Security Analytics—additional updates following 2.5 release (#2515)
* fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com> * Update _security-analytics/sec-analytics-config/detectors-config.md Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Update _security-analytics/sec-analytics-config/detectors-config.md Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com> --------- Signed-off-by: cwillum <cwmmoore@amazon.com> Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
This commit is contained in:
parent
7992ec0196
commit
8b8d9685d7
|
@ -45,7 +45,7 @@ Log types are specified during the creation of detectors, including steps for ma
|
||||||
|
|
||||||
### Rules
|
### Rules
|
||||||
|
|
||||||
Rules, or threat detection rules, define the conditional logic applied to ingested log data that allows the system to identify an event of interest. Security Analytics uses pre-packaged, open source [Sigma rules](https://github.com/SigmaHQ/sigma) as a starting point for describing relevant log events. But with their inherently flexible format and easy portability, Sigma rules provide users of Security Analytics with options for importing and customizing the rules. You can take advantage of these options using either Dashboards or the API.
|
Rules, or threat detection rules, define the conditional logic applied to ingested log data that allows the system to identify an event of interest. Security Analytics uses prepackaged, open source [Sigma rules](https://github.com/SigmaHQ/sigma) as a starting point for describing relevant log events. But with their inherently flexible format and easy portability, Sigma rules provide users of Security Analytics with options for importing and customizing the rules. You can take advantage of these options using either Dashboards or the API.
|
||||||
|
|
||||||
For information on configuring rules, see [Working with rules]({{site.url}}{{site.baseurl}}/security-analytics/usage/rules/).
|
For information on configuring rules, see [Working with rules]({{site.url}}{{site.baseurl}}/security-analytics/usage/rules/).
|
||||||
|
|
||||||
|
|
|
@ -9,30 +9,30 @@ nav_order: 15
|
||||||
|
|
||||||
Security Analytics provides the options and functionality to monitor and respond to a wide range of security threats. Detectors are the essential components that determine what to look for and how to respond to those threats. This section covers their creation and configuration.
|
Security Analytics provides the options and functionality to monitor and respond to a wide range of security threats. Detectors are the essential components that determine what to look for and how to respond to those threats. This section covers their creation and configuration.
|
||||||
|
|
||||||
## Step 1. Define the detector
|
## Step 1. Define a detector
|
||||||
|
|
||||||
Defining a new detector involves naming the detector, selecting a data source and detector type, and specifying a detector schedule. You can also create alerts for the detector at this stage, although there are options to create alerts in other areas of the interface. Follow the steps in this section to define a new detector.
|
You can define a new detector by naming the detector, selecting a data source and detector type, and specifying a detector schedule. After defining a detector, you can also configure field mappings and set up alerts. Follow the steps in this section to accomplish all three of these setup tasks.
|
||||||
|
|
||||||
1. On the Detectors page, select the **Create detector** button. The Define detector page opens.
|
1. On the Detectors page, select the **Create detector** button. The Define detector page opens.
|
||||||
1. Give the detector a name and, as an option, add a description for the detector.
|
1. Give the detector a name and, as an option, add a description for the detector.
|
||||||
1. In the Data source section, select the dropdown arrow and select a source for the log data.
|
1. In the Data source section, select the dropdown arrow and select a source for the log data.
|
||||||
1. In the threat detection type section, select the data type. The Sigma security rules associated with the log data are automatically populated in the Detection rules section below it.
|
1. In the threat detection type section, select the data type. The Sigma security rules associated with the log data are automatically populated in the Detection rules section below it.
|
||||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/detector_rules.png" alt="Selecting threat detector type to auto-populate rules">
|
<img src="{{site.url}}{{site.baseurl}}/images/Security/detector_rules.png" alt="Selecting threat detector type to auto-populate rules" width="80%">
|
||||||
|
|
||||||
You can skip the next step for mapping rules if you are satisfied with those automatically populated by the system. Otherwise, go to the next step to specify select rules.
|
You can skip the next step for mapping rules if you are satisfied with those automatically populated by the system. Otherwise, go to the next step to specify select rules.
|
||||||
{: .note }
|
{: .note }
|
||||||
|
|
||||||
1. In the **Detection rules** section, specify only those rules you want mapped to the detector.
|
1. In the **Detection rules** section, specify only those rules you want mapped to the detector.
|
||||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/select_rules.png" alt="Select or deselect rules that detector will use for findings">
|
<img src="{{site.url}}{{site.baseurl}}/images/Security/select_rules.png" alt="Select or deselect rules that detector will use for findings" width="85%">
|
||||||
* Use the toggle to the left of the rule name to select or deselect rules.
|
* Use the toggle to the left of the rule name to select or deselect rules.
|
||||||
* Use the **Log type**, **Rule severity**, and **Source** dropdown menus to filter the rules you want to select from.
|
* Use the **Log type**, **Rule severity**, and **Source** dropdown lists to filter the rules you want to select from.
|
||||||
* Use the **Search** bar to search for specific rules.
|
* Use the **Search** bar to search for specific rules.
|
||||||
|
|
||||||
To quickly select one or more known rules and dismiss others, first deselect all rules by moving the **Rule name** toggle to the left, then search for your target rule names and select each individually by moving its toggle to the right.
|
To quickly select one or more known rules and dismiss others, first deselect all rules by moving the **Rule name** toggle to the left, then search for your target rule names and select each individually by moving its toggle to the right.
|
||||||
{: .tip }
|
{: .tip }
|
||||||
|
|
||||||
1. In the **Detector schedule** section, set how often the detector will run. Specify a unit of time and a corresponding number to set the interval.
|
1. In the **Detector schedule** section, set how often the detector will run. Specify a unit of time and a corresponding number to set the interval.
