Add log types section to Security Analytics (#6235)

* Add log types section to Security Analytics Signed-off-by: Naarcha-AWS <naarcha@amazon.com> * Rename custom log type page. Signed-off-by: Naarcha-AWS <naarcha@amazon.com> * Tweak layout. Signed-off-by: Naarcha-AWS <naarcha@amazon.com> * Replace image with callouts Signed-off-by: Naarcha-AWS <naarcha@amazon.com> * Fix links, fix structure. Signed-off-by: Naarcha-AWS <naarcha@amazon.com> * Fix bugs Signed-off-by: Naarcha-AWS <naarcha@amazon.com> * Add Joanne's technical feedback. Link back to detectors. Signed-off-by: Naarcha-AWS <naarcha@amazon.com> * Apply suggestions from code review Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Melissa Vagi <vagimeli@amazon.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Melissa Vagi <vagimeli@amazon.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Melissa Vagi <vagimeli@amazon.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Melissa Vagi <vagimeli@amazon.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Melissa Vagi <vagimeli@amazon.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Melissa Vagi <vagimeli@amazon.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Melissa Vagi <vagimeli@amazon.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Melissa Vagi <vagimeli@amazon.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Update detectors-config.md Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Nathan Bower <nbower@amazon.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Update log-types.md Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Nathan Bower <nbower@amazon.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> --------- Signed-off-by: Naarcha-AWS <naarcha@amazon.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Co-authored-by: Melissa Vagi <vagimeli@amazon.com> Co-authored-by: Nathan Bower <nbower@amazon.com>
opensearch-project · Apr 4, 2024 · 88cde9d · 88cde9d
1 parent 801b6ec
commit 88cde9d
Show file tree

Hide file tree

Showing 23 changed files with 2,316 additions and 77 deletions.
diff --git a/_security-analytics/index.md b/_security-analytics/index.md
@@ -39,7 +39,7 @@ For information about configuring detectors, see [Creating detectors]({{site.url
 
 ### Log types
 
-Log types provide the data used to evaluate events occurring in a system. OpenSearch supports several types of logs and provides out-of-the-box mappings for the most common log sources. See [Supported log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types/) for a list of log types currently supported by Security Analytics.
+[Log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types/) provide the data used to evaluate events occurring in a system. OpenSearch supports several types of logs and provides out-of-the-box mappings for the most common log sources.
 
 Log types are specified during the creation of detectors, including steps for mapping log fields to the detector. Security Analytics also automatically selects an appropriate set of rules based on a specific log type and populates them for the detector.
 

