From 70d1e6d0f3ab384ffa7d5b508bfb603de4e58d79 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 22 Nov 2021 22:45:35 -0600
Subject: [PATCH] Update azure_kubernetes_cronjob.yml
---
 rules/cloud/azure/azure_kubernetes_cronjob.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/cloud/azure/azure_kubernetes_cronjob.yml b/rules/cloud/azure/azure_kubernetes_cronjob.yml
index 14b801150..fe86dc939 100644
--- a/rules/cloud/azure/azure_kubernetes_cronjob.yml
+++ b/rules/cloud/azure/azure_kubernetes_cronjob.yml
@@ -15,10 +15,13 @@ logsource:
 detection:
 selection1:
 properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH/CRONJOBS/WRITE
+ selection2:
 properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH/JOBS/WRITE
+ selection3:
 properties.message: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH/CRONJOBS/WRITE
+ selection4:
 properties.message: ICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH/JOBS/WRITE
- condition: selection1
+ condition: selection1 or selection2 or selection3 or selection4
 level: medium
 tags:
 - attack.persistence
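Review bot: The value under the new `selection4` key is `ICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH/JOBS/WRITE`, missing its leading `M`. A Sigma value with no wildcard is compared against the whole field, so this branch of the `or` condition can presumably never match, and job writes on managed clusters would go unalerted. The typo sits on a context line, so it predates this commit, but splitting the values into separate selections is the point where it starts to matter; the line should read `properties.message: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH/JOBS/WRITE`. As a style point, the four values could instead be a list under one `properties.message` key in a single selection, which keeps the condition a plain `selection`.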