Expand Up @@ -2,16 +2,16 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/03/19"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high
scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es)
A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit
unusually high malicious probability scores.These process(es) have been classified as malicious in several ways. The process(es)
were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious
processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be
unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly
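Review bot: the new description text is missing a space after the period in `unusually high malicious probability scores.These process(es)`; the equivalent added line in the parent- and user-based rule files in this PR reads `scores. These`, so this one should be corrected to match before merging.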
Expand All @@ -21,7 +21,7 @@ from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "problem_child_high_sum_by_host"
name = "Suspicious Windows Process Cluster Spawned by a Host"
name = "Host Detected with Suspicious Windows Process(es)"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
"https://docs.elastic.co/en/integrations/problemchild",
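Review bot: only `name` changes in this hunk while `machine_learning_job_id` stays `problem_child_high_sum_by_host`, so the job binding is unaffected; please confirm the `rule_id` (outside this hunk) is left untouched so the rename deploys as an update to the existing rule rather than as a new rule, and that nothing else still refers to the old name `Suspicious Windows Process Cluster Spawned by a Host`.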
Expand Down Expand Up @@ -63,7 +63,7 @@ note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Windows Process Cluster Spawned by a Host
### Investigating Host Detected with Suspicious Windows Process(es)

The detection leverages machine learning to identify clusters of Windows processes with high malicious probability scores. Adversaries exploit legitimate tools, known as LOLbins, to evade detection. This rule uses both supervised and unsupervised ML models to flag unusual process clusters on a single host, indicating potential masquerading tactics for defense evasion.

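Review bot: the heading now matches the new rule name, but the first paragraph of the guide still describes the detection as identifying `clusters of Windows processes` and flagging `unusual process clusters on a single host`, while the new name and description cover one or more processes; consider aligning the guide wording (for example, "one or more suspicious processes on a single host") so the triage text matches what actually fires.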
Expand Up @@ -2,16 +2,16 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/03/19"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high
scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es)
A machine learning job combination has identified a parent process with one or more suspicious Windows processes that exhibit
unusually high malicious probability scores. These process(es) have been classified as malicious in several ways. The process(es)
were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious
processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to
be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly
Expand All @@ -21,7 +21,7 @@ from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "problem_child_high_sum_by_parent"
name = "Suspicious Windows Process Cluster Spawned by a Parent Process"
name = "Parent Process Detected with Suspicious Windows Process(es)"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
"https://docs.elastic.co/en/integrations/problemchild",
Expand Down Expand Up @@ -65,7 +65,7 @@ note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Windows Process Cluster Spawned by a Parent Process
### Investigating Parent Process Detected with Suspicious Windows Process(es)

In Windows environments, processes are often spawned by parent processes, forming a hierarchy. Adversaries exploit this by using legitimate processes to launch malicious ones, often leveraging Living off the Land Binaries (LOLBins) to evade detection. The detection rule employs machine learning to identify clusters of processes with high malicious probability, focusing on those sharing a common parent process. This approach helps uncover stealthy attacks that traditional methods might miss, enhancing defense against tactics like masquerading.

Expand Up @@ -2,16 +2,16 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/03/19"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high
scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es)
A machine learning job combination has identified a user with one or more suspicious Windows processes that exhibit
unusually high malicious probability scores. These process(es) have been classified as malicious in several ways. The process(es)
were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious
processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be
unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly
Expand All @@ -21,7 +21,7 @@ from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "problem_child_high_sum_by_user"
name = "Suspicious Windows Process Cluster Spawned by a User"
name = "User Detected with Suspicious Windows Process(es)"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
"https://docs.elastic.co/en/integrations/problemchild",
Expand Down Expand Up @@ -65,7 +65,7 @@ note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Windows Process Cluster Spawned by a User
### Investigating User Detected with Suspicious Windows Process(es)

The detection leverages machine learning to identify clusters of Windows processes with high malicious probability, often linked to tactics like masquerading. Adversaries exploit legitimate tools (LOLBins) to evade detection. This rule uses both supervised and unsupervised ML models to flag unusual process clusters, focusing on user-associated anomalies to uncover potential threats.
