Merge branch '2.13' into backport/backport-6871-to-2.13

_security-analytics/index.md

@@ -39,7 +39,7 @@ For information about configuring detectors, see [Creating detectors]({{site.url
 
 ### Log types
 
-Log types provide the data used to evaluate events occurring in a system. OpenSearch supports several types of logs and provides out-of-the-box mappings for the most common log sources. See [Supported log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types/) for a list of log types currently supported by Security Analytics.
+[Log types]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/log-types/) provide the data used to evaluate events occurring in a system. OpenSearch supports several types of logs and provides out-of-the-box mappings for the most common log sources.
 
 Log types are specified during the creation of detectors, including steps for mapping log fields to the detector. Security Analytics also automatically selects an appropriate set of rules based on a specific log type and populates them for the detector.
 

_security-analytics/log-types-reference/ad-ldap.md

@@ -0,0 +1,114 @@
+---
+layout: default
+title: AD LDAP
+parent: Supported log types
+nav_order: 20
+---
+
+# AD LDAP
+
+The `ad_ldap` log type tracks Active Directory logs, such as:
+
+- Lightweight Directory Access Protocol (LDAP) queries.
+- Errors from the LDAP server.
+- Timeout events.
+- Unsecured LDAP binds.
+
+The following code snippet contains all `raw_field` and `ecs` mappings for this log type:
+
+```json
+ "mappings": [
+   {
+      "raw_field":"TargetUserName",
+      "ecs":"azure.signinlogs.properties.user_id"
+    },
+    {
+      "raw_field":"creationTime",
+      "ecs":"timestamp"
+    },
+    {
+      "raw_field":"Category",
+      "ecs":"azure.activitylogs.category"
+    },
+    {
+      "raw_field":"OperationName",
+      "ecs":"azure.platformlogs.operation_name"
+    },
+    {
+      "raw_field":"ModifiedProperties_NewValue",
+      "ecs":"modified_properties.new_value"
+    },
+    {
+      "raw_field":"ResourceProviderValue",
+      "ecs":"azure.resource.provider"
+    },
+    {
+      "raw_field":"conditionalAccessStatus",
+      "ecs":"azure.signinlogs.properties.conditional_access_status"
+    },
+    {
+      "raw_field":"SearchFilter",
+      "ecs":"SearchFilter"
+    },
+    {
+      "raw_field":"Operation",
+      "ecs":"azure.platformlogs.operation_name"
+    },
+    {
+      "raw_field":"ResultType",
+      "ecs":"azure.platformlogs.result_type"
+    },
+    {
+      "raw_field":"DeviceDetail_isCompliant",
+      "ecs":"azure.signinlogs.properties.device_detail.is_compliant"
+    },
+    {
+      "raw_field":"ResourceDisplayName",
+      "ecs":"resource_display_name"
+    },
+    {
+      "raw_field":"AuthenticationRequirement",
+      "ecs":"azure.signinlogs.properties.authentication_requirement"
+    },
+    {
+      "raw_field":"TargetResources",
+      "ecs":"target_resources"
+    },
+    {
+      "raw_field":"Workload",
+      "ecs":"workload"
+    },
+    {
+      "raw_field":"DeviceDetail.deviceId",
+      "ecs":"azure.signinlogs.properties.device_detail.device_id"
+    },
+    {
+      "raw_field":"OperationNameValue",
+      "ecs":"azure.platformlogs.operation_name"
+    },
+    {
+      "raw_field":"ResourceId",
+      "ecs":"azure.signinlogs.properties.resource_id"
+    },
+    {
+      "raw_field":"ResultDescription",
+      "ecs":"azure.signinlogs.result_description"
+    },
+    {
+      "raw_field":"EventID",
+      "ecs":"EventID"
+    },
+    {
+      "raw_field":"NetworkLocationDetails",
+      "ecs":"azure.signinlogs.properties.network_location_details"
+    },
+    {
+      "raw_field":"CategoryValue",
+      "ecs":"azure.activitylogs.category"
+    },
+    {
+      "raw_field":"ActivityDisplayName",
+      "ecs":"azure.auditlogs.properties.activity_display_name"
+    }
+  ]
+```

_security-analytics/log-types-reference/apache-access.md

@@ -0,0 +1,10 @@
+---
+layout: default
+title: Apache Access
+parent: Supported log types
+nav_order: 25
+---
+
+# Apache Access
+
+The `apache_access` log type records data for all requests processed by Apache HTTP servers. It contains no `raw_field` or `ecs` mappings.

