Corrects multiple detection rule's techniques-tactics mappings.

2022-02-23 09:50:28 +02:00 · 2022-02-23 09:50:28 +02:00 · 433260395a
--- a/Detections/DeviceNetworkEvents/SolarWinds_SUNBURST_Network-IOCs.yaml
+++ b/Detections/DeviceNetworkEvents/SolarWinds_SUNBURST_Network-IOCs.yaml
@ -17,6 +17,9 @@ triggerThreshold: 0
 tactics:
  - Execution
  - Persistence
+  - InitialAccess
+relevantTechniques:
+  - T1195
 query:  |

  let SunburstURL=dynamic(["panhardware.com","databasegalore.com","avsvmcloud.com","freescanonline.com","thedoccloud.com","deftsecurity.com"]);
@ -54,5 +57,5 @@ entityMappings:
        columnName: HashAlgorithm
      - identifier: Value
        columnName: FileHashCustomEntity
-version: 1.0.0
-kind: Scheduled
+version: 1.0.1
+kind: Scheduled
--- a/Detections/MultipleDataSources/MFADisable.yaml
+++ b/Detections/MultipleDataSources/MFADisable.yaml
@ -16,6 +16,9 @@ triggerOperator: gt
 triggerThreshold: 0
 tactics:
  - CredentialAccess
+  - Persistence
+relevantTechniques:
+  - T1098
 query: |

 (union isfuzzy=true
@ -45,5 +48,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
-kind: Scheduled
+version: 1.0.1
+kind: Scheduled
--- a/Detections/SecurityEvent/PotentialKerberoast.yaml
+++ b/Detections/SecurityEvent/PotentialKerberoast.yaml
@ -21,6 +21,8 @@ triggerOperator: gt
 triggerThreshold: 0
 tactics:
  - CredentialAccess
+relevantTechniques:
+  - T1558
 query: |

  let starttime = 1d;
@ -75,5 +77,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
-kind: Scheduled
+version: 1.0.1
+kind: Scheduled
--- a/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml
+++ b/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml
@ -19,7 +19,7 @@ triggerThreshold: 0
 tactics:
  - InitialAccess
 relevantTechniques:
-  - T1078.004
+  - T1078
 tags:
  - Solorigate
  - NOBELIUM
@ -48,5 +48,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
-kind: Scheduled
+version: 1.0.1
+kind: Scheduled