Add Entity related integrations ML rules with _ea job IDs and min_stack_version 9.4.0 (#5909)

Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
This commit is contained in:
Susan
2026-04-22 08:06:35 -04:00
committed by GitHub
parent 4512ec1735
commit d8a39869c5
49 changed files with 185 additions and 93 deletions
+1 -1
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "1.6.19"
version = "1.6.20"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Securitys Detection Engine."
readme = "README.md"
requires-python = ">=3.12"
@@ -2,7 +2,9 @@
creation_date = "2023/09/22"
integration = ["ded", "endpoint", "network_traffic"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -15,7 +17,7 @@ and control channels.
from = "now-6h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "ded_high_sent_bytes_destination_geo_country_iso_code"
machine_learning_job_id = "ded_high_sent_bytes_destination_geo_country_iso_code_ea"
name = "Potential Data Exfiltration Activity to an Unusual ISO Code"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
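Review bot: The new `machine_learning_job_id` points at a job suffixed `_ea` while the `integration` array and the reference URL are unchanged, so nothing in the rule records which integration package version ships that job; a stack at 9.4.0 with an older `ded` package installed would reference a job that does not exist, and an ML rule in that state produces no alerts, which is a silent detection gap rather than a visible failure. The `min_stack_comments` string only names the fields, so I would make the dependency explicit, e.g. `min_stack_comments = "Use EA (Entity Analytics) fields; requires the _ea ML jobs shipped in <package version placeholder> of the ded integration"`, with the version filled in from the package that introduced the jobs. I cannot see from this page whether the repository's integration manifest or a rule test already enforces that pairing; if it does, a one-line pointer to it in the comment is enough. The same applies to every other rule section on this page (L42–L869), which carry the identical three-line metadata change.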
@@ -2,7 +2,9 @@
creation_date = "2023/09/22"
integration = ["ded", "endpoint", "network_traffic"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -15,7 +17,7 @@ and control channels.
from = "now-6h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "ded_high_sent_bytes_destination_ip"
machine_learning_job_id = "ded_high_sent_bytes_destination_ip_ea"
name = "Potential Data Exfiltration Activity to an Unusual IP Address"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
@@ -2,7 +2,9 @@
creation_date = "2023/09/22"
integration = ["ded", "endpoint", "network_traffic"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -14,7 +16,7 @@ outside the normal traffic patterns of an organization could indicate exfiltrati
from = "now-6h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "ded_high_sent_bytes_destination_port"
machine_learning_job_id = "ded_high_sent_bytes_destination_port_ea"
name = "Potential Data Exfiltration Activity to an Unusual Destination Port"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
@@ -2,7 +2,9 @@
creation_date = "2023/09/22"
integration = ["ded", "endpoint", "network_traffic"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -15,7 +17,7 @@ and control channels.
from = "now-6h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "ded_high_sent_bytes_destination_region_name"
machine_learning_job_id = "ded_high_sent_bytes_destination_region_name_ea"
name = "Potential Data Exfiltration Activity to an Unusual Region"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
@@ -2,7 +2,9 @@
creation_date = "2023/09/22"
integration = ["ded", "endpoint"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -15,7 +17,7 @@ large amount of data being written is anomalous and can signal illicit data copy
from = "now-2h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "ded_high_bytes_written_to_external_device"
machine_learning_job_id = "ded_high_bytes_written_to_external_device_ea"
name = "Spike in Bytes Sent to an External Device"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
@@ -2,7 +2,9 @@
creation_date = "2023/09/22"
integration = ["ded", "endpoint"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -16,7 +18,7 @@ activities.
from = "now-2h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "ded_high_bytes_written_to_external_device_airdrop"
machine_learning_job_id = "ded_high_bytes_written_to_external_device_airdrop_ea"
name = "Spike in Bytes Sent to an External Device via Airdrop"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
@@ -2,7 +2,9 @@
creation_date = "2023/09/22"
integration = ["ded", "endpoint"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -15,7 +17,7 @@ legitimate reason to write data to external devices can indicate exfiltration.
from = "now-2h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "ded_rare_process_writing_to_external_device"
machine_learning_job_id = "ded_rare_process_writing_to_external_device_ea"
name = "Unusual Process Writing Data to an External Device"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
@@ -2,7 +2,9 @@
creation_date = "2023/09/14"
integration = ["dga", "endpoint", "network_traffic"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 70
@@ -15,7 +17,7 @@ making DNS requests that have an aggregate high probability of being DGA activit
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "dga_high_sum_probability"
machine_learning_job_id = "dga_high_sum_probability_ea"
name = "Potential DGA Activity"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
@@ -2,7 +2,9 @@
creation_date = "2023/10/12"
integration = ["lmd", "endpoint"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 70
@@ -15,7 +17,7 @@ redirection and piping, which in turn increases the number of arguments in a com
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_mean_rdp_process_args"
machine_learning_job_id = "lmd_high_mean_rdp_process_args_ea"
name = "High Mean of Process Arguments in an RDP Session"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
@@ -2,7 +2,9 @@
creation_date = "2023/10/12"
integration = ["lmd", "endpoint"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 70
@@ -15,7 +17,7 @@ require uninterrupted access to a compromised machine.
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_mean_rdp_session_duration"
machine_learning_job_id = "lmd_high_mean_rdp_session_duration_ea"
name = "High Mean of RDP Session Duration"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
@@ -2,7 +2,9 @@
creation_date = "2023/10/12"
integration = ["lmd", "endpoint"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 70
@@ -16,7 +18,7 @@ into a single large file transfer.
from = "now-90m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_file_size_remote_file_transfer"
machine_learning_job_id = "lmd_high_file_size_remote_file_transfer_ea"
name = "Unusual Remote File Size"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
@@ -2,7 +2,9 @@
creation_date = "2023/10/12"
integration = ["lmd", "endpoint"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 70
@@ -15,7 +17,7 @@ might require uninterrupted access to a compromised machine.
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_var_rdp_session_duration"
machine_learning_job_id = "lmd_high_var_rdp_session_duration_ea"
name = "High Variance in RDP Session Duration"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
@@ -2,7 +2,9 @@
creation_date = "2023/10/12"
integration = ["lmd", "endpoint"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 70
@@ -15,7 +17,7 @@ attackers might use less common directories to bypass monitoring.
from = "now-90m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_rare_file_path_remote_transfer"
machine_learning_job_id = "lmd_rare_file_path_remote_transfer_ea"
name = "Unusual Remote File Directory"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
@@ -2,7 +2,9 @@
creation_date = "2023/10/12"
integration = ["lmd", "endpoint"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 70
@@ -14,7 +16,7 @@ lateral movement activity on the host.
from = "now-90m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_rare_file_extension_remote_transfer"
machine_learning_job_id = "lmd_rare_file_extension_remote_transfer_ea"
name = "Unusual Remote File Extension"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
@@ -2,7 +2,9 @@
creation_date = "2023/10/12"
integration = ["lmd", "endpoint"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 70
@@ -15,7 +17,7 @@ valuable assets, data, or further access points.
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_rdp_distinct_count_destination_ip_for_source"
machine_learning_job_id = "lmd_high_rdp_distinct_count_destination_ip_for_source_ea"
name = "Spike in Number of Connections Made from a Source IP"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
@@ -2,7 +2,9 @@
creation_date = "2023/10/12"
integration = ["lmd", "endpoint"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 70
@@ -15,7 +17,7 @@ detected and blocked.
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_rdp_distinct_count_source_ip_for_destination"
machine_learning_job_id = "lmd_high_rdp_distinct_count_source_ip_for_destination_ea"
name = "Spike in Number of Connections Made to a Destination IP"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
@@ -2,7 +2,9 @@
creation_date = "2023/10/12"
integration = ["lmd", "endpoint"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 70
@@ -14,7 +16,7 @@ large number of processes remotely on other machines can be an indicator of late
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_sum_rdp_number_of_processes"
machine_learning_job_id = "lmd_high_sum_rdp_number_of_processes_ea"
name = "Spike in Number of Processes in an RDP Session"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
@@ -2,7 +2,9 @@
creation_date = "2023/10/12"
integration = ["lmd", "endpoint"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 70
@@ -16,7 +18,7 @@ to evade detection.
from = "now-90m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_count_remote_file_transfer"
machine_learning_job_id = "lmd_high_count_remote_file_transfer_ea"
name = "Spike in Remote File Transfers"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
@@ -2,7 +2,9 @@
creation_date = "2023/10/12"
integration = ["lmd", "endpoint"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 70
@@ -15,7 +17,7 @@ attack.
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_unusual_time_weekday_rdp_session_start"
machine_learning_job_id = "lmd_unusual_time_weekday_rdp_session_start_ea"
name = "Unusual Time or Day for an RDP Session"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
@@ -2,7 +2,9 @@
creation_date = "2025/02/18"
integration = ["pad", "endpoint", "sysmon_linux"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -15,7 +17,7 @@ restricted parts of the system.
from = "now-3h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_linux_high_count_privileged_process_events_by_user"
machine_learning_job_id = "pad_linux_high_count_privileged_process_events_by_user_ea"
name = "Spike in Privileged Command Execution by a User"
note = """## Triage and analysis
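Review bot: The triage `note` that starts on the last hunk line and continues outside the hunk is untouched by this change, and rules of this kind usually name the ML job to enable and the entity fields the anomalies are keyed on in their setup or investigation guidance; if this one does, it now describes the legacy job rather than `pad_linux_high_count_privileged_process_events_by_user_ea`, and an analyst following it would enable the wrong job. Where the note references the job or the non-EA field names, it should be updated to the `_ea` job and the EA fields in the same commit, or a sentence added stating that the guidance applies to the `_ea` variant on stack 9.4.0 and later. The enclosing `[rule]` table ends outside the hunk, so I cannot confirm the note's content from here. The same check applies to each of the remaining rule sections on this page whose last hunk line is the `note` header (L402–L869).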
@@ -2,7 +2,9 @@
creation_date = "2025/02/18"
integration = ["pad", "endpoint", "sysmon_linux"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -16,7 +18,7 @@ access.
from = "now-3h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_linux_high_median_process_command_line_entropy_by_user"
machine_learning_job_id = "pad_linux_high_median_process_command_line_entropy_by_user_ea"
name = "High Command Line Entropy Detected for Privileged Commands"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2025/02/18"
integration = ["pad", "endpoint", "sysmon_linux"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -14,7 +16,7 @@ privileged access activity.
from = "now-1h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_linux_rare_process_executed_by_user"
machine_learning_job_id = "pad_linux_rare_process_executed_by_user_ea"
name = "Unusual Process Detected for Privileged Commands by a User"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2025/02/18"
integration = ["pad", "okta"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -17,7 +19,7 @@ systems.
from = "now-3h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_okta_high_sum_concurrent_sessions_by_user"
machine_learning_job_id = "pad_okta_high_sum_concurrent_sessions_by_user_ea"
name = "Unusual Spike in Concurrent Active Sessions by a User"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2025/02/18"
integration = ["pad", "okta"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -15,7 +17,7 @@ credentials, or an insider threat leveraging an unauthorized device to escalate
from = "now-1h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_okta_rare_host_name_by_user"
machine_learning_job_id = "pad_okta_rare_host_name_by_user_ea"
name = "Unusual Host Name for Okta Privileged Operations Detected"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2025/02/18"
integration = ["pad", "okta"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -15,7 +17,7 @@ access, or an attacker using stolen credentials to escalate privileges.
from = "now-1h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_okta_rare_region_name_by_user"
machine_learning_job_id = "pad_okta_rare_region_name_by_user_ea"
name = "Unusual Region Name for Okta Privileged Operations Detected"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2025/02/18"
integration = ["pad", "okta"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -15,7 +17,7 @@ privileges, or an attacker leveraging a new network location to escalate privile
from = "now-1h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_okta_rare_source_ip_by_user"
machine_learning_job_id = "pad_okta_rare_source_ip_by_user_ea"
name = "Unusual Source IP for Okta Privileged Operations Detected"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2025/02/18"
integration = ["pad", "okta"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -15,7 +17,7 @@ maintain persistence, or facilitate lateral movement within an organizations
from = "now-3h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_okta_spike_in_group_application_assignment_changes"
machine_learning_job_id = "pad_okta_spike_in_group_application_assignment_changes_ea"
name = "Spike in Group Application Assignment Change Events"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2025/02/18"
integration = ["pad", "okta"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -15,7 +17,7 @@ or facilitate lateral movement within an organizations identity management sy
from = "now-3h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_okta_spike_in_group_lifecycle_changes"
machine_learning_job_id = "pad_okta_spike_in_group_lifecycle_changes_ea"
name = "Spike in Group Lifecycle Change Events"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2025/02/18"
integration = ["pad", "okta"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -15,7 +17,7 @@ potentially leading to unauthorized actions or data breaches.
from = "now-3h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_okta_spike_in_group_membership_changes"
machine_learning_job_id = "pad_okta_spike_in_group_membership_changes_ea"
name = "Spike in Group Membership Events"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2025/02/18"
integration = ["pad", "okta"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -15,7 +17,7 @@ high-privilege groups, enabling further access or persistence.
from = "now-3h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_okta_spike_in_group_privilege_changes"
machine_learning_job_id = "pad_okta_spike_in_group_privilege_changes_ea"
name = "Spike in Group Privilege Change Events"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2025/02/18"
integration = ["pad", "okta"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -15,7 +17,7 @@ within the environment.
from = "now-3h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_okta_spike_in_user_lifecycle_management_changes"
machine_learning_job_id = "pad_okta_spike_in_user_lifecycle_management_changes_ea"
name = "Spike in User Lifecycle Management Change Events"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2025/02/18"
integration = ["pad", "endpoint", "windows"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -16,7 +18,7 @@ modifications to group memberships.
from = "now-3h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_windows_high_count_group_management_events"
machine_learning_job_id = "pad_windows_high_count_group_management_events_ea"
name = "Spike in Group Management Events"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2025/02/18"
integration = ["pad", "endpoint", "windows"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -15,7 +17,7 @@ possibly for lateral movement or privilege escalation.
from = "now-3h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_windows_high_count_special_logon_events"
machine_learning_job_id = "pad_windows_high_count_special_logon_events_ea"
name = "Spike in Special Logon Events"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2025/02/18"
integration = ["pad", "endpoint", "windows"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -15,7 +17,7 @@ indicate an attempt to escalate privileges, execute unauthorized tasks, or maint
from = "now-3h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_windows_high_count_special_privilege_use_events"
machine_learning_job_id = "pad_windows_high_count_special_privilege_use_events_ea"
name = "Spike in Special Privilege Use Events"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2025/02/18"
integration = ["pad", "endpoint", "windows"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -16,7 +18,7 @@ activity involving account management.
from = "now-3h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_windows_high_count_user_account_management_events"
machine_learning_job_id = "pad_windows_high_count_user_account_management_events_ea"
name = "Spike in User Account Management Events"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2025/02/18"
integration = ["pad", "endpoint", "windows"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -15,7 +17,7 @@ credentials, or an insider threat leveraging an unauthorized device to escalate
from = "now-1h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_windows_rare_device_by_user"
machine_learning_job_id = "pad_windows_rare_device_by_user_ea"
name = "Unusual Host Name for Windows Privileged Operations Detected"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2025/02/18"
integration = ["pad", "endpoint", "windows"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -16,7 +18,7 @@ group memberships or escalate privileges on a system.
from = "now-1h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_windows_rare_group_name_by_user"
machine_learning_job_id = "pad_windows_rare_group_name_by_user_ea"
name = "Unusual Group Name Accessed by a User"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2025/02/18"
integration = ["pad", "endpoint", "windows"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -15,7 +17,7 @@ but is using a privilege type that is not typically seen in their baseline logs.
from = "now-1h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_windows_rare_privilege_assigned_to_user"
machine_learning_job_id = "pad_windows_rare_privilege_assigned_to_user_ea"
name = "Unusual Privilege Type assigned to a User"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2025/02/18"
integration = ["pad", "endpoint", "windows"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -15,7 +17,7 @@ access, or an attacker using stolen credentials to escalate privileges.
from = "now-1h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_windows_rare_region_name_by_user"
machine_learning_job_id = "pad_windows_rare_region_name_by_user_ea"
name = "Unusual Region Name for Windows Privileged Operations Detected"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2025/02/18"
integration = ["pad", "endpoint", "windows"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -15,7 +17,7 @@ privileges, or an attacker leveraging a new network location to escalate privile
from = "now-1h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_windows_rare_source_ip_by_user"
machine_learning_job_id = "pad_windows_rare_source_ip_by_user_ea"
name = "Unusual Source IP for Windows Privileged Operations Detected"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2023/09/19"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -16,7 +18,7 @@ or malicious activity, possibly involving LOLbins, that may be resistant to dete
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "problem_child_rare_process_by_host"
machine_learning_job_id = "problem_child_rare_process_by_host_ea"
name = "Unusual Process Spawned by a Host"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -16,7 +18,7 @@ malicious activity, possibly involving LOLbins, that may be resistant to detecti
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "problem_child_rare_process_by_parent"
machine_learning_job_id = "problem_child_rare_process_by_parent_ea"
name = "Unusual Process Spawned by a Parent Process"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -17,7 +19,7 @@ detection using conventional search rules.
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "problem_child_rare_process_by_user"
machine_learning_job_id = "problem_child_rare_process_by_user_ea"
name = "Unusual Process Spawned by a User"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -18,7 +20,7 @@ possibly involving LOLbins, that may be resistant to detection using conventiona
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "problem_child_high_sum_by_host"
machine_learning_job_id = "problem_child_high_sum_by_host_ea"
name = "Host Detected with Suspicious Windows Process(es)"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -18,7 +20,7 @@ malicious activity, possibly involving LOLbins, that may be resistant to detecti
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "problem_child_high_sum_by_parent"
machine_learning_job_id = "problem_child_high_sum_by_parent_ea"
name = "Parent Process Detected with Suspicious Windows Process(es)"
note = """## Triage and analysis
@@ -2,7 +2,9 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/01"
min_stack_version = "9.4.0"
min_stack_comments = "Use EA (Entity Analytics) fields"
[rule]
anomaly_threshold = 75
@@ -18,7 +20,7 @@ possibly involving LOLbins, that may be resistant to detection using conventiona
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "problem_child_high_sum_by_user"
machine_learning_job_id = "problem_child_high_sum_by_user_ea"
name = "User Detected with Suspicious Windows Process(es)"
note = """## Triage and analysis