From d558cea9ae42bc44714172cf349843f69c9f201c Mon Sep 17 00:00:00 2001
From: eric-forte-elastic <eric.forte@elastic.co>
Date: Wed, 19 Mar 2025 20:03:55 -0400
Subject: [PATCH] Revert "Add new ML detection rules for Privileged Access
 Detection (#4516)"

This reverts commit 2ff8d1bb567aa1360febad2688074d26b959afbb.
---
 .github/workflows/react-tests-dispatcher.yml  |   1 -
 .../etc/integration-manifests.json.gz         | Bin 15863 -> 15578 bytes
 .../etc/integration-schemas.json.gz           | Bin 5145013 -> 5141685 bytes
 detection_rules/schemas/definitions.py        |   2 +-
 pyproject.toml                                |   2 +-
 ...unt_privileged_process_events_by_user.toml |  99 ---------------
 ..._process_command_line_entropy_by_user.toml |  99 ---------------
 ...l_linux_rare_process_executed_by_user.toml |  98 ---------------
 ..._high_sum_concurrent_sessions_by_user.toml | 103 ---------------
 ...access_ml_okta_rare_host_name_by_user.toml |  99 ---------------
 ...cess_ml_okta_rare_region_name_by_user.toml |  99 ---------------
 ...access_ml_okta_rare_source_ip_by_user.toml |  98 ---------------
 ..._group_application_assignment_changes.toml | 108 ----------------
 ...okta_spike_in_group_lifecycle_changes.toml | 103 ---------------
 ...kta_spike_in_group_membership_changes.toml | 103 ---------------
 ...okta_spike_in_group_privilege_changes.toml | 108 ----------------
 ..._in_user_lifecycle_management_changes.toml | 102 ---------------
 ...ws_high_count_group_management_events.toml | 105 ----------------
 ...ndows_high_count_special_logon_events.toml | 102 ---------------
 ...gh_count_special_privilege_use_events.toml | 104 ---------------
 ..._count_user_account_management_events.toml | 104 ---------------
 ...access_ml_windows_rare_device_by_user.toml |  99 ---------------
 ...ss_ml_windows_rare_group_name_by_user.toml | 119 ------------------
 ...ndows_rare_privilege_assigned_to_user.toml | 104 ---------------
 ...s_ml_windows_rare_region_name_by_user.toml |  99 ---------------
 ...ess_ml_windows_rare_source_ip_by_user.toml |  98 ---------------
 26 files changed, 2 insertions(+), 2156 deletions(-)
 delete mode 100644 rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml
 delete mode 100644 rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml
 delete mode 100644 rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml
 delete mode 100644 rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml
 delete mode 100644 rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml
 delete mode 100644 rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml
 delete mode 100644 rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml
 delete mode 100644 rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml
 delete mode 100644 rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml
 delete mode 100644 rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
 delete mode 100644 rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml
 delete mode 100644 rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml
 delete mode 100644 rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml
 delete mode 100644 rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml
 delete mode 100644 rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
 delete mode 100644 rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
 delete mode 100644 rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml
 delete mode 100644 rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
 delete mode 100644 rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
 delete mode 100644 rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml
 delete mode 100644 rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml

diff --git a/.github/workflows/react-tests-dispatcher.yml b/.github/workflows/react-tests-dispatcher.yml
index 4418edc8a63..7e871429c8f 100644
--- a/.github/workflows/react-tests-dispatcher.yml
+++ b/.github/workflows/react-tests-dispatcher.yml
@@ -22,7 +22,6 @@ on:
       - '!rules/integrations/o365/*.toml'
       - '!rules/integrations/okta/*.toml'
       - '!rules/integrations/problemchild/*.toml'
-      - '!rules/integrations/pad/*.toml'
 
 jobs:
   dispatch:
diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
index df76b3ea8a3cdf69ae3dfe7fee6cca49ba9cf2df..4cc6c08403c999e516fa527ba52e0dd34eeeef5e 100644
GIT binary patch
literal 15578
zcmZX*WmH^U6EzqtxVwem4#C~srE!Pg?ykX|Ai>?8;4T3IH0~DMX$bB%O`dnYnKkpL
z_O04gyXqVkt8d?Xnj{(y?(1lt1>~ERy{nmpv$3m{gFU02vAvbKnTx9nleLS3{fE<R
zT^B;B=HfTm(A*QaBv>Dd1(>T6_uRi1F@8GJ?(#zNuJlpDGQZ%Ump;&F`~7+It3W6k
zpx2Vd3T(pQBdV8%pi%R)*|R&C7<+r&U-Nyn*Xep-H}usqNGUwdeEa@<$K}j)u=2`I
z&zu?H{oH((<bX5ZNS6vq9o;ASJ@4F@rdLgMrF|7IG*&um-6&gf<uST@YT}>%+}0&~
z*|J(mkxNy1Hxi&Yx@XNQYtU6`UU_vZdZpBG)Jepp`4E3>eL;fS^Exe*)zsqqT05eC
z^)T(rnZw@l)0Skrf43kj<usn8a`1Bh_Vs(NoV(!t{>EF4kP}C)qGawyRmEtfRa-^I
z<jcko>dW0@_D!{V^sUa>ab{1qC6jt}?xxU>`9p6OZ9l<Ee_i!xZ61NlF^%~SiMH<4
z+ss{lK3vY`8%BqrX70No;mk!t*|6qrGmOSx;XekOfZ-Z4Q@nzWanRKVVj$Wn9N%#*
zk(n6ehba`=DQmw}Q_EG|5@C8@%TO4`d^^hC7KOJiuWdr!Q@$UIxObm+3iK9gi3}hm
zedP2oX!4;6QlaCNA#qcobCe-TQlV+{p=pbtD<?JQi6JsN5H%>t)hPKO)I*f9BMq=A
z)g;I@DXFXaE)Q+$zA2}Wd8>zoR3Iq{W0R^$6lhAot8Y1+rp|Bg6!~YBijyLl)5^5!
zJ<yRBOG8=x1w2gA!Rri#FF55<W(my(J~X(8g_OcjWT^tc(!b*(C2JA31~Na&cQ#?h
z@K>Ns43@_mVE;PeQTTu9Pamo~g;ca2s$Yau+#jmTz^luUYleQomufhCG71^t&XCxE
zC6|Ai;(x3cO}ovPxUN7e@v{_O8S-9)#ZiX~PKq;STD@pmdI$6ggm#f@w~@f9i{L;(
zx)iz)Ok%;hupvDcaqiOZl2n1`@SoA)h4EB?1#}Q0#!>tgZlxjUkz{lbaKWhk5zv;m
zlP3-ajh!`C6w$}l-C6>L1N8^vLc~M+xqjv!K4o1lln2@XN6vbv-)L4|^5c4S)4k{k
z9fnREh7QgIzotoTGWvF=q;nbjZKrwhajxgIz25rXcmT)vD3`A}%<L%uiTYz~=F}GV
ziuU~<8!qNMU+-=S26wvTdOFvGZa{;+^L4NMJq8qK2crb8JcQJRN6+3_?00Lzo%x;K
zJ!L?3=cY2jg)|VNZ*ENG{_JV|_|R{4x0FAEVysM>W|vO&S$gs%H)l#9XP*W`e{TA3
z?wl#(*mt;8+1P25O#6E#{OMhMl_aOOyk5Gog7GEu%X=O3kI^g4DTh;th~BX%UCw!_
zhjdv95<@dyWaVwvUh2&r9BtqCZ%cX}o)#|cQeD5)tS>C`*i3b2PY5xdmC;O>(@>Wd
zNNVETb<7a~Byh8%p7b-~$_wHZ2NQ}<a`Xn-d9lTQbeCS!$-2@3;Va6f%gd-sO>p#M
zGfv&Ue<+Faa-|Dn_&L_59#i9jIn^Q)kH!{VgMd^9(NO4^y3~pYb$3V*ohN?x^?x22
zXAf)@JxyG%A0FXd;2w1Ue`$gqJZC(MI|(snPr*N~GA%EIND<jg;RCZi!PI{d!$BAZ
zp6vF9N=gMXj3tCZ*RzUgAPmQ~wZmz*q>w<=TZ9oMpnc&+_-bs<fD{8TCn-e|WJ-H-
zkQladA2K4+|En*2oXrP$cUZsYyD=JmJE(86!?gJ)(}7NiaYIjSXVCXLziVYjYkkeb
z_NV;cd9#Pw2Zo3K$E1-xUp<ASk&_+Yxf%l9v*6iH1HDC7J&h5wCLMXnwbY5Vw%QJ%
zaOmq5cDyyOtIUp~+d9&(S6zjJ&$FJ|!H>#o!#9@MYiljgr*hZ*i-@i`I}@qvFAwtH
zG{)`h9nJ)elvWW1^uB}-DZ}B>af^jo&}^D%!vX69Q_V<eMj;J;gyu2OdunTZtFHnR
z@W6VgyL|HVd{~P^c)XHLBmiU>K6ii2xBNi10SADyBgsCrAVV)c4i*wjRzBJnHODa7
z-l-rq*K?%s&6_Q>9znJ9whxqPh|1@9RTu+C*!;J}urYpiTsL<Z8W2NtF<O1(rpMfC
z$GvM{i|{F0ZSqLt{Jf|n2$q+axH9l7wq(_2kkPoPM~wilCd2_<ksfwdrK&Rw>VS=+
z4r(CmK~vry-KL%jXz@VF%E3Xm?<XC#25j6siwR8pH3+TQc`al<2=;C5vn%Y&jtNXI
zs^hOnY~QF}TKf0)Sz6dcm8{^fms4B=#)n)o#~keUrixVvaq2ujc^#|b(CP2_^W}Iz
z8t3qgsZQWj5=XB?FWaHtbemeCV6rNj{(W!<H!+PW$T)TGpLE<BdjrS4KY2x~Hc25!
z>SCSODCPX$1bBYcL!1i-qAoE#M11Khg?b6BpTFDG4Sj$xt32zo(C%_<$M$7oV9v6K
z$?d!ag12GBrnbsn-LWc$oDNmc>y+4n@&gzIs5Q>L=yU5$upO(C6>#od^CrOq2ofJ&
z<z=tN$6@=f197vo`VOj}6ENsKr9LC`F`r7SXq@j06-T`Vb3Njxu=Q!yTc}MypK+nv
zdLXPz(BZ)$aEkO%mn}hWaq+^OeaEz&Zp#HE`fFo819+-)J75!n*OkK7VMh!wGBU^y
zYk-6Gvg<WR0(KLXgTB53I*dL+Ah=C$jn+?}?3LP3!o%qy$n#Dtvu|@ye)4`ar~LJ2
zw&-Px#ikeSIxQ^)n=LhynBH6}l*eo^OVxNni^W1M%|&C32i<&VW!6zm0Qvs~5CXB!
z5orSS=1NWO(d;E#+U9PV4sB(?M=I(Dk5h@==PiQT+FB2z*LEU5nho_4>m2#t9Bm`3
zlOw5!6nmB&4_X^atm%}w2aD0B8r6d1xFm_kUtiYuX486npFv7?^7c>s>E`L`R|72%
zOyj!$J|Oc*1=95mn{k<Hfzcz4-M7e3x;Y!qU6d_mRO5TsC*GHOohV852>=ZQpsbQM
z4GkiXS#e&~ZZa{9*^p%0>$SF*8%MU<PQ&Pt!p2v<*xVyG_FC7^uUATLi+>TXotmt9
zeRrJIspcIVsAuQfE3YCvui{F*7B^O(;X%giR(09vLV@?+m`Rw>r8dcxeX-)=MK7FS
zcW05>j#De+@`#XV1RNzAVQ7%czlS|RQMTrpPUhXNz*^ZGI*uT4X%A9Xj+tV&aBhAw
z02OX=VCh7f5M8=EKa6n~c@;yQ7;b2e<Pum5HA5_zC*QdUXz7mQjt`$H&T(j~X<iLl
zFS8o>8`M;cnqGHjbyfa|#fq-TqN*G*yJ3HLw9gPSE=(HNh2=tR&s7sw3xSMD7z|@Q
ze1h9DAVokF4+@nAWWX#%0wGoIP=5{;3Jv~rbkoxlK-8T4t*+IIfUwwLC4g~%TGh6&
z`mlY8B4=h?e#ij$ahbE7e0QLYfGBs(Ix%CX`saI5Vk^t%L|5(**>B2D=)4#qDA=T<
z%0pWVp$vrt@iEHMXb4QAlp<xVaK!MUOZy>a1F72!q4@B>kZ_F^zkL~!&`S8s;E0YQ
zgN8zi&Z)^<yYPU?MM$z1y4*Pju^*2dtA2TWGikRyl0<PV#}P2GurYJ>L;fZ-lQ_->
zg&Ez-ervz_bZ<p&ROAz{=}61TS^mvu)M{zj1K6J)pPB<*nNjumfsrfyY`CQG3c+0h
zKZ&*@#c(wLUPRuYDOGVRRfSKr-lYfW=PVI#M?!4}*vBiKi00gv5Z=8gES%igsh)VM
zc4v;Ks<UP+wrIZmXw)t$bVEI>&|$~a+_P1qOxn9__crI*&{sqWPeOJ1P09@eE%x$>
zhn9&tbo2VG!=+QnOl_mHb@1aS(9KT}G2bh{_RAzFdcw!Gs^?_CHlgu|vH7aatFD`K
z6q~~Om#D(`GFn&;5xV?es-k9hQKukD@eWbKkj6x3VKvAQ**X<kG&%`MN@19~yLs4`
z0@crIQE{??%J7_YFrvl7Wkkvlu1hdqU_?_)3W0&jW=mzxpVfFcD<I+2gJP}WLagCp
zWxszz0%DkcIF6x{LqjXmtY9GR4M${;1CD+F0)_D5_(R7f>^pcXR|~5!4#rv2Dyzw%
zV$L5su|dKh$dr*6Q43#(#N@zU=9FH2QVx*^@Olf2u#F!cLJUr`Q~zV*av-Mx+};Wp
z>!xY~u#*sdE_&yIqT2*$7`SVK3^U{cc{FVw#YYB-({nydWAb_<h$|f(@_hD=i~gh>
zIQUcE69VR=?*@IkHw+9GlyrVld{EdEK08g`cRv(l1j{eVfx#F=%8<yiPQs)I&rq=x
z;k^<{lg7@N-{PwI%zN}FVZyV|e_|53{~A<u@-4OPcHurDLhrbx$GwWSa^vw9N*DAX
zxaw+g<@2%U$u+2LVfA!{TT@DkA4jpeYH>)Kf1-ORUq;?q&E2oe?Un=1SNK0&j+VR5
zpX`{j<mz*tC-rE&b>=Wsn5k0LI-o?z{mmh|YvlJhds$~TE-mwm4233HBVv|c7Lw;d
zw*Zo6(Nb^A^Te>-h#MVu8y`oq3m-~(56KGDU-j*z&{p*S-bs;ZGjpaUOWOG{k{cnP
zqg!$<ZYn!s>g{^|lEgBkb)(wOwBh1C5_w2@;?1#$=ht0^v$x%^-sVfy=zT|gchga(
zq4c{l6SY&vSK5Htx~XKo!#b;zAhu$U^<i%x!d|h+vanMrvFEDTBLL;kXE&Gg$G=d2
zEqY|Xgpl%SJwlQDwyp=*g!FXhGW5vD{Sg3}Hs&a5ucs@u4R%ouCB%L}8NIl`JM)So
zKFDd;Y5)z)xmZGl*)o5s_zBy%W+Thc{PgFmH)>iaR)eFlhU!??nN1yRb6j#Yxe-Wa
z*&DK%mUcBc&`uJ_Np6&xR6mY7)ZAir_UI|3i1P=A`Y$Q%Us8H|(m}?o))cH3lkN31
zWT6ux3$en}drNw&fwH%8K2*_6cE_TZ+HxK^`<V}kbkz1UX^Fgwe~OGt62{4csmr|w
z6bQT!mhCV;cmR0@WbRsb0^U?;X95i+Ibu_sczMWO>YYV3$cBqpPO>W6Kga6fswK$m
z%!{!O|AJ31-|}hwO^)X5r7v_SHg{u|_y#ag(v+D6)aJIPvh$+mN-hGH4vpkfDs-m&
z+pS@XM(3nlOxNAi*4_Tu8`Je0we|n3!boRky=TkAkNMs4g3gSXE3V4B=nB0q{BdUH
z(PbB12Z5(s#t^N5di@f%Y(?u|h1S)>wIE!7EkjnXo5!IEYkm*I$!@gfwT1o7mj=h%
zhA9Rr#t?<*@QxgD$}niEq^`O@O{1)f`U9QWWF2(4mHQj++<%UyA=AsQk@Y1ozjrg4
z`(+=2zAh|gb_?#`F6N3pbsSX{NZCvmByu4Ourh!0Ye>5pm*3zw_q&=ZTClv1^>Uqi
z!h!NZkr?1lbTZW$;6FYG+drZ5BaIPl9jV`~&|MZ8sAmfzw4%SsM;j05AeA>xMU-ZH
za0h-#oGujP{YJ;+wzoS!A2C0lq`4?jRm11xM!D^-so1>+j;RB<whdBpd~1OcdhTnq
zscZXGKXOxVkol9G{jN+(UC{ikHlDVv&_QzR&)A-0zxS_KGc)~Z3C>+J8oHmK&)m6T
z3VvSyySL_|hgiWhwZDAhyFlQnGYaS|iZ<rdfCeeK=FPSdc#7NRKJA=AG9$XLLTs7w
z5jl4t{><!|1nwJ5{@$zLuViMe%u%=sEJ{6d^t>@R!bZAAQ1cf1=q;w_{YzL$`G^)u
zK%)2n?~q5$J0~bdsyLN(N{;mCC@^mvdAUaiMO+E*5S~uJEU&ceng~iDTy~Oe>MHFT
z4^mC!>6|1ahjj{|<{cN5(_c)DbS><|kkjY$Y2N4EF8Tn4l~j&+K6>YM?Iq{0%c+36
z{{PTYdsh!NeT8(*Pt_HZKM$vM;)Umpl#WNx$ba?aIwZ(oQtJ6uBAzr}!pAUf1y>-9
zABXtcj0+N5qJ5xjJSpoLbZX9*seW6IKThOVBP~6zmqS7n0c9F{9>g*q#gC!|y_v6~
z_m)j>-BoG=JWXI}!h{>HdhbIZas#)&!rirDE%+hr7^Fh%V1D$4j8?)wr=<}LtBW2r
zMr0QIGq_h5no4@Uji7ahjr5m3aIF;SUO5vbtTmUg0B8N2^sG-K(x*uMCWln{7z(nu
zzkex~RP`7JheQmc0aeDtUZa>OkVK52!K3vVkF02Y=kjaB#l!WNXZx0ywl(j=5xW2b
zNg&$Y6+XVIu`r#uG(M!BV5u{$*wpBODU<rgBH55+(&j_Nif@x>7Z+lzMZW@*%a|1K
zAtjCiM~Z3tf0G;q0*jF@TGh(*fM|tsVkWK-Hl^O8K(uB#;{RLnTVXk>fZ79%H2!w6
zm28+AUIGHPs+n*FxLd)am8AMPzUY*dVrVjHYbuVZbSOl*GAX#T{5Yl<94~QL4y-E$
zxUE`Q0v(iUvFI^g0xw-r4n+BZ2(S*1QH=MAo}6ZWxjEFkr<Wh%3kjs{hE%Z`5@!E$
zVEI`Zi#(DAR7v;O-;VO)oJPld=13M&rvC-<#5wbh`B2~#-L35t;b_GY6{yr01^aW1
z)0La<k-X&6Rom3?^(xeu%%ovPMOFJQ$;q%k7Kw(c;V00ctA?GlkA-7DbMCVvMe>{?
zwLG*dC27A{f}WDE!Y|5KHTe==S0AfK;thLtWbC<8J71ovUS@I%Gh14SF$$Byk?(Mj
z?ALA^$L--?_EK+~emf?q%&$4ckBlswdc-n;@DBc<7f^pYj7PZ`6ifB<9O37lO3?R-
z`=AyPh#)wXJe*G(ECwJ8FCjuvC(DaMWhbY*#25QM85y{bB#cOw2Lm-liatdOt4s<>
zha{W=N8?XlyTvbd7x}WfSbHd};-f_Uhw?ffDu+N7O110RSe|RM9Eam`2S^wzbU3;z
zS7m`*g0z4p4=ZIj8UZ9BB|hD!N)c6330p!Vj->*UC}?dfsWYHJkO<2P^#2?selb*+
zG=(bqo#t@qEqz@;6^ksYtQt|Jv-u5k=BeN?!i4uFH+h{<qQEjFI98Ioz^O5qSc>oe
zfvaAu&<HY1r6Kg#LgEwd6)-#rsdRBgiSHb~#y9_sC7b4Me<RQEDU@c1JbA17(@o=D
zfNnI5UI$wMjv(>C-x`4x3IbIr2&BS^Dt*30iHf7oM~hEKB#=j;ihrjeKzCNY=%YbE
zmk25@6UV~-Q9xdBXhiEx7WL_eiL5vaOtCap@eQplp+Y13QfZwXyGqq+|L=AXA0~Jy
z1{4`A=XGo!#bf0NnvbS)JpN9*WN^3Sgr5M`YdRiZK{?w0eL>3k_XN>4x@Fd0FBAC>
zf8zO6>ir=-s$Xnu_xT(@hT(W2|22o;V_bN5^!M)nL&kUS<ezO9o_QTU-5-|nU(enj
zTJT>tL>zJ%-n{`wTO4X|uGC{M(z|-jx{8Bo0;(nFcfXFeJ!%E)#p1kGc1vG+`+c8)
z{PVK!(-UHg^SZ4)?cs2NKcl&4GXK1qRFwL^=cyemE83}b1Y~+<q4ZdePeP_gpB+;m
zYn*?%VL1|0>nTAjy8Ke0-7Lv+WJ74hr`O95q|f^QB(VJ&rzL32Y7n8P*~H0m499YW
zT2PRiRU;v;QSQZNZ5_vD23cf}RUBnLRC%*yOw<lJtQ$-o2Uzx)pVL_0K0loyI;m6}
zAdR%}K0CYg^^8^QhVOfi<gS3+gp9A+_`F|J8v48rf9vyw9q0P2;3j?PvDAKPuE1$<
zeiWA}&$ULY)FWlFI5M^`E;P!f(&e?G`DsmaVR`Qx%%Qd6mW&~LIER`YLQok(>hd|b
zpTkc;_Ru6{Dmx}bPy_x2UWVqUEDbez{%<;CqmW#MUs^tF1bbfu7viF$Rjak0Xar@O
zW~Aq3^XHFQ1b;}-8M)Iz?te!}%Z&@fC=YZdfJ7l@4C=>Br||AXD6RZ<7I=fG+a$(K
zl)9<yX8W+KwmVC+H#_@XsUTTNQA`lm?8v25^-(Xmcrsh|=t|{>U;te)bF6Cjwc74z
zK{7KR_QNI3-l&p9H<|21)Ra1@@1;!grOfpu2Nz2hkx&DS%9Skap#Ljv8=Vvh&_lgG
zgL<bz|6!JYvLK5p^(ube>_uGWWoe!}eKN5n$?D~|1dncaHI59Aj)LHV$9<#o4KaJb
zFVQrs@QS)ELGTy%nwuqdM1LNEjvQZPOvEp=L1e{J<nw=p+&hSu4d3n`&9hfVKlD$0
zU4a!Au+B$<#A}S7cMSLtikf$VZ{)IeS<#s$50cwp=W9_I<O&D~YypT}1-71}<JxZn
zrS#e&`2@G)GFuPG|F%Vz`VIhCw{J=(ft8g<MFhF}in*(|-#>KCxaoY#cNp5;JDFwM
z*}5%8q3dKSz1p2`)Y$B)m@j?U?q_|t0JT2J#EciOzJ(&WU1gre<s#EIa;-~cwD4Qs
zp$wRUnn4Nj><J@wWuTkNH{PdFW;ZK6wOpVTK-nT`-j^l4s{<3p2XeD@#opqyLl_&s
z43WWe2>STevp}!bG6k)gHSZ>*=7y-o&vTOrYNZ-=eLV9am^@Eiv=JDzfL`E+WXblc
zofEOl1~u;1sgsDrPPzBlh(D#~o86h0ZjQp`orou|XuwAbQj&xNd%w!kyzyfP{>o|J
ze4;1?;h$}rn^WsQ+Y%lYp-eFKY=`XudbSAB3XX{7A8=Ls7>gkFq+wbT5S&S2>}6rv
z7_oPck=y+NMvhTP6A;0OYcQvuH~GJC$0ISpd`u+^9u4d>8{Tv_a^zucg~ZbfLb8WL
zviJPp*k!l5I}zmLK1|FvNPIzm9%1Mt^^Cy3t+|QbgECCVzxg>3fmja0oYs^9JFWOv
z9Y3L_=Ip}(728`?R_vtxetM6i_}^(7<p=*ra>qkiVr(gheHwP6Ao6d=k<W)gFNfvN
zWxYfx5rt6uhY{S~MsYb|<mb>)CE};@2!AGu{tqCXKj)Z>@9{!0E#j-RO$3g*NvhWn
zf02?Jn1*sGIue2mA168wp>uQ{68j3?4agV;r=MFBVo<2DfK5>ZehkGRMB4LSE*Pew
z-lH@gN78X8L@N|MX_r5u8Bn;Yn{ykGtqG9SuPDYpz5X=az54cIJY2WRUHA>FKJTcg
z=|us>rngjG`LP6;Bql{w9CdNGtn{H<+|Y9tB%HdWlb$lSZ*c*MuO=OB?V~f9vC|}{
zOViyr(ANhemMn%78#RfK7}@Zg8;h@J^52>d6Jj&pnv`Z|-H%ZDmZhjDTZ^Da0N+k%
zCCG}0i-<62!xdx`q#+gopGE+mmj7pI6H8T1mCU4zSWQ)VFv{2Os*jS?g2XF?sW`;R
zIH0MDrO9_+TN)2jlRtmQ&{O^A-5w@k&A_$2DPTNOgtCkN4Im7mmcD5ojN~`?6`<ys
zgOc;P50lPQ8tV6}=EYxPu=mv^hpZ0(4oyeD;vW6Q|D-A`=ECYJ&4R)>yh$1=;3^HP
zl&}ep&oA*!YJO#3`1dFj3e;ck3Fr8&4@DXUOFPqZU1XS_O(~cFpG|>*Nae7syEJLi
zFL9(&ed5P<(5{>)>@771+(|y(f<^=={DS(=X@?=m*&p)72&EV+C6cONk$7OpO2v1v
z%3A64oYv$O1Bc<U!J!sEW>ZIgSCq2Wu%Zr7vp}ohG&~ybmT0N)VKQPil;}a)lviFm
zlPP`}-=}sgIDKGP&71i)v%|)MVGESV7Fn4mbV}r=V7;_EMVeE}Hc~B?g<dgtKm8!S
zF0H#KG%>D7ywsEny8H!Pi9EDRXEXPKbu=RXHyA>ZK62^#O#E#x$KhQO_#BKLv7@2d
zR6iCzBeWmE&Ut1tK`)7h8%jS6ZJiH(jab?>n5p_zbv5)^F*9eZHwQRN+pp-xdzRKO
zuEVhwuX%Uv*=FgbM4L6a19ImAyP7~_OY3DkaklOH2cEaX@nk`>g^!ai_YRBmzkGJ7
ziJq}iNMs(|%ASd!da#<FONjQk#O#Dv<8H~N_EP(=Y?uuFb=FT_o*nZxI%nK$pLWxl
zDVI09sx+cU4#SQsM=uR;I$kyODSE2<QAT%HH3OdZI;evdxTc?%<%~8>ShE$)&sOLa
z4;FXk3$o;Uo^Q+bV%J;luG^?sNetPAG;tY|tcy+!XKzVL_x1)`CD`aS&yGg}=!9B!
