diff --git a/Exploration Queries/InputEntity_Host/LeastPrevIn_ByHost.yaml b/Exploration Queries/InputEntity_Host/LeastPrevIn_ByHost.yaml
index 09c0fc855d..48741cdb0a 100644
--- a/Exploration Queries/InputEntity_Host/LeastPrevIn_ByHost.yaml
+++ b/Exploration Queries/InputEntity_Host/LeastPrevIn_ByHost.yaml
@@ -26,8 +26,8 @@ query: |
 | summarize Process_Aux_Min_SessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by ProcessName , LocalIP, ProcessID
 | extend Process_Aux_info = IP_Aux_info
 | top 10 by count_ asc
- | project Process_Aux_Min_SessionStartTime, ProcessName , LocalIP, ProcessID, IP_Aux_info, Process_Aux_info
- | project-rename IP_Address=LocalIP, Process_ImageFile_FullPath=ProcessName, Process_ProcessId=ProcessID
+ | project Process_Aux_Min_SessionStartTime, ProcessName , LocalIP, IP_Aux_info, Process_Aux_info, Process_ProcessId=tostring(ProcessID)
+ | project-rename IP_Address=LocalIP, Process_ImageFile_FullPath=ProcessName
 };
 // change value below
 GetWireDataInboundWithHost('')
diff --git a/Exploration Queries/InputEntity_Host/LeastPrevOut_ByHost.yaml b/Exploration Queries/InputEntity_Host/LeastPrevOut_ByHost.yaml
index 4c114ebb5e..97dcef6d45 100644
--- a/Exploration Queries/InputEntity_Host/LeastPrevOut_ByHost.yaml
+++ b/Exploration Queries/InputEntity_Host/LeastPrevOut_ByHost.yaml
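Review bot: `tostring(ProcessID)` on the new `project` line maps a null `ProcessID` to an empty string, so any group the `summarize` formed under a missing PID now leaves the query as a Process entity whose `Process_ProcessId` is `""` rather than null — and since KQL strings have no null value, that distinction cannot be recovered downstream. If rows without a PID are not meant to become Process entities, drop them before the aggregation with `| where isnotnull(ProcessID)` (that line would sit above this hunk, inside `GetWireDataInboundWithHost`, whose body starts outside the hunk); otherwise a short comment on the cast saying that an empty `Process_ProcessId` means "no PID recorded" would save the next reader from guessing. The reason for the cast itself is also undocumented; a why-comment such as `// ProcessID is cast to string so the column binds to the Process entity's ProcessId field` would help, if that is indeed the motivation.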
@@ -26,8 +26,8 @@ query: |
 | summarize Process_Aux_Min_SessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by ProcessName, RemoteIP, ProcessID
 | extend Process_Aux_info = IP_Aux_info
 | top 10 by count_ asc
- | project Process_Aux_Min_SessionStartTime, ProcessName, RemoteIP, ProcessID, IP_Aux_info, Process_Aux_info
- | project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName, Process_ProcessId=ProcessID
+ | project Process_Aux_Min_SessionStartTime, ProcessName, RemoteIP, IP_Aux_info, Process_Aux_info, Process_ProcessId=tostring(ProcessID)
+ | project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName
 };
 // change value below
 GetWireDataOutboundWithHost('')
diff --git a/Exploration Queries/InputEntity_Host/LeastPrevProcess_ByHost.yaml b/Exploration Queries/InputEntity_Host/LeastPrevProcess_ByHost.yaml
index 3558205099..c42a1de285 100644
--- a/Exploration Queries/InputEntity_Host/LeastPrevProcess_ByHost.yaml
+++ b/Exploration Queries/InputEntity_Host/LeastPrevProcess_ByHost.yaml
@@ -24,7 +24,7 @@ query: |
 | extend info = pack('HostName', HostName, 'HostIP', HostIP)
 | summarize Process_Aux_StartTime=min(EventTime), Process_Aux_EndTime=max(EventTime), count(), Process_Aux_info = makeset(info) by Computer, ProcessName, ProcessID
 | top 10 by count_ asc nulls last
- | project Process_Aux_StartTime, Process_Aux_EndTime, Process_Host_UnstructuredName=Computer, Process_ProcessId=ProcessID, Process_ImageFile_FullPath=ProcessName, Process_Aux_info
+ | project Process_Aux_StartTime, Process_Aux_EndTime, Process_Host_UnstructuredName=Computer, Process_ProcessId=tostring(ProcessID), Process_ImageFile_FullPath=ProcessName, Process_Aux_info
 };
 // change value below
 GetSysLogEventsOnHost('')
diff --git a/Exploration Queries/InputEntity_IP/LeastPrevIn_ByIPAddress.yaml b/Exploration Queries/InputEntity_IP/LeastPrevIn_ByIPAddress.yaml
index d5f66d17c2..4462e0f0be 100644
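Review bot: The new `project` line in LeastPrevOut_ByHost.yaml has the same unhedged cast as the inbound query — `tostring(ProcessID)` yields `""` for a null PID, so an outbound connection whose process could not be resolved is still emitted as a Process entity, now with an empty rather than null identifier. Either filter such rows above the `summarize` with `| where isnotnull(ProcessID)` (that line falls outside the hunk, in the body of `GetWireDataOutboundWithHost`, which begins above it), or state the intent next to the cast, e.g. `// cast to string for the Process entity; empty means no PID was captured`. Nothing in the hunk records why the cast is needed, so the next person touching these files has no way to tell whether a plain rename would break entity mapping.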
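Review bot: In the Syslog-based LeastPrevProcess_ByHost.yaml hunk the `Process_ProcessId=tostring(ProcessID)` cast is most likely to meet null input: the `nulls last` already on the `top` line suggests the author expected gaps in this data, and `tostring()` silently turns a null `ProcessID` into `""`, so a least-prevalent "process" with no PID at all will rank among the ten results with an empty identifier. If that is undesirable, add `| where isnotnull(ProcessID)` before the `summarize` (inside `GetSysLogEventsOnHost`, whose body begins above the hunk); if it is deliberate, a one-line comment on the cast saying that an empty `Process_ProcessId` denotes a missing PID should accompany it.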
--- a/Exploration Queries/InputEntity_IP/LeastPrevIn_ByIPAddress.yaml
+++ b/Exploration Queries/InputEntity_IP/LeastPrevIn_ByIPAddress.yaml
@@ -27,8 +27,8 @@ query: |
 | summarize Process_Aux_EarliestSessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, ProcessName , LocalIP, ProcessID
 | extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info
 | top 10 by count_ asc
- | project Process_Aux_EarliestSessionStartTime, Computer, ProcessName , LocalIP, ProcessID, IP_Aux_info, Process_Aux_info, Host_Aux_info
- | project-rename IP_Address=LocalIP, Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer, Process_ProcessId=ProcessID
+ | project Process_Aux_EarliestSessionStartTime, Computer, ProcessName , LocalIP, Process_ProcessId=tostring(ProcessID), IP_Aux_info, Process_Aux_info, Host_Aux_info
+ | project-rename IP_Address=LocalIP, Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer
 };
 // change value below
 GetWireDataInboundWithIp('')
diff --git a/Exploration Queries/InputEntity_IP/LeastPrevOut_ByIPAddress.yaml b/Exploration Queries/InputEntity_IP/LeastPrevOut_ByIPAddress.yaml
index 24bae2e550..9889a77b95 100644
--- a/Exploration Queries/InputEntity_IP/LeastPrevOut_ByIPAddress.yaml
+++ b/Exploration Queries/InputEntity_IP/LeastPrevOut_ByIPAddress.yaml
@@ -27,8 +27,8 @@ query: |
 | summarize count(), IP_Aux_info = makeset(info) by Computer, ProcessName, RemoteIP, ProcessID
 | extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info
 | top 10 by count_ asc
- | project Computer, ProcessName, RemoteIP, ProcessID, IP_Aux_info, Process_Aux_info, Host_Aux_info
- | project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer, Process_ProcessId=ProcessID
+ | project Computer, ProcessName, RemoteIP, Process_ProcessId=tostring(ProcessID), IP_Aux_info, Process_Aux_info, Host_Aux_info
+ | project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer
 };
 // change value below
 GetWireDataOutboundWithIp('')
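Review bot: In LeastPrevIn_ByIPAddress.yaml the cast `Process_ProcessId=tostring(ProcessID)` is placed in the middle of the `project` list (between `LocalIP` and `IP_Aux_info`), whereas the two InputEntity_Host files append it at the end; the output column order is harmless to the query, but keeping the same placement across the five sibling files makes future side-by-side diffs of these near-identical queries much easier to read. The same null-handling caveat applies here as elsewhere: `tostring()` renders a null `ProcessID` as `""`, so a `| where isnotnull(ProcessID)` before the `summarize` (above the hunk, in `GetWireDataInboundWithIp`) is the place to exclude PID-less rows if they should not become Process entities.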
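Review bot: `Process_ProcessId=tostring(ProcessID)` on the new `project` line of LeastPrevOut_ByIPAddress.yaml produces an empty string for a null `ProcessID`, and because KQL strings carry no null, consumers of this query can no longer distinguish "PID unknown" from a real value once the cast has run. Add `| where isnotnull(ProcessID)` ahead of the `summarize` (that statement is above the hunk, inside `GetWireDataOutboundWithIp`) if such rows should be dropped, or annotate the cast with `// empty Process_ProcessId means the PID was not captured` so the behaviour is explicit. A brief comment on why the string cast is required at all would also be worth adding, since the hunk gives no hint and a reader may be tempted to revert it to a plain rename.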