From 0a8efb4e8f28d63eeb714ee51fc549dc4479d59e Mon Sep 17 00:00:00 2001
From: Ben Skelker <ben.skelker@elastic.co>
Date: Mon, 13 Jul 2020 09:06:02 +0300
Subject: [PATCH 1/8] updates in-app links

---
 src/core/public/doc_links/doc_links_service.ts                | 4 ++--
 .../public/cases/pages/saved_object_no_permissions.tsx        | 2 +-
 .../public/common/components/ml_popover/ml_popover.tsx        | 2 +-
 .../components/rules/pre_packaged_rules/update_callout.tsx    | 2 +-
 .../detection_engine/detection_engine_no_signal_index.tsx     | 2 +-
 .../embeddables/__snapshots__/embedded_map.test.tsx.snap      | 2 +-
 .../public/network/components/embeddables/embedded_map.tsx    | 2 +-
 7 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/core/public/doc_links/doc_links_service.ts b/src/core/public/doc_links/doc_links_service.ts
index 0662586797164..70b25cb78787a 100644
--- a/src/core/public/doc_links/doc_links_service.ts
+++ b/src/core/public/doc_links/doc_links_service.ts
@@ -111,8 +111,8 @@ export class DocLinksService {
         },
         kibana: `${ELASTIC_WEBSITE_URL}guide/en/kibana/${DOC_LINK_VERSION}/index.html`,
         siem: {
-          guide: `${ELASTIC_WEBSITE_URL}guide/en/siem/guide/${DOC_LINK_VERSION}/index.html`,
-          gettingStarted: `${ELASTIC_WEBSITE_URL}guide/en/siem/guide/${DOC_LINK_VERSION}/install-siem.html`,
+          guide: `${ELASTIC_WEBSITE_URL}guide/en/security/${DOC_LINK_VERSION}/index.html`,
+          gettingStarted: `${ELASTIC_WEBSITE_URL}guide/en/security/${DOC_LINK_VERSION}/install-siem.html`,
         },
         query: {
           luceneQuerySyntax: `${ELASTICSEARCH_DOCS}query-dsl-query-string-query.html#query-string-syntax`,
diff --git a/x-pack/plugins/security_solution/public/cases/pages/saved_object_no_permissions.tsx b/x-pack/plugins/security_solution/public/cases/pages/saved_object_no_permissions.tsx
index a560f697de415..7129aa04bdf69 100644
--- a/x-pack/plugins/security_solution/public/cases/pages/saved_object_no_permissions.tsx
+++ b/x-pack/plugins/security_solution/public/cases/pages/saved_object_no_permissions.tsx
@@ -17,7 +17,7 @@ export const CaseSavedObjectNoPermissions = React.memo(() => {
     <EmptyPage
       actionPrimaryIcon="documents"
       actionPrimaryLabel={i18n.GO_TO_DOCUMENTATION}
-      actionPrimaryUrl={`${docLinks.ELASTIC_WEBSITE_URL}guide/en/siem/guide/${docLinks.DOC_LINK_VERSION}s`}
+      actionPrimaryUrl={`${docLinks.ELASTIC_WEBSITE_URL}guide/en/security/${docLinks.DOC_LINK_VERSION}s`}
       actionPrimaryTarget="_blank"
       message={i18n.SAVED_OBJECT_NO_PERMISSIONS_MSG}
       data-test-subj="no_saved_objects_permissions"
diff --git a/x-pack/plugins/security_solution/public/common/components/ml_popover/ml_popover.tsx b/x-pack/plugins/security_solution/public/common/components/ml_popover/ml_popover.tsx
index a34dfb5753d92..0ebf367471848 100644
--- a/x-pack/plugins/security_solution/public/common/components/ml_popover/ml_popover.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/ml_popover/ml_popover.tsx
@@ -177,7 +177,7 @@ export const MlPopover = React.memo(() => {
                     values={{
                       mlDocs: (
                         <a
-                          href={`${docLinks.ELASTIC_WEBSITE_URL}guide/en/siem/guide/${docLinks.DOC_LINK_VERSION}/machine-learning.html`}
+                          href={`${docLinks.ELASTIC_WEBSITE_URL}guide/en/security/${docLinks.DOC_LINK_VERSION}/machine-learning.html`}
                           rel="noopener noreferrer"
                           target="_blank"
                         >
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/pre_packaged_rules/update_callout.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/pre_packaged_rules/update_callout.tsx
index 0faf4074ed890..2ccfccba43ec9 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/pre_packaged_rules/update_callout.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/pre_packaged_rules/update_callout.tsx
@@ -29,7 +29,7 @@ const UpdatePrePackagedRulesCallOutComponent: React.FC<UpdatePrePackagedRulesCal
         {i18n.UPDATE_PREPACKAGED_RULES_MSG(numberOfUpdatedRules)}
         <br />
         <EuiLink
-          href={`${services.docLinks.ELASTIC_WEBSITE_URL}guide/en/siem/guide/${services.docLinks.DOC_LINK_VERSION}/prebuilt-rules-changelog.html`}
+          href={`${services.docLinks.ELASTIC_WEBSITE_URL}guide/en/security/${services.docLinks.DOC_LINK_VERSION}/prebuilt-rules-changelog.html`}
           target="_blank"
         >
           {i18n.RELEASE_NOTES_HELP}
diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine_no_signal_index.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine_no_signal_index.tsx
index 59267b5d62a26..32ae585aec191 100644
--- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine_no_signal_index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine_no_signal_index.tsx
@@ -16,7 +16,7 @@ export const DetectionEngineNoIndex = React.memo(() => {
     <EmptyPage
       actionPrimaryIcon="documents"
       actionPrimaryLabel={i18n.GO_TO_DOCUMENTATION}
-      actionPrimaryUrl={`${docLinks.ELASTIC_WEBSITE_URL}guide/en/siem/guide/${docLinks.DOC_LINK_VERSION}/detection-engine-overview.html#detections-permissions`}
+      actionPrimaryUrl={`${docLinks.ELASTIC_WEBSITE_URL}guide/en/security/${docLinks.DOC_LINK_VERSION}/detection-engine-overview.html#detections-permissions`}
       actionPrimaryTarget="_blank"
       message={i18n.NO_INDEX_MSG_BODY}
       data-test-subj="no_index"
diff --git a/x-pack/plugins/security_solution/public/network/components/embeddables/__snapshots__/embedded_map.test.tsx.snap b/x-pack/plugins/security_solution/public/network/components/embeddables/__snapshots__/embedded_map.test.tsx.snap
index d5de7ab508a73..456e07cf9cd15 100644
--- a/x-pack/plugins/security_solution/public/network/components/embeddables/__snapshots__/embedded_map.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/network/components/embeddables/__snapshots__/embedded_map.test.tsx.snap
@@ -9,7 +9,7 @@ exports[`EmbeddedMapComponent renders correctly against snapshot 1`] = `
       size="xs"
     >
       <EuiLink
-        href="https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/conf-map-ui.html"
+        href="https://www.elastic.co/guide/en/security/mocked-test-branch/conf-map-ui.html"
         target="_blank"
       >
         Map configuration help
diff --git a/x-pack/plugins/security_solution/public/network/components/embeddables/embedded_map.tsx b/x-pack/plugins/security_solution/public/network/components/embeddables/embedded_map.tsx
index 81aa4b1671fca..ee1af9a2c1bdd 100644
--- a/x-pack/plugins/security_solution/public/network/components/embeddables/embedded_map.tsx
+++ b/x-pack/plugins/security_solution/public/network/components/embeddables/embedded_map.tsx
@@ -185,7 +185,7 @@ export const EmbeddedMapComponent = ({
       <EmbeddableHeader title={i18n.EMBEDDABLE_HEADER_TITLE}>
         <EuiText size="xs">
           <EuiLink
-            href={`${services.docLinks.ELASTIC_WEBSITE_URL}guide/en/siem/guide/${services.docLinks.DOC_LINK_VERSION}/conf-map-ui.html`}
+            href={`${services.docLinks.ELASTIC_WEBSITE_URL}guide/en/security/${services.docLinks.DOC_LINK_VERSION}/conf-map-ui.html`}
             target="_blank"
           >
             {i18n.EMBEDDABLE_HEADER_HELP}