_security-analytics/log-types-reference/azure.md

@@ -0,0 +1,225 @@
+---
+layout: default
+title: Azure
+parent: Supported log types
+nav_order: 29
+---
+
+# Azure
+
+The `azure` log type monitors log data for cloud applications managed by Azure Cloud Services.
+
+The following code snippet contains all `raw_field` and `ecs` mappings for this log type:
+
+```json
+"mappings": [
+    {
+      "raw_field":"Resultdescription",
+      "ecs":"azure.signinlogs.result_description"
+    },
+    {
+      "raw_field":"eventSource",
+      "ecs":"eventSource"
+    },
+    {
+      "raw_field":"eventName",
+      "ecs":"eventName"
+    },
+    {
+      "raw_field":"Status",
+      "ecs":"azure.platformlogs.status"
+    },
+    {
+      "raw_field":"LoggedByService",
+      "ecs":"azure.auditlogs.properties.logged_by_service"
+    },
+    {
+      "raw_field":"properties_message",
+      "ecs":"properties_message"
+    },
+    {
+      "raw_field":"status",
+      "ecs":"azure.platformlogs.status"
+    },
+    {
+      "raw_field":"TargetUserName",
+      "ecs":"azure.signinlogs.properties.user_id"
+    },
+    {
+      "raw_field":"creationTime",
+      "ecs":"timestamp"
+    },
+    {
+      "raw_field":"Category",
+      "ecs":"azure.activitylogs.category"
+    },
+    {
+      "raw_field":"OperationName",
+      "ecs":"azure.platformlogs.operation_name"
+    },
+    {
+      "raw_field":"ModifiedProperties_NewValue",
+      "ecs":"modified_properties.new_value"
+    },
+    {
+      "raw_field":"ResourceProviderValue",
+      "ecs":"azure.resource.provider"
+    },
+    {
+      "raw_field":"conditionalAccessStatus",
+      "ecs":"azure.signinlogs.properties.conditional_access_status"
+    },
+    {
+      "raw_field":"SearchFilter",
+      "ecs":"search_filter"
+    },
+    {
+      "raw_field":"Operation",
+      "ecs":"azure.platformlogs.operation_name"
+    },
+    {
+      "raw_field":"ResultType",
+      "ecs":"azure.platformlogs.result_type"
+    },
+    {
+      "raw_field":"DeviceDetail_isCompliant",
+      "ecs":"azure.signinlogs.properties.device_detail.is_compliant"
+    },
+    {
+      "raw_field":"ResourceDisplayName",
+      "ecs":"resource_display_name"
+    },
+    {
+      "raw_field":"AuthenticationRequirement",
+      "ecs":"azure.signinlogs.properties.authentication_requirement"
+    },
+    {
+      "raw_field":"TargetResources",
+      "ecs":"target_resources"
+    },
+    {
+      "raw_field":"Workload",
+      "ecs":"Workload"
+    },
+    {
+      "raw_field":"DeviceDetail_deviceId",
+      "ecs":"azure.signinlogs.properties.device_detail.device_id"
+    },
+    {
+      "raw_field":"OperationNameValue",
+      "ecs":"azure.platformlogs.operation_name"
+    },
+    {
+      "raw_field":"ResourceId",
+      "ecs":"azure.signinlogs.properties.resource_id"
+    },
+    {
+      "raw_field":"ResultDescription",
+      "ecs":"azure.signinlogs.result_description"
+    },
+    {
+      "raw_field":"EventID",
+      "ecs":"EventID"
+    },
+    {
+      "raw_field":"NetworkLocationDetails",
+      "ecs":"azure.signinlogs.properties.network_location_details"
+    },
+    {
+      "raw_field":"CategoryValue",
+      "ecs":"azure.activitylogs.category"
+    },
+    {
+      "raw_field":"ActivityDisplayName",
+      "ecs":"azure.auditlogs.properties.activity_display_name"
+    },
+    {
+      "raw_field":"Initiatedby",
+      "ecs":"azure.activitylogs.identity.claims_initiated_by_user.name"
+    },
+    {
+      "raw_field":"Count",
+      "ecs":"Count"
+    },
+    {
+      "raw_field":"ResourceTenantId",
+      "ecs":"azure.signinlogs.properties.resource_tenant_id"
+    },
+    {
+      "raw_field":"failure_status_reason",
+      "ecs":"failure_status_reason"
+    },
+    {
+      "raw_field":"AppId",
+      "ecs":"azure.signinlogs.properties.app_id"
+    },
+    {
+      "raw_field":"properties.message",
+      "ecs":"properties.message"
+    },
+    {
+      "raw_field":"ClientApp",
+      "ecs":"azure.signinlogs.properties.client_app_used"
+    },
+    {
+      "raw_field":"ActivityDetails",
+      "ecs":"ActivityDetails"
+    },
+    {
+      "raw_field":"Target",
+      "ecs":"Target"
+    },
+    {
+      "raw_field":"DeviceDetail.trusttype",
+      "ecs":"azure.signinlogs.properties.device_detail.trust_type"
+    },
+    {
+      "raw_field":"HomeTenantId",
+      "ecs":"azure.signinlogs.properties.home_tenant_id"
+    },
+    {
+      "raw_field":"ConsentContext.IsAdminConsent",
+      "ecs":"ConsentContext.IsAdminConsent"
+    },
+    {
+      "raw_field":"InitiatedBy",
+      "ecs":"InitiatedBy"
+    },
+    {
+      "raw_field":"ActivityType",
+      "ecs":"azure.auditlogs.properties.activity_display_name"
+    },
+    {
+      "raw_field":"operationName",
+      "ecs":"azure.activitylogs.operation_name"
+    },
+    {
+      "raw_field":"ModifiedProperties{}.NewValue",
+      "ecs":"modified_properties.new_value"
+    },
+    {
+      "raw_field":"userAgent",
+      "ecs":"user_agent.name"
+    },
+    {
+      "raw_field":"RiskState",
+      "ecs":"azure.signinlogs.properties.risk_state"
+    },
+    {
+      "raw_field":"Username",
+      "ecs":"azure.activitylogs.identity.claims_initiated_by_user.name"
+    },
+    {
+      "raw_field":"DeviceDetail.deviceId",
+      "ecs":"azure.signinlogs.properties.device_detail.device_id"
+    },
+    {
+      "raw_field":"DeviceDetail.isCompliant",
+      "ecs":"azure.signinlogs.properties.device_detail.is_compliant"
+    },
+    {
+      "raw_field":"Location",
+      "ecs":"azure.signinlogs.properties.network_location_details"
+    }
+  ]
+```