zf1hTi*1WvgzKja3_8iw{Fj9ML_;xXDsE?zP)Ji&(UMYb{ESRI7UDF_SWLPNq=pW9}
zGU8O%5wlz|YHW}_q<)JC!!n<0^_}WYuXeqVRD#wSG_NEWw=%8V3SILyZwzyREvH;#
zwVLY3zZlT8GEhx|5(;c_mR2B9Q;9xn3q!Rpm)ZrbKGmwHRsTZT3Isu0xcxFfX6ez&
zX>t(i$eN_OQQ#2HSv@5g#nS)~jpKc4{e7<Sm1q`^wvI)W?e|5@cPK(~uCGLscrbM=
z2yDN9#(amkV_^lor+iw%TaR(#|7zO%dw2|Qh*c8hPx9_U@`-7T#?Zy(%kJp}6}nN9
zRvqF11%fR`rU(p6Bot>PTar=Q0959HB+F+inIHv|EmycCtlq**NN-m*otzv^=p}j+
zgP_YONFRxDdSL^6$QBVXo8ZS=*_W&Ekt!X<9~~=_fp%ZV(W~sRmN*w!`&NEKto}~7
zQ?}a)vfCNwENhktvP;SU`$-V1RBWqxD^#$}3ii!Gjj<?>JDdcLruk`_w+Gmp#XEHS
zDcxN&zVqWb%&~Ir^>L88QscbC3lIibH4|0AcEk|PacOP|)rGwa%a0!jEf#q4+=%Mj
zvb15Bc|R@ju2%)y5N{G|vu`c|8YW1q$$J;j8&K-qu$Fii6vCS0pqk^{lJcu}f~vo+
znOcI1dKYBg)kgxWlhWNBtCJv6Cjf+5Uv;GdtG@=jSb}Kk+-x0D?1*7)i3ziybYVSf
z1;$&>K%NZ~oD1av*<(L6n-Z@EYXmWjNFpC1eoG;okaLhs-w#7P4X4LT`$Bi>rs6CJ
zkzIcO@HG4=#V@F8M56r`F(ieuB()%9a)ExX=*;`4J0LkdK5ma3;`V!5Jh$&|pog?0
zRAsy+xZLL(=G8Q*pW55y-*&y2p~cF{j&uZ1Lzq%?It>7PU3t}kxHTONXG%sno&roK
zSB%TT^Un;~Kn1gLlJat_CAEd;?-@XdOknyy{(HpLLa7Ny%7;wgqgqjksu4gtH)>7|
z1)Nt(#*qTcnZgBd$^h%BTbG!yW1lNxGZ~denWN{YAK#Z?7y%;Fqo&pH9Tifv6$Y*8
zAUIRz|5GVXkD7f~nUEi}qC>T%b12znS4Xg|m;?J2NK0zz?>tXkxicGfX*q%s0Nb2S
z5r7<|z`+h+$w2Tt&`8x4&z@I<w55wKOUjT9QZPezQw8vV#}m(<QS0sKYX9}9R`ou?
zzj+aC=|F)0*7d%O%ifZD1{hfYvF+-XgW=0*>X~R2N8{he=_>U%RRaZk2UFZah}w`1
zZ&F{oTGz?SW=>t3Nq29VgArTxF5P4s#g<2uDS8Z{x+sdUC{xF>3{%)bZHCVXg|wa1
z41#E((?no22O~ci<G`ruS-6Z4K@;<%k8oT=Lfp8KXx*||l?<T}`&_bN9#aL+4$gsH
zR|P$28rt7n*w*~>$9Ji@7@XjDDM&?Qx-rW@NleeeNPNcsQNJD7Q8!$@ZFqOSWb_h_
zXH3w<lz_!b*boYNJPUc)bdV&k&LywR+5HQP&x3>JK0<w#w8?pJ{#m&Jz3#wC6*1y~
zaK=SQFtE!73r12fqJoiTV7CQn-68#fk*sI$+<$c30sWym@J`p*KYG|f%(Dl1++q5j
zF*yFt9Oo<+=m2@f6@4eU$MuY$SQQpM;)LM9ooNh~Mgh0zM@!mJ_3SC$Z;5#R(f2fN
zj%RYIi*m;GF9D`=!#0eRst0-N#heZ4;+`=)*Lc`2jFhei{vY$H2mAa+*Z4+P+&@_8
z6A*RW0h}`^!08D}2?PNO5;p>rUZ>|G-3{itt_oEDT=mY>UG>TzStN%E;WH3x5n`wi
zLIwzH@z$|utN8;wd$ds$<^5gG{Tqm~(w_IhO)GuBUh0B(VDuqs!~wr^gW-VwQ%_%R
zcw*F`Sixmx@6-4;Da(TbIP)R_T(S9%p3ffx#<U0=$Cex?XMgOs5I<9$`(s||vV&(_
zV{+5zk=Wx3y33q*_*Yo+zHo5i{up=<$NQhgGdIZITei$S<3w+;{z-vKuO>Ql+3Q8~
z;FwDA<d|}@PB}%+JJ_U`S|Mx<ql^nHjx-MLP#CjgX;YY5GZ&eR_)~Id-;iLzZy$Wt
zDkD6pkP+(t_WFwW?Ur#A6zvo5sKNx&9QzUebMN>{-EAoO^q|G9qL)v7tbAV$zn5zZ
zVl-yF9Gw?C;4|aGV<teC1g;ZMeIrC#8kcGTKG~tpA*j2qbr7eCy<WNSnyI;H;C61{
zwy%C=eF`0VR{fFTz$zEmNsy}vvtDUpz){<*sO(u=;Wgi>!`Ih$2a$CHLDRLOSLXYa
z|0miCX1#F%|I6$;TXlG?Ro8r@`AT>Rw&$#lf=!8^kxnRAb!^XA<DGowFAr2z(5Eyj
zk_?Sa1)DV}wo|BCx=yQVAEWm?SO*=85{}t*uIg~EYOdJ~tFsKwV3G(kPBb=f&<@36
zg}=9PLY}a}3ej^G2cqOgAg%fJ@lKsbziELTwx8D%?rbxkXNl;!Gk6Qodnz0r;XV|o
zwB5WzWa3QtY{0-<x3H{pfLzV?><>w|Z{%|R5q8Jp%RG@S%KD*EkVjow@Oa-OFP?vF
zDsLtDl8^|g$6c}uEZ8~S2YF@$l1K~Y;?de7uKKT*&l8r<rH<!b8@8VrV|MPbZ+|lu
z1;-OsSLnYHuKGDBg!nmNb7O+Hk_I`rU^9ccxbXyC^bo;Sp25LeY(s9AD4eiDXGZrj
zW)|r?7rU3d_j(3ga23q+$D^3#%v+PXuA~Qy8No^;eF$ep9RC!S`uLX8|2L^b0-`p0
zvi6_N5F&<i6rBHbvDf>o!LkmHb-^BWZ2#5t^DSlmug0tsKsb{AK1u+>KcV+^)+~Ab
zZzxUZwz>Bm*)+Pp!D9MX&a1UaY|BQlzo~$t;R(AM6UKAz1>0Y1<<fRTHui6uO2)B8
zP@4ZV&N|ig@@b8McLMo6wetOskrli}&E8oJjImIsdM+thpSX$~vO5Rpm(SZ>v?BZK
z(6O})?sAHFWHuE|w;~H_<-ji3xodDIQ1hW$<TlXyig$j=%utxz>R*>ITD9Yh9W9Bn
z2XKHx)2SsmtF`hRnUa=(czb{YCr4&Z=^>}Wc!~M!71CNs`ttRz9YT-Q(-fqt`K*qr
zNJ}|Pk>W~8toWIv=BZo8+U;Mdk_^q}8ynEH(B#2ciTb73Rp<yv=f34?(99xW!Ep7N
z$Hu{uFJPZb%8=itYyZ1J#?KD*{i;Vhbw=~OYg<-b^)sBkN6>2Y;@zzy_4Cf`iub`2
zfu_HpH27%7gA`k+GoEAAZw08jVyWH|%cbNGnPM)Pg^rm%Q*IEwRM1QO1e_#+jC>xj
zL;qOaD2<k42)9+1I(P!kFwu;B<58MAY|GHbJUmLI={jVY_jvxh64s~8oZwL56~YzH
zyd%zfx>`^)KN8h?B*Z$h*#vWKjpqDmW+vR%c}xqD9R`sUWB0F02)mB!C`e~FP=1|p
z@jV0Gk-rx`0#p=7mk;-2x$<v0nO^c=Z1ie?m4ltg>W2D;3^sn=7|6AG5s|m`mXOpL
zX_m}UVVZLTz?IQ@2pmp&JLb_6&-(I_+eBN>igYl!zbWoQwIWyG#Xa2_d7EfSn`K%4
zj`&%Y>F>ysW!d(QFj<zN?<mGS9Y(ccK8?j>TZJATyU25qWEOA?pXF_G?4~x^mm=VC
zC}YYw!k=ZjPO-|MjX<s4OI3XoDMRI$7%9`NUB9;T5|871OOu=7o4GscT}E+7ZD@|Y
zFLw#w=&Rw?{W({3)FS0T^1=BK$Yw;ob26}tY56d)yUGA2N~t!e9uN+J4Rt`5246AD
zhp=g&N5|sCw)gFRn0`PaLSvChqCG9`ABtSbo(Kec^S^1BF0i74!uHXwMs_L@MUaf;
zO%l3tbW_D@Rmt|u<)U&GR964O>YZzx+v*Z1@#T_)pFsN3u=*n(P2)J6?f_UbVu(jd
zvcszZy00$nnPs$%W#y3sR29O}bX3Q;1)`<AR_2r(;%bLjNaG4~Xe#-oVNG9D`o*y=
zRjL(`G1T)V)G@&{EMo<mikSG#RDn0xox{?Zn-gC%P&*vsCDu9Pl2;4DnfLBljYepR
z+1NVEo1SE73ZA%khN>ig;!#)-DGh21QqL4PLdquG9{{>I@FF%&P%G!$Rn>}uDof53
zA4REs+XF);-AVW{@8fzQ8SBz|JK&MB6%MmfHrHTqEQ6|{Jup2x`F(^8Ybq|5>vepy
zVk-8CBe8W%I3hh#@OU+syednc614Ito1?rfBJ-2_^@W{Vxs&d@2d1<Knb;ydQt^0)
zmiDNeNH7o^2TU-|n0|`NRZ(5kV2ITcI)<vxb;u!Q6CH$6T})u~XE$ysQC0%QEYu%@
zuxr*3aa~1INVKFpJR<X5$~!|+wwpQaGBh!tYL*-=h>AnP?{8+k%`H_;sp%!+s3a!*
z8qI_%uq-REREW4&;<?4xox-NGKdy!=D}*^GDF1tb4Ci>zK4MwDc^MZ%GCFAL-{mU_
zba;F22c0D{6Mt8rYxd}9iprcsv(E9bNF1LZ4bW$<xP^3nb=>UmuePYFwP${e(0p<O
zz2!D>HE=YXl!WVbPKnhBE=Zicv{&lHW%}53)N-w?zZ%48B*k;|tZt-gDuijTM%%p|
zQNAiY+-~(=4M$Ll4%`F?bK3t6Bf7lu`Z2yki(wN>;1(9b8%^LA7s4A);1(3p9)ZuH
z_NMqTf4N~JAQqd`LEFIaPseh!vv$u+3)&5)VOM}mHs9BBE<+|)H}wtiXwZ1aBb8uE
z?h{Jj!WS4>9TuynWR1Kc?4)KPD{NUE4y&i61rZsL{K{+5jq;3lQZus^b_HQ^ez_pk
z=~pY_<i?4jQ-DrTqK5oRH#nnsLAU%=X$4DmW$wTD0^RO<(RiM$op~`>(S^p!<y{$(
z#tQKr!<A=H6jlU_v1zQT3FiwN5h$xO8ee2Uc|~qib^$ZqG*(?Qt4WPfb8~dQ2Djwd
z?jv%5qGshSmk1y8vxKFNBoow>`10VdC~G>6Dx3_;^!~1nV<LKEWc10y)?{a5rm&Rt
zY~Ouw@#*A-`<R1Hn}ncKKwC<&U7vpnm0vKck;wxOo)qo+n-k#@DNGXCvGSrKwRo&p
zjIgojX&FC;Vn`??e+&-B7)+-@{)kEmT)_0!=9eu}mMx;L68~5%?*2=5S6Ozqv=Uk^
z9QX)egelv~Ls4vX6pn>ZSJZ;9@|IQ7f-jrSX~)!nw2mmH<{to*k>=!_qbcQwd3yg6
z;}0d+KB7gvK%k+F!qhN<D;_v^O$j_6Sc#F4gP=RvQsh3_%KP={Z%F?ql>fPPIx(0i
zKEe_Log8Z%FlFab)`@dSdE1}UWmExy2obwfG71oMtg2}gU=nR)ih?J61&_tZaNxv}
zFPO;lV#5Ve)Gi<`Gf)>1u4%-$_fvQ%JdHGD6ntw_U=&4O1~`700PRY(xxj}fd<x4~
z#0!TeEhaLfEZ>iYj4dO^f!s1v=T&ssPQ~Hxq7CKk;iAG5&}g;#!sUk1Dr?Y`E9-9%
zK=*JFHx_NJrXZ*>TGZuSzwThccvtbdtCX~S;{ckZ4$zt7y0GfLSME`*NnGJFb5>{4
z7<oR;zVk1`X|VQwZB+QX_7ZG3xl+2ez}?Q0*YFyKOU^iI?b=nw=%fLDVd2n|m9s_*
zZ^&gTK+6cN8$C;hM>?eW1XbZ=B0-*KyX!^`Qno&{D$ifCZk<)_H?G`Ll0yza<KT7k
z=R-)&`5{c3Exc?6pNx(`QA(LG1z!ZVknpaYb~%S9oOG^ISROhB+z2YqR*~EA;v-6x
zPzm7^bi_K?JdElgA}QOAK-ppK%9fGze%wU1yQ284AA%SKlUwT3v#JvCYCP3t^`c6x
zSsL=oA~sGs=w_(ZgH|x{082(idc~|D8&c}x&<|i@D~YIGFH2*JBAf}g6q}AVZ*=gy
zs1dKgdfK<|UjIR!>D&|fm68(tib8v$bdmA4()l{y|Im~}>GymEL3QHAbA8rWqKCR)
zri~TwsKd)o^Ncyk;qCrFbAz(wVMgYqdGZP*!CI+NO$0vnmqQ&;{puy4%`Qt-YXjMY
zmpZaGa9T=Pe%AGX`Qz$|Qn3~O@B1M`XV5|T5ZTZ-#oKtr0@v)54Yw$5Bd%}L3ESK!
zb*?+dl10_<2&5uGWMv`H*im`p6o+|m-lE@LTcI-})7+P}IRrbh)(fzHQAwbz7P;o^
zdq>rv&0zbsk8=p>8M1$Eyumx_$vxCw_Yz}9)MT!lH(_nZSARWY##NG>1(^w~>j=W%
zf)xHduoU&D)dH4tNhml|b2Ta*?5DCAHE-lBxVT>S3`Z+v8Wddx4(;FetXbYpuNIYJ
z*EM%QN7;*@Rb57ckI@Z$J2y9QPy4r;O{AbyzHG|ZYguVCRi;De2CWnqc_0tquj022
zrqI9PO`@Rr=RMo!0@aby$L8*cmkRrCjf2(l)U%62VKh>Q)YCJH%CAZD=~YVhPVAM%
zFIoaWr>6_ql|8>lcWb^4RaVu}(wErcnuXh%xm%hwSJwY3sY+R90v-oejUD#_ZMn=s
z6_x|bO8Hd47uqal9ki9UzzW(`32n2=SRca)%-Z*gw0iwyH(Rp>?ex<Mu%eAwb5eay
z^_Vw(!&<V!a<YQLvOUn;7HD1q)^p)BgTmP;rhZTS*LvA}y{V3MRbAT{umH4`GD}g=
z<}mA^8T|ps7psizprf}1>e&5J(KZ7tSnn_ad7EwVx#0LqA9s_@Mt?Y&0NvF!mXcFW
zQ&N)DG?tUq0nO3%w#%%FV%9seYG9^mrM0jgSW-3rI~!aO>^xz;V-Ku18|8NRud>M<
zJglvkGE)=ls)BYiKTT?S{o23GHrn@qExsmrc`4YOX4SCsGTO~q2waW-XIfmd<*)|-
z@YwyYtKpL*LN;U%w~L0a_u;#!^A*qba->kKG*N&oi#uC<ECYG)Ce)Ar_69GGc9gSW
zC!6-)n!*2POyKzPLm&?y&xnG9!0KF_lEO;dO#S%jJ%jWL07;=v;qN`aw2pv?)v~#V
zuknm~@((+VUQ~q@`<eQif|<bJ#NoJbIC#QR+vwAopp>aN%49~3tSFgP6`f`yCjvAE
z9G*cITObajV)nmSp2_ihgBiDQKvHu<<1eb}w8rcrvuNB>(u?gR{xs_M%eH^1o=!Sh
z1&!H?re}Gax^O(m@T5L~4)x4xkqL&1XEimRuhDcCQ1p#kp+6X>vLeg7qE~*EG^efP
zTQ`ien_8Rs;5LOS*wL@@l~vnXSC$i3aIOxR;IRHo%UEf#M$B9>u@0{o=WNLGqF>#z
zZcyN~C@&|j;nbIBXKV6M(OsHrcK3m8N>Q-mXzHJLx3%U2@afr2mNauUiOrjjasiz|
z#i5nsKfWbnm)tVF>n%{DYGg8QF%ar3qiAGSFHh_!aj!BN-j`oDWHG)lkZ7T!F#m$8
z-*0O(2Jk7{HRpI3W8aQqbLztSfL?ECqks$XpLAr_XsoXsuTU#FV0i+ThO7;bKc5&L
z-%$$rcU>nDaNyd!c`W!(FSOe#K3Y566qg!m6oLj#Zyu^1tD6_AvT_8>oZ*YkK~E!>
z(b{Kv-1yagJ@N}=HK(tsnU(gt6jNEEr_Q>l?CQPhZCV;OUqIelh*`VyAQC>!4|jPm
z?UjJ?v(((cOH2%Z1fY`4J&&?~+_&7og#c02H+ahzYKoh82O~k*`HLljj-}WFH!)g9
zpeUxECCZ!?%CglbtPH8JAKygfe&)l|uy67*Lb>To1+9b!Q{_!T<LaOsHxeyd!O%29
z;;*1#t)LNtYx}Ebu`EnPzEk61xtfSTsd`_=QuE!wBeN5fe?tP>q9|kq;e2=|_9@E*
zUenSb$>2G1F{s#&R#9NKE+3zjeTt=he|SoG=uqc_7!<J`3J+COc-qx~SQtCLKsZs%
z@k8DnW|5C6RoYn5U19o@=|^jJc&Cij1*_~IiM|laMQTct^Rq-M<J6`^*vW;r-F5aG
zL@>#P2~KLtak7KcK|gGU)N4d4r3A!DEcl`bI|TCVT}|->s3eubSOy2u5{<{cu$Y_T
zxyZ-x5KHzA&{*Pe-FP6#v)u-u?HJIau+XBUn_!}_QGq64<;n5F@r&I=R947U)#Rgq
z64S=2u6kGkR1%YtDqm<Z25mC2z7DU!u-m!>^^eU3Q^E7bA;S=v=LGL8p+K`Q&bWA@
zvLCUU<x{6!hXm)C%oLX039|*T#U&zUKxVm2L5;&OaUTXT{UQD}Yr_<9RDV6*>a9Ee
zn+w-^+x{+d>*;LSJ$&)U?&J++qR_gY34PIB_w%d6DN4c9YR%p2*SnqhaGz6=LN`-O
z0aP8O(AzB}h%Y+JI~tQuBC7%VeE5v}qYta|P{V!@IIO+Ek6LXXP;Zs_PEs8YKcZ{|
zAV+YWX@PH>ed6A4o1KjwMWqZ23YcB5DajsXr3?%6Yh5|wCDpFDc^{d`9&_Tl<0JfK
zrG#Q5{3WG?q9gnjrG(<6x~Hb&OL~+Rx76y5DD-n@zC)CNI3L#_pfo6Qs=+@(f?Xpu
zQ|82Hm&GT_L}C)fKm6Eam24*lT;MEHX-0Mx31a}xB>YSXW0;xAvt=Dv0u)4d?Wt(U
zx{9>&17*vN=#eG(gAPdvpNtt!NY0><Cj>3yE%k1H{WdT$X1484_4H+SO;Mck-)cXo
znfTO#JA^B~jU#>pJ>3f9<od03>hz2o`oi_w{Spj1uLy;`NU|bYtS*`qbwso-ni6$H
zylz6WVgkFp2rI8heJjk!5%kDc9ExJX@FJ&pG1Yb_X@WcM|J!A4r=ySV00Q50aK#Uy
zBioT_4`rp%J>c<Y;8|mI(Awd}dQauN`EwMGREb>CJRb7ooRlN=(eg1V_62eD!-AvR
zVVrCS`?n~=|6VXyd-C|s6$djN=SVVz*NvdNm`UJnju$Wy<Le#`FUbv+_}l;HBu?3~
zYgo-Ca0QU?_^3B&BO3$Aw=<&bX9^>{k)``IxT69+vEzwc*_8Xs<c1QeU6H;r5|4Am
zmt27^##?-O;LiN*Z@>qprw(xLb;5Q}eZN0{$*l&;_+5eD779Hd)Yf*(fzJiSCp`ws
z_}nyT`vFKQO`QaE6__gb=hYdVTyjqjq*`)wpDPKd|96Ud!J8=;=lU<>##6CCm@P>B
z#AN43`Q5#%*1hk7ztPLUWY*D-K}O+^%)*~qKJc`DKs_)b$NX&c>$Vrt@((0U&<Bi`
z536_O6ly^=*~JY<rtUAR+Ah<NUd%nR`A%~A#;ToDU3SdiU!meAS^13<rr38BZ9Knl
z%eJ?sxRw?c#p}xS;8KD*%5gNKWfVTD%(B}n%mU`vqjhIbusFtd7TASo6*3(%)hm^*
z2E(~3B_3{1$6tg#g$ns<rfS)FHMJY4$!H_$H)Q(1YNq_rqiSm#;|<ZJdVdmp5OEr;
z>viuljK}AITj|D2akRhs$S128!2^48bA&3Bx;hAvUjQ|WZQZ`Ku5NwyQG9vEJH-D>
zdt62hR4J(Z$lI}<mSZiD;*N^&D$q4FqeggkysRrT$cL-6Br|xHvFr$E(=~j~HT?XY
z44hTBZbwjDRGD=fb}jEmlEpmqYg|OcJ%Dh(DwzvfPf*Z9kxlK0Q+8~h%a?ZBbS)SA
zevB&C(&Bb<!w8U~<}ib1n(GZk=5|8@unC3(!Z|n&pcILZ=DwkFyPX5VV|qggxYY_D
z<m=16ns?qPhDsqa@*Gbk5*n$0n)FKNRhdQRrb9aZl7opt4JftaHFm0371Q`QJm+Lp
zN;Ds;s);MBqVH+`JEx>no;XACr)ID+tOT2D^RF=+?`&i@Tb`j?yNQ!kqScl;(nm<J
ooxUgK)ipM!U$RX}uQq9L8?z;*Sq*r5dV_K>C3Ro?2LIvz0<0rlM*si-

literal 15863
zcmZYlWmH^Eum%bTmta8yK?1?u-5r7jcXxMpx8Odw!(hRk!QI_mf(L@z9rB*@o$s#u
zr=Bk9s_I(3*52J+L{aeY{u8rikZ%^Y&L(D#2F@0CwsbZIwic!)PR>sBmQHrIAI`G0
zoW2b<6un7@WbeVp!+Du4z+5k+#PVgt$6%!xJ~JA)VFp;T7Yq5rf@~XNUp7n1Ke%2`
z2<LyONM6b_{{va0a8sGwl*PmH_5>Jxcy`q6cwyD^R@Y4}I0n4MKi_dU(jTt)a?n&~
z=<)fkx(#zgS!yPa-i(@DM>#a$(~&O%hrJh`ubv*9HGirOJNvfCY|tI34d<)?N&PxH
zq^~S$J#(H9>$R)M3--oM*tD{ma5DTdWDob7TSokp7o*<X@BhU5IxK8lJqS=Nj&H^u
z)cq-J`DyZmMnsOYUt!(#qE43rSbg&HrC)y70{FePy+)lpI5R&!yQ=8u$d9VbKd-;}
zJWu%nH#Igj8_cU+G&Y~d#hl74U!dQ9Rfuy$4If`?+^m*sj*a|YHf}7Z$Ju|>U6D_?
