TR-2335: Use of Incident Response/Review compatible fields in Correlation Searches #2319

Open
beano500 opened this issue Aug 9, 2022 · 1 comment
Labels: enhancement (New feature or request)

beano500 commented Aug 9, 2022

A few of the use cases (e.g. "Detect Mimikatz With PowerShell Script Block Logging") generate fields in the notable events that are not compatible with the default configuration of Incident Response / Asset Enrichment ("UserID", in this case).

If I have asset enrichment enabled, and the field that identifies a user is, for example, "user", then within Incident Response fields like user_email, user_bunit, etc. are also pulled through, as they have been defined in "Incident Review - Event Attributes".

If a field of a different name is used, for example "UserID", then these fields are not pulled through (and would have to be manually defined as an "Incident Review - Event Attributes").

Also the identity enrichment macro "get_identity4events()" currently reports that it only supports the field names - user, src_user, host_owner, orig_host_owner, src_owner, dest_owner, or dvc_owner. So I am not sure if UserID would work.

Consistency in naming fields across the whole of ESCU would be good, and I would suggest adopting some of the CIM-based names.

Many thanks
Simon
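An added illustration of the mismatch described in the issue (this is not code from the issue or from the security_content project): Incident Review's default event attributes and the identity enrichment macro key on CIM names such as user and dest, so a correlation search whose stats clause groups by UserID and Computer produces a notable that carries neither field, and no user_email / user_bunit enrichment appears. The search below is a hypothetical, simplified PowerShell 4104 search in the same shape; the sourcetype, the ScriptBlockText pattern, the single-argument form `get_identity4events(user)` and the field names Computer and UserID are assumptions for the example, not the project's actual search text.

```spl
sourcetype="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104 ScriptBlockText="*sekurlsa::logonpasswords*"
| rename UserID as user, Computer as dest
| stats count min(_time) as firstTime max(_time) as lastTime by dest user ScriptBlockText
| `get_identity4events(user)`
```

The `rename` line is the whole fix: once the grouping fields are the CIM names user and dest, the notable event exposes them under the names the "Incident Review - Event Attributes" defaults expect, and the identity macro (which, as the issue notes, only accepts user, src_user, host_owner, orig_host_owner, src_owner, dest_owner or dvc_owner) can look the identity up. A quick check after editing a correlation search is to run it ad hoc and confirm that user and dest appear in the field list and that `get_identity4events(user)` adds identity fields rather than returning the rows unchanged.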

josehelps added the bug (Something isn't working) label Aug 9, 2022
ljstella changed the title "Use of Incident Response/Review compatible fields in Correlation Searches" to "TR-2335: Use of Incident Response/Review compatible fields in Correlation Searches" Aug 9, 2022
ljstella (Contributor) commented:
Update: We're aware of this issue, and have been for some time but are still determining the best route forward for revisiting every single search that's included as part of ESCU.

ljstella added the enhancement (New feature or request) label and removed the bug (Something isn't working) label Oct 11, 2022