[Rule Tuning] Add Missing Metadata to KEEP conditions

w0rk3r · w0rk3r · commit a1d1f245e218 · 2025-12-09T16:40:30.000-03:00
diff --git a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/30"
 integration = ["endpoint", "system", "windows", "auditd_manager", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/06/30"
+updated_date = "2025/12/09"
 
 [rule]
 author = ["Elastic"]
@@ -90,7 +90,7 @@ FROM logs-* metadata _id, _version, _index
 // more than 100 spaces in process.command_line
 | eval multi_spaces = LOCATE(process.command_line, space(100)) 
 | where multi_spaces > 0 
-| keep user.name, host.id, host.name, process.command_line, process.executable, process.parent.executable
+| keep user.name, host.id, host.name, process.command_line, process.executable, process.parent.executable, _id
 '''
 
 
diff --git a/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml b/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/02"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/12/02"
+updated_date = "2025/12/09"
 
 [rule]
 author = ["Elastic"]
@@ -201,7 +201,8 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
   Esql.aws_cloudtrail_request_parameters_target_bucket_name,
   Esql.aws_cloudtrail_request_parameters_target_object_key,
   Esql.aws_cloudtrail_request_parameters_kms_key_account_id,
-  Esql.aws_cloudtrail_request_parameters_kms_key_id
+  Esql.aws_cloudtrail_request_parameters_kms_key_id,
+  _id
 '''
 
 
diff --git a/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml b/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/10/28"
+updated_date = "2025/12/09"
 
 [rule]
 author = ["Elastic"]
@@ -113,7 +113,8 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
     user_agent.original,
     source.ip,
     event.action,
-    @timestamp
+    @timestamp,
+    _id
 '''
 
 
diff --git a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/10/13"
+updated_date = "2025/12/09"
 
 [rule]
 author = ["Elastic"]
@@ -156,7 +156,8 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
     aws.cloudtrail.user_identity.arn,
     aws.cloudtrail.user_identity.type,
     aws.cloudtrail.user_identity.access_key_id,
-    source.geo.*
+    source.geo.*,
+    _id
 '''
 
 
diff --git a/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml b/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/12/09"
 
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,8 @@ from logs-azure.auditlogs-* metadata _id, _version, _index
     source.geo.region_name,
     source.geo.country_name,
     Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new,
-    Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old
+    Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old,
+    _id
 '''
 
 
