From 709cfddcbe35ed3add01b0fb81023c6f6617e011 Mon Sep 17 00:00:00 2001
From: Leandro Maciel
Date: Fri, 8 Mar 2024 16:01:27 -0300
Subject: [PATCH] fix: correct the provider for the create, delete and modify routes in EC2 VPCs (#3500)
---
 rules/integrations/aws/persistence_route_table_created.toml | 2 +-
 .../aws/persistence_route_table_modified_or_deleted.toml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml
index a1957e6b9..a3107b252 100644
--- a/rules/integrations/aws/persistence_route_table_created.toml
+++ b/rules/integrations/aws/persistence_route_table_created.toml
@@ -39,7 +39,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and
 event.outcome:success
 '''
diff --git a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
index fbfda67e6..a1b287b2a 100644
--- a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
+++ b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
@@ -43,7 +43,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or
 DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success
 '''
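Review bot: With `event.provider:ec2.amazonaws.com` these two queries can match EC2 route events for what is likely the first time, because CloudTrail records CreateRoute, ReplaceRoute and the other listed actions under the EC2 event source rather than `cloudtrail.amazonaws.com`. This applies equally to the second hunk, in persistence_route_table_modified_or_deleted.toml. The diffstat shows only the query line changing in each file, so nothing else in either rule records that it was effectively inactive before this fix. I would bump the rule metadata in both files, e.g. `updated_date = "2024/03/08"`, assuming the `[metadata]` block follows the repository's usual layout (it is outside the hunk). It is also worth confirming that each rule's false-positive guidance covers routine route changes made by infrastructure-as-code pipelines, since those will now alert.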