KQL fix

Solutions/Global Secure Access/Analytic Rules/Office 365 - SharePoint_Downloads_byNewUserAgent.yaml

@@ -49,7 +49,7 @@ query: |
       | where isnotempty(UserAgent)
       | where UserAgent in~ (FrequentUAOffice)
       | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OfficeObjectIdCount = dcount(OfficeObjectId), OfficeObjectIdList = make_set(OfficeObjectId), UserAgentSeenCount = count()
-          by RecordType, Operation, UserAgent, UserType, UserId, ClientIP = ClientIp, OfficeWorkload, Site_Url;
+          by RecordType, Operation, UserAgent, UserType, UserId, ClientIP , OfficeWorkload, Site_Url;
   
   // EnrichedMicrosoft365AuditLogs - Base Events
   let BaseeventsEnriched = EnrichedMicrosoft365AuditLogs
@@ -78,10 +78,11 @@ query: |
       | where Operation in (szOperations)
       | extend UserAgent = tostring(parse_json(tostring(AdditionalProperties)).UserAgent)
       | extend Site_Url = tostring(parse_json(tostring(AdditionalProperties)).SiteUrl)
+      | extend  ClientIP = ClientIp
       | where isnotempty(UserAgent)
       | where UserAgent in (FrequentUAEnriched)
       | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ObjectIdCount = dcount(ObjectId), ObjectIdList = make_set(ObjectId), UserAgentSeenCount = count()
-          by RecordType, Operation, UserAgent, UserId, ClientIP = ClientIp, Site_Url;
+          by RecordType, Operation, UserAgent, UserId,ClientIP, Site_Url;
   
   // Combine Baseline and Recent Activity, Calculate Deviation, and Deduplicate
   let UserBehaviorAnalysisOffice = UserBaseLineOffice