adjusts MITRE ATT&CK mappings

terrancedejesus · terrancedejesus · commit db23c2e3b43a · 2025-12-09T11:34:49.000-05:00
diff --git a/rules/integrations/github/persistence_github_actions_workflow_injection_blocked.toml b/rules/integrations/github/persistence_github_actions_workflow_injection_blocked.toml
@@ -63,6 +63,7 @@ severity = "medium"
 tags = [
     "Domain: Cloud",
     "Use Case: Threat Detection",
+    "Tractic: Initial Access",
     "Tactic: Persistence",
     "Tactic: Execution",
     "Data Source: Github",
@@ -95,23 +96,23 @@ name = "Compromise Software Supply Chain"
 reference = "https://attack.mitre.org/techniques/T1195/002/"
 
 
-[[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
-
 
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
 
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
 
 [rule.threat.tactic]
 id = "TA0002"