From 4cb9f7962892492e5c26ac81b55a4583850e7d34 Mon Sep 17 00:00:00 2001
From: Ben Skelker <ben.skelker@elastic.co>
Date: Mon, 13 Jul 2020 09:18:44 +0300
Subject: [PATCH 2/8] updates links from prebuilt ML jobs

---
 .../detection_engine/detection_engine_user_unauthenticated.tsx  | 2 +-
 .../prepackaged_rules/linux_anomalous_network_activity.json     | 2 +-
 .../linux_anomalous_network_port_activity.json                  | 2 +-
 .../prepackaged_rules/linux_anomalous_network_service.json      | 2 +-
 .../prepackaged_rules/linux_anomalous_network_url_activity.json | 2 +-
 .../prepackaged_rules/linux_anomalous_process_all_hosts.json    | 2 +-
 .../rules/prepackaged_rules/linux_anomalous_user_name.json      | 2 +-
 .../rules/prepackaged_rules/packetbeat_dns_tunneling.json       | 2 +-
 .../rules/prepackaged_rules/packetbeat_rare_dns_question.json   | 2 +-
 .../rules/prepackaged_rules/packetbeat_rare_server_domain.json  | 2 +-
 .../rules/prepackaged_rules/packetbeat_rare_urls.json           | 2 +-
 .../rules/prepackaged_rules/packetbeat_rare_user_agent.json     | 2 +-
 .../rules/prepackaged_rules/rare_process_by_host_linux.json     | 2 +-
 .../rules/prepackaged_rules/rare_process_by_host_windows.json   | 2 +-
 .../rules/prepackaged_rules/suspicious_login_activity.json      | 2 +-
 .../prepackaged_rules/windows_anomalous_network_activity.json   | 2 +-
 .../prepackaged_rules/windows_anomalous_path_activity.json      | 2 +-
 .../prepackaged_rules/windows_anomalous_process_all_hosts.json  | 2 +-
 .../prepackaged_rules/windows_anomalous_process_creation.json   | 2 +-
 .../rules/prepackaged_rules/windows_anomalous_script.json       | 2 +-
 .../rules/prepackaged_rules/windows_anomalous_service.json      | 2 +-
 .../rules/prepackaged_rules/windows_anomalous_user_name.json    | 2 +-
 .../rules/prepackaged_rules/windows_rare_user_runas_event.json  | 2 +-
 .../windows_rare_user_type10_remote_login.json                  | 2 +-
 24 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine_user_unauthenticated.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine_user_unauthenticated.tsx
index a353be80c7239..6123e3740e306 100644
--- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine_user_unauthenticated.tsx
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine_user_unauthenticated.tsx
@@ -17,7 +17,7 @@ export const DetectionEngineUserUnauthenticated = React.memo(() => {
     <EmptyPage
       actionPrimaryIcon="documents"
       actionPrimaryLabel={i18n.GO_TO_DOCUMENTATION}
-      actionPrimaryUrl={`${docLinks.ELASTIC_WEBSITE_URL}guide/en/security/guide/${docLinks.DOC_LINK_VERSION}/detection-engine-overview.html#detections-permissions`}
+      actionPrimaryUrl={`${docLinks.ELASTIC_WEBSITE_URL}guide/en/security/${docLinks.DOC_LINK_VERSION}/detection-engine-overview.html#detections-permissions`}
       actionPrimaryTarget="_blank"
       message={i18n.USER_UNAUTHENTICATED_MSG_BODY}
       data-test-subj="no_index"
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_activity.json
index d910f83b0c8bd..a8522cbb9bda0 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_activity.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_activity.json
@@ -10,7 +10,7 @@
   "name": "Unusual Linux Network Activity",
   "note": "### Investigating Unusual Network Activity ###\nSignals from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual.  Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? \n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_port_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_port_activity.json
index aa0d1cb125aed..6787d5bc02e7e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_port_activity.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_port_activity.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "linux_anomalous_network_port_activity_ecs",
   "name": "Unusual Linux Network Port Activity",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_service.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_service.json
index 5d137b81d1314..b214edecf3305 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_service.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_service.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "linux_anomalous_network_service",
   "name": "Unusual Linux Network Service",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "52afbdc5-db15-596e-bc35-f5707f820c4b",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_url_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_url_activity.json
index 3732e575a2e41..9438cb8076ac6 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_url_activity.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_url_activity.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "linux_anomalous_network_url_activity_ecs",
   "name": "Unusual Linux Web Activity",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "52afbdc5-db15-485e-bc35-f5707f820c4c",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_process_all_hosts.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_process_all_hosts.json
index 259f0147953ad..08374445396c1 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_process_all_hosts.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_process_all_hosts.json
@@ -10,7 +10,7 @@
   "name": "Anomalous Process For a Linux Population",
   "note": "### Investigating an Unusual Linux Process ###\nSignals from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_user_name.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_user_name.json
index 2e7bd0d1d99d7..c2bfa943c2b74 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_user_name.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_user_name.json
@@ -10,7 +10,7 @@
   "name": "Unusual Linux Username",
   "note": "### Investigating an Unusual Linux User ###\nSignals from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_dns_tunneling.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_dns_tunneling.json
index c5cf6385afaf0..61a12473e30fc 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_dns_tunneling.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_dns_tunneling.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "packetbeat_dns_tunneling",
   "name": "DNS Tunneling",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_dns_question.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_dns_question.json
index 4623639b6e8b7..7d78663f72c8b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_dns_question.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_dns_question.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "packetbeat_rare_dns_question",
   "name": "Unusual DNS Activity",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "746edc4c-c54c-49c6-97a1-651223819448",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_server_domain.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_server_domain.json
