[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429)

* initial commit * addressing flake errors * added apm to _get_packagted_integrations logic * addressed flake errors * adjusted integration schema and updated rules to be a list * updated several rules and removed a unit test * updated rules with logs-* only index patterns * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * addressed flake errors * integration is none is windows, endpoint or apm * adding rules with accepted incoming changes from main * fixed tag and tactic alignment errors from unit testing * adjusted unit testing logic for integration tags; added more exclusion rules * adjusted test_integration logic to be rule resistent and skip if -8.3 * adjusted comments for unit test skip * fixed merge conflicts from main * changing test_integration_tag to remove logic for rule version comparisons * added integration tag to new rule * adjusted rules updated_date value * ignore guided onboarding rule in unit tests * added integration tag to new rule Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-01-04 09:30:07 -05:00
parent 46eccea704
commit 4312d8c958
671 changed files with 3359 additions and 2291 deletions
@@ -53,7 +53,7 @@ class RuleMeta(MarshmallowDataclassMixin):

    # Optional fields
    comments: Optional[str]
-    integration: Optional[str]
+    integration: Optional[Union[str, List[str]]]
    maturity: Optional[definitions.Maturity]
    min_stack_version: Optional[definitions.SemVer]
    min_stack_comments: Optional[str]
@@ -958,7 +958,13 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin):
                datasets.update(set(str(n) for n in node if isinstance(n, kql.ast.Value)))

        if not datasets:
-            return
+            # windows and endpoint integration do not have event.dataset fields in queries
+            # integration is None to remove duplicate references upstream in Kibana
+            rule_integrations = self.metadata.get("integration", [])
+            if rule_integrations:
+                for integration in rule_integrations:
+                    if integration in ["windows", "endpoint", "apm"]:
+                        packaged_integrations.append({"package": integration, "integration": None})

        for value in sorted(datasets):
            integration = 'Unknown'
@@ -52,6 +52,11 @@ dev = ["pep8-naming==0.7.0", "PyGithub==1.55", "flake8==3.8.1", "pyflakes==2.2.0
 package-data = {"kql" = ["*.g"]}
 packages = ["detection_rules",	"kql",	"kibana",	"rta"]

+[tool.pytest.ini_options]
+filterwarnings = [
+	"ignore::DeprecationWarning"
+]
+
 [build-system]
 requires = ["setuptools", "wheel", "setuptools_scm"]
 build-backend = "setuptools.build_meta"
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
+integration = ["apm"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
+integration = ["apm"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
+integration = ["apm"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2022/10/18"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/10/18"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -14,11 +15,10 @@ standard port a protocol uses to bypass filtering or muddle analysis/parsing of
 """
 false_positives = [
    """
-    SSH over ports apart from the traditional port 22 is highly uncommon.
-    This rule alerts the usage of the such uncommon ports by the ssh service.
-    Tuning is needed to have higher confidence.
-    If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a
-    combination whitelisted ports for such legitimate ssh activities.
+    SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts the usage of the such
+    uncommon ports by the ssh service. Tuning is needed to have higher confidence. If this activity is expected and
+    noisy in your environment, consider adding exceptions — preferably with a combination whitelisted ports for such
+    legitimate ssh activities.
    """,
 ]
 from = "now-9m"
@@ -26,9 +26,7 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Non-Standard Port SSH connection"
-references = [
-    "https://attack.mitre.org/techniques/T1571/"
-]
+references = ["https://attack.mitre.org/techniques/T1571/"]
 risk_score = 21
 rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9"
 severity = "low"
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/12/21"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/11/03"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/12"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/05/04"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/12"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -3,7 +3,8 @@ creation_date = "2022/05/23"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/15"
+integration = ["endpoint"]

