From 7f894c516a235c96966abfcf2653ec8ef77802df Mon Sep 17 00:00:00 2001
From: Yaron Fruchtmann
Date: Wed, 12 Aug 2020 12:12:04 +0300
Subject: [PATCH] Fixed output column names
---
 .../InputEntity_Host/ServiceCreatedOnHost.yaml | 4 ++--
 .../InputEntity_Host/UsersConnectedByHost.yaml | 4 ++--
 .../InputEntity_IP/IP2Host_HostByTrafficFromIPLeast.yaml | 2 +-
 .../InputEntity_IP/IP2Host_HostByTrafficFromIPMost.yaml | 2 +-
 .../InputEntity_IP/IP2Host_HostByTrafficToIPLeast.yaml | 5 ++---
 .../InputEntity_IP/IP2Host_HostByTrafficToIPMost.yaml | 3 +--
 .../InputEntity_IP/IP2IP_SrcIPsWithMostDROP.yaml | 4 ++--
 .../InputEntity_IP/LeastPrevIn_ByIPAddress.yaml | 4 ++--
 .../InputEntity_IP/LeastPrevOut_ByIPAddress.yaml | 4 ++--
 9 files changed, 15 insertions(+), 17 deletions(-)
diff --git a/Exploration Queries/InputEntity_Host/ServiceCreatedOnHost.yaml b/Exploration Queries/InputEntity_Host/ServiceCreatedOnHost.yaml
index 5e032484e2..d2474c3717 100644
--- a/Exploration Queries/InputEntity_Host/ServiceCreatedOnHost.yaml
+++ b/Exploration Queries/InputEntity_Host/ServiceCreatedOnHost.yaml
@@ -34,8 +34,8 @@ query: |
 and not(ImagePath has '\\WindowsAzure\\GuestAgent_' and ImagePath has '\\GuestAgent\\WindowsAzureGuestAgent.exe')
 | extend Process_Aux_Service_info = pack('ServiceName', Process_Aux_ServiceName, 'ServiceType', ServiceType, 'StartType', StartType, 'ServiceAccount', ServiceAccount)
 | project TimeGenerated, Computer, UserName, Process_Aux_ServiceName, ImagePath, Process_Aux_Service_info
- | project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=UserName, Process_ImageFile_FullPath=ImagePath
- | top 10 by TimeGenerated desc nulls last
+ | project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=UserName, Process_ImageFile_FullPath=ImagePath, Process_CreationTimeUtc=TimeGenerated
+ | top 10 by Process_CreationTimeUtc desc nulls last
 };
 // change value below
 GetServiceCreationsOnHost('')
\ No newline at end of file
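Review bot: `Process_CreationTimeUtc=TimeGenerated` in the new project-rename presents the event's TimeGenerated as a process creation time, presumably to fit the Process entity column set, but in this query TimeGenerated is the timestamp of the service-creation event, not a process start time. A one-line KQL comment above the rename would keep the next reader from treating the column as an exact process start, e.g. `// TimeGenerated of the service-creation event is exposed as Process_CreationTimeUtc to fit the Process entity columns`. The `top 10 by Process_CreationTimeUtc` line is consistent with the rename. The enclosing query function starts outside the hunk.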
diff --git a/Exploration Queries/InputEntity_Host/UsersConnectedByHost.yaml b/Exploration Queries/InputEntity_Host/UsersConnectedByHost.yaml
index 058612d48f..14eea94676 100644
--- a/Exploration Queries/InputEntity_Host/UsersConnectedByHost.yaml
+++ b/Exploration Queries/InputEntity_Host/UsersConnectedByHost.yaml
@@ -28,8 +28,8 @@ query: |
 | extend info = pack('UserPrincipalName', UserPrincipalName, 'AppDisplayName', AppDisplayName, 'ClientAppUsed', ClientAppUsed, 'Browser', tostring(Browser), 'ResultType', ResultType, 'ResultDescription', ResultDescription, 'Location', Location, 'StatusCode', StatusCode, 'StatusDetails', StatusDetails)
 | summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, OS, IPAddress, State, City, Latitude, Longitude
 | extend IP_Aux_info = Account_Aux_info
- | project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, RemoteHost, UserDisplayName, OS, IPAddress, State, City, Latitude, Longitude, Account_Aux_info, IP_Aux_info
- | top 10 by StartTimeUtc desc nulls last
+ | project Account_Aux_StartTimeUtc = min_TimeGenerated, Account_Aux_EndTimeUtc = max_TimeGenerated, RemoteHost, UserDisplayName, OS, IPAddress, State, City, Latitude, Longitude, Account_Aux_info, IP_Aux_info
+ | top 10 by Account_Aux_StartTimeUtc desc nulls last
 | project-rename Account_UnstructuredName=UserDisplayName, Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS, IP_Address=IPAddress, IP_Location_State=State, IP_Location_City=City, IP_Location_Latitude=Latitude, IP_Location_Longitude=Longitude
 };
 // change value below
diff --git a/Exploration Queries/InputEntity_IP/IP2Host_HostByTrafficFromIPLeast.yaml b/Exploration Queries/InputEntity_IP/IP2Host_HostByTrafficFromIPLeast.yaml
index ea3b3ae1bb..f2768319e3 100644
--- a/Exploration Queries/InputEntity_IP/IP2Host_HostByTrafficFromIPLeast.yaml
+++ b/Exploration Queries/InputEntity_IP/IP2Host_HostByTrafficFromIPLeast.yaml
@@ -22,7 +22,7 @@ query: |
 | where SessionState == 'Disconnected'
 | where RemoteIP =~ v_IP_Address
 | extend Host_HostName = iff(Computer has '.', HostName, Computer)
- | summarize Host_Aux_BytesReceived = sum(ReceivedBytes), make_set(LocalIP) by Host_HostName, Host_DnsDomain
+ | summarize Host_Aux_BytesReceived = sum(ReceivedBytes), Host_Aux_LocalIPs=make_set(LocalIP) by Host_HostName, Host_DnsDomain
 | top 10 by Host_Aux_BytesReceived asc nulls last
 };
 HostsReceivingDatafromIP('
')
diff --git a/Exploration Queries/InputEntity_IP/IP2Host_HostByTrafficFromIPMost.yaml b/Exploration Queries/InputEntity_IP/IP2Host_HostByTrafficFromIPMost.yaml
index d8dd8ed5f8..5661557b23 100644
--- a/Exploration Queries/InputEntity_IP/IP2Host_HostByTrafficFromIPMost.yaml
+++ b/Exploration Queries/InputEntity_IP/IP2Host_HostByTrafficFromIPMost.yaml
@@ -22,7 +22,7 @@ query: |
 | where SessionState == 'Disconnected'
 | where RemoteIP =~ v_IP_Address
 | extend Host_HostName = iff(Computer has '.', HostName, Computer)
- | summarize Host_Aux_BytesReceived = sum(ReceivedBytes), make_set(LocalIP) by Host_HostName, Host_DnsDomain
+ | summarize Host_Aux_BytesReceived = sum(ReceivedBytes), Host_Aux_LocalIPs=make_set(LocalIP) by Host_HostName, Host_DnsDomain
 | top 10 by Host_Aux_BytesReceived desc nulls last
 };
 HostsReceivingDatafromIP('
')
\ No newline at end of file
diff --git a/Exploration Queries/InputEntity_IP/IP2Host_HostByTrafficToIPLeast.yaml b/Exploration Queries/InputEntity_IP/IP2Host_HostByTrafficToIPLeast.yaml
index 12580e1e68..0828758b8e 100644
--- a/Exploration Queries/InputEntity_IP/IP2Host_HostByTrafficToIPLeast.yaml
+++ b/Exploration Queries/InputEntity_IP/IP2Host_HostByTrafficToIPLeast.yaml
@@ -21,8 +21,7 @@ query: |
 | where SessionState == 'Disconnected'
 | where RemoteIP =~ v_IP_Address
 | summarize Host_Aux_BytesSent = sum(SentBytes) by Computer, LocalIP
- | parse Computer with HostName '.' Host_DnsName
- | extend Host_HostName = iff(Computer has '.', HostName, Computer)
 | top 10 by Host_Aux_BytesSent asc nulls last
- };
+ | project-rename Host_UnstructuredName=Computer, Host_Aux_LocalIP=LocalIP
+ };
 HostsSendingDatatoIP('
')
diff --git a/Exploration Queries/InputEntity_IP/IP2Host_HostByTrafficToIPMost.yaml b/Exploration Queries/InputEntity_IP/IP2Host_HostByTrafficToIPMost.yaml
index b5bbf60ac6..f94ff566af 100644
--- a/Exploration Queries/InputEntity_IP/IP2Host_HostByTrafficToIPMost.yaml
+++ b/Exploration Queries/InputEntity_IP/IP2Host_HostByTrafficToIPMost.yaml
@@ -21,8 +21,7 @@ query: |
 | where SessionState == 'Disconnected'
 | where RemoteIP =~ v_IP_Address
 | summarize Host_Aux_BytesSent = sum(SentBytes) by Computer, LocalIP
- | parse Computer with HostName '.' Host_DnsName
- | extend Host_HostName = iff(Computer has '.', HostName, Computer)
 | top 10 by Host_Aux_BytesSent desc nulls last
+ | project-rename Host_UnstructuredName=Computer, Host_Aux_LocalIP=LocalIP
 };
 HostsSendingDatatoIP('
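Review bot: After this hunk the ToIP query identifies the host only as `Host_UnstructuredName=Computer`, while the FromIP pair changed in the same commit (IP2Host_HostByTrafficFromIPLeast/Most) still groups and outputs `Host_HostName` and `Host_DnsDomain`, so the two query pairs now map the same host entity through different columns; the removed `parse`/`extend` lines were what produced the split form here. If the unstructured name is the intended mapping the FromIP pair should probably follow, otherwise `| extend Host_HostName = iff(Computer has '.', HostName, Computer)` is worth keeping ahead of the new `project-rename`. IP2Host_HostByTrafficToIPMost makes the same change. Separately, `- };` / `+ };` shows no visible text difference, so it is a whitespace edit to the line that closes the `query: |` block scalar, whose indentation decides whether YAML still treats it as part of the query; worth checking with whitespace shown that it matches the ToIPMost file, where `};` is untouched. The enclosing function starts outside the hunk.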
')
\ No newline at end of file
diff --git a/Exploration Queries/InputEntity_IP/IP2IP_SrcIPsWithMostDROP.yaml b/Exploration Queries/InputEntity_IP/IP2IP_SrcIPsWithMostDROP.yaml
index 4cb212eac4..7177978538 100644
--- a/Exploration Queries/InputEntity_IP/IP2IP_SrcIPsWithMostDROP.yaml
+++ b/Exploration Queries/InputEntity_IP/IP2IP_SrcIPsWithMostDROP.yaml
@@ -20,11 +20,11 @@ query: | WindowsFirewall | where FirewallAction == 'DROP' and DestinationIP =~ v_IP_Address
- | summarize IP_Aux_DropCount = count(), DestPorts = makeset(DestinationPort) by SourceIP
+ | summarize IP_Aux_DropCount = count(), IP_Aux_DestPorts = makeset(DestinationPort) by SourceIP
 | sort by IP_Aux_DropCount
 | serialize rn=row_number()
 | top 10 by rn asc nulls last
- | project-rename IP_Address = SourceIP
+ | project IP_Address = SourceIP, IP_Aux_DropCount, IP_Aux_DestPorts
 };
 MostDroppedSourceIP('
')
diff --git a/Exploration Queries/InputEntity_IP/LeastPrevIn_ByIPAddress.yaml b/Exploration Queries/InputEntity_IP/LeastPrevIn_ByIPAddress.yaml
index c3377740a5..1ce10500ed 100644
--- a/Exploration Queries/InputEntity_IP/LeastPrevIn_ByIPAddress.yaml
+++ b/Exploration Queries/InputEntity_IP/LeastPrevIn_ByIPAddress.yaml
@@ -24,10 +24,10 @@ query: |
 | where Direction == 'Inbound'
 | where RemoteIP has v_IPAddress
 | extend info = pack('LocalPortNumber', LocalPortNumber, 'RemoteIP', RemoteIP, 'Direction', Direction, 'ApplicationProtocol', ApplicationProtocol)
- | summarize min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, ProcessName , LocalIP, ProcessID
+ | summarize Process_Aux_EarliestSessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, ProcessName , LocalIP, ProcessID
 | extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info
 | top 10 by count_ asc
- | project min_SessionStartTime, Computer, ProcessName , LocalIP, ProcessID, IP_Aux_info, Process_Aux_info, Host_Aux_info
+ | project Process_Aux_EarliestSessionStartTime, Computer, ProcessName , LocalIP, ProcessID, IP_Aux_info, Process_Aux_info, Host_Aux_info
 | project-rename IP_Address=LocalIP, Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer, Process_ProcessId=ProcessID
 };
 // change
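Review bot: The rewritten `summarize` line in IP2IP_SrcIPsWithMostDROP keeps the deprecated `makeset(DestinationPort)` spelling, while the FromIP hunks in this same commit use `make_set(LocalIP)`; since the line is being touched anyway, `IP_Aux_DestPorts = make_set(DestinationPort)` would make the commit internally consistent, and the same applies to the rewritten summarize lines in LeastPrevIn_ByIPAddress and LeastPrevOut_ByIPAddress. The switch from `project-rename` to an explicit `project` also removes the helper `rn` column from the query output, which is a change to the exposed columns beyond a rename and deserves a mention in the description. The enclosing function starts outside the hunk.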
value below
diff --git a/Exploration Queries/InputEntity_IP/LeastPrevOut_ByIPAddress.yaml b/Exploration Queries/InputEntity_IP/LeastPrevOut_ByIPAddress.yaml
index c22e1a70d0..0356d4a118 100644
--- a/Exploration Queries/InputEntity_IP/LeastPrevOut_ByIPAddress.yaml
+++ b/Exploration Queries/InputEntity_IP/LeastPrevOut_ByIPAddress.yaml
@@ -24,10 +24,10 @@ query: |
 | where Direction == 'Outbound'
 | where LocalIP has v_IP_Address
 | extend info = pack('LocalIP', LocalIP, 'LocalPortNumber', LocalPortNumber, 'Direction', Direction, 'ApplicationProtocol', ApplicationProtocol)
- | summarize min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, ProcessName, RemoteIP, ProcessID
+ | summarize count(), IP_Aux_info = makeset(info) by Computer, ProcessName, RemoteIP, ProcessID
 | extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info
 | top 10 by count_ asc
- | project min_SessionStartTime, Computer, ProcessName, RemoteIP, ProcessID, IP_Aux_info, Process_Aux_info, Host_Aux_info
+ | project Computer, ProcessName, RemoteIP, ProcessID, IP_Aux_info, Process_Aux_info, Host_Aux_info
 | project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer, Process_ProcessId=ProcessID
 };
 // change
value below
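Review bot: This hunk drops `min(SessionStartTime)` from the Outbound query's summarize and project lines entirely, whereas the Inbound counterpart changed in the same commit (LeastPrevIn_ByIPAddress) keeps it under the new name `Process_Aux_EarliestSessionStartTime`, so the two sibling queries now expose different column sets for the same entities. Unless losing the earliest session time for outbound traffic was intended, the two lines would read `| summarize Process_Aux_EarliestSessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, ProcessName, RemoteIP, ProcessID` and `| project Process_Aux_EarliestSessionStartTime, Computer, ProcessName, RemoteIP, ProcessID, IP_Aux_info, Process_Aux_info, Host_Aux_info`. The enclosing function starts outside the hunk.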