more output field fixes

Author: nasbench

detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml

@@ -17,9 +17,14 @@ data_source:
 - Sysmon EventID 1 AND Sysmon EventID 3
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=dllhost.exe
-  Processes.action!="blocked" by host _time span=1h Processes.process_id Processes.process_name
-  Processes.dest Processes.process_path Processes.process Processes.parent_process_name
-  Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
+  Processes.action!="blocked" by host _time span=1h 
+  Processes.action Processes.dest Processes.original_file_name
+  Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
+  Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
+  Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
+  Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
+  Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | regex process="(?i)(dllhost\.exe.{0,4}$)"
   | rename dest as src | join host process_id [| tstats `security_content_summariesonly`
   count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port)

detections/endpoint/windows_rundll32_webdav_with_network_connection.yml

@@ -28,7 +28,12 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   [ | tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest
   latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port
   FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port!=0 NOT (All_Traffic.dest_ip
-  IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16))  by host All_Traffic.process_id
+  IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)) 
+  by host All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out
+  All_Traffic.dest  All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
+  All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port
+  All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.direction
+  All_Traffic.process_id
   | `drop_dm_object_name(All_Traffic)`] | `windows_rundll32_webdav_with_network_connection_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related