---
title: Security anomaly detection configurations
description: These anomaly detection jobs automatically detect file system and network anomalies on your hosts. They appear in the Anomaly Detection interface of the...
url: https://www.elastic.co/elastic/docs-builder/docs/3016/reference/machine-learning/ootb-ml-jobs-siem
products:
  - Elastic Cloud Serverless
  - Elastic Security
  - Machine Learning
applies_to:
  - Serverless Security projects: Generally available
  - Elastic Stack: Generally available
---

# Security anomaly detection configurations
These anomaly detection jobs automatically detect file system and network anomalies on your hosts. They appear in the **Anomaly Detection** interface of the Elastic Security app in Kibana when you have data that matches their configuration. For more information, refer to [Anomaly detection with machine learning](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/advanced-entity-analytics/anomaly-detection).
<note applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
  In Elastic Stack 9.4, [Entity Analytics](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/advanced-entity-analytics) introduces fields for entity resolution. The machine learning jobs created in this version and later are designed to leverage these fields.
  - The affected machine learning jobs include an `_ea` suffix in their names, as described in each module below.
  - Previously installed machine learning jobs and detection rules continue to run, allowing time to transition to the Entity Analytics fields.
  - We recommend that you install the `_ea` machine learning jobs and verify they are collecting data and generating anomalies before upgrading to the latest detection rules included in 9.4.
</note>


## Data requirements

To use these anomaly detection jobs, install and configure one of the supported integrations listed in each job's table. No additional configuration is required beyond the integration's standard setup. For installation instructions, refer to each integration's documentation.

## Security: Authentication

Detect anomalous activity in your ECS-compatible authentication logs.
In the Machine Learning app, these configurations are available only when data exists that matches the query specified in the [manifest file](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/manifest.json). In the Elastic Security app, it looks in the data view specified in the [`securitySolution:defaultIndex` advanced setting](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/kibana/advanced-settings#securitysolution-defaultindex) for data that matches the query.
By default, when you create these jobs in the Elastic Security app, the job wizard uses a data view that applies to multiple indices. If you use Machine Learning instead, create a similar [data view](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/manifest.json#L7) and select it in the job wizard so the results match.
<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="auth_high_count_logon_events_ea">
        Looks for an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration, or brute force activity.
        **Supported integrations:** [System](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/system), [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="auth_high_count_logon_events">
        Looks for an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration, or brute force activity.
        **Supported integrations:** [System](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/system), [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="auth_high_count_logon_events_for_a_source_ip_ea">
        Looks for an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity.
        **Supported integrations:** [System](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/system), [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events_for_a_source_ip_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events_for_a_source_ip_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="auth_high_count_logon_events_for_a_source_ip">
        Looks for an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity.
        **Supported integrations:** [System](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/system), [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events_for_a_source_ip.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events_for_a_source_ip.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="auth_high_count_logon_fails_ea">
        Looks for an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration, or brute force activity and may be a precursor to account takeover or credentialed access.
        **Supported integrations:** [System](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/system), [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager)
        **Supported OS:** Windows, Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_fails_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_fails_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="auth_high_count_logon_fails">
        Looks for an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration, or brute force activity and may be a precursor to account takeover or credentialed access.
        **Supported integrations:** [System](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/system), [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager)
        **Supported OS:** Windows, Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_fails.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_fails.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="auth_rare_hour_for_a_user_ea">
        Looks for a user logging in at a time of day that is unusual for the user. This can be due to credentialed access through a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours.
        **Supported integrations:** [System](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/system), [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager)
        **Supported OS:** Windows, Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_hour_for_a_user_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_hour_for_a_user_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="auth_rare_hour_for_a_user">
        Looks for a user logging in at a time of day that is unusual for the user. This can be due to credentialed access through a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours.
        **Supported integrations:** [System](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/system), [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager)
        **Supported OS:** Windows, Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_hour_for_a_user.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_hour_for_a_user.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="auth_rare_source_ip_for_a_user_ea">
        Looks for a user logging in from an IP address that is unusual for the user. This can be due to credentialed access through a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.
        **Supported integrations:** [System](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/system), [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager)
        **Supported OS:** Windows, Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_source_ip_for_a_user_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_source_ip_for_a_user_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="auth_rare_source_ip_for_a_user">
        Looks for a user logging in from an IP address that is unusual for the user. This can be due to credentialed access through a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.
        **Supported integrations:** [System](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/system), [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager)
        **Supported OS:** Windows, Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_source_ip_for_a_user.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_source_ip_for_a_user.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="auth_rare_user_ea">
        Looks for an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. A user account that is normally inactive, because the user has left the organization, which becomes active, may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.
        **Supported integrations:** [System](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/system), [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager)
        **Supported OS:** Windows, Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_user_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_user_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="auth_rare_user">
        Looks for an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. A user account that is normally inactive, because the user has left the organization, which becomes active, may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.
        **Supported integrations:** [System](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/system), [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager)
        **Supported OS:** Windows, Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_user.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_user.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="suspicious_login_activity_ea">
        Detect unusually high number of authentication attempts.
        **Supported integrations:** [System](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/system), [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager)
        **Supported OS:** Windows, Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/suspicious_login_activity_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_suspicious_login_activity_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="suspicious_login_activity">
        Detect unusually high number of authentication attempts.
        **Supported integrations:** [System](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/system), [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager)
        **Supported OS:** Windows, Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/suspicious_login_activity.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_suspicious_login_activity.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>


## Security: Azure Activity Logs

<applies-to>
  - Elastic Cloud Serverless: Generally available
  - Elastic Stack: Generally available since 9.3
</applies-to>

