Update conditions

rules/cloud/aws_ec2_download_userdata.yml

@@ -16,7 +16,7 @@ detection:
   selection_eventname:
     - eventName: DescribeInstanceAttribute
   timeframe: 30m
-  condition: selection_source AND selection_eventname AND selection_requesttype | count() > 10
+  condition: all of them | count() > 10
 level: medium
 falsepositives:
     - Assets management software like device42

rules/cloud/aws_guardduty_disruption.yml

@@ -11,11 +11,10 @@ logsource:
 detection:
   selection_source:
     - eventSource: guardduty.amazonaws.com
-  events:
-    - eventName:
-        - CreateIPSet
-  condition: selection_source AND events
-level: medium
+  selection_eventName:
+    - eventName: CreateIPSet
+  condition: all of them
+level: high
 falsepositives:
     - Valid change in the GuardDuty (e.g. to ignore internal scanners)
 tags: