Attempting to deploy std. SIEM ML jobs, only to find that they fail as they are meant for std. index naming. Issue is that we're using a custom named indices prefixed for a SIEM PoC.
So question is how may we change the expected indices in the std./default ML jobs' Datafeeds to go look for our custom named indices?
Clone job option is greyed out in Kibana UI.
Can jobs be exported+edited+import or could we alter jobs through API somehow, as edit job directly from UI doesn't seem to enable us to alter indices?
Currently, SIEM will only create ML jobs with the default SIEM index patterns: auditbeat-*,endgame-*,filebeat-*,packetbeat-*,winlogbeat-*.
Not having a winlogbeat-* index pattern is also causing the "Clone Job" option to be unavailable.
To work around this, you can deploy the SIEM Jobs via the ML page. If you Click "Create New Job" and choose your custom index pattern, you should see several SIEM options under the "Use a supplied configuration" header. Clicking into one of those will allow you to create jobs using your custom index pattern. These should then automatically show up in SIEM.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
