
Entity Analytics 9.4 updates for UEBA integrations#17626

Merged
jmcarlock merged 50 commits into main from ueba-9.4-euid-update
Apr 20, 2026

Conversation

@jmcarlock
Contributor

@jmcarlock jmcarlock commented Mar 2, 2026

Proposed commit message

Updates UEBA packages for Entity Analytics in the 9.4 release.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

Test with ITP

@jmcarlock jmcarlock added the enhancement New feature or request label Mar 2, 2026
@github-actions
Contributor

github-actions Bot commented Mar 2, 2026

Vale Linting Results

Summary: 3 warnings, 12 suggestions found

⚠️ Warnings (3)

| File | Line | Rule | Message |
| --- | --- | --- | --- |
| packages/ded/docs/README.md | 83 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'using' instead of 'via'. |
| packages/dga/docs/README.md | 3 | Elastic.DontUse | Don't use 'Please'. |
| packages/dga/docs/README.md | 5 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'using' instead of 'via'. |

💡 Suggestions (12)

| File | Line | Rule | Message |
| --- | --- | --- | --- |
| packages/beaconing/docs/README.md | 39 | Elastic.Wordiness | Consider using 'if' instead of 'In the event that'. |
| packages/ded/docs/README.md | 37 | Elastic.WordChoice | Consider using 'refer to if it's a document, view if it's a UI element' instead of 'See', unless the term is in the UI. |
| packages/ded/docs/README.md | 52 | Elastic.Wordiness | Consider using 'if' instead of 'In the event that'. |
| packages/dga/docs/README.md | 5 | Elastic.Wordiness | Consider using 'before' instead of 'Prior to'. |
| packages/dga/docs/README.md | 84 | Elastic.Repetition | "Detection" is repeated. |
| packages/lmd/docs/README.md | 46 | Elastic.WordChoice | Consider using 'refer to if it's a document, view if it's a UI element' instead of 'See', unless the term is in the UI. |
| packages/lmd/docs/README.md | 61 | Elastic.Wordiness | Consider using 'if' instead of 'In the event that'. |
| packages/lmd/docs/README.md | 86 | Elastic.Clone | Use Clone only when referring to cloning a GitHub repository or creating a copy that is linked to the original. Often confused with 'copy' and 'duplicate'. |
| packages/pad/docs/README.md | 96 | Elastic.Wordiness | Consider using 'if' instead of 'In the event that'. |
| packages/problemchild/docs/README.md | 16 | Elastic.WordChoice | Consider using 'refer to if it's a document, view if it's a UI element' instead of 'see', unless the term is in the UI. |
| packages/problemchild/docs/README.md | 124 | Elastic.WordChoice | Consider using 'refer to if it's a document, view if it's a UI element' instead of 'See', unless the term is in the UI. |
| packages/problemchild/docs/README.md | 126 | Elastic.Repetition | "Detection" is repeated. |

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@andrewkroh andrewkroh added the following labels Mar 3, 2026: documentation (Improvements or additions to documentation. Applied to PRs that modify *.md files.), Integration:ded (Data Exfiltration Detection), Integration:lmd (Lateral Movement Detection), Integration:dga (Domain Generation Algorithm Detection), Integration:pad (Privileged Access Detection), Integration:problemchild (Living off the Land Attack Detection), dashboard (Relates to a Kibana dashboard bug, enhancement, or modification.)
Comment thread packages/problemchild/kibana/ml_module/problemchild-ml.json Outdated
@andrewkroh andrewkroh added the Integration:hta Host Traffic Anomalies label Mar 3, 2026
@jmcarlock jmcarlock changed the title Add EUIDs to UEBA integrations Entity Analytics 9.4 updates for UEBA integrations Mar 9, 2026
Comment thread packages/ded/changelog.yml Outdated
Comment thread packages/dga/changelog.yml Outdated
Comment thread packages/hta/changelog.yml Outdated
Comment thread packages/hta/changelog.yml
Comment thread packages/lmd/changelog.yml Outdated
Comment thread packages/pad/changelog.yml Outdated
Comment thread packages/problemchild/changelog.yml Outdated
Comment thread packages/ded/changelog.yml Outdated
Contributor

@sodhikirti07 sodhikirti07 left a comment


@jmcarlock Thanks for making the changes. I've left a few comments around documentation and adding fields to the transforms. Other are some minor changes.

Comment thread packages/ded/changelog.yml Outdated
Comment thread packages/dga/docs/README.md
Comment thread packages/hta/changelog.yml Outdated
Comment thread packages/hta/manifest.yml
Comment thread packages/pad/kibana/ml_module/pad-ml.json
Comment thread packages/pad/kibana/ml_module/pad-ml.json
Comment thread packages/problemchild/docs/README.md Outdated
Member

@susan-shu-c susan-shu-c left a comment


Suggestions to be more explicit

Comment thread packages/lmd/docs/README.md Outdated
Comment thread packages/ded/docs/README.md Outdated
Comment thread packages/dga/docs/README.md Outdated
Comment thread packages/hta/docs/README.md Outdated
Comment thread packages/pad/docs/README.md Outdated
Comment thread packages/problemchild/docs/README.md Outdated
Comment thread packages/beaconing/manifest.yml
jmcarlock and others added 6 commits April 20, 2026 08:50
Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com> (trailer on each of the 6 commits)
@susan-shu-c susan-shu-c dismissed their stale review April 20, 2026 13:51

Outdated

@jmcarlock
Contributor Author

@copilot


Copilot AI commented Apr 20, 2026

I've reviewed all the outstanding issues from the PR reviews. All changes are already committed and the working tree is clean. Here's a verification of the key items:

  1. PAD Windows dashboard (pad-ea-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json): All 9 Windows job IDs are correctly included in the searchSourceJSON query, including pad_windows_rare_region_name_by_user_ea. No Linux job names remain in the swim lane panelTitle.

  2. PAD README platform label: pad_linux_high_median_process_command_line_entropy_by_user_ea correctly shows "Linux" (not "Okta Integration") at line 128.

  3. PAD README job ID: pad_okta_spike_in_group_application_assignment_changes_ea has the correct name with both the trailing s and _ea suffix at line 132.

  4. "After confirming" wording: Updated across all 6 packages (ded, dga, hta, lmd, pad, problemchild) per @susan-shu-c's suggestions.

The latest build is also green (commit 4c03c49). The PR appears ready for merge.
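The verification items listed in the comment above (every expected job ID present in the dashboard's searchSourceJSON query, no stale platform names left in panel titles) are worth scripting rather than checking by eye, since both the query and the panel list are JSON documents serialised inside string fields of the saved object. The block below is an added example and is not code from this PR or from the Elastic integrations repository. It assumes the layout of a Kibana dashboard saved object (attributes.kibanaSavedObjectMeta.searchSourceJSON and attributes.panelsJSON as JSON-encoded strings, and a KQL clause of the form job_id:(a or b)); the sample dashboard and every job ID in it except pad_windows_rare_region_name_by_user_ea, which the comment names, are constructed for the example.

```python
import json
import re
from typing import Dict, List, Set

# Constructed sample, modelled on the layout of a Kibana dashboard saved
# object as shipped in an integration package: the query lives in
# attributes.kibanaSavedObjectMeta.searchSourceJSON (a JSON document
# serialised into a string) and panel metadata in the string-encoded
# attributes.panelsJSON. Every job ID here except
# pad_windows_rare_region_name_by_user_ea is made up for this example.
EXPECTED_WINDOWS_JOBS: Set[str] = {
    "pad_windows_rare_region_name_by_user_ea",
    "pad_windows_example_job_a_ea",
    "pad_windows_example_job_b_ea",
}

SAMPLE_DASHBOARD = {
    "id": "pad-ea-example-windows-dashboard",
    "type": "dashboard",
    "attributes": {
        "title": "[PAD] Windows anomalies (constructed example)",
        "kibanaSavedObjectMeta": {
            "searchSourceJSON": json.dumps({
                "query": {
                    "language": "kuery",
                    # One expected job is missing and one Linux job is left over.
                    "query": (
                        "job_id:(pad_windows_rare_region_name_by_user_ea or "
                        "pad_windows_example_job_a_ea or "
                        "pad_linux_example_job_ea)"
                    ),
                },
                "filter": [],
            })
        },
        "panelsJSON": json.dumps([
            {
                "type": "ml_anomaly_swimlane",
                "title": "Linux anomaly swim lane (constructed example)",
                "embeddableConfig": {"jobIds": ["pad_linux_example_job_ea"]},
            },
            {
                "type": "lens",
                "title": "Windows anomalies by user (constructed example)",
                "embeddableConfig": {},
            },
        ]),
    },
}

# Matches a KQL clause of the form job_id:(a or b or c); assumed query shape.
JOB_ID_CLAUSE = re.compile(r"\bjob_id\s*:\s*\(([^)]*)\)", re.IGNORECASE)


def job_ids_in_query(dashboard: Dict) -> Set[str]:
    """Return the job IDs named in the dashboard's job_id:(...) KQL clause."""
    meta = dashboard["attributes"]["kibanaSavedObjectMeta"]
    source = json.loads(meta["searchSourceJSON"])  # decode the embedded JSON string
    query = source.get("query", {}).get("query", "")
    found: Set[str] = set()
    for clause in JOB_ID_CLAUSE.findall(query):
        for token in re.split(r"\s+or\s+", clause.strip(), flags=re.IGNORECASE):
            token = token.strip().strip('"')
            if token:
                found.add(token)
    return found


def panel_titles(dashboard: Dict) -> List[str]:
    """Return the panel titles from the string-encoded panelsJSON."""
    panels = json.loads(dashboard["attributes"]["panelsJSON"])
    return [p.get("title", "") for p in panels]


def check_dashboard(dashboard: Dict, expected: Set[str], stale_word: str) -> Dict[str, Set[str]]:
    """Diff the query's job IDs against the expected set and flag stale panel titles."""
    present = job_ids_in_query(dashboard)
    pattern = re.compile(rf"\b{re.escape(stale_word)}\b", re.IGNORECASE)
    stale = {title for title in panel_titles(dashboard) if pattern.search(title)}
    return {
        "missing": expected - present,        # expected jobs the query does not reference
        "unexpected": present - expected,     # jobs in the query that do not belong
        "stale_titles": stale,                # panel titles still naming the other platform
    }


if __name__ == "__main__":
    findings = check_dashboard(SAMPLE_DASHBOARD, EXPECTED_WINDOWS_JOBS, "linux")
    for key, values in findings.items():
        print(f"{key}: {sorted(values)}")
```

Run against a real package, the expected set would come from the job IDs declared in the package's ml_module JSON, and an empty result for all three keys is the pass condition; the constructed sample deliberately fails all three so the output shows what each finding looks like.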

@elasticmachine

💚 Build Succeeded

History

@jmcarlock jmcarlock merged commit 9728d0f into main Apr 20, 2026
13 checks passed
@jmcarlock jmcarlock deleted the ueba-9.4-euid-update branch April 20, 2026 14:30
@elastic-vault-github-plugin-prod

Package beaconing - 1.5.4 containing this change is available at https://epr.elastic.co/package/beaconing/1.5.4/

@elastic-vault-github-plugin-prod

Package ded - 3.0.0 containing this change is available at https://epr.elastic.co/package/ded/3.0.0/

@elastic-vault-github-plugin-prod

Package dga - 3.0.0 containing this change is available at https://epr.elastic.co/package/dga/3.0.0/

@elastic-vault-github-plugin-prod

Package hta - 2.0.0 containing this change is available at https://epr.elastic.co/package/hta/2.0.0/

@elastic-vault-github-plugin-prod

Package lmd - 3.0.0 containing this change is available at https://epr.elastic.co/package/lmd/3.0.0/

@elastic-vault-github-plugin-prod

Package pad - 2.0.0 containing this change is available at https://epr.elastic.co/package/pad/2.0.0/

@elastic-vault-github-plugin-prod

Package problemchild - 3.0.0 containing this change is available at https://epr.elastic.co/package/problemchild/3.0.0/

jen-huang added a commit to elastic/kibana that referenced this pull request Apr 21, 2026
## Summary

Fixes this test that has been failing CI on main and 9.4 backports:
```
Fleet Cypress Tests #4 / Assets - Real API for integration with ML and transforms should install integration with ML module & transforms
```

Cause was due to new version of lmd published ([lmd-3.0.0](elastic/integrations#17626)) that caused index template and transform names to be changed.
kibanamachine added a commit to elastic/kibana that referenced this pull request Apr 21, 2026
# Backport

This will backport the following commits from `main` to `9.4`:
- [[UII] Fix cypress ml tests (#264584)](#264584)


### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)


Co-authored-by: Jen Huang <its.jenetic@gmail.com>

Labels

  • dashboard: Relates to a Kibana dashboard bug, enhancement, or modification.
  • documentation: Improvements or additions to documentation. Applied to PRs that modify *.md files.
  • enhancement: New feature or request
  • Integration:beaconing: Network Beaconing Identification
  • Integration:ded: Data Exfiltration Detection
  • Integration:dga: Domain Generation Algorithm Detection
  • Integration:hta: Host Traffic Anomalies
  • Integration:lmd: Lateral Movement Detection
  • Integration:pad: Privileged Access Detection
  • Integration:problemchild: Living off the Land Attack Detection
  • Team:Security-Applied ML: Elastic Security Protections Machine Learning (ML) team [elastic/sec-applied-ml]
