This repository was archived by the owner on Jan 10, 2025. It is now read-only.
File: Security Analytics/auditd_analysis/example_2/README.md
2 additions & 2 deletions
@@ -11,7 +11,7 @@ This example adapts the machine learning recipe described here.
This example utilises:
-[auditd.cef.tar.gz](https://github.com/elastic/examples/blob/master/Security%20Analytics/auditd_analysis/example_2/auditd.cef.tar.gz) - Sample Auditd logs in CEF format used in the above blog post.
-
-[unusual_process.json](https://github.com/elastic/examples/blob/master/Security%20Analytics/auditd_analysis/example_2/unusual_process.json) - A watch that alerts on anamolies detected by X-Pack Machine Learning. REFERENCE ONLY.
+
-[unusual_process.json](https://github.com/elastic/examples/blob/master/Security%20Analytics/auditd_analysis/example_2/unusual_process.json) - A watch that alerts on anomalies detected by X-Pack Machine Learning. REFERENCE ONLY.
-[unusual_process.inline.json](https://github.com/elastic/examples/blob/master/Security%20Analytics/auditd_analysis/example_2/unusual_process.inline.json) - The above watch in an inline execution format so it can be used with the `simulate_watch.py` script and be executed over the full dataset.
-[simulate_watch.py](https://github.com/elastic/examples/blob/master/Security%20Analytics/auditd_analysis/simulate_watch.py) - A convenience script to execute the above watch. In order to test this watch against the provided test data set, this script which performs a “sliding window” execution of the watch.
This repeatedly executes the watch, each time adjusting the date filters to target the next 5 minute time range thus simulating the execution against a live stream of several days of data in a few seconds.
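Review bot: the spelling fix on the `unusual_process.json` line is correct, but the unchanged context line for `simulate_watch.py` still carries a sentence fragment: "In order to test this watch against the provided test data set, this script which performs a “sliding window” execution of the watch." has no main verb. Since the following line already explains the sliding window, consider merging the two, e.g. "To test this watch against the provided data set, this script performs a “sliding window” execution: it repeatedly executes the watch, each time adjusting the date filters to target the next 5 minute range, ...".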
*`es_host` - Elasticsearch host and port. Defaults to `localhost:9200`
*`interval` - Size of the window in seconds. Defaults to 300 or 5m as indicated in the blog.
-
The watch uses a log action to record the alert. The dataset contains only a single critical anamoly. During execution the user should therefore see a message similar to the following in the Elasticsearch logs:
+
The watch uses a log action to record the alert. The dataset contains only a single critical anomaly. During execution the user should therefore see a message similar to the following in the Elasticsearch logs:
`Alert for job [unusual_process] at [2017-06-12T07:30:00.000Z] score [78]`
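Review bot: the "anamoly" to "anomaly" fix is fine. Because this paragraph is the only place that tells the user what a successful run looks like, consider also saying where to look when the message does not appear: the `es_host` and `interval` options above only state their defaults, and the log line will only show up in the logs of the cluster that `simulate_watch.py` was pointed at, with a timestamp that depends on the window the sliding execution had reached.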