Update Analytic rule for missing TTPs

Solutions/Theom/Analytic Rules/TRIS0001_Dev_secrets_unencrypted.yaml

@@ -12,6 +12,10 @@ queryPeriod: 5m
 queryFrequency: 5m
 triggerOperator: gt
 triggerThreshold: 0
+tactics:
+  - CredentialAccess
+relevantTechniques:
+  - T1552
 query: |
    TheomAlerts_CL
      | where customProps_RuleId_s == "TRIS0001" and (priority_s == "P1" or priority_s == "P2")
@@ -29,5 +33,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: deepLink_s
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Theom/Analytic Rules/TRIS0002_National_IDs_unencrypted.yaml

@@ -12,6 +12,11 @@ queryPeriod: 5m
 queryFrequency: 5m
 triggerOperator: gt
 triggerThreshold: 0
+tactics:
+  - Collection
+relevantTechniques:
+  - T1213
+  - T1530
 query: |
    TheomAlerts_CL
      | where customProps_RuleId_s == "TRIS0002" and (priority_s == "P1" or priority_s == "P2")
@@ -29,5 +34,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: deepLink_s
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Theom/Analytic Rules/TRIS0003_Financial_data_unencrypted.yaml

@@ -12,6 +12,11 @@ queryPeriod: 5m
 queryFrequency: 5m
 triggerOperator: gt
 triggerThreshold: 0
+tactics:
+  - Collection
+relevantTechniques:
+  - T1213
+  - T1530
 query: |
    TheomAlerts_CL
      | where customProps_RuleId_s == "TRIS0003" and (priority_s == "P1" or priority_s == "P2")
@@ -29,5 +34,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: deepLink_s
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Theom/Analytic Rules/TRIS0004_Healthcare_data_unencrypted.yaml

@@ -12,6 +12,11 @@ queryPeriod: 5m
 queryFrequency: 5m
 triggerOperator: gt
 triggerThreshold: 0
+tactics:
+  - Collection
+relevantTechniques:
+  - T1213
+  - T1530
 query: |
    TheomAlerts_CL
      | where customProps_RuleId_s == "TRIS0004" and (priority_s == "P1" or priority_s == "P2")
@@ -29,5 +34,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: deepLink_s
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Theom/Analytic Rules/TRIS0005_Unencrypted_public_data_stores.yaml

@@ -12,6 +12,11 @@ queryPeriod: 5m
 queryFrequency: 5m
 triggerOperator: gt
 triggerThreshold: 0
+tactics:
+  - Collection
+relevantTechniques:
+  - T1213
+  - T1530
 query: |
    TheomAlerts_CL
      | where customProps_RuleId_s == "TRIS0005" and (priority_s == "P1" or priority_s == "P2")
@@ -29,5 +34,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: deepLink_s
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Theom/Analytic Rules/TRIS0007-10_TRIS0014_Critical_data_in_API_headers_or_body.yaml

@@ -12,6 +12,10 @@ queryPeriod: 5m
 queryFrequency: 5m
 triggerOperator: gt
 triggerThreshold: 0
+tactics:
+  - Collection
+relevantTechniques:
+  - T1119
 query: |
    TheomAlerts_CL
      | where ( customProps_RuleId_s == "TRIS0007" or customProps_RuleId_s == "TRIS0008" or
@@ -31,5 +35,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: deepLink_s
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Theom/Analytic Rules/TRIS0012_Dev_secrets_exposed.yaml

@@ -12,6 +12,11 @@ queryPeriod: 5m
 queryFrequency: 5m
 triggerOperator: gt
 triggerThreshold: 0
+tactics:
+  - Collection
+relevantTechniques:
+  - T1213
+  - T1530
 query: |
    TheomAlerts_CL
      | where customProps_RuleId_s == "TRIS0012" and (priority_s == "P1" or priority_s == "P2")
@@ -29,5 +34,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: deepLink_s
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Theom/Analytic Rules/TRIS0015_Healthcare_data_exposed.yaml

