elastic
diff --git a/‎detection_rules/cli_utils.py‎
Lines changed: 1 addition & 1 deletion b/‎detection_rules/cli_utils.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎detection_rules/etc/deprecated_rules.json‎
Lines changed: 5 additions & 0 deletions b/‎detection_rules/etc/deprecated_rules.json‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎detection_rules/etc/integration-manifests.json.gz‎
2.21 KB b/‎detection_rules/etc/integration-manifests.json.gz‎
2.21 KB
diff --git a/‎detection_rules/etc/integration-schemas.json.gz‎
38.9 KB b/‎detection_rules/etc/integration-schemas.json.gz‎
38.9 KB
diff --git a/‎detection_rules/etc/non-ecs-schema.json‎
Lines changed: 6 additions & 2 deletions b/‎detection_rules/etc/non-ecs-schema.json‎
Lines changed: 6 additions & 2 deletions
@@ -375,7 +375,7 @@ def rule_prompt(  # noqa: PLR0912, PLR0913, PLR0915
         # if failing due to a query, loop until resolved or terminated
         while True:
             try:
-                contents["query"] = click.edit(contents["query"], extension=".eql")
+                contents["query"] = click.edit(contents["query"], extension=".eql")  # type: ignore[reportUnknownArgumentType]
                 rule = TOMLRule(
                     path=Path(path),
                     contents=TOMLRuleContents.from_dict({"rule": contents, "metadata": meta}),
 
@@ -359,6 +359,11 @@
     "rule_name": "Potential Persistence via Cron Job",
     "stack_version": "7.14.0"
   },
+  "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
+    "deprecation_date": "2025/11/21",
+    "rule_name": "Deprecated - AWS Root Login Without MFA",
+    "stack_version": "8.19"
+  },
   "c6474c34-4953-447a-903e-9fcb7b6661aa": {
     "deprecation_date": "2021/04/15",
     "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
 
@@ -145,7 +145,10 @@
     "kibana.alert.rule.threat.tactic.id": "keyword",
     "kibana.alert.workflow_status": "keyword",
     "kibana.alert.rule.rule_id": "keyword",
-    "kibana.alert.rule.name": "keyword"
+    "kibana.alert.rule.name": "keyword", 
+    "kibana.alert.risk_score": "long",
+    "kibana.alert.rule.type": "keyword",
+    "kibana.alert.rule.threat.tactic.name": "keyword"
   },
   "logs-google_workspace*": {
     "gsuite.admin": "keyword",
@@ -202,7 +205,8 @@
     "azure.activitylogs.properties.resourceDisplayName": "keyword",
     "azure.activitylogs.properties.appDisplayName": "keyword",
     "azure.activitylogs.properties.requestbody.properties.roleDefinitionId": "keyword",
-    "azure.activitylogs.properties.responseBody": "keyword"
+    "azure.activitylogs.properties.responseBody": "keyword",
+    "azure.activitylogs.properties.status_code": "keyword"
   },
   "logs-azure.graphactivitylogs-*": {
     "azure.graphactivitylogs.properties.c_idtyp": "keyword",