[ML] Update Security ML jobs influencers list #259833

Open
sodhikirti07 wants to merge 3 commits into main from update-security-ml-job-influencers

@sodhikirti07
Contributor

Summary

Update the list of influencers for Security ML jobs

Checklist

Check the PR satisfies the following conditions.

Reviewers should verify this PR satisfies this list as well.

  • Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
  • Documentation was added for features that require explanation or tutorials
  • Unit or functional tests were updated or added to match the most common scenarios
  • If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
  • This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The release_note:breaking label should be applied in these situations.
  • Flaky Test Runner was used on any tests changed
  • The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines
  • Review the backport guidelines and apply applicable backport:* labels.

Identify risks

Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging.

@sodhikirti07 requested a review from a team as a code owner on March 26, 2026 16:50
@sodhikirti07 added the following labels on Mar 26, 2026:
  • Feature:Anomaly Detection (ML anomaly detection)
  • release_note:skip (Skip the PR/issue when compiling release notes)
  • backport:skip (This PR does not require backporting)
  • Feature:Security ML Jobs (Security Solution ML Jobs)
  • v9.4.0
"file.path",
"event.module"
"event.module",
"powershell.file.script_block_text"
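
Review bot: The last added entry, "powershell.file.script_block_text", is a free-text field rather than an entity identifier, so as an influencer it can be both very large per document and high cardinality. Influencers are most useful when they name the entity responsible for an anomaly (a user, host or process), and a full script body does not group results that way. Consider leaving this entry out of the influencers list, or confirm on a test run of the job that result size and the UI stay manageable before merging. The comma added after "event.module" is needed for the new entry and is fine.
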
Member

This text could be very large; it might not be great to add in this particular case. Will it cause memory or UI issues?

Though the function is indeed "function": "high_info_content", which I think is a bit of a special case

Contributor

Same comment as Susan for "aws.cloudtrail.error_message" and "gcp.audit.status.message". These will be high cardinality fields.

@elasticmachine
Contributor

💛 Build succeeded, but was flaky

Failed CI Steps

Metrics [docs]

✅ unchanged

@elasticmachine
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

@jmcarlock
Contributor

Can you also add dns.question.name to the influencers in packetbeat_dns_tunneling_ea?
