[bug] MITRE tactics messed up in json-timeline for some rule hits #1573

@crayy8

Describe the bug
I am testing against the hayabusa-sample-evtx-main dataset and noticed with both regular and live response hayabusa that "MitreTactics" in the json-timeline is messed up sometimes. There are only three examples from the above dataset and they all seem to apply to correlation rules. The vast majority of rule hits properly show the MITRE tactic as just "credaccess".

Example: [screenshot]

Command to find where this is happening: [screenshot]

Rules that have this issue:

  • 2 hits were found for "PW Spray" in Sec_4648_Med_ExplicitLogon_PW-Spray_Correlation.yml
  • 1 hit was found for "" in "PW Guessing" in Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Correlation.yml

Steps to Reproduce
Steps to reproduce the behavior:

  1. Using latest hayabusa and latest ruleset process the hayabusa-sample-evtx-main sample dataset using a command like "hayabusa-3.0.1-win-x64.exe json-timeline -d ..\hayabusa-sample-evtx-main -o test.json -C -w -a -A -K"
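As an added triage example (not part of this issue or of Hayabusa's own code), the following Python check scans JSONL json-timeline output and reports, per rule title, every hit whose MitreTactics value is empty, contains blank entries or is not a known tactic abbreviation. It assumes one JSON object per line with "RuleTitle" and "MitreTactics" keys (string or list) and the tactic abbreviations listed in the Hayabusa README; the sample lines are constructed, not real output from the dataset.

```python
"""Flag Hayabusa json-timeline hits whose MitreTactics field looks malformed."""
import json
from collections import defaultdict

# Tactic abbreviations as documented in the Hayabusa README. Assumption: the
# JSON field uses these short names; matched case-insensitively ("credaccess").
KNOWN_TACTICS = {
    "recon", "resdev", "initaccess", "exec", "persis", "privesc", "evas",
    "credaccess", "disc", "latmov", "collect", "c2", "exfil", "impact",
}

# Constructed sample lines in the assumed shape of JSONL json-timeline output;
# the second and third mimic the correlation-rule symptom from the report.
SAMPLE_JSONL = """\
{"Timestamp":"2019-11-01 12:00:00","RuleTitle":"Logon Fail","Level":"med","MitreTactics":"CredAccess"}
{"Timestamp":"2019-11-01 12:00:05","RuleTitle":"PW Spray","Level":"med","MitreTactics":"CredAccess, , CredAccess"}
{"Timestamp":"2019-11-01 12:00:09","RuleTitle":"PW Guessing","Level":"med","MitreTactics":""}
{"Timestamp":"2019-11-01 12:00:12","RuleTitle":"Logon Fail","Level":"med","MitreTactics":["CredAccess"]}
"""


def tactic_tokens(value):
    """Normalise MitreTactics (string or list) into a list of stripped tokens."""
    items = value if isinstance(value, list) else str(value).split(",")
    return [str(t).strip() for t in items]


def find_bad_tactics(jsonl_text):
    """Map RuleTitle -> raw MitreTactics values that are empty, contain blank
    entries, or include a tactic outside KNOWN_TACTICS."""
    bad = defaultdict(list)
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        hit = json.loads(line)
        raw = hit.get("MitreTactics", "")
        tokens = tactic_tokens(raw)
        ok = bool(tokens) and all(t and t.lower() in KNOWN_TACTICS for t in tokens)
        if not ok:
            bad[hit.get("RuleTitle", "<no title>")].append(raw)
    return dict(bad)


if __name__ == "__main__":
    for title, values in find_bad_tactics(SAMPLE_JSONL).items():
        print(f"{len(values)} hit(s) for {title!r}: MitreTactics={values!r}")
```

Run it against a real timeline by replacing SAMPLE_JSONL with the file contents; a clean timeline returns an empty dict.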

Labels: bug