Amazon OpenSearch Service Introduces Security Analytics

Amazon recently announced the general availability of security analytics for Amazon OpenSearch Service. The new capability of the successor to Amazon Elasticsearch Service provides threat monitoring, detection, and alerting features to help manage security threats.

The new security analytics plugin helps identify attack signatures and create alerts from security findings. It visualizes threat patterns using dashboards that can show metrics data from Prometheus alongside log data aggregated within OpenSearch. Furthermore, the plugin supports trace data collected by Jaeger.

The new feature of Amazon OpenSearch Service includes a threat detection engine pre-loaded with a set of default rules and builds on the recently announced support for OpenSearch 2.5. The latest open-source version also introduced support for Point in Time Search and improvements to observability and geospatial functionality.

Security Analytics includes four main tools and features: detectors, the core components required to identify cybersecurity threats; log types, providing the data used to evaluate events; rules, defining the conditional logic applied to the ingested log data; and findings, generated every time a detector matches a rule with a log event.

Detectors use JSON-formatted data to evaluate events and map to the adversary tactics and techniques catalogued by MITRE ATT&CK. Currently, the supported log sources are NetFlow, DNS logs, Apache access logs, Windows logs, AD/LDAP, system logs, AWS CloudTrail logs, and S3 access logs. After creating detectors and generating findings, the visualization options help customers investigate findings and handle alerts and notifications.
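To make the detector, rule, log type and finding terminology concrete, here is an added example (not code from the article or from the OpenSearch plugin) that applies one constructed Sigma-style rule for the AWS CloudTrail log type to a few constructed CloudTrail events and emits a finding for each match, the way a detector does; the rule, field names and events are illustrative assumptions.

```python
# Added example: a minimal Sigma-style rule evaluator that mirrors what a
# Security Analytics detector does with ingested log events (illustrative, constructed).
# Constructed rule in the shape of a Sigma rule for the AWS CloudTrail log type.
RULE = {
    "title": "CloudTrail logging stopped or trail modified",
    "level": "high",
    "detection": {
        "selection": {
            "eventSource": "cloudtrail.amazonaws.com",
            "eventName": ["StopLogging", "DeleteTrail", "UpdateTrail"],
        },
        "filter": {"userIdentity.type": "AWSService"},  # AWS-initiated changes
        "condition": "selection and not filter",
    },
}

# Constructed CloudTrail-style events, trimmed to the fields the rule uses.
EVENTS = [
    {"eventID": "e1", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "userIdentity": {"type": "IAMUser"}},
    {"eventID": "e2", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": {"type": "IAMUser"}},
    {"eventID": "e3", "eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail", "userIdentity": {"type": "AWSService"}},
]

def get_field(event: dict, dotted: str):
    """Resolve a dotted field path such as 'userIdentity.type'."""
    value = event
    for part in dotted.split("."):
        value = value.get(part) if isinstance(value, dict) else None
    return value

def selection_matches(event: dict, selection: dict) -> bool:
    """Sigma semantics: fields in a selection are ANDed; a list of values is an OR."""
    for field, expected in selection.items():
        value = get_field(event, field)
        if not (value in expected if isinstance(expected, list) else value == expected):
            return False
    return True

def condition_holds(event: dict, detection: dict) -> bool:
    """Support the two simplest Sigma condition forms: 'X' and 'X and not Y'."""
    cond = detection["condition"]
    if " and not " in cond:
        keep, drop = cond.split(" and not ", 1)
        return selection_matches(event, detection[keep]) and not selection_matches(event, detection[drop])
    return selection_matches(event, detection[cond])

def evaluate(rule: dict, events: list) -> list:
    """Emit one finding per event that satisfies the rule, as a detector would."""
    return [{"rule": rule["title"], "level": rule["level"], "eventID": e["eventID"]}
            for e in events if condition_holds(e, rule["detection"])]
```

Running `evaluate(RULE, EVENTS)` yields a single finding for event e1: e2 fails the selection, and e3 matches the selection but is excluded by the filter.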

According to the cloud provider, the new feature helps developers with no prior security experience leverage simplified workflows in OpenSearch to correlate multiple security logs and investigate security incidents. James McIntyre, senior product marketing manager at AWS, writes:

With more than 2,000 prepackaged Sigma security rules and support for multiple log sources, including Windows, Netflow, DNS, AWS CloudTrail, and more, Security Analytics offers a range of tools to help you monitor and detect potential security threats before they can disrupt your operations.

OpenSearch provides a second security plugin, supporting features like authentication, encryption, access control, and audit/compliance logging. In a separate article series, Sagar Gandha, senior technical account manager at AWS, and Prakash Srinivasan, solutions architect at AWS, show how to analyze network firewall logs using OpenSearch Service. Andrzej Komarnicki, cloud DevOps consultant, comments:

Amazon OpenSearch seems to be killing it in the domain of observability, security, and network log analytics ever since it forked from upstream Elasticsearch.

Security analytics is available in all the regions where OpenSearch Service is supported and requires running OpenSearch version 2.5 or higher. Security analytics is provided at no additional cost, but customers still pay for data ingestion.

The code of the Security Analytics plugin is on GitHub.
