Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml

terrancedejesus · Samirbous · web-flow · commit 431162d1b6c5 · 2025-12-04T14:47:45.000-05:00
Co-authored-by: Samirbous &lt;64742097+Samirbous@users.noreply.github.com&gt;
diff --git a/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml b/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
@@ -96,7 +96,7 @@ timestamp_override = "event.ingested"
 type = "esql"
 
 query = '''
-FROM logs-aws.cloudtrail*, logs-endpoint.* METADATA _id, _version, _index
+FROM logs-aws.cloudtrail*, logs-endpoint.events.process-* METADATA _id, _version, _index
 | WHERE
   // CloudTrail SSM SendCommand with AWS-RunShellScript
   (

Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@ timestamp_override = "event.ingested"`
`96`	`96`	`type = "esql"`
`97`	`97`
`98`	`98`	`query = '''`
`99`		`-FROM logs-aws.cloudtrail, logs-endpoint. METADATA _id, _version, _index`
	`99`	`+FROM logs-aws.cloudtrail, logs-endpoint.events.process- METADATA _id, _version, _index`
`100`	`100`	`\| WHERE`
`101`	`101`	`// CloudTrail SSM SendCommand with AWS-RunShellScript`
`102`	`102`	`(`