Multiple newly updated Analytic rules are not able to be updated easily. For a few of them the entity mapping is now broken. For at least one of them the KQL just doesn't compile.
When updating the Analytics rule "AD FS Remote Auth Sync Connection" from Version 1.0.1 to 1.0.2 I get the error message "'extend' operator: Failed to resolve scalar expression named 'Account'", referring to the "Account" in the very last line of the Query; commenting out the last line does fix the error.
Looking in GitHub under "Solutions/Windows Security Events/Analytic Rules/ADFSRemoteAuthSyncConnection.yaml" I can see that the latest change to the rule in "initial commit" by [ddamenova] also failed the KqlValidation. So it seems not to be an issue with us specifically.
The second issue is that there are multiple newly updated analytics rules where the Entity Mapping is incomplete. While I do really appreciate the change away from all the custom entities being called things like "Name" and "Name", it would be nice if updates just worked out of the box.
Here are three examples that I remember. I think there were some more, but I filled in the Entity mapping myself.
NRT Process executed from binary hidden in Base64 encoded file
Possible Phishing with CSL and Network Sessions
AD user enabled and password not set within 48 hours
I'd hugely appreciate a quick update on whether this is an issue with the updates or an issue with how we did something.
Thanks in advance
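Both problems in this report (an `extend` that references a column the pipeline no longer carries, and entity mappings whose `columnName` is not produced by the query) can be caught before a rule is deployed. The script below is an added example written for this thread, not code from the Azure Sentinel repository or from the reporter. It walks a KQL pipeline operator by operator, tracks which columns are available after each stage, and then checks every `fieldMappings.columnName` against the final column set. The rule, its query and the source-table column list are constructed for the demonstration (the `extend ... = Account` at the end mimics the reported error; the real ADFSRemoteAuthSyncConnection query is not reproduced here), and the parser is a deliberate heuristic that understands `where`, `extend`, `project` and `project-away` only.

```python
import re

# Constructed sample in the shape of a Sentinel analytic rule (query + entityMappings).
# Not the real rule: 'project' drops 'Account', so the last 'extend' cannot resolve it,
# and the IP mapping uses 'IPAddress' while the query produces 'IpAddress' (KQL is case-sensitive).
SAMPLE_RULE = {
    "query": (
        "SecurityEvent\n"
        "| where EventID == 4624 and LogonType == 3\n"
        "| extend AccountName = tostring(split(TargetUserName, '@')[0])\n"
        "| project TimeGenerated, Computer, AccountName, IpAddress\n"
        "| extend HostName = Computer\n"
        "| extend AccountCustomEntity = Account\n"
    ),
    "entityMappings": [
        {"entityType": "Account", "fieldMappings": [{"identifier": "Name", "columnName": "AccountName"}]},
        {"entityType": "Host", "fieldMappings": [{"identifier": "HostName", "columnName": "HostName"}]},
        {"entityType": "IP", "fieldMappings": [{"identifier": "Address", "columnName": "IPAddress"}]},
    ],
}

# Assumed subset of the source table's schema; a real linter would load the table schema.
SECURITY_EVENT_COLUMNS = {"TimeGenerated", "Computer", "EventID", "LogonType",
                          "TargetUserName", "IpAddress", "Account"}

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
STRING = re.compile(r"'[^']*'|\"[^\"]*\"")
KQL_KEYWORDS = {"and", "or", "not", "true", "false", "in", "has", "contains",
                "startswith", "endswith", "matches", "regex", "by", "asc", "desc", "between"}


def _split_top(text, sep):
    """Split on sep only outside parentheses/brackets, so f(a, b) stays one item."""
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        if ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def _identifiers(expr):
    """Column references in an expression: identifiers that are not function calls or keywords."""
    refs = set()
    for m in IDENT.finditer(expr):
        name = m.group(0)
        if name in KQL_KEYWORDS or expr[m.end():].lstrip().startswith("("):
            continue
        refs.add(name)
    return refs


def lint_query(query, source_columns):
    """Return (columns available after the last stage, list of unresolved-column errors)."""
    stages = _split_top(STRING.sub("''", query), "|")   # string literals blanked first
    columns, errors = set(source_columns), []
    for n, stage in enumerate(stages[1:], start=1):     # stages[0] is the table name
        parts = stage.split(None, 1)
        op, body = parts[0], (parts[1] if len(parts) > 1 else "")
        if op in ("extend", "project"):
            new_cols = set()
            for item in _split_top(body, ","):
                lhs, eq, rhs = item.partition("=")
                name = lhs.strip()
                refs = _identifiers(rhs) if eq else ({name} if op == "project" else set())
                for ref in sorted(refs - columns):
                    errors.append(f"stage {n} ({op}): unresolved column '{ref}'")
                new_cols.add(name)
            columns = columns | new_cols if op == "extend" else new_cols
        elif op == "project-away":
            columns -= set(_split_top(body, ","))
        elif op == "where":
            for ref in sorted(_identifiers(body) - columns):
                errors.append(f"stage {n} ({op}): unresolved column '{ref}'")
        # summarize, join, etc. are not modelled by this heuristic
    return columns, errors


def check_entity_mappings(rule, source_columns):
    """Return (query errors, [(entityType, identifier, columnName)] not produced by the query)."""
    columns, errors = lint_query(rule["query"], source_columns)
    missing = [(m["entityType"], fm["identifier"], fm["columnName"])
               for m in rule.get("entityMappings", [])
               for fm in m.get("fieldMappings", [])
               if fm["columnName"] not in columns]
    return errors, missing


if __name__ == "__main__":
    errs, missing = check_entity_mappings(SAMPLE_RULE, SECURITY_EVENT_COLUMNS)
    for e in errs:
        print("KQL:", e)
    for entity, ident, col in missing:
        print(f"entity mapping {entity}.{ident} -> column '{col}' is not produced by the query")
```

Run against the constructed rule it reports the unresolved `Account` at stage 5 and the `IPAddress` mapping mismatch. Pointing it at a folder of rule YAML files (loading each with a YAML parser and passing the source table's real schema) turns it into a pre-deployment check for exactly the two failure modes described in this issue; anything it does not understand (joins, summarize, nested queries) is simply passed through, so a clean result is not a proof of correctness.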