updated hunting query description

v-rusraut 2023-10-17 12:49:24 +05:30
Parent 3cc34a6854
Commit 81f7656820
4 changed files: 4 additions and 4 deletions

View file

@ -1,7 +1,7 @@
id: 5309ea6b-463c-4449-a3c4-2fc8ee0080ee
name: Admin privilege granted (Okta)
description: |
'Query checks for admin permissions granted to users/groups, often used by adversaries for access and privilege elevation. Verify known behavior and filter expected actions.'
'Query checks for admin permissions granted to users/groups, often used by adversaries for access and privilege elevation.'
description-detailed: |
'This query searches for successful grant of administrator permissions to user/groups. Adversaries often attempt to assign administrator permission to users/group to maintain access as well as to elevate privileges.
Please verify that the behavior is known and filter out anything that is expected.
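Review bot: under `description: |` (a YAML literal block scalar) the single quotes wrapping 'Query checks for admin permissions granted to users/groups ...' are kept verbatim as part of the string value, so the rendered description will start and end with a quote character; either drop the quotes or drop the `|` and use a plain/quoted scalar. The shortening itself is fine: the "Verify known behavior and filter expected actions" guidance removed from `description` is still carried by the `description-detailed` line "Please verify that the behavior is known and filter out anything that is expected."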

View file

@ -1,7 +1,7 @@
id: 96fb9b37-e2b7-45f6-9b2a-cb9cdfd2b0fc
name: Initiate impersonation session (Okta)
description: |
'User.session.impersonation, usually triggered by Okta Support, are rare. This query checks for impersonation events used in LAPSUS$ breach. Review these events and correlate with legitimate Okta support tickets to identify anomalies'
'User.session.impersonation, usually triggered by Okta Support, are rare. This query checks for impersonation events used in LAPSUS$ breach.'
description-detailed: |
'User.session.impersonation are generally speaking rare events normally triggered when an Okta Support person requests admin access for troubleshooting. This query searches for impersonation events used in LAPSUS$ breach.
Please review user.session.impersonation events and co-relate that with legitimate opened Okta support tickets to determine if these are anomalous.
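Review bot: "co-relate that with legitimate opened Okta support tickets" in the `description-detailed` block should read "correlate them with legitimately opened Okta support tickets", and the new `description` line needs a plural subject ("User.session.impersonation events, usually triggered by Okta Support, are rare"). Otherwise the change is consistent with the other files in this commit: the short description keeps the rarity framing and the LAPSUS$ reference, and the triage step (review the events and correlate with support tickets) remains in `description-detailed`.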

View file

@ -1,7 +1,7 @@
id: 18667b4a-18e5-4982-ba75-92ace62bc79c
name: Rare MFA Operations (Okta)
description: |
'MFA prevents credential compromise. This query checks for rare MFA operations like deactivation, update, reset, and bypass attempts often used by adversaries to compromise networks/accounts. Verify known behavior and filter expected actions.'
'MFA prevents credential compromise. This query checks for rare MFA operations like deactivation, update, reset, and bypass attempts often used by adversaries to compromise networks/accounts.'
description-detailed: |
'Multi-Factor Authentication (MFA) helps prevent credential compromise.This query searches for rare MFA operations like deactivating, updating, resetting and attempts to bypass MFA.
Adversaries often attempt these operations to compromise networks and high-value accounts.Please verify that the behavior is known and filter out anything that is expected.
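Review bot: the `description-detailed` lines are missing a space after the full stop in "credential compromise.This query" and "high-value accounts.Please verify"; worth fixing while this file is being touched. The new `description` also says "MFA prevents credential compromise" while the detailed text says MFA "helps prevent" it; the hedged wording is the accurate one (MFA limits what a compromised credential is worth, it does not stop the compromise), so align the short line with it.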

View file

@ -1,7 +1,7 @@
id: 38da2aa3-4778-4d88-9178-3c5c14758b05
name: User password reset(Okta)
description: |
'Adversaries often manipulate accounts for access. This query checks for admin attempts to reset user passwords in Okta logs. As this can be a known activity, filter out expected actions.'
'Adversaries often manipulate accounts for access. This query checks for admin attempts to reset user passwords in Okta logs.'
description-detailed: |
'Adversaries often manipulate accounts to maintain access to victim systems. Account manipulation may consist of actions that preserves adversary access to a compromised account, such as by modifying credentials.
This query searches for attempts to reset user passwords in Okta logs by an admin. Since this can also be a known activity, please filter out anything that is expected.
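Review bot: the `name` value "User password reset(Okta)" is missing the space before "(Okta)" that the other three query names in this commit use ("Admin privilege granted (Okta)", "Rare MFA Operations (Okta)"); since the field is user-visible in the hunting UI, fix it here. In `description-detailed`, "actions that preserves adversary access" should be "actions that preserve adversary access". The removal of "As this can be a known activity, filter out expected actions" from `description` is fine because the detailed field still ends with "please filter out anything that is expected."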