# [8.15] [Security Solution] [Attack discovery] Includes the `user.target.name` field in the default Anonymization allow list to improve Attack discoveries (#193496) #193563

Merged: kibanamachine merged 4 commits into elastic:8.15 from kibanamachine:backport/8.15/pr-193496 on Sep 23, 2024
Conversation
…` field in the default Anonymization allow list to improve Attack discoveries (elastic#193496)

## [Security Solution] [Attack discovery] Includes the `user.target.name` field in the default Anonymization allow list to improve Attack discoveries

### Summary

This PR implements <elastic#193350> by adding the `user.target.name` field to the default Anonymization allow list. The `user.target.name` field will be allowed and anonymized by default.

The _Background_ section below describes the purpose of this field, and how it improves Attack discoveries.

### Background

In the Elastic Common Schema (ECS), the `user.target.name` field represents the targeted user of an action taken. It is a member of the [Field sets that can be nested under User](https://www.elastic.co/guide/en/ecs/current/ecs-user.html#ecs-user-nestings).

Some detection rules make a distinction between the user taking action, and another account that's the _target_ of that action. For example, in the [User Added to Privileged Group](https://www.elastic.co/guide/en/security/current/user-added-to-privileged-group.html) detection rule:

- The `user.name` field in the alert identifies the account taking action; in this example the user _adding_ a member to the `Administrators` group
- The `user.target.name` field in the alert specifies the account that's the _target_ of the action; in this example it's the account _being added to_ the `Administrators` group

Including the `user.target.name` field in the default Anonymization settings improves Attack discoveries, because it enables the model to distinguish between the user taking action and the target of that action when the `user.target.name` field is available, as illustrated by the _Before_ and _After_ images below:

**Before**

![before](https://github.com/user-attachments/assets/440d25ee-0d91-4c2a-8763-ae6ee2d6a572)

**After**

![after](https://github.com/user-attachments/assets/d241be88-1cb1-4e13-a9ae-6328407c26ee)

### Desk testing

1) Start a new (development) instance of Elasticsearch:

```sh
yarn es snapshot -E path.data=/Users/$USERNAME/data-2024-09-19a
```

2) Start a local (development) instance of Kibana:

```
yarn start --no-base-path
```

3) Log in to Kibana as the `elastic` user
4) Navigate to Stack Management > License management
5) Click Start trial
6) Navigate to Stack Management > AI Assistants
7) Click `Manage Settings` for the security assistant
8) Click Anonymization
9) Enter `user.target.name` in the search field

**Expected results**

- The `user.target.name` field is `Allowed`
- The `user.target.name` field is `Anonymized`

as illustrated by the screenshot below:

![anonymization_settings](https://github.com/user-attachments/assets/625dda96-d77a-416f-b78b-d4ef57fd4890)

(cherry picked from commit 349a307)
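The PR description above explains the two settings that matter here: whether a field is on the allow list at all (forwarded to the model) and whether its value is anonymized (replaced by a token). The following is an added example, not Kibana's own code, that models that behaviour on two constructed alerts shaped like the "User Added to Privileged Group" rule. It shows why the allow list matters: with `user.target.name` dropped, the model never learns that the account added to `Administrators` is the same account that acts in the second alert; with the field allowed and anonymized, both appear as the same token without the real name being sent. The field lists, the alert documents, the `anon-N` token format and all function names are assumptions made for this example, not Kibana's real defaults or API.

```typescript
// Added example, not Kibana's code. Models the Attack discovery Anonymization
// allow list: fields that are not allowed are dropped, allowed fields are sent
// through, and allowed+anonymized fields have their values replaced by tokens.
// Settings, alerts and the "anon-N" token format are constructed for this example.

interface AnonymizationSettings {
  allowed: string[];    // dotted ECS field names forwarded to the model
  anonymized: string[]; // allowed fields whose values are replaced by tokens
}

// token -> original value, kept so the model's answer can be de-anonymized later
type Replacements = { [token: string]: string };

// Flatten a nested document ({ user: { target: { name: 'x' } } })
// into dotted ECS-style keys ({ 'user.target.name': 'x' }).
function flatten(doc: { [k: string]: unknown }, prefix = ''): { [k: string]: string } {
  const out: { [k: string]: string } = {};
  for (const k of Object.keys(doc)) {
    const v = doc[k];
    const key = prefix ? `${prefix}.${k}` : k;
    if (v !== null && typeof v === 'object' && !Array.isArray(v)) {
      const nested = flatten(v as { [k: string]: unknown }, key);
      for (const nk of Object.keys(nested)) out[nk] = nested[nk];
    } else {
      out[key] = String(v);
    }
  }
  return out;
}

// Same original value always gets the same token, whichever field it appears in,
// so an account that is the target in one alert and the actor in a later one
// stays correlatable without its real name being sent to the model.
function tokenFor(value: string, replacements: Replacements): string {
  for (const t of Object.keys(replacements)) {
    if (replacements[t] === value) return t;
  }
  const token = `anon-${Object.keys(replacements).length + 1}`; // assumed format
  replacements[token] = value;
  return token;
}

// Apply the allow list and anonymization to one alert document.
function anonymizeAlert(
  doc: { [k: string]: unknown },
  settings: AnonymizationSettings,
  replacements: Replacements
): { [k: string]: string } {
  const out: { [k: string]: string } = {};
  const flat = flatten(doc);
  for (const field of Object.keys(flat)) {
    if (settings.allowed.indexOf(field) === -1) continue; // not allowed: dropped
    out[field] =
      settings.anonymized.indexOf(field) === -1 ? flat[field] : tokenFor(flat[field], replacements);
  }
  return out;
}

// Anonymize a batch of alerts with one shared replacement map.
function anonymizeAlerts(docs: { [k: string]: unknown }[], settings: AnonymizationSettings) {
  const replacements: Replacements = {};
  const anonymized = docs.map((d) => anonymizeAlert(d, settings, replacements));
  return { anonymized, replacements };
}

// Constructed settings: BEFORE omits user.target.name from the allow list, AFTER includes it.
const BASE_ALLOWED = ['kibana.alert.rule.name', 'event.action', 'group.name', 'host.name', 'user.name'];
const ANONYMIZED = ['host.name', 'user.name', 'user.target.name'];
const SETTINGS_BEFORE: AnonymizationSettings = { allowed: BASE_ALLOWED, anonymized: ANONYMIZED };
const SETTINGS_AFTER: AnonymizationSettings = {
  allowed: BASE_ALLOWED.concat(['user.target.name']),
  anonymized: ANONYMIZED,
};

// Constructed alerts: jdoe adds svc-backup to Administrators, then svc-backup acts on its own.
const SAMPLE_ALERTS: { [k: string]: unknown }[] = [
  {
    kibana: { alert: { rule: { name: 'User Added to Privileged Group' } } },
    event: { action: 'added-member-to-group' },
    group: { name: 'Administrators' },
    host: { name: 'dc01' },
    user: { name: 'jdoe', target: { name: 'svc-backup' } },
  },
  {
    kibana: { alert: { rule: { name: 'Example follow-on rule' } } },
    event: { action: 'logged-in' },
    host: { name: 'dc01' },
    user: { name: 'svc-backup' },
  },
];

console.log('before:', JSON.stringify(anonymizeAlerts(SAMPLE_ALERTS, SETTINGS_BEFORE).anonymized));
console.log('after: ', JSON.stringify(anonymizeAlerts(SAMPLE_ALERTS, SETTINGS_AFTER).anonymized));
```

With the BEFORE settings the first alert reaches the model with only `user.name` (the actor, `anon-2`) and the second alert's `user.name` becomes an unrelated `anon-3`. With the AFTER settings the first alert's `user.target.name` and the second alert's `user.name` are both `anon-3`, so the model can tie the newly privileged account to its later activity while the replacement map, which stays on the Kibana side, is the only thing that knows `anon-3` is `svc-backup`.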
@elasticmachine merge upstream
💛 Build succeeded, but was flaky
Backport: This will backport the following commits from main to 8.15. Questions? Please refer to the Backport tool documentation.