Revert "Back-porting Version Trimming (#3681)"

This reverts commit 71d2c59b5c.
Mika Ayenson
2024-05-22 13:51:46 -05:00
parent 71d2c59b5c
commit 2c3dbfc039
1036 changed files with 11405 additions and 12359 deletions
@@ -2,7 +2,9 @@
creation_date = "2023/09/19"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "LotL package job ID and rule removal updates"
min_stack_version = "8.9.0"
updated_date = "2024/04/01"
[rule]
anomaly_threshold = 75
@@ -18,13 +20,6 @@ interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "problem_child_rare_process_by_host"
name = "Unusual Process Spawned by a Host"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
"https://docs.elastic.co/en/integrations/problemchild",
"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
]
risk_score = 21
rule_id = "56004189-4e69-4a39-b4a9-195329d226e9"
setup = """## Setup
The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
@@ -80,6 +75,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: If the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and check whether any ProblemChild predictions have been generated.
- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
"""
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
"https://docs.elastic.co/en/integrations/problemchild",
"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
]
risk_score = 21
rule_id = "56004189-4e69-4a39-b4a9-195329d226e9"
severity = "low"
tags = [
"Domain: Endpoint",
@@ -2,7 +2,9 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "LotL package job ID and rule removal updates"
min_stack_version = "8.9.0"
updated_date = "2024/04/01"
[rule]
anomaly_threshold = 75
@@ -18,13 +20,6 @@ interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "problem_child_rare_process_by_parent"
name = "Unusual Process Spawned by a Parent Process"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
"https://docs.elastic.co/en/integrations/problemchild",
"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
]
risk_score = 21
rule_id = "ea09ff26-3902-4c53-bb8e-24b7a5d029dd"
setup = """## Setup
The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
@@ -80,6 +75,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.
- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
"""
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
"https://docs.elastic.co/en/integrations/problemchild",
"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
]
risk_score = 21
rule_id = "ea09ff26-3902-4c53-bb8e-24b7a5d029dd"
severity = "low"
tags = [
"Domain: Endpoint",
@@ -2,7 +2,9 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "LotL package job ID and rule removal updates"
min_stack_version = "8.9.0"
updated_date = "2024/04/01"
[rule]
anomaly_threshold = 75
@@ -19,13 +21,6 @@ interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "problem_child_rare_process_by_user"
name = "Unusual Process Spawned by a User"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
"https://docs.elastic.co/en/integrations/problemchild",
"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
]
risk_score = 21
rule_id = "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb"
setup = """## Setup
The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
@@ -81,6 +76,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.
- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
"""
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
"https://docs.elastic.co/en/integrations/problemchild",
"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
]
risk_score = 21
rule_id = "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb"
severity = "low"
tags = [
"Domain: Endpoint",
@@ -2,7 +2,9 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "LotL package job ID and rule removal updates"
min_stack_version = "8.9.0"
updated_date = "2024/04/01"
[rule]
author = ["Elastic"]
@@ -16,13 +18,6 @@ index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
"https://docs.elastic.co/en/integrations/problemchild",
"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
]
risk_score = 21
rule_id = "13e908b9-7bf0-4235-abc9-b5deb500d0ad"
setup = """## Setup
The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
@@ -71,6 +66,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
}
```
"""
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
"https://docs.elastic.co/en/integrations/problemchild",
"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
]
risk_score = 21
rule_id = "13e908b9-7bf0-4235-abc9-b5deb500d0ad"
severity = "low"
tags = [
"OS: Windows",
@@ -2,7 +2,9 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "LotL package job ID and rule removal updates"
min_stack_version = "8.9.0"
updated_date = "2024/04/01"
[rule]
author = ["Elastic"]
@@ -16,13 +18,6 @@ index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
"https://docs.elastic.co/en/integrations/problemchild",
"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
]
risk_score = 21
rule_id = "994e40aa-8c85-43de-825e-15f665375ee8"
setup = """## Setup
The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
@@ -71,6 +66,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
}
```
"""
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
"https://docs.elastic.co/en/integrations/problemchild",
"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
]
risk_score = 21
rule_id = "994e40aa-8c85-43de-825e-15f665375ee8"
severity = "low"
tags = [
"OS: Windows",
@@ -2,7 +2,9 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "LotL package job ID and rule removal updates"
min_stack_version = "8.9.0"
updated_date = "2024/04/01"
[rule]
anomaly_threshold = 75
@@ -20,13 +22,6 @@ interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "problem_child_high_sum_by_host"
name = "Suspicious Windows Process Cluster Spawned by a Host"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
"https://docs.elastic.co/en/integrations/problemchild",
"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
]
risk_score = 21
rule_id = "bdfebe11-e169-42e3-b344-c5d2015533d3"
setup = """## Setup
The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
@@ -82,6 +77,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.
- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
"""
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
"https://docs.elastic.co/en/integrations/problemchild",
"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
]
risk_score = 21
rule_id = "bdfebe11-e169-42e3-b344-c5d2015533d3"
severity = "low"
tags = [
"Use Case: Living off the Land Attack Detection",
@@ -2,7 +2,9 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "LotL package job ID and rule removal updates"
min_stack_version = "8.9.0"
updated_date = "2024/04/01"
[rule]
anomaly_threshold = 75
@@ -20,13 +22,6 @@ interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "problem_child_high_sum_by_parent"
name = "Suspicious Windows Process Cluster Spawned by a Parent Process"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
"https://docs.elastic.co/en/integrations/problemchild",
"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
]
risk_score = 21
rule_id = "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0"
setup = """## Setup
The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
@@ -82,6 +77,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.
- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
"""
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
"https://docs.elastic.co/en/integrations/problemchild",
"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
]
risk_score = 21
rule_id = "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0"
severity = "low"
tags = [
"Domain: Endpoint",
@@ -2,7 +2,9 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "LotL package job ID and rule removal updates"
min_stack_version = "8.9.0"
updated_date = "2024/04/01"
[rule]
anomaly_threshold = 75
@@ -20,13 +22,6 @@ interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "problem_child_high_sum_by_user"
name = "Suspicious Windows Process Cluster Spawned by a User"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
"https://docs.elastic.co/en/integrations/problemchild",
"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
]
risk_score = 21
rule_id = "1224da6c-0326-4b4f-8454-68cdc5ae542b"
setup = """## Setup
The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
@@ -82,6 +77,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.
- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
"""
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
"https://docs.elastic.co/en/integrations/problemchild",
"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
]
risk_score = 21
rule_id = "1224da6c-0326-4b4f-8454-68cdc5ae542b"
severity = "low"
tags = [
"Domain: Endpoint",