[pad] Update ML jobs description and groups for Privileged Access Detection (#14268)

sodhikirti07 · web-flow · commit 7bcf6b5f7a26 · 2025-06-23T09:27:26.000-04:00
diff --git a/packages/pad/changelog.yml b/packages/pad/changelog.yml
@@ -1,3 +1,8 @@
+- version: "0.6.0"
+  changes:
+    - description: Update ML jobs description and groups
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/14268
 - version: "0.5.0"
   changes:
     - description: Fix bug in the dashboard
diff --git a/packages/pad/kibana/ml_module/pad-ml.json b/packages/pad/kibana/ml_module/pad-ml.json
@@ -80,7 +80,8 @@
           "config": {
             "groups": [
               "security",
-              "pad"
+              "pad",
+              "windows"
             ],
             "description": "Detects unusually high special logon events initiated by a user.",
             "analysis_config": {
@@ -117,7 +118,8 @@
           "config": {
             "groups": [
               "security",
-              "pad"
+              "pad",
+              "windows"
             ],
             "description": "Detects unusually high special privilege use events initiated by a user.",
             "analysis_config": {
@@ -153,7 +155,8 @@
           "config": {
             "groups": [
               "security",
-              "pad"
+              "pad",
+              "windows"
             ],
             "description": "Detects unusually high security group management events initiated by a user.",
             "analysis_config": {
@@ -189,7 +192,8 @@
           "config": {
             "groups": [
               "security",
-              "pad"
+              "pad",
+              "windows"
             ],
             "description": "Detects unusually high security user account management events initiated by a user.",
             "analysis_config": {
@@ -224,7 +228,8 @@
           "config": {
             "groups": [
               "security",
-              "pad"
+              "pad",
+              "windows"
             ],
             "description": "Detects an unusual privilege type assigned to a user.",
             "analysis_config": {
@@ -259,7 +264,8 @@
           "config": {
             "groups": [
               "security",
-              "pad"
+              "pad",
+              "windows"
             ],
             "description": "Detects an unusual group name accessed by a user.",
             "analysis_config": {
@@ -295,7 +301,8 @@
           "config": {
             "groups": [
               "security",
-              "pad"
+              "pad",
+              "windows"
             ],
             "description": "Detects an unusual device accessed by a user.",
             "analysis_config": {
@@ -331,7 +338,8 @@
           "config": {
             "groups": [
               "security",
-              "pad"
+              "pad",
+              "windows"
             ],
             "description": "Detects an unusual source IP address accessed by a user.",
             "analysis_config": {
@@ -367,7 +375,8 @@
           "config": {
             "groups": [
               "security",
-              "pad"
+              "pad",
+              "windows"
             ],
             "description": "Detects an unusual region name for a user.",
             "analysis_config": {
@@ -404,7 +413,8 @@
           "config": {
             "groups": [
               "security",
-              "pad"
+              "pad",
+              "linux"
             ],
             "description": "Detects a spike in privileged commands executed by a user.",
             "analysis_config": {
@@ -438,7 +448,8 @@
           "config": {
             "groups": [
               "security",
-              "pad"
+              "pad",
+              "linux"
             ],
             "description": "Detects a rare process executed by a user.",
             "analysis_config": {
@@ -472,9 +483,10 @@
           "config": {
             "groups": [
               "security",
-              "pad"
+              "pad",
+              "linux"
             ],
-            "description": "Detects process command lines executed by a user with an abnormally high median entropy value",
+            "description": "Detects process command lines executed by a user with an abnormally high median entropy value. This job requires some manual setup before it can run successfully, specifically adding custom field mappings for data coming from an ingest pipeline. Instructions for these steps are available in the package overview.",
             "analysis_config": {
               "bucket_span": "30m",
               "detectors": [
@@ -506,7 +518,8 @@
           "config": {
             "groups": [
               "security",
-              "pad"
+              "pad",
+              "okta"
             ],
             "description": "Detects spike in group membership change events by a user.",
             "analysis_config": {
@@ -542,7 +555,8 @@
           "config": {
             "groups": [
               "security",
-              "pad"
+              "pad",
+              "okta"
             ],
             "description": "Detects spike in user lifecycle management change events by a user.",
             "analysis_config": {
@@ -578,7 +592,8 @@
           "config": {
             "groups": [
               "security",
-              "pad"
+              "pad",
+              "okta"
             ],
             "description": "Detects spike in group privilege change events by a user.",
             "analysis_config": {
@@ -616,7 +631,8 @@
           "config": {
             "groups": [
               "security",
-              "pad"
+              "pad",
+              "okta"
             ],
             "description": "Detects spike in group application assignment change events by a user.",
             "analysis_config": {
@@ -651,7 +667,8 @@
           "config": {
             "groups": [
               "security",
-              "pad"
+              "pad",
+              "okta"
             ],
             "description": "Detects spike in group lifecycle change events by a user.",
             "analysis_config": {
@@ -686,7 +703,8 @@
           "config": {
             "groups": [
               "security",
-              "pad"
+              "pad",
+              "okta"
             ],
             "description": "Detects an unusual sum of active sessions started by a user.",
             "analysis_config": {
@@ -720,7 +738,8 @@
           "config": {
             "groups": [
               "security",
-              "pad"
+              "pad",
+              "okta"
             ],
             "description": "Detects an unusual source IP address accessed by a user.",
             "analysis_config": {
@@ -755,7 +774,8 @@
           "config": {
             "groups": [
               "security",
-              "pad"
+              "pad",
+              "okta"
             ],
             "description": "Detects an unusual region name for a user.",
             "analysis_config": {
@@ -791,7 +811,8 @@
           "config": {
             "groups": [
               "security",
-              "pad"
+              "pad",
+              "okta"
             ],
             "description": "Detects an unusual host name for a user.",
             "analysis_config": {
diff --git a/packages/pad/manifest.yml b/packages/pad/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: pad
 title: "Privileged Access Detection"
-version: 0.5.0
+version: 0.6.0
 source:
   license: "Elastic-2.0"
 description: "ML package to detect anomalous privileged access activity in Windows, Linux and Okta logs"
