diff --git a/rules/integrations/endpoint/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml
index 5042a0d654f..bc12e3253a0 100644
--- a/rules/integrations/endpoint/elastic_endpoint_security.toml
+++ b/rules/integrations/endpoint/elastic_endpoint_security.toml
@@ -1,8 +1,7 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
-updated_date = "2021/08/25"
-integration = "endpoint"
+updated_date = "2021/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +25,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.kind:alert and event.module:(endpoint and not endgame) and not event.code: behavior
+event.kind:alert and event.module:(endpoint and not endgame)
 '''
 
 
diff --git a/rules/integrations/endpoint/elastic_endpoint_security_behavior_protection.toml b/rules/integrations/endpoint/elastic_endpoint_security_behavior_protection.toml
deleted file mode 100644
index e11f7d238d2..00000000000
--- a/rules/integrations/endpoint/elastic_endpoint_security_behavior_protection.toml
+++ /dev/null
@@ -1,69 +0,0 @@
-[metadata]
-creation_date = "2021/08/25"
-maturity = "production"
-updated_date = "2021/08/25"
-integration = "endpoint"
-min_stack_version = "7.15.0"
-
-[rule]
-author = ["Elastic"]
-description = """
-Generates a detection alert each time an Elastic Endpoint Security alert is received for Behavior Protection alerts.
-Enabling this rule allows you to immediately begin investigating your Endpoint alerts for Behavior Protection.
-"""
-enabled = true
-from = "now-10m"
-index = ["logs-endpoint.alerts-*"]
-language = "kuery"
-license = "Elastic License v2"
-max_signals = 10000
-name = "Endpoint Security Behavior Protection"
-risk_score = 47
-rule_id = "d516af98-19f3-45bb-b590-dd623535b746"
-rule_name_override = "rule.name"
-severity = "medium"
-tags = ["Elastic", "Endpoint Security"]
-timestamp_override = "event.ingested"
-type = "query"
-
-query = '''
-event.kind:alert and event.module:(endpoint and not endgame) and event.code: behavior
-'''
-
-
-[[rule.exceptions_list]]
-id = "endpoint_list"
-list_id = "endpoint_list"
-namespace_type = "agnostic"
-type = "endpoint"
-
-[[rule.risk_score_mapping]]
-field = "event.risk_score"
-operator = "equals"
-value = ""
-
-[[rule.severity_mapping]]
-field = "event.severity"
-operator = "equals"
-value = "21"
-severity = "low"
-
-[[rule.severity_mapping]]
-field = "event.severity"
-operator = "equals"
-value = "47"
-severity = "medium"
-
-[[rule.severity_mapping]]
-field = "event.severity"
-operator = "equals"
-value = "73"
-severity = "high"
-
-[[rule.severity_mapping]]
-field = "event.severity"
-operator = "equals"
-value = "99"
-severity = "critical"
-
-