aws-samples / siem-on-amazon-opensearch-service

A solution for collecting, correlating and visualizing multiple types of logs to help investigate security incidents.
MIT No Attribution

Create Detection Rule with Custom Log Type #433

Closed khairulhabibataws closed 7 months ago

khairulhabibataws commented 7 months ago

We have issues creating a detection rule from Security Analytics -> Detection rules -> Create detection rule when using a log type other than the provided ones (Sigma). The issues are:

  1. The log type changes to its ID, for example: a CrowdStrike log will appear as "Mf A Dq 40 B xxxx xxx"
  2. When saving, there is an error saying: [security_analytics_exception] Invalid rule category "mfadq40bhfu3-v6xlgmp"

How to recreate:

  1. Go to Security Analytics, Detectors, Log types, and create a log type
  2. Use the newly created log type to create a detection rule
  3. The error occurs
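
The same reproduction driven through the Security Analytics REST API instead of the Dashboards UI, with a cluster-version gate in front of it. This is an added example, not code from the issue or from the siem-on-amazon-opensearch-service project. The endpoint paths (`_plugins/_security_analytics/logtype`, `_plugins/_security_analytics/rules?category=...`), the payload shapes and the error-response layout are assumptions taken from the OpenSearch Security Analytics API documentation; the host, credentials, the log type name `crowdstrike_fdr` and the Sigma field/value are placeholders.

```python
# Added example for issue #433; not code from the issue or the SIEM project.
# Endpoints, payload shapes and the error format are assumptions based on the
# OpenSearch Security Analytics REST API docs. Host, credentials, log type
# name and the Sigma selection are placeholders.
import base64
import json
import re
import ssl
import urllib.error
import urllib.request

OPENSEARCH = "https://localhost:9200"   # placeholder endpoint
USER, PASSWORD = "admin", "admin"        # placeholder credentials
MIN_VERSION = (2, 11)                    # version the reporter upgraded to

def parse_version(number: str) -> tuple:
    """'2.9.0' -> (2, 9, 0). Compare as integers: as strings '2.9' sorts above '2.11'."""
    return tuple(int(p) for p in number.split(".")[:3])

def meets_min_version(root_response: dict, minimum: tuple = MIN_VERSION) -> bool:
    """Check the `version.number` field of GET / against the required major.minor."""
    return parse_version(root_response["version"]["number"])[:2] >= minimum

def logtype_payload(name: str, description: str) -> dict:
    """Body for POST _plugins/_security_analytics/logtype (assumed shape)."""
    return {"name": name, "description": description, "source": "Custom", "tags": None}

def sigma_rule(title: str, product: str, field: str, value: str, level: str = "high") -> str:
    """Minimal Sigma rule; logsource.product is set to the custom log type name."""
    return (
        f"title: {title}\n"
        f"logsource:\n  product: {product}\n"
        f"detection:\n  selection:\n    {field}: '{value}'\n  condition: selection\n"
        f"level: {level}\n"
    )

def rule_payload(title: str, product: str, field: str, value: str) -> dict:
    """Body for POST _plugins/_security_analytics/rules?category=<log type> (assumed shape)."""
    return {"rule": sigma_rule(title, product, field, value)}

def invalid_category_from(error_body: dict):
    """Return the category named in a security_analytics_exception
    'Invalid rule category "..."' response, or None for any other error."""
    err = error_body.get("error", {})
    if err.get("type") != "security_analytics_exception":
        return None
    m = re.search(r'Invalid rule category "([^"]+)"', err.get("reason", ""))
    return m.group(1) if m else None

def looks_like_generated_id(category: str, requested: str) -> bool:
    """The reporter's symptom: the category echoed back is an opaque ID (a 16+ char
    token of [A-Za-z0-9_-]) rather than the log type name that was submitted."""
    return category != requested and re.fullmatch(r"[A-Za-z0-9_-]{16,}", category) is not None

def request(method: str, path: str, body=None, params: str = ""):
    """Send one JSON request with basic auth; returns (status, decoded body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{OPENSEARCH}{path}{params}", data=data, method=method)
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # lab cluster with a self-signed cert only;
    ctx.verify_mode = ssl.CERT_NONE      # never disable verification against a real domain
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")

def reproduce(logtype_name: str = "crowdstrike_fdr"):
    """Version gate, create the custom log type, then create a rule in that category."""
    _, root = request("GET", "/")
    if not meets_min_version(root):
        print(f"cluster is {root['version']['number']}; the reporter needed >= 2.11")
    status, body = request("POST", "/_plugins/_security_analytics/logtype",
                           logtype_payload(logtype_name, "CrowdStrike FDR events"))
    print("create log type:", status, body)
    status, body = request("POST", "/_plugins/_security_analytics/rules",
                           rule_payload("Placeholder rule", logtype_name,
                                        "event_simpleName", "ProcessRollup2"),
                           params=f"?category={logtype_name}")
    bad = invalid_category_from(body) if status >= 400 else None
    if bad and looks_like_generated_id(bad, logtype_name):
        print(f"#433 symptom: category came back as ID {bad!r}, not {logtype_name!r}")
    return status, body

if __name__ == "__main__":
    reproduce()
```

The version check is deliberately numeric: comparing `"2.9.0" < "2.11.0"` as strings gives the wrong answer, which matters when the fix is "upgrade to 2.11". The `looks_like_generated_id` check distinguishes this report's failure (the log type's document ID leaking into the rule category) from an ordinary typo in the category name.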
khairulhabibataws commented 7 months ago

We managed to solve the issue by upgrading the Amazon OpenSearch version to 2.11.