 [rule]
 author = ["Elastic"]
@@ -14,7 +15,7 @@ may also indicate an issue with the agent itself and should be addressed to ensu
 stable state.
 """
 from = "now-9m"
-index = ["logs-*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Elastic Agent Service Terminated"
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2022/10/18"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/01"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -11,8 +12,8 @@ description = """
 This rules identifies a process created from an executable with a space appended to the end of the filename. This may
 indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of
 certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can
-hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name so
-that the OS automatically executes the file when it's double-clicked.
+hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name
+so that the OS automatically executes the file when it's double-clicked.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
@@ -35,7 +36,7 @@ type = "eql"

 query = '''
 process where host.os.type:("linux","macos") and
-  event.type == "start" and 
+  event.type == "start" and
  (process.executable regex~ """/[a-z0-9\s_\-\\./]+\s""") and not
  process.name in ("ls", "find", "grep", "xkbcomp")
 '''
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/11/03"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/12"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/12/20"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/10/11"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/09/29"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/12"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -25,21 +26,22 @@ query = '''
 event.category:process and event.type:(start or process_started) and process.name:espl and process.args:eyJkZWJ1ZyI6*
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
+id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-id = "T1059"
 [[rule.threat.technique.subtechnique]]
 id = "T1059.006"
 name = "Python"
 reference = "https://attack.mitre.org/techniques/T1059/006/"


+
 [rule.threat.tactic]
+id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-id = "TA0002"
-

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/01/13"
+integration = ["endpoint"]
 maturity = "development"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/01/07"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/10/11"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/19"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/07"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -63,7 +64,7 @@ references = [
    "https://github.com/christophetd/log4shell-vulnerable-app",
    "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf",
    "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security",
-    "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046"
+    "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046",
 ]
 risk_score = 47
 rule_id = "8acb7614-1d92-4359-bfcf-478b6d9de150"
@@ -1,15 +1,17 @@
 [metadata]
 creation_date = "2021/12/10"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/07"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
 description = """
 Identifies an outbound network connection by JAVA to LDAP, RMI or DNS standard ports followed by a suspicious JAVA child
-processes. This may indicate an attempt to exploit a JAVA/NDI (Java Naming and Directory Interface) injection vulnerability.
+processes. This may indicate an attempt to exploit a JAVA/NDI (Java Naming and Directory Interface) injection
+vulnerability.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
@@ -17,11 +19,11 @@ language = "eql"
 license = "Elastic License v2"
 name = "Potential JAVA/JNDI Exploitation Attempt"
 references = [
-"https://www.lunasec.io/docs/blog/log4j-zero-day/",
-"https://github.com/christophetd/log4shell-vulnerable-app",
-"https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf",
-"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security",
-"https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046"
+    "https://www.lunasec.io/docs/blog/log4j-zero-day/",
+    "https://github.com/christophetd/log4shell-vulnerable-app",
+    "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf",
+    "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security",
+    "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046",
 ]
 risk_score = 73
 rule_id = "c3f5e1d8-910e-43b4-8d44-d748e498ca86"
@@ -69,12 +71,15 @@ id = "T1059.007"
 name = "JavaScript"
 reference = "https://attack.mitre.org/techniques/T1059/007/"

+
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"

+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
@@ -11,14 +11,10 @@ description = """
 This rule helps you test and practice using alerts with Elastic Security as you get set up. It’s not a sign of threat
 activity.
 """
-false_positives = [
-    """
-    This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts.
-    """,
-]
-max_signals = 1
-interval = "24h"
 enabled = false
+false_positives = [
+    "This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts.",
+]
 from = "now-24h"
 index = [
    "apm-*-transaction*",
@@ -29,10 +25,12 @@ index = [
    "packetbeat-*",
    "traces-apm*",
    "winlogbeat-*",
-    "-*elastic-cloud-logs-*"
+    "-*elastic-cloud-logs-*",
 ]
+interval = "24h"
 language = "kuery"
 license = "Elastic License v2"
+max_signals = 1
 name = "My First Rule"
 note = """
 This is a test alert.
@@ -55,6 +53,9 @@ query = '''
 event.kind:"event"
 '''

+
+
 [rule.threshold]
 field = ["host.name"]
 value = 1
+
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/07/07"
+integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2022/10/11"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -103,16 +104,17 @@ any where
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1565"
-reference = "https://attack.mitre.org/techniques/T1565/"
 name = "Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/"
 [[rule.threat.technique.subtechnique]]
 id = "T1565.001"
-reference = "https://attack.mitre.org/techniques/T1565/001/"
 name = "Stored Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/001/"



 [rule.threat.tactic]
 id = "TA0040"
-reference = "https://attack.mitre.org/tactics/TA0040/"
 name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/12/21"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/19"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/12/22"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/26"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/04/23"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -80,3 +81,4 @@ framework = "MITRE ATT&CK"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/02/03"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/04/13"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/10"
-integration = "aws"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/12"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/07/16"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -84,7 +84,15 @@ references = [
 risk_score = 47
 rule_id = "ea248a02-bc47-4043-8e94-2885b19b2636"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
+tags = [
+    "Elastic",
+    "Cloud",
+    "AWS",
+    "Continuous Monitoring",
+    "SecOps",
+    "Identity and Access",
+    "Investigation Guide",
+]
 type = "threshold"

 query = '''
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/04"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -77,7 +77,17 @@ references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserTo
 risk_score = 21
 rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Credential Access", "Persistence", "Investigation Guide"]
+tags = [
+    "Elastic",
+    "Cloud",
+    "AWS",
+    "Continuous Monitoring",
+    "SecOps",
+    "Identity and Access",
+    "Credential Access",
+    "Persistence",
+    "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/07/21"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/07/06"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Nick Jones", "Elastic"]
@@ -90,7 +90,16 @@ references = [
 risk_score = 47
 rule_id = "a00681e3-9ed6-447c-ab2c-be648821c622"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Data Protection", "Credential Access", "Investigation Guide"]
+tags = [
+    "Elastic",
+    "Cloud",
+    "AWS",
+    "Continuous Monitoring",
+    "SecOps",
+    "Data Protection",
+    "Credential Access",
+    "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/05/26"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -12,8 +12,8 @@ description = "Identifies the deletion of an AWS log trail. An adversary may del
 false_positives = [
    """
    Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent,
-    and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should
-    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should be
+    investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
 ]
 from = "now-60m"
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/10"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/15"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -12,8 +12,8 @@ description = "Identifies the deletion of an AWS CloudWatch alarm. An adversary
 false_positives = [
    """
    Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm
-    deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it
-    can be exempted from the rule.
+    deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can
+    be exempted from the rule.
    """,
 ]
 from = "now-60m"
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/26"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/16"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/15"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -15,8 +15,8 @@ in an attempt to evade defenses.
 false_positives = [
    """
    Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log
-    deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it
-    can be exempted from the rule.
+    deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can
+    be exempted from the rule.
    """,
 ]
 from = "now-60m"
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/05/26"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -15,8 +15,8 @@ ingress/egress entries.
 false_positives = [
    """
    Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or
-    hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should
-    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should be
+    investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
 ]
 from = "now-60m"
@@ -1,19 +1,20 @@
 [metadata]
 creation_date = "2021/07/19"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Austin Songer"]
 description = "Identifies when an ElastiCache security group has been created."
 false_positives = [
    """
-    A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user
-    agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users
-    or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity,
+    user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar
+    users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the
+    rule.
    """,
 ]
 from = "now-60m"
@@ -25,7 +26,9 @@ name = "AWS ElastiCache Security Group Created"
 note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
-references = ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html"]
+references = [
+    "https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html",
+]
 risk_score = 21
 rule_id = "7b3da11a-60a2-412e-8aa7-011e1eb9ed47"
 severity = "low"
@@ -38,19 +41,22 @@ event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and ev
 event.outcome:success
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.007"
+name = "Disable or Modify Cloud Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/007/"
+

-  [[rule.threat.technique.subtechnique]]
-  id = "T1562.007"
-  name = "Disable or Modify Cloud Firewall"
-  reference = "https://attack.mitre.org/techniques/T1562/007/"

 [rule.threat.tactic]
-name = "Defense Evasion"
 id = "TA0005"
+name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
@@ -1,20 +1,20 @@
 [metadata]
 creation_date = "2021/07/19"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Austin Songer"]
 description = "Identifies when an ElastiCache security group has been modified or deleted."
 false_positives = [
    """
-    A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity,
-    user agent, and/or hostname should be making changes in your environment. Security Group deletions by unfamiliar
-    users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the
-    rule.
+    A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user
+    identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions by
+    unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
+    from the rule.
    """,
 ]
 from = "now-60m"
@@ -47,13 +47,15 @@ framework = "MITRE ATT&CK"
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.007"
+name = "Disable or Modify Cloud Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/007/"
+

-  [[rule.threat.technique.subtechnique]]
-  id = "T1562.007"
-  name = "Disable or Modify Cloud Firewall"
-  reference = "https://attack.mitre.org/techniques/T1562/007/"

