You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A few of the use cases (e.g. "Detect Mimikatz With PowerShell Script Block Logging") generate fields in the notable events that are not compatible with the default configuration of Incident Response / Asset Enrichment (UserID) in this case.
If I have asset enrichment enabled, and the field that identifies a user is, for example, "user" - then within Incident Response fields like user_email, user_bunit, etc. are also pulled through - as they have been defined in "Incident Review - Event Attributes"
If a field of a different name is used, for example, "UserID", then these fields are not pulled through (and would have to be manually defined as an "Incident Review - Event Attributes"
Also the identity enrichment macro "get_identity4events()" currently reports that it only supports the field names - user, src_user, host_owner, orig_host_owner, src_owner, dest_owner, or dvc_owner. So I am not sure if UserID would work.
Consistency in naming fields across the whole of ESCU would be good, and I would suggest adopting some of the CIM based names would be good.
Many thanks
Simon
The text was updated successfully, but these errors were encountered:
ljstella
changed the title
Use of Incident Response/Review compatible fields in Correlation Searches
TR-2335: Use of Incident Response/Review compatible fields in Correlation Searches
Aug 9, 2022
Update: We're aware of this issue, and have been for some time but are still determining the best route forward for revisiting every single search that's included as part of ESCU.
A few of the use cases (e.g. "Detect Mimikatz With PowerShell Script Block Logging") generate fields in the notable events that are not compatible with the default configuration of Incident Response / Asset Enrichment (UserID) in this case.
If I have asset enrichment enabled, and the field that identifies a user is, for example, "user" - then within Incident Response fields like user_email, user_bunit, etc. are also pulled through - as they have been defined in "Incident Review - Event Attributes"
If a field of a different name is used, for example, "UserID", then these fields are not pulled through (and would have to be manually defined as an "Incident Review - Event Attributes"
Also the identity enrichment macro "get_identity4events()" currently reports that it only supports the field names - user, src_user, host_owner, orig_host_owner, src_owner, dest_owner, or dvc_owner. So I am not sure if UserID would work.
Consistency in naming fields across the whole of ESCU would be good, and I would suggest adopting some of the CIM based names would be good.
Many thanks
Simon
The text was updated successfully, but these errors were encountered: