mapping OMS agent id to reduce chances of creating weak Host entity

2020-10-21 10:57:38 +03:00 · 2020-10-21 10:57:38 +03:00 · 1f813d9e90
--- a/Queries/InputEntity_Account/UserAccount_FailedLogons.yaml
+++ b/Queries/InputEntity_Account/UserAccount_FailedLogons.yaml
@ -27,7 +27,7 @@ query: |
  | where tolower(Account) contains tolower(v_Account_Name)
  | extend info = pack('EventID', EventID, 'Account', Account, 'LogonTypeName', LogonTypeName, 'SubStatus', SubStatus, 'AccountType', AccountType, 'WorkstationName', WorkstationName, 'IpAddress', IpAddress)
  | summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer
-  | project Host_Aux_StartTime=min_TimeGenerated,  Host_Aux_EndTime = max_TimeGenerated, Host_UnstructuredName=Computer, Host_Aux_info
+  | project Host_Aux_StartTime=min_TimeGenerated,  Host_Aux_EndTime = max_TimeGenerated, Host_UnstructuredName=Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId
  | top 10 by Host_Aux_StartTime asc nulls last
  };
  // change <Name> value below
--- a/Queries/InputEntity_IP/MostPrevLxHosts_ByIP.yaml
+++ b/Queries/InputEntity_IP/MostPrevLxHosts_ByIP.yaml
@ -25,7 +25,7 @@ query: |
  | summarize min(EventTime), max(EventTime), count(), Host_Aux_info = makeset(info) by Computer
  | top 10 by count_ desc nulls last 
  | project Host_Aux_StartTime = min_EventTime, Host_Aux_EndTime = max_EventTime, Computer, Host_Aux_info
-  | project-rename Host_UnstructuredName=Computer
+  | project-rename Host_UnstructuredName=Computer, Host_OMSAgentId=SourceComputerId
  };
  // change <Address> value below
  GetSysLogEventsWithIP('<Address>')
--- a/Queries/InputEntity_Process/LeastPrevIn_ByProcess.yaml
+++ b/Queries/InputEntity_Process/LeastPrevIn_ByProcess.yaml
@ -30,7 +30,7 @@ query: |
  | extend Host_Aux_info = IP_Aux_info
  | top 10 by count_ asc
  | project min_SessionStartTime, Computer, LocalIP, IP_Aux_info, Host_Aux_info
-  | project-rename IP_Address=LocalIP, Host_UnstructuredName=Computer, Host_Aux_min_SessionStartTime=min_SessionStartTime
+  | project-rename IP_Address=LocalIP, Host_UnstructuredName=Computer, Host_Aux_min_SessionStartTime=min_SessionStartTime, Host_OMSAgentId=SourceComputerId
  };
  // change <CommandLine> value below
  GetWireDataInboundWithProcess('<CommandLine>')