[ML] Adds new security module to detect anomalous activity in host-based logs #195582
Conversation
sodhikirti07
requested review from
peteharverson,
jmcarlock,
susan-shu-c and
dhru42
| @@ -0,0 +1,60 @@ | |||
| { | |||
| "id": "security_host", | |||
There was a problem hiding this comment.
You'll need to make edits to a couple of the test files to fix the test errors:
https://github.com/elastic/kibana/blob/main/x-pack/test/functional/services/ml/supplied_configurations.ts#L30 - up the expected length to 19 for the new module.
https://github.com/elastic/kibana/blob/main/x-pack/test/api_integration/apis/ml/modules/get_module.ts#L15 - add in security_host to the two arrays in this file (module IDs need to be in alphabetical order, so it will need to go in after security_cloudtrail.
There was a problem hiding this comment.
Sorry I missed this one which will also need updating - https://github.com/elastic/kibana/blob/main/x-pack/test/api_integration/apis/ml/modules/recognize_module.ts#L136 - add in security_host to the expected array in this file, after security_auth.
...erver/models/data_recognizer/modules/security_host/ml/high_count_events_for_a_host_name.json
Outdated
Show resolved
Hide resolved
...server/models/data_recognizer/modules/security_host/ml/low_count_events_for_a_host_name.json
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Looks good, though it seems that you'll need to add the version label and backport labels to the issue. I think you'll have to add the newest versions this is to go out in, but if in doubt let's check with Stack ML.
I'd also suggest editing the PR description body Detect Stoppages in Host based traffic to Detect decrease in host based traffic to better fit the actual change, for those that come look for this PR later on.
susan-shu-c
added
the
release_note:feature
|
@dhru42 Could you take a look at the jobs? Also, what version are we aiming to release this new module? |
|
Pinging @elastic/ml-ui (:ml) |
I've added our ml labels to this, and also You should also give the PR a more specific description, like |
sodhikirti07
changed the title
Hi, If I'm not mistaken we are not supposed to ship any new functionality in 8.17 so we will have to do it in 8.18 @jamesspi can you please confirm? |
|
@elasticmachine merge upstream |
💚 Build Succeeded
Metrics [docs]
History
|
|
Starting backport for target branches: 8.x https://github.com/elastic/kibana/actions/runs/12041349870 |
…sed logs (elastic#195582) ## Summary Adds a new security module `Security: Host` to the prebuilt security jobs. The module has the following jobs: - Detect Spike in Host based traffic - Detect Decrease in Host based traffic (cherry picked from commit 5ed4297)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
…ost-based logs (#195582) (#201898) # Backport This will backport the following commits from `main` to `8.x`: - [[ML] Adds new security module to detect anomalous activity in host-based logs (#195582)](#195582) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Kirti Sodhi","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-11-27T00:24:35Z","message":"[ML] Adds new security module to detect anomalous activity in host-based logs (#195582)\n\n## Summary\r\n\r\nAdds a new security module `Security: Host` to the prebuilt security\r\njobs. The module has the following jobs:\r\n- Detect Spike in Host based traffic\r\n- Detect Decrease in Host based traffic","sha":"5ed42978f8f4471f1f1852ffe90e04bcbb0713e6","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":[":ml","Feature:Anomaly Detection","v9.0.0","release_note:feature","backport:version","v8.18.0"],"title":"[ML] Adds new security module to detect anomalous activity in host-based logs","number":195582,"url":"https://github.com/elastic/kibana/pull/195582","mergeCommit":{"message":"[ML] Adds new security module to detect anomalous activity in host-based logs (#195582)\n\n## Summary\r\n\r\nAdds a new security module `Security: Host` to the prebuilt security\r\njobs. The module has the following jobs:\r\n- Detect Spike in Host based traffic\r\n- Detect Decrease in Host based traffic","sha":"5ed42978f8f4471f1f1852ffe90e04bcbb0713e6"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/195582","number":195582,"mergeCommit":{"message":"[ML] Adds new security module to detect anomalous activity in host-based logs (#195582)\n\n## Summary\r\n\r\nAdds a new security module `Security: Host` to the prebuilt security\r\njobs. The module has the following jobs:\r\n- Detect Spike in Host based traffic\r\n- Detect Decrease in Host based traffic","sha":"5ed42978f8f4471f1f1852ffe90e04bcbb0713e6"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Kirti Sodhi <[email protected]>
…sed logs (elastic#195582) ## Summary Adds a new security module `Security: Host` to the prebuilt security jobs. The module has the following jobs: - Detect Spike in Host based traffic - Detect Decrease in Host based traffic
Summary
Adds a new security module
Security: Hostto the prebuilt security jobs. The module has the following jobs:Checklist
Delete any items that are not applicable to this PR.
For maintainers