diff --git a/_security-analytics/log-types-reference/ad-ldap.md b/_security-analytics/log-types-reference/ad-ldap.md
@@ -0,0 +1,114 @@
+---
+layout: default
+title: AD LDAP
+parent: Supported log types
+nav_order: 20
+---
+
+# AD LDAP
+
+The `ad_ldap` log type tracks Active Directory logs, such as:
+
+- Lightweight Directory Access Protocol (LDAP) queries.
+- Errors from the LDAP server.
+- Timeout events.
+- Unsecured LDAP binds.
+
+The following code snippet contains all `raw_field` and `ecs` mappings for this log type:
+
+```json
+ "mappings": [
+   {
+      "raw_field":"TargetUserName",
+      "ecs":"azure.signinlogs.properties.user_id"
+    },
+    {
+      "raw_field":"creationTime",
+      "ecs":"timestamp"
+    },
+    {
+      "raw_field":"Category",
+      "ecs":"azure.activitylogs.category"
+    },
+    {
+      "raw_field":"OperationName",
+      "ecs":"azure.platformlogs.operation_name"
+    },
+    {
+      "raw_field":"ModifiedProperties_NewValue",
+      "ecs":"modified_properties.new_value"
+    },
+    {
+      "raw_field":"ResourceProviderValue",
+      "ecs":"azure.resource.provider"
+    },
+    {
+      "raw_field":"conditionalAccessStatus",
+      "ecs":"azure.signinlogs.properties.conditional_access_status"
+    },
+    {
+      "raw_field":"SearchFilter",
+      "ecs":"SearchFilter"
+    },
+    {
+      "raw_field":"Operation",
+      "ecs":"azure.platformlogs.operation_name"
+    },
+    {
+      "raw_field":"ResultType",
+      "ecs":"azure.platformlogs.result_type"
+    },
+    {
+      "raw_field":"DeviceDetail_isCompliant",
+      "ecs":"azure.signinlogs.properties.device_detail.is_compliant"
+    },
+    {
+      "raw_field":"ResourceDisplayName",
+      "ecs":"resource_display_name"
+    },
+    {
+      "raw_field":"AuthenticationRequirement",
+      "ecs":"azure.signinlogs.properties.authentication_requirement"
+    },
+    {
+      "raw_field":"TargetResources",
+      "ecs":"target_resources"
+    },
+    {
+      "raw_field":"Workload",
+      "ecs":"workload"
+    },
+    {
+      "raw_field":"DeviceDetail.deviceId",
+      "ecs":"azure.signinlogs.properties.device_detail.device_id"
+    },
+    {
+      "raw_field":"OperationNameValue",
+      "ecs":"azure.platformlogs.operation_name"
+    },
+    {
+      "raw_field":"ResourceId",
+      "ecs":"azure.signinlogs.properties.resource_id"
+    },
+    {
+      "raw_field":"ResultDescription",
+      "ecs":"azure.signinlogs.result_description"
+    },
+    {
+      "raw_field":"EventID",
+      "ecs":"EventID"
+    },
+    {
+      "raw_field":"NetworkLocationDetails",
+      "ecs":"azure.signinlogs.properties.network_location_details"
+    },
+    {
+      "raw_field":"CategoryValue",
+      "ecs":"azure.activitylogs.category"
+    },
+    {
+      "raw_field":"ActivityDisplayName",
+      "ecs":"azure.auditlogs.properties.activity_display_name"
+    }
+  ]
+```
diff --git a/_security-analytics/log-types-reference/apache-access.md b/_security-analytics/log-types-reference/apache-access.md
@@ -0,0 +1,10 @@
+---
+layout: default
+title: Apache Access
+parent: Supported log types
+nav_order: 25
+---
+
+# Apache Access
+
+The `apache_access` log type records data for all requests processed by Apache HTTP servers. It contains no `raw_field` or `ecs` mappings.
diff --git a/_security-analytics/log-types-reference/azure.md b/_security-analytics/log-types-reference/azure.md
@@ -0,0 +1,225 @@
+---
+layout: default
+title: Azure
+parent: Supported log types
+nav_order: 29
+---
+
+# Azure
+
+The `azure` log type monitors log data for cloud applications managed by Azure Cloud Services.
+
+The following code snippet contains all `raw_field` and `ecs` mappings for this log type:
+
+```json
+"mappings": [
+    {
+      "raw_field":"Resultdescription",
+      "ecs":"azure.signinlogs.result_description"
+    },
+    {
+      "raw_field":"eventSource",
+      "ecs":"eventSource"
+    },
+    {
+      "raw_field":"eventName",
+      "ecs":"eventName"
+    },
+    {
+      "raw_field":"Status",
+      "ecs":"azure.platformlogs.status"
+    },
+    {
+      "raw_field":"LoggedByService",
+      "ecs":"azure.auditlogs.properties.logged_by_service"
+    },
+    {
+      "raw_field":"properties_message",
+      "ecs":"properties_message"
+    },
+    {
+      "raw_field":"status",
+      "ecs":"azure.platformlogs.status"
+    },
+    {
+      "raw_field":"TargetUserName",
+      "ecs":"azure.signinlogs.properties.user_id"
+    },
+    {