|
||||||
1. Select the **Next** button in the lower-right corner of the screen to continue. The Configure field mapping page appears.
|
1. Select the **Next** button in the lower-right corner of the screen to continue. The **Configure field mapping** page appears.
|
||||||
|
|
||||||
## Step 2. Create field mappings
|
## Step 2. Create field mappings
|
||||||
|
|
||||||
|
@ -40,6 +40,8 @@ The field mapping step matches field names from the rule with field names from t
|
||||||
|
|
||||||
The data source (log index), log type, and detection rules specified in the first step determine which fields are available for mapping. For example, when "Windows logs" is selected as the log type, this parameter, along with the specific detection rules, determines the list of rule field names available for the mapping. Similarly, the selected data source (log index) determines the list of log field names that are available for the mapping.
|
The data source (log index), log type, and detection rules specified in the first step determine which fields are available for mapping. For example, when "Windows logs" is selected as the log type, this parameter, along with the specific detection rules, determines the list of rule field names available for the mapping. Similarly, the selected data source (log index) determines the list of log field names that are available for the mapping.
|
||||||
|
|
||||||
|
Because the system uses prepackaged Sigma rules for detector creation, it can automatically map important fields for a specific log type with the corresponding fields in the Sigma rules. The field mapping step presents a view of automatically mapped fields while also providing the option to customize, change, or add new field mappings. When a detector includes custom rules, you can follow this step to manually map rule field names to log field names.
|
||||||
|
|
||||||
#### A note on field names
|
#### A note on field names
|
||||||
|
|
||||||
The field mapping process requires that you are familiar with the field names in the log index and have an understanding of the data contained in those fields. If you have an understanding of the log fields in the index, the mapping is typically a straightforward process.
|
The field mapping process requires that you are familiar with the field names in the log index and have an understanding of the data contained in those fields. If you have an understanding of the log fields in the index, the mapping is typically a straightforward process.
|
||||||
|
@ -48,9 +50,16 @@ Security Analytics takes advantage of prepackaged Sigma rules for security event
|
||||||
|
|
||||||
Although the ECS rule field names are largely self-explanatory, you can find predefined mappings of the Sigma rule field names with ECS rule field names, for all supported log types, in the GitHub Security Analytics repository. Navigate to the [OSMappings](https://github.com/opensearch-project/security-analytics/tree/main/src/main/resources/OSMapping) folder, select the folder named for the log type, and open the `fieldmappings.yml` file. For example, to see the Sigma rule fields that correspond to ECS rule fields for the Windows log type, open the [fieldmappings.yml file](https://github.com/opensearch-project/security-analytics/blob/main/src/main/resources/OSMapping/windows/fieldmappings.yml) in the **windows** folder.
|
Although the ECS rule field names are largely self-explanatory, you can find predefined mappings of the Sigma rule field names with ECS rule field names, for all supported log types, in the GitHub Security Analytics repository. Navigate to the [OSMappings](https://github.com/opensearch-project/security-analytics/tree/main/src/main/resources/OSMapping) folder, select the folder named for the log type, and open the `fieldmappings.yml` file. For example, to see the Sigma rule fields that correspond to ECS rule fields for the Windows log type, open the [fieldmappings.yml file](https://github.com/opensearch-project/security-analytics/blob/main/src/main/resources/OSMapping/windows/fieldmappings.yml) in the **windows** folder.
|
||||||
|
|
||||||
|
### Default field mappings
|
||||||
|
|
||||||
|
Once you navigate to the **Configure field mapping** page, the system attempts to automatically map fields between the two sources. The **Default mapped fields** table contains mappings that the system created automatically after defining the detector. As shown in the image that follows, when the field names are similar to one another the system can successfully match the two.
|
||||||
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/default-mappings.png" alt="Field mapping example for pending mappings" width="85%">
|
||||||
|
|
||||||
|
Although these automatic matches are normally dependable, it's still a good idea to review the mappings in the **Default mapped fields** table and verify that they are correct and matched as expected. If you find a mapping that doesn't appear to be accurate, you can use the dropdown list as described in the [Pending field mappings](#pending-field-mappings) section that follows to correct the field mapping.
|
||||||
|
|
||||||
### Pending field mappings
|
### Pending field mappings
|
||||||
|
|
||||||
Once you navigate to the **Configure field mapping** page, the system attempts to automatically map fields between the two sources. Those field names that are not automatically mapped appear in the **Pending field mapping** table. In this table you can manually map rule fields to log fields, as shown in the following image.
|
The field names that are not automatically mapped appear in the **Pending field mappings** table. In this table you can manually map rule fields to log fields, as shown in the following image.
|
||||||
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/pending-mappings.png" alt="Field mapping example for pending mappings" width="85%">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/pending-mappings.png" alt="Field mapping example for pending mappings" width="85%">
|
||||||
|
|
||||||
While mapping fields, consider the following:
|
While mapping fields, consider the following:
|
||||||
|
@ -59,35 +68,30 @@ While mapping fields, consider the following:
|
||||||
* To map a rule field name to a log field name, use the dropdown arrow to open the list of log fields and select the log field name from the list. To search for names in the log field list, enter text in the **Select a mapping field** box.
|
* To map a rule field name to a log field name, use the dropdown arrow to open the list of log fields and select the log field name from the list. To search for names in the log field list, enter text in the **Select a mapping field** box.
|
||||||
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/log-field.png" alt="Field mapping example for pending mappings" width="60%">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/log-field.png" alt="Field mapping example for pending mappings" width="60%">
|
||||||
* Once the log field name is selected and mapped to the rule field name, the icon in the Status column to the right changes to a green check mark.
