@M Nurohmat Thank you for reaching out to us, similar issue has been discussed here - https://github.com/Azure/Azure-Sentinel/issues/8187 request you to check the steps, if it helps to resolve the above mentioned issue, also i am checking the same with my team internally as well.
NRT Authentication Methods Changed for VIP Users
M Nurohmat
100
Reputation points
Cannot created new rule for NRT Authentication Methods Changed for VIP Users
Accepted answer
-
Givary-MSFT 35,296 Reputation points Microsoft Employee
2023-07-20T16:41:03.0733333+00:00
1 additional answer
Sort by: Most helpful
-
Andrew Blumhardt 9,871 Reputation points Microsoft Employee
2023-07-20T12:26:34.7+00:00 Try running your watchlist query standalone to isolate the issue. It seems that is does not like "User Principal Name" for some reason. You could try using summary instead or maybe this the search key to ensure all VIP records in the watchlist are unique. You could try renaming the column first with a project if the spaces are somehow the issue.