Enable Elastic Security prebuilt rules and ML jobs

Hello!
I'd like to know if there is an ability to enable Elastic Security prebuilt rules, and the ML jobs they require to work properly, via API.
I didn't manage to find any info on this, so perhaps this functionality is not available, but maybe some of you guys have some.

Information on the ML jobs for Elastic Security is: Prebuilt job reference | Elastic Security Solution [7.15] | Elastic

It requires you to have a Platinum License (or a trial license).

Not a single word about API in these docs.

The pre-built jobs are basically stored as Kibana plugin "models" - you can see them all in this GH repo: kibana/x-pack/plugins/ml/server/models/data_recognizer/modules at 7.15 · elastic/kibana · GitHub

For example: rare destination by country

job: https://github.com/elastic/kibana/blob/7.15/x-pack/plugins/ml/server/models/data_r[…]nizer/modules/security_network/ml/rare_destination_country.json
datafeed: https://github.com/elastic/kibana/blob/7.15/x-pack/plugins/ml/server/models/data_r[…]ules/security_network/ml/datafeed_rare_destination_country.json

In the Kibana UI, once the user clicks on "enable" - Kibana just reads these static files and calls the _ml API with the details and the jobs get created.

You now have all the information on how to call the _ml API to create these jobs.
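
The flow described in the reply above (read the module's static job and datafeed files, then call the _ml API), as an added example that is not part of the original thread or Elastic's own code. The embedded JSON is a constructed, trimmed stand-in for the two linked files; the `JOB_ID` and `INDEX_PATTERN_NAME` placeholders, the `datafeed-` ID prefix and the `filebeat-*` index pattern are assumptions.

```python
import json
import urllib.request

# Constructed, trimmed stand-ins for a module's job and datafeed files; the real
# ones live in the Kibana repo linked above. The JOB_ID / INDEX_PATTERN_NAME
# placeholders in the datafeed are an assumption about the module file format.
JOB_JSON = """{"job_type": "anomaly_detector", "groups": ["security", "network"],
 "analysis_config": {"bucket_span": "15m", "detectors": [
   {"function": "rare", "by_field_name": "destination.geo.country_name"}]},
 "data_description": {"time_field": "@timestamp"}}"""
DATAFEED_JSON = """{"job_id": "JOB_ID", "indices": ["INDEX_PATTERN_NAME"],
 "query": {"bool": {"filter": [{"term": {"event.category": "network"}}]}}}"""


def build_ml_requests(job_id, job_json, datafeed_json, index_patterns):
    """Return the ordered (method, path, body) calls that create and start a job."""
    job = json.loads(job_json)
    feed = json.loads(datafeed_json)
    feed["job_id"] = job_id                 # replace the JOB_ID placeholder
    feed["indices"] = list(index_patterns)  # replace INDEX_PATTERN_NAME
    feed_id = "datafeed-" + job_id          # assumed naming, any valid ID works
    return [
        ("PUT", "/_ml/anomaly_detectors/" + job_id, job),
        ("PUT", "/_ml/datafeeds/" + feed_id, feed),
        ("POST", "/_ml/anomaly_detectors/" + job_id + "/_open", None),
        ("POST", "/_ml/datafeeds/" + feed_id + "/_start", None),
    ]


def send(base_url, api_key, method, path, body):
    """Send one call to Elasticsearch, authenticating with an API key."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("Authorization", "ApiKey " + api_key)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return json.load(resp)


if __name__ == "__main__":
    # Dry run: print the calls instead of sending them.
    for method, path, body in build_ml_requests(
            "rare_destination_country", JOB_JSON, DATAFEED_JSON, ["filebeat-*"]):
        print(method, path, json.dumps(body) if body else "")
```

A machine learning rule refers to its job by ID, so the ID passed here has to be the one the rule expects. The API key given to `send` only needs the `manage_ml` cluster privilege for these four calls.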

Wow, that's exactly what I needed!
Thanks!