|
* Once the log field name is selected and mapped to the rule field name, the icon in the Status column to the right changes to a green check mark.
|
||||||
* Make as many matches between field names as possible to complete an accurate mapping for rule and log fields.
|
* Make as many matches between field names as possible to complete an accurate mapping for rule and log fields.
|
||||||
|
|
||||||
### Default field mappings
|
|
||||||
|
|
||||||
The **Default mapped fields** table contains mappings that the system created automatically after defining the detector. As shown in the image that follows, when the field names are similar to one another the system can successfully match the two.
|
|
||||||
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/default-mappings.png" alt="Field mapping example for pending mappings" width="85%">
|
|
||||||
|
|
||||||
Although these automatic matches are normally dependable, it's still a good idea to review the mappings and verify that they are correct and matched as expected. If you find a mapping that doesn't appear to be accurate, you can use the dropdown list as described in the [Pending field mappings](#pending-field-mappings) section above to correct the field mapping.
|
|
||||||
|
|
||||||
After completing the mappings, select the **Next** button in the lower-right corner of the screen. The **Set up alerts** page appears and displays settings for an alert trigger.
|
After completing the mappings, select the **Next** button in the lower-right corner of the screen. The **Set up alerts** page appears and displays settings for an alert trigger.
|
||||||
|
|
||||||
## Step 3. Set up alerts
|
## Step 3. Set up alerts
|
||||||
|
|
||||||
At this stage, setting up alerts is optional for creating a new detector. Alerts can be configured at any time, including from the Findings window. This section describes the process for defining the alert conditions during creation of a detector. To see how to initiate creation of alerts from the Findings window, see [The findings list]({{site.url}}{{site.baseurl}}/security-analytics/usage/findings/#the-findings-list).
|
The third step in creating a detector involves setting up alerts. Alerts are configured to create triggers that, when matched with a set of detection rule criteria, send a notification of a possible security event. You can select rule names, rule severity, and tags in any combination to define a trigger. Once a trigger is defined, the alert setup lets you choose the channel on which to be notified and provides options for customizing a message for the notification.
|
||||||
|
|
||||||
To skip directly to generating findings from the detector, select the **Remove alert trigger** button and then the **Next** button in the lower-right corner of the screen. Review the detector's definition and then select the **Create** button in the lower-right corner of the screen. The detector is created.
|
At least one alert condition is required before a detector can begin generating findings.
|
||||||
{: .tip }
|
{: .note }
|
||||||
|
|
||||||
To set up an alert for the detector at this stage of detector creation, continue with the following steps:
|
You can also configure alerts from the **Findings** window. To see how to set up alerts from the **Findings** window, see [The findings list]({{site.url}}{{site.baseurl}}/security-analytics/usage/findings/#the-findings-list). A final option for adding additional alerts is to edit a detector and navigate to the **Alert triggers** tab, where you can edit existing alerts as well as add new ones. For details, see [Editing a detector]({{site.url}}{{site.baseurl}}security-analytics/usage/detectors/#editing-a-detector).
|
||||||
|
|
||||||
|
To set up an alert for a detector, continue with the following steps:
|
||||||
|
|
||||||
1. In the **Trigger name** box, enter a name for the trigger.
|
1. In the **Trigger name** box, enter a name for the trigger.
|
||||||
1. To define rule matches for the alert, select security rules, severity levels, and tags.
|
1. To define rule matches for the alert, select security rules, severity levels, and tags.
|
||||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/alert_rules.png" alt="Rules used to define an alert">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/alert_rules.png" alt="Rules used to define an alert" width="70%">
|
||||||
* Select one rule or multiple rules that will trigger the alert. Put the cursor in the **Rule names** box and type a name to search for it. To remove a rule name, select the **X** beside the name. To remove all rule names, select the **X** beside the dropdown menu's down arrow.
|
* Select one rule or multiple rules that will trigger the alert. Put the cursor in the **Rule names** box and type a name to search for it. To remove a rule name, select the **X** beside the name. To remove all rule names, select the **X** beside the dropdown list's down arrow.
|
||||||
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/rule_name_delete.png" alt="Deletes all selected rules">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/rule_name_delete.png" alt="Deletes all selected rules" width="45%">
|
||||||
* Select one or more rule severities as conditions for the alert.
|
* Select one or more rule severities as conditions for the alert.
|
||||||
* Select from a list of tags to include as conditions for the alert.
|
* Select from a list of tags to include as conditions for the alert.
|
||||||
1. To define a notification for the alert, assign an alert severity, select a channel for the notification, and customize a message generated for the alert.
|
1. To define a notification for the alert, assign an alert severity, select a channel for the notification, and customize a message generated for the alert.
|
||||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/alert_notify.png" alt="Notification settings for the alert">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/alert_notify.png" alt="Notification settings for the alert" width="45%">
|
||||||
* Assign a level of severity for the alert to give the recipient an indication of its urgency.
|
* Assign a level of severity for the alert to give the recipient an indication of its urgency.
|
||||||
* Select a channel for the notification. Examples include Slack, Chime, or email. Select the **Manage channels** link to the right of the field to link the notification to a preferred channel.
|
* Select a channel for the notification. Examples include Slack, Chime, or email. Select the **Manage channels** link to the right of the field to link the notification to a preferred channel.
|
||||||
* Select the **Show notify message** label to expand message preferences. You can add a subject for the message and a note to inform recipients of the nature of the message.
|
* Select the **Show notify message** label to expand message preferences. You can add a subject for the message and a note to inform recipients of the nature of the message.
|
||||||
|
|
|
@ -21,4 +21,4 @@ Before Security Analytics can begin generating findings and sending alerts, admi
|
||||||
1. To get started, select the top menu on the Dashboards home page and then select **Security Analytics**. The Overview page for Security Analytics is displayed.
