I would like to create a machine learning job to detect port scanners,
so I have configured my job like this:
Job Type: Population
Population field: destination.ip
Add metric: Distinct count(destination.port)
Influencers: I have tried source.ip alone, then destination.ip alone, and then both of them
The config, and having both source.ip and destination.ip as influencers, is also recommended. If you're not seeing certain source.ips showing up as influencers, then basically that means that there isn't a significant single IP that is dominating and exhibiting that kind of behavior. If a certain destination.ip has a highly unusual number of ports being scanned, then it is not unimaginable that many source.ips did that.
You could contrive an anomaly that you want to detect by allowing the ML job to learn for a while, then artificially create a port scan from a single device and see if the anomaly is reported as you expect.
I changed the index and tried it with the packetbeat-* index, then scanned a machine where packetbeat is installed, and the machine learning job worked perfectly.
I think that the job didn't work with my firewall logs because there are a lot of machines that are scanning my network, so the job is learning while the machines are scanning, so it will consider that as normal traffic.
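The two behaviours described in this thread (a single dominating source.ip surfacing as an influencer, and a baseline learned while scanning is already widespread absorbing the scans) can be reproduced with a toy population analysis. The block below is an added example, not Elastic's ML implementation or any code from the posters: it counts distinct destination.port values per destination.ip over constructed flow records, scores each destination against the rest of the population with a median/MAD robust z-score (a stand-in for the real job's modelling), and reports a source.ip as influencer only when it accounts for most of the probed ports. All IP addresses, port lists, the 3.0 score threshold and the 50% influencer share are assumptions made for the illustration.

```python
"""
Toy population analysis modelled on the job discussed in the thread:
population field = destination.ip, metric = distinct count of
destination.port, influencer = source.ip.  Added example; the scoring
and the influencer rule are simplifications, not Elastic's algorithm.
"""
from collections import defaultdict
import statistics

# Constructed flow records shaped like firewall logs:
# (source.ip, destination.ip, destination.port)
NORMAL_PORTS = {  # assumed "normal" services per host
    "10.0.0.1": [80, 443],
    "10.0.0.2": [22, 80, 443],
    "10.0.0.3": [25, 80, 443],
    "10.0.0.4": [22, 80, 443, 8080],
    "10.0.0.5": [22, 53, 80, 443, 8443],
}
SCAN_PORTS = range(1, 21)  # 20 low ports, disjoint from NORMAL_PORTS


def normal_traffic():
    """Ordinary traffic from one client to each host's usual ports."""
    return [("10.0.1.50", dst, p) for dst, ports in NORMAL_PORTS.items() for p in ports]


def scan(src, dst, ports=SCAN_PORTS):
    """One source probing a set of ports on one destination."""
    return [(src, dst, p) for p in ports]


def distinct_ports(flows):
    """distinct_count(destination.port) per destination, and per (destination, source)."""
    by_dst = defaultdict(set)
    by_dst_src = defaultdict(lambda: defaultdict(set))
    for src, dst, port in flows:
        by_dst[dst].add(port)
        by_dst_src[dst][src].add(port)
    return by_dst, by_dst_src


def population_scores(by_dst):
    """Robust z-score of every population member against all members."""
    values = [len(s) for s in by_dst.values()]
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1.0
    return {dst: (len(s) - med) / mad for dst, s in by_dst.items()}


def analyse(flows, threshold=3.0, influencer_share=0.5):
    """Return {destination.ip: dominating source.ip or None} for anomalous members."""
    by_dst, by_dst_src = distinct_ports(flows)
    result = {}
    for dst, score in population_scores(by_dst).items():
        if score <= threshold:
            continue
        top_src, top_ports = max(by_dst_src[dst].items(), key=lambda kv: len(kv[1]))
        share = len(top_ports) / len(by_dst[dst])
        # Only a source responsible for most of the probed ports is reported.
        result[dst] = top_src if share >= influencer_share else None
    return result


# Scenario 1: clean baseline, one scanner probes one host
# -> anomaly with a clear influencer.
clean_single = normal_traffic() + scan("203.0.113.7", "10.0.0.9")

# Scenario 2: clean baseline, the same 20 ports probed by ten different sources
# -> the destination is still anomalous, but no single source.ip dominates.
clean_distributed = normal_traffic() + [
    f for i in range(10)
    for f in scan(f"203.0.113.{i + 10}", "10.0.0.9", range(2 * i + 1, 2 * i + 3))
]

# Scenario 3: scanning was already everywhere while the baseline was learned
# (the follow-up post's situation) -> the scanned host blends into the population.
noisy = normal_traffic() + [
    f for dst in NORMAL_PORTS for i in range(3)
    for f in scan(f"198.51.100.{i + 1}", dst)
] + scan("203.0.113.7", "10.0.0.9")

if __name__ == "__main__":
    for name, flows in [("clean_single", clean_single),
                        ("clean_distributed", clean_distributed),
                        ("noisy", noisy)]:
        print(name, analyse(flows))
```

Running the script prints an influencer for the first scenario, an anomaly without an influencer for the second, and nothing for the third: once every host in the population is already being probed, the scanned host's distinct-port count sits at the population median and no longer stands out, which is why a baseline learned from logs full of scanners hides the very behaviour the job is meant to catch.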