Update field mapping documentation for Security Analytics #2422
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: cwillum <[email protected]>
cwillum
added
1 - Backlog
|
I created this PR to address the requirement for 1.2 in issue #2400 (the other updates to docs are complete). I need to speak with an SME to understand the purpose of these mappings and get more context. @AWSHurneyt appears to be out today. The 2.5 release is slated for 1/19/23. If I can't find another SME for explanation, we can handle this update after the release. |
Signed-off-by: cwillum <[email protected]>
petardz
reviewed
Jan 19, 2023
| @@ -36,11 +36,12 @@ Defining a new detector involves naming the detector, selecting a data source an | |||
|
|
|||
| ## Step 2. Make field mappings | |||
|
|
|||
| Field mapping matches field names for the rule with field names from the log being used to provide data. The mappings are automatically applied once the detector is defined in previous steps. This page offers the user the option to map log-specific field names to the internal rule field names. | |||
| The field mapping step matches field names for the rule with field names for the log index being used to provide data. Correctly mapping the log field names with rule field names allows the system to accurately convey event data from the log to the detector and then use the data for triggering alerts. | |||
There was a problem hiding this comment.
nit: field names from the rules with field names from the log
Naarcha-AWS
added
2 - In progress
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
cwillum
added
3 - Tech review
|
@AWSHurneyt @Naarcha-AWS |
alicejw1
reviewed
Jan 20, 2023
| {: .tip } | ||
|
|
||
| 1. In the **Detector schedule** section, set how often the detector will run. Specify a unit of time and a corresponding number to set the interval. | ||
| 1. Select the **Next** button in the lower-right corner of the screen to continue. The Configure field mapping page appears. | ||
|
|
||
| ## Step 2. Make field mappings | ||
|
|
||
| Field mapping matches field names for the rule with field names from the log being used to provide data. The mappings are automatically applied once the detector is defined in previous steps. This page offers the user the option to map log-specific field names to the internal rule field names. | ||
| The field mapping step matches field names from the rule with field names from the log index being used to provide data. Correctly mapping the log field names with rule field names allows the system to accurately convey event data from the log to the detector and then use the data for triggering alerts. |
There was a problem hiding this comment.
suggestion:
To trigger alerts, the log event data needs to be mapped to the detector. The field mapping step maps the log field names from the index that provides the data with the rule field names to set up detectors to trigger alerts.
There was a problem hiding this comment.
Agree with Alice. I would just change the second sentence to "Creating field mappings maps the log field names..."
alicejw1
reviewed
Jan 20, 2023
| Once you navigate to the Configure field mapping page, the system attempts to automatically map fields between the two sources. Those field names that are not automatically mapped appear in the **Pending field mapping** table. In this table you can manually map rule fields to log fields. | ||
| <br><img src="{{site.url}}{{site.baseurl}}/images/Security/pending-mappings.png" alt="Field mapping example for pending mappings" width="900"> | ||
|
|
||
| This process requires that the user or administrator have some familiarity with the field names in the log index and an understanding of the data contained in those fields. Rule fields are named to promote their standardization and normalize them in the industry, and the names themselves are typically self explanatory. If a user has an understanding of the log data contained in a particular log field, the mapping is typically a simple and straightforward process. |
There was a problem hiding this comment.
maybe change "the user" to "you" ?
"If you have an understanding . . . "
There was a problem hiding this comment.
Agree with Alice. Also,
This process requires you to have some familiarity...
Also, not sure what "promote their standardization and normalize them in the industry" means in this context. Can we say "Rule fields are named according to industry standards"?
There was a problem hiding this comment.
Good suggestions. Thanks.
AWSHurneyt
approved these changes
Jan 20, 2023
kolchfa-aws
approved these changes
Jan 20, 2023
| @@ -28,21 +28,41 @@ Defining a new detector involves naming the detector, selecting a data source an | |||
| * Use the **Log type**, **Rule severity**, and **Source** dropdown menus to filter the rules you want to select from. | |||
| * Use the **Search** bar to search for specific rules. | |||
|
|
|||
| To quickly select one or more known rules and dismiss others, first deselect all rules by moving the **rule name** toggle to the left, then search for your target rule names and select each individually by moving its toggle to the right. | |||
| To quickly select one or more known rules and dismiss others, first deselect all rules by moving the **Rule name** toggle to the left, then search for your target rule names and select each individually by moving its toggle to the right. | |||
| {: .tip } | |||
|
|
|||
| 1. In the **Detector schedule** section, set how often the detector will run. Specify a unit of time and a corresponding number to set the interval. | |||
| 1. Select the **Next** button in the lower-right corner of the screen to continue. The Configure field mapping page appears. | |||
|
|
|||
| ## Step 2. Make field mappings | |||
There was a problem hiding this comment.
