[Rule Tuning] updates from documentation review for 7.16 (#1645)

(cherry picked from commit 14c46f50b9)
Justin Ibarra
2021-12-07 15:42:58 -09:00
committed by github-actions[bot]
parent 9cae4c2c8b
commit 5589c47eab
17 changed files with 28 additions and 26 deletions
@@ -7,7 +7,7 @@ integration = "aws"
[rule]
author = ["Austin Songer"]
description = """
Identifies when an attempt was made to restored RDS Snapshot. Snapshots are sometimes shared by threat actors in order to
Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to
exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an
unauthorized or unexpected AWS account.
"""
@@ -7,8 +7,8 @@ integration = "aws"
[rule]
author = ["Austin Songer"]
description = """
Identifies when a user disabled or deleted an EventBridge rule. This activity can result in an unintended loss of
visibility in applications or breaking the flow with other AWS services.
Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of
visibility in applications or a break in the flow with other AWS services.
"""
false_positives = [
"""
@@ -7,7 +7,7 @@ integration = "azure"
[rule]
author = ["Austin Songer"]
description = """
Identifies when Events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes.
Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes.
Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events
in Azure Kubernetes in an attempt to evade detection.
"""
@@ -7,7 +7,8 @@ integration = "azure"
[rule]
author = ["Austin Songer"]
description = """
Identifies the deletion of Azure Kubernetes Pods. Adversary may delete a kubernetes pod to disrupt the normal behavior of the environment.
Identifies the deletion of Azure Kubernetes Pods. Adversaries may delete a Kubernetes pod to disrupt the normal behavior
of the environment.
"""
false_positives = [
"""
@@ -7,10 +7,10 @@ integration = "gcp"
[rule]
author = ["Elastic"]
description = """
Identifies when a Virtual Private Cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes
define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These
destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the
flow of network traffic in their target's cloud environment.
Identifies when a Virtual Private Cloud a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP).
Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other
destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in
order to impact the flow of network traffic in their target's cloud environment.
"""
false_positives = [
"""
@@ -7,7 +7,7 @@ integration = "o365"
[rule]
author = ["Austin Songer"]
description = """
Identifies when Microsoft Cloud App Security reported when a single user performs more than 50 downloads within 1 minute.
Identifies when Microsoft Cloud App Security reports that a single user performs more than 50 downloads within 1 minute.
"""
false_positives = ["Unknown"]
from = "now-30m"
@@ -7,7 +7,8 @@ integration = "o365"
[rule]
author = ["Austin Songer"]
description = """
Identifies when Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.
Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected
with ransomware.
"""
false_positives = [
"""
@@ -6,7 +6,7 @@ updated_date = "2021/03/04"
[rule]
author = ["Elastic"]
description = """
Elastic Endgame detected Ransomware. Click the Elastic Endgame icon in the event.module column or the link in the
Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the
rule.reference column for additional information.
"""
from = "now-15m"
@@ -6,7 +6,7 @@ updated_date = "2021/03/04"
[rule]
author = ["Elastic"]
description = """
Elastic Endgame prevented Ransomware. Click the Elastic Endgame icon in the event.module column or the link in the
Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the
rule.reference column for additional information.
"""
from = "now-15m"
@@ -6,7 +6,7 @@ updated_date = "2021/10/19"
[rule]
author = ["Elastic"]
description = """
Detects PowerShell Scripts that can record audio, a common feature in popular post-exploitation tooling.
Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
@@ -7,7 +7,7 @@ updated_date = "2021/09/27"
author = ["Elastic"]
description = """
Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module.
This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump Lsass memory
This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory
for credential access.
"""
from = "now-9m"
@@ -5,9 +5,9 @@ updated_date = "2021/10/15"
[rule]
author = ["Austin Songer"]
description = """Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide
the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response
and originating IP that are used to determine bad actors."""
description = """Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or
the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type,
response, and originating IP, which are used to determine bad actors."""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
@@ -7,7 +7,7 @@ updated_date = "2021/09/08"
author = ["Elastic"]
description = """
Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value.
Adversaries may abuse Control.exe to proxy execution of malicious code.
Adversaries may abuse control.exe to proxy execution of malicious code.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
@@ -6,7 +6,7 @@ updated_date = "2021/10/11"
[rule]
author = ["Elastic"]
description = """
Identifies suspicious process access events from unknown memory region. Endpoint security solutions usually hook userland
Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland
Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked
functions by writing malicious functions that call syscalls directly.
"""
@@ -6,9 +6,9 @@ updated_date = "2021/10/14"
[rule]
author = ["Elastic"]
description = """
This rule detects the use of discovery-related Windows API Functions in Powershell Scripts. Attackers can use these
This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these
functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain
trusts, groups, etc.,
trusts, groups, etc.
"""
false_positives = ["Legitimate Powershell Scripts that make use of these Functions"]
from = "now-9m"
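Review bot: The new description line lowercases `Functions` but keeps `Scripts` capitalized in `Windows API functions in PowerShell Scripts`, and the unchanged `false_positives` entry below still reads `"Legitimate Powershell Scripts that make use of these Functions"` with the old casing of both "Powershell" and "Functions"; the other PowerShell rules in this commit use `PowerShell script(s)`. For consistency, change the description line to `This rule detects the use of discovery-related Windows API functions in PowerShell scripts. Attackers can use these` and the false positive to `false_positives = ["Legitimate PowerShell scripts that make use of these functions"]`. The `[rule]` table continues past the hunk.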
@@ -6,9 +6,9 @@ updated_date = "2021/10/15"
[rule]
author = ["Elastic"]
description = """
This rule detects the presence of Portable Executables in a PowerShell Script by Looking for its encoded header.
Attackers embed PEs into PowerShell Scripts for Injecting them into the memory, avoiding defenses by not writing to
disk.,
Detects the presence of portable executables (PE) in a PowerShell script by looking for its encoded header.
Attackers embed PEs into PowerShell scripts for injecting them into the memory, avoiding defenses by not writing to
disk.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
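Review bot: The new first line, `Detects the presence of portable executables (PE) in a PowerShell script by looking for its encoded header.`, pairs a plural subject with the singular pronoun `its`; either make the subject singular, `Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header.`, or write `by looking for their encoded headers`. The rendered page has dropped the `+`/`-` markers, so this assumes the second three-line version is the new side. The `[rule]` table continues past the hunk.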
@@ -7,7 +7,7 @@ updated_date = "2021/10/01"
author = ["Elastic"]
description = """
Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite.
Adversaries may delete Backup files to ensure that recovery from a Ransomware attack is less likely.
Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.
"""
false_positives = [
"Certain utilities that delete files for disk cleanup or Administrators manually removing backup files.",