diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
index 3159b3e2e..5dadd95b2 100644
Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz
index 026d7cf39..05455f50b 100644
Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ
diff --git a/pyproject.toml b/pyproject.toml
index d529308a0..0832c3dd3 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.32"
+version = "1.5.31"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/linux/command_and_control_kubectl_networking_modification.toml b/rules/linux/command_and_control_kubectl_networking_modification.toml
index 17fe6a60a..b2f22c675 100644
--- a/rules/linux/command_and_control_kubectl_networking_modification.toml
+++ b/rules/linux/command_and_control_kubectl_networking_modification.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/06/19"
-integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_defend"]
+integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/01/19"
+updated_date = "2025/07/07"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,6 @@ index = [
     "logs-crowdstrike.fdr*",
     "logs-endpoint.events.process*",
     "logs-sentinel_one_cloud_funnel.*",
-    "logs-cloud_defend.process*",
 ]
 language = "eql"
 license = "Elastic License v2"
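Review bot: `version` moves backwards in this hunk, from 1.5.32 to 1.5.31, which reads as a rollback rather than a release bump. If this commit is a revert of the cloud_defend removal, the package version should still move forward (`version = "1.5.33"`), because anything that orders releases by version will treat this build as older than what is already published. If the decrement is intentional it deserves a sentence in the commit message explaining why.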
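Review bot: `updated_date` is set to "2025/07/07", earlier than the "2026/01/19" it replaces, and every other rule in this diff gets the same backwards move. The rule's content changes here (the `integration` list, the `index` list and, further down, the query), so the date should record when this edit was made; as far as I know the repository's version-lock tooling keys off this field, and a stale date can hide the change from the next release. Set `updated_date = "<date of this change>"` in each touched rule rather than restoring an older value.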
@@ -97,7 +96,6 @@ tags = [
     "Data Source: Elastic Endgame",
     "Data Source: Crowdstrike",
     "Data Source: SentinelOne",
-    "Data Source: Elastic Defend for Containers",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -106,7 +104,7 @@ query = '''
 process where host.os.type == "linux" and event.type == "start" and
 event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
 process.name == "kubectl" and (
-  process.args == "port-forward" and process.args like "*:*" or
+  process.args == "port-forward" and process.command_line like "*:*" or
   process.args in ("proxy", "expose")
 ) and (
   process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") or
diff --git a/rules/linux/defense_evasion_potential_kubectl_impersonation.toml b/rules/linux/defense_evasion_potential_kubectl_impersonation.toml
index b8e13a7d8..5d6ba4ecf 100644
--- a/rules/linux/defense_evasion_potential_kubectl_impersonation.toml
+++ b/rules/linux/defense_evasion_potential_kubectl_impersonation.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/06/19"
-integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "cloud_defend"]
+integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/01/19"
+updated_date = "2025/12/18"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,6 @@ index = [
     "logs-auditd_manager.auditd-*",
     "logs-endpoint.events.process*",
     "logs-sentinel_one_cloud_funnel.*",
-    "logs-cloud_defend.process*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -101,7 +100,6 @@ tags = [
     "Data Source: Elastic Defend",
     "Data Source: Auditd Manager",
     "Data Source: SentinelOne",
-    "Data Source: Elastic Defend for Containers",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/defense_evasion_potential_kubectl_masquerading.toml b/rules/linux/defense_evasion_potential_kubectl_masquerading.toml
index a3e787fc5..811f56269 100644
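Review bot: The `port-forward` branch now keys off `process.command_line` while the `proxy`/`expose` branch and the rest of the query still use `process.args`; if any of the three listed process sources (Elastic Defend, CrowdStrike FDR, SentinelOne) leaves `process.command_line` unset on an event, `null like "*:*"` evaluates to null rather than false, so the port-forward branch silently never fires for that source while the other branch still does. This is worth confirming against the integration schemas before relying on it, or hedging by accepting either form: `process.args == "port-forward" and (process.command_line like "*:*" or process.args like "*:*") or`. The `or` chain of parent shells continues past the end of the hunk.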
--- a/rules/linux/defense_evasion_potential_kubectl_masquerading.toml
+++ b/rules/linux/defense_evasion_potential_kubectl_masquerading.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/06/19"
-integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_defend"]
+integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/01/19"
+updated_date = "2025/12/18"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,6 @@ index = [
     "logs-crowdstrike.fdr*",
     "logs-endpoint.events.process*",
     "logs-sentinel_one_cloud_funnel.*",
-    "logs-cloud_defend.process*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -100,7 +99,6 @@ tags = [
     "Data Source: Elastic Endgame",
     "Data Source: Crowdstrike",
     "Data Source: SentinelOne",
-    "Data Source: Elastic Defend for Containers",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -112,7 +110,7 @@ event.action in ("exec", "exec_event", "start", "executed", "process_started") a
   process.executable like~ ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/root/*", "/var/www/*", "./kubectl") or
   process.name like ".*"
 ) and
-process.args like~ (
+process.command_line like~ (
   // get and describe commands
   "*get po*", "*get deploy*", "*get node*", "*get svc*", "*get service*", "*get secret*", "*get clusterrole*", "*get ingress*",
diff --git a/rules/linux/discovery_docker_socket_discovery.toml b/rules/linux/discovery_docker_socket_discovery.toml
index 4dfa89571..baefc1b93 100644
--- a/rules/linux/discovery_docker_socket_discovery.toml
+++ b/rules/linux/discovery_docker_socket_discovery.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/03/04"
-integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_defend"]
+integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/01/19"
+updated_date = "2025/12/18"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,6 @@ index = [
     "logs-crowdstrike.fdr*",
     "logs-endpoint.events.process*",
     "logs-sentinel_one_cloud_funnel.*",
-    "logs-cloud_defend.process*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -101,7 +100,6 @@ tags = [
     "Data Source: Auditd Manager",
     "Data Source: Crowdstrike",
     "Data Source: SentinelOne",
-    "Data Source: Elastic Defend for Containers",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -110,7 +108,7 @@ query = '''
 process where host.os.type == "linux" and event.type == "start" and
 event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
 process.name in ("curl", "socat", "nc", "netcat", "ncat", "nc.traditional") and
-process.args like ("*/var/run/docker.sock*", "*/run/docker.sock*") and
+process.command_line like ("*/var/run/docker.sock*", "*/run/docker.sock*") and
 process.parent.executable != null and
 not (
   process.parent.executable in ("/usr/sbin/sshd", "/www/server/panel/BT-Panel") or
diff --git a/rules/linux/discovery_kubeconfig_file_discovery.toml b/rules/linux/discovery_kubeconfig_file_discovery.toml
index b1998a7d4..481b84957 100644
--- a/rules/linux/discovery_kubeconfig_file_discovery.toml
+++ b/rules/linux/discovery_kubeconfig_file_discovery.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/06/17"
-integration = ["endpoint", "cloud_defend"]
+integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/19"
+updated_date = "2025/12/18"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,6 @@ directories.
 from = "now-9m"
 index = [
     "logs-endpoint.events.process*",
-    "logs-cloud_defend.process*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -98,7 +97,6 @@ tags = [
     "Use Case: Threat Detection",
     "Tactic: Discovery",
     "Data Source: Elastic Defend",
-    "Data Source: Elastic Defend for Containers",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
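Review bot: The first pattern in the new `process.command_line like ("*/var/run/docker.sock*", "*/run/docker.sock*")` is redundant: the leading `*` in `"*/run/docker.sock*"` already absorbs the `/var` prefix, so the single pattern covers both socket paths and `process.command_line like "*/run/docker.sock*" and` is equivalent and easier to read. Separately, moving from `process.args` to `process.command_line` makes the match depend on that field being populated by every listed source (auditd_manager, CrowdStrike FDR, SentinelOne), which I cannot confirm from the diff; an event with the field unset yields null for the `like`, and the whole `and` chain then fails silently rather than matching. The `not (...)` exclusion block continues beyond the hunk.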
diff --git a/rules/linux/discovery_kubectl_permission_discovery.toml b/rules/linux/discovery_kubectl_permission_discovery.toml
index d58d24ae3..ea8707c76 100644
--- a/rules/linux/discovery_kubectl_permission_discovery.toml
+++ b/rules/linux/discovery_kubectl_permission_discovery.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/06/17"
-integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_defend"]
+integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/01/19"
+updated_date = "2025/12/18"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,6 @@ index = [
     "logs-crowdstrike.fdr*",
     "logs-endpoint.events.process*",
     "logs-sentinel_one_cloud_funnel.*",
-    "logs-cloud_defend.process*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -102,7 +101,6 @@ tags = [
     "Data Source: Auditd Manager",
     "Data Source: Crowdstrike",
     "Data Source: SentinelOne",
-    "Data Source: Elastic Defend for Containers",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/execution_kubectl_apply_pod_from_url.toml b/rules/linux/execution_kubectl_apply_pod_from_url.toml
index f8288a54e..6befd6eb9 100644
--- a/rules/linux/execution_kubectl_apply_pod_from_url.toml
+++ b/rules/linux/execution_kubectl_apply_pod_from_url.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/06/27"
-integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager", "cloud_defend"]
+integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2026/01/19"
+updated_date = "2025/12/18"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,6 @@ index = [
     "logs-endpoint.events.process*",
     "logs-sentinel_one_cloud_funnel.*",
     "logs-auditd_manager.auditd-*",
-    "logs-cloud_defend.process*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -98,7 +97,6 @@ tags = [
     "Data Source: Elastic Defend",
     "Data Source: Crowdstrike",
     "Data Source: SentinelOne",
-    "Data Source: Elastic Defend for Containers",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -108,7 +106,7 @@ process where host.os.type == "linux" and event.type == "start" and
 event.action in ("exec", "exec_event", "start", "ProcessRollup2", "process_started", "executed") and
 process.name == "kubectl" and process.args == "apply" and process.args like ("http://*", "https://*") and
-not ?process.command_line like ("*download.elastic.co*", "*github.com/kubernetes-sigs/*")
+not process.command_line like ("*download.elastic.co*", "*github.com/kubernetes-sigs/*")
 '''
 
 [[rule.threat]]
diff --git a/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml b/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml
index db0d97331..b0d37287c 100644
--- a/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml
+++ b/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/06/23"
-integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager", "cloud_defend"]
+integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2026/01/19"
+updated_date = "2025/12/18"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,6 @@ index = [
     "logs-endpoint.events.process*",
     "logs-sentinel_one_cloud_funnel.*",
     "logs-auditd_manager.auditd-*",
-    "logs-cloud_defend.process*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -102,7 +101,6 @@ tags = [
     "Data Source: Elastic Endgame",
     "Data Source: Crowdstrike",
     "Data Source: SentinelOne",
-    "Data Source: Elastic Defend for Containers",
     "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
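Review bot: Dropping the `?` from `not ?process.command_line like (...)` makes `process.command_line` a required field for every index this rule still queries, including `logs-auditd_manager.auditd-*`, `logs-crowdstrike.fdr*` and `logs-sentinel_one_cloud_funnel.*`; the optional marker exists so that validation against an integration schema lacking the field does not fail, so this needs checking against those schemas before it lands. Independently of the marker, the field sits under a `not`: an event whose `process.command_line` is unset makes the exclusion null rather than true, and the whole `and` chain then fails, so a `kubectl apply https://...` without a recorded command line would not alert at all. If neither effect is intended, keep the optional form: `not ?process.command_line like ("*download.elastic.co*", "*github.com/kubernetes-sigs/*")`.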
diff --git a/rules/linux/lateral_movement_kubeconfig_file_activity.toml b/rules/linux/lateral_movement_kubeconfig_file_activity.toml
index 6afcdc576..e9159ad4a 100644
--- a/rules/linux/lateral_movement_kubeconfig_file_activity.toml
+++ b/rules/linux/lateral_movement_kubeconfig_file_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/06/17"
-integration = ["endpoint", "cloud_defend"]
+integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/19"
+updated_date = "2025/12/19"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ create or modify kubeconfig files to gain unauthorized initial access to Kuberne
 move laterally within the cluster.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.file*", "logs-cloud_defend.file*"]
+index = ["logs-endpoint.events.file*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Kubeconfig File Creation or Modification"
@@ -95,7 +95,6 @@ tags = [
     "Tactic: Defense Evasion",
     "Tactic: Initial Access",
     "Data Source: Elastic Defend",
-    "Data Source: Elastic Defend for Containers",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -112,7 +111,7 @@ file where host.os.type == "linux" and event.type != "deletion" and file.path li
   "/var/lib/*/kubeconfig"
 ) and not (
   process.name in ("kubeadm", "kubelet", "vcluster", "minikube", "kind") or
-  (process.name == "sed" and ?file.Ext.original.name like "sed*") or
+  (process.name == "sed" and file.Ext.original.name like "sed*") or
   process.executable like (
     "/usr/local/bin/k3d", "/usr/local/aws-cli/*/dist/aws", "/usr/local/bin/ks", "/usr/local/bin/aws", "/usr/local/bin/kubectl"
diff --git a/rules/linux/persistence_kubernetes_sensitive_file_activity.toml b/rules/linux/persistence_kubernetes_sensitive_file_activity.toml
index b40d360e8..f9c982461 100644
--- a/rules/linux/persistence_kubernetes_sensitive_file_activity.toml
+++ b/rules/linux/persistence_kubernetes_sensitive_file_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/06/26"
-integration = ["endpoint", "cloud_defend"]
+integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/19"
+updated_date = "2025/12/22"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ vulnerabilities in Kubernetes environments. Attackers may attempt to modify thes
 deploy malicious containers within the Kubernetes cluster.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.file*", "logs-cloud_defend.file*"]
+index = ["logs-endpoint.events.file*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Kubernetes Sensitive Configuration File Activity"
@@ -90,7 +90,6 @@ tags = [
     "Use Case: Threat Detection",
     "Tactic: Persistence",
     "Data Source: Elastic Defend",
-    "Data Source: Elastic Defend for Containers",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules_building_block/discovery_kubectl_configuration_discovery.toml b/rules_building_block/discovery_kubectl_configuration_discovery.toml
index bbc7becad..2a05e5c37 100644
--- a/rules_building_block/discovery_kubectl_configuration_discovery.toml
+++ b/rules_building_block/discovery_kubectl_configuration_discovery.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/06/19"
-integration = ["endpoint", "auditd_manager", "crowdstrike", "cloud_defend"]
+integration = ["endpoint", "auditd_manager", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/01/19"
+updated_date = "2025/12/24"
 
 [rule]
 author = ["Elastic"]
@@ -19,8 +19,7 @@ index = [
     "endgame-*",
     "auditbeat-*",
     "logs-auditd_manager.auditd-*",
-    "logs-crowdstrike.fdr*",
-    "logs-cloud_defend.process*"
+    "logs-crowdstrike.fdr*"
 ]
 interval = "60m"
 language = "eql"
@@ -41,7 +40,6 @@ tags = [
     "Data Source: Elastic Endgame",
     "Data Source: Auditd Manager",
     "Data Source: Crowdstrike",
-    "Data Source: Elastic Defend for Containers",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml b/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml
index 0ea1ba505..c03159fd9 100644
--- a/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml
+++ b/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/06/19"
-integration = ["endpoint", "auditd_manager", "crowdstrike", "cloud_defend"]
+integration = ["endpoint", "auditd_manager", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/01/19"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ resources. In environments where kubectl is not expected to be used, this could
 reconnaissance activity by an adversary.
 """
 from = "now-119m"
-index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-cloud_defend.process*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*"]
 interval = "60m"
 language = "eql"
 license = "Elastic License v2"
@@ -35,7 +35,6 @@ tags = [
     "Data Source: Elastic Endgame",
     "Data Source: Auditd Manager",
     "Data Source: Crowdstrike",
-    "Data Source: Elastic Defend for Containers",
 ]
 timestamp_override = "event.ingested"
 type = "eql"