index dd14191d30df2..d61a7faec9b65 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_server_domain.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_server_domain.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "packetbeat_rare_server_domain",
   "name": "Unusual Network Destination Domain Name",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_urls.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_urls.json
index 386e00054c2cc..f7ddf7a4599a7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_urls.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_urls.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "packetbeat_rare_urls",
   "name": "Unusual Web Request",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_user_agent.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_user_agent.json
index a68c43b228303..0517b8eed4d24 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_user_agent.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_user_agent.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "packetbeat_rare_user_agent",
   "name": "Unusual Web User Agent",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_linux.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_linux.json
index 9d9fb5e4a0a8d..a8cd90b257eef 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_linux.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_linux.json
@@ -10,7 +10,7 @@
   "name": "Unusual Process For a Linux Host",
   "note": "### Investigating an Unusual Linux Process ###\nSignals from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_windows.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_windows.json
index 0c1d097a73dc2..446120e840d59 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_windows.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_windows.json
@@ -10,7 +10,7 @@
   "name": "Unusual Process For a Windows Host",
   "note": "### Investigating an Unusual Windows Process ###\nSignals from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package. \n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/suspicious_login_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/suspicious_login_activity.json
index b3c3f2d76a8c9..311e84456ec48 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/suspicious_login_activity.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/suspicious_login_activity.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "suspicious_login_activity_ecs",
   "name": "Unusual Login Activity",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_network_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_network_activity.json
index 0a85fee3de436..fc456ffbd45b1 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_network_activity.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_network_activity.json
@@ -10,7 +10,7 @@
   "name": "Unusual Windows Network Activity",
   "note": "### Investigating Unusual Network Activity ###\nSignals from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual.  Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? \n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_path_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_path_activity.json
index 2652915d21d85..72c9527baf90b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_path_activity.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_path_activity.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "windows_anomalous_path_activity_ecs",
   "name": "Unusual Windows Path Activity",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_all_hosts.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_all_hosts.json
index 4e70426a4faf8..8d2cf46c75608 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_all_hosts.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_all_hosts.json
@@ -10,7 +10,7 @@
   "name": "Anomalous Process For a Windows Population",
   "note": "### Investigating an Unusual Windows Process ###\nSignals from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package. \n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_creation.json
index 4742fd951f471..38238f60b523e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_creation.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_creation.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "windows_anomalous_process_creation",
   "name": "Anomalous Windows Process Creation",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_script.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_script.json
index bc38877a00ad0..4fe976211cb19 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_script.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_script.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "windows_anomalous_script",
   "name": "Suspicious Powershell Script",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_service.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_service.json
index 92c4b22823120..14c62a21bc28d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_service.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_service.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "windows_anomalous_service",
   "name": "Unusual Windows Service",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_user_name.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_user_name.json
index 9ad05eda8f518..3d6cd16198fab 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_user_name.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_user_name.json
@@ -10,7 +10,7 @@
   "name": "Unusual Windows Username",
   "note": "### Investigating an Unusual Windows User ###\nSignals from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_runas_event.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_runas_event.json
index a227b36064a9d..1ec5d9018d42f 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_runas_event.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_runas_event.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "windows_rare_user_runas_event",
   "name": "Unusual Windows User Privilege Elevation Activity",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_type10_remote_login.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_type10_remote_login.json
index 15241d7869c00..95899d0fb7773 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_type10_remote_login.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_type10_remote_login.json
@@ -10,7 +10,7 @@
   "name": "Unusual Windows Remote User",
   "note": "### Investigating an Unusual Windows User ###\nSignals from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user? \n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?",
   "references": [
-    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9",