@@ -12,6 +12,11 @@ queryPeriod: 5m
 queryFrequency: 5m
 triggerOperator: gt
 triggerThreshold: 0
+tactics:
+  - Collection
+relevantTechniques:
+  - T1213
+  - T1530
 query: |
    TheomAlerts_CL
      | where customProps_RuleId_s == "TRIS0015" and (priority_s == "P1" or priority_s == "P2")
@@ -29,5 +34,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: deepLink_s
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Theom/Analytic Rules/TRIS0018_National_IDs_exposed.yaml

@@ -12,6 +12,11 @@ queryPeriod: 5m
 queryFrequency: 5m
 triggerOperator: gt
 triggerThreshold: 0
+tactics:
+  - Collection
+relevantTechniques:
+  - T1213
+  - T1530
 query: |
    TheomAlerts_CL
      | where customProps_RuleId_s == "TRIS0018" and (priority_s == "P1" or priority_s == "P2")
@@ -29,5 +34,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: deepLink_s
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Theom/Analytic Rules/TRIS0026_Financial_data_exposed.yaml

@@ -12,6 +12,11 @@ queryPeriod: 5m
 queryFrequency: 5m
 triggerOperator: gt
 triggerThreshold: 0
+tactics:
+  - Collection
+relevantTechniques:
+  - T1213
+  - T1530
 query: |
    TheomAlerts_CL
      | where customProps_RuleId_s == "TRIS0026" and (priority_s == "P1" or priority_s == "P2")
@@ -29,5 +34,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: deepLink_s
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Theom/Analytic Rules/TRIS0032_Dark_Data_with_large_fin_value.yaml

@@ -12,6 +12,11 @@ queryPeriod: 5m
 queryFrequency: 5m
 triggerOperator: gt
 triggerThreshold: 0
+tactics:
+  - Collection
+relevantTechniques:
+  - T1560
+  - T1530
 query: |
    TheomAlerts_CL
      | where customProps_RuleId_s == "TRIS0032" and (priority_s == "P1" or priority_s == "P2")
@@ -29,5 +34,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: deepLink_s
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Theom/Analytic Rules/TRIS0033_Least_priv_large_value_shadow_DB.yaml

@@ -12,6 +12,11 @@ queryPeriod: 5m
 queryFrequency: 5m
 triggerOperator: gt
 triggerThreshold: 0
+tactics:
+  - Collection
+relevantTechniques:
+  - T1560
+  - T1530
 query: |
    TheomAlerts_CL
      | where customProps_RuleId_s == "TRIS0032" and (priority_s == "P1" or priority_s == "P2")
@@ -29,5 +34,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: deepLink_s
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Theom/Analytic Rules/TRIS0034_Overprovisioned_Roles_Shadow_DB.yaml

@@ -12,6 +12,13 @@ queryPeriod: 5m
 queryFrequency: 5m
 triggerOperator: gt
 triggerThreshold: 0
+tactics:
+  - Collection
+  - PrivilegeEscalation
+relevantTechniques:
+  - T1560
+  - T1530
+  - T1078
 query: |
    TheomAlerts_CL
      | where customProps_RuleId_s == "TRIS0034" and (priority_s == "P1" or priority_s == "P2")
@@ -29,5 +36,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: deepLink_s
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Theom/Analytic Rules/TRIS0035_Shadow_DB_large_datastore_value.yaml

@@ -12,6 +12,11 @@ queryPeriod: 5m
 queryFrequency: 5m
 triggerOperator: gt
 triggerThreshold: 0
+tactics:
+  - Collection
+relevantTechniques:
+  - T1560
+  - T1530
 query: |
    TheomAlerts_CL
      | where customProps_RuleId_s == "TRIS0035" and (priority_s == "P1" or priority_s == "P2")
@@ -29,5 +34,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: deepLink_s
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Theom/Analytic Rules/TRIS0036_Shadow_DB_with_atypical_accesses.yaml

@@ -12,6 +12,13 @@ queryPeriod: 5m
 queryFrequency: 5m
 triggerOperator: gt
 triggerThreshold: 0
+tactics:
+  - Collection
+  - PrivilegeEscalation
+relevantTechniques:
+  - T1560
+  - T1530
+  - T1078
 query: |
    TheomAlerts_CL
      | where customProps_RuleId_s == "TRIS0036" and (priority_s == "P1" or priority_s == "P2")
@@ -29,5 +36,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: deepLink_s
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Theom/Analytic Rules/TheomRisksCritical.yaml

@@ -12,6 +12,31 @@ queryPeriod: 5m
 queryFrequency: 5m
 triggerOperator: gt
 triggerThreshold: 0
+tactics:
+  - Collection
+  - CommandAndControl
+  - CredentialAccess
+  - DefenseEvasion
+  - Discovery
+  - Exfiltration
+  - Impact
+  - Reconnaissance
+relevantTechniques:
+  - T1592
+  - T1589
+  - T1070
+  - T1552
+  - T1619
+  - T1119
+  - T1560
+  - T1530
+  - T1213
+  - T1001
+  - T1041
+  - T1537
+  - T1485
+  - T1486
+  - T1565
 query: |
   TheomAlerts_CL
    | where priority_s == "P1"
@@ -29,5 +54,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: deepLink_s
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled

Solutions/Theom/Analytic Rules/TheomRisksHigh.yaml

@@ -12,6 +12,31 @@ queryPeriod: 5m
 queryFrequency: 5m
 triggerOperator: gt
 triggerThreshold: 0
+tactics:
+  - Collection
+  - CommandAndControl
+  - CredentialAccess
+  - DefenseEvasion
+  - Discovery
+  - Exfiltration
+  - Impact
+  - Reconnaissance
+relevantTechniques:
+  - T1592
+  - T1589
+  - T1070
+  - T1552
+  - T1619
+  - T1119
+  - T1560
+  - T1530
+  - T1213
+  - T1001
+  - T1041
+  - T1537
+  - T1485
+  - T1486
+  - T1565
 query: |
   TheomAlerts_CL
    | where priority_s == "P2"
@@ -29,5 +54,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: deepLink_s
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Theom/Analytic Rules/TheomRisksInsights.yaml

@@ -12,6 +12,31 @@ queryPeriod: 5m
 queryFrequency: 5m
 triggerOperator: gt
 triggerThreshold: 0
+tactics:
+  - Collection
+  - CommandAndControl
+  - CredentialAccess
+  - DefenseEvasion
+  - Discovery
+  - Exfiltration
+  - Impact
+  - Reconnaissance
+relevantTechniques:
+  - T1592
+  - T1589
+  - T1070
+  - T1552
+  - T1619
+  - T1119
+  - T1560
+  - T1530
+  - T1213
+  - T1001
+  - T1041
+  - T1537
+  - T1485
+  - T1486
+  - T1565
 query: |
   TheomAlerts_CL
    | where priority_s == "P5"
@@ -29,5 +54,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: deepLink_s
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Theom/Analytic Rules/TheomRisksLow.yaml

@@ -12,6 +12,31 @@ queryPeriod: 5m
 queryFrequency: 5m
 triggerOperator: gt
 triggerThreshold: 0
+tactics:
+  - Collection
+  - CommandAndControl
+  - CredentialAccess
+  - DefenseEvasion
+  - Discovery
+  - Exfiltration
+  - Impact
+  - Reconnaissance
+relevantTechniques:
+  - T1592
+  - T1589
+  - T1070
+  - T1552
+  - T1619
+  - T1119
+  - T1560
+  - T1530
+  - T1213
+  - T1001
+  - T1041
+  - T1537
+  - T1485
+  - T1486
+  - T1565
 query: |
   TheomAlerts_CL
    | where priority_s == "P4"
@@ -29,5 +54,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: deepLink_s
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Theom/Analytic Rules/TheomRisksMedium.yaml

@@ -12,6 +12,31 @@ queryPeriod: 5m
 queryFrequency: 5m
 triggerOperator: gt
 triggerThreshold: 0
+tactics:
+  - Collection
+  - CommandAndControl
+  - CredentialAccess
+  - DefenseEvasion
+  - Discovery
+  - Exfiltration
+  - Impact
+  - Reconnaissance
+relevantTechniques:
+  - T1592
+  - T1589
+  - T1070
+  - T1552
+  - T1619
+  - T1119
+  - T1560
+  - T1530
+  - T1213
+  - T1001
+  - T1041
+  - T1537
+  - T1485
+  - T1486
+  - T1565
 query: |
   TheomAlerts_CL
    | where priority_s == "P3"
@@ -29,5 +54,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: deepLink_s
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled