From da69b2f531332e072be94a75e8ca525db9bc82b4 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 22:09:27 +0000
Subject: [PATCH] Update

---
 ..._suspicious_oauth_app_file_download_activities.yml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
index d795148d8..91cbe32c1 100644
--- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
+++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
@@ -1,14 +1,14 @@
 title: Microsoft 365 - Suspicious OAuth app file download activities
 id: ee111937-1fe7-40f0-962a-0eb44d57d174
 status: experimental
-description: Detects when a Microsoft Cloud App Security reported
+description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.
 author: Austin Songer @austinsonger
-date: 2021/08/22
+date: 2021/08/23
 references:
 - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
 - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
- category:
+ category: ThreatManagement
 service: m365
 detection:
 selection:
@@ -17,8 +17,7 @@ detection:
 status: success
 condition: selection
 falsepositives:
- - Unknown
 level: medium
 tags:
- - attack.initial_access
- -
\ No newline at end of file
+ - attack.exfiltration
\ No newline at end of file
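Review bot: The new `description` line is still ungrammatical ("Detects when a Microsoft Cloud App Security reported when an app downloads …") and should state who reports and what is detected, e.g. `description: Detects when Microsoft Cloud App Security (MCAS) reports that an OAuth app downloaded multiple files from SharePoint or OneDrive in a manner that is unusual for the user.` The added `category: ThreatManagement` is plausible for MCAS alerts surfaced through the Microsoft 365 audit log, but the `selection:` block that decides which alert this rule actually matches begins on the hunk's last line and continues outside the hunk, so the pairing of this logsource with the selection fields cannot be checked here. If the selection keys on an alert name, it would be worth noting that name in the description so analysts can map the rule back to the MCAS anomaly policy cited in `references`.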
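Review bot: `tags` now carries only the tactic `attack.exfiltration`; Sigma rules commonly pair a tactic with at least one technique, and bulk file download from SharePoint/OneDrive by an app maps to a collection technique such as `attack.t1530` (Data from Cloud Storage Object) — confirm the mapping against the MCAS policy before adding it. `falsepositives: - Unknown` gives triage no help; MCAS anomaly policies of this kind are known to fire on legitimately authorized sync, backup, or migration apps, so something like `- Legitimate third-party apps approved for bulk sync, backup, or tenant migration` would be more useful. Both the removed and the added final line lack a trailing newline (`\ No newline at end of file`); add one so the YAML file ends cleanly. The context line `status: success` belongs to the selection block that starts outside this hunk, so its role in the match cannot be reviewed here.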