elastic
diff --git a/‎detection_rules/etc/integration-manifests.json.gz‎
263 Bytes b/‎detection_rules/etc/integration-manifests.json.gz‎
263 Bytes
diff --git a/‎detection_rules/etc/integration-schemas.json.gz‎
385 Bytes b/‎detection_rules/etc/integration-schemas.json.gz‎
385 Bytes
diff --git a/‎pyproject.toml‎
Lines changed: 1 addition & 1 deletion b/‎pyproject.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml‎
Lines changed: 4 additions & 2 deletions b/‎rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml‎
Lines changed: 4 additions & 2 deletions b/‎rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml‎
Lines changed: 4 additions & 2 deletions b/‎rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml‎
Lines changed: 4 additions & 2 deletions b/‎rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml‎
Lines changed: 4 additions & 2 deletions b/‎rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml‎
Lines changed: 4 additions & 2 deletions b/‎rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml‎
Lines changed: 4 additions & 2 deletions b/‎rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml‎
Lines changed: 4 additions & 2 deletions
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.6.19"
+version = "1.6.20"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
 
@@ -2,7 +2,9 @@
 creation_date = "2023/09/22"
 integration = ["ded", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ and control channels.
 from = "now-6h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "ded_high_sent_bytes_destination_geo_country_iso_code"
+machine_learning_job_id = "ded_high_sent_bytes_destination_geo_country_iso_code_ea"
 name = "Potential Data Exfiltration Activity to an Unusual ISO Code"
 references = [
     "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 
@@ -2,7 +2,9 @@
 creation_date = "2023/09/22"
 integration = ["ded", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ and control channels.
 from = "now-6h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "ded_high_sent_bytes_destination_ip"
+machine_learning_job_id = "ded_high_sent_bytes_destination_ip_ea"
 name = "Potential Data Exfiltration Activity to an Unusual IP Address"
 references = [
     "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 
@@ -2,7 +2,9 @@
 creation_date = "2023/09/22"
 integration = ["ded", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -14,7 +16,7 @@ outside the normal traffic patterns of an organization could indicate exfiltrati
 from = "now-6h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "ded_high_sent_bytes_destination_port"
+machine_learning_job_id = "ded_high_sent_bytes_destination_port_ea"
 name = "Potential Data Exfiltration Activity to an Unusual Destination Port"
 references = [
     "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 
@@ -2,7 +2,9 @@
 creation_date = "2023/09/22"
 integration = ["ded", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ and control channels.
 from = "now-6h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "ded_high_sent_bytes_destination_region_name"
+machine_learning_job_id = "ded_high_sent_bytes_destination_region_name_ea"
 name = "Potential Data Exfiltration Activity to an Unusual Region"
 references = [
     "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 
@@ -2,7 +2,9 @@
 creation_date = "2023/09/22"
 integration = ["ded", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ large amount of data being written is anomalous and can signal illicit data copy
 from = "now-2h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "ded_high_bytes_written_to_external_device"
+machine_learning_job_id = "ded_high_bytes_written_to_external_device_ea"
 name = "Spike in Bytes Sent to an External Device"
 references = [
     "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 
@@ -2,7 +2,9 @@
 creation_date = "2023/09/22"
 integration = ["ded", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -16,7 +18,7 @@ activities.
 from = "now-2h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "ded_high_bytes_written_to_external_device_airdrop"
+machine_learning_job_id = "ded_high_bytes_written_to_external_device_airdrop_ea"
 name = "Spike in Bytes Sent to an External Device via Airdrop"
 references = [
     "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 
@@ -2,7 +2,9 @@
 creation_date = "2023/09/22"
 integration = ["ded", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/01"
+min_stack_version = "9.4.0"
+min_stack_comments = "Use EA (Entity Analytics) fields"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +17,7 @@ legitimate reason to write data to external devices can indicate exfiltration.
 from = "now-2h"
 interval = "15m"
 license = "Elastic License v2"
-machine_learning_job_id = "ded_rare_process_writing_to_external_device"
+machine_learning_job_id = "ded_rare_process_writing_to_external_device_ea"
 name = "Unusual Process Writing Data to an External Device"
 references = [
     "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",