diff --git a/detection_rules/rule_loader.py b/detection_rules/rule_loader.py
index 79364ff61..cfa136924 100644
--- a/detection_rules/rule_loader.py
+++ b/detection_rules/rule_loader.py
@@ -135,6 +135,7 @@ class DeprecatedCollection(BaseCollection):
 id_map: Dict[str, DeprecatedRule] = field(default_factory=dict)
 file_map: Dict[Path, DeprecatedRule] = field(default_factory=dict)
+ name_map: Dict[str, DeprecatedRule] = field(default_factory=dict)
 rules: List[DeprecatedRule] = field(default_factory=list)
 def __contains__(self, rule: DeprecatedRule):
@@ -161,6 +162,7 @@ class RuleCollection(BaseCollection):
 self.id_map: Dict[definitions.UUIDString, TOMLRule] = {}
 self.file_map: Dict[Path, TOMLRule] = {}
+ self.name_map: Dict[definitions.RuleName, TOMLRule] = {}
 self.rules: List[TOMLRule] = []
 self.deprecated: DeprecatedCollection = DeprecatedCollection()
 self.errors: Dict[Path, Exception] = {}
@@ -208,13 +210,17 @@ class RuleCollection(BaseCollection):
 if is_deprecated:
 id_map = self.deprecated.id_map
 file_map = self.deprecated.file_map
+ name_map = self.deprecated.name_map
 else:
 id_map = self.id_map
 file_map = self.file_map
+ name_map = self.name_map
 assert not self.frozen, f"Unable to add rule {rule.name} {rule.id} to a frozen collection"
 assert rule.id not in id_map, \
 f"Rule ID {rule.id} for {rule.name} collides with rule {id_map.get(rule.id).name}"
+ assert rule.name not in name_map, \
+ f"Rule Name {rule.name} for {rule.id} collides with rule ID {name_map.get(rule.name).id}"
 if rule.path is not None:
 rule_path = rule.path.resolve()
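Review bot: The new name check in `_assert_new` consults only the map of the collection the rule is being added to (`self.deprecated.name_map` or `self.name_map`), so a live rule can still share its name with a deprecated one; if that is intended, a comment such as `# rule names are unique within the live set and within the deprecated set, not across them` would stop the next reader from assuming a global guarantee. The comparison is an exact string match, so two names differing only in case or surrounding whitespace both pass — probably acceptable for a curated rule set, but worth stating next to the assert. Like the surrounding checks, the new `assert` is stripped under `python -O`, so the uniqueness invariant holds only when the loader runs unoptimized; raising `ValueError` would make it unconditional, though that would be a wider change than this commit. `_assert_new`'s signature and the `rule.path` handling that begins at the hunk's last lines continue outside the hunk.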
@@ -224,11 +230,13 @@ class RuleCollection(BaseCollection):
 def add_rule(self, rule: TOMLRule):
 self._assert_new(rule)
 self.id_map[rule.id] = rule
+ self.name_map[rule.name] = rule
 self.rules.append(rule)
 def add_deprecated_rule(self, rule: DeprecatedRule):
 self._assert_new(rule, is_deprecated=True)
 self.deprecated.id_map[rule.id] = rule
+ self.deprecated.name_map[rule.name] = rule
 self.deprecated.rules.append(rule)
 def load_dict(self, obj: dict, path: Optional[Path] = None) -> Union[TOMLRule, DeprecatedRule]:
diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce.toml
index ac596cd88..35d7f61be 100644
--- a/rules/linux/credential_access_potential_linux_ssh_bruteforce.toml
+++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce.toml
@@ -16,7 +16,7 @@ from = "now-9m"
 index = ["auditbeat-*", "logs-system.auth-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Potential SSH Brute Force Detected"
+name = "Potential Linux SSH Brute Force Detected"
 note = """## Triage and analysis
 ### Investigating Potential SSH Brute Force Attack
diff --git a/rules/macos/credential_access_potential_ssh_bruteforce.toml b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
similarity index 94%
rename from rules/macos/credential_access_potential_ssh_bruteforce.toml
rename to rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
index 987844478..c0092f492 100644
--- a/rules/macos/credential_access_potential_ssh_bruteforce.toml
+++ b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/16"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/21"
 [rule]
 author = ["Elastic"]
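Review bot: The Linux rule's `name` becomes "Potential Linux SSH Brute Force Detected" but nothing else in the file changes, while the macOS rule in the same commit also bumps `updated_date` to "2022/09/21"; if the project expects `updated_date` to move whenever a production rule's metadata changes, the Linux file should get the same bump. The triage-guide heading visible at the end of the hunk, `### Investigating Potential SSH Brute Force Attack`, still carries the old generic wording, so `### Investigating Potential Linux SSH Brute Force Attack` would keep the note consistent with the renamed rule. The `note` block continues past the hunk, so other references to the old name may exist further down.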
@@ -15,7 +15,7 @@ from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Potential SSH Brute Force Detected"
+name = "Potential macOS SSH Brute Force Detected"
 references = ["https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"]
 risk_score = 47
 rule_id = "ace1e989-a541-44df-93a8-a8b0591b63c0"
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index 050ff4d93..0cf4cbc26 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -80,7 +80,7 @@ class TestValidRules(BaseRuleTest):
 duplicates = {name: paths for name, paths in name_map.items() if len(paths) > 1}
 if duplicates:
- self.fail(f"Found duplicated file names {duplicates}")
+ self.fail(f"Found duplicated file names: {duplicates}")
 def test_rule_type_changes(self):
 """Test that a rule type did not change for a locked version"""