Detect suspicious activity recorded in your Azure Activity Logs.
In the Machine Learning app, these configurations are available only when data exists that matches the query specified in the [manifest file](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/manifest.json). In the Elastic Security app, it looks in the data view specified in the [`securitySolution:defaultIndex` advanced setting](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/kibana/advanced-settings#securitysolution-defaultindex) for data that matches the query.
<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="azure_activitylogs_high_distinct_count_event_action_fail_ea">
        Looks for a spike in the rate of an error message, which might indicate an impending service failure or potentially be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor.
        **Supported integrations:** [Azure Activity Logs](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/azure/activitylogs)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_high_distinct_count_event_action_fail_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_high_distinct_count_event_action_fail_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga =9.3}" applies-to="Elastic Stack: Generally available in 9.3">
    <definitions>
      <definition term="azure_activitylogs_high_distinct_count_event_action_on_failure">
        Looks for a spike in the rate of an error message, which might indicate an impending service failure or potentially be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor.
        **Supported integrations:** [Azure Activity Logs](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/azure/activitylogs)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_high_distinct_count_event_action_on_failure.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_high_distinct_count_event_action_on_failure.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="azure_activitylogs_rare_event_action_on_failure_ea">
        Looks for unusual Azure activity event actions on failure. Rare and unusual errors might simply indicate an impending service failure but they can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor.
        **Supported integrations:** [Azure Activity Logs](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/azure/activitylogs)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_on_failure_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_on_failure_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga =9.3}" applies-to="Elastic Stack: Generally available in 9.3">
    <definitions>
      <definition term="azure_activitylogs_rare_event_action_on_failure">
        Looks for unusual Azure activity event actions on failure. Rare and unusual errors might simply indicate an impending service failure but they can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor.
        **Supported integrations:** [Azure Activity Logs](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/azure/activitylogs)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_on_failure.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_on_failure.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="azure_activitylogs_rare_event_action_for_a_city_ea">
        Looks for Azure activity event actions that, while not inherently suspicious or atypical, are sourcing from a geolocation (city) that is unexpected. This can be the result of compromised credentials or keys.
        **Supported integrations:** [Azure Activity Logs](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/azure/activitylogs)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_city_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_city_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga =9.3}" applies-to="Elastic Stack: Generally available in 9.3">
    <definitions>
      <definition term="azure_activitylogs_rare_event_action_for_a_city">
        Looks for Azure activity event actions that, while not inherently suspicious or atypical, are sourcing from a geolocation (city) that is unexpected. This can be the result of compromised credentials or keys.
        **Supported integrations:** [Azure Activity Logs](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/azure/activitylogs)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_city.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_city.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="azure_activitylogs_rare_event_action_for_a_country_ea">
        Looks for Azure activity event actions that, while not inherently suspicious or atypical, are sourcing from a geolocation (country) that is unexpected. This can be the result of compromised credentials or keys.
        **Supported integrations:** [Azure Activity Logs](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/azure/activitylogs)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_country_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_country_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga =9.3}" applies-to="Elastic Stack: Generally available in 9.3">
    <definitions>
      <definition term="azure_activitylogs_rare_event_action_for_a_country">
        Looks for Azure activity event actions that, while not inherently suspicious or atypical, are sourcing from a geolocation (country) that is unexpected. This can be the result of compromised credentials or keys.
        **Supported integrations:** [Azure Activity Logs](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/azure/activitylogs)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_country.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_country.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="azure_activitylogs_rare_event_action_for_a_user_email_ea">
        Looks for Azure activity event actions that, while not inherently suspicious or atypical, are sourcing from a unique user identifier context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data.
        **Supported integrations:** [Azure Activity Logs](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/azure/activitylogs)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_user_email_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_user_email_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga =9.3}" applies-to="Elastic Stack: Generally available in 9.3">
    <definitions>
      <definition term="azure_activitylogs_rare_event_action_for_a_username">
        Looks for Azure activity event actions that, while not inherently suspicious or atypical, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data.
        **Supported integrations:** [Azure Activity Logs](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/azure/activitylogs)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_username.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_username.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>


## Security: CloudTrail

Detect suspicious activity recorded in your CloudTrail logs.
In the Machine Learning app, these configurations are available only when data exists that matches the query specified in the [manifest file](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/manifest.json). In the Elastic Security app, it looks in the data view specified in the [`securitySolution:defaultIndex` advanced setting](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/kibana/advanced-settings#securitysolution-defaultindex) for data that matches the query.
<definitions>
  <definition term="high_distinct_count_error_message">
    Looks for a spike in the rate of an error message which may simply indicate an impending service failure but these can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor.
    **Supported integrations:** [AWS](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/aws/cloudtrail)
    **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/high_distinct_count_error_message.json)
    **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_high_distinct_count_error_message.json)
  </definition>
  <definition term="rare_error_code">
    Looks for unusual errors. Rare and unusual errors may simply indicate an impending service failure but they can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor.
    **Supported integrations:** [AWS](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/aws/cloudtrail)
    **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_error_code.json)
    **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_error_code.json)
  </definition>
  <definition term="rare_method_for_a_city">
    Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a geolocation (city) that is unusual. This can be the result of compromised credentials or keys.
    **Supported integrations:** [AWS](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/aws/cloudtrail)
    **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_city.json)
    **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_city.json)
  </definition>
  <definition term="rare_method_for_a_country">
    Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a geolocation (country) that is unusual. This can be the result of compromised credentials or keys.
    **Supported integrations:** [AWS](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/aws/cloudtrail)
    **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_country.json)
    **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_country.json)
  </definition>
</definitions>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="rare_method_for_a_user_id_ea">
        Looks for AWS API calls that, while not inherently suspicious or atypical, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data.
        **Supported integrations:** [AWS](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/aws/cloudtrail)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_user_id_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_user_id_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="rare_method_for_a_username">
        Looks for AWS API calls that, while not inherently suspicious or atypical, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data.
        **Supported integrations:** [AWS](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/aws/cloudtrail)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_username.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_username.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>


