Mappings in Security Analytics Plugin

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 2.5

I was exploring the Security Analytics Plugin, and I created one detector with this rule enabled: security-analytics/aws_sts_assumerole_misuse.yml at main · opensearch-project/security-analytics · GitHub

As per the rule, I didn’t find any alert created when I am having data like this

      "eventVersion": "1.08",
      "userIdentity": {
        "type": "AssumedRole",
        "principalId": "aaa:hained-role",
        "arn": "arn:aws:sts::xxx:assumed-role/chained-role-ciem/chained-role",
        "accountId": "xxx",
        "accessKeyId": "aaa",
        "sessionContext": {
          "sessionIssuer": {
            "type": "Role",
            "principalId": "aaa",
            "arn": "arn:aws:iam::xxx:role/chained-role-ciem",
            "accountId": "xxx",
            "userName": "chained-role-ciem"
          "webIdFederationData": {},
          "attributes": {
            "creationDate": "2022-09-30T10:19:19Z",
            "mfaAuthenticated": "false"

But when I flatten the data and insert the below json in index, alert got generated

    "userIdentity.type": "AssumedRole",
    "userIdentity.sessionContext.sessionIssuer.type": "Role"

Is this the expected behavior?


Can you please re-test this?

There are few things with rules going on here:

  1. During parsing of sigma rule, each discovered field is mapped to a new field with mappings defined here: link

  2. After #1, every “.” in field name is replaced with “_”

Is there a chance that some other rule got matched?

BTW I tested query_string query(used by percolator) and it works with both variants of “nested” documents

Yeah, I got your point. But I had checked that no other rule was matched.
Are you sure that it works with nested fields without flattening the doc? Because In my case no finding was generated for the same.

@pdz Is this related to this open issue? Sigma dot conversion disable by petardz · Pull Request #376 · opensearch-project/security-analytics · GitHub Please let me know.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.