Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[8.x] [Security Solution] [Attack discovery] Includes the `user.…
…target.name` field in the default Anonymization allow list to improve Attack discoveries (#193496) (#193564) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution] [Attack discovery] Includes the `user.target.name` field in the default Anonymization allow list to improve Attack discoveries (#193496)](#193496) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Andrew Macri","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-09-20T12:45:41Z","message":"[Security Solution] [Attack discovery] Includes the `user.target.name` field in the default Anonymization allow list to improve Attack discoveries (#193496)\n\n## [Security Solution] [Attack discovery] Includes the `user.target.name` field in the default Anonymization allow list to improve Attack discoveries\r\n\r\n### Summary\r\n\r\nThis PR implements <#193350> by adding the `user.target.name` field to the default Anonymization allow list.\r\n\r\nThe `user.target.name` field will be allowed and anonymized by default.\r\n\r\nThe _Background_ section below describes the purpose of this field, and how it improves Attack discoveries.\r\n\r\n### Background\r\n\r\nIn the Elastic Common Schema (ECS), the `user.target.name` field represents the targeted user of an action taken. It is a member of the [Field sets that can be nested under User](https://www.elastic.co/guide/en/ecs/current/ecs-user.html#ecs-user-nestings).\r\n\r\nSome detection rules make a distinction between the user taking action, and another account that's the _target_ of that action.\r\n\r\nFor example, in the [User Added to Privileged Group](https://www.elastic.co/guide/en/security/current/user-added-to-privileged-group.html) detection rule:\r\n\r\n- The `user.name` field in the alert identifies the account taking action; in this example the user _adding_ a member to the `Administrators` group\r\n- The `user.target.name` field in the alert specifies the account that's the _target_ of the action; in this example it's the account _being added to_ the `Administrators` group\r\n\r\nIncluding the `user.target.name` field in the default Anonymization settings improves Attack discoveries, because it enables the model to distinguish between the user taking action and the target of that action when the `user.target.name` field is available, as illustrated by the _Before_ and _After_ images below:\r\n\r\n**Before**\r\n\r\n![before](https://github.com/user-attachments/assets/440d25ee-0d91-4c2a-8763-ae6ee2d6a572)\r\n\r\n**After**\r\n\r\n![after](https://github.com/user-attachments/assets/d241be88-1cb1-4e13-a9ae-6328407c26ee)\r\n\r\n### Desk testing\r\n\r\n1) Start a new (development) instance of Elasticsearch:\r\n\r\n```sh\r\nyarn es snapshot -E path.data=/Users/$USERNAME/data-2024-09-19a\r\n```\r\n\r\n2) Start a local (development) instance of Kibana:\r\n\r\n```\r\nyarn start --no-base-path\r\n````\r\n\r\n3) Login to Kibana as the `elastic` user\r\n\r\n4) Navigate to Stack Management > License management\r\n\r\n5) Click Start trial\r\n\r\n6) Navigate to Stack Management > AI Assistants\r\n\r\n7) Click `Manage Settings` for the security assistant\r\n\r\n8) Click Anonymization\r\n\r\n9) Enter `user.target.name` in the search field\r\n\r\n**Expected results**\r\n\r\n- The `user.target.name` field is `Allowed`\r\n- The `user.target.name` field is `Anonymized`\r\n\r\nas illustrated by the screenshot below:\r\n\r\n![anonymization_settings](https://github.com/user-attachments/assets/625dda96-d77a-416f-b78b-d4ef57fd4890)","sha":"349a30789075f0ef907608987f8cb77247c5e8e3","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","v9.0.0","Team: SecuritySolution","backport:prev-minor","Team:Security Generative AI","v8.16.0","v8.15.2"],"title":"[Security Solution] [Attack discovery] Includes the `user.target.name` field in the default Anonymization allow list to improve Attack discoveries","number":193496,"url":"https://github.com/elastic/kibana/pull/193496","mergeCommit":{"message":"[Security Solution] [Attack discovery] Includes the `user.target.name` field in the default Anonymization allow list to improve Attack discoveries (#193496)\n\n## [Security Solution] [Attack discovery] Includes the `user.target.name` field in the default Anonymization allow list to improve Attack discoveries\r\n\r\n### Summary\r\n\r\nThis PR implements <#193350> by adding the `user.target.name` field to the default Anonymization allow list.\r\n\r\nThe `user.target.name` field will be allowed and anonymized by default.\r\n\r\nThe _Background_ section below describes the purpose of this field, and how it improves Attack discoveries.\r\n\r\n### Background\r\n\r\nIn the Elastic Common Schema (ECS), the `user.target.name` field represents the targeted user of an action taken. It is a member of the [Field sets that can be nested under User](https://www.elastic.co/guide/en/ecs/current/ecs-user.html#ecs-user-nestings).\r\n\r\nSome detection rules make a distinction between the user taking action, and another account that's the _target_ of that action.