## Security: GCP Audit logs

<applies-to>
  - Elastic Cloud Serverless: Generally available
  - Elastic Stack: Generally available since 9.3
</applies-to>

Detect suspicious activity recorded in your GCP Audit logs.
In the Machine Learning app, these configurations are available only when data exists that matches the query specified in the [manifest file](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/manifest.json). In the Elastic Security app, it looks in the data view specified in the [`securitySolution:defaultIndex` advanced setting](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/kibana/advanced-settings#securitysolution-defaultindex) for data that matches the query.
<note applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
  Entity Analytics machine learning jobs require GCP Audit integration version `2.47.2` or later.
</note>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="gcp_audit_high_distinct_count_error_message_ea">
        Looks for a spike in the rate of an action where the event outcome is a failure. Spikes might indicate an impending service failure but could also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor.
        **Supported integrations:** [GCP Audit](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/gcp/audit)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_high_distinct_count_error_message_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_high_distinct_count_error_message_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga =9.3}" applies-to="Elastic Stack: Generally available in 9.3">
    <definitions>
      <definition term="gcp_audit_high_distinct_count_error_message">
        Looks for a spike in the rate of an action where the event outcome is a failure. Spikes might indicate an impending service failure but could also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor.
        **Supported integrations:** [GCP Audit](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/gcp/audit)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_high_distinct_count_error_message.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_high_distinct_count_error_message.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="gcp_audit_rare_error_code_ea">
        Looks for unusual errors. Rare and unusual errors might indicate an impending service failure but they can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor.
        **Supported integrations:** [GCP Audit](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/gcp/audit)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_error_code_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_error_code_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga =9.3}" applies-to="Elastic Stack: Generally available in 9.3">
    <definitions>
      <definition term="gcp_audit_rare_error_code">
        Looks for unusual errors. Rare and unusual errors might indicate an impending service failure but they can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor.
        **Supported integrations:** [GCP Audit](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/gcp/audit)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_error_code.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_error_code.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="gcp_audit_rare_method_for_a_city_ea">
        Looks for GCP actions that, while not inherently suspicious or atypical, are sourcing from a geolocation (city) that is unexpected. This can be the result of compromised credentials or keys.
        **Supported integrations:** [GCP Audit](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/gcp/audit)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_city_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_city_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga =9.3}" applies-to="Elastic Stack: Generally available in 9.3">
    <definitions>
      <definition term="gcp_audit_rare_method_for_a_city">
        Looks for GCP actions that, while not inherently suspicious or atypical, are sourcing from a geolocation (city) that is unexpected. This can be the result of compromised credentials or keys.
        **Supported integrations:** [GCP Audit](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/gcp/audit)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_city.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_city.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="gcp_audit_rare_method_for_a_country_ea">
        Looks for GCP actions calls that, while not inherently suspicious or atypical, are sourcing from a geolocation (country) that is unexpected. This can be the result of compromised credentials or keys.
        **Supported integrations:** [GCP Audit](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/gcp/audit)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_country_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_country_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga =9.3}" applies-to="Elastic Stack: Generally available in 9.3">
    <definitions>
      <definition term="gcp_audit_rare_method_for_a_country">
        Looks for GCP actions calls that, while not inherently suspicious or atypical, are sourcing from a geolocation (country) that is unexpected. This can be the result of compromised credentials or keys.
        **Supported integrations:** [GCP Audit](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/gcp/audit)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_country.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_country.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="gcp_audit_rare_method_for_a_user_email_ea">
        Looks for GCP actions that, while not inherently suspicious or atypical, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data.
        **Supported integrations:** [GCP Audit](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/gcp/audit)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_user_email_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_user_email_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga =9.3}" applies-to="Elastic Stack: Generally available in 9.3">
    <definitions>
      <definition term="gcp_audit_rare_method_for_a_client_user_email">
        Looks for GCP actions that, while not inherently suspicious or atypical, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data.
        **Supported integrations:** [GCP Audit](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/gcp/audit)
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_client_user_email.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_client_user_email.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>


## Security: Host

Anomaly detection jobs for host-based threat hunting and detection.
In the Machine Learning app, these configurations are available only when data exists that matches the query specified in the [manifest file](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/manifest.json). In the Elastic Security app, it looks in the data view specified in the [`securitySolution:defaultIndex` advanced setting](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/kibana/advanced-settings#securitysolution-defaultindex) for data that matches the query.
To access the host traffic anomalies dashboard in Kibana, go to: `Security -> Dashboards -> Host Traffic Anomalies`.
<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="high_count_events_for_a_host_name_ea">
        Detects sudden spikes in traffic associated with a host. This can be due to a range of security issues, such as a compromised system, DDoS attacks, malware infections, privilege escalation, or data exfiltration.
        **Supported integrations:** [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [System](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/system)
        **Supported OS:** Windows, Linux, macOS
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/high_count_events_for_a_host_name_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_high_count_events_for_a_host_name_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="high_count_events_for_a_host_name">
        Looks for a sudden spike in host based traffic. This can be due to a range of security issues, such as a compromised system, DDoS attacks, malware infections, privilege escalation, or data exfiltration.
        **Supported integrations:** [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [System](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/system)
        **Supported OS:** Windows, Linux, macOS
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/high_count_events_for_a_host_name.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_high_count_events_for_a_host_name.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="low_count_events_for_a_host_name_ea">
        Detects sudden drops in traffic associated with a host. This can be due to a range of security issues, such as a compromised system, a failed service, or a network misconfiguration.
        **Supported integrations:** [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [System](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/system)
        **Supported OS:** Windows, Linux, macOS
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/low_count_events_for_a_host_name_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_low_count_events_for_a_host_name_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="low_count_events_for_a_host_name">
        Looks for a sudden drop in host based traffic. This can be due to a range of security issues, such as a compromised system, a failed service, or a network misconfiguration.
        **Supported integrations:** [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [System](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/system)
        **Supported OS:** Windows, Linux, macOS
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/low_count_events_for_a_host_name.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_low_count_events_for_a_host_name.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>


