From f60f76f7885d3fe91328363fecfd1c93aa85d02d Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Wed, 2 Oct 2024 15:50:22 -0400
Subject: [PATCH] [Rule Tuning] Fixing Incorrect ES|QL Operator Use - AWS Service Quotas Multi-Region `GetServiceQuota` Request (#4118)

* fixing single equal operator

* Additional data source tag for consistency

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
(cherry picked from commit 45a347580c5141b890f5180de2a2e315d10710f1)
---
 ...ry_servicequotas_multi_region_service_quota_requests.toml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml b/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml
index 304b46b52be..da2742f27cb 100644
--- a/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml
+++ b/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2024/08/26"
 maturity = "production"
-updated_date = "2024/08/26"
+updated_date = "2024/10/02"
 
 [rule]
 author = ["Elastic"]
@@ -25,6 +25,7 @@ severity = "low"
 tags = [
     "Domain: Cloud",
     "Data Source: AWS",
+    "Data Source: Amazon Web Services",
     "Data Source: AWS Service Quotas",
     "Use Case: Threat Detection",
     "Tactic: Discovery",
@@ -36,7 +37,7 @@ query = '''
 from logs-aws.cloudtrail-*
 
 // filter for GetServiceQuota API calls
-| where event.dataset == "aws.cloudtrail" and event.provider = "servicequotas.amazonaws.com" and event.action == "GetServiceQuota"
+| where event.dataset == "aws.cloudtrail" and event.provider == "servicequotas.amazonaws.com" and event.action == "GetServiceQuota"
 // truncate the timestamp to a 30-second window
 | eval target_time_window = DATE_TRUNC(30 seconds, @timestamp)
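Review bot: In the `tags` hunk the rule now carries both `"Data Source: AWS"` and the newly added `"Data Source: Amazon Web Services"`, two labels for the same data source, so the "consistency" the commit message claims is only half done. If the longer form is the convention the other AWS rules have moved to, the older `"Data Source: AWS"` entry should be dropped in the same change; if both are deliberately kept while the tag set is in transition, say so in the commit description so the duplicate is not "cleaned up" later by mistake. I cannot tell from this patch alone which convention the rest of the AWS rule set follows, so treat this as a question rather than a defect. Note that the `tags` array is cut by the hunk: its closing `]` is outside the visible lines.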