Verify that host risk score data was installed successfully (optional)

After enabling or upgrading the host risk score, the following message may appear:

Restart host risk score

If this happens, click Restart and wait at least one hour for the data to be generated. If data still does not appear, verify whether host risk score data has been generated:

In Kibana, run the following command in the console to query the ml_host_risk_score_<space-id> index:

GET ml_host_risk_score_<space-id>/_search

If no data is returned, you need to check whether the alerts index (.alerts-security.alerts-<space-id>) contained alert data at the time ml_hostriskscore_pivot_transform_<space-id> was started.

Example

GET transform/ml_hostriskscore_pivot_transform_<space-id>/_stats?human=true

Here is an example response:

{
  "count": 1,
  "transforms": [
    {
      "id": "ml_hostriskscore_pivot_transform_<space-id>",
      "state": "started",
      "node": {
        "id": "H1tlwfTyRkWls-C0sarmHw",
        "name": "instance-0000000000",
        "ephemeral_id": "SBqlp5ywRuuop2gtcdCljA",
        "transport_address": "10.43.255.164:19635",
        "attributes": {}
      },
      "stats": {
        "pages_processed": 29,
        "documents_processed": 11805,
        "documents_indexed": 8,
        "documents_deleted": 0,
        "trigger_count": 9,
        "index_time_in_ms": 52,
        "index_total": 7,
        "index_failures": 0,
        "search_time_in_ms": 201,
        "search_total": 29,
        "search_failures": 0,
        "processing_time_in_ms": 14,
        "processing_total": 29,
        "delete_time_in_ms": 0,
        "exponential_avg_checkpoint_duration_ms": 59.02353261024906,
        "exponential_avg_documents_indexed": 0.8762710605864747,
        "exponential_avg_documents_processed": 1664.7724779548555
      },
      "checkpointing": {
        "last": {
          "checkpoint": 8,
          "timestamp": "2022-10-17T14:49:50.315Z",
          "timestamp_millis": 1666018190315,
          "time_upper_bound": "2022-10-17T14:47:50.315Z",
          "time_upper_bound_millis": 1666018070315
        },
        "operations_behind": 380,
        "changes_last_detected_at_string": "2022-10-17T14:49:50.113Z",
        "changes_last_detected_at": 1666018190113,
        "last_search_time_string": "2022-10-17T14:49:50.113Z",
        "last_search_time": 1666018190113
      }
    }
  ]
}

Note the value of time_upper_bound_millis and use it as the input to a range query against the alerts index.

Example

GET .alerts-security.alerts-<space-id>/_search
{
  "query": {
    "range": {
      "@timestamp": {
        "lt": 1666018070315
      }
    }
  }
}

If there are no hits, verify that the relevant rules are running and generating alert data. If there are hits, click Restart and wait one hour for the host risk data to appear.
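The whole check above, from reading time_upper_bound_millis out of the transform stats to deciding whether to restart or to look at the detection rules, as an added example (not code from Elastic's documentation or from the Kibana project). It works on the JSON that GET transform/&lt;id&gt;/_stats and GET .alerts-security.alerts-&lt;space-id&gt;/_search return, so you can paste the two responses from the Kibana console into it; the space id, the trimmed sample stats document and the sample search response are constructed assumptions.

```python
"""Decide the next step of the host risk score data check from two responses.

Added example, not Elastic's own code: takes the JSON of
GET transform/<id>/_stats and GET <alerts-index>/_search and maps them to
the action the procedure prescribes.
"""
import json
from typing import Any, Dict, Optional

SPACE_ID = "default"  # assumption: substitute your Kibana space id
TRANSFORM_ID = f"ml_hostriskscore_pivot_transform_{SPACE_ID}"
ALERTS_INDEX = f".alerts-security.alerts-{SPACE_ID}"

# Constructed sample: the _stats response shown on this page, trimmed to the
# fields the check needs.
SAMPLE_STATS: Dict[str, Any] = {
    "count": 1,
    "transforms": [
        {
            "id": TRANSFORM_ID,
            "state": "started",
            "checkpointing": {
                "last": {
                    "checkpoint": 8,
                    "time_upper_bound": "2022-10-17T14:47:50.315Z",
                    "time_upper_bound_millis": 1666018070315,
                },
                "operations_behind": 380,
            },
        }
    ],
}


def find_transform(stats: Dict[str, Any], transform_id: str) -> Optional[Dict[str, Any]]:
    """Return the entry for transform_id from a _stats response, or None if absent."""
    for entry in stats.get("transforms", []):
        if entry.get("id") == transform_id:
            return entry
    return None


def checkpoint_upper_bound_millis(transform: Dict[str, Any]) -> Optional[int]:
    """Epoch-millis upper bound of the transform's last checkpoint.

    None means the transform has not completed a checkpoint yet, so there is
    no time window to compare the alerts index against.
    """
    last = transform.get("checkpointing", {}).get("last", {})
    value = last.get("time_upper_bound_millis")
    return int(value) if value is not None else None


def alerts_range_query(upper_bound_millis: int) -> Dict[str, Any]:
    """Body for GET <alerts-index>/_search: alerts older than the checkpoint.

    size 0 plus track_total_hits asks Elasticsearch for an exact count
    without returning the alert documents themselves.
    """
    return {
        "size": 0,
        "track_total_hits": True,
        "query": {"range": {"@timestamp": {"lt": upper_bound_millis}}},
    }


def total_hits(search_response: Dict[str, Any]) -> int:
    """Read hits.total from a _search response (an object in ES 7+, an int in ES 6)."""
    total = search_response.get("hits", {}).get("total", 0)
    if isinstance(total, dict):
        return int(total.get("value", 0))
    return int(total)


def diagnose(stats: Dict[str, Any], search_response: Dict[str, Any],
             transform_id: str = TRANSFORM_ID) -> str:
    """Map the two responses to a short action code.

    transform-missing / transform-not-started / no-checkpoint: the transform
    itself needs attention before the alerts check means anything.
    check-rules: no alerts existed before the checkpoint, so verify the
    detection rules are running.  restart: alerts exist, click Restart and
    wait about an hour for host risk data to appear.
    """
    transform = find_transform(stats, transform_id)
    if transform is None:
        return "transform-missing"
    if transform.get("state") != "started":
        return "transform-not-started"
    if checkpoint_upper_bound_millis(transform) is None:
        return "no-checkpoint"
    if total_hits(search_response) == 0:
        return "check-rules"
    return "restart"


if __name__ == "__main__":
    # Constructed sample: 42 alerts older than the checkpoint.
    sample_search = {"hits": {"total": {"value": 42, "relation": "eq"}}}
    bound = checkpoint_upper_bound_millis(find_transform(SAMPLE_STATS, TRANSFORM_ID))
    print(f"GET {ALERTS_INDEX}/_search")
    print(json.dumps(alerts_range_query(bound), indent=2))
    print("next step:", diagnose(SAMPLE_STATS, sample_search))
```

The query body printed by the script is the same range query the page shows, with size and track_total_hits added so that a large alerts index returns an exact count rather than ten documents and a capped total; the state and checkpoint checks come first because a stopped transform or one that has never checkpointed makes the alerts count meaningless.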