From 94c73e3ad7ea5995c3cad370060ea4a628bf3a9d Mon Sep 17 00:00:00 2001 From: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com> Date: Fri, 6 Mar 2026 17:12:45 -0500 Subject: [PATCH] [FR] Minor Typo Fixes (#5784) --- CONTRIBUTING.md | 2 +- hunting/index.md | 4 ++-- hunting/index.yml | 4 ++-- ...redential_access_mfa_bombing_push_notifications.md} | 2 +- ...dential_access_mfa_bombing_push_notifications.toml} | 2 +- .../docs/detect_rare_lsass_process_access_attempts.md | 10 +++++----- ...d_via_lolbins_and_with_low_occurrence_frequency.md} | 4 ++-- ...ble_file_creation_by_an_unusual_microsoft_binary.md | 8 ++++---- .../detect_rare_lsass_process_access_attempts.toml | 10 +++++----- ...via_lolbins_and_with_low_occurrence_frequency.toml} | 4 ++-- ...e_file_creation_by_an_unusual_microsoft_binary.toml | 8 ++++---- rules/README.md | 2 +- .../lateral_movement_onedrive_malware_uploaded.toml | 6 +++--- .../lateral_movement_sharepoint_malware_uploaded.toml | 4 ++-- ...escalation_port_monitor_print_processor_abuse.toml} | 3 +-- tests/test_all_rules.py | 2 +- 16 files changed, 37 insertions(+), 38 deletions(-) rename hunting/okta/docs/{credential_access_mfa_bombing_push_notications.md => credential_access_mfa_bombing_push_notifications.md} (95%) rename hunting/okta/queries/{credential_access_mfa_bombing_push_notications.toml => credential_access_mfa_bombing_push_notifications.toml} (99%) rename hunting/windows/docs/{domain_names_queried_via_lolbins_and_with_low_occurence_frequency.md => domain_names_queried_via_lolbins_and_with_low_occurrence_frequency.md} (89%) rename hunting/windows/queries/{domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml => domain_names_queried_via_lolbins_and_with_low_occurrence_frequency.toml} (96%) rename rules/windows/{privilege_escalation_port_monitor_print_pocessor_abuse.toml => privilege_escalation_port_monitor_print_processor_abuse.toml} (99%) 
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 859d63bf2..98aaaeb51 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -66,7 +66,7 @@ We'll tag issues and pull requests with the target release if applicable. If a r
 Of course, feel free to bump your issues if you think they've been neglected for a prolonged period.
-Issues and pull requests will be marked as `stale` after 60 days of inactivity. After 7 more days of incactivity, they will be closed automatically.
+Issues and pull requests will be marked as `stale` after 60 days of inactivity. After 7 more days of inactivity, they will be closed automatically.
 If an issue or pull request is marked `stale` and/or closed, this does not mean it is not important, just that there may be more work than available resources over a given time. We feel that it is a better experience to generate activity responding to a stale issue or letting it close, than to let something remain open and neglected for longer periods of time.
diff --git a/hunting/index.md b/hunting/index.md
index 0d6b79359..05f6f2049 100644
--- a/hunting/index.md
+++ b/hunting/index.md
@@ -121,7 +121,7 @@ Here are the queries currently available:
 - [Multiple Application SSO Authentication from the Same Source](./okta/docs/defense_evasion_multiple_application_sso_authentication_repeat_source.md) (ES|QL)
 - [OAuth Access Token Granted for Public Client App from Multiple Client Addresses](./okta/docs/defense_evasion_multiple_client_sources_reported_for_oauth_access_tokens_granted.md) (ES|QL)
 - [Password Spraying from Repeat Source](./okta/docs/initial_access_password_spraying_from_repeat_source.md) (ES|QL)
-- [Rapid MFA Deny Push Notifications (MFA Bombing)](./okta/docs/credential_access_mfa_bombing_push_notications.md) (ES|QL)
+- [Rapid MFA Deny Push Notifications (MFA Bombing)](./okta/docs/credential_access_mfa_bombing_push_notifications.md) (ES|QL)
 - [Rapid Reset Password Requests for Different Users](./okta/docs/credential_access_rapid_reset_password_requests_for_different_users.md) (ES|QL)
 - [Rare Occurrence of Domain with User Authentication Events](./okta/docs/persistence_rare_domain_with_user_authentication.md) (ES|QL)
 - [Rare Occurrence of OAuth Access Token Granted to Public Client App](./okta/docs/defense_evasion_rare_oauth_access_token_granted_by_application.md) (ES|QL)
@@ -130,7 +130,7 @@ Here are the queries currently available:
 ## windows
 - [DLL Hijack via Masquerading as Microsoft Native Libraries](./windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.md) (ES|QL)
-- [DNS Queries via LOLBins with Low Occurence Frequency](./windows/docs/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.md) (ES|QL)
+- [DNS Queries via LOLBins with Low Occurrence Frequency](./windows/docs/domain_names_queried_via_lolbins_and_with_low_occurrence_frequency.md) (ES|QL)
 - [Egress Network Connections with Total Bytes Greater than Threshold](./windows/docs/potential_exfiltration_by_process_total_egress_bytes.md) (ES|QL)
 - [Excessive RDP Network Activity by Host and User](./windows/docs/excessive_rdp_network_activity_by_source_host_and_user.md) (ES|QL)
 - [Excessive SMB Network Activity by Process ID](./windows/docs/excessive_smb_network_activity_by_process_id.md) (ES|QL)
diff --git a/hunting/index.yml b/hunting/index.yml
index bcfdc1168..84f2953e6 100644
--- a/hunting/index.yml
+++ b/hunting/index.yml
@@ -358,7 +358,7 @@ okta:
 - T1078.004
 223451b0-6eca-11ef-a070-f661ea17fbcc:
 name: Rapid MFA Deny Push Notifications (MFA Bombing)
-path: ./okta/queries/credential_access_mfa_bombing_push_notications.toml
+path: ./okta/queries/credential_access_mfa_bombing_push_notifications.toml
 mitre:
 - T1621
 11666aa0-71d9-11ef-a9be-f661ea17fbcc:
@@ -592,7 +592,7 @@ windows:
 - T1047
 1c7be6db-12eb-4281-878d-b6abe0454f36:
 name: DNS Queries via LOLBins with Low Occurence Frequency
-path: ./windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml
+path: ./windows/queries/domain_names_queried_via_lolbins_and_with_low_occurrence_frequency.toml
 mitre:
 - T1071
 386f9cec-bb44-4dd2-8368-45e6fa0a425b:
diff --git a/hunting/okta/docs/credential_access_mfa_bombing_push_notications.md b/hunting/okta/docs/credential_access_mfa_bombing_push_notifications.md
similarity index 95%
rename from hunting/okta/docs/credential_access_mfa_bombing_push_notications.md
rename to hunting/okta/docs/credential_access_mfa_bombing_push_notifications.md
index c139616e4..0d1f3ef67 100644
--- a/hunting/okta/docs/credential_access_mfa_bombing_push_notications.md
+++ b/hunting/okta/docs/credential_access_mfa_bombing_push_notifications.md
@@ -10,7 +10,7 @@
 - **UUID:** `223451b0-6eca-11ef-a070-f661ea17fbcc`
 - **Integration:** [okta](https://docs.elastic.co/integrations/okta)
 - **Language:** `[ES|QL]`
-- **Source File:** [Rapid MFA Deny Push Notifications (MFA Bombing)](../queries/credential_access_mfa_bombing_push_notications.toml)
+- **Source File:** [Rapid MFA Deny Push Notifications (MFA Bombing)](../queries/credential_access_mfa_bombing_push_notifications.toml)
 ## Query
diff --git a/hunting/okta/queries/credential_access_mfa_bombing_push_notications.toml b/hunting/okta/queries/credential_access_mfa_bombing_push_notifications.toml
similarity index 99%
rename from hunting/okta/queries/credential_access_mfa_bombing_push_notications.toml
rename to hunting/okta/queries/credential_access_mfa_bombing_push_notifications.toml
index c680cd003..b0c203602 100644
--- a/hunting/okta/queries/credential_access_mfa_bombing_push_notications.toml
+++ b/hunting/okta/queries/credential_access_mfa_bombing_push_notifications.toml
@@ -31,4 +31,4 @@ from logs-okta*
 // Filter for users with more than 5 MFA deny push notifications
 | where deny_push_count >= 5
 """
-]
\ No newline at end of file
+]
diff --git a/hunting/windows/docs/detect_rare_lsass_process_access_attempts.md b/hunting/windows/docs/detect_rare_lsass_process_access_attempts.md
index 5fd7bf834..012065c79 100644
--- a/hunting/windows/docs/detect_rare_lsass_process_access_attempts.md
+++ b/hunting/windows/docs/detect_rare_lsass_process_access_attempts.md
@@ -5,7 +5,7 @@
 ## Metadata
 - **Author:** Elastic
-- **Description:** This hunt identifies instances where a process attempts to open the Local Security Authority Subsystem Service (LSASS) memory and where the number of occurences is limited to one unique agent and a low number of attempts. This may indicate either a rare legitimate condition or a malicious process attempting to obtain credentials or inject code into the LSASS.
+- **Description:** This hunt identifies instances where a process attempts to open the Local Security Authority Subsystem Service (LSASS) memory and where the number of occurrences is limited to one unique agent and a low number of attempts. This may indicate either a rare legitimate condition or a malicious process attempting to obtain credentials or inject code into the LSASS.
 - **UUID:** `d0aed6f5-f84c-4da8-bb2a-b5ca0fbb55e0`
 - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows)
@@ -22,8 +22,8 @@ from logs-endpoint.events.api*
 | keep process.executable.caseless, host.id
 /* normalize process paths to reduce known random patterns in process.executable */
 | eval process = replace(process.executable.caseless, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
-| stats occurences = count(process), agents = count_distinct(host.id) by process
-| where agents == 1 and occurences <= 10
+| stats occurrences = count(process), agents = count_distinct(host.id) by process
+| where agents == 1 and occurrences <= 10
 ```
 ```sql
@@ -35,8 +35,8 @@ from logs-windows.sysmon_operational-*
 /* normalize process paths to reduce known random patterns in process.executable */
 | eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
 | eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\")
-| stats occurences = count(process_path), agents = count_distinct(host.id) by process_path
-| where agents == 1 and occurences <= 10
+| stats occurrences = count(process_path), agents = count_distinct(host.id) by process_path
+| where agents == 1 and occurrences <= 10
 ```
 ## Notes
diff --git a/hunting/windows/docs/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.md b/hunting/windows/docs/domain_names_queried_via_lolbins_and_with_low_occurrence_frequency.md
similarity index 89%
rename from hunting/windows/docs/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.md
rename to hunting/windows/docs/domain_names_queried_via_lolbins_and_with_low_occurrence_frequency.md
index ac182bffb..8e1e62e30 100644
--- a/hunting/windows/docs/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.md
+++ b/hunting/windows/docs/domain_names_queried_via_lolbins_and_with_low_occurrence_frequency.md
@@ -1,4 +1,4 @@
-# DNS Queries via LOLBins with Low Occurence Frequency
+# DNS Queries via LOLBins with Low Occurrence Frequency
 ---
@@ -10,7 +10,7 @@
 - **UUID:** `1c7be6db-12eb-4281-878d-b6abe0454f36`
 - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows)
 - **Language:** `[ES|QL]`
-- **Source File:** [DNS Queries via LOLBins with Low Occurence Frequency](../queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml)
+- **Source File:** [DNS Queries via LOLBins with Low Occurrence Frequency](../queries/domain_names_queried_via_lolbins_and_with_low_occurrence_frequency.toml)
 ## Query
diff --git a/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary.md b/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary.md
index f485293b9..60ebb59e2 100644
--- a/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary.md
+++ b/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary.md
@@ -22,8 +22,8 @@ from logs-endpoint.events.file-*
 starts_with(file.Ext.header_bytes, "4d5a") and process.code_signature.status == "trusted" and starts_with(process.code_signature.subject_name, "Microsoft") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe"""
 | keep process.executable, host.id
-| stats occurences = count(*), agents = count_distinct(host.id) by process.executable
-| where agents == 1 and occurences <= 10
+| stats occurrences = count(*), agents = count_distinct(host.id) by process.executable
+| where agents == 1 and occurrences <= 10
 ```
 ```sql
@@ -32,8 +32,8 @@ from logs-windows.sysmon_operational-*
 | where host.os.family == "windows" and event.category == "file" and event.action == "FileCreate" and file.extension in ("exe", "dll") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe"""
 | keep process.executable, host.id
-| stats occurences = count(*), agents = count_distinct(host.id) by process.executable
-| where agents == 1 and occurences <= 10
+| stats occurrences = count(*), agents = count_distinct(host.id) by process.executable
+| where agents == 1 and occurrences <= 10
 ```
 ## Notes
diff --git a/hunting/windows/queries/detect_rare_lsass_process_access_attempts.toml b/hunting/windows/queries/detect_rare_lsass_process_access_attempts.toml
index a4505180d..416f10af8 100644
--- a/hunting/windows/queries/detect_rare_lsass_process_access_attempts.toml
+++ b/hunting/windows/queries/detect_rare_lsass_process_access_attempts.toml
@@ -1,7 +1,7 @@
 [hunt]
 author = "Elastic"
 description = """
-This hunt identifies instances where a process attempts to open the Local Security Authority Subsystem Service (LSASS) memory and where the number of occurences is limited to one unique agent and a low number of attempts. This may indicate either a rare legitimate condition or a malicious process attempting to obtain credentials or inject code into the LSASS.
+This hunt identifies instances where a process attempts to open the Local Security Authority Subsystem Service (LSASS) memory and where the number of occurrences is limited to one unique agent and a low number of attempts. This may indicate either a rare legitimate condition or a malicious process attempting to obtain credentials or inject code into the LSASS.
 """
 integration = ["endpoint", "windows"]
 uuid = "d0aed6f5-f84c-4da8-bb2a-b5ca0fbb55e0"
@@ -17,8 +17,8 @@ from logs-endpoint.events.api*
 | keep process.executable.caseless, host.id
 /* normalize process paths to reduce known random patterns in process.executable */
 | eval process = replace(process.executable.caseless, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
-| stats occurences = count(process), agents = count_distinct(host.id) by process
-| where agents == 1 and occurences <= 10
+| stats occurrences = count(process), agents = count_distinct(host.id) by process
+| where agents == 1 and occurrences <= 10
 ''',
 '''
 from logs-windows.sysmon_operational-*
@@ -29,8 +29,8 @@ from logs-windows.sysmon_operational-*
 /* normalize process paths to reduce known random patterns in process.executable */
 | eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
 | eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\")
-| stats occurences = count(process_path), agents = count_distinct(host.id) by process_path
-| where agents == 1 and occurences <= 10
+| stats occurrences = count(process_path), agents = count_distinct(host.id) by process_path
+| where agents == 1 and occurrences <= 10
 '''
 ]
 notes = [
diff --git a/hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml b/hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurrence_frequency.toml
similarity index 96%
rename from hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml
rename to hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurrence_frequency.toml
index c7473153f..bc4716630 100644
--- a/hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml
+++ b/hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurrence_frequency.toml
@@ -5,7 +5,7 @@ This hunt looks for DNS queries performed by commonly abused Microsoft binaries
 """
 integration = ["endpoint", "windows"]
 uuid = "1c7be6db-12eb-4281-878d-b6abe0454f36"
-name = "DNS Queries via LOLBins with Low Occurence Frequency"
+name = "DNS Queries via LOLBins with Low Occurrence Frequency"
 language = ["ES|QL"]
 license = "Elastic License v2"
 notes = [
@@ -23,4 +23,4 @@ from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
 | stats occurrences = count(*), hosts = count_distinct(host.id) by process.name, dns.question.name
 | where hosts == 1
 ''',
-]
\ No newline at end of file
+]
diff --git a/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml b/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml
index 4a3cb454e..f259ae485 100644
--- a/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml
+++ b/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml
@@ -24,8 +24,8 @@ from logs-endpoint.events.file-*
 starts_with(file.Ext.header_bytes, "4d5a") and process.code_signature.status == "trusted" and starts_with(process.code_signature.subject_name, "Microsoft") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe"""
 | keep process.executable, host.id
-| stats occurences = count(*), agents = count_distinct(host.id) by process.executable
-| where agents == 1 and occurences <= 10
+| stats occurrences = count(*), agents = count_distinct(host.id) by process.executable
+| where agents == 1 and occurrences <= 10
 ''',
 '''
 from logs-windows.sysmon_operational-*
@@ -33,7 +33,7 @@ from logs-windows.sysmon_operational-*
 | where host.os.family == "windows" and event.category == "file" and event.action == "FileCreate" and file.extension in ("exe", "dll") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe"""
 | keep process.executable, host.id
-| stats occurences = count(*), agents = count_distinct(host.id) by process.executable
-| where agents == 1 and occurences <= 10
+| stats occurrences = count(*), agents = count_distinct(host.id) by process.executable
+| where agents == 1 and occurrences <= 10
 '''
 ]
\ No newline at end of file
diff --git a/rules/README.md b/rules/README.md
index 7f33b2195..56d5d6b03 100644
--- a/rules/README.md
+++ b/rules/README.md
@@ -27,5 +27,5 @@ Integration specific rules are stored in the [`integrations/`](integrations) dir
 | [`gcp/`](integrations/gcp) | Google Cloud Platform (GCP) |
 | [`google_workspace/`](integrations/google_workspace) | Google Workspace (formerly GSuite) |
 | [`o365/`](integrations/o365) | Microsoft Office |
-| [`okta/`](integrations/okta) | Oka |
+| [`okta/`](integrations/okta) | Okta |
diff --git a/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml b/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml
index f050f51bc..29d2607f6 100644
--- a/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml
+++ b/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml
@@ -2,14 +2,14 @@
 creation_date = "2022/01/10"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/02/25"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers
+Identifies the occurrence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers
 can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access.
-Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain
+Users can inadvertently share these files without knowing their maliciousness, giving adversaries an opportunity to gain
 initial access to other endpoints in the environment.
 """
 false_positives = ["Benign files can trigger signatures in the built-in virus protection"]
diff --git a/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml b/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml
index 4e5dead2c..68a66be67 100644
--- a/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml
+++ b/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml
@@ -2,12 +2,12 @@
 creation_date = "2022/01/10"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/02/25"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine.
+Identifies the occurrence of files uploaded to SharePoint being detected as Malware by the file scanning engine.
 Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.
diff --git a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml
similarity index 99%
rename from rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
rename to rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml
index 507d5cfaa..e4d788cb9 100644
--- a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
+++ b/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/21"
 integration = ["endpoint", "m365_defender"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/02/25"
 [rule]
 author = ["Elastic"]
@@ -125,4 +125,3 @@ reference = "https://attack.mitre.org/techniques/T1547/012/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index e764bc550..584b6fba1 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -793,7 +793,7 @@ class TestRuleMetadata(BaseRuleTest):
 # If the output is not empty, then file(s) have changed in the directory(s)
 if result:
-modified_rules = result.splitlines()
+modified_rules = [path for path in result.splitlines() if path.endswith(".toml")]
 failed_rules = []
 for modified_rule_path in modified_rules:
 diff_output = detection_rules_git("diff", "origin/main", modified_rule_path)
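Review bot: The new `.toml` filter on `modified_rules` has no comment explaining it, and the comment two lines above ("file(s) have changed in the directory(s)") still describes the unfiltered git output, so a reader cannot tell why non-rule files under the directory are now skipped; add a line beside the comprehension such as `# Only rule files carry metadata to check; skip other files under the rules directory (e.g. READMEs)`. The `result` string comes from a git invocation that sits outside this hunk, so this is an inference, but if that call does not disable path quoting, git prints paths with unusual characters wrapped in double quotes, and such an entry would end in `"` rather than `.toml` and be dropped silently by `endswith`; either unquote before filtering or pass `-z` / set `core.quotePath=false` on the git side. The enclosing test method starts before the hunk.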