[Rule Tuning] Update Cloud Rule Syntax (#1061)

* update cloud syntax
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

rules/aws/collection_cloudtrail_logging_created.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:CreateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success
 '''
 
 

rules/aws/credential_access_iam_user_addition_to_group.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:AddUserToGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success
 '''
 
 

rules/aws/defense_evasion_cloudtrail_logging_deleted.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:DeleteTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success
 '''
 
 

rules/aws/defense_evasion_cloudtrail_logging_suspended.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:StopLogging and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success
 '''
 
 

rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:DeleteAlarms and event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success
 '''
 
 

rules/aws/defense_evasion_config_service_rule_deletion.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/26"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset: aws.cloudtrail and event.action: DeleteConfigRule and event.provider: config.amazonaws.com
+event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:DeleteConfigRule
 '''
 
 

rules/aws/defense_evasion_configuration_recorder_stopped.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/16"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:StopConfigurationRecorder and event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success
 '''
 
 

rules/aws/defense_evasion_ec2_flow_log_deletion.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:DeleteFlowLogs and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success
 '''
 
 

rules/aws/defense_evasion_ec2_network_acl_deletion.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success
 '''
 
 

rules/aws/defense_evasion_guardduty_detector_deletion.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/28"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:DeleteDetector and event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success
 '''
 
 

rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/27"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,10 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or DeleteBucketEncryption or DeleteBucketLifecycle) and event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and
+  event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or
+                DeleteBucketEncryption or DeleteBucketLifecycle)
+  and event.outcome:success
 '''
 
 

rules/aws/defense_evasion_waf_acl_deletion.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:DeleteWebACL and event.dataset:aws.cloudtrail and event.outcome:success
+event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success
 '''
 
 

rules/aws/impact_cloudtrail_logging_updated.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:UpdateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success
 '''
 
 

rules/aws/impact_cloudwatch_log_group_deletion.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:DeleteLogGroup and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success
 '''
 
 

rules/aws/impact_cloudwatch_log_stream_deletion.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:DeleteLogStream and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success
 '''
 
 

rules/aws/impact_ec2_disable_ebs_encryption.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:DisableEbsEncryptionByDefault and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success
 '''
 
 

rules/aws/impact_iam_deactivate_mfa_device.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:DeactivateMFADevice and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeactivateMFADevice and event.outcome:success
 '''
 
 

rules/aws/impact_iam_group_deletion.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:DeleteGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success
 '''
 
 

rules/aws/impact_rds_cluster_deletion.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.outcome:success
 '''
 
 

rules/aws/impact_rds_instance_cluster_stoppage.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:(StopDBCluster or StopDBInstance) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success
 '''
 
 

rules/aws/initial_access_console_login_root.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/11"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:ConsoleLogin and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and aws.cloudtrail.user_identity.type:Root and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success
 '''
 
 

rules/aws/initial_access_password_recovery.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/02"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:PasswordRecoveryRequested and event.provider:signin.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success
 '''
 
 

rules/aws/persistence_ec2_network_acl_creation.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success
 '''
 
 

rules/aws/persistence_iam_group_creation.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:CreateGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success
 '''
 
 

rules/aws/persistence_rds_cluster_creation.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:(CreateDBCluster or CreateGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success
 '''
 
 

rules/aws/privilege_escalation_root_login_without_mfa.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,10 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and
+  aws.cloudtrail.user_identity.type:Root and
+  aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and
+  event.outcome:success
 '''
 
 

rules/azure/persistence_azure_automation_webhook_created.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/04"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,6 @@ rule_id = "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62"
 severity = "low"
 tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 timestamp_override = "event.ingested"
-to = "now-25m"
 type = "query"
 
 query = '''

rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -29,6 +29,6 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.buckets.update and event.outcome:success
+event.dataset:(googlecloud.audit or gcp.audit) and event.action:"storage.buckets.update" and event.outcome:success
 '''
 

rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.setIamPermissions and event.outcome:success
+event.dataset:(googlecloud.audit or gcp.audit) and event.action:"storage.setIamPermissions" and event.outcome:success
 '''
 
 

rules/gcp/impact_gcp_storage_bucket_deleted.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.buckets.delete
+event.dataset:(googlecloud.audit or gcp.audit) and event.action:"storage.buckets.delete"
 '''
 
 

rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -31,6 +31,6 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or beta.compute.routes.insert)
+event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert")
 '''