zKGj}YT4-t~SlwA8g0j)|qr_c#Op%&GB+|rQq$biN6FRw{;zqB}My)In)VgFdf{|ij
z-xJ{}6a?PrB;?uHr9)O;=3!yi2R9~v*kpgXJBZ+LUU8$fqd(^x5NoN><7$VFzD;Q+
zRS-sCrANTegQllP;LU^Pr$<l}Mo^SQP|c|Z@<6h>;Z#VAmrA=rmc!>!qjykCmqv<L
zNz17R?N2Z2!{kwm{VhjAP{Gairxq@a6s?X#FYno0VF30IO1*H(M+ko&Q%taLxl$39
zj)$FDE4j*3L9dTNt=tv-&goYSacy>ngdqP>lC!87>^hnN<EJiGPXq^Yn!6RnXAfoK
z%qS(I4(i}pr;PtU|M}Cv9e5Q7Fhx-LGYw2YFHaD!LNs8GF`d5ahEH^0jp{@dPrJ?Y
z_-hivcqS5cq(Ut7H056(dsBr<TaE@xK`^Y{xNG(69lm8^IR_n`BtYct!a?{bQ>(yJ
zaC_?`$F>}V+sl3XDf3|)Ly!dBpD{m4Oa&6Y7t=%eL=NE_x|lK~8Z1%hCxoffoaN1S
za}T9iN$mL>?_Zwc5hjxWKkk@ufv2$#yqx=$N)U@liGD9M4_?#fs4mbOBV$_2?mVV`
zJp6ulxV^lPcH6s^W9<kh7=vT0zy92g-83BnyOc~fsD_KHshqy0C!88)Gx2csx;cJf
zPy1PYcyqC8g&BKC|8nICw;;f901Ul3d>AM35YSu59bM+cl|AIxEo`}f-3h%qe#xg+
z8@|bZR5z+(xYS{;%ILD~vU#=ER#_ZAV<FvjR3Rs#7#;36)_i-er*GnT+6UB;n42ki
zwCue06xKmrFZZ`=M^n^|);&&76eqgPA6=VkX6fiuEfCH5mWqbys!v%tA0<O|h^lP|
z({iUwU`UOtjGokX0EfjhRspXEc3PuNIy2qPo@#oB6+%z8+;8>m1^J>S`I(uKcsd$u
z7m7|YSUS$s=WZ6<#gY8nSRyI4UXEC^N6JVVkJ&Ro%IPvniqd@XlKkw<NDXH;%f>}9
z$TaGM>9WtYeawfdOsx~Lf}7-g!eg|p)Qq{XV=+BChP(7gYXw%cf#~b8-T!e>OV5Ng
zRk@sycLvsLP$?KlvH#5O*Y?{FwPQt?Q_fH|Cpf0}phU1uhtNN8@gW);gwkThB`*&L
zeEb>nK_iX$BZ9F>Xa!~*fs@OpT3Z?cNaIN)uCK)U_Lu`bW9pwjmyGet;d*N`-fc$4
z&7Q_|bGELv`OopVL7z{Xj6QUxqMk*y^$qBNS~zl)eKk8fN(Z7Ijzqi~27k4;T`U=<
zuK|EpIoBFjPd9qxYS#{IvgCEK*FV}UtvgWVg1j7*M(tI|)aEUja9#Ac-3~j?eTmSg
ztY-C{56A7!6IOadqsI?pu&?EJO^}a88sbl;x!c<85LQx;o~m(<Xa}-TJDy(Bp(``I
zS~@zO{P}Dc{@Qor6N(V)mu?|pW#{>)nh;ZtLh7c3<kEh0*T4>}t=KZrKp3eFOf?~+
z97S0RivfiZX68}orv<XeAbd96LSjJ-g`7a^k{#~$NyE6W`Cz85z=&xdDhyKS#-)Z3
zft#4>X2B0!3=?^NROmj0Owy+p>^7>AMhjB8TuLQmylq&Y+q6=L!3Q!L!o<dv?K%UY
z+<?2zH14#Dd?i}ly@?sHgh$TK6_7D1pMM3y1+slyZ@E3vhRFoRIjY!KNe^T3qE&NQ
z@O>c6TntPB`a6kL>g5O&b#&Ok43=lA6L6{yhGX&0REsQ)+>lkE@ZMj*=J6a6;n3WB
z`(wyeY$-v@Y5YRuRNd|?-%?NhL~}nD<&>HH;T|*Ky5c=8dqWlbijj!<03(-Z_3lFi
zoe_<uKzZ|)XbhVBXa7-=Nh2P1Rfs`qu+mINyZg85r91FTts$0uMNfoE_b+M+Rk)b>
zPlhn42>1RrNhkCgSJi%G66)+92;nawR>_Dyk>5M#5-Bu35_$s}1#+!#`0i<eIC4#a
zcA@(rvz1$ki@IFvi2NRB$@7(nG06_1``r}P9lI6KATS*EA@bYpE2)C3lUzFtnS=5d
z7hJOvC?CRlr>E&(fs<Mff#5vblZg}!VJ_ec4GxP4s74Sso=cSf_+5$%6gZOKOW#J1
zq;I{D2cF4ww@Jc433ZcG-a}&nzCMeWZ1Fh;(sAE8NzX7?1^UsJ+&JBRaGZJ?o_hMa
z{9Rbd33}b7MO}5cjjf|(+@m8c)=nH~!eCDTp*@MX*xP$XwYYt0Po@u@L{K@qF-xpE
z2&xcG^UA0f;59}597u>!S8I6SSZCCKTFO{bk)}jFhD&o0jp#HH$wkp~s_umsQ(m(D
ze?XsG5>NE0&aD5mY{52ufR%T&!uFa9M@3_E&)9WYS9F4?>d)h&C)|NRY60rLNpi)(
zu(5U`p#3S+yG2kjMl~_^=7ls-<I2OgPSSM#c-H$5aT))@g%1DEhtV9rm#Uw`HaQft
zv~`x*_w1WR9-~(WI~!1}g%ouF;BC*oiw9Hs!s13v*Z#x!rlzBo>5R7Qq%HYm{|O`2
zM=q11+={<RA%V4VN~(w>(sIi`6kM&7PP+JMs;f&9ExldY*8lPi%-^T$N?c3B?FhW6
zyPb6k5~%@;dpYRUOcY;kZJBi{+qh%HIWF8Y++JG7yJ`r<6Jb|z|3HOT-(PK`J3#Y8
z_DgKvQ(_Xi3G$D}0exGJ;YYgtXQ0$Xwftw|@GP1I6aqg=-y&I7`@|jG!lYK%C#q=I
zj>xDwSV5g{H}K=>isU6z4iI0Et4&6WWT<h2UT=JopMT}uihR+x5%&<74{DhAo{oM#
z7u87=bK%pgNTJ)^Kin^Gl@`AkT{da3E>u_EXVs9cDlZvcbenzt_$8~o-NpVo_en}j
zRE!b?uVGCY)ESF*j+I{{h^ZdVTBPBhRZ5HI@`mQc`>2HfQEjk)zRv!}T00~Jm}}1m
zSojvOIgw%20br;)uTjQMiJV|Ip}L@w^YF_qs;LoW*ri=3?<bI=j`#vaA{8c5N(zsK
zllM*NNa0g0k_*1A&Jc6?pCR}V=)5fwW%S_4sHym`!8UU0;@(uYI%)A=$Lv2Hkit7@
z2g4xrK;mr2L2sj>8#vuud1eXxTE0J`A3G>QVe~UMuSnn!c$*{7=9S9tRKC8jexc&C
z8&=k9Ufym#xWtP;z-G6zVOZ4FM7f$G{@!Wghgu2eVJ@b~EfC&uT?13-<#Dw0LvD^R
zy9Hj#9PjijVjoQ&zqZ*iR=y(4-LT)okS}<kV-o4~s_z`EKznoY@;1b|>I2xWxdAGc
zFIEbd{uH)nj;E?HXDl|Uy`<D@6c)IkUbJemVyNv~E0ZPeUln_ra&79!p@b!(It>tW
z!a$3>5OPt`Q-o~&y=Zf4mp4(i(_J%!ioJPUx``q1%cyug92Yy}<6a<Yd_YfN@91~s
z2f&?J)oBamlhe*&Mr1fDU=*TL(~>E>Rxfqhiq_NA3rW&Y!HJRymO_6?hRjnmR)$pm
z;HBp?#Xt=sTy#_l4WF!Ep!iieGI|68OE665gVI-JD)w?Dc$Ltf)NsPdMg`RV3Rp{}
zp@OBMQ>B<xL%Fm<u(=bZwa^d&o<$?*klxLLyQO3J2rRiDa#3n%{N5oKZXOYHUh%Xv
z1yZcxFXN9&LXK|=xpBeV!k&<#@<T@+UoSkkFCfH*Sc?kaFj;4#V+a-SWu5+MkB+F&
z_(BR6Nw;Oi=bbL`(Rc@8P$@~PAc!5N&w5GtW}qSytOS#^*W!O8pz-AulnDM!iphq`
zKWsjNfKkUE4aQN>2i<ifl&L8QGWlb2KYTWC&JhZN#9Ka`%JqkZg5jj>h9H~D#e~Cj
zoDi6jbcEOb`xl>_gZOBv)#!HhM%#V~frzKufI|BebI@(%fG4bX;?plH0Y|2;G*z{N
zyTsp4B}|)M-<#?VQ?7rHd(s3+giXD0J}jNavHRW8Yjjj65CPWFI$s<*AOE;XwP?=U
z>G^UcS7rEQ(jL?SVSTSskBK-E#TsNr_72A(9ER5uce7It&pS4sh)*#a7=FcV6##Za
zsGh>8D0XDHf?4)OGpWKHinHNm);VPO;$h)mBrnv<BwYF3+nL2&mcW#%N#<PC*l~^d
z0V96cX*4N2T!t!LCKjdBkNMy;P*-|!-%E~x>r+RtPW1s^!6eRnzP5KWed=Ve>P6>n
zr!UU@@vytgHJlwbQ9=$*gXZjUEgprPc!6b$jPEip=s+}*edLMsfrrTR?g@mfsE4Av
z=>vK>RYM46G=}@`ryq>E_+<C<a`7&4KXo|1%`7W=VU}u?=bEaixoPin?I(}{7eC=H
z-{h~|H6<J?*Q_*86dO?7*}Mqbt$(AJY(&3nj+e{@L|vRAHvO1%WXqio@-1i~zSafW
znvY6L9>h*&0zj`Bms~c5wsul%eAr&PZ9LT>x)>Y|Y}@MNBkkui?x!nk4#8+j*in^P
zV=(PS<r!R_GUwr6k;Y>>_Pd@4nj%NWw|KL%L<t12`WKEw09cC)V=y=@(x{BDhqk23
z2^|u}vxQv&(4Z_w6o(nU^ZQLd<w(}8)E}}&CYf>*Lzxwsamnz^7DzlL<@A!@7GbcA
zXWVb%kZSFPO)c*UtNy?TYj4b<KBBq!r0=~Yam=dB{GB_YI4Ao#(OWWogUQbQS*fTT
zyFRCC1>!gJ%`|?x8$q%g!9U8E?#7qw_8(PZz9^>Mu;Djh^Jt^2rr3Qx`}dD;Cvgn~
zI^M1=Xiawdd?a4*Tc)2)m!n|Y{?VYiw|Mh$vzj5j{ox^O!jjibZ?Y4uaeZO5`^jwk
z)GSX!MiU-@jq1i1A&rC}L+)kLVwGxA)fVo-Bj&0@uR4C=%DMJ?8Zy1~FS3ppMtmo|
zsZZAL6QhMiKqvpf?P8Ab)6<NGSnNW+7?~ZOr?D>Yqbbt~AidLL?C~H^s&e}1%k@#|
z9Ubf~eq^`@>F!W{xX0Y~aD8~o$Mgh?Pfl(O-)2b;sx;(^#XkMQhDpcn4R83YXp#3x
zp69~;g8^xQgpV_{iuUoyFcA0&2&Aa4ic;5c+c}o*JFCj{ZhMy%+xB%(^F8P$M>U_e
zD$%!%%hC!koP2R7-}k&WEOA2fwb*<*w)k}N-L?~&u<noJ<Jm#6UKA{E)<H$Jz}r4b
zi6CoAXSr(Buz4MNE}xKT;@f6~+E4(@(=M3~(zT&j&1)2jGq)O4Z1|az-?Pq^Nw+P}
z*LLeL5nDIn#s^PT_B&5@dbNEGpLmTM>kK&34)3sD;GJ}}ey&>X%opaVFFP|Bu%3a^
z^0-G-)O>@2lX)}ONPl^$JCXu)5vAneplxi2UgsUZdiDs)EBvN{;u9-6{Cvcv?3o>q
zJy<x1mW#L&_V)E}Qb2b8j1$sde0n~ET(}jZKS&$br5o2^+Pt9z>lrCM$utFZMpuG#
zqZ_GtQS|?TR-cYkg79p!+(V|{CP<ayAj8StDWjpjsoeeausjN+zn=U%O$?q$9<(b@
zj&q$yOnbkM(2}x^(&C+=ls%E+Jt&(01_uzD0=Hwnq|0}{+@uOT^FR1BQ2Q;$8w)0N
z9u?d%cd2K~nqFY<KLRLR{SDz+c~GO}KVKqH@`u{zd^cDhWIT7lW#l&iQPkWgLF5GP
z7{RwS<2PP1_vvV(Xu0D;GF17y=yh*(LN57?_@g%b)(?MbA-3E`Cb}ZDPHvXaRJp)~
zEaLyFz|9-I{+XmmSN{(aDbrIN>4B-r2*f>8A(L0wXe_btF(17^=;s`H)ZPo%)tuGJ
zu<W(lLzhA%2Z5Y;Vl3D~;ou}<(7qFODl>G4x7>lEiD0>?B(7mpXD;<U(kCJTQW0t-
z$%x~bBw~dmlr-%OX6xs8lv3>xwAk+<BSlC|t*oTtI5n>26op6zZFB!Wmz)`oQzFT+
zfl0)=8O6quArNH>#450b(%@+2Ii|`mImFOe2g;JTfnF9up~|1*5V63KN9K5$f^%mL
zjywb<gu!7$5X+dqs!$ikK$H~-ALGV(5*8vwO*0qPbukAjX4z<!-hCXy_;5`Oy7f`k
z9AIS1L{58*!R_s{XV*XGF+~~_HHIqgG#apX75z^DCv6N>-nr|)Wn6MV9udb(x@;^w
zzr%8hn}VPcH5u2GM3wwKxw}YuUolj<hL#kIR)9p&K#*ElG8v)_o!DfkYSdf3+s;U?
zH!f{<!X6O&#F{=I+t?}3<@Y(K)u#dKcURSB#`EP3OZHx4%ih^y-K~gMjP1sTt7Nns
zA^VyZW3$WZEPET--$T8XMZ8{FaTT{gK5`1JrcJii3ZqOXiSTUrd;#u0HB_D3ZL;ev
zK@rz8E=UDpNa}k*C6cgWBox^Q{0v7<<p_Uj{;BBFAu}W~ehSD8mJf8{{@6%@VWNUz
z_<|wurHmg`NOJEh+e5FB)+uhQ^#t;v#LoD#>{F-0P~0sgktJ`g!kE_mOEl;FPphDQ
zV3IK0`ig7BVupn0`ztDwFi=<E5PTAY`yNl3QAL=RkM={f5+`EkAfv}Ko)Qz+5%MvB
z61|_OS58;}UMxS?=*`UYPVz@MWqu>Q=%1BWdC7~Y{BM!J|N1F<+F?fIe?no$+YTR?
zMsdYI`#+d~Qo<yO%;h7HV2yFD*)<2l`J3p?1||B>f+vBMR*p!~-J{o7^Yfo1)9^KK
zb&gN@M-k%w#1bIFaIl1Nk8~*roOvXqbi6q}fn&vaHzndHF=YmHv2VgLl>BI7`R1ZS
zLj7<Bl%kk0Df#F>l+`0+!t;ZQjv^>M)g!4s^<yTH{770Tsj*?5p3%?gX`B}QWsCad
zr0PNjycExP^8rxr#Ah@%dW)rE39pS7iAjr{HBZ7?d5^a9<F;xqQ#Lz|4ed3rm?%e$
zu3EYcxi*Im>#c+M;IPg<2|bS^E9<`@B?s~MmW2Cx)qkelc>n4|{|)(HrT1R~R3987
zpGlF;K?#BVyqp0Ef!(|uG10Dv<~KFn4ll2cv}()f$<r5~3pxVPhwp6V<V02z^MjAy
zI5eNDA4!HMPokW$x6UcRKSRcKmui!donGKg+)0lEJaCgw&{Zt}^c&wiSR2*X(HpRd
zHjf~xQEuJ(4b2E`QNw8O2cJ-GamzJlLslII0~A5BT-&CY_AIK+!Vqel+y8F^vtWP{
zt2vihkg5WRj&mD@Y74dkkWyU6&#j&3Ph)HkK-FEC<W5(aZ3183y0T_%MsIeurO$Vn
z3z%L~n%_P@U3_%-QK^eO+{FD{+p?8orgG)u)Ug+PcGH?u^RPz1_cpS;#p}FVMIdrB
z$#({nO4F;a@YPa@(%|yRFPxKS3s<R%ORM|K*fjH_MlO*qi!Di=Ey<nLyR#dw;(}Wm
zfz0_hOiuWxN>3bDT=#ZHCn1^hFX<yWabY50@M|z>k~&#ZV!VP;G9zQpB)LIF2kuYD
z&qP*({bFUR6+W0mMVc0cmPJ#RH=l_{Nw64supq7_VaDVo1S6CMxsV~k;!{A|5i;m}
zx*@YF-QV?JdQ{KQPzK4|RSC5Cxv(Bsr62w}?<G?1C(g!AifKHql_l}xn1FwM6(7Bm
ziY9ZUe}6AXV&KDisHNN=l@sgam43KVimwh=>?CnkfzR<qFY-q3@E(_ysUDcL7Mg3H
z5&D(mD^oQ(9d=bKt$J;&-9Y1)aj20ryJz|OtF=6bvW%z=j{<x@X3Jc;*-U9R>NZb8
zB>@~Bd_>7nt?CRq&{KzJIa9!5Uwc2cHxM$62kN~a)Af4$AZ4U;C4Wy#Hax|y+e+Mm
zzgq1YCAZw5n(MS%2!&Wp%AgOhXGUymM1tE;lwPn)+D+~B4CJ$qGXT@W#<KeZJJd^8
zOLIar9R8giS?z~#8V-j+i8Tj|JMTU|jz3AU?$YAzuP1d^kDlCR17>QohmAg@g4NDh
zDH2DkOdecMf5+ULeaeCm1yW}{u1qy)F7^K1K^UYzU%ITlkPaNooV^K$wmz7)?V5=o
zp8dRwKcI_U>40KdZaw2B#XvT8{Br#GFz%Q2@{rofN?$I&Ur$w9H*DFNHb#FT+MWG@
zv#N1b<B48D4E7lE;|5beD_=I{B8?`QC=kh<FVBiE%!-JxdDP$aB*^XB^mPl~JQ=Oh
zG1n#7oB(Pix~6Iz@^~evzz3gUP~r<FqrhkRBB1`N*G7t2;<FE0cFa@`gwzn+UW?Y|
zF_n4UBgUj9s~%;TA%=oAJtt?qn>D@h>y7^sG|rdWRZJW}k0HjIFf}Md+5ThM2OPz2
zy23zh$pC<&knMMv7SEunP0Y`kBtcG~Enzny9(Ybvq=|1q-vhdfhPIgX?Qxl#@jq+F
zAXR;URr?zB1v2Oh;RkKIFPtq-TiFDTgK`cM&xpJ`YHOdmAY<>b-21AbY7tR6;d6xt
z75z03algZumNC*!4$R*;zqSmI3DB7B){XOC<HQW{;lWUERy#nW=#&-gP=fG7LciII
zD)7Y<@zoIVB@<z#6`(sfgYXGHNuZ8R&)P$03r;7MW=RFCrvD#6WN*$!muj1V_PM`N
zFXGy_Oq7l^Kph-~b9(B>u)aua)ucmZE5O8@yPI1FM#=jBqM~PC^Dy7ab3g=FK%$4r
zo*0Jkz8DmO$w|NhM_<TgOFSO%(IQ4m(rHT=G4oLiT&}IYO=4R1*tXk^98`6Z96~p$
zPE?IZKi<g5?>{^!xwRu>!tw`;jx;C{ZBIyeE2Fj=>3e2dDXVZS9Q~BmUJa#Z^sG75
z+%#I3Kfg@J5S&>F3HoJ3V_)w-uTz&XOsDH#dz`&ZkeWxKcsN{l-CB6A(7zZ^JPj2>
zrzU;%kdEUkk}SkbPZA;7uaQDPr`qxy`Q|b5&Feo(Eq0|Gd0K`Pp&TkhEkQE>)XC<P
zKpiKEHB=ZXSr`f`#Iy)rdrQH7NkAu64E&Dx&Mgr7BnaaX-*rg|=M=_?553q0T|$>_
zG;+ode!q`JoSf~(AaxgpLA3xay-{y;^ny9-2_;f@X&6*0&*?Xkb-rE^M00aFSX8Qk
zJQ!Tw!kRFY-&+Xiyu?8zl9#2LtN26i9v}md&ZNdU6TbhPG^Q7CMyr}JWN>t!31YAe
zZXEHAU?@HeM%gCQ9%Y(j$4~!>fq;XB8+<cI`AImL-hjc9C?brknmmlJ&gQ$NCJpAb
z^Et#Nf_q8fnUGj&Av9GCi5OoUg~j9ohHN%J;^L!bK~Yx`|2}WEL9LQ^h76W#o}xnI
z-WNXfpW-5SCM>P`s1dpy6GjgsoLZZA(v^OH-R5>PcqXXO3{OocWJ1y$OPfG|V5(ij
z*-O)pt41|(DeW+z8c9GXG$=N;`{}PXv=VP16-GCHHQhwZ$_`|#ez&;7CA{K|X{b9P
zKC_2HU`gMF!sGUdiQYKM=ivQZeDic?{jR<D(=`rYt;L>MbJaRsnaJv*eXD*EN7imt
zfQyvltWu&~Y1zsSI(^2rW5bbMu4=TuR<o^4-V(I2;$muTH-|65zFy_T>$N8l5BmM%
z<&f*S>BMrI?+OFOH*zGl@R?iLHzq(YQqxx{<_eJ4NQ5i#6kl*Py8XbG${;|;;Uyq|
zf5cJkOt8w&Rcs^0?p|F!Z^*o&;Nzt7TIai{2aMWFby+e<_kKF4?s`6#%Ds_geY-{f
z+?*y;lDKT*)&Kk1v|TeP@pozte=>0T={B2xQS@Lp>fq@(-$e0e{R^{=9~WIU{QzBt
zMoVi2!&}+&TEdqmJKfgXx4IkDH}kGJA~r3#^UeoT4PDi74x(y_i{fkf6Fal&$Y<v?
zNKGjwG9H?TOSFs_#f^`d&gfNE$Ziq?LV|D%XX@Q&TGOi?FGRqT4SKa}F}m$li-sTE
z3YU+gC09C62-g6W<W|Oy&?yH&>R$^f0Wgh?pk6XKN$e?q+gl5*t=m^CEK?w(2<H}e
zw?<Ztn#dSKirLxfWYs~Pl#dc}+@b5!Aam$ErUXkUToqIM{O3VdaYXCrxo8Joqdm~T
z(D>&;7I6sc=$>c?S|ekSPxRO$*d!E=J(R-;fATYK4HGlVz^~|dC=Rj~HZmUEf_aB_
zZvl^{Iw|NSQtVSmrU*ztpQ(b7%#Oe8&KT)u@;@N*Uq6t-r4;oO)j0`zNMSCIiv0=K
zqf<%_u^?_E)6{a?^Fg{lt`XzZLP0iDQ!BZh9g2Q$2F$>e#QmzqPx`CsPS93gU>bim
z$ka4CfEpc4zbLP|>#w@kA(z`I>aP~Q^TwdY;W75o#^C^)M1aj#n*yk{=AW?m8k7gg
zFCH-NznddHitMUci5ix#iyVgK7JlfTlxn~&bAzI0=hIzkD!+jiKGmVrx?nDGYZ2-1
zj&Z})$3Qj4u$+9=8idjs1i08&LbZR3g2nf;T;M8nfnMS^To7uEfz%po9iCcn04@Bo
zWv+MOt#PRUAlYPry_CIs$E|T;u0yGEQQYeGuncmtK7p@sv9?FCA%JO&L7vE~-1V<C
z3Ubmv`Eb!t@^I@zV7IV5z<m>&xO~;B>e#t7F9CV_jfrUbUNXR^@ZcLB5tlv@*Y&4}
zSbw*ZnVv@pQGRrNB8|83K?%guZzn{5?uQ_rh8`to`5`x?<ib|(Vwta}e|eLF_|dOF
zg~j4uq9EAn-+cNBo-S{1$j@CEdrU-cH`4F!UH8}yDD%Hlv9~NXWJ~@481a-VELPN4
zDoc-?Rt9<Xa+-}30n4D5loy`kGo%A#O~#4J%J6H-GXLqnL~z>qP^&5-)Ra}oi&;{`
zuqWS?Ny_f~%bNI5D=K;DD|xVBm6U<~6`4|tD?wZ+Z$rA4n`3{<D2uV9hG0)lEBh>)
z46&%3KCfI+jIOVwA^V?~j55x5FZ*N4nZ;M2;ww{XIi(^{vGh2YAMuw>P6z9gp#anz
zN)8$2AJ|n4ig#G&(Uz1&Sg;Dp{M~F_TEylwWXV9qwc*@lWtdCK*gq)PlA+j>#pbAF
zVcJ)LG!^pwmhTz7=L_~+%a8SMUH_JWYE3<=n9Dlf-AM3yJFe&VpcCE@x}YPF(Qr&O
zax#4O^VE=aEBR83A-MW1`P^fEVRT`oE=zaTgIP-@HOg`Px9TQ@r`QghYJ8tUJQ9jZ
z;;BAs6pW|=YY0b1KU_XzMi3a0z!(O`Px*|Rh<2=65T8P(ncWMP%fl(7Q+mIQt4fO+
z)I)BVH+qsF79el`G^L>?VaxzcB8875_36L6%9u8McclrUk_o{@o-&8DV`VDn{~y);
z&x37%oSm#0zBq<^fyOLu$Ta4L`GT{!0V|vxtC@IIw>ja4`9}1BT|K5RW88}Vhd%Rh
z7Ck!G8vy8Od;ps1L3aDaR3s?v`C#kC^jk0(!8}w*+H*?x6CF#J*j^L<hF!}89Z46~
zr7z8x-KPf|_=~2z2RghilgmFFV>=x`9%R8&|7?^#hw61l%-b_@$!#N>u^=%$jCVhc
zn|?OD(n7pwntR5M-(+_0T1FC)@f`)ncsHo@zXOaj_U$zhw{Kd95)*dqU$P*zj5CVv
za|Ha;>^4Dm`qEVRMh)3r4vIX0!xDBCH4nntb)eh(NGrcTa{AdFi}ElWZ+QHmI``1G
zSn|*>{>viWn}d{sQh^*%iX0&Dm6l*Bjh4ELs(q6dj)J_4%e_kjMNY=|`qH;frIYD_
zF60id@7=%GgtTFoa*Y+cxiu*w)xSghKMRXXdoBiBx=YIVI{ial-yi`~T4YXB>*hm?
z@7Jp+z8LOZ5$_f0&aqA925#nGy%+bm>EA@9Yc0|DiB1Pi;qS#g7zfu798$~DH>%$b
z_k1K^OcmvCi=%#c8=kpjJKhmz!^kb{l+$JMw=-nTUUZ4xnZBCtb@GG8v^DZ0+qzsc
zQClVFCXFE$!lrJwHPYNe@^RrVKfgN|p{JDn@%|2pX3EqX8q?9<CC8hG)>fmD+lwZb
zauAQoSlNLxE{J0rVl;ZZ>=QSZ-&eYYM}U$R5q!H+<&6MwNldEQ#o?$58^4xqh0`Dq
z@j}JwZ5(J-&Fx;zeO>O+;2PL-rwWyFT`zB<`*RWqd7;8oouQ^hLD{Z0-)^Z}nYFd`
z^kL%hLz1oyy>jQ1!g+r^q@CsoQkum@`a<tw{f4C`%bCb5V!K6UG21LZV`UFuVL;Dx
z#j99$yA7_)1$C?*RhH(mxZyk?{Wib?YomUFkMZ3uh@+BaHpAiqu+R%w09cIIyU7B&
zQTv#`gr|dr>|q=>g!-Ch#XpzpVcIRCKFmH6%4qpLKb2=zX<B6j84&OWyIoG<Tch}H
zbYD_!x#o(9wi$sa99A7rm|Bp18L$b|Ppm7iKUT6l`$AG5=sR70L>aiyFXvjqf6fnr
z+2}SzVTThq(Z6TYJ+1%`ySDW28(5CVyAQT-2xu=+8g+xY?#bY2+JolbgLHSJY;;e&
zj~2Qwqxx7Id~3Mw#o#`+2UQaNm&3z0UII~eMv(kK_vP?T1|Vp>n}PE)zmxVyC$K3D
zT(4Qo$^Yh?I5NRJxI4V>a@o>ui>9nsKA%dVsMnLzbR;~X#R`{`5QMeSZTVkTa2NV!
z|C1_~5WTUOf~i9ghGPwgM}6!)SNw`g6xIJC@VLYA{5SG)hx2+LX~6YXN4r^m<NCMy
z97xyy>JX}@cG~`4h`^w2HRzVP{}y<8LZxl`9`i^)z^!K7JS|Aiv8IP-$&_`hdy?m~
zuPk7+635`Z6qi;j+Mo9HM`d{k-Yd}m-+aUieKt5iP>vJhb8u*rO8TFQk>Jg_xm6GT
zKh4O#<unbgbl}}B|J~$&cYO*gUQ;*R=ryQyd;$^f%J^{m)QLSLHXO%PsqQzI_fi|Y
zb=!Ec!?N<UO*vRZ^*A$U_>^2`Ity=eJZ*D4UTivhjk#W2wmfI;nVq-F$^yu4m)+*D
zA<`5avDW-feZ=12KPR<XAAjWNyslfaY;)mjT<&3_)zwJ&GVATjRhe)BK$Y>W3i0F6
z({{Nvd-*lqRd*ZOcx~3n^|+&P!WR2?C3?M**=*hpXvsuVVwSjE-m0B+5^KkxySdt%
zbr~yfb&_>qrTy^m^<l9qp^HO_G7O@`e2w*kmM64zWT-4c4Hs(@7h+QjoDR+hYhnNK
z0)uOarCKL9`~S2><}O-z3QYu1fLsG3%0gVc#%M^b09DD4kw1FSkXPfN!Ey}5ciZh>
zzq!=m3p?^`pfb+IRQF|l;={W8c$h$Kd1DXrH{<24K28`06`nh^=9y%r%wz1gg@P!D
zXP`@6fvLfh`+KWXfVsEN9nOAz=1+FJwcwT2=D%ULqs`jMi%}k5$~!w-)E6HAlH%zK
zeZn|%nTD2QWt!H-Lar{2NN!j(fuglmUC~XI{bQ_@c*eGTsmuaaj(0~K$kZ>2Ufbt;
zV4Sf{D{@XNz9Tc|H1j(;a!xzGBO>QC;yZ@g=OfG3r-~^x*ZdO4XV*RKlTUdmqp&}Y
zC|mr&2d8$smPZl4OnPmf;E{N0GOWls49RXGD=)(wkSHTln@YCIxAA7)Z5De~Hhh=h
zt$~`n_qsP)(c>-4ACNLhJ*l>*Wd2Zb<^7`*zx4`fX^4}D=>b}kpXot2MLus|De;2r
z0r6<0u4d%g<RNtG3b`Qp!nHc9fBf_;RL3s?vA)nS!Ip|@jWkERD;&|*^gIp22~L<_
z&^F3h-{wbnAtYT{gP7KL>Zu~-iX>ZxGU4y#<QD(LD(&m+J1Sx*v1Q_42v2k*;dF*!
