Closed w0rk3r closed 5 months ago
@andrewkroh WDYT about increasing or removing the ignore_above for this field to pave the way for some detection rules based on this field? @w0rk3r based on what you've seen, is there a limit you'd recommend for ignore_above or is it too difficult to say?
We may also require to change the type, similar to what we have done in https://github.com/elastic/integrations/issues/1776
Would a match_only_text
data type be best for the types of searches you want to do? Perhaps we could create a multi-field where winlog.event_data.AttributeValue.text
is match_only_text.
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Would a match_only_text data type be best for the types of searches you want to do? Perhaps we could create a multi-field where winlog.event_data.AttributeValue.text is match_only_text.
@andrewkroh match_only_text data type doesn't support analyzers? I think we will have trouble searching through the security descriptors as -
, ;;
, ()
are very relevant here and they are ignored by the standard analyzer as far as I remember. I like the idea of having a new field (multi) to not break anything
You're right. So I think we need to work on the configuration of an analyzer that can split the SDDL string. Here's an analyzer I was playing with that might work for this. We might need to create a separate field that specifically holds security descriptors because IIUC the AttributeValue
field could hold other types of values that are not security descriptors and hence the SDDL custom analyzer wouldn't be applicable?
IIUC the AttributeValue field could hold other types of values that are not security descriptors and hence the SDDL custom analyzer wouldn't be applicable?
Yup, I mean an analyzer similar to what we've done to PowerShell stuff in https://github.com/elastic/integrations/pull/1931/files to not split on these chars so we can search for SIDs for example, or specific strings that contain those characters
@andrewkroh @jamiehynds just a ping around this, as it is blocking some use cases we want to develop😅
@nfritts is this something your team could look into? It's currently blocking some important detection rules the TRADE team want to develop.
The problem
We need to cover some security descriptor changes in Active Directory events (and other use cases that use this field), and with the current dynamic parsing, we cannot search this field as it often contains more than 1024 chars, and if we could, the keyword field type would make us unable to do partial matches efficiently (they need to be case-insensitive).