You can view the details of detected anomalies within the
widget shown on the Hosts, Network and associated Details pages, or even narrow
to the specific date range of an anomaly from the
Max Anomaly Score details
in the overview of the Host and IP Details pages. Each of these interfaces also
offer the ability to drag and drop details of the anomaly to Timeline, such as
Entity itself, or any of the associated
Manage machine learning jobsedit
For users with the
machine_learning_admin role, the
ML job settings
interface on the Detections page can be used for for viewing, starting, and
stopping SIEM machine learning jobs.
To add a custom job to the
ML job settings interface, add
Groups field (Kibana → Machine learning → Create/Edit job → Job
The SIEM app comes with prebuilt machine learning anomaly detection jobs for automatically detecting
host and network anomalies. The jobs are displayed in the
interface. They are available when either:
You ship data using Beats, and
Kibana is configured with the required index patterns
winlogbeat-*via Kibana → Management → Index Patterns).
- Your shipped data is ECS-compliant, and Kibana is configured with the shipped data’s index patterns.
Prebuilt job reference describes all available machine learning jobs, and lists which ECS fields are required on your hosts when you are not using Beats to ship your data. For information on tuning anomaly results to reduce the number of false positive, see Optimizing anomaly results.
Machine learning jobs look back and analyse two weeks of historical data prior to the time they are enabled. After jobs are enabled, they continuously analyse incoming data. When jobs are stopped and restarted within the two week timeframe, previously analysed data is not processed again.
View detected anomaliesedit
To view the
Anomalies table widget and
Max Anomaly Score By Job details,
the user must have the
To adjust the
score threshold that determines which
anomalies are shown, you can modify Kibana →
Management → Advanced Settings →