2058 add setup field to metadata (#2061)

* Convert config header to setup in note field * Parse note field into separate setup and note field with marko gfm * only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com> Removed changes from: - rules/cross-platform/impact_hosts_file_modified.toml - rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml - rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml - rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml - rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml - rules/integrations/google_workspace/google_workspace_policy_modified.toml - rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml - rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml - rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml - rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml - rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml - rules/integrations/kubernetes/execution_user_exec_to_pod.toml - rules/windows/credential_access_lsass_memdump_file_created.toml - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml - rules/windows/defense_evasion_suspicious_certutil_commands.toml - rules/windows/execution_command_shell_started_by_svchost.toml (selectively cherry picked from commit a52751494e)
2022-07-18 15:41:32 -04:00
parent c2bcfc575f
commit 62298d92f4
416 changed files with 944 additions and 804 deletions
@@ -33,6 +33,10 @@ Currently supported arguments:
 Environment variables using the argument format: `DR_<UPPERCASED_ARG_NAME>` will be parsed in commands which expect it.
 EX: `DR_USER=joe`

+
+Using the environment variable `DR_BYPASS_NOTE_VALIDATION_AND_PARSE` will bypass the Detection Rules validation on the `note` field in toml files.
+
+
 ## Importing rules into the repo

 You can import rules into the repo using the `create-rule` or `import-rules` commands. Both of these commands will
@@ -6,33 +6,39 @@
 import copy
 import dataclasses
 import json
+import os
 import typing
 from abc import ABC, abstractmethod
 from dataclasses import dataclass, field
 from functools import cached_property
 from pathlib import Path
-from typing import Literal, Union, Optional, List, Any, Dict, Tuple
+from typing import Any, Dict, List, Literal, Optional, Tuple, Union
 from uuid import uuid4

 import eql
+import kql
+from marko.block import Document as MarkoDocument
+from marko.ext.gfm import gfm
 from marshmallow import ValidationError, validates_schema

-import kql
-from . import beats
-from . import ecs
-from . import utils
+from . import beats, ecs, utils
 from .misc import load_current_package_version
 from .mixins import MarshmallowDataclassMixin, StackCompatMixin
-from .rule_formatter import toml_write, nested_normalize
-from .schemas import SCHEMA_DIR, definitions, downgrade, get_stack_schemas, get_min_supported_stack_version
+from .rule_formatter import nested_normalize, toml_write
+from .schemas import (SCHEMA_DIR, definitions, downgrade,
+                      get_min_supported_stack_version, get_stack_schemas)
 from .schemas.stack_compat import get_restricted_fields
 from .semver import Version
 from .utils import cached

-BUILD_FIELD_VERSIONS = {"required_fields": (Version('8.3'), None)}
 _META_SCHEMA_REQ_DEFAULTS = {}
 MIN_FLEET_PACKAGE_VERSION = '7.13.0'

+BUILD_FIELD_VERSIONS = {
+    "required_fields": (Version('8.3'), None),
+    "setup": (Version("8.3"), None)
+}
+

@dataclass(frozen=True)
 class RuleMeta(MarshmallowDataclassMixin):
@@ -221,6 +227,89 @@ class BaseRuleData(MarshmallowDataclassMixin, StackCompatMixin):
        fields: List[dataclasses.Field, ...] = list(dataclasses.fields(self))
        return get_restricted_fields(fields)

+    @cached_property
+    def data_validator(self) -> Optional['DataValidator']:
+        return DataValidator(is_elastic_rule=self.is_elastic_rule, **self.to_dict())
+
+    @cached_property
+    def parsed_note(self) -> Optional[MarkoDocument]:
+        dv = self.data_validator
+        if dv:
+            return dv.parsed_note
+
+    @property
+    def is_elastic_rule(self):
+        return 'elastic' in [a.lower() for a in self.author]
+
+
+class DataValidator:
+    """Additional validation beyond base marshmallow schema validation."""
+
+    def __init__(self,
+                 name: definitions.RuleName,
+                 is_elastic_rule: bool,
+                 note: Optional[definitions.Markdown] = None,
+                 setup: Optional[str] = None,
+                 **extras):
+        # only define fields needing additional validation
+        self.name = name
+        self.is_elastic_rule = is_elastic_rule
+        self.note = note
+        self.setup = setup
+
+        self._setup_in_note = False
+
+    @cached_property
+    def parsed_note(self) -> Optional[MarkoDocument]:
+        if self.note:
+            return gfm.parse(self.note)
+
+    @property
+    def setup_in_note(self):
+        return self._setup_in_note
+
+    @setup_in_note.setter
+    def setup_in_note(self, value: bool):
+        self._setup_in_note = value
+
+    @cached_property
+    def skip_validate_note(self) -> bool:
+        return os.environ.get('DR_BYPASS_NOTE_VALIDATION_AND_PARSE') is not None
+
+    def validate_note(self):
+        if self.skip_validate_note or not self.note:
+            return
+
+        try:
+            for child in self.parsed_note.children:
+                if child.get_type() == "Heading":
+                    header = gfm.renderer.render_children(child)
+
+                    if header.lower() == "setup":
+
+                        # check that the Setup header is correctly formatted at level 2
+                        if child.level != 2:
+                            raise ValidationError(f"Setup section with wrong header level: {child.level}")
+
+                        # check that the Setup header is capitalized
+                        if child.level == 2 and header != "Setup":
+                            raise ValidationError(f"Setup header has improper casing: {header}")
+
+                        self.setup_in_note = True
+
+                    else:
+                        # check that the header Config does not exist in the Setup section
+                        if child.level == 2 and "config" in header.lower():
+                            raise ValidationError(f"Setup header contains Config: {header}")
+
+        except Exception as e:
+            raise ValidationError(f"Invalid markdown in rule `{self.name}`: {e}. To bypass validation on the `note`"
+                                  f"field, use the environment variable `DR_BYPASS_NOTE_VALIDATION_AND_PARSE`")
+
+        # raise if setup header is in note and in setup
+        if self.setup_in_note and self.setup:
+            raise ValidationError("Setup header found in both note and setup fields.")
+

@dataclass
 class QueryValidator:
@@ -577,14 +666,13 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin):
        super()._post_dict_transform(obj)

        self.add_related_integrations(obj)
-        self.add_required_fields(obj)
-        self.add_setup(obj)
+        self._add_required_fields(obj)
+        self._add_setup(obj)

        # validate new fields against the schema
        rule_type = obj['type']
        subclass = self.get_data_subclass(rule_type)
        subclass.from_dict(obj)
-
        return obj

    def add_related_integrations(self, obj: dict) -> None:
@@ -592,7 +680,7 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin):
        # field_name = "related_integrations"
        ...

-    def add_required_fields(self, obj: dict) -> None:
+    def _add_required_fields(self, obj: dict) -> None:
        """Add restricted field required_fields to the obj, derived from the query AST."""
        if isinstance(self.data, QueryRuleData) and self.data.language != 'lucene':
            index = obj.get('index') or []
@@ -604,10 +692,55 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin):
        if self.check_restricted_field_version(field_name=field_name):
            obj.setdefault(field_name, required_fields)

-    def add_setup(self, obj: dict) -> None:
+    def _add_setup(self, obj: dict) -> None:
        """Add restricted field setup to the obj."""
-        # field_name = "setup"
-        ...
+        rule_note = obj.get("note", "")
+        field_name = "setup"
+        field_value = obj.get(field_name)
+
+        if not self.check_explicit_restricted_field_version(field_name):
+            return
+
+        data_validator = self.data.data_validator
+
+        if not data_validator.skip_validate_note and data_validator.setup_in_note and not field_value:
+            parsed_note = self.data.parsed_note
+
+            # parse note tree
+            for i, child in enumerate(parsed_note.children):
+                if child.get_type() == "Heading" and "Setup" in gfm.render(child):
+                    field_value = self._get_setup_content(parsed_note.children[i + 1:])
+
+                    # clean up old note field
+                    investigation_guide = rule_note.replace("## Setup\n\n", "")
+                    investigation_guide = investigation_guide.replace(field_value, "").strip()
+                    obj["note"] = investigation_guide
+                    obj[field_name] = field_value
+                    break
+
+    @cached
+    def _get_setup_content(self, note_tree: list) -> str:
+        """Get note paragraph starting from the setup header."""
+        setup = []
+        for child in note_tree:
+            if child.get_type() == "BlankLine" or child.get_type() == "LineBreak":
+                setup.append("\n")
+            elif child.get_type() == "CodeSpan":
+                setup.append(f"`{gfm.renderer.render_raw_text(child)}`")
+            elif child.get_type() == "Paragraph":
+                setup.append(self._get_setup_content(child.children))
+                setup.append("\n")
+            elif child.get_type() == "FencedCode":
+                setup.append(f"```\n{self._get_setup_content(child.children)}\n```")
+                setup.append("\n")
+            elif child.get_type() == "RawText":
+                setup.append(child.children)
+            elif child.get_type() == "Heading" and child.level >= 2:
+                break
+            else:
+                setup.append(self._get_setup_content(child.children))
+
+        return "".join(setup).strip()

    def check_explicit_restricted_field_version(self, field_name: str) -> bool:
        """Explicitly check restricted fields against global min and max versions."""
@@ -619,19 +752,21 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin):
        min_stack, max_stack = self.data.get_restricted_fields.get(field_name)
        return self.compare_field_versions(min_stack, max_stack)

-    def compare_field_versions(self, min_stack: Version, max_stack: Version) -> bool:
-        """Check current rule version is witihin min and max stack versions."""
+    @staticmethod
+    def compare_field_versions(min_stack: Version, max_stack: Version) -> bool:
+        """Check current rule version is within min and max stack versions."""
        current_version = Version(load_current_package_version())
        max_stack = max_stack or current_version
        return Version(min_stack) <= current_version >= Version(max_stack)

    @validates_schema
-    def validate_query(self, value: dict, **kwargs):
-        """Validate queries by calling into the validator for the relevant method."""
+    def post_validation(self, value: dict, **kwargs):
+        """Additional validations beyond base marshmallow schemas."""
        data: AnyRuleData = value["data"]
        metadata: RuleMeta = value["metadata"]

-        return data.validate_query(metadata)
+        data.validate_query(metadata)
+        data.data_validator.validate_note()

    def to_dict(self, strip_none_values=True) -> dict:
        # Load schemas directly from the data and metadata classes to avoid schema ambiguity which can
@@ -797,4 +932,4 @@ def get_unique_query_fields(rule: TOMLRule) -> List[str]:


 # avoid a circular import
-from .rule_validators import KQLValidator, EQLValidator  # noqa: E402
+from .rule_validators import EQLValidator, KQLValidator  # noqa: E402
@@ -1,4 +1,5 @@
 jsl==0.2.4
+marko
 pytoml
 toml==0.10.0
 requests~=2.27
@@ -17,7 +17,7 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "Potential Cookies Theft via Browser Debugging"
-note = """## Config
+note = """## Setup

 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -44,8 +44,8 @@ process where event.type in ("start", "process_started", "info") and
             "google-chrome-beta",
             "google-chrome",
             "msedge.exe") and
-   process.args : ("--remote-debugging-port=*", 
-                   "--remote-debugging-targets=*",  
+   process.args : ("--remote-debugging-port=*",
+                   "--remote-debugging-targets=*",
                   "--remote-debugging-pipe=*") and
   process.args : "--user-data-dir=*" and not process.args:"--remote-debugging-port=0"
 '''
@@ -14,7 +14,7 @@ index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.
 language = "eql"
 license = "Elastic License v2"
 name = "WebServer Access Logs Deleted"
-note = """## Config
+note = """## Setup

 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -27,10 +27,10 @@ type = "eql"

 query = '''
 file where event.type == "deletion" and
-  file.path : ("C:\\inetpub\\logs\\LogFiles\\*.log", 
+  file.path : ("C:\\inetpub\\logs\\LogFiles\\*.log",
               "/var/log/apache*/access.log",
-               "/etc/httpd/logs/access_log", 
-               "/var/log/httpd/access_log", 
+               "/etc/httpd/logs/access_log",
+               "/var/log/httpd/access_log",
               "/var/www/*/logs/access.log")
 '''

@@ -14,7 +14,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Tampering of Bash Command-Line History"
-note = """## Config
+note = """## Setup

 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -16,7 +16,7 @@ index = ["logs-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Elastic Agent Service Terminated"
-note = """## Config
+note = """## Setup

