Anomaly Detection with Machine Learning
editAnomaly Detection with Machine Learning
editFor Free Trial
and Platinum License deployments,
Machine Learning functionality is available throughout the SIEM app. You can
view the details of detected anomalies within the Anomalies table widget
shown on the Hosts, Network and associated Details pages, or even narrow to
the specific daterange of an anomaly from the Max Anomaly Score details in
the overview of the Host and IP Details pages. Each of these interfaces also
offer the ability to drag and drop details of the anomaly to Timeline, such
as the Entity itself, or any of the associated Influencers.
Manage machine learning jobs
editFor users with the ml_admin role, the Anomaly Detection interface within
the main navigation header can be used for for viewing, starting, and stopping
SIEM Machine Learning Jobs.
Prebuilt Jobs
editThe SIEM app ships with prebuilt Machine Learning Jobs for detecting anomalies.
If your environment is configured with the appropriate indices (auditbeat-*
and winlogbeat-*) via Kibana → Management → Index Patterns, the jobs will be
installed on page load, and will be displayed within the Anomaly Detection
interface.
-
SIEM Auditbeat: Detect suspicious logins and unusual processes in Auditbeat ECS data (beta)
- siem-api-suspicious_login_activity_ecs
- siem-api-rare_process_linux_ecs
-
SIEM Winlogbeat: Detect unusual processes in Winlogbeat ECS data (beta)
- siem-api-rare_process_windows_ecs
View detected anomalies
editTo view the Anomalies table widget and Max Anomaly Score By Job details,
the user must have the ml_admin or ml_user role.
To adjust the score threshold for which anomalies are shown, you can
modify Kibana → Management → Advanced Settings → siem:defaultAnomalyScore.