 [rule.threat.tactic]
-name = "Defense Evasion"
 id = "TA0005"
+name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/05/28"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -15,8 +15,8 @@ all existing findings are lost.
 false_positives = [
    """
    The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user
-    agent, and/or hostname should be making changes in your environment. Detector deletions by unfamiliar users or
-    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    agent, and/or hostname should be making changes in your environment. Detector deletions by unfamiliar users or hosts
+    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
 ]
 from = "now-60m"
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/05/27"
-integration = "aws"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/12"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/05/21"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -12,8 +12,8 @@ description = "Identifies the deletion of a specified AWS Web Application Firewa
 false_positives = [
    """
    Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent,
-    and/or hostname should be making changes in your environment. Web ACL deletions by unfamiliar users or hosts
-    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    and/or hostname should be making changes in your environment. Web ACL deletions by unfamiliar users or hosts should
+    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
 ]
 from = "now-60m"
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/09"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -58,3 +58,4 @@ reference = "https://attack.mitre.org/techniques/T1562/001/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/05/05"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -50,26 +50,25 @@ event.outcome:success
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1020/"
-name = "Automated Exfiltration"
 id = "T1020"
+name = "Automated Exfiltration"
+reference = "https://attack.mitre.org/techniques/T1020/"


 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0010/"
-name = "Exfiltration"
 id = "TA0010"
-
-
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1074/"
-name = "Data Staged"
 id = "T1074"
+name = "Data Staged"
+reference = "https://attack.mitre.org/techniques/T1074/"


 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0009/"
-name = "Collection"
 id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/24"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -90,7 +90,16 @@ references = [
 risk_score = 47
 rule_id = "98fd7407-0bd5-5817-cda0-3fcc33113a56"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility", "Exfiltration", "Investigation Guide"]
+tags = [
+    "Elastic",
+    "Cloud",
+    "AWS",
+    "Continuous Monitoring",
+    "SecOps",
+    "Asset Visibility",
+    "Exfiltration",
+    "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"

@@ -1,15 +1,16 @@
 [metadata]
 creation_date = "2021/04/22"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic", "Austin Songer"]
 description = """
-Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.
+Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or
+exfiltrate information.
 """
 false_positives = [
    """
@@ -43,24 +44,25 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1537/"
 id = "T1537"
 name = "Transfer Data to Cloud Account"
+reference = "https://attack.mitre.org/techniques/T1537/"


 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0010/"
 id = "TA0010"
 name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1005/"
 id = "T1005"
 name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"


 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0009/"
 id = "TA0009"
 name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/06/06"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -42,7 +42,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti
 framework = "MITRE ATT&CK"

 [rule.threat.tactic]
-name = "Exfiltration"
 id = "TA0010"
+name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"

@@ -1,23 +1,23 @@
 [metadata]
 creation_date = "2021/06/29"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Austin Songer"]
 description = """
-Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to
-exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an
-unauthorized or unexpected AWS account.
+Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order
+to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified,
+verify if the snapshot was shared with an unauthorized or unexpected AWS account.
 """
 false_positives = [
    """
    Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent,
-    and/or hostname should be making changes in your environment. Snapshot restoration by unfamiliar users or hosts should
-    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    and/or hostname should be making changes in your environment. Snapshot restoration by unfamiliar users or hosts
+    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
 ]
 index = ["filebeat-*", "logs-aws*"]
@@ -43,19 +43,22 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti
 event.outcome:success
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
+id = "T1578"
 name = "Modify Cloud Compute Infrastructure"
 reference = "https://attack.mitre.org/techniques/T1578/"
-id = "T1578"
 [[rule.threat.technique.subtechnique]]
 id = "T1578.004"
 name = "Revert Cloud Instance"
 reference = "https://attack.mitre.org/techniques/T1578/004/"


+
 [rule.threat.tactic]
+id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-id = "TA0005"
+
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/10/17"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Austin Songer"]
@@ -14,9 +14,10 @@ visibility in applications or a break in the flow with other AWS services.
 """
 false_positives = [
    """
-    EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or
-    hostname should be making changes in your environment. EventBridge Rules being deleted or disabled by unfamiliar users should
-    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user
+    agent, and/or hostname should be making changes in your environment. EventBridge Rules being deleted or disabled by
+    unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the
+    rule.
    """,
 ]
 from = "now-20m"
@@ -38,7 +39,6 @@ tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitorin
 timestamp_override = "event.ingested"
 type = "query"

