Update

rules/cloud/m365/microsoft365_activity_by_terminated_user.yml

@@ -20,4 +20,4 @@ falsepositives:
     - Unknown
 level: medium
 tags:
-    - attack.impact
+    - attack.impact

rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml

@@ -21,4 +21,4 @@ falsepositives:
 level: medium
 tags:
     - attack.command_and_control
-    - attack.t1573
+    - attack.t1573

rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml

@@ -21,4 +21,4 @@ falsepositives:
 level: medium
 tags:
     - attack.command_and_control
-    - attack.t1573
+    - attack.t1573

rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml

@@ -1,24 +0,0 @@
-title: Microsoft 365 - Activity from anonymous IP addresses
-id: d8b0a4fe-07a8-41be-bd39-b14afa025d95
-status: experimental
-description: Detects when a Microsoft Cloud App Security reported 
-author: Austin Songer @austinsonger
-date: 2021/08/23
-references:
-    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
-    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
-logsource:
-    category: 
-    service: m365
-detection:
-    selection:
-        eventSource: SecurityComplianceCenter
-        eventName: "Activity from anonymous IP addresses"
-        status: success
-    condition: selection
-falsepositives:
-    - 
-level: medium
-tags:
-    - attack.initial_access
-    - 

rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml

@@ -21,4 +21,4 @@ falsepositives:
 level: medium
 tags:
     - attack.command_and_control
-    - attack.t1573
+    - attack.t1573

rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml

@@ -21,4 +21,4 @@ falsepositives:
 level: low
 tags:
     - attack.exfiltration
-    - attack.t1020
+    - attack.t1020

rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml

@@ -21,4 +21,3 @@ falsepositives:
 level: medium
 tags:
     - attack.exfiltration
-