Maybe "Create field mappings"?
There was a problem hiding this comment.
oh and remember our style change to use gerunds for all section headings? So could be
"Creating field mappings" then
There was a problem hiding this comment.
I think it's ok without gerunds because it says "step 2".
There was a problem hiding this comment.
Agree with Fanit: we are standardizing gerunds are for the TOC/nav pane.
There was a problem hiding this comment.
thanks: create field mappings. and, yes, imperative voice for instruction: do this, do that.
| {: .tip } | ||
|
|
||
| 1. In the **Detector schedule** section, set how often the detector will run. Specify a unit of time and a corresponding number to set the interval. | ||
| 1. Select the **Next** button in the lower-right corner of the screen to continue. The Configure field mapping page appears. | ||
|
|
||
| ## Step 2. Make field mappings | ||
|
|
||
| Field mapping matches field names for the rule with field names from the log being used to provide data. The mappings are automatically applied once the detector is defined in previous steps. This page offers the user the option to map log-specific field names to the internal rule field names. | ||
| The field mapping step matches field names from the rule with field names from the log index being used to provide data. Correctly mapping the log field names with rule field names allows the system to accurately convey event data from the log to the detector and then use the data for triggering alerts. |
There was a problem hiding this comment.
Agree with Alice. I would just change the second sentence to "Creating field mappings maps the log field names..."
| Once you navigate to the Configure field mapping page, the system attempts to automatically map fields between the two sources. Those field names that are not automatically mapped appear in the **Pending field mapping** table. In this table you can manually map rule fields to log fields. | ||
| <br><img src="{{site.url}}{{site.baseurl}}/images/Security/pending-mappings.png" alt="Field mapping example for pending mappings" width="900"> | ||
|
|
||
| This process requires that the user or administrator have some familiarity with the field names in the log index and an understanding of the data contained in those fields. Rule fields are named to promote their standardization and normalize them in the industry, and the names themselves are typically self explanatory. If a user has an understanding of the log data contained in a particular log field, the mapping is typically a simple and straightforward process. |
There was a problem hiding this comment.
Agree with Alice. Also,
This process requires you to have some familiarity...
Also, not sure what "promote their standardization and normalize them in the industry" means in this context. Can we say "Rule fields are named according to industry standards"?
| {: .note } | ||
|
|
||
| * The Rule field name column lists field names based on the selected log type and the rules that have been assigned to the detector. | ||
| * The log field name column includes a dropdown menu for each of the rule fields. Each dropdown menu contains a list of field names extracted from the log index. |
There was a problem hiding this comment.
Our style guide says "dropdown list"
Suggested change
| * The log field name column includes a dropdown menu for each of the rule fields. Each dropdown menu contains a list of field names extracted from the log index. | |
| * The log field name column includes a dropdown list for each of the rule fields. Each dropdown list contains a list of field names extracted from the log index. |
|
|
||
| * The Rule field name column lists field names based on the selected log type and the rules that have been assigned to the detector. | ||
| * The log field name column includes a dropdown menu for each of the rule fields. Each dropdown menu contains a list of field names extracted from the log index. | ||
| * Use the dropdown arrow to open the list of log fields and select the log field name that corresponds to the rule field name directly to the left in the Rule field name column. You can enter text in the **Select a mapping field** box at the top of the menu to search for names in the log field list. |
There was a problem hiding this comment.
To map a rule field name to a log field name, use the dropdown arrow to open the list of log fields and select the log field name from the list. To search for names in the log field list, enter text in the Select a mapping field box.
| * The log field name column includes a dropdown menu for each of the rule fields. Each dropdown menu contains a list of field names extracted from the log index. | ||
| * Use the dropdown arrow to open the list of log fields and select the log field name that corresponds to the rule field name directly to the left in the Rule field name column. You can enter text in the **Select a mapping field** box at the top of the menu to search for names in the log field list. | ||
| <br><img src="{{site.url}}{{site.baseurl}}/images/Security/log-field.png" alt="Field mapping example for pending mappings" width="600"> | ||
| * Once the log field name is selected and mapped to the rule field name, the icon in the Status colum to the right changes to a green check mark. |
There was a problem hiding this comment.
