From 3dbdeeed6dbe195de621341285bc1156caf9799d Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Fri, 20 Mar 2026 14:23:43 -0500 Subject: [PATCH 1/3] update data view index pattern to use .ml-anomalies-shared* across multiple packages --- packages/ded/changelog.yml | 5 +++++ packages/ded/docs/README.md | 4 ++-- packages/ded/manifest.yml | 2 +- packages/hta/changelog.yml | 5 +++++ packages/hta/docs/README.md | 4 ++-- packages/hta/manifest.yml | 2 +- packages/lmd/changelog.yml | 5 +++++ packages/lmd/docs/README.md | 4 ++-- packages/lmd/manifest.yml | 2 +- packages/pad/changelog.yml | 5 +++++ packages/pad/docs/README.md | 4 ++-- packages/pad/manifest.yml | 2 +- 12 files changed, 32 insertions(+), 12 deletions(-) diff --git a/packages/ded/changelog.yml b/packages/ded/changelog.yml index c93ff173b61..c4054766aa7 100644 --- a/packages/ded/changelog.yml +++ b/packages/ded/changelog.yml @@ -1,3 +1,8 @@ +- version: "2.4.2" + changes: + - description: Update dashboard data view index pattern to use .ml-anomalies-shared*, as in newer stack versions this is now a data stream + type: bugfix + link: https://github.com/elastic/integrations/pull/XXXXX - version: "2.4.1" changes: - description: Update package docs with customization steps for ML jobs and transforms diff --git a/packages/ded/docs/README.md b/packages/ded/docs/README.md index 47c3892e08a..612e56f6a68 100644 --- a/packages/ded/docs/README.md +++ b/packages/ded/docs/README.md 
@@ -22,10 +22,10 @@ For more detailed information refer to the following blog: 1. **Add preconfigured anomaly detection jobs**: In **Stack Management -> Anomaly Detection Jobs**, you will see **Select data view or saved search**. Select the data view created in the previous step. Then under `Use preconfigured jobs` you will see **Data Exfiltration Detection**. If you do not see this card, events must be ingested from a source that matches the query specified in the [ded-ml file](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json#L10), such as Elastic Defend. When you select the card, you will see pre-configured anomaly detection jobs that you can create depending on what makes the most sense for your environment. If you are using Elastic Defend to collect events, file events are in `logs-endpoint.events.file-*` and network events in `logs-endpoint.events.network-*`. If you are only collecting file or network events, select only the relevant jobs at this step. 1. **Data view configuration for Dashboards**: For the dashboard to work as expected, the following settings need to be configured in Kibana. 1. You have started the above anomaly detection jobs. - 1. You have **read** access to `.ml-anomalies-shared` index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges). + 1. 
You have **read** access to `.ml-anomalies-shared` data stream/index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges). 1. After enabling the jobs, go to **Management > Stack Management > Kibana > Data Views**. Click on **Create data view** with the following settings: - Name: `.ml-anomalies-shared` - - Index pattern : `.ml-anomalies-shared` + - Index pattern : `.ml-anomalies-shared*` - Select **Show Advanced settings** enable **Allow hidden and system indices** - Custom data view ID: `.ml-anomalies-shared` diff --git a/packages/ded/manifest.yml b/packages/ded/manifest.yml index 2e83c8b7bae..d6603623ef0 100644 --- a/packages/ded/manifest.yml +++ b/packages/ded/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.0 name: ded title: "Data Exfiltration Detection" -version: 2.4.1 +version: 2.4.2 source: license: "Elastic-2.0" description: "ML package to detect data exfiltration in your network and file data." diff --git a/packages/hta/changelog.yml b/packages/hta/changelog.yml index 3064f0f2725..e32de278ee4 100644 --- a/packages/hta/changelog.yml +++ b/packages/hta/changelog.yml 
@@ -1,3 +1,8 @@ +- version: "1.0.2" + changes: + - description: Update dashboard data view index pattern to use .ml-anomalies-shared*, as in newer stack versions this is now a data stream + type: bugfix + link: https://github.com/elastic/integrations/pull/XXXXX - version: "1.0.1" changes: - description: Update documentation on configuring data view for dashboards diff --git a/packages/hta/docs/README.md b/packages/hta/docs/README.md index c568e1cb29b..dbffaf4e393 100644 --- a/packages/hta/docs/README.md +++ b/packages/hta/docs/README.md 
@@ -6,10 +6,10 @@ The Host Traffic Anomalies package includes a dashboard that offers a high-level 1. **Start preconfigured anomaly detection jobs**: Go to **Machine Learning** -> Under **Anomaly Detection**, select **Jobs** -> Click **Create anomaly detection job button** -> Select your data view (ex: "logs-*") -> Select **Security: Host** -> Click **Create jobs**. 1. **Data view configuration for Dashboards**: For the dashboard to work as expected, the following settings need to be configured in Kibana. 1. You have started the above anomaly detection jobs. - 1. You have **read** access to `.ml-anomalies-shared` index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges). + 1. You have **read** access to `.ml-anomalies-shared` data stream/index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges). 1. 
After enabling the jobs, go to **Management > Stack Management > Kibana > Data Views**. Click on **Create data view** with the following settings: - Name: `.ml-anomalies-shared` - - Index pattern : `.ml-anomalies-shared` + - Index pattern : `.ml-anomalies-shared*` - Select **Show Advanced settings** enable **Allow hidden and system indices** - Custom data view ID: `.ml-anomalies-shared` diff --git a/packages/hta/manifest.yml b/packages/hta/manifest.yml index 78f374fee47..e3ee8455255 100644 --- a/packages/hta/manifest.yml +++ b/packages/hta/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.0 name: hta title: "Host Traffic Anomalies" -version: 1.0.1 +version: 1.0.2 source: license: "Elastic-2.0" description: "Prebuilt dashboard for Machine Learning module Security: Host." diff --git a/packages/lmd/changelog.yml b/packages/lmd/changelog.yml index 716e52f38fe..a04af7bda93 100644 --- a/packages/lmd/changelog.yml +++ b/packages/lmd/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.6.3" + changes: + - description: Update dashboard data view index pattern to use .ml-anomalies-shared*, as in newer stack versions this is now a data stream + type: bugfix + link: https://github.com/elastic/integrations/pull/XXXXX - version: "2.6.2" changes: - description: Update package docs with prerequisite steps for host.* fields diff --git a/packages/lmd/docs/README.md b/packages/lmd/docs/README.md index fcba3e98fbd..f3c9be687ef 100644 --- a/packages/lmd/docs/README.md +++ b/packages/lmd/docs/README.md 
@@ -31,10 +31,10 @@ If you are running version 8.18+, the Defend integration only collects a [subset 1. **_Note_**: In the Machine Learning app, these configurations are available only when data exists that matches the query specified in the [lmd-ml file](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L10). For example, this would be available in `logs-endpoint.events.*` if you used Elastic Defend to collect events. 1. **Data view configuration for Dashboards**: For the dashboard to work as expected, the following settings need to be configured in Kibana. 1. You have started the above anomaly detection jobs. - 1. You have **read** access to `.ml-anomalies-shared` index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges). + 1. You have **read** access to `.ml-anomalies-shared` data stream/index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. 
For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges). 1. After enabling the jobs, go to **Management > Stack Management > Kibana > Data Views**. Click on **Create data view** with the following settings: - Name: `.ml-anomalies-shared` - - Index pattern : `.ml-anomalies-shared` + - Index pattern : `.ml-anomalies-shared*` - Select **Show Advanced settings** enable **Allow hidden and system indices** - Custom data view ID: `.ml-anomalies-shared` diff --git a/packages/lmd/manifest.yml b/packages/lmd/manifest.yml index 3c4b18933ed..a255abc0acd 100644 --- a/packages/lmd/manifest.yml +++ b/packages/lmd/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.0 name: lmd title: "Lateral Movement Detection" -version: 2.6.2 +version: 2.6.3 source: license: "Elastic-2.0" description: "ML package to detect lateral movement based on file transfer activity and Windows RDP events." diff --git a/packages/pad/changelog.yml b/packages/pad/changelog.yml index bd4f7959dd1..1dd904ab4b0 100644 --- a/packages/pad/changelog.yml +++ b/packages/pad/changelog.yml @@ -1,3 +1,8 @@ +- version: "1.1.2" + changes: + - description: Update dashboard data view index pattern to use .ml-anomalies-shared*, as in newer stack versions this is now a data stream + type: bugfix + link: https://github.com/elastic/integrations/pull/XXXXX - version: "1.1.1" changes: - description: Update package docs with customization steps for ML jobs and transforms diff --git a/packages/pad/docs/README.md b/packages/pad/docs/README.md index 5ea7bf25871..0016f65405c 100644 --- a/packages/pad/docs/README.md +++ b/packages/pad/docs/README.md 
@@ -72,10 +72,10 @@ The package transform supports data from Elastic Endpoint via Elastic Defend and **_Note_**: In the Machine Learning app, these configurations are available only when data exists that matches the query specified in the [pad-ml file](https://github.com/elastic/integrations/blob/main/packages/pad/kibana/ml_module/pad-ml.json#L10). Additionally, we recommend backdating the datafeed for these anomaly detection jobs to a specific timeframe, as some datafeed queries are resource-intensive and may lead to query delays. We advise you to start the datafeed with 2-3 months' worth of data. 1. **Data view configuration for Dashboards**: For the dashboard to work as expected, the following settings need to be configured in Kibana. 1. You have started the above anomaly detection jobs. - 1. You have **read** access to `.ml-anomalies-shared` index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges). + 1. You have **read** access to `.ml-anomalies-shared` data stream/index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. 
Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges). 1. After enabling the jobs, go to **Management > Stack Management > Kibana > Data Views**. Click on **Create data view** with the following settings: - Name: `.ml-anomalies-shared` - - Index pattern : `.ml-anomalies-shared` + - Index pattern : `.ml-anomalies-shared*` - Select **Show Advanced settings** enable **Allow hidden and system indices** - Custom data view ID: `.ml-anomalies-shared` diff --git a/packages/pad/manifest.yml b/packages/pad/manifest.yml index 8d39609dc15..a71f93f3bdf 100644 --- a/packages/pad/manifest.yml +++ b/packages/pad/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.0 name: pad title: "Privileged Access Detection" -version: 1.1.1 +version: 1.1.2 source: license: "Elastic-2.0" description: "ML package to detect anomalous privileged access activity in Windows, Linux and Okta logs" From 4c3f6efa85bfc2cbec970729c2647f70d5b58659 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Fri, 20 Mar 2026 14:44:47 -0500 Subject: [PATCH 2/3] clarification for blogs --- packages/beaconing/changelog.yml | 5 +++++ packages/beaconing/docs/README.md | 2 +- packages/beaconing/manifest.yml | 2 +- packages/ded/changelog.yml | 4 ++-- packages/ded/docs/README.md | 2 +- packages/dga/changelog.yml | 5 +++++ packages/dga/docs/README.md | 2 +- packages/dga/manifest.yml | 2 +- packages/hta/changelog.yml | 4 ++-- packages/lmd/changelog.yml | 4 ++-- packages/lmd/docs/README.md | 2 +- packages/pad/changelog.yml | 4 ++-- packages/problemchild/changelog.yml | 5 +++++ packages/problemchild/docs/README.md | 2 +- packages/problemchild/manifest.yml | 2 +- 15 files changed, 31 insertions(+), 16 deletions(-) 
diff --git a/packages/beaconing/changelog.yml b/packages/beaconing/changelog.yml index b4c209c86f4..2264a7d1711 100644 --- a/packages/beaconing/changelog.yml +++ b/packages/beaconing/changelog.yml @@ -1,3 +1,8 @@ +- version: "1.5.3" + changes: + - description: Update documentation for blogs + type: enhancement + link: https://github.com/elastic/integrations/pull/17933 - version: "1.5.2" changes: - description: Clarify prebuilt rules available from version 8.11.3 and above diff --git a/packages/beaconing/docs/README.md b/packages/beaconing/docs/README.md index d071d616729..fac74c2f0bb 100644 --- a/packages/beaconing/docs/README.md +++ b/packages/beaconing/docs/README.md @@ -7,7 +7,7 @@ This package leverages event logs on Linux, macOS, and Windows. Prior to using t **Note**: This package filters out data from cold and frozen data tiers to reduce heap memory usage, avoid running on outdated data, and to follow best practices. -For more detailed information refer to the following blog: +The following blog provides additional context. For the most current installation instructions, always follow the steps in this guide. - [Identifying beaconing malware using Elastic](https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic) ## Installation diff --git a/packages/beaconing/manifest.yml b/packages/beaconing/manifest.yml index 1fe9f427db7..6666e4bff5b 100644 --- a/packages/beaconing/manifest.yml +++ b/packages/beaconing/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.0 name: beaconing title: "Network Beaconing Identification" -version: 1.5.2 +version: 1.5.3 source: license: "Elastic-2.0" description: "Package to identify beaconing activity in your network events." diff --git a/packages/ded/changelog.yml b/packages/ded/changelog.yml index c4054766aa7..b2fafdd0d35 100644 --- a/packages/ded/changelog.yml +++ b/packages/ded/changelog.yml 
@@ -1,8 +1,8 @@ - version: "2.4.2" changes: - - description: Update dashboard data view index pattern to use .ml-anomalies-shared*, as in newer stack versions this is now a data stream + - description: Update documentation for blogs/data views type: bugfix - link: https://github.com/elastic/integrations/pull/XXXXX + link: https://github.com/elastic/integrations/pull/17933 - version: "2.4.1" changes: - description: Update package docs with customization steps for ML jobs and transforms diff --git a/packages/ded/docs/README.md b/packages/ded/docs/README.md index 612e56f6a68..4a79d69ea29 100644 --- a/packages/ded/docs/README.md +++ b/packages/ded/docs/README.md @@ -6,7 +6,7 @@ This package leverages event logs. Prior to using this integration, you must hav **Note**: In versions 2.1.1 and later, this package ignores data in cold and frozen data tiers to reduce heap memory usage, avoid running on outdated data, and to follow best practices. -For more detailed information refer to the following blog: +The following blog provides additional context. For the most current installation instructions, always follow the steps in this guide. - [Detect data exfiltration activity with Kibana’s new integration](https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration) ## Installation diff --git a/packages/dga/changelog.yml b/packages/dga/changelog.yml index 2d79a5cf85c..892959704dc 100644 --- a/packages/dga/changelog.yml +++ b/packages/dga/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.3.6" + changes: + - description: Update documentation for blogs + type: enhancement + link: https://github.com/elastic/integrations/pull/17933 - version: "2.3.5" changes: - description: Update package docs with customization steps for ML jobs and transforms diff --git a/packages/dga/docs/README.md b/packages/dga/docs/README.md index e4570628b47..d49d259b181 100644 --- a/packages/dga/docs/README.md +++ b/packages/dga/docs/README.md 
@@ -6,7 +6,7 @@ This package leverages event logs on Linux, macOS, and Windows. Prior to using t **Note**: In versions 2.0.1 and later, this package ignores data in cold and frozen data tiers to reduce heap memory usage, avoid running on outdated data, and to follow best practices. -For more detailed information refer to the following blogs: +The following blogs provide additional context. For the most current installation instructions, always follow the steps in this guide. - [Detect domain generation algorithm (DGA) activity with new Kibana integration](https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration) - [Combining supervised and unsupervised machine learning for DGA detection](https://www.elastic.co/blog/supervised-and-unsupervised-machine-learning-for-dga-detection) diff --git a/packages/dga/manifest.yml b/packages/dga/manifest.yml index c7bd748790a..3064baa4fe8 100644 --- a/packages/dga/manifest.yml +++ b/packages/dga/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.4 name: dga title: "Domain Generation Algorithm Detection" -version: 2.3.5 +version: 2.3.6 source: license: "Elastic-2.0" description: "ML solution package to detect domain generation algorithm (DGA) activity in your network data." diff --git a/packages/hta/changelog.yml b/packages/hta/changelog.yml index e32de278ee4..847dd9e93f4 100644 --- a/packages/hta/changelog.yml +++ b/packages/hta/changelog.yml @@ -1,8 +1,8 @@ - version: "1.0.2" changes: - - description: Update dashboard data view index pattern to use .ml-anomalies-shared*, as in newer stack versions this is now a data stream + - description: Update documentation for data views type: bugfix - link: https://github.com/elastic/integrations/pull/XXXXX + link: https://github.com/elastic/integrations/pull/17933 - version: "1.0.1" changes: - description: Update documentation on configuring data view for dashboards 
diff --git a/packages/lmd/changelog.yml b/packages/lmd/changelog.yml index a04af7bda93..0ef4d08965c 100644 --- a/packages/lmd/changelog.yml +++ b/packages/lmd/changelog.yml @@ -1,9 +1,9 @@ # newer versions go on top - version: "2.6.3" changes: - - description: Update dashboard data view index pattern to use .ml-anomalies-shared*, as in newer stack versions this is now a data stream + - description: Update documentation for blogs/data views type: bugfix - link: https://github.com/elastic/integrations/pull/XXXXX + link: https://github.com/elastic/integrations/pull/17933 - version: "2.6.2" changes: - description: Update package docs with prerequisite steps for host.* fields diff --git a/packages/lmd/docs/README.md b/packages/lmd/docs/README.md index f3c9be687ef..98cf9784b92 100644 --- a/packages/lmd/docs/README.md +++ b/packages/lmd/docs/README.md @@ -4,7 +4,7 @@ The Lateral movement detection model package contains assets that detect lateral **Note**: In versions 2.1.2 and later, this package ignores data in cold and frozen data tiers to reduce heap memory usage, avoid running on outdated data, and to follow best practices. -For more detailed information refer to the following blogs: +The following blogs provide additional context. For the most current installation instructions, always follow the steps in this guide. - [Detecting Lateral Movement activity: A new Kibana integration](https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration) - [Identifying malicious Remote Desktop Protocol (RDP) connections with Elastic Security](https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security) diff --git a/packages/pad/changelog.yml b/packages/pad/changelog.yml index 1dd904ab4b0..0ef2e058e41 100644 --- a/packages/pad/changelog.yml +++ b/packages/pad/changelog.yml 
@@ -1,8 +1,8 @@ - version: "1.1.2" changes: - - description: Update dashboard data view index pattern to use .ml-anomalies-shared*, as in newer stack versions this is now a data stream + - description: Update documentation for data views type: bugfix - link: https://github.com/elastic/integrations/pull/XXXXX + link: https://github.com/elastic/integrations/pull/17933 - version: "1.1.1" changes: - description: Update package docs with customization steps for ML jobs and transforms diff --git a/packages/problemchild/changelog.yml b/packages/problemchild/changelog.yml index 3ca3eb3470d..6b570308034 100644 --- a/packages/problemchild/changelog.yml +++ b/packages/problemchild/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.4.6" + changes: + - description: Update documentation for blogs + type: enhancement + link: https://github.com/elastic/integrations/pull/17933 - version: "2.4.5" changes: - description: Update package docs with customization steps for ML jobs and transforms diff --git a/packages/problemchild/docs/README.md b/packages/problemchild/docs/README.md index 4dbeb562b1e..be8ea727960 100644 --- a/packages/problemchild/docs/README.md +++ b/packages/problemchild/docs/README.md 
@@ -6,7 +6,7 @@ This package support data from Elastic Endpoint via Elastic Defend or winlogbeat **Note**: In versions 2.1.1 and later, this package ignores data in cold and frozen data tiers to reduce heap memory usage, avoid running on outdated data, and to follow best practices. -For more detailed information refer to the following blogs and webinar: +The following blogs and webinar provide additional context. For the most current installation instructions, always follow the steps in this guide. - [Detecting Living-off-the-land attacks with new Elastic Integration](https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration) - [ProblemChild: Detecting living-off-the-land attacks using the Elastic Stack](https://www.elastic.co/blog/problemchild-detecting-living-off-the-land-attacks) - [ProblemChild: Generate alerts to detect living-off-the-land attacks](https://www.elastic.co/blog/problemchild-generate-alerts-to-detect-living-off-the-land-attacks) diff --git a/packages/problemchild/manifest.yml b/packages/problemchild/manifest.yml index f34640e516e..02b71b9b57f 100644 --- a/packages/problemchild/manifest.yml +++ b/packages/problemchild/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.0 name: problemchild title: "Living off the Land Attack Detection" -version: 2.4.5 +version: 2.4.6 source: license: "Elastic-2.0" description: "ML solution package to detect Living off the Land (LotL) attacks in your environment. Requires a Platinum subscription." From e6398852bf7474e21bc4e5036bd117bc113d40c9 Mon Sep 17 00:00:00 2001 
From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Fri, 20 Mar 2026 15:19:46 -0500 Subject: [PATCH 3/3] bump transform versions --- .../elasticsearch/transform/pivot_transform/transform.yml | 6 +++--- .../elasticsearch/transform/pivot_transform/transform.yml | 6 +++--- .../elasticsearch/transform/pivot_transform/transform.yml | 2 +- .../pivot_transform_okta_multiple_sessions/transform.yml | 4 ++-- .../pivot_transform_windows_privilege_list/transform.yml | 4 ++-- 5 files changed, 11 insertions(+), 11 deletions(-) diff --git a/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml b/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml index 9a8e17fc4f7..8e45bffa588 100644 --- a/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml +++ b/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml @@ -1,6 +1,6 @@ dest: - index: ml_beaconing-1.5.2 - pipeline: 1.5.2-ml_beaconing_ingest_pipeline + index: ml_beaconing-1.5.3 + pipeline: 1.5.3-ml_beaconing_ingest_pipeline aliases: - alias: ml_beaconing.latest move_on_creation: true @@ -394,5 +394,5 @@ sync: delay: 120s field: "@timestamp" _meta: - fleet_transform_version: 1.5.2 + fleet_transform_version: 1.5.3 run_as_kibana_system: false diff --git a/packages/ded/elasticsearch/transform/pivot_transform/transform.yml b/packages/ded/elasticsearch/transform/pivot_transform/transform.yml index f4a2aa81aa8..83c8aa4b1ea 100644 --- a/packages/ded/elasticsearch/transform/pivot_transform/transform.yml +++ b/packages/ded/elasticsearch/transform/pivot_transform/transform.yml 
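Review bot: Rotating `dest.index` to `ml_beaconing-1.5.3` and `pipeline` to `1.5.3-ml_beaconing_ingest_pipeline` is a behavioural change, not a cosmetic bump: on upgrade the transform is recreated against a fresh destination index and `ml_beaconing.latest` moves to it (`move_on_creation: true`), yet the 1.5.3 changelog entry added in the previous patch describes this release only as `Update documentation for blogs` with `type: enhancement`. Suggest the changelog state it explicitly, e.g. `- description: Bump transform destination index and ingest pipeline to 1.5.3`, so an operator reviewing the upgrade expects a new `ml_beaconing-*` index and a re-pivot from the source rather than investigating it as an anomaly; the same applies to the ded and pad transforms in this patch. The rest of the `aliases:` list and the `dest:` block lies outside the visible hunk, so whether an `.all` alias is also affected cannot be confirmed from here.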
@@ -1,12 +1,12 @@ dest: - index: ml_network_ded-2.4.1 + index: ml_network_ded-2.4.2 aliases: - alias: ml_network_ded.latest move_on_creation: true - alias: ml_network_ded.all move_on_creation: false - pipeline: 2.4.1-ml_ded_ingest_pipeline + pipeline: 2.4.2-ml_ded_ingest_pipeline description: This transform runs every 30 minutes and collects network logs to detect data exfiltration in your environment for the past month up to the runtime. frequency: 30m pivot: @@ -94,5 +94,5 @@ sync: delay: 120s field: "@timestamp" _meta: - fleet_transform_version: 2.4.1 + fleet_transform_version: 2.4.2 run_as_kibana_system: false diff --git a/packages/lmd/elasticsearch/transform/pivot_transform/transform.yml b/packages/lmd/elasticsearch/transform/pivot_transform/transform.yml index 4ac6268cc9e..29bd9a71776 100644 --- a/packages/lmd/elasticsearch/transform/pivot_transform/transform.yml +++ b/packages/lmd/elasticsearch/transform/pivot_transform/transform.yml @@ -77,5 +77,5 @@ sync: delay: 60s field: '@timestamp' _meta: - fleet_transform_version: 2.6.0 + fleet_transform_version: 2.6.3 run_as_kibana_system: false diff --git a/packages/pad/elasticsearch/transform/pivot_transform_okta_multiple_sessions/transform.yml b/packages/pad/elasticsearch/transform/pivot_transform_okta_multiple_sessions/transform.yml index 575e9f7c384..12b72966229 100644 --- a/packages/pad/elasticsearch/transform/pivot_transform_okta_multiple_sessions/transform.yml +++ b/packages/pad/elasticsearch/transform/pivot_transform_okta_multiple_sessions/transform.yml @@ -18,7 +18,7 @@ source: - terms: '_tier': [ "data_cold", "data_frozen" ] dest: - index: ml_okta_multiple_user_sessions_pad-1.1.1 + index: ml_okta_multiple_user_sessions_pad-1.1.2 aliases: - alias: ml_okta_multiple_user_sessions_pad.latest move_on_creation: true @@ -61,5 +61,5 @@ sync: delay: 60s field: '@timestamp' _meta: - fleet_transform_version: 1.1.1 + fleet_transform_version: 1.1.2 run_as_kibana_system: false \ No newline at end of file 
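Review bot: The lmd transform hunk bumps only `_meta.fleet_transform_version` from `2.6.0` to `2.6.3`, whereas the beaconing, ded and pad transforms in this same patch also rotate `dest.index` and the ingest `pipeline` to the new package version. Presumably Fleet compares `fleet_transform_version` to decide whether to reinstall a transform, so this bump alone forces a reinstall of the lmd transform for a release whose changelog (patch 2) records only documentation changes, and the version jumps three releases with no transform change visible here. If the lmd `dest:` block, which lies outside this hunk, carries a versioned index name it should be bumped alongside for consistency; if it is deliberately unversioned, a short comment next to `_meta` such as `# dest index is unversioned; bump only when the pivot changes` would keep the next reader from treating the mismatch as an oversight.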
diff --git a/packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/transform.yml b/packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/transform.yml index 00a84c693ea..57b6adb6fbe 100644 --- a/packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/transform.yml +++ b/packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/transform.yml @@ -20,7 +20,7 @@ source: - terms: '_tier': [ "data_cold", "data_frozen" ] dest: - index: ml_windows_privilege_type_pad-1.1.1 + index: ml_windows_privilege_type_pad-1.1.2 aliases: - alias: ml_windows_privilege_type_pad.latest move_on_creation: true @@ -61,5 +61,5 @@ sync: delay: 60s field: '@timestamp' _meta: - fleet_transform_version: 1.1.1 + fleet_transform_version: 1.1.2 run_as_kibana_system: false \ No newline at end of file