From 101b781beffbf8ecd87bcffeba471a511fd5c9f2 Mon Sep 17 00:00:00 2001
From: Trevor Miller
Date: Thu, 20 Jan 2022 03:32:30 -0800
Subject: [PATCH] [Rule Tuning] O365 Excessive Single Sign-On Logon Errors (#1680)
* Change event.category to authentication
The original had the event.category as "web" the correct value is "authentication"
* Changed updated_date to todays date
Co-authored-by: Jonhnathan
---
 .../credential_access_user_excessive_sso_logon_errors.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
index 575ba4890..34a157ec8 100644
--- a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
+++ b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/05/17"
 maturity = "production"
-updated_date = "2021/10/11"
+updated_date = "2021/12/30"
 integration = "o365"
 
 [rule]
@@ -32,7 +32,7 @@
 type = "threshold"
 
 query = '''
-event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:web and o365.audit.LogonError:"SsoArtifactInvalidOrExpired"
+event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:"SsoArtifactInvalidOrExpired"
 '''
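Review bot: The rewritten query on the `+` line of the second hunk now matches only documents carrying `event.category:authentication`, so any deployment whose O365 integration still tags these Azure AD logon-failure events as `event.category:web` (the value the rule used until now) will silently produce zero hits from this threshold rule instead of an error. Nothing in this hunk pins an integration or stack version that guarantees the new category, and the `[rule]` table — including its `index` patterns and `threshold` settings — starts and ends outside the hunk, so I cannot tell whether such a constraint exists. A transitional filter, `event.category:(web or authentication)`, keeps the rule firing under both mappings, and because a document either matches the query or does not, widening the category clause does not change how the threshold counts it; if the author has confirmed every supported integration version now emits `authentication`, a short comment above `query = '''` stating that, e.g. `# event.category is "authentication" for AzureActiveDirectory UserLoginFailed in the o365 integration; older Filebeat module versions used "web"`, would let the next tuner see why the value changed.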