Commit 9793d90
[Rule Tunings] AWS Multiple API Calls ESQL rules (#5238)
* [Rule Tunings] AWS Multiple API Calls rules
AWS EC2 Multi-Region DescribeInstances API Calls
Over 2,000 alerts in the last 24 hours. This is a very noisy rule; by design, it is alerting on quite normal behavior. There is not much in-the-wild threat behavior that justifies keeping this rule as a standalone alert. As a threat indicator, this is best used as a hunting rule or in correlation with another rule, for example: (GetCallerIdentity new terms + multi-region DescribeInstances by same principal) or (Multiple Discovery API calls + multi-region DescribeInstances by same principal) or (multi-region DescribeInstances + snapshot/AMI activity by same principal). However, on its own it’s not adding much value over the noise.
- I’m keeping this as an ESQL rule but converting it to a BBR
- Keeping more fields for further context
- Changing the investigation guide to be more relevant for a hunting/correlation rule
AWS Discovery API Calls via CLI from a Single Resource
This rule is alerting as expected with low telemetry. It has to remain an ESQL rule, as no other rule type can truncate the time window to 10 sec while looking for a threshold of unique API calls coming from a single user.
- Keeping as ESQL rule
- Reduced execution window
- Keeping more fields for further context
- Adding highlighted fields
- Updated Investigation guide
* Adding highlighted fields to the keep parameter
* Apply suggestions from code review
Co-authored-by: Mika Ayenson, PhD <[email protected]>
* Apply suggestion from @imays11
---------
Co-authored-by: Mika Ayenson, PhD <[email protected]>
Co-authored-by: Samirbous <[email protected]>
Co-authored-by: Terrance DeJesus <[email protected]>
1 parent 7aacebb commit 9793d90
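The two detections the commit message tunes share one shape: group CloudTrail events by principal, then either count distinct API calls inside a truncated time window (the discovery-burst rule) or count distinct regions for DescribeInstances (the multi-region indicator), and correlate the two on the same principal. The following is an added example, not the Elastic detection-rules code or the ES|QL of either rule: it re-implements that logic in plain Python over constructed CloudTrail-style events so the window, threshold and correlation behavior can be checked. The ECS field names, the 10-second window, the thresholds and the "Describe/List/Get" definition of a discovery call are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Assumed tuning knobs (not the rule's real values).
WINDOW_SECONDS = 10            # truncated window the discovery rule counts within
DISCOVERY_THRESHOLD = 5        # distinct discovery API calls per user per window
MULTI_REGION_THRESHOLD = 3     # distinct regions seen for DescribeInstances per user
DISCOVERY_PREFIXES = ("Describe", "List", "Get")  # assumption: what counts as discovery

# Constructed sample events (not real telemetry): timestamp, principal, API call, region.
_RAW = [
    # scanner-role: six distinct discovery calls inside one 10 s window ...
    ("2024-05-01T12:00:01Z", "scanner-role", "DescribeInstances", "us-east-1"),
    ("2024-05-01T12:00:02Z", "scanner-role", "DescribeSecurityGroups", "us-east-1"),
    ("2024-05-01T12:00:03Z", "scanner-role", "ListBuckets", "us-east-1"),
    ("2024-05-01T12:00:04Z", "scanner-role", "GetCallerIdentity", "us-east-1"),
    ("2024-05-01T12:00:05Z", "scanner-role", "ListUsers", "us-east-1"),
    ("2024-05-01T12:00:06Z", "scanner-role", "DescribeSnapshots", "us-east-1"),
    # ... followed by DescribeInstances across three more regions.
    ("2024-05-01T12:00:30Z", "scanner-role", "DescribeInstances", "us-west-2"),
    ("2024-05-01T12:00:40Z", "scanner-role", "DescribeInstances", "eu-west-1"),
    ("2024-05-01T12:00:50Z", "scanner-role", "DescribeInstances", "ap-southeast-1"),
    # alice: an inventory script walking three regions over minutes, no burst.
    ("2024-05-01T12:05:00Z", "alice", "DescribeInstances", "us-east-1"),
    ("2024-05-01T12:06:00Z", "alice", "DescribeInstances", "us-west-2"),
    ("2024-05-01T12:07:00Z", "alice", "DescribeInstances", "eu-central-1"),
    # carol: six calls in one window, but all the same API, so one distinct call.
    ("2024-05-01T12:20:00Z", "carol", "DescribeInstances", "us-east-1"),
    ("2024-05-01T12:20:01Z", "carol", "DescribeInstances", "us-east-1"),
    ("2024-05-01T12:20:02Z", "carol", "DescribeInstances", "us-east-1"),
    ("2024-05-01T12:20:03Z", "carol", "DescribeInstances", "us-east-1"),
    ("2024-05-01T12:20:04Z", "carol", "DescribeInstances", "us-east-1"),
    ("2024-05-01T12:20:05Z", "carol", "DescribeInstances", "us-east-1"),
]
SAMPLE_EVENTS = [
    {"@timestamp": t, "user.name": u, "event.action": a, "cloud.region": r}
    for t, u, a, r in _RAW
]


def window_start(timestamp):
    """Truncate an ISO-8601 UTC timestamp to the start of its WINDOW_SECONDS bucket (epoch seconds)."""
    dt = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(dt.timestamp())
    return epoch - epoch % WINDOW_SECONDS


def discovery_bursts(events, threshold=DISCOVERY_THRESHOLD):
    """Per (user, window), collect distinct discovery API calls; return the buckets at or over threshold."""
    per_window = defaultdict(set)
    for e in events:
        action = e["event.action"]
        if not action.startswith(DISCOVERY_PREFIXES):
            continue  # non-discovery calls never count toward the burst
        per_window[(e["user.name"], window_start(e["@timestamp"]))].add(action)
    return {key: sorted(actions) for key, actions in per_window.items() if len(actions) >= threshold}


def multi_region_describe_instances(events, threshold=MULTI_REGION_THRESHOLD):
    """Per user, the distinct regions in which DescribeInstances was called, if at or over threshold."""
    regions = defaultdict(set)
    for e in events:
        if e["event.action"] == "DescribeInstances":
            regions[e["user.name"]].add(e["cloud.region"])
    return {user: sorted(r) for user, r in regions.items() if len(r) >= threshold}


def correlated_principals(events):
    """Principals that trip the discovery burst AND the multi-region indicator: the correlation the
    commit message suggests instead of alerting on multi-region DescribeInstances alone."""
    burst_users = {user for user, _window in discovery_bursts(events)}
    return sorted(burst_users & set(multi_region_describe_instances(events)))


if __name__ == "__main__":
    print("discovery bursts:", discovery_bursts(SAMPLE_EVENTS))
    print("multi-region DescribeInstances:", multi_region_describe_instances(SAMPLE_EVENTS))
    print("correlated principals:", correlated_principals(SAMPLE_EVENTS))
```

Run as a script, alice shows up only under the multi-region indicator (the noisy signal on its own), carol never reaches the distinct-call threshold despite six calls in one window, and only scanner-role is returned by the correlation. The bucketing uses a fixed 10-second grid, so a burst straddling a bucket boundary is split across two windows; that is the same trade-off a truncated window in the real rule makes, and a sliding window would be the change to consider if that gap matters.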
File tree: 4 files changed, +429 −290 lines (rules_building_block, rules/integrations/aws)
Deleted file: 0 additions & 135 deletions
Deleted file: 0 additions & 155 deletions