[Security Solution][Detections] Format Custom Machine Learning Job Field to Time Format in Alert View

secops4thewin commented 3 years ago

Describe the feature:

Currently in the detections engine, if a custom machine learning job with a detector of time_of_day or time_of_week is triggered, the value of the field is presented as a double.

However, Inside of the Machine Learning > Anomaly Detection > Anomaly Explorer function, the correct format is presented. The logic from the Anomaly Explorer should be ported across to Signals

Machine Learning Raw Document

Machine Learning Anomaly Explorer Anomaly View

SIEM UI SIEM Alert

Describe a specific use case for the feature:

Unusual time of day and unusual time of the week is common Machine Learning jobs to create when detecting anomalous user behaviour. Humans are not good at converting doubles to time formats on the fly. This formatting function will help analysts in the future once we adopt more of these time-based machine learning jobs. My expectation is the output would look similar to image in the Anomaly Explorer

This is dependant on #90344

elasticmachine commented 3 years ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)

secops4thewin commented 3 years ago

This may be the code that performs the function Date Time Formatter

elastic / kibana

[Security Solution][Detections] Format Custom Machine Learning Job Field to Time Format in Alert View #90564

Describe the feature:

Describe a specific use case for the feature: