Skip to content

Commit 7186803

Browse files
nterl0knterl0k
authored
Update o365_excessive_os_vendors_authenticating_from_user.yml
1 parent d9e1183 commit 7186803

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

detections/cloud/o365_excessive_os_vendors_authenticating_from_user.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,7 @@ drilldown_searches:
3434
earliest_offset: $info_min_time$
3535
latest_offset: $info_max_time$
3636
- name: Investigate logons from $user$
37-
search: '`o365_management_activity` Operation IN (UserLoginFailed,UserLoggedIn) $user|s$'
37+
search: '`o365_management_activity` Operation IN (UserLoginFailed,UserLoggedIn) "$user$"'
3838
earliest_offset: $info_min_time$
3939
latest_offset: $info_max_time$
4040
tags:

0 commit comments

Comments
 (0)