From e9d8b3f28aa00205be8d8df89b2d092257e82462 Mon Sep 17 00:00:00 2001
From: Ben Skelker <ben.skelker@elastic.co>
Date: Mon, 13 Jul 2020 09:53:34 +0300
Subject: [PATCH 3/8] updates kibana help window text and link

---
 .../public/common/components/help_menu/index.tsx              | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugins/security_solution/public/common/components/help_menu/index.tsx b/x-pack/plugins/security_solution/public/common/components/help_menu/index.tsx
index 56f0c825aa59e..a8eeeef1603e9 100644
--- a/x-pack/plugins/security_solution/public/common/components/help_menu/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/help_menu/index.tsx
@@ -14,12 +14,12 @@ export const HelpMenu = React.memo(() => {
   useEffect(() => {
     chrome.setHelpExtension({
       appName: i18n.translate('xpack.securitySolution.chrome.help.appName', {
-        defaultMessage: 'SIEM',
+        defaultMessage: 'Security Solution',
       }),
       links: [
         {
           content: i18n.translate('xpack.securitySolution.chrome.helpMenu.documentation', {
-            defaultMessage: 'SIEM documentation',
+            defaultMessage: 'Security documentation',
           }),
           href: docLinks.links.siem.guide,
           iconType: 'documents',

From aaa7e2a4ca0ac911622de140570fecd3b6b7e154 Mon Sep 17 00:00:00 2001
From: Ben Skelker <ben.skelker@elastic.co>
Date: Mon, 13 Jul 2020 10:13:58 +0300
Subject: [PATCH 4/8] removes problematic terminolgy from prebuilt job
 descriptions

---
 .../network_proxy_port_activity_to_the_internet.json            | 2 +-
 .../windows_misc_lolbin_connecting_to_the_internet.json         | 2 +-
 ...dows_register_server_program_connecting_to_the_internet.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
index 35ba1ca806296..a60aabd019683 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
@@ -1,7 +1,7 @@
 {
   "description": "This rule detects events that may describe network events of proxy use to the Internet. It includes popular HTTP proxy ports and SOCKS proxy ports. Typically, environments will use an internal IP address for a proxy server. It can also be used to circumvent network controls and detection mechanisms.",
   "false_positives": [
-    "Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. Internet proxy services using these ports can be white-listed if desired. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired."
+    "Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. If desired, internet proxy services using these ports can be added to allowlists. Some screen recording applications may use these ports. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired."
   ],
   "index": [
     "filebeat-*"
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
index 361a3e99b4dbd..f61f117c86c10 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
@@ -1,5 +1,5 @@
 {
-  "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application whitelisting and signature validation.",
+  "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.",
   "index": [
     "winlogbeat-*"
   ],
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
index f6fc38f963640..ee95ac70dfa1f 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
@@ -1,5 +1,5 @@
 {
-  "description": "Identifies the native Windows tools regsvr32.exe and regsvr64.exe making a network connection. This may be indicative of an attacker bypassing whitelisting or running arbitrary scripts via a signed Microsoft binary.",
+  "description": "Identifies the native Windows tools regsvr32.exe and regsvr64.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.",
   "false_positives": [
     "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual."
   ],

From eb86e96a12da9ec68a845b46f5415e4df98c2755 Mon Sep 17 00:00:00 2001
From: Ben Skelker <ben.skelker@elastic.co>
Date: Mon, 13 Jul 2020 18:55:24 +0300
Subject: [PATCH 5/8] Revert "removes problematic terminolgy from prebuilt job
 descriptions"

