Index Patterns
Index patterns define which OpenSearch indices contain logs for detection. Each pattern represents a log source type (e.g., Windows logs, network logs).
Understanding Index Patterns
An index pattern tells CHAD:
Which indices contain the logs
What timestamp field to use
How to map Sigma fields to your schema
Auth token for log shipping authentication
Security settings (IP allowlist, rate limiting)
Health thresholds for monitoring
Creating Index Patterns
Navigate to Settings > Index Patterns
Click Create Index Pattern
Fill in the configuration
Click Save
Required Fields
| Field | Description | Example |
|---|---|---|
| Name | Friendly name | Windows Security Logs |
| Index Pattern | OpenSearch index pattern | winlogbeat-* |
| Timestamp Field | Time field name | @timestamp |
Pattern Syntax
Use wildcards to match multiple indices:
| Pattern | Matches |
|---|---|
| logs-* | logs-2024.01, logs-2024.02, etc. |
| winlogbeat-* | All winlogbeat indices |
| auditbeat-*,filebeat-* | Multiple patterns (comma-separated) |
Sigma Logsource Mapping
Link Sigma logsources to index patterns:
# Sigma rule logsource
logsource:
  product: windows
  service: security
In CHAD, map this to your index pattern:
| Sigma Product | Sigma Service | Index Pattern |
|---|---|---|
| windows | security | winlogbeat-* |
| windows | sysmon | sysmon-* |
| linux | auth | filebeat-* |
| network | - | zeek-* |
Rules automatically deploy to matching index patterns.
Log Shipping Authentication
Each index pattern has a unique auth token for authenticating log shipping requests.
Getting the Token
Open the index pattern
Click Settings tab
Copy the Auth Token
Using the Token
Include in the Authorization header when sending logs:
curl -X POST \
-H "Authorization: Bearer YOUR_AUTH_TOKEN" \
-H "Content-Type: application/json" \
-d '[{"@timestamp": "...", "event": {...}}]' \
https://chad.example.com/api/logs/winlogbeat
The auth token is sensitive. Store it securely in your log shipper configuration.
Security Settings
IP Allowlist
Restrict which IPs can send logs to this index pattern:
Open the index pattern
Click Security tab
Add allowed IPs or CIDR ranges
Examples:
Single IP: 192.168.1.100
CIDR range: 10.0.0.0/8
Leave empty to allow all IPs.
Rate Limiting
Prevent log flooding with rate limits:
| Setting | Description | Default |
|---|---|---|
| Requests/minute | Max API requests | 100 |
| Events/minute | Max log events | 50,000 |
Enable rate limiting in the index pattern settings.
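The following is an added illustration, not CHAD's own code: a small gatekeeper that applies the two security settings above to incoming log-shipping requests, an IP allowlist (single IPs or CIDR ranges, empty meaning allow all) and per-minute request and event rate limits with the documented defaults. The class name, the `check` interface and the injected clock are assumptions made for the example.

```python
# Added example (not CHAD's code): apply an index pattern's IP allowlist and
# rate limits to log-shipping requests. Defaults follow this page: 100
# requests/minute and 50,000 events/minute. The time source is passed in so
# the behaviour is deterministic; 'now' is a monotonic time in seconds.
import ipaddress
from collections import deque


class IngestGate:
    def __init__(self, allowlist=(), requests_per_minute=100, events_per_minute=50_000):
        # Accepts single IPs ("192.168.1.100") and CIDR ranges ("10.0.0.0/8").
        self.networks = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
        self.requests_per_minute = requests_per_minute
        self.events_per_minute = events_per_minute
        self._requests = deque()  # timestamps of accepted requests
        self._events = deque()    # (timestamp, event_count) of accepted requests

    def ip_allowed(self, client_ip):
        if not self.networks:  # empty allowlist: all IPs allowed
            return True
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.networks)

    def _prune(self, now):
        # Drop entries older than the 60-second sliding window.
        window_start = now - 60
        while self._requests and self._requests[0] <= window_start:
            self._requests.popleft()
        while self._events and self._events[0][0] <= window_start:
            self._events.popleft()

    def check(self, client_ip, event_count, now):
        """Return (accepted, reason) for a request carrying event_count events."""
        if not self.ip_allowed(client_ip):
            return False, "ip_not_allowed"  # denied IPs consume no rate budget
        self._prune(now)
        if len(self._requests) >= self.requests_per_minute:
            return False, "request_rate_exceeded"
        events_in_window = sum(count for _, count in self._events)
        if events_in_window + event_count > self.events_per_minute:
            return False, "event_rate_exceeded"
        self._requests.append(now)
        self._events.append((now, event_count))
        return True, "accepted"
```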
Field Mapping Configuration
Each index pattern has its own field mappings:
Open the index pattern
Click Field Mappings
Map Sigma fields to your schema
Example mappings:
| Sigma Field | Your Field |
|---|---|
| CommandLine | process.command_line |
| User | user.name |
| SourceIP | source.ip |
See Field Mappings for detailed configuration.
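As an added example (not CHAD's implementation) of how the logsource mapping table and the field mapping table above fit together, the snippet below resolves a Sigma rule's logsource to an index pattern and rewrites the rule's detection field names into the target schema, keeping Sigma modifiers such as `|contains`. The rule is given as an already-parsed dict, and the detection is assumed to use map-style selections.

```python
# Added example (not CHAD's code): resolve a Sigma rule to an index pattern and
# translate its field names using the two mapping tables on this page.

# (product, service) -> index pattern. A service of None stands for the "-"
# row, i.e. rules that specify only a product.
LOGSOURCE_MAP = {
    ("windows", "security"): "winlogbeat-*",
    ("windows", "sysmon"): "sysmon-*",
    ("linux", "auth"): "filebeat-*",
    ("network", None): "zeek-*",
}

# Sigma field -> field in your schema (values taken from the table above).
FIELD_MAP = {
    "CommandLine": "process.command_line",
    "User": "user.name",
    "SourceIP": "source.ip",
}


def resolve_index_pattern(logsource):
    """Return the index pattern a rule deploys to, or None if unmapped."""
    key = (logsource.get("product"), logsource.get("service"))
    return LOGSOURCE_MAP.get(key)


def translate_detection(detection):
    """Rewrite Sigma field names (including 'Field|modifier' keys) to the
    target schema. Raises KeyError on an unmapped field so a missing mapping
    is caught before the rule is deployed instead of silently never matching."""
    translated = {}
    for selection, fields in detection.items():
        if selection == "condition":  # the condition names selections, not fields
            translated[selection] = fields
            continue
        new_fields = {}
        for key, value in fields.items():
            name, _, modifier = key.partition("|")
            if name not in FIELD_MAP:
                raise KeyError(f"no field mapping for Sigma field {name!r}")
            new_key = FIELD_MAP[name] + ("|" + modifier if modifier else "")
            new_fields[new_key] = value
        translated[selection] = new_fields
    return translated
```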
Health Monitoring
Configure health thresholds per index pattern:
| Setting | Description | Default |
|---|---|---|
| No Data Alert | Alert if no logs for N minutes | 15 min |
| Error Rate Threshold | Alert if error rate exceeds % | 5% |
| Latency Warning | Warn if queries exceed ms | 500 ms |
| Latency Critical | Critical if queries exceed ms | 2000 ms |
Example: Strict Monitoring
For critical log sources:
No Data Alert: 5 minutes
Error Rate Threshold: 1%
Latency Warning: 200 ms
Latency Critical: 500 ms
Example: Relaxed Monitoring
For batch or periodic logs:
No Data Alert: 60 minutes
Error Rate Threshold: 10%
Latency Warning: 1000 ms
Latency Critical: 5000 ms
Threat Intelligence
Enable TI enrichment per index pattern:
Open the index pattern
Click Threat Intelligence
Select which TI sources to use
Map fields for IOC extraction
IOC Field Mapping:
| IOC Type | Your Field |
|---|---|
| IP Address | source.ip, destination.ip |
| Domain | dns.question.name |
| URL | url.original |
| Hash | file.hash.sha256 |
Managing Index Patterns
Edit
Click the index pattern
Modify settings
Save changes
Changes take effect immediately for new alerts.
Delete
Click the index pattern
Click Delete
Confirm deletion
Deleting an index pattern removes associated percolators. Rules remain but become undeployed.
Disable
Temporarily disable without deleting:
Click the index pattern
Toggle Enabled off
Detection pauses for this pattern
Index Pattern vs OpenSearch Index
| Concept | Description |
|---|---|
| OpenSearch Index | Actual data storage in OpenSearch |
| Index Pattern | CHAD configuration pointing to indices |
CHAD doesn’t create data indices—it uses existing ones created by your log shipper.
Common Patterns
Elastic Beats
winlogbeat-* # Windows Event Logs
auditbeat-* # Linux Audit
filebeat-* # Various file-based logs
packetbeat-* # Network traffic
Fluentd
logs-windows-* # Windows logs via Fluentd
logs-linux-* # Linux logs via Fluentd
Custom
security-events-* # Custom security events
network-traffic-* # Network flow data
cloud-audit-* # Cloud provider audit logs
Troubleshooting
No indices found
Verify the pattern matches actual indices
Check OpenSearch permissions
Test with GET _cat/indices/your-pattern-*
Rules not matching
Verify logsource mapping
Check field mappings
Test with sample logs
Health alerts firing
Check if logs are actually flowing
Verify timestamp field is correct
Adjust thresholds for your volume
Next Steps
Field Mappings: configure field translation
Health Monitoring: configure monitoring thresholds