github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-24 17:59:23 -04:00
Code Issues Projects Releases Packages Wiki Activity
Your window into the Elastic Stack
78458 commits 429 branches 496 tags 23 GiB
Find a file
Kibana Machine ac64f5216e
[8.x] [Security Solution] [Attack discovery] Includes the `user.target.name` field in the default Anonymization allow list to improve Attack discoveries (#193496) (#193564) 
# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] [Attack discovery] Includes the
`user.target.name` field in the default Anonymization allow
list to improve Attack discoveries
(#193496)](https://github.com/elastic/kibana/pull/193496)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Andrew
Macri","email":"andrew.macri@elastic.co"},"sourceCommit":{"committedDate":"2024-09-20T12:45:41Z","message":"[Security
Solution] [Attack discovery] Includes the `user.target.name` field in
the default Anonymization allow list to improve Attack discoveries
(#193496)\n\n## [Security Solution] [Attack discovery] Includes the
`user.target.name` field in the default Anonymization allow list to
improve Attack discoveries\r\n\r\n### Summary\r\n\r\nThis PR implements
<https://github.com/elastic/kibana/issues/193350> by adding the
`user.target.name` field to the default Anonymization allow
list.\r\n\r\nThe `user.target.name` field will be allowed and anonymized
by default.\r\n\r\nThe _Background_ section below describes the purpose
of this field, and how it improves Attack discoveries.\r\n\r\n###
Background\r\n\r\nIn the Elastic Common Schema (ECS), the
`user.target.name` field represents the targeted user of an action
taken. It is a member of the [Field sets that can be nested under
User](https://www.elastic.co/guide/en/ecs/current/ecs-user.html#ecs-user-nestings).\r\n\r\nSome
detection rules make a distinction between the user taking action, and
another account that's the _target_ of that action.\r\n\r\nFor example,
in the [User Added to Privileged
Group](https://www.elastic.co/guide/en/security/current/user-added-to-privileged-group.html)
detection rule:\r\n\r\n- The `user.name` field in the alert identifies
the account taking action; in this example the user _adding_ a member to
the `Administrators` group\r\n- The `user.target.name` field in the
alert specifies the account that's the _target_ of the action; in this
example it's the account _being added to_ the `Administrators`
group\r\n\r\nIncluding the `user.target.name` field in the default
Anonymization settings improves Attack discoveries, because it enables
the model to distinguish between the user taking action and the target
of that action when the `user.target.name` field is available, as
illustrated by the _Before_ and _After_ images
below:\r\n\r\n**Before**\r\n\r\n![before](d241be88-1cb1-4e13-a9ae-6328407c26ee)\r\n\r\n###
Desk testing\r\n\r\n1) Start a new (development) instance of
Elasticsearch:\r\n\r\n```sh\r\nyarn es snapshot -E
path.data=/Users/$USERNAME/data-2024-09-19a\r\n```\r\n\r\n2) Start a
local (development) instance of Kibana:\r\n\r\n```\r\nyarn start
--no-base-path\r\n````\r\n\r\n3) Login to Kibana as the `elastic`
user\r\n\r\n4) Navigate to Stack Management > License
management\r\n\r\n5) Click Start trial\r\n\r\n6) Navigate to Stack
Management > AI Assistants\r\n\r\n7) Click `Manage Settings` for the
security assistant\r\n\r\n8) Click Anonymization\r\n\r\n9) Enter
`user.target.name` in the search field\r\n\r\n**Expected
results**\r\n\r\n- The `user.target.name` field is `Allowed`\r\n- The
`user.target.name` field is `Anonymized`\r\n\r\nas illustrated by the
screenshot
below:\r\n\r\n![anonymization_settings](https://github.com/user-attachments/assets/625dda96-d77a-416f-b78b-d4ef57fd4890)","sha":"349a30789075f0ef907608987f8cb77247c5e8e3","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","v9.0.0","Team:
SecuritySolution","backport:prev-minor","Team:Security Generative
AI","v8.16.0","v8.15.2"],"title":"[Security Solution] [Attack discovery]