|
1. To get started, select the top menu on the Dashboards home page and then select **Security Analytics**. The Overview page for Security Analytics is displayed.
|
||||||
1. From the options on the left side of the page, select **Detectors** to begin creating a detector.
|
1. From the options on the left side of the page, select **Detectors** to begin creating a detector.
|
||||||
|
|
||||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/secanalytics-det-nav.png" alt="Navigating to create a detector page">
|
<img src="{{site.url}}{{site.baseurl}}/images/Security/secanalytics-det-nav.png" alt="Navigating to create a detector page" width="70%">
|
||||||
|
|
|
@ -15,21 +15,21 @@ You can select the **Refresh** button at any time to refresh information on the
|
||||||
|
|
||||||
## The Alerts graph
|
## The Alerts graph
|
||||||
|
|
||||||
The Alerts graph can display alerts by their status or severity. Use the **Group by** dropdown menu to specify either Alert status or Alert severity.
|
The Alerts graph can display alerts by their status or severity. Use the **Group by** dropdown list to specify either Alert status or Alert severity.
|
||||||
|
|
||||||
To specify the date range you would like the graph to display, first select the calendar dropdown arrow. The date selector window opens.
|
To specify the date range you would like the graph to display, first select the calendar dropdown arrow. The date selector window opens.
|
||||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/find-date-pick.png" alt="Date selector for findings graph">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/find-date-pick.png" alt="Date selector for findings graph" width="55%">
|
||||||
|
|
||||||
You can use the **Quick select** settings to specify an exact window of time.
|
You can use the **Quick select** settings to specify an exact window of time.
|
||||||
* Select either **Last** or **Next** in the first dropdown menu to set the window of time behind the current setting or ahead of the current setting.
|
* Select either **Last** or **Next** in the first dropdown list to set the window of time behind the current setting or ahead of the current setting.
|
||||||
* Select a number in the second dropdown menu to define a value for the range.
|
* Select a number in the second dropdown list to define a value for the range.
|
||||||
* Select a unit of time in the third dropdown menu. Available options are seconds, minutes, hours, days, weeks, months, and years.
|
* Select a unit of time in the third dropdown list. Available options are seconds, minutes, hours, days, weeks, months, and years.
|
||||||
Select the **Apply** button to apply the range of dates to the graph. Information on the graph changes accordingly.
|
Select the **Apply** button to apply the range of dates to the graph. Information on the graph changes accordingly.
|
||||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/quickset.png" alt="Quick select settings example">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/quickset.png" alt="Quick select settings example" width="40%">
|
||||||
<br>You can use the left and right arrows to move the window of time behind the current range of dates or ahead of the current range of dates. When you use these arrows, the start date and end date appear in the date range field. You can then select each one to set an absolute, relative, or current date and time. For absolute and relative changes, select the **Update** button to apply the changes.
|
<br>You can use the left and right arrows to move the window of time behind the current range of dates or ahead of the current range of dates. When you use these arrows, the start date and end date appear in the date range field. You can then select each one to set an absolute, relative, or current date and time. For absolute and relative changes, select the **Update** button to apply the changes.
|
||||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/date-pick.png" alt="Altering date range">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/date-pick.png" alt="Altering date range" width="55%">
|
||||||
|
|
||||||
As an alternative, you can select an option in the **Commonly used** section (see the preceding image of the calendar dropdown menu) to conveniently set a window of time. Options include date ranges such as **Today**, **Yesterday**, **this week**, and **week to date**.
|
As an alternative, you can select an option in the **Commonly used** section (see the preceding image of the calendar dropdown list) to conveniently set a window of time. Options include date ranges such as **Today**, **Yesterday**, **this week**, and **week to date**.
|
||||||
|
|
||||||
When one of the commonly used windows of time is selected, you can select the **Show dates** label in the date range field to populate the range of dates. Following that, you can select either the start date or end date to specify by an absolute, relative, or current date and time setting. For absolute and relative changes, select the **Update** button to apply the changes.
|
When one of the commonly used windows of time is selected, you can select the **Show dates** label in the date range field to populate the range of dates. Following that, you can select either the start date or end date to specify by an absolute, relative, or current date and time setting. For absolute and relative changes, select the **Update** button to apply the changes.
|
||||||
|
|
||||||
|
@ -38,5 +38,5 @@ As one more alternative, you can select an option from the **Recently used date
|
||||||
## The Alerts list
|
## The Alerts list
|
||||||
|
|
||||||
The Alerts list displays all findings according to the time when the alert was triggered, the alert's trigger name, the detector that triggered the alert, the alert status, and alert severity.
|
The Alerts list displays all findings according to the time when the alert was triggered, the alert's trigger name, the detector that triggered the alert, the alert status, and alert severity.
|
||||||
Use the **Alert severity** dropdown menu to filter the list of alerts by severity. Use the **Status** dropdown menu to filter the list by alert status.
|
Use the **Alert severity** dropdown list to filter the list of alerts by severity. Use the **Status** dropdown list to filter the list by alert status.
|
||||||
|
|
||||||
|
|
|
@ -8,24 +8,24 @@ nav_order: 30
|
||||||
# Working with detectors
|
# Working with detectors
|
||||||
|
|
||||||
After creating a detector, it appears on the Threat detectors page along with others saved to the system. You can then perform a number of actions for each detector, from editing its details to changing its status. See the following sections for description of the available actions.
|
After creating a detector, it appears on the Threat detectors page along with others saved to the system. You can then perform a number of actions for each detector, from editing its details to changing its status. See the following sections for description of the available actions.
