sigma-rules/rules/integrations
Isai f2e2590d62 [Rule Tuning] AWS EC2 Instance Console Login via Assumed Role (#5285)
* [Rule Tuning] AWS EC2 Instance Console Login via Assumed Role

No hits in telemetry for this rule yet, which is good, as it is extremely rare and high-risk behavior for an EC2 instance to exhibit any console login behavior.
- used `event.type` as event_category_override field to remove use of `any` in query
- updated description and investigation guide
- updated tags
- updated MITRE mapping
- added highlighted fields

* normalized Sign-In tag

normalized Sign-In tag

* fixing MITRE mapping

* Update rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-11-17 15:57:05 -05:00