Perform training with the following kinds of machine data. Ingest machine data during times of low activity on your endpoint and high activity on your endpoint, so that the full scope of functionality of your software is captured in training. Ingest one or more of the following machine data from Category #1. And ingest one or more of the following machine data from Category #2.
General system-wide error messages from /var/log/syslog
Auditing logs of application rulesets
Auditing logs of security contexts
Auditing logs of login attempts from /var/log/auth.log
Auditing logs of user management or group management
Auditing logs of password management
Application specific logs from /var/log
File system status of files and directories from stat
Auditing logs of package management
Auditing logs of configuration management
Raw dumps from sniffing at Layers 2-3
Raw dumps from /proc of kernel data structures
Raw dumps of kernel routing tables
Network services configuration files
Network interface configuration files
Periodically upload a new source of machine data and get its prediction report. The new source should contain that same kind of machine data with close similarity in structure and formatting to the machine data ingested in training. At a minimum the new source must contain the deltas of that same kind of machine data ingested in training.
Parse the predictions report that's in JSON format for threat notifications.