|
||||||
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/threat-detector.png" alt="Threat detector page" width="600">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/threat-detector.png" alt="Threat detector page" width="60%">
|
||||||
|
|
||||||
## Threat detector list
|
## Threat detector list
|
||||||
|
|
||||||
The list of threat detectors includes the search bar, the **Status** dropdown menu, and the **Log type** dropdown menu.
|
The list of threat detectors includes the search bar, the **Status** dropdown list, and the **Log type** dropdown list.
|
||||||
* Use the search bar to filter by detector name.
|
* Use the search bar to filter by detector name.
|
||||||
* Select the **Status** dropdown menu to filter detectors in the list by Active and Inactive status.
|
* Select the **Status** dropdown list to filter detectors in the list by Active and Inactive status.
|
||||||
* Select the **Log type** dropdown menu to filter detectors by any log type that appears in the list (the options depend on the detectors present in the list and their log types).
|
* Select the **Log type** dropdown list to filter detectors by any log type that appears in the list (the options depend on the detectors present in the list and their log types).
|
||||||
|
|
||||||
### Editing a detector
|
### Editing a detector
|
||||||
|
|
||||||
To edit a detector, begin by selecting the link to the detector in the Detector name column of the list. The detector's details window opens and shows details about the detector's configuration.
|
To edit a detector, begin by selecting the link to the detector in the Detector name column of the list. The detector's details window opens and shows details about the detector's configuration.
|
||||||
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/detector-details.png" alt="Detector details window for editig the detector" width="500">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/detector-details.png" alt="Detector details window for editig the detector" width="50%">
|
||||||
* In the upper-left portion of the window, the details window shows the name of the detector and its status, either Active or Inactive.
|
* In the upper-left portion of the window, the details window shows the name of the detector and its status, either Active or Inactive.
|
||||||
* In the upper-right corner of the window, you can select **View alerts** to go to the Alerts window or **View findings** to go to the Findings window. You can also select **Actions** to perform actions for the detector. See [Detector actions]({{site.url}}{{site.baseurl}}/security-analytics/usage/detectors/#detector-actions).
|
* In the upper-right corner of the window, you can select **View alerts** to go to the Alerts window or **View findings** to go to the Findings window. You can also select **Actions** to perform actions for the detector. See [Detector actions]({{site.url}}{{site.baseurl}}/security-analytics/usage/detectors/#detector-actions).
|
||||||
* In the lower portion of the window, select the **Edit** button for either Detector details or Detection rules to make changes accordingly.
|
* In the lower portion of the window, select the **Edit** button for either Detector details or Detection rules to make changes accordingly.
|
||||||
* Finally, you can select the **Field mappings** tab to edit field mappings for the detector, or select the **Alert triggers** tab to make edits to alerts associated with the detector.
|
* Finally, you can select the **Field mappings** tab to edit field mappings for the detector, or select the **Alert triggers** tab to make edits to alerts associated with the detector.
|
||||||
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/detector-details2.png" alt="Field mappings and Alert triggers tabs" width="400">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/detector-details2.png" alt="Field mappings and Alert triggers tabs" width="40%">
|
||||||
|
|
||||||
After you select the **Alert triggers** tab, you also have the option to add additional alerts for the detector by selecting **Add another alert condition** at the bottom of the page.
|
After you select the **Alert triggers** tab, you also have the option to add additional alerts for the detector by selecting **Add another alert condition** at the bottom of the page.
|
||||||
{: .tip }
|
{: .tip }
|
||||||
|
@ -33,16 +33,16 @@ To edit a detector, begin by selecting the link to the detector in the Detector
|
||||||
## Detector actions
|
## Detector actions
|
||||||
|
|
||||||
Threat detector actions allow you to stop and start detectors or delete a detector. To enable actions, first select the checkbox beside one or more detectors in the list.
|
Threat detector actions allow you to stop and start detectors or delete a detector. To enable actions, first select the checkbox beside one or more detectors in the list.
|
||||||
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/detector-action.png" alt="Threat detector actions" width="500">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/detector-action.png" alt="Threat detector actions" width="50%">
|
||||||
|
|
||||||
### Changing detector status
|
### Changing detector status
|
||||||
|
|
||||||
1. Select the detector or detectors in the list whose status you would like to change. The **Actions** dropdown menu becomes enabled.
|
1. Select the detector or detectors in the list whose status you would like to change. The **Actions** dropdown list becomes enabled.
|
||||||
1. Depending on whether the detector is currently active or inactive, select either **Stop detector** or **Start detector**. After a moment, the change in status of the detector appears in the detector list as either Inactive or Active.
|
1. Depending on whether the detector is currently active or inactive, select either **Stop detector** or **Start detector**. After a moment, the change in status of the detector appears in the detector list as either Inactive or Active.
|
||||||
|
|
||||||
### Deleting a detector
|
### Deleting a detector
|
||||||
|
|
||||||
1. Select the detector or detectors in the list that you would like to delete. The **Actions** dropdown menu becomes enabled.
|
1. Select the detector or detectors in the list that you would like to delete. The **Actions** dropdown list becomes enabled.
|
||||||
1. Select **Delete** in the dropdown menu. The Delete detector popup window opens and asks you to verify that you want to delete the detector or detectors.
|
1. Select **Delete** in the dropdown list. The Delete detector popup window opens and asks you to verify that you want to delete the detector or detectors.
|
||||||
1. Select **Cancel** to decline the action. Select **Delete detector** to delete the detector or detectors permanently from the list.
|
1. Select **Cancel** to decline the action. Select **Delete detector** to delete the detector or detectors permanently from the list.
