Add RuleIDs and RuleNames to rule metadata, for community rules

PiperOrigin-RevId: 653009204

community/authentication/geoip_user_login_from_multiple_states_or_countries.yaral

@@ -19,6 +19,8 @@ rule geoip_user_login_from_multiple_states_or_countries {
   meta:
     author = "Google Cloud Security"
     description = "Detect multiple user logins from multiple states or countries using Chronicle GeoIP enrichment."
+    rule_id = "mr_3fa832e4-1ac0-42cd-9f0a-357d6b8fb12f"
+    rule_name = "GeoIP User Login From Multiple States Or Countries"
     type = "alert"
     data_source = "microsoft ad, azure ad, okta, aws cloudtrail, google scc"
     tags = "geoip enrichment"

community/authentication/logins_from_terminated_employees.yaral

@@ -19,6 +19,8 @@ rule logins_from_terminated_employees {
   meta:
     author = "Google Cloud Security"
     description = "Allowed Logins from Terminated Employees"
+    rule_id = "mr_69178541-285b-45cb-b723-e2b5d88f22d3"
+    rule_name = "Logins From Terminated Employees"
     assumptions = "This rule requires a context data source such as AzureAD AD Context or Workday to demonstrate the correlation of context logs with event logs"
     type = "alert"
     tags = "user enrichment"

community/aws/cloudtrail/aws_account_leaving_or_removed_from_organization.yaral

@@ -19,6 +19,8 @@ rule aws_account_leaving_or_removed_from_organization {
   meta:
     author = "Google Cloud Security"
     description = "Detect an AWS account attempting to leave or being removed from an AWS organization."
+    rule_id = "mr_eb9b7a74-0ad2-43e1-bf93-376844fe62b6"
+    rule_name = "AWS Account Leaving Or Removed From The Organization"
     mitre_attack_tactic = "Defense Evasion"
     mitre_attack_technique = "Impair Defenses"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1562/"

community/aws/cloudtrail/aws_api_call_outside_of_organization.yaral

@@ -19,6 +19,8 @@ rule aws_api_call_outside_of_organization {
   meta:
     author = "Google Cloud Security"
     description = "Detects API Calls from AWS accounts that are not part of the organization."
+    rule_id = "mr_205120b7-6654-410a-ab6d-e40484e2fafb"
+    rule_name = "AWS API Call Outside Of Organization"
     mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
     mitre_attack_technique = "Valid Accounts: Cloud Accounts"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1078/004/"

community/aws/cloudtrail/aws_cloudtrail_logging_tampered.yaral

@@ -19,6 +19,8 @@ rule aws_cloudtrail_logging_tampered {
   meta:
     author = "Google Cloud Security"
     description = "Detects when CloudTrail logging is updated, stopped or deleted."
+    rule_id = "mr_86f08675-4130-4b47-8978-067c18c8cb55"
+    rule_name = "AWS CloudTrail Logging Tampered"
     mitre_attack_tactic = "Defense Evasion"
     mitre_attack_technique = "Impair Defenses: Disable Cloud Logs"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1562/008/"

community/aws/cloudtrail/aws_config_service_modified.yaral

@@ -19,6 +19,8 @@ rule aws_config_service_modified {
   meta:
     author = "Google Cloud Security"
     description = "Detects when AWS Config Service is updated, stopped or deleted."
+    rule_id = "mr_9a5af6d7-5119-46db-ad24-72d7e873a56b"
+    rule_name = "AWS Config Service Modified"
     mitre_attack_tactic = "Defense Evasion"
     mitre_attack_technique = "Impair Defenses: Disable Cloud Logs"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1562/008/"

community/aws/cloudtrail/aws_console_login_without_mfa.yaral

@@ -19,6 +19,8 @@ rule aws_console_login_without_mfa {
     meta:
       author = "Google Cloud Security"
       description = "Detect when a user logs into AWS console without MFA."
+      rule_id = "mr_b03d1e57-7ed0-49e7-b125-6c18b364ae8c"
+      rule_name = "AWS Console Login Without MFA"
       mitre_attack_tactic = "Initial Access"
       mitre_attack_technique = "Valid Accounts: Cloud Accounts"
       mitre_attack_url = "https://attack.mitre.org/techniques/T1078/004/"

