diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
index 161aa44c3..6bc334102 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 75
@@ -21,7 +23,7 @@ false_positives = [
 from = "now-2h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "rare_method_for_a_username"
+machine_learning_job_id = "rare_method_for_a_user_id_ea"
 name = "Unusual AWS Command for a User"
 
 setup = """## Setup
diff --git a/rules/integrations/azure/ml_azure_event_failures.toml b/rules/integrations/azure/ml_azure_event_failures.toml
index 273f46e76..78fe48d35 100644
--- a/rules/integrations/azure/ml_azure_event_failures.toml
+++ b/rules/integrations/azure/ml_azure_event_failures.toml
@@ -2,9 +2,9 @@
 creation_date = "2025/10/06"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New job added"
-min_stack_version = "9.3.0"
-updated_date = "2025/12/08"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+min_stack_version = "9.4.0"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 50
@@ -23,7 +23,7 @@ false_positives = [
 from = "now-60m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "azure_activitylogs_high_distinct_count_event_action_on_failure"
+machine_learning_job_id = "azure_activitylogs_high_distinct_count_event_action_fail_ea"
 name = "Spike in Azure Activity Logs Failed Messages"
 
 note = """## Triage and analysis
diff --git a/rules/integrations/azure/ml_azure_rare_event_failures.toml b/rules/integrations/azure/ml_azure_rare_event_failures.toml
index 9e1182f57..aeeed15f1 100644
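Review bot: The three added `[metadata]` lines in the first hunk break the key order the rest of the table keeps, and the order is not the same across the files touched by this change: here `min_stack_version` precedes `min_stack_comments` and `updated_date`, the packetbeat_rare_user_agent, linux_anomalous_metadata_*, suspicious_login_activity, windows_anomalous_metadata_user, discovery_ml_linux_* and new execution_ml_windows_rare_script hunks append `min_stack_version` and `min_stack_comments` after `updated_date`, while the Azure and GCP hunks keep the alphabetical `min_stack_comments`, `min_stack_version`, `updated_date`. Consider normalising every touched file to that last ordering, i.e. `min_stack_comments = "Use EA (Entity Analytics) fields"`, `min_stack_version = "9.4.0"`, `updated_date = "2026/04/01"`. If the repository runs a key-sorting formatter over rule TOML it will presumably rewrite these anyway; otherwise the inconsistency will keep reappearing in later metadata diffs.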
--- a/rules/integrations/azure/ml_azure_rare_event_failures.toml
+++ b/rules/integrations/azure/ml_azure_rare_event_failures.toml
@@ -2,9 +2,9 @@
 creation_date = "2025/10/06"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "New job added"
-min_stack_version = "9.3.0"
-updated_date = "2025/12/08"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+min_stack_version = "9.4.0"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 50
@@ -23,7 +23,7 @@ false_positives = [
 from = "now-2h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "azure_activitylogs_rare_event_action_on_failure"
+machine_learning_job_id = "azure_activitylogs_rare_event_action_on_failure_ea"
 name = "Rare Azure Activity Logs Event Failures"
 
 note = """## Triage and analysis
diff --git a/rules/integrations/azure/ml_azure_rare_method_by_city.toml b/rules/integrations/azure/ml_azure_rare_method_by_city.toml
index cba37cb9c..f9eb59b78 100644
--- a/rules/integrations/azure/ml_azure_rare_method_by_city.toml
+++ b/rules/integrations/azure/ml_azure_rare_method_by_city.toml
@@ -3,8 +3,8 @@ creation_date = "2025/10/06"
 integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New job added"
-min_stack_version = "9.3.0"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 50
@@ -24,7 +24,7 @@ false_positives = [
 from = "now-2h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "azure_activitylogs_rare_event_action_for_a_city"
+machine_learning_job_id = "azure_activitylogs_rare_event_action_for_a_city_ea"
 name = "Unusual City for an Azure Activity Logs Event"
 
 note = """## Triage and analysis
diff --git a/rules/integrations/azure/ml_azure_rare_method_by_country.toml b/rules/integrations/azure/ml_azure_rare_method_by_country.toml
index 8ab7ffc66..7e9766480 100644
--- a/rules/integrations/azure/ml_azure_rare_method_by_country.toml
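Review bot: In the ml_azure_rare_method_by_city metadata hunk, `min_stack_version` is raised from 9.3.0 to 9.4.0 but the context line `min_stack_comments = "New job added"` is left untouched, so the comment now explains the old 9.3.0 floor rather than why 9.4.0 is required. Every other file in this change that bumps the version rewrites the comment, so the same line should become `min_stack_comments = "Use EA (Entity Analytics) fields"`. The same stale comment remains in the ml_azure_rare_method_by_country, ml_azure_rare_method_by_user, ml_gcp_rare_method_by_city, ml_gcp_rare_method_by_country and ml_gcp_rare_method_by_user metadata hunks.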
+++ b/rules/integrations/azure/ml_azure_rare_method_by_country.toml
@@ -3,8 +3,8 @@ creation_date = "2025/10/06"
 integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New job added"
-min_stack_version = "9.3.0"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 50
@@ -24,7 +24,7 @@ false_positives = [
 from = "now-2h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "azure_activitylogs_rare_event_action_for_a_country"
+machine_learning_job_id = "azure_activitylogs_rare_event_action_for_a_country_ea"
 name = "Unusual Country for an Azure Activity Logs Event"
 
 note = """## Triage and analysis
diff --git a/rules/integrations/azure/ml_azure_rare_method_by_user.toml b/rules/integrations/azure/ml_azure_rare_method_by_user.toml
index 712517153..4d4c58404 100644
--- a/rules/integrations/azure/ml_azure_rare_method_by_user.toml
+++ b/rules/integrations/azure/ml_azure_rare_method_by_user.toml
@@ -3,8 +3,8 @@ creation_date = "2025/10/06"
 integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New job added"
-min_stack_version = "9.3.0"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 75
@@ -23,7 +23,7 @@ false_positives = [
 from = "now-2h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "azure_activitylogs_rare_event_action_for_a_username"
+machine_learning_job_id = "azure_activitylogs_rare_event_action_for_a_user_email_ea"
 name = "Unusual Azure Activity Logs Event for a User"
 
 note = """## Triage and analysis
diff --git a/rules/integrations/gcp/ml_gcp_error_message_spike.toml b/rules/integrations/gcp/ml_gcp_error_message_spike.toml
index 5a8f5a9bd..dacc3c9b6 100644
--- a/rules/integrations/gcp/ml_gcp_error_message_spike.toml
+++ b/rules/integrations/gcp/ml_gcp_error_message_spike.toml
@@ -2,9 +2,9 @@
 creation_date = "2025/10/06"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New job added"
-min_stack_version = "9.3.0"
-updated_date = "2025/11/21"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+min_stack_version = "9.4.0"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 50
@@ -23,7 +23,7 @@ false_positives = [
 from = "now-60m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "gcp_audit_high_distinct_count_error_message"
+machine_learning_job_id = "gcp_audit_high_distinct_count_error_message_ea"
 name = "Spike in GCP Audit Failed Messages"
 
 setup = """## Setup
diff --git a/rules/integrations/gcp/ml_gcp_rare_error_code.toml b/rules/integrations/gcp/ml_gcp_rare_error_code.toml
index 00a36b532..27d48c423 100644
--- a/rules/integrations/gcp/ml_gcp_rare_error_code.toml
+++ b/rules/integrations/gcp/ml_gcp_rare_error_code.toml
@@ -2,9 +2,9 @@
 creation_date = "2025/10/06"
 integration = ["gcp"]
 maturity = "production"
-min_stack_comments = "New job added"
-min_stack_version = "9.3.0"
-updated_date = "2025/11/21"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+min_stack_version = "9.4.0"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 50
@@ -23,7 +23,7 @@ false_positives = [
 from = "now-2h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "gcp_audit_rare_error_code"
+machine_learning_job_id = "gcp_audit_rare_error_code_ea"
 name = "Rare GCP Audit Failure Event Code"
 
 setup = """## Setup
diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml
index 5b663d18f..03374a24d 100644
--- a/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml
+++ b/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml
@@ -3,8 +3,8 @@ creation_date = "2025/10/06"
 integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New job added"
-min_stack_version = "9.3.0"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 50
@@ -24,7 +24,7 @@ false_positives = [
 from = "now-2h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "gcp_audit_rare_method_for_a_city"
+machine_learning_job_id = "gcp_audit_rare_method_for_a_city_ea"
 name = "Unusual City For a GCP Event"
 
 setup = """## Setup
diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml
index 406d9c424..a6ee7f7b4 100644
--- a/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml
+++ b/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml
@@ -3,8 +3,8 @@ creation_date = "2025/10/06"
 integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New job added"
-min_stack_version = "9.3.0"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 50
@@ -24,7 +24,7 @@ false_positives = [
 from = "now-2h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "gcp_audit_rare_method_for_a_country"
+machine_learning_job_id = "gcp_audit_rare_method_for_a_country_ea"
 name = "Unusual Country For a GCP Event"
 
 setup = """## Setup
diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml
index 871858777..890c72513 100644
--- a/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml
+++ b/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml
@@ -3,8 +3,8 @@ creation_date = "2025/10/06"
 integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New job added"
-min_stack_version = "9.3.0"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 75
@@ -23,7 +23,7 @@ false_positives = [
 from = "now-2h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "gcp_audit_rare_method_for_a_client_user_email"
+machine_learning_job_id = "gcp_audit_rare_method_for_a_user_email_ea"
 name = "Unusual GCP Event for a User"
 
 setup = """## Setup
diff --git a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
index 6e0dfd194..2d1f9b33b 100644
--- a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 50
@@ -22,7 +24,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "packetbeat_dns_tunneling"
+machine_learning_job_id = "packetbeat_dns_tunneling_ea"
 name = "DNS Tunneling"
 
 setup = """## Setup
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
index f2fe9d6cf..910acadb8 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 50
@@ -25,7 +27,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "packetbeat_rare_dns_question"
+machine_learning_job_id = "packetbeat_rare_dns_question_ea"
 name = "Unusual DNS Activity"
 
 setup = """## Setup
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
index a48e00fa0..b7b447f73 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 50
@@ -28,7 +30,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "packetbeat_rare_urls"
+machine_learning_job_id = "packetbeat_rare_urls_ea"
 name = "Unusual Web Request"
 
 setup = """## Setup
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
index 8ad611b10..b6e0fee8a 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 50
@@ -26,7 +28,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "packetbeat_rare_user_agent"
+machine_learning_job_id = "packetbeat_rare_user_agent_ea"
 name = "Unusual Web User Agent"
 
 setup = """## Setup
diff --git a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
index 30ca95d7d..3b47febb7 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 75
@@ -21,7 +23,7 @@ false_positives = [
 from = "now-30m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "auth_high_count_logon_fails"
+machine_learning_job_id = "auth_high_count_logon_fails_ea"
 name = "Spike in Failed Logon Events"
 
 setup = """## Setup
diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
index 9fad9a30e..932535634 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 75
@@ -20,7 +22,7 @@ false_positives = [
 from = "now-30m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "auth_high_count_logon_events"
+machine_learning_job_id = "auth_high_count_logon_events_ea"
 name = "Spike in Logon Events"
 
 setup = """## Setup
diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
index 1e36cec12..f4a243931 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 75
@@ -20,7 +22,7 @@ false_positives = [
 from = "now-30m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "auth_high_count_logon_events_for_a_source_ip"
+machine_learning_job_id = "auth_high_count_logon_events_for_a_source_ip_ea"
 name = "Spike in Successful Logon Events from a Source IP"
 
 setup = """## Setup
diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
index 15e0e984e..7519118a5 100644
--- a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
+++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/22"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 50
@@ -20,7 +22,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_linux_rare_metadata_process"]
+machine_learning_job_id = ["v3_linux_rare_metadata_process_ea"]
 name = "Unusual Linux Process Calling the Metadata Service"
 
 setup = """## Setup
diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
index bddcf4eb5..b7e95774b 100644
--- a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
+++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/22"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -20,7 +22,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_linux_rare_metadata_user"]
+machine_learning_job_id = ["v3_linux_rare_metadata_user_ea"]
 name = "Unusual Linux User Calling the Metadata Service"
 
 setup = """## Setup
diff --git a/rules/ml/credential_access_ml_suspicious_login_activity.toml b/rules/ml/credential_access_ml_suspicious_login_activity.toml
index 1a3ed0a32..ca94eeda7 100644
--- a/rules/ml/credential_access_ml_suspicious_login_activity.toml
+++ b/rules/ml/credential_access_ml_suspicious_login_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 50
@@ -17,7 +19,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "suspicious_login_activity"
+machine_learning_job_id = "suspicious_login_activity_ea"
 name = "Unusual Login Activity"
 
 setup = """## Setup
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
index fb80318ed..fdc693f1c 100644
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/22"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 50
@@ -20,7 +22,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_windows_rare_metadata_process"]
+machine_learning_job_id = ["v3_windows_rare_metadata_process_ea"]
 name = "Unusual Windows Process Calling the Metadata Service"
 
 note = """## Triage and analysis
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
index 885dc3a82..601f850f5 100644
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/22"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -20,7 +22,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_windows_rare_metadata_user"]
+machine_learning_job_id = ["v3_windows_rare_metadata_user_ea"]
 name = "Unusual Windows User Calling the Metadata Service"
 
 note = """## Triage and analysis
diff --git a/rules/ml/discovery_ml_linux_system_information_discovery.toml b/rules/ml/discovery_ml_linux_system_information_discovery.toml
index 1fc150ac2..4228c6a44 100644
--- a/rules/ml/discovery_ml_linux_system_information_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_information_discovery.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -22,7 +24,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_linux_system_information_discovery"]
+machine_learning_job_id = ["v3_linux_system_information_discovery_ea"]
 name = "Unusual Linux System Information Discovery Activity"
 
 setup = """## Setup
diff --git a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
index c51fe1ec4..5cb14bd6b 100644
--- a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 25
@@ -22,7 +24,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_linux_network_configuration_discovery"]
+machine_learning_job_id = ["v3_linux_network_configuration_discovery_ea"]
 name = "Unusual Linux Network Configuration Discovery"
 
 setup = """## Setup
diff --git a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
index 0dc7700b1..2e0cc0ecf 100644
--- a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 25
@@ -22,7 +24,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_linux_network_connection_discovery"]
+machine_learning_job_id = ["v3_linux_network_connection_discovery_ea"]
 name = "Unusual Linux Network Connection Discovery"
 
 setup = """## Setup
diff --git a/rules/ml/discovery_ml_linux_system_process_discovery.toml b/rules/ml/discovery_ml_linux_system_process_discovery.toml
index 0f0f38d7a..cb11d41cb 100644
--- a/rules/ml/discovery_ml_linux_system_process_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_process_discovery.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 50
@@ -22,7 +24,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_linux_system_process_discovery"]
+machine_learning_job_id = ["v3_linux_system_process_discovery_ea"]
 name = "Unusual Linux Process Discovery Activity"
 
 setup = """## Setup
diff --git a/rules/ml/discovery_ml_linux_system_user_discovery.toml b/rules/ml/discovery_ml_linux_system_user_discovery.toml
index 97dcc42a2..22f792373 100644
--- a/rules/ml/discovery_ml_linux_system_user_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_user_discovery.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -22,7 +24,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_linux_system_user_discovery"]
+machine_learning_job_id = ["v3_linux_system_user_discovery_ea"]
 name = "Unusual Linux User Discovery Activity"
 
 setup = """## Setup
diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml
index 300b73598..6c5a83009 100644
--- a/rules/ml/execution_ml_windows_anomalous_script.toml
+++ b/rules/ml/execution_ml_windows_anomalous_script.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 50
@@ -20,7 +22,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_windows_anomalous_script"]
+machine_learning_job_id = ["v3_windows_anomalous_script_ea"]
 name = "Suspicious Powershell Script"
 
 note = """## Triage and analysis
diff --git a/rules/ml/execution_ml_windows_rare_script.toml b/rules/ml/execution_ml_windows_rare_script.toml
new file mode 100644
index 000000000..5b134429a
--- /dev/null
+++ b/rules/ml/execution_ml_windows_rare_script.toml
@@ -0,0 +1,148 @@
+[metadata]
+creation_date = "2026/03/27"
+integration = ["endpoint", "windows"]
+maturity = "production"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+
+[rule]
+anomaly_threshold = 50
+author = ["Elastic"]
+description = """
+A machine learning job detected a rare PowerShell script, identified by its script block hash, that may indicate
+execution of malware, or persistence mechanisms. Unlike anomaly detection based on content entropy, this rule
+identifies scripts that have rarely or never been seen in the environment.
+"""
+false_positives = [
+ """
+ A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
+ alert. PowerShell scripts that are new to the environment or run infrequently may trigger this alert.
+ """,
+]
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = ["v3_windows_rare_script_ea"]
+name = "Rare Powershell Script"
+note = """## Triage and analysis
+
+### Investigating Rare Powershell Script
+
+Searching for abnormal PowerShell scripts is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.
+
+This rule uses a machine learning job to detect a PowerShell script that is rare and unusual for an individual Windows host in your environment, based on the script block hash.
+
+#### Possible investigation steps
+
+- Investigate the PowerShell script block that triggered the detection. Retrieve the full script content associated with the hash and examine it for malicious indicators such as encoded commands, suspicious URLs, or unusual system calls.
+ - Investigate the process execution chain (parent process tree) for the PowerShell process.
Examine the parent process for prevalence, whether it is located in an expected location, and if it is signed with a valid digital signature.
+ - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Consider the user as identified by the `user.name` field. Is this script part of an expected workflow for the user who ran it on this host?
+- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.
+- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.
+- Retrieve the script block hash value and search for its existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+
+### False Positive Analysis
+
+- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.
+- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.
+
+### Related Rules
+
+- Suspicious Powershell Script - 1781d055-5c66-4adf-9d60-fc0fa58337b6
+
+### Response and Remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+ - Implement temporary network rules, procedures, and segmentation to contain the malware.
+ - Stop suspicious processes.
+ - Immediately block the identified indicators of compromise (IoCs).
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
+]
+risk_score = 21
+rule_id = "4577d441-0c05-4bfb-9068-39a0cb855269"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Windows
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Windows Integration Setup
+The Windows integration allows you to monitor the Windows OS, services, applications, and more.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Windows" and select the integration to see more details about it.
+- Click "Add Windows".
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed "windows" to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
+- Click "Save and Continue".
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
+"""
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
index 53e05ffe3..334db84fd 100644
--- a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
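Review bot: The False Positive Analysis bullet in `note` recommends exceptions "with a combination of user and command line conditions", but the rule's own `description` and investigation guidance key the detection on the script block hash, and a command-line condition does not constrain what a script block contains, so a user + command line exception would also hide the next genuinely new script that user runs. An exception scoped to the specific script block hash that was reviewed (optionally combined with host or user) suppresses only the known-benign script; suggested wording: `- If this activity is related to new benign software installation activity, consider adding exceptions — preferably scoped to the specific script block hash, combined with host or user conditions, rather than command line alone.` Separately, the investigation step points analysts at the `user.name` field while `min_stack_comments` says the job uses Entity Analytics fields; if the `_ea` job splits on a different user field, name that field in the step so the pivot matches what the job actually keyed on. The `name` and headings use "Powershell" while the body uses "PowerShell"; the related-rule title shows the former is the existing convention, so this is only worth aligning if the other rule titles are touched.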
+++ b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2024/06/18"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -16,7 +18,7 @@ false_positives = ["Users working late, or logging in from unusual time zones wh
 from = "now-30m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "auth_rare_hour_for_a_user"
+machine_learning_job_id = "auth_rare_hour_for_a_user_ea"
 name = "Unusual Hour for a User to Logon"
 setup = """## Setup
 
diff --git a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
index 25ab0ac2b..723319a49 100644
--- a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
+++ b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 75
@@ -17,7 +19,7 @@ false_positives = ["Business travelers who roam to new locations may trigger thi
 from = "now-30m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "auth_rare_source_ip_for_a_user"
+machine_learning_job_id = "auth_rare_source_ip_for_a_user_ea"
 name = "Unusual Source IP for a User to Logon from"
 setup = """## Setup
 
diff --git a/rules/ml/initial_access_ml_auth_rare_user_logon.toml b/rules/ml/initial_access_ml_auth_rare_user_logon.toml
index 47a768779..a297d00e4 100644
--- a/rules/ml/initial_access_ml_auth_rare_user_logon.toml
+++ b/rules/ml/initial_access_ml_auth_rare_user_logon.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2024/06/18"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -23,7 +25,7 @@ false_positives = [
 from = "now-30m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "auth_rare_user"
+machine_learning_job_id = "auth_rare_user_ea"
 name = "Rare User Logon"
 setup = """## Setup
 
diff --git a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
index 89fb357f6..f0165bdbd 100644
--- a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
+++ b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2025/01/17"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 50
@@ -26,7 +28,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_linux_anomalous_user_name"]
+machine_learning_job_id = ["v3_linux_anomalous_user_name_ea"]
 name = "Unusual Linux Username"
 setup = """## Setup
 
diff --git a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
index e0e85483f..77b161db9 100644
--- a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
+++ b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 50
@@ -26,7 +28,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_windows_anomalous_user_name"]
+machine_learning_job_id = ["v3_windows_anomalous_user_name_ea"]
 name = "Unusual Windows Username"
 note = """## Triage and analysis
 
diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
index d75624732..1311db225 100644
--- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
+++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 50
@@ -21,7 +23,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_windows_rare_user_type10_remote_login"]
+machine_learning_job_id = ["v3_windows_rare_user_type10_remote_login_ea"]
 name = "Unusual Windows Remote User"
 note = """## Triage and analysis
 
diff --git a/rules/ml/ml_high_count_events_for_a_host_name.toml b/rules/ml/ml_high_count_events_for_a_host_name.toml
index 4baed3cf7..61f2b57a3 100644
--- a/rules/ml/ml_high_count_events_for_a_host_name.toml
+++ b/rules/ml/ml_high_count_events_for_a_host_name.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 75
@@ -19,7 +21,7 @@ false_positives = [
 from = "now-1h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "high_count_events_for_a_host_name"
+machine_learning_job_id = "high_count_events_for_a_host_name_ea"
 name = "Spike in host-based traffic"
 setup = """## Setup
 
diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml
index 6993543b0..06789ac6b 100644
--- a/rules/ml/ml_linux_anomalous_network_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2025/11/18"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 50
@@ -17,7 +19,7 @@ applications.
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_linux_anomalous_network_activity"]
+machine_learning_job_id = ["v3_linux_anomalous_network_activity_ea"]
 name = "Unusual Linux Network Activity"
 setup = """## Setup
 
diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml
index c6d68ce99..7f7b001c0 100644
--- a/rules/ml/ml_linux_anomalous_network_port_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 50
@@ -16,7 +18,7 @@ false_positives = ["A newly installed program or one that rarely uses the networ
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_linux_anomalous_network_port_activity"]
+machine_learning_job_id = ["v3_linux_anomalous_network_port_activity_ea"]
 name = "Unusual Linux Network Port Activity"
 setup = """## Setup
 
diff --git a/rules/ml/ml_low_count_events_for_a_host_name.toml b/rules/ml/ml_low_count_events_for_a_host_name.toml
index 1e9be8d73..626f03f32 100644
--- a/rules/ml/ml_low_count_events_for_a_host_name.toml
+++ b/rules/ml/ml_low_count_events_for_a_host_name.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 75
@@ -19,7 +21,7 @@ false_positives = [
 from = "now-45m"
 interval = "5m"
 license = "Elastic License v2"
-machine_learning_job_id = "low_count_events_for_a_host_name"
+machine_learning_job_id = "low_count_events_for_a_host_name_ea"
 name = "Decline in host-based traffic"
 setup = """## Setup
 
diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml
index dd5fc5ab5..90cd09248 100644
--- a/rules/ml/ml_packetbeat_rare_server_domain.toml
+++ b/rules/ml/ml_packetbeat_rare_server_domain.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 50
@@ -25,7 +27,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "packetbeat_rare_server_domain"
+machine_learning_job_id = "packetbeat_rare_server_domain_ea"
 name = "Unusual Network Destination Domain Name"
 setup = """## Setup
 
diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml
index 0f4ce5e16..b1660d4a1 100644
--- a/rules/ml/ml_windows_anomalous_network_activity.toml
+++ b/rules/ml/ml_windows_anomalous_network_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 50
@@ -18,7 +20,7 @@ false_positives = ["A newly installed program or one that rarely uses the networ
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_windows_anomalous_network_activity"]
+machine_learning_job_id = ["v3_windows_anomalous_network_activity_ea"]
 name = "Unusual Windows Network Activity"
 note = """## Triage and analysis
 
diff --git a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
index 3df45d5fb..21a6f52ab 100644
--- a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
+++ b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/06/18"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 50
@@ -21,7 +23,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_linux_anomalous_process_all_hosts"]
+machine_learning_job_id = ["v3_linux_anomalous_process_all_hosts_ea"]
 name = "Anomalous Process For a Linux Population"
 setup = """## Setup
 
diff --git a/rules/ml/persistence_ml_rare_process_by_host_linux.toml b/rules/ml/persistence_ml_rare_process_by_host_linux.toml
index 27b54cff3..50b231865 100644
--- a/rules/ml/persistence_ml_rare_process_by_host_linux.toml
+++ b/rules/ml/persistence_ml_rare_process_by_host_linux.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 50
@@ -21,7 +23,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_rare_process_by_host_linux"]
+machine_learning_job_id = ["v3_rare_process_by_host_linux_ea"]
 name = "Unusual Process For a Linux Host"
 setup = """## Setup
 
diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
index 9c3f5c00f..76472e0a2 100644
--- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml
+++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+updated_date = "2026/04/01"
 
 [transform]
 [[transform.osquery]]
@@ -47,7 +49,7 @@ false_positives = [
 from = "now-6h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_rare_process_by_host_windows"]
+machine_learning_job_id = ["v3_rare_process_by_host_windows_ea"]
 name = "Unusual Process For a Windows Host"
 note = """## Triage and analysis
 
diff --git a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
index ce8453a68..d946c621b 100644
--- a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 50
@@ -23,7 +25,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_windows_anomalous_path_activity"]
+machine_learning_job_id = ["v3_windows_anomalous_path_activity_ea"]
 name = "Unusual Windows Path Activity"
 note = """## Triage and analysis
 
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
index f9ada397b..a21d0da54 100644
--- a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
@@ -2,8 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
-
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 [transform]
 [[transform.osquery]]
 label = "Osquery - Retrieve DNS Cache"
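Review bot: The removed `-` line in the `@@ -2,8 +2,9 @@` hunk of persistence_ml_windows_anomalous_process_all_hosts.toml is the blank separator, so on the new side `min_stack_comments = "Use EA (Entity Analytics) fields"` runs straight into `[transform]` with no blank line between the `[metadata]` keys and the next table. Every sibling file in this commit keeps that blank line, including persistence_ml_rare_process_by_host_windows.toml just above, whose `[metadata]` block is likewise followed by `[transform]`. Keep the blank as a context line instead of deleting it, i.e. `+min_stack_comments = "Use EA (Entity Analytics) fields"`, an empty line, then `[transform]`. It parses either way; this is layout consistency only, and it avoids a spurious re-diff when the file is next normalised.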
@@ -47,7 +48,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_windows_anomalous_process_all_hosts"]
+machine_learning_job_id = ["v3_windows_anomalous_process_all_hosts_ea"]
 name = "Anomalous Process For a Windows Population"
 note = """## Triage and analysis
 
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
index e075e166a..ff10665ee 100644
--- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+updated_date = "2026/04/01"
 
 [transform]
 [[transform.osquery]]
@@ -50,7 +52,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_windows_anomalous_process_creation"]
+machine_learning_job_id = ["v3_windows_anomalous_process_creation_ea"]
 name = "Anomalous Windows Process Creation"
 note = """## Triage and analysis
 
diff --git a/rules/ml/persistence_ml_windows_anomalous_service.toml b/rules/ml/persistence_ml_windows_anomalous_service.toml
index bf7341edc..7c32853a0 100644
--- a/rules/ml/persistence_ml_windows_anomalous_service.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_service.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 50
@@ -21,7 +23,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_windows_anomalous_service"]
+machine_learning_job_id = ["v3_windows_anomalous_service_ea"]
 name = "Unusual Windows Service"
 note = """## Triage and analysis
 
diff --git a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
index c41b0d62e..391fdd76f 100644
--- a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
+++ b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -20,7 +22,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_linux_rare_sudo_user"]
+machine_learning_job_id = ["v3_linux_rare_sudo_user_ea"]
 name = "Unusual Sudo Activity"
 setup = """## Setup
 
diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
index 45c5273ac..59377401f 100644
--- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
+++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 50
@@ -21,7 +23,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_windows_rare_user_runas_event"]
+machine_learning_job_id = ["v3_windows_rare_user_runas_event_ea"]
 name = "Unusual Windows User Privilege Elevation Activity"
 note = """## Triage and analysis
 
diff --git a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
index e8d45581e..8ce30955e 100644
--- a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
+++ b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
+updated_date = "2026/04/01"
 
 [rule]
 anomaly_threshold = 50
@@ -21,7 +23,7 @@ false_positives = [
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = ["v3_linux_rare_user_compiler"]
+machine_learning_job_id = ["v3_linux_rare_user_compiler_ea"]
 name = "Anomalous Linux Compiler Activity"
 setup = """## Setup