Update detections/cloud/azure_ad_successful_single_factor_authenticat…

…ion.yml

detections/cloud/azure_ad_successful_single_factor_authentication.yml

@@ -10,8 +10,8 @@ description: The following analytic identifies a successful authentication event
   This could be evidence of a missconfiguration, a policy violation or an account
   take over attempt that should be investigated
 data_source: []
-search: ' `azuread`  body.category=SignInLogs body.properties.authenticationRequirement=singleFactorAuthentication
-  body.properties.authenticationDetails{}.succeeded=true | rename body.properties.*
+search: ' `azuread`  category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication
+  properties.authenticationDetails{}.succeeded=true | rename properties.*
   as * |  stats values(userPrincipalName) by _time, ipAddress, appDisplayName, authenticationRequirement
   | `azure_ad_successful_single_factor_authentication_filter`'
 how_to_implement: You must install the latest version of  Splunk Add-on for Microsoft
@@ -30,7 +30,7 @@ tags:
   asset_type: Azure Active Directory
   confidence: 90
   impact: 50
-  message: Successful authentication for user $body.properties.userPrincipalName$
+  message: Successful authentication for user $properties.userPrincipalName$
     without MFA
   mitre_attack_id:
   - T1586
@@ -52,12 +52,12 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  - body.category
-  - body.properties.authenticationRequirement
-  - body.properties.authenticationDetails
-  - body.properties.userPrincipalName
-  - body.properties.ipAddress
-  - body.properties.appDisplayName
+  - category
+  - properties.authenticationRequirement
+  - properties.authenticationDetails
+  - properties.userPrincipalName
+  - properties.ipAddress
+  - properties.appDisplayName
   risk_score: 45
   security_domain: identity
 tests: