From ce658f9e1c6388b6059e404d8cf93730183579de Mon Sep 17 00:00:00 2001
From: keyboardcrunch <40863898+keyboardcrunch@users.noreply.github.com>
Date: Fri, 18 Dec 2020 13:43:47 -0600
Subject: [PATCH] Update sunburst_campaign.yml
---
 queries/apt/sunburst_campaign.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/queries/apt/sunburst_campaign.yml b/queries/apt/sunburst_campaign.yml
index 4b99cb8..8513635 100644
--- a/queries/apt/sunburst_campaign.yml
+++ b/queries/apt/sunburst_campaign.yml
@@ -12,6 +12,7 @@ query: DstIp In ("13.59.205.66","54.193.127.66","54.215.192.52","34.203.203.23",
 false_positives:
 tags:
 - UNC2452
+ - DarkHalo
 - SolarWinds
 references:
 - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
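Review bot: The new `- DarkHalo` tag has no matching source under `references:`; the only reference visible in the hunk is the FireEye post, which tracks the actor as UNC2452, so an analyst cannot tell where the alias comes from. Consider adding the Volexity report that introduced the Dark Halo name to that list; the list may continue past the end of the hunk, in which case this is already covered. Separately, the `false_positives:` key in the context lines is still empty although the query matches fixed destination IPs, and a hit stops being meaningful once such an address is reassigned. A short entry there, for example `false_positives: listed IPs may be reassigned to unrelated hosts after the campaign`, would help triage.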