## Security: Linux

Anomaly detection jobs for Linux host-based threat hunting and detection.
In the Machine Learning app, these configurations are available only when data exists that matches the query specified in the [manifest file](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/manifest.json). In the Elastic Security app, it looks in the data view specified in the [`securitySolution:defaultIndex` advanced setting](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/kibana/advanced-settings#securitysolution-defaultindex) for data that matches the query.
<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_linux_anomalous_network_activity_ea">
        Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_network_activity_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_network_activity_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_linux_anomalous_network_activity">
        Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_network_activity.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_network_activity.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_linux_anomalous_network_port_activity_ea">
        Looks for unusual destination port activity that could indicate command-and-control, persistence mechanism, or data exfiltration activity.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_network_port_activity_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_network_port_activity_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_linux_anomalous_network_port_activity">
        Looks for unusual destination port activity that could indicate command-and-control, persistence mechanism, or data exfiltration activity.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_network_port_activity.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_network_port_activity.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_linux_anomalous_process_all_hosts_ea">
        Looks for processes that are unusual to all Linux hosts. Such unusual processes may indicate unauthorized software, malware, or persistence mechanisms.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_process_all_hosts_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_process_all_hosts_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_linux_anomalous_process_all_hosts">
        Looks for processes that are unusual to all Linux hosts. Such unusual processes may indicate unauthorized software, malware, or persistence mechanisms.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_process_all_hosts.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_process_all_hosts.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_linux_anomalous_user_name_ea">
        Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user which may be credentialed access or lateral movement.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_user_name_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_user_name_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_linux_anomalous_user_name">
        Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user which may be credentialed access or lateral movement.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_user_name.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_anomalous_user_name.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_linux_network_configuration_discovery_ea">
        Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_network_configuration_discovery_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_network_configuration_discovery_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_linux_network_configuration_discovery">
        Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_network_configuration_discovery.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_network_configuration_discovery.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_linux_network_connection_discovery_ea">
        Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_network_connection_discovery_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_network_connection_discovery_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_linux_network_connection_discovery">
        Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_network_connection_discovery.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_network_connection_discovery.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_linux_rare_metadata_process_ea">
        Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_metadata_process_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_metadata_process_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_linux_rare_metadata_process">
        Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_metadata_process.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_metadata_process.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_linux_rare_metadata_user_ea">
        Looks for anomalous access to the metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_metadata_user_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_metadata_user_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_linux_rare_metadata_user">
        Looks for anomalous access to the metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_metadata_user.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_metadata_user.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_linux_rare_sudo_user_ea">
        Looks for sudo activity from an unusual user context. Unusual user context changes can be due to privilege escalation.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_sudo_user_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_sudo_user_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_linux_rare_sudo_user">
        Looks for sudo activity from an unusual user context. Unusual user context changes can be due to privilege escalation.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_sudo_user.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_sudo_user.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_linux_rare_user_compiler_ea">
        Looks for compiler activity by a user context which does not normally run compilers. This can be ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation through locally run exploits or malware activity.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_user_compiler_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_user_compiler_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_linux_rare_user_compiler">
        Looks for compiler activity by a user context which does not normally run compilers. This can be ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation through locally run exploits or malware activity.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_user_compiler.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_user_compiler.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_linux_system_information_discovery_ea">
        Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery to gather detailed information about system configuration and software versions. This may be a precursor to the selection of a persistence mechanism or a method of privilege elevation.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_information_discovery_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_information_discovery_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_linux_system_information_discovery">
        Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery to gather detailed information about system configuration and software versions. This may be a precursor to the selection of a persistence mechanism or a method of privilege elevation.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_information_discovery.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_information_discovery.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_linux_system_process_discovery_ea">
        Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system process discovery to increase their understanding of software applications running on a target host or network. This may be a precursor to the selection of a persistence mechanism or a method of privilege elevation.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_process_discovery_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_process_discovery_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_linux_system_process_discovery">
        Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system process discovery to increase their understanding of software applications running on a target host or network. This may be a precursor to the selection of a persistence mechanism or a method of privilege elevation.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_process_discovery.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_process_discovery.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_linux_system_user_discovery_ea">
        Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping, or privilege elevation activity.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_user_discovery_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_user_discovery_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_linux_system_user_discovery">
        Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping, or privilege elevation activity.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_user_discovery.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_user_discovery.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_rare_process_by_host_linux_ea">
        Looks for processes that are unusual to a particular Linux host. Such unusual processes may indicate unauthorized software, malware, or persistence mechanisms.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_rare_process_by_host_linux_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_rare_process_by_host_linux_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_rare_process_by_host_linux">
        Looks for processes that are unusual to a particular Linux host. Such unusual processes may indicate unauthorized software, malware, or persistence mechanisms.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Auditd Manager](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd_manager), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_rare_process_by_host_linux.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_rare_process_by_host_linux.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>


