
[FEATURE] SigmaRule Parser - Remove replacing "." to "_" in field names #375

Closed
petardz opened this issue Mar 16, 2023 · 3 comments
Assignees
Labels
enhancement New feature or request v2.9.0

Comments

@petardz
Contributor

petardz commented Mar 16, 2023

Is your feature request related to a problem?
During the first release of SAP we had issues with fields containing "." in Sigma rules. That issue has since been fixed, and we no longer need to replace the "." character in field names.

What solution would you like?
Remove replacing "." characters.

@petardz petardz added enhancement New feature or request untriaged labels Mar 16, 2023
@eirsep eirsep added v2.7.0 and removed untriaged labels Mar 30, 2023
@jinalp-crest

jinalp-crest commented Apr 4, 2023

@eirsep and @petardz Just wanted to confirm that there are aliases that we see on the detector mapping screen. So, as per the configured rules, we provide a mapping for the aliases against our field present in the index.

I tried the Sigma rule while configuring the CloudTrail detector, and at that time I was not able to map the field "userIdentity.type". I see there is an alias called aws-cloudtrail-user_identity-type, but I don't see any mappings for it in the security analytics repository. So, I guess this is the issue.

Also, I'm able to generate findings for all the flattened data with the Sigma rule configuration. But, somehow, I am not able to generate findings/alerts for the nested JSON data (which is parsed and ingested as per the ECS format). So can anyone help me understand what I might be missing?

Just to share context, I am using the Security Analytics plugin from OpenSearch version 2.6.x (latest), running on a Docker image. For the detector configuration, I have used the CloudTrail detector with all 31 out-of-the-box Sigma rules available.

References:

@petardz
Contributor Author

petardz commented Apr 4, 2023

@jinalp-crest

You're right, mappings are buggy in 2.6. There are also other examples where this is the case. You can work around this temporarily by defining alias mappings in your index manually:

```
PUT my_index/_mapping
{
  "properties": {
    "aws-cloudtrail-user_identity-type": {
      "type": "alias",
      "path": "my_index_field"
    }
  }
}
```

> Also, I'm able to generate findings for all the flattened data with the Sigma rule configuration. But, somehow, I am not able to generate findings/alerts for the nested JSON data (which is parsed and ingested as per the ECS format). So can anyone help me understand what I might be missing?

This issue is in Alerting and it is addressed by this PR: link
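An added example, not from this thread or the Security Analytics plugin, that builds the manual alias-mapping body from the workaround above against the fields actually present in an index mapping (the index name, sample mapping and alias targets are constructed). It also checks the one thing that makes a hand-written alias fail: the `path` must point at an existing concrete field, not a missing one and not another alias.

```python
import json

# Constructed sample: a trimmed GET my_index/_mapping response for a CloudTrail index
# ingested in nested (ECS-style) form, plus one pre-existing alias field.
SAMPLE_INDEX_MAPPING = {"my_index": {"mappings": {"properties": {
    "userIdentity": {"properties": {"type": {"type": "keyword"}, "arn": {"type": "keyword"}}},
    "eventName": {"type": "keyword"},
    "event_name_alias": {"type": "alias", "path": "eventName"},
}}}}

def concrete_fields(mapping: dict, prefix: str = "") -> dict:
    """Flatten a mapping into {"dotted.path": type}, recursing into object fields."""
    out = {}
    for name, spec in mapping.get("properties", {}).items():
        path = prefix + name
        if "properties" in spec:  # object field: descend, keeping the dotted path
            out.update(concrete_fields(spec, path + "."))
        else:
            out[path] = spec.get("type", "object")
    return out

def check_alias_targets(index_mapping: dict, index: str, aliases: dict) -> list:
    """Return one message per alias whose target is missing or is itself an alias;
    OpenSearch rejects both when the alias field is created."""
    fields = concrete_fields(index_mapping[index]["mappings"])
    problems = []
    for alias, path in aliases.items():
        if path not in fields:
            problems.append(f"{alias}: target field {path!r} is not in the index mapping")
        elif fields[path] == "alias":
            problems.append(f"{alias}: target {path!r} is itself an alias")
    return problems

def build_alias_mapping(index_mapping: dict, index: str, aliases: dict) -> dict:
    """Build the PUT <index>/_mapping body from {alias_name: target_path}."""
    problems = check_alias_targets(index_mapping, index, aliases)
    if problems:
        raise ValueError("; ".join(problems))
    return {"properties": {a: {"type": "alias", "path": p} for a, p in aliases.items()}}

if __name__ == "__main__":
    body = build_alias_mapping(SAMPLE_INDEX_MAPPING, "my_index",
                               {"aws-cloudtrail-user_identity-type": "userIdentity.type"})
    print("PUT my_index/_mapping\n" + json.dumps(body, indent=2))
```

Feed it the real `GET <index>/_mapping` response instead of the sample and the printed body can be sent as the PUT request shown above.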

@amsiglan
Collaborator

Fixed in 2.9

riysaxen-amzn pushed a commit to riysaxen-amzn/security-analytics that referenced this issue Mar 25, 2024
Signed-off-by: AWSHurneyt <hurneyt@amazon.com>