Update rules/linux/command_and_control_aws_cli_endpoint_url_used.toml

Co-authored-by: Samirbous <[email protected]>

Author: Aegrah

rules/linux/command_and_control_aws_cli_endpoint_url_used.toml

@@ -47,7 +47,7 @@ type = "new_terms"
 timestamp_override = "event.ingested"
 query = '''
 host.os.type:"linux" and event.category:"process" and
-event.action:("exec" or "exec_event" or "executed" or "process_started") and
+event.action:("exec" or "exec_event" or "executed" or "process_started", "ProcessRollup2") and
 process.name:"aws" and process.args:"--endpoint-url"
 '''
 note = """## Triage and analysis