---
layout: default
title: Working with detectors
parent: Using Security Analytics
nav_order: 30
---
# Working with detectors
After creating a detector, it appears on the Threat detectors page along with the others saved to the system. You can then perform a number of actions for each detector, from editing its details to changing its status. See the following sections for descriptions of the available actions.
<img src="{{site.url}}{{site.baseurl}}/images/Security/threat-detector.png" alt="Threat detector page" width="60%">
---
## Threat detector list
The list of threat detectors includes the search bar, the **Status** dropdown list, and the **Log type** dropdown list.
* Use the search bar to filter by detector name.
* Select the **Status** dropdown list to filter detectors in the list by Active and Inactive status.
* Select the **Log type** dropdown list to filter detectors by any log type that appears in the list (the options depend on the detectors present in the list and their log types).
### Editing a detector
To edit a detector, begin by selecting the link to the detector in the Detector name column of the list. The detector's details window opens and shows details about the detector's configuration.
<img src="{{site.url}}{{site.baseurl}}/images/Security/detector-details.png" alt="Detector details window for editing the detector" width="50%">
* In the upper-left portion of the window, the details window shows the name of the detector and its status, either Active or Inactive.
* In the upper-right corner of the window, you can select **View alerts** to go to the Alerts window or **View findings** to go to the Findings window. You can also select **Actions** to perform actions for the detector. See [Detector actions]({{site.url}}{{site.baseurl}}/security-analytics/usage/detectors/#detector-actions).
* In the lower portion of the window, select the **Edit** button for either Detector details or Detection rules to make changes accordingly.
* Finally, you can select the **Field mappings** tab to edit field mappings for the detector, or select the **Alert triggers** tab to make edits to alerts associated with the detector.
<img src="{{site.url}}{{site.baseurl}}/images/Security/detector-details2.png" alt="Field mappings and Alert triggers tabs" width="40%">
After you select the **Alert triggers** tab, you also have the option to add additional alerts for the detector by selecting **Add another alert condition** at the bottom of the page.
{: .tip }
### Threat intelligence feeds
A threat intelligence feed is a continuously updated data stream of information about known threats. Each individual item in a tactical feed, typically an IP address, domain, or file hash that has been observed in attacker infrastructure or malware, is called an *indicator of compromise* (IoC). When an IoC turns up in your own logs, for example as the source of a login from an unknown user or location, or alongside anomalous activity such as a sudden increase in read volume, it suggests that your cluster may have been compromised, and investigators use these matches to help isolate security incidents.
As of OpenSearch 2.12, you can enable threat intelligence for Sigma rules related to malicious IP addresses.
To enable threat intelligence feeds, select the **Enable threat intelligence-based detection** option.
Threat intelligence feeds only work with **standard** log types.
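To make the IP-based matching concrete, the following is an added example written for this page; it is not the Security Analytics plugin's implementation and does not show how the plugin ingests feeds. It parses a feed of malicious addresses, rejects entries that would be unsafe to match on, and checks log events against the surviving IoCs. The feed format (one IP or CIDR per line, `#` comments), the `source_ip`/`destination_ip` field names, the `FEED_TEXT` and `EVENTS` data, and the `INTERNAL`/`MAX_ADDRESSES` limits are all constructed assumptions; the addresses are documentation ranges, not a real threat list.

```python
import ipaddress
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Address space never accepted from a feed: an entry overlapping it would
# turn every internal host into a finding. Extend with your own ranges.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7")]
MAX_ADDRESSES = 2 ** 16  # refuse any single entry wider than a /16

# Constructed feed in an assumed one-entry-per-line format with '#' comments.
# Addresses are documentation ranges, not a real threat list.
FEED_TEXT = """\
# example feed, fetched 2024-01-01
198.51.100.7
203.0.113.0/28      # scanner block
10.0.0.0/8          # bad entry: would flag the whole LAN
2001:db8::bad
not-an-ip
"""

# Constructed events whose fields are already mapped to source_ip / destination_ip.
EVENTS = [
    {"event_id": 1, "source_ip": "10.1.2.3", "destination_ip": "198.51.100.7"},
    {"event_id": 2, "source_ip": "203.0.113.9", "destination_ip": "10.1.2.3"},
    {"event_id": 3, "source_ip": "10.1.2.4", "destination_ip": "10.1.2.5"},
    {"event_id": 4, "source_ip": "2001:db8::bad", "destination_ip": "10.1.2.3"},
    {"event_id": 5, "source_ip": "garbage", "destination_ip": "198.51.100.7"},
]
IP_FIELDS = ("source_ip", "destination_ip")


def parse_feed(text: str, source: str) -> Tuple[List[Tuple[Network, str]], List[Tuple[int, str, str]]]:
    """Return (accepted IoCs, rejected entries as (line, entry, reason)).
    Rejections are reported rather than silently dropped: a feed that
    suddenly ships unparseable or over-broad entries is itself a signal."""
    iocs, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((lineno, entry, "unparseable"))
            continue
        if net.num_addresses > MAX_ADDRESSES:
            rejected.append((lineno, entry, "too broad"))
            continue
        if any(net.version == i.version and net.overlaps(i) for i in INTERNAL):
            rejected.append((lineno, entry, "overlaps internal space"))
            continue
        iocs.append((net, source))
    return iocs, rejected


def match_events(events: List[Dict], iocs: List[Tuple[Network, str]]) -> List[Dict]:
    """One finding per IP field that falls inside a feed entry."""
    findings = []
    for ev in events:
        for field in IP_FIELDS:
            value = ev.get(field)
            if value is None:
                continue
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                continue  # malformed value: skip this field, keep the event
            for net, source in iocs:
                if addr in net:
                    findings.append({"event_id": ev["event_id"], "field": field,
                                     "value": value, "ioc": str(net), "feed": source})
                    break
    return findings


if __name__ == "__main__":
    iocs, rejected = parse_feed(FEED_TEXT, "example-feed")
    for line, entry, reason in rejected:
        print(f"feed line {line}: rejected {entry!r} ({reason})")
    for f in match_events(EVENTS, iocs):
        print(f"event {f['event_id']}: {f['field']}={f['value']} hit {f['ioc']} from {f['feed']}")
```

Two points carry over to any real feed integration: treat the feed as untrusted input (an entry covering RFC 1918 space or a `/0` would flood you with findings, so validate before matching), and keep the feed name on each finding so an analyst can tell which source asserted the IoC.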
---
## Detector actions
Threat detector actions allow you to stop and start detectors or delete a detector. To enable actions, first select the checkbox beside one or more detectors in the list.
<img src="{{site.url}}{{site.baseurl}}/images/Security/detector-action.png" alt="Threat detector actions" width="50%">
### Changing detector status
1. Select the detector or detectors in the list whose status you would like to change. The **Actions** dropdown list becomes enabled.
1. Depending on whether the detector is currently active or inactive, select either **Stop detector** or **Start detector**. After a moment, the change in status of the detector appears in the detector list as either Inactive or Active.
### Deleting a detector
1. Select the detector or detectors in the list that you would like to delete. The **Actions** dropdown list becomes enabled.
1. Select **Delete** in the dropdown list. The Delete detector popup window opens and asks you to verify that you want to delete the detector or detectors.
1. Select **Cancel** to decline the action. Select **Delete detector** to delete the detector or detectors permanently from the list.
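The same filtering, status changes, and deletions can be scripted through the Security Analytics REST API, which is what you want once there are more than a handful of detectors. The following is an added example written for this page, not code from the OpenSearch project. It assumes the detector endpoints under `/_plugins/_security_analytics/detectors` (`GET`, `PUT`, and `DELETE` on `/{detector_id}`, `POST` on `/_search`) as documented in the Security Analytics API reference, that the update API takes the same full body as the create API, that `enabled` and `detector_type` are queryable fields in the search API, and that the delete response echoes the detector's `_id`. `fake_transport` and `demo_store` are constructed stand-ins so the flow runs offline; `http_transport` is the one you would use against a cluster.

```python
import base64
import json
import urllib.request
from typing import Callable, Dict, List, Optional

DETECTORS = "/_plugins/_security_analytics/detectors"
# Fields the create/update API accepts (assumed from the API reference). Anything
# else that GET returns (monitor_id, user, timestamps) is server-managed and is
# not sent back on update.
UPDATE_FIELDS = ("name", "detector_type", "enabled", "schedule",
                 "inputs", "triggers", "threat_intel_enabled")

Transport = Callable[[str, str, Optional[dict]], dict]


def http_transport(base_url: str, user: str, password: str) -> Transport:
    """Transport against a real cluster: JSON bodies, basic auth, TLS as given in base_url."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def send(method: str, path: str, body: Optional[dict]) -> dict:
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(base_url + path, data=data, method=method,
                                     headers={"Content-Type": "application/json",
                                              "Authorization": "Basic " + token})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"{}")
    return send


def filter_query(enabled: Optional[bool] = None, log_type: Optional[str] = None) -> dict:
    """Same filters as the Status and Log type dropdown lists on the page."""
    must = []
    if enabled is not None:
        must.append({"term": {"enabled": enabled}})
    if log_type is not None:
        must.append({"term": {"detector_type": log_type}})
    return {"query": {"bool": {"must": must}} if must else {"match_all": {}}}


def list_detectors(send: Transport, enabled: Optional[bool] = None,
                   log_type: Optional[str] = None) -> List[dict]:
    resp = send("POST", DETECTORS + "/_search", filter_query(enabled, log_type))
    return [{"id": h["_id"], "name": h["_source"]["name"], "enabled": h["_source"]["enabled"]}
            for h in resp["hits"]["hits"]]


def set_status(send: Transport, detector_id: str, enabled: bool) -> bool:
    """Start (enabled=True) or stop (enabled=False) one detector. The update API
    replaces the whole detector, so GET it, flip `enabled`, and PUT the full body
    back; a partial body would drop the inputs and triggers. Returns True if changed."""
    current = send("GET", f"{DETECTORS}/{detector_id}", None)["detector"]
    if bool(current.get("enabled")) == enabled:
        return False
    body = {k: current[k] for k in UPDATE_FIELDS if k in current}
    body["enabled"] = enabled
    send("PUT", f"{DETECTORS}/{detector_id}", body)
    return True


def delete_detector(send: Transport, detector_id: str) -> bool:
    """Permanent, and unlike the UI there is no confirmation prompt here."""
    resp = send("DELETE", f"{DETECTORS}/{detector_id}", None)
    return resp.get("_id") == detector_id


def fake_transport(store: Dict[str, dict]) -> Transport:
    """Constructed stand-in for a cluster so the flow can be exercised offline."""
    def send(method: str, path: str, body: Optional[dict]) -> dict:
        det_id = path.rsplit("/", 1)[-1]
        if method == "POST" and det_id == "_search":
            must = body["query"].get("bool", {}).get("must", [])
            hits = [{"_id": i, "_source": d} for i, d in store.items()
                    if all(d.get(k) == v for m in must for k, v in m["term"].items())]
            return {"hits": {"hits": hits}}
        if method == "GET":
            return {"_id": det_id, "_version": 1, "detector": store[det_id]}
        if method == "PUT":
            store[det_id].update(body)
            return {"_id": det_id}
        if method == "DELETE":
            store.pop(det_id)
            return {"_id": det_id}
        raise ValueError(f"unexpected {method} {path}")
    return send


def demo_store() -> Dict[str, dict]:
    """Two constructed detectors in the shape the GET API returns."""
    base = {"schedule": {"period": {"interval": 1, "unit": "MINUTES"}},
            "inputs": [], "triggers": [], "monitor_id": ["m1"]}
    return {"d-win": {"name": "windows_logins", "detector_type": "windows", "enabled": True, **base},
            "d-dns": {"name": "dns_tunnel", "detector_type": "dns", "enabled": False, **base}}


def run_demo() -> Dict[str, object]:
    """Filter, start, stop-check and delete against the constructed store."""
    send = fake_transport(demo_store())  # swap for http_transport("https://host:9200", user, pw)
    out = {"active_before": [d["id"] for d in list_detectors(send, enabled=True)],
           "dns_by_type": [d["id"] for d in list_detectors(send, log_type="dns")]}
    out["started_dns"] = set_status(send, "d-dns", True)
    out["started_dns_again"] = set_status(send, "d-dns", True)
    out["deleted_win"] = delete_detector(send, "d-win")
    out["remaining"] = [(d["id"], d["enabled"]) for d in list_detectors(send)]
    return out


if __name__ == "__main__":
    print(run_demo())
```

Two differences from the page's UI flow matter when scripting: `set_status` reads the detector and writes the whole body back because the update API replaces rather than patches, so never send a hand-built partial body; and `delete_detector` has no confirmation step, so put your own guard (a dry-run flag or an explicit allow-list of IDs) in front of it. Use `http_transport` only over TLS with a CA the client trusts rather than disabling certificate verification to reach a demo cluster.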
## Related articles
[Creating detectors]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/detectors-config/)