[Rule Tuning] Tag Categorization Updates (#380)

* Add new categorization tags

* Change updated_date to 2020/10/26

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100

rules/apm/apm_403_response_to_a_post.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://en.wikipedia.org/wiki/HTTP_403"]
 risk_score = 47
 rule_id = "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e"
 severity = "medium"
-tags = ["APM", "Elastic"]
+tags = ["Elastic", "APM"]
 type = "query"
 
 query = '''

rules/apm/apm_405_response_method_not_allowed.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://en.wikipedia.org/wiki/HTTP_405"]
 risk_score = 47
 rule_id = "75ee75d8-c180-481c-ba88-ee50129a6aef"
 severity = "medium"
-tags = ["APM", "Elastic"]
+tags = ["Elastic", "APM"]
 type = "query"
 
 query = '''

rules/apm/apm_null_user_agent.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://en.wikipedia.org/wiki/User_agent"]
 risk_score = 47
 rule_id = "43303fd4-4839-4e48-b2b2-803ab060758d"
 severity = "medium"
-tags = ["APM", "Elastic"]
+tags = ["Elastic", "APM"]
 type = "query"
 
 query = '''

rules/apm/apm_sqlmap_user_agent.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["http://sqlmap.org/"]
 risk_score = 47
 rule_id = "d49cc73f-7a16-4def-89ce-9fc7127d7820"
 severity = "medium"
-tags = ["APM", "Elastic"]
+tags = ["Elastic", "APM"]
 type = "query"
 
 query = '''

rules/aws/collection_cloudtrail_logging_created.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 21
 rule_id = "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''

rules/aws/credential_access_aws_iam_assume_role_brute_force.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 47
 rule_id = "ea248a02-bc47-4043-8e94-2885b19b2636"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "threshold"
 
 query = '''

rules/aws/credential_access_iam_user_addition_to_group.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/04"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserTo
 risk_score = 21
 rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''

rules/aws/credential_access_root_console_failure_brute_force.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/07/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
 risk_score = 73
 rule_id = "4d50a94f-2844-43fa-8395-6afbd5e1c5ef"
 severity = "high"
-tags = ["AWS", "Continuous Monitoring", "Elastic", "Identity and Access", "SecOps"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "threshold"
 
 query = '''
@@ -51,3 +51,4 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.threshold]
 field = "cloud.account.id"
 value = 10
+

rules/aws/credential_access_secretsmanager_getsecretvalue.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Nick Jones", "Elastic"]
@@ -30,7 +30,7 @@ references = [
 risk_score = 73
 rule_id = "a00681e3-9ed6-447c-ab2c-be648821c622"
 severity = "high"
-tags = ["AWS", "Elastic", "SecOps", "Data Protection", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Data Protection"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_cloudtrail_logging_deleted.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "7024e2a0-315d-4334-bb1a-441c593e16ab"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_cloudtrail_logging_suspended.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 47
 rule_id = "1aa8fa52-44a7-4dae-b058-f3333b91c8d7"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/15"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "f772ec8a-e182-483c-91d2-72058f76a44c"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_config_service_rule_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/26"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 47
 rule_id = "7024e2a0-315d-4334-bb1a-552d604f27bc"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_configuration_recorder_stopped.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 73
 rule_id = "fbd44836-0d69-4004-a0b4-03c20370c435"
 severity = "high"
-tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_ec2_flow_log_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/15"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 73
 rule_id = "9395fd2c-9947-4472-86ef-4aceb2f7e872"
 severity = "high"
-tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_ec2_network_acl_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 47
 rule_id = "8623535c-1e17-44e1-aa97-7a0699c3037d"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_guardduty_detector_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/28"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 73
 rule_id = "523116c0-d89d-4d7c-82c2-39e6845a78ef"
 severity = "high"
-tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/27"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 21
 rule_id = "227dc608-e558-43d9-b521-150772250bae"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_waf_acl_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "91d04cd4-47a9-4334-ab14-084abe274d49"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/09"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "5beaebc1-cc13-4bfc-9949-776f9e0dc318"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"]
 type = "query"
 
 query = '''

rules/aws/execution_via_system_manager.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-
 risk_score = 21
 rule_id = "37b211e8-4e2f-440f-86d8-06cc8f158cfa"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''

rules/aws/exfiltration_ec2_snapshot_change_activity.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "98fd7407-0bd5-5817-cda0-3fcc33113a56"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
 type = "query"
 
 query = '''

rules/aws/impact_cloudtrail_logging_updated.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 21
 rule_id = "3e002465-876f-4f04-b016-84ef48ce7e5d"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''

rules/aws/impact_cloudwatch_log_group_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''

rules/aws/impact_cloudwatch_log_stream_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''

rules/aws/impact_ec2_disable_ebs_encryption.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/05"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 47
 rule_id = "bb9b13b2-1700-48a8-a750-b43b0a72ab69"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Data Protection", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Data Protection"]
 type = "query"
 
 query = '''

rules/aws/impact_iam_deactivate_mfa_device.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 47
 rule_id = "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
 type = "query"
 
 query = '''

rules/aws/impact_iam_group_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 21
 rule_id = "867616ec-41e5-4edc-ada2-ab13ab45de8a"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
 type = "query"
 
 query = '''

rules/aws/impact_rds_cluster_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 47
 rule_id = "9055ece6-2689-4224-a0e0-b04881e1f8ad"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
 type = "query"
 
 query = '''

rules/aws/impact_rds_instance_cluster_stoppage.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ references = [
 risk_score = 47
 rule_id = "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
 type = "query"
 
 query = '''

rules/aws/initial_access_console_login_root.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/11"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
 risk_score = 73
 rule_id = "e2a67480-3b79-403d-96e3-fdd2992c50ef"
 severity = "high"
-tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''

rules/aws/initial_access_password_recovery.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/07/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = ["https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-c
 risk_score = 21
 rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''

rules/aws/persistence_ec2_network_acl_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/04"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 21
 rule_id = "39144f38-5284-4f8e-a2ae-e3fd628d90b0"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"]
 type = "query"
 
 query = '''

rules/aws/persistence_iam_group_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/05"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 21
 rule_id = "169f3a93-efc7-4df2-94d6-0d9438c310d1"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''

rules/aws/persistence_rds_cluster_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 21
 rule_id = "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
 type = "query"
 
 query = '''

rules/aws/privilege_escalation_root_login_without_mfa.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
 risk_score = 73
 rule_id = "bc0c6f0d-dab0-47a3-b135-0925f0a333bc"
 severity = "high"
-tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''

rules/aws/privilege_escalation_updateassumerolepolicy.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-
 risk_score = 21
 rule_id = "a60326d7-dca7-4fb7-93eb-1ca03a1febbd"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''

rules/azure/collection_update_event_hub_auth_rule.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-acces
 risk_score = 47
 rule_id = "b6dce542-2b75-4ffb-b7d6-38787298ba9d"
 severity = "medium"
-tags = ["Azure", "Elastic", "SecOps", "Continuous Monitoring", "Logging"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''

rules/azure/credential_access_key_vault_modified.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/31"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec"
 severity = "medium"
-tags = ["Elastic", "Azure", "SecOps", "Continuous Monitoring", "Data Protection"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Data Protection"]
 type = "query"
 
 query = '''

rules/azure/credential_access_storage_account_key_regenerated.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ references = [
 risk_score = 21
 rule_id = "1e0b832e-957e-43ae-b319-db82d228c908"
 severity = "low"
-tags = ["Azure", "Elastic", "SecOps", "Continuous Monitoring", "Identity and Access"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''

rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = ["https://docs.microsoft.com/en-us/azure/azure-monitor/platform/dia
 risk_score = 47
 rule_id = "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de"
 severity = "medium"
-tags = ["Elastic", "Azure", "SecOps", "Continuous Monitoring", "Monitoring"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Monitoring"]
 type = "query"
 
 query = '''

rules/azure/defense_evasion_event_hub_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "e0f36de1-0342-453d-95a9-a068b257b053"
 severity = "medium"
-tags = ["Azure", "Elastic", "SecOps", "Continuous Monitoring", "Logging"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''

rules/azure/defense_evasion_firewall_policy_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://docs.microsoft.com/en-us/azure/firewall-manager/policy-ov
 risk_score = 21
 rule_id = "e02bd3ea-72c6-4181-ac2b-0f83d17ad969"
 severity = "low"
-tags = ["Azure", "Elastic", "SecOps", "Continuous Monitoring", "Network"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Network Security"]
 type = "query"
 
 query = '''

rules/azure/defense_evasion_network_watcher_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/31"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = ["https://docs.microsoft.com/en-us/azure/network-watcher/network-wa
 risk_score = 47
 rule_id = "323cb487-279d-4218-bcbd-a568efe930c6"
 severity = "medium"
-tags = ["Elastic", "Azure", "SecOps", "Continuous Monitoring", "Network"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Network Security"]
 type = "query"
 
