Prep for Release 9.0 (#4550)

rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml

@@ -2,9 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully"
-min_stack_version = "8.13.0"
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -134,12 +132,6 @@ from logs-aws.cloudtrail*
 | sort unique_api_count desc
 '''
 
-[rule.investigation_fields]
-field_names = [
-    "time_window",
-    "aws.cloudtrail.user_identity.arn",
-    "unique_api_count"
-]
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -154,3 +146,6 @@ id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
 
+[rule.investigation_fields]
+field_names = ["time_window", "aws.cloudtrail.user_identity.arn", "unique_api_count"]
+

rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml

@@ -2,16 +2,14 @@
 creation_date = "2024/04/16"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.13.0"
-updated_date = "2025/01/22"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies AWS EC2 EBS snaphots being shared with another AWS account or made public. EBS virtual disks can be copied into snapshots,
-which can then be shared with an external AWS account or made public. Adversaries may attempt this in order to copy the
-snapshot into an environment they control, to access the data.
+Identifies AWS EC2 EBS snaphots being shared with another AWS account or made public. EBS virtual disks can be copied
+into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this in
+order to copy the snapshot into an environment they control, to access the data.
 """
 false_positives = [
     """
@@ -23,7 +21,6 @@ language = "esql"
 license = "Elastic License v2"
 name = "AWS EC2 EBS Snapshot Shared or Made Public"
 note = """
-
 ## Triage and analysis
 
 ### Investigating AWS EC2 EBS Snapshot Shared or Made Public
@@ -64,7 +61,7 @@ references = [
     "https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html",
     "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html",
     "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump",
-    "https://hackingthe.cloud/aws/exploitation/Misconfigured_Resource-Based_Policies/exploting_public_resources_attack_playbook/"
+    "https://hackingthe.cloud/aws/exploitation/Misconfigured_Resource-Based_Policies/exploting_public_resources_attack_playbook/",
 ]
 risk_score = 21
 rule_id = "4182e486-fc61-11ee-a05d-f661ea17fbce"

rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml

@@ -1,9 +1,7 @@
 [metadata]
 creation_date = "2024/05/01"
 maturity = "production"
-updated_date = "2024/11/07"
-min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully"
-min_stack_version = "8.13.0"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -69,7 +67,7 @@ Attackers may attempt to enumerate names until a valid bucket is discovered and
 """
 references = [
     "https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1",
-    "https://docs.aws.amazon.com/cli/latest/reference/s3api/"
+    "https://docs.aws.amazon.com/cli/latest/reference/s3api/",
 ]
 risk_score = 21
 rule_id = "5f0234fd-7f21-42af-8391-511d5fd11d5c"
@@ -81,7 +79,7 @@ tags = [
     "Data Source: AWS S3",
     "Resources: Investigation Guide",
     "Use Case: Log Auditing",
-    "Tactic: Impact"
+    "Tactic: Impact",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -97,51 +95,44 @@ from logs-aws.cloudtrail*
 | where failed_requests > 40
 '''
 
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1657"
+name = "Financial Theft"
+reference = "https://attack.mitre.org/techniques/T1657/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1580"
+name = "Cloud Infrastructure Discovery"
+reference = "https://attack.mitre.org/techniques/T1580/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1530"
+name = "Data from Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1530/"
+
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
 [rule.investigation_fields]
-field_names = [
-    "source.address",
-    "tls.client.server_name",
-    "cloud.account.id",
-    "failed_requests"
-]
+field_names = ["source.address", "tls.client.server_name", "cloud.account.id", "failed_requests"]
 
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-    [rule.threat.tactic]
-    id = "TA0040"
-    name = "Impact"
-    reference = "https://attack.mitre.org/tactics/TA0040/"
-
-        [[rule.threat.technique]]
-        id = "T1657"
-        name = "Financial Theft"
-        reference = "https://attack.mitre.org/techniques/T1657/"
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-    [rule.threat.tactic]
-    id = "TA0007"
-    name = "Discovery"
-    reference = "https://attack.mitre.org/tactics/TA0007/"
-
-        [[rule.threat.technique]]
-        id = "T1580"
-        name = "Cloud Infrastructure Discovery"
-        reference = "https://attack.mitre.org/techniques/T1580/"
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-    [rule.threat.tactic]
-    id = "TA0009"
-    name = "Collection"
-    reference = "https://attack.mitre.org/tactics/TA0009/"
-
-        [[rule.threat.technique]]
-        id = "T1530"
-        name = "Data from Cloud Storage"
-        reference = "https://attack.mitre.org/techniques/T1530/"

rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_extension.toml

@@ -2,16 +2,14 @@
 creation_date = "2024/04/17"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.13.0"
-updated_date = "2025/01/15"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
 description = """
 Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the `PutObject` S3 API call
-with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to
-a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.
+with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured
+S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.
 """
 false_positives = [
     """
@@ -24,7 +22,6 @@ language = "esql"
 license = "Elastic License v2"
 name = "Potential AWS S3 Bucket Ransomware Note Uploaded"
 note = """
-
 ## Triage and analysis
 
