minor update

patel-bhavin · web-flow · commit d9e118313457 · 2025-01-14T11:14:32.000-08:00
diff --git a/detections/cloud/o365_excessive_os_vendors_authenticating_from_user.yml b/detections/cloud/o365_excessive_os_vendors_authenticating_from_user.yml
@@ -7,7 +7,7 @@ status: production
 type: TTP
 description: The following analytic identifies when multiple operating systems are used to authenticate to Azure/EntraID/Office 365 by the same user account over a short period of time. This activity could be indicative of attackers enumerating various logon capabilities of Azure/EntraID/Office 365 and attempting to discover weaknesses in the organizational MFA or conditional access configurations. Usage of the tools like "MFASweep" will trigger this detection.
 data_source: 
-- Office 365 Universal Audit Log
+- O365
 search: '`o365_management_activity` Operation IN (UserLoginFailed,UserLoggedIn)
 | eval -time = _time
 | bin _time span=15m
@@ -50,7 +50,7 @@ tags:
   - name: src
     type: IP Address
     role:
-    - Victim
+    - Attacker
   - name: user
     type: User
     role:
