Normalizing usernames in executable paths to reduce "rare" detection noise?

hukel · April 26, 2021, 4:15pm

Is anyone "normalizing" executable or command line paths in the process schema?

We see some noise in our rare detections for processes that run under the user's home drive.

Considering changing "fred", "mary", "bob", and "alice" here:

"executable": "\\Users\\fred\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\89.259.200\\software_reporter_tool.exe",

to this, so that the ML job won't see each different user's instance of the same tool as an anomaly.

"executable": "\\Users\\##USERNAME##\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\89.259.200\\software_reporter_tool.exe",

bfilar · April 27, 2021, 5:00pm

So the Security Data Science team is exploring different ways to normalize process paths and command lines in event data. One effort that may be of interest is within the ProblemChild (Anomalous Parent-Child Process Events) Classifier set to be released in 7.13.

You can see the painless script for normalization here: examples/normalize_ppath.json at master · elastic/examples · GitHub

If you have other ideas or edge cases, pass them along!

Topic		Replies	Views
Out of the Box ML jobs for Security Elasticsearch elastic-stack-machine-learning	4	724	July 1, 2022
Duplicate Windows User Names when filtering Beats winlogbeat	5	1135	April 20, 2017
ML Unsupervised question SIEM	3	450	February 6, 2023
Linux_anomalous_process_all_hosts_ecs apparently not only covering Linux, but full auditbeat SIEM elastic-stack-machine-learning	3	585	February 3, 2022
Pre-built set of rules still using SYSMON based detection (winlogbeat- *, event.code: 1, etc.) or using linguistic terms specific to an operating system (eg: Win 10 EN system user is SYSTEM, but Win 10 PT-BR system user is SISTEMA) Endpoint Security	2	766	December 1, 2020

Normalizing usernames in executable paths to reduce "rare" detection noise?

Related topics