 ### Investigating Potential AWS S3 Bucket Ransomware Note Uploaded

rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml

@@ -2,18 +2,20 @@
 creation_date = "2024/07/02"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "ES|QL rule type in technical preview as of 8.13"
-min_stack_version = "8.13.0"
-updated_date = "2025/02/03"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies `CopyObject` events within an S3 bucket using an AWS KMS key from an external account for encryption. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data.
+Identifies `CopyObject` events within an S3 bucket using an AWS KMS key from an external account for encryption.
+Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS
+key to deny their victims access to their own data.
 """
 false_positives = [
     """
-    Administrators within an AWS Organization structure may legitimately encrypt bucket objects with a key from an account different from the target bucket. Ensure that this behavior is not part of a legitimate operation before taking action.
+    Administrators within an AWS Organization structure may legitimately encrypt bucket objects with a key from an
+    account different from the target bucket. Ensure that this behavior is not part of a legitimate operation before
+    taking action.
     """,
 ]
 from = "now-9m"
@@ -21,7 +23,6 @@ language = "esql"
 license = "Elastic License v2"
 name = "AWS S3 Object Encryption Using External KMS Key"
 note = """
-
 ## Triage and analysis
 
 ### Investigating AWS S3 Object Encryption Using External KMS Key
@@ -101,6 +102,7 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
 | keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, target.bucketName, key.account.id, keyId, target.objectName
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]

rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml

@@ -1,10 +1,8 @@
 [metadata]
 creation_date = "2024/08/19"
-integration = ['aws']
+integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_comments = "ES|QL rule type in technical preview as of 8.13"
-min_stack_version = "8.13.0"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -18,35 +16,6 @@ from = "now-9m"
 language = "esql"
 license = "Elastic License v2"
 name = "AWS Signin Single Factor Console Login with Federated User"
-references = [
-    "https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/"
-]
-risk_score = 47
-rule_id = "1f45720e-5ea8-11ef-90d2-f661ea17fbce"
-severity = "medium"
-tags = [
-    "Domain: Cloud",
-    "Data Source: Amazon Web Services",
-    "Data Source: AWS",
-    "Data Source: AWS Sign-In",
-    "Use Case: Threat Detection",
-    "Tactic: Initial Access",
-    "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "esql"
-
-query = '''
-from logs-aws.cloudtrail-* metadata _id, _version, _index
-| where
-    event.provider == "signin.amazonaws.com"
-    and event.action == "GetSigninToken"
-    and aws.cloudtrail.event_type == "AwsConsoleSignIn"
-    and aws.cloudtrail.user_identity.type == "FederatedUser"
-| dissect aws.cloudtrail.additional_eventdata "{%{?mobile_version_key}=%{mobile_version}, %{?mfa_used_key}=%{mfa_used}}"
-| where mfa_used == "No"
-| keep @timestamp, event.action, aws.cloudtrail.event_type, aws.cloudtrail.user_identity.type
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -82,6 +51,34 @@ Federated users in AWS are granted temporary credentials to access resources, of
 - Review and update IAM policies and roles associated with federated users to ensure they follow the principle of least privilege.
 - Escalate the incident to the incident response team if any malicious activities are detected, and initiate a full security investigation to assess the impact and scope of the breach.
 - Monitor AWS CloudTrail and other relevant logs closely for any further unauthorized access attempts or anomalies related to federated user accounts."""
+references = ["https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/"]
+risk_score = 47
+rule_id = "1f45720e-5ea8-11ef-90d2-f661ea17fbce"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS",
+    "Data Source: AWS Sign-In",
+    "Use Case: Threat Detection",
+    "Tactic: Initial Access",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws.cloudtrail-* metadata _id, _version, _index
+| where
+    event.provider == "signin.amazonaws.com"
+    and event.action == "GetSigninToken"
+    and aws.cloudtrail.event_type == "AwsConsoleSignIn"
+    and aws.cloudtrail.user_identity.type == "FederatedUser"
+| dissect aws.cloudtrail.additional_eventdata "{%{?mobile_version_key}=%{mobile_version}, %{?mfa_used_key}=%{mfa_used}}"
+| where mfa_used == "No"
+| keep @timestamp, event.action, aws.cloudtrail.event_type, aws.cloudtrail.user_identity.type
+'''
+
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -95,7 +92,9 @@ name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
 
 
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+

rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml

@@ -2,9 +2,7 @@
 creation_date = "2024/12/02"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "ES|QL available in technical preview."
-min_stack_version = "8.13.0"
-updated_date = "2025/01/10"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml

@@ -2,21 +2,19 @@
 creation_date = "2024/06/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_comments = "ES|QL rule type in technical preview as of 8.13"
-min_stack_version = "8.13.0"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
 description = """
-An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by
-creating a new set of credentials for an existing user. This rule looks for use of the IAM `CreateAccessKey` API operation
-to create new programmatic access keys for another IAM user.
+An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a
+new set of credentials for an existing user. This rule looks for use of the IAM `CreateAccessKey` API operation to
+create new programmatic access keys for another IAM user.
 """
 false_positives = [
     """
-    While this can be normal behavior, it should be investigated to ensure validity.
-    Verify whether the user identity should be using the IAM `CreateAccessKey` for the targeted user.
+    While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity
+    should be using the IAM `CreateAccessKey` for the targeted user.
     """,
 ]
 from = "now-6m"
@@ -120,6 +118,42 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
     aws.cloudtrail.user_identity.type
 '''
 
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [rule.investigation_fields]
 field_names = [
     "@timestamp",
@@ -137,36 +171,3 @@ field_names = [
     "aws.cloudtrail.response_elements",
 ]
 
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-[[rule.threat.technique.subtechnique]]
-id = "T1098.001"
-name = "Additional Cloud Credentials"
-reference = "https://attack.mitre.org/techniques/T1098/001/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-[[rule.threat.technique.subtechnique]]
-id = "T1098.001"
-name = "Additional Cloud Credentials"
-reference = "https://attack.mitre.org/techniques/T1098/001/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml

@@ -2,23 +2,21 @@
 creation_date = "2024/05/31"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_comments = "ES|QL rule type in technical preview as of 8.13."
-min_stack_version = "8.13.0"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
 description = """
-An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by
-attaching additional permissions to user groups the compromised user account belongs to. This rule looks for use of
-the IAM `AttachGroupPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy
-to an existing IAM user group.
+An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching
+additional permissions to user groups the compromised user account belongs to. This rule looks for use of the IAM
+`AttachGroupPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an
+existing IAM user group.
 """
 false_positives = [
     """
-    While this can be normal behavior, it should be investigated to ensure validity.
-    Verify whether the user identity should be using the IAM `AttachGroupPolicy` API operation
-    to attach the `AdministratorAccess` policy to the user group.
+    While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity
+    should be using the IAM `AttachGroupPolicy` API operation to attach the `AdministratorAccess` policy to the user
+    group.
     """,
 ]
 from = "now-6m"
@@ -119,11 +117,12 @@ id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
 
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -135,6 +134,8 @@ id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
 
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml

@@ -2,22 +2,20 @@
 creation_date = "2024/05/31"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_comments = "ES|QL rule type in technical preview as of 8.13."
-min_stack_version = "8.13.0"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
 description = """
-An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by
-attaching additional permissions to compromised IAM roles. This rule looks for use of the IAM `AttachRolePolicy` API operation
-to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM role.
+An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching
+additional permissions to compromised IAM roles. This rule looks for use of the IAM `AttachRolePolicy` API operation to
+attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM role.
 """
 false_positives = [
     """
-    While this can be normal behavior, it should be investigated to ensure validity.
-    Verify whether the user identity should be using the IAM `AttachRolePolicy` API operation
-    to attach the `AdministratorAccess` policy to the target role.
+    While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity
+    should be using the IAM `AttachRolePolicy` API operation to attach the `AdministratorAccess` policy to the target
+    role.
     """,
 ]
 from = "now-6m"
@@ -118,11 +116,12 @@ id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
 
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -134,6 +133,8 @@ id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
 
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml

@@ -2,22 +2,20 @@
 creation_date = "2024/05/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_comments = "ES|QL rule type in technical preview as of 8.13."
-min_stack_version = "8.13.0"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
 description = """
-An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by
-attaching additional permissions to compromised user accounts. This rule looks for use of the IAM `AttachUserPolicy` API operation
+An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching
+additional permissions to compromised user accounts. This rule looks for use of the IAM `AttachUserPolicy` API operation
 to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM user.
 """
 false_positives = [
     """
-    While this can be normal behavior, it should be investigated to ensure validity.
-    Verify whether the user identity should be using the IAM `AttachUserPolicy` API operation
-    to attach the `AdministratorAccess` policy to the target user.
+    While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity
+    should be using the IAM `AttachUserPolicy` API operation to attach the `AdministratorAccess` policy to the target
+    user.
     """,
 ]
 from = "now-6m"
@@ -119,6 +117,42 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
     source.address
 '''
 
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [rule.investigation_fields]
 field_names = [
     "@timestamp",
@@ -132,39 +166,6 @@ field_names = [
     "event.outcome",
     "cloud.region",
     "event.provider",
-    "aws.cloudtrail.request_parameters"
+    "aws.cloudtrail.request_parameters",
 ]
 
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-[[rule.threat.technique.subtechnique]]
-id = "T1098.003"
-name = "Additional Cloud Roles"
-reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-[[rule.threat.technique.subtechnique]]
-id = "T1098.003"
-name = "Additional Cloud Roles"
-reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-