Security Analytics settings
The Security Analytics plugin supports the following settings. All settings in this list are dynamic:
plugins.security_analytics.index_timeout
(Time value): The timeout for creating detectors, findings, rules, and custom log types using the REST APIs. Default is 60 seconds.
plugins.security_analytics.alert_history_enabled
(Boolean): Specifies whether to create .opensearch-sap-<detector_type>-alerts-history-<date> indexes. Default is true.
plugins.security_analytics.alert_finding_enabled
(Boolean): Specifies whether to create .opensearch-sap-<detector_type>-findings-<date> indexes. Default is true.
plugins.security_analytics.alert_history_rollover_period
(Time value): Specifies how frequently to roll over and delete alert history indexes. Default is 12 hours.
plugins.security_analytics.alert_finding_rollover_period
(Time value): Specifies how frequently to roll over and delete finding history indexes. Default is 12 hours.
plugins.security_analytics.correlation_history_rollover_period
(Time value): Specifies how frequently to roll over and delete correlation history indexes. Default is 12 hours.
plugins.security_analytics.alert_history_max_age
(Time value): The oldest document to store in the alert history index before creating a new index. If the number of alerts in this time period does not exceed alert_history_max_docs, a new alert history index is created per period (for example, one index every 30 days). Default is 30 days.
plugins.security_analytics.finding_history_max_age
(Time value): The oldest document to store in the finding history index before creating a new index. If the number of findings in this time period does not exceed finding_history_max_docs, a new finding history index is created per period (for example, one index every 30 days). Default is 30 days.
plugins.security_analytics.correlation_history_max_age
(Time value): The oldest document to store in the correlation history index before creating a new index. If the number of correlations in this time period does not exceed correlation_history_max_docs, a new correlation history index is created per period (for example, one index every 30 days). Default is 30 days.
plugins.security_analytics.alert_history_max_docs
(Integer): The maximum number of alerts to store in the alert history index before creating a new index. Default is 1,000.
plugins.security_analytics.alert_finding_max_docs
(Integer): The maximum number of findings to store in the findings history index before creating a new index. Default is 1,000.
plugins.security_analytics.correlation_history_max_docs
(Integer): The maximum number of correlations to store in the correlation history index before creating a new index. Default is 1,000.
plugins.security_analytics.alert_history_retention_period
(Time value): The amount of time to keep alert history indexes before automatically deleting them. Default is 60 days.
plugins.security_analytics.finding_history_retention_period
(Time value): The amount of time to keep finding history indexes before automatically deleting them. Default is 60 days.
plugins.security_analytics.correlation_history_retention_period
(Time value): The amount of time to keep correlation history indexes before automatically deleting them. Default is 60 days.
plugins.security_analytics.request_timeout
(Time value): The timeout for all requests the Security Analytics plugin sends to other parts of OpenSearch. Default is 10 seconds.
plugins.security_analytics.action_throttle_max_value
(Time value): The maximum amount of time you can set for action throttling. Default is 24 hours. (This value displays as 1440 minutes in OpenSearch Dashboards.)
plugins.security_analytics.filter_by_backend_roles
(Boolean): When set to true, restricts access to detectors, alerts, findings, and custom log types by backend role. Default is false.
plugins.security_analytics.enable_workflow_usage
(Boolean): Supports the Alerting plugin workflow integration with Security Analytics. Determines whether composite monitor workflows are generated for the Alerting plugin after creating a new threat detector in Security Analytics. When set to true, composite monitor workflows based on an associated threat detector’s configuration are enabled. When set to false, composite monitor workflows based on an associated threat detector’s configuration are disabled. Default is true. For more information about Alerting plugin workflow integration with Security Analytics, see Integrated Alerting plugin workflows.
plugins.security_analytics.correlation_time_window
(Time value): Security Analytics generates correlations within a time window. This setting specifies the time window within which documents must be indexed into the index in order to be included in the same correlation. Default is 5 minutes.
plugins.security_analytics.mappings.default_schema
(String): The default mapping schema used for configuring a field mapping for a security analytics detector. Default is ecs.
plugins.security_analytics.threatintel.tifjob.update_interval
(Time value): The threat intelligence feature uses a job runner to periodically fetch new feeds. This setting is the rate at which the runner fetches and updates these new feeds. Default is 1440 minutes.
plugins.security_analytics.threatintel.tifjob.batch_size
(Integer): The maximum number of documents to ingest in a bulk request during the threat intelligence feed data creation process. Default is 10,000.
plugins.security_analytics.threat_intel_timeout
(Time value): The timeout value for creating and deleting threat intelligence feed data. Default is 30 seconds.
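The history-index lifecycle described by the max_age, max_docs, rollover_period and retention_period settings above, worked through as an added example (this is editor-written code, not part of the Security Analytics plugin or its documentation). It parses the time values these settings take, models when a history index rolls over or is deleted, builds the body for a cluster settings update, and applies two sanity checks that are this example's own assumptions rather than rules the plugin enforces.

```python
import json
import re

# OpenSearch time values as they appear in these settings: "30d", "12h", "60s", "1440m".
_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
PREFIX = "plugins.security_analytics."

# Setting names copied from the page; note that the finding family is not named uniformly.
HISTORY_KEYS = {
    "alert": ("alert_history_max_age", "alert_history_retention_period", "alert_history_rollover_period"),
    "finding": ("finding_history_max_age", "finding_history_retention_period", "alert_finding_rollover_period"),
    "correlation": ("correlation_history_max_age", "correlation_history_retention_period", "correlation_history_rollover_period"),
}

def parse_time_value(value: str) -> int:
    """Convert a time value such as '30d' to seconds; anything else is rejected."""
    m = re.fullmatch(r"(\d+)([dhms])", value.strip())
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]

def should_rollover(index_age: str, doc_count: int, max_age: str, max_docs: int) -> bool:
    """A history index rolls over once it is as old as *_max_age or holds *_max_docs documents."""
    return parse_time_value(index_age) >= parse_time_value(max_age) or doc_count >= max_docs

def should_delete(index_age: str, retention_period: str) -> bool:
    """A history index is deleted once it has been kept for *_retention_period."""
    return parse_time_value(index_age) >= parse_time_value(retention_period)

def cluster_settings_body(settings: dict) -> str:
    """JSON body for PUT _cluster/settings; only Security Analytics keys are accepted."""
    bad = [k for k in settings if not k.startswith(PREFIX)]
    if bad:
        raise ValueError(f"not Security Analytics settings: {bad}")
    return json.dumps({"persistent": settings}, indent=2)

def lifecycle_warnings(settings: dict) -> list:
    """Reviewer sanity checks (assumptions of this example, not plugin-enforced rules):
    retention should be at least max_age, and the rollover job should run no less often than max_age."""
    out = []
    for kind, (age_k, ret_k, roll_k) in HISTORY_KEYS.items():
        age, ret, roll = (settings.get(PREFIX + k) for k in (age_k, ret_k, roll_k))
        if age and ret and parse_time_value(ret) < parse_time_value(age):
            out.append(f"{kind}: retention {ret} is shorter than max_age {age}")
        if age and roll and parse_time_value(roll) > parse_time_value(age):
            out.append(f"{kind}: rollover period {roll} exceeds max_age {age}")
    return out
```

Run lifecycle_warnings on a proposed settings dict before sending cluster_settings_body to the cluster; the defaults on this page (30-day max_age, 12-hour rollover, 60-day retention) produce no warnings.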
To learn more about static and dynamic settings, see Configuring OpenSearch.