Suggested change
| * Once the log field name is selected and mapped to the rule field name, the icon in the Status colum to the right changes to a green check mark. | |
| * Once the log field name is selected and mapped to the rule field name, the icon in the Status column to the right changes to a green check mark. |
| The **Default mapped fields** table contains mappings that the system made automatically after defining the detector. As shown in the image that follows, when the field names are similar to one another the system can successfully match the two. | ||
| <br><img src="{{site.url}}{{site.baseurl}}/images/Security/default-mappings.png" alt="Field mapping example for pending mappings" width="900"> | ||
|
|
||
| Nevertheless, it's a good idea to review the mappings and verify that they are matched as expected and correct. If you find a mapping that doesn't appear to be accurate, you can use the dropdown menu as described in the **Pending field mappings** section above to correct the field mapping. |
There was a problem hiding this comment.
Suggested change
| Nevertheless, it's a good idea to review the mappings and verify that they are matched as expected and correct. If you find a mapping that doesn't appear to be accurate, you can use the dropdown menu as described in the **Pending field mappings** section above to correct the field mapping. | |
| Nevertheless, it's a good idea to review the mappings and verify that they are correct and matched as expected. If you find a mapping that doesn't appear to be accurate, you can use the dropdown list as described in the [Pending field mappings](#pending-field-mappings) section to correct the field mapping. |
|
|
||
| Nevertheless, it's a good idea to review the mappings and verify that they are matched as expected and correct. If you find a mapping that doesn't appear to be accurate, you can use the dropdown menu as described in the **Pending field mappings** section above to correct the field mapping. | ||
|
|
||
| After completing the mappings, select the **Next** button in the lower-right corner of the screen. The Set up alerts page appears and displays settings for an alert trigger. |
There was a problem hiding this comment.
Suggested change
| After completing the mappings, select the **Next** button in the lower-right corner of the screen. The Set up alerts page appears and displays settings for an alert trigger. | |
| After completing the mappings, select the **Next** button in the lower-right corner of the screen. The **Set up alerts** page appears and displays settings for an alert trigger. |
There was a problem hiding this comment.
OK, but we need to have a team talk on what we bold face in docs.
There was a problem hiding this comment.
I say bold all UI elements
petardz
reviewed
Jan 20, 2023
| This process requires that the user or administrator have some familiarity with the field names in the log index and an understanding of the data contained in those fields. Rule fields are named to promote their standardization and normalize them in the industry, and the names themselves are typically self explanatory. If a user has an understanding of the log data contained in a particular log field, the mapping is typically a simple and straightforward process. | ||
| {: .note } | ||
|
|
||
| * The Rule field name column lists field names based on the selected log type and the rules that have been assigned to the detector. |
There was a problem hiding this comment.
To be 100% factually correct here: these rule fields are coming from ALL pre-packaged rules of selected log type/category (rule category == log type)
There was a problem hiding this comment.
Changed to:
"The Rule field name column lists field names based on all of the pre-packaged rules associated with the selected log type."
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
AWSHurneyt
approved these changes
Jan 20, 2023
Signed-off-by: cwillum <[email protected]>
cwillum
added
5 - Editorial review
natebower
reviewed
Jan 23, 2023
|
|
||
| Field mapping matches field names for the rule with field names from the log being used to provide data. The mappings are automatically applied once the detector is defined in previous steps. This page offers the user the option to map log-specific field names to the internal rule field names. | ||
| The field mapping step matches field names from the rule with field names from the log index being used to provide data. Creating field mappings allows the system to accurately convey event data from the log to the detector and then use the data for triggering alerts. |
There was a problem hiding this comment.
Suggested change
| The field mapping step matches field names from the rule with field names from the log index being used to provide data. Creating field mappings allows the system to accurately convey event data from the log to the detector and then use the data for triggering alerts. | |
| The field mapping step matches field names from the rule with field names from the log index being used to provide data. Creating field mappings allows the system to accurately convey event data from the log to the detector and then use the data to trigger alerts. |
| * The Rule field name column lists field names based on all of the pre-packaged rules associated with the selected log type. | ||
| * The log field name column includes a dropdown list for each of the rule fields. Each dropdown list contains field names extracted from the log index. | ||
| * To map a rule field name to a log field name, use the dropdown arrow to open the list of log fields and select the log field name from the list. To search for names in the log field list, enter text in the **Select a mapping field** box. | ||
| <br><img src="{{site.url}}{{site.baseurl}}/images/Security/log-field.png" alt="Field mapping example for pending mappings" width="600"> |
There was a problem hiding this comment.
