Open andrew-goldstein opened 1 month ago
Pinging @elastic/security-solution (Team: SecuritySolution)
[Security Solution] [Attack discovery] Include the user.target.name field in the default Anonymization settings to improve Attack discoveries

Some detection rules make a distinction between the user taking action, and another account that's the target of that action. For example, in the User Added to Privileged Group detection rule:

- The user.name field in the alert identifies the account taking action; in this example, the user adding a member to the Administrators group
- The user.target.name field in the alert specifies the account that's the target of the action; in this example, it's the account being added to the Administrators group

Include the user.target.name field in the default Anonymization settings to improve Attack discoveries by distinguishing between the user taking action and the target of that action when the user.target.name field is available.

Users may manually add the user.target.name field to their default anonymization fields via the following steps:

1) In the Security > Alerts page, locate an alert generated by the User Added to Privileged Group rule, or any alert where the user.target.name field exists (via a user.target.name: * query in the search bar)
2) Click View details to open the alert
3) In the alert details flyout, click the Chat icon to add the alert as context to the security assistant
4) Expand the alert in the assistant by clicking Alert (from summary)
5) Click Edit to edit the anonymization settings
6) Type user.target.name in the Search input
7) Select Allowed and Anonymized (yes) for the user.target.name field
8) Check the Update presets checkbox to apply the update for current & future conversations
9) Click Save

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):
Attack discovery

Kibana/Elasticsearch Stack version:
8.15.1
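The per-field Allowed and Anonymized settings the issue describes, as an added example that is not Kibana's own code: a small TypeScript model of the default field set without user.target.name beside the proposed one with it, applied to a constructed alert modelled on the User Added to Privileged Group rule. The config shape, the sample alert values and the anon_N pseudonym scheme are assumptions made for illustration; only the ECS field names come from the issue.

```typescript
// Added example (not Kibana's own code): per-field "Allowed"/"Anonymized"
// settings applied to an alert. ECS field names are real; the config shape,
// sample values and pseudonym scheme are constructed for illustration.
type AnonymizationConfig = {
  allowed: string[];    // fields forwarded to the model at all
  anonymized: string[]; // subset of allowed whose values are replaced
};
// Constructed alert, modelled on the "User Added to Privileged Group" rule.
const SAMPLE_ALERT: Record<string, string> = {
  'kibana.alert.rule.name': 'User Added to Privileged Group',
  'user.name': 'jdoe',              // account taking the action
  'user.target.name': 'svc-backup', // account added to the group
  'group.name': 'Administrators',
  'host.name': 'dc01',
};
// Defaults as the issue describes them: user.name present, user.target.name absent.
const DEFAULT_CONFIG: AnonymizationConfig = {
  allowed: ['kibana.alert.rule.name', 'user.name', 'group.name', 'host.name'],
  anonymized: ['user.name', 'host.name'],
};
// The requested change: user.target.name both allowed and anonymized.
const PROPOSED_CONFIG: AnonymizationConfig = {
  allowed: DEFAULT_CONFIG.allowed.concat('user.target.name'),
  anonymized: DEFAULT_CONFIG.anonymized.concat('user.target.name'),
};
// Disallowed fields are dropped; anonymized fields get a pseudonym that is stable
// per raw value, so the model can still tell actor and target are two accounts.
function anonymizeAlert(
  doc: Record<string, string>,
  config: AnonymizationConfig,
  replacements: Record<string, string> = {}
): Record<string, string> {
  const out: Record<string, string> = {};
  for (const field of Object.keys(doc)) {
    const value = doc[field];
    if (config.allowed.indexOf(field) === -1) continue; // not allowed: dropped
    if (config.anonymized.indexOf(field) === -1) {
      out[field] = value; // allowed but not anonymized: sent as-is
      continue;
    }
    // hasOwnProperty guards against inherited keys such as "constructor"
    if (!Object.prototype.hasOwnProperty.call(replacements, value)) {
      replacements[value] = 'anon_' + (Object.keys(replacements).length + 1);
    }
    out[field] = replacements[value];
  }
  return out;
}
```

With DEFAULT_CONFIG the target account never reaches the model at all; with PROPOSED_CONFIG it arrives as a second, distinct pseudonym, which is the distinction the issue wants Attack discovery to keep.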