 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -31,18 +31,18 @@ query = '''
 process where
 /* net, sc or wmic stopping or deleting Elastic Agent on Windows */
 (event.type == "start" and
-  process.name : ("net.exe", "sc.exe", "wmic.exe","powershell.exe","taskkill.exe","PsKill.exe","ProcessHacker.exe") and 
+  process.name : ("net.exe", "sc.exe", "wmic.exe","powershell.exe","taskkill.exe","PsKill.exe","ProcessHacker.exe") and
  process.args : ("stopservice","uninstall", "stop", "disabled","Stop-Process","terminate","suspend") and
-  process.args : ("elasticendpoint", "Elastic Agent","elastic-agent","elastic-endpoint")) 
+  process.args : ("elasticendpoint", "Elastic Agent","elastic-agent","elastic-endpoint"))
 or
 /* service or systemctl used to stop Elastic Agent on Linux */
 (event.type == "end" and
-  (process.name : ("systemctl","service") and 
-    process.args : ("elastic-agent", "stop")) 
-  or 
+  (process.name : ("systemctl","service") and
+    process.args : ("elastic-agent", "stop"))
+  or
  /* Unload Elastic Agent extension on MacOS */
  (process.name : "kextunload" and
-    process.args : "com.apple.iokit.EndpointSecurity" and 
+    process.args : "com.apple.iokit.EndpointSecurity" and
    event.action : "end"))
 '''

@@ -15,7 +15,7 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "Timestomping using Touch Command"
-note = """## Config
+note = """## Setup

 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -15,7 +15,7 @@ index = ["logs-endpoint.events.*", "auditbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Security Software Discovery via Grep"
-note = """## Config
+note = """## Setup

 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -21,7 +21,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Virtual Machine Fingerprinting via Grep"
-note = """## Config
+note = """## Setup

 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -36,7 +36,7 @@ type = "eql"
 query = '''
 process where event.type == "start" and
 process.name in ("grep", "egrep") and user.id != "0" and
- process.args : ("parallels*", "vmware*", "virtualbox*") and process.args : "Manufacturer*" and 
+ process.args : ("parallels*", "vmware*", "virtualbox*") and process.args : "Manufacturer*" and
 not process.parent.executable in ("/Applications/Docker.app/Contents/MacOS/Docker", "/usr/libexec/kcare/virt-what")
 '''

@@ -15,7 +15,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Python Script Execution via Command Line"
-note = """## Config
+note = """## Setup

 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -11,7 +11,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Reverse Shell Activity via Terminal"
-note = """## Config
+note = """## Setup

 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -14,7 +14,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious JAVA Child Process"
-note = """## Config
+note = """## Setup

 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -16,7 +16,7 @@ index = ["filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Zoom Meeting with no Passcode"
-note = """## Config
+note = """## Setup

 The Zoom Filebeat module or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CloudTrail Log Created"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -16,7 +16,7 @@ index = ["filebeat-*", "logs-aws*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM Brute Force of Assume Role Policy"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -21,7 +21,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM User Addition to Group"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"]
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-aws*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Management Console Brute Force of Root User Identity"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
@@ -22,7 +22,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Access Secret in Secrets Manager"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CloudTrail Log Deleted"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -24,7 +24,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CloudTrail Log Suspended"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CloudWatch Alarm Deletion"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -24,7 +24,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Config Service Tampering"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Configuration Recorder Stopped"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 Flow Log Deletion"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 Network Access Control List Deletion"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS ElastiCache Security Group Created"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and 
+event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and
 event.outcome:success
 '''

@@ -47,7 +47,7 @@ reference = "https://attack.mitre.org/techniques/T1562/"
  id = "T1562.007"
  name = "Disable or Modify Cloud Firewall"
  reference = "https://attack.mitre.org/techniques/T1562/007/"
-  
+
 [rule.threat.tactic]
 name = "Defense Evasion"
 id = "TA0005"
@@ -21,7 +21,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS ElastiCache Security Group Modified or Deleted"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/Welcome.html"]
@@ -33,8 +33,8 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or 
-"Authorize Cache Security Group Ingress" or  "Revoke Cache Security Group Ingress" or "AuthorizeCacheSecurityGroupEgress" or 
+event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or
+"Authorize Cache Security Group Ingress" or  "Revoke Cache Security Group Ingress" or "AuthorizeCacheSecurityGroupEgress" or
 "RevokeCacheSecurityGroupEgress") and event.outcome:success
 '''

@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS GuardDuty Detector Deletion"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS S3 Bucket Configuration Deletion"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS WAF Access Control List Deletion"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS WAF Rule or Rule Group Deletion"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -24,7 +24,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 Full Network Packet Capture Detected"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -39,8 +39,8 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and 
-event.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and 
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and
+event.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and
 event.outcome:success
 '''