|
||||||
|
|
||||||
|
|
|
@ -15,21 +15,21 @@ You can select the **Refresh** button at any time to refresh information on the
|
||||||
|
|
||||||
## The Findings graph
|
## The Findings graph
|
||||||
|
|
||||||
The findings graph can display findings by log type or rule severity. Use the **Group by** dropdown menu to specify either log type or rule severity.
|
The findings graph can display findings by log type or rule severity. Use the **Group by** dropdown list to specify either log type or rule severity.
|
||||||
|
|
||||||
To specify the date range you would like the graph to display, first select the calendar dropdown menu. The date selector window opens.
|
To specify the date range you would like the graph to display, first select the calendar dropdown list. The date selector window opens.
|
||||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/find-date-pick.png" alt="Date selector for findings graph">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/find-date-pick.png" alt="Date selector for findings graph" width="55%">
|
||||||
|
|
||||||
You can use the **Quick select** settings to specify an exact window of time.
|
You can use the **Quick select** settings to specify an exact window of time.
|
||||||
* Select either **Last** or **Next** in the first dropdown menu to set the window of time behind the current setting or ahead of the current setting.
|
* Select either **Last** or **Next** in the first dropdown list to set the window of time behind the current setting or ahead of the current setting.
|
||||||
* Select a number in the second dropdown menu to define a value for the range.
|
* Select a number in the second dropdown list to define a value for the range.
|
||||||
* Select a unit of time in the third dropdown menu. Available options are seconds, minutes, hours, days, weeks, months, and years.
|
* Select a unit of time in the third dropdown list. Available options are seconds, minutes, hours, days, weeks, months, and years.
|
||||||
Select the **Apply** button to apply the range of dates to the graph. Information on the graph changes accordingly.
|
Select the **Apply** button to apply the range of dates to the graph. Information on the graph changes accordingly.
|
||||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/quickset.png" alt="Quick select settings example">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/quickset.png" alt="Quick select settings example" width="40%">
|
||||||
<br>You can use the left and right arrows to move the window of time behind the current range of dates or ahead of the current range of dates. When you use these arrows, the start date and end date appear in the date range field. You can then select each one to set an absolute, relative, or current date and time. For absolute and relative changes, select the **Update** button to apply the changes.
|
<br>You can use the left and right arrows to move the window of time behind the current range of dates or ahead of the current range of dates. When you use these arrows, the start date and end date appear in the date range field. You can then select each one to set an absolute, relative, or current date and time. For absolute and relative changes, select the **Update** button to apply the changes.
|
||||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/date-pick.png" alt="Altering date range">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/date-pick.png" alt="Altering date range" width="55%">
|
||||||
|
|
||||||
As an alternative, you can select an option in the **Commonly used** section (see the preceding image of the calendar dropdown menu) to conveniently set a window of time. Options include date ranges such as **Today**, **Yesterday**, **this week**, and **week to date**.
|
As an alternative, you can select an option in the **Commonly used** section (see the preceding image of the calendar dropdown list) to conveniently set a window of time. Options include date ranges such as **Today**, **Yesterday**, **this week**, and **week to date**.
|
||||||
|
|
||||||
When one of the commonly used windows of time is selected, you can select the **Show dates** label in the date range field to populate the range of dates. Following that, you can select either the start date or end date to specify by an absolute, relative, or current date and time setting. For absolute and relative changes, select the **Update** button to apply the changes.
|
When one of the commonly used windows of time is selected, you can select the **Show dates** label in the date range field to populate the range of dates. Following that, you can select either the start date or end date to specify by an absolute, relative, or current date and time setting. For absolute and relative changes, select the **Update** button to apply the changes.
|
||||||
|
|
||||||
|
@ -38,8 +38,8 @@ As one more alternative, you can select an option from the **Recently used date
|
||||||
## The Findings list
|
## The Findings list
|
||||||
|
|
||||||
The Findings list displays all findings according to time of the finding, the finding ID, the rule name that generated the finding, the detector that captured the finding, and other details.
|
The Findings list displays all findings according to time of the finding, the finding ID, the rule name that generated the finding, the detector that captured the finding, and other details.
|
||||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/finding-list.png" alt="A list of all findings">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/finding-list.png" alt="A list of all findings" width="85%">
|
||||||
Use the **Rule severity** dropdown menu to filter the list of findings by severity. Use the **log type** dropdown menu to filter the list by log type.
|
Use the **Rule severity** dropdown list to filter the list of findings by severity. Use the **log type** dropdown list to filter the list by log type.
|
||||||
Each finding in the list includes a finding ID. You can select the ID to open the Finding details pane, which describes the finding by parameters defined when creating the detector.
|
Each finding in the list includes a finding ID. You can select the ID to open the Finding details pane, which describes the finding by parameters defined when creating the detector.
|
||||||
The Actions column includes two options for each finding:
|
The Actions column includes two options for each finding:
|
||||||
* The diagonal arrow provides another way to open the Findings detail pane.
|
* The diagonal arrow provides another way to open the Findings detail pane.
|
||||||
|
|
|
@ -21,7 +21,7 @@ Each section provides a summary description for each element of Security Analyti
|
||||||
The upper portion of the Overview page contains two control buttons for refreshing information and getting started with Security Analytics. You can select the **Refresh** button to refresh all of the information on the page.
|
The upper portion of the Overview page contains two control buttons for refreshing information and getting started with Security Analytics. You can select the **Refresh** button to refresh all of the information on the page.
|
||||||
|
|
||||||
You can also select the **Getting started** link to expand the Get started with Security Analytics window, which includes a summary of the setup steps as well as control buttons that allow you to jump to any of the steps.
|
You can also select the **Getting started** link to expand the Get started with Security Analytics window, which includes a summary of the setup steps as well as control buttons that allow you to jump to any of the steps.
