[Rule Tunings] AWS ESQL keep fields missing (#6014)

* [Tunings] AWS ESQL keep fields missing

Adding missing keep fields to 2 ESQL rules. 1 additional field name change as well.

* Apply suggestions from @eric

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>

---------

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>

rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0"
 min_stack_version = "9.2.0"
-updated_date = "2026/04/10"
+updated_date = "2026/04/29"
 
 [rule]
 author = ["Elastic"]
@@ -212,6 +212,22 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
 
 // filter for more than 5 unique API calls per 10s window
 | where Esql.event_action_count_distinct > 5
+
+| keep
+    aws.cloudtrail.user_identity.arn,
+    Esql.time_window_date_trunc,
+    Esql.event_action_count_distinct,
+    Esql.event_action_values,
+    Esql.event_timestamp_values,
+    Esql.aws_cloudtrail_user_identity_type_values,
+    Esql.aws_cloudtrail_user_identity_access_key_id_values,
+    Esql.source_ip_values,
+    Esql.cloud_account_id_values,
+    Esql.event_provider_values,
+    Esql.user_agent_name_values,
+    Esql.source_as_organization_name_values,
+    Esql.cloud_region_values,
+    Esql.data_stream_namespace_values
 '''
 
 
@@ -254,6 +270,7 @@ field_names = [
     "Esql.source_as_organization_name_values",
     "Esql.event_provider_values",
     "Esql.event_action_values",
+    "Esql.event_timestamp_values",
     "Esql.cloud_account_id_values",
     "Esql.cloud_region_values",
     "Esql.data_stream_namespace_values",

rules/integrations/aws/discovery_s3_rapid_bucket_posture_api_calls.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0"
 min_stack_version = "9.2.0"
-updated_date = "2026/04/10"
+updated_date = "2026/04/29"
 
 [rule]
 author = ["Elastic"]
@@ -41,7 +41,7 @@ Security scanners, compliance tools, and post-compromise reconnaissance often wa
 - **Access key (`Esql.aws_cloudtrail_user_identity_access_key_id_values`)**: Identify which access key or temporary credential was used. Correlate with IAM last-used metadata for the key or role session.
 
 **Characterize the bucket sweep**
-- **Distinct bucket count (`Esql.bucket_arn_count_distinct`)**: Compare to normal baselines for this identity; values at or just above the threshold may still warrant review for new automation.
+- **Distinct bucket count (`Esql.aws_cloudtrail_resources_arn_count_distinct`)**: Compare to normal baselines for this identity; values at or just above the threshold may still warrant review for new automation.
 - **Bucket ARNs (`Esql.aws_cloudtrail_resources_arn_values`)**: Identify which buckets were touched. Prioritize buckets that store logs, backups, credentials, or regulated data. Search the same time range for write or policy-change APIs (`PutBucket*`, `DeleteBucket*`) on the same buckets.
 
 **Analyze source and client**
@@ -139,7 +139,7 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
     data_stream.namespace
 
 | stats
-    Esql.bucket_arn_count_distinct = count_distinct(aws.cloudtrail.resources.arn),
+    Esql.aws_cloudtrail_resources_arn_count_distinct = count_distinct(aws.cloudtrail.resources.arn),
     Esql.aws_cloudtrail_resources_arn_values = VALUES(aws.cloudtrail.resources.arn),
     Esql.event_action_values = VALUES(event.action),
     Esql.timestamp_values = VALUES(@timestamp),
@@ -152,7 +152,23 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
     Esql.data_stream_namespace_values = VALUES(data_stream.namespace)
   by Esql.time_window_date_trunc, aws.cloudtrail.user_identity.arn, source.ip
 
-| where Esql.bucket_arn_count_distinct > 15
+| where Esql.aws_cloudtrail_resources_arn_count_distinct > 15
+
+| keep
+    aws.cloudtrail.user_identity.arn,
+    source.ip,
+    Esql.time_window_date_trunc,
+    Esql.aws_cloudtrail_resources_arn_count_distinct,
+    Esql.aws_cloudtrail_resources_arn_values,
+    Esql.event_action_values,
+    Esql.timestamp_values,
+    Esql.aws_cloudtrail_user_identity_type_values,
+    Esql.aws_cloudtrail_user_identity_access_key_id_values,
+    Esql.cloud_account_id_values,
+    Esql.cloud_region_values,
+    Esql.user_agent_original_values,
+    Esql.source_as_organization_name_values,
+    Esql.data_stream_namespace_values
 '''
 
 
@@ -193,12 +209,13 @@ reference = "https://attack.mitre.org/tactics/TA0009/"
 
 [rule.investigation_fields]
 field_names = [
-    "Esql.bucket_arn_count_distinct",
+    "Esql.aws_cloudtrail_resources_arn_count_distinct",
     "Esql.time_window_date_trunc",
     "aws.cloudtrail.user_identity.arn",
     "source.ip",
     "Esql.aws_cloudtrail_resources_arn_values",
     "Esql.event_action_values",
+    "Esql.timestamp_values",
     "Esql.aws_cloudtrail_user_identity_type_values",
     "Esql.aws_cloudtrail_user_identity_access_key_id_values",
     "Esql.cloud_account_id_values",