Cyb3rWard0g - firstly, a huge thanks for putting this post together; it's helped cement some fundamental Sentinel concepts I was struggling to get a handle on.
One quick question: I've deployed the Sentinel2Go Azure Sentinel + Custom Log Pipeline template with the large mordor-large-apt29 dataset and the Logstash-EventHub pipeline. This has given me 263,620 entries, and following a slight tweak to the syntax of your example (see below) I've created an Analytics Rule to create Incidents.
I thought I'd test Sentinel's Incident Investigation capabilities by creating a second Incident for the same computer/user, so I started looking closer at https://mordordatasets.com/introduction.html, only to find that none of the Hostnames match what I was expecting; instead of the https://mordordatasets.com/mordor_shire.html or https://mordordatasets.com/mordor_erebor.html environments I appear to have demvals.local. Am I missing something really obvious here...?
// Left side: 4624 network logons (LogonType 3) by non-machine accounts
prerecorded_CL
| extend a=parse_json(Message)
| where a.SourceName == "Microsoft-Windows-Security-Auditing"
| where a.EventID == 4624 and a.LogonType == 3 and tostring(a.TargetUserName) !endswith "$"
| project path_s, Hostname=tostring(a.Hostname), TargetLogonId=tostring(a.TargetLogonId), TargetUserName=tostring(a.TargetUserName)
| join kind=inner
(
    // Right side: 4688 process creations, excluding the SYSTEM session 0x3e4
    prerecorded_CL
    | extend b=parse_json(Message)
    | where b.EventID == 4688 and b.TargetLogonId != "0x3e4"
    | project ParentProcessName=tostring(b.ParentProcessName),
        NewProcessName=tostring(b.NewProcessName),
        CommandLine=tostring(b.CommandLine),
        TargetLogonId=tostring(b.TargetLogonId),
        Hostname=tostring(b.Hostname),
        TargetUserName=tostring(b.TargetUserName)
)
on TargetLogonId
| project-away TargetLogonId, TargetLogonId1
// Map the columns Sentinel uses to build Account and Host entities on the Incident
| extend AccountCustomEntity = TargetUserName
| extend HostCustomEntity = Hostname
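The same correlation, replayed offline in Python over a handful of constructed prerecorded_CL-style rows, as an added example that is not part of the comment above or of the Sentinel2Go project. It reproduces the two filter branches and the inner join of the KQL query (4624 network logons by non-machine accounts joined to 4688 process creations on TargetLogonId), with one deliberate tightening: the join key also includes Hostname, because a Windows logon ID is only unique on the machine that issued it, so keying on TargetLogonId alone can glue a logon on one host to processes on another. The hostnames, users, logon IDs and command lines are made up for the sample (the demvals.local suffix only mirrors what the comment reports seeing) and are not taken from the Mordor dataset.

```python
import json
from collections import defaultdict

# Constructed sample rows in the shape of the prerecorded_CL custom log table:
# the raw event is a JSON string in Message and path_s names the source file.
# All hostnames, accounts, logon IDs and command lines here are invented.
def _row(path, **event):
    return {"path_s": path, "Message": json.dumps(event)}

SAMPLE_ROWS = [
    # network logon (LogonType 3) by a user account: kept by the 4624 branch
    _row("apt29/day1.json", SourceName="Microsoft-Windows-Security-Auditing",
         EventID=4624, LogonType=3, TargetLogonId="0x1a2b3c",
         TargetUserName="pbeesly", Hostname="nashua.demvals.local"),
    # interactive logon (LogonType 2): dropped
    _row("apt29/day1.json", SourceName="Microsoft-Windows-Security-Auditing",
         EventID=4624, LogonType=2, TargetLogonId="0x44",
         TargetUserName="pbeesly", Hostname="nashua.demvals.local"),
    # machine account network logon: dropped by the !endswith "$" filter
    _row("apt29/day1.json", SourceName="Microsoft-Windows-Security-Auditing",
         EventID=4624, LogonType=3, TargetLogonId="0x55",
         TargetUserName="NASHUA$", Hostname="nashua.demvals.local"),
    # two process creations under the kept logon session: both join
    _row("apt29/day1.json", EventID=4688, TargetLogonId="0x1a2b3c",
         TargetUserName="pbeesly", Hostname="nashua.demvals.local",
         ParentProcessName="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
         NewProcessName="C:\\Windows\\System32\\cmd.exe",
         CommandLine="cmd.exe /c whoami"),
    _row("apt29/day1.json", EventID=4688, TargetLogonId="0x1a2b3c",
         TargetUserName="pbeesly", Hostname="nashua.demvals.local",
         ParentProcessName="C:\\Windows\\System32\\cmd.exe",
         NewProcessName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
         CommandLine="powershell.exe -nop -w hidden"),
    # SYSTEM session (0x3e4): dropped by the 4688 branch
    _row("apt29/day1.json", EventID=4688, TargetLogonId="0x3e4",
         TargetUserName="SYSTEM", Hostname="nashua.demvals.local",
         ParentProcessName="C:\\Windows\\System32\\services.exe",
         NewProcessName="C:\\Windows\\System32\\svchost.exe",
         CommandLine="svchost.exe -k netsvcs"),
    # same logon ID on a different host: logon IDs are only unique per
    # machine, so this must not join to the nashua session
    _row("apt29/day1.json", EventID=4688, TargetLogonId="0x1a2b3c",
         TargetUserName="jhalpert", Hostname="scranton.demvals.local",
         ParentProcessName="C:\\Windows\\explorer.exe",
         NewProcessName="C:\\Windows\\System32\\notepad.exe",
         CommandLine="notepad.exe"),
]


def parse_event(row):
    """extend a=parse_json(Message): decode the JSON event embedded in the row."""
    return json.loads(row["Message"])


def network_logons(rows):
    """Left side of the join: 4624 network logons by non-machine accounts."""
    out = []
    for row in rows:
        ev = parse_event(row)
        if (ev.get("SourceName") == "Microsoft-Windows-Security-Auditing"
                and ev.get("EventID") == 4624 and ev.get("LogonType") == 3
                and not str(ev.get("TargetUserName", "")).endswith("$")):
            out.append({"path_s": row["path_s"],
                        "Hostname": str(ev.get("Hostname", "")),
                        "TargetLogonId": str(ev.get("TargetLogonId", "")),
                        "TargetUserName": str(ev.get("TargetUserName", ""))})
    return out


def process_creations(rows):
    """Right side of the join: 4688 events outside the SYSTEM session 0x3e4."""
    fields = ("ParentProcessName", "NewProcessName", "CommandLine",
              "TargetLogonId", "Hostname", "TargetUserName")
    out = []
    for row in rows:
        ev = parse_event(row)
        if ev.get("EventID") == 4688 and ev.get("TargetLogonId") != "0x3e4":
            out.append({k: str(ev.get(k, "")) for k in fields})
    return out


def correlate(rows):
    """Inner join of both sides keyed on (Hostname, TargetLogonId); each hit
    carries the Account/Host entity columns the Analytics Rule maps."""
    by_key = defaultdict(list)
    for logon in network_logons(rows):
        by_key[(logon["Hostname"], logon["TargetLogonId"])].append(logon)
    results = []
    for proc in process_creations(rows):
        for logon in by_key.get((proc["Hostname"], proc["TargetLogonId"]), []):
            results.append({"path_s": logon["path_s"],
                            "ParentProcessName": proc["ParentProcessName"],
                            "NewProcessName": proc["NewProcessName"],
                            "CommandLine": proc["CommandLine"],
                            "AccountCustomEntity": logon["TargetUserName"],
                            "HostCustomEntity": logon["Hostname"]})
    return results


if __name__ == "__main__":
    for hit in correlate(SAMPLE_ROWS):
        print(hit["HostCustomEntity"], hit["AccountCustomEntity"], hit["CommandLine"])
```

Run against the sample, the two nashua process creations under logon 0x1a2b3c are the only hits; the scranton row with the same logon ID stays out because of the hostname in the key, which is the check worth carrying back into the KQL (`on Hostname, TargetLogonId`) before turning the query into an Incident-generating rule.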