changing operation order

2020-07-16 08:39:56 -07:00 · 2020-07-16 08:39:56 -07:00 · 7f6607ed7f
--- a/Detections/AzureDevOps/AzDOAdminGroupAdditions.yaml
+++ b/Detections/AzureDevOps/AzDOAdminGroupAdditions.yaml
@ -29,7 +29,7 @@ query: |
  ];
  AzureDevOpsAuditing
  | where TimeGenerated >= ago(timeframe)
-  | where OperationName == "Group.UpdateGroupMembership.Add" and Area == "Group"
+  | where Area == "Group" and OperationName == "Group.UpdateGroupMembership.Add"
  | where Details has 'Administrators'
  | where Details has "was added as a member of group" and (Details endswith '\\Project Administrators' or Details endswith '\\Project Collection Administrators')
  | parse Details with AddedIdentity ' was added as a member of group [' EntityName ']\\' GroupName