\r\n\r\nFor example, in the [User Added to Privileged Group](https://www.elastic.co/guide/en/security/current/user-added-to-privileged-group.html) detection rule:\r\n\r\n- The `user.name` field in the alert identifies the account taking action; in this example the user _adding_ a member to the `Administrators` group\r\n- The `user.target.name` field in the alert specifies the account that's the _target_ of the action; in this example it's the account _being added to_ the `Administrators` group\r\n\r\nIncluding the `user.target.name` field in the default Anonymization settings improves Attack discoveries, because it enables the model to distinguish between the user taking action and the target of that action when the `user.target.name` field is available, as illustrated by the _Before_ and _After_ images below:\r\n\r\n**Before**\r\n\r\n![before](https://github.com/user-attachments/assets/440d25ee-0d91-4c2a-8763-ae6ee2d6a572)\r\n\r\n**After**\r\n\r\n![after](https://github.com/user-attachments/assets/d241be88-1cb1-4e13-a9ae-6328407c26ee)\r\n\r\n### Desk testing\r\n\r\n1) Start a new (development) instance of Elasticsearch:\r\n\r\n```sh\r\nyarn es snapshot -E path.data=/Users/$USERNAME/data-2024-09-19a\r\n```\r\n\r\n2) Start a local (development) instance of Kibana:\r\n\r\n```\r\nyarn start --no-base-path\r\n````\r\n\r\n3) Login to Kibana as the `elastic` user\r\n\r\n4) Navigate to Stack Management > License management\r\n\r\n5) Click Start trial\r\n\r\n6) Navigate to Stack Management > AI Assistants\r\n\r\n7) Click `Manage Settings` for the security assistant\r\n\r\n8) Click Anonymization\r\n\r\n9) Enter `user.target.name` in the search field\r\n\r\n**Expected results**\r\n\r\n- The `user.target.name` field is `Allowed`\r\n- The `user.target.name` field is `Anonymized`\r\n\r\nas illustrated by the screenshot below:\r\n\r\n![anonymization_settings](https://github.com/user-attachments/assets/625dda96-d77a-416f-b78b-d4ef57fd4890)","sha":"349a30789075f0ef907608987f8cb77247c5e8e3"}},"sourceBranch":"main","suggestedTargetBranches":["8.x","8.15"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/193496","number":193496,"mergeCommit":{"message":"[Security Solution] [Attack discovery] Includes the `user.target.name` field in the default Anonymization allow list to improve Attack discoveries (#193496)\n\n## [Security Solution] [Attack discovery] Includes the `user.target.name` field in the default Anonymization allow list to improve Attack discoveries\r\n\r\n### Summary\r\n\r\nThis PR implements <#193350> by adding the `user.target.name` field to the default Anonymization allow list.\r\n\r\nThe `user.target.name` field will be allowed and anonymized by default.\r\n\r\nThe _Background_ section below describes the purpose of this field, and how it improves Attack discoveries.\r\n\r\n### Background\r\n\r\nIn the Elastic Common Schema (ECS), the `user.target.name` field represents the targeted user of an action taken. It is a member of the [Field sets that can be nested under User](https://www.elastic.co/guide/en/ecs/current/ecs-user.html#ecs-user-nestings).\r\n\r\nSome detection rules make a distinction between the user taking action, and another account that's the _target_ of that action.\r\n\r\nFor example, in the [User Added to Privileged Group](https://www.elastic.co/guide/en/security/current/user-added-to-privileged-group.html) detection rule:\r\n\r\n- The `user.name` field in the alert identifies the account taking action; in this example the user _adding_ a member to the `Administrators` group\r\n- The `user.target.name` field in the alert specifies the account that's the _target_ of the action; in this example it's the account _being added to_ the `Administrators` group\r\n\r\nIncluding the `user.target.name` field in the default Anonymization settings improves Attack discoveries, because it enables the model to distinguish between the user taking action and the target of that action when the `user.target.name` field is available, as illustrated by the _Before_ and _After_ images below:\r\n\r\n**Before**\r\n\r\n![before](https://github.com/user-attachments/assets/440d25ee-0d91-4c2a-8763-ae6ee2d6a572)\r\n\r\n**After**\r\n\r\n![after](https://github.com/user-attachments/assets/d241be88-1cb1-4e13-a9ae-6328407c26ee)\r\n\r\n### Desk testing\r\n\r\n1) Start a new (development) instance of Elasticsearch:\r\n\r\n```sh\r\nyarn es snapshot -E path.data=/Users/$USERNAME/data-2024-09-19a\r\n```\r\n\r\n2) Start a local (development) instance of Kibana:\r\n\r\n```\r\nyarn start --no-base-path\r\n````\r\n\r\n3) Login to Kibana as the `elastic` user\r\n\r\n4) Navigate to Stack Management > License management\r\n\r\n5) Click Start trial\r\n\r\n6) Navigate to Stack Management > AI Assistants\r\n\r\n7) Click `Manage Settings` for the security assistant\r\n\r\n8) Click Anonymization\r\n\r\n9) Enter `user.target.name` in the search field\r\n\r\n**Expected results**\r\n\r\n- The `user.target.name` field is `Allowed`\r\n- The `user.target.name` field is `Anonymized`\r\n\r\nas illustrated by the screenshot below:\r\n\r\n![anonymization_settings](https://github.com/user-attachments/assets/625dda96-d77a-416f-b78b-d4ef57fd4890)","sha":"349a30789075f0ef907608987f8cb77247c5e8e3"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.15","label":"v8.15.2","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Andrew Macri <[email protected]>
- Loading branch information