Auditbeat anomaly detection configurations

These anomaly detection job wizards appear in Kibana if you use Auditbeat to audit process activity on your systems. For more details, see the datafeed and job definitions on GitHub.

Detect unusual processes in docker containers from auditd data (ECS).

These configurations are only available if data exists that matches the recognizer query specified in the manifest file.

| Name | Description | Job (JSON) | Datafeed |
|---|---|---|---|
| docker_high_count_process_events_ecs | Detect unusual increases in process execution rates in docker containers (ECS) | code | code |
| docker_rare_process_activity_ecs | Detect rare process executions in docker containers (ECS) | code | code |