Security Analytics—additional updates following 2.5 release#2515
Conversation
Signed-off-by: cwillum <cwmmoore@amazon.com>
| ## Step 3. Set up alerts | ||
|
|
||
| At this stage, setting up alerts is optional for creating a new detector. Alerts can be configured at any time, including from the Findings window. This section describes the process for defining the alert conditions during creation of a detector. To see how to initiate creation of alerts from the Findings window, see [The findings list]({{site.url}}{{site.baseurl}}/security-analytics/usage/findings/#the-findings-list). | ||
| The third step in creating a detector involves setting up alerts. Alerts are configured to create triggers that, when matched with a set of detection rule criteria, send a notification of a possible security event. You can select the criteria (rules, rule severity, and tags) in any combination to define a trigger. Once a trigger is defined, the alert setup lets you choose the channel on which to be notified and provides options for customizing a message for the notification. |
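Review bot: the replacement paragraph drops two points the removed paragraph made, and the hunk does not restore them elsewhere: that setting up alerts is optional when creating a detector and can be done later, and the link to [The findings list]({{site.url}}{{site.baseurl}}/security-analytics/usage/findings/#the-findings-list) for starting alert creation from the Findings window. Consider keeping a short sentence such as "Setting up alerts is optional at this stage; alerts can also be configured later from the Findings window" together with that link before the new paragraph.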
| The third step in creating a detector involves setting up alerts. Alerts are configured to create triggers that, when matched with a set of detection rule criteria, send a notification of a possible security event. You can select the criteria (rules, rule severity, and tags) in any combination to define a trigger. Once a trigger is defined, the alert setup lets you choose the channel on which to be notified and provides options for customizing a message for the notification. | |
| The third step in creating a detector involves setting up alerts. Alerts are configured to create triggers that, when matched with a set of detection rule criteria, send a notification of a possible security event. You can select the criteria such as rules, rule severity, and tags in any combination to define a trigger. Once a trigger is defined, the alert setup lets you choose the channel on which to be notified and provides options for customizing a message for the notification. |
I agree, it's a little clunky like that. These three criteria, however, are the only three criteria. So "such as" doesn't work. But I've run them into the sentence to address the problem you point out.
"You can select rule names, rule severity, and tags in any combination to define a trigger."
Thanks.
Echoing what Alice said but with a different suggestion:
| The third step in creating a detector involves setting up alerts. Alerts are configured to create triggers that, when matched with a set of detection rule criteria, send a notification of a possible security event. You can select the criteria (rules, rule severity, and tags) in any combination to define a trigger. Once a trigger is defined, the alert setup lets you choose the channel on which to be notified and provides options for customizing a message for the notification. | |
| The third step in creating a detector involves setting up alerts. Alerts are configured to create triggers that, when matched with a set of detection rule criteria, send a notification of a possible security event. Detection rule criteria includes the following: | |
| - Rules | |
| - Rule severity | |
| - Tags | |
| After defining the trigger, the alert setup lets you choose the channel on which to be notified and provides options for customizing a message for the notification. |
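Review bot: "criteria" is plural, so "Detection rule criteria includes the following" should read "Detection rule criteria include the following". The bulleted list also previews settings that the numbered steps immediately below treat one by one, so a single sentence naming the three criteria would keep this introduction from duplicating those steps.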
This is just a basic description of what is to follow. Each of the three configuration settings is addressed separately in step two of Alert setup (immediately below this). I don't really want to make a big deal about these three settings at this point - I just want to make the process familiar and then mention each in detail in the steps.
Generally for alert setup you make selections for the rule criteria and configure a notification if you want a notification. The specific steps are covered in material that follows. It doesn't really make sense to emphasize these here, not emphasize the steps for notifications, and then re-emphasize the rule criteria in steps a few lines later.
Naarcha-AWS left a comment:
A couple comments, but looks good.
Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Signed-off-by: cwillum <cwmmoore@amazon.com>
…rch-project/documentation-website into fix#2400-updates-revisit
* fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com>
* fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com>
* fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com>
* fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com>
* fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com>
* fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com>
* Update _security-analytics/sec-analytics-config/detectors-config.md Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
* Update _security-analytics/sec-analytics-config/detectors-config.md Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
* fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com>
* fix#2400-updates-revisit Signed-off-by: cwillum <cwmmoore@amazon.com>
---------
Signed-off-by: cwillum <cwmmoore@amazon.com>
Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
(cherry picked from commit 8b8d968)
Signed-off-by: cwillum cwmmoore@amazon.com
Description
Some updates didn't make it into 2.5. These are follow up changes and some refinements.
Issues Resolved
Reordered some field mapping documentation to treat automatic mapping first and pending mapping second, changed language in the Alert setup section of detection creation, and other small refinements.
Checklist
For more information on following Developer Certificate of Origin and signing off your commits, please check here.