opensearch-project / security-analytics

Security Analytics enables users to detect security threats in their security event log data. It also allows them to modify and tailor the pre-packaged solution.
Apache License 2.0

[FEATURE] Custom Field Visualization Enhancement in Security Analytics for OpenSearch #829

Open ghost opened 5 months ago

ghost commented 5 months ago

Is your feature request related to a problem?

Yes, the current limitation I'm facing involves the "Security Analytics" functionality within OpenSearch. My main issue is the inability to visualize custom field values alongside the findings and alert count that result from detection rules and search identifiers. This is particularly problematic when attempting to analyze and understand the distribution and frequency of specific custom fields (e.g., "hostname", or any other custom field that users might want to track) in detected security events. The absence of this feature makes it difficult to gain a comprehensive view of how different elements contribute to the security landscape.

What solution would you like?

I propose an enhancement to the Security Analytics feature that allows users to specify one or more custom fields for visualization in the analytics dashboard. This would enable the creation of customizable visualizations (graphs, charts, tables, etc.) that reflect the frequency and distribution of these selected field values within the security findings. For example, if a user is tracking detections based on the "hostname" field, they could easily visualize which hosts are most frequently involved in security alerts. This capability should be flexible enough to accommodate any field specified by the user, providing a tailored analytics experience.

What alternatives have you considered?

An alternative method involves manually extracting the data and using third-party tools to visualize these specific field values. However, this workaround is inefficient, disrupting the workflow and negating the integrated analytics experience that OpenSearch aims to offer. Directly incorporating this visualization feature within OpenSearch would eliminate the need for external tools and significantly streamline the analysis process.

Do you have any additional context?

Adding this feature would greatly enhance the functionality and user experience of OpenSearch's Security Analytics. It would allow for a more nuanced analysis of security data, enabling users to quickly visualize and understand the role of specific fields in their security landscape. This improvement would make OpenSearch a more powerful and versatile tool for security analysts, allowing for more detailed and customizable analytics directly within the platform.

This request is about broadening the analytical capabilities of OpenSearch to include more detailed, user-defined data visualization options, thus empowering users to gain deeper insights into their security data and more effectively manage and mitigate potential threats.
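The workaround described above (pull the findings out and count a chosen field elsewhere), as an added example that is not part of the original issue or of the security-analytics project's code. It assumes that each finding carries a `related_doc_ids` list naming the source log documents that matched the rule (that is the findings shape as understood by the editor; check it against your OpenSearch version), that the source documents can be fetched by ID, and that the findings and log documents embedded below are constructed sample data. It also builds the equivalent OpenSearch terms aggregation so the same distribution can be computed server-side.

```python
"""Per-field distribution of Security Analytics findings (added example).

Two ways to answer "which hosts show up most often in findings?":
  1. client-side: join findings -> referenced log documents -> field value,
     counting once per finding;
  2. server-side: an `ids` query restricted to the referenced documents with a
     `terms` aggregation on the field (standard OpenSearch query DSL).

Assumptions (not from the issue): findings expose `related_doc_ids`; the
sample findings and log documents below are constructed.
"""
from collections import Counter
from typing import Any, Dict, Iterable, List, Set, Tuple

# Constructed sample log documents, keyed by document ID.
SAMPLE_LOGS: Dict[str, Dict[str, Any]] = {
    "doc-1": {"hostname": "web-01", "EventID": 4625, "user": "svc_backup"},
    "doc-2": {"hostname": "web-01", "EventID": 4625, "user": "admin"},
    "doc-3": {"hostname": "db-02", "EventID": 4688, "process": "powershell.exe"},
    "doc-4": {"hostname": "web-03", "EventID": 4688, "process": "cmd.exe"},
}

# Constructed sample findings; "doc-missing" simulates a source document that
# has since been deleted or rolled over and can no longer be resolved.
SAMPLE_FINDINGS: List[Dict[str, Any]] = [
    {"id": "f-1", "queries": [{"id": "rule-failed-logon"}],
     "related_doc_ids": ["doc-1", "doc-2"]},
    {"id": "f-2", "queries": [{"id": "rule-suspicious-proc"}],
     "related_doc_ids": ["doc-3"]},
    {"id": "f-3", "queries": [{"id": "rule-suspicious-proc"}],
     "related_doc_ids": ["doc-1", "doc-4", "doc-missing"]},
]


def field_distribution(findings: Iterable[Dict[str, Any]],
                       logs: Dict[str, Dict[str, Any]],
                       field: str) -> Tuple[Counter, int]:
    """Count, per distinct value of `field`, how many findings reference at
    least one source document carrying that value.

    A finding referencing several documents with the same value counts once.
    Returns (counts, number of referenced document IDs that could not be
    resolved), so gaps in the data are visible rather than silently dropped.
    """
    counts: Counter = Counter()
    unresolved = 0
    for finding in findings:
        values_in_finding: Set[Any] = set()
        for doc_id in finding.get("related_doc_ids", []):
            doc = logs.get(doc_id)
            if doc is None:
                unresolved += 1
                continue
            if field in doc:
                values_in_finding.add(doc[field])
        counts.update(values_in_finding)
    return counts, unresolved


def referenced_doc_ids(findings: Iterable[Dict[str, Any]]) -> Set[str]:
    """All source document IDs referenced by any finding."""
    return {d for f in findings for d in f.get("related_doc_ids", [])}


def terms_aggregation_query(field: str, doc_ids: Iterable[str],
                            size: int = 10) -> Dict[str, Any]:
    """OpenSearch search body: restrict to the referenced documents with an
    `ids` query and bucket them with a `terms` aggregation on `field`.
    For a `text` field pass the `.keyword` sub-field; terms aggregations need
    an aggregatable (keyword/numeric) field.
    """
    return {
        "size": 0,
        "query": {"ids": {"values": sorted(doc_ids)}},
        "aggs": {"by_field": {"terms": {"field": field, "size": size}}},
    }


def parse_terms_buckets(response: Dict[str, Any]) -> Dict[Any, int]:
    """Turn the aggregation response back into {value: doc_count}."""
    buckets = response["aggregations"]["by_field"]["buckets"]
    return {b["key"]: b["doc_count"] for b in buckets}


if __name__ == "__main__":
    counts, missing = field_distribution(SAMPLE_FINDINGS, SAMPLE_LOGS, "hostname")
    for host, n in counts.most_common():
        print(f"{host}: {n} finding(s)")
    print(f"unresolved document references: {missing}")
    print(terms_aggregation_query("hostname.keyword",
                                  referenced_doc_ids(SAMPLE_FINDINGS)))
```

Note the two counts are not the same thing: the client-side join counts findings (a document referenced by two findings contributes to both), while the terms aggregation counts matching documents (that document is counted once). Pick the one that matches the question being asked before putting it on a dashboard.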

praveensameneni commented 3 months ago

@ghost, thank you for creating the request. Added to our backlog. In the meantime, we have added some enhancements to the notification ctx object to capture the rule-id as part of the trigger - a small first step in the right direction.