From 1caa82d3b475bef1fae3601655774c6acbc9560c Mon Sep 17 00:00:00 2001
From: Andrei Banaru <a.banaru@iaea.org>
Date: Fri, 13 Mar 2026 09:41:21 +0100
Subject: [PATCH] fix: replace src with src_user

---
 detections/cloud/azure_ad_pim_role_assigned.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/detections/cloud/azure_ad_pim_role_assigned.yml b/detections/cloud/azure_ad_pim_role_assigned.yml
index 32e02b4cba..53acc8efed 100644
--- a/detections/cloud/azure_ad_pim_role_assigned.yml
+++ b/detections/cloud/azure_ad_pim_role_assigned.yml
@@ -1,7 +1,7 @@
 name: Azure AD PIM Role Assigned
 id: fcd6dfeb-191c-46a0-a29c-c306382145ab
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-13'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -13,7 +13,7 @@ search: |-
       | rename properties.* as *
       | fillnull
       | stats count min(_time) as firstTime max(_time) as lastTime
-        BY dest user src
+        BY dest user src_user
            vendor_account vendor_product signature
       | `security_content_ctime(firstTime)`
       | `security_content_ctime(lastTime)`