diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker_ecs/ml/docker_high_count_process_events_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker_ecs/ml/docker_high_count_process_events_ecs.json index e1b706ace9a98..81c0af094652b 100644 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker_ecs/ml/docker_high_count_process_events_ecs.json +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker_ecs/ml/docker_high_count_process_events_ecs.json @@ -3,10 +3,10 @@ "description": "Auditbeat: Detect unusual increases in process execution rates in docker containers (ECS)", "groups": ["auditd"], "analysis_config": { - "bucket_span": "10m", + "bucket_span": "1h", "detectors": [ { - "detector_description": "high_non_zero_count partition container.name", + "detector_description": "High process rate in docker containers", "function": "high_count", "partition_field_name": "container.name" } diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker_ecs/ml/docker_rare_process_activity_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker_ecs/ml/docker_rare_process_activity_ecs.json index c50c3819b87b3..5cc28d4db4802 100644 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker_ecs/ml/docker_rare_process_activity_ecs.json +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker_ecs/ml/docker_rare_process_activity_ecs.json @@ -3,9 +3,10 @@ "description": "Auditbeat: Detect rare process executions in docker containers (ECS)", "groups": ["auditd"], "analysis_config": { - "bucket_span": "10m", + "bucket_span": "1h", "detectors": [ { + "detector_description": "Rare process execution in docker containers", "function": "rare", "by_field_name": "process.executable", "partition_field_name": "container.name" diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts_ecs/ml/hosts_high_count_process_events_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts_ecs/ml/hosts_high_count_process_events_ecs.json index b8e0480680fc7..5e9e808a4f906 100644 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts_ecs/ml/hosts_high_count_process_events_ecs.json +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts_ecs/ml/hosts_high_count_process_events_ecs.json @@ -3,10 +3,10 @@ "description": "Auditbeat Hosts: Detect unusual increases in process execution rates (ECS)", "groups": ["auditd"], "analysis_config": { - "bucket_span": "10m", + "bucket_span": "1h", "detectors": [ { - "detector_description": "high_non_zero_count partition host.name", + "detector_description": "High process rate on hosts", "function": "high_non_zero_count", "partition_field_name": "host.name" } diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts_ecs/ml/hosts_rare_process_activity_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts_ecs/ml/hosts_rare_process_activity_ecs.json index 2517602077a9a..9710522ac4c54 100644 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts_ecs/ml/hosts_rare_process_activity_ecs.json +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts_ecs/ml/hosts_rare_process_activity_ecs.json @@ -3,9 +3,10 @@ "description": "Auditbeat Hosts: Detect rare process executions on hosts (ECS)", "groups": ["auditd"], "analysis_config": { - "bucket_span": "10m", + "bucket_span": "1h", "detectors": [ { + "detector_description": "Rare process execution on hosts", "function": "rare", "by_field_name": "process.executable", "partition_field_name": "host.name"