From b41c8c2902dd38f8e514096b11b31b45a8bd0ed6 Mon Sep 17 00:00:00 2001
From: pyth0n1c
Date: Tue, 13 Aug 2024 13:28:52 -0700
Subject: [PATCH] Fixed naming of fields
---
 detections/endpoint/crowdstrike_medium_severity_alert.yml | 4 ++--
 .../crowdstrike_privilege_escalation_for_non_admin_user.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/detections/endpoint/crowdstrike_medium_severity_alert.yml b/detections/endpoint/crowdstrike_medium_severity_alert.yml
index ff760f1983..c71c3192db 100644
--- a/detections/endpoint/crowdstrike_medium_severity_alert.yml
+++ b/detections/endpoint/crowdstrike_medium_severity_alert.yml
@@ -53,8 +53,8 @@ tags:
 risk_score: 49
 security_domain: endpoint
 manual_test: This detection is marked manual test because the attack_data file and
- TA do not provide the src_host and src_ip fields. src_host is required to be
- present for the Risk Message Validation Integration Testing.
+ TA do not provide the event.EndpointIp and event.EndpointName fields. event.EndpointName
+ is required to be present for the Risk Message Validation Integration Testing.
 This will be investigated and is a tracked issue.
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml b/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml
index 8e5a7337fd..b02ac4a1ad 100644
--- a/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml
+++ b/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml
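Review bot: The rewritten `manual_test` note still closes with "This will be investigated and is a tracked issue." without identifying the issue, so a reader of this file cannot locate the tracking item or tell when the manual-test flag can be removed; the identical text is repeated in the second hunk (crowdstrike_privilege_escalation_for_non_admin_user.yml). Closing the note with the tracker reference would fix this, e.g. `This will be investigated and is a tracked issue (<ISSUE-ID placeholder>).` with the real id substituted in both files. The note now names the raw event.EndpointIp and event.EndpointName fields where the old text named src_host and src_ip; if the detection's search still normalises these into src_host/src_ip for the risk message, it would help to state which field name the Risk Message Validation check actually expects, since the search itself is outside this hunk and I cannot confirm that from here.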
@@ -53,8 +53,8 @@ tags:
 risk_score: 49
 security_domain: endpoint
 manual_test: This detection is marked manual test because the attack_data file and
- TA do not provide the src_host and src_ip fields. src_host is required to be
- present for the Risk Message Validation Integration Testing.
+ TA do not provide the event.EndpointIp and event.EndpointName fields. event.EndpointName
+ is required to be present for the Risk Message Validation Integration Testing.
 This will be investigated and is a tracked issue.
 tests:
 - name: True Positive Test