..but these directions are outdated, I FINALLY figured out that x-pack is automatically installed in recent versions of elasticsearch, BUT I have been having trouble with the obviously dated instructions on this elasticsearch page... Do I need a license to run x-pack to be able to do this DNS Data Exfiltration machine learning? And if so, what license do I need??
The X-Pack features are included in the default distribution since 6.3.
Machine learning features are available with a trial or platinum license.
A lot has changed since v5.4, as I am sure you are experiencing. Looking at the ML job and datafeed config, I can see some parameters which have since been deprecated or removed from the example job and datafeed JSON configs. When creating the ML job I would recommend using the Kibana UI, rather than the scripts provided.
In the UI:
Create Job
Select the packetbeat index (this should have been indexed already, and a Kibana index pattern created)
If you do not already have some familiarity with creating ML jobs, then I would recommend looking at the Single Metric Wizard first, and analyzing a simple event rate count of a data source.
To answer your question from earlier - you do need a Platinum license to have ML run this kind of DNS exfiltration detection job (or just a trial license if you want to test it short term).
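For readers who want the job and datafeed in their current API shape rather than the deprecated JSON from the old recipe page, here is an added example (not code or configuration from this thread or from Elastic) that builds 7.x-style bodies for `PUT _ml/anomaly_detectors/<job_id>` and `PUT _ml/datafeeds/<datafeed_id>`, and shows offline the kind of signal the `high_info_content` population detector scores. The job and datafeed ids, the `packetbeat-*` index pattern, the bucket span, and the Packetbeat ECS field names (`dns.question.subdomain`, `dns.question.registered_domain`, `network.protocol`, `client.ip`) are assumptions, not values from the thread; the entropy helper is a constructed proxy, not Elastic's implementation.

```python
"""Build a 7.x-style anomaly detection job and datafeed for DNS exfiltration
detection on Packetbeat data, and illustrate offline what the detector scores.

Added example; identifiers below are assumptions, not values from the thread.
"""
import json
import math
from collections import Counter

# Assumed identifiers: job/datafeed ids, index pattern and Packetbeat ECS fields.
JOB_ID = "dns_exfiltration"
DATAFEED_ID = f"datafeed-{JOB_ID}"
PACKETBEAT_INDEX = "packetbeat-*"
SUBDOMAIN_FIELD = "dns.question.subdomain"
DOMAIN_FIELD = "dns.question.registered_domain"


def build_job() -> dict:
    """Body for PUT _ml/anomaly_detectors/<job_id>.

    high_info_content flags buckets in which the subdomain labels seen for a
    registered domain carry unusually much information (long, high-entropy
    labels). Using over_field_name makes it a population analysis across all
    registered domains, so a single noisy domain stands out.
    """
    return {
        "description": "DNS exfiltration: high information content in subdomains",
        "analysis_config": {
            "bucket_span": "5m",  # assumed; tune to query volume
            "detectors": [
                {
                    "detector_description": f"high_info_content({SUBDOMAIN_FIELD}) over {DOMAIN_FIELD}",
                    "function": "high_info_content",
                    "field_name": SUBDOMAIN_FIELD,
                    "over_field_name": DOMAIN_FIELD,
                }
            ],
            "influencers": ["client.ip", DOMAIN_FIELD],
        },
        "data_description": {"time_field": "@timestamp"},
    }


def build_datafeed() -> dict:
    """Body for PUT _ml/datafeeds/<datafeed_id>, scoped to DNS flows that carry a subdomain."""
    return {
        "job_id": JOB_ID,
        "indices": [PACKETBEAT_INDEX],
        "query": {
            "bool": {
                "filter": [
                    {"term": {"network.protocol": "dns"}},
                    {"exists": {"field": SUBDOMAIN_FIELD}},
                ]
            }
        },
    }


def label_bits(subdomain: str) -> float:
    """Total Shannon information in a subdomain: length times per-character entropy.

    Constructed proxy for the signal the ML function looks at; repeated
    characters (e.g. 'www') score 0, random-looking labels score high.
    """
    if not subdomain:
        return 0.0
    n = len(subdomain)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(subdomain).values())
    return n * entropy


def rank_domains(queries):
    """Sum label_bits per registered domain; the top entries are what the
    population ("over") analysis would single out in a bucket."""
    totals = {}
    for sub, dom in queries:
        totals[dom] = totals.get(dom, 0.0) + label_bits(sub)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample of (subdomain, registered domain) pairs, not real traffic.
SAMPLE_QUERIES = [
    ("www", "example.com"),
    ("mail", "example.com"),
    ("www", "example.org"),
    ("3a9f1c0e7b2d4f8a6c1e9b0d", "tunnel.test"),
    ("b7e2d9c4a1f06e3d8c5b2a79", "tunnel.test"),
]

if __name__ == "__main__":
    print(json.dumps(build_job(), indent=2))
    print(json.dumps(build_datafeed(), indent=2))
    for dom, bits in rank_domains(SAMPLE_QUERIES):
        print(f"{dom:15s} {bits:8.1f} bits")
```

The two `build_*` bodies can be sent with curl or the Kibana Dev Tools console; the `rank_domains` output on the sample shows the constructed `tunnel.test` domain far ahead of the ordinary hosts, which is the contrast the detector is built to surface.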
I personally think that the recipes should be removed from the website and instead the "recipes" should be just whatever gets documented as the ML jobs for the SIEM app.
I just want to gently nudge that if there were updated directions that show how it is possible to get machine learning running to detect DNS exfiltration on the recent versions of Elasticsearch, that you will probably get a lot more subscriptions.
Not everyone is using or even planning to set up the SIEM app yet.
But just in case I end up setting up the SIEM app much later, are the directions for ML in the SIEM app already documented somewhere? Or are there no directions for either Elasticsearch or the SIEM app?
The DNS exfil job is scheduled to be added (together with other Packetbeat jobs) to the SIEM app in the upcoming 7.5 release. 16 other jobs for Auditbeat and Winlogbeat are already included today in 7.4.