From 697b23ff0829db671aa125278cc9bf5e6f6ec68d Mon Sep 17 00:00:00 2001
From: mvelazco <mauricio.velazco@gmail.com>
Date: Thu, 26 Oct 2023 18:04:33 -0400
Subject: [PATCH] typo

---
 .../cloud/o365_block_user_consent_for_risky_apps_disabled.yml   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml b/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml
index 7af6c7353f..293aace484 100644
--- a/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml
+++ b/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml
@@ -9,7 +9,7 @@ data_source:
 - UPDATE_DATA_SOURCE
 description: UPDATE_DESCRIPTION
 search: >
-  `o365_management_activity` `Workload=AzureActiveDirectory Operation="Update authorization policy."
+  `o365_management_activity` Workload=AzureActiveDirectory Operation="Update authorization policy."
   | eval index_number = if(mvfind('ModifiedProperties{}.Name', "AllowUserConsentForRiskyApps") >= 0, mvfind('ModifiedProperties{}.Name', "AllowUserConsentForRiskyApps"), -1)
   | search index_number >= 0 
   | eval AllowUserConsentForRiskyApps = mvindex('ModifiedProperties{}.NewValue',index_number)