From cfcef33aad05e0cb10c80a753e80e6273ccb2656 Mon Sep 17 00:00:00 2001
From: Andreas Rogge
Date: Wed, 29 Jan 2025 10:56:53 +0100
Subject: [PATCH] Update NRT_AuthenticationMethodsChangedforVIPUsers.yaml

Added square brackets to watchlist query because column names with spaces cannot be referenced by just using ".
---
 .../NRT_AuthenticationMethodsChangedforVIPUsers.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml
index 14932813fe4..986b5ace21c 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml
@@ -15,7 +15,7 @@ tags:
 - AADSecOpsGuide
 query: |
 let security_info_actions = dynamic(["User registered security info", "User changed default security info", "User deleted security info", "Admin updated security info", "User reviewed security info", "Admin deleted security info", "Admin registered security info"]);
- let VIPUsers = (_GetWatchlist('VIPUsers') | distinct "User Principal Name");
+ let VIPUsers = (_GetWatchlist('VIPUsers') | distinct ["User Principal Name"]);
 AuditLogs
 | where Category =~ "UserManagement"
 | where ActivityDisplayName in (security_info_actions)
@@ -62,5 +62,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: InitiatingIpAddress
-version: 1.0.3
+version: 1.0.4
 kind: NRT
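Review bot: The corrected `distinct ["User Principal Name"]` line makes the rule depend on the `VIPUsers` watchlist having a column with exactly that header, and nothing in the hunk records the requirement. A watchlist created with a different header (for example `UserPrincipalName`) would presumably leave the rule failing or matching nothing, which for a detection means changes to VIP authentication methods go unalerted. I would add a comment above the `let`, such as `// Requires watchlist 'VIPUsers' with a column named "User Principal Name"`, and state the same in the rule description. The comparison against `VIPUsers` is outside the hunk, so its case handling cannot be checked here; if it uses `in` rather than `in~`, UPNs entered in the watchlist with different casing than in AuditLogs would be missed.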