Auditbeat

These anomaly detection job wizards appear in Kibana if you use Auditbeat to audit process activity on your systems.

docker_high_count_process_events_ecs
  • For Auditbeat data where event.module is auditd and container.runtime is docker.
  • Models process execution rates (partition_field_name is container.name).
  • Detects unusual increases in process execution rates in Docker containers (using the high_count function).
docker_rare_process_activity_ecs
  • For Auditbeat data where event.module is auditd and container.runtime is docker.
  • Models occurrences of process execution (partition_field_name is container.name).
  • Detects rare process executions in Docker containers (using the rare function).
hosts_high_count_process_events_ecs
  • For Auditbeat data where event.module is auditd.
  • Models process execution rates (partition_field_name is host.name).
  • Detects unusual increases in process execution rates (using the high_non_zero_count function).
hosts_rare_process_activity_ecs
  • For Auditbeat data where event.module is auditd.
  • Models process execution rates (partition_field_name is host.name).
  • Detects rare process executions on hosts (using the rare function).
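
As an added illustration, not the job definitions the wizards create, the bullets for docker_rare_process_activity_ecs map onto an anomaly detection job plus its datafeed through the Elasticsearch machine learning APIs: the event.module and container.runtime conditions become the datafeed query filter, and the function and partition_field_name become the detector. The bucket_span, the by_field_name process.name, the influencers, the index pattern and the datafeed id are assumptions; the other three jobs follow the same shape with the function and partition_field_name from their own bullets, and the hosts_* jobs drop the container.runtime filter.

```console
PUT _ml/anomaly_detectors/docker_rare_process_activity_ecs
{
  "description": "Rare process executions in Docker containers (Auditbeat auditd)",
  "analysis_config": {
    "bucket_span": "15m",
    "detectors": [
      {
        "detector_description": "rare by process.name partitioned by container.name",
        "function": "rare",
        "by_field_name": "process.name",
        "partition_field_name": "container.name"
      }
    ],
    "influencers": ["container.name", "process.name"]
  },
  "data_description": {
    "time_field": "@timestamp"
  }
}

PUT _ml/datafeeds/datafeed-docker_rare_process_activity_ecs
{
  "job_id": "docker_rare_process_activity_ecs",
  "indices": ["auditbeat-*"],
  "query": {
    "bool": {
      "filter": [
        { "term": { "event.module": "auditd" } },
        { "term": { "container.runtime": "docker" } }
      ]
    }
  }
}
```

For docker_high_count_process_events_ecs the detector would instead be {"function": "high_count", "partition_field_name": "container.name"} with no by_field_name, since a count function needs no field to count.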