From 0a18b42445f5e78af3ebdfbbacd02c2ecda105a9 Mon Sep 17 00:00:00 2001
From: Austin Songer <austin@songer.pro>
Date: Fri, 26 Nov 2021 11:41:33 -0600
Subject: [PATCH] Update azure_unusual_authentication_interruption.yml

---
 .../azure/azure_unusual_authentication_interruption.yml     | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/cloud/azure/azure_unusual_authentication_interruption.yml b/rules/cloud/azure/azure_unusual_authentication_interruption.yml
index 3ce409cf1..397ea2b05 100644
--- a/rules/cloud/azure/azure_unusual_authentication_interruption.yml
+++ b/rules/cloud/azure/azure_unusual_authentication_interruption.yml
@@ -10,13 +10,13 @@ logsource:
   product: azure
   service: azure.signinlogs
 detection:
-  selection:
+  selection1:
     ResultType: 50097
     ResultDescription: 'Device authentication is required'
-  selection:
+  selection2:
     ResultType: 50155
     ResultDescription: 'DeviceAuthenticationFailed'
-  selection:
+  selection3:
     ResultType: 50158
     ResultDescription: 'ExternalSecurityChallenge - External security challenge was not satisfied'
     condition: selection1 or selection2 or selection3