the root cause and have the following states:
|
||||
|
||||
State | Description
|
||||
:--- | :---
|
||||
`ACTIVE` | The alert is ongoing and unacknowledged. Alerts remain in this state until you acknowledge them, delete the trigger associated with the alert, or delete the monitor entirely.
|
||||
`ACKNOWLEDGED` | Someone has acknowledged the alert but not fixed the root cause.
|
||||
`COMPLETED` | The alert is no longer ongoing. Alerts enter this state after the corresponding trigger evaluates to false.
|
||||
`ERROR` | An error occurred while executing the trigger. This error is usually the result of a bad trigger or destination.
|
||||
`DELETED` | Someone deleted the detector or trigger associated with this alert while the alert was ongoing.
|
||||
|
||||
---
|
||||
## Acknowledge Alerts
|
||||
|
||||
### Sample request
|
||||
|
||||
```json
|
||||
POST /_plugins/_security_analytics/<detector_id>/_acknowledge/alerts
|
||||
|
||||
{"alerts":["4dc7f5a9-2c82-4786-81ca-433a209d5205"]}
|
||||
```
|
||||
|
||||
### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"acknowledged": [
|
||||
{
|
||||
"detector_id": "8YT5fYQBZ8IUM4axics6",
|
||||
"id": "4dc7f5a9-2c82-4786-81ca-433a209d5205",
|
||||
"version": 1,
|
||||
"schema_version": 4,
|
||||
"trigger_id": "1TP5fYQBMkkIGY6Pg-q8",
|
||||
"trigger_name": "test-trigger",
|
||||
"finding_ids": [
|
||||
"2e167f4b-8063-40ef-80f8-2afd9bf095b8"
|
||||
],
|
||||
"related_doc_ids": [
|
||||
"1|windows"
|
||||
],
|
||||
"state": "ACTIVE",
|
||||
"error_message": null,
|
||||
"alert_history": [],
|
||||
"severity": "1",
|
||||
"action_execution_results": [
|
||||
{
|
||||
"action_id": "BopdoIJKXd",
|
||||
"last_execution_time": 1668560817925,
|
||||
"throttled_count": 0
|
||||
}
|
||||
],
|
||||
"start_time": "2022-11-16T01:06:57.748Z",
|
||||
"last_notification_time": "2022-11-16T01:06:57.748Z",
|
||||
"end_time": null,
|
||||
"acknowledged_time": null
|
||||
}
|
||||
],
|
||||
"failed": [],
|
||||
"missing": []
|
||||
}
|
||||
```
|
||||
|
||||
---
|
||||
## Get Findings
|
||||
|
||||
The Get findings API based on detector attributes.
|
||||
|
||||
### Sample request
|
||||
|
||||
```json
|
||||
GET /_plugins/_security_analytics/findings/_search?*detectorType*=
|
||||
{
|
||||
"total_findings":2,
|
||||
"findings":[
|
||||
{
|
||||
"detectorId":"12345",
|
||||
"id":"2b9663f4-ae77-4df8-b84f-688a0195723b",
|
||||
"related_doc_ids":[
|
||||
"5"
|
||||
],
|
||||
"index":"sbwhrzgdlg",
|
||||
"queries":[
|
||||
{
|
||||
"id":"f1bff160-587b-4500-b60c-ab22c7abc652",
|
||||
"name":"3",
|
||||
"query":"test_field:\"us-west-2\"",
|
||||
"tags":[
|
||||
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp":1664401088804,
|
||||
"document_list":[
|
||||
{
|
||||
"index":"sbwhrzgdlg",
|
||||
"id":"5",
|
||||
"found":true,
|
||||
"document":"{\n \"message\" : \"This is an error from IAD region\",\n \"test_strict_date_time\" : \"2022-09-28T21:38:02.888Z\",\n \"test_field\" : \"us-west-2\"\n }"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"detectorId":"12345",
|
||||
"id":"f43a2701-0ef5-4931-8254-bdf510f73952",
|
||||
"related_doc_ids":[
|
||||
"1"
|
||||
],
|
||||
"index":"sbwhrzgdlg",
|
||||
"queries":[
|
||||
{
|
||||
"id":"f1bff160-587b-4500-b60c-ab22c7abc652",
|
||||
"name":"3",
|
||||
"query":"test_field:\"us-west-2\"",
|
||||
"tags":[
|
||||
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp":1664401088746,
|
||||
"document_list":[
|
||||
{
|
||||
"index":"sbwhrzgdlg",
|
||||
"id":"1",
|
||||
"found":true,
|
||||
"document":"{\n \"message\" : \"This is an error from IAD region\",\n \"test_strict_date_time\" : \"2022-09-28T21:38:02.888Z\",\n \"test_field\" : \"us-west-2\"\n }"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
|
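Review bot: the Get Findings sample request `GET /_plugins/_security_analytics/findings/_search?*detectorType*=` has Markdown emphasis residue around the parameter name and an empty value, and the response JSON that follows is placed in the same fenced block as the request with no `### Sample response` heading; split it into a request block with the value that actually produced the two findings and a separate response block, and finish the sentence "The Get findings API based on detector attributes." which currently has no verb. Smaller points in the same file: in the Get Alerts parameter table `sortOrder` talks about "the list of findings" where alerts are meant, the Acknowledge Alerts section has no description at all (what `<detector_id>` refers to and what the `failed` and `missing` arrays in the response mean), and `"version": -3` in the Get Alerts sample response looks like a placeholder rather than real output.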
@ -0,0 +1,457 @@
|
|||
---
|
||||
layout: default
|
||||
title: Detector APIs
|
||||
parent: API tools
|
||||
nav_order: 35
|
||||
---
|
||||
|
||||
# Detector APIs
|
||||
|
||||
The following APIs can be used for a number of tasks related to detectors, from creating detectors to updating and searching for detectors.
|
||||
|
||||
## Create Detector
|
||||
|
||||
Creates a new detector.
|
||||
|
||||
```json
|
||||
POST _plugins/_security_analytics/detectors
|
||||
```
|
||||
|
||||
### Parameters
|
||||
|
||||
You can specify the following parameters when creating a detector.
|
||||
|
||||
Parameter | Type | Description
|
||||
:--- | :--- |:--- |:--- |
|
||||
`enabled` | Boolean | Enables the ability to add detectors through the API.
|
||||
`type` | String | The type is specified as "detector".
|
||||
`name` | String | Name of the detector.
|
||||
`detector_type` | Object | The log type that defines the detector.
|
||||
`schedule`| Object | the schedule that determines how often the detector runs.
|
||||
`schedule`<br> `period` | Object | the frequency at which the detector runs in repetition.
|
||||
`schedule`<br> `period`<br> `interval` | Integer | The duration of the period expressed as a number.
|
||||
`schedule`<br> `period`<br> `unit` | String | The unit of measure for the interval.
|
||||
`inputs` | Object | In process
|
||||
`inputs`<br> `detector_inputs` | Object | In process
|
||||
`inputs`<br> `detector_inputs`<br> `description` | String | In process
|
||||
`inputs`<br> `detector_inputs`<br> `custom_rules` | Object | In process
|
||||
`inputs`<br> `detector_inputs`<br> `custom_rules`<br> `id` | String | In process
|
||||
`inputs`<br> `detector_inputs`<br> `indices` | String | In process
|
||||
`inputs`<br> `detector_inputs`<br> `pre_packaged_rules` | Object | In process
|
||||
`inputs`<br> `detector_inputs`<br> `pre_packaged_rules`<br> `id` | String | In process
|
||||
`triggers` | Object | In process
|
||||
`triggers`<br> `ids` | String | In process
|
||||
`triggers`<br> `types` | String | In process
|
||||
`triggers`<br> `tags` | String | In process
|
||||
`triggers`<br> `id` | String | In process
|
||||
`triggers`<br> `sev_levels` | String | In process
|
||||
`triggers`<br> `name` | String | In process
|
||||
`triggers`<br> `severity` | Integer | In process
|
||||
`triggers`<br> `actions` | Integer | In process
|
||||
`triggers`<br> `actions`<br> `id` | Integer | In process
|
||||
`triggers`<br> `actions`<br> `destination_id` | Integer | In process
|
||||
`triggers`<br> `actions`<br> `subject_template` | Object | In process
|
||||
`triggers`<br> `actions`<br> `subject_template`<br> `source` | String | In process
|
||||
`triggers`<br> `actions`<br> `subject_template`<br> `lang` | String | In process
|
||||
`triggers`<br> `actions`<br> `name` | String | In process
|
||||
`triggers`<br> `actions`<br> `throttle_enabled` | Boolean | In process
|
||||
`triggers`<br> `actions`<br> `message_template` | String | In process
|
||||
`triggers`<br> `actions`<br> `message_template`<br> `source` | String | In process
|
||||
`triggers`<br> `actions`<br> `message_template`<br> `lang` | String | In process
|
||||
`triggers`<br> `actions`<br> `throttle` | Object | In process
|
||||
`triggers`<br> `actions`<br> `throttle`<br> `unit` | String | In process
|
||||
`triggers`<br> `actions`<br> `throttle`<br> `value` | Integer | In process
|
||||
|
||||
### Sample request
|
||||
|
||||
```json
|
||||
POST _plugins/_security_analytics/detectors
|
||||
{
|
||||
"enabled": true,
|
||||
"schedule": {
|
||||
"period": {
|
||||
"interval": 1,
|
||||
"unit": "MINUTES"
|
||||
}
|
||||
},
|
||||
"detector_type": "WINDOWS",
|
||||
"type": "detector",
|
||||
"inputs": [
|
||||
{
|
||||
"detector_input": {
|
||||
"description": "windows detector for security analytics",
|
||||
"custom_rules": [
|
||||
{
|
||||
"id": "bc2RB4QBrbtylUb_1Pbm"
|
||||
}
|
||||
],
|
||||
"indices": [
|
||||
"windows"
|
||||
],
|
||||
"pre_packaged_rules": [
|
||||
{
|
||||
"id": "06724a9a-52fc-11ed-bdc3-0242ac120002"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"triggers": [
|
||||
{
|
||||
"ids": [
|
||||
"06724a9a-52fc-11ed-bdc3-0242ac120002"
|
||||
],
|
||||
"types": [],
|
||||
"tags": [
|
||||
"attack.defense_evasion"
|
||||
],
|
||||
"severity": "1",
|
||||
"actions": [{
|
||||
"id": "hVTLkZYzlA",
|
||||
"destination_id": "6r8ZBoQBKW_6dKriacQb",
|
||||
"subject_template": {
|
||||
"source": "Trigger: {{ctx.trigger.name}}",
|
||||
"lang": "mustache"
|
||||
},
|
||||
"name": "hello_world",
|
||||
"throttle_enabled": false,
|
||||
"message_template": {
|
||||
"source": "Detector {{ctx.detector.name}} just entered alert status. Please investigate the issue." +
|
||||
"- Trigger: {{ctx.trigger.name}}" +
|
||||
"- Severity: {{ctx.trigger.severity}}",
|
||||
"lang": "mustache"
|
||||
},
|
||||
"throttle": {
|
||||
"unit": "MINUTES",
|
||||
"value": 108
|
||||
}
|
||||
}
|
||||
],
|
||||
"id": "8qhrBoQBYK1JzUUDzH-N",
|
||||
"sev_levels": [],
|
||||
"name": "test-trigger"
|
||||
}
|
||||
],
|
||||
"name": "nbReFCjlfn"
|
||||
}
|
||||
```
|
||||
|
||||
### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"_id": "dc2VB4QBrbtylUb_Hfa3",
|
||||
"_version": 1,
|
||||
"detector": {
|
||||
"name": "nbReFCjlfn",
|
||||
"detector_type": "windows",
|
||||
"enabled": true,
|
||||
"schedule": {
|
||||
"period": {
|
||||
"interval": 1,
|
||||
"unit": "MINUTES"
|
||||
}
|
||||
},
|
||||
"inputs": [
|
||||
{
|
||||
"detector_input": {
|
||||
"description": "windows detector for security analytics",
|
||||
"indices": [
|
||||
"windows"
|
||||
],
|
||||
"custom_rules": [
|
||||
{
|
||||
"id": "bc2RB4QBrbtylUb_1Pbm"
|
||||
}
|
||||
],
|
||||
"pre_packaged_rules": [
|
||||
{
|
||||
"id": "06724a9a-52fc-11ed-bdc3-0242ac120002"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"triggers": [
|
||||
{
|
||||
"id": "8qhrBoQBYK1JzUUDzH-N",
|
||||
"name": "test-trigger",
|
||||
"severity": "1",
|
||||
"types": [],
|
||||
"ids": [
|
||||
"06724a9a-52fc-11ed-bdc3-0242ac120002"
|
||||
],
|
||||
"sev_levels": [],
|
||||
"tags": [
|
||||
"attack.defense_evasion"
|
||||
],
|
||||
"actions": [
|
||||
{
|
||||
"id": "hVTLkZYzlA",
|
||||
"name": "hello_world",
|
||||
"destination_id": "6r8ZBoQBKW_6dKriacQb",
|
||||
"message_template": {
|
||||
"source": "Trigger: {{ctx.trigger.name}}",
|
||||
"lang": "mustache"
|
||||
},
|
||||
"throttle_enabled": false,
|
||||
"subject_template": {
|
||||
"source": "Detector {{ctx.detector.name}} just entered alert status. Please investigate the issue." +
|
||||
"- Trigger: {{ctx.trigger.name}}" +
|
||||
"- Severity: {{ctx.trigger.severity}}",
|
||||
"lang": "mustache"
|
||||
},
|
||||
"throttle": {
|
||||
"value": 108,
|
||||
"unit": "MINUTES"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"last_update_time": "2022-10-24T01:22:03.738379671Z",
|
||||
"enabled_time": "2022-10-24T01:22:03.738376103Z"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
---
|
||||
## Update Detector
|
||||
|
||||
The Update detector API is used for updating a detector.
|
||||
|
||||
```json
|
||||
PUT /_plugins/_security_analytics/detectors/<detector_Id>
|
||||
```
|
||||
|
||||
### Sample request
|
||||
|
||||
```json
|
||||
PUT /_plugins/_security_analytics/detectors/J1RX1IMByX0LvTiGTddR
|
||||
{
|
||||
"type": "detector",
|
||||
"detector_type": "windows",
|
||||
"name": "windows_detector",
|
||||
"enabled": true,
|
||||
"createdBy": "chip",
|
||||
"schedule": {
|
||||
"period": {
|
||||
"interval": 1,
|
||||
"unit": "MINUTES"
|
||||
}
|
||||
},
|
||||
"inputs": [
|
||||
{
|
||||
"input": {
|
||||
"description": "windows detector for security analytics",
|
||||
"indices": [
|
||||
"windows"
|
||||
],
|
||||
"rules": [
|
||||
{
|
||||
"id": "46"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"triggers": [
|
||||
{
|
||||
"sev_levels": [],
|
||||
"tags": [],
|
||||
"actions": [],
|
||||
"types": [
|
||||
"windows"
|
||||
],
|
||||
"name": "test-trigger",
|
||||
"id": "fyAy1IMBK2A1DZyOuW_b"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"_id": "J1RX1IMByX0LvTiGTddR",
|
||||
"_version": 1,
|
||||
"detector": {
|
||||
"name": "windows_detector",
|
||||
"detector_type": "windows",
|
||||
"enabled": true,
|
||||
"schedule": {
|
||||
"period": {
|
||||
"interval": 1,
|
||||
"unit": "MINUTES"
|
||||
}
|
||||
},
|
||||
"inputs": [
|
||||
{
|
||||
"detector_input": {
|
||||
"description": "windows detector for security analytics",
|
||||
"indices": [
|
||||
"windows"
|
||||
],
|
||||
"rules": [
|
||||
{
|
||||
"id": "LFRY1IMByX0LvTiGZtfh"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"triggers": [],
|
||||
"last_update_time": "2022-10-14T02:36:32.909581688Z",
|
||||
"enabled_time": "2022-10-14T02:33:34.197Z"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
---
|
||||
## Delete Detector
|
||||
|
||||
This API is used for deleting a detector.
|
||||
|
||||
### Sample request
|
||||
|
||||
```json
|
||||
DELETE /_plugins/_security_analytics/detectors/J1RX1IMByX0LvTiGTddR
|
||||
```
|
||||
|
||||
---
|
||||
## Get Detector
|
||||
|
||||
The Get detector API retrieves the detector details.
|
||||
|
||||
### Sample request
|
||||
|
||||
```json
|
||||
GET /_plugins/_security_analytics/detectors/MFRg1IMByX0LvTiGHtcN
|
||||
```
|
||||
|
||||
### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"_id": "MFRg1IMByX0LvTiGHtcN",
|
||||
"_version": 1,
|
||||
"detector": {
|
||||
"name": "windows_detector",
|
||||
"detector_type": "windows",
|
||||
"enabled": true,
|
||||
"schedule": {
|
||||
"period": {
|
||||
"interval": 1,
|
||||
"unit": "MINUTES"
|
||||
}
|
||||
},
|
||||
"inputs": [
|
||||
{
|
||||
"detector_input": {
|
||||
"description": "windows detector for security analytics",
|
||||
"indices": [
|
||||
"windows"
|
||||
],
|
||||
"rules": []
|
||||
}
|
||||
}
|
||||
],
|
||||
"last_update_time": "2022-10-14T02:43:11.693Z",
|
||||
"enabled_time": "2022-10-14T02:43:11.693Z"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
---
|
||||
## Search Detector
|
||||
|
||||
The Search detector API searches for detector matches by detector ID.
|
||||
|
||||
### Sample request
|
||||
|
||||
```json
|
||||
POST /_plugins/_security_analytics/detectors/_search
|
||||
|
||||
Body:
|
||||
{
|
||||
"query": {
|
||||
"match": {
|
||||
"_id": "MFRg1IMByX0LvTiGHtcN"
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"took": 2,
|
||||
"timed_out": false,
|
||||
"_shards": {
|
||||
"total": 1,
|
||||
"successful": 1,
|
||||
"skipped": 0,
|
||||
"failed": 0
|
||||
},
|
||||
"hits": {
|
||||
"total": {
|
||||
"value": 1,
|
||||
"relation": "eq"
|
||||
},
|
||||
"max_score": 1.0,
|
||||
"hits": [
|
||||
{
|
||||
"_index": ".opensearch-detectors-config",
|
||||
"_id": "MFRg1IMByX0LvTiGHtcN",
|
||||
"_version": 1,
|
||||
"_seq_no": 6,
|
||||
"_primary_term": 1,
|
||||
"_score": 1.0,
|
||||
"_source": {
|
||||
"type": "detector",
|
||||
"name": "windows_detector",
|
||||
"detector_type": "WINDOWS",
|
||||
"enabled": true,
|
||||
"enabled_time": 1665715391693,
|
||||
"schedule": {
|
||||
"period": {
|
||||
"interval": 1,
|
||||
"unit": "MINUTES"
|
||||
}
|
||||
},
|
||||
"inputs": [
|
||||
{
|
||||
"detector_input": {
|
||||
"description": "windows detector for security analytics",
|
||||
"indices": [
|
||||
"windows"
|
||||
],
|
||||
"rules": []
|
||||
}
|
||||
}
|
||||
],
|
||||
"triggers": [
|
||||
{
|
||||
"id": "fyAy1IMBK2A1DZyOuW_b",
|
||||
"name": "test-trigger",
|
||||
"types": [
|
||||
"windows"
|
||||
],
|
||||
"sev_levels": [],
|
||||
"tags": [],
|
||||
"actions": []
|
||||
}
|
||||
],
|
||||
"last_update_time": 1665715391693,
|
||||
"monitor_id": [
|
||||
"LlRf1IMByX0LvTiGzdeX"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
```
|
||||
|
|
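Review bot: the Create Detector sample request is not valid JSON: `message_template.source` is built from three string literals joined with `+` (the same construct appears in the sample response under `subject_template`), so a reader cannot paste it into a request; use one string with `\n` separators. The Parameters table needs a pass as well: the separator row `:--- | :--- |:--- |:--- |` declares four columns for a three-column table, about thirty rows still read "In process", `enabled` is described as enabling the API rather than the detector, `detector_type` is typed Object but the sample passes the string `"WINDOWS"`, the sample key is `detector_input` (singular) while the table lists `detector_inputs`, and `actions` is an array of objects, not Integer. Finally, the Update Detector sample request uses `input`, `rules` and `createdBy` where the create request and both responses use `detector_input`, `custom_rules` and `pre_packaged_rules`, so one of the two request shapes is wrong and should be verified against the plugin.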
@ -0,0 +1,21 @@
|
|||
---
|
||||
layout: default
|
||||
title: API tools
|
||||
nav_order: 30
|
||||
has_children: true
|
||||
has_toc: false
|
||||
redirect_from:
|
||||
- /security-analytics/api-tools/
|
||||
---
|
||||
|
||||
# API tools
|
||||
|
||||
Security Analytics includes a number of APIs to help administrators maintain and update an implementation. The APIs often mimic the same controls available for setting up Security Analytics in OpenSearch Dashboards, and they provide another option for administering the plugin.
|
||||
|
||||
The APIs for Security Analytics are separated into the following categories:
|
||||
|
||||
* [Detector APIs]({{site.url}}{{site.baseurl}}/security-analytics/api-tools/detector-api/)
|
||||
* [Rules APIs]({{site.url}}{{site.baseurl}}/security-analytics/api-tools/rule-api/)
|
||||
* [Mappings APIs]({{site.url}}{{site.baseurl}}/security-analytics/api-tools/mappings-api/)
|
||||
* [Alerts and findings APIs]({{site.url}}{{site.baseurl}}/security-analytics/api-tools/alert-finding-api/)
|
||||
|
|
@ -0,0 +1,149 @@
|
|||
---
|
||||
layout: default
|
||||
title: Mappings APIs
|
||||
parent: API tools
|
||||
nav_order: 45
|
||||
---
|
||||
|
||||
# Mappings APIs
|
||||
|
||||
The following APIs can be used for a number of tasks related to mappings, from creating to getting and updating mappings.
|
||||
|
||||
## Get Mappings View
|
||||
|
||||
### Sample request
|
||||
|
||||
```json
|
||||
GET /_plugins/_security_analytics/mappings/view
|
||||
|
||||
{
|
||||
"index_name": "windows",
|
||||
"rule_topic": "windows"
|
||||
}
|
||||
```
|
||||
|
||||
### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"properties": {
|
||||
"windows-event_data-CommandLine": {
|
||||
"path": "CommandLine",
|
||||
"type": "alias"
|
||||
},
|
||||
"event_uid": {
|
||||
"path": "EventID",
|
||||
"type": "alias"
|
||||
}
|
||||
},
|
||||
"unmapped_index_fields": [
|
||||
"windows-event_data-CommandLine",
|
||||
"unmapped_HiveName",
|
||||
"src_ip",
|
||||
"sha1",
|
||||
"processPath",
|
||||
"CallerProcessName",
|
||||
"CallTrace",
|
||||
"AuthenticationPackageName",
|
||||
"AuditSourceName",
|
||||
"AuditPolicyChanges",
|
||||
"AttributeValue",
|
||||
"AttributeLDAPDisplayName",
|
||||
"ApplicationPath",
|
||||
"Application",
|
||||
"AllowedToDelegateTo",
|
||||
"Address",
|
||||
"Action",
|
||||
"AccountType",
|
||||
"AccountName",
|
||||
"Accesses",
|
||||
"AccessMask",
|
||||
"AccessList"
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
---
|
||||
## Create Mappings
|
||||
|
||||
### Sample request
|
||||
|
||||
```json
|
||||
POST /_plugins/_security_analytics/mappings
|
||||
|
||||
{
|
||||
"index_name": "windows",
|
||||
"rule_topic": "windows",
|
||||
"partial": true,
|
||||
"alias_mappings": {
|
||||
"properties": {
|
||||
"event_uid": {
|
||||
"type": "alias",
|
||||
"path": "EventID"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"acknowledged": true
|
||||
}
|
||||
```
|
||||
|
||||
---
|
||||
## Get Mappings
|
||||
|
||||
### Sample request
|
||||
|
||||
```json
|
||||
GET /_plugins/_security_analytics/mappings
|
||||
```
|
||||
|
||||
### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"windows": {
|
||||
"mappings": {
|
||||
"properties": {
|
||||
"windows-event_data-CommandLine": {
|
||||
"type": "alias",
|
||||
"path": "CommandLine"
|
||||
},
|
||||
"event_uid": {
|
||||
"type": "alias",
|
||||
"path": "EventID"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
---
|
||||
## Update Mappings
|
||||
|
||||
### Sample request
|
||||
|
||||
```json
|
||||
PUT /_plugins/_security_analytics/mappings
|
||||
|
||||
{
|
||||
"index_name": "windows",
|
||||
"field": "CommandLine",
|
||||
"alias": "windows-event_data-CommandLine"
|
||||
}
|
||||
```
|
||||
|
||||
### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"acknowledged": true
|
||||
}
|
||||
```
|
||||
|
|
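Review bot: none of the four sections says what the endpoint does or lists its parameters, and the request shapes are inconsistent: Get Mappings View and Create Mappings carry `index_name` and `rule_topic` in a GET or POST body, while Get Mappings (`GET /_plugins/_security_analytics/mappings`) shows no index selector at all even though the response is keyed by the `windows` index; document the required `index_name` parameter for each call (query string or body), explain `partial: true` in the Create Mappings request, and note that the Get Mappings View sample response lists `windows-event_data-CommandLine` both as a mapped alias under `properties` and under `unmapped_index_fields`, which reads like a stale sample.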
@ -0,0 +1,501 @@
|
|||
---
|
||||
layout: default
|
||||
title: Rule APIs
|
||||
parent: API tools
|
||||
nav_order: 40
|
||||
---
|
||||
|
||||
# Rule APIs
|
||||
|
||||
The following APIs can be used for a number of tasks related to rules, from searching for pre-packaged rules to creating and updating custom rules.
|
||||
|
||||
## Create Custom Rule
|
||||
|
||||
The Create custom rule API uses Sigma security rule formatting to create a custom rule. For information on how to write a rule in Sigma format, see information provided at [Sigma's GitHub repository](https://github.com/SigmaHQ/sigma).
|
||||
|
||||
```json
|
||||
POST /_plugins/_security_analytics/rules?category=windows
|
||||
```
|
||||
|
||||
### Sample request
|
||||
|
||||
```yml
|
||||
Header:
|
||||
Content-Type: application/json
|
||||
|
||||
Body:
|
||||
|
||||
title: Moriya Rootkit
|
||||
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
|
||||
description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
|
||||
status: experimental
|
||||
author: Bhabesh Raj
|
||||
date: 2021/05/06
|
||||
modified: 2021/11/30
|
||||
references:
|
||||
- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
|
||||
tags:
|
||||
- attack.persistence
|
||||
- attack.privilege_escalation
|
||||
- attack.t1543.003
|
||||
logsource:
|
||||
product: windows
|
||||
service: system
|
||||
detection:
|
||||
selection:
|
||||
Provider_Name: 'Service Control Manager'
|
||||
EventID: 7045
|
||||
ServiceName: ZzNetSvc
|
||||
condition: selection
|
||||
level: critical
|
||||
falsepositives:
|
||||
- Unknown
|
||||
```
|
||||
|
||||
### Sample response
|
||||
|
||||
**Sample 1:**
|
||||
|
||||
```json
|
||||
{
|
||||
"_id": "M1Rm1IMByX0LvTiGvde2",
|
||||
"_version": 1,
|
||||
"rule": {
|
||||
"category": "windows",
|
||||
"title": "Moriya Rootkit",
|
||||
"log_source": "",
|
||||
"description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report",
|
||||
"tags": [
|
||||
{
|
||||
"value": "attack.persistence"
|
||||
},
|
||||
{
|
||||
"value": "attack.privilege_escalation"
|
||||
},
|
||||
{
|
||||
"value": "attack.t1543.003"
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"value": "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831"
|
||||
}
|
||||
],
|
||||
"level": "critical",
|
||||
"false_positives": [
|
||||
{
|
||||
"value": "Unknown"
|
||||
}
|
||||
],
|
||||
"author": "Bhabesh Raj",
|
||||
"status": "experimental",
|
||||
"last_update_time": "2021-05-06T00:00:00.000Z",
|
||||
"rule": "title: Moriya Rootkit\nid: 25b9c01c-350d-4b95-bed1-836d04a4f324\ndescription: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report\nstatus: experimental\nauthor: Bhabesh Raj\ndate: 2021/05/06\nmodified: 2021/11/30\nreferences:\n - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1543.003\nlogsource:\n product: windows\n service: system\ndetection:\n selection:\n Provider_Name: 'Service Control Manager'\n EventID: 7045\n ServiceName: ZzNetSvc\n condition: selection\nlevel: critical\nfalsepositives:\n - Unknown"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
**Sample 2:**
|
||||
|
||||
```json
|
||||
{
|
||||
"error": {
|
||||
"root_cause": [
|
||||
{
|
||||
"type": "security_analytics_exception",
|
||||
"reason": "{\"error\":\"Sigma rule must have a log source\",\"error\":\"Sigma rule must have a detection definitions\"}"
|
||||
}
|
||||
],
|
||||
"type": "security_analytics_exception",
|
||||
"reason": "{\"error\":\"Sigma rule must have a log source\",\"error\":\"Sigma rule must have a detection definitions\"}",
|
||||
"caused_by": {
|
||||
"type": "exception",
|
||||
"reason": "java.util.Arrays$ArrayList: {\"error\":\"Sigma rule must have a log source\",\"error\":\"Sigma rule must have a detection definitions\"}"
|
||||
}
|
||||
},
|
||||
"status": 400
|
||||
}
|
||||
```
|
||||
|
||||
---
|
||||
## Update Custom Rule (not forced)
|
||||
|
||||
### Sample request
|
||||
|
||||
```json
|
||||
PUT /_plugins/_security_analytics/rules/ZaFv1IMBdLpXWBiBa1XI?category=windows
|
||||
|
||||
Content-Type: application/json
|
||||
|
||||
Body:
|
||||
|
||||
title: Moriya Rooskit
|
||||
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
|
||||
description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
|
||||
status: experimental
|
||||
author: Bhabesh Raj
|
||||
date: 2021/05/06
|
||||
modified: 2021/11/30
|
||||
references:
|
||||
- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
|
||||
tags:
|
||||
- attack.persistence
|
||||
- attack.privilege_escalation
|
||||
- attack.t1543.003
|
||||
logsource:
|
||||
product: windows
|
||||
service: system
|
||||
detection:
|
||||
selection:
|
||||
Provider_Name: 'Service Control Manager'
|
||||
EventID: 7045
|
||||
ServiceName: ZzNetSvc
|
||||
condition: selection
|
||||
level: critical
|
||||
falsepositives:
|
||||
- Unknown
|
||||
```
|
||||
|
||||
### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"error": {
|
||||
"root_cause": [
|
||||
{
|
||||
"type": "security_analytics_exception",
|
||||
"reason": "Rule with id ZaFv1IMBdLpXWBiBa1XI is actively used by detectors. Update can be forced by setting forced flag to true"
|
||||
}
|
||||
],
|
||||
"type": "security_analytics_exception",
|
||||
"reason": "Rule with id ZaFv1IMBdLpXWBiBa1XI is actively used by detectors. Update can be forced by setting forced flag to true",
|
||||
"caused_by": {
|
||||
"type": "exception",
|
||||
"reason": "org.opensearch.OpenSearchStatusException: Rule with id ZaFv1IMBdLpXWBiBa1XI is actively used by detectors. Update can be forced by setting forced flag to true"
|
||||
}
|
||||
},
|
||||
"status": 500
|
||||
}
|
||||
```
|
||||
|
||||
---
|
||||
## Update Custom Rule (forced)
|
||||
|
||||
### Sample request
|
||||
|
||||
```json
|
||||
PUT /_plugins/_security_analytics/rules/ZaFv1IMBdLpXWBiBa1XI?category=windows&forced=true
|
||||
|
||||
Content-Type: application/json
|
||||
|
||||
Body:
|
||||
|
||||
title: Moriya Rooskit
|
||||
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
|
||||
description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
|
||||
status: experimental
|
||||
author: Bhabesh Raj
|
||||
date: 2021/05/06
|
||||
modified: 2021/11/30
|
||||
references:
|
||||
- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
|
||||
tags:
|
||||
- attack.persistence
|
||||
- attack.privilege_escalation
|
||||
- attack.t1543.003
|
||||
logsource:
|
||||
product: windows
|
||||
service: system
|
||||
detection:
|
||||
selection:
|
||||
Provider_Name: 'Service Control Manager'
|
||||
EventID: 7045
|
||||
ServiceName: ZzNetSvc
|
||||
condition: selection
|
||||
level: critical
|
||||
falsepositives:
|
||||
- Unknown
|
||||
```
|
||||
|
||||
### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"_id": "ZaFv1IMBdLpXWBiBa1XI",
|
||||
"_version": 1,
|
||||
"rule": {
|
||||
"category": "windows",
|
||||
"title": "Moriya Rooskit",
|
||||
"log_source": "",
|
||||
"description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report",
|
||||
"tags": [
|
||||
{
|
||||
"value": "attack.persistence"
|
||||
},
|
||||
{
|
||||
"value": "attack.privilege_escalation"
|
||||
},
|
||||
{
|
||||
"value": "attack.t1543.003"
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"value": "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831"
|
||||
}
|
||||
],
|
||||
"level": "critical",
|
||||
"false_positives": [
|
||||
{
|
||||
"value": "Unknown"
|
||||
}
|
||||
],
|
||||
"author": "Bhabesh Raj",
|
||||
"status": "experimental",
|
||||
"last_update_time": "2021-05-06T00:00:00.000Z",
|
||||
"rule": "title: Moriya Rooskit\nid: 25b9c01c-350d-4b95-bed1-836d04a4f324\ndescription: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report\nstatus: experimental\nauthor: Bhabesh Raj\ndate: 2021/05/06\nmodified: 2021/11/30\nreferences:\n - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1543.003\nlogsource:\n product: windows\n service: system\ndetection:\n selection:\n Provider_Name: 'Service Control Manager'\n EventID: 7045\n ServiceName: ZzNetSvc\n condition: selection\nlevel: critical\nfalsepositives:\n - Unknown"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
---
|
||||
## Search Pre-Packaged Rules
|
||||
|
||||
### Sample request
|
||||
|
||||
```json
|
||||
POST /_plugins/_security_analytics/rules/_search?pre_packaged=true
|
||||
|
||||
{
|
||||
"from": 0,
|
||||
"size": 20,
|
||||
"query": {
|
||||
"nested": {
|
||||
"path": "rule",
|
||||
"query": {
|
||||
"bool": {
|
||||
"must": [
|
||||
{ "match": { "rule.category": "windows" } }
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"took": 3,
|
||||
"timed_out": false,
|
||||
"_shards": {
|
||||
"total": 1,
|
||||
"successful": 1,
|
||||
"skipped": 0,
|
||||
"failed": 0
|
||||
},
|
||||
"hits": {
|
||||
"total": {
|
||||
"value": 1580,
|
||||
"relation": "eq"
|
||||
},
|
||||
"max_score": 0.25863406,
|
||||
"hits": [
|
||||
{
|
||||
"_index": ".opensearch-pre-packaged-rules-config",
|
||||
"_id": "6KFv1IMBdLpXWBiBelZg",
|
||||
"_version": 1,
|
||||
"_seq_no": 386,
|
||||
"_primary_term": 1,
|
||||
"_score": 0.25863406,
|
||||
"_source": {
|
||||
"category": "windows",
|
||||
"title": "Change Outlook Security Setting in Registry",
|
||||
"log_source": "registry_set",
|
||||
"description": "Change outlook email security settings",
|
||||
"references": [
|
||||
{
|
||||
"value": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"
|
||||
},
|
||||
{
|
||||
"value": "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings"
|
||||
}
|
||||
],
|
||||
"tags": [
|
||||
{
|
||||
"value": "attack.persistence"
|
||||
},
|
||||
{
|
||||
"value": "attack.t1137"
|
||||
}
|
||||
],
|
||||
"level": "medium",
|
||||
"false_positives": [
|
||||
{
|
||||
"value": "Administrative scripts"
|
||||
}
|
||||
],
|
||||
"author": "frack113",
|
||||
"status": "experimental",
|
||||
"last_update_time": "2021-12-28T00:00:00.000Z",
|
||||
"queries": [
|
||||
{
|
||||
"value": "((TargetObject: *\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*) AND (TargetObject: *\\\\Outlook\\\\Security\\\\*)) AND (EventType: \"SetValue\")"
|
||||
}
|
||||
],
|
||||
"rule": "title: Change Outlook Security Setting in Registry\nid: c3cefdf4-6703-4e1c-bad8-bf422fc5015a\ndescription: Change outlook email security settings\nauthor: frack113\ndate: 2021/12/28\nmodified: 2022/03/26\nstatus: experimental\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md\n - https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings\nlogsource:\n category: registry_set\n product: windows\ndetection:\n selection:\n TargetObject|contains|all:\n - '\\SOFTWARE\\Microsoft\\Office\\'\n - '\\Outlook\\Security\\'\n EventType: SetValue\n condition: selection\nfalsepositives:\n - Administrative scripts\nlevel: medium\ntags:\n - attack.persistence\n - attack.t1137\n"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
---
|
||||
## Search Custom Rules
|
||||
|
||||
### Sample request
|
||||
|
||||
```json
|
||||
POST /_plugins/_security_analytics/rules/_search?pre_packaged=false
|
||||
|
||||
Body:
|
||||
|
||||
{
|
||||
"from": 0,
|
||||
"size": 20,
|
||||
"query": {
|
||||
"nested": {
|
||||
"path": "rule",
|
||||
"query": {
|
||||
"bool": {
|
||||
"must": [
|
||||
{ "match": { "rule.category": "windows" } }
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"took": 1,
|
||||
"timed_out": false,
|
||||
"_shards": {
|
||||
"total": 1,
|
||||
"successful": 1,
|
||||
"skipped": 0,
|
||||
"failed": 0
|
||||
},
|
||||
"hits": {
|
||||
"total": {
|
||||
"value": 1,
|
||||
"relation": "eq"
|
||||
},
|
||||
"max_score": 0.2876821,
|
||||
"hits": [
|
||||
{
|
||||
"_index": ".opensearch-custom-rules-config",
|
||||
"_id": "ZaFv1IMBdLpXWBiBa1XI",
|
||||
"_version": 2,
|
||||
"_seq_no": 1,
|
||||
"_primary_term": 1,
|
||||
"_score": 0.2876821,
|
||||
"_source": {
|
||||
"category": "windows",
|
||||
"title": "Moriya Rooskit",
|
||||
"log_source": "",
|
||||
"description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report",
|
||||
"references": [
|
||||
{
|
||||
"value": "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831"
|
||||
}
|
||||
],
|
||||
"tags": [
|
||||
{
|
||||
"value": "attack.persistence"
|
||||
},
|
||||
{
|
||||
"value": "attack.privilege_escalation"
|
||||
},
|
||||
{
|
||||
"value": "attack.t1543.003"
|
||||
}
|
||||
],
|
||||
"level": "critical",
|
||||
"false_positives": [
|
||||
{
|
||||
"value": "Unknown"
|
||||
}
|
||||
],
|
||||
"author": "Bhabesh Raj",
|
||||
"status": "experimental",
|
||||
"last_update_time": "2021-05-06T00:00:00.000Z",
|
||||
"queries": [
|
||||
{
|
||||
"value": "(Provider_Name: \"Service_ws_Control_ws_Manager\") AND (event_uid: 7045) AND (ServiceName: \"ZzNetSvc\")"
|
||||
}
|
||||
],
|
||||
"rule": "title: Moriya Rooskit\nid: 25b9c01c-350d-4b95-bed1-836d04a4f324\ndescription: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report\nstatus: experimental\nauthor: Bhabesh Raj\ndate: 2021/05/06\nmodified: 2021/11/30\nreferences:\n - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831\ntags:\n - attack.persistence\n - attack.privilege_escalation\n - attack.t1543.003\nlogsource:\n product: windows\n service: system\ndetection:\n selection:\n Provider_Name: 'Service Control Manager'\n EventID: 7045\n ServiceName: ZzNetSvc\n condition: selection\nlevel: critical\nfalsepositives:\n - Unknown"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
---
|
||||
## Delete Custom Rule (not forced)
|
||||
|
||||
### Sample request
|
||||
|
||||
```json
|
||||
DELETE /_plugins/_security_analytics/rules/ZaFv1IMBdLpXWBiBa1XI
|
||||
```
|
||||
|
||||
### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"error": {
|
||||
"root_cause": [
|
||||
{
|
||||
"type": "security_analytics_exception",
|
||||
"reason": "Rule with id ZaFv1IMBdLpXWBiBa1XI is actively used by detectors. Deletion can be forced by setting forced flag to true"
|
||||
}
|
||||
],
|
||||
"type": "security_analytics_exception",
|
||||
"reason": "Rule with id ZaFv1IMBdLpXWBiBa1XI is actively used by detectors. Deletion can be forced by setting forced flag to true",
|
||||
"caused_by": {
|
||||
"type": "exception",
|
||||
"reason": "org.opensearch.OpenSearchStatusException: Rule with id ZaFv1IMBdLpXWBiBa1XI is actively used by detectors. Deletion can be forced by setting forced flag to true"
|
||||
}
|
||||
},
|
||||
"status": 500
|
||||
}
|
||||
```
|
||||
|
||||
---
|
||||
## Delete Custom Rule (forced)
|
||||
|
||||
### Sample request
|
||||
|
||||
```json
|
||||
DELETE /_plugins/_security_analytics/rules/ZaFv1IMBdLpXWBiBa1XI?forced=true
|
||||
```
|
||||
|
||||
### Sample response
|
||||
|
||||
```json
|
||||
{
|
||||
"_id": "ZaFv1IMBdLpXWBiBa1XI",
|
||||
"_version": 1
|
||||
}
|
||||
```
|
||||
|
|
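Review bot: both Update Custom Rule request bodies (not forced and forced) carry `title: Moriya Rooskit`, while the `id` in the same body and the `"rule"` text returned earlier on this page refer to the Moriya Rootkit; the misspelling then propagates into the forced-update response and the Search Custom Rules response (`"title": "Moriya Rooskit"`). Please correct the title to `Moriya Rootkit` in both request bodies and regenerate the two responses. Two smaller points: the forced-update response reports `"_version": 1` for rule `ZaFv1IMBdLpXWBiBa1XI` although the document is being overwritten, and the Search Custom Rules response shows the same rule at `"_version": 2`, so one of the two samples looks stale; and the Search Pre-Packaged Rules request omits the `Body:` label that every other request in this file places before its body. The update requests also declare `Content-Type: application/json` while the body is the Sigma rule in YAML; if the endpoint expects the raw YAML text, a sentence above the sample saying so would stop readers from wrapping it in a JSON object.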
@ -0,0 +1,68 @@
|
|||
---
|
||||
layout: default
|
||||
title: About Security Analytics
|
||||
nav_order: 1
|
||||
has_children: false
|
||||
has_toc: false
|
||||
redirect_from:
|
||||
- /security-analytics/
|
||||
---
|
||||
|
||||
|
||||
# About Security Analytics
|
||||
|
||||
Security Analytics is an experimental plugin for OpenSearch 2.4. Therefore, we do not recommend the use of Security Analytics in a production environment at this time. For updates on the progress of Security Analytics or for information on how to make contributions, visit the [Security Analytics repository](https://github.com/opensearch-project/security-analytics) on GitHub. If you would like to leave feedback that could help improve Security Analytics, join the discussion on the [OpenSearch forum](https://forum.opensearch.org/t/feedback-experimental-feature-security-analytics/11418).
|
||||
{: .warning }
|
||||
|
||||
Security Analytics is a security information and event management (SIEM) solution for OpenSearch, designed to investigate, detect, analyze, and respond to security threats that can jeopardize the success of businesses and organizations and their online operations. These threats include the potential exposure of confidential data, cyber attacks, and other adverse security events. Security Analytics provides an out-of-the-box solution that installs automatically with any OpenSearch distribution. It includes the tools and features necessary for defining detection parameters, generating alerts, and responding effectively to potential threats.
|
||||
|
||||
### Resources and information
|
||||
|
||||
As part of the OpenSearch Project, Security Analytics exists in the open source community and benefits from the feedback and contributions of that community. To learn more about proposals for its development, options for making contributions, and general information on the platform, see the [Security Analytics repository](https://github.com/opensearch-project/security-analytics) at GitHub.
|
||||
|
||||
## Components and concepts
|
||||
|
||||
Security Analytics includes a number of tools and features elemental to its operation. The major components that compose the plugin are summarized in the following sections.
|
||||
|
||||
### Detectors
|
||||
|
||||
Detectors are core components that are configured to identify a range of cybersecurity threats corresponding to an ever-growing knowldege base of adversary tactics and techniques maintained by the [MITRE ATT&CK](https://attack.mitre.org/) organization. Detectors use log data to evaluate events occuring in the system. They then apply a set of security rules specified for the detector and determine findings from these events.
|
||||
|
||||
For information on configuring detectors, see [Creating detectors]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/detectors-config/).
|
||||
|
||||
### Log types
|
||||
|
||||
Log types provide the data used to evaluate events occuring in a system. OpenSearch supports several types of logs and provides out-of-the-box mappings for the most common log sources. Currently supported log sources include:
|
||||
* Netflow
|
||||
* DNS logs
|
||||
* Apache access logs
|
||||
* Windows logs
|
||||
* AD/LDAP
|
||||
* System logs
|
||||
* AWS CloudTrail logs
|
||||
* Amazon S3 access logs
|
||||
|
||||
Log types are specified during the creation of detectors, including steps for mapping log fields to the detector. Security Analytics also automatically selects an appropriate set of rules based on a specific log type and populates them for the detector.
|
||||
|
||||
### Rules
|
||||
|
||||
Rules, or threat detection rules, define the conditional logic applied to ingested log data that allows the system to identify an event of interest. Security Analytics uses pre-packaged, open source [Sigma rules](https://github.com/SigmaHQ/sigma) as a starting point for describing relevant log events. But with their inherently flexible format and easy portability, Sigma rules provide users of Security Analytics with options for importing and customizing the rules. You can take advantage of these options using either Dashboards or the API.
|
||||
|
||||
For information on configuring rules, see [Working with rules]({{site.url}}{{site.baseurl}}/security-analytics/usage/rules/).
|
||||
|
||||
### Findings
|
||||
|
||||
Findings are generated every time a detector matches a rule with a log event. Findings do not necessarily point to imminent threats within the system, but they always isolate an event of interest. Because they represent the result of a specific definition for a detector, findings include a unique combination of select rules, a log type, and a rule severity. As such, you can search for specific findings in the Findings window, and you can filter findings in the list based on severity and log type.
|
||||
|
||||
To learn more about findings, see [Working with findings]({{site.url}}{{site.baseurl}}/security-analytics/usage/findings/).
|
||||
|
||||
### Alerts
|
||||
|
||||
When defining a detector, you can specify certain conditions that will trigger an alert. When an event triggers an alert, the system sends a notification to a channel—such as Chime, Slack, email, etc.—that you specify during configuration of the alert. The alert can be triggered when the detector matches one or multiple rules. Further conditions can be set by rule severity and tags. You can also create a notification message with a customzied subject line and message body.
|
||||
|
||||
For information on setting up alerts, see [Step 3. Set up alerts]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/detectors-config/#step-3-set-up-alerts) in detector creation documentation. For information on managing alerts on the Alerts window, see [Working with alerts]({{site.url}}{{site.baseurl}}/security-analytics/usage/alerts/).
|
||||
|
||||
## First steps
|
||||
|
||||
To get started with Security Analytics you need to define detectors, ingest log data, generate findings, and configure alerts. See [Setting up Security Analytics]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/index/) to begin configuring the platform to meet your objectives.
|
||||
|
|
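Review bot: spelling in the body text: `knowldege base` should be `knowledge base` and `occuring` should be `occurring` in the Detectors section, `occuring` appears again in the Log types section, and `customzied subject line` should be `customized subject line` in the Alerts section. Also, the Log types section says "OpenSearch supports several types of logs and provides out-of-the-box mappings", whereas the rest of the page attributes the log types and mappings to Security Analytics; if the mappings ship with the plugin, name the plugin here so readers do not look for them in core OpenSearch. Minor: "a channel—such as Chime, Slack, email, etc.—" doubles up "such as" and "etc."; drop one.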
@ -0,0 +1,75 @@
|
|||
---
|
||||
layout: default
|
||||
title: Creating detectors
|
||||
parent: Setting up Security Analytics
|
||||
nav_order: 15
|
||||
---
|
||||
|
||||
# Creating detectors
|
||||
|
||||
Security Analytics provides the options and functionality to monitor and respond to a wide range of security threats. Detectors are the essential components that determine what to look for and how to respond to those threats. This section covers their creation and configuration.
|
||||
|
||||
## Step 1. Define the detector
|
||||
|
||||
Defining a new detector involves naming the detector, selecting a data source and detector type, and specifying a detector schedule. You can also create alerts for the detector at this stage, although there are options to create alerts in other areas of the interface. Follow the steps in this section to define a new detector.
|
||||
|
||||
1. On the Detectors page, select the **Create detector** button. The Define detector page opens.
|
||||
1. Give the detector a name and, as an option, add a description for the detector.
|
||||
1. In the Data source section, select the dropdown arrow and select a source for the log data.
|
||||
1. In the threat detection type section, select the data type. The Sigma security rules associated with the log data are automatically populated in the Detection rules section below it.
|
||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/detector_rules.png" alt="Selecting threat detector type to auto-populate rules">
|
||||
|
||||
You can skip the next step for mapping rules if you are satisfied with those automatically populated by the system. Otherwise, go to the next step to specify select rules.
|
||||
{: .note }
|
||||
|
||||
1. In the **Detection rules** section, specify only those rules you want mapped to the detector.
|
||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/select_rules.png" alt="Select or deselect rules that detector will use for findings">
|
||||
* Use the toggle to the left of the rule name to select or deselect rules.
|
||||
* Use the **Log type**, **Rule severity**, and **Source** dropdown menus to filter the rules you want to select from.
|
||||
* Use the **Search** bar to search for specific rules.
|
||||
|
||||
To quickly select one or more known rules and dismiss others, first deselect all rules by moving the **rule name** toggle to the left, then search for your target rule names and select each individually by moving its toggle to the right.
|
||||
{: .tip }
|
||||
|
||||
1. In the **Detector schedule** section, set how often the detector will run. Specify a unit of time and a corresponding number to set the interval.
|
||||
1. Select the **Next** button in the lower-right corner of the screen to continue. The Configure field mapping page appears.
|
||||
|
||||
## Step 2. Make field mappings
|
||||
|
||||
Field mapping matches field names for the rule with field names from the log being used to provide data. The mappings are automatically applied once the detector is defined in previous steps. This page offers the user the option to map log-specific field names to the internal rule field names.
|
||||
|
||||
For example, if you prefer to have the log field name UserID rather than EventID correspond to the event_uid rule field name, you can use the **Log field name** dropdown menu to select **UserID**.
|
||||
|
||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/field_map.png" alt="Rule and log field mapping example">
|
||||
|
||||
To make any changes to the automatically populated mappings, use the dropdown arrows across from the rule field names to specify a preferred log field name for the mapping. After completing the mappings, select the **Next** button in the lower-right corner of the screen. The Set up alerts page appears and displays settings for an alert trigger.
|
||||
|
||||
## Step 3. Set up alerts
|
||||
|
||||
At this stage, setting up alerts is optional for creating a new detector. Alerts can be configured at any time, including from the Findings window. This section describes the process for defining the alert conditions during creation of a detector. To see how to initiate creation of alerts from the Findings window, see [The findings list]({{site.url}}{{site.baseurl}}/security-analytics/usage/findings/#the-findings-list).
|
||||
|
||||
To skip directly to generating findings from the detector, select the **Remove alert trigger** button and then the **Next** button in the lower-right corner of the screen. Review the detector's definition and then select the **Create** button in the lower-right corner of the screen. The detector is created.
|
||||
{: .tip }
|
||||
|
||||
To set up an alert for the detector at this stage of detector creation, continue with the following steps:
|
||||
|
||||
1. In the **Trigger name** box, enter a name for the trigger.
|
||||
1. To define rule matches for the alert, select security rules, severity levels, and tags.
|
||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/alert_rules.png" alt="Rules used to define an alert">
|
||||
* Select one rule or multiple rules that will trigger the alert. Put the cursor in the **Rule names** box and type a name to search for it. To remove a rule name, select the **X** beside the name. To remove all rule names, select the **X** beside the dropdown menu's down arrow.
|
||||
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/rule_name_delete.png" alt="Deletes all selected rules">
|
||||
* Select one or more rule severities as conditions for the alert.
|
||||
* Select from a list of tags to include as conditions for the alert.
|
||||
1. To define a notification for the alert, assign an alert severity, select a channel for the notification, and customize a message generated for the alert.
|
||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/alert_notify.png" alt="Notification settings for the alert">
|
||||
* Assign a level of severity for the alert to give the recipient an indication of its urgency.
|
||||
* Select a channel for the notification. Examples include Slack, Chime, or email. Select the **Manage channels** link to the right of the field to link the notification to a preferred channel.
|
||||
* Select the **Show notify message** label to expand message preferences. You can add a subject for the message and a note to inform recipients of the nature of the message.
|
||||
1. After configuring the conditions in the fields above, select the **Next** button in the lower-right corner of the screen. The Review and create page opens.
|
||||
|
||||
After reviewing the specifications for the detector, select the **Create** button in the lower-right corner of the screen to create the detector. The screen returns to the list of all detectors, and the new detector appears in the list.
|
||||
|
||||
## What's next
|
||||
|
||||
If you are ready to view findings for the new detector, see the [Working with findings]({{site.url}}{{site.baseurl}}/security-analytics/usage/findings/) section. If you would like to import rules or set up custom rules before working with findings, see the [Working with rules]({{site.url}}{{site.baseurl}}/security-analytics/usage/rules/) section.
|
||||
|
|
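Review bot: the field-mapping example in Step 2 ("if you prefer to have the log field name UserID rather than EventID correspond to the event_uid rule field name") would map a user identifier onto the rule field that carries the Windows event ID; the custom-rule search response earlier in this change shows the Moriya rule compiled to `(event_uid: 7045)`, so a detector mapped that way would compare user IDs against event ID 7045 and never match. Please use an example where the two names are genuine aliases for the same data (a log field that holds the event ID under a different name). Separately, Step 1 item 4 reads "In the threat detection type section, select the data type" while the section it refers to is the threat detection type selector and the value chosen is the log type; the wording and bold formatting should match the other steps (`**Data source**`, `**Detection rules**`, `**Detector schedule**`).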
@ -0,0 +1,24 @@
|
|||
---
|
||||
layout: default
|
||||
title: Setting up Security Analytics
|
||||
nav_order: 10
|
||||
has_children: true
|
||||
has_toc: false
|
||||
redirect_from:
|
||||
- /security-analytics/sec-analytics-config/
|
||||
---
|
||||
|
||||
# Setting up Security Analytics
|
||||
|
||||
Before Security Analytics can begin generating findings and sending alerts, administrators must create detectors and make log data available to the system. Once detectors are able to generate findings, you can fine-tune your alerts to focus on specific areas of interest. The following steps outline the basic workflow for setting up components in Security Analytics.
|
||||
|
||||
1. Create security detectors and alerts, and ingest log data. See [Creating detectors]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/detectors-config/) for details.
|
||||
1. Inspect findings generated from detector output and create any additional alerts.
|
||||
1. If desired, create custom rules by duplicating and then modifying pre-packaged rules. See [Creating a rule by duplication]({{site.url}}{{site.baseurl}}/security-analytics/usage/rules/#creating-a-rule-by-duplication) for details.
|
||||
|
||||
## Navigate to Security Analytics
|
||||
|
||||
1. To get started, select the top menu on the Dashboards home page and then select **Security Analytics**. The Overview page for Security Analytics is displayed.
|
||||
1. From the options on the left side of the page, select **Detectors** to begin creating a detector.
|
||||
|
||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/secanalytics-det-nav.png" alt="Navigating to create a detector page">
|
|
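Review bot: the workflow list folds "ingest log data" into step 1 together with creating detectors and alerts, but defining a detector (Step 1 of Creating detectors, in this same change) requires selecting an existing data source from a dropdown, so the log index must exist before the detector can be created. Consider making ingestion its own first step, or rewording step 1 so the required order is clear.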
@ -0,0 +1,42 @@
|
|||
---
|
||||
layout: default
|
||||
title: Working with alerts
|
||||
parent: Using Security Analytics
|
||||
nav_order: 45
|
||||
---
|
||||
|
||||
# Working with alerts
|
||||
|
||||
The Alerts window includes features for viewing and working with alerts. The two main features are:
|
||||
* The bar graph with alert information arranged by count, date, and alert status or alert severity.
|
||||
* The Alerts list arranged by time of the alert, the alert's trigger name, which detector triggered it, and other details.
|
||||
|
||||
You can select the **Refresh** button at any time to refresh information on the Alerts page.
|
||||
|
||||
## The Alerts graph
|
||||
|
||||
The Alerts graph can display alerts by their status or severity. Use the **Group by** dropdown menu to specify either Alert status or Alert severity.
|
||||
|
||||
To specify the date range you would like the graph to display, first select the calendar dropdown arrow. The date selector window opens.
|
||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/find-date-pick.png" alt="Date selector for findings graph">
|
||||
|
||||
You can use the **Quick select** settings to specify an exact window of time.
|
||||
* Select either **Last** or **Next** in the first dropdown menu to set the window of time behind the current setting or ahead of the current setting.
|
||||
* Select a number in the second dropdown menu to define a value for the range.
|
||||
* Select a unit of time in the third dropdown menu. Available options are seconds, minutes, hours, days, weeks, months, and years.
|
||||
Select the **Apply** button to apply the range of dates to the graph. Information on the graph changes accordingly.
|
||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/quickset.png" alt="Quick select settings example">
|
||||
<br>You can use the left and right arrows to move the window of time behind the current range of dates or ahead of the current range of dates. When you use these arrows, the start date and end date appear in the date range field. You can then select each one to set an absolute, relative, or current date and time. For absolute and relative changes, select the **Update** button to apply the changes.
|
||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/date-pick.png" alt="Altering date range">
|
||||
|
||||
As an alternative, you can select an option in the **Commonly used** section (see the preceding image of the calendar dropdown menu) to conveniently set a window of time. Options include date ranges such as **Today**, **Yesterday**, **this week**, and **week to date**.
|
||||
|
||||
When one of the commonly used windows of time is selected, you can select the **Show dates** label in the date range field to populate the range of dates. Following that, you can select either the start date or end date to specify by an absolute, relative, or current date and time setting. For absolute and relative changes, select the **Update** button to apply the changes.
|
||||
|
||||
As one more alternative, you can select an option from the **Recently used date ranges** section to go back to a previous setting.
|
||||
|
||||
## The Alerts list
|
||||
|
||||
The Alerts list displays all findings according to the time when the alert was triggered, the alert's trigger name, the detector that triggered the alert, the alert status, and alert severity.
|
||||
Use the **Alert severity** dropdown menu to filter the list of alerts by severity. Use the **Status** dropdown menu to filter the list by alert status.
|
||||
|
|
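Review bot: in The Alerts list section, "The Alerts list displays all findings according to the time when the alert was triggered" should read "all alerts"; the sentence looks carried over from the findings page, as does the image alt text `alt="Date selector for findings graph"` in The Alerts graph section. Minor: in the Commonly used sentence, `**this week**` and `**week to date**` are lowercase while `**Today**` and `**Yesterday**` are capitalized; match the labels as the UI shows them.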
@ -0,0 +1,45 @@
|
|||
---
layout: default
title: Working with detectors
parent: Using Security Analytics
nav_order: 30
---

# Working with detectors

After creating a detector, it appears on the Threat detectors page along with others saved to the system. You can then perform a number of actions for each detector, from editing its details to changing its status. See the following sections for description of the available actions.
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/threat-detector.png" alt="Threat detector page" width="600">

## Threat detector list

The list of threat detectors includes the search bar, the **Status** dropdown menu, and the **Log type** dropdown menu.
* Use the search bar to filter by detector name.
* Select the **Status** dropdown menu to filter detectors in the list by Active and Inactive status.
* Select the **Log type** dropdown menu to filter detectors by any log type that appears in the list (the options depend on the detectors present in the list and their log types).

### Editing a detector

To edit a detector, begin by selecting the link to the detector in the Detector name column of the list. The detector's details window opens and shows details about the detector's configuration.
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/detector-details.png" alt="Detector details window for editig the detector" width="500">
* In the upper-left portion of the window, the details window shows the name of the detector and its status, either Active or Inactive.
* In the upper-right corner of the window, you can select **View alerts** to go to the Alerts window or **View findings** to go to the Findings window. You can also select **Actions** to perform actions for the detector. See [Detector actions]({{site.url}}{{site.baseurl}}/security-analytics/usage/detectors/#detector-actions).
* In the lower portion of the window, select the **Edit** button for either Detector details or Detection rules to make changes accordingly.
* Finally, you can select the **Field mappings** tab to edit field mappings for the detector, or select the **Alert triggers** tab to make edits to alerts associated with the detector.
<img src="{{site.url}}{{site.baseurl}}/images/Security/detector-details2.png" alt="Field mappings and Alert triggers tabs" width="400">

## Detector actions

Threat detector actions allow you to stop and start detectors or delete a detector. To enable actions, first select the checkbox beside one or more detectors in the list.
<img src="{{site.url}}{{site.baseurl}}/images/Security/detector-action.png" alt="Threat detector actions" width="500">

### Changing detector status

1. Select the detector or detectors in the list whose status you would like to change. The **Actions** dropdown menu becomes enabled.
1. Depending on whether the detector is currently active or inactive, select either **Stop detector** or **Start detector**. After a moment, the change in status of the detector appears in the detector list as either Inactive or Active.

### Deleting a detector

1. Select the detector or detectors in the list that you would like to delete. The **Actions** dropdown menu becomes enabled.
1. Select **Delete** in the dropdown menu. The Delete detector popup window opens and asks you to verify that you want to delete the detector or detectors.
1. Select **Cancel** to decline the action. Select **Delete detector** to delete the detector or detectors permanently from the list.
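Review bot: typo in the alt text of the detector-details image under Editing a detector: `alt="Detector details window for editig the detector"` should read "editing". In the opening paragraph, "See the following sections for description of the available actions" reads better as "for a description of". The `<br>` before `<img>` is used for the first two images but not for the detector-details2 and detector-action images; apply it consistently or drop it.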
@ -0,0 +1,48 @@
---
layout: default
title: Working with findings
parent: Using Security Analytics
nav_order: 35
---

# Working with findings

The Findings window includes features for viewing and working with findings. The two main features are:
* The bar graph with findings information arranged by count, date, and log type or rule severity.
* The Findings list arranged by time, finding ID, rule name, and other details.

You can select the **Refresh** button at any time to refresh information on the Findings page.

## The Findings graph

The findings graph can display findings by log type or rule severity. Use the **Group by** dropdown menu to specify either log type or rule severity.

To specify the date range you would like the graph to display, first select the calendar dropdown menu. The date selector window opens.
<img src="{{site.url}}{{site.baseurl}}/images/Security/find-date-pick.png" alt="Date selector for findings graph">

You can use the **Quick select** settings to specify an exact window of time.
* Select either **Last** or **Next** in the first dropdown menu to set the window of time behind the current setting or ahead of the current setting.
* Select a number in the second dropdown menu to define a value for the range.
* Select a unit of time in the third dropdown menu. Available options are seconds, minutes, hours, days, weeks, months, and years.
Select the **Apply** button to apply the range of dates to the graph. Information on the graph changes accordingly.
<img src="{{site.url}}{{site.baseurl}}/images/Security/quickset.png" alt="Quick select settings example">
<br>You can use the left and right arrows to move the window of time behind the current range of dates or ahead of the current range of dates. When you use these arrows, the start date and end date appear in the date range field. You can then select each one to set an absolute, relative, or current date and time. For absolute and relative changes, select the **Update** button to apply the changes.
<img src="{{site.url}}{{site.baseurl}}/images/Security/date-pick.png" alt="Altering date range">

As an alternative, you can select an option in the **Commonly used** section (see the preceding image of the calendar dropdown menu) to conveniently set a window of time. Options include date ranges such as **Today**, **Yesterday**, **this week**, and **week to date**.

When one of the commonly used windows of time is selected, you can select the **Show dates** label in the date range field to populate the range of dates. Following that, you can select either the start date or end date to specify by an absolute, relative, or current date and time setting. For absolute and relative changes, select the **Update** button to apply the changes.

As one more alternative, you can select an option from the **Recently used date ranges** section to go back to a previous setting.

## The Findings list

The Findings list displays all findings according to time of the finding, the finding ID, the rule name that generated the finding, the detector that captured the finding, and other details.
<img src="{{site.url}}{{site.baseurl}}/images/Security/finding-list.png" alt="A list of all findings">
Use the **Rule severity** dropdown menu to filter the list of findings by severity. Use the **log type** dropdown menu to filter the list by log type.
Each finding in the list includes a finding ID. You can select the ID to open the Finding details pane, which describes the finding by parameters defined when creating the detector.
The Actions column includes two options for each finding:
* The diagonal arrow provides another way to open the Findings detail pane.
* The bell icon allows you to open the Create detector alert trigger pane, where you can quickly set up an alert for the specific finding and modify rules and their conditions as required.
For details on setting up an alert, see [Set up alerts]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/detectors-config/#step-3-set-up-alerts) in detector creation documentation.
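Review bot: the pane is named inconsistently in The Findings list section: the paragraph on finding IDs calls it the "Finding details pane" while the first Actions bullet says "Findings detail pane"; use one name. The filter paragraph writes the menu as **log type** while the detectors page and the Group by description use **Log type**; match the UI label. The closing sentence is missing an article: "in the detector creation documentation".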
@ -0,0 +1,20 @@
---
layout: default
title: Using Security Analytics
nav_order: 20
has_children: true
has_toc: false
redirect_from:
- /security-analytics/usage/
---

# Using Security Analytics

After creating detectors and generating findings, functionality within the several Security Analytics windows offers visualizations and tools to help you investigate and manage findings, create focused alerts and notifications, import or customize rules, and edit detectors, among other tasks. This section discusses available features, their uses, and general navigation while working in the various windows. You can use the links below to go directly to information on a specific window.

* [The Overview page]({{site.url}}{{site.baseurl}}/security-analytics/usage/overview/)
* [Working with detectors]({{site.url}}{{site.baseurl}}/security-analytics/usage/detectors/)
* [Working with findings]({{site.url}}{{site.baseurl}}/security-analytics/usage/findings/)
* [Working with rules]({{site.url}}{{site.baseurl}}/security-analytics/usage/rules/)
* [Working with alerts]({{site.url}}{{site.baseurl}}/security-analytics/usage/alerts/)
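Review bot: the opening sentence of the intro paragraph is hard to parse ("functionality within the several Security Analytics windows offers visualizations and tools"); suggest "the Security Analytics windows offer visualizations and tools". "You can use the links below" would read better as "the following links", since the list is part of the same page.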
@ -0,0 +1,46 @@
---
layout: default
title: The Overview page
parent: Using Security Analytics
nav_order: 25
---

# The Overview page

When you select **Security Analytics** from the top menu, the Overview page is displayed. The Overview page consists of five sections:
* Findings and alert count
* Top recent alerts
* Top recent findings
* Most frequent detection rules
* Detectors

Each section provides a summary description for each element of Security Analytics, along with controls that let you take action for each item.

## Overview and getting started

The upper-right corner of the Overview page contains two control buttons for refreshing information and getting started with Security Analytics. You can select the **Refresh** button to refresh all of the information on the page. You can also select the **Getting started** link to expand the Get started with Security Analytics window, which inludes a summary of the steps for set up as well as control buttons that allow you to jump to any of the steps.
<img src="{{site.url}}{{site.baseurl}}/images/Security/get-started.png" alt="The getting started quick launch window">
* In step 1 of setup, select **Create detector** to define a detector.
* In step 2, select **View findings** to go to the Findings page. For more on findings, see [Working with findings]({{site.url}}{{site.baseurl}}/security-analytics/usage/findings/)
* In step 3, select **Manage rules** to go to the Rules page. For more on rules, see [Working with rules]({{site.url}}{{site.baseurl}}/security-analytics/usage/rules/)

## Findings and alert count

The Findings and alert count section provides a graph showing data on the latest findings. Use the **Group by** dropdown menu to select between all findings and findings by log type.

## Top recent alerts

Top recent alerts displays recent alerts by time, trigger name, and alert severity. Select **View alerts** to go to the Alerts page.

## Top recent findings

Top recent findings displays recent findings by time, rule name, rule severity, and detector. Select **View all findings** to go to the Findings page.

## Most frequent detection rules

This section provides a graphical representation of detection rules that trigger findings most often and how they compare to others as a percentage of the whole. Rules are also listed to the right side of the graph.

## Detectors

Detectors displays a list of available detectors by detector name, status (active/inactive), and log type. Select **View all detectors** to go to the Detectors page. Select **Create detector** to go directly to the Define detector page.
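Review bot: typo in the Overview and getting started paragraph: "inludes" should be "includes", and "the steps for set up" should be "the steps for setup" (noun), matching "step 1 of setup" in the bullet that follows. The step 2 and step 3 bullets end on a link with no terminating period, unlike step 1; add the periods.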
@ -0,0 +1,79 @@
---
layout: default
title: Working with rules
parent: Using Security Analytics
nav_order: 40
---

# Working with rules

The Rules window lists all security rules and provides options for filtering the list and viewing details for each rule. Further options let you import rules and create new rules by first duplicating a Sigma rule then modifying it. This section covers navigation of the Rules page and description of the actions you can perform.
<img src="{{site.url}}{{site.baseurl}}/images/Security/Rules.png" alt="The Rules page">

## Viewing and filtering rules

When you open the Rules page, all rules are listed in the table. Use the search bar to search for specific rules by entering a full or partial name and pressing **Return/Enter** on your keyboard. The list is filtered and displays matching results.

Alternatively, you can use the **Rule type**, **Rule severity**, and **Source** dropdown menus to drill down in the list of alerts and filter for preferred results. You can use all three menus in combination to narrow results. Select only one option per menu.
<img src="{{site.url}}{{site.baseurl}}/images/Security/rule-menu.png" alt="Rule menus for filtering results">

To see rule details, select the rule in the Rule name column of the list. The rule details pane opens.

## Importing rules

At this time, Security Analytics supports the import of Sigma rules in YAML format. The following sample file shows the basic formatting of a rule in YAML.

```yml
title: RDP Sensitive Settings Changed
logsource:
product: windows
service: system
description: 'Detects changes to RDP terminal service sensitive settings'
detection:
selection_reg:
EventType: SetValue
TargetObject|contains:
- \services\TermService\Parameters\ServiceDll
- \Control\Terminal Server\fSingleSessionPerUser
- \Control\Terminal Server\fDenyTSConnections
- \Policies\Microsoft\Windows NT\Terminal Services\Shadow
- \Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
condition: selection_reg
level: high
tags:
- attack.defense_evasion
- attack.t1112
references:
- https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html
- https://knowledge.insourcess.com/Supporting_Technologies/Wonderware/Tech_Notes/TN_WW213_How_to_shadow_an_established_RDP_Session_on_Windows_10_Pro
- https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03
- http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/
falsepositives:
- Unknown
author:
- Samir Bousseaden
- David ANDRE
status: experimental
```

1. To begin, select the **Import rule** button in the upper-right corner of the page. The Import rule page opens.
1. Either drag a YAML-formatted Sigma rule into the window or browse for the file by selecting the link and opening it. The Import a rule window opens and the rule definition fields are automatically populated.
1. Verify or modify the information in the fields.
1. After you confirm the information for the rule is accurate, select the **Create** button in the lower-right corner of the window. A new rule is created, and it appears in the list of rules on the main page of the Rules window.

## Customizing rules

An alternative to importing a rule is duplicating a Sigma rule and then modifying it to create a custom rule. First search for or filter rules in the Rules list to locate the rule you want to duplicate.
<img src="{{site.url}}{{site.baseurl}}/images/Security/rules-dup1.png" alt="Selecting a rule in the Rules name list">

1. To begin, select the rule in the Rule name column. The rule details pane opens.
<img src="{{site.url}}{{site.baseurl}}/images/Security/rule-dup2.png" alt="Opening the rule details pane" width="400">
1. Select the **Duplicate** button in the upper-right corner of the pane. The Duplicate rule window opens and all of the fields are automatically populated with the rule's details.
<img src="{{site.url}}{{site.baseurl}}/images/Security/rule-dup3.png" alt="Selecting the duplicate button" width="400">
1. Modify any of the fields to customize the rule.
1. After performing any modifications to the rule, select the **Create** button in the lower-right corner of the window. A new and customized rule is created, and it appears in the list of rules on the main page of the Rules window.
<img src="{{site.url}}{{site.baseurl}}/images/Security/custom-rule.png" alt="The custom rule now appears in the list of rules.">

You cannot modify the Sigma rule itself. The original Sigma rule always remains in the system. Its duplicate, after modification, becomes the custom rule that is added to the list of rules.
{: .note }
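Review bot: wrong noun in the filtering paragraph under Viewing and filtering rules: the dropdown menus "drill down in the list of alerts", but this page is about the Rules list, so it should be "the list of rules". In the YAML sample under Importing rules, as rendered here, the keys nested under `logsource:`, `detection:`, and `selection_reg:` (`product`, `service`, `EventType`, `TargetObject|contains`) sit at the same indentation as their parent keys; a Sigma rule needs them indented or the file does not parse as nested mappings and the import will fail, so please confirm the committed file keeps the indentation. The import steps also name the same screen two ways ("The Import rule page opens" in step 1, "The Import a rule window opens" in step 2); use the UI's title in both.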