From f0540ea901eaf7d3255cd6ae4794a65ce15b9340 Mon Sep 17 00:00:00 2001
From: iotmaker1 <48168701+iotmaker1@users.noreply.github.com>
Date: Wed, 4 May 2022 09:39:20 -0400
Subject: [PATCH] Update OperationNameValue comparison operator

The OperationNameValue is sometimes mixed lower and uppercase. The lower case value drastically limits the number of results and overlooks the mixed case values of "Microsoft.Storage/storageAccounts/listKeys/action". Using the =~ operator accommodates the mixed case values.
---
 .../AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Hunting Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml b/Hunting Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml
index a936adc08e..f8f2afa2dd 100644
--- a/Hunting Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml
+++ b/Hunting Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml
@@ -20,11 +20,11 @@ relevantTechniques:
 query: |
 AzureActivity
- | where OperationNameValue == "microsoft.storage/storageaccounts/listkeys/action"
+ | where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"
 | where ActivityStatusValue == "Succeeded"
 | join kind= inner (
 AzureActivity
- | where OperationNameValue == "microsoft.storage/storageaccounts/listkeys/action"
+ | where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"
 | where ActivityStatusValue == "Succeeded"
 | project ExpectedIpAddress=CallerIpAddress, Caller
 | evaluate autocluster()