Rules for 'builtin' ML Jobs


When we configure rules for 'builtin' jobs, such as 'rare process executions on Linux', where we would skip the result if the process is in a filter list 'whitelist_process_name', will these rules be overwritten when we update Elasticsearch / Kibana? (Like edits to builtin templates / pipelines would be overwritten?)

The issue now is that we have a lot of anomalies and were hoping to lower noise by using a whitelist for process names.



No, they will not be overwritten, as the rule definitions are stored with the ML job configs themselves. Only if you deleted and/or recreated the jobs would the rules be erased.
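As an added example (not from this thread or from Elastic's own code), the two request bodies behind the approach described above plus a check to run after an upgrade, assuming a placeholder job id and a detector keyed on process.name:

```python
import json

# Assumed names (not from the thread): the job id is a placeholder; confirm
# the real id and field with GET _ml/anomaly_detectors/<job_id>.
JOB_ID = "rare_process_by_host_linux"   # placeholder built-in job id
FILTER_ID = "whitelist_process_name"    # filter id named in the question
FIELD = "process.name"                  # field the rule scope applies to

def filter_body(process_names):
    """Body for PUT _ml/filters/<FILTER_ID>: the allow-list of process names."""
    return {"description": "Expected Linux processes to skip",
            "items": sorted(set(process_names))}

def rule_update_body(detector_index=0):
    """Body for POST _ml/anomaly_detectors/<JOB_ID>/_update.

    Attaches a custom rule to one detector: skip the result whenever the
    scoped field's value is in the filter. The rule is stored in the job
    config, which is why a stack upgrade does not remove it."""
    rule = {"actions": ["skip_result"],
            "scope": {FIELD: {"filter_id": FILTER_ID, "filter_type": "include"}}}
    return {"detectors": [{"detector_index": detector_index,
                           "custom_rules": [rule]}]}

def rule_present(job_config, filter_id=FILTER_ID, field=FIELD):
    """Post-upgrade check: does a job config (jobs[0] from GET
    _ml/anomaly_detectors/<id>) still carry a skip_result rule on filter_id?"""
    for det in job_config.get("analysis_config", {}).get("detectors", []):
        for rule in det.get("custom_rules", []):
            scope = rule.get("scope", {}).get(field, {})
            if ("skip_result" in rule.get("actions", [])
                    and scope.get("filter_id") == filter_id
                    and scope.get("filter_type", "include") == "include"):
                return True
    return False

# Constructed sample of a job config as returned after the update was applied
SAMPLE_JOB = {"job_id": JOB_ID, "analysis_config": {"detectors": [
    {"function": "rare", "by_field_name": FIELD,
     "partition_field_name": "host.name",
     "custom_rules": rule_update_body()["detectors"][0]["custom_rules"]}]}}

if __name__ == "__main__":
    print(json.dumps(filter_body(["cron", "sshd", "cron"]), indent=2))
    print(json.dumps(rule_update_body(), indent=2))
    print("rule present after upgrade:", rule_present(SAMPLE_JOB))
```

Deleting and recreating the job, as the answer notes, drops the custom_rules, so rule_present returning False after maintenance is the signal that the rule needs to be re-applied.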

