Feedback: Experimental Feature - Security Analytics

In OpenSearch 2.4, we are introducing the first set of Security Analytics capabilities as an experimental feature. This is an open source solution that will help users detect common threat patterns using over 2000 pre-packaged rules, while providing the flexibility to customize them to meet your requirements. Security Analytics will include support for eight log sources, including Windows logs, AWS CloudTrail logs, S3 access logs, etc. Users can create detectors using pre-packaged rule sets to automatically generate security findings that help identify potential threats. Users can also create customized alerts from security findings and trigger workflows such as sending customized notifications via Slack, email, or a webhook.

To get started, check out the GitHub repo and documentation. The OpenSearch team is actively looking for your feedback and ideas to enhance the Security Analytics capabilities (including UI/UX workflows). Please include a description of your use cases to help us understand the context of your feedback.


First off, this looks promising. Glad you are working on it.

First thing I get when I go to create a detector is the following error message:

[security_analytics_exception] Custom rule index doesnt exist. Please create custom rules first.

Also, when selecting the data source, you are presented with a long list of individual indexes which does not appear to be searchable (or at least the list is not limited to items that match what you are typing). Also, you do not appear to be able to specify an index pattern, which seems to make the whole thing entirely useless, as you would need to create a new detector each day if using the standard per-day index naming scheme.


If I go to create a detector for the Windows logs data type using a winlogbeat data source, I get a required field mapping page which I have no idea how to fill out. The docs seem to indicate that this would be populated initially and one would only need to modify it if desired.

I am running into this same issue. @opoplawski - based on your follow-up post, "maybe" you have overcome some of these issues? Any steps you can share to proceed? For what it is worth, my installation is an upgrade to 2.4 rather than a fresh install. Not sure if that matters.

FWIW - I haven’t made any progress on any of these issues.