From 44535cba8c0403ed3797a98d5d4ab8d1e28b873b Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Tue, 4 Mar 2025 06:46:56 -0500
Subject: [PATCH] FIX: Elastic Agent Security Events dashboard should reference user.effective.name #14325
---
 salt/soc/defaults.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 665b4106b..962d1096b 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1256,7 +1256,7 @@ soc:
 - soc_timestamp
 - event.dataset
 - host.name
- - user.name
+ - user.effective.name
 - process.executable
 - event.action
 - event.outcome
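Review bot: After this substitution the Elastic Agent Security Events column list here, and the matching groupby query in the second hunk (@@ -1918), no longer reference user.name at all, so any endpoint.events.security document that carries user.name but not user.effective.name would presumably fall out of the user-based sankey and show an empty user column. The neighbouring registry and Host Overview dashboards in the same hunk still group on user.name, so a reader comparing them has no way to tell this difference is deliberate. If the security dataset is known to populate user.effective.name rather than user.name, a comment above the column list such as `# endpoint.events.security populates user.effective.name, not user.name (#14325)` would record that and prevent a well-meaning revert. Otherwise consider keeping both pivots in the query, e.g. `| groupby user.effective.name | groupby user.name`, so attribution is not lost for events that only set one of the two.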
@@ -1918,7 +1918,7 @@ soc:
 query: 'event.dataset:endpoint.events.registry | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby -sankey user.name process.name | groupby process.name | groupby event.action | groupby registry.path'
 - name: Elastic Agent Security Events
 description: Security events from Elastic Agents
- query: 'event.dataset:endpoint.events.security | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby -sankey user.name process.executable | groupby process.executable | groupby event.action | groupby event.outcome'
+ query: 'event.dataset:endpoint.events.security | groupby host.name | groupby -sankey host.name user.effective.name | groupby user.effective.name | groupby -sankey user.effective.name process.executable | groupby process.executable | groupby event.action | groupby event.outcome'
 - name: Host Overview
 description: Overview of all host data types
 query: '((event.category:registry OR event.category:host OR event.category:process OR event.category:driver OR event.category:configuration) OR (event.category:file AND _exists_:process.executable) OR (event.category:network AND _exists_:host.name)) | groupby event.dataset* event.category* event.action* | groupby event.type | groupby -sankey event.type host.name | groupby host.name | groupby user.name | groupby file.name | groupby process.executable'