Isai 74d1715f6e [Rule Tuning] AWS EC2 User Data Retrieval for EC2 Instance (#4808) ...

* [Rule Tuning] AWS EC2 User Data Retrieval for EC2 Instance

- changed execution window
- explicitly added flattened fields to query, to reduce wildcard usage
- added investigation fields
- changed new terms field to evaluate `user.name` over `aws.cloudtrail.user_identity.arn` so that only the role name for Assumed Role identitites is being evaluated instead of each individual session. This should greatly impact performance as most instances of this rule in telemetry is triggered by Assumed Roles.

* Apply suggestions from code review

* remove instanceId parameter

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

2025-06-17 14:51:18 -04:00

..

etc

[Rule Tuning] AWS EC2 User Data Retrieval for EC2 Instance (#4808)

2025-06-17 14:51:18 -04:00

schemas

[New Rule] Threat Intel Email Indicator Match (#4598)

2025-04-22 12:15:36 -03:00

__init__.py

chore: Removing RTAs (#4437)

2025-03-05 12:35:57 +01:00

__main__.py

[FR] Update utility path computation to use pathlib (#3699)

2024-05-23 17:36:51 -04:00

action_connector.py

[DaC] Beta Release (#3889)

2024-08-06 18:07:12 -04:00

action.py

[DaC] Beta Release (#3889)

2024-08-06 18:07:12 -04:00

attack.py

[FR] Update utility path computation to use pathlib (#3699)

2024-05-23 17:36:51 -04:00

beats.py

Account for CCS '::' index pattern (#4258)

2024-11-13 11:17:08 +05:30

cli_utils.py

[Bug] Update Schema Prompt to include new_terms_fields (#4567)

2025-04-17 10:45:51 -04:00

config.py

Feature exclude tactic name (#4593)

2025-04-16 16:02:14 -04:00

custom_rules.py

[Bug] Update Custom Rules Markdown Location (#4565)

2025-03-26 10:00:52 -04:00

custom_schemas.py

[FR] [DAC] Add Support for Known Types to Auto-generated Schemas (#3985)

2024-08-28 10:48:00 -04:00

devtools.py

[FR] Add check-version-lock dev command (#4650)

2025-05-06 13:26:23 -04:00

docs.py

chore: use docs-dev instead of docs dir for docs (#4522)

2025-03-07 14:34:51 +01:00

ecs.py

Account for CCS '::' index pattern (#4258)

2024-11-13 11:17:08 +05:30

endgame.py

[FR] Update utility path computation to use pathlib (#3699)

2024-05-23 17:36:51 -04:00

eswrap.py

Deprecate Experimental ML command (#4669)

2025-05-02 21:01:46 +05:30

exception.py

[DaC] Beta Release (#3889)

2024-08-06 18:07:12 -04:00

generic_loader.py

[DaC] Beta Release (#3889)

2024-08-06 18:07:12 -04:00

ghwrap.py

Update package and install process (#1948)

2022-12-08 15:49:49 -05:00

integrations.py

Refresh ecs, beats, integration manifests & schemas (#4699)

2025-05-05 23:06:40 +05:30

kbwrap.py

[FR] Add Ability to Filter Rule Exports from Kibana (#4783)

2025-06-09 12:21:15 -04:00

main.py

[FR] Add Support for Local Dates Flag (#4582)

2025-04-16 15:41:09 -04:00

misc.py

fix: removing outdated code in Kibana client auth (#4495)

2025-03-24 12:28:36 +01:00

mixins.py

[DaC] Beta Release (#3889)

2024-08-06 18:07:12 -04:00

ml.py

Deprecate Experimental ML command (#4669)

2025-05-02 21:01:46 +05:30

navigator.py

[DaC] Beta Release (#3889)

2024-08-06 18:07:12 -04:00

packaging.py

Bringing back "fix: Cleaning up the hashable content for the rule" (#4621) (#4668)

2025-04-28 21:59:55 +05:30

remote_validation.py

fix: removing outdated code in Kibana client auth (#4495)

2025-03-24 12:28:36 +01:00

rule_formatter.py

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

rule_loader.py

fix: Fixing leftover references to sha256 method (#4690)

2025-04-30 20:34:15 +02:00

rule_validators.py

Enhance Readability of KQL validation check failures (#4329)

2025-01-06 22:18:05 +05:30

rule.py

Bringing back "fix: Cleaning up the hashable content for the rule" (#4621) (#4668)

2025-04-28 21:59:55 +05:30

utils.py

Resolve datetime.utcfromtimestamp deprecation (#4719)

2025-05-19 21:35:07 +05:30

version_lock.py

[DaC] Beta Release (#3889)

2024-08-06 18:07:12 -04:00