From 47502e67011bfca75b176f1112206be0d5873f44 Mon Sep 17 00:00:00 2001
From: Stefan Grimminck
Date: Wed, 20 Oct 2021 14:29:57 +0200
Subject: [PATCH] add MITRE technique mapping
---
 rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml | 1 +
 rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml
index b7bcf6e10..d6d22c653 100644
--- a/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml
+++ b/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml
@@ -18,3 +18,4 @@ falsepositives:
 level: medium
 tags:
 - attack.impact
+ - attack.t1485
diff --git a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml
index 342d57448..1ffc14959 100644
--- a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml
+++ b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml
@@ -18,6 +18,7 @@ detection:
 level: low
 tags:
 - attack.impact
+ - attack.t1485
 falsepositives:
 - EKS Cluster being created or deleted may be performed by a system administrator.
 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
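Review bot: The new `- attack.t1485` tag (Data Destruction) is attached to whole rules whose names cover more than destruction: the EFS rule is "mount modified or deleted" and the EKS rule in the second hunk is "cluster created or deleted", which its false-positive text also says. If the detection sections, which lie outside both hunks, match create or modify events as the names suggest, those alerts will be labelled as data destruction in ATT&CK coverage maps and triage views. Consider splitting each rule per event, or at least documenting the scope next to the tag, e.g. `# t1485 applies to the delete events only`. For the EFS rule it is also worth confirming that removing a mount target destroys data rather than only cutting access to it, since that decides whether T1485 is the right technique at all.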