remove extraquote

patel-bhavin · patel-bhavin · commit e434b1ac3ffc · 2025-07-21T09:44:10.000-07:00
diff --git a/detections/application/cisco_duo_admin_login_unusual_os.yml b/detections/application/cisco_duo_admin_login_unusual_os.yml
@@ -42,7 +42,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A user $user$ has logged in using an unusual OS using browser $access_device.browser$ from $src_ip$.
+  message: A user $user$ has logged in using an unusual OS $access_device.os$ using browser $access_device.browser$ from $src_ip$.
   risk_objects:
   - field: user
     type: user
diff --git a/detections/application/cisco_duo_bulk_policy_deletion.yml b/detections/application/cisco_duo_bulk_policy_deletion.yml
@@ -44,7 +44,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A user $user$ has deleted more than 3 policies"
+  message: A user $user$ has deleted more than 3 policies
   risk_objects:
   - field: user
     type: user
diff --git a/detections/application/cisco_duo_bypass_code_generation.yml b/detections/application/cisco_duo_bypass_code_generation.yml
@@ -41,7 +41,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A user $user$ has generated a bypass code"
+  message: A user $user$ has generated a bypass code
   risk_objects:
   - field: user
     type: user
diff --git a/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml b/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml
@@ -41,7 +41,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A policy has been created or updated to allow devices without screen lock by user $user$ with email $admin_email$"
+  message: A policy has been created or updated to allow devices without screen lock by user $user$ with email $admin_email$
   risk_objects:
   - field: user
     type: user
diff --git a/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml b/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml
@@ -43,7 +43,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A policy has been created or updated to allow network bypass 2FA by user $user$ with email $admin_email$"
+  message: A policy has been created or updated to allow network bypass 2FA by user $user$ with email $admin_email$
   risk_objects:
   - field: user
     type: user
diff --git a/detections/application/cisco_duo_policy_allow_old_flash.yml b/detections/application/cisco_duo_policy_allow_old_flash.yml
@@ -41,7 +41,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A policy has been created or updated to allow old flash by user $user$ with email $admin_email$"
+  message: A policy has been created or updated to allow old flash by user $user$ with email $admin_email$
   risk_objects:
   - field: user
     type: user
diff --git a/detections/application/cisco_duo_policy_allow_old_java.yml b/detections/application/cisco_duo_policy_allow_old_java.yml
@@ -42,7 +42,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A policy has been created or updated to allow old java by user $user$ with email $admin_email$"
+  message: A policy has been created or updated to allow old java by user $user$ with email $admin_email$
   risk_objects:
   - field: user
     type: user
diff --git a/detections/application/cisco_duo_policy_allow_tampered_devices.yml b/detections/application/cisco_duo_policy_allow_tampered_devices.yml
@@ -43,7 +43,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A policy has been created or updated to allow tampered devices by user $user$ with email $admin_email$"
+  message: A policy has been created or updated to allow tampered devices by user $user$ with email $admin_email$
   risk_objects:
   - field: user
     type: user
diff --git a/detections/application/cisco_duo_policy_bypass_2fa.yml b/detections/application/cisco_duo_policy_bypass_2fa.yml
@@ -40,7 +40,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A policy has been created or updated to allow access without 2FA by user $user$ with email $admin_email$"
+  message: A policy has been created or updated to allow access without 2FA by user $user$ with email $admin_email$
   risk_objects:
   - field: user
     type: user
diff --git a/detections/application/cisco_duo_policy_deny_access.yml b/detections/application/cisco_duo_policy_deny_access.yml
@@ -41,7 +41,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A policy has been created or updated to deny access by user $user$ with email $admin_email$"
+  message: A policy has been created or updated to deny access by user $user$ with email $admin_email$
   risk_objects:
   - field: user
     type: user
diff --git a/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml b/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml
@@ -44,7 +44,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A policy has been created or updated to allow access without 2FA for other countries by user $user$ with email $admin_email$"
+  message: A policy has been created or updated to allow access without 2FA for other countries by user $user$ with email $admin_email$
   risk_objects:
   - field: user
     type: user
diff --git a/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml b/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml
@@ -47,7 +47,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A user $user$ has set their status to bypass 2FA from IP Address - $src_ip$"
+  message: A user $user$ has set their status to bypass 2FA from IP Address - $src_ip$
   risk_objects:
   - field: user
     type: user
