Cleanup note field in rules (#1194)

* standardize usage of note field
This commit is contained in:
Justin Ibarra
2021-05-10 13:40:56 -08:00
committed by GitHub
parent 60f5168f07
commit 6ef5c53b0c
176 changed files with 725 additions and 353 deletions
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/06/10"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -19,7 +19,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS CloudTrail Log Created"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html",
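Review bot: The rewritten `note = """## Config` value states the data requirement only as "the AWS Fleet integration, Filebeat module, or similarly structured data", which leaves "similarly structured" undefined for anyone feeding the rule from a custom pipeline; the only concrete constraint visible in the file is the `index` pattern shown in the hunk header, and the fields the rule's query (outside this hunk) depends on are never named. A follow-on sentence such as `Data from other sources must populate the same fields referenced by this rule's query.` would make the guidance actionable. The hunk header (7 old lines, 9 new) implies three added lines where only two are rendered here, so the multi-line string probably carries a blank line between the heading and the body that this view dropped; the closing `"""` is visible, so the TOML still parses. The same note text is repeated verbatim in every other AWS section of this commit and, with "Azure" substituted, in the Azure sections, so one wording fix should be applied to all of them; the enclosing `[rule]` table starts before and continues past the hunk.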
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/07/16"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -15,7 +15,9 @@ index = ["filebeat-*", "logs-aws*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Brute Force of Assume Role Policy"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities",
"https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/06/04"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -20,7 +20,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM User Addition to Group"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"]
risk_score = 21
rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/07/21"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-aws*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Management Console Brute Force of Root User Identity"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
risk_score = 73
rule_id = "4d50a94f-2844-43fa-8395-6afbd5e1c5ef"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/07/06"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Nick Jones", "Elastic"]
@@ -21,7 +21,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Access Secret in Secrets Manager"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
"http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/05/26"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -19,7 +19,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS CloudTrail Log Deleted"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html",
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/06/10"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -23,7 +23,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS CloudTrail Log Suspended"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html",
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/06/15"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -19,7 +19,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS CloudWatch Alarm Deletion"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html",
"https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/06/26"
maturity = "production"
updated_date = "2021/04/13"
updated_date = "2021/05/10"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -23,7 +23,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Config Service Tampering"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html",
"https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/06/16"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -19,7 +19,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Configuration Recorder Stopped"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html",
"https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/06/15"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Flow Log Deletion"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/05/26"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Network Access Control List Deletion"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/05/28"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS GuardDuty Detector Deletion"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html",
"https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/05/27"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -19,7 +19,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS S3 Bucket Configuration Deletion"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/05/21"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -19,7 +19,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS WAF Access Control List Deletion"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html",
"https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/06/09"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -19,7 +19,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS WAF Rule or Rule Group Deletion"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html",
"https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/06/24"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Snapshot Activity"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/06/10"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -19,7 +19,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS CloudTrail Log Updated"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html",
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/05/18"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS CloudWatch Log Group Deletion"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html",
"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/05/20"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS CloudWatch Log Stream Deletion"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html",
"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/06/05"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Encryption Disabled"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/05/26"
maturity = "production"
updated_date = "2021/04/20"
updated_date = "2021/05/10"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -23,7 +23,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Deactivation of MFA Device"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html",
"https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html",
+4 -2
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/05/21"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Group Deletion"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html",
"https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html",
+4 -2
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/05/21"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS RDS Cluster Deletion"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html",
"https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/05/20"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -19,7 +19,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS RDS Instance/Cluster Stoppage"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html",
"https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/06/11"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -20,7 +20,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Management Console Root Login"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
risk_score = 73
rule_id = "e2a67480-3b79-403d-96e3-fdd2992c50ef"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/07/02"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Password Recovery Requested"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/"]
risk_score = 21
rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/07/06"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -23,7 +23,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Execution via System Manager"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"]
risk_score = 21
rule_id = "37b211e8-4e2f-440f-86d8-06cc8f158cfa"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/06/04"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Network Access Control List Creation"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/06/05"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Group Creation"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html",
"https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/05/20"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS RDS Cluster Creation"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html",
"https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/07/06"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Root Login Without MFA"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
risk_score = 73
rule_id = "bc0c6f0d-dab0-47a3-b135-0925f0a333bc"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/07/06"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Assume Role Policy Update"
note = "The AWS Filebeat module must be enabled to use this rule."
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"]
risk_score = 21
rule_id = "a60326d7-dca7-4fb7-93eb-1ca03a1febbd"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/18"
maturity = "production"
updated_date = "2021/03/04"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -24,7 +24,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Event Hub Authorization Rule Created or Updated"
note = "The Azure Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"]
risk_score = 47
rule_id = "b6dce542-2b75-4ffb-b7d6-38787298ba9d"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/31"
maturity = "production"
updated_date = "2021/03/04"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Key Vault Modified"
note = "The Azure Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
"https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/19"
maturity = "production"
updated_date = "2021/03/04"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Storage Account Key Regenerated"
note = "The Azure Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal",
]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/14"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -24,7 +24,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Application Credential Modification"
note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/17"
maturity = "production"
updated_date = "2021/03/04"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Diagnostic Settings Deletion"
note = "The Azure Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings"]
risk_score = 47
rule_id = "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/14"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -23,7 +23,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Service Principal Addition"
note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
"https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/18"
maturity = "production"
updated_date = "2021/03/04"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Event Hub Deletion"
note = "The Azure Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about",
"https://azure.microsoft.com/en-in/services/event-hubs/",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/18"
maturity = "production"
updated_date = "2021/03/04"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Firewall Policy Deletion"
note = "The Azure Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"]
risk_score = 21
rule_id = "e02bd3ea-72c6-4181-ac2b-0f83d17ad969"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/31"
maturity = "production"
updated_date = "2021/03/04"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Network Watcher Deletion"
note = "The Azure Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"]
risk_score = 47
rule_id = "323cb487-279d-4218-bcbd-a568efe930c6"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/20"
maturity = "production"
updated_date = "2021/03/04"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Blob Container Access Level Modification"
note = "The Azure Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent"]
risk_score = 21
rule_id = "2636aa6c-88b5-4337-9c31-8d0192a8ef45"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/17"
maturity = "production"
updated_date = "2021/03/04"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -24,7 +24,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Command Execution on Virtual Machine"
note = "The Azure Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://adsecurity.org/?p=4277",
"https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/01"
maturity = "production"
updated_date = "2021/03/04"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -14,7 +14,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Automation Runbook Deleted"
note = "The Azure Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
"https://github.com/hausec/PowerZure",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/17"
maturity = "production"
updated_date = "2021/03/04"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -23,7 +23,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Resource Group Deletion"
note = "The Azure Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal",
]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/04"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic", "Willem D'Haese"]
@@ -16,7 +16,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Active Directory High Risk Sign-in"
note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk",
"https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/14"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Active Directory PowerShell Sign-in"
note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
"https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/01"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -15,11 +15,16 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Possible Consent Grant Attack via Azure-Registered Application"
note = """- The Azure Filebeat module must be enabled to use this rule.
note = """## Triage and analysis
- In a consent grant attack, an attacker tricks an end user into granting a malicious application consent to access their data, usually via a phishing attack. After the malicious application has been granted consent, it has account-level access to data without the need for an organizational account.
- Normal remediation steps, like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts, are not effective against this type of attack, since these are third-party applications and are external to the organization.
- Security analysts should review the list of trusted applications for any suspicious items.
"""
## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide",
]
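Review bot: The new heading `## Triage and analysis` in this rule's note is in sentence case, while the "Threat Intel Filebeat Module Indicator Match" section later in this commit keeps `## Triage and Analysis`, and the Google Workspace sections use Title Case for their `### Important Information …` heading. Since the commit's stated purpose is to standardize the note field, this heading should match the others: `note = """## Triage and Analysis`. The rendered view drops blank lines, so it is not visible whether the last bullet and `## Config` are separated by one; if not, adding it keeps the two sections rendering as distinct markdown blocks.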
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/31"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -23,7 +23,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure External Guest User Invitation"
note = "The Azure Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0"]
risk_score = 21
rule_id = "141e9b3a-ff37-4756-989d-05d7cbf35b0e"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/18"
maturity = "production"
updated_date = "2021/03/04"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -15,7 +15,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Automation Account Created"
note = "The Azure Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
"https://github.com/hausec/PowerZure",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/18"
maturity = "production"
updated_date = "2021/03/04"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -14,7 +14,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Automation Runbook Created or Modified"
note = "The Azure Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
"https://github.com/hausec/PowerZure",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/18"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -15,7 +15,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Automation Webhook Created"
note = "The Azure Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
"https://github.com/hausec/PowerZure",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/01"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -16,7 +16,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Conditional Access Policy Modified"
note = "The Azure Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"]
risk_score = 47
rule_id = "bc48bba7-4a23-4232-b551-eca3ca1e3f20"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/24"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -23,7 +23,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Global Administrator Role Addition to PIM User"
note = "The Azure Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles",
]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/01"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -16,7 +16,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Privilege Identity Management Role Modified"
note = "The Azure Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles",
"https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/20"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -14,7 +14,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Multi-Factor Authentication Disabled for an Azure User"
note = "The Azure Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
risk_score = 47
rule_id = "dafa3235-76dc-40e2-9f71-1773b96d24cf"
severity = "medium"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/20"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -15,7 +15,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "User Added as Owner for Azure Application"
note = "The Azure Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
risk_score = 21
rule_id = "774f5e28-7b75-4a58-b94e-41bf060fdd86"
severity = "low"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/20"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -17,7 +17,9 @@ index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "User Added as Owner for Azure Service Principal"
note = "The Azure Filebeat module must be enabled to use this rule."
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals",
]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/07/07"
maturity = "production"
updated_date = "2021/04/14"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -16,7 +16,9 @@ index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.
language = "eql"
license = "Elastic License v2"
name = "Hosts File Modified"
note = "For Windows systems using Auditbeat, this rule requires adding 'C:/Windows/System32/drivers/etc' as an additional path in the 'file_integrity' module of auditbeat.yml."
note = """## Config
For Windows systems using Auditbeat, this rule requires adding 'C:/Windows/System32/drivers/etc' as an additional path in the 'file_integrity' module of auditbeat.yml."""
references = ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"]
risk_score = 47
rule_id = "9c260313-c811-4ec8-ab89-8f6530e0246c"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/14"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -16,7 +16,9 @@ index = ["filebeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "Zoom Meeting with no Passcode"
note = "This rule requires the Zoom Filebeat module."
note = """## Config
The Zoom Filebeat module or similarly structured data is required to be compatible with this rule."""
references = [
"https://blog.zoom.us/a-message-to-our-users/",
"https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/04/21"
maturity = "production"
updated_date = "2021/04/21"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -14,8 +14,8 @@ interval = "9m"
language = "kuery"
license = "Elastic License v2"
name = "Threat Intel Filebeat Module Indicator Match"
note = """
## Triage and Analysis
note = """## Triage and Analysis
If an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.
- `threatintel.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/23"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Pub/Sub Subscription Creation"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/pubsub/docs/overview"]
risk_score = 21
rule_id = "d62b64a8-a7c9-43e5-aee3-15a725a794e7"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/23"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Pub/Sub Topic Creation"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/pubsub/docs/admin"]
risk_score = 21
rule_id = "a10d3d9d-0f65-48f1-8b25-af175e2594f5"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Firewall Rule Creation"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/vpc/docs/firewalls"]
risk_score = 21
rule_id = "30562697-9859-4ae0-a8c5-dab45d664170"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Firewall Rule Deletion"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/vpc/docs/firewalls"]
risk_score = 47
rule_id = "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Firewall Rule Modification"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/vpc/docs/firewalls"]
risk_score = 47
rule_id = "2783d84f-5091-4d7d-9319-9fceda8fa71b"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -23,7 +23,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Logging Bucket Deletion"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/logging/docs/buckets", "https://cloud.google.com/logging/docs/storage"]
risk_score = 47
rule_id = "5663b693-0dea-4f2e-8275-f1ae5ff2de8e"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/18"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Logging Sink Deletion"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/logging/docs/export"]
risk_score = 47
rule_id = "51859fa0-d86b-4214-bf48-ebb30ed91305"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/23"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Pub/Sub Subscription Deletion"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/pubsub/docs/overview"]
risk_score = 21
rule_id = "cc89312d-6f47-48e4-a87c-4977bd4633c3"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/18"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Pub/Sub Topic Deletion"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/pubsub/docs/overview"]
risk_score = 21
rule_id = "3202e172-01b1-4738-a932-d024c514ba72"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -19,7 +19,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Storage Bucket Configuration Modification"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
risk_score = 47
rule_id = "97359fd8-757d-4b1d-9af1-ef29e4a8680e"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Storage Bucket Permissions Modification"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/storage/docs/access-control/iam-permissions"]
risk_score = 47
rule_id = "2326d1b2-9acf-4dee-bd21-867ea7378b4d"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Logging Sink Modification"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/logging/docs/export#how_sinks_work"]
risk_score = 21
rule_id = "184dfe52-2999-42d9-b9d1-d1ca54495a61"
+4 -2
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP IAM Role Deletion"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/iam/docs/understanding-roles"]
risk_score = 21
rule_id = "e2fb5b18-e33c-4270-851e-c3d675c9afcd"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Service Account Deletion"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/iam/docs/service-accounts"]
risk_score = 47
rule_id = "8fb75dda-c47a-4e34-8ecd-34facf7aad13"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Service Account Disabled"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/iam/docs/service-accounts"]
risk_score = 47
rule_id = "bca7d28e-4a48-47b1-adb7-5074310e9a61"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Storage Bucket Deletion"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
risk_score = 47
rule_id = "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Virtual Private Cloud Network Deletion"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/vpc/docs/vpc"]
risk_score = 47
rule_id = "c58c3081-2e1d-4497-8491-e73a45d1a6d6"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Virtual Private Cloud Route Creation"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.com/vpc/docs/using-routes"]
risk_score = 21
rule_id = "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Virtual Private Cloud Route Deletion"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.com/vpc/docs/using-routes"]
risk_score = 47
rule_id = "a17bcc91-297b-459b-b5ce-bc7460d8f82a"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP IAM Custom Role Creation"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/iam/docs/understanding-custom-roles"]
risk_score = 47
rule_id = "aa8007f0-d1df-49ef-8520-407857594827"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP IAM Service Account Key Deletion"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://cloud.google.com/iam/docs/service-accounts",
"https://cloud.google.com/iam/docs/creating-managing-service-account-keys",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -23,7 +23,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Service Account Key Creation"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://cloud.google.com/iam/docs/service-accounts",
"https://cloud.google.com/iam/docs/creating-managing-service-account-keys",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -23,7 +23,9 @@ index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Service Account Creation"
note = "The GCP Filebeat module must be enabled to use this rule."
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/iam/docs/service-accounts"]
risk_score = 21
rule_id = "7ceb2216-47dd-4e64-9433-cddc99727623"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,11 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "Application Added to Google Workspace Domain"
note = """### Important Information Regarding Google Workspace Event Lag Times
note = """## Config
The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,11 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "Domain Added to Google Workspace Trusted Domains"
note = """### Important Information Regarding Google Workspace Event Lag Times
note = """## Config
The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,11 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "Google Workspace Admin Role Deletion"
note = """### Important Information Regarding Google Workspace Event Lag Times
note = """## Config
The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,11 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "Google Workspace MFA Enforcement Disabled"
note = """### Important Information Regarding Google Workspace Event Lag Times
note = """## Config
The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,11 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "Google Workspace Password Policy Modified"
note = """### Important Information Regarding Google Workspace Event Lag Times
note = """## Config
The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,11 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "MFA Disabled for Google Workspace Organization"
note = """### Important Information Regarding Google Workspace Event Lag Times
note = """## Config
The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,11 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "Google Workspace Admin Role Assigned to a User"
note = """### Important Information Regarding Google Workspace Event Lag Times
note = """## Config
The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/12"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -22,7 +22,11 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "Google Workspace API Access Granted via Domain-Wide Delegation of Authority"
note = """### Important Information Regarding Google Workspace Event Lag Times
note = """## Config
The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,11 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "Google Workspace Custom Admin Role Created"
note = """### Important Information Regarding Google Workspace Event Lag Times
note = """## Config
The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,11 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "Google Workspace Role Modified"
note = """### Important Information Regarding Google Workspace Event Lag Times
note = """## Config
The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/21"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -14,7 +14,9 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Persistence via Login Hook"
note = "Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system."
note = """## Triage and analysis
Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system."""
references = ["https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js"]
risk_score = 47
rule_id = "ac412404-57a5-476f-858f-4e8fbb4f48d8"
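Review bot: The new `## Triage and analysis` heading at `note = """## Triage and analysis` is placed over text that only describes the login-hook persistence mechanism; nothing under it tells an analyst what to check, so the heading promises more than the section delivers. Either keep the text as a plain description or add a few bullets covering what to verify (for example, whether the hook's target script is administratively managed and which user or process wrote it). Unlike the other rules in this commit, this one gains no `## Config` section, although `index = ["auditbeat-*", "logs-endpoint.events.*"]` in the hunk header implies a data-source requirement comparable to the ones documented elsewhere; worth confirming whether that omission was intentional. The hunk counts 9 new lines against 8 shown, so a blank line after the heading was probably dropped by the renderer.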
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/03/29"
maturity = "production"
updated_date = "2021/03/29"
updated_date = "2021/05/10"
[rule]
author = ["Elastic", "Gary Blackwell", "Austin Songer"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 New Inbox Rule Created"
note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide",
"https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps",
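Review bot: The standardized sentence `The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.` reads as if the data must be compatible with the rule rather than the rule needing the data, and it drops the explicit "must be enabled" requirement of the line it replaces. A direct phrasing such as `This rule requires data from the Microsoft 365 Fleet integration, the Microsoft 365 Filebeat module, or a similarly structured source.` says the same thing without the ambiguity. The same wording appears in the `## Config` lines of the three following Microsoft 365 sections (Attempts to Brute Force a Microsoft 365 User Account, Potential Password Spraying of Microsoft 365 User Accounts, Microsoft 365 Exchange DLP Policy Removed) and in the Google Workspace sections above, so if the sentence is applied from a shared template the fix belongs there rather than in each file.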
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/30"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempts to Brute Force a Microsoft 365 User Account"
note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
risk_score = 73
rule_id = "26f68dba-ce29-497b-8e13-b4fde1db5a2d"
severity = "high"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/01"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Password Spraying of Microsoft 365 User Accounts"
note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
risk_score = 73
rule_id = "3efee4f0-182a-40a8-a835-102c68a4175d"
severity = "high"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/20"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Exchange DLP Policy Removed"
note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps",
"https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide",
