Issues with builtin network ML job high_count_network_denies

willemdh · August 6, 2021, 9:49am

Hello,

Just tried the new builtin network ML jobs.. First of all, our Elastic stack crashed after adding the ML jobs through the wizard. After recovering one of the four jobs, high_count_network_denies, seemed to not process anything. Just analysed it and it seems related to the datafeed...

high_count_network_denies has as filter:

{"bool":{"filter":[{"term":{"event.category":"network"}},{"term":{"event.outcome":"deny"}}]}}

But the panw dataset does not set event.outcome to deny:

Considering that the ECS categorization documentation says:

I guess that the ML job has a bug and that the event.outcome field actually has to be the event.type field and the value denied instead of deny?

Grtz

Willem

Craig_Chamberlain · August 8, 2021, 8:12pm

Hi, that data feed query was updated in 7.13.2 with an additional test for an event.type value of denied. The updated query, in the updated job, should work with most any ECS compatible network events. . The latest ML job is in version 7.13.4 and 7.14.0 at the time of this writing. Alternatively, you can clone the job and use the newer data feed query from the upated job here: Update datafeed_high_count_network_denies.json by randomuserid · Pull Request #101681 · elastic/kibana · GitHub

system · September 5, 2021, 8:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.