finish azure activity logs updates

jmcarlock · jmcarlock · commit b5755ce0ee29 · 2025-09-30T15:25:19.000-05:00
diff --git a/reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md b/reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md
@@ -45,11 +45,12 @@ In the {{ml-app}} app, these configurations are available only when data exists
 
 | Name | Description | Job (JSON) | Datafeed | Supported Integrations                                                                                                                                                                                                                                                                                      |
 | --- | --- | --- | --- |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| high_distinct_count_error_message | Looks for a spike in the rate of an error message which may simply indicate an impending service failure but these can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/high_distinct_count_error_message.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_high_distinct_count_error_message.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
-| rare_error_code | Looks for unusual errors. Rare and unusual errors may simply indicate an impending service failure but they can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_error_code.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_error_code.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
-| rare_method_for_a_city | Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a geolocation (city) that is unusual. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_city.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_city.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
-| rare_method_for_a_country | Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a geolocation (country) that is unusual. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_country.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_country.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
-| rare_method_for_a_username | Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_username.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_username.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+| azure_activitylogs_high_distinct_count_event_action_on_failure | Looks for a spike in the rate of an error message which may simply indicate an impending service failure but these can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/azure_activitylogs_high_distinct_count_event_action_on_failure.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/datafeed_azure_activitylogs_high_distinct_count_event_action_on_failure.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+| azure_activitylogs_rare_event_action_on_failure | Looks for unusual Azure activity event actions on failure. Rare and unusual errors may simply indicate an impending service failure but they can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/azure_activitylogs_rare_event_action_on_failure.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_on_failure.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+| azure_activitylogs_rare_event_action_for_a_city | Looks for Azure activity event actions that, while not inherently suspicious or abnormal, are sourcing from a geolocation (city) that is unusual. This can be the result of compromised credentials or keys.| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_city.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_city.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+| azure_activitylogs_rare_event_action_for_a_country | Looks for Azure activity event actions that, while not inherently suspicious or abnormal, are sourcing from a geolocation (country) that is unusual. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_country.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_country.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+| azure_activitylogs_rare_event_action_for_a_username | Looks for Azure activity event actions that, while not inherently suspicious or abnormal, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_username.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_username.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+| azure_activitylogs_rare_event_action_for_a_user_email | Looks for Azure activity event actions that, while not inherently suspicious or abnormal, are sourcing from a user email that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_user_email.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_user_email.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
 
 
 ## Security: CloudTrail [security-cloudtrail-jobs]
