I am trying to implement the Security Analytics Recipe for DNS Data Exfiltration, posted here: github. In order to do this, I use ELK and Packetbeat v. 7.6.2. I followed step by step all the explanations in the above link, with some little changes because many things from there are old and do not apply to the current version (e.g. X-Pack is already integrated and available with a trial license, there is no need for the ingest script as we can use the already defined fields dns.question.subdomain and dns.question.etld_plus_one, etc.). For the Machine Learning (ML) job creation I utilize the UI provided by Kibana, using the parameters in the files job.json and data_feed.json. Moreover, I use the dns_exfil_random.sh script to generate the DNS Data Exfiltration signature, which works perfectly. Everything is fine, I got about 4000 docs processed in 2 hours, but I am not able to get any anomaly (approx. 3000 of those events were generated by running the script 3 times with parameters like vodkaroom.ru, elastic.co and hp.com). For this job I chose the options Start time: Start now and End time: Real-time search.
I will show you some pictures which describe the configuration I made for the ML job:
Looking at my explanations and my configuration photos, please tell me where I am wrong and how I could get some results like the author in the following picture: Anomaly found. I trust in your experience and professional skills.
Thanks in advance!
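The job described above works from two ECS fields, dns.question.subdomain and dns.question.etld_plus_one, and from traffic generated by the exfiltration script. The following added example (not code from the post, the Elastic recipe or Packetbeat) applies an entropy-based stand-in for "information content" to constructed Packetbeat-shaped documents, scores each registered domain by its subdomain labels, and reports what share of the sample the flagged domain accounts for. Assumptions: the entropy-times-length score and the 3x-median threshold are illustrative, the documents are constructed, and exfil.test is a placeholder domain.

```python
import math
from collections import defaultdict
from statistics import median

# Constructed sample documents shaped like Packetbeat 7.x DNS events (not captured traffic);
# only the two ECS fields the post relies on are included.
SAMPLE_DOCS = [
    {"dns.question.subdomain": "www", "dns.question.etld_plus_one": "example.com"},
    {"dns.question.subdomain": "mail", "dns.question.etld_plus_one": "example.com"},
    {"dns.question.subdomain": "cdn", "dns.question.etld_plus_one": "example.org"},
    {"dns.question.subdomain": "static", "dns.question.etld_plus_one": "example.org"},
    {"dns.question.subdomain": "api", "dns.question.etld_plus_one": "example.net"},
    # hex-looking labels of the kind an exfiltration script emits; "exfil.test" is a placeholder
    {"dns.question.subdomain": "4a6f686e2044", "dns.question.etld_plus_one": "exfil.test"},
    {"dns.question.subdomain": "6d697468206973", "dns.question.etld_plus_one": "exfil.test"},
]

def shannon_entropy(label: str) -> float:
    """Bits per character of the label (0.0 for an empty or single-symbol label)."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def info_content(label: str) -> float:
    """Entropy times length: roughly how many bits the label carries. Assumed stand-in
    for the ML job's measure, which the post does not spell out."""
    return shannon_entropy(label) * len(label)

def score_domains(docs) -> dict:
    """Mean subdomain information content per registered domain (etld_plus_one)."""
    per_domain = defaultdict(list)
    for d in docs:
        per_domain[d["dns.question.etld_plus_one"]].append(info_content(d["dns.question.subdomain"]))
    return {dom: sum(v) / len(v) for dom, v in per_domain.items()}

def flag_outliers(scores: dict, factor: float = 3.0) -> set:
    """Domains scoring more than `factor` times the median score across all domains."""
    threshold = factor * median(scores.values())
    return {dom for dom, s in scores.items() if s > threshold}

def suspicious_share(docs, flagged: set) -> float:
    """Fraction of documents belonging to flagged domains: if the signature is most of the
    window, a detector that learns its baseline from that same window treats it as normal."""
    return sum(d["dns.question.etld_plus_one"] in flagged for d in docs) / len(docs)

if __name__ == "__main__":
    scores = score_domains(SAMPLE_DOCS)
    flagged = flag_outliers(scores)
    print({dom: round(s, 1) for dom, s in scores.items()}, "flagged:", flagged)
    print(f"flagged domains are {suspicious_share(SAMPLE_DOCS, flagged):.0%} of the sample")
```

When the generated signature makes up roughly three quarters of the indexed documents, as in the figures quoted in the post, the share figure is the first thing to check, because a baseline learned over that window has little normal traffic to contrast the signature against.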