How to make a detection rule in Security Analytics

when I creating rule in security analytics, i choose “Log Type”(like s3, network…)
but my own logs… does not have any type field like above Log Type
My log is like this…
“Jul 14 04:18:14 CEF:0|VENDOR|PRODUCT|VERSION|CAT1|CAT2|6|args=[“”,“00:10:f3:66:7c:00”,”“,”“] computer_name=acomputer login_id=A3 client_time=1999-07-14T04:22:26.870Z lsi=LSI dsa= level=i user_name=tom data_uuid=229bdb27-6aa0-4adb-84ba-7957d68deb04-WINDOWS ip= mac=00-73-5a-a6-30-d3 tz_offset=9 function=12345 dsii= department=team node_id=4105”

so, what is Log Type? … or do i have to mapping Log Type with that log?
i think not auto mapping…

in YAML Editor, “Log Type” is product field blow logsource section.
so, product field have to defined original log message? i confused.

please help me

In OpenSearch, the “Log Type” you’re referring to is likely a field that is used to categorize or identify the type of logs you’re ingesting into your system. It’s not automatically mapped, and you would need to define it in your log ingestion process.

From the log message you’ve provided, it seems like your logs are in Common Event Format (CEF). If you want to use a “Log Type” field, you could add a field in your log ingestion process that identifies these logs as “CEF” or any other identifier that makes sense for your use case.

In the YAML editor, the “product” field under the “logsource” section is likely a field that you can use to further categorize your logs. For example, if your logs are coming from different products or systems, you could use this field to identify which product or system the log is coming from.

Remember, the way you structure and categorize your logs would largely depend on your specific use case and how you want to analyze your logs in OpenSearch. It’s important to design your log ingestion and mapping process in a way that supports your analysis and troubleshooting needs.

Disclaimer, assisted me with this answer!