diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/manifest.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/manifest.json
index 5aade8ad0a93f..7f6806739499f 100644
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/manifest.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/manifest.json
@@ -10,7 +10,7 @@
 "must": [
 {
 "exists": {
- "field": "auditd"
+ "field": "auditd.summary"
 }
 },
 {
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_event_volume.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_event_volume.json
index 71ccdaeb8c882..83ee6bc38897e 100644
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_event_volume.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_event_volume.json
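Review bot: The recognizer's `exists` clause now requires `auditd.summary` rather than any `auditd.*` field, so Auditbeat documents that carry `auditd` data without a `summary` object (if the auditd module emits such events) will no longer count toward matching this module, and nothing in the hunk records why the narrower field was chosen. The same change appears in the `auditbeat_process_hosts/manifest.json` hunk further down. I'd capture the rationale in the manifest's `description` value, e.g. that `auditd.summary` is populated on the process events this module analyses and avoids an `exists` query against the `auditd` object field — confirm that is the actual reason. The enclosing `must` array continues past the end of this hunk.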
@@ -1,6 +1,6 @@
 {
 "title": "ML Auditbeat Hosts: Event Volume",
- "visState": "{\"title\":\"ML Auditbeat Hosts: Event Volume\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"beat.hostname\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
+ "visState": "{\"title\":\"ML Auditbeat Hosts: Event 
Volume\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"beat.name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
 "uiStateJSON": "{}",
 "description": "",
 "savedSearchId": "ml_auditbeat_hosts_events",
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/manifest.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/manifest.json
index ac667e3f525b5..f60b8e514ea63 100644
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/manifest.json
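Review bot: Switching the terms aggregation in `visState` from `beat.hostname` to `beat.name` changes the unit the chart groups by, because in Beats `name` is an operator-configurable shipper label that only defaults to the hostname; two hosts configured with the same `name` collapse into a single series here, a single `high_count` partition in the `hosts_high_count_events.json` hunk, and a single influencer value in both job hunks, which weakens per-host attribution of anomalies and of the "Host Events" drill-down queries. If this alignment is intended, I'd state in the module manifest's `description` that analysis is per configured shipper name rather than per host, so that operators who set distinct `name` values per fleet know what they are partitioning on. Unrelated to the rename but carried on the new line, `\"show\":\"true\"` inside `seriesParams` is a string while every other `show` flag in the same state is a boolean.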
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/manifest.json
@@ -10,7 +10,7 @@
 "must": [
 {
 "exists": {
- "field": "auditd"
+ "field": "auditd.summary"
 }
 }
 ],
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_high_count_events.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_high_count_events.json
index 81abf4db3569f..6ec1f172e751d 100644
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_high_count_events.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_high_count_events.json
@@ -6,13 +6,13 @@
 "bucket_span": "1h",
 "detectors": [
 {
- "detector_description": "high_count partitionfield=\"beat.hostname\"",
+ "detector_description": "high_count partitionfield=\"beat.name\"",
 "function": "high_count",
- "partition_field_name": "beat.hostname"
+ "partition_field_name": "beat.name"
 }
 ],
 "influencers": [
- "beat.hostname",
+ "beat.name",
 "process.exe"
 ]
 },
@@ -29,7 +29,7 @@
 {
 "url_name": "Host Events",
 "time_range": "1h",
- "url_value": "kibana#/dashboard/ml_auditbeat_hosts_audit_events?_g=(time:(from:'$earliest$',mode:absolute,to:'$latest$'))&_a=(filters:!(),query:(language:lucene,query:'beat.hostname:\"$beat.hostname$\"'))"
+ "url_value": "kibana#/dashboard/ml_auditbeat_hosts_audit_events?_g=(time:(from:'$earliest$',mode:absolute,to:'$latest$'))&_a=(filters:!(),query:(language:lucene,query:'beat.name:\"$beat.name$\"'))"
 }
 ]
 }
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_suspicious_process_activity.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_suspicious_process_activity.json
index 7ef2aafe964a4..1464165393cc2 100644
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_suspicious_process_activity.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_suspicious_process_activity.json
@@ -13,7 +13,7 @@
 ],
 "influencers": [
 "process.exe",
- "beat.hostname"
+ "beat.name"
 ]
 },
 "analysis_limits": {
@@ -28,7 +28,7 @@
 {
 "url_name": "Host Events",
 "time_range": "1h",
- "url_value": "kibana#/dashboard/ml_auditbeat_hosts_audit_events?_g=(time:(from:'$earliest$',mode:absolute,to:'$latest$'))&_a=(filters:!(),query:(language:lucene,query:'beat.hostname:\"$beat.hostname$\" AND process.exe:\"$process.exe$\"'))"
+ "url_value": "kibana#/dashboard/ml_auditbeat_hosts_audit_events?_g=(time:(from:'$earliest$',mode:absolute,to:'$latest$'))&_a=(filters:!(),query:(language:lucene,query:'beat.name:\"$beat.name$\" AND process.exe:\"$process.exe$\"'))"
 }
 ]
 }