Appendix C: Auditbeat anomaly detection configurations


These anomaly detection job wizards appear in Kibana if you use Auditbeat to audit process activity on your systems. For more details, see the datafeed and job definitions in GitHub.

Auditbeat docker processes


Detect unusual processes in docker containers from auditd data (ECS).

These configurations are only available if data exists that matches the recognizer query specified in the manifest file.

Name                                  Description
docker_high_count_process_events_ecs  Detect unusual increases in process execution rates in docker containers (ECS)
docker_rare_process_activity_ecs      Detect rare process executions in docker containers (ECS)

The Job and Datafeed columns of this table link to the job and datafeed definitions in GitHub.

Auditbeat host processes


Detect unusual processes on hosts from auditd data (ECS).

These configurations are only available if data exists that matches the recognizer query specified in the manifest file.

Name                                 Description
hosts_high_count_process_events_ecs  Detect unusual increases in process execution rates (ECS)
hosts_rare_process_activity_ecs      Detect rare process executions on hosts (ECS)

The Job and Datafeed columns of this table link to the job and datafeed definitions in GitHub.