diff --git a/packages/aws/data_stream/guardduty/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/guardduty/elasticsearch/ingest_pipeline/default.yml
index 8bd3e651764..0d9cab8ec35 100644
--- a/packages/aws/data_stream/guardduty/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/aws/data_stream/guardduty/elasticsearch/ingest_pipeline/default.yml
@@ -15,6 +15,11 @@ processors:
       target_field: event.original
       ignore_missing: true
       if: 'ctx.event?.original == null'
+  - remove:
+      field: message
+      ignore_missing: true
+      if: 'ctx.event?.original != null'
+      description: 'The `message` field is no longer required if the document has an `event.original` field.'
   - json:
       field: event.original
       target_field: json
diff --git a/packages/aws/data_stream/inspector/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/inspector/elasticsearch/ingest_pipeline/default.yml
index 00b578fd23c..1d9a1c4a455 100644
--- a/packages/aws/data_stream/inspector/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/aws/data_stream/inspector/elasticsearch/ingest_pipeline/default.yml
@@ -15,6 +15,11 @@ processors:
       target_field: event.original
       ignore_missing: true
       if: 'ctx.event?.original == null'
+  - remove:
+      field: message
+      ignore_missing: true
+      if: 'ctx.event?.original != null'
+      description: 'The `message` field is no longer required if the document has an `event.original` field.'
   - json:
       field: event.original
       target_field: json
diff --git a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
index 76b3973b811..5846848f4d5 100644
--- a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
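Review bot: The added `remove` discards `message` whenever `event.original` is already populated, without checking that the two hold the same payload, so a document that arrives with a pre-set `event.original` and a different `message` loses the latter before the `json` processor runs and it cannot be recovered from the indexed document. The processor that copies `message` into `event.original` starts above the hunk (only its `target_field`, `ignore_missing` and `if` lines are visible), so this reading is inferred from the `if: 'ctx.event?.original == null'` guard. If both fields are expected to be identical, make that explicit with `if: 'ctx.event?.original != null && ctx.event.original == ctx.message'` so a divergent `message` survives for investigation; if a pre-existing `event.original` is meant to win unconditionally, say so in the description, e.g. `description: 'Drop message; a pre-existing event.original is treated as authoritative.'`.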
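Review bot: The new `remove` processor in the inspector pipeline keys only on `event.original` being non-null, so when an upstream shipper has already set `event.original` the raw `message` is dropped even if its content differs, and the `json` processor that follows then parses whatever `event.original` holds with no trace of the discarded text. The copy of `message` into `event.original` is the processor that begins above this hunk, visible here only through its `if: 'ctx.event?.original == null'` guard, so I am inferring its `field:` from context. Consider guarding the removal on equality, `if: 'ctx.event?.original != null && ctx.event.original == ctx.message'`, or documenting in the `description` that a pre-existing `event.original` deliberately takes precedence over `message`.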
@@ -22,6 +22,11 @@ processors:
       target_field: event.original
       ignore_missing: true
       if: 'ctx.event?.original == null'
+  - remove:
+      field: message
+      ignore_missing: true
+      if: 'ctx.event?.original != null'
+      description: 'The `message` field is no longer required if the document has an `event.original` field.'
   - json:
       field: event.original
       target_field: json
diff --git a/packages/aws/data_stream/securityhub_insights/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/securityhub_insights/elasticsearch/ingest_pipeline/default.yml
index 2cc7e5384a8..932bdf2ba5b 100644
--- a/packages/aws/data_stream/securityhub_insights/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/aws/data_stream/securityhub_insights/elasticsearch/ingest_pipeline/default.yml
@@ -15,6 +15,11 @@ processors:
       target_field: event.original
       ignore_missing: true
       if: 'ctx.event?.original == null'
+  - remove:
+      field: message
+      ignore_missing: true
+      if: 'ctx.event?.original != null'
+      description: 'The `message` field is no longer required if the document has an `event.original` field.'
   - json:
       field: event.original
       target_field: json
diff --git a/packages/aws/data_stream/waf/_dev/test/pipeline/test-waf.log-expected.json b/packages/aws/data_stream/waf/_dev/test/pipeline/test-waf.log-expected.json
index f0852ca8657..7c345a8d6b4 100644
--- a/packages/aws/data_stream/waf/_dev/test/pipeline/test-waf.log-expected.json
+++ b/packages/aws/data_stream/waf/_dev/test/pipeline/test-waf.log-expected.json
@@ -430,4 +430,4 @@
         ]
     }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/aws/data_stream/waf/fields/fields.yml b/packages/aws/data_stream/waf/fields/fields.yml
index b4a9343da97..8a3d247d701 100644
--- a/packages/aws/data_stream/waf/fields/fields.yml
+++ b/packages/aws/data_stream/waf/fields/fields.yml
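Review bot: In the securityhub_findings pipeline the added `remove` of `message` fires whenever `event.original` is set, which includes the case where `event.original` was already present on ingest and `message` carries something else; that `message` is then gone before the `json` processor runs, with nothing left in the document to show it differed. The processor that populates `event.original` from `message` begins above the hunk, so only its `if: 'ctx.event?.original == null'` guard is visible here. If the two are meant to be duplicates, tighten the condition to `if: 'ctx.event?.original != null && ctx.event.original == ctx.message'`; otherwise reword the `description` to state that a pre-existing `event.original` is authoritative and `message` is intentionally discarded.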
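Review bot: The securityhub_insights hunk removes `message` on the sole condition that `event.original` is non-null, so a divergent `message` on a document that already carried `event.original` is silently dropped before the `json` parse that follows. That `event.original` is normally derived from `message` is inferred from the `if: 'ctx.event?.original == null'` guard of the processor above, whose `field:` line is outside the hunk. A comparison in the condition, `if: 'ctx.event?.original != null && ctx.event.original == ctx.message'`, would keep a differing `message` for investigation, or the `description` should state explicitly that a pre-existing `event.original` wins and `message` is discarded regardless of content.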
@@ -13,6 +13,48 @@
       type: nested
       description: |
         The list of non-terminating rules in the rule group that match the request. These are always COUNT rules (non-terminating rules that match)
+      fields:
+        - name: action
+          type: keyword
+        - name: ruleId
+          type: keyword
+        - name: ruleMatchDetails
+          type: nested
+          fields:
+            - name: conditionType
+              type: keyword
+            - name: location
+              type: keyword
+            - name: matchedData
+              type: keyword
+    - name: rule_group_list
+      type: nested
+      fields:
+        - name: nonTerminatingMatchingRules
+          type: nested
+          fields:
+            - name: action
+              type: keyword
+            - name: ruleId
+              type: keyword
+            - name: ruleMatchDetails
+              type: nested
+              fields:
+                - name: conditionType
+                  type: keyword
+                - name: location
+                  type: keyword
+                - name: matchedData
+                  type: keyword
+        - name: ruleGroupId
+          type: keyword
+        - name: terminatingRule
+          type: group
+          fields:
+            - name: action
+              type: keyword
+            - name: ruleId
+              type: keyword
     - name: rate_based_rule_list
       type: nested
       description: |
@@ -37,3 +79,10 @@
       type: nested
       description: |
         Detailed information about the terminating rule that matched the request. A terminating rule has an action that ends the inspection process against a web request. Possible actions for a terminating rule are ALLOW and BLOCK. This is only populated for SQL injection and cross-site scripting (XSS) match rule statements. As with all rule statements that inspect for more than one thing, AWS WAF applies the action on the first match and stops inspecting the web request. A web request with a terminating action could contain other threats, in addition to the one reported in the log.
+      fields:
+        - name: conditionType
+          type: keyword
+        - name: location
+          type: keyword
+        - name: matchedData
+          type: keyword
diff --git a/packages/aws/docs/waf.md b/packages/aws/docs/waf.md
index b696af26fbb..c2297bd2819 100644
--- a/packages/aws/docs/waf.md
+++ b/packages/aws/docs/waf.md
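Review bot: The hunk introduces a fresh `- name: rule_group_list` entry (type `nested`, no `description`) while the docs hunk for waf.md keeps an unchanged `aws.waf.rule_group_list` row that still carries a description, which suggests the field is already defined elsewhere in fields.yml outside this hunk; if so, the new entry duplicates it and the `nonTerminatingMatchingRules`, `ruleGroupId` and `terminatingRule` sub-fields should be attached to the existing definition instead of a second one. None of the added leaf fields has a `description`, which is why their rows in the generated table have empty description cells; one line each, e.g. `description: Action the rule applied to the request (COUNT for non-terminating rules).`, would fix that. The new names (`ruleId`, `ruleMatchDetails`, `conditionType`, `matchedData`) are camelCase under snake_case parents; that presumably mirrors the AWS WAF log keys, but a short comment saying so would stop a later cleanup from "correcting" them and breaking the mapping. The enclosing `non_terminating_matching_rules` entry starts above the hunk.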
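Review bot: `matchedData` under `terminating_rule_match_details` is added without a `description`, and the context description just above says this block is only populated for SQL injection and XSS match statements, so the value is presumably the fragment of the request that tripped the rule, i.e. attacker-supplied input; a description should say so because dashboards and alert templates will render it, e.g. `description: The request data the rule statement matched on; attacker-controlled input, treat as untrusted when rendered.`. `conditionType` and `location` should get one-line descriptions as well so the generated docs table is not left with empty cells. Because it is mapped as `keyword`, confirm that the package's default `ignore_above` covers the lengths WAF reports, so an oversized matched payload is neither dropped silently nor rejected at index time; I cannot verify that from this hunk. The `terminating_rule_match_details` entry itself begins above the hunk.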
@@ -77,13 +77,27 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | aws.s3.object.key | The AWS S3 Object key. | keyword |
 | aws.waf.arn | AWS ARN of ACL | keyword |
 | aws.waf.id | ID of ACL | keyword |
-| aws.waf.non_terminating_matching_rules | The list of non-terminating rules in the rule group that match the request. These are always COUNT rules (non-terminating rules that match) | nested |
+| aws.waf.non_terminating_matching_rules.action | | keyword |
+| aws.waf.non_terminating_matching_rules.ruleId | | keyword |
+| aws.waf.non_terminating_matching_rules.ruleMatchDetails.conditionType | | keyword |
+| aws.waf.non_terminating_matching_rules.ruleMatchDetails.location | | keyword |
+| aws.waf.non_terminating_matching_rules.ruleMatchDetails.matchedData | | keyword |
 | aws.waf.rate_based_rule_list | The list of rate-based rules that acted on the request. | nested |
 | aws.waf.request.headers | List of request headers | flattened |
 | aws.waf.rule_group_list | The list of rule groups that acted on this request. | nested |
+| aws.waf.rule_group_list.nonTerminatingMatchingRules.action | | keyword |
+| aws.waf.rule_group_list.nonTerminatingMatchingRules.ruleId | | keyword |
+| aws.waf.rule_group_list.nonTerminatingMatchingRules.ruleMatchDetails.conditionType | | keyword |
+| aws.waf.rule_group_list.nonTerminatingMatchingRules.ruleMatchDetails.location | | keyword |
+| aws.waf.rule_group_list.nonTerminatingMatchingRules.ruleMatchDetails.matchedData | | keyword |
+| aws.waf.rule_group_list.ruleGroupId | | keyword |
+| aws.waf.rule_group_list.terminatingRule.action | | keyword |
+| aws.waf.rule_group_list.terminatingRule.ruleId | | keyword |
 | aws.waf.source.id | The source ID. This field shows the ID of the associated resource. | keyword |
 | aws.waf.source.name | The source of the request. Possible values: CF for Amazon CloudFront, APIGW for Amazon API Gateway, ALB for Application Load Balancer, and APPSYNC for AWS AppSync. | keyword |
-| aws.waf.terminating_rule_match_details | Detailed information about the terminating rule that matched the request. A terminating rule has an action that ends the inspection process against a web request. Possible actions for a terminating rule are ALLOW and BLOCK. This is only populated for SQL injection and cross-site scripting (XSS) match rule statements. As with all rule statements that inspect for more than one thing, AWS WAF applies the action on the first match and stops inspecting the web request. A web request with a terminating action could contain other threats, in addition to the one reported in the log. | nested |
+| aws.waf.terminating_rule_match_details.conditionType | | keyword |
+| aws.waf.terminating_rule_match_details.location | | keyword |
+| aws.waf.terminating_rule_match_details.matchedData | | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
diff --git a/packages/aws/manifest.yml b/packages/aws/manifest.yml
index 13b432345a8..dfae8dab2f0 100644
--- a/packages/aws/manifest.yml
+++ b/packages/aws/manifest.yml
@@ -1,4 +1,4 @@
-format_version: 3.0.0
+format_version: 3.3.1
 name: aws
 title: AWS
 version: 2.36.2