-
 query = '''
 event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and
 event.outcome:success
@@ -48,14 +48,13 @@ event.outcome:success
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
+id = "T1489"
 name = "Service Stop"
 reference = "https://attack.mitre.org/techniques/T1489/"
-id = "T1489"
+

 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"

-
-
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/10"
-integration = "aws"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/12"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/05/18"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/05/20"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -93,7 +93,16 @@ references = [
 risk_score = 47
 rule_id = "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Impact", "Investigation Guide"]
+tags = [
+    "Elastic",
+    "Cloud",
+    "AWS",
+    "Continuous Monitoring",
+    "SecOps",
+    "Log Auditing",
+    "Impact",
+    "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/05"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,17 +1,17 @@
 [metadata]
 creation_date = "2021/08/27"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Austin Songer"]
 description = """
-Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that
-is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to
-deleting the File System, or the adversary will be unable to delete the File System.
+Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target
+that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior
+to deleting the File System, or the adversary will be unable to delete the File System.
 """
 false_positives = [
    """
@@ -45,6 +45,7 @@ event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com
 event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/05/26"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -106,3 +106,4 @@ reference = "https://attack.mitre.org/techniques/T1531/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/05/21"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -15,8 +15,8 @@ group does not delete resources that are members of the group; it only deletes t
 false_positives = [
    """
    A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or
-    hostname should be making changes in your environment. Resource group deletions by unfamiliar users or hosts
-    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    hostname should be making changes in your environment. Resource group deletions by unfamiliar users or hosts should
+    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
 ]
 from = "now-60m"
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/09/21"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/21"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Xavier Pich"]
@@ -16,9 +16,9 @@ decrypted, which means that data becomes unrecoverable.
 """
 false_positives = [
    """
-    A KMS customer managed key may be disabled or scheduled for deletion by a system administrator. Verify whether the user identity, user agent, 
-    and/or hostname should be making changes in your environment. Key deletions by unfamiliar users should be investigated. If known behavior is
-    causing false positives, it can be exempted from the rule.
+    A KMS customer managed key may be disabled or scheduled for deletion by a system administrator. Verify whether the
+    user identity, user agent, and/or hostname should be making changes in your environment. Key deletions by unfamiliar
+    users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
 ]
 from = "now-60m"
@@ -45,12 +45,15 @@ query = '''
 event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
+
+
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/06/05"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -51,3 +51,4 @@ reference = "https://attack.mitre.org/techniques/T1531/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
@@ -1,22 +1,22 @@
 [metadata]
 creation_date = "2020/05/21"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
 description = """
-Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database
-cluster, or database instance.
+Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster,
+or database instance.
 """
 false_positives = [
    """
-    Clusters or instances may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname
-    should be making changes in your environment. Cluster or instance deletions by unfamiliar users or hosts should be
-    investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    Clusters or instances may be deleted by a system administrator. Verify whether the user identity, user agent, and/or
+    hostname should be making changes in your environment. Cluster or instance deletions by unfamiliar users or hosts
+    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
 ]
 from = "now-60m"
@@ -34,8 +34,7 @@ references = [
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html",
    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html",
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-instance.html",
-    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html"
-
+    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html",
 ]
 risk_score = 47
 rule_id = "9055ece6-2689-4224-a0e0-b04881e1f8ad"
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/05/20"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/11"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -72,7 +72,15 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
 risk_score = 47
 rule_id = "e2a67480-3b79-403d-96e3-fdd2992c50ef"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
+tags = [
+    "Elastic",
+    "Cloud",
+    "AWS",
+    "Continuous Monitoring",
+    "SecOps",
+    "Identity and Access",
+    "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/07/02"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/07/06"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -89,7 +89,16 @@ references = ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-
 risk_score = 21
 rule_id = "37b211e8-4e2f-440f-86d8-06cc8f158cfa"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Initial Access", "Investigation Guide"]
+tags = [
+    "Elastic",
+    "Cloud",
+    "AWS",
+    "Continuous Monitoring",
+    "SecOps",
+    "Log Auditing",
+    "Initial Access",
+    "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"

