[ML] Adds new SIEM auditbeat, winlogbeat and packetbeat modules#47848
Merged
peteharverson merged 3 commits intoelastic:masterfrom Oct 11, 2019
Merged
Conversation
peteharverson
added
release_note:enhancement
:ml
Feature:Anomaly Detection
Contributor
|
Pinging @elastic/ml-ui (:ml) |
Contributor
💚 Build Succeeded |
blaklaybul
suggested changes
Oct 10, 2019
Contributor
There was a problem hiding this comment.
Looks good. However let's pull windows_rare_country_for_user and linux_rare_country_for_user for now. This detector has only been tested on okta data, not yet on auditbeat or winlogbeat. @cwurm began ingesting country info on our siem development cluster, but these jobs have yet to produce results there.
Contributor
💚 Build Succeeded |
peteharverson
added a commit
to peteharverson/kibana
that referenced
this pull request
Oct 11, 2019
…tic#47848) * [ML] Adds new SIEM auditbeat, winlogbeat and packetbeat modules * [ML] Removed rare_country_for_user jobs * [ML] Removed rare_country_for_user jobs from manifests
peteharverson
added a commit
that referenced
this pull request
Oct 11, 2019
…) (#47945) * [ML] Adds new SIEM auditbeat, winlogbeat and packetbeat modules * [ML] Removed rare_country_for_user jobs * [ML] Removed rare_country_for_user jobs from manifests
7 tasks
droberts195
pushed a commit
that referenced
this pull request
Oct 15, 2019
This change augments the SIEM jobs and datafeeds that were added in #47848 with the allow_lazy_open and max_empty_searches options that were added in elastic/elasticsearch#47726 and elastic/elasticsearch#47922 respectively.
spong
added a commit
that referenced
this pull request
Oct 15, 2019
## Summary This PR updates the list of ML Modules that the SIEM App should display jobs from within the Anomaly Detection UI. ML PR: #47848 Modules include: ``` 'siem_auditbeat', 'siem_auditbeat_auth', 'siem_packetbeat', 'siem_winlogbeat', 'siem_winlogbeat_auth', ``` Anomaly Detection UI now shows `23` jobs in total:  Summarize your PR. If it involves visual changes include a screenshot or gif. ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. - [ ] ~This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~ - [ ] ~Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~ - [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials * will work with @benskelker on latest ML doc updates - [ ] ~[Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~ - [ ] ~This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~ ### For maintainers - [ ] ~This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~ - [ ] ~This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~
spong
added a commit
to spong/kibana
that referenced
this pull request
Oct 16, 2019
## Summary This PR updates the list of ML Modules that the SIEM App should display jobs from within the Anomaly Detection UI. ML PR: elastic#47848 Modules include: ``` 'siem_auditbeat', 'siem_auditbeat_auth', 'siem_packetbeat', 'siem_winlogbeat', 'siem_winlogbeat_auth', ``` Anomaly Detection UI now shows `23` jobs in total:  Summarize your PR. If it involves visual changes include a screenshot or gif. ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. - [ ] ~This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~ - [ ] ~Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~ - [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials * will work with @benskelker on latest ML doc updates - [ ] ~[Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~ - [ ] ~This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~ ### For maintainers - [ ] ~This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~ - [ ] ~This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~
spong
added a commit
that referenced
this pull request
Oct 16, 2019
## Summary This PR updates the list of ML Modules that the SIEM App should display jobs from within the Anomaly Detection UI. ML PR: #47848 Modules include: ``` 'siem_auditbeat', 'siem_auditbeat_auth', 'siem_packetbeat', 'siem_winlogbeat', 'siem_winlogbeat_auth', ``` Anomaly Detection UI now shows `23` jobs in total:  Summarize your PR. If it involves visual changes include a screenshot or gif. ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. - [ ] ~This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~ - [ ] ~Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~ - [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials * will work with @benskelker on latest ML doc updates - [ ] ~[Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~ - [ ] ~This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~ ### For maintainers - [ ] ~This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~ - [ ] ~This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~
droberts195
pushed a commit
that referenced
this pull request
Oct 16, 2019
…#48372) This change augments the SIEM jobs and datafeeds that were added in #47848 with the allow_lazy_open and max_empty_searches options that were added in elastic/elasticsearch#47726 and elastic/elasticsearch#47922 respectively.
Contributor
|
Pinging @elastic/siem (Team:SIEM) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds files for three new SIEM data recognizer modules for auditbeat, winlogbeat and packetbeat data:
Also includes some edits to the descriptions and filters from the existing Auditbeat and Winlogbeat modules, removing the
ecssuffix from the module IDs and folders.Contains:
manifest.jsonlogo.jsonChecklist
For maintainers