Real Security Data: Training and Deploying Anomaly Detection Models (Part 4 of 4)
Introduction

The first three parts of this series built the infrastructure. This final post uses it. You now have four Jetson Nano inference containers running HTTPS, DSDL wired to Splunk, and HEC delivering scored events back to your indexers. In this post, you will train three Isolation Forest models on real security data and build the ES correlation rules that turn AI-scored anomalies into actionable notable events.

The three detection use cases are chosen for complementary coverage across the kill chain. Zeek connection log anomaly detection catches behavioral outliers in network traffic – the kinds of connections that do not match your environment's normal patterns. DNS anomaly detection catches tunneling, command-and-control beaconing, and DGA callbacks that generate no network flow anomalies because they hide inside legitimate DNS traffic. Windows authentication anomaly detection catches credential abuse, brute force, and lateral movement patterns that look like legitimate events when examined individually but are anomalous in aggregate. ...