solutions/security/advanced-entity-analytics/anomaly-detection.md (11 additions & 2 deletions)
@@ -14,10 +14,14 @@ products:
# Anomaly detection
-
[{{ml-cap}}](/explore-analyze/machine-learning/anomaly-detection.md) functionality is available when you have the appropriate role, subscription, are using a [cloud deployment](https://cloud.elastic.co/registration?page=docs&placement=docs-body), or are testing out a **Free Trial**. Refer to [Machine learning job and rule requirements](/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md) for more information.
+
::::{note} [{{ml-cap}}](/explore-analyze/machine-learning/anomaly-detection.md) functionality is available when you have the appropriate role, subscription, are using a [cloud deployment](https://cloud.elastic.co/registration?page=docs&placement=docs-body), or are testing out a **Free Trial**. Refer to [Machine learning job and rule requirements](/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md) for more information.
+
::::
-
You can view the details of detected anomalies within the `Anomalies` table widget shown on the Hosts, Network, and associated details pages, or even narrow to the specific date range of an anomaly from the `Max anomaly score by job` field in the overview of the details pages for hosts and IPs. These interfaces also offer the ability to drag and drop details of the anomaly to Timeline, such as the `Entity` itself, or any of the associated `Influencers`.
+
Anomaly detection jobs allow you to to identify anomalous events or patterns in your data. In a security context, they are typically used with detection rules to create alerts when there is divergence from baseline data.
+
::::{tip}
+
More details on the creation of anomaly detection jobs can be found in [{{ml-cap}}](/explore-analyze/machine-learning/anomaly-detection.md) and background on detection rules in [solutions/security/detect-and-alert/about-detection-rules](About detection rules)
+
::::
## Manage {{ml}} jobs [manage-jobs]
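Review bot: the link in the tip added at the end of this hunk is inverted: `[solutions/security/detect-and-alert/about-detection-rules](About detection rules)` puts the path in the link text and the title in the target, so it will render as a broken link. It should read `[About detection rules](/solutions/security/detect-and-alert/about-detection-rules.md)`, with the `.md` extension the other cross-references in this file use (for example `machine-learning-job-rule-requirements.md`), and the sentence needs a closing period. Two smaller points in the same hunk: the new paragraph has a doubled word in `allow you to to identify anomalous events`, and the `::::{note}` directive carries its body text on the opener line rather than on the following line as the `::::{tip}` blocks in this hunk do; move the text onto its own line so the note body is not parsed as a directive argument.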
@@ -47,6 +51,9 @@ You can also check the status of {{ml}} detection rules, and start or stop their
:screenshot:
:::
+
::::{tip}
+
For an overview of creating machine learning rules, see [Create a detection rule](/solutions/security/detect-and-alert/create-detection-rule#create-ml-rule).
+
::::
### Prebuilt jobs [included-jobs]
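Review bot: the link target in the new tip, `/solutions/security/detect-and-alert/create-detection-rule#create-ml-rule`, drops the `.md` extension before the anchor, unlike the link to the same page in the second file of this commit (`create-detection-rule.md#rule-ui-basic-params`) and the other cross-references in this file. Use `/solutions/security/detect-and-alert/create-detection-rule.md#create-ml-rule` so link checking resolves it the same way as the rest of the page.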
@@ -73,6 +80,8 @@ Machine learning jobs look back and analyze two weeks of historical data prior t
## View detected anomalies [view-anomalies]
+
From the security solution, you can view the details of detected anomalies within the `Anomalies` table widget shown on the Explore > Hosts, Network, and Users pages, or even narrow to the specific date range of an anomaly from the `Max anomaly score by job` field in the overview of the details pages for hosts and IPs. These interfaces also offer the ability to drag and drop details of the anomaly to Timeline, such as the `Entity` itself, or any of the associated `Influencers`.
+
To view the `Anomalies` table widget and `Max Anomaly Score By Job` details, the user must have the `machine_learning_admin` or `machine_learning_user` role.
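Review bot: the moved paragraph now lists `Explore > Hosts, Network, and Users pages` for the `Anomalies` widget, but the second half of the same sentence still says the `Max anomaly score by job` field is on `the details pages for hosts and IPs`; if the user details page also surfaces that field, say so, otherwise adding Users to the first clause reads as if the field is missing there. The same field is written `Max Anomaly Score By Job` in the unchanged sentence directly below; pick one casing for the UI label and use it in both sentences.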
solutions/security/detect-and-alert/create-detection-rule.md (6 additions & 0 deletions)
@@ -92,7 +92,10 @@ To create or edit {{ml}} rules, you need:
* The appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md).
* The [`machine_learning_admin`](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) in {{stack}} or the appropriate [user role](/deploy-manage/users-roles/cloud-organization/user-roles.md) in {{serverless-short}}.
* The selected {{ml}} job to be running for the rule to function correctly.
+
::::
+
::::{tip}
+
For an overview of using machine learning with security, see [Anomaly detection](/solutions/security/advanced-entity-analytics/anomaly-detection).
::::
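Review bot: the `::::` added right after the `* The selected {{ml}} job to be running` bullet closes the requirements admonition early so that the new `::::{tip}` can reuse the existing `::::` below it; the nesting is correct, but the tip's link target `/solutions/security/advanced-entity-analytics/anomaly-detection` lacks the `.md` extension that the `built-in-roles.md` and `user-roles.md` links in the lines above carry. Use `/solutions/security/advanced-entity-analytics/anomaly-detection.md` so the reference resolves consistently.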
@@ -120,6 +123,9 @@ To create or edit {{ml}} rules, you need:
5. Click **Continue** to [configure basic rule settings](/solutions/security/detect-and-alert/create-detection-rule.md#rule-ui-basic-params).
+
::::{tip}
+
Machine learning rules may contain noise and need exceptions, see [Rule exceptions](/solutions/security/detect-and-alert/rule-exceptions.md) for more information.
+
::::
## Create a threshold rule [create-threshold-rule]
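Review bot: the new tip `Machine learning rules may contain noise and need exceptions, see [Rule exceptions](...)` is a comma splice and blurs what is noisy (the alerts the rule produces, not the rule itself). Suggest: `{{ml-cap}} rules can generate noisy alerts; to suppress known false positives, add [rule exceptions](/solutions/security/detect-and-alert/rule-exceptions.md).` It also sits between step 5 and the next heading, where it reads as part of the procedure; that is acceptable, but it may fit better next to the requirements tip added earlier in this section.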