community/aws/cloudtrail/aws_delete_cloudwatch_log_group.yaral

@@ -19,6 +19,8 @@ rule aws_delete_cloudwatch_log_group {
   meta:
     author = "Google Cloud Security"
     description = "Detects when a CloudWatch log group is deleted."
+    rule_id = "mr_e1e4e137-341a-4302-af26-3bfe599bcc98"
+    rule_name = "AWS Delete CloudWatch Log Group"
     mitre_attack_tactic = "Defense Evasion"
     mitre_attack_technique = "Impair Defenses: Disable Cloud Logs"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1562/008/"

community/aws/cloudtrail/aws_delete_vpc_flow_logs.yaral

@@ -19,6 +19,8 @@ rule aws_delete_vpc_flow_logs {
   meta:
     author = "Google Cloud Security"
     description = "Detects when AWS VPC FLow Logs are deleted."
+    rule_id = "mr_b833ecbb-a3fb-4ea6-97dd-2c861c92620b"
+    rule_name = "AWS Delete VPC Flow Logs"
     mitre_attack_tactic = "Defense Evasion"
     mitre_attack_technique = "Impair Defenses: Disable Cloud Logs"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1562/008/"

community/aws/cloudtrail/aws_ec2_ami_or_snapshot_shared_publicly.yaral

@@ -19,6 +19,8 @@ rule aws_ec2_ami_or_snapshot_shared_publicly {
   meta:
     author = "Google Cloud Security"
     description = "Detects when an Amazon EC2 AMI or Snapshot is shared publicly."
+    rule_id = "mr_843a37db-dcd5-40b2-8b55-a00397fd5c0d"
+    rule_name = "AWS EC2 AMI Or Snapshot Shared Publicly"
     mitre_attack_tactic = "Exfiltration"
     mitre_attack_technique = "Transfer Data to Cloud Account"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1537/"

community/aws/cloudtrail/aws_ec2_get_windows_admin_password.yaral

@@ -19,6 +19,8 @@ rule aws_ec2_get_windows_admin_password {
   meta:
     author = "Google Cloud Security"
     description = "Detects a successful attempt to retrieve the encrypted Administrator password for a Windows EC2 instance."
+    rule_id = "mr_92364192-b3c7-4e5d-a1a1-eb7b3adbd0e4"
+    rule_name = "AWS EC2 Get Windows Admin Password"
     mitre_attack_tactic = "Credential Access"
     mitre_attack_technique = "Credentials from Password Stores"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1555/"

community/aws/cloudtrail/aws_ec2_high_number_of_api_calls.yaral

@@ -19,6 +19,8 @@ rule aws_ec2_high_number_of_api_calls {
   meta:
     author = "Google Cloud Security"
     description = "Detect when an EC2 instance makes high number of API calls."
+    rule_id = "mr_d19289e1-4385-4757-bf54-0f61e7a789a4"
+    rule_name = "AWS EC2 High Number Of API Calls"
     mitre_attack_tactic = "Discovery"
     mitre_attack_technique = "Cloud Infrastructure Discovery"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1580/"

community/aws/cloudtrail/aws_ec2_user_data_modified.yaral

@@ -19,6 +19,8 @@ rule aws_ec2_user_data_modified {
   meta:
     author = "Google Cloud Security"
     description = "Detect modifications to user data script on an EC2 instance."
+    rule_id = "mr_3167a29e-abbb-4d72-9f33-93df151d0224"
+    rule_name = "AWS EC2 User Data Modified"
     mitre_attack_tactic = "Privilege Escalation"
     mitre_attack_technique = "Boot or Logon Initialization Scripts"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1037/"

community/aws/cloudtrail/aws_enable_disable_region.yaral

@@ -19,6 +19,8 @@ rule aws_enable_disable_region {
   meta:
     author = "Google Cloud Security"
     description = "Detects when an AWS region is enabled or disabled."
+    rule_id = "mr_905d6ae2-4acc-4969-a85d-707c78db687f"
+    rule_name = "AWS Enable Or Disable Region"
     mitre_attack_tactic = "Defense Evasion"
     mitre_attack_technique = "Unused/Unsupported Cloud Regions"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1535/"

community/aws/cloudtrail/aws_excessive_successful_discovery_events.yaral

@@ -19,6 +19,8 @@ rule aws_excessive_successful_discovery_events {
   meta:
     author = "Google Cloud Security"
     description = "Detects excessive successful events within a 5 minute timeframe from an IAM User."
+    rule_id = "mr_087edc70-9943-498b-b579-aa6017026e39"
+    rule_name = "AWS Excessive Successful Discovery Events"
     mitre_attack_tactic = "Discovery"
     mitre_attack_technique = "Cloud Infrastructure Discovery"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1580/"

community/aws/cloudtrail/aws_guardduty_disabled.yaral

@@ -19,6 +19,8 @@ rule aws_guardduty_disabled {
   meta:
     author = "Google Cloud Security"
     description = "Detects when a GuardDuty Detector is disabled or suspended."
+    rule_id = "mr_22495d55-4177-425f-9a4e-8d836b01e976"
+    rule_name = "AWS GuardDuty Disabled"
     mitre_attack_tactic = "Defense Evasion"
     mitre_attack_technique = "Impair Defenses"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1562/"

community/aws/cloudtrail/aws_guardduty_publishing_destination_deleted.yaral

@@ -19,6 +19,8 @@ rule aws_guardduty_publishing_destination_deleted {
   meta:
     author = "Google Cloud Security"
     description = "Detects when a GuardDuty Detector's publishing destination has been deleted which will prevent the exporting of findings."
+    rule_id = "mr_630cd3d0-d22f-4e8a-9065-425bdbe1ab32"
+    rule_name = "AWS GuardDuty Publishing Destination Deleted"
     mitre_attack_tactic = "Defense Evasion"
     mitre_attack_technique = "Impair Defenses"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1562/"

community/aws/cloudtrail/aws_guardduty_trusted_or_threat_ip_lists_tampered.yaral

@@ -19,6 +19,8 @@ rule aws_guardduty_trusted_or_threat_ip_lists_tampered {
   meta:
     author = "Google Cloud Security"
     description = "Detects when a GuardDuty Detector's trusted or threat intel IP lists are deleted or disabled."
+    rule_id = "mr_bdf03398-6341-4f2a-a8ce-9056c82fda2e"
+    rule_name = "AWS GuardDuty Trusted Or Threat IP Lists Tampered"
     mitre_attack_tactic = "Defense Evasion"
     mitre_attack_technique = "Impair Defenses"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1562/"

community/aws/cloudtrail/aws_high_number_of_unknown_user_authentication_attempts.yaral

@@ -19,6 +19,8 @@ rule aws_high_number_of_unknown_user_authentication_attempts {
   meta:
     author = "Google Cloud Security"
     description = "Detects when a high number of failed authentication attempts happen for unknown users."
+    rule_id = "mr_3ddfee11-c959-4283-8fb4-1f57bdaaf2b1"
+    rule_name = "AWS High Number Of Unknown User Authentication Attempts"
     mitre_attack_tactic = "Credential Access"
     mitre_attack_technique = "Brute Force: Credential Stuffing"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1110/004/"

community/aws/cloudtrail/aws_iam_access_denied_discovery_events.yaral

@@ -19,6 +19,8 @@ rule aws_iam_access_denied_discovery_events {
   meta:
     author = "Google Cloud Security"
     description = "Detects excessive AccessDenied events within an hour timeframe from an IAM User"
+    rule_id = "mr_a175b0d9-4488-46cc-880a-2408cb301f41"
+    rule_name = "AWS IAM Access Denied Discovery Events"
     mitre_attack_tactic = "Discovery"
     mitre_attack_technique = "Cloud Infrastructure Discovery"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1580/"

community/aws/cloudtrail/aws_iam_activity_by_s3_browser_utility.yaral

@@ -19,6 +19,8 @@ rule aws_iam_activity_by_s3_browser_utility {
   meta:
     author = "Google Cloud Security"
     description = "Detect AWS IAM activities associated with the S3 Browser utility."
+    rule_id = "mr_003e618f-e099-4c72-a170-03d2e03836f9"
+    rule_name = "AWS IAM Activity By S3 Browser Utility"
     reference = "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"
     mitre_attack_tactic = "Persistence"
     mitre_attack_technique = "Account Manipulation"

community/aws/cloudtrail/aws_iam_activity_from_ec2_instance.yaral

@@ -19,6 +19,8 @@ rule aws_iam_activity_from_ec2_instance {
   meta:
     author = "Google Cloud Security"
     description = "Detect AWS IAM activities made by AWS EC2 instances to retain access or escalate privileges."
+    rule_id = "mr_60c7bb2f-2f02-4ac5-bbe0-ba8be871f3fb"
+    rule_name = "AWS IAM Activity From EC2 Instance"
     mitre_attack_tactic = "Persistence"
     mitre_attack_technique = "Account Manipulation"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1098/"

community/aws/cloudtrail/aws_iam_administrator_access_policy_attached.yaral

@@ -19,6 +19,8 @@ rule aws_iam_administrator_access_policy_attached {
   meta:
     author = "Google Cloud Security"
     description = "Detects when AWS IAM AdministratorAccess policy is attached to a user, group or role which can be used for privilege escalation."
+    rule_id = "mr_52c6643b-f6ce-4299-9fb6-05554901800c"
+    rule_name = "AWS IAM Administrator Access Policy Attached"
     mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
     mitre_attack_technique = "Valid Accounts: Cloud Accounts"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1078/004/"

community/aws/cloudtrail/aws_iam_compromised_key_quarantine_policy_attached.yaral

@@ -19,6 +19,8 @@ rule aws_iam_compromised_key_quarantine_policy_attached {
   meta:
     author = "Google Cloud Security"
     description = "Detect when the AWS managed policy AWSCompromisedKeyQuarantine has been attached to a user, role, or group. It is applied by the AWS team in the event that the credentials of an IAM user has been compromised or publicly exposed."
+    rule_id = "mr_3ac90268-e8bd-41b7-8fc1-e10ee165df8e"
+    rule_name = "AWS IAM Compromised Key Quarantine Policy Attached"
     mitre_attack_tactic = "Credential Access"
     mitre_attack_technique = "Unsecured Credentials"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1552/"

community/aws/cloudtrail/aws_kms_key_disabled_or_scheduled_for_deletion.yaral

@@ -19,6 +19,8 @@ rule aws_kms_key_disabled_or_scheduled_for_deletion {
   meta:
     author = "Google Cloud Security"
     description = "Detect when a KMS (Key Management Service) key is disabled or scheduled for deletion."
+    rule_id = "mr_b1947fef-7b98-4c10-8303-d6c9c032d84e"
+    rule_name = "AWS KMS Key Disabled Or Scheduled For Deletion"
     mitre_attack_tactic = "Impact"
     mitre_attack_technique = "Data Destruction"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1485/"

community/aws/cloudtrail/aws_lambda_update_function_code.yaral

@@ -19,6 +19,8 @@ rule aws_lambda_update_function_code {
   meta:
     author = "Google Cloud Security"
     description = "Detects an IAM user attempting to update/modify AWS lambda code."
+    rule_id = "mr_046e8bc7-2d48-4118-ae38-eb095a4333e3"
+    rule_name = "AWS Lambda Update Function Code"
     mitre_attack_tactic = "Execution"
     mitre_attack_technique = "Serverless Execution"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1648/"