zjbqpx?vyZRL_YqOmmXT(q<dppmz~4ZoSPFx#!$%>!@_X!`jMxU#afquM?&q47<xc%
z8D2W2)T^0RYLJguU%F5X8&N)$Umk%+QXYgopI%Cw?`i&{1I$_?(pg&O+cHo)n`WU@
z-hCl27mTv(*gO*p(Hgk8belRdOIZ;z^KJ>4kAKM|Kgpd1t%1tNvz<dHkev+oTR5^{
zG!HQ-C%qQb@@`aS-6(wWF!*%@d(7HUvk|-{^aHTfWwzF#Lnp|cC!{aWAwSlGR0G=(
zcy+Toav0R+@2xfH_~pdsuVVTT>3(JOwMipo(VVuc%=$>uPN8dwb=37u4R6zb<<icS
z^42pvsxVAV?`!*xlx1}4nAnUO0i$Wi6ycVto=2vd=&lx#w}{-_Lw&qX7AhCxB$DWE
z7O^e2a#@m~vY%I1{tQA~JP-NEoi~D7QP9@bH`Su7+av9u1z;ZsM);^%H?zbj_JEti
zEcjShscI9GNhA_U4*6GViBu3-RU#=-@XsVNi8DBRkK}^RL`um;xFk#UHsw?Fpqri6
zjq6qIJtTT!_YIl5H2A;mH~Brj9&VE9ag#8VEp41FP<MKVDqOeoBwAPLzFwRDXuyfP
z4ujgfvEnoGaq^m$XkUrddV8zrNUuyc0T4R=kw$HKRLAMKJE^kdvOTXn>$I)!cxl0}
z1YbV;HVH6P1CZ((aaLcC*<R%zZnr_#L*Zn?eK&rB?6&8j_*d5+DdW3T=vF`RTtb7n
zqwri}g1KYyTmphy!*SV^-{fHPmg_cseqyozyE<=Me!n`OX+pcf(ChM(&EhdCYto~4
z_R-lCjXF6q@xjO$ne>4Zv`T{{t4yo+k)~0YiIiH+sYfKM%&32nI>{|`A-D0H@ualq
zkXlWxN1XpTGo?(Fc>Aj!MOxEr=9a2bP>P1!MsLQmRPm&8?v}y^k<7;OKe-i_quq?D
zLJ@nNBG@BWQhm$2XPBh=karZJv<M@&$(cb+s$ckd{6jM&K~;9;wa`UjhC8uQz=AKS
zexvYAN>j|z5{sYVDPFE^uZT)ftMrnqkFU;6@^oG5SJ=qlTsKpgE!_&`7wl3j0dCHN
zuk@zzSklI9@pr_vLFmirLmg2_$z*$5si4~xqQH@x%aQ@zxTT!AdmQRd<onk?C5;AJ
zQqWT9Oj3A=3jLxLnf0G*5F?Y5u!Dpn^2w!xx`iTkWRhTm!q81l5ISfH$rLHcW-wGq
zf)q)349FZQ$*yKqAj?HeUdmD+=j;{WD6~0q2mGliDxg*QiokTvTz(ya27;|`7K3ny
zY7R|a-aWiTL4=oYn>bq-`On{^Fn5?F^nL^yreH-w_f}~^7ekwY{Gtz7xAqkHxAqDK
zsBS$5sBr(os?!Z1gz@F(6K-UjXFw|7e`AxfgjH~e8zU{F5`+<TOe`$^fQ3sXlK@tR
z8=EI&ir7Sdu3<2At<MrdX}`bVg2-zW7?TB6!UV7EG3v+m_CRBjLi9tgX$p#=E4<5{
zB_X*n>`w@ga&LnO6bYc=3-i8OP!=16hej6WWrS*3Eb%IOC?(=`b(BNs*wRxU#<JVA
zy%ozrstp5fs}ph-{F0yTB@V>iUs8Z3GrC+F7fp33UMg?<;4|;I-AR}HYjdgH4!9{U
z&$mdMtif(%uT{Gu;h~M^;zfbZbpG$N1z@f12~HrpLB6fh;cvhH#3P38&w5(m^mu+_
z-+SYF=ZmAKYYD0MdfZK6J(@M098f<PU+)aHbRYujr+;nyVpfGnSzbv|s3CA$?mKc=
zWvBoh+q2Nz(cHrsrGlp>WRWwZNeP*PIAvUBil8t>Ty}~eBI(p}y+?lCYUvcgk2Q;k
z9ZJzZC1jBlXk-GFD1wCCKxcE6y?W(Ouqu(W)HK9ql^f({D0)&8Yl-}hnvas<{9$Th
z^53z@6!z=$M-ch89W|Lu;41qq#FF^xu}iRc<?<RhD>)rtt3oo9upuk@EkfiSj~pE|
zg%a^wwKG*q3;pSFdJ|_1!^_34A$CWv(zUn#;5}POKmRqV&6Ky(JYC#B5_y>#w#<$O
zs<3I2?LMe*rIV$q_yDXdMt<+NcLML!hMWBEX91gJO%F3tFO8Ge05N8uY9&6n>pGjl
zuk6)<MT1qETwoE}lBp`8En-#vyW*zTH3RM8-S^B(vSzi}I>2yc4iRA#{zvX*0q%$y
zms-C?D$@X;Ptl>6g9c$mUlzZ_H<D8ZL&HSoqN6KQ2FAqY29X>gAUy7(Taz2En3&Dq
zpIUlGDZ&FVxvUdsJTgwGT7@OmE`PHx-rGA(M^7&p6~6iAn|T}}chG8g{A+<=DSzJ7
zqtA{m<{0&CZ}3JxT?8~=+en5n>6O$92uNDf3skCZT2E!tsoi`x0{~vHR<Ar~Dll|V
zTUR%=84kL9ULV0tQ1kbuo`*M&x2jR0-8-if?mm1y8*8uS?8YySC3Sr{x(H=5BQRO|
z*g(e^DK4{-b*anMqA8y)Rr8LFuFRi$D%20kn+rI<Hs{6{kG*+ruJ{NE;7Rt*YG1O9
zU94-l6K{s;VoV$AiGURB+@49WhzyR?cgJt;$yn?r{Yhu}r*V~ID3xQbDymCK4a}=z
z8U%648U*U;XT=pYRA10;oGHq|1DaxM4wGbA4K|ZDN}zRv!^Nn_&if23rN*e*n94D3
znmV0#k6=fN3w6mFb|#I0S}H(o8P%%na<uI7SkhUs^+d5XXs7M3=>LYMT^(z~RyA#-
zrm-H;Og}5FsHFlHTjQ84J5oEFH#n%7gve?DfAUZR!D^c|F^xfRuO)22p>j@Ut@Sdq
zoXm372qK`iwxiZDVT2k`YdPZjBZW?Dz(Uf-JL6rW`o&FIbvdbFr8%+I+CyPN!)8rZ
zqtP1oQ1-u>3lpx2DRihKMc^E$MpNMSnU%m<gDvSfOx^`_yNF7Sz}lYTikn<+Ft4;7
z`hVHx)2`YtT+~c^TR&Ys?3&4vZoWQ_68YvlcWNegttt-rBSr3D9xn4~!G_@cb6fXI
zS9aNUq;~w&-E8Dvx&IZ<+R2q)e?m^qaaL=Ry<t}=v9X}u+KGq%W5O+_2!?ec4?k*x
zs=R_`<1&F>T0KFL2>|+1B(V`tZ{1PKx|K^>yGtzGGeEU!*ygNHR&Ru05`|S_IOCd>
zLZ_Yy3mqjU=YRyL6^l|b`zI?+^L!8ByuLkGct%@U^Zxmxuvp&dw~%bVCq+GwdLP>U
zGu6$+E}^t3!C2-g9mf`y6A>QTn6sTXwTfejq87kXnOMpnSq356xaXOCWHmFiyvT2?
zDWfZPEnTr@K~C3P-Vn1fP+A?iMX{s-tXNuxm5;OkN(+&pEiS&TT<IxpOk2sbtQ)5_
z+Zb_eUa?Lb*8tl9WpOaZWzKZwu-O|b*EfW0Oq8@_&+Hor04o!7C~B*9WoNQy3JuFw
zKWo=KEw(M|ioTkJlyyYC`@0zqnm7H<IU1_k2p(89Uf*L(G>+o<QoqoeeHR#oQw{Eo
zy7aH`u(e&9Ls14)9_pxvym*F;FLZCT`uRlW*WMI_sVeGWHh45Ygw1CJWeS`cH88lK
z-A>*-B@lJ$K1%(}h-!G_u@W%1($STBw6wcvDAD_$NA!xv%ErZt%xpdrM})%5lc(XU
zD2)qkPTWeLE|~?Asxxq_sfykn=~SlhnWGjes|x77CESYf#B=*&=HB?EfOFM{bD@vU
zY9)%B3<41Q6r|6XNjV9ZPPxzcFai*jZ^4DH7*mh(lE?21>DRnH{VB})sn7}s?ysy6
zA>_?d_@%S>wX?jGtg%RRFd-?1A{YwhAQw&8<N92v22?m%!8`=|di*&HuG(2d1#=kY
zdSc3YVs`M{P^}WGiM~J*d0NV&zChT*zk3YXr*jmnQ|5(;%wQTv{cZ)0AXp%D9G3-)
zhpZTjgv^RpNCnn{LQRLJ1P6~YzKK8)6j(tZAv@P|?WIu?8ctxK;?5ZV#dl;ZKMdNC
zk2{Y~*Jn=Lh&4S=#4VjB?X$4eDsj=2zJf7MROG`|k#`bh%ZYPPR)|@7>H#0{Fco5i
z2Yv`~QDaHKX;u-awZK*q-k|wpo>6u#ok6%1eCs`8V)A5;rXn9mLNW@CVEWdZW@I?_
zn-P&*T&VY6(XRx=YV-!jbe_C}mbeo~#lFpGRD13XVhwai`=N=0S;R*o)?ZkvjY&W*
zHYhf2r1;kw6DE=5M|-0bQ|OwGU@tok=a>wic|z{)k^;!!fQvKcOi<8?jxX#^Fp*vf
z+cQu~p7V%`oG;Q7mGzoqm$D_73d9A+H>JH57({r~vrf$0ad4$Z|9vwC=r(WN-lBlv
z*0zbX={MQP)80txSI!XsY~U188MpCt`6ST56Mk;jwgG-~k5wZ&Z-D!`5TAF$YtDzY
z62<}zGB=6U;=6#ed2=~4u1{k)yii5`dIzIE^nvD!{yrq{lE_(&UQgZ^PVYOmuN&<~
z9!?GyT=XL*FCziJKN9#vM0QS1r-mQV5cvEI?VOqC#rrY7dvw$me&ogd$WQV}MexE(
z@`y|DLQC?<MexE){U|IUknzf|6Q(pA81L*OEdiTWwR+?Rhom0w-l(~DLFgQoB(!Wi
zMQLJh&D;!clKW+@_(vl$mDXyU_%izx3~nvucaZ^AyjsccLAAqZM)DE#w<!`DRMRlq
zSClkGft9S7f1vZjtWU#!)%dkzuyQ`-^5r`$fBfPV5z<lfpu6*@V@icv=qcnRyN%mx
zO&4DeEkX;e2t#xiyKfp{N4TkL7p-p=VaEtZ^awh>8RiGK5UZ^ae%4odTOr=8ul%+`
zirhjo%`n49(8D{}q$L=nu^Mqnw)hDHd?-@C2Z$}!cK??hJ}R%EJ*TF5x6wh%!yr9o
zFU+MO7F#1TmZTVBv=llbM}lZ#`2EM7z398cl+fCK5PiQ8nX6E+TwL0dx-%{c{V{gm
zFD%rsRQ%S#y3+0a%O9yIt)*UgE%-g;5@X3&I{q9{t<J{QMc<4V2pDdhSQ>wqBH01f
zU*~cGk3-AA^3-`Wb~ci#vLo<TDqZx)v<@kN4_Es$B*X#57TxNMv@AWyxG*#AePzzw
zg=@#ZKPu#Y=LEdyC<@|l0xdF=UK~X2Jv~^f$Q=Xp$TweK1^j%j+x9$}-Z;zN7%i%O
z*@1S)M#;3crods9`S#XwGTZaIm#68oP5D=ipNW>Y4z+2MRhE3I@*h3#QZ8Pm2t^uQ
zNL>Hyq?Fy=JFDM&FT8d?M&xkK(nV?cBkB6{+Cn(mLl91Mi<1k2g3khArkY_CAR$O?
zAsR1~q)H)mc)pv>4xb)0)g9#DT<iKI3-6`~_ZGSrd9CW!{MRay@g>=|t#I@Cj8nR`
zIoY|SpfFZTstbqgq^%5lF-l4n_Qx!%t?aDQ9BY);>?tPO`0fI$0F^929-so0zwQrf
z0*XDHuOGY;#r6<&0>4)@w(G9bmKRopR4vO2ywypwr%JJ>YJ}O3?!9=o9OM7;v8O@x
zL%}sVJTq*N3nR7Ruk0%53rTYV>E^t~Ik)KGqfv7+>f{wio#_<a+6pGoRZ1Me6`Yj*
z=C*Im&ZvSb0VvKQOFG)sGNDSUmHtL#U5{RA!)<nRvTWtzTo25!g^+WTly!rbe^+wq
z6cq!voC(-;!emmp$8uQ%HYB_{>>UX8Iqakfj*yr8_H&(EPT*lmz7s?$!^x#`W0t)#
zI(umi>TWW-I4dfNZwVu7FZnACGP3PDak{80Iq`4J#mmv%`zyf-xD3H-mj;NiWlWMr
zahnckT`0TPPbCzf(6vCQ?*GY5EyG}2_b=$lMcL)rwr6%(DaOF2pkXsM@s}Y;bshPk
zL+Rp@hdCc&W_oJjIWm{`8`Fyo-bH~`#EfRlI&X1VVKBwXdh=kcbNrXjcY=I|8ZiAy
zlwXHs+88*ln!ZfUt~EHe5KwC)kf&`YusR04R*j#bb{^DGsw$uN@_TTv72k)F0cgx7
zKcG@4B028vt0H&EF$&&|51i?$sVd06tmP@AkE7+U^T$ri>12LcW0u9E7vL8EZV#Ht
z9D#}v*Tij#fW@ZyXC5m%_Y-81$nhn&X2Pe=S{F&Ej?PLT{g*K4zHcKZC%+5va&%-l
z48hII)dzJ=Hkmu4#h^Ptub17j;p~ClO4q7_t(*P%@nu_%`$d?m#BBCzn^)}OEIO=t
zps=7q9s)Il5S;83L7aZ92Pq+5`C)K|u!yWi9wMu<L2!l;58JM@CG6Q;^n4j2vdVTY
zKZ^>0FB~d2z?t@|(@`r6Tm?@K4As=v5V%6&pu)0mACK}0*dLrZjNQ}=-(K(D;4*=C
K6OX9~AO0UJ^cF7w

diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz
index 561bf356dde6e249a4d63674322538eec97d606d..f40e96fdeb5570bcf54fd8e4f6dfd6f6cd53347b 100644
GIT binary patch
delta 7553
zcmaLaRaBLYw=QsycxjOC?vM_FMTZ~_i|&?|mRcaZgwhHNL>lStMwUuTr?h}{cW=M{
zK6{VvoQrewT+FL^@r*I&uOYnkNyB!_6M*hL2FAC+oG<_ckU`)H2%vxfDhQx~06GZ#
z9b$k0CJ11G05%BVfB-HC;DG=>2oQk4QxG5o0U{6}1_2TfAO!(35FiHu3J{<K0V)un
z1_2rnpalUs5TFME1`uEb0VWV&1_2fjU<Cm-5MT!Z4iMl30WJ{W1_2%rcm@KzAixI#
z{2(9z0)ikQ1Omb!AOZrSARq<;&p|*O1SCK}5(FS1AO!-_ARq$*vLGM_0`efB00N32
zpacTSAn*bNR6sx#1YUxG8VIO202=!SFdj(qn#dKI4^zfZ)LE}kG|zs9jJDiHC{&}(
zCBg2J>FdK~V)9-xk4~zyy@Ny3bNDM_>GA0gckD)=Dg*qZ6PRAR7f|{CIg%O_C9$nq
zep8*vko>Ih)$yo$^Uw{FW&thEVflbVp^)#Fl;o+RsFF-Ig-`amofmGwzFa82{4oB-
z0Rv>$Q*mLN#R+xvO1gpNcq*O!Gd=9#Uu|bwid6<?Q}5i=V55Zd9ri75R@^dZx@qtA
zQ<evs-&B3+s5&<E?(i#ayO#T+?u9S17s`J_fabBvx3{G|F@utFWa1<A>);(!Nv`nI
zQ6h0q*3NAl>Vyspj)`NvtcsGVfDSA<DLM9|Z2>bAOHuTTUn=7o$-c?;9||&=_s_b=
zHL#h2T-q3;DZ>5t(9<v7{dayg8_>d>^r)+=9myW;zqLtGQD#3-+mw72Q)tn;k%77p
zU+h?;ELX(hN*Pg6xwMK)l3#ujvGqoTA0KRA5$*(&SdwD-uieT8o@CoY`$J)(^1OBG
zjF5!`5*7?E;=tREmosWJ7asR#JF&>|_w0<fnfL~!5Hv%QXEb*&>|?!Bx{l_0DSayD
zwX?r$Nc)TJ2Bv(_bu&(}_A7UicFfstHGYUrmx&Zm3;7Wo&MWe|yu<q5CY*m-T8!NW
zr59kcTFa89Oyj?YH}$%#9iYR~aTgXD>%wj`Y#WahU2DmoPqLR~(BxqCXg7UAS)1D=
z;JV@Ib~AE&d@9p!;-8PhoWW>W)1uobPo&&hHyfSn`Smsk<4cA#4*UKPvP{Vzae|wg
zHxJ?CKfUNa+Gkx>lhrF-`c;1|d%pQ=XfL01w^45`>Kg0vq^VGZuW#VeZtW(!=ohc&
zL8_g;PMk&J@HDx1iR|XAO;+eABzwWNc}}%T9<uX0tF)dA<4Qf^QQ*_6SHVG;cH{UU
zjRhBrpm}e(p<P8}`EOL1`Y{@1TWe9t7lGVch@BYG{5}6uFOFMyS3f)yqCo;rglM4s
z6X-C&MAyfARDI>3t!WnYj~&w@+nu-Vh)`_|NP5%@-l)$+_1nmvkLxm`wUdrvV-|yS
z={|YPNoy}xKY@;(uakQrUe4&Eb%pk#R;d(1Nb7uqZfK@%WvGI7pPKtf0VpHWFG{(U
z*JL_~yT8Ph-5k%h*mDitWjQGqajZ;?mcUB&j_zpQ`%mya=nN??WEnR_&I_IXxpwKN
z9#I$h^sS-LgT=;z$hxf51nVKbM%J&5Z(V6vbV?W^i-XcJAn6rZRKuMZMzXk#%D~jF
z+z+RfMy%{Ee467>mbeHcU<Int7h6@4zYlI9q$Q6}I>Y3xoA;wDLZIrAC9=}1{4j-4
zj9bH;NSoKCR5a%(86!>`0c0xnDgrN)jgp6wZKtz^)1j-^W)*MZq!@8f*Rev_d&ANQ
zbn9g4X?r8zFgeA`)y&r!B<>-7=O1yzB?H614<juofh3_EeT>SFSgQhVl6h4#nB4@(
z2jNQo`$}C~tl#K$jl^bzcumCDQDMG$Ydc^yTZyJhu<DMkPImIm$H}4sskx-d8(ykC
zjTe%(-R7q?m@Dq=Y3gi#<DHsJLeCAiN_>J+f85OZlG*b|IWU*EZ;g-apl1(JQAd?1
z0v04gV_(V~6%y2;XFqM<iBS<o_#f*Va-E&)J9Bb&VEQ%8%?gI{z1GFBLV>N6mM)Uu
zO$IJS3<WMB?FFI}96(TB^aLia`qJB5Usuwl_qnI)(~Qw*g_1qRRf~-|DcPARS+sy8
zrJQ9HEHmG;Zi}jPsobbvB&*0N5^^SMB}Ker)?>~+Nh0LzL+4#%zl_45A{JqH(VESv
z?v|#cDwsKt7BN$RcYYQ;pM*gVUz1casBk>5Hi(wZKI2p9oVB?t8t%VL<9}7twc#50
zDHLr?o$dSeJdwj$0_zD%l#1~4>MoYmtjNd^Ok!>_bi&$+$=N?4;B2m5)3QSq*}aBj
zn&<bcHb}V5ytltvAaaevdwBND=3LA`@b6^F#Pu*{{E)Uq@-lY%W?q<$&pVRsZ?}Uv
zu^Q+&1&|@b$qlFgX>v_sENIKkY{Ni-ZPb-|?wq??8^S}Z$6l;8nxG_`gcIrJndP>3
z*hGBciGk4fi5wD?Eb00w7MROcs<KP_E$wnV<=(>8F@Psb^B22?f8~+sY74>(+{7BW
zkCrshE<cpW{kkah#0NGdmjKdYLr4R-&kVPYFBKCU7+Z#pCaqGj9sjhcFCJKrvX%7l
zpjU(Q2P@Ne60f+hZ4W2ee`na{Df>dS%W66xhK}X_+CS?VZ$5W0dy14u9a6ot{G1Li
zDhZml`GqG>?Pyq!!W+Q4bo3TU7-uI_B<1Z81P492jO|0nEe@=p>OESrf1ObDoB&0J
zitOhkRnY?(BvNhpQG+s8GggSC54wFTvy)a8+EWijG0`&O!B;>GT+{|#P2I+C-`ux%
z#B+t*B9|jtFmE|veO4v*RsF&HSDQw+`E~o~i*2^5Ut^eNH%q41Xp8j<L$5;o>NkIT
zq#azGq<PK_F_FXeOWFD*RF||*;*<S8w&$<Y*umoVs*+Iim<d?I*fAAU=tJsJ^VY(j
zmG$%;g*U;x)z|KNyZo8<y@SWU!CEb{79$$@X5;RbDWlZ~nLY;v%bvtm6NwD%N#if3
zyusxx%(M#^zW1ug7`V%$+NB~dR(W64`R)*w4f>Beir&HM-fdmBT`yo<lb-OboAfm$
zx-%@xb%H_I|2sHLQ0h#=l`5UUv{z}T$_q5(H8J6@7KOytxWCq+ANtW>J7-8_SFfJT
zU=lNLM&ycwY5RSXug_)v!@@O3yS{(Lk@0E+!nq5rie;1QdUQjy@Y`l?#*K37HrC4r
z*oRu%oA#c&2~u2&bBrodbDnl%|MQuRsjrG9f=ox7&Wlf?>>~2TiBkLU6|`i~tK}`E
zIu(g%9tIG{tqSc)w=BlaO0S-O)svno`*E~!DfrmNfcEkQor<JE;X&foNUamkp80G?
zb)eNH;=pdoSib^H7%Xk5cD9;9R7%sf!5UpW>a>QUxATeQBarb$t`g>%FglupKU9!5
z!5Rc#Lk9)w37`z6a(ZAfmUfCD$%dNZY7@d8T*m4m3E{dEdB1E-xGhcGNwY?VoX1<3
z6#B`yvXbbA<4kv}XjC&dTTZ%5{zhdvr(;Cjs)tW47e@obwPejtLc<ZdEPBoZ8@{e&
zcdsypHZvKM-zO-)8w*#=xWPb3K1NdIZujr{ZH)WEF7WtC<9Vn}#2P*Js=n5Qu_-ql
zth(E-yniB~ri4sVGz}rj%CV(%dWMnqqp;oaBt<(~kVTh~IA7XQVXPdttE_es@+F5d
zdZ5G@MRsr5EVz-$H%+O@K^YU_1pL$~?5y0WI2vAdf&QFaD|6n-HKan*@{y{Q)03X$
zUAe#5k&38sC3s8d`V^5Sg2|va|B+xOsbdmrw(>@&Opl=#FOLs}m>S(RaL4hxhT<Dk
z6J_(PV%h{tr=FK3s>s@R>8My5@_vi(oFjD#w3v9$1ui%*js__VdqN)Pb(9+Wv^zv$
zk~Qo~O+8@3f0YZN8Wt&RpwX<mh|PK*t$_Q?v-CzS<wSyg-<)4K-SInBAJT5Md7~=A
zGph;fvEzFNOsyRd(%bF(%``D6$_|B&u16wE`AkX7iKU6s@yZ8NviLkJ@lwfrxnruc
znJf<1j9n*UntKalF{x&TaBo|w;KQoVs`JAWni6?at-egN<fqNHZ#=!hJ*_<QC(<5M
z>ZB*6<&@O(FFw**&4mfkstyPL(}#z61)n+2FGCx%(`+}R{qBA44CE0W?Oh6CDJ0D`
z#yeK!n#~TH4q@+32+24@t%V`xWttKgUfR-o@((xLhcL-v5qs5?y{;W)^I2b;T#fvR
z><kzaY@F|z5Q;~fQsg7Dqi2}alNC`m;>t`M{NUR&cs4Cm@b}KVVVC3W7Not5NkWm&
z6x6K_;>0(d5_|gheKO6Vzs8pppZ;FN#<%4rR@V4H*U%&+FE8vbdY@Jl&5-o0HMhFG
zfah|c4mOics#U9Oq$dp#_K9Jz%%wciI`?lmkc4P)ux)+3_P9sqXTr#P9v(>*U7@Q*
zPAEJn*z!XJG3~I`BNJBpe!F)(tTSk$Z+l4a#=|{}M6m4?M|w1yBc&Y=;!L|gCgrPI
z&oVKQSS}OQ-8vuf!0sC6MXV+k=4nYjkurHE#V4>|VNI}GAt|(4A&0tFAwuxW<R@PC
zslGYh(!i09ZzSgW+4^tfcD9pHmrKImbqgsq8uYM^h+?%%M6pMBR+!fT7^Zu`5^>N1
zClML!C>N?-z^+J|NXKs>Q{}IdaA<`?{_Ya|y(1!^?Ew695EgODSX;pMGT=X95vYQ1
zpQV~m>gJu2_L(#q*LEMvOtx^`z*02zJ)g@tMTh{g`C04unPS@2@|&-UqU!L|3oh7Q
z&acuo`)_lZU6?5*gavIE;i4-$KW$BropMbkg{<5Pi|5}x&<hXh96_ANiv1wmAw`bo
zEmXU0JR|2q(;IcPhqcvu8SXl#cKUmZFD~bz^DEl+w#MTu!s$*;r~H=(XV1&uplZ);
z1`ah_>B|DeWlyeLuX2-HESJvRzFoi`e@BYB5y~}~<D&oKgX&0g);ffdguqA*yW`vz
zDsqmar7W2oSdB`8rjiDYhUr?$L3t*4ou^}cb(Nft*QUBy)3<c-N$h^=I7;;MtTkFc
zA-!<F;op50hY8)d0@9KXXIJ@)jQN$>8_i5}Tugy>wpFovDM=jyo(oBP$w@FXfs^M^
z>me+cTrC#;_s{6pW9SbuE~EBebB6UrMn_oBvD?s2lVuu*VN-F$grJ1XXZ?L;?C>MH
zszYgM4Z2(~+evZ_E)FcYp49#PzFqQakCt<BD~Y&i@mrbaOVH$L<n{y<AOH9@^Ff?9
z$_Vw6!*$`?y>kitMnQ$~A3{7Z+Ez@s5#376WcX?(^m^!HPi4JM?adiq!-tp`6Wo(C
zOBEw-c3+>d7Mfgh=D3;{*_Q{l_J2K>zn*_BUz(Za)NK?9r|sA}FD)}3i`&LGwr-o@
zp5ci_E4IY)8Y?|9p%6W6sJ|4ZeP4Nr=Ob!ST>t8zJCcS^i7pT68FeHL4B~VXkV6<!
z7OymKRx|LTPmhQ;88NFH+?8Z$TpD489Vf!x|KdNM{6CyrCw{6Tq4F<IN*VroWfhU&
zYJkdbLy)jYfBJx{*+FqRu%;RJ4uzC-|M#+s|BQqD+C;VuHwk$ZJDDn7@w+&LxtYsK
zTMDeEo6XrKT-_iFSTmo9jMebxTY}J7$aPdb8InVG53+F7e3&Tbq&TwQvTIZ+h??)n
zL$!*xcJK1r{<Qszwldp1lmBZCouX~m>8ff&5mFiAOE_JB?CZ)CGO1g`{7N5*ox1uv
z0N)|F%F}Z|y-a5>9=Z?U)|(j&((x1ZX~81<tD4=9ez3+j7?i_Y_<C*tz|LjmYK7Tl
zLGT5NVBzD*MVjlvB7I$0n~AN62kgTTX=kxIDN_`solhN#UbonezL%xsEw!~`7t1Wq
z;J);eXg_TCk72gDsN5oc1HO*GU-*$y@$2FFXXEF3pGF~n$$XB)K4l8XNsElYv|z1o
z4#LNWPH8XRPH#Qnk@^d7nr5U2Pg*agI^FSEteQVePokq6U5A)Hp6cBy4lmXYsg@pN
zkIzwtKNH@f4jdvPXx;qKhAV2a?Nh95wxFBhi-z14b7Y|;7!*GV;TzBoXjyaqV%xKu
zMp9Njl?eU3QpM3JV`FeB)S$=e-32Scaj<TaX0?81_jn>|q?;lP{r|+hrE_UKUMuE8
z@Fi&*K>|PJj&*QGIb5q>pZ6rYwCZ!?hn31ZueM{+!Tde8;|SEEO+VEYI^qxT29-{%
z)+}lp4gc+c(iO6!v=!n0`d;hlc$j8aegK_gxH|+<HoR%MGDoSBvf)Tw3}<Yve+`wU
zm6&k>)0cJkw}jAwD8->ESXo^*Pu(edEZ((5&+G0^dt}%zNoMn;ueJ0mc{NWHSK975
z%eg>(UUo0@i)^`(MK1JR7q%9%MO)<<q&o~B38kV5ROd-#(%VK{vR{v{!Ia5^GED>}
zHXM6H@Db}s(>W#v9HIUcW>-;c=1Za;FL0V@YNo16`}u^o*d!w{D6QzQCq1||eDd={
zEKiLpOb;3Rx&POfH+8IaoRVE-!c}9+5n-XG-S`_~1Vq+OA{gJ-X8GI|ermJ(23}w#
z(}arsp{Q8R^GJlvQiRSIS3luHGg{xWU@+~8Q$9NvXCP<%8a#?owYWvLXiIL(iM{#h
zkKN0t&tEmXO*;rKn9n)>FJH1rBpW~4g)d^pL~+kLONk)g;iA=TuWS6ed=<e8U_%<>
zM`{hF=MNCve~w}!Qpn71j22fuya`|9Yk+O7l)Zi4>P-^2Ra5e=GhOYegZx_p-X$z&
zuye^tUGa<PYNZI(Uq!OIVKKNMnL-=d5Mco$8HsO3s6vBBkPsaXNd5kr0t<NG)wq|>
znTW1`j+ZjEqF@~{=7q)ZYfC}z#T#zR*lLqQKK#p<{pJEH#V`K)681m9l+uwyn_ID?
z-gqFe3P+%WxLALYd8KR<e)j9WxA6VeINYl+t91ubi4bPyU;!?$__sdLM)r{f#y(Cy
zzor#r<+*5Tchw}Srf=Pj5Q7E&j(r$Y2wCAPVFfOlm=`8SM|s2EZXjgjd_PgnFH{jo
zeB8OX-8+ZnEyn=5@#L^32M?DFyo6W0^cOD2C#N@(651`ArpdrR!0dK!qOu`DL%p;s
z*Qj9(_J>h?9P1AatB<01-`cL)BlmA#?#}#$rI6`#75EkljRfmvjGaBXdsKaRBJTb^
z6=9AiJ6k%O_$HF=yothr_e=pM{A$sL{M5X)_OT3Cy^7^Xg=zzPgd~eg(%`?5Ntd+A
z`R+WJjkq~ODW}qSt7g<DxA(t|`Ovv_ti}wd$Pyp&ME)7nR5EXdbHhy1@&l>SW1eQ=
z6O7H(E^IH8QZeX*+F4&Eo0D*36M!8@!dsfIuaI2_R~TlUf^7!dV8#lbo(QFk1gOnh
zMWf)p_gzsO`A%g{kP|7}F;S?K*b>z(<9Tj7?w%cX=2Ig>=$?wsZ^CLL_}7R!+dVWG
zUm2Y+Zk(nH1`DE!hQF%86>xVN=$}+#Y}%(-Ki{W6KCvGP{d*WI7Y7fnjPR(}xP;JN
zE1j7nP)o${!{Vlc`S&HAVcw04Ie~CBOtIIfw~|u<3n(cA#01NS@fW7lcoU1}w7SnS
z-k|22oio2t{<kmx((+z7S?1&a`0{%~s*HEgsNEDfMaa=bLglN^k5^>w1(}ta0au!r
zgLN6Br08u)k0vNJuiiv_sN#ja$a?CFh)loV%xx2>lKoL%=Tcn=tMt)LxA3+JMnMsN
zbv$Wse1BL+ph>wO3DbXiA0nDf_5YIcU&g#2>l3Z*R`wC^=8o}`_paKtbLK+7D2(F2
z;L*T}Xc03Kp>ocPZB!Ak<$B%boCm|D4~xB`Mo)JQOqP%aXRxYB%(?y|bH8b&VLgb2
zuJx|R`%2PV_pwjF%&H%zld6_IlLq^h$B<9EI)x|$4X~>oTH7g`*?sI$AA%}OR;pt?
z^c)a`*I^h~eMr7rgS}0TdEYFI#LVH*qMls}&Oh0CfV7>WfClo;yO2LHm}r3|<~CEz
z=D;Kk;l0scPA+1%k@@oegUoW{zp^}fZPY;O%d=-Zd){j^lZxv``i_D>*xNdqZ>1ak
z@pT|-E?JX%?bPp!Dqq%0C!<KxJWd5@bm>3F^eoK#T*7{*e^qg0^54d^KQ?*Ecprsm
zvbkfFIr||*s0Gs<obr*A21Bs!iT{JlO}`h?+f?<JEgVDSksKepF>`r*?%aAYD|T)R
zJAXW1CfTTfmSOoRVCO#`zu*t3cGRVlP1{`dU=o77xvw<+buhBT(1WM}ZLoVu<L^nt
zM2^<CrXhE6I6>Mnk^SsBzb9KA5JVr<<bR?e*Uf%}k*RkIV7)H1RgJJd17g`fHLUtU
zQ(KFO^-#2*L!IfP@7u~oe81yOY+dZJ%U<Oe4NT5JJ4lwUGb&2c1A=_iA;ix4NTtKd
z`q4X4H)!q4=8I8$jkt1Jc|3CD6RZpoP8o#1#cScl$n#JOrxechSy^KH(6`@mTs3Lp
zW=q&b5-fN728pKDo~r%y=YVq1zmxtT)BS3zGLWS%Ewh$~ywMw*QM(iE+eeQiUAua@
z){i1%+VO$#&Led)m{mYD!$BhEkDH39=wHkP*(ECOl)OQTh8&~Se+Dr9N&~wK=#q-N
z6*ZvQB|0I%mqo5ZR-!n66beh4=|O!J!{Jl?)h@XIX+q3pXrvR3QIKuGHTsuQtWOJk
zUyCXO*r<ThKWlcyn)wC8|0d^2Oj3|Fvq?3~7CW^disdgkSMgJ6eZ7y4Nl$(Vlux$W
z5))-KNy>FuEs@Z=GjjgwBU3=ggHc%cB!Ag?me3>L-=g`qB2&vr#m`K>d~BhfzfqtQ
zzs9}hK@BH}zl5__*FF)|e+h{_$GqIz=GM|S|1F26RbJTZeEtfsdbSf4+-D(up9uq|
zdelmi?+xzzu;<;lCtrErc%8bhYf|=r_DGdueMizr>d*Mpkna9OAR0cb=DKG;oJ{09
zDVYXS?UK3Dbwv63*cM?#mU&>MYHoy;QL_C$)yu#pW`1ON(fjG@3>AG5*I{b<G5;df
z-mw_{u#oPQn4fuEQIt3pUcX`f=0Z_?;)&`7`}>`uqQYnVsN8xew57DXGnqvI=LTw~
z0A1xWy*;X|ki)14N{tT|mV91h0Bh5%((Db+B00O3FaN!v_$b^x6;Fc_)~gZIXd6J8
zOtQsi=$A1{_l3tJ{w*e(79NgGYx1Wh<-!gqj&(;$6l*&)+OmBLT`sU}Zq;jPV6fYS
z!hB$uFYI%csbuJ-0&U{Hxm-|cAOlJBQ<cy<bmm+*c>-#HgV=%NQGSxv5Jhb6FY~p-
zW;j90wmCV8+o+(&a0j0UY@j1z6mnUMuy28<D5VDG3VVv5GF-}W*!ym(UDg&Q&*UaF
z!?oOJIz|^Di5}((sb{t-n*YS1Gw*iyknXnjR9q$DhlwXOVdZAITzz^sSbII5Pa`X&
zzG+4x-kTeI>ck*=l)!J^D%|#53IXZ#Onhcs#M(|pb3I?a^@h!a9HE<bq`Pp*@OZ!f
z#5(ko*vDjyuE5?1tJ8sp^1L$Y$02crl%Gv-(?&~HPixThni*-T)2X^s=g_+js%<H%
z*Y!Sd8nf18=Ode}GRnh1inc7_1bWWfpacrhA<iu%A1G26uC$&2*-+b(>+FNY0zt33
zT=8^Sw+vOG>W+c3;stj#;&9{%SMyk08;KC@7~rx##LSgaCGPor@R|wU;NiILsgD;&
ydI2qVJ7~w;^cB;M3Sdaj*Z!8X<h8ICAL(>7Y(#y%d(VG#_~`q7cNk7Gg!*4sfsp+G

delta 10949
zcmb`M1ymf{nzoZ5g=-+Vh2VkU4uN2S00}O^p>arXuMns-1PJa<aCevB+7KYP1%g9x
z*U35e-gD3VGjso$GgHs1u6OOO+TY%L?Ov;%)m0mH_p1Er?*Y_7XlOlyqrLzH+=YO9
z5P$>$$Pj=60jLo0s}T(X&>;W=0x%%}3j(kq00#naApj2o@F9Qz0tg}CJ_Ha!05JqS
zfB+H*AcX)j2q1?53J9Qt04fNeh5#A}poIWB2zUqq^bqg}0vI5G5dxSXfEfZ<Ab=GD
z*dX9B1h7K@2LwEU08R+tf&gv^;DG>M2;hSNeh3hN06_>4f&gI%5P<+u2oQq+aR_({
z0TK`(2?5U_Knen+AwUKKWFbHf0-i&FJOn5}zzYaatOAsNYJ#>35i>F;LD|n9x;Jjg
zme>g1XSJ?MDLXYX@$+SPrS4QAhr{9hw&Us&c8>;=o`61o&Di}y#94ObuH5V)J&x~w
zVT0!4Tl$j_C+VT>6o$+E_XEemB`?g;3LVGG>#SwwVcycpQB*H>3lAFPEC-YdOj&VD
zx;(a#MtDe%>#D%Z3TyJRAkLAZ*F-(;Dcx2~x^=x48#xCP?H|=<obt0fryp;$2Bi$u
zGeytF?WAQ{oF;77XO}%CVlz_GAyVqA^(d)p8d}t<Y^q^R+>p#tcXaLgnZ|j+^5*-M
z(PYo(?8m~)-)q(_9GWpTNJ$=!b-**F4peO$%HL?Q<QOS{A>+(anRwxnQW*HZhc;$9
zG-29p|5Cy>rQgC)TbmO1!^XVCfkRSJaQj~T5&0(%*_a7|o0oZCjRG@@ZWFQWr%f%~
zE*t}*DNLx%^fp-YjiU`q*fsX%`m`4Ltxcf0VjKWgWckR0@$HiZQA&Nurd0nph;IIj
zXB131%8Ad+Xip4dFH?N)#CD2t&z~7x_pnJpHDv8#^TKj0oRZ@3mDGW-fnMI~eZ%Of
zH+vx@oJxvU;X}>EuVO99H!3QR09V=T*^Wfj9T%0rIqAsiWQOVDp!3u)bb9*iUJlRs
z@0b;}#Z7HT6WCo(uA}|92EJdkGB58ZNo;~<qczkERH{@%c45qZ<~2Q0t%r%GeT$!`
zO$V3rWwd9vpQ=B>svqZklIpG0oDqpUV_SDEi??6A5ke3)j3;qFQOHcU@=d1aeex&Y
zNcP;V1ETo6N#ybffp<|n&UeG96RUmXEJtH-na!p*jo2-)cXk8r4PA5c4t0oGm1?Mf
z2<lbV@q-EPsZpB#)MDjZAGSG$H9PHWseA|WkzQt@WNUfHITO3UuXB{!wza*1RP_#D
zryTP~wrTeG@pt;y(NYOV^*Q^9H&nVO=w68@!RZam;)At2eQ(IyF?n1@sk(GN`tO`Z
z?J)IR3*tHU&0H=RDie9;PpWpNu$-uYWjP;3)wlDE|I}tMnUbI7=W?%Rp$Sq5Xg^BW
zG<HuctdMKfFn37J=ODJVHd4PS(=Xyb{5-(8{~pR&W9<D-bw483EM}j@Lg#I;_K!Tv
ztoNxFotf&YSe^q@3HuxO$1b1#@Y?d#cNPNthQ=pfa8ZXmJC1M%WBJ%OyNz-Z9t#|J
zGCfX?c~_(N`Qz*1Lsy68#1H4OHY`gQ-|8RD`p0Vyg~kjV%pzneYU_t=dNWF%H>(d1
zpn%2;X?3qj9B9`HHp%RJ;pzHg3!Pk4a1j&K7+yG1UGNc=d*jg+zD(nwBA@U|F5Cr|
zAn-1mL~L;c{{E&jxJuQ$e^Bh}ZCtw(Q04PdT~Z^tdBr3k7yqP83LC!tQbTARU`SE_
z;qd^u0&hU_31%xBaz*pFp+@VP>)7?PJ^XZYJl8#MVcZVv3LbK|Rij)wdwRqxo9cw7
z7p8zIj=RiUcjKG#I8qu0HLW{zDDgiVn<E+q+8&;JP*T630>6t{q)ikbH5C(Z1*;Jc
z@s3?5;As2BuNxoJEyKSuN~WTD(;Wr=Ey&2K{A{*)A}=Rq+WPvi%;7r+Q-Y$b=SVZ=
zLp5ft%{()=n9hSK87N+HCmyX|S;)1*V@Uavxqy=i0@Ev8`V+gJ+e44skA+2DVwj(4
zQ-U7I8-XFiW4d{dN{)<Y6)BHJMddo|4`^QjwM_D!kl#_t1CwP@j(6*x9$}NePXE*U
zbGAbi`zwhq0d78#RTlm`Ur?I^a)Zv|Y^Z}=NT;vA2e7r-qqWdpeb^)aEl4PQc!zP1
z1ud5*?fq|ogE_6uW{(G}Rvg&|?>E3-AA1HN*nOU-9Et1)5n`#_&NKIwjfmK36E)r%
za^NM4trugC8^hnG3fVVz`%m#T=+2Mlpp%5nI?)UoqzD{dOafb9#xiv%CJiFqgz7zN
zK_*|tL_(P{DtzH69=01+(7!vH|KN&UL`x^&+|?1ayME&=?j+c2D1k$qBNQB^`*_)b
zFY<KnPOINgPM4P3-Fa`)Al1SS-bPX9{E0*yzc^}Hw!W+202Dgn04*A0-`~PyOV<sr
zg}_OP#P5dz8HyR#I!ENFlZj7@f9cvYyz%FZJv{9}8x#2E=1x-1+^+CI)7`?LD{+#E
zqa?yq9(^%4_TK=1zw9V1*U1}uw-8{=1|z-F#P-1YgR8BKZo=>+bGMBr{iHnmbNPj?
zoQ({5hT2Dl+%<EpkIzqG`p;<`b7Y9;=?O*3Eg>E3!x_Kxc(c=dvIkP)F$)Y1eJV{0
zLpDez6?H9?hr*&ZYlO5oTx>7DqYN#RgZd<C^-7|>+O`teR5D1t<Eky!C+KpT54cT#
zAgU$sdrjjI#2qk|^*$;zJn5+Aqv-r;_Q)N(#1vS)qFN3WSL-6i8yAh<)lnQi{bp(c
zLo12|N5>XnpH-ypC8BziviSAx7{L>U?2<~minnXpm!B)_gyyCVKXwNqO<tCL1KX*X
zG`(eRu6HbyJNKW={am44;R=`St7Nvrca@sOe=FNT`Fpq^Terr0Ds>0{t`ssJ{!=f@
zyHfptt=ePbAGq_)_W6Cq)Z*RTdEJLaJM+BuyW9SJ+>_DQ90>u6l(Jfv2k)2BjTmea
zroi<C$7NpnRF`sRhAnD&JtE3$UA_1!+Iv515GK0*r!C4dVwRN~K5X|cuD`XE#Fq6c
zkbwqd=P*9E&p1HBqjS4}Riipv+kuXGCw_nHpeh2RL7WeW56n{xYs_4xCS{umPwy;E
z`41VzO^pMy=ji&Ff9LX%Takdl;<MPH7w}L$?rQ#5*_bg`(dDM+ja^5h#Gb=jcS}%z
z=cckTp*GhEhJ5SAZoO2B5B^B|B&oCn(AnToP8K8Vsr&*zfgx?@^-|5@mtvFFFzfkY
zHSw4r#NPR-$<?Vo&j7o(;oH~R_0KXyjVH*qss2I3_+%9-b$2oE<Zm4Jn@oJbF6R6A
z5O%&UMLj%<F<uusgA~wM=Uw)guSPsBzLu#B8#@Cdwy#ft9OR`R@n-T8?BckCZ195n
z?oWl+dcXzxADpvhrXFBVU(QCsg2hyFQyBe)CKem?lr7X}G*&u?&edPdtBkQ!$W}^?
zw1}t-uxin45~3X*kz=N>^lqj0Wrc`&!b$v0{swsOlcI=Vt#c?yNNK<qV8=yH4~kdW
zJlsLo?J5oyyc=0Jq^#p*#&__7lo>zKT{Ix>y>_CHrhBn2vu}P6YphiW*5ZZTRs~gU
zyIQ@Nj{J9Vi*lLGtwJj9nzPfb%<IX60_%<R*W{$Hj%&?3bE{c*EstjkJgJFok*F(&
ziN)AP7{sKk5|gfk%3{f$RTj+0T7d;&&z|XPDc?^*we_|z?NE{yl&buc<o(%$f=-2d
zkVPFMzHNwp^38g}p?)tGEXRhML8qRy>{T-<A@ib5Y@bE21G8e<L+TR@p;ni^&GwAW
zV+ry{Cr06tmw09E!kz<)r<`q+T+Q0z)yuC=$pcPDGWl_G+@wiZhf6mpxOYIc)8Hwe
z4jJr0m%NJ$W9vC1>%%YUy&*D<?>vktVbPEIjF^XXYi|da%3G$~aIJEuBRUi1I1JL&
zUcHPw#s6-rDiRpd{`PS3TQvM`x}*OfzL4xX#cyFh5MPY*Ju)T%n?D?%O2+LBg5ZxS
z8|!Ml(nDCQ1|FjGcj)4zgVcgM@}av(EINyrbbBxV&R39^ie=E7CZ8t%Rw_eCAxjOc
zSGu657CJ{ce=O*?{HZ4AOBolcu!iFt_KGjBrx1G7N>1rZs;GjE)z^(v5=V^39@Gav
z6BoK9%oaj*A6+(Fu-g?T(yGE+vr`j5vz9R)b|+**az!WbR`ja{WjppeLPpc-<O_kL
zeFT3?!>h3`4ffC6OAwz=_o_b)+{a&JDMS9CoaGx7!MOB8>x7X-?&4Y8C-ub*bbO~#
zN_D-PXCpBTnJ<YJ6vZ<ina0YQE5?%QtE_phOl`g3wy2OLRTG}qFdJky%x2L^?^|@5
zcdw77r_NK&2HTGxo(G$vtzwbRN7^@`WYNA-5e*`kxuZ*!M^1<$&z?=Lpn0^S@G)vo
zB)wz@q1x85Bhp&3KBN*+i6ffTSS>5OVEOs+L(!043}=$!hUl%K@dN=`;<t>GN?0Z$
zLCkYxbxk@@+Pc+B8hJr<Xh5L`Ye1upBBqZ`m4k~;5qMF{E7b1h;_mSF-I@IIo!<VS
zP-Pwc4&*X?=68{(nPGM&A{gt*i?xw-Vq}m%v){0C^~9O*ue;=5>(f0q_7l4o`j`X1
zwzBc;YtxFEucD4VF>^%B13_td^JXjeZ~_LGwT=}tj^{e?W|;f_=udVIF4t4GGIeBK
zkI9kt7?7&^NbER<3LyefscCN*n>ZxUc7^i_JH?a88@&6eHRx3{CVeKY>83QX?45Y-
zdz%a-IjQq9+qZmi&1X+=<Pyohnv-)tf6ud4?MOQ5u@&h^Yn5)TG<8`PUs#BF?)NP-
zsc~1kLSA&kPT#d$hdMFc%Vkhi6x+-v2X4Od1k_Bl9=ZA9!0Gx>lq2-(jE9DpP|c5;
zwNUp#E4TUnxa&eo<mba{Yo;b}Z3)UWHm;?b8@T*+;E&>=!O1HGd%#u&y=IZRp0aJN
zx(Yu_gt;$@4@j)_#ZzxeSE3!?TbhcQyO*w)k+QBVX;jvZ2VNj!#}->4qj032X=kSy
z2~L(1_HX9vGj&<0P2}Z7t-NJ~^3Mjfsm>L=u`o^b7p`_zg&&5$T00fkLDM0%FiVT}
z)j-uDrEo=##!}-tOF}9$=<vb6l-_nl<y5A3)D>;gq0U)~4-R6YA7C9jEs1%MOy=iI
z{wT<Y-ba_Z^EA$;#Q(VMj*iD`_ZEh|F0iAZTo-4Yp|6_EWaFCvPYH(Jh6K+9q5v?f
z!I)rh8SSpv(TBRjC;3N+L@PWKwhJ)0CUzUSl4(l^wfk3#N!=5Vi9}y{JZY-v+oj9m
z6fTM=5@{scD#Mi<HT||WzB5#8+ri!?SL2{gv*u1!kZ!ZW@Hs2B&j6QI#db6=0VKAr
z$pkn&#I`cj98Bu{Vlw8e%eNA`?x~mh3tFlRF#p(WT0Iein+%`K7u#fGMr$DENNfDM
z)(gJ)9>R?th9*>RXTDp=_}qKWu4QHztVT#3LC~vQ^|P<dC@<;5V_uz{KS}5>8_fxz
z`KN^Xmx801n8JwQy=*(KA@ifFGECDEdx1?#ZT%l-&$1-pk3Lr4*mE^nMy4-r4AE*h
z1bat0XO-lBRDa)8uhr_xY62}3h7h?l2vNjUWk;_kceHw)I=P`A`w$ote{}mX`oeQ0
z6&CRk$6m6&gAaYAY?c)bFPq*5amud9o3d4~l>@5Fy1W^X#qZtqa?VOneWwm<Z{;`c
z5a8XH6}zmL(aW~Y92yy+o~1l?B(ztmn|c1o<$>a~OM*oM`zk2O5Ed54(6a6B$1$)}
ze}XY;z)#YCq>0n_#BU483F~%5&5KoB@bU6|;V#l3k&TryN2iK9WFNr{54DOEj4U8C
zdka<|skc5^*XjP^bs~8FQHj8&X61xhqN5?3U;e4gGvrq`n^CsIZQ(nwY`(lS`Lb3-
zt1^9LM3bdNaYtq38;X>V&GZFrmZGj$W|U<Cye^Hmw&fv)$Z7XC5yH#dR-Na(U|fk-
zzrm@QvL72*FLr%d=9HM!U=~l1*Jmron6nN#6*D88L+c(%y1JIuEHW^9toKQn59P^M
z_<dQBs^$3n&`arsXD5?xrUIowkks`XstB)WGcFhraAA+d@pV$slf;^tpngHM{xi+#
z+S37M`(4oQ{}s=F@1ovDp7}92)9AB4r^M_aEzYQQe$a|-`5+yNZgQ`8ezR6(5u|?J
z?NK#95XzO>fk~W_l1lIA`BF|lM!TyZ&9ajd7Lt=4jp36)6se)exy@;A-Ib%Nwu=;U
zSOj>CZBSr|>6&o&dhy_lDXi*E*XB~gldY=1_w1%uI_cb-cL`x}kRDp-4Ywy-H7E!3
z0=87QV%`wK^hL#WxcVLW$q`GNVik{qni<YDq`4nl1$z6fIvDjpNhSH#jgP25c&LL9
z`rRlFf=RW;DR7p#Mm(4IM-F94_J#PTwxd2%O^eFWqn0A;)yvCt6imc>o^|y%pq>OS
z);}D-kWfe0cD{%SrOl9;>?Yu)D1QcOZ=_MjxoL!K>HT4$cmo$Ye%dIh3+ku1t+M_p
z60@zRKSl8P2S#kZ$HUV<Hiq-amQ7imaD`Kb2`-a5Qy;eV8pGbjy)?QTaNo50@Irov
z3o~?i%h~IR`@73DU;T!W(|Y-yCo0+^6Kbc{LZ;ZTjG(cgFzR0t3jWhV>5fP#pI2R$
zw=&V5hoLwky8C=v(k%EWe?Grt4}O_tn3of?s7>5&PEG{lt23u#6W^FcY>J8trYwF9
z;pNzqCKjxBS`1lFXDP2HyJQRg;Kr`c1o6sf+GoWyjs(5scm8&IM1$Yb3zwq&p275!
