Hi, as i know es provide ml to detect unusual event, like "Unusual Windows Username" and another exapmle is " Unusual Hour for a User to Logon".
I have question about unusual meaning as belows.
Hello. It is hard to tell based on the question. but we have a couple of blogs that explain the "rare" function in machine learning:
Hope this helps
We have some pre-built jobs that look for rarities in username over a single host:
Auth rare hour for user: Prebuilt job reference | Elastic Security Solution [8.5] | Elastic
Unusual Windows username: Unusual Windows Username | Elastic Security Solution [8.5] | Elastic
However it might depend on your situation specifically about your 100 host event log data.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.