From 31ad81874fee378ea3f951d81d088aac9fb1e737 Mon Sep 17 00:00:00 2001
From: pdr9rc
Date: Tue, 5 May 2020 11:32:18 +0100
Subject: [PATCH] capitalized titles corrected capitalization of titles and removed literals from config
---
 rules/cloud/aws_ec2_vm_export_failure.yml | 2 +-
 tools/config/ecs-cloudtrail.yml | 11 +----------
 2 files changed, 2 insertions(+), 11 deletions(-)
diff --git a/rules/cloud/aws_ec2_vm_export_failure.yml b/rules/cloud/aws_ec2_vm_export_failure.yml
index 8f7fec195..a6db628c5 100644
--- a/rules/cloud/aws_ec2_vm_export_failure.yml
+++ b/rules/cloud/aws_ec2_vm_export_failure.yml
@@ -1,4 +1,4 @@
-title: AWS EC2 VM Export failure
+title: AWS EC2 VM Export Failure
 id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
 status: experimental
 description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
diff --git a/tools/config/ecs-cloudtrail.yml b/tools/config/ecs-cloudtrail.yml
index 37414528b..fe9419bd4 100644
--- a/tools/config/ecs-cloudtrail.yml
+++ b/tools/config/ecs-cloudtrail.yml
@@ -1,4 +1,4 @@
-title: Elastic Common Schema and Elastic Exported Fields mapping for AWS CloudTrail logs
+title: Elastic Common Schema And Elastic Exported Fields Mapping For AWS CloudTrail Logs
 order: 20
 backends:
 - es-qs
@@ -54,15 +54,6 @@ overrides: - (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\)\)) - (\(\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_message.keyword:\*\)\)) - (\(\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_code.keyword:\*\)\)) - literals: - - ((aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*) OR (event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*)) - - ((aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:*) OR (event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*)) - - ((aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*) OR (aws.cloudtrail.response_elements.keyword:*Failure* AND event.action:"ConsoleLogin")) - - ((aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:*) OR (aws.cloudtrail.response_elements.keyword:*Failure* AND event.action:"ConsoleLogin")) - - ((event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*) OR (aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*)) - - ((event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*) OR (aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:*)) - - ((aws.cloudtrail.response_elements.keyword:*Failure* AND event.action:"ConsoleLogin") OR (aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*)) - - ((aws.cloudtrail.response_elements.keyword:*Failure* AND event.action:"ConsoleLogin") OR (aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:*)) - field: event.outcome value: success literals: