[Security] [Serverless: Mar 31] Update prebuilt ML jobs documentation with EA changes#5348
Merged
natasha-moore-elastic merged 18 commits intomainfrom Apr 2, 2026
Merged
Conversation
Contributor
Vale Linting ResultsSummary: 92 suggestions found 💡 Suggestions (92)
The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale. |
Contributor
🔍 Preview links for changed docs⏳ Building and deploying preview... View progress This comment will be updated with preview links when the build is complete. |
sodhikirti07
changed the title
susan-shu-c
reviewed
Mar 10, 2026
Member
susan-shu-c
left a comment
susan-shu-c
left a comment
There was a problem hiding this comment.
Thanks for the changes, Kirti!
| @@ -17,6 +17,12 @@ products: | |||
|
|
|||
| These {{anomaly-jobs}} automatically detect file system and network anomalies on your hosts. They appear in the **Anomaly Detection** interface of the {{security-app}} in {{kib}} when you have data that matches their configuration. For more information, refer to [Anomaly detection with machine learning](/solutions/security/advanced-entity-analytics/anomaly-detection.md). | |||
|
|
|||
| ::::{note} | |||
| With version 9.4, Elastic Stack introduces support for Entity Analytics (EA), adding new fields for proper entity resolution. The machine learning jobs created from this version onward are designed to leverage these fields. | |||
Member
There was a problem hiding this comment.
Suggested change
| With version 9.4, Elastic Stack introduces support for Entity Analytics (EA), adding new fields for proper entity resolution. The machine learning jobs created from this version onward are designed to leverage these fields. | |
| With version 9.4, the Elastic Stack introduces support for Entity Analytics (EA), adding new fields for proper entity resolution. The machine learning jobs created from this version onward are designed to leverage these fields. |
| | gcp_audit_high_distinct_count_error_message_ea | Looks for a spike in the rate of an action where the event outcome is a failure. Spikes might indicate an impending service failure but could also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_high_distinct_count_error_message_ea.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_high_distinct_count_error_message_ea.json)| [GCP Audit](https://www.elastic.co/docs/reference/integrations/gcp/audit) | | ||
| | gcp_audit_rare_error_code_ea | Looks for unusual errors. Rare and unusual errors might indicate an impending service failure but they can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_error_code_ea.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_error_code_ea.json)| [GCP Audit](https://www.elastic.co/docs/reference/integrations/gcp/audit) | | ||
| | gcp_audit_rare_method_for_a_city_ea | Looks for GCP actions that, while not inherently suspicious or atypical, are sourcing from a geolocation (city) that is unexpected. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_city_ea.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_city_ea.json)| [GCP Audit](https://www.elastic.co/docs/reference/integrations/gcp/audit) | | ||
| | gcp_audit_rare_method_for_a_country_ea | Looks for GCP actions calls that, while not inherently suspicious or aytpical, are sourcing from a geolocation (country) that is unexpected. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_country_ea.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_country_ea.json)| [GCP Audit](https://www.elastic.co/docs/reference/integrations/gcp/audit) | |
Member
There was a problem hiding this comment.
Suggested change
| | gcp_audit_rare_method_for_a_country_ea | Looks for GCP actions calls that, while not inherently suspicious or aytpical, are sourcing from a geolocation (country) that is unexpected. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_country_ea.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_country_ea.json)| [GCP Audit](https://www.elastic.co/docs/reference/integrations/gcp/audit) | | |
| | gcp_audit_rare_method_for_a_country_ea | Looks for GCP actions calls that, while not inherently suspicious or atypical, are sourcing from a geolocation (country) that is unexpected. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_country_ea.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_country_ea.json)| [GCP Audit](https://www.elastic.co/docs/reference/integrations/gcp/audit) | |
Member
There was a problem hiding this comment.
If this is a typo from the job, let's take the opportunity to update the jobs as well
| | lmd_high_mean_rdp_session_duration_ea | Detects unusually high mean of RDP session duration. | [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint) | windows | | ||
| | lmd_high_var_rdp_session_duration_ea | Detects unusually high variance in RDP session duration. | [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint) | windows | | ||
| | lmd_high_sum_rdp_number_of_processes_ea | Detects unusually high number of processes started in a single RDP session. | [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint) | windows | | ||
| | lmd_unusual_time_weekday_rdp_session_start_ea | Detects an RDP session started at an usual time or weekday. | [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint) | windows | |
Member
There was a problem hiding this comment.
Suggested change
| | lmd_unusual_time_weekday_rdp_session_start_ea | Detects an RDP session started at an usual time or weekday. | [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint) | windows | | |
| | lmd_unusual_time_weekday_rdp_session_start_ea | Detects an RDP session started at an unusual time or weekday. | [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint) | windows | |
Member
There was a problem hiding this comment.
If this is a typo from the job, let's take the opportunity to update the jobs as well
Contributor
Author
|
@elastic/docs Could you take a look at the changes? |
jmcarlock
reviewed
Mar 18, 2026
| | rare_error_code | Looks for unusual errors. Rare and unusual errors may simply indicate an impending service failure but they can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_error_code.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_error_code.json)| [AWS](https://www.elastic.co/docs/reference/integrations/aws/cloudtrail) | | ||
| | rare_method_for_a_city | Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a geolocation (city) that is unusual. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_city.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_city.json)| [AWS](https://www.elastic.co/docs/reference/integrations/aws/cloudtrail) | | ||
| | rare_method_for_a_country | Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a geolocation (country) that is unusual. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_country.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_country.json)| [AWS](https://www.elastic.co/docs/reference/integrations/aws/cloudtrail) | | ||
| | rare_method_for_a_username_ea | Looks for AWS API calls that, while not inherently suspicious or atypical, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_username_ea.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_username_ea.json)| [AWS](https://www.elastic.co/docs/reference/integrations/aws/cloudtrail) | | ||
|
|
||
|
|
||
| ## Security: GCP Audit logs [security-gcp-audit] |
Contributor
There was a problem hiding this comment.
We should make a note that these jobs now require the GCP audit integration version 2.47.2.
Contributor
|
This commit updates the PR for structure and doc conventions:
|
susan-shu-c
approved these changes
Mar 24, 2026
natasha-moore-elastic
changed the title
natasha-moore-elastic
approved these changes
Mar 25, 2026
jmcarlock
approved these changes
Mar 25, 2026
Contributor
Author
|
@natasha-moore-elastic This PR is ready to merge. |
Contributor
Thanks @sodhikirti07, I will merge it when the dev changes are live in serverless (next week's release) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Relates to:
These changes are staged for
9.4release.Generative AI disclosure