Merge pull request #13372 from andrewj-t/fix/NonDCActiveDirectoryReplication

Update NonDCActiveDirectoryReplication - fix swapped fields

Author: v-atulyadav

Solutions/Windows Security Events/Analytic Rules/NonDCActiveDirectoryReplication.yaml

@@ -20,7 +20,7 @@ status: Available
 tactics:
   - CredentialAccess
 relevantTechniques:
-  - T1003
+  - T1003.006
 query: |
   // Enter a reference list of hostnames for your DC servers
   //let DCServersList = dynamic (["DC01.simulandlabs.com","DC02.simulandlabs.com"]);
@@ -44,7 +44,7 @@ query: |
   | project-reorder TimeGenerated, Computer, Account, IpAddress
   | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
   | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
-  | extend AccountName = tostring(split(Account, "\\")[0]), AccountNTDomain = tostring(split(Account, "\\")[1])
+  | extend AccountNTDomain = tostring(split(Account, "\\")[0]), AccountName = tostring(split(Account, "\\")[1])
 
 entityMappings:
   - entityType: Account
@@ -67,5 +67,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IpAddress
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled

Solutions/Windows Security Events/Data/Solution_Windows Security Events.json

@@ -87,7 +87,7 @@
 
   ],
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Windows Security Events\\",
-  "Version": "3.0.9",
+  "Version": "3.0.10",
   "TemplateSpec": true,
   "StaticDataConnectorIds": [
     "SecurityEvents",

Solutions/Windows Security Events/Package/3.0.10.zip

@@ -982,7 +982,7 @@
           {
             "name": "huntingquery38",
             "type": "Microsoft.Common.Section",
-            "label": "User Account added to Built in Domain Local or Global Group",
+            "label": "User Account added to Built in Sensitive or Privileged Domain Local or Global Group",
             "elements": [
               {
                 "name": "huntingquery38-text",