community/aws/cloudtrail/aws_lateral_movement_using_iam_session_token.yaral

@@ -19,6 +19,8 @@ rule aws_lateral_movement_using_iam_session_token {
   meta:
     author = "Google Cloud Security"
     description = "Detect when an IAM session token is created and used from a different IP."
+    rule_id = "mr_ac0df875-fe5b-49af-bf2a-3da341177754"
+    rule_name = "AWS Lateral Movement Using IAM Session Token"
     mitre_attack_tactic = "Lateral Movement"
     mitre_attack_technique = "Use Alternate Authentication Material"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1550/"

community/aws/cloudtrail/aws_multi_factor_authentication_disabled.yaral

@@ -19,6 +19,8 @@ rule aws_multi_factor_authentication_disabled {
   meta:
     author = "Google Cloud Security"
     description = "Detects attempts to disable multi-factor authentication for an AWS IAM user."
+    rule_id = "mr_0d6bd993-c80b-4367-a921-5a542ab826b3"
+    rule_name = "AWS MultiFactor Authentication Disabled"
     mitre_attack_tactic = "Credential Access, Defense Evasion, Persistence"
     mitre_attack_technique = "Modify Authentication Process: Multi-Factor Authentication"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1556/006/"

community/aws/cloudtrail/aws_new_mfa_method_registered_for_user.yaral

@@ -19,6 +19,8 @@ rule aws_new_mfa_method_registered_for_user {
   meta:
     author = "Google Cloud Security"
     description = "Detects the registration of a new Multi Factor authentication method for an AWS user."
+    rule_id = "mr_bee2a210-111a-478a-a1a2-caeb9077eca2"
+    rule_name = "AWS New MFA Method Registered For User"
     mitre_attack_tactic = "Credential Access, Defense Evasion, Persistence"
     mitre_attack_technique = "Modify Authentication Process: Multi-Factor Authentication"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1556/006/"

community/aws/cloudtrail/aws_password_policy_change.yaral

@@ -19,6 +19,8 @@ rule aws_password_policy_change {
   meta:
     author = "Google Cloud Security"
     description = "Detects when an existing password policy is updated or deleted in an AWS account."
+    rule_id = "mr_2e66b918-acfc-46ea-b625-58732558005d"
+    rule_name = "AWS Password Policy Change"
     mitre_attack_tactic = "Discovery"
     mitre_attack_technique = "Password Policy Discovery"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1201/"

community/aws/cloudtrail/aws_privilege_escalation_using_iam_access_key.yaral

@@ -19,6 +19,8 @@ rule aws_privilege_escalation_using_iam_access_key {
   meta:
     author = "Google Cloud Security"
     description = "Detect when a user creates a new access key for another user and escalates privileges using this newly created access key from the same IP."
+    rule_id = "mr_a28c56ea-b5e6-4e23-8cb8-f306587b832b"
+    rule_name = "AWS Privilege Escalation Using IAM Access Key"
     mitre_attack_tactic = "Persistence"
     mitre_attack_technique = "Cloud Account"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1136/003/"

community/aws/cloudtrail/aws_privilege_escalation_using_iam_login_profile.yaral

@@ -19,6 +19,8 @@ rule aws_privilege_escalation_using_iam_login_profile {
   meta:
     author = "Google Cloud Security"
     description = "Detect when a user creates or updates a login profile for another user and escalates privileges using this new user from the same IP."
+    rule_id = "mr_b0d13079-dbe7-4c19-a8e9-23f98655a29b"
+    rule_name = "AWS Privilege Escalation Using IAM Login Profile"
     mitre_attack_tactic = "Persistence"
     mitre_attack_technique = "Cloud Account"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1136/003/"

community/aws/cloudtrail/aws_rds_snapshot_shared_publicly.yaral

@@ -19,6 +19,8 @@ rule aws_rds_snapshot_shared_publicly {
   meta:
     author = "Google Cloud Security"
     description = "Detects when an Amazon RDS Snapshot is shared publicly."
+    rule_id = "mr_d87cf718-8a9c-4f1d-bcf0-20f4f5f59d02"
+    rule_name = "AWS RDS Snapshot Shared Publicly"
     mitre_attack_tactic = "Exfiltration"
     mitre_attack_technique = "Transfer Data to Cloud Account"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1537/"

