From ac50c195cb460ce7d0b35509293db4d3192691ac Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Thu, 9 Jan 2025 16:34:16 -0500
Subject: [PATCH 1/3] updating rule
---
 ...ential_access_retrieve_secure_string_parameters_via_ssm.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml b/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
index b77b7bdd90c..5c835701fb9 100644
--- a/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
+++ b/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
@@ -71,7 +71,7 @@ severity = "medium"
 tags = [
 "Domain: Cloud",
 "Data Source: AWS",
- "Data Source: Amazon Web Services",
+ "Data Source: Amazon Web Service",
 "Data Source: AWS Systems Manager",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
From adf97297465e640baf0a8063665193b648edb246 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Thu, 9 Jan 2025 16:45:23 -0500
Subject: [PATCH 2/3] updated date
---
 ...ential_access_retrieve_secure_string_parameters_via_ssm.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml b/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
index 5c835701fb9..e52d30ab96a 100644
--- a/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
+++ b/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/12"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2025/01/09"
 [rule]
 author = ["Elastic"]
From 5ec2acd60aec9c7e0f83b77e2624485f310aa8f1 Mon Sep 17 00:00:00 2001
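Review bot: The replacement tag `"Data Source: Amazon Web Service"` drops the plural used on the removed line, and a tag is only useful as a filter key if every rule spells it the same way; if the repository's other AWS rules carry `Data Source: Amazon Web Services`, this rule will stop grouping with them and, where the tag vocabulary is validated, will be rejected. If the plural form is intentionally being retired, that rename belongs in one sweep across all AWS rules rather than in a single file; otherwise restore `    "Data Source: Amazon Web Services",`. The `tags` array opens inside the hunk but its closing bracket is outside it.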
From: terrancedejesus
Date: Thu, 9 Jan 2025 18:38:32 -0500
Subject: [PATCH 3/3] changing mitre
---
 ...cess_retrieve_secure_string_parameters_via_ssm.toml | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml b/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
index e52d30ab96a..794dc33ed24 100644
--- a/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
+++ b/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
@@ -91,13 +91,9 @@ event.dataset: aws.cloudtrail
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1555"
-name = "Credentials from Password Stores"
-reference = "https://attack.mitre.org/techniques/T1555/"
-[[rule.threat.technique.subtechnique]]
-id = "T1555.006"
-name = "Cloud Secrets Management Stores"
-reference = "https://attack.mitre.org/techniques/T1555/006/"
+id = "T1557"
+name = "Adversary-in-the-Middle"
+reference = "https://attack.mitre.org/techniques/T1557/"