|
||||||
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/overview.png" alt="The overview page with getting started quick launch window" width="900">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/overview.png" alt="The overview page with getting started quick launch window" width="85%">
|
||||||
* In step 1 of setup, select **Create detector** to define a detector.
|
* In step 1 of setup, select **Create detector** to define a detector.
|
||||||
* In step 2, select **View findings** to go to the Findings page. For details about this page, see [Working with findings]({{site.url}}{{site.baseurl}}/security-analytics/usage/findings/).
|
* In step 2, select **View findings** to go to the Findings page. For details about this page, see [Working with findings]({{site.url}}{{site.baseurl}}/security-analytics/usage/findings/).
|
||||||
* In step 3, select **View alerts** to go to the Security alerts page. For details about this page, see [Working with alerts]({{site.url}}{{site.baseurl}}/security-analytics/usage/alerts/).
|
* In step 3, select **View alerts** to go to the Security alerts page. For details about this page, see [Working with alerts]({{site.url}}{{site.baseurl}}/security-analytics/usage/alerts/).
|
||||||
|
@ -29,7 +29,7 @@ You can also select the **Getting started** link to expand the Get started with
|
||||||
|
|
||||||
## Findings and alert count
|
## Findings and alert count
|
||||||
|
|
||||||
The Findings and alert count section provides a graph showing data on the latest findings. Use the **Group by** menu to select either **All findings** or **Log type**.
|
The Findings and alert count section provides a graph showing data on the latest findings. Use the **Group by** dropdown list to select either **All findings** or **Log type**.
|
||||||
|
|
||||||
## Recent alerts
|
## Recent alerts
|
||||||
|
|
||||||
|
@ -42,9 +42,9 @@ The Recent findings table displays recent findings by time, rule name, rule seve
|
||||||
## Most frequent detection rules
|
## Most frequent detection rules
|
||||||
|
|
||||||
This section provides a graphical representation of detection rules that trigger findings most often and how they compare to others as a percentage of the whole. The rule names represented by the graph are listed to the right.
|
This section provides a graphical representation of detection rules that trigger findings most often and how they compare to others as a percentage of the whole. The rule names represented by the graph are listed to the right.
|
||||||
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/rule_graph.png" alt="The detection rule graph on the Overview page" width="500">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/rule_graph.png" alt="The detection rule graph on the Overview page" width="50%">
|
||||||
|
|
||||||
## Detectors
|
## Detectors
|
||||||
|
|
||||||
Detectors displays a list of available detectors by detector name, status (active/inactive), and log type. Select **View all detectors** to go to the Detectors page. Select **Create detector** to go directly to the Define detector page.
|
The Detectors section displays a list of available detectors by detector name, status (active/inactive), and log type. Select **View all detectors** to go to the Detectors page. Select **Create detector** to go directly to the Define detector page.
|
||||||
|
|
||||||
|
|
|
@ -8,29 +8,29 @@ nav_order: 40
|
||||||
# Working with rules
|
# Working with rules
|
||||||
|
|
||||||
The Rules window lists all security rules and provides options for filtering the list and viewing details for each rule. Further options let you import rules and create new rules by first duplicating a Sigma rule then modifying it. This section covers navigation of the Rules page and description of the actions you can perform.
|
The Rules window lists all security rules and provides options for filtering the list and viewing details for each rule. Further options let you import rules and create new rules by first duplicating a Sigma rule then modifying it. This section covers navigation of the Rules page and description of the actions you can perform.
|
||||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/Rules.png" alt="The Rules page">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/Rules.png" alt="The Rules page" width="90%">
|
||||||
|
|
||||||
## Viewing and filtering rules
|
## Viewing and filtering rules
|
||||||
|
|
||||||
When you open the Rules page, all rules are listed in the table. Use the search bar to search for specific rules by entering a full or partial name and pressing **Return/Enter** on your keyboard. The list is filtered and displays matching results.
|
When you open the Rules page, all rules are listed in the table. Use the search bar to search for specific rules by entering a full or partial name and pressing **Return/Enter** on your keyboard. The list is filtered and displays matching results.
|
||||||
|
|
||||||
Alternatively, you can use the **Rule type**, **Rule severity**, and **Source** dropdown menus to drill down in the list of alerts and filter for preferred results. You can select multiple options from each menu and use all three menus in combination to narrow results.
|
Alternatively, you can use the **Rule type**, **Rule severity**, and **Source** dropdown lists to drill down in the alerts and filter for preferred results. You can select multiple options from each list and use all three in combination to narrow results.
|
||||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/rule-menu.png" alt="Rule menus for filtering results">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/rule-menu.png" alt="Rule menus for filtering results" width="40%">
|
||||||
|
|
||||||
### Rule details
|
### Rule details
|
||||||
|
|
||||||
To see rule details, select the rule in the Rule name column of the list. The rule details pane opens.
|
To see rule details, select the rule in the Rule name column of the list. The rule details pane opens.
|
||||||
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/Rule_details.png" alt="The rule details pane" width="500">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/Rule_details.png" alt="The rule details pane" width="50%">
|
||||||
|
|
||||||
In Visual view, rule details are arranged in fields, and the links are active. Select **YAML** to display the rule in YAML file format.
|
In Visual view, rule details are arranged in fields, and the links are active. Select **YAML** to display the rule in YAML file format.
|
||||||
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/rule_detail_yaml.png" alt="The rule details pane in YAML file view" width="500">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/rule_detail_yaml.png" alt="The rule details pane in YAML file view" width="50%">
|
||||||
* Rule details are formatted as a YAML file according to the Sigma rule specification.
