[ML] Fixes bucket spans and detector descriptions in ECS auditbeat mo…

…dules (#30362) (#30377)
elastic · Feb 7, 2019 · 18bb59f · 18bb59f
1 parent 775c123
commit 18bb59f
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 6 deletions.
diff --git a/...ognizer/modules/auditbeat_process_docker_ecs/ml/docker_high_count_process_events_ecs.json b/...ognizer/modules/auditbeat_process_docker_ecs/ml/docker_high_count_process_events_ecs.json
@@ -3,10 +3,10 @@
   "description": "Auditbeat: Detect unusual increases in process execution rates in docker containers (ECS)",
   "groups": ["auditd"],
   "analysis_config": {
-    "bucket_span": "10m",
+    "bucket_span": "1h",
     "detectors": [
       {
-        "detector_description": "high_non_zero_count partition container.name",
+        "detector_description": "High process rate in docker containers",
         "function": "high_count",
         "partition_field_name": "container.name"
       }

diff --git a/..._recognizer/modules/auditbeat_process_docker_ecs/ml/docker_rare_process_activity_ecs.json b/..._recognizer/modules/auditbeat_process_docker_ecs/ml/docker_rare_process_activity_ecs.json
@@ -3,9 +3,10 @@
   "description": "Auditbeat: Detect rare process executions in docker containers (ECS)",
   "groups": ["auditd"],
   "analysis_config": {
-    "bucket_span": "10m",
+    "bucket_span": "1h",
     "detectors": [
       {
+        "detector_description": "Rare process execution in docker containers",
         "function": "rare",
         "by_field_name": "process.executable",
         "partition_field_name": "container.name"

diff --git a/...ecognizer/modules/auditbeat_process_hosts_ecs/ml/hosts_high_count_process_events_ecs.json b/...ecognizer/modules/auditbeat_process_hosts_ecs/ml/hosts_high_count_process_events_ecs.json
@@ -3,10 +3,10 @@
   "description": "Auditbeat Hosts: Detect unusual increases in process execution rates (ECS)",
   "groups": ["auditd"],
   "analysis_config": {
-    "bucket_span": "10m",
+    "bucket_span": "1h",
     "detectors": [
       {
-        "detector_description": "high_non_zero_count partition host.name",
+        "detector_description": "High process rate on hosts",
         "function": "high_non_zero_count",
         "partition_field_name": "host.name"
       }

diff --git a/...ta_recognizer/modules/auditbeat_process_hosts_ecs/ml/hosts_rare_process_activity_ecs.json b/...ta_recognizer/modules/auditbeat_process_hosts_ecs/ml/hosts_rare_process_activity_ecs.json
@@ -3,9 +3,10 @@
   "description": "Auditbeat Hosts: Detect rare process executions on hosts (ECS)",
   "groups": ["auditd"],
   "analysis_config": {
-    "bucket_span": "10m",
+    "bucket_span": "1h",
     "detectors": [
       {
+        "detector_description": "Rare process execution on hosts",
         "function": "rare",
         "by_field_name": "process.executable",
         "partition_field_name": "host.name"