diff --git a/detection_rules/rule_formatter.py b/detection_rules/rule_formatter.py
index 854b17f29..d8c224e06 100644
--- a/detection_rules/rule_formatter.py
+++ b/detection_rules/rule_formatter.py
@@ -142,10 +142,11 @@ def toml_write(rule_contents, outfile=None):
     # but will at least purge extraneous white space
     query = contents['rule'].pop('query', '').strip()
 
-    tags = contents['rule'].get("tags", [])
-
-    if tags and isinstance(tags, list):
-        contents['rule']["tags"] = list(sorted(set(tags)))
+    # - As tags are expanding, we may want to reconsider the need to have them in alphabetical order
+    # tags = contents['rule'].get("tags", [])
+    #
+    # if tags and isinstance(tags, list):
+    #     contents['rule']["tags"] = list(sorted(set(tags)))
 
     top = OrderedDict()
     bottom = OrderedDict()
diff --git a/rules/aws/collection_cloudtrail_logging_created.toml b/rules/aws/collection_cloudtrail_logging_created.toml
index 75245e9ae..4cbb05984 100644
--- a/rules/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/aws/collection_cloudtrail_logging_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 21
 rule_id = "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed"
 severity = "low"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
index f444650a7..86381e16f 100644
--- a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
+++ b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/16"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
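Review bot: Commenting out the tag normalisation in `toml_write` also drops the `set(tags)` de-duplication, so a rule whose `tags` list repeats an entry is now written back with the duplicate intact, and nothing else in this hunk takes over that check. If only the alphabetical ordering is in question, an order-preserving dedup keeps the guarantee without re-sorting: `tags = contents['rule'].get("tags", [])` / `if tags and isinstance(tags, list):` / `contents['rule']["tags"] = list(dict.fromkeys(tags))`. The old block should also be deleted rather than left commented out — version control keeps the history, and the `# - As tags are expanding…` line already records the reasoning. `toml_write` starts and ends outside the hunk.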
@@ -24,7 +24,7 @@ references = [
 risk_score = 47
 rule_id = "ea248a02-bc47-4043-8e94-2885b19b2636"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
 type = "threshold"
 
 query = '''
diff --git a/rules/aws/credential_access_iam_user_addition_to_group.toml b/rules/aws/credential_access_iam_user_addition_to_group.toml
index 0cd950a7b..ed8657644 100644
--- a/rules/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/aws/credential_access_iam_user_addition_to_group.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/04"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserTo
 risk_score = 21
 rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
 severity = "low"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
index 3498f44bc..ee5fe5012 100644
--- a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
+++ b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/06"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Nick Jones", "Elastic"]
@@ -27,10 +27,10 @@ references = [
     "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
     "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/",
 ]
-risk_score = 21
+risk_score = 73
 rule_id = "a00681e3-9ed6-447c-ab2c-be648821c622"
-severity = "low"
-tags = ["AWS", "Elastic"]
+severity = "high"
+tags = ["AWS", "Elastic", "SecOps", "Data Protection", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
index dd1d71708..f5975f602 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "7024e2a0-315d-4334-bb1a-441c593e16ab"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
index 22b1c80cc..1e4e3bb8b 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 47
 rule_id = "1aa8fa52-44a7-4dae-b058-f3333b91c8d7"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
 type = "query"
 
 query = '''
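Review bot: The `risk_score` change from `21` to `73` and `severity` from `"low"` to `"high"` in `credential_access_secretsmanager_getsecretvalue.toml` is the only scoring change in this commit, and the hunk touches nothing else in the rule, so the reason for the escalation is not recorded anywhere in the rule file. `GetSecretValue` is also called routinely by legitimate workloads, so unless the query (outside this hunk) already narrows the match to unusual callers, a high severity on every hit may be noisy in tenants that have not tuned it. I would either add a sentence to the rule's `false_positives` or `note` field stating what makes a hit high-severity, or at least record the rationale in the commit message so the next bump has a baseline to compare against.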
diff --git a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index 53cf3adb7..9aa767229 100644
--- a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/15"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "f772ec8a-e182-483c-91d2-72058f76a44c"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/defense_evasion_config_service_rule_deletion.toml b/rules/aws/defense_evasion_config_service_rule_deletion.toml
index cf6302504..3a6032ee0 100644
--- a/rules/aws/defense_evasion_config_service_rule_deletion.toml
+++ b/rules/aws/defense_evasion_config_service_rule_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/26"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 47
 rule_id = "7024e2a0-315d-4334-bb1a-552d604f27bc"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
index 021caf468..1d902ad46 100644
--- a/rules/aws/defense_evasion_configuration_recorder_stopped.toml
+++ b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/16"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 73
 rule_id = "fbd44836-0d69-4004-a0b4-03c20370c435"
 severity = "high"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
index 0d3805bb2..4de7fd7d9 100644
--- a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/15"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 73
 rule_id = "9395fd2c-9947-4472-86ef-4aceb2f7e872"
 severity = "high"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
index 09ddee603..62c466743 100644
--- a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 47
 rule_id = "8623535c-1e17-44e1-aa97-7a0699c3037d"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
index 1f0494d7a..bd5957e5e 100644
--- a/rules/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/28"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 73
 rule_id = "523116c0-d89d-4d7c-82c2-39e6845a78ef"
 severity = "high"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index 0e2832693..5df2c971a 100644
--- a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/27"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 21
 rule_id = "227dc608-e558-43d9-b521-150772250bae"
 severity = "low"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/defense_evasion_waf_acl_deletion.toml b/rules/aws/defense_evasion_waf_acl_deletion.toml
index 77eab6bc2..c6a0d333c 100644
--- a/rules/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/aws/defense_evasion_waf_acl_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "91d04cd4-47a9-4334-ab14-084abe274d49"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index bdbbf081f..7bd745dcc 100644
--- a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+++ b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/09"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "5beaebc1-cc13-4bfc-9949-776f9e0dc318"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/execution_via_system_manager.toml b/rules/aws/execution_via_system_manager.toml
index f072b8504..d34b32212 100644
--- a/rules/aws/execution_via_system_manager.toml
+++ b/rules/aws/execution_via_system_manager.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/06"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-
 risk_score = 21
 rule_id = "37b211e8-4e2f-440f-86d8-06cc8f158cfa"
 severity = "low"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
index 2e1c777c2..a71b4caad 100644
--- a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
+++ b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/24"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
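Review bot: The new tag set on `execution_via_system_manager.toml` is `["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]`, but nothing about an SSM execution rule concerns logging; the other AWS rules in this commit use that slot for the resource class the rule watches (`"Identity and Access"`, `"Network"`, `"Data Protection"`), so this looks like a carry-over from the CloudTrail hunks above. The same category slot is applied unevenly elsewhere in the commit: `impact_iam_deactivate_mfa_device.toml` and `impact_iam_group_deletion.toml` get `"Monitoring"` while `okta_attempt_to_deactivate_okta_mfa_rule.toml` and `persistence_iam_group_creation.toml` get `"Identity and Access"` for the same kind of change. Because `toml_write` stops sorting and de-duplicating tags in this same commit, the vocabulary is now maintained entirely by hand, so it is worth fixing one category list (and deciding whether `"Monitoring"` and `"Continuous Monitoring"` are both meant to exist) and checking every tags line against it before merging.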
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "98fd7407-0bd5-5817-cda0-3fcc33113a56"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/impact_cloudtrail_logging_updated.toml b/rules/aws/impact_cloudtrail_logging_updated.toml
index cc0b7df65..8c1ba99d0 100644
--- a/rules/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/aws/impact_cloudtrail_logging_updated.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 21
 rule_id = "3e002465-876f-4f04-b016-84ef48ce7e5d"
 severity = "low"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/impact_cloudwatch_log_group_deletion.toml b/rules/aws/impact_cloudwatch_log_group_deletion.toml
index 2d022652f..81c6142d1 100644
--- a/rules/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/aws/impact_cloudwatch_log_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/aws/impact_cloudwatch_log_stream_deletion.toml
index 52e61d8f6..5eec117e9 100644
--- a/rules/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/impact_ec2_disable_ebs_encryption.toml b/rules/aws/impact_ec2_disable_ebs_encryption.toml
index a2c3e5e90..cd6980fd2 100644
--- a/rules/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/aws/impact_ec2_disable_ebs_encryption.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/05"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 47
 rule_id = "bb9b13b2-1700-48a8-a750-b43b0a72ab69"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Data Protection", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/impact_iam_deactivate_mfa_device.toml b/rules/aws/impact_iam_deactivate_mfa_device.toml
index 465d85476..29099b1ef 100644
--- a/rules/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/aws/impact_iam_deactivate_mfa_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 47
 rule_id = "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/impact_iam_group_deletion.toml b/rules/aws/impact_iam_group_deletion.toml
index 8c57abef6..5224ced98 100644
--- a/rules/aws/impact_iam_group_deletion.toml
+++ b/rules/aws/impact_iam_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 21
 rule_id = "867616ec-41e5-4edc-ada2-ab13ab45de8a"
 severity = "low"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/impact_rds_cluster_deletion.toml b/rules/aws/impact_rds_cluster_deletion.toml
index a7fab6dfd..4817dd8a5 100644
--- a/rules/aws/impact_rds_cluster_deletion.toml
+++ b/rules/aws/impact_rds_cluster_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 47
 rule_id = "9055ece6-2689-4224-a0e0-b04881e1f8ad"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/impact_rds_instance_cluster_stoppage.toml b/rules/aws/impact_rds_instance_cluster_stoppage.toml
index 0aa03af7d..1313b6b3a 100644
--- a/rules/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/aws/impact_rds_instance_cluster_stoppage.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ references = [
 risk_score = 47
 rule_id = "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/initial_access_console_login_root.toml b/rules/aws/initial_access_console_login_root.toml
index 40b5781cc..ef2ef7493 100644
--- a/rules/aws/initial_access_console_login_root.toml
+++ b/rules/aws/initial_access_console_login_root.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/11"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
 risk_score = 73
 rule_id = "e2a67480-3b79-403d-96e3-fdd2992c50ef"
 severity = "high"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/initial_access_password_recovery.toml b/rules/aws/initial_access_password_recovery.toml
index dc4c7a57b..93701f04e 100644
--- a/rules/aws/initial_access_password_recovery.toml
+++ b/rules/aws/initial_access_password_recovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/02"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = ["https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-c
 risk_score = 21
 rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
 severity = "low"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/persistence_ec2_network_acl_creation.toml b/rules/aws/persistence_ec2_network_acl_creation.toml
index eb7effaf3..7c2c3ee2d 100644
--- a/rules/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/aws/persistence_ec2_network_acl_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/04"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 21
 rule_id = "39144f38-5284-4f8e-a2ae-e3fd628d90b0"
 severity = "low"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/persistence_iam_group_creation.toml b/rules/aws/persistence_iam_group_creation.toml
index fb625fde3..216a23009 100644
--- a/rules/aws/persistence_iam_group_creation.toml
+++ b/rules/aws/persistence_iam_group_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/05"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 21
 rule_id = "169f3a93-efc7-4df2-94d6-0d9438c310d1"
 severity = "low"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/persistence_rds_cluster_creation.toml b/rules/aws/persistence_rds_cluster_creation.toml
index bbf0e2ca0..6d3f8f87b 100644
--- a/rules/aws/persistence_rds_cluster_creation.toml
+++ b/rules/aws/persistence_rds_cluster_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 21
 rule_id = "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d"
 severity = "low"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/privilege_escalation_root_login_without_mfa.toml b/rules/aws/privilege_escalation_root_login_without_mfa.toml
index 23c263180..2439fda80 100644
--- a/rules/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/aws/privilege_escalation_root_login_without_mfa.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
 risk_score = 21
 rule_id = "bc0c6f0d-dab0-47a3-b135-0925f0a333bc"
 severity = "low"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/aws/privilege_escalation_updateassumerolepolicy.toml
index 4b0f3ae19..55f218367 100644
--- a/rules/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-
 risk_score = 21
 rule_id = "a60326d7-dca7-4fb7-93eb-1ca03a1febbd"
 severity = "low"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index 34d5e2ecb..a297f5ed4 100644
--- a/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/21"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = [
 risk_score = 73
 rule_id = "3805c3dc-f82c-4f8d-891e-63c24d3102b0"
 severity = "high"
-tags = ["Elastic", "Okta"]
+tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml
index f75c37ce1..5ba864315 100644
--- a/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml
+++ b/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/16"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 47
 rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0"
 severity = "medium"
-tags = ["Elastic", "Okta"]
+tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"]
 type = "threshold"
 
 query = '''
diff --git a/rules/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/okta/impact_attempt_to_revoke_okta_api_token.toml
index 45020099a..c759f3fbf 100644
--- a/rules/okta/impact_attempt_to_revoke_okta_api_token.toml
+++ b/rules/okta/impact_attempt_to_revoke_okta_api_token.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/21"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 21
 rule_id = "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7"
 severity = "low"
-tags = ["Elastic", "Okta"]
+tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/okta/impact_possible_okta_dos_attack.toml b/rules/okta/impact_possible_okta_dos_attack.toml
index b1794efc5..44e2a3473 100644
--- a/rules/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/okta/impact_possible_okta_dos_attack.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/21"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = [
 risk_score = 47
 rule_id = "e6e3ecff-03dd-48ec-acbd-54a04de10c68"
 severity = "medium"
-tags = ["Elastic", "Okta"]
+tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
index 7e29f4183..33e877ccd 100644
--- a/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
+++ b/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/21"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ references = [
 risk_score = 47
 rule_id = "f994964f-6fce-4d75-8e79-e16ccc412588"
 severity = "medium"
-tags = ["Elastic", "Okta"]
+tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml b/rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml
index fb4ca253d..14e078909 100644
--- a/rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml
+++ b/rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/21"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 21
 rule_id = "cc92c835-da92-45c9-9f29-b4992ad621a0"
 severity = "low"
-tags = ["Elastic", "Okta"]
+tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/okta/okta_attempt_to_delete_okta_policy.toml b/rules/okta/okta_attempt_to_delete_okta_policy.toml
index d502221f3..447f14917 100644
--- a/rules/okta/okta_attempt_to_delete_okta_policy.toml
+++ b/rules/okta/okta_attempt_to_delete_okta_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/28"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/28"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 21
 rule_id = "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9"
 severity = "low"
-tags = ["Elastic", "Okta"]
+tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml b/rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml
index 2e7ff7890..c23ceb26f 100644
--- a/rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml
+++ b/rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/21"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 21
 rule_id = "000047bb-b27a-47ec-8b62-ef1a5d2c9e19"
 severity = "low"
-tags = ["Elastic", "Okta"]
+tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/okta/okta_attempt_to_modify_okta_network_zone.toml b/rules/okta/okta_attempt_to_modify_okta_network_zone.toml
index e19450ec8..e36499144 100644
--- a/rules/okta/okta_attempt_to_modify_okta_network_zone.toml
+++ b/rules/okta/okta_attempt_to_modify_okta_network_zone.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/21"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 47
 rule_id = "e48236ca-b67a-4b4e-840c-fdc7782bc0c3"
 severity = "medium"
-tags = ["Elastic", "Okta"]
+tags = ["Elastic", "Okta", "SecOps", "Network", "Continuous Monitoring"]
 type = "query"
 query = '''
diff --git a/rules/okta/okta_attempt_to_modify_okta_policy.toml b/rules/okta/okta_attempt_to_modify_okta_policy.toml
index 58a849a2f..cdc392d0d 100644
--- a/rules/okta/okta_attempt_to_modify_okta_policy.toml
+++ b/rules/okta/okta_attempt_to_modify_okta_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/21"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 21
 rule_id = "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45"
 severity = "low"
-tags = ["Elastic", "Okta"]
+tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 query = '''
diff --git a/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
index dfece9f50..1bb963b75 100644
--- a/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
+++ b/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/01"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/01"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "cd16fb10-0261-46e8-9932-a0336278cdbe"
 severity = "medium"
-tags = ["Elastic", "Okta"]
+tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"]
 type = "query"
 query = '''
diff --git a/rules/okta/okta_threat_detected_by_okta_threatinsight.toml b/rules/okta/okta_threat_detected_by_okta_threatinsight.toml
index e56cce1c6..894049959 100644
--- a/rules/okta/okta_threat_detected_by_okta_threatinsight.toml
+++ b/rules/okta/okta_threat_detected_by_okta_threatinsight.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/21"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ references = [
 risk_score = 47
 rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9"
 severity = "medium"
-tags = ["Elastic", "Okta"]
+tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 query = '''
diff --git a/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
index 67b05bd7a..c949443d7 100644
--- a/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
+++ b/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/21"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 21
 rule_id = "b8075894-0b62-46e5-977c-31275da34419"
 severity = "low"
-tags = ["Elastic", "Okta"]
+tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 query = '''
diff --git a/rules/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/okta/persistence_attempt_to_create_okta_api_token.toml
index 01a5aa6c5..0160ae57c 100644
--- a/rules/okta/persistence_attempt_to_create_okta_api_token.toml
+++ b/rules/okta/persistence_attempt_to_create_okta_api_token.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/21"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 21
 rule_id = "96b9f4ea-0e8c-435b-8d53-2096e75fcac5"
 severity = "low"
-tags = ["Elastic", "Okta"]
+tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 query = '''
diff --git a/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
index 1a80d800b..a8a3403da 100644
--- a/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
+++ b/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/20"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 21
 rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8"
 severity = "low"
-tags = ["Elastic", "Okta"]
+tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"]
 type = "query"
 query = '''
diff --git a/rules/okta/persistence_attempt_to_deactivate_okta_policy.toml b/rules/okta/persistence_attempt_to_deactivate_okta_policy.toml
index df081aaaa..f2c467ca6 100644
--- a/rules/okta/persistence_attempt_to_deactivate_okta_policy.toml
+++ b/rules/okta/persistence_attempt_to_deactivate_okta_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/21"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 21
 rule_id = "b719a170-3bdb-4141-b0e3-13e3cf627bfe"
 severity = "low"
-tags = ["Elastic", "Okta"]
+tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 query = '''
diff --git a/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
index 4eeaf0b01..3ba50a016 100644
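Review bot: The `Monitoring` tag on the tags hunk of persistence_attempt_to_create_okta_api_token.toml looks inconsistent with the classification the same change gives its sibling credential rules: persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml on this line and okta_attempt_to_deactivate_okta_mfa_rule.toml earlier both receive `Identity and Access`. Creating an Okta API token is a credential-issuance event, so `tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"]` seems the better fit if the tag taxonomy is meant to be applied consistently; this is a judgement on the new values, not on the diff mechanics. Separately, `Monitoring` and `Continuous Monitoring` now appear together on several rules (e.g. the same token-creation rule), which reads as two names for one concept; if both are intended as distinct categories, a short definition of each in the rule-authoring docs would stop future rules from picking one at random.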
--- a/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
+++ b/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/05/21"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 21
 rule_id = "729aa18d-06a6-41c7-b175-b65b739b1181"
 severity = "low"
-tags = ["Elastic", "Okta"]
+tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"]
 type = "query"
 query = '''