|
* Rule details are formatted as a YAML file according to the Sigma rule specification.
|
||||||
* To copy the rule, select the copy icon in the top right corner of the rule. To quickly create a new and customized rule, you can paste the rule into the YAML editor and make any modifications before saving it. See [Customizing rules](#customizing-rules) for details.
|
* To copy the rule, select the copy icon in the top right corner of the rule. To quickly create a new and customized rule, you can paste the rule into the YAML editor and make any modifications before saving it. See [Customizing rules](#customizing-rules) for details.
|
||||||
|
|
||||||
## Creating rules
|
## Creating rules
|
||||||
|
|
||||||
There are several ways to create rules on the Rules page. The first is to manually fill in the necessary fields that complete the rule, using either the Visual Editor or YAML Editor. To do this, select the **Create new rule** button in the uppper-right corner of the Rules window. The Create a rule window opens.
|
There are several ways to create rules on the Rules page. The first is to manually fill in the necessary fields that complete the rule, using either the Visual Editor or YAML Editor. To do this, select the **Create new rule** button in the uppper-right corner of the Rules window. The Create a rule window opens.
|
||||||
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/create-a-rule.png" alt="The Create a rule window, which includes the Visual Editor and YAML editor." width="500">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/create-a-rule.png" alt="The Create a rule window, which includes the Visual Editor and YAML editor." width="50%">
|
||||||
|
|
||||||
If you choose to create the rule manually, you can refer to Sigma's [Rule Creation Guide](https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide) to help understand details for each field.
|
If you choose to create the rule manually, you can refer to Sigma's [Rule Creation Guide](https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide) to help understand details for each field.
|
||||||
* By default, the Visual Editor is displayed. Enter the appropriate content in each field and select **Create** in the lower-right corner of the window to save the rule.
|
* By default, the Visual Editor is displayed. Enter the appropriate content in each field and select **Create** in the lower-right corner of the window to save the rule.
|
||||||
|
@ -75,6 +75,7 @@ author:
|
||||||
- David ANDRE
|
- David ANDRE
|
||||||
status: experimental
|
status: experimental
|
||||||
```
|
```
|
||||||
|
{% include copy.html %}
|
||||||
|
|
||||||
1. To begin, select the **Import rule** button in the upper-right corner of the page. The Import rule page opens.
|
1. To begin, select the **Import rule** button in the upper-right corner of the page. The Import rule page opens.
|
||||||
1. Either drag a YAML-formatted Sigma rule into the window or browse for the file by selecting the link and opening it. The Import a rule window opens and the rule definition fields are automatically populated in both the Visual Editor and YAML Editor.
|
1. Either drag a YAML-formatted Sigma rule into the window or browse for the file by selecting the link and opening it. The Import a rule window opens and the rule definition fields are automatically populated in both the Visual Editor and YAML Editor.
|
||||||
|
@ -84,15 +85,15 @@ status: experimental
|
||||||
## Customizing rules
|
## Customizing rules
|
||||||
|
|
||||||
An alternative to importing a rule is duplicating a Sigma rule and then modifying it to create a custom rule. First search for or filter rules in the Rules list to locate the rule you want to duplicate.
|
An alternative to importing a rule is duplicating a Sigma rule and then modifying it to create a custom rule. First search for or filter rules in the Rules list to locate the rule you want to duplicate.
|
||||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/rules-dup1.png" alt="Selecting a rule in the Rules name list">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/rules-dup1.png" alt="Selecting a rule in the Rules name list" width="75%">
|
||||||
|
|
||||||
1. To begin, select the rule in the Rule name column. The rule details pane opens.
|
1. To begin, select the rule in the Rule name column. The rule details pane opens.
|
||||||
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/rule-dup2.png" alt="Opening the rule details pane" width="500">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/rule-dup2.png" alt="Opening the rule details pane" width="50%">
|
||||||
1. Select the **Duplicate** button in the upper-right corner of the pane. The Duplicate rule window opens in Visual Editor view and all of the fields are automatically populated with the rule's details. Details are also populated in YAML Editor view.
|
1. Select the **Duplicate** button in the upper-right corner of the pane. The Duplicate rule window opens in Visual Editor view and all of the fields are automatically populated with the rule's details. Details are also populated in YAML Editor view.
|
||||||
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/dupe-rule.png" alt="Selecting the duplicate button opens the Duplicate rule window" width="500">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/dupe-rule.png" alt="Selecting the duplicate button opens the Duplicate rule window" width="50%">
|
||||||
1. In either Visual Editor view or YAML Editor view, modify any of the fields to customize the rule.
|
1. In either Visual Editor view or YAML Editor view, modify any of the fields to customize the rule.
|
||||||
1. After performing any modifications to the rule, select the **Create** button in the lower-right corner of the window. A new and customized rule is created, and it appears in the list of rules on the main page of the Rules window.
|
1. After performing any modifications to the rule, select the **Create** button in the lower-right corner of the window. A new and customized rule is created, and it appears in the list of rules on the main page of the Rules window.
|
||||||
<img src="{{site.url}}{{site.baseurl}}/images/Security/custom-rule.png" alt="The custom rule now appears in the list of rules.">
|
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/custom-rule.png" alt="The custom rule now appears in the list of rules." width="70%">
|
||||||
|
|
||||||
You cannot modify the Sigma rule itself. The original Sigma rule always remains in the system. Its duplicate, after modification, becomes the custom rule that is added to the list of rules.
|
You cannot modify the Sigma rule itself. The original Sigma rule always remains in the system. Its duplicate, after modification, becomes the custom rule that is added to the list of rules.
|
||||||
{: .note }
|
{: .note }
|
||||||
|
|
Loading…
Reference in New Issue