From 1f813d9e902b0229a91b7c712a7118b3aee0a0c9 Mon Sep 17 00:00:00 2001
From: Yaron Fruchtmann
Date: Wed, 21 Oct 2020 10:57:38 +0300
Subject: [PATCH] mapping OMS agent id to reduce chances of creating weak Host entity
---
 .../InputEntity_Account/UserAccount_FailedLogons.yaml | 2 +-
 Exploration Queries/InputEntity_IP/MostPrevLxHosts_ByIP.yaml | 2 +-
 .../InputEntity_Process/LeastPrevIn_ByProcess.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Exploration Queries/InputEntity_Account/UserAccount_FailedLogons.yaml b/Exploration Queries/InputEntity_Account/UserAccount_FailedLogons.yaml
index 6e3a5002a3..e3a62dcc95 100644
--- a/Exploration Queries/InputEntity_Account/UserAccount_FailedLogons.yaml
+++ b/Exploration Queries/InputEntity_Account/UserAccount_FailedLogons.yaml
@@ -27,7 +27,7 @@ query: |
 | where tolower(Account) contains tolower(v_Account_Name)
 | extend info = pack('EventID', EventID, 'Account', Account, 'LogonTypeName', LogonTypeName, 'SubStatus', SubStatus, 'AccountType', AccountType, 'WorkstationName', WorkstationName, 'IpAddress', IpAddress)
 | summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer
- | project Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime = max_TimeGenerated, Host_UnstructuredName=Computer, Host_Aux_info
+ | project Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime = max_TimeGenerated, Host_UnstructuredName=Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId
 | top 10 by Host_Aux_StartTime asc nulls last
 };
 // change value below
diff --git a/Exploration Queries/InputEntity_IP/MostPrevLxHosts_ByIP.yaml b/Exploration Queries/InputEntity_IP/MostPrevLxHosts_ByIP.yaml
index 84b393e1bc..d42c12b81b 100644
--- a/Exploration Queries/InputEntity_IP/MostPrevLxHosts_ByIP.yaml
+++ b/Exploration Queries/InputEntity_IP/MostPrevLxHosts_ByIP.yaml
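Review bot: `Host_OMSAgentID=SourceComputerId` in the new `project` line cannot resolve, because the `summarize ... by Computer` directly above it emits only `Computer` and the aggregates, so `SourceComputerId` is no longer in the result set at that point and the query will fail instead of producing the stronger Host entity the commit is after. Carry the column through the grouping: `| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId`. The same gap is in MostPrevLxHosts_ByIP.yaml (its `summarize ... by Computer` and the `project` before the `project-rename` both drop the column) and in LeastPrevIn_ByProcess.yaml (the `project` before the `project-rename` lists no `SourceComputerId`), though whether the column is still present further up those pipelines lies outside the hunks. Note also that this file spells the entity field `Host_OMSAgentID` while the other two use `Host_OMSAgentId`; if the entity-mapping keys are matched case-sensitively only one spelling will be picked up, so the three files should agree. The enclosing let-function body starts before the hunk.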
@@ -25,7 +25,7 @@ query: |
 | summarize min(EventTime), max(EventTime), count(), Host_Aux_info = makeset(info) by Computer
 | top 10 by count_ desc nulls last
 | project Host_Aux_StartTime = min_EventTime, Host_Aux_EndTime = max_EventTime, Computer, Host_Aux_info
- | project-rename Host_UnstructuredName=Computer
+ | project-rename Host_UnstructuredName=Computer, Host_OMSAgentId=SourceComputerId
 };
 // change
value below GetSysLogEventsWithIP('
')
diff --git a/Exploration Queries/InputEntity_Process/LeastPrevIn_ByProcess.yaml b/Exploration Queries/InputEntity_Process/LeastPrevIn_ByProcess.yaml
index 64ff1a2ae4..252c979ec0 100644
--- a/Exploration Queries/InputEntity_Process/LeastPrevIn_ByProcess.yaml
+++ b/Exploration Queries/InputEntity_Process/LeastPrevIn_ByProcess.yaml
@@ -30,7 +30,7 @@ query: |
 | extend Host_Aux_info = IP_Aux_info
 | top 10 by count_ asc
 | project min_SessionStartTime, Computer, LocalIP, IP_Aux_info, Host_Aux_info
- | project-rename IP_Address=LocalIP, Host_UnstructuredName=Computer, Host_Aux_min_SessionStartTime=min_SessionStartTime
+ | project-rename IP_Address=LocalIP, Host_UnstructuredName=Computer, Host_Aux_min_SessionStartTime=min_SessionStartTime, Host_OMSAgentId=SourceComputerId
 };
 // change value below
 GetWireDataInboundWithProcess('')