adjusted order of investigation fields

Author: terrancedejesus

rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml

@@ -90,21 +90,21 @@ and process.args: (
 [rule.investigation_fields]
 field_names = [
     "@timestamp",
-    "cloud.region",
+    "process.user.name",
+    "process.entry_leader.group.name",
+    "process.entry_leader.real_user.name",
+    "event.action",
     "event.type",
     "host.os.type",
     "host.os.kernel",
     "process.entry_leader.executable",
-    "process.entry_leader.group.name",
-    "process.entry_leader.real_user.name",
     "process.entry_leader.working_directory",
     "process.parent.executable",
     "process.executable",
     "process.hash.sha256",
     "process.parent.command_line",
     "process.command_line",
-    "process.args",
-    "process.user.name"
+    "process.args"
 ]
 
 [[rule.threat]]

rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml

@@ -94,16 +94,17 @@ event.dataset:aws.cloudtrail
 
 [rule.investigation_fields]
 field_names = [
-    "event.action",
-    "event.outcome",
-    "cloud.region",
-    "user_agent.original",
+    "@timestamp",
     "user.name",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
     "source.address",
-    "aws.cloudtrail.request_parameters",
+    "user_agent.original",
     "aws.cloudtrail.flattened.request_parameters.name",
-    "aws.cloudtrail.user_identity.type",
-    "aws.cloudtrail.user_identity.arn"
+    "event.action",
+    "event.outcome",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters"
 ]
 
 [[rule.threat]]

rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml

@@ -109,10 +109,10 @@ from logs-aws.cloudtrail-*
 
 [rule.investigation_fields]
 field_names = [
-    "region_count",
-    "window_count",
+    "aws.cloudtrail.user_identity.arn",
     "target_time_window",
-    "aws.cloudtrail.user_identity.arn"
+    "region_count",
+    "window_count"
 ]
 
 [[rule.threat]]

rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml

@@ -102,13 +102,15 @@ event.dataset: "aws.cloudtrail"
 
 [rule.investigation_fields]
 field_names = [
+    "@timestamp",
+    "user.name",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.arn",
+    "user_agent.original",
     "event.action",
     "event.outcome",
     "cloud.region",
-    "user_agent.original",
-    "user.name",
-    "aws.cloudtrail.user_identity.type",
-    "aws.cloudtrail.user_identity.arn"
+    "aws.cloudtrail.request_parameters"
 ]
 
 [[rule.threat]]

rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml

@@ -85,16 +85,16 @@ event.dataset: "aws.cloudtrail"
 
 [rule.investigation_fields]
 field_names = [
+    "@timestamp",
+    "user.name",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "user_agent.original",
     "event.action",
     "event.outcome",
     "cloud.region",
-    "related.user",
-    "user.name",
-    "user_agent.original",
     "aws.cloudtrail.request_parameters",
     "aws.cloudtrail.response_elements",
-    "aws.cloudtrail.user_identity.arn",
-    "aws.cloudtrail.user_identity.type"
 ]
 
 [[rule.threat]]

rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml

@@ -83,17 +83,18 @@ event.dataset: "aws.cloudtrail"
 
 [rule.investigation_fields]
 field_names = [
+    "@timestamp",
+    "user.name",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "user_agent.original",
     "event.action",
     "event.outcome",
     "cloud.region",
-    "user_agent.original",
-    "user.name",
-    "aws.cloudtrail.request_parameters",
     "aws.cloudtrail.flattened.request_parameters.protocol",
     "aws.cloudtrail.flattened.request_parameters.topicArn",
     "aws.cloudtrail.flattened.response_elements.subscriptionArn",
-    "aws.cloudtrail.user_identity.type",
-    "aws.cloudtrail.user_identity.arn"
+    "aws.cloudtrail.request_parameters"
 ]
 
 [[rule.threat]]

rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml

@@ -99,10 +99,10 @@ from logs-aws.cloudtrail*
 
 [rule.investigation_fields]
 field_names = [
-    "failed_requests",
-    "tls.client.server_name",
     "source.address",
-    "cloud.account.id"
+    "tls.client.server_name",
+    "cloud.account.id",
+    "failed_requests"
 ]
 
 [[rule.threat]]

rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml

@@ -103,18 +103,17 @@ event.dataset: "aws.cloudtrail"
 [rule.investigation_fields]
 field_names = [
    "@timestamp",
-   "cloud.region",
-   "event.provider",
+   "user.name",
+   "aws.cloudtrail.user_identity.arn",
+   "aws.cloudtrail.user_identity.type",
+   "user_agent.original",
+   "aws.cloudtrail.flattened.request_parameters.instanceId",
    "event.action",
    "event.outcome",
-   "related.user",
-   "user_agent.original",
-   "user.name",
+   "cloud.region",
+   "event.provider",
    "aws.cloudtrail.request_parameters",
-   "aws.cloudtrail.response_elements",
-   "aws.cloudtrail.flattened.request_parameters.instanceId",
-   "aws.cloudtrail.user_identity.arn",
-   "aws.cloudtrail.user_identity.type"
+   "aws.cloudtrail.response_elements"
 ]
 
 

rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml

@@ -98,16 +98,16 @@ event.dataset: "aws.cloudtrail"
 
 [rule.investigation_fields]
 field_names = [
+    "@timestamp",
+    "user.name",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "user_agent.original",
     "event.action",
     "event.outcome",
     "cloud.region",
-    "related.user",
-    "user_agent.original",
-    "user.name",
     "aws.cloudtrail.request_parameters",
-    "aws.cloudtrail.response_elements",
-    "aws.cloudtrail.user_identity.arn",
-    "aws.cloudtrail.user_identity.type"
+    "aws.cloudtrail.response_elements"
 ]
 
 [[rule.threat]]

rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml

@@ -123,18 +123,17 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
 [rule.investigation_fields]
 field_names = [
     "@timestamp",
-    "cloud.region",
-    "event.provider",
-    "event.action",
-    "event.outcome",
     "user.name",
-    "user.target.name",
-    "related.user",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
     "user_agent.original",
+    "user.target.name",
+    "event.action",
+    "event.outcome",
+    "cloud.region",
+    "event.provider",
     "aws.cloudtrail.request_parameters",
     "aws.cloudtrail.response_elements",
-    "aws.cloudtrail.user_identity.arn",
-    "aws.cloudtrail.user_identity.type"
 ]