From 9a9f0cf5945fb1ce0aa5fc4e5d45aab0fc7258ed Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 10:44:06 -0500
Subject: [PATCH] Update azure_kubernetes_events_deleted.yml

---
 rules/cloud/azure_kubernetes_events_deleted.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/cloud/azure_kubernetes_events_deleted.yml b/rules/cloud/azure_kubernetes_events_deleted.yml
index 4693d487b..775c650a0 100644
--- a/rules/cloud/azure_kubernetes_events_deleted.yml
+++ b/rules/cloud/azure_kubernetes_events_deleted.yml
@@ -10,14 +10,14 @@ references:
 logsource:
 service: azure.activitylogs
 detection:
- selection_operationname:
+ selection_operation_name:
 - properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
- condition: all of them
+ condition: selection_operation_name
 level: medium
 tags:
 - attack.defense_evasion
 - attack.t1562
 - attack.t1562.001
 falsepositives:
-- Events deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+- Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
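Review bot: The rewritten falsepositives entry is only half-fixed: its first sentence now says `Event deletions` but the third sentence still reads `Events deletions from unfamiliar users or hosts should be investigated.`, so the same wording error survives on the new line; change that sentence to `Event deletions from unfamiliar users or hosts should be investigated.`. Separately, the selection is renamed to selection_operation_name but still matches on `properties.message`, while the value it matches is an operation-name string; if the azure.activitylogs source carries the operation name in a different field (Azure activity-log events expose it as operationName), this rule would never fire, so it is worth confirming the field against a sample delete event before relying on it. The switch from `all of them` to naming the single selection is correct, since there is only one selection to combine.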