readding fullname mapping

2023-12-15 15:35:08 -05:00 · 2023-12-15 15:35:08 -05:00 · f740f7ca1e
--- a/Detections/MultipleDataSources/DisabledAccIPSigninWithRareRiskyOps.yaml
+++ b/Detections/MultipleDataSources/DisabledAccIPSigninWithRareRiskyOps.yaml
@ -80,6 +80,8 @@ query: |
 entityMappings:
  - entityType: Account
    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalName
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
--- a/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml
+++ b/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml
@ -144,12 +144,16 @@ query: |
 entityMappings:
  - entityType: Account
    fieldMappings:
+      - identifier: FullName
+        columnName: UserName
      - identifier: Name
        columnName: AccountName
      - identifier: NTDomain
        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
+      - identifier: FullName
+        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: NTDomain
--- a/Detections/MultipleDataSources/HostAADCorrelation.yaml
+++ b/Detections/MultipleDataSources/HostAADCorrelation.yaml
@ -80,6 +80,8 @@ query: |
 entityMappings:
  - entityType: Account
    fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalName
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
--- a/Detections/MultipleDataSources/MailBoxTampering.yaml
+++ b/Detections/MultipleDataSources/MailBoxTampering.yaml
@ -69,6 +69,8 @@ query: |
 entityMappings:
  - entityType: Account
    fieldMappings:
+      - identifier: FullName
+        columnName: Initiatedby
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
--- a/Detections/MultipleDataSources/PrestigeRansomwareIOCsOct22.yaml
+++ b/Detections/MultipleDataSources/PrestigeRansomwareIOCsOct22.yaml
@ -97,6 +97,8 @@ entityMappings:
        columnName: FileHashCustomEntity
  - entityType: Account
    fieldMappings:
+      - identifier: FullName
+        columnName: InitiatingProcessAccountName
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
@ -107,6 +109,8 @@ entityMappings:
        columnName: ProcessCustomEntity
  - entityType: Host
    fieldMappings:
+      - identifier: FullName
+        columnName: DeviceName
      - identifier: HostName
        columnName: HostName
      - identifier: NTDomain
--- a/Detections/MultipleDataSources/RunCommandUEBABreach.yaml
+++ b/Detections/MultipleDataSources/RunCommandUEBABreach.yaml
@ -54,12 +54,12 @@ query: |
  | where StartTime between (UEBAWindowStart .. UEBAWindowEnd)
  | project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights
  | extend AccountName = tostring(split(Caller, "@")[0]), AccountUPNSuffix = tostring(split(Caller, "@")[1])
-  | extend timestamp = StartTime, AccountCustomEntity=Caller
+  | extend timestamp = StartTime
 entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: Caller
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix