Merge pull request #962 from Azure/YF_ExpansionWithUEBA

Fixed output column names
2020-08-12 17:35:54 +03:00 · 2020-08-12 17:35:54 +03:00 · 6c40dea8d0
--- a/Queries/InputEntity_Host/ServiceCreatedOnHost.yaml
+++ b/Queries/InputEntity_Host/ServiceCreatedOnHost.yaml
@ -34,8 +34,8 @@ query: |
  and not(ImagePath has '\\WindowsAzure\\GuestAgent_' and ImagePath has '\\GuestAgent\\WindowsAzureGuestAgent.exe')
  | extend Process_Aux_Service_info = pack('ServiceName', Process_Aux_ServiceName, 'ServiceType', ServiceType, 'StartType', StartType, 'ServiceAccount', ServiceAccount)
  | project TimeGenerated, Computer, UserName, Process_Aux_ServiceName, ImagePath, Process_Aux_Service_info
-  | project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=UserName, Process_ImageFile_FullPath=ImagePath
-  | top 10 by TimeGenerated desc nulls last
+  | project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=UserName, Process_ImageFile_FullPath=ImagePath, Process_CreationTimeUtc=TimeGenerated
+  | top 10 by Process_CreationTimeUtc desc nulls last
  };
  // change <HostName> value below
  GetServiceCreationsOnHost('<HostName>')
--- a/Queries/InputEntity_Host/UsersConnectedByHost.yaml
+++ b/Queries/InputEntity_Host/UsersConnectedByHost.yaml
@ -28,8 +28,8 @@ query: |
  | extend info = pack('UserPrincipalName', UserPrincipalName, 'AppDisplayName', AppDisplayName, 'ClientAppUsed', ClientAppUsed, 'Browser', tostring(Browser), 'ResultType', ResultType, 'ResultDescription', ResultDescription, 'Location', Location, 'StatusCode', StatusCode, 'StatusDetails', StatusDetails)
  | summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, OS, IPAddress, State, City, Latitude, Longitude
  | extend IP_Aux_info = Account_Aux_info
-  | project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, RemoteHost, UserDisplayName, OS, IPAddress, State, City, Latitude, Longitude, Account_Aux_info, IP_Aux_info
-  | top 10 by StartTimeUtc desc nulls last             
+  | project Account_Aux_StartTimeUtc = min_TimeGenerated, Account_Aux_EndTimeUtc = max_TimeGenerated, RemoteHost, UserDisplayName, OS, IPAddress, State, City, Latitude, Longitude, Account_Aux_info, IP_Aux_info
+  | top 10 by Account_Aux_StartTimeUtc desc nulls last             
  | project-rename Account_UnstructuredName=UserDisplayName, Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS, IP_Address=IPAddress, IP_Location_State=State, IP_Location_City=City, IP_Location_Latitude=Latitude, IP_Location_Longitude=Longitude
  };
  // change <HostName> value below
--- a/Queries/InputEntity_IP/IP2Host_HostByTrafficFromIPLeast.yaml
+++ b/Queries/InputEntity_IP/IP2Host_HostByTrafficFromIPLeast.yaml
@ -22,7 +22,7 @@ query: |
  | where SessionState == 'Disconnected' 
  | where RemoteIP =~ v_IP_Address
  | extend Host_HostName = iff(Computer has '.', HostName, Computer)
-  | summarize Host_Aux_BytesReceived = sum(ReceivedBytes), make_set(LocalIP) by Host_HostName, Host_DnsDomain
+  | summarize Host_Aux_BytesReceived = sum(ReceivedBytes), Host_Aux_LocalIPs=make_set(LocalIP) by Host_HostName, Host_DnsDomain
  | top 10 by Host_Aux_BytesReceived asc nulls last
  };
  HostsReceivingDatafromIP('<Address>')
--- a/Queries/InputEntity_IP/IP2Host_HostByTrafficFromIPMost.yaml
+++ b/Queries/InputEntity_IP/IP2Host_HostByTrafficFromIPMost.yaml
@ -22,7 +22,7 @@ query: |
  | where SessionState == 'Disconnected'
  | where RemoteIP =~ v_IP_Address
  | extend Host_HostName = iff(Computer has '.', HostName, Computer)
-  | summarize Host_Aux_BytesReceived = sum(ReceivedBytes), make_set(LocalIP) by Host_HostName, Host_DnsDomain
+  | summarize Host_Aux_BytesReceived = sum(ReceivedBytes), Host_Aux_LocalIPs=make_set(LocalIP) by Host_HostName, Host_DnsDomain
  | top 10 by Host_Aux_BytesReceived desc nulls last
  };
  HostsReceivingDatafromIP('<Address>')
--- a/Queries/InputEntity_IP/IP2Host_HostByTrafficToIPLeast.yaml
