[FEATURE] Threat Intelligence scanners can't use index patterns? #1417
Labels
enhancement
New feature or request
Comments
Grumpyfish1200
changed the title
|
[Catch All Triage - 1, 2, 3] |
|
@Grumpyfish1200 we do not recommend usage of index patterns for detectors at all. Security analytics detectors are optimized to work better with aliases and data streams In 2.16 we have added a revamped experience for threat intelligence: https://opensearch.org/docs/2.16/security-analytics/threat-intelligence/api/threat-intel-api/ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I am ingesting VPC Flowlogs into my OpenSearch domain. I even made sure to use a copy_values processor in my Data Prepper pipeline to the source IP, Destination IP, and Timestamp in an ECS format:
" - copy_values:
entries:
- from_key: srcaddr
to_key: source.ip
- from_key: dstaddr
to_key: destination.ip
- from_key: "@timestamp"
to_key: timestamp"
But even after doing this it is not compatible with Threat Intelligence.
When I try to make a general detector, no field mappings pop up, period:
And nothing populates for Threat Intelligence either:
I do not know if this is a problem caused by me or if it just doesn't work.
EDIT:
For the Threat Intelligence scanner, I can do it by individual indices but not for an index pattern? Why is this? Is there anyway I can select an index pattern?
The text was updated successfully, but these errors were encountered: