Auditbeat anomaly detection configurations


These anomaly detection job wizards appear in Kibana if you use Auditbeat to audit process activity on your systems. For more details, see the datafeed and job definitions in the auditbeat_* folders on GitHub.

These configurations are only available if data exists that matches the recognizer query specified in the manifest file.

docker_high_count_process_events_ecs
  • For Auditbeat data where event.module is auditd and container.runtime is docker.
  • Models process execution rates for each container.name.
  • Detects unusual increases in process execution rates in Docker containers.
docker_rare_process_activity_ecs
  • For Auditbeat data where event.module is auditd and container.runtime is docker.
  • Models occurrences of process execution for each container.name.
  • Detects rare process executions in Docker containers.

These configurations are only available if data exists that matches the recognizer query specified in the manifest file.

hosts_high_count_process_events_ecs
  • For Auditbeat data where event.module is auditd.
  • Models process execution rates for each host.name.
  • Detects unusual increases in process execution rates.
hosts_rare_process_activity_ecs
  • For Auditbeat data where event.module is auditd.
  • Models process execution rates for each host.name.
  • Detects rare process executions on hosts.
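To make the bullet points concrete, here is an illustrative job and datafeed pair for docker_rare_process_activity_ecs, written for this page and not copied from the auditbeat_* folders; the bucket_span, the by_field_name of process.name, the influencers list and the auditbeat-* index pattern are assumptions, while the rare function, the container.name partition and the event.module/container.runtime filter follow the descriptions above. The two objects are wrapped in one document for readability; in practice each is sent on its own to PUT _ml/anomaly_detectors/<job_id> and PUT _ml/datafeeds/<datafeed_id>.

```json
{
  "job": {
    "job_id": "docker_rare_process_activity_ecs",
    "description": "Illustrative reconstruction: rare process executions per Docker container",
    "analysis_config": {
      "bucket_span": "15m",
      "detectors": [
        {
          "detector_description": "rare process.name partitioned by container.name",
          "function": "rare",
          "by_field_name": "process.name",
          "partition_field_name": "container.name"
        }
      ],
      "influencers": ["container.name", "process.name", "user.name"]
    },
    "data_description": { "time_field": "@timestamp" }
  },
  "datafeed": {
    "datafeed_id": "datafeed-docker_rare_process_activity_ecs",
    "job_id": "docker_rare_process_activity_ecs",
    "indices": ["auditbeat-*"],
    "query": {
      "bool": {
        "filter": [
          { "term": { "event.module": "auditd" } },
          { "term": { "container.runtime": "docker" } }
        ]
      }
    }
  }
}
```

The high_count sibling replaces the detector with a `high_count` function partitioned on container.name, so that an unusual burst of executions inside one container is scored rather than a never-seen process name. The hosts_* variants drop the container.runtime filter and partition on host.name instead, which is why a rare job on hosts flags a process that is new for that host even if it is common elsewhere in the fleet.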