alex_su
(alex Su)
January 4, 2023, 9:02am
#1
Hi, as I know, ES provides ML to detect unusual events, like "Unusual Windows Username", and another example is "Unusual Hour for a User to Logon".
I have a question about the meaning of "unusual", as below.
How do I build this ML? Like one host, one model? Or if I have event log data from 100 hosts, do we only need one model that can handle it?
Hello. It is hard to tell based on the question, but we have a couple of blogs that explain the "rare" function in machine learning:
To secure your environment, Elastic Security has many out-of-the-box machine learning configurations for detecting rare activity, networks, and processes, as well as tools to customize your own anomaly detection jobs.
Hope this helps.
shuchang
(Shu Chang)
January 9, 2023, 4:40pm
#3
We have some pre-built jobs that look for rarities in username over a single host:
Auth rare hour for user: Prebuilt job reference | Elastic Security Solution [8.5] | Elastic
Unusual Windows username: Unusual Windows Username | Elastic Security Solution [8.5] | Elastic
However, it might depend on your situation, specifically regarding your 100-host event log data.