1{
2  "job_type": "anomaly_detector",
3  "description": "Security: Authentication - looks for an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration, or brute-force activity.",
4  "groups": [
5    "security",
6    "authentication"
7  ],
8  "analysis_config": {
9    "bucket_span": "15m",
10    "detectors": [
11      {
12        "detector_description": "high count of logon events",
13        "function": "high_non_zero_count",
14        "detector_index": 0
15      }
16    ],
17    "influencers": [],
18    "model_prune_window": "30d"
19  },
20  "allow_lazy_open": true,
21  "analysis_limits": {
22    "model_memory_limit": "128mb"
23  },
24  "data_description": {
25    "time_field": "@timestamp"
26  },
27  "custom_settings": {
28    "created_by": "ml-module-security-auth"
29  }
30}
31