Greetings Everyone,
Currently, I am having a problem mapping the fields below while trying to create a detector that triggers alerts for a CloudTrail log source event.
requestParameters.arn: aws-cloudtrail-requestParameters-arn
requestParameters.attribute: aws-cloudtrail-requestParameters-attribute
requestParameters.userName: aws-cloudtrail-requestParameters-userName
requestParameters.containerDefinitions.command: aws-cloudtrail-requestParameters-containerDefinitions-command
Just wondering if it is possible to 1) modify the fieldmappings.yml to remove these fields and add the index's existing fields in the event that I want to alert on, based on custom Sigma rule selection and filtering? Basically, editing this file (https://github.com/opensearch-project/security-analytics/blob/2.5/src/main/resources/OSMapping/cloudtrail/fieldmappings.yml ) to do something similar to this: Modifying the YAML files - OpenSearch documentation, or 2) add the problem fields by recreating the CloudTrail index?
Any help would be greatly appreciated.
Thanks
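One way to check which of those Sigma fields the index can actually back before building the detector, as an added example (not code from this post or from the Security Analytics plugin): parse the `sigma_field: alias_name` pairs in the fieldmappings.yml layout quoted above, flatten the index mapping, and emit alias definitions for the fields that resolve while listing the ones that do not. The CloudTrail mapping excerpt is constructed, and the request-body field names for the plugin's `POST _plugins/_security_analytics/mappings` call (`index_name`, `rule_topic`, `partial`, `alias_mappings`) are my assumption from the plugin's mapping API; check them against the docs for your version.

```python
import json

# Constructed sample in the fieldmappings.yml layout (sigma field: alias name);
# the real file is the one linked in the post, these lines are test input.
FIELDMAPPINGS_YML = """\
fieldmappings:
  eventName: aws-cloudtrail-eventName
  requestParameters.arn: aws-cloudtrail-requestParameters-arn
  requestParameters.attribute: aws-cloudtrail-requestParameters-attribute
  requestParameters.userName: aws-cloudtrail-requestParameters-userName
  requestParameters.containerDefinitions.command: aws-cloudtrail-requestParameters-containerDefinitions-command
"""

# Constructed index mapping, shaped like the "mappings" object that
# GET <index>/_mapping returns; deliberately missing two of the fields above.
INDEX_MAPPINGS = {
    "properties": {
        "eventName": {"type": "keyword"},
        "eventSource": {"type": "keyword"},
        "requestParameters": {
            "properties": {
                "arn": {"type": "keyword"},
                "userName": {
                    "type": "text",
                    "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
                },
            }
        },
    }
}


def parse_fieldmappings(text):
    """Parse the flat 'sigma_field: alias_name' pairs under 'fieldmappings:'.
    Only the two-level layout of the plugin's YAML files is handled."""
    pairs = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):               # top-level key
            in_section = line.strip() == "fieldmappings:"
            continue
        if in_section and ":" in line:
            sigma_field, alias = line.strip().split(":", 1)
            pairs[sigma_field.strip()] = alias.strip()
    return pairs


def flatten_properties(properties, prefix=""):
    """Flatten nested 'properties' and multi-'fields' into {dotted.path: type}."""
    flat = {}
    for name, spec in properties.items():
        path = f"{prefix}{name}"
        if "properties" in spec:                   # object field: recurse
            flat.update(flatten_properties(spec["properties"], path + "."))
        if "type" in spec:
            flat[path] = spec["type"]
        for sub, sub_spec in spec.get("fields", {}).items():   # multi-fields
            flat[f"{path}.{sub}"] = sub_spec.get("type", "keyword")
    return flat


def resolve_aliases(fieldmappings, index_mappings):
    """Return (alias_properties, unresolved).

    alias_properties maps each alias name to an alias definition pointing at
    the raw CloudTrail path, preferring a .keyword multi-field over a text
    field so Sigma exact-match conditions behave. unresolved lists the Sigma
    fields that no concrete field in the index can back."""
    flat = flatten_properties(index_mappings.get("properties", {}))
    alias_properties, unresolved = {}, []
    for sigma_field, alias_name in fieldmappings.items():
        if alias_name in flat:                     # index already has the normalized name
            continue
        target = None
        if sigma_field in flat:
            target = sigma_field
            if flat[sigma_field] == "text" and f"{sigma_field}.keyword" in flat:
                target = f"{sigma_field}.keyword"
        if target is None:
            unresolved.append(sigma_field)
        else:
            alias_properties[alias_name] = {"type": "alias", "path": target}
    return alias_properties, unresolved


def build_mapping_request(index_name, rule_topic, alias_properties):
    """Body for POST _plugins/_security_analytics/mappings. The field names are
    an assumption based on the plugin's mapping API; verify for your version."""
    return {
        "index_name": index_name,
        "rule_topic": rule_topic,
        "partial": True,
        "alias_mappings": {"properties": alias_properties},
    }


if __name__ == "__main__":
    aliases, missing = resolve_aliases(parse_fieldmappings(FIELDMAPPINGS_YML), INDEX_MAPPINGS)
    print(json.dumps(build_mapping_request("cloudtrail-*", "cloudtrail", aliases), indent=2))
    print("unresolved sigma fields:", missing)
```

With the constructed mapping, `requestParameters.attribute` and `requestParameters.containerDefinitions.command` come back unresolved, which is the situation to fix at the index (template or reindex) rather than in the detector: an alias cannot point at a field the index does not have.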
Gsmitt
November 4, 2023, 12:55am
2
Hey @apaws06
Have you tried creating a template first? By default I believe OpenSearch is set to dynamic mapping, meaning when it detects new fields it creates them. What I have done was create a custom template with the unique alias needed, so when the log from the device arrives with the same alias it will create the index set and use my custom template, just an idea.
Thanks Gsmitt. I have an issue with the template. Currently trying to figure out this error: “[security_analytics_exception] No applied aliases not found. Failed to retrieve field mappings.”
Gsmitt
November 6, 2023, 10:55pm
4
Hey @apaws06
I see others posted something similar to this on GitHub.
opened 07:55PM - 02 Nov 23 UTC
enhancement
**Is your feature request related to a problem?**
When no alias mappings are applied for an index, the GET mappingsView API throws an exception
`/_plugins/_security_analytics/mappings?indexName=c*`
Response:
`{"ok":false,"error":"[security_analytics_exception] No applied aliases found"}`
**What solution would you like?**
Return an empty result instead since it is not an actionable event for the user.
**What alternatives have you considered?**
N/A
**Do you have any additional context?**
N/A
opened 04:22PM - 26 Oct 23 UTC
bug
untriaged
**What is the bug?**
When trying to create a security analytics detector I get an error "[security_analytics_exception] normalizer [lowercase_keyword] not found for field 'x'". x being <Index-identifier>_<Unique string> Ex. 25-000873_J6yHbIsBON-lwPZfCF7R
**How can one reproduce the bug?**
Steps to reproduce the behavior:
1. Go to 'Security Analytics'
2. Click on 'Create Detector'
3. Configuration is for all elastic beats data sources "elastic_windows*"
4. Log Type 'windows'
5. Select all Rules
6. All mappings automatically applied except for 'windows-message' which was manually mapped to 'event.original'
7. Alert Trigger used default settings did not add channel during testing
8. Click 'Create Detector'
9. See error
10. "[security_analytics_exception] normalizer [lowercase_keyword] not found for field"
**What is the expected behavior?**
When creating indexes we already apply normalizers like lowercase_keyword. I pasted the code we utilize in the additional context section.
**What is your host/environment?**
- OS: Windows 11
- Version: OpenSearch 2.8
- Plugins:
**Do you have any screenshots?**
![Screenshot 2023-10-26 110448](https://github.com/opensearch-project/security-analytics/assets/149092256/487ced92-4d4e-4283-8c5c-c715be40c899)
**Do you have any additional context?**
When we create an index, we add the lowercase_keyword normalizer and set it as the normalizer for the message field

```json
{
  "mappings": {
    "properties": {
      "message": {
        "type": "keyword",
        "normalizer": "lowercase_keyword"
      }
    }
  },
  "settings": {
    "analysis": {
      "normalizer": {
        "lowercase_keyword": {
          "type": "custom",
          "filter": [
            "lowercase"
          ]
        }
      }
    }
  }
}
```
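A pre-flight check for the second issue's error, as an added example that is not from the issue or the plugin: walk every field in an index body's mappings (nested objects and multi-fields included) and report any `normalizer` reference that the same body's `settings.analysis.normalizer` does not define. It accepts both the layout of the issue's JSON (`settings.analysis`) and the `settings.index.analysis` nesting a live `GET <index>/_settings` response uses. The index body below is constructed, with one field added that references an undefined normalizer.

```python
# Constructed index body in the layout of the issue's JSON, plus a nested
# object whose second field references a normalizer the settings never define.
INDEX_BODY = {
    "mappings": {
        "properties": {
            "message": {"type": "keyword", "normalizer": "lowercase_keyword"},
            "winlog": {
                "properties": {
                    "channel": {"type": "keyword", "normalizer": "lowercase_keyword"},
                    "event_id": {"type": "keyword", "normalizer": "trim_keyword"},
                }
            },
        }
    },
    "settings": {
        "analysis": {
            "normalizer": {
                "lowercase_keyword": {"type": "custom", "filter": ["lowercase"]}
            }
        }
    },
}


def iter_fields(properties, prefix=""):
    """Yield (dotted_path, field_spec) for every field, descending into
    object 'properties' and keyword multi-'fields'."""
    for name, spec in properties.items():
        path = f"{prefix}{name}"
        yield path, spec
        if "properties" in spec:
            yield from iter_fields(spec["properties"], path + ".")
        for sub, sub_spec in spec.get("fields", {}).items():
            yield f"{path}.{sub}", sub_spec


def defined_normalizers(index_body):
    """Normalizer names defined in settings.analysis (index-creation body)
    or settings.index.analysis (as returned by GET <index>/_settings)."""
    settings = index_body.get("settings", {})
    analysis = settings.get("analysis") or settings.get("index", {}).get("analysis", {})
    return set(analysis.get("normalizer", {}))


def undefined_normalizer_refs(index_body):
    """Return [(field_path, normalizer)] for every reference with no definition."""
    known = defined_normalizers(index_body)
    props = index_body.get("mappings", {}).get("properties", {})
    return [
        (path, spec["normalizer"])
        for path, spec in iter_fields(props)
        if "normalizer" in spec and spec["normalizer"] not in known
    ]


if __name__ == "__main__":
    for path, normalizer in undefined_normalizer_refs(INDEX_BODY):
        print(f"field {path!r} references undefined normalizer {normalizer!r}")
```

Run against a template or index body before creating the detector; any hit means the index itself will refuse that mapping, so the detector error is downstream of a settings gap rather than something to fix in the detector configuration.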
system
Closed
January 5, 2024, 10:55pm
5
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.