Skip to content

Commit

Permalink
[8.x] [Security Solution] [Attack discovery] Includes the `user.…
Browse files Browse the repository at this point in the history
…target.name` field in the default Anonymization allow list to improve Attack discoveries (#193496) (#193564)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] [Attack discovery] Includes the
`user.target.name` field in the default Anonymization allow
list to improve Attack discoveries
(#193496)](#193496)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Andrew
Macri","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-09-20T12:45:41Z","message":"[Security
Solution] [Attack discovery] Includes the `user.target.name` field in
the default Anonymization allow list to improve Attack discoveries
(#193496)\n\n## [Security Solution] [Attack discovery] Includes the
`user.target.name` field in the default Anonymization allow list to
improve Attack discoveries\r\n\r\n### Summary\r\n\r\nThis PR implements
<#193350> by adding the
`user.target.name` field to the default Anonymization allow
list.\r\n\r\nThe `user.target.name` field will be allowed and anonymized
by default.\r\n\r\nThe _Background_ section below describes the purpose
of this field, and how it improves Attack discoveries.\r\n\r\n###
Background\r\n\r\nIn the Elastic Common Schema (ECS), the
`user.target.name` field represents the targeted user of an action
taken. It is a member of the [Field sets that can be nested under
User](https://www.elastic.co/guide/en/ecs/current/ecs-user.html#ecs-user-nestings).\r\n\r\nSome
detection rules make a distinction between the user taking action, and
another account that's the _target_ of that action.\r\n\r\nFor example,
in the [User Added to Privileged
Group](https://www.elastic.co/guide/en/security/current/user-added-to-privileged-group.html)
detection rule:\r\n\r\n- The `user.name` field in the alert identifies
the account taking action; in this example the user _adding_ a member to
the `Administrators` group\r\n- The `user.target.name` field in the
alert specifies the account that's the _target_ of the action; in this
example it's the account _being added to_ the `Administrators`
group\r\n\r\nIncluding the `user.target.name` field in the default
Anonymization settings improves Attack discoveries, because it enables
the model to distinguish between the user taking action and the target
of that action when the `user.target.name` field is available, as
illustrated by the _Before_ and _After_ images
below:\r\n\r\n**Before**\r\n\r\n![before](https://github.com/user-attachments/assets/440d25ee-0d91-4c2a-8763-ae6ee2d6a572)\r\n\r\n**After**\r\n\r\n![after](https://github.com/user-attachments/assets/d241be88-1cb1-4e13-a9ae-6328407c26ee)\r\n\r\n###
Desk testing\r\n\r\n1) Start a new (development) instance of
Elasticsearch:\r\n\r\n```sh\r\nyarn es snapshot -E
path.data=/Users/$USERNAME/data-2024-09-19a\r\n```\r\n\r\n2) Start a
local (development) instance of Kibana:\r\n\r\n```\r\nyarn start
--no-base-path\r\n````\r\n\r\n3) Login to Kibana as the `elastic`
user\r\n\r\n4) Navigate to Stack Management > License
management\r\n\r\n5) Click Start trial\r\n\r\n6) Navigate to Stack
Management > AI Assistants\r\n\r\n7) Click `Manage Settings` for the
security assistant\r\n\r\n8) Click Anonymization\r\n\r\n9) Enter
`user.target.name` in the search field\r\n\r\n**Expected
results**\r\n\r\n- The `user.target.name` field is `Allowed`\r\n- The
`user.target.name` field is `Anonymized`\r\n\r\nas illustrated by the
screenshot
below:\r\n\r\n![anonymization_settings](https://github.com/user-attachments/assets/625dda96-d77a-416f-b78b-d4ef57fd4890)","sha":"349a30789075f0ef907608987f8cb77247c5e8e3","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","v9.0.0","Team:
SecuritySolution","backport:prev-minor","Team:Security Generative
AI","v8.16.0","v8.15.2"],"title":"[Security Solution] [Attack discovery]
Includes the `user.target.name` field in the default Anonymization allow
list to improve Attack
discoveries","number":193496,"url":"https://github.com/elastic/kibana/pull/193496","mergeCommit":{"message":"[Security
Solution] [Attack discovery] Includes the `user.target.name` field in
the default Anonymization allow list to improve Attack discoveries
(#193496)\n\n## [Security Solution] [Attack discovery] Includes the
`user.target.name` field in the default Anonymization allow list to
improve Attack discoveries\r\n\r\n### Summary\r\n\r\nThis PR implements
<#193350> by adding the
`user.target.name` field to the default Anonymization allow
list.\r\n\r\nThe `user.target.name` field will be allowed and anonymized
by default.\r\n\r\nThe _Background_ section below describes the purpose
of this field, and how it improves Attack discoveries.\r\n\r\n###
Background\r\n\r\nIn the Elastic Common Schema (ECS), the
`user.target.name` field represents the targeted user of an action
taken. It is a member of the [Field sets that can be nested under
User](https://www.elastic.co/guide/en/ecs/current/ecs-user.html#ecs-user-nestings).\r\n\r\nSome
detection rules make a distinction between the user taking action, and
another account that's the _target_ of that action.\r\n\r\nFor example,
in the [User Added to Privileged
Group](https://www.elastic.co/guide/en/security/current/user-added-to-privileged-group.html)
detection rule:\r\n\r\n- The `user.name` field in the alert identifies
the account taking action; in this example the user _adding_ a member to
the `Administrators` group\r\n- The `user.target.name` field in the
alert specifies the account that's the _target_ of the action; in this
example it's the account _being added to_ the `Administrators`
group\r\n\r\nIncluding the `user.target.name` field in the default
Anonymization settings improves Attack discoveries, because it enables
the model to distinguish between the user taking action and the target
of that action when the `user.target.name` field is available, as
illustrated by the _Before_ and _After_ images
below:\r\n\r\n**Before**\r\n\r\n![before](https://github.com/user-attachments/assets/440d25ee-0d91-4c2a-8763-ae6ee2d6a572)\r\n\r\n**After**\r\n\r\n![after](https://github.com/user-attachments/assets/d241be88-1cb1-4e13-a9ae-6328407c26ee)\r\n\r\n###
Desk testing\r\n\r\n1) Start a new (development) instance of
Elasticsearch:\r\n\r\n```sh\r\nyarn es snapshot -E
path.data=/Users/$USERNAME/data-2024-09-19a\r\n```\r\n\r\n2) Start a
local (development) instance of Kibana:\r\n\r\n```\r\nyarn start
--no-base-path\r\n````\r\n\r\n3) Login to Kibana as the `elastic`
user\r\n\r\n4) Navigate to Stack Management > License
management\r\n\r\n5) Click Start trial\r\n\r\n6) Navigate to Stack
Management > AI Assistants\r\n\r\n7) Click `Manage Settings` for the
security assistant\r\n\r\n8) Click Anonymization\r\n\r\n9) Enter
`user.target.name` in the search field\r\n\r\n**Expected
results**\r\n\r\n- The `user.target.name` field is `Allowed`\r\n- The
`user.target.name` field is `Anonymized`\r\n\r\nas illustrated by the
screenshot
below:\r\n\r\n![anonymization_settings](https://github.com/user-attachments/assets/625dda96-d77a-416f-b78b-d4ef57fd4890)","sha":"349a30789075f0ef907608987f8cb77247c5e8e3"}},"sourceBranch":"main","suggestedTargetBranches":["8.x","8.15"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/193496","number":193496,"mergeCommit":{"message":"[Security
Solution] [Attack discovery] Includes the `user.target.name` field in
the default Anonymization allow list to improve Attack discoveries
(#193496)\n\n## [Security Solution] [Attack discovery] Includes the
