Merge branch 'main' into 2700-bug-missing-spaces-between-logic-operators-does-not-raise-error

Author: eric-forte-elastic

detection_rules/etc/deprecated_rules.json

@@ -174,6 +174,11 @@
     "rule_name": "Deprecated - Container Workload Protection",
     "stack_version": "8.14"
   },
+  "573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
+    "deprecation_date": "2025/07/09",
+    "rule_name": "Deprecated - Azure Virtual Network Device Modified or Deleted",
+    "stack_version": "8.18"
+  },
   "5e87f165-45c2-4b80-bfa5-52822552c997": {
     "deprecation_date": "2022/03/16",
     "rule_name": "Potential PrintNightmare File Modification",
@@ -309,6 +314,11 @@
     "rule_name": "Base64 Encoding/Decoding Activity",
     "stack_version": "7.14.0"
   },
+  "98fd7407-0bd5-5817-cda0-3fcc33113a56": {
+    "deprecation_date": "2025/07/16",
+    "rule_name": "Deprecated - AWS EC2 Snapshot Activity",
+    "stack_version": "8.18"
+  },
   "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
     "deprecation_date": "2023/02/16",
     "rule_name": "Google Workspace User Group Access Modified to Allow External Access",

detection_rules/etc/non-ecs-schema.json

@@ -155,28 +155,18 @@
     "auditd.data.a3": "keyword"
   },
   "logs-aws.cloudtrail-*": {
-    "aws.cloudtrail.flattened.request_parameters.cidrIp": "keyword",
-    "aws.cloudtrail.flattened.request_parameters.fromPort": "keyword",
-    "aws.cloudtrail.flattened.request_parameters.roleArn": "keyword",
-    "aws.cloudtrail.flattened.request_parameters.roleName": "keyword",
-    "aws.cloudtrail.flattened.request_parameters.policyArn": "keyword",
+    "aws.cloudtrail.flattened.request_parameters.ipPermissions.items.ipRanges.items.cidrIp": "keyword",
+    "aws.cloudtrail.flattened.request_parameters.ipPermissions.items.fromPort": "keyword",
     "aws.cloudtrail.flattened.request_parameters.serialNumber": "keyword",
     "aws.cloudtrail.flattened.request_parameters.x-amz-server-side-encryption-customer-algorithm": "keyword",
-    "aws.cloudtrail.flattened.additional_eventdata.SSEApplied": "keyword",
-    "aws.cloudtrail.flattened.request_parameters.bucketName": "keyword",
-    "aws.cloudtrail.flattened.request_parameters.key": "keyword",
     "aws.cloudtrail.flattened.request_parameters.includeDeprecated": "keyword",
     "aws.cloudtrail.flattened.request_parameters.withDecryption": "boolean",
     "aws.cloudtrail.flattened.request_parameters.instanceId": "keyword",
-    "aws.cloudtrail.flattened.request_parameters.dryRun": "boolean",
-    "aws.cloudtrail.flattened.request_parameters.clientToken": "keyword",
-    "aws.cloudtrail.flattened.response_elements.s3BucketName": "keyword",
-    "aws.cloudtrail.flattened.response_elements.tableArn": "keyword",
     "aws.cloudtrail.flattened.request_parameters.attribute": "keyword",
     "aws.cloudtrail.flattened.request_parameters.reason": "keyword",
     "aws.cloudtrail.flattened.request_parameters.omitted": "keyword",
-    "aws.cloudtrail.flattened.request_parameters.ownersSet.items.owner": "keyword",
-    "aws.cloudtrail.flattened.response_elements.documentDescription.documentType": "keyword"
+    "aws.cloudtrail.flattened.response_elements.documentDescription.documentType": "keyword",
+    "aws.cloudtrail.flattened.request_parameters.groupSet.items.groupId": "keyword"
   },
   "logs-azure.signinlogs-*": {
     "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword",
@@ -203,6 +193,10 @@
     "azure.auditlogs.properties.target_resources.0.modified_properties.3.new_value": "keyword",
     "azure.auditlogs.properties.target_resources.0.modified_properties.2.new_value": "keyword",
     "azure.auditlogs.properties.additional_details.value": "keyword"
+  },
+  "logs-azure.platformlogs-*": {
+    "azure.platformlogs.identity.claim.upn": "keyword",
+    "azure.platformlogs.properties.id": "keyword"
   },
    "logs-o365.audit-*": {
      "o365.audit.ExtendedProperties.ResultStatusDetail": "keyword",