Refactor and re-enable per-field validation of risk events
cmcginley-splunk opened this issue · 0 comments
cmcginley-splunk commented
- Originally, we tried to enforce that every field seen in an observable must be an attribute in every single risk event
- In practice this does not seem to be the case, for two different reasons:
  - Sparsely populated fields (some returned search results don't have all fields, and thus those fields don't exist in some risk objects); see the 'dest' field in Windows Steal Authentication Certificates - ESC1 Abuse for an example
  - Certain computed fields (e.g. when user is computed) may not be available in the risk event; see Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos for an example
- The former of these possibilities is more confusing and the solution is less clear
- Resolution of this issue may involve closing it w/o fixing
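The following is an added example of what a relaxed per-field check could look like; it is not contentctl code and not code from the issue author. It assumes a simplified risk-event shape (a list of dicts, one per event in the risk index) and a list of observable field names taken from the detection; the sample events, the `computed_fields` allow-list and the `strict` switch are all assumptions for illustration. The original rule (every observable field in every risk event) is kept as `strict=True`; the default mode accepts sparsely populated fields as long as the field appears in at least one event, and exempts declared computed fields from the presence requirement entirely.

```python
"""Per-field validation of risk events against a detection's observables.

Added example, not contentctl's implementation. Risk events are modelled as
plain dicts (constructed below); real events have many more attributes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldReport:
    field: str
    seen_in: int   # number of risk events in which the field is populated
    total: int     # number of risk events examined
    ok: bool
    reason: str


def validate_risk_events(observable_fields, risk_events,
                         computed_fields=frozenset(), strict=False):
    """Check each observable field against the returned risk events.

    strict=True reproduces the original rule: a field missing from any single
    event fails. strict=False accepts sparsely populated fields (present in at
    least one event) and never requires fields listed in computed_fields,
    since those are derived in the search and may not reach the risk event.
    """
    total = len(risk_events)
    reports = []
    for name in observable_fields:
        # Treat None and empty string as "not populated"; Splunk drops empty
        # fields from results, so both cases mean the field is absent.
        seen = sum(1 for ev in risk_events if ev.get(name) not in (None, ""))
        if name in computed_fields:
            ok, reason = True, "computed field; presence in risk events not required"
        elif seen == 0:
            ok, reason = False, "field never appears in any risk event"
        elif seen < total:
            ok = not strict
            reason = ("sparsely populated (rejected in strict mode)" if strict
                      else "sparsely populated (accepted)")
        else:
            ok, reason = True, "present in every risk event"
        reports.append(FieldReport(name, seen, total, ok, reason))
    return reports


def validation_passes(reports):
    """True only if every observable field passed its per-field check."""
    return all(r.ok for r in reports)


# Constructed sample: three risk events from an ESC1-style detection. 'src'
# is present in all, 'dest' only in two (sparse), 'user' is a computed field
# that never reaches the event, and 'signature_id' is simply never returned.
SAMPLE_RISK_EVENTS = [
    {"risk_object": "CORP\\alice", "risk_object_type": "user", "risk_score": 60,
     "src": "10.0.0.5", "dest": "CA01"},
    {"risk_object": "CORP\\bob", "risk_object_type": "user", "risk_score": 60,
     "src": "10.0.0.9", "dest": "CA01"},
    {"risk_object": "CORP\\carol", "risk_object_type": "user", "risk_score": 60,
     "src": "10.0.0.12"},
]

OBSERVABLE_FIELDS = ["src", "dest", "user", "signature_id"]


if __name__ == "__main__":
    reports = validate_risk_events(OBSERVABLE_FIELDS, SAMPLE_RISK_EVENTS,
                                   computed_fields={"user"})
    for r in reports:
        print(f"{r.field:13} {r.seen_in}/{r.total} {'OK  ' if r.ok else 'FAIL'} {r.reason}")
    print("overall:", "pass" if validation_passes(reports) else "fail")
```

Run as written, 'signature_id' is the only failure: it is neither computed nor present anywhere, which is the one case that still indicates a genuine mismatch between the detection's observables and its output. Switching to `strict=True` would also reject 'dest', reproducing the original behaviour described in the issue.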