[ML] Fixes bucket spans and detector descriptions in ECS auditbeat modules (#30362) (#30379)

2025-04-23 09:19:04 -04:00 · 2019-02-07 14:26:31 +00:00 · 2019-02-07 14:26:31 +00:00 · fc7a0c4417
commit fc7a0c4417
parent 1087d8b473
4 changed files with 8 additions and 6 deletions
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker_ecs/ml/docker_high_count_process_events_ecs.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker_ecs/ml/docker_high_count_process_events_ecs.json
@ -3,10 +3,10 @@
  "description": "Auditbeat: Detect unusual increases in process execution rates in docker containers (ECS)",
  "groups": ["auditd"],
  "analysis_config": {
-    "bucket_span": "10m",
+    "bucket_span": "1h",
    "detectors": [
      {
-        "detector_description": "high_non_zero_count partition container.name",
+        "detector_description": "High process rate in docker containers",
        "function": "high_count",
        "partition_field_name": "container.name"
      }
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker_ecs/ml/docker_rare_process_activity_ecs.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker_ecs/ml/docker_rare_process_activity_ecs.json
@ -3,9 +3,10 @@
  "description": "Auditbeat: Detect rare process executions in docker containers (ECS)",
  "groups": ["auditd"],
  "analysis_config": {
-    "bucket_span": "10m",
+    "bucket_span": "1h",
    "detectors": [
      {
+        "detector_description": "Rare process execution in docker containers",
        "function": "rare",
        "by_field_name": "process.executable",
        "partition_field_name": "container.name"
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts_ecs/ml/hosts_high_count_process_events_ecs.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts_ecs/ml/hosts_high_count_process_events_ecs.json
@ -3,10 +3,10 @@
  "description": "Auditbeat Hosts: Detect unusual increases in process execution rates (ECS)",
  "groups": ["auditd"],
  "analysis_config": {
-    "bucket_span": "10m",
+    "bucket_span": "1h",
    "detectors": [
      {
-        "detector_description": "high_non_zero_count partition host.name",
+        "detector_description": "High process rate on hosts",
        "function": "high_non_zero_count",
        "partition_field_name": "host.name"
      }
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts_ecs/ml/hosts_rare_process_activity_ecs.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts_ecs/ml/hosts_rare_process_activity_ecs.json
@ -3,9 +3,10 @@
  "description": "Auditbeat Hosts: Detect rare process executions on hosts (ECS)",
  "groups": ["auditd"],
  "analysis_config": {
-    "bucket_span": "10m",
+    "bucket_span": "1h",
    "detectors": [
      {
+        "detector_description": "Rare process execution on hosts",
        "function": "rare",
        "by_field_name": "process.executable",
        "partition_field_name": "host.name"