Includes the `user.target.name` field in the default Anonymization allow
list to improve Attack
discoveries","number":193496,"url":"https://github.com/elastic/kibana/pull/193496","mergeCommit":{"message":"[Security
Solution] [Attack discovery] Includes the `user.target.name` field in
the default Anonymization allow list to improve Attack discoveries
(#193496)\n\n## [Security Solution] [Attack discovery] Includes the
`user.target.name` field in the default Anonymization allow list to
improve Attack discoveries\r\n\r\n### Summary\r\n\r\nThis PR implements
<https://github.com/elastic/kibana/issues/193350> by adding the
`user.target.name` field to the default Anonymization allow
list.\r\n\r\nThe `user.target.name` field will be allowed and anonymized
by default.\r\n\r\nThe _Background_ section below describes the purpose
of this field, and how it improves Attack discoveries.\r\n\r\n###
Background\r\n\r\nIn the Elastic Common Schema (ECS), the
`user.target.name` field represents the targeted user of an action
taken. It is a member of the [Field sets that can be nested under
User](https://www.elastic.co/guide/en/ecs/current/ecs-user.html#ecs-user-nestings).\r\n\r\nSome
detection rules make a distinction between the user taking action, and
another account that's the _target_ of that action.\r\n\r\nFor example,
in the [User Added to Privileged
Group](https://www.elastic.co/guide/en/security/current/user-added-to-privileged-group.html)
detection rule:\r\n\r\n- The `user.name` field in the alert identifies
the account taking action; in this example the user _adding_ a member to
the `Administrators` group\r\n- The `user.target.name` field in the
alert specifies the account that's the _target_ of the action; in this
example it's the account _being added to_ the `Administrators`
group\r\n\r\nIncluding the `user.target.name` field in the default
Anonymization settings improves Attack discoveries, because it enables
the model to distinguish between the user taking action and the target
of that action when the `user.target.name` field is available, as
illustrated by the _Before_ and _After_ images
below:\r\n\r\n**Before**\r\n\r\n![before](d241be88-1cb1-4e13-a9ae-6328407c26ee)\r\n\r\n###
Desk testing\r\n\r\n1) Start a new (development) instance of
Elasticsearch:\r\n\r\n```sh\r\nyarn es snapshot -E
path.data=/Users/$USERNAME/data-2024-09-19a\r\n```\r\n\r\n2) Start a
local (development) instance of Kibana:\r\n\r\n```\r\nyarn start
--no-base-path\r\n````\r\n\r\n3) Login to Kibana as the `elastic`
user\r\n\r\n4) Navigate to Stack Management > License
management\r\n\r\n5) Click Start trial\r\n\r\n6) Navigate to Stack
Management > AI Assistants\r\n\r\n7) Click `Manage Settings` for the
security assistant\r\n\r\n8) Click Anonymization\r\n\r\n9) Enter
`user.target.name` in the search field\r\n\r\n**Expected
results**\r\n\r\n- The `user.target.name` field is `Allowed`\r\n- The
`user.target.name` field is `Anonymized`\r\n\r\nas illustrated by the
screenshot
below:\r\n\r\n![anonymization_settings](https://github.com/user-attachments/assets/625dda96-d77a-416f-b78b-d4ef57fd4890)","sha":"349a30789075f0ef907608987f8cb77247c5e8e3"}},"sourceBranch":"main","suggestedTargetBranches":["8.x","8.15"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/193496","number":193496,"mergeCommit":{"message":"[Security
Solution] [Attack discovery] Includes the `user.target.name` field in
the default Anonymization allow list to improve Attack discoveries
(#193496)\n\n## [Security Solution] [Attack discovery] Includes the
`user.target.name` field in the default Anonymization allow list to
improve Attack discoveries\r\n\r\n### Summary\r\n\r\nThis PR implements
<https://github.com/elastic/kibana/issues/193350> by adding the
`user.target.name` field to the default Anonymization allow
list.\r\n\r\nThe `user.target.name` field will be allowed and anonymized
by default.\r\n\r\nThe _Background_ section below describes the purpose
of this field, and how it improves Attack discoveries.\r\n\r\n###
