feat: add more clarification to the test (#3710)

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml

@@ -7,6 +7,7 @@ references:
     - https://twitter.com/mrd0x/status/1511489821247684615
 author: Florian Roth
 date: 2022/04/06
+modified: 2022/11/18
 tags:
     - attack.defense_evasion
     - attack.t1036
@@ -15,15 +16,14 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
-        Image|endswith: '\DumpMinitool.exe'
-    selection_original_name:
-        OriginalName: 'DumpMinitool.exe'
-    selection_flags:
+    selection_img:
+        - Image|endswith: '\DumpMinitool.exe'
+        - OriginalFileName: 'DumpMinitool.exe'
+    selection_cli:
         CommandLine|contains|all:
             - ' --processId '
             - ' --dumpType Full'
-    condition: 1 of selection*
+    condition: 1 of selection_*
 falsepositives:
     - Unknown
 level: medium

tests/test_rules.py

@@ -871,7 +871,8 @@ class TestRules(unittest.TestCase):
     def test_field_name_typo(self):
         # add "OriginalFilename" after Aurora switched to SourceFilename
         # add "ProviderName" after special case powershell classic is resolved
-        typos = ["ServiceFilename", "TargetFileName", "SourceFileName", "Commandline", "Targetobject"]
+        # typos is a list of tuples where each tuple contains ("The typo", "The correct version")
+        typos = [("ServiceFilename", "ServiceFileName"), ("TargetFileName", "TargetFilename"), ("SourceFileName", "OriginalFileName"), ("Commandline", "CommandLine"), ("Targetobject", "TargetObject"), ("OriginalName", "OriginalFileName")]
         faulty_rules = []
         for file in self.yield_next_rule_file_path(self.path_to_rules):
             detection = self.get_rule_part(file_path=file, part_name="detection")
@@ -880,8 +881,8 @@ class TestRules(unittest.TestCase):
                     if isinstance(detection[search_identifier], dict):
                         for field in detection[search_identifier]:
                             for typo in typos:
-                                if typo in field:
-                                    print(Fore.RED + "Rule {} has a common typo ({}) in selection ({}/{})".format(file, typo, search_identifier, field))
+                                if typo[0] in field:
+                                    print(Fore.RED + "Rule {} has a common typo ({}) which should be ({}) in selection ({}/{})".format(file, typo[0], typo[1], search_identifier, field))
                                     faulty_rules.append(file)
 
         self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with common typos in field names.")