IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Auditbeat anomaly detection configurations
These anomaly detection job wizards appear in Kibana if you use Auditbeat to audit process activity on your systems. For more details, see the datafeed and job definitions in the auditbeat_* folders in GitHub.
- docker_high_count_process_events_ecs
  - For Auditbeat data where event.module is auditd and container.runtime is docker.
  - Models process execution rates (partition_field_name is container.name).
  - Detects unusual increases in process execution rates in Docker containers (using the high_count function).
- docker_rare_process_activity_ecs
  - For Auditbeat data where event.module is auditd and container.runtime is docker.
  - Models occurrences of process execution (partition_field_name is container.name).
  - Detects rare process executions in Docker containers (using the rare function).
- hosts_high_count_process_events_ecs
  - For Auditbeat data where event.module is auditd.
  - Models process execution rates (partition_field_name is host.name).
  - Detects unusual increases in process execution rates on hosts (using the high_non_zero_count function, which ignores empty buckets, so a host that only reports intermittently is modeled on the buckets in which it was active rather than flagged every time it reports).
- hosts_rare_process_activity_ecs
  - For Auditbeat data where event.module is auditd.
  - Models occurrences of process execution (partition_field_name is host.name).
  - Detects rare process executions on hosts (using the rare function).
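As an added example (not Elastic's shipped job or datafeed definitions, which live in the auditbeat_* folders referenced above), the following Python rebuilds the four job and datafeed bodies from the descriptions and runs simplified stand-ins for the high_count, high_non_zero_count and rare functions over constructed Auditbeat events. The 15-minute bucket span, the by-field process.name for the rare detectors, the illustrative description/groups/influencers/indices values, the "3x the baseline mean" rule with a three-bucket warm-up, and the events themselves are all assumptions of this example, not the behaviour of the real ML model.

```python
# Added example, not Elastic's shipped configuration: rebuilds the four job and
# datafeed definitions from the descriptions above and simulates, on constructed
# Auditbeat events, what each detector function would flag. Bucket span, by-field,
# the "3x the baseline mean" rule and the warm-up are assumptions standing in for
# the real ML model; the sample events are constructed for this example.
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

BUCKET_SPAN_MIN = 15          # assumption; the shipped jobs set their own bucket_span
BY_FIELD = "process.name"     # assumption: the field the rare detectors split on
SPAN = BUCKET_SPAN_MIN * 60
JOBS = {  # job_id: (function, partition_field_name, docker_only)
    "docker_high_count_process_events_ecs": ("high_count", "container.name", True),
    "docker_rare_process_activity_ecs": ("rare", "container.name", True),
    "hosts_high_count_process_events_ecs": ("high_non_zero_count", "host.name", False),
    "hosts_rare_process_activity_ecs": ("rare", "host.name", False),
}

def job_body(job_id):
    """Body for PUT _ml/anomaly_detectors/<job_id> (description/groups/influencers are illustrative)."""
    function, partition, _ = JOBS[job_id]
    detector = {"function": function, "partition_field_name": partition}
    if function == "rare":
        detector["by_field_name"] = BY_FIELD
    return {"description": f"Auditbeat process activity: {job_id}",
            "groups": ["auditbeat", "process"],
            "analysis_config": {"bucket_span": f"{BUCKET_SPAN_MIN}m",
                                "detectors": [detector],
                                "influencers": [partition, BY_FIELD]},
            "data_description": {"time_field": "@timestamp"}}

def datafeed_body(job_id):
    """Body for PUT _ml/datafeeds/datafeed-<job_id>: the term filters the descriptions state."""
    filters = [{"term": {"event.module": "auditd"}}]
    if JOBS[job_id][2]:
        filters.append({"term": {"container.runtime": "docker"}})
    return {"job_id": job_id, "indices": ["auditbeat-*"], "query": {"bool": {"filter": filters}}}

def feed(job_id, events):
    """The events the datafeed would deliver to the job after applying its term filters."""
    terms = [t["term"] for t in datafeed_body(job_id)["query"]["bool"]["filter"]]
    return [e for e in events if all(e.get(f) == v for t in terms for f, v in t.items())]

def bucket(ts):
    s = int(ts.timestamp())
    return s - s % SPAN  # bucket start, epoch seconds

def iso(b):
    return datetime.fromtimestamp(b, timezone.utc).isoformat()

def count_anomalies(events, partition, nonzero_only, factor=3.0, warmup=3):
    """Stand-in for high_count / high_non_zero_count: per partition, count events per bucket
    and flag a bucket whose count exceeds factor x the mean of the buckets before it.
    high_count keeps empty buckets in that baseline, so a partition that reports only now
    and then is flagged every time it does report; high_non_zero_count drops them."""
    per_part = defaultdict(Counter)
    for e in events:
        per_part[e[partition]][bucket(e["@timestamp"])] += 1
    flagged = []
    for part, counts in per_part.items():
        series = [(b, counts.get(b, 0)) for b in range(min(counts), max(counts) + SPAN, SPAN)]
        if nonzero_only:
            series = [(b, c) for b, c in series if c]
        for i, (b, c) in enumerate(series):
            base = [c0 for _, c0 in series[:i]]
            if len(base) >= warmup and c > factor * sum(base) / len(base):
                flagged.append((part, iso(b), c))
    return sorted(flagged)

def rare_anomalies(events, partition, warmup=3):
    """Stand-in for rare: a BY_FIELD value seen in only one bucket of a partition that has
    already been observed over at least `warmup` buckets. Rarity is judged per partition,
    so a process that is routine in one container is still rare in another."""
    seen = defaultdict(lambda: defaultdict(set))  # partition -> value -> buckets seen in
    for e in events:
        seen[e[partition]][e[BY_FIELD]].add(bucket(e["@timestamp"]))
    flagged = []
    for part, values in seen.items():
        if len(set().union(*values.values())) >= warmup:
            flagged += [(part, v, iso(min(bs))) for v, bs in values.items() if len(bs) == 1]
    return sorted(flagged)

def run_job(job_id, events):
    function, partition, _ = JOBS[job_id]
    fed = feed(job_id, events)
    if function == "rare":
        return rare_anomalies(fed, partition)
    return count_anomalies(fed, partition, nonzero_only=(function == "high_non_zero_count"))

# Constructed sample: three hosts, two Docker containers, one containerd container.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)

def ev(minute, host, proc, container=None, runtime="docker", module="auditd"):
    e = {"@timestamp": T0 + timedelta(minutes=minute), "event.module": module,
         "host.name": host, "process.name": proc}
    if container:
        e.update({"container.runtime": runtime, "container.name": container})
    return e

SAMPLE = (
    # web-1: nginx and sh every bucket, then a burst of sh and a one-off nc in the 03:00 bucket
    [ev(15 * k + m, "node-a", p, "web-1") for k in range(12) for m, p in ((1, "nginx"), (2, "sh"))]
    + [ev(181 + m, "node-a", "sh", "web-1") for m in range(10)] + [ev(191, "node-a", "nc", "web-1")]
    # util-1 on the same host runs nc routinely, so nc is not rare at host level
    + [ev(15 * k + 5, "node-a", "nc", "util-1") for k in range(13)]
    # node-b: an hourly batch with no containers, plus a one-off curl at 02:06
    + [ev(15 * k + m, "node-b", p) for k in (0, 4, 8) for m, p in ((3, "cron"), (4, "sh"), (5, "backup"))]
    + [ev(126, "node-b", "curl")]
    # node-c: a containerd workload, excluded from the docker jobs by container.runtime
    + [ev(15 * k + 7, "node-c", "java", "svc-1", runtime="containerd") for k in range(6)]
    # not an auditd event; the datafeed filter drops it for every job
    + [ev(7, "node-a", "sshd", module="system")]
)

if __name__ == "__main__":
    for job_id in JOBS:
        print(job_id, run_job(job_id, SAMPLE))
    print("plain high_count on the hosts feed:",
          count_anomalies(feed("hosts_high_count_process_events_ecs", SAMPLE), "host.name", False))
```

Two things the run shows that the job list alone does not. First, partition_field_name decides what "rare" means: nc is flagged by docker_rare_process_activity_ecs for container web-1, but hosts_rare_process_activity_ecs does not flag it on node-a because util-1 on the same host runs nc every bucket. Second, the last line shows why the hosts job uses high_non_zero_count rather than high_count: with empty buckets in the baseline, node-b's hourly batch is flagged at 01:00 and 02:00 even though it is routine, whereas the non-zero variant only reports the real burst on node-a.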