## Security: Network

Detect anomalous network activity in your ECS-compatible network logs.
In the Machine Learning app, these configurations are available only when data exists that matches the query specified in the [manifest file](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_network/manifest.json). In the Elastic Security app, it looks in the data view specified in the [`securitySolution:defaultIndex` advanced setting](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/kibana/advanced-settings#securitysolution-defaultindex) for data that matches the query.
By default, when you create these jobs in the Elastic Security app, the job wizard uses a data view that applies to multiple indices. If you use Machine Learning instead, create a similar [data view](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_network/manifest.json#L7) and select it in the job wizard so the results match.
<definitions>
  <definition term="high_count_by_destination_country">
    Looks for an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.
    **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
    **Supported OS:** Windows, Linux, macOS
    **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_network/ml/high_count_by_destination_country.json)
    **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_network/ml/datafeed_high_count_by_destination_country.json)
  </definition>
  <definition term="high_count_network_denies">
    Looks for an unusually large spike in network traffic that was denied by network ACLs or firewall rules. Such a burst of denied traffic is usually either 1) a misconfigured application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This could also be due to unusually large amounts of reconnaissance or enumeration traffic.  Denial-of-service attacks or traffic floods may also produce such a surge in traffic.
    **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
    **Supported OS:** Windows, Linux, macOS
    **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_network/ml/high_count_network_denies.json)
    **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_network/ml/datafeed_high_count_network_denies.json)
  </definition>
  <definition term="high_count_network_events">
    Looks for an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic.  Denial-of-service attacks or traffic floods may also produce such a surge in traffic.
    **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
    **Supported OS:** Windows, Linux, macOS
    **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_network/ml/high_count_network_events.json)
    **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_network/ml/datafeed_high_count_network_events.json)
  </definition>
  <definition term="rare_destination_country">
    Looks for an unusual destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from a server in a country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.
    **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
    **Supported OS:** Windows, Linux, macOS
    **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_network/ml/rare_destination_country.json)
    **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_network/ml/datafeed_rare_destination_country.json)
  </definition>
</definitions>


## Security: Packetbeat

Detect suspicious network activity in Packetbeat data.
In the Machine Learning app, these configurations are available only when data exists that matches the query specified in the [manifest file](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/manifest.json). In the Elastic Security app, it looks in the data view specified in the [`securitySolution:defaultIndex` advanced setting](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/kibana/advanced-settings#securitysolution-defaultindex) for data that matches the query.
<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="packetbeat_dns_tunneling_ea">
        Looks for unusual DNS activity that could indicate command-and-control or data exfiltration activity.
        **Supported integrations:** [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Windows, Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_dns_tunneling_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_dns_tunneling_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="packetbeat_dns_tunneling">
        Looks for unusual DNS activity that could indicate command-and-control or data exfiltration activity.
        **Supported integrations:** [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Windows, Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_dns_tunneling.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_dns_tunneling.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="packetbeat_rare_dns_question_ea">
        Looks for unusual DNS activity that could indicate command-and-control activity.
        **Supported integrations:** [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Windows, Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_dns_question_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_dns_question_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="packetbeat_rare_dns_question">
        Looks for unusual DNS activity that could indicate command-and-control activity.
        **Supported integrations:** [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Windows, Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_dns_question.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_dns_question.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="packetbeat_rare_server_domain_ea">
        Looks for unusual HTTP or TLS destination domain activity that could indicate execution, persistence, command-and-control or data exfiltration activity.
        **Supported integrations:** [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Windows, Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_server_domain_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_server_domain_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="packetbeat_rare_server_domain">
        Looks for unusual HTTP or TLS destination domain activity that could indicate execution, persistence, command-and-control or data exfiltration activity.
        **Supported integrations:** [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Windows, Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_server_domain.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_server_domain.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="packetbeat_rare_urls_ea">
        Looks for unusual web browsing URL activity that could indicate execution, persistence, command-and-control or data exfiltration activity.
        **Supported integrations:** [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Windows, Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_urls_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_urls_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="packetbeat_rare_urls">
        Looks for unusual web browsing URL activity that could indicate execution, persistence, command-and-control or data exfiltration activity.
        **Supported integrations:** [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Windows, Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_urls.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_urls.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="packetbeat_rare_user_agent_ea">
        Looks for unusual HTTP user agent activity that could indicate execution, persistence, command-and-control or data exfiltration activity.
        **Supported integrations:** [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Windows, Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_user_agent_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_user_agent_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="packetbeat_rare_user_agent">
        Looks for unusual HTTP user agent activity that could indicate execution, persistence, command-and-control or data exfiltration activity.
        **Supported integrations:** [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Windows, Linux
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/packetbeat_rare_user_agent.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_user_agent.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>


