OCSF Mappings for OpenSearch #202
Conversation
Thanks @Kevlw-AWS this looks great!!
@Kevlw-AWS can u plz fix the DCO?
…oject#193) * add csv upload file integration Signed-off-by: YANGDB <yang.db.dev@gmail.com> * update csv_file getting started docker content Signed-off-by: YANGDB <yang.db.dev@gmail.com> * update fluent-bit index names getting started docker content Signed-off-by: YANGDB <yang.db.dev@gmail.com> * update fluent-bit index names getting started docker content Signed-off-by: YANGDB <yang.db.dev@gmail.com> --------- Signed-off-by: YANGDB <yang.db.dev@gmail.com> Signed-off-by: Kevin Low <kevlw@amazon.com>
…ated properly Signed-off-by: Kevin Low <kevlw@amazon.com>
remove AWS account ID information. this is a no no! Signed-off-by: Kevin Low <kevlw@amazon.com>
tweaks for the drop Signed-off-by: Kevin Low <kevlw@amazon.com>
Bumps [org.json:json](https://github.com/douglascrockford/JSON-java) from 20210307 to 20231013. - [Release notes](https://github.com/douglascrockford/JSON-java/releases) - [Changelog](https://github.com/stleary/JSON-java/blob/master/docs/RELEASES.md) - [Commits](https://github.com/douglascrockford/JSON-java/commits) --- updated-dependencies: - dependency-name: org.json:json dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Kevin Low <kevlw@amazon.com>
relative path changes Signed-off-by: Kevin Low <kevlw@amazon.com>
Hi Yang,
I’ve fixed this.
Thanks!
Kevin Low
Security Solutions Architect
Amazon Web Services
@Kevlw-AWS (https://github.com/Kevlw-AWS) can u plz fix the DCO?
see how to fix this here: https://github.com/opensearch-project/opensearch-catalog/pull/202/checks?check_run_id=34901231954
Hi
I've reviewed the content I could - the schema is something I've not yet dived into...
For a standard integration such as the following apache https, there are a few elements missing:
- data: containing sample.json documents to show the TryMe functionality
- info: containing the specific integration's content and resources README.md files - for example, each OCSF entity can have its own description here
- ocsf.json integration metadata file (see apache's integration metadata file)
LMK if you need any help creating the OCSF.json integration metadata file
.DS_Store
What is the purpose of this file ?
you can nuke that
this has been nuked
integrations/.DS_Store
same here - what's the purpose of this file ?
nuke
this has been nuked
can you pls elaborate on the usage of this auth policy?
- how is it activated
- where is it called
- who calls it
- OCSF 6007 - Scan Activity | ||
|
||
### OpenSearch Ingestion template | ||
The OpenSearch Ingestion template (`assets/OSI-pipeline.yaml`) provides a template you can use with an OpenSearch Ingestion pipeline to ingest OCSF data. |
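Review bot: the sentence names `assets/OSI-pipeline.yaml` but does not say which values in it the reader has to change before the pipeline can be deployed (source, OpenSearch sink endpoint, the role or credentials the pipeline runs with) or what happens to an OCSF record between ingestion and the index templates described elsewhere in this README. Add a short description of that workflow and an explicit list of the values to edit, and link the OpenSearch Ingestion / Data Prepper documentation so the reader knows where the processor syntax is defined.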
please add more context of the actual pipeline workflow and the framework (data-prepper) that operates it
- add links to data-prepper resources
@Kevlw-AWS, let's sync on building more detail into the readme.md. I figured we were pretty light in the explanation of this solution. I can build the arch diagrams and the explanation.
|
||
## Installation instructions | ||
1. Download the index and component template zip files. Upload it to an S3 bucket or save it to your local machine. | ||
2. Download the right initialization script based on how you would like to authenticate to OpenSearch (basic auth or AWS IAM). |
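Review bot: in step 1, "Upload it to an S3 bucket" refers back to the plural "zip files"; make it "upload them". Since step 3 later points the initialization script at these archives and the script unpacks them to install the templates, also publish a checksum for each zip and tell the reader to verify it before running the script, and to keep the S3 bucket private rather than world-readable.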
plz give an example bash here
% cp {initialization script}
% edit {variables in the initialization script}
% ./script.sh
one script covers all of the OCSF 1.1.0 standard...since this solution hinges on component templates, there is a good portion of those component templates that are shared across ALL categories...so for now, in this version, it goes as one complete package regardless of whether a set of class_uids is not used. If we segregate by class_uid, we're screwed because each commit that has a shared component template would need to traverse the dependencies in other source check-ins; if those are misaligned, it breaks others. That would be something we could filter and de-select if the Integrations package was a bit more flexible than the tunnel vision approach it has now...one source, multiple impls on data source side, similar viz
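The dependency problem described in the comment above (component templates shared by several class_uid index templates, so a package cut down to a subset of classes breaks as soon as a shared component is missing) can be checked mechanically before anything is sent to the cluster. What follows is an added example written for this discussion, not code from the PR or the opensearch-catalog project; every template name, `composed_of` list and mapping in it is constructed and does not correspond to the project's files. It computes which component templates a chosen set of index templates needs, which components are shared between several index templates, which are missing from the package, and the order in which `PUT _component_template` and `PUT _index_template` calls have to be issued so the install does not fail part-way.

```python
"""Dependency check for OCSF index templates composed from component templates.

Added example for this discussion, not code from the PR or the
opensearch-catalog project. Every template name, composed_of list and
mapping below is constructed for illustration only.
"""
from collections import defaultdict

# Constructed sample: per-class index templates, one per OCSF class_uid, each
# carrying the two fields that matter here (index_patterns and composed_of).
INDEX_TEMPLATES = {
    "ocsf-1.1.0-6007-scan_activity": {
        "index_patterns": ["ocsf-1.1.0-6007-scan_activity*"],
        "composed_of": ["ocsf-base_event", "ocsf-device", "ocsf-scan", "ocsf-metadata"],
    },
    "ocsf-1.1.0-4001-network_activity": {
        "index_patterns": ["ocsf-1.1.0-4001-network_activity*"],
        "composed_of": ["ocsf-base_event", "ocsf-device", "ocsf-network_endpoint", "ocsf-metadata"],
    },
    "ocsf-1.1.0-3002-authentication": {
        "index_patterns": ["ocsf-1.1.0-3002-authentication*"],
        "composed_of": ["ocsf-base_event", "ocsf-user", "ocsf-session", "ocsf-metadata"],
    },
}

# Constructed sample: component templates the package ships. "ocsf-session" is
# left out on purpose to show how an incomplete package is caught.
COMPONENT_TEMPLATES = {
    "ocsf-base_event": {"template": {"mappings": {"properties": {
        "class_uid": {"type": "integer"}, "time": {"type": "date"}}}}},
    "ocsf-metadata": {"template": {"mappings": {"properties": {
        "metadata": {"properties": {"version": {"type": "keyword"}}}}}}},
    "ocsf-device": {"template": {"mappings": {"properties": {
        "device": {"properties": {"hostname": {"type": "keyword"}}}}}}},
    "ocsf-scan": {"template": {"mappings": {"properties": {
        "scan": {"properties": {"type_id": {"type": "integer"}}}}}}},
    "ocsf-network_endpoint": {"template": {"mappings": {"properties": {
        "dst_endpoint": {"properties": {"ip": {"type": "ip"}}}}}}},
    "ocsf-user": {"template": {"mappings": {"properties": {
        "user": {"properties": {"name": {"type": "keyword"}}}}}}},
}


def required_components(selected, index_templates=INDEX_TEMPLATES):
    """Component templates named in composed_of by any of the selected index templates."""
    needed = set()
    for name in selected:
        if name not in index_templates:
            raise KeyError(f"unknown index template: {name}")
        needed.update(index_templates[name]["composed_of"])
    return needed


def shared_components(index_templates=INDEX_TEMPLATES):
    """Components composed by more than one index template, mapped to their users.

    These are the ones that cannot be dropped or changed for one class_uid
    without checking every other index template that also composes them.
    """
    users = defaultdict(set)
    for name, tmpl in index_templates.items():
        for comp in tmpl["composed_of"]:
            users[comp].add(name)
    return {comp: owners for comp, owners in users.items() if len(owners) > 1}


def missing_components(selected, index_templates=INDEX_TEMPLATES,
                       component_templates=COMPONENT_TEMPLATES):
    """Components the selection references but the package does not ship.

    OpenSearch rejects PUT _index_template when composed_of names a component
    template that does not exist, so a non-empty result means the install
    script would fail part-way through.
    """
    return required_components(selected, index_templates) - set(component_templates)


def install_order(selected, index_templates=INDEX_TEMPLATES,
                  component_templates=COMPONENT_TEMPLATES):
    """(api_path, name) pairs in a safe order: all component templates first.

    Raises ValueError instead of producing a plan that would break half-way.
    """
    missing = missing_components(selected, index_templates, component_templates)
    if missing:
        raise ValueError(f"package incomplete, missing component templates: {sorted(missing)}")
    comps = sorted(required_components(selected, index_templates))
    return ([("_component_template", c) for c in comps]
            + [("_index_template", i) for i in sorted(selected)])


if __name__ == "__main__":
    for comp, owners in sorted(shared_components().items()):
        print(f"shared: {comp} <- {sorted(owners)}")
    for path, name in install_order({"ocsf-1.1.0-6007-scan_activity"}):
        print(f"PUT {path}/{name}")
    try:
        install_order({"ocsf-1.1.0-3002-authentication"})
    except ValueError as err:
        print(err)
```

Run against the real package, the same logic would take the template JSON files from the unzipped `schemas/` directories instead of the constructed dictionaries; the point is that a subset-by-class_uid release is only safe if `missing_components` is empty for every class shipped, and that `shared_components` is the list of files whose change needs a review of every index template that composes them.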
The script is a bit complex to have it in bash. I'll add clearer instructions on where to modify the variables and to run it in an IDE
ok cool
@Kevlw-AWS
I would also love to see this as a packaged docker compose solution that anyone can just run and see a live containerized example in its local env
2. Download the right initialization script based on how you would like to authenticate to OpenSearch (basic auth or AWS IAM). | ||
3. Modify the variables in the initialization script. You will need to add your OpenSearch cluster endpoint, authentication information, and the location of the index and component templates. | ||
4. Run the initialization script. | ||
5. Log in to the OpenSearch cluster and upload the OpenSearch objects in the **Saved Objects** screen under **Dashboards Management**. |
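Review bot: step 3 has the reader write the cluster endpoint and "authentication information" into variables inside the script itself; on the basic-auth path that puts a password in a file that is easy to commit or share by accident. Suggest the script read credentials from environment variables or prompt for them, and that the README say so and advise against committing the edited copy. Step 5 should also name the file to import, since "the OpenSearch objects" has no antecedent in these steps.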
plz give some screenshots + url on how/where it's done in the dashboard management dialog
@Kevlw-AWS - let's record this in Camtasia and ANI GIF the setup and drop as a gif, as that is supported for readme.md
These have been added as screenshots -- I prefer them to GIFs, as GIFs are often grainy and show the whole screen, making the text tiny
|
||
Component templates (`schemas/component_templates`) are reusable building blocks that contain mapping definitions. Component templates are used as part of index templates. | ||
|
||
The current set of index and component templates are mapped to the OSCF 1.1.0 standard. The repository contains index templates for the following OCSF 1.1.0 categories and classes: |
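Review bot: "OSCF 1.1.0 standard" in the last line is a typo for "OCSF"; the same sentence reads "The current set ... are mapped", where "set" is the subject and takes "is mapped".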
can you add a visual diagram of the different OCSF entities that are presented here ?
and also a link to the OCSF url resources?
we can hotlink this to the spec for each class_uid....beware it could break if the OCSF project reorgs the structure of the presentation on the current site
what is the content of this zip file?
is it being used anywhere?
something Kevin Low and I would like to see in the Integrations project is the ability to wire things not in the dashboard or core APIs. we should be able to wire any plugin endpoint to seed our needs, and have dependency and order adhered to. to really bring elucidation to this issue, I would need to write a 6 pager...kinda hoping I don't have to do that, but the writing is on the wall...things like the dependency of this to work based on a data prepper config...if that config is not set, this solution breaks...however, this solution for OCSF relies on the strict OCSF schema ties...we need static templates for data to actually ingest properly. right now the install script needs to upload a local zip and unwind it so it can call them to install into OpenSearch via template apis
@kffallis
let's use this OCSF integration use case to create the detailed Integration RFC for what we need in terms of functionality and capabilities, so we could have a clear path for the integration framework evolution and release features
what is the content of this zip file?
is it being used directly anywhere?
see comments on all things zip above for index templates etc
"I've reviewed the content I could - the schema is something I've not yet dived into..." you will need more than a week on this topic
…ll not working Signed-off-by: Kevin Low <kevlw@amazon.com>
…ile. Integration package can be built and imported but not accessed Signed-off-by: Kevin Low <kevlw@amazon.com>
…e why. OCSF mappings still not working
@Swiddis would u be able to review and comment?
Description
This PR adds schemas and assets that customers can use with OpenSearch to ingest and analyse OCSF v1.1.0 logs. It includes mappings, visualisations, and index patterns.
Issues Resolved
No existing issues
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.