Reordering key

Author: ljstella

detections/cloud/o365_bec_email_hiding_rule_created.yml

@@ -7,6 +7,7 @@ author: '0xC0FFEEEE, Github Community'
 status: production
 type: TTP
 description: This analytic detects mailbox rule creation, a common technique used in Business Email Compromise. It uses a scoring mechanism to identify a combination of attributes often featured in mailbox rules created by attackers. This may indicate that an attacker has gained access to the account.
+data_source: []
 search: |-
     `o365_management_activity` Workload=Exchange Operation IN ("New-InboxRule", "Set-InboxRule")
     | stats min(_time) as firstTime, max(_time) as lastTime, values(Operation) as Operation, latest(Name) as Name, latest(MarkAsRead) as MarkAsRead, latest(MoveToFolder) as MoveToFolder by object_id user
@@ -44,7 +45,6 @@ threat_objects:
       type: signature
 analytic_story:
     - Office 365 Account Takeover
-data_source: []
 asset_type: O365 Tenant
 mitre_attack_id:
     - T1564.008