Hi, I am playing around with SIEM app and was wondering if there is a way to pivot off of user.name rather than Hosts and IP. I understand I can use Events and filter for both user.name and host.name but might be helpful in cases where the log/event itself is not tied to a specific host but to a user.
@forkhead, welcome to our forum, and thanks for the question!
The general answer is that yes, we agree, being able to pivot off the username is a very useful capability for security analysts.
I'm not sure I fully understand your question about "where" in the app you want to pivot. Maybe you are looking for a "Users" page to complement the existing "Hosts" page? If so, yes, this is on our future capabilities list.
In the meantime, please let me explore this approach to pivoting in the SIEM app to see if it can help.
Using the SIEM app, in the Timeline event viewer, you can use any ECS-compatible
field:value filter to pivot across all your siem-related data. By default, the timeline will search all your indices that are specified in your
siem:defaultIndex advanced setting. So simply dragging a
user.name:value filter to the drop area, you are automatically able to pivot across all your data.
Would love to hear your further thoughts.
@Mike_Paquette Exactly, I was looking for a "Users" page like the existing "Hosts" page. Timeline is pretty cool and the ways it can be used, yes I am using Timeline to see all the events for the host.name and user.name. Not sure if Elastic Security has plans for adding UEBA functionalities to it. Thanks for the information and all the help.