UEBA packages documentation update for .ml-anomalies-shared/blogs

packages/beaconing/changelog.yml

@@ -1,3 +1,8 @@
+- version: "1.5.3"
+  changes:
+    - description: Update documentation for blogs
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/17933
 - version: "1.5.2"
   changes:
     - description: Clarify prebuilt rules available from version 8.11.3 and above

packages/beaconing/docs/README.md

@@ -7,7 +7,7 @@ This package leverages event logs on Linux, macOS, and Windows. Prior to using t
 
 **Note**: This package filters out data from cold and frozen data tiers to reduce heap memory usage, avoid running on outdated data, and to follow best practices.
 
-For more detailed information refer to the following blog:
+The following blog provides additional context. For the most current installation instructions, always follow the steps in this guide.
 - [Identifying beaconing malware using Elastic](https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic)
 
 ## Installation

packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml

@@ -1,6 +1,6 @@
 dest:
-  index: ml_beaconing-1.5.2
-  pipeline: 1.5.2-ml_beaconing_ingest_pipeline
+  index: ml_beaconing-1.5.3
+  pipeline: 1.5.3-ml_beaconing_ingest_pipeline
   aliases:
     - alias: ml_beaconing.latest
       move_on_creation: true
@@ -394,5 +394,5 @@ sync:
     delay: 120s
     field: "@timestamp"
 _meta:
-  fleet_transform_version: 1.5.2
+  fleet_transform_version: 1.5.3
   run_as_kibana_system: false

packages/beaconing/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: beaconing
 title: "Network Beaconing Identification"
-version: 1.5.2
+version: 1.5.3
 source:
   license: "Elastic-2.0"
 description: "Package to identify beaconing activity in your network events."

packages/ded/changelog.yml

@@ -1,3 +1,8 @@
+- version: "2.4.2"
+  changes:
+    - description: Update documentation for blogs/data views
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/17933
 - version: "2.4.1"
   changes:
     - description: Update package docs with customization steps for ML jobs and transforms

packages/ded/docs/README.md

@@ -6,7 +6,7 @@ This package leverages event logs. Prior to using this integration, you must hav
 
 **Note**: In versions 2.1.1 and later, this package ignores data in cold and frozen data tiers to reduce heap memory usage, avoid running on outdated data, and to follow best practices.
 
-For more detailed information refer to the following blog:
+The following blog provides additional context. For the most current installation instructions, always follow the steps in this guide.
 - [Detect data exfiltration activity with Kibana’s new integration](https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration)
 
 ## Installation
@@ -22,10 +22,10 @@ For more detailed information refer to the following blog:
 1. **Add preconfigured anomaly detection jobs**: In **Stack Management -> Anomaly Detection Jobs**, you will see **Select data view or saved search**. Select the data view created in the previous step. Then under `Use preconfigured jobs` you will see **Data Exfiltration Detection**. If you do not see this card, events must be ingested from a source that matches the query specified in the [ded-ml file](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json#L10), such as Elastic Defend. When you select the card, you will see pre-configured anomaly detection jobs that you can create depending on what makes the most sense for your environment. If you are using Elastic Defend to collect events, file events are in `logs-endpoint.events.file-*` and network events in `logs-endpoint.events.network-*`. If you are only collecting file or network events, select only the relevant jobs at this step.
 1. **Data view configuration for Dashboards**: For the dashboard to work as expected, the following settings need to be configured in Kibana. 
     1. You have started the above anomaly detection jobs.
-    1. You have **read** access to `.ml-anomalies-shared` index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges).
+    1. You have **read** access to `.ml-anomalies-shared` data stream/index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges).
     1. After enabling the jobs, go to **Management > Stack Management > Kibana > Data Views**.  Click on **Create data view** with the following settings:
         - Name: `.ml-anomalies-shared`
-        - Index pattern : `.ml-anomalies-shared`
+        - Index pattern : `.ml-anomalies-shared*`
         - Select **Show Advanced settings** enable **Allow hidden and system indices**
         - Custom data view ID: `.ml-anomalies-shared`
 

packages/ded/elasticsearch/transform/pivot_transform/transform.yml

@@ -1,12 +1,12 @@
 
 dest:
-  index: ml_network_ded-2.4.1
+  index: ml_network_ded-2.4.2
   aliases:
     - alias: ml_network_ded.latest
       move_on_creation: true
     - alias: ml_network_ded.all
       move_on_creation: false
-  pipeline: 2.4.1-ml_ded_ingest_pipeline
+  pipeline: 2.4.2-ml_ded_ingest_pipeline
 description: This transform runs every 30 minutes and collects network logs to detect data exfiltration in your environment for the past month up to the runtime.
 frequency: 30m
 pivot:
@@ -94,5 +94,5 @@ sync:
     delay: 120s
     field: "@timestamp"
 _meta:
-  fleet_transform_version: 2.4.1
+  fleet_transform_version: 2.4.2
   run_as_kibana_system: false

packages/ded/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: ded
 title: "Data Exfiltration Detection"
-version: 2.4.1
+version: 2.4.2
 source:
   license: "Elastic-2.0"
 description: "ML package to detect data exfiltration in your network and file data."

