Update rule setup instructions for UEBA packages (#3652)

* update detection-rules instructions for UEBA packages

---------

Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com>
Gus Carlock
2024-05-28 14:21:46 -05:00
committed by GitHub
parent d5c57463e1
commit 8b28a515c1
32 changed files with 62 additions and 537 deletions
@@ -35,7 +35,7 @@ The Network Beaconing Identification integration consists of a statistical frame
#### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.
- Under Settings, click "Install Network Beaconing Identification assets" and follow the prompts to install the assets.
- Follow the instructions under the **Installation** section.
"""
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
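Review bot: the new bullet "Follow the instructions under the **Installation** section" points at a section that no longer exists in this rule's own setup text, because the three bullets that walked through Integrations > Settings > "Install Network Beaconing Identification assets" are the lines being removed. Say where that section lives (the Network Beaconing Identification integration's documentation) and, if that page is not already in `references`, add it there so the setup guide is reachable from the rule in Kibana. The next hunk carries the identical wording, so whatever phrasing is settled on here should be applied to both.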
@@ -35,7 +35,7 @@ The Network Beaconing Identification integration consists of a statistical frame
#### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.
- Under Settings, click "Install Network Beaconing Identification assets" and follow the prompts to install the assets.
- Follow the instructions under the **Installation** section.
"""
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
@@ -41,14 +41,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
#### Anomaly Detection Setup
Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your network data. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
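Review bot: the removed bullets carried the only rule-local statement of which data view the DED jobs need (`logs-endpoint.events.*` for Elastic Defend, `logs-network_traffic.*` for Network Packet Capture) and the link to `ded-ml.json`; the replacement "complete the instructions through **Add preconfigured anomaly detection jobs**" names a section by title only, which will silently go stale if the integration README renames it. Suggest linking the integration documentation from the bullet (or from `references`) so the index-pattern guidance stays one click away from the rule.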
@@ -41,14 +41,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
#### Anomaly Detection Setup
Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your network data. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
@@ -40,14 +40,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
#### Anomaly Detection Setup
Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your network data. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
@@ -41,14 +41,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
#### Anomaly Detection Setup
Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your network data. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
@@ -40,14 +40,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
#### Anomaly Detection Setup
Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
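Review bot: this rule's removed text differs from the four DED hunks above: it asks for the data view containing file events and lists only `logs-endpoint.events.*`, while the others ask for network data and also list `logs-network_traffic.*`. The replacement bullets are identical in both cases, so the distinction between the file-based and network-based DED jobs is lost; consider keeping a one-line note of which data source this rule's job consumes.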
@@ -41,14 +41,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
#### Anomaly Detection Setup
Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
@@ -40,14 +40,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
#### Anomaly Detection Setup
Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
@@ -40,32 +40,8 @@ The DGA Detection integration consists of an ML-based framework to detect DGA ac
#### The following steps should be executed to install assets associated with the DGA Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.
- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.
#### Ingest Pipeline Setup
Before you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. This is done via the ingest pipeline named `<package_version>-ml_dga_ingest_pipeline` installed with the DGA Detection package.
- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.
- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).
#### Adding Custom Mappings
- Go to the Kibana homepage. Under Management, click Stack Management.
- Under Data click Index Management and navigate to the Component Templates tab.
- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
```
{
"properties": {
"ml_is_dga": {
"properties": {
"malicious_prediction": {
"type": "long"
},
"malicious_probability": {
"type": "float"
}
}
}
}
}
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Configure the ingest pipeline**.
```
"""
severity = "critical"
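Review bot: in this view the two new bullets sit between the removed `ml_is_dga` mapping JSON and a closing ``` fence; the hunk counts (-32/+8) suggest the fence is going away with the block, but please confirm it is removed rather than kept as context, or the bullets end up inside an unterminated code fence in the rule's setup text. Separately, the removed **Adding Custom Mappings** section (`malicious_prediction` as `long`, `malicious_probability` as `float` under `ml_is_dga`) was a distinct step from the ingest pipeline setup, and the removed text says the rule cannot be enabled until DNS events carry those predictions; check that the new cutoff "through **Configure the ingest pipeline**" actually includes the mapping step in the integration docs.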
@@ -42,32 +42,8 @@ The DGA Detection integration consists of an ML-based framework to detect DGA ac
#### The following steps should be executed to install assets associated with the DGA Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.
- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.
#### Ingest Pipeline Setup
Before you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. This is done via the ingest pipeline named `<package_version>-ml_dga_ingest_pipeline` installed with the DGA Detection package.
- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.
- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).
#### Adding Custom Mappings
- Go to the Kibana homepage. Under Management, click Stack Management.
- Under Data click Index Management and navigate to the Component Templates tab.
- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
```
{
"properties": {
"ml_is_dga": {
"properties": {
"malicious_prediction": {
"type": "long"
},
"malicious_probability": {
"type": "float"
}
}
}
}
}
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
```
### Anomaly Detection Setup
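Review bot: this hunk's new cutoff reads "through **Add preconfigured anomaly detection jobs**" while the other DGA rules in this commit say "through **Configure the ingest pipeline**"; since this rule keeps its own "### Anomaly Detection Setup" section as trailing context, check that the retained section does not now duplicate the steps the pointer delegates to the integration docs, and align its heading level with the `####` used for the other setup headings in this file.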
@@ -40,32 +40,8 @@ The DGA Detection integration consists of an ML-based framework to detect DGA ac
#### The following steps should be executed to install assets associated with the DGA Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.
- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.
#### Ingest Pipeline Setup
Before you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. This is done via the ingest pipeline named `<package_version>-ml_dga_ingest_pipeline` installed with the DGA Detection package.
- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.
- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).
#### Adding Custom Mappings
- Go to the Kibana homepage. Under Management, click Stack Management.
- Under Data click Index Management and navigate to the Component Templates tab.
- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
```
{
"properties": {
"ml_is_dga": {
"properties": {
"malicious_prediction": {
"type": "long"
},
"malicious_probability": {
"type": "float"
}
}
}
}
}
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Configure the ingest pipeline**.
```
"""
severity = "low"
@@ -40,32 +40,8 @@ The DGA Detection integration consists of an ML-based framework to detect DGA ac
#### The following steps should be executed to install assets associated with the DGA Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.
- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.
#### Ingest Pipeline Setup
Before you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. This is done via the ingest pipeline named `<package_version>-ml_dga_ingest_pipeline` installed with the DGA Detection package.
- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.
- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).
#### Adding Custom Mappings
- Go to the Kibana homepage. Under Management, click Stack Management.
- Under Data click Index Management and navigate to the Component Templates tab.
- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
```
{
"properties": {
"ml_is_dga": {
"properties": {
"malicious_prediction": {
"type": "long"
},
"malicious_probability": {
"type": "float"
}
}
}
}
}
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Configure the ingest pipeline**.
```
"""
severity = "low"
@@ -41,15 +41,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
#### Anomaly Detection Setup
Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
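Review bot: the removed prerequisite about the Pivot Transform writing to `ml-rdp-lmd` is the one piece of setup specific to this rule's RDP data path, and the generic "through **Add preconfigured anomaly detection jobs**" pointer does not mention it. Either keep a one-line note that the jobs read from the transform's destination index `ml-rdp-lmd`, or confirm that the integration's instructions up to that section include installing and starting the transform, since an anomaly job created against an empty destination index will run without ever producing results.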
@@ -41,15 +41,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
#### Anomaly Detection Setup
Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
@@ -42,14 +42,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
#### Anomaly Detection Setup
Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
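Review bot: as with the file-event DED rules, this hunk's removed text asked for the data view containing file events (`logs-endpoint.events.*`) rather than the `ml-rdp-lmd` transform index used by the surrounding LMD hunks, and the replacement bullets make the two variants indistinguishable; keep a short note of the data source so the job is not pointed at the wrong data view.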
@@ -41,15 +41,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
#### Anomaly Detection Setup
Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
@@ -41,14 +41,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
#### Anomaly Detection Setup
Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
@@ -40,14 +40,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
#### Anomaly Detection Setup
Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
@@ -41,15 +41,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
#### Anomaly Detection Setup
Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
@@ -41,15 +41,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
#### Anomaly Detection Setup
Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
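Review bot: the link to `lmd-ml.json` in the removed bullet was the one troubleshooting pointer that explains why the "Lateral Movement Detection" card may not appear under "Use preconfigured jobs" (the selected Data View has to match that module's query). The replacement text gives no way to debug a missing card. Consider keeping the link as a short troubleshooting note after the two new bullets.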
@@ -40,15 +40,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
#### Anomaly Detection Setup
Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
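Review bot: the bullet "complete the instructions through **Add preconfigured anomaly detection jobs**" hard-codes a heading from an external document. If the integration's documentation renames or reorders that section, this rule (and every other rule in this commit using the same wording) points at nothing, and there is no test that would catch it. Linking to the section anchor, or at least noting in the PR which documentation version these headings were copied from, would make the dependency visible.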
@@ -42,14 +42,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
#### Anomaly Detection Setup
Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
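Review bot: unlike the other Lateral Movement Detection rules in this commit, this rule's job reads file events (the removed text named `logs-endpoint.events.*` as the Data View), not the `ml-rdp-lmd` transform output. The new generic bullets no longer carry that distinction, so a reader following a single set of instructions may select the RDP Data View and never see the preconfigured-jobs card for this job. Confirm the referenced **Add preconfigured anomaly detection jobs** section distinguishes the two Data Views, or keep the `logs-endpoint.events.*` hint in this rule's note.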
@@ -41,15 +41,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
#### Anomaly Detection Setup
Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
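Review bot: the retained heading "#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:" now introduces only two bullets, and the second one ("complete the instructions through **Add preconfigured anomaly detection jobs**") is about enabling ML jobs, not installing assets. Retitle the heading to cover setup as a whole (for example "#### Setup") so the heading matches what follows.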
@@ -42,43 +42,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.
#### Ingest Pipeline Setup
**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `<package_version>-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.
- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.
- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).
#### Adding Custom Mappings
- Go to the Kibana homepage. Under Management, click Stack Management.
- Under Data click Index Management and navigate to the Component Templates tab.
- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
```
{
"properties": {
"problemchild": {
"properties": {
"prediction": {
"type": "long"
},
"prediction_probability": {
"type": "float"
}
}
},
"blocklist_label": {
"type": "long"
}
}
}
```
### Anomaly Detection Setup
**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: If the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and check whether any ProblemChild predictions have been generated.
- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
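Review bot: the removed warning ("If the ingest pipeline hasn't run for some reason ... you won't be able to see this card yet") describes the failure mode most likely to strand a user: the preconfigured-jobs card is invisible until `<package_version>-problem_child_ingest_pipeline` has produced at least one prediction. Unless the integration documentation's **Add preconfigured anomaly detection jobs** section repeats that caveat, keep a one-sentence version of it here, since it is the step where users actually get stuck.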
@@ -42,43 +42,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.
#### Ingest Pipeline Setup
**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `<package_version>-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.
- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.
- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).
#### Adding Custom Mappings
- Go to the Kibana homepage. Under Management, click Stack Management.
- Under Data click Index Management and navigate to the Component Templates tab.
- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
```
{
"properties": {
"problemchild": {
"properties": {
"prediction": {
"type": "long"
},
"prediction_probability": {
"type": "float"
}
}
},
"blocklist_label": {
"type": "long"
}
}
}
```
### Anomaly Detection Setup
**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.
- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
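Review bot: this hunk removes the guidance on how to wire the pipeline in for each collector: the Beats `pipeline` setting in `winlogbeat.yml`, the pipeline processor for an existing pipeline, and the check for a default or final pipeline on `logs-endpoint*` under Data > Index Management. That is the part of the setup that differs between Winlogbeat and Elastic Defend deployments, and the new bullets say nothing about either. Please confirm the linked **Configure the ingest pipeline** section covers both collectors before merging.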
@@ -43,43 +43,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.
#### Ingest Pipeline Setup
**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `<package_version>-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.
- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.
- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).
#### Adding Custom Mappings
- Go to the Kibana homepage. Under Management, click Stack Management.
- Under Data click Index Management and navigate to the Component Templates tab.
- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
```
{
"properties": {
"problemchild": {
"properties": {
"prediction": {
"type": "long"
},
"prediction_probability": {
"type": "float"
}
}
},
"blocklist_label": {
"type": "long"
}
}
}
```
### Anomaly Detection Setup
**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.
- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
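Review bot: the removed step told the user which Data View to pick for the job by source (`logs-endpoint.events.*` for Elastic Defend, `winlogbeat-*` for Winlogbeat). Selecting the wrong one is exactly why the preconfigured card does not appear, so dropping the hint without a replacement makes the generic "complete the instructions through **Add preconfigured anomaly detection jobs**" bullet harder to follow. Keep the two index patterns in a short parenthetical, or verify the referenced section names them.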
@@ -40,35 +40,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.
#### Ingest Pipeline Setup
**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `<package_version>-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.
- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.
- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).
#### Adding Custom Mappings
- Go to the Kibana homepage. Under Management, click Stack Management.
- Under Data click Index Management and navigate to the Component Templates tab.
- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
```
{
"properties": {
"problemchild": {
"properties": {
"prediction": {
"type": "long"
},
"prediction_probability": {
"type": "float"
}
}
},
"blocklist_label": {
"type": "long"
}
}
}
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Configure the ingest pipeline**.
```
"""
severity = "low"
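Review bot: the closing ``` on the context line after the two added bullets is now orphaned: its opening fence was deleted together with the JSON mapping block, so the rendered setup guide will open a stray code block right after "complete the instructions through **Configure the ingest pipeline**." The new bullets also sit before that fence rather than after it, which is how the orphan slipped in. Include the ``` line in the removal so the note ends cleanly at the second bullet.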
@@ -40,35 +40,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.
#### Ingest Pipeline Setup
**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `<package_version>-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.
- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.
- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).
#### Adding Custom Mappings
- Go to the Kibana homepage. Under Management, click Stack Management.
- Under Data click Index Management and navigate to the Component Templates tab.
- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
```
{
"properties": {
"problemchild": {
"properties": {
"prediction": {
"type": "long"
},
"prediction_probability": {
"type": "float"
}
}
},
"blocklist_label": {
"type": "long"
}
}
}
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Configure the ingest pipeline**.
```
"""
severity = "low"
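Review bot: same structural problem as the other non-ML LotL rule: the hunk deletes the opening ``` of the mapping JSON but leaves the closing ``` as a context line below the added bullets. Rendered, that trailing fence opens an unterminated code block at the end of the investigation note. Remove the stray ``` as part of this hunk.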
@@ -44,43 +44,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.
#### Ingest Pipeline Setup
**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `<package_version>-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.
- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.
- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).
#### Adding Custom Mappings
- Go to the Kibana homepage. Under Management, click Stack Management.
- Under Data click Index Management and navigate to the Component Templates tab.
- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
```
{
"properties": {
"problemchild": {
"properties": {
"prediction": {
"type": "long"
},
"prediction_probability": {
"type": "float"
}
}
},
"blocklist_label": {
"type": "long"
}
}
}
```
### Anomaly Detection Setup
**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.
- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
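Review bot: with the install steps removed, the note no longer tells the reader what the package is called in Kibana. The surrounding text says "LotL Attack Detection integration", while the deleted bullet searched Integrations for "Living off the Land Attack Detection". A user searching for "LotL" in the Integrations UI may not find it. State the package name as it appears in Kibana in the first new bullet, for example "Follow the instructions under the **Installation** section of the Living off the Land Attack Detection integration."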
@@ -44,43 +44,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.
#### Ingest Pipeline Setup
**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `<package_version>-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.
- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.
- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).
#### Adding Custom Mappings
- Go to the Kibana homepage. Under Management, click Stack Management.
- Under Data click Index Management and navigate to the Component Templates tab.
- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
```
{
"properties": {
"problemchild": {
"properties": {
"prediction": {
"type": "long"
},
"prediction_probability": {
"type": "float"
}
}
},
"blocklist_label": {
"type": "long"
}
}
}
```
### Anomaly Detection Setup
**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.
- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
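Review bot: the two new bullets are only actionable if the integration's documentation is reachable from this rule. Nothing in the hunk adds a link, and the pipeline name `<package_version>-problem_child_ingest_pipeline`, the `@custom` component template step and the `problemchild-ml.json` link that previously anchored the note are all gone. Add the integration's documentation URL to `references` (or inline in the first bullet) so **Installation** and **Add preconfigured anomaly detection jobs** resolve to something.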
@@ -44,43 +44,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.
#### Ingest Pipeline Setup
**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `<package_version>-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.
- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.
- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).
#### Adding Custom Mappings
- Go to the Kibana homepage. Under Management, click Stack Management.
- Under Data click Index Management and navigate to the Component Templates tab.
- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
```
{
"properties": {
"problemchild": {
"properties": {
"prediction": {
"type": "long"
},
"prediction_probability": {
"type": "float"
}
}
},
"blocklist_label": {
"type": "long"
}
}
}
```
### Anomaly Detection Setup
**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job.
- Go to the Kibana homepage. Under Analytics, click Machine Learning.
- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.
- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.
- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
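Review bot: the same two-line setup text is pasted verbatim into every LotL and Lateral Movement rule in this commit, differing only in the heading named in the second bullet. When the integration documentation changes a heading, each file has to be edited again by hand, which is how the previous copies drifted (compare the inconsistent "### Anomaly Detection Setup" versus "#### Ingest Pipeline Setup" levels being deleted here). Consider generating this snippet from a shared source, or at minimum add a note in the PR listing the heading names so the next update can be done by search and replace.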