ML Aggregation and Fields

Elastic Stack Elasticsearch
1

I have x-pack up and running and am collecting event logs containing windows and powershell command line activities.

Basically, I want to see the anomalies in command line activity.
I don't care about something like this
C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{??????????}
that happened over 900,000 times
I care about the 'anomalies', something like this as an example, that might have happened very few times -
psexec -i -s -d cmd.exe /c type test > C:\Windows\System32\backdoor.bat

Isn't this what it's designed for? I've been running it with 'Distinct Count' but I'm thinking that's not what I want, maybe 'low count'? But if I select 'low count' from Aggregation, there's nothing in Fields...

Questions -

  1. Do I want 'low count'?

  2. Why is there nothing in Fields for some of the 'Aggregation' options?

Yes, I am going through the machine learning course...

Appreciate any explanations!

2

Hi,

I think what you are looking for is using categorization. Have a look here for more details. I hope it helps.

3

Ah got it, thanks!

4

Alright I'm trying this but... I want to get the 'rare' of something, I'm not sure what

image
image.png1115×422 26.3 KB

The categorization filter is supposed to take this from the windows command line -
"C:\frompath\frompath\Pulse.exe" -tray
to
Pulse.exe" -tray

I could have this totally wrong... I'm trying to detect items like this on the win cmd or ps cmd
START cmd.exe /c type test > c:\temp\backdoor.bat

Appreciate any input...thanks!

5

Hmm, was just told by someone else that this isn't what I want to use, need to use 'rare' function. Alright, back to the drawing board!