6 changes: 3 additions & 3 deletions packages/problemchild/_dev/build/docs/README.md
@@ -1,13 +1,13 @@
# Living off the Land Attack Detection

The Living off the Land Attack (LotL) Detection package contains a supervised machine learning model, called [ProblemChild and associated assets](https://www.elastic.co/blog/problemchild-generate-alerts-to-detect-living-off-the-land-attacks), which are used to detect living off the land (LotL) activity in your environment.
The Living off the Land Attack (LotL) Detection package contains a supervised machine learning model, called [ProblemChild and associated assets](https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration), which are used to detect living off the land (LotL) activity in your environment.
This package requires a Platinum subscription. Please ensure that you have a Trial or Platinum level subscription installed on your cluster before proceeding. This package is licensed under Elastic License v 1.0.

## Configuration

To download the assets, click **Settings** > **Install Living off the Land Attack Detection assets**.

Follow these instructions to ingest data with the ingest pipeline and enrich your indices with inference data. Then use these detection rules and anomaly detection jobs to detect LotL attacks. For more detailed information refer to [this](https://www.elastic.co/blog/problemchild-generate-alerts-to-detect-living-off-the-land-attacks) blog.
Follow these instructions to ingest data with the ingest pipeline and enrich your indices with inference data. Then use these detection rules and anomaly detection jobs to detect LotL attacks. For more detailed information refer to [this](https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration) blog.

### (Required) Set up the ingest pipeline

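Review bot: the unchanged context in this hunk still carries a stray space in "Elastic License v 1.0" (should read "v1.0"), and the bare link text "[this](...) blog" in the Configuration paragraph would be clearer as descriptive text such as "the Elastic Security Labs post". The two link updates themselves are consistent with each other and with the same change in packages/problemchild/docs/README.md.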
@@ -54,4 +54,4 @@ Detects potential LotL activity by identifying malicious processes.
| Suspicious Windows Process Cluster Spawned by a User | A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. |

## Licensing
Usage in production requires that you have a license key that permits use of machine learning features.
Usage in production requires that you have a license key that permits use of machine learning features.
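Review bot: the Licensing line is identical before and after, so this hunk only adds the missing newline at end of file; fine, but worth saying so in the PR description so it is not read as a content change.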
5 changes: 5 additions & 0 deletions packages/problemchild/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.1.1"
changes:
- description: Update blog post link and minor bug fixes
type: bugfix
link: https://github.com/elastic/integrations/pull/7618
- version: "1.1.0"
changes:
- description: Ensure event.kind is correctly set for pipeline errors.
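Review bot: "Update blog post link and minor bug fixes" is too vague for a changelog entry; name the fixes visible elsewhere in this PR (the `logs-endpoint.events.process-*` index pattern in the two rules, and the `prediction == '0'` comparison in the ingest pipeline condition) so a user reading 1.1.1 can tell whether they are affected, for example as separate `- description:` items of `type: bugfix`.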
6 changes: 3 additions & 3 deletions packages/problemchild/docs/README.md
@@ -1,13 +1,13 @@
# Living off the Land Attack Detection

The Living off the Land Attack (LotL) Detection package contains a supervised machine learning model, called [ProblemChild and associated assets](https://www.elastic.co/blog/problemchild-generate-alerts-to-detect-living-off-the-land-attacks), which are used to detect living off the land (LotL) activity in your environment.
The Living off the Land Attack (LotL) Detection package contains a supervised machine learning model, called [ProblemChild and associated assets](https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration), which are used to detect living off the land (LotL) activity in your environment.
This package requires a Platinum subscription. Please ensure that you have a Trial or Platinum level subscription installed on your cluster before proceeding. This package is licensed under Elastic License v 1.0.

## Configuration

To download the assets, click **Settings** > **Install Living off the Land Attack Detection assets**.

Follow these instructions to ingest data with the ingest pipeline and enrich your indices with inference data. Then use these detection rules and anomaly detection jobs to detect LotL attacks. For more detailed information refer to [this](https://www.elastic.co/blog/problemchild-generate-alerts-to-detect-living-off-the-land-attacks) blog.
Follow these instructions to ingest data with the ingest pipeline and enrich your indices with inference data. Then use these detection rules and anomaly detection jobs to detect LotL attacks. For more detailed information refer to [this](https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration) blog.

### (Required) Set up the ingest pipeline

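Review bot: this file is the rendered copy of packages/problemchild/_dev/build/docs/README.md and the hunk is identical to the one above; confirm it was regenerated from the template rather than edited by hand, so the two copies cannot drift in a later change.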
@@ -54,4 +54,4 @@ Detects potential LotL activity by identifying malicious processes.
| Suspicious Windows Process Cluster Spawned by a User | A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. |

## Licensing
Usage in production requires that you have a license key that permits use of machine learning features.
Usage in production requires that you have a license key that permits use of machine learning features.
@@ -351,7 +351,7 @@ processors:
}
if:
ctx.containsKey('problemchild') && ctx['problemchild'].containsKey('prediction')
&& ctx['problemchild']['prediction'] == 0
&& ctx['problemchild']['prediction'] == '0'
Member


@ajosh0504 does this look good? The rest of these changes are good to me

Contributor


Yep this looks good!

params:
blocklist:
- dump
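Review bot: changing the comparison from `== 0` to `== '0'` makes this Painless `if` condition depend on `problemchild.prediction` being written as a string; if the inference output is ever a number, the condition evaluates false and this processor is skipped for every document, which would suppress the enrichment without raising an error. Consider a type-tolerant check such as `String.valueOf(ctx['problemchild']['prediction']) == '0'`, and add a pipeline test fixture that asserts the branch is taken for a prediction of 0.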
@@ -7,7 +7,7 @@
"from": "now-9m",
"index": [
"endgame-*",
"logs-endpoint.events.process.*",
"logs-endpoint.events.process-*",
"winlogbeat-*"
],
"language": "kuery",
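Review bot: the corrected pattern follows Elastic Agent data stream naming (`logs-<dataset>-<namespace>`, e.g. `logs-endpoint.events.process-default`); the old `logs-endpoint.events.process.*` required a literal dot after `process` and so did not match the endpoint process data stream, meaning the rule effectively ran only against `endgame-*` and `winlogbeat-*`. This changes what data the rule covers and deserves an explicit changelog line.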
@@ -30,4 +30,4 @@
},
"id": "34184d4e-ef61-477b-8d76-5c93448c29bf",
"type": "security-rule"
}
}
@@ -7,7 +7,7 @@
"from": "now-9m",
"index": [
"endgame-*",
"logs-endpoint.events.process.*",
"logs-endpoint.events.process-*",
"winlogbeat-*"
],
"language": "kuery",
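Review bot: same index-pattern fix as in the rule above; check whether any other rule or job in the package still carries `logs-endpoint.events.process.*` so the correction lands consistently in this one release.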
@@ -30,4 +30,4 @@
},
"id": "9a2e372a-cbeb-4ad6-a288-017ef086324c",
"type": "security-rule"
}
}
2 changes: 1 addition & 1 deletion packages/problemchild/manifest.yml
@@ -1,7 +1,7 @@
format_version: 1.0.0
name: problemchild
title: "Living off the Land Attack Detection"
version: 1.1.0
version: 1.1.1
license: basic
description: "ML solution package to detect Living off the Land (LotL) attacks in your environment. Requires a Platinum subscription."
type: integration