Merge pull request #476 from splunk/aws_cross_account_activity_fix

minor tweak

Author: josehelps

detections/aws_cross_account_activity_from_previously_unseen_account.yml

@@ -15,8 +15,7 @@ author: David Dorsey, Splunk
 search: '`cloudtrail` eventName=AssumeRole | spath output=requestingAccountId path=userIdentity.accountId
   | spath output=requestedAccountId path=resources{}.accountId | search requestingAccountId=*
   | where requestingAccountId != requestedAccountId | inputlookup append=t previously_seen_aws_cross_account_activity
-  | multireport [| stats min(eval(coalesce(firstTime, _time)))
-  as firstTime max(eval(coalesce(lastTime, _time)))
+  | multireport [| stats min(eval(coalesce(firstTime, _time))) as firstTime max(eval(coalesce(lastTime, _time)))
   as lastTime by requestingAccountId, requestedAccountId | outputlookup previously_seen_aws_cross_account_activity
   | where fact=fiction] [| eventstats min(eval(coalesce(firstTime, _time))) as firstTime, 
   max(eval(coalesce(lastTime, _time))) as lastTime by requestingAccountId, requestedAccountId | where firstTime