Reference the image in the text that precedes it. ", as shown in the following image." usually works.
| Once you navigate to the Configure field mapping page, the system attempts to automatically map fields between the two sources. Those field names that are not automatically mapped appear in the **Pending field mapping** table. In this table you can manually map rule fields to log fields. | ||
| <br><img src="{{site.url}}{{site.baseurl}}/images/Security/pending-mappings.png" alt="Field mapping example for pending mappings" width="900"> | ||
|
|
||
| * The Rule field name column lists field names based on all of the pre-packaged rules associated with the selected log type. |
There was a problem hiding this comment.
The bulleted list should ideally be introduced by a brief sentence ending in a colon.
There was a problem hiding this comment.
Added ...
"While mapping fields, consider the following:"
| The **Default mapped fields** table contains mappings that the system made automatically after defining the detector. As shown in the image that follows, when the field names are similar to one another the system can successfully match the two. | ||
| <br><img src="{{site.url}}{{site.baseurl}}/images/Security/default-mappings.png" alt="Field mapping example for pending mappings" width="900"> | ||
|
|
||
| Nevertheless, it's a good idea to review the mappings and verify that they are correct and matched as expected. If you find a mapping that doesn't appear to be accurate, you can use the dropdown list as described in the [Pending field mappings](#pending-field-mappings) section above to correct the field mapping. |
There was a problem hiding this comment.
Suggested change
| Nevertheless, it's a good idea to review the mappings and verify that they are correct and matched as expected. If you find a mapping that doesn't appear to be accurate, you can use the dropdown list as described in the [Pending field mappings](#pending-field-mappings) section above to correct the field mapping. | |
| Nevertheless, it's a good idea to review the mappings and verify that they are correct and matched as expected. If you find a mapping that doesn't appear to be accurate, you can use the dropdown list as described in the [Pending field mappings](#pending-field-mappings) section to correct the field mapping. |
There was a problem hiding this comment.
Can we use something simpler than "Nevertheless"? It may not be understood by Global English speakers.
There was a problem hiding this comment.
I added this ...
"Although these automatic matches are normally dependable, it's still a good idea to review the mappings ..."
…ch-project/documentation-website into fix#2400-field-mappings Resolves merge conflict without fast forward.
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
cwillum
commented
Jan 23, 2023
| Once you navigate to the Configure field mapping page, the system attempts to automatically map fields between the two sources. Those field names that are not automatically mapped appear in the **Pending field mapping** table. In this table you can manually map rule fields to log fields. | ||
| <br><img src="{{site.url}}{{site.baseurl}}/images/Security/pending-mappings.png" alt="Field mapping example for pending mappings" width="900"> | ||
|
|
||
| * The Rule field name column lists field names based on all of the pre-packaged rules associated with the selected log type. |
There was a problem hiding this comment.
Added ...
"While mapping fields, consider the following:"
| The **Default mapped fields** table contains mappings that the system made automatically after defining the detector. As shown in the image that follows, when the field names are similar to one another the system can successfully match the two. | ||
| <br><img src="{{site.url}}{{site.baseurl}}/images/Security/default-mappings.png" alt="Field mapping example for pending mappings" width="900"> | ||
|
|
||
| Nevertheless, it's a good idea to review the mappings and verify that they are correct and matched as expected. If you find a mapping that doesn't appear to be accurate, you can use the dropdown list as described in the [Pending field mappings](#pending-field-mappings) section above to correct the field mapping. |
There was a problem hiding this comment.
I added this ...
"Although these automatic matches are normally dependable, it's still a good idea to review the mappings ..."
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
4 tasks
cwillum
added
the
release-notes
vagimeli
pushed a commit
that referenced
this pull request
Jan 25, 2023
* fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> Signed-off-by: cwillum <[email protected]>
vagimeli
added a commit
that referenced
this pull request
Jan 26, 2023
)" This reverts commit e58ad65.
vagimeli
pushed a commit
that referenced
this pull request
Jan 27, 2023
* fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> * fix#2400-field-mappings Signed-off-by: cwillum <[email protected]> Signed-off-by: cwillum <[email protected]>
vagimeli
added a commit
that referenced
this pull request
Jan 30, 2023
)" This reverts commit 3955777.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: cwillum [email protected]
Description
Field mappings steps for detection creation have been separated into two tables: pending and default field mappings. This needs to be updated in documentation and the functionality of this step needs to be updated and clarified in general.
Issues Resolved
This update better clarifies the purpose of this step and the configuration of field mappings. This also updates the documentation to cover the two types of fields: pending and default.
Checklist
For more information on following Developer Certificate of Origin and signing off your commits, please check here.