adjust aws rule index patterns and tags (#3595)

rules/integrations/aws/collection_cloudtrail_logging_created.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
     """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"

rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2024/01/05"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ used to delegate access to users or services. An adversary may attempt to enumer
 role exists before attempting to assume or hijack the discovered role.
 """
 from = "now-20m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM Brute Force of Assume Role Policy"

rules/integrations/aws/credential_access_iam_user_addition_to_group.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
     """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"

rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2024/03/07"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Nick Jones", "Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
     """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws.cloudtrail*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"

rules/integrations/aws/credential_access_root_console_failure_brute_force.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2024/01/05"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
     """,
 ]
 from = "now-20m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Management Console Brute Force of Root User Identity"

rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
     """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"

rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
     """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"

rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
     """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"

rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -21,7 +21,7 @@ false_positives = [
     """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"

rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
     """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"

rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
     """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"

rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
     """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"

rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Austin Songer"]
@@ -18,7 +18,7 @@ false_positives = [
     """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"

rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Austin Songer"]
@@ -18,7 +18,7 @@ false_positives = [
     """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"

rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Austin Songer"]
@@ -17,7 +17,7 @@ false_positives = [
     """,
 ]
 from = "now-25m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS SAML Activity"

rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
     """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"

rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
     """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"

rules/integrations/aws/defense_evasion_waf_acl_deletion.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
     """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"

rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
     """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"

rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -21,7 +21,7 @@ false_positives = [
     """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"

rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
     """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"

rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml

@@ -4,7 +4,8 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
+
 [rule]
 author = ["Elastic", "Austin Songer"]
 description = """
@@ -19,7 +20,7 @@ false_positives = [
     """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"