+++ b/Queries/InputEntity_IP/IP2Host_HostByTrafficToIPLeast.yaml
@ -21,8 +21,7 @@ query: |
  | where SessionState == 'Disconnected' 
  | where RemoteIP =~ v_IP_Address
  | summarize Host_Aux_BytesSent = sum(SentBytes) by Computer, LocalIP
-  | parse Computer with HostName '.' Host_DnsName
-  | extend Host_HostName = iff(Computer has '.', HostName, Computer)
  | top 10 by Host_Aux_BytesSent asc nulls last 
-  };
+  | project-rename Host_UnstructuredName=Computer, Host_Aux_LocalIP=LocalIP
+   };
  HostsSendingDatatoIP('<Address>')
--- a/Queries/InputEntity_IP/IP2Host_HostByTrafficToIPMost.yaml
+++ b/Queries/InputEntity_IP/IP2Host_HostByTrafficToIPMost.yaml
@ -21,8 +21,7 @@ query: |
  | where SessionState == 'Disconnected' 
  | where RemoteIP =~ v_IP_Address
  | summarize Host_Aux_BytesSent = sum(SentBytes) by Computer, LocalIP
-  | parse Computer with HostName '.' Host_DnsName
-  | extend Host_HostName = iff(Computer has '.', HostName, Computer)
  | top 10 by Host_Aux_BytesSent desc nulls last 
+  | project-rename Host_UnstructuredName=Computer, Host_Aux_LocalIP=LocalIP 
  };
  HostsSendingDatatoIP('<Address>')
--- a/Queries/InputEntity_IP/IP2IP_SrcIPsWithMostDROP.yaml
+++ b/Queries/InputEntity_IP/IP2IP_SrcIPsWithMostDROP.yaml
@ -20,11 +20,11 @@ query: |
  WindowsFirewall
  | where FirewallAction == 'DROP'
    and DestinationIP =~ v_IP_Address
-  | summarize IP_Aux_DropCount = count(), DestPorts = makeset(DestinationPort) by SourceIP
+  | summarize IP_Aux_DropCount = count(), IP_Aux_DestPorts = makeset(DestinationPort) by SourceIP
  | sort by IP_Aux_DropCount
  | serialize rn=row_number()
  | top 10 by rn asc nulls last
-  | project-rename IP_Address = SourceIP
+  | project IP_Address = SourceIP, IP_Aux_DropCount, IP_Aux_DestPorts
  };
  MostDroppedSourceIP('<Address>')

--- a/Queries/InputEntity_IP/LeastPrevIn_ByIPAddress.yaml
+++ b/Queries/InputEntity_IP/LeastPrevIn_ByIPAddress.yaml
@ -24,10 +24,10 @@ query: |
  | where Direction == 'Inbound' 
  | where RemoteIP has v_IPAddress
  | extend info = pack('LocalPortNumber', LocalPortNumber, 'RemoteIP', RemoteIP, 'Direction', Direction, 'ApplicationProtocol', ApplicationProtocol)
-  | summarize min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, ProcessName , LocalIP, ProcessID
+  | summarize Process_Aux_EarliestSessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, ProcessName , LocalIP, ProcessID
  | extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info
  | top 10 by count_ asc
-  | project min_SessionStartTime, Computer, ProcessName , LocalIP, ProcessID, IP_Aux_info, Process_Aux_info, Host_Aux_info
+  | project Process_Aux_EarliestSessionStartTime, Computer, ProcessName , LocalIP, ProcessID, IP_Aux_info, Process_Aux_info, Host_Aux_info
  | project-rename IP_Address=LocalIP, Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer, Process_ProcessId=ProcessID
  };
  // change <Address> value below
--- a/Queries/InputEntity_IP/LeastPrevOut_ByIPAddress.yaml
+++ b/Queries/InputEntity_IP/LeastPrevOut_ByIPAddress.yaml
@ -24,10 +24,10 @@ query: |
  | where Direction == 'Outbound'
  | where LocalIP has v_IP_Address
  | extend info = pack('LocalIP', LocalIP, 'LocalPortNumber', LocalPortNumber, 'Direction', Direction, 'ApplicationProtocol', ApplicationProtocol)
-  | summarize min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, ProcessName, RemoteIP, ProcessID
+  | summarize count(), IP_Aux_info = makeset(info) by Computer, ProcessName, RemoteIP, ProcessID
  | extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info
  | top 10 by count_ asc
-  | project min_SessionStartTime, Computer, ProcessName, RemoteIP, ProcessID, IP_Aux_info, Process_Aux_info, Host_Aux_info
+  | project Computer, ProcessName, RemoteIP, ProcessID, IP_Aux_info, Process_Aux_info, Host_Aux_info
  | project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer, Process_ProcessId=ProcessID
  };
  // change <Address> value below