# Index Patterns
Index patterns define which OpenSearch indices contain logs for detection. Each pattern represents a log source type (e.g., Windows logs, network logs).
## Understanding Index Patterns
An index pattern tells CHAD:
- Which indices contain the logs
- What timestamp field to use
- How to map Sigma fields to your schema
- The auth token that authenticates log shipping requests
- Security settings (IP allowlist, rate limiting)
- Health thresholds for monitoring
## Creating Index Patterns
- Navigate to Settings > Index Patterns
- Click Create Index Pattern
- Fill in the configuration
- Click Save
### Required Fields
| Field | Description | Example |
|---|---|---|
| Name | Friendly name | Windows Security Logs |
| Index Pattern | OpenSearch index pattern | `winlogbeat-*` |
| Timestamp Field | Time field name | `@timestamp` |
### Pattern Syntax
Use wildcards to match multiple indices:
| Pattern | Matches |
|---|---|
| `logs-*` | logs-2024.01, logs-2024.02, etc. |
| `winlogbeat-*` | All winlogbeat indices |
| `auditbeat-*,filebeat-*` | Multiple patterns (comma-separated) |
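The following is an added example (not CHAD's own code) of how the pattern syntax above resolves against a list of index names: `*` is the only wildcard, everything else is literal, and a comma separates alternatives. It also flags two things worth checking before saving a pattern, a pattern that matches nothing and one broad enough to pull in dotted system indices. The index names are constructed.

```python
"""Resolve CHAD-style index patterns against a list of index names.

Added example, not CHAD's own code. Assumes the syntax shown on the page:
'*' is the only wildcard and ',' separates alternative patterns.
"""
import re


def split_patterns(pattern: str) -> list:
    """'auditbeat-*,filebeat-*' -> ['auditbeat-*', 'filebeat-*']."""
    return [p.strip() for p in pattern.split(",") if p.strip()]


def _compile(subpattern: str) -> "re.Pattern":
    # Every character except '*' is literal, so escape the pieces and join them with '.*'.
    return re.compile("^" + ".*".join(re.escape(part) for part in subpattern.split("*")) + "$")


def matching_indices(pattern: str, indices: list) -> list:
    """Indices matched by any sub-pattern, in the order they were listed."""
    compiled = [_compile(p) for p in split_patterns(pattern)]
    return [name for name in indices if any(rx.match(name) for rx in compiled)]


def check_pattern(pattern: str, indices: list) -> list:
    """Warnings a practitioner would want before saving the pattern."""
    matched = matching_indices(pattern, indices)
    warnings = []
    if not matched:
        warnings.append(f"{pattern!r} matches no existing index")
    # Indices whose names start with '.' are internal (Dashboards state, security config);
    # a detection pattern normally should not read them.
    hidden = [n for n in matched if n.startswith(".")]
    if hidden:
        warnings.append(f"{pattern!r} also matches system indices: {hidden}")
    return warnings


# Constructed index names, in the shape `GET _cat/indices` would list them.
SAMPLE_INDICES = [
    "logs-2024.01", "logs-2024.02", "winlogbeat-2024.03.01",
    "auditbeat-2024.03.01", "filebeat-2024.03.01", ".kibana_1",
]

if __name__ == "__main__":
    for pat in ("logs-*", "winlogbeat-*", "auditbeat-*,filebeat-*", "*", "nothing-*"):
        print(pat, "->", matching_indices(pat, SAMPLE_INDICES), check_pattern(pat, SAMPLE_INDICES))
```

Running it with the index list from your own cluster (the output of `GET _cat/indices`) gives a quick answer to the "No indices found" case in Troubleshooting before the pattern is saved.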
## Sigma Logsource Mapping
Link Sigma logsources to index patterns:
```yaml
# Sigma rule logsource
logsource:
  product: windows
  service: security
```
In CHAD, map this to your index pattern:
| Sigma Product | Sigma Service | Index Pattern |
|---|---|---|
| windows | security | `winlogbeat-*` |
| windows | sysmon | `sysmon-*` |
| linux | auth | `filebeat-*` |
| network | - | `zeek-*` |
Rules automatically deploy to matching index patterns.
## Log Shipping Authentication
Each index pattern has a unique auth token for authenticating log shipping requests.
### Getting the Token
- Open the index pattern
- Click Settings tab
- Copy the Auth Token
### Using the Token
Include in the Authorization header when sending logs:
```bash
curl -X POST \
  -H "Authorization: Bearer YOUR_AUTH_TOKEN" \
  -H "Content-Type: application/json" \
  -d '[{"@timestamp": "...", "event": {...}}]' \
  https://chad.example.com/api/logs/winlogbeat
```
The auth token is sensitive. Store it securely in your log shipper configuration.
## Security Settings
### IP Allowlist
Restrict which IPs can send logs to this index pattern:
- Open the index pattern
- Click Security tab
- Add allowed IPs or CIDR ranges
Examples:
- Single IP: `192.168.1.100`
- CIDR range: `10.0.0.0/8`
Leave empty to allow all IPs.
### Rate Limiting
Prevent log flooding with rate limits:
| Setting | Description | Default |
|---|---|---|
| Requests/minute | Max API requests | 100 |
| Events/minute | Max log events | 50,000 |
Enable rate limiting in the index pattern settings.
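The three controls described in this section (the per-pattern bearer token, the IP allowlist and the per-minute rate limits) are enforced on the receiving side of the `/api/logs/...` endpoint. The following is an added example, not CHAD's own code, of how such a guard can be written for one index pattern. The token, addresses and limits are constructed; the defaults match the table above. Note the token comparison uses a constant-time compare, and that the allowlist is evaluated before the token so hosts outside it never reach the token check.

```python
"""Server-side admission checks for a CHAD-style log shipping endpoint.

Added example, not CHAD's own code. One instance guards one index pattern.
Token, addresses and limits in the usage below are constructed.
"""
import hmac
import ipaddress
from collections import deque
from typing import Optional


class IndexPatternGuard:
    def __init__(self, auth_token: str, allowlist=(), requests_per_minute=100, events_per_minute=50_000):
        self.auth_token = auth_token
        # Single IPs and CIDR ranges are both accepted; a bare IP becomes a /32 (or /128).
        self.networks = [ipaddress.ip_network(a, strict=False) for a in allowlist]
        self.requests_per_minute = requests_per_minute
        self.events_per_minute = events_per_minute
        self._requests = deque()  # (timestamp, 1) per accepted request
        self._events = deque()    # (timestamp, event_count) per accepted request

    def ip_allowed(self, client_ip: str) -> bool:
        if not self.networks:
            return True  # empty allowlist allows all IPs, as the page states
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.networks)

    def check_token(self, authorization_header: Optional[str]) -> bool:
        if not authorization_header:
            return False
        scheme, _, token = authorization_header.partition(" ")
        if scheme.lower() != "bearer":
            return False
        # Constant-time comparison: a plain '==' leaks how many leading bytes matched.
        return hmac.compare_digest(token.encode(), self.auth_token.encode())

    def within_rate(self, event_count: int, now: float) -> bool:
        """Sliding one-minute window over both requests and events; records the request if admitted."""
        cutoff = now - 60
        for queue in (self._requests, self._events):
            while queue and queue[0][0] < cutoff:
                queue.popleft()
        requests_used = sum(c for _, c in self._requests)
        events_used = sum(c for _, c in self._events)
        if requests_used + 1 > self.requests_per_minute or events_used + event_count > self.events_per_minute:
            return False
        self._requests.append((now, 1))
        self._events.append((now, event_count))
        return True

    def admit(self, client_ip: str, authorization_header: Optional[str], event_count: int, now: float) -> str:
        """Returns the HTTP status the request should get, with a short reason."""
        if not self.ip_allowed(client_ip):
            return "403 ip-not-allowed"
        if not self.check_token(authorization_header):
            return "401 bad-token"
        if not self.within_rate(event_count, now):
            return "429 rate-limited"
        return "200 accepted"


if __name__ == "__main__":
    guard = IndexPatternGuard("tok-constructed", ["192.168.1.100", "10.0.0.0/8"], requests_per_minute=2, events_per_minute=100)
    print(guard.admit("10.1.2.3", "Bearer tok-constructed", 40, now=0.0))
    print(guard.admit("172.16.0.1", "Bearer tok-constructed", 1, now=0.0))
```

Only admitted requests count toward the quota here; a deployment that also counts rejected token checks will additionally throttle repeated bad-token attempts from an allowlisted host.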
## Field Mapping Configuration
Each index pattern has its own field mappings:
- Open the index pattern
- Click Field Mappings
- Map Sigma fields to your schema
Example mappings:
| Sigma Field | Your Field |
|---|---|
| CommandLine | `process.command_line` |
| User | `user.name` |
| SourceIP | `source.ip` |
See Field Mappings for detailed configuration.
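The two mapping tables on this page, logsource to index pattern (Sigma Logsource Mapping) and Sigma field to your schema (Field Mapping Configuration), are what turn a rule into something that can run against your indices. The following added example (not CHAD's own code) carries both tables as data and shows the steps a deployment performs: pick the index pattern for a rule's logsource, rename the fields in its selection, and evaluate the result against a sample event. The rule is shown already parsed, as `yaml.safe_load` would return it; the rule and the event are constructed.

```python
"""Route a Sigma rule to an index pattern and translate its field names.

Added example, not CHAD's own code. LOGSOURCE_MAP and FIELD_MAP are the
tables from this page; the routing, translation and matching logic is an
illustration of what happens at deployment. RULE and SAMPLE_EVENT are constructed.
"""
from typing import Optional

# Sigma (product, service) -> index pattern. '-' on the page means no service (None here).
LOGSOURCE_MAP = {
    ("windows", "security"): "winlogbeat-*",
    ("windows", "sysmon"): "sysmon-*",
    ("linux", "auth"): "filebeat-*",
    ("network", None): "zeek-*",
}

# Sigma field -> field in your schema (ECS-style names, as in the page's examples).
FIELD_MAP = {
    "CommandLine": "process.command_line",
    "User": "user.name",
    "SourceIP": "source.ip",
}


def index_pattern_for(logsource: dict) -> Optional[str]:
    """Exact product/service match first, then a product-only entry; None if unmapped."""
    product, service = logsource.get("product"), logsource.get("service")
    return LOGSOURCE_MAP.get((product, service)) or LOGSOURCE_MAP.get((product, None))


def unmapped_fields(selection: dict, field_map: dict) -> list:
    """Sigma fields in a selection that have no entry in the field mapping."""
    return [k.partition("|")[0] for k in selection if k.partition("|")[0] not in field_map]


def translate_selection(selection: dict, field_map: dict) -> dict:
    """Rename Sigma fields to the target schema, keeping any '|modifier' suffix."""
    missing = unmapped_fields(selection, field_map)
    if missing:
        raise KeyError(f"no mapping for Sigma field(s) {missing}; add them under Field Mappings")
    out = {}
    for key, value in selection.items():
        field, sep, modifier = key.partition("|")
        out[field_map[field] + sep + modifier] = value
    return out


def get_path(event: dict, dotted: str):
    """Resolve 'process.command_line' against a nested event; None if absent."""
    current = event
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def matches(event: dict, translated: dict) -> bool:
    """AND over fields, OR over list values; 'contains' is substring, otherwise equality.
    Comparisons are case-insensitive, as Sigma string matching is by default."""
    for key, expected in translated.items():
        field, _, modifier = key.partition("|")
        actual = get_path(event, field)
        if actual is None:
            return False
        haystack = str(actual).lower()
        candidates = [str(v).lower() for v in (expected if isinstance(expected, list) else [expected])]
        hit = any(c in haystack for c in candidates) if modifier == "contains" else haystack in candidates
        if not hit:
            return False
    return True


# Constructed Sigma rule (already parsed) and a constructed ECS-style event.
RULE = {
    "title": "whoami executed under the SYSTEM account",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"CommandLine|contains": "whoami", "User": "SYSTEM"},
        "condition": "selection",
    },
}
SAMPLE_EVENT = {
    "@timestamp": "2024-03-01T12:00:00Z",
    "process": {"command_line": "cmd.exe /c whoami /all"},
    "user": {"name": "SYSTEM"},
}

if __name__ == "__main__":
    target = index_pattern_for(RULE["logsource"])
    translated = translate_selection(RULE["detection"]["selection"], FIELD_MAP)
    print(f"deploy to {target}: {translated} -> match={matches(SAMPLE_EVENT, translated)}")
```

A rule whose logsource has no row in the table gets no index pattern and therefore never deploys, and a selection that uses a Sigma field without a mapping fails at translation; both correspond to the "Rules not matching" entries in Troubleshooting.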
## Health Monitoring
Configure health thresholds per index pattern:
| Setting | Description | Default |
|---|---|---|
| No Data Alert | Alert if no logs for N minutes | 15 min |
| Error Rate Threshold | Alert if error rate exceeds % | 5% |
| Latency Warning | Warn if queries exceed ms | 500 ms |
| Latency Critical | Critical if queries exceed ms | 2000 ms |
### Example: Strict Monitoring
For critical log sources:
```text
No Data Alert: 5 minutes
Error Rate Threshold: 1%
Latency Warning: 200 ms
Latency Critical: 500 ms
```
### Example: Relaxed Monitoring
For batch or periodic logs:
```text
No Data Alert: 60 minutes
Error Rate Threshold: 10%
Latency Warning: 1000 ms
Latency Critical: 5000 ms
```
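To see how the same observations fare under the default, strict and relaxed profiles, here is an added example (not CHAD's own code) that evaluates the thresholds from the tables above. The age of the newest event is derived from the configured timestamp field, so a misconfigured field name shows up as a no-data alert rather than passing silently; that is the "Verify timestamp field is correct" step from Troubleshooting. The profile numbers are the page's; the event, metrics and clock are constructed.

```python
"""Evaluate per-pattern health thresholds against observed metrics.

Added example, not CHAD's own code. DEFAULT, STRICT and RELAXED carry the
page's numbers; NOW, SAMPLE_NEWEST_EVENT and the metrics are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class HealthThresholds:
    no_data_minutes: int
    error_rate_pct: float
    latency_warning_ms: int
    latency_critical_ms: int


DEFAULT = HealthThresholds(15, 5.0, 500, 2000)
STRICT = HealthThresholds(5, 1.0, 200, 500)
RELAXED = HealthThresholds(60, 10.0, 1000, 5000)


def minutes_since(newest_event: dict, timestamp_field: str, now: datetime) -> Optional[float]:
    """Age of the newest event in minutes; None if the timestamp field is absent or unparseable."""
    raw = newest_event.get(timestamp_field)
    if not isinstance(raw, str):
        return None
    try:
        ts = datetime.fromisoformat(raw.replace("Z", "+00:00"))  # ISO 8601 with UTC 'Z'
    except ValueError:
        return None
    return (now - ts).total_seconds() / 60


def evaluate(th: HealthThresholds, age_minutes: Optional[float], error_rate_pct: float, latency_ms: float) -> list:
    """Findings as 'severity: reason' strings; an empty list means healthy."""
    findings = []
    if age_minutes is None:
        # No usable timestamp means we cannot prove data is flowing: treat as no data.
        findings.append("critical: timestamp field missing or unparseable (treated as no data)")
    elif age_minutes >= th.no_data_minutes:
        findings.append(f"critical: no data for {age_minutes:.0f} min (limit {th.no_data_minutes})")
    if error_rate_pct > th.error_rate_pct:
        findings.append(f"alert: error rate {error_rate_pct}% exceeds {th.error_rate_pct}%")
    if latency_ms > th.latency_critical_ms:
        findings.append(f"critical: query latency {latency_ms} ms exceeds {th.latency_critical_ms} ms")
    elif latency_ms > th.latency_warning_ms:
        findings.append(f"warning: query latency {latency_ms} ms exceeds {th.latency_warning_ms} ms")
    return findings


def status(findings: list) -> str:
    """Worst severity present, or 'ok'."""
    for level in ("critical", "alert", "warning"):
        if any(f.startswith(level) for f in findings):
            return level
    return "ok"


# Constructed clock and newest event; the event is 10 minutes old.
NOW = datetime(2024, 3, 1, 12, 30, tzinfo=timezone.utc)
SAMPLE_NEWEST_EVENT = {"@timestamp": "2024-03-01T12:20:00Z"}

if __name__ == "__main__":
    age = minutes_since(SAMPLE_NEWEST_EVENT, "@timestamp", NOW)
    for name, th in (("default", DEFAULT), ("strict", STRICT), ("relaxed", RELAXED)):
        findings = evaluate(th, age, error_rate_pct=2.0, latency_ms=300)
        print(name, status(findings), findings)
```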
## Threat Intelligence
Enable TI enrichment per index pattern:
- Open the index pattern
- Click Threat Intelligence
- Select which TI sources to use
- Map fields for IOC extraction
IOC Field Mapping:
| IOC Type | Your Field |
|---|---|
| IP Address | `source.ip`, `destination.ip` |
| Domain | `dns.question.name` |
| URL | `url.original` |
| Hash | `file.hash.sha256` |
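The IOC field mapping tells the enrichment step where in each event to look for each indicator type. The following added example (not CHAD's own code) walks an event with that mapping, normalises what it finds so that feed values and event values compare equal, and reports the values present in a TI set. It assumes a comma-separated entry means "any of these fields"; the event and the indicator set are constructed.

```python
"""Extract IOCs from an event using the IOC field mapping and look them up in a TI set.

Added example, not CHAD's own code. IOC_FIELD_MAP is the page's table;
SAMPLE_EVENT and INDICATORS are constructed. Values are normalised so letter
case, a trailing dot on a domain, or a long-form IPv6 address do not hide a hit.
"""
import ipaddress
from functools import reduce

IOC_FIELD_MAP = {
    "IP Address": "source.ip, destination.ip",
    "Domain": "dns.question.name",
    "URL": "url.original",
    "Hash": "file.hash.sha256",
}


def value_at(event: dict, dotted: str):
    """Resolve a dotted path against a nested dict; None when any part is missing."""
    return reduce(lambda d, k: d.get(k) if isinstance(d, dict) else None, dotted.split("."), event)


def normalise(ioc_type: str, value: str) -> str:
    if ioc_type == "IP Address":
        try:
            return str(ipaddress.ip_address(value))  # canonical text form, e.g. compressed IPv6
        except ValueError:
            return value  # leave malformed addresses visible rather than dropping them
    if ioc_type in ("Domain", "Hash"):
        return value.lower().rstrip(".")
    return value  # URLs are compared as-is


def extract_iocs(event: dict, field_map: dict = IOC_FIELD_MAP) -> dict:
    """{ioc_type: set of normalised values found in the event}."""
    found = {}
    for ioc_type, fields in field_map.items():
        values = set()
        for field in (f.strip() for f in fields.split(",")):
            raw = value_at(event, field)
            if raw is None:
                continue
            for item in (raw if isinstance(raw, list) else [raw]):  # ECS fields may be arrays
                values.add(normalise(ioc_type, str(item)))
        if values:
            found[ioc_type] = values
    return found


def enrich(event: dict, indicators: dict) -> list:
    """Sorted (ioc_type, value) pairs present both in the event and in the TI set."""
    hits = []
    for ioc_type, values in extract_iocs(event).items():
        known = {normalise(ioc_type, v) for v in indicators.get(ioc_type, ())}
        hits.extend((ioc_type, v) for v in sorted(values & known))
    return sorted(hits)


# Constructed ECS-style event and a constructed indicator set (documentation ranges and names).
SAMPLE_EVENT = {
    "@timestamp": "2024-03-01T12:00:00Z",
    "source": {"ip": "10.0.0.5"},
    "destination": {"ip": "198.51.100.23"},
    "dns": {"question": {"name": "Bad-Example.TEST."}},
    "url": {"original": "http://bad-example.test/index.html"},
    "file": {"hash": {"sha256": "AB" * 32}},
}
INDICATORS = {
    "IP Address": {"198.51.100.23"},
    "Domain": {"bad-example.test"},
    "Hash": {"ab" * 32},
}

if __name__ == "__main__":
    print(extract_iocs(SAMPLE_EVENT))
    print(enrich(SAMPLE_EVENT, INDICATORS))
```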
## Managing Index Patterns
### Edit
- Click the index pattern
- Modify settings
- Save changes
Changes take effect immediately for new alerts.
### Delete
- Click the index pattern
- Click Delete
- Confirm deletion
Deleting an index pattern removes associated percolators. Rules remain but become undeployed.
### Disable
Temporarily disable without deleting:
- Click the index pattern
- Toggle Enabled off
Detection pauses for this pattern.
## Index Pattern vs OpenSearch Index
| Concept | Description |
|---|---|
| OpenSearch Index | Actual data storage in OpenSearch |
| Index Pattern | CHAD configuration pointing to indices |
CHAD doesn't create data indices; it uses the existing ones created by your log shipper.
## Common Patterns
### Elastic Beats
```text
winlogbeat-*   # Windows Event Logs
auditbeat-*    # Linux Audit
filebeat-*     # Various file-based logs
packetbeat-*   # Network traffic
```
### Fluentd
```text
logs-windows-*   # Windows logs via Fluentd
logs-linux-*     # Linux logs via Fluentd
```
### Custom
```text
security-events-*   # Custom security events
network-traffic-*   # Network flow data
cloud-audit-*       # Cloud provider audit logs
```
## Troubleshooting
### No indices found
- Verify the pattern matches actual indices
- Check OpenSearch permissions
- Test with `GET _cat/indices/your-pattern-*`
### Rules not matching
- Verify logsource mapping
- Check field mappings
- Test with sample logs
### Health alerts firing
- Check if logs are actually flowing
- Verify the timestamp field is correct
- Adjust thresholds for your volume
## Next Steps