There seems to be a bug in 7.10.2's builtin ml job windows_rare_user_type10_remote_login

willemdh · February 17, 2021, 8:20pm

Hello,

I noticed the windows_rare_user_type10_remote_login ml job didn't produce a lot of data anymore.. To be sure there was nothing going on with an outdated builtin configuration, I re-added this ml job with the provided wizard.

But again the ml job did not produce any data. So I checked the query and noticed the event.type value in the query still points to an older value:

{"bool":{"filter":[{"term":{"event.type":"authentication_success"}},{"term":{"winlog.event_data.LogonType":"10"}},{"term":{"agent.type":"winlogbeat"}}]}}

event.type for type 10 RDP events is now start

This might already be fixed in 7.11, but I don't have a 7.11 cluster yet (ad bug...), so I can't check.

Grtz

Willem

Craig_Chamberlain · February 18, 2021, 7:05pm

Thanks Willem for investigating and reporting this. You are correct, the event.type field value has changed. I will see about updating the query and I opened an issue here: [Security Solution] Refactor RDP ML job for field changes · Issue #91910 · elastic/kibana · GitHub

system · March 18, 2021, 7:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.