ed42a9e9dd
* [Rule Tuning] AWS CLI with Kali Linux Fingerprint Identified

  This rule is performing well in telemetry as expected. I changed this to EQL to avoid the multiple wildcards needed with KQL.

  - changed rule type to EQL
  - reduced execution window
  - updated description, false positive and investigation guide

  Script for testing this rule: manually perform any action against our AWS account using the Kali Linux distribution.

  #### Screenshot showing working EQL query, still captures the BitPanda behavior this rule was initially designed around.

* add highlighted fields

* Update initial_access_kali_user_agent_detected_with_aws_cli.toml
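The matching problem this commit describes, as an added example (not the rule's own query and not code from the detection-rules project): a case-sensitive KQL-style glob on a keyword field needs one pattern per casing of "kali", whereas a single case-insensitive containment check, which is what EQL's `:` operator provides, covers all of them with one term. The CloudTrail-style events, the field names, and the `aws-cli/` prefix condition are constructed assumptions for illustration, not the rule's actual logic or real telemetry.

```python
import fnmatch

# Constructed CloudTrail-style events (not real telemetry). Field names follow
# ECS as an assumption; the actual rule's fields are not shown on this page.
SAMPLE_EVENTS = [
    {"event.dataset": "aws.cloudtrail", "event.action": "ListBuckets",
     "user_agent.original": "aws-cli/2.13.0 Python/3.11.4 Linux/6.3.0-kali1-amd64 exe/x86_64.kali.2023"},
    {"event.dataset": "aws.cloudtrail", "event.action": "GetCallerIdentity",
     "user_agent.original": "aws-cli/1.25.0 Python/3.9.2 Linux/5.10.0-KALI3-amd64 botocore/1.27.0"},
    {"event.dataset": "aws.cloudtrail", "event.action": "DescribeInstances",
     "user_agent.original": "aws-cli/2.13.0 Python/3.11.4 Linux/5.15.0-76-generic exe/x86_64.ubuntu.22"},
    {"event.dataset": "aws.cloudtrail", "event.action": "ConsoleLogin",
     "user_agent.original": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/102.0"},
    # Same fingerprint but not a CloudTrail event: must not be counted.
    {"event.dataset": "okta.system", "event.action": "user.session.start",
     "user_agent.original": "aws-cli/2.13.0 Linux/6.3.0-kali1-amd64"},
]

# KQL against a keyword field matches case-sensitively, so each casing the
# distribution string may appear in needs its own wildcard pattern.
KQL_STYLE_PATTERNS = ["*kali*", "*Kali*", "*KALI*"]


def kql_style_match(value: str, patterns) -> bool:
    """Case-sensitive glob match, one pattern per casing (KQL keyword behaviour)."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def eql_style_match(value: str, needle: str = "kali") -> bool:
    """One case-insensitive containment check, as EQL's ':' operator does."""
    return needle.lower() in value.lower()


def detect_kali_aws_cli(events) -> list:
    """Return event.action values for CloudTrail events whose user agent shows
    the AWS CLI running on a Kali Linux host (assumed conditions)."""
    hits = []
    for ev in events:
        if ev.get("event.dataset") != "aws.cloudtrail":
            continue
        ua = ev.get("user_agent.original", "")
        if ua.lower().startswith("aws-cli/") and eql_style_match(ua, "kali"):
            hits.append(ev["event.action"])
    return hits


if __name__ == "__main__":
    print(detect_kali_aws_cli(SAMPLE_EVENTS))
```

The second sample event carries `KALI3` in upper case: a lone `*kali*` KQL pattern misses it, the three-pattern list catches it, and the single case-insensitive check catches it without enumerating casings, which is the reason the commit gives for moving the rule to EQL.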