Detect anomalies

Machine learning functionality is available when you have the appropriate role. Refer to Machine learning job and rule requirements for more information.
You can view the details of detected anomalies within the Anomalies table widget shown on the Hosts, Network, and associated details pages, or even narrow to the specific date range of an anomaly from the Max anomaly score by job field in the overview of the details pages for hosts and IPs. These interfaces also offer the ability to drag and drop details of the anomaly to Timeline, such as the Entity itself, or any of the associated Influencers.

Manage machine learning jobs

If you have the machine_learning_admin role, you can use the ML job settings interface on the Alerts, Rules, and Rule Exceptions pages to view, start, and stop Elastic Security machine learning jobs.

Manage machine learning detection rules

You can also check the status of machine learning detection rules, and start or stop their associated machine learning jobs:
- On the Rules page, the Last response column displays the rule’s current status. An indicator icon also appears if a required machine learning job isn’t running. Click the icon to list the affected jobs, then click Visit rule details page to investigate to open the rule’s details page.
- On a rule’s details page, check the Definition section to confirm whether the required machine learning jobs are running. Switch the toggles on or off to run or stop each job.

Prebuilt jobs

Elastic Security comes with prebuilt machine learning anomaly detection jobs for automatically detecting host and network anomalies. The jobs are displayed in the Anomaly Detection interface. They are available when either:
- You ship data using Beats or the Elastic Agent, and Kibana is configured with the required index patterns (such as auditbeat-*, filebeat-*, packetbeat-*, or winlogbeat-* in Project settings → Management → Index Management).
Or
- Your shipped data is ECS-compliant, and Kibana is configured with the shipped data’s index patterns in Project settings → Management → Index Management.
Or
- You install one or more of the Advanced Analytics integrations.
Prebuilt job reference describes all available machine learning jobs and lists which ECS fields are required on your hosts when you are not using Beats or the Elastic Agent to ship your data. For information on tuning anomaly results to reduce the number of false positives, see Optimizing anomaly results.
Machine learning jobs look back and analyze two weeks of historical data prior to the time they are enabled. After jobs are enabled, they continuously analyze incoming data. When jobs are stopped and restarted within the two-week time frame, previously analyzed data is not processed again.

View detected anomalies

To view the Anomalies table widget and Max Anomaly Score By Job details, the user must have the machine_learning_admin or machine_learning_user role.
To adjust the score threshold that determines which anomalies are shown, you can modify the securitySolution:defaultAnomalyScore advanced setting.
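The following Python script is an added example, not code from the Elastic documentation or the Elastic Security product. It models, on constructed sample data, three things this page describes: which of the prebuilt-job index patterns (auditbeat-*, filebeat-*, packetbeat-*, winlogbeat-*) a set of index names satisfies, the two-week historical window a job analyzes when it is enabled, and how a score threshold (the role of the securitySolution:defaultAnomalyScore setting) decides which anomaly records appear in the Anomalies table and in the Max anomaly score by job summary. The pattern check is generalized to any list of patterns. All index names, job ids, entities, influencers, scores and the threshold value are constructed; the page does not state the default threshold.

```python
"""Added example (not Elastic's code): a small offline model of the prebuilt-job
index-pattern requirement, the two-week lookback, and the anomaly score
threshold described on the Detect anomalies page.

Every index name, job id, score and the threshold below is constructed
sample data, not a value taken from a real deployment.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Index patterns the page lists as enabling the prebuilt jobs.
PREBUILT_JOB_PATTERNS = ("auditbeat-*", "filebeat-*", "packetbeat-*", "winlogbeat-*")

# Jobs analyze two weeks of historical data prior to the time they are enabled.
LOOKBACK = timedelta(weeks=2)


def satisfied_patterns(indices, patterns=PREBUILT_JOB_PATTERNS):
    """Return the subset of `patterns` matched by at least one index name.

    Generalized to any pattern list; case-sensitive glob matching, as index
    names are lowercase.
    """
    return tuple(p for p in patterns if any(fnmatchcase(name, p) for name in indices))


def lookback_window(enabled_at):
    """Return (start, end) of the historical range analyzed when a job is enabled."""
    return enabled_at - LOOKBACK, enabled_at


def visible_anomalies(records, threshold):
    """Anomaly records at or above the score threshold, highest score first.

    This is the filtering role played by the securitySolution:defaultAnomalyScore
    advanced setting; the threshold value is supplied by the caller.
    """
    return sorted((r for r in records if r["score"] >= threshold),
                  key=lambda r: r["score"], reverse=True)


def max_score_by_job(records):
    """Highest anomaly score per job over the records passed in (the
    'Max anomaly score by job' summary)."""
    best = defaultdict(float)
    for r in records:
        best[r["job_id"]] = max(best[r["job_id"]], r["score"])
    return dict(best)


# Constructed sample data (hypothetical names and values).
SAMPLE_INDICES = ["auditbeat-8.0.0-2024.01.01", "filebeat-7.17.0",
                  "logs-generic-default", ".kibana_1"]
SAMPLE_RECORDS = [
    {"job_id": "job_a", "entity": "host-1", "influencers": ["user_x"], "score": 91.0},
    {"job_id": "job_a", "entity": "host-2", "influencers": ["user_y"], "score": 40.0},
    {"job_id": "job_b", "entity": "10.0.0.5", "influencers": [], "score": 63.5},
    {"job_id": "job_c", "entity": "host-3", "influencers": ["proc_z"], "score": 12.0},
]
SAMPLE_THRESHOLD = 50.0  # constructed; the real value comes from the advanced setting
SAMPLE_ENABLED_AT = datetime(2024, 3, 15, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    print("patterns satisfied:", satisfied_patterns(SAMPLE_INDICES))
    start, end = lookback_window(SAMPLE_ENABLED_AT)
    print("historical window analyzed:", start.isoformat(), "->", end.isoformat())
    shown = visible_anomalies(SAMPLE_RECORDS, SAMPLE_THRESHOLD)
    for r in shown:
        print(f"{r['job_id']}: entity={r['entity']} score={r['score']} "
              f"influencers={r['influencers']}")
    print("max score by job:", max_score_by_job(shown))
```

Running the script shows that only the auditbeat and filebeat patterns are satisfied by the sample indices, that the analyzed window starts fourteen days before the enable time, and that job_c never reaches the table because its best score sits below the threshold.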