[bug] Encoded rules missing rule name

[crayy8]

Describe the bug
There are 4 rules in the live response encoded rule that do not have rule names. I believe the issue is that some rule files have multiple rules in them which is not being accounted for when generating the encoded rules for live response.

Image showing that there are 4 more rule titles than rule file names and that there are no duplicate rule names

The two I saw from the test data are:

• "PW Guessing" from Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Correlation.yml
• "PW Spray" from Sec_4648_Med_ExplicitLogon_PW-Spray_Correlation.yml

Step to Reproduce
Steps to reproduce the behavior:

1. Use latest live response binary and latest encoded ruleset. Run against the hayabusa test data set and observe that some hits (as mentioned above) to not have data in the "rulefile" fields for json-timeline

Expected behavior
All rules have a rule file name so rules can be identified in json-timeline output

[fukusuket]

@crayy8 Thank you for reporting issue! There was a problem in the output processing of the RuleFile field of the correlation rule record!

@YamatoSecurity
I fixed it! Could you check it when you have time?🙏

• fix: output RuleFile field in json-timeline #1576

[YamatoSecurity]

@fukusuket Sorry I didn't properly test the PR before merging. I tried with the live response build but still the rule file name is blank for the correlation rules. Do we not have to add the rule file names when creating the encoded yml file?

[fukusuket]

@YamatoSecurity
Sorry... I was wrong about the confirmation procedure. I fixed it!
Yamato-Security/hayabusa-encoded-rules#8

[YamatoSecurity]

@fukusuket I confirmed that it is working. thanks! @crayy8 If you run update-rules it should be fixed now.