Hello, I've been running Elastic Clouds prebuilt machine learning jobs for Windows Security for about a month now and I've found they create a lot of noise. About 99% of the alerts I get out of these ML jobs I end up closing as its usually just a random windows process or update, only a very few are ever worth following up.
The alerts I'm mainly referring to are:
- v3_rare_process_by_host_windows
- v3_windows_anomalous_process_all_hosts
- v3_windows_anomalous_process_creation
So I've started adding a lot of processes to the job filters to try and reduce the noise, but even with such efforts I find our team is still getting lots and lots of really unhelpful alerts to the point of alert fatigue.
This is starting to make me think we're doing something wrong as I thought ML was supposed to help reduce false positives and this definitely doesn't seem very scalable, so I was wondering how other people have managed this? Do we just need to keep up our filtering efforts or are these jobs just not worth enabling in the first place?