packages/dga/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.3.6"
+  changes:
+    - description: Update documentation for blogs
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/17933
 - version: "2.3.5"
   changes:
     - description: Update package docs with customization steps for ML jobs and transforms

packages/dga/docs/README.md

@@ -6,7 +6,7 @@ This package leverages event logs on Linux, macOS, and Windows. Prior to using t
 
 **Note**: In versions 2.0.1 and later, this package ignores data in cold and frozen data tiers to reduce heap memory usage, avoid running on outdated data, and to follow best practices.
 
-For more detailed information refer to the following blogs:
+The following blogs provide additional context. For the most current installation instructions, always follow the steps in this guide.
 - [Detect domain generation algorithm (DGA) activity with new Kibana integration](https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration)
 - [Combining supervised and unsupervised machine learning for DGA detection](https://www.elastic.co/blog/supervised-and-unsupervised-machine-learning-for-dga-detection)
 

packages/dga/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.0.4
 name: dga
 title: "Domain Generation Algorithm Detection"
-version: 2.3.5
+version: 2.3.6
 source:
   license: "Elastic-2.0"
 description: "ML solution package to detect domain generation algorithm (DGA) activity in your network data."

packages/hta/changelog.yml

@@ -1,3 +1,8 @@
+- version: "1.0.2"
+  changes:
+    - description: Update documentation for data views
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/17933
 - version: "1.0.1"
   changes:
     - description: Update documentation on configuring data view for dashboards

packages/hta/docs/README.md

@@ -6,10 +6,10 @@ The Host Traffic Anomalies package includes a dashboard that offers a high-level
 1. **Start preconfigured anomaly detection jobs**: Go to **Machine Learning** -> Under **Anomaly Detection**, select **Jobs** -> Click **Create anomaly detection job button** -> Select your data view (ex: "logs-*") -> Select **Security: Host** -> Click **Create jobs**.
 1. **Data view configuration for Dashboards**: For the dashboard to work as expected, the following settings need to be configured in Kibana. 
     1. You have started the above anomaly detection jobs.
-    1. You have **read** access to `.ml-anomalies-shared` index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges).
+    1. You have **read** access to `.ml-anomalies-shared` data stream/index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges).
     1. After enabling the jobs, go to **Management > Stack Management > Kibana > Data Views**.  Click on **Create data view** with the following settings:
         - Name: `.ml-anomalies-shared`
-        - Index pattern : `.ml-anomalies-shared`
+        - Index pattern : `.ml-anomalies-shared*`
         - Select **Show Advanced settings** enable **Allow hidden and system indices**
         - Custom data view ID: `.ml-anomalies-shared`
 

packages/hta/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: hta
 title: "Host Traffic Anomalies"
-version: 1.0.1
+version: 1.0.2
 source:
   license: "Elastic-2.0"
 description: "Prebuilt dashboard for Machine Learning module Security: Host."

packages/lmd/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.6.3"
+  changes:
+    - description: Update documentation for blogs/data views
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/17933
 - version: "2.6.2"
   changes:
     - description: Update package docs with prerequisite steps for host.* fields

packages/lmd/docs/README.md

@@ -4,7 +4,7 @@ The Lateral movement detection model package contains assets that detect lateral
 
 **Note**: In versions 2.1.2 and later, this package ignores data in cold and frozen data tiers to reduce heap memory usage, avoid running on outdated data, and to follow best practices.
 
-For more detailed information refer to the following blogs:
+The following blogs provide additional context. For the most current installation instructions, always follow the steps in this guide.
 - [Detecting Lateral Movement activity: A new Kibana integration](https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration)
 - [Identifying malicious Remote Desktop Protocol (RDP) connections with Elastic Security](https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security)
 
