A newer version is available. For the latest information, see the
current release documentation.
Auditbeat anomaly detection configurations
editAuditbeat anomaly detection configurations
editThese anomaly detection job wizards appear in Kibana if you use
Auditbeat to audit process activity on your
systems. For more details, see the datafeed and job definitions in the
auditbeat_*
folders in
GitHub.
These configurations are only available if data exists that matches the recognizer query specified in the manifest file.
- docker_high_count_process_events_ecs
-
-
For Auditbeat data where
event.module
isauditd
andcontainer.runtime
isdocker
. -
Models process execution rates for each
container.name
. - Detects unusual increases in process execution rates in Docker containers.
-
For Auditbeat data where
- docker_rare_process_activity_ecs
-
-
For Auditbeat data where
event.module
isauditd
andcontainer.runtime
isdocker
. -
Models occurrences of process execution for each
container.name
. - Detects rare process executions in Docker containers.
-
For Auditbeat data where
These configurations are only available if data exists that matches the recognizer query specified in the manifest file.
- hosts_high_count_process_events_ecs
-
-
For Auditbeat data where
event.module
isauditd
. -
Models process execution rates for each
host.name
. - Detects unusual increases in process execution rates.
-
For Auditbeat data where
- hosts_rare_process_activity_ecs
-
-
For Auditbeat data where
event.module
isauditd
. -
Models process execution rates for each
host.name
. - Detects rare process executions on hosts.
-
For Auditbeat data where