 query = '''

rules/azure/discovery_blob_container_access_mod.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/20"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-re
 risk_score = 21
 rule_id = "2636aa6c-88b5-4337-9c31-8d0192a8ef45"
 severity = "low"
-tags = ["Elastic", "Azure", "SecOps", "Continuous Monitoring", "Asset Visibility"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Asset Visibility"]
 type = "query"
 
 query = '''

rules/azure/execution_command_virtual_machine.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 47
 rule_id = "60884af6-f553-4a6c-af13-300047455491"
 severity = "medium"
-tags = ["Azure", "Elastic", "SecOps", "Continuous Monitoring", "Logging"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''

rules/azure/impact_azure_automation_runbook_deleted.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 21
 rule_id = "8ddab73b-3d15-4e5d-9413-47f05553c1d7"
 severity = "low"
-tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 
 query = '''

rules/azure/impact_resource_group_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f"
 severity = "medium"
-tags = ["Elastic", "Azure", "SecOps", "Continuous Monitoring", "Logging"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''

rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/01"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = [
 risk_score = 47
 rule_id = "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38"
 severity = "medium"
-tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''

rules/azure/initial_access_external_guest_user_invite.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/31"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = ["https://docs.microsoft.com/en-us/azure/governance/policy/samples/
 risk_score = 21
 rule_id = "141e9b3a-ff37-4756-989d-05d7cbf35b0e"
 severity = "low"
-tags = ["Elastic", "Azure", "SecOps", "Continuous Monitoring", "Identity and Access"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''

rules/azure/persistence_azure_automation_account_created.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = [
 risk_score = 21
 rule_id = "df26fd74-1baa-4479-b42e-48da84642330"
 severity = "low"
-tags = ["Azure", "Continuous Monitoring", "Elastic", "Identity and Access", "SecOps"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''

rules/azure/persistence_azure_automation_runbook_created_or_modified.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 21
 rule_id = "16280f1e-57e6-4242-aa21-bb4d16f13b2f"
 severity = "low"
-tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 
 query = '''

rules/azure/persistence_azure_automation_webhook_created.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = [
 risk_score = 21
 rule_id = "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62"
 severity = "low"
-tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 to = "now-25m"
 type = "query"
 

rules/azure/persistence_azure_conditional_access_policy_modified.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/01"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://docs.microsoft.com/en-us/azure/active-directory/condition
 risk_score = 47
 rule_id = "bc48bba7-4a23-4232-b551-eca3ca1e3f20"
 severity = "medium"
-tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 
 query = '''

rules/azure/persistence_azure_pim_user_added_global_admin.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/24"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 73
 rule_id = "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8"
 severity = "high"
-tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''

rules/azure/persistence_azure_privileged_identity_management_role_modified.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 47
 rule_id = "7882cebf-6cf1-4de3-9662-213aa13e8b80"
 severity = "medium"
-tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''

rules/azure/persistence_mfa_disabled_for_azure_user.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/20"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ note = "The Azure Filebeat module must be enabled to use this rule."
 risk_score = 47
 rule_id = "dafa3235-76dc-40e2-9f71-1773b96d24cf"
 severity = "medium"
-tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''

rules/azure/persistence_user_added_as_owner_for_azure_application.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/20"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ note = "The Azure Filebeat module must be enabled to use this rule."
 risk_score = 21
 rule_id = "774f5e28-7b75-4a58-b94e-41bf060fdd86"
 severity = "low"
-tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 
 query = '''

rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/20"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 21
 rule_id = "38e5acdd-5f20-4d99-8fe4-f0a1a592077f"
 severity = "low"
-tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 
 query = '''

rules/cross-platform/impact_hosts_file_modified.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/07/07"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat
 risk_score = 47
 rule_id = "9c260313-c811-4ec8-ab89-8f6530e0246c"
 severity = "medium"
-tags = ["Elastic", "Linux", "Windows", "macOS"]
+tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Impact"]
 type = "query"
 
 query = '''

rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml

@@ -3,7 +3,7 @@ creation_date = "2020/09/14"
 ecs_version = ["1.6.0"]
 maturity = "development"
 query_schema_validation = false
-updated_date = "2020/09/15"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,15 @@ references = [
 risk_score = 47
 rule_id = "58ac2aa5-6718-427c-a845-5f3ac5af00ba"
 severity = "medium"
-tags = ["Elastic", "SecOps", "Continuous Monitoring", "Configuration Audit"]
+tags = [
+    "Elastic",
+    "Application",
+    "Communication",
+    "Zoom",
+    "Continuous Monitoring",
+    "SecOps",
+    "Configuration Audit",
+]
 type = "query"
 