`user.target.name` field in the default Anonymization allow list to
improve Attack discoveries\r\n\r\n### Summary\r\n\r\nThis PR implements
<#193350> by adding the
`user.target.name` field to the default Anonymization allow
list.\r\n\r\nThe `user.target.name` field will be allowed and anonymized
by default.\r\n\r\nThe _Background_ section below describes the purpose
of this field, and how it improves Attack discoveries.\r\n\r\n###
Background\r\n\r\nIn the Elastic Common Schema (ECS), the
`user.target.name` field represents the targeted user of an action
taken. It is a member of the [Field sets that can be nested under
User](https://www.elastic.co/guide/en/ecs/current/ecs-user.html#ecs-user-nestings).\r\n\r\nSome
detection rules make a distinction between the user taking action, and
another account that's the _target_ of that action.\r\n\r\nFor example,
in the [User Added to Privileged
Group](https://www.elastic.co/guide/en/security/current/user-added-to-privileged-group.html)
detection rule:\r\n\r\n- The `user.name` field in the alert identifies
the account taking action; in this example the user _adding_ a member to
the `Administrators` group\r\n- The `user.target.name` field in the
alert specifies the account that's the _target_ of the action; in this
example it's the account _being added to_ the `Administrators`
group\r\n\r\nIncluding the `user.target.name` field in the default
Anonymization settings improves Attack discoveries, because it enables
the model to distinguish between the user taking action and the target
of that action when the `user.target.name` field is available, as
illustrated by the _Before_ and _After_ images
below:\r\n\r\n**Before**\r\n\r\n![before](https://github.com/user-attachments/assets/440d25ee-0d91-4c2a-8763-ae6ee2d6a572)\r\n\r\n**After**\r\n\r\n![after](https://github.com/user-attachments/assets/d241be88-1cb1-4e13-a9ae-6328407c26ee)\r\n\r\n###
Desk testing\r\n\r\n1) Start a new (development) instance of
Elasticsearch:\r\n\r\n```sh\r\nyarn es snapshot -E
path.data=/Users/$USERNAME/data-2024-09-19a\r\n```\r\n\r\n2) Start a
local (development) instance of Kibana:\r\n\r\n```\r\nyarn start
--no-base-path\r\n````\r\n\r\n3) Login to Kibana as the `elastic`
user\r\n\r\n4) Navigate to Stack Management > License
management\r\n\r\n5) Click Start trial\r\n\r\n6) Navigate to Stack
Management > AI Assistants\r\n\r\n7) Click `Manage Settings` for the
security assistant\r\n\r\n8) Click Anonymization\r\n\r\n9) Enter
`user.target.name` in the search field\r\n\r\n**Expected
results**\r\n\r\n- The `user.target.name` field is `Allowed`\r\n- The
`user.target.name` field is `Anonymized`\r\n\r\nas illustrated by the
screenshot
below:\r\n\r\n![anonymization_settings](https://github.com/user-attachments/assets/625dda96-d77a-416f-b78b-d4ef57fd4890)","sha":"349a30789075f0ef907608987f8cb77247c5e8e3"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.15","label":"v8.15.2","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Andrew Macri <[email protected]>
  • Loading branch information
kibanamachine and andrew-goldstein authored Sep 20, 2024
1 parent e0e48cc commit ac64f52
Showing 1 changed file with 2 additions and 0 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -107,13 +107,15 @@ export const DEFAULT_ALLOW = [
'user.name',
'user.risk.calculated_level',
'user.risk.calculated_score_norm',
'user.target.name',
];

/** By default, these fields will be anonymized */
export const DEFAULT_ALLOW_REPLACEMENT = [
'host.ip', // not a default allow field, but anonymized by default
'host.name',
'user.name',
'user.target.name',
];

export const getDefaultAnonymizationFields = (spaceId: string) => {
Expand Down

0 comments on commit ac64f52

Please sign in to comment.