Fixing some typos, also changing name back to original for the NewAppOrServicePrincipalCred detection as this is already published in the UX and I don't want to affect discovery of this.

2020-12-20 13:18:15 -08:00 · 2020-12-20 13:18:15 -08:00 · 2a44560530
--- a/Detections/AuditLogs/FirstAppOrServicePrincipalCredential.yaml
+++ b/Detections/AuditLogs/FirstAppOrServicePrincipalCredential.yaml
@ -1,5 +1,5 @@
 id: 2cfc3c6e-f424-4b88-9cc9-c89f482d016a
-name: First access credential added to Application or Service Principal where now credential was present
+name: First access credential added to Application or Service Principal where no credential was present
 description: |
  'This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.
  If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.
@ -40,7 +40,6 @@ query: |
  | extend UserAgent = iff(AdditionalDetails[0].key == "User-Agent",tostring(AdditionalDetails[0].value),"")
  | extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
  | extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
-  // 
  // The below line is currently commented out but Azure Sentinel users can modify this query to show only Application or only Service Principal events in their environment
  //| where targetType =~ "Application" // or targetType =~ "ServicePrincipal"
  | project-away new_value_set, old_value_set
--- a/Detections/AuditLogs/NewAppOrServicePrincipalCredential.yaml
+++ b/Detections/AuditLogs/NewAppOrServicePrincipalCredential.yaml
@ -1,5 +1,5 @@
 id: 79566f41-df67-4e10-a703-c38a6213afd8
-name: Additional access credential added to Application or Service Principal
+name: New access credential added to Application or Service Principal
 description: |
  'This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.
  If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.
@ -42,7 +42,6 @@ query: |
  | extend UserAgent = iff(AdditionalDetails[0].key == "User-Agent",tostring(AdditionalDetails[0].value),"")
  | extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
  | extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
-  // 
  // The below line is currently commented out but Azure Sentinel users can modify this query to show only Application or only Service Principal events in their environment
  //| where targetType =~ "Application" // or targetType =~ "ServicePrincipal"
  | project-away diff, new_value_set, old_value_set
--- a/Queries/OfficeActivity/AnomolousUserAccessingOtherUsersMailbox.yaml
+++ b/Queries/OfficeActivity/AnomolousUserAccessingOtherUsersMailbox.yaml
@ -1,7 +1,7 @@
 id: 271e8881-3044-4332-a5f4-42264c2e0315
-name: Anomalous access to other users mailboxes.
+name: Anomalous access to other user's mailboxes
 description: |
-  'Looks for users accessing multiple other user's mailboxes or accessing multiple folders in another users mailbox'
+  'Identifies users accessing multiple other user's mailboxes or accessing multiple folders in another user's mailbox'
 requiredDataConnectors:
  - connectorId: Office365
    dataTypes: