Security Analytics enables users to detect security threats in their security event log data. It also lets them modify and tailor the pre-packaged solution.
Apache License 2.0
[FEATURE] Threat Intelligence scanners can't use index patterns? #1417
I am ingesting VPC Flowlogs into my OpenSearch domain. I even made sure to use a copy_values processor in my Data Prepper pipeline to copy the source IP, destination IP, and timestamp into an ECS format:
```yaml
- copy_values:
    entries:
      - from_key: srcaddr
        to_key: source.ip
      - from_key: dstaddr
        to_key: destination.ip
      - from_key: "@timestamp"
        to_key: timestamp
```
But even after doing this it is not compatible with Threat Intelligence.
When I try to make a general detector, no field mappings pop up, period:
And nothing populates for Threat Intelligence either:
I do not know if this is a problem caused by me or if it just doesn't work.
EDIT:
For the Threat Intelligence scanner, I can do it by individual indices but not for an index pattern? Why is this? Is there any way I can select an index pattern?
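When the field-mapping step of a detector shows nothing for an index, the first thing to verify is what the index mapping actually contains for the ECS fields the copy_values processor was meant to create. The script below is an added diagnostic, not part of this issue or of the Security Analytics plugin: it walks a mapping document in the shape of an OpenSearch `GET <index>/_mapping` response and reports the mapped type of `source.ip`, `destination.ip` and `timestamp`, flagging fields that are absent or that dynamic mapping turned into `text` (which is what OpenSearch does with an unmapped string, rather than giving it the `ip` type). The index name and mapping are a constructed sample; the same functions can be fed the JSON returned by a real `_mapping` call.

```python
"""Inspect an OpenSearch index mapping for the ECS fields a Data Prepper
copy_values processor is expected to produce (source.ip, destination.ip,
timestamp). The mapping below is a constructed sample in the shape of a
GET <index>/_mapping response; it is not taken from the issue."""
import json

# Constructed sample: one VPC flow log index in which source.ip was created
# by dynamic mapping (string -> text/keyword) while destination.ip is an ip.
SAMPLE_MAPPING_RESPONSE = json.loads("""
{
  "vpc-flowlogs-000001": {
    "mappings": {
      "properties": {
        "srcaddr": {"type": "keyword"},
        "dstaddr": {"type": "keyword"},
        "@timestamp": {"type": "date"},
        "source": {"properties": {"ip": {"type": "text",
                   "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}}}},
        "destination": {"properties": {"ip": {"type": "ip"}}},
        "timestamp": {"type": "date"}
      }
    }
  }
}
""")

# ECS field names the copy_values entries in the issue write to.
ECS_FIELDS = ("source.ip", "destination.ip", "timestamp")


def field_type(properties, dotted_path):
    """Walk a mappings 'properties' tree along a dotted path and return the
    leaf field's type, or None when any path segment is missing."""
    node = {"properties": properties}
    for segment in dotted_path.split("."):
        node = node.get("properties", {}).get(segment)
        if node is None:
            return None
    return node.get("type")


def check_ecs_fields(mapping_response, wanted=ECS_FIELDS):
    """Return {index: {field: type-or-None}} for every index in the response."""
    report = {}
    for index_name, body in mapping_response.items():
        props = body.get("mappings", {}).get("properties", {})
        report[index_name] = {f: field_type(props, f) for f in wanted}
    return report


def missing_or_untyped(report):
    """List (index, field, type) triples where the field is absent or was
    dynamically mapped as text instead of a dedicated ip/date type."""
    problems = []
    for index_name, fields in report.items():
        for field, ftype in fields.items():
            if ftype is None or ftype == "text":
                problems.append((index_name, field, ftype))
    return problems


if __name__ == "__main__":
    rep = check_ecs_fields(SAMPLE_MAPPING_RESPONSE)
    print(json.dumps(rep, indent=2))
    for idx, fld, t in missing_or_untyped(rep):
        print(f"{idx}: {fld} -> {t!r}")
```

Run against a real response, a row for `source.ip` that reads `text` or `None` tells you the copy was either not indexed as intended or was indexed without an explicit `ip` mapping, which narrows the problem to the index template before looking at the detector or threat-intel configuration.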