diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
index 751c3e489..28a370043 100644
Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz
index e3484efaa..a235fcec9 100644
Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ
diff --git a/pyproject.toml b/pyproject.toml
index 7ff99b978..071483bca 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.6.19"
+version = "1.6.20"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml
index 4f85de1b1..c0533663b 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/09/22"
 integration = ["ded", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
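Review bot: `min_stack_comments = "Use EA (Entity Analytics) fields"` does not say what actually forces the 9.4.0 floor; on the visible lines the only behavioural change is the `_ea` suffix added to `machine_learning_job_id` in the next hunk, i.e. the rule now binds to a differently named ML job. For an ML rule that rename matters operationally: a rule whose job is absent or not started typically reports an execution warning instead of producing alerts, so a detection gap can open silently on upgrade unless the rule's setup guidance (outside these hunks) tells operators to install and start the new job before the old one is retired. Carrying that reason in the comment would help whoever triages a rule-execution failure later, e.g. `min_stack_comments = "ML job renamed to its _ea (Entity Analytics fields) variant; the _ea job must be installed and started"`. The same two-hunk pattern repeats in every other rule section on this page (the remaining ded, dga, lmd and pad files), so one wording fix to the shared comment string covers them all.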
@@ -15,7 +17,7 @@ and control channels.
 from = "now-6h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "ded_high_sent_bytes_destination_geo_country_iso_code"
+machine_learning_job_id = "ded_high_sent_bytes_destination_geo_country_iso_code_ea"
 name = "Potential Data Exfiltration Activity to an Unusual ISO Code"
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml
index 902dd750d..c27e50cf1 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/09/22"
 integration = ["ded", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ and control channels.
 from = "now-6h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "ded_high_sent_bytes_destination_ip"
+machine_learning_job_id = "ded_high_sent_bytes_destination_ip_ea"
 name = "Potential Data Exfiltration Activity to an Unusual IP Address"
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
index 78a1259f5..82bfde642 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/09/22"
 integration = ["ded", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -14,7 +16,7 @@ outside the normal traffic patterns of an organization could indicate exfiltrati
 from = "now-6h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "ded_high_sent_bytes_destination_port"
+machine_learning_job_id = "ded_high_sent_bytes_destination_port_ea"
 name = "Potential Data Exfiltration Activity to an Unusual Destination Port"
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml
index b3bd71f70..018fa8f78 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/09/22"
 integration = ["ded", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ and control channels.
 from = "now-6h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "ded_high_sent_bytes_destination_region_name"
+machine_learning_job_id = "ded_high_sent_bytes_destination_region_name_ea"
 name = "Potential Data Exfiltration Activity to an Unusual Region"
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml
index 8b7205dff..b589a7970 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/09/22"
 integration = ["ded", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ large amount of data being written is anomalous and can signal illicit data copy
 from = "now-2h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "ded_high_bytes_written_to_external_device"
+machine_learning_job_id = "ded_high_bytes_written_to_external_device_ea"
 name = "Spike in Bytes Sent to an External Device"
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml
index efabd6323..66089a95a 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/09/22"
 integration = ["ded", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -16,7 +18,7 @@ activities.
 from = "now-2h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "ded_high_bytes_written_to_external_device_airdrop"
+machine_learning_job_id = "ded_high_bytes_written_to_external_device_airdrop_ea"
 name = "Spike in Bytes Sent to an External Device via Airdrop"
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
diff --git a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml
index f4de893c2..5699e2100 100644
--- a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml
+++ b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/09/22"
 integration = ["ded", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ legitimate reason to write data to external devices can indicate exfiltration.
 from = "now-2h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "ded_rare_process_writing_to_external_device"
+machine_learning_job_id = "ded_rare_process_writing_to_external_device_ea"
 name = "Unusual Process Writing Data to an External Device"
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
diff --git a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml
index e02a63c65..c3d26c992 100644
--- a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml
+++ b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/09/14"
 integration = ["dga", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 70
@@ -15,7 +17,7 @@ making DNS requests that have an aggregate high probability of being DGA activit
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "dga_high_sum_probability"
+machine_learning_job_id = "dga_high_sum_probability_ea"
 name = "Potential DGA Activity"
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
index d7e8c4ec4..1123a30bc 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 70
@@ -15,7 +17,7 @@ redirection and piping, which in turn increases the number of arguments in a com
 from = "now-12h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "lmd_high_mean_rdp_process_args"
+machine_learning_job_id = "lmd_high_mean_rdp_process_args_ea"
 name = "High Mean of Process Arguments in an RDP Session"
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
index c4a9de77a..b1d65e6d4 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 70
@@ -15,7 +17,7 @@ require uninterrupted access to a compromised machine.
 from = "now-12h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "lmd_high_mean_rdp_session_duration"
+machine_learning_job_id = "lmd_high_mean_rdp_session_duration_ea"
 name = "High Mean of RDP Session Duration"
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
index 8b4708007..bd7b9eb00 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 70
@@ -16,7 +18,7 @@ into a single large file transfer.
 from = "now-90m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "lmd_high_file_size_remote_file_transfer"
+machine_learning_job_id = "lmd_high_file_size_remote_file_transfer_ea"
 name = "Unusual Remote File Size"
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
index 28673a7b2..0e9ff03ab 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 70
@@ -15,7 +17,7 @@ might require uninterrupted access to a compromised machine.
 from = "now-12h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "lmd_high_var_rdp_session_duration"
+machine_learning_job_id = "lmd_high_var_rdp_session_duration_ea"
 name = "High Variance in RDP Session Duration"
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
index ea82363e1..88defa2bf 100644
--- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 70
@@ -15,7 +17,7 @@ attackers might use less common directories to bypass monitoring.
 from = "now-90m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "lmd_rare_file_path_remote_transfer"
+machine_learning_job_id = "lmd_rare_file_path_remote_transfer_ea"
 name = "Unusual Remote File Directory"
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
index 60be1f2cb..227b4c3a9 100644
--- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 70
@@ -14,7 +16,7 @@ lateral movement activity on the host.
 from = "now-90m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "lmd_rare_file_extension_remote_transfer"
+machine_learning_job_id = "lmd_rare_file_extension_remote_transfer_ea"
 name = "Unusual Remote File Extension"
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
index 53517117a..dd88f7107 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 70
@@ -15,7 +17,7 @@ valuable assets, data, or further access points.
 from = "now-12h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "lmd_high_rdp_distinct_count_destination_ip_for_source"
+machine_learning_job_id = "lmd_high_rdp_distinct_count_destination_ip_for_source_ea"
 name = "Spike in Number of Connections Made from a Source IP"
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
index fb2dd4c72..bc1e2b17d 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 70
@@ -15,7 +17,7 @@ detected and blocked.
 from = "now-12h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "lmd_high_rdp_distinct_count_source_ip_for_destination"
+machine_learning_job_id = "lmd_high_rdp_distinct_count_source_ip_for_destination_ea"
 name = "Spike in Number of Connections Made to a Destination IP"
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
index c39a26c35..a48c62864 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 70
@@ -14,7 +16,7 @@ large number of processes remotely on other machines can be an indicator of late
 from = "now-12h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "lmd_high_sum_rdp_number_of_processes"
+machine_learning_job_id = "lmd_high_sum_rdp_number_of_processes_ea"
 name = "Spike in Number of Processes in an RDP Session"
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
index a06650355..93cb52958 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 70
@@ -16,7 +18,7 @@ to evade detection.
 from = "now-90m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "lmd_high_count_remote_file_transfer"
+machine_learning_job_id = "lmd_high_count_remote_file_transfer_ea"
 name = "Spike in Remote File Transfers"
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
diff --git a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
index c989b30fd..d74f9f47e 100644
--- a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 70
@@ -15,7 +17,7 @@ attack.
 from = "now-12h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "lmd_unusual_time_weekday_rdp_session_start"
+machine_learning_job_id = "lmd_unusual_time_weekday_rdp_session_start_ea"
 name = "Unusual Time or Day for an RDP Session"
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml
index 8fe48c524..68d164511 100644
--- a/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "sysmon_linux"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ restricted parts of the system.
 from = "now-3h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "pad_linux_high_count_privileged_process_events_by_user"
+machine_learning_job_id = "pad_linux_high_count_privileged_process_events_by_user_ea"
 name = "Spike in Privileged Command Execution by a User"
 note = """## Triage and analysis
 
diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml
index edb900374..b809aec1e 100644
--- a/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "sysmon_linux"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -16,7 +18,7 @@ access.
 from = "now-3h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "pad_linux_high_median_process_command_line_entropy_by_user"
+machine_learning_job_id = "pad_linux_high_median_process_command_line_entropy_by_user_ea"
 name = "High Command Line Entropy Detected for Privileged Commands"
 note = """## Triage and analysis
 
diff --git a/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml
index 9a2e72774..2669ce61d 100644
--- a/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "sysmon_linux"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -14,7 +16,7 @@ privileged access activity.
 from = "now-1h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "pad_linux_rare_process_executed_by_user"
+machine_learning_job_id = "pad_linux_rare_process_executed_by_user_ea"
 name = "Unusual Process Detected for Privileged Commands by a User"
 note = """## Triage and analysis
 
diff --git a/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml
index 7b479bfd9..d24110cd7 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -17,7 +19,7 @@ systems.
 from = "now-3h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "pad_okta_high_sum_concurrent_sessions_by_user"
+machine_learning_job_id = "pad_okta_high_sum_concurrent_sessions_by_user_ea"
 name = "Unusual Spike in Concurrent Active Sessions by a User"
 note = """## Triage and analysis
 
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml
index e2754c6f0..9532d8836 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ credentials, or an insider threat leveraging an unauthorized device to escalate
 from = "now-1h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "pad_okta_rare_host_name_by_user"
+machine_learning_job_id = "pad_okta_rare_host_name_by_user_ea"
 name = "Unusual Host Name for Okta Privileged Operations Detected"
 note = """## Triage and analysis
 
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml
index eddc6f5cc..2bac240d5 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ access, or an attacker using stolen credentials to escalate privileges.
 from = "now-1h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "pad_okta_rare_region_name_by_user"
+machine_learning_job_id = "pad_okta_rare_region_name_by_user_ea"
 name = "Unusual Region Name for Okta Privileged Operations Detected"
 note = """## Triage and analysis
 
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml
index 956843017..aafcf4384 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ privileges, or an attacker leveraging a new network location to escalate privile
 from = "now-1h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "pad_okta_rare_source_ip_by_user"
+machine_learning_job_id = "pad_okta_rare_source_ip_by_user_ea"
 name = "Unusual Source IP for Okta Privileged Operations Detected"
 note = """## Triage and analysis
 
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml
index 5d92fbdb9..fc8a61124 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ maintain persistence, or facilitate lateral movement within an organization’s
 from = "now-3h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "pad_okta_spike_in_group_application_assignment_changes"
+machine_learning_job_id = "pad_okta_spike_in_group_application_assignment_changes_ea"
 name = "Spike in Group Application Assignment Change Events"
 note = """## Triage and analysis
 
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml
index e1575db67..bb5e81b03 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ or facilitate lateral movement within an organization’s identity management sy
 from = "now-3h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "pad_okta_spike_in_group_lifecycle_changes"
+machine_learning_job_id = "pad_okta_spike_in_group_lifecycle_changes_ea"
 name = "Spike in Group Lifecycle Change Events"
 note = """## Triage and analysis
 
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
index 1a67cb5a8..c388f3535 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ potentially leading to unauthorized actions or data breaches.
 from = "now-3h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "pad_okta_spike_in_group_membership_changes"
+machine_learning_job_id = "pad_okta_spike_in_group_membership_changes_ea"
 name = "Spike in Group Membership Events"
 note = """## Triage and analysis
 
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml
index 6861aead8..c586493cf 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ high-privilege groups, enabling further access or persistence.
 from = "now-3h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "pad_okta_spike_in_group_privilege_changes"
+machine_learning_job_id = "pad_okta_spike_in_group_privilege_changes_ea"
 name = "Spike in Group Privilege Change Events"
 note = """## Triage and analysis
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml
index e394e67f9..27556cabf 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ within the environment.
 from = "now-3h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "pad_okta_spike_in_user_lifecycle_management_changes"
+machine_learning_job_id = "pad_okta_spike_in_user_lifecycle_management_changes_ea"
 name = "Spike in User Lifecycle Management Change Events"
 note = """## Triage and analysis
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml
index b3949f019..8db70f3aa 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -16,7 +18,7 @@ modifications to group memberships.
 from = "now-3h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "pad_windows_high_count_group_management_events"
+machine_learning_job_id = "pad_windows_high_count_group_management_events_ea"
 name = "Spike in Group Management Events"
 note = """## Triage and analysis
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml
index 78f44f6aa..f02295cdd 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ possibly for lateral movement or privilege escalation.
 from = "now-3h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "pad_windows_high_count_special_logon_events"
+machine_learning_job_id = "pad_windows_high_count_special_logon_events_ea"
 name = "Spike in Special Logon Events"
 note = """## Triage and analysis
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
index 847040157..5d5a92237 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ indicate an attempt to escalate privileges, execute unauthorized tasks, or maint
 from = "now-3h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "pad_windows_high_count_special_privilege_use_events"
+machine_learning_job_id = "pad_windows_high_count_special_privilege_use_events_ea"
 name = "Spike in Special Privilege Use Events"
 note = """## Triage and analysis
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
index 655cc4258..c08026170 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -16,7 +18,7 @@ activity involving account management.
 from = "now-3h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "pad_windows_high_count_user_account_management_events"
+machine_learning_job_id = "pad_windows_high_count_user_account_management_events_ea"
 name = "Spike in User Account Management Events"
 note = """## Triage and analysis
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml
index 8651e7f6c..690a7bb61 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ credentials, or an insider threat leveraging an unauthorized device to escalate
 from = "now-1h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "pad_windows_rare_device_by_user"
+machine_learning_job_id = "pad_windows_rare_device_by_user_ea"
 name = "Unusual Host Name for Windows Privileged Operations Detected"
 note = """## Triage and analysis
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
index 539df8411..42e1e24c9 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -16,7 +18,7 @@ group memberships or escalate privileges on a system.
 from = "now-1h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "pad_windows_rare_group_name_by_user"
+machine_learning_job_id = "pad_windows_rare_group_name_by_user_ea"
 name = "Unusual Group Name Accessed by a User"
 note = """## Triage and analysis
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
index c8216dd03..0796256eb 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ but is using a privilege type that is not typically seen in their baseline logs.
 from = "now-1h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "pad_windows_rare_privilege_assigned_to_user"
+machine_learning_job_id = "pad_windows_rare_privilege_assigned_to_user_ea"
 name = "Unusual Privilege Type assigned to a User"
 note = """## Triage and analysis
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml
index 697850d93..082a5ba42 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ access, or an attacker using stolen credentials to escalate privileges.
 from = "now-1h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "pad_windows_rare_region_name_by_user"
+machine_learning_job_id = "pad_windows_rare_region_name_by_user_ea"
 name = "Unusual Region Name for Windows Privileged Operations Detected"
 note = """## Triage and analysis
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml
index af481beaf..1cae5d97f 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ privileges, or an attacker leveraging a new network location to escalate privile
 from = "now-1h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "pad_windows_rare_source_ip_by_user"
+machine_learning_job_id = "pad_windows_rare_source_ip_by_user_ea"
 name = "Unusual Source IP for Windows Privileged Operations Detected"
 note = """## Triage and analysis
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
index 24db21c14..99c69415b 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/09/19"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -16,7 +18,7 @@ or malicious activity, possibly involving LOLbins, that may be resistant to dete
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "problem_child_rare_process_by_host"
+machine_learning_job_id = "problem_child_rare_process_by_host_ea"
 name = "Unusual Process Spawned by a Host"
 note = """## Triage and analysis
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
index f0e3a9b3e..956f53a3b 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -16,7 +18,7 @@ malicious activity, possibly involving LOLbins, that may be resistant to detecti
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "problem_child_rare_process_by_parent"
+machine_learning_job_id = "problem_child_rare_process_by_parent_ea"
 name = "Unusual Process Spawned by a Parent Process"
 note = """## Triage and analysis
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
index 182abe9bb..1761391d1 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -17,7 +19,7 @@ detection using conventional search rules.
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "problem_child_rare_process_by_user"
+machine_learning_job_id = "problem_child_rare_process_by_user_ea"
 name = "Unusual Process Spawned by a User"
 note = """## Triage and analysis
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
index 9e43cb9de..683629175 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -18,7 +20,7 @@ possibly involving LOLbins, that may be resistant to detection using conventiona
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "problem_child_high_sum_by_host"
+machine_learning_job_id = "problem_child_high_sum_by_host_ea"
 name = "Host Detected with Suspicious Windows Process(es)"
 note = """## Triage and analysis
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
index 1d01817a6..a0306806b 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -18,7 +20,7 @@ malicious activity, possibly involving LOLbins, that may be resistant to detecti
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "problem_child_high_sum_by_parent"
+machine_learning_job_id = "problem_child_high_sum_by_parent_ea"
 name = "Parent Process Detected with Suspicious Windows Process(es)"
 note = """## Triage and analysis
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
index 9202b9bc1..a891b1b02 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -18,7 +20,7 @@ possibly involving LOLbins, that may be resistant to detection using conventiona
 from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "problem_child_high_sum_by_user"
+machine_learning_job_id = "problem_child_high_sum_by_user_ea"
 name = "User Detected with Suspicious Windows Process(es)"
 note = """## Triage and analysis