Fix datatypes indentations

2019-12-09 11:52:08 +02:00 · 2019-12-09 11:52:08 +02:00 · c743164b28
--- a/Detections/MultipleDataSources/NetworkEndpointCorrelation.yaml
+++ b/Detections/MultipleDataSources/NetworkEndpointCorrelation.yaml
@ -6,8 +6,8 @@ description: |
 severity: Medium
 requiredDataConnectors:
  - connectorId: TrendMicro
-  - dataTypes:
-    - CommonSecurityLog
+    dataTypes:
+      - CommonSecurityLog
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
--- a/Detections/MultipleDataSources/PhosphorusIOCs.yaml
+++ b/Detections/MultipleDataSources/PhosphorusIOCs.yaml
@ -9,7 +9,7 @@ requiredDataConnectors:
    dataTypes:
      - DnsEvents
  - connectorId: AzureMonitor(VMInsights)
-  - dataTypes:
+    dataTypes:
      - VMConnection
  - connectorId: CiscoASA
    dataTypes:
--- a/Detections/MultipleDataSources/SigninFirewallCorrelation.yaml
+++ b/Detections/MultipleDataSources/SigninFirewallCorrelation.yaml
@ -7,7 +7,7 @@ description: |
 severity: Medium
 requiredDataConnectors:
  - connectorId: CiscoASA
-  - dataTypes:
+    dataTypes:
      - CommonSecurityLog
  - connectorId: AzureActiveDirectory
    dataTypes:
--- a/Queries/MultipleDataSources/CobaltDNSBeacon.yaml
+++ b/Queries/MultipleDataSources/CobaltDNSBeacon.yaml
@ -9,7 +9,7 @@ requiredDataConnectors:
    dataTypes:
      - DnsEvents
  - connectorId: AzureMonitor(VMInsights)
-      dataTypes:
+    dataTypes:
      - VMConnection
 tactics:
  - CommandAndControl
--- a/Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml
+++ b/Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml
@ -12,10 +12,10 @@ requiredDataConnectors:
    dataTypes:
      - CommonSecurityLog
  - connectorId: AzureMonitor(WireData)
-      dataTypes:
+    dataTypes:
      - WireData
  - connectorId: AzureMonitor(VMInsights)
-      dataTypes:
+    dataTypes:
      - VMConnection
 tactics:
  - CommmandAndControl
--- a/Queries/MultipleDataSources/TrackingPrivAccounts.yaml
+++ b/Queries/MultipleDataSources/TrackingPrivAccounts.yaml
@ -23,7 +23,7 @@ requiredDataConnectors:
    dataTypes:
      - SecurityEvent
  - connectorId: AzureMonitor(IIS)
-      dataTypes:
+    dataTypes:
      - W3CIISLog
 tactics:
  - PrivilegeEscalation
--- a/Queries/MultipleDataSources/UseragentExploitPentest.yaml
+++ b/Queries/MultipleDataSources/UseragentExploitPentest.yaml
@ -14,7 +14,7 @@ requiredDataConnectors:
    dataTypes:
      - AWSCloudTrail
  - connectorId: AzureMonitor(IIS)
-      dataTypes:
+    dataTypes:
      - W3CIISLog
 tactics:
  - InitialAccess
--- a/Queries/ThreatIntelligenceIndicator/FileEntity_VMConnection.yaml
+++ b/Queries/ThreatIntelligenceIndicator/FileEntity_VMConnection.yaml
@ -5,7 +5,7 @@ description: |
  As File name matches can create noise, this is best as hunting query'
 requiredDataConnectors:
  - connectorId: AzureMonitor(VMInsights)
-  - dataTypes:
+    dataTypes:
      - VMConnection
  - connectorId: ThreatIntelligence
    dataTypes:
--- a/Queries/ThreatIntelligenceIndicator/FileEntity_WireData.yaml
+++ b/Queries/ThreatIntelligenceIndicator/FileEntity_WireData.yaml
@ -5,7 +5,7 @@ description: |
  As File name matches can create noise, this is best as hunting query'
 requiredDataConnectors:
  - connectorId: AzureMonitor(WireData)
-      dataTypes:
+    dataTypes:
      - WireData
  - connectorId: ThreatIntelligence
    dataTypes:
--- a/Queries/W3CIISLog/ClientIPwithManyUserAgents.yaml
+++ b/Queries/W3CIISLog/ClientIPwithManyUserAgents.yaml
@ -8,7 +8,7 @@ description: |
  Win32 Status code mapping - https://msdn.microsoft.com/en-us/library/cc231199.aspx'
 requiredDataConnectors:
  - connectorId: AzureMonitor(IIS)
-      dataTypes:
+    dataTypes:
      - W3CIISLog
 tactics:
  - InitialAccess
--- a/Queries/W3CIISLog/PotentialWebshell.yaml
+++ b/Queries/W3CIISLog/PotentialWebshell.yaml
@ -8,7 +8,7 @@ description: |
  There could be some web sites like wikis with articles on os commands and pages that include the os //commands in the URLs that might cause FP.'
 requiredDataConnectors:
  - connectorId: AzureMonitor(IIS)
-      dataTypes:
+    dataTypes:
      - W3CIISLog
 tactics:
  - Persistence
--- a/Queries/W3CIISLog/Potential_IIS_BF.yaml
+++ b/Queries/W3CIISLog/Potential_IIS_BF.yaml
@ -10,7 +10,7 @@ description: |
  Win32 Status code mapping - https://msdn.microsoft.com/en-us/library/cc231199.aspx'
 requiredDataConnectors:
  - connectorId: AzureMonitor(IIS)
-      dataTypes:
+    dataTypes:
      - W3CIISLog
 tactics:
  - CredentialAccess
--- a/Queries/W3CIISLog/Potential_IIS_CodeInject.yaml
+++ b/Queries/W3CIISLog/Potential_IIS_CodeInject.yaml
@ -6,7 +6,7 @@ description: |
  The initial goal of this detection is to flag these events when they occur and give an opportunity to review the data and filter out authorized activity.'
 requiredDataConnectors:
  - connectorId: AzureMonitor(IIS)
-      dataTypes:
+    dataTypes:
      - W3CIISLog
 tactics:
  - InitialAccess
--- a/Queries/W3CIISLog/RareUserAgentStrings.yaml
+++ b/Queries/W3CIISLog/RareUserAgentStrings.yaml
@ -5,7 +5,7 @@ description: |
 severity: Low
 requiredDataConnectors:
  - connectorId: AzureMonitor(IIS)
-      dataTypes:
+    dataTypes:
      - W3CIISLog
 tactics:
  - InitialAccess