## Security: Windows

Anomaly detection jobs for Windows host-based threat hunting and detection.
In the Machine Learning app, these configurations are available only when data exists that matches the query specified in the [manifest file](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/manifest.json). In the Elastic Security app, it looks in the data view specified in the [`securitySolution:defaultIndex` advanced setting](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/kibana/advanced-settings#securitysolution-defaultindex) for data that matches the query.
If there are additional requirements such as installing the Windows System Monitor (Sysmon) or auditing process creation in the Windows security event log, they are listed for each job.
<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_rare_process_by_host_windows_ea">
        Looks for processes that are unusual to a particular Windows host. Such unusual processes may indicate unauthorized software, malware, or persistence mechanisms.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_rare_process_by_host_windows_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_rare_process_by_host_windows_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_rare_process_by_host_windows">
        Looks for processes that are unusual to a particular Windows host. Such unusual processes may indicate unauthorized software, malware, or persistence mechanisms.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_rare_process_by_host_windows.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_rare_process_by_host_windows.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_windows_anomalous_network_activity_ea">
        Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_network_activity_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_network_activity_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_windows_anomalous_network_activity">
        Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_network_activity.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_network_activity.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_windows_anomalous_path_activity_ea">
        Looks for activity in unusual paths that may indicate execution of malware or persistence mechanisms. Windows payloads often execute from user profile paths.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_path_activity_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_path_activity_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_windows_anomalous_path_activity">
        Looks for activity in unusual paths that may indicate execution of malware or persistence mechanisms. Windows payloads often execute from user profile paths.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_path_activity.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_path_activity.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_windows_anomalous_process_all_hosts_ea">
        Looks for processes that are unusual to all Windows hosts. Such unusual processes may indicate execution of unauthorized software, malware, or persistence mechanisms.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_process_all_hosts_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_process_all_hosts_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_windows_anomalous_process_all_hosts">
        Looks for processes that are unusual to all Windows hosts. Such unusual processes may indicate execution of unauthorized software, malware, or persistence mechanisms.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_process_all_hosts.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_process_all_hosts.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_windows_anomalous_process_creation_ea">
        Looks for unusual process relationships which may indicate execution of malware or persistence mechanisms.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_process_creation_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_process_creation_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_windows_anomalous_process_creation">
        Looks for unusual process relationships which may indicate execution of malware or persistence mechanisms.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_process_creation.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_process_creation.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_windows_anomalous_script_ea">
        Looks for unusual powershell scripts that may indicate execution of malware, or persistence mechanisms.
        **Supported integrations:** [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_script_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_script_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_windows_anomalous_script">
        Looks for unusual powershell scripts that may indicate execution of malware, or persistence mechanisms.
        **Supported integrations:** [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_script.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_script.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_windows_anomalous_service_ea">
        Looks for rare and unusual Windows service names which may indicate execution of unauthorized services, malware, or persistence mechanisms.
        **Supported integrations:** [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_service_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_service_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_windows_anomalous_service">
        Looks for rare and unusual Windows service names which may indicate execution of unauthorized services, malware, or persistence mechanisms.
        **Supported integrations:** [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_service.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_service.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_windows_anomalous_user_name_ea">
        Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user which may be credentialed access or lateral movement.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_user_name_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_user_name_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_windows_anomalous_user_name">
        Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user which may be credentialed access or lateral movement.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_anomalous_user_name.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_anomalous_user_name.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_windows_rare_metadata_process_ea">
        Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_metadata_process_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_metadata_process_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_windows_rare_metadata_process">
        Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_metadata_process.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_metadata_process.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_windows_rare_metadata_user_ea">
        Looks for anomalous access to the metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_metadata_user_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_metadata_user_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_windows_rare_metadata_user">
        Looks for anomalous access to the metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_metadata_user.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_metadata_user.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_windows_rare_user_runas_event_ea">
        Unusual user context switches can be due to privilege escalation.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_user_runas_event_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_user_runas_event_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_windows_rare_user_runas_event">
        Unusual user context switches can be due to privilege escalation.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_user_runas_event.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_user_runas_event.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_windows_rare_user_type10_remote_login_ea">
        Unusual RDP (remote desktop protocol) user logins can indicate account takeover or credentialed access.
        **Supported integrations:** [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_user_type10_remote_login_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_user_type10_remote_login_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_windows_rare_user_type10_remote_login">
        Unusual RDP (remote desktop protocol) user logins can indicate account takeover or credentialed access.
        **Supported integrations:** [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_user_type10_remote_login.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_user_type10_remote_login.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="v3_windows_rare_script_ea">
        Looks for rare powershell scripts that may indicate execution of malware, or persistence mechanisms using hash.
        **Supported integrations:** [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_script_ea.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_script_ea.json)
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="v3_windows_rare_script">
        Looks for rare powershell scripts that may indicate execution of malware, or persistence mechanisms using hash.
        **Supported integrations:** [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows), [Winlogbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/winlogbeat)
        **Supported OS:** Windows
        **Job (JSON):** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_script.json)
        **Datafeed:** [code](https://github.com/elastic/kibana/blob/9.3/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_script.json)
      </definition>
    </definitions>
  </applies-item>
</applies-switch>


## Security: Elastic Integrations

[Elastic Integrations](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference) are a streamlined way to add Elastic assets to your environment, such as data ingestion, transforms, and in this case, machine learning capabilities for Security.
The following Integrations use machine learning to analyze patterns of user and entity behavior, and help detect and alert when there is related suspicious activity in your environment.
- [Data Exfiltration Detection](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/ded)
- [Domain Generation Algorithm Detection](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/dga)
- [Lateral Movement Detection](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/lmd)
- [Living off the Land Attack Detection](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/problemchild)
- <applies-to>Elastic Stack: Planned</applies-to> <applies-to>Elastic Cloud Serverless: Generally available</applies-to> [Privileged Access Detection](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/pad)


