From d9e020828589b30bf4806375cc124bdd5d038d6e Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Mon, 20 Jun 2022 10:20:48 -0400 Subject: [PATCH 1/7] Update rules-ui-monitor.asciidoc --- docs/detections/rules-ui-monitor.asciidoc | 101 +++++++++------------- 1 file changed, 40 insertions(+), 61 deletions(-) diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index 2e96c654be..37458000cf 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc 
@@ -112,65 +112,44 @@ image::images/timestamp-override.png[] [[ml-job-compatibility]] ==== Troubleshoot missing alerts for {ml} jobs -The <> have dependencies on data fields -that are populated by {beats} and {agent} integrations. In version 7.11, new -{ml} jobs (<> and <>) were provided, -which operate on newer ECS fields than the previous Security: {winlogbeat} and -Security: {auditbeat} jobs. However, the <> were -not updated to use the new {ml} jobs. - -Therefore: - -* If you have only 7.10 or earlier versions of {beats}, you can continue using -the Security:Auditbeat and Security:Winlogbeat {ml} jobs and the prebuilt {ml} -rules that have been in the {security-app} since version 7.5. -* If you have only 7.11 or later versions of {beats}, use the Security:Linux and -Security:Windows {ml} jobs. If you want to generate alerts for anomalies in -these jobs, make clones of the existing {ml} rules and update them to use the -new jobs. -* If you have a mix of old and new versions of {beats} or you have a mix of -{beats} and {elastic-endpoint} integrations, use both the old and new {ml} jobs. -If you want alerts for anomalies in the new jobs, make clones of the existing -{ml} rules and update them to use the new jobs. +{ml} detection rules use {ml} jobs that in turn have dependencies on data fields populated by the {beats} and {agent} integrations. In version 8.3.0, new {ml} jobs (prefixed with `V3`) were released to operate on the ECS fields available at that time. If you're using multiple versions of {beats} or {agent} (from both before and after 8.3.0), you may need to duplicate or create new {ml} rules that specify the new ML `V3` jobs and enable them to run alongside your existing rules, to ensure continued coverage from rules currently using `V1` or `V2` jobs. + +* If you have only 8.2 or earlier versions of {beats} and {agent}, you can continue using the same `V1` and `V2` {ml} jobs and the existing prebuilt {ml} rules. 
+ +* If you have only 8.3 or later versions of {beats} and {agent}, you can use the latest `V3` {ml} jobs. To generate alerts for anomalies using these jobs, duplicate the existing {ml} rules and reconfigure them to use the `V3` {ml} jobs. + +* If you have a mix of old and new versions of {beats} or a mix of {beats} and {agent} integrations, you can use both the old and new {ml} jobs. To generate alerts for anomalies using the new jobs, duplicate the existing {ml} rules and reconfigure them to use the `V3` {ml} jobs. + * If you have a non-Elastic data shipper that gathers ECS-compatible Windows -events, use the Security:Windows {ml} jobs. If you want alerts for anomalies in -these jobs, make clones of the existing {ml} rules and update them to use these -jobs. - -If you are cloning prebuilt {ml} rules to generate alerts for the new {ml} jobs, -the following rules are affected: - -* <>: Use -`v2_linux_anomalous_network_port_activity_ecs` instead of -`linux_anomalous_network_port_activity_ecs`. -* <>: Use -`v2_linux_anomalous_process_all_hosts_ecs` instead of -`linux_anomalous_process_all_hosts_ecs`. -* <>: Use `v2_linux_anomalous_user_name_ecs` instead of -`linux_anomalous_user_name_ecs`. -* <>: Use -`v2_linux_rare_metadata_process` instead of `linux_rare_metadata_process`. -* <>: Use -`v2_linux_rare_metadata_user` instead of `linux_rare_metadata_user`. -* <>: Use `v2_rare_process_by_host_linux_ecs` -instead of `rare_process_by_host_linux_ecs`. -* <>: Use -`v2_rare_process_by_host_windows_ecs` instead of -`rare_process_by_host_windows_ecs`. -* <>: Use -`v2_windows_anomalous_network_activity_ecs` instead of -`windows_anomalous_network_activity_ecs`. -* <>: Use `v2_windows_anomalous_path_activity_ecs` -instead of `windows_anomalous_path_activity_ecs`. -* <>: Use -`v2_windows_anomalous_process_creation` instead of -`windows_anomalous_process_creation`. -* <>: Use -`v2_windows_anomalous_process_all_hosts_ecs` instead of -`windows_anomalous_process_all_hosts_ecs`. 
-* <>: Use `v2_windows_anomalous_user_name_ecs` instead -of `windows_anomalous_user_name_ecs`. -* <>: Use -`v2_windows_rare_metadata_process` instead of `windows_rare_metadata_process`. -* <>: Use -`v2_windows_rare_metadata_user` instead of `windows_rare_metadata_user`. +events, use the `Security:Windows` {ml} jobs. To generate alerts for anomalies using these jobs, duplicate the existing {ml} rules and reconfigure them to use the `V3` {ml} jobs. + +If you're duplicating prebuilt {ml} rules to generate alerts using the new `V3` {ml} jobs, +the following rules are affected. Use the new {ml} job listed for each rule: + +* <>: `v3_linux_anomalous_network_port_activity` + +* <>: `v3_linux_anomalous_process_all_hosts` + +* <>: `v3_linux_anomalous_user_name` + +* <>: `v3_linux_rare_metadata_process` + +* <>: `v3_linux_rare_metadata_user` + +* <>: `v3_rare_process_by_host_linux` + +* <>: `v3_rare_process_by_host_windows` + +* <>: `v3_windows_anomalous_network_activity` + +* <>: `v3_windows_anomalous_path_activity` + +* <>: `v3_windows_anomalous_process_creation` + +* <>: `v3_windows_anomalous_process_all_hosts` + +* <>: `v3_windows_anomalous_user_name` + +* <>: `v3_windows_rare_metadata_process` + +* <>: `v3_windows_rare_metadata_user` From cc386621d79675a6dbed296cc7b51ff06be9b3bf Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Mon, 20 Jun 2022 10:42:35 -0400 Subject: [PATCH 2/7] Small fixes --- docs/detections/rules-ui-monitor.asciidoc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index 37458000cf..c81e81e586 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc 
@@ -112,7 +112,7 @@ image::images/timestamp-override.png[] [[ml-job-compatibility]] ==== Troubleshoot missing alerts for {ml} jobs -{ml} detection rules use {ml} jobs that in turn have dependencies on data fields populated by the {beats} and {agent} integrations. In version 8.3.0, new {ml} jobs (prefixed with `V3`) were released to operate on the ECS fields available at that time. If you're using multiple versions of {beats} or {agent} (from both before and after 8.3.0), you may need to duplicate or create new {ml} rules that specify the new ML `V3` jobs and enable them to run alongside your existing rules, to ensure continued coverage from rules currently using `V1` or `V2` jobs. +{ml-cap} detection rules use {ml} jobs that in turn have dependencies on data fields populated by the {beats} and {agent} integrations. In version 8.3.0, new {ml} jobs (prefixed with `V3`) were released to operate on the ECS fields available at that time. If you're using multiple versions of {beats} or {agent} (from both before and after 8.3.0), you may need to duplicate or create new {ml} rules that specify the new ML `V3` jobs and enable them to run alongside your existing rules, to ensure continued coverage from rules currently using `V1` or `V2` jobs. * If you have only 8.2 or earlier versions of {beats} and {agent}, you can continue using the same `V1` and `V2` {ml} jobs and the existing prebuilt {ml} rules. 
@@ -120,8 +120,7 @@ image::images/timestamp-override.png[] * If you have a mix of old and new versions of {beats} or a mix of {beats} and {agent} integrations, you can use both the old and new {ml} jobs. To generate alerts for anomalies using the new jobs, duplicate the existing {ml} rules and reconfigure them to use the `V3` {ml} jobs. -* If you have a non-Elastic data shipper that gathers ECS-compatible Windows -events, use the `Security:Windows` {ml} jobs. To generate alerts for anomalies using these jobs, duplicate the existing {ml} rules and reconfigure them to use the `V3` {ml} jobs. +* If you have a non-Elastic data shipper that gathers ECS-compatible events, use the `V3` {ml} jobs. To generate alerts for anomalies using these jobs, duplicate the existing {ml} rules and reconfigure them to use the `V3` {ml} jobs. If you're duplicating prebuilt {ml} rules to generate alerts using the new `V3` {ml} jobs, the following rules are affected. Use the new {ml} job listed for each rule: From bf58ff347827a0a6b8ee1c50051932db0dbe0319 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Mon, 20 Jun 2022 13:51:20 -0400 Subject: [PATCH 3/7] Apply suggestions from Nastasha's review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> --- docs/detections/rules-ui-monitor.asciidoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index c81e81e586..66aab781f5 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc 
@@ -112,11 +112,11 @@ image::images/timestamp-override.png[] [[ml-job-compatibility]] ==== Troubleshoot missing alerts for {ml} jobs -{ml-cap} detection rules use {ml} jobs that in turn have dependencies on data fields populated by the {beats} and {agent} integrations. In version 8.3.0, new {ml} jobs (prefixed with `V3`) were released to operate on the ECS fields available at that time. If you're using multiple versions of {beats} or {agent} (from both before and after 8.3.0), you may need to duplicate or create new {ml} rules that specify the new ML `V3` jobs and enable them to run alongside your existing rules, to ensure continued coverage from rules currently using `V1` or `V2` jobs. +{ml-cap} detection rules use {ml} jobs that have dependencies on data fields populated by the {beats} and {agent} integrations. In version 8.3, new {ml} jobs (prefixed with `V3`) were released to operate on the ECS fields available at that time. If you're using multiple versions of {beats} or {agent} (from both before and after 8.3), you may need to duplicate or create new {ml} rules that specify the new ML `V3` jobs and enable them to run alongside your existing rules, to ensure continued coverage from rules currently using `V1` or `V2` jobs. -* If you have only 8.2 or earlier versions of {beats} and {agent}, you can continue using the same `V1` and `V2` {ml} jobs and the existing prebuilt {ml} rules. +* If you only have 8.2 or earlier versions of {beats} and {agent}, you can continue using the same `V1` and `V2` {ml} jobs and the existing prebuilt {ml} rules. -* If you have only 8.3 or later versions of {beats} and {agent}, you can use the latest `V3` {ml} jobs. To generate alerts for anomalies using these jobs, duplicate the existing {ml} rules and reconfigure them to use the `V3` {ml} jobs. +* If you only have 8.3 or later versions of {beats} and {agent}, you can use the latest `V3` {ml} jobs. 
To generate alerts for anomalies using these jobs, duplicate the existing {ml} rules and reconfigure them to use the `V3` {ml} jobs. * If you have a mix of old and new versions of {beats} or a mix of {beats} and {agent} integrations, you can use both the old and new {ml} jobs. To generate alerts for anomalies using the new jobs, duplicate the existing {ml} rules and reconfigure them to use the `V3` {ml} jobs. From 2f397d0f960f925adb055a0f74f8238b4d3ad4ca Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Mon, 27 Jun 2022 10:55:55 -0400 Subject: [PATCH 4/7] Revised draft --- docs/detections/rules-ui-monitor.asciidoc | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index 66aab781f5..b3eed0aa2b 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc 
@@ -112,18 +112,23 @@ image::images/timestamp-override.png[] [[ml-job-compatibility]] ==== Troubleshoot missing alerts for {ml} jobs -{ml-cap} detection rules use {ml} jobs that have dependencies on data fields populated by the {beats} and {agent} integrations. In version 8.3, new {ml} jobs (prefixed with `V3`) were released to operate on the ECS fields available at that time. If you're using multiple versions of {beats} or {agent} (from both before and after 8.3), you may need to duplicate or create new {ml} rules that specify the new ML `V3` jobs and enable them to run alongside your existing rules, to ensure continued coverage from rules currently using `V1` or `V2` jobs. +{ml-cap} detection rules use {ml} jobs that have dependencies on data fields populated by the {beats} and {agent} integrations. In version 8.3, new {ml} jobs (prefixed with `v3`) were released to operate on the ECS fields available at that time. -* If you only have 8.2 or earlier versions of {beats} and {agent}, you can continue using the same `V1` and `V2` {ml} jobs and the existing prebuilt {ml} rules. +If you're using 8.2 or earlier versions of {beats} or {agent} with {stack} version 8.3 or later, you may need to duplicate prebuilt rules or create new custom rules _before_ you update the Elastic prebuilt rules. Once you update the prebuilt rules, they will only use `v3` {ml} jobs, and you will no longer be able to specify `v1` or `v2` jobs to custom rules. Duplicating the relevant prebuilt rules before updating them ensures continued coverage, by allowing you to keep using `v1` or `v2` jobs in the duplicated rules while running alongside the new `v3` jobs in the updated prebuilt rules. -* If you only have 8.3 or later versions of {beats} and {agent}, you can use the latest `V3` {ml} jobs. To generate alerts for anomalies using these jobs, duplicate the existing {ml} rules and reconfigure them to use the `V3` {ml} jobs. 
+[IMPORTANT] +===== +* Duplicated rules may result in duplicate anomaly detections and alerts. +* Ensure that the relevant `v3` {ml} jobs are running before you update the Elastic prebuilt rules. +===== -* If you have a mix of old and new versions of {beats} or a mix of {beats} and {agent} integrations, you can use both the old and new {ml} jobs. To generate alerts for anomalies using the new jobs, duplicate the existing {ml} rules and reconfigure them to use the `V3` {ml} jobs. +* If you only have *8.3 or later versions of {beats} and {agent}*: You can download or update your prebuilt rules and use the latest `v3` {ml} jobs with no additional action required. -* If you have a non-Elastic data shipper that gathers ECS-compatible events, use the `V3` {ml} jobs. To generate alerts for anomalies using these jobs, duplicate the existing {ml} rules and reconfigure them to use the `V3` {ml} jobs. +* If you only have *8.2 or earlier versions of {beats} or {agent}*, or *a mix of old and new versions*: To continue using the `v1` and `v2` {ml} jobs specified by pre-8.3 prebuilt detection rules, you must duplicate affected prebuilt rules _before_ updating them to the latest rule versions. The duplicated rules can continue using the same `v1` and `v2` {ml} jobs, and the updated prebuilt {ml} rules will use the new `v3` {ml} jobs. -If you're duplicating prebuilt {ml} rules to generate alerts using the new `V3` {ml} jobs, -the following rules are affected. Use the new {ml} job listed for each rule: +* If you have *a non-Elastic data shipper that gathers ECS-compatible events*: You can use the latest `v3` {ml} jobs with no additional action required, as long as your data shipper uses the latest ECS specifications. However, if you're migrating from {ml} rules using `v1`/`v2` jobs, ensure that you start the relevant `v3` jobs before updating the Elastic prebuilt rules. + +The following Elastic prebuilt rules use the new `v3` {ml} jobs to generate alerts. 
Duplicate these prebuilt rules _before_ updating them if you need continued coverage using the `v1`/`v2` {ml} jobs: * <>: `v3_linux_anomalous_network_port_activity` From 5e66ec938977813a700f0e25b9f5c56f9c17974e Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Mon, 27 Jun 2022 11:37:54 -0400 Subject: [PATCH 5/7] Minor edit --- docs/detections/rules-ui-monitor.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index b3eed0aa2b..fbad54b9ef 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc 
@@ -114,7 +114,7 @@ image::images/timestamp-override.png[] {ml-cap} detection rules use {ml} jobs that have dependencies on data fields populated by the {beats} and {agent} integrations. In version 8.3, new {ml} jobs (prefixed with `v3`) were released to operate on the ECS fields available at that time. -If you're using 8.2 or earlier versions of {beats} or {agent} with {stack} version 8.3 or later, you may need to duplicate prebuilt rules or create new custom rules _before_ you update the Elastic prebuilt rules. Once you update the prebuilt rules, they will only use `v3` {ml} jobs, and you will no longer be able to specify `v1` or `v2` jobs to custom rules. Duplicating the relevant prebuilt rules before updating them ensures continued coverage, by allowing you to keep using `v1` or `v2` jobs in the duplicated rules while running alongside the new `v3` jobs in the updated prebuilt rules. +If you're using 8.2 or earlier versions of {beats} or {agent} with {stack} version 8.3 or later, you may need to duplicate prebuilt rules or create new custom rules _before_ you update the Elastic prebuilt rules. Once you update the prebuilt rules, they will only use `v3` {ml} jobs, and you will no longer be able to assign `v1` or `v2` jobs to custom rules. Duplicating the relevant prebuilt rules before updating them ensures continued coverage, by allowing you to keep using `v1` or `v2` jobs in the duplicated rules while running alongside the new `v3` jobs in the updated prebuilt rules. [IMPORTANT] ===== From 2d3ca992bf5e7890c31fc3d173ce595ba4a7d7dd Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Mon, 27 Jun 2022 22:10:46 -0400 Subject: [PATCH 6/7] Apply suggestions from Garrett's review Co-authored-by: Garrett Spong --- docs/detections/rules-ui-monitor.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index fbad54b9ef..f9e7f0b9d4 100644 
--- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc @@ -114,7 +114,7 @@ image::images/timestamp-override.png[] {ml-cap} detection rules use {ml} jobs that have dependencies on data fields populated by the {beats} and {agent} integrations. In version 8.3, new {ml} jobs (prefixed with `v3`) were released to operate on the ECS fields available at that time. -If you're using 8.2 or earlier versions of {beats} or {agent} with {stack} version 8.3 or later, you may need to duplicate prebuilt rules or create new custom rules _before_ you update the Elastic prebuilt rules. Once you update the prebuilt rules, they will only use `v3` {ml} jobs, and you will no longer be able to assign `v1` or `v2` jobs to custom rules. Duplicating the relevant prebuilt rules before updating them ensures continued coverage, by allowing you to keep using `v1` or `v2` jobs in the duplicated rules while running alongside the new `v3` jobs in the updated prebuilt rules. +If you're using 8.2 or earlier versions of {beats} or {agent} with {stack} version 8.3 or later, you may need to duplicate prebuilt rules or create new custom rules _before_ you update the Elastic prebuilt rules. Once you update the prebuilt rules, they will only use `v3` {ml} jobs. Duplicating the relevant prebuilt rules before updating them ensures continued coverage, by allowing you to keep using `v1` or `v2` jobs in the duplicated rules while running alongside the new `v3` jobs in the updated prebuilt rules. [IMPORTANT] ===== 
@@ -128,7 +128,7 @@ If you're using 8.2 or earlier versions of {beats} or {agent} with {stack} versi * If you have *a non-Elastic data shipper that gathers ECS-compatible events*: You can use the latest `v3` {ml} jobs with no additional action required, as long as your data shipper uses the latest ECS specifications. However, if you're migrating from {ml} rules using `v1`/`v2` jobs, ensure that you start the relevant `v3` jobs before updating the Elastic prebuilt rules. -The following Elastic prebuilt rules use the new `v3` {ml} jobs to generate alerts. Duplicate these prebuilt rules _before_ updating them if you need continued coverage using the `v1`/`v2` {ml} jobs: +The following Elastic prebuilt rules use the new `v3` {ml} jobs to generate alerts. Duplicate their associated `v1`/`v2` prebuilt rules _before_ updating them if you need continued coverage using the `v1`/`v2` {ml} jobs: * <>: `v3_linux_anomalous_network_port_activity` From 7e2edb2afcecc6028129be69c23364060373577e Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Tue, 28 Jun 2022 15:36:21 -0400 Subject: [PATCH 7/7] Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> --- docs/detections/rules-ui-monitor.asciidoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index f9e7f0b9d4..587982e0e4 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc 
@@ -112,9 +112,9 @@ image::images/timestamp-override.png[] [[ml-job-compatibility]] ==== Troubleshoot missing alerts for {ml} jobs -{ml-cap} detection rules use {ml} jobs that have dependencies on data fields populated by the {beats} and {agent} integrations. In version 8.3, new {ml} jobs (prefixed with `v3`) were released to operate on the ECS fields available at that time. +{ml-cap} detection rules use {ml} jobs that have dependencies on data fields populated by the {beats} and {agent} integrations. In {stack} version 8.3, new {ml} jobs (prefixed with `v3`) were released to operate on the ECS fields available at that time. -If you're using 8.2 or earlier versions of {beats} or {agent} with {stack} version 8.3 or later, you may need to duplicate prebuilt rules or create new custom rules _before_ you update the Elastic prebuilt rules. Once you update the prebuilt rules, they will only use `v3` {ml} jobs. Duplicating the relevant prebuilt rules before updating them ensures continued coverage, by allowing you to keep using `v1` or `v2` jobs in the duplicated rules while running alongside the new `v3` jobs in the updated prebuilt rules. +If you're using 8.2 or earlier versions of {beats} or {agent} with {stack} version 8.3 or later, you may need to duplicate prebuilt rules or create new custom rules _before_ you update the Elastic prebuilt rules. Once you update the prebuilt rules, they will only use `v3` {ml} jobs. Duplicating the relevant prebuilt rules before updating them ensures continued coverage by allowing you to keep using `v1` or `v2` jobs (in the duplicated rules) while also running the new `v3` jobs (in the updated prebuilt rules). [IMPORTANT] ===== 
@@ -122,13 +122,13 @@ If you're using 8.2 or earlier versions of {beats} or {agent} with {stack} versi * Ensure that the relevant `v3` {ml} jobs are running before you update the Elastic prebuilt rules. ===== -* If you only have *8.3 or later versions of {beats} and {agent}*: You can download or update your prebuilt rules and use the latest `v3` {ml} jobs with no additional action required. +* If you only have *8.3 or later versions of {beats} and {agent}*: You can download or update your prebuilt rules and use the latest `v3` {ml} jobs. No additional action is required. * If you only have *8.2 or earlier versions of {beats} or {agent}*, or *a mix of old and new versions*: To continue using the `v1` and `v2` {ml} jobs specified by pre-8.3 prebuilt detection rules, you must duplicate affected prebuilt rules _before_ updating them to the latest rule versions. The duplicated rules can continue using the same `v1` and `v2` {ml} jobs, and the updated prebuilt {ml} rules will use the new `v3` {ml} jobs. * If you have *a non-Elastic data shipper that gathers ECS-compatible events*: You can use the latest `v3` {ml} jobs with no additional action required, as long as your data shipper uses the latest ECS specifications. However, if you're migrating from {ml} rules using `v1`/`v2` jobs, ensure that you start the relevant `v3` jobs before updating the Elastic prebuilt rules. -The following Elastic prebuilt rules use the new `v3` {ml} jobs to generate alerts. Duplicate their associated `v1`/`v2` prebuilt rules _before_ updating them if you need continued coverage using the `v1`/`v2` {ml} jobs: +The following Elastic prebuilt rules use the new `v3` {ml} jobs to generate alerts. Duplicate their associated `v1`/`v2` prebuilt rules _before_ updating them if you need continued coverage from the `v1`/`v2` {ml} jobs: * <>: `v3_linux_anomalous_network_port_activity`
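Review bot: In PATCH 1/7 (hunk `@@ -112,65 +112,44 @@`), the bullet for non-Elastic data shippers is contradictory: its retained first line still tells the reader to use the `Security:Windows` {ml} jobs, while the added continuation tells them to reconfigure the duplicated rules to use the `V3` {ml} jobs. Pick one. Two smaller points in the same hunk: the prose writes `V1`/`V2`/`V3` in upper case while every job ID it lists is lower-case (`v3_linux_anomalous_user_name`), so settle on one form; and the rewrite drops the old-to-new mapping that the removed lines carried (`v2_linux_anomalous_network_port_activity_ecs` and friends), so a reader can no longer tell which `v1`/`v2` job a given `v3` job replaces. The new IDs also drop the `_ecs` suffix of the `v2` IDs, which is worth confirming against the shipped job configurations before merge.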
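Review bot: In PATCH 2/7 (hunk `@@ -120,8 +120,7 @@`), the rewritten non-Elastic shipper bullet now says the same thing twice: "use the `V3` {ml} jobs" and then "duplicate the existing {ml} rules and reconfigure them to use the `V3` {ml} jobs". Collapse it to one sentence. Dropping "Windows" also widens the bullet from Windows events to all ECS-compatible events; if that is intended, say so, since the `v3_windows_*` and `v3_linux_*` jobs in the list below are still platform-specific.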
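Review bot: In PATCH 3/7 (hunk `@@ -112,11 +112,11 @@`), the "only" move reads better, but the sentence a troubleshooter actually needs is still vague: "operate on the ECS fields available at that time" does not say which ECS version the `V3` jobs require, and that is exactly what a reader with missing alerts must compare against the fields their shipper emits. State the ECS version or link the job definitions instead of "at that time".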
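Review bot: In PATCH 4/7 (hunk `@@ -112,18 +112,23 @@`), the new paragraph contradicts itself: it says that after the update "you will no longer be able to specify `v1` or `v2` jobs to custom rules", then says the duplicated (custom) rules can keep using `v1` or `v2` jobs; drop or correct the first claim. The `[IMPORTANT]` block tells the reader to make sure the `v3` jobs are running before updating but not why; since this section is titled "Troubleshoot missing alerts", say what happens otherwise (a rule that references a job which is not running cannot produce anomaly alerts). Finally, "Duplicate these prebuilt rules _before_ updating them" is ambiguous about whether the rules to duplicate are the listed `v3` rules or the pre-8.3 versions of them.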
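Review bot: In PATCH 6/7 (hunk `@@ -128,7 +128,7 @@`), "Duplicate their associated `v1`/`v2` prebuilt rules" resolves the ambiguity, but the list that follows gives only the `v3` job ID for each rule, so the reader still cannot see which `v1`/`v2` job a duplicated rule is expected to keep. Either add the previous job ID beside each `v3` ID (the lines removed in PATCH 1/7 had this mapping) or state explicitly that the duplicate keeps whatever job the pre-update rule already referenced.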
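Review bot: In PATCH 7/7 (hunk `@@ -122,13 +122,13 @@`), the first bullet is split into "No additional action is required.", but the third bullet (non-Elastic shipper) keeps "with no additional action required" and then immediately requires an action ("ensure that you start the relevant `v3` jobs before updating"). Rewrite that bullet so the conditions come first: no action is needed only if the shipper already emits the ECS fields the `v3` jobs expect and you are not migrating from `v1`/`v2` rules. "The latest ECS specifications" should also name the ECS version, as in the paragraph above it.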