Terrance DeJesus
2026-01-22 13:44:18 -05:00
committed by GitHub
parent 07579f2bd7
commit dcd7dadece
32 changed files with 80 additions and 53 deletions
@@ -2,7 +2,7 @@
creation_date = "2020/07/06"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2025/12/16"
[rule]
author = ["Nick Jones", "Elastic"]
@@ -51,7 +51,7 @@ This rule looks for the retrieval of credentials from Secrets Manager using `Get
### False positive analysis
- Review `entity.id` values for expected combinations of identity and secret value access. If this is an expected behavior, consider adding exceptions to the rule.
- Review `actor.entity.id` and `target.entity.id` values for expected combinations of identity and secret value access. If this is an expected behavior, consider adding exceptions to the rule.
- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions — preferably with a combination of user agent and IP address conditions.
### Response and remediation
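Review bot: The rewritten false-positive bullet now directs analysts to `actor.entity.id` and `target.entity.id`, but this section shows no `[rule.investigation_fields]` change, so it is not visible here whether either field is surfaced as a highlighted field on the alert. The same gap appears in the section whose investigation steps mention `PutRolePolicy`: its guidance now points at `actor.entity.id` while its `field_names` hunk adds only `"target.entity.id"`. If `actor.entity.id` is not already listed outside those hunks, add `"actor.entity.id",` beside `"target.entity.id",` so the guide and the highlighted fields agree. The enclosing `note` string starts and ends outside this hunk.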
@@ -2,7 +2,7 @@
creation_date = "2024/04/12"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2025/12/16"
[rule]
author = ["Elastic"]
@@ -94,6 +94,7 @@ field_names = [
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2020/05/26"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic"]
@@ -32,7 +32,7 @@ AWS CloudTrail is a service that enables governance, compliance, and operational
#### Possible investigation steps
- **Actor & target**
- Identify `aws.cloudtrail.user_identity.arn`, `user_agent.original`, `source.ip`.
- Confirm which trail was deleted (name/ARN, multi-region/organization status) from `aws.cloudtrail.request_parameters`.
- Confirm which trail was deleted (name/ARN, multi-region/organization status) from `aws.cloudtrail.request_parameters` or `target.entity.id`.
- **Blast radius**
- Determine whether it was the only trail or if organization/multi-region coverage remains.
- Review preceding `StopLogging` or `UpdateTrail` and subsequent high-risk actions (IAM, S3, KMS, EC2 exports).
@@ -107,6 +107,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2025/06/10"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2025/06/10"
[rule]
author = ["Elastic"]
@@ -36,8 +36,8 @@ Amazon CloudTrail is a service that enables governance, compliance, operational
- Do they look normal for the user?
- If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?
- If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
- Examine the newly created or modified policy.
- If no policy name is included for event.actions like `PutRolePolicy`, analyze the inline policies attached for unexpected permission changes or additions.
- Examine the newly created or modified policy highlighted in `target.entity.id`.
- If no policy name is included for event.actions like `PutRolePolicy`, analyze the inline policies attached to the `actor.entity.id` for unexpected permission changes or additions.
- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.
### False positive analysis
@@ -99,6 +99,7 @@ field_names = [
"aws.cloudtrail.user_identity.access_key_id",
"event.action",
"event.outcome",
"target.entity.id",
"cloud.account.id",
"cloud.region",
"aws.cloudtrail.request_parameters",
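Review bot: `"target.entity.id"` is inserted after `"event.outcome"` in this `field_names` list, whereas every other rule in the commit places it directly after `"aws.cloudtrail.user_identity.access_key_id"` (one places it after `"aws.cloudtrail.resources.type"`). The list order presumably governs the order of highlighted fields in the alert view, so keeping the identity and entity fields grouped ahead of `event.*` across rules makes triage consistent; move the line up to follow `"aws.cloudtrail.user_identity.access_key_id",`. The `field_names` array begins and ends outside this hunk.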
@@ -2,7 +2,7 @@
creation_date = "2020/06/10"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic"]
@@ -33,7 +33,7 @@ AWS CloudTrail is a service that enables governance, compliance, and operational
#### Possible investigation steps
- **Actor & scope**
- Identify `aws.cloudtrail.user_identity.arn`, `user_agent.original`, `source.ip`.
- Determine which trail stopped and whether its multi-region or organization-wide.
- Determine which trail stopped (`target.entity.id`) and whether its multi-region or organization-wide.
- **Timing and impact**
- When did logging stop and resume (if at all)? Are there overlapping detections indicating activity during the gap?
- **Correlate activity**
@@ -108,6 +108,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
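Review bot: The rewritten investigation bullet that adds `(`target.entity.id`)` keeps the pre-existing typo `whether its multi-region or organization-wide`; since the line is touched anyway, replace `whether its multi-region` with `whether it is multi-region`. The `note` string this bullet belongs to continues outside the hunk.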
@@ -2,7 +2,7 @@
creation_date = "2020/06/15"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic"]
@@ -43,7 +43,7 @@ This rule detects successful calls to the `DeleteAlarms` API via CloudTrail. The
- Check whether this actor typically performs CloudWatch management or automation tasks.
- **Review request details**
- Inspect `aws.cloudtrail.request_parameters` for the specific alarm names deleted.
- Inspect `aws.cloudtrail.request_parameters` or `target.entity.id` for the specific alarm names deleted.
- Determine whether the alarms were security-related (e.g., CloudTrail log delivery, GuardDuty finding rate, or IAM API monitoring alarms).
- Cross-reference deleted alarms with your organization's list of critical monitoring configurations.
@@ -160,6 +160,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2020/06/16"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic"]
@@ -139,6 +139,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2020/05/28"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic"]
@@ -139,6 +139,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2021/06/29"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Austin Songer", "Elastic"]
@@ -183,6 +183,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2024/04/12"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic"]
@@ -143,6 +143,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic"]
@@ -185,6 +185,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2020/06/09"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic"]
@@ -164,6 +164,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2024/04/16"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic"]
@@ -143,6 +143,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2021/05/05"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -171,6 +171,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2024/06/25"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic"]
@@ -164,6 +164,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2024/07/12"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2025/12/04"
[rule]
author = ["Elastic"]
@@ -170,6 +170,7 @@ field_names = [
"aws.cloudtrail.user_identity.access_key_id",
"aws.cloudtrail.resources.arn",
"aws.cloudtrail.resources.type",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2024/11/01"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2025/12/16"
[rule]
author = ["Elastic"]
@@ -31,7 +31,7 @@ This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-
- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` field to identify the user who requested the subscription. Verify if this actor typically performs such actions and has the necessary permissions. It may be unusual for this activity to originate from certain user types, such as an assumed role or federated user.
- **Review the SNS Subscription Event**: Analyze the specifics of the `Subscribe` action in CloudTrail logs:
- **Topic**: Look at the `aws.cloudtrail.request_parameters` field to identify the SNS topic involved in the subscription.
- **Topic**: Look at the `aws.cloudtrail.request_parameters` or `target.entity.id` field to identify the SNS topic involved in the subscription.
- **Protocol and Endpoint**: Review the `aws.cloudtrail.request_parameters` field to confirm the subscription's protocol and endpoint, if available. Confirm if this endpoint is associated with a known or trusted entity.
- **Subscription Status**: Check the `aws.cloudtrail.response_elements` field for the subscription's current status, noting if it requires confirmation.
- **Verify Authorization**: Evaluate whether the user typically engages in SNS subscription actions and if they are authorized to do so for the specified topic.
@@ -2,7 +2,7 @@
creation_date = "2020/05/18"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic"]
@@ -49,7 +49,7 @@ Adversaries may leverage `DeleteLogGroup` to impair forensic visibility, disrupt
- Determine whether this identity normally modifies CloudWatch Logs or is associated with automation.
**Review deletion details**
- Inspect `aws.cloudtrail.request_parameters` to determine the exact log group deleted.
- Inspect `aws.cloudtrail.request_parameters` or `target.entity.id` to determine the exact log group deleted.
- Assess whether the log group provided visibility into:
- CloudTrail processing,
- Network flows (VPC Flow Logs),
@@ -188,6 +188,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2020/05/20"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic"]
@@ -175,6 +175,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2025/06/02"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic"]
@@ -141,6 +141,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2021/08/27"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Austin Songer", "Elastic"]
@@ -161,6 +161,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2020/05/26"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -153,6 +153,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic"]
@@ -41,7 +41,7 @@ This rule detects the deletion of an RDS DB instance, Aurora DB cluster, or glob
**Review the Deletion Event**
- Confirm which action was invoked: `DeleteDBInstance`, `DeleteDBCluster` or `DeleteGlobalCluster`
- Examine `aws.cloudtrail.request_parameters`. Identify which resource was deleted and whether a final snapshot was created before deletion.
- Examine `aws.cloudtrail.request_parameters` and `target.entity.id`. Identify which resource was deleted and whether a final snapshot was created before deletion.
**Analyze Source and Access Context**
- Check `source.ip`, `source.geo` fields and `user_agent.original`
@@ -65,7 +65,7 @@ Search CloudTrail for:
- Contact the service owner or DB administrator to confirm whether the deletion is expected.
**Assess Impact and Data Recovery Path**
- Identify which DB instance or cluster was deleted
- Identify which DB instance or cluster was deleted (`target.entity.id`)
- Evaluate:
- Whether automated backups existed.
- Whether point-in-time recovery is still possible.
@@ -176,6 +176,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2024/06/28"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic"]
@@ -37,7 +37,7 @@ Deletion protection is designed to safeguard RDS DB instances and clusters from
- Validate whether this principal normally performs RDS lifecycle operations.
- **Review Event Details**
- Inspect `aws.cloudtrail.request_parameters` to confirm the targeted DB instance or cluster identifier.
- Inspect `aws.cloudtrail.request_parameters` or `target.entity.id` to confirm the targeted DB instance or cluster identifier.
- Confirm that the request explicitly contains `deletionProtection=false`.
- **Contextualize the Change**
@@ -144,6 +144,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2024/04/30"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2025/09/05"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ This rule detects when a new SSH public key is uploaded to an AWS EC2 instance u
#### Possible Investigation Steps:
- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.
- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the SSH public key upload. Look for any unusual parameters that could suggest unauthorized or malicious modifications. Determine the targeted EC2 instance.
- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the SSH public key upload. Look for any unusual parameters that could suggest unauthorized or malicious modifications. Use the `target.entity.id` field to determine the targeted EC2 instance.
- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.
- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the SSH public key was uploaded. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.
- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.
@@ -2,7 +2,7 @@
creation_date = "2024/04/20"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic"]
@@ -154,6 +154,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2024/04/30"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic"]
@@ -133,6 +133,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2024/06/27"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic"]
@@ -175,6 +175,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2024/06/29"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic"]
@@ -47,7 +47,7 @@ establish persistence, or bypass internal network restrictions.
- Additional changes included in the same modification request (e.g., master user changes, security group updates)
- **Validate the target resource**
- Determine the sensitivity of the instance:
- Determine the sensitivity of the instance (`target.entity.id`):
- What data does it store?
- Is it production, staging, dev, or ephemeral?
- Confirm whether the instance was previously private.
@@ -176,6 +176,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2021/05/10"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/01/16"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -164,6 +164,7 @@ field_names = [
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -2,7 +2,7 @@
creation_date = "2024/11/04"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2025/12/16"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ unauthorized user. Customer-managed policies are policies created and controlled
specific permissions to roles or users when attached. This rule identifies potential privilege escalation by flagging
cases where a customer-managed policy is attached to a role by an unexpected actor, which could signal unauthorized
access or misuse. Attackers may attach policies to roles to expand permissions and elevate their privileges within the
AWS environment. This is a New Terms rule that uses the "cloud.account.id", "user.name" and "entity.target.id" fields to
AWS environment. This is a New Terms rule that uses the "cloud.account.id", "user.name" and "target.entity.id" fields to
check if the combination of the actor identity and target role name has not been seen before.
"""
false_positives = [
@@ -37,7 +37,7 @@ This rule detects when a customer-managed IAM policy is attached to a role by an
- **Identify the Initiating User and Target Role**:
- **User Identity**: Examine the `aws.cloudtrail.user_identity.arn` field to determine the user who initiated the policy attachment. Confirm if this user typically has permissions to modify IAM roles and if their activity is consistent with their usual responsibilities.
- **Target Role**: Review `entity.target.id` to identify the role to which the policy was attached. Assess whether modifying this role is expected for this user or if this action is unusual in your environment.
- **Target Role**: Review `target.entity.id` to identify the role to which the policy was attached. Assess whether modifying this role is expected for this user or if this action is unusual in your environment.
- **Analyze the Attached Policy**:
- **Policy ARN**: Inspect the `aws.cloudtrail.request_parameters` field to identify the specific customer-managed policy attached to the role. Evaluate if this policy grants sensitive permissions, especially permissions that could enable privileged actions or data access.
@@ -122,7 +122,7 @@ field_names = [
"source.ip",
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"entity.target.id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -132,7 +132,7 @@ field_names = [
[rule.new_terms]
field = "new_terms_fields"
value = ["cloud.account.id", "user.name", "entity.target.id"]
value = ["cloud.account.id", "user.name", "target.entity.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
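Review bot: Changing the new-terms field from `entity.target.id` to `target.entity.id` in `[rule.new_terms]` resets the rule's baseline: the `now-7d` history window is evaluated against already-indexed documents, and if those were ingested before the integration began populating `target.entity.id` they contribute nothing, so for up to a week after deployment every account/user/role combination can surface as new. The same applies to the other new-terms rule in this commit (the role trust-policy update rule). Consider recording this in the rule's `note` or setup text, e.g. `# NOTE: new_terms field renamed 2026/01/21; expect elevated alert volume until target.entity.id has a full history window`, or confirm the integration has emitted `target.entity.id` for longer than the window. The rule's `query` is not in these hunks; verify it no longer filters on `entity.target.id` so the query and the new-terms value agree.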
@@ -2,7 +2,7 @@
creation_date = "2020/07/06"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2025/12/16"
[rule]
author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
Identifies AWS CloudTrail events where an IAM role's trust policy has been updated by an IAM user or Assumed Role
identity. The trust policy is a JSON document that defines which principals are allowed to assume the role. An attacker
may attempt to modify this policy to gain the privileges of the role. This is a New Terms rule, which means it will only
trigger once for each unique combination of the "cloud.account.id", "user.name" and "entity.target.id" fields, that have
trigger once for each unique combination of the "cloud.account.id", "user.name" and "target.entity.id" fields, that have
not been seen making this API request.
"""
false_positives = [
@@ -36,7 +36,7 @@ The role trust policy is a JSON document in which you define the principals you
- Review the `aws.cloudtrail.user_identity.arn` to determine the IAM User that performed the action.
- If an AssumedRole identity type performed the action review the `aws.cloudtrail.user_identity.session_context.session_issuer.arn` field to determine which role was used.
- Review the `entity.target.id` field to confirm the role that was updated.
- Review the `target.entity.id` field to confirm the role that was updated.
- Within the `aws.cloudtrail.request_parameters` field, review the `policyDocument` to understand the changes made to the trust policy.
- If `aws.cloudtrail.user_identity.access_key_id` is present, investigate the access key used to perform the action as it may be compromised.
- Identify the user account that performed the action and whether it should perform this kind of action.
@@ -119,7 +119,7 @@ field_names = [
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.access_key_id",
"entity.target.id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
@@ -129,7 +129,7 @@ field_names = [
[rule.new_terms]
field = "new_terms_fields"
value = ["cloud.account.id", "user.name", "entity.target.id"]
value = ["cloud.account.id", "user.name", "target.entity.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"