
Errors in new analytic rule updates #10447

Closed
Lennart-Pently opened this issue May 7, 2024 · 1 comment · Fixed by #10486
Comments

@Lennart-Pently

Multiple newly updated Analytic rules are not able to be updated easily. For a few of them the entity mapping is now broken. For at least one of them the KQL just doesn't compile.

When updating the Analytics rule "AD FS Remote Auth Sync Connection" from version 1.0.1 to 1.0.2, I get the error message "'extend' operator: Failed to resolve scalar expression named 'Account'", referring to the "Account" in the very last line of the query; commenting out the last line does fix the error.
Looking in GitHub under "Solutions/Windows Security Events/Analytic Rules/ADFSRemoteAuthSyncConnection.yaml", I can see that the latest change to the rule in "initial commit" by [ddamenova] also failed the KqlValidation. So it seems not to be an issue with us specifically.

The second issue is that there are multiple newly updated analytics rules where the Entity Mapping is incomplete. While I do really appreciate the change away from all the custom entities being called things like "Name" and "Name", it would be nice if updates just worked out of the box.
Here are three examples that I remember. I think there were some more, but I filled in the entity mapping myself:

  • NRT Process executed from binary hidden in Base64 encoded file
  • Possible Phishing with CSL and Network Sessions
  • AD user enabled and password not set within 48 hours

I'd hugely appreciate a quick update on whether this is an issue with the updates or an issue with how we did something.
Thanks in advance
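As an added example (not code from the issue or from the Azure-Sentinel repository), a small pre-deployment check for the two failure modes described in the post above: an entity mapping with no field mappings, and a mapped column that the query's final `project` does not output. The rule content, query and column names are constructed and hypothetical.

```python
import re

# Constructed sample: the parsed form of a Sentinel analytic rule YAML.
# Hypothetical content, not the rule from the issue. "Host" has no
# fieldMappings, and Account.FullName maps a column the final project drops.
SAMPLE_RULE = {
    "name": "Example rule (constructed)",
    "query": (
        "SecurityEvent\n"
        "| where EventID == 4624\n"
        "| extend AccountName = tostring(split(Account, '\\\\')[1])\n"
        "| project TimeGenerated, Computer, AccountName"
    ),
    "entityMappings": [
        {"entityType": "Account", "fieldMappings": [
            {"identifier": "Name", "columnName": "AccountName"},
            {"identifier": "FullName", "columnName": "Account"}]},
        {"entityType": "Host", "fieldMappings": []},
    ],
}

def query_output_columns(query):
    """Columns the query is known to output, or None if unknown.
    Only a trailing `| project` is understood; any other final operator
    yields None and the caller falls back to a whole-word text search."""
    lines = [l.strip() for l in query.splitlines() if l.strip()]
    m = re.match(r"\|\s*project\s+(.*)$", lines[-1]) if lines else None
    if not m:
        return None
    return {p.split("=", 1)[0].strip() for p in m.group(1).split(",") if p.strip()}

def lint_rule(rule):
    """Return problem strings for one parsed analytic rule (empty list = clean)."""
    problems, query = [], rule.get("query", "")
    known = query_output_columns(query)
    for i, ent in enumerate(rule.get("entityMappings") or []):
        etype = ent.get("entityType") or f"entityMappings[{i}]"
        fields = ent.get("fieldMappings") or []
        if not fields:
            problems.append(f"{etype}: no fieldMappings (incomplete entity mapping)")
        for fm in fields:
            ident, col = fm.get("identifier"), fm.get("columnName")
            if not ident or not col:
                problems.append(f"{etype}: fieldMapping missing identifier or columnName")
                continue
            # Exact check when the output schema is known, else a heuristic text search.
            ok = col in known if known is not None else bool(re.search(rf"\b{re.escape(col)}\b", query))
            if not ok:
                problems.append(f"{etype}.{ident}: column '{col}' is not produced by the query")
    return problems
```

Running `lint_rule` over every rule YAML in a solution folder before import surfaces both classes of breakage reported here without needing a workspace.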

@v-sudkharat
Contributor

Hi @Lennart-Pently, thanks for flagging this issue. We will investigate this issue and get back to you with some updates by 16-05-2024. Thanks!

@v-sudkharat v-sudkharat linked a pull request May 17, 2024 that will close this issue