adding highlighted fields to keep parameter

imays11 · imays11 · commit a2bee3356bd9 · 2025-12-04T16:19:20.000-05:00
diff --git a/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml b/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/10/21"
+updated_date = "2025/12/04"
 
 [rule]
 author = ["Elastic"]
@@ -124,7 +124,7 @@ timestamp_override = "event.ingested"
 type = "esql"
 
 query = '''
-from logs-aws.cloudtrail*
+from logs-aws.cloudtrail* metadata _id, _version, _index
 // create time window buckets of 10 seconds
 | eval Esql.time_window_date_trunc = date_trunc(10 seconds, @timestamp)
 
@@ -166,7 +166,20 @@ from logs-aws.cloudtrail*
 | where starts_with(Esql.aws_cloudtrail_user_identity_arn_roles, "AWSServiceRoleForConfig") != true
 
 // keep relevant fields (preserving ECS fields and computed time window)
-| keep @timestamp, Esql.time_window_date_trunc, event.action, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.type, aws.cloudtrail.user_identity.access_key_id, source.ip, cloud.account.id, event.provider, user_agent.name, source.as.organization.name, cloud.region
+| keep 
+    @timestamp, 
+    Esql.time_window_date_trunc, 
+    event.action, 
+    aws.cloudtrail.user_identity.arn, 
+    aws.cloudtrail.user_identity.type, 
+    aws.cloudtrail.user_identity.access_key_id, 
+    source.ip, 
+    cloud.account.id, 
+    event.provider, 
+    user_agent.name, 
+    source.as.organization.name, 
+    cloud.region,
+    data_stream.namespace
 
 // count the number of unique API calls per time window and actor
 | stats
@@ -180,14 +193,12 @@ from logs-aws.cloudtrail*
     Esql.event_provider_values = VALUES(event.provider),
     Esql.user_agent_name_values = VALUES(user_agent.name),
     Esql.source_as_organization_name_values = VALUES(source.as.organization.name),
-    Esql.cloud_region_values = VALUES(cloud.region)
+    Esql.cloud_region_values = VALUES(cloud.region),
+    Esql.data_stream_namespace_values = VALUES(data_stream.namespace)
   by Esql.time_window_date_trunc, aws.cloudtrail.user_identity.arn
 
 // filter for more than 5 unique API calls per 10s window
 | where Esql.event_action_count_distinct > 5
-
-// sort the results by the number of unique API calls in descending order
-| sort Esql.event_action_count_distinct desc
 '''
 
 
@@ -215,7 +226,7 @@ field_names = [
   "Esql.source_as_organization_name_values", 
   "Esql.event_provider_values", 
   "Esql.event_action_values", 
-  "Esql.cloud_region_values",
-  "Esql.cloud_account_id_values"
+  "Esql.cloud_account_id_values",
+  "Esql.cloud_region_values"
   ]
 
diff --git a/rules_building_block/discovery_ec2_multi_region_describe_instances.toml b/rules_building_block/discovery_ec2_multi_region_describe_instances.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2024/08/26"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/10/20"
+updated_date = "2025/12/04"
 
 [rule]
 author = ["Elastic"]
@@ -112,7 +112,7 @@ timestamp_override = "event.ingested"
 type = "esql"
 
 query = '''
-from logs-aws.cloudtrail-*
+from logs-aws.cloudtrail-* metadata _id, _version, _index
 
 // filter for DescribeInstances API calls
 | where event.dataset == "aws.cloudtrail"
@@ -131,20 +131,28 @@ from logs-aws.cloudtrail-*
     aws.cloudtrail.user_identity.access_key_id,
     aws.cloudtrail.user_identity.type,
     user_agent.original,
+    source.as.organization.name,
     source.ip,
-    @timestamp    
+    @timestamp,
+    data_stream.namespace    
 
 // count the number of unique regions and total API calls within the 30-second window
 | stats
     Esql.cloud_region_count_distinct = count_distinct(cloud.region),
-    Esql.event_count = count(*)
+    Esql.event_count = count(*),
+    Esql.event_timestamp_values = VALUES(@timestamp),
+    Esql.aws_cloudtrail_user_identity_type_values = VALUES(aws.cloudtrail.user_identity.type),
+    Esql.aws_cloudtrail_user_identity_access_key_id_values = VALUES(aws.cloudtrail.user_identity.access_key_id),
+    Esql.source_ip_values = VALUES(source.ip),
+    Esql.user_agent_original_values = VALUES(user_agent.original),
+    Esql.source_as_organization_name_values = VALUES(source.as.organization.name),
+    Esql.cloud_account_id_values = VALUES(cloud.account.id),
+    Esql.cloud_region_values = VALUES(cloud.region),
+    Esql.data_stream_namespace_values = VALUES(data_stream.namespace)
   by Esql.time_window_date_trunc, aws.cloudtrail.user_identity.arn
 
 // filter for resources making DescribeInstances API calls in more than 10 regions within the 30-second window
 | where Esql.cloud_region_count_distinct >= 10 and Esql.event_count >= 10
-
-// sort the results by time window in descending order
-| sort Esql.time_window_date_trunc desc
 '''
 
 
@@ -163,15 +171,17 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 
 [rule.investigation_fields]
 field_names = [
+    "Esql.cloud_region_count_distinct",
+    "Esql.event_count",
+    "Esql.event_timestamp_values",
     "aws.cloudtrail.user_identity.arn",
-    "target_time_window",
-    "region_count",
-    "window_count",
-    "cloud.account.id",
-    "aws.cloudtrail.user_identity.access_key_id",
-    "aws.cloudtrail.user_identity.type",
-    "user_agent.original",
-    "source.ip",
-    "@timestamp",
+    "Esql.aws_cloudtrail_user_identity_type_values",
+    "Esql.aws_cloudtrail_user_identity_access_key_id_values",
+    "Esql.source_ip_values",
+    "Esql.user_agent_original_values",
+    "Esql.source_as_organization_name_values",
+    "Esql.cloud_account_id_values",
+    "Esql.cloud_region_values",
+    "Esql.data_stream_namespace_values"
 ]
 
