From 8664ef59f47dc5cea783bf7124c680b6a47db9fa Mon Sep 17 00:00:00 2001
From: Jonhnathan <jonhnathancesar@gmail.com>
Date: Tue, 22 Feb 2022 15:26:28 -0300
Subject: [PATCH] Update
 persistence_azure_conditional_access_policy_modified.toml (#1788)

---
 ...sistence_azure_conditional_access_policy_modified.toml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
index ef3b874a3..fc6635d00 100644
--- a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
+++ b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/02/20"
 integration = "azure"
 
 [rule]
@@ -30,11 +30,7 @@ type = "query"
 
 query = '''
 event.dataset:(azure.activitylogs or azure.auditlogs) and
-  (
-    azure.activitylogs.operation_name:"Update policy" or
-    azure.auditlogs.operation_name:"Update policy"
-  ) and
-  event.outcome:(Success or success)
+event.action:"Update conditional access policy" and event.outcome:(Success or success)
 '''