@@ -4,7 +4,7 @@ maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 updated_date = "2022/09/13"
-integration = "aws"
+integration = ["aws"]

 [rule]
 anomaly_threshold = 50
@@ -4,7 +4,7 @@ maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 updated_date = "2022/09/13"
-integration = "aws"
+integration = ["aws"]

 [rule]
 anomaly_threshold = 50
@@ -4,7 +4,7 @@ maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 updated_date = "2022/09/13"
-integration = "aws"
+integration = ["aws"]

 [rule]
 anomaly_threshold = 50
@@ -4,7 +4,7 @@ maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 updated_date = "2022/09/13"
-integration = "aws"
+integration = ["aws"]

 [rule]
 anomaly_threshold = 50
@@ -4,7 +4,7 @@ maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 updated_date = "2022/09/13"
-integration = "aws"
+integration = ["aws"]

 [rule]
 anomaly_threshold = 75
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/04"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -15,8 +15,8 @@ ACL with a specified rule number.
 false_positives = [
    """
    Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or
-    hostname should be making changes in your environment. Network ACL creations by unfamiliar users or hosts should
-    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    hostname should be making changes in your environment. Network ACL creations by unfamiliar users or hosts should be
+    investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
 ]
 from = "now-60m"
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/05/05"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -15,9 +15,9 @@ pivot in an AWS environment.
 """
 false_positives = [
    """
-    A security group may be created by a system or network administrator. Verify whether the user identity, user
-    agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users
-    or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    A security group may be created by a system or network administrator. Verify whether the user identity, user agent,
+    and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts
+    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
 ]
 from = "now-30m"
@@ -48,24 +48,24 @@ RevokeSecurityGroupIngress) and event.outcome:success
 framework = "MITRE ATT&CK"

 [rule.threat.tactic]
-name = "Persistence"
 id = "TA0003"
+name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.007"
+name = "Disable or Modify Cloud Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/007/"
+

-  [[rule.threat.technique.subtechnique]]
-  id = "T1562.007"
-  name = "Disable or Modify Cloud Firewall"
-  reference = "https://attack.mitre.org/techniques/T1562/007/"

 [rule.threat.tactic]
-name = "Defense Evasion"
 id = "TA0005"
+name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/05"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/05/20"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -15,8 +15,8 @@ across multiple regions.
 false_positives = [
    """
    Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent,
-    and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts
-    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should
+    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
 ]
 from = "now-60m"
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/06/05"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -12,8 +12,8 @@ description = "Identifies the creation of an Amazon Relational Database Service
 false_positives = [
    """
    An RDS security group may be created by a system or network administrator. Verify whether the user identity, user
-    agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users
-    or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or
+    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
 ]
 from = "now-60m"
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/06/06"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/04/12"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -16,8 +16,8 @@ and could introduce security vulnerabilities.
 false_positives = [
    """
    Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent,
-    and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts
-    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should
+    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
 ]
 from = "now-60m"
@@ -33,8 +33,8 @@ references = ["https://docs.aws.amazon.com/redshift/latest/APIReference/API_Crea
 risk_score = 21
 rule_id = "015cca13-8832-49ac-a01b-a396114809f6"
 severity = "low"
-timestamp_override = "event.ingested"
 tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility", "Persistence"]
+timestamp_override = "event.ingested"
 type = "query"

 query = '''
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/05/10"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/05/10"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -43,19 +43,19 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1098"
-reference = "https://attack.mitre.org/techniques/T1098/"
 name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"


 [rule.threat.tactic]
 id = "TA0003"
-reference = "https://attack.mitre.org/tactics/TA0003/"
 name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"

 [rule.threat.tactic]
 id = "TA0006"
-reference = "https://attack.mitre.org/tactics/TA0006/"
 name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/07/19"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Austin Songer"]
@@ -12,8 +12,8 @@ description = "Identifies when a Route53 private hosted zone has been associated
 false_positives = [
    """
    A private hosted zone may be asssociated with a VPC by a system or network administrator. Verify whether the user
-    identity, user agent, and/or hostname should be making changes in your environment. If known behavior is
-    causing false positives, it can be exempted from the rule.
+    identity, user agent, and/or hostname should be making changes in your environment. If known behavior is causing
+    false positives, it can be exempted from the rule.
    """,
 ]
 from = "now-60m"
@@ -43,11 +43,12 @@ event.outcome:success
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1098"
-reference = "https://attack.mitre.org/techniques/T1098/"
 name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+

 [rule.threat.tactic]
 id = "TA0003"
-reference = "https://attack.mitre.org/tactics/TA0003/"
 name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"

@@ -1,20 +1,20 @@
 [metadata]
 creation_date = "2021/06/05"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic", "Austin Songer"]
 description = "Identifies when an AWS Route Table has been created."
 false_positives = [
    """
-    Route Tables may be created by a system or network administrators. Verify whether the user identity, user
-    agent, and/or hostname should be making changes in your environment. Route Table creation by unfamiliar users or
-    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
-    Automated processes that use Terraform may lead to false positives.
+    Route Tables may be created by a system or network administrators. Verify whether the user identity, user agent,
+    and/or hostname should be making changes in your environment. Route Table creation by unfamiliar users or hosts
+    should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Automated
+    processes that use Terraform may lead to false positives.
    """,
 ]
 from = "now-60m"
@@ -48,6 +48,7 @@ event.outcome:success
 framework = "MITRE ATT&CK"

 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0003/"
-name = "Persistence"
 id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
@@ -1,20 +1,20 @@
 [metadata]
 creation_date = "2021/06/05"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic", "Austin Songer"]
 description = "Identifies when an AWS Route Table has been modified or deleted."
 false_positives = [
    """
-    Route Table could be modified or deleted by a system administrator. Verify whether the user identity,
-    user agent, and/or hostname should be making changes in your environment. Route Table being modified
-    from unfamiliar users should be investigated. If known behavior is causing false positives, it can be
-    exempted from the rule. Also automated processes that use Terraform may lead to false positives.
+    Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent,
+    and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users
+    should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Also
+    automated processes that use Terraform may lead to false positives.
    """,
 ]
 from = "now-60m"
@@ -47,10 +47,12 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve
 DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"

 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0003/"
-name = "Persistence"
 id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
@@ -1,21 +1,19 @@
 [metadata]
 creation_date = "2021/09/22"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Austin Songer"]
-description = """
-Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.
-"""
+description = "Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target."
 false_positives = [
    """
    SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or
-    hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should
-    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be
+    investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
 ]
 from = "now-25m"
@@ -42,6 +40,7 @@ event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazon
 UpdateSAMLProvider) and event.outcome:success
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -54,6 +53,7 @@ name = "Application Access Token"
 reference = "https://attack.mitre.org/techniques/T1550/001/"


+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/07/06"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -81,7 +81,15 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
 risk_score = 73
 rule_id = "bc0c6f0d-dab0-47a3-b135-0925f0a333bc"
 severity = "high"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
+tags = [
+    "Elastic",
+    "Cloud",
+    "AWS",
+    "Continuous Monitoring",
+    "SecOps",
+    "Identity and Access",
+    "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/05/17"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Austin Songer"]
@@ -12,19 +12,15 @@ description = """
 Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access
 AWS resources. An adversary could use those credentials to move laterally and escalate privileges.
 """
-false_positives = [
-    """
-    Automated processes that use Terraform may lead to false positives.
-    """,
-]
+false_positives = ["Automated processes that use Terraform may lead to false positives."]
 index = ["filebeat-*", "logs-aws*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Security Token Service (STS) AssumeRole Usage"
-references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"]
 note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"]
 risk_score = 21
 rule_id = "93075852-b0f5-4b8b-89c3-a226efae5726"
 severity = "low"
@@ -37,6 +33,7 @@ event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.acti
 aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -66,3 +63,4 @@ reference = "https://attack.mitre.org/techniques/T1550/001/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/05/17"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Austin Songer"]
@@ -14,9 +14,9 @@ escalate privileges.
 """
 false_positives = [
    """
-    GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user
-    agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or
-    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent,
+    and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should
+    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
 ]
 index = ["filebeat-*", "logs-aws*"]
@@ -26,10 +26,7 @@ name = "AWS STS GetSessionToken Abuse"
 note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
-references = [
-    "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html",
-]
-
+references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html"]
 risk_score = 21
 rule_id = "b45ab1d2-712f-4f01-a751-df3826969807"
 severity = "low"
@@ -72,3 +69,4 @@ reference = "https://attack.mitre.org/techniques/T1550/001/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/07/06"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -84,7 +84,15 @@ references = ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-
 risk_score = 21
 rule_id = "a60326d7-dca7-4fb7-93eb-1ca03a1febbd"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
+tags = [
+    "Elastic",
+    "Cloud",
+    "AWS",
+    "Continuous Monitoring",
+    "SecOps",
+    "Identity and Access",
+    "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/18"
-integration = "azure"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/12"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,11 +1,10 @@
 [metadata]
 creation_date = "2021/08/12"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
-
+updated_date = "2022/12/14"