@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 Snapshot Activity"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -22,7 +22,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 VM Export Failure"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance"]
@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS RDS Snapshot Export"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"]
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-aws*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS RDS Snapshot Restored"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -12,7 +12,7 @@ visibility in applications or a break in the flow with other AWS services.
 """
 false_positives = [
    """
-    EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or 
+    EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or
    hostname should be making changes in your environment. EventBridge Rules being deleted or disabled by unfamiliar users should
    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-aws*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EventBridge Rule Disabled or Deleted"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -38,7 +38,7 @@ type = "query"


 query = '''
-event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and 
+event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and
 event.outcome:success
 '''

@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CloudTrail Log Updated"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CloudWatch Log Group Deletion"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CloudWatch Log Stream Deletion"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 Encryption Disabled"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -24,7 +24,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EFS File System or Mount Deleted"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -39,7 +39,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and 
+event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and
 event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success
 '''

@@ -24,7 +24,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM Deactivation of MFA Device"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM Group Deletion"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -21,7 +21,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS RDS Security Group Deletion"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSecurityGroup.html"]
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Deletion of RDS Instance or Cluster"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -43,7 +43,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance) 
+event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance)
 and event.outcome:success
 '''

@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS RDS Instance/Cluster Stoppage"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -21,7 +21,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Management Console Root Login"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM Password Recovery Requested"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"]
@@ -24,7 +24,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Execution via System Manager"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"]
@@ -24,7 +24,7 @@ license = "Elastic License v2"
 machine_learning_job_id = "high_distinct_count_error_message"
 name = "Spike in AWS Error Messages"
 note = """
-## Config
+## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

@@ -24,7 +24,7 @@ license = "Elastic License v2"
 machine_learning_job_id = "rare_error_code"
 name = "Rare AWS Error Code"
 note = """
-## Config
+## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

@@ -25,7 +25,7 @@ license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_city"
 name = "Unusual City For an AWS Command"
 note = """
-## Config
+## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

@@ -25,7 +25,7 @@ license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_country"
 name = "Unusual Country For an AWS Command"
 note = """
-## Config
+## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

@@ -24,7 +24,7 @@ license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_username"
 name = "Unusual AWS Command for a User"
 note = """
-## Config
+## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 Network Access Control List Creation"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -24,7 +24,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Security Group Configuration Change Detection"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html"]
@@ -36,8 +36,8 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or 
-CreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or 
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or
+CreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or
 RevokeSecurityGroupIngress) and event.outcome:success
 '''

@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM Group Creation"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS RDS Cluster Creation"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS RDS Security Group Creation"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBSecurityGroup.html"]
@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS RDS Instance Creation"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html"]
@@ -7,8 +7,8 @@ integration = "aws"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user 
-may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured 
+Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user
+may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured
 and could introduce security vulnerabilities.
 """
 false_positives = [
@@ -24,7 +24,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Redshift Cluster Creation"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/redshift/latest/APIReference/API_CreateCluster.html"]
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Route 53 Domain Transfer Lock Disabled"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -21,7 +21,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Route 53 Domain Transferred to Another Account"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html"]
@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Route53 private hosted zone associated with a VPC"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and 
+event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and
 event.outcome:success
 '''

@@ -21,7 +21,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Route Table Created"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and 
+event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and
 event.outcome:success
 '''

@@ -9,9 +9,9 @@ author = ["Elastic", "Austin Songer"]
 description = "Identifies when an AWS Route Table has been modified or deleted."
 false_positives = [
    """
-    Route Table could be modified or deleted by a system administrator. Verify whether the user identity, 
+    Route Table could be modified or deleted by a system administrator. Verify whether the user identity,
    user agent, and/or hostname should be making changes in your environment. Route Table being modified
-    from unfamiliar users should be investigated. If known behavior is causing false positives, it can be 
+    from unfamiliar users should be investigated. If known behavior is causing false positives, it can be
    exempted from the rule. Also automated processes that use Terraform may lead to false positives.
    """,
 ]
@@ -21,7 +21,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Route Table Modified or Deleted"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -11,7 +11,7 @@ Identifies when SAML activity has occurred in AWS. An adversary could manipulate
 """
 false_positives = [
    """
-    SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or 
+    SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or
    hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should
    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-aws*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS SAML Activity"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -36,7 +36,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or 
+event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or
 UpdateSAMLProvider) and event.outcome:success
 '''

@@ -22,7 +22,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Root Login Without MFA"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
@@ -20,7 +20,7 @@ language = "kuery"
 license = "Elastic License v2"
 name = "AWS Security Token Service (STS) AssumeRole Usage"
 references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"]
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 risk_score = 21
@@ -31,7 +31,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and 
+event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and
 aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success
 '''