+      "raw_field":"creationTime",
+      "ecs":"timestamp"
+    },
+    {
+      "raw_field":"Category",
+      "ecs":"azure.activitylogs.category"
+    },
+    {
+      "raw_field":"OperationName",
+      "ecs":"azure.platformlogs.operation_name"
+    },
+    {
+      "raw_field":"ModifiedProperties_NewValue",
+      "ecs":"modified_properties.new_value"
+    },
+    {
+      "raw_field":"ResourceProviderValue",
+      "ecs":"azure.resource.provider"
+    },
+    {
+      "raw_field":"conditionalAccessStatus",
+      "ecs":"azure.signinlogs.properties.conditional_access_status"
+    },
+    {
+      "raw_field":"SearchFilter",
+      "ecs":"search_filter"
+    },
+    {
+      "raw_field":"Operation",
+      "ecs":"azure.platformlogs.operation_name"
+    },
+    {
+      "raw_field":"ResultType",
+      "ecs":"azure.platformlogs.result_type"
+    },
+    {
+      "raw_field":"DeviceDetail_isCompliant",
+      "ecs":"azure.signinlogs.properties.device_detail.is_compliant"
+    },
+    {
+      "raw_field":"ResourceDisplayName",
+      "ecs":"resource_display_name"
+    },
+    {
+      "raw_field":"AuthenticationRequirement",
+      "ecs":"azure.signinlogs.properties.authentication_requirement"
+    },
+    {
+      "raw_field":"TargetResources",
+      "ecs":"target_resources"
+    },
+    {
+      "raw_field":"Workload",
+      "ecs":"Workload"
+    },
+    {
+      "raw_field":"DeviceDetail_deviceId",
+      "ecs":"azure.signinlogs.properties.device_detail.device_id"
+    },
+    {
+      "raw_field":"OperationNameValue",
+      "ecs":"azure.platformlogs.operation_name"
+    },
+    {
+      "raw_field":"ResourceId",
+      "ecs":"azure.signinlogs.properties.resource_id"
+    },
+    {
+      "raw_field":"ResultDescription",
+      "ecs":"azure.signinlogs.result_description"
+    },
+    {
+      "raw_field":"EventID",
+      "ecs":"EventID"
+    },
+    {
+      "raw_field":"NetworkLocationDetails",
+      "ecs":"azure.signinlogs.properties.network_location_details"
+    },
+    {
+      "raw_field":"CategoryValue",
+      "ecs":"azure.activitylogs.category"
+    },
+    {
+      "raw_field":"ActivityDisplayName",
+      "ecs":"azure.auditlogs.properties.activity_display_name"
+    },
+    {
+      "raw_field":"Initiatedby",
+      "ecs":"azure.activitylogs.identity.claims_initiated_by_user.name"
+    },
+    {
+      "raw_field":"Count",
+      "ecs":"Count"
+    },
+    {
+      "raw_field":"ResourceTenantId",
+      "ecs":"azure.signinlogs.properties.resource_tenant_id"
+    },
+    {
+      "raw_field":"failure_status_reason",
+      "ecs":"failure_status_reason"
+    },
+    {
+      "raw_field":"AppId",
+      "ecs":"azure.signinlogs.properties.app_id"
+    },
+    {
+      "raw_field":"properties.message",
+      "ecs":"properties.message"
+    },
+    {
+      "raw_field":"ClientApp",
+      "ecs":"azure.signinlogs.properties.client_app_used"
+    },
+    {
+      "raw_field":"ActivityDetails",
+      "ecs":"ActivityDetails"
+    },
+    {
+      "raw_field":"Target",
+      "ecs":"Target"
+    },
+    {
+      "raw_field":"DeviceDetail.trusttype",
+      "ecs":"azure.signinlogs.properties.device_detail.trust_type"
+    },
+    {
+      "raw_field":"HomeTenantId",
+      "ecs":"azure.signinlogs.properties.home_tenant_id"
+    },
+    {
+      "raw_field":"ConsentContext.IsAdminConsent",
+      "ecs":"ConsentContext.IsAdminConsent"
+    },
+    {
+      "raw_field":"InitiatedBy",
+      "ecs":"InitiatedBy"
+    },
+    {
+      "raw_field":"ActivityType",
+      "ecs":"azure.auditlogs.properties.activity_display_name"
+    },
+    {
+      "raw_field":"operationName",
+      "ecs":"azure.activitylogs.operation_name"
+    },
+    {
+      "raw_field":"ModifiedProperties{}.NewValue",
+      "ecs":"modified_properties.new_value"
+    },
+    {
+      "raw_field":"userAgent",
+      "ecs":"user_agent.name"
+    },
+    {
+      "raw_field":"RiskState",
+      "ecs":"azure.signinlogs.properties.risk_state"
+    },
+    {
+      "raw_field":"Username",
+      "ecs":"azure.activitylogs.identity.claims_initiated_by_user.name"
+    },
+    {
+      "raw_field":"DeviceDetail.deviceId",
+      "ecs":"azure.signinlogs.properties.device_detail.device_id"
+    },
+    {
+      "raw_field":"DeviceDetail.isCompliant",
+      "ecs":"azure.signinlogs.properties.device_detail.is_compliant"
+    },
+    {
+      "raw_field":"Location",
+      "ecs":"azure.signinlogs.properties.network_location_details"
+    }
+  ]
+```