This reverts commit aaa7e2a4ca0ac911622de140570fecd3b6b7e154, as it will be done via the rules repo.
---
 .../network_proxy_port_activity_to_the_internet.json            | 2 +-
 .../windows_misc_lolbin_connecting_to_the_internet.json         | 2 +-
 ...dows_register_server_program_connecting_to_the_internet.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
index a60aabd019683..35ba1ca806296 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
@@ -1,7 +1,7 @@
 {
   "description": "This rule detects events that may describe network events of proxy use to the Internet. It includes popular HTTP proxy ports and SOCKS proxy ports. Typically, environments will use an internal IP address for a proxy server. It can also be used to circumvent network controls and detection mechanisms.",
   "false_positives": [
-    "Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. If desired, internet proxy services using these ports can be added to allowlists. Some screen recording applications may use these ports. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired."
+    "Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. Internet proxy services using these ports can be white-listed if desired. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired."
   ],
   "index": [
     "filebeat-*"
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
index f61f117c86c10..361a3e99b4dbd 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
@@ -1,5 +1,5 @@
 {
-  "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.",
+  "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application whitelisting and signature validation.",
   "index": [
     "winlogbeat-*"
   ],
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
index ee95ac70dfa1f..f6fc38f963640 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
@@ -1,5 +1,5 @@
 {
-  "description": "Identifies the native Windows tools regsvr32.exe and regsvr64.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.",
+  "description": "Identifies the native Windows tools regsvr32.exe and regsvr64.exe making a network connection. This may be indicative of an attacker bypassing whitelisting or running arbitrary scripts via a signed Microsoft binary.",
   "false_positives": [
     "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual."
   ],

From 9234481d6d6aa9b945ae7208ad58b75a6121b80a Mon Sep 17 00:00:00 2001
From: Ben Skelker <ben.skelker@elastic.co>
Date: Mon, 13 Jul 2020 18:57:53 +0300
Subject: [PATCH 6/8] Revert "updates links from prebuilt ML jobs"