z2xr7oKNt)@ZM>7QyCGrx>m-<0b*d3{?1;6Wrd>K$9M8b7M<PF?%V1wJDfecZHnTYO
zdszM_3#Gk6eN6f%3q{Lq%zTGY(K`C%`wd>H#NTNJdHI-j=UQy)dlW9b2EYA!WrEae
z{cUtQeVd+wP8Vqn>{>yTUEZ6G=TwBSnQc3F-Bbp{rw*gO0-*cSz?KPhA(CdK)muaG
zd7G$9^c8_k90%5Y8+aKP;`(XxvtsrZ<pTY^hCM?|+SLUFDaBUy50h!`15xYdt40x}
zAf_Ec*<TWhgp4beN@lW%;&y7rrc_2Sv3K$<Pv0IC!ZP-uC}TS0{*#3UXc^v;T~4Ge
zPPU+;{C0R--jC`{Yk8qG8ghP3(3XNLp~aX?Gm6ELZ6KSJJd8hvn5AThXsTd8xHWt|
z>Zs&3;&%SM?w@dkudxIkU&}MS;l`2D<6Y<c18~12h)P+?A!RYEoz47fhigIkeCJ+5
z=6kbYKg6sHP_w*{=>EueAel_tE%L=)Pd1Si?|?n-s(H*@fz@lgYb~F|9%hAOAMpz8
zV8rT;%fRkYX|l4vKu_sY-v=U*_HIV+HieGq&8tx2JxH+Wb(ODAW*BMo^ajF0_-9b1
z>A^@NK3%-T=jp7TG*9opiWt?*w`zD%-(c&Ju)+5#*`o&;&iZ9a`%$8@@TA+hkKDVw
zw-$ql>z%WBT#6vg^<N5`L9M$wnHbkRQjh3LHvbtqSij+9?Z-^Th-0|ht%B>B_WGFg
z{Iub-C{cI2Q%x*9s$YtVc{ICL`gaKh|7M|YW!J6KN+kYap;CADvrzCJQ&+yK3J4K*
zyKK&5Y4EwC7|Ns?s;T#!Xl$w=oE|XLJZZ6@<8!7k`q_^e!RQ}fY6-hdw;l|i2=kim
z9gi;rnVi*+?48ZVKcH1E@P*pq&)<rXo@WkcUzVY*pQ_$A-#bT*C2UZ@kELl)Kn79I
zeJqy~r@n^>QCP$*H_#@)SE{Qx2|Y*W@QNRg%liuolkkyen<ggZ^n`_U=3C#p8(>Z-
z1~-D~QomVabbI`Fe#U;UTJnN$^~AU-#as}R^HTBbS_hha5i5seqsqG5(j`D6+3#G8
z9#}19jKt$#9o7{Fg6%TFenJ?6fz$z|5>AE<d@b%+3_>@&7;9Su=Q2B&h9&Vu?y{=a
zTI_u7YYU<K3!cMI8jgHB-<oaU1fB%wS(keLgKZs?2{JE=hH=A*-{1(<Bj>A~X8IJj
z@|n<EN|{w_P0S9L=3w=tvwCv&#t^oY(ZR<POWUYG1%}C;rthtgwA{h-;zS@<a=dk>
zTxa})wURKOK7NZ`N7V$*3%PWU6uiyX@Ld<tbah+Z=m+9!n$qqH>IDN-!vxQ759ByY
z41IHzX$D5^+5BS|OF))bzKd;2W2{fuzjKW)z_-8reO&ZL(aCFyroPuE><au=9#YF_
zL)yT#iu__#Ox$umda8%pEK|y6^_a#O17>@nw^C=9g`7`U@;aZF%YUn(XvpI`j_SsR
z1+(vMS}$2%NrlJ2?9xI><cUdtNpTk3!PZo2>_-aG=jr0coH6^79dE5lY_G2}x@V<w
ziD!6uwhjkd9r{*S!^Iv3`9+{44z|0I=&LtmmB;Df_`*ahc*8;tCn1|}1LP0_1!~Nu
z7~+wJ?Z0-J=Oga8<Z?uu#RjZH<{b7S)4xKG<uhkr7LV^IuSwQ*<Qe7y+#uo!z&2_U
zE{*Z?SqIMUHYfjFH=1kD8SHv8LUzucW?mt3ULa|S$f!`NJ>PMlRu!D%hF#*5^9syl
zZEgh>Im3$(NN@&zvi*CTfzEO2)sy~NBKC_n!a@Bvupgqi=~fEF_H<2NkczZ~;=Js;
z8pVBjKAdg@Tvd|_^-nH}FVxK_bJl@Iz$RCU_sc~|78f57Q&l_dtu7rve8u0mLg{Dm
z>;?UOz~x$2(PrFS3y34&%d^(Mb35jiD{$(Y`#$%EFmRJCTIG5}Xd}{Vefhz1%`#Sm
z@O;X>?mm)jErc_F6fnNMLH{x)wN29fWpQ?*<30=+PW`s!-BV-lLk>iHi`zwS?`}5K
zmf3xHL5Z5^V|5dKtub2r75|+r&+s*P`t-9i7XKZkq_8QM%^zR8`F{z3j5^Y8Gxkao
zU+8@Mj1ZTqlz%}70f|^ND!Y72K&Z)7YA($Nu91)il*1_XRnb+=`5gDTZbF!(x)=X-
zSWK86T{5p8%<XydZnSv`HzEx|W%lx?n{KpV!@Kx=3y1|i>b|z2AK{g$6psT=gf4SO
z(8h6_x+ymw6GwfJdVb6%Z-Zpxo@w{uK2u$s9h=^8EC;iS(4l{GJ-;$KVZ$MEONO|@
z^AVw=sDo*$pI$j3)xk$R46NUbYIih>#dWQhD6~704TU*__t~<Ytd~!$h~8%uMEltl
zYKYO5>lD!(Sn)nSD;w*ZvaH$!e~hnV{g_(m?Yz6h8jeKI!67DQ>5fm>A(MGWi7ZUA
zK4hOM&Go|%rH^M8_X)DGWW=ZRf9$exh_SqN52O#ozCaVHZj|~ya<KI5G$s~>&(d8x
zQ%*;J`95><dH#yDeB5L*VQg#@y(Q&E!b+!dO+#bP>|8~M2ENUPkpix+2RJ!$`Aye@
z=kUJAOS7z?kY39VB(me%U(Jk}yzf?<2p-O9JXn07w<xF=d1|`~+_+M`8Brh0Y`ng=
zkXLUp*t?f|;QFxl5!y)7%%GX!R*~``lnWILn(cPO%FEf8aaAH64w}soEXSD*?sL6X
z-Zmc&rUaFbd7{pfsZyfbUxT*A&o4v!J7+_V8bu`Sx3tgKXFn~Zh_4D3EV^@;oK$4v
z(@UqOMut$rP@LbD_XI3lP_rB}ergaCHaX;PpeY`TcwMF8ELydw@q8{<E(L}7>{{FK
z?yj?$Jqot$5s`c50DTaBs?&0pgA#S!Fhwz0UD@kmvd6=k;q`TTipF5S5?eumM>@&p
zS9&=qDly&3_w$#8&E1zdjyb6ZoS)=B!HBoFYp!#*y|M21q#J^f2U&Aj@1RB}|N4h<
zM&7)*uBfm}5VLF-;eBXS$kH4Aq)wMO4p)1M{lq0kX6s(GkpF<mXE7cMu+K@)6oxqr
zpXMNkT=7g%vaK|T_Md`5=7(R+ukvWsw_hd352;DL;3FuAS0HZlZv=N_)~juIe#rEl
zp036e9DsGW1CVfZcVy8<p}q4U?T36pmAM4QBaOvU^p>a)`Igjy!ip*Fv2P;gJ5vqJ
z+vfQi{Z*-@s+D*K^UsePMMiTe$RfkhYIaR2vS)Gx3cnWW%=m+ov`?=+2v^*vtzWB;
z|M+ZhQO6{`%4et7x)N1<hGS9vk=g8u)?6<tKSlM;6?|Ms=B4h)p7nH&vz0LN%)zI*
z{yb4$IM)RsQ4%cYBG;4DcDkGeR|xF0blKN&<c|05$x<i$a)V(ZEU{_AUc%_BScKn{
zo}YhMwk0rX8F3%9wrVhVO+%i%bZ;rp9Q|CJyXaI|wEO3a_5{*RUc~M~+^vPcGeUGl
zdY*6tIK#+F)um0>i;@=jlvkQF@1P>5hHzZ6ai7(o1d2RkLYZAcd#f35ouk>@Cu3`n
z7+tTGK7WTgiD`u^NfhaPmF3KIy2cT*iOZT_`P+*<sD)`NX4y$`{StESTQ!vVPMxR`
zOcvSshORhKi_`pRCQU{1+Lq5(N_RR3r1S4SjdK9@(KOL<JqvBSoLN~)O}#<jO;T&=
z7p*2acCXiOdKnQPsTw)mVhi!$2xV<mP30+irJGv9^QB5(7}<l@dYc>yCoWR`6-xf0
zg^QkR;12q+Cr!;z6l0>FZAX)Wt4Cr<De=3E4qfEwYmvZe`Mq><h@{HDQB$3H$(TUV
zB*_mmf|G8pb`p8GtBs_Omw1)Gq$PTwEI(XrZ`HMFW$pzYPGsH%vvHQC&~Begz&B*t
zGkb>67Ic*qU5Pd!?VQh#xgu37!x9>tI8h}Dz;^QGs_umM@e?;}A^{U(+-2x3-Buo+
z1n2&e8$*oH{8!<MUWdg_X_diELXB$iuxGIa(Z=;u9mb5T`49bUjflHurm1l1c<Csd
z(RKDUoMG_+n(6R>iA<y{wOqfQu`T480)6-lhjBwAr)RaD5*L+xin+*Bul)U|<P{-s
zFoKZ+w^Vq|P0M{c{;osS%O4__<af8qoRzzvETYPXZ(4S66vCd=n}5k`44q!DiF+Qm
z1xxg*1&>T1Ww&K({yxm~%Y5g4dhanaztw{Yf(gpItgA+Bt#~0Q`G{R4#rqvt{2Enw
z4B|$2r`(g&Y#H*MRR@H5%jXJ%V5qgY;4CM#iW2^?CHuh}Tr-41p;iAFHv>{p(CL!R
z+8vRaV81Ixe?O8_zC^i2NCkB@aUrxl&|H(e<w|<RwX*p(DQq7BevKjshN1JRDf;9z
zw5VWS^$c9-#YcFKVu3i85SG^i7ni#|_;D?Pk(OvT^V`rh36%xI)6P8owlO$(u<kux
z?YC1u%!b>-?=vz(8)b}{7iW)uQSvNBtse|1mL!OAy(Taexuri&!#v7y4;81CFzzMU
zOt>7{+*NcnizrumJ~Av7rlBF@qA96b04aj1m$rwp#2((_b!Ia!Z}=@=U+;%E?q`M{
zARSX5Bt)>Zwlj>k;qvTf<LrXelawB;ibu33%8i-Z89r<**FWlt28dOs@z&^JS~*o{
zD@s|`Huv`#eQVL5Z%R;~&(BJ^U3%`@$e^Dq$Tdq&f}1%VU6;>~k%pE*s{}gqs}mj^
z>BE;fj|2=VO0PQ_MnJNDI_z^3x}67GcsVVSBkSC%x>hx}6&`FuKhD7ibEJ<HlC3ZJ
zC(x63hhP)D8*`73Y$cC}DK2Lx%9t0D>tQsTZ>7tR`YyD^YZ(+Q7BL0#KB3)=Q?Ms~
zL!c#Bu3pb3x$9r1SKJ-)j$Jn2sCb8WVxa!EbA~`@!}hknOeLizlI7=v=qKTB$s2te
zXR)8gZ(-Xd$LZNlfrgAA+gaW=9NEe0wjuja&_>5u$R_>>Lvs1)mk<`))`#CY6xCOi
z(N}JFpB+r!KG^t>f(P?xlt&yDz5RUa7e6Tc>BG*_V?|{v4!EKZ5i9;wcOB8UgP_b#
zn7naP`>yKbR1{s+NKQzwlWE3-({YQ66C*Db=@B`lho*V<{5-bPpz6=AVd@vT^hKwW
z_w$NB`f+QwFnD(5u$}MDGc>jf6K2<C1oKG{0A*jD9t^cJww&ueY-(CUL|R|oQ_i=U
zBZYrKpfT?*%x+wSMmKBrI<^VVe-w;uPs8MY_0#n<Ggwt2UWnsHd35eLu=$-})0Q*Y
z_6*OYt7YjzX6t-rE9jGmdRfCW*<#;n{CLGD&<SH)bez*_dLzjvV0HW6+LYawO3TA_
z9bRUj+{B45z{aPLJ3!V17+bJ47ftHfV6*E0NNBBjqPE`eP_&6gaT<sb`<)_;kLCcZ
zVTrAuFXLVLg@z~iOK346w)^ETdnEsT0RLmtUud}|GfiKRB*xHYGEEPI{wD$aZ{B^u
z+auZH_n*z+FAVojD*^toCP&s`&<*PUuD3rr`_IDH5((mqKMEXK$3lZ2<H5FV8vm`Y
zSOTRxMb-^mX)WBDh3!?F#%xr|D<8_NjJqzMDj;#Pb`;`ONDg59AB78*j=~aJ7!*fj
z3~B^u)55&njWsMZ(zPKNQG)vaQ5fUM*S>y?WB9N81pjySjw`G+-VU<x6nrg|tiVA0
z&ja}Xe=JqE;^OgNukf!6fPWja4-B#C`d8=huPgjxQ7*K33vOKwvH$%{z`wL=|Dxh=
zGqL{fZz1rnY`E)zgfaX7o81cjS3^Cnu+q4_UM2spzW*!Z{*OO}YuwifW4P2e)R`0;
KiTC3Nk^c>|_5F?j

diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py
index bca4b212c27..1d8002cf06f 100644
--- a/detection_rules/schemas/definitions.py
+++ b/detection_rules/schemas/definitions.py
@@ -178,7 +178,7 @@ def validator(value):
     'Use Case: Vulnerability'
 ]
 NonEmptyStr = NewType('NonEmptyStr', str, validate=validate.Length(min=1))
-MACHINE_LEARNING_PACKAGES = ['LMD', 'DGA', 'DED', 'ProblemChild', 'Beaconing', 'PAD']
+MACHINE_LEARNING_PACKAGES = ['LMD', 'DGA', 'DED', 'ProblemChild', 'Beaconing']
 AlertSuppressionGroupBy = NewType('AlertSuppressionGroupBy', List[NonEmptyStr], validate=validate.Length(min=1, max=3))
 AlertSuppressionMissing = NewType('AlertSuppressionMissing', str,
                                   validate=validate.OneOf(['suppress', 'doNotSuppress']))
diff --git a/pyproject.toml b/pyproject.toml
index 70d18547558..05ea663ddf3 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.4.24"
+version = "0.4.23"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml
deleted file mode 100644
index 52fad6ef61e..00000000000
--- a/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml
+++ /dev/null
@@ -1,99 +0,0 @@
-[metadata]
-creation_date = "2025/02/18"
-integration = ["pad", "endpoint", "sysmon_linux"]
-maturity = "production"
-updated_date = "2025/02/18"
-
-[rule]
-anomaly_threshold = 75
-author = ["Elastic"]
-description = """
-A machine learning job has detected an increase in the execution of privileged commands by a user, suggesting potential privileged access activity. 
-This may indicate an attempt by the user to gain unauthorized access to sensitive or restricted parts of the system.
-"""
-from = "now-3h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "pad_linux_high_count_privileged_process_events_by_user"
-name = "Spike in Privileged Command Execution by a User"
-references = [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
-    "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "bd1eadf6-3ac6-4e66-91aa-4a1e6711915f"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Linux logs collected by integrations such as Elastic Defend and Sysmon Linux.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Linux events collected by [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Sysmon Linux](https://docs.elastic.co/en/integrations/sysmon_linux) integration.
-- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-- To add Sysmon Linux integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide"
-]
-type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Spike in Privileged Command Execution by a User
-
-Machine learning models are employed to monitor and analyze user behavior, specifically focusing on the execution of privileged commands. These models identify anomalies that may suggest unauthorized access attempts. Adversaries often exploit valid accounts to escalate privileges and access sensitive systems. The detection rule leverages ML to flag unusual spikes in command execution, indicating potential misuse of privileged access.
-
-### Possible investigation steps
-
-- Review the specific user account associated with the spike in privileged command execution to determine if the activity aligns with their typical behavior or job role.
-- Analyze the timeline of the command execution spike to identify any patterns or specific times when the activity occurred, which may correlate with known maintenance windows or unusual access times.
-- Cross-reference the commands executed with known privileged command lists to assess whether the commands are typical for the user's role or indicative of potential misuse.
-- Check for any recent changes in the user's access rights or group memberships that might explain the increase in privileged command execution.
-- Investigate any recent login activity for the user, including source IP addresses and devices, to identify any anomalies or unauthorized access attempts.
-- Review any associated alerts or logs for the same user or system around the time of the spike to gather additional context or corroborating evidence of potential unauthorized access.
-
-### False positive analysis
-
-- Routine administrative tasks by IT staff may trigger the rule. To manage this, create exceptions for known maintenance windows or specific user accounts that regularly perform these tasks.
-- Automated scripts or scheduled jobs that execute privileged commands can be mistaken for anomalies. Identify and whitelist these scripts or jobs to prevent false alerts.
-- Users with newly assigned roles that require elevated privileges might cause a temporary spike in command execution. Monitor these users initially and adjust the model's sensitivity or add exceptions as needed.
-- Software updates or installations that require elevated permissions can lead to false positives. Document these events and exclude them from the anomaly detection criteria.
-- Training or onboarding sessions where users are learning to use new systems with privileged access can result in increased command execution. Temporarily adjust thresholds or exclude these users during the training period.
-
-### Response and remediation
-
-- Immediately isolate the affected user account to prevent further execution of privileged commands. This can be done by disabling the account or changing its password.
-- Review recent privileged command execution logs to identify any unauthorized or suspicious activities performed by the user. Focus on commands that could alter system configurations or access sensitive data.
-- Conduct a thorough investigation to determine if the user's credentials have been compromised. This may involve checking for signs of phishing attacks or unauthorized access from unusual locations or devices.
-- If unauthorized access is confirmed, reset the affected user's credentials and any other accounts that may have been accessed using the compromised credentials.
-- Notify the security team and relevant stakeholders about the incident, providing details of the detected anomaly and actions taken so far.
-- Implement additional monitoring on the affected systems and user accounts to detect any further suspicious activities or attempts to regain unauthorized access.
-- Review and update access controls and permissions to ensure that users have the minimum necessary privileges, reducing the risk of privilege escalation in the future."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml
deleted file mode 100644
index 85afe5b4a97..00000000000
--- a/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml
+++ /dev/null
@@ -1,99 +0,0 @@
-[metadata]
-creation_date = "2025/02/18"
-integration = ["pad", "endpoint", "sysmon_linux"]
-maturity = "production"
-updated_date = "2025/02/18"
-
-[rule]
-anomaly_threshold = 75
-author = ["Elastic"]
-description = """
-A machine learning job has identified an unusually high median command line entropy for privileged commands executed by a user, suggesting possible privileged access activity through command lines.
-High entropy often indicates that the commands may be obfuscated or deliberately complex, which can be a sign of suspicious or unauthorized use of privileged access.
-"""
-from = "now-3h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "pad_linux_high_median_process_command_line_entropy_by_user"
-name = "High Command Line Entropy Detected for Privileged Commands"
-references = [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
-    "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "0cbbb5e0-f93a-47fe-ab72-8213366c38f1"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Linux logs collected by integrations such as Elastic Defend and Sysmon Linux.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Linux events collected by [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Sysmon Linux](https://docs.elastic.co/en/integrations/sysmon_linux) integration.
-- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-- To add Sysmon Linux integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide"
-]
-type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating High Command Line Entropy Detected for Privileged Commands
-
-Machine learning models analyze command line inputs to identify high entropy, which may indicate obfuscation or complexity in privileged commands. Adversaries exploit this by using intricate or encoded commands to mask unauthorized activities. The detection rule leverages this analysis to flag potential privilege escalation attempts, aiding in early threat identification and response.
-
-### Possible investigation steps
-
-- Review the command line inputs flagged by the alert to identify any patterns or specific obfuscation techniques used.
-- Cross-reference the user account associated with the alert against known valid accounts and recent access logs to determine if the activity aligns with expected behavior.
-- Analyze the context of the commands executed, including the time of execution and the systems targeted, to assess the potential impact and scope of the activity.
-- Check for any recent changes in user privileges or roles that might explain the execution of privileged commands.
-- Investigate any related alerts or logs that might provide additional context or corroborate the suspicious activity, such as failed login attempts or unusual network connections.
-- Consult with the user or relevant personnel to verify if the commands were part of legitimate administrative tasks or if they indicate unauthorized access.
-
-### False positive analysis
-
-- Legitimate administrative scripts may have high entropy due to complex or encoded commands. Review and whitelist these scripts to prevent unnecessary alerts.
-- Automated deployment tools often use obfuscated commands for security reasons. Identify and exclude these tools from the rule to reduce false positives.
-- Security software updates might execute encoded commands as part of their process. Monitor and create exceptions for these updates to avoid misclassification.
-- Developers and IT staff may use complex command lines for testing or debugging. Establish a baseline of normal activity for these users and adjust the rule accordingly.
-- Scheduled tasks or cron jobs with encoded commands can trigger alerts. Document and exclude these tasks if they are verified as non-threatening.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
-- Review and terminate any suspicious or unauthorized processes running under privileged accounts on the affected system.
-- Reset passwords for all privileged accounts involved, ensuring they meet strong password policies to prevent unauthorized access.
-- Conduct a thorough audit of recent privileged command executions to identify any unauthorized changes or data access, and revert any malicious modifications.
-- Implement additional monitoring on the affected system and related accounts to detect any further suspicious activities.
-- Escalate the incident to the security operations center (SOC) for a comprehensive investigation and to determine if other systems are affected.
-- Update and reinforce endpoint protection measures to detect and block similar obfuscation or high-entropy command line activities in the future."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml
deleted file mode 100644
index 19313bc572e..00000000000
--- a/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml
+++ /dev/null
@@ -1,98 +0,0 @@
-[metadata]
-creation_date = "2025/02/18"
-integration = ["pad", "endpoint", "sysmon_linux"]
-maturity = "production"
-updated_date = "2025/02/18"
-
-[rule]
-anomaly_threshold = 75
-author = ["Elastic"]
-description = """
-A machine learning job has detected an unusual process run for privileged commands by a user, indicating potential privileged access activity.
-"""
-from = "now-1h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "pad_linux_rare_process_executed_by_user"
-name = "Unusual Process Detected for Privileged Commands by a User"
-references = [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
-    "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "5eac16ab-6d4f-427b-9715-f33e1b745fc7"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Linux logs collected by integrations such as Elastic Defend and Sysmon Linux.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Linux events collected by [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Sysmon Linux](https://docs.elastic.co/en/integrations/sysmon_linux) integration.
-- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-- To add Sysmon Linux integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide"
-]
-type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Unusual Process Detected for Privileged Commands by a User
-
-Machine learning models are employed to identify anomalies in process execution, particularly those involving privileged commands. Adversaries may exploit legitimate user accounts to execute unauthorized privileged actions, aiming for privilege escalation. This detection rule leverages ML to flag atypical processes, indicating potential misuse of elevated access, thus aiding in early threat identification.
-
-### Possible investigation steps
-
-- Review the specific user account associated with the alert to determine if the account has a history of executing privileged commands or if this is an anomaly.
-- Examine the process details, including the command line arguments and the parent process, to identify if the process is legitimate or potentially malicious.
-- Check the timestamp of the process execution to correlate with any other suspicious activities or alerts that occurred around the same time.
-- Investigate the source IP address or host from which the command was executed to verify if it is a known and trusted location for the user.
-- Look into recent authentication logs for the user account to identify any unusual login patterns or access from unfamiliar devices.
-- Assess the user's role and permissions to determine if the execution of such privileged commands aligns with their job responsibilities.
-
-### False positive analysis
-
-- Routine administrative tasks by IT staff may trigger alerts. Review and whitelist known administrative processes that are regularly executed by trusted personnel.
-- Automated scripts or scheduled tasks that perform privileged operations can be flagged. Identify and exclude these scripts if they are verified as part of normal operations.
-- Software updates or installations that require elevated privileges might be detected. Ensure that these processes are documented and excluded if they are part of standard maintenance procedures.
-- Development or testing environments where privileged commands are frequently used for legitimate purposes can cause false positives. Consider creating exceptions for these environments after thorough validation.
-- Temporary elevated access granted for specific projects or tasks can lead to alerts. Monitor and document these instances, and adjust the detection rule to accommodate such temporary changes.
-
-### Response and remediation
-
-- Immediately isolate the affected user account to prevent further unauthorized privileged actions. This can be done by disabling the account or changing its password.
-- Review and terminate any suspicious processes or sessions initiated by the user account to contain potential malicious activity.
-- Conduct a thorough audit of recent privileged commands executed by the user to identify any unauthorized changes or actions that need to be reversed.
-- Escalate the incident to the security operations team for further investigation and to determine if additional systems or accounts have been compromised.
-- Implement additional monitoring on the affected system and user account to detect any further anomalous behavior or attempts at privilege escalation.
-- Review and update access controls and permissions for the affected user account to ensure they align with the principle of least privilege.
-- Document the incident, including actions taken and lessons learned, to improve response strategies and prevent recurrence."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml
deleted file mode 100644
index bb301ab153f..00000000000
--- a/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml
+++ /dev/null
@@ -1,103 +0,0 @@
-[metadata]
-creation_date = "2025/02/18"
-integration = ["pad","okta"]
-maturity = "production"
-updated_date = "2025/02/18"
-
-[rule]
-anomaly_threshold = 75
-author = ["Elastic"]
-description = """
-A machine learning job has detected an unusually high number of active concurrent sessions initiated by a user, indicating potential privileged access activity.
-A sudden surge in concurrent active sessions by a user may indicate an attempt to abuse valid credentials for privilege escalation or maintain persistence.
-Adversaries might be leveraging multiple sessions to execute privileged operations, evade detection, or perform unauthorized actions across different systems.
-"""
-from = "now-3h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "pad_okta_high_sum_concurrent_sessions_by_user"
-name = "Unusual Spike in Concurrent Active Sessions by a User"
-references = [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
-    "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "a300dea6-e228-40e1-9123-a339e207378b"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
-- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide"
-]
-type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Unusual Spike in Concurrent Active Sessions by a User
-
-The detection of unusual spikes in concurrent active sessions leverages machine learning to identify anomalies in user behavior, particularly those suggesting privilege misuse. Adversaries may exploit valid credentials to initiate multiple sessions, aiming to escalate privileges or evade detection. This rule identifies such anomalies, flagging potential unauthorized access or privilege escalation attempts.
-
-### Possible investigation steps
-
-- Review the user's recent activity logs to identify any unusual patterns or deviations from their typical behavior, focusing on the timestamps and systems accessed during the spike in concurrent sessions.
-- Check for any recent changes in the user's access privileges or roles that might explain the increase in session activity, ensuring that these changes were authorized and documented.
-- Investigate the source IP addresses and geolocations associated with the concurrent sessions to determine if they align with the user's known locations or if they suggest potential unauthorized access.
-- Analyze the specific actions performed during the concurrent sessions to identify any attempts at privilege escalation or unauthorized access to sensitive systems or data.
-- Correlate the user's session activity with any other security alerts or incidents to assess if this behavior is part of a larger pattern of suspicious activity.
-
-### False positive analysis
-
-- High-volume legitimate activities such as system updates or batch processing can trigger false positives. Exclude these activities by identifying and whitelisting known processes or users involved in such operations.
-- Users with roles that require multiple concurrent sessions, like system administrators or developers, may naturally exhibit this behavior. Create exceptions for these roles by defining baseline session patterns and adjusting thresholds accordingly.
-- Automated scripts or tools that require multiple logins for monitoring or maintenance tasks can be mistaken for suspicious activity. Document and exclude these scripts by associating them with specific user accounts or service accounts.
-- Temporary spikes due to legitimate business needs, such as end-of-quarter financial processing, can be misinterpreted. Implement a process to temporarily adjust detection parameters during known high-activity periods.
-- Shared accounts used by multiple team members can lead to an increase in concurrent sessions. Encourage the use of individual accounts and implement monitoring to differentiate between shared and individual account activities.
-
-### Response and remediation
-
-- Immediately isolate the user account showing unusual concurrent session activity to prevent further unauthorized access or privilege escalation.
-- Conduct a thorough review of the affected systems and sessions to identify any unauthorized changes or actions performed during the spike in activity.
-- Reset the credentials of the compromised user account and enforce a password change policy to ensure the account is secured.
-- Analyze logs and session data to determine the source of the unauthorized access, identifying any potential entry points or vulnerabilities exploited.
-- Escalate the incident to the security operations team for further investigation and to assess the need for additional security measures or incident response actions.
-- Implement additional monitoring on the affected systems and user accounts to detect any further suspicious activity or attempts to regain access.
-- Review and update access controls and permissions to ensure that only authorized users have the necessary privileges, reducing the risk of future privilege escalation attempts."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml
deleted file mode 100644
index 3e4041e22dd..00000000000
--- a/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml
+++ /dev/null
@@ -1,99 +0,0 @@
-[metadata]
-creation_date = "2025/02/18"
-integration = ["pad","okta"]
-maturity = "production"
-updated_date = "2025/02/18"
-
-[rule]
-anomaly_threshold = 75
-author = ["Elastic"]
-description = """
-A machine learning job has identified a user performing privileged operations in Okta from an uncommon device, indicating potential privileged access activity.
-This could signal a compromised account, an attacker using stolen credentials, or an insider threat leveraging an unauthorized device to escalate privileges.
-"""
-from = "now-1h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "pad_okta_rare_host_name_by_user"
-name = "Unusual Host Name for Okta Privileged Operations Detected"
-references = [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
-    "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "8c9ae3e2-f0b1-4b2c-9eba-bd87c2db914f"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
-- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide"
-]
-type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Unusual Host Name for Okta Privileged Operations Detected
-
-Okta is a widely used identity management service that facilitates secure user authentication and access control. Adversaries may exploit Okta by using stolen credentials or unauthorized devices to perform privileged operations, potentially leading to privilege escalation. The detection rule leverages machine learning to identify anomalies in host names associated with privileged actions, flagging unusual device usage that may indicate compromised accounts or insider threats.
-
-### Possible investigation steps
-
-- Review the alert details to identify the specific user and host name involved in the unusual activity.
-- Check the user's recent login history and device usage patterns in Okta to determine if the host name has been used before or if it is indeed uncommon.
-- Investigate the geographical location and IP address associated with the unusual host name to assess if it aligns with the user's typical access patterns.
-- Examine any recent changes to the user's account, such as password resets or modifications to multi-factor authentication settings, to identify potential signs of compromise.
-- Correlate the alert with other security logs and alerts to identify any related suspicious activities or patterns that could indicate a broader attack or insider threat.
-- Contact the user to verify if they recognize the device and host name, and if they were performing the privileged operations at the time of the alert.
-- If unauthorized access is confirmed, follow incident response procedures to secure the account, such as resetting credentials and reviewing access permissions.
-
-### False positive analysis
-
-- Users accessing Okta from new or temporary devices may trigger false positives. Regularly update the list of approved devices to include these new devices if they are legitimate.
-- Employees traveling or working remotely might use different devices or networks, causing alerts. Implement a process to verify and whitelist these devices when travel or remote work is expected.
-- IT staff performing legitimate administrative tasks from shared or uncommon devices can be mistaken for threats. Maintain a log of such activities and cross-reference with alerts to identify and exclude these benign actions.
-- Changes in device naming conventions or system upgrades can result in unusual host names. Ensure that any planned changes are communicated and documented to adjust the detection parameters accordingly.
-- Regularly review and refine the machine learning model's training data to minimize false positives by incorporating feedback from security teams on legitimate activities that were incorrectly flagged.
-
-### Response and remediation
-
-- Immediately isolate the device associated with the unusual host name from the network to prevent further unauthorized access or potential lateral movement.
-- Revoke any active sessions and reset the credentials for the affected Okta account to prevent further unauthorized access.
-- Conduct a thorough review of recent privileged operations performed by the affected account to identify any unauthorized changes or access.
-- Notify the security operations team and relevant stakeholders about the potential compromise for further investigation and monitoring.
-- Implement additional monitoring on the affected account and similar privileged accounts to detect any further suspicious activities.
-- Review and update access controls and policies to ensure that only authorized devices can perform privileged operations in Okta.
-- Consider enabling multi-factor authentication (MFA) for all privileged accounts to add an additional layer of security against unauthorized access."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml
deleted file mode 100644
index 660d58058d1..00000000000
--- a/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml
+++ /dev/null
@@ -1,99 +0,0 @@
-[metadata]
-creation_date = "2025/02/18"
-integration = ["pad","okta"]
-maturity = "production"
-updated_date = "2025/02/18"
-
-[rule]
-anomaly_threshold = 75
-author = ["Elastic"]
-description = """
-A machine learning job has identified a user performing privileged operations in Okta from an uncommon geographical location, indicating potential privileged access activity.
-This could suggest a compromised account, unauthorized access, or an attacker using stolen credentials to escalate privileges.
-"""
-from = "now-1h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "pad_okta_rare_region_name_by_user"
-name = "Unusual Region Name for Okta Privileged Operations Detected"
-references = [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
-    "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "a8f7187f-76d6-4c1d-a1d5-1ff301ccc120"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
-- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide"
-]
-type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Unusual Region Name for Okta Privileged Operations Detected
-
-Okta is a widely used identity management service that controls access to applications and data. Adversaries may exploit stolen credentials to perform privileged operations from unusual locations, bypassing security measures. The detection rule leverages machine learning to identify anomalies in user activity, such as access from uncommon regions, indicating potential unauthorized access or privilege escalation attempts.
-
-### Possible investigation steps
-
-- Review the alert details to identify the user account involved and the specific unusual region from which the privileged operations were detected.
-- Check the user's recent login history and activity logs in Okta to determine if there are other instances of access from uncommon regions or any other suspicious activities.
-- Verify with the user or their manager whether the access from the unusual region was expected or authorized, and if the user is currently traveling or using a VPN.
-- Investigate any recent changes to the user's account, such as password resets or modifications to multi-factor authentication settings, to identify potential signs of compromise.
-- Correlate the detected activity with other security logs and alerts to identify any related incidents or patterns that might indicate a broader attack or compromise.
-- Assess the risk and impact of the detected activity by determining the specific privileged operations performed and whether any sensitive data or systems were accessed.
-- If unauthorized access is confirmed, follow the organization's incident response procedures to contain and remediate the threat, including resetting the user's credentials and reviewing access permissions.
-
-### False positive analysis
-
-- Users traveling for business may trigger false positives if they access Okta from uncommon regions. To manage this, create exceptions for users with known travel patterns by updating their profiles with expected travel locations.
-- Remote employees working from different geographical locations than usual can cause false alerts. Implement a process to regularly update the list of approved remote work locations for these users.
-- Employees using VPNs that route through different countries might be flagged. Identify and whitelist common VPN exit nodes used by your organization to prevent these false positives.
-- Temporary assignments or projects in different regions can lead to alerts. Establish a communication protocol for employees to notify the security team of such assignments, allowing for temporary exceptions to be made.
-- Consider time-based analysis to differentiate between legitimate access during business hours and suspicious activity at unusual times, reducing false positives from legitimate users accessing Okta from uncommon regions.
-
-### Response and remediation
-
-- Immediately isolate the affected user account by disabling it to prevent further unauthorized access or privilege escalation.
-- Conduct a thorough review of recent privileged operations performed by the affected account to identify any unauthorized changes or access.
-- Reset the password for the compromised account and enforce multi-factor authentication (MFA) to enhance security.
-- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
-- Review and update access controls and permissions for the affected account to ensure they align with the principle of least privilege.
-- Monitor for any additional suspicious activity across other accounts and systems to identify potential lateral movement or further compromise.
-- Document the incident details and response actions taken for future reference and to improve incident response processes."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml
deleted file mode 100644
index 8afedb028fb..00000000000
--- a/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml
+++ /dev/null
@@ -1,98 +0,0 @@
-[metadata]
-creation_date = "2025/02/18"
-integration = ["pad","okta"]
-maturity = "production"
-updated_date = "2025/02/18"
-
-[rule]
-anomaly_threshold = 75
-author = ["Elastic"]
-description = """
-A machine learning job has identified a user performing privileged operations in Okta from an uncommon source IP, indicating potential privileged access activity.
-This could suggest an account compromise, misuse of administrative privileges, or an attacker leveraging a new network location to escalate privileges.
-"""
-from = "now-1h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "pad_okta_rare_source_ip_by_user"
-name = "Unusual Source IP for Okta Privileged Operations Detected"
-references = [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
-    "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "fbb10f1e-77cb-42f9-994e-5da17fc3fc15"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
-- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide"
-]
-type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Unusual Source IP for Okta Privileged Operations Detected
-
-Okta is a widely used identity management service that controls access to applications and data. Adversaries may exploit Okta by using stolen credentials to perform privileged operations from unfamiliar IP addresses, indicating potential misuse or compromise. The detection rule leverages machine learning to identify deviations in IP usage patterns, flagging unusual access attempts that could signify privilege escalation or account compromise.
-
-### Possible investigation steps
-
-- Review the source IP address flagged by the alert to determine its geolocation and assess if it aligns with the user's typical access patterns or known locations.
-- Check the Okta logs for the specific user account to identify any other recent activities from the same IP address or any other unusual IP addresses.
-- Investigate the timing and nature of the privileged operations performed to determine if they align with the user's normal behavior or job responsibilities.
-- Correlate the flagged IP address with any known threat intelligence feeds to check for any history of malicious activity associated with it.
-- Contact the user to verify if they were aware of the access attempt and if they have recently used a new network location or VPN service.
-- Examine any recent changes to the user's account settings or permissions that could indicate unauthorized modifications.
-
-### False positive analysis
-
-- Employees traveling or working remotely may trigger alerts due to accessing Okta from new IP addresses. To manage this, maintain a list of known IP ranges for remote work and travel, and configure exceptions for these ranges.
-- Use of VPNs or proxy services can result in access from unfamiliar IPs. Regularly update the list of approved VPN or proxy IP addresses and exclude them from triggering alerts.
-- Changes in corporate network infrastructure, such as new IP allocations, can cause false positives. Ensure that any changes in network configurations are communicated to the security team to update the detection rule's exceptions.
-- Scheduled maintenance or testing activities by IT staff might appear as unusual access. Document and whitelist IP addresses used during these activities to prevent unnecessary alerts.
-- Third-party integrations or services that access Okta on behalf of users can be mistaken for suspicious activity. Identify and whitelist these services' IP addresses to avoid false positives.
-
-### Response and remediation
-
-- Immediately isolate the affected user account by temporarily disabling it to prevent further unauthorized access.
-- Conduct a thorough review of recent privileged operations performed by the affected account to identify any unauthorized changes or data access.
-- Reset the password for the compromised account and enforce multi-factor authentication (MFA) to enhance security.
-- Notify the security team and relevant stakeholders about the potential compromise for further investigation and monitoring.
-- Review and update access logs to ensure all unusual IP addresses are flagged and monitored for any future access attempts.
-- Implement network-based restrictions to block the identified unusual IP address from accessing the Okta environment.
-- Conduct a post-incident analysis to identify the root cause and update security policies and procedures to prevent similar incidents in the future."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml
deleted file mode 100644
index 2aa4d26b546..00000000000
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml
+++ /dev/null
@@ -1,108 +0,0 @@
-[metadata]
-creation_date = "2025/02/18"
-integration = ["pad","okta"]
-maturity = "production"
-updated_date = "2025/02/18"
-
-[rule]
-anomaly_threshold = 75
-author = ["Elastic"]
-description = """
-A machine learning job has identified an unusual spike in Okta group application assignment change events, indicating potential privileged access activity.
-Threat actors might be assigning applications to groups to escalate access, maintain persistence, or facilitate lateral movement within an organization’s environment.
-"""
-from = "now-3h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "pad_okta_spike_in_group_application_assignment_changes"
-name = "Spike in Group Application Assignment Change Events"
-references = [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
-    "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "3278313c-d6cd-4d49-aa24-644e1da6623c"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
-- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide"
-]
-type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Spike in Group Application Assignment Change Events
-
-In modern environments, identity and access management systems like Okta manage user access to applications. Adversaries may exploit these systems by altering group application assignments to gain unauthorized access or escalate privileges. The detection rule leverages machine learning to identify unusual spikes in these changes, signaling potential misuse and enabling timely investigation of privilege escalation activities.
-
-### Possible investigation steps
-
-- Review the specific group application assignment change events that triggered the alert to identify which groups and applications were involved.
-- Analyze the timeline of the changes to determine if there is a pattern or specific time frame when the spike occurred.
-- Investigate the user accounts associated with the changes to assess if they have a history of suspicious activity or if they belong to high-risk roles.
-- Check for any recent changes in group membership or application access policies that could explain the spike in assignment changes.
-- Correlate the events with other security alerts or logs to identify any concurrent suspicious activities, such as failed login attempts or unusual access patterns.
-- Consult with the IT or security team to verify if there were any legitimate administrative activities or changes that could have caused the spike.
-
-### False positive analysis
-
-- Routine administrative changes in group application assignments can trigger false positives. Regularly review and document these changes to differentiate them from suspicious activities.
-- Automated processes or scripts that frequently update group assignments may cause spikes. Identify and whitelist these processes to prevent unnecessary alerts.
-- Organizational restructuring or onboarding/offboarding activities can lead to increased group assignment changes. Temporarily adjust the detection thresholds or exclude these events during known periods of high activity.
-- Changes related to application updates or migrations might be flagged. Coordinate with IT teams to schedule these changes and exclude them from monitoring during the update window.
-- Frequent changes by trusted users or administrators can be excluded by creating exceptions for specific user accounts or roles, ensuring that only unexpected changes trigger alerts.
-
-### Response and remediation
-
-- Immediately isolate affected user accounts and groups to prevent further unauthorized access or privilege escalation.
-- Revert any unauthorized group application assignments to their previous state to mitigate potential misuse.
-- Conduct a thorough review of recent changes in group application assignments to identify any additional unauthorized modifications.
-- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems or accounts have been compromised.
-- Implement additional monitoring on the affected accounts and groups to detect any further suspicious activity.
-- Review and update access controls and group assignment policies to prevent similar unauthorized changes in the future.
-- Coordinate with the IT and security teams to ensure that all affected systems and applications are patched and secured against known vulnerabilities."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml
deleted file mode 100644
index 6b501e7bf02..00000000000
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml
+++ /dev/null
@@ -1,103 +0,0 @@
-[metadata]
-creation_date = "2025/02/18"
-integration = ["pad","okta"]
-maturity = "production"
-updated_date = "2025/02/18"
-
-[rule]
-anomaly_threshold = 75
-author = ["Elastic"]
-description = """
-A machine learning job has identified an unusual spike in Okta group lifecycle change events, indicating potential privileged access activity.
-Adversaries may be altering group structures to escalate privileges, maintain persistence, or facilitate lateral movement within an organization’s identity management system.
-"""
-from = "now-3h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "pad_okta_spike_in_group_lifecycle_changes"
-name = "Spike in Group Lifecycle Change Events"
-references = [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
-    "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "aa28f01d-bc93-4c8f-bc01-6f67f2a0a833"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
-- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide"
-]
-type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Spike in Group Lifecycle Change Events
-
-In identity management systems like Okta, group lifecycle changes are crucial for managing user access and permissions. Adversaries may exploit these changes to escalate privileges or maintain unauthorized access. The detection rule leverages machine learning to identify unusual spikes in these events, signaling potential misuse. By focusing on privilege escalation tactics, it helps security analysts pinpoint and investigate suspicious activities.
-
-### Possible investigation steps
-
-- Review the specific group lifecycle change events that triggered the alert to identify which groups were altered and the nature of the changes.
-- Examine the user accounts associated with the changes to determine if they have a history of suspicious activity or if they have recently been granted elevated privileges.
-- Check the timestamps of the group changes to see if they coincide with other unusual activities or known attack patterns within the organization.
-- Investigate any recent access requests or approvals related to the affected groups to ensure they were legitimate and authorized.
-- Correlate the group changes with other security alerts or logs to identify potential lateral movement or privilege escalation attempts by adversaries.
-- Assess the current membership of the affected groups to ensure no unauthorized users have been added or legitimate users removed.
-
-### False positive analysis
-
-- Routine administrative changes in group memberships can trigger false positives. Security teams should identify and whitelist these regular activities to prevent unnecessary alerts.
-- Automated processes or scripts that modify group structures for legitimate reasons may cause spikes. Exclude these known processes by creating exceptions in the detection rule.
-- Large-scale onboarding or offboarding events can lead to a temporary increase in group lifecycle changes. Coordinate with HR or relevant departments to anticipate these events and adjust monitoring thresholds accordingly.
-- Changes due to system integrations or updates might be misinterpreted as suspicious. Document and exclude these events by maintaining an updated list of integration activities.
-- Regular audits or compliance checks that involve group modifications should be recognized and filtered out to avoid false alarms.
-
-### Response and remediation
-
-- Immediately isolate affected user accounts and groups to prevent further unauthorized access or privilege escalation. This can be done by temporarily disabling accounts or removing them from critical groups.
-- Conduct a thorough review of recent group lifecycle changes to identify unauthorized modifications. Revert any unauthorized changes to restore the original group structures and permissions.
-- Implement additional monitoring on the affected accounts and groups to detect any further suspicious activities. This includes setting up alerts for any new group changes or access attempts.
-- Escalate the incident to the security operations team for a deeper investigation into potential lateral movement or persistence mechanisms used by the adversary.
-- Review and update access controls and group management policies to ensure they align with the principle of least privilege, minimizing the risk of privilege escalation.
-- Coordinate with the IT and security teams to apply patches or updates to any vulnerabilities identified during the investigation that may have been exploited for privilege escalation.
-- Document the incident, including all actions taken, and conduct a post-incident review to identify lessons learned and improve future response strategies."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
deleted file mode 100644
index 52850c7584a..00000000000
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
+++ /dev/null
@@ -1,103 +0,0 @@
-[metadata]
-creation_date = "2025/02/18"
-integration = ["pad","okta"]
-maturity = "production"
-updated_date = "2025/02/18"
-
-[rule]
-anomaly_threshold = 75
-author = ["Elastic"]
-description = """
-A machine learning job has identified an unusual spike in Okta group membership events, indicating potential privileged access activity.
-Attackers or malicious insiders might be adding accounts to privileged groups to escalate their access, potentially leading to unauthorized actions or data breaches.
-"""
-from = "now-3h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "pad_okta_spike_in_group_membership_changes"
-name = "Spike in Group Membership Events"
-references = [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
-    "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "138520d2-11ff-4288-a80e-a45b36dca4b1"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
-- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide"
-]
-type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Spike in Group Membership Events
-
-In modern IT environments, group membership management is crucial for controlling access to resources. Adversaries may exploit this by adding accounts to privileged groups, thereby escalating their access rights. The detection rule leverages machine learning to identify unusual spikes in group membership events, signaling potential unauthorized access attempts. This proactive approach helps in mitigating risks associated with privilege escalation.
-
-### Possible investigation steps
-
-- Review the specific Okta group membership events that triggered the alert to identify which accounts were added to privileged groups.
-- Cross-reference the accounts added with known user roles and responsibilities to determine if the changes align with expected access patterns.
-- Check recent activity logs for the accounts added to privileged groups to identify any suspicious or unauthorized actions following the group membership change.
-- Investigate the source of the group membership changes, including the user or system that initiated the changes, to assess if it was a legitimate administrative action.
-- Analyze historical data for similar spikes in group membership events to determine if this is part of a recurring pattern or an isolated incident.
-- Consult with the IT or security team to verify if there were any recent changes in access policies or group management procedures that could explain the spike.
-
-### False positive analysis
-
-- Routine administrative tasks may trigger spikes in group membership events, such as scheduled updates or onboarding processes. Users can create exceptions for these known activities to prevent false alerts.
-- Automated scripts or tools that manage group memberships for legitimate purposes might cause false positives. Identifying and excluding these scripts from monitoring can reduce unnecessary alerts.
-- Changes in group membership due to organizational restructuring or policy updates can appear as spikes. Documenting these changes and adjusting the detection parameters accordingly can help mitigate false positives.
-- Frequent legitimate access requests to privileged groups during specific business cycles, like end-of-quarter financial reviews, can be excluded by setting time-based exceptions.
-- Regular audits or compliance checks that involve temporary access to privileged groups should be accounted for by creating temporary exceptions during these periods.
-
-### Response and remediation
-
-- Immediately isolate the affected accounts by removing them from any privileged groups to prevent further unauthorized access.
-- Conduct a thorough review of recent group membership changes in Okta to identify any other unauthorized additions and remove them as necessary.
-- Reset passwords and enforce multi-factor authentication for the affected accounts to secure them against further compromise.
-- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
-- Implement additional monitoring on the affected accounts and privileged groups to detect any further suspicious activity.
-- Review and update access control policies to ensure that only authorized personnel can modify group memberships, reducing the risk of future unauthorized changes.
-- Document the incident and response actions taken, and conduct a post-incident review to identify any gaps in the current security posture and improve future response efforts."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml
deleted file mode 100644
index 7dbba917a9b..00000000000
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml
+++ /dev/null
@@ -1,108 +0,0 @@
-[metadata]
-creation_date = "2025/02/18"
-integration = ["pad","okta"]
-maturity = "production"
-updated_date = "2025/02/18"
-
-[rule]
-anomaly_threshold = 75
-author = ["Elastic"]
-description = """
-A machine learning job has identified an unusual spike in Okta group privilege change events, indicating potential privileged access activity.
-Attackers might be elevating privileges by adding themselves or compromised accounts to high-privilege groups, enabling further access or persistence.
-"""
-from = "now-3h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "pad_okta_spike_in_group_privilege_changes"
-name = "Spike in Group Privilege Change Events"
-references = [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
-    "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "02b4420d-eda2-4529-9e46-4a60eccb7e2d"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
-- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide"
-]
-type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Spike in Group Privilege Change Events
-
-In environments using Okta, group privilege changes are crucial for managing access. Adversaries may exploit this by adding themselves to privileged groups, gaining unauthorized access. The detection rule leverages machine learning to identify unusual spikes in these events, signaling potential privilege escalation attempts, thus aiding in early threat detection and response.
-
-### Possible investigation steps
-
-- Review the specific group privilege change events identified by the machine learning job to determine which accounts were added to privileged groups.
-- Cross-reference the accounts involved in the privilege changes with recent login activity to identify any unusual or suspicious access patterns.
-- Check the history of privilege changes for the affected groups to see if there is a pattern of unauthorized access or if this is an isolated incident.
-- Investigate the source IP addresses and locations associated with the privilege change events to identify any anomalies or unexpected geolocations.
-- Examine any recent changes to the accounts involved, such as password resets or multi-factor authentication (MFA) modifications, to assess if they have been compromised.
-- Collaborate with the affected users or their managers to verify if the privilege changes were authorized and legitimate.
-
-### False positive analysis
-
-- Routine administrative tasks may trigger spikes in group privilege changes. Regularly scheduled audits or updates to group memberships should be documented and excluded from alerts.
-- Automated scripts or tools that manage user access can cause frequent changes. Identify these scripts and create exceptions for their activity to prevent false positives.
-- Organizational restructuring or mergers often lead to bulk updates in group privileges. During these periods, temporarily adjust the sensitivity of the detection rule or whitelist specific activities.
-- Onboarding or offboarding processes can result in a high volume of legitimate group changes. Coordinate with HR and IT to anticipate these events and adjust monitoring accordingly.
-- Changes in security policies or compliance requirements might necessitate widespread privilege adjustments. Ensure these policy-driven changes are communicated to the security team to avoid unnecessary alerts.
-
-### Response and remediation
-
-- Immediately isolate the affected accounts by removing them from any high-privilege groups to prevent further unauthorized access.
-- Conduct a thorough review of recent group membership changes in Okta to identify any other unauthorized privilege escalations.
-- Reset passwords and enforce multi-factor authentication for the affected accounts to secure them against further compromise.
-- Notify the security team and relevant stakeholders about the incident for awareness and potential escalation if further suspicious activity is detected.
-- Implement additional monitoring on the affected accounts and privileged groups to detect any further unauthorized changes or access attempts.
-- Review and update access control policies to ensure that only authorized personnel can modify group memberships, reducing the risk of future privilege escalation.
-- Document the incident, including all actions taken, to improve response strategies and inform future security measures."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml
deleted file mode 100644
index cac477ef970..00000000000
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml
+++ /dev/null
@@ -1,102 +0,0 @@
-[metadata]
-creation_date = "2025/02/18"
-integration = ["pad","okta"]
-maturity = "production"
-updated_date = "2025/02/18"
-
-[rule]
-anomaly_threshold = 75
-author = ["Elastic"]
-description = """
-A machine learning job has identified an unusual spike in Okta user lifecycle management change events, indicating potential privileged access activity.
-Threat actors may manipulate user accounts to gain higher access rights or persist within the environment.
-"""
-from = "now-3h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "pad_okta_spike_in_user_lifecycle_management_changes"
-name = "Spike in User Lifecycle Management Change Events"
-references = [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
-    "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "178770e0-5c20-4246-b430-e216a2888b23"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
-- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide"
-]
-type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Spike in User Lifecycle Management Change Events
-
-User lifecycle management in environments like Okta involves creating, modifying, and deleting user accounts. Adversaries may exploit this by manipulating accounts to escalate privileges or maintain access. The detection rule leverages machine learning to identify unusual spikes in these events, signaling potential misuse. By focusing on anomalies, it aids in early detection of privilege escalation tactics.
-
-### Possible investigation steps
-
-- Review the specific user accounts involved in the lifecycle management change events to identify any patterns or anomalies, such as multiple changes in a short period or changes made by unusual sources.
-- Check the timestamps of the change events to determine if they align with normal business hours or if they occurred during unusual times, which might indicate suspicious activity.
-- Investigate the source IP addresses and locations associated with the change events to identify any unusual or unauthorized access points.
-- Examine the types of changes made to the user accounts, such as privilege escalations or role modifications, to assess if they align with legitimate business needs.
-- Cross-reference the user accounts involved with recent security alerts or incidents to determine if they have been previously flagged for suspicious activity.
-- Consult with the account owners or relevant department heads to verify if the changes were authorized and necessary for business operations.
-
-### False positive analysis
-
-- Routine administrative tasks such as bulk user account updates or scheduled maintenance can trigger spikes in user lifecycle management events. To manage this, create exceptions for known maintenance windows or bulk operations.
-- Automated processes or scripts that regularly modify user accounts may cause false positives. Identify these processes and exclude them from the detection rule to prevent unnecessary alerts.
-- Onboarding or offboarding periods with high user account activity can lead to spikes. Adjust the detection thresholds temporarily during these periods or exclude specific user groups involved in these activities.
-- Integration with third-party applications that frequently update user attributes might result in false positives. Review and whitelist these applications to reduce noise in the detection system.
-
-### Response and remediation
-
-- Immediately isolate the affected user accounts to prevent further unauthorized access or privilege escalation. This can be done by disabling the accounts or changing their passwords.
-- Review and revoke any unauthorized permissions or roles that were assigned during the spike in user lifecycle management change events. Ensure that only legitimate access rights are restored.
-- Conduct a thorough audit of recent user account changes to identify any additional accounts that may have been manipulated. Pay special attention to accounts with elevated privileges.
-- Notify the security team and relevant stakeholders about the incident to ensure awareness and coordination for further investigation and response.
-- Implement additional monitoring on the affected accounts and related systems to detect any further suspicious activity or attempts to regain unauthorized access.
-- Escalate the incident to higher-level security management if the scope of the breach is extensive or if sensitive data may have been compromised.
-- Review and update access management policies and procedures to prevent similar incidents in the future, ensuring that changes to user accounts are logged and regularly reviewed."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml
deleted file mode 100644
index 81252548660..00000000000
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml
+++ /dev/null
@@ -1,105 +0,0 @@
-[metadata]
-creation_date = "2025/02/18"
-integration = ["pad", "endpoint", "windows"]
-maturity = "production"
-updated_date = "2025/02/18"
-
-[rule]
-anomaly_threshold = 75
-author = ["Elastic"]
-description = """
-A machine learning job has identified a spike in group management events for a user, indicating potential privileged access activity.
-The machine learning has flagged an abnormal rise in group management actions (such as adding or removing users from privileged groups),
-which could point to an attempt to escalate privileges or unauthorized modifications to group memberships.
-"""
-from = "now-3h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "pad_windows_high_count_group_management_events"
-name = "Spike in Group Management Events"
-references = [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
-    "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "751b0329-7295-4682-b9c7-4473b99add69"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
-- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide"
-]
-type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Spike in Group Management Events
-
-The detection of spikes in group management events leverages machine learning to monitor and identify unusual patterns in user activities related to group memberships. Adversaries may exploit this by adding or removing users from privileged groups to escalate privileges or alter access controls. The detection rule identifies these anomalies, flagging potential unauthorized modifications indicative of privilege escalation attempts.
-
-### Possible investigation steps
-
-- Review the specific user account associated with the spike in group management events to determine if the activity aligns with their typical behavior or role.
-- Check the timeline of the group management events to identify any patterns or sequences that might suggest unauthorized access or privilege escalation attempts.
-- Investigate the source IP addresses and devices used during the group management events to verify if they are consistent with the user's usual access points or if they indicate potential compromise.
-- Examine recent changes to privileged groups, focusing on additions or removals of users, to assess if these modifications were authorized and necessary.
-- Cross-reference the flagged events with any recent support tickets or change requests to confirm if the actions were legitimate and documented.
-- Look for any other related alerts or anomalies in the same timeframe that might indicate a broader security incident or coordinated attack.
-
-### False positive analysis
-
-- Routine administrative tasks can trigger spikes in group management events, such as scheduled user onboarding or offboarding. To manage this, create exceptions for known periods of increased activity.
-- Automated scripts or tools that manage group memberships might cause false positives. Identify these scripts and exclude their activities from the rule's monitoring.
-- Changes in organizational structure, like department mergers, can lead to legitimate spikes. Document these changes and adjust the rule's sensitivity temporarily.
-- Regular audits or compliance checks that involve group membership reviews may appear as anomalies. Schedule these activities and inform the monitoring team to prevent false alerts.
-- High turnover rates in certain departments can result in frequent group changes. Monitor these departments separately and adjust thresholds accordingly.
-
-### Response and remediation
-
-- Immediately isolate the affected user account by disabling it to prevent further unauthorized group management activities.
-- Review and audit recent changes to group memberships, focusing on privileged groups, to identify any unauthorized additions or removals.
-- Revert any unauthorized changes to group memberships to restore the intended access controls.
-- Conduct a thorough investigation to determine the source of the anomaly, including checking for compromised credentials or insider threats.
-- Reset the password for the affected user account and enforce multi-factor authentication to enhance security.
-- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
-- Implement additional monitoring on the affected account and related privileged groups to detect any further suspicious activities."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml
deleted file mode 100644
index 64756c4dc9b..00000000000
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml
+++ /dev/null
@@ -1,102 +0,0 @@
-[metadata]
-creation_date = "2025/02/18"
-integration = ["pad", "endpoint", "windows"]
-maturity = "production"
-updated_date = "2025/02/18"
-
-[rule]
-anomaly_threshold = 75
-author = ["Elastic"]
-description = """
-A machine learning job has detected a surge in special logon events for a user, indicating potential privileged access activity.
-A sudden spike in these events could suggest an attacker or malicious insider gaining elevated access, possibly for lateral movement or privilege escalation.
-"""
-from = "now-3h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "pad_windows_high_count_special_logon_events"
-name = "Spike in Special Logon Events"
-references = [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
-    "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "097ef0b8-fb21-4e45-ad89-d81666349c6a"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
-- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide"
-]
-type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Spike in Special Logon Events
-
-Special logon events are crucial for tracking privileged access, often indicating administrative actions. Adversaries exploit these by gaining elevated access to perform unauthorized activities, such as lateral movement or privilege escalation. The detection rule leverages machine learning to identify unusual spikes in these events, signaling potential misuse and enabling timely investigation of suspicious privileged access activities.
-
-### Possible investigation steps
-
-- Review the user account associated with the spike in special logon events to determine if the account is expected to have privileged access.
-- Check the time and frequency of the special logon events to identify any unusual patterns or times that deviate from the user's normal behavior.
-- Investigate the source IP addresses and devices from which the special logon events originated to verify if they are known and trusted.
-- Examine recent changes or activities performed by the user account to identify any unauthorized or suspicious actions that may indicate privilege escalation or lateral movement.
-- Correlate the special logon events with other security alerts or logs, such as failed login attempts or changes in user permissions, to gather additional context and evidence of potential malicious activity.
-
-### False positive analysis
-
-- Regular administrative tasks by IT staff can trigger spikes in special logon events. To manage this, create exceptions for known administrative accounts that frequently perform legitimate privileged actions.
-- Scheduled automated processes or scripts that require elevated access may cause false positives. Identify these processes and exclude them from the detection rule to prevent unnecessary alerts.
-- Software updates or system maintenance activities often involve multiple privileged logons. Document these events and adjust the detection thresholds temporarily during known maintenance windows to reduce false positives.
-- Users with roles that inherently require frequent privileged access, such as system administrators or security personnel, may trigger alerts. Maintain a list of such roles and apply exclusions where appropriate to avoid constant alerts for expected behavior.
-
-### Response and remediation
-
-- Immediately isolate the affected user account to prevent further unauthorized access. Disable the account or change its credentials to stop any ongoing malicious activity.
-- Conduct a thorough review of recent activities associated with the affected account to identify any unauthorized changes or access to sensitive systems and data.
-- If lateral movement is suspected, isolate any systems accessed by the compromised account to prevent further spread of the threat.
-- Escalate the incident to the security operations center (SOC) or incident response team for a detailed investigation and to determine the full scope of the breach.
-- Implement additional monitoring on the affected systems and accounts to detect any further suspicious activities or attempts to regain access.
-- Review and update access controls and permissions to ensure that only necessary privileges are granted, reducing the risk of privilege escalation.
-- Enhance detection capabilities by tuning existing monitoring tools to better identify similar spikes in special logon events, leveraging insights from the current incident."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
deleted file mode 100644
index 65600aba0ce..00000000000
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
+++ /dev/null
@@ -1,104 +0,0 @@
-[metadata]
-creation_date = "2025/02/18"
-integration = ["pad", "endpoint", "windows"]
-maturity = "production"
-updated_date = "2025/02/18"
-
-[rule]
-anomaly_threshold = 75
-author = ["Elastic"]
-description = """
-A machine learning job has detected an unusual increase in special privilege usage events, such as privileged operations and service calls, for a user, suggesting potential unauthorized privileged access.
-A sudden spike in these events may indicate an attempt to escalate privileges, execute unauthorized tasks, or maintain persistence within a system.
-"""
-from = "now-3h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "pad_windows_high_count_special_privilege_use_events"
-name = "Spike in Special Privilege Use Events"
-references = [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
-    "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "6fb2280a-d91a-4e64-a97e-1332284d9391"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
-- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide"
-]
-type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Spike in Special Privilege Use Events
-
-Machine learning models monitor special privilege use, identifying anomalies that suggest unauthorized access. Adversaries exploit these privileges to escalate access, execute unauthorized actions, or maintain system persistence. The detection rule leverages ML to spot unusual spikes in privileged operations, flagging potential misuse for further investigation.
-
-### Possible investigation steps
-
-- Review the user account associated with the spike in special privilege use events to determine if the activity aligns with their normal behavior or job role.
-- Examine the specific privileged operations and service calls that were flagged to identify any unusual or unauthorized actions.
-- Check for any recent changes in user permissions or group memberships that could explain the increase in privilege use.
-- Investigate any corresponding logs or alerts around the same timeframe to identify potential indicators of compromise or related suspicious activities.
-- Assess the system or application where the privilege escalation occurred for any signs of exploitation or unauthorized access attempts.
-- Correlate the detected spike with known threat intelligence or recent security advisories to determine if it matches any known attack patterns or vulnerabilities.
-
-### False positive analysis
-
-- Routine administrative tasks by IT personnel can trigger false positives. Regularly review and whitelist known administrative accounts to prevent unnecessary alerts.
-- Scheduled maintenance activities often involve elevated privileges. Document and exclude these activities from monitoring during known maintenance windows.
-- Automated scripts or services that require elevated privileges may cause spikes. Identify and exclude these scripts or services from the rule to reduce false positives.
-- Software updates or installations can lead to temporary spikes in privilege use. Coordinate with IT to recognize these events and adjust monitoring rules accordingly.
-- Frequent legitimate use of privileged operations by certain users or roles should be analyzed. Establish a baseline for these users and adjust the detection threshold to accommodate their normal activity levels.
-
-### Response and remediation
-
-- Immediately isolate the affected user account to prevent further unauthorized privileged operations. Disable the account or change its credentials to stop potential misuse.
-- Conduct a thorough review of recent privileged operations and service calls associated with the user account to identify any unauthorized actions or changes made during the spike.
-- Revoke any unnecessary privileges or access rights from the affected user account to minimize the risk of future exploitation.
-- Implement additional monitoring on the affected system and user account to detect any further suspicious activities or attempts to regain unauthorized access.
-- Escalate the incident to the security operations team for a deeper investigation into potential privilege escalation techniques used, referencing MITRE ATT&CK technique T1068.
-- Review and update access control policies and privilege management practices to ensure they align with the principle of least privilege, reducing the risk of similar incidents.
-- Conduct a post-incident analysis to identify any gaps in detection or response and enhance the machine learning model's ability to detect similar threats in the future."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
deleted file mode 100644
index b9fa58a1cc4..00000000000
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
+++ /dev/null
@@ -1,104 +0,0 @@
-[metadata]
-creation_date = "2025/02/18"
-integration = ["pad", "endpoint", "windows"]
-maturity = "production"
-updated_date = "2025/02/18"
-
-[rule]
-anomaly_threshold = 75
-author = ["Elastic"]
-description = """
-A machine learning job has identified a spike in user account management events for a user, indicating potential privileged access activity.
-This indicates an unusual increase in actions related to managing user accounts (such as creating, modifying, or deleting accounts),
-which could be a sign of an attempt to escalate privileges or unauthorized activity involving account management.
-"""
-from = "now-3h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "pad_windows_high_count_user_account_management_events"
-name = "Spike in User Account Management Events"
-references = [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
-    "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "37cca4d4-92ab-4a33-a4f8-44a7a380ccda"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
-- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide"
-]
-type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Spike in User Account Management Events
-
-The detection rule leverages machine learning to identify unusual spikes in user account management activities, such as account creation or modification, which may indicate privilege escalation attempts. Adversaries exploit these activities to gain unauthorized access or elevate privileges. By analyzing patterns and deviations from normal behavior, the rule helps detect potential misuse, enabling timely intervention.
-
-### Possible investigation steps
-
-- Review the specific user account(s) involved in the spike to determine if the activity aligns with their typical behavior or role within the organization.
-- Examine the timestamps of the account management events to identify any patterns or anomalies, such as activity occurring outside of normal business hours.
-- Check for any recent changes in user permissions or roles that could explain the spike in account management events.
-- Investigate any associated IP addresses or devices used during the account management activities to determine if they are known and trusted within the organization.
-- Look for any correlated alerts or logs that might indicate concurrent suspicious activities, such as failed login attempts or access to sensitive resources.
-- Consult with the user or their manager to verify if the account management activities were authorized and legitimate.
-
-### False positive analysis
-
-- Routine administrative tasks can trigger spikes in user account management events. Regularly scheduled account audits or bulk updates by IT staff may appear as unusual activity. To manage this, create exceptions for known maintenance periods or specific administrative accounts.
-- Automated scripts or tools used for user provisioning and de-provisioning can cause false positives. Identify these scripts and exclude their activity from the rule to prevent unnecessary alerts.
-- Onboarding or offboarding processes that involve creating or deleting multiple user accounts in a short period can be mistaken for privilege escalation attempts. Document these processes and adjust the rule to recognize these patterns as normal behavior.
-- Changes in organizational structure, such as mergers or departmental shifts, may lead to increased account management activities. Update the rule to accommodate these changes by temporarily adjusting thresholds or excluding specific user groups during transition periods.
-
-### Response and remediation
-
-- Immediately isolate the affected user account to prevent further unauthorized access or privilege escalation. This can be done by disabling the account or changing its password.
-- Review recent account management activities for the affected user to identify any unauthorized changes or suspicious patterns. This includes checking for new account creations, modifications, or deletions.
-- Conduct a thorough audit of the affected system and network segment to identify any additional compromised accounts or systems. Look for signs of lateral movement or further exploitation attempts.
-- Revert any unauthorized changes made to user accounts or system configurations to their original state, ensuring that no backdoors or unauthorized access points remain.
-- Notify the security team and relevant stakeholders about the incident, providing them with details of the spike in user account management events and any identified malicious activities.
-- Implement additional monitoring and alerting for the affected user account and related systems to detect any further suspicious activities promptly.
-- Review and update access controls and user account management policies to prevent similar incidents in the future, ensuring that only authorized personnel have the necessary privileges."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml
deleted file mode 100644
index f0cc44add56..00000000000
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml
+++ /dev/null
@@ -1,99 +0,0 @@
-[metadata]
-creation_date = "2025/02/18"
-integration = ["pad", "endpoint", "windows"]
-maturity = "production"
-updated_date = "2025/02/18"
-
-[rule]
-anomaly_threshold = 75
-author = ["Elastic"]
-description = """
-A machine learning job has identified a user performing privileged operations in Windows from an uncommon device, indicating potential privileged access activity.
-This could signal a compromised account, an attacker using stolen credentials, or an insider threat leveraging an unauthorized device to escalate privileges.
-"""
-from = "now-1h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "pad_windows_rare_device_by_user"
-name = "Unusual Host Name for Windows Privileged Operations Detected"
-references = [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
-    "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "2bca4fcd-5228-4472-9071-148903a31057"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
-- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide"
-]
-type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Unusual Host Name for Windows Privileged Operations Detected
-
-Machine learning models analyze patterns of privileged operations in Windows environments to identify anomalies, such as access from uncommon devices. Adversaries may exploit stolen credentials or unauthorized devices to escalate privileges. This detection rule flags such anomalies, indicating potential threats like compromised accounts or insider attacks, by assessing deviations from typical host usage patterns.
-
-### Possible investigation steps
-
-- Review the alert details to identify the specific user and host involved in the unusual privileged operation.
-- Check the historical login patterns for the user to determine if the host has been used previously or if this is a new occurrence.
-- Investigate the host's identity and location to assess if it aligns with the user's typical access patterns or if it appears suspicious.
-- Examine recent activity logs for the user and host to identify any other unusual or unauthorized actions that may indicate a broader compromise.
-- Verify if there are any known vulnerabilities or security incidents associated with the host that could have facilitated unauthorized access.
-- Contact the user to confirm whether they recognize the host and the privileged operations performed, ensuring to rule out legitimate use.
-
-### False positive analysis
-
-- Users accessing systems from new or temporary devices, such as during travel or remote work, may trigger false positives. Regularly update the list of approved devices for users who frequently change their access points.
-- IT administrators performing maintenance or updates from different machines can be mistaken for suspicious activity. Implement a process to log and approve such activities in advance to prevent unnecessary alerts.
-- Employees using virtual machines or remote desktop services might appear as accessing from uncommon devices. Ensure these environments are recognized and whitelisted if they are part of regular operations.
-- Changes in network infrastructure, such as new IP addresses or subnets, can lead to false positives. Keep the machine learning model updated with the latest network configurations to minimize these alerts.
-- Temporary use of shared devices in collaborative workspaces can trigger alerts. Establish a protocol for logging shared device usage to differentiate between legitimate and suspicious activities.
-
-### Response and remediation
-
-- Immediately isolate the affected device from the network to prevent further unauthorized access or lateral movement.
-- Revoke or reset the credentials of the compromised account to prevent further misuse and unauthorized access.
-- Conduct a thorough review of recent privileged operations performed by the affected account to identify any unauthorized changes or actions.
-- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
-- Implement additional monitoring on the affected account and device to detect any further suspicious activities.
-- Review and update access controls and permissions to ensure that only authorized devices and users can perform privileged operations.
-- Consider implementing multi-factor authentication (MFA) for privileged accounts to enhance security and prevent unauthorized access."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
deleted file mode 100644
index 204de8e5076..00000000000
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
+++ /dev/null
@@ -1,119 +0,0 @@
-[metadata]
-creation_date = "2025/02/18"
-integration = ["pad", "endpoint", "windows"]
-maturity = "production"
-updated_date = "2025/02/18"
-
-[rule]
-anomaly_threshold = 75
-author = ["Elastic"]
-description = """
-A machine learning job has detected a user accessing an uncommon group name for privileged operations, indicating potential privileged access activity.
-This indicates that a user has accessed a group name that is unusual for their typical operations, particularly for actions requiring elevated privileges.
-This could point to an attempt to manipulate group memberships or escalate privileges on a system.
-"""
-from = "now-1h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "pad_windows_rare_group_name_by_user"
-name = "Unusual Group Name Accessed by a User"
-references = [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
-    "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "fb5d91d0-3b94-4f91-bf20-b6fbc4b2480a"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
-- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide"
-]
-type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Unusual Group Name Accessed by a User
-
-In IT environments, group names often define access levels and permissions. Adversaries may exploit this by accessing or altering uncommon group names to escalate privileges. The detection rule leverages machine learning to identify deviations from a user's typical access patterns, flagging unusual group name access as a potential indicator of privilege escalation attempts. This proactive approach helps in early detection of unauthorized access activities.
-
-### Possible investigation steps
-
-- Review the alert details to identify the specific user and the unusual group name accessed. Note the timestamp of the access for further context.
-- Check the user's historical access patterns to determine if this group name access is indeed anomalous compared to their typical behavior.
-- Investigate the permissions and roles associated with the unusual group name to assess the potential impact of the access.
-- Examine recent changes to the user's account, such as password resets or modifications to account settings, which might indicate account compromise.
-- Correlate this event with other security alerts or logs, such as login attempts from unusual locations or times, to identify potential indicators of compromise.
-- Contact the user or their manager to verify if the access was legitimate and authorized, documenting any explanations provided.
-- If unauthorized access is suspected, initiate a security incident response process to mitigate any potential threats and prevent further unauthorized access.
-
-### False positive analysis
-
-- Routine administrative tasks may trigger alerts if administrators access uncommon group names for legitimate system maintenance. To manage this, create exceptions for known administrative accounts performing regular tasks.
-- Automated scripts or services that require access to various group names for operational purposes might be flagged. Identify these scripts and whitelist their activities to prevent false positives.
-- Temporary project groups or newly created groups for specific tasks can appear unusual. Document and monitor these groups, and update the machine learning model to recognize them as non-threatening.
-- Cross-departmental collaborations may involve users accessing group names outside their usual scope. Establish a process to review and approve such access, and adjust the detection rule to accommodate these scenarios.
-- Changes in user roles or responsibilities can lead to access pattern deviations. Ensure that role changes are communicated to the security team to update access baselines accordingly.
-
-### Response and remediation
-
-- Immediately isolate the affected user account to prevent further unauthorized access or privilege escalation. This can be done by disabling the account or changing its password.
-- Review and audit the group membership changes associated with the unusual group name to identify any unauthorized modifications. Revert any unauthorized changes to restore the original group settings.
-- Conduct a thorough investigation of the user's recent activities to identify any other suspicious actions or access patterns that may indicate further compromise.
-- Notify the security team and relevant stakeholders about the potential privilege escalation attempt to ensure awareness and coordinated response efforts.
-- Implement additional monitoring on the affected user account and the unusual group name to detect any further unauthorized access attempts.
-- Review and update access control policies to ensure that only authorized users have access to sensitive group names and privileged operations.
-- Consider implementing additional security measures, such as multi-factor authentication, for accessing sensitive group names to prevent unauthorized access in the future."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1069"
-name = "Permission Groups Discovery"
-reference = "https://attack.mitre.org/techniques/T1069/"
-
-[rule.threat.tactic]
-id = "TA0007"
-name = "Discovery"
-reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
deleted file mode 100644
index 1c98a8dd459..00000000000
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
+++ /dev/null
@@ -1,104 +0,0 @@
-[metadata]
-creation_date = "2025/02/18"
-integration = ["pad", "endpoint", "windows"]
-maturity = "production"
-updated_date = "2025/02/18"
-
-[rule]
-anomaly_threshold = 75
-author = ["Elastic"]
-description = """
-A machine learning job has identified a user leveraging an uncommon privilege type for privileged operations, indicating potential privileged access activity.
-This indicates that a user is performing operations requiring elevated privileges but is using a privilege type that is not typically seen in their baseline logs.
-"""
-from = "now-1h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "pad_windows_rare_privilege_assigned_to_user"
-name = "Unusual Privilege Type assigned to a User"
-references = [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
-    "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "27569131-560e-441e-b556-0b9180af3332"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
-- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide"
-]
-type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Unusual Privilege Type assigned to a User
-
-In modern IT environments, privilege management is crucial for maintaining security. Adversaries may exploit uncommon privilege types to perform unauthorized actions, bypassing standard detection. The detection rule leverages machine learning to identify deviations from normal privilege usage patterns, flagging potential privilege escalation attempts. By analyzing user behavior against established baselines, it helps detect and mitigate unauthorized access risks.
-
-### Possible investigation steps
-
-- Review the user's recent activity logs to identify any unusual or unauthorized actions associated with the uncommon privilege type.
-- Cross-reference the identified privilege type with the user's role and responsibilities to determine if the usage is justified or anomalous.
-- Check for any recent changes in the user's account settings or privilege assignments that could explain the deviation from the baseline.
-- Investigate any recent system or application changes that might have introduced new privilege types or altered existing ones.
-- Consult with the user's manager or relevant department to verify if there was a legitimate need for the unusual privilege type usage.
-- Analyze the timeline of events leading up to the alert to identify any potential indicators of compromise or privilege escalation attempts.
-
-### False positive analysis
-
-- Users with multiple roles may trigger false positives if they occasionally use privileges associated with less common roles. Regularly review and update role-based access controls to ensure they reflect current responsibilities.
-- Temporary project assignments can lead to unusual privilege usage. Implement a process to document and approve temporary privilege changes, and exclude these documented cases from triggering alerts.
-- System administrators or IT staff might use uncommon privileges during maintenance or troubleshooting. Establish a whitelist for known maintenance activities and exclude these from the detection rule.
-- Automated scripts or applications that require elevated privileges might be flagged. Ensure these scripts are registered and their privilege usage is documented, then exclude them from the rule.
-- New employees or contractors may initially use privileges that seem unusual. Monitor their activity closely during the onboarding period and adjust baselines as their normal usage patterns become clear.
-
-### Response and remediation
-
-- Immediately isolate the affected user account to prevent further unauthorized access or privilege escalation. This can be done by disabling the account or changing its credentials.
-- Review and revoke any unusual or unnecessary privileges assigned to the user account to ensure it aligns with their normal operational requirements.
-- Conduct a thorough audit of recent activities performed by the user account to identify any unauthorized actions or data access that may have occurred.
-- Notify the security operations team and relevant stakeholders about the incident for further investigation and to ensure coordinated response efforts.
-- Implement additional monitoring on the affected user account and similar accounts to detect any further suspicious activities or privilege misuse.
-- Update and reinforce access control policies to prevent similar privilege escalation attempts, ensuring that privilege assignments are regularly reviewed and validated.
-- Document the incident details, response actions taken, and lessons learned to improve future incident response and privilege management processes."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1068"
-name = "Exploitation for Privilege Escalation"
-reference = "https://attack.mitre.org/techniques/T1068/"
-
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml
deleted file mode 100644
index d48ce24dbc0..00000000000
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml
+++ /dev/null
@@ -1,99 +0,0 @@
-[metadata]
-creation_date = "2025/02/18"
-integration = ["pad", "endpoint", "windows"]
-maturity = "production"
-updated_date = "2025/02/18"
-
-[rule]
-anomaly_threshold = 75
-author = ["Elastic"]
-description = """
-A machine learning job has identified a user performing privileged operations in Windows from an uncommon geographical location, indicating potential privileged access activity.
-This could suggest a compromised account, unauthorized access, or an attacker using stolen credentials to escalate privileges.
-"""
-from = "now-1h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "pad_windows_rare_region_name_by_user"
-name = "Unusual Region Name for Windows Privileged Operations Detected"
-references = [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
-    "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "d2703b82-f92c-4489-a4a7-62aa29a62542"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
-- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide"
-]
-type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Unusual Region Name for Windows Privileged Operations Detected
-
-The detection leverages machine learning to identify privileged operations from atypical geographic locations, which may indicate compromised accounts or unauthorized access. Adversaries exploit this by using stolen credentials to perform privilege escalation. The rule flags such anomalies, aiding in early detection of potential security breaches.
-
-### Possible investigation steps
-
-- Review the alert details to identify the user account involved and the specific geographic location flagged as unusual.
-- Check the user's recent login history and patterns to determine if the location is indeed uncommon for this user.
-- Investigate any recent changes to the user's account, such as password resets or modifications to account permissions, that could indicate compromise.
-- Correlate the alert with other security events or logs, such as VPN connections or remote access logs, to identify any unauthorized access attempts.
-- Contact the user to verify if they were traveling or using a legitimate remote access method from the flagged location.
-- Assess the risk by determining if the privileged operations performed align with the user's role and responsibilities within the organization.
-
-### False positive analysis
-
-- Users traveling for business or personal reasons may trigger alerts when accessing systems from uncommon locations. To manage this, create exceptions for known travel patterns or use a VPN to simulate access from a common location.
-- Remote employees or contractors working from different regions might cause false positives. Regularly update the list of approved remote work locations to prevent unnecessary alerts.
-- Use of cloud services or VPNs that route traffic through different geographic locations can lead to false positives. Implement a whitelist for known IP addresses associated with these services.
-- Scheduled maintenance or administrative tasks performed by IT staff from different locations can be mistaken for unauthorized access. Document and schedule these activities to avoid triggering alerts.
-- Employees using personal devices with location services disabled may appear to be accessing from unusual regions. Encourage the use of company-approved devices with location tracking enabled to ensure accurate detection.
-
-### Response and remediation
-
-- Immediately isolate the affected user account to prevent further unauthorized access. Disable the account temporarily until the investigation is complete.
-- Review recent login activity and privileged operations performed by the affected account to identify any unauthorized changes or actions.
-- Reset the password for the compromised account and enforce multi-factor authentication (MFA) to enhance security.
-- Conduct a thorough review of the affected system and network for any signs of additional compromise or lateral movement by the attacker.
-- Notify the security team and relevant stakeholders about the incident for awareness and further action if needed.
-- Restore any unauthorized changes made during the incident from backups or logs, ensuring system integrity is maintained.
-- Update security policies and access controls to prevent similar incidents, focusing on restricting privileged operations from uncommon geographic locations."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml
deleted file mode 100644
index d949acd50f7..00000000000
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml
+++ /dev/null
@@ -1,98 +0,0 @@
-[metadata]
-creation_date = "2025/02/18"
-integration = ["pad", "endpoint", "windows"]
-maturity = "production"
-updated_date = "2025/02/18"
-
-[rule]
-anomaly_threshold = 75
-author = ["Elastic"]
-description = """
-A machine learning job has identified a user performing privileged operations in Windows from an uncommon source IP, indicating potential privileged access activity.
-This could suggest an account compromise, misuse of administrative privileges, or an attacker leveraging a new network location to escalate privileges.
-"""
-from = "now-1h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "pad_windows_rare_source_ip_by_user"
-name = "Unusual Source IP for Windows Privileged Operations Detected"
-references = [
-    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
-    "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "08be5599-3719-4bbd-8cbc-7e9cff556881"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
-- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
-    "Use Case: Privileged Access Detection",
-    "Rule Type: ML",
-    "Rule Type: Machine Learning",
-    "Tactic: Privilege Escalation",
-    "Resources: Investigation Guide"
-]
-type = "machine_learning"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Unusual Source IP for Windows Privileged Operations Detected
-
-Machine learning models analyze network patterns to identify anomalies, such as privileged operations from uncommon IPs. Adversaries may exploit this by using compromised accounts or new network locations to escalate privileges. This detection rule leverages ML to flag such deviations, indicating potential misuse or compromise, aiding in early threat identification and response.
-
-### Possible investigation steps
-
-- Review the source IP address flagged by the alert to determine if it is associated with known or trusted locations, such as corporate offices or VPN endpoints.
-- Check the user account involved in the alert for any recent changes or unusual activity, such as password resets, privilege changes, or login attempts from other uncommon locations.
-- Analyze the timeline of the privileged operations performed to identify any patterns or sequences that may indicate malicious intent or unauthorized access.
-- Correlate the alert with other security events or logs, such as firewall logs, VPN logs, or endpoint security alerts, to gather additional context about the source IP and user activity.
-- Investigate any recent changes in network configurations or access policies that might explain the unusual source IP, such as new VPN configurations or changes in IP address allocations.
-
-### False positive analysis
-
-- Employees working remotely or traveling may trigger alerts due to accessing systems from new IP addresses. Regularly update the list of known IP addresses for remote workers to reduce false positives.
-- Use of VPNs or proxy services can result in unusual IP addresses being flagged. Maintain a whitelist of IP addresses associated with approved VPN or proxy services.
-- Scheduled maintenance or administrative tasks performed by IT staff from different network locations might be misidentified. Document and exclude these known activities from triggering alerts.
-- Cloud service providers often use dynamic IP ranges that can appear unusual. Identify and whitelist IP ranges associated with trusted cloud services to prevent unnecessary alerts.
-- Implement a review process for flagged events to quickly identify and dismiss benign activities, ensuring that only genuine threats are escalated for further investigation.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
-- Verify the legitimacy of the source IP by cross-referencing with known IP addresses and geolocations associated with the user. If the IP is confirmed to be malicious, block it at the firewall and update threat intelligence feeds.
-- Reset the credentials of the compromised account and enforce a password change for all accounts with similar access levels to prevent further unauthorized access.
-- Conduct a thorough review of recent privileged operations performed by the affected account to identify any unauthorized changes or data access, and revert any malicious modifications.
-- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems or accounts have been compromised.
-- Implement additional monitoring on the affected system and user account to detect any further suspicious activity, leveraging enhanced logging and alerting mechanisms.
-- Review and update access controls and privilege management policies to ensure that only necessary privileges are granted, reducing the risk of privilege escalation in the future."""
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file