mirror of
https://github.com/elastic/kibana.git
synced 2025-04-24 01:38:56 -04:00
* [ML] Fixes errors in JSON of SIEM module job configurations * [ML] Fixes queries in custom URLs for two SIEM jobs
This commit is contained in:
Pete Harverson
GitHub
parent
567288216b
commit
b06d553ea0
9 changed files with 180 additions and 292 deletions
|
|
@ -1,14 +0,0 @@
|
|||
{
|
||||
"job_id": "JOB_ID",
|
||||
"indices": [
|
||||
"INDEX_PATTERN_NAME"
|
||||
],
|
||||
"max_empty_searches": 10,
|
||||
"query": {
|
||||
"bool": {
|
||||
"filter": {
|
||||
"term": { "event.category": "authentication" }
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -15,52 +15,39 @@
|
|||
"by_field_name": "process.name"
|
||||
}
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "rare by \"process.name\"",
|
||||
"function": "rare",
|
||||
"by_field_name": "process.name"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"host.name",
|
||||
"process.name",
|
||||
"user.name",
|
||||
"destination.ip"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "64mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-auditbeat",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
"influencers": [
|
||||
"host.name",
|
||||
"process.name",
|
||||
"user.name",
|
||||
"destination.ip"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "64mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-auditbeat",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
|
|
@ -34,20 +34,20 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(expression:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(expression:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(expression:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(expression:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,50 +15,38 @@
|
|||
"by_field_name": "user.name"
|
||||
}
|
||||
],
|
||||
"description": "SIEM Auditbeat: Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user which may be credentialed access or lateral movement (beta)",
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "rare by \"user.name\"",
|
||||
"function": "rare",
|
||||
"by_field_name": "user.name"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"host.name",
|
||||
"process.name",
|
||||
"user.name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "32mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-auditbeat",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
"influencers": [
|
||||
"host.name",
|
||||
"process.name",
|
||||
"user.name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "32mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-auditbeat",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -1,39 +0,0 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "SIEM Auditbeat: Detect unusually high number of authentication attempts (beta)",
|
||||
"groups": [
|
||||
"siem"
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "high number of authentication attempts",
|
||||
"function": "high_non_zero_count",
|
||||
"partition_field_name": "host.name"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"host.name",
|
||||
"user.name",
|
||||
"source.ip"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "256mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp",
|
||||
"time_format": "epoch_ms"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-auditbeat",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "IP Address Details",
|
||||
"url_value": "siem#/ml-network/ip/$source.ip$?_g=()&query=!n&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
|
|
@ -15,52 +15,39 @@
|
|||
"by_field_name": "process.name"
|
||||
}
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "rare by \"process.name\"",
|
||||
"function": "rare",
|
||||
"by_field_name": "process.name"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"host.name",
|
||||
"process.name",
|
||||
"user.name",
|
||||
"destination.ip"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "64mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-winlogbeat",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
"influencers": [
|
||||
"host.name",
|
||||
"process.name",
|
||||
"user.name",
|
||||
"destination.ip"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "64mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-winlogbeat",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
|
|
@ -15,49 +15,38 @@
|
|||
"by_field_name": "process.executable"
|
||||
}
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "rare by \"process.executable\"",
|
||||
"function": "rare",
|
||||
"by_field_name": "process.executable"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"host.name",
|
||||
"process.name",
|
||||
"user.name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "256mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-winlogbeat",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
"influencers": [
|
||||
"host.name",
|
||||
"process.name",
|
||||
"user.name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "256mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-winlogbeat",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -33,20 +33,20 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(expression:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(expression:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(expression:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(expression:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,48 +15,38 @@
|
|||
"by_field_name": "user.name"
|
||||
}
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "rare by \"user.name\"",
|
||||
"function": "rare",
|
||||
"by_field_name": "user.name"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"host.name",
|
||||
"process.name",
|
||||
"user.name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "128mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-winlogbeat",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
"influencers": [
|
||||
"host.name",
|
||||
"process.name",
|
||||
"user.name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "128mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-winlogbeat",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue