[Rule Tunings] AWS New Terms History Window Reduction (#5479)

I reduced the history window for new terms rules that were either:
- `now-14 days`
- showing slow performance metrics

There are still several AWS rules with a `now-10d` window but they are not showing any performance issues so I'd like to leave them as is for now.

First Time Seen AWS Secret Value Accessed in Secrets Manager
- removed `BatchGetSecretValue` API call since this calls `GetSecretValue`
- removed the user_agent exclusions from this one, too easy to bypass.

AWS EC2 User Data Retrieval for EC2 Instance
- excluded more benign AWS services from telemetry

AWS IAM Assume Role Policy Update
- removed use of cloudformation exclusion, this should be captured as well

Author: imays11

rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/12/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2025/12/16"
 
 [rule]
 author = ["Elastic"]
@@ -181,6 +181,6 @@ field = "new_terms_fields"
 value = ["source.address", "tls.client.server_name"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
+value = "now-5d"
 
 

rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml

@@ -2,17 +2,17 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/12/12"
+updated_date = "2025/12/16"
 
 [rule]
 author = ["Nick Jones", "Elastic"]
 description = """
 An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may
 attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time
-a specific user identity has programmatically retrieved a secret value from Secrets Manager using the `GetSecretValue`
-or `BatchGetSecretValue` actions. This rule assumes that AWS services such as Lambda functions and EC2 instances are
-setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An
-adversary with access to a compromised AWS service would rely on its' attached role to access the secrets in Secrets Manager.
+a specific user identity has programmatically retrieved a secret value from Secrets Manager using the GetSecretValue
+action. This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with IAM role's
+assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a
+compromised AWS service would rely on its' attached role to access the secrets in Secrets Manager.
 """
 false_positives = [
     """
@@ -22,7 +22,6 @@ false_positives = [
 ]
 from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
-interval = "5m"
 language = "kuery"
 license = "Elastic License v2"
 name = "First Time Seen AWS Secret Value Accessed in Secrets Manager"
@@ -32,7 +31,7 @@ note = """## Triage and analysis
 
 AWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.
 
-This rule looks for the retrieval of credentials from Secrets Manager using `GetSecretValue` or `BatchGetSecretValue` API calls. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a secret value from Secrets Manager.
+This rule looks for the retrieval of credentials from Secrets Manager using `GetSecretValue` API calls. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a secret value from Secrets Manager.
 
 #### Possible investigation steps
 
@@ -95,26 +94,12 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and
-    event.action: (GetSecretValue or BatchGetSecretValue) and event.outcome:success and
-    not user_agent.name: ("Chrome" or "Firefox" or "Safari" or "Edge" or "Brave" or "Opera" or "Boto3")
+event.dataset: aws.cloudtrail 
+    and event.provider: secretsmanager.amazonaws.com 
+    and event.action: GetSecretValue 
+    and event.outcome: success
 '''
 
-[rule.investigation_fields]
-field_names = [
-    "@timestamp",
-    "user.name",
-    "user_agent.original",
-    "source.ip",
-    "aws.cloudtrail.user_identity.arn",
-    "aws.cloudtrail.user_identity.type",
-    "aws.cloudtrail.user_identity.access_key_id",
-    "event.action",
-    "event.outcome",
-    "cloud.account.id",
-    "cloud.region",
-    "aws.cloudtrail.request_parameters"
-]
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -134,11 +119,27 @@ id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+]
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["cloud.account.id", "user.name"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-10d"
+value = "now-5d"
 
 

rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/04/12"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/07/09"
+updated_date = "2025/12/16"
 
 [rule]
 author = ["Elastic"]
@@ -125,4 +125,4 @@ field = "new_terms_fields"
 value = ["cloud.account.id", "user.name"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-10d"
+value = "now-5d"

rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/04/14"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/07/10"
+updated_date = "2025/12/16"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,6 @@ gather sensitive data from the instance such as hardcoded credentials or to iden
 a New Terms rule that identifies the first time an IAM user or role requests the user data for a specific EC2 instance.
 """
 from = "now-6m"
-interval = "5m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -91,7 +90,10 @@ event.dataset: "aws.cloudtrail"
     and aws.cloudtrail.flattened.request_parameters.attribute: "userData"
     and not aws.cloudtrail.user_identity.invoked_by: (
         "AWS Internal" or
-        "cloudformation.amazonaws.com"
+        "cloudformation.amazonaws.com" or 
+        "aidevops.amazonaws.com" or 
+        "elasticmapreduce.amazonaws.com" or 
+        "aiops.amazonaws.com"
     )
 '''
 
@@ -147,6 +149,6 @@ field = "new_terms_fields"
 value = ["cloud.account.id", "user.name", "aws.cloudtrail.flattened.request_parameters.instanceId"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-5d"
 
 

rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/11/01"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/09/09"
+updated_date = "2025/12/16"
 
 [rule]
 author = ["Elastic"]
@@ -150,6 +150,6 @@ field = "new_terms_fields"
 value = ["cloud.account.id", "user.name", "aws.cloudtrail.flattened.request_parameters.protocol"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-7d"
 
 

rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/01/15"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/07/10"
+updated_date = "2025/12/16"
 
 [rule]
 author = ["Elastic"]
@@ -138,6 +138,6 @@ field = "new_terms_fields"
 value = ["cloud.account.id", "user.name", "tls.client.server_name"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-7d"
 
 

rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/11/12"
+updated_date = "2025/12/16"
 
 [rule]
 author = ["Elastic"]
@@ -168,6 +168,6 @@ field = "new_terms_fields"
 value = ["aws.cloudtrail.user_identity.arn"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-7d"
 
 

rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2025/12/16"
 
 [rule]
 author = ["Elastic"]
@@ -135,6 +135,6 @@ field = "new_terms_fields"
 value = ["cloud.account.id", "user.name", "target.entity.id"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-7d"
 
 

rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2025/12/16"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,6 @@ false_positives = [
 ]
 from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
-interval = "5m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM Assume Role Policy Update"
@@ -90,7 +89,6 @@ event.dataset: "aws.cloudtrail"
     and event.provider: "iam.amazonaws.com"
     and event.action: "UpdateAssumeRolePolicy"
     and event.outcome: "success"
-    and not source.address: "cloudformation.amazonaws.com"
 '''
 
 
@@ -134,6 +132,6 @@ field = "new_terms_fields"
 value = ["cloud.account.id", "user.name", "target.entity.id"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-7d"
 
 

rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml

@@ -2,18 +2,25 @@
 creation_date = "2021/05/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/06/18"
+updated_date = "2025/12/16"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
 description = """
-Identifies when a service has assumed a role in AWS Security Token Service (STS). Services can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation. This is a New Terms rule that identifies when a service assumes a role in AWS Security Token Service (STS) to obtain temporary credentials and access AWS resources. While often legitimate, adversaries may use this technique for unauthorized access, privilege escalation, or lateral movement within an AWS environment.
+Identifies when a service has assumed a role in AWS Security Token Service (STS). Services can assume a role to obtain
+temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege
+escalation. This is a New Terms rule that identifies when a service assumes a role in AWS Security Token Service (STS)
+to obtain temporary credentials and access AWS resources. While often legitimate, adversaries may use this technique for
+unauthorized access, privilege escalation, or lateral movement within an AWS environment.
 """
 false_positives = [
-    "AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes. AWS services might assume roles to access AWS resources as part of their standard operations. Automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments.",
+    """
+    AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes. AWS
+    services might assume roles to access AWS resources as part of their standard operations. Automated workflows might
+    assume roles to perform periodic tasks such as data backups, updates, or deployments.
+    """,
 ]
 from = "now-6m"
-interval = "5m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -99,24 +106,6 @@ event.dataset: "aws.cloudtrail"
           "autoscaling.amazonaws.com")
 '''
 
-[rule.investigation_fields]
-field_names = [
-    "@timestamp",
-    "source.address",
-    "user_agent.original",
-    "aws.cloudtrail.user_identity.invoked_by",
-    "aws.cloudtrail.user_identity.type",
-    "aws.cloudtrail.flattened.response_elements.credentials.accessKeyId",
-    "event.action",
-    "event.outcome",
-    "aws.cloudtrail.resources.arn",
-    "aws.cloudtrail.resources.type",
-    "aws.cloudtrail.flattened.request_parameters.roleSessionName",
-    "cloud.region",
-    "cloud.account.id",
-    "aws.cloudtrail.request_parameters",
-    "aws.cloudtrail.response_elements"
-]
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -148,11 +137,30 @@ id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "source.address",
+    "user_agent.original",
+    "aws.cloudtrail.user_identity.invoked_by",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.flattened.response_elements.credentials.accessKeyId",
+    "event.action",
+    "event.outcome",
+    "aws.cloudtrail.resources.arn",
+    "aws.cloudtrail.resources.type",
+    "aws.cloudtrail.flattened.request_parameters.roleSessionName",
+    "cloud.region",
+    "cloud.account.id",
+    "aws.cloudtrail.request_parameters",
+    "aws.cloudtrail.response_elements",
+]
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["aws.cloudtrail.user_identity.invoked_by", "aws.cloudtrail.resources.arn"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-10d"
+value = "now-5d"