Elastic Machine Learning for CyberSecurity Training Question


(Rudy Amid) #1

Hello,

I’m reviewing the labs for the new on-demand “Elastic Machine Learning for CyberSecurity” training. In section “Detect DNS Data Exfiltration”, on step 3.m, I cut and pasted the PUT request to the anomaly_detectors endpoint in the Kibana dev tool, and I get this error:

{
  "error": {
    "root_cause": [
      {
        "type": "x_content_parse_exception",
        "reason": "[3:3] [datafeed_config] unknown field [job_type], parser not found"
      }
    ],
    "type": "x_content_parse_exception",
    "reason": "[3:3] [datafeed_config] unknown field [job_type], parser not found"
  },
  "status": 400
}

Am I missing something? I obviously can’t move on to the next step without creating this first ML job.

Regards


(Rich Raposa) #2

Hi Rudy,

There is a typo in the lab instructions. The URL in the instructions has

PUT _xpack/ml/datafeeds/datafeed-dns_data_exfiltration_api

but it should be:

PUT _xpack/ml/anomaly_detectors/dns_data_exfiltration_api

The entire PUT command should look like:

PUT _xpack/ml/anomaly_detectors/dns_data_exfiltration_api
{
  "description": "",
  "analysis_config": {
    "bucket_span": "5m",
    "detectors": [
      {
        "detector_description": "high_info_content(subdomain) over highest_registered_domain excludefrequent=all",
        "function": "high_info_content",
        "field_name": "subdomain",
        "over_field_name": "highest_registered_domain",
        "exclude_frequent": "all",
        "detector_index": 0
      }
    ],
    "influencers": [
      "beat.hostname",
      "highest_registered_domain"
    ]
  },
  "analysis_limits": {
    "model_memory_limit": "1024mb",
    "categorization_examples_limit": 4
  },
  "data_description": {
    "time_field": "@timestamp",
    "time_format": "epoch_ms"
  }
}
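The job above uses high_info_content(subdomain) over highest_registered_domain. As an added illustration, not code from the lab, the thread, or Elastic's own implementation, this Python sketch approximates what that detector scores on one bucket of DNS queries: per registered domain (the over field), the information content of the distinct subdomains seen, with beat.hostname kept as the influencer. The sample queries are constructed, and splitting the registered domain on the last two labels is an assumption.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of DNS queries as (beat.hostname, queried name); the hosts
# and names are made up for this illustration and are not from the lab data.
SAMPLE_QUERIES = [
    ("ws-01", "www.example.com"),
    ("ws-01", "mail.example.com"),
    ("ws-03", "www.example.com"),
    ("ws-01", "cdn.static.example.net"),
    ("ws-02", "0123456789abcdef.exfil-demo.test"),
    ("ws-02", "fedcba9876543210.exfil-demo.test"),
    ("ws-02", "abcdef0123456789.exfil-demo.test"),
]

def split_name(fqdn):
    """Return (subdomain, highest_registered_domain). Simplification (assumption):
    the registered domain is the last two labels; real code would use the Public Suffix List."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def info_content(text):
    """Shannon entropy of the characters in text, in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def score_bucket(queries):
    """Per highest_registered_domain (the over field): summed entropy of the distinct
    subdomains seen in the bucket, plus the querying hosts (the beat.hostname influencer)."""
    subs, hosts = defaultdict(set), defaultdict(set)
    for host, name in queries:
        sub, reg = split_name(name)
        subs[reg].add(sub)
        hosts[reg].add(host)
    return {
        reg: {
            "info_content": round(sum(info_content(s) for s in names), 2),
            "unique_subdomains": len(names),
            "hosts": sorted(hosts[reg]),
        }
        for reg, names in subs.items()
    }

def flag_domains(scores, threshold):
    """Domains whose summed subdomain information content exceeds a fixed threshold
    (Elastic ML learns a per-domain baseline instead; the fixed value is a stand-in)."""
    return sorted(reg for reg, s in scores.items() if s["info_content"] > threshold)
```

Calling `flag_domains(score_bucket(SAMPLE_QUERIES), 8.0)` returns only the constructed exfil-demo.test domain, whose three hex-like labels carry far more information than the ordinary `www`/`mail` subdomains.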

(Rudy Amid) #3

Cool, thanks. My Strigo session expired, so I had to log in again, forcing it to recreate my workstation with a new IP address. I have to start over with the labs!