Minor search fixes for

observables

detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml

@@ -14,7 +14,7 @@ data_source:
 - Sysmon Event ID 9
 search: '`sysmon` EventCode=9 Device = \\Device\\Harddisk0\\DR0 NOT (Image IN("*\\Windows\\System32\\*",
   "*\\Windows\\SysWOW64\\*")) | stats count min(_time) as firstTime max(_time) as
-  lastTime by dest Image Device ProcessGuid ProcessId EventDescription EventCode
+  lastTime by Computer Image Device ProcessGuid ProcessId EventDescription EventCode
   | rename Computer as dest
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_master_boot_record_drive_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
@@ -41,7 +41,7 @@ tags:
   asset_type: Endpoint
   confidence: 100
   impact: 90
-  message: process accessing MBR $device$ on $dest$
+  message: process accessing MBR $Device$ on $dest$
   mitre_attack_id:
   - T1561.002
   - T1561

detections/endpoint/windows_root_domain_linked_policies_discovery.yml

@@ -13,7 +13,7 @@ data_source:
 - Powershell 4104
 search: '`powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText
   = "*.SearchRooT*" ScriptBlockText = "*.gplink*" | stats count min(_time) as firstTime
-  max(_time) as lastTime by EventCode ScriptBlockText Computer user_id |
+  max(_time) as lastTime by EventCode ScriptBlockText Computer user_id
   | rename Computer as dest, user_id as user 
   | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)`