[DOC] Ingesting data into security analytics #5705
Open · 1 of 4 tasks

Naarcha-AWS opened this issue Nov 29, 2023 · 0 comments

Labels
1 - Backlog - DOC Doc writer assigned to issue responsible for creating PR. security-analytics
Naarcha-AWS commented Nov 29, 2023

What do you want to do?

  • Request a change to existing documentation
  • Add new documentation
  • Report a technical problem with the documentation
  • Other

Tell us about your request. Provide a summary of the request and all versions that are affected.

Data mappings are useless without data. One of the biggest pain points of Security Analytics users is how to ingest data for use in Security Analytics. To quote one common mantra among users, "No data, No SIEM, No Detection."

To resolve this issue, create an end-to-end guide about ingesting data into Security Analytics. In particular:

  • What APIs, Dashboard elements, or tools, such as Data Prepper or OpenSearch Ingestion Pipelines, can be used to add data to Security Analytics.
  • How to format and map the data.
  • How to set up and create detectors based on logs produced on the data. Some of this is documented on the Creating Detectors page.
  • How to correlate Sigma rules and detectors. Could have some overlaps with issue [DOC] Mapping Sigma rules to OpenSearch #5704. Could also use this blog as a core resource: https://opensearch.org/blog/correlating-security-events/

What other resources are available? Provide links to related issues, POCs, steps for testing, etc.

@Naarcha-AWS Naarcha-AWS added 1 - Backlog - DEV Developer assigned to issue is responsible for creating PR. security-analytics 1 - Backlog - DOC Doc writer assigned to issue responsible for creating PR. and removed untriaged 1 - Backlog - DEV Developer assigned to issue is responsible for creating PR. labels Nov 29, 2023