I have an issue with the packetbeat rare dns question ml job, which generates quite a few anomalies due to the fact that our hosts are frequently contacting *.avqs.mcafee.com URLs, which have a random part. For example:
These anomalies are picked up by the SIEM, and as a SIEM ML detection has no way to filter stuff:
I will need to tune or filter the ml job itself.
The query used in the ml job is:
So I'd like to discuss what would be the best long-term and flexible solution, so I can exclude certain domains when needed without having to rebuild the ml job.
Some possible solutions:
- I could filter out dns.question.name in the ml datafeed query
- Even better (so I don't have to use an expensive leading wildcard query), I could filter out
But both options above would require me to stop the datafeed and the job and then update the datafeed query, which is not really user-friendly.
Ideally I'd love to use a whitelist filter list like this:
dns.question.registered_domain is not an option to scope. Feedback on enabling me to dynamically filter on dns.question.registered_domain is welcome.
Or is my only option to update the datafeed query in the ml job?
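One way to realise the cheaper of the two options (an exact-match exclusion on dns.question.registered_domain instead of a leading wildcard on dns.question.name), as an added example that is not part of the original post and not Elastic's own code: it wraps whatever the datafeed's current query is in a bool query with a must_not terms clause, and runs the same exclusion over a handful of constructed Packetbeat-style DNS events to show what would be dropped. The match_all base query is a stand-in for the real datafeed query, which is not shown above; the excluded domain mcafee.com is derived from the *.avqs.mcafee.com names in the question; the event documents are constructed, and the only field names relied on are the two ECS fields the question mentions.

```python
"""Exclude allowlisted registered domains from a Packetbeat DNS ML datafeed.

Added example for the question above; not Elastic's code. Assumes the
datafeed reads ECS-shaped Packetbeat DNS documents carrying the fields
dns.question.name and dns.question.registered_domain. The excluded domain
list and the sample events below are constructed for illustration.
"""
import json

# Registered domains whose DNS questions should not feed the rare-question job.
# Kept as data so the list can grow without touching the query-building logic.
EXCLUDED_REGISTERED_DOMAINS = ["mcafee.com"]

# Constructed sample events in the shape Packetbeat produces (trimmed to the
# two fields that matter here). Two look like the random *.avqs.mcafee.com
# lookups from the question; two are ordinary lookups that must survive.
SAMPLE_EVENTS = [
    {"dns": {"question": {"name": "a1b2c3d4.avqs.mcafee.com", "registered_domain": "mcafee.com"}}},
    {"dns": {"question": {"name": "9f8e7d6c.avqs.mcafee.com", "registered_domain": "mcafee.com"}}},
    {"dns": {"question": {"name": "www.example.com", "registered_domain": "example.com"}}},
    {"dns": {"question": {"name": "x7q2.example.net", "registered_domain": "example.net"}}},
]


def build_datafeed_query(base_query: dict, excluded_domains) -> dict:
    """Wrap the datafeed's existing query so documents whose
    dns.question.registered_domain is on the exclusion list are dropped.

    A `terms` clause on the keyword field registered_domain is an exact-match
    lookup, so it avoids the leading-wildcard query that matching
    *.avqs.mcafee.com against dns.question.name would require.
    """
    return {
        "bool": {
            "filter": [base_query],
            "must_not": [
                {"terms": {"dns.question.registered_domain": list(excluded_domains)}}
            ],
        }
    }


def get_field(doc: dict, dotted: str):
    """Resolve an ECS dotted field name (e.g. dns.question.name) on a nested doc."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def is_excluded(doc: dict, excluded_domains) -> bool:
    """Local equivalent of the must_not terms clause above."""
    return get_field(doc, "dns.question.registered_domain") in set(excluded_domains)


def apply_exclusion(docs, excluded_domains) -> list:
    """Return only the documents the datafeed would still hand to the job."""
    return [d for d in docs if not is_excluded(d, excluded_domains)]


def surviving_names(docs, excluded_domains) -> list:
    """dns.question.name of every document that passes the exclusion."""
    return [get_field(d, "dns.question.name") for d in apply_exclusion(docs, excluded_domains)]


if __name__ == "__main__":
    # match_all stands in for the real datafeed query, which is not shown here.
    query = build_datafeed_query({"match_all": {}}, EXCLUDED_REGISTERED_DOMAINS)
    print(json.dumps({"query": query}, indent=2))
    print("still fed to the job:", surviving_names(SAMPLE_EVENTS, EXCLUDED_REGISTERED_DOMAINS))
```

The `query` object printed by the block is the shape the datafeed expects under its `query` key; because the exclusion is a `must_not` on a keyword field, Elasticsearch can evaluate it as a term lookup rather than scanning every dns.question.name value, which is the cost difference between the two options listed in the question.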