Splunk enterprise security machine learning
Convert Extreme Searches to Machine Learning Toolkit in Splunk Enterprise Security

If you need to convert any locally modified XS searches to MLTK, use the following information to help guide your decisions. The most common XS commands that have MLTK equivalents in ES follow.

The xsWhere command is approximately equivalent to the `mltk_apply` macro. These apply data to a model, compare against thresholds, and find outliers for a field. For each value, given the provided threshold, the macros tell you if the value is an outlier. See Abnormally High Number of HTTP Method Events By Src - Rule in DA-ESS-NetworkProtection.

The xsFindBestConcept command is approximately equivalent to the `mltk_findbest` macro. They are almost the opposite of the xsWhere and apply commands. For each value, these tell you in which threshold range the value falls on the distribution curve. For example: the high range is between 0.05 - 0.01, and the extreme range is between 0.01 - 0.000000001. See Access - Total Access Attempts in DA-ESS-AccessProtection.

The xsCreateDDContext command is approximately equivalent to the fit command. These both generate a new model each time the search is run.

The xsUpdateDDContext command combines the new training with the existing model each time it is run. See Access - Authentication Failures By Source in SA-AccessProtection. There is no xsUpdateDDContext equivalent in MLTK at this time. There are no models/contexts that are updated additively. All model-generation searches wipe out the old model and produce a new model based on the data retrieved in the dispatch window. To accommodate this change, the dispatch times of the Model Gen searches that were converted from xsUpdateDDContext XS searches have been increased to generate the model from more data, to get more reliable models.

As an example of converting a context gen search, consider Access - Authentication Failures By Source - Context Gen as three lines:

| tstats `summariesonly` count as failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.src,_time span=1h
| stats median(failures) as median, min(failures) as min, count as count | eval max = median*2
| xsUpdateDDContext app="SA-AccessProtection" name=failures_by_src_count_1h container=authentication scope=app | stats count

Line one starts by counting the authentication failures per hour. Line two, stats median(failures) as median, min(failures) as min, count as count | eval max = median*2, puts the results of the search into the input format that the XS xsUpdateDDContext command requires. Line three uses the XS xsUpdateDDContext command to build a data-defined historical view context, puts it in an app context, gives it a name, assigns a container, and a scope.

Consider the MLTK version of the search, Access - Authentication Failures By Source - Model Gen, as two lines:

| tstats `summariesonly` count as failure from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.src,_time span=1h
| fit DensityFunction failure partial_fit=true dist=norm into app:failures_by_src_count_1h

In some searches you see the macro `context_stats` used instead, such as `context_stats(web_event_count, http_method)`.
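The fit, apply and findbest steps discussed on this page, as an added Python illustration that is not the page's or Splunk's own code: it fits a normal density to constructed hourly failure counts (the model-gen step), flags a new count as an outlier against a threshold (the `mltk_apply` / xsWhere step) and names the threshold range the count falls in (the `mltk_findbest` / xsFindBestConcept step) using the page's high (0.05 - 0.01) and extreme (0.01 - 0.000000001) ranges. The upper-tail probability as the score, the "normal" label for probabilities at or above 0.05, and the sample counts are assumptions, not MLTK internals.

```python
import math
from statistics import mean, pstdev

# Constructed sample: twelve hours of authentication-failure counts for one source,
# shaped like the output of the tstats line (Authentication.src, _time span=1h, failures).
TRAINING_FAILURES = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 3, 4]

# Threshold ranges named on the page: high is 0.05 - 0.01, extreme is 0.01 - 0.000000001.
# The "normal" label for probabilities at or above 0.05 is an assumption, not a page value.
THRESHOLD_RANGES = [
    ("normal", 0.05, math.inf),
    ("high", 0.01, 0.05),
    ("extreme", 0.000000001, 0.01),
]


def fit_norm(values):
    """Model-gen step, in the spirit of '| fit DensityFunction failure dist=norm':
    fit a normal distribution to the hourly counts and return (mean, std dev)."""
    return float(mean(values)), float(pstdev(values))


def tail_probability(value, model):
    """Upper-tail probability P(X >= value) under the fitted normal (assumed scoring rule);
    this is the number the apply step compares against a threshold."""
    mu, sigma = model
    if sigma == 0.0:  # degenerate model: every training hour had the same count
        return 1.0 if value <= mu else 0.0
    z = (value - mu) / sigma
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def is_outlier(value, model, threshold=0.01):
    """Rule step, like the mltk_apply macro (xsWhere): the value is an outlier when its
    tail probability falls below the given threshold."""
    return tail_probability(value, model) < threshold


def threshold_range(value, model):
    """Like the mltk_findbest macro (xsFindBestConcept): name the range the value's tail
    probability falls in, or None when it lies below the floor of the extreme range."""
    p = tail_probability(value, model)
    for name, low, high in THRESHOLD_RANGES:
        if low <= p < high:
            return name
    return None


if __name__ == "__main__":
    model = fit_norm(TRAINING_FAILURES)
    for failures in (4, 5, 6, 10):  # new hourly counts to score against the model
        print(failures, is_outlier(failures, model), threshold_range(failures, model))
```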