Background\r\n\r\nIn the Elastic Common Schema (ECS), the
`user.target.name` field represents the targeted user of an action
taken. It is a member of the [Field sets that can be nested under
User](https://www.elastic.co/guide/en/ecs/current/ecs-user.html#ecs-user-nestings).\r\n\r\nSome
detection rules make a distinction between the user taking action, and
another account that's the _target_ of that action.\r\n\r\nFor example,
in the [User Added to Privileged
Group](https://www.elastic.co/guide/en/security/current/user-added-to-privileged-group.html)
detection rule:\r\n\r\n- The `user.name` field in the alert identifies
the account taking action; in this example the user _adding_ a member to
the `Administrators` group\r\n- The `user.target.name` field in the
alert specifies the account that's the _target_ of the action; in this
example it's the account _being added to_ the `Administrators`
group\r\n\r\nIncluding the `user.target.name` field in the default
Anonymization settings improves Attack discoveries, because it enables
the model to distinguish between the user taking action and the target
of that action when the `user.target.name` field is available, as
illustrated by the _Before_ and _After_ images
below:\r\n\r\n**Before**\r\n\r\n![before](d241be88-1cb1-4e13-a9ae-6328407c26ee)\r\n\r\n###
Desk testing\r\n\r\n1) Start a new (development) instance of
Elasticsearch:\r\n\r\n```sh\r\nyarn es snapshot -E
path.data=/Users/$USERNAME/data-2024-09-19a\r\n```\r\n\r\n2) Start a
local (development) instance of Kibana:\r\n\r\n```\r\nyarn start
--no-base-path\r\n````\r\n\r\n3) Login to Kibana as the `elastic`
user\r\n\r\n4) Navigate to Stack Management > License
management\r\n\r\n5) Click Start trial\r\n\r\n6) Navigate to Stack
Management > AI Assistants\r\n\r\n7) Click `Manage Settings` for the
security assistant\r\n\r\n8) Click Anonymization\r\n\r\n9) Enter
`user.target.name` in the search field\r\n\r\n**Expected
results**\r\n\r\n- The `user.target.name` field is `Allowed`\r\n- The
`user.target.name` field is `Anonymized`\r\n\r\nas illustrated by the
screenshot
below:\r\n\r\n![anonymization_settings](https://github.com/user-attachments/assets/625dda96-d77a-416f-b78b-d4ef57fd4890)","sha":"349a30789075f0ef907608987f8cb77247c5e8e3"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.15","label":"v8.15.2","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Andrew Macri <andrew.macri@elastic.co>
2024-09-20 09:32:49 -05:00
.buildkite [8.x] [ES|QL] Enhances the inline documentation experience (#192156) (#193444) 2024-09-19 11:38:58 -05:00
.devcontainer Add Kibana Dev Container (#188887) 2024-08-26 14:38:45 -07:00
.github [8.x] Prepare branch (#192528) 2024-09-12 16:24:06 -05:00
api_docs [api-docs] 2024-09-12 Daily api_docs build (#192656) 2024-09-12 04:56:23 +00:00
config [Fleet] Update Package Spec max version to 3.2 (#192493) 2024-09-12 05:38:26 -05:00
dev_docs [8.x] [Feature Flags Service] Hello world 👋 (#188562) (#193519) 2024-09-20 12:21:41 +02:00
docs [8.x] [DOCS] Remove &quot;Save changes&quot; statement from the query page of the Playground (#192945) (#193586) 2024-09-20 14:17:05 +00:00
examples [8.x] [Feature Flags Service] Hello world 👋 (#188562) (#193519) 2024-09-20 12:21:41 +02:00
kbn_pm Adds AGPL 3.0 license (#192025) 2024-09-06 19:02:41 -06:00
legacy_rfcs rename @elastic/* packages to @kbn/* (#138957) 2022-08-18 08:54:42 -07:00
licenses Adds AGPL 3.0 license (#192025) 2024-09-06 19:02:41 -06:00
oas_docs [8.x] [ResponseOps][Rules] Add OAS schema for handled 4xx errors on rule apis (#192616) (#193454) 2024-09-19 13:32:07 -05:00
packages [8.x] [APM][ECO] Service name and trace id links on Logs Explorer and Discover (#192349) (#193276) 2024-09-20 13:21:58 +02:00
plugins
scripts Adds AGPL 3.0 license (#192025) 2024-09-06 19:02:41 -06:00
src [8.x] [Console] Add remote_indices to autocomplete overrides (#193403) (#193538) 2024-09-20 07:37:47 -05:00
test [8.x] [Console] Fix and skip flaky tests (#193508) (#193527) 2024-09-20 14:50:32 +02:00
typings Adds AGPL 3.0 license (#192025) 2024-09-06 19:02:41 -06:00
x-pack [8.x] [Security Solution] [Attack discovery] Includes the &#x60;user.target.name&#x60; field in the default Anonymization allow list to improve Attack discoveries (#193496) (#193564) 2024-09-20 09:32:49 -05:00
.backportrc.json chore(NA): adds 8.16 into backportrc (#187530) 2024-07-04 19:09:25 +01:00
.bazelignore Remove references to deleted .ci folder (#177168) 2024-02-20 19:54:21 +01:00
.bazeliskversion chore(NA): upgrade bazelisk into v1.11.0 (#125070) 2022-02-09 20:43:57 +00:00
.bazelrc chore(NA): use new and more performant BuildBuddy servers (#130350) 2022-04-18 02:01:38 +01:00
.bazelrc.common Transpile packages on demand, validate all TS projects (#146212) 2022-12-22 19:00:29 -06:00
.bazelversion chore(NA): revert bazel upgrade for v5.2.0 (#135096) 2022-06-24 03:57:21 +01:00
.browserslistrc Add Firefox ESR to browserlistrc (#184462) 2024-05-29 17:53:18 -05:00
.editorconfig
.eslintignore [ES|QL] New @kbn/esql-services package (#179029) 2024-03-27 14:39:48 +01:00
.eslintrc.js Adds AGPL 3.0 license (#192025) 2024-09-06 19:02:41 -06:00
.gitattributes
.gitignore [ON-WEEK][POC] Playwright (#190803) 2024-09-06 13:09:18 +02:00
.i18nrc.json [Inventory] Inventory plugin (#191798) 2024-09-12 15:07:09 +02:00
.node-version Upgrade Node.js to 20.15.1 (#187791) 2024-07-15 12:34:07 -05:00
.npmrc [npmrc] Fix puppeteer_skip_download configuration (#177673) 2024-02-22 18:59:01 -07:00
.nvmrc Upgrade Node.js to 20.15.1 (#187791) 2024-07-15 12:34:07 -05:00
.prettierignore
.prettierrc
.puppeteerrc Add .puppeteerrc (#179847) 2024-04-03 09:14:39 -05:00
.stylelintignore
.stylelintrc Bump stylelint to ^14 (#136693) 2022-07-20 10:11:00 -05:00
.telemetryrc.json [Telemetry] Fix telemetry-tools TS parser for packages (#149819) 2023-01-31 04:09:09 +03:00
.yarnrc
BUILD.bazel Transpile packages on demand, validate all TS projects (#146212) 2022-12-22 19:00:29 -06:00
catalog-info.yaml [sonarqube] Disable cron (#190611) 2024-08-15 09:19:09 -05:00
CODE_OF_CONDUCT.md
CONTRIBUTING.md Update doc slugs to improve analytic tracking, move to appropriate folders (#113630) 2021-10-04 13:36:45 -04:00
FAQ.md Fix small typos in the root md files (#134609) 2022-06-23 09:36:11 -05:00
fleet_packages.json [8.x] Sync bundled packages with Package Storage (#193164) 2024-09-18 11:59:26 +00:00
github_checks_reporter.json
kibana.d.ts Adds AGPL 3.0 license (#192025) 2024-09-06 19:02:41 -06:00
LICENSE.txt Adds AGPL 3.0 license (#192025) 2024-09-06 19:02:41 -06:00
NOTICE.txt Upgrade FullStory snippet (#189960) 2024-08-23 12:17:21 -05:00
package.json [8.x] [Feature Flags Service] Hello world 👋 (#188562) (#193519) 2024-09-20 12:21:41 +02:00
preinstall_check.js Adds AGPL 3.0 license (#192025) 2024-09-06 19:02:41 -06:00
README.md [README] Update version Compatibility with Elasticsearch (#116040) 2022-01-10 10:31:21 -05:00
renovate.json [8.x] [Feature Flags Service] Hello world 👋 (#188562) (#193519) 2024-09-20 12:21:41 +02:00
RISK_MATRIX.mdx
run_fleet_setup_parallel.sh [Fleet] Prevent concurrent runs of Fleet setup (#183636) 2024-05-31 16:38:51 +02:00
SECURITY.md
sonar-project.properties [sonarqube] update memory, cpu (#190547) 2024-09-09 16:16:30 -05:00
STYLEGUIDE.mdx [styleguide] update path to scss theme (#140742) 2022-09-15 10:41:14 -04:00
tsconfig.base.json [8.x] chore(tsconfig): uncomment option &#x60;moduleDetection&#x60; (#191834) (#193481) 2024-09-20 05:24:14 -05:00
tsconfig.browser.json
tsconfig.browser_bazel.json
tsconfig.json Transpile packages on demand, validate all TS projects (#146212) 2022-12-22 19:00:29 -06:00
TYPESCRIPT.md Fix small typos in the root md files (#134609) 2022-06-23 09:36:11 -05:00
versions.json [ci] Update version tracking for 7.17.25 (#192477) 2024-09-10 20:54:04 -05:00
WORKSPACE.bazel chore(NA): remove usage of re2 and replace it with a non native module (#188134) 2024-07-15 20:33:28 +01:00
yarn.lock [8.x] [Feature Flags Service] Hello world 👋 (#188562) (#193519) 2024-09-20 12:21:41 +02:00