### Data Exfiltration Detection (DED)

Machine learning package to detect data exfiltration in your network and file data. Refer to the [subscription page](https://www.elastic.co/subscriptions) to learn more about the required subscription.
To download, refer to the [documentation](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/ded).
<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="ded_high_sent_bytes_destination_geo_country_iso_code_ea">
        Detects data exfiltration to an unusual geo-location (by country iso code).
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Windows, Linux
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="ded_high_sent_bytes_destination_geo_country_iso_code">
        Detects data exfiltration to an unusual geo-location (by country iso code).
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Windows, Linux
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="ded_high_sent_bytes_destination_ip_ea">
        Detects data exfiltration to an unusual geo-location (by IP address).
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Windows, Linux
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="ded_high_sent_bytes_destination_ip">
        Detects data exfiltration to an unusual geo-location (by IP address).
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Windows, Linux
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="ded_high_sent_bytes_destination_port_ea">
        Detects data exfiltration to an unusual destination port.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Windows, Linux
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="ded_high_sent_bytes_destination_port">
        Detects data exfiltration to an unusual destination port.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Windows, Linux
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="ded_high_sent_bytes_destination_region_name_ea">
        Detects data exfiltration to an unusual geo-location (by region name).
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Windows, Linux
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="ded_high_sent_bytes_destination_region_name">
        Detects data exfiltration to an unusual geo-location (by region name).
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Windows, Linux
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="ded_high_bytes_written_to_external_device_ea">
        Detects data exfiltration activity by identifying high bytes written to an external device.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="ded_high_bytes_written_to_external_device">
        Detects data exfiltration activity by identifying high bytes written to an external device.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="ded_rare_process_writing_to_external_device_ea">
        Detects data exfiltration activity by identifying a file write started by a rare process to an external device.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="ded_rare_process_writing_to_external_device">
        Detects data exfiltration activity by identifying a file write started by a rare process to an external device.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="ded_high_bytes_written_to_external_device_airdrop_ea">
        Detects data exfiltration activity by identifying high bytes written to an external device using Airdrop.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** macOS
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="ded_high_bytes_written_to_external_device_airdrop">
        Detects data exfiltration activity by identifying high bytes written to an external device using Airdrop.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** macOS
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

The job configurations and datafeeds can be found [here](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json).

### Domain Generation Algorithm (DGA) Detection

Machine learning solution package to detect domain generation algorithm (DGA) activity in your network data. Refer to the [subscription page](https://www.elastic.co/subscriptions) to learn more about the required subscription.
To download, refer to the [documentation](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/dga).
<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="dga_high_sum_probability_ea">
        Detect domain generation algorithm (DGA) activity in your network data.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Windows, Linux
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="dga_high_sum_probability">
        Detect domain generation algorithm (DGA) activity in your network data.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Network Packet Capture](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/network_traffic), [Packetbeat](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/beats/packetbeat)
        **Supported OS:** Windows, Linux
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

The job configurations and datafeeds can be found [here](https://github.com/elastic/integrations/blob/main/packages/dga/kibana/ml_module/dga-ml.json).

### Lateral Movement Detection (LMD)

Machine learning package to detect lateral movement based on file transfer activity and Windows RDP events. Refer to the [subscription page](https://www.elastic.co/subscriptions) to learn more about the required subscription.
To download, refer to the [documentation](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/lmd).
<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="lmd_high_count_remote_file_transfer_ea">
        Detects unusually high file transfers to a remote host in the network.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows, Linux
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="lmd_high_count_remote_file_transfer">
        Detects unusually high file transfers to a remote host in the network.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows, Linux
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="lmd_high_file_size_remote_file_transfer_ea">
        Detects unusually high size of files shared with a remote host in the network.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows, Linux
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="lmd_high_file_size_remote_file_transfer">
        Detects unusually high size of files shared with a remote host in the network.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows, Linux
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="lmd_rare_file_extension_remote_transfer_ea">
        Detects data exfiltration to an unusual destination port.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows, Linux
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="lmd_rare_file_extension_remote_transfer">
        Detects data exfiltration to an unusual destination port.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows, Linux
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="lmd_rare_file_path_remote_transfer_ea">
        Detects unusual folders and directories on which a file is transferred.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows, Linux
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="lmd_rare_file_path_remote_transfer">
        Detects unusual folders and directories on which a file is transferred.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows, Linux
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="lmd_high_mean_rdp_session_duration_ea">
        Detects unusually high mean of RDP session duration.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="lmd_high_mean_rdp_session_duration">
        Detects unusually high mean of RDP session duration.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="lmd_high_var_rdp_session_duration_ea">
        Detects unusually high variance in RDP session duration.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="lmd_high_var_rdp_session_duration">
        Detects unusually high variance in RDP session duration.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="lmd_high_sum_rdp_number_of_processes_ea">
        Detects unusually high number of processes started in a single RDP session.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="lmd_high_sum_rdp_number_of_processes">
        Detects unusually high number of processes started in a single RDP session.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="lmd_unusual_time_weekday_rdp_session_start_ea">
        Detects an RDP session started at an unusual time or weekday.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="lmd_unusual_time_weekday_rdp_session_start">
        Detects an RDP session started at an unusual time or weekday.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="lmd_high_rdp_distinct_count_source_ip_for_destination_ea">
        Detects a high count of source IPs making an RDP connection with a single destination IP.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="lmd_high_rdp_distinct_count_source_ip_for_destination">
        Detects a high count of source IPs making an RDP connection with a single destination IP.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="lmd_high_rdp_distinct_count_destination_ip_for_source_ea">
        Detects a high count of destination IPs establishing an RDP connection with a single source IP.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="lmd_high_rdp_distinct_count_destination_ip_for_source">
        Detects a high count of destination IPs establishing an RDP connection with a single source IP.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="lmd_high_mean_rdp_process_args_ea">
        Detects unusually high number of process arguments in an RDP session.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="lmd_high_mean_rdp_process_args">
        Detects unusually high number of process arguments in an RDP session.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

The job configurations and datafeeds can be found [here](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json).

