[Rule Tuning] Update Tags for Cloud Rules (#99)

* [Rule Tuning] Update Tags for Cloud Rules

* commenting out specifying alphabetical tag order in rule formatter

* Update rule_formatter.py

* py lint

* Lint fix comments

* update modified dates

* Update credential_access_secretsmanager_getsecretvalue.toml

* adding Continuous Monitoring tag

* update tags

* fixed and in tags

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

Author: bm11100

detection_rules/rule_formatter.py

@@ -142,10 +142,11 @@ def _do_write(_data, _contents):
             #     but will at least purge extraneous white space
             query = contents['rule'].pop('query', '').strip()
 
-            tags = contents['rule'].get("tags", [])
-
-            if tags and isinstance(tags, list):
-                contents['rule']["tags"] = list(sorted(set(tags)))
+            # - As tags are expanding, we may want to reconsider the need to have them in alphabetical order
+            # tags = contents['rule'].get("tags", [])
+            #
+            # if tags and isinstance(tags, list):
+            #     contents['rule']["tags"] = list(sorted(set(tags)))
 
         top = OrderedDict()
         bottom = OrderedDict()

rules/aws/collection_cloudtrail_logging_created.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 21
 rule_id = "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed"
 severity = "low"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/credential_access_aws_iam_assume_role_brute_force.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/16"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 47
 rule_id = "ea248a02-bc47-4043-8e94-2885b19b2636"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
 type = "threshold"
 
 query = '''

rules/aws/credential_access_iam_user_addition_to_group.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/04"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserTo
 risk_score = 21
 rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
 severity = "low"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/credential_access_secretsmanager_getsecretvalue.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/06"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Nick Jones", "Elastic"]
@@ -27,10 +27,10 @@ references = [
     "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
     "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/",
 ]
-risk_score = 21
+risk_score = 73
 rule_id = "a00681e3-9ed6-447c-ab2c-be648821c622"
-severity = "low"
-tags = ["AWS", "Elastic"]
+severity = "high"
+tags = ["AWS", "Elastic", "SecOps", "Data Protection", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_cloudtrail_logging_deleted.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "7024e2a0-315d-4334-bb1a-441c593e16ab"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_cloudtrail_logging_suspended.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 47
 rule_id = "1aa8fa52-44a7-4dae-b058-f3333b91c8d7"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/15"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "f772ec8a-e182-483c-91d2-72058f76a44c"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_config_service_rule_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/26"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 47
 rule_id = "7024e2a0-315d-4334-bb1a-552d604f27bc"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_configuration_recorder_stopped.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/16"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 73
 rule_id = "fbd44836-0d69-4004-a0b4-03c20370c435"
 severity = "high"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 
 query = '''