diff --git a/docs/advanced-entity-analytics/images/filter-add-item.png b/docs/advanced-entity-analytics/images/filter-add-item.png index 004380ad3a..fe58941ce3 100644 Binary files a/docs/advanced-entity-analytics/images/filter-add-item.png and b/docs/advanced-entity-analytics/images/filter-add-item.png differ diff --git a/docs/advanced-entity-analytics/tune-anomaly-results.asciidoc b/docs/advanced-entity-analytics/tune-anomaly-results.asciidoc index 431e71125b..75ede391a2 100644 --- a/docs/advanced-entity-analytics/tune-anomaly-results.asciidoc +++ b/docs/advanced-entity-analytics/tune-anomaly-results.asciidoc @@ -16,12 +16,13 @@ you can filter out the unwanted results. For example, to filter out results from a housekeeping process, named `maintenanceservice.exe`, that only executes occasionally you need to: -. <> +. <> . <> . <> (optional) [float] -[[create-fiter-list]] +[[create-filter-list]] +//Make sure that fixing this typo doesn't affect any other references in the Security docset and elsewhere. === Create a filter list . Find **Machine Learning** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. @@ -37,9 +38,9 @@ filter out anomaly results (`maintenanceservice.exe` in our example). + [role="screenshot"] image::filter-add-item.png[] -. Click *Add* and then *Save*. -+ -The new filter appears in the Filter List and can be added to relevant jobs. +.. Click *Add* and then *Save*. + +The new filter appears on the Filter Lists page, where you can add it to relevant jobs. [float] [[add-job-filter]] @@ -51,7 +52,7 @@ The new filter appears in the Filter List and can be added to relevant jobs. are not listed, click *Edit job selection* and select the relevant job. . In the *actions* column, click the gear icon and then select _Configure rules_. + -The *Create Rule* window is displayed. +The Create Rule window displays. + [role="screenshot"] image::rule-scope.png[] 
@@ -60,13 +61,13 @@ image::rule-scope.png[] .. The _WHEN_ statement for the relevant detector (`process.name` in our example). .. The _IS IN_ statement. -.. The filter you created as part of the <> procedure. +.. The filter you created as part of the <> procedure. + -TIP: For more information, see +TIP: To learn more about creating filters that change the behavior of anomaly detectors, refer to {ml-docs}/ml-configuring-detector-custom-rules.html[Customizing detectors with custom rules]. -. Click *Save*. - +. Click *Save* to save the filter to the job results. ++ NOTE: Changes to rules only affect new results. All anomalies found by the job before the filter was added are still displayed. @@ -96,18 +97,19 @@ name, such as `windows-rare-network-process-2`. + [role="screenshot"] image::cloned-job-details.png[] -. Click *Next* and check the job validates without errors. You can ignore -warnings about multiple influencers. -. Click *Next* and then *Create job*. + +. Click **Next** and confirm that the job doesn't return errors. You can ignore warnings about multiple influencers. +. Click **Next**, then **Create job**. + -The *Start * window is displayed. +The *Start * window displays. + [role="screenshot"] image::start-job-window.png[] -. Select the point of time from which the job will analyze anomalies. -. Click *Start*. + +. Specify when the job begins to analyze anomalies. +. Click **Start**. + -After a while, results will start to appear on the *Anomaly Explorer* page. +Results will eventually appear on the Anomaly Explorer page. [float] [[define-rule-threshold]] @@ -144,4 +146,4 @@ _WHEN actual IS GREATER THAN _ Where `` is the threshold above which anomalies are detected. . Click *Save*. . To apply the new threshold, rerun the job by selecting *Actions* -> -*Start datafeed* on the **Anomaly Detection Jobs** page. \ No newline at end of file +*Start datafeed* on the **Anomaly Detection Jobs** page.
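
Review bot: the `//Make sure that fixing this typo doesn't affect any other references...` line added under `[[create-filter-list]]` in hunk `@@ -16,12 +16,13 @@` is an open to-do committed into the source, and the anchor rename it refers to changes a link target. Any cross-reference that still points at `create-fiter-list`, in this file or in another docset, will stop resolving. Search for the old ID and update those references in this change, then drop the comment or move it to the PR description.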
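
Review bot: in hunk `@@ -37,9 +38,9 @@`, changing `. Click *Add* and then *Save*.` to `.. Click *Add* and then *Save*.` demotes the step to a sub-step, and the `+` continuation line before "The new filter appears ..." is replaced by a blank line, so that sentence is no longer attached to the step. Confirm in the rendered page that both effects are intended. If the sentence should stay with the step, keep the `+` line.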
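
Review bot: hunk `@@ -51,7 +52,7 @@` drops the bold on the UI label when `The *Create Rule* window is displayed.` becomes `The Create Rule window displays.`, while the later hunk keeps it in `The *Start * window displays.` Use one convention for window names across the file, either bold in both places or plain in both.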
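
Review bot: in hunk `@@ -60,13 +61,13 @@`, the new wording `. Click *Save* to save the filter to the job results.` reads as if the filter is applied to existing results, which contradicts the NOTE attached directly below it ("Changes to rules only affect new results"). The step saves a rule on the job, so something like `. Click *Save* to add the rule to the job.` would match the NOTE. The added `+` continuation that attaches the NOTE to the step looks right.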
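
Review bot: hunk `@@ -96,18 +97,19 @@` introduces double-asterisk bold (`**Next**`, `**Create job**`, `**Start**`) while the unchanged steps in the same file use single asterisks (`*Save*`, `*Actions*`), so the markup is now mixed within one procedure. Pick one form for button labels. Also, `Results will eventually appear on the Anomaly Explorer page.` loses the bold on the page name and is vaguer than the line it replaces. Consider present tense with the label kept, for example `Results appear on the *Anomaly Explorer* page after the job has processed some data.`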