opensearch-project / security-analytics

Security Analytics enables users to detect security threats in their security event log data. It also allows them to modify or tailor the pre-packaged solution.
Apache License 2.0

[FEATURE] Enrichment of events with other datasets stored in opensearch #414

Open jimmyjones2 opened 1 year ago

jimmyjones2 commented 1 year ago

Is your feature request related to a problem? Some events I receive are not useful until they have been enriched with other data - for example, enriching IP addresses with corporate inventory details, public datasets such as WHOIS, known scanners, proxies, etc.

What solution would you like? A way of enriching events as they are ingested with other datasets.

What alternatives have you considered?

Do you have any additional context? See comments in #2 and these forum threads:

- https://forum.opensearch.org/t/feature-request-enrich-processor/2108
- https://forum.opensearch.org/t/enrich-processor/7597
- https://forum.opensearch.org/t/alternative-for-enrich-processor/11201
- https://forum.opensearch.org/t/ingest-pipelines-support/7716

praveensameneni commented 1 year ago

We will add to our backlog

sandervandegeijn commented 1 year ago

I'm looking at the same problem, wanting to enrich the raw mapped data with data from our CMDB (i.e. so we can pinpoint problems to a user). The question is whether this should be part of the Security Analytics plugin; there are also ingestion pipelines in OpenSearch which could do this.

Elasticsearch has the enrich processor; I suspect OpenSearch supports it in some way, but the docs are very thin on this point.

sandervandegeijn commented 1 year ago

Implemented this using memcached and logstash with the memcached filter.
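The enrichment step requested in the opening post (look an event's IP up in a corporate inventory and a known-scanner list and attach the result) and the key-value lookup approach in the comment above can be shown in a few lines. The example below is an added illustration and is not code from the security-analytics project, from Logstash, or from the commenters; the in-memory list stands in for the memcached store, the inventory rows and scanner addresses are constructed sample data, and the `source_ip` field name and the `enrichment_status` values are assumptions. It also covers the two cases a practitioner has to decide on: an event with no IP at all, and an IP that is well-formed but matches nothing.

```python
import ipaddress

# Constructed sample datasets (not from the issue thread). In the memcached-based
# setup described above these would be loaded into the cache before ingest; here
# they are plain Python structures so the example runs offline.
INVENTORY = [
    {"cidr": "10.0.1.0/24", "owner": "finance", "site": "dc1"},
    {"cidr": "10.0.2.0/24", "owner": "engineering", "site": "dc2"},
    {"cidr": "10.0.0.0/8", "owner": "corp-default", "site": "unknown"},  # catch-all
]
KNOWN_SCANNERS = {"198.51.100.7", "203.0.113.9"}  # documentation-range addresses


def build_lookup(inventory):
    """Parse CIDR rows once and order them most-specific first, so a /24 wins over the /8."""
    nets = [(ipaddress.ip_network(row["cidr"]), row) for row in inventory]
    nets.sort(key=lambda pair: pair[0].prefixlen, reverse=True)
    return nets


def lookup_asset(lookup, ip_str):
    """Return the inventory row (minus the cidr key) for an IP, or None if unknown/invalid."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return None  # malformed field: treat as unknown rather than crashing ingest
    for net, row in lookup:
        if addr in net:
            return {k: v for k, v in row.items() if k != "cidr"}
    return None


def enrich_event(event, lookup, scanners, ip_field="source_ip"):
    """Return a copy of the event with asset and scanner context attached.

    The original fields are never modified; enrichment_status records why a
    lookup produced nothing so the gap is visible in the index instead of silent.
    """
    enriched = dict(event)
    ip = event.get(ip_field)
    if ip is None:
        enriched["enrichment_status"] = "no_ip"
        return enriched
    asset = lookup_asset(lookup, ip)
    if asset is not None:
        enriched["asset"] = asset
    enriched["known_scanner"] = ip in scanners
    enriched["enrichment_status"] = "ok" if asset is not None else "unknown_host"
    return enriched


def enrich_batch(events, inventory=INVENTORY, scanners=KNOWN_SCANNERS):
    """Enrich a list of events with one shared, pre-built lookup table."""
    lookup = build_lookup(inventory)
    return [enrich_event(e, lookup, scanners) for e in events]


if __name__ == "__main__":
    # Constructed sample events standing in for raw mapped log records.
    sample = [
        {"source_ip": "10.0.1.25", "action": "login"},
        {"source_ip": "198.51.100.7", "action": "port_scan"},
        {"action": "heartbeat"},
    ]
    for record in enrich_batch(sample):
        print(record)
```

Ordering the lookup most-specific first is what makes the catch-all /8 row safe to keep in the inventory; without it a host in 10.0.1.0/24 could be attributed to "corp-default" depending on list order.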