Merge pull request #45 from f-bader/bugfix/44

Add additional check if subTechnique already exists

README.md

@@ -179,6 +179,12 @@ This way the following KQL query will be converted...
 
 ## Changelog
 
+### 2.4.4
+ * FIX: Duplicated MITRE subTechniques in rare cases
+
+### 2.4.3
+ * FIX: Fix upstream issues with [powershell-yaml](https://github.com/cloudbase/powershell-yaml)
+
 ### 2.4.2
  * FIX: Arm to YAML used `techniques` instead of `relevantTechniques`
 

src/SentinelARConverter.psd1

@@ -12,7 +12,7 @@
     RootModule        = 'SentinelARConverter.psm1'
 
     # Version number of this module.
-    ModuleVersion     = '2.4.3'
+    ModuleVersion     = '2.4.4'
 
     # Supported PSEditions
     # CompatiblePSEditions = @()

src/public/Convert-SentinelARArmToYaml.ps1

@@ -358,11 +358,14 @@ function Convert-SentinelARArmToYaml {
                             if ( -not $AnalyticsRuleCleaned.Contains($KeyName) ) {
                                 $AnalyticsRuleCleaned.Add($KeyName, @())
                             }
-                            # Add subTechnique if the mainTechnique is not already present
-                            if (-not($AnalyticsRuleCleaned[$KeyName].contains($technique))) {
+
+                            if ( $AnalyticsRuleCleaned[$KeyName].contains($value) ) {
+                                # Do nothing if subTechnique is already present
+                            } elseif (-not($AnalyticsRuleCleaned[$KeyName].contains($technique))) {
+                                # Add subTechnique if the mainTechnique is not already present
                                 $AnalyticsRuleCleaned[$KeyName] += $value
-                                # Replace mainTechnique with subTechnique
                             } else {
+                                # Replace mainTechnique with subTechnique
                                 $AnalyticsRuleCleaned[$KeyName][$AnalyticsRuleCleaned[$KeyName].indexOf($technique)] = $value
                             }
                         }