[intelligence] Dashboard is showing AdvancedHunting-AlertInfo in the table #193491

Open
nicpenning opened this issue Sep 19, 2024 · 2 comments
Labels
bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting Security Solution Threat Hunting Team triage_needed

Comments

@nicpenning

Kibana version:
8.15.1
Elasticsearch version:
8.15.1
Server OS version:
Windows 2019
Browser version:
Latest MS Edge
Browser OS version:
Latest MS Edge
Original install method (e.g. download page, yum, from source, etc.):
Download page
Describe the bug:
It appears that the threat intelligence dashboard in Security is showing more than just indicator/threat feed data in the table.
Steps to reproduce:

  1. Ingest M365 events using event hub
  2. Look at Intelligence Page in Security
  3. See the events

Expected behavior:
I expect that only Threat Indicators are included in the Intelligence dashboard
Screenshots (if relevant):
(screenshot not reproduced)

Any additional context:
It seems that the integration for M365 Advanced Hunting is calling this event type an indicator, but I argue it is far from it because the information from some of these events is not useful. For example:

{
  "_index": ".ds-logs-m365_defender.event-redacted-2024.09.17-000223",
  "_id": "TsMdCpIBN2K78Cs8yMeN",
  "_score": 0,
  "_source": {
    "input": {
      "type": "azure-eventhub"
    },
    "agent": {
      "name": "redacted",
      "id": "redacted",
      "ephemeral_id": "redacted",
      "type": "filebeat",
      "version": "8.15.1"
    },
    "@timestamp": "2024-09-19T11:48:05.699Z",
    "ecs": {
      "version": "8.11.0"
    },
    "data_stream": {
      "namespace": "redacted",
      "type": "logs",
      "dataset": "m365_defender.event"
    },
    "elastic_agent": {
      "id": "redacted",
      "version": "8.15.1",
      "snapshot": false
    },
    "event": {
      "severity": 1,
      "agent_id_status": "verified",
      "ingested": "2024-09-19T11:49:36Z",
      "provider": "Microsoft Defender for Endpoint",
      "kind": "alert",
      "id": "redacted",
      "category": [
        "threat"
      ],
      "type": [
        "indicator"
      ],
      "dataset": "m365_defender.event"
    },
    "m365_defender": {
      "event": {
        "operation_name": "Publish",
        "severity": "informational",
        "machine_group": "redacted",
        "detection": {
          "source": "Custom TI"
        },
        "alert": {
          "category": "SuspiciousActivity"
        },
        "time": "2024-09-19T11:48:29.482Z",
        "category": "AdvancedHunting-AlertInfo",
        "tenant": {
          "name": "DefaultTenant",
          "id": "redacted"
        }
      }
    },
    "message": "Unsanctioned cloud app access was blocked",
    "azure": {
      "sequence_number": "redacted",
      "consumer_group": "$Default",
      "offset": "redacted",
      "eventhub": "redacted",
      "enqueued_time": "2024-09-19T11:49:34.174Z"
    },
    "tags": [
      "forwarded",
      "m365_defender-event"
    ]
  },
  "fields": {
    "azure.enqueued_time": [
      "2024-09-19T11:49:34.174Z"
    ],
    "elastic_agent.version": [
      "8.15.1"
    ],
    "event.category": [
      "threat"
    ],
    "azure.eventhub": [
      "redacted"
    ],
    "m365_defender.event.category": [
      "AdvancedHunting-AlertInfo"
    ],
    "azure.offset": [
      "redacted"
    ],
    "m365_defender.event.tenant.name": [
      "DefaultTenant"
    ],
    "agent.type": [
      "filebeat"
    ],
    "event.module": [
      "m365_defender"
    ],
    "threat.indicator.name": [
      ""
    ],
    "threat.indicator.name_origin": [
      ""
    ],
    "agent.name.text": [
      "redacted"
    ],
    "m365_defender.event.detection.source": [
      "Custom TI"
    ],
    "agent.name": [
      "redacted"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.kind": [
      "alert"
    ],
    "m365_defender.event.alert.category": [
      "SuspiciousActivity"
    ],
    "event.severity": [
      1
    ],
    "m365_defender.event.operation_name": [
      "Publish"
    ],
    "elastic_agent.id": [
      "redacted"
    ],
    "data_stream.namespace": [
      "redacted"
    ],
    "m365_defender.event.tenant.id": [
      "redacted"
    ],
    "m365_defender.event.time": [
      "2024-09-19T11:48:29.482Z"
    ],
    "input.type": [
      "azure-eventhub"
    ],
    "m365_defender.event.severity": [
      "informational"
    ],
    "message": [
      "Unsanctioned cloud app access was blocked"
    ],
    "data_stream.type": [
      "logs"
    ],
    "tags": [
      "forwarded",
      "m365_defender-event"
    ],
    "azure.consumer_group": [
      "$Default"
    ],
    "event.ingested": [
      "2024-09-19T11:49:36Z"
    ],
    "event.provider": [
      "Microsoft Defender for Endpoint"
    ],
    "@timestamp": [
      "2024-09-19T11:48:05.699Z"
    ],
    "agent.id": [
      "redacted"
    ],
    "azure.sequence_number": [
      "redacted"
    ],
    "ecs.version": [
      "8.11.0"
    ],
    "m365_defender.event.machine_group": [
      "redacted"
    ],
    "data_stream.dataset": [
      "m365_defender.event"
    ],
    "event.type": [
      "indicator"
    ],
    "agent.ephemeral_id": [
      "redacted"
    ],
    "agent.version": [
      "8.15.1"
    ],
    "event.id": [
      "da638623433084288252_-1065258170"
    ],
    "event.dataset": [
      "m365_defender.event"
    ]
  }
}

Custom TI is far from any type of threat indicator/information. This is more of an annoyance but I would recommend that the search be slightly tuned to remove this type of information from this dashboard or the integration to change those field types. I am open to other thoughts, but figured I would mention it.
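One way to apply the second remedy the reporter proposes (changing the field values on the way in) without forking the integration, as an added example that is not part of this issue and not Elastic's own code: Fleet-managed integrations run an ingest pipeline named `logs-<dataset>@custom` after the integration's own pipeline, so a `logs-m365_defender.event@custom` pipeline can re-tag these rows before they are indexed. The condition, the replacement value `info`, and the audit tag are the editor's choice; the example assumes the Intelligence page selects documents by `event.category: threat` and `event.type: indicator`, which is what the document above carries, and it deliberately leaves `event.kind: alert` and `event.category` alone so the SIEM alert views still see the row. JSON carries no comments, so the `description` fields serve that role.

```json
{
  "description": "Editor-added example: stop M365 Defender AdvancedHunting-AlertInfo rows from being tagged as threat indicators",
  "processors": [
    {
      "append": {
        "description": "Audit trail first, while event.type still says 'indicator': makes the rewrite visible in Discover",
        "if": "ctx.m365_defender?.event?.category == 'AdvancedHunting-AlertInfo' && ctx.event?.type instanceof List && ctx.event.type.contains('indicator')",
        "field": "tags",
        "value": ["m365_defender-alertinfo-retagged"],
        "allow_duplicates": false
      }
    },
    {
      "set": {
        "description": "AlertInfo rows describe a detection, not an indicator; replace event.type, keep event.kind=alert",
        "if": "ctx.m365_defender?.event?.category == 'AdvancedHunting-AlertInfo' && ctx.event?.type instanceof List && ctx.event.type.contains('indicator')",
        "field": "event.type",
        "value": ["info"]
      }
    }
  ]
}
```

Install it with `PUT _ingest/pipeline/logs-m365_defender.event@custom` and the body above; it only affects documents ingested after that point. Before rolling it out, size the problem in Discover with `data_stream.dataset : "m365_defender.event" and event.type : "indicator" and m365_defender.event.category : "AdvancedHunting-AlertInfo"`, and re-run the same query afterwards to confirm the count stops growing. The null-safe `?.` operators keep the condition from throwing on documents that lack `m365_defender.event` or `event.type`, and the `instanceof List` check matters because `event.type` is an array field in ECS, so a plain string comparison would silently never match.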

@nicpenning nicpenning added the bug Fixes for quality problems that affect the customer experience label Sep 19, 2024
@jughosta jughosta added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 24, 2024
@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@jughosta jughosta added Team:Threat Hunting Security Solution Threat Hunting Team needs-team Issues missing a team label labels Sep 24, 2024
@elasticmachine

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)
