From 692daefa1fde047175c35df595657ca436757858 Mon Sep 17 00:00:00 2001
From: Pete Bryan
Date: Tue, 7 Mar 2023 12:34:02 -0800
Subject: [PATCH] More validation fixes
---
 Exploration Queries/InputEntity_Host/MostPrevIn_ByHost.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Exploration Queries/InputEntity_Host/MostPrevIn_ByHost.yaml b/Exploration Queries/InputEntity_Host/MostPrevIn_ByHost.yaml
index 84426560b4..3299bbb50a 100644
--- a/Exploration Queries/InputEntity_Host/MostPrevIn_ByHost.yaml
+++ b/Exploration Queries/InputEntity_Host/MostPrevIn_ByHost.yaml
@@ -19,6 +19,7 @@ query: |
 _Im_NetworkSession(hostname_has_any=v_Host_HostName)
 | where EventResult =~ "success"
 | where NetworkDirection =~ "Inbound"
+ | extend LocalAppName = column_ifexists("LocalAppName", "")
 | extend info = pack('Computer', DvcHostname, 'LocalPortNumber', DstPortNumber, 'DstIpAddr', Dst, 'SrcIpAddr', Src,'Direction', NetworkDirection, 'NetworkProtocol', NetworkProtocol, "LocalAppName", LocalAppName)
 | summarize Process_Aux_Min_SessionStartTime=min(TimeGenerated), Process_Aux_Max_SessionStartTime=max(TimeGenerated), count(), IP_Aux_info = make_set(info, maxSize=1000) by Src, Dvc
 | top 10 by count_ desc
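Review bot: The added `column_ifexists("LocalAppName", "")` fallback turns the packed `LocalAppName` value into an empty string whenever the parser output lacks that column, so an analyst reading `IP_Aux_info` cannot tell "no application recorded" from "this source never supplies the field". A short KQL comment above the new line would record the intent, for example `// LocalAppName is absent from some NetworkSession sources; default to "" so the query still validates`. It is also worth confirming that `LocalAppName` is the column the normalized parser actually emits. If the application name arrives under a schema field such as `DstAppName` for inbound sessions, the fallback would hide the mismatch and the value would always be blank. The query body starts before this hunk, so the definition of `v_Host_HostName` and any earlier bindings are not visible here.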