
Refactor and re-enable per-field validation of risk events #252

Open
cmcginley-splunk opened this issue Aug 20, 2024 · 0 comments

@cmcginley-splunk (Collaborator):

  • Originally, we tried to enforce that every field seen in an observable must be an attribute in every single risk event
  • In practice this does not seem to be the case, for two different reasons
    • Sparsely populated fields (some returned search results don't have all fields, and thus those fields don't exist in some risk objects); see the 'dest' field in Windows Steal Authentication Certificates - ESC1 Abuse for an example
    • Certain computed fields (e.g. when user is computed) may not be available in the risk event; see Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos for an example
  • The former of these possibilities is more confusing and the solution is less clear
  • Resolution of this issue may involve closing it w/o fixing
@cmcginley-splunk cmcginley-splunk changed the title Refactor and re-enable per-fielf validation of risk events Refactor and re-enable per-field validation of risk events Aug 20, 2024
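The two failure modes in the issue (sparsely populated fields and computed fields) can be made concrete with a small validator. The block below is an added example and is not contentctl's own validation code: the `Observable` and risk-event shapes, the function names, and the sample events are all assumptions constructed for illustration. It compares the strict rule the issue says was originally enforced (every observable field must be present in every risk event) with a relaxed rule that only requires each field to show up in at least one risk event, and lets the caller declare computed fields that are allowed to be absent from the risk events entirely.

```python
"""Added example, not contentctl's own code: per-field validation of risk
events against a detection's declared observables.

Assumptions (not from the project): an observable is a (name, role) pair,
a risk event is a flat dict of field -> value, and computed fields are
named explicitly by the caller. Sample data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Observable:
    name: str                                        # search-result field, e.g. "dest"
    role: list[str] = field(default_factory=list)    # e.g. ["Victim"] (hypothetical shape)


@dataclass
class ValidationResult:
    # field name -> indices of the risk events in which that field is absent
    strict_missing: dict[str, list[int]]
    # observable fields absent from every risk event and not declared as computed
    never_seen: list[str]

    def strict_ok(self) -> bool:
        """The original rule: every observable field in every risk event."""
        return not self.strict_missing

    def relaxed_ok(self) -> bool:
        """Tolerates sparse fields: each field appears in at least one event,
        unless the caller declared it as computed (may never appear)."""
        return not self.never_seen


def validate_risk_events(
    observables: list[Observable],
    risk_events: list[dict],
    computed_fields: frozenset[str] | set[str] = frozenset(),
) -> ValidationResult:
    """Check which observable fields are missing from which risk events.

    An empty risk-event list would make the strict check pass vacuously,
    which hides a broken integration test, so it is rejected explicitly.
    """
    if not risk_events:
        raise ValueError("no risk events to validate")

    strict_missing: dict[str, list[int]] = {}
    never_seen: list[str] = []
    for obs in observables:
        missing = [i for i, ev in enumerate(risk_events) if obs.name not in ev]
        if missing:
            strict_missing[obs.name] = missing
        # Absent everywhere: a real problem unless the field is computed.
        if len(missing) == len(risk_events) and obs.name not in computed_fields:
            never_seen.append(obs.name)
    return ValidationResult(strict_missing, never_seen)


# Constructed sample: the "dest" field is sparsely populated (absent from the
# second event), mirroring the first failure mode described in the issue.
SAMPLE_OBSERVABLES = [Observable("dest", ["Victim"]), Observable("user", ["Victim"])]
SAMPLE_RISK_EVENTS = [
    {"dest": "host-a", "user": "alice", "risk_score": 40},
    {"user": "bob", "risk_score": 40},
    {"dest": "host-c", "user": "carol", "risk_score": 40},
]


def demo() -> tuple[ValidationResult, ValidationResult]:
    """Run the sparse-field case and the computed-field case."""
    sparse = validate_risk_events(SAMPLE_OBSERVABLES, SAMPLE_RISK_EVENTS)
    # Second failure mode: "user" is computed and never lands in the risk event.
    computed = validate_risk_events(
        [Observable("user"), Observable("dest")],
        [{"dest": "host-a"}],
        computed_fields={"user"},
    )
    return sparse, computed


if __name__ == "__main__":
    sparse, computed = demo()
    print("sparse: strict", sparse.strict_ok(), "relaxed", sparse.relaxed_ok(), sparse)
    print("computed: strict", computed.strict_ok(), "relaxed", computed.relaxed_ok(), computed)
```

With the sample data the strict rule fails on `dest` (missing from event index 1) while the relaxed rule passes; in the computed-field case `user` is missing from every event but is tolerated because it was declared computed. A field that is missing from every event and not declared computed still fails the relaxed rule, which is the check most likely to catch a genuinely broken detection.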