Update dllhost_with_no_command_line_arguments_with_network.yml

Author: nasbench

detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml

@@ -28,8 +28,13 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   | `security_content_ctime(lastTime)` | regex process="(?i)(dllhost\.exe.{0,4}$)"
   | rename dest as src | join host process_id [| tstats `security_content_summariesonly`
   count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port)
-  as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port
-  != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `dllhost_with_no_command_line_arguments_with_network_filter`'
+  as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 
+  by host All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out
+  All_Traffic.dest  All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
+  All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port
+  All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.direction
+  All_Traffic.process_id
+  | `drop_dm_object_name(All_Traffic)`] | `dllhost_with_no_command_line_arguments_with_network_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,