Normalizing usernames in executable paths to reduce "rare" detection noise?

Is anyone "normalizing" executable or command line paths in the process schema?

We see some noise in our rare detections for processes that run under the user's home drive.

Considering changing "fred", "mary", "bob", and "alice" here:

"executable": "\\Users\\fred\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\89.259.200\\software_reporter_tool.exe",

to this, so that the ML job won't see each different user's instance of the same tool as an anomaly.

"executable": "\\Users\\##USERNAME##\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\89.259.200\\software_reporter_tool.exe",

So the Security Data Science team is exploring different ways to normalize process paths and command lines in event data. One effort that may be of interest is within the ProblemChild (Anomalous Parent-Child Process Events) Classifier set to be released in 7.13.

You can see the painless script for normalization here: examples/normalize_ppath.json at master · elastic/examples · GitHub

If you have other ideas or edge cases, pass them along!
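Added example (not code from either post above, nor the Painless script in the elastic/examples repository): a Python version of the username normalization the question describes, written so the raw `process.executable` and `process.command_line` values are kept and a normalized copy is added beside them for the ML job to partition on. The placeholder `##USERNAME##` comes from the question; the field names `executable_normalized` and `command_line_normalized`, the regexes, and the list of shared Windows profile directories that are deliberately left unchanged (`Public`, `Default`, etc.) are assumptions made for this example.

```python
import re

# Placeholder taken from the question above.
PLACEHOLDER = "##USERNAME##"

# Windows profile directories that are shared rather than per-user. Leaving
# these as-is is an assumption of this example: collapsing them into the
# placeholder would hide genuinely distinct locations (e.g. Public\Downloads).
SHARED_PROFILES = {"public", "default", "default user", "all users"}

# Windows: optional drive letter, one or more backslashes (tolerates the
# JSON-escaped "\\Users\\fred\\" form as well as decoded paths), "Users",
# then the profile name up to the next backslash or quote. Usernames may
# contain spaces, so the name is matched lazily rather than stopping at
# whitespace. Case-insensitive because NTFS paths are.
_WIN_RE = re.compile(r'(?i)((?:[a-z]:)?\\+users\\+)([^\\"]+?)(?=\\|"|$)')

# Linux / macOS home directories: /home/<user>/ and /Users/<user>/.
_NIX_RE = re.compile(r'(/(?:home|Users)/)([^/\s"]+)')


def normalize_user_path(value: str, placeholder: str = PLACEHOLDER) -> str:
    """Replace every per-user home-directory segment in ``value`` with ``placeholder``.

    Works on bare executable paths and on full command lines (every occurrence
    is replaced, not just the first).
    """

    def _win_sub(m: "re.Match[str]") -> str:
        if m.group(2).lower() in SHARED_PROFILES:
            return m.group(0)  # shared profile: keep verbatim
        return m.group(1) + placeholder

    value = _WIN_RE.sub(_win_sub, value)
    value = _NIX_RE.sub(lambda m: m.group(1) + placeholder, value)
    return value


def normalize_event(event: dict) -> dict:
    """Return a copy of an ECS-style event with normalized sibling fields added.

    The original ``process.executable`` / ``process.command_line`` values are
    left untouched so analysts still see the real path during triage; only the
    ``*_normalized`` copies are meant to feed the rare/anomaly job.
    """
    out = dict(event)
    proc = dict(out.get("process", {}))
    if "executable" in proc:
        proc["executable_normalized"] = normalize_user_path(proc["executable"])
    if "command_line" in proc:
        proc["command_line_normalized"] = normalize_user_path(proc["command_line"])
    out["process"] = proc
    return out


if __name__ == "__main__":
    # Constructed sample events modelled on the path in the question.
    sw_reporter = r"\AppData\Local\Google\Chrome\User Data\SwReporter\89.259.200\software_reporter_tool.exe"
    events = [
        {"process": {"executable": r"\Users\fred" + sw_reporter}},
        {"process": {"executable": r"\Users\mary" + sw_reporter}},
        {"process": {"executable": r"C:\Users\Public\Downloads\x.exe"}},
        {"process": {"command_line": r'"C:\Users\bob\tool.exe" -o C:\Users\bob\out.txt'}},
        {"process": {"executable": "/home/alice/.local/bin/tool"}},
    ]
    for ev in events:
        proc = normalize_event(ev)["process"]
        print(proc.get("executable_normalized") or proc.get("command_line_normalized"))
```

With this in place, fred's and mary's copies of software_reporter_tool.exe collapse to the same `executable_normalized` string, so the rare job counts one tool rather than one per user. Two caveats worth noting: the Unix pattern fires on any `/home/<x>/` or `/Users/<x>/` segment, including ones that appear inside URLs on a command line, so restrict it to `process.executable` if that matters in your data; and the per-version directory (`89.259.200` above) is a second, separate source of rarity noise that this example intentionally leaves alone.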
