Merge pull request #9692 from Azure/users/v-muuppugundu/MultipleRDPIs…

…sues updated by Account=tolower(Account)
Azure · Jan 8, 2024 · e1c92cb · e1c92cb
2 parents 9f06ee7 + db7eeab
commit e1c92cb
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/Detections/SecurityEvent/RDP_MultipleConnectionsFromSingleSystem.yaml b/Detections/SecurityEvent/RDP_MultipleConnectionsFromSingleSystem.yaml
@@ -32,7 +32,7 @@ query: |
   | where TimeGenerated >= ago(endtime)
   | where EventID == 4624 and LogonType == 10
   | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)
-  by Account, IpAddress, AccountType, Activity, LogonTypeName),
+  by Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName),
   (WindowsEvent
   | where TimeGenerated >= ago(endtime)
   | where EventID == 4624
@@ -46,7 +46,7 @@ query: |
   | extend Activity="4624 - An account was successfully logged on."
   | extend LogonTypeName="10 - RemoteInteractive"
   | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)
-  by Account, IpAddress, AccountType, Activity, LogonTypeName)
+  by Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName)
   )
   | join kind=inner (
   (union isfuzzy=true
@@ -83,7 +83,7 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IpAddress
-version: 1.2.5
+version: 1.2.6
 kind: Scheduled
 metadata:
     source: