diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index 55c6641976a00..248676e0b2784 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml @@ -14852,7 +14852,7 @@ paths: anomaly_threshold: 50 id: 60b13926-289b-41b1-a537-197ef1fa5059 machine_learning_job_id: - - auth_high_count_logon_events + - auth_high_count_logon_events_ea schema: $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' description: | @@ -15724,7 +15724,7 @@ paths: description: New description of ml rule id: 60b13926-289b-41b1-a537-197ef1fa5059 machine_learning_job_id: - - auth_high_count_logon_events + - auth_high_count_logon_events_ea name: New name of ml rule risk_score: 21 severity: low @@ -16240,7 +16240,7 @@ paths: interval: 15m license: Elastic License v2 machine_learning_job_id: - - packetbeat_dns_tunneling + - packetbeat_dns_tunneling_ea max_signals: 100 name: DNS Tunneling [Duplicate] references: diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index df65ce1e97fea..db7b01b9d641c 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml @@ -16799,7 +16799,7 @@ paths: anomaly_threshold: 50 id: 60b13926-289b-41b1-a537-197ef1fa5059 machine_learning_job_id: - - auth_high_count_logon_events + - auth_high_count_logon_events_ea schema: $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' description: | @@ -17671,7 +17671,7 @@ paths: description: New description of ml rule id: 60b13926-289b-41b1-a537-197ef1fa5059 machine_learning_job_id: - - auth_high_count_logon_events + - auth_high_count_logon_events_ea name: New name of ml rule risk_score: 21 severity: low @@ -18187,7 +18187,7 @@ paths: interval: 15m license: Elastic License v2 machine_learning_job_id: - - packetbeat_dns_tunneling + - packetbeat_dns_tunneling_ea max_signals: 100 name: DNS Tunneling [Duplicate] references: 
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/manifest.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/manifest.json
index cdb53fe0d72ef..9ec3c5131217a 100755
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/manifest.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/manifest.json
@@ -19,69 +19,69 @@
 },
 "jobs": [
 {
- "id": "auth_high_count_logon_events_for_a_source_ip",
- "file": "auth_high_count_logon_events_for_a_source_ip.json"
+ "id": "auth_high_count_logon_events_for_a_source_ip_ea",
+ "file": "auth_high_count_logon_events_for_a_source_ip_ea.json"
 },
 {
- "id": "auth_high_count_logon_fails",
- "file": "auth_high_count_logon_fails.json"
+ "id": "auth_high_count_logon_fails_ea",
+ "file": "auth_high_count_logon_fails_ea.json"
 },
 {
- "id": "auth_high_count_logon_events",
- "file": "auth_high_count_logon_events.json"
+ "id": "auth_high_count_logon_events_ea",
+ "file": "auth_high_count_logon_events_ea.json"
 },
 {
- "id": "auth_rare_hour_for_a_user",
- "file": "auth_rare_hour_for_a_user.json"
+ "id": "auth_rare_hour_for_a_user_ea",
+ "file": "auth_rare_hour_for_a_user_ea.json"
 },
 {
- "id": "auth_rare_source_ip_for_a_user",
- "file": "auth_rare_source_ip_for_a_user.json"
+ "id": "auth_rare_source_ip_for_a_user_ea",
+ "file": "auth_rare_source_ip_for_a_user_ea.json"
 },
 {
- "id": "auth_rare_user",
- "file": "auth_rare_user.json"
+ "id": "auth_rare_user_ea",
+ "file": "auth_rare_user_ea.json"
 },
 {
- "id": "suspicious_login_activity",
- "file": "suspicious_login_activity.json"
+ "id": "suspicious_login_activity_ea",
+ "file": "suspicious_login_activity_ea.json"
 }
 ],
 "datafeeds": [
 {
- "id": "datafeed-auth_high_count_logon_events_for_a_source_ip",
- "file": "datafeed_auth_high_count_logon_events_for_a_source_ip.json",
- "job_id": "auth_high_count_logon_events_for_a_source_ip"
+ "id": "datafeed-auth_high_count_logon_events_for_a_source_ip_ea",
+ "file": "datafeed_auth_high_count_logon_events_for_a_source_ip_ea.json",
+ "job_id": "auth_high_count_logon_events_for_a_source_ip_ea"
 },
 {
- "id": "datafeed-auth_high_count_logon_fails",
- "file": "datafeed_auth_high_count_logon_fails.json",
- "job_id": "auth_high_count_logon_fails"
+ "id": "datafeed-auth_high_count_logon_fails_ea",
+ "file": "datafeed_auth_high_count_logon_fails_ea.json",
+ "job_id": "auth_high_count_logon_fails_ea"
 },
 {
- "id": "datafeed-auth_high_count_logon_events",
- "file": "datafeed_auth_high_count_logon_events.json",
- "job_id": "auth_high_count_logon_events"
+ "id": "datafeed-auth_high_count_logon_events_ea",
+ "file": "datafeed_auth_high_count_logon_events_ea.json",
+ "job_id": "auth_high_count_logon_events_ea"
 },
 {
- "id": "datafeed-auth_rare_hour_for_a_user",
- "file": "datafeed_auth_rare_hour_for_a_user.json",
- "job_id": "auth_rare_hour_for_a_user"
+ "id": "datafeed-auth_rare_hour_for_a_user_ea",
+ "file": "datafeed_auth_rare_hour_for_a_user_ea.json",
+ "job_id": "auth_rare_hour_for_a_user_ea"
 },
 {
- "id": "datafeed-auth_rare_source_ip_for_a_user",
- "file": "datafeed_auth_rare_source_ip_for_a_user.json",
- "job_id": "auth_rare_source_ip_for_a_user"
+ "id": "datafeed-auth_rare_source_ip_for_a_user_ea",
+ "file": "datafeed_auth_rare_source_ip_for_a_user_ea.json",
+ "job_id": "auth_rare_source_ip_for_a_user_ea"
 },
 {
- "id": "datafeed-auth_rare_user",
- "file": "datafeed_auth_rare_user.json",
- "job_id": "auth_rare_user"
+ "id": "datafeed-auth_rare_user_ea",
+ "file": "datafeed_auth_rare_user_ea.json",
+ "job_id": "auth_rare_user_ea"
 },
 {
- "id": "datafeed-suspicious_login_activity",
- "file": "datafeed_suspicious_login_activity.json",
- "job_id": "suspicious_login_activity"
+ "id": "datafeed-suspicious_login_activity_ea",
+ "file": "datafeed_suspicious_login_activity_ea.json",
+ "job_id": "suspicious_login_activity_ea"
 }
 ],
 "tags": [
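Review bot: Every job and datafeed id in this manifest gains an `_ea` suffix, and nothing in the hunk carries the old ids forward, so any consumer that still addresses the module by the previous names — rules created from the earlier module version, jobs already installed on a cluster, or the ML rule examples that this same commit updates in the OpenAPI output — will no longer resolve to a job this manifest provides. Please confirm how existing installations are expected to behave (are the old jobs left orphaned, or is there an upgrade path elsewhere?) and state the rationale for the suffix in the PR description, since JSON offers no place for a comment. The security_azure_activitylogs manifest further down carries the same change and the same question.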
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events_ea.json
similarity index 77%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events_ea.json
index c5d54f9ae706a..321bf74d398d7 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Authentication - Looks for an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration, or brute force activity. Requires Windows event data, such as from Winlogbeat.",
- "groups": ["security", "authentication"],
+ "groups": [
+ "security",
+ "authentication"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -10,7 +13,15 @@
 "detector_index": 0
 }
 ],
- "influencers": ["source.ip", "winlog.event_data.LogonType", "user.name", "host.name"]
+ "influencers": [
+ "source.ip",
+ "winlog.event_data.LogonType",
+ "user.name",
+ "user.id",
+ "host.name",
+ "host.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
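Review bot: The influencer list grows from four to seven fields (`user.id`, `host.id` and `event.module` are new) while the `analysis_limits` block that immediately follows is left untouched — its contents are outside the hunk — and a larger influencer set generally raises a job's model memory footprint; please check that the existing `model_memory_limit` still fits, or note in the PR that it was re-evaluated. The same addition is made in auth_high_count_logon_events_for_a_source_ip_ea, auth_high_count_logon_fails_ea, auth_rare_hour_for_a_user_ea, auth_rare_source_ip_for_a_user_ea, auth_rare_user_ea and suspicious_login_activity_ea, so one answer covers all of them. As a style point the ordering is inconsistent across those files: here `host.name` is placed after `user.id`, the three rare_* jobs put `host.name` before `user.name` with `host.id` after `user.id`, and suspicious_login_activity_ea keeps `host.name`/`host.id` adjacent; keeping each name/id pair together in every file would make the lists directly comparable.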
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events_for_a_source_ip.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events_for_a_source_ip_ea.json
similarity index 79%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events_for_a_source_ip.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events_for_a_source_ip_ea.json
index e2b7b8fabb0e2..de1886b043b54 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events_for_a_source_ip.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events_for_a_source_ip_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Authentication - Looks for an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration, or brute force activity. Requires Windows event data, such as from Winlogbeat.",
- "groups": ["security", "authentication"],
+ "groups": [
+ "security",
+ "authentication"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,15 @@
 "detector_index": 0
 }
 ],
- "influencers": ["source.ip", "winlog.event_data.LogonType", "user.name", "host.name"]
+ "influencers": [
+ "source.ip",
+ "winlog.event_data.LogonType",
+ "user.name",
+ "user.id",
+ "host.name",
+ "host.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_fails.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_fails_ea.json
similarity index 81%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_fails.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_fails_ea.json
index db2db5ea00832..d98c4d45ca70f 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_fails.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_fails_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Authentication - Looks for an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration, or brute force activity and may be a precursor to account takeover or credentialed access.",
- "groups": ["security", "authentication"],
+ "groups": [
+ "security",
+ "authentication"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -10,7 +13,14 @@
 "detector_index": 0
 }
 ],
- "influencers": ["source.ip", "user.name", "host.name"]
+ "influencers": [
+ "source.ip",
+ "user.name",
+ "user.id",
+ "host.name",
+ "host.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_hour_for_a_user.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_hour_for_a_user_ea.json
similarity index 82%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_hour_for_a_user.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_hour_for_a_user_ea.json
index 2b76d8d71fe48..e795a7566ade2 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_hour_for_a_user.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_hour_for_a_user_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Authentication - Looks for a user with successful login/logon at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours.",
- "groups": ["security", "authentication"],
+ "groups": [
+ "security",
+ "authentication"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,14 @@
 "detector_index": 0
 }
 ],
- "influencers": ["source.ip", "user.name", "host.name"]
+ "influencers": [
+ "source.ip",
+ "host.name",
+ "user.name",
+ "user.id",
+ "host.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_source_ip_for_a_user.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_source_ip_for_a_user_ea.json
similarity index 84%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_source_ip_for_a_user.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_source_ip_for_a_user_ea.json
index 81185ef5039c7..fd61aca377e74 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_source_ip_for_a_user.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_source_ip_for_a_user_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Authentication - Looks for a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.",
- "groups": ["security", "authentication"],
+ "groups": [
+ "security",
+ "authentication"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -12,7 +15,14 @@
 "detector_index": 0
 }
 ],
- "influencers": ["source.ip", "user.name", "host.name"]
+ "influencers": [
+ "source.ip",
+ "host.name",
+ "user.name",
+ "user.id",
+ "host.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_user.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_user_ea.json
similarity index 84%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_user.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_user_ea.json
index 58530fe085014..2e5e2b16be3a0 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_user.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_user_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Authentication - Looks for an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. A user account that is normally inactive, because the user has left the organization, which becomes active, may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.",
- "groups": ["security", "authentication"],
+ "groups": [
+ "security",
+ "authentication"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,14 @@
 "detector_index": 0
 }
 ],
- "influencers": ["source.ip", "user.name", "host.name"]
+ "influencers": [
+ "source.ip",
+ "host.name",
+ "user.name",
+ "user.id",
+ "host.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_hour_for_a_user.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events_ea.json
similarity index 55%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_hour_for_a_user.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events_ea.json
index 1696c9b5340fc..1d1cf2108be1e 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_hour_for_a_user.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events_ea.json
@@ -20,9 +20,20 @@
 ],
 "must_not": {
 "terms": {
- "process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
+ "process.name": [
+ "elastic-agent.exe",
+ "elastic-agent",
+ "metricbeat.exe",
+ "metricbeat",
+ "filebeat.exe",
+ "filebeat",
+ "packetbeat.exe",
+ "packetbeat",
+ "winlogbeat.exe",
+ "winlogbeat"
+ ]
 }
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events_for_a_source_ip.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events_for_a_source_ip_ea.json
similarity index 60%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events_for_a_source_ip.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events_for_a_source_ip_ea.json
index 3588348c0ef95..5849fd50c2d48 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events_for_a_source_ip.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events_for_a_source_ip_ea.json
@@ -25,9 +25,20 @@
 ],
 "must_not": {
 "terms": {
- "process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
+ "process.name": [
+ "elastic-agent.exe",
+ "elastic-agent",
+ "metricbeat.exe",
+ "metricbeat",
+ "filebeat.exe",
+ "filebeat",
+ "packetbeat.exe",
+ "packetbeat",
+ "winlogbeat.exe",
+ "winlogbeat"
+ ]
 }
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_fails.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_fails_ea.json
similarity index 55%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_fails.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_fails_ea.json
index b9d67ec55a108..1e49fe5beb003 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_fails.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_fails_ea.json
@@ -20,9 +20,20 @@
 ],
 "must_not": {
 "terms": {
- "process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
+ "process.name": [
+ "elastic-agent.exe",
+ "elastic-agent",
+ "metricbeat.exe",
+ "metricbeat",
+ "filebeat.exe",
+ "filebeat",
+ "packetbeat.exe",
+ "packetbeat",
+ "winlogbeat.exe",
+ "winlogbeat"
+ ]
 }
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_source_ip_for_a_user.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_hour_for_a_user_ea.json
similarity index 55%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_source_ip_for_a_user.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_hour_for_a_user_ea.json
index 1696c9b5340fc..1d1cf2108be1e 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_source_ip_for_a_user.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_hour_for_a_user_ea.json
@@ -20,9 +20,20 @@
 ],
 "must_not": {
 "terms": {
- "process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
+ "process.name": [
+ "elastic-agent.exe",
+ "elastic-agent",
+ "metricbeat.exe",
+ "metricbeat",
+ "filebeat.exe",
+ "filebeat",
+ "packetbeat.exe",
+ "packetbeat",
+ "winlogbeat.exe",
+ "winlogbeat"
+ ]
 }
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_user.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_source_ip_for_a_user_ea.json
similarity index 55%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_user.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_source_ip_for_a_user_ea.json
index 1696c9b5340fc..1d1cf2108be1e 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_user.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_source_ip_for_a_user_ea.json
@@ -20,9 +20,20 @@
 ],
 "must_not": {
 "terms": {
- "process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
+ "process.name": [
+ "elastic-agent.exe",
+ "elastic-agent",
+ "metricbeat.exe",
+ "metricbeat",
+ "filebeat.exe",
+ "filebeat",
+ "packetbeat.exe",
+ "packetbeat",
+ "winlogbeat.exe",
+ "winlogbeat"
+ ]
 }
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_user_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_user_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_suspicious_login_activity.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_suspicious_login_activity_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_suspicious_login_activity.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_suspicious_login_activity_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/suspicious_login_activity.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/suspicious_login_activity_ea.json
similarity index 79%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/suspicious_login_activity.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/suspicious_login_activity_ea.json
index 15bc7f37d8f1e..fbc7fd614b16f 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/suspicious_login_activity.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/suspicious_login_activity_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Authentication - Detects unusually high number of authentication attempts for a host.",
- "groups": ["security", "authentication"],
+ "groups": [
+ "security",
+ "authentication"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,14 @@
 "detector_index": 0
 }
 ],
- "influencers": ["host.name", "user.name", "source.ip"],
+ "influencers": [
+ "host.name",
+ "host.id",
+ "user.name",
+ "user.id",
+ "source.ip",
+ "event.module"
+ ],
 "model_prune_window": "30d"
 },
 "allow_lazy_open": true,
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/manifest.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/manifest.json
index c356ab8d7f4c8..435068a902e9c 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/manifest.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/manifest.json
@@ -13,51 +13,51 @@
 },
 "jobs": [
 {
- "id": "azure_activitylogs_rare_event_action_for_a_city",
- "file": "azure_activitylogs_rare_event_action_for_a_city.json"
+ "id": "azure_activitylogs_rare_event_action_for_a_city_ea",
+ "file": "azure_activitylogs_rare_event_action_for_a_city_ea.json"
 },
 {
- "id": "azure_activitylogs_rare_event_action_for_a_country",
- "file": "azure_activitylogs_rare_event_action_for_a_country.json"
+ "id": "azure_activitylogs_rare_event_action_for_a_country_ea",
+ "file": "azure_activitylogs_rare_event_action_for_a_country_ea.json"
 },
 {
- "id": "azure_activitylogs_rare_event_action_for_a_username",
- "file": "azure_activitylogs_rare_event_action_for_a_username.json"
+ "id": "azure_activitylogs_rare_event_action_for_a_user_email_ea",
+ "file": "azure_activitylogs_rare_event_action_for_a_user_email_ea.json"
 },
 {
- "id": "azure_activitylogs_high_distinct_count_event_action_on_failure",
- "file": "azure_activitylogs_high_distinct_count_event_action_on_failure.json"
+ "id": "azure_activitylogs_high_distinct_count_event_action_fail_ea",
+ "file": "azure_activitylogs_high_distinct_count_event_action_fail_ea.json"
 },
 {
- "id": "azure_activitylogs_rare_event_action_on_failure",
- "file": "azure_activitylogs_rare_event_action_on_failure.json"
+ "id": "azure_activitylogs_rare_event_action_on_failure_ea",
+ "file": "azure_activitylogs_rare_event_action_on_failure_ea.json"
 }
 ],
 "datafeeds": [
 {
- "id": "datafeed-azure_activitylogs_rare_event_action_for_a_city",
- "file": "datafeed_azure_activitylogs_rare_event_action_for_a_city.json",
- "job_id": "azure_activitylogs_rare_event_action_for_a_city"
+ "id": "datafeed-azure_activitylogs_rare_event_action_for_a_city_ea",
+ "file": "datafeed_azure_activitylogs_rare_event_action_for_a_city_ea.json",
+ "job_id": "azure_activitylogs_rare_event_action_for_a_city_ea"
 },
 {
- "id": "datafeed-azure_activitylogs_rare_event_action_for_a_country",
- "file": "datafeed_azure_activitylogs_rare_event_action_for_a_country.json",
- "job_id": "azure_activitylogs_rare_event_action_for_a_country"
+ "id": "datafeed-azure_activitylogs_rare_event_action_for_a_country_ea",
+ "file": "datafeed_azure_activitylogs_rare_event_action_for_a_country_ea.json",
+ "job_id": "azure_activitylogs_rare_event_action_for_a_country_ea"
 },
 {
- "id": "datafeed-azure_activitylogs_rare_event_action_for_a_username",
- "file": "datafeed_azure_activitylogs_rare_event_action_for_a_username.json",
- "job_id": "azure_activitylogs_rare_event_action_for_a_username"
+ "id": "datafeed-azure_activitylogs_rare_event_action_for_a_user_email_ea",
+ "file": "datafeed_azure_activitylogs_rare_event_action_for_a_user_email_ea.json",
+ "job_id": "azure_activitylogs_rare_event_action_for_a_user_email_ea"
 },
 {
- "id": "datafeed-azure_activitylogs_high_distinct_count_event_action_on_failure",
- "file": "datafeed_azure_activitylogs_high_distinct_count_event_action_on_failure.json",
- "job_id": "azure_activitylogs_high_distinct_count_event_action_on_failure"
+ "id": "datafeed-azure_activitylogs_high_distinct_count_event_action_fail_ea",
+ "file": "datafeed_azure_activitylogs_high_distinct_count_event_action_fail_ea.json",
+ "job_id": "azure_activitylogs_high_distinct_count_event_action_fail_ea"
 },
 {
- "id": "datafeed-azure_activitylogs_rare_event_action_on_failure",
- "file": "datafeed_azure_activitylogs_rare_event_action_on_failure.json",
- "job_id": "azure_activitylogs_rare_event_action_on_failure"
+ "id": "datafeed-azure_activitylogs_rare_event_action_on_failure_ea",
+ "file": "datafeed_azure_activitylogs_rare_event_action_on_failure_ea.json",
+ "job_id": "azure_activitylogs_rare_event_action_on_failure_ea"
 }
 ],
 "tags": [
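Review bot: Two of the five jobs are renamed beyond the uniform `_ea` suffix — `azure_activitylogs_high_distinct_count_event_action_on_failure` becomes `..._event_action_fail_ea` and `..._for_a_username` becomes `..._for_a_user_email_ea` — and nothing in the manifest records why; presumably the first is shortened to stay within the ML job id length limit once the suffix is added and the second now reflects the `user.email` influencer, but a reader diffing old against new ids cannot tell. Since the manifest has no comment syntax, the rationale belongs in the PR description or in the module's `description` text. `azure_activitylogs_rare_event_action_on_failure_ea` keeps the long `on_failure` form, so whatever rule drove the shortening should be stated once so future renames stay consistent.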
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_high_distinct_count_event_action_on_failure.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_high_distinct_count_event_action_fail_ea.json
similarity index 86%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_high_distinct_count_event_action_on_failure.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_high_distinct_count_event_action_fail_ea.json
index aafeae6d7d856..8137412cd4fd6 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_high_distinct_count_event_action_on_failure.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_high_distinct_count_event_action_fail_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Azure Activity Logs - Looks for a spike in the rate of an error message which may simply indicate an impending service failure but these can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor.",
- "groups": ["security", "azure"],
+ "groups": [
+ "security",
+ "azure"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,12 @@
 "detector_index": 0
 }
 ],
- "influencers": ["user.email", "source.ip", "source.geo.city_name"]
+ "influencers": [
+ "user.email",
+ "event.module",
+ "source.ip",
+ "source.geo.city_name"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
@@ -26,4 +34,4 @@
 "managed": true,
 "job_revision": 4
 }
-}
\ No newline at end of file
+}
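Review bot: Style — `event.module` is inserted between `user.email` and `source.ip` here, and likewise in azure_activitylogs_rare_event_action_for_a_city_ea and azure_activitylogs_rare_event_action_for_a_country_ea, whereas every security_auth job in this commit appends it as the last influencer; pick one position for the newly added field so the modules read the same way. Separately, the last hunk shows `"job_revision": 4` unchanged although the job's influencers were extended; if that field is what marks an installed job as outdated relative to the module it should be bumped, though with the id itself renamed the job may be treated as new, so please confirm which is intended.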
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_city.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_city_ea.json
similarity index 85%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_city.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_city_ea.json
index 5c6bcc57f28f4..2e9ca140c9475 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_city.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_city_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Azure Activity Logs - Looks for Azure activity event actions that, while not inherently suspicious or abnormal, are sourcing from a geolocation (city) that is unusual. This can be the result of compromised credentials or keys.",
- "groups": ["security", "azure"],
+ "groups": [
+ "security",
+ "azure"
+ ],
 "analysis_config": {
 "bucket_span": "60m",
 "detectors": [
@@ -12,7 +15,12 @@
 "detector_index": 0
 }
 ],
- "influencers": ["user.email", "source.ip", "source.geo.city_name"]
+ "influencers": [
+ "user.email",
+ "event.module",
+ "source.ip",
+ "source.geo.city_name"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_country.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_country_ea.json similarity index 85% rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_country.json rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_country_ea.json index b59b5ce15a28d..d37d438ab4553 100644 --- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_country.json +++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_country_ea.json @@ -1,6 +1,9 @@ { "description": "Security: Azure Activity Logs - Looks for Azure activity event actions that, while not inherently suspicious or abnormal, are sourcing from a geolocation (country) that is unusual. This can be the result of compromised credentials or keys.", - "groups": ["security", "azure"], + "groups": [ + "security", + "azure" + ], "analysis_config": { "bucket_span": "60m", "detectors": [ @@ -12,7 +15,12 @@ "detector_index": 0 } ], - "influencers": ["user.email", "source.ip", "source.geo.country_iso_code"] + "influencers": [ + "user.email", + "event.module", + "source.ip", + "source.geo.country_iso_code" + ] }, "allow_lazy_open": true, "analysis_limits": { 
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_username.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_user_email_ea.json similarity index 88% rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_username.json rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_user_email_ea.json index b401d6964b139..935d69af260e1 100644 --- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_username.json +++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_user_email_ea.json @@ -1,6 +1,9 @@ { "description": "Security: Azure Activity Logs - Looks for Azure activity event actions that, while not inherently suspicious or abnormal, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data.", - "groups": ["security", "azure"], + "groups": [ + "security", + "azure" + ], "analysis_config": { "bucket_span": "60m", "detectors": [ 
@@ -8,15 +11,15 @@
 "detector_description": "Detects rare Azure Activity Logs event actions for a user.",
 "function": "rare",
 "by_field_name": "event.action",
- "partition_field_name": "user.name",
+ "partition_field_name": "user.email",
 "detector_index": 0
 }
 ],
 "influencers": [
 "user.email",
+ "event.module",
 "source.ip",
- "source.geo.city_name",
- "user.name"
+ "source.geo.city_name"
 ]
 },
 "allow_lazy_open": true,
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_on_failure.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_on_failure_ea.json
similarity index 86%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_on_failure.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_on_failure_ea.json
index f66b690c7017f..5de81049982fc 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_on_failure.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_on_failure_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Azure Activity Logs - Looks for unusual Azure activity event actions on failure. Rare and unusual errors may simply indicate an impending service failure but they can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor.",
- "groups": ["security", "azure"],
+ "groups": [
+ "security",
+ "azure"
+ ],
 "analysis_config": {
 "bucket_span": "60m",
 "detectors": [
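Review bot: The detector's `partition_field_name` moves from `user.name` to `user.email`, but the matching `datafeed_azure_activitylogs_rare_event_action_for_a_user_email_ea.json` is a pure rename in this commit (similarity index 100%), so if its query still filters on or requires `user.name` the job would be fed documents selected by the old field while partitioning on the new one; the datafeed query should be checked against the new field. The same pairing applies to the CloudTrail job below (`user.name` to `user.id`) and the GCP Audit job (`client.user.email` to `user.email`), whose datafeeds are likewise unchanged renames. A `rare` detector partitioned on `user.email` only scores documents that carry that field, so any activity logged without an email (I would expect non-user principals to be a candidate, but that is an assumption about the data source) silently drops out of this job; worth confirming that is the intended coverage, since it is exactly the compromised-credential scenario the description targets.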
@@ -11,7 +14,12 @@ "detector_index": 0 } ], - "influencers": ["user.email", "source.ip", "source.geo.city_name"] + "influencers": [ + "user.email", + "event.module", + "source.ip", + "source.geo.city_name" + ] }, "allow_lazy_open": true, "analysis_limits": { diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_high_distinct_count_event_action_on_failure.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_high_distinct_count_event_action_fail_ea.json similarity index 100% rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_high_distinct_count_event_action_on_failure.json rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_high_distinct_count_event_action_fail_ea.json diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_city.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_city_ea.json similarity index 100% rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_city.json rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_city_ea.json 
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_country.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_country_ea.json similarity index 100% rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_country.json rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_country_ea.json diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_username.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_user_email_ea.json similarity index 100% rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_username.json rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_user_email_ea.json 
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_on_failure.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_on_failure_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_on_failure.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_on_failure_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/manifest.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/manifest.json
index 0594dfce1856e..d2c7af761ba3f 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/manifest.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/manifest.json
@@ -21,8 +21,8 @@
 "file": "rare_method_for_a_country.json"
 },
 {
- "id": "rare_method_for_a_username",
- "file": "rare_method_for_a_username.json"
+ "id": "rare_method_for_a_user_id_ea",
+ "file": "rare_method_for_a_user_id_ea.json"
 },
 {
 "id": "high_distinct_count_error_message",
@@ -45,9 +45,9 @@
 "job_id": "rare_method_for_a_country"
 },
 {
- "id": "datafeed-rare_method_for_a_username",
- "file": "datafeed_rare_method_for_a_username.json",
- "job_id": "rare_method_for_a_username"
+ "id": "datafeed-rare_method_for_a_user_id_ea",
+ "file": "datafeed_rare_method_for_a_user_id_ea.json",
+ "job_id": "rare_method_for_a_user_id_ea"
 },
 {
 "id": "datafeed-high_distinct_count_error_message",
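Review bot: Only `rare_method_for_a_username` is renamed to the `_ea` form in this manifest; `rare_method_for_a_country` and `high_distinct_count_error_message` keep their old ids in the surrounding context, whereas the `security_gcp_audit` and `security_host` manifests in this same commit rename every job and datafeed. If `_ea` marks the Elastic Agent / ECS-field variant of a module, a half-renamed module is hard to reason about for anyone mapping rule `machine_learning_job_id` values to jobs; either rename the remaining CloudTrail jobs consistently or document why only the user-partitioned job changed. A renamed job id also means an installation that already created `rare_method_for_a_username` would presumably keep that job and its datafeed running alongside the new one, since nothing visible in the manifest retires the old id; the upgrade path deserves a line in the module description or release notes.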
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_username.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_user_id_ea.json similarity index 100% rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_username.json rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_user_id_ea.json diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_username.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_user_id_ea.json similarity index 85% rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_username.json rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_user_id_ea.json index a508028619833..97b53979ab0f1 100644 --- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_username.json +++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_user_id_ea.json @@ -1,6 +1,9 @@ { "description": "Security: Cloudtrail - Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data.", - "groups": ["security", "cloudtrail"], + "groups": [ + "security", + "cloudtrail" + ], "analysis_config": { "bucket_span": "60m", "detectors": [ 
@@ -8,15 +11,16 @@
 "detector_description": "Detects rare event actions for a user.",
 "function": "rare",
 "by_field_name": "event.action",
- "partition_field_name": "user.name",
+ "partition_field_name": "user.id",
 "detector_index": 0
 }
 ],
 "influencers": [
- "user.name",
+ "user.id",
 "source.ip",
 "source.geo.city_name",
- "aws.cloudtrail.user_identity.arn"
+ "aws.cloudtrail.user_identity.arn",
+ "event.module"
 ]
 },
 "allow_lazy_open": true,
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/manifest.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/manifest.json
index 4a56ff713c865..ea9163d668ba2 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/manifest.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/manifest.json
@@ -13,51 +13,51 @@ }, "jobs": [ { - "id": "gcp_audit_rare_method_for_a_city", - "file": "gcp_audit_rare_method_for_a_city.json" + "id": "gcp_audit_rare_method_for_a_city_ea", + "file": "gcp_audit_rare_method_for_a_city_ea.json" }, { - "id": "gcp_audit_rare_method_for_a_country", - "file": "gcp_audit_rare_method_for_a_country.json" + "id": "gcp_audit_rare_method_for_a_country_ea", + "file": "gcp_audit_rare_method_for_a_country_ea.json" }, { - "id": "gcp_audit_rare_method_for_a_client_user_email", - "file": "gcp_audit_rare_method_for_a_client_user_email.json" + "id": "gcp_audit_rare_method_for_a_user_email_ea", + "file": "gcp_audit_rare_method_for_a_user_email_ea.json" }, { - "id": "gcp_audit_high_distinct_count_error_message", - "file": "gcp_audit_high_distinct_count_error_message.json" + "id": "gcp_audit_high_distinct_count_error_message_ea", + "file": "gcp_audit_high_distinct_count_error_message_ea.json" }, { - "id": "gcp_audit_rare_error_code", - "file": "gcp_audit_rare_error_code.json" + "id": "gcp_audit_rare_error_code_ea", + "file": "gcp_audit_rare_error_code_ea.json" } ], "datafeeds": [ { - "id": "datafeed-gcp_audit_rare_method_for_a_city", - "file": "datafeed_gcp_audit_rare_method_for_a_city.json", - "job_id": "gcp_audit_rare_method_for_a_city" + "id": "datafeed-gcp_audit_rare_method_for_a_city_ea", + "file": "datafeed_gcp_audit_rare_method_for_a_city_ea.json", + "job_id": "gcp_audit_rare_method_for_a_city_ea" }, { - "id": "datafeed-gcp_audit_rare_method_for_a_country", - "file": "datafeed_gcp_audit_rare_method_for_a_country.json", - "job_id": "gcp_audit_rare_method_for_a_country" + "id": "datafeed-gcp_audit_rare_method_for_a_country_ea", + "file": "datafeed_gcp_audit_rare_method_for_a_country_ea.json", + "job_id": "gcp_audit_rare_method_for_a_country_ea" }, { - "id": "datafeed-gcp_audit_rare_method_for_a_client_user_email", - "file": "datafeed_gcp_audit_rare_method_for_a_client_user_email.json", - "job_id": "gcp_audit_rare_method_for_a_client_user_email" + 
"id": "datafeed-gcp_audit_rare_method_for_a_user_email_ea", + "file": "datafeed_gcp_audit_rare_method_for_a_user_email_ea.json", + "job_id": "gcp_audit_rare_method_for_a_user_email_ea" }, { - "id": "datafeed-gcp_audit_high_distinct_count_error_message", - "file": "datafeed_gcp_audit_high_distinct_count_error_message.json", - "job_id": "gcp_audit_high_distinct_count_error_message" + "id": "datafeed-gcp_audit_high_distinct_count_error_message_ea", + "file": "datafeed_gcp_audit_high_distinct_count_error_message_ea.json", + "job_id": "gcp_audit_high_distinct_count_error_message_ea" }, { - "id": "datafeed-gcp_audit_rare_error_code", - "file": "datafeed_gcp_audit_rare_error_code.json", - "job_id": "gcp_audit_rare_error_code" + "id": "datafeed-gcp_audit_rare_error_code_ea", + "file": "datafeed_gcp_audit_rare_error_code_ea.json", + "job_id": "gcp_audit_rare_error_code_ea" } ], "tags": [ diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_high_distinct_count_error_message.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_high_distinct_count_error_message_ea.json similarity index 100% rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_high_distinct_count_error_message.json rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_high_distinct_count_error_message_ea.json 
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_error_code.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_error_code_ea.json similarity index 100% rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_error_code.json rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_error_code_ea.json diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_city.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_city_ea.json similarity index 100% rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_city.json rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_city_ea.json diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_country.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_country_ea.json similarity index 100% rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_country.json rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_country_ea.json 
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_client_user_email.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_user_email_ea.json similarity index 100% rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_client_user_email.json rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_user_email_ea.json diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_high_distinct_count_error_message.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_high_distinct_count_error_message_ea.json similarity index 92% rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_high_distinct_count_error_message.json rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_high_distinct_count_error_message_ea.json index e43207608586b..24f814472f1e2 100644 --- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_high_distinct_count_error_message.json +++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_high_distinct_count_error_message_ea.json @@ -11,7 +11,7 @@ "detector_index": 0 } ], - "influencers": ["client.user.email", "source.ip", "source.geo.city_name"] + "influencers": ["user.email", "source.ip", "source.geo.city_name", "event.module"] }, "allow_lazy_open": true, "analysis_limits": { 
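Review bot: Only the `influencers` list is changed in this hunk (and likewise in the `gcp_audit_rare_error_code_ea`, `gcp_audit_rare_method_for_a_city_ea` and `gcp_audit_rare_method_for_a_country_ea` hunks that follow), so if any of those detectors still names `client.user.email` as a `partition_field_name` or `by_field_name` the job would partition on the old field while reporting influence on the new one; the detector block is outside the hunk, with only `detector_index` visible, so I cannot tell from here. The `gcp_audit_rare_method_for_a_user_email_ea` hunk does update its partition field, which is the check to repeat on the other four. As a point of style, the GCP Audit jobs keep `influencers` on a single line and append `event.module` last, while the Azure jobs in the same commit expand the list one entry per line and place `event.module` second; one convention across the modules would keep future diffs smaller and make the field sets easier to compare.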
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_error_code.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_error_code_ea.json similarity index 91% rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_error_code.json rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_error_code_ea.json index a5cfae2d2bb85..193e33e5261a1 100644 --- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_error_code.json +++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_error_code_ea.json @@ -11,7 +11,7 @@ "detector_index": 0 } ], - "influencers": ["client.user.email", "source.ip", "source.geo.city_name"] + "influencers": ["user.email", "source.ip", "source.geo.city_name", "event.module"] }, "allow_lazy_open": true, "analysis_limits": { diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_city.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_city_ea.json similarity index 91% rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_city.json rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_city_ea.json index e191d6929aa9e..f8923031b4f8a 100644 --- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_city.json 
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_city_ea.json @@ -12,7 +12,7 @@ "detector_index": 0 } ], - "influencers": ["client.user.email", "source.ip", "source.geo.city_name"] + "influencers": ["user.email", "source.ip", "source.geo.city_name", "event.module"] }, "allow_lazy_open": true, "analysis_limits": { diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_country.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_country_ea.json similarity index 91% rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_country.json rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_country_ea.json index 6e1bd48c749d8..0455d2591a744 100644 --- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_country.json +++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_country_ea.json @@ -12,7 +12,7 @@ "detector_index": 0 } ], - "influencers": ["client.user.email", "source.ip", "source.geo.country_iso_code"] + "influencers": ["user.email", "source.ip", "source.geo.country_iso_code", "event.module"] }, "allow_lazy_open": true, "analysis_limits": { 
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_client_user_email.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_user_email_ea.json similarity index 89% rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_client_user_email.json rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_user_email_ea.json index 2734dfa6ee0e5..b84c23f1e7e2c 100644 --- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_client_user_email.json +++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_user_email_ea.json @@ -8,14 +8,15 @@ "detector_description": "Detects rare GCP Audit event actions for a user.", "function": "rare", "by_field_name": "event.action", - "partition_field_name": "client.user.email", + "partition_field_name": "user.email", "detector_index": 0 } ], "influencers": [ - "client.user.email", + "user.email", "source.ip", - "source.geo.city_name" + "source.geo.city_name", + "event.module" ] }, "allow_lazy_open": true, diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/manifest.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/manifest.json index 46d35c3761b6e..7f2af1d025154 100644 --- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/manifest.json +++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/manifest.json 
@@ -34,24 +34,24 @@
 },
 "jobs": [
 {
- "id": "high_count_events_for_a_host_name",
- "file": "high_count_events_for_a_host_name.json"
+ "id": "high_count_events_for_a_host_name_ea",
+ "file": "high_count_events_for_a_host_name_ea.json"
 },
 {
- "id": "low_count_events_for_a_host_name",
- "file": "low_count_events_for_a_host_name.json"
+ "id": "low_count_events_for_a_host_name_ea",
+ "file": "low_count_events_for_a_host_name_ea.json"
 }
 ],
 "datafeeds": [
 {
- "id": "datafeed-high_count_events_for_a_host_name",
- "file": "datafeed_high_count_events_for_a_host_name.json",
- "job_id": "high_count_events_for_a_host_name"
+ "id": "datafeed-high_count_events_for_a_host_name_ea",
+ "file": "datafeed_high_count_events_for_a_host_name_ea.json",
+ "job_id": "high_count_events_for_a_host_name_ea"
 },
 {
- "id": "datafeed-low_count_events_for_a_host_name",
- "file": "datafeed_low_count_events_for_a_host_name.json",
- "job_id": "low_count_events_for_a_host_name"
+ "id": "datafeed-low_count_events_for_a_host_name_ea",
+ "file": "datafeed_low_count_events_for_a_host_name_ea.json",
+ "job_id": "low_count_events_for_a_host_name_ea"
 }
 ],
 "tags": [
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_high_count_events_for_a_host_name.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_high_count_events_for_a_host_name_ea.json
similarity index 64%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_high_count_events_for_a_host_name.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_high_count_events_for_a_host_name_ea.json
index 9f53a8849730b..3b4bc3572323f 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_high_count_events_for_a_host_name.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_high_count_events_for_a_host_name_ea.json @@ -30,7 +30,18 @@ ], "must_not": { "terms": { - "process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"] + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] } } } diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_low_count_events_for_a_host_name.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_low_count_events_for_a_host_name_ea.json similarity index 64% rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_low_count_events_for_a_host_name.json rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_low_count_events_for_a_host_name_ea.json index 9f53a8849730b..3b4bc3572323f 100644 --- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_low_count_events_for_a_host_name.json +++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_low_count_events_for_a_host_name_ea.json @@ -30,7 +30,18 @@ ], "must_not": { "terms": { - "process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"] + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] } } } 
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/high_count_events_for_a_host_name.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/high_count_events_for_a_host_name_ea.json similarity index 81% rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/high_count_events_for_a_host_name.json rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/high_count_events_for_a_host_name_ea.json index 3002c77097961..2148caca4617b 100644 --- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/high_count_events_for_a_host_name.json +++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/high_count_events_for_a_host_name_ea.json @@ -1,6 +1,9 @@ { "description": "Security: Host - Looks for a sudden spike in host based traffic. This can be due to a range of security issues, such as a compromised system, DDoS attacks, malware infections, privilege escalation, or data exfiltration.", - "groups": ["security", "host"], + "groups": [ + "security", + "host" + ], "analysis_config": { "bucket_span": "1h", "detectors": [ @@ -11,7 +14,14 @@ "detector_index": 0 } ], - "influencers": ["host.name", "host.ip", "event.dataset", "event.action", "event.category"] + "influencers": [ + "host.name", + "host.id", + "host.ip", + "event.dataset", + "event.action", + "event.category" + ] }, "allow_lazy_open": true, "analysis_limits": { 
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/low_count_events_for_a_host_name.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/low_count_events_for_a_host_name_ea.json similarity index 80% rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/low_count_events_for_a_host_name.json rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/low_count_events_for_a_host_name_ea.json index d46fbcde86e0b..d6401cbca606b 100644 --- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/low_count_events_for_a_host_name.json +++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/low_count_events_for_a_host_name_ea.json @@ -1,6 +1,9 @@ { "description": "Security: Host - Looks for a sudden drop in host based traffic. This can be due to a range of security issues, such as a compromised system, a failed service, or a network misconfiguration.", - "groups": ["security", "host"], + "groups": [ + "security", + "host" + ], "analysis_config": { "bucket_span": "5m", "detectors": [ @@ -11,7 +14,14 @@ "detector_index": 0 } ], - "influencers": ["host.name", "host.ip", "event.dataset", "event.action", "event.category"] + "influencers": [ + "host.name", + "host.id", + "host.ip", + "event.dataset", + "event.action", + "event.category" + ] }, "allow_lazy_open": true, "analysis_limits": { diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/manifest.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/manifest.json index 14d8ae5162558..8e2b6283a4f60 100644 --- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/manifest.json 
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/manifest.json 
@@ -50,132 +50,132 @@
 },
 "jobs": [
 {
- "id": "v3_linux_anomalous_network_port_activity",
- "file": "v3_linux_anomalous_network_port_activity.json"
+ "id": "v3_linux_anomalous_network_port_activity_ea",
+ "file": "v3_linux_anomalous_network_port_activity_ea.json"
 },
 {
- "id": "v3_linux_network_configuration_discovery",
- "file": "v3_linux_network_configuration_discovery.json"
+ "id": "v3_linux_network_configuration_discovery_ea",
+ "file": "v3_linux_network_configuration_discovery_ea.json"
 },
 {
- "id": "v3_linux_network_connection_discovery",
- "file": "v3_linux_network_connection_discovery.json"
+ "id": "v3_linux_network_connection_discovery_ea",
+ "file": "v3_linux_network_connection_discovery_ea.json"
 },
 {
- "id": "v3_linux_rare_sudo_user",
- "file": "v3_linux_rare_sudo_user.json"
+ "id": "v3_linux_rare_sudo_user_ea",
+ "file": "v3_linux_rare_sudo_user_ea.json"
 },
 {
- "id": "v3_linux_rare_user_compiler",
- "file": "v3_linux_rare_user_compiler.json"
+ "id": "v3_linux_rare_user_compiler_ea",
+ "file": "v3_linux_rare_user_compiler_ea.json"
 },
 {
- "id": "v3_linux_system_information_discovery",
- "file": "v3_linux_system_information_discovery.json"
+ "id": "v3_linux_system_information_discovery_ea",
+ "file": "v3_linux_system_information_discovery_ea.json"
 },
 {
- "id": "v3_linux_system_process_discovery",
- "file": "v3_linux_system_process_discovery.json"
+ "id": "v3_linux_system_process_discovery_ea",
+ "file": "v3_linux_system_process_discovery_ea.json"
 },
 {
- "id": "v3_linux_system_user_discovery",
- "file": "v3_linux_system_user_discovery.json"
+ "id": "v3_linux_system_user_discovery_ea",
+ "file": "v3_linux_system_user_discovery_ea.json"
 },
 {
- "id": "v3_linux_anomalous_process_all_hosts",
- "file": "v3_linux_anomalous_process_all_hosts.json"
+ "id": "v3_linux_anomalous_process_all_hosts_ea",
+ "file": "v3_linux_anomalous_process_all_hosts_ea.json"
 },
 {
- "id": "v3_linux_anomalous_user_name",
- "file": "v3_linux_anomalous_user_name.json"
+ "id": "v3_linux_anomalous_user_name_ea",
+ "file": "v3_linux_anomalous_user_name_ea.json"
 },
 {
- "id": "v3_linux_rare_metadata_process",
- "file": "v3_linux_rare_metadata_process.json"
+ "id": "v3_linux_rare_metadata_process_ea",
+ "file": "v3_linux_rare_metadata_process_ea.json"
 },
 {
- "id": "v3_linux_rare_metadata_user",
- "file": "v3_linux_rare_metadata_user.json"
+ "id": "v3_linux_rare_metadata_user_ea",
+ "file": "v3_linux_rare_metadata_user_ea.json"
 },
 {
- "id": "v3_rare_process_by_host_linux",
- "file": "v3_rare_process_by_host_linux.json"
+ "id": "v3_rare_process_by_host_linux_ea",
+ "file": "v3_rare_process_by_host_linux_ea.json"
 },
 {
- "id": "v3_linux_anomalous_network_activity",
- "file": "v3_linux_anomalous_network_activity.json"
+ "id": "v3_linux_anomalous_network_activity_ea",
+ "file": "v3_linux_anomalous_network_activity_ea.json"
 }
 ],
 "datafeeds": [
 {
- "id": "datafeed-v3_linux_anomalous_network_port_activity",
- "file": "datafeed_v3_linux_anomalous_network_port_activity.json",
- "job_id": "v3_linux_anomalous_network_port_activity"
+ "id": "datafeed-v3_linux_anomalous_network_port_activity_ea",
+ "file": "datafeed_v3_linux_anomalous_network_port_activity_ea.json",
+ "job_id": "v3_linux_anomalous_network_port_activity_ea"
 },
 {
- "id": "datafeed-v3_linux_network_configuration_discovery",
- "file": "datafeed_v3_linux_network_configuration_discovery.json",
- "job_id": "v3_linux_network_configuration_discovery"
+ "id": "datafeed-v3_linux_network_configuration_discovery_ea",
+ "file": "datafeed_v3_linux_network_configuration_discovery_ea.json",
+ "job_id": "v3_linux_network_configuration_discovery_ea"
 },
 {
- "id": "datafeed-v3_linux_network_connection_discovery",
- "file": "datafeed_v3_linux_network_connection_discovery.json",
- "job_id": "v3_linux_network_connection_discovery"
+ "id": "datafeed-v3_linux_network_connection_discovery_ea",
+ "file": "datafeed_v3_linux_network_connection_discovery_ea.json",
+ "job_id": "v3_linux_network_connection_discovery_ea"
 },
 {
- "id": "datafeed-v3_linux_rare_sudo_user",
- "file": "datafeed_v3_linux_rare_sudo_user.json",
- "job_id": "v3_linux_rare_sudo_user"
+ "id": "datafeed-v3_linux_rare_sudo_user_ea",
+ "file": "datafeed_v3_linux_rare_sudo_user_ea.json",
+ "job_id": "v3_linux_rare_sudo_user_ea"
 },
 {
- "id": "datafeed-v3_linux_rare_user_compiler",
- "file": "datafeed_v3_linux_rare_user_compiler.json",
- "job_id": "v3_linux_rare_user_compiler"
+ "id": "datafeed-v3_linux_rare_user_compiler_ea",
+ "file": "datafeed_v3_linux_rare_user_compiler_ea.json",
+ "job_id": "v3_linux_rare_user_compiler_ea"
 },
 {
- "id": "datafeed-v3_linux_system_information_discovery",
- "file": "datafeed_v3_linux_system_information_discovery.json",
- "job_id": "v3_linux_system_information_discovery"
+ "id": "datafeed-v3_linux_system_information_discovery_ea",
+ "file": "datafeed_v3_linux_system_information_discovery_ea.json",
+ "job_id": "v3_linux_system_information_discovery_ea"
 },
 {
- "id": "datafeed-v3_linux_system_process_discovery",
- "file": "datafeed_v3_linux_system_process_discovery.json",
- "job_id": "v3_linux_system_process_discovery"
+ "id": "datafeed-v3_linux_system_process_discovery_ea",
+ "file": "datafeed_v3_linux_system_process_discovery_ea.json",
+ "job_id": "v3_linux_system_process_discovery_ea"
 },
 {
- "id": "datafeed-v3_linux_system_user_discovery",
- "file": "datafeed_v3_linux_system_user_discovery.json",
- "job_id": "v3_linux_system_user_discovery"
+ "id": "datafeed-v3_linux_system_user_discovery_ea",
+ "file": "datafeed_v3_linux_system_user_discovery_ea.json",
+ "job_id": "v3_linux_system_user_discovery_ea"
 },
 {
- "id": "datafeed-v3_linux_anomalous_process_all_hosts",
- "file": "datafeed_v3_linux_anomalous_process_all_hosts.json",
- "job_id": "v3_linux_anomalous_process_all_hosts"
+ "id": "datafeed-v3_linux_anomalous_process_all_hosts_ea",
+ "file": "datafeed_v3_linux_anomalous_process_all_hosts_ea.json",
+ "job_id": "v3_linux_anomalous_process_all_hosts_ea"
 },
 {
- "id": "datafeed-v3_linux_anomalous_user_name",
- "file": "datafeed_v3_linux_anomalous_user_name.json",
- "job_id": "v3_linux_anomalous_user_name"
+ "id": "datafeed-v3_linux_anomalous_user_name_ea",
+ "file": "datafeed_v3_linux_anomalous_user_name_ea.json",
+ "job_id": "v3_linux_anomalous_user_name_ea"
 },
 {
- "id": "datafeed-v3_linux_rare_metadata_process",
- "file": "datafeed_v3_linux_rare_metadata_process.json",
- "job_id": "v3_linux_rare_metadata_process"
+ "id": "datafeed-v3_linux_rare_metadata_process_ea",
+ "file": "datafeed_v3_linux_rare_metadata_process_ea.json",
+ "job_id": "v3_linux_rare_metadata_process_ea"
 },
 {
- "id": "datafeed-v3_linux_rare_metadata_user",
- "file": "datafeed_v3_linux_rare_metadata_user.json",
- "job_id": "v3_linux_rare_metadata_user"
+ "id": "datafeed-v3_linux_rare_metadata_user_ea",
+ "file": "datafeed_v3_linux_rare_metadata_user_ea.json",
+ "job_id": "v3_linux_rare_metadata_user_ea"
 },
 {
- "id": "datafeed-v3_rare_process_by_host_linux",
- "file": "datafeed_v3_rare_process_by_host_linux.json",
- "job_id": "v3_rare_process_by_host_linux"
+ "id": "datafeed-v3_rare_process_by_host_linux_ea",
+ "file": "datafeed_v3_rare_process_by_host_linux_ea.json",
+ "job_id": "v3_rare_process_by_host_linux_ea"
 },
 {
- "id": "datafeed-v3_linux_anomalous_network_activity",
- "file": "datafeed_v3_linux_anomalous_network_activity.json",
- "job_id": "v3_linux_anomalous_network_activity"
+ "id": "datafeed-v3_linux_anomalous_network_activity_ea",
+ "file": "datafeed_v3_linux_anomalous_network_activity_ea.json",
+ "job_id": "v3_linux_anomalous_network_activity_ea"
 }
 ],
 "tags": [
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_network_activity.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_network_activity_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_network_activity.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_network_activity_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_network_port_activity.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_network_port_activity_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_network_port_activity.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_network_port_activity_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_process_all_hosts.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_process_all_hosts_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_process_all_hosts.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_process_all_hosts_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_user_name.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_user_name_ea.json
similarity index 82%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_user_name.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_user_name_ea.json
index f7ff797385ab9..7d13bc79b8ed1 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_user_name.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_user_name_ea.json
@@ -68,9 +68,20 @@
 ],
 "must_not": {
 "terms": {
- "process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
+ "process.name": [
+ "elastic-agent.exe",
+ "elastic-agent",
+ "metricbeat.exe",
+ "metricbeat",
+ "filebeat.exe",
+ "filebeat",
+ "packetbeat.exe",
+ "packetbeat",
+ "winlogbeat.exe",
+ "winlogbeat"
+ ]
 }
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_network_configuration_discovery.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_network_configuration_discovery_ea.json
similarity index 89%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_network_configuration_discovery.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_network_configuration_discovery_ea.json
index 8acf409807c30..ab314352f5276 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_network_configuration_discovery.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_network_configuration_discovery_ea.json
@@ -105,12 +105,19 @@
 "must_not": {
 "terms": {
 "process.name": [
- "elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat",
- "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat",
- "winlogbeat.exe", "winlogbeat"
+ "elastic-agent.exe",
+ "elastic-agent",
+ "metricbeat.exe",
+ "metricbeat",
+ "filebeat.exe",
+ "filebeat",
+ "packetbeat.exe",
+ "packetbeat",
+ "winlogbeat.exe",
+ "winlogbeat"
 ]
 }
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_network_connection_discovery.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_network_connection_discovery_ea.json
similarity index 88%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_network_connection_discovery.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_network_connection_discovery_ea.json
index 4c7e2efce3ebe..5463f76ae0815 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_network_connection_discovery.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_network_connection_discovery_ea.json
@@ -90,12 +90,19 @@
 "must_not": {
 "terms": {
 "process.name": [
- "elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat",
- "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat",
- "winlogbeat.exe", "winlogbeat"
+ "elastic-agent.exe",
+ "elastic-agent",
+ "metricbeat.exe",
+ "metricbeat",
+ "filebeat.exe",
+ "filebeat",
+ "packetbeat.exe",
+ "packetbeat",
+ "winlogbeat.exe",
+ "winlogbeat"
 ]
 }
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_metadata_process.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_metadata_process_ea.json
similarity index 84%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_metadata_process.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_metadata_process_ea.json
index b547d4ea9b6c1..74d9274cd6461 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_metadata_process.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_metadata_process_ea.json
@@ -64,11 +64,19 @@
 "must_not": {
 "terms": {
 "process.name": [
- "elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe",
- "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"
+ "elastic-agent.exe",
+ "elastic-agent",
+ "metricbeat.exe",
+ "metricbeat",
+ "filebeat.exe",
+ "filebeat",
+ "packetbeat.exe",
+ "packetbeat",
+ "winlogbeat.exe",
+ "winlogbeat"
 ]
 }
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_metadata_user.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_metadata_user_ea.json
similarity index 84%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_metadata_user.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_metadata_user_ea.json
index b547d4ea9b6c1..74d9274cd6461 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_metadata_user.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_metadata_user_ea.json
@@ -64,11 +64,19 @@
 "must_not": {
 "terms": {
 "process.name": [
- "elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe",
- "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"
+ "elastic-agent.exe",
+ "elastic-agent",
+ "metricbeat.exe",
+ "metricbeat",
+ "filebeat.exe",
+ "filebeat",
+ "packetbeat.exe",
+ "packetbeat",
+ "winlogbeat.exe",
+ "winlogbeat"
 ]
 }
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_sudo_user.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_sudo_user_ea.json
similarity index 82%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_sudo_user.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_sudo_user_ea.json
index 2abf970ef356a..f41df79f3104c 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_sudo_user.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_sudo_user_ea.json
@@ -68,9 +68,20 @@
 ],
 "must_not": {
 "terms": {
- "process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
+ "process.name": [
+ "elastic-agent.exe",
+ "elastic-agent",
+ "metricbeat.exe",
+ "metricbeat",
+ "filebeat.exe",
+ "filebeat",
+ "packetbeat.exe",
+ "packetbeat",
+ "winlogbeat.exe",
+ "winlogbeat"
+ ]
 }
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_user_compiler.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_user_compiler_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_user_compiler.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_user_compiler_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_information_discovery.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_information_discovery_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_information_discovery.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_information_discovery_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_process_discovery.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_process_discovery_ea.json
similarity index 99%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_process_discovery.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_process_discovery_ea.json
index e90e9f9161eff..43053f7964c3d 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_process_discovery.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_process_discovery_ea.json
@@ -79,4 +79,4 @@
 ]
 }
 }
-}
\ No newline at end of file
+}
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_user_discovery.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_user_discovery_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_user_discovery.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_user_discovery_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_rare_process_by_host_linux.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_rare_process_by_host_linux_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_rare_process_by_host_linux.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_rare_process_by_host_linux_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_network_activity.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_network_activity_ea.json
similarity index 78%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_network_activity.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_network_activity_ea.json
index b276bcc7856ba..4f907b86bda22 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_network_activity.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_network_activity_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Linux - Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity.",
- "groups": ["linux", "security"],
+ "groups": [
+ "linux",
+ "security"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,15 @@
 "detector_index": 0
 }
 ],
- "influencers": ["host.name", "process.name", "user.name", "destination.ip"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "process.name",
+ "user.name",
+ "user.id",
+ "destination.ip",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_network_port_activity.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_network_port_activity_ea.json
similarity index 78%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_network_port_activity.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_network_port_activity_ea.json
index a551d6c2c204f..4dc2ca941aea2 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_network_port_activity.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_network_port_activity_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Linux - Looks for unusual destination port activity that could indicate command-and-control, persistence mechanism, or data exfiltration activity.",
- "groups": ["security", "linux"],
+ "groups": [
+ "security",
+ "linux"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,15 @@
 "detector_index": 0
 }
 ],
- "influencers": ["host.name", "process.name", "user.name", "destination.ip"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "process.name",
+ "user.name",
+ "user.id",
+ "destination.ip",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
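Review bot: The new `"influencers"` list grows from four to seven fields (`host.id`, `user.id` and `event.module` added) while the `"analysis_limits": {` block that follows is outside the hunk, so the diff does not show whether `model_memory_limit` was re-sized for the extra influencer state the job will now track; that should be confirmed against a representative Elastic Agent dataset before the `_ea` jobs ship, since a job that hits its memory limit stops producing the anomalies the prebuilt rules depend on. The same addition appears in the v3_linux_anomalous_network_port_activity hunks on this line and in the v3_linux_anomalous_process_all_hosts, v3_linux_anomalous_user_name, v3_linux_network_configuration_discovery, v3_linux_network_connection_discovery, v3_linux_rare_metadata_process, v3_linux_rare_metadata_user and v3_linux_rare_sudo_user hunks that follow; the earlier security_host low_count_events_for_a_host_name hunk adds `host.id` only. `event.module` is presumably populated by the integrations these `_ea` jobs target, but if some source documents carry only `event.dataset` the influencer will be empty for them, so it is worth checking against the datafeed's index pattern.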
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_process_all_hosts.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_process_all_hosts_ea.json
similarity index 81%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_process_all_hosts.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_process_all_hosts_ea.json
index dea5fa3a5db31..961e16c71ec58 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_process_all_hosts.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_process_all_hosts_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Linux - Looks for processes that are unusual to all Linux hosts. Such unusual processes may indicate unauthorized software, malware, or persistence mechanisms.",
- "groups": ["linux", "security"],
+ "groups": [
+ "linux",
+ "security"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,14 @@
 "detector_index": 0
 }
 ],
- "influencers": ["host.name", "process.name", "user.name"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "process.name",
+ "user.name",
+ "user.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_user_name.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_user_name_ea.json
similarity index 81%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_user_name.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_user_name_ea.json
index 05d46860b145f..8de3d2d893bfc 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_user_name.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_user_name_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Linux - Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user which may be credentialed access or lateral movement.",
- "groups": ["linux", "security"],
+ "groups": [
+ "linux",
+ "security"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,14 @@
 "detector_index": 0
 }
 ],
- "influencers": ["host.name", "process.name", "user.name"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "process.name",
+ "user.name",
+ "user.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_network_configuration_discovery.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_network_configuration_discovery_ea.json
similarity index 83%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_network_configuration_discovery.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_network_configuration_discovery_ea.json
index fccfa9493e8c2..da4ff73d5f2ea 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_network_configuration_discovery.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_network_configuration_discovery_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Linux - Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
- "groups": ["security", "linux"],
+ "groups": [
+ "security",
+ "linux"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,15 @@
 "detector_index": 0
 }
 ],
- "influencers": ["process.name", "host.name", "process.args", "user.name"]
+ "influencers": [
+ "process.name",
+ "host.name",
+ "host.id",
+ "process.args",
+ "user.name",
+ "user.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_network_connection_discovery.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_network_connection_discovery_ea.json
similarity index 83%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_network_connection_discovery.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_network_connection_discovery_ea.json
index 32dc04c079db1..af139ba0d430f 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_network_connection_discovery.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_network_connection_discovery_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Linux - Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
- "groups": ["security", "linux"],
+ "groups": [
+ "security",
+ "linux"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,15 @@
 "detector_index": 0
 }
 ],
- "influencers": ["process.name", "host.name", "process.args", "user.name"]
+ "influencers": [
+ "process.name",
+ "host.name",
+ "host.id",
+ "process.args",
+ "user.name",
+ "user.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_metadata_process.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_metadata_process_ea.json
similarity index 82%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_metadata_process.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_metadata_process_ea.json
index 6897876ad6ba3..74dcb0375c1b6 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_metadata_process.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_metadata_process_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Linux - Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
- "groups": ["linux", "security"],
+ "groups": [
+ "linux",
+ "security"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,14 @@
 "detector_index": 0
 }
 ],
- "influencers": ["host.name", "user.name", "process.name"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "user.name",
+ "user.id",
+ "process.name",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_metadata_user.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_metadata_user_ea.json
similarity index 83%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_metadata_user.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_metadata_user_ea.json
index ad81023d69383..eed5e4b8b3f58 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_metadata_user.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_metadata_user_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Linux - Looks for anomalous access to the metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
- "groups": ["linux", "security"],
+ "groups": [
+ "linux",
+ "security"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,13 @@
 "detector_index": 0
 }
 ],
- "influencers": ["host.name", "user.name"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "user.name",
+ "user.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_sudo_user.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_sudo_user_ea.json
similarity index 66%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_sudo_user.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_sudo_user_ea.json
index 11be6277c4220..05479ac8ebd28 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_sudo_user.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_sudo_user_ea.json
@@ -1,6 +1,9 @@
 {
- "description": "Security: Linux - Looks for sudo activity from an unusual user context. Unusual user context changes can be due to privilege escalation.",
- "groups": ["security", "linux"],
+ "description": "Security: Linux - Looks for sudo activity from an unusual user context. Unusual unique user identifier context changes can be due to privilege escalation.",
+ "groups": [
+ "security",
+ "linux"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,15 @@
 "detector_index": 0
 }
 ],
- "influencers": ["process.name", "host.name", "process.args", "user.name"]
+ "influencers": [
+ "process.name",
+ "host.name",
+ "host.id",
+ "process.args",
+ "user.name",
+ "user.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
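Review bot: The reworded description in the first hunk, `Unusual unique user identifier context changes can be due to privilege escalation.`, is awkward and reads as if only `user.id` is modelled, while the new influencer list in the second hunk still carries `user.name` next to `user.id`. Suggest `Unusual user context changes, by user name or user ID, can be due to privilege escalation.` so the text matches what the job actually influences on. The sibling `v3_linux_*` descriptions in this change keep their original wording, so this file is the only one that needs the fix; the detector definition itself lies between the two hunks and is not visible here.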
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_user_compiler.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_user_compiler_ea.json
similarity index 79%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_user_compiler.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_user_compiler_ea.json
index 08dbbc60d02f7..cb84761dbaba6 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_user_compiler.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_user_compiler_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Linux - Looks for compiler activity by a user context which does not normally run compilers. This can be ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.",
- "groups": ["security", "linux"],
+ "groups": [
+ "security",
+ "linux"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,15 @@
 "detector_index": 0
 }
 ],
- "influencers": ["process.title", "host.name", "process.working_directory", "user.name"]
+ "influencers": [
+ "process.title",
+ "host.name",
+ "host.id",
+ "process.working_directory",
+ "user.name",
+ "user.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_information_discovery.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_information_discovery_ea.json
similarity index 83%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_information_discovery.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_information_discovery_ea.json
index 255d0347654b0..169a9a6f84fd7 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_information_discovery.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_information_discovery_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Linux - Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery to gather detailed information about system configuration and software versions. This may be a precursor to the selection of a persistence mechanism or a method of privilege elevation.",
- "groups": ["security", "linux"],
+ "groups": [
+ "security",
+ "linux"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,15 @@
 "detector_index": 0
 }
 ],
- "influencers": ["process.name", "host.name", "process.args", "user.name"]
+ "influencers": [
+ "process.name",
+ "host.name",
+ "host.id",
+ "process.args",
+ "user.name",
+ "user.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_process_discovery.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_process_discovery_ea.json
similarity index 83%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_process_discovery.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_process_discovery_ea.json
index 03e57ce2237af..bddf1da0eea62 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_process_discovery.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_process_discovery_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Linux - Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system process discovery to increase their understanding of software applications running on a target host or network. This may be a precursor to the selection of a persistence mechanism or a method of privilege elevation.",
- "groups": ["security", "linux"],
+ "groups": [
+ "security",
+ "linux"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,15 @@
 "detector_index": 0
 }
 ],
- "influencers": ["process.name", "host.name", "process.args", "user.name"]
+ "influencers": [
+ "process.name",
+ "host.name",
+ "host.id",
+ "process.args",
+ "user.name",
+ "user.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_user_discovery.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_user_discovery_ea.json
similarity index 83%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_user_discovery.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_user_discovery_ea.json
index 2b1c4dc595777..f764bc6b1478b 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_user_discovery.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_user_discovery_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Linux - Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping, or privilege elevation activity.",
- "groups": ["security", "linux"],
+ "groups": [
+ "security",
+ "linux"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,15 @@
 "detector_index": 0
 }
 ],
- "influencers": ["process.name", "host.name", "process.args", "user.name"]
+ "influencers": [
+ "process.name",
+ "host.name",
+ "host.id",
+ "process.args",
+ "user.name",
+ "user.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_rare_process_by_host_linux.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_rare_process_by_host_linux_ea.json
similarity index 82%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_rare_process_by_host_linux.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_rare_process_by_host_linux_ea.json
index ce0e7f413f676..7bd1bffb7b4da 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_rare_process_by_host_linux.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_rare_process_by_host_linux_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Linux - Looks for processes that are unusual to a particular Linux host. Such unusual processes may indicate unauthorized software, malware, or persistence mechanisms.",
- "groups": ["linux", "security"],
+ "groups": [
+ "linux",
+ "security"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -12,7 +15,14 @@
 "detector_index": 0
 }
 ],
- "influencers": ["host.name", "process.name", "user.name"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "process.name",
+ "user.name",
+ "user.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/manifest.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/manifest.json
index 0ae305f973501..f461e8d461a4b 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/manifest.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/manifest.json
@@ -13,51 +13,51 @@
 },
 "jobs": [
 {
- "id": "packetbeat_dns_tunneling",
- "file": "packetbeat_dns_tunneling.json"
+ "id": "packetbeat_dns_tunneling_ea",
+ "file": "packetbeat_dns_tunneling_ea.json"
 },
 {
- "id": "packetbeat_rare_dns_question",
- "file": "packetbeat_rare_dns_question.json"
+ "id": "packetbeat_rare_dns_question_ea",
+ "file": "packetbeat_rare_dns_question_ea.json"
 },
 {
- "id": "packetbeat_rare_server_domain",
- "file": "packetbeat_rare_server_domain.json"
+ "id": "packetbeat_rare_server_domain_ea",
+ "file": "packetbeat_rare_server_domain_ea.json"
 },
 {
- "id": "packetbeat_rare_urls",
- "file": "packetbeat_rare_urls.json"
+ "id": "packetbeat_rare_urls_ea",
+ "file": "packetbeat_rare_urls_ea.json"
 },
 {
- "id": "packetbeat_rare_user_agent",
- "file": "packetbeat_rare_user_agent.json"
+ "id": "packetbeat_rare_user_agent_ea",
+ "file": "packetbeat_rare_user_agent_ea.json"
 }
 ],
 "datafeeds": [
 {
- "id": "datafeed-packetbeat_dns_tunneling",
- "file": "datafeed_packetbeat_dns_tunneling.json",
- "job_id": "packetbeat_dns_tunneling"
+ "id": "datafeed-packetbeat_dns_tunneling_ea",
+ "file": "datafeed_packetbeat_dns_tunneling_ea.json",
+ "job_id": "packetbeat_dns_tunneling_ea"
 },
 {
- "id": "datafeed-packetbeat_rare_dns_question",
- "file": "datafeed_packetbeat_rare_dns_question.json",
- "job_id": "packetbeat_rare_dns_question"
+ "id": "datafeed-packetbeat_rare_dns_question_ea",
+ "file": "datafeed_packetbeat_rare_dns_question_ea.json",
+ "job_id": "packetbeat_rare_dns_question_ea"
 },
 {
- "id": "datafeed-packetbeat_rare_server_domain",
- "file": "datafeed_packetbeat_rare_server_domain.json",
- "job_id": "packetbeat_rare_server_domain"
+ "id": "datafeed-packetbeat_rare_server_domain_ea",
+ "file": "datafeed_packetbeat_rare_server_domain_ea.json",
+ "job_id": "packetbeat_rare_server_domain_ea"
 },
 {
- "id": "datafeed-packetbeat_rare_urls",
- "file": "datafeed_packetbeat_rare_urls.json",
- "job_id": "packetbeat_rare_urls"
+ "id": "datafeed-packetbeat_rare_urls_ea",
+ "file": "datafeed_packetbeat_rare_urls_ea.json",
+ "job_id": "packetbeat_rare_urls_ea"
 },
 {
- "id": "datafeed-packetbeat_rare_user_agent",
- "file": "datafeed_packetbeat_rare_user_agent.json",
- "job_id": "packetbeat_rare_user_agent"
+ "id": "datafeed-packetbeat_rare_user_agent_ea",
+ "file": "datafeed_packetbeat_rare_user_agent_ea.json",
+ "job_id": "packetbeat_rare_user_agent_ea"
 }
 ],
 "tags": [
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_dns_tunneling.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_dns_tunneling_ea.json
similarity index 53%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_dns_tunneling.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_dns_tunneling_ea.json
index 334fe19ff09ba..b2a4bad21f019 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_dns_tunneling.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_dns_tunneling_ea.json
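Review bot: Every job and datafeed id in this manifest gains an `_ea` suffix, but nothing in the hunk migrates or deprecates the old `packetbeat_*` ids, so a deployment that already installed this module keeps its old jobs and datafeeds running untouched while module setup now creates a second `_ea` set next to them. Detection rules or other saved objects that still carry the old ids in `machine_learning_job_id` would then point at jobs this manifest no longer describes; I cannot tell from this diff whether those consumers are updated in the same change. A sentence in the module description stating that the unsuffixed ids are superseded and should be stopped and removed after upgrade, or an equivalent release note, would make the break explicit for operators. The `security_windows` manifest hunk later in this diff has the same gap.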
@@ -1,29 +1,54 @@
 {
 "job_id": "JOB_ID",
- "indices": ["INDEX_PATTERN_NAME"],
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
 "max_empty_searches": 10,
 "query": {
 "bool": {
- "filter": [{ "term": { "agent.type": "packetbeat" } }],
+ "filter": [
+ {
+ "term": {
+ "agent.type": "packetbeat"
+ }
+ }
+ ],
 "should": [
- { "term": { "event.dataset": "dns" } },
- { "term": { "event.dataset": "network_traffic.dns" } }
+ {
+ "term": {
+ "event.dataset": "dns"
+ }
+ },
+ {
+ "term": {
+ "event.dataset": "network_traffic.dns"
+ }
+ }
 ],
 "minimum_should_match": 1,
 "must_not": [
 {
 "bool": {
 "filter": {
- "term": { "destination.ip": "169.254.169.254" }
+ "term": {
+ "destination.ip": "169.254.169.254"
+ }
 }
 }
 },
 {
 "terms": {
 "process.name": [
- "elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat",
- "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat",
- "winlogbeat.exe", "winlogbeat"
+ "elastic-agent.exe",
+ "elastic-agent",
+ "metricbeat.exe",
+ "metricbeat",
+ "filebeat.exe",
+ "filebeat",
+ "packetbeat.exe",
+ "packetbeat",
+ "winlogbeat.exe",
+ "winlogbeat"
 ]
 }
 }
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_dns_question.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_dns_question_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_dns_question.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_dns_question_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_server_domain.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_server_domain_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_server_domain.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_server_domain_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_urls.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_urls_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_urls.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_urls_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_user_agent.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_user_agent_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_user_agent.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_user_agent_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_dns_tunneling.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_dns_tunneling_ea.json
similarity index 80%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_dns_tunneling.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_dns_tunneling_ea.json
index c12cb56915641..51edf2f959701 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_dns_tunneling.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_dns_tunneling_ea.json
@@ -1,6 +1,10 @@
 {
 "description": "Security: Packetbeat - Looks for unusual DNS activity that could indicate command-and-control or data exfiltration activity.",
- "groups": ["security", "packetbeat", "dns"],
+ "groups": [
+ "security",
+ "packetbeat",
+ "dns"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +15,9 @@
 "over_field_name": "dns_question_etld",
 "custom_rules": [
 {
- "actions": ["skip_result"],
+ "actions": [
+ "skip_result"
+ ],
 "conditions": [
 {
 "applies_to": "actual",
@@ -23,7 +29,12 @@
 ]
 }
 ],
- "influencers": ["destination.ip", "host.name", "dns_question_etld"]
+ "influencers": [
+ "destination.ip",
+ "host.name",
+ "host.id",
+ "dns_question_etld"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_dns_question.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_dns_question_ea.json
similarity index 84%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_dns_question.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_dns_question_ea.json
index 049d4e3babd23..93949b587097f 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_dns_question.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_dns_question_ea.json
@@ -1,6 +1,10 @@
 {
 "description": "Security: Packetbeat - Looks for unusual DNS activity that could indicate command-and-control activity.",
- "groups": ["security", "packetbeat", "dns"],
+ "groups": [
+ "security",
+ "packetbeat",
+ "dns"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -10,7 +14,10 @@
 "by_field_name": "dns.question.name"
 }
 ],
- "influencers": ["host.name"]
+ "influencers": [
+ "host.name",
+ "host.id"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_server_domain.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_server_domain_ea.json
similarity index 83%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_server_domain.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_server_domain_ea.json
index d8df5c4986b99..189ff78160cf3 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_server_domain.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_server_domain_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Packetbeat - Looks for unusual HTTP or TLS destination domain activity that could indicate execution, persistence, command-and-control or data exfiltration activity.",
- "groups": ["security", "packetbeat"],
+ "groups": [
+ "security",
+ "packetbeat"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -10,7 +13,12 @@
 "by_field_name": "server.domain"
 }
 ],
- "influencers": ["host.name", "destination.ip", "source.ip"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "destination.ip",
+ "source.ip"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_urls.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_urls_ea.json
similarity index 84%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_urls.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_urls_ea.json
index 055204dd1c376..47bdacb3ec611 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_urls.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_urls_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Packetbeat - Looks for unusual web browsing URL activity that could indicate execution, persistence, command-and-control or data exfiltration activity.",
- "groups": ["security", "packetbeat"],
+ "groups": [
+ "security",
+ "packetbeat"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -10,7 +13,11 @@
 "by_field_name": "url.full"
 }
 ],
- "influencers": ["host.name", "destination.ip"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "destination.ip"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_user_agent.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_user_agent_ea.json
similarity index 84%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_user_agent.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_user_agent_ea.json
index c947e4f1d509b..ca87dca8b4aad 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_user_agent.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_user_agent_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Packetbeat - Looks for unusual HTTP user agent activity that could indicate execution, persistence, command-and-control or data exfiltration activity.",
- "groups": ["security", "packetbeat"],
+ "groups": [
+ "security",
+ "packetbeat"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -10,7 +13,11 @@
 "by_field_name": "user_agent.original"
 }
 ],
- "influencers": ["host.name", "destination.ip"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "destination.ip"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/manifest.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/manifest.json
index 1a9b5f7c4f4dd..8a9a662485465 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/manifest.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/manifest.json
@@ -43,123 +43,123 @@
 },
 "jobs": [
 {
- "id": "v3_windows_anomalous_service",
- "file": "v3_windows_anomalous_service.json"
+ "id": "v3_windows_anomalous_service_ea",
+ "file": "v3_windows_anomalous_service_ea.json"
 },
 {
- "id": "v3_windows_rare_user_runas_event",
- "file": "v3_windows_rare_user_runas_event.json"
+ "id": "v3_windows_rare_user_runas_event_ea",
+ "file": "v3_windows_rare_user_runas_event_ea.json"
 },
 {
- "id": "v3_windows_rare_user_type10_remote_login",
- "file": "v3_windows_rare_user_type10_remote_login.json"
+ "id": "v3_windows_rare_user_type10_remote_login_ea",
+ "file": "v3_windows_rare_user_type10_remote_login_ea.json"
 },
 {
- "id": "v3_rare_process_by_host_windows",
- "file": "v3_rare_process_by_host_windows.json"
+ "id": "v3_rare_process_by_host_windows_ea",
+ "file": "v3_rare_process_by_host_windows_ea.json"
 },
 {
- "id": "v3_windows_anomalous_network_activity",
- "file": "v3_windows_anomalous_network_activity.json"
+ "id": "v3_windows_anomalous_network_activity_ea",
+ "file": "v3_windows_anomalous_network_activity_ea.json"
 },
 {
- "id": "v3_windows_anomalous_path_activity",
- "file": "v3_windows_anomalous_path_activity.json"
+ "id": "v3_windows_anomalous_path_activity_ea",
+ "file": "v3_windows_anomalous_path_activity_ea.json"
 },
 {
- "id": "v3_windows_anomalous_process_all_hosts",
- "file": "v3_windows_anomalous_process_all_hosts.json"
+ "id": "v3_windows_anomalous_process_all_hosts_ea",
+ "file": "v3_windows_anomalous_process_all_hosts_ea.json"
 },
 {
- "id": "v3_windows_anomalous_process_creation",
- "file": "v3_windows_anomalous_process_creation.json"
+ "id": "v3_windows_anomalous_process_creation_ea",
+ "file": "v3_windows_anomalous_process_creation_ea.json"
 },
 {
- "id": "v3_windows_anomalous_user_name",
- "file": "v3_windows_anomalous_user_name.json"
+ "id": "v3_windows_anomalous_user_name_ea",
+ "file": "v3_windows_anomalous_user_name_ea.json"
 },
 {
- "id": "v3_windows_rare_metadata_process",
- "file": "v3_windows_rare_metadata_process.json"
+ "id": "v3_windows_rare_metadata_process_ea",
+ "file": "v3_windows_rare_metadata_process_ea.json"
 },
 {
- "id": "v3_windows_rare_metadata_user",
- "file": "v3_windows_rare_metadata_user.json"
+ "id": "v3_windows_rare_metadata_user_ea",
+ "file": "v3_windows_rare_metadata_user_ea.json"
 },
 {
- "id": "v3_windows_anomalous_script",
- "file": "v3_windows_anomalous_script.json"
+ "id": "v3_windows_anomalous_script_ea",
+ "file": "v3_windows_anomalous_script_ea.json"
 },
 {
- "id": "v3_windows_rare_script",
- "file": "v3_windows_rare_script.json"
+ "id": "v3_windows_rare_script_ea",
+ "file": "v3_windows_rare_script_ea.json"
 }
 ],
 "datafeeds": [
 {
- "id": "datafeed-v3_windows_anomalous_service",
- "file": "datafeed_v3_windows_anomalous_service.json",
- "job_id": "v3_windows_anomalous_service"
+ "id": "datafeed-v3_windows_anomalous_service_ea",
+ "file": "datafeed_v3_windows_anomalous_service_ea.json",
+ "job_id": "v3_windows_anomalous_service_ea"
 },
 {
- "id": "datafeed-v3_windows_rare_user_runas_event",
- "file": "datafeed_v3_windows_rare_user_runas_event.json",
- "job_id": "v3_windows_rare_user_runas_event"
+ "id": "datafeed-v3_windows_rare_user_runas_event_ea",
+ "file": "datafeed_v3_windows_rare_user_runas_event_ea.json",
+ "job_id": "v3_windows_rare_user_runas_event_ea"
 },
 {
- "id": "datafeed-v3_windows_rare_user_type10_remote_login",
- "file": "datafeed_v3_windows_rare_user_type10_remote_login.json",
- "job_id": "v3_windows_rare_user_type10_remote_login"
+ "id": "datafeed-v3_windows_rare_user_type10_remote_login_ea",
+ "file": "datafeed_v3_windows_rare_user_type10_remote_login_ea.json",
+ "job_id": "v3_windows_rare_user_type10_remote_login_ea"
 },
 {
- "id": "datafeed-v3_rare_process_by_host_windows",
- "file": "datafeed_v3_rare_process_by_host_windows.json",
- "job_id": "v3_rare_process_by_host_windows"
+ "id": "datafeed-v3_rare_process_by_host_windows_ea",
+ "file": "datafeed_v3_rare_process_by_host_windows_ea.json",
+ "job_id": "v3_rare_process_by_host_windows_ea"
 },
 {
- "id": "datafeed-v3_windows_anomalous_network_activity",
- "file": "datafeed_v3_windows_anomalous_network_activity.json",
- "job_id": "v3_windows_anomalous_network_activity"
+ "id": "datafeed-v3_windows_anomalous_network_activity_ea",
+ "file": "datafeed_v3_windows_anomalous_network_activity_ea.json",
+ "job_id": "v3_windows_anomalous_network_activity_ea"
 },
 {
- "id": "datafeed-v3_windows_anomalous_path_activity",
- "file": "datafeed_v3_windows_anomalous_path_activity.json",
- "job_id": "v3_windows_anomalous_path_activity"
+ "id": "datafeed-v3_windows_anomalous_path_activity_ea",
+ "file": "datafeed_v3_windows_anomalous_path_activity_ea.json",
+ "job_id": "v3_windows_anomalous_path_activity_ea"
 },
 {
- "id": "datafeed-v3_windows_anomalous_process_all_hosts",
- "file": "datafeed_v3_windows_anomalous_process_all_hosts.json",
- "job_id": "v3_windows_anomalous_process_all_hosts"
+ "id": "datafeed-v3_windows_anomalous_process_all_hosts_ea",
+ "file": "datafeed_v3_windows_anomalous_process_all_hosts_ea.json",
+ "job_id": "v3_windows_anomalous_process_all_hosts_ea"
 },
 {
- "id": "datafeed-v3_windows_anomalous_process_creation",
- "file": "datafeed_v3_windows_anomalous_process_creation.json",
- "job_id": "v3_windows_anomalous_process_creation"
+ "id": "datafeed-v3_windows_anomalous_process_creation_ea",
+ "file": "datafeed_v3_windows_anomalous_process_creation_ea.json",
+ "job_id": "v3_windows_anomalous_process_creation_ea"
 },
 {
- "id": "datafeed-v3_windows_anomalous_user_name",
- "file": "datafeed_v3_windows_anomalous_user_name.json",
- "job_id": "v3_windows_anomalous_user_name"
+ "id": "datafeed-v3_windows_anomalous_user_name_ea",
+ "file": "datafeed_v3_windows_anomalous_user_name_ea.json",
+ "job_id": "v3_windows_anomalous_user_name_ea"
 },
 {
- "id": "datafeed-v3_windows_rare_metadata_process",
- "file": "datafeed_v3_windows_rare_metadata_process.json",
- "job_id": "v3_windows_rare_metadata_process"
+ "id": "datafeed-v3_windows_rare_metadata_process_ea",
+ "file": "datafeed_v3_windows_rare_metadata_process_ea.json",
+ "job_id": "v3_windows_rare_metadata_process_ea"
 },
 {
- "id": "datafeed-v3_windows_rare_metadata_user",
- "file": "datafeed_v3_windows_rare_metadata_user.json",
- "job_id": "v3_windows_rare_metadata_user"
+ "id": "datafeed-v3_windows_rare_metadata_user_ea",
+ "file": "datafeed_v3_windows_rare_metadata_user_ea.json",
+ "job_id": "v3_windows_rare_metadata_user_ea"
 },
 {
- "id": "datafeed-v3_windows_anomalous_script",
- "file": "datafeed_v3_windows_anomalous_script.json",
- "job_id": "v3_windows_anomalous_script"
+ "id": "datafeed-v3_windows_anomalous_script_ea",
+ "file": "datafeed_v3_windows_anomalous_script_ea.json",
+ "job_id": "v3_windows_anomalous_script_ea"
 },
 {
- "id": "datafeed-v3_windows_rare_script",
- "file": "datafeed_v3_windows_rare_script.json",
- "job_id": "v3_windows_rare_script"
+ "id": "datafeed-v3_windows_rare_script_ea",
+ "file": "datafeed_v3_windows_rare_script_ea.json",
+ "job_id": "v3_windows_rare_script_ea"
 }
 ],
 "tags": [
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_rare_process_by_host_windows.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_rare_process_by_host_windows_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_rare_process_by_host_windows.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_rare_process_by_host_windows_ea.json
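Review bot: Every job and datafeed id in this manifest gets a new `_ea` suffix, and nothing in the hunk (or elsewhere in view) retires or maps the old ids, so a deployment that already set up `security_windows` will presumably keep its existing `v3_windows_*` jobs running alongside the new `v3_windows_*_ea` ones once the module is re-installed, doubling ML node load and possibly producing duplicate anomalies for the same events. On the consumer side, anything still pointing at the old ids — detection rules with `machine_learning_job_id` values like those updated in the OpenAPI examples, saved searches, dashboards — will report the job as missing rather than fail loudly, which is a silent coverage gap for the Windows detections this module feeds. A short migration note in the module README (old id → new id, and that the old jobs should be stopped and deleted after the `_ea` jobs have caught up) would give operators what they need to avoid both problems. The job file renames themselves are consistent with the ids here, and the datafeed files are renamed at 100% similarity, which suggests they reference the job by placeholder rather than by literal id — worth a quick confirmation.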
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_network_activity.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_network_activity_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_network_activity.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_network_activity_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_path_activity.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_path_activity_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_path_activity.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_path_activity_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_process_all_hosts.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_process_all_hosts_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_process_all_hosts.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_process_all_hosts_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_process_creation.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_process_creation_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_process_creation.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_process_creation_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_script.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_script_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_script.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_script_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_service.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_service_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_service.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_service_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_user_name.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_user_name_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_user_name.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_user_name_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_metadata_process.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_metadata_process_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_metadata_process.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_metadata_process_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_metadata_user.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_metadata_user_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_metadata_user.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_metadata_user_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_script.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_script_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_script.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_script_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_user_runas_event.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_user_runas_event_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_user_runas_event.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_user_runas_event_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_user_type10_remote_login.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_user_type10_remote_login_ea.json
similarity index 100%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_user_type10_remote_login.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_user_type10_remote_login_ea.json
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_rare_process_by_host_windows.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_rare_process_by_host_windows_ea.json
similarity index 81%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_rare_process_by_host_windows.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_rare_process_by_host_windows_ea.json
index f74beb1eba642..77cf7d4a51297 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_rare_process_by_host_windows.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_rare_process_by_host_windows_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Windows - Looks for processes that are unusual to a particular Windows host. Such unusual processes may indicate unauthorized software, malware, or persistence mechanisms.",
- "groups": ["security", "windows"],
+ "groups": [
+ "security",
+ "windows"
+ ],
 "analysis_config": {
 "bucket_span": "2h",
 "detectors": [
@@ -12,7 +15,14 @@
 "detector_index": 0
 }
 ],
- "influencers": ["host.name", "process.name", "user.name"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "process.name",
+ "user.name",
+ "user.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_network_activity.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_network_activity_ea.json
similarity index 78%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_network_activity.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_network_activity_ea.json
index 2e04fa91be336..ba85f225dd093 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_network_activity.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_network_activity_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Windows - Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity.",
- "groups": ["security", "windows"],
+ "groups": [
+ "security",
+ "windows"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,15 @@
 "detector_index": 0
 }
 ],
- "influencers": ["host.name", "process.name", "user.name", "destination.ip"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "process.name",
+ "user.name",
+ "user.id",
+ "destination.ip",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_path_activity.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_path_activity_ea.json
similarity index 80%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_path_activity.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_path_activity_ea.json
index c9f0579309c6b..75f63f88c68eb 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_path_activity.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_path_activity_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Windows - Looks for activity in unusual paths that may indicate execution of malware or persistence mechanisms. Windows payloads often execute from user profile paths.",
- "groups": ["security", "windows"],
+ "groups": [
+ "security",
+ "windows"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,14 @@
 "detector_index": 0
 }
 ],
- "influencers": ["host.name", "process.name", "user.name"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "process.name",
+ "user.name",
+ "user.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_process_all_hosts.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_process_all_hosts_ea.json
similarity index 81%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_process_all_hosts.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_process_all_hosts_ea.json
index 08baa6587f9ff..b0ace368518a5 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_process_all_hosts.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_process_all_hosts_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Windows - Looks for processes that are unusual to all Windows hosts. Such unusual processes may indicate execution of unauthorized software, malware, or persistence mechanisms.",
- "groups": ["security", "windows"],
+ "groups": [
+ "security",
+ "windows"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,14 @@
 "detector_index": 0
 }
 ],
- "influencers": ["host.name", "process.name", "user.name"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "process.name",
+ "user.name",
+ "user.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_process_creation.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_process_creation_ea.json
similarity index 81%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_process_creation.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_process_creation_ea.json
index 1bf46c2d416a9..edab56117123d 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_process_creation.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_process_creation_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Windows - Looks for unusual process relationships which may indicate execution of malware or persistence mechanisms.",
- "groups": ["security", "windows"],
+ "groups": [
+ "security",
+ "windows"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -12,7 +15,14 @@
 "detector_index": 0
 }
 ],
- "influencers": ["host.name", "process.name", "user.name"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "process.name",
+ "user.name",
+ "user.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_script.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_script_ea.json
similarity index 79%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_script.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_script_ea.json
index 5472ad77e1b70..01bcbd5770a0a 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_script.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_script_ea.json
@@ -1,6 +1,10 @@
 {
 "description": "Security: Windows - Looks for unusual powershell scripts that may indicate execution of malware, or persistence mechanisms.",
- "groups": ["windows", "powershell", "security"],
+ "groups": [
+ "windows",
+ "powershell",
+ "security"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +15,14 @@
 "detector_index": 0
 }
 ],
- "influencers": ["host.name", "user.name", "file.path"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "user.name",
+ "user.id",
+ "file.path",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_service.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_service_ea.json
similarity index 83%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_service.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_service_ea.json
index b2530538a9263..7b1cdf360daaf 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_service.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_service_ea.json
@@ -1,5 +1,8 @@
 {
- "groups": ["security", "windows"],
+ "groups": [
+ "security",
+ "windows"
+ ],
 "description": "Security: Windows - Looks for rare and unusual Windows service names which may indicate execution of unauthorized services, malware, or persistence mechanisms.",
 "analysis_config": {
 "bucket_span": "15m",
@@ -11,7 +14,11 @@
 "detector_index": 0
 }
 ],
- "influencers": ["host.name", "winlog.event_data.ServiceName"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "winlog.event_data.ServiceName"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
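Review bot: The new influencer list in the second hunk adds only `"host.id"`, whereas every other security_windows job in this change (the v3_rare_process_by_host_windows_ea, anomalous_network_activity_ea, anomalous_path_activity_ea, anomalous_process_all_hosts_ea, anomalous_process_creation_ea, anomalous_script_ea, anomalous_user_name_ea, rare_metadata_process_ea, rare_metadata_user_ea, rare_script_ea, rare_user_runas_event_ea and rare_user_type10_remote_login_ea sections) also gains `"event.module"`. Omitting `user.id` is understandable because this job never had `user.name`, but the missing `event.module` looks like an oversight rather than a design choice; if it is deliberate (for example because service-creation events here carry no useful module value), that is worth recording in the module README so the asymmetry is not "fixed" later by accident. Either way, adding `"event.module"` after `"winlog.event_data.ServiceName"` would make the `_ea` job set uniform.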
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_user_name.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_user_name_ea.json
similarity index 80%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_user_name.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_user_name_ea.json
index 659e58cfdba32..c112f29777277 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_user_name.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_user_name_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Windows - Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user which may be credentialed access or lateral movement.",
- "groups": ["security", "windows"],
+ "groups": [
+ "security",
+ "windows"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,14 @@
 "detector_index": 0
 }
 ],
- "influencers": ["host.name", "process.name", "user.name"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "process.name",
+ "user.name",
+ "user.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_metadata_process.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_metadata_process_ea.json
similarity index 81%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_metadata_process.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_metadata_process_ea.json
index 953a00a8fff52..0cc2989fc5a25 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_metadata_process.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_metadata_process_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Windows - Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
- "groups": ["security", "windows"],
+ "groups": [
+ "security",
+ "windows"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,14 @@
 "detector_index": 0
 }
 ],
- "influencers": ["process.name", "host.name", "user.name"]
+ "influencers": [
+ "process.name",
+ "host.name",
+ "host.id",
+ "user.name",
+ "user.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_metadata_user.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_metadata_user_ea.json
similarity index 83%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_metadata_user.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_metadata_user_ea.json
index df55cb3d67709..adaff10a792ff 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_metadata_user.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_metadata_user_ea.json
@@ -1,6 +1,9 @@
 {
 "description": "Security: Windows - Looks for anomalous access to the metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
- "groups": ["security", "windows"],
+ "groups": [
+ "security",
+ "windows"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +14,13 @@
 "detector_index": 0
 }
 ],
- "influencers": ["host.name", "user.name"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "user.name",
+ "user.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_script.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_script_ea.json
similarity index 80%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_script.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_script_ea.json
index 8a09c045c5fed..f5f9b6aa7564f 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_script.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_script_ea.json
@@ -1,6 +1,10 @@
 {
 "description": "Security: Windows - Looks for rare powershell scripts that may indicate execution of malware, or persistence mechanisms.",
- "groups": ["windows", "powershell", "security"],
+ "groups": [
+ "windows",
+ "powershell",
+ "security"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -11,7 +15,13 @@
 "detector_index": 0
 }
 ],
- "influencers": ["host.name", "user.name"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "user.name",
+ "user.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_user_runas_event.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_user_runas_event_ea.json
similarity index 76%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_user_runas_event.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_user_runas_event_ea.json
index 87d9d4b172f63..513f643a30ada 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_user_runas_event.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_user_runas_event_ea.json
@@ -1,6 +1,10 @@
 {
 "description": "Security: Windows - Unusual user context switches can be due to privilege escalation.",
- "groups": ["security", "windows", "authentication"],
+ "groups": [
+ "security",
+ "windows",
+ "authentication"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -10,7 +14,14 @@
 "by_field_name": "user.name"
 }
 ],
- "influencers": ["host.name", "process.name", "user.name"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "process.name",
+ "user.name",
+ "user.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_user_type10_remote_login.json b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_user_type10_remote_login_ea.json
similarity index 76%
rename from x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_user_type10_remote_login.json
rename to x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_user_type10_remote_login_ea.json
index e118f761453be..3b4a669b03d3e 100644
--- a/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_user_type10_remote_login.json
+++ b/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_user_type10_remote_login_ea.json
@@ -1,6 +1,10 @@
 {
 "description": "Security: Windows - Unusual RDP (remote desktop protocol) user logins can indicate account takeover or credentialed access.",
- "groups": ["security", "windows", "authentication"],
+ "groups": [
+ "security",
+ "windows",
+ "authentication"
+ ],
 "analysis_config": {
 "bucket_span": "15m",
 "detectors": [
@@ -10,7 +14,14 @@
 "by_field_name": "user.name"
 }
 ],
- "influencers": ["host.name", "process.name", "user.name"]
+ "influencers": [
+ "host.name",
+ "host.id",
+ "process.name",
+ "user.name",
+ "user.id",
+ "event.module"
+ ]
 },
 "allow_lazy_open": true,
 "analysis_limits": {
diff --git a/x-pack/platform/test/api_integration/apis/ml/modules/setup_module.ts b/x-pack/platform/test/api_integration/apis/ml/modules/setup_module.ts
index 8ce61928ff626..5b3e71b64c195 100644
--- a/x-pack/platform/test/api_integration/apis/ml/modules/setup_module.ts
+++ b/x-pack/platform/test/api_integration/apis/ml/modules/setup_module.ts
@@ -327,27 +327,27 @@ export default ({ getService }: FtrProviderContext) => {
 responseCode: 200,
 jobs: [
 {
- jobId: 'pf12_packetbeat_dns_tunneling',
+ jobId: 'pf12_packetbeat_dns_tunneling_ea',
 jobState: JOB_STATE.CLOSED,
 datafeedState: DATAFEED_STATE.STOPPED,
 },
 {
- jobId: 'pf12_packetbeat_rare_dns_question',
+ jobId: 'pf12_packetbeat_rare_dns_question_ea',
 jobState: JOB_STATE.CLOSED,
 datafeedState: DATAFEED_STATE.STOPPED,
 },
 {
- jobId: 'pf12_packetbeat_rare_server_domain',
+ jobId: 'pf12_packetbeat_rare_server_domain_ea',
 jobState: JOB_STATE.CLOSED,
 datafeedState: DATAFEED_STATE.STOPPED,
 },
 {
- jobId: 'pf12_packetbeat_rare_urls',
+ jobId: 'pf12_packetbeat_rare_urls_ea',
 jobState: JOB_STATE.CLOSED,
 datafeedState: DATAFEED_STATE.STOPPED,
 },
 {
- jobId: 'pf12_packetbeat_rare_user_agent',
+ jobId: 'pf12_packetbeat_rare_user_agent_ea',
 jobState: JOB_STATE.CLOSED,
 datafeedState: DATAFEED_STATE.STOPPED,
 },
@@ -522,7 +522,7 @@ export default ({ getService }: FtrProviderContext) => {
 datafeedState: DATAFEED_STATE.STOPPED,
 },
 {
- jobId: 'pf20_rare_method_for_a_username',
+ jobId: 'pf20_rare_method_for_a_user_id_ea',
 jobState: JOB_STATE.CLOSED,
 datafeedState: DATAFEED_STATE.STOPPED,
 },
diff --git a/x-pack/solutions/security/packages/kbn-evals-suite-entity-analytics/evals/anomalous_behavior_no_jobs.spec.ts b/x-pack/solutions/security/packages/kbn-evals-suite-entity-analytics/evals/anomalous_behavior_no_jobs.spec.ts
index beacca5c24bab..2f5af158459c3 100644
--- a/x-pack/solutions/security/packages/kbn-evals-suite-entity-analytics/evals/anomalous_behavior_no_jobs.spec.ts
+++ b/x-pack/solutions/security/packages/kbn-evals-suite-entity-analytics/evals/anomalous_behavior_no_jobs.spec.ts
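Review bot: The new expectation `jobId: 'pf20_rare_method_for_a_user_id_ea'` in the `@@ -522` hunk changes the job stem (`username` → `user_id`) in addition to appending `_ea`, whereas every other expectation in this file only appends the suffix, and the health_endpoints.md example elsewhere in this commit uses `rare_method_for_a_username_ea`; one of the two is presumably stale. If the module job really was renamed to `rare_method_for_a_user_id_ea`, the documentation example should follow; if not, this expectation will fail against the installed module. The enclosing `export default` suite starts and ends outside the hunk.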
@@ -180,7 +180,7 @@ evaluate.describe(
 criteria: [
 'Return that the required anomaly detection jobs are not enabled in this environment.',
 'Prompt the user to enable anomaly detection jobs',
- `Mention at least 1 job id from the list: auth_rare_hour_for_a_user`,
+ `Mention at least 1 job id from the list: auth_rare_hour_for_a_user_ea`,
 ],
 },
 metadata: { query_intent: 'Factual' },
diff --git a/x-pack/solutions/security/packages/kbn-evals-suite-entity-analytics/src/ml_helpers.ts b/x-pack/solutions/security/packages/kbn-evals-suite-entity-analytics/src/ml_helpers.ts
index d11202d2b9ae4..9de9efb8b2f57 100644
--- a/x-pack/solutions/security/packages/kbn-evals-suite-entity-analytics/src/ml_helpers.ts
+++ b/x-pack/solutions/security/packages/kbn-evals-suite-entity-analytics/src/ml_helpers.ts
@@ -23,10 +23,10 @@ import { isJobStarted } from '@kbn/security-solution-plugin/common/machine_learn
 // Security Authentication ML module
 export const securityAuthModule = 'security_auth';
 export const securityAuthJobIds = [
- 'auth_rare_source_ip_for_a_user',
- 'suspicious_login_activity',
- 'auth_rare_user',
- 'auth_rare_hour_for_a_user',
+ 'auth_rare_source_ip_for_a_user_ea',
+ 'suspicious_login_activity_ea',
+ 'auth_rare_user_ea',
+ 'auth_rare_hour_for_a_user_ea',
 ];
 
 // Privileged Access Detection (PAD) ML module
@@ -45,7 +45,7 @@ export const lmdJobIds = [
 
 // Security PacketBeat ML module
 export const securityPacketBeatModule = 'security_packetbeat';
-export const securityPacketBeatJobIds = ['packetbeat_rare_server_domain'];
+export const securityPacketBeatJobIds = ['packetbeat_rare_server_domain_ea'];
 
 // Data Exfiltration Detection (DED) ML module
 export const dedModule = 'ded-ml';
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml
index 0ec60c1394a4c..0de5252c8caa5 100644
--- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml
+++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml
@@ -470,7 +470,7 @@ paths:
 type: 'machine_learning'
 anomaly_threshold: 50
 machine_learning_job_id:
- - 'packetbeat_dns_tunneling'
+ - 'packetbeat_dns_tunneling_ea'
 execution_summary:
 last_execution:
 date: '2022-03-23T16:06:12.787Z'
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/crud/patch_rule/patch_rule_route.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/crud/patch_rule/patch_rule_route.schema.yaml
index c0f877f863c94..85f46967f8397 100644
--- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/crud/patch_rule/patch_rule_route.schema.yaml
+++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/crud/patch_rule/patch_rule_route.schema.yaml
@@ -84,7 +84,7 @@ paths:
 id: '60b13926-289b-41b1-a537-197ef1fa5059'
 anomaly_threshold: 50
 machine_learning_job_id:
- - 'auth_high_count_logon_events'
+ - 'auth_high_count_logon_events_ea'
 responses:
 200:
 description: Indicates a successful call.
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/crud/update_rule/update_rule_route.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/crud/update_rule/update_rule_route.schema.yaml
index 43da22201599c..ddee20b6dc767 100644
--- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/crud/update_rule/update_rule_route.schema.yaml
+++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/crud/update_rule/update_rule_route.schema.yaml
@@ -130,7 +130,7 @@ paths:
 type: 'machine_learning'
 anomaly_threshold: 50
 machine_learning_job_id:
- - 'auth_high_count_logon_events'
+ - 'auth_high_count_logon_events_ea'
 responses:
 200:
 description: Indicates a successful call.
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_monitoring/detection_engine_health/health_endpoints.md b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_monitoring/detection_engine_health/health_endpoints.md
index 8a53bfb246fc7..98e644ae0a0e1 100644
--- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_monitoring/detection_engine_health/health_endpoints.md
+++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_monitoring/detection_engine_health/health_endpoints.md
@@ -891,7 +891,7 @@ Response:
 },
 {
 "count": 10,
- "message": "An error occurred during rule execution message rare_method_for_a_username missing"
+ "message": "An error occurred during rule execution message rare_method_for_a_username_ea missing"
 }
 ],
 "top_warnings": [
diff --git a/x-pack/solutions/security/plugins/security_solution/common/machine_learning/affected_job_ids.ts b/x-pack/solutions/security/plugins/security_solution/common/machine_learning/affected_job_ids.ts
index 1bd1bd43bfe08..36c585aa7c95c 100644
--- a/x-pack/solutions/security/plugins/security_solution/common/machine_learning/affected_job_ids.ts
+++ b/x-pack/solutions/security/plugins/security_solution/common/machine_learning/affected_job_ids.ts
@@ -20,53 +20,86 @@
 // must be taken before updating to ensure continued functionality if they still need to run
 // the V1/V2 jobs
 // For details see: https://github.com/elastic/kibana/issues/128121
+//
+// Note: In 9.4 the V3 jobs were replaced by Entity Analytics (_ea) variants that use
+// Entity Analytics fields (host.id, user.id, event.module, etc.) as influencers.
+// V3 non-EA jobs are now also considered affected.
 export const affectedJobIds: string[] = [
- // security_linux module
- 'v2_rare_process_by_host_linux_ecs', // Replaced by: v3_rare_process_by_host_linux_ecs
- 'v2_linux_rare_metadata_user', // Replaced by: v3_linux_rare_metadata_user
- 'v2_linux_rare_metadata_process', // Replaced by: v3_linux_rare_metadata_process
- 'v2_linux_anomalous_user_name_ecs', // Replaced by: v3_linux_anomalous_user_name_ecs
- 'v2_linux_anomalous_process_all_hosts_ecs', // Replaced by: v3_linux_anomalous_process_all_hosts_ecs
- 'v2_linux_anomalous_network_port_activity_ecs', // Replaced by: v3_linux_anomalous_network_port_activity_ecs
- // security_windows module
- 'v2_rare_process_by_host_windows_ecs', // Replaced by: v3_rare_process_by_host_windows_ecs
- 'v2_windows_anomalous_network_activity_ecs', // Replaced by: v3_windows_anomalous_network_activity_ecs
- 'v2_windows_anomalous_path_activity_ecs', // Replaced by: v3_windows_anomalous_path_activity_ecs
- 'v2_windows_anomalous_process_all_hosts_ecs', // Replaced by: v3_windows_anomalous_process_all_hosts_ecs
- 'v2_windows_anomalous_process_creation', // Replaced by: v3_windows_anomalous_process_creation
- 'v2_windows_anomalous_user_name_ecs', // Replaced by: v3_windows_anomalous_user_name_ecs
- 'v2_windows_rare_metadata_process', // Replaced by: v3_windows_rare_metadata_process
- 'v2_windows_rare_metadata_user', // Replaced by: v3_windows_rare_metadata_user
- // siem_auditbeat module
- 'rare_process_by_host_linux_ecs', // Replaced by: v3_rare_process_by_host_linux_ecs
- 'linux_anomalous_network_activity_ecs', // Replaced by: v3_linux_anomalous_network_activity_ecs
- 'linux_anomalous_network_port_activity_ecs', // Replaced by: v3_linux_anomalous_network_port_activity_ecs
+ // security_linux module (V2 -> V3 _ea)
+ 'v2_rare_process_by_host_linux_ecs', // Replaced by: v3_rare_process_by_host_linux_ea
+ 'v2_linux_rare_metadata_user', // Replaced by: v3_linux_rare_metadata_user_ea
+ 'v2_linux_rare_metadata_process', // Replaced by: v3_linux_rare_metadata_process_ea
+ 'v2_linux_anomalous_user_name_ecs', // Replaced by: v3_linux_anomalous_user_name_ea
+ 'v2_linux_anomalous_process_all_hosts_ecs', // Replaced by: v3_linux_anomalous_process_all_hosts_ea
+ 'v2_linux_anomalous_network_port_activity_ecs', // Replaced by: v3_linux_anomalous_network_port_activity_ea
+ // security_windows module (V2 -> V3 _ea)
+ 'v2_rare_process_by_host_windows_ecs', // Replaced by: v3_rare_process_by_host_windows_ea
+ 'v2_windows_anomalous_network_activity_ecs', // Replaced by: v3_windows_anomalous_network_activity_ea
+ 'v2_windows_anomalous_path_activity_ecs', // Replaced by: v3_windows_anomalous_path_activity_ea
+ 'v2_windows_anomalous_process_all_hosts_ecs', // Replaced by: v3_windows_anomalous_process_all_hosts_ea
+ 'v2_windows_anomalous_process_creation', // Replaced by: v3_windows_anomalous_process_creation_ea
+ 'v2_windows_anomalous_user_name_ecs', // Replaced by: v3_windows_anomalous_user_name_ea
+ 'v2_windows_rare_metadata_process', // Replaced by: v3_windows_rare_metadata_process_ea
+ 'v2_windows_rare_metadata_user', // Replaced by: v3_windows_rare_metadata_user_ea
+ // siem_auditbeat module (V1 -> V3 _ea)
+ 'rare_process_by_host_linux_ecs', // Replaced by: v3_rare_process_by_host_linux_ea
+ 'linux_anomalous_network_activity_ecs', // Replaced by: v3_linux_anomalous_network_activity_ea
+ 'linux_anomalous_network_port_activity_ecs', // Replaced by: v3_linux_anomalous_network_port_activity_ea
 'linux_anomalous_network_service', // Deleted
 'linux_anomalous_network_url_activity_ecs', // Deleted
- 'linux_anomalous_process_all_hosts_ecs', // Replaced by: v3_linux_anomalous_process_all_hosts_ecs
- 'linux_anomalous_user_name_ecs', // Replaced by: v3_linux_anomalous_user_name_ecs
- 'linux_rare_metadata_process', // Replaced by: v3_linux_rare_metadata_process
- 'linux_rare_metadata_user', // Replaced by: v3_linux_rare_metadata_user
- 'linux_rare_user_compiler', // Replaced by: v3_linux_rare_user_compiler
+ 'linux_anomalous_process_all_hosts_ecs', // Replaced by: v3_linux_anomalous_process_all_hosts_ea
+ 'linux_anomalous_user_name_ecs', // Replaced by: v3_linux_anomalous_user_name_ea
+ 'linux_rare_metadata_process', // Replaced by: v3_linux_rare_metadata_process_ea
+ 'linux_rare_metadata_user', // Replaced by: v3_linux_rare_metadata_user_ea
+ 'linux_rare_user_compiler', // Replaced by: v3_linux_rare_user_compiler_ea
 'linux_rare_kernel_module_arguments', // Deleted
- 'linux_rare_sudo_user', // Replaced by: v3_linux_rare_sudo_user
- 'linux_system_user_discovery', // Replaced by: v3_linux_system_user_discovery
- 'linux_system_information_discovery', // Replaced by: v3_linux_system_information_discovery
- 'linux_system_process_discovery', // Replaced by: v3_linux_system_process_discovery
- 'linux_network_connection_discovery', // Replaced by: v3_linux_network_connection_discovery
- 'linux_network_configuration_discovery', // Replaced by: v3_linux_network_configuration_discovery
- // siem_winlogbeat module
- 'rare_process_by_host_windows_ecs', // Replaced by: v3_rare_process_by_host_windows_ecs
- 'windows_anomalous_network_activity_ecs', // Replaced by: v3_windows_anomalous_network_activity_ecs
- 'windows_anomalous_path_activity_ecs', // Replaced by: v3_windows_anomalous_path_activity_ecs
- 'windows_anomalous_process_all_hosts_ecs', // Replaced by: v3_windows_anomalous_process_all_hosts_ecs
- 'windows_anomalous_process_creation', // Replaced by: v3_windows_anomalous_process_creation
- 'windows_anomalous_script', // Replaced by: v3_windows_anomalous_script
- 'windows_anomalous_service', // Replaced by: v3_windows_anomalous_service
- 'windows_anomalous_user_name_ecs', // Replaced by: v3_windows_anomalous_user_name_ecs
- 'windows_rare_user_runas_event', // Replaced by: v3_windows_rare_user_runas_event
- 'windows_rare_metadata_process', // Replaced by: v3_windows_rare_metadata_process
- 'windows_rare_metadata_user', // Replaced by: v3_windows_rare_metadata_user
- // siem_winlogbeat_auth module
- 'windows_rare_user_type10_remote_login', // Replaced by: v3_windows_rare_user_type10_remote_login
+ 'linux_rare_sudo_user', // Replaced by: v3_linux_rare_sudo_user_ea
+ 'linux_system_user_discovery', // Replaced by: v3_linux_system_user_discovery_ea
+ 'linux_system_information_discovery', // Replaced by: v3_linux_system_information_discovery_ea
+ 'linux_system_process_discovery', // Replaced by: v3_linux_system_process_discovery_ea
+ 'linux_network_connection_discovery', // Replaced by: v3_linux_network_connection_discovery_ea
+ 'linux_network_configuration_discovery', // Replaced by: v3_linux_network_configuration_discovery_ea
+ // siem_winlogbeat module (V1 -> V3 _ea)
+ 'rare_process_by_host_windows_ecs', // Replaced by: v3_rare_process_by_host_windows_ea
+ 'windows_anomalous_network_activity_ecs', // Replaced by: v3_windows_anomalous_network_activity_ea
+ 'windows_anomalous_path_activity_ecs', // Replaced by: v3_windows_anomalous_path_activity_ea
+ 'windows_anomalous_process_all_hosts_ecs', // Replaced by: v3_windows_anomalous_process_all_hosts_ea
+ 'windows_anomalous_process_creation', // Replaced by: v3_windows_anomalous_process_creation_ea
+ 'windows_anomalous_script', // Replaced by: v3_windows_anomalous_script_ea
+ 'windows_anomalous_service', // Replaced by: v3_windows_anomalous_service_ea
+ 'windows_anomalous_user_name_ecs', // Replaced by: v3_windows_anomalous_user_name_ea
+ 'windows_rare_user_runas_event', // Replaced by: v3_windows_rare_user_runas_event_ea
+ 'windows_rare_metadata_process', // Replaced by: v3_windows_rare_metadata_process_ea
+ 'windows_rare_metadata_user', // Replaced by: v3_windows_rare_metadata_user_ea
+ // siem_winlogbeat_auth module (V1 -> V3 _ea)
+ 'windows_rare_user_type10_remote_login', // Replaced by: v3_windows_rare_user_type10_remote_login_ea
+ // security_linux module V3 (non-EA, replaced by _ea variants)
+ 'v3_rare_process_by_host_linux_ecs', // Replaced by: v3_rare_process_by_host_linux_ea
+ 'v3_linux_rare_metadata_user', // Replaced by: v3_linux_rare_metadata_user_ea
+ 'v3_linux_rare_metadata_process', // Replaced by: v3_linux_rare_metadata_process_ea
+ 'v3_linux_anomalous_user_name_ecs', // Replaced by: v3_linux_anomalous_user_name_ea
+ 'v3_linux_anomalous_process_all_hosts_ecs', // Replaced by: v3_linux_anomalous_process_all_hosts_ea
+ 'v3_linux_anomalous_network_port_activity_ecs', // Replaced by: v3_linux_anomalous_network_port_activity_ea
+ 'v3_linux_anomalous_network_activity_ecs', // Replaced by: v3_linux_anomalous_network_activity_ea
+ 'v3_linux_rare_user_compiler', // Replaced by: v3_linux_rare_user_compiler_ea
+ 'v3_linux_rare_sudo_user', // Replaced by: v3_linux_rare_sudo_user_ea
+ 'v3_linux_system_user_discovery', // Replaced by: v3_linux_system_user_discovery_ea
+ 'v3_linux_system_information_discovery', // Replaced by: v3_linux_system_information_discovery_ea
+ 'v3_linux_system_process_discovery', // Replaced by: v3_linux_system_process_discovery_ea
+ 'v3_linux_network_connection_discovery', // Replaced by: v3_linux_network_connection_discovery_ea
+ 'v3_linux_network_configuration_discovery', // Replaced by: v3_linux_network_configuration_discovery_ea
+ // security_windows module V3 (non-EA, replaced by _ea variants)
+ 'v3_rare_process_by_host_windows_ecs', // Replaced by: v3_rare_process_by_host_windows_ea
+ 'v3_windows_anomalous_network_activity_ecs', // Replaced by: v3_windows_anomalous_network_activity_ea
+ 'v3_windows_anomalous_path_activity_ecs', // Replaced by: v3_windows_anomalous_path_activity_ea
+ 'v3_windows_anomalous_process_all_hosts_ecs', // Replaced by: v3_windows_anomalous_process_all_hosts_ea
+ 'v3_windows_anomalous_process_creation', // Replaced by: v3_windows_anomalous_process_creation_ea
+ 'v3_windows_anomalous_user_name_ecs', // Replaced by: v3_windows_anomalous_user_name_ea
+ 'v3_windows_rare_metadata_process', // Replaced by: v3_windows_rare_metadata_process_ea
+ 'v3_windows_rare_metadata_user', // Replaced by: v3_windows_rare_metadata_user_ea
+ 'v3_windows_anomalous_script', // Replaced by: v3_windows_anomalous_script_ea
+ 'v3_windows_anomalous_service', // Replaced by: v3_windows_anomalous_service_ea
+ 'v3_windows_rare_user_runas_event', // Replaced by: v3_windows_rare_user_runas_event_ea
+ 'v3_windows_rare_user_type10_remote_login', // Replaced by: v3_windows_rare_user_type10_remote_login_ea
+ 'v3_windows_rare_script', // Replaced by: v3_windows_rare_script_ea
 ];
diff --git a/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml
index 2a608961cc36b..fa715ac4382f2 100644
--- a/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml
+++ b/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml
@@ -504,7 +504,7 @@ paths:
 anomaly_threshold: 50
 id: 60b13926-289b-41b1-a537-197ef1fa5059
 machine_learning_job_id:
- - auth_high_count_logon_events
+ - auth_high_count_logon_events_ea
 schema:
 $ref: '#/components/schemas/RulePatchProps'
 description: |
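Review bot: `affectedJobIds` is exported as a mutable `string[]` and with this hunk grows to roughly eighty ids whose only old-to-new relationship lives in trailing `// Replaced by:` comments; declaring it `export const affectedJobIds: readonly string[] = [` prevents callers from mutating shared state, and if membership is tested with `includes` (callers are not visible here) a `Set` built once from the array avoids a linear scan per rule. The successor id in each comment is not machine-readable, so any warning about an affected rule cannot point the user at the `_ea` replacement; a `Record<string, string | null>` of old id to replacement (`null` for the `// Deleted` entries), with this array derived via `Object.keys()`, would keep the same information in one place and make the comments unnecessary. The added header note explains the 9.4 EA migration, which is helpful; it would also be worth stating in it whether a rule that still references a non-EA V3 id keeps executing or is expected to be edited, since that is what "affected" means to the caller.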
@@ -1542,7 +1542,7 @@ paths:
 description: New description of ml rule
 id: 60b13926-289b-41b1-a537-197ef1fa5059
 machine_learning_job_id:
- - auth_high_count_logon_events
+ - auth_high_count_logon_events_ea
 name: New name of ml rule
 risk_score: 21
 severity: low
@@ -2192,7 +2192,7 @@ paths:
 interval: 15m
 license: Elastic License v2
 machine_learning_job_id:
- - packetbeat_dns_tunneling
+ - packetbeat_dns_tunneling_ea
 max_signals: 100
 name: DNS Tunneling [Duplicate]
 references:
diff --git a/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml
index 0401bf089f37b..f2359f6a55fd3 100644
--- a/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml
+++ b/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml
@@ -364,7 +364,7 @@ paths:
 anomaly_threshold: 50
 id: 60b13926-289b-41b1-a537-197ef1fa5059
 machine_learning_job_id:
- - auth_high_count_logon_events
+ - auth_high_count_logon_events_ea
 schema:
 $ref: '#/components/schemas/RulePatchProps'
 description: |
@@ -1402,7 +1402,7 @@ paths:
 description: New description of ml rule
 id: 60b13926-289b-41b1-a537-197ef1fa5059
 machine_learning_job_id:
- - auth_high_count_logon_events
+ - auth_high_count_logon_events_ea
 name: New name of ml rule
 risk_score: 21
 severity: low
@@ -2052,7 +2052,7 @@ paths:
 interval: 15m
 license: Elastic License v2
 machine_learning_job_id:
- - packetbeat_dns_tunneling
+ - packetbeat_dns_tunneling_ea
 max_signals: 100
 name: DNS Tunneling [Duplicate]
 references:
diff --git a/x-pack/solutions/security/plugins/security_solution/public/common/components/ml/anomaly/use_anomalies_search.test.ts b/x-pack/solutions/security/plugins/security_solution/public/common/components/ml/anomaly/use_anomalies_search.test.ts
index 993f7c0b47b59..a54aef038e8f3 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/common/components/ml/anomaly/use_anomalies_search.test.ts
+++ b/x-pack/solutions/security/plugins/security_solution/public/common/components/ml/anomaly/use_anomalies_search.test.ts
@@ -9,7 +9,7 @@ import { act, waitFor, renderHook } from '@testing-library/react';
 import { TestProviders } from '../../../mock';
 import { useAggregatedAnomaliesByJob, AnomalyEntity } from './use_anomalies_search';
 
-const jobId = 'auth_rare_source_ip_for_a_user';
+const jobId = 'auth_rare_source_ip_for_a_user_ea';
 const from = 'now-24h';
 const to = 'now';
 const job = { id: jobId, jobState: 'started', datafeedState: 'started' };
@@ -106,8 +106,8 @@ describe('useAggregatedAnomaliesByJob', () => {
 });
 
 it('returns jobs sorted by name', async () => {
- const firstJobId = 'v3_windows_anomalous_script';
- const secondJobId = 'auth_rare_source_ip_for_a_user';
+ const firstJobId = 'v3_windows_anomalous_script_ea';
+ const secondJobId = 'auth_rare_source_ip_for_a_user_ea';
 const fistJobCount = { key: firstJobId, doc_count: 99 };
 const secondJobCount = { key: secondJobId, doc_count: 99 };
 const firstJobSecurityName = '0000001';
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_about_rule/index.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_about_rule/index.test.tsx
index 6c10403b89058..40d693e9fb862 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_about_rule/index.test.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_about_rule/index.test.tsx
@@ -64,7 +64,7 @@ export const stepDefineStepMLRule: DefineStepRule = {
 ruleType: 'machine_learning',
 index: ['default-index-*'],
 queryBar: { query: { query: '', language: '' }, filters: [], saved_id: null },
- machineLearningJobId: ['auth_high_count_logon_events_for_a_source_ip'],
+ machineLearningJobId: ['auth_high_count_logon_events_for_a_source_ip_ea'],
 anomalyThreshold: 50,
 threshold: { cardinality: { value: '', field: [] }, value: '100', field: [] },
 threatIndex: [],
@@ -432,12 +432,12 @@ describe.skip('StepAboutRuleComponent', () => {
 (useFetchIndex as jest.Mock).mockClear();
 useSecurityJobsMock.mockImplementation(() => {
 return {
- jobs: [{ id: 'auth_high_count_logon_events_for_a_source_ip', isInstalled: true }],
+ jobs: [{ id: 'auth_high_count_logon_events_for_a_source_ip_ea', isInstalled: true }],
 loading: false,
 };
 });
 useGetInstalledJobMock.mockImplementation((jobIds: string[]) => {
- expect(jobIds).toEqual(['auth_high_count_logon_events_for_a_source_ip']);
+ expect(jobIds).toEqual(['auth_high_count_logon_events_for_a_source_ip_ea']);
 return { jobs: [{ results_index_name: 'shared' }] };
 });
 
@@ -453,7 +453,7 @@ describe.skip('StepAboutRuleComponent', () => {
 (useFetchIndex as jest.Mock).mockClear();
 useSecurityJobsMock.mockImplementation(() => {
 return {
- jobs: [{ id: 'auth_high_count_logon_events_for_a_source_ip', isInstalled: false }],
+ jobs: [{ id: 'auth_high_count_logon_events_for_a_source_ip_ea', isInstalled: false }],
 loading: false,
 };
 });
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/machine_learning_job_id/machine_learning_job_id.stories.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/machine_learning_job_id/machine_learning_job_id.stories.tsx index 1317382d90ca0..3382fa1148788 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/machine_learning_job_id/machine_learning_job_id.stories.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/machine_learning_job_id/machine_learning_job_id.stories.tsx @@ -24,7 +24,7 @@ const mockedModulesData = [ id: 'security_auth', jobs: [ { - id: 'auth_high_count_logon_events', + id: 'auth_high_count_logon_events_ea', config: { groups: [], custom_settings: { @@ -57,7 +57,7 @@ function MockMlData({ children }: { children: React.ReactNode }) { export const Default = () => ( - + ); diff --git a/x-pack/solutions/security/plugins/security_solution/server/agent_builder/skills/security_ml_jobs/inline_tools/get_security_ml_jobs/graph/find_indices_for_ml_jobs_node.test.ts b/x-pack/solutions/security/plugins/security_solution/server/agent_builder/skills/security_ml_jobs/inline_tools/get_security_ml_jobs/graph/find_indices_for_ml_jobs_node.test.ts index 4dd522b66557f..0325c10addfda 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/agent_builder/skills/security_ml_jobs/inline_tools/get_security_ml_jobs/graph/find_indices_for_ml_jobs_node.test.ts 
+++ b/x-pack/solutions/security/plugins/security_solution/server/agent_builder/skills/security_ml_jobs/inline_tools/get_security_ml_jobs/graph/find_indices_for_ml_jobs_node.test.ts
@@ -68,7 +68,7 @@ describe('findIndicesForMlJobsNode', () => {
 aggregations: {
 ml_indices: {
 buckets: [
- { key: '.ml-anomalies-custom-auth_rare_hour_for_a_user-000001', doc_count: 3 },
+ { key: '.ml-anomalies-custom-auth_rare_hour_for_a_user_ea-000001', doc_count: 3 },
 { key: '.ml-anomalies-security_auth', doc_count: 2 },
 ],
 },
@@ -83,7 +83,7 @@ describe('findIndicesForMlJobsNode', () => {
 
 expect(result).toEqual({
 indices: [
- '.ml-anomalies-custom-auth_rare_hour_for_a_user-000001',
+ '.ml-anomalies-custom-auth_rare_hour_for_a_user_ea-000001',
 '.ml-anomalies-security_auth',
 ],
 });
@@ -218,9 +218,9 @@ describe('findIndicesForMlJobsNode', () => {
 aggregations: {
 ml_indices: {
 buckets: [
- { key: '.ml-anomalies-custom-auth_rare_user-000001', doc_count: 1 },
- { key: '.ml-anomalies-custom-auth_rare_user-000003', doc_count: 1 },
- { key: '.ml-anomalies-custom-auth_rare_user-000002', doc_count: 1 },
+ { key: '.ml-anomalies-custom-auth_rare_user_ea-000001', doc_count: 1 },
+ { key: '.ml-anomalies-custom-auth_rare_user_ea-000003', doc_count: 1 },
+ { key: '.ml-anomalies-custom-auth_rare_user_ea-000002', doc_count: 1 },
 ],
 },
 },
@@ -233,7 +233,7 @@ describe('findIndicesForMlJobsNode', () => {
 });
 
 expect(result).toEqual({
- indices: ['.ml-anomalies-custom-auth_rare_user-000003'],
+ indices: ['.ml-anomalies-custom-auth_rare_user_ea-000003'],
 });
 });
 
@@ -246,8 +246,8 @@ describe('findIndicesForMlJobsNode', () => {
 aggregations: {
 ml_indices: {
 buckets: [
- { key: '.ml-anomalies-custom-auth_rare_user', doc_count: 1 },
- { key: '.ml-anomalies-custom-auth_rare_user-000001', doc_count: 1 },
+ { key: '.ml-anomalies-custom-auth_rare_user_ea', doc_count: 1 },
+ { key: '.ml-anomalies-custom-auth_rare_user_ea-000001', doc_count: 1 },
 ],
 },
 },
@@ -260,7 +260,7 @@ describe('findIndicesForMlJobsNode', () => {
 });
 
 expect(result).toEqual({
- indices: ['.ml-anomalies-custom-auth_rare_user-000001'],
+ indices: ['.ml-anomalies-custom-auth_rare_user_ea-000001'],
 });
 });
 
@@ -273,10 +273,10 @@ describe('findIndicesForMlJobsNode', () => {
 aggregations: {
 ml_indices: {
 buckets: [
- { key: '.ml-anomalies-custom-auth_rare_user', doc_count: 1 },
- { key: '.ml-anomalies-custom-auth_rare_user-000001', doc_count: 1 },
- { key: '.ml-anomalies-custom-auth_rare_user-000003', doc_count: 1 },
- { key: '.ml-anomalies-custom-auth_rare_user-000002', doc_count: 1 },
+ { key: '.ml-anomalies-custom-auth_rare_user_ea', doc_count: 1 },
+ { key: '.ml-anomalies-custom-auth_rare_user_ea-000001', doc_count: 1 },
+ { key: '.ml-anomalies-custom-auth_rare_user_ea-000003', doc_count: 1 },
+ { key: '.ml-anomalies-custom-auth_rare_user_ea-000002', doc_count: 1 },
 { key: '.ml-anomalies-security_auth', doc_count: 2 },
 { key: '.ml-anomalies-custom-network_spike-000001', doc_count: 3 },
 ],
@@ -292,7 +292,7 @@ describe('findIndicesForMlJobsNode', () => {
 
 expect(result).toEqual({
 indices: [
- '.ml-anomalies-custom-auth_rare_user-000003',
+ '.ml-anomalies-custom-auth_rare_user_ea-000003',
 '.ml-anomalies-security_auth',
 '.ml-anomalies-custom-network_spike-000001',
 ],
diff --git a/x-pack/solutions/security/test/fixtures/es_archives/security_solution/anomalies/data.json.gz b/x-pack/solutions/security/test/fixtures/es_archives/security_solution/anomalies/data.json.gz
index fb928fe3260b8..ca7029e4cb057 100644
Binary files a/x-pack/solutions/security/test/fixtures/es_archives/security_solution/anomalies/data.json.gz and b/x-pack/solutions/security/test/fixtures/es_archives/security_solution/anomalies/data.json.gz differ
diff --git a/x-pack/solutions/security/test/fixtures/es_archives/security_solution/anomalies/mappings.json b/x-pack/solutions/security/test/fixtures/es_archives/security_solution/anomalies/mappings.json
index c681e8d8cee45..43d5b73327106 100644
--- a/x-pack/solutions/security/test/fixtures/es_archives/security_solution/anomalies/mappings.json
+++ b/x-pack/solutions/security/test/fixtures/es_archives/security_solution/anomalies/mappings.json
@@ -2,22 +2,22 @@
 "type": "index",
 "value": {
 "aliases": {
- ".ml-anomalies-.write-v3_linux_anomalous_network_activity": {
+ ".ml-anomalies-.write-v3_linux_anomalous_network_activity_ea": {
 "is_hidden": true,
 "is_write_index": true
 },
- ".ml-anomalies-v3_linux_anomalous_network_activity": {
+ ".ml-anomalies-v3_linux_anomalous_network_activity_ea": {
 "filter": {
 "term": {
 "job_id": {
- "value": "v3_linux_anomalous_network_activity"
+ "value": "v3_linux_anomalous_network_activity_ea"
 }
 }
 },
 "is_hidden": true
 }
 },
- "index": ".ml-anomalies-custom-v3_linux_anomalous_network_activity",
+ "index": ".ml-anomalies-custom-v3_linux_anomalous_network_activity_ea",
 "mappings": {
 "_meta": {
 "version": "8.0.0"
diff --git a/x-pack/solutions/security/test/fixtures/es_archives/security_solution/packetbeat_anomalies/data.json b/x-pack/solutions/security/test/fixtures/es_archives/security_solution/packetbeat_anomalies/data.json
index c0fce53645f5f..e6dda28c8e80f 100644
--- a/x-pack/solutions/security/test/fixtures/es_archives/security_solution/packetbeat_anomalies/data.json
+++ b/x-pack/solutions/security/test/fixtures/es_archives/security_solution/packetbeat_anomalies/data.json
@@ -2,9 +2,9 @@
"type": "doc",
"value": {
"index": ".ml-anomalies-packetbeat",
- "id": "packetbeat_rare_server_domain_record_1761555600000_3600_0_1",
+ "id": "packetbeat_rare_server_domain_ea_record_1761555600000_3600_0_1",
"source": {
- "job_id": "packetbeat_rare_server_domain",
+ "job_id": "packetbeat_rare_server_domain_ea",
"result_type": "record",
"probability": 0.001,
"record_score": 87.2,
@@ -54,9 +54,9 @@
"type": "doc",
"value": {
"index": ".ml-anomalies-packetbeat",
- "id": "packetbeat_rare_server_domain_record_1761555600000_3600_0_2",
+ "id": "packetbeat_rare_server_domain_ea_record_1761555600000_3600_0_2",
"source": {
- "job_id": "packetbeat_rare_server_domain",
+ "job_id": "packetbeat_rare_server_domain_ea",
"result_type": "record",
"probability": 0.002,
"record_score": 85.9,
diff --git a/x-pack/solutions/security/test/fixtures/es_archives/security_solution/packetbeat_anomalies/mappings.json b/x-pack/solutions/security/test/fixtures/es_archives/security_solution/packetbeat_anomalies/mappings.json
index 45faecc995352..2a0dec029de65 100644
--- a/x-pack/solutions/security/test/fixtures/es_archives/security_solution/packetbeat_anomalies/mappings.json
+++ b/x-pack/solutions/security/test/fixtures/es_archives/security_solution/packetbeat_anomalies/mappings.json
@@ -3,15 +3,15 @@
"value": {
"index": ".ml-anomalies-packetbeat",
"aliases": {
- ".ml-anomalies-.write-packetbeat_rare_server_domain": {
+ ".ml-anomalies-.write-packetbeat_rare_server_domain_ea": {
"is_hidden": true,
"is_write_index": true
},
- ".ml-anomalies-packetbeat_rare_server_domain": {
+ ".ml-anomalies-packetbeat_rare_server_domain_ea": {
"filter": {
"term": {
"job_id": {
- "value": "packetbeat_rare_server_domain"
+ "value": "packetbeat_rare_server_domain_ea"
}
}
},
diff --git a/x-pack/solutions/security/test/fixtures/es_archives/security_solution/security_auth_anomalies/data.json b/x-pack/solutions/security/test/fixtures/es_archives/security_solution/security_auth_anomalies/data.json
index c2609a24f6edb..be5de416f8e45 100644
--- a/x-pack/solutions/security/test/fixtures/es_archives/security_solution/security_auth_anomalies/data.json
+++ b/x-pack/solutions/security/test/fixtures/es_archives/security_solution/security_auth_anomalies/data.json
@@ -2,9 +2,9 @@
"type": "doc",
"value": {
"index": ".ml-anomalies-security_auth",
- "id": "auth_rare_source_ip_for_a_user_record_1761555600000_3600_0_1",
+ "id": "auth_rare_source_ip_for_a_user_ea_record_1761555600000_3600_0_1",
"source": {
- "job_id": "auth_rare_source_ip_for_a_user",
+ "job_id": "auth_rare_source_ip_for_a_user_ea",
"result_type": "record",
"probability": 0.001,
"record_score": 85.5,
@@ -71,9 +71,9 @@
"type": "doc",
"value": {
"index": ".ml-anomalies-security_auth",
- "id": "auth_rare_source_ip_for_a_user_record_1761555600000_3600_0_2",
+ "id": "auth_rare_source_ip_for_a_user_ea_record_1761555600000_3600_0_2",
"source": {
- "job_id": "auth_rare_source_ip_for_a_user",
+ "job_id": "auth_rare_source_ip_for_a_user_ea",
"result_type": "record",
"probability": 0.001,
"record_score": 82.3,
@@ -140,9 +140,9 @@
"type": "doc",
"value": {
"index": ".ml-anomalies-security_auth",
- "id": "suspicious_login_activity_record_1761555600000_3600_0_3",
+ "id": "suspicious_login_activity_ea_record_1761555600000_3600_0_3",
"source": {
- "job_id": "suspicious_login_activity",
+ "job_id": "suspicious_login_activity_ea",
"result_type": "record",
"probability": 0.002,
"record_score": 90.1,
@@ -207,9 +207,9 @@
"type": "doc",
"value": {
"index": ".ml-anomalies-security_auth",
- "id": "suspicious_login_activity_record_1761555600000_3600_0_4",
+ "id": "suspicious_login_activity_ea_record_1761555600000_3600_0_4",
"source": {
- "job_id": "suspicious_login_activity",
+ "job_id": "suspicious_login_activity_ea",
"result_type": "record",
"probability": 0.003,
"record_score": 88.7,
@@ -270,9 +270,9 @@
"type": "doc",
"value": {
"index": ".ml-anomalies-security_auth",
- "id": "auth_rare_user_record_1761555600000_3600_0_6",
+ "id": "auth_rare_user_ea_record_1761555600000_3600_0_6",
"source": {
- "job_id": "auth_rare_user",
+ "job_id": "auth_rare_user_ea",
"result_type": "record",
"probability": 0.0008,
"record_score": 92.4,
@@ -325,9 +325,9 @@
"type": "doc",
"value": {
"index": ".ml-anomalies-security_auth",
- "id": "auth_rare_user_record_1761555600000_3600_0_7",
+ "id": "auth_rare_user_ea_record_1761555600000_3600_0_7",
"source": {
- "job_id": "auth_rare_user",
+ "job_id": "auth_rare_user_ea",
"result_type": "record",
"probability": 0.0012,
"record_score": 89.6,
@@ -395,9 +395,9 @@
"type": "doc",
"value": {
"index": ".ml-anomalies-security_auth",
- "id": "v3_windows_anomalous_service_record_1761555600000_900_0_8",
+ "id": "v3_windows_anomalous_service_ea_record_1761555600000_900_0_8",
"source": {
- "job_id": "v3_windows_anomalous_service",
+ "job_id": "v3_windows_anomalous_service_ea",
"result_type": "record",
"probability": 0.0005,
"record_score": 94.2,
@@ -448,9 +448,9 @@
"type": "doc",
"value": {
"index": ".ml-anomalies-security_auth",
- "id": "v3_windows_anomalous_service_record_1761555600000_900_0_9",
+ "id": "v3_windows_anomalous_service_ea_record_1761555600000_900_0_9",
"source": {
- "job_id": "v3_windows_anomalous_service",
+ "job_id": "v3_windows_anomalous_service_ea",
"result_type": "record",
"probability": 0.0003,
"record_score": 96.8,
@@ -501,9 +501,9 @@
"type": "doc",
"value": {
"index": ".ml-anomalies-security_auth",
- "id": "v3_windows_anomalous_service_record_1761555600000_900_0_10",
+ "id": "v3_windows_anomalous_service_ea_record_1761555600000_900_0_10",
"source": {
- "job_id": "v3_windows_anomalous_service",
+ "job_id": "v3_windows_anomalous_service_ea",
"result_type": "record",
"probability": 0.0007,
"record_score": 91.5,
@@ -554,9 +554,9 @@
"type": "doc",
"value": {
"index": ".ml-anomalies-security_auth",
- "id": "auth_rare_hour_for_a_user_record_1761555600000_900_0_11",
+ "id": "auth_rare_hour_for_a_user_ea_record_1761555600000_900_0_11",
"source": {
- "job_id": "auth_rare_hour_for_a_user",
+ "job_id": "auth_rare_hour_for_a_user_ea",
"result_type": "record",
"probability": 0.0009,
"record_score": 87.3,
@@ -622,9 +622,9 @@
"type": "doc",
"value": {
"index": ".ml-anomalies-security_auth",
- "id": "auth_rare_hour_for_a_user_record_1761555600000_900_0_12",
+ "id": "auth_rare_hour_for_a_user_ea_record_1761555600000_900_0_12",
"source": {
- "job_id": "auth_rare_hour_for_a_user",
+ "job_id": "auth_rare_hour_for_a_user_ea",
"result_type": "record",
"probability": 0.0011,
"record_score": 84.6,
diff --git a/x-pack/solutions/security/test/fixtures/es_archives/security_solution/security_auth_anomalies/mappings.json b/x-pack/solutions/security/test/fixtures/es_archives/security_solution/security_auth_anomalies/mappings.json
index dc2d35ec0ee04..0616fe2ad4be8 100644
--- a/x-pack/solutions/security/test/fixtures/es_archives/security_solution/security_auth_anomalies/mappings.json
+++ b/x-pack/solutions/security/test/fixtures/es_archives/security_solution/security_auth_anomalies/mappings.json
@@ -3,43 +3,43 @@
"value": {
"index": ".ml-anomalies-security_auth",
"aliases": {
- ".ml-anomalies-.write-auth_rare_source_ip_for_a_user": {
+ ".ml-anomalies-.write-auth_rare_source_ip_for_a_user_ea": {
"is_hidden": true,
"is_write_index": true
},
- ".ml-anomalies-.write-suspicious_login_activity": {
+ ".ml-anomalies-.write-suspicious_login_activity_ea": {
"is_hidden": true,
"is_write_index": true
},
- ".ml-anomalies-.write-auth_rare_user": {
+ ".ml-anomalies-.write-auth_rare_user_ea": {
"is_hidden": true,
"is_write_index": true
},
- ".ml-anomalies-auth_rare_source_ip_for_a_user": {
+ ".ml-anomalies-auth_rare_source_ip_for_a_user_ea": {
"filter": {
"term": {
"job_id": {
- "value": "auth_rare_source_ip_for_a_user"
+ "value": "auth_rare_source_ip_for_a_user_ea"
}
}
},
"is_hidden": true
},
- ".ml-anomalies-suspicious_login_activity": {
+ ".ml-anomalies-suspicious_login_activity_ea": {
"filter": {
"term": {
"job_id": {
- "value": "suspicious_login_activity"
+ "value": "suspicious_login_activity_ea"
}
}
},
"is_hidden": true
},
- ".ml-anomalies-auth_rare_user": {
+ ".ml-anomalies-auth_rare_user_ea": {
"filter": {
"term": {
"job_id": {
- "value": "auth_rare_user"
+ "value": "auth_rare_user_ea"
}
}
},
diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning.ts
index 45fd0657a86bb..cbc33147b9f01 100644
--- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning.ts
+++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning.ts
@@ -73,7 +73,7 @@ export default ({ getService }: FtrProviderContext) => {
const retry = getService('retry');
const siemModule = 'security_linux_v3';
- const mlJobId = 'v3_linux_anomalous_network_activity';
+ const mlJobId = 'v3_linux_anomalous_network_activity_ea';
const rule: MachineLearningRuleCreateProps = {
name: 'Test ML rule',
description: 'Test ML rule description',
@@ -136,7 +136,7 @@ export default ({ getService }: FtrProviderContext) => {
influencers: expect.any(Array),
initial_record_score: expect.any(Number),
is_interim: false,
- job_id: 'v3_linux_anomalous_network_activity',
+ job_id: 'v3_linux_anomalous_network_activity_ea',
multi_bucket_impact: expect.any(Number),
probability: expect.any(Number),
record_score: expect.any(Number),
@@ -163,7 +163,7 @@ export default ({ getService }: FtrProviderContext) => {
false_positives: [],
from: '1900-01-01T00:00:00.000Z',
immutable: false,
- machine_learning_job_id: ['v3_linux_anomalous_network_activity'],
+ machine_learning_job_id: ['v3_linux_anomalous_network_activity_ea'],
max_signals: 100,
references: [],
related_integrations: [],
@@ -183,7 +183,7 @@ export default ({ getService }: FtrProviderContext) => {
[ALERT_REASON]: `event with process store, by root on mothra created critical alert Test ML rule.`,
[ALERT_ORIGINAL_TIME]: expect.any(String),
all_field_values: expect.arrayContaining([
- 'v3_linux_anomalous_network_activity',
+ 'v3_linux_anomalous_network_activity_ea',
'root',
'store',
'mothra',
diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_alert_suppression.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_alert_suppression.ts
index 3602027dccc61..182a4967e2511 100644
--- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_alert_suppression.ts
+++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_alert_suppression.ts
@@ -57,12 +57,12 @@ export default ({ getService }: FtrProviderContext) => {
const { indexListOfDocuments } = dataGeneratorFactory({
es,
- index: '.ml-anomalies-custom-v3_linux_anomalous_network_activity',
+ index: '.ml-anomalies-custom-v3_linux_anomalous_network_activity_ea',
log,
});
const mlModuleName = 'security_linux_v3';
- const mlJobId = 'v3_linux_anomalous_network_activity';
+ const mlJobId = 'v3_linux_anomalous_network_activity_ea';
const baseRuleProps: MachineLearningRuleCreateProps = {
name: 'Test ML rule',
description: 'Test ML rule description',
diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_manual_run.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_manual_run.ts
index 625334522265c..1031cf7f1eaa7 100644
--- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_manual_run.ts
+++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_manual_run.ts
@@ -42,12 +42,12 @@ export default ({ getService }: FtrProviderContext) => {
const { indexListOfDocuments } = dataGeneratorFactory({
es,
- index: '.ml-anomalies-custom-v3_linux_anomalous_network_activity',
+ index: '.ml-anomalies-custom-v3_linux_anomalous_network_activity_ea',
log,
});
const mlModuleName = 'security_linux_v3';
- const mlJobId = 'v3_linux_anomalous_network_activity';
+ const mlJobId = 'v3_linux_anomalous_network_activity_ea';
const baseRuleProps: MachineLearningRuleCreateProps = {
name: 'Test ML rule',
description: 'Test ML rule description',
diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/entity_details/trial_license_complete_tier/highlights.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/entity_details/trial_license_complete_tier/highlights.ts
index 594e21d1924e3..60e1e4c56d4c9 100644
--- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/entity_details/trial_license_complete_tier/highlights.ts
+++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/entity_details/trial_license_complete_tier/highlights.ts
@@ -91,7 +91,7 @@ export default function ({ getService }: FtrProviderContext) {
];
const siemModule = 'security_linux_v3';
- const mlJobId = 'v3_linux_anomalous_network_activity';
+ const mlJobId = 'v3_linux_anomalous_network_activity_ea';
describe('@ess @serverless @skipInServerlessMKI Entity Details - Highlights API', () => {
const createAndSyncRuleAndAlerts = createAndSyncRuleAndAlertsFactory({ supertest, log });
@@ -262,14 +262,14 @@ export default function ({ getService }: FtrProviderContext) {
},
anomalies: [
{
- id: 'v3_linux_anomalous_network_activity',
+ id: 'v3_linux_anomalous_network_activity_ea',
'job.description':
'Security: Linux - Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity.',
'job.name': 'Unusual Linux Network Activity',
score: 4.834237150691662,
},
{
- id: 'v3_linux_anomalous_network_activity',
+ id: 'v3_linux_anomalous_network_activity_ea',
'job.description':
'Security: Linux - Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity.',
'job.name': 'Unusual Linux Network Activity',
diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/alert_suppression/machine_learning_rule.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/alert_suppression/machine_learning_rule.cy.ts
index de66f6cb932e1..615812d9bc82f 100644
--- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/alert_suppression/machine_learning_rule.cy.ts
+++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/alert_suppression/machine_learning_rule.cy.ts
@@ -46,7 +46,7 @@ describe(
},
() => {
let mlRule: ReturnType;
- const jobId = 'v3_linux_anomalous_network_activity';
+ const jobId = 'v3_linux_anomalous_network_activity_ea';
const suppressByFields = ['by_field_name', 'by_field_value'];
beforeEach(() => {
diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_edit/machine_learning_rule.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_edit/machine_learning_rule.cy.ts
index e6c26528ae50c..03fdae51e5a70 100644
--- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_edit/machine_learning_rule.cy.ts
+++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_edit/machine_learning_rule.cy.ts
@@ -47,7 +47,7 @@ describe(
() => {
let mlRule: ReturnType;
const suppressByFields = ['by_field_name', 'by_field_value'];
- const jobId = 'v3_linux_anomalous_network_activity';
+ const jobId = 'v3_linux_anomalous_network_activity_ea';
before(() => {
const machineLearningJobIds = ([] as string[]).concat(
diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/prebuilt_rules/installation/install_with_preview.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/prebuilt_rules/installation/install_with_preview.cy.ts
index 3d0141f4d09a1..0c0412df5ca62 100644
--- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/prebuilt_rules/installation/install_with_preview.cy.ts
+++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/prebuilt_rules/installation/install_with_preview.cy.ts
@@ -526,7 +526,7 @@ const MACHINE_LEARNING_PREBUILT_RULE_ASSET = omit(
...commonProperties,
type: 'machine_learning',
anomaly_threshold: 65,
- machine_learning_job_id: ['auth_high_count_logon_events', 'auth_high_count_logon_fails'],
+ machine_learning_job_id: ['auth_high_count_logon_events_ea', 'auth_high_count_logon_fails_ea'],
alert_suppression: {
group_by: ['host.name'],
duration: { unit: 'm', value: 5 },
diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/prebuilt_rules/upgrade/upgrade_with_preview.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/prebuilt_rules/upgrade/upgrade_with_preview.cy.ts
index fe1e899f36f2d..c8b6c5dcae7a3 100644
--- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/prebuilt_rules/upgrade/upgrade_with_preview.cy.ts
+++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/prebuilt_rules/upgrade/upgrade_with_preview.cy.ts
@@ -1443,7 +1443,7 @@ const MACHINE_LEARNING_PREBUILT_RULE_ASSET = omit(
...commonProperties,
type: 'machine_learning',
anomaly_threshold: 65,
- machine_learning_job_id: ['auth_high_count_logon_events', 'auth_high_count_logon_fails'],
+ machine_learning_job_id: ['auth_high_count_logon_events_ea', 'auth_high_count_logon_fails_ea'],
alert_suppression: {
group_by: ['host.name'],
duration: { unit: 'm', value: 5 },
diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/objects/rule.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/objects/rule.ts
index 5e6bf59692544..e3310f5258ad8 100644
--- a/x-pack/solutions/security/test/security_solution_cypress/cypress/objects/rule.ts
+++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/objects/rule.ts
@@ -340,8 +340,8 @@ export const getMachineLearningRule = (
): MachineLearningRuleCreateProps => ({
type: 'machine_learning',
machine_learning_job_id: [
- 'v3_linux_anomalous_network_activity',
- 'v3_linux_anomalous_process_all_hosts',
+ 'v3_linux_anomalous_network_activity_ea',
+ 'v3_linux_anomalous_process_all_hosts_ea',
],
anomaly_threshold: 20,
name: 'New ML Rule Test',