Normalizing usernames in executable paths to reduce "rare" detection noise?

Elastic Security
#1

Is anyone "normalizing" executable or command line paths in the process schema?

We see some noise in our rare detections for processes that run under the user's home drive.

Considering changing "fred", "mary", "bob", and "alice" here:

"executable": "\\Users\\fred\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\89.259.200\\software_reporter_tool.exe",

to this, so that the ML job won't see each different user's instance of the same tool as an anomaly.

"executable": "\\Users\\##USERNAME##\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\89.259.200\\software_reporter_tool.exe",
1 Like
#2

So the Security Data Science team is exploring different ways to normalize process paths and command lines in event data. One effort that may be of interest is within the ProblemChild (Anomalous Parent-Child Process Events) Classifier set to be released in 7.13.

You can see the painless script for normalization here: examples/normalize_ppath.json at master · elastic/examples · GitHub

If you have other ideas or edge cases, pass them along!