[SIEM] [ML] Adds new jobs for SIEM ML Integration (#44301)

## Summary Adds the below new ML Jobs from https://github.com/elastic/kibana/pull/43783 and https://github.com/elastic/kibana/pull/44383 for the SIEM ML Integration. Note: This also removes the `siem-api-` prefix added when jobs are initially created. As a result, upgrading users who have any of the three original jobs (`rare_process_linux_ecs`, `suspicious_login_activity_ecs`, `rare_process_windows_ecs`) installed, will have the latest version of them installed without the prefix. The old `siem-api-` prefixed jobs will then show up in the `Custom jobs` tab within the UI. This was going to happen with the `rare_process_linux_ecs` anyway, as it was renamed to `rare_process_by_host_linux_ecs`, so we took the opportunity to clean up naming while the job count is low. Job versioning/migration will be addressed in 7.5. ``` ts { name: 'siem_auditbeat_ecs', defaultIndexPattern: 'auditbeat-*', jobs: [ 'rare_process_by_host_linux_ecs', 'suspicious_login_activity_ecs', 'linux_anomalous_network_activity_ecs', 'linux_anomalous_network_port_activity_ecs', 'linux_anomalous_network_service', 'linux_anomalous_network_url_activity_ecs', 'linux_anomalous_process_all_hosts_ecs', 'linux_anomalous_user_name_ecs', ], }, { name: 'siem_winlogbeat_ecs', defaultIndexPattern: 'winlogbeat-*', jobs: [ 'rare_process_by_host_windows_ecs', 'windows_anomalous_network_activity_ecs', 'windows_anomalous_path_activity_ecs', 'windows_anomalous_process_all_hosts_ecs', 'windows_anomalous_process_creation', 'windows_anomalous_script', 'windows_anomalous_service', 'windows_anomalous_user_name_ecs', ], }, ``` ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. - [ ] ~This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~ - [ ] ~Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~ - [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials * Will work with @benskelker to update the job list in the [SIEM Guide](https://www.elastic.co/guide/en/siem/guide/current/machine-learning.html). @randomuserid, is there any additional documentation you would like to add? - [ ] ~[Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~ - [ ] ~This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~ ### For maintainers - [ ] ~This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~ - [ ] ~This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~
2019-08-29 16:38:40 -06:00 · 2019-08-29 16:38:40 -06:00 · 195be6022e
parent 3c68c98e2c
commit 195be6022e
2 changed files with 19 additions and 7 deletions
--- a/x-pack/legacy/plugins/siem/public/components/ml_popover/config_templates.tsx
+++ b/x-pack/legacy/plugins/siem/public/components/ml_popover/config_templates.tsx
@ -6,8 +6,6 @@

 import { ConfigTemplate } from './types';

-export const siemJobPrefix = 'siem-api-';
-
 /**
 * Config Templates w/ corresponding defaultIndexPattern and jobId's of the SIEM Jobs embedded
 * in ML. Added as part of: https://github.com/elastic/kibana/pull/39678/files
@ -17,13 +15,28 @@ export const configTemplates: ConfigTemplate[] = [
    name: 'siem_auditbeat_ecs',
    defaultIndexPattern: 'auditbeat-*',
    jobs: [
-      `${siemJobPrefix}rare_process_linux_ecs`,
-      `${siemJobPrefix}suspicious_login_activity_ecs`,
+      'rare_process_by_host_linux_ecs',
+      'suspicious_login_activity_ecs',
+      'linux_anomalous_network_activity_ecs',
+      'linux_anomalous_network_port_activity_ecs',
+      'linux_anomalous_network_service',
+      'linux_anomalous_network_url_activity_ecs',
+      'linux_anomalous_process_all_hosts_ecs',
+      'linux_anomalous_user_name_ecs',
    ],
  },
  {
    name: 'siem_winlogbeat_ecs',
    defaultIndexPattern: 'winlogbeat-*',
-    jobs: [`${siemJobPrefix}rare_process_windows_ecs`],
+    jobs: [
+      'rare_process_by_host_windows_ecs',
+      'windows_anomalous_network_activity_ecs',
+      'windows_anomalous_path_activity_ecs',
+      'windows_anomalous_process_all_hosts_ecs',
+      'windows_anomalous_process_creation',
+      'windows_anomalous_script',
+      'windows_anomalous_service',
+      'windows_anomalous_user_name_ecs',
+    ],
  },
 ];
--- a/x-pack/legacy/plugins/siem/public/components/ml_popover/ml_popover.tsx
+++ b/x-pack/legacy/plugins/siem/public/components/ml_popover/ml_popover.tsx
@ -27,7 +27,7 @@ import {
  getJobsToDisplay,
  getJobsToInstall,
 } from './helpers';
-import { configTemplates, siemJobPrefix } from './config_templates';
+import { configTemplates } from './config_templates';
 import { useStateToaster } from '../toasters';
 import { errorToToaster } from '../ml/api/error_to_toaster';
 import { useKibanaUiSetting } from '../../lib/settings/use_kibana_ui_setting';
@ -176,7 +176,6 @@ export const MlPopover = React.memo(() => {
                configTemplate: configTemplate.name,
                indexPatternName: configTemplate.defaultIndexPattern,
                groups: ['siem'],
-                prefix: siemJobPrefix,
                headers,
              });
            })