Update AVTarrask.yaml

Detections/SecurityAlert/AVTarrask.yaml

@@ -19,13 +19,14 @@ tactics:
 relevantTechniques:
   - T1053
 query: |
-  let Tarrask_threats = dynamic(["HackTool:Win64/Tarrask!MS", "HackTool:Win64/Ligolo!MSR", "Behavior:Win32/ScheduledTaskHide.A"]);
+  let Tarrask_threats = dynamic(["HackTool:Win64/Tarrask!MS", "HackTool:Win64/Ligolo!MSR", "Behavior:Win32/ScheduledTaskHide.A", "Tarrask"]);
   DeviceInfo
   | extend DeviceName = tolower(DeviceName)
-  | join ( SecurityAlert
+  | join kind=rightouter ( SecurityAlert
   | where ProviderName == "MDATP"
+  | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
   | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
-  | where ThreatFamilyName in (Tarrask_threats)
+  | where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)
   | extend CompromisedEntity = tolower(CompromisedEntity)
   ) on $left.DeviceName == $right.CompromisedEntity
 entityMappings:
@@ -38,4 +39,4 @@ entityMappings:
       - identifier: Address
         columnName: PublicIP
 version: 1.0.0
-kind: scheduled
+kind: scheduled