“source-ip” is not a mapped Sigma field, hence you don’t get any applied aliases.
This is the expected workflow using the APIs:
Call GET /_plugins/_security_analytics/mappings/view
to get the automatically mapped fields (returned in the properties field) and the unmapped Sigma fields (returned in the unmapped_field_aliases field).
You will get the unmapped Sigma fields from ALL rules of the rule category you selected (for example windows). If you don’t want to select ALL rules in the detector, you can fetch the rule fields only for the rules you want enabled. Here is an example query for fetching the Sigma field names of one rule of the network category with id 286b47ed-f6fe-40b3-b3a8-35129acd43bc:
POST /.opensearch-sap-pre-packaged-rules-config/_search
{
  "_source": [
    "rule.query_field_names"
  ],
  "query": {
    "nested": {
      "path": "rule",
      "query": {
        "bool": {
          "must": [
            {
              "term": {
                "rule.category": {
                  "value": "network"
                }
              }
            },
            {
              "terms": {
                "_id": [
                  "286b47ed-f6fe-40b3-b3a8-35129acd43bc"
                ]
              }
            }
          ]
        }
      }
    }
  }
}
Now that you know which fields you need to map, pack them into a single request and call:
POST /_plugins/_security_analytics/mappings
{
  "index_name": "ntd.hunt-syslog",
  "rule_topic": "network",
  "alias_mappings": {
    "properties": {
      "some-rule-field": {
        "type": "alias",
        "path": "some-index-field"
      },
      ....
    }
  }
}
After this call you can call the Create Detector API.
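The following is an added example that walks through the workflow above offline; it is not code from the OpenSearch project or from the post. It assumes (not stated on the page) that mappings/view takes index_name and rule_topic as query parameters and that each rule.query_field_names entry is either a plain string or an object with a "value" key; the view response, rule-search hits and index field list are constructed sample data. It narrows the unmapped_field_aliases list to the fields the chosen rules actually use, builds the POST /mappings body, refuses alias paths that do not exist in the index, and reports which Sigma fields remain unmapped, since rules referencing those fields cannot resolve against the index and will not match.

```python
"""Offline walk-through of the Security Analytics field-mapping workflow.

Added example; not code from the OpenSearch project or from the post above.
Assumptions (not stated on the page): mappings/view takes index_name and
rule_topic as query parameters, and rule.query_field_names entries are either
plain strings or objects with a "value" key. All sample data is constructed.
"""
from urllib.parse import urlencode

# Constructed: what GET /_plugins/_security_analytics/mappings/view might return
SAMPLE_VIEW_RESPONSE = {
    "properties": {  # fields the plugin mapped automatically
        "destination.port": {"type": "alias", "path": "dst_port"},
    },
    "unmapped_field_aliases": ["source-ip", "destination-ip", "protocol"],
}

# Constructed: hits from the rule search on .opensearch-sap-pre-packaged-rules-config
SAMPLE_RULE_HITS = {
    "hits": {"hits": [{
        "_id": "286b47ed-f6fe-40b3-b3a8-35129acd43bc",
        "_source": {"rule": {"query_field_names": [
            {"value": "source-ip"}, {"value": "destination.port"}]}},
    }]}
}

# Constructed: leaf fields of the target index (as seen in GET <index>/_mapping)
SAMPLE_INDEX_FIELDS = {"src_ip", "dst_ip", "dst_port", "proto", "message"}


def view_mappings_url(base_url, index_name, rule_topic):
    """Build the mappings/view request URL (query-parameter names are an assumption)."""
    query = urlencode({"index_name": index_name, "rule_topic": rule_topic})
    return f"{base_url}/_plugins/_security_analytics/mappings/view?{query}"


def rule_field_names(search_response):
    """Collect the Sigma field names referenced by the rules the search returned."""
    names = set()
    for hit in search_response["hits"]["hits"]:
        for entry in hit["_source"]["rule"].get("query_field_names", []):
            names.add(entry["value"] if isinstance(entry, dict) else entry)
    return names


def fields_to_map(view_response, wanted=None):
    """Unmapped Sigma fields, optionally restricted to those the chosen rules use."""
    unmapped = set(view_response.get("unmapped_field_aliases", []))
    if wanted is not None:
        unmapped &= set(wanted)
    return sorted(unmapped)


def build_alias_mappings(index_name, rule_topic, field_map, index_fields, view_response):
    """Build the POST /_plugins/_security_analytics/mappings body from a
    {sigma_field: index_field} dict, rejecting entries that cannot work."""
    unmapped = set(view_response.get("unmapped_field_aliases", []))
    props = {}
    for sigma_field, path in field_map.items():
        if sigma_field not in unmapped:
            raise ValueError(f"{sigma_field!r} is not an unmapped Sigma field of topic {rule_topic!r}")
        if path not in index_fields:
            raise ValueError(f"alias path {path!r} does not exist in index {index_name!r}")
        props[sigma_field] = {"type": "alias", "path": path}
    return {"index_name": index_name, "rule_topic": rule_topic,
            "alias_mappings": {"properties": props}}


def still_unmapped(view_response, field_map):
    """Sigma fields left unmapped after field_map is applied; rules that
    reference them cannot resolve against this index and will not match."""
    return [f for f in fields_to_map(view_response) if f not in field_map]


if __name__ == "__main__":
    import json
    needed = fields_to_map(SAMPLE_VIEW_RESPONSE, rule_field_names(SAMPLE_RULE_HITS))
    print("fields the selected rule needs mapped:", needed)
    body = build_alias_mappings("ntd.hunt-syslog", "network", {"source-ip": "src_ip"},
                                SAMPLE_INDEX_FIELDS, SAMPLE_VIEW_RESPONSE)
    print(json.dumps(body, indent=2))
    print("still unmapped:", still_unmapped(SAMPLE_VIEW_RESPONSE, {"source-ip": "src_ip"}))
```

Feed the real mappings/view JSON and the real rule-search hits into these functions instead of the constructed samples; the body that build_alias_mappings returns is what you POST before calling Create Detector, and anything still_unmapped reports is a detection gap to either map or accept knowingly.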