Add documentation that supports custom log types #4969
Merged
+305
−13
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: cwillum <[email protected]>
cwillum
added
2 - In progress
cwillum
requested review from
hdhalter,
kolchfa-aws,
Naarcha-AWS,
vagimeli,
ananzh,
seanneumann,
AMoo-Miki and
natebower
as code owners
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
|
@sbcd90 @amsiglan Could you look at this documentation for custom log types? I also have a few questions about the "Search custom log types" API:
Thank you. |
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
cwillum
added
4 - Doc review
|
Will create a separate PR to address "Search custom log type API" questions. Pushing this to Documentation team review. (this was tech reviewed via direct communications) |
Naarcha-AWS
reviewed
Sep 19, 2023
Naarcha-AWS
approved these changes
Sep 19, 2023
| After selecting **Create log type** in the **Log types** page, the **Create log type** page opens and provides the necessary fields to create a new log type: | ||
| 1. Enter a name for the log type. | ||
|
|
||
| The log type name supports characters a-z (lower case), 0--9, hyphens, and underscores. |
There was a problem hiding this comment.
Does this note format correctly?
| @@ -69,7 +69,7 @@ Although the ECS rule field names are largely self-explanatory, you can find pre | |||
|
|
|||
| [Amazon Security Lake](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html) converts security log and event data to the [Open Cybersecurity Schema Framework](https://docs.aws.amazon.com/security-lake/latest/userguide/open-cybersecurity-schema-framework.html) (OCSF) to normalize combined data and facilitate its management. OpenSearch supports ingestion of log data from Security Lake in the OCSF format, and Security Analytics can automatically map fields from OCSF to ECS (the default field-mapping schema). | |||
|
|
|||
| The Security Lake log types that can be used as log sources for detector creation include CloudTrail, Route 53, and VPC Flow. Given that Route 53 is a log that captures DNS activity, its log type should be specified as **DNS logs** when [defining a detector](#step-1-define-a-detector). Furthermore, because logs such as CloudTrail can conceivably be captured in both raw format and OCSF, it's good practice to name indexes in a way that keeps these logs separate and easily identifiable. This becomes helpful when specifying an index name in any of the APIs associated with Security Analytics. | |||
| The Security Lake log types that can be used as log sources for detector creation include CloudTrail, Route 53, and VPC Flow. Given that Route 53 is a log that captures DNS activity, its log type should be specified as **dns** when [defining a detector](#step-1-define-a-detector). Furthermore, because logs such as CloudTrail can conceivably be captured in both raw format and OCSF, it's good practice to name indexes in a way that keeps these logs separate and easily identifiable. This becomes helpful when specifying an index name in any of the APIs associated with Security Analytics. | |||
There was a problem hiding this comment.
Why is DNS lowercased and bolded in this context? Is it supposed to match a UI element?
There was a problem hiding this comment.
Yes. But this representation is opposed by the PM. UX and front-end dev will eventually replace these log type names with revised names. For the time being, this is the way the log type is represented in the UI.
cwillum
commented
Sep 19, 2023
| @@ -69,7 +69,7 @@ Although the ECS rule field names are largely self-explanatory, you can find pre | |||
|
|
|||
| [Amazon Security Lake](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html) converts security log and event data to the [Open Cybersecurity Schema Framework](https://docs.aws.amazon.com/security-lake/latest/userguide/open-cybersecurity-schema-framework.html) (OCSF) to normalize combined data and facilitate its management. OpenSearch supports ingestion of log data from Security Lake in the OCSF format, and Security Analytics can automatically map fields from OCSF to ECS (the default field-mapping schema). | |||
|
|
|||
| The Security Lake log types that can be used as log sources for detector creation include CloudTrail, Route 53, and VPC Flow. Given that Route 53 is a log that captures DNS activity, its log type should be specified as **DNS logs** when [defining a detector](#step-1-define-a-detector). Furthermore, because logs such as CloudTrail can conceivably be captured in both raw format and OCSF, it's good practice to name indexes in a way that keeps these logs separate and easily identifiable. This becomes helpful when specifying an index name in any of the APIs associated with Security Analytics. | |||
| The Security Lake log types that can be used as log sources for detector creation include CloudTrail, Route 53, and VPC Flow. Given that Route 53 is a log that captures DNS activity, its log type should be specified as **dns** when [defining a detector](#step-1-define-a-detector). Furthermore, because logs such as CloudTrail can conceivably be captured in both raw format and OCSF, it's good practice to name indexes in a way that keeps these logs separate and easily identifiable. This becomes helpful when specifying an index name in any of the APIs associated with Security Analytics. | |||
There was a problem hiding this comment.
Yes. But this representation is opposed by the PM. UX and front-end dev will eventually replace these log type names with revised names. For the time being, this is the way the log type is represented in the UI.
| After selecting **Create log type** in the **Log types** page, the **Create log type** page opens and provides the necessary fields to create a new log type: | ||
| 1. Enter a name for the log type. | ||
|
|
||
| The log type name supports characters a-z (lower case), 0--9, hyphens, and underscores. |
Signed-off-by: cwillum <[email protected]>
cwillum
added
5 - Editorial review
Signed-off-by: cwillum <[email protected]>
cwillum
commented
Sep 19, 2023
Signed-off-by: cwillum <[email protected]>
cwillum
added
3 - Done
vagimeli
pushed a commit
that referenced
this pull request
Sep 19, 2023
* fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> --------- Signed-off-by: cwillum <[email protected]>
harshavamsi
pushed a commit
to harshavamsi/documentation-website
that referenced
this pull request
Oct 31, 2023
…4969) * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> --------- Signed-off-by: cwillum <[email protected]>
vagimeli
pushed a commit
that referenced
this pull request
Dec 21, 2023
* fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> * fix#4741 custom logtype updates Signed-off-by: cwillum <[email protected]> --------- Signed-off-by: cwillum <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Adds documentation for custom log type enhancements.
Issues Resolved
Fixes #4741
Checklist
For more information on following Developer Certificate of Origin and signing off your commits, please check here.