updated from command

terrancedejesus · terrancedejesus · commit a3f56d4aa8ee · 2025-11-23T22:23:41.000-05:00
diff --git a/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml b/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
@@ -95,7 +95,7 @@ timestamp_override = "event.ingested"
 type = "esql"
 
 query = '''
-FROM logs-*
+FROM logs-aws.cloudtrail*, logs-endpoint.* METADATA _id, _version, _index
 | WHERE
   // CloudTrail SSM SendCommand with AWS-RunShellScript
   (

Original file line number	Diff line number	Diff line change
`@@ -95,7 +95,7 @@ timestamp_override = "event.ingested"`
`95`	`95`	`type = "esql"`
`96`	`96`
`97`	`97`	`query = '''`
`98`		`-FROM logs-*`
	`98`	`+FROM logs-aws.cloudtrail, logs-endpoint. METADATA _id, _version, _index`
`99`	`99`	`\| WHERE`
`100`	`100`	`// CloudTrail SSM SendCommand with AWS-RunShellScript`
`101`	`101`	`(`