[FEATURE] Custom Rule field mappings should be provided while configuring detector #393

Open
jinalp-crest opened this issue Apr 7, 2023 · 2 comments
Labels
enhancement New feature or request good first issue Good for newcomers v2.5.0 2.5.0 release v2.6.0 v2.7.0 v2.8.0

Comments

@jinalp-crest

Is your feature request related to a problem?
Custom Rule Mappings are not provided out-of-the-box while configuring field mappings for the detectors.

While creating detectors, after the selection of log type for a particular detector i.e. Cloudtrail, and configuring all Sigma rules, we are provided with the field mappings screen. In field mappings, on the left-hand side, it gives all fields as per the chosen log category, and on the right-hand side, it gives a list of fields in the ingested index to choose from. But on the selection of custom rules, it does not recognize its fields for the field mappings and hence, we are not able to map custom rule fields properly.

Also, due to the ongoing issue of "." to "_" conversion (#375) in custom rule queries, it does not even match the exact field that we use for the rule specification.

What solution would you like?
Based on the Sigma or custom rules selection, we should be prompted with necessary fields as per the chosen log category, which allows us to map our ingested fields correctly.

What alternatives have you considered?
As fields were not getting mapped automatically, we tried to put alias mappings to the respective index manually. That will map the necessary fields while running detector queries on the index.

Custom rule specification (screenshot)

Custom rule detector query

API Request: (screenshot)

API Response: (screenshot)

{
  "took": 2,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 1,
      "relation": "eq"
    },
    "max_score": 1.605183,
    "hits": [
      {
        "_index": ".opensearch-sap-custom-rules-config",
        "_id": "GUYlVocB-q1Aw1948wE9",
        "_score": 1.605183,
        "_source": {
          "rule": {
            "category": "cloudtrail",
            "title": "custom-assumerole",
            "log_source": "cloudtrail",
            "description": "custom-assumerole",
            "references": [
              {
                "value": ""
              }
            ],
            "tags": [],
            "level": "low",
            "false_positives": [
              {
                "value": ""
              }
            ],
            "author": "jinalp",
            "status": "experimental",
            "last_update_time": "2023-04-06T00:00:00.000Z",
            "queries": [
              {
                "value": """(user_type: "AssumedRole") AND (user_sessionContext_sessionIssuer_type: "Role")"""
              }
            ],
            "query_field_names": [
              {
                "value": "user_sessionContext_sessionIssuer_type"
              },
              {
                "value": "user_type"
              }
            ],
            "aggregationQueries": [],
            "rule": """id: 25b9c01c-350d-4b95-bed1-836d04a4f324
title: custom-assumerole
description: custom-assumerole
status: experimental
author: jinalp
date: 2023/04/06
modified: 2023/04/06
logsource:
  category: cloudtrail
level: low
detection:
  selection:
    user.type: AssumedRole
    user.sessionContext.sessionIssuer.type: Role
  condition: selection
references:
  - ''
falsepositives:
  - ''
"""
          }
        }
      }
    ]
  }
}

Field alias mapping specification on index (screenshot)

After manually mapping the fields, we were able to generate the relevant findings.
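As an added example (not code from this issue or from the security-analytics plugin), the Python below reproduces the workaround described in the post: it pulls the dotted field names out of a rule's `detection.selection` block, applies the same "." to "_" rewrite seen in `query_field_names` above, and emits an index mapping body that aliases each rewritten name back to its dotted path, so the generated detector query finds the ingested field. Assumptions: the dotted rule field names exist as concrete leaf fields in the index, and the rule text is a constructed abridgement of the one in the API response.

```python
import json

# Constructed sample: the detection block of the custom-assumerole rule shown above.
SAMPLE_RULE = """title: custom-assumerole
logsource:
  category: cloudtrail
detection:
  selection:
    user.type: AssumedRole
    user.sessionContext.sessionIssuer.type: Role
  condition: selection
"""

def selection_fields(rule_yaml: str) -> list:
    """Field names used in detection.selection, in order. An indentation scan is
    used instead of a YAML library so the script runs offline without extras."""
    fields, in_detection, in_selection = [], False, False
    for raw in rule_yaml.splitlines():
        stripped = raw.strip()
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            in_detection, in_selection = stripped == "detection:", False
            continue
        if in_detection and indent == 2:
            in_selection = stripped == "selection:"
            continue
        if in_detection and in_selection and indent == 4 and ":" in stripped:
            key = stripped.split(":", 1)[0].strip()
            fields.append(key.split("|", 1)[0])  # drop Sigma modifiers like |contains
    return fields

def query_field_name(dotted: str) -> str:
    """Mirror the '.' -> '_' rewrite the plugin applies when building the detector query."""
    return dotted.replace(".", "_")

def alias_mapping(dotted_fields) -> dict:
    """Mapping body aliasing each rewritten name to its dotted path. Assumption: the
    dotted path is a concrete leaf field in the index; OpenSearch rejects an alias
    whose path does not exist, so check the index mapping first."""
    props = {}
    for dotted in dotted_fields:
        alias = query_field_name(dotted)
        if alias != dotted:  # a name without dots needs no alias
            props[alias] = {"type": "alias", "path": dotted}
    return {"properties": props}

if __name__ == "__main__":
    # Body for: PUT /<index>/_mapping
    print(json.dumps(alias_mapping(selection_fields(SAMPLE_RULE)), indent=2))
```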

@praveensameneni
Member

Looking into the issue

@praveensameneni praveensameneni added the good first issue Good for newcomers label Sep 14, 2023
@amsiglan
Collaborator

This has been fixed for 2.9 and beyond. We will work on backporting the fixes to earlier versions.

riysaxen-amzn pushed a commit to riysaxen-amzn/security-analytics that referenced this issue Feb 20, 2024
* [FEATURE] Add edit detector links into breadcrumbs opensearch-project#393

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Add edit detector links into breadcrumbs opensearch-project#393

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Add edit detector links into breadcrumbs opensearch-project#393

Signed-off-by: Jovan Cvetkovic <[email protected]>

* Unit tests for public components opensearch-project#383
[BUG] Detector Edit | Custom rule are not selected on update rules opensearch-project#406

Signed-off-by: Jovan Cvetkovic <[email protected]>

---------

Signed-off-by: Jovan Cvetkovic <[email protected]>
@github-project-automation github-project-automation bot moved this to Backlog (Feature Requests, Enhancements) in Security Analytics Roadmap Aug 30, 2024