From 29cf37eeecc7705ec57a68b605360a1dd5566f11 Mon Sep 17 00:00:00 2001 From: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com> Date: Wed, 9 Nov 2022 09:42:34 -0800 Subject: [PATCH] Adding deprecation notes to experimental ML docs (#2393) * Adding deprecation notes to host and user risk score documentation * Adding deprecation notes to experimental ML packages --- docs/experimental-machine-learning/DGA.md | 1 + docs/experimental-machine-learning/host-risk-score.md | 1 + docs/experimental-machine-learning/problem-child.md | 1 + docs/experimental-machine-learning/user-risk-score.md | 1 + 4 files changed, 4 insertions(+) diff --git a/docs/experimental-machine-learning/DGA.md b/docs/experimental-machine-learning/DGA.md index c1eb8603a..9aa7e143e 100644 --- a/docs/experimental-machine-learning/DGA.md +++ b/docs/experimental-machine-learning/DGA.md @@ -1,3 +1,4 @@ +**The setup instructions in this document have been deprecated. Please follow the steps outlined in [this](https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-Kibana-integration) blog to enable DGA detection in your environment.** # Machine Learning on Domain Generation Algorithm (DGA) To create and use supervised DGA ML models to enrich data within the stack, check out these Elastic blogs: diff --git a/docs/experimental-machine-learning/host-risk-score.md b/docs/experimental-machine-learning/host-risk-score.md index bfaf1b1ae..605b5405a 100644 --- a/docs/experimental-machine-learning/host-risk-score.md +++ b/docs/experimental-machine-learning/host-risk-score.md 
@@ -1,3 +1,4 @@ +**The setup instructions in this document have been deprecated. Please follow the steps outlined [here](https://www.elastic.co/guide/en/security/current/host-risk-score.html), to enable Host Risk Score in your environment.** # Host Risk Score Host Risk Score is an experimental feature that assigns risk scores to hosts in a given Kibana space. Risk scores are calculated for each host by utilizing transforms on the alerting indices. The transform runs hourly to update the score as new alerts are generated. The Host Risk Score [package](https://github.com/elastic/detection-rules/releases) contains all of the required artifacts for setup. The Host Risk Score feature provides drilldown Lens dashboards and additional Kibana features such as the **Host Risk Score Card** on the Overview page of the Elastic Security app, and the **Host Risk Keyword** on the Alert details flyout for an enhanced experience. diff --git a/docs/experimental-machine-learning/problem-child.md b/docs/experimental-machine-learning/problem-child.md index ddb62fb60..c09c68174 100644 --- a/docs/experimental-machine-learning/problem-child.md +++ b/docs/experimental-machine-learning/problem-child.md @@ -1,3 +1,4 @@ +**The setup instructions in this document have been deprecated. Please follow the steps outlined in [this](https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration) blog to enable Living off the Land (LotL) detection in your environment.** # ProblemChild in the Elastic Stack ProblemChild helps detect anomalous activity in Windows process events by: diff --git a/docs/experimental-machine-learning/user-risk-score.md b/docs/experimental-machine-learning/user-risk-score.md index f116b00fc..ca65eaa65 100644 --- a/docs/experimental-machine-learning/user-risk-score.md +++ b/docs/experimental-machine-learning/user-risk-score.md 
@@ -1,3 +1,4 @@ +**The setup instructions in this document have been deprecated. Please follow the steps outlined [here](https://www.elastic.co/guide/en/security/current/user-risk-score.html), to enable User Risk Score in your environment.** # User Risk Score The User Risk Score feature highlights risky usernames from within your environment. It utilizes a transform with a scripted metric aggregation to calculate user risk scores based on alerts that were generated within the past three months. The transform runs hourly to update the score as new alerts are generated. Each alert's contribution to the user risk score is based on the alert's risk score (`signal.rule.risk_score`). The risk score is calculated using a weighted sum where rules with higher time-corrected risk scores also have higher weights. Each risk score is normalized to a scale of 0 to 100.
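Review bot: In the DGA.md hunk, the link text "this" is not descriptive, and the blog URL slug mixes cases ("...-with-new-Kibana-integration") while every other slug in the patch is all lowercase; please confirm that path resolves as written, since web paths can be case-sensitive, and consider "Please follow the steps outlined in the [DGA detection integration blog](https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-Kibana-integration)" so readers know where the link leads before clicking.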
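Review bot: In the host-risk-score.md hunk, there is a stray comma after the link ("outlined [here](...), to enable Host Risk Score"), and the unchanged context below it still states that the package "contains all of the required artifacts for setup", which contradicts the new note for anyone who skims past it; suggest dropping the comma and stating which Elastic Security release made the documented setup obsolete, e.g. "The setup instructions in this document have been deprecated as of <version>; follow the [Host Risk Score guide](https://www.elastic.co/guide/en/security/current/host-risk-score.html) to enable it."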
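Review bot: In the problem-child.md hunk, the wording of the deprecation note ("outlined in [this](...) blog to enable ...") differs from the "outlined [here](...), to enable ..." form used in the host and user risk score files, so the four notes read as if written at different times; suggest one shared sentence for all four files, with descriptive link text such as "[LotL detection integration blog](https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration)" rather than "this".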
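Review bot: In the user-risk-score.md hunk, the same stray comma appears after the link ("outlined [here](https://www.elastic.co/guide/en/security/current/user-risk-score.html), to enable User Risk Score"); please remove it and use descriptive link text ("the [User Risk Score guide](...)") so the note matches whatever template the other three files settle on.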