From 8c71bc7d13d902100e9508b84250ddba8ef5cbd7 Mon Sep 17 00:00:00 2001 From: susan Date: Mon, 9 Jun 2025 09:09:05 -0400 Subject: [PATCH] Update rare scripts docs --- .../en/stack/ml/anomaly-detection/ootb-ml-jobs-siem.asciidoc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/en/stack/ml/anomaly-detection/ootb-ml-jobs-siem.asciidoc b/docs/en/stack/ml/anomaly-detection/ootb-ml-jobs-siem.asciidoc index 797f50312..bebf3e054 100644 --- a/docs/en/stack/ml/anomaly-detection/ootb-ml-jobs-siem.asciidoc +++ b/docs/en/stack/ml/anomaly-detection/ootb-ml-jobs-siem.asciidoc @@ -415,6 +415,11 @@ they are listed for each job. |https://github.com/elastic/kibana/blob/{branch}/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_user_type10_remote_login.json[image:images/link.svg[A link icon]] |https://github.com/elastic/kibana/blob/{branch}/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_user_type10_remote_login.json[image:images/link.svg[A link icon]] +|v3_windows_rare_script +|Looks for rare powershell scripts that may indicate execution of malware, or persistence mechanisms via hash. +|https://github.com/elastic/kibana/blob/{branch}/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_script.json[image:images/link.svg[A link icon]] +|https://github.com/elastic/kibana/blob/{branch}/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_script.json[image:images/link.svg[A link icon]] + |=== // end::security-windows-jobs[]
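Review bot: In the description cell of the added `v3_windows_rare_script` row, the trailing "via hash" is ambiguous. As written it attaches to "persistence mechanisms", so a reader cannot tell whether the hash is how the job identifies a script as rare or part of the persistence technique. If it is the former, move it next to the subject, for example "Looks for rare PowerShell scripts, identified by hash, that may indicate execution of malware or persistence mechanisms." The same line should spell the product name "PowerShell" and drop the comma before "or". The commit subject says "Update", but the hunk only adds a new job row, so a subject such as "Add v3_windows_rare_script to security Windows jobs" would describe the change more precisely.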