Fix typos discovered by codespell (#1430)

detection_rules/beats.py

@@ -109,7 +109,7 @@ def _flatten_schema(schema: list, prefix="") -> list:
     for s in schema:
         if s.get("type") == "group":
             nested_prefix = prefix + s["name"] + "."
-            # beats is complicated. it seems lke we would expect a zoom.webhook.*, for the zoom.webhook dataset,
+            # beats is complicated. it seems like we would expect a zoom.webhook.*, for the zoom.webhook dataset,
             # but instead it's just at zoom.* directly.
             #
             # we have what looks like zoom.zoom.*, but should actually just be zoom.*.

rta/delete_volume_shadows.py

@@ -8,7 +8,7 @@
 # signal.rule.name: Volume Shadow Copy Deletion via VssAdmin
 # ELastic Detection: Volume Shadow Copy Deletion via WMIC
 # ATT&CK: T1107
-# Description: Uses both vssadmin.exe and wmic.exe to delete volumne shadow copies.
+# Description: Uses both vssadmin.exe and wmic.exe to delete volume shadow copies.
 
 from . import common
 

rta/enum_commands.py

@@ -52,7 +52,7 @@ def main(args=None):
 
     parser = argparse.ArgumentParser()
     parser.add_argument('-s', '--sample', dest="sample", default=len(commands), type=int,
-                        help="Number of commands to run, choosen at random from the list of enumeration commands")
+                        help="Number of commands to run, chosen at random from the list of enumeration commands")
     args = parser.parse_args(args)
     sample = min(len(commands), args.sample)
 
@@ -65,7 +65,7 @@ def main(args=None):
         common.log("About to call {}".format(command))
         if command in slow_commands:
             common.execute(command, kill=True, timeout=15)
-            common.log("[output surpressed]", log_type='-')
+            common.log("[output suppressed]", log_type='-')
         else:
             common.execute(command)
 

rta/iqy_file_writes.py

@@ -40,7 +40,7 @@ def main():
     fake_doc_iqy = os.path.abspath("test_word.iqy")
     common.execute([msoffice_path, "/c", "echo", "test", ">", fake_doc_iqy])
 
-    # Brwoser writing IQY file
+    # Browser writing IQY file
     fake_browser_iqy = os.path.abspath("test_browser.iqy")
     common.execute([browser_path, "/c", "echo", "test", ">", fake_browser_iqy])
 

rta/smb_connection.py

@@ -26,7 +26,7 @@ def main(ip=None):
     s.connect((ip, 445))
     common.log("Sending HELLO")
     s.send(b"HELLO!")
-    common.log("Shutting down the conection...")
+    common.log("Shutting down the connection...")
     s.close()
     common.log("Closed connection to {}:{}".format(ip, SMB_PORT))
 

rta/winrar_encrypted.py

@@ -87,7 +87,7 @@ def main(password="s0l33t"):
     #            original_file_name == "*rar*" - no
     #            signature_signer == "*win.rar*" -no
     #            output filename == "*.rar" - no
-    common.log("Test case 6: FP, shoudln't alert, run with myapp.exe", log_type="!")
+    common.log("Test case 6: FP, shouldn't alert, run with myapp.exe", log_type="!")
     common.execute([MY_APP, "-hpbadargument"])
 
     common.log("Cleanup", "-")

rules/ml/ml_high_count_network_events.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/04/05"
 maturity = "production"
-updated_date = "2021/06/15"
+updated_date = "2021/08/14"
 
 [rule]
 anomaly_threshold = 75
@@ -15,7 +15,7 @@ also produce such a surge in traffic.
 """
 false_positives = [
     """
-    Business workflows that occur very occasionally, and involve an unsual surge in network trafic, 
+    Business workflows that occur very occasionally, and involve an unusual surge in network traffic, 
     can trigger this alert. A new business workflow or a surge in business activity may trigger this alert.
     A misconfigured network application or firewall may trigger this alert.
     """,

rules/windows/discovery_net_view.toml

@@ -26,7 +26,7 @@ process where event.type in ("start", "process_started") and
   (process.args : "view" or (process.args : "time" and process.args : "\\\\*"))
 
 
-  /* expand when ancestory is available
+  /* expand when ancestry is available
   and not descendant of [process where event.type == ("start", "process_started") and process.name : "cmd.exe" and
                            ((process.parent.name : "userinit.exe") or
                             (process.parent.name : "gpscript.exe") or

rules/windows/discovery_post_exploitation_external_ip_lookup.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/04"
 maturity = "production"
-updated_date = "2021/04/23"
+updated_date = "2021/08/14"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
-name = "External IP Lookup fron Non-Browser Process"
+name = "External IP Lookup from Non-Browser Process"
 references = [
     "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation",
     "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware",

tests/test_toml_formatter.py

@@ -17,7 +17,7 @@ tmp_file = 'tmp_file.toml'
 
 
 class TestRuleTomlFormatter(unittest.TestCase):
-    """Test that the cutom toml formatting is not compromising the integrity of the data."""
+    """Test that the custom toml formatting is not compromising the integrity of the data."""
     with open(get_etc_path('test_toml.json'), 'r') as f:
         test_data = json.load(f)