diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index a1b910c70..b83a681da 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -1364,9 +1364,9 @@
 },
 "1b5e9d4a-7c2f-4e8b-a3d6-0f9c8e2b1a4d": {
 "rule_name": "Remote Management Access Launch After MSI Install",
- "sha256": "04339c5baefede30ec62d7622df43d61a7eef47d7e5140c4166a4ef84c05df63",
+ "sha256": "cc1f83a967b60cefd14eb2acfe29dc5ebcafbdac6c0ff14de2939760741d65e3",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "1b65429e-bd92-44c0-aff8-e8065869d860": {
 "rule_name": "BPF Program Tampering via bpftool",
@@ -1382,9 +1382,9 @@
 },
 "1bb329a5-2168-4da5-b7b9-d42a51deb6dd": {
 "rule_name": "Correlated Alerts on Similar User Identities",
- "sha256": "a3ef283129c4f9b2d2ff401a29cf89bafab9d5241edd4760ffc71517c9f865cc",
+ "sha256": "68998d6567c249cc78dcca6818615a5ba8e4f942205978f489fad037876e6b4b",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "1c27fa22-7727-4dd3-81c0-de6da5555feb": {
 "rule_name": "Potential Internal Linux SSH Brute Force Detected",
@@ -1707,10 +1707,10 @@
 "version": 210
 },
 "22599847-5d13-48cb-8872-5796fee8692b": {
- "rule_name": "SUNBURST Command and Control Activity",
- "sha256": "c954a580d6a107f3549d5eb9ba4cc18b263b5cecfb80b52f61371d0561a8a053",
+ "rule_name": "Deprecated - SUNBURST Command and Control Activity",
+ "sha256": "e436ded1c2bcdb723f2a841740b8072959feceb4095c0086697c55e444763575",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "227cf26a-88d1-4bcb-bf4c-925e5875abcf": {
 "min_stack_version": "9.3",
@@ -2922,9 +2922,9 @@
 "3dc4e312-346b-4a10-b05f-450e1eeab91c": {
 "min_stack_version": "9.3",
 "rule_name": "LLM-Based Compromised User Triage by User",
- "sha256": "f7d7a3d2b3fa34c89c46ec93946265b367223bda8341a57198fb272f8bd91505",
+ "sha256": "08654fdc3bd24c49261ae772ea553f821ca9fe8bd83696f6e95b510b590b2b61",
 "type": "esql",
- "version": 3
+ "version": 4
 },
 "3df49ff6-985d-11ef-88a1-f661ea17fbcd": {
 "rule_name": "AWS SNS Rare Protocol Subscription by User",
@@ -3545,9 +3545,9 @@
 },
 "4ae94fc1-f08f-419f-b692-053d28219380": {
 "rule_name": "Connection to Common Large Language Model Endpoints",
- "sha256": "f1c88d3cd852e1d0a2d4aac9a07c89847100fbd5606cae21c47cebfc0a741265",
+ "sha256": "20f23bd803877535a040a877678ccc9f9bf5b382f9fddfa9b16fd9a803a1d4be",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
 "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
@@ -4116,9 +4116,9 @@
 },
 "590fc62d-7386-4c75-92b0-af4517018da1": {
 "rule_name": "Unusual Process Modifying GenAI Configuration File",
- "sha256": "e545844a7c0d04bacd4149972e5530758f6f5fcfaad5eb85dbc690ef57aacdf0",
+ "sha256": "4c8318ca5f58fb1f5df70040197b63e88f8b5f390e666cc85e3eac0c39129222",
 "type": "new_terms",
- "version": 5
+ "version": 6
 },
 "5919988c-29e1-4908-83aa-1f087a838f63": {
 "rule_name": "File or Directory Deletion Command",
@@ -7581,9 +7581,9 @@
 },
 "a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e": {
 "rule_name": "Execution via OpenClaw Agent",
- "sha256": "57561a090eba3d509ddd4db1e495c4ae3e56bac366975fbf1ea694a59947c35c",
+ "sha256": "a9fb3ddbff42c0d57d6e0002f0d6155ea00cf381999b2af63577940aa8776c47",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
 "rule_name": "Suspicious Print Spooler SPL File Created",
@@ -9822,9 +9822,9 @@
 },
 "d9af2479-ad13-4471-a312-f586517f1243": {
 "rule_name": "Curl or Wget Spawned via Node.js",
- "sha256": "7ca35f6a6c0eba849591ca1295bb52c5a29e74d0845523a9c3dbf72eb58b3b16",
+ "sha256": "951ee0aea30e70bfde8e78165a1547a8b00bdc808aad4a313029de907d78bfc6",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "d9bfa475-270d-4b07-93cb-b1f49abe13da": {
 "min_stack_version": "9.3",
@@ -10987,9 +10987,9 @@
 "f236cca1-e887-4d14-9ba9-bb8dd3e16cf1": {
 "min_stack_version": "9.3",
 "rule_name": "LLM-Based Attack Chain Triage by Host",
- "sha256": "286422b3b4035aa2adeafd1b284e053369eeed39302d7369532e46de03eaff07",
+ "sha256": "c1f09b9398519eeca1ca5751ca9ef554c12bcecc242670114227526c401ca16f",
 "type": "esql",
- "version": 3
+ "version": 4
 },
 "f243fe39-83a4-46f3-a3b6-707557a102df": {
 "rule_name": "Service Path Modification",
diff --git a/pyproject.toml b/pyproject.toml
index 61c71b2e9..f10677509 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.6.13"
+version = "1.6.14"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"