Hello folks,
I’m a beginner with OpenSearch and Security Analytics, so please excuse me if these are basic questions:
- Is it possible to create a new log category for the Security Analytics plugin out of the box (OOTB), or would this require forking the project?
- If it is possible OOTB, could someone point me to the documentation or any guidance on how to do this?
- My use case is to ingest Oracle Cloud Infrastructure (OCI) events (Audit and Networking/Firewall) for correlation. These are JSON-formatted events following what Oracle refers to as “CNCF-style” schemas (e.g., flat JSON with consistent field names), and as far as I know, they don’t match any of the existing categories.
- Whether it’s OOTB or via forking: is there any known resource or mapping that would help normalize Oracle event fields to reuse existing security rules? Or would we need to build all new detection content for these logs from scratch?
Thanks in advance for any insights!
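An added illustration of the normalization step the question asks about (this is not part of the original post, and not OpenSearch or Oracle code): flatten an OCI Audit record shaped like a CloudEvents envelope into dotted keys, rename the handful of keys a rule would need to ECS-style names, keep everything else under an `oci.` prefix so nothing is lost, and then evaluate a Sigma-style selection against the result. The sample event, the OCI field names used, the `FIELD_MAP` target names and the `selection_matches` helper are all assumptions made for this example; whatever log type the events are registered under, this is the shape of the mapping that lets existing rule content fire on them.

```python
"""Normalize a constructed OCI Audit (CloudEvents-style) record for rule reuse.

Added example, not code from the original post, OpenSearch or Oracle.
Field names on both sides of FIELD_MAP are assumptions for illustration.
"""
import json
from typing import Any, Dict, List, Union

# Constructed sample, laid out like an OCI Audit event (assumed field names).
SAMPLE_OCI_AUDIT_EVENT = json.dumps({
    "cloudEventsVersion": "0.1",
    "eventType": "com.oraclecloud.identitycontrolplane.createuser",
    "eventTypeVersion": "2.0",
    "source": "IdentityControlPlane",
    "eventId": "00000000-0000-4000-8000-000000000001",
    "eventTime": "2024-05-01T12:00:00.000Z",
    "contentType": "application/json",
    "data": {
        "eventName": "CreateUser",
        "compartmentId": "ocid1.compartment.oc1..example",
        "resourceName": "svc-backup",
        "identity": {
            "principalName": "alice@example.com",
            "ipAddress": "203.0.113.10",
            "userAgent": "OCI-SDK/1.0",
            "authType": "natv",
        },
        "request": {"action": "POST", "path": "/20160918/users"},
        "response": {"status": "200"},
    },
})

# Assumed mapping: flattened OCI key -> ECS-style name a rule would reference.
FIELD_MAP: Dict[str, str] = {
    "eventTime": "@timestamp",
    "eventType": "event.provider_event_type",
    "data.eventName": "event.action",
    "data.identity.principalName": "user.name",
    "data.identity.ipAddress": "source.ip",
    "data.identity.userAgent": "user_agent.original",
    "data.request.action": "http.request.method",
    "data.request.path": "url.path",
    "data.response.status": "http.response.status_code",
}


def flatten(obj: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Collapse nested objects into dotted keys (lists are kept as values)."""
    flat: Dict[str, Any] = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def normalize(raw_json: str, field_map: Dict[str, str] = FIELD_MAP,
              keep_unmapped: bool = True) -> Dict[str, Any]:
    """Rename mapped keys; park unmapped keys under 'oci.' so nothing is dropped."""
    normalized: Dict[str, Any] = {}
    for key, value in flatten(json.loads(raw_json)).items():
        target = field_map.get(key)
        if target:
            normalized[target] = value
        elif keep_unmapped:
            normalized["oci." + key] = value
    return normalized


def selection_matches(event: Dict[str, Any],
                      selection: Dict[str, Union[str, List[str]]]) -> bool:
    """Sigma-style selection: every field must be present and equal one of the
    listed values (a list means OR, multiple fields mean AND)."""
    for field, expected in selection.items():
        if field not in event:
            return False
        allowed = expected if isinstance(expected, list) else [expected]
        if event[field] not in allowed:
            return False
    return True


if __name__ == "__main__":
    evt = normalize(SAMPLE_OCI_AUDIT_EVENT)
    print(json.dumps(evt, indent=2))
    # A hypothetical rule: successful user creation via the API, not the console.
    print(selection_matches(evt, {"event.action": "CreateUser",
                                  "http.response.status_code": ["200", "201"]}))
```

The `keep_unmapped` default is deliberate: fields that no current rule references (compartment, auth type, resource name) still land in the index, so a later rule or a correlation query can use them without re-ingesting the history.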