Revert "updates links from prebuilt ML jobs"

This reverts commit to update links from prebuilt jobs, will be done via the rules repo.

x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine_user_unauthenticated.tsx

@@ -17,7 +17,7 @@ export const DetectionEngineUserUnauthenticated = React.memo(() => {
     <EmptyPage
       actionPrimaryIcon="documents"
       actionPrimaryLabel={i18n.GO_TO_DOCUMENTATION}
-      actionPrimaryUrl={`${docLinks.ELASTIC_WEBSITE_URL}guide/en/security/${docLinks.DOC_LINK_VERSION}/detection-engine-overview.html#detections-permissions`}
+      actionPrimaryUrl={`${docLinks.ELASTIC_WEBSITE_URL}guide/en/security/guide/${docLinks.DOC_LINK_VERSION}/detection-engine-overview.html#detections-permissions`}
       actionPrimaryTarget="_blank"
       message={i18n.USER_UNAUTHENTICATED_MSG_BODY}
       data-test-subj="no_index"

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_activity.json

@@ -10,7 +10,7 @@
   "name": "Unusual Linux Network Activity",
   "note": "### Investigating Unusual Network Activity ###\nSignals from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual.  Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? \n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_port_activity.json

@@ -9,7 +9,7 @@
   "machine_learning_job_id": "linux_anomalous_network_port_activity_ecs",
   "name": "Unusual Linux Network Port Activity",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_service.json

@@ -9,7 +9,7 @@
   "machine_learning_job_id": "linux_anomalous_network_service",
   "name": "Unusual Linux Network Service",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "52afbdc5-db15-596e-bc35-f5707f820c4b",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_url_activity.json

@@ -9,7 +9,7 @@
   "machine_learning_job_id": "linux_anomalous_network_url_activity_ecs",
   "name": "Unusual Linux Web Activity",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "52afbdc5-db15-485e-bc35-f5707f820c4c",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_process_all_hosts.json

@@ -10,7 +10,7 @@
   "name": "Anomalous Process For a Linux Population",
   "note": "### Investigating an Unusual Linux Process ###\nSignals from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_user_name.json

@@ -10,7 +10,7 @@
   "name": "Unusual Linux Username",
   "note": "### Investigating an Unusual Linux User ###\nSignals from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_dns_tunneling.json

@@ -9,7 +9,7 @@
   "machine_learning_job_id": "packetbeat_dns_tunneling",
   "name": "DNS Tunneling",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_dns_question.json

@@ -9,7 +9,7 @@
   "machine_learning_job_id": "packetbeat_rare_dns_question",
   "name": "Unusual DNS Activity",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "746edc4c-c54c-49c6-97a1-651223819448",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_server_domain.json

@@ -9,7 +9,7 @@
   "machine_learning_job_id": "packetbeat_rare_server_domain",
   "name": "Unusual Network Destination Domain Name",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_urls.json

@@ -9,7 +9,7 @@
   "machine_learning_job_id": "packetbeat_rare_urls",
   "name": "Unusual Web Request",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_user_agent.json

@@ -9,7 +9,7 @@
   "machine_learning_job_id": "packetbeat_rare_user_agent",
   "name": "Unusual Web User Agent",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_linux.json

@@ -10,7 +10,7 @@
   "name": "Unusual Process For a Linux Host",
   "note": "### Investigating an Unusual Linux Process ###\nSignals from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_windows.json

@@ -10,7 +10,7 @@
   "name": "Unusual Process For a Windows Host",
   "note": "### Investigating an Unusual Windows Process ###\nSignals from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package. \n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/suspicious_login_activity.json

@@ -9,7 +9,7 @@
   "machine_learning_job_id": "suspicious_login_activity_ecs",
   "name": "Unusual Login Activity",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_network_activity.json

@@ -10,7 +10,7 @@
   "name": "Unusual Windows Network Activity",
   "note": "### Investigating Unusual Network Activity ###\nSignals from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual.  Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? \n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_path_activity.json

@@ -9,7 +9,7 @@
   "machine_learning_job_id": "windows_anomalous_path_activity_ecs",
   "name": "Unusual Windows Path Activity",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_all_hosts.json

@@ -10,7 +10,7 @@
   "name": "Anomalous Process For a Windows Population",
   "note": "### Investigating an Unusual Windows Process ###\nSignals from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package. \n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_creation.json

@@ -9,7 +9,7 @@
   "machine_learning_job_id": "windows_anomalous_process_creation",
   "name": "Anomalous Windows Process Creation",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_script.json

@@ -9,7 +9,7 @@
   "machine_learning_job_id": "windows_anomalous_script",
   "name": "Suspicious Powershell Script",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_service.json

@@ -9,7 +9,7 @@
   "machine_learning_job_id": "windows_anomalous_service",
   "name": "Unusual Windows Service",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_user_name.json

@@ -10,7 +10,7 @@
   "name": "Unusual Windows Username",
   "note": "### Investigating an Unusual Windows User ###\nSignals from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_runas_event.json

@@ -9,7 +9,7 @@
   "machine_learning_job_id": "windows_rare_user_runas_event",
   "name": "Unusual Windows User Privilege Elevation Activity",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_type10_remote_login.json

@@ -10,7 +10,7 @@
   "name": "Unusual Windows Remote User",
   "note": "### Investigating an Unusual Windows User ###\nSignals from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user? \n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9",