diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz index 5dadd95b2..3159b3e2e 100644 Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz index 05455f50b..026d7cf39 100644 Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ diff --git a/pyproject.toml b/pyproject.toml index 0832c3dd3..d529308a0 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "detection_rules" -version = "1.5.31" +version = "1.5.32" description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine." readme = "README.md" requires-python = ">=3.12" diff --git a/rules/linux/command_and_control_kubectl_networking_modification.toml b/rules/linux/command_and_control_kubectl_networking_modification.toml index b2f22c675..17fe6a60a 100644 --- a/rules/linux/command_and_control_kubectl_networking_modification.toml +++ b/rules/linux/command_and_control_kubectl_networking_modification.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2025/06/19" -integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_defend"] maturity = "production" -updated_date = "2025/07/07" +updated_date = "2026/01/19" [rule] author = ["Elastic"] @@ -18,6 +18,7 @@ index = [ "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*", + "logs-cloud_defend.process*", ] language = "eql" license = "Elastic License v2" 
@@ -96,6 +97,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", + "Data Source: Elastic Defend for Containers", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" @@ -104,7 +106,7 @@ query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.name == "kubectl" and ( - process.args == "port-forward" and process.command_line like "*:*" or + process.args == "port-forward" and process.args like "*:*" or process.args in ("proxy", "expose") ) and ( process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") or diff --git a/rules/linux/defense_evasion_potential_kubectl_impersonation.toml b/rules/linux/defense_evasion_potential_kubectl_impersonation.toml index 5d6ba4ecf..b8e13a7d8 100644 --- a/rules/linux/defense_evasion_potential_kubectl_impersonation.toml +++ b/rules/linux/defense_evasion_potential_kubectl_impersonation.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2025/06/19" -integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "cloud_defend"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/01/19" [rule] author = ["Elastic"] @@ -21,6 +21,7 @@ index = [ "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*", + "logs-cloud_defend.process*", ] language = "eql" license = "Elastic License v2" @@ -100,6 +101,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Data Source: SentinelOne", + "Data Source: Elastic Defend for Containers", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" diff --git a/rules/linux/defense_evasion_potential_kubectl_masquerading.toml b/rules/linux/defense_evasion_potential_kubectl_masquerading.toml index 811f56269..a3e787fc5 100644 
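Review bot: Replacing `process.command_line like "*:*"` with `process.args like "*:*"` in the port-forward branch trades one data-source gap for another: the rule still lists crowdstrike and sentinel_one_cloud_funnel, and if either of those mappings populates only `process.command_line` and leaves `process.args` empty, the branch can no longer fire on their events. The same trade-off appears in the docker.sock hunk of `rules/linux/discovery_docker_socket_discovery.toml`. If the motive is that cloud_defend does not carry `process.command_line`, keeping both forms avoids losing either source, e.g. `(process.args like "*:*" or ?process.command_line like "*:*")`, and likewise `(process.args like (...) or ?process.command_line like (...))` for the socket paths. The enclosing query continues outside the hunk.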
--- a/rules/linux/defense_evasion_potential_kubectl_masquerading.toml +++ b/rules/linux/defense_evasion_potential_kubectl_masquerading.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2025/06/19" -integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_defend"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/01/19" [rule] author = ["Elastic"] @@ -18,6 +18,7 @@ index = [ "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*", + "logs-cloud_defend.process*", ] language = "eql" license = "Elastic License v2" @@ -99,6 +100,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", + "Data Source: Elastic Defend for Containers", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" @@ -110,7 +112,7 @@ event.action in ("exec", "exec_event", "start", "executed", "process_started") a process.executable like~ ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/root/*", "/var/www/*", "./kubectl") or process.name like ".*" ) and -process.command_line like~ ( +process.args like~ ( // get and describe commands "*get po*", "*get deploy*", "*get node*", "*get svc*", "*get service*", "*get secret*", "*get clusterrole*", "*get ingress*", diff --git a/rules/linux/discovery_docker_socket_discovery.toml b/rules/linux/discovery_docker_socket_discovery.toml index baefc1b93..4dfa89571 100644 --- a/rules/linux/discovery_docker_socket_discovery.toml +++ b/rules/linux/discovery_docker_socket_discovery.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2025/03/04" -integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_defend"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/01/19" [rule] author = ["Elastic"] 
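Review bot: The switch from `process.command_line like~ (` to `process.args like~ (` makes the pattern list that follows effectively unmatchable for an ordinary exec: every visible pattern (`"*get po*"`, `"*get deploy*"`, `"*get secret*"`, ...) contains a space spanning two argv tokens, but a wildcard on `process.args` is evaluated per array element, so `kubectl get secrets` arrives as args `["kubectl", "get", "secrets"]` and no single element contains `get secret`. As written the rule would only fire when the whole command is passed as one argument (for instance through a shell `-c` string), which is the opposite of the masquerading case it targets. Either keep `process.command_line` (with `?process.command_line` if some sources lack it) or express the list as token pairs, e.g. `process.args == "get" and process.args like~ ("po*", "deploy*", "node*", "svc*", "service*", "secret*", "clusterrole*", "ingress*")`, with equivalent pairs for the remaining verbs. The pattern list and the enclosing query continue past the hunk, so those further entries need the same review.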
@@ -21,6 +21,7 @@ index = [ "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*", + "logs-cloud_defend.process*", ] language = "eql" license = "Elastic License v2" @@ -100,6 +101,7 @@ tags = [ "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne", + "Data Source: Elastic Defend for Containers", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" @@ -108,7 +110,7 @@ query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and process.name in ("curl", "socat", "nc", "netcat", "ncat", "nc.traditional") and -process.command_line like ("*/var/run/docker.sock*", "*/run/docker.sock*") and +process.args like ("*/var/run/docker.sock*", "*/run/docker.sock*") and process.parent.executable != null and not ( process.parent.executable in ("/usr/sbin/sshd", "/www/server/panel/BT-Panel") or diff --git a/rules/linux/discovery_kubeconfig_file_discovery.toml b/rules/linux/discovery_kubeconfig_file_discovery.toml index 481b84957..b1998a7d4 100644 --- a/rules/linux/discovery_kubeconfig_file_discovery.toml +++ b/rules/linux/discovery_kubeconfig_file_discovery.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2025/06/17" -integration = ["endpoint"] +integration = ["endpoint", "cloud_defend"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/01/19" [rule] author = ["Elastic"] @@ -17,6 +17,7 @@ directories. from = "now-9m" index = [ "logs-endpoint.events.process*", + "logs-cloud_defend.process*", ] language = "eql" license = "Elastic License v2" @@ -97,6 +98,7 @@ tags = [ "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", + "Data Source: Elastic Defend for Containers", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" 
diff --git a/rules/linux/discovery_kubectl_permission_discovery.toml b/rules/linux/discovery_kubectl_permission_discovery.toml index ea8707c76..d58d24ae3 100644 --- a/rules/linux/discovery_kubectl_permission_discovery.toml +++ b/rules/linux/discovery_kubectl_permission_discovery.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2025/06/17" -integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_defend"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/01/19" [rule] author = ["Elastic"] @@ -19,6 +19,7 @@ index = [ "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*", + "logs-cloud_defend.process*", ] language = "eql" license = "Elastic License v2" @@ -101,6 +102,7 @@ tags = [ "Data Source: Auditd Manager", "Data Source: Crowdstrike", "Data Source: SentinelOne", + "Data Source: Elastic Defend for Containers", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" diff --git a/rules/linux/execution_kubectl_apply_pod_from_url.toml b/rules/linux/execution_kubectl_apply_pod_from_url.toml index 6befd6eb9..f8288a54e 100644 --- a/rules/linux/execution_kubectl_apply_pod_from_url.toml +++ b/rules/linux/execution_kubectl_apply_pod_from_url.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2025/06/27" -integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] +integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager", "cloud_defend"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/01/19" [rule] author = ["Elastic"] @@ -19,6 +19,7 @@ index = [ "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*", "logs-auditd_manager.auditd-*", + "logs-cloud_defend.process*", ] language = "eql" license = "Elastic License v2" 
@@ -97,6 +98,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Crowdstrike", "Data Source: SentinelOne", + "Data Source: Elastic Defend for Containers", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" @@ -106,7 +108,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "process_started", "executed") and process.name == "kubectl" and process.args == "apply" and process.args like ("http://*", "https://*") and -not process.command_line like ("*download.elastic.co*", "*github.com/kubernetes-sigs/*") +not ?process.command_line like ("*download.elastic.co*", "*github.com/kubernetes-sigs/*") ''' [[rule.threat]] diff --git a/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml b/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml index b0d37287c..db0d97331 100644 --- a/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml +++ b/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2025/06/23" -integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] +integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager", "cloud_defend"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/01/19" [rule] author = ["Elastic"] @@ -20,6 +20,7 @@ index = [ "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*", "logs-auditd_manager.auditd-*", + "logs-cloud_defend.process*", ] language = "eql" license = "Elastic License v2" @@ -101,6 +102,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", + "Data Source: Elastic Defend for Containers", "Resources: Investigation Guide" ] timestamp_override = "event.ingested" 
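Review bot: The allowlist on the changed line still keys off `process.command_line`, so on any source that does not populate that field (which the new `?` prefix suggests is the case for cloud_defend) the `download.elastic.co` and `kubernetes-sigs` exclusions never apply and those presumably benign URLs will alert there while being suppressed for Endpoint. The positive match two lines up already uses `process.args like ("http://*", "https://*")`, and the URL is a single argv token, so the exclusion can use the same field uniformly: `not process.args like ("*download.elastic.co*", "*github.com/kubernetes-sigs/*")`. That also removes the dependency on an optional field altogether.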
diff --git a/rules/linux/lateral_movement_kubeconfig_file_activity.toml b/rules/linux/lateral_movement_kubeconfig_file_activity.toml index e9159ad4a..6afcdc576 100644 --- a/rules/linux/lateral_movement_kubeconfig_file_activity.toml +++ b/rules/linux/lateral_movement_kubeconfig_file_activity.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2025/06/17" -integration = ["endpoint"] +integration = ["endpoint", "cloud_defend"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/01/19" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ create or modify kubeconfig files to gain unauthorized initial access to Kuberne move laterally within the cluster. """ from = "now-9m" -index = ["logs-endpoint.events.file*"] +index = ["logs-endpoint.events.file*", "logs-cloud_defend.file*"] language = "eql" license = "Elastic License v2" name = "Kubeconfig File Creation or Modification" @@ -95,6 +95,7 @@ tags = [ "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Elastic Defend", + "Data Source: Elastic Defend for Containers", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" @@ -111,7 +112,7 @@ file where host.os.type == "linux" and event.type != "deletion" and file.path li "/var/lib/*/kubeconfig" ) and not ( process.name in ("kubeadm", "kubelet", "vcluster", "minikube", "kind") or - (process.name == "sed" and file.Ext.original.name like "sed*") or + (process.name == "sed" and ?file.Ext.original.name like "sed*") or process.executable like ( "/usr/local/bin/k3d", "/usr/local/aws-cli/*/dist/aws", "/usr/local/bin/ks", "/usr/local/bin/aws", "/usr/local/bin/kubectl" diff --git a/rules/linux/persistence_kubernetes_sensitive_file_activity.toml b/rules/linux/persistence_kubernetes_sensitive_file_activity.toml index f9c982461..b40d360e8 100644 --- a/rules/linux/persistence_kubernetes_sensitive_file_activity.toml +++ b/rules/linux/persistence_kubernetes_sensitive_file_activity.toml 
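Review bot: The `sed` exclusion on the changed line depends on `file.Ext.original.name`, which sits in the Endpoint-specific `file.Ext` namespace; the `?` keeps the query valid against the newly added `logs-cloud_defend.file*` index, but it also means the exclusion is silently void for that source, so an in-place `sed -i` edit of a kubeconfig seen through cloud_defend will presumably alert while the same activity from Endpoint is suppressed. If cloud_defend exposes the pre-rename file name under another field, add it alongside in the same clause; otherwise record the asymmetry next to the line with a comment such as `// file.Ext.original.name is Endpoint-only; the sed exclusion does not apply to cloud_defend events`. The enclosing query starts and ends outside the hunk.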
@@ -1,8 +1,8 @@ [metadata] creation_date = "2025/06/26" -integration = ["endpoint"] +integration = ["endpoint", "cloud_defend"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/01/19" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ vulnerabilities in Kubernetes environments. Attackers may attempt to modify thes deploy malicious containers within the Kubernetes cluster. """ from = "now-9m" -index = ["logs-endpoint.events.file*"] +index = ["logs-endpoint.events.file*", "logs-cloud_defend.file*"] language = "eql" license = "Elastic License v2" name = "Kubernetes Sensitive Configuration File Activity" @@ -90,6 +90,7 @@ tags = [ "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", + "Data Source: Elastic Defend for Containers", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" diff --git a/rules_building_block/discovery_kubectl_configuration_discovery.toml b/rules_building_block/discovery_kubectl_configuration_discovery.toml index 2a05e5c37..bbc7becad 100644 --- a/rules_building_block/discovery_kubectl_configuration_discovery.toml +++ b/rules_building_block/discovery_kubectl_configuration_discovery.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2025/06/19" -integration = ["endpoint", "auditd_manager", "crowdstrike"] +integration = ["endpoint", "auditd_manager", "crowdstrike", "cloud_defend"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/01/19" [rule] author = ["Elastic"] @@ -19,7 +19,8 @@ index = [ "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", - "logs-crowdstrike.fdr*" + "logs-crowdstrike.fdr*", + "logs-cloud_defend.process*" ] interval = "60m" language = "eql" @@ -40,6 +41,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Auditd Manager", "Data Source: Crowdstrike", + "Data Source: Elastic Defend for Containers", ] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml b/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml index c03159fd9..0ea1ba505 100644 --- a/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml +++ b/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2025/06/19" -integration = ["endpoint", "auditd_manager", "crowdstrike"] +integration = ["endpoint", "auditd_manager", "crowdstrike", "cloud_defend"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2026/01/19" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ resources. In environments where kubectl is not expected to be used, this could reconnaissance activity by an adversary. """ from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-cloud_defend.process*"] interval = "60m" language = "eql" license = "Elastic License v2" @@ -35,6 +35,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Auditd Manager", "Data Source: Crowdstrike", + "Data Source: Elastic Defend for Containers", ] timestamp_override = "event.ingested" type = "eql"