Auditbeat anomaly detection configurationsedit

These anomaly detection job wizards appear in Kibana if you use Auditbeat to audit process activity on your systems. For more details, see the datafeed and job definitions in the auditbeat_* folders in GitHub.

docker_high_count_process_events_ecs
  • For Auditbeat data where event.module is auditd and container.runtime is docker.
  • Models process execution rates (partition_field_name is container.name).
  • Detects unusual increases in process execution rates in Docker containers (using the high_count function).
docker_rare_process_activity_ecs
  • For Auditbeat data where event.module is auditd and container.runtime is docker.
  • Models occurrences of process execution (partition_field_name is container.name).
  • Detects rare process executions in Docker containers (using the rare function).
hosts_high_count_process_events_ecs
  • For Auditbeat data where event.module is auditd.
  • Models process execution rates (partition_field_name is host.name).
  • Detects unusual increases in process execution rates (using the high_non_zero_count function).
hosts_rare_process_activity_ecs
  • For Auditbeat data where event.module is auditd.
  • Models process execution rates (partition_field_name is host.name).
  • Detects rare process executions on hosts (using the rare function).