Job tags are being added to anomaly detection jobs in security modules to provide additional metadata. One of these fields is a GUID, which will be used to precisely identify the job. The tags will be stored inside a `job_tags` field added to the existing `custom_settings` field, with the GUID field being `euid` ('Elastic unique identifier'), for example:
```json
"custom_settings": {
  "created_by": "ml-module-security-windows",
  "job_tags": {
    "euid": "8015",
    "name": "many-usernames-from-a-source-ip",
    "event.category": "authentication",
    "maturity": "experimental",
    "author": "@randomuserid",
    "version": "1",
    "updated_date": "5/12/2021"
  }
}
```
- The `euid` field needs to be searchable from the jobs list, using a text-based search (i.e. there is no need to support expressions such as `euid >= 9000`). There is no need at this stage to highlight in the job row why the job has matched the `euid` search term.
- The `job_tags` field must be retained when the job is cloned.
- If `job_tags` exist, they should be enumerated and displayed in the job list row expansion. These are manually configured by security operators, so values may change.
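The three requirements above, modelled in TypeScript as an added example (this is not Kibana's own jobs-list code). The job ids, descriptions and the second job are constructed for the example; the `job_tags` values are the ones from the issue. It shows a plain substring search that reaches into `job_tags` values (so the literal text `euid >= 9000` matches nothing), a clone that deep-copies `custom_settings` so the tags survive and do not alias the source job, and an enumeration of the tags for the row expansion that returns nothing when a job has no tags:

```typescript
// Added example, not Kibana's own code. Models the three job_tags requirements:
// text search over the jobs list that matches euid, cloning that keeps job_tags,
// and enumerating job_tags for the row expansion.

interface JobTags {
  euid?: string;
  // Operator-maintained free text; keys other than euid may change over time.
  [key: string]: string | undefined;
}

interface CustomSettings {
  created_by?: string;
  job_tags?: JobTags;
  [key: string]: unknown;
}

interface AnomalyDetectionJob {
  job_id: string;
  description?: string;
  groups?: string[];
  custom_settings?: CustomSettings;
}

// Constructed sample jobs list (hypothetical job ids and descriptions): one
// security-module job carrying job_tags, one ordinary job without them.
const SAMPLE_JOBS: AnomalyDetectionJob[] = [
  {
    job_id: 'security_auth_many_usernames_source_ip',
    description: 'Many user names from one source IP (constructed)',
    groups: ['security', 'windows'],
    custom_settings: {
      created_by: 'ml-module-security-windows',
      job_tags: {
        euid: '8015',
        name: 'many-usernames-from-a-source-ip',
        'event.category': 'authentication',
        maturity: 'experimental',
        author: '@randomuserid',
        version: '1',
        updated_date: '5/12/2021',
      },
    },
  },
  {
    job_id: 'nginx_response_code',
    description: 'Unusual response codes (constructed)',
    groups: ['nginx'],
    custom_settings: { created_by: 'ml-module-nginx' },
  },
];

// job_tags is optional: only security-module jobs carry it.
function getJobTags(job: AnomalyDetectionJob): JobTags | undefined {
  return job.custom_settings?.job_tags;
}

// Text-based jobs-list search: a case-insensitive substring test over job_id,
// description, groups and every job_tags value, so "8015" matches the euid and
// "experimental" matches maturity. No operators are interpreted, so the literal
// string "euid >= 9000" simply fails to match anything.
function searchJobs(jobs: AnomalyDetectionJob[], term: string): AnomalyDetectionJob[] {
  const needle = term.trim().toLowerCase();
  if (needle === '') {
    return jobs;
  }
  return jobs.filter((job) => {
    const haystack: string[] = [job.job_id, job.description ?? '', ...(job.groups ?? [])];
    const tags = getJobTags(job);
    if (tags !== undefined) {
      // Tag values are operator-edited; coerce defensively rather than assume strings.
      for (const value of Object.values(tags)) {
        haystack.push(String(value ?? ''));
      }
    }
    return haystack.some((field) => field.toLowerCase().includes(needle));
  });
}

// Clone a job under a new id. custom_settings (job_tags included) is deep-copied,
// so the clone keeps the tags and later edits to one job do not leak into the other.
function cloneJob(job: AnomalyDetectionJob, newJobId: string): AnomalyDetectionJob {
  return {
    ...job,
    job_id: newJobId,
    groups: job.groups ? [...job.groups] : undefined,
    custom_settings: job.custom_settings
      ? (JSON.parse(JSON.stringify(job.custom_settings)) as CustomSettings)
      : undefined,
  };
}

// Tags for the row expansion: key/value pairs with euid first and the rest in
// stored order. Empty when the job has no job_tags, so the caller can skip the section.
function listJobTagsForDisplay(job: AnomalyDetectionJob): Array<{ key: string; value: string }> {
  const tags = getJobTags(job);
  if (tags === undefined) {
    return [];
  }
  const entries = Object.entries(tags)
    .filter(([, value]) => value !== undefined)
    .map(([key, value]) => ({ key, value: String(value) }));
  return entries.filter((e) => e.key === 'euid').concat(entries.filter((e) => e.key !== 'euid'));
}
```

Because the search is a substring test over the tag values rather than over the whole `custom_settings` object, it does not accidentally match on `created_by` or other settings that are not tags, and a later extra tag key added by an operator is searched without code changes.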