Security Analytics Detection Rules not working on OpenSearch Domain


We've started ingesting data into a new OpenSearch domain running OpenSearch 2.17 and have been trying to set up detection rules, both custom and pre-made, with no luck generating alerts/findings with either.

For example, we have Windows data being ingested into a logs-windows data stream, and then set up the following detection rule that should trigger on the failed login event code 4625, which I've confirmed exists in the logs:

id: 803f870f-7beb-482b-bb8b-8ef346e6ea30
logsource:
  product: windows
title: Failed user login
description: Test Detection
tags: []
falsepositives: []
level: informational
status: experimental
references: []
author: ''
detection:
  condition: selection
  selection:
    event.code:
      - 4625

Has anyone encountered similar issues or knows why no alerts/findings are being generated? We were previously encountering resource spikes as well, but that issue appears to have been resolved by allocating more resources.

asked 2 months ago, 69 views
1 Answer

It sounds like you're experiencing some challenges with setting up Security Analytics Detection Rules in your OpenSearch domain. There are a few things to consider when troubleshooting this issue:

  1. Detector Configuration: Make sure you have properly configured a detector for the Windows log type. Detectors are responsible for identifying threats across data indexes using both custom and pre-packaged Sigma rules.

  2. Rule Implementation: Ensure that your custom rule is correctly implemented and follows the proper syntax for Security Analytics rules. The rule you've provided looks like it's in YAML format, which is correct for Sigma rules.

  3. Index Mapping: Verify that the field names in your rule (e.g., "event.code") match the actual field names in your ingested data. Sometimes, discrepancies in field naming can prevent rules from triggering.

  4. Data Ingestion: Confirm that the Windows log data is being correctly ingested into the "logs-windows" data stream and that the events with code 4625 are present and properly formatted.

  5. Time Range: Check if you're looking for alerts/findings within the correct time range. Sometimes, alerts might not appear immediately and could take some time to generate.

  6. Permissions: Ensure that the necessary permissions are set up correctly. If you're using fine-grained access control, make sure the appropriate roles and users are mapped to allow for rule execution and alert generation.

  7. Resource Allocation: While you mentioned allocating more resources has helped with resource spikes, it's worth double-checking that your cluster has sufficient resources to handle the Security Analytics workload.

If you're still not seeing any alerts or findings after checking these points, you might want to review the audit logs for any error messages or unexpected behavior related to the Security Analytics feature.

Additionally, if you're new to using Security Analytics, be aware that when you first open the Security Analytics dashboard without any detectors, you might see a notification about a missing index. This is normal and will disappear once you create a detector.

If the issue persists, you may need to reach out to AWS support for further assistance in troubleshooting the Security Analytics configuration on your OpenSearch domain.
Sources
Security Analytics for Amazon OpenSearch Service - Amazon OpenSearch Service
How to customize audit logs in OpenSearch to see which queries were run by users? | AWS re:Post
Open-Source Search Engine – Amazon OpenSearch Service Security – Amazon Web Services

answered 2 months ago
EXPERT
reviewed 2 months ago
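The answer's points 3 to 5 (field naming, presence of the 4625 events, and the time window) can be checked offline before touching the cluster. The following script is an added example for this thread, not code from OpenSearch, Security Analytics or AWS. It transcribes the asker's rule into a dict, resolves the rule's dotted field name against sample documents shaped like ECS/Winlogbeat events (both nested `event.code` and a flat `"event.code"` key), reports documents that lack the field, and checks whether the matching events fall inside an assumed detector lookback window. The sample events, the timestamp `NOW` and the 60-minute lookback are constructed for the example; the type-mismatch report rests on the assumption that `event.code` is stored as a keyword (string) field, so a rule literal written as the integer 4625 differs in type from the stored `"4625"`. Only the simple `condition: selection` form used in the question is handled.

```python
"""Offline pre-check of a Sigma selection against sample documents.

Example code added for this thread (not from OpenSearch or AWS).  It
mirrors the troubleshooting checklist: does the rule's field exist in
the documents, do any documents match, and do the matches fall inside
the detector's lookback window?  All sample data below is constructed.
"""
from datetime import datetime, timedelta, timezone

# The asker's rule, transcribed from its YAML form into a dict.
RULE = {
    "title": "Failed user login",
    "logsource": {"product": "windows"},
    "detection": {
        "condition": "selection",
        "selection": {"event.code": [4625]},
    },
}

# Constructed sample documents.  Docs 0 and 1 use ECS-style nesting with a
# keyword (string) value, doc 2 uses a flat dotted key with a different
# code, and doc 3 uses a different field name altogether (the naming
# mismatch the answer's point 3 warns about).
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed "current" time
SAMPLE_DOCS = [
    {"@timestamp": (NOW - timedelta(minutes=2)).isoformat(),
     "event": {"code": "4625"}, "winlog": {"channel": "Security"}},
    {"@timestamp": (NOW - timedelta(hours=3)).isoformat(),
     "event": {"code": "4625"}},
    {"@timestamp": (NOW - timedelta(minutes=1)).isoformat(),
     "event.code": 4624},
    {"@timestamp": (NOW - timedelta(minutes=5)).isoformat(),
     "EventID": 4625},
]

_MISSING = object()  # sentinel distinguishing "field absent" from a None value


def resolve(doc, path):
    """Return the value at a dotted path, accepting a flat key or nested objects."""
    if path in doc:
        return doc[path]
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return _MISSING
        cur = cur[part]
    return cur


def values_equal(rule_value, doc_value):
    """Compare loosely across int/str so a stored keyword '4625' matches the literal 4625."""
    return str(rule_value) == str(doc_value)


def selection_matches(selection, doc):
    """Sigma semantics for one selection: AND across fields, OR within a value list."""
    for field, expected in selection.items():
        actual = resolve(doc, field)
        if actual is _MISSING:
            return False
        choices = expected if isinstance(expected, list) else [expected]
        if not any(values_equal(c, actual) for c in choices):
            return False
    return True


def check_rule(rule, docs, now, lookback_minutes):
    """Summarize which docs match, which lack the rule's fields, which matches
    fall inside the lookback window, and where the literal type differs from
    the stored type (assumption: keyword fields store the code as a string)."""
    selection = rule["detection"]["selection"]
    fields = list(selection)
    window_start = now - timedelta(minutes=lookback_minutes)

    missing = [i for i, d in enumerate(docs)
               if any(resolve(d, f) is _MISSING for f in fields)]
    matches = [i for i, d in enumerate(docs) if selection_matches(selection, d)]
    in_window = [i for i in matches
                 if datetime.fromisoformat(docs[i]["@timestamp"]) >= window_start]
    type_mismatches = []
    for i in matches:
        for field, expected in selection.items():
            choices = expected if isinstance(expected, list) else [expected]
            actual = resolve(docs[i], field)
            if all(type(c) is not type(actual) for c in choices):
                type_mismatches.append(i)
                break
    return {
        "matches": matches,
        "missing_field_docs": missing,
        "in_window": in_window,
        "type_mismatches": type_mismatches,
    }


if __name__ == "__main__":
    for key, value in check_rule(RULE, SAMPLE_DOCS, NOW, 60).items():
        print(f"{key}: {value}")
```

Run against the constructed data, the report shows that two documents match the selection, that one of them is older than a one-hour lookback and so would not produce a finding on a detector scheduled that tightly, that one document does not carry `event.code` at all, and that the matching documents store the code as a string while the rule writes it as an integer. Pointing the same functions at a handful of documents pulled from the real `logs-windows` stream tells you which of the answer's points applies before changing the detector.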
