ML anomaly detection alert

Hello,

Could anyone please help me with this?

I am working on machine learning-based anomaly detection use cases using Elastic’s built-in anomaly detection job, "auth_rare_hour_for_a_user". I integrated this job into a machine learning rule. After a few days of the learning period, the rule triggered an alert for a user.

Based on Elastic’s documentation, the rule’s conditions and alerting criteria are outlined. However, I would like to understand where I can find details on how the alert was triggered — specifically, what deviation from the baseline was detected that led to this alert.

Additionally, from a SOC analyst's perspective, it's important to know how the alert was generated and how to effectively triage these types of machine learning-based alerts. Where can this information be found or derived to support the analyst during the investigation?

Thanks in advance :slight_smile:
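One place the "what deviated from the baseline" detail lives is the anomaly record the job wrote, which the ML rule's alert is built from. The following is an added example, not code from the original post or from Elastic: it assumes the records are read from the `.ml-anomalies-*` index (`result_type: "record"`) and that the job's detector is a `rare` function on an hour-of-day field partitioned by user, which is an assumption about the job rather than a quote from it.

```python
# Added example for triaging an Elastic ML anomaly record; not code from the
# original post. Assumes records come from .ml-anomalies-* (result_type
# "record") and that the detector is a "rare" function on an hour-of-day
# field partitioned by user, which is an assumption about the job.

# Constructed sample shaped like an ML record result (values invented).
SAMPLE_RECORD = {
    "job_id": "auth_rare_hour_for_a_user", "result_type": "record",
    "function": "rare", "probability": 1.2e-05, "record_score": 87.3,
    "partition_field_name": "user.name", "partition_field_value": "jdoe",
    "by_field_name": "hour", "by_field_value": "3",
    "influencers": [{"influencer_field_name": "source.ip",
                     "influencer_field_values": ["203.0.113.7"]}],
}

# Severity bands by record_score as Kibana's Anomaly Explorer colours them.
SEVERITY = [(75, "critical"), (50, "major"), (25, "minor"), (0, "warning")]


def anomaly_query(job_id, user, min_score=50):
    """Search body for .ml-anomalies-* returning one user's records by score."""
    return {
        "query": {"bool": {"filter": [
            {"term": {"job_id": job_id}},
            {"term": {"result_type": "record"}},
            {"term": {"partition_field_value": user}},
            {"range": {"record_score": {"gte": min_score}}},
        ]}},
        "sort": [{"record_score": {"order": "desc"}}],
    }


def summarize_record(rec):
    """Reduce a record to who, what deviated from baseline, and how much."""
    score = rec["record_score"]
    severity = next(name for floor, name in SEVERITY if score >= floor)
    influencers = {i["influencer_field_name"]: i["influencer_field_values"]
                   for i in rec.get("influencers", [])}
    # "rare" records name the unusual value; metric detectors carry typical/actual.
    if rec["function"] == "rare":
        deviation = (f"{rec['by_field_name']}={rec['by_field_value']} is rare "
                     f"for {rec['partition_field_value']}")
    else:
        deviation = f"actual={rec.get('actual')} typical={rec.get('typical')}"
    return {"user": rec["partition_field_value"], "severity": severity,
            "score": round(score, 1), "probability": rec["probability"],
            "deviation": deviation, "influencers": influencers}
```

The `probability` and `record_score` say how unusual the hour was for that user, and the influencers point to the entities (source IP, host) worth pivoting on during triage.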