From be162b95829e33e4262326c8ab4edff6d76effa1 Mon Sep 17 00:00:00 2001
From: dluxtron <106139814+dluxtron@users.noreply.github.com>
Date: Thu, 27 Jun 2024 06:58:32 +1000
Subject: [PATCH] fixing yaml

---
 .../windows_ad_dangerous_deny_acl_modification.yml | 5 +++--
 detections/cloud/azure_ad_privileged_role_assigned.yml | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/detections/application/windows_ad_dangerous_deny_acl_modification.yml b/detections/application/windows_ad_dangerous_deny_acl_modification.yml
index 1229261bbc..f5895b853d 100644
--- a/detections/application/windows_ad_dangerous_deny_acl_modification.yml
+++ b/detections/application/windows_ad_dangerous_deny_acl_modification.yml
@@ -8,7 +8,8 @@ type: TTP
 data_source:
 - Windows Security 5136
 description: ACL modification event denying the ability to enumerate permissions.
-search: '`wineventlog_security` EventCode=5136
+search: >-
+ `wineventlog_security` EventCode=5136
 | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId
 | rex field=old_value max_match=10000 "\((?P.*?)\)"
 | rex field=new_value max_match=10000 "\((?P.*?)\)"
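Review bot: Switching `search` to a `>-` folded scalar makes the value depend on the indentation of the unchanged `| stats` and `| rex` continuation lines, which this rendering does not preserve: each of them must be indented at least as far as the new `` `wineventlog_security` EventCode=5136 `` line or YAML closes the block early, and any line indented deeper than that first line keeps a literal newline instead of being folded into a space. The old single-quoted form was presumably breaking on the unescaped `'aceControlAccessRights'` field reference visible in this file's second hunk, which a block scalar handles without `''` escaping, so the fix is the right shape. It is worth confirming with a YAML parse that `search` comes out as a single line ending in the `windows_ad_dangerous_deny_acl_modification_filter` macro call, and the same indentation check applies to that trailing macro line in the second hunk.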
@@ -29,7 +30,7 @@ search: '`wineventlog_security` EventCode=5136
 | stats values(aceType) as aceType values(aceFlags) as aceFlags values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) as aceInheritedTypeGuid by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID
 | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",'aceControlAccessRights')
 | search aceType IN ("Access denied",D) AND aceAccessRights IN ("Full control","Read permissions",RC)
- | `windows_ad_dangerous_deny_acl_modification_filter`'
+ | `windows_ad_dangerous_deny_acl_modification_filter`
 how_to_implement: See link in references for how to configure logging for these eventcodes. Include lookups for SID resolution if evt_resolve_ad_obj is set to 0.
 known_false_positives: None.
 references:
diff --git a/detections/cloud/azure_ad_privileged_role_assigned.yml b/detections/cloud/azure_ad_privileged_role_assigned.yml
index 5e5313d90e..a59deb4212 100644
--- a/detections/cloud/azure_ad_privileged_role_assigned.yml
+++ b/detections/cloud/azure_ad_privileged_role_assigned.yml
@@ -2,7 +2,7 @@ name: Azure AD Privileged Role Assigned
 id: a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a
 version: 4
 date: '2024-06-25'
-author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
+author: Mauricio Velazco, Gowthamaraj Rajendran, Dean Luxton, Splunk
 status: production
 type: TTP
 description: The following analytic identifies the assignment of sensitive and privileged