This reverts commit to update links from prebuilt jobs, will be done via the rules repo.
---
 .../detection_engine/detection_engine_user_unauthenticated.tsx  | 2 +-
 .../prepackaged_rules/linux_anomalous_network_activity.json     | 2 +-
 .../linux_anomalous_network_port_activity.json                  | 2 +-
 .../prepackaged_rules/linux_anomalous_network_service.json      | 2 +-
 .../prepackaged_rules/linux_anomalous_network_url_activity.json | 2 +-
 .../prepackaged_rules/linux_anomalous_process_all_hosts.json    | 2 +-
 .../rules/prepackaged_rules/linux_anomalous_user_name.json      | 2 +-
 .../rules/prepackaged_rules/packetbeat_dns_tunneling.json       | 2 +-
 .../rules/prepackaged_rules/packetbeat_rare_dns_question.json   | 2 +-
 .../rules/prepackaged_rules/packetbeat_rare_server_domain.json  | 2 +-
 .../rules/prepackaged_rules/packetbeat_rare_urls.json           | 2 +-
 .../rules/prepackaged_rules/packetbeat_rare_user_agent.json     | 2 +-
 .../rules/prepackaged_rules/rare_process_by_host_linux.json     | 2 +-
 .../rules/prepackaged_rules/rare_process_by_host_windows.json   | 2 +-
 .../rules/prepackaged_rules/suspicious_login_activity.json      | 2 +-
 .../prepackaged_rules/windows_anomalous_network_activity.json   | 2 +-
 .../prepackaged_rules/windows_anomalous_path_activity.json      | 2 +-
 .../prepackaged_rules/windows_anomalous_process_all_hosts.json  | 2 +-
 .../prepackaged_rules/windows_anomalous_process_creation.json   | 2 +-
 .../rules/prepackaged_rules/windows_anomalous_script.json       | 2 +-
 .../rules/prepackaged_rules/windows_anomalous_service.json      | 2 +-
 .../rules/prepackaged_rules/windows_anomalous_user_name.json    | 2 +-
 .../rules/prepackaged_rules/windows_rare_user_runas_event.json  | 2 +-
 .../windows_rare_user_type10_remote_login.json                  | 2 +-
 24 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine_user_unauthenticated.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine_user_unauthenticated.tsx
index 6123e3740e306..a353be80c7239 100644
--- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine_user_unauthenticated.tsx
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine_user_unauthenticated.tsx
@@ -17,7 +17,7 @@ export const DetectionEngineUserUnauthenticated = React.memo(() => {
     <EmptyPage
       actionPrimaryIcon="documents"
       actionPrimaryLabel={i18n.GO_TO_DOCUMENTATION}
-      actionPrimaryUrl={`${docLinks.ELASTIC_WEBSITE_URL}guide/en/security/${docLinks.DOC_LINK_VERSION}/detection-engine-overview.html#detections-permissions`}
+      actionPrimaryUrl={`${docLinks.ELASTIC_WEBSITE_URL}guide/en/security/guide/${docLinks.DOC_LINK_VERSION}/detection-engine-overview.html#detections-permissions`}
       actionPrimaryTarget="_blank"
       message={i18n.USER_UNAUTHENTICATED_MSG_BODY}
       data-test-subj="no_index"
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_activity.json
index a8522cbb9bda0..d910f83b0c8bd 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_activity.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_activity.json
@@ -10,7 +10,7 @@
   "name": "Unusual Linux Network Activity",
   "note": "### Investigating Unusual Network Activity ###\nSignals from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual.  Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? \n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_port_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_port_activity.json
index 6787d5bc02e7e..aa0d1cb125aed 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_port_activity.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_port_activity.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "linux_anomalous_network_port_activity_ecs",
   "name": "Unusual Linux Network Port Activity",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_service.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_service.json
index b214edecf3305..5d137b81d1314 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_service.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_service.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "linux_anomalous_network_service",
   "name": "Unusual Linux Network Service",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "52afbdc5-db15-596e-bc35-f5707f820c4b",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_url_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_url_activity.json
index 9438cb8076ac6..3732e575a2e41 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_url_activity.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_url_activity.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "linux_anomalous_network_url_activity_ecs",
   "name": "Unusual Linux Web Activity",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "52afbdc5-db15-485e-bc35-f5707f820c4c",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_process_all_hosts.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_process_all_hosts.json
index 08374445396c1..259f0147953ad 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_process_all_hosts.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_process_all_hosts.json
@@ -10,7 +10,7 @@
   "name": "Anomalous Process For a Linux Population",
   "note": "### Investigating an Unusual Linux Process ###\nSignals from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_user_name.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_user_name.json
index c2bfa943c2b74..2e7bd0d1d99d7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_user_name.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_user_name.json
@@ -10,7 +10,7 @@
   "name": "Unusual Linux Username",
   "note": "### Investigating an Unusual Linux User ###\nSignals from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_dns_tunneling.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_dns_tunneling.json
index 61a12473e30fc..c5cf6385afaf0 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_dns_tunneling.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_dns_tunneling.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "packetbeat_dns_tunneling",
   "name": "DNS Tunneling",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_dns_question.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_dns_question.json
index 7d78663f72c8b..4623639b6e8b7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_dns_question.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_dns_question.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "packetbeat_rare_dns_question",
   "name": "Unusual DNS Activity",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "746edc4c-c54c-49c6-97a1-651223819448",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_server_domain.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_server_domain.json
index d61a7faec9b65..dd14191d30df2 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_server_domain.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_server_domain.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "packetbeat_rare_server_domain",
   "name": "Unusual Network Destination Domain Name",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_urls.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_urls.json
index f7ddf7a4599a7..386e00054c2cc 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_urls.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_urls.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "packetbeat_rare_urls",
   "name": "Unusual Web Request",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_user_agent.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_user_agent.json
index 0517b8eed4d24..a68c43b228303 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_user_agent.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_user_agent.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "packetbeat_rare_user_agent",
   "name": "Unusual Web User Agent",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_linux.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_linux.json
index a8cd90b257eef..9d9fb5e4a0a8d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_linux.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_linux.json
@@ -10,7 +10,7 @@
   "name": "Unusual Process For a Linux Host",
   "note": "### Investigating an Unusual Linux Process ###\nSignals from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_windows.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_windows.json
index 446120e840d59..0c1d097a73dc2 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_windows.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_windows.json
@@ -10,7 +10,7 @@
   "name": "Unusual Process For a Windows Host",
   "note": "### Investigating an Unusual Windows Process ###\nSignals from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package. \n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/suspicious_login_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/suspicious_login_activity.json
index 311e84456ec48..b3c3f2d76a8c9 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/suspicious_login_activity.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/suspicious_login_activity.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "suspicious_login_activity_ecs",
   "name": "Unusual Login Activity",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_network_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_network_activity.json
index fc456ffbd45b1..0a85fee3de436 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_network_activity.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_network_activity.json
@@ -10,7 +10,7 @@
   "name": "Unusual Windows Network Activity",
   "note": "### Investigating Unusual Network Activity ###\nSignals from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual.  Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? \n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_path_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_path_activity.json
index 72c9527baf90b..2652915d21d85 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_path_activity.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_path_activity.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "windows_anomalous_path_activity_ecs",
   "name": "Unusual Windows Path Activity",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_all_hosts.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_all_hosts.json
index 8d2cf46c75608..4e70426a4faf8 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_all_hosts.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_all_hosts.json
@@ -10,7 +10,7 @@
   "name": "Anomalous Process For a Windows Population",
   "note": "### Investigating an Unusual Windows Process ###\nSignals from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package. \n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_creation.json
index 38238f60b523e..4742fd951f471 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_creation.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_creation.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "windows_anomalous_process_creation",
   "name": "Anomalous Windows Process Creation",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_script.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_script.json
index 4fe976211cb19..bc38877a00ad0 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_script.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_script.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "windows_anomalous_script",
   "name": "Suspicious Powershell Script",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_service.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_service.json
index 14c62a21bc28d..92c4b22823120 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_service.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_service.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "windows_anomalous_service",
   "name": "Unusual Windows Service",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_user_name.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_user_name.json
index 3d6cd16198fab..9ad05eda8f518 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_user_name.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_user_name.json
@@ -10,7 +10,7 @@
   "name": "Unusual Windows Username",
   "note": "### Investigating an Unusual Windows User ###\nSignals from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_runas_event.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_runas_event.json
index 1ec5d9018d42f..a227b36064a9d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_runas_event.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_runas_event.json
@@ -9,7 +9,7 @@
   "machine_learning_job_id": "windows_rare_user_runas_event",
   "name": "Unusual Windows User Privilege Elevation Activity",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_type10_remote_login.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_type10_remote_login.json
index 95899d0fb7773..15241d7869c00 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_type10_remote_login.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_type10_remote_login.json
@@ -10,7 +10,7 @@
   "name": "Unusual Windows Remote User",
   "note": "### Investigating an Unusual Windows User ###\nSignals from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user? \n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?",
   "references": [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
   ],
   "risk_score": 21,
   "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9",

