From 01f6b5c5f2f043d784eff41cedc00001aba22fd3 Mon Sep 17 00:00:00 2001
From: Emanuel <222579485+EFA006@users.noreply.github.com>
Date: Mon, 9 Mar 2026 16:56:53 +0100
Subject: [PATCH] Fix JSON formatting in o365.json

---
 rules/detection/high/o365.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/detection/high/o365.json b/rules/detection/high/o365.json
index f286280..ad9863d 100644
--- a/rules/detection/high/o365.json
+++ b/rules/detection/high/o365.json
@@ -67,7 +67,7 @@
   },
   {
     "title": "O365 Activity from Tor IP Address",
-    "expression": "o365.audit.Operation!='UserLoginFailed' && contains(to_string(\"cybersift.threat_info\".threats), 'Tor')",
+    "expression": "o365.audit.Operation!='UserLoginFailed' && contains(to_string("cybersift.threat_info".threats), 'Tor')",
     "severity": "high",
     "type": "o365"
   },