Merge branch 'master' into patch-1

Exploration Queries/InputEntity_Account/Acc2Host_HostWithMostFails.yaml

@@ -50,11 +50,11 @@ query: |
                 iff(isnotempty(p_Account_UPNSuffix) and isnotempty(Account_UPNSuffix) ,p_Account_UPNSuffix==Account_UPNSuffix,true )
            )
   | summarize Host_Aux_SuccessfulLoginCount = countif(EventID==SuccessfulLoginEventId), Host_Aux_FailedLoginsCount	= countif(EventID==FailedLoginEventId), Host_Aux_LogonTypes=make_set(LogonType)
-   by Computer, Account
+   by Computer, Account, SourceComputerId, _ResourceId
   | top 10 by Host_Aux_FailedLoginsCount
   | parse Computer with Host_NTDomain '\\' *
   | extend Host_HostName = tostring(split(Computer,'.')[0]), 
-   Host_DnsDomain = strcat_array(array_slice(split(Computer,'.'),1,256),'.')
+   Host_DnsDomain = strcat_array(array_slice(split(Computer,'.'),1,256),'.'), Host_OMSAgentID=SourceComputerId, Host_AzureID = _ResourceId
   | project-away Computer, Account  
   };
   MostFailedLogins('<Name>','<NTDomain>','<UPNSuffix>')

Exploration Queries/InputEntity_Account/UserAccount_SuccessLogons.yaml

@@ -26,8 +26,8 @@ query: |
   | where AccountType == 'User'
   | where tolower(Account) contains tolower(v_Account_Name)
   | extend info = pack('EventID', EventID, 'Account', Account, 'LogonTypeName', LogonTypeName, 'SubStatus', SubStatus, 'AccountType', AccountType, 'WorkstationName', WorkstationName, 'IpAddress', IpAddress)
-  | summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer
-  | project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info
+  | summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId, _ResourceId
+  | project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId, Host_AzureID=_ResourceId
   | project-rename Host_UnstructuredName=Computer, Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated
   | top 10 by Host_Aux_StartTime asc nulls last
   };

Exploration Queries/InputEntity_File/HostwithFile.yaml

@@ -20,8 +20,8 @@ query: |
   let GetFilesHost = (v_File_Name:string){
   SecurityEvent
   | where CommandLine contains v_File_Name or ServiceFileName contains v_File_Name or ServiceName contains v_File_Name
-  | summarize min(TimeGenerated), max(TimeGenerated) by Computer
-  | project min_TimeGenerated, max_TimeGenerated, Computer
+  | summarize min(TimeGenerated), max(TimeGenerated) by Computer, Host_OMSAgentID=SourceComputerId, Host_AzureID = _ResourceId
+  | project min_TimeGenerated, max_TimeGenerated, Computer, Host_OMSAgentID, Host_AzureID
   | project-rename Host_UnstructuredName=Computer, Host_Aux_min_TimeGenerated=min_TimeGenerated, Host_Aux_max_TimeGenerated=max_TimeGenerated
   | top 10 by Host_Aux_min_TimeGenerated desc nulls last
   };

Exploration Queries/InputEntity_Process/WinHosts_WithThisProcess.yaml

@@ -26,10 +26,10 @@ query: |
   | where EventID == 4688
   | where NewProcessName has v_Process_ImageFile_FullPath
   | extend info = pack('Account', Account, 'NewProcessName', NewProcessName, 'CommandLine', CommandLine)
-  | summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer
-  | project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info
+  | summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId, _ResourceId
+  | project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, SourceComputerId, _ResourceId
   | top 10 by min_TimeGenerated asc nulls last
-  | project-rename Host_UnstructuredName=Computer, Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated
+  | project-rename Host_UnstructuredName=Computer, Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated, Host_OMSAgentID=SourceComputerId, Host_AzureID_ResourceId
   };
   // change <CommandLine> value below
   GetHostsWithProcess('<CommandLine>')