Merge pull request #3381 from thmcelro/runcommand-fixes

Update run command join key
This commit is contained in:
Ashwin Patil 2021-11-04 09:37:41 -07:00 коммит произвёл GitHub
Родитель 1e8ee205c1 577e15db68
Коммит 67e39f2cbe
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
1 изменённых файлов: 3 добавлений и 3 удалений


@ -39,7 +39,7 @@ query: |
| extend VirtualMachineName = tostring(Scope_s[-1])
| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress
// Create a join key using the Caller (UPN) and the Caller IP
| extend joinkey = hash_md5(strcat(tolower(Caller), CallerIpAddress))
| extend joinkey = tolower(Caller)
// Join the Run Command actions to UEBA data
| join kind = inner (
BehaviorAnalytics
@ -47,7 +47,7 @@ query: |
| where EventSource == "Azure AD"
| project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights
| where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)
| extend joinkey = hash_md5(strcat(tolower(UserPrincipalName), UEBASourceIPLocation))
| extend joinkey = tolower(UserPrincipalName)
) on joinkey
| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights
// Create a window around the UEBA event times, check to see if the Run Command action was performed within them
@ -64,5 +64,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
version: 1.0.1
kind: scheduled
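Review bot: The comment immediately above the new `| extend joinkey = tolower(Caller)` line still reads "Create a join key using the Caller (UPN) and the Caller IP", but the new key is the lower-cased Caller alone, so the comment now misdescribes the join; suggest `// Create a join key from the lower-cased Caller (UPN); IP is no longer part of the key, the time window below is the remaining correlation`. The same mismatch does not have its own comment on the UEBA side, but a short `// Join key: lower-cased UserPrincipalName only` next to the second new extend would keep both halves of the join self-explanatory. Dropping the IP from the key looks intentional, since the old keys concatenated CallerIpAddress on one side with a SourceIPLocation string on the other and presumably never matched, but it also means every UEBA event for that UPN from any source IP now joins, so the window check referenced in the comment after the join is the only filter left; that may be worth stating in the detection's description. The query block begins before the first hunk and continues past the end of each of the first two hunks.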