This commit is contained in:
Shain 2023-10-05 20:39:59 -07:00
Parent 33092ff490
Commit 5552658306
5 changed files: 8 additions and 8 deletions


@ -1,7 +1,7 @@
id: 643c2025-9604-47c5-833f-7b4b9378a1f5
name: Failed AzureAD logons but success logon to AWS Console
description: |
'Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.
'Identifies a list of IP addresses with a minimum number (defualt of 5) of failed logon attempts to Azure Active Directory.
Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.'
severity: Medium
requiredDataConnectors:
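Review bot: the replacement description line still misspells "default" as "defualt" ("a minimum number (defualt of 5)"); since this hunk only adds a space before the parenthesis, fix the spelling in the same change so the three sibling rules read identically: "a minimum number (default of 5) of failed logon attempts". The untouched name field "Failed AzureAD logons but success logon to AWS Console" also reads awkwardly; "successful logon" would be clearer, but note that renaming a rule may affect anything that references it by name, so that is a separate decision.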


@ -1,8 +1,8 @@
id: ba144bf8-75b8-406f-9420-ed74397f9479
name: IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN
description: |
This query creates a list of IP addresses with a number failed login attempts to AAD
above a set threshold. It then looks for any successful Palo Alto VPN logins from any
This query creates a list of IP addresses with the number of failed login attempts to AAD
above a set threshold ( default of 5 ). It then looks for any successful Palo Alto VPN logins from any
of these IPs within the same timeframe.
severity: Medium
requiredDataConnectors:
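Review bot: style point on the new threshold wording: "( default of 5 )" carries spaces inside the parentheses, unlike the "(default of 5)" form used in the other rule descriptions in this commit; change it to "above a set threshold (default of 5)" for consistency. The grammar fix from "a number failed login attempts" to "the number of failed login attempts" is good.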


@ -1,7 +1,7 @@
id: 910124df-913c-47e3-a7cd-29e1643fa55e
name: Failed AWS Console logons but success logon to AzureAD
description: |
'Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.
'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to AWS Console.
Uses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.'
severity: Medium
requiredDataConnectors:
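Review bot: the "numbe" to "number" fix is correct and the description now matches the intended wording; the remaining rough edge is the unchanged name line, "Failed AWS Console logons but success logon to AzureAD", where "success logon" should read "successful logon" if the rule name is ever revised.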


@ -1,9 +1,9 @@
id: 99d589fa-7337-40d7-91a0-c96d0c4fa437
name: Account created from non-approved sources
description: |
'This query looks for account being created from a domain that is not regularly seen in a tenant.
'This query looks for an account being created from a domain that is not regularly seen in a tenant.
Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment.
Created accounts should be investigated to ensure they were legitimated created.
Created accounts should be investigated to confirm expected creation.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts'
severity: Medium
requiredDataConnectors:
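Review bot: the context line "establishing persistant access" still misspells "persistent"; since this hunk already rewrites two neighbouring description lines, correct that typo here rather than in a follow-up commit. The rewrite of "legitimated created" to "to confirm expected creation" is clear, and the Ref URL is preserved unchanged.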


@ -1,8 +1,8 @@
id: 66276b14-32c5-4226-88e3-080dacc31ce1
name: Audit policy manipulation using auditpol utility
description: |
This detects attempt to manipulate audit policies using auditpol command.
This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.
This detects attempts to manipulate audit policies using auditpol command.
This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.
The process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but
if the results show unrelated false positives, users may want to uncomment it.
Refer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol
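Review bot: the singular-to-plural fix ("attempt" to "attempts") is right, but the same two lines still lack articles: "using auditpol command" should read "using the auditpol command" and "in relation to Solorigate attack" should read "in relation to the Solorigate attack". The guidance about leaving the process name commented out because an adversary could rename the binary is a useful note for analysts tuning the rule; consider wording it as "keep the process name filter commented out" so it is clear which line of the query is meant.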