[ML] Adds Authentication module with six ML jobs for ECS data (Auditbeat, Winlogbeat, Filebeat and Logs) #101840
Conversation
|
Pinging @elastic/ml-ui (:ml) |
|
I tested the module on a local dev instance |
randomuserid
added
release_note:feature
| @@ -0,0 +1,77 @@ | |||
| { | |||
| "id": "security_auth", | |||
There was a problem hiding this comment.
Looks like the expected response for the auditbeat data set used in the x-pack/test/api_integration/apis/ml/modules/recognize_module·ts test needs editing, to add in the ID of the new module security_auth which also now matches our test data set. This block here
{
testTitleSuffix: 'for auditbeat dataset',
sourceDataArchive: 'x-pack/test/functional/es_archives/ml/module_auditbeat',
indexPattern: 'ft_module_auditbeat',
user: USER.ML_POWERUSER,
expected: {
responseCode: 200,
moduleIds: ['auditbeat_process_hosts_ecs', 'security_linux', 'siem_auditbeat'],
},
},
| moduleIds: ['auditbeat_process_hosts_ecs', 'security_linux', 'siem_auditbeat'], | ||
| moduleIds: [ | ||
| 'auditbeat_process_hosts_ecs', | ||
| 'security_auth', |
There was a problem hiding this comment.
@peteharverson I noticed that in the testing output, but security_auth has been added to the auditbeat testset and yet that test still fails.
There was a problem hiding this comment.
@ajosh0504 From what I can see in the test log it looks like we're now expecting the security_auth module to be recognized in the ft_module_auditbeat index pattern, but it is not. If we think that it's ok it's not recognized there, we can remove it from the expected modules for this dataset.
There was a problem hiding this comment.
@pheyos Any idea it might not be recognizing the module?
There was a problem hiding this comment.
@ajosh0504 I'd need to double check the dataset. But the new module checks for "event.category": "authentication". And it it is not recognized in an index pattern, it means that the documents don't have this field or have a different value for this field. I'll take a closer look and report back here.
There was a problem hiding this comment.
@ajosh0504 I've checked the ft_module_auditbeat dataset and it has "event.category": "audit-rule" (see screenshot), so it's ok that it doesn't match.
There was a problem hiding this comment.
Yes event.category was added last year and this Auditbeat data may be from 2019 so that test will have to be skipped until we have newer data.
There was a problem hiding this comment.
I've created a reminder issue to decide whether or not to update the dataset, see #101910.
For now it's fine to not have the security_auth in the list of expected modules for the "old" auditbeat dataset.
this test modules uses older Auditbeat data which predates the event.category field so the test has to be skipped per https://elastic.zoom.us/j/93000943632?pwd=TmpvNWhtYUNzMUc0c0N6Tlc2QlVPZz09
needs to be a single line
Some linters want spaces and some linters want no spaces. This linter wants spaces.
added description text
removed a wayward newline char
|
@elasticmachine merge upstream |
There was a problem hiding this comment.
Jobs and datafeed configs look good, but I am a bit concerned about the low model memory limits. For auth_high_count_logon_events_for_a_source_ip we have a limit of 12mb. In other modules we've used 128, 256, or 512 mb for jobs with by or partition fields that could have high cardinality - can we bump these up a bit here?
|
@blaklaybul We'll update that. Is there a standard limit for low cardinality jobs as well? I have seen 16/32 mb in some of the jobs. |
|
@ajosh0504 for the existing jobs, we did thorough testing on live systems to arrive at the memory limits we ship with. Fields with a potential for higher cardinality warrant higher limits. I would suggest testing these new jobs on live system to get better memory estimates, or at least setting them |
They were tested on a medium sized prod cluster and we set the memory minimums to a multiple of what we saw there. We can increase it again though |
|
@randomuserid Ok, but Using another example - high_count_by_destination_country uses a relatively simple config with a known number of potential by field values and we set the memory limit to |
raised memory limits to 128mb which is larger than the highest observed peak model bytes for the most memory hungry jobs in this event class.
How's this: I increased each to 128MB which is a bit more then the largest observed peak model bytes for any job in this event class. That should be sufficient for most data sets. |
💚 Build SucceededMetrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: cc @ajosh0504 |
…eat, Winlogbeat, Filebeat and Logs) (elastic#101840) * Adding Security Authentication jobs in 7.14 * Renamed some jobs * Changing memory limits and linting change * Linting fix * Changed the order * Adding module to ml_modules.tsx * Update recognize_module.ts this test modules uses older Auditbeat data which predates the event.category field so the test has to be skipped per https://elastic.zoom.us/j/93000943632?pwd=TmpvNWhtYUNzMUc0c0N6Tlc2QlVPZz09 * Update recognize_module.ts needs to be a single line * Update recognize_module.ts Some linters want spaces and some linters want no spaces. This linter wants spaces. * descriptions added description text * Update auth_rare_hour_for_a_user.json removed a wayward newline char * Minor nitpicking * memory limits raised memory limits to 128mb which is larger than the highest observed peak model bytes for the most memory hungry jobs in this event class. Co-authored-by: Craig <mailredirector36@gmail.com> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
💚 Backport successful
This backport PR will be merged automatically after passing CI. |
…eat, Winlogbeat, Filebeat and Logs) (#101840) (#102127) * Adding Security Authentication jobs in 7.14 * Renamed some jobs * Changing memory limits and linting change * Linting fix * Changed the order * Adding module to ml_modules.tsx * Update recognize_module.ts this test modules uses older Auditbeat data which predates the event.category field so the test has to be skipped per https://elastic.zoom.us/j/93000943632?pwd=TmpvNWhtYUNzMUc0c0N6Tlc2QlVPZz09 * Update recognize_module.ts needs to be a single line * Update recognize_module.ts Some linters want spaces and some linters want no spaces. This linter wants spaces. * descriptions added description text * Update auth_rare_hour_for_a_user.json removed a wayward newline char * Minor nitpicking * memory limits raised memory limits to 128mb which is larger than the highest observed peak model bytes for the most memory hungry jobs in this event class. Co-authored-by: Craig <mailredirector36@gmail.com> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com> Co-authored-by: Craig <mailredirector36@gmail.com>
…eat, Winlogbeat, Filebeat and Logs) (elastic#101840) * Adding Security Authentication jobs in 7.14 * Renamed some jobs * Changing memory limits and linting change * Linting fix * Changed the order * Adding module to ml_modules.tsx * Update recognize_module.ts this test modules uses older Auditbeat data which predates the event.category field so the test has to be skipped per https://elastic.zoom.us/j/93000943632?pwd=TmpvNWhtYUNzMUc0c0N6Tlc2QlVPZz09 * Update recognize_module.ts needs to be a single line * Update recognize_module.ts Some linters want spaces and some linters want no spaces. This linter wants spaces. * descriptions added description text * Update auth_rare_hour_for_a_user.json removed a wayward newline char * Minor nitpicking * memory limits raised memory limits to 128mb which is larger than the highest observed peak model bytes for the most memory hungry jobs in this event class. Co-authored-by: Craig <mailredirector36@gmail.com> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Summary
This PR adds a
security_auth modulefor use within the Security app. Detailed information, stats, and screenshots are here: https://github.com/elastic/mechagodzilla/issues/35It contains 1 Module called
security_authconsisting of: