From b188dc9effd28e7e11eb883dc1761b87e963a33f Mon Sep 17 00:00:00 2001
From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com>
Date: Tue, 30 Sep 2025 15:13:35 -0500
Subject: [PATCH 1/4] add docuentation

---
 .../machine-learning/ootb-ml-jobs-siem.md     | 32 ++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md b/reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md
index 0d96ad1fbf..a435c35641 100644
--- a/reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md
+++ b/reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md
@@ -37,6 +37,21 @@ By default, when you create these job in the {{security-app}}, it uses a {{data-
 | suspicious_login_activity | Detect unusually high number of authentication attempts. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/suspicious_login_activity.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_suspicious_login_activity.json)| [System](https://www.elastic.co/docs/reference/integrations/system), [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Auditd Manager](https://www.elastic.co/docs/reference/integrations/auditd_manager)                                                          | windows, linux |
 
 
+## Security: Azure Activiy Logs [security-azure-activitylogs]
+
+Detect suspicious activity recorded in your Azure Activity Logs.
+
+In the {{ml-app}} app, these configurations are available only when data exists that matches the query specified in the [manifest file](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/manifest.json). In the {{security-app}}, it looks in the {{data-source}} specified in the [`securitySolution:defaultIndex` advanced setting](kibana://reference/advanced-settings.md#securitysolution-defaultindex) for data that matches the query.
+
+| Name | Description | Job (JSON) | Datafeed | Supported Integrations                                                                                                                                                                                                                                                                                      |
+| --- | --- | --- | --- |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| high_distinct_count_error_message | Looks for a spike in the rate of an error message which may simply indicate an impending service failure but these can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/high_distinct_count_error_message.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_high_distinct_count_error_message.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+| rare_error_code | Looks for unusual errors. Rare and unusual errors may simply indicate an impending service failure but they can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_error_code.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_error_code.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+| rare_method_for_a_city | Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a geolocation (city) that is unusual. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_city.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_city.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+| rare_method_for_a_country | Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a geolocation (country) that is unusual. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_country.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_country.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+| rare_method_for_a_username | Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_username.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_username.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+
+
 ## Security: CloudTrail [security-cloudtrail-jobs]
 
 Detect suspicious activity recorded in your CloudTrail logs.
@@ -49,7 +64,22 @@ In the {{ml-app}} app, these configurations are available only when data exists
 | rare_error_code | Looks for unusual errors. Rare and unusual errors may simply indicate an impending service failure but they can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_error_code.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_error_code.json)| [AWS](https://www.elastic.co/docs/reference/integrations/aws/cloudtrail) |
 | rare_method_for_a_city | Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a geolocation (city) that is unusual. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_city.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_city.json)| [AWS](https://www.elastic.co/docs/reference/integrations/aws/cloudtrail) |
 | rare_method_for_a_country | Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a geolocation (country) that is unusual. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_country.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_country.json)| [AWS](https://www.elastic.co/docs/reference/integrations/aws/cloudtrail) |
-| rare_method_for_a_username | Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_username.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_username.json)| [AWS](https://www.elastic.co/docs/reference/integrations/aws/cloudtrail)                                                           |
+| rare_method_for_a_username | Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_username.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_username.json)| [AWS](https://www.elastic.co/docs/reference/integrations/aws/cloudtrail) |
+
+
+## Security: GCP Audit logs [security-gcp-audit]
+
+Detect suspicious activity recorded in your GCP Audit logs.
+
+In the {{ml-app}} app, these configurations are available only when data exists that matches the query specified in the [manifest file](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/manifest.json). In the {{security-app}}, it looks in the {{data-source}} specified in the [`securitySolution:defaultIndex` advanced setting](kibana://reference/advanced-settings.md#securitysolution-defaultindex) for data that matches the query.
+
+| Name | Description | Job (JSON) | Datafeed | Supported Integrations                                                                                                                                                                                                                                                                                      |
+| --- | --- | --- | --- |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| gcp_audit_high_distinct_count_error_message | Looks for a spike in the rate of an actions when the event outcome is a failure, which may simply indicate an impending service failure but these can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_high_distinct_count_error_message.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_high_distinct_count_error_message.json)| [GCP Audit](https://www.elastic.co/docs/reference/integrations/gcp/audit) |
+| gcp_audit_rare_error_code | Looks for unusual errors. Rare and unusual errors may simply indicate an impending service failure but they can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_error_code.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_error_code.json)| [GCP Audit](https://www.elastic.co/docs/reference/integrations/gcp/audit) |
+| gcp_audit_rare_method_for_a_city | Looks for GCP actions that, while not inherently suspicious or abnormal, are sourcing from a geolocation (city) that is unusual. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_city.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_city.json)| [GCP Audit](https://www.elastic.co/docs/reference/integrations/gcp/audit) |
+| gcp_audit_rare_method_for_a_country | Looks for GCP actions calls that, while not inherently suspicious or abnormal, are sourcing from a geolocation (country) that is unusual. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_country.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_country.json)| [GCP Audit](https://www.elastic.co/docs/reference/integrations/gcp/audit) |
+| gcp_audit_rare_method_for_a_client_user_email | Looks for GCP actions that, while not inherently suspicious or abnormal, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_client_user_email.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_client_user_email.json)| [GCP Audit](https://www.elastic.co/docs/reference/integrations/gcp/audit) |
 