### Living off the Land Attack (LotL) Detection

Machine learning solution package to detect Living off the Land (LotL) attacks in your environment. Refer to the [subscription page](https://www.elastic.co/subscriptions) to learn more about the required subscription. (Also known as ProblemChild).
To download, refer to the [documentation](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/problemchild).
<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="problem_child_rare_process_by_host_ea">
        Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="problem_child_rare_process_by_host">
        Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="problem_child_high_sum_by_host_ea">
        Looks for a set of one or more malicious child processes on a single host.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="problem_child_high_sum_by_host">
        Looks for a set of one or more malicious child processes on a single host.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="problem_child_rare_process_by_user_ea">
        Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="problem_child_rare_process_by_user">
        Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="problem_child_rare_process_by_parent_ea">
        Looks for rare malicious child processes spawned by a parent process.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="problem_child_rare_process_by_parent">
        Looks for rare malicious child processes spawned by a parent process.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="problem_child_high_sum_by_user_ea">
        Looks for a set of one or more malicious processes, started by the same user.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="problem_child_high_sum_by_user">
        Looks for a set of one or more malicious processes, started by the same user.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

<applies-switch>
  <applies-item title="{stack: ga 9.4+, serverless: ga}" applies-to="Elastic Cloud Serverless: Generally available, Elastic Stack: Planned">
    <definitions>
      <definition term="problem_child_high_sum_by_parent_ea">
        Looks for a set of one or more malicious child processes spawned by the same parent process.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>

  <applies-item title="{stack: ga 9.0-9.3}" applies-to="Elastic Stack: Generally available from 9.0 to 9.3">
    <definitions>
      <definition term="problem_child_high_sum_by_parent">
        Looks for a set of one or more malicious child processes spawned by the same parent process.
        **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint), [Windows](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/windows)
        **Supported OS:** Windows
      </definition>
    </definitions>
  </applies-item>
</applies-switch>

The job configurations and datafeeds can be found [here](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json).

### Privileged Access Detection (PAD)

<applies-to>
  - Elastic Cloud Serverless: Generally available
  - Elastic Stack: Planned
</applies-to>

Machine learning package to detect anomalous privileged access activity in Windows, Linux and Okta logs. Refer to the [subscription page](https://www.elastic.co/subscriptions) to learn more about the required subscription.
To download, refer to the [documentation](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/pad).
<definitions>
  <definition term="pad_windows_high_count_special_logon_events_ea">
    Detects unusually high special logon events initiated by a user.
    **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
    **Supported OS:** Windows
  </definition>
  <definition term="pad_windows_high_count_special_privilege_use_events_ea">
    Detects unusually high special privilege use events initiated by a user.
    **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
    **Supported OS:** Windows
  </definition>
  <definition term="pad_windows_high_count_group_management_events_ea">
    Detects unusually high security group management events initiated by a user.
    **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
    **Supported OS:** Windows
  </definition>
  <definition term="pad_windows_high_count_user_account_management_events_ea">
    Detects unusually high security user account management events initiated by a user.
    **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
    **Supported OS:** Windows
  </definition>
  <definition term="pad_windows_rare_privilege_assigned_to_user_ea">
    Detects an unusual privilege type assigned to a user.
    **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
    **Supported OS:** Windows
  </definition>
  <definition term="pad_windows_rare_group_name_by_user_ea">
    Detects an unusual group name accessed by a user.
    **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
    **Supported OS:** Windows
  </definition>
  <definition term="pad_windows_rare_device_by_user_ea">
    Detects an unusual device accessed by a user.
    **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
    **Supported OS:** Windows
  </definition>
  <definition term="pad_windows_rare_source_ip_by_user_ea">
    Detects an unusual source IP address accessed by a user.
    **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
    **Supported OS:** Windows
  </definition>
  <definition term="pad_windows_rare_region_name_by_user_ea">
    Detects an unusual region name for a user.
    **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
    **Supported OS:** Windows
  </definition>
  <definition term="pad_linux_high_count_privileged_process_events_by_user_ea">
    Detects a spike in privileged commands executed by a user.
    **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
    **Supported OS:** Linux
  </definition>
  <definition term="pad_linux_rare_process_executed_by_user_ea">
    Detects a rare process executed by a user.
    **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
    **Supported OS:** Linux
  </definition>
  <definition term="pad_linux_high_median_process_command_line_entropy_by_user_ea">
    Detects process command lines executed by a user with an abnormally high median entropy value.
    **Supported integrations:** [Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/endpoint)
    **Supported OS:** Linux
  </definition>
  <definition term="pad_okta_spike_in_group_membership_changes_ea">
    Detects spike in group membership change events by a user.
    **Supported integrations:** [Okta](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/okta)
  </definition>
  <definition term="pad_okta_spike_in_user_lifecycle_management_changes_ea">
    Detects spike in user lifecycle management change events by a user.
    **Supported integrations:** [Okta](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/okta)
  </definition>
  <definition term="pad_okta_spike_in_group_privilege_changes_ea">
    Detects spike in group privilege change events by a user.
    **Supported integrations:** [Okta](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/okta)
  </definition>
  <definition term="pad_okta_spike_in_group_application_assignment_change_ea">
    Detects spike in group application assignment change events by a user.
    **Supported integrations:** [Okta](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/okta)
  </definition>
  <definition term="pad_okta_spike_in_group_lifecycle_changes_ea">
    Detects spike in group lifecycle change events by a user.
    **Supported integrations:** [Okta](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/okta)
  </definition>
  <definition term="pad_okta_high_sum_concurrent_sessions_by_user_ea">
    Detects an unusual sum of active sessions started by a user.
    **Supported integrations:** [Okta](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/okta)
  </definition>
  <definition term="pad_okta_rare_source_ip_by_user_ea">
    Detects an unusual source IP address accessed by a user.
    **Supported integrations:** [Okta](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/okta)
  </definition>
  <definition term="pad_okta_rare_region_name_by_user_ea">
    Detects an unusual region name for a user.
    **Supported integrations:** [Okta](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/okta)
  </definition>
  <definition term="pad_okta_rare_host_name_by_user_ea">
    Detects an unusual host name for a user.
    **Supported integrations:** [Okta](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/okta)
  </definition>
</definitions>

The job configurations and datafeeds can be found [here](https://github.com/elastic/integrations/blob/main/packages/pad/kibana/ml_module/pad-ml.json).