@@ -31,10 +31,10 @@ If you are running version 8.18+, the Defend integration only collects a [subset
     1. **_Note_**: In the Machine Learning app, these configurations are available only when data exists that matches the query specified in the [lmd-ml file](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L10). For example, this would be available in `logs-endpoint.events.*` if you used Elastic Defend to collect events.
 1. **Data view configuration for Dashboards**: For the dashboard to work as expected, the following settings need to be configured in Kibana.
     1. You have started the above anomaly detection jobs.
-    1. You have **read** access to `.ml-anomalies-shared` index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges).
+    1. You have **read** access to `.ml-anomalies-shared` data stream/index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges).
     1. After enabling the jobs, go to **Management > Stack Management > Kibana > Data Views**.  Click on **Create data view** with the following settings:
         - Name: `.ml-anomalies-shared`
-        - Index pattern : `.ml-anomalies-shared`
+        - Index pattern : `.ml-anomalies-shared*`
         - Select **Show Advanced settings** enable **Allow hidden and system indices**
         - Custom data view ID: `.ml-anomalies-shared`
 

packages/lmd/elasticsearch/transform/pivot_transform/transform.yml

@@ -77,5 +77,5 @@ sync:
     delay: 60s
     field: '@timestamp'
 _meta:
-  fleet_transform_version: 2.6.0
+  fleet_transform_version: 2.6.3
   run_as_kibana_system: false

packages/lmd/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: lmd
 title: "Lateral Movement Detection"
-version: 2.6.2
+version: 2.6.3
 source:
   license: "Elastic-2.0"
 description: "ML package to detect lateral movement based on file transfer activity and Windows RDP events."

packages/pad/changelog.yml

@@ -1,3 +1,8 @@
+- version: "1.1.2"
+  changes:
+    - description: Update documentation for data views
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/17933
 - version: "1.1.1"
   changes:
     - description: Update package docs with customization steps for ML jobs and transforms

packages/pad/docs/README.md

@@ -72,10 +72,10 @@ The package transform supports data from Elastic Endpoint via Elastic Defend and
 **_Note_**: In the Machine Learning app, these configurations are available only when data exists that matches the query specified in the [pad-ml file](https://github.com/elastic/integrations/blob/main/packages/pad/kibana/ml_module/pad-ml.json#L10). Additionally, we recommend backdating the datafeed for these anomaly detection jobs to a specific timeframe, as some datafeed queries are resource-intensive and may lead to query delays. We advise you to start the datafeed with 2-3 months' worth of data.
 1. **Data view configuration for Dashboards**: For the dashboard to work as expected, the following settings need to be configured in Kibana.
     1. You have started the above anomaly detection jobs.
-    1. You have **read** access to `.ml-anomalies-shared` index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges).
+    1. You have **read** access to `.ml-anomalies-shared` data stream/index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges).
     1. After enabling the jobs, go to **Management > Stack Management > Kibana > Data Views**.  Click on **Create data view** with the following settings:
         - Name: `.ml-anomalies-shared`
-        - Index pattern : `.ml-anomalies-shared`
+        - Index pattern : `.ml-anomalies-shared*`
         - Select **Show Advanced settings** enable **Allow hidden and system indices**
         - Custom data view ID: `.ml-anomalies-shared`
 

packages/pad/elasticsearch/transform/pivot_transform_okta_multiple_sessions/transform.yml

@@ -18,7 +18,7 @@ source:
         - terms:
             '_tier': [ "data_cold", "data_frozen" ]
 dest:
-  index: ml_okta_multiple_user_sessions_pad-1.1.1
+  index: ml_okta_multiple_user_sessions_pad-1.1.2
   aliases:
     - alias: ml_okta_multiple_user_sessions_pad.latest
       move_on_creation: true
@@ -61,5 +61,5 @@ sync:
     delay: 60s
     field: '@timestamp'
 _meta:
-  fleet_transform_version: 1.1.1
+  fleet_transform_version: 1.1.2
   run_as_kibana_system: false

packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/transform.yml

@@ -20,7 +20,7 @@ source:
         - terms:
             '_tier': [ "data_cold", "data_frozen" ]
 dest:
-  index: ml_windows_privilege_type_pad-1.1.1
+  index: ml_windows_privilege_type_pad-1.1.2
   aliases:
     - alias: ml_windows_privilege_type_pad.latest
       move_on_creation: true
@@ -61,5 +61,5 @@ sync:
     delay: 60s
     field: '@timestamp'
 _meta:
-  fleet_transform_version: 1.1.1
+  fleet_transform_version: 1.1.2
   run_as_kibana_system: false

packages/pad/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: pad
 title: "Privileged Access Detection"
-version: 1.1.1
+version: 1.1.2
 source:
   license: "Elastic-2.0"
 description: "ML package to detect anomalous privileged access activity in Windows, Linux and Okta logs"

packages/problemchild/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.4.6"
+  changes:
+    - description: Update documentation for blogs
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/17933
 - version: "2.4.5"
   changes:
     - description: Update package docs with customization steps for ML jobs and transforms