Hello guys,
I'm trying to create an ML job which detects anomalies using an index pattern which contains information about DNS traffic (Cisco Umbrella). With this log, I can get categories about the DNS resolutions, knowing if the requests are Malware or suspicious websites.
I'm trying to deploy some ML jobs to try to identify that kind of "anomalies", I mean, the anomalies which contain Malware, for example. Or just try to see what information about anomalies ML can give to me, not specifically about Malware, anything.
The thing is I don't totally know how ML jobs work, even though I read the documentation. In the log, Malware events are the lowest in number, so it should be easy to get them using ML.
What do you recommend me to create the ML job? I mean, single metric, multi-metric, population...
What information can I get?
The data structure of the log parsed is as follows:
```json
{
  "_index": "myindex",
  "_type": "_doc",
  "_id": "1",
  "_version": 1,
  "_score": null,
  "_source": {
    "path": "/...",
    "Timestamp": "2020-03-03 22:49:27",
    "file": {
      "name": "2421459_5c27c809c3f9c2a4d9aaba22472f976d5a5813b7-dnslogs-2020-03-03-2020-03-03-22-40-0076.csv.gz"
    },
    "source": {
      "ip": "10.10.10.10"
    },
    "event": {
      "module": "DNS",
      "action": "Blocked"
    },
    "dns": {
      "type": "DNSLog",
      "repose_code": "NOERROR",
      "answers": {
        "type": "Malware"
      },
      "op_code": "1 (A)",
      "question": {
        "name": "mail.look251.com."
      }
    },
    "host": "localhost.localdomain",
    "message": "{\"sourceFile\":\"2421459_5c27c809c3f9c2a4d9aaba22472f976d5a5813b7-dnslogs-2020-03-03-2020-03-03-22-40-0076.csv.gz\",\"EventType\":\"DNSLog\",\"Timestamp\":\"2020-03-03 22:49:27\",\"MostGranularIdentity\":\"DNS\",\"Identities\":\"DN\",\"InternalIp\":\"10.10.10.10\",\"ExternalIp\":\"10.10.10.10\",\"Action\":\"Blocked\",\"QueryType\":\"1 (A)\",\"ResponseCode\":\"NOERROR\",\"Domain\":\"mail.look251.com.\",\"Categories\":\"Malware\"}\r",
    "@timestamp": "2020-03-03T21:49:27.000Z",
    "@version": "1"
  },
  "fields": {
    "@timestamp": [
      "2020-03-03T21:49:27.000Z"
    ]
  },
  "highlight": {
    "dns.answers.type": [
      "@kibana-highlighted-field@Malware@/kibana-highlighted-field@"
    ],
    "message": [
      ",\"Categories\":\"@kibana-highlighted-field@Malware@/kibana-highlighted-field@\"}"
    ]
  },
  "sort": [
    1583272167000
  ]
}
```
The data is parsed according to ECS (exactly the fields I want to use, like DNS category, event action, etc.).
Any idea?
Thank you very much!
Regards,
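As an added example (not part of the post above), here is one way to express the job design the question asks about as an Elastic ML anomaly detection job body: a population detector (`rare` by domain `over` the client IP) plus a `count` detector partitioned by the Umbrella category, so a spike in Malware-categorised requests gets its own baseline instead of being drowned by benign volume. The bucket span, job id and `match_all` datafeed query are assumptions; the `missing_fields` check is there to catch detector fields that do not exist in the indexed document, which is a common reason a job silently produces nothing.

```python
import json

# Constructed sample document, trimmed from the _source shown in the post.
SAMPLE_DOC = {
    "@timestamp": "2020-03-03T21:49:27.000Z",
    "source": {"ip": "10.10.10.10"},
    "event": {"module": "DNS", "action": "Blocked"},
    "dns": {"type": "DNSLog", "repose_code": "NOERROR",
            "answers": {"type": "Malware"}, "op_code": "1 (A)",
            "question": {"name": "mail.look251.com."}},
}

def flatten(doc, prefix=""):
    """Turn a nested document into the dotted field names ML detectors reference."""
    out = {}
    for key, value in doc.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, path + "."))
        else:
            out[path] = value
    return out

def build_job(bucket_span="15m"):
    """Body for PUT _ml/anomaly_detectors/<job_id> (bucket_span is an assumed value)."""
    return {
        "analysis_config": {
            "bucket_span": bucket_span,
            "detectors": [
                # population analysis: a client asking for domains no other client asks for
                {"function": "rare", "by_field_name": "dns.question.name",
                 "over_field_name": "source.ip",
                 "detector_description": "rare domain per client"},
                # one baseline per category, so a Malware spike is not hidden by benign volume
                {"function": "count", "partition_field_name": "dns.answers.type",
                 "detector_description": "request volume per category"},
            ],
            "influencers": ["source.ip", "dns.answers.type", "event.action"],
        },
        "data_description": {"time_field": "@timestamp"},
    }

def build_datafeed(job_id, index):
    """Body for PUT _ml/datafeeds/datafeed-<job_id>; match_all is an assumed query."""
    return {"job_id": job_id, "indices": [index], "query": {"match_all": {}}}

def missing_fields(job, doc):
    """Detector and influencer fields the document lacks (catches typos vs ECS names)."""
    present = flatten(doc)
    cfg = job["analysis_config"]
    wanted = set(cfg["influencers"])
    for det in cfg["detectors"]:
        wanted.update(v for k, v in det.items() if k.endswith("_field_name"))
    return sorted(f for f in wanted if f not in present)

if __name__ == "__main__":
    print(json.dumps(build_job(), indent=2), missing_fields(build_job(), SAMPLE_DOC))
```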