 query = '''
@@ -47,3 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+

rules/gcp/collection_gcp_pub_sub_subscription_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://cloud.google.com/pubsub/docs/overview"]
 risk_score = 21
 rule_id = "d62b64a8-a7c9-43e5-aee3-15a725a794e7"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''

rules/gcp/collection_gcp_pub_sub_topic_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://cloud.google.com/pubsub/docs/admin"]
 risk_score = 21
 rule_id = "a10d3d9d-0f65-48f1-8b25-af175e2594f5"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''

rules/gcp/credential_access_gcp_iam_service_account_key_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 21
 rule_id = "9890ee61-d061-403d-9bf6-64934c51f638"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''

rules/gcp/credential_access_gcp_key_created_for_service_account.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 21
 rule_id = "0e5acaae-6a64-4bbc-adb8-27649c03f7e1"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''
@@ -52,3 +52,4 @@ reference = "https://attack.mitre.org/techniques/T1098/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+

rules/gcp/defense_evasion_gcp_firewall_rule_created.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://cloud.google.com/vpc/docs/firewalls"]
 risk_score = 21
 rule_id = "30562697-9859-4ae0-a8c5-dab45d664170"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 
 query = '''
@@ -47,3 +47,4 @@ reference = "https://attack.mitre.org/techniques/T1562/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://cloud.google.com/vpc/docs/firewalls"]
 risk_score = 47
 rule_id = "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 
 query = '''
@@ -46,3 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1562/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://cloud.google.com/vpc/docs/firewalls"]
 risk_score = 47
 rule_id = "2783d84f-5091-4d7d-9319-9fceda8fa71b"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 
 query = '''
@@ -46,3 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1562/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = ["https://cloud.google.com/logging/docs/buckets", "https://cloud.go
 risk_score = 47
 rule_id = "5663b693-0dea-4f2e-8275-f1ae5ff2de8e"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''

rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/18"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://cloud.google.com/logging/docs/export"]
 risk_score = 47
 rule_id = "51859fa0-d86b-4214-bf48-ebb30ed91305"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''

rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://cloud.google.com/pubsub/docs/overview"]
 risk_score = 21
 rule_id = "cc89312d-6f47-48e4-a87c-4977bd4633c3"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''

rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/18"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://cloud.google.com/pubsub/docs/overview"]
 risk_score = 21
 rule_id = "3202e172-01b1-4738-a932-d024c514ba72"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''

rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -25,9 +25,10 @@ references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
 risk_score = 47
 rule_id = "97359fd8-757d-4b1d-9af1-ef29e4a8680e"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''
 event.dataset:googlecloud.audit and event.action:storage.buckets.update and event.outcome:success
 '''
+

rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://cloud.google.com/storage/docs/access-control/iam-permissi
 risk_score = 47
 rule_id = "2326d1b2-9acf-4dee-bd21-867ea7378b4d"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''
@@ -46,3 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1222/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/gcp/exfiltration_gcp_logging_sink_modification.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://cloud.google.com/logging/docs/export#how_sinks_work"]
 risk_score = 21
 rule_id = "184dfe52-2999-42d9-b9d1-d1ca54495a61"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''

rules/gcp/impact_gcp_iam_role_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://cloud.google.com/iam/docs/understanding-roles"]
 risk_score = 21
 rule_id = "e2fb5b18-e33c-4270-851e-c3d675c9afcd"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''

rules/gcp/impact_gcp_service_account_deleted.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = ["https://cloud.google.com/iam/docs/service-accounts"]
 risk_score = 47
 rule_id = "8fb75dda-c47a-4e34-8ecd-34facf7aad13"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''
@@ -48,3 +48,4 @@ reference = "https://attack.mitre.org/techniques/T1531/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+

rules/gcp/impact_gcp_service_account_disabled.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = ["https://cloud.google.com/iam/docs/service-accounts"]
 risk_score = 47
 rule_id = "bca7d28e-4a48-47b1-adb7-5074310e9a61"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''

rules/gcp/impact_gcp_storage_bucket_deleted.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
 risk_score = 47
 rule_id = "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Monitoring"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Monitoring"]
 type = "query"
 
 query = '''
@@ -46,3 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1485/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+

rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,9 +27,10 @@ references = ["https://cloud.google.com/vpc/docs/vpc"]
 risk_score = 47
 rule_id = "c58c3081-2e1d-4497-8491-e73a45d1a6d6"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 
 query = '''
 event.dataset:googlecloud.audit and event.action:v*.compute.networks.delete and event.outcome:success
 '''
+

rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,9 +27,10 @@ references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.
 risk_score = 21
 rule_id = "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 
 query = '''
 event.dataset:googlecloud.audit and event.action:(v*.compute.routes.insert or beta.compute.routes.insert)
 '''
+

rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,9 +27,10 @@ references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.
 risk_score = 47
 rule_id = "a17bcc91-297b-459b-b5ce-bc7460d8f82a"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 
 query = '''
 event.dataset:googlecloud.audit and event.action:v*.compute.routes.delete and event.outcome:success
 '''
+

rules/gcp/initial_access_gcp_iam_custom_role_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://cloud.google.com/iam/docs/understanding-custom-roles"]
 risk_score = 47
 rule_id = "aa8007f0-d1df-49ef-8520-407857594827"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''
@@ -47,8 +47,6 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]

rules/gcp/persistence_gcp_service_account_created.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = ["https://cloud.google.com/iam/docs/service-accounts"]
 risk_score = 21
 rule_id = "7ceb2216-47dd-4e64-9433-cddc99727623"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''
@@ -49,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1136/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+

rules/linux/credential_access_tcpdump_activity.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ name = "Network Sniffing via Tcpdump"
 risk_score = 21
 rule_id = "7a137d76-ce3d-48e2-947d-2747796a78c0"
 severity = "low"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"]
 type = "query"
 
 query = '''

rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/04/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Attempt to Disable IPTables or Firewall"
 risk_score = 47
 rule_id = "125417b8-d3df-479f-8418-12d7e034fee3"
 severity = "medium"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''

rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/04/27"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Attempt to Disable Syslog Service"
 risk_score = 47
 rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
 severity = "medium"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''

rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/04/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "Base16 or Base32 Encoding/Decoding Activity"
 risk_score = 21
 rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795"
 severity = "low"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''

rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/04/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "Base64 Encoding/Decoding Activity"
 risk_score = 21
 rule_id = "97f22dab-84e8-409d-955e-dacd1d31670b"
 severity = "low"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''

rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/04"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Deletion of Bash Command Line History"
 risk_score = 47
 rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
 severity = "medium"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''

rules/linux/defense_evasion_disable_selinux_attempt.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/04/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "Potential Disabling of SELinux"
 risk_score = 47
 rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e"
 severity = "medium"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''

rules/linux/defense_evasion_file_deletion_via_shred.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/04/27"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "File Deletion via Shred"
 risk_score = 21
 rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4"
 severity = "low"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''

rules/linux/defense_evasion_file_mod_writable_dir.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/04/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ name = "File Permission Modification in Writable Directory"
 risk_score = 21
 rule_id = "9f9a2a82-93a8-4b1a-8778-1780895626d4"
 severity = "low"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''

rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/04/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "Hex Encoding/Decoding Activity"
 risk_score = 21
 rule_id = "a9198571-b135-4a76-b055-e3e5a476fd83"
 severity = "low"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''

rules/linux/defense_evasion_hidden_file_dir_tmp.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/04/29"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ name = "Creation of Hidden Files and Directories"
 risk_score = 47
 rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae"
 severity = "medium"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''

rules/linux/defense_evasion_kernel_module_removal.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/04/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"]
 risk_score = 73
 rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef"
 severity = "high"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''

rules/linux/discovery_kernel_module_enumeration.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ name = "Enumeration of Kernel Modules"
 risk_score = 47
 rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504"
 severity = "medium"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
 type = "query"
 
 query = '''

rules/linux/discovery_virtual_machine_fingerprinting.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/04/27"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ name = "Virtual Machine Fingerprinting"
 risk_score = 73
 rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba"
 severity = "high"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
 type = "query"
 
 query = '''

rules/linux/discovery_whoami_commmand.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ name = "User Discovery via Whoami"
 risk_score = 21
 rule_id = "120559c6-5e24-49f4-9e30-8ffe697df6b9"
 severity = "low"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
 type = "query"
 
 query = '''

rules/linux/execution_perl_tty_shell.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/04/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Interactive Terminal Spawned via Perl"
 risk_score = 73
 rule_id = "05e5a668-7b51-4a67-93ab-e9af405c9ef3"
 severity = "high"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"]
 type = "query"
 
 query = '''