[Rule Tuning] Update Tags for Cloud Rules

detection_rules/rule_formatter.py

@@ -142,10 +142,11 @@ def _do_write(_data, _contents):
             #     but will at least purge extraneous white space
             query = contents['rule'].pop('query', '').strip()
 
-            tags = contents['rule'].get("tags", [])
-
-            if tags and isinstance(tags, list):
-                contents['rule']["tags"] = list(sorted(set(tags)))
+            # - As tags are expanding, we may want to reconsider the need to have them in alphabetical order
+            # tags = contents['rule'].get("tags", [])
+            #
+            # if tags and isinstance(tags, list):
+            #     contents['rule']["tags"] = list(sorted(set(tags)))
 
         top = OrderedDict()
         bottom = OrderedDict()

rules/aws/collection_cloudtrail_logging_created.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 21
 rule_id = "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed"
 severity = "low"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/credential_access_aws_iam_assume_role_brute_force.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/16"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 47
 rule_id = "ea248a02-bc47-4043-8e94-2885b19b2636"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
 type = "threshold"
 
 query = '''

rules/aws/credential_access_iam_user_addition_to_group.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/04"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserTo
 risk_score = 21
 rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
 severity = "low"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/credential_access_secretsmanager_getsecretvalue.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/06"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Nick Jones", "Elastic"]
@@ -27,10 +27,10 @@ references = [
     "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
     "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/",
 ]
-risk_score = 21
+risk_score = 73
 rule_id = "a00681e3-9ed6-447c-ab2c-be648821c622"
-severity = "low"
-tags = ["AWS", "Elastic"]
+severity = "high"
+tags = ["AWS", "Elastic", "SecOps", "Data Protection", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_cloudtrail_logging_deleted.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "7024e2a0-315d-4334-bb1a-441c593e16ab"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_cloudtrail_logging_suspended.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 47
 rule_id = "1aa8fa52-44a7-4dae-b058-f3333b91c8d7"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/15"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "f772ec8a-e182-483c-91d2-72058f76a44c"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_config_service_rule_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/26"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 47
 rule_id = "7024e2a0-315d-4334-bb1a-552d604f27bc"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_configuration_recorder_stopped.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/16"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 73
 rule_id = "fbd44836-0d69-4004-a0b4-03c20370c435"
 severity = "high"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_ec2_flow_log_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/15"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 73
 rule_id = "9395fd2c-9947-4472-86ef-4aceb2f7e872"
 severity = "high"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_ec2_network_acl_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 47
 rule_id = "8623535c-1e17-44e1-aa97-7a0699c3037d"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_guardduty_detector_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/28"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 73
 rule_id = "523116c0-d89d-4d7c-82c2-39e6845a78ef"
 severity = "high"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/27"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 21
 rule_id = "227dc608-e558-43d9-b521-150772250bae"
 severity = "low"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_waf_acl_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "91d04cd4-47a9-4334-ab14-084abe274d49"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/09"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "5beaebc1-cc13-4bfc-9949-776f9e0dc318"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/execution_via_system_manager.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/06"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-
 risk_score = 21
 rule_id = "37b211e8-4e2f-440f-86d8-06cc8f158cfa"
 severity = "low"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/exfiltration_ec2_snapshot_change_activity.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/24"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "98fd7407-0bd5-5817-cda0-3fcc33113a56"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/impact_cloudtrail_logging_updated.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 21
 rule_id = "3e002465-876f-4f04-b016-84ef48ce7e5d"
 severity = "low"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/impact_cloudwatch_log_group_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/impact_cloudwatch_log_stream_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
 type = "query"
 
 query = '''

rules/aws/impact_ec2_disable_ebs_encryption.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/06/05"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 47
 rule_id = "bb9b13b2-1700-48a8-a750-b43b0a72ab69"
 severity = "medium"
-tags = ["AWS", "Elastic"]
+tags = ["AWS", "Elastic", "SecOps", "Data Protection", "Continuous Monitoring"]
 type = "query"
 
 query = '''