From d061bf8e7cb167db5bd58bcb9fdd6b6174ad14d9 Mon Sep 17 00:00:00 2001 From: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com> Date: Tue, 30 Nov 2021 11:24:37 -0800 Subject: [PATCH] Updating host risk score and experimental detections docs (#1639) Co-authored-by: Jonhnathan --- .../experimental-detections.md | 2 +- docs/experimental-machine-learning/host-risk-score.md | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/experimental-machine-learning/experimental-detections.md b/docs/experimental-machine-learning/experimental-detections.md index a765321a9..60d615fe3 100644 --- a/docs/experimental-machine-learning/experimental-detections.md +++ b/docs/experimental-machine-learning/experimental-detections.md @@ -1,7 +1,7 @@ # Experimental ML Jobs and Rules The ingest pipeline enriches process events by adding additional fields, which are used to power several rules. -The experimental rules and jobs are staged separately from the model bundle under [releases](https://github.com/elastic/detection-rules/releases), with the tag `ML-experimental-detections-YYYMMDD-N`. New releases with this tag may contain either updates to existing rules or new experimental detcetions. +The experimental rules and jobs are staged separately from the model bundles under [releases](https://github.com/elastic/detection-rules/releases), with the tag `ML-experimental-detections-YYYMMDD-N`. New releases with this tag may contain either updates to existing rules or new experimental detections. Note that if a rule is of `type = "machine_learning"`, then it may be dependent on uploading and running a machine learning job first. If this is the case, it will likely be annotated within the `note` field of the rule. diff --git a/docs/experimental-machine-learning/host-risk-score.md b/docs/experimental-machine-learning/host-risk-score.md index 6c414635f..55154e217 100644 --- a/docs/experimental-machine-learning/host-risk-score.md 
+++ b/docs/experimental-machine-learning/host-risk-score.md @@ -1,13 +1,16 @@ # Host Risk Score- What is it? -The Host Risk Score package (available as a GitHub release [here](https://github.com/elastic/detection-rules/releases)) consists of all the artifacts required to stand up the host risk scoring framework in your environment. This framework leverages transforms and visualizations in Kibana to identify the most suspicious hosts in your environment, based on alert activity on the hosts. +The Host Risk Score package consists of all the artifacts required to stand up the host risk scoring framework in your environment. This framework leverages transforms and visualizations in Kibana to identify the most suspicious hosts in your environment, based on alert activity on the hosts. To deploy this framework in your environment, follow the steps outlined below. # Detailed steps #### 1. Unzip the release bundle +Navigate to the latest GitHub [release](https://github.com/elastic/detection-rules/releases)), with the tag `ML-HostRiskScore-YYYMMDD-N`. From under `Assets`, download the zip file named `ML-HostRiskScore-YYYMMDD-N.zip` and unzip it. New releases may contain updated artifacts. + #### 2. Modify artifacts to reflect Kibana space + For security reasons, we require that you restrict the Host Risk Score application to a specific Kibana space. In order to do so, run the `ml_hostriskscore_generate_scripts.py` script in the directory that is prefixed with `ML-HostRiskScore` with your Kibana space as the argument. Eg: @@ -91,7 +94,7 @@ PUT _transform/ml_hostriskscore_latest_transform_ GET ml_host_risk_score_latest_/_search (or _count) ``` -#### 8. Import the dashboards +#### 9. Import the dashboards * Navigate to `Management` -> `Stack Management` -> `Kibana` -> `Saved Objects` * Click on `Import` and import the `ml_hostriskscore_dashboards.ndjson` file
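Review bot: the corrected line in experimental-detections.md still carries the tag placeholder `ML-experimental-detections-YYYMMDD-N` with a three-letter year (`YYY`), while the line is being touched for typos anyway; verify the placeholder against an actual release tag and, if the tags use a four-digit year, change it to `YYYYMMDD` in this same change so readers do not search for a tag pattern that never matches.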
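Review bot: the new step 1 line in host-risk-score.md has an unbalanced closing parenthesis in `[release](https://github.com/elastic/detection-rules/releases)),`, which will render as a stray `)` after the link; drop the extra one. The same `YYYMMDD` placeholder appears twice on that line (in the tag and in the zip file name), so check it against the real release naming. Since the removed sentence in the intro was the only other pointer to the GitHub release, this step is now the single place that tells the reader where the package comes from, so the link here needs to be correct.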
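Review bot: the only change in this hunk renumbers `#### 8. Import the dashboards` to `#### 9.`, but no new step heading is inserted anywhere in this patch and the steps between 2 and 8 lie outside the visible context; confirm that a step 8 actually exists in the file after this change (for example a heading added in a separate commit), otherwise the numbered steps skip from 7 to 9. If another heading was meant to be renumbered at the same time, it should appear in this diff.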