From 12e65474a849755409c32850f150bd8c6166e26d Mon Sep 17 00:00:00 2001
From: ehudk-msft <73052016+ehudk-msft@users.noreply.github.com>
Date: Sat, 31 Oct 2020 00:52:42 +0200
Subject: [PATCH] Update Threat Intel Matches to GitHub Audit Logs.yaml

---
 .../GitHub/Threat Intel Matches to GitHub Audit Logs.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Detections/GitHub/Threat Intel Matches to GitHub Audit Logs.yaml b/Detections/GitHub/Threat Intel Matches to GitHub Audit Logs.yaml
index 66b7e873a9..e58670b7dc 100644
--- a/Detections/GitHub/Threat Intel Matches to GitHub Audit Logs.yaml
+++ b/Detections/GitHub/Threat Intel Matches to GitHub Audit Logs.yaml
@@ -32,7 +32,7 @@ query: |
 | where TimeGenerated >= ago(24h)
 | extend GitHubAudit_TimeGenerated = TimeGenerated
 )
- on on $left.TI_ipEntity == $right.IPaddress
+ on $left.TI_ipEntity == $right.IPaddress
 | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
 | extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor
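Review bot: Now that the join key parses, the `| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId` on the line after it still collapses every GitHub audit event matched to an indicator into one row, so a second actor or action from the same indicator IP within the 24h window is silently dropped from the alert and never surfaces as an `AccountCustomEntity`. If one alert per indicator is not the intent, group by the audit-side event as well, e.g. `| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId, IPaddress, Actor, Action, GitHubAudit_TimeGenerated`. The `join` keyword and its kind sit above the hunk; if it relies on the default `innerunique`, the left (TI) side is also deduplicated on the key before matching, which is worth confirming against the expected alert volume. The enclosing `query:` block starts before this hunk.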