updating test section as both dataset need to be indexed together

patel-bhavin · patel-bhavin · commit d81372958888 · 2025-02-28T14:29:32.000-08:00
diff --git a/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml
@@ -81,8 +81,6 @@ tests:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
     source: o365
     sourcetype: o365:management:activity
-- name: True Positive Test
-  attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log
     source: o365_messagetrace
     sourcetype: o365:reporting:messagetrace	
diff --git a/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml
@@ -26,7 +26,7 @@ search: |-
     | bin _time span=4hr
     | eval InternetMessageId = lower(InternetMessageId), user = lower(UserId), subject = Subject
     ]
-  | stats values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(ClientProcessName) as process, values(Folder.Path) as file_path, values(Operation) as signature, values(ResultStatus) as result, values(InternetMessageId) as signature_id, count, min(mailtime) as firstTime, max(deltime) as lastTime by user,subject
+  | stats values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Folder.Path) as file_path, values(Operation) as signature, values(ResultStatus) as result, values(InternetMessageId) as signature_id, count, min(mailtime) as firstTime, max(deltime) as lastTime by user,subject
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)`
   | `o365_email_receive_and_hard_delete_takeover_behavior_filter`
@@ -82,8 +82,6 @@ tests:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
     source: o365
     sourcetype: o365:management:activity
-- name: True Positive Test
-  attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log
     source: o365_messagetrace
     sourcetype: o365:reporting:messagetrace
diff --git a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml
@@ -84,8 +84,6 @@ tests:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
     source: o365
     sourcetype: o365:management:activity
-- name: True Positive Test
-  attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log
     source: o365_messagetrace
     sourcetype: o365:reporting:messagetrace
diff --git a/detections/cloud/o365_email_send_attachments_excessive_volume.yml b/detections/cloud/o365_email_send_attachments_excessive_volume.yml
@@ -79,8 +79,6 @@ tests:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
     source: o365
     sourcetype: o365:management:activity
-- name: True Positive Test
-  attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log
     source: o365_messagetrace
     sourcetype: o365:reporting:messagetrace
