[Security Content] Tag rules with robust Investigation Guides (#2297)

rules/cross-platform/threat_intel_filebeat8x.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/11/24"
 maturity = "production"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -62,7 +62,7 @@ references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-
 risk_score = 99
 rule_id = "699e9fdb-b77c-4c01-995c-1c15019b9c43"
 severity = "critical"
-tags = ["Elastic", "Windows", "Elastic Endgame", "Network", "Continuous Monitoring", "SecOps", "Monitoring"]
+tags = ["Elastic", "Windows", "Elastic Endgame", "Network", "Continuous Monitoring", "SecOps", "Monitoring", "has_guide"]
 timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
 timeline_title = "Generic Threat Match Timeline"
 type = "threat_match"

rules/cross-platform/threat_intel_fleet_integrations.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/04/21"
 maturity = "production"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -62,7 +62,7 @@ references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-
 risk_score = 99
 rule_id = "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0"
 severity = "critical"
-tags = ["Elastic", "Windows", "Elastic Endgame", "Network", "Continuous Monitoring", "SecOps", "Monitoring"]
+tags = ["Elastic", "Windows", "Elastic Endgame", "Network", "Continuous Monitoring", "SecOps", "Monitoring", "has_guide"]
 timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
 timeline_title = "Generic Threat Match Timeline"
 type = "threat_match"

rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml

@@ -3,7 +3,7 @@ creation_date = "2020/07/16"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 integration = "aws"
 
 [rule]
@@ -84,7 +84,7 @@ references = [
 risk_score = 47
 rule_id = "ea248a02-bc47-4043-8e94-2885b19b2636"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
 type = "threshold"
 
 query = '''

rules/integrations/aws/credential_access_iam_user_addition_to_group.toml

@@ -3,7 +3,7 @@ creation_date = "2020/06/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 integration = "aws"
 
 [rule]
@@ -77,7 +77,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserTo
 risk_score = 21
 rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Credential Access", "Persistence"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Credential Access", "Persistence", "has_guide"]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml

@@ -3,7 +3,7 @@ creation_date = "2020/07/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 integration = "aws"
 
 [rule]
@@ -90,7 +90,7 @@ references = [
 risk_score = 47
 rule_id = "a00681e3-9ed6-447c-ab2c-be648821c622"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Data Protection", "Credential Access"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Data Protection", "Credential Access", "has_guide"]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml

@@ -3,7 +3,7 @@ creation_date = "2020/05/26"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 integration = "aws"
 
 [rule]
@@ -89,7 +89,7 @@ references = [
 risk_score = 47
 rule_id = "7024e2a0-315d-4334-bb1a-441c593e16ab"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "has_guide"]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml

@@ -3,7 +3,7 @@ creation_date = "2020/06/10"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 integration = "aws"
 
 [rule]
@@ -93,7 +93,7 @@ references = [
 risk_score = 47
 rule_id = "1aa8fa52-44a7-4dae-b058-f3333b91c8d7"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "has_guide"]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml

@@ -3,7 +3,7 @@ creation_date = "2020/06/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 integration = "aws"
 
 [rule]
@@ -89,7 +89,7 @@ references = [
 risk_score = 47
 rule_id = "f772ec8a-e182-483c-91d2-72058f76a44c"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring", "has_guide"]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml

@@ -3,7 +3,7 @@ creation_date = "2020/06/26"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 integration = "aws"
 
 [rule]
@@ -91,7 +91,7 @@ references = [
 risk_score = 21
 rule_id = "7024e2a0-315d-4334-bb1a-552d604f27bc"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring", "has_guide"]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml

@@ -3,7 +3,7 @@ creation_date = "2020/06/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 integration = "aws"
 
 [rule]
@@ -89,7 +89,7 @@ references = [
 risk_score = 73
 rule_id = "9395fd2c-9947-4472-86ef-4aceb2f7e872"
 severity = "high"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "has_guide"]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml

@@ -3,7 +3,7 @@ creation_date = "2020/06/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 integration = "aws"
 
 [rule]
@@ -90,7 +90,7 @@ references = [
 risk_score = 47
 rule_id = "98fd7407-0bd5-5817-cda0-3fcc33113a56"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility", "Exfiltration"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility", "Exfiltration", "has_guide"]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/integrations/aws/impact_cloudtrail_logging_updated.toml

@@ -3,7 +3,7 @@ creation_date = "2020/06/10"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 integration = "aws"
 
 [rule]
@@ -89,7 +89,7 @@ references = [
 risk_score = 21
 rule_id = "3e002465-876f-4f04-b016-84ef48ce7e5d"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "has_guide"]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml

@@ -3,7 +3,7 @@ creation_date = "2020/05/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 integration = "aws"
 
 [rule]
@@ -94,7 +94,7 @@ references = [
 risk_score = 47
 rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "has_guide"]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml

@@ -3,7 +3,7 @@ creation_date = "2020/05/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 integration = "aws"
 
 [rule]
@@ -93,7 +93,7 @@ references = [
 risk_score = 47
 rule_id = "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Impact"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Impact", "has_guide"]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/integrations/aws/impact_iam_deactivate_mfa_device.toml

@@ -3,7 +3,7 @@ creation_date = "2020/05/26"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 integration = "aws"
 
 [rule]
@@ -85,7 +85,7 @@ references = [
 risk_score = 47
 rule_id = "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring", "has_guide"]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/integrations/aws/initial_access_console_login_root.toml

@@ -3,7 +3,7 @@ creation_date = "2020/06/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 integration = "aws"
 
 [rule]
@@ -72,7 +72,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
 risk_score = 47
 rule_id = "e2a67480-3b79-403d-96e3-fdd2992c50ef"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/integrations/aws/initial_access_via_system_manager.toml

@@ -3,7 +3,7 @@ creation_date = "2020/07/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 integration = "aws"
 
 [rule]
@@ -89,7 +89,7 @@ references = ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-
 risk_score = 21
 rule_id = "37b211e8-4e2f-440f-86d8-06cc8f158cfa"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Initial Access"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Initial Access", "has_guide"]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/integrations/aws/ml_cloudtrail_error_message_spike.toml

@@ -3,7 +3,7 @@ creation_date = "2020/07/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 integration = "aws"
 
 [rule]
@@ -101,6 +101,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "78d3d8d9-b476-451d-a9e0-7a5addd70670"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "ML"]
+tags = ["Elastic", "Cloud", "AWS", "ML", "has_guide"]
 type = "machine_learning"
 

rules/integrations/aws/ml_cloudtrail_rare_error_code.toml

@@ -3,7 +3,7 @@ creation_date = "2020/07/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 integration = "aws"
 
 [rule]
@@ -104,6 +104,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "19de8096-e2b0-4bd8-80c9-34a820813fff"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "ML"]
+tags = ["Elastic", "Cloud", "AWS", "ML", "has_guide"]
 type = "machine_learning"
 

rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml

@@ -3,7 +3,7 @@ creation_date = "2020/07/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 integration = "aws"
 
 [rule]
@@ -106,6 +106,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "809b70d3-e2c3-455e-af1b-2626a5a1a276"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "ML"]
+tags = ["Elastic", "Cloud", "AWS", "ML", "has_guide"]
 type = "machine_learning"
 

rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml

@@ -3,7 +3,7 @@ creation_date = "2020/07/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 integration = "aws"
 
 [rule]
@@ -106,6 +106,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "dca28dee-c999-400f-b640-50a081cc0fd1"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "ML"]
+tags = ["Elastic", "Cloud", "AWS", "ML", "has_guide"]
 type = "machine_learning"
 

rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml

@@ -3,7 +3,7 @@ creation_date = "2020/07/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/13"
 integration = "aws"
 
 [rule]
@@ -104,6 +104,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "ML"]
+tags = ["Elastic", "Cloud", "AWS", "ML", "has_guide"]
 type = "machine_learning"