Support security analytics - Threat detection, intrusion detection

[praveensameneni]

Support an open-source solution for security operations in OpenSearch, which addresses the cost and the complexity of commercial SIEM solutions. Security Analytics’ threat detection engine is pre-loaded with a rich set of threat detection rules, which define conditional logic to apply to the ingested log records

[HarishHary]

Would be nice to have a whole plugin for it?
User behavior detection, User or Host panel, Network Panel, detection query language like EQL or something different? Yara-L like chronicle?
Alerts dashboards, Signal type alerts? Exception for alerts handling? throttling and re-alerting?
This could be really interesting with PPL, SQL and notebooks. This could be a super SIEM.
Ingestion of external alerts as well

[praveensameneni]

@HarishHary, Here are some of the high level requirements we are thinking of supporting

1. Support different log sources (Netflow, DNS, Windows logs, Syslogs, Apache access)
2. Support open source security rules (e.g., Sigma rules https://github.com/SigmaHQ/sigma )
3. Visualization of findings and being able to alert on additional custom rules or thresholds
4. Provide playbook for different detections categorized by Mitre ATT&CK (https://attack.mitre.org/ - Tactics and Techniques)
5. Provide integration API's for external SIEM solutions

[brijos]

@praveensameneni Is this planned for 2.0?

[praveensameneni]

@praveensameneni Is this planned for 2.0?
@brijos,
We are targeting Security Analytics in OpenSearch 2.2 (8/11).

[sandervandegeijn]

@HarishHary, Here are some of the high level requirements we are thinking of supporting

1. Support different log sources (Netflow, DNS, Windows logs, Syslogs, Apache access)
2. Support open source security rules (e.g., Sigma rules https://github.com/SigmaHQ/sigma )
3. Visualization of findings and being able to alert on additional custom rules or thresholds
4. Provide playbook for different detections categorized by Mitre ATT&CK (https://attack.mitre.org/ - Tactics and Techniques)
5. Provide integration API's for external SIEM solutions

Shouldnt the log sources be parsed by fluentbit or something similar and transformed to something like ECS? Example configs would be nice for this.

Automatic detection based on live threat Intel would be cool as well, something like how Suricata does it with its rules that are updated frequently.

Really like the feature, especially given the prices of Sentinel, Splunk, Elastic, etc.

[praveensameneni]

Please provide feedback on the RFC for security analytics -
opensearch-project/security-analytics#2

[getsaurabh02]

Closing in favor of the new Meta issue created in the Security Analytics Repo : opensearch-project/security-analytics#7