elastic
diff --git a/‎detection_rules/devtools.py‎
Lines changed: 26 additions & 10 deletions b/‎detection_rules/devtools.py‎
Lines changed: 26 additions & 10 deletions
diff --git a/‎detection_rules/etc/attack-technique-redirects.json‎
Lines changed: 1 addition & 1 deletion b/‎detection_rules/etc/attack-technique-redirects.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎detection_rules/etc/attack-v11.3.json.gz‎
-4.81 MB b/‎detection_rules/etc/attack-v11.3.json.gz‎
-4.81 MB
diff --git a/‎detection_rules/etc/attack-v12.1.json.gz‎
5.19 MB b/‎detection_rules/etc/attack-v12.1.json.gz‎
5.19 MB
diff --git a/‎rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml‎
Lines changed: 2 additions & 2 deletions b/‎rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml‎
Lines changed: 2 additions & 2 deletions b/‎rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎rules/cross-platform/defense_evasion_timestomp_touch.toml‎
Lines changed: 2 additions & 2 deletions b/‎rules/cross-platform/defense_evasion_timestomp_touch.toml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎rules/integrations/aws/collection_cloudtrail_logging_created.toml‎
Lines changed: 5 additions & 5 deletions b/‎rules/integrations/aws/collection_cloudtrail_logging_created.toml‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml‎
Lines changed: 3 additions & 3 deletions b/‎rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎rules/integrations/aws/impact_cloudtrail_logging_updated.toml‎
Lines changed: 3 additions & 3 deletions b/‎rules/integrations/aws/impact_cloudtrail_logging_updated.toml‎
Lines changed: 3 additions & 3 deletions
@@ -28,7 +28,7 @@
 from kibana.connector import Kibana
 
 from . import attack, rule_loader, utils
-from .cli_utils import multi_collection, single_collection
+from .cli_utils import single_collection
 from .docs import IntegrationSecurityDocs
 from .endgame import EndgameSchemaManager
 from .eswrap import CollectEvents, add_range_to_dsl
@@ -1226,13 +1226,14 @@ def refresh_threat_mappings():
 
 
 @attack_group.command('update-rules')
-@multi_collection
-def update_attack_in_rules(rules: RuleCollection) -> List[Optional[TOMLRule]]:
+def update_attack_in_rules() -> List[Optional[TOMLRule]]:
     """Update threat mappings attack data in all rules."""
     new_rules = []
     redirected_techniques = attack.load_techniques_redirect()
     today = time.strftime('%Y/%m/%d')
 
+    rules = RuleCollection.default()
+
     for rule in rules.rules:
         needs_update = False
         valid_threat: List[ThreatMapping] = []
@@ -1241,14 +1242,29 @@ def update_attack_in_rules(rules: RuleCollection) -> List[Optional[TOMLRule]]:
 
         for entry in threat:
             tactic = entry.tactic.name
-            techniques = []
+            technique_ids = []
+            technique_names = []
             for technique in entry.technique or []:
-                techniques.append(technique.id)
-                techniques.extend([st.id for st in technique.subtechnique or []])
+                technique_ids.append(technique.id)
+                technique_names.append(technique.name)
+                technique_ids.extend([st.id for st in technique.subtechnique or []])
+                technique_names.extend([st.name for st in technique.subtechnique or []])
+
+            # check redirected techniques by ID
+            # redirected techniques are technique IDs that have changed but represent the same technique
+            if any([tid for tid in technique_ids if tid in redirected_techniques]):
+                needs_update = True
+                threat_pending_update[tactic] = technique_ids
+                click.echo(f"'{rule.contents.name}' requires update - technique ID change")
 
-            if any([t for t in techniques if t in redirected_techniques]):
+            # check for name change
+            # happens if technique ID is the same but name changes
+            expected_technique_names = [attack.technique_lookup[str(tid)]["name"] for tid in technique_ids]
+            if any([tname for tname in technique_names if tname not in expected_technique_names]):
                 needs_update = True
-                threat_pending_update[tactic] = techniques
+                threat_pending_update[tactic] = technique_ids
+                click.echo(f"'{rule.contents.name}' requires update - technique name change")
+
             else:
                 valid_threat.append(entry)
 
@@ -1265,12 +1281,12 @@ def update_attack_in_rules(rules: RuleCollection) -> List[Optional[TOMLRule]]:
             new_meta = dataclasses.replace(rule.contents.metadata, updated_date=today)
             new_data = dataclasses.replace(rule.contents.data, threat=valid_threat)
             new_contents = dataclasses.replace(rule.contents, data=new_data, metadata=new_meta)
-            new_rule = TOMLRule(contents=new_contents)
+            new_rule = TOMLRule(contents=new_contents, path=rule.path)
             new_rule.save_toml()
             new_rules.append(new_rule)
 
     if new_rules:
-        click.echo(f'{len(new_rules)} rules updated')
+        click.echo(f'\nFinished - {len(new_rules)} rules updated!')
     else:
         click.echo('No rule changes needed')
     return new_rules
@@ -132,5 +132,5 @@
     "T1536": "T1578.004",
     "T1547.011": "T1647"
   },
-  "saved_date": "Tue Oct  4 21:58:48 2022"
+  "saved_date": "Mon Dec 12 12:29:00 2022"
 }
@@ -3,7 +3,7 @@ creation_date = "2020/11/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/12"
 
 [rule]
 author = ["Elastic"]
@@ -41,7 +41,7 @@ file where event.type == "deletion" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
 
 
 
@@ -3,7 +3,7 @@ creation_date = "2020/05/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/12"
 
 [rule]
 author = ["Elastic"]
@@ -47,7 +47,7 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique.subtechnique]]
 id = "T1070.003"
 
@@ -3,7 +3,7 @@ creation_date = "2020/11/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/12"
 
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ process where event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique.subtechnique]]
 id = "T1070.006"
 
@@ -1,19 +1,19 @@
 [metadata]
 creation_date = "2020/06/10"
+integration = "aws"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/12"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data."
 false_positives = [
     """
     Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent,
-    and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should
-    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should be
+    investigated. If known behavior is causing false positives, it can be exempted from the rule.
     """,
 ]
 from = "now-60m"
@@ -45,7 +45,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1530"
-name = "Data from Cloud Storage Object"
+name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"
 
 
 
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/05/27"
+integration = "aws"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/12"
 
 [rule]
 author = ["Elastic"]
@@ -51,7 +51,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-name = "Indicator Removal on Host"
+name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
 
 
 
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/10"
+integration = "aws"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/12"
 
 [rule]
 author = ["Elastic"]
@@ -119,7 +119,7 @@ reference = "https://attack.mitre.org/tactics/TA0040/"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1530"
-name = "Data from Cloud Storage Object"
+name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"
Original file line number	Diff line number	Diff line change
`@@ -132,5 +132,5 @@`
`132`	`132`	`"T1536": "T1578.004",`
`133`	`133`	`"T1547.011": "T1647"`
`134`	`134`	`},`
`135`		`- "saved_date": "Tue Oct 4 21:58:48 2022"`
	`135`	`+ "saved_date": "Mon Dec 12 12:29:00 2022"`
`136`	`136`	`}`