[Rule Tuning] adjust duplicate ssh brute force rule names and add unit test (#2321)

* added unit test for duplicate rule names

* adjusted macos file name and updated date values

* removed unit test and added assertion error in rule loader

* addressed flake errors

* addressed flake errors

* Update rules/linux/credential_access_potential_linux_ssh_bruteforce.toml
This commit is contained in:
Terrance DeJesus
2022-09-26 10:04:38 -04:00
committed by GitHub
parent 4366702b34
commit b00de3e445
4 changed files with 12 additions and 4 deletions
@@ -135,6 +135,7 @@ class DeprecatedCollection(BaseCollection):
id_map: Dict[str, DeprecatedRule] = field(default_factory=dict)
file_map: Dict[Path, DeprecatedRule] = field(default_factory=dict)
name_map: Dict[str, DeprecatedRule] = field(default_factory=dict)
rules: List[DeprecatedRule] = field(default_factory=list)
def __contains__(self, rule: DeprecatedRule):
@@ -161,6 +162,7 @@ class RuleCollection(BaseCollection):
self.id_map: Dict[definitions.UUIDString, TOMLRule] = {}
self.file_map: Dict[Path, TOMLRule] = {}
self.name_map: Dict[definitions.RuleName, TOMLRule] = {}
self.rules: List[TOMLRule] = []
self.deprecated: DeprecatedCollection = DeprecatedCollection()
self.errors: Dict[Path, Exception] = {}
@@ -208,13 +210,17 @@ class RuleCollection(BaseCollection):
if is_deprecated:
id_map = self.deprecated.id_map
file_map = self.deprecated.file_map
name_map = self.deprecated.name_map
else:
id_map = self.id_map
file_map = self.file_map
name_map = self.name_map
assert not self.frozen, f"Unable to add rule {rule.name} {rule.id} to a frozen collection"
assert rule.id not in id_map, \
f"Rule ID {rule.id} for {rule.name} collides with rule {id_map.get(rule.id).name}"
assert rule.name not in name_map, \
f"Rule Name {rule.name} for {rule.id} collides with rule ID {name_map.get(rule.name).id}"
if rule.path is not None:
rule_path = rule.path.resolve()
@@ -224,11 +230,13 @@ class RuleCollection(BaseCollection):
def add_rule(self, rule: TOMLRule):
self._assert_new(rule)
self.id_map[rule.id] = rule
self.name_map[rule.name] = rule
self.rules.append(rule)
def add_deprecated_rule(self, rule: DeprecatedRule):
self._assert_new(rule, is_deprecated=True)
self.deprecated.id_map[rule.id] = rule
self.deprecated.name_map[rule.name] = rule
self.deprecated.rules.append(rule)
def load_dict(self, obj: dict, path: Optional[Path] = None) -> Union[TOMLRule, DeprecatedRule]:
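Review bot: The new rule-name uniqueness check in `_assert_new` (like the ID check beside it) is an `assert`, so it is stripped entirely when the loader runs under `python -O` or `PYTHONOPTIMIZE`, and a duplicate name would then silently overwrite the earlier entry in `name_map` inside `add_rule` / `add_deprecated_rule`. Since this check is the replacement for the unit test the commit removed, it seems worth making it unconditional: `if rule.name in name_map:` followed by `raise ValueError(f"Rule Name {rule.name} for {rule.id} collides with rule ID {name_map[rule.name].id}")`. The assert style matches the existing checks in this method, so it may be a deliberate convention of the file. `_assert_new` begins before this hunk and its body continues past it.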
@@ -16,7 +16,7 @@ from = "now-9m"
index = ["auditbeat-*", "logs-system.auth-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential SSH Brute Force Detected"
name = "Potential Linux SSH Brute Force Detected"
note = """## Triage and analysis
### Investigating Potential SSH Brute Force Attack
@@ -3,7 +3,7 @@ creation_date = "2020/11/16"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/21"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential SSH Brute Force Detected"
name = "Potential macOS SSH Brute Force Detected"
references = ["https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"]
risk_score = 47
rule_id = "ace1e989-a541-44df-93a8-a8b0591b63c0"
@@ -80,7 +80,7 @@ class TestValidRules(BaseRuleTest):
duplicates = {name: paths for name, paths in name_map.items() if len(paths) > 1}
if duplicates:
self.fail(f"Found duplicated file names {duplicates}")
self.fail(f"Found duplicated file names: {duplicates}")
def test_rule_type_changes(self):
"""Test that a rule type did not change for a locked version"""