Originally, we tried to enforce that every field seen in an observable must be an attribute in every single risk event.

In practice this does not seem to be the case, for two different reasons:

- Sparsely populated fields (some returned search results don't have all fields, and thus those fields don't exist in some risk objects); see the 'dest' field in Windows Steal Authentication Certificates - ESC1 Abuse for an example.
- Certain computed fields (e.g. when user is computed) may not be available in the risk event; see Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos for an example.

The former of these possibilities is more confusing, and the solution is less clear.

Resolution of this issue may involve closing it w/o fixing.
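As an added example, not contentctl's own code nor the issue author's, the Python below sketches the strict per-field rule the issue describes next to a relaxed variant that tolerates sparsely populated fields and skips computed ones; the field names, sample risk events and function names are constructed assumptions.

```python
from collections import Counter

# Constructed sample (assumption): fields named in a detection's observables.
# 'user' is computed at search time, so it never reaches the raw risk event;
# 'dest' is sparsely populated and shows up in only some search results.
OBSERVABLE_FIELDS = ["user", "dest", "src"]
COMPUTED_FIELDS = {"user"}

# Constructed sample (assumption): two risk events the detection produced.
RISK_EVENTS = [
    {"src": "10.0.0.5", "dest": "dc01", "risk_object": "dc01"},
    {"src": "10.0.0.6", "risk_object": "10.0.0.6"},  # no 'dest' here
]


def missing_fields(event, fields, computed):
    """Observable fields absent from one risk event, ignoring computed ones."""
    return [f for f in fields if f not in computed and f not in event]


def strict_validation(events, fields, computed):
    """The rule the issue says was originally enforced: every non-computed
    observable field must be in every risk event. Returns {field: number of
    events lacking it}; an empty dict means the detection passes."""
    counts = Counter()
    for ev in events:
        counts.update(missing_fields(ev, fields, computed))
    return dict(counts)


def relaxed_validation(events, fields, computed):
    """Tolerates sparsely populated fields: a field fails only if it is absent
    from every risk event. Returns the list of fields that never appear."""
    return [
        f for f in fields
        if f not in computed and not any(f in ev for ev in events)
    ]


if __name__ == "__main__":
    # Strict check flags 'dest' once; relaxed check accepts the same events.
    print(strict_validation(RISK_EVENTS, OBSERVABLE_FIELDS, COMPUTED_FIELDS))
    print(relaxed_validation(RISK_EVENTS, OBSERVABLE_FIELDS, COMPUTED_FIELDS))
```

The relaxed variant still catches a field that is missing everywhere, which is the case that most likely signals a real mismatch between the observable and the search.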
cmcginley-splunk changed the title from "Refactor and re-enable per-fielf validation of risk events" to "Refactor and re-enable per-field validation of risk events" on Aug 20, 2024.