diff --git a/rules/aws/collection_cloudtrail_logging_created.toml b/rules/aws/collection_cloudtrail_logging_created.toml
index ca7778c34bc..7da5d96a7e0 100644
--- a/rules/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/aws/collection_cloudtrail_logging_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
index c09e7356da8..6bfab916af0 100644
--- a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
+++ b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ used to delegate access to users or services. An adversary may attempt to enumer
 role exists before attempting to assume or hijack the discovered role.
 """
 from = "now-20m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 language = "kuery"
 license = "Elastic License"
 name = "AWS IAM Brute Force of Assume Role Policy"
diff --git a/rules/aws/credential_access_iam_user_addition_to_group.toml b/rules/aws/credential_access_iam_user_addition_to_group.toml
index a830af683d6..e51a30a5d51 100644
--- a/rules/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/aws/credential_access_iam_user_addition_to_group.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/04"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
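Review bot: The new `index` pattern `logs-aws*` in the second hunk of collection_cloudtrail_logging_created.toml is broader than CloudTrail: it has no separator after `aws`, so it matches every index or data stream whose name begins with `logs-aws` — presumably the Elastic Agent AWS integration streams such as `logs-aws.cloudtrail-*`, but equally `logs-aws.vpcflow-*`, `logs-aws.s3access-*` and anything else named that way. Whether the rule stays scoped to CloudTrail events now rests entirely on the `query` pinning `event.dataset` (or `event.module`/`event.provider`), which is outside this hunk; the `[rule]` table begins before the hunk and continues after it. If the query does not carry that filter, either add it or narrow the pattern to the actual CloudTrail stream, e.g. `index = ["filebeat-*", "logs-aws.cloudtrail-*"]`. The same pattern is applied verbatim to the other AWS rules in this commit, so the check applies to each of them.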
@@ -16,7 +16,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
index bb47fc8e3ea..34ddfcf643f 100644
--- a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
+++ b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Nick Jones", "Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
index b36490d8f6e..d783c3d4124 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
index 40715e3a37f..27942f01b25 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index 38710ac57c9..94c3bf9c9d2 100644
--- a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/15"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_config_service_rule_deletion.toml b/rules/aws/defense_evasion_config_service_rule_deletion.toml
index 7ad19aff84f..af1e402b050 100644
--- a/rules/aws/defense_evasion_config_service_rule_deletion.toml
+++ b/rules/aws/defense_evasion_config_service_rule_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/26"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
index a6dfd93f343..8a6df25b73e 100644
--- a/rules/aws/defense_evasion_configuration_recorder_stopped.toml
+++ b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
index 0356cb062d1..5a5e474899d 100644
--- a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/15"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
index 6a83c02b875..13d63264eb0 100644
--- a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
index 6cb7fde4449..c092a0d6709 100644
--- a/rules/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/28"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index 4c41d160bb8..72c9878466c 100644
--- a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/27"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_waf_acl_deletion.toml b/rules/aws/defense_evasion_waf_acl_deletion.toml
index b572c134b05..d40e36ed1a5 100644
--- a/rules/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/aws/defense_evasion_waf_acl_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index e348e3e9b18..b29e04aa123 100644
--- a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+++ b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/09"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/execution_via_system_manager.toml b/rules/aws/execution_via_system_manager.toml
index 6e9b441f632..00ddc66b981 100644
--- a/rules/aws/execution_via_system_manager.toml
+++ b/rules/aws/execution_via_system_manager.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
index 6cd570188f6..3f3e4ed08fc 100644
--- a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
+++ b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/impact_cloudtrail_logging_updated.toml b/rules/aws/impact_cloudtrail_logging_updated.toml
index 0ce340082d4..0bc0e0e33c2 100644
--- a/rules/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/aws/impact_cloudtrail_logging_updated.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/impact_cloudwatch_log_group_deletion.toml b/rules/aws/impact_cloudwatch_log_group_deletion.toml
index 50f50495c46..da99d8a9ee5 100644
--- a/rules/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/aws/impact_cloudwatch_log_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/aws/impact_cloudwatch_log_stream_deletion.toml
index 51622a020be..57fd213fdda 100644
--- a/rules/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/impact_ec2_disable_ebs_encryption.toml b/rules/aws/impact_ec2_disable_ebs_encryption.toml
index f632a276e86..d4b0471fa0e 100644
--- a/rules/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/aws/impact_ec2_disable_ebs_encryption.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/05"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/impact_iam_deactivate_mfa_device.toml b/rules/aws/impact_iam_deactivate_mfa_device.toml
index ea43ca8e3ac..7b7bf4f65fa 100644
--- a/rules/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/aws/impact_iam_deactivate_mfa_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/impact_iam_group_deletion.toml b/rules/aws/impact_iam_group_deletion.toml
index 9ca348eb40d..1d7ec06d511 100644
--- a/rules/aws/impact_iam_group_deletion.toml
+++ b/rules/aws/impact_iam_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/impact_rds_cluster_deletion.toml b/rules/aws/impact_rds_cluster_deletion.toml
index f272da4ebaf..816d570e002 100644
--- a/rules/aws/impact_rds_cluster_deletion.toml
+++ b/rules/aws/impact_rds_cluster_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/impact_rds_instance_cluster_stoppage.toml b/rules/aws/impact_rds_instance_cluster_stoppage.toml
index df12b381c16..bd1904c1743 100644
--- a/rules/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/aws/impact_rds_instance_cluster_stoppage.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/initial_access_console_login_root.toml b/rules/aws/initial_access_console_login_root.toml
index 888f65a9c91..73c0b57d8e9 100644
--- a/rules/aws/initial_access_console_login_root.toml
+++ b/rules/aws/initial_access_console_login_root.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/11"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/initial_access_password_recovery.toml b/rules/aws/initial_access_password_recovery.toml
index 022cceb7da4..4a13623bdf3 100644
--- a/rules/aws/initial_access_password_recovery.toml
+++ b/rules/aws/initial_access_password_recovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/persistence_ec2_network_acl_creation.toml b/rules/aws/persistence_ec2_network_acl_creation.toml
index 017a2ea0f0d..4735d369bec 100644
--- a/rules/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/aws/persistence_ec2_network_acl_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/04"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/persistence_iam_group_creation.toml b/rules/aws/persistence_iam_group_creation.toml
index 576ff989b0f..c5519741c7f 100644
--- a/rules/aws/persistence_iam_group_creation.toml
+++ b/rules/aws/persistence_iam_group_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/05"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/persistence_rds_cluster_creation.toml b/rules/aws/persistence_rds_cluster_creation.toml
index a06773759e1..1ee2631d643 100644
--- a/rules/aws/persistence_rds_cluster_creation.toml
+++ b/rules/aws/persistence_rds_cluster_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/privilege_escalation_root_login_without_mfa.toml b/rules/aws/privilege_escalation_root_login_without_mfa.toml
index bf036409673..199bab3acd4 100644
--- a/rules/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/aws/privilege_escalation_root_login_without_mfa.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/31"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/aws/privilege_escalation_updateassumerolepolicy.toml
index d9e520d579b..f04cdf023fa 100644
--- a/rules/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
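Review bot: The hunk for privilege_escalation_root_login_without_mfa.toml only moves `updated_date` from `"2020/08/31"` to `"2020/09/03"`; unlike every other rule in this commit it shows no `index` change, so either the file already carries `logs-aws*` from the 2020/08/31 update (not visible here) or the index hunk is missing. If it is the former, the metadata-only bump advertises a rule change that did not happen and should be dropped; if the latter, this rule is left reading `filebeat-*` only while its siblings also read `logs-aws*`, so root-login coverage would differ by ingest path. Worth confirming the file's current `index` line before merging.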