Update rule setup instructions for UEBA packages (#3652)

* update detection-rules instructions for UEBA packages

---------

Co-authored-by: Susan <[email protected]>

rules/integrations/beaconing/command_and_control_beaconing.toml

@@ -35,7 +35,7 @@ The Network Beaconing Identification integration consists of a statistical frame
 #### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.
-- Under Settings, click "Install Network Beaconing Identification assets" and follow the prompts to install the assets.
+- Follow the instructions under the **Installation** section.
 """
 references = [
     "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",

rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml

@@ -35,7 +35,7 @@ The Network Beaconing Identification integration consists of a statistical frame
 #### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.
-- Under Settings, click "Install Network Beaconing Identification assets" and follow the prompts to install the assets.
+- Follow the instructions under the **Installation** section.
 """
 references = [
     "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",

rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml

@@ -41,14 +41,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
 #### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
-- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. 
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your network data. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [

rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml

@@ -41,14 +41,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
 #### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
-- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. 
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your network data. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [

rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml

@@ -40,14 +40,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
 #### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
-- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. 
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your network data. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [

rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml

@@ -41,14 +41,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
 #### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
-- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. 
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your network data. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [

rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml

@@ -40,14 +40,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
 #### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
-- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. 
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [

rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml

@@ -41,14 +41,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
 #### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
-- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. 
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [

rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml

@@ -40,14 +40,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
 #### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
-- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. 
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [

rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml

@@ -40,32 +40,8 @@ The DGA Detection integration consists of an ML-based framework to detect DGA ac
 #### The following steps should be executed to install assets associated with the DGA Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.
-- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.
-
-#### Ingest Pipeline Setup
-Before you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. This is done via the ingest pipeline named `<package_version>-ml_dga_ingest_pipeline` installed with the DGA Detection package.
-- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.
-- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).
-
-#### Adding Custom Mappings
-- Go to the Kibana homepage. Under Management, click Stack Management.
-- Under Data click Index Management and navigate to the Component Templates tab.
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
-```
-{
-  "properties": {
-    "ml_is_dga": {
-      "properties": {
-        "malicious_prediction": {
-          "type": "long"
-        },
-        "malicious_probability": {
-          "type": "float"
-        }
-      }
-    }
-  }
-}
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Configure the ingest pipeline**.
 ``` 
 """
 severity = "critical"

rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml

@@ -42,32 +42,8 @@ The DGA Detection integration consists of an ML-based framework to detect DGA ac
 #### The following steps should be executed to install assets associated with the DGA Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.
-- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.
-
-#### Ingest Pipeline Setup
-Before you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. This is done via the ingest pipeline named `<package_version>-ml_dga_ingest_pipeline` installed with the DGA Detection package.
-- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.
-- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).
-
-#### Adding Custom Mappings
-- Go to the Kibana homepage. Under Management, click Stack Management.
-- Under Data click Index Management and navigate to the Component Templates tab.
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
-```
-{
-  "properties": {
-    "ml_is_dga": {
-      "properties": {
-        "malicious_prediction": {
-          "type": "long"
-        },
-        "malicious_probability": {
-          "type": "float"
-        }
-      }
-    }
-  }
-}
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 ```
 
 ### Anomaly Detection Setup

rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml

@@ -40,32 +40,8 @@ The DGA Detection integration consists of an ML-based framework to detect DGA ac
 #### The following steps should be executed to install assets associated with the DGA Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.
-- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.
-
-#### Ingest Pipeline Setup
-Before you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. This is done via the ingest pipeline named `<package_version>-ml_dga_ingest_pipeline` installed with the DGA Detection package.
-- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.
-- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).
-
-#### Adding Custom Mappings
-- Go to the Kibana homepage. Under Management, click Stack Management.
-- Under Data click Index Management and navigate to the Component Templates tab.
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
-```
-{
-  "properties": {
-    "ml_is_dga": {
-      "properties": {
-        "malicious_prediction": {
-          "type": "long"
-        },
-        "malicious_probability": {
-          "type": "float"
-        }
-      }
-    }
-  }
-}
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Configure the ingest pipeline**.
 ```
 """
 severity = "low"