 [rule]
 author = ["Austin Songer"]
@@ -16,9 +15,10 @@ internal traffic.
 """
 false_positives = [
    """
-    Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity,
-    user agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar
-    users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, user
+    agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar
+    users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the
+    rule.
    """,
 ]
 from = "now-25m"
@@ -32,8 +32,8 @@ The Azure Fleet integration, Filebeat module, or similarly structured data is re
 references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"]
 risk_score = 47
 rule_id = "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Monitoring"]
 severity = "medium"
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Monitoring"]
 timestamp_override = "event.ingested"
 type = "query"

@@ -48,16 +48,16 @@ event.outcome:(Success or success)
 '''


-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1040/"
-name = "Network Sniffing"
 id = "T1040"
+name = "Network Sniffing"
+reference = "https://attack.mitre.org/techniques/T1040/"


 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0006/"
-name = "Credential Access"
 id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/31"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/07"
-integration = "azure"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ The Azure Fleet integration, Filebeat module, or similarly structured data is re
 references = [
    "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
    "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault",
-    "https://www.elastic.co/security-labs/detect-credential-access"
+    "https://www.elastic.co/security-labs/detect-credential-access",
 ]
 risk_score = 47
 rule_id = "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec"
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/19"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/12/14"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/01"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -39,10 +39,12 @@ event.dataset:azure.activitylogs and
    event.outcome:(Success or success)
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"

 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0005/"
-name = "Defense Evasion"
 id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
@@ -1,22 +1,22 @@
 [metadata]
 creation_date = "2021/09/22"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"

 [rule]
 author = ["Austin Songer"]
 description = """
-Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure
-Blob. An adversary may modify the permissions on a blob to weaken their target's security controls
-or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.
+Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An
+adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may
+inadvertently modify the permissions, which could lead to data exposure or loss.
 """
 false_positives = [
    """
-    Blob permissions may be modified by system administrators. Verify that the configuration change was
-    expected. Exceptions can be added to this rule to filter expected behavior.
+    Blob permissions may be modified by system administrators. Verify that the configuration change was expected.
+    Exceptions can be added to this rule to filter expected behavior.
    """,
 ]
 index = ["filebeat-*", "logs-azure*"]
@@ -54,3 +54,4 @@ reference = "https://attack.mitre.org/techniques/T1222/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/17"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/12/14"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "azure"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -87,7 +87,15 @@ references = [
 risk_score = 21
 rule_id = "60b6b72f-0fbc-47e7-9895-9ba7627a8b50"
 severity = "low"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
+tags = [
+    "Elastic",
+    "Cloud",
+    "Azure",
+    "Continuous Monitoring",
+    "SecOps",
+    "Identity and Access",
+    "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/18"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -15,8 +15,8 @@ volumes of events and data. An adversary may delete an Event Hub in an attempt t
 false_positives = [
    """
    Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or
-    resource name should be making changes in your environment. Event Hub deletions by unfamiliar users or hosts
-    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    resource name should be making changes in your environment. Event Hub deletions by unfamiliar users or hosts should
+    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
 ]
 from = "now-25m"
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/18"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -15,8 +15,8 @@ defenses and/or to eliminate barriers to their objective.
 false_positives = [
    """
    Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname,
-    and/or resource name should be making changes in your environment. Firewall policy deletions by unfamiliar users
-    or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    and/or resource name should be making changes in your environment. Firewall policy deletions by unfamiliar users or
+    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
 ]
 from = "now-25m"
--- a/Show More
+++ b/Show More