Fix errors in KeyvaultMassSecretRetrieval.yaml

[ep3p]

Change(s):

1. Remove isnotempty( conditions, that are removing desired results.
2. Put a limit in make_set and make_list.
3. Do not show by default all columns from arg_max(CalledIPAddress, *)

Reason for Change(s):

1. Different operations do not have the same columns. For example SecretGet uses identity_claim_oid_g instead of identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g. The same happened with clientInfo_s, not every operation has this column.
2. Put a limit on results size.
3. It's difficult to interpret results.

The same happens with:

https://github.com/Azure/Azure-Sentinel/blob/ee97399b426a21878776c4c7b4835efc04b47393/Detections/AzureDiagnostics/TimeSeriesKeyvaultAccessAnomaly.yaml https://github.com/Azure/Azure-Sentinel/blob/ee97399b426a21878776c4c7b4835efc04b47393/Detections/AzureDiagnostics/KeyVaultSensitiveOperations.yaml https://github.com/Azure/Azure-Sentinel/blob/d11b7c5e8610b075bd0284044153c7a1e75d720d/Detections/AzureDiagnostics/NRT_KeyVaultSensitiveOperations.yaml ...

Version Updated:

• Yes

Testing Completed:

• No, this query needs to be checked against tenants that do not have some of the columns.

Checked that the validations are passing and have addressed any issues that are present:

• Yes

[v-spadarthi]

@aprakash13 : Please review the Detections. Thanks!

[v-mchatla]

Hi @aprakash13 Can you please review and provide your feedback on the PR changes. Thanks

[v-spadarthi]

Hi @aprakash13 Can you please review and provide your feedback on the PR changes. Thanks

[NikTripathi]

@aprakash13 Please have a look. Thanks

[shainw]

@ep3p - We are having the original author, @ashwin-patil, review these. Thanks for the feedback as the queries originally written 3 years back and logging has changed for sure.

[v-spadarthi]

@ep3p : Please resolve the conflicts. Thanks!!