 
 ## Security: Host [security-host-jobs]

From b5755ce0ee29091a9b5795d9ef8538f1469615cb Mon Sep 17 00:00:00 2001
From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com>
Date: Tue, 30 Sep 2025 15:25:19 -0500
Subject: [PATCH 2/4] finish azure activity logs updates

---
 .../machine-learning/ootb-ml-jobs-siem.md             | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md b/reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md
index a435c35641..85579f2632 100644
--- a/reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md
+++ b/reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md
@@ -45,11 +45,12 @@ In the {{ml-app}} app, these configurations are available only when data exists
 
 | Name | Description | Job (JSON) | Datafeed | Supported Integrations                                                                                                                                                                                                                                                                                      |
 | --- | --- | --- | --- |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| high_distinct_count_error_message | Looks for a spike in the rate of an error message which may simply indicate an impending service failure but these can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/high_distinct_count_error_message.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_high_distinct_count_error_message.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
-| rare_error_code | Looks for unusual errors. Rare and unusual errors may simply indicate an impending service failure but they can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_error_code.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_error_code.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
-| rare_method_for_a_city | Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a geolocation (city) that is unusual. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_city.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_city.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
-| rare_method_for_a_country | Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a geolocation (country) that is unusual. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_country.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_country.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
-| rare_method_for_a_username | Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_username.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_username.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+| azure_activitylogs_high_distinct_count_event_action_on_failure | Looks for a spike in the rate of an error message which may simply indicate an impending service failure but these can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/azure_activitylogs_high_distinct_count_event_action_on_failure.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/datafeed_azure_activitylogs_high_distinct_count_event_action_on_failure.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+| azure_activitylogs_rare_event_action_on_failure | Looks for unusual Azure activity event actions on failure. Rare and unusual errors may simply indicate an impending service failure but they can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/azure_activitylogs_rare_event_action_on_failure.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_on_failure.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+| azure_activitylogs_rare_event_action_for_a_city | Looks for Azure activity event actions that, while not inherently suspicious or abnormal, are sourcing from a geolocation (city) that is unusual. This can be the result of compromised credentials or keys.| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_city.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_city.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+| azure_activitylogs_rare_event_action_for_a_country | Looks for Azure activity event actions that, while not inherently suspicious or abnormal, are sourcing from a geolocation (country) that is unusual. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_country.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_country.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+| azure_activitylogs_rare_event_action_for_a_username | Looks for Azure activity event actions that, while not inherently suspicious or abnormal, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_username.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_username.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+| azure_activitylogs_rare_event_action_for_a_user_email | Looks for Azure activity event actions that, while not inherently suspicious or abnormal, are sourcing from a user email that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_user_email.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_user_email.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
 
 
 ## Security: CloudTrail [security-cloudtrail-jobs]

From 409e490c4edac75f082366d0e32d4fc7610f3c11 Mon Sep 17 00:00:00 2001
From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com>
Date: Wed, 1 Oct 2025 13:25:21 -0500
Subject: [PATCH 3/4] remove duplicate job

---
 reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md b/reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md
index 85579f2632..277d86ff67 100644
--- a/reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md
+++ b/reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md
@@ -50,7 +50,6 @@ In the {{ml-app}} app, these configurations are available only when data exists
 | azure_activitylogs_rare_event_action_for_a_city | Looks for Azure activity event actions that, while not inherently suspicious or abnormal, are sourcing from a geolocation (city) that is unusual. This can be the result of compromised credentials or keys.| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_city.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_city.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
 | azure_activitylogs_rare_event_action_for_a_country | Looks for Azure activity event actions that, while not inherently suspicious or abnormal, are sourcing from a geolocation (country) that is unusual. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_country.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_country.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
 | azure_activitylogs_rare_event_action_for_a_username | Looks for Azure activity event actions that, while not inherently suspicious or abnormal, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_username.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_username.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
-| azure_activitylogs_rare_event_action_for_a_user_email | Looks for Azure activity event actions that, while not inherently suspicious or abnormal, are sourcing from a user email that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_user_email.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_user_email.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
 
 
 ## Security: CloudTrail [security-cloudtrail-jobs]

From 17f09de50f676d41f6614e62b06fc3aeff72438d Mon Sep 17 00:00:00 2001
From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com>
Date: Thu, 9 Oct 2025 09:37:20 -0500
Subject: [PATCH 4/4] Update
 reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md

Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com>
---
 reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md b/reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md
index 277d86ff67..ae199a7be9 100644
--- a/reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md
+++ b/reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md
@@ -37,7 +37,7 @@ By default, when you create these job in the {{security-app}}, it uses a {{data-
 | suspicious_login_activity | Detect unusually high number of authentication attempts. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/suspicious_login_activity.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_suspicious_login_activity.json)| [System](https://www.elastic.co/docs/reference/integrations/system), [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Auditd Manager](https://www.elastic.co/docs/reference/integrations/auditd_manager)                                                          | windows, linux |
 
 
-## Security: Azure Activiy Logs [security-azure-activitylogs]
+## Security: Azure Activity Logs [security-azure-activitylogs]
 
 Detect suspicious activity recorded in your Azure Activity Logs.