diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml index b4a302af6..5f546571c 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml @@ -4,7 +4,7 @@ integration = ["problemchild", "endpoint", "windows"] maturity = "production" min_stack_comments = "LotL package job ID and rule removal updates" min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/04/01" [rule] anomaly_threshold = 75 
@@ -40,9 +40,9 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets. #### Ingest Pipeline Setup -Before you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. +**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. - If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`. -- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). +- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline). #### Adding Custom Mappings - Go to the Kibana homepage. Under Management, click Stack Management. 
@@ -69,10 +69,10 @@ Before you can enable this rule, you'll need to enrich Windows process events wi ``` ### Anomaly Detection Setup -Before you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. +**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. - Go to the Kibana homepage. Under Analytics, click Machine Learning. - Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". +- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: If the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and check whether any ProblemChild predictions have been generated. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ references = [ diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml index caef24727..08116f76b 100644 
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml @@ -4,7 +4,7 @@ integration = ["problemchild", "endpoint", "windows"] maturity = "production" min_stack_comments = "LotL package job ID and rule removal updates" min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/04/01" [rule] anomaly_threshold = 75 
@@ -40,9 +40,9 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets. #### Ingest Pipeline Setup -Before you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. +**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. - If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`. -- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). +- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline). #### Adding Custom Mappings - Go to the Kibana homepage. Under Management, click Stack Management. 
@@ -69,10 +69,10 @@ Before you can enable this rule, you'll need to enrich Windows process events wi ``` ### Anomaly Detection Setup -Before you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. +**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. - Go to the Kibana homepage. Under Analytics, click Machine Learning. - Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". +- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ references = [ diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml index f81de03f7..1f3913154 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml 
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml @@ -4,7 +4,7 @@ integration = ["problemchild", "endpoint", "windows"] maturity = "production" min_stack_comments = "LotL package job ID and rule removal updates" min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/04/01" [rule] anomaly_threshold = 75 
@@ -41,9 +41,9 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets. #### Ingest Pipeline Setup -Before you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. +**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. - If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`. -- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). +- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline). #### Adding Custom Mappings - Go to the Kibana homepage. Under Management, click Stack Management. 
@@ -70,10 +70,10 @@ Before you can enable this rule, you'll need to enrich Windows process events wi ``` ### Anomaly Detection Setup -Before you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. +**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. - Go to the Kibana homepage. Under Analytics, click Machine Learning. - Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". +- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ references = [ diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml index c7fc89b38..ae2a2dd34 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml 
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml @@ -4,7 +4,7 @@ integration = ["problemchild", "endpoint"] maturity = "production" min_stack_comments = "LotL package job ID and rule removal updates" min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/04/01" [rule] author = ["Elastic"] 
@@ -38,9 +38,9 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets. #### Ingest Pipeline Setup -Before you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. +**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. - If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`. -- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). +- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline). #### Adding Custom Mappings - Go to the Kibana homepage. Under Management, click Stack Management. 
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml index 60c5f5f8f..0357b533e 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml @@ -4,7 +4,7 @@ integration = ["problemchild", "endpoint", "windows"] maturity = "production" min_stack_comments = "LotL package job ID and rule removal updates" min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/04/01" [rule] author = ["Elastic"] 
@@ -38,9 +38,9 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets. #### Ingest Pipeline Setup -Before you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. +**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. - If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`. -- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). +- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline). #### Adding Custom Mappings - Go to the Kibana homepage. Under Management, click Stack Management. 
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml index 4f40a2ef5..77346bbbf 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml @@ -4,7 +4,7 @@ integration = ["problemchild", "endpoint", "windows"] maturity = "production" min_stack_comments = "LotL package job ID and rule removal updates" min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/04/01" [rule] anomaly_threshold = 75 
@@ -42,9 +42,9 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets. #### Ingest Pipeline Setup -Before you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. +**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. - If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`. -- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). +- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline). #### Adding Custom Mappings - Go to the Kibana homepage. Under Management, click Stack Management. 
@@ -71,10 +71,10 @@ Before you can enable this rule, you'll need to enrich Windows process events wi ``` ### Anomaly Detection Setup -Before you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. +**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. - Go to the Kibana homepage. Under Analytics, click Machine Learning. - Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". +- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ references = [ diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml index 9af714105..693b3cadd 100644 
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml @@ -4,7 +4,7 @@ integration = ["problemchild", "endpoint", "windows"] maturity = "production" min_stack_comments = "LotL package job ID and rule removal updates" min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/04/01" [rule] anomaly_threshold = 75 
@@ -42,9 +42,9 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets. #### Ingest Pipeline Setup -Before you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. +**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. - If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`. -- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). +- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline). #### Adding Custom Mappings - Go to the Kibana homepage. Under Management, click Stack Management. 
@@ -71,10 +71,10 @@ Before you can enable this rule, you'll need to enrich Windows process events wi ``` ### Anomaly Detection Setup -Before you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. +**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. - Go to the Kibana homepage. Under Analytics, click Machine Learning. - Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". +- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ references = [ diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml index e09edc723..d9533c157 100644 
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml @@ -4,7 +4,7 @@ integration = ["problemchild", "endpoint", "windows"] maturity = "production" min_stack_comments = "LotL package job ID and rule removal updates" min_stack_version = "8.9.0" -updated_date = "2023/12/12" +updated_date = "2024/04/01" [rule] anomaly_threshold = 75 
@@ -42,9 +42,9 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets. #### Ingest Pipeline Setup -Before you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. +**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. - If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`. -- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). +- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline). #### Adding Custom Mappings - Go to the Kibana homepage. Under Management, click Stack Management. 
@@ -71,10 +71,10 @@ Before you can enable this rule, you'll need to enrich Windows process events wi ``` ### Anomaly Detection Setup -Before you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. +**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. - Go to the Kibana homepage. Under Analytics, click Machine Learning. - Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". +- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ references = [
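Review bot: The new warning sentence is inconsistent across the files, and five of the six copies are ungrammatical. In the `@@ -69,10 +69,10 @@` hunk of defense_evasion_ml_rare_process_for_a_host.toml it reads "Warning: If the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and check whether any ProblemChild predictions have been generated.", while the matching hunks in defense_evasion_ml_rare_process_for_a_parent_process.toml, defense_evasion_ml_rare_process_for_a_user.toml, defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml, defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml and defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml end with "try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.", which is missing its verb ("and check whether ..."). These setup notes are shared boilerplate, so apply the first file's wording (and its capitalised "If") to all six.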
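Review bot: The ingest-pipeline check added to the pipeline-processor bullet (the `@@ -40,9 +40,9 @@` hunks and their `-38`, `-41` and `-42` equivalents in the other files) sends the reader to `Data > Index Management` without the entry point, whereas every other navigation step in the note starts with "Go to the Kibana homepage. Under Management, click Stack Management."; write it as `Stack Management > Data > Index Management` for consistency. More importantly, looking at one existing index's settings only shows the `index.default_pipeline` / `index.final_pipeline` values that index already carries; new backing indices for `logs-endpoint*` and `winlogbeat-*` are created from their index template, so suggest also telling the reader to check the matching index template (the Index Templates tab in Index Management) and to add the pipeline processor there, otherwise the LotL enrichment will apply to the current index only and silently stop at the next rollover.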
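Review bot: The added sentence is out of step with the surrounding text on names and index patterns: it spells "winlogbeat" in lowercase where the rest of the note uses "Winlogbeat", and gives the Elastic Defend pattern as `logs-endpoint*` while the Anomaly Detection Setup section two hunks later uses `logs-endpoint.events.*`. Use one spelling throughout and either use the same pattern in both places or state that `logs-endpoint*` covers all Elastic Defend data streams and `logs-endpoint.events.*` is the subset the anomaly detection job reads. Likewise, the new warning's example "such as no eligible data in winlogbeat has come in yet" names only Winlogbeat even though the preceding bullet and the `logs-endpoint.events.*` data view apply equally to Elastic Defend; phrase it source-neutrally, e.g. "such as no eligible Windows process events having been ingested yet".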
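Review bot: Since the "Before you can enable this rule" line of the Ingest Pipeline Setup section is being rewritten in every file, this is the moment to fix the pipeline name it carries: both the removed and the added line refer to the pipeline as `-problem_child_ingest_pipeline`, which begins with a bare hyphen and reads as though a prefix (for example an angle-bracketed package-version placeholder, which would be swallowed when the note is rendered as HTML) was lost in an earlier edit. Confirm the name the LotL Attack Detection package actually installs and either restore the prefix in a form that survives rendering or describe it as a pattern, e.g. "the ingest pipeline whose name ends in `-problem_child_ingest_pipeline`", so readers can find it in Stack Management > Ingest Pipelines.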