README.md

Kibana

Kibana is your window into the Elastic Stack. Specifically, it's a browser-based analytics and search dashboard for Elasticsearch.

Getting Started

If you just want to try Kibana out, check out the Elastic Stack Getting Started Page to give it a whirl.

If you're interested in diving a bit deeper and getting a taste of Kibana's capabilities, head over to the Kibana Getting Started Page.

Using a Kibana Release

If you want to use a Kibana release in production, give it a test run, or just play around:

Building and Running Kibana, and/or Contributing Code

You might want to build Kibana locally to contribute some code, test out the latest features, or try out an open PR:

Documentation

Visit Elastic.co for the full Kibana documentation.

For information about building the documentation, see the README in elastic/docs.

Version Compatibility with Elasticsearch

Ideally, you should be running Elasticsearch and Kibana with matching version numbers. If your Elasticsearch has an older version number or a newer major number than Kibana, then Kibana will fail to run. If Elasticsearch has a newer minor or patch number than Kibana, then the Kibana Server will log a warning.

Note: The version numbers below are only examples, meant to illustrate the relationships between different types of version numbers.

Situation Example Kibana version Example ES version Outcome
Versions are the same. 7.15.1 7.15.1 💚 OK
ES patch number is newer. 7.15.0 7.15.1 ⚠️ Logged warning
ES minor number is newer. 7.14.2 7.15.0 ⚠️ Logged warning
ES major number is newer. 7.15.1 8.0.0 🚫 Fatal error
ES patch number is older. 7.15.1 7.15.0 ⚠️ Logged warning
ES minor number is older. 7.15.1 7.14.2 🚫 Fatal error
ES major number is older. 8.0.0 7.15.1 🚫 Fatal error

Questions? Problems? Suggestions?

  • If you've found a bug or want to request a feature, please create a GitHub Issue. Please check to make sure someone else hasn't already created an issue for the same topic.
  • Need help using Kibana? Ask away on our Kibana Discuss Forum and a fellow community member or Elastic engineer will be glad to help you out.