@@ -7,13 +7,13 @@ integration = "aws"
 [rule]
 author = ["Austin Songer"]
 description = """
-Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and 
+Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and
 escalate privileges.
 """
 false_positives = [
    """
-    GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user 
-    agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or 
+    GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user
+    agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or
    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
 ]
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-aws*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS STS GetSessionToken Abuse"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -36,7 +36,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and 
+event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and
 aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success
 '''

@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM Assume Role Policy Update"
-note = """## Config
+note = """## Setup

 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"]
@@ -25,7 +25,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Event Hub Authorization Rule Created or Updated"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"]
@@ -14,7 +14,7 @@ internal traffic.
 """
 false_positives = [
    """
-    Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, 
+    Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity,
    user agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar
    users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
@@ -24,7 +24,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Full Network Packet Capture Detected"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"]
@@ -41,7 +41,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
        "MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION" or
        "MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION" or
        "MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE"
-    ) and 
+    ) and
 event.outcome:(Success or success)
 '''

@@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Key Vault Modified"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Storage Account Key Regenerated"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -25,7 +25,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Application Credential Modification"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Blob Permissions Modification"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles"]
@@ -35,7 +35,7 @@ type = "query"
 query = '''
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(
     "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION" or
-     "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION") and 
+     "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION") and
  event.outcome:(Success or success)
 '''

@@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Diagnostic Settings Deletion"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings"]
@@ -24,7 +24,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Service Principal Addition"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Event Hub Deletion"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Firewall Policy Deletion"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"]
@@ -7,12 +7,12 @@ integration = "azure"
 [rule]
 author = ["Austin Songer"]
 description = """
-Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall 
+Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall
 (WAF) Policy in an attempt to evade defenses and/or to eliminate barriers to their objective.
 """
 false_positives = [
    """
-    Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. Verify whether the username, 
+    Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. Verify whether the username,
    hostname, and/or resource name should be making changes in your environment. Azure Front Web Application Firewall (WAF) Policy deletions by
    unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Kubernetes Events Deleted"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and 
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and
 event.outcome:(Success or success)
 '''

@@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Network Watcher Deletion"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"]
@@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Alert Suppression Rule Created or Modified"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -38,7 +38,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and 
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and
 event.outcome: "success"
 '''

@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Blob Container Access Level Modification"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent"]
@@ -25,7 +25,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Command Execution on Virtual Machine"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -15,7 +15,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Automation Runbook Deleted"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -25,7 +25,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Service Principal Credentials Added"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf"]
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Kubernetes Pods Deleted"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -36,7 +36,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and 
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and
 event.outcome:(Success or success)
 '''

@@ -24,7 +24,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Resource Group Deletion"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -13,7 +13,7 @@ appliance, virtual hub, or virtual router.
 false_positives = [
    """
    Virtual Network Device modification or deletion may be performed by a system administrator. Verify
-    whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+    whether the user identity, user agent, and/or hostname should be making changes in your environment.
    Virtual Network Device modification or deletion by unfamiliar users should be investigated. If known
    behavior is causing false positives, it can be exempted from the rule.
    """,
@@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Virtual Network Device Modified or Deleted"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"]
@@ -40,7 +40,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSO
 "MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION" or "MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE" or
 "MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE" or "MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE" or
 "MICROSOFT.NETWORK/VIRTUALHUBS/DELETE" or "MICROSOFT.NETWORK/VIRTUALHUBS/WRITE" or
-"MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE" or "MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE") and 
+"MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE" or "MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE") and
 event.outcome:(Success or success)
 '''

@@ -17,7 +17,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Active Directory High Risk Sign-in"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -8,14 +8,14 @@ integration = "azure"
 author = ["Austin Songer"]
 description = """
 Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning
-and heuristics. 
+and heuristics.
 """
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Active Directory High Risk User Sign-in Heuristic"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Active Directory PowerShell Sign-in"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -23,7 +23,7 @@ note = """## Triage and analysis
 - Security analysts should review the list of trusted applications for any suspicious items.


-## Config
+## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and 
+event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and
  (
    azure.activitylogs.operation_name:"Consent to application" or
    azure.auditlogs.operation_name:"Consent to application" or
@@ -24,7 +24,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure External Guest User Invitation"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0"]
@@ -16,7 +16,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Automation Account Created"
-note = """## Config
+note = """## Setup

 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
--- a/Show More
+++ b/Show More