IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« APM anomaly detection configurations Logs anomaly detection configurations »
Elastic Docs Machine Learning in the Elastic Stack [7.8] Anomaly detection Supplied anomaly detection configurations

Auditbeat anomaly detection configurations

edit

Auditbeat anomaly detection configurations

edit

These anomaly detection job wizards appear in Kibana if you use Auditbeat to audit process activity on your systems. For more details, see the datafeed and job definitions in the auditbeat_* folders in GitHub.

docker_high_count_process_events_ecs
  • For Auditbeat data where event.module is auditd and container.runtime is docker.
  • Models process execution rates (partition_field_name is container.name).
  • Detects unusual increases in process execution rates in Docker containers (using the high_count function).
docker_rare_process_activity_ecs
  • For Auditbeat data where event.module is auditd and container.runtime is docker.
  • Models occurrences of process execution (partition_field_name is container.name).
  • Detects rare process executions in Docker containers (using the rare function).
hosts_high_count_process_events_ecs
  • For Auditbeat data where event.module is auditd.
  • Models process execution rates (partition_field_name is host.name).
  • Detects unusual increases in process execution rates (using the high_non_zero_count function).
hosts_rare_process_activity_ecs
  • For Auditbeat data where event.module is auditd.
  • Models process execution rates (partition_field_name is host.name).
  • Detects rare process executions on hosts (using the rare function).
« APM anomaly detection configurations Logs anomaly detection configurations »