From f740f7ca1e4c432f1532480e8559fdd1e20afbf7 Mon Sep 17 00:00:00 2001
From: Diana Damenova
Date: Fri, 15 Dec 2023 15:35:08 -0500
Subject: [PATCH] readding fullname mapping

---
 .../DisabledAccIPSigninWithRareRiskyOps.yaml | 2 ++
 .../MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml | 4 ++++
 Detections/MultipleDataSources/HostAADCorrelation.yaml | 2 ++
 Detections/MultipleDataSources/MailBoxTampering.yaml | 2 ++
 .../MultipleDataSources/PrestigeRansomwareIOCsOct22.yaml | 4 ++++
 Detections/MultipleDataSources/RunCommandUEBABreach.yaml | 4 ++--
 6 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/Detections/MultipleDataSources/DisabledAccIPSigninWithRareRiskyOps.yaml b/Detections/MultipleDataSources/DisabledAccIPSigninWithRareRiskyOps.yaml
index 017fe0f8b5..8b9768aeac 100644
--- a/Detections/MultipleDataSources/DisabledAccIPSigninWithRareRiskyOps.yaml
+++ b/Detections/MultipleDataSources/DisabledAccIPSigninWithRareRiskyOps.yaml
@@ -80,6 +80,8 @@ query: |
 entityMappings:
 - entityType: Account
 fieldMappings:
+ - identifier: FullName
+ columnName: UserPrincipalName
 - identifier: Name
 columnName: AccountName
 - identifier: UPNSuffix
diff --git a/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml b/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml
index ebef877de6..f06da824d9 100644
--- a/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml
+++ b/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml
@@ -144,12 +144,16 @@ query: |
 entityMappings:
 - entityType: Account
 fieldMappings:
+ - identifier: FullName
+ columnName: UserName
 - identifier: Name
 columnName: AccountName
 - identifier: NTDomain
 columnName: AccountNTDomain
 - entityType: Host
 fieldMappings:
+ - identifier: FullName
+ columnName: Computer
 - identifier: HostName
 columnName: HostName
 - identifier: NTDomain
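Review bot: The new `FullName` mapping to `UserPrincipalName` only resolves if that column is still present in the query's final output, and the query body sits outside this hunk; the same check applies to `UserName`/`Computer` in GainCodeExecutionADFSviaWMI, `UserPrincipalName` in HostAADCorrelation, `Initiatedby` in MailBoxTampering and `InitiatingProcessAccountName`/`DeviceName` in PrestigeRansomwareIOCsOct22. `FullName` is meant to carry the fully qualified identifier (a UPN or DOMAIN\name for Account, an FQDN for Host), so a column that holds only the bare name duplicates the existing `Name` mapping instead of adding an identifier for entity correlation. None of the six hunks touches the rule's `version:` field; if this repository's template validation enforces a version increment on changed detections, that bump needs to happen outside the hunks shown here.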
diff --git a/Detections/MultipleDataSources/HostAADCorrelation.yaml b/Detections/MultipleDataSources/HostAADCorrelation.yaml
index 6fec7145f9..07fc1dae5c 100644
--- a/Detections/MultipleDataSources/HostAADCorrelation.yaml
+++ b/Detections/MultipleDataSources/HostAADCorrelation.yaml
@@ -80,6 +80,8 @@ query: |
 entityMappings:
 - entityType: Account
 fieldMappings:
+ - identifier: FullName
+ columnName: UserPrincipalName
 - identifier: Name
 columnName: AccountName
 - identifier: UPNSuffix
diff --git a/Detections/MultipleDataSources/MailBoxTampering.yaml b/Detections/MultipleDataSources/MailBoxTampering.yaml
index a701af7459..293af176a5 100644
--- a/Detections/MultipleDataSources/MailBoxTampering.yaml
+++ b/Detections/MultipleDataSources/MailBoxTampering.yaml
@@ -69,6 +69,8 @@ query: |
 entityMappings:
 - entityType: Account
 fieldMappings:
+ - identifier: FullName
+ columnName: Initiatedby
 - identifier: Name
 columnName: AccountName
 - identifier: UPNSuffix
diff --git a/Detections/MultipleDataSources/PrestigeRansomwareIOCsOct22.yaml b/Detections/MultipleDataSources/PrestigeRansomwareIOCsOct22.yaml
index dcdb9755c5..fce5bb71ab 100644
--- a/Detections/MultipleDataSources/PrestigeRansomwareIOCsOct22.yaml
+++ b/Detections/MultipleDataSources/PrestigeRansomwareIOCsOct22.yaml
@@ -97,6 +97,8 @@ entityMappings:
 columnName: FileHashCustomEntity
 - entityType: Account
 fieldMappings:
+ - identifier: FullName
+ columnName: InitiatingProcessAccountName
 - identifier: Name
 columnName: AccountName
 - identifier: UPNSuffix
@@ -107,6 +109,8 @@ entityMappings:
 columnName: ProcessCustomEntity
 - entityType: Host
 fieldMappings:
+ - identifier: FullName
+ columnName: DeviceName
 - identifier: HostName
 columnName: HostName
 - identifier: NTDomain
diff --git a/Detections/MultipleDataSources/RunCommandUEBABreach.yaml b/Detections/MultipleDataSources/RunCommandUEBABreach.yaml
index d7d5078593..90e7107375 100644
--- a/Detections/MultipleDataSources/RunCommandUEBABreach.yaml
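Review bot: `columnName: Initiatedby` in the MailBoxTampering hunk does not match the conventional `InitiatedBy` casing, and KQL column names are case-sensitive, so unless the query explicitly emits a column spelled `Initiatedby` the Account entity's FullName will be empty at runtime. If the source is AuditLogs, `InitiatedBy` there is a dynamic object rather than a UPN string, so the mapping should point at a string column the query extracts first, e.g. `| extend InitiatedByUpn = tostring(InitiatedBy.user.userPrincipalName)` (constructed example) with `columnName: InitiatedByUpn`. The query is outside the hunk, so this needs confirming against it.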
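Review bot: In the first PrestigeRansomwareIOCsOct22 hunk, `FullName` is mapped to `InitiatingProcessAccountName`, which in the Device* advanced-hunting tables holds only the bare account name (the domain and UPN live in the separate `InitiatingProcessAccountDomain` and `InitiatingProcessAccountUpn` columns), so FullName adds nothing beyond the existing `Name`/`AccountName` mapping. If the query projects it, `columnName: InitiatingProcessAccountUpn` is the better FullName source; otherwise derive a DOMAIN\name column from the domain and name columns before mapping. The query appears to draw on those tables only from the column names, which is outside the hunk, so verify against it; the Host mapping in the second hunk (`DeviceName`, normally the FQDN there) is consistent with FullName.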
+++ b/Detections/MultipleDataSources/RunCommandUEBABreach.yaml
@@ -54,12 +54,12 @@ query: |
 | where StartTime between (UEBAWindowStart .. UEBAWindowEnd)
 | project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights
 | extend AccountName = tostring(split(Caller, "@")[0]), AccountUPNSuffix = tostring(split(Caller, "@")[1])
- | extend timestamp = StartTime, AccountCustomEntity=Caller
+ | extend timestamp = StartTime
 entityMappings:
 - entityType: Account
 fieldMappings:
 - identifier: FullName
- columnName: AccountCustomEntity
+ columnName: Caller
 - identifier: Name
 columnName: AccountName
 - identifier: UPNSuffix