From b262d535cb940c17428f631e57e376a1c489f60c Mon Sep 17 00:00:00 2001
From: Thomas McElroy <62295189+thmcelro@users.noreply.github.com>
Date: Thu, 4 Nov 2021 16:15:38 +0000
Subject: [PATCH 1/2] Update run command join key

- The join key merged the IP address and UPN, this is not required and the join can be performed on just the UPN.

---
 Detections/MultipleDataSources/RunCommandUEBABreach.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Detections/MultipleDataSources/RunCommandUEBABreach.yaml b/Detections/MultipleDataSources/RunCommandUEBABreach.yaml
index 08f75815b4..97ae5a1a92 100644
--- a/Detections/MultipleDataSources/RunCommandUEBABreach.yaml
+++ b/Detections/MultipleDataSources/RunCommandUEBABreach.yaml
@@ -39,7 +39,7 @@ query: |
 | extend VirtualMachineName = tostring(Scope_s[-1])
 | project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress
 // Create a join key using the Caller (UPN) and the Caller IP
- | extend joinkey = hash_md5(strcat(tolower(Caller), CallerIpAddress))
+ | extend joinkey = tolower(Caller)
 // Join the Run Command actions to UEBA data
 | join kind = inner (
 BehaviorAnalytics
@@ -47,7 +47,7 @@ query: |
 | where EventSource == "Azure AD"
 | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights
 | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)
- | extend joinkey = hash_md5(strcat(tolower(UserPrincipalName), UEBASourceIPLocation))
+ | extend joinkey = tolower(UserPrincipalName)
 ) on joinkey
 | project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights
 // Create a window around the UEBA event times, check to see if the Run Command action was performed within them
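Review bot: The context comment kept directly above the first replaced line, `// Create a join key using the Caller (UPN) and the Caller IP`, no longer describes the key, which is now `tolower(Caller)` alone; change it to `// Create a join key from the lowercased Caller (UPN) only; it is matched against UserPrincipalName in the UEBA data`. The second hunk makes the same change on the BehaviorAnalytics side and still applies `isnotempty(UEBASourceIPLocation)` even though the location no longer feeds the key, which is fine if the column is only needed for the later projection but deserves a short comment such as `// Location is kept for the output projection, not for the join` so the filter is not mistaken for dead code. With the IP removed, every Run Command action is inner-joined to every Azure AD UEBA row for the same UPN, so the window built after the hunk (the `// Create a window around the UEBA event times` line is the last context line and that logic continues outside the hunk) is now the only constraint on the correlation; if Caller can hold a non-UPN value such as an application or service principal identifier, those rows would simply never match, which is presumably intended but worth stating in the query description. The enclosing `query: |` block starts before the hunk and continues after it.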
From 577e15db686c4a10dc82098915a8eb8cefb81401 Mon Sep 17 00:00:00 2001
From: Thomas McElroy <62295189+thmcelro@users.noreply.github.com>
Date: Thu, 4 Nov 2021 16:18:17 +0000
Subject: [PATCH 2/2] Update RunCommandUEBABreach.yaml

---
 Detections/MultipleDataSources/RunCommandUEBABreach.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Detections/MultipleDataSources/RunCommandUEBABreach.yaml b/Detections/MultipleDataSources/RunCommandUEBABreach.yaml
index 97ae5a1a92..5f252a976a 100644
--- a/Detections/MultipleDataSources/RunCommandUEBABreach.yaml
+++ b/Detections/MultipleDataSources/RunCommandUEBABreach.yaml
@@ -64,5 +64,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: scheduled
\ No newline at end of file