community/aws/cloudtrail/aws_s3_made_public_by_acl.yaral

@@ -18,6 +18,8 @@ rule aws_s3_made_public_by_acl {
   meta:
     author = "Google Cloud Security"
     description = "Detect when an AWS S3 bucket is made public using ACL."
+    rule_id = "mr_f0255a99-d90c-4640-a56e-0145f2672c2c"
+    rule_name = "AWS S3 Bucket Made Public By ACL"
     mitre_attack_tactic = "Defense Evasion"
     mitre_attack_technique = "Impair Defenses"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1562/"

community/aws/cloudtrail/aws_s3_public_access_block_removed.yaral

@@ -18,6 +18,8 @@ rule aws_s3_public_access_block_removed {
   meta:
     author = "Google Cloud Security"
     description = "Detect when the S3 Public Access Block configuration has been removed from a bucket or an account."
+    rule_id = "mr_07638aec-6719-467b-9fee-8de4993087fa"
+    rule_name = "AWS S3 Public Access Block Removed"
     mitre_attack_tactic = "Defense Evasion"
     mitre_attack_technique = "Impair Defenses"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1562/"

community/aws/cloudtrail/aws_saml_identity_provider_changes.yaral

@@ -19,6 +19,8 @@ rule aws_saml_identity_provider_changes {
   meta:
     author = "Google Cloud Security"
     description = "Detects create, update or delete events of a SAML provider in AWS."
+    rule_id = "mr_2f36760a-241d-4ace-9142-db0ccf1992b7"
+    rule_name = "AWS SAML Identity Provider Changes"
     mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
     mitre_attack_technique = "Valid Accounts"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1078/"

community/aws/cloudtrail/aws_security_group_open_to_world.yaral

@@ -19,6 +19,8 @@ rule aws_security_group_open_to_world {
   meta:
     author = "Google Cloud Security"
     description = "Detect when an AWS security group is opened to the world (0.0.0.0/0) or (::/0)"
+    rule_id = "mr_51e7e8c9-f460-4207-8aa9-70a58d3d1ee3"
+    rule_name = "AWS Security Group Open To The World"
     mitre_attack_tactic = "Defense Evasion"
     mitre_attack_technique = "Impair Defenses"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1562/"

community/aws/cloudtrail/aws_ses_service_modification.yaral

@@ -19,6 +19,8 @@ rule aws_ses_service_modification {
   meta:
     author = "Google Cloud Security"
     description = "Detect when the Amazon Simple Email Service (SES) has been modified where an attacker can modify Amazon SES service to propagate phishing emails campaigns."
+    rule_id = "mr_223bad6a-9c6a-4038-9990-18d3545598aa"
+    rule_name = "AWS SES Service Modification"
     mitre_attack_tactic = "Impact"
     mitre_attack_technique = "Resource Hijacking"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1496/"

community/aws/cloudtrail/aws_successful_api_from_tor_exit_node.yaral

@@ -19,6 +19,8 @@ rule aws_successful_api_from_tor_exit_node {
   meta:
     author = "Google Cloud Security"
     description = "Detects successful API executions from a Tor exit node."
+    rule_id = "mr_17232c2a-188e-4d6e-85b6-836cdc779655"
+    rule_name = "AWS Successful API From Tor Exit Node"
     mitre_attack_tactic = "Execution"
     mitre_attack_technique = "User Execution"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1204/"

community/aws/cloudtrail/aws_successful_console_authentication_from_multiple_ips.yaral

@@ -19,6 +19,8 @@ rule aws_successful_console_authentication_from_multiple_ips {
   meta:
     author = "Google Cloud Security"
     description = "Detects when an AWS user successfully authenticating from more than one unique IP address within 5 minutes."
+    rule_id = "mr_4a221c43-1059-4247-a7a6-69d8ce4dca2c"
+    rule_name = "AWS Successful Console Authentication From Multiple IPs"
     mitre_attack_tactic = "Resource Development"
     mitre_attack_technique = "Compromise Accounts"
     mitre_attack_url = "https://attack.mitre.org/techniques/T1586/"