From 6b76da6e63927283351c3eb0b5c094d55238570f Mon Sep 17 00:00:00 2001
From: Ben Skelker <ben.skelker@elastic.co>
Date: Mon, 13 Jul 2020 19:02:14 +0300
Subject: [PATCH 7/8] recommits the link correction after revert

---
 .../detection_engine/detection_engine_user_unauthenticated.tsx  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine_user_unauthenticated.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine_user_unauthenticated.tsx
index a353be80c7239..6123e3740e306 100644
--- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine_user_unauthenticated.tsx
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine_user_unauthenticated.tsx
@@ -17,7 +17,7 @@ export const DetectionEngineUserUnauthenticated = React.memo(() => {
     <EmptyPage
       actionPrimaryIcon="documents"
       actionPrimaryLabel={i18n.GO_TO_DOCUMENTATION}
-      actionPrimaryUrl={`${docLinks.ELASTIC_WEBSITE_URL}guide/en/security/guide/${docLinks.DOC_LINK_VERSION}/detection-engine-overview.html#detections-permissions`}
+      actionPrimaryUrl={`${docLinks.ELASTIC_WEBSITE_URL}guide/en/security/${docLinks.DOC_LINK_VERSION}/detection-engine-overview.html#detections-permissions`}
       actionPrimaryTarget="_blank"
       message={i18n.USER_UNAUTHENTICATED_MSG_BODY}
       data-test-subj="no_index"

From be91bf39e3213ded18b096b1cb9e416604bc8962 Mon Sep 17 00:00:00 2001
From: Ben Skelker <ben.skelker@elastic.co>
Date: Wed, 15 Jul 2020 17:14:57 +0300
Subject: [PATCH 8/8] changes help window app name to Security

---
 .../public/common/components/help_menu/index.tsx                | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/security_solution/public/common/components/help_menu/index.tsx b/x-pack/plugins/security_solution/public/common/components/help_menu/index.tsx
index a8eeeef1603e9..f4477740f7b58 100644
--- a/x-pack/plugins/security_solution/public/common/components/help_menu/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/help_menu/index.tsx
@@ -14,7 +14,7 @@ export const HelpMenu = React.memo(() => {
   useEffect(() => {
     chrome.setHelpExtension({
       appName: i18n.translate('xpack.securitySolution.chrome.help.appName', {
-        defaultMessage: 'Security Solution',
+        defaultMessage: 'Security',
       }),
       links: [
         {