oren-zohar
diff --git a/‎rules/apm/apm_403_response_to_a_post.toml
+1-1 b/‎rules/apm/apm_403_response_to_a_post.toml
+1-1
diff --git a/‎rules/apm/apm_405_response_method_not_allowed.toml
+2-2 b/‎rules/apm/apm_405_response_method_not_allowed.toml
+2-2
diff --git a/‎rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
+1-1 b/‎rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
+1-1
diff --git a/‎rules/integrations/aws/impact_rds_group_deletion.toml
+3-4 b/‎rules/integrations/aws/impact_rds_group_deletion.toml
+3-4
diff --git a/‎rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
+4-4 b/‎rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
+4-4
diff --git a/‎rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
+3-3 b/‎rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
+3-3
diff --git a/‎rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
+4-4 b/‎rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
+4-4
diff --git a/‎rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
+4-4 b/‎rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
+4-4
@@ -6,7 +6,7 @@ updated_date = "2021/07/13"
 [rule]
 author = ["Elastic"]
 description = """
-A POST request to web application returned a 403 response, which indicates the web application declined to process the
+A POST request to a web application returned a 403 response, which indicates the web application declined to process the
 request because the action requested was not allowed.
 """
 false_positives = [
 
@@ -6,8 +6,8 @@ updated_date = "2021/07/13"
 [rule]
 author = ["Elastic"]
 description = """
-A request to web application returned a 405 response which indicates the web application declined to process the request
-because the HTTP method is not allowed for the resource.
+A request to a web application returned a 405 response, which indicates the web application declined to process the
+request because the HTTP method is not allowed for the resource.
 """
 false_positives = [
     """
 
@@ -8,7 +8,7 @@ integration = "aws"
 author = ["Elastic", "Austin Songer"]
 description = """
 Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon
-VPC feature that you can use to copy network traffic from an elastic network interface. This feature can potentially be
+VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be
 abused to exfiltrate sensitive data from unencrypted internal traffic.
 """
 false_positives = [
 
@@ -6,11 +6,11 @@ integration = "aws"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
-description = "Identifies the deletion of an Amazon Relational Database Service (RDS) Security Group."
+description = "Identifies the deletion of an Amazon Relational Database Service (RDS) Security group."
 false_positives = [
     """
-    A RDS security group deletion may be done by a system or network administrator. Verify whether the user identity,
-    user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar
+    An RDS security group deletion may be done by a system or network administrator. Verify whether the user identity,
+    user agent, and/or hostname should be making changes in your environment. Security group deletions from unfamiliar
     users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the
     rule.
     """,
@@ -49,4 +49,3 @@ reference = "https://attack.mitre.org/techniques/T1531/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
@@ -32,10 +32,10 @@ The AWS Fleet integration, Filebeat module, or similarly structured data is requ
 
 ### Investigating Spikes in CloudTrail Errors
 Detection alerts from this rule indicate a large spike in the number of CloudTrail log messages that contain a particular error message. The error message in question was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:
-- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, manifested only very recently, it might be related to recent changes in an automation module or script.
-- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation or lateral movement attempts.
-- Consider the user as identified by the user.name field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
-- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?"""
+- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, only manifested recently, it might be related to recent changes in an automation module or script.
+- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation or lateral movement attempts.
+- Consider the user as identified by the user.name field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
+- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?"""
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "78d3d8d9-b476-451d-a9e0-7a5addd70670"
 
@@ -32,10 +32,10 @@ The AWS Fleet integration, Filebeat module, or similarly structured data is requ
 
 Investigating Unusual CloudTrail Error Activity ###
 Detection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:
-- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_code field`, manifested only very recently, it might be related to recent changes in an automation module or script.
+- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_code field`, only manifested recently, it might be related to recent changes in an automation module or script.
 - Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation, or lateral movement attempts.
-- Consider the user as identified by the `user.name` field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
-- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?"""
+- Consider the user as identified by the `user.name` field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
+- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?"""
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "19de8096-e2b0-4bd8-80c9-34a820813fff"
 
@@ -10,7 +10,7 @@ author = ["Elastic"]
 description = """
 A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from
 a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being
-used by a threat actor in a different geography then the authorized user(s).
+used by a threat actor in a different geography than the authorized user(s).
 """
 false_positives = [
     """
@@ -33,10 +33,10 @@ The AWS Fleet integration, Filebeat module, or similarly structured data is requ
 
 ### Investigating an Unusual CloudTrail Event
 Detection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:
-- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
-- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
+- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
+- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
 - Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?
-- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.
+- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.
 - Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 
@@ -10,7 +10,7 @@ author = ["Elastic"]
 description = """
 A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from
 a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being
-used by a threat actor in a different geography then the authorized user(s).
+used by a threat actor in a different geography than the authorized user(s).
 """
 false_positives = [
     """
@@ -33,10 +33,10 @@ The AWS Fleet integration, Filebeat module, or similarly structured data is requ
 
 ### Investigating an Unusual CloudTrail Event
 Detection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:
-- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
-- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
+- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
+- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
 - Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?
-- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.
+- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.
 - Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21