updated tags and linted

terrancedejesus · terrancedejesus · commit d8087096bf53 · 2025-10-27T13:18:52.000-04:00
diff --git a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
@@ -59,16 +59,18 @@ Azure Diagnostic Settings are crucial for monitoring and logging platform activi
 """
 references = [
     "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings",
-    "https://www.microsoft.com/en-us/security/blog/2025/10/20/inside-the-attack-chain-threat-activity-targeting-azure-blob-storage/"]
+    "https://www.microsoft.com/en-us/security/blog/2025/10/20/inside-the-attack-chain-threat-activity-targeting-azure-blob-storage/",
+]
 risk_score = 47
 rule_id = "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de"
 severity = "medium"
 tags = [
     "Domain: Cloud",
     "Data Source: Azure",
     "Data Source: Azure Activity Logs",
+    "Use Case: Threat Detection",
     "Tactic: Defense Evasion",
-    "Resources: Investigation Guide"
+    "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -79,18 +81,6 @@ event.dataset:azure.activitylogs
     and event.outcome:(Success or success)
 '''
 
-[rule.investigation_fields]
-field_names = [
-    "@timestamp",
-    "event.action",
-    "source.ip",
-    "azure.activitylogs.identity.authorization.evidence.principal_type",
-    "azure.activitylogs.identity.authorization.evidence.role_assignment_scope",
-    "azure.activitylogs.properties.entity",
-    "azure.activitylogs.identity.claims.appid",
-    "azure.resource.name",
-    "azure.resource.provider"
-]
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -109,11 +99,25 @@ name = "Disable or Modify Cloud Logs"
 reference = "https://attack.mitre.org/techniques/T1562/008/"
 
 
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "event.action",
+    "source.ip",
+    "azure.activitylogs.identity.authorization.evidence.principal_type",
+    "azure.activitylogs.identity.authorization.evidence.role_assignment_scope",
+    "azure.activitylogs.properties.entity",
+    "azure.activitylogs.identity.claims.appid",
+    "azure.resource.name",
+    "azure.resource.provider",
+]
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["azure.resource.group"]
