[Security Solution] Refactor RDP ML job for field changes #91910
Describe the bug:
The RDP job windows_rare_user_type10_remote_login needs a field change: event.type for type 10 RDP auth events is now start. The job will need to be either versioned, replaced or forked.
Comments
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Note: Detection ML Job Setting UI only goes back two weeks, larger lookbacks need to be done via ML App.
So I have the OK from @blaklaybul to make an update to the data feed query for this job, which should not require shipping a new job. I am going to plan and get this into 7.13.1 - or 7.13.2 at worst.
So it looks like event.outcome is mapped to success for event 4624 (a Windows login). However, we need to use either The quickest fix here would be to do this, which evals true on newer events as well as the older events from when the query was first written. This makes it winlogbeat specific, but the job already is winlogbeat specific - the winlog* fields are beats fields, and the manifest is tied to the winlogbeat index - so we will need to ship a new version of this job to be portable across data types, that cannot be done by changing the data feed query.
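The fix discussed in this thread is a datafeed query that matches both the old and the new event.type value for logon type 10 events. The following is an added example written for this page, not code from the issue, from Elastic, or from the shipped job. It assumes the datafeed filters on event.code "4624" and winlog.event_data.LogonType "10" (Winlogbeat security-module field names), and it assumes the pre-change event.type value was "authentication_success"; neither is stated in the issue. The sample events are constructed, and the small Query DSL evaluator exists only so the old and updated queries can be checked against them offline before touching the datafeed.

```python
"""Check a datafeed query change for windows_rare_user_type10_remote_login.

Added example. Assumptions not stated in the issue: the datafeed filters on
event.code "4624" and winlog.event_data.LogonType "10", and the event.type
value the query originally matched was "authentication_success".
"""

OLD_EVENT_TYPE = "authentication_success"  # assumed pre-change value
NEW_EVENT_TYPE = "start"                    # value reported in the issue

# Constructed sample documents, flattened to dotted ECS field names.
SAMPLE_EVENTS = [
    {"@timestamp": "2021-01-10T08:00:00Z", "event.code": "4624",
     "event.type": OLD_EVENT_TYPE, "event.outcome": "success",
     "winlog.event_data.LogonType": "10", "user.name": "alice"},   # older Winlogbeat
    {"@timestamp": "2021-05-20T08:00:00Z", "event.code": "4624",
     "event.type": NEW_EVENT_TYPE, "event.outcome": "success",
     "winlog.event_data.LogonType": "10", "user.name": "bob"},     # newer Winlogbeat
    {"@timestamp": "2021-05-20T08:01:00Z", "event.code": "4624",
     "event.type": NEW_EVENT_TYPE, "event.outcome": "success",
     "winlog.event_data.LogonType": "2", "user.name": "carol"},    # console logon, not RDP
    {"@timestamp": "2021-05-20T08:02:00Z", "event.code": "4625",
     "event.type": NEW_EVENT_TYPE, "event.outcome": "failure",
     "winlog.event_data.LogonType": "10", "user.name": "mallory"}, # failed logon
]


def old_query() -> dict:
    """Query as it would have been written against the old event.type value."""
    return {"bool": {"filter": [
        {"term": {"event.code": "4624"}},
        {"term": {"winlog.event_data.LogonType": "10"}},
        {"term": {"event.type": OLD_EVENT_TYPE}},
    ]}}


def updated_query() -> dict:
    """Datafeed query that evaluates true for both old and new events."""
    return {"bool": {"filter": [
        {"term": {"event.code": "4624"}},
        {"term": {"winlog.event_data.LogonType": "10"}},
        {"terms": {"event.type": [OLD_EVENT_TYPE, NEW_EVENT_TYPE]}},
    ]}}


def matches(query: dict, doc: dict) -> bool:
    """Evaluate the term/terms/exists/bool subset of Query DSL used above."""
    (kind, body), = query.items()
    if kind == "term":
        (field, value), = body.items()
        return doc.get(field) == value
    if kind == "terms":
        (field, values), = body.items()
        return doc.get(field) in values
    if kind == "exists":
        return body["field"] in doc
    if kind == "bool":
        required = body.get("filter", []) + body.get("must", [])
        if not all(matches(q, doc) for q in required):
            return False
        if any(matches(q, doc) for q in body.get("must_not", [])):
            return False
        should = body.get("should", [])
        if should:
            # Elasticsearch default: a should clause is required only when the
            # bool query has no filter/must clauses.
            needed = body.get("minimum_should_match", 0 if required else 1)
            return sum(matches(q, doc) for q in should) >= needed
        return True
    raise ValueError(f"unsupported query clause: {kind}")


def users_fed(query: dict, docs: list) -> list:
    """Return the user.name of every document the datafeed query would feed to the job."""
    return [d["user.name"] for d in docs if matches(query, d)]


if __name__ == "__main__":
    print("old query feeds:    ", users_fed(old_query(), SAMPLE_EVENTS))
    print("updated query feeds:", users_fed(updated_query(), SAMPLE_EVENTS))
```

Running it shows the old query silently dropping every post-change event (only alice is fed), while the updated query feeds both alice and bob and still excludes the type 2 console logon and the 4625 failure. The same check is worth repeating against a few real documents pulled from the winlogbeat index before saving the datafeed, since a query that matches nothing does not error, it just starves the job.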