elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] [Attack discovery] Include the `user.target.name` field in the default Anonymization settings to improve Attack discoveries #193350

Open andrew-goldstein opened 1 month ago

andrew-goldstein commented 1 month ago


Some detection rules make a distinction between the user taking action, and another account that's the target of that action. For example, in the User Added to Privileged Group detection rule:

Include the user.target.name field in the default Anonymization settings to improve Attack discoveries by distinguishing between the user taking action and the target of that action when the user.target.name field is available:

Image

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):

Attack discovery

Kibana/Elasticsearch Stack version:

8.15.1

elasticmachine commented 1 month ago

Pinging @elastic/security-solution (Team: SecuritySolution)

andrew-goldstein commented 1 month ago

Users may manually add the user.target.name field to their default anonymization fields via the following steps:

1) In the Security > Alerts page, locate an alert generated by the User Added to Privileged Group rule, or any alert where the user.target.name field exists (via a user.target.name: * query in the search bar)
2) Click View details to open the alert
3) In the alert details flyout, click the Chat icon to add the alert as context to the security assistant
4) Expand the alert in the assistant by clicking Alert (from summary)
5) Click Edit to edit the anonymization settings
6) Type user.target.name in the Search input
7) Select Allowed and Anonymized (yes) for the user.target.name field
8) Check the Update presets checkbox to apply the update for current & future conversations
9) Click Save
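The following is an added illustrative example, not Kibana's own code, written to show what the Allowed / Anonymized settings above do to an alert before it is shared with the assistant, and why the actor/target distinction from the issue description is lost when user.target.name is not in the settings. The field names follow the issue; the sample alert values, the `anon_N` token format, the `withField` helper and the reverse mapping on replies are assumptions made for this example.

```typescript
// Added example (not Kibana code): per-field anonymization of an alert.
// "allowed" = the field may be sent to the assistant at all;
// "anonymized" = its value is replaced by a token before sending.
interface FieldSetting {
  allowed: boolean;
  anonymized: boolean;
}
type AnonymizationSettings = { [field: string]: FieldSetting };
type FlatAlert = { [field: string]: string };

// Constructed default settings: user.name is sent anonymized,
// user.target.name is not in the list and is therefore never sent.
const defaultSettings: AnonymizationSettings = {
  'event.action': { allowed: true, anonymized: false },
  'rule.name': { allowed: true, anonymized: false },
  'user.name': { allowed: true, anonymized: true },
  'host.name': { allowed: true, anonymized: true },
};

// Helper (assumed, not a Kibana API): copy the settings and set one field.
function withField(base: AnonymizationSettings, field: string, setting: FieldSetting): AnonymizationSettings {
  const copy: AnonymizationSettings = {};
  Object.keys(base).forEach((k) => { copy[k] = base[k]; });
  copy[field] = setting;
  return copy;
}

// Settings after the steps in the issue: user.target.name Allowed + Anonymized.
const updatedSettings = withField(defaultSettings, 'user.target.name', { allowed: true, anonymized: true });

// Constructed sample alert, flattened to dotted field names, shaped like a
// "User Added to Privileged Group" alert. Values are made up.
const sampleAlert: FlatAlert = {
  'event.action': 'added-member-to-group',
  'rule.name': 'User Added to Privileged Group',
  'user.name': 'alice.admin',       // account performing the action
  'user.target.name': 'svc-backup', // account that was added to the group
  'host.name': 'dc01.example.test',
  'group.name': 'Domain Admins',    // not in the settings: dropped entirely
};

class Anonymizer {
  private readonly settings: AnonymizationSettings;
  // real value -> token, kept per conversation so the same value always gets
  // the same token and assistant replies can be mapped back for display
  private readonly tokens: { [value: string]: string } = {};
  private counter = 0;

  constructor(settings: AnonymizationSettings) {
    this.settings = settings;
  }

  private tokenFor(value: string): string {
    if (!Object.prototype.hasOwnProperty.call(this.tokens, value)) {
      this.counter += 1;
      this.tokens[value] = `anon_${this.counter}`;
    }
    return this.tokens[value];
  }

  // Apply the settings: drop fields that are not Allowed, tokenize the
  // Anonymized ones, pass the rest through unchanged.
  anonymize(alert: FlatAlert): FlatAlert {
    const out: FlatAlert = {};
    Object.keys(alert).forEach((field) => {
      const setting = this.settings[field];
      if (!setting || !setting.allowed) return;
      out[field] = setting.anonymized ? this.tokenFor(alert[field]) : alert[field];
    });
    return out;
  }

  // Replace tokens in an assistant reply with the original values.
  // Word boundaries keep anon_1 from matching inside anon_10.
  deanonymize(text: string): string {
    let result = text;
    Object.keys(this.tokens).forEach((value) => {
      result = result.replace(new RegExp(`\\b${this.tokens[value]}\\b`, 'g'), value);
    });
    return result;
  }
}

// With the defaults the assistant sees only one user token and cannot tell
// who acted on whom; with user.target.name included it sees two distinct ones.
console.log(JSON.stringify(new Anonymizer(defaultSettings).anonymize(sampleAlert)));
console.log(JSON.stringify(new Anonymizer(updatedSettings).anonymize(sampleAlert)));
```

Run with `ts-node` or any TypeScript runner; the two printed objects differ only in the presence of `user.target.name`, which is what lets a discovery say "anon_1 added anon_2 to a privileged group" instead of collapsing both accounts into one.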