{
  "job_type": "anomaly_detector",
  "description": "Security: Authentication - looks for an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration or brute force activity.",
  "groups": [
    "security",
    "authentication"
  ],
  "analysis_config": {
    "bucket_span": "15m",
    "detectors": [
      {
        "detector_description": "high count of logon events",
        "function": "high_non_zero_count",
        "detector_index": 0
      }
    ],
    "influencers": [],
    "model_prune_window": "30d"
  },
  "allow_lazy_open": true,
  "analysis_limits": {
    "model_memory_limit": "128mb"
  },
  "data_description": {
    "time_field": "@timestamp"
  },
  "custom_settings": {
    "created_by": "ml-module-security-auth"
  }
}