From 9e3948a7c62a08d277d56ac21d877ca1736c26f6 Mon Sep 17 00:00:00 2001
From: lvoloshyn-sekoia
Date: Wed, 27 Dec 2023 14:54:14 +0200
Subject: [PATCH 01/34] Add OCSF parser

---
 OCSF/README.md | 7 +
 OCSF/ocsf/CHANGELOG.md | 8 +
 OCSF/ocsf/_meta/fields.yml | 8884 ++++++++++++++++++++
 OCSF/ocsf/_meta/manifest.yml | 8 +
 OCSF/ocsf/_meta/smart-descriptions.json | 0
 OCSF/ocsf/ingest/parser.yml | 19 +
 OCSF/ocsf/tests/test_file_activity.json | 184 +
 OCSF/ocsf/tests/test_process_activity.json | 142 +
 8 files changed, 9252 insertions(+)
 create mode 100644 OCSF/README.md
 create mode 100644 OCSF/ocsf/CHANGELOG.md
 create mode 100644 OCSF/ocsf/_meta/fields.yml
 create mode 100644 OCSF/ocsf/_meta/manifest.yml
 create mode 100644 OCSF/ocsf/_meta/smart-descriptions.json
 create mode 100644 OCSF/ocsf/ingest/parser.yml
 create mode 100644 OCSF/ocsf/tests/test_file_activity.json
 create mode 100644 OCSF/ocsf/tests/test_process_activity.json

diff --git a/OCSF/README.md b/OCSF/README.md
new file mode 100644
index 000000000..e60aa9bf8
--- /dev/null
+++ b/OCSF/README.md
@@ -0,0 +1,7 @@
+# OCSF
+
+## Description
+OCSF
+
+## Intakes
+*
diff --git a/OCSF/ocsf/CHANGELOG.md b/OCSF/ocsf/CHANGELOG.md
new file mode 100644
index 000000000..11bddf32c
--- /dev/null
+++ b/OCSF/ocsf/CHANGELOG.md
@@ -0,0 +1,8 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
diff --git a/OCSF/ocsf/_meta/fields.yml b/OCSF/ocsf/_meta/fields.yml
new file mode 100644
index 000000000..e69aa21b1
--- /dev/null
+++ b/OCSF/ocsf/_meta/fields.yml
@@ -0,0 +1,8884 @@ +input.type: + description: Type of filebeat input. + name: input.type + type: keyword +log.offset: + description: Log offset. + name: log.offset + type: long +ocsf.access_mask: + description: The access mask in a platform-native format. + name: ocsf.access_mask + type: long +ocsf.activity_id: + description: The normalized identifier of the activity that triggered the event. + name: ocsf.activity_id + type: keyword +ocsf.activity_name: + description: The event activity name, as defined by the activity_id. + name: ocsf.activity_name + type: keyword +ocsf.actor.authorizations.decision: + description: Authorization Result/outcome, e.g. allowed, denied. + name: ocsf.actor.authorizations.decision + type: keyword +ocsf.actor.authorizations.policy.desc: + description: The description of the policy. + name: ocsf.actor.authorizations.policy.desc + type: keyword +ocsf.actor.authorizations.policy.group.desc: + description: The group description. + name: ocsf.actor.authorizations.policy.group.desc + type: keyword +ocsf.actor.authorizations.policy.group.name: + description: The group name. + name: ocsf.actor.authorizations.policy.group.name + type: keyword +ocsf.actor.authorizations.policy.group.privileges: + description: The group privileges. + name: ocsf.actor.authorizations.policy.group.privileges + type: keyword +ocsf.actor.authorizations.policy.group.type: + description: The type of the group or account. + name: ocsf.actor.authorizations.policy.group.type + type: keyword +ocsf.actor.authorizations.policy.group.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.authorizations.policy.group.uid + type: keyword +ocsf.actor.authorizations.policy.name: + description: "The policy name. For example: IAM Policy." 
+ name: ocsf.actor.authorizations.policy.name + type: keyword +ocsf.actor.authorizations.policy.uid: + description: A unique identifier of the policy instance. + name: ocsf.actor.authorizations.policy.uid + type: keyword +ocsf.actor.authorizations.policy.version: + description: The policy version number. + name: ocsf.actor.authorizations.policy.version + type: keyword +ocsf.actor.idp.name: + description: The name of the identity provider. + name: ocsf.actor.idp.name + type: keyword +ocsf.actor.idp.uid: + description: The unique identifier of the identity provider. + name: ocsf.actor.idp.uid + type: keyword +ocsf.actor.invoked_by: + description: + The name of the service that invoked the activity as described in the + event. + name: ocsf.actor.invoked_by + type: keyword +ocsf.actor.process.auid: + description: The audit user assigned at login by the audit subsystem. + name: ocsf.actor.process.auid + type: keyword +ocsf.actor.process.cmd_line: + description: + The full command line used to launch an application, service, process, + or job. + name: ocsf.actor.process.cmd_line + type: keyword +ocsf.actor.process.container.hash.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.actor.process.container.hash.algorithm + type: keyword +ocsf.actor.process.container.hash.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.actor.process.container.hash.algorithm_id + type: keyword +ocsf.actor.process.container.hash.value: + description: The digital fingerprint value. + name: ocsf.actor.process.container.hash.value + type: keyword +ocsf.actor.process.container.image.labels: + description: The image labels. 
+ name: ocsf.actor.process.container.image.labels + type: keyword +ocsf.actor.process.container.image.name: + description: The image name. + name: ocsf.actor.process.container.image.name + type: keyword +ocsf.actor.process.container.image.path: + description: The full path to the image file. + name: ocsf.actor.process.container.image.path + type: keyword +ocsf.actor.process.container.image.tag: + description: The tag used by the container. It can indicate version, format, OS. + name: ocsf.actor.process.container.image.tag + type: keyword +ocsf.actor.process.container.image.uid: + description: The unique image ID. + name: ocsf.actor.process.container.image.uid + type: keyword +ocsf.actor.process.container.name: + description: The container name. + name: ocsf.actor.process.container.name + type: keyword +ocsf.actor.process.container.network_driver: + description: + The network driver used by the container. For example, bridge, overlay, + host, none, etc. + name: ocsf.actor.process.container.network_driver + type: keyword +ocsf.actor.process.container.orchestrator: + description: + The orchestrator managing the container, such as ECS, EKS, K8s, or + OpenShift. + name: ocsf.actor.process.container.orchestrator + type: keyword +ocsf.actor.process.container.pod_uuid: + description: + The unique identifier of the pod (or equivalent) that the container + is executing on. + name: ocsf.actor.process.container.pod_uuid + type: keyword +ocsf.actor.process.container.runtime: + description: The backend running the container, such as containerd or cri-o. + name: ocsf.actor.process.container.runtime + type: keyword +ocsf.actor.process.container.size: + description: The size of the container image. + name: ocsf.actor.process.container.size + type: long +ocsf.actor.process.container.tag: + description: The tag used by the container. It can indicate version, format, OS. 
+ name: ocsf.actor.process.container.tag + type: keyword +ocsf.actor.process.container.uid: + description: + The full container unique identifier for this instantiation of the + container. + name: ocsf.actor.process.container.uid + type: keyword +ocsf.actor.process.created_time: + description: The time when the process was created/started. + name: ocsf.actor.process.created_time + type: date +ocsf.actor.process.created_time_dt: + description: The time when the process was created/started. + name: ocsf.actor.process.created_time_dt + type: date +ocsf.actor.process.egid: + description: The effective group under which this process is running. + name: ocsf.actor.process.egid + type: keyword +ocsf.actor.process.euid: + description: The effective user under which this process is running. + name: ocsf.actor.process.euid + type: keyword +ocsf.actor.process.file.accessed_time: + description: The time when the file was last accessed. + name: ocsf.actor.process.file.accessed_time + type: date +ocsf.actor.process.file.accessed_time_dt: + description: The time when the file was last accessed. + name: ocsf.actor.process.file.accessed_time_dt + type: date +ocsf.actor.process.file.accessor.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.actor.process.file.accessor.account.name + type: keyword +ocsf.actor.process.file.accessor.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.file.accessor.account.type + type: keyword +ocsf.actor.process.file.accessor.account.type_id: + description: The normalized account type identifier. + name: ocsf.actor.process.file.accessor.account.type_id + type: keyword +ocsf.actor.process.file.accessor.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). 
+ name: ocsf.actor.process.file.accessor.account.uid + type: keyword +ocsf.actor.process.file.accessor.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.file.accessor.credential_uid + type: keyword +ocsf.actor.process.file.accessor.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.actor.process.file.accessor.domain + type: keyword +ocsf.actor.process.file.accessor.email_addr: + description: The user's email address. + name: ocsf.actor.process.file.accessor.email_addr + type: keyword +ocsf.actor.process.file.accessor.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.actor.process.file.accessor.full_name + type: keyword +ocsf.actor.process.file.accessor.groups.desc: + description: The group description. + name: ocsf.actor.process.file.accessor.groups.desc + type: keyword +ocsf.actor.process.file.accessor.groups.name: + description: The group name. + name: ocsf.actor.process.file.accessor.groups.name + type: keyword +ocsf.actor.process.file.accessor.groups.privileges: + description: The group privileges. + name: ocsf.actor.process.file.accessor.groups.privileges + type: keyword +ocsf.actor.process.file.accessor.groups.type: + description: The type of the group or account. + name: ocsf.actor.process.file.accessor.groups.type + type: keyword +ocsf.actor.process.file.accessor.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.process.file.accessor.groups.uid + type: keyword +ocsf.actor.process.file.accessor.name: + description: The username. For example, janedoe1. + name: ocsf.actor.process.file.accessor.name + type: keyword +ocsf.actor.process.file.accessor.org.name: + description: The name of the organization. 
For example, Widget, Inc. + name: ocsf.actor.process.file.accessor.org.name + type: keyword +ocsf.actor.process.file.accessor.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.actor.process.file.accessor.org.ou_name + type: keyword +ocsf.actor.process.file.accessor.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.process.file.accessor.org.ou_uid + type: keyword +ocsf.actor.process.file.accessor.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.actor.process.file.accessor.org.uid + type: keyword +ocsf.actor.process.file.accessor.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.actor.process.file.accessor.type + type: keyword +ocsf.actor.process.file.accessor.type_id: + description: The account type identifier. + name: ocsf.actor.process.file.accessor.type_id + type: keyword +ocsf.actor.process.file.accessor.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.actor.process.file.accessor.uid + type: keyword +ocsf.actor.process.file.accessor.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.actor.process.file.accessor.uid_alt + type: keyword +ocsf.actor.process.file.attributes: + description: The Bitmask value that represents the file attributes. + name: ocsf.actor.process.file.attributes + type: long +ocsf.actor.process.file.company_name: + description: + "The name of the company that published the file. For example: Microsoft + Corporation." 
+ name: ocsf.actor.process.file.company_name + type: keyword +ocsf.actor.process.file.confidentiality: + description: + The file content confidentiality, normalized to the confidentiality_id + value. In the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.file.confidentiality + type: keyword +ocsf.actor.process.file.confidentiality_id: + description: The normalized identifier of the file content confidentiality indicator. + name: ocsf.actor.process.file.confidentiality_id + type: keyword +ocsf.actor.process.file.created_time: + description: The time when the file was created. + name: ocsf.actor.process.file.created_time + type: date +ocsf.actor.process.file.created_time_dt: + description: The time when the file was created. + name: ocsf.actor.process.file.created_time_dt + type: date +ocsf.actor.process.file.creator.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.actor.process.file.creator.account.name + type: keyword +ocsf.actor.process.file.creator.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.file.creator.account.type + type: keyword +ocsf.actor.process.file.creator.account.type_id: + description: The normalized account type identifier. + name: ocsf.actor.process.file.creator.account.type_id + type: keyword +ocsf.actor.process.file.creator.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.actor.process.file.creator.account.uid + type: keyword +ocsf.actor.process.file.creator.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.file.creator.credential_uid + type: keyword +ocsf.actor.process.file.creator.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." 
+ name: ocsf.actor.process.file.creator.domain + type: keyword +ocsf.actor.process.file.creator.email_addr: + description: The user's email address. + name: ocsf.actor.process.file.creator.email_addr + type: keyword +ocsf.actor.process.file.creator.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.actor.process.file.creator.full_name + type: keyword +ocsf.actor.process.file.creator.groups.desc: + description: The group description. + name: ocsf.actor.process.file.creator.groups.desc + type: keyword +ocsf.actor.process.file.creator.groups.name: + description: The group name. + name: ocsf.actor.process.file.creator.groups.name + type: keyword +ocsf.actor.process.file.creator.groups.privileges: + description: The group privileges. + name: ocsf.actor.process.file.creator.groups.privileges + type: keyword +ocsf.actor.process.file.creator.groups.type: + description: The type of the group or account. + name: ocsf.actor.process.file.creator.groups.type + type: keyword +ocsf.actor.process.file.creator.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.process.file.creator.groups.uid + type: keyword +ocsf.actor.process.file.creator.name: + description: The name of the city. + name: ocsf.actor.process.file.creator.name + type: keyword +ocsf.actor.process.file.creator.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.actor.process.file.creator.org.name + type: keyword +ocsf.actor.process.file.creator.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.actor.process.file.creator.org.ou_name + type: keyword +ocsf.actor.process.file.creator.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. 
For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.process.file.creator.org.ou_uid + type: keyword +ocsf.actor.process.file.creator.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.actor.process.file.creator.org.uid + type: keyword +ocsf.actor.process.file.creator.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.actor.process.file.creator.type + type: keyword +ocsf.actor.process.file.creator.type_id: + description: The account type identifier. + name: ocsf.actor.process.file.creator.type_id + type: keyword +ocsf.actor.process.file.creator.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.actor.process.file.creator.uid + type: keyword +ocsf.actor.process.file.creator.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.actor.process.file.creator.uid_alt + type: keyword +ocsf.actor.process.file.desc: + description: + "The description of the file, as returned by file system. For example: + the description as returned by the Unix file command or the Windows file type." + name: ocsf.actor.process.file.desc + type: keyword +ocsf.actor.process.file.hashes.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.actor.process.file.hashes.algorithm + type: keyword +ocsf.actor.process.file.hashes.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.actor.process.file.hashes.algorithm_id + type: keyword +ocsf.actor.process.file.hashes.value: + description: The digital fingerprint value. 
+ name: ocsf.actor.process.file.hashes.value + type: keyword +ocsf.actor.process.file.is_system: + description: The indication of whether the object is part of the operating system. + name: ocsf.actor.process.file.is_system + type: boolean +ocsf.actor.process.file.mime_type: + description: + The Multipurpose Internet Mail Extensions (MIME) type of the file, + if applicable. + name: ocsf.actor.process.file.mime_type + type: keyword +ocsf.actor.process.file.modified_time: + description: The time when the file was last modified. + name: ocsf.actor.process.file.modified_time + type: date +ocsf.actor.process.file.modified_time_dt: + description: The time when the file was last modified. + name: ocsf.actor.process.file.modified_time_dt + type: date +ocsf.actor.process.file.modifier.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.actor.process.file.modifier.account.name + type: keyword +ocsf.actor.process.file.modifier.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.file.modifier.account.type + type: keyword +ocsf.actor.process.file.modifier.account.type_id: + description: The normalized account type identifier. + name: ocsf.actor.process.file.modifier.account.type_id + type: keyword +ocsf.actor.process.file.modifier.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.actor.process.file.modifier.account.uid + type: keyword +ocsf.actor.process.file.modifier.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.file.modifier.credential_uid + type: keyword +ocsf.actor.process.file.modifier.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." 
+ name: ocsf.actor.process.file.modifier.domain + type: keyword +ocsf.actor.process.file.modifier.email_addr: + description: "The image name. For example: elixir." + name: ocsf.actor.process.file.modifier.email_addr + type: keyword +ocsf.actor.process.file.modifier.full_name: + description: The user's email address. + name: ocsf.actor.process.file.modifier.full_name + type: keyword +ocsf.actor.process.file.modifier.groups.desc: + description: The group description. + name: ocsf.actor.process.file.modifier.groups.desc + type: keyword +ocsf.actor.process.file.modifier.groups.name: + description: The group name. + name: ocsf.actor.process.file.modifier.groups.name + type: keyword +ocsf.actor.process.file.modifier.groups.privileges: + description: The group privileges. + name: ocsf.actor.process.file.modifier.groups.privileges + type: keyword +ocsf.actor.process.file.modifier.groups.type: + description: The type of the group or account. + name: ocsf.actor.process.file.modifier.groups.type + type: keyword +ocsf.actor.process.file.modifier.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.process.file.modifier.groups.uid + type: keyword +ocsf.actor.process.file.modifier.name: + description: The username. For example, janedoe1. + name: ocsf.actor.process.file.modifier.name + type: keyword +ocsf.actor.process.file.modifier.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.actor.process.file.modifier.org.name + type: keyword +ocsf.actor.process.file.modifier.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.actor.process.file.modifier.org.ou_name + type: keyword +ocsf.actor.process.file.modifier.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. 
For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.process.file.modifier.org.ou_uid + type: keyword +ocsf.actor.process.file.modifier.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.actor.process.file.modifier.org.uid + type: keyword +ocsf.actor.process.file.modifier.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.actor.process.file.modifier.type + type: keyword +ocsf.actor.process.file.modifier.type_id: + description: The account type identifier. + name: ocsf.actor.process.file.modifier.type_id + type: keyword +ocsf.actor.process.file.modifier.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.actor.process.file.modifier.uid + type: keyword +ocsf.actor.process.file.modifier.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.actor.process.file.modifier.uid_alt + type: keyword +ocsf.actor.process.file.name: + description: "The name of the file. For example: svchost.exe." + name: ocsf.actor.process.file.name + type: keyword +ocsf.actor.process.file.owner.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.actor.process.file.owner.account.name + type: keyword +ocsf.actor.process.file.owner.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.file.owner.account.type + type: keyword +ocsf.actor.process.file.owner.account.type_id: + description: The normalized account type identifier. + name: ocsf.actor.process.file.owner.account.type_id + type: keyword +ocsf.actor.process.file.owner.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). 
+ name: ocsf.actor.process.file.owner.account.uid + type: keyword +ocsf.actor.process.file.owner.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.file.owner.credential_uid + type: keyword +ocsf.actor.process.file.owner.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.actor.process.file.owner.domain + type: keyword +ocsf.actor.process.file.owner.email_addr: + description: The user's email address. + name: ocsf.actor.process.file.owner.email_addr + type: keyword +ocsf.actor.process.file.owner.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.actor.process.file.owner.full_name + type: keyword +ocsf.actor.process.file.owner.groups.desc: + description: The group description. + name: ocsf.actor.process.file.owner.groups.desc + type: keyword +ocsf.actor.process.file.owner.groups.name: + description: The group name. + name: ocsf.actor.process.file.owner.groups.name + type: keyword +ocsf.actor.process.file.owner.groups.privileges: + description: The group privileges. + name: ocsf.actor.process.file.owner.groups.privileges + type: keyword +ocsf.actor.process.file.owner.groups.type: + description: The type of the group or account. + name: ocsf.actor.process.file.owner.groups.type + type: keyword +ocsf.actor.process.file.owner.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.process.file.owner.groups.uid + type: keyword +ocsf.actor.process.file.owner.name: + description: The username. For example, janedoe1. + name: ocsf.actor.process.file.owner.name + type: keyword +ocsf.actor.process.file.owner.org.name: + description: The name of the organization. For example, Widget, Inc. 
+ name: ocsf.actor.process.file.owner.org.name + type: keyword +ocsf.actor.process.file.owner.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.actor.process.file.owner.org.ou_name + type: keyword +ocsf.actor.process.file.owner.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.process.file.owner.org.ou_uid + type: keyword +ocsf.actor.process.file.owner.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.actor.process.file.owner.org.uid + type: keyword +ocsf.actor.process.file.owner.type: + description: + The event occurred on a personal device.The type of the user. For example, + System, AWS IAM User, etc. + name: ocsf.actor.process.file.owner.type + type: keyword +ocsf.actor.process.file.owner.type_id: + description: The account type identifier. + name: ocsf.actor.process.file.owner.type_id + type: keyword +ocsf.actor.process.file.owner.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.actor.process.file.owner.uid + type: keyword +ocsf.actor.process.file.owner.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.actor.process.file.owner.uid_alt + type: keyword +ocsf.actor.process.file.parent_folder: + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + name: ocsf.actor.process.file.parent_folder + type: keyword +ocsf.actor.process.file.path: + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + name: ocsf.actor.process.file.path + type: keyword +ocsf.actor.process.file.product.feature.name: + description: The name of the feature. 
+ name: ocsf.actor.process.file.product.feature.name + type: keyword +ocsf.actor.process.file.product.feature.uid: + description: The unique identifier of the feature. + name: ocsf.actor.process.file.product.feature.uid + type: keyword +ocsf.actor.process.file.product.feature.version: + description: The version of the feature. + name: ocsf.actor.process.file.product.feature.version + type: keyword +ocsf.actor.process.file.product.lang: + description: + "The two letter lower case language codes, as defined by ISO 639-1. + For example: en (English), de (German), or fr (French)." + name: ocsf.actor.process.file.product.lang + type: keyword +ocsf.actor.process.file.product.name: + description: The name of the feature. + name: ocsf.actor.process.file.product.name + type: keyword +ocsf.actor.process.file.product.path: + description: The installation path of the product. + name: ocsf.actor.process.file.product.path + type: keyword +ocsf.actor.process.file.product.uid: + description: The unique identifier of the feature. + name: ocsf.actor.process.file.product.uid + type: keyword +ocsf.actor.process.file.product.url_string: + description: The URL pointing towards the product. + name: ocsf.actor.process.file.product.url_string + type: keyword +ocsf.actor.process.file.product.vendor_name: + description: The name of the vendor of the product. + name: ocsf.actor.process.file.product.vendor_name + type: keyword +ocsf.actor.process.file.product.version: + description: + "The version of the product, as defined by the event source. For example: + 2013.1.3-beta." + name: ocsf.actor.process.file.product.version + type: keyword +ocsf.actor.process.file.security_descriptor: + description: The object security descriptor. + name: ocsf.actor.process.file.security_descriptor + type: keyword +ocsf.actor.process.file.signature.algorithm: + description: + The digital signature algorithm used to create the signature, normalized + to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the + event source. + name: ocsf.actor.process.file.signature.algorithm + type: keyword +ocsf.actor.process.file.signature.algorithm_id: + description: The identifier of the normalized digital signature algorithm. + name: ocsf.actor.process.file.signature.algorithm_id + type: keyword +ocsf.actor.process.file.signature.certificate.created_time: + description: The time when the certificate was created. + name: ocsf.actor.process.file.signature.certificate.created_time + type: date +ocsf.actor.process.file.signature.certificate.created_time_dt: + description: The time when the certificate was created. + name: ocsf.actor.process.file.signature.certificate.created_time_dt + type: date +ocsf.actor.process.file.signature.certificate.expiration_time: + description: The expiration time of the certificate. + name: ocsf.actor.process.file.signature.certificate.expiration_time + type: date +ocsf.actor.process.file.signature.certificate.expiration_time_dt: + description: The expiration time of the certificate. + name: ocsf.actor.process.file.signature.certificate.expiration_time_dt + type: date +ocsf.actor.process.file.signature.certificate.fingerprints.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.actor.process.file.signature.certificate.fingerprints.algorithm + type: keyword +ocsf.actor.process.file.signature.certificate.fingerprints.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.actor.process.file.signature.certificate.fingerprints.algorithm_id + type: keyword +ocsf.actor.process.file.signature.certificate.fingerprints.value: + description: The digital fingerprint value. 
+ name: ocsf.actor.process.file.signature.certificate.fingerprints.value + type: keyword +ocsf.actor.process.file.signature.certificate.issuer: + description: The certificate issuer distinguished name. + name: ocsf.actor.process.file.signature.certificate.issuer + type: keyword +ocsf.actor.process.file.signature.certificate.serial_number: + description: The serial number of the certificate used to create the digital signature. + name: ocsf.actor.process.file.signature.certificate.serial_number + type: keyword +ocsf.actor.process.file.signature.certificate.subject: + description: The certificate subject distinguished name. + name: ocsf.actor.process.file.signature.certificate.subject + type: keyword +ocsf.actor.process.file.signature.certificate.version: + description: The certificate version. + name: ocsf.actor.process.file.signature.certificate.version + type: keyword +ocsf.actor.process.file.signature.created_time: + description: The time when the digital signature was created. + name: ocsf.actor.process.file.signature.created_time + type: date +ocsf.actor.process.file.signature.created_time_dt: + description: The time when the digital signature was created. + name: ocsf.actor.process.file.signature.created_time_dt + type: date +ocsf.actor.process.file.signature.developer_uid: + description: The developer ID on the certificate that signed the file. + name: ocsf.actor.process.file.signature.developer_uid + type: keyword +ocsf.actor.process.file.signature.digest.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.actor.process.file.signature.digest.algorithm + type: keyword +ocsf.actor.process.file.signature.digest.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. 
+ name: ocsf.actor.process.file.signature.digest.algorithm_id + type: keyword +ocsf.actor.process.file.signature.digest.value: + description: The digital fingerprint value. + name: ocsf.actor.process.file.signature.digest.value + type: keyword +ocsf.actor.process.file.size: + description: The size of data, in bytes. + name: ocsf.actor.process.file.size + type: long +ocsf.actor.process.file.type: + description: The file type. + name: ocsf.actor.process.file.type + type: keyword +ocsf.actor.process.file.type_id: + description: The file type ID. + name: ocsf.actor.process.file.type_id + type: keyword +ocsf.actor.process.file.uid: + description: + The unique identifier of the file as defined by the storage system, + such the file system file ID. + name: ocsf.actor.process.file.uid + type: keyword +ocsf.actor.process.file.version: + description: "The file version. For example: 8.0.7601.17514." + name: ocsf.actor.process.file.version + type: keyword +ocsf.actor.process.file.xattributes: + description: + An unordered collection of zero or more name/value pairs where each + pair represents a file or folder extended attribute. + name: ocsf.actor.process.file.xattributes + type: flattened +ocsf.actor.process.group.desc: + description: The group description. + name: ocsf.actor.process.group.desc + type: keyword +ocsf.actor.process.group.name: + description: The group name. + name: ocsf.actor.process.group.name + type: keyword +ocsf.actor.process.group.privileges: + description: The group privileges. + name: ocsf.actor.process.group.privileges + type: keyword +ocsf.actor.process.group.type: + description: The type of the group or account. + name: ocsf.actor.process.group.type + type: keyword +ocsf.actor.process.group.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. 
+ name: ocsf.actor.process.group.uid + type: keyword +ocsf.actor.process.integrity: + description: + The process integrity level, normalized to the caption of the direction_id + value. In the case of 'Other', it is defined by the event source (Windows only). + name: ocsf.actor.process.integrity + type: keyword +ocsf.actor.process.integrity_id: + description: The normalized identifier of the process integrity level (Windows only). + name: ocsf.actor.process.integrity_id + type: keyword +ocsf.actor.process.lineage: + description: + "The lineage of the process, represented by a list of paths for each + ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']." + name: ocsf.actor.process.lineage + type: keyword +ocsf.actor.process.loaded_modules: + description: The list of loaded module names. + name: ocsf.actor.process.loaded_modules + type: keyword +ocsf.actor.process.name: + description: "The friendly name of the process, for example: Notepad++." + name: ocsf.actor.process.name + type: keyword +ocsf.actor.process.namespace_pid: + description: + If running under a process namespace (such as in a container), the + process identifier within that process namespace. + name: ocsf.actor.process.namespace_pid + type: long +ocsf.actor.process.parent_process.auid: + description: The audit user assigned at login by the audit subsystem. + name: ocsf.actor.process.parent_process.auid + type: keyword +ocsf.actor.process.parent_process.cmd_line: + description: + The full command line used to launch an application, service, process, + or job. + name: ocsf.actor.process.parent_process.cmd_line + type: keyword +ocsf.actor.process.parent_process.container.hash.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. 
+ name: ocsf.actor.process.parent_process.container.hash.algorithm + type: keyword +ocsf.actor.process.parent_process.container.hash.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.actor.process.parent_process.container.hash.algorithm_id + type: keyword +ocsf.actor.process.parent_process.container.hash.value: + description: The digital fingerprint value. + name: ocsf.actor.process.parent_process.container.hash.value + type: keyword +ocsf.actor.process.parent_process.container.image.labels: + description: The image labels. + name: ocsf.actor.process.parent_process.container.image.labels + type: keyword +ocsf.actor.process.parent_process.container.image.name: + description: The image name. + name: ocsf.actor.process.parent_process.container.image.name + type: keyword +ocsf.actor.process.parent_process.container.image.path: + description: The full path to the image file. + name: ocsf.actor.process.parent_process.container.image.path + type: keyword +ocsf.actor.process.parent_process.container.image.tag: + description: The tag used by the container. It can indicate version, format, OS. + name: ocsf.actor.process.parent_process.container.image.tag + type: keyword +ocsf.actor.process.parent_process.container.image.uid: + description: The unique image ID. + name: ocsf.actor.process.parent_process.container.image.uid + type: keyword +ocsf.actor.process.parent_process.container.name: + description: The container name. + name: ocsf.actor.process.parent_process.container.name + type: keyword +ocsf.actor.process.parent_process.container.network_driver: + description: + The network driver used by the container. For example, bridge, overlay, + host, none, etc. 
+ name: ocsf.actor.process.parent_process.container.network_driver + type: keyword +ocsf.actor.process.parent_process.container.orchestrator: + description: + The orchestrator managing the container, such as ECS, EKS, K8s, or + OpenShift. + name: ocsf.actor.process.parent_process.container.orchestrator + type: keyword +ocsf.actor.process.parent_process.container.pod_uuid: + description: + The unique identifier of the pod (or equivalent) that the container + is executing on. + name: ocsf.actor.process.parent_process.container.pod_uuid + type: keyword +ocsf.actor.process.parent_process.container.runtime: + description: The backend running the container, such as containerd or cri-o. + name: ocsf.actor.process.parent_process.container.runtime + type: keyword +ocsf.actor.process.parent_process.container.size: + description: The size of the container image. + name: ocsf.actor.process.parent_process.container.size + type: long +ocsf.actor.process.parent_process.container.tag: + description: The tag used by the container. It can indicate version, format, OS. + name: ocsf.actor.process.parent_process.container.tag + type: keyword +ocsf.actor.process.parent_process.container.uid: + description: + The full container unique identifier for this instantiation of the + container. + name: ocsf.actor.process.parent_process.container.uid + type: keyword +ocsf.actor.process.parent_process.created_time: + description: The time when the process was created/started. + name: ocsf.actor.process.parent_process.created_time + type: date +ocsf.actor.process.parent_process.created_time_dt: + description: The time when the process was created/started. + name: ocsf.actor.process.parent_process.created_time_dt + type: date +ocsf.actor.process.parent_process.egid: + description: The effective group under which this process is running. 
+ name: ocsf.actor.process.parent_process.egid + type: keyword +ocsf.actor.process.parent_process.euid: + description: The effective user under which this process is running. + name: ocsf.actor.process.parent_process.euid + type: keyword +ocsf.actor.process.parent_process.file.accessed_time: + description: The time when the file was last accessed. + name: ocsf.actor.process.parent_process.file.accessed_time + type: date +ocsf.actor.process.parent_process.file.accessed_time_dt: + description: The time when the file was last accessed. + name: ocsf.actor.process.parent_process.file.accessed_time_dt + type: date +ocsf.actor.process.parent_process.file.accessor.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.actor.process.parent_process.file.accessor.account.name + type: keyword +ocsf.actor.process.parent_process.file.accessor.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.parent_process.file.accessor.account.type + type: keyword +ocsf.actor.process.parent_process.file.accessor.account.type_id: + description: The normalized account type identifier. + name: ocsf.actor.process.parent_process.file.accessor.account.type_id + type: keyword +ocsf.actor.process.parent_process.file.accessor.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.actor.process.parent_process.file.accessor.account.uid + type: keyword +ocsf.actor.process.parent_process.file.accessor.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.parent_process.file.accessor.credential_uid + type: keyword +ocsf.actor.process.parent_process.file.accessor.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." 
+ name: ocsf.actor.process.parent_process.file.accessor.domain + type: keyword +ocsf.actor.process.parent_process.file.accessor.email_addr: + description: The user's email address. + name: ocsf.actor.process.parent_process.file.accessor.email_addr + type: keyword +ocsf.actor.process.parent_process.file.accessor.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.actor.process.parent_process.file.accessor.full_name + type: keyword +ocsf.actor.process.parent_process.file.accessor.groups.desc: + description: The group description. + name: ocsf.actor.process.parent_process.file.accessor.groups.desc + type: keyword +ocsf.actor.process.parent_process.file.accessor.groups.name: + description: The group name. + name: ocsf.actor.process.parent_process.file.accessor.groups.name + type: keyword +ocsf.actor.process.parent_process.file.accessor.groups.privileges: + description: The group privileges. + name: ocsf.actor.process.parent_process.file.accessor.groups.privileges + type: keyword +ocsf.actor.process.parent_process.file.accessor.groups.type: + description: The type of the group or account. + name: ocsf.actor.process.parent_process.file.accessor.groups.type + type: keyword +ocsf.actor.process.parent_process.file.accessor.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.process.parent_process.file.accessor.groups.uid + type: keyword +ocsf.actor.process.parent_process.file.accessor.name: + description: The username. For example, janedoe1. + name: ocsf.actor.process.parent_process.file.accessor.name + type: keyword +ocsf.actor.process.parent_process.file.accessor.org.name: + description: The name of the organization. For example, Widget, Inc. 
+ name: ocsf.actor.process.parent_process.file.accessor.org.name + type: keyword +ocsf.actor.process.parent_process.file.accessor.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.actor.process.parent_process.file.accessor.org.ou_name + type: keyword +ocsf.actor.process.parent_process.file.accessor.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.process.parent_process.file.accessor.org.ou_uid + type: keyword +ocsf.actor.process.parent_process.file.accessor.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.actor.process.parent_process.file.accessor.org.uid + type: keyword +ocsf.actor.process.parent_process.file.accessor.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.actor.process.parent_process.file.accessor.type + type: keyword +ocsf.actor.process.parent_process.file.accessor.type_id: + description: The account type identifier. + name: ocsf.actor.process.parent_process.file.accessor.type_id + type: keyword +ocsf.actor.process.parent_process.file.accessor.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.actor.process.parent_process.file.accessor.uid + type: keyword +ocsf.actor.process.parent_process.file.accessor.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.actor.process.parent_process.file.accessor.uid_alt + type: keyword +ocsf.actor.process.parent_process.file.attributes: + description: The Bitmask value that represents the file attributes. 
+ name: ocsf.actor.process.parent_process.file.attributes + type: long +ocsf.actor.process.parent_process.file.company_name: + description: + "The name of the company that published the file. For example: Microsoft + Corporation." + name: ocsf.actor.process.parent_process.file.company_name + type: keyword +ocsf.actor.process.parent_process.file.confidentiality: + description: + The file content confidentiality, normalized to the confidentiality_id + value. In the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.parent_process.file.confidentiality + type: keyword +ocsf.actor.process.parent_process.file.confidentiality_id: + description: The normalized identifier of the file content confidentiality indicator. + name: ocsf.actor.process.parent_process.file.confidentiality_id + type: keyword +ocsf.actor.process.parent_process.file.created_time: + description: The time when the file was created. + name: ocsf.actor.process.parent_process.file.created_time + type: date +ocsf.actor.process.parent_process.file.created_time_dt: + description: The time when the file was created. + name: ocsf.actor.process.parent_process.file.created_time_dt + type: date +ocsf.actor.process.parent_process.file.creator.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.actor.process.parent_process.file.creator.account.name + type: keyword +ocsf.actor.process.parent_process.file.creator.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.parent_process.file.creator.account.type + type: keyword +ocsf.actor.process.parent_process.file.creator.account.type_id: + description: The normalized account type identifier. 
+ name: ocsf.actor.process.parent_process.file.creator.account.type_id + type: keyword +ocsf.actor.process.parent_process.file.creator.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.actor.process.parent_process.file.creator.account.uid + type: keyword +ocsf.actor.process.parent_process.file.creator.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.parent_process.file.creator.credential_uid + type: keyword +ocsf.actor.process.parent_process.file.creator.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.actor.process.parent_process.file.creator.domain + type: keyword +ocsf.actor.process.parent_process.file.creator.email_addr: + description: The user's email address. + name: ocsf.actor.process.parent_process.file.creator.email_addr + type: keyword +ocsf.actor.process.parent_process.file.creator.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.actor.process.parent_process.file.creator.full_name + type: keyword +ocsf.actor.process.parent_process.file.creator.groups.desc: + description: The group description. + name: ocsf.actor.process.parent_process.file.creator.groups.desc + type: keyword +ocsf.actor.process.parent_process.file.creator.groups.name: + description: The group name. + name: ocsf.actor.process.parent_process.file.creator.groups.name + type: keyword +ocsf.actor.process.parent_process.file.creator.groups.privileges: + description: The group privileges. + name: ocsf.actor.process.parent_process.file.creator.groups.privileges + type: keyword +ocsf.actor.process.parent_process.file.creator.groups.type: + description: The type of the group or account. 
+ name: ocsf.actor.process.parent_process.file.creator.groups.type + type: keyword +ocsf.actor.process.parent_process.file.creator.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.process.parent_process.file.creator.groups.uid + type: keyword +ocsf.actor.process.parent_process.file.creator.name: + description: The name of the city. + name: ocsf.actor.process.parent_process.file.creator.name + type: keyword +ocsf.actor.process.parent_process.file.creator.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.actor.process.parent_process.file.creator.org.name + type: keyword +ocsf.actor.process.parent_process.file.creator.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.actor.process.parent_process.file.creator.org.ou_name + type: keyword +ocsf.actor.process.parent_process.file.creator.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.process.parent_process.file.creator.org.ou_uid + type: keyword +ocsf.actor.process.parent_process.file.creator.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.actor.process.parent_process.file.creator.org.uid + type: keyword +ocsf.actor.process.parent_process.file.creator.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.actor.process.parent_process.file.creator.type + type: keyword +ocsf.actor.process.parent_process.file.creator.type_id: + description: The account type identifier. 
+ name: ocsf.actor.process.parent_process.file.creator.type_id + type: keyword +ocsf.actor.process.parent_process.file.creator.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.actor.process.parent_process.file.creator.uid + type: keyword +ocsf.actor.process.parent_process.file.creator.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.actor.process.parent_process.file.creator.uid_alt + type: keyword +ocsf.actor.process.parent_process.file.desc: + description: + "The description of the file, as returned by file system. For example: + the description as returned by the Unix file command or the Windows file type." + name: ocsf.actor.process.parent_process.file.desc + type: keyword +ocsf.actor.process.parent_process.file.hashes.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.actor.process.parent_process.file.hashes.algorithm + type: keyword +ocsf.actor.process.parent_process.file.hashes.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.actor.process.parent_process.file.hashes.algorithm_id + type: keyword +ocsf.actor.process.parent_process.file.hashes.value: + description: The digital fingerprint value. + name: ocsf.actor.process.parent_process.file.hashes.value + type: keyword +ocsf.actor.process.parent_process.file.is_system: + description: The indication of whether the object is part of the operating system. + name: ocsf.actor.process.parent_process.file.is_system + type: boolean +ocsf.actor.process.parent_process.file.mime_type: + description: + The Multipurpose Internet Mail Extensions (MIME) type of the file, + if applicable. 
+ name: ocsf.actor.process.parent_process.file.mime_type + type: keyword +ocsf.actor.process.parent_process.file.modified_time: + description: The time when the file was last modified. + name: ocsf.actor.process.parent_process.file.modified_time + type: date +ocsf.actor.process.parent_process.file.modified_time_dt: + description: The time when the file was last modified. + name: ocsf.actor.process.parent_process.file.modified_time_dt + type: date +ocsf.actor.process.parent_process.file.modifier.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.actor.process.parent_process.file.modifier.account.name + type: keyword +ocsf.actor.process.parent_process.file.modifier.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.parent_process.file.modifier.account.type + type: keyword +ocsf.actor.process.parent_process.file.modifier.account.type_id: + description: The normalized account type identifier. + name: ocsf.actor.process.parent_process.file.modifier.account.type_id + type: keyword +ocsf.actor.process.parent_process.file.modifier.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.actor.process.parent_process.file.modifier.account.uid + type: keyword +ocsf.actor.process.parent_process.file.modifier.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.parent_process.file.modifier.credential_uid + type: keyword +ocsf.actor.process.parent_process.file.modifier.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.actor.process.parent_process.file.modifier.domain + type: keyword +ocsf.actor.process.parent_process.file.modifier.email_addr: + description: "The image name. For example: elixir." 
+ name: ocsf.actor.process.parent_process.file.modifier.email_addr + type: keyword +ocsf.actor.process.parent_process.file.modifier.full_name: + description: The user's email address. + name: ocsf.actor.process.parent_process.file.modifier.full_name + type: keyword +ocsf.actor.process.parent_process.file.modifier.groups.desc: + description: The group description. + name: ocsf.actor.process.parent_process.file.modifier.groups.desc + type: keyword +ocsf.actor.process.parent_process.file.modifier.groups.name: + description: The group name. + name: ocsf.actor.process.parent_process.file.modifier.groups.name + type: keyword +ocsf.actor.process.parent_process.file.modifier.groups.privileges: + description: The group privileges. + name: ocsf.actor.process.parent_process.file.modifier.groups.privileges + type: keyword +ocsf.actor.process.parent_process.file.modifier.groups.type: + description: The type of the group or account. + name: ocsf.actor.process.parent_process.file.modifier.groups.type + type: keyword +ocsf.actor.process.parent_process.file.modifier.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.process.parent_process.file.modifier.groups.uid + type: keyword +ocsf.actor.process.parent_process.file.modifier.name: + description: The username. For example, janedoe1. + name: ocsf.actor.process.parent_process.file.modifier.name + type: keyword +ocsf.actor.process.parent_process.file.modifier.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.actor.process.parent_process.file.modifier.org.name + type: keyword +ocsf.actor.process.parent_process.file.modifier.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. 
+ name: ocsf.actor.process.parent_process.file.modifier.org.ou_name + type: keyword +ocsf.actor.process.parent_process.file.modifier.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.process.parent_process.file.modifier.org.ou_uid + type: keyword +ocsf.actor.process.parent_process.file.modifier.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.actor.process.parent_process.file.modifier.org.uid + type: keyword +ocsf.actor.process.parent_process.file.modifier.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.actor.process.parent_process.file.modifier.type + type: keyword +ocsf.actor.process.parent_process.file.modifier.type_id: + description: The account type identifier. + name: ocsf.actor.process.parent_process.file.modifier.type_id + type: keyword +ocsf.actor.process.parent_process.file.modifier.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.actor.process.parent_process.file.modifier.uid + type: keyword +ocsf.actor.process.parent_process.file.modifier.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.actor.process.parent_process.file.modifier.uid_alt + type: keyword +ocsf.actor.process.parent_process.file.name: + description: "The name of the file. For example: svchost.exe." + name: ocsf.actor.process.parent_process.file.name + type: keyword +ocsf.actor.process.parent_process.file.owner.account.name: + description: The name of the account (e.g. GCP Account Name). 
+ name: ocsf.actor.process.parent_process.file.owner.account.name + type: keyword +ocsf.actor.process.parent_process.file.owner.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.parent_process.file.owner.account.type + type: keyword +ocsf.actor.process.parent_process.file.owner.account.type_id: + description: The normalized account type identifier. + name: ocsf.actor.process.parent_process.file.owner.account.type_id + type: keyword +ocsf.actor.process.parent_process.file.owner.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.actor.process.parent_process.file.owner.account.uid + type: keyword +ocsf.actor.process.parent_process.file.owner.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.parent_process.file.owner.credential_uid + type: keyword +ocsf.actor.process.parent_process.file.owner.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.actor.process.parent_process.file.owner.domain + type: keyword +ocsf.actor.process.parent_process.file.owner.email_addr: + description: The user's email address. + name: ocsf.actor.process.parent_process.file.owner.email_addr + type: keyword +ocsf.actor.process.parent_process.file.owner.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.actor.process.parent_process.file.owner.full_name + type: keyword +ocsf.actor.process.parent_process.file.owner.groups.desc: + description: The group description. + name: ocsf.actor.process.parent_process.file.owner.groups.desc + type: keyword +ocsf.actor.process.parent_process.file.owner.groups.name: + description: The group name. 
+ name: ocsf.actor.process.parent_process.file.owner.groups.name + type: keyword +ocsf.actor.process.parent_process.file.owner.groups.privileges: + description: The group privileges. + name: ocsf.actor.process.parent_process.file.owner.groups.privileges + type: keyword +ocsf.actor.process.parent_process.file.owner.groups.type: + description: The type of the group or account. + name: ocsf.actor.process.parent_process.file.owner.groups.type + type: keyword +ocsf.actor.process.parent_process.file.owner.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.process.parent_process.file.owner.groups.uid + type: keyword +ocsf.actor.process.parent_process.file.owner.name: + description: The username. For example, janedoe1. + name: ocsf.actor.process.parent_process.file.owner.name + type: keyword +ocsf.actor.process.parent_process.file.owner.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.actor.process.parent_process.file.owner.org.name + type: keyword +ocsf.actor.process.parent_process.file.owner.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.actor.process.parent_process.file.owner.org.ou_name + type: keyword +ocsf.actor.process.parent_process.file.owner.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.process.parent_process.file.owner.org.ou_uid + type: keyword +ocsf.actor.process.parent_process.file.owner.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. 
+ name: ocsf.actor.process.parent_process.file.owner.org.uid + type: keyword +ocsf.actor.process.parent_process.file.owner.type: + description: + The event occurred on a personal device.The type of the user. For example, + System, AWS IAM User, etc. + name: ocsf.actor.process.parent_process.file.owner.type + type: keyword +ocsf.actor.process.parent_process.file.owner.type_id: + description: The account type identifier. + name: ocsf.actor.process.parent_process.file.owner.type_id + type: keyword +ocsf.actor.process.parent_process.file.owner.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.actor.process.parent_process.file.owner.uid + type: keyword +ocsf.actor.process.parent_process.file.owner.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.actor.process.parent_process.file.owner.uid_alt + type: keyword +ocsf.actor.process.parent_process.file.parent_folder: + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + name: ocsf.actor.process.parent_process.file.parent_folder + type: keyword +ocsf.actor.process.parent_process.file.path: + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + name: ocsf.actor.process.parent_process.file.path + type: keyword +ocsf.actor.process.parent_process.file.product.feature.name: + description: The name of the feature. + name: ocsf.actor.process.parent_process.file.product.feature.name + type: keyword +ocsf.actor.process.parent_process.file.product.feature.uid: + description: The unique identifier of the feature. + name: ocsf.actor.process.parent_process.file.product.feature.uid + type: keyword +ocsf.actor.process.parent_process.file.product.feature.version: + description: The version of the feature. 
+ name: ocsf.actor.process.parent_process.file.product.feature.version + type: keyword +ocsf.actor.process.parent_process.file.product.lang: + description: + "The two letter lower case language codes, as defined by ISO 639-1. + For example: en (English), de (German), or fr (French)." + name: ocsf.actor.process.parent_process.file.product.lang + type: keyword +ocsf.actor.process.parent_process.file.product.name: + description: The name of the feature. + name: ocsf.actor.process.parent_process.file.product.name + type: keyword +ocsf.actor.process.parent_process.file.product.path: + description: The installation path of the product. + name: ocsf.actor.process.parent_process.file.product.path + type: keyword +ocsf.actor.process.parent_process.file.product.uid: + description: The unique identifier of the feature. + name: ocsf.actor.process.parent_process.file.product.uid + type: keyword +ocsf.actor.process.parent_process.file.product.url_string: + description: The URL pointing towards the product. + name: ocsf.actor.process.parent_process.file.product.url_string + type: keyword +ocsf.actor.process.parent_process.file.product.vendor_name: + description: The name of the vendor of the product. + name: ocsf.actor.process.parent_process.file.product.vendor_name + type: keyword +ocsf.actor.process.parent_process.file.product.version: + description: + "The version of the product, as defined by the event source. For example: + 2013.1.3-beta." + name: ocsf.actor.process.parent_process.file.product.version + type: keyword +ocsf.actor.process.parent_process.file.security_descriptor: + description: The object security descriptor. + name: ocsf.actor.process.parent_process.file.security_descriptor + type: keyword +ocsf.actor.process.parent_process.file.signature.algorithm: + description: + The digital signature algorithm used to create the signature, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. 
+ name: ocsf.actor.process.parent_process.file.signature.algorithm + type: keyword +ocsf.actor.process.parent_process.file.signature.algorithm_id: + description: The identifier of the normalized digital signature algorithm. + name: ocsf.actor.process.parent_process.file.signature.algorithm_id + type: keyword +ocsf.actor.process.parent_process.file.signature.certificate.created_time: + description: The time when the certificate was created. + name: ocsf.actor.process.parent_process.file.signature.certificate.created_time + type: date +ocsf.actor.process.parent_process.file.signature.certificate.created_time_dt: + description: The time when the certificate was created. + name: ocsf.actor.process.parent_process.file.signature.certificate.created_time_dt + type: date +ocsf.actor.process.parent_process.file.signature.certificate.expiration_time: + description: The expiration time of the certificate. + name: ocsf.actor.process.parent_process.file.signature.certificate.expiration_time + type: date +ocsf.actor.process.parent_process.file.signature.certificate.expiration_time_dt: + description: The expiration time of the certificate. + name: ocsf.actor.process.parent_process.file.signature.certificate.expiration_time_dt + type: date +ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm + type: keyword +ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. 
+ name: ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm_id + type: keyword +ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.value: + description: The digital fingerprint value. + name: ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.value + type: keyword +ocsf.actor.process.parent_process.file.signature.certificate.issuer: + description: The certificate issuer distinguished name. + name: ocsf.actor.process.parent_process.file.signature.certificate.issuer + type: keyword +ocsf.actor.process.parent_process.file.signature.certificate.serial_number: + description: The serial number of the certificate used to create the digital signature. + name: ocsf.actor.process.parent_process.file.signature.certificate.serial_number + type: keyword +ocsf.actor.process.parent_process.file.signature.certificate.subject: + description: The certificate subject distinguished name. + name: ocsf.actor.process.parent_process.file.signature.certificate.subject + type: keyword +ocsf.actor.process.parent_process.file.signature.certificate.version: + description: The certificate version. + name: ocsf.actor.process.parent_process.file.signature.certificate.version + type: keyword +ocsf.actor.process.parent_process.file.signature.created_time: + description: The time when the digital signature was created. + name: ocsf.actor.process.parent_process.file.signature.created_time + type: date +ocsf.actor.process.parent_process.file.signature.created_time_dt: + description: The time when the digital signature was created. + name: ocsf.actor.process.parent_process.file.signature.created_time_dt + type: date +ocsf.actor.process.parent_process.file.signature.developer_uid: + description: The developer ID on the certificate that signed the file. 
+ name: ocsf.actor.process.parent_process.file.signature.developer_uid + type: keyword +ocsf.actor.process.parent_process.file.signature.digest.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.actor.process.parent_process.file.signature.digest.algorithm + type: keyword +ocsf.actor.process.parent_process.file.signature.digest.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.actor.process.parent_process.file.signature.digest.algorithm_id + type: keyword +ocsf.actor.process.parent_process.file.signature.digest.value: + description: The digital fingerprint value. + name: ocsf.actor.process.parent_process.file.signature.digest.value + type: keyword +ocsf.actor.process.parent_process.file.size: + description: The size of data, in bytes. + name: ocsf.actor.process.parent_process.file.size + type: long +ocsf.actor.process.parent_process.file.type: + description: The file type. + name: ocsf.actor.process.parent_process.file.type + type: keyword +ocsf.actor.process.parent_process.file.type_id: + description: The file type ID. + name: ocsf.actor.process.parent_process.file.type_id + type: keyword +ocsf.actor.process.parent_process.file.uid: + description: + The unique identifier of the file as defined by the storage system, + such the file system file ID. + name: ocsf.actor.process.parent_process.file.uid + type: keyword +ocsf.actor.process.parent_process.file.version: + description: "The file version. For example: 8.0.7601.17514." + name: ocsf.actor.process.parent_process.file.version + type: keyword +ocsf.actor.process.parent_process.file.xattributes: + description: + An unordered collection of zero or more name/value pairs where each + pair represents a file or folder extended attribute. 
+ name: ocsf.actor.process.parent_process.file.xattributes + type: flattened +ocsf.actor.process.parent_process.group.desc: + description: The group description. + name: ocsf.actor.process.parent_process.group.desc + type: keyword +ocsf.actor.process.parent_process.group.name: + description: The group name. + name: ocsf.actor.process.parent_process.group.name + type: keyword +ocsf.actor.process.parent_process.group.privileges: + description: The group privileges. + name: ocsf.actor.process.parent_process.group.privileges + type: keyword +ocsf.actor.process.parent_process.group.type: + description: The type of the group or account. + name: ocsf.actor.process.parent_process.group.type + type: keyword +ocsf.actor.process.parent_process.group.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.process.parent_process.group.uid + type: keyword +ocsf.actor.process.parent_process.integrity: + description: + The process integrity level, normalized to the caption of the direction_id + value. In the case of 'Other', it is defined by the event source (Windows only). + name: ocsf.actor.process.parent_process.integrity + type: keyword +ocsf.actor.process.parent_process.integrity_id: + description: The normalized identifier of the process integrity level (Windows only). + name: ocsf.actor.process.parent_process.integrity_id + type: keyword +ocsf.actor.process.parent_process.lineage: + description: + "The lineage of the process, represented by a list of paths for each + ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']." + name: ocsf.actor.process.parent_process.lineage + type: keyword +ocsf.actor.process.parent_process.loaded_modules: + description: The list of loaded module names. 
+ name: ocsf.actor.process.parent_process.loaded_modules + type: keyword +ocsf.actor.process.parent_process.name: + description: "The friendly name of the process, for example: Notepad++." + name: ocsf.actor.process.parent_process.name + type: keyword +ocsf.actor.process.parent_process.namespace_pid: + description: + If running under a process namespace (such as in a container), the + process identifier within that process namespace. + name: ocsf.actor.process.parent_process.namespace_pid + type: long +ocsf.actor.process.parent_process.parent_process: + description: + The parent process of this process object. It is recommended to only + populate this field for the first process object, to prevent deep nesting. + name: ocsf.actor.process.parent_process.parent_process + type: flattened +ocsf.actor.process.parent_process.parent_process_keyword: + description: "" + name: ocsf.actor.process.parent_process.parent_process_keyword + type: keyword +ocsf.actor.process.parent_process.pid: + description: + The process identifier, as reported by the operating system. Process + ID (PID) is a number used by the operating system to uniquely identify an active + process. + name: ocsf.actor.process.parent_process.pid + type: long +ocsf.actor.process.parent_process.sandbox: + description: + The name of the containment jail (i.e., sandbox). For example, hardened_ps, + high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + name: ocsf.actor.process.parent_process.sandbox + type: keyword +ocsf.actor.process.parent_process.session.created_time: + description: The time when the session was created. + name: ocsf.actor.process.parent_process.session.created_time + type: date +ocsf.actor.process.parent_process.session.created_time_dt: + description: The time when the session was created. + name: ocsf.actor.process.parent_process.session.created_time_dt + type: date +ocsf.actor.process.parent_process.session.credential_uid: + description: + The unique identifier of the user's credential. 
For example, AWS Access + Key ID. + name: ocsf.actor.process.parent_process.session.credential_uid + type: keyword +ocsf.actor.process.parent_process.session.expiration_time: + description: The session expiration time. + name: ocsf.actor.process.parent_process.session.expiration_time + type: date +ocsf.actor.process.parent_process.session.expiration_time_dt: + description: The session expiration time. + name: ocsf.actor.process.parent_process.session.expiration_time_dt + type: date +ocsf.actor.process.parent_process.session.is_remote: + description: The indication of whether the session is remote. + name: ocsf.actor.process.parent_process.session.is_remote + type: boolean +ocsf.actor.process.parent_process.session.issuer: + description: The identifier of the session issuer. + name: ocsf.actor.process.parent_process.session.issuer + type: keyword +ocsf.actor.process.parent_process.session.mfa: + description: "" + name: ocsf.actor.process.parent_process.session.mfa + type: boolean +ocsf.actor.process.parent_process.session.uid: + description: The unique identifier of the session. + name: ocsf.actor.process.parent_process.session.uid + type: keyword +ocsf.actor.process.parent_process.session.uuid: + description: The universally unique identifier of the session. + name: ocsf.actor.process.parent_process.session.uuid + type: keyword +ocsf.actor.process.parent_process.terminated_time: + description: The time when the process was terminated. + name: ocsf.actor.process.parent_process.terminated_time + type: date +ocsf.actor.process.parent_process.terminated_time_dt: + description: The time when the process was terminated. + name: ocsf.actor.process.parent_process.terminated_time_dt + type: date +ocsf.actor.process.parent_process.tid: + description: + The Identifier of the thread associated with the event, as returned + by the operating system. 
+ name: ocsf.actor.process.parent_process.tid + type: long +ocsf.actor.process.parent_process.uid: + description: + A unique identifier for this process assigned by the producer (tool). + Facilitates correlation of a process event with other events for that process. + name: ocsf.actor.process.parent_process.uid + type: keyword +ocsf.actor.process.parent_process.user.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.actor.process.parent_process.user.account.name + type: keyword +ocsf.actor.process.parent_process.user.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.parent_process.user.account.type + type: keyword +ocsf.actor.process.parent_process.user.account.type_id: + description: The normalized account type identifier. + name: ocsf.actor.process.parent_process.user.account.type_id + type: keyword +ocsf.actor.process.parent_process.user.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.actor.process.parent_process.user.account.uid + type: keyword +ocsf.actor.process.parent_process.user.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.parent_process.user.credential_uid + type: keyword +ocsf.actor.process.parent_process.user.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.actor.process.parent_process.user.domain + type: keyword +ocsf.actor.process.parent_process.user.email_addr: + description: The user's email address. + name: ocsf.actor.process.parent_process.user.email_addr + type: keyword +ocsf.actor.process.parent_process.user.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). 
+ name: ocsf.actor.process.parent_process.user.full_name + type: keyword +ocsf.actor.process.parent_process.user.groups.desc: + description: The group description. + name: ocsf.actor.process.parent_process.user.groups.desc + type: keyword +ocsf.actor.process.parent_process.user.groups.name: + description: The group name. + name: ocsf.actor.process.parent_process.user.groups.name + type: keyword +ocsf.actor.process.parent_process.user.groups.privileges: + description: The group privileges. + name: ocsf.actor.process.parent_process.user.groups.privileges + type: keyword +ocsf.actor.process.parent_process.user.groups.type: + description: The type of the group or account. + name: ocsf.actor.process.parent_process.user.groups.type + type: keyword +ocsf.actor.process.parent_process.user.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.process.parent_process.user.groups.uid + type: keyword +ocsf.actor.process.parent_process.user.name: + description: The username. For example, janedoe1. + name: ocsf.actor.process.parent_process.user.name + type: keyword +ocsf.actor.process.parent_process.user.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.actor.process.parent_process.user.org.name + type: keyword +ocsf.actor.process.parent_process.user.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.actor.process.parent_process.user.org.ou_name + type: keyword +ocsf.actor.process.parent_process.user.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.process.parent_process.user.org.ou_uid + type: keyword +ocsf.actor.process.parent_process.user.org.uid: + description: + The unique identifier of the organization. 
For example, its Active + Directory or AWS Org ID. + name: ocsf.actor.process.parent_process.user.org.uid + type: keyword +ocsf.actor.process.parent_process.user.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.actor.process.parent_process.user.type + type: keyword +ocsf.actor.process.parent_process.user.type_id: + description: The account type identifier. + name: ocsf.actor.process.parent_process.user.type_id + type: keyword +ocsf.actor.process.parent_process.user.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.actor.process.parent_process.user.uid + type: keyword +ocsf.actor.process.parent_process.user.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.actor.process.parent_process.user.uid_alt + type: keyword +ocsf.actor.process.parent_process.xattributes: + description: + An unordered collection of zero or more name/value pairs that represent + a process extended attribute. + name: ocsf.actor.process.parent_process.xattributes + type: flattened +ocsf.actor.process.pid: + description: + The process identifier, as reported by the operating system. Process + ID (PID) is a number used by the operating system to uniquely identify an active + process. + name: ocsf.actor.process.pid + type: long +ocsf.actor.process.sandbox: + description: + The name of the containment jail (i.e., sandbox). For example, hardened_ps, + high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + name: ocsf.actor.process.sandbox + type: keyword +ocsf.actor.process.session.created_time: + description: The time when the session was created. + name: ocsf.actor.process.session.created_time + type: date +ocsf.actor.process.session.created_time_dt: + description: The time when the session was created. 
+ name: ocsf.actor.process.session.created_time_dt + type: date +ocsf.actor.process.session.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.session.credential_uid + type: keyword +ocsf.actor.process.session.expiration_time: + description: The session expiration time. + name: ocsf.actor.process.session.expiration_time + type: date +ocsf.actor.process.session.expiration_time_dt: + description: The session expiration time. + name: ocsf.actor.process.session.expiration_time_dt + type: date +ocsf.actor.process.session.is_remote: + description: The indication of whether the session is remote. + name: ocsf.actor.process.session.is_remote + type: boolean +ocsf.actor.process.session.issuer: + description: The identifier of the session issuer. + name: ocsf.actor.process.session.issuer + type: keyword +ocsf.actor.process.session.mfa: + description: "" + name: ocsf.actor.process.session.mfa + type: boolean +ocsf.actor.process.session.uid: + description: The unique identifier of the session. + name: ocsf.actor.process.session.uid + type: keyword +ocsf.actor.process.session.uuid: + description: The universally unique identifier of the session. + name: ocsf.actor.process.session.uuid + type: keyword +ocsf.actor.process.terminated_time: + description: The time when the process was terminated. + name: ocsf.actor.process.terminated_time + type: date +ocsf.actor.process.terminated_time_dt: + description: The time when the process was terminated. + name: ocsf.actor.process.terminated_time_dt + type: date +ocsf.actor.process.tid: + description: + The Identifier of the thread associated with the event, as returned + by the operating system. + name: ocsf.actor.process.tid + type: long +ocsf.actor.process.uid: + description: + A unique identifier for this process assigned by the producer (tool). + Facilitates correlation of a process event with other events for that process. 
+ name: ocsf.actor.process.uid + type: keyword +ocsf.actor.process.user.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.actor.process.user.account.name + type: keyword +ocsf.actor.process.user.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.user.account.type + type: keyword +ocsf.actor.process.user.account.type_id: + description: The normalized account type identifier. + name: ocsf.actor.process.user.account.type_id + type: keyword +ocsf.actor.process.user.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.actor.process.user.account.uid + type: keyword +ocsf.actor.process.user.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.user.credential_uid + type: keyword +ocsf.actor.process.user.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.actor.process.user.domain + type: keyword +ocsf.actor.process.user.email_addr: + description: The user's email address. + name: ocsf.actor.process.user.email_addr + type: keyword +ocsf.actor.process.user.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.actor.process.user.full_name + type: keyword +ocsf.actor.process.user.groups.desc: + description: The group description. + name: ocsf.actor.process.user.groups.desc + type: keyword +ocsf.actor.process.user.groups.name: + description: The group name. + name: ocsf.actor.process.user.groups.name + type: keyword +ocsf.actor.process.user.groups.privileges: + description: The group privileges. 
+ name: ocsf.actor.process.user.groups.privileges + type: keyword +ocsf.actor.process.user.groups.type: + description: The type of the group or account. + name: ocsf.actor.process.user.groups.type + type: keyword +ocsf.actor.process.user.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.process.user.groups.uid + type: keyword +ocsf.actor.process.user.name: + description: The username. For example, janedoe1. + name: ocsf.actor.process.user.name + type: keyword +ocsf.actor.process.user.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.actor.process.user.org.name + type: keyword +ocsf.actor.process.user.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.actor.process.user.org.ou_name + type: keyword +ocsf.actor.process.user.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.process.user.org.ou_uid + type: keyword +ocsf.actor.process.user.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.actor.process.user.org.uid + type: keyword +ocsf.actor.process.user.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.actor.process.user.type + type: keyword +ocsf.actor.process.user.type_id: + description: The account type identifier. + name: ocsf.actor.process.user.type_id + type: keyword +ocsf.actor.process.user.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.actor.process.user.uid + type: keyword +ocsf.actor.process.user.uid_alt: + description: + The alternate user identifier. 
For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.actor.process.user.uid_alt + type: keyword +ocsf.actor.process.xattributes: + description: + An unordered collection of zero or more name/value pairs that represent + a process extended attribute. + name: ocsf.actor.process.xattributes + type: flattened +ocsf.actor.session.created_time: + description: The time when the session was created. + name: ocsf.actor.session.created_time + type: date +ocsf.actor.session.created_time_dt: + description: The time when the session was created. + name: ocsf.actor.session.created_time_dt + type: date +ocsf.actor.session.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.session.credential_uid + type: keyword +ocsf.actor.session.expiration_time: + description: The session expiration time. + name: ocsf.actor.session.expiration_time + type: date +ocsf.actor.session.expiration_time_dt: + description: The session expiration time. + name: ocsf.actor.session.expiration_time_dt + type: date +ocsf.actor.session.is_remote: + description: The indication of whether the session is remote. + name: ocsf.actor.session.is_remote + type: boolean +ocsf.actor.session.issuer: + description: The identifier of the session issuer. + name: ocsf.actor.session.issuer + type: keyword +ocsf.actor.session.mfa: + description: "" + name: ocsf.actor.session.mfa + type: boolean +ocsf.actor.session.uid: + description: The unique identifier of the session. + name: ocsf.actor.session.uid + type: keyword +ocsf.actor.session.uuid: + description: The universally unique identifier of the session. + name: ocsf.actor.session.uuid + type: keyword +ocsf.actor.user.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.actor.user.account.name + type: keyword +ocsf.actor.user.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. 
In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.user.account.type + type: keyword +ocsf.actor.user.account.type_id: + description: The normalized account type identifier. + name: ocsf.actor.user.account.type_id + type: keyword +ocsf.actor.user.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.actor.user.account.uid + type: keyword +ocsf.actor.user.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.user.credential_uid + type: keyword +ocsf.actor.user.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.actor.user.domain + type: keyword +ocsf.actor.user.email_addr: + description: The user's email address. + name: ocsf.actor.user.email_addr + type: keyword +ocsf.actor.user.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.actor.user.full_name + type: keyword +ocsf.actor.user.groups.desc: + description: The group description. + name: ocsf.actor.user.groups.desc + type: keyword +ocsf.actor.user.groups.name: + description: The group name. + name: ocsf.actor.user.groups.name + type: keyword +ocsf.actor.user.groups.privileges: + description: The group privileges. + name: ocsf.actor.user.groups.privileges + type: keyword +ocsf.actor.user.groups.type: + description: The type of the group or account. + name: ocsf.actor.user.groups.type + type: keyword +ocsf.actor.user.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.user.groups.uid + type: keyword +ocsf.actor.user.name: + description: The username. For example, janedoe1. + name: ocsf.actor.user.name + type: keyword +ocsf.actor.user.org.name: + description: The name of the organization. 
For example, Widget, Inc. + name: ocsf.actor.user.org.name + type: keyword +ocsf.actor.user.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.actor.user.org.ou_name + type: keyword +ocsf.actor.user.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.user.org.ou_uid + type: keyword +ocsf.actor.user.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.actor.user.org.uid + type: keyword +ocsf.actor.user.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.actor.user.type + type: keyword +ocsf.actor.user.type_id: + description: The account type identifier. + name: ocsf.actor.user.type_id + type: keyword +ocsf.actor.user.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.actor.user.uid + type: keyword +ocsf.actor.user.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.actor.user.uid_alt + type: keyword +ocsf.actual_permissions: + description: The permissions that were granted to the in a platform-native format. + name: ocsf.actual_permissions + type: long +ocsf.analytic.category: + description: The analytic category. + name: ocsf.analytic.category + type: keyword +ocsf.analytic.desc: + description: The description of the analytic that generated the finding. + name: ocsf.analytic.desc + type: keyword +ocsf.analytic.name: + description: The name of the analytic that generated the finding. + name: ocsf.analytic.name + type: keyword +ocsf.analytic.related_analytics.category: + description: The analytic category. 
+ name: ocsf.analytic.related_analytics.category + type: keyword +ocsf.analytic.related_analytics.desc: + description: The description of the analytic that generated the finding. + name: ocsf.analytic.related_analytics.desc + type: keyword +ocsf.analytic.related_analytics.name: + description: The name of the analytic that generated the finding. + name: ocsf.analytic.related_analytics.name + type: keyword +ocsf.analytic.related_analytics.related_analytics: + description: "" + name: ocsf.analytic.related_analytics.related_analytics + type: flattened +ocsf.analytic.related_analytics.type: + description: The analytic type. + name: ocsf.analytic.related_analytics.type + type: keyword +ocsf.analytic.related_analytics.type_id: + description: The analytic type ID. + name: ocsf.analytic.related_analytics.type_id + type: keyword +ocsf.analytic.related_analytics.uid: + description: The unique identifier of the analytic that generated the finding. + name: ocsf.analytic.related_analytics.uid + type: keyword +ocsf.analytic.related_analytics.version: + description: "The analytic version. For example: 1.1." + name: ocsf.analytic.related_analytics.version + type: keyword +ocsf.analytic.type: + description: The analytic type. + name: ocsf.analytic.type + type: keyword +ocsf.analytic.type_id: + description: The analytic type ID. + name: ocsf.analytic.type_id + type: keyword +ocsf.analytic.uid: + description: The unique identifier of the analytic that generated the finding. + name: ocsf.analytic.uid + type: keyword +ocsf.analytic.version: + description: "The analytic version. For example: 1.1." + name: ocsf.analytic.version + type: keyword +ocsf.answers.class: + description: + "The class of DNS data contained in this resource record. See RFC1035. + For example: IN." + name: ocsf.answers.class + type: keyword +ocsf.answers.flag_ids: + description: The list of DNS answer header flag IDs. 
+ name: ocsf.answers.flag_ids + type: keyword +ocsf.answers.flags: + description: The list of DNS answer header flags. + name: ocsf.answers.flags + type: keyword +ocsf.answers.packet_uid: + description: + The DNS packet identifier assigned by the program that generated the + query. The identifier is copied to the response. + name: ocsf.answers.packet_uid + type: keyword +ocsf.answers.rdata: + description: + The data describing the DNS resource. The meaning of this data depends + on the type and class of the resource record. + name: ocsf.answers.rdata + type: keyword +ocsf.answers.ttl: + description: + The time interval that the resource record may be cached. Zero value + means that the resource record can only be used for the transaction in progress, + and should not be cached. + name: ocsf.answers.ttl + type: long +ocsf.answers.type: + description: + "The type of data contained in this resource record. See RFC1035. For + example: CNAME." + name: ocsf.answers.type + type: keyword +ocsf.api.operation: + description: Verb/Operation associated with the request. + name: ocsf.api.operation + type: keyword +ocsf.api.request.flags: + description: + The list of communication flags, normalized to the captions of the + flag_ids values. In the case of 'Other', they are defined by the event source. + name: ocsf.api.request.flags + type: keyword +ocsf.api.request.uid: + description: The unique request identifier. + name: ocsf.api.request.uid + type: keyword +ocsf.api.response.code: + description: The numeric response sent to a request. + name: ocsf.api.response.code + type: long +ocsf.api.response.error: + description: Error Code. + name: ocsf.api.response.error + type: keyword +ocsf.api.response.error_message: + description: Error Message. + name: ocsf.api.response.error_message + type: keyword +ocsf.api.response.flags: + description: + The list of communication flags, normalized to the captions of the + flag_ids values. 
In the case of 'Other', they are defined by the event source. + name: ocsf.api.response.flags + type: keyword +ocsf.api.response.message: + description: The description of the event, as defined by the event source. + name: ocsf.api.response.message + type: keyword +ocsf.api.service.labels: + description: The list of labels associated with the service. + name: ocsf.api.service.labels + type: keyword +ocsf.api.service.name: + description: The name of the service. + name: ocsf.api.service.name + type: keyword +ocsf.api.service.uid: + description: The unique identifier of the service. + name: ocsf.api.service.uid + type: keyword +ocsf.api.service.version: + description: The version of the service. + name: ocsf.api.service.version + type: keyword +ocsf.api.version: + description: The version of the API service. + name: ocsf.api.version + type: keyword +ocsf.app.feature.name: + description: The name of the feature. + name: ocsf.app.feature.name + type: keyword +ocsf.app.feature.uid: + description: The unique identifier of the feature. + name: ocsf.app.feature.uid + type: keyword +ocsf.app.feature.version: + description: The version of the feature. + name: ocsf.app.feature.version + type: keyword +ocsf.app.lang: + description: The two letter lower case language codes, as defined by ISO 639-1. + name: ocsf.app.lang + type: keyword +ocsf.app.name: + description: The CIS benchmark name. + name: ocsf.app.name + type: keyword +ocsf.app.path: + description: The installation path of the product. + name: ocsf.app.path + type: keyword +ocsf.app.uid: + description: The unique identifier of the product. + name: ocsf.app.uid + type: keyword +ocsf.app.url_string: + description: The URL pointing towards the product. + name: ocsf.app.url_string + type: keyword +ocsf.app.vendor_name: + description: The name of the vendor of the product. + name: ocsf.app.vendor_name + type: keyword +ocsf.app.version: + description: The version of the product, as defined by the event source. 
+ name: ocsf.app.version + type: keyword +ocsf.app_name: + description: The name of the application that is associated with the event or object. + name: ocsf.app_name + type: keyword +ocsf.attacks.tactics.name: + description: + The tactic name that is associated with the attack technique, as defined + by ATT&CK MatrixTM. + name: ocsf.attacks.tactics.name + type: keyword +ocsf.attacks.tactics.uid: + description: + The tactic ID that is associated with the attack technique, as defined + by ATT&CK MatrixTM. + name: ocsf.attacks.tactics.uid + type: keyword +ocsf.attacks.technique.name: + description: + "The name of the attack technique, as defined by ATT&CK MatrixTM. For + example: Drive-by Compromise." + name: ocsf.attacks.technique.name + type: keyword +ocsf.attacks.technique.uid: + description: + "The unique identifier of the attack technique, as defined by ATT&CK + MatrixTM. For example: T1189." + name: ocsf.attacks.technique.uid + type: keyword +ocsf.attacks.version: + description: The ATT&CK Matrix version. + name: ocsf.attacks.version + type: keyword +ocsf.attempt: + description: The attempt number for attempting to deliver the email. + name: ocsf.attempt + type: long +ocsf.auth_protocol: + description: + The authentication protocol as defined by the caption of 'auth_protocol_id'. + In the case of 'Other', it is defined by the event source. + name: ocsf.auth_protocol + type: keyword +ocsf.auth_protocol_id: + description: + The normalized identifier of the authentication protocol used to create + the user session. + name: ocsf.auth_protocol_id + type: keyword +ocsf.banner: + description: + The initial SMTP connection response that a messaging server receives + after it connects to a email server. + name: ocsf.banner + type: keyword +ocsf.base_address: + description: The memory address that was access or requested. + name: ocsf.base_address + type: keyword +ocsf.capabilities: + description: A list of RDP capabilities. 
+ name: ocsf.capabilities + type: keyword +ocsf.category_name: + description: + "The event category name, as defined by category_uid value: Identity + & Access Management." + name: ocsf.category_name + type: keyword +ocsf.category_uid: + description: + The category unique identifier of the event.3 Identity & Access ManagementIdentity + & Access Management (IAM) events relate to the supervision of the system's authentication + and access control model. Examples of such events are the success or failure of + authentication, granting of authority, password change, entity change, privileged + use etc. + name: ocsf.category_uid + type: keyword +ocsf.certificate.created_time: + description: The time when the certificate was created. + name: ocsf.certificate.created_time + type: date +ocsf.certificate.created_time_dt: + description: The time when the certificate was created. + name: ocsf.certificate.created_time_dt + type: date +ocsf.certificate.expiration_time: + description: The expiration time of the certificate. + name: ocsf.certificate.expiration_time + type: date +ocsf.certificate.expiration_time_dt: + description: The expiration time of the certificate. + name: ocsf.certificate.expiration_time_dt + type: date +ocsf.certificate.fingerprints.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.certificate.fingerprints.algorithm + type: keyword +ocsf.certificate.fingerprints.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.certificate.fingerprints.algorithm_id + type: keyword +ocsf.certificate.fingerprints.value: + description: The digital fingerprint value. + name: ocsf.certificate.fingerprints.value + type: keyword +ocsf.certificate.issuer: + description: The certificate issuer distinguished name. 
+ name: ocsf.certificate.issuer + type: keyword +ocsf.certificate.serial_number: + description: The serial number of the certificate used to create the digital signature. + name: ocsf.certificate.serial_number + type: keyword +ocsf.certificate.subject: + description: The certificate subject distinguished name. + name: ocsf.certificate.subject + type: keyword +ocsf.certificate.version: + description: The certificate version. + name: ocsf.certificate.version + type: keyword +ocsf.certificate_chain: + description: The list of observed certificates in an RDP TLS connection. + name: ocsf.certificate_chain + type: keyword +ocsf.cis_benchmark_result.desc: + description: The CIS benchmark description. + name: ocsf.cis_benchmark_result.desc + type: keyword +ocsf.cis_benchmark_result.name: + description: The CIS benchmark name. + name: ocsf.cis_benchmark_result.name + type: keyword +ocsf.cis_benchmark_result.remediation.desc: + description: The description of the remediation strategy. + name: ocsf.cis_benchmark_result.remediation.desc + type: keyword +ocsf.cis_benchmark_result.remediation.kb_articles: + description: The KB article/s related to the entity. + name: ocsf.cis_benchmark_result.remediation.kb_articles + type: keyword +ocsf.cis_benchmark_result.rule.category: + description: The rule category. + name: ocsf.cis_benchmark_result.rule.category + type: keyword +ocsf.cis_benchmark_result.rule.desc: + description: The description of the rule that generated the event. + name: ocsf.cis_benchmark_result.rule.desc + type: keyword +ocsf.cis_benchmark_result.rule.name: + description: The name of the rule that generated the event. + name: ocsf.cis_benchmark_result.rule.name + type: keyword +ocsf.cis_benchmark_result.rule.type: + description: The rule type. + name: ocsf.cis_benchmark_result.rule.type + type: keyword +ocsf.cis_benchmark_result.rule.uid: + description: The unique identifier of the rule that generated the event. 
+ name: ocsf.cis_benchmark_result.rule.uid + type: keyword +ocsf.cis_benchmark_result.rule.version: + description: The rule version. + name: ocsf.cis_benchmark_result.rule.version + type: keyword +ocsf.cis_csc.control: + description: The CIS critical security control. + name: ocsf.cis_csc.control + type: keyword +ocsf.cis_csc.version: + description: The CIS critical security control version. + name: ocsf.cis_csc.version + type: keyword +ocsf.class_name: + description: "The event class name, as defined by class_uid value: Security Finding." + name: ocsf.class_name + type: keyword +ocsf.class_uid: + description: + The unique identifier of a class. A Class describes the attributes + available in an event.2001 Security FindingSecurity Finding events describe findings, + detections, anomalies, alerts and/or actions performed by security products. + name: ocsf.class_uid + type: keyword +ocsf.client_dialects: + description: The list of SMB dialects that the client speaks. + name: ocsf.client_dialects + type: keyword +ocsf.client_hassh.algorithm: + description: + "The concatenation of key exchange, encryption, authentication and + compression algorithms (separated by ';'). NOTE: This is not the underlying + algorithm for the hash implementation." + name: ocsf.client_hassh.algorithm + type: keyword +ocsf.client_hassh.fingerprint.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.client_hassh.fingerprint.algorithm + type: keyword +ocsf.client_hassh.fingerprint.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.client_hassh.fingerprint.algorithm_id + type: keyword +ocsf.client_hassh.fingerprint.value: + description: The digital fingerprint value. 
+ name: ocsf.client_hassh.fingerprint.value + type: keyword +ocsf.cloud.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.cloud.account.name + type: keyword +ocsf.cloud.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.cloud.account.type + type: keyword +ocsf.cloud.account.type_id: + description: The normalized account type identifier. + name: ocsf.cloud.account.type_id + type: keyword +ocsf.cloud.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.cloud.account.uid + type: keyword +ocsf.cloud.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.cloud.org.name + type: keyword +ocsf.cloud.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.cloud.org.ou_name + type: keyword +ocsf.cloud.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.cloud.org.ou_uid + type: keyword +ocsf.cloud.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.cloud.org.uid + type: keyword +ocsf.cloud.project_uid: + description: The unique identifier of a Cloud project. + name: ocsf.cloud.project_uid + type: keyword +ocsf.cloud.provider: + description: + The unique name of the Cloud services provider, such as AWS, MS Azure, + GCP, etc. + name: ocsf.cloud.provider + type: keyword +ocsf.cloud.region: + description: The name of the cloud region, as defined by the cloud provider. + name: ocsf.cloud.region + type: keyword +ocsf.cloud.zone: + description: + The availability zone in the cloud region, as defined by the cloud + provider. 
+ name: ocsf.cloud.zone + type: keyword +ocsf.codes: + description: The list of return codes to the FTP command. + name: ocsf.codes + type: long +ocsf.command: + description: The command name. + name: ocsf.command + type: keyword +ocsf.command_responses: + description: The list of responses to the FTP command. + name: ocsf.command_responses + type: keyword +ocsf.comment: + description: The user provided comment about why the entity was changed. + name: ocsf.comment + type: keyword +ocsf.compliance.requirements: + description: + A list of applicable compliance requirements for which this finding + is related to. + name: ocsf.compliance.requirements + type: keyword +ocsf.compliance.status: + description: + The event status, normalized to the caption of the status_id value. + In the case of 'Other', it is defined by the event source. + name: ocsf.compliance.status + type: keyword +ocsf.compliance.status_detail: + description: + The status details contains additional information about the event + outcome. + name: ocsf.compliance.status_detail + type: keyword +ocsf.component: + description: + The name or relative pathname of a sub-component of the data object, + if applicable. + name: ocsf.component + type: keyword +ocsf.confidence: + description: + The confidence, normalized to the caption of the confidence_id value. + In the case of 'Other', it is defined by the event source. + name: ocsf.confidence + type: keyword +ocsf.confidence_id: + description: + The normalized confidence refers to the accuracy of the rule that created + the finding. A rule with a low confidence means that the finding scope is wide + and may create finding reports that may not be malicious in nature. + name: ocsf.confidence_id + type: keyword +ocsf.confidence_score: + description: The confidence score as reported by the event source. 
+ name: ocsf.confidence_score + type: long +ocsf.connection_info.boundary: + description: + The boundary of the connection, normalized to the caption of 'boundary_id'. + In the case of 'Other', it is defined by the event source.For cloud connections, + this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional + networks, this is described as Local, Internal, or External. + name: ocsf.connection_info.boundary + type: keyword +ocsf.connection_info.boundary_id: + description: + The normalized identifier of the boundary of the connection. For cloud + connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). + For traditional networks, this is described as Local, Internal, or External. + name: ocsf.connection_info.boundary_id + type: keyword +ocsf.connection_info.direction: + description: + The direction of the initiated connection, traffic, or email, normalized + to the caption of the direction_id value. In the case of 'Other', it is defined + by the event source. + name: ocsf.connection_info.direction + type: keyword +ocsf.connection_info.direction_id: + description: + The normalized identifier of the direction of the initiated connection, + traffic, or email. + name: ocsf.connection_info.direction_id + type: keyword +ocsf.connection_info.protocol_name: + description: + "The TCP/IP protocol name in lowercase, as defined by the Internet + Assigned Numbers Authority (IANA). See Protocol Numbers. For example: tcp or udp." + name: ocsf.connection_info.protocol_name + type: keyword +ocsf.connection_info.protocol_num: + description: + "The TCP/IP protocol number, as defined by the Internet Assigned Numbers + Authority (IANA). Use -1 if the protocol is not defined by IANA. See Protocol + Numbers. For example: 6 for TCP and 17 for UDP." + name: ocsf.connection_info.protocol_num + type: keyword +ocsf.connection_info.protocol_ver: + description: The Internet Protocol version. 
+ name: ocsf.connection_info.protocol_ver + type: keyword +ocsf.connection_info.protocol_ver_id: + description: The Internet Protocol version identifier. + name: ocsf.connection_info.protocol_ver_id + type: keyword +ocsf.connection_info.tcp_flags: + description: The network connection TCP header flags (i.e., control bits). + name: ocsf.connection_info.tcp_flags + type: long +ocsf.connection_info.uid: + description: The unique identifier of the connection. + name: ocsf.connection_info.uid + type: keyword +ocsf.connection_uid: + description: The network connection identifier. + name: ocsf.connection_uid + type: keyword +ocsf.count: + description: + The number of times that events in the same logical group occurred + during the event Start Time to End Time period. + name: ocsf.count + type: long +ocsf.create_mask: + description: The original Windows mask that is required to create the object. + name: ocsf.create_mask + type: keyword +ocsf.data_sources: + description: The data sources for the finding. + name: ocsf.data_sources + type: keyword +ocsf.dce_rpc.command: + description: The request command (e.g. REQUEST, BIND). + name: ocsf.dce_rpc.command + type: keyword +ocsf.dce_rpc.command_response: + description: The reply to the request command (e.g. RESPONSE, BINDACK or FAULT). + name: ocsf.dce_rpc.command_response + type: keyword +ocsf.dce_rpc.flags: + description: The list of interface flags. + name: ocsf.dce_rpc.flags + type: keyword +ocsf.dce_rpc.opnum: + description: + An operation number used to identify a specific remote procedure call + (RPC) method or a method in an interface. + name: ocsf.dce_rpc.opnum + type: long +ocsf.dce_rpc.rpc_interface.ack_reason: + description: + An integer that provides a reason code or additional information about + the acknowledgment result. + name: ocsf.dce_rpc.rpc_interface.ack_reason + type: long +ocsf.dce_rpc.rpc_interface.ack_result: + description: An integer that denotes the acknowledgment result of the DCE/RPC call. 
+ name: ocsf.dce_rpc.rpc_interface.ack_result + type: long +ocsf.dce_rpc.rpc_interface.uuid: + description: The unique identifier of the particular remote procedure or service. + name: ocsf.dce_rpc.rpc_interface.uuid + type: keyword +ocsf.dce_rpc.rpc_interface.version: + description: The version of the DCE/RPC protocol being used in the session. + name: ocsf.dce_rpc.rpc_interface.version + type: keyword +ocsf.device.autoscale_uid: + description: The unique identifier of the cloud autoscale configuration. + name: ocsf.device.autoscale_uid + type: keyword +ocsf.device.created_time: + description: The time when the device was known to have been created. + name: ocsf.device.created_time + type: date +ocsf.device.created_time_dt: + description: TThe time when the device was known to have been created. + name: ocsf.device.created_time_dt + type: date +ocsf.device.desc: + description: + The description of the device, ordinarily as reported by the operating + system. + name: ocsf.device.desc + type: keyword +ocsf.device.domain: + description: "The network domain where the device resides. For example: work.example.com." + name: ocsf.device.domain + type: keyword +ocsf.device.first_seen_time: + description: The initial discovery time of the device. + name: ocsf.device.first_seen_time + type: date +ocsf.device.first_seen_time_dt: + description: The initial discovery time of the device. + name: ocsf.device.first_seen_time_dt + type: date +ocsf.device.groups.desc: + description: The group description. + name: ocsf.device.groups.desc + type: keyword +ocsf.device.groups.name: + description: The group name. + name: ocsf.device.groups.name + type: keyword +ocsf.device.groups.privileges: + description: The group privileges. + name: ocsf.device.groups.privileges + type: keyword +ocsf.device.groups.type: + description: The type of the group or account. + name: ocsf.device.groups.type + type: keyword +ocsf.device.groups.uid: + description: + The unique identifier of the group. 
For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.device.groups.uid + type: keyword +ocsf.device.hostname: + description: The devicename. + name: ocsf.device.hostname + type: keyword +ocsf.device.hw_info.bios_date: + description: "The BIOS date. For example: 03/31/16." + name: ocsf.device.hw_info.bios_date + type: keyword +ocsf.device.hw_info.bios_manufacturer: + description: "The BIOS manufacturer. For example: LENOVO." + name: ocsf.device.hw_info.bios_manufacturer + type: keyword +ocsf.device.hw_info.bios_ver: + description: "The BIOS version. For example: LENOVO G5ETA2WW (2.62)." + name: ocsf.device.hw_info.bios_ver + type: keyword +ocsf.device.hw_info.chassis: + description: + The chassis type describes the system enclosure or physical form factor. + Such as the following examples for Windows Windows Chassis Types. + name: ocsf.device.hw_info.chassis + type: keyword +ocsf.device.hw_info.cpu_bits: + description: + "The cpu architecture, the number of bits used for addressing in memory. + For example: 32 or 64." + name: ocsf.device.hw_info.cpu_bits + type: long +ocsf.device.hw_info.cpu_cores: + description: + "The number of processor cores in all installed processors. For Example: + 42." + name: ocsf.device.hw_info.cpu_cores + type: long +ocsf.device.hw_info.cpu_count: + description: "The number of physical processors on a system. For example: 1." + name: ocsf.device.hw_info.cpu_count + type: long +ocsf.device.hw_info.cpu_speed: + description: "The speed of the processor in Mhz. For Example: 4200." + name: ocsf.device.hw_info.cpu_speed + type: long +ocsf.device.hw_info.cpu_type: + description: "The processor type. For example: x86 Family 6 Model 37 Stepping 5." + name: ocsf.device.hw_info.cpu_type + type: keyword +ocsf.device.hw_info.desktop_display.color_depth: + description: The numeric color depth. 
+ name: ocsf.device.hw_info.desktop_display.color_depth + type: long +ocsf.device.hw_info.desktop_display.physical_height: + description: The numeric physical height of display. + name: ocsf.device.hw_info.desktop_display.physical_height + type: long +ocsf.device.hw_info.desktop_display.physical_orientation: + description: The numeric physical orientation of display. + name: ocsf.device.hw_info.desktop_display.physical_orientation + type: long +ocsf.device.hw_info.desktop_display.physical_width: + description: The numeric physical width of display. + name: ocsf.device.hw_info.desktop_display.physical_width + type: long +ocsf.device.hw_info.desktop_display.scale_factor: + description: The numeric scale factor of display. + name: ocsf.device.hw_info.desktop_display.scale_factor + type: long +ocsf.device.hw_info.keyboard_info.function_keys: + description: The number of function keys on client keyboard. + name: ocsf.device.hw_info.keyboard_info.function_keys + type: long +ocsf.device.hw_info.keyboard_info.ime: + description: The Input Method Editor (IME) file name. + name: ocsf.device.hw_info.keyboard_info.ime + type: keyword +ocsf.device.hw_info.keyboard_info.keyboard_layout: + description: The keyboard locale identifier name (e.g., en-US). + name: ocsf.device.hw_info.keyboard_info.keyboard_layout + type: keyword +ocsf.device.hw_info.keyboard_info.keyboard_subtype: + description: The keyboard numeric code. + name: ocsf.device.hw_info.keyboard_info.keyboard_subtype + type: long +ocsf.device.hw_info.keyboard_info.keyboard_type: + description: The keyboard type (e.g., xt, ico). + name: ocsf.device.hw_info.keyboard_info.keyboard_type + type: keyword +ocsf.device.hw_info.ram_size: + description: "The total amount of installed RAM, in Megabytes. For example: 2048." + name: ocsf.device.hw_info.ram_size + type: long +ocsf.device.hw_info.serial_number: + description: The device manufacturer serial number. 
+ name: ocsf.device.hw_info.serial_number + type: keyword +ocsf.device.hypervisor: + description: + The name of the hypervisor running on the device. For example, Xen, + VMware, Hyper-V, VirtualBox, etc. + name: ocsf.device.hypervisor + type: keyword +ocsf.device.image.labels: + description: The image labels. + name: ocsf.device.image.labels + type: keyword +ocsf.device.image.name: + description: "The image name. For example: elixir." + name: ocsf.device.image.name + type: keyword +ocsf.device.image.path: + description: The full path to the image file. + name: ocsf.device.image.path + type: keyword +ocsf.device.image.tag: + description: "The image tag. For example: 1.11-alpine." + name: ocsf.device.image.tag + type: keyword +ocsf.device.image.uid: + description: "The unique image ID. For example: 77af4d6b9913." + name: ocsf.device.image.uid + type: keyword +ocsf.device.imei: + description: + The International Mobile Station Equipment Identifier that is associated + with the device. + name: ocsf.device.imei + type: keyword +ocsf.device.instance_uid: + description: The unique identifier of a VM instance. + name: ocsf.device.instance_uid + type: keyword +ocsf.device.interface_name: + description: The name of the network interface (e.g. eth2). + name: ocsf.device.interface_name + type: keyword +ocsf.device.interface_uid: + description: The unique identifier of the network interface. + name: ocsf.device.interface_uid + type: keyword +ocsf.device.ip: + description: The device IP address, in either IPv4 or IPv6 format. + name: ocsf.device.ip + type: ip +ocsf.device.is_compliant: + description: The event occurred on a compliant device. + name: ocsf.device.is_compliant + type: boolean +ocsf.device.is_managed: + description: The event occurred on a managed device. + name: ocsf.device.is_managed + type: boolean +ocsf.device.is_personal: + description: The event occurred on a personal device. 
+ name: ocsf.device.is_personal + type: boolean +ocsf.device.is_trusted: + description: The event occurred on a trusted device. + name: ocsf.device.is_trusted + type: boolean +ocsf.device.last_seen_time: + description: The most recent discovery time of the device. + name: ocsf.device.last_seen_time + type: date +ocsf.device.last_seen_time_dt: + description: The most recent discovery time of the device. + name: ocsf.device.last_seen_time_dt + type: date +ocsf.device.location.city: + description: The name of the city. + name: ocsf.device.location.city + type: keyword +ocsf.device.location.continent: + description: The name of the continent. + name: ocsf.device.location.continent + type: keyword +ocsf.device.location.coordinates: + description: + A two-element array, containing a longitude/latitude pair. The format + conforms with GeoJSON. + name: ocsf.device.location.coordinates + type: geo_point +ocsf.device.location.country: + description: + The ISO 3166-1 Alpha-2 country code. For the complete list of country + codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + name: ocsf.device.location.country + type: keyword +ocsf.device.location.desc: + description: The description of the geographical location. + name: ocsf.device.location.desc + type: keyword +ocsf.device.location.is_on_premises: + description: The indication of whether the location is on premises. + name: ocsf.device.location.is_on_premises + type: boolean +ocsf.device.location.isp: + description: The name of the Internet Service Provider (ISP). + name: ocsf.device.location.isp + type: keyword +ocsf.device.location.postal_code: + description: The postal code of the location. + name: ocsf.device.location.postal_code + type: keyword +ocsf.device.location.provider: + description: The provider of the geographical location data. 
+ name: ocsf.device.location.provider + type: keyword +ocsf.device.location.region: + description: + The alphanumeric code that identifies the principal subdivision (e.g. + province or state) of the country. Region codes are defined at ISO 3166-2 and + have a limit of three characters. For example, see the region codes for the US. + name: ocsf.device.location.region + type: keyword +ocsf.device.mac: + description: The device Media Access Control (MAC) address. + name: ocsf.device.mac + type: keyword +ocsf.device.modified_time: + description: The time when the device was last known to have been modified. + name: ocsf.device.modified_time + type: date +ocsf.device.modified_time_dt: + description: The time when the device was last known to have been modified. + name: ocsf.device.modified_time_dt + type: date +ocsf.device.name: + description: + The alternate device name, ordinarily as assigned by an administrator. + The Name could be any other string that helps to identify the device, such as + a phone number; for example 310-555-1234. + name: ocsf.device.name + type: keyword +ocsf.device.network_interfaces.hostname: + description: The hostname associated with the network interface. + name: ocsf.device.network_interfaces.hostname + type: keyword +ocsf.device.network_interfaces.ip: + description: The IP address associated with the network interface. + name: ocsf.device.network_interfaces.ip + type: ip +ocsf.device.network_interfaces.mac: + description: The MAC address of the network interface. + name: ocsf.device.network_interfaces.mac + type: keyword +ocsf.device.network_interfaces.name: + description: The name of the network interface. + name: ocsf.device.network_interfaces.name + type: keyword +ocsf.device.network_interfaces.namespace: + description: + The namespace is useful in merger or acquisition situations. For example, + when similar entities exists that you need to keep separate. 
+ name: ocsf.device.network_interfaces.namespace + type: keyword +ocsf.device.network_interfaces.subnet_prefix: + description: + The subnet prefix length determines the number of bits used to represent + the network part of the IP address. The remaining bits are reserved for identifying + individual hosts within that subnet. + name: ocsf.device.network_interfaces.subnet_prefix + type: long +ocsf.device.network_interfaces.type: + description: The type of network interface. + name: ocsf.device.network_interfaces.type + type: keyword +ocsf.device.network_interfaces.type_id: + description: The network interface type identifier. + name: ocsf.device.network_interfaces.type_id + type: keyword +ocsf.device.network_interfaces.uid: + description: The unique identifier for the network interface. + name: ocsf.device.network_interfaces.uid + type: keyword +ocsf.device.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.device.org.name + type: keyword +ocsf.device.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.device.org.ou_name + type: keyword +ocsf.device.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.device.org.ou_uid + type: keyword +ocsf.device.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.device.org.uid + type: keyword +ocsf.device.os.build: + description: The operating system build number. + name: ocsf.device.os.build + type: keyword +ocsf.device.os.country: + description: + The operating system country code, as defined by the ISO 3166-1 standard + (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 + codes. 
+ name: ocsf.device.os.country + type: keyword +ocsf.device.os.cpu_bits: + description: + The cpu architecture, the number of bits used for addressing in memory. + For example, 32 or 64. + name: ocsf.device.os.cpu_bits + type: long +ocsf.device.os.edition: + description: The operating system edition. For example, Professional. + name: ocsf.device.os.edition + type: keyword +ocsf.device.os.lang: + description: The two letter lower case language codes, as defined by ISO 639-1. + name: ocsf.device.os.lang + type: keyword +ocsf.device.os.name: + description: The operating system name. + name: ocsf.device.os.name + type: keyword +ocsf.device.os.sp_name: + description: The name of the latest Service Pack. + name: ocsf.device.os.sp_name + type: keyword +ocsf.device.os.sp_ver: + description: The version number of the latest Service Pack. + name: ocsf.device.os.sp_ver + type: keyword +ocsf.device.os.type: + description: The type of the operating system. + name: ocsf.device.os.type + type: keyword +ocsf.device.os.type_id: + description: The type identifier of the operating system. + name: ocsf.device.os.type_id + type: keyword +ocsf.device.os.version: + description: + The version of the OS running on the device that originated the event. + For example, "Windows 10", "OS X 10.7", or "iOS 9". + name: ocsf.device.os.version + type: keyword +ocsf.device.region: + description: + The region where the virtual machine is located. For example, an AWS + Region. + name: ocsf.device.region + type: keyword +ocsf.device.risk_level: + description: + The risk level, normalized to the caption of the risk_level_id value. + In the case of 'Other', it is defined by the event source. + name: ocsf.device.risk_level + type: keyword +ocsf.device.risk_level_id: + description: The normalized risk level id. + name: ocsf.device.risk_level_id + type: keyword +ocsf.device.risk_score: + description: The risk score as reported by the event source. 
+ name: ocsf.device.risk_score + type: long +ocsf.device.subnet: + description: The subnet mask. + name: ocsf.device.subnet + type: ip_range +ocsf.device.subnet_uid: + description: The unique identifier of a virtual subnet. + name: ocsf.device.subnet_uid + type: keyword +ocsf.device.type: + description: + The device type. For example, unknown, server, desktop, laptop, tablet, + mobile, virtual, browser, or other. + name: ocsf.device.type + type: keyword +ocsf.device.type_id: + description: The device type ID. + name: ocsf.device.type_id + type: keyword +ocsf.device.uid: + description: + The unique identifier of the device. For example the Windows TargetSID + or AWS EC2 ARN. + name: ocsf.device.uid + type: keyword +ocsf.device.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.device.uid_alt + type: keyword +ocsf.device.vlan_uid: + description: The Virtual LAN identifier. + name: ocsf.device.vlan_uid + type: keyword +ocsf.device.vpc_uid: + description: The unique identifier of the Virtual Private Cloud (VPC). + name: ocsf.device.vpc_uid + type: keyword +ocsf.dialect: + description: The negotiated protocol dialect. + name: ocsf.dialect + type: keyword +ocsf.direction: + description: The direction of the email, as defined by the direction_id value. + name: ocsf.direction + type: keyword +ocsf.direction_id: + description: The direction of the email relative to the scanning host or organization. + name: ocsf.direction_id + type: keyword +ocsf.disposition: + description: + The event disposition name, normalized to the caption of the disposition_id + value. In the case of 'Other', it is defined by the event source. + name: ocsf.disposition + type: keyword +ocsf.disposition_id: + description: + When security issues, such as malware or policy violations, are detected + and possibly corrected, then disposition_id describes the action taken by the + security product. 
+ name: ocsf.disposition_id + type: keyword +ocsf.driver.file.accessed_time: + description: The time when the file was last accessed. + name: ocsf.driver.file.accessed_time + type: date +ocsf.driver.file.accessed_time_dt: + description: The time when the file was last accessed. + name: ocsf.driver.file.accessed_time_dt + type: date +ocsf.driver.file.accessor.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.driver.file.accessor.account.name + type: keyword +ocsf.driver.file.accessor.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.driver.file.accessor.account.type + type: keyword +ocsf.driver.file.accessor.account.type_id: + description: The normalized account type identifier. + name: ocsf.driver.file.accessor.account.type_id + type: keyword +ocsf.driver.file.accessor.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.driver.file.accessor.account.uid + type: keyword +ocsf.driver.file.accessor.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.driver.file.accessor.credential_uid + type: keyword +ocsf.driver.file.accessor.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.driver.file.accessor.domain + type: keyword +ocsf.driver.file.accessor.email_addr: + description: The user's email address. + name: ocsf.driver.file.accessor.email_addr + type: keyword +ocsf.driver.file.accessor.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.driver.file.accessor.full_name + type: keyword +ocsf.driver.file.accessor.groups.desc: + description: The group description. 
+ name: ocsf.driver.file.accessor.groups.desc + type: keyword +ocsf.driver.file.accessor.groups.name: + description: The group name. + name: ocsf.driver.file.accessor.groups.name + type: keyword +ocsf.driver.file.accessor.groups.privileges: + description: The group privileges. + name: ocsf.driver.file.accessor.groups.privileges + type: keyword +ocsf.driver.file.accessor.groups.type: + description: The type of the group or account. + name: ocsf.driver.file.accessor.groups.type + type: keyword +ocsf.driver.file.accessor.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.driver.file.accessor.groups.uid + type: keyword +ocsf.driver.file.accessor.name: + description: The username. For example, janedoe1. + name: ocsf.driver.file.accessor.name + type: keyword +ocsf.driver.file.accessor.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.driver.file.accessor.org.name + type: keyword +ocsf.driver.file.accessor.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.driver.file.accessor.org.ou_name + type: keyword +ocsf.driver.file.accessor.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.driver.file.accessor.org.ou_uid + type: keyword +ocsf.driver.file.accessor.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.driver.file.accessor.org.uid + type: keyword +ocsf.driver.file.accessor.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.driver.file.accessor.type + type: keyword +ocsf.driver.file.accessor.type_id: + description: The account type identifier. 
+ name: ocsf.driver.file.accessor.type_id + type: keyword +ocsf.driver.file.accessor.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.driver.file.accessor.uid + type: keyword +ocsf.driver.file.accessor.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.driver.file.accessor.uid_alt + type: keyword +ocsf.driver.file.attributes: + description: The Bitmask value that represents the file attributes. + name: ocsf.driver.file.attributes + type: long +ocsf.driver.file.company_name: + description: + "The name of the company that published the file. For example: Microsoft + Corporation." + name: ocsf.driver.file.company_name + type: keyword +ocsf.driver.file.confidentiality: + description: + The file content confidentiality, normalized to the confidentiality_id + value. In the case of 'Other', it is defined by the event source. + name: ocsf.driver.file.confidentiality + type: keyword +ocsf.driver.file.confidentiality_id: + description: The normalized identifier of the file content confidentiality indicator. + name: ocsf.driver.file.confidentiality_id + type: keyword +ocsf.driver.file.created_time: + description: The time when the file was created. + name: ocsf.driver.file.created_time + type: date +ocsf.driver.file.created_time_dt: + description: The time when the file was created. + name: ocsf.driver.file.created_time_dt + type: date +ocsf.driver.file.creator.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.driver.file.creator.account.name + type: keyword +ocsf.driver.file.creator.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. 
+ name: ocsf.driver.file.creator.account.type + type: keyword +ocsf.driver.file.creator.account.type_id: + description: The normalized account type identifier. + name: ocsf.driver.file.creator.account.type_id + type: keyword +ocsf.driver.file.creator.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.driver.file.creator.account.uid + type: keyword +ocsf.driver.file.creator.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.driver.file.creator.credential_uid + type: keyword +ocsf.driver.file.creator.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.driver.file.creator.domain + type: keyword +ocsf.driver.file.creator.email_addr: + description: The user's email address. + name: ocsf.driver.file.creator.email_addr + type: keyword +ocsf.driver.file.creator.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.driver.file.creator.full_name + type: keyword +ocsf.driver.file.creator.groups.desc: + description: The group description. + name: ocsf.driver.file.creator.groups.desc + type: keyword +ocsf.driver.file.creator.groups.name: + description: The group name. + name: ocsf.driver.file.creator.groups.name + type: keyword +ocsf.driver.file.creator.groups.privileges: + description: The group privileges. + name: ocsf.driver.file.creator.groups.privileges + type: keyword +ocsf.driver.file.creator.groups.type: + description: The type of the group or account. + name: ocsf.driver.file.creator.groups.type + type: keyword +ocsf.driver.file.creator.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.driver.file.creator.groups.uid + type: keyword +ocsf.driver.file.creator.name: + description: The username. 
For example, janedoe1. + name: ocsf.driver.file.creator.name + type: keyword +ocsf.driver.file.creator.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.driver.file.creator.org.name + type: keyword +ocsf.driver.file.creator.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.driver.file.creator.org.ou_name + type: keyword +ocsf.driver.file.creator.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.driver.file.creator.org.ou_uid + type: keyword +ocsf.driver.file.creator.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.driver.file.creator.org.uid + type: keyword +ocsf.driver.file.creator.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.driver.file.creator.type + type: keyword +ocsf.driver.file.creator.type_id: + description: The account type identifier. + name: ocsf.driver.file.creator.type_id + type: keyword +ocsf.driver.file.creator.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.driver.file.creator.uid + type: keyword +ocsf.driver.file.creator.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.driver.file.creator.uid_alt + type: keyword +ocsf.driver.file.desc: + description: + "The description of the file, as returned by file system. For example: + the description as returned by the Unix file command or the Windows file type." + name: ocsf.driver.file.desc + type: keyword +ocsf.driver.file.hashes.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the + event source. + name: ocsf.driver.file.hashes.algorithm + type: keyword +ocsf.driver.file.hashes.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.driver.file.hashes.algorithm_id + type: keyword +ocsf.driver.file.hashes.value: + description: The digital fingerprint value. + name: ocsf.driver.file.hashes.value + type: keyword +ocsf.driver.file.is_system: + description: The indication of whether the object is part of the operating system. + name: ocsf.driver.file.is_system + type: boolean +ocsf.driver.file.mime_type: + description: + The Multipurpose Internet Mail Extensions (MIME) type of the file, + if applicable. + name: ocsf.driver.file.mime_type + type: keyword +ocsf.driver.file.modified_time: + description: The time when the file was last modified. + name: ocsf.driver.file.modified_time + type: date +ocsf.driver.file.modified_time_dt: + description: The time when the file was last modified. + name: ocsf.driver.file.modified_time_dt + type: date +ocsf.driver.file.modifier.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.driver.file.modifier.account.name + type: keyword +ocsf.driver.file.modifier.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.driver.file.modifier.account.type + type: keyword +ocsf.driver.file.modifier.account.type_id: + description: The normalized account type identifier. + name: ocsf.driver.file.modifier.account.type_id + type: keyword +ocsf.driver.file.modifier.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.driver.file.modifier.account.uid + type: keyword +ocsf.driver.file.modifier.credential_uid: + description: + The unique identifier of the user's credential. 
For example, AWS Access + Key ID. + name: ocsf.driver.file.modifier.credential_uid + type: keyword +ocsf.driver.file.modifier.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.driver.file.modifier.domain + type: keyword +ocsf.driver.file.modifier.email_addr: + description: The user's email address. + name: ocsf.driver.file.modifier.email_addr + type: keyword +ocsf.driver.file.modifier.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.driver.file.modifier.full_name + type: keyword +ocsf.driver.file.modifier.groups.desc: + description: The group description. + name: ocsf.driver.file.modifier.groups.desc + type: keyword +ocsf.driver.file.modifier.groups.name: + description: The group name. + name: ocsf.driver.file.modifier.groups.name + type: keyword +ocsf.driver.file.modifier.groups.privileges: + description: The group privileges. + name: ocsf.driver.file.modifier.groups.privileges + type: keyword +ocsf.driver.file.modifier.groups.type: + description: The type of the group or account. + name: ocsf.driver.file.modifier.groups.type + type: keyword +ocsf.driver.file.modifier.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.driver.file.modifier.groups.uid + type: keyword +ocsf.driver.file.modifier.name: + description: The username. For example, janedoe1. + name: ocsf.driver.file.modifier.name + type: keyword +ocsf.driver.file.modifier.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.driver.file.modifier.org.name + type: keyword +ocsf.driver.file.modifier.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. 
+ name: ocsf.driver.file.modifier.org.ou_name + type: keyword +ocsf.driver.file.modifier.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.driver.file.modifier.org.ou_uid + type: keyword +ocsf.driver.file.modifier.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.driver.file.modifier.org.uid + type: keyword +ocsf.driver.file.modifier.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.driver.file.modifier.type + type: keyword +ocsf.driver.file.modifier.type_id: + description: The account type identifier. + name: ocsf.driver.file.modifier.type_id + type: keyword +ocsf.driver.file.modifier.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.driver.file.modifier.uid + type: keyword +ocsf.driver.file.modifier.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.driver.file.modifier.uid_alt + type: keyword +ocsf.driver.file.name: + description: "The name of the file. For example: svchost.exe." + name: ocsf.driver.file.name + type: keyword +ocsf.driver.file.owner.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.driver.file.owner.account.name + type: keyword +ocsf.driver.file.owner.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.driver.file.owner.account.type + type: keyword +ocsf.driver.file.owner.account.type_id: + description: The normalized account type identifier. 
+ name: ocsf.driver.file.owner.account.type_id + type: keyword +ocsf.driver.file.owner.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.driver.file.owner.account.uid + type: keyword +ocsf.driver.file.owner.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.driver.file.owner.credential_uid + type: keyword +ocsf.driver.file.owner.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.driver.file.owner.domain + type: keyword +ocsf.driver.file.owner.email_addr: + description: The user's email address. + name: ocsf.driver.file.owner.email_addr + type: keyword +ocsf.driver.file.owner.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.driver.file.owner.full_name + type: keyword +ocsf.driver.file.owner.groups.desc: + description: The group description. + name: ocsf.driver.file.owner.groups.desc + type: keyword +ocsf.driver.file.owner.groups.name: + description: The group name. + name: ocsf.driver.file.owner.groups.name + type: keyword +ocsf.driver.file.owner.groups.privileges: + description: The group privileges. + name: ocsf.driver.file.owner.groups.privileges + type: keyword +ocsf.driver.file.owner.groups.type: + description: The type of the group or account. + name: ocsf.driver.file.owner.groups.type + type: keyword +ocsf.driver.file.owner.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.driver.file.owner.groups.uid + type: keyword +ocsf.driver.file.owner.name: + description: The username. For example, janedoe1. + name: ocsf.driver.file.owner.name + type: keyword +ocsf.driver.file.owner.org.name: + description: The name of the organization. For example, Widget, Inc. 
+ name: ocsf.driver.file.owner.org.name + type: keyword +ocsf.driver.file.owner.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.driver.file.owner.org.ou_name + type: keyword +ocsf.driver.file.owner.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.driver.file.owner.org.ou_uid + type: keyword +ocsf.driver.file.owner.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.driver.file.owner.org.uid + type: keyword +ocsf.driver.file.owner.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.driver.file.owner.type + type: keyword +ocsf.driver.file.owner.type_id: + description: The account type identifier. + name: ocsf.driver.file.owner.type_id + type: keyword +ocsf.driver.file.owner.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.driver.file.owner.uid + type: keyword +ocsf.driver.file.owner.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.driver.file.owner.uid_alt + type: keyword +ocsf.driver.file.parent_folder: + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + name: ocsf.driver.file.parent_folder + type: keyword +ocsf.driver.file.path: + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + name: ocsf.driver.file.path + type: keyword +ocsf.driver.file.product.feature.name: + description: The name of the feature. + name: ocsf.driver.file.product.feature.name + type: keyword +ocsf.driver.file.product.feature.uid: + description: The unique identifier of the feature. 
+ name: ocsf.driver.file.product.feature.uid + type: keyword +ocsf.driver.file.product.feature.version: + description: The version of the feature. + name: ocsf.driver.file.product.feature.version + type: keyword +ocsf.driver.file.product.lang: + description: + "The two letter lower case language codes, as defined by ISO 639-1. + For example: en (English), de (German), or fr (French)." + name: ocsf.driver.file.product.lang + type: keyword +ocsf.driver.file.product.name: + description: The name of the product. + name: ocsf.driver.file.product.name + type: keyword +ocsf.driver.file.product.path: + description: The installation path of the product. + name: ocsf.driver.file.product.path + type: keyword +ocsf.driver.file.product.uid: + description: The unique identifier of the product. + name: ocsf.driver.file.product.uid + type: keyword +ocsf.driver.file.product.vendor_name: + description: The name of the vendor of the product. + name: ocsf.driver.file.product.vendor_name + type: keyword +ocsf.driver.file.product.version: + description: + "The version of the product, as defined by the event source. For example: + 2013.1.3-beta." + name: ocsf.driver.file.product.version + type: keyword +ocsf.driver.file.security_descriptor: + description: The object security descriptor. + name: ocsf.driver.file.security_descriptor + type: keyword +ocsf.driver.file.signature.algorithm: + description: + The digital signature algorithm used to create the signature, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.driver.file.signature.algorithm + type: keyword +ocsf.driver.file.signature.algorithm_id: + description: The identifier of the normalized digital signature algorithm. + name: ocsf.driver.file.signature.algorithm_id + type: keyword +ocsf.driver.file.signature.certificate.created_time: + description: The time when the certificate was created. 
+ name: ocsf.driver.file.signature.certificate.created_time + type: date +ocsf.driver.file.signature.certificate.created_time_dt: + description: The time when the certificate was created. + name: ocsf.driver.file.signature.certificate.created_time_dt + type: date +ocsf.driver.file.signature.certificate.expiration_time: + description: The expiration time of the certificate. + name: ocsf.driver.file.signature.certificate.expiration_time + type: date +ocsf.driver.file.signature.certificate.expiration_time_dt: + description: The expiration time of the certificate. + name: ocsf.driver.file.signature.certificate.expiration_time_dt + type: date +ocsf.driver.file.signature.certificate.fingerprints.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.driver.file.signature.certificate.fingerprints.algorithm + type: keyword +ocsf.driver.file.signature.certificate.fingerprints.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.driver.file.signature.certificate.fingerprints.algorithm_id + type: keyword +ocsf.driver.file.signature.certificate.fingerprints.value: + description: The digital fingerprint value. + name: ocsf.driver.file.signature.certificate.fingerprints.value + type: keyword +ocsf.driver.file.signature.certificate.issuer: + description: The certificate issuer distinguished name. + name: ocsf.driver.file.signature.certificate.issuer + type: keyword +ocsf.driver.file.signature.certificate.serial_number: + description: The serial number of the certificate used to create the digital signature. + name: ocsf.driver.file.signature.certificate.serial_number + type: keyword +ocsf.driver.file.signature.certificate.subject: + description: The certificate subject distinguished name. 
+ name: ocsf.driver.file.signature.certificate.subject + type: keyword +ocsf.driver.file.signature.certificate.version: + description: The certificate version. + name: ocsf.driver.file.signature.certificate.version + type: keyword +ocsf.driver.file.signature.created_time: + description: The time when the digital signature was created. + name: ocsf.driver.file.signature.created_time + type: date +ocsf.driver.file.signature.created_time_dt: + description: The time when the digital signature was created. + name: ocsf.driver.file.signature.created_time_dt + type: date +ocsf.driver.file.signature.developer_uid: + description: The developer ID on the certificate that signed the file. + name: ocsf.driver.file.signature.developer_uid + type: keyword +ocsf.driver.file.signature.digest.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.driver.file.signature.digest.algorithm + type: keyword +ocsf.driver.file.signature.digest.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.driver.file.signature.digest.algorithm_id + type: keyword +ocsf.driver.file.signature.digest.value: + description: The digital fingerprint value. + name: ocsf.driver.file.signature.digest.value + type: keyword +ocsf.driver.file.size: + description: The size of data, in bytes. + name: ocsf.driver.file.size + type: long +ocsf.driver.file.type: + description: The file type. + name: ocsf.driver.file.type + type: keyword +ocsf.driver.file.type_id: + description: The file type ID. + name: ocsf.driver.file.type_id + type: keyword +ocsf.driver.file.uid: + description: + The unique identifier of the file as defined by the storage system, + such the file system file ID. 
+ name: ocsf.driver.file.uid + type: keyword +ocsf.driver.file.version: + description: "The file version. For example: 8.0.7601.17514." + name: ocsf.driver.file.version + type: keyword +ocsf.driver.file.xattributes: + description: + An unordered collection of zero or more name/value pairs where each + pair represents a file or folder extended attribute. + name: ocsf.driver.file.xattributes + type: flattened +ocsf.dst_endpoint.domain: + description: The name of the domain. + name: ocsf.dst_endpoint.domain + type: keyword +ocsf.dst_endpoint.hostname: + description: The fully qualified name of the endpoint. + name: ocsf.dst_endpoint.hostname + type: keyword +ocsf.dst_endpoint.instance_uid: + description: The unique identifier of a VM instance. + name: ocsf.dst_endpoint.instance_uid + type: keyword +ocsf.dst_endpoint.interface_name: + description: The name of the network interface (e.g. eth2). + name: ocsf.dst_endpoint.interface_name + type: keyword +ocsf.dst_endpoint.interface_uid: + description: The unique identifier of the network interface. + name: ocsf.dst_endpoint.interface_uid + type: keyword +ocsf.dst_endpoint.intermediate_ips: + description: + The intermediate IP Addresses. For example, the IP addresses in the + HTTP X-Forwarded-For header. + name: ocsf.dst_endpoint.intermediate_ips + type: ip +ocsf.dst_endpoint.ip: + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + name: ocsf.dst_endpoint.ip + type: ip +ocsf.dst_endpoint.location.city: + description: The name of the city. + name: ocsf.dst_endpoint.location.city + type: keyword +ocsf.dst_endpoint.location.continent: + description: The name of the continent. + name: ocsf.dst_endpoint.location.continent + type: keyword +ocsf.dst_endpoint.location.coordinates: + description: + A two-element array, containing a longitude/latitude pair. The format + conforms with GeoJSON. 
+ name: ocsf.dst_endpoint.location.coordinates + type: geo_point +ocsf.dst_endpoint.location.country: + description: + The ISO 3166-1 Alpha-2 country code. For the complete list of country + codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + name: ocsf.dst_endpoint.location.country + type: keyword +ocsf.dst_endpoint.location.desc: + description: The description of the geographical location. + name: ocsf.dst_endpoint.location.desc + type: keyword +ocsf.dst_endpoint.location.is_on_premises: + description: The indication of whether the location is on premises. + name: ocsf.dst_endpoint.location.is_on_premises + type: boolean +ocsf.dst_endpoint.location.isp: + description: The name of the Internet Service Provider (ISP). + name: ocsf.dst_endpoint.location.isp + type: keyword +ocsf.dst_endpoint.location.postal_code: + description: The postal code of the location. + name: ocsf.dst_endpoint.location.postal_code + type: keyword +ocsf.dst_endpoint.location.provider: + description: The provider of the geographical location data. + name: ocsf.dst_endpoint.location.provider + type: keyword +ocsf.dst_endpoint.location.region: + description: + The alphanumeric code that identifies the principal subdivision (e.g. + province or state) of the country. Region codes are defined at ISO 3166-2 and + have a limit of three characters. For example, see the region codes for the US. + name: ocsf.dst_endpoint.location.region + type: keyword +ocsf.dst_endpoint.mac: + description: The Media Access Control (MAC) address of the endpoint. + name: ocsf.dst_endpoint.mac + type: keyword +ocsf.dst_endpoint.name: + description: The short name of the endpoint. + name: ocsf.dst_endpoint.name + type: keyword +ocsf.dst_endpoint.port: + description: The port used for communication within the network connection. + name: ocsf.dst_endpoint.port + type: long +ocsf.dst_endpoint.subnet_uid: + description: The unique identifier of a virtual subnet. 
+  name: ocsf.dst_endpoint.subnet_uid
+  type: keyword
+ocsf.dst_endpoint.svc_name:
+  description:
+    The service name in service-to-service connections. For example, AWS
+    VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection
+    is coming from or going to an AWS service.
+  name: ocsf.dst_endpoint.svc_name
+  type: keyword
+ocsf.dst_endpoint.uid:
+  description: The unique identifier of the endpoint.
+  name: ocsf.dst_endpoint.uid
+  type: keyword
+ocsf.dst_endpoint.vlan_uid:
+  description: The Virtual LAN identifier.
+  name: ocsf.dst_endpoint.vlan_uid
+  type: keyword
+ocsf.dst_endpoint.vpc_uid:
+  description: The unique identifier of the Virtual Private Cloud (VPC).
+  name: ocsf.dst_endpoint.vpc_uid
+  type: keyword
+ocsf.duration:
+  description:
+    The event duration or aggregate time, the amount of time the event
+    covers from start_time to end_time in milliseconds.
+  name: ocsf.duration
+  type: long
+ocsf.email.cc:
+  description: The email header Cc values, as defined by RFC 5322.
+  name: ocsf.email.cc
+  type: keyword
+ocsf.email.delivered_to:
+  description: The Delivered-To email header field.
+  name: ocsf.email.delivered_to
+  type: keyword
+ocsf.email.from:
+  description: The email header From values, as defined by RFC 5322.
+  name: ocsf.email.from
+  type: keyword
+ocsf.email.message_uid:
+  description: The email header Message-Id value, as defined by RFC 5322.
+  name: ocsf.email.message_uid
+  type: keyword
+ocsf.email.raw_header:
+  description: The email authentication header.
+  name: ocsf.email.raw_header
+  type: keyword
+ocsf.email.reply_to:
+  description: The email header Reply-To values, as defined by RFC 5322.
+  name: ocsf.email.reply_to
+  type: keyword
+ocsf.email.size:
+  description: The size in bytes of the email, including attachments.
+  name: ocsf.email.size
+  type: long
+ocsf.email.smtp_from:
+  description: The value of the SMTP MAIL FROM command.
+  name: ocsf.email.smtp_from
+  type: keyword
+ocsf.email.smtp_to:
+  description: The value of the SMTP envelope RCPT TO command.
+  name: ocsf.email.smtp_to
+  type: keyword
+ocsf.email.subject:
+  description: The email header Subject value, as defined by RFC 5322.
+  name: ocsf.email.subject
+  type: keyword
+ocsf.email.to:
+  description: The email header To values, as defined by RFC 5322.
+  name: ocsf.email.to
+  type: keyword
+ocsf.email.uid:
+  description: The email unique identifier.
+  name: ocsf.email.uid
+  type: keyword
+ocsf.email.x_originating_ip:
+  description: The X-Originating-IP header identifying the emails originating IP address(es).
+  name: ocsf.email.x_originating_ip
+  type: ip
+ocsf.email_auth.dkim:
+  description: The DomainKeys Identified Mail (DKIM) status of the email.
+  name: ocsf.email_auth.dkim
+  type: keyword
+ocsf.email_auth.dkim_domain:
+  description: The DomainKeys Identified Mail (DKIM) signing domain of the email.
+  name: ocsf.email_auth.dkim_domain
+  type: keyword
+ocsf.email_auth.dkim_signature:
+  description:
+    The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving
+    system.
+  name: ocsf.email_auth.dkim_signature
+  type: keyword
+ocsf.email_auth.dmarc:
+  description:
+    The Domain-based Message Authentication, Reporting and Conformance
+    (DMARC) status of the email.
+  name: ocsf.email_auth.dmarc
+  type: keyword
+ocsf.email_auth.dmarc_override:
+  description:
+    The Domain-based Message Authentication, Reporting and Conformance
+    (DMARC) override action.
+  name: ocsf.email_auth.dmarc_override
+  type: keyword
+ocsf.email_auth.dmarc_policy:
+  description:
+    The Domain-based Message Authentication, Reporting and Conformance
+    (DMARC) policy status.
+  name: ocsf.email_auth.dmarc_policy
+  type: keyword
+ocsf.email_auth.spf:
+  description: The Sender Policy Framework (SPF) status of the email.
+  name: ocsf.email_auth.spf
+  type: keyword
+ocsf.email_uid:
+  description:
+    The unique identifier of the email, used to correlate related email
+    alert and activity events.
+  name: ocsf.email_uid
+  type: keyword
+ocsf.end_time:
+  description:
+    The end time of a time period, or the time of the most recent event
+    included in the aggregate event.
+  name: ocsf.end_time
+  type: date
+ocsf.end_time_dt:
+  description:
+    The end time of a time period, or the time of the most recent event
+    included in the aggregate event.
+  name: ocsf.end_time_dt
+  type: date
+ocsf.enrichments.data:
+  description:
+    The enrichment data associated with the attribute and value. The meaning
+    of this data depends on the type the enrichment record.
+  name: ocsf.enrichments.data
+  type: flattened
+ocsf.enrichments.name:
+  description: The name of the attribute to which the enriched data pertains.
+  name: ocsf.enrichments.name
+  type: keyword
+ocsf.enrichments.provider:
+  description: The enrichment data provider name.
+  name: ocsf.enrichments.provider
+  type: keyword
+ocsf.enrichments.type:
+  description: The enrichment type. For example, location.
+  name: ocsf.enrichments.type
+  type: keyword
+ocsf.enrichments.value:
+  description: The value of the attribute to which the enriched data pertains.
+  name: ocsf.enrichments.value
+  type: keyword
+ocsf.entity.data:
+  description: The managed entity content as a JSON object.
+  name: ocsf.entity.data
+  type: flattened
+ocsf.entity.name:
+  description: The name of the managed entity.
+  name: ocsf.entity.name
+  type: keyword
+ocsf.entity.type:
+  description: The managed entity type.
+  name: ocsf.entity.type
+  type: keyword
+ocsf.entity.uid:
+  description: The identifier of the managed entity.
+  name: ocsf.entity.uid
+  type: keyword
+ocsf.entity.version:
+  description: The version of the managed entity.
+  name: ocsf.entity.version
+  type: keyword
+ocsf.entity_result.data:
+  description: The managed entity content as a JSON object.
+  name: ocsf.entity_result.data
+  type: flattened
+ocsf.entity_result.name:
+  description: The name of the managed entity.
+  name: ocsf.entity_result.name
+  type: keyword
+ocsf.entity_result.type:
+  description: The managed entity type.
+  name: ocsf.entity_result.type
+  type: keyword
+ocsf.entity_result.uid:
+  description: The identifier of the managed entity.
+  name: ocsf.entity_result.uid
+  type: keyword
+ocsf.entity_result.version:
+  description: The version of the managed entity.
+  name: ocsf.entity_result.version
+  type: keyword
+ocsf.evidence:
+  description: The data the finding exposes to the analyst.
+  name: ocsf.evidence
+  type: flattened
+ocsf.exit_code:
+  description:
+    The exit code reported by a process when it terminates. The convention
+    is that zero indicates success and any non-zero exit code indicates that some
+    error occurred.
+  name: ocsf.exit_code
+  type: keyword
+ocsf.expiration_time:
+  description: The share expiration time.
+  name: ocsf.expiration_time
+  type: date
+ocsf.expiration_time_dt:
+  description: The share expiration time.
+  name: ocsf.expiration_time_dt
+  type: date
+ocsf.file.accessed_time:
+  description: The time when the file was last accessed.
+  name: ocsf.file.accessed_time
+  type: date
+ocsf.file.accessed_time_dt:
+  description: The time when the file was last accessed.
+  name: ocsf.file.accessed_time_dt
+  type: date
+ocsf.file.accessor.account.name:
+  description: The name of the account (e.g. GCP Account Name).
+  name: ocsf.file.accessor.account.name
+  type: keyword
+ocsf.file.accessor.account.type:
+  description:
+    The account type, normalized to the caption of 'account_type_id'. In
+    the case of 'Other', it is defined by the event source.
+  name: ocsf.file.accessor.account.type
+  type: keyword
+ocsf.file.accessor.account.type_id:
+  description: The normalized account type identifier.
+  name: ocsf.file.accessor.account.type_id
+  type: keyword
+ocsf.file.accessor.account.uid:
+  description: The unique identifier of the account (e.g. AWS Account ID).
+  name: ocsf.file.accessor.account.uid
+  type: keyword
+ocsf.file.accessor.credential_uid:
+  description:
+    The unique identifier of the user's credential. For example, AWS Access
+    Key ID.
+  name: ocsf.file.accessor.credential_uid
+  type: keyword
+ocsf.file.accessor.domain:
+  description:
+    "The domain where the user is defined. For example: the LDAP or Active
+    Directory domain."
+  name: ocsf.file.accessor.domain
+  type: keyword
+ocsf.file.accessor.email_addr:
+  description: The user's email address.
+  name: ocsf.file.accessor.email_addr
+  type: keyword
+ocsf.file.accessor.full_name:
+  description:
+    The full name of the person, as per the LDAP Common Name attribute
+    (cn).
+  name: ocsf.file.accessor.full_name
+  type: keyword
+ocsf.file.accessor.groups.desc:
+  description: The group description.
+  name: ocsf.file.accessor.groups.desc
+  type: keyword
+ocsf.file.accessor.groups.name:
+  description: The group name.
+  name: ocsf.file.accessor.groups.name
+  type: keyword
+ocsf.file.accessor.groups.privileges:
+  description: The group privileges.
+  name: ocsf.file.accessor.groups.privileges
+  type: keyword
+ocsf.file.accessor.groups.type:
+  description: The type of the group or account.
+  name: ocsf.file.accessor.groups.type
+  type: keyword
+ocsf.file.accessor.groups.uid:
+  description:
+    The unique identifier of the group. For example, for Windows events
+    this is the security identifier (SID) of the group.
+  name: ocsf.file.accessor.groups.uid
+  type: keyword
+ocsf.file.accessor.name:
+  description: The username. For example, janedoe1.
+  name: ocsf.file.accessor.name
+  type: keyword
+ocsf.file.accessor.org.name:
+  description: The name of the organization. For example, Widget, Inc.
+  name: ocsf.file.accessor.org.name
+  type: keyword
+ocsf.file.accessor.org.ou_name:
+  description:
+    The name of the organizational unit, within an organization. For example,
+    Finance, IT, R&D.
+  name: ocsf.file.accessor.org.ou_name
+  type: keyword
+ocsf.file.accessor.org.ou_uid:
+  description:
+    The alternate identifier for an entity's unique identifier. For example,
+    its Active Directory OU DN or AWS OU ID.
+  name: ocsf.file.accessor.org.ou_uid
+  type: keyword
+ocsf.file.accessor.org.uid:
+  description:
+    The unique identifier of the organization. For example, its Active
+    Directory or AWS Org ID.
+  name: ocsf.file.accessor.org.uid
+  type: keyword
+ocsf.file.accessor.type:
+  description: The type of the user. For example, System, AWS IAM User, etc.
+  name: ocsf.file.accessor.type
+  type: keyword
+ocsf.file.accessor.type_id:
+  description: The account type identifier.
+  name: ocsf.file.accessor.type_id
+  type: keyword
+ocsf.file.accessor.uid:
+  description:
+    The unique user identifier. For example, the Windows user SID, ActiveDirectory
+    DN or AWS user ARN.
+  name: ocsf.file.accessor.uid
+  type: keyword
+ocsf.file.accessor.uid_alt:
+  description:
+    The alternate user identifier. For example, the Active Directory user
+    GUID or AWS user Principal ID.
+  name: ocsf.file.accessor.uid_alt
+  type: keyword
+ocsf.file.attributes:
+  description: The Bitmask value that represents the file attributes.
+  name: ocsf.file.attributes
+  type: long
+ocsf.file.company_name:
+  description:
+    "The name of the company that published the file. For example: Microsoft
+    Corporation."
+  name: ocsf.file.company_name
+  type: keyword
+ocsf.file.confidentiality:
+  description:
+    The file content confidentiality, normalized to the confidentiality_id
+    value. In the case of 'Other', it is defined by the event source.
+  name: ocsf.file.confidentiality
+  type: keyword
+ocsf.file.confidentiality_id:
+  description: The normalized identifier of the file content confidentiality indicator.
+  name: ocsf.file.confidentiality_id
+  type: keyword
+ocsf.file.created_time:
+  description: The time when the file was created.
+  name: ocsf.file.created_time
+  type: date
+ocsf.file.created_time_dt:
+  description: The time when the file was created.
+  name: ocsf.file.created_time_dt
+  type: date
+ocsf.file.creator.account.name:
+  description: The name of the account (e.g. GCP Account Name).
+  name: ocsf.file.creator.account.name
+  type: keyword
+ocsf.file.creator.account.type:
+  description:
+    The account type, normalized to the caption of 'account_type_id'. In
+    the case of 'Other', it is defined by the event source.
+  name: ocsf.file.creator.account.type
+  type: keyword
+ocsf.file.creator.account.type_id:
+  description: The normalized account type identifier.
+  name: ocsf.file.creator.account.type_id
+  type: keyword
+ocsf.file.creator.account.uid:
+  description: The unique identifier of the account (e.g. AWS Account ID).
+  name: ocsf.file.creator.account.uid
+  type: keyword
+ocsf.file.creator.credential_uid:
+  description:
+    The unique identifier of the user's credential. For example, AWS Access
+    Key ID.
+  name: ocsf.file.creator.credential_uid
+  type: keyword
+ocsf.file.creator.domain:
+  description:
+    "The domain where the user is defined. For example: the LDAP or Active
+    Directory domain."
+  name: ocsf.file.creator.domain
+  type: keyword
+ocsf.file.creator.email_addr:
+  description: The user's email address.
+  name: ocsf.file.creator.email_addr
+  type: keyword
+ocsf.file.creator.full_name:
+  description:
+    The full name of the person, as per the LDAP Common Name attribute
+    (cn).
+  name: ocsf.file.creator.full_name
+  type: keyword
+ocsf.file.creator.groups.desc:
+  description: The group description.
+  name: ocsf.file.creator.groups.desc
+  type: keyword
+ocsf.file.creator.groups.name:
+  description: The group name.
+  name: ocsf.file.creator.groups.name
+  type: keyword
+ocsf.file.creator.groups.privileges:
+  description: The group privileges.
+  name: ocsf.file.creator.groups.privileges
+  type: keyword
+ocsf.file.creator.groups.type:
+  description: The type of the group or account.
+  name: ocsf.file.creator.groups.type
+  type: keyword
+ocsf.file.creator.groups.uid:
+  description:
+    The unique identifier of the group. For example, for Windows events
+    this is the security identifier (SID) of the group.
+  name: ocsf.file.creator.groups.uid
+  type: keyword
+ocsf.file.creator.name:
+  description: The username. For example, janedoe1.
+  name: ocsf.file.creator.name
+  type: keyword
+ocsf.file.creator.org.name:
+  description: The name of the organization. For example, Widget, Inc.
+  name: ocsf.file.creator.org.name
+  type: keyword
+ocsf.file.creator.org.ou_name:
+  description:
+    The name of the organizational unit, within an organization. For example,
+    Finance, IT, R&D.
+  name: ocsf.file.creator.org.ou_name
+  type: keyword
+ocsf.file.creator.org.ou_uid:
+  description:
+    The alternate identifier for an entity's unique identifier. For example,
+    its Active Directory OU DN or AWS OU ID.
+  name: ocsf.file.creator.org.ou_uid
+  type: keyword
+ocsf.file.creator.org.uid:
+  description:
+    The unique identifier of the organization. For example, its Active
+    Directory or AWS Org ID.
+  name: ocsf.file.creator.org.uid
+  type: keyword
+ocsf.file.creator.type:
+  description: The type of the user. For example, System, AWS IAM User, etc.
+  name: ocsf.file.creator.type
+  type: keyword
+ocsf.file.creator.type_id:
+  description: The account type identifier.
+  name: ocsf.file.creator.type_id
+  type: keyword
+ocsf.file.creator.uid:
+  description:
+    The unique user identifier. For example, the Windows user SID, ActiveDirectory
+    DN or AWS user ARN.
+  name: ocsf.file.creator.uid
+  type: keyword
+ocsf.file.creator.uid_alt:
+  description:
+    The alternate user identifier. For example, the Active Directory user
+    GUID or AWS user Principal ID.
+  name: ocsf.file.creator.uid_alt
+  type: keyword
+ocsf.file.desc:
+  description:
+    "The description of the file, as returned by file system. For example:
+    the description as returned by the Unix file command or the Windows file type."
+  name: ocsf.file.desc
+  type: keyword
+ocsf.file.hashes.algorithm:
+  description:
+    The hash algorithm used to create the digital fingerprint, normalized
+    to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
+    event source.
+  name: ocsf.file.hashes.algorithm
+  type: keyword
+ocsf.file.hashes.algorithm_id:
+  description:
+    The identifier of the normalized hash algorithm, which was used to
+    create the digital fingerprint.
+  name: ocsf.file.hashes.algorithm_id
+  type: keyword
+ocsf.file.hashes.value:
+  description: The digital fingerprint value.
+  name: ocsf.file.hashes.value
+  type: keyword
+ocsf.file.is_system:
+  description: The indication of whether the object is part of the operating system.
+  name: ocsf.file.is_system
+  type: boolean
+ocsf.file.mime_type:
+  description:
+    The Multipurpose Internet Mail Extensions (MIME) type of the file,
+    if applicable.
+  name: ocsf.file.mime_type
+  type: keyword
+ocsf.file.modified_time:
+  description: The time when the file was last modified.
+  name: ocsf.file.modified_time
+  type: date
+ocsf.file.modified_time_dt:
+  description: The time when the file was last modified.
+  name: ocsf.file.modified_time_dt
+  type: date
+ocsf.file.modifier.account.name:
+  description: The name of the account (e.g. GCP Account Name).
+  name: ocsf.file.modifier.account.name
+  type: keyword
+ocsf.file.modifier.account.type:
+  description:
+    The account type, normalized to the caption of 'account_type_id'. In
+    the case of 'Other', it is defined by the event source.
+  name: ocsf.file.modifier.account.type
+  type: keyword
+ocsf.file.modifier.account.type_id:
+  description: The normalized account type identifier.
+  name: ocsf.file.modifier.account.type_id
+  type: keyword
+ocsf.file.modifier.account.uid:
+  description: The unique identifier of the account (e.g. AWS Account ID).
+  name: ocsf.file.modifier.account.uid
+  type: keyword
+ocsf.file.modifier.credential_uid:
+  description:
+    The unique identifier of the user's credential. For example, AWS Access
+    Key ID.
+  name: ocsf.file.modifier.credential_uid
+  type: keyword
+ocsf.file.modifier.domain:
+  description:
+    "The domain where the user is defined. For example: the LDAP or Active
+    Directory domain."
+  name: ocsf.file.modifier.domain
+  type: keyword
+ocsf.file.modifier.email_addr:
+  description: The user's email address.
+  name: ocsf.file.modifier.email_addr
+  type: keyword
+ocsf.file.modifier.full_name:
+  description:
+    The full name of the person, as per the LDAP Common Name attribute
+    (cn).
+  name: ocsf.file.modifier.full_name
+  type: keyword
+ocsf.file.modifier.groups.desc:
+  description: The group description.
+  name: ocsf.file.modifier.groups.desc
+  type: keyword
+ocsf.file.modifier.groups.name:
+  description: The group name.
+  name: ocsf.file.modifier.groups.name
+  type: keyword
+ocsf.file.modifier.groups.privileges:
+  description: The group privileges.
+  name: ocsf.file.modifier.groups.privileges
+  type: keyword
+ocsf.file.modifier.groups.type:
+  description: The type of the group or account.
+  name: ocsf.file.modifier.groups.type
+  type: keyword
+ocsf.file.modifier.groups.uid:
+  description:
+    The unique identifier of the group. For example, for Windows events
+    this is the security identifier (SID) of the group.
+  name: ocsf.file.modifier.groups.uid
+  type: keyword
+ocsf.file.modifier.name:
+  description: The username. For example, janedoe1.
+  name: ocsf.file.modifier.name
+  type: keyword
+ocsf.file.modifier.org.name:
+  description: The name of the organization. For example, Widget, Inc.
+  name: ocsf.file.modifier.org.name
+  type: keyword
+ocsf.file.modifier.org.ou_name:
+  description:
+    The name of the organizational unit, within an organization. For example,
+    Finance, IT, R&D.
+  name: ocsf.file.modifier.org.ou_name
+  type: keyword
+ocsf.file.modifier.org.ou_uid:
+  description:
+    The alternate identifier for an entity's unique identifier. For example,
+    its Active Directory OU DN or AWS OU ID.
+  name: ocsf.file.modifier.org.ou_uid
+  type: keyword
+ocsf.file.modifier.org.uid:
+  description:
+    The unique identifier of the organization. For example, its Active
+    Directory or AWS Org ID.
+  name: ocsf.file.modifier.org.uid
+  type: keyword
+ocsf.file.modifier.type:
+  description: The type of the user. For example, System, AWS IAM User, etc.
+  name: ocsf.file.modifier.type
+  type: keyword
+ocsf.file.modifier.type_id:
+  description: The account type identifier.
+  name: ocsf.file.modifier.type_id
+  type: keyword
+ocsf.file.modifier.uid:
+  description:
+    The unique user identifier. For example, the Windows user SID, ActiveDirectory
+    DN or AWS user ARN.
+  name: ocsf.file.modifier.uid
+  type: keyword
+ocsf.file.modifier.uid_alt:
+  description:
+    The alternate user identifier. For example, the Active Directory user
+    GUID or AWS user Principal ID.
+  name: ocsf.file.modifier.uid_alt
+  type: keyword
+ocsf.file.name:
+  description: "The name of the file. For example: svchost.exe."
+  name: ocsf.file.name
+  type: keyword
+ocsf.file.owner.account.name:
+  description: The name of the account (e.g. GCP Account Name).
+  name: ocsf.file.owner.account.name
+  type: keyword
+ocsf.file.owner.account.type:
+  description:
+    The account type, normalized to the caption of 'account_type_id'. In
+    the case of 'Other', it is defined by the event source.
+  name: ocsf.file.owner.account.type
+  type: keyword
+ocsf.file.owner.account.type_id:
+  description: The normalized account type identifier.
+  name: ocsf.file.owner.account.type_id
+  type: keyword
+ocsf.file.owner.account.uid:
+  description: The unique identifier of the account (e.g. AWS Account ID).
+  name: ocsf.file.owner.account.uid
+  type: keyword
+ocsf.file.owner.credential_uid:
+  description:
+    The unique identifier of the user's credential. For example, AWS Access
+    Key ID.
+  name: ocsf.file.owner.credential_uid
+  type: keyword
+ocsf.file.owner.domain:
+  description:
+    "The domain where the user is defined. For example: the LDAP or Active
+    Directory domain."
+  name: ocsf.file.owner.domain
+  type: keyword
+ocsf.file.owner.email_addr:
+  description: The user's email address.
+  name: ocsf.file.owner.email_addr
+  type: keyword
+ocsf.file.owner.full_name:
+  description:
+    The full name of the person, as per the LDAP Common Name attribute
+    (cn).
+  name: ocsf.file.owner.full_name
+  type: keyword
+ocsf.file.owner.groups.desc:
+  description: The group description.
+  name: ocsf.file.owner.groups.desc
+  type: keyword
+ocsf.file.owner.groups.name:
+  description: The group name.
+  name: ocsf.file.owner.groups.name
+  type: keyword
+ocsf.file.owner.groups.privileges:
+  description: The group privileges.
+  name: ocsf.file.owner.groups.privileges
+  type: keyword
+ocsf.file.owner.groups.type:
+  description: The type of the group or account.
+  name: ocsf.file.owner.groups.type
+  type: keyword
+ocsf.file.owner.groups.uid:
+  description:
+    The unique identifier of the group. For example, for Windows events
+    this is the security identifier (SID) of the group.
+  name: ocsf.file.owner.groups.uid
+  type: keyword
+ocsf.file.owner.name:
+  description: The username. For example, janedoe1.
+  name: ocsf.file.owner.name
+  type: keyword
+ocsf.file.owner.org.name:
+  description: The name of the organization. For example, Widget, Inc.
+  name: ocsf.file.owner.org.name
+  type: keyword
+ocsf.file.owner.org.ou_name:
+  description:
+    The name of the organizational unit, within an organization. For example,
+    Finance, IT, R&D.
+  name: ocsf.file.owner.org.ou_name
+  type: keyword
+ocsf.file.owner.org.ou_uid:
+  description:
+    The alternate identifier for an entity's unique identifier. For example,
+    its Active Directory OU DN or AWS OU ID.
+  name: ocsf.file.owner.org.ou_uid
+  type: keyword
+ocsf.file.owner.org.uid:
+  description:
+    The unique identifier of the organization. For example, its Active
+    Directory or AWS Org ID.
+  name: ocsf.file.owner.org.uid
+  type: keyword
+ocsf.file.owner.type:
+  description: The type of the user. For example, System, AWS IAM User, etc.
+  name: ocsf.file.owner.type
+  type: keyword
+ocsf.file.owner.type_id:
+  description: The account type identifier.
+  name: ocsf.file.owner.type_id
+  type: keyword
+ocsf.file.owner.uid:
+  description:
+    The unique user identifier. For example, the Windows user SID, ActiveDirectory
+    DN or AWS user ARN.
+  name: ocsf.file.owner.uid
+  type: keyword
+ocsf.file.owner.uid_alt:
+  description:
+    The alternate user identifier. For example, the Active Directory user
+    GUID or AWS user Principal ID.
+  name: ocsf.file.owner.uid_alt
+  type: keyword
+ocsf.file.parent_folder:
+  description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+  name: ocsf.file.parent_folder
+  type: keyword
+ocsf.file.path:
+  description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+  name: ocsf.file.path
+  type: keyword
+ocsf.file.product.feature.name:
+  description: The name of the feature.
+  name: ocsf.file.product.feature.name
+  type: keyword
+ocsf.file.product.feature.uid:
+  description: The unique identifier of the feature.
+  name: ocsf.file.product.feature.uid
+  type: keyword
+ocsf.file.product.feature.version:
+  description: The version of the feature.
+  name: ocsf.file.product.feature.version
+  type: keyword
+ocsf.file.product.lang:
+  description:
+    "The two letter lower case language codes, as defined by ISO 639-1.
+    For example: en (English), de (German), or fr (French)."
+  name: ocsf.file.product.lang
+  type: keyword
+ocsf.file.product.name:
+  description: The name of the product.
+  name: ocsf.file.product.name
+  type: keyword
+ocsf.file.product.path:
+  description: The installation path of the product.
+  name: ocsf.file.product.path
+  type: keyword
+ocsf.file.product.uid:
+  description: The unique identifier of the product.
+  name: ocsf.file.product.uid
+  type: keyword
+ocsf.file.product.url_string:
+  description: The URL pointing towards the product.
+  name: ocsf.file.product.url_string
+  type: keyword
+ocsf.file.product.vendor_name:
+  description: The name of the vendor of the product.
+  name: ocsf.file.product.vendor_name
+  type: keyword
+ocsf.file.product.version:
+  description:
+    "The version of the product, as defined by the event source. For example:
+    2013.1.3-beta."
+  name: ocsf.file.product.version
+  type: keyword
+ocsf.file.security_descriptor:
+  description: The object security descriptor.
+  name: ocsf.file.security_descriptor
+  type: keyword
+ocsf.file.signature.algorithm:
+  description:
+    The digital signature algorithm used to create the signature, normalized
+    to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
+    event source.
+  name: ocsf.file.signature.algorithm
+  type: keyword
+ocsf.file.signature.algorithm_id:
+  description: The identifier of the normalized digital signature algorithm.
+  name: ocsf.file.signature.algorithm_id
+  type: keyword
+ocsf.file.signature.certificate.created_time:
+  description: The time when the certificate was created.
+  name: ocsf.file.signature.certificate.created_time
+  type: date
+ocsf.file.signature.certificate.created_time_dt:
+  description: The time when the certificate was created.
+  name: ocsf.file.signature.certificate.created_time_dt
+  type: date
+ocsf.file.signature.certificate.expiration_time:
+  description: The expiration time of the certificate.
+  name: ocsf.file.signature.certificate.expiration_time
+  type: date
+ocsf.file.signature.certificate.expiration_time_dt:
+  description: The expiration time of the certificate.
+  name: ocsf.file.signature.certificate.expiration_time_dt
+  type: date
+ocsf.file.signature.certificate.fingerprints.algorithm:
+  description:
+    The hash algorithm used to create the digital fingerprint, normalized
+    to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
+    event source.
+  name: ocsf.file.signature.certificate.fingerprints.algorithm
+  type: keyword
+ocsf.file.signature.certificate.fingerprints.algorithm_id:
+  description:
+    The identifier of the normalized hash algorithm, which was used to
+    create the digital fingerprint.
+  name: ocsf.file.signature.certificate.fingerprints.algorithm_id
+  type: keyword
+ocsf.file.signature.certificate.fingerprints.value:
+  description: The digital fingerprint value.
+  name: ocsf.file.signature.certificate.fingerprints.value
+  type: keyword
+ocsf.file.signature.certificate.issuer:
+  description: The certificate issuer distinguished name.
+  name: ocsf.file.signature.certificate.issuer
+  type: keyword
+ocsf.file.signature.certificate.serial_number:
+  description: The serial number of the certificate used to create the digital signature.
+  name: ocsf.file.signature.certificate.serial_number
+  type: keyword
+ocsf.file.signature.certificate.subject:
+  description: The certificate subject distinguished name.
+  name: ocsf.file.signature.certificate.subject
+  type: keyword
+ocsf.file.signature.certificate.version:
+  description: The certificate version.
+  name: ocsf.file.signature.certificate.version
+  type: keyword
+ocsf.file.signature.created_time:
+  description: The time when the digital signature was created.
+  name: ocsf.file.signature.created_time
+  type: date
+ocsf.file.signature.created_time_dt:
+  description: The time when the digital signature was created.
+  name: ocsf.file.signature.created_time_dt
+  type: date
+ocsf.file.signature.developer_uid:
+  description: The developer ID on the certificate that signed the file.
+  name: ocsf.file.signature.developer_uid
+  type: keyword
+ocsf.file.signature.digest.algorithm:
+  description:
+    The hash algorithm used to create the digital fingerprint, normalized
+    to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
+    event source.
+  name: ocsf.file.signature.digest.algorithm
+  type: keyword
+ocsf.file.signature.digest.algorithm_id:
+  description:
+    The identifier of the normalized hash algorithm, which was used to
+    create the digital fingerprint.
+  name: ocsf.file.signature.digest.algorithm_id
+  type: keyword
+ocsf.file.signature.digest.value:
+  description: The digital fingerprint value.
+  name: ocsf.file.signature.digest.value
+  type: keyword
+ocsf.file.size:
+  description: The size of data, in bytes.
+  name: ocsf.file.size
+  type: long
+ocsf.file.type:
+  description: The file type.
+  name: ocsf.file.type
+  type: keyword
+ocsf.file.type_id:
+  description: The file type ID.
+  name: ocsf.file.type_id
+  type: keyword
+ocsf.file.uid:
+  description:
+    The unique identifier of the file as defined by the storage system,
+    such the file system file ID.
+  name: ocsf.file.uid
+  type: keyword
+ocsf.file.version:
+  description: "The file version. For example: 8.0.7601.17514."
+  name: ocsf.file.version
+  type: keyword
+ocsf.file.xattributes:
+  description:
+    An unordered collection of zero or more name/value pairs where each
+    pair represents a file or folder extended attribute.
+  name: ocsf.file.xattributes
+  type: flattened
+ocsf.file_diff:
+  description:
+    File content differences used for change detection. For example, a
+    common use case is to identify itemized changes within INI or configuration/property
+    setting values.
+  name: ocsf.file_diff
+  type: keyword
+ocsf.file_result.accessed_time:
+  description: The time when the file was last accessed.
+  name: ocsf.file_result.accessed_time
+  type: date
+ocsf.file_result.accessed_time_dt:
+  description: The time when the file was last accessed.
+  name: ocsf.file_result.accessed_time_dt
+  type: date
+ocsf.file_result.accessor.account.name:
+  description: The name of the account (e.g. GCP Account Name).
+  name: ocsf.file_result.accessor.account.name
+  type: keyword
+ocsf.file_result.accessor.account.type:
+  description:
+    The account type, normalized to the caption of 'account_type_id'. In
+    the case of 'Other', it is defined by the event source.
+  name: ocsf.file_result.accessor.account.type
+  type: keyword
+ocsf.file_result.accessor.account.type_id:
+  description: The normalized account type identifier.
+  name: ocsf.file_result.accessor.account.type_id
+  type: keyword
+ocsf.file_result.accessor.account.uid:
+  description: The unique identifier of the account (e.g. AWS Account ID).
+  name: ocsf.file_result.accessor.account.uid
+  type: keyword
+ocsf.file_result.accessor.credential_uid:
+  description:
+    The unique identifier of the user's credential. For example, AWS Access
+    Key ID.
+  name: ocsf.file_result.accessor.credential_uid
+  type: keyword
+ocsf.file_result.accessor.domain:
+  description:
+    "The domain where the user is defined. For example: the LDAP or Active
+    Directory domain."
+  name: ocsf.file_result.accessor.domain
+  type: keyword
+ocsf.file_result.accessor.email_addr:
+  description: The user's email address.
+  name: ocsf.file_result.accessor.email_addr
+  type: keyword
+ocsf.file_result.accessor.full_name:
+  description:
+    The full name of the person, as per the LDAP Common Name attribute
+    (cn).
+  name: ocsf.file_result.accessor.full_name
+  type: keyword
+ocsf.file_result.accessor.groups.desc:
+  description: The group description.
+  name: ocsf.file_result.accessor.groups.desc
+  type: keyword
+ocsf.file_result.accessor.groups.name:
+  description: The group name.
+ name: ocsf.file_result.accessor.groups.name + type: keyword +ocsf.file_result.accessor.groups.privileges: + description: The group privileges. + name: ocsf.file_result.accessor.groups.privileges + type: keyword +ocsf.file_result.accessor.groups.type: + description: The type of the group or account. + name: ocsf.file_result.accessor.groups.type + type: keyword +ocsf.file_result.accessor.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.file_result.accessor.groups.uid + type: keyword +ocsf.file_result.accessor.name: + description: The username. For example, janedoe1. + name: ocsf.file_result.accessor.name + type: keyword +ocsf.file_result.accessor.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.file_result.accessor.org.name + type: keyword +ocsf.file_result.accessor.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.file_result.accessor.org.ou_name + type: keyword +ocsf.file_result.accessor.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.file_result.accessor.org.ou_uid + type: keyword +ocsf.file_result.accessor.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.file_result.accessor.org.uid + type: keyword +ocsf.file_result.accessor.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.file_result.accessor.type + type: keyword +ocsf.file_result.accessor.type_id: + description: The account type identifier. + name: ocsf.file_result.accessor.type_id + type: keyword +ocsf.file_result.accessor.uid: + description: + The unique user identifier. 
For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.file_result.accessor.uid + type: keyword +ocsf.file_result.accessor.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.file_result.accessor.uid_alt + type: keyword +ocsf.file_result.attributes: + description: The Bitmask value that represents the file attributes. + name: ocsf.file_result.attributes + type: long +ocsf.file_result.company_name: + description: + "The name of the company that published the file. For example: Microsoft + Corporation." + name: ocsf.file_result.company_name + type: keyword +ocsf.file_result.confidentiality: + description: + The file content confidentiality, normalized to the confidentiality_id + value. In the case of 'Other', it is defined by the event source. + name: ocsf.file_result.confidentiality + type: keyword +ocsf.file_result.confidentiality_id: + description: The normalized identifier of the file content confidentiality indicator. + name: ocsf.file_result.confidentiality_id + type: keyword +ocsf.file_result.created_time: + description: The time when the file was created. + name: ocsf.file_result.created_time + type: date +ocsf.file_result.created_time_dt: + description: The time when the file was created. + name: ocsf.file_result.created_time_dt + type: date +ocsf.file_result.creator.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.file_result.creator.account.name + type: keyword +ocsf.file_result.creator.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.file_result.creator.account.type + type: keyword +ocsf.file_result.creator.account.type_id: + description: The normalized account type identifier. 
+ name: ocsf.file_result.creator.account.type_id + type: keyword +ocsf.file_result.creator.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.file_result.creator.account.uid + type: keyword +ocsf.file_result.creator.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.file_result.creator.credential_uid + type: keyword +ocsf.file_result.creator.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.file_result.creator.domain + type: keyword +ocsf.file_result.creator.email_addr: + description: The user's email address. + name: ocsf.file_result.creator.email_addr + type: keyword +ocsf.file_result.creator.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.file_result.creator.full_name + type: keyword +ocsf.file_result.creator.groups.desc: + description: The group description. + name: ocsf.file_result.creator.groups.desc + type: keyword +ocsf.file_result.creator.groups.name: + description: The group name. + name: ocsf.file_result.creator.groups.name + type: keyword +ocsf.file_result.creator.groups.privileges: + description: The group privileges. + name: ocsf.file_result.creator.groups.privileges + type: keyword +ocsf.file_result.creator.groups.type: + description: The type of the group or account. + name: ocsf.file_result.creator.groups.type + type: keyword +ocsf.file_result.creator.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.file_result.creator.groups.uid + type: keyword +ocsf.file_result.creator.name: + description: The username. For example, janedoe1. + name: ocsf.file_result.creator.name + type: keyword +ocsf.file_result.creator.org.name: + description: The name of the organization. 
For example, Widget, Inc. + name: ocsf.file_result.creator.org.name + type: keyword +ocsf.file_result.creator.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.file_result.creator.org.ou_name + type: keyword +ocsf.file_result.creator.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.file_result.creator.org.ou_uid + type: keyword +ocsf.file_result.creator.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.file_result.creator.org.uid + type: keyword +ocsf.file_result.creator.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.file_result.creator.type + type: keyword +ocsf.file_result.creator.type_id: + description: The account type identifier. + name: ocsf.file_result.creator.type_id + type: keyword +ocsf.file_result.creator.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.file_result.creator.uid + type: keyword +ocsf.file_result.creator.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.file_result.creator.uid_alt + type: keyword +ocsf.file_result.desc: + description: + "The description of the file, as returned by file system. For example: + the description as returned by the Unix file command or the Windows file type." + name: ocsf.file_result.desc + type: keyword +ocsf.file_result.hashes.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. 
+ name: ocsf.file_result.hashes.algorithm + type: keyword +ocsf.file_result.hashes.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.file_result.hashes.algorithm_id + type: keyword +ocsf.file_result.hashes.value: + description: The digital fingerprint value. + name: ocsf.file_result.hashes.value + type: keyword +ocsf.file_result.is_system: + description: The indication of whether the object is part of the operating system. + name: ocsf.file_result.is_system + type: boolean +ocsf.file_result.mime_type: + description: + The Multipurpose Internet Mail Extensions (MIME) type of the file, + if applicable. + name: ocsf.file_result.mime_type + type: keyword +ocsf.file_result.modified_time: + description: The time when the file was last modified. + name: ocsf.file_result.modified_time + type: date +ocsf.file_result.modified_time_dt: + description: The time when the file was last modified. + name: ocsf.file_result.modified_time_dt + type: date +ocsf.file_result.modifier.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.file_result.modifier.account.name + type: keyword +ocsf.file_result.modifier.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.file_result.modifier.account.type + type: keyword +ocsf.file_result.modifier.account.type_id: + description: The normalized account type identifier. + name: ocsf.file_result.modifier.account.type_id + type: keyword +ocsf.file_result.modifier.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.file_result.modifier.account.uid + type: keyword +ocsf.file_result.modifier.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. 
+ name: ocsf.file_result.modifier.credential_uid + type: keyword +ocsf.file_result.modifier.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.file_result.modifier.domain + type: keyword +ocsf.file_result.modifier.email_addr: + description: The user's email address. + name: ocsf.file_result.modifier.email_addr + type: keyword +ocsf.file_result.modifier.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.file_result.modifier.full_name + type: keyword +ocsf.file_result.modifier.groups.desc: + description: The group description. + name: ocsf.file_result.modifier.groups.desc + type: keyword +ocsf.file_result.modifier.groups.name: + description: The group name. + name: ocsf.file_result.modifier.groups.name + type: keyword +ocsf.file_result.modifier.groups.privileges: + description: The group privileges. + name: ocsf.file_result.modifier.groups.privileges + type: keyword +ocsf.file_result.modifier.groups.type: + description: The type of the group or account. + name: ocsf.file_result.modifier.groups.type + type: keyword +ocsf.file_result.modifier.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.file_result.modifier.groups.uid + type: keyword +ocsf.file_result.modifier.name: + description: The username. For example, janedoe1. + name: ocsf.file_result.modifier.name + type: keyword +ocsf.file_result.modifier.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.file_result.modifier.org.name + type: keyword +ocsf.file_result.modifier.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. 
+ name: ocsf.file_result.modifier.org.ou_name + type: keyword +ocsf.file_result.modifier.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.file_result.modifier.org.ou_uid + type: keyword +ocsf.file_result.modifier.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.file_result.modifier.org.uid + type: keyword +ocsf.file_result.modifier.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.file_result.modifier.type + type: keyword +ocsf.file_result.modifier.type_id: + description: The account type identifier. + name: ocsf.file_result.modifier.type_id + type: keyword +ocsf.file_result.modifier.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.file_result.modifier.uid + type: keyword +ocsf.file_result.modifier.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.file_result.modifier.uid_alt + type: keyword +ocsf.file_result.name: + description: "The name of the file. For example: svchost.exe." + name: ocsf.file_result.name + type: keyword +ocsf.file_result.owner.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.file_result.owner.account.name + type: keyword +ocsf.file_result.owner.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.file_result.owner.account.type + type: keyword +ocsf.file_result.owner.account.type_id: + description: The normalized account type identifier. 
+ name: ocsf.file_result.owner.account.type_id + type: keyword +ocsf.file_result.owner.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.file_result.owner.account.uid + type: keyword +ocsf.file_result.owner.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.file_result.owner.credential_uid + type: keyword +ocsf.file_result.owner.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.file_result.owner.domain + type: keyword +ocsf.file_result.owner.email_addr: + description: The user's email address. + name: ocsf.file_result.owner.email_addr + type: keyword +ocsf.file_result.owner.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.file_result.owner.full_name + type: keyword +ocsf.file_result.owner.groups.desc: + description: The group description. + name: ocsf.file_result.owner.groups.desc + type: keyword +ocsf.file_result.owner.groups.name: + description: The group name. + name: ocsf.file_result.owner.groups.name + type: keyword +ocsf.file_result.owner.groups.privileges: + description: The group privileges. + name: ocsf.file_result.owner.groups.privileges + type: keyword +ocsf.file_result.owner.groups.type: + description: The type of the group or account. + name: ocsf.file_result.owner.groups.type + type: keyword +ocsf.file_result.owner.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.file_result.owner.groups.uid + type: keyword +ocsf.file_result.owner.name: + description: The username. For example, janedoe1. + name: ocsf.file_result.owner.name + type: keyword +ocsf.file_result.owner.org.name: + description: The name of the organization. For example, Widget, Inc. 
+ name: ocsf.file_result.owner.org.name + type: keyword +ocsf.file_result.owner.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.file_result.owner.org.ou_name + type: keyword +ocsf.file_result.owner.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.file_result.owner.org.ou_uid + type: keyword +ocsf.file_result.owner.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.file_result.owner.org.uid + type: keyword +ocsf.file_result.owner.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.file_result.owner.type + type: keyword +ocsf.file_result.owner.type_id: + description: The account type identifier. + name: ocsf.file_result.owner.type_id + type: keyword +ocsf.file_result.owner.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.file_result.owner.uid + type: keyword +ocsf.file_result.owner.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.file_result.owner.uid_alt + type: keyword +ocsf.file_result.parent_folder: + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + name: ocsf.file_result.parent_folder + type: keyword +ocsf.file_result.path: + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + name: ocsf.file_result.path + type: keyword +ocsf.file_result.product.feature.name: + description: The name of the feature. + name: ocsf.file_result.product.feature.name + type: keyword +ocsf.file_result.product.feature.uid: + description: The unique identifier of the feature. 
+ name: ocsf.file_result.product.feature.uid + type: keyword +ocsf.file_result.product.feature.version: + description: The version of the feature. + name: ocsf.file_result.product.feature.version + type: keyword +ocsf.file_result.product.lang: + description: + "The two letter lower case language codes, as defined by ISO 639-1. + For example: en (English), de (German), or fr (French)." + name: ocsf.file_result.product.lang + type: keyword +ocsf.file_result.product.name: + description: The name of the product. + name: ocsf.file_result.product.name + type: keyword +ocsf.file_result.product.path: + description: The installation path of the product. + name: ocsf.file_result.product.path + type: keyword +ocsf.file_result.product.uid: + description: The unique identifier of the product. + name: ocsf.file_result.product.uid + type: keyword +ocsf.file_result.product.vendor_name: + description: The name of the vendor of the product. + name: ocsf.file_result.product.vendor_name + type: keyword +ocsf.file_result.product.version: + description: + "The version of the product, as defined by the event source. For example: + 2013.1.3-beta." + name: ocsf.file_result.product.version + type: keyword +ocsf.file_result.security_descriptor: + description: The object security descriptor. + name: ocsf.file_result.security_descriptor + type: keyword +ocsf.file_result.signature.algorithm: + description: + The digital signature algorithm used to create the signature, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.file_result.signature.algorithm + type: keyword +ocsf.file_result.signature.algorithm_id: + description: The identifier of the normalized digital signature algorithm. + name: ocsf.file_result.signature.algorithm_id + type: keyword +ocsf.file_result.signature.certificate.created_time: + description: The time when the certificate was created. 
+ name: ocsf.file_result.signature.certificate.created_time + type: date +ocsf.file_result.signature.certificate.created_time_dt: + description: The time when the certificate was created. + name: ocsf.file_result.signature.certificate.created_time_dt + type: date +ocsf.file_result.signature.certificate.expiration_time: + description: The expiration time of the certificate. + name: ocsf.file_result.signature.certificate.expiration_time + type: date +ocsf.file_result.signature.certificate.expiration_time_dt: + description: The expiration time of the certificate. + name: ocsf.file_result.signature.certificate.expiration_time_dt + type: date +ocsf.file_result.signature.certificate.fingerprints.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.file_result.signature.certificate.fingerprints.algorithm + type: keyword +ocsf.file_result.signature.certificate.fingerprints.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.file_result.signature.certificate.fingerprints.algorithm_id + type: keyword +ocsf.file_result.signature.certificate.fingerprints.value: + description: The digital fingerprint value. + name: ocsf.file_result.signature.certificate.fingerprints.value + type: keyword +ocsf.file_result.signature.certificate.issuer: + description: The certificate issuer distinguished name. + name: ocsf.file_result.signature.certificate.issuer + type: keyword +ocsf.file_result.signature.certificate.serial_number: + description: The serial number of the certificate used to create the digital signature. + name: ocsf.file_result.signature.certificate.serial_number + type: keyword +ocsf.file_result.signature.certificate.subject: + description: The certificate subject distinguished name. 
+ name: ocsf.file_result.signature.certificate.subject + type: keyword +ocsf.file_result.signature.certificate.version: + description: The certificate version. + name: ocsf.file_result.signature.certificate.version + type: keyword +ocsf.file_result.signature.created_time: + description: The time when the digital signature was created. + name: ocsf.file_result.signature.created_time + type: date +ocsf.file_result.signature.created_time_dt: + description: The time when the digital signature was created. + name: ocsf.file_result.signature.created_time_dt + type: date +ocsf.file_result.signature.developer_uid: + description: The developer ID on the certificate that signed the file. + name: ocsf.file_result.signature.developer_uid + type: keyword +ocsf.file_result.signature.digest.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.file_result.signature.digest.algorithm + type: keyword +ocsf.file_result.signature.digest.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.file_result.signature.digest.algorithm_id + type: keyword +ocsf.file_result.signature.digest.value: + description: The digital fingerprint value. + name: ocsf.file_result.signature.digest.value + type: keyword +ocsf.file_result.size: + description: The size of data, in bytes. + name: ocsf.file_result.size + type: long +ocsf.file_result.type: + description: The file type. + name: ocsf.file_result.type + type: keyword +ocsf.file_result.type_id: + description: The file type ID. + name: ocsf.file_result.type_id + type: keyword +ocsf.file_result.uid: + description: + The unique identifier of the file as defined by the storage system, + such the file system file ID. 
+ name: ocsf.file_result.uid + type: keyword +ocsf.file_result.version: + description: "The file version. For example: 8.0.7601.17514." + name: ocsf.file_result.version + type: keyword +ocsf.file_result.xattributes: + description: + An unordered collection of zero or more name/value pairs where each + pair represents a file or folder extended attribute. + name: ocsf.file_result.xattributes + type: flattened +ocsf.finding.created_time: + description: The time when the finding was created. + name: ocsf.finding.created_time + type: date +ocsf.finding.created_time_dt: + description: The time when the finding was created. + name: ocsf.finding.created_time_dt + type: date +ocsf.finding.desc: + description: The description of the reported finding. + name: ocsf.finding.desc + type: keyword +ocsf.finding.first_seen_time: + description: The time when the finding was first observed. + name: ocsf.finding.first_seen_time + type: date +ocsf.finding.first_seen_time_dt: + description: The time when the finding was first observed. + name: ocsf.finding.first_seen_time_dt + type: date +ocsf.finding.last_seen_time: + description: The time when the finding was most recently observed. + name: ocsf.finding.last_seen_time + type: date +ocsf.finding.last_seen_time_dt: + description: The time when the finding was most recently observed. + name: ocsf.finding.last_seen_time_dt + type: date +ocsf.finding.modified_time: + description: The time when the finding was last modified. + name: ocsf.finding.modified_time + type: date +ocsf.finding.modified_time_dt: + description: The time when the finding was last modified. + name: ocsf.finding.modified_time_dt + type: date +ocsf.finding.product_uid: + description: The unique identifier of the product that reported the finding. + name: ocsf.finding.product_uid + type: keyword +ocsf.finding.related_events.product_uid: + description: The unique identifier of the product that reported the related event. 
+ name: ocsf.finding.related_events.product_uid + type: keyword +ocsf.finding.related_events.type: + description: "The type of the related event. For example: Process Activity: Launch." + name: ocsf.finding.related_events.type + type: keyword +ocsf.finding.related_events.type_uid: + description: "The unique identifier of the related event type. For example: 100701." + name: ocsf.finding.related_events.type_uid + type: keyword +ocsf.finding.related_events.uid: + description: The unique identifier of the related event. + name: ocsf.finding.related_events.uid + type: keyword +ocsf.finding.remediation.desc: + description: The description of the remediation strategy. + name: ocsf.finding.remediation.desc + type: keyword +ocsf.finding.remediation.kb_articles: + description: The KB article/s related to the entity. + name: ocsf.finding.remediation.kb_articles + type: keyword +ocsf.finding.src_url: + description: The URL pointing to the source of the finding. + name: ocsf.finding.src_url + type: keyword +ocsf.finding.supporting_data: + description: Additional data supporting a finding as provided by security tool. + name: ocsf.finding.supporting_data + type: flattened +ocsf.finding.title: + description: The title of the reported finding. + name: ocsf.finding.title + type: keyword +ocsf.finding.types: + description: One or more types of the reported finding. + name: ocsf.finding.types + type: keyword +ocsf.finding.uid: + description: The unique identifier of the reported finding. + name: ocsf.finding.uid + type: keyword +ocsf.group.desc: + description: The group description. + name: ocsf.group.desc + type: keyword +ocsf.group.name: + description: The group name. + name: ocsf.group.name + type: keyword +ocsf.group.privileges: + description: The group privileges. + name: ocsf.group.privileges + type: keyword +ocsf.group.type: + description: The type of the group or account. 
+ name: ocsf.group.type + type: keyword +ocsf.group.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.group.uid + type: keyword +ocsf.http_request.args: + description: The arguments sent along with the HTTP request. + name: ocsf.http_request.args + type: keyword +ocsf.http_request.http_headers.name: + description: The name of the header. + name: ocsf.http_request.http_headers.name + type: keyword +ocsf.http_request.http_headers.value: + description: The value of the header. + name: ocsf.http_request.http_headers.value + type: keyword +ocsf.http_request.http_method: + description: + The HTTP request method indicates the desired action to be performed + for a given resource. + name: ocsf.http_request.http_method + type: keyword +ocsf.http_request.referrer: + description: + The request header that identifies the address of the previous web + page, which is linked to the current web page or resource being requested. + name: ocsf.http_request.referrer + type: keyword +ocsf.http_request.uid: + description: The unique identifier of the http request. + name: ocsf.http_request.uid + type: keyword +ocsf.http_request.url.categories: + description: The Website categorization names, as defined by category_ids enum values. + name: ocsf.http_request.url.categories + type: keyword +ocsf.http_request.url.category_ids: + description: The Website categorization identifies. + name: ocsf.http_request.url.category_ids + type: keyword +ocsf.http_request.url.hostname: + description: + The URL host as extracted from the URL. For example, www.example.com + from www.example.com/download/trouble. + name: ocsf.http_request.url.hostname + type: keyword +ocsf.http_request.url.path: + description: + The URL path as extracted from the URL. For example, /download/trouble + from www.example.com/download/trouble. 
+ name: ocsf.http_request.url.path + type: keyword +ocsf.http_request.url.port: + description: The URL port. For example, 80. + name: ocsf.http_request.url.port + type: long +ocsf.http_request.url.query_string: + description: + The query portion of the URL. For example, the query portion of the + URL http://www.example.com/search?q=bad&sort=date is q=bad&sort=date. + name: ocsf.http_request.url.query_string + type: keyword +ocsf.http_request.url.resource_type: + description: The context in which a resource was retrieved in a web request. + name: ocsf.http_request.url.resource_type + type: keyword +ocsf.http_request.url.scheme: + description: The scheme portion of the URL. For example, http, https, ftp, or sftp. + name: ocsf.http_request.url.scheme + type: keyword +ocsf.http_request.url.subdomain: + description: + The subdomain portion of the URL. For example, sub in https://sub.example.com + or sub2.sub1 in https://sub2.sub1.example.com. + name: ocsf.http_request.url.subdomain + type: keyword +ocsf.http_request.url.url_string: + description: The URL string. See RFC 1738. For example, http://www.example.com/download/trouble.exe. + name: ocsf.http_request.url.url_string + type: keyword +ocsf.http_request.user_agent: + description: The request header that identifies the operating system and web browser. + name: ocsf.http_request.user_agent + type: keyword +ocsf.http_request.version: + description: The Hypertext Transfer Protocol (HTTP) version. + name: ocsf.http_request.version + type: keyword +ocsf.http_request.x_forwarded_for: + description: + The X-Forwarded-For header identifying the originating IP address(es) + of a client connecting to a web server through an HTTP proxy or a load balancer. + name: ocsf.http_request.x_forwarded_for + type: ip +ocsf.http_response.code: + description: The numeric code sent from the web server to the requester. 
+ name: ocsf.http_response.code + type: long +ocsf.http_response.content_type: + description: + The request header that identifies the original media type of the resource + (prior to any content encoding applied for sending). + name: ocsf.http_response.content_type + type: keyword +ocsf.http_response.latency: + description: The HTTP response latency. In seconds, milliseconds, etc. + name: ocsf.http_response.latency + type: long +ocsf.http_response.length: + description: The HTTP response length, in number of bytes. + name: ocsf.http_response.length + type: long +ocsf.http_response.message: + description: The description of the event, as defined by the event source. + name: ocsf.http_response.message + type: keyword +ocsf.http_response.status: + description: The response status. + name: ocsf.http_response.status + type: keyword +ocsf.http_status: + description: + The Hypertext Transfer Protocol (HTTP) status code returned to the + client. + name: ocsf.http_status + type: long +ocsf.identifier_cookie: + description: The client identifier cookie during client/server exchange. + name: ocsf.identifier_cookie + type: keyword +ocsf.impact: + description: + The impact , normalized to the caption of the impact_id value. In the + case of 'Other', it is defined by the event source. + name: ocsf.impact + type: keyword +ocsf.impact_id: + description: The normalized impact of the finding. + name: ocsf.impact_id + type: keyword +ocsf.impact_score: + description: The impact of the finding, valid range 0-100. + name: ocsf.impact_score + type: long +ocsf.injection_type: + description: + The process injection method, normalized to the caption of the injection_type_id + value. In the case of 'Other', it is defined by the event source. + name: ocsf.injection_type + type: keyword +ocsf.injection_type_id: + description: The normalized identifier of the process injection method. 
+ name: ocsf.injection_type_id + type: keyword +ocsf.is_cleartext: + description: + "Indicates whether the credentials were passed in clear text.Note: + True if the credentials were passed in a clear text protocol such as FTP or TELNET, + or if Windows detected that a user's logon password was passed to the authentication + package in clear text." + name: ocsf.is_cleartext + type: boolean +ocsf.is_mfa: + description: Indicates whether Multi Factor Authentication was used during authentication. + name: ocsf.is_mfa + type: boolean +ocsf.is_new_logon: + description: + Indicates logon is from a device not seen before or a first time account + logon. + name: ocsf.is_new_logon + type: boolean +ocsf.is_remote: + description: The attempted authentication is over a remote connection. + name: ocsf.is_remote + type: boolean +ocsf.is_renewal: + description: The indication of whether this is a lease/session renewal event. + name: ocsf.is_renewal + type: boolean +ocsf.kernel.is_system: + description: The indication of whether the object is part of the operating system. + name: ocsf.kernel.is_system + type: boolean +ocsf.kernel.name: + description: The name of the kernel resource. + name: ocsf.kernel.name + type: keyword +ocsf.kernel.path: + description: The full path of the kernel resource. + name: ocsf.kernel.path + type: keyword +ocsf.kernel.system_call: + description: The system call that was invoked. + name: ocsf.kernel.system_call + type: keyword +ocsf.kernel.type: + description: The type of the kernel resource. + name: ocsf.kernel.type + type: keyword +ocsf.kernel.type_id: + description: The type id of the kernel resource. + name: ocsf.kernel.type_id + type: keyword +ocsf.kill_chain.phase: + description: The cyber kill chain phase. + name: ocsf.kill_chain.phase + type: keyword +ocsf.kill_chain.phase_id: + description: The cyber kill chain phase identifier. 
+ name: ocsf.kill_chain.phase_id + type: keyword +ocsf.lease_dur: + description: + This represents the length of the DHCP lease in seconds. This is present + in DHCP Ack events. (activity_id = 1) + name: ocsf.lease_dur + type: long +ocsf.logon_type: + description: + The logon type, normalized to the caption of the logon_type_id value. + In the case of 'Other', it is defined by the event source. + name: ocsf.logon_type + type: keyword +ocsf.logon_type_id: + description: The normalized logon type identifier + name: ocsf.logon_type_id + type: keyword +ocsf.malware.classification_ids: + description: The list of normalized identifiers of the malware classifications. + name: ocsf.malware.classification_ids + type: keyword +ocsf.malware.classifications: + description: + The list of malware classifications, normalized to the captions of + the classification_id values. In the case of 'Other', they are defined by the + event source. + name: ocsf.malware.classifications + type: keyword +ocsf.malware.cves.created_time: + description: + The Record Creation Date identifies when the CVE ID was issued to a + CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. + Note that the Record Creation Date does not necessarily indicate when this vulnerability + was discovered, shared with the affected vendor, publicly disclosed, or updated + in CVE. + name: ocsf.malware.cves.created_time + type: date +ocsf.malware.cves.created_time_dt: + description: + The Record Creation Date identifies when the CVE ID was issued to a + CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. + Note that the Record Creation Date does not necessarily indicate when this vulnerability + was discovered, shared with the affected vendor, publicly disclosed, or updated + in CVE. + name: ocsf.malware.cves.created_time_dt + type: date +ocsf.malware.cves.cvss.base_score: + description: The CVSS base score. 
+ name: ocsf.malware.cves.cvss.base_score + type: double +ocsf.malware.cves.cvss.depth: + description: + The CVSS depth represents a depth of the equation used to calculate + CVSS score. + name: ocsf.malware.cves.cvss.depth + type: keyword +ocsf.malware.cves.cvss.metrics.name: + description: The name of the metric. + name: ocsf.malware.cves.cvss.metrics.name + type: keyword +ocsf.malware.cves.cvss.metrics.value: + description: The value of the metric. + name: ocsf.malware.cves.cvss.metrics.value + type: keyword +ocsf.malware.cves.cvss.overall_score: + description: + The CVSS overall score, impacted by base, temporal, and environmental + metrics. + name: ocsf.malware.cves.cvss.overall_score + type: double +ocsf.malware.cves.cvss.severity: + description: + The Common Vulnerability Scoring System (CVSS) Qualitative Severity + Rating. A textual representation of the numeric score. + name: ocsf.malware.cves.cvss.severity + type: keyword +ocsf.malware.cves.cvss.vector_string: + description: + "The CVSS vector string is a text representation of a set of CVSS metrics. + It is commonly used to record or transfer CVSS metric information in a concise + form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H." + name: ocsf.malware.cves.cvss.vector_string + type: keyword +ocsf.malware.cves.cvss.version: + description: The CVSS version. + name: ocsf.malware.cves.cvss.version + type: keyword +ocsf.malware.cves.cwe_uid: + description: + "The Common Weakness Enumeration (CWE) unique identifier. For example: + CWE-787." + name: ocsf.malware.cves.cwe_uid + type: keyword +ocsf.malware.cves.cwe_url: + description: Common Weakness Enumeration (CWE) definition URL. + name: ocsf.malware.cves.cwe_url + type: keyword +ocsf.malware.cves.modified_time: + description: The Record Modified Date identifies when the CVE record was last updated. 
+ name: ocsf.malware.cves.modified_time + type: date +ocsf.malware.cves.modified_time_dt: + description: The Record Modified Date identifies when the CVE record was last updated. + name: ocsf.malware.cves.modified_time_dt + type: date +ocsf.malware.cves.product.feature.name: + description: The name of the feature. + name: ocsf.malware.cves.product.feature.name + type: keyword +ocsf.malware.cves.product.feature.uid: + description: The unique identifier of the feature. + name: ocsf.malware.cves.product.feature.uid + type: keyword +ocsf.malware.cves.product.feature.version: + description: The version of the feature. + name: ocsf.malware.cves.product.feature.version + type: keyword +ocsf.malware.cves.product.lang: + description: The two letter lower case language codes, as defined by ISO 639-1. + name: ocsf.malware.cves.product.lang + type: keyword +ocsf.malware.cves.product.name: + description: The name of the product. + name: ocsf.malware.cves.product.name + type: keyword +ocsf.malware.cves.product.path: + description: The installation path of the product. + name: ocsf.malware.cves.product.path + type: keyword +ocsf.malware.cves.product.uid: + description: The unique identifier of the product. + name: ocsf.malware.cves.product.uid + type: keyword +ocsf.malware.cves.product.url_string: + description: The URL pointing towards the product. + name: ocsf.malware.cves.product.url_string + type: keyword +ocsf.malware.cves.product.vendor_name: + description: The name of the vendor of the product. + name: ocsf.malware.cves.product.vendor_name + type: keyword +ocsf.malware.cves.product.version: + description: + "The version of the product, as defined by the event source. For example: + 2013.1.3-beta." + name: ocsf.malware.cves.product.version + type: keyword +ocsf.malware.cves.type: + description: + The vulnerability type as selected from a large dropdown menu during + CVE refinement. 
+ name: ocsf.malware.cves.type + type: keyword +ocsf.malware.cves.uid: + description: + "The Common Vulnerabilities and Exposures unique number assigned to + a specific computer vulnerability. A CVE Identifier begins with 4 digits representing + the year followed by a sequence of digits that acts as a unique identifier. For + example: CVE-2021-12345." + name: ocsf.malware.cves.uid + type: keyword +ocsf.malware.name: + description: The malware name, as reported by the detection engine. + name: ocsf.malware.name + type: keyword +ocsf.malware.path: + description: The filesystem path of the malware that was observed. + name: ocsf.malware.path + type: keyword +ocsf.malware.provider: + description: The provider of the malware information. + name: ocsf.malware.provider + type: keyword +ocsf.malware.uid: + description: + The malware unique identifier, as reported by the detection engine. + For example a virus id or an IPS signature id. + name: ocsf.malware.uid + type: keyword +ocsf.message: + description: The description of the event, as defined by the event source. + name: ocsf.message + type: keyword +ocsf.metadata.correlation_uid: + description: The unique identifier used to correlate events. + name: ocsf.metadata.correlation_uid + type: keyword +ocsf.metadata.event_code: + description: The Event ID or Code that the product uses to describe the event. + name: ocsf.metadata.event_code + type: keyword +ocsf.metadata.extension.name: + description: "The schema extension name. For example: dev." + name: ocsf.metadata.extension.name + type: keyword +ocsf.metadata.extension.uid: + description: "The schema extension unique identifier. For example: 999." + name: ocsf.metadata.extension.uid + type: keyword +ocsf.metadata.extension.version: + description: "The schema extension version. For example: 1.0.0-alpha.2." + name: ocsf.metadata.extension.version + type: keyword +ocsf.metadata.labels: + description: + The list of category labels attached to the event or specific attributes. 
+ Labels are user defined tags or aliases added at normalization time. + name: ocsf.metadata.labels + type: keyword +ocsf.metadata.log_name: + description: + "The event log name. For example, syslog file name or Windows logging + subsystem: Security." + name: ocsf.metadata.log_name + type: keyword +ocsf.metadata.log_provider: + description: + The logging provider or logging service that logged the event. For + example, Microsoft-Windows-Security-Auditing. + name: ocsf.metadata.log_provider + type: keyword +ocsf.metadata.log_version: + description: + The event log schema version that specifies the format of the original + event. For example syslog version or Cisco Log Schema Version. + name: ocsf.metadata.log_version + type: keyword +ocsf.metadata.logged_time: + description: + The time when the logging system collected and logged the event. This + attribute is distinct from the event time in that event time typically contain + the time extracted from the original event. Most of the time, these two times + will be different. + name: ocsf.metadata.logged_time + type: date +ocsf.metadata.logged_time_dt: + description: + The time when the logging system collected and logged the event. This + attribute is distinct from the event time in that event time typically contain + the time extracted from the original event. Most of the time, these two times + will be different. + name: ocsf.metadata.logged_time_dt + type: date +ocsf.metadata.modified_time: + description: The time when the event was last modified or enriched. + name: ocsf.metadata.modified_time + type: date +ocsf.metadata.modified_time_dt: + description: The time when the event was last modified or enriched. + name: ocsf.metadata.modified_time_dt + type: date +ocsf.metadata.original_time: + description: + The original event time as reported by the event source. For example, + the time in the original format from system event log such as Syslog on Unix/Linux + and the System event file on Windows. 
Omit if event is generated instead of collected + via logs. + name: ocsf.metadata.original_time + type: keyword +ocsf.metadata.processed_time: + description: The event processed time, such as an ETL operation. + name: ocsf.metadata.processed_time + type: date +ocsf.metadata.processed_time_dt: + description: The event processed time, such as an ETL operation. + name: ocsf.metadata.processed_time_dt + type: date +ocsf.metadata.product.feature.name: + description: The name of the feature. + name: ocsf.metadata.product.feature.name + type: keyword +ocsf.metadata.product.feature.uid: + description: The unique identifier of the feature. + name: ocsf.metadata.product.feature.uid + type: keyword +ocsf.metadata.product.feature.version: + description: The version of the feature. + name: ocsf.metadata.product.feature.version + type: keyword +ocsf.metadata.product.lang: + description: + "The two letter lowercase language codes, as defined by ISO 639-1. + For example: en (English), de (German), or fr (French)." + name: ocsf.metadata.product.lang + type: keyword +ocsf.metadata.product.name: + description: The name of the product. + name: ocsf.metadata.product.name + type: keyword +ocsf.metadata.product.path: + description: The installation path of the product. + name: ocsf.metadata.product.path + type: keyword +ocsf.metadata.product.uid: + description: The unique identifier of the product. + name: ocsf.metadata.product.uid + type: keyword +ocsf.metadata.product.url_string: + description: The URL pointing towards the product. + name: ocsf.metadata.product.url_string + type: keyword +ocsf.metadata.product.vendor_name: + description: The name of the vendor of the product. + name: ocsf.metadata.product.vendor_name + type: keyword +ocsf.metadata.product.version: + description: + "The version of the product, as defined by the event source. For example: + 2013.1.3-beta." 
+ name: ocsf.metadata.product.version + type: keyword +ocsf.metadata.profiles: + description: The list of profiles used to create the event. + name: ocsf.metadata.profiles + type: keyword +ocsf.metadata.sequence: + description: + Sequence number of the event. The sequence number is a value available + in some events, to make the exact ordering of events unambiguous, regardless of + the event time precision. + name: ocsf.metadata.sequence + type: long +ocsf.metadata.uid: + description: The logging system-assigned unique identifier of an event instance. + name: ocsf.metadata.uid + type: keyword +ocsf.metadata.version: + description: + "The version of the OCSF schema, using Semantic Versioning Specification + (SemVer). For example: 1.0.0. Event consumers use the version to determine the + available event attributes." + name: ocsf.metadata.version + type: keyword +ocsf.module.base_address: + description: The memory address where the module was loaded. + name: ocsf.module.base_address + type: keyword +ocsf.module.file.accessed_time: + description: The time when the file was last accessed. + name: ocsf.module.file.accessed_time + type: date +ocsf.module.file.accessed_time_dt: + description: The time when the file was last accessed. + name: ocsf.module.file.accessed_time_dt + type: date +ocsf.module.file.accessor.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.module.file.accessor.account.name + type: keyword +ocsf.module.file.accessor.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.module.file.accessor.account.type + type: keyword +ocsf.module.file.accessor.account.type_id: + description: The normalized account type identifier. + name: ocsf.module.file.accessor.account.type_id + type: keyword +ocsf.module.file.accessor.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). 
+ name: ocsf.module.file.accessor.account.uid + type: keyword +ocsf.module.file.accessor.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.module.file.accessor.credential_uid + type: keyword +ocsf.module.file.accessor.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.module.file.accessor.domain + type: keyword +ocsf.module.file.accessor.email_addr: + description: The user's email address. + name: ocsf.module.file.accessor.email_addr + type: keyword +ocsf.module.file.accessor.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.module.file.accessor.full_name + type: keyword +ocsf.module.file.accessor.groups.desc: + description: The group description. + name: ocsf.module.file.accessor.groups.desc + type: keyword +ocsf.module.file.accessor.groups.name: + description: The group name. + name: ocsf.module.file.accessor.groups.name + type: keyword +ocsf.module.file.accessor.groups.privileges: + description: The group privileges. + name: ocsf.module.file.accessor.groups.privileges + type: keyword +ocsf.module.file.accessor.groups.type: + description: The type of the group or account. + name: ocsf.module.file.accessor.groups.type + type: keyword +ocsf.module.file.accessor.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.module.file.accessor.groups.uid + type: keyword +ocsf.module.file.accessor.name: + description: The username. For example, janedoe1. + name: ocsf.module.file.accessor.name + type: keyword +ocsf.module.file.accessor.org.name: + description: The name of the organization. For example, Widget, Inc. 
+ name: ocsf.module.file.accessor.org.name + type: keyword +ocsf.module.file.accessor.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.module.file.accessor.org.ou_name + type: keyword +ocsf.module.file.accessor.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.module.file.accessor.org.ou_uid + type: keyword +ocsf.module.file.accessor.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.module.file.accessor.org.uid + type: keyword +ocsf.module.file.accessor.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.module.file.accessor.type + type: keyword +ocsf.module.file.accessor.type_id: + description: The account type identifier. + name: ocsf.module.file.accessor.type_id + type: keyword +ocsf.module.file.accessor.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.module.file.accessor.uid + type: keyword +ocsf.module.file.accessor.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.module.file.accessor.uid_alt + type: keyword +ocsf.module.file.attributes: + description: The Bitmask value that represents the file attributes. + name: ocsf.module.file.attributes + type: long +ocsf.module.file.company_name: + description: + "The name of the company that published the file. For example: Microsoft + Corporation." + name: ocsf.module.file.company_name + type: keyword +ocsf.module.file.confidentiality: + description: + The file content confidentiality, normalized to the confidentiality_id + value. In the case of 'Other', it is defined by the event source. 
+ name: ocsf.module.file.confidentiality + type: keyword +ocsf.module.file.confidentiality_id: + description: The normalized identifier of the file content confidentiality indicator. + name: ocsf.module.file.confidentiality_id + type: keyword +ocsf.module.file.created_time: + description: The time when the file was created. + name: ocsf.module.file.created_time + type: date +ocsf.module.file.created_time_dt: + description: The time when the file was created. + name: ocsf.module.file.created_time_dt + type: date +ocsf.module.file.creator.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.module.file.creator.account.name + type: keyword +ocsf.module.file.creator.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.module.file.creator.account.type + type: keyword +ocsf.module.file.creator.account.type_id: + description: The normalized account type identifier. + name: ocsf.module.file.creator.account.type_id + type: keyword +ocsf.module.file.creator.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.module.file.creator.account.uid + type: keyword +ocsf.module.file.creator.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.module.file.creator.credential_uid + type: keyword +ocsf.module.file.creator.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.module.file.creator.domain + type: keyword +ocsf.module.file.creator.email_addr: + description: The user's email address. + name: ocsf.module.file.creator.email_addr + type: keyword +ocsf.module.file.creator.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). 
+ name: ocsf.module.file.creator.full_name + type: keyword +ocsf.module.file.creator.groups.desc: + description: The group description. + name: ocsf.module.file.creator.groups.desc + type: keyword +ocsf.module.file.creator.groups.name: + description: The group name. + name: ocsf.module.file.creator.groups.name + type: keyword +ocsf.module.file.creator.groups.privileges: + description: The group privileges. + name: ocsf.module.file.creator.groups.privileges + type: keyword +ocsf.module.file.creator.groups.type: + description: The type of the group or account. + name: ocsf.module.file.creator.groups.type + type: keyword +ocsf.module.file.creator.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.module.file.creator.groups.uid + type: keyword +ocsf.module.file.creator.name: + description: The username. For example, janedoe1. + name: ocsf.module.file.creator.name + type: keyword +ocsf.module.file.creator.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.module.file.creator.org.name + type: keyword +ocsf.module.file.creator.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.module.file.creator.org.ou_name + type: keyword +ocsf.module.file.creator.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.module.file.creator.org.ou_uid + type: keyword +ocsf.module.file.creator.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.module.file.creator.org.uid + type: keyword +ocsf.module.file.creator.type: + description: The type of the user. For example, System, AWS IAM User, etc. 
+ name: ocsf.module.file.creator.type + type: keyword +ocsf.module.file.creator.type_id: + description: The account type identifier. + name: ocsf.module.file.creator.type_id + type: keyword +ocsf.module.file.creator.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.module.file.creator.uid + type: keyword +ocsf.module.file.creator.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.module.file.creator.uid_alt + type: keyword +ocsf.module.file.desc: + description: + "The description of the file, as returned by file system. For example: + the description as returned by the Unix file command or the Windows file type." + name: ocsf.module.file.desc + type: keyword +ocsf.module.file.hashes.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.module.file.hashes.algorithm + type: keyword +ocsf.module.file.hashes.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.module.file.hashes.algorithm_id + type: keyword +ocsf.module.file.hashes.value: + description: The digital fingerprint value. + name: ocsf.module.file.hashes.value + type: keyword +ocsf.module.file.is_system: + description: The indication of whether the object is part of the operating system. + name: ocsf.module.file.is_system + type: boolean +ocsf.module.file.mime_type: + description: + The Multipurpose Internet Mail Extensions (MIME) type of the file, + if applicable. + name: ocsf.module.file.mime_type + type: keyword +ocsf.module.file.modified_time: + description: The time when the file was last modified. 
+ name: ocsf.module.file.modified_time + type: date +ocsf.module.file.modified_time_dt: + description: The time when the file was last modified. + name: ocsf.module.file.modified_time_dt + type: date +ocsf.module.file.modifier.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.module.file.modifier.account.name + type: keyword +ocsf.module.file.modifier.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.module.file.modifier.account.type + type: keyword +ocsf.module.file.modifier.account.type_id: + description: The normalized account type identifier. + name: ocsf.module.file.modifier.account.type_id + type: keyword +ocsf.module.file.modifier.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.module.file.modifier.account.uid + type: keyword +ocsf.module.file.modifier.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.module.file.modifier.credential_uid + type: keyword +ocsf.module.file.modifier.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.module.file.modifier.domain + type: keyword +ocsf.module.file.modifier.email_addr: + description: The user's email address. + name: ocsf.module.file.modifier.email_addr + type: keyword +ocsf.module.file.modifier.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.module.file.modifier.full_name + type: keyword +ocsf.module.file.modifier.groups.desc: + description: The group description. + name: ocsf.module.file.modifier.groups.desc + type: keyword +ocsf.module.file.modifier.groups.name: + description: The group name. 
+ name: ocsf.module.file.modifier.groups.name + type: keyword +ocsf.module.file.modifier.groups.privileges: + description: The group privileges. + name: ocsf.module.file.modifier.groups.privileges + type: keyword +ocsf.module.file.modifier.groups.type: + description: The type of the group or account. + name: ocsf.module.file.modifier.groups.type + type: keyword +ocsf.module.file.modifier.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.module.file.modifier.groups.uid + type: keyword +ocsf.module.file.modifier.name: + description: The username. For example, janedoe1. + name: ocsf.module.file.modifier.name + type: keyword +ocsf.module.file.modifier.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.module.file.modifier.org.name + type: keyword +ocsf.module.file.modifier.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.module.file.modifier.org.ou_name + type: keyword +ocsf.module.file.modifier.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.module.file.modifier.org.ou_uid + type: keyword +ocsf.module.file.modifier.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.module.file.modifier.org.uid + type: keyword +ocsf.module.file.modifier.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.module.file.modifier.type + type: keyword +ocsf.module.file.modifier.type_id: + description: The account type identifier. + name: ocsf.module.file.modifier.type_id + type: keyword +ocsf.module.file.modifier.uid: + description: + The unique user identifier. 
For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.module.file.modifier.uid + type: keyword +ocsf.module.file.modifier.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.module.file.modifier.uid_alt + type: keyword +ocsf.module.file.name: + description: "The name of the file. For example: svchost.exe." + name: ocsf.module.file.name + type: keyword +ocsf.module.file.owner.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.module.file.owner.account.name + type: keyword +ocsf.module.file.owner.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.module.file.owner.account.type + type: keyword +ocsf.module.file.owner.account.type_id: + description: The normalized account type identifier. + name: ocsf.module.file.owner.account.type_id + type: keyword +ocsf.module.file.owner.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.module.file.owner.account.uid + type: keyword +ocsf.module.file.owner.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.module.file.owner.credential_uid + type: keyword +ocsf.module.file.owner.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.module.file.owner.domain + type: keyword +ocsf.module.file.owner.email_addr: + description: The user's email address. + name: ocsf.module.file.owner.email_addr + type: keyword +ocsf.module.file.owner.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.module.file.owner.full_name + type: keyword +ocsf.module.file.owner.groups.desc: + description: The group description. 
+ name: ocsf.module.file.owner.groups.desc + type: keyword +ocsf.module.file.owner.groups.name: + description: The group name. + name: ocsf.module.file.owner.groups.name + type: keyword +ocsf.module.file.owner.groups.privileges: + description: The group privileges. + name: ocsf.module.file.owner.groups.privileges + type: keyword +ocsf.module.file.owner.groups.type: + description: The type of the group or account. + name: ocsf.module.file.owner.groups.type + type: keyword +ocsf.module.file.owner.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.module.file.owner.groups.uid + type: keyword +ocsf.module.file.owner.name: + description: The username. For example, janedoe1. + name: ocsf.module.file.owner.name + type: keyword +ocsf.module.file.owner.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.module.file.owner.org.name + type: keyword +ocsf.module.file.owner.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.module.file.owner.org.ou_name + type: keyword +ocsf.module.file.owner.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.module.file.owner.org.ou_uid + type: keyword +ocsf.module.file.owner.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.module.file.owner.org.uid + type: keyword +ocsf.module.file.owner.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.module.file.owner.type + type: keyword +ocsf.module.file.owner.type_id: + description: The account type identifier. 
+ name: ocsf.module.file.owner.type_id + type: keyword +ocsf.module.file.owner.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.module.file.owner.uid + type: keyword +ocsf.module.file.owner.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.module.file.owner.uid_alt + type: keyword +ocsf.module.file.parent_folder: + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + name: ocsf.module.file.parent_folder + type: keyword +ocsf.module.file.path: + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + name: ocsf.module.file.path + type: keyword +ocsf.module.file.product.feature.name: + description: The name of the feature. + name: ocsf.module.file.product.feature.name + type: keyword +ocsf.module.file.product.feature.uid: + description: The unique identifier of the feature. + name: ocsf.module.file.product.feature.uid + type: keyword +ocsf.module.file.product.feature.version: + description: The version of the feature. + name: ocsf.module.file.product.feature.version + type: keyword +ocsf.module.file.product.lang: + description: + "The two letter lower case language codes, as defined by ISO 639-1. + For example: en (English), de (German), or fr (French)." + name: ocsf.module.file.product.lang + type: keyword +ocsf.module.file.product.name: + description: The name of the product. + name: ocsf.module.file.product.name + type: keyword +ocsf.module.file.product.path: + description: The installation path of the product. + name: ocsf.module.file.product.path + type: keyword +ocsf.module.file.product.uid: + description: The unique identifier of the product. + name: ocsf.module.file.product.uid + type: keyword +ocsf.module.file.product.vendor_name: + description: The name of the vendor of the product. 
+ name: ocsf.module.file.product.vendor_name + type: keyword +ocsf.module.file.product.version: + description: + "The version of the product, as defined by the event source. For example: + 2013.1.3-beta." + name: ocsf.module.file.product.version + type: keyword +ocsf.module.file.security_descriptor: + description: The object security descriptor. + name: ocsf.module.file.security_descriptor + type: keyword +ocsf.module.file.signature.algorithm: + description: + The digital signature algorithm used to create the signature, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.module.file.signature.algorithm + type: keyword +ocsf.module.file.signature.algorithm_id: + description: The identifier of the normalized digital signature algorithm. + name: ocsf.module.file.signature.algorithm_id + type: keyword +ocsf.module.file.signature.certificate.created_time: + description: The time when the certificate was created. + name: ocsf.module.file.signature.certificate.created_time + type: date +ocsf.module.file.signature.certificate.created_time_dt: + description: The time when the certificate was created. + name: ocsf.module.file.signature.certificate.created_time_dt + type: date +ocsf.module.file.signature.certificate.expiration_time: + description: The expiration time of the certificate. + name: ocsf.module.file.signature.certificate.expiration_time + type: date +ocsf.module.file.signature.certificate.expiration_time_dt: + description: The expiration time of the certificate. + name: ocsf.module.file.signature.certificate.expiration_time_dt + type: date +ocsf.module.file.signature.certificate.fingerprints.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. 
+ name: ocsf.module.file.signature.certificate.fingerprints.algorithm + type: keyword +ocsf.module.file.signature.certificate.fingerprints.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.module.file.signature.certificate.fingerprints.algorithm_id + type: keyword +ocsf.module.file.signature.certificate.fingerprints.value: + description: The digital fingerprint value. + name: ocsf.module.file.signature.certificate.fingerprints.value + type: keyword +ocsf.module.file.signature.certificate.issuer: + description: The certificate issuer distinguished name. + name: ocsf.module.file.signature.certificate.issuer + type: keyword +ocsf.module.file.signature.certificate.serial_number: + description: The serial number of the certificate used to create the digital signature. + name: ocsf.module.file.signature.certificate.serial_number + type: keyword +ocsf.module.file.signature.certificate.subject: + description: The certificate subject distinguished name. + name: ocsf.module.file.signature.certificate.subject + type: keyword +ocsf.module.file.signature.certificate.version: + description: The certificate version. + name: ocsf.module.file.signature.certificate.version + type: keyword +ocsf.module.file.signature.created_time: + description: The time when the digital signature was created. + name: ocsf.module.file.signature.created_time + type: date +ocsf.module.file.signature.created_time_dt: + description: The time when the digital signature was created. + name: ocsf.module.file.signature.created_time_dt + type: date +ocsf.module.file.signature.developer_uid: + description: The developer ID on the certificate that signed the file. + name: ocsf.module.file.signature.developer_uid + type: keyword +ocsf.module.file.signature.digest.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the + event source. + name: ocsf.module.file.signature.digest.algorithm + type: keyword +ocsf.module.file.signature.digest.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.module.file.signature.digest.algorithm_id + type: keyword +ocsf.module.file.signature.digest.value: + description: The digital fingerprint value. + name: ocsf.module.file.signature.digest.value + type: keyword +ocsf.module.file.size: + description: The size of data, in bytes. + name: ocsf.module.file.size + type: long +ocsf.module.file.type: + description: The file type. + name: ocsf.module.file.type + type: keyword +ocsf.module.file.type_id: + description: The file type ID. + name: ocsf.module.file.type_id + type: keyword +ocsf.module.file.uid: + description: + The unique identifier of the file as defined by the storage system, + such the file system file ID. + name: ocsf.module.file.uid + type: keyword +ocsf.module.file.version: + description: "The file version. For example: 8.0.7601.17514." + name: ocsf.module.file.version + type: keyword +ocsf.module.file.xattributes: + description: + An unordered collection of zero or more name/value pairs where each + pair represents a file or folder extended attribute. + name: ocsf.module.file.xattributes + type: flattened +ocsf.module.function_name: + description: + The entry-point function of the module. The system calls the entry-point + function whenever a process or thread loads or unloads the module. + name: ocsf.module.function_name + type: keyword +ocsf.module.load_type: + description: + The load type, normalized to the caption of the load_type_id value. + In the case of 'Other', it is defined by the event source. It describes how the + module was loaded in memory. + name: ocsf.module.load_type + type: keyword +ocsf.module.load_type_id: + description: + The normalized identifier of the load type. 
It identifies how the module + was loaded in memory. + name: ocsf.module.load_type_id + type: keyword +ocsf.module.start_address: + description: The start address of the execution. + name: ocsf.module.start_address + type: keyword +ocsf.module.type: + description: The module type. + name: ocsf.module.type + type: keyword +ocsf.name: + description: The name of the data affiliated with the command. + name: ocsf.name + type: keyword +ocsf.nist: + description: + The NIST Cybersecurity Framework recommendations for managing the cybersecurity + risk. + name: ocsf.nist + type: keyword +ocsf.observables.name: + description: + "The full name of the observable attribute. The name is a pointer/reference + to an attribute within the event data. For example: file.name." + name: ocsf.observables.name + type: keyword +ocsf.observables.reputation.base_score: + description: The reputation score as reported by the event source. + name: ocsf.observables.reputation.base_score + type: double +ocsf.observables.reputation.provider: + description: The provider of the reputation information. + name: ocsf.observables.reputation.provider + type: keyword +ocsf.observables.reputation.score: + description: + The reputation score, normalized to the caption of the score_id value. + In the case of 'Other', it is defined by the event source. + name: ocsf.observables.reputation.score + type: keyword +ocsf.observables.reputation.score_id: + description: The normalized reputation score identifier. + name: ocsf.observables.reputation.score_id + type: keyword +ocsf.observables.type: + description: The observable value type name. + name: ocsf.observables.type + type: keyword +ocsf.observables.type_id: + description: The observable value type identifier. + name: ocsf.observables.type_id + type: keyword +ocsf.observables.value: + description: The value associated with the observable attribute. 
+ name: ocsf.observables.value + type: keyword +ocsf.open_type: + description: Indicates how the file was opened (e.g. normal, delete on close). + name: ocsf.open_type + type: keyword +ocsf.port: + description: The dynamic port established for impending data transfers. + name: ocsf.port + type: long +ocsf.privileges: + description: The list of sensitive privileges, assigned to the new user session. + name: ocsf.privileges + type: keyword +ocsf.protocol_ver: + description: The Protocol version. + name: ocsf.protocol_ver + type: keyword +ocsf.proxy.domain: + description: The name of the domain. + name: ocsf.proxy.domain + type: keyword +ocsf.proxy.hostname: + description: The fully qualified name of the endpoint. + name: ocsf.proxy.hostname + type: keyword +ocsf.proxy.instance_uid: + description: The unique identifier of a VM instance. + name: ocsf.proxy.instance_uid + type: keyword +ocsf.proxy.interface_name: + description: The name of the network interface (e.g. eth2). + name: ocsf.proxy.interface_name + type: keyword +ocsf.proxy.interface_uid: + description: The unique identifier of the network interface. + name: ocsf.proxy.interface_uid + type: keyword +ocsf.proxy.intermediate_ips: + description: + The intermediate IP Addresses. For example, the IP addresses in the + HTTP X-Forwarded-For header. + name: ocsf.proxy.intermediate_ips + type: ip +ocsf.proxy.ip: + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + name: ocsf.proxy.ip + type: ip +ocsf.proxy.location.city: + description: The name of the city. + name: ocsf.proxy.location.city + type: keyword +ocsf.proxy.location.continent: + description: The name of the continent. + name: ocsf.proxy.location.continent + type: keyword +ocsf.proxy.location.coordinates: + description: + A two-element array, containing a longitude/latitude pair. The format + conforms with GeoJSON. 
+ name: ocsf.proxy.location.coordinates + type: geo_point +ocsf.proxy.location.country: + description: + The ISO 3166-1 Alpha-2 country code. For the complete list of country + codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + name: ocsf.proxy.location.country + type: keyword +ocsf.proxy.location.desc: + description: The description of the geographical location. + name: ocsf.proxy.location.desc + type: keyword +ocsf.proxy.location.is_on_premises: + description: The indication of whether the location is on premises. + name: ocsf.proxy.location.is_on_premises + type: boolean +ocsf.proxy.location.isp: + description: The name of the Internet Service Provider (ISP). + name: ocsf.proxy.location.isp + type: keyword +ocsf.proxy.location.postal_code: + description: The postal code of the location. + name: ocsf.proxy.location.postal_code + type: keyword +ocsf.proxy.location.provider: + description: The provider of the geographical location data. + name: ocsf.proxy.location.provider + type: keyword +ocsf.proxy.location.region: + description: + The alphanumeric code that identifies the principal subdivision (e.g. + province or state) of the country. Region codes are defined at ISO 3166-2 and + have a limit of three characters. For example, see the region codes for the US. + name: ocsf.proxy.location.region + type: keyword +ocsf.proxy.mac: + description: The Media Access Control (MAC) address of the endpoint. + name: ocsf.proxy.mac + type: keyword +ocsf.proxy.name: + description: The short name of the endpoint. + name: ocsf.proxy.name + type: keyword +ocsf.proxy.port: + description: The port used for communication within the network connection. + name: ocsf.proxy.port + type: long +ocsf.proxy.subnet_uid: + description: The unique identifier of a virtual subnet. + name: ocsf.proxy.subnet_uid + type: keyword +ocsf.proxy.svc_name: + description: + The service name in service-to-service connections. 
For example, AWS + VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection + is coming from or going to an AWS service. + name: ocsf.proxy.svc_name + type: keyword +ocsf.proxy.uid: + description: The unique identifier of the endpoint. + name: ocsf.proxy.uid + type: keyword +ocsf.proxy.vlan_uid: + description: The Virtual LAN identifier. + name: ocsf.proxy.vlan_uid + type: keyword +ocsf.proxy.vpc_uid: + description: The unique identifier of the Virtual Private Cloud (VPC). + name: ocsf.proxy.vpc_uid + type: keyword +ocsf.query.class: + description: + "The class of resource records being queried. See RFC1035. For example: + IN." + name: ocsf.query.class + type: keyword +ocsf.query.hostname: + description: "The hostname or domain being queried. For example: www.example.com" + name: ocsf.query.hostname + type: keyword +ocsf.query.opcode: + description: The DNS opcode specifies the type of the query message. + name: ocsf.query.opcode + type: keyword +ocsf.query.opcode_id: + description: The DNS opcode ID specifies the normalized query message type. + name: ocsf.query.opcode_id + type: keyword +ocsf.query.packet_uid: + description: + The DNS packet identifier assigned by the program that generated the + query. The identifier is copied to the response. + name: ocsf.query.packet_uid + type: keyword +ocsf.query.type: + description: + "The type of resource records being queried. See RFC1035. For example: + A, AAAA, CNAME, MX, and NS." + name: ocsf.query.type + type: keyword +ocsf.query_time: + description: The Domain Name System (DNS) query time. + name: ocsf.query_time + type: date +ocsf.query_time_dt: + description: The Domain Name System (DNS) query time. + name: ocsf.query_time_dt + type: date +ocsf.raw_data: + description: The event data as received from the event source. 
+ name: ocsf.raw_data + type: flattened +ocsf.raw_data_keyword: + description: "" + name: ocsf.raw_data_keyword + type: keyword +ocsf.rcode: + description: + The DNS server response code, normalized to the caption of the rcode_id + value. In the case of 'Other', it is defined by the event source. + name: ocsf.rcode + type: keyword +ocsf.rcode_id: + description: The normalized identifier of the DNS server response code. + name: ocsf.rcode_id + type: keyword +ocsf.relay.hostname: + description: The hostname associated with the network interface. + name: ocsf.relay.hostname + type: keyword +ocsf.relay.ip: + description: The IP address associated with the network interface. + name: ocsf.relay.ip + type: ip +ocsf.relay.mac: + description: The MAC address of the network interface. + name: ocsf.relay.mac + type: keyword +ocsf.relay.name: + description: The name of the network interface. + name: ocsf.relay.name + type: keyword +ocsf.relay.namespace: + description: + The namespace is useful in merger or acquisition situations. For example, + when similar entities exists that you need to keep separate. + name: ocsf.relay.namespace + type: keyword +ocsf.relay.subnet_prefix: + description: + The subnet prefix length determines the number of bits used to represent + the network part of the IP address. The remaining bits are reserved for identifying + individual hosts within that subnet. + name: ocsf.relay.subnet_prefix + type: long +ocsf.relay.type: + description: The type of network interface. + name: ocsf.relay.type + type: keyword +ocsf.relay.type_id: + description: The network interface type identifier. + name: ocsf.relay.type_id + type: keyword +ocsf.relay.uid: + description: The unique identifier for the network interface. + name: ocsf.relay.uid + type: keyword +ocsf.remote_display.color_depth: + description: The numeric color depth. 
+ name: ocsf.remote_display.color_depth + type: long +ocsf.remote_display.physical_height: + description: The numeric physical height of display. + name: ocsf.remote_display.physical_height + type: long +ocsf.remote_display.physical_orientation: + description: The numeric physical orientation of display. + name: ocsf.remote_display.physical_orientation + type: long +ocsf.remote_display.physical_width: + description: The numeric physical width of display. + name: ocsf.remote_display.physical_width + type: long +ocsf.remote_display.scale_factor: + description: The numeric scale factor of display. + name: ocsf.remote_display.scale_factor + type: long +ocsf.request.flags: + description: + The list of communication flags, normalized to the captions of the + flag_ids values. In the case of 'Other', they are defined by the event source. + name: ocsf.request.flags + type: date +ocsf.request.uid: + description: The unique request identifier. + name: ocsf.request.uid + type: keyword +ocsf.requested_permissions: + description: The permissions mask that were requested by the process. + name: ocsf.requested_permissions + type: long +ocsf.resource.cloud_partition: + description: + "The canonical cloud partition name to which the region is assigned + (e.g. AWS Partitions: aws, aws-cn, aws-us-gov)." + name: ocsf.resource.cloud_partition + type: keyword +ocsf.resource.criticality: + description: The criticality of the resource as defined by the event source. + name: ocsf.resource.criticality + type: keyword +ocsf.resource.data: + description: Additional data describing the resource. + name: ocsf.resource.data + type: flattened +ocsf.resource.group.desc: + description: The group description. + name: ocsf.resource.group.desc + type: keyword +ocsf.resource.group.name: + description: The group name. + name: ocsf.resource.group.name + type: keyword +ocsf.resource.group.privileges: + description: The group privileges. 
+ name: ocsf.resource.group.privileges + type: keyword +ocsf.resource.group.type: + description: The type of the group or account. + name: ocsf.resource.group.type + type: keyword +ocsf.resource.group.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.resource.group.uid + type: keyword +ocsf.resource.labels: + description: The list of labels/tags associated to a resource. + name: ocsf.resource.labels + type: keyword +ocsf.resource.name: + description: The name of the resource. + name: ocsf.resource.name + type: keyword +ocsf.resource.owner.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.resource.owner.account.name + type: keyword +ocsf.resource.owner.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.resource.owner.account.type + type: keyword +ocsf.resource.owner.account.type_id: + description: The normalized account type identifier. + name: ocsf.resource.owner.account.type_id + type: keyword +ocsf.resource.owner.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.resource.owner.account.uid + type: keyword +ocsf.resource.owner.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.resource.owner.credential_uid + type: keyword +ocsf.resource.owner.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.resource.owner.domain + type: keyword +ocsf.resource.owner.email_addr: + description: The user's email address. + name: ocsf.resource.owner.email_addr + type: keyword +ocsf.resource.owner.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). 
+ name: ocsf.resource.owner.full_name + type: keyword +ocsf.resource.owner.groups.desc: + description: The group description. + name: ocsf.resource.owner.groups.desc + type: keyword +ocsf.resource.owner.groups.name: + description: The group name. + name: ocsf.resource.owner.groups.name + type: keyword +ocsf.resource.owner.groups.privileges: + description: The group privileges. + name: ocsf.resource.owner.groups.privileges + type: keyword +ocsf.resource.owner.groups.type: + description: The type of the group or account. + name: ocsf.resource.owner.groups.type + type: keyword +ocsf.resource.owner.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.resource.owner.groups.uid + type: keyword +ocsf.resource.owner.name: + description: The username. For example, janedoe1. + name: ocsf.resource.owner.name + type: keyword +ocsf.resource.owner.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.resource.owner.org.name + type: keyword +ocsf.resource.owner.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.resource.owner.org.ou_name + type: keyword +ocsf.resource.owner.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.resource.owner.org.ou_uid + type: keyword +ocsf.resource.owner.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.resource.owner.org.uid + type: keyword +ocsf.resource.owner.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.resource.owner.type + type: keyword +ocsf.resource.owner.type_id: + description: The account type identifier. 
+ name: ocsf.resource.owner.type_id + type: keyword +ocsf.resource.owner.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.resource.owner.uid + type: keyword +ocsf.resource.owner.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.resource.owner.uid_alt + type: keyword +ocsf.resource.region: + description: The cloud region of the resource. + name: ocsf.resource.region + type: keyword +ocsf.resource.type: + description: The resource type as defined by the event source. + name: ocsf.resource.type + type: keyword +ocsf.resource.uid: + description: The unique identifier of the resource. + name: ocsf.resource.uid + type: keyword +ocsf.resource.version: + description: The version of the resource. For example 1.2.3. + name: ocsf.resource.version + type: keyword +ocsf.resources.cloud_partition: + description: + "The canonical cloud partition name to which the region is assigned + (e.g. AWS Partitions: aws, aws-cn, aws-us-gov)." + name: ocsf.resources.cloud_partition + type: keyword +ocsf.resources.criticality: + description: The criticality of the resource as defined by the event source. + name: ocsf.resources.criticality + type: keyword +ocsf.resources.data: + description: Additional data describing the resource. + name: ocsf.resources.data + type: flattened +ocsf.resources.group.desc: + description: The group description. + name: ocsf.resources.group.desc + type: keyword +ocsf.resources.group.name: + description: The group name. + name: ocsf.resources.group.name + type: keyword +ocsf.resources.group.privileges: + description: The group privileges. + name: ocsf.resources.group.privileges + type: keyword +ocsf.resources.group.type: + description: The type of the group or account. 
+ name: ocsf.resources.group.type + type: keyword +ocsf.resources.group.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.resources.group.uid + type: keyword +ocsf.resources.labels: + description: The list of labels/tags associated to a resource. + name: ocsf.resources.labels + type: keyword +ocsf.resources.name: + description: The name of the resource. + name: ocsf.resources.name + type: keyword +ocsf.resources.owner.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.resources.owner.account.name + type: keyword +ocsf.resources.owner.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.resources.owner.account.type + type: keyword +ocsf.resources.owner.account.type_id: + description: The normalized account type identifier. + name: ocsf.resources.owner.account.type_id + type: keyword +ocsf.resources.owner.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.resources.owner.account.uid + type: keyword +ocsf.resources.owner.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.resources.owner.credential_uid + type: keyword +ocsf.resources.owner.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.resources.owner.domain + type: keyword +ocsf.resources.owner.email_addr: + description: The user's email address. + name: ocsf.resources.owner.email_addr + type: keyword +ocsf.resources.owner.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.resources.owner.full_name + type: keyword +ocsf.resources.owner.groups.desc: + description: The group description. 
+ name: ocsf.resources.owner.groups.desc + type: keyword +ocsf.resources.owner.groups.name: + description: The group name. + name: ocsf.resources.owner.groups.name + type: keyword +ocsf.resources.owner.groups.privileges: + description: The group privileges. + name: ocsf.resources.owner.groups.privileges + type: keyword +ocsf.resources.owner.groups.type: + description: The type of the group or account. + name: ocsf.resources.owner.groups.type + type: keyword +ocsf.resources.owner.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.resources.owner.groups.uid + type: keyword +ocsf.resources.owner.name: + description: The username. For example, janedoe1. + name: ocsf.resources.owner.name + type: keyword +ocsf.resources.owner.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.resources.owner.org.name + type: keyword +ocsf.resources.owner.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.resources.owner.org.ou_name + type: keyword +ocsf.resources.owner.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.resources.owner.org.ou_uid + type: keyword +ocsf.resources.owner.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.resources.owner.org.uid + type: keyword +ocsf.resources.owner.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.resources.owner.type + type: keyword +ocsf.resources.owner.type_id: + description: The account type identifier. + name: ocsf.resources.owner.type_id + type: keyword +ocsf.resources.owner.uid: + description: + The unique user identifier. 
For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.resources.owner.uid + type: keyword +ocsf.resources.owner.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.resources.owner.uid_alt + type: keyword +ocsf.resources.region: + description: The cloud region of the resource. + name: ocsf.resources.region + type: keyword +ocsf.resources.type: + description: The resource type as defined by the event source. + name: ocsf.resources.type + type: keyword +ocsf.resources.uid: + description: The unique identifier of the resource. + name: ocsf.resources.uid + type: keyword +ocsf.resources.version: + description: The version of the resource. For example 1.2.3. + name: ocsf.resources.version + type: keyword +ocsf.response.code: + description: The numeric response sent to a request. + name: ocsf.response.code + type: long +ocsf.response.error: + description: Error Code. + name: ocsf.response.error + type: keyword +ocsf.response.error_message: + description: Error Message. + name: ocsf.response.error_message + type: keyword +ocsf.response.flags: + description: + The list of communication flags, normalized to the captions of the + flag_ids values. In the case of 'Other', they are defined by the event source. + name: ocsf.response.flags + type: keyword +ocsf.response.message: + description: The description of the event, as defined by the event source. + name: ocsf.response.message + type: keyword +ocsf.response_time: + description: The Domain Name System (DNS) response time. + name: ocsf.response_time + type: date +ocsf.response_time_dt: + description: The Domain Name System (DNS) response time. + name: ocsf.response_time_dt + type: date +ocsf.risk_level: + description: + The risk level, normalized to the caption of the risk_level_id value. + In the case of 'Other', it is defined by the event source. 
+ name: ocsf.risk_level + type: keyword +ocsf.risk_level_id: + description: The normalized risk level id. + name: ocsf.risk_level_id + type: keyword +ocsf.risk_score: + description: The risk score as reported by the event source. + name: ocsf.risk_score + type: long +ocsf.server_hassh.algorithm: + description: + "The concatenation of key exchange, encryption, authentication and + compression algorithms (separated by ';'). NOTE: This is not the underlying + algorithm for the hash implementation." + name: ocsf.server_hassh.algorithm + type: keyword +ocsf.server_hassh.fingerprint.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.server_hassh.fingerprint.algorithm + type: keyword +ocsf.server_hassh.fingerprint.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.server_hassh.fingerprint.algorithm_id + type: keyword +ocsf.server_hassh.fingerprint.value: + description: The digital fingerprint value. + name: ocsf.server_hassh.fingerprint.value + type: keyword +ocsf.service.labels: + description: The list of labels associated with the service. + name: ocsf.service.labels + type: keyword +ocsf.service.name: + description: The name of the service. + name: ocsf.service.name + type: keyword +ocsf.service.uid: + description: The unique identifier of the service. + name: ocsf.service.uid + type: keyword +ocsf.service.version: + description: The version of the service. + name: ocsf.service.version + type: keyword +ocsf.session.created_time: + description: The time when the session was created. + name: ocsf.session.created_time + type: date +ocsf.session.created_time_dt: + description: The time when the session was created. 
+ name: ocsf.session.created_time_dt + type: date +ocsf.session.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.session.credential_uid + type: keyword +ocsf.session.expiration_time: + description: The session expiration time. + name: ocsf.session.expiration_time + type: date +ocsf.session.expiration_time_dt: + description: The session expiration time. + name: ocsf.session.expiration_time_dt + type: date +ocsf.session.is_remote: + description: The indication of whether the session is remote. + name: ocsf.session.is_remote + type: boolean +ocsf.session.issuer: + description: The identifier of the session issuer. + name: ocsf.session.issuer + type: keyword +ocsf.session.mfa: + description: "" + name: ocsf.session.mfa + type: boolean +ocsf.session.uid: + description: The unique identifier of the session. + name: ocsf.session.uid + type: keyword +ocsf.session.uuid: + description: The universally unique identifier of the session. + name: ocsf.session.uuid + type: keyword +ocsf.severity: + description: + The event severity, normalized to the caption of the severity_id value. + In the case of 'Other', it is defined by the event source. + name: ocsf.severity + type: keyword +ocsf.severity_id: + description: + The normalized identifier of the event severity. The normalized severity + is a measurement the effort and expense required to manage and resolve an event + or incident. Smaller numerical values represent lower impact events, and larger + numerical values represent higher impact events. + name: ocsf.severity_id + type: long +ocsf.share: + description: The SMB share name. + name: ocsf.share + type: keyword +ocsf.share_type: + description: + The SMB share type, normalized to the caption of the share_type_id + value. In the case of 'Other', it is defined by the event source. 
+ name: ocsf.share_type + type: keyword +ocsf.share_type_id: + description: The normalized identifier of the SMB share type. + name: ocsf.share_type_id + type: keyword +ocsf.size: + description: The memory size that was access or requested. + name: ocsf.size + type: long +ocsf.smtp_hello: + description: The value of the SMTP HELO or EHLO command sent by the initiator (client). + name: ocsf.smtp_hello + type: keyword +ocsf.src_endpoint.domain: + description: The name of the domain. + name: ocsf.src_endpoint.domain + type: keyword +ocsf.src_endpoint.hostname: + description: The fully qualified name of the endpoint. + name: ocsf.src_endpoint.hostname + type: keyword +ocsf.src_endpoint.instance_uid: + description: The unique identifier of a VM instance. + name: ocsf.src_endpoint.instance_uid + type: keyword +ocsf.src_endpoint.interface_name: + description: The name of the network interface (e.g. eth2). + name: ocsf.src_endpoint.interface_name + type: keyword +ocsf.src_endpoint.interface_uid: + description: The unique identifier of the network interface. + name: ocsf.src_endpoint.interface_uid + type: keyword +ocsf.src_endpoint.intermediate_ips: + description: + The intermediate IP Addresses. For example, the IP addresses in the + HTTP X-Forwarded-For header. + name: ocsf.src_endpoint.intermediate_ips + type: ip +ocsf.src_endpoint.ip: + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + name: ocsf.src_endpoint.ip + type: ip +ocsf.src_endpoint.location.city: + description: The name of the city. + name: ocsf.src_endpoint.location.city + type: keyword +ocsf.src_endpoint.location.continent: + description: The name of the continent. + name: ocsf.src_endpoint.location.continent + type: keyword +ocsf.src_endpoint.location.coordinates: + description: + A two-element array, containing a longitude/latitude pair. The format + conforms with GeoJSON. 
+ name: ocsf.src_endpoint.location.coordinates + type: geo_point +ocsf.src_endpoint.location.country: + description: + The ISO 3166-1 Alpha-2 country code. For the complete list of country + codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + name: ocsf.src_endpoint.location.country + type: keyword +ocsf.src_endpoint.location.desc: + description: The description of the geographical location. + name: ocsf.src_endpoint.location.desc + type: keyword +ocsf.src_endpoint.location.is_on_premises: + description: The indication of whether the location is on premises. + name: ocsf.src_endpoint.location.is_on_premises + type: boolean +ocsf.src_endpoint.location.isp: + description: The name of the Internet Service Provider (ISP). + name: ocsf.src_endpoint.location.isp + type: keyword +ocsf.src_endpoint.location.postal_code: + description: The postal code of the location. + name: ocsf.src_endpoint.location.postal_code + type: keyword +ocsf.src_endpoint.location.provider: + description: The provider of the geographical location data. + name: ocsf.src_endpoint.location.provider + type: keyword +ocsf.src_endpoint.location.region: + description: + The alphanumeric code that identifies the principal subdivision (e.g. + province or state) of the country. Region codes are defined at ISO 3166-2 and + have a limit of three characters. For example, see the region codes for the US. + name: ocsf.src_endpoint.location.region + type: keyword +ocsf.src_endpoint.mac: + description: The Media Access Control (MAC) address of the endpoint. + name: ocsf.src_endpoint.mac + type: keyword +ocsf.src_endpoint.name: + description: The short name of the endpoint. + name: ocsf.src_endpoint.name + type: keyword +ocsf.src_endpoint.port: + description: The port used for communication within the network connection. + name: ocsf.src_endpoint.port + type: long +ocsf.src_endpoint.subnet_uid: + description: The unique identifier of a virtual subnet. 
+ name: ocsf.src_endpoint.subnet_uid + type: keyword +ocsf.src_endpoint.svc_name: + description: + The service name in service-to-service connections. For example, AWS + VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection + is coming from or going to an AWS service. + name: ocsf.src_endpoint.svc_name + type: keyword +ocsf.src_endpoint.uid: + description: The unique identifier of the endpoint. + name: ocsf.src_endpoint.uid + type: keyword +ocsf.src_endpoint.vlan_uid: + description: The Virtual LAN identifier. + name: ocsf.src_endpoint.vlan_uid + type: keyword +ocsf.src_endpoint.vpc_uid: + description: The unique identifier of the Virtual Private Cloud (VPC). + name: ocsf.src_endpoint.vpc_uid + type: keyword +ocsf.start_time: + description: + The start time of a time period, or the time of the least recent event + included in the aggregate event. + name: ocsf.start_time + type: date +ocsf.start_time_dt: + description: + The start time of a time period, or the time of the least recent event + included in the aggregate event. + name: ocsf.start_time_dt + type: date +ocsf.state: + description: The normalized state of a security finding. + name: ocsf.state + type: keyword +ocsf.state_id: + description: The normalized state identifier of a security finding. + name: ocsf.state_id + type: keyword +ocsf.status: + description: + The event status, normalized to the caption of the status_id value. + In the case of 'Other', it is defined by the event source. + name: ocsf.status + type: keyword +ocsf.status_code: + description: + The event status code, as reported by the event source. For example, + in a Windows Failed Authentication event, this would be the value of 'Failure + Code', e.g. 0x18. + name: ocsf.status_code + type: keyword +ocsf.status_detail: + description: + The status details contains additional information about the event + outcome. 
+ name: ocsf.status_detail + type: keyword +ocsf.status_id: + description: The normalized identifier of the event status. + name: ocsf.status_id + type: keyword +#ocsf.time: +# description: The normalized event occurrence time. +# name: ocsf.time +# type: date +ocsf.time_dt: + description: The normalized event occurrence time. + name: ocsf.time_dt + type: date +ocsf.timezone_offset: + description: + The number of minutes that the reported event time is ahead or behind + UTC, in the range -1,080 to +1,080. + name: ocsf.timezone_offset + type: long +ocsf.tls.alert: + description: + The integer value of TLS alert if present. The alerts are defined in + the TLS specification in RFC-2246. + name: ocsf.tls.alert + type: long +ocsf.tls.certificate.created_time: + description: The time when the certificate was created. + name: ocsf.tls.certificate.created_time + type: date +ocsf.tls.certificate.created_time_dt: + description: The time when the certificate was created. + name: ocsf.tls.certificate.created_time_dt + type: date +ocsf.tls.certificate.expiration_time: + description: The expiration time of the certificate. + name: ocsf.tls.certificate.expiration_time + type: date +ocsf.tls.certificate.expiration_time_dt: + description: The expiration time of the certificate. + name: ocsf.tls.certificate.expiration_time_dt + type: date +ocsf.tls.certificate.fingerprints.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.tls.certificate.fingerprints.algorithm + type: keyword +ocsf.tls.certificate.fingerprints.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.tls.certificate.fingerprints.algorithm_id + type: keyword +ocsf.tls.certificate.fingerprints.value: + description: The digital fingerprint value. 
+ name: ocsf.tls.certificate.fingerprints.value + type: keyword +ocsf.tls.certificate.issuer: + description: The certificate issuer distinguished name. + name: ocsf.tls.certificate.issuer + type: keyword +ocsf.tls.certificate.serial_number: + description: The serial number of the certificate used to create the digital signature. + name: ocsf.tls.certificate.serial_number + type: keyword +ocsf.tls.certificate.subject: + description: The certificate subject distinguished name. + name: ocsf.tls.certificate.subject + type: keyword +ocsf.tls.certificate.version: + description: The certificate version. + name: ocsf.tls.certificate.version + type: keyword +ocsf.tls.certificate_chain: + description: + The Chain of Certificate Serial Numbers field provides a chain of Certificate + Issuer Serial Numbers leading to the Root Certificate Issuer. + name: ocsf.tls.certificate_chain + type: keyword +ocsf.tls.cipher: + description: The negotiated cipher suite. + name: ocsf.tls.cipher + type: keyword +ocsf.tls.client_ciphers: + description: + The client cipher suites that were exchanged during the TLS handshake + negotiation. + name: ocsf.tls.client_ciphers + type: keyword +ocsf.tls.extension_list.data: + description: + The data contains information specific to the particular extension + type. + name: ocsf.tls.extension_list.data + type: flattened +ocsf.tls.extension_list.type: + description: "The TLS extension type. For example: Server Name." + name: ocsf.tls.extension_list.type + type: keyword +ocsf.tls.extension_list.type_id: + description: + The TLS extension type identifier. See The Transport Layer Security + (TLS) extension page. + name: ocsf.tls.extension_list.type_id + type: keyword +ocsf.tls.handshake_dur: + description: + The amount of total time for the TLS handshake to complete after the + TCP connection is established, including client-side delays, in milliseconds. 
+ name: ocsf.tls.handshake_dur + type: long +ocsf.tls.ja3_hash.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.tls.ja3_hash.algorithm + type: keyword +ocsf.tls.ja3_hash.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.tls.ja3_hash.algorithm_id + type: keyword +ocsf.tls.ja3_hash.value: + description: The digital fingerprint value. + name: ocsf.tls.ja3_hash.value + type: keyword +ocsf.tls.ja3s_hash.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.tls.ja3s_hash.algorithm + type: keyword +ocsf.tls.ja3s_hash.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.tls.ja3s_hash.algorithm_id + type: keyword +ocsf.tls.ja3s_hash.value: + description: The digital fingerprint value. + name: ocsf.tls.ja3s_hash.value + type: keyword +ocsf.tls.key_length: + description: The length of the encryption key. + name: ocsf.tls.key_length + type: long +ocsf.tls.sans.name: + description: Name of SAN (e.g. The actual IP Address or domain.) + name: ocsf.tls.sans.name + type: keyword +ocsf.tls.sans.type: + description: Type descriptor of SAN (e.g. IP Address/domain/etc.) + name: ocsf.tls.sans.type + type: keyword +ocsf.tls.server_ciphers: + description: + The server cipher suites that were exchanged during the TLS handshake + negotiation. + name: ocsf.tls.server_ciphers + type: keyword +ocsf.tls.sni: + description: The Server Name Indication (SNI) extension sent by the client. + name: ocsf.tls.sni + type: keyword +ocsf.tls.version: + description: The TLS protocol version. 
+ name: ocsf.tls.version + type: keyword +ocsf.traffic.bytes: + description: The total number of bytes (in and out). + name: ocsf.traffic.bytes + type: long +ocsf.traffic.bytes_in: + description: The number of bytes sent from the destination to the source. + name: ocsf.traffic.bytes_in + type: long +ocsf.traffic.bytes_out: + description: The number of bytes sent from the source to the destination. + name: ocsf.traffic.bytes_out + type: long +ocsf.traffic.packets: + description: The total number of packets (in and out). + name: ocsf.traffic.packets + type: long +ocsf.traffic.packets_in: + description: The number of packets sent from the destination to the source. + name: ocsf.traffic.packets_in + type: long +ocsf.traffic.packets_out: + description: The number of packets sent from the source to the destination. + name: ocsf.traffic.packets_out + type: long +ocsf.transaction_uid: + description: + The unique identifier of the transaction. This is typically a random + number generated from the client to associate a dhcp request/response pair. + name: ocsf.transaction_uid + type: keyword +ocsf.tree_uid: + description: + The tree id is a unique SMB identifier which represents an open connection + to a share. + name: ocsf.tree_uid + type: keyword +ocsf.type: + description: The type of FTP network connection (e.g. active, passive). + name: ocsf.type + type: keyword +ocsf.type_name: + description: The event type name, as defined by the type_uid. + name: ocsf.type_name + type: keyword +ocsf.type_uid: + description: + 'The event type ID. It identifies the events semantics and structure. + The value is calculated by the logging system as: class_uid \* 100 + activity_id.' + name: ocsf.type_uid + type: keyword +ocsf.unmapped: + description: + The attributes that are not mapped to the event schema. The names and + values of those attributes are specific to the event source. 
+ name: ocsf.unmapped + type: flattened +ocsf.url.categories: + description: The Website categorization names, as defined by category_ids enum values. + name: ocsf.url.categories + type: keyword +ocsf.url.category_ids: + description: The Website categorization identifies. + name: ocsf.url.category_ids + type: keyword +ocsf.url.hostname: + description: The URL host as extracted from the URL. + name: ocsf.url.hostname + type: keyword +ocsf.url.path: + description: The URL path as extracted from the URL. + name: ocsf.url.path + type: keyword +ocsf.url.port: + description: The URL port. + name: ocsf.url.port + type: long +ocsf.url.query_string: + description: The query portion of the URL. + name: ocsf.url.query_string + type: keyword +ocsf.url.resource_type: + description: The context in which a resource was retrieved in a web request. + name: ocsf.url.resource_type + type: keyword +ocsf.url.scheme: + description: The scheme portion of the URL. + name: ocsf.url.scheme + type: keyword +ocsf.url.subdomain: + description: The subdomain portion of the URL. + name: ocsf.url.subdomain + type: keyword +ocsf.url.url_string: + description: The URL string. See RFC 1738. + name: ocsf.url.url_string + type: keyword +ocsf.user.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.user.account.name + type: keyword +ocsf.user.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.user.account.type + type: keyword +ocsf.user.account.type_id: + description: The normalized account type identifier. + name: ocsf.user.account.type_id + type: keyword +ocsf.user.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.user.account.uid + type: keyword +ocsf.user.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. 
+ name: ocsf.user.credential_uid + type: keyword +ocsf.user.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.user.domain + type: keyword +ocsf.user.email_addr: + description: The user's email address. + name: ocsf.user.email_addr + type: keyword +ocsf.user.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.user.full_name + type: keyword +ocsf.user.groups.desc: + description: The group description. + name: ocsf.user.groups.desc + type: keyword +ocsf.user.groups.name: + description: The group name. + name: ocsf.user.groups.name + type: keyword +ocsf.user.groups.privileges: + description: The group privileges. + name: ocsf.user.groups.privileges + type: keyword +ocsf.user.groups.type: + description: The type of the group or account. + name: ocsf.user.groups.type + type: keyword +ocsf.user.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.user.groups.uid + type: keyword +ocsf.user.name: + description: The username. For example, janedoe1. + name: ocsf.user.name + type: keyword +ocsf.user.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.user.org.name + type: keyword +ocsf.user.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.user.org.ou_name + type: keyword +ocsf.user.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.user.org.ou_uid + type: keyword +ocsf.user.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.user.org.uid + type: keyword +ocsf.user.type: + description: The type of the user. 
For example, System, AWS IAM User, etc. + name: ocsf.user.type + type: keyword +ocsf.user.type_id: + description: The account type identifier. + name: ocsf.user.type_id + type: keyword +ocsf.user.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.user.uid + type: keyword +ocsf.user.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.user.uid_alt + type: keyword +ocsf.user_result.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.user_result.account.name + type: keyword +ocsf.user_result.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.user_result.account.type + type: keyword +ocsf.user_result.account.type_id: + description: The normalized account type identifier. + name: ocsf.user_result.account.type_id + type: keyword +ocsf.user_result.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.user_result.account.uid + type: keyword +ocsf.user_result.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.user_result.credential_uid + type: keyword +ocsf.user_result.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.user_result.domain + type: keyword +ocsf.user_result.email_addr: + description: The user's email address. + name: ocsf.user_result.email_addr + type: keyword +ocsf.user_result.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.user_result.full_name + type: keyword +ocsf.user_result.groups.desc: + description: The group description. 
+ name: ocsf.user_result.groups.desc + type: keyword +ocsf.user_result.groups.name: + description: The group name. + name: ocsf.user_result.groups.name + type: keyword +ocsf.user_result.groups.privileges: + description: The group privileges. + name: ocsf.user_result.groups.privileges + type: keyword +ocsf.user_result.groups.type: + description: The type of the group or account. + name: ocsf.user_result.groups.type + type: keyword +ocsf.user_result.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.user_result.groups.uid + type: keyword +ocsf.user_result.name: + description: The username. For example, janedoe1. + name: ocsf.user_result.name + type: keyword +ocsf.user_result.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.user_result.org.name + type: keyword +ocsf.user_result.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.user_result.org.ou_name + type: keyword +ocsf.user_result.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.user_result.org.ou_uid + type: keyword +ocsf.user_result.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.user_result.org.uid + type: keyword +ocsf.user_result.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.user_result.type + type: keyword +ocsf.user_result.type_id: + description: The account type identifier. + name: ocsf.user_result.type_id + type: keyword +ocsf.user_result.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. 
+ name: ocsf.user_result.uid + type: keyword +ocsf.user_result.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.user_result.uid_alt + type: keyword +ocsf.vulnerabilities.cve.created_time: + description: + The Record Creation Date identifies when the CVE ID was issued to a + CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. + Note that the Record Creation Date does not necessarily indicate when this vulnerability + was discovered, shared with the affected vendor, publicly disclosed, or updated + in CVE. + name: ocsf.vulnerabilities.cve.created_time + type: date +ocsf.vulnerabilities.cve.created_time_dt: + description: + The Record Creation Date identifies when the CVE ID was issued to a + CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. + Note that the Record Creation Date does not necessarily indicate when this vulnerability + was discovered, shared with the affected vendor, publicly disclosed, or updated + in CVE. + name: ocsf.vulnerabilities.cve.created_time_dt + type: date +ocsf.vulnerabilities.cve.cvss.base_score: + description: "The CVSS base score. For example: 9.1." + name: ocsf.vulnerabilities.cve.cvss.base_score + type: double +ocsf.vulnerabilities.cve.cvss.depth: + description: + The CVSS depth represents a depth of the equation used to calculate + CVSS score. + name: ocsf.vulnerabilities.cve.cvss.depth + type: keyword +ocsf.vulnerabilities.cve.cvss.metrics.name: + description: The name of the metric. + name: ocsf.vulnerabilities.cve.cvss.metrics.name + type: keyword +ocsf.vulnerabilities.cve.cvss.metrics.value: + description: The value of the metric. + name: ocsf.vulnerabilities.cve.cvss.metrics.value + type: keyword +ocsf.vulnerabilities.cve.cvss.overall_score: + description: + "The CVSS overall score, impacted by base, temporal, and environmental + metrics. For example: 9.1." 
+ name: ocsf.vulnerabilities.cve.cvss.overall_score + type: double +ocsf.vulnerabilities.cve.cvss.severity: + description: + The Common Vulnerability Scoring System (CVSS) Qualitative Severity + Rating. A textual representation of the numeric score. + name: ocsf.vulnerabilities.cve.cvss.severity + type: keyword +ocsf.vulnerabilities.cve.cvss.vector_string: + description: + "The CVSS vector string is a text representation of a set of CVSS metrics. + It is commonly used to record or transfer CVSS metric information in a concise + form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H." + name: ocsf.vulnerabilities.cve.cvss.vector_string + type: keyword +ocsf.vulnerabilities.cve.cvss.version: + description: "The CVSS version. For example: 3.1." + name: ocsf.vulnerabilities.cve.cvss.version + type: keyword +ocsf.vulnerabilities.cve.cwe_uid: + description: + "The Common Weakness Enumeration (CWE) unique identifier. For example: + CWE-787." + name: ocsf.vulnerabilities.cve.cwe_uid + type: keyword +ocsf.vulnerabilities.cve.cwe_url: + description: "Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html." + name: ocsf.vulnerabilities.cve.cwe_url + type: keyword +ocsf.vulnerabilities.cve.modified_time: + description: The Record Modified Date identifies when the CVE record was last updated. + name: ocsf.vulnerabilities.cve.modified_time + type: date +ocsf.vulnerabilities.cve.modified_time_dt: + description: The Record Modified Date identifies when the CVE record was last updated. + name: ocsf.vulnerabilities.cve.modified_time_dt + type: date +ocsf.vulnerabilities.cve.product.feature.name: + description: The name of the feature. + name: ocsf.vulnerabilities.cve.product.feature.name + type: keyword +ocsf.vulnerabilities.cve.product.feature.uid: + description: The unique identifier of the feature. 
+ name: ocsf.vulnerabilities.cve.product.feature.uid + type: keyword +ocsf.vulnerabilities.cve.product.feature.version: + description: The version of the feature. + name: ocsf.vulnerabilities.cve.product.feature.version + type: keyword +ocsf.vulnerabilities.cve.product.lang: + description: + "The two letter lower case language codes, as defined by ISO 639-1. + For example: en (English), de (German), or fr (French)." + name: ocsf.vulnerabilities.cve.product.lang + type: keyword +ocsf.vulnerabilities.cve.product.name: + description: The name of the product. + name: ocsf.vulnerabilities.cve.product.name + type: keyword +ocsf.vulnerabilities.cve.product.path: + description: The installation path of the product. + name: ocsf.vulnerabilities.cve.product.path + type: keyword +ocsf.vulnerabilities.cve.product.uid: + description: The unique identifier of the product. + name: ocsf.vulnerabilities.cve.product.uid + type: keyword +ocsf.vulnerabilities.cve.product.url_string: + description: The URL pointing towards the product. + name: ocsf.vulnerabilities.cve.product.url_string + type: keyword +ocsf.vulnerabilities.cve.product.vendor_name: + description: The name of the vendor of the product. + name: ocsf.vulnerabilities.cve.product.vendor_name + type: keyword +ocsf.vulnerabilities.cve.product.version: + description: + "The version of the product, as defined by the event source. For example: + 2013.1.3-beta." + name: ocsf.vulnerabilities.cve.product.version + type: keyword +ocsf.vulnerabilities.cve.type: + description: + The vulnerability type as selected from a large dropdown menu during + CVE refinement. + name: ocsf.vulnerabilities.cve.type + type: keyword +ocsf.vulnerabilities.cve.uid: + description: + "The Common Vulnerabilities and Exposures unique number assigned to + a specific computer vulnerability. A CVE Identifier begins with 4 digits representing + the year followed by a sequence of digits that acts as a unique identifier. For + example: CVE-2021-12345." 
+ name: ocsf.vulnerabilities.cve.uid + type: keyword +ocsf.vulnerabilities.desc: + description: The description of the vulnerability. + name: ocsf.vulnerabilities.desc + type: keyword +ocsf.vulnerabilities.fix_available: + description: Indicates if a fix is available for the reported vulnerability. + name: ocsf.vulnerabilities.fix_available + type: boolean +ocsf.vulnerabilities.kb_articles: + description: The KB article/s related to the entity. + name: ocsf.vulnerabilities.kb_articles + type: keyword +ocsf.vulnerabilities.packages.architecture: + description: + Architecture is a shorthand name describing the type of computer hardware + the packaged software is meant to run on. + name: ocsf.vulnerabilities.packages.architecture + type: keyword +ocsf.vulnerabilities.packages.epoch: + description: + The software package epoch. Epoch is a way to define weighted dependencies + based on version numbers. + name: ocsf.vulnerabilities.packages.epoch + type: long +ocsf.vulnerabilities.packages.license: + description: The software license applied to this package. + name: ocsf.vulnerabilities.packages.license + type: keyword +ocsf.vulnerabilities.packages.name: + description: The software package name. + name: ocsf.vulnerabilities.packages.name + type: keyword +ocsf.vulnerabilities.packages.release: + description: Release is the number of times a version of the software has been packaged. + name: ocsf.vulnerabilities.packages.release + type: keyword +ocsf.vulnerabilities.packages.version: + description: The software package version. + name: ocsf.vulnerabilities.packages.version + type: keyword +ocsf.vulnerabilities.references: + description: Supporting reference URLs. + name: ocsf.vulnerabilities.references + type: keyword +ocsf.vulnerabilities.related_vulnerabilities: + description: List of vulnerabilities that are related to this vulnerability. 
+ name: ocsf.vulnerabilities.related_vulnerabilities + type: keyword +ocsf.vulnerabilities.severity: + description: + The event severity, normalized to the caption of the severity_id value. + In the case of 'Other', it is defined by the event source. + name: ocsf.vulnerabilities.severity + type: keyword +ocsf.vulnerabilities.title: + description: The title of the vulnerability. + name: ocsf.vulnerabilities.title + type: keyword +ocsf.vulnerabilities.vendor_name: + description: The vendor who identified the vulnerability. + name: ocsf.vulnerabilities.vendor_name + type: keyword +ocsf.web_resources.data: + description: + Details of the web resource, e.g, file details, search results or application-defined + resource. + name: ocsf.web_resources.data + type: flattened +ocsf.web_resources.desc: + description: Description of the web resource. + name: ocsf.web_resources.desc + type: keyword +ocsf.web_resources.labels: + description: The list of labels/tags associated to a resource. + name: ocsf.web_resources.labels + type: keyword +ocsf.web_resources.name: + description: The name of the web resource. + name: ocsf.web_resources.name + type: keyword +ocsf.web_resources.type: + description: The web resource type as defined by the event source. + name: ocsf.web_resources.type + type: keyword +ocsf.web_resources.uid: + description: The unique identifier of the web resource. + name: ocsf.web_resources.uid + type: keyword +ocsf.web_resources.url_string: + description: The URL pointing towards the source of the web resource. + name: ocsf.web_resources.url_string + type: keyword +ocsf.web_resources_result.data: + description: + Details of the web resource, e.g, file details, search results or application-defined + resource. + name: ocsf.web_resources_result.data + type: flattened +ocsf.web_resources_result.desc: + description: Description of the web resource. 
+ name: ocsf.web_resources_result.desc
+ type: keyword
+ocsf.web_resources_result.labels:
+ description: The list of labels/tags associated to a resource.
+ name: ocsf.web_resources_result.labels
+ type: keyword
+ocsf.web_resources_result.name:
+ description: The name of the web resource.
+ name: ocsf.web_resources_result.name
+ type: keyword
+ocsf.web_resources_result.type:
+ description: The web resource type as defined by the event source.
+ name: ocsf.web_resources_result.type
+ type: keyword
+ocsf.web_resources_result.uid:
+ description: The unique identifier of the web resource.
+ name: ocsf.web_resources_result.uid
+ type: keyword
+ocsf.web_resources_result.url_string:
+ description: The URL pointing towards the source of the web resource.
+ name: ocsf.web_resources_result.url_string
+ type: keyword
+process.group.id:
+ description: ""
+ name: process.group.id
+ type: keyword
+process.group.name:
+ description: ""
+ name: process.group.name
+ type: keyword
+process.parent.user.domain:
+ description: ""
+ name: process.parent.user.domain
+ type: keyword
+process.parent.user.email:
+ description: ""
+ name: process.parent.user.email
+ type: keyword
+process.parent.user.full_name:
+ description: ""
+ name: process.parent.user.full_name
+ type: keyword
+process.parent.user.group.id:
+ description: ""
+ name: process.parent.user.group.id
+ type: keyword
+process.parent.user.group.name:
+ description: ""
+ name: process.parent.user.group.name
+ type: keyword
+process.user.domain:
+ description: ""
+ name: process.user.domain
+ type: keyword
+process.user.email:
+ description: ""
+ name: process.user.email
+ type: keyword
+process.user.full_name:
+ description: ""
+ name: process.user.full_name
+ type: keyword
+process.user.group.id:
+ description: ""
+ name: process.user.group.id
+ type: keyword
+process.user.group.name:
+ description: ""
+ name: process.user.group.name
+ type: keyword
diff --git a/OCSF/ocsf/_meta/manifest.yml b/OCSF/ocsf/_meta/manifest.yml
new file mode 100644
index 000000000..768c4626c
--- /dev/null
+++ b/OCSF/ocsf/_meta/manifest.yml
@@ -0,0 +1,8 @@
+uuid: a9c959ac-78ec-47a4-924e-8156a77cebf5
+name: OCSF
+slug: ocsf
+
+description: >-
+ The description of the intake
+
+data_sources:
diff --git a/OCSF/ocsf/_meta/smart-descriptions.json b/OCSF/ocsf/_meta/smart-descriptions.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml
new file mode 100644
index 000000000..246ed1a23
--- /dev/null
+++ b/OCSF/ocsf/ingest/parser.yml
@@ -0,0 +1,19 @@
+name: ocsf
+pipeline:
+ - name: parse_message
+ external:
+ name: json.parse-json
+ properties:
+ input_field: '{{original.message}}'
+ output_field: message
+
+ - name: set_fields
+
+stages:
+ set_fields:
+ actions:
+ - set:
+ "@timestamp": "{{parse_message.message.time | to_rfc3339}}"
+
+ ocsf: "{{parse_message.message}}"
+ process: "{{parse_message.message.process}}"
diff --git a/OCSF/ocsf/tests/test_file_activity.json b/OCSF/ocsf/tests/test_file_activity.json
new file mode 100644
index 000000000..af17d8168
--- /dev/null
+++ b/OCSF/ocsf/tests/test_file_activity.json
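Review bot: The manifest still carries the scaffold text `The description of the intake` and an empty `data_sources:`, so the intake ships with no human-readable description and no declared source. Replace the placeholder with a one-line statement of which OCSF event classes this intake accepts (the tests cover File System Activity and Process Activity) and list the data source before this is released.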
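Review bot: `process: "{{parse_message.message.process}}"` copies the OCSF process object wholesale into the ECS `process` namespace, while fields.yml only declares ECS-shaped names there (`process.user.email`, `process.user.group.id`, `process.group.name`); the OCSF shape visible in the sample (`actor.process` carrying `pid`, `file.hashes`, `user.uid`, `user.type_id`, `user.org`) uses different keys, so either those keys land in the index undeclared or a per-field mapping was intended — worth confirming against test_process_activity.json, which lies outside this chunk. In the File System Activity sample the only process object sits under `actor.process`, not at the top level, so this `set` presumably resolves to nothing for that event class. `"@timestamp"` also depends on `time` being present and on `to_rfc3339` accepting a microsecond epoch (the sample carries `1703680765007341`), and since the whole message is copied under `ocsf` while `ocsf.time` is commented out in fields.yml, that integer still reaches the index without a declared mapping.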
@@ -0,0 +1,184 @@ +{ + "input": { + "message": "{\"message\": \"memorial vacation gains\", \"status\": \"jet\", \"time\": 1703680765007341, \"file\": {\"name\": \"validation.mp4\", \"owner\": {\"name\": \"Grid\", \"type\": \"System\", \"uid\": \"f7982966-a4b4-11ee-a3fa-0242ac110004\", \"type_id\": 3, \"credential_uid\": \"f7982dd0-a4b4-11ee-b2ca-0242ac110004\", \"uid_alt\": \"mud faculty coast\"}, \"type\": \"Folder\", \"version\": \"1.0.0\", \"path\": \"rc sharp flow/tells.hqx/validation.mp4\", \"product\": {\"name\": \"opens subdivision marc\", \"version\": \"1.0.0\", \"uid\": \"f79834c4-a4b4-11ee-bc9e-0242ac110004\", \"lang\": \"en\", \"url_string\": \"flyer\", \"vendor_name\": \"assumes defensive pets\"}, \"type_id\": 2, \"parent_folder\": \"rc sharp flow/tells.hqx\", \"accessed_time\": 1703680765008026, \"hashes\": [{\"value\": \"90DDECE3C6BD7FFFE83AF4D6DA7D1D47BDD3BC4B8C55E4FB6014A6197DA2199E\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"modified_time\": 1703680765008073}, \"device\": {\"name\": \"coated sacred waiver\", \"type\": \"Browser\", \"os\": {\"name\": \"producers assessing iran\", \"type\": \"HP-UX\", \"type_id\": 402, \"lang\": \"en\", \"sp_name\": \"mod booth seller\", \"sp_ver\": 45}, \"ip\": \"250.253.200.33\", \"hostname\": \"trends.org\", \"uid\": \"f798170a-a4b4-11ee-91ce-0242ac110004\", \"type_id\": 8, \"created_time\": 1703680765007313, \"imei\": \"genetics half institutional\", \"instance_uid\": \"f7980b52-a4b4-11ee-9b5a-0242ac110004\", \"interface_name\": \"visitors fa trinity\", \"interface_uid\": \"f798130e-a4b4-11ee-8b87-0242ac110004\", \"network_interfaces\": [{\"name\": \"ons physically championship\", \"type\": \"Wireless\", \"hostname\": \"overhead.mil\", \"mac\": \"9D:F9:D3:48:CD:B9:EC:8B\", \"namespace\": \"sociology collectible myers\", \"type_id\": 2}], \"region\": \"first universe furnishings\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"cult c table\", \"uid\": 
\"f7975f7c-a4b4-11ee-9e82-0242ac110004\", \"feature\": {\"name\": \"quad back ne\", \"version\": \"1.0.0\", \"uid\": \"f7976a76-a4b4-11ee-ba7c-0242ac110004\"}, \"lang\": \"en\", \"vendor_name\": \"kazakhstan yugoslavia danish\"}, \"profiles\": [], \"log_name\": \"conjunction wa alot\", \"log_provider\": \"answering gb single\", \"log_version\": \"exposure dx maui\", \"logged_time\": 1703680765002867, \"original_time\": \"postings hawaii aaa\"}, \"severity\": \"High\", \"duration\": 62, \"type_name\": \"File System Activity: Encrypt\", \"category_name\": \"System Activity\", \"activity_id\": 10, \"type_uid\": 100110, \"class_uid\": 1001, \"category_uid\": 1, \"class_name\": \"File System Activity\", \"timezone_offset\": 8, \"activity_name\": \"Encrypt\", \"actor\": {\"process\": {\"name\": \"Interventions\", \"pid\": 18, \"file\": {\"name\": \"level.doc\", \"type\": \"Symbolic Link\", \"path\": \"matthew eos tests/secondary.m3u/level.doc\", \"product\": {\"name\": \"fr subsequent administration\", \"version\": \"1.0.0\", \"uid\": \"f7977eee-a4b4-11ee-bfd5-0242ac110004\", \"lang\": \"en\", \"vendor_name\": \"combining concentrate gmt\"}, \"uid\": \"f797833a-a4b4-11ee-b077-0242ac110004\", \"type_id\": 7, \"parent_folder\": \"matthew eos tests/secondary.m3u\", \"confidentiality\": \"cigarettes subjects terrain\", \"created_time\": 1703680765003470, \"hashes\": [{\"value\": \"8F489E765ADD66CEA532CA1AFF150E01610199E3\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"98062F4DEE9A192C300D278008F1B6A2CB646B356D0DE1EFC340001AE12A69098A73CEB81AE52DA4A6D2158B11CD671482A7862402909FCB7C8588D490E677E6\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"user\": {\"name\": \"Acoustic\", \"type\": \"configuration\", \"uid\": \"f797ac16-a4b4-11ee-9910-0242ac110004\", \"org\": {\"name\": \"could director frankfurt\", \"uid\": \"f797b9fe-a4b4-11ee-a468-0242ac110004\", \"ou_name\": \"larry about arbitrary\"}, \"type_id\": 99, \"full_name\": \"Dannie 
Meagan\", \"email_addr\": \"Jen@atmosphere.mobi\"}, \"uid\": \"f797dcc2-a4b4-11ee-9f52-0242ac110004\", \"cmd_line\": \"buck advocacy initiatives\", \"created_time\": 1703680765005764, \"lineage\": [\"legend investigated adjustments\", \"sheet eligible regardless\"], \"sandbox\": \"survivors launched lodging\"}, \"user\": {\"name\": \"Tribes\", \"type\": \"System\", \"uid\": \"f797fc8e-a4b4-11ee-adc3-0242ac110004\", \"type_id\": 3, \"email_addr\": \"Wenona@gnu.name\"}, \"invoked_by\": \"beat tables rising\"}, \"end_time\": 1703680764999344, \"file_diff\": \"remote surprise tale\", \"severity_id\": 4, \"status_detail\": \"not jar user\", \"status_id\": 99}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"message\": \"memorial vacation gains\", \"status\": \"jet\", \"time\": 1703680765007341, \"file\": {\"name\": \"validation.mp4\", \"owner\": {\"name\": \"Grid\", \"type\": \"System\", \"uid\": \"f7982966-a4b4-11ee-a3fa-0242ac110004\", \"type_id\": 3, \"credential_uid\": \"f7982dd0-a4b4-11ee-b2ca-0242ac110004\", \"uid_alt\": \"mud faculty coast\"}, \"type\": \"Folder\", \"version\": \"1.0.0\", \"path\": \"rc sharp flow/tells.hqx/validation.mp4\", \"product\": {\"name\": \"opens subdivision marc\", \"version\": \"1.0.0\", \"uid\": \"f79834c4-a4b4-11ee-bc9e-0242ac110004\", \"lang\": \"en\", \"url_string\": \"flyer\", \"vendor_name\": \"assumes defensive pets\"}, \"type_id\": 2, \"parent_folder\": \"rc sharp flow/tells.hqx\", \"accessed_time\": 1703680765008026, \"hashes\": [{\"value\": \"90DDECE3C6BD7FFFE83AF4D6DA7D1D47BDD3BC4B8C55E4FB6014A6197DA2199E\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"modified_time\": 1703680765008073}, \"device\": {\"name\": \"coated sacred waiver\", \"type\": \"Browser\", \"os\": {\"name\": \"producers assessing iran\", \"type\": \"HP-UX\", \"type_id\": 402, \"lang\": \"en\", \"sp_name\": \"mod booth seller\", \"sp_ver\": 
45}, \"ip\": \"250.253.200.33\", \"hostname\": \"trends.org\", \"uid\": \"f798170a-a4b4-11ee-91ce-0242ac110004\", \"type_id\": 8, \"created_time\": 1703680765007313, \"imei\": \"genetics half institutional\", \"instance_uid\": \"f7980b52-a4b4-11ee-9b5a-0242ac110004\", \"interface_name\": \"visitors fa trinity\", \"interface_uid\": \"f798130e-a4b4-11ee-8b87-0242ac110004\", \"network_interfaces\": [{\"name\": \"ons physically championship\", \"type\": \"Wireless\", \"hostname\": \"overhead.mil\", \"mac\": \"9D:F9:D3:48:CD:B9:EC:8B\", \"namespace\": \"sociology collectible myers\", \"type_id\": 2}], \"region\": \"first universe furnishings\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"cult c table\", \"uid\": \"f7975f7c-a4b4-11ee-9e82-0242ac110004\", \"feature\": {\"name\": \"quad back ne\", \"version\": \"1.0.0\", \"uid\": \"f7976a76-a4b4-11ee-ba7c-0242ac110004\"}, \"lang\": \"en\", \"vendor_name\": \"kazakhstan yugoslavia danish\"}, \"profiles\": [], \"log_name\": \"conjunction wa alot\", \"log_provider\": \"answering gb single\", \"log_version\": \"exposure dx maui\", \"logged_time\": 1703680765002867, \"original_time\": \"postings hawaii aaa\"}, \"severity\": \"High\", \"duration\": 62, \"type_name\": \"File System Activity: Encrypt\", \"category_name\": \"System Activity\", \"activity_id\": 10, \"type_uid\": 100110, \"class_uid\": 1001, \"category_uid\": 1, \"class_name\": \"File System Activity\", \"timezone_offset\": 8, \"activity_name\": \"Encrypt\", \"actor\": {\"process\": {\"name\": \"Interventions\", \"pid\": 18, \"file\": {\"name\": \"level.doc\", \"type\": \"Symbolic Link\", \"path\": \"matthew eos tests/secondary.m3u/level.doc\", \"product\": {\"name\": \"fr subsequent administration\", \"version\": \"1.0.0\", \"uid\": \"f7977eee-a4b4-11ee-bfd5-0242ac110004\", \"lang\": \"en\", \"vendor_name\": \"combining concentrate gmt\"}, \"uid\": \"f797833a-a4b4-11ee-b077-0242ac110004\", \"type_id\": 7, \"parent_folder\": \"matthew eos 
tests/secondary.m3u\", \"confidentiality\": \"cigarettes subjects terrain\", \"created_time\": 1703680765003470, \"hashes\": [{\"value\": \"8F489E765ADD66CEA532CA1AFF150E01610199E3\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"98062F4DEE9A192C300D278008F1B6A2CB646B356D0DE1EFC340001AE12A69098A73CEB81AE52DA4A6D2158B11CD671482A7862402909FCB7C8588D490E677E6\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"user\": {\"name\": \"Acoustic\", \"type\": \"configuration\", \"uid\": \"f797ac16-a4b4-11ee-9910-0242ac110004\", \"org\": {\"name\": \"could director frankfurt\", \"uid\": \"f797b9fe-a4b4-11ee-a468-0242ac110004\", \"ou_name\": \"larry about arbitrary\"}, \"type_id\": 99, \"full_name\": \"Dannie Meagan\", \"email_addr\": \"Jen@atmosphere.mobi\"}, \"uid\": \"f797dcc2-a4b4-11ee-9f52-0242ac110004\", \"cmd_line\": \"buck advocacy initiatives\", \"created_time\": 1703680765005764, \"lineage\": [\"legend investigated adjustments\", \"sheet eligible regardless\"], \"sandbox\": \"survivors launched lodging\"}, \"user\": {\"name\": \"Tribes\", \"type\": \"System\", \"uid\": \"f797fc8e-a4b4-11ee-adc3-0242ac110004\", \"type_id\": 3, \"email_addr\": \"Wenona@gnu.name\"}, \"invoked_by\": \"beat tables rising\"}, \"end_time\": 1703680764999344, \"file_diff\": \"remote surprise tale\", \"severity_id\": 4, \"status_detail\": \"not jar user\", \"status_id\": 99}", + "@timestamp": "2023-12-27T12:39:25.007341Z", + "ocsf": { + "activity_id": "10", + "activity_name": "Encrypt", + "actor": { + "invoked_by": "beat tables rising", + "process": { + "cmd_line": "buck advocacy initiatives", + "created_time": 1703680765005764, + "file": { + "confidentiality": "cigarettes subjects terrain", + "created_time": 1703680765003470, + "hashes": [ + { + "algorithm": "SHA-1", + "algorithm_id": "2", + "value": "8F489E765ADD66CEA532CA1AFF150E01610199E3" + }, + { + "algorithm": "CTPH", + "algorithm_id": "5", + "value": 
"98062F4DEE9A192C300D278008F1B6A2CB646B356D0DE1EFC340001AE12A69098A73CEB81AE52DA4A6D2158B11CD671482A7862402909FCB7C8588D490E677E6"
+ }
+ ],
+ "name": "level.doc",
+ "parent_folder": "matthew eos tests/secondary.m3u",
+ "path": "matthew eos tests/secondary.m3u/level.doc",
+ "product": {
+ "lang": "en",
+ "name": "fr subsequent administration",
+ "uid": "f7977eee-a4b4-11ee-bfd5-0242ac110004",
+ "vendor_name": "combining concentrate gmt",
+ "version": "1.0.0"
+ },
+ "type": "Symbolic Link",
+ "type_id": "7",
+ "uid": "f797833a-a4b4-11ee-b077-0242ac110004"
+ },
+ "lineage": [
+ "legend investigated adjustments",
+ "sheet eligible regardless"
+ ],
+ "name": "Interventions",
+ "pid": 18,
+ "sandbox": "survivors launched lodging",
+ "uid": "f797dcc2-a4b4-11ee-9f52-0242ac110004",
+ "user": {
+ "email_addr": "Jen@atmosphere.mobi",
+ "full_name": "Dannie Meagan",
+ "name": "Acoustic",
+ "org": {
+ "name": "could director frankfurt",
+ "ou_name": "larry about arbitrary",
+ "uid": "f797b9fe-a4b4-11ee-a468-0242ac110004"
+ },
+ "type": "configuration",
+ "type_id": "99",
+ "uid": "f797ac16-a4b4-11ee-9910-0242ac110004"
+ }
+ },
+ "user": {
+ "email_addr": "Wenona@gnu.name",
+ "name": "Tribes",
+ "type": "System",
+ "type_id": "3",
+ "uid": "f797fc8e-a4b4-11ee-adc3-0242ac110004"
+ }
+ },
+ "category_name": "System Activity",
+ "category_uid": "1",
+ "class_name": "File System Activity",
+ "class_uid": "1001",
+ "device": {
+ "created_time": 1703680765007313,
+ "hostname": "trends.org",
+ "imei": "genetics half institutional",
+ "instance_uid": "f7980b52-a4b4-11ee-9b5a-0242ac110004",
+ "interface_name": "visitors fa trinity",
+ "interface_uid": "f798130e-a4b4-11ee-8b87-0242ac110004",
+ "ip": "250.253.200.33",
+ "name": "coated sacred waiver",
+ "network_interfaces": [
+ {
+ "hostname": "overhead.mil",
+ "mac": "9D:F9:D3:48:CD:B9:EC:8B",
+ "name": "ons physically championship",
+ "namespace": "sociology collectible myers",
+ "type": "Wireless",
+ "type_id": "2"
+ }
+ ],
+ "os": {
+
"lang": "en",
+ "name": "producers assessing iran",
+ "sp_name": "mod booth seller",
+ "sp_ver": "45",
+ "type": "HP-UX",
+ "type_id": "402"
+ },
+ "region": "first universe furnishings",
+ "type": "Browser",
+ "type_id": "8",
+ "uid": "f798170a-a4b4-11ee-91ce-0242ac110004"
+ },
+ "duration": 62,
+ "end_time": 1703680764999344,
+ "file": {
+ "accessed_time": 1703680765008026,
+ "hashes": [
+ {
+ "algorithm": "SHA-256",
+ "algorithm_id": "3",
+ "value": "90DDECE3C6BD7FFFE83AF4D6DA7D1D47BDD3BC4B8C55E4FB6014A6197DA2199E"
+ }
+ ],
+ "modified_time": 1703680765008073,
+ "name": "validation.mp4",
+ "owner": {
+ "credential_uid": "f7982dd0-a4b4-11ee-b2ca-0242ac110004",
+ "name": "Grid",
+ "type": "System",
+ "type_id": "3",
+ "uid": "f7982966-a4b4-11ee-a3fa-0242ac110004",
+ "uid_alt": "mud faculty coast"
+ },
+ "parent_folder": "rc sharp flow/tells.hqx",
+ "path": "rc sharp flow/tells.hqx/validation.mp4",
+ "product": {
+ "lang": "en",
+ "name": "opens subdivision marc",
+ "uid": "f79834c4-a4b4-11ee-bc9e-0242ac110004",
+ "url_string": "flyer",
+ "vendor_name": "assumes defensive pets",
+ "version": "1.0.0"
+ },
+ "type": "Folder",
+ "type_id": "2",
+ "version": "1.0.0"
+ },
+ "file_diff": "remote surprise tale",
+ "message": "memorial vacation gains",
+ "metadata": {
+ "log_name": "conjunction wa alot",
+ "log_provider": "answering gb single",
+ "log_version": "exposure dx maui",
+ "logged_time": 1703680765002867,
+ "original_time": "postings hawaii aaa",
+ "product": {
+ "feature": {
+ "name": "quad back ne",
+ "uid": "f7976a76-a4b4-11ee-ba7c-0242ac110004",
+ "version": "1.0.0"
+ },
+ "lang": "en",
+ "name": "cult c table",
+ "uid": "f7975f7c-a4b4-11ee-9e82-0242ac110004",
+ "vendor_name": "kazakhstan yugoslavia danish"
+ },
+ "profiles": [],
+ "version": "1.0.0"
+ },
+ "severity": "High",
+ "severity_id": 4,
+ "status": "jet",
+ "status_detail": "not jar user",
+ "status_id": "99",
+ "timezone_offset": 8,
+ "type_name": "File System Activity: Encrypt",
+ "type_uid":
"100110"
+ }
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_process_activity.json b/OCSF/ocsf/tests/test_process_activity.json
new file mode 100644
index 000000000..d54361c61
--- /dev/null
+++ b/OCSF/ocsf/tests/test_process_activity.json
@@ -0,0 +1,142 @@ +{ + "input": { + "message": "{\"message\": \"ln centered engaged\", \"process\": {\"name\": \"Christine\", \"pid\": 49, \"file\": {\"name\": \"capture.key\", \"type\": \"Named Pipe\", \"path\": \"retrieval result greece/cooking.dds/capture.key\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"pac olympus bs\", \"issuer\": \"noble medal hay\", \"fingerprints\": [{\"value\": \"07A7C43357C379B3AE9EF43EF042D2A9741BE1BED49FBC735D4A00A6C2FCDABB\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1703680986265475, \"expiration_time\": 1703680986265487, \"serial_number\": \"po anna nudist\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"type_id\": 6, \"accessor\": {\"name\": \"Tools\", \"type\": \"impaired\", \"domain\": \"style mining rob\", \"type_id\": 99, \"full_name\": \"Ezra Carolyn\"}, \"creator\": {\"name\": \"Permits\", \"type\": \"System\", \"uid\": \"7b797c12-a4b5-11ee-ac2e-0242ac110004\", \"org\": {\"name\": \"goods hebrew tops\", \"uid\": \"7b798234-a4b5-11ee-9a21-0242ac110004\", \"ou_name\": \"horses titles sensor\", \"ou_uid\": \"7b798fb8-a4b5-11ee-baaa-0242ac110004\"}, \"groups\": [{\"name\": \"checking say elimination\", \"type\": \"protein rush spirituality\", \"uid\": \"7b7997c4-a4b5-11ee-b340-0242ac110004\"}, {\"name\": \"amd wc entering\", \"type\": \"strengths charge airport\", \"uid\": \"7b79a106-a4b5-11ee-b7d4-0242ac110004\"}], \"type_id\": 3, \"credential_uid\": \"7b79a5de-a4b5-11ee-bdf5-0242ac110004\"}, \"parent_folder\": \"retrieval result greece/cooking.dds\", \"security_descriptor\": \"relates competition influences\"}, \"user\": {\"type\": \"User\", \"domain\": \"rich fascinating babies\", \"uid\": \"7b79b0d8-a4b5-11ee-9d3b-0242ac110004\", \"type_id\": 1}, \"uid\": \"7b79ba2e-a4b5-11ee-9da9-0242ac110004\", \"session\": {\"uid\": \"7b79bfe2-a4b5-11ee-9790-0242ac110004\", \"uuid\": \"7b79c348-a4b5-11ee-a78e-0242ac110004\", \"issuer\": \"acquire soundtrack dentists\", 
\"created_time\": 1703680986267749, \"expiration_time\": 1703680986267759, \"is_remote\": false}, \"cmd_line\": \"template photographs thickness\", \"created_time\": 1703680986267769, \"parent_process\": {\"name\": \"Norway\", \"pid\": 97, \"file\": {\"attributes\": 20, \"name\": \"graduates.xlr\", \"type\": \"Character Device\", \"path\": \"dj hat sacrifice/anthropology.xml/graduates.xlr\", \"desc\": \"wife richardson tough\", \"type_id\": 3, \"accessor\": {\"name\": \"Walker\", \"type\": \"User\", \"domain\": \"adaptive vocal connect\", \"uid\": \"7b79d72a-a4b5-11ee-9491-0242ac110004\", \"type_id\": 1, \"credential_uid\": \"7b79db26-a4b5-11ee-9622-0242ac110004\"}, \"parent_folder\": \"dj hat sacrifice/anthropology.xml\", \"hashes\": [{\"value\": \"EF7CC4A402D8013B9E9699D07CBC14E3C55F5C5077C0E966DE86C3EE2751C748AEFF871E8DF294BCF1EA48DAC792946F2059A9A61F8BCB009BAC23FBEE1874CB\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"2E7435702BABF778619110BEFDD08E463FD9D525111EBEB5B7B7C35582EC89818D1758C14029D6962C0CA58552B0516B1C3D4AFCC3A9B8E655F57842FBA4B305\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": false}, \"user\": {\"name\": \"Examples\", \"type\": \"User\", \"type_id\": 1, \"uid_alt\": \"headers yo regard\"}, \"uid\": \"7b79eda0-a4b5-11ee-b42e-0242ac110004\", \"session\": {\"uid\": \"7b79f30e-a4b5-11ee-ba3b-0242ac110004\", \"issuer\": \"incoming execute acdbentity\", \"created_time\": 1703680986268969, \"is_remote\": false}, \"cmd_line\": \"assessed he compaq\", \"created_time\": 1703680986268986, \"parent_process\": {\"name\": \"Zinc\", \"pid\": 58, \"file\": {\"attributes\": 74, \"name\": \"poverty.pdb\", \"type\": \"interests\", \"path\": \"besides fail stays/price.csr/poverty.pdb\", \"type_id\": 99, \"creator\": {\"name\": \"Succeed\", \"type\": \"Unknown\", \"domain\": \"tutorial niger essentially\", \"uid\": \"7b7a0682-a4b5-11ee-8137-0242ac110004\", \"type_id\": 0, \"uid_alt\": \"keeps face grain\"}, 
\"parent_folder\": \"besides fail stays/price.csr\", \"accessed_time\": 1703680986269471, \"hashes\": [{\"value\": \"DE27F1003BAC8F2CFA275C185BFCB7AF130EC26C2A381565EF1E0D53561298D740AE99098293A5DA2D77E710184E30BB3AC29B571921CEC6D9466DF5747EACEE\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"2CB1B780138BC273459232EDDA0E4B96\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"user\": {\"name\": \"Sheep\", \"type\": \"Unknown\", \"domain\": \"delivery commented support\", \"type_id\": 0, \"full_name\": \"Kiyoko Dominic\", \"email_addr\": \"Felicita@luxury.edu\", \"uid_alt\": \"gibson ga proprietary\"}, \"uid\": \"7b7a2054-a4b5-11ee-a6b9-0242ac110004\", \"cmd_line\": \"muscle performing worry\", \"created_time\": 1703680986270129, \"xattributes\": {}}}}, \"time\": 1703680986272045, \"device\": {\"name\": \"evening conditions deny\", \"type\": \"Mobile\", \"ip\": \"15.108.66.75\", \"hostname\": \"nurse.coop\", \"mac\": \"BB:9D:1F:28:EF:88:89:59\", \"type_id\": 5, \"instance_uid\": \"7b7a5902-a4b5-11ee-9f52-0242ac110004\", \"interface_name\": \"label ok research\", \"interface_uid\": \"7b7a649c-a4b5-11ee-89b8-0242ac110004\", \"is_compliant\": true, \"is_personal\": false, \"modified_time\": 1703680986272022, \"region\": \"lender scenarios lawyers\", \"subnet_uid\": \"7b7a6abe-a4b5-11ee-974d-0242ac110004\", \"uid_alt\": \"fifty acres evanescence\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"satisfied believe eq\", \"version\": \"1.0.0\", \"path\": \"arabic reg noise\", \"uid\": \"7b7a2f72-a4b5-11ee-9478-0242ac110004\", \"lang\": \"en\", \"url_string\": \"dumb\", \"vendor_name\": \"stunning reviewed climbing\"}, \"profiles\": [], \"log_name\": \"gpl saving steven\", \"log_provider\": \"weak inquiry relation\", \"original_time\": \"florists alot midlands\"}, \"severity\": \"Unknown\", \"type_name\": \"Process Activity: Launch\", \"category_name\": \"System Activity\", \"activity_id\": 1, \"type_uid\": 100701, \"class_uid\": 1007, 
\"category_uid\": 1, \"class_name\": \"Process Activity\", \"timezone_offset\": 96, \"activity_name\": \"Launch\", \"actor\": {\"user\": {\"name\": \"Aluminum\", \"type\": \"System\", \"uid\": \"7b7a45ca-a4b5-11ee-9086-0242ac110004\", \"type_id\": 3}, \"invoked_by\": \"montreal cisco legal\"}, \"severity_id\": 0}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"message\": \"ln centered engaged\", \"process\": {\"name\": \"Christine\", \"pid\": 49, \"file\": {\"name\": \"capture.key\", \"type\": \"Named Pipe\", \"path\": \"retrieval result greece/cooking.dds/capture.key\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"pac olympus bs\", \"issuer\": \"noble medal hay\", \"fingerprints\": [{\"value\": \"07A7C43357C379B3AE9EF43EF042D2A9741BE1BED49FBC735D4A00A6C2FCDABB\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1703680986265475, \"expiration_time\": 1703680986265487, \"serial_number\": \"po anna nudist\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"type_id\": 6, \"accessor\": {\"name\": \"Tools\", \"type\": \"impaired\", \"domain\": \"style mining rob\", \"type_id\": 99, \"full_name\": \"Ezra Carolyn\"}, \"creator\": {\"name\": \"Permits\", \"type\": \"System\", \"uid\": \"7b797c12-a4b5-11ee-ac2e-0242ac110004\", \"org\": {\"name\": \"goods hebrew tops\", \"uid\": \"7b798234-a4b5-11ee-9a21-0242ac110004\", \"ou_name\": \"horses titles sensor\", \"ou_uid\": \"7b798fb8-a4b5-11ee-baaa-0242ac110004\"}, \"groups\": [{\"name\": \"checking say elimination\", \"type\": \"protein rush spirituality\", \"uid\": \"7b7997c4-a4b5-11ee-b340-0242ac110004\"}, {\"name\": \"amd wc entering\", \"type\": \"strengths charge airport\", \"uid\": \"7b79a106-a4b5-11ee-b7d4-0242ac110004\"}], \"type_id\": 3, \"credential_uid\": \"7b79a5de-a4b5-11ee-bdf5-0242ac110004\"}, \"parent_folder\": \"retrieval result greece/cooking.dds\", 
\"security_descriptor\": \"relates competition influences\"}, \"user\": {\"type\": \"User\", \"domain\": \"rich fascinating babies\", \"uid\": \"7b79b0d8-a4b5-11ee-9d3b-0242ac110004\", \"type_id\": 1}, \"uid\": \"7b79ba2e-a4b5-11ee-9da9-0242ac110004\", \"session\": {\"uid\": \"7b79bfe2-a4b5-11ee-9790-0242ac110004\", \"uuid\": \"7b79c348-a4b5-11ee-a78e-0242ac110004\", \"issuer\": \"acquire soundtrack dentists\", \"created_time\": 1703680986267749, \"expiration_time\": 1703680986267759, \"is_remote\": false}, \"cmd_line\": \"template photographs thickness\", \"created_time\": 1703680986267769, \"parent_process\": {\"name\": \"Norway\", \"pid\": 97, \"file\": {\"attributes\": 20, \"name\": \"graduates.xlr\", \"type\": \"Character Device\", \"path\": \"dj hat sacrifice/anthropology.xml/graduates.xlr\", \"desc\": \"wife richardson tough\", \"type_id\": 3, \"accessor\": {\"name\": \"Walker\", \"type\": \"User\", \"domain\": \"adaptive vocal connect\", \"uid\": \"7b79d72a-a4b5-11ee-9491-0242ac110004\", \"type_id\": 1, \"credential_uid\": \"7b79db26-a4b5-11ee-9622-0242ac110004\"}, \"parent_folder\": \"dj hat sacrifice/anthropology.xml\", \"hashes\": [{\"value\": \"EF7CC4A402D8013B9E9699D07CBC14E3C55F5C5077C0E966DE86C3EE2751C748AEFF871E8DF294BCF1EA48DAC792946F2059A9A61F8BCB009BAC23FBEE1874CB\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"2E7435702BABF778619110BEFDD08E463FD9D525111EBEB5B7B7C35582EC89818D1758C14029D6962C0CA58552B0516B1C3D4AFCC3A9B8E655F57842FBA4B305\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": false}, \"user\": {\"name\": \"Examples\", \"type\": \"User\", \"type_id\": 1, \"uid_alt\": \"headers yo regard\"}, \"uid\": \"7b79eda0-a4b5-11ee-b42e-0242ac110004\", \"session\": {\"uid\": \"7b79f30e-a4b5-11ee-ba3b-0242ac110004\", \"issuer\": \"incoming execute acdbentity\", \"created_time\": 1703680986268969, \"is_remote\": false}, \"cmd_line\": \"assessed he compaq\", \"created_time\": 1703680986268986, 
\"parent_process\": {\"name\": \"Zinc\", \"pid\": 58, \"file\": {\"attributes\": 74, \"name\": \"poverty.pdb\", \"type\": \"interests\", \"path\": \"besides fail stays/price.csr/poverty.pdb\", \"type_id\": 99, \"creator\": {\"name\": \"Succeed\", \"type\": \"Unknown\", \"domain\": \"tutorial niger essentially\", \"uid\": \"7b7a0682-a4b5-11ee-8137-0242ac110004\", \"type_id\": 0, \"uid_alt\": \"keeps face grain\"}, \"parent_folder\": \"besides fail stays/price.csr\", \"accessed_time\": 1703680986269471, \"hashes\": [{\"value\": \"DE27F1003BAC8F2CFA275C185BFCB7AF130EC26C2A381565EF1E0D53561298D740AE99098293A5DA2D77E710184E30BB3AC29B571921CEC6D9466DF5747EACEE\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"2CB1B780138BC273459232EDDA0E4B96\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"user\": {\"name\": \"Sheep\", \"type\": \"Unknown\", \"domain\": \"delivery commented support\", \"type_id\": 0, \"full_name\": \"Kiyoko Dominic\", \"email_addr\": \"Felicita@luxury.edu\", \"uid_alt\": \"gibson ga proprietary\"}, \"uid\": \"7b7a2054-a4b5-11ee-a6b9-0242ac110004\", \"cmd_line\": \"muscle performing worry\", \"created_time\": 1703680986270129, \"xattributes\": {}}}}, \"time\": 1703680986272045, \"device\": {\"name\": \"evening conditions deny\", \"type\": \"Mobile\", \"ip\": \"15.108.66.75\", \"hostname\": \"nurse.coop\", \"mac\": \"BB:9D:1F:28:EF:88:89:59\", \"type_id\": 5, \"instance_uid\": \"7b7a5902-a4b5-11ee-9f52-0242ac110004\", \"interface_name\": \"label ok research\", \"interface_uid\": \"7b7a649c-a4b5-11ee-89b8-0242ac110004\", \"is_compliant\": true, \"is_personal\": false, \"modified_time\": 1703680986272022, \"region\": \"lender scenarios lawyers\", \"subnet_uid\": \"7b7a6abe-a4b5-11ee-974d-0242ac110004\", \"uid_alt\": \"fifty acres evanescence\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"satisfied believe eq\", \"version\": \"1.0.0\", \"path\": \"arabic reg noise\", \"uid\": \"7b7a2f72-a4b5-11ee-9478-0242ac110004\", 
\"lang\": \"en\", \"url_string\": \"dumb\", \"vendor_name\": \"stunning reviewed climbing\"}, \"profiles\": [], \"log_name\": \"gpl saving steven\", \"log_provider\": \"weak inquiry relation\", \"original_time\": \"florists alot midlands\"}, \"severity\": \"Unknown\", \"type_name\": \"Process Activity: Launch\", \"category_name\": \"System Activity\", \"activity_id\": 1, \"type_uid\": 100701, \"class_uid\": 1007, \"category_uid\": 1, \"class_name\": \"Process Activity\", \"timezone_offset\": 96, \"activity_name\": \"Launch\", \"actor\": {\"user\": {\"name\": \"Aluminum\", \"type\": \"System\", \"uid\": \"7b7a45ca-a4b5-11ee-9086-0242ac110004\", \"type_id\": 3}, \"invoked_by\": \"montreal cisco legal\"}, \"severity_id\": 0}", + "@timestamp": "2023-12-27T12:43:06.272045Z", + "ocsf": { + "activity_id": "1", + "activity_name": "Launch", + "actor": { + "invoked_by": "montreal cisco legal", + "user": { + "name": "Aluminum", + "type": "System", + "type_id": "3", + "uid": "7b7a45ca-a4b5-11ee-9086-0242ac110004" + } + }, + "category_name": "System Activity", + "category_uid": "1", + "class_name": "Process Activity", + "class_uid": "1007", + "device": { + "hostname": "nurse.coop", + "instance_uid": "7b7a5902-a4b5-11ee-9f52-0242ac110004", + "interface_name": "label ok research", + "interface_uid": "7b7a649c-a4b5-11ee-89b8-0242ac110004", + "ip": "15.108.66.75", + "is_compliant": true, + "is_personal": false, + "mac": "BB:9D:1F:28:EF:88:89:59", + "modified_time": 1703680986272022, + "name": "evening conditions deny", + "region": "lender scenarios lawyers", + "subnet_uid": "7b7a6abe-a4b5-11ee-974d-0242ac110004", + "type": "Mobile", + "type_id": "5", + "uid_alt": "fifty acres evanescence" + }, + "message": "ln centered engaged", + "metadata": { + "log_name": "gpl saving steven", + "log_provider": "weak inquiry relation", + "original_time": "florists alot midlands", + "product": { + "lang": "en", + "name": "satisfied believe eq", + "path": "arabic reg noise", + "uid": 
"7b7a2f72-a4b5-11ee-9478-0242ac110004", + "url_string": "dumb", + "vendor_name": "stunning reviewed climbing", + "version": "1.0.0" + }, + "profiles": [], + "version": "1.0.0" + }, + "process": { + "file": { + "creator": { + "groups": [ + {}, + {} + ] + }, + "signature": { + "certificate": { + "fingerprints": [ + {} + ] + } + } + }, + "parent_process": { + "file": { + "hashes": [ + {}, + {} + ] + }, + "parent_process": { + "file": { + "hashes": [ + {}, + {} + ] + } + } + } + }, + "severity": "Unknown", + "severity_id": 0, + "timezone_offset": 96, + "type_name": "Process Activity: Launch", + "type_uid": "100701" + }, + "process": { + "file": { + "creator": { + "groups": [ + {}, + {} + ] + }, + "signature": { + "certificate": { + "fingerprints": [ + {} + ] + } + } + }, + "name": "Christine", + "parent_process": { + "file": { + "hashes": [ + {}, + {} + ] + }, + "parent_process": { + "file": { + "hashes": [ + {}, + {} + ] + } + } + }, + "pid": 49, + "user": { + "domain": "rich fascinating babies" + } + } + } +} \ No newline at end of file From c5960957c557264b94354cc36665130fee4ed540 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Fri, 26 Jan 2024 11:48:15 +0200 Subject: [PATCH 02/34] Add fields --- OCSF/README.md | 4 +- OCSF/ocsf/_meta/smart-descriptions.json | 3 + OCSF/ocsf/ingest/parser.yml | 303 ++++++++++++++++++++- OCSF/ocsf/tests/test_file_activity.json | 2 +- OCSF/ocsf/tests/test_process_activity.json | 40 +-- 5 files changed, 314 insertions(+), 38 deletions(-) diff --git a/OCSF/README.md b/OCSF/README.md index e60aa9bf8..f27b1e647 100644 --- a/OCSF/README.md +++ b/OCSF/README.md @@ -1,7 +1,9 @@ # OCSF ## Description + OCSF ## Intakes -* + +- diff --git a/OCSF/ocsf/_meta/smart-descriptions.json b/OCSF/ocsf/_meta/smart-descriptions.json index e69de29bb..c44dc44f3 100644 --- a/OCSF/ocsf/_meta/smart-descriptions.json +++ b/OCSF/ocsf/_meta/smart-descriptions.json @@ -0,0 +1,3 @@ +[ + +] \ No newline at end of file 
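Review bot: The expected output pins data loss as correct behaviour: the input carries two `process.file.creator.groups` entries with names and uids, one certificate fingerprint and four file hashes with values, yet the fixture expects `"groups": [{}, {}]`, `"fingerprints": [{}]` and `"hashes": [{}, {}]` under both `ocsf.process` and `process`, so group identifiers, hash values and the signing-certificate fingerprint are silently discarded for process-activity events. The file-activity fixture in the same patch keeps `ocsf.actor.process.file.hashes[].value` intact, which suggests (to be confirmed against fields.yml) that only declared paths survive and the `ocsf.process.*` list fields are simply not declared. Either declare those fields so the values are retained — they are the indicators an analyst pivots on — or make the fixture expect the arrays to be absent rather than lists of empty objects, which is what a consumer would otherwise read as "empty groups/hashes".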
diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml
index 246ed1a23..e893b23ec 100644
--- a/OCSF/ocsf/ingest/parser.yml
+++ b/OCSF/ocsf/ingest/parser.yml
@@ -1,19 +1,312 @@ name: ocsf pipeline: - - name: parse_message + - name: parse_event external: name: json.parse-json properties: - input_field: '{{original.message}}' + input_field: "{{original.message}}" output_field: message + - name: parse_date_end_time_dt + external: + name: date.parse + properties: + input_field: '{{ parse_event.message.end_time_dt }}' + output_field: datetime + filter: '{{ parse_event.message.end_time_dt != None and parse_event.message.end_time_dt != '''' }}' + + - name: parse_date_end_time + external: + name: date.parse + properties: + input_field: '{{ parse_event.message.end_time }}' + output_field: datetime + filter: '{{ parse_event.message.end_time != None and parse_event.message.end_time != '''' }}' + + - name: parse_date_timestamp_from_time_dt + external: + name: date.parse + properties: + input_field: '{{ parse_event.message.time_dt }}' + output_field: datetime + filter: '{{ parse_event.message.time_dt != None and parse_event.message.time_dt != '''' }}' + + - name: parse_date_timestamp_from_time + external: + name: date.parse + properties: + input_field: '{{ parse_event.message.time }}' + output_field: datetime + filter: '{{ parse_event.message.time != None and parse_event.message.time != '''' }}' + + - name: parse_date_time_dt + external: + name: date.parse + properties: + input_field: '{{ parse_event.message.time_dt }}' + output_field: datetime + filter: '{{ parse_event.message.time_dt != None and parse_event.message.time_dt != '''' }}' + + - name: parse_date_time + external: + name: date.parse + properties: + input_field: '{{ parse_event.message.time }}' + output_field: datetime + filter: '{{ parse_event.message.time != None and parse_event.message.time != '''' }}' + + - name: parse_date_metadata_logged_time_dt + external: + name: date.parse + properties: + input_field: '{{ parse_event.message.metadata.logged_time_dt }}' + output_field: datetime + filter: '{{ parse_event.message.metadata.logged_time_dt != None and 
parse_event.message.metadata.logged_time_dt != '''' }}' + + - name: parse_date_metadata_logged_time + external: + name: date.parse + properties: + input_field: '{{ parse_event.message.metadata.logged_time }}' + output_field: datetime + filter: '{{ parse_event.message.metadata.logged_time != None and parse_event.message.metadata.logged_time != '''' }}' + + - name: parse_date_metadata_modified_time_dt + external: + name: date.parse + properties: + input_field: '{{ parse_event.message.metadata.modified_time_dt }}' + output_field: datetime + filter: '{{ parse_event.message.metadata.modified_time_dt != None and parse_event.message.metadata.modified_time_dt != '''' }}' + + - name: parse_date_metadata_modified_time + external: + name: date.parse + properties: + input_field: '{{ parse_event.message.metadata.modified_time }}' + output_field: datetime + filter: '{{ parse_event.message.metadata.modified_time != None and parse_event.message.metadata.modified_time != '''' }}' + + - name: parse_date_metadata_processed_time_dt + external: + name: date.parse + properties: + input_field: '{{ parse_event.message.metadata.processed_time_dt }}' + output_field: datetime + filter: '{{ parse_event.message.metadata.processed_time_dt != None and parse_event.message.metadata.processed_time_dt != '''' }}' + + - name: parse_date_metadata_processed_time + external: + name: date.parse + properties: + input_field: '{{ parse_event.message.metadata.processed_time }}' + output_field: datetime + filter: '{{ parse_event.message.metadata.processed_time != None and parse_event.message.metadata.processed_time != '''' }}' + + - name: parse_date_start_time_dt + external: + name: date.parse + properties: + input_field: '{{ parse_event.message.start_time_dt }}' + output_field: datetime + filter: '{{ parse_event.message.start_time_dt != None and parse_event.message.start_time_dt != '''' }}' + + - name: parse_date_start_time + external: + name: date.parse + properties: + input_field: '{{ 
parse_event.message.start_time }}' + output_field: datetime + filter: '{{ parse_event.message.start_time != None and parse_event.message.start_time != '''' }}' + + - name: set_event_kind + - name: set_event_category + - name: set_event_type + - name: set_common_fields - name: set_fields stages: + set_event_kind: + actions: + - set: + event.kind: "event" + filter: "{{parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,3001,3002,3003,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,5001,5002,6001,6002,6003,6004]}}" + + - set: + event.kind: "alert" + filter: "{{parse_event.message.class_uid == 2001}}" + + set_event_category: + actions: + - set: + event.category: ["malware"] + filter: "{{parse_event.message.class_uid == 2001 and parse_event.message.malware != null}}" + + - set: + event.category: [ "vulnerability" ] + filter: "{{parse_event.message.class_uid == 2001 and parse_event.message.vulnerabilities != null}}" + + - set: + event.category: [ "iam" ] + filter: "{{parse_event.message.class_uid in [3001, 3005, 3006]}}" + + - set: + event.category: [ "authentication" ] + filter: "{{parse_event.message.class_uid == 3002}}" + + - set: + event.category: [ "session" ] + filter: "{{parse_event.message.class_uid == 3003}}" + + - set: + event.category: [ "network" ] + filter: "{{parse_event.message.class_uid in [4001, 4003, 4004, 4005, 4007, 4008, 4010]}}" + + - set: + event.category: [ "api" ] + filter: "{{parse_event.message.class_uid in [4002, 4006]}}" + + - set: + event.category: [ "file" ] + filter: "{{parse_event.message.class_uid in [1001, 4006, 4008, 4010, 4011]}}" + + - set: + event.category: [ "email" ] + filter: "{{parse_event.message.class_uid in [4009, 4011, 4012]}}" + + - set: + event.category: [ "web" ] + filter: "{{parse_event.message.class_uid in [6003, 6004]}}" + + - set: + event.category: [ "package" ] + filter: "{{parse_event.message.class_uid == 6002}}" + + - set: + event.category: [ "configuration" ] + filter: 
"{{parse_event.message.class_uid == 5002}}" + + - set: + event.category: [ "driver" ] + filter: "{{parse_event.message.class_uid in [1002, 1003]}}" + + - set: + event.category: [ "process" ] + filter: "{{parse_event.message.class_uid == 1007}}" + + set_event_type: + actions: + - set: + event.type: ["info"] + filter: "{{parse_event.message.class_uid in [1001,1002,1003,1007,2001,3001,3002,3003,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,5001,5002,6002,6003,6004]}}" + + - set: + event.type: ["user"] + filter: "{{parse_event.message.class_uid in [3001, 3006]}}" + + - set: + event.type: ["group"] + filter: "{{parse_event.message.class_uid in [3005]}}" + + - set: + event.type: ["protocol"] + filter: "{{parse_event.message.class_uid in [4003,4004,4005,4007,4008]}}" + + - set: + event.type: ["creation"] + filter: "{{parse_event.message.class_uid in [1001,3001,4006,5002] and parse_event.message.activity_name in ['Create','File Create','Log']}}" + + - set: + event.type: ["access"] + filter: "{{parse_event.message.class_uid in [1001,4006,4010,5002,6004] and parse_event.message.activity_name in ['Read','File Open','Preview','Open','Access Grant','Access Deny','Access Revoke','Access Error','Log']}}" + + - set: + event.type: ["deletion"] + filter: "{{parse_event.message.class_uid in [1001,3001,4010,6002] and parse_event.message.activity_name in ['Delete','Remove']}}" + + - set: + event.type: ["start"] + filter: "{{parse_event.message.class_uid in [1007,3002,4001,4007,6002] and parse_event.message.activity_name in ['Launch','Logon','Open','Start']}}" + + - set: + event.type: ["end"] + filter: "{{parse_event.message.class_uid in [1007,3002,4001,4007,6002] and parse_event.message.activity_name in ['Terminate','Logoff','Close','Stop']}}" + + - set: + event.type: ["denied"] + filter: "{{parse_event.message.class_uid in [4001, 4003, 4004, 4007] and parse_event.message.activity_name in ['Refuse','Decline']}}" + + - set: + event.type: ["allowed"] + filter: 
"{{parse_event.message.class_uid in [4004] and parse_event.message.activity_name in ['Ack']}}" + + - set: + event.type: ["change"] + filter: "{{parse_event.message.class_uid in [1001, 4006, 4010] and parse_event.message.activity_name in ['Update','File Supersede','File Overwrite','Update','Rename']}}" + + - set: + event.type: ["connection"] + filter: "{{parse_event.message.class_uid in [4005] and parse_event.message.activity_name in ['Connect Request','Connect Response']}}" + + - set: + event.type: ["installation"] + filter: "{{parse_event.message.class_uid in [6002] and parse_event.message.activity_name in ['Install']}}" + + - set: + event.type: ["error"] + filter: "{{parse_event.message.class_uid in [6004] and parse_event.message.activity_name in ['Access Error']}}" + + set_common_fields: + actions: + - set: + cloud.account.id: "{{parse_event.message.cloud.account.uid}}" + cloud.account.name: "{{parse_event.message.cloud.account.name}}" + cloud.availability_zone: "{{parse_event.message.cloud.zone}}" + cloud.project.id: "{{parse_event.message.cloud.project_uid}}" + cloud.provider: "{{parse_event.message.cloud.provider}}" + cloud.region: "{{parse_event.message.cloud.region}}" + + event.action: "{{parse_event.message.activity_name.lower().replace(': ', '-')}}" + event.code: "{{parse_event.message.metadata.event_code}}" + event.duration: "{{parse_event.message.duration * 1_000_000}}" # in nanoseconds + # event.id: "{{parse_event.message.metadata.uid}}" # @todo we can't assign this. use custom field? 
+ event.provider: "{{parse_event.message.metadata.log_provider}}" + event.sequence: "{{parse_event.message.metadata.sequence}}" + + event.severity: "{{parse_event.message.severity_id}}" + + - set: + event.provider: "{{parse_event.message.metadata.product.vendor_name}}" + filter: "{{parse_event.message.metadata.log_provider == None}}" + + - set: + event.end: "{{parse_date_end_time_dt.datetime}}" + filter: "{{parse_date_end_time_dt.datetime != None}}" + + - set: + event.end: "{{parse_date_end_time.datetime}}" + filter: "{{parse_date_end_time.datetime != None}}" + + - set: + event.start: "{{parse_date_start_time_dt.datetime}}" + filter: "{{parse_date_start_time_dt.datetime != None}}" + + - set: + event.start: "{{parse_date_start_time.datetime}}" + filter: "{{parse_date_start_time.datetime != None}}" + + - translate: + dictionary: + 0: "unknown" + 1: "success" + 2: "failure" + mapping: + parse_event.message.status_id: event.outcome + set_fields: actions: - set: - "@timestamp": "{{parse_message.message.time | to_rfc3339}}" + #"@timestamp": "{{parse_event.message.time | to_rfc3339}}" - ocsf: "{{parse_message.message}}" - process: "{{parse_message.message.process}}" + ocsf: "{{parse_event.message}}" + #process: "{{parse_event.message.process}}" diff --git a/OCSF/ocsf/tests/test_file_activity.json b/OCSF/ocsf/tests/test_file_activity.json index af17d8168..1b4dbd587 100644 --- a/OCSF/ocsf/tests/test_file_activity.json +++ b/OCSF/ocsf/tests/test_file_activity.json @@ -181,4 +181,4 @@ "type_uid": "100110" } } -} \ No newline at end of file +} diff --git a/OCSF/ocsf/tests/test_process_activity.json b/OCSF/ocsf/tests/test_process_activity.json index d54361c61..cb6effc9c 100644 --- a/OCSF/ocsf/tests/test_process_activity.json +++ b/OCSF/ocsf/tests/test_process_activity.json 
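Review bot: The two alert filters in set_event_category compare against `null` (`parse_event.message.malware != null`, `parse_event.message.vulnerabilities != null`) while every other filter in the hunk uses `None`; if the filter language is Jinja-based, `null` is an undefined name rather than a null literal, so the comparison can hold even when the field is absent and both categories would be set on every class 2001 event. Changing both to `!= None` matches the rest of the file. Separately, the `"@timestamp"` assignment in set_fields is now commented out and the `parse_date_time*` / `parse_date_timestamp_from_time*` stages (which parse the same two fields twice) are never read by any stage, so the event timestamp is no longer derived from `time` / `time_dt`; either wire one of those stages into `@timestamp` or drop the duplicates with a comment saying why the timestamp is left to the platform.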
@@ -64,32 +64,21 @@ "process": { "file": { "creator": { - "groups": [ - {}, - {} - ] + "groups": [{}, {}] }, "signature": { "certificate": { - "fingerprints": [ - {} - ] + "fingerprints": [{}] } } }, "parent_process": { "file": { - "hashes": [ - {}, - {} - ] + "hashes": [{}, {}] }, "parent_process": { "file": { - "hashes": [ - {}, - {} - ] + "hashes": [{}, {}] } } } @@ -103,33 +92,22 @@ "process": { "file": { "creator": { - "groups": [ - {}, - {} - ] + "groups": [{}, {}] }, "signature": { "certificate": { - "fingerprints": [ - {} - ] + "fingerprints": [{}] } } }, "name": "Christine", "parent_process": { "file": { - "hashes": [ - {}, - {} - ] + "hashes": [{}, {}] }, "parent_process": { "file": { - "hashes": [ - {}, - {} - ] + "hashes": [{}, {}] } } }, @@ -139,4 +117,4 @@ } } } -} \ No newline at end of file +} From 1b6c577049d7c46d5f4fce71b15eb5da48d07745 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 30 Jan 2024 16:06:31 +0200 Subject: [PATCH 03/34] Combine all pipelines --- OCSF/ocsf/ingest/parser.yml | 689 ++++++++++++++++++--- OCSF/ocsf/tests/test_file_activity.json | 206 ++---- OCSF/ocsf/tests/test_process_activity.json | 138 ++--- 3 files changed, 693 insertions(+), 340 deletions(-) diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml index e893b23ec..17d7d599a 100644 --- a/OCSF/ocsf/ingest/parser.yml +++ b/OCSF/ocsf/ingest/parser.yml 
@@ -11,113 +11,113 @@ pipeline: external: name: date.parse properties: - input_field: '{{ parse_event.message.end_time_dt }}' + input_field: "{{ parse_event.message.end_time_dt }}" output_field: datetime - filter: '{{ parse_event.message.end_time_dt != None and parse_event.message.end_time_dt != '''' }}' + filter: "{{ parse_event.message.end_time_dt != None and parse_event.message.end_time_dt != '' }}" - name: parse_date_end_time external: name: date.parse properties: - input_field: '{{ parse_event.message.end_time }}' + input_field: "{{ parse_event.message.end_time }}" output_field: datetime - filter: '{{ parse_event.message.end_time != None and parse_event.message.end_time != '''' }}' + filter: "{{ parse_event.message.end_time != None and parse_event.message.end_time != '' }}" - name: parse_date_timestamp_from_time_dt external: name: date.parse properties: - input_field: '{{ parse_event.message.time_dt }}' + input_field: "{{ parse_event.message.time_dt }}" output_field: datetime - filter: '{{ parse_event.message.time_dt != None and parse_event.message.time_dt != '''' }}' + filter: "{{ parse_event.message.time_dt != None and parse_event.message.time_dt != '' }}" - name: parse_date_timestamp_from_time external: name: date.parse properties: - input_field: '{{ parse_event.message.time }}' + input_field: "{{ parse_event.message.time }}" output_field: datetime - filter: '{{ parse_event.message.time != None and parse_event.message.time != '''' }}' + filter: "{{ parse_event.message.time != None and parse_event.message.time != '' }}" - name: parse_date_time_dt external: name: date.parse properties: - input_field: '{{ parse_event.message.time_dt }}' + input_field: "{{ parse_event.message.time_dt }}" output_field: datetime - filter: '{{ parse_event.message.time_dt != None and parse_event.message.time_dt != '''' }}' + filter: "{{ parse_event.message.time_dt != None and parse_event.message.time_dt != '' }}" - name: parse_date_time external: name: date.parse properties: - 
input_field: '{{ parse_event.message.time }}' + input_field: "{{ parse_event.message.time }}" output_field: datetime - filter: '{{ parse_event.message.time != None and parse_event.message.time != '''' }}' + filter: "{{ parse_event.message.time != None and parse_event.message.time != '' }}" - name: parse_date_metadata_logged_time_dt external: name: date.parse properties: - input_field: '{{ parse_event.message.metadata.logged_time_dt }}' + input_field: "{{ parse_event.message.metadata.logged_time_dt }}" output_field: datetime - filter: '{{ parse_event.message.metadata.logged_time_dt != None and parse_event.message.metadata.logged_time_dt != '''' }}' + filter: "{{ parse_event.message.metadata.logged_time_dt != None and parse_event.message.metadata.logged_time_dt != '' }}" - name: parse_date_metadata_logged_time external: name: date.parse properties: - input_field: '{{ parse_event.message.metadata.logged_time }}' + input_field: "{{ parse_event.message.metadata.logged_time }}" output_field: datetime - filter: '{{ parse_event.message.metadata.logged_time != None and parse_event.message.metadata.logged_time != '''' }}' + filter: "{{ parse_event.message.metadata.logged_time != None and parse_event.message.metadata.logged_time != '' }}" - name: parse_date_metadata_modified_time_dt external: name: date.parse properties: - input_field: '{{ parse_event.message.metadata.modified_time_dt }}' + input_field: "{{ parse_event.message.metadata.modified_time_dt }}" output_field: datetime - filter: '{{ parse_event.message.metadata.modified_time_dt != None and parse_event.message.metadata.modified_time_dt != '''' }}' + filter: "{{ parse_event.message.metadata.modified_time_dt != None and parse_event.message.metadata.modified_time_dt != '' }}" - name: parse_date_metadata_modified_time external: name: date.parse properties: - input_field: '{{ parse_event.message.metadata.modified_time }}' + input_field: "{{ parse_event.message.metadata.modified_time }}" output_field: datetime - filter: 
'{{ parse_event.message.metadata.modified_time != None and parse_event.message.metadata.modified_time != '''' }}' + filter: "{{ parse_event.message.metadata.modified_time != None and parse_event.message.metadata.modified_time != '' }}" - name: parse_date_metadata_processed_time_dt external: name: date.parse properties: - input_field: '{{ parse_event.message.metadata.processed_time_dt }}' + input_field: "{{ parse_event.message.metadata.processed_time_dt }}" output_field: datetime - filter: '{{ parse_event.message.metadata.processed_time_dt != None and parse_event.message.metadata.processed_time_dt != '''' }}' + filter: "{{ parse_event.message.metadata.processed_time_dt != None and parse_event.message.metadata.processed_time_dt != '' }}" - name: parse_date_metadata_processed_time external: name: date.parse properties: - input_field: '{{ parse_event.message.metadata.processed_time }}' + input_field: "{{ parse_event.message.metadata.processed_time }}" output_field: datetime - filter: '{{ parse_event.message.metadata.processed_time != None and parse_event.message.metadata.processed_time != '''' }}' + filter: "{{ parse_event.message.metadata.processed_time != None and parse_event.message.metadata.processed_time != '' }}" - name: parse_date_start_time_dt external: name: date.parse properties: - input_field: '{{ parse_event.message.start_time_dt }}' + input_field: "{{ parse_event.message.start_time_dt }}" output_field: datetime - filter: '{{ parse_event.message.start_time_dt != None and parse_event.message.start_time_dt != '''' }}' + filter: "{{ parse_event.message.start_time_dt != None and parse_event.message.start_time_dt != '' }}" - name: parse_date_start_time external: name: date.parse properties: - input_field: '{{ parse_event.message.start_time }}' + input_field: "{{ parse_event.message.start_time }}" output_field: datetime - filter: '{{ parse_event.message.start_time != None and parse_event.message.start_time != '''' }}' + filter: "{{ parse_event.message.start_time 
!= None and parse_event.message.start_time != '' }}" - name: set_event_kind - name: set_event_category 
@@ -125,6 +125,69 @@ pipeline: - name: set_common_fields - name: set_fields + - name: pipeline_object_actor + filter: + "{{ parse_event.message.class_uid != None and parse_event.message.class_uid + in [1001,1002,1003,1004,1005,1006,1007,3001,3002,3003,3004,3005,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,5001,5002,6001,6002,6003,6004] + and parse_event.message.actor != None }}" + + # - name: pipeline_object_attack + # filter: '{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,2001,4001,4002,4003,4005,4006,4007,4008,4009,4011,4012] and parse_event.message.attacks != None }}' + + - name: pipeline_object_network_connection_info + filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [4001,4002,4003,4005,4006,4007,4008] and parse_event.message.connection_info != None }}" + + - name: pipeline_object_device + filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,3001,3002,3003,3004,3005,4001,4002,4003,4004,4005,4006,4007,4008,4009,4011,4012,5001,5002,6001,6002,6004] and parse_event.message.device != None }}" + + - name: pipeline_object_http_request + filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [3001,3002,4002,6003,6004] and parse_event.message.http_request != None }}" + + - name: pipeline_object_malware + filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [2001,4001,4002,4003,4005,4006,4007,4008,4009,4011,4012] and parse_event.message.malware != None }}" + + - name: pipeline_object_network_endpoint + filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [3001,3002,3003,3005,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,6001,6003,6004] and parse_event.message.dst_endpoint != None or parse_event.message.src_endpoint != None }}" + + - name: pipeline_object_process + filter: "{{ 
parse_event.message.class_uid != None and parse_event.message.class_uid in [1004,1007,2001] and parse_event.message.process != None }}" + + - name: pipeline_object_proxy + filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [4001,4002,4003,4005,4006,4007,4008] and parse_event.message.proxy != None }}" + + - name: pipeline_object_tls + filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [4001,4002,4003,4005,4006,4007,4008] and parse_event.message.tls != None }}" + + - name: pipeline_object_traffic + filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [4001,4002,4003,4005,4006,4007,4008] and parse_event.message.traffic != None }}" + + - name: pipeline_object_user + filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [3001,3002,3003,3005,3006] and parse_event.message.user != None }}" + + - name: pipeline_object_file + filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [1001,4006,4010,4011] }}" + + - name: pipeline_object_system_activity_helper + filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [1002,1005,1006] }}" + + - name: pipeline_category_system_activity + filter: "{{ parse_event.message.category_uid != None and parse_event.message.category_uid == 1 }}" + + - name: pipeline_category_findings + filter: "{{ parse_event.message.category_uid != None and parse_event.message.category_uid == 2 }}" + + - name: pipeline_category_identity_and_access_management + filter: "{{ parse_event.message.category_uid != None and parse_event.message.category_uid == 3 }}" + + - name: pipeline_category_network_activity + filter: "{{ parse_event.message.category_uid != None and parse_event.message.category_uid == 4 }}" + + - name: pipeline_category_application_activity + filter: "{{ parse_event.message.category_uid != None and parse_event.message.category_uid == 6 }}" + + - 
name: pipeline_category_discovery + filter: "{{ parse_event.message.category_uid != None and parse_event.message.category_uid == 5 }}" + stages: set_event_kind: actions: 
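Review bot: The pipeline_object_network_endpoint filter mixes `and` and `or` without parentheses, so `... and parse_event.message.dst_endpoint != None or parse_event.message.src_endpoint != None` evaluates as `(class check and dst_endpoint) or src_endpoint`, and any event carrying a src_endpoint enters this sub-pipeline regardless of its class_uid. Grouping the last two terms fixes it: `and (parse_event.message.dst_endpoint != None or parse_event.message.src_endpoint != None) }}`. The `parse_event.message.class_uid != None and` prefix on every filter is redundant with the `in [...]` membership test that follows it, since None is never in the list, and dropping it would make these lines easier to read. The commented-out pipeline_object_attack entry gives no reason for being disabled; a short comment such as `# disabled until the attacks object mapping is defined` would stop the next reader from re-enabling it blindly.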
@@ -143,55 +206,55 @@ stages: filter: "{{parse_event.message.class_uid == 2001 and parse_event.message.malware != null}}" - set: - event.category: [ "vulnerability" ] + event.category: ["vulnerability"] filter: "{{parse_event.message.class_uid == 2001 and parse_event.message.vulnerabilities != null}}" - set: - event.category: [ "iam" ] + event.category: ["iam"] filter: "{{parse_event.message.class_uid in [3001, 3005, 3006]}}" - set: - event.category: [ "authentication" ] + event.category: ["authentication"] filter: "{{parse_event.message.class_uid == 3002}}" - set: - event.category: [ "session" ] + event.category: ["session"] filter: "{{parse_event.message.class_uid == 3003}}" - set: - event.category: [ "network" ] + event.category: ["network"] filter: "{{parse_event.message.class_uid in [4001, 4003, 4004, 4005, 4007, 4008, 4010]}}" - set: - event.category: [ "api" ] + event.category: ["api"] filter: "{{parse_event.message.class_uid in [4002, 4006]}}" - set: - event.category: [ "file" ] + event.category: ["file"] filter: "{{parse_event.message.class_uid in [1001, 4006, 4008, 4010, 4011]}}" - set: - event.category: [ "email" ] + event.category: ["email"] filter: "{{parse_event.message.class_uid in [4009, 4011, 4012]}}" - set: - event.category: [ "web" ] + event.category: ["web"] filter: "{{parse_event.message.class_uid in [6003, 6004]}}" - set: - event.category: [ "package" ] + event.category: ["package"] filter: "{{parse_event.message.class_uid == 6002}}" - set: - event.category: [ "configuration" ] + event.category: ["configuration"] filter: "{{parse_event.message.class_uid == 5002}}" - set: - event.category: [ "driver" ] + event.category: ["driver"] filter: "{{parse_event.message.class_uid in [1002, 1003]}}" - set: - event.category: [ "process" ] + event.category: ["process"] filter: "{{parse_event.message.class_uid == 1007}}" set_event_type: 
@@ -200,59 +263,59 @@ stages: event.type: ["info"] filter: "{{parse_event.message.class_uid in [1001,1002,1003,1007,2001,3001,3002,3003,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,5001,5002,6002,6003,6004]}}" - - set: + - set: event.type: ["user"] filter: "{{parse_event.message.class_uid in [3001, 3006]}}" - - - set: + + - set: event.type: ["group"] filter: "{{parse_event.message.class_uid in [3005]}}" - - - set: - event.type: ["protocol"] - filter: "{{parse_event.message.class_uid in [4003,4004,4005,4007,4008]}}" - - - set: + + - set: + event.type: ["protocol"] + filter: "{{parse_event.message.class_uid in [4003,4004,4005,4007,4008]}}" + + - set: event.type: ["creation"] filter: "{{parse_event.message.class_uid in [1001,3001,4006,5002] and parse_event.message.activity_name in ['Create','File Create','Log']}}" - - - set: + + - set: event.type: ["access"] filter: "{{parse_event.message.class_uid in [1001,4006,4010,5002,6004] and parse_event.message.activity_name in ['Read','File Open','Preview','Open','Access Grant','Access Deny','Access Revoke','Access Error','Log']}}" - - - set: + + - set: event.type: ["deletion"] filter: "{{parse_event.message.class_uid in [1001,3001,4010,6002] and parse_event.message.activity_name in ['Delete','Remove']}}" - - - set: - event.type: ["start"] + + - set: + event.type: ["start"] filter: "{{parse_event.message.class_uid in [1007,3002,4001,4007,6002] and parse_event.message.activity_name in ['Launch','Logon','Open','Start']}}" - - - set: + + - set: event.type: ["end"] filter: "{{parse_event.message.class_uid in [1007,3002,4001,4007,6002] and parse_event.message.activity_name in ['Terminate','Logoff','Close','Stop']}}" - - - set: + + - set: event.type: ["denied"] filter: "{{parse_event.message.class_uid in [4001, 4003, 4004, 4007] and parse_event.message.activity_name in ['Refuse','Decline']}}" - - set: + - set: event.type: ["allowed"] filter: "{{parse_event.message.class_uid in [4004] and 
parse_event.message.activity_name in ['Ack']}}" - - - set: + + - set: event.type: ["change"] filter: "{{parse_event.message.class_uid in [1001, 4006, 4010] and parse_event.message.activity_name in ['Update','File Supersede','File Overwrite','Update','Rename']}}" - - - set: + + - set: event.type: ["connection"] filter: "{{parse_event.message.class_uid in [4005] and parse_event.message.activity_name in ['Connect Request','Connect Response']}}" - - - set: + + - set: event.type: ["installation"] filter: "{{parse_event.message.class_uid in [6002] and parse_event.message.activity_name in ['Install']}}" - - - set: + + - set: event.type: ["error"] filter: "{{parse_event.message.class_uid in [6004] and parse_event.message.activity_name in ['Access Error']}}" 
@@ -304,9 +367,489 @@ stages: parse_event.message.status_id: event.outcome set_fields: + actions: [] + #- set: + #ocsf: "{{parse_event.message}}" + #process: "{{parse_event.message.process}}" + + pipeline_object_actor: actions: - set: - #"@timestamp": "{{parse_event.message.time | to_rfc3339}}" + container.id: '{{ parse_event.message.parse_event.message.actor.process.container.uid }}' + container.image.name: '{{ parse_event.message.parse_event.message.actor.process.container.image.name }}' + - set: + container.image.tag: + - '{{ parse_event.message.parse_event.message.actor.process.container.image.tag }}' + filter: '{{ parse_event.message.actor.process.container.image.tag != None }}' + - set: + container.labels: '{{ parse_event.message.parse_event.message.actor.process.container.image.labels }}' + orchestrator.type: '{{ parse_event.message.parse_event.message.actor.process.container.orchestrator }}' + container.name: '{{ parse_event.message.parse_event.message.actor.process.container.name }}' + container.runtime: '{{ parse_event.message.parse_event.message.actor.process.container.runtime }}' + file.accessed: '{{ parse_event.message.parse_event.message.actor.process.file.accessed_time }}' + file.created: '{{ parse_event.message.parse_event.message.actor.process.file.created_time }}' + file.directory: '{{ parse_event.message.parse_event.message.actor.process.file.parent_folder }}' + file.inode: '{{ parse_event.message.parse_event.message.actor.process.file.uid }}' + file.mime_type: '{{ parse_event.message.parse_event.message.actor.process.file.mime_type }}' + file.mtime: '{{ parse_event.message.parse_event.message.actor.process.file.modified_time }}' + file.name: '{{ parse_event.message.parse_event.message.actor.process.file.name }}' + file.owner: '{{ parse_event.message.parse_event.message.actor.process.file.owner.name }}' + file.path: '{{ parse_event.message.parse_event.message.actor.process.file.path }}' + file.size: '{{ 
parse_event.message.parse_event.message.actor.process.file.size }}' + file.type: '{{ parse_event.message.parse_event.message.actor.process.file.type }}' + file.uid: '{{ parse_event.message.parse_event.message.actor.process.file.owner.uid }}' + file.x509.issuer.distinguished_name: '{{ parse_event.message.parse_event.message.actor.process.file.signature.certificate.issuer }}' + file.x509.not_after: '{{ parse_event.message.parse_event.message.actor.process.file.signature.certificate.expiration_time }}' + file.x509.serial_number: '{{ parse_event.message.parse_event.message.actor.process.file.signature.certificate.serial_number }}' + file.x509.subject.distinguished_name: '{{ parse_event.message.parse_event.message.actor.process.file.signature.certificate.subject }}' + file.x509.version_number: '{{ parse_event.message.parse_event.message.actor.process.file.signature.certificate.version }}' + process.command_line: '{{ parse_event.message.parse_event.message.actor.process.cmd_line }}' + process.end: '{{ parse_event.message.parse_event.message.actor.process.terminated_time }}' + - set: + process.group.id: + - '{{ parse_event.message.parse_event.message.actor.process.egid }}' + filter: '{{ parse_event.message.actor.process.egid != None }}' + - set: + process.group.id: + - '{{ parse_event.message.parse_event.message.actor.process.group.uid }}' + filter: '{{ parse_event.message.actor.process.group.uid != None }}' + - set: + process.group.name: '{{ parse_event.message.parse_event.message.actor.process.group.name }}' + process.name: '{{ parse_event.message.parse_event.message.actor.process.name }}' + process.pid: '{{ parse_event.message.parse_event.message.actor.process.pid }}' + process.start: '{{ parse_event.message.parse_event.message.actor.process.created_time }}' + process.thread.id: '{{ parse_event.message.parse_event.message.actor.process.tid }}' + process.entity_id: '{{ parse_event.message.parse_event.message.actor.process.uid }}' + process.user.domain: '{{ 
parse_event.message.parse_event.message.actor.process.user.domain }}' + process.user.email: '{{ parse_event.message.parse_event.message.actor.process.user.email_addr }}' + process.user.full_name: '{{ parse_event.message.parse_event.message.actor.process.user.full_name }}' + - set: + process.user.id: + - '{{ parse_event.message.parse_event.message.actor.process.euid }}' + filter: '{{ parse_event.message.actor.process.euid != None }}' + - set: + process.user.id: + - '{{ parse_event.message.parse_event.message.actor.process.user.uid }}' + filter: '{{ parse_event.message.actor.process.user.uid != None }}' + - set: + process.user.name: '{{ parse_event.message.parse_event.message.actor.process.user.name }}' + user.domain: '{{ parse_event.message.parse_event.message.actor.user.domain }}' + user.email: '{{ parse_event.message.parse_event.message.actor.user.email_addr }}' + user.full_name: '{{ parse_event.message.parse_event.message.actor.user.full_name }}' + user.id: '{{ parse_event.message.parse_event.message.actor.user.uid }}' + user.name: '{{ parse_event.message.parse_event.message.actor.user.name }}' + process.parent.command_line: '{{ parse_event.message.parse_event.message.actor.process.parent_process.cmd_line }}' + process.parent.end: '{{ parse_event.message.parse_event.message.actor.process.parent_process.terminated_time }}' + - set: + process.parent.group.id: + - '{{ parse_event.message.parse_event.message.actor.process.parent_process.egid }}' + filter: '{{ parse_event.message.actor.process.parent_process.egid != None }}' + - set: + process.parent.group.id: + - '{{ parse_event.message.parse_event.message.actor.process.parent_process.group.uid }}' + filter: '{{ parse_event.message.actor.process.parent_process.group.uid != None }}' + - set: + process.parent.group.name: '{{ parse_event.message.parse_event.message.actor.process.parent_process.group.name }}' + process.parent.name: '{{ parse_event.message.parse_event.message.actor.process.parent_process.name }}' + 
process.parent.pid: '{{ parse_event.message.parse_event.message.actor.process.parent_process.pid }}' + process.parent.start: '{{ parse_event.message.parse_event.message.actor.process.parent_process.created_time }}' + process.parent.thread.id: '{{ parse_event.message.parse_event.message.actor.process.parent_process.tid }}' + process.parent.entity_id: '{{ parse_event.message.parse_event.message.actor.process.parent_process.uid }}' + process.parent.user.domain: '{{ parse_event.message.parse_event.message.actor.process.parent_process.user.domain }}' + process.parent.user.email: '{{ parse_event.message.parse_event.message.actor.process.parent_process.user.email_addr }}' + process.parent.user.full_name: '{{ parse_event.message.parse_event.message.actor.process.parent_process.user.full_name }}' + - set: + process.parent.user.id: + - '{{ parse_event.message.parse_event.message.actor.process.parent_process.euid }}' + filter: '{{ parse_event.message.actor.process.parent_process.euid != None }}' + - set: + process.parent.user.id: + - '{{ parse_event.message.parse_event.message.actor.process.parent_process.user.uid }}' + filter: '{{ parse_event.message.actor.process.parent_process.user.uid != None }}' + - set: + process.parent.user.name: '{{ parse_event.message.parse_event.message.actor.process.parent_process.user.name }}' - ocsf: "{{parse_event.message}}" - #process: "{{parse_event.message.process}}" + pipeline_object_network_connection_info: + actions: + - set: + network.iana_number: '{{ parse_event.message.parse_event.message.connection_info.protocol_num }}' + - set: + network.direction: + - internal + filter: '{{ parse_event.message.connection_info.boundary != None and parse_event.message.connection_info.boundary == ''Internal'' }}' + - set: + network.direction: + - external + filter: '{{ parse_event.message.connection_info.boundary != None and parse_event.message.connection_info.boundary == ''External'' }}' + - set: + network.direction: + - inbound + filter: '{{ 
parse_event.message.connection_info.direction != None and parse_event.message.connection_info.direction == ''Inbound'' }}' + - set: + network.direction: + - outbound + filter: '{{ parse_event.message.connection_info.direction != None and parse_event.message.connection_info.direction == ''Outbound'' }}' + - set: + network.direction: + - unknown + filter: '{{ parse_event.message.connection_info.direction != None and parse_event.message.connection_info.direction == ''Unknown'' or parse_event.message.connection_info.boundary != None and parse_event.message.connection_info.boundary == ''Unknown'' }}' + pipeline_object_device: + actions: + - set: + host.domain: '{{ parse_event.message.parse_event.message.device.domain }}' + host.geo.city_name: '{{ parse_event.message.parse_event.message.device.location.city }}' + host.geo.continent_name: '{{ parse_event.message.parse_event.message.device.location.continent }}' + host.geo.country_iso_code: '{{ parse_event.message.parse_event.message.device.location.country }}' + host.geo.location: '{{ parse_event.message.parse_event.message.device.location.coordinates }}' + host.geo.name: '{{ parse_event.message.parse_event.message.device.location.desc }}' + host.geo.postal_code: '{{ parse_event.message.parse_event.message.device.location.postal_code }}' + host.geo.region_iso_code: '{{ parse_event.message.parse_event.message.device.location.region }}' + host.hostname: '{{ parse_event.message.parse_event.message.device.hostname }}' + host.id: '{{ parse_event.message.parse_event.message.device.uid }}' + - set: + host.ip: + - '{{ parse_event.message.parse_event.message.device.ip }}' + filter: '{{ parse_event.message.device.ip != None }}' + - set: + host.mac: + - '{{ parse_event.message.parse_event.message.device.mac }}' + filter: '{{ parse_event.message.device.mac != None }}' + - set: + host.os.name: '{{ parse_event.message.parse_event.message.device.os.name }}' + - set: + host.os.type: '{{ 
parse_event.message.parse_event.message.device.os.type }}' + filter: '{{ parse_event.message.device.os.type != None and parse_event.message.device.os.type in [''Linux'',''Windows'',''Android'',''macOS'',''iOS''] }}' + - set: + host.os.version: '{{ parse_event.message.parse_event.message.device.os.build }}' + host.risk.static_level: '{{ parse_event.message.parse_event.message.device.risk_level }}' + host.risk.static_score: '{{ parse_event.message.parse_event.message.device.risk_score }}' + host.type: '{{ parse_event.message.parse_event.message.device.type }}' + network.vlan.id: '{{ parse_event.message.parse_event.message.device.vlan_uid }}' + pipeline_object_http_request: + actions: + - set: + http.request.id: '{{ parse_event.message.parse_event.message.http_request.uid }}' + http.request.method: '{{ parse_event.message.parse_event.message.http_request.http_method }}' + http.request.referrer: '{{ parse_event.message.parse_event.message.http_request.referrer }}' + http.version: '{{ parse_event.message.parse_event.message.http_request.version }}' + url.domain: '{{ parse_event.message.parse_event.message.http_request.url.hostname }}' + url.original: '{{ parse_event.message.parse_event.message.http_request.url.url_string }}' + url.path: '{{ parse_event.message.parse_event.message.http_request.url.path }}' + url.port: '{{ parse_event.message.parse_event.message.http_request.url.port }}' + url.query: '{{ parse_event.message.parse_event.message.http_request.url.query_string }}' + url.scheme: '{{ parse_event.message.parse_event.message.http_request.url.scheme }}' + url.subdomain: '{{ parse_event.message.parse_event.message.http_request.url.subdomain }}' + user_agent.original: '{{ parse_event.message.parse_event.message.http_request.user_agent }}' + pipeline_object_malware: + actions: [ ] + pipeline_object_network_endpoint: + actions: + - set: + source.domain: + - '{{ parse_event.message.parse_event.message.src_endpoint.domain }}' + filter: '{{ 
parse_event.message.src_endpoint.domain != None }}' + - set: + source.geo.city_name: '{{ parse_event.message.parse_event.message.src_endpoint.location.city }}' + source.geo.continent_name: '{{ parse_event.message.parse_event.message.src_endpoint.location.continent }}' + source.geo.location: '{{ parse_event.message.parse_event.message.src_endpoint.location.coordinates }}' + source.geo.country_iso_code: '{{ parse_event.message.parse_event.message.src_endpoint.location.country }}' + source.geo.name: '{{ parse_event.message.parse_event.message.src_endpoint.location.desc }}' + source.geo.postal_code: '{{ parse_event.message.parse_event.message.src_endpoint.location.postal_code }}' + source.geo.region_iso_code: '{{ parse_event.message.parse_event.message.src_endpoint.location.region }}' + - set: + source.domain: + - '{{ parse_event.message.parse_event.message.src_endpoint.hostname }}' + filter: '{{ parse_event.message.src_endpoint.hostname != None }}' + - set: + source.ip: '{{ parse_event.message.parse_event.message.src_endpoint.ip }}' + source.mac: '{{ parse_event.message.parse_event.message.src_endpoint.mac }}' + source.port: '{{ parse_event.message.parse_event.message.src_endpoint.port }}' + - set: + network.application: + - '{{ parse_event.message.parse_event.message.src_endpoint.svc_name }}' + filter: '{{ parse_event.message.src_endpoint.svc_name != None }}' + - set: + destination.domain: + - '{{ parse_event.message.parse_event.message.dst_endpoint.domain }}' + filter: '{{ parse_event.message.dst_endpoint.domain != None }}' + - set: + destination.geo.city_name: '{{ parse_event.message.parse_event.message.dst_endpoint.location.city }}' + destination.geo.continent_name: '{{ parse_event.message.parse_event.message.dst_endpoint.location.continent }}' + destination.geo.location: '{{ parse_event.message.parse_event.message.dst_endpoint.location.coordinates }}' + destination.geo.country_iso_code: '{{ parse_event.message.parse_event.message.dst_endpoint.location.country }}' 
+ destination.geo.name: '{{ parse_event.message.parse_event.message.dst_endpoint.location.desc }}' + destination.geo.postal_code: '{{ parse_event.message.parse_event.message.dst_endpoint.location.postal_code }}' + destination.geo.region_iso_code: '{{ parse_event.message.parse_event.message.dst_endpoint.location.region }}' + - set: + destination.domain: + - '{{ parse_event.message.parse_event.message.dst_endpoint.hostname }}' + filter: '{{ parse_event.message.dst_endpoint.hostname != None }}' + - set: + destination.ip: '{{ parse_event.message.parse_event.message.dst_endpoint.ip }}' + destination.mac: '{{ parse_event.message.parse_event.message.dst_endpoint.mac }}' + destination.port: '{{ parse_event.message.parse_event.message.dst_endpoint.port }}' + - set: + network.application: + - '{{ parse_event.message.parse_event.message.dst_endpoint.svc_name }}' + filter: '{{ parse_event.message.dst_endpoint.svc_name != None }}' + pipeline_object_process: + actions: + - set: + container.id: '{{ parse_event.message.parse_event.message.process.container.uid }}' + container.image.name: '{{ parse_event.message.parse_event.message.process.container.image.name }}' + - set: + container.image.tag: + - '{{ parse_event.message.parse_event.message.process.container.image.tag }}' + filter: '{{ parse_event.message.process.container.image.tag != None }}' + - set: + container.labels: '{{ parse_event.message.parse_event.message.process.container.image.labels }}' + orchestrator.type: '{{ parse_event.message.parse_event.message.process.container.orchestrator }}' + container.name: '{{ parse_event.message.parse_event.message.process.container.name }}' + container.runtime: '{{ parse_event.message.parse_event.message.process.container.runtime }}' + file.accessed: '{{ parse_event.message.parse_event.message.process.file.accessed_time }}' + file.created: '{{ parse_event.message.parse_event.message.process.file.created_time }}' + file.directory: '{{ 
parse_event.message.parse_event.message.process.file.parent_folder }}' + file.inode: '{{ parse_event.message.parse_event.message.process.file.uid }}' + file.mime_type: '{{ parse_event.message.parse_event.message.process.file.mime_type }}' + file.mtime: '{{ parse_event.message.parse_event.message.process.file.modified_time }}' + file.name: '{{ parse_event.message.parse_event.message.process.file.name }}' + file.owner: '{{ parse_event.message.parse_event.message.process.file.owner.name }}' + file.path: '{{ parse_event.message.parse_event.message.process.file.path }}' + file.size: '{{ parse_event.message.parse_event.message.process.file.size }}' + file.type: '{{ parse_event.message.parse_event.message.process.file.type }}' + file.uid: '{{ parse_event.message.parse_event.message.process.file.owner.uid }}' + file.x509.issuer.distinguished_name: '{{ parse_event.message.parse_event.message.process.file.signature.certificate.issuer }}' + file.x509.not_after: '{{ parse_event.message.parse_event.message.process.file.signature.certificate.expiration_time }}' + file.x509.serial_number: '{{ parse_event.message.parse_event.message.process.file.signature.certificate.serial_number }}' + file.x509.subject.distinguished_name: '{{ parse_event.message.parse_event.message.process.file.signature.certificate.subject }}' + file.x509.version_number: '{{ parse_event.message.parse_event.message.process.file.signature.certificate.version }}' + process.command_line: '{{ parse_event.message.parse_event.message.process.cmd_line }}' + process.end: '{{ parse_event.message.parse_event.message.process.terminated_time }}' + - set: + process.group.id: + - '{{ parse_event.message.parse_event.message.process.egid }}' + filter: '{{ parse_event.message.process.egid != None }}' + - set: + process.group.id: + - '{{ parse_event.message.parse_event.message.process.group.uid }}' + filter: '{{ parse_event.message.process.group.uid != None }}' + - set: + process.group.name: '{{ 
parse_event.message.parse_event.message.process.group.name }}' + process.name: '{{ parse_event.message.parse_event.message.process.name }}' + process.pid: '{{ parse_event.message.parse_event.message.process.pid }}' + process.start: '{{ parse_event.message.parse_event.message.process.created_time }}' + process.thread.id: '{{ parse_event.message.parse_event.message.process.tid }}' + process.entity_id: '{{ parse_event.message.parse_event.message.process.uid }}' + process.user.domain: '{{ parse_event.message.parse_event.message.process.user.domain }}' + process.user.email: '{{ parse_event.message.parse_event.message.process.user.email_addr }}' + process.user.full_name: '{{ parse_event.message.parse_event.message.process.user.full_name }}' + - set: + process.user.id: + - '{{ parse_event.message.parse_event.message.process.euid }}' + filter: '{{ parse_event.message.process.euid != None }}' + - set: + process.user.id: + - '{{ parse_event.message.parse_event.message.process.user.uid }}' + filter: '{{ parse_event.message.process.user.uid != None }}' + - set: + process.user.name: '{{ parse_event.message.parse_event.message.process.user.name }}' + process.parent.command_line: '{{ parse_event.message.parse_event.message.process.parent_process.cmd_line }}' + process.parent.end: '{{ parse_event.message.parse_event.message.process.parent_process.terminated_time }}' + - set: + process.parent.group.id: + - '{{ parse_event.message.parse_event.message.process.parent_process.egid }}' + filter: '{{ parse_event.message.process.parent_process.egid != None }}' + - set: + process.parent.group.id: + - '{{ parse_event.message.parse_event.message.process.parent_process.group.uid }}' + filter: '{{ parse_event.message.process.parent_process.group.uid != None }}' + - set: + process.parent.group.name: '{{ parse_event.message.parse_event.message.process.parent_process.group.name }}' + process.parent.name: '{{ parse_event.message.parse_event.message.process.parent_process.name }}' + 
process.parent.pid: '{{ parse_event.message.parse_event.message.process.parent_process.pid }}' + process.parent.start: '{{ parse_event.message.parse_event.message.process.parent_process.created_time }}' + process.parent.thread.id: '{{ parse_event.message.parse_event.message.process.parent_process.tid }}' + process.parent.entity_id: '{{ parse_event.message.parse_event.message.process.parent_process.uid }}' + process.parent.user.domain: '{{ parse_event.message.parse_event.message.process.parent_process.user.domain }}' + process.parent.user.email: '{{ parse_event.message.parse_event.message.process.parent_process.user.email_addr }}' + process.parent.user.full_name: '{{ parse_event.message.parse_event.message.process.parent_process.user.full_name }}' + - set: + process.parent.user.id: + - '{{ parse_event.message.parse_event.message.process.parent_process.euid }}' + filter: '{{ parse_event.message.process.parent_process.euid != None }}' + - set: + process.parent.user.id: + - '{{ parse_event.message.parse_event.message.process.parent_process.user.uid }}' + filter: '{{ parse_event.message.process.parent_process.user.uid != None }}' + - set: + process.parent.user.name: '{{ parse_event.message.parse_event.message.process.parent_process.user.name }}' + pipeline_object_proxy: + actions: [ ] + pipeline_object_tls: + actions: + - set: + tls.cipher: '{{ parse_event.message.parse_event.message.tls.cipher }}' + tls.client.ja3: '{{ parse_event.message.parse_event.message.tls.ja3_hash.value }}' + tls.client.server_name: '{{ parse_event.message.parse_event.message.tls.sni }}' + tls.client.x509.issuer.distinguished_name: '{{ parse_event.message.parse_event.message.tls.certificate.issuer }}' + tls.client.x509.not_after: '{{ parse_event.message.parse_event.message.tls.certificate.expiration_time }}' + tls.client.x509.serial_number: '{{ parse_event.message.parse_event.message.tls.certificate.serial_number }}' + tls.client.x509.subject.distinguished_name: '{{ 
parse_event.message.parse_event.message.tls.certificate.subject }}' + tls.client.x509.version_number: '{{ parse_event.message.parse_event.message.tls.certificate.version }}' + tls.server.ja3s: '{{ parse_event.message.parse_event.message.tls.ja3s_hash.value }}' + tls.version: '{{ parse_event.message.parse_event.message.tls.version }}' + pipeline_object_traffic: + actions: + - set: + destination.bytes: '{{ parse_event.message.parse_event.message.traffic.bytes_in }}' + source.bytes: '{{ parse_event.message.parse_event.message.traffic.bytes_out }}' + destination.packets: '{{ parse_event.message.parse_event.message.traffic.packets_in }}' + source.packets: '{{ parse_event.message.parse_event.message.traffic.packets_out }}' + network.bytes: '{{ parse_event.message.parse_event.message.traffic.bytes }}' + network.packets: '{{ parse_event.message.parse_event.message.traffic.packets }}' + pipeline_object_user: + actions: + - set: + user.target.domain: '{{ parse_event.message.parse_event.message.user.domain }}' + user.target.email: '{{ parse_event.message.parse_event.message.user.email_addr }}' + user.target.full_name: '{{ parse_event.message.parse_event.message.user.full_name }}' + user.target.id: '{{ parse_event.message.parse_event.message.user.uid }}' + user.target.name: '{{ parse_event.message.parse_event.message.user.name }}' + pipeline_object_file: + actions: + - set: + file.accessed: '{{ parse_event.message.parse_event.message.file.accessed_time }}' + file.created: '{{ parse_event.message.parse_event.message.file.created_time }}' + file.directory: '{{ parse_event.message.parse_event.message.file.parent_folder }}' + file.inode: '{{ parse_event.message.parse_event.message.file.uid }}' + file.mime_type: '{{ parse_event.message.parse_event.message.file.mime_type }}' + file.mtime: '{{ parse_event.message.parse_event.message.file.modified_time }}' + file.name: '{{ parse_event.message.parse_event.message.file.name }}' + file.owner: '{{ 
parse_event.message.parse_event.message.file.owner.name }}' + file.path: '{{ parse_event.message.parse_event.message.file.path }}' + file.size: '{{ parse_event.message.parse_event.message.file.size }}' + file.type: '{{ parse_event.message.parse_event.message.file.type }}' + file.uid: '{{ parse_event.message.parse_event.message.file.owner.uid }}' + file.x509.issuer.distinguished_name: '{{ parse_event.message.parse_event.message.file.signature.certificate.issuer }}' + file.x509.not_after: '{{ parse_event.message.parse_event.message.file.signature.certificate.expiration_time }}' + file.x509.serial_number: '{{ parse_event.message.parse_event.message.file.signature.certificate.serial_number }}' + file.x509.subject.distinguished_name: '{{ parse_event.message.parse_event.message.file.signature.certificate.subject }}' + file.x509.version_number: '{{ parse_event.message.parse_event.message.file.signature.certificate.version }}' + pipeline_object_system_activity_helper: + actions: + - set: + file.accessed: '{{ parse_event.message.parse_event.message.job.file.accessed_time }}' + file.created: '{{ parse_event.message.parse_event.message.job.file.created_time }}' + file.directory: '{{ parse_event.message.parse_event.message.job.file.parent_folder }}' + file.inode: '{{ parse_event.message.parse_event.message.job.file.uid }}' + file.mime_type: '{{ parse_event.message.parse_event.message.job.file.mime_type }}' + file.mtime: '{{ parse_event.message.parse_event.message.job.file.modified_time }}' + file.name: '{{ parse_event.message.parse_event.message.job.file.name }}' + file.owner: '{{ parse_event.message.parse_event.message.job.file.owner.name }}' + file.path: '{{ parse_event.message.parse_event.message.job.file.path }}' + file.size: '{{ parse_event.message.parse_event.message.job.file.size }}' + file.type: '{{ parse_event.message.parse_event.message.job.file.type }}' + file.uid: '{{ parse_event.message.parse_event.message.job.file.owner.uid }}' + 
file.x509.issuer.distinguished_name: '{{ parse_event.message.parse_event.message.job.file.signature.certificate.issuer }}' + file.x509.not_after: '{{ parse_event.message.parse_event.message.job.file.signature.certificate.expiration_time }}' + file.x509.serial_number: '{{ parse_event.message.parse_event.message.job.file.signature.certificate.serial_number }}' + file.x509.subject.distinguished_name: '{{ parse_event.message.parse_event.message.job.file.signature.certificate.subject }}' + file.x509.version_number: '{{ parse_event.message.parse_event.message.job.file.signature.certificate.version }}' + pipeline_category_system_activity: + actions: + - set: + user.target.domain: '{{ parse_event.message.parse_event.message.job.user.domain }}' + user.target.email: '{{ parse_event.message.parse_event.message.job.user.email_addr }}' + user.target.full_name: '{{ parse_event.message.parse_event.message.job.user.full_name }}' + user.target.id: '{{ parse_event.message.parse_event.message.job.user.uid }}' + user.target.name: '{{ parse_event.message.parse_event.message.job.user.name }}' + process.exit_code: '{{ parse_event.message.parse_event.message.exit_code }}' + pipeline_category_findings: + actions: + - set: + event.reference: '{{ parse_event.message.parse_event.message.finding.src_url }}' + event.risk_score: '{{ parse_event.message.parse_event.message.risk_score }}' + pipeline_category_identity_and_access_management: + actions: + - set: + user.changes.domain: '{{ parse_event.message.parse_event.message.user_result.domain }}' + user.changes.email: '{{ parse_event.message.parse_event.message.user_result.email_addr }}' + user.changes.full_name: '{{ parse_event.message.parse_event.message.user_result.full_name }}' + user.changes.id: '{{ parse_event.message.parse_event.message.user_result.uid }}' + user.changes.name: '{{ parse_event.message.parse_event.message.user_result.name }}' + service.name: '{{ parse_event.message.parse_event.message.service.name }}' + service.id: '{{ 
parse_event.message.parse_event.message.service.uid }}' + service.version: '{{ parse_event.message.parse_event.message.service.version }}' + group.name: '{{ parse_event.message.parse_event.message.group.name }}' + group.id: '{{ parse_event.message.parse_event.message.group.uid }}' + pipeline_category_network_activity: + actions: + - set: + dns.question.name: '{{ parse_event.message.parse_event.message.query.hostname }}' + - set: + dns.id: + - '{{ parse_event.message.parse_event.message.query.packet_uid }}' + filter: '{{ parse_event.message.query.packet_uid != None }}' + - set: + dns.question.class: + - '{{ parse_event.message.parse_event.message.query.class }}' + filter: '{{ parse_event.message.query.class != None }}' + - set: + dns.question.type: + - '{{ parse_event.message.parse_event.message.query.type }}' + filter: '{{ parse_event.message.query.type != None }}' + - set: + dns.response_code: '{{ parse_event.message.parse_event.message.rcode }}' + http.response.status_code: '{{ parse_event.message.parse_event.message.response.code }}' + http.response.body.bytes: '{{ parse_event.message.parse_event.message.http_response.length }}' + http.response.body.content: '{{ parse_event.message.parse_event.message.http_response.message }}' + observer.hostname: '{{ parse_event.message.parse_event.message.relay.hostname }}' + observer.ip: '{{ parse_event.message.parse_event.message.relay.ip }}' + observer.mac: '{{ parse_event.message.parse_event.message.relay.mac }}' + observer.name: '{{ parse_event.message.parse_event.message.relay.name }}' + observer.type: '{{ parse_event.message.parse_event.message.relay.type }}' + http.request.id: '{{ parse_event.message.parse_event.message.request.uid }}' + tls.server.certificate_chain: '{{ parse_event.message.parse_event.message.certificate_chain }}' + email.cc.address: '{{ parse_event.message.parse_event.message.email.cc }}' + email.local_id: '{{ parse_event.message.parse_event.message.email.uid }}' + - set: + email.from.address: + - 
'{{ parse_event.message.parse_event.message.email.from }}' + filter: '{{ parse_event.message.email.from != None }}' + - set: + email.message_id: '{{ parse_event.message.parse_event.message.email.message_uid }}' + - set: + email.reply_to.address: + - '{{ parse_event.message.parse_event.message.email.reply_to }}' + filter: '{{ parse_event.message.email.reply_to != None }}' + - set: + email.subject: '{{ parse_event.message.parse_event.message.email.subject }}' + email.to.address: '{{ parse_event.message.parse_event.message.email.to }}' + email.local_id: '{{ parse_event.message.parse_event.message.email_uid }}' + url.query: '{{ parse_event.message.parse_event.message.url.query_string }}' + url.domain: '{{ parse_event.message.parse_event.message.url.hostname }}' + url.path: '{{ parse_event.message.parse_event.message.url.path }}' + url.port: '{{ parse_event.message.parse_event.message.url.port }}' + url.scheme: '{{ parse_event.message.parse_event.message.url.scheme }}' + url.subdomain: '{{ parse_event.message.parse_event.message.url.subdomain }}' + url.original: '{{ parse_event.message.parse_event.message.url.url_string }}' + - set: + email.attachments.file.size: '{{ parse_event.message.parse_event.message.file.size }}' + filter: '{{ parse_event.message.file.size != None and and }}' + - set: + email.attachments.file.name: '{{ parse_event.message.parse_event.message.file.name }}' + filter: '{{ parse_event.message.file.name != None and and }}' + pipeline_category_application_activity: + actions: + - set: + http.response.status_code: '{{ parse_event.message.parse_event.message.http_response.code }}' + http.response.body.bytes: '{{ parse_event.message.parse_event.message.http_response.length }}' + http.response.body.content: '{{ parse_event.message.parse_event.message.http_response.message }}' + pipeline_category_discovery: + actions: + - set: + rule.category: '{{ parse_event.message.parse_event.message.cis_benchmark_result.rule.category }}' + rule.description: '{{ 
parse_event.message.parse_event.message.cis_benchmark_result.rule.desc }}' + rule.name: '{{ parse_event.message.parse_event.message.cis_benchmark_result.rule.name }}' + rule.uuid: '{{ parse_event.message.parse_event.message.cis_benchmark_result.rule.uid }}' + rule.version: '{{ parse_event.message.parse_event.message.cis_benchmark_result.rule.version }}' diff --git a/OCSF/ocsf/tests/test_file_activity.json b/OCSF/ocsf/tests/test_file_activity.json index 1b4dbd587..d8c9bdbbb 100644 --- a/OCSF/ocsf/tests/test_file_activity.json +++ b/OCSF/ocsf/tests/test_file_activity.json 
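Review bot: The two email-attachment filters near the end of `pipeline_category_network_activity` are not valid template expressions: `'{{ parse_event.message.file.size != None and and }}'` and the matching `file.name` filter end in a dangling `and and`, so the engine will either reject the stage or never match; they should read `filter: '{{ parse_event.message.file.size != None }}'` and `filter: '{{ parse_event.message.file.name != None }}'`, or spell out the second condition that was intended. Across all the new `pipeline_object_*` and `pipeline_category_*` stages, every `set` value is addressed as `parse_event.message.parse_event.message.…` while the `filter` on the same action uses `parse_event.message.…`; unless these pipelines are invoked with an input that nests the event a second time, the values resolve to nothing and fields such as `process.command_line`, `source.ip` and `user.name` stay empty, which would silently blind any detection rule built on them, so one of the two forms is wrong. `email.local_id` is also assigned twice in the same pipeline (from `email.uid` and from `email_uid`), so the later value wins without comment. The `stages:` mapping these stages belong to begins before this hunk.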
@@ -10,175 +10,43 @@ }, "expected": { "message": "{\"message\": \"memorial vacation gains\", \"status\": \"jet\", \"time\": 1703680765007341, \"file\": {\"name\": \"validation.mp4\", \"owner\": {\"name\": \"Grid\", \"type\": \"System\", \"uid\": \"f7982966-a4b4-11ee-a3fa-0242ac110004\", \"type_id\": 3, \"credential_uid\": \"f7982dd0-a4b4-11ee-b2ca-0242ac110004\", \"uid_alt\": \"mud faculty coast\"}, \"type\": \"Folder\", \"version\": \"1.0.0\", \"path\": \"rc sharp flow/tells.hqx/validation.mp4\", \"product\": {\"name\": \"opens subdivision marc\", \"version\": \"1.0.0\", \"uid\": \"f79834c4-a4b4-11ee-bc9e-0242ac110004\", \"lang\": \"en\", \"url_string\": \"flyer\", \"vendor_name\": \"assumes defensive pets\"}, \"type_id\": 2, \"parent_folder\": \"rc sharp flow/tells.hqx\", \"accessed_time\": 1703680765008026, \"hashes\": [{\"value\": \"90DDECE3C6BD7FFFE83AF4D6DA7D1D47BDD3BC4B8C55E4FB6014A6197DA2199E\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"modified_time\": 1703680765008073}, \"device\": {\"name\": \"coated sacred waiver\", \"type\": \"Browser\", \"os\": {\"name\": \"producers assessing iran\", \"type\": \"HP-UX\", \"type_id\": 402, \"lang\": \"en\", \"sp_name\": \"mod booth seller\", \"sp_ver\": 45}, \"ip\": \"250.253.200.33\", \"hostname\": \"trends.org\", \"uid\": \"f798170a-a4b4-11ee-91ce-0242ac110004\", \"type_id\": 8, \"created_time\": 1703680765007313, \"imei\": \"genetics half institutional\", \"instance_uid\": \"f7980b52-a4b4-11ee-9b5a-0242ac110004\", \"interface_name\": \"visitors fa trinity\", \"interface_uid\": \"f798130e-a4b4-11ee-8b87-0242ac110004\", \"network_interfaces\": [{\"name\": \"ons physically championship\", \"type\": \"Wireless\", \"hostname\": \"overhead.mil\", \"mac\": \"9D:F9:D3:48:CD:B9:EC:8B\", \"namespace\": \"sociology collectible myers\", \"type_id\": 2}], \"region\": \"first universe furnishings\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"cult c table\", \"uid\": 
\"f7975f7c-a4b4-11ee-9e82-0242ac110004\", \"feature\": {\"name\": \"quad back ne\", \"version\": \"1.0.0\", \"uid\": \"f7976a76-a4b4-11ee-ba7c-0242ac110004\"}, \"lang\": \"en\", \"vendor_name\": \"kazakhstan yugoslavia danish\"}, \"profiles\": [], \"log_name\": \"conjunction wa alot\", \"log_provider\": \"answering gb single\", \"log_version\": \"exposure dx maui\", \"logged_time\": 1703680765002867, \"original_time\": \"postings hawaii aaa\"}, \"severity\": \"High\", \"duration\": 62, \"type_name\": \"File System Activity: Encrypt\", \"category_name\": \"System Activity\", \"activity_id\": 10, \"type_uid\": 100110, \"class_uid\": 1001, \"category_uid\": 1, \"class_name\": \"File System Activity\", \"timezone_offset\": 8, \"activity_name\": \"Encrypt\", \"actor\": {\"process\": {\"name\": \"Interventions\", \"pid\": 18, \"file\": {\"name\": \"level.doc\", \"type\": \"Symbolic Link\", \"path\": \"matthew eos tests/secondary.m3u/level.doc\", \"product\": {\"name\": \"fr subsequent administration\", \"version\": \"1.0.0\", \"uid\": \"f7977eee-a4b4-11ee-bfd5-0242ac110004\", \"lang\": \"en\", \"vendor_name\": \"combining concentrate gmt\"}, \"uid\": \"f797833a-a4b4-11ee-b077-0242ac110004\", \"type_id\": 7, \"parent_folder\": \"matthew eos tests/secondary.m3u\", \"confidentiality\": \"cigarettes subjects terrain\", \"created_time\": 1703680765003470, \"hashes\": [{\"value\": \"8F489E765ADD66CEA532CA1AFF150E01610199E3\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"98062F4DEE9A192C300D278008F1B6A2CB646B356D0DE1EFC340001AE12A69098A73CEB81AE52DA4A6D2158B11CD671482A7862402909FCB7C8588D490E677E6\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"user\": {\"name\": \"Acoustic\", \"type\": \"configuration\", \"uid\": \"f797ac16-a4b4-11ee-9910-0242ac110004\", \"org\": {\"name\": \"could director frankfurt\", \"uid\": \"f797b9fe-a4b4-11ee-a468-0242ac110004\", \"ou_name\": \"larry about arbitrary\"}, \"type_id\": 99, \"full_name\": \"Dannie 
Meagan\", \"email_addr\": \"Jen@atmosphere.mobi\"}, \"uid\": \"f797dcc2-a4b4-11ee-9f52-0242ac110004\", \"cmd_line\": \"buck advocacy initiatives\", \"created_time\": 1703680765005764, \"lineage\": [\"legend investigated adjustments\", \"sheet eligible regardless\"], \"sandbox\": \"survivors launched lodging\"}, \"user\": {\"name\": \"Tribes\", \"type\": \"System\", \"uid\": \"f797fc8e-a4b4-11ee-adc3-0242ac110004\", \"type_id\": 3, \"email_addr\": \"Wenona@gnu.name\"}, \"invoked_by\": \"beat tables rising\"}, \"end_time\": 1703680764999344, \"file_diff\": \"remote surprise tale\", \"severity_id\": 4, \"status_detail\": \"not jar user\", \"status_id\": 99}", - "@timestamp": "2023-12-27T12:39:25.007341Z", - "ocsf": { - "activity_id": "10", - "activity_name": "Encrypt", - "actor": { - "invoked_by": "beat tables rising", - "process": { - "cmd_line": "buck advocacy initiatives", - "created_time": 1703680765005764, - "file": { - "confidentiality": "cigarettes subjects terrain", - "created_time": 1703680765003470, - "hashes": [ - { - "algorithm": "SHA-1", - "algorithm_id": "2", - "value": "8F489E765ADD66CEA532CA1AFF150E01610199E3" - }, - { - "algorithm": "CTPH", - "algorithm_id": "5", - "value": "98062F4DEE9A192C300D278008F1B6A2CB646B356D0DE1EFC340001AE12A69098A73CEB81AE52DA4A6D2158B11CD671482A7862402909FCB7C8588D490E677E6" - } - ], - "name": "level.doc", - "parent_folder": "matthew eos tests/secondary.m3u", - "path": "matthew eos tests/secondary.m3u/level.doc", - "product": { - "lang": "en", - "name": "fr subsequent administration", - "uid": "f7977eee-a4b4-11ee-bfd5-0242ac110004", - "vendor_name": "combining concentrate gmt", - "version": "1.0.0" - }, - "type": "Symbolic Link", - "type_id": "7", - "uid": "f797833a-a4b4-11ee-b077-0242ac110004" - }, - "lineage": [ - "legend investigated adjustments", - "sheet eligible regardless" - ], - "name": "Interventions", - "pid": 18, - "sandbox": "survivors launched lodging", - "uid": "f797dcc2-a4b4-11ee-9f52-0242ac110004", - "user": 
{ - "email_addr": "Jen@atmosphere.mobi", - "full_name": "Dannie Meagan", - "name": "Acoustic", - "org": { - "name": "could director frankfurt", - "ou_name": "larry about arbitrary", - "uid": "f797b9fe-a4b4-11ee-a468-0242ac110004" - }, - "type": "configuration", - "type_id": "99", - "uid": "f797ac16-a4b4-11ee-9910-0242ac110004" - } - }, - "user": { - "email_addr": "Wenona@gnu.name", - "name": "Tribes", - "type": "System", - "type_id": "3", - "uid": "f797fc8e-a4b4-11ee-adc3-0242ac110004" - } + "event": { + "action": "encrypt", + "category": [ + "file" + ], + "duration": 62000000, + "end": "2023-12-27T12:39:24.999344Z", + "kind": "event", + "provider": "answering gb single", + "severity": 4, + "type": [ + "info" + ] + }, + "host": { + "mac": [ + "null" + ] + }, + "process": { + "group": { + "id": [ + "null" + ] }, - "category_name": "System Activity", - "category_uid": "1", - "class_name": "File System Activity", - "class_uid": "1001", - "device": { - "created_time": 1703680765007313, - "hostname": "trends.org", - "imei": "genetics half institutional", - "instance_uid": "f7980b52-a4b4-11ee-9b5a-0242ac110004", - "interface_name": "visitors fa trinity", - "interface_uid": "f798130e-a4b4-11ee-8b87-0242ac110004", - "ip": "250.253.200.33", - "name": "coated sacred waiver", - "network_interfaces": [ - { - "hostname": "overhead.mil", - "mac": "9D:F9:D3:48:CD:B9:EC:8B", - "name": "ons physically championship", - "namespace": "sociology collectible myers", - "type": "Wireless", - "type_id": "2" - } - ], - "os": { - "lang": "en", - "name": "producers assessing iran", - "sp_name": "mod booth seller", - "sp_ver": "45", - "type": "HP-UX", - "type_id": "402" - }, - "region": "first universe furnishings", - "type": "Browser", - "type_id": "8", - "uid": "f798170a-a4b4-11ee-91ce-0242ac110004" - }, - "duration": 62, - "end_time": 1703680764999344, - "file": { - "accessed_time": 1703680765008026, - "hashes": [ - { - "algorithm": "SHA-256", - "algorithm_id": "3", - "value": 
"90DDECE3C6BD7FFFE83AF4D6DA7D1D47BDD3BC4B8C55E4FB6014A6197DA2199E" - } - ], - "modified_time": 1703680765008073, - "name": "validation.mp4", - "owner": { - "credential_uid": "f7982dd0-a4b4-11ee-b2ca-0242ac110004", - "name": "Grid", - "type": "System", - "type_id": "3", - "uid": "f7982966-a4b4-11ee-a3fa-0242ac110004", - "uid_alt": "mud faculty coast" - }, - "parent_folder": "rc sharp flow/tells.hqx", - "path": "rc sharp flow/tells.hqx/validation.mp4", - "product": { - "lang": "en", - "name": "opens subdivision marc", - "uid": "f79834c4-a4b4-11ee-bc9e-0242ac110004", - "url_string": "flyer", - "vendor_name": "assumes defensive pets", - "version": "1.0.0" - }, - "type": "Folder", - "type_id": "2", - "version": "1.0.0" - }, - "file_diff": "remote surprise tale", - "message": "memorial vacation gains", - "metadata": { - "log_name": "conjunction wa alot", - "log_provider": "answering gb single", - "log_version": "exposure dx maui", - "logged_time": 1703680765002867, - "original_time": "postings hawaii aaa", - "product": { - "feature": { - "name": "quad back ne", - "uid": "f7976a76-a4b4-11ee-ba7c-0242ac110004", - "version": "1.0.0" - }, - "lang": "en", - "name": "cult c table", - "uid": "f7975f7c-a4b4-11ee-9e82-0242ac110004", - "vendor_name": "kazakhstan yugoslavia danish" - }, - "profiles": [], - "version": "1.0.0" - }, - "severity": "High", - "severity_id": 4, - "status": "jet", - "status_detail": "not jar user", - "status_id": "99", - "timezone_offset": 8, - "type_name": "File System Activity: Encrypt", - "type_uid": "100110" + "user": { + "id": [ + "null" + ] + } + }, + "sekoiaio": { + "intake": { + "parsing_warnings": [ + "Cannot set field 'host.ip' with given definition in stage 'pipeline_object_device'. Cannot convert value in field 'host.ip' to type 'ip'" + ] + } } } -} +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_process_activity.json b/OCSF/ocsf/tests/test_process_activity.json index cb6effc9c..be3bfde98 100644 
--- a/OCSF/ocsf/tests/test_process_activity.json +++ b/OCSF/ocsf/tests/test_process_activity.json 
@@ -10,111 +10,53 @@ }, "expected": { "message": "{\"message\": \"ln centered engaged\", \"process\": {\"name\": \"Christine\", \"pid\": 49, \"file\": {\"name\": \"capture.key\", \"type\": \"Named Pipe\", \"path\": \"retrieval result greece/cooking.dds/capture.key\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"pac olympus bs\", \"issuer\": \"noble medal hay\", \"fingerprints\": [{\"value\": \"07A7C43357C379B3AE9EF43EF042D2A9741BE1BED49FBC735D4A00A6C2FCDABB\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1703680986265475, \"expiration_time\": 1703680986265487, \"serial_number\": \"po anna nudist\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"type_id\": 6, \"accessor\": {\"name\": \"Tools\", \"type\": \"impaired\", \"domain\": \"style mining rob\", \"type_id\": 99, \"full_name\": \"Ezra Carolyn\"}, \"creator\": {\"name\": \"Permits\", \"type\": \"System\", \"uid\": \"7b797c12-a4b5-11ee-ac2e-0242ac110004\", \"org\": {\"name\": \"goods hebrew tops\", \"uid\": \"7b798234-a4b5-11ee-9a21-0242ac110004\", \"ou_name\": \"horses titles sensor\", \"ou_uid\": \"7b798fb8-a4b5-11ee-baaa-0242ac110004\"}, \"groups\": [{\"name\": \"checking say elimination\", \"type\": \"protein rush spirituality\", \"uid\": \"7b7997c4-a4b5-11ee-b340-0242ac110004\"}, {\"name\": \"amd wc entering\", \"type\": \"strengths charge airport\", \"uid\": \"7b79a106-a4b5-11ee-b7d4-0242ac110004\"}], \"type_id\": 3, \"credential_uid\": \"7b79a5de-a4b5-11ee-bdf5-0242ac110004\"}, \"parent_folder\": \"retrieval result greece/cooking.dds\", \"security_descriptor\": \"relates competition influences\"}, \"user\": {\"type\": \"User\", \"domain\": \"rich fascinating babies\", \"uid\": \"7b79b0d8-a4b5-11ee-9d3b-0242ac110004\", \"type_id\": 1}, \"uid\": \"7b79ba2e-a4b5-11ee-9da9-0242ac110004\", \"session\": {\"uid\": \"7b79bfe2-a4b5-11ee-9790-0242ac110004\", \"uuid\": \"7b79c348-a4b5-11ee-a78e-0242ac110004\", \"issuer\": \"acquire soundtrack dentists\", 
\"created_time\": 1703680986267749, \"expiration_time\": 1703680986267759, \"is_remote\": false}, \"cmd_line\": \"template photographs thickness\", \"created_time\": 1703680986267769, \"parent_process\": {\"name\": \"Norway\", \"pid\": 97, \"file\": {\"attributes\": 20, \"name\": \"graduates.xlr\", \"type\": \"Character Device\", \"path\": \"dj hat sacrifice/anthropology.xml/graduates.xlr\", \"desc\": \"wife richardson tough\", \"type_id\": 3, \"accessor\": {\"name\": \"Walker\", \"type\": \"User\", \"domain\": \"adaptive vocal connect\", \"uid\": \"7b79d72a-a4b5-11ee-9491-0242ac110004\", \"type_id\": 1, \"credential_uid\": \"7b79db26-a4b5-11ee-9622-0242ac110004\"}, \"parent_folder\": \"dj hat sacrifice/anthropology.xml\", \"hashes\": [{\"value\": \"EF7CC4A402D8013B9E9699D07CBC14E3C55F5C5077C0E966DE86C3EE2751C748AEFF871E8DF294BCF1EA48DAC792946F2059A9A61F8BCB009BAC23FBEE1874CB\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"2E7435702BABF778619110BEFDD08E463FD9D525111EBEB5B7B7C35582EC89818D1758C14029D6962C0CA58552B0516B1C3D4AFCC3A9B8E655F57842FBA4B305\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": false}, \"user\": {\"name\": \"Examples\", \"type\": \"User\", \"type_id\": 1, \"uid_alt\": \"headers yo regard\"}, \"uid\": \"7b79eda0-a4b5-11ee-b42e-0242ac110004\", \"session\": {\"uid\": \"7b79f30e-a4b5-11ee-ba3b-0242ac110004\", \"issuer\": \"incoming execute acdbentity\", \"created_time\": 1703680986268969, \"is_remote\": false}, \"cmd_line\": \"assessed he compaq\", \"created_time\": 1703680986268986, \"parent_process\": {\"name\": \"Zinc\", \"pid\": 58, \"file\": {\"attributes\": 74, \"name\": \"poverty.pdb\", \"type\": \"interests\", \"path\": \"besides fail stays/price.csr/poverty.pdb\", \"type_id\": 99, \"creator\": {\"name\": \"Succeed\", \"type\": \"Unknown\", \"domain\": \"tutorial niger essentially\", \"uid\": \"7b7a0682-a4b5-11ee-8137-0242ac110004\", \"type_id\": 0, \"uid_alt\": \"keeps face grain\"}, 
\"parent_folder\": \"besides fail stays/price.csr\", \"accessed_time\": 1703680986269471, \"hashes\": [{\"value\": \"DE27F1003BAC8F2CFA275C185BFCB7AF130EC26C2A381565EF1E0D53561298D740AE99098293A5DA2D77E710184E30BB3AC29B571921CEC6D9466DF5747EACEE\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"2CB1B780138BC273459232EDDA0E4B96\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"user\": {\"name\": \"Sheep\", \"type\": \"Unknown\", \"domain\": \"delivery commented support\", \"type_id\": 0, \"full_name\": \"Kiyoko Dominic\", \"email_addr\": \"Felicita@luxury.edu\", \"uid_alt\": \"gibson ga proprietary\"}, \"uid\": \"7b7a2054-a4b5-11ee-a6b9-0242ac110004\", \"cmd_line\": \"muscle performing worry\", \"created_time\": 1703680986270129, \"xattributes\": {}}}}, \"time\": 1703680986272045, \"device\": {\"name\": \"evening conditions deny\", \"type\": \"Mobile\", \"ip\": \"15.108.66.75\", \"hostname\": \"nurse.coop\", \"mac\": \"BB:9D:1F:28:EF:88:89:59\", \"type_id\": 5, \"instance_uid\": \"7b7a5902-a4b5-11ee-9f52-0242ac110004\", \"interface_name\": \"label ok research\", \"interface_uid\": \"7b7a649c-a4b5-11ee-89b8-0242ac110004\", \"is_compliant\": true, \"is_personal\": false, \"modified_time\": 1703680986272022, \"region\": \"lender scenarios lawyers\", \"subnet_uid\": \"7b7a6abe-a4b5-11ee-974d-0242ac110004\", \"uid_alt\": \"fifty acres evanescence\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"satisfied believe eq\", \"version\": \"1.0.0\", \"path\": \"arabic reg noise\", \"uid\": \"7b7a2f72-a4b5-11ee-9478-0242ac110004\", \"lang\": \"en\", \"url_string\": \"dumb\", \"vendor_name\": \"stunning reviewed climbing\"}, \"profiles\": [], \"log_name\": \"gpl saving steven\", \"log_provider\": \"weak inquiry relation\", \"original_time\": \"florists alot midlands\"}, \"severity\": \"Unknown\", \"type_name\": \"Process Activity: Launch\", \"category_name\": \"System Activity\", \"activity_id\": 1, \"type_uid\": 100701, \"class_uid\": 1007, 
\"category_uid\": 1, \"class_name\": \"Process Activity\", \"timezone_offset\": 96, \"activity_name\": \"Launch\", \"actor\": {\"user\": {\"name\": \"Aluminum\", \"type\": \"System\", \"uid\": \"7b7a45ca-a4b5-11ee-9086-0242ac110004\", \"type_id\": 3}, \"invoked_by\": \"montreal cisco legal\"}, \"severity_id\": 0}", - "@timestamp": "2023-12-27T12:43:06.272045Z", - "ocsf": { - "activity_id": "1", - "activity_name": "Launch", - "actor": { - "invoked_by": "montreal cisco legal", - "user": { - "name": "Aluminum", - "type": "System", - "type_id": "3", - "uid": "7b7a45ca-a4b5-11ee-9086-0242ac110004" - } - }, - "category_name": "System Activity", - "category_uid": "1", - "class_name": "Process Activity", - "class_uid": "1007", - "device": { - "hostname": "nurse.coop", - "instance_uid": "7b7a5902-a4b5-11ee-9f52-0242ac110004", - "interface_name": "label ok research", - "interface_uid": "7b7a649c-a4b5-11ee-89b8-0242ac110004", - "ip": "15.108.66.75", - "is_compliant": true, - "is_personal": false, - "mac": "BB:9D:1F:28:EF:88:89:59", - "modified_time": 1703680986272022, - "name": "evening conditions deny", - "region": "lender scenarios lawyers", - "subnet_uid": "7b7a6abe-a4b5-11ee-974d-0242ac110004", - "type": "Mobile", - "type_id": "5", - "uid_alt": "fifty acres evanescence" - }, - "message": "ln centered engaged", - "metadata": { - "log_name": "gpl saving steven", - "log_provider": "weak inquiry relation", - "original_time": "florists alot midlands", - "product": { - "lang": "en", - "name": "satisfied believe eq", - "path": "arabic reg noise", - "uid": "7b7a2f72-a4b5-11ee-9478-0242ac110004", - "url_string": "dumb", - "vendor_name": "stunning reviewed climbing", - "version": "1.0.0" - }, - "profiles": [], - "version": "1.0.0" - }, - "process": { - "file": { - "creator": { - "groups": [{}, {}] - }, - "signature": { - "certificate": { - "fingerprints": [{}] - } - } - }, - "parent_process": { - "file": { - "hashes": [{}, {}] - }, - "parent_process": { - "file": { - "hashes": [{}, 
{}] - } - } - } - }, - "severity": "Unknown", - "severity_id": 0, - "timezone_offset": 96, - "type_name": "Process Activity: Launch", - "type_uid": "100701" + "event": { + "action": "launch", + "category": [ + "process" + ], + "kind": "event", + "provider": "weak inquiry relation", + "severity": 0, + "type": [ + "start" + ] + }, + "host": { + "mac": [ + "null" + ] }, "process": { - "file": { - "creator": { - "groups": [{}, {}] - }, - "signature": { - "certificate": { - "fingerprints": [{}] - } - } + "group": { + "id": [ + "null" + ] }, - "name": "Christine", - "parent_process": { - "file": { - "hashes": [{}, {}] + "parent": { + "group": { + "id": [ + "null" + ] }, - "parent_process": { - "file": { - "hashes": [{}, {}] - } + "user": { + "id": [ + "null" + ] } }, - "pid": 49, "user": { - "domain": "rich fascinating babies" + "id": [ + "null" + ] + } + }, + "sekoiaio": { + "intake": { + "parsing_warnings": [ + "Cannot set field 'host.ip' with given definition in stage 'pipeline_object_device'. Cannot convert value in field 'host.ip' to type 'ip'" + ] } } } -} +} \ No newline at end of file From bd553ac716f79c59c6233ff112382b725d276a43 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 30 Jan 2024 16:08:32 +0200 Subject: [PATCH 04/34] Apply prettier --- OCSF/ocsf/ingest/parser.yml | 687 ++++++++++++++++++------------------ 1 file changed, 344 insertions(+), 343 deletions(-) diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml index 17d7d599a..bcd30998b 100644 --- a/OCSF/ocsf/ingest/parser.yml +++ b/OCSF/ocsf/ingest/parser.yml 
@@ -367,489 +367,490 @@ stages: parse_event.message.status_id: event.outcome set_fields: - actions: [] + actions: + [] #- set: - #ocsf: "{{parse_event.message}}" - #process: "{{parse_event.message.process}}" + #ocsf: "{{parse_event.message}}" + #process: "{{parse_event.message.process}}" pipeline_object_actor: actions: - set: - container.id: '{{ parse_event.message.parse_event.message.actor.process.container.uid }}' - container.image.name: '{{ parse_event.message.parse_event.message.actor.process.container.image.name }}' + container.id: "{{ parse_event.message.parse_event.message.actor.process.container.uid }}" + container.image.name: "{{ parse_event.message.parse_event.message.actor.process.container.image.name }}" - set: container.image.tag: - - '{{ parse_event.message.parse_event.message.actor.process.container.image.tag }}' - filter: '{{ parse_event.message.actor.process.container.image.tag != None }}' - - set: - container.labels: '{{ parse_event.message.parse_event.message.actor.process.container.image.labels }}' - orchestrator.type: '{{ parse_event.message.parse_event.message.actor.process.container.orchestrator }}' - container.name: '{{ parse_event.message.parse_event.message.actor.process.container.name }}' - container.runtime: '{{ parse_event.message.parse_event.message.actor.process.container.runtime }}' - file.accessed: '{{ parse_event.message.parse_event.message.actor.process.file.accessed_time }}' - file.created: '{{ parse_event.message.parse_event.message.actor.process.file.created_time }}' - file.directory: '{{ parse_event.message.parse_event.message.actor.process.file.parent_folder }}' - file.inode: '{{ parse_event.message.parse_event.message.actor.process.file.uid }}' - file.mime_type: '{{ parse_event.message.parse_event.message.actor.process.file.mime_type }}' - file.mtime: '{{ parse_event.message.parse_event.message.actor.process.file.modified_time }}' - file.name: '{{ parse_event.message.parse_event.message.actor.process.file.name }}' - 
file.owner: '{{ parse_event.message.parse_event.message.actor.process.file.owner.name }}' - file.path: '{{ parse_event.message.parse_event.message.actor.process.file.path }}' - file.size: '{{ parse_event.message.parse_event.message.actor.process.file.size }}' - file.type: '{{ parse_event.message.parse_event.message.actor.process.file.type }}' - file.uid: '{{ parse_event.message.parse_event.message.actor.process.file.owner.uid }}' - file.x509.issuer.distinguished_name: '{{ parse_event.message.parse_event.message.actor.process.file.signature.certificate.issuer }}' - file.x509.not_after: '{{ parse_event.message.parse_event.message.actor.process.file.signature.certificate.expiration_time }}' - file.x509.serial_number: '{{ parse_event.message.parse_event.message.actor.process.file.signature.certificate.serial_number }}' - file.x509.subject.distinguished_name: '{{ parse_event.message.parse_event.message.actor.process.file.signature.certificate.subject }}' - file.x509.version_number: '{{ parse_event.message.parse_event.message.actor.process.file.signature.certificate.version }}' - process.command_line: '{{ parse_event.message.parse_event.message.actor.process.cmd_line }}' - process.end: '{{ parse_event.message.parse_event.message.actor.process.terminated_time }}' + - "{{ parse_event.message.parse_event.message.actor.process.container.image.tag }}" + filter: "{{ parse_event.message.actor.process.container.image.tag != None }}" + - set: + container.labels: "{{ parse_event.message.parse_event.message.actor.process.container.image.labels }}" + orchestrator.type: "{{ parse_event.message.parse_event.message.actor.process.container.orchestrator }}" + container.name: "{{ parse_event.message.parse_event.message.actor.process.container.name }}" + container.runtime: "{{ parse_event.message.parse_event.message.actor.process.container.runtime }}" + file.accessed: "{{ parse_event.message.parse_event.message.actor.process.file.accessed_time }}" + file.created: "{{ 
parse_event.message.parse_event.message.actor.process.file.created_time }}" + file.directory: "{{ parse_event.message.parse_event.message.actor.process.file.parent_folder }}" + file.inode: "{{ parse_event.message.parse_event.message.actor.process.file.uid }}" + file.mime_type: "{{ parse_event.message.parse_event.message.actor.process.file.mime_type }}" + file.mtime: "{{ parse_event.message.parse_event.message.actor.process.file.modified_time }}" + file.name: "{{ parse_event.message.parse_event.message.actor.process.file.name }}" + file.owner: "{{ parse_event.message.parse_event.message.actor.process.file.owner.name }}" + file.path: "{{ parse_event.message.parse_event.message.actor.process.file.path }}" + file.size: "{{ parse_event.message.parse_event.message.actor.process.file.size }}" + file.type: "{{ parse_event.message.parse_event.message.actor.process.file.type }}" + file.uid: "{{ parse_event.message.parse_event.message.actor.process.file.owner.uid }}" + file.x509.issuer.distinguished_name: "{{ parse_event.message.parse_event.message.actor.process.file.signature.certificate.issuer }}" + file.x509.not_after: "{{ parse_event.message.parse_event.message.actor.process.file.signature.certificate.expiration_time }}" + file.x509.serial_number: "{{ parse_event.message.parse_event.message.actor.process.file.signature.certificate.serial_number }}" + file.x509.subject.distinguished_name: "{{ parse_event.message.parse_event.message.actor.process.file.signature.certificate.subject }}" + file.x509.version_number: "{{ parse_event.message.parse_event.message.actor.process.file.signature.certificate.version }}" + process.command_line: "{{ parse_event.message.parse_event.message.actor.process.cmd_line }}" + process.end: "{{ parse_event.message.parse_event.message.actor.process.terminated_time }}" - set: process.group.id: - - '{{ parse_event.message.parse_event.message.actor.process.egid }}' - filter: '{{ parse_event.message.actor.process.egid != None }}' + - "{{ 
parse_event.message.parse_event.message.actor.process.egid }}" + filter: "{{ parse_event.message.actor.process.egid != None }}" - set: process.group.id: - - '{{ parse_event.message.parse_event.message.actor.process.group.uid }}' - filter: '{{ parse_event.message.actor.process.group.uid != None }}' - - set: - process.group.name: '{{ parse_event.message.parse_event.message.actor.process.group.name }}' - process.name: '{{ parse_event.message.parse_event.message.actor.process.name }}' - process.pid: '{{ parse_event.message.parse_event.message.actor.process.pid }}' - process.start: '{{ parse_event.message.parse_event.message.actor.process.created_time }}' - process.thread.id: '{{ parse_event.message.parse_event.message.actor.process.tid }}' - process.entity_id: '{{ parse_event.message.parse_event.message.actor.process.uid }}' - process.user.domain: '{{ parse_event.message.parse_event.message.actor.process.user.domain }}' - process.user.email: '{{ parse_event.message.parse_event.message.actor.process.user.email_addr }}' - process.user.full_name: '{{ parse_event.message.parse_event.message.actor.process.user.full_name }}' + - "{{ parse_event.message.parse_event.message.actor.process.group.uid }}" + filter: "{{ parse_event.message.actor.process.group.uid != None }}" + - set: + process.group.name: "{{ parse_event.message.parse_event.message.actor.process.group.name }}" + process.name: "{{ parse_event.message.parse_event.message.actor.process.name }}" + process.pid: "{{ parse_event.message.parse_event.message.actor.process.pid }}" + process.start: "{{ parse_event.message.parse_event.message.actor.process.created_time }}" + process.thread.id: "{{ parse_event.message.parse_event.message.actor.process.tid }}" + process.entity_id: "{{ parse_event.message.parse_event.message.actor.process.uid }}" + process.user.domain: "{{ parse_event.message.parse_event.message.actor.process.user.domain }}" + process.user.email: "{{ 
parse_event.message.parse_event.message.actor.process.user.email_addr }}" + process.user.full_name: "{{ parse_event.message.parse_event.message.actor.process.user.full_name }}" - set: process.user.id: - - '{{ parse_event.message.parse_event.message.actor.process.euid }}' - filter: '{{ parse_event.message.actor.process.euid != None }}' + - "{{ parse_event.message.parse_event.message.actor.process.euid }}" + filter: "{{ parse_event.message.actor.process.euid != None }}" - set: process.user.id: - - '{{ parse_event.message.parse_event.message.actor.process.user.uid }}' - filter: '{{ parse_event.message.actor.process.user.uid != None }}' - - set: - process.user.name: '{{ parse_event.message.parse_event.message.actor.process.user.name }}' - user.domain: '{{ parse_event.message.parse_event.message.actor.user.domain }}' - user.email: '{{ parse_event.message.parse_event.message.actor.user.email_addr }}' - user.full_name: '{{ parse_event.message.parse_event.message.actor.user.full_name }}' - user.id: '{{ parse_event.message.parse_event.message.actor.user.uid }}' - user.name: '{{ parse_event.message.parse_event.message.actor.user.name }}' - process.parent.command_line: '{{ parse_event.message.parse_event.message.actor.process.parent_process.cmd_line }}' - process.parent.end: '{{ parse_event.message.parse_event.message.actor.process.parent_process.terminated_time }}' + - "{{ parse_event.message.parse_event.message.actor.process.user.uid }}" + filter: "{{ parse_event.message.actor.process.user.uid != None }}" + - set: + process.user.name: "{{ parse_event.message.parse_event.message.actor.process.user.name }}" + user.domain: "{{ parse_event.message.parse_event.message.actor.user.domain }}" + user.email: "{{ parse_event.message.parse_event.message.actor.user.email_addr }}" + user.full_name: "{{ parse_event.message.parse_event.message.actor.user.full_name }}" + user.id: "{{ parse_event.message.parse_event.message.actor.user.uid }}" + user.name: "{{ 
parse_event.message.parse_event.message.actor.user.name }}" + process.parent.command_line: "{{ parse_event.message.parse_event.message.actor.process.parent_process.cmd_line }}" + process.parent.end: "{{ parse_event.message.parse_event.message.actor.process.parent_process.terminated_time }}" - set: process.parent.group.id: - - '{{ parse_event.message.parse_event.message.actor.process.parent_process.egid }}' - filter: '{{ parse_event.message.actor.process.parent_process.egid != None }}' + - "{{ parse_event.message.parse_event.message.actor.process.parent_process.egid }}" + filter: "{{ parse_event.message.actor.process.parent_process.egid != None }}" - set: process.parent.group.id: - - '{{ parse_event.message.parse_event.message.actor.process.parent_process.group.uid }}' - filter: '{{ parse_event.message.actor.process.parent_process.group.uid != None }}' - - set: - process.parent.group.name: '{{ parse_event.message.parse_event.message.actor.process.parent_process.group.name }}' - process.parent.name: '{{ parse_event.message.parse_event.message.actor.process.parent_process.name }}' - process.parent.pid: '{{ parse_event.message.parse_event.message.actor.process.parent_process.pid }}' - process.parent.start: '{{ parse_event.message.parse_event.message.actor.process.parent_process.created_time }}' - process.parent.thread.id: '{{ parse_event.message.parse_event.message.actor.process.parent_process.tid }}' - process.parent.entity_id: '{{ parse_event.message.parse_event.message.actor.process.parent_process.uid }}' - process.parent.user.domain: '{{ parse_event.message.parse_event.message.actor.process.parent_process.user.domain }}' - process.parent.user.email: '{{ parse_event.message.parse_event.message.actor.process.parent_process.user.email_addr }}' - process.parent.user.full_name: '{{ parse_event.message.parse_event.message.actor.process.parent_process.user.full_name }}' + - "{{ parse_event.message.parse_event.message.actor.process.parent_process.group.uid }}" + filter: 
"{{ parse_event.message.actor.process.parent_process.group.uid != None }}"
+ - set:
+ process.parent.group.name: "{{ parse_event.message.parse_event.message.actor.process.parent_process.group.name }}"
+ process.parent.name: "{{ parse_event.message.parse_event.message.actor.process.parent_process.name }}"
+ process.parent.pid: "{{ parse_event.message.parse_event.message.actor.process.parent_process.pid }}"
+ process.parent.start: "{{ parse_event.message.parse_event.message.actor.process.parent_process.created_time }}"
+ process.parent.thread.id: "{{ parse_event.message.parse_event.message.actor.process.parent_process.tid }}"
+ process.parent.entity_id: "{{ parse_event.message.parse_event.message.actor.process.parent_process.uid }}"
+ process.parent.user.domain: "{{ parse_event.message.parse_event.message.actor.process.parent_process.user.domain }}"
+ process.parent.user.email: "{{ parse_event.message.parse_event.message.actor.process.parent_process.user.email_addr }}"
+ process.parent.user.full_name: "{{ parse_event.message.parse_event.message.actor.process.parent_process.user.full_name }}"
- set:
process.parent.user.id:
- - '{{ parse_event.message.parse_event.message.actor.process.parent_process.euid }}'
- filter: '{{ parse_event.message.actor.process.parent_process.euid != None }}'
+ - "{{ parse_event.message.parse_event.message.actor.process.parent_process.euid }}"
+ filter: "{{ parse_event.message.actor.process.parent_process.euid != None }}"
- set:
process.parent.user.id:
- - '{{ parse_event.message.parse_event.message.actor.process.parent_process.user.uid }}'
- filter: '{{ parse_event.message.actor.process.parent_process.user.uid != None }}'
+ - "{{ parse_event.message.parse_event.message.actor.process.parent_process.user.uid }}"
+ filter: "{{ parse_event.message.actor.process.parent_process.user.uid != None }}"
- set:
- process.parent.user.name: '{{ parse_event.message.parse_event.message.actor.process.parent_process.user.name }}'
+ process.parent.user.name: "{{ parse_event.message.parse_event.message.actor.process.parent_process.user.name }}"
pipeline_object_network_connection_info:
actions:
- set:
- network.iana_number: '{{ parse_event.message.parse_event.message.connection_info.protocol_num }}'
+ network.iana_number: "{{ parse_event.message.parse_event.message.connection_info.protocol_num }}"
- set:
network.direction:
- internal
- filter: '{{ parse_event.message.connection_info.boundary != None and parse_event.message.connection_info.boundary == ''Internal'' }}'
+ filter: "{{ parse_event.message.connection_info.boundary != None and parse_event.message.connection_info.boundary == 'Internal' }}"
- set:
network.direction:
- external
- filter: '{{ parse_event.message.connection_info.boundary != None and parse_event.message.connection_info.boundary == ''External'' }}'
+ filter: "{{ parse_event.message.connection_info.boundary != None and parse_event.message.connection_info.boundary == 'External' }}"
- set:
network.direction:
- inbound
- filter: '{{ parse_event.message.connection_info.direction != None and parse_event.message.connection_info.direction == ''Inbound'' }}'
+ filter: "{{ parse_event.message.connection_info.direction != None and parse_event.message.connection_info.direction == 'Inbound' }}"
- set:
network.direction:
- outbound
- filter: '{{ parse_event.message.connection_info.direction != None and parse_event.message.connection_info.direction == ''Outbound'' }}'
+ filter: "{{ parse_event.message.connection_info.direction != None and parse_event.message.connection_info.direction == 'Outbound' }}"
- set:
network.direction:
- unknown
- filter: '{{ parse_event.message.connection_info.direction != None and parse_event.message.connection_info.direction == ''Unknown'' or parse_event.message.connection_info.boundary != None and parse_event.message.connection_info.boundary == ''Unknown'' }}'
+ filter: "{{ parse_event.message.connection_info.direction != None and parse_event.message.connection_info.direction == 'Unknown' or parse_event.message.connection_info.boundary != None and parse_event.message.connection_info.boundary == 'Unknown' }}"
pipeline_object_device:
actions:
- set:
- host.domain: '{{ parse_event.message.parse_event.message.device.domain }}'
- host.geo.city_name: '{{ parse_event.message.parse_event.message.device.location.city }}'
- host.geo.continent_name: '{{ parse_event.message.parse_event.message.device.location.continent }}'
- host.geo.country_iso_code: '{{ parse_event.message.parse_event.message.device.location.country }}'
- host.geo.location: '{{ parse_event.message.parse_event.message.device.location.coordinates }}'
- host.geo.name: '{{ parse_event.message.parse_event.message.device.location.desc }}'
- host.geo.postal_code: '{{ parse_event.message.parse_event.message.device.location.postal_code }}'
- host.geo.region_iso_code: '{{ parse_event.message.parse_event.message.device.location.region }}'
- host.hostname: '{{ parse_event.message.parse_event.message.device.hostname }}'
- host.id: '{{ parse_event.message.parse_event.message.device.uid }}'
+ host.domain: "{{ parse_event.message.parse_event.message.device.domain }}"
+ host.geo.city_name: "{{ parse_event.message.parse_event.message.device.location.city }}"
+ host.geo.continent_name: "{{ parse_event.message.parse_event.message.device.location.continent }}"
+ host.geo.country_iso_code: "{{ parse_event.message.parse_event.message.device.location.country }}"
+ host.geo.location: "{{ parse_event.message.parse_event.message.device.location.coordinates }}"
+ host.geo.name: "{{ parse_event.message.parse_event.message.device.location.desc }}"
+ host.geo.postal_code: "{{ parse_event.message.parse_event.message.device.location.postal_code }}"
+ host.geo.region_iso_code: "{{ parse_event.message.parse_event.message.device.location.region }}"
+ host.hostname: "{{ parse_event.message.parse_event.message.device.hostname }}"
+ host.id: "{{ parse_event.message.parse_event.message.device.uid }}"
- set:
host.ip:
- - '{{ parse_event.message.parse_event.message.device.ip }}'
- filter: '{{ parse_event.message.device.ip != None }}'
+ - "{{ parse_event.message.parse_event.message.device.ip }}"
+ filter: "{{ parse_event.message.device.ip != None }}"
- set:
host.mac:
- - '{{ parse_event.message.parse_event.message.device.mac }}'
- filter: '{{ parse_event.message.device.mac != None }}'
+ - "{{ parse_event.message.parse_event.message.device.mac }}"
+ filter: "{{ parse_event.message.device.mac != None }}"
- set:
- host.os.name: '{{ parse_event.message.parse_event.message.device.os.name }}'
+ host.os.name: "{{ parse_event.message.parse_event.message.device.os.name }}"
- set:
- host.os.type: '{{ parse_event.message.parse_event.message.device.os.type }}'
- filter: '{{ parse_event.message.device.os.type != None and parse_event.message.device.os.type in [''Linux'',''Windows'',''Android'',''macOS'',''iOS''] }}'
+ host.os.type: "{{ parse_event.message.parse_event.message.device.os.type }}"
+ filter: "{{ parse_event.message.device.os.type != None and parse_event.message.device.os.type in ['Linux','Windows','Android','macOS','iOS'] }}"
- set:
- host.os.version: '{{ parse_event.message.parse_event.message.device.os.build }}'
- host.risk.static_level: '{{ parse_event.message.parse_event.message.device.risk_level }}'
- host.risk.static_score: '{{ parse_event.message.parse_event.message.device.risk_score }}'
- host.type: '{{ parse_event.message.parse_event.message.device.type }}'
- network.vlan.id: '{{ parse_event.message.parse_event.message.device.vlan_uid }}'
+ host.os.version: "{{ parse_event.message.parse_event.message.device.os.build }}"
+ host.risk.static_level: "{{ parse_event.message.parse_event.message.device.risk_level }}"
+ host.risk.static_score: "{{ parse_event.message.parse_event.message.device.risk_score }}"
+ host.type: "{{ parse_event.message.parse_event.message.device.type }}"
+ network.vlan.id: "{{ parse_event.message.parse_event.message.device.vlan_uid }}"
pipeline_object_http_request:
actions:
- set:
- http.request.id: '{{ parse_event.message.parse_event.message.http_request.uid }}'
- http.request.method: '{{ parse_event.message.parse_event.message.http_request.http_method }}'
- http.request.referrer: '{{ parse_event.message.parse_event.message.http_request.referrer }}'
- http.version: '{{ parse_event.message.parse_event.message.http_request.version }}'
- url.domain: '{{ parse_event.message.parse_event.message.http_request.url.hostname }}'
- url.original: '{{ parse_event.message.parse_event.message.http_request.url.url_string }}'
- url.path: '{{ parse_event.message.parse_event.message.http_request.url.path }}'
- url.port: '{{ parse_event.message.parse_event.message.http_request.url.port }}'
- url.query: '{{ parse_event.message.parse_event.message.http_request.url.query_string }}'
- url.scheme: '{{ parse_event.message.parse_event.message.http_request.url.scheme }}'
- url.subdomain: '{{ parse_event.message.parse_event.message.http_request.url.subdomain }}'
- user_agent.original: '{{ parse_event.message.parse_event.message.http_request.user_agent }}'
+ http.request.id: "{{ parse_event.message.parse_event.message.http_request.uid }}"
+ http.request.method: "{{ parse_event.message.parse_event.message.http_request.http_method }}"
+ http.request.referrer: "{{ parse_event.message.parse_event.message.http_request.referrer }}"
+ http.version: "{{ parse_event.message.parse_event.message.http_request.version }}"
+ url.domain: "{{ parse_event.message.parse_event.message.http_request.url.hostname }}"
+ url.original: "{{ parse_event.message.parse_event.message.http_request.url.url_string }}"
+ url.path: "{{ parse_event.message.parse_event.message.http_request.url.path }}"
+ url.port: "{{ parse_event.message.parse_event.message.http_request.url.port }}"
+ url.query: "{{ parse_event.message.parse_event.message.http_request.url.query_string }}"
+ url.scheme: "{{ parse_event.message.parse_event.message.http_request.url.scheme }}"
+ url.subdomain: "{{ parse_event.message.parse_event.message.http_request.url.subdomain }}"
+ user_agent.original: "{{ parse_event.message.parse_event.message.http_request.user_agent }}"
pipeline_object_malware:
- actions: [ ]
+ actions: []
pipeline_object_network_endpoint:
actions:
- set:
source.domain:
- - '{{ parse_event.message.parse_event.message.src_endpoint.domain }}'
- filter: '{{ parse_event.message.src_endpoint.domain != None }}'
+ - "{{ parse_event.message.parse_event.message.src_endpoint.domain }}"
+ filter: "{{ parse_event.message.src_endpoint.domain != None }}"
- set:
- source.geo.city_name: '{{ parse_event.message.parse_event.message.src_endpoint.location.city }}'
- source.geo.continent_name: '{{ parse_event.message.parse_event.message.src_endpoint.location.continent }}'
- source.geo.location: '{{ parse_event.message.parse_event.message.src_endpoint.location.coordinates }}'
- source.geo.country_iso_code: '{{ parse_event.message.parse_event.message.src_endpoint.location.country }}'
- source.geo.name: '{{ parse_event.message.parse_event.message.src_endpoint.location.desc }}'
- source.geo.postal_code: '{{ parse_event.message.parse_event.message.src_endpoint.location.postal_code }}'
- source.geo.region_iso_code: '{{ parse_event.message.parse_event.message.src_endpoint.location.region }}'
+ source.geo.city_name: "{{ parse_event.message.parse_event.message.src_endpoint.location.city }}"
+ source.geo.continent_name: "{{ parse_event.message.parse_event.message.src_endpoint.location.continent }}"
+ source.geo.location: "{{ parse_event.message.parse_event.message.src_endpoint.location.coordinates }}"
+ source.geo.country_iso_code: "{{ parse_event.message.parse_event.message.src_endpoint.location.country }}"
+ source.geo.name: "{{ parse_event.message.parse_event.message.src_endpoint.location.desc }}"
+ source.geo.postal_code: "{{ parse_event.message.parse_event.message.src_endpoint.location.postal_code }}"
+ source.geo.region_iso_code: "{{ parse_event.message.parse_event.message.src_endpoint.location.region }}"
- set:
source.domain:
- - '{{ parse_event.message.parse_event.message.src_endpoint.hostname }}'
- filter: '{{ parse_event.message.src_endpoint.hostname != None }}'
+ - "{{ parse_event.message.parse_event.message.src_endpoint.hostname }}"
+ filter: "{{ parse_event.message.src_endpoint.hostname != None }}"
- set:
- source.ip: '{{ parse_event.message.parse_event.message.src_endpoint.ip }}'
- source.mac: '{{ parse_event.message.parse_event.message.src_endpoint.mac }}'
- source.port: '{{ parse_event.message.parse_event.message.src_endpoint.port }}'
+ source.ip: "{{ parse_event.message.parse_event.message.src_endpoint.ip }}"
+ source.mac: "{{ parse_event.message.parse_event.message.src_endpoint.mac }}"
+ source.port: "{{ parse_event.message.parse_event.message.src_endpoint.port }}"
- set:
network.application:
- - '{{ parse_event.message.parse_event.message.src_endpoint.svc_name }}'
- filter: '{{ parse_event.message.src_endpoint.svc_name != None }}'
+ - "{{ parse_event.message.parse_event.message.src_endpoint.svc_name }}"
+ filter: "{{ parse_event.message.src_endpoint.svc_name != None }}"
- set:
destination.domain:
- - '{{ parse_event.message.parse_event.message.dst_endpoint.domain }}'
- filter: '{{ parse_event.message.dst_endpoint.domain != None }}'
+ - "{{ parse_event.message.parse_event.message.dst_endpoint.domain }}"
+ filter: "{{ parse_event.message.dst_endpoint.domain != None }}"
- set:
- destination.geo.city_name: '{{ parse_event.message.parse_event.message.dst_endpoint.location.city }}'
- destination.geo.continent_name: '{{ parse_event.message.parse_event.message.dst_endpoint.location.continent }}'
- destination.geo.location: '{{ parse_event.message.parse_event.message.dst_endpoint.location.coordinates }}'
- destination.geo.country_iso_code: '{{ parse_event.message.parse_event.message.dst_endpoint.location.country }}'
- destination.geo.name: '{{ parse_event.message.parse_event.message.dst_endpoint.location.desc }}'
- destination.geo.postal_code: '{{ parse_event.message.parse_event.message.dst_endpoint.location.postal_code }}'
- destination.geo.region_iso_code: '{{ parse_event.message.parse_event.message.dst_endpoint.location.region }}'
+ destination.geo.city_name: "{{ parse_event.message.parse_event.message.dst_endpoint.location.city }}"
+ destination.geo.continent_name: "{{ parse_event.message.parse_event.message.dst_endpoint.location.continent }}"
+ destination.geo.location: "{{ parse_event.message.parse_event.message.dst_endpoint.location.coordinates }}"
+ destination.geo.country_iso_code: "{{ parse_event.message.parse_event.message.dst_endpoint.location.country }}"
+ destination.geo.name: "{{ parse_event.message.parse_event.message.dst_endpoint.location.desc }}"
+ destination.geo.postal_code: "{{ parse_event.message.parse_event.message.dst_endpoint.location.postal_code }}"
+ destination.geo.region_iso_code: "{{ parse_event.message.parse_event.message.dst_endpoint.location.region }}"
- set:
destination.domain:
- - '{{ parse_event.message.parse_event.message.dst_endpoint.hostname }}'
- filter: '{{ parse_event.message.dst_endpoint.hostname != None }}'
+ - "{{ parse_event.message.parse_event.message.dst_endpoint.hostname }}"
+ filter: "{{ parse_event.message.dst_endpoint.hostname != None }}"
- set:
- destination.ip: '{{ parse_event.message.parse_event.message.dst_endpoint.ip }}'
- destination.mac: '{{ parse_event.message.parse_event.message.dst_endpoint.mac }}'
- destination.port: '{{ parse_event.message.parse_event.message.dst_endpoint.port }}'
+ destination.ip: "{{ parse_event.message.parse_event.message.dst_endpoint.ip }}"
+ destination.mac: "{{ parse_event.message.parse_event.message.dst_endpoint.mac }}"
+ destination.port: "{{ parse_event.message.parse_event.message.dst_endpoint.port }}"
- set:
network.application:
- - '{{ parse_event.message.parse_event.message.dst_endpoint.svc_name }}'
- filter: '{{ parse_event.message.dst_endpoint.svc_name != None }}'
+ - "{{ parse_event.message.parse_event.message.dst_endpoint.svc_name }}"
+ filter: "{{ parse_event.message.dst_endpoint.svc_name != None }}"
pipeline_object_process:
actions:
- set:
- container.id: '{{ parse_event.message.parse_event.message.process.container.uid }}'
- container.image.name: '{{ parse_event.message.parse_event.message.process.container.image.name }}'
+ container.id: "{{ parse_event.message.parse_event.message.process.container.uid }}"
+ container.image.name: "{{ parse_event.message.parse_event.message.process.container.image.name }}"
- set:
container.image.tag:
- - '{{ parse_event.message.parse_event.message.process.container.image.tag }}'
- filter: '{{ parse_event.message.process.container.image.tag != None }}'
- - set:
- container.labels: '{{ parse_event.message.parse_event.message.process.container.image.labels }}'
- orchestrator.type: '{{ parse_event.message.parse_event.message.process.container.orchestrator }}'
- container.name: '{{ parse_event.message.parse_event.message.process.container.name }}'
- container.runtime: '{{ parse_event.message.parse_event.message.process.container.runtime }}'
- file.accessed: '{{ parse_event.message.parse_event.message.process.file.accessed_time }}'
- file.created: '{{ parse_event.message.parse_event.message.process.file.created_time }}'
- file.directory: '{{ parse_event.message.parse_event.message.process.file.parent_folder }}'
- file.inode: '{{ parse_event.message.parse_event.message.process.file.uid }}'
- file.mime_type: '{{ parse_event.message.parse_event.message.process.file.mime_type }}'
- file.mtime: '{{ parse_event.message.parse_event.message.process.file.modified_time }}'
- file.name: '{{ parse_event.message.parse_event.message.process.file.name }}'
- file.owner: '{{ parse_event.message.parse_event.message.process.file.owner.name }}'
- file.path: '{{ parse_event.message.parse_event.message.process.file.path }}'
- file.size: '{{ parse_event.message.parse_event.message.process.file.size }}'
- file.type: '{{ parse_event.message.parse_event.message.process.file.type }}'
- file.uid: '{{ parse_event.message.parse_event.message.process.file.owner.uid }}'
- file.x509.issuer.distinguished_name: '{{ parse_event.message.parse_event.message.process.file.signature.certificate.issuer }}'
- file.x509.not_after: '{{ parse_event.message.parse_event.message.process.file.signature.certificate.expiration_time }}'
- file.x509.serial_number: '{{ parse_event.message.parse_event.message.process.file.signature.certificate.serial_number }}'
- file.x509.subject.distinguished_name: '{{ parse_event.message.parse_event.message.process.file.signature.certificate.subject }}'
- file.x509.version_number: '{{ parse_event.message.parse_event.message.process.file.signature.certificate.version }}'
- process.command_line: '{{ parse_event.message.parse_event.message.process.cmd_line }}'
- process.end: '{{ parse_event.message.parse_event.message.process.terminated_time }}'
+ - "{{ parse_event.message.parse_event.message.process.container.image.tag }}"
+ filter: "{{ parse_event.message.process.container.image.tag != None }}"
+ - set:
+ container.labels: "{{ parse_event.message.parse_event.message.process.container.image.labels }}"
+ orchestrator.type: "{{ parse_event.message.parse_event.message.process.container.orchestrator }}"
+ container.name: "{{ parse_event.message.parse_event.message.process.container.name }}"
+ container.runtime: "{{ parse_event.message.parse_event.message.process.container.runtime }}"
+ file.accessed: "{{ parse_event.message.parse_event.message.process.file.accessed_time }}"
+ file.created: "{{ parse_event.message.parse_event.message.process.file.created_time }}"
+ file.directory: "{{ parse_event.message.parse_event.message.process.file.parent_folder }}"
+ file.inode: "{{ parse_event.message.parse_event.message.process.file.uid }}"
+ file.mime_type: "{{ parse_event.message.parse_event.message.process.file.mime_type }}"
+ file.mtime: "{{ parse_event.message.parse_event.message.process.file.modified_time }}"
+ file.name: "{{ parse_event.message.parse_event.message.process.file.name }}"
+ file.owner: "{{ parse_event.message.parse_event.message.process.file.owner.name }}"
+ file.path: "{{ parse_event.message.parse_event.message.process.file.path }}"
+ file.size: "{{ parse_event.message.parse_event.message.process.file.size }}"
+ file.type: "{{ parse_event.message.parse_event.message.process.file.type }}"
+ file.uid: "{{ parse_event.message.parse_event.message.process.file.owner.uid }}"
+ file.x509.issuer.distinguished_name: "{{ parse_event.message.parse_event.message.process.file.signature.certificate.issuer }}"
+ file.x509.not_after: "{{ parse_event.message.parse_event.message.process.file.signature.certificate.expiration_time }}"
+ file.x509.serial_number: "{{ parse_event.message.parse_event.message.process.file.signature.certificate.serial_number }}"
+ file.x509.subject.distinguished_name: "{{ parse_event.message.parse_event.message.process.file.signature.certificate.subject }}"
+ file.x509.version_number: "{{ parse_event.message.parse_event.message.process.file.signature.certificate.version }}"
+ process.command_line: "{{ parse_event.message.parse_event.message.process.cmd_line }}"
+ process.end: "{{ parse_event.message.parse_event.message.process.terminated_time }}"
- set:
process.group.id:
- - '{{ parse_event.message.parse_event.message.process.egid }}'
- filter: '{{ parse_event.message.process.egid != None }}'
+ - "{{ parse_event.message.parse_event.message.process.egid }}"
+ filter: "{{ parse_event.message.process.egid != None }}"
- set:
process.group.id:
- - '{{ parse_event.message.parse_event.message.process.group.uid }}'
- filter: '{{ parse_event.message.process.group.uid != None }}'
- - set:
- process.group.name: '{{ parse_event.message.parse_event.message.process.group.name }}'
- process.name: '{{ parse_event.message.parse_event.message.process.name }}'
- process.pid: '{{ parse_event.message.parse_event.message.process.pid }}'
- process.start: '{{ parse_event.message.parse_event.message.process.created_time }}'
- process.thread.id: '{{ parse_event.message.parse_event.message.process.tid }}'
- process.entity_id: '{{ parse_event.message.parse_event.message.process.uid }}'
- process.user.domain: '{{ parse_event.message.parse_event.message.process.user.domain }}'
- process.user.email: '{{ parse_event.message.parse_event.message.process.user.email_addr }}'
- process.user.full_name: '{{ parse_event.message.parse_event.message.process.user.full_name }}'
+ - "{{ parse_event.message.parse_event.message.process.group.uid }}"
+ filter: "{{ parse_event.message.process.group.uid != None }}"
+ - set:
+ process.group.name: "{{ parse_event.message.parse_event.message.process.group.name }}"
+ process.name: "{{ parse_event.message.parse_event.message.process.name }}"
+ process.pid: "{{ parse_event.message.parse_event.message.process.pid }}"
+ process.start: "{{ parse_event.message.parse_event.message.process.created_time }}"
+ process.thread.id: "{{ parse_event.message.parse_event.message.process.tid }}"
+ process.entity_id: "{{ parse_event.message.parse_event.message.process.uid }}"
+ process.user.domain: "{{ parse_event.message.parse_event.message.process.user.domain }}"
+ process.user.email: "{{ parse_event.message.parse_event.message.process.user.email_addr }}"
+ process.user.full_name: "{{ parse_event.message.parse_event.message.process.user.full_name }}"
- set:
process.user.id:
- - '{{ parse_event.message.parse_event.message.process.euid }}'
- filter: '{{ parse_event.message.process.euid != None }}'
+ - "{{ parse_event.message.parse_event.message.process.euid }}"
+ filter: "{{ parse_event.message.process.euid != None }}"
- set:
process.user.id:
- - '{{ parse_event.message.parse_event.message.process.user.uid }}'
- filter: '{{ parse_event.message.process.user.uid != None }}'
+ - "{{ parse_event.message.parse_event.message.process.user.uid }}"
+ filter: "{{ parse_event.message.process.user.uid != None }}"
- set:
- process.user.name: '{{ parse_event.message.parse_event.message.process.user.name }}'
- process.parent.command_line: '{{ parse_event.message.parse_event.message.process.parent_process.cmd_line }}'
- process.parent.end: '{{ parse_event.message.parse_event.message.process.parent_process.terminated_time }}'
+ process.user.name: "{{ parse_event.message.parse_event.message.process.user.name }}"
+ process.parent.command_line: "{{ parse_event.message.parse_event.message.process.parent_process.cmd_line }}"
+ process.parent.end: "{{ parse_event.message.parse_event.message.process.parent_process.terminated_time }}"
- set:
process.parent.group.id:
- - '{{ parse_event.message.parse_event.message.process.parent_process.egid }}'
- filter: '{{ parse_event.message.process.parent_process.egid != None }}'
+ - "{{ parse_event.message.parse_event.message.process.parent_process.egid }}"
+ filter: "{{ parse_event.message.process.parent_process.egid != None }}"
- set:
process.parent.group.id:
- - '{{ parse_event.message.parse_event.message.process.parent_process.group.uid }}'
- filter: '{{ parse_event.message.process.parent_process.group.uid != None }}'
- - set:
- process.parent.group.name: '{{ parse_event.message.parse_event.message.process.parent_process.group.name }}'
- process.parent.name: '{{ parse_event.message.parse_event.message.process.parent_process.name }}'
- process.parent.pid: '{{ parse_event.message.parse_event.message.process.parent_process.pid }}'
- process.parent.start: '{{ parse_event.message.parse_event.message.process.parent_process.created_time }}'
- process.parent.thread.id: '{{ parse_event.message.parse_event.message.process.parent_process.tid }}'
- process.parent.entity_id: '{{ parse_event.message.parse_event.message.process.parent_process.uid }}'
- process.parent.user.domain: '{{ parse_event.message.parse_event.message.process.parent_process.user.domain }}'
- process.parent.user.email: '{{ parse_event.message.parse_event.message.process.parent_process.user.email_addr }}'
- process.parent.user.full_name: '{{ parse_event.message.parse_event.message.process.parent_process.user.full_name }}'
+ - "{{ parse_event.message.parse_event.message.process.parent_process.group.uid }}"
+ filter: "{{ parse_event.message.process.parent_process.group.uid != None }}"
+ - set:
+ process.parent.group.name: "{{ parse_event.message.parse_event.message.process.parent_process.group.name }}"
+ process.parent.name: "{{ parse_event.message.parse_event.message.process.parent_process.name }}"
+ process.parent.pid: "{{ parse_event.message.parse_event.message.process.parent_process.pid }}"
+ process.parent.start: "{{ parse_event.message.parse_event.message.process.parent_process.created_time }}"
+ process.parent.thread.id: "{{ parse_event.message.parse_event.message.process.parent_process.tid }}"
+ process.parent.entity_id: "{{ parse_event.message.parse_event.message.process.parent_process.uid }}"
+ process.parent.user.domain: "{{ parse_event.message.parse_event.message.process.parent_process.user.domain }}"
+ process.parent.user.email: "{{ parse_event.message.parse_event.message.process.parent_process.user.email_addr }}"
+ process.parent.user.full_name: "{{ parse_event.message.parse_event.message.process.parent_process.user.full_name }}"
- set:
process.parent.user.id:
- - '{{ parse_event.message.parse_event.message.process.parent_process.euid }}'
- filter: '{{ parse_event.message.process.parent_process.euid != None }}'
+ - "{{ parse_event.message.parse_event.message.process.parent_process.euid }}"
+ filter: "{{ parse_event.message.process.parent_process.euid != None }}"
- set:
process.parent.user.id:
- - '{{ parse_event.message.parse_event.message.process.parent_process.user.uid }}'
- filter: '{{ parse_event.message.process.parent_process.user.uid != None }}'
+ - "{{ parse_event.message.parse_event.message.process.parent_process.user.uid }}"
+ filter: "{{ parse_event.message.process.parent_process.user.uid != None }}"
- set:
- process.parent.user.name: '{{ parse_event.message.parse_event.message.process.parent_process.user.name }}'
+ process.parent.user.name: "{{ parse_event.message.parse_event.message.process.parent_process.user.name }}"
pipeline_object_proxy:
- actions: [ ]
+ actions: []
pipeline_object_tls:
actions:
- set:
- tls.cipher: '{{ parse_event.message.parse_event.message.tls.cipher }}'
- tls.client.ja3: '{{ parse_event.message.parse_event.message.tls.ja3_hash.value }}'
- tls.client.server_name: '{{ parse_event.message.parse_event.message.tls.sni }}'
- tls.client.x509.issuer.distinguished_name: '{{ parse_event.message.parse_event.message.tls.certificate.issuer }}'
- tls.client.x509.not_after: '{{ parse_event.message.parse_event.message.tls.certificate.expiration_time }}'
- tls.client.x509.serial_number: '{{ parse_event.message.parse_event.message.tls.certificate.serial_number }}'
- tls.client.x509.subject.distinguished_name: '{{ parse_event.message.parse_event.message.tls.certificate.subject }}'
- tls.client.x509.version_number: '{{ parse_event.message.parse_event.message.tls.certificate.version }}'
- tls.server.ja3s: '{{ parse_event.message.parse_event.message.tls.ja3s_hash.value }}'
- tls.version: '{{ parse_event.message.parse_event.message.tls.version }}'
+ tls.cipher: "{{ parse_event.message.parse_event.message.tls.cipher }}"
+ tls.client.ja3: "{{ parse_event.message.parse_event.message.tls.ja3_hash.value }}"
+ tls.client.server_name: "{{ parse_event.message.parse_event.message.tls.sni }}"
+ tls.client.x509.issuer.distinguished_name: "{{ parse_event.message.parse_event.message.tls.certificate.issuer }}"
+ tls.client.x509.not_after: "{{ parse_event.message.parse_event.message.tls.certificate.expiration_time }}"
+ tls.client.x509.serial_number: "{{ parse_event.message.parse_event.message.tls.certificate.serial_number }}"
+ tls.client.x509.subject.distinguished_name: "{{ parse_event.message.parse_event.message.tls.certificate.subject }}"
+ tls.client.x509.version_number: "{{ parse_event.message.parse_event.message.tls.certificate.version }}"
+ tls.server.ja3s: "{{ parse_event.message.parse_event.message.tls.ja3s_hash.value }}"
+ tls.version: "{{ parse_event.message.parse_event.message.tls.version }}"
pipeline_object_traffic:
actions:
- set:
- destination.bytes: '{{ parse_event.message.parse_event.message.traffic.bytes_in }}'
- source.bytes: '{{ parse_event.message.parse_event.message.traffic.bytes_out }}'
- destination.packets: '{{ parse_event.message.parse_event.message.traffic.packets_in }}'
- source.packets: '{{ parse_event.message.parse_event.message.traffic.packets_out }}'
- network.bytes: '{{ parse_event.message.parse_event.message.traffic.bytes }}'
- network.packets: '{{ parse_event.message.parse_event.message.traffic.packets }}'
+ destination.bytes: "{{ parse_event.message.parse_event.message.traffic.bytes_in }}"
+ source.bytes: "{{ parse_event.message.parse_event.message.traffic.bytes_out }}"
+ destination.packets: "{{ parse_event.message.parse_event.message.traffic.packets_in }}"
+ source.packets: "{{ parse_event.message.parse_event.message.traffic.packets_out }}"
+ network.bytes: "{{ parse_event.message.parse_event.message.traffic.bytes }}"
+ network.packets: "{{ parse_event.message.parse_event.message.traffic.packets }}"
pipeline_object_user:
actions:
- set:
- user.target.domain: '{{ parse_event.message.parse_event.message.user.domain }}'
- user.target.email: '{{ parse_event.message.parse_event.message.user.email_addr }}'
- user.target.full_name: '{{ parse_event.message.parse_event.message.user.full_name }}'
- user.target.id: '{{ parse_event.message.parse_event.message.user.uid }}'
- user.target.name: '{{ parse_event.message.parse_event.message.user.name }}'
+ user.target.domain: "{{ parse_event.message.parse_event.message.user.domain }}"
+ user.target.email: "{{ parse_event.message.parse_event.message.user.email_addr }}"
+ user.target.full_name: "{{ parse_event.message.parse_event.message.user.full_name }}"
+ user.target.id: "{{ parse_event.message.parse_event.message.user.uid }}"
+ user.target.name: "{{ parse_event.message.parse_event.message.user.name }}"
pipeline_object_file:
actions:
- set:
- file.accessed: '{{ parse_event.message.parse_event.message.file.accessed_time }}'
- file.created: '{{ parse_event.message.parse_event.message.file.created_time }}'
- file.directory: '{{ parse_event.message.parse_event.message.file.parent_folder }}'
- file.inode: '{{ parse_event.message.parse_event.message.file.uid }}'
- file.mime_type: '{{ parse_event.message.parse_event.message.file.mime_type }}'
- file.mtime: '{{ parse_event.message.parse_event.message.file.modified_time }}'
- file.name: '{{ parse_event.message.parse_event.message.file.name }}'
- file.owner: '{{ parse_event.message.parse_event.message.file.owner.name }}'
- file.path: '{{ parse_event.message.parse_event.message.file.path }}'
- file.size: '{{ parse_event.message.parse_event.message.file.size }}'
- file.type: '{{ parse_event.message.parse_event.message.file.type }}'
- file.uid: '{{ parse_event.message.parse_event.message.file.owner.uid }}'
- file.x509.issuer.distinguished_name: '{{ parse_event.message.parse_event.message.file.signature.certificate.issuer }}'
- file.x509.not_after: '{{ parse_event.message.parse_event.message.file.signature.certificate.expiration_time }}'
- file.x509.serial_number: '{{ parse_event.message.parse_event.message.file.signature.certificate.serial_number }}'
- file.x509.subject.distinguished_name: '{{ parse_event.message.parse_event.message.file.signature.certificate.subject }}'
- file.x509.version_number: '{{ parse_event.message.parse_event.message.file.signature.certificate.version }}'
+ file.accessed: "{{ parse_event.message.parse_event.message.file.accessed_time }}"
+ file.created: "{{ parse_event.message.parse_event.message.file.created_time }}"
+ file.directory: "{{ parse_event.message.parse_event.message.file.parent_folder }}"
+ file.inode: "{{ parse_event.message.parse_event.message.file.uid }}"
+ file.mime_type: "{{ parse_event.message.parse_event.message.file.mime_type }}"
+ file.mtime: "{{ parse_event.message.parse_event.message.file.modified_time }}"
+ file.name: "{{ parse_event.message.parse_event.message.file.name }}"
+ file.owner: "{{ parse_event.message.parse_event.message.file.owner.name }}"
+ file.path: "{{ parse_event.message.parse_event.message.file.path }}"
+ file.size: "{{ parse_event.message.parse_event.message.file.size }}"
+ file.type: "{{ parse_event.message.parse_event.message.file.type }}"
+ file.uid: "{{ parse_event.message.parse_event.message.file.owner.uid }}"
+ file.x509.issuer.distinguished_name: "{{ parse_event.message.parse_event.message.file.signature.certificate.issuer }}"
+ file.x509.not_after: "{{ parse_event.message.parse_event.message.file.signature.certificate.expiration_time }}"
+ file.x509.serial_number: "{{ parse_event.message.parse_event.message.file.signature.certificate.serial_number }}"
+ file.x509.subject.distinguished_name: "{{ parse_event.message.parse_event.message.file.signature.certificate.subject }}"
+ file.x509.version_number: "{{ parse_event.message.parse_event.message.file.signature.certificate.version }}"
pipeline_object_system_activity_helper:
actions:
- set:
- file.accessed: '{{ parse_event.message.parse_event.message.job.file.accessed_time }}'
- file.created: '{{ parse_event.message.parse_event.message.job.file.created_time }}'
- file.directory: '{{ parse_event.message.parse_event.message.job.file.parent_folder }}'
- file.inode: '{{ parse_event.message.parse_event.message.job.file.uid }}'
- file.mime_type: '{{ parse_event.message.parse_event.message.job.file.mime_type }}'
- file.mtime: '{{ parse_event.message.parse_event.message.job.file.modified_time }}'
- file.name: '{{ parse_event.message.parse_event.message.job.file.name }}'
- file.owner: '{{ parse_event.message.parse_event.message.job.file.owner.name }}'
- file.path: '{{ parse_event.message.parse_event.message.job.file.path }}'
- file.size: '{{ parse_event.message.parse_event.message.job.file.size }}'
- file.type: '{{ parse_event.message.parse_event.message.job.file.type }}'
- file.uid: '{{ parse_event.message.parse_event.message.job.file.owner.uid }}'
- file.x509.issuer.distinguished_name: '{{ parse_event.message.parse_event.message.job.file.signature.certificate.issuer }}'
- file.x509.not_after: '{{ parse_event.message.parse_event.message.job.file.signature.certificate.expiration_time }}'
- file.x509.serial_number: '{{ parse_event.message.parse_event.message.job.file.signature.certificate.serial_number }}'
- file.x509.subject.distinguished_name: '{{ parse_event.message.parse_event.message.job.file.signature.certificate.subject }}'
- file.x509.version_number: '{{ parse_event.message.parse_event.message.job.file.signature.certificate.version }}'
+ file.accessed: "{{ parse_event.message.parse_event.message.job.file.accessed_time }}"
+ file.created: "{{ parse_event.message.parse_event.message.job.file.created_time }}"
+ file.directory: "{{ parse_event.message.parse_event.message.job.file.parent_folder }}"
+ file.inode: "{{ parse_event.message.parse_event.message.job.file.uid }}"
+ file.mime_type: "{{ parse_event.message.parse_event.message.job.file.mime_type }}"
+ file.mtime: "{{ parse_event.message.parse_event.message.job.file.modified_time }}"
+ file.name: "{{ parse_event.message.parse_event.message.job.file.name }}"
+ file.owner: "{{ parse_event.message.parse_event.message.job.file.owner.name }}"
+ file.path: "{{ parse_event.message.parse_event.message.job.file.path }}"
+ file.size: "{{ parse_event.message.parse_event.message.job.file.size }}"
+ file.type: "{{ parse_event.message.parse_event.message.job.file.type }}"
+ file.uid: "{{ parse_event.message.parse_event.message.job.file.owner.uid }}"
+ file.x509.issuer.distinguished_name: "{{ parse_event.message.parse_event.message.job.file.signature.certificate.issuer }}"
+ file.x509.not_after: "{{ parse_event.message.parse_event.message.job.file.signature.certificate.expiration_time }}"
+ file.x509.serial_number: "{{ parse_event.message.parse_event.message.job.file.signature.certificate.serial_number }}"
+ file.x509.subject.distinguished_name: "{{ parse_event.message.parse_event.message.job.file.signature.certificate.subject }}"
+ file.x509.version_number: "{{ parse_event.message.parse_event.message.job.file.signature.certificate.version }}"
pipeline_category_system_activity:
actions:
- set:
- user.target.domain: '{{ parse_event.message.parse_event.message.job.user.domain }}'
- user.target.email: '{{ parse_event.message.parse_event.message.job.user.email_addr }}'
- user.target.full_name: '{{ parse_event.message.parse_event.message.job.user.full_name }}'
- user.target.id: '{{ parse_event.message.parse_event.message.job.user.uid }}'
- user.target.name: '{{ parse_event.message.parse_event.message.job.user.name }}'
- process.exit_code: '{{ parse_event.message.parse_event.message.exit_code }}'
+ user.target.domain: "{{ parse_event.message.parse_event.message.job.user.domain }}"
+ user.target.email: "{{ parse_event.message.parse_event.message.job.user.email_addr }}"
+ user.target.full_name: "{{ parse_event.message.parse_event.message.job.user.full_name }}"
+ user.target.id: "{{ parse_event.message.parse_event.message.job.user.uid }}"
+ user.target.name: "{{ parse_event.message.parse_event.message.job.user.name }}"
+ process.exit_code: "{{ parse_event.message.parse_event.message.exit_code }}"
pipeline_category_findings:
actions:
- set:
- event.reference: '{{ parse_event.message.parse_event.message.finding.src_url }}'
- event.risk_score: '{{ 
parse_event.message.parse_event.message.risk_score }}' + event.reference: "{{ parse_event.message.parse_event.message.finding.src_url }}" + event.risk_score: "{{ parse_event.message.parse_event.message.risk_score }}" pipeline_category_identity_and_access_management: actions: - set: - user.changes.domain: '{{ parse_event.message.parse_event.message.user_result.domain }}' - user.changes.email: '{{ parse_event.message.parse_event.message.user_result.email_addr }}' - user.changes.full_name: '{{ parse_event.message.parse_event.message.user_result.full_name }}' - user.changes.id: '{{ parse_event.message.parse_event.message.user_result.uid }}' - user.changes.name: '{{ parse_event.message.parse_event.message.user_result.name }}' - service.name: '{{ parse_event.message.parse_event.message.service.name }}' - service.id: '{{ parse_event.message.parse_event.message.service.uid }}' - service.version: '{{ parse_event.message.parse_event.message.service.version }}' - group.name: '{{ parse_event.message.parse_event.message.group.name }}' - group.id: '{{ parse_event.message.parse_event.message.group.uid }}' + user.changes.domain: "{{ parse_event.message.parse_event.message.user_result.domain }}" + user.changes.email: "{{ parse_event.message.parse_event.message.user_result.email_addr }}" + user.changes.full_name: "{{ parse_event.message.parse_event.message.user_result.full_name }}" + user.changes.id: "{{ parse_event.message.parse_event.message.user_result.uid }}" + user.changes.name: "{{ parse_event.message.parse_event.message.user_result.name }}" + service.name: "{{ parse_event.message.parse_event.message.service.name }}" + service.id: "{{ parse_event.message.parse_event.message.service.uid }}" + service.version: "{{ parse_event.message.parse_event.message.service.version }}" + group.name: "{{ parse_event.message.parse_event.message.group.name }}" + group.id: "{{ parse_event.message.parse_event.message.group.uid }}" pipeline_category_network_activity: actions: - set: - 
dns.question.name: '{{ parse_event.message.parse_event.message.query.hostname }}' + dns.question.name: "{{ parse_event.message.parse_event.message.query.hostname }}" - set: dns.id: - - '{{ parse_event.message.parse_event.message.query.packet_uid }}' - filter: '{{ parse_event.message.query.packet_uid != None }}' + - "{{ parse_event.message.parse_event.message.query.packet_uid }}" + filter: "{{ parse_event.message.query.packet_uid != None }}" - set: dns.question.class: - - '{{ parse_event.message.parse_event.message.query.class }}' - filter: '{{ parse_event.message.query.class != None }}' + - "{{ parse_event.message.parse_event.message.query.class }}" + filter: "{{ parse_event.message.query.class != None }}" - set: dns.question.type: - - '{{ parse_event.message.parse_event.message.query.type }}' - filter: '{{ parse_event.message.query.type != None }}' - - set: - dns.response_code: '{{ parse_event.message.parse_event.message.rcode }}' - http.response.status_code: '{{ parse_event.message.parse_event.message.response.code }}' - http.response.body.bytes: '{{ parse_event.message.parse_event.message.http_response.length }}' - http.response.body.content: '{{ parse_event.message.parse_event.message.http_response.message }}' - observer.hostname: '{{ parse_event.message.parse_event.message.relay.hostname }}' - observer.ip: '{{ parse_event.message.parse_event.message.relay.ip }}' - observer.mac: '{{ parse_event.message.parse_event.message.relay.mac }}' - observer.name: '{{ parse_event.message.parse_event.message.relay.name }}' - observer.type: '{{ parse_event.message.parse_event.message.relay.type }}' - http.request.id: '{{ parse_event.message.parse_event.message.request.uid }}' - tls.server.certificate_chain: '{{ parse_event.message.parse_event.message.certificate_chain }}' - email.cc.address: '{{ parse_event.message.parse_event.message.email.cc }}' - email.local_id: '{{ parse_event.message.parse_event.message.email.uid }}' + - "{{ 
parse_event.message.parse_event.message.query.type }}" + filter: "{{ parse_event.message.query.type != None }}" + - set: + dns.response_code: "{{ parse_event.message.parse_event.message.rcode }}" + http.response.status_code: "{{ parse_event.message.parse_event.message.response.code }}" + http.response.body.bytes: "{{ parse_event.message.parse_event.message.http_response.length }}" + http.response.body.content: "{{ parse_event.message.parse_event.message.http_response.message }}" + observer.hostname: "{{ parse_event.message.parse_event.message.relay.hostname }}" + observer.ip: "{{ parse_event.message.parse_event.message.relay.ip }}" + observer.mac: "{{ parse_event.message.parse_event.message.relay.mac }}" + observer.name: "{{ parse_event.message.parse_event.message.relay.name }}" + observer.type: "{{ parse_event.message.parse_event.message.relay.type }}" + http.request.id: "{{ parse_event.message.parse_event.message.request.uid }}" + tls.server.certificate_chain: "{{ parse_event.message.parse_event.message.certificate_chain }}" + email.cc.address: "{{ parse_event.message.parse_event.message.email.cc }}" + email.local_id: "{{ parse_event.message.parse_event.message.email.uid }}" - set: email.from.address: - - '{{ parse_event.message.parse_event.message.email.from }}' - filter: '{{ parse_event.message.email.from != None }}' + - "{{ parse_event.message.parse_event.message.email.from }}" + filter: "{{ parse_event.message.email.from != None }}" - set: - email.message_id: '{{ parse_event.message.parse_event.message.email.message_uid }}' + email.message_id: "{{ parse_event.message.parse_event.message.email.message_uid }}" - set: email.reply_to.address: - - '{{ parse_event.message.parse_event.message.email.reply_to }}' - filter: '{{ parse_event.message.email.reply_to != None }}' - - set: - email.subject: '{{ parse_event.message.parse_event.message.email.subject }}' - email.to.address: '{{ parse_event.message.parse_event.message.email.to }}' - email.local_id: '{{ 
parse_event.message.parse_event.message.email_uid }}' - url.query: '{{ parse_event.message.parse_event.message.url.query_string }}' - url.domain: '{{ parse_event.message.parse_event.message.url.hostname }}' - url.path: '{{ parse_event.message.parse_event.message.url.path }}' - url.port: '{{ parse_event.message.parse_event.message.url.port }}' - url.scheme: '{{ parse_event.message.parse_event.message.url.scheme }}' - url.subdomain: '{{ parse_event.message.parse_event.message.url.subdomain }}' - url.original: '{{ parse_event.message.parse_event.message.url.url_string }}' - - set: - email.attachments.file.size: '{{ parse_event.message.parse_event.message.file.size }}' - filter: '{{ parse_event.message.file.size != None and and }}' - - set: - email.attachments.file.name: '{{ parse_event.message.parse_event.message.file.name }}' - filter: '{{ parse_event.message.file.name != None and and }}' + - "{{ parse_event.message.parse_event.message.email.reply_to }}" + filter: "{{ parse_event.message.email.reply_to != None }}" + - set: + email.subject: "{{ parse_event.message.parse_event.message.email.subject }}" + email.to.address: "{{ parse_event.message.parse_event.message.email.to }}" + email.local_id: "{{ parse_event.message.parse_event.message.email_uid }}" + url.query: "{{ parse_event.message.parse_event.message.url.query_string }}" + url.domain: "{{ parse_event.message.parse_event.message.url.hostname }}" + url.path: "{{ parse_event.message.parse_event.message.url.path }}" + url.port: "{{ parse_event.message.parse_event.message.url.port }}" + url.scheme: "{{ parse_event.message.parse_event.message.url.scheme }}" + url.subdomain: "{{ parse_event.message.parse_event.message.url.subdomain }}" + url.original: "{{ parse_event.message.parse_event.message.url.url_string }}" + - set: + email.attachments.file.size: "{{ parse_event.message.parse_event.message.file.size }}" + filter: "{{ parse_event.message.file.size != None and and }}" + - set: + email.attachments.file.name: "{{ 
parse_event.message.parse_event.message.file.name }}" + filter: "{{ parse_event.message.file.name != None and and }}" pipeline_category_application_activity: actions: - set: - http.response.status_code: '{{ parse_event.message.parse_event.message.http_response.code }}' - http.response.body.bytes: '{{ parse_event.message.parse_event.message.http_response.length }}' - http.response.body.content: '{{ parse_event.message.parse_event.message.http_response.message }}' + http.response.status_code: "{{ parse_event.message.parse_event.message.http_response.code }}" + http.response.body.bytes: "{{ parse_event.message.parse_event.message.http_response.length }}" + http.response.body.content: "{{ parse_event.message.parse_event.message.http_response.message }}" pipeline_category_discovery: actions: - set: - rule.category: '{{ parse_event.message.parse_event.message.cis_benchmark_result.rule.category }}' - rule.description: '{{ parse_event.message.parse_event.message.cis_benchmark_result.rule.desc }}' - rule.name: '{{ parse_event.message.parse_event.message.cis_benchmark_result.rule.name }}' - rule.uuid: '{{ parse_event.message.parse_event.message.cis_benchmark_result.rule.uid }}' - rule.version: '{{ parse_event.message.parse_event.message.cis_benchmark_result.rule.version }}' + rule.category: "{{ parse_event.message.parse_event.message.cis_benchmark_result.rule.category }}" + rule.description: "{{ parse_event.message.parse_event.message.cis_benchmark_result.rule.desc }}" + rule.name: "{{ parse_event.message.parse_event.message.cis_benchmark_result.rule.name }}" + rule.uuid: "{{ parse_event.message.parse_event.message.cis_benchmark_result.rule.uid }}" + rule.version: "{{ parse_event.message.parse_event.message.cis_benchmark_result.rule.version }}" From 6c4144c9bea9e97f76803e7ad86ca35368783e17 Mon Sep 17 00:00:00 2001 
From: lvoloshyn-sekoia Date: Tue, 30 Jan 2024 16:23:35 +0200 Subject: [PATCH 05/34] Add dumb smart descriptions --- OCSF/ocsf/_meta/fields.yml | 1209 -------------------- OCSF/ocsf/_meta/smart-descriptions.json | 304 ++++- OCSF/ocsf/ingest/parser.yml | 5 +- OCSF/ocsf/tests/test_file_activity.json | 133 +++ OCSF/ocsf/tests/test_network_activity.json | 19 + OCSF/ocsf/tests/test_process_activity.json | 79 ++ 6 files changed, 535 insertions(+), 1214 deletions(-) create mode 100644 OCSF/ocsf/tests/test_network_activity.json diff --git a/OCSF/ocsf/_meta/fields.yml b/OCSF/ocsf/_meta/fields.yml index e69aa21b1..cfd5a51d6 100644 --- a/OCSF/ocsf/_meta/fields.yml +++ b/OCSF/ocsf/_meta/fields.yml @@ -78,12 +78,6 @@ ocsf.actor.process.auid: description: The audit user assigned at login by the audit subsystem. name: ocsf.actor.process.auid type: keyword -ocsf.actor.process.cmd_line: - description: - The full command line used to launch an application, service, process, - or job. - name: ocsf.actor.process.cmd_line - type: keyword ocsf.actor.process.container.hash.algorithm: description: The hash algorithm used to create the digital fingerprint, normalized 
@@ -101,52 +95,26 @@ ocsf.actor.process.container.hash.value: description: The digital fingerprint value. name: ocsf.actor.process.container.hash.value type: keyword -ocsf.actor.process.container.image.labels: - description: The image labels. - name: ocsf.actor.process.container.image.labels - type: keyword -ocsf.actor.process.container.image.name: - description: The image name. - name: ocsf.actor.process.container.image.name - type: keyword ocsf.actor.process.container.image.path: description: The full path to the image file. name: ocsf.actor.process.container.image.path type: keyword -ocsf.actor.process.container.image.tag: - description: The tag used by the container. It can indicate version, format, OS. - name: ocsf.actor.process.container.image.tag - type: keyword ocsf.actor.process.container.image.uid: description: The unique image ID. name: ocsf.actor.process.container.image.uid type: keyword -ocsf.actor.process.container.name: - description: The container name. - name: ocsf.actor.process.container.name - type: keyword ocsf.actor.process.container.network_driver: description: The network driver used by the container. For example, bridge, overlay, host, none, etc. name: ocsf.actor.process.container.network_driver type: keyword -ocsf.actor.process.container.orchestrator: - description: - The orchestrator managing the container, such as ECS, EKS, K8s, or - OpenShift. - name: ocsf.actor.process.container.orchestrator - type: keyword ocsf.actor.process.container.pod_uuid: description: The unique identifier of the pod (or equivalent) that the container is executing on. name: ocsf.actor.process.container.pod_uuid type: keyword -ocsf.actor.process.container.runtime: - description: The backend running the container, such as containerd or cri-o. - name: ocsf.actor.process.container.runtime - type: keyword ocsf.actor.process.container.size: description: The size of the container image. name: ocsf.actor.process.container.size 
@@ -155,32 +123,10 @@ ocsf.actor.process.container.tag: description: The tag used by the container. It can indicate version, format, OS. name: ocsf.actor.process.container.tag type: keyword -ocsf.actor.process.container.uid: - description: - The full container unique identifier for this instantiation of the - container. - name: ocsf.actor.process.container.uid - type: keyword -ocsf.actor.process.created_time: - description: The time when the process was created/started. - name: ocsf.actor.process.created_time - type: date ocsf.actor.process.created_time_dt: description: The time when the process was created/started. name: ocsf.actor.process.created_time_dt type: date -ocsf.actor.process.egid: - description: The effective group under which this process is running. - name: ocsf.actor.process.egid - type: keyword -ocsf.actor.process.euid: - description: The effective user under which this process is running. - name: ocsf.actor.process.euid - type: keyword -ocsf.actor.process.file.accessed_time: - description: The time when the file was last accessed. - name: ocsf.actor.process.file.accessed_time - type: date ocsf.actor.process.file.accessed_time_dt: description: The time when the file was last accessed. name: ocsf.actor.process.file.accessed_time_dt @@ -313,10 +259,6 @@ ocsf.actor.process.file.confidentiality_id: description: The normalized identifier of the file content confidentiality indicator. name: ocsf.actor.process.file.confidentiality_id type: keyword -ocsf.actor.process.file.created_time: - description: The time when the file was created. - name: ocsf.actor.process.file.created_time - type: date ocsf.actor.process.file.created_time_dt: description: The time when the file was created. name: ocsf.actor.process.file.created_time_dt 
@@ -456,16 +398,6 @@ ocsf.actor.process.file.is_system: description: The indication of whether the object is part of the operating system. name: ocsf.actor.process.file.is_system type: boolean -ocsf.actor.process.file.mime_type: - description: - The Multipurpose Internet Mail Extensions (MIME) type of the file, - if applicable. - name: ocsf.actor.process.file.mime_type - type: keyword -ocsf.actor.process.file.modified_time: - description: The time when the file was last modified. - name: ocsf.actor.process.file.modified_time - type: date ocsf.actor.process.file.modified_time_dt: description: The time when the file was last modified. name: ocsf.actor.process.file.modified_time_dt @@ -576,10 +508,6 @@ ocsf.actor.process.file.modifier.uid_alt: GUID or AWS user Principal ID. name: ocsf.actor.process.file.modifier.uid_alt type: keyword -ocsf.actor.process.file.name: - description: "The name of the file. For example: svchost.exe." - name: ocsf.actor.process.file.name - type: keyword ocsf.actor.process.file.owner.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.actor.process.file.owner.account.name @@ -642,10 +570,6 @@ ocsf.actor.process.file.owner.groups.uid: this is the security identifier (SID) of the group. name: ocsf.actor.process.file.owner.groups.uid type: keyword -ocsf.actor.process.file.owner.name: - description: The username. For example, janedoe1. - name: ocsf.actor.process.file.owner.name - type: keyword ocsf.actor.process.file.owner.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.actor.process.file.owner.org.name 
@@ -678,26 +602,12 @@ ocsf.actor.process.file.owner.type_id: description: The account type identifier. name: ocsf.actor.process.file.owner.type_id type: keyword -ocsf.actor.process.file.owner.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.actor.process.file.owner.uid - type: keyword ocsf.actor.process.file.owner.uid_alt: description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.actor.process.file.owner.uid_alt type: keyword -ocsf.actor.process.file.parent_folder: - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - name: ocsf.actor.process.file.parent_folder - type: keyword -ocsf.actor.process.file.path: - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - name: ocsf.actor.process.file.path - type: keyword ocsf.actor.process.file.product.feature.name: description: The name of the feature. name: ocsf.actor.process.file.product.feature.name @@ -765,10 +675,6 @@ ocsf.actor.process.file.signature.certificate.created_time_dt: description: The time when the certificate was created. name: ocsf.actor.process.file.signature.certificate.created_time_dt type: date -ocsf.actor.process.file.signature.certificate.expiration_time: - description: The expiration time of the certificate. - name: ocsf.actor.process.file.signature.certificate.expiration_time - type: date ocsf.actor.process.file.signature.certificate.expiration_time_dt: description: The expiration time of the certificate. name: ocsf.actor.process.file.signature.certificate.expiration_time_dt 
@@ -790,22 +696,6 @@ ocsf.actor.process.file.signature.certificate.fingerprints.value: description: The digital fingerprint value. name: ocsf.actor.process.file.signature.certificate.fingerprints.value type: keyword -ocsf.actor.process.file.signature.certificate.issuer: - description: The certificate issuer distinguished name. - name: ocsf.actor.process.file.signature.certificate.issuer - type: keyword -ocsf.actor.process.file.signature.certificate.serial_number: - description: The serial number of the certificate used to create the digital signature. - name: ocsf.actor.process.file.signature.certificate.serial_number - type: keyword -ocsf.actor.process.file.signature.certificate.subject: - description: The certificate subject distinguished name. - name: ocsf.actor.process.file.signature.certificate.subject - type: keyword -ocsf.actor.process.file.signature.certificate.version: - description: The certificate version. - name: ocsf.actor.process.file.signature.certificate.version - type: keyword ocsf.actor.process.file.signature.created_time: description: The time when the digital signature was created. name: ocsf.actor.process.file.signature.created_time 
@@ -835,24 +725,10 @@ ocsf.actor.process.file.signature.digest.value: description: The digital fingerprint value. name: ocsf.actor.process.file.signature.digest.value type: keyword -ocsf.actor.process.file.size: - description: The size of data, in bytes. - name: ocsf.actor.process.file.size - type: long -ocsf.actor.process.file.type: - description: The file type. - name: ocsf.actor.process.file.type - type: keyword ocsf.actor.process.file.type_id: description: The file type ID. name: ocsf.actor.process.file.type_id type: keyword -ocsf.actor.process.file.uid: - description: - The unique identifier of the file as defined by the storage system, - such the file system file ID. - name: ocsf.actor.process.file.uid - type: keyword ocsf.actor.process.file.version: description: "The file version. For example: 8.0.7601.17514." name: ocsf.actor.process.file.version @@ -867,10 +743,6 @@ ocsf.actor.process.group.desc: description: The group description. name: ocsf.actor.process.group.desc type: keyword -ocsf.actor.process.group.name: - description: The group name. - name: ocsf.actor.process.group.name - type: keyword ocsf.actor.process.group.privileges: description: The group privileges. name: ocsf.actor.process.group.privileges @@ -879,12 +751,6 @@ ocsf.actor.process.group.type: description: The type of the group or account. name: ocsf.actor.process.group.type type: keyword -ocsf.actor.process.group.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.process.group.uid - type: keyword ocsf.actor.process.integrity: description: The process integrity level, normalized to the caption of the direction_id 
@@ -905,10 +771,6 @@ ocsf.actor.process.loaded_modules: description: The list of loaded module names. name: ocsf.actor.process.loaded_modules type: keyword -ocsf.actor.process.name: - description: "The friendly name of the process, for example: Notepad++." - name: ocsf.actor.process.name - type: keyword ocsf.actor.process.namespace_pid: description: If running under a process namespace (such as in a container), the @@ -919,12 +781,6 @@ ocsf.actor.process.parent_process.auid: description: The audit user assigned at login by the audit subsystem. name: ocsf.actor.process.parent_process.auid type: keyword -ocsf.actor.process.parent_process.cmd_line: - description: - The full command line used to launch an application, service, process, - or job. - name: ocsf.actor.process.parent_process.cmd_line - type: keyword ocsf.actor.process.parent_process.container.hash.algorithm: description: The hash algorithm used to create the digital fingerprint, normalized @@ -1002,22 +858,10 @@ ocsf.actor.process.parent_process.container.uid: container. name: ocsf.actor.process.parent_process.container.uid type: keyword -ocsf.actor.process.parent_process.created_time: - description: The time when the process was created/started. - name: ocsf.actor.process.parent_process.created_time - type: date ocsf.actor.process.parent_process.created_time_dt: description: The time when the process was created/started. name: ocsf.actor.process.parent_process.created_time_dt type: date -ocsf.actor.process.parent_process.egid: - description: The effective group under which this process is running. - name: ocsf.actor.process.parent_process.egid - type: keyword -ocsf.actor.process.parent_process.euid: - description: The effective user under which this process is running. - name: ocsf.actor.process.parent_process.euid - type: keyword ocsf.actor.process.parent_process.file.accessed_time: description: The time when the file was last accessed. name: ocsf.actor.process.parent_process.file.accessed_time 
@@ -1708,10 +1552,6 @@ ocsf.actor.process.parent_process.group.desc: description: The group description. name: ocsf.actor.process.parent_process.group.desc type: keyword -ocsf.actor.process.parent_process.group.name: - description: The group name. - name: ocsf.actor.process.parent_process.group.name - type: keyword ocsf.actor.process.parent_process.group.privileges: description: The group privileges. name: ocsf.actor.process.parent_process.group.privileges @@ -1720,12 +1560,6 @@ ocsf.actor.process.parent_process.group.type: description: The type of the group or account. name: ocsf.actor.process.parent_process.group.type type: keyword -ocsf.actor.process.parent_process.group.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.process.parent_process.group.uid - type: keyword ocsf.actor.process.parent_process.integrity: description: The process integrity level, normalized to the caption of the direction_id @@ -1746,10 +1580,6 @@ ocsf.actor.process.parent_process.loaded_modules: description: The list of loaded module names. name: ocsf.actor.process.parent_process.loaded_modules type: keyword -ocsf.actor.process.parent_process.name: - description: "The friendly name of the process, for example: Notepad++." - name: ocsf.actor.process.parent_process.name - type: keyword ocsf.actor.process.parent_process.namespace_pid: description: If running under a process namespace (such as in a container), the 
@@ -1766,13 +1596,6 @@ ocsf.actor.process.parent_process.parent_process_keyword: description: "" name: ocsf.actor.process.parent_process.parent_process_keyword type: keyword -ocsf.actor.process.parent_process.pid: - description: - The process identifier, as reported by the operating system. Process - ID (PID) is a number used by the operating system to uniquely identify an active - process. - name: ocsf.actor.process.parent_process.pid - type: long ocsf.actor.process.parent_process.sandbox: description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, @@ -1821,26 +1644,10 @@ ocsf.actor.process.parent_process.session.uuid: description: The universally unique identifier of the session. name: ocsf.actor.process.parent_process.session.uuid type: keyword -ocsf.actor.process.parent_process.terminated_time: - description: The time when the process was terminated. - name: ocsf.actor.process.parent_process.terminated_time - type: date ocsf.actor.process.parent_process.terminated_time_dt: description: The time when the process was terminated. name: ocsf.actor.process.parent_process.terminated_time_dt type: date -ocsf.actor.process.parent_process.tid: - description: - The Identifier of the thread associated with the event, as returned - by the operating system. - name: ocsf.actor.process.parent_process.tid - type: long -ocsf.actor.process.parent_process.uid: - description: - A unique identifier for this process assigned by the producer (tool). - Facilitates correlation of a process event with other events for that process. - name: ocsf.actor.process.parent_process.uid - type: keyword ocsf.actor.process.parent_process.user.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.actor.process.parent_process.user.account.name 
@@ -1865,22 +1672,6 @@ ocsf.actor.process.parent_process.user.credential_uid: Key ID. name: ocsf.actor.process.parent_process.user.credential_uid type: keyword -ocsf.actor.process.parent_process.user.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.actor.process.parent_process.user.domain - type: keyword -ocsf.actor.process.parent_process.user.email_addr: - description: The user's email address. - name: ocsf.actor.process.parent_process.user.email_addr - type: keyword -ocsf.actor.process.parent_process.user.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.actor.process.parent_process.user.full_name - type: keyword ocsf.actor.process.parent_process.user.groups.desc: description: The group description. name: ocsf.actor.process.parent_process.user.groups.desc @@ -1903,10 +1694,6 @@ ocsf.actor.process.parent_process.user.groups.uid: this is the security identifier (SID) of the group. name: ocsf.actor.process.parent_process.user.groups.uid type: keyword -ocsf.actor.process.parent_process.user.name: - description: The username. For example, janedoe1. - name: ocsf.actor.process.parent_process.user.name - type: keyword ocsf.actor.process.parent_process.user.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.actor.process.parent_process.user.org.name @@ -1937,12 +1724,6 @@ ocsf.actor.process.parent_process.user.type_id: description: The account type identifier. name: ocsf.actor.process.parent_process.user.type_id type: keyword -ocsf.actor.process.parent_process.user.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.actor.process.parent_process.user.uid - type: keyword ocsf.actor.process.parent_process.user.uid_alt: description: The alternate user identifier. For example, the Active Directory user 
@@ -1955,13 +1736,6 @@ ocsf.actor.process.parent_process.xattributes:
 a process extended attribute.
 name: ocsf.actor.process.parent_process.xattributes
 type: flattened
-ocsf.actor.process.pid:
- description:
- The process identifier, as reported by the operating system. Process
- ID (PID) is a number used by the operating system to uniquely identify an active
- process.
- name: ocsf.actor.process.pid
- type: long
 ocsf.actor.process.sandbox:
 description:
 The name of the containment jail (i.e., sandbox). For example, hardened_ps,
@@ -2010,26 +1784,10 @@ ocsf.actor.process.session.uuid:
 description: The universally unique identifier of the session.
 name: ocsf.actor.process.session.uuid
 type: keyword
-ocsf.actor.process.terminated_time:
- description: The time when the process was terminated.
- name: ocsf.actor.process.terminated_time
- type: date
 ocsf.actor.process.terminated_time_dt:
 description: The time when the process was terminated.
 name: ocsf.actor.process.terminated_time_dt
 type: date
-ocsf.actor.process.tid:
- description:
- The Identifier of the thread associated with the event, as returned
- by the operating system.
- name: ocsf.actor.process.tid
- type: long
-ocsf.actor.process.uid:
- description:
- A unique identifier for this process assigned by the producer (tool).
- Facilitates correlation of a process event with other events for that process.
- name: ocsf.actor.process.uid
- type: keyword
 ocsf.actor.process.user.account.name:
 description: The name of the account (e.g. GCP Account Name).
 name: ocsf.actor.process.user.account.name
@@ -2054,22 +1812,6 @@ ocsf.actor.process.user.credential_uid:
 Key ID.
 name: ocsf.actor.process.user.credential_uid
 type: keyword
-ocsf.actor.process.user.domain:
- description:
- "The domain where the user is defined. For example: the LDAP or Active
- Directory domain."
- name: ocsf.actor.process.user.domain
- type: keyword
-ocsf.actor.process.user.email_addr:
- description: The user's email address.
- name: ocsf.actor.process.user.email_addr
- type: keyword
-ocsf.actor.process.user.full_name:
- description:
- The full name of the person, as per the LDAP Common Name attribute
- (cn).
- name: ocsf.actor.process.user.full_name
- type: keyword
 ocsf.actor.process.user.groups.desc:
 description: The group description.
 name: ocsf.actor.process.user.groups.desc
@@ -2092,10 +1834,6 @@ ocsf.actor.process.user.groups.uid:
 this is the security identifier (SID) of the group.
 name: ocsf.actor.process.user.groups.uid
 type: keyword
-ocsf.actor.process.user.name:
- description: The username. For example, janedoe1.
- name: ocsf.actor.process.user.name
- type: keyword
 ocsf.actor.process.user.org.name:
 description: The name of the organization. For example, Widget, Inc.
 name: ocsf.actor.process.user.org.name
@@ -2126,12 +1864,6 @@ ocsf.actor.process.user.type_id:
 description: The account type identifier.
 name: ocsf.actor.process.user.type_id
 type: keyword
-ocsf.actor.process.user.uid:
- description:
- The unique user identifier. For example, the Windows user SID, ActiveDirectory
- DN or AWS user ARN.
- name: ocsf.actor.process.user.uid
- type: keyword
 ocsf.actor.process.user.uid_alt:
 description:
 The alternate user identifier. For example, the Active Directory user
@@ -2210,22 +1942,6 @@ ocsf.actor.user.credential_uid:
 Key ID.
 name: ocsf.actor.user.credential_uid
 type: keyword
-ocsf.actor.user.domain:
- description:
- "The domain where the user is defined. For example: the LDAP or Active
- Directory domain."
- name: ocsf.actor.user.domain
- type: keyword
-ocsf.actor.user.email_addr:
- description: The user's email address.
- name: ocsf.actor.user.email_addr
- type: keyword
-ocsf.actor.user.full_name:
- description:
- The full name of the person, as per the LDAP Common Name attribute
- (cn).
- name: ocsf.actor.user.full_name
- type: keyword
 ocsf.actor.user.groups.desc:
 description: The group description.
 name: ocsf.actor.user.groups.desc
@@ -2248,10 +1964,6 @@ ocsf.actor.user.groups.uid:
 this is the security identifier (SID) of the group.
 name: ocsf.actor.user.groups.uid
 type: keyword
-ocsf.actor.user.name:
- description: The username. For example, janedoe1.
- name: ocsf.actor.user.name
- type: keyword
 ocsf.actor.user.org.name:
 description: The name of the organization. For example, Widget, Inc.
 name: ocsf.actor.user.org.name
@@ -2282,12 +1994,6 @@ ocsf.actor.user.type_id:
 description: The account type identifier.
 name: ocsf.actor.user.type_id
 type: keyword
-ocsf.actor.user.uid:
- description:
- The unique user identifier. For example, the Windows user SID, ActiveDirectory
- DN or AWS user ARN.
- name: ocsf.actor.user.uid
- type: keyword
 ocsf.actor.user.uid_alt:
 description:
 The alternate user identifier. For example, the Active Directory user
@@ -2619,10 +2325,6 @@ ocsf.certificate.version:
 description: The certificate version.
 name: ocsf.certificate.version
 type: keyword
-ocsf.certificate_chain:
- description: The list of observed certificates in an RDP TLS connection.
- name: ocsf.certificate_chain
- type: keyword
 ocsf.cis_benchmark_result.desc:
 description: The CIS benchmark description.
 name: ocsf.cis_benchmark_result.desc
@@ -2639,30 +2341,10 @@ ocsf.cis_benchmark_result.remediation.kb_articles:
 description: The KB article/s related to the entity.
 name: ocsf.cis_benchmark_result.remediation.kb_articles
 type: keyword
-ocsf.cis_benchmark_result.rule.category:
- description: The rule category.
- name: ocsf.cis_benchmark_result.rule.category
- type: keyword
-ocsf.cis_benchmark_result.rule.desc:
- description: The description of the rule that generated the event.
- name: ocsf.cis_benchmark_result.rule.desc
- type: keyword
-ocsf.cis_benchmark_result.rule.name:
- description: The name of the rule that generated the event.
- name: ocsf.cis_benchmark_result.rule.name
- type: keyword
 ocsf.cis_benchmark_result.rule.type:
 description: The rule type.
 name: ocsf.cis_benchmark_result.rule.type
 type: keyword
-ocsf.cis_benchmark_result.rule.uid:
- description: The unique identifier of the rule that generated the event.
- name: ocsf.cis_benchmark_result.rule.uid
- type: keyword
-ocsf.cis_benchmark_result.rule.version:
- description: The rule version.
- name: ocsf.cis_benchmark_result.rule.version
- type: keyword
 ocsf.cis_csc.control:
 description: The CIS critical security control.
 name: ocsf.cis_csc.control
@@ -2710,10 +2392,6 @@ ocsf.client_hassh.fingerprint.value:
 description: The digital fingerprint value.
 name: ocsf.client_hassh.fingerprint.value
 type: keyword
-ocsf.cloud.account.name:
- description: The name of the account (e.g. GCP Account Name).
- name: ocsf.cloud.account.name
- type: keyword
 ocsf.cloud.account.type:
 description:
 The account type, normalized to the caption of 'account_type_id'. In
@@ -2724,10 +2402,6 @@ ocsf.cloud.account.type_id:
 description: The normalized account type identifier.
 name: ocsf.cloud.account.type_id
 type: keyword
-ocsf.cloud.account.uid:
- description: The unique identifier of the account (e.g. AWS Account ID).
- name: ocsf.cloud.account.uid
- type: keyword
 ocsf.cloud.org.name:
 description: The name of the organization. For example, Widget, Inc.
 name: ocsf.cloud.org.name
@@ -2750,26 +2424,6 @@ ocsf.cloud.org.uid:
 Directory or AWS Org ID.
 name: ocsf.cloud.org.uid
 type: keyword
-ocsf.cloud.project_uid:
- description: The unique identifier of a Cloud project.
- name: ocsf.cloud.project_uid
- type: keyword
-ocsf.cloud.provider:
- description:
- The unique name of the Cloud services provider, such as AWS, MS Azure,
- GCP, etc.
- name: ocsf.cloud.provider
- type: keyword
-ocsf.cloud.region:
- description: The name of the cloud region, as defined by the cloud provider.
- name: ocsf.cloud.region
- type: keyword
-ocsf.cloud.zone:
- description:
- The availability zone in the cloud region, as defined by the cloud
- provider.
- name: ocsf.cloud.zone
- type: keyword
 ocsf.codes:
 description: The list of return codes to the FTP command.
 name: ocsf.codes
@@ -2855,23 +2509,6 @@ ocsf.connection_info.direction_id:
 traffic, or email.
 name: ocsf.connection_info.direction_id
 type: keyword
-ocsf.connection_info.protocol_name:
- description:
- "The TCP/IP protocol name in lowercase, as defined by the Internet
- Assigned Numbers Authority (IANA). See Protocol Numbers. For example: tcp or udp."
- name: ocsf.connection_info.protocol_name
- type: keyword
-ocsf.connection_info.protocol_num:
- description:
- "The TCP/IP protocol number, as defined by the Internet Assigned Numbers
- Authority (IANA). Use -1 if the protocol is not defined by IANA. See Protocol
- Numbers. For example: 6 for TCP and 17 for UDP."
- name: ocsf.connection_info.protocol_num
- type: keyword
-ocsf.connection_info.protocol_ver:
- description: The Internet Protocol version.
- name: ocsf.connection_info.protocol_ver
- type: keyword
 ocsf.connection_info.protocol_ver_id:
 description: The Internet Protocol version identifier.
 name: ocsf.connection_info.protocol_ver_id
@@ -2956,10 +2593,6 @@ ocsf.device.desc:
 system.
 name: ocsf.device.desc
 type: keyword
-ocsf.device.domain:
- description: "The network domain where the device resides. For example: work.example.com."
- name: ocsf.device.domain
- type: keyword
 ocsf.device.first_seen_time:
 description: The initial discovery time of the device.
 name: ocsf.device.first_seen_time
@@ -2990,10 +2623,6 @@ ocsf.device.groups.uid:
 this is the security identifier (SID) of the group.
 name: ocsf.device.groups.uid
 type: keyword
-ocsf.device.hostname:
- description: The devicename.
- name: ocsf.device.hostname
- type: keyword
 ocsf.device.hw_info.bios_date:
 description: "The BIOS date. For example: 03/31/16."
 name: ocsf.device.hw_info.bios_date
@@ -3128,10 +2757,6 @@ ocsf.device.interface_uid:
 description: The unique identifier of the network interface.
 name: ocsf.device.interface_uid
 type: keyword
-ocsf.device.ip:
- description: The device IP address, in either IPv4 or IPv6 format.
- name: ocsf.device.ip
- type: ip
 ocsf.device.is_compliant:
 description: The event occurred on a compliant device.
 name: ocsf.device.is_compliant
@@ -3156,30 +2781,6 @@ ocsf.device.last_seen_time_dt:
 description: The most recent discovery time of the device.
 name: ocsf.device.last_seen_time_dt
 type: date
-ocsf.device.location.city:
- description: The name of the city.
- name: ocsf.device.location.city
- type: keyword
-ocsf.device.location.continent:
- description: The name of the continent.
- name: ocsf.device.location.continent
- type: keyword
-ocsf.device.location.coordinates:
- description:
- A two-element array, containing a longitude/latitude pair. The format
- conforms with GeoJSON.
- name: ocsf.device.location.coordinates
- type: geo_point
-ocsf.device.location.country:
- description:
- The ISO 3166-1 Alpha-2 country code. For the complete list of country
- codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
- name: ocsf.device.location.country
- type: keyword
-ocsf.device.location.desc:
- description: The description of the geographical location.
- name: ocsf.device.location.desc
- type: keyword
 ocsf.device.location.is_on_premises:
 description: The indication of whether the location is on premises.
 name: ocsf.device.location.is_on_premises
@@ -3188,25 +2789,10 @@ ocsf.device.location.isp:
 description: The name of the Internet Service Provider (ISP).
 name: ocsf.device.location.isp
 type: keyword
-ocsf.device.location.postal_code:
- description: The postal code of the location.
- name: ocsf.device.location.postal_code
- type: keyword
 ocsf.device.location.provider:
 description: The provider of the geographical location data.
 name: ocsf.device.location.provider
 type: keyword
-ocsf.device.location.region:
- description:
- The alphanumeric code that identifies the principal subdivision (e.g.
- province or state) of the country. Region codes are defined at ISO 3166-2 and
- have a limit of three characters. For example, see the region codes for the US.
- name: ocsf.device.location.region
- type: keyword
-ocsf.device.mac:
- description: The device Media Access Control (MAC) address.
- name: ocsf.device.mac
- type: keyword
 ocsf.device.modified_time:
 description: The time when the device was last known to have been modified.
 name: ocsf.device.modified_time
@@ -3215,13 +2801,6 @@ ocsf.device.modified_time_dt:
 description: The time when the device was last known to have been modified.
 name: ocsf.device.modified_time_dt
 type: date
-ocsf.device.name:
- description:
- The alternate device name, ordinarily as assigned by an administrator.
- The Name could be any other string that helps to identify the device, such as
- a phone number; for example 310-555-1234.
- name: ocsf.device.name
- type: keyword
 ocsf.device.network_interfaces.hostname:
 description: The hostname associated with the network interface.
 name: ocsf.device.network_interfaces.hostname
@@ -3285,10 +2864,6 @@ ocsf.device.org.uid:
 Directory or AWS Org ID.
 name: ocsf.device.org.uid
 type: keyword
-ocsf.device.os.build:
- description: The operating system build number.
- name: ocsf.device.os.build
- type: keyword
 ocsf.device.os.country:
 description:
 The operating system country code, as defined by the ISO 3166-1 standard
@@ -3310,10 +2885,6 @@ ocsf.device.os.lang:
 description: The two letter lower case language codes, as defined by ISO 639-1.
 name: ocsf.device.os.lang
 type: keyword
-ocsf.device.os.name:
- description: The operating system name.
- name: ocsf.device.os.name
- type: keyword
 ocsf.device.os.sp_name:
 description: The name of the latest Service Pack.
 name: ocsf.device.os.sp_name
@@ -3342,20 +2913,10 @@ ocsf.device.region:
 Region.
 name: ocsf.device.region
 type: keyword
-ocsf.device.risk_level:
- description:
- The risk level, normalized to the caption of the risk_level_id value.
- In the case of 'Other', it is defined by the event source.
- name: ocsf.device.risk_level
- type: keyword
 ocsf.device.risk_level_id:
 description: The normalized risk level id.
 name: ocsf.device.risk_level_id
 type: keyword
-ocsf.device.risk_score:
- description: The risk score as reported by the event source.
- name: ocsf.device.risk_score
- type: long
 ocsf.device.subnet:
 description: The subnet mask.
 name: ocsf.device.subnet
@@ -3364,32 +2925,16 @@ ocsf.device.subnet_uid:
 description: The unique identifier of a virtual subnet.
 name: ocsf.device.subnet_uid
 type: keyword
-ocsf.device.type:
- description:
- The device type. For example, unknown, server, desktop, laptop, tablet,
- mobile, virtual, browser, or other.
- name: ocsf.device.type
- type: keyword
 ocsf.device.type_id:
 description: The device type ID.
 name: ocsf.device.type_id
 type: keyword
-ocsf.device.uid:
- description:
- The unique identifier of the device. For example the Windows TargetSID
- or AWS EC2 ARN.
- name: ocsf.device.uid
- type: keyword
 ocsf.device.uid_alt:
 description:
 The alternate user identifier. For example, the Active Directory user
 GUID or AWS user Principal ID.
 name: ocsf.device.uid_alt
 type: keyword
-ocsf.device.vlan_uid:
- description: The Virtual LAN identifier.
- name: ocsf.device.vlan_uid
- type: keyword
 ocsf.device.vpc_uid:
 description: The unique identifier of the Virtual Private Cloud (VPC).
 name: ocsf.device.vpc_uid
@@ -3419,10 +2964,6 @@ ocsf.disposition_id:
 security product.
 name: ocsf.disposition_id
 type: keyword
-ocsf.driver.file.accessed_time:
- description: The time when the file was last accessed.
- name: ocsf.driver.file.accessed_time
- type: date
 ocsf.driver.file.accessed_time_dt:
 description: The time when the file was last accessed.
 name: ocsf.driver.file.accessed_time_dt
@@ -3555,10 +3096,6 @@ ocsf.driver.file.confidentiality_id:
 description: The normalized identifier of the file content confidentiality indicator.
 name: ocsf.driver.file.confidentiality_id
 type: keyword
-ocsf.driver.file.created_time:
- description: The time when the file was created.
- name: ocsf.driver.file.created_time
- type: date
 ocsf.driver.file.created_time_dt:
 description: The time when the file was created.
 name: ocsf.driver.file.created_time_dt
@@ -3698,16 +3235,6 @@ ocsf.driver.file.is_system:
 description: The indication of whether the object is part of the operating system.
 name: ocsf.driver.file.is_system
 type: boolean
-ocsf.driver.file.mime_type:
- description:
- The Multipurpose Internet Mail Extensions (MIME) type of the file,
- if applicable.
- name: ocsf.driver.file.mime_type
- type: keyword
-ocsf.driver.file.modified_time:
- description: The time when the file was last modified.
- name: ocsf.driver.file.modified_time
- type: date
 ocsf.driver.file.modified_time_dt:
 description: The time when the file was last modified.
 name: ocsf.driver.file.modified_time_dt
@@ -3820,10 +3347,6 @@ ocsf.driver.file.modifier.uid_alt:
 GUID or AWS user Principal ID.
 name: ocsf.driver.file.modifier.uid_alt
 type: keyword
-ocsf.driver.file.name:
- description: "The name of the file. For example: svchost.exe."
- name: ocsf.driver.file.name
- type: keyword
 ocsf.driver.file.owner.account.name:
 description: The name of the account (e.g. GCP Account Name).
 name: ocsf.driver.file.owner.account.name
@@ -3886,10 +3409,6 @@ ocsf.driver.file.owner.groups.uid:
 this is the security identifier (SID) of the group.
 name: ocsf.driver.file.owner.groups.uid
 type: keyword
-ocsf.driver.file.owner.name:
- description: The username. For example, janedoe1.
- name: ocsf.driver.file.owner.name
- type: keyword
 ocsf.driver.file.owner.org.name:
 description: The name of the organization. For example, Widget, Inc.
 name: ocsf.driver.file.owner.org.name
@@ -3920,26 +3439,12 @@ ocsf.driver.file.owner.type_id:
 description: The account type identifier.
 name: ocsf.driver.file.owner.type_id
 type: keyword
-ocsf.driver.file.owner.uid:
- description:
- The unique user identifier. For example, the Windows user SID, ActiveDirectory
- DN or AWS user ARN.
- name: ocsf.driver.file.owner.uid
- type: keyword
 ocsf.driver.file.owner.uid_alt:
 description:
 The alternate user identifier. For example, the Active Directory user
 GUID or AWS user Principal ID.
 name: ocsf.driver.file.owner.uid_alt
 type: keyword
-ocsf.driver.file.parent_folder:
- description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
- name: ocsf.driver.file.parent_folder
- type: keyword
-ocsf.driver.file.path:
- description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
- name: ocsf.driver.file.path
- type: keyword
 ocsf.driver.file.product.feature.name:
 description: The name of the feature.
 name: ocsf.driver.file.product.feature.name
@@ -4003,10 +3508,6 @@ ocsf.driver.file.signature.certificate.created_time_dt:
 description: The time when the certificate was created.
 name: ocsf.driver.file.signature.certificate.created_time_dt
 type: date
-ocsf.driver.file.signature.certificate.expiration_time:
- description: The expiration time of the certificate.
- name: ocsf.driver.file.signature.certificate.expiration_time
- type: date
 ocsf.driver.file.signature.certificate.expiration_time_dt:
 description: The expiration time of the certificate.
 name: ocsf.driver.file.signature.certificate.expiration_time_dt
@@ -4028,22 +3529,6 @@ ocsf.driver.file.signature.certificate.fingerprints.value:
 description: The digital fingerprint value.
 name: ocsf.driver.file.signature.certificate.fingerprints.value
 type: keyword
-ocsf.driver.file.signature.certificate.issuer:
- description: The certificate issuer distinguished name.
- name: ocsf.driver.file.signature.certificate.issuer
- type: keyword
-ocsf.driver.file.signature.certificate.serial_number:
- description: The serial number of the certificate used to create the digital signature.
- name: ocsf.driver.file.signature.certificate.serial_number
- type: keyword
-ocsf.driver.file.signature.certificate.subject:
- description: The certificate subject distinguished name.
- name: ocsf.driver.file.signature.certificate.subject
- type: keyword
-ocsf.driver.file.signature.certificate.version:
- description: The certificate version.
- name: ocsf.driver.file.signature.certificate.version
- type: keyword
 ocsf.driver.file.signature.created_time:
 description: The time when the digital signature was created.
 name: ocsf.driver.file.signature.created_time
@@ -4073,24 +3558,10 @@ ocsf.driver.file.signature.digest.value:
 description: The digital fingerprint value.
 name: ocsf.driver.file.signature.digest.value
 type: keyword
-ocsf.driver.file.size:
- description: The size of data, in bytes.
- name: ocsf.driver.file.size
- type: long
-ocsf.driver.file.type:
- description: The file type.
- name: ocsf.driver.file.type
- type: keyword
 ocsf.driver.file.type_id:
 description: The file type ID.
 name: ocsf.driver.file.type_id
 type: keyword
-ocsf.driver.file.uid:
- description:
- The unique identifier of the file as defined by the storage system,
- such the file system file ID.
- name: ocsf.driver.file.uid
- type: keyword
 ocsf.driver.file.version:
 description: "The file version. For example: 8.0.7601.17514."
 name: ocsf.driver.file.version
@@ -4101,14 +3572,6 @@ ocsf.driver.file.xattributes:
 pair represents a file or folder extended attribute.
 name: ocsf.driver.file.xattributes
 type: flattened
-ocsf.dst_endpoint.domain:
- description: The name of the domain.
- name: ocsf.dst_endpoint.domain
- type: keyword
-ocsf.dst_endpoint.hostname:
- description: The fully qualified name of the endpoint.
- name: ocsf.dst_endpoint.hostname
- type: keyword
 ocsf.dst_endpoint.instance_uid:
 description: The unique identifier of a VM instance.
 name: ocsf.dst_endpoint.instance_uid
@@ -4127,34 +3590,6 @@ ocsf.dst_endpoint.intermediate_ips:
 HTTP X-Forwarded-For header.
 name: ocsf.dst_endpoint.intermediate_ips
 type: ip
-ocsf.dst_endpoint.ip:
- description: The IP address of the endpoint, in either IPv4 or IPv6 format.
- name: ocsf.dst_endpoint.ip
- type: ip
-ocsf.dst_endpoint.location.city:
- description: The name of the city.
- name: ocsf.dst_endpoint.location.city
- type: keyword
-ocsf.dst_endpoint.location.continent:
- description: The name of the continent.
- name: ocsf.dst_endpoint.location.continent
- type: keyword
-ocsf.dst_endpoint.location.coordinates:
- description:
- A two-element array, containing a longitude/latitude pair. The format
- conforms with GeoJSON.
- name: ocsf.dst_endpoint.location.coordinates
- type: geo_point
-ocsf.dst_endpoint.location.country:
- description:
- The ISO 3166-1 Alpha-2 country code. For the complete list of country
- codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
- name: ocsf.dst_endpoint.location.country
- type: keyword
-ocsf.dst_endpoint.location.desc:
- description: The description of the geographical location.
- name: ocsf.dst_endpoint.location.desc
- type: keyword
 ocsf.dst_endpoint.location.is_on_premises:
 description: The indication of whether the location is on premises.
 name: ocsf.dst_endpoint.location.is_on_premises
@@ -4163,44 +3598,18 @@ ocsf.dst_endpoint.location.isp:
 description: The name of the Internet Service Provider (ISP).
 name: ocsf.dst_endpoint.location.isp
 type: keyword
-ocsf.dst_endpoint.location.postal_code:
- description: The postal code of the location.
- name: ocsf.dst_endpoint.location.postal_code
- type: keyword
 ocsf.dst_endpoint.location.provider:
 description: The provider of the geographical location data.
 name: ocsf.dst_endpoint.location.provider
 type: keyword
-ocsf.dst_endpoint.location.region:
- description:
- The alphanumeric code that identifies the principal subdivision (e.g.
- province or state) of the country. Region codes are defined at ISO 3166-2 and
- have a limit of three characters. For example, see the region codes for the US.
- name: ocsf.dst_endpoint.location.region
- type: keyword
-ocsf.dst_endpoint.mac:
- description: The Media Access Control (MAC) address of the endpoint.
- name: ocsf.dst_endpoint.mac
- type: keyword
 ocsf.dst_endpoint.name:
 description: The short name of the endpoint.
 name: ocsf.dst_endpoint.name
 type: keyword
-ocsf.dst_endpoint.port:
- description: The port used for communication within the network connection.
- name: ocsf.dst_endpoint.port
- type: long
 ocsf.dst_endpoint.subnet_uid:
 description: The unique identifier of a virtual subnet.
 name: ocsf.dst_endpoint.subnet_uid
 type: keyword
-ocsf.dst_endpoint.svc_name:
- description:
- The service name in service-to-service connections. For example, AWS
- VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection
- is coming from or going to an AWS service.
- name: ocsf.dst_endpoint.svc_name
- type: keyword
 ocsf.dst_endpoint.uid:
 description: The unique identifier of the endpoint.
 name: ocsf.dst_endpoint.uid
@@ -4219,30 +3628,14 @@ ocsf.duration:
 covers from start_time to end_time in milliseconds.
 name: ocsf.duration
 type: long
-ocsf.email.cc:
- description: The email header Cc values, as defined by RFC 5322.
- name: ocsf.email.cc
- type: keyword
 ocsf.email.delivered_to:
 description: The Delivered-To email header field.
 name: ocsf.email.delivered_to
 type: keyword
-ocsf.email.from:
- description: The email header From values, as defined by RFC 5322.
- name: ocsf.email.from
- type: keyword
-ocsf.email.message_uid:
- description: The email header Message-Id value, as defined by RFC 5322.
- name: ocsf.email.message_uid
- type: keyword
 ocsf.email.raw_header:
 description: The email authentication header.
 name: ocsf.email.raw_header
 type: keyword
-ocsf.email.reply_to:
- description: The email header Reply-To values, as defined by RFC 5322.
- name: ocsf.email.reply_to
- type: keyword
 ocsf.email.size:
 description: The size in bytes of the email, including attachments.
 name: ocsf.email.size
@@ -4255,18 +3648,6 @@ ocsf.email.smtp_to:
 description: The value of the SMTP envelope RCPT TO command.
 name: ocsf.email.smtp_to
 type: keyword
-ocsf.email.subject:
- description: The email header Subject value, as defined by RFC 5322.
- name: ocsf.email.subject
- type: keyword
-ocsf.email.to:
- description: The email header To values, as defined by RFC 5322.
- name: ocsf.email.to
- type: keyword
-ocsf.email.uid:
- description: The email unique identifier.
- name: ocsf.email.uid
- type: keyword
 ocsf.email.x_originating_ip:
 description: The X-Originating-IP header identifying the emails originating IP address(es).
 name: ocsf.email.x_originating_ip
@@ -4307,18 +3688,6 @@ ocsf.email_auth.spf:
 description: The Sender Policy Framework (SPF) status of the email.
 name: ocsf.email_auth.spf
 type: keyword
-ocsf.email_uid:
- description:
- The unique identifier of the email, used to correlate related email
- alert and activity events.
- name: ocsf.email_uid
- type: keyword
-ocsf.end_time:
- description:
- The end time of a time period, or the time of the most recent event
- included in the aggregate event.
- name: ocsf.end_time
- type: date
 ocsf.end_time_dt:
 description:
 The end time of a time period, or the time of the most recent event
@@ -4391,13 +3760,6 @@ ocsf.evidence:
 description: The data the finding exposes to the analyst.
 name: ocsf.evidence
 type: flattened
-ocsf.exit_code:
- description:
- The exit code reported by a process when it terminates. The convention
- is that zero indicates success and any non-zero exit code indicates that some
- error occurred.
- name: ocsf.exit_code
- type: keyword
 ocsf.expiration_time:
 description: The share expiration time.
 name: ocsf.expiration_time
@@ -4406,10 +3768,6 @@ ocsf.expiration_time_dt:
 description: The share expiration time.
 name: ocsf.expiration_time_dt
 type: date
-ocsf.file.accessed_time:
- description: The time when the file was last accessed.
- name: ocsf.file.accessed_time
- type: date
 ocsf.file.accessed_time_dt:
 description: The time when the file was last accessed.
 name: ocsf.file.accessed_time_dt
@@ -4542,10 +3900,6 @@ ocsf.file.confidentiality_id:
 description: The normalized identifier of the file content confidentiality indicator.
 name: ocsf.file.confidentiality_id
 type: keyword
-ocsf.file.created_time:
- description: The time when the file was created.
- name: ocsf.file.created_time
- type: date
 ocsf.file.created_time_dt:
 description: The time when the file was created.
 name: ocsf.file.created_time_dt
@@ -4685,16 +4039,6 @@ ocsf.file.is_system:
 description: The indication of whether the object is part of the operating system.
 name: ocsf.file.is_system
 type: boolean
-ocsf.file.mime_type:
- description:
- The Multipurpose Internet Mail Extensions (MIME) type of the file,
- if applicable.
- name: ocsf.file.mime_type
- type: keyword
-ocsf.file.modified_time:
- description: The time when the file was last modified.
- name: ocsf.file.modified_time
- type: date
 ocsf.file.modified_time_dt:
 description: The time when the file was last modified.
 name: ocsf.file.modified_time_dt
@@ -4807,10 +4151,6 @@ ocsf.file.modifier.uid_alt:
 GUID or AWS user Principal ID.
 name: ocsf.file.modifier.uid_alt
 type: keyword
-ocsf.file.name:
- description: "The name of the file. For example: svchost.exe."
- name: ocsf.file.name
- type: keyword
 ocsf.file.owner.account.name:
 description: The name of the account (e.g. GCP Account Name).
 name: ocsf.file.owner.account.name
@@ -4873,10 +4213,6 @@ ocsf.file.owner.groups.uid:
 this is the security identifier (SID) of the group.
 name: ocsf.file.owner.groups.uid
 type: keyword
-ocsf.file.owner.name:
- description: The username. For example, janedoe1.
- name: ocsf.file.owner.name
- type: keyword
 ocsf.file.owner.org.name:
 description: The name of the organization. For example, Widget, Inc.
 name: ocsf.file.owner.org.name
@@ -4907,26 +4243,12 @@ ocsf.file.owner.type_id:
 description: The account type identifier.
 name: ocsf.file.owner.type_id
 type: keyword
-ocsf.file.owner.uid:
- description:
- The unique user identifier. For example, the Windows user SID, ActiveDirectory
- DN or AWS user ARN.
- name: ocsf.file.owner.uid
- type: keyword
 ocsf.file.owner.uid_alt:
 description:
 The alternate user identifier. For example, the Active Directory user
 GUID or AWS user Principal ID.
 name: ocsf.file.owner.uid_alt
 type: keyword
-ocsf.file.parent_folder:
- description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
- name: ocsf.file.parent_folder
- type: keyword
-ocsf.file.path:
- description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
- name: ocsf.file.path
- type: keyword
 ocsf.file.product.feature.name:
 description: The name of the feature.
 name: ocsf.file.product.feature.name
@@ -4994,10 +4316,6 @@ ocsf.file.signature.certificate.created_time_dt:
 description: The time when the certificate was created.
 name: ocsf.file.signature.certificate.created_time_dt
 type: date
-ocsf.file.signature.certificate.expiration_time:
- description: The expiration time of the certificate.
- name: ocsf.file.signature.certificate.expiration_time
- type: date
 ocsf.file.signature.certificate.expiration_time_dt:
 description: The expiration time of the certificate.
 name: ocsf.file.signature.certificate.expiration_time_dt
@@ -5019,22 +4337,6 @@ ocsf.file.signature.certificate.fingerprints.value:
 description: The digital fingerprint value.
 name: ocsf.file.signature.certificate.fingerprints.value
 type: keyword
-ocsf.file.signature.certificate.issuer:
- description: The certificate issuer distinguished name.
- name: ocsf.file.signature.certificate.issuer
- type: keyword
-ocsf.file.signature.certificate.serial_number:
- description: The serial number of the certificate used to create the digital signature.
- name: ocsf.file.signature.certificate.serial_number
- type: keyword
-ocsf.file.signature.certificate.subject:
- description: The certificate subject distinguished name.
- name: ocsf.file.signature.certificate.subject
- type: keyword
-ocsf.file.signature.certificate.version:
- description: The certificate version.
- name: ocsf.file.signature.certificate.version
- type: keyword
 ocsf.file.signature.created_time:
 description: The time when the digital signature was created.
 name: ocsf.file.signature.created_time
@@ -5064,24 +4366,10 @@ ocsf.file.signature.digest.value:
 description: The digital fingerprint value.
 name: ocsf.file.signature.digest.value
 type: keyword
-ocsf.file.size:
- description: The size of data, in bytes.
- name: ocsf.file.size
- type: long
-ocsf.file.type:
- description: The file type.
- name: ocsf.file.type
- type: keyword
 ocsf.file.type_id:
 description: The file type ID.
 name: ocsf.file.type_id
 type: keyword
-ocsf.file.uid:
- description:
- The unique identifier of the file as defined by the storage system,
- such the file system file ID.
- name: ocsf.file.uid
- type: keyword
 ocsf.file.version:
 description: "The file version. For example: 8.0.7601.17514."
 name: ocsf.file.version
@@ -5781,10 +5069,6 @@ ocsf.file_result.xattributes: pair represents a file or folder extended attribute. name: ocsf.file_result.xattributes type: flattened -ocsf.finding.created_time: - description: The time when the finding was created. - name: ocsf.finding.created_time - type: date ocsf.finding.created_time_dt: description: The time when the finding was created. name: ocsf.finding.created_time_dt @@ -5845,10 +5129,6 @@ ocsf.finding.remediation.kb_articles: description: The KB article/s related to the entity. name: ocsf.finding.remediation.kb_articles type: keyword -ocsf.finding.src_url: - description: The URL pointing to the source of the finding. - name: ocsf.finding.src_url - type: keyword ocsf.finding.supporting_data: description: Additional data supporting a finding as provided by security tool. name: ocsf.finding.supporting_data @@ -5869,10 +5149,6 @@ ocsf.group.desc: description: The group description. name: ocsf.group.desc type: keyword -ocsf.group.name: - description: The group name. - name: ocsf.group.name - type: keyword ocsf.group.privileges: description: The group privileges. name: ocsf.group.privileges @@ -5881,12 +5157,6 @@ ocsf.group.type: description: The type of the group or account. name: ocsf.group.type type: keyword -ocsf.group.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.group.uid - type: keyword ocsf.http_request.args: description: The arguments sent along with the HTTP request. name: ocsf.http_request.args 
@@ -5899,22 +5169,6 @@ ocsf.http_request.http_headers.value: description: The value of the header. name: ocsf.http_request.http_headers.value type: keyword -ocsf.http_request.http_method: - description: - The HTTP request method indicates the desired action to be performed - for a given resource. - name: ocsf.http_request.http_method - type: keyword -ocsf.http_request.referrer: - description: - The request header that identifies the address of the previous web - page, which is linked to the current web page or resource being requested. - name: ocsf.http_request.referrer - type: keyword -ocsf.http_request.uid: - description: The unique identifier of the http request. - name: ocsf.http_request.uid - type: keyword ocsf.http_request.url.categories: description: The Website categorization names, as defined by category_ids enum values. name: ocsf.http_request.url.categories 
@@ -5923,64 +5177,16 @@ ocsf.http_request.url.category_ids: description: The Website categorization identifies. name: ocsf.http_request.url.category_ids type: keyword -ocsf.http_request.url.hostname: - description: - The URL host as extracted from the URL. For example, www.example.com - from www.example.com/download/trouble. - name: ocsf.http_request.url.hostname - type: keyword -ocsf.http_request.url.path: - description: - The URL path as extracted from the URL. For example, /download/trouble - from www.example.com/download/trouble. - name: ocsf.http_request.url.path - type: keyword -ocsf.http_request.url.port: - description: The URL port. For example, 80. - name: ocsf.http_request.url.port - type: long -ocsf.http_request.url.query_string: - description: - The query portion of the URL. For example, the query portion of the - URL http://www.example.com/search?q=bad&sort=date is q=bad&sort=date. - name: ocsf.http_request.url.query_string - type: keyword ocsf.http_request.url.resource_type: description: The context in which a resource was retrieved in a web request. name: ocsf.http_request.url.resource_type type: keyword -ocsf.http_request.url.scheme: - description: The scheme portion of the URL. For example, http, https, ftp, or sftp. - name: ocsf.http_request.url.scheme - type: keyword -ocsf.http_request.url.subdomain: - description: - The subdomain portion of the URL. For example, sub in https://sub.example.com - or sub2.sub1 in https://sub2.sub1.example.com. - name: ocsf.http_request.url.subdomain - type: keyword -ocsf.http_request.url.url_string: - description: The URL string. See RFC 1738. For example, http://www.example.com/download/trouble.exe. - name: ocsf.http_request.url.url_string - type: keyword -ocsf.http_request.user_agent: - description: The request header that identifies the operating system and web browser. - name: ocsf.http_request.user_agent - type: keyword -ocsf.http_request.version: - description: The Hypertext Transfer Protocol (HTTP) version. 
- name: ocsf.http_request.version - type: keyword ocsf.http_request.x_forwarded_for: description: The X-Forwarded-For header identifying the originating IP address(es) of a client connecting to a web server through an HTTP proxy or a load balancer. name: ocsf.http_request.x_forwarded_for type: ip -ocsf.http_response.code: - description: The numeric code sent from the web server to the requester. - name: ocsf.http_response.code - type: long ocsf.http_response.content_type: description: The request header that identifies the original media type of the resource @@ -5991,14 +5197,6 @@ ocsf.http_response.latency: description: The HTTP response latency. In seconds, milliseconds, etc. name: ocsf.http_response.latency type: long -ocsf.http_response.length: - description: The HTTP response length, in number of bytes. - name: ocsf.http_response.length - type: long -ocsf.http_response.message: - description: The description of the event, as defined by the event source. - name: ocsf.http_response.message - type: keyword ocsf.http_response.status: description: The response status. name: ocsf.http_response.status @@ -6273,18 +5471,10 @@ ocsf.malware.uid: For example a virus id or an IPS signature id. name: ocsf.malware.uid type: keyword -ocsf.message: - description: The description of the event, as defined by the event source. - name: ocsf.message - type: keyword ocsf.metadata.correlation_uid: description: The unique identifier used to correlate events. name: ocsf.metadata.correlation_uid type: keyword -ocsf.metadata.event_code: - description: The Event ID or Code that the product uses to describe the event. - name: ocsf.metadata.event_code - type: keyword ocsf.metadata.extension.name: description: "The schema extension name. For example: dev." name: ocsf.metadata.extension.name 
@@ -6297,24 +5487,12 @@ ocsf.metadata.extension.version: description: "The schema extension version. For example: 1.0.0-alpha.2." name: ocsf.metadata.extension.version type: keyword -ocsf.metadata.labels: - description: - The list of category labels attached to the event or specific attributes. - Labels are user defined tags or aliases added at normalization time. - name: ocsf.metadata.labels - type: keyword ocsf.metadata.log_name: description: "The event log name. For example, syslog file name or Windows logging subsystem: Security." name: ocsf.metadata.log_name type: keyword -ocsf.metadata.log_provider: - description: - The logging provider or logging service that logged the event. For - example, Microsoft-Windows-Security-Auditing. - name: ocsf.metadata.log_provider - type: keyword ocsf.metadata.log_version: description: The event log schema version that specifies the format of the original @@ -6409,17 +5587,6 @@ ocsf.metadata.profiles: description: The list of profiles used to create the event. name: ocsf.metadata.profiles type: keyword -ocsf.metadata.sequence: - description: - Sequence number of the event. The sequence number is a value available - in some events, to make the exact ordering of events unambiguous, regardless of - the event time precision. - name: ocsf.metadata.sequence - type: long -ocsf.metadata.uid: - description: The logging system-assigned unique identifier of an event instance. - name: ocsf.metadata.uid - type: keyword ocsf.metadata.version: description: "The version of the OCSF schema, using Semantic Versioning Specification 
@@ -6431,10 +5598,6 @@ ocsf.module.base_address: description: The memory address where the module was loaded. name: ocsf.module.base_address type: keyword -ocsf.module.file.accessed_time: - description: The time when the file was last accessed. - name: ocsf.module.file.accessed_time - type: date ocsf.module.file.accessed_time_dt: description: The time when the file was last accessed. name: ocsf.module.file.accessed_time_dt @@ -6567,10 +5730,6 @@ ocsf.module.file.confidentiality_id: description: The normalized identifier of the file content confidentiality indicator. name: ocsf.module.file.confidentiality_id type: keyword -ocsf.module.file.created_time: - description: The time when the file was created. - name: ocsf.module.file.created_time - type: date ocsf.module.file.created_time_dt: description: The time when the file was created. name: ocsf.module.file.created_time_dt @@ -6710,16 +5869,6 @@ ocsf.module.file.is_system: description: The indication of whether the object is part of the operating system. name: ocsf.module.file.is_system type: boolean -ocsf.module.file.mime_type: - description: - The Multipurpose Internet Mail Extensions (MIME) type of the file, - if applicable. - name: ocsf.module.file.mime_type - type: keyword -ocsf.module.file.modified_time: - description: The time when the file was last modified. - name: ocsf.module.file.modified_time - type: date ocsf.module.file.modified_time_dt: description: The time when the file was last modified. name: ocsf.module.file.modified_time_dt @@ -6832,10 +5981,6 @@ ocsf.module.file.modifier.uid_alt: GUID or AWS user Principal ID. name: ocsf.module.file.modifier.uid_alt type: keyword -ocsf.module.file.name: - description: "The name of the file. For example: svchost.exe." - name: ocsf.module.file.name - type: keyword ocsf.module.file.owner.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.module.file.owner.account.name 
@@ -6898,10 +6043,6 @@ ocsf.module.file.owner.groups.uid: this is the security identifier (SID) of the group. name: ocsf.module.file.owner.groups.uid type: keyword -ocsf.module.file.owner.name: - description: The username. For example, janedoe1. - name: ocsf.module.file.owner.name - type: keyword ocsf.module.file.owner.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.module.file.owner.org.name @@ -6932,26 +6073,12 @@ ocsf.module.file.owner.type_id: description: The account type identifier. name: ocsf.module.file.owner.type_id type: keyword -ocsf.module.file.owner.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.module.file.owner.uid - type: keyword ocsf.module.file.owner.uid_alt: description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.module.file.owner.uid_alt type: keyword -ocsf.module.file.parent_folder: - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - name: ocsf.module.file.parent_folder - type: keyword -ocsf.module.file.path: - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - name: ocsf.module.file.path - type: keyword ocsf.module.file.product.feature.name: description: The name of the feature. name: ocsf.module.file.product.feature.name 
@@ -7015,10 +6142,6 @@ ocsf.module.file.signature.certificate.created_time_dt: description: The time when the certificate was created. name: ocsf.module.file.signature.certificate.created_time_dt type: date -ocsf.module.file.signature.certificate.expiration_time: - description: The expiration time of the certificate. - name: ocsf.module.file.signature.certificate.expiration_time - type: date ocsf.module.file.signature.certificate.expiration_time_dt: description: The expiration time of the certificate. name: ocsf.module.file.signature.certificate.expiration_time_dt @@ -7040,22 +6163,6 @@ ocsf.module.file.signature.certificate.fingerprints.value: description: The digital fingerprint value. name: ocsf.module.file.signature.certificate.fingerprints.value type: keyword -ocsf.module.file.signature.certificate.issuer: - description: The certificate issuer distinguished name. - name: ocsf.module.file.signature.certificate.issuer - type: keyword -ocsf.module.file.signature.certificate.serial_number: - description: The serial number of the certificate used to create the digital signature. - name: ocsf.module.file.signature.certificate.serial_number - type: keyword -ocsf.module.file.signature.certificate.subject: - description: The certificate subject distinguished name. - name: ocsf.module.file.signature.certificate.subject - type: keyword -ocsf.module.file.signature.certificate.version: - description: The certificate version. - name: ocsf.module.file.signature.certificate.version - type: keyword ocsf.module.file.signature.created_time: description: The time when the digital signature was created. name: ocsf.module.file.signature.created_time 
@@ -7085,24 +6192,10 @@ ocsf.module.file.signature.digest.value: description: The digital fingerprint value. name: ocsf.module.file.signature.digest.value type: keyword -ocsf.module.file.size: - description: The size of data, in bytes. - name: ocsf.module.file.size - type: long -ocsf.module.file.type: - description: The file type. - name: ocsf.module.file.type - type: keyword ocsf.module.file.type_id: description: The file type ID. name: ocsf.module.file.type_id type: keyword -ocsf.module.file.uid: - description: - The unique identifier of the file as defined by the storage system, - such the file system file ID. - name: ocsf.module.file.uid - type: keyword ocsf.module.file.version: description: "The file version. For example: 8.0.7601.17514." name: ocsf.module.file.version @@ -7314,16 +6407,6 @@ ocsf.proxy.vpc_uid: description: The unique identifier of the Virtual Private Cloud (VPC). name: ocsf.proxy.vpc_uid type: keyword -ocsf.query.class: - description: - "The class of resource records being queried. See RFC1035. For example: - IN." - name: ocsf.query.class - type: keyword -ocsf.query.hostname: - description: "The hostname or domain being queried. For example: www.example.com" - name: ocsf.query.hostname - type: keyword ocsf.query.opcode: description: The DNS opcode specifies the type of the query message. name: ocsf.query.opcode @@ -7332,18 +6415,6 @@ ocsf.query.opcode_id: description: The DNS opcode ID specifies the normalized query message type. name: ocsf.query.opcode_id type: keyword -ocsf.query.packet_uid: - description: - The DNS packet identifier assigned by the program that generated the - query. The identifier is copied to the response. - name: ocsf.query.packet_uid - type: keyword -ocsf.query.type: - description: - "The type of resource records being queried. See RFC1035. For example: - A, AAAA, CNAME, MX, and NS." - name: ocsf.query.type - type: keyword ocsf.query_time: description: The Domain Name System (DNS) query time. name: ocsf.query_time 
@@ -7360,32 +6431,10 @@ ocsf.raw_data_keyword: description: "" name: ocsf.raw_data_keyword type: keyword -ocsf.rcode: - description: - The DNS server response code, normalized to the caption of the rcode_id - value. In the case of 'Other', it is defined by the event source. - name: ocsf.rcode - type: keyword ocsf.rcode_id: description: The normalized identifier of the DNS server response code. name: ocsf.rcode_id type: keyword -ocsf.relay.hostname: - description: The hostname associated with the network interface. - name: ocsf.relay.hostname - type: keyword -ocsf.relay.ip: - description: The IP address associated with the network interface. - name: ocsf.relay.ip - type: ip -ocsf.relay.mac: - description: The MAC address of the network interface. - name: ocsf.relay.mac - type: keyword -ocsf.relay.name: - description: The name of the network interface. - name: ocsf.relay.name - type: keyword ocsf.relay.namespace: description: The namespace is useful in merger or acquisition situations. For example, @@ -7399,10 +6448,6 @@ ocsf.relay.subnet_prefix: individual hosts within that subnet. name: ocsf.relay.subnet_prefix type: long -ocsf.relay.type: - description: The type of network interface. - name: ocsf.relay.type - type: keyword ocsf.relay.type_id: description: The network interface type identifier. name: ocsf.relay.type_id @@ -7437,10 +6482,6 @@ ocsf.request.flags: flag_ids values. In the case of 'Other', they are defined by the event source. name: ocsf.request.flags type: date -ocsf.request.uid: - description: The unique request identifier. - name: ocsf.request.uid - type: keyword ocsf.requested_permissions: description: The permissions mask that were requested by the process. name: ocsf.requested_permissions 
@@ -7781,10 +6822,6 @@ ocsf.resources.version: description: The version of the resource. For example 1.2.3. name: ocsf.resources.version type: keyword -ocsf.response.code: - description: The numeric response sent to a request. - name: ocsf.response.code - type: long ocsf.response.error: description: Error Code. name: ocsf.response.error @@ -7821,10 +6858,6 @@ ocsf.risk_level_id: description: The normalized risk level id. name: ocsf.risk_level_id type: keyword -ocsf.risk_score: - description: The risk score as reported by the event source. - name: ocsf.risk_score - type: long ocsf.server_hassh.algorithm: description: "The concatenation of key exchange, encryption, authentication and @@ -7853,18 +6886,6 @@ ocsf.service.labels: description: The list of labels associated with the service. name: ocsf.service.labels type: keyword -ocsf.service.name: - description: The name of the service. - name: ocsf.service.name - type: keyword -ocsf.service.uid: - description: The unique identifier of the service. - name: ocsf.service.uid - type: keyword -ocsf.service.version: - description: The version of the service. - name: ocsf.service.version - type: keyword ocsf.session.created_time: description: The time when the session was created. name: ocsf.session.created_time @@ -7913,14 +6934,6 @@ ocsf.severity: In the case of 'Other', it is defined by the event source. name: ocsf.severity type: keyword -ocsf.severity_id: - description: - The normalized identifier of the event severity. The normalized severity - is a measurement the effort and expense required to manage and resolve an event - or incident. Smaller numerical values represent lower impact events, and larger - numerical values represent higher impact events. - name: ocsf.severity_id - type: long ocsf.share: description: The SMB share name. name: ocsf.share 
@@ -7943,14 +6956,6 @@ ocsf.smtp_hello: description: The value of the SMTP HELO or EHLO command sent by the initiator (client). name: ocsf.smtp_hello type: keyword -ocsf.src_endpoint.domain: - description: The name of the domain. - name: ocsf.src_endpoint.domain - type: keyword -ocsf.src_endpoint.hostname: - description: The fully qualified name of the endpoint. - name: ocsf.src_endpoint.hostname - type: keyword ocsf.src_endpoint.instance_uid: description: The unique identifier of a VM instance. name: ocsf.src_endpoint.instance_uid @@ -7969,34 +6974,6 @@ ocsf.src_endpoint.intermediate_ips: HTTP X-Forwarded-For header. name: ocsf.src_endpoint.intermediate_ips type: ip -ocsf.src_endpoint.ip: - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - name: ocsf.src_endpoint.ip - type: ip -ocsf.src_endpoint.location.city: - description: The name of the city. - name: ocsf.src_endpoint.location.city - type: keyword -ocsf.src_endpoint.location.continent: - description: The name of the continent. - name: ocsf.src_endpoint.location.continent - type: keyword -ocsf.src_endpoint.location.coordinates: - description: - A two-element array, containing a longitude/latitude pair. The format - conforms with GeoJSON. - name: ocsf.src_endpoint.location.coordinates - type: geo_point -ocsf.src_endpoint.location.country: - description: - The ISO 3166-1 Alpha-2 country code. For the complete list of country - codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - name: ocsf.src_endpoint.location.country - type: keyword -ocsf.src_endpoint.location.desc: - description: The description of the geographical location. - name: ocsf.src_endpoint.location.desc - type: keyword ocsf.src_endpoint.location.is_on_premises: description: The indication of whether the location is on premises. name: ocsf.src_endpoint.location.is_on_premises 
@@ -8005,44 +6982,18 @@ ocsf.src_endpoint.location.isp: description: The name of the Internet Service Provider (ISP). name: ocsf.src_endpoint.location.isp type: keyword -ocsf.src_endpoint.location.postal_code: - description: The postal code of the location. - name: ocsf.src_endpoint.location.postal_code - type: keyword ocsf.src_endpoint.location.provider: description: The provider of the geographical location data. name: ocsf.src_endpoint.location.provider type: keyword -ocsf.src_endpoint.location.region: - description: - The alphanumeric code that identifies the principal subdivision (e.g. - province or state) of the country. Region codes are defined at ISO 3166-2 and - have a limit of three characters. For example, see the region codes for the US. - name: ocsf.src_endpoint.location.region - type: keyword -ocsf.src_endpoint.mac: - description: The Media Access Control (MAC) address of the endpoint. - name: ocsf.src_endpoint.mac - type: keyword ocsf.src_endpoint.name: description: The short name of the endpoint. name: ocsf.src_endpoint.name type: keyword -ocsf.src_endpoint.port: - description: The port used for communication within the network connection. - name: ocsf.src_endpoint.port - type: long ocsf.src_endpoint.subnet_uid: description: The unique identifier of a virtual subnet. name: ocsf.src_endpoint.subnet_uid type: keyword -ocsf.src_endpoint.svc_name: - description: - The service name in service-to-service connections. For example, AWS - VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection - is coming from or going to an AWS service. - name: ocsf.src_endpoint.svc_name - type: keyword ocsf.src_endpoint.uid: description: The unique identifier of the endpoint. name: ocsf.src_endpoint.uid 
@@ -8055,12 +7006,6 @@ ocsf.src_endpoint.vpc_uid: description: The unique identifier of the Virtual Private Cloud (VPC). name: ocsf.src_endpoint.vpc_uid type: keyword -ocsf.start_time: - description: - The start time of a time period, or the time of the least recent event - included in the aggregate event. - name: ocsf.start_time - type: date ocsf.start_time_dt: description: The start time of a time period, or the time of the least recent event @@ -8098,10 +7043,6 @@ ocsf.status_id: description: The normalized identifier of the event status. name: ocsf.status_id type: keyword -#ocsf.time: -# description: The normalized event occurrence time. -# name: ocsf.time -# type: date ocsf.time_dt: description: The normalized event occurrence time. name: ocsf.time_dt @@ -8126,10 +7067,6 @@ ocsf.tls.certificate.created_time_dt: description: The time when the certificate was created. name: ocsf.tls.certificate.created_time_dt type: date -ocsf.tls.certificate.expiration_time: - description: The expiration time of the certificate. - name: ocsf.tls.certificate.expiration_time - type: date ocsf.tls.certificate.expiration_time_dt: description: The expiration time of the certificate. name: ocsf.tls.certificate.expiration_time_dt 
@@ -8151,38 +7088,12 @@ ocsf.tls.certificate.fingerprints.value: description: The digital fingerprint value. name: ocsf.tls.certificate.fingerprints.value type: keyword -ocsf.tls.certificate.issuer: - description: The certificate issuer distinguished name. - name: ocsf.tls.certificate.issuer - type: keyword -ocsf.tls.certificate.serial_number: - description: The serial number of the certificate used to create the digital signature. - name: ocsf.tls.certificate.serial_number - type: keyword -ocsf.tls.certificate.subject: - description: The certificate subject distinguished name. - name: ocsf.tls.certificate.subject - type: keyword -ocsf.tls.certificate.version: - description: The certificate version. - name: ocsf.tls.certificate.version - type: keyword ocsf.tls.certificate_chain: description: The Chain of Certificate Serial Numbers field provides a chain of Certificate Issuer Serial Numbers leading to the Root Certificate Issuer. name: ocsf.tls.certificate_chain type: keyword -ocsf.tls.cipher: - description: The negotiated cipher suite. - name: ocsf.tls.cipher - type: keyword -ocsf.tls.client_ciphers: - description: - The client cipher suites that were exchanged during the TLS handshake - negotiation. - name: ocsf.tls.client_ciphers - type: keyword ocsf.tls.extension_list.data: description: The data contains information specific to the particular extension @@ -8218,10 +7129,6 @@ ocsf.tls.ja3_hash.algorithm_id: create the digital fingerprint. name: ocsf.tls.ja3_hash.algorithm_id type: keyword -ocsf.tls.ja3_hash.value: - description: The digital fingerprint value. - name: ocsf.tls.ja3_hash.value - type: keyword ocsf.tls.ja3s_hash.algorithm: description: The hash algorithm used to create the digital fingerprint, normalized 
@@ -8235,10 +7142,6 @@ ocsf.tls.ja3s_hash.algorithm_id: create the digital fingerprint. name: ocsf.tls.ja3s_hash.algorithm_id type: keyword -ocsf.tls.ja3s_hash.value: - description: The digital fingerprint value. - name: ocsf.tls.ja3s_hash.value - type: keyword ocsf.tls.key_length: description: The length of the encryption key. name: ocsf.tls.key_length @@ -8257,38 +7160,6 @@ ocsf.tls.server_ciphers: negotiation. name: ocsf.tls.server_ciphers type: keyword -ocsf.tls.sni: - description: The Server Name Indication (SNI) extension sent by the client. - name: ocsf.tls.sni - type: keyword -ocsf.tls.version: - description: The TLS protocol version. - name: ocsf.tls.version - type: keyword -ocsf.traffic.bytes: - description: The total number of bytes (in and out). - name: ocsf.traffic.bytes - type: long -ocsf.traffic.bytes_in: - description: The number of bytes sent from the destination to the source. - name: ocsf.traffic.bytes_in - type: long -ocsf.traffic.bytes_out: - description: The number of bytes sent from the source to the destination. - name: ocsf.traffic.bytes_out - type: long -ocsf.traffic.packets: - description: The total number of packets (in and out). - name: ocsf.traffic.packets - type: long -ocsf.traffic.packets_in: - description: The number of packets sent from the destination to the source. - name: ocsf.traffic.packets_in - type: long -ocsf.traffic.packets_out: - description: The number of packets sent from the source to the destination. - name: ocsf.traffic.packets_out - type: long ocsf.transaction_uid: description: The unique identifier of the transaction. This is typically a random 
@@ -8329,38 +7200,10 @@ ocsf.url.category_ids: description: The Website categorization identifies. name: ocsf.url.category_ids type: keyword -ocsf.url.hostname: - description: The URL host as extracted from the URL. - name: ocsf.url.hostname - type: keyword -ocsf.url.path: - description: The URL path as extracted from the URL. - name: ocsf.url.path - type: keyword -ocsf.url.port: - description: The URL port. - name: ocsf.url.port - type: long -ocsf.url.query_string: - description: The query portion of the URL. - name: ocsf.url.query_string - type: keyword ocsf.url.resource_type: description: The context in which a resource was retrieved in a web request. name: ocsf.url.resource_type type: keyword -ocsf.url.scheme: - description: The scheme portion of the URL. - name: ocsf.url.scheme - type: keyword -ocsf.url.subdomain: - description: The subdomain portion of the URL. - name: ocsf.url.subdomain - type: keyword -ocsf.url.url_string: - description: The URL string. See RFC 1738. - name: ocsf.url.url_string - type: keyword ocsf.user.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.user.account.name @@ -8385,22 +7228,6 @@ ocsf.user.credential_uid: Key ID. name: ocsf.user.credential_uid type: keyword -ocsf.user.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.user.domain - type: keyword -ocsf.user.email_addr: - description: The user's email address. - name: ocsf.user.email_addr - type: keyword -ocsf.user.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.user.full_name - type: keyword ocsf.user.groups.desc: description: The group description. name: ocsf.user.groups.desc 
@@ -8423,10 +7250,6 @@ ocsf.user.groups.uid: this is the security identifier (SID) of the group. name: ocsf.user.groups.uid type: keyword -ocsf.user.name: - description: The username. For example, janedoe1. - name: ocsf.user.name - type: keyword ocsf.user.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.user.org.name @@ -8457,12 +7280,6 @@ ocsf.user.type_id: description: The account type identifier. name: ocsf.user.type_id type: keyword -ocsf.user.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.user.uid - type: keyword ocsf.user.uid_alt: description: The alternate user identifier. For example, the Active Directory user @@ -8493,22 +7310,6 @@ ocsf.user_result.credential_uid: Key ID. name: ocsf.user_result.credential_uid type: keyword -ocsf.user_result.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.user_result.domain - type: keyword -ocsf.user_result.email_addr: - description: The user's email address. - name: ocsf.user_result.email_addr - type: keyword -ocsf.user_result.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.user_result.full_name - type: keyword ocsf.user_result.groups.desc: description: The group description. name: ocsf.user_result.groups.desc @@ -8531,10 +7332,6 @@ ocsf.user_result.groups.uid: this is the security identifier (SID) of the group. name: ocsf.user_result.groups.uid type: keyword -ocsf.user_result.name: - description: The username. For example, janedoe1. - name: ocsf.user_result.name - type: keyword ocsf.user_result.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.user_result.org.name 
@@ -8565,12 +7362,6 @@ ocsf.user_result.type_id: description: The account type identifier. name: ocsf.user_result.type_id type: keyword -ocsf.user_result.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.user_result.uid - type: keyword ocsf.user_result.uid_alt: description: The alternate user identifier. For example, the Active Directory user diff --git a/OCSF/ocsf/_meta/smart-descriptions.json b/OCSF/ocsf/_meta/smart-descriptions.json index c44dc44f3..9e9b49d12 100644 --- a/OCSF/ocsf/_meta/smart-descriptions.json +++ b/OCSF/ocsf/_meta/smart-descriptions.json 
@@ -1,3 +1,303 @@ [ - -] \ No newline at end of file + { + "value": "File System Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 1001 + } + }, + { + "value": "Kernel Extension Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 1002 + } + }, + { + "value": "Kernel Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 1003 + } + }, + { + "value": "Memory Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 1004 + } + }, + { + "value": "Module Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 1005 + } + }, + { + "value": "Scheduled Job Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 1006 + } + }, + { + "value": "Process Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 1007 + } + }, + { + "value": "Security Finding", + "conditions": { + "field": "ocsf.category_uid", + "value": 2001 + } + }, + { + "value": "Vulnerability Finding", + "conditions": { + "field": "ocsf.category_uid", + "value": 2002 + } + }, + { + "value": "Compliance Finding", + "conditions": { + "field": "ocsf.category_uid", + "value": 2003 + } + }, + { + "value": "Detection Finding", + "conditions": { + "field": "ocsf.category_uid", + "value": 2004 + } + }, + { + "value": "Incident Finding", + "conditions": { + "field": "ocsf.category_uid", + "value": 2005 + } + }, + { + "value": "Account Change", + "conditions": { + "field": "ocsf.category_uid", + "value": 3001 + } + }, + { + "value": "Authentication", + "conditions": { + "field": "ocsf.category_uid", + "value": 3002 + } + }, + { + "value": "Authorize Session", + "conditions": { + "field": "ocsf.category_uid", + "value": 3003 + } + }, + { + "value": "Entity Management", + "conditions": { + "field": "ocsf.category_uid", + "value": 3004 + } + }, + { + "value": "User Access Management", + "conditions": { + "field": "ocsf.category_uid", + "value": 3005 + } + }, + { + "value": "Group Management", + 
"conditions": { + "field": "ocsf.category_uid", + "value": 3006 + } + }, + { + "value": "Network Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 4001 + } + }, + { + "value": "HTTP Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 4002 + } + }, + { + "value": "DNS Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 4003 + } + }, + { + "value": "DHCP Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 4004 + } + }, + { + "value": "RDP Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 4005 + } + }, + { + "value": "SMB Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 4006 + } + }, + { + "value": "SSH Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 4007 + } + }, + { + "value": "FTP Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 4008 + } + }, + { + "value": "Email Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 4009 + } + }, + { + "value": "Network File Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 4010 + } + }, + { + "value": "Email File Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 4011 + } + }, + { + "value": "Email URL Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 4012 + } + }, + { + "value": "NTP Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 4013 + } + }, + { + "value": "Device Inventory Info", + "conditions": { + "field": "ocsf.category_uid", + "value": 5001 + } + }, + { + "value": "Device Config State", + "conditions": { + "field": "ocsf.category_uid", + "value": 5002 + } + }, + { + "value": "User Inventory Info", + "conditions": { + "field": "ocsf.category_uid", + "value": 5003 + } + }, + { + "value": "Operating System Patch State", + "conditions": { + "field": "ocsf.category_uid", + "value": 5004 + } + }, + { + "value": "Device Config State Change", + 
"conditions": { + "field": "ocsf.category_uid", + "value": 5019 + } + }, + { + "value": "Web Resources Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 6001 + } + }, + { + "value": "Application Lifecycle", + "conditions": { + "field": "ocsf.category_uid", + "value": 6002 + } + }, + { + "value": "API Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 6003 + } + }, + { + "value": "Web Resource Access Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 6004 + } + }, + { + "value": "Datastore Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 6005 + } + }, + { + "value": "File Hosting Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 6006 + } + }, + { + "value": "Scan Activity", + "conditions": { + "field": "ocsf.category_uid", + "value": 6007 + } + } +] diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml index bcd30998b..e632e168d 100644 --- a/OCSF/ocsf/ingest/parser.yml +++ b/OCSF/ocsf/ingest/parser.yml @@ -368,9 +368,8 @@ stages: set_fields: actions: - [] - #- set: - #ocsf: "{{parse_event.message}}" + - set: + ocsf: "{{parse_event.message}}" #process: "{{parse_event.message.process}}" pipeline_object_actor: diff --git a/OCSF/ocsf/tests/test_file_activity.json b/OCSF/ocsf/tests/test_file_activity.json index d8c9bdbbb..ef376abd6 100644 --- a/OCSF/ocsf/tests/test_file_activity.json +++ b/OCSF/ocsf/tests/test_file_activity.json 
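Review bot: Every condition in this file tests `ocsf.category_uid` against four-digit values (1001 … 6007), but those are OCSF class identifiers: the fixtures added in the same commit carry them in `class_uid` while `category_uid` is a single digit (`"category_uid": "1"` / `"class_uid": "1001"` in test_file_activity.json, `\"category_uid\": 4` / `\"class_uid\": 4001` in test_network_activity.json), so none of these descriptions can match an event. Each entry should read `"field": "ocsf.class_uid"`. The same field name is carried unchanged into the rewrite of this file in PATCH 06/34 (the `@@ -1,303 +1,389 @@` hunk), which only wraps each condition in an array, so that hunk needs the same correction.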
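Review bot: The new `set` action copies the entire parsed message into `ocsf` with no allow-list and no type coercion, so whatever attributes and value types the producer sends land directly under the typed `ocsf.*` mapping declared in fields.yml; the test_network_activity.json fixture added in this same commit expects `parsing_error: 'AttributeError'`, which may be one symptom of that. Consider restricting the copy to the top-level OCSF attributes the mapping declares, or at least normalising identifier types before the assignment. The commented `#process: "{{parse_event.message.process}}"` line is left behind as dead configuration directly under the now-active action and should either be removed or become a real action.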
@@ -29,6 +29,139 @@ "null" ] }, + "ocsf": { + "activity_id": "10", + "activity_name": "Encrypt", + "actor": { + "invoked_by": "beat tables rising", + "process": { + "file": { + "confidentiality": "cigarettes subjects terrain", + "hashes": [ + { + "algorithm": "SHA-1", + "algorithm_id": "2", + "value": "8F489E765ADD66CEA532CA1AFF150E01610199E3" + }, + { + "algorithm": "CTPH", + "algorithm_id": "5", + "value": "98062F4DEE9A192C300D278008F1B6A2CB646B356D0DE1EFC340001AE12A69098A73CEB81AE52DA4A6D2158B11CD671482A7862402909FCB7C8588D490E677E6" + } + ], + "product": { + "lang": "en", + "name": "fr subsequent administration", + "uid": "f7977eee-a4b4-11ee-bfd5-0242ac110004", + "vendor_name": "combining concentrate gmt", + "version": "1.0.0" + }, + "type_id": "7" + }, + "lineage": [ + "legend investigated adjustments", + "sheet eligible regardless" + ], + "sandbox": "survivors launched lodging", + "user": { + "org": { + "name": "could director frankfurt", + "ou_name": "larry about arbitrary", + "uid": "f797b9fe-a4b4-11ee-a468-0242ac110004" + }, + "type": "configuration", + "type_id": "99" + } + }, + "user": { + "type": "System", + "type_id": "3" + } + }, + "category_name": "System Activity", + "category_uid": "1", + "class_name": "File System Activity", + "class_uid": "1001", + "device": { + "created_time": 1703680765007313, + "imei": "genetics half institutional", + "instance_uid": "f7980b52-a4b4-11ee-9b5a-0242ac110004", + "interface_name": "visitors fa trinity", + "interface_uid": "f798130e-a4b4-11ee-8b87-0242ac110004", + "network_interfaces": [ + { + "hostname": "overhead.mil", + "mac": "9D:F9:D3:48:CD:B9:EC:8B", + "name": "ons physically championship", + "namespace": "sociology collectible myers", + "type": "Wireless", + "type_id": "2" + } + ], + "os": { + "lang": "en", + "sp_name": "mod booth seller", + "sp_ver": "45", + "type": "HP-UX", + "type_id": "402" + }, + "region": "first universe furnishings", + "type_id": "8" + }, + "duration": 62, + "file": { + "hashes": [ + { 
+ "algorithm": "SHA-256", + "algorithm_id": "3", + "value": "90DDECE3C6BD7FFFE83AF4D6DA7D1D47BDD3BC4B8C55E4FB6014A6197DA2199E" + } + ], + "owner": { + "credential_uid": "f7982dd0-a4b4-11ee-b2ca-0242ac110004", + "type": "System", + "type_id": "3", + "uid_alt": "mud faculty coast" + }, + "product": { + "lang": "en", + "name": "opens subdivision marc", + "uid": "f79834c4-a4b4-11ee-bc9e-0242ac110004", + "url_string": "flyer", + "vendor_name": "assumes defensive pets", + "version": "1.0.0" + }, + "type_id": "2", + "version": "1.0.0" + }, + "file_diff": "remote surprise tale", + "metadata": { + "log_name": "conjunction wa alot", + "log_version": "exposure dx maui", + "logged_time": 1703680765002867, + "original_time": "postings hawaii aaa", + "product": { + "feature": { + "name": "quad back ne", + "uid": "f7976a76-a4b4-11ee-ba7c-0242ac110004", + "version": "1.0.0" + }, + "lang": "en", + "name": "cult c table", + "uid": "f7975f7c-a4b4-11ee-9e82-0242ac110004", + "vendor_name": "kazakhstan yugoslavia danish" + }, + "profiles": [], + "version": "1.0.0" + }, + "severity": "High", + "status": "jet", + "status_detail": "not jar user", + "status_id": "99", + "timezone_offset": 8, + "type_name": "File System Activity: Encrypt", + "type_uid": "100110" + }, "process": { "group": { "id": [ diff --git a/OCSF/ocsf/tests/test_network_activity.json b/OCSF/ocsf/tests/test_network_activity.json new file mode 100644 index 000000000..d1816f8f8 --- /dev/null +++ b/OCSF/ocsf/tests/test_network_activity.json 
@@ -0,0 +1,19 @@ +{ + "input": { + "message": "{\"message\": \"soup mcdonald tale\", \"status\": \"Unknown\", \"time\": 1706622672156258, \"metadata\": {\"version\": \"1.1.0\", \"extension\": {\"name\": \"kidney discusses largely\", \"version\": \"1.1.0\", \"uid\": \"a0e5dc3a-bf76-11ee-9644-0242ac110005\"}, \"product\": {\"name\": \"contributions democrats hunter\", \"version\": \"1.1.0\", \"path\": \"purchased routes a\", \"uid\": \"a0e65110-bf76-11ee-84fa-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"transit beyond forecasts\"}, \"labels\": [\"reaches\", \"douglas\"], \"profiles\": [], \"correlation_uid\": \"a0e658ea-bf76-11ee-830f-0242ac110005\", \"log_name\": \"snake mixed discovered\", \"log_provider\": \"belongs pn asylum\", \"original_time\": \"summit morrison gate\", \"tenant_uid\": \"a0e65f8e-bf76-11ee-a65b-0242ac110005\"}, \"connection_info\": {\"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 19}, \"severity\": \"Critical\", \"type_name\": \"Network Activity: Reset\", \"category_name\": \"Network Activity\", \"activity_id\": 3, \"type_uid\": 400103, \"class_uid\": 4001, \"category_uid\": 4, \"class_name\": \"Network Activity\", \"timezone_offset\": 90, \"activity_name\": \"Reset\", \"dst_endpoint\": {\"name\": \"malawi ron affect\", \"port\": 22941, \"type\": \"Tablet\", \"ip\": \"250.43.118.90\", \"uid\": \"a0e5bd9a-bf76-11ee-a3b1-0242ac110005\", \"hostname\": \"asian.com\", \"mac\": \"DA:34:54:FF:33:42:DF:C8\", \"type_id\": 4, \"instance_uid\": \"a0e5c498-bf76-11ee-b200-0242ac110005\", \"interface_name\": \"decorating obesity pushed\", \"interface_uid\": \"a0e5ca88-bf76-11ee-bfe8-0242ac110005\", \"svc_name\": \"alt directed dramatically\"}, \"severity_id\": 5, \"src_endpoint\": {\"name\": \"switch rod prominent\", \"port\": 46077, \"type\": \"Mobile\", \"domain\": \"family commented opening\", \"ip\": \"159.228.37.237\", \"uid\": \"a0e57024-bf76-11ee-9a6c-0242ac110005\", \"hostname\": \"gbp.mil\", \"type_id\": 5, 
\"instance_uid\": \"a0e583de-bf76-11ee-9957-0242ac110005\", \"interface_name\": \"military hook wagon\", \"interface_uid\": \"a0e58e6a-bf76-11ee-860b-0242ac110005\", \"svc_name\": \"estimates inclusion incorporated\"}, \"status_code\": \"apollo\", \"status_id\": 0}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"message\": \"soup mcdonald tale\", \"status\": \"Unknown\", \"time\": 1706622672156258, \"metadata\": {\"version\": \"1.1.0\", \"extension\": {\"name\": \"kidney discusses largely\", \"version\": \"1.1.0\", \"uid\": \"a0e5dc3a-bf76-11ee-9644-0242ac110005\"}, \"product\": {\"name\": \"contributions democrats hunter\", \"version\": \"1.1.0\", \"path\": \"purchased routes a\", \"uid\": \"a0e65110-bf76-11ee-84fa-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"transit beyond forecasts\"}, \"labels\": [\"reaches\", \"douglas\"], \"profiles\": [], \"correlation_uid\": \"a0e658ea-bf76-11ee-830f-0242ac110005\", \"log_name\": \"snake mixed discovered\", \"log_provider\": \"belongs pn asylum\", \"original_time\": \"summit morrison gate\", \"tenant_uid\": \"a0e65f8e-bf76-11ee-a65b-0242ac110005\"}, \"connection_info\": {\"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 19}, \"severity\": \"Critical\", \"type_name\": \"Network Activity: Reset\", \"category_name\": \"Network Activity\", \"activity_id\": 3, \"type_uid\": 400103, \"class_uid\": 4001, \"category_uid\": 4, \"class_name\": \"Network Activity\", \"timezone_offset\": 90, \"activity_name\": \"Reset\", \"dst_endpoint\": {\"name\": \"malawi ron affect\", \"port\": 22941, \"type\": \"Tablet\", \"ip\": \"250.43.118.90\", \"uid\": \"a0e5bd9a-bf76-11ee-a3b1-0242ac110005\", \"hostname\": \"asian.com\", \"mac\": \"DA:34:54:FF:33:42:DF:C8\", \"type_id\": 4, \"instance_uid\": \"a0e5c498-bf76-11ee-b200-0242ac110005\", \"interface_name\": \"decorating obesity pushed\", \"interface_uid\": 
\"a0e5ca88-bf76-11ee-bfe8-0242ac110005\", \"svc_name\": \"alt directed dramatically\"}, \"severity_id\": 5, \"src_endpoint\": {\"name\": \"switch rod prominent\", \"port\": 46077, \"type\": \"Mobile\", \"domain\": \"family commented opening\", \"ip\": \"159.228.37.237\", \"uid\": \"a0e57024-bf76-11ee-9a6c-0242ac110005\", \"hostname\": \"gbp.mil\", \"type_id\": 5, \"instance_uid\": \"a0e583de-bf76-11ee-9957-0242ac110005\", \"interface_name\": \"military hook wagon\", \"interface_uid\": \"a0e58e6a-bf76-11ee-860b-0242ac110005\", \"svc_name\": \"estimates inclusion incorporated\"}, \"status_code\": \"apollo\", \"status_id\": 0}", + "sekoiaio": { + "intake": { + "parsing_error": "'AttributeError'" + } + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_process_activity.json b/OCSF/ocsf/tests/test_process_activity.json index be3bfde98..dda3caff8 100644 --- a/OCSF/ocsf/tests/test_process_activity.json +++ b/OCSF/ocsf/tests/test_process_activity.json 
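Review bot: The `expected` block pins `"parsing_error": "'AttributeError'"` as the correct outcome for this Network Activity event, so the test only passes while the parser still crashes on it and will fail the moment the crash is fixed. A fixture should assert the parsed `ocsf` object, as test_file_activity.json and test_process_activity.json in this commit do, and the AttributeError itself should be fixed rather than recorded as expected output. Note also that `category_uid` here is the integer `4` while the other fixtures carry it as the string `"1"`, which is exactly the kind of type disagreement the mapping needs to settle before fixtures are pinned.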
@@ -27,6 +27,85 @@ "null" ] }, + "ocsf": { + "activity_id": "1", + "activity_name": "Launch", + "actor": { + "invoked_by": "montreal cisco legal", + "user": { + "type": "System", + "type_id": "3" + } + }, + "category_name": "System Activity", + "category_uid": "1", + "class_name": "Process Activity", + "class_uid": "1007", + "device": { + "instance_uid": "7b7a5902-a4b5-11ee-9f52-0242ac110004", + "interface_name": "label ok research", + "interface_uid": "7b7a649c-a4b5-11ee-89b8-0242ac110004", + "is_compliant": true, + "is_personal": false, + "modified_time": 1703680986272022, + "region": "lender scenarios lawyers", + "subnet_uid": "7b7a6abe-a4b5-11ee-974d-0242ac110004", + "type_id": "5", + "uid_alt": "fifty acres evanescence" + }, + "metadata": { + "log_name": "gpl saving steven", + "original_time": "florists alot midlands", + "product": { + "lang": "en", + "name": "satisfied believe eq", + "path": "arabic reg noise", + "uid": "7b7a2f72-a4b5-11ee-9478-0242ac110004", + "url_string": "dumb", + "vendor_name": "stunning reviewed climbing", + "version": "1.0.0" + }, + "profiles": [], + "version": "1.0.0" + }, + "process": { + "file": { + "creator": { + "groups": [ + {}, + {} + ] + }, + "signature": { + "certificate": { + "fingerprints": [ + {} + ] + } + } + }, + "parent_process": { + "file": { + "hashes": [ + {}, + {} + ] + }, + "parent_process": { + "file": { + "hashes": [ + {}, + {} + ] + } + } + } + }, + "severity": "Unknown", + "timezone_offset": 96, + "type_name": "Process Activity: Launch", + "type_uid": "100701" + }, "process": { "group": { "id": [ From 27b76842614f0cffffff70d37795be220b670187 Mon Sep 17 00:00:00 2001 
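Review bot: The expected `ocsf.process` subtree asserts arrays of empty objects — `"creator": {"groups": [{}, {}]}`, `"fingerprints": [{}]`, and `"hashes": [{}, {}]` on both parent levels — whereas the test_file_activity.json fixture in the same commit expects populated hash entries with `algorithm`, `algorithm_id` and `value`. Either the input (outside this hunk) genuinely carries empty elements, in which case the fixture tests nothing about hashes, or the nested values are lost between parsing and output, in which case the fixture pins a data-loss bug as correct. Either way the test should assert the concrete hash and group values the input contains.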
From: lvoloshyn-sekoia Date: Tue, 30 Jan 2024 17:02:16 +0200 Subject: [PATCH 06/34] Add dumb smart descriptions --- OCSF/ocsf/_meta/fields.yml | 4 +- OCSF/ocsf/_meta/smart-descriptions.json | 430 ++++++++++++--------- OCSF/ocsf/tests/test_file_activity.json | 4 +- OCSF/ocsf/tests/test_process_activity.json | 4 +- 4 files changed, 264 insertions(+), 178 deletions(-) diff --git a/OCSF/ocsf/_meta/fields.yml b/OCSF/ocsf/_meta/fields.yml index cfd5a51d6..74eb2dc1e 100644 --- a/OCSF/ocsf/_meta/fields.yml +++ b/OCSF/ocsf/_meta/fields.yml @@ -13,7 +13,7 @@ ocsf.access_mask: ocsf.activity_id: description: The normalized identifier of the activity that triggered the event. name: ocsf.activity_id - type: keyword + type: long ocsf.activity_name: description: The event activity name, as defined by the activity_id. name: ocsf.activity_name @@ -2275,7 +2275,7 @@ ocsf.category_uid: authentication, granting of authority, password change, entity change, privileged use etc. name: ocsf.category_uid - type: keyword + type: long ocsf.certificate.created_time: description: The time when the certificate was created. name: ocsf.certificate.created_time diff --git a/OCSF/ocsf/_meta/smart-descriptions.json b/OCSF/ocsf/_meta/smart-descriptions.json index 9e9b49d12..011a09e1b 100644 --- a/OCSF/ocsf/_meta/smart-descriptions.json +++ b/OCSF/ocsf/_meta/smart-descriptions.json 
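Review bot: Only `ocsf.activity_id` and `ocsf.category_uid` move from `keyword` to `long`, while the fixtures updated in the same commit still carry `"class_uid": "1007"` and `"type_uid": "100701"` as strings, so the OCSF identifier family ends up half numeric and half keyword (the `class_uid`, `type_uid`, `severity_id` and `status_id` entries are not in this hunk, so their declared types are inferred from the fixtures only). The numeric values in smart-descriptions.json presumably only compare correctly against fields typed `long`; the sibling `*_uid`/`*_id` fields should get the same `type: long` in one change rather than piecemeal. If this mapping backs an existing index, changing a field's type is normally not applied in place and needs a reindex or a new field name, which deserves a line in CHANGELOG.md.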
@@ -1,303 +1,389 @@ [ { "value": "File System Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 1001 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 1001 + } + ] }, { "value": "Kernel Extension Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 1002 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 1002 + } + ] }, { "value": "Kernel Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 1003 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 1003 + } + ] }, { "value": "Memory Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 1004 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 1004 + } + ] }, { "value": "Module Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 1005 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 1005 + } + ] }, { "value": "Scheduled Job Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 1006 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 1006 + } + ] }, { "value": "Process Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 1007 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 1007 + } + ] }, { "value": "Security Finding", - "conditions": { - "field": "ocsf.category_uid", - "value": 2001 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 2001 + } + ] }, { "value": "Vulnerability Finding", - "conditions": { - "field": "ocsf.category_uid", - "value": 2002 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 2002 + } + ] }, { "value": "Compliance Finding", - "conditions": { - "field": "ocsf.category_uid", - "value": 2003 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 2003 + } + ] }, { "value": "Detection Finding", - "conditions": { - "field": "ocsf.category_uid", - "value": 2004 - } + "conditions": [ + { + "field": 
"ocsf.category_uid", + "value": 2004 + } + ] }, { "value": "Incident Finding", - "conditions": { - "field": "ocsf.category_uid", - "value": 2005 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 2005 + } + ] }, { "value": "Account Change", - "conditions": { - "field": "ocsf.category_uid", - "value": 3001 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 3001 + } + ] }, { "value": "Authentication", - "conditions": { - "field": "ocsf.category_uid", - "value": 3002 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 3002 + } + ] }, { "value": "Authorize Session", - "conditions": { - "field": "ocsf.category_uid", - "value": 3003 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 3003 + } + ] }, { "value": "Entity Management", - "conditions": { - "field": "ocsf.category_uid", - "value": 3004 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 3004 + } + ] }, { "value": "User Access Management", - "conditions": { - "field": "ocsf.category_uid", - "value": 3005 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 3005 + } + ] }, { "value": "Group Management", - "conditions": { - "field": "ocsf.category_uid", - "value": 3006 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 3006 + } + ] }, { "value": "Network Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 4001 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 4001 + } + ] }, { "value": "HTTP Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 4002 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 4002 + } + ] }, { "value": "DNS Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 4003 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 4003 + } + ] }, { "value": "DHCP Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 4004 - } + "conditions": [ + { + "field": 
"ocsf.category_uid", + "value": 4004 + } + ] }, { "value": "RDP Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 4005 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 4005 + } + ] }, { "value": "SMB Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 4006 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 4006 + } + ] }, { "value": "SSH Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 4007 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 4007 + } + ] }, { "value": "FTP Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 4008 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 4008 + } + ] }, { "value": "Email Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 4009 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 4009 + } + ] }, { "value": "Network File Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 4010 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 4010 + } + ] }, { "value": "Email File Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 4011 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 4011 + } + ] }, { "value": "Email URL Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 4012 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 4012 + } + ] }, { "value": "NTP Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 4013 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 4013 + } + ] }, { "value": "Device Inventory Info", - "conditions": { - "field": "ocsf.category_uid", - "value": 5001 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 5001 + } + ] }, { "value": "Device Config State", - "conditions": { - "field": "ocsf.category_uid", - "value": 5002 - } + "conditions": [ + { + "field": 
"ocsf.category_uid", + "value": 5002 + } + ] }, { "value": "User Inventory Info", - "conditions": { - "field": "ocsf.category_uid", - "value": 5003 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 5003 + } + ] }, { "value": "Operating System Patch State", - "conditions": { - "field": "ocsf.category_uid", - "value": 5004 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 5004 + } + ] }, { "value": "Device Config State Change", - "conditions": { - "field": "ocsf.category_uid", - "value": 5019 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 5019 + } + ] }, { "value": "Web Resources Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 6001 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 6001 + } + ] }, { "value": "Application Lifecycle", - "conditions": { - "field": "ocsf.category_uid", - "value": 6002 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 6002 + } + ] }, { "value": "API Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 6003 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 6003 + } + ] }, { "value": "Web Resource Access Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 6004 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 6004 + } + ] }, { "value": "Datastore Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 6005 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 6005 + } + ] }, { "value": "File Hosting Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 6006 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 6006 + } + ] }, { "value": "Scan Activity", - "conditions": { - "field": "ocsf.category_uid", - "value": 6007 - } + "conditions": [ + { + "field": "ocsf.category_uid", + "value": 6007 + } + ] } ] 
diff --git a/OCSF/ocsf/tests/test_file_activity.json b/OCSF/ocsf/tests/test_file_activity.json index ef376abd6..463cd65cb 100644 --- a/OCSF/ocsf/tests/test_file_activity.json +++ b/OCSF/ocsf/tests/test_file_activity.json @@ -30,7 +30,7 @@ ] }, "ocsf": { - "activity_id": "10", + "activity_id": 10, "activity_name": "Encrypt", "actor": { "invoked_by": "beat tables rising", @@ -79,7 +79,7 @@ } }, "category_name": "System Activity", - "category_uid": "1", + "category_uid": 1, "class_name": "File System Activity", "class_uid": "1001", "device": { diff --git a/OCSF/ocsf/tests/test_process_activity.json b/OCSF/ocsf/tests/test_process_activity.json index dda3caff8..dd3892085 100644 --- a/OCSF/ocsf/tests/test_process_activity.json +++ b/OCSF/ocsf/tests/test_process_activity.json @@ -28,7 +28,7 @@ ] }, "ocsf": { - "activity_id": "1", + "activity_id": 1, "activity_name": "Launch", "actor": { "invoked_by": "montreal cisco legal", @@ -38,7 +38,7 @@ } }, "category_name": "System Activity", - "category_uid": "1", + "category_uid": 1, "class_name": "Process Activity", "class_uid": "1007", "device": { From da27c9c8a93233bcb9467b13db4d8feae286ee9b Mon Sep 17 00:00:00 2001 
From: lvoloshyn-sekoia Date: Tue, 30 Jan 2024 17:37:51 +0200 Subject: [PATCH 07/34] Fix parser --- OCSF/_meta/logo.png | Bin 0 -> 35988 bytes OCSF/ocsf/_meta/fields.yml | 7669 +---------------- OCSF/ocsf/_meta/logo.png | Bin 0 -> 35988 bytes OCSF/ocsf/ingest/parser.yml | 799 +- .../tests/test_application_activity_1.json | 33 + .../tests/test_application_activity_2.json | 42 + .../tests/test_application_activity_3.json | 35 + OCSF/ocsf/tests/test_discovery_1.json | 30 + OCSF/ocsf/tests/test_discovery_2.json | 30 + OCSF/ocsf/tests/test_file_activity.json | 185 - OCSF/ocsf/tests/test_findings_1.json | 32 + OCSF/ocsf/tests/test_iam_1.json | 28 + OCSF/ocsf/tests/test_iam_2.json | 21 + OCSF/ocsf/tests/test_iam_3.json | 29 + OCSF/ocsf/tests/test_iam_4.json | 26 + OCSF/ocsf/tests/test_network_activity.json | 19 - OCSF/ocsf/tests/test_network_activity_1.json | 51 + OCSF/ocsf/tests/test_network_activity_10.json | 51 + OCSF/ocsf/tests/test_network_activity_11.json | 31 + OCSF/ocsf/tests/test_network_activity_12.json | 36 + OCSF/ocsf/tests/test_network_activity_2.json | 55 + OCSF/ocsf/tests/test_network_activity_3.json | 42 + OCSF/ocsf/tests/test_network_activity_4.json | 73 + OCSF/ocsf/tests/test_network_activity_5.json | 57 + OCSF/ocsf/tests/test_network_activity_6.json | 59 + OCSF/ocsf/tests/test_network_activity_7.json | 59 + OCSF/ocsf/tests/test_network_activity_8.json | 56 + OCSF/ocsf/tests/test_network_activity_9.json | 31 + OCSF/ocsf/tests/test_process_activity.json | 141 - OCSF/ocsf/tests/test_system_activity_1.json | 27 + OCSF/ocsf/tests/test_system_activity_2.json | 32 + OCSF/ocsf/tests/test_system_activity_3.json | 33 + OCSF/ocsf/tests/test_system_activity_4.json | 28 + OCSF/ocsf/tests/test_system_activity_5.json | 33 + OCSF/ocsf/tests/test_system_activity_6.json | 33 + OCSF/ocsf/tests/test_system_activity_7.json | 26 + 36 files changed, 1541 insertions(+), 8391 deletions(-) create mode 100644 OCSF/_meta/logo.png create mode 100644 OCSF/ocsf/_meta/logo.png create 
mode 100644 OCSF/ocsf/tests/test_application_activity_1.json create mode 100644 OCSF/ocsf/tests/test_application_activity_2.json create mode 100644 OCSF/ocsf/tests/test_application_activity_3.json create mode 100644 OCSF/ocsf/tests/test_discovery_1.json create mode 100644 OCSF/ocsf/tests/test_discovery_2.json delete mode 100644 OCSF/ocsf/tests/test_file_activity.json create mode 100644 OCSF/ocsf/tests/test_findings_1.json create mode 100644 OCSF/ocsf/tests/test_iam_1.json create mode 100644 OCSF/ocsf/tests/test_iam_2.json create mode 100644 OCSF/ocsf/tests/test_iam_3.json create mode 100644 OCSF/ocsf/tests/test_iam_4.json delete mode 100644 OCSF/ocsf/tests/test_network_activity.json create mode 100644 OCSF/ocsf/tests/test_network_activity_1.json create mode 100644 OCSF/ocsf/tests/test_network_activity_10.json create mode 100644 OCSF/ocsf/tests/test_network_activity_11.json create mode 100644 OCSF/ocsf/tests/test_network_activity_12.json create mode 100644 OCSF/ocsf/tests/test_network_activity_2.json create mode 100644 OCSF/ocsf/tests/test_network_activity_3.json create mode 100644 OCSF/ocsf/tests/test_network_activity_4.json create mode 100644 OCSF/ocsf/tests/test_network_activity_5.json create mode 100644 OCSF/ocsf/tests/test_network_activity_6.json create mode 100644 OCSF/ocsf/tests/test_network_activity_7.json create mode 100644 OCSF/ocsf/tests/test_network_activity_8.json create mode 100644 OCSF/ocsf/tests/test_network_activity_9.json delete mode 100644 OCSF/ocsf/tests/test_process_activity.json create mode 100644 OCSF/ocsf/tests/test_system_activity_1.json create mode 100644 OCSF/ocsf/tests/test_system_activity_2.json create mode 100644 OCSF/ocsf/tests/test_system_activity_3.json create mode 100644 OCSF/ocsf/tests/test_system_activity_4.json create mode 100644 OCSF/ocsf/tests/test_system_activity_5.json create mode 100644 OCSF/ocsf/tests/test_system_activity_6.json create mode 100644 OCSF/ocsf/tests/test_system_activity_7.json 
diff --git a/OCSF/_meta/logo.png b/OCSF/_meta/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..3bf9ac73e6e41ac60628c19cd0c3da925b9bcb7d GIT binary patch literal 35988 zcmV(!K;^%QP)d!t^SaoQ7jIC5W`pLtjJ0@p4x)GrY7r z!@M)Nvc5%R3ube!LSjb4_8@<&IJD#1mq0I+!Z*6LzeQ!Od_HtDRI`6Q!-zg7mYN`d ztZOn-KDo9uv92?v)P*@&CXbYXH&`^WuGWw|E1#h|x$Zl@x|cm&eKuCiMP{*qM1?t8 z*_lw2Y&jWskcw(P7IcHoMQ1Ogq?~a%S1e8?lbAWjy`4W_)G4I!iqqD zWjipgtF}dBvqfa|IA_mdti%egMfxb~GBGs*t*mL4_9`!346Imi6;l_E38xi-lE@RcSx z$NuF!U+b4D<2_t4%DVcK8a>7ND$2O$JX|-*{^>ekEX=&EylO*IA7~IV?4?I z<33jHIa)Byz0{L6G{p8xz@cujew&?AOuMyOsMxVpd;*ogQ2+n{#B@?lQve4L77QE< z68;$e_x>dO{x>1&M^pNc8Zs*L_w?#J^eyLKE#Fx2fa9(8JA(Uih(rD1YW(!!-7UrG zPwDJx>CMYizR71@CCA6If|g>|@~-{imT}juNzR@xYdidxv_*XCgygZDrEB4(I_oYv_6~;KOI z!>_*jY9AP37<(9ujN!BPpY89Ttlr}}1gE_NZhtTkjuM>?r_(t%XEFjx4Q8W4_e>^_ zXMJ;X*&FluqTxWq?}p|6$G8QheV=W8`Qsn+CsX?)V=k8sF!28b?%g*G^kXRUw*85o zj(Y;9pLEwLb=vJFkJ+dJf*^>3EQ@~wcQuVT227^8_2t;nZaf?aE?D%sj{gWcyJume z+lQf@VZdfE82B>Jr_4$jnQZ|c&Vl;Wy*EhXK@x6lutL5=i%XN*ue6@YJzcXwrg33DR z90Lj9>@4w6NG3C9nKGZuCvf-bWmhlx=dCopL`gnzb|1XzCjF7{Zfp}PDcr8iXe|({d0BqPBl%xJ$`ho# zM2}~)0zj|ImIP5&&0rSP#`hxr$4V{NJ+n2m9dZ@xcACiL&dxF!91{uLP672}>P94L z#{@fGd-Q|An{Gln^^VtPEnZ)B{e%9csMq0vscN)t3IrKHHD2?DcgSXO$P*Z^AYTR~ zA{uU*Ex1Or$?1*l?)lx5kB(ZdYi4WlaQ_=yeH~@?nE|00Vit$9TM5e1&n-`0e>Qj1 zi*q-;AH1HW_}p3Un^yA5^;&~VYd(jQ+^+~GVR`Vn04<-Ow+1Q8Pyo~PEQ4I3g{d_xq%b)5}<_g)NB$E{s~nYZ9p2Q9Av%Ni~dOs(G+) zQ|>I)LVML&7GA8y98SAY(Ii05!yF}nu?k)_4YxGq9W(-EIc7jnz(2i(qT>>?WJv%h z#u7#I+~)F8Jn(p!?dhACpBl5JiB&>^dEeAO7Q!URO;bqBU!ll=Yj)>eK&}JFRJz!* zJcsLD2t>yncH&5u0D-6~kdGyI%RH+_xvB@b>NR*gCL=-71b`M^GU-x1kOId7t+ks+ z@niqMV_=p-rI5=8yGVl9+Um&c6I@aRldkcGQ0mFU!o@H)_MK}igt|nFY&8<~Iz47p zmdT~E5LYWn03N_i_*2i^99Ts8;SIwP1KnEQ+$4VI7{8!jRYd{Nh*t)oq~YzG-rchHbW=rbD1>C7Z8L88;e1vjC{4K-rb+E_&{PWMFH_M=x*wx5s z*WzVLZO;q&N~NND)?;AylSaoqGq1Kso|Ivo)wC zc6M~M?{9QJB)U4e7I@%(H*D2zRI#9560a-*LKO*6Om?Ru=8MLux_^KMj@3F)hvgjx z2CP==!ok7uG1>vUAa{A4ij9g0UQhE92tGg0pPu6TQZlZ;`4cw#sk|}sz{7khhp3a{ 
zU-G=fEUlw9n`>n1WPW34Yjzap^*`U8shhC4iLRycQ*#Zg-;h{LWLGv1jmK*LRK-YFC*`n{1nV~&MqE~*vgd5umCt+ zW!K0TdE40jS0{f=toC(v_WaigtwA>!T#Id*v~1y2R#jD~RU0I*YIk^jYfHgtx8+91 z30iL|p0nQ1!SP#i%9~WKq9ClK5vb58QQi}aA1_!Q`1HX8Pn?9FBr{ZbNRW}1lQ~ud zFxYlRrsgMJ&UCd2rL43xz2tM)jivMRf&^McNhBx=>Ip017yiNiTFb3bUJ0D8v)4*a z89sR#R*UfI@5BhXP(?JF5F1AxHh|)~x8Q*dRZs~o(|kFdA*9l_u@E!V&bHwc&`&R| zU}4p=2$%9A7DTMAGS0h`EOi>Bb^y)tO3;x@UN|@=kBqfeQ4vJdN*L%JTxiBQIOB!h zhdY&U!N^znGCXgNs<7p921xQ_p~LyDb~01~HyK2@WEQdo(3%y2!sTTiraB%C1l|2y zBZDG6H`_A}km!0XR-*RE>oh4^tg&{o4~B)%*-7<*7?k#-@b2$B~L-tNW_L$NXzb$f(D0Tzoo1x)tdPb}B> zYHGMxtRiL2!2_q0s6M24SLpD^nRc_(S{S_IFqX0xCAeW3MFaU%QtaN9rD^!zhS6!^ z8XAuxckFY_nN@s`=qpq>zbH{|yy*+L?>Xb?oZSdLF%*kbEM!PgurzWqG1J-6cHk`j zU&ozBC3{||`QJ)KRP4`xc`-fNoc-t;o|2;B3xrULg3pqvv?!nyWpu{E{(B9d`X;tV zY{eo~_><_2(uKE;Y)`bKt#)vOFIK+&9;t_r#hORyhe)>if?}n60$XY0tXHqlNEDSR zPV=JC)l(k!xvb%r?|ND<@|^tjpa1Qd~gP=x<(G$(gU-kHSBd7WmJMM zkaFbZ(+bXQ*gtvy5lk;4s6S(yAU2O69C2}}a4KnYvG~Eg#KqmOpYD{Yyp&<2A_g9Q zcDUH4tacy{cHqnw&IyGqba+ZbTw^(M4;%R~LiiG)G^epclSUOsczE_8? 
z>KOoDK`RP|uBrLeHf5EYe6iwC1QC%7XhrCvnVzpKA+vcP=)mlsC>$eg&Vtx1nmm%q zh;6aE;Am;(S=q2!&6JaT(e}+(6I~tc32ty{+^*!$1?rFH^RjBRdzak(9S;b-^#GCa zx>-Sqf`*Z0QT2e>NNY3Mp4s`4CwwxI!!&LhmBS*8bz`iO^+hYbkjj1#AR?C@W5i9FZU)vRz{t+>m zgaQI4;#F16c5gKD(6rW_F`2Af$O;-Ui>_cxOBCH(Pru`-Y6xTHL9bzWYJRI-eQ<}~ zzveYpButXAF+tVn91l}+^YGx{j8QZ;Yi#?+1$7t|!R#90JBt)Y!D*R2GNK2F1w@2s(pxOmm&+*Rzv3qV^Yx0{z7mxlqo7%_0_UvS< zyQ5t}w9>R8?Vv(2ShbHMyZLl04%bV*c+RYd6qwUEt7`X#7j!M5b(l||0SOw8NZCU3 zvu$gv9r|F@VN?XfprWb@GH4}Z{glvIkK;&XRT`MB!- ziH7wvsj6#gqWzkz*PO6YsR$tUT&^f4v~C7J{r?uk?)la|G$ca><2;BR4_mp9b;5=+ zx!*ER&GVg;t#(aX-#K9ne2UBun~jcNr}Z6=0f>utmpw|Yzf(Y^8h&Ju`>06Rh27pc zjP94w#IZe_Z{Ii=E7^3^VJgw?MRc?=!s}g|ehm9$2t8Jco)l3Qge-_fXUP}2dolqZOtWUn_M-=4~I6|o>rCS#WYpA%p1Mo$;b4+)eXQEn-r>0z+x{{qazyZziUl+ zEJ^7NPveH=C!xi*tsDZ}z!GS!6c7n($X-p)!|skp1#aMYmzwQDiS0DdOpd7kF8+j@ z*%&dL0cG%tuxX^dX`Kv=Q^3XEVV2UZk0SD$6PViSeb2cS3&Gu>Jxp7Ay#I} zBvJ7%8%EkWZAFF?#E@`FqDc5WtJ;5VMSjCEkwoj~*k1R!wWg1#J2*EDy=dr}lq6X+K1Z|lBS^Klry+Z}6kdz&9>rqI zKz-x-pS#dTBz~;}chk?~EM&2oe36%EM;~Q7z0Ji;FQ2;78QLU=0dP3s`O%LOb?Tm3 z#kn0?{9}Ip>ETr9{g|RZwM$D7BGB<GLhQH1(k(8jx{%TXZat})Qj)dWfIpt zS6H8`ixXhS`rBhzE_YXpH3=vclOlzrAa>F>^Y+9!RHoz^TbA-ntY0Bj;tUnCIs%y^l)q>E>KOTP#GRRTJqL9v^%@pl{X{2N1efFxOnt#F9AY3+kI# zT#KY=$o4niV9#5@~G_senKv3R#8%=B2PIf^=1_0IHF+YL95CwKli) zM)!HZ=TY<6lZEb1R>Kn8s283e!)A?4E=hJ~3k`MOP5pAjWhhrsS|*Jyut@?G=~Ufk z6160>_wEAVcsJbg=1iT}+%39XmWa=3M4k`PN=dT+{8N9^juAqMF^Ck1c`(ZKT=GPz z05w`>oHB_#5ziL@oE~4WY&Erdgex*bY76Q{>8XIkxGeu2+ywGLX%J=xa#OrT!q(C#{1$k+?e4uCA+{ zUcUv@L{if{*(*LYljGmZtIi*F8cQX%Ph3=u9)M6Jq8GVAnom9F8cG7YGnqegyz|B(B^%w~k!ax67o_I~rVv>0;ubdTS zVG5dHYogKdOLH+3*Xs@ts|v+Mpo^)mX%hG(f=>x}jLa5Lfl8&WqL{s4D#bJv>{+G| z>bMzVdk=OujiuU`NHBVTb#o1P;jh0l7$~eEZI_*=FMFEYA3FpG%wxAR=}pvtdkNaq z4rfW+@&sHx0Px>n`iSNC`r&?fVMWHNrm24C%1`>{c0EU;v2~Ave3If`RRl<=r$BsB zbVM)_=I~=SgV>trDf7t8mf`#r^EzX;nQzobqXo?M!k^o$2AA13A%Tqwd<5~}2f z4_`MmCd|?PSX7m(%oV~`fx7qvsZf%}C9=%n`@uK0;}v$k`3CoQaJBR7hnw{gIe(PC z_@$DVhq;cwXlilQyZ2%>S|2-(u^cXgSDQsZvwP3 
zFWFqn+$OxSu9+Ud9=cDeR)X%Etk{3{>ptj(e;+PF7QajrO~WIL-A&5GKvkNQCs;6D zt%6+g!l@KkHMqvU8wveJ(uhpD@NX4E+_@d|+w*q?-dsDrXDg8fDUOf@8KNX;->x+k z3R{BF=O)lppX>!BCO%=BgZ$dhD{J8Z{W=xE?h zn|(Xb%z#~-dOIZ&YLvup!ygI@Mz>vjnn*GwCp(nwXMM5aJ- zu0#^TMib=MqG9^=N7l*uZ$IJyh(`>#A+Qz+)K$1>sU-!}5}+aB70d{Y-!5>CFR_u` zb+ei+ko;!BY&V$nN<*r5_-wLGOcSoU|JeSa)ZhP4H{o! zp@jMx_C5Ot^<1MJg6T*+<{)`gmhNIISb#@2ufN&z4>am*;E9c-%*OVH`GUGz%#{@o zbCg^bhYuUyw%ob39U4Zn76UUR(na-%Dt2dWKvVCrlFClZI7T;BS%OZ|_lSj?m>x&} zM`LSa7I8~Og;HV^?pN1b@i7ucGZpbPfP`02go0pNN6q;2hCT7JNfStsT2)YW8oXsj zV#I*VzM4oOb$zzj*Z7$6@2(<+zcggbs!5P^I^5Xmd(^|maAc@731WrzynNeubFM!a zMH61C)e0$3F+0bb6zZxQ?LZKcK8R{7GKdvK0o7jQvVXp{HoA)(MCNs2Ix$yf= zGIe~+oKv-$9A7AEHDCV!{EzSZ&VxQKYA|2|%{Yb2IW#h{-Snn{|%~SMJ|D8Wr6-TsM;gdt%I2n6 z6QJ`f=fz^x2C7g!{{u(21SRPNwqp9IZ!6w_a>Q!BWzU&`YM(;qn&R3T zE)pYm6tl1fSR)R0a2XD%3c^+I&VCC}QpXeEzTgAF&E^g4O$8M1v;<&v?Fues3?VSx zUBY5d`-ktg48!=vvs^Yy_9+I&=w#IhR>8S1A&vFnnQ&%>u%@~_sey3&+@*1a3zE#8=69GG>{bjg5jESArqZ$}Z+b^p}Yg%kg zPHyKawUkxQ{EEmZrCKG4))ePbdFW)#1xCrt$DeQQaxnvFZT|3Fp0azt(wIFB#n2#Wb;QQG-d-X4F z*P&46Bn?~()d+eVwMzKGUJ(1}fNmU;+(Iuf{0s|KF>EeX0`@TOmWn<_b{05yfj`}@NT`Jj^JxK;CKY(t z7sW7i#E1#EvT&YgjT|gOZzXJ(>@rx07AA;lebH>MZsr88mSIGP7nQeqs-^Zy(nn$I zibbxwxq|hM(u{k+M*0A*_=YCB{Qik;+8=9nxZkoG4(?ac(Q1}rV{=2*qXgEb1 zCGqkfQ^+fmA;6k-Y8WfbD21!GFu9v0SteV}0N2Pw3%OthZY)QwvoqlO#8({ncg?MI zd#G4B5iX%bxjlXf|5ZrE9&t61R&8VFU@WLq5{GTN^{4-t_U*m`iYBlKYqj0&b~SRuV75klH}6CcuH3K{ zoVOJyh~z<$_RUvc(cxq#TFTwDV{T=D$_*;gl)_c(f#8mBQE^e4+meXc|5+*q?G?ZZ z5s14vd_SPjilg`C0v9Lz`(okB{&WbiQumPAz0Sy!vr&g);4;A|2DNZ?=w=H=>q{?P zJH$TS@`LeYvee2_FO@=uC3(y*rR55R`aH}iFa z(|OXcFYN^HZ|tym@^Ok*_+Tz55Ayq8qCvvAq*%1LhW-8G6+?UAdNO$ZJ(Y01GZ+G4 z2Guj%C;A?K+Dfo84JSS5XiU>a8tzglv*O{hutdOT#E?5wL~Yu6*yxu4u?PrWgYfiQ~SBPg`Xi@wDUH3444A!MF4^ zIRlXT*r;n(Dneir-b3QP%tIjlp(;??OyJA2Br}%)G3__ zy)BPDvQa}>F&D1Ys-cO`TBmUpFp)lDVIKpgSU0XC>EUeM2knoFDqX@x{dc;ZILt1< z$N=vO7p6kMj%|PtL$w!$&hP$~hL2)d;roIYT<^52xD*V6-i9oUWo@YCd}}+AhTR-+ zExT^7LLVCB7RM?HTz#@pFZ*;L6A!p$tPtV+9v(%&$_qj8+qtZx>B;#8t9?8Kb4$9s 
z!vaxWHE{tSN}W*3NMgnHg_gQp1&vR)gc8j)hTm1Vz1HcigT@2W#wC_nmwhxcNVyv> zat0DzmjB4$eUJn!lZq5KdY(|)Ztgn3G>yT;;L&>u{(A33#3P|qT(F^uRx_>@ye2yb za;a%_FOMs2^tc%{5kP{Cdih5anI9x709(@Ii{mQ)Plko>9<&49=atqg*CUw|;+o2; zG_M#S!c>H^Q!rn4TP+K-8U{|q9BeoArNw}}>)(jNY8oF|`4n=A%g@4%mEfk1L9xj# zjY=za4OC*}lqY4^)c59sPYEzi2I_9`)k62)l0_fsZG&{0=BhRwdAqe*oW@6xJ1x@u zC5*dBX`@%MA=xm^ZfPz2FH+VAEZg%i3n?OCyA-~x98)1)bN>A7wR#%fM$-bCK8C%K zqgNHoVurG)m(pZ3Iny^=s}>gA%vHm#@cB(&W%JsD1w5bN25r&r{TGWS`S#5%n!+AP zY~K_D9C9JtuQ@BaT;CS7L%cy3j{;_h-%7J8wH{ev_n*dfJlRr%rp9n))3A#r;a0Xj zuCmARX&iw8;uga7!aj+?E}n}TUXtIkMMoJIQA-+x^tPB?)pM8;gZvg=sVCxBCPGf# zJ0&yoMw>ibr$cGF3INv7^!}BLx+Jziq54PpYTM zEOHAiFJRUX-8Sr(D!G9Rgsaxk11;q8@aX*f($doW{OIV~`r=rBr#iG65(QqLwOrS7 zA(qqRc_nF*08-4ko9kD_5OFAbOk9PtnkL=PJwUH3W{3<|^&Y3~71|^oP0#GU|DT;1 z@jL#+-~1)6L2Ts`SKGtxL(Y<*+q6}NXV*o-HF$Mu7TV<jBpsab4pD+ddfsYnb{C`SnVc@sKd?c?9FZzK3tBd+O~^ zPR#7mC$TE5U_w{}@i_eTa*hKHLZNVsABCyd+fPm7u*(6n9=KAJ(N;3R-xUa#8zw3DgB;tZ;nn&@XsH6nzzbf$zSZR8v2aCqS%q?9S(n#uMZDUF)0ENmkMSNSti;s{tl zi%R_mCoLpl$S~))q8x7EO3H|Q@ya)*u==sw-o-8@9n^9>2~;gK97VFv=srPQaq|2V zxa#>!PznUp_QZy7@o9BepMO`AYhiUu2;cSO!Hq!MWCWjijm8jt*I$vR;TXnD!eb9^ zF-owK2<24ieA&R2C*vGvo;jC2jpH5-U2bo$!XE z9>1%pz)F>kT_JtEoX->1lFfNMEei;1U0Jm?`bCeXxKJc9*up|_E+}_k)3F2MTxIT&{$5dNMX-&JK8a8@>*14y$$Y}$tAx9V$3S0>x)1w2Cz~vwDXgCUDCv%LF zu)#1*TENu=uJh6h^XkTqZ`N@Quk|PmiIBHF)TFsGfW)El8UAX%?^;DVXn7ckDD#hl zQwK?eAdcmC&-N>jbxf4rz%{&*=v;UQokx}tUYGlbv7lN@B@iRxlFY*UzHQEsL1NtN@a zm#Y+Uy#`gp>`B9i^Sc1n*Wvy%yu6V}BxYxq4_0=lFsKmMeD2hk|6GCnHhvfn*Ky7H zaanfJPz<2C0?X1zXMW?eX~60L*X$tPB9W!xTTU%irTtcQh#Nh*Lv_fhBEZof3+v0+ zt?7sFOn!ue-(CK>`B~%af820U?%)`;Vhdb9?^oz@OoX-xoiST|xlm>^?3t{PO0>o6 z9bHe1_4Apl&TFrYCDuoK1+|=B@HuM>gc=nle-gM-RPXmLb|_4oY>VEkUUcLBkqVDX`HskFZI6` zfGgv(%U4>`0$KT35cJJ3B<;{f%7dFJejV>Udh9px1KjTT`doj9_Usz~v!hWxhgzKR zOzK5IK^~TLZQ=^?wRHD%jRi4qHG%8F*AH(Yo`@^B5--b#O>m&)PA{W!y^`jbrvKU_ zp4iYkpDncizl>B3l~9-#(l(gG($eJyIzqu~5;S_H>eaK#Pv}JqUpr0=|KKeSQ$@Xq zDM#MK(;rLB7xGR=2d?mAv&bKn)BZ7-$O~M5et@~4z_mKF-6mVTPB2#h&*J^>zJ=YWX 
z3lr4!dA-Q84bCH5tjFayfq_Pc-^8%gETIFWM9&krZhramPrqc*cA)*J&b)C&mRF~N zD}DAIhlVlo;+geW3i?>UdbHmJ{%Z|f;pSqyqq58zAQ1|fR@pq@=ahj z`kYs?gJbJUKI$OL#DYi~u&ms^3=8`oY*nS)j$opJt8Wa{apg&2>aR)Z;92oj6?zr$ zQKjMfz{vtp*pN8c$Wc?!7D<+1yaHEUj_cv-z-gt9>*!cOVcbL8a1W@3hZBJHdC!r0 zrxo9ad|*pHaSmWh;Wltp_#O^p)CJy_X$*WNa1|#zy|2k6uh`LXB8UejA<2>6t}zGs zopZd|4MBJZp4o-A5|*wor*Btn@SCCi=9T*3D}J=NzEozGwB?sZ!g(G;H| zVC53XBt438akvVN&OsEo!pR99i$DGVT*bs7JMpP3v3@kd`?Z?NR3nq`NqgOi5Wg{W z_{Xb%O#v&~oUg*Jcw$ol*N%-O8Eb&RROpEi+^!8=(PhvZ^+ifrAJkhfM&vav zP2p%KjCg;yjD% zniMMFS|qNPk8)UEXd4!dj3FY}n+m>g*4S-f{R<&Uc}d#pbRO;)cpHtlE=h5H4GD&n zft;0G6}YAau6N#(GZ87zBChX$ChdtPW2l-0uAzyynnZBd`Sn+#BULivy4Jwev|K51 zEP#=tSdu;Q-4}P78l0nya?Zq-D8KcE1S+f*<8bQ|xGMD9jMpODtO0@RvA{Jn*)E+T z_Bqhd(G?tON-2B1jw^uOZI*Bau8m0paqW@e3aIk5<8Z+*8kbhXI{vL7xVc8}?cj@Z zMqDo!$yh0EecmJ8mao)t&8y%#D{w94Jb|mjnLO-e(YZ*V!hXEKMh88SECRLtdm(mD zd?l_~Zddk$J9S)(3bl=<1g^5iC04CHg5D~Vy(e4!1m2o)j>TRTlG>(G+zDLSHUL-Y z$Mo7kQc$f;7kjTRS;?|V&o1IhcD_vT0<@0pYlug9duuNrK!@w1BrHZTYhd1If ztO8?u#1%2brsu5QjeN?2lGG3t#v5{M!DC5f4uvFs}?UwfxS1=4!aTRpykP5EV>@ojtXXuTl zidUD+KxJITXR1^;8D^e57r8NC*IXQ$A9!1;;)*-dwt#ED6xS%01n0O4xq~{cJZkZp z%@+9d>&Umwg{yE2y&$fME-AIb;4^n%xIz3Z6;z?dvdQCziJu%-Qo}6|xXSw+fvagh zi)%&|*K}Ios>y@_eP9h2!2izfe$zztFl`v}NW_*(pOfSZ+r^?6jwfXEro>kR7LbBq zLl#$B|Jo+V=A1R?O8qMzim*ISVJFVDSuh^n*BO^C00%rU)}X_Is{Msv1*S&9UlXi}E$o!! 
zyZr{PO7me)Jk$RaSL!5d5tVqQOr31t8QHu^qa~Z*f@3)KakCUonEMM{VcIO8`(Gul ztS>D?Iv)<)fPoU2fHrWIT$96&MVBJ}$)-a``eJ(etp+QNh)O63BZNSI+(A zbHp@$0kqQjFke|h9^h#rFCgNI5*N7U!Ycb5-K5~fHl+SO8p(iV)AcZYUV0%lIPmUT zw#Zyntv+LhT!t3V`xTZtzyr%$FCPizB?E9#3rG-BB;L7_I!6L0$ zf`>a$U6F+1D@ZCSy`w-1a;vSq=R?qSdo&CqHR4KMh16^cGBK#OU~ge4)Xu<_|8r$; z^Bh;?;iFGwe2I^4IecyswG&;6rO_SA)Ny^3z1Jjfbp-E!MVli<9vG=DmJKS*uhgB* zPh4db#vL5WI0=ld&@hWmOjyvQNfSQW6_X|nB?=+M2}y&E73xCSl%QC(E=U>)m6d_G zw6gPmaAjaaau+vu5+>96$jxMiq?@Uk&f4GeUZhq_?>i_s92JlhM(4Tbeb0H$InSvk zc?iM~&;kHdzUef~9X)*$omopF8tp5>N`#%P7_plNlj(wM_&5=ZIRadL(`On({+(M8 zrNb~T9~ab;ZvL>v&W>&|#1M(#x;ymc-L^Q1Q6cz3L!#B3r{_OB7NyZzp?efZ2TL7#6VR@C-4sl9}(qOZ2%_Tnj{-Q)u% zZgqyvT@BR1m4ld}%5Y`G?yrW+WfTsi?^CarC+}ao+3`O^Yj))ql;e50VE8F0#)&p^ zUnz;j^jiuUE-we42o%eywawL;3uC=VB#xb*S>0TlUuH}a-zzXkVx?ppy_%*3%pwBM z51+1QPExURt{_}BCs}4LYFi#P1yo^kl1@|n@Z)Ts#hfIG(WpcYNO$mY9-QH=i{H%N z>|{pr+@IF*AKA+WFJBK#VvHS;=ewcYBDhv98cmhE-~keN;BAdstgz$H*IfLoBxO+~ zebQ^|n@f^NTwF+}lC^4%kgckisbZxkucX*7Azy%MLV6-pI0S`Ga4kIp*B?Im?vZeP zlFi0KXEPvu9~ngfWkr(~)wkEB@FRcaPJXi2%*F<8Z2Wlt-tCLmu3h`)+A-|n5q4Yl z((hvT?%lii&E1Ya6<*}8F#oyb@Z9CX9Z00Sn`?Of{ARDkR;>4!aP{^v$%~`iy}Uf1 z%19%zKiR|nZtab&qTQwu4x8<1=NGB`fNPN!tI&%;|7+E})auXSXH92Z-&zI;(&F6#-)+y`=r8{5?ljom&LDxazqW@toBb% zkA>bEX&yqJ9rR$>Yj^p6tj^nxynsakoY6-P*5K5(7;J{hxXtR{K*Yxg<^{GZ;{n0+ zoH+m1^s8R>d&>G=%yFnGUH?-L=5yg%RCCdYm5g58;M!PD&)DQqnwNvi)8up@pQqi1 z153ndgC4^MO= ztci_Re=necSIaC}g?zmzIQ4ic1A(YkrE#b32gtf+DSj1ciFGSj$#OC^SN@u-#Ybi$ zp`kv)=0$_+7vE2Gox8_IvL?I`a>83Ttwzwn6<|lH(%1nzSkCTYb#qOhO zSS{2JB4VrPX>l!;^tn$Z)&vFR@}(LZeNf$8wUm~Q5RE6qO%L{ee0OLJw7@pA!&oFkUb4tc@@1FsdIqqVUaSxHCN+; zwK#|q;99B{i)vc2w661TOY=!_h91Ze3|Fw_WCm29%Zb>G(ltDAEqd%ave1?Gi5lD- zxN4bVgrgN)oh&gi|MM0HvFQz0-x38Nd$sUK!-Ud~BbODdKz!mB6bZ$T?FiSy3Gf8x zFha8K{Nk96Xg7(z$IX=&HDPN}kcEnvPh!hGJ$#(cq}P{b&U2jF>%dE@oL&i)9l9*M z+ut|JRJ9K^FE1U4<^ir2IVlJ6F4Z5Y>6ztNmez6k;qCk5!vloVft63ioNQpu(4iE1 zFAOobdf;lYK1bwSMfD$Kmo%+vZxMvJ<~G;Y*B8?1wS|TCbzHTp6&7`dy$y|qNXc5* 
z=p`0aL#okz^lEGa2*mNSh%ZC+H7%;D9NTr0hq~UZn7BmyZ5-V|`{VVE$>C9KWo2~W z#4UIUUhRf>i9>;pOYVL_@~=H3A4F_c`c`UHgR3aomMj7@Ja%Db=EB?O$9khJF3_3C z#B;(mUsXF~IERVIk3=uMN?g+kfhrT}D zyW2(~@stcDMwrV79e+NUsBqVc1!W%b)S|^kKg4tVnzX!vhO|>MlAL6%)PT5han}ip zJwJ%8HA*<_;b8UU@ff@WJ3ndR{-x7qFH%;bhr3XZQh#mL%xa`g*!UB-?(X0-HGy+4 zF0KB(m?NjG^{-vEx#oH_`%(1BJPCKlm&z08}FtmR_k+uJ!TNN z+OxtchMQJ<%(DCdaY-8~N7x%8;Nr(~N(eF>#1_RmaAgp^RxqW4Q!%qXEx^_58DWaV zW^o8xFSY!1gzGgJEgvSkB)!}zt0UCPVYh?lfT~VAbV0OaQQm^8S`zVu`Du$ip*XC@ z)O>&6Rc3S=hRRdQ*K)doB&{uWz-tDcC=2q#?Lh?oQ1C7*nCfMl8&k3{?Boc59cZ5! z4O=q{UCoSC!&|0GW3kGN8jV-0RdU|^8qDq~7;8e8NwU$8&y_TIY0+5G&uvVtf!p}- z)V@451T!O?vO`&Y)xsCYe#`zbKn`q6Gmd15gsvv)RKvv}<-&ks3MUcmMycrPdcV z$7xk*fa|

Y_%3ii<_9b*8gg#-z`%)Aqv|Ylbl0(*FlZ_b;y5J+d8ab@K4G-40 z16+r#_U3;Y+cU&#eYZ*IbjE;H?3ggPdhWbUJIY&gBbVUQOQP`SPkv=HmnF-ZtL{^R zc1Q+89@*^9$>pdJkQB|lFn9x~m@|4moI{GtzCQ>#L8Sx@OlP=lrm8FrDs?2Txu-^; zpk(DgK8YmVq5G8+PhyFMX_LtN9tFOJ82_k6ACzPe0$l%^lXtU;Tas(ykTzy5Siy(G zvAX(Nl?V}4~XHk*9MJ-EpeJc)0z5K2e-kGlqUAXY?83|5dH&>}~qqDaooN6-7 z0;sZi1`jad6d&vAToyaFlup*PeG&q(0(ErW=4TegA(l{p_b#Phh@Lx`k=lbIM!%(O zlfoK}X@_ONT8^{RtPkHlTd~vIpQjScD$>K?+g+Em25W!5C?Hn_0MgzQv0h;H)jac5 zUBmr%Yz~viOuEMtu2gDq`@z3C?t}jNdQAYyuXw|z*RG@G+v)6 zV9n%q37C5Y3u!WB!^+42_b58_VU`@rVkW7H|%s~W!L=9V33 z_Kh>EYaI0&;-oyMGU|-g1u=tlB0fHh!6H2eARn>M>`Tl{(U@YJ+Hj z399lVMGYp;XErbVXD-_{vzS>XsFk}??2Y%E-WSWvx)G=%#$Q&^>twepNsFW5y1p$d z&*Ntv^*Q7^D$8r*^Nm|=p(0^rQlA7?<}1YIN34N`G$`Z?#5F}I#gMT$Ym1Cc@W^OE zcoq84^MLh(w=8P}I(Ldt5?%#&eOYJlly+>_cR;ATK}c)~?0~b=RApydThrNBc2=S% zr8*T?6Idk^659jomDKeHt`+1#mO{GsExV1`AljofXv}5ReCWd~_XKYYVNNf*m z!Yg@35VJ&`J-ztvNyXl))9GYFt7EaeXAf)8|5BBna-Q4uha@kEbGann(^Q(*LWSl!yx&<}5GJti?HqaiUlFUz< z#otGEqcW*8&}6*XQCFJvj7FsUyYWE>xoIb6%CWo5Ol)1dc?RMq?ZtpycX>Bksg|3` zWymUNk3h>(xXUaoT>#l*U93hX#`om?0+vHKb>#zFSXCFMq{k!n3U}3+I?3uWgX?35 zj#F!3Nq4C5#bPv2h=?q&jNkgE4aAzl9kw3^po)3R_8p{Jx;(;WSTlm|NhN@cXMJvF zEZQ=vV^=rR1lUv(sz!egb-zoQI}^5{7@T#Gcj4`lTzyr`_bwrjNTl5%4o z(oQ{yx)`-v8UN*O+tW|zH!un;Z2;G6rEe+9jo4q&q_P^+d7TgJAzX2 ztybDE>OgI+y@lv$BuT!V<@E!~)c-AKc+AS9`jE)pE&FgR6C6Y0Ul< zH{GcDrzEchHCA-JvLS7}&>_w`5xxzKNhB@hQLtv*_BhB(jUGmT84za6COwOgLYm@+Ie%UGw0Doj7B2| z7L7)`dW}rtlIGZxiA2KpLB*3K&^|g(eloQ-r$o4wQ#g1i3L1@^=nCl|C27gRPSp1( zmaDE~Z5^}s9u4$CDGFC(Qe<(QzR~fmU#{JKx3lA1B+_p1MkhW=3Rf3$Li~SgG|?P{ zf~WnB3ZIHl#!ygxVmXO;p1@sNT77P)ByMgZlQ=S;jMsGRmUOY!h?;Wyz=})^f+DST zqvG!+k3K}79hPIE)$&j4rh!y4-#2c(+sYH%{qWZ0pxFYUp%8o?h>@v_ zig*`$Gq896rM>y?o3FIHZyvrFpWi*=Hh`Q+l$gB1e9?(5<|z<>H4(cQ^-q{3C<6vpy0{8nGU-^UY)o}QjWB7R^#<{>ApDj&wh97tL!Nt)?uao`RT zG|%g(#@}PpjS8DcK+H)BH1Pke72YD958j^~D#z+LsunyPN~@V!0xTBmlkxFn%?Up0 z(~$mch{^h+I{>Q$#7b6LpQ<8$dXLD~sDNWt&@ursMu2OqA@eX-29(cKwvpwfpr{0C z2_mx9iG{D@dC|fpF^D!Z0d&M5)FmAsx!H=?iI!aUGLk-{F?{w329^K{u7t-ZOJmtX 
zqyF>Pzwq&<{^5(G{tEuU-+l~x@jFfa*7uC@JRzeO=;*ydg|Hy^c}ihNT0SjW@66o7 zNRsGQGF*}u2C#flTBfBEi0*TJ%Rst#&_9|F%qS=>r>?+69A|P&qT{XykJ)p@D&7-K zTnADa^R42ETSaziasUN*j`FNyw78I>knvle+uq;o$zQ*C^5WMoezZ5$AqdQ&yN||| zlX!ie=!Ii3*9dfhTeQeqAI%Zt;}3@*H|{>BkpYrdY3i+uoH~|B!4>jm z!%jDR+7_=yZT;=R)F|AMYV2%C?>p8`qjR0J7jOMIJb>qK%LFUf8od!2-#B?QkC8}{ zdhAuWMzs2-Au(JV!gBaU0wsShB(G;_0 zLjL;d9$cj=xK@$MPWbf1ktE>(p(IIva#f`^UQk9Or9~xCIc<7jac%;xF&a5;<6=s? zm5iW`dx^;```@EVti$>vr!2S49zjo7IqidMx9|TvIlMA7B)P(v6M$DPPL^`%@$7D+_lP=axhWh5)wTOX%w+i2(Z@Z&P<3pT$gQb&dn`NTn$0gjy@duFadYTP$aN^ zeP==~i1wz6oq0oc9^ohu>i5tj{|z#x261#uG+m2U@e6a5iPuYN;Ydg z@Dc0o?6ByY?@2%-6d(YX&E#_XS(GVU)49mqT6F#7CqKN?da815d@!cgQE<)fFg$s- zCYO&jqnJoE3RJp%uRVcG|t8*zit0cv_H5z zgO?`5IF7emRs%Cn1(Rq5J17W3&USJP#H5UH3qfj_wGP$AVQHWp22wKDq`iPnfYT9rJXYn~MFsb^X3X@zhyA#~g4* z`=L6C4#vSLU`pZrgm3m)uCm1yg1IO97|cEQ_)^@rI6CZb@n==}?jbB!#hnxCZiNVL z8(pi`UoIs6(v6lHt1v7|H$;ssCb)Wij}=3@id7Lm1+mmgOR-=65t|$5T?@}sW4PP5 zu&Y@bVhB*D`N~Kx<#AyLGo!;2R=P6&URR2p5ylo&;>8{i0t-s-Qzi?#*e1HyRCPRtNY@vZkGs}RvpRO*UC@0Lh+>W`kI?l$4N=bdbuvfR0XOK=dx^!I}}ko z@a&@>$)&0@_vqsIB34(aBp+p<|3M;tuC*W1Gc-An7x1NFI$1ubE88?d>Anw-&!g#`7*M$HIYa%~~nzTDZ_V9NOc=v{u;lvHTW?9WIQipy(Xp z#Iw-lS!GYoQ9Z#IwU{PWq=vF7j5+eOqcZkQfQjLTNkwqeK2UV}N7KoJDc-u)R>vxJ z^?9rN_q|A$+2zfnLqz=lGsauqu}N2&fDv{_$_nXo(2qPm96wRctTg2qrb($>7BG>m z^?-5+=Q3Q8=4@w@mb9&FG45p0fXlKt`8qV*E7kyp#NA%STkzEmQd#5n;rv{Xt7n^_ z5~epIs;%{)!gu1u

    oiASo!Fl{s%Be~@xz-rp>_c)$-(C^qF)?wTgFhlOxrhu9` zC}r8!6Q~;C)5@?&YHaW<6X94!P^W_nh(4*@$SG~J8u5Vpk?}e6@YODPv@}+$Sh$xa zY+h1oGTx9w6i_OSTmOB=WBIr|dRRBJzp8d#=0fQLd)Xz`a{&J;}N+fas67jyX}>v@GE zPZR9(VSajf{OoZrD$82@HX6FawNJ4CRY#*Tc-~gdzLUwZg{hj%i2frpo~0Rre2`u3 zWoJ#q+w!19UHt6Ez~wv~MFIB^R>~@8pD%QIv4rxIM=>>c+SJA9Dq(BNS(fA0B(1D? z3E_W?PfJlUURf)kWNp`(S>TtOk)RqVc$3}Lbqj{W^zx=Rmt((SH8~usymQkk)2h#mU~h4noc)ui*8s=59{g|Z#0^+iVRW-f~ehGx#T@* zeW&M0*|&Q)Ta5%y zA?-(PuxgZnH7=abd~SJTW!7`jQa?S3-Va!Y@=|8=vsK){@-Yyu%wimE_p_%a$W(q{ zdNDk!yS1dZd|ewlXTmWT^^&W_7-cIBvk=P~&HzH30k|OR!N_E4XraerWz@+F6gGIX zjIM042K-yl9}WvL01&jj2pQ4u`v;rd#6{UC5fyR)m6CEFU6rU}Efye(L^H{F-?8?G z@F1`*FB@jwu2(rv2oKVrr{XFr^1^Hn^t_IP=efF!4{5>zViLB2f#|pG+EPE-Vnt6R z$OkkT+Mi|eIWCOPQhSCwmUghrft8IR8>1_uXcX5xyesj0<9oX$WJInW5eR-LMAku2VG3MX;Z_P?5#Z&bO4w4=v zX$4_Y6ihgdC@XNx&Bt~PgsEKqs^CTT@hB%4*r67ql6X4eXIqCQ$TErI+#KYmy zXy)3CdsW>lJD!>x10K-?GW`N(Vq8nb#0W7q7P+y0bCpP?p547Wv=`%lh@n=7K4Il- zck6Bt;`h?gkQPu2UCT{;p5cC%wK5}=1@+|&n2@lEP&nMLkeq>5_}G(G64&#Dq&3%5!GQruoF!mj^6S4M`+NM; zztNw$tDBcvSR0?4OOms9sG+Q~(e*1~0BgVx^(E3NcYB-RI6v4s(^waxFbu2x28p87 zO{$h#d#w@s{zGDo5F!YFEFnQ6{IEoVL>f}HBuEg1AjH1!q?nE=t)f)KQVps_GGZs* z_e?iST}xXf_c^C$&dl_7Zu|B-=R0Sn-=L2C0AB!xL=@LR+~I^0brs_#H01ayz*c7r z9jng=RRxIXgP@4$Xxa8s*+hi3>m**etf`EgGhV&YmhE^?+l-zMzzC&11}NgnUZ@3u zVj#-sRSjA&fN{dveL$|^x?~zAgvED2bk4NjTL>XMdi3n^Gx`l^R!}OhKu0@wBZIv_ zwO24!410KX06%x<%1w-IFT4;Y%yWC(_Uh7aa9QN*T3PHq8U6CeRFjmi zvbg{1flZ+;`dX;QSf)>*D;^Y7n{|XKi{ODk18q^gh73U)^ zSBBB)X|x^T+qOoKVNL-82!*TNfbf%r9b@Gxfn73MFu_F-yaD6`;Y7D?Sa1Be6+_1w z3v{LO5?yHosogZNJG8|x7FVOvUdeg>AP@1e81$b_w6-zpT)=@S>;){cpev^r>kh|Q zwBz`C4M&gWu!U_e`dlr9DY8HeN*NpxB0q-kuv-z%l)lwy4vaYHH5TOcD6o7L23XrT zsVS@$_DVQ`9GkoN@>9yOY=UnA zG|7ZFWFZh0nob_yaoiB}seKB{=Ci08I%wNs?xu|cCn2~RxQx>S1SM)oE@zvHmn)(V z=J)FY;$F_l-Y17?!DhV%3|TUMeEZ3>XO5=4fTw>1sGy357*%X$%S$sI-*L%|e!ZI2 zuJsRSnjHF!TD+(~q@4tDLB+qr+eGaHbeftHU zzD3)yZ{M+FC&qTre>Lq^9*@*b3{ICy8Rqm<(a>VdRnhB>b*iUQBMsGSRR5AX-(WNv zYYR}RgBPm5s_lsl$BvyL@BTI?7Yn~B;|5W_Ot}WQ;Y%yaw3SPjFWdrQ`{Nwh 
zuWg9!-nMP|(gduoBwS%#fY(dVcX=^v!=blL*fxPITsUFdsZ$3J_U_$#Se)L&dXHhj zB@#=lju{rqEQ+N!=o#mDlK02o|2>YLD9E^lmaA&9*w^%(Fn#LOE?rE8g@uD-Y~K7a zEra6}#t|!DW5V{|XY<~j+xNVVQ%Nhi;4+rD1xvs+6yFE?@)7O7+OubSOMNEY{xS`! zTDq;7;%L*!VDJNl1Qj*P6peC|0hm)T5WmR0I-R6bHNA1sw% zaP#h++bciu`Ft*q+wDo>@?;QSe3^4Rz9$}+i?zyoYSzw}QwTe?Z?QRwOodiW(5ND( zqIkX71`H{1T}eUy9^NZyQM^BiqWG4`SjuR%bCImiW6nKsbge?WG1f)Pf&NdKM=<31yc3r%2 zx-wPmTO6JIfp8dBCxt>33l-_vvuEMw5I0FuRw8LoSV35lWGNDe1im5i0|Gyd6w}pB zGlQJsn=M4k7*4@Ow#|6u+`=~mS<$^v*T&5Y{>)QqVA*0TGN|4ww9l}tdcl zj*9LS)+Pso^o^h}R6`jELF8x@nRpeMC>k(Lf(@d8zUXzci4ssWzX`g+u-x>PP;t|D z!b;X~=PVIAgZRGs8aLPfzN)S4HaJSMOe;hCD|{dLK(y4b1Oe5k{|9gcq~XsAL90R2 z6>?HfpAU+9p4OyGsKa+qfL9J;=Fg5Pt2VXJ2O znfwOk#q!JhiS#r=nt5t9lyn?qkAfQoSLp{ zd(Rs&Z{CQS0L4$zJT?Es)A_WVkv!DMk#%*yqiR+A6nMaJg=9r0=w7ctR7^P(7EPV9 z#@@}+suk`iUarhHBBC~N>GdWn+<9HULQXiufNy*jt`7} z)vBs=i9(V#1eGH)=5so=v2C%pYEY)UEh z{vEDJCm=RW%A=r(WR-zj@QiF{M%G{QmWkt~zveJH?d5{dvYxC8RjPYaCYL z19SMIMxMzbRSo(Jr!H7&sgm!}G@xs>CvGvu^i-Z#r&I|s%2!=!>*NoyQ)O=&3WdWe z9N#v!HI{!NtdXwHylPK4BjI#wb_%aY9Hl+%VhI)~t8xXZZFVc%>T@+8%gH0fRfJ#>-2%B1Z zX%)Px7rx4$jY_bMtb4;*!df*ms}4k zQdm$ezQ*Ii@4-^Oq2&(da^0Xi&qd@KDOOTV5Zx8%mD5gZE3BNX z_zC*kAN}J;D%6QzTE1Xp^zK)`+1ZlTDPg!OqxU}`tr0ujljxMZ^$sb%bL&6oj)S_j z-|Bo3{x>?x-}Cu6gLUO zf1Ep{zrIf4UD^M-Nv_+$Tu1ME@9|GQ`SO!JJwEh$?>#}halW|Ro=MghtKZ3^P4;W z5_|lIR|kv;KKtS2(W5!n8P(A1($daS7jjDPE{QNnTv=VHX4AAkH1_368NoW}C*uBH z#=lmo>n{OAt-yT~o1mY*vU5N*<@kM=9Y$afNa3%z1K*Hak3=MD*_7DTg#oZywHWQ$ zQLj*5tYq^USRZ<_?}L(lKV8vd#HAJl#D>CkJ}H!1#2 zcdi`a8ZDMI&qu5ubFrB0@#G4R+UZ&)t7^j2ZAKs+oyJTQdDf{$=W)^#A6*MCyh-VY zWFBj})m7ufM_m_Pt{Y*wzO%EA&UV@sNSYfE-XC6VNUZ$1r9a})qbnRn!BvQ6s@l^L zM~UTD7E0-iA?&U@BHg*_htmhZC?mP9JEXUHM-x`N2EH7_= zHPm?B;LAHSH#eyDp;c$J{(f@{K6>DKWVl)lPnagKcuU1dPj^6-XW;1MHu-Oj-L$i- z*C7Jxij+gimJW-1ZhZAa(hsO*(w4D>X@UC3&#vpea((Ej+iudujKg$)IN+lx4&p

    LwN}{DV4~m1r+l$rNX@8Em-r2hgr`!lVrw zRBywAEv(qz)irPfTmAUq=kSShHNT7=EYmZ(T=`ECZoK{ut`G+)9Wv$nLn~>`2(Cx{ zOgUV$zDZw0+iCSO3oFq=tu$*G`tJT@=s*p8B5r%+Vrh!7>JD)eaOLlgl_|fFLsJA{ zi(u95?)n;%>#g8=bA97Cu2>z1T4|=ZIkX~H4p~?c|NeJ>#N;yL{osmeYw~&|^kAJU zVhZ-my1qYcVzhO*@L=M3p76p;=#XRErrCsWmOh}yL2*P|!n1tOGbryLwdao*lIwfq z%GY)`oS@n{=iD65$G-pkQGdiZHp9%L^U$C!Btx&PxwVpN2orNA1h6JP0fc{OL(|lr zrD>W)3DG!FHuu=J?`x16PU$^=#8CTTa@``=j!Wik=Rwc&q6xS@e)Gd&f5gOc#_yai z^wd%@+JjAu<_gKxmP@OtBdVaOi1CyvxZ-3ctmZr7RUV8HshaN#o{x?bS5|*^>Kg7( zIYu+o^5P=ix}O@qeFgrA@a0+$$(7@kFW$KM=Ev_mCGS&t=c%Xo%hSUtUi#8~=kC$N zX;;_gqSb1N%#E?o76tRPiD}xx(m_EUajaCjG*c^&7jj8zER^uNWLF65ju*=-%kzwI z7&7*Ca661&c9ECR{n?M+FXZrHf7jTNFUkLLmGR*%xeSHm%3~{+t4H2@=x$tn^w1Lz z9njr)JL%Ck-Stm@26dj^I5b?JT%Lt12p7pZhHE^m`wyKb>KLPrFA!tGqUxtB%M;^C znCdBqU)xjmC&H`&Z&pJ13h7`JGPkf|>psn^>utK>V!VDnoe2F|kYo&6cKlKt_u8cM9y!g<0PC-Y@d9Bfz>%7TgBplXq zHf1zzh9Pj=usxw=XUe(Lbrj*Pkqez2BuZzItOxHMlQxd>UHY+&y`&TA4_O zBzqybMklhGrxR<_&0dd&!n#sQVUXI=qyWbnwNF&{6M)54n9p0h>p=+a(PU&wo0`EY zd&%_#%`Ikl^BB3Ns-cE!tXQ38;>xAnwj0g-YAjT%$BgRH-n5Px(H2^1xzPXCtT-;$qN^&Cu9$|o3SfT8 zlvZ+)FkCO*zA09o5>0GJcH4D#DNL=JGPjmBJS5b*OLD0;5K|{!+p|*1YKFiryoJ0y z2CnUD*~LP%ANwZgd~=;!R)wuwraH;^t2L|w!uqDjMt`kH#BN(WE4uk zHY^vvA;*_GGRPUoft7 z%k%^1b#rEZH5z<$t*Olhq@#sLtDK!v3@>V`Wsw|oaPr1+)-jFrV)B%@{vY;DSLex9 zc(y6B#dz>)T*b>-pU+tGN^Il|6;JXU?X+|q#c_@a>zc)}ORilh)7K0eQ6tYZwMs5j zq)FC6HHDE{KHL6SCY36xq1z~OW0+buvS`G<}PmwFb=xXrt8kxSPk}ESmT6X%Z ztzwke^o+`EVM8|^oOe8S*q^j-x>#HzYpTHdgfOqG)?y*fx~w^pT+@qZZ$6cP{nz{wR{9Z@O_$#)#bUJmvNErzQbw#cA!_mXS;gOW?G?S`9KOa`BcnE3(L zww|h;{p$MHnHts4EI(z}fu~h-ms}(7Pr1U9T=Of5z{6`P)pTThN94=HV_qAd!>wFC zxUwo|*Uu~_{u9^H{{h$N+Uy?J-~!XwYd90>C?10!W@&tgzF}o*tay_f1Pd z+a~3MYqPv}#pe&f#Bl6}54h{51w2Y@UI35MobmX@=6aP}b)8(X9S&TJHN2M9_C{$a z4zGv7W?V+Ch0sk8i6-SDb5(NJG(pRhI;}#2_E@i_eFu4L+D%t-!}k61A}15hjy8%F z8%zveXs(58v-@1f0{2*|fr5Kxu`>%pwY*Bjic17H4ZrT<$cFI7wjy`br z6Hgp&Mm=Rc5L)-$f5*K_hij?BRTrrnL8xLMNv?E{2uu+~3KJiNS8a`&fXdT_t-rB|PN>eXZP$g7VW(W}AY$MvkYx_arJm+w<#_I1kG 
z=Nb(>6KMz~v&Gm*mm@*1Ev3~x&Hj_rJ*BDaQmJ}lwJcks|IN*&8K0e5SSoaFzMu?% z>-~@a@Xa5$JwF7x^ZDm*d;ZRjzeK#4?}6**-YaKp<; zr7~)^w6I#t#p1o&VrMa6X(@xE+4OQ^09@~T>6_bkeuv<9hBxZ>f$Jv3Ur>;B<(@kZ zaczd<3THDR46QUB#P#!8L1#i&2n48vXv)WNY90|XMph=jw6HQh*6W~6ET;{uuqO8G zcB(WT={Hw?;ww8aqgX$vtwF0}%SjKL-w$!sb=?ia)sS2PHWXI}E+T@5W2XndH3(jO z*wPw6yIM>}mEQJ&^BEh(%{+^tT5@g>T%X^@ix1f+ZVX&>)7vE1?T$ZUybP{-T@N`A zr#QC5a>Y`t3tg%mR&||Yn`~`F7*d(+0=po4Pz){FtaV~(oi_Pcr0?@^hwJ9Xfss0R z$Gy#Ua>et;9@nDex*M8nqZh7pF9fSzgy^$?cnWPfwvDRbg<>+&%Y`DCiCeqU(^jNr z3QGUEUfI4$^Tdv?=$UZkx5eizxZK~_D_62gHGAO7rT{ro8_m#aIOOUIj&r)t;>InI zEsw=}xB#f4q0i66=Q6EyE!y{e(>+(Vw>I|Fae0r^qs`q~i401~SRtp<2@{4e(wTpX%Y8o%_AWKUbj>Cn|*&#x>8?yj$~uv|TVD)9WeoXw;%nT%#xsZ8o0WKf-7EQluXY!l&e zin${i4L4Kig5k|O zp6FV1fa^xT=3(iPx&81nub;VIKwP35A8t0dY#Iw=!Er=E!&BX{)WGVd=)QF!916oo zUU)NJt}QI#<_Av*+b7pnod?=_3oa5Ndx6-f?Rry~j>Xo1Q@9m6-4;uz7KW$k+9gt3s~bp2}xl zzIS9;boJV-Rqt>ORWE@!4o)F0i!bh{B8l~Y=fC)cf^;);4icB=EF6IhR^yvty|4X$lHjXINl zD?V1dk<~260ah5y!(v{mg!^%dt*Pw&Bv)fK(jctMUWY|pk-6dHzX>cuSN@i?qi#yVVipCr@|u8bfK z7gwyAhF&LEJzpCOezDbRHNdrPrLiCBzm&xE%w&q$eB0w?T6#zu-MNocyJ34iM!GeX z>pRy?i0kX{a7Al|=Ew`C%-~uyo_2MnH<78y45*zhl7u5J^5l;2Jke^K>BTuERD#{b z&!4YD>bTP7DnosJ;YtnF`ig$Kltr$($$q-vU6yFIxZLTYGN6h?Wo)ISAqij`hK=x| zAIj81K`>F6CRP|n*J@F4eGBVr-?(m2+rz|lyB}PcE*mbc zQ5mHV;zVX;R}vxe>x;6%&W1x^ekFR# zU0-s%_KB;!dvX)=@GT=lqsYXR(cpHt-ps6y1(%sjX{cAC6T7YrYK4_xm+-fgzVnXA zgs}sQt)RgUT!pTqVSDthFQ4C$;e$SL-C7?quFACJ%9|ODN-lW&{JCn;wV+{|Rvst* z!HD-nq>-ed-KH*yrq@I-Cur;^DDXbC*CxC zT(5qPSZW(wo3MC^hH$l25r>yIfx7Z)tigy|wrRn9Uc=F~J^ZhXQam3y);X(jgrwta}F9+o` z!IE#k?g+yW__11=3qI+jJx6jC`Q=|E*Ui%(uMZ3@SA^U&0io*84|9Kx^5oi-+w@=} z<2cQxk)O#8EKpp-3acAfGE99k=%~X>ZCyDL>sD%hkL&uy;i}~3XNAxief5o*5F6b1 zRa`3yu9o98OwUix3~G(#PoS=Ii`Qsr!A3)KRfhiA^OO4ZXK>ww)-TRHERQapBX<~9 zDNLv#fHIVD7@s>LQv%lP!?@4wk5*9$aWd1=1p zIlH`ILujkfP}VD@S&y+-c7~h2S}hOex|JxRU7aPKblIp95oJo>wLAek{n1`Os=Z!O0#4Ott64aa#M13cCli7 z`rVJ(U(G1{6*ef&ZhWd;A2Uc}vJ zMVVDJ1*5*&Ofs;J{Ti~iXmS?Dr{Dhgh0N0-O?q+0>&V<%2Jv25Q-pUrx~6n 
z&Dwa|IWEq>p6mCoj>tr#ZdHQo*pKCUamFilPLoK&^4|--{UMVy(dqfLh9d{W zeX;4eaDyo40(_TF;dU-^MKs?E3?(X8=OtI}o4)?)B92%53!uGRr_2-wY$&h=xp{&F zV^1igfoH(dV!1FE?bk}ny->#0A#e@O7SDZ7u1<&RMI5hm0_T8*OrI-kC`GQWWmD35 zOULe{4w)vV zzyFSdy7hE)@2%a>cFW&FNW9dwEy;#mVfj&OCDowIhg6+vVfU#{U7K01txc4Ry=puW zv==I8yIh+Y9JK=*JCWJj<9hp7|$CFCBlx!)JoDK~o3IGVSmt zwDGwz7Foj(rfmyBunx|a$RQZ;mdN+6$?El3U??$#S)b!Ivl`el53Xi?c(}q#@yhM} z(3KBA9MZ;_}mWnM9R<7_D#4VSwFBTn{x-ObsxsV|h+8WU{CTnBC z*=}lH>;3nj$ZG5K zb(6+mZ0V!V&)>Ml;b+B^j?hs)gq!MmX?gqTnyPsX2i1a(1<~e^s_Rs}7ilxOV6Fm- zxD$q}GCfJI=CE+Rw7HODs`G%S#H`O*Lpavup>CYb>r;0Zf*2I*bo9N zU1_9`-jM-|jjcTEpdtv(>phaK&1W+VQ%JW8DQP_0iv(IO0%N|KXqX|navrXmN9N%- z&ZKUQ>nrAAGFU%lZT+_AXG*Te^=OcWgGnw`?X?~)9?O*%t64Q;aAPd*g5YycV4G?v zuDafxhn2wbO5b|Z{u|c^&YbJk)~RBZCphe$ep~+?T#r^>m$X*h;WUbRwBBp^m1rVY ztj#aw^BGOk4Az$kY{jq_3oZD41^Xu0@+Yr}v8@E}hdB@b{rvjCnbg7X{Q5T5S8~Ov zg!|Z25f3<9@Q>Qw-rm~U`3&dRqgJ4**|f>kwsD_D?B7^wC354}udmKjN>p|--RZ@1&lX8JT+bU@J&2jx$@?lAO3LE9E@8h&24Z~ zi?gRz{dZke^ukLdbK_FQ>%C}Y<$6GEBjaM=YB@Z=F3tr9lbKf5tzj9jkCH0~EDoA) zKlAzvr>@suc=U~1jw_rfX{<2tO<1p}|HUisK$t&rqM}C?4-Wad%pZYkh&bXzMu4lZ zhGo2VxB~3v_S-K#gnNu0+}Cs6$G_2YcRY9>p6-3_!TavJV*wlgMCd2T7*D4i<46Lk!>2TFb z!S@i)8=|2*dv!2!D@v|!oF!NMWWlsxXRut^g_Ra9SrWsmg{nga7L}7$LvpRB=5tD5 zEE(PfChLbg^@tmL{jX=vbsbzs1}fI_BLHi$HVppj)$!rE9-k+%g;{~UI#Wc!+u;a{ zK$<3uZnfdzinVnMr_Digr3GDu8BWV$Cbf+Jh2hn#}UKbOp+_>!oMe1 z+R2_d*FW1kpPxp`IE+(DX^4lGt#M2Au$87nXFW&ZKypT{PZ__p;PBOPJagAI}aQ(f- z^}q{U_e=ZWI(g-P)zNP<;VQP#Hbk0DqOXNj*K9U)k7S82x2OKg`%#;k*^Lv zn9>PXUk|zN6Kth7TsbI?vh0B@3#tf=iajuog>Ohx6FO_&=`MUjCbpwZ!Fjl?Mt*=F z%z$gl8aApbSfEhQmX)n&e(Mr5m)$$A@c@=!;W?DWakf_o3&~Z->5n$ogX_*!TEiO0 zCf(|=)SXvuZmEOnBhr(f|+vXa&_0M#AKEY?9)XuA?Me@c9ezt1!m&${C#k(9}c*-z`nWGEK9DK z#UlAXnoD1v*MRe!dYYyOv_7t?ZuXh(XXv^o1mH$C1Gj$N8*u%*kIlzL11GC>9X?1n zq=;gj{+=|(qgVrL3RW}2^AI>w=f>+vhy5x4q48*;+m92E@y;EOSZJwa`$T>z@Oz&-QIGncrG0a!Xq%x~(r{ z(i2zJ82i|_R?EOja}ui=+n#V^%$AD_SQi~1H}uH&!{CY(3UWR44%Z$RQDQTgi^Q8% zj984S5Uic7hYRpm8@>v({?MaX)2M2;hMj&>ahYGjHUFxR>3yht$-09l@p?GmdMZEL 
zVihYrmLV)df>onQm^Jw?yEz_3ozUr~%+liygi%GE&{21FLYwp%W1R;y!>x9htNuOb zS~~C!SC|cKuSJ{a<6vcLXaK9=AOdW-b}lz)ef|XN`U*n`A#0{s5hRzm+#;xITqi3F zdfQ8`N94NSbFTZq>J_d-qtZn}d)mNCaXVcZWmYhP+D#{JU(&pXb-3ZKY09HkLg(gE zG{-TMyHOLI_7Jb-CYF*1T+iubVf=EB=A{iqQ+Uwx*i>lM6w7^|z6|p`*3I96y8*IF z09L5nc8z2G(A}aVO(+z3RF$c%B70@CVUb7qc4yx zJJ!wobhv4l5-Wu0i){s57L8}UaD10hW|7PRSErEuW#OKIO*`4$@l=~_YM212VMgtv z^(Df65kF{nB9z{Ka8Jc}iPk|{Svp?F*VY3r7n5^zDOQAKl*4q#q>bUVwx#I8XitAVh*OANO>SP`>_hVO@oqY(+-E5_+hcxvn7_y zIX*Uvgh`YTR`(!$s<$O9t4ilf2sdsNmT&R~5}E=P*`*@r8m6Whir!7Z4<4+5*N_6P z%`h@}J`I_FsF=b+#L>U)Nw}NkgFXoMR60R%%^E^UFH@)?~cGS>tRG8z9lgQnt2Sc{fj7 z4~bRYORhqv8Lr$w0${^RW!K$r46?LO+yYhsu<8N|6?=)R z`*xUIffW{N5TDAy89KyU`>N96KK+}fT3jvd92HyrXxp09B!;3QBNQzi2$KZ$H#&_X z5XGP~m!p&u$rntSKa!$n+c9ULtn(q^xE?f3vv+NAT}=%2E7#x~8;DonlvqprwlmT0 zmk!94<@f5R@mf{Rktj>Bnt)i@94fcCRvDo}Fd8Xb1(689s|Bf{bR*dk2(BfdA%<{| z9!(ayOCjM3BEnV9kQ5a5AAXjr$NE=iu1Da?IHb<^Tf=o7TzzS9buWe?1gxiGa6T)g zTeTkzR7p}*4MStR3N?(4g*WFXM!U@ku<@KsE`&w0_lKV0S})-@?=!9~M+}Hh=g()} zI>bU=3xp z&}OHezhJdXW&ZKgHmTj+ovk!X6%)5Fwl_3-e>+NJY#v=KN-z69=X%uUT6yW~jdQiQ zxVUk5adCO^?%m~;u_4MoaXSB}#_Y=6>u|G)pJ+tdVh z3w+Q;_nTnuWNT)z0j|>Vw!gVnN@Rq`U&i_oqGnuILol?Nn zj$u2!-?`Q+(j>D~dl_?=>#EVjW=d<2D;KKZC-1vB*N5)8`YtnGffcIM_O35i-~F9f zvz4rC70Y3|#Qg`Z-iX&qsl~OvhcWK;6tEV;f?RD~7vTaIANxFBCpYToUE5rzhOVXH z{g;fW7Ur&4KeWR!R+{Yhc%5w3+PT(T16wiGwshN&2{|cFal9X|L5Ftut~5+OAlEzB zvK?k#y{g$Zx>j)2BH6^hoGS5NygG4R9G6_L?YIefl!dTSHBDXTo^O;h*XOzRU%aB0 zovg`nO}S#ol#E+dO{P&ANRP$L)vNJ3+vWTfmC5L(cpb;XGV9sa*Qkb*bPwx?c-?p-IN*9tX6|+@EHq&$Pr(((z;|&T^-8(k z8gPB_@-JnRssW=ITPQ_F>rcQs;M(Vcz0_)icB{zV5t>$QCRs_pPq<<{JQz2fF=B%6 zg|2I+sTtL>0XMj8=$xzwk8#}?a6PkYU4u`Jtzcu$JT6+{)H#(yMh0B_Lo!%ZQ8t9G zbI8~FD=>kT z6Py9pzLr0+yB29$!eDv+1}&PRg&knM46ctIxqdX@`a(2(Kb@Uch0M6KOpKW5WS)le zL@&8QZn++ua2?EFJDTA2d`e|XCeqmDm`Q1-vX0IZBa>Zly+N+~?zsB8=K5#%T>tO; z>OOxcor$T6w9VDZ_+Z-#R{CL4;K=pYF5=Z2T))01Tz!E=dJ{>@CXyhT%)@lth81;F zCxl!tAzrBg*Z=D21h2$c#5Of>Wd^;iAbVP!&Thdm*A3UcYlp7^SKn|by_=nm8ya_6 
z(Y2Okc9nr(WgFZtT&D(H{}HN~uSUYKifTMH(X~pKA;k(OvuR9k23-44K0l!D=96fE z8wL&jbxL`9{8Wvs$zUCD?Kh43CqgsZ*|q67b8Zl!ihwK|aLuP`GRwjs1FroepKqAi zoAXQS+ZjUTz?WP#a5W4Xg4nRtTkocJM9>rC;j83290&v^CIW5wd!|5369AeZ(baq* z6%DJFP*{{7!eZ@`9e2zg`~K;A=ObTX>%ulfT?V`cbFe>{RF z+1{l#H?z6i+Cn5w7e8t9#c2&yHo+C5OF0ciJi+zS;x*XKdQ))n$4}b&=#4Sy8mOo-#^?-yb zpsHxgV3~$Sk)BQ`u6+DV6R>pJnh5}lH@OBci|cES2QkL$uokJ;#((?hmQQj;WN7WT ztCA*oQ>9wwKJteABt=8|@M%ix{R$yFNERow5>9dyOD zeEewX?$ER6VG?_;&Cibfr=Smk2 zcRmD%%y=T#he0Q0&DRWF2!^d5pU!V?Ih0{?ZPIvvmO8o0aSf-BlefGv%?;EJ;qY&6`o!#{ovt|fAP zSGL2xrDWAh5`uFZGA$Qj|E|JQo>g4tZ!=W?J6EWJcy-6MUO6Dwpo{z*Iv9fMLuamd z4Y=gWJjoKhEK7A4{VOlV%ixsje9{tLl4;6?eU(0YDQT0q^&)DeaUHQnA3>=0i4)g1 z7TfXahAaD5`UA5ae${E8ZVz1PqE;Dq_6xr&{lXzvT*rAW`fYNR{)o}2s(VTCNMt&; zme2pRxtn%xspsMx%y{jHsv};VE?$1OUaH{Q+BoWQII(&eezL?he%FcXjXN8yCxMHd zxcY7`!rdR%?&x1#ah0!v`Z&1C^`@Wlg+kIZDird$?B@15OcF!41H;`gby)73ee(F- zmL5BeLVTaU@}zy~ho61!@W^8;PaZ#h>n&cq>@?2_t}K7}F2##)`W#p-<8i+_K_(|J~0?V;8-cUk{R*9^M_JaN3MsBU#dF7RlpjRH=9B~>wf6j|% zXYbrunG8C;VqRZaS-C^4e2#EEUpFRkY5U@!(=*1CIJx+BpTm=Q9}m3p+_fk)9OzVk Y0hymDP;*a@`~Uy|07*qoM6N<$f~~+8Hvj+t literal 0 HcmV?d00001 diff --git a/OCSF/ocsf/_meta/fields.yml b/OCSF/ocsf/_meta/fields.yml index 74eb2dc1e..a4a5807dc 100644 --- a/OCSF/ocsf/_meta/fields.yml +++ b/OCSF/ocsf/_meta/fields.yml 
@@ -1,7675 +1,44 @@ -input.type: - description: Type of filebeat input. - name: input.type - type: keyword -log.offset: - description: Log offset. - name: log.offset - type: long -ocsf.access_mask: - description: The access mask in a platform-native format. - name: ocsf.access_mask - type: long -ocsf.activity_id: - description: The normalized identifier of the activity that triggered the event. - name: ocsf.activity_id - type: long -ocsf.activity_name: - description: The event activity name, as defined by the activity_id. - name: ocsf.activity_name - type: keyword -ocsf.actor.authorizations.decision: - description: Authorization Result/outcome, e.g. allowed, denied. - name: ocsf.actor.authorizations.decision - type: keyword -ocsf.actor.authorizations.policy.desc: - description: The description of the policy. - name: ocsf.actor.authorizations.policy.desc - type: keyword -ocsf.actor.authorizations.policy.group.desc: - description: The group description. - name: ocsf.actor.authorizations.policy.group.desc - type: keyword -ocsf.actor.authorizations.policy.group.name: - description: The group name. - name: ocsf.actor.authorizations.policy.group.name - type: keyword -ocsf.actor.authorizations.policy.group.privileges: - description: The group privileges. - name: ocsf.actor.authorizations.policy.group.privileges - type: keyword -ocsf.actor.authorizations.policy.group.type: - description: The type of the group or account. - name: ocsf.actor.authorizations.policy.group.type - type: keyword -ocsf.actor.authorizations.policy.group.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.authorizations.policy.group.uid - type: keyword -ocsf.actor.authorizations.policy.name: - description: "The policy name. For example: IAM Policy." 
- name: ocsf.actor.authorizations.policy.name - type: keyword -ocsf.actor.authorizations.policy.uid: - description: A unique identifier of the policy instance. - name: ocsf.actor.authorizations.policy.uid - type: keyword -ocsf.actor.authorizations.policy.version: - description: The policy version number. - name: ocsf.actor.authorizations.policy.version - type: keyword -ocsf.actor.idp.name: - description: The name of the identity provider. - name: ocsf.actor.idp.name - type: keyword -ocsf.actor.idp.uid: - description: The unique identifier of the identity provider. - name: ocsf.actor.idp.uid - type: keyword -ocsf.actor.invoked_by: - description: - The name of the service that invoked the activity as described in the - event. - name: ocsf.actor.invoked_by - type: keyword -ocsf.actor.process.auid: - description: The audit user assigned at login by the audit subsystem. - name: ocsf.actor.process.auid - type: keyword -ocsf.actor.process.container.hash.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.actor.process.container.hash.algorithm - type: keyword -ocsf.actor.process.container.hash.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.actor.process.container.hash.algorithm_id - type: keyword -ocsf.actor.process.container.hash.value: - description: The digital fingerprint value. - name: ocsf.actor.process.container.hash.value - type: keyword -ocsf.actor.process.container.image.path: - description: The full path to the image file. - name: ocsf.actor.process.container.image.path - type: keyword -ocsf.actor.process.container.image.uid: - description: The unique image ID. 
- name: ocsf.actor.process.container.image.uid - type: keyword -ocsf.actor.process.container.network_driver: - description: - The network driver used by the container. For example, bridge, overlay, - host, none, etc. - name: ocsf.actor.process.container.network_driver - type: keyword -ocsf.actor.process.container.pod_uuid: - description: - The unique identifier of the pod (or equivalent) that the container - is executing on. - name: ocsf.actor.process.container.pod_uuid - type: keyword -ocsf.actor.process.container.size: - description: The size of the container image. - name: ocsf.actor.process.container.size - type: long -ocsf.actor.process.container.tag: - description: The tag used by the container. It can indicate version, format, OS. - name: ocsf.actor.process.container.tag - type: keyword -ocsf.actor.process.created_time_dt: - description: The time when the process was created/started. - name: ocsf.actor.process.created_time_dt - type: date -ocsf.actor.process.file.accessed_time_dt: - description: The time when the file was last accessed. - name: ocsf.actor.process.file.accessed_time_dt - type: date -ocsf.actor.process.file.accessor.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.actor.process.file.accessor.account.name - type: keyword -ocsf.actor.process.file.accessor.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.file.accessor.account.type - type: keyword -ocsf.actor.process.file.accessor.account.type_id: - description: The normalized account type identifier. - name: ocsf.actor.process.file.accessor.account.type_id - type: keyword -ocsf.actor.process.file.accessor.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). 
- name: ocsf.actor.process.file.accessor.account.uid - type: keyword -ocsf.actor.process.file.accessor.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.file.accessor.credential_uid - type: keyword -ocsf.actor.process.file.accessor.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.actor.process.file.accessor.domain - type: keyword -ocsf.actor.process.file.accessor.email_addr: - description: The user's email address. - name: ocsf.actor.process.file.accessor.email_addr - type: keyword -ocsf.actor.process.file.accessor.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.actor.process.file.accessor.full_name - type: keyword -ocsf.actor.process.file.accessor.groups.desc: - description: The group description. - name: ocsf.actor.process.file.accessor.groups.desc - type: keyword -ocsf.actor.process.file.accessor.groups.name: - description: The group name. - name: ocsf.actor.process.file.accessor.groups.name - type: keyword -ocsf.actor.process.file.accessor.groups.privileges: - description: The group privileges. - name: ocsf.actor.process.file.accessor.groups.privileges - type: keyword -ocsf.actor.process.file.accessor.groups.type: - description: The type of the group or account. - name: ocsf.actor.process.file.accessor.groups.type - type: keyword -ocsf.actor.process.file.accessor.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.process.file.accessor.groups.uid - type: keyword -ocsf.actor.process.file.accessor.name: - description: The username. For example, janedoe1. - name: ocsf.actor.process.file.accessor.name - type: keyword -ocsf.actor.process.file.accessor.org.name: - description: The name of the organization. 
For example, Widget, Inc. - name: ocsf.actor.process.file.accessor.org.name - type: keyword -ocsf.actor.process.file.accessor.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.actor.process.file.accessor.org.ou_name - type: keyword -ocsf.actor.process.file.accessor.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.process.file.accessor.org.ou_uid - type: keyword -ocsf.actor.process.file.accessor.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.actor.process.file.accessor.org.uid - type: keyword -ocsf.actor.process.file.accessor.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.actor.process.file.accessor.type - type: keyword -ocsf.actor.process.file.accessor.type_id: - description: The account type identifier. - name: ocsf.actor.process.file.accessor.type_id - type: keyword -ocsf.actor.process.file.accessor.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.actor.process.file.accessor.uid - type: keyword -ocsf.actor.process.file.accessor.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.actor.process.file.accessor.uid_alt - type: keyword -ocsf.actor.process.file.attributes: - description: The Bitmask value that represents the file attributes. - name: ocsf.actor.process.file.attributes - type: long -ocsf.actor.process.file.company_name: - description: - "The name of the company that published the file. For example: Microsoft - Corporation." 
- name: ocsf.actor.process.file.company_name - type: keyword -ocsf.actor.process.file.confidentiality: - description: - The file content confidentiality, normalized to the confidentiality_id - value. In the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.file.confidentiality - type: keyword -ocsf.actor.process.file.confidentiality_id: - description: The normalized identifier of the file content confidentiality indicator. - name: ocsf.actor.process.file.confidentiality_id - type: keyword -ocsf.actor.process.file.created_time_dt: - description: The time when the file was created. - name: ocsf.actor.process.file.created_time_dt - type: date -ocsf.actor.process.file.creator.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.actor.process.file.creator.account.name - type: keyword -ocsf.actor.process.file.creator.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.file.creator.account.type - type: keyword -ocsf.actor.process.file.creator.account.type_id: - description: The normalized account type identifier. - name: ocsf.actor.process.file.creator.account.type_id - type: keyword -ocsf.actor.process.file.creator.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.actor.process.file.creator.account.uid - type: keyword -ocsf.actor.process.file.creator.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.file.creator.credential_uid - type: keyword -ocsf.actor.process.file.creator.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." 
- name: ocsf.actor.process.file.creator.domain - type: keyword -ocsf.actor.process.file.creator.email_addr: - description: The user's email address. - name: ocsf.actor.process.file.creator.email_addr - type: keyword -ocsf.actor.process.file.creator.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.actor.process.file.creator.full_name - type: keyword -ocsf.actor.process.file.creator.groups.desc: - description: The group description. - name: ocsf.actor.process.file.creator.groups.desc - type: keyword -ocsf.actor.process.file.creator.groups.name: - description: The group name. - name: ocsf.actor.process.file.creator.groups.name - type: keyword -ocsf.actor.process.file.creator.groups.privileges: - description: The group privileges. - name: ocsf.actor.process.file.creator.groups.privileges - type: keyword -ocsf.actor.process.file.creator.groups.type: - description: The type of the group or account. - name: ocsf.actor.process.file.creator.groups.type - type: keyword -ocsf.actor.process.file.creator.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.process.file.creator.groups.uid - type: keyword -ocsf.actor.process.file.creator.name: - description: The name of the city. - name: ocsf.actor.process.file.creator.name - type: keyword -ocsf.actor.process.file.creator.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.actor.process.file.creator.org.name - type: keyword -ocsf.actor.process.file.creator.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.actor.process.file.creator.org.ou_name - type: keyword -ocsf.actor.process.file.creator.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. 
For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.process.file.creator.org.ou_uid - type: keyword -ocsf.actor.process.file.creator.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.actor.process.file.creator.org.uid - type: keyword -ocsf.actor.process.file.creator.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.actor.process.file.creator.type - type: keyword -ocsf.actor.process.file.creator.type_id: - description: The account type identifier. - name: ocsf.actor.process.file.creator.type_id - type: keyword -ocsf.actor.process.file.creator.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.actor.process.file.creator.uid - type: keyword -ocsf.actor.process.file.creator.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.actor.process.file.creator.uid_alt - type: keyword -ocsf.actor.process.file.desc: - description: - "The description of the file, as returned by file system. For example: - the description as returned by the Unix file command or the Windows file type." - name: ocsf.actor.process.file.desc - type: keyword -ocsf.actor.process.file.hashes.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.actor.process.file.hashes.algorithm - type: keyword -ocsf.actor.process.file.hashes.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.actor.process.file.hashes.algorithm_id - type: keyword -ocsf.actor.process.file.hashes.value: - description: The digital fingerprint value. 
- name: ocsf.actor.process.file.hashes.value - type: keyword -ocsf.actor.process.file.is_system: - description: The indication of whether the object is part of the operating system. - name: ocsf.actor.process.file.is_system - type: boolean -ocsf.actor.process.file.modified_time_dt: - description: The time when the file was last modified. - name: ocsf.actor.process.file.modified_time_dt - type: date -ocsf.actor.process.file.modifier.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.actor.process.file.modifier.account.name - type: keyword -ocsf.actor.process.file.modifier.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.file.modifier.account.type - type: keyword -ocsf.actor.process.file.modifier.account.type_id: - description: The normalized account type identifier. - name: ocsf.actor.process.file.modifier.account.type_id - type: keyword -ocsf.actor.process.file.modifier.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.actor.process.file.modifier.account.uid - type: keyword -ocsf.actor.process.file.modifier.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.file.modifier.credential_uid - type: keyword -ocsf.actor.process.file.modifier.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.actor.process.file.modifier.domain - type: keyword -ocsf.actor.process.file.modifier.email_addr: - description: "The image name. For example: elixir." - name: ocsf.actor.process.file.modifier.email_addr - type: keyword -ocsf.actor.process.file.modifier.full_name: - description: The user's email address. 
- name: ocsf.actor.process.file.modifier.full_name - type: keyword -ocsf.actor.process.file.modifier.groups.desc: - description: The group description. - name: ocsf.actor.process.file.modifier.groups.desc - type: keyword -ocsf.actor.process.file.modifier.groups.name: - description: The group name. - name: ocsf.actor.process.file.modifier.groups.name - type: keyword -ocsf.actor.process.file.modifier.groups.privileges: - description: The group privileges. - name: ocsf.actor.process.file.modifier.groups.privileges - type: keyword -ocsf.actor.process.file.modifier.groups.type: - description: The type of the group or account. - name: ocsf.actor.process.file.modifier.groups.type - type: keyword -ocsf.actor.process.file.modifier.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.process.file.modifier.groups.uid - type: keyword -ocsf.actor.process.file.modifier.name: - description: The username. For example, janedoe1. - name: ocsf.actor.process.file.modifier.name - type: keyword -ocsf.actor.process.file.modifier.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.actor.process.file.modifier.org.name - type: keyword -ocsf.actor.process.file.modifier.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.actor.process.file.modifier.org.ou_name - type: keyword -ocsf.actor.process.file.modifier.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.process.file.modifier.org.ou_uid - type: keyword -ocsf.actor.process.file.modifier.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. 
- name: ocsf.actor.process.file.modifier.org.uid - type: keyword -ocsf.actor.process.file.modifier.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.actor.process.file.modifier.type - type: keyword -ocsf.actor.process.file.modifier.type_id: - description: The account type identifier. - name: ocsf.actor.process.file.modifier.type_id - type: keyword -ocsf.actor.process.file.modifier.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.actor.process.file.modifier.uid - type: keyword -ocsf.actor.process.file.modifier.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.actor.process.file.modifier.uid_alt - type: keyword -ocsf.actor.process.file.owner.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.actor.process.file.owner.account.name - type: keyword -ocsf.actor.process.file.owner.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.file.owner.account.type - type: keyword -ocsf.actor.process.file.owner.account.type_id: - description: The normalized account type identifier. - name: ocsf.actor.process.file.owner.account.type_id - type: keyword -ocsf.actor.process.file.owner.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.actor.process.file.owner.account.uid - type: keyword -ocsf.actor.process.file.owner.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.file.owner.credential_uid - type: keyword -ocsf.actor.process.file.owner.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." 
- name: ocsf.actor.process.file.owner.domain - type: keyword -ocsf.actor.process.file.owner.email_addr: - description: The user's email address. - name: ocsf.actor.process.file.owner.email_addr - type: keyword -ocsf.actor.process.file.owner.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.actor.process.file.owner.full_name - type: keyword -ocsf.actor.process.file.owner.groups.desc: - description: The group description. - name: ocsf.actor.process.file.owner.groups.desc - type: keyword -ocsf.actor.process.file.owner.groups.name: - description: The group name. - name: ocsf.actor.process.file.owner.groups.name - type: keyword -ocsf.actor.process.file.owner.groups.privileges: - description: The group privileges. - name: ocsf.actor.process.file.owner.groups.privileges - type: keyword -ocsf.actor.process.file.owner.groups.type: - description: The type of the group or account. - name: ocsf.actor.process.file.owner.groups.type - type: keyword -ocsf.actor.process.file.owner.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.process.file.owner.groups.uid - type: keyword -ocsf.actor.process.file.owner.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.actor.process.file.owner.org.name - type: keyword -ocsf.actor.process.file.owner.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.actor.process.file.owner.org.ou_name - type: keyword -ocsf.actor.process.file.owner.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.process.file.owner.org.ou_uid - type: keyword -ocsf.actor.process.file.owner.org.uid: - description: - The unique identifier of the organization. 
For example, its Active - Directory or AWS Org ID. - name: ocsf.actor.process.file.owner.org.uid - type: keyword -ocsf.actor.process.file.owner.type: - description: - The event occurred on a personal device.The type of the user. For example, - System, AWS IAM User, etc. - name: ocsf.actor.process.file.owner.type - type: keyword -ocsf.actor.process.file.owner.type_id: - description: The account type identifier. - name: ocsf.actor.process.file.owner.type_id - type: keyword -ocsf.actor.process.file.owner.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.actor.process.file.owner.uid_alt - type: keyword -ocsf.actor.process.file.product.feature.name: - description: The name of the feature. - name: ocsf.actor.process.file.product.feature.name - type: keyword -ocsf.actor.process.file.product.feature.uid: - description: The unique identifier of the feature. - name: ocsf.actor.process.file.product.feature.uid - type: keyword -ocsf.actor.process.file.product.feature.version: - description: The version of the feature. - name: ocsf.actor.process.file.product.feature.version - type: keyword -ocsf.actor.process.file.product.lang: - description: - "The two letter lower case language codes, as defined by ISO 639-1. - For example: en (English), de (German), or fr (French)." - name: ocsf.actor.process.file.product.lang - type: keyword -ocsf.actor.process.file.product.name: - description: The name of the feature. - name: ocsf.actor.process.file.product.name - type: keyword -ocsf.actor.process.file.product.path: - description: The installation path of the product. - name: ocsf.actor.process.file.product.path - type: keyword -ocsf.actor.process.file.product.uid: - description: The unique identifier of the feature. - name: ocsf.actor.process.file.product.uid - type: keyword -ocsf.actor.process.file.product.url_string: - description: The URL pointing towards the product. 
- name: ocsf.actor.process.file.product.url_string - type: keyword -ocsf.actor.process.file.product.vendor_name: - description: The name of the vendor of the product. - name: ocsf.actor.process.file.product.vendor_name - type: keyword -ocsf.actor.process.file.product.version: - description: - "The version of the product, as defined by the event source. For example: - 2013.1.3-beta." - name: ocsf.actor.process.file.product.version - type: keyword -ocsf.actor.process.file.security_descriptor: - description: The object security descriptor. - name: ocsf.actor.process.file.security_descriptor - type: keyword -ocsf.actor.process.file.signature.algorithm: - description: - The digital signature algorithm used to create the signature, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.actor.process.file.signature.algorithm - type: keyword -ocsf.actor.process.file.signature.algorithm_id: - description: The identifier of the normalized digital signature algorithm. - name: ocsf.actor.process.file.signature.algorithm_id - type: keyword -ocsf.actor.process.file.signature.certificate.created_time: - description: The time when the certificate was created. - name: ocsf.actor.process.file.signature.certificate.created_time - type: date -ocsf.actor.process.file.signature.certificate.created_time_dt: - description: The time when the certificate was created. - name: ocsf.actor.process.file.signature.certificate.created_time_dt - type: date -ocsf.actor.process.file.signature.certificate.expiration_time_dt: - description: The expiration time of the certificate. - name: ocsf.actor.process.file.signature.certificate.expiration_time_dt - type: date -ocsf.actor.process.file.signature.certificate.fingerprints.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. 
- name: ocsf.actor.process.file.signature.certificate.fingerprints.algorithm - type: keyword -ocsf.actor.process.file.signature.certificate.fingerprints.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.actor.process.file.signature.certificate.fingerprints.algorithm_id - type: keyword -ocsf.actor.process.file.signature.certificate.fingerprints.value: - description: The digital fingerprint value. - name: ocsf.actor.process.file.signature.certificate.fingerprints.value - type: keyword -ocsf.actor.process.file.signature.created_time: - description: The time when the digital signature was created. - name: ocsf.actor.process.file.signature.created_time - type: date -ocsf.actor.process.file.signature.created_time_dt: - description: The time when the digital signature was created. - name: ocsf.actor.process.file.signature.created_time_dt - type: date -ocsf.actor.process.file.signature.developer_uid: - description: The developer ID on the certificate that signed the file. - name: ocsf.actor.process.file.signature.developer_uid - type: keyword -ocsf.actor.process.file.signature.digest.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.actor.process.file.signature.digest.algorithm - type: keyword -ocsf.actor.process.file.signature.digest.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.actor.process.file.signature.digest.algorithm_id - type: keyword -ocsf.actor.process.file.signature.digest.value: - description: The digital fingerprint value. - name: ocsf.actor.process.file.signature.digest.value - type: keyword -ocsf.actor.process.file.type_id: - description: The file type ID. 
- name: ocsf.actor.process.file.type_id - type: keyword -ocsf.actor.process.file.version: - description: "The file version. For example: 8.0.7601.17514." - name: ocsf.actor.process.file.version - type: keyword -ocsf.actor.process.file.xattributes: - description: - An unordered collection of zero or more name/value pairs where each - pair represents a file or folder extended attribute. - name: ocsf.actor.process.file.xattributes - type: flattened -ocsf.actor.process.group.desc: - description: The group description. - name: ocsf.actor.process.group.desc - type: keyword -ocsf.actor.process.group.privileges: - description: The group privileges. - name: ocsf.actor.process.group.privileges - type: keyword -ocsf.actor.process.group.type: - description: The type of the group or account. - name: ocsf.actor.process.group.type - type: keyword -ocsf.actor.process.integrity: - description: - The process integrity level, normalized to the caption of the direction_id - value. In the case of 'Other', it is defined by the event source (Windows only). - name: ocsf.actor.process.integrity - type: keyword -ocsf.actor.process.integrity_id: - description: The normalized identifier of the process integrity level (Windows only). - name: ocsf.actor.process.integrity_id - type: keyword -ocsf.actor.process.lineage: - description: - "The lineage of the process, represented by a list of paths for each - ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']." - name: ocsf.actor.process.lineage - type: keyword -ocsf.actor.process.loaded_modules: - description: The list of loaded module names. - name: ocsf.actor.process.loaded_modules - type: keyword -ocsf.actor.process.namespace_pid: - description: - If running under a process namespace (such as in a container), the - process identifier within that process namespace. 
- name: ocsf.actor.process.namespace_pid - type: long -ocsf.actor.process.parent_process.auid: - description: The audit user assigned at login by the audit subsystem. - name: ocsf.actor.process.parent_process.auid - type: keyword -ocsf.actor.process.parent_process.container.hash.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.actor.process.parent_process.container.hash.algorithm - type: keyword -ocsf.actor.process.parent_process.container.hash.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.actor.process.parent_process.container.hash.algorithm_id - type: keyword -ocsf.actor.process.parent_process.container.hash.value: - description: The digital fingerprint value. - name: ocsf.actor.process.parent_process.container.hash.value - type: keyword -ocsf.actor.process.parent_process.container.image.labels: - description: The image labels. - name: ocsf.actor.process.parent_process.container.image.labels - type: keyword -ocsf.actor.process.parent_process.container.image.name: - description: The image name. - name: ocsf.actor.process.parent_process.container.image.name - type: keyword -ocsf.actor.process.parent_process.container.image.path: - description: The full path to the image file. - name: ocsf.actor.process.parent_process.container.image.path - type: keyword -ocsf.actor.process.parent_process.container.image.tag: - description: The tag used by the container. It can indicate version, format, OS. - name: ocsf.actor.process.parent_process.container.image.tag - type: keyword -ocsf.actor.process.parent_process.container.image.uid: - description: The unique image ID. 
- name: ocsf.actor.process.parent_process.container.image.uid - type: keyword -ocsf.actor.process.parent_process.container.name: - description: The container name. - name: ocsf.actor.process.parent_process.container.name - type: keyword -ocsf.actor.process.parent_process.container.network_driver: - description: - The network driver used by the container. For example, bridge, overlay, - host, none, etc. - name: ocsf.actor.process.parent_process.container.network_driver - type: keyword -ocsf.actor.process.parent_process.container.orchestrator: - description: - The orchestrator managing the container, such as ECS, EKS, K8s, or - OpenShift. - name: ocsf.actor.process.parent_process.container.orchestrator - type: keyword -ocsf.actor.process.parent_process.container.pod_uuid: - description: - The unique identifier of the pod (or equivalent) that the container - is executing on. - name: ocsf.actor.process.parent_process.container.pod_uuid - type: keyword -ocsf.actor.process.parent_process.container.runtime: - description: The backend running the container, such as containerd or cri-o. - name: ocsf.actor.process.parent_process.container.runtime - type: keyword -ocsf.actor.process.parent_process.container.size: - description: The size of the container image. - name: ocsf.actor.process.parent_process.container.size - type: long -ocsf.actor.process.parent_process.container.tag: - description: The tag used by the container. It can indicate version, format, OS. - name: ocsf.actor.process.parent_process.container.tag - type: keyword -ocsf.actor.process.parent_process.container.uid: - description: - The full container unique identifier for this instantiation of the - container. - name: ocsf.actor.process.parent_process.container.uid - type: keyword -ocsf.actor.process.parent_process.created_time_dt: - description: The time when the process was created/started. 
- name: ocsf.actor.process.parent_process.created_time_dt - type: date -ocsf.actor.process.parent_process.file.accessed_time: - description: The time when the file was last accessed. - name: ocsf.actor.process.parent_process.file.accessed_time - type: date -ocsf.actor.process.parent_process.file.accessed_time_dt: - description: The time when the file was last accessed. - name: ocsf.actor.process.parent_process.file.accessed_time_dt - type: date -ocsf.actor.process.parent_process.file.accessor.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.actor.process.parent_process.file.accessor.account.name - type: keyword -ocsf.actor.process.parent_process.file.accessor.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.parent_process.file.accessor.account.type - type: keyword -ocsf.actor.process.parent_process.file.accessor.account.type_id: - description: The normalized account type identifier. - name: ocsf.actor.process.parent_process.file.accessor.account.type_id - type: keyword -ocsf.actor.process.parent_process.file.accessor.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.actor.process.parent_process.file.accessor.account.uid - type: keyword -ocsf.actor.process.parent_process.file.accessor.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.parent_process.file.accessor.credential_uid - type: keyword -ocsf.actor.process.parent_process.file.accessor.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.actor.process.parent_process.file.accessor.domain - type: keyword -ocsf.actor.process.parent_process.file.accessor.email_addr: - description: The user's email address. 
- name: ocsf.actor.process.parent_process.file.accessor.email_addr - type: keyword -ocsf.actor.process.parent_process.file.accessor.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.actor.process.parent_process.file.accessor.full_name - type: keyword -ocsf.actor.process.parent_process.file.accessor.groups.desc: - description: The group description. - name: ocsf.actor.process.parent_process.file.accessor.groups.desc - type: keyword -ocsf.actor.process.parent_process.file.accessor.groups.name: - description: The group name. - name: ocsf.actor.process.parent_process.file.accessor.groups.name - type: keyword -ocsf.actor.process.parent_process.file.accessor.groups.privileges: - description: The group privileges. - name: ocsf.actor.process.parent_process.file.accessor.groups.privileges - type: keyword -ocsf.actor.process.parent_process.file.accessor.groups.type: - description: The type of the group or account. - name: ocsf.actor.process.parent_process.file.accessor.groups.type - type: keyword -ocsf.actor.process.parent_process.file.accessor.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.process.parent_process.file.accessor.groups.uid - type: keyword -ocsf.actor.process.parent_process.file.accessor.name: - description: The username. For example, janedoe1. - name: ocsf.actor.process.parent_process.file.accessor.name - type: keyword -ocsf.actor.process.parent_process.file.accessor.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.actor.process.parent_process.file.accessor.org.name - type: keyword -ocsf.actor.process.parent_process.file.accessor.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. 
- name: ocsf.actor.process.parent_process.file.accessor.org.ou_name - type: keyword -ocsf.actor.process.parent_process.file.accessor.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.process.parent_process.file.accessor.org.ou_uid - type: keyword -ocsf.actor.process.parent_process.file.accessor.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.actor.process.parent_process.file.accessor.org.uid - type: keyword -ocsf.actor.process.parent_process.file.accessor.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.actor.process.parent_process.file.accessor.type - type: keyword -ocsf.actor.process.parent_process.file.accessor.type_id: - description: The account type identifier. - name: ocsf.actor.process.parent_process.file.accessor.type_id - type: keyword -ocsf.actor.process.parent_process.file.accessor.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.actor.process.parent_process.file.accessor.uid - type: keyword -ocsf.actor.process.parent_process.file.accessor.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.actor.process.parent_process.file.accessor.uid_alt - type: keyword -ocsf.actor.process.parent_process.file.attributes: - description: The Bitmask value that represents the file attributes. - name: ocsf.actor.process.parent_process.file.attributes - type: long -ocsf.actor.process.parent_process.file.company_name: - description: - "The name of the company that published the file. For example: Microsoft - Corporation." 
- name: ocsf.actor.process.parent_process.file.company_name - type: keyword -ocsf.actor.process.parent_process.file.confidentiality: - description: - The file content confidentiality, normalized to the confidentiality_id - value. In the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.parent_process.file.confidentiality - type: keyword -ocsf.actor.process.parent_process.file.confidentiality_id: - description: The normalized identifier of the file content confidentiality indicator. - name: ocsf.actor.process.parent_process.file.confidentiality_id - type: keyword -ocsf.actor.process.parent_process.file.created_time: - description: The time when the file was created. - name: ocsf.actor.process.parent_process.file.created_time - type: date -ocsf.actor.process.parent_process.file.created_time_dt: - description: The time when the file was created. - name: ocsf.actor.process.parent_process.file.created_time_dt - type: date -ocsf.actor.process.parent_process.file.creator.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.actor.process.parent_process.file.creator.account.name - type: keyword -ocsf.actor.process.parent_process.file.creator.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.parent_process.file.creator.account.type - type: keyword -ocsf.actor.process.parent_process.file.creator.account.type_id: - description: The normalized account type identifier. - name: ocsf.actor.process.parent_process.file.creator.account.type_id - type: keyword -ocsf.actor.process.parent_process.file.creator.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). 
- name: ocsf.actor.process.parent_process.file.creator.account.uid - type: keyword -ocsf.actor.process.parent_process.file.creator.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.parent_process.file.creator.credential_uid - type: keyword -ocsf.actor.process.parent_process.file.creator.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.actor.process.parent_process.file.creator.domain - type: keyword -ocsf.actor.process.parent_process.file.creator.email_addr: - description: The user's email address. - name: ocsf.actor.process.parent_process.file.creator.email_addr - type: keyword -ocsf.actor.process.parent_process.file.creator.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.actor.process.parent_process.file.creator.full_name - type: keyword -ocsf.actor.process.parent_process.file.creator.groups.desc: - description: The group description. - name: ocsf.actor.process.parent_process.file.creator.groups.desc - type: keyword -ocsf.actor.process.parent_process.file.creator.groups.name: - description: The group name. - name: ocsf.actor.process.parent_process.file.creator.groups.name - type: keyword -ocsf.actor.process.parent_process.file.creator.groups.privileges: - description: The group privileges. - name: ocsf.actor.process.parent_process.file.creator.groups.privileges - type: keyword -ocsf.actor.process.parent_process.file.creator.groups.type: - description: The type of the group or account. - name: ocsf.actor.process.parent_process.file.creator.groups.type - type: keyword -ocsf.actor.process.parent_process.file.creator.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. 
- name: ocsf.actor.process.parent_process.file.creator.groups.uid - type: keyword -ocsf.actor.process.parent_process.file.creator.name: - description: The name of the city. - name: ocsf.actor.process.parent_process.file.creator.name - type: keyword -ocsf.actor.process.parent_process.file.creator.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.actor.process.parent_process.file.creator.org.name - type: keyword -ocsf.actor.process.parent_process.file.creator.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.actor.process.parent_process.file.creator.org.ou_name - type: keyword -ocsf.actor.process.parent_process.file.creator.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.process.parent_process.file.creator.org.ou_uid - type: keyword -ocsf.actor.process.parent_process.file.creator.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.actor.process.parent_process.file.creator.org.uid - type: keyword -ocsf.actor.process.parent_process.file.creator.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.actor.process.parent_process.file.creator.type - type: keyword -ocsf.actor.process.parent_process.file.creator.type_id: - description: The account type identifier. - name: ocsf.actor.process.parent_process.file.creator.type_id - type: keyword -ocsf.actor.process.parent_process.file.creator.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.actor.process.parent_process.file.creator.uid - type: keyword -ocsf.actor.process.parent_process.file.creator.uid_alt: - description: - The alternate user identifier. 
For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.actor.process.parent_process.file.creator.uid_alt - type: keyword -ocsf.actor.process.parent_process.file.desc: - description: - "The description of the file, as returned by file system. For example: - the description as returned by the Unix file command or the Windows file type." - name: ocsf.actor.process.parent_process.file.desc - type: keyword -ocsf.actor.process.parent_process.file.hashes.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.actor.process.parent_process.file.hashes.algorithm - type: keyword -ocsf.actor.process.parent_process.file.hashes.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.actor.process.parent_process.file.hashes.algorithm_id - type: keyword -ocsf.actor.process.parent_process.file.hashes.value: - description: The digital fingerprint value. - name: ocsf.actor.process.parent_process.file.hashes.value - type: keyword -ocsf.actor.process.parent_process.file.is_system: - description: The indication of whether the object is part of the operating system. - name: ocsf.actor.process.parent_process.file.is_system - type: boolean -ocsf.actor.process.parent_process.file.mime_type: - description: - The Multipurpose Internet Mail Extensions (MIME) type of the file, - if applicable. - name: ocsf.actor.process.parent_process.file.mime_type - type: keyword -ocsf.actor.process.parent_process.file.modified_time: - description: The time when the file was last modified. - name: ocsf.actor.process.parent_process.file.modified_time - type: date -ocsf.actor.process.parent_process.file.modified_time_dt: - description: The time when the file was last modified. 
- name: ocsf.actor.process.parent_process.file.modified_time_dt - type: date -ocsf.actor.process.parent_process.file.modifier.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.actor.process.parent_process.file.modifier.account.name - type: keyword -ocsf.actor.process.parent_process.file.modifier.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.parent_process.file.modifier.account.type - type: keyword -ocsf.actor.process.parent_process.file.modifier.account.type_id: - description: The normalized account type identifier. - name: ocsf.actor.process.parent_process.file.modifier.account.type_id - type: keyword -ocsf.actor.process.parent_process.file.modifier.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.actor.process.parent_process.file.modifier.account.uid - type: keyword -ocsf.actor.process.parent_process.file.modifier.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.parent_process.file.modifier.credential_uid - type: keyword -ocsf.actor.process.parent_process.file.modifier.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.actor.process.parent_process.file.modifier.domain - type: keyword -ocsf.actor.process.parent_process.file.modifier.email_addr: - description: "The image name. For example: elixir." - name: ocsf.actor.process.parent_process.file.modifier.email_addr - type: keyword -ocsf.actor.process.parent_process.file.modifier.full_name: - description: The user's email address. - name: ocsf.actor.process.parent_process.file.modifier.full_name - type: keyword -ocsf.actor.process.parent_process.file.modifier.groups.desc: - description: The group description. 
- name: ocsf.actor.process.parent_process.file.modifier.groups.desc - type: keyword -ocsf.actor.process.parent_process.file.modifier.groups.name: - description: The group name. - name: ocsf.actor.process.parent_process.file.modifier.groups.name - type: keyword -ocsf.actor.process.parent_process.file.modifier.groups.privileges: - description: The group privileges. - name: ocsf.actor.process.parent_process.file.modifier.groups.privileges - type: keyword -ocsf.actor.process.parent_process.file.modifier.groups.type: - description: The type of the group or account. - name: ocsf.actor.process.parent_process.file.modifier.groups.type - type: keyword -ocsf.actor.process.parent_process.file.modifier.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.process.parent_process.file.modifier.groups.uid - type: keyword -ocsf.actor.process.parent_process.file.modifier.name: - description: The username. For example, janedoe1. - name: ocsf.actor.process.parent_process.file.modifier.name - type: keyword -ocsf.actor.process.parent_process.file.modifier.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.actor.process.parent_process.file.modifier.org.name - type: keyword -ocsf.actor.process.parent_process.file.modifier.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.actor.process.parent_process.file.modifier.org.ou_name - type: keyword -ocsf.actor.process.parent_process.file.modifier.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.process.parent_process.file.modifier.org.ou_uid - type: keyword -ocsf.actor.process.parent_process.file.modifier.org.uid: - description: - The unique identifier of the organization. 
For example, its Active - Directory or AWS Org ID. - name: ocsf.actor.process.parent_process.file.modifier.org.uid - type: keyword -ocsf.actor.process.parent_process.file.modifier.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.actor.process.parent_process.file.modifier.type - type: keyword -ocsf.actor.process.parent_process.file.modifier.type_id: - description: The account type identifier. - name: ocsf.actor.process.parent_process.file.modifier.type_id - type: keyword -ocsf.actor.process.parent_process.file.modifier.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.actor.process.parent_process.file.modifier.uid - type: keyword -ocsf.actor.process.parent_process.file.modifier.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.actor.process.parent_process.file.modifier.uid_alt - type: keyword -ocsf.actor.process.parent_process.file.name: - description: "The name of the file. For example: svchost.exe." - name: ocsf.actor.process.parent_process.file.name - type: keyword -ocsf.actor.process.parent_process.file.owner.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.actor.process.parent_process.file.owner.account.name - type: keyword -ocsf.actor.process.parent_process.file.owner.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.parent_process.file.owner.account.type - type: keyword -ocsf.actor.process.parent_process.file.owner.account.type_id: - description: The normalized account type identifier. 
- name: ocsf.actor.process.parent_process.file.owner.account.type_id - type: keyword -ocsf.actor.process.parent_process.file.owner.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.actor.process.parent_process.file.owner.account.uid - type: keyword -ocsf.actor.process.parent_process.file.owner.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.parent_process.file.owner.credential_uid - type: keyword -ocsf.actor.process.parent_process.file.owner.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.actor.process.parent_process.file.owner.domain - type: keyword -ocsf.actor.process.parent_process.file.owner.email_addr: - description: The user's email address. - name: ocsf.actor.process.parent_process.file.owner.email_addr - type: keyword -ocsf.actor.process.parent_process.file.owner.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.actor.process.parent_process.file.owner.full_name - type: keyword -ocsf.actor.process.parent_process.file.owner.groups.desc: - description: The group description. - name: ocsf.actor.process.parent_process.file.owner.groups.desc - type: keyword -ocsf.actor.process.parent_process.file.owner.groups.name: - description: The group name. - name: ocsf.actor.process.parent_process.file.owner.groups.name - type: keyword -ocsf.actor.process.parent_process.file.owner.groups.privileges: - description: The group privileges. - name: ocsf.actor.process.parent_process.file.owner.groups.privileges - type: keyword -ocsf.actor.process.parent_process.file.owner.groups.type: - description: The type of the group or account. 
- name: ocsf.actor.process.parent_process.file.owner.groups.type - type: keyword -ocsf.actor.process.parent_process.file.owner.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.process.parent_process.file.owner.groups.uid - type: keyword -ocsf.actor.process.parent_process.file.owner.name: - description: The username. For example, janedoe1. - name: ocsf.actor.process.parent_process.file.owner.name - type: keyword -ocsf.actor.process.parent_process.file.owner.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.actor.process.parent_process.file.owner.org.name - type: keyword -ocsf.actor.process.parent_process.file.owner.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.actor.process.parent_process.file.owner.org.ou_name - type: keyword -ocsf.actor.process.parent_process.file.owner.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.process.parent_process.file.owner.org.ou_uid - type: keyword -ocsf.actor.process.parent_process.file.owner.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.actor.process.parent_process.file.owner.org.uid - type: keyword -ocsf.actor.process.parent_process.file.owner.type: - description: - The event occurred on a personal device.The type of the user. For example, - System, AWS IAM User, etc. - name: ocsf.actor.process.parent_process.file.owner.type - type: keyword -ocsf.actor.process.parent_process.file.owner.type_id: - description: The account type identifier. 
- name: ocsf.actor.process.parent_process.file.owner.type_id - type: keyword -ocsf.actor.process.parent_process.file.owner.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.actor.process.parent_process.file.owner.uid - type: keyword -ocsf.actor.process.parent_process.file.owner.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.actor.process.parent_process.file.owner.uid_alt - type: keyword -ocsf.actor.process.parent_process.file.parent_folder: - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - name: ocsf.actor.process.parent_process.file.parent_folder - type: keyword -ocsf.actor.process.parent_process.file.path: - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - name: ocsf.actor.process.parent_process.file.path - type: keyword -ocsf.actor.process.parent_process.file.product.feature.name: - description: The name of the feature. - name: ocsf.actor.process.parent_process.file.product.feature.name - type: keyword -ocsf.actor.process.parent_process.file.product.feature.uid: - description: The unique identifier of the feature. - name: ocsf.actor.process.parent_process.file.product.feature.uid - type: keyword -ocsf.actor.process.parent_process.file.product.feature.version: - description: The version of the feature. - name: ocsf.actor.process.parent_process.file.product.feature.version - type: keyword -ocsf.actor.process.parent_process.file.product.lang: - description: - "The two letter lower case language codes, as defined by ISO 639-1. - For example: en (English), de (German), or fr (French)." - name: ocsf.actor.process.parent_process.file.product.lang - type: keyword -ocsf.actor.process.parent_process.file.product.name: - description: The name of the feature. 
- name: ocsf.actor.process.parent_process.file.product.name - type: keyword -ocsf.actor.process.parent_process.file.product.path: - description: The installation path of the product. - name: ocsf.actor.process.parent_process.file.product.path - type: keyword -ocsf.actor.process.parent_process.file.product.uid: - description: The unique identifier of the feature. - name: ocsf.actor.process.parent_process.file.product.uid - type: keyword -ocsf.actor.process.parent_process.file.product.url_string: - description: The URL pointing towards the product. - name: ocsf.actor.process.parent_process.file.product.url_string - type: keyword -ocsf.actor.process.parent_process.file.product.vendor_name: - description: The name of the vendor of the product. - name: ocsf.actor.process.parent_process.file.product.vendor_name - type: keyword -ocsf.actor.process.parent_process.file.product.version: - description: - "The version of the product, as defined by the event source. For example: - 2013.1.3-beta." - name: ocsf.actor.process.parent_process.file.product.version - type: keyword -ocsf.actor.process.parent_process.file.security_descriptor: - description: The object security descriptor. - name: ocsf.actor.process.parent_process.file.security_descriptor - type: keyword -ocsf.actor.process.parent_process.file.signature.algorithm: - description: - The digital signature algorithm used to create the signature, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.actor.process.parent_process.file.signature.algorithm - type: keyword -ocsf.actor.process.parent_process.file.signature.algorithm_id: - description: The identifier of the normalized digital signature algorithm. - name: ocsf.actor.process.parent_process.file.signature.algorithm_id - type: keyword -ocsf.actor.process.parent_process.file.signature.certificate.created_time: - description: The time when the certificate was created. 
- name: ocsf.actor.process.parent_process.file.signature.certificate.created_time - type: date -ocsf.actor.process.parent_process.file.signature.certificate.created_time_dt: - description: The time when the certificate was created. - name: ocsf.actor.process.parent_process.file.signature.certificate.created_time_dt - type: date -ocsf.actor.process.parent_process.file.signature.certificate.expiration_time: - description: The expiration time of the certificate. - name: ocsf.actor.process.parent_process.file.signature.certificate.expiration_time - type: date -ocsf.actor.process.parent_process.file.signature.certificate.expiration_time_dt: - description: The expiration time of the certificate. - name: ocsf.actor.process.parent_process.file.signature.certificate.expiration_time_dt - type: date -ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm - type: keyword -ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm_id - type: keyword -ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.value: - description: The digital fingerprint value. - name: ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.value - type: keyword -ocsf.actor.process.parent_process.file.signature.certificate.issuer: - description: The certificate issuer distinguished name. 
- name: ocsf.actor.process.parent_process.file.signature.certificate.issuer - type: keyword -ocsf.actor.process.parent_process.file.signature.certificate.serial_number: - description: The serial number of the certificate used to create the digital signature. - name: ocsf.actor.process.parent_process.file.signature.certificate.serial_number - type: keyword -ocsf.actor.process.parent_process.file.signature.certificate.subject: - description: The certificate subject distinguished name. - name: ocsf.actor.process.parent_process.file.signature.certificate.subject - type: keyword -ocsf.actor.process.parent_process.file.signature.certificate.version: - description: The certificate version. - name: ocsf.actor.process.parent_process.file.signature.certificate.version - type: keyword -ocsf.actor.process.parent_process.file.signature.created_time: - description: The time when the digital signature was created. - name: ocsf.actor.process.parent_process.file.signature.created_time - type: date -ocsf.actor.process.parent_process.file.signature.created_time_dt: - description: The time when the digital signature was created. - name: ocsf.actor.process.parent_process.file.signature.created_time_dt - type: date -ocsf.actor.process.parent_process.file.signature.developer_uid: - description: The developer ID on the certificate that signed the file. - name: ocsf.actor.process.parent_process.file.signature.developer_uid - type: keyword -ocsf.actor.process.parent_process.file.signature.digest.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.actor.process.parent_process.file.signature.digest.algorithm - type: keyword -ocsf.actor.process.parent_process.file.signature.digest.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. 
- name: ocsf.actor.process.parent_process.file.signature.digest.algorithm_id - type: keyword -ocsf.actor.process.parent_process.file.signature.digest.value: - description: The digital fingerprint value. - name: ocsf.actor.process.parent_process.file.signature.digest.value - type: keyword -ocsf.actor.process.parent_process.file.size: - description: The size of data, in bytes. - name: ocsf.actor.process.parent_process.file.size - type: long -ocsf.actor.process.parent_process.file.type: - description: The file type. - name: ocsf.actor.process.parent_process.file.type - type: keyword -ocsf.actor.process.parent_process.file.type_id: - description: The file type ID. - name: ocsf.actor.process.parent_process.file.type_id - type: keyword -ocsf.actor.process.parent_process.file.uid: - description: - The unique identifier of the file as defined by the storage system, - such the file system file ID. - name: ocsf.actor.process.parent_process.file.uid - type: keyword -ocsf.actor.process.parent_process.file.version: - description: "The file version. For example: 8.0.7601.17514." - name: ocsf.actor.process.parent_process.file.version - type: keyword -ocsf.actor.process.parent_process.file.xattributes: - description: - An unordered collection of zero or more name/value pairs where each - pair represents a file or folder extended attribute. - name: ocsf.actor.process.parent_process.file.xattributes - type: flattened -ocsf.actor.process.parent_process.group.desc: - description: The group description. - name: ocsf.actor.process.parent_process.group.desc - type: keyword -ocsf.actor.process.parent_process.group.privileges: - description: The group privileges. - name: ocsf.actor.process.parent_process.group.privileges - type: keyword -ocsf.actor.process.parent_process.group.type: - description: The type of the group or account. 
- name: ocsf.actor.process.parent_process.group.type - type: keyword -ocsf.actor.process.parent_process.integrity: - description: - The process integrity level, normalized to the caption of the direction_id - value. In the case of 'Other', it is defined by the event source (Windows only). - name: ocsf.actor.process.parent_process.integrity - type: keyword -ocsf.actor.process.parent_process.integrity_id: - description: The normalized identifier of the process integrity level (Windows only). - name: ocsf.actor.process.parent_process.integrity_id - type: keyword -ocsf.actor.process.parent_process.lineage: - description: - "The lineage of the process, represented by a list of paths for each - ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']." - name: ocsf.actor.process.parent_process.lineage - type: keyword -ocsf.actor.process.parent_process.loaded_modules: - description: The list of loaded module names. - name: ocsf.actor.process.parent_process.loaded_modules - type: keyword -ocsf.actor.process.parent_process.namespace_pid: - description: - If running under a process namespace (such as in a container), the - process identifier within that process namespace. - name: ocsf.actor.process.parent_process.namespace_pid - type: long -ocsf.actor.process.parent_process.parent_process: - description: - The parent process of this process object. It is recommended to only - populate this field for the first process object, to prevent deep nesting. - name: ocsf.actor.process.parent_process.parent_process - type: flattened -ocsf.actor.process.parent_process.parent_process_keyword: - description: "" - name: ocsf.actor.process.parent_process.parent_process_keyword - type: keyword -ocsf.actor.process.parent_process.sandbox: - description: - The name of the containment jail (i.e., sandbox). For example, hardened_ps, - high_security_ps, oracle_ps, netsvcs_ps, or default_ps. 
- name: ocsf.actor.process.parent_process.sandbox - type: keyword -ocsf.actor.process.parent_process.session.created_time: - description: The time when the session was created. - name: ocsf.actor.process.parent_process.session.created_time - type: date -ocsf.actor.process.parent_process.session.created_time_dt: - description: The time when the session was created. - name: ocsf.actor.process.parent_process.session.created_time_dt - type: date -ocsf.actor.process.parent_process.session.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.parent_process.session.credential_uid - type: keyword -ocsf.actor.process.parent_process.session.expiration_time: - description: The session expiration time. - name: ocsf.actor.process.parent_process.session.expiration_time - type: date -ocsf.actor.process.parent_process.session.expiration_time_dt: - description: The session expiration time. - name: ocsf.actor.process.parent_process.session.expiration_time_dt - type: date -ocsf.actor.process.parent_process.session.is_remote: - description: The indication of whether the session is remote. - name: ocsf.actor.process.parent_process.session.is_remote - type: boolean -ocsf.actor.process.parent_process.session.issuer: - description: The identifier of the session issuer. - name: ocsf.actor.process.parent_process.session.issuer - type: keyword -ocsf.actor.process.parent_process.session.mfa: - description: "" - name: ocsf.actor.process.parent_process.session.mfa - type: boolean -ocsf.actor.process.parent_process.session.uid: - description: The unique identifier of the session. - name: ocsf.actor.process.parent_process.session.uid - type: keyword -ocsf.actor.process.parent_process.session.uuid: - description: The universally unique identifier of the session. 
- name: ocsf.actor.process.parent_process.session.uuid - type: keyword -ocsf.actor.process.parent_process.terminated_time_dt: - description: The time when the process was terminated. - name: ocsf.actor.process.parent_process.terminated_time_dt - type: date -ocsf.actor.process.parent_process.user.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.actor.process.parent_process.user.account.name - type: keyword -ocsf.actor.process.parent_process.user.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.parent_process.user.account.type - type: keyword -ocsf.actor.process.parent_process.user.account.type_id: - description: The normalized account type identifier. - name: ocsf.actor.process.parent_process.user.account.type_id - type: keyword -ocsf.actor.process.parent_process.user.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.actor.process.parent_process.user.account.uid - type: keyword -ocsf.actor.process.parent_process.user.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.parent_process.user.credential_uid - type: keyword -ocsf.actor.process.parent_process.user.groups.desc: - description: The group description. - name: ocsf.actor.process.parent_process.user.groups.desc - type: keyword -ocsf.actor.process.parent_process.user.groups.name: - description: The group name. - name: ocsf.actor.process.parent_process.user.groups.name - type: keyword -ocsf.actor.process.parent_process.user.groups.privileges: - description: The group privileges. - name: ocsf.actor.process.parent_process.user.groups.privileges - type: keyword -ocsf.actor.process.parent_process.user.groups.type: - description: The type of the group or account. 
- name: ocsf.actor.process.parent_process.user.groups.type - type: keyword -ocsf.actor.process.parent_process.user.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.process.parent_process.user.groups.uid - type: keyword -ocsf.actor.process.parent_process.user.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.actor.process.parent_process.user.org.name - type: keyword -ocsf.actor.process.parent_process.user.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.actor.process.parent_process.user.org.ou_name - type: keyword -ocsf.actor.process.parent_process.user.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.process.parent_process.user.org.ou_uid - type: keyword -ocsf.actor.process.parent_process.user.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.actor.process.parent_process.user.org.uid - type: keyword -ocsf.actor.process.parent_process.user.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.actor.process.parent_process.user.type - type: keyword -ocsf.actor.process.parent_process.user.type_id: - description: The account type identifier. - name: ocsf.actor.process.parent_process.user.type_id - type: keyword -ocsf.actor.process.parent_process.user.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. 
- name: ocsf.actor.process.parent_process.user.uid_alt - type: keyword -ocsf.actor.process.parent_process.xattributes: - description: - An unordered collection of zero or more name/value pairs that represent - a process extended attribute. - name: ocsf.actor.process.parent_process.xattributes - type: flattened -ocsf.actor.process.sandbox: - description: - The name of the containment jail (i.e., sandbox). For example, hardened_ps, - high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - name: ocsf.actor.process.sandbox - type: keyword -ocsf.actor.process.session.created_time: - description: The time when the session was created. - name: ocsf.actor.process.session.created_time - type: date -ocsf.actor.process.session.created_time_dt: - description: The time when the session was created. - name: ocsf.actor.process.session.created_time_dt - type: date -ocsf.actor.process.session.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.session.credential_uid - type: keyword -ocsf.actor.process.session.expiration_time: - description: The session expiration time. - name: ocsf.actor.process.session.expiration_time - type: date -ocsf.actor.process.session.expiration_time_dt: - description: The session expiration time. - name: ocsf.actor.process.session.expiration_time_dt - type: date -ocsf.actor.process.session.is_remote: - description: The indication of whether the session is remote. - name: ocsf.actor.process.session.is_remote - type: boolean -ocsf.actor.process.session.issuer: - description: The identifier of the session issuer. - name: ocsf.actor.process.session.issuer - type: keyword -ocsf.actor.process.session.mfa: - description: "" - name: ocsf.actor.process.session.mfa - type: boolean -ocsf.actor.process.session.uid: - description: The unique identifier of the session. 
- name: ocsf.actor.process.session.uid - type: keyword -ocsf.actor.process.session.uuid: - description: The universally unique identifier of the session. - name: ocsf.actor.process.session.uuid - type: keyword -ocsf.actor.process.terminated_time_dt: - description: The time when the process was terminated. - name: ocsf.actor.process.terminated_time_dt - type: date -ocsf.actor.process.user.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.actor.process.user.account.name - type: keyword -ocsf.actor.process.user.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.user.account.type - type: keyword -ocsf.actor.process.user.account.type_id: - description: The normalized account type identifier. - name: ocsf.actor.process.user.account.type_id - type: keyword -ocsf.actor.process.user.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.actor.process.user.account.uid - type: keyword -ocsf.actor.process.user.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.user.credential_uid - type: keyword -ocsf.actor.process.user.groups.desc: - description: The group description. - name: ocsf.actor.process.user.groups.desc - type: keyword -ocsf.actor.process.user.groups.name: - description: The group name. - name: ocsf.actor.process.user.groups.name - type: keyword -ocsf.actor.process.user.groups.privileges: - description: The group privileges. - name: ocsf.actor.process.user.groups.privileges - type: keyword -ocsf.actor.process.user.groups.type: - description: The type of the group or account. - name: ocsf.actor.process.user.groups.type - type: keyword -ocsf.actor.process.user.groups.uid: - description: - The unique identifier of the group. 
For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.process.user.groups.uid - type: keyword -ocsf.actor.process.user.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.actor.process.user.org.name - type: keyword -ocsf.actor.process.user.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.actor.process.user.org.ou_name - type: keyword -ocsf.actor.process.user.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.process.user.org.ou_uid - type: keyword -ocsf.actor.process.user.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.actor.process.user.org.uid - type: keyword -ocsf.actor.process.user.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.actor.process.user.type - type: keyword -ocsf.actor.process.user.type_id: - description: The account type identifier. - name: ocsf.actor.process.user.type_id - type: keyword -ocsf.actor.process.user.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.actor.process.user.uid_alt - type: keyword -ocsf.actor.process.xattributes: - description: - An unordered collection of zero or more name/value pairs that represent - a process extended attribute. - name: ocsf.actor.process.xattributes - type: flattened -ocsf.actor.session.created_time: - description: The time when the session was created. - name: ocsf.actor.session.created_time - type: date -ocsf.actor.session.created_time_dt: - description: The time when the session was created. 
- name: ocsf.actor.session.created_time_dt - type: date -ocsf.actor.session.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.session.credential_uid - type: keyword -ocsf.actor.session.expiration_time: - description: The session expiration time. - name: ocsf.actor.session.expiration_time - type: date -ocsf.actor.session.expiration_time_dt: - description: The session expiration time. - name: ocsf.actor.session.expiration_time_dt - type: date -ocsf.actor.session.is_remote: - description: The indication of whether the session is remote. - name: ocsf.actor.session.is_remote - type: boolean -ocsf.actor.session.issuer: - description: The identifier of the session issuer. - name: ocsf.actor.session.issuer - type: keyword -ocsf.actor.session.mfa: - description: "" - name: ocsf.actor.session.mfa - type: boolean -ocsf.actor.session.uid: - description: The unique identifier of the session. - name: ocsf.actor.session.uid - type: keyword -ocsf.actor.session.uuid: - description: The universally unique identifier of the session. - name: ocsf.actor.session.uuid - type: keyword -ocsf.actor.user.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.actor.user.account.name - type: keyword -ocsf.actor.user.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.user.account.type - type: keyword -ocsf.actor.user.account.type_id: - description: The normalized account type identifier. - name: ocsf.actor.user.account.type_id - type: keyword -ocsf.actor.user.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.actor.user.account.uid - type: keyword -ocsf.actor.user.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. 
- name: ocsf.actor.user.credential_uid - type: keyword -ocsf.actor.user.groups.desc: - description: The group description. - name: ocsf.actor.user.groups.desc - type: keyword -ocsf.actor.user.groups.name: - description: The group name. - name: ocsf.actor.user.groups.name - type: keyword -ocsf.actor.user.groups.privileges: - description: The group privileges. - name: ocsf.actor.user.groups.privileges - type: keyword -ocsf.actor.user.groups.type: - description: The type of the group or account. - name: ocsf.actor.user.groups.type - type: keyword -ocsf.actor.user.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.user.groups.uid - type: keyword -ocsf.actor.user.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.actor.user.org.name - type: keyword -ocsf.actor.user.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.actor.user.org.ou_name - type: keyword -ocsf.actor.user.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.user.org.ou_uid - type: keyword -ocsf.actor.user.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.actor.user.org.uid - type: keyword -ocsf.actor.user.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.actor.user.type - type: keyword -ocsf.actor.user.type_id: - description: The account type identifier. - name: ocsf.actor.user.type_id - type: keyword -ocsf.actor.user.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. 
- name: ocsf.actor.user.uid_alt - type: keyword -ocsf.actual_permissions: - description: The permissions that were granted to the in a platform-native format. - name: ocsf.actual_permissions - type: long -ocsf.analytic.category: - description: The analytic category. - name: ocsf.analytic.category - type: keyword -ocsf.analytic.desc: - description: The description of the analytic that generated the finding. - name: ocsf.analytic.desc - type: keyword -ocsf.analytic.name: - description: The name of the analytic that generated the finding. - name: ocsf.analytic.name - type: keyword -ocsf.analytic.related_analytics.category: - description: The analytic category. - name: ocsf.analytic.related_analytics.category - type: keyword -ocsf.analytic.related_analytics.desc: - description: The description of the analytic that generated the finding. - name: ocsf.analytic.related_analytics.desc - type: keyword -ocsf.analytic.related_analytics.name: - description: The name of the analytic that generated the finding. - name: ocsf.analytic.related_analytics.name - type: keyword -ocsf.analytic.related_analytics.related_analytics: - description: "" - name: ocsf.analytic.related_analytics.related_analytics - type: flattened -ocsf.analytic.related_analytics.type: - description: The analytic type. - name: ocsf.analytic.related_analytics.type - type: keyword -ocsf.analytic.related_analytics.type_id: - description: The analytic type ID. - name: ocsf.analytic.related_analytics.type_id - type: keyword -ocsf.analytic.related_analytics.uid: - description: The unique identifier of the analytic that generated the finding. - name: ocsf.analytic.related_analytics.uid - type: keyword -ocsf.analytic.related_analytics.version: - description: "The analytic version. For example: 1.1." - name: ocsf.analytic.related_analytics.version - type: keyword -ocsf.analytic.type: - description: The analytic type. - name: ocsf.analytic.type - type: keyword -ocsf.analytic.type_id: - description: The analytic type ID. 
- name: ocsf.analytic.type_id - type: keyword -ocsf.analytic.uid: - description: The unique identifier of the analytic that generated the finding. - name: ocsf.analytic.uid - type: keyword -ocsf.analytic.version: - description: "The analytic version. For example: 1.1." - name: ocsf.analytic.version - type: keyword -ocsf.answers.class: - description: - "The class of DNS data contained in this resource record. See RFC1035. - For example: IN." - name: ocsf.answers.class - type: keyword -ocsf.answers.flag_ids: - description: The list of DNS answer header flag IDs. - name: ocsf.answers.flag_ids - type: keyword -ocsf.answers.flags: - description: The list of DNS answer header flags. - name: ocsf.answers.flags - type: keyword -ocsf.answers.packet_uid: - description: - The DNS packet identifier assigned by the program that generated the - query. The identifier is copied to the response. - name: ocsf.answers.packet_uid - type: keyword -ocsf.answers.rdata: - description: - The data describing the DNS resource. The meaning of this data depends - on the type and class of the resource record. - name: ocsf.answers.rdata - type: keyword -ocsf.answers.ttl: - description: - The time interval that the resource record may be cached. Zero value - means that the resource record can only be used for the transaction in progress, - and should not be cached. - name: ocsf.answers.ttl - type: long -ocsf.answers.type: - description: - "The type of data contained in this resource record. See RFC1035. For - example: CNAME." - name: ocsf.answers.type - type: keyword -ocsf.api.operation: - description: Verb/Operation associated with the request. - name: ocsf.api.operation - type: keyword -ocsf.api.request.flags: - description: - The list of communication flags, normalized to the captions of the - flag_ids values. In the case of 'Other', they are defined by the event source. - name: ocsf.api.request.flags - type: keyword -ocsf.api.request.uid: - description: The unique request identifier. 
- name: ocsf.api.request.uid - type: keyword -ocsf.api.response.code: - description: The numeric response sent to a request. - name: ocsf.api.response.code - type: long -ocsf.api.response.error: - description: Error Code. - name: ocsf.api.response.error - type: keyword -ocsf.api.response.error_message: - description: Error Message. - name: ocsf.api.response.error_message - type: keyword -ocsf.api.response.flags: - description: - The list of communication flags, normalized to the captions of the - flag_ids values. In the case of 'Other', they are defined by the event source. - name: ocsf.api.response.flags - type: keyword -ocsf.api.response.message: - description: The description of the event, as defined by the event source. - name: ocsf.api.response.message - type: keyword -ocsf.api.service.labels: - description: The list of labels associated with the service. - name: ocsf.api.service.labels - type: keyword -ocsf.api.service.name: - description: The name of the service. - name: ocsf.api.service.name - type: keyword -ocsf.api.service.uid: - description: The unique identifier of the service. - name: ocsf.api.service.uid - type: keyword -ocsf.api.service.version: - description: The version of the service. - name: ocsf.api.service.version - type: keyword -ocsf.api.version: - description: The version of the API service. - name: ocsf.api.version - type: keyword -ocsf.app.feature.name: - description: The name of the feature. - name: ocsf.app.feature.name - type: keyword -ocsf.app.feature.uid: - description: The unique identifier of the feature. - name: ocsf.app.feature.uid - type: keyword -ocsf.app.feature.version: - description: The version of the feature. - name: ocsf.app.feature.version - type: keyword -ocsf.app.lang: - description: The two letter lower case language codes, as defined by ISO 639-1. - name: ocsf.app.lang - type: keyword -ocsf.app.name: - description: The CIS benchmark name. 
- name: ocsf.app.name - type: keyword -ocsf.app.path: - description: The installation path of the product. - name: ocsf.app.path - type: keyword -ocsf.app.uid: - description: The unique identifier of the product. - name: ocsf.app.uid - type: keyword -ocsf.app.url_string: - description: The URL pointing towards the product. - name: ocsf.app.url_string - type: keyword -ocsf.app.vendor_name: - description: The name of the vendor of the product. - name: ocsf.app.vendor_name - type: keyword -ocsf.app.version: - description: The version of the product, as defined by the event source. - name: ocsf.app.version - type: keyword -ocsf.app_name: - description: The name of the application that is associated with the event or object. - name: ocsf.app_name - type: keyword -ocsf.attacks.tactics.name: - description: - The tactic name that is associated with the attack technique, as defined - by ATT&CK MatrixTM. - name: ocsf.attacks.tactics.name - type: keyword -ocsf.attacks.tactics.uid: - description: - The tactic ID that is associated with the attack technique, as defined - by ATT&CK MatrixTM. - name: ocsf.attacks.tactics.uid - type: keyword -ocsf.attacks.technique.name: - description: - "The name of the attack technique, as defined by ATT&CK MatrixTM. For - example: Drive-by Compromise." - name: ocsf.attacks.technique.name - type: keyword -ocsf.attacks.technique.uid: - description: - "The unique identifier of the attack technique, as defined by ATT&CK - MatrixTM. For example: T1189." - name: ocsf.attacks.technique.uid - type: keyword -ocsf.attacks.version: - description: The ATT&CK Matrix version. - name: ocsf.attacks.version - type: keyword -ocsf.attempt: - description: The attempt number for attempting to deliver the email. - name: ocsf.attempt - type: long -ocsf.auth_protocol: - description: - The authentication protocol as defined by the caption of 'auth_protocol_id'. - In the case of 'Other', it is defined by the event source. 
- name: ocsf.auth_protocol - type: keyword -ocsf.auth_protocol_id: - description: - The normalized identifier of the authentication protocol used to create - the user session. - name: ocsf.auth_protocol_id - type: keyword -ocsf.banner: - description: - The initial SMTP connection response that a messaging server receives - after it connects to a email server. - name: ocsf.banner - type: keyword -ocsf.base_address: - description: The memory address that was access or requested. - name: ocsf.base_address - type: keyword -ocsf.capabilities: - description: A list of RDP capabilities. - name: ocsf.capabilities - type: keyword -ocsf.category_name: - description: - "The event category name, as defined by category_uid value: Identity - & Access Management." - name: ocsf.category_name - type: keyword -ocsf.category_uid: - description: - The category unique identifier of the event.3 Identity & Access ManagementIdentity - & Access Management (IAM) events relate to the supervision of the system's authentication - and access control model. Examples of such events are the success or failure of - authentication, granting of authority, password change, entity change, privileged - use etc. - name: ocsf.category_uid - type: long -ocsf.certificate.created_time: - description: The time when the certificate was created. - name: ocsf.certificate.created_time - type: date -ocsf.certificate.created_time_dt: - description: The time when the certificate was created. - name: ocsf.certificate.created_time_dt - type: date -ocsf.certificate.expiration_time: - description: The expiration time of the certificate. - name: ocsf.certificate.expiration_time - type: date -ocsf.certificate.expiration_time_dt: - description: The expiration time of the certificate. - name: ocsf.certificate.expiration_time_dt - type: date -ocsf.certificate.fingerprints.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the - event source. - name: ocsf.certificate.fingerprints.algorithm - type: keyword -ocsf.certificate.fingerprints.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.certificate.fingerprints.algorithm_id - type: keyword -ocsf.certificate.fingerprints.value: - description: The digital fingerprint value. - name: ocsf.certificate.fingerprints.value - type: keyword -ocsf.certificate.issuer: - description: The certificate issuer distinguished name. - name: ocsf.certificate.issuer - type: keyword -ocsf.certificate.serial_number: - description: The serial number of the certificate used to create the digital signature. - name: ocsf.certificate.serial_number - type: keyword -ocsf.certificate.subject: - description: The certificate subject distinguished name. - name: ocsf.certificate.subject - type: keyword -ocsf.certificate.version: - description: The certificate version. - name: ocsf.certificate.version - type: keyword -ocsf.cis_benchmark_result.desc: - description: The CIS benchmark description. - name: ocsf.cis_benchmark_result.desc - type: keyword -ocsf.cis_benchmark_result.name: - description: The CIS benchmark name. - name: ocsf.cis_benchmark_result.name - type: keyword -ocsf.cis_benchmark_result.remediation.desc: - description: The description of the remediation strategy. - name: ocsf.cis_benchmark_result.remediation.desc - type: keyword -ocsf.cis_benchmark_result.remediation.kb_articles: - description: The KB article/s related to the entity. - name: ocsf.cis_benchmark_result.remediation.kb_articles - type: keyword -ocsf.cis_benchmark_result.rule.type: - description: The rule type. - name: ocsf.cis_benchmark_result.rule.type - type: keyword -ocsf.cis_csc.control: - description: The CIS critical security control. 
- name: ocsf.cis_csc.control - type: keyword -ocsf.cis_csc.version: - description: The CIS critical security control version. - name: ocsf.cis_csc.version - type: keyword -ocsf.class_name: - description: "The event class name, as defined by class_uid value: Security Finding." - name: ocsf.class_name - type: keyword -ocsf.class_uid: - description: - The unique identifier of a class. A Class describes the attributes - available in an event.2001 Security FindingSecurity Finding events describe findings, - detections, anomalies, alerts and/or actions performed by security products. - name: ocsf.class_uid - type: keyword -ocsf.client_dialects: - description: The list of SMB dialects that the client speaks. - name: ocsf.client_dialects - type: keyword -ocsf.client_hassh.algorithm: - description: - "The concatenation of key exchange, encryption, authentication and - compression algorithms (separated by ';'). NOTE: This is not the underlying - algorithm for the hash implementation." - name: ocsf.client_hassh.algorithm - type: keyword -ocsf.client_hassh.fingerprint.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.client_hassh.fingerprint.algorithm - type: keyword -ocsf.client_hassh.fingerprint.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.client_hassh.fingerprint.algorithm_id - type: keyword -ocsf.client_hassh.fingerprint.value: - description: The digital fingerprint value. - name: ocsf.client_hassh.fingerprint.value - type: keyword -ocsf.cloud.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. 
- name: ocsf.cloud.account.type - type: keyword -ocsf.cloud.account.type_id: - description: The normalized account type identifier. - name: ocsf.cloud.account.type_id - type: keyword -ocsf.cloud.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.cloud.org.name - type: keyword -ocsf.cloud.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.cloud.org.ou_name - type: keyword -ocsf.cloud.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.cloud.org.ou_uid - type: keyword -ocsf.cloud.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.cloud.org.uid - type: keyword -ocsf.codes: - description: The list of return codes to the FTP command. - name: ocsf.codes - type: long -ocsf.command: - description: The command name. - name: ocsf.command - type: keyword -ocsf.command_responses: - description: The list of responses to the FTP command. - name: ocsf.command_responses - type: keyword -ocsf.comment: - description: The user provided comment about why the entity was changed. - name: ocsf.comment - type: keyword -ocsf.compliance.requirements: - description: - A list of applicable compliance requirements for which this finding - is related to. - name: ocsf.compliance.requirements - type: keyword -ocsf.compliance.status: - description: - The event status, normalized to the caption of the status_id value. - In the case of 'Other', it is defined by the event source. - name: ocsf.compliance.status - type: keyword -ocsf.compliance.status_detail: - description: - The status details contains additional information about the event - outcome. 
- name: ocsf.compliance.status_detail - type: keyword -ocsf.component: - description: - The name or relative pathname of a sub-component of the data object, - if applicable. - name: ocsf.component - type: keyword -ocsf.confidence: - description: - The confidence, normalized to the caption of the confidence_id value. - In the case of 'Other', it is defined by the event source. - name: ocsf.confidence - type: keyword -ocsf.confidence_id: - description: - The normalized confidence refers to the accuracy of the rule that created - the finding. A rule with a low confidence means that the finding scope is wide - and may create finding reports that may not be malicious in nature. - name: ocsf.confidence_id - type: keyword -ocsf.confidence_score: - description: The confidence score as reported by the event source. - name: ocsf.confidence_score - type: long -ocsf.connection_info.boundary: - description: - The boundary of the connection, normalized to the caption of 'boundary_id'. - In the case of 'Other', it is defined by the event source.For cloud connections, - this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional - networks, this is described as Local, Internal, or External. - name: ocsf.connection_info.boundary - type: keyword -ocsf.connection_info.boundary_id: - description: - The normalized identifier of the boundary of the connection. For cloud - connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). - For traditional networks, this is described as Local, Internal, or External. - name: ocsf.connection_info.boundary_id - type: keyword -ocsf.connection_info.direction: - description: - The direction of the initiated connection, traffic, or email, normalized - to the caption of the direction_id value. In the case of 'Other', it is defined - by the event source. 
- name: ocsf.connection_info.direction
- type: keyword
-ocsf.connection_info.direction_id:
- description:
- The normalized identifier of the direction of the initiated connection,
- traffic, or email.
- name: ocsf.connection_info.direction_id
- type: keyword
-ocsf.connection_info.protocol_ver_id:
- description: The Internet Protocol version identifier.
- name: ocsf.connection_info.protocol_ver_id
- type: keyword
-ocsf.connection_info.tcp_flags:
- description: The network connection TCP header flags (i.e., control bits).
- name: ocsf.connection_info.tcp_flags
- type: long
-ocsf.connection_info.uid:
- description: The unique identifier of the connection.
- name: ocsf.connection_info.uid
- type: keyword
-ocsf.connection_uid:
- description: The network connection identifier.
- name: ocsf.connection_uid
- type: keyword
-ocsf.count:
- description:
- The number of times that events in the same logical group occurred
- during the event Start Time to End Time period.
- name: ocsf.count
- type: long
-ocsf.create_mask:
- description: The original Windows mask that is required to create the object.
- name: ocsf.create_mask
- type: keyword
-ocsf.data_sources:
- description: The data sources for the finding.
- name: ocsf.data_sources
- type: keyword
-ocsf.dce_rpc.command:
- description: The request command (e.g. REQUEST, BIND).
- name: ocsf.dce_rpc.command
- type: keyword
-ocsf.dce_rpc.command_response:
- description: The reply to the request command (e.g. RESPONSE, BINDACK or FAULT).
- name: ocsf.dce_rpc.command_response
- type: keyword
-ocsf.dce_rpc.flags:
- description: The list of interface flags.
- name: ocsf.dce_rpc.flags
- type: keyword
-ocsf.dce_rpc.opnum:
- description:
- An operation number used to identify a specific remote procedure call
- (RPC) method or a method in an interface.
- name: ocsf.dce_rpc.opnum
- type: long
-ocsf.dce_rpc.rpc_interface.ack_reason:
- description:
- An integer that provides a reason code or additional information about
- the acknowledgment result.
- name: ocsf.dce_rpc.rpc_interface.ack_reason
- type: long
-ocsf.dce_rpc.rpc_interface.ack_result:
- description: An integer that denotes the acknowledgment result of the DCE/RPC call.
- name: ocsf.dce_rpc.rpc_interface.ack_result
- type: long
-ocsf.dce_rpc.rpc_interface.uuid:
- description: The unique identifier of the particular remote procedure or service.
- name: ocsf.dce_rpc.rpc_interface.uuid
- type: keyword
-ocsf.dce_rpc.rpc_interface.version:
- description: The version of the DCE/RPC protocol being used in the session.
- name: ocsf.dce_rpc.rpc_interface.version
- type: keyword
-ocsf.device.autoscale_uid:
- description: The unique identifier of the cloud autoscale configuration.
- name: ocsf.device.autoscale_uid
- type: keyword
-ocsf.device.created_time:
- description: The time when the device was known to have been created.
- name: ocsf.device.created_time
- type: date
-ocsf.device.created_time_dt:
- description: TThe time when the device was known to have been created.
- name: ocsf.device.created_time_dt
- type: date
-ocsf.device.desc:
- description:
- The description of the device, ordinarily as reported by the operating
- system.
- name: ocsf.device.desc
- type: keyword
-ocsf.device.first_seen_time:
- description: The initial discovery time of the device.
- name: ocsf.device.first_seen_time
- type: date
-ocsf.device.first_seen_time_dt:
- description: The initial discovery time of the device.
- name: ocsf.device.first_seen_time_dt
- type: date
-ocsf.device.groups.desc:
- description: The group description.
- name: ocsf.device.groups.desc
- type: keyword
-ocsf.device.groups.name:
- description: The group name.
- name: ocsf.device.groups.name
- type: keyword
-ocsf.device.groups.privileges:
- description: The group privileges.
- name: ocsf.device.groups.privileges
- type: keyword
-ocsf.device.groups.type:
- description: The type of the group or account.
- name: ocsf.device.groups.type
- type: keyword
-ocsf.device.groups.uid:
- description:
- The unique identifier of the group. For example, for Windows events
- this is the security identifier (SID) of the group.
- name: ocsf.device.groups.uid
- type: keyword
-ocsf.device.hw_info.bios_date:
- description: "The BIOS date. For example: 03/31/16."
- name: ocsf.device.hw_info.bios_date
- type: keyword
-ocsf.device.hw_info.bios_manufacturer:
- description: "The BIOS manufacturer. For example: LENOVO."
- name: ocsf.device.hw_info.bios_manufacturer
- type: keyword
-ocsf.device.hw_info.bios_ver:
- description: "The BIOS version. For example: LENOVO G5ETA2WW (2.62)."
- name: ocsf.device.hw_info.bios_ver
- type: keyword
-ocsf.device.hw_info.chassis:
- description:
- The chassis type describes the system enclosure or physical form factor.
- Such as the following examples for Windows Windows Chassis Types.
- name: ocsf.device.hw_info.chassis
- type: keyword
-ocsf.device.hw_info.cpu_bits:
- description:
- "The cpu architecture, the number of bits used for addressing in memory.
- For example: 32 or 64."
- name: ocsf.device.hw_info.cpu_bits
- type: long
-ocsf.device.hw_info.cpu_cores:
- description:
- "The number of processor cores in all installed processors. For Example:
- 42."
- name: ocsf.device.hw_info.cpu_cores
- type: long
-ocsf.device.hw_info.cpu_count:
- description: "The number of physical processors on a system. For example: 1."
- name: ocsf.device.hw_info.cpu_count
- type: long
-ocsf.device.hw_info.cpu_speed:
- description: "The speed of the processor in Mhz. For Example: 4200."
- name: ocsf.device.hw_info.cpu_speed
- type: long
-ocsf.device.hw_info.cpu_type:
- description: "The processor type. For example: x86 Family 6 Model 37 Stepping 5."
- name: ocsf.device.hw_info.cpu_type
- type: keyword
-ocsf.device.hw_info.desktop_display.color_depth:
- description: The numeric color depth.
- name: ocsf.device.hw_info.desktop_display.color_depth
- type: long
-ocsf.device.hw_info.desktop_display.physical_height:
- description: The numeric physical height of display.
- name: ocsf.device.hw_info.desktop_display.physical_height
- type: long
-ocsf.device.hw_info.desktop_display.physical_orientation:
- description: The numeric physical orientation of display.
- name: ocsf.device.hw_info.desktop_display.physical_orientation
- type: long
-ocsf.device.hw_info.desktop_display.physical_width:
- description: The numeric physical width of display.
- name: ocsf.device.hw_info.desktop_display.physical_width
- type: long
-ocsf.device.hw_info.desktop_display.scale_factor:
- description: The numeric scale factor of display.
- name: ocsf.device.hw_info.desktop_display.scale_factor
- type: long
-ocsf.device.hw_info.keyboard_info.function_keys:
- description: The number of function keys on client keyboard.
- name: ocsf.device.hw_info.keyboard_info.function_keys
- type: long
-ocsf.device.hw_info.keyboard_info.ime:
- description: The Input Method Editor (IME) file name.
- name: ocsf.device.hw_info.keyboard_info.ime
- type: keyword
-ocsf.device.hw_info.keyboard_info.keyboard_layout:
- description: The keyboard locale identifier name (e.g., en-US).
- name: ocsf.device.hw_info.keyboard_info.keyboard_layout
- type: keyword
-ocsf.device.hw_info.keyboard_info.keyboard_subtype:
- description: The keyboard numeric code.
- name: ocsf.device.hw_info.keyboard_info.keyboard_subtype
- type: long
-ocsf.device.hw_info.keyboard_info.keyboard_type:
- description: The keyboard type (e.g., xt, ico).
- name: ocsf.device.hw_info.keyboard_info.keyboard_type
- type: keyword
-ocsf.device.hw_info.ram_size:
- description: "The total amount of installed RAM, in Megabytes. For example: 2048."
- name: ocsf.device.hw_info.ram_size
- type: long
-ocsf.device.hw_info.serial_number:
- description: The device manufacturer serial number.
- name: ocsf.device.hw_info.serial_number
- type: keyword
-ocsf.device.hypervisor:
- description:
- The name of the hypervisor running on the device. For example, Xen,
- VMware, Hyper-V, VirtualBox, etc.
- name: ocsf.device.hypervisor
- type: keyword
-ocsf.device.image.labels:
- description: The image labels.
- name: ocsf.device.image.labels
- type: keyword
-ocsf.device.image.name:
- description: "The image name. For example: elixir."
- name: ocsf.device.image.name
- type: keyword
-ocsf.device.image.path:
- description: The full path to the image file.
- name: ocsf.device.image.path
- type: keyword
-ocsf.device.image.tag:
- description: "The image tag. For example: 1.11-alpine."
- name: ocsf.device.image.tag
- type: keyword
-ocsf.device.image.uid:
- description: "The unique image ID. For example: 77af4d6b9913."
- name: ocsf.device.image.uid
- type: keyword
-ocsf.device.imei:
- description:
- The International Mobile Station Equipment Identifier that is associated
- with the device.
- name: ocsf.device.imei
- type: keyword
-ocsf.device.instance_uid:
- description: The unique identifier of a VM instance.
- name: ocsf.device.instance_uid
- type: keyword
-ocsf.device.interface_name:
- description: The name of the network interface (e.g. eth2).
- name: ocsf.device.interface_name
- type: keyword
-ocsf.device.interface_uid:
- description: The unique identifier of the network interface.
- name: ocsf.device.interface_uid
- type: keyword
-ocsf.device.is_compliant:
- description: The event occurred on a compliant device.
- name: ocsf.device.is_compliant
- type: boolean
-ocsf.device.is_managed:
- description: The event occurred on a managed device.
- name: ocsf.device.is_managed
- type: boolean
-ocsf.device.is_personal:
- description: The event occurred on a personal device.
- name: ocsf.device.is_personal
- type: boolean
-ocsf.device.is_trusted:
- description: The event occurred on a trusted device.
- name: ocsf.device.is_trusted
- type: boolean
-ocsf.device.last_seen_time:
- description: The most recent discovery time of the device.
- name: ocsf.device.last_seen_time
- type: date
-ocsf.device.last_seen_time_dt:
- description: The most recent discovery time of the device.
- name: ocsf.device.last_seen_time_dt
- type: date
-ocsf.device.location.is_on_premises:
- description: The indication of whether the location is on premises.
- name: ocsf.device.location.is_on_premises
- type: boolean
-ocsf.device.location.isp:
- description: The name of the Internet Service Provider (ISP).
- name: ocsf.device.location.isp
- type: keyword
-ocsf.device.location.provider:
- description: The provider of the geographical location data.
- name: ocsf.device.location.provider
- type: keyword
-ocsf.device.modified_time:
- description: The time when the device was last known to have been modified.
- name: ocsf.device.modified_time
- type: date
-ocsf.device.modified_time_dt:
- description: The time when the device was last known to have been modified.
- name: ocsf.device.modified_time_dt
- type: date
-ocsf.device.network_interfaces.hostname:
- description: The hostname associated with the network interface.
- name: ocsf.device.network_interfaces.hostname
- type: keyword
-ocsf.device.network_interfaces.ip:
- description: The IP address associated with the network interface.
- name: ocsf.device.network_interfaces.ip
- type: ip
-ocsf.device.network_interfaces.mac:
- description: The MAC address of the network interface.
- name: ocsf.device.network_interfaces.mac
- type: keyword
-ocsf.device.network_interfaces.name:
- description: The name of the network interface.
- name: ocsf.device.network_interfaces.name
- type: keyword
-ocsf.device.network_interfaces.namespace:
- description:
- The namespace is useful in merger or acquisition situations.
For example,
- when similar entities exists that you need to keep separate.
- name: ocsf.device.network_interfaces.namespace
- type: keyword
-ocsf.device.network_interfaces.subnet_prefix:
- description:
- The subnet prefix length determines the number of bits used to represent
- the network part of the IP address. The remaining bits are reserved for identifying
- individual hosts within that subnet.
- name: ocsf.device.network_interfaces.subnet_prefix
- type: long
-ocsf.device.network_interfaces.type:
- description: The type of network interface.
- name: ocsf.device.network_interfaces.type
- type: keyword
-ocsf.device.network_interfaces.type_id:
- description: The network interface type identifier.
- name: ocsf.device.network_interfaces.type_id
- type: keyword
-ocsf.device.network_interfaces.uid:
- description: The unique identifier for the network interface.
- name: ocsf.device.network_interfaces.uid
- type: keyword
-ocsf.device.org.name:
- description: The name of the organization. For example, Widget, Inc.
- name: ocsf.device.org.name
- type: keyword
-ocsf.device.org.ou_name:
- description:
- The name of the organizational unit, within an organization. For example,
- Finance, IT, R&D.
- name: ocsf.device.org.ou_name
- type: keyword
-ocsf.device.org.ou_uid:
- description:
- The alternate identifier for an entity's unique identifier. For example,
- its Active Directory OU DN or AWS OU ID.
- name: ocsf.device.org.ou_uid
- type: keyword
-ocsf.device.org.uid:
- description:
- The unique identifier of the organization. For example, its Active
- Directory or AWS Org ID.
- name: ocsf.device.org.uid
- type: keyword
-ocsf.device.os.country:
- description:
- The operating system country code, as defined by the ISO 3166-1 standard
- (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2
- codes.
- name: ocsf.device.os.country
- type: keyword
-ocsf.device.os.cpu_bits:
- description:
- The cpu architecture, the number of bits used for addressing in memory.
- For example, 32 or 64.
- name: ocsf.device.os.cpu_bits
- type: long
-ocsf.device.os.edition:
- description: The operating system edition. For example, Professional.
- name: ocsf.device.os.edition
- type: keyword
-ocsf.device.os.lang:
- description: The two letter lower case language codes, as defined by ISO 639-1.
- name: ocsf.device.os.lang
- type: keyword
-ocsf.device.os.sp_name:
- description: The name of the latest Service Pack.
- name: ocsf.device.os.sp_name
- type: keyword
-ocsf.device.os.sp_ver:
- description: The version number of the latest Service Pack.
- name: ocsf.device.os.sp_ver
- type: keyword
-ocsf.device.os.type:
- description: The type of the operating system.
- name: ocsf.device.os.type
- type: keyword
-ocsf.device.os.type_id:
- description: The type identifier of the operating system.
- name: ocsf.device.os.type_id
- type: keyword
-ocsf.device.os.version:
- description:
- The version of the OS running on the device that originated the event.
- For example, "Windows 10", "OS X 10.7", or "iOS 9".
- name: ocsf.device.os.version
- type: keyword
-ocsf.device.region:
- description:
- The region where the virtual machine is located. For example, an AWS
- Region.
- name: ocsf.device.region
- type: keyword
-ocsf.device.risk_level_id:
- description: The normalized risk level id.
- name: ocsf.device.risk_level_id
- type: keyword
-ocsf.device.subnet:
- description: The subnet mask.
- name: ocsf.device.subnet
- type: ip_range
-ocsf.device.subnet_uid:
- description: The unique identifier of a virtual subnet.
- name: ocsf.device.subnet_uid
- type: keyword
-ocsf.device.type_id:
- description: The device type ID.
- name: ocsf.device.type_id
- type: keyword
-ocsf.device.uid_alt:
- description:
- The alternate user identifier. For example, the Active Directory user
- GUID or AWS user Principal ID.
- name: ocsf.device.uid_alt
- type: keyword
-ocsf.device.vpc_uid:
- description: The unique identifier of the Virtual Private Cloud (VPC).
- name: ocsf.device.vpc_uid
- type: keyword
-ocsf.dialect:
- description: The negotiated protocol dialect.
- name: ocsf.dialect
- type: keyword
-ocsf.direction:
- description: The direction of the email, as defined by the direction_id value.
- name: ocsf.direction
- type: keyword
-ocsf.direction_id:
- description: The direction of the email relative to the scanning host or organization.
- name: ocsf.direction_id
- type: keyword
-ocsf.disposition:
- description:
- The event disposition name, normalized to the caption of the disposition_id
- value. In the case of 'Other', it is defined by the event source.
- name: ocsf.disposition
- type: keyword
-ocsf.disposition_id:
- description:
- When security issues, such as malware or policy violations, are detected
- and possibly corrected, then disposition_id describes the action taken by the
- security product.
- name: ocsf.disposition_id
- type: keyword
-ocsf.driver.file.accessed_time_dt:
- description: The time when the file was last accessed.
- name: ocsf.driver.file.accessed_time_dt
- type: date
-ocsf.driver.file.accessor.account.name:
- description: The name of the account (e.g. GCP Account Name).
- name: ocsf.driver.file.accessor.account.name
- type: keyword
-ocsf.driver.file.accessor.account.type:
- description:
- The account type, normalized to the caption of 'account_type_id'. In
- the case of 'Other', it is defined by the event source.
- name: ocsf.driver.file.accessor.account.type
- type: keyword
-ocsf.driver.file.accessor.account.type_id:
- description: The normalized account type identifier.
- name: ocsf.driver.file.accessor.account.type_id
- type: keyword
-ocsf.driver.file.accessor.account.uid:
- description: The unique identifier of the account (e.g. AWS Account ID).
- name: ocsf.driver.file.accessor.account.uid
- type: keyword
-ocsf.driver.file.accessor.credential_uid:
- description:
- The unique identifier of the user's credential. For example, AWS Access
- Key ID.
- name: ocsf.driver.file.accessor.credential_uid
- type: keyword
-ocsf.driver.file.accessor.domain:
- description:
- "The domain where the user is defined. For example: the LDAP or Active
- Directory domain."
- name: ocsf.driver.file.accessor.domain
- type: keyword
-ocsf.driver.file.accessor.email_addr:
- description: The user's email address.
- name: ocsf.driver.file.accessor.email_addr
- type: keyword
-ocsf.driver.file.accessor.full_name:
- description:
- The full name of the person, as per the LDAP Common Name attribute
- (cn).
- name: ocsf.driver.file.accessor.full_name
- type: keyword
-ocsf.driver.file.accessor.groups.desc:
- description: The group description.
- name: ocsf.driver.file.accessor.groups.desc
- type: keyword
-ocsf.driver.file.accessor.groups.name:
- description: The group name.
- name: ocsf.driver.file.accessor.groups.name
- type: keyword
-ocsf.driver.file.accessor.groups.privileges:
- description: The group privileges.
- name: ocsf.driver.file.accessor.groups.privileges
- type: keyword
-ocsf.driver.file.accessor.groups.type:
- description: The type of the group or account.
- name: ocsf.driver.file.accessor.groups.type
- type: keyword
-ocsf.driver.file.accessor.groups.uid:
- description:
- The unique identifier of the group. For example, for Windows events
- this is the security identifier (SID) of the group.
- name: ocsf.driver.file.accessor.groups.uid
- type: keyword
-ocsf.driver.file.accessor.name:
- description: The username. For example, janedoe1.
- name: ocsf.driver.file.accessor.name
- type: keyword
-ocsf.driver.file.accessor.org.name:
- description: The name of the organization. For example, Widget, Inc.
- name: ocsf.driver.file.accessor.org.name
- type: keyword
-ocsf.driver.file.accessor.org.ou_name:
- description:
- The name of the organizational unit, within an organization. For example,
- Finance, IT, R&D.
- name: ocsf.driver.file.accessor.org.ou_name
- type: keyword
-ocsf.driver.file.accessor.org.ou_uid:
- description:
- The alternate identifier for an entity's unique identifier. For example,
- its Active Directory OU DN or AWS OU ID.
- name: ocsf.driver.file.accessor.org.ou_uid
- type: keyword
-ocsf.driver.file.accessor.org.uid:
- description:
- The unique identifier of the organization. For example, its Active
- Directory or AWS Org ID.
- name: ocsf.driver.file.accessor.org.uid
- type: keyword
-ocsf.driver.file.accessor.type:
- description: The type of the user. For example, System, AWS IAM User, etc.
- name: ocsf.driver.file.accessor.type
- type: keyword
-ocsf.driver.file.accessor.type_id:
- description: The account type identifier.
- name: ocsf.driver.file.accessor.type_id
- type: keyword
-ocsf.driver.file.accessor.uid:
- description:
- The unique user identifier. For example, the Windows user SID, ActiveDirectory
- DN or AWS user ARN.
- name: ocsf.driver.file.accessor.uid
- type: keyword
-ocsf.driver.file.accessor.uid_alt:
- description:
- The alternate user identifier. For example, the Active Directory user
- GUID or AWS user Principal ID.
- name: ocsf.driver.file.accessor.uid_alt
- type: keyword
-ocsf.driver.file.attributes:
- description: The Bitmask value that represents the file attributes.
- name: ocsf.driver.file.attributes
- type: long
-ocsf.driver.file.company_name:
- description:
- "The name of the company that published the file. For example: Microsoft
- Corporation."
- name: ocsf.driver.file.company_name
- type: keyword
-ocsf.driver.file.confidentiality:
- description:
- The file content confidentiality, normalized to the confidentiality_id
- value. In the case of 'Other', it is defined by the event source.
- name: ocsf.driver.file.confidentiality
- type: keyword
-ocsf.driver.file.confidentiality_id:
- description: The normalized identifier of the file content confidentiality indicator.
- name: ocsf.driver.file.confidentiality_id
- type: keyword
-ocsf.driver.file.created_time_dt:
- description: The time when the file was created.
- name: ocsf.driver.file.created_time_dt
- type: date
-ocsf.driver.file.creator.account.name:
- description: The name of the account (e.g. GCP Account Name).
- name: ocsf.driver.file.creator.account.name
- type: keyword
-ocsf.driver.file.creator.account.type:
- description:
- The account type, normalized to the caption of 'account_type_id'. In
- the case of 'Other', it is defined by the event source.
- name: ocsf.driver.file.creator.account.type
- type: keyword
-ocsf.driver.file.creator.account.type_id:
- description: The normalized account type identifier.
- name: ocsf.driver.file.creator.account.type_id
- type: keyword
-ocsf.driver.file.creator.account.uid:
- description: The unique identifier of the account (e.g. AWS Account ID).
- name: ocsf.driver.file.creator.account.uid
- type: keyword
-ocsf.driver.file.creator.credential_uid:
- description:
- The unique identifier of the user's credential. For example, AWS Access
- Key ID.
- name: ocsf.driver.file.creator.credential_uid
- type: keyword
-ocsf.driver.file.creator.domain:
- description:
- "The domain where the user is defined. For example: the LDAP or Active
- Directory domain."
- name: ocsf.driver.file.creator.domain
- type: keyword
-ocsf.driver.file.creator.email_addr:
- description: The user's email address.
- name: ocsf.driver.file.creator.email_addr
- type: keyword
-ocsf.driver.file.creator.full_name:
- description:
- The full name of the person, as per the LDAP Common Name attribute
- (cn).
- name: ocsf.driver.file.creator.full_name
- type: keyword
-ocsf.driver.file.creator.groups.desc:
- description: The group description.
- name: ocsf.driver.file.creator.groups.desc
- type: keyword
-ocsf.driver.file.creator.groups.name:
- description: The group name.
- name: ocsf.driver.file.creator.groups.name
- type: keyword
-ocsf.driver.file.creator.groups.privileges:
- description: The group privileges.
- name: ocsf.driver.file.creator.groups.privileges
- type: keyword
-ocsf.driver.file.creator.groups.type:
- description: The type of the group or account.
- name: ocsf.driver.file.creator.groups.type
- type: keyword
-ocsf.driver.file.creator.groups.uid:
- description:
- The unique identifier of the group. For example, for Windows events
- this is the security identifier (SID) of the group.
- name: ocsf.driver.file.creator.groups.uid
- type: keyword
-ocsf.driver.file.creator.name:
- description: The username. For example, janedoe1.
- name: ocsf.driver.file.creator.name
- type: keyword
-ocsf.driver.file.creator.org.name:
- description: The name of the organization. For example, Widget, Inc.
- name: ocsf.driver.file.creator.org.name
- type: keyword
-ocsf.driver.file.creator.org.ou_name:
- description:
- The name of the organizational unit, within an organization. For example,
- Finance, IT, R&D.
- name: ocsf.driver.file.creator.org.ou_name
- type: keyword
-ocsf.driver.file.creator.org.ou_uid:
- description:
- The alternate identifier for an entity's unique identifier. For example,
- its Active Directory OU DN or AWS OU ID.
- name: ocsf.driver.file.creator.org.ou_uid
- type: keyword
-ocsf.driver.file.creator.org.uid:
- description:
- The unique identifier of the organization. For example, its Active
- Directory or AWS Org ID.
- name: ocsf.driver.file.creator.org.uid
- type: keyword
-ocsf.driver.file.creator.type:
- description: The type of the user. For example, System, AWS IAM User, etc.
- name: ocsf.driver.file.creator.type
- type: keyword
-ocsf.driver.file.creator.type_id:
- description: The account type identifier.
- name: ocsf.driver.file.creator.type_id
- type: keyword
-ocsf.driver.file.creator.uid:
- description:
- The unique user identifier. For example, the Windows user SID, ActiveDirectory
- DN or AWS user ARN.
- name: ocsf.driver.file.creator.uid
- type: keyword
-ocsf.driver.file.creator.uid_alt:
- description:
- The alternate user identifier. For example, the Active Directory user
- GUID or AWS user Principal ID.
- name: ocsf.driver.file.creator.uid_alt
- type: keyword
-ocsf.driver.file.desc:
- description:
- "The description of the file, as returned by file system. For example:
- the description as returned by the Unix file command or the Windows file type."
- name: ocsf.driver.file.desc
- type: keyword
-ocsf.driver.file.hashes.algorithm:
- description:
- The hash algorithm used to create the digital fingerprint, normalized
- to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
- event source.
- name: ocsf.driver.file.hashes.algorithm
- type: keyword
-ocsf.driver.file.hashes.algorithm_id:
- description:
- The identifier of the normalized hash algorithm, which was used to
- create the digital fingerprint.
- name: ocsf.driver.file.hashes.algorithm_id
- type: keyword
-ocsf.driver.file.hashes.value:
- description: The digital fingerprint value.
- name: ocsf.driver.file.hashes.value
- type: keyword
-ocsf.driver.file.is_system:
- description: The indication of whether the object is part of the operating system.
- name: ocsf.driver.file.is_system
- type: boolean
-ocsf.driver.file.modified_time_dt:
- description: The time when the file was last modified.
- name: ocsf.driver.file.modified_time_dt
- type: date
-ocsf.driver.file.modifier.account.name:
- description: The name of the account (e.g. GCP Account Name).
- name: ocsf.driver.file.modifier.account.name
- type: keyword
-ocsf.driver.file.modifier.account.type:
- description:
- The account type, normalized to the caption of 'account_type_id'.
In
- the case of 'Other', it is defined by the event source.
- name: ocsf.driver.file.modifier.account.type
- type: keyword
-ocsf.driver.file.modifier.account.type_id:
- description: The normalized account type identifier.
- name: ocsf.driver.file.modifier.account.type_id
- type: keyword
-ocsf.driver.file.modifier.account.uid:
- description: The unique identifier of the account (e.g. AWS Account ID).
- name: ocsf.driver.file.modifier.account.uid
- type: keyword
-ocsf.driver.file.modifier.credential_uid:
- description:
- The unique identifier of the user's credential. For example, AWS Access
- Key ID.
- name: ocsf.driver.file.modifier.credential_uid
- type: keyword
-ocsf.driver.file.modifier.domain:
- description:
- "The domain where the user is defined. For example: the LDAP or Active
- Directory domain."
- name: ocsf.driver.file.modifier.domain
- type: keyword
-ocsf.driver.file.modifier.email_addr:
- description: The user's email address.
- name: ocsf.driver.file.modifier.email_addr
- type: keyword
-ocsf.driver.file.modifier.full_name:
- description:
- The full name of the person, as per the LDAP Common Name attribute
- (cn).
- name: ocsf.driver.file.modifier.full_name
- type: keyword
-ocsf.driver.file.modifier.groups.desc:
- description: The group description.
- name: ocsf.driver.file.modifier.groups.desc
- type: keyword
-ocsf.driver.file.modifier.groups.name:
- description: The group name.
- name: ocsf.driver.file.modifier.groups.name
- type: keyword
-ocsf.driver.file.modifier.groups.privileges:
- description: The group privileges.
- name: ocsf.driver.file.modifier.groups.privileges
- type: keyword
-ocsf.driver.file.modifier.groups.type:
- description: The type of the group or account.
- name: ocsf.driver.file.modifier.groups.type
- type: keyword
-ocsf.driver.file.modifier.groups.uid:
- description:
- The unique identifier of the group. For example, for Windows events
- this is the security identifier (SID) of the group.
- name: ocsf.driver.file.modifier.groups.uid
- type: keyword
-ocsf.driver.file.modifier.name:
- description: The username. For example, janedoe1.
- name: ocsf.driver.file.modifier.name
- type: keyword
-ocsf.driver.file.modifier.org.name:
- description: The name of the organization. For example, Widget, Inc.
- name: ocsf.driver.file.modifier.org.name
- type: keyword
-ocsf.driver.file.modifier.org.ou_name:
- description:
- The name of the organizational unit, within an organization. For example,
- Finance, IT, R&D.
- name: ocsf.driver.file.modifier.org.ou_name
- type: keyword
-ocsf.driver.file.modifier.org.ou_uid:
- description:
- The alternate identifier for an entity's unique identifier. For example,
- its Active Directory OU DN or AWS OU ID.
- name: ocsf.driver.file.modifier.org.ou_uid
- type: keyword
-ocsf.driver.file.modifier.org.uid:
- description:
- The unique identifier of the organization. For example, its Active
- Directory or AWS Org ID.
- name: ocsf.driver.file.modifier.org.uid
- type: keyword
-ocsf.driver.file.modifier.type:
- description: The type of the user. For example, System, AWS IAM User, etc.
- name: ocsf.driver.file.modifier.type
- type: keyword
-ocsf.driver.file.modifier.type_id:
- description: The account type identifier.
- name: ocsf.driver.file.modifier.type_id
- type: keyword
-ocsf.driver.file.modifier.uid:
- description:
- The unique user identifier. For example, the Windows user SID, ActiveDirectory
- DN or AWS user ARN.
- name: ocsf.driver.file.modifier.uid
- type: keyword
-ocsf.driver.file.modifier.uid_alt:
- description:
- The alternate user identifier. For example, the Active Directory user
- GUID or AWS user Principal ID.
- name: ocsf.driver.file.modifier.uid_alt
- type: keyword
-ocsf.driver.file.owner.account.name:
- description: The name of the account (e.g. GCP Account Name).
- name: ocsf.driver.file.owner.account.name
- type: keyword
-ocsf.driver.file.owner.account.type:
- description:
- The account type, normalized to the caption of 'account_type_id'. In
- the case of 'Other', it is defined by the event source.
- name: ocsf.driver.file.owner.account.type
- type: keyword
-ocsf.driver.file.owner.account.type_id:
- description: The normalized account type identifier.
- name: ocsf.driver.file.owner.account.type_id
- type: keyword
-ocsf.driver.file.owner.account.uid:
- description: The unique identifier of the account (e.g. AWS Account ID).
- name: ocsf.driver.file.owner.account.uid
- type: keyword
-ocsf.driver.file.owner.credential_uid:
- description:
- The unique identifier of the user's credential. For example, AWS Access
- Key ID.
- name: ocsf.driver.file.owner.credential_uid
- type: keyword
-ocsf.driver.file.owner.domain:
- description:
- "The domain where the user is defined. For example: the LDAP or Active
- Directory domain."
- name: ocsf.driver.file.owner.domain
- type: keyword
-ocsf.driver.file.owner.email_addr:
- description: The user's email address.
- name: ocsf.driver.file.owner.email_addr
- type: keyword
-ocsf.driver.file.owner.full_name:
- description:
- The full name of the person, as per the LDAP Common Name attribute
- (cn).
- name: ocsf.driver.file.owner.full_name
- type: keyword
-ocsf.driver.file.owner.groups.desc:
- description: The group description.
- name: ocsf.driver.file.owner.groups.desc
- type: keyword
-ocsf.driver.file.owner.groups.name:
- description: The group name.
- name: ocsf.driver.file.owner.groups.name
- type: keyword
-ocsf.driver.file.owner.groups.privileges:
- description: The group privileges.
- name: ocsf.driver.file.owner.groups.privileges
- type: keyword
-ocsf.driver.file.owner.groups.type:
- description: The type of the group or account.
- name: ocsf.driver.file.owner.groups.type
- type: keyword
-ocsf.driver.file.owner.groups.uid:
- description:
- The unique identifier of the group.
For example, for Windows events
- this is the security identifier (SID) of the group.
- name: ocsf.driver.file.owner.groups.uid
- type: keyword
-ocsf.driver.file.owner.org.name:
- description: The name of the organization. For example, Widget, Inc.
- name: ocsf.driver.file.owner.org.name
- type: keyword
-ocsf.driver.file.owner.org.ou_name:
- description:
- The name of the organizational unit, within an organization. For example,
- Finance, IT, R&D.
- name: ocsf.driver.file.owner.org.ou_name
- type: keyword
-ocsf.driver.file.owner.org.ou_uid:
- description:
- The alternate identifier for an entity's unique identifier. For example,
- its Active Directory OU DN or AWS OU ID.
- name: ocsf.driver.file.owner.org.ou_uid
- type: keyword
-ocsf.driver.file.owner.org.uid:
- description:
- The unique identifier of the organization. For example, its Active
- Directory or AWS Org ID.
- name: ocsf.driver.file.owner.org.uid
- type: keyword
-ocsf.driver.file.owner.type:
- description: The type of the user. For example, System, AWS IAM User, etc.
- name: ocsf.driver.file.owner.type
- type: keyword
-ocsf.driver.file.owner.type_id:
- description: The account type identifier.
- name: ocsf.driver.file.owner.type_id
- type: keyword
-ocsf.driver.file.owner.uid_alt:
- description:
- The alternate user identifier. For example, the Active Directory user
- GUID or AWS user Principal ID.
- name: ocsf.driver.file.owner.uid_alt
- type: keyword
-ocsf.driver.file.product.feature.name:
- description: The name of the feature.
- name: ocsf.driver.file.product.feature.name
- type: keyword
-ocsf.driver.file.product.feature.uid:
- description: The unique identifier of the feature.
- name: ocsf.driver.file.product.feature.uid
- type: keyword
-ocsf.driver.file.product.feature.version:
- description: The version of the feature.
- name: ocsf.driver.file.product.feature.version
- type: keyword
-ocsf.driver.file.product.lang:
- description:
- "The two letter lower case language codes, as defined by ISO 639-1.
- For example: en (English), de (German), or fr (French)."
- name: ocsf.driver.file.product.lang
- type: keyword
-ocsf.driver.file.product.name:
- description: The name of the product.
- name: ocsf.driver.file.product.name
- type: keyword
-ocsf.driver.file.product.path:
- description: The installation path of the product.
- name: ocsf.driver.file.product.path
- type: keyword
-ocsf.driver.file.product.uid:
- description: The unique identifier of the product.
- name: ocsf.driver.file.product.uid
- type: keyword
-ocsf.driver.file.product.vendor_name:
- description: The name of the vendor of the product.
- name: ocsf.driver.file.product.vendor_name
- type: keyword
-ocsf.driver.file.product.version:
- description:
- "The version of the product, as defined by the event source. For example:
- 2013.1.3-beta."
- name: ocsf.driver.file.product.version
- type: keyword
-ocsf.driver.file.security_descriptor:
- description: The object security descriptor.
- name: ocsf.driver.file.security_descriptor
- type: keyword
-ocsf.driver.file.signature.algorithm:
- description:
- The digital signature algorithm used to create the signature, normalized
- to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
- event source.
- name: ocsf.driver.file.signature.algorithm
- type: keyword
-ocsf.driver.file.signature.algorithm_id:
- description: The identifier of the normalized digital signature algorithm.
- name: ocsf.driver.file.signature.algorithm_id
- type: keyword
-ocsf.driver.file.signature.certificate.created_time:
- description: The time when the certificate was created.
- name: ocsf.driver.file.signature.certificate.created_time
- type: date
-ocsf.driver.file.signature.certificate.created_time_dt:
- description: The time when the certificate was created.
- name: ocsf.driver.file.signature.certificate.created_time_dt
- type: date
-ocsf.driver.file.signature.certificate.expiration_time_dt:
- description: The expiration time of the certificate.
- name: ocsf.driver.file.signature.certificate.expiration_time_dt
- type: date
-ocsf.driver.file.signature.certificate.fingerprints.algorithm:
- description:
- The hash algorithm used to create the digital fingerprint, normalized
- to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
- event source.
- name: ocsf.driver.file.signature.certificate.fingerprints.algorithm
- type: keyword
-ocsf.driver.file.signature.certificate.fingerprints.algorithm_id:
- description:
- The identifier of the normalized hash algorithm, which was used to
- create the digital fingerprint.
- name: ocsf.driver.file.signature.certificate.fingerprints.algorithm_id
- type: keyword
-ocsf.driver.file.signature.certificate.fingerprints.value:
- description: The digital fingerprint value.
- name: ocsf.driver.file.signature.certificate.fingerprints.value
- type: keyword
-ocsf.driver.file.signature.created_time:
- description: The time when the digital signature was created.
- name: ocsf.driver.file.signature.created_time
- type: date
-ocsf.driver.file.signature.created_time_dt:
- description: The time when the digital signature was created.
- name: ocsf.driver.file.signature.created_time_dt
- type: date
-ocsf.driver.file.signature.developer_uid:
- description: The developer ID on the certificate that signed the file.
- name: ocsf.driver.file.signature.developer_uid
- type: keyword
-ocsf.driver.file.signature.digest.algorithm:
- description:
- The hash algorithm used to create the digital fingerprint, normalized
- to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
- event source.
- name: ocsf.driver.file.signature.digest.algorithm
- type: keyword
-ocsf.driver.file.signature.digest.algorithm_id:
- description:
- The identifier of the normalized hash algorithm, which was used to
- create the digital fingerprint.
- name: ocsf.driver.file.signature.digest.algorithm_id
- type: keyword
-ocsf.driver.file.signature.digest.value:
- description: The digital fingerprint value.
- name: ocsf.driver.file.signature.digest.value
- type: keyword
-ocsf.driver.file.type_id:
- description: The file type ID.
- name: ocsf.driver.file.type_id
- type: keyword
-ocsf.driver.file.version:
- description: "The file version. For example: 8.0.7601.17514."
- name: ocsf.driver.file.version
- type: keyword
-ocsf.driver.file.xattributes:
- description:
- An unordered collection of zero or more name/value pairs where each
- pair represents a file or folder extended attribute.
- name: ocsf.driver.file.xattributes
- type: flattened
-ocsf.dst_endpoint.instance_uid:
- description: The unique identifier of a VM instance.
- name: ocsf.dst_endpoint.instance_uid
- type: keyword
-ocsf.dst_endpoint.interface_name:
- description: The name of the network interface (e.g. eth2).
- name: ocsf.dst_endpoint.interface_name
- type: keyword
-ocsf.dst_endpoint.interface_uid:
- description: The unique identifier of the network interface.
- name: ocsf.dst_endpoint.interface_uid
- type: keyword
-ocsf.dst_endpoint.intermediate_ips:
- description:
- The intermediate IP Addresses. For example, the IP addresses in the
- HTTP X-Forwarded-For header.
- name: ocsf.dst_endpoint.intermediate_ips
- type: ip
-ocsf.dst_endpoint.location.is_on_premises:
- description: The indication of whether the location is on premises.
- name: ocsf.dst_endpoint.location.is_on_premises
- type: boolean
-ocsf.dst_endpoint.location.isp:
- description: The name of the Internet Service Provider (ISP).
- name: ocsf.dst_endpoint.location.isp
- type: keyword
-ocsf.dst_endpoint.location.provider:
- description: The provider of the geographical location data.
- name: ocsf.dst_endpoint.location.provider
- type: keyword
-ocsf.dst_endpoint.name:
- description: The short name of the endpoint.
- name: ocsf.dst_endpoint.name - type: keyword -ocsf.dst_endpoint.subnet_uid: - description: The unique identifier of a virtual subnet. - name: ocsf.dst_endpoint.subnet_uid - type: keyword -ocsf.dst_endpoint.uid: - description: The unique identifier of the endpoint. - name: ocsf.dst_endpoint.uid - type: keyword -ocsf.dst_endpoint.vlan_uid: - description: The Virtual LAN identifier. - name: ocsf.dst_endpoint.vlan_uid - type: keyword -ocsf.dst_endpoint.vpc_uid: - description: The unique identifier of the Virtual Private Cloud (VPC). - name: ocsf.dst_endpoint.vpc_uid - type: keyword -ocsf.duration: - description: - The event duration or aggregate time, the amount of time the event - covers from start_time to end_time in milliseconds. - name: ocsf.duration - type: long -ocsf.email.delivered_to: - description: The Delivered-To email header field. - name: ocsf.email.delivered_to - type: keyword -ocsf.email.raw_header: - description: The email authentication header. - name: ocsf.email.raw_header - type: keyword -ocsf.email.size: - description: The size in bytes of the email, including attachments. - name: ocsf.email.size - type: long -ocsf.email.smtp_from: - description: The value of the SMTP MAIL FROM command. - name: ocsf.email.smtp_from - type: keyword -ocsf.email.smtp_to: - description: The value of the SMTP envelope RCPT TO command. - name: ocsf.email.smtp_to - type: keyword -ocsf.email.x_originating_ip: - description: The X-Originating-IP header identifying the emails originating IP address(es). - name: ocsf.email.x_originating_ip - type: ip -ocsf.email_auth.dkim: - description: The DomainKeys Identified Mail (DKIM) status of the email. - name: ocsf.email_auth.dkim - type: keyword -ocsf.email_auth.dkim_domain: - description: The DomainKeys Identified Mail (DKIM) signing domain of the email. 
- name: ocsf.email_auth.dkim_domain - type: keyword -ocsf.email_auth.dkim_signature: - description: - The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving - system. - name: ocsf.email_auth.dkim_signature - type: keyword -ocsf.email_auth.dmarc: - description: - The Domain-based Message Authentication, Reporting and Conformance - (DMARC) status of the email. - name: ocsf.email_auth.dmarc - type: keyword -ocsf.email_auth.dmarc_override: - description: - The Domain-based Message Authentication, Reporting and Conformance - (DMARC) override action. - name: ocsf.email_auth.dmarc_override - type: keyword -ocsf.email_auth.dmarc_policy: - description: - The Domain-based Message Authentication, Reporting and Conformance - (DMARC) policy status. - name: ocsf.email_auth.dmarc_policy - type: keyword -ocsf.email_auth.spf: - description: The Sender Policy Framework (SPF) status of the email. - name: ocsf.email_auth.spf - type: keyword -ocsf.end_time_dt: - description: - The end time of a time period, or the time of the most recent event - included in the aggregate event. - name: ocsf.end_time_dt - type: date -ocsf.enrichments.data: - description: - The enrichment data associated with the attribute and value. The meaning - of this data depends on the type the enrichment record. - name: ocsf.enrichments.data - type: flattened -ocsf.enrichments.name: - description: The name of the attribute to which the enriched data pertains. - name: ocsf.enrichments.name - type: keyword -ocsf.enrichments.provider: - description: The enrichment data provider name. - name: ocsf.enrichments.provider - type: keyword -ocsf.enrichments.type: - description: The enrichment type. For example, location. - name: ocsf.enrichments.type - type: keyword -ocsf.enrichments.value: - description: The value of the attribute to which the enriched data pertains. - name: ocsf.enrichments.value - type: keyword -ocsf.entity.data: - description: The managed entity content as a JSON object. 
- name: ocsf.entity.data - type: flattened -ocsf.entity.name: - description: The name of the managed entity. - name: ocsf.entity.name - type: keyword -ocsf.entity.type: - description: The managed entity type. - name: ocsf.entity.type - type: keyword -ocsf.entity.uid: - description: The identifier of the managed entity. - name: ocsf.entity.uid - type: keyword -ocsf.entity.version: - description: The version of the managed entity. - name: ocsf.entity.version - type: keyword -ocsf.entity_result.data: - description: The managed entity content as a JSON object. - name: ocsf.entity_result.data - type: flattened -ocsf.entity_result.name: - description: The name of the managed entity. - name: ocsf.entity_result.name - type: keyword -ocsf.entity_result.type: - description: The managed entity type. - name: ocsf.entity_result.type - type: keyword -ocsf.entity_result.uid: - description: The identifier of the managed entity. - name: ocsf.entity_result.uid - type: keyword -ocsf.entity_result.version: - description: The version of the managed entity. - name: ocsf.entity_result.version - type: keyword -ocsf.evidence: - description: The data the finding exposes to the analyst. - name: ocsf.evidence - type: flattened -ocsf.expiration_time: - description: The share expiration time. - name: ocsf.expiration_time - type: date -ocsf.expiration_time_dt: - description: The share expiration time. - name: ocsf.expiration_time_dt - type: date -ocsf.file.accessed_time_dt: - description: The time when the file was last accessed. - name: ocsf.file.accessed_time_dt - type: date -ocsf.file.accessor.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.file.accessor.account.name - type: keyword -ocsf.file.accessor.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. 
- name: ocsf.file.accessor.account.type - type: keyword -ocsf.file.accessor.account.type_id: - description: The normalized account type identifier. - name: ocsf.file.accessor.account.type_id - type: keyword -ocsf.file.accessor.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.file.accessor.account.uid - type: keyword -ocsf.file.accessor.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.file.accessor.credential_uid - type: keyword -ocsf.file.accessor.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.file.accessor.domain - type: keyword -ocsf.file.accessor.email_addr: - description: The user's email address. - name: ocsf.file.accessor.email_addr - type: keyword -ocsf.file.accessor.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.file.accessor.full_name - type: keyword -ocsf.file.accessor.groups.desc: - description: The group description. - name: ocsf.file.accessor.groups.desc - type: keyword -ocsf.file.accessor.groups.name: - description: The group name. - name: ocsf.file.accessor.groups.name - type: keyword -ocsf.file.accessor.groups.privileges: - description: The group privileges. - name: ocsf.file.accessor.groups.privileges - type: keyword -ocsf.file.accessor.groups.type: - description: The type of the group or account. - name: ocsf.file.accessor.groups.type - type: keyword -ocsf.file.accessor.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.file.accessor.groups.uid - type: keyword -ocsf.file.accessor.name: - description: The username. For example, janedoe1. - name: ocsf.file.accessor.name - type: keyword -ocsf.file.accessor.org.name: - description: The name of the organization. 
For example, Widget, Inc. - name: ocsf.file.accessor.org.name - type: keyword -ocsf.file.accessor.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.file.accessor.org.ou_name - type: keyword -ocsf.file.accessor.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.file.accessor.org.ou_uid - type: keyword -ocsf.file.accessor.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.file.accessor.org.uid - type: keyword -ocsf.file.accessor.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.file.accessor.type - type: keyword -ocsf.file.accessor.type_id: - description: The account type identifier. - name: ocsf.file.accessor.type_id - type: keyword -ocsf.file.accessor.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.file.accessor.uid - type: keyword -ocsf.file.accessor.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.file.accessor.uid_alt - type: keyword -ocsf.file.attributes: - description: The Bitmask value that represents the file attributes. - name: ocsf.file.attributes - type: long -ocsf.file.company_name: - description: - "The name of the company that published the file. For example: Microsoft - Corporation." - name: ocsf.file.company_name - type: keyword -ocsf.file.confidentiality: - description: - The file content confidentiality, normalized to the confidentiality_id - value. In the case of 'Other', it is defined by the event source. 
- name: ocsf.file.confidentiality - type: keyword -ocsf.file.confidentiality_id: - description: The normalized identifier of the file content confidentiality indicator. - name: ocsf.file.confidentiality_id - type: keyword -ocsf.file.created_time_dt: - description: The time when the file was created. - name: ocsf.file.created_time_dt - type: date -ocsf.file.creator.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.file.creator.account.name - type: keyword -ocsf.file.creator.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.file.creator.account.type - type: keyword -ocsf.file.creator.account.type_id: - description: The normalized account type identifier. - name: ocsf.file.creator.account.type_id - type: keyword -ocsf.file.creator.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.file.creator.account.uid - type: keyword -ocsf.file.creator.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.file.creator.credential_uid - type: keyword -ocsf.file.creator.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.file.creator.domain - type: keyword -ocsf.file.creator.email_addr: - description: The user's email address. - name: ocsf.file.creator.email_addr - type: keyword -ocsf.file.creator.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.file.creator.full_name - type: keyword -ocsf.file.creator.groups.desc: - description: The group description. - name: ocsf.file.creator.groups.desc - type: keyword -ocsf.file.creator.groups.name: - description: The group name. 
- name: ocsf.file.creator.groups.name - type: keyword -ocsf.file.creator.groups.privileges: - description: The group privileges. - name: ocsf.file.creator.groups.privileges - type: keyword -ocsf.file.creator.groups.type: - description: The type of the group or account. - name: ocsf.file.creator.groups.type - type: keyword -ocsf.file.creator.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.file.creator.groups.uid - type: keyword -ocsf.file.creator.name: - description: The username. For example, janedoe1. - name: ocsf.file.creator.name - type: keyword -ocsf.file.creator.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.file.creator.org.name - type: keyword -ocsf.file.creator.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.file.creator.org.ou_name - type: keyword -ocsf.file.creator.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.file.creator.org.ou_uid - type: keyword -ocsf.file.creator.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.file.creator.org.uid - type: keyword -ocsf.file.creator.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.file.creator.type - type: keyword -ocsf.file.creator.type_id: - description: The account type identifier. - name: ocsf.file.creator.type_id - type: keyword -ocsf.file.creator.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.file.creator.uid - type: keyword -ocsf.file.creator.uid_alt: - description: - The alternate user identifier. 
For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.file.creator.uid_alt - type: keyword -ocsf.file.desc: - description: - "The description of the file, as returned by file system. For example: - the description as returned by the Unix file command or the Windows file type." - name: ocsf.file.desc - type: keyword -ocsf.file.hashes.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.file.hashes.algorithm - type: keyword -ocsf.file.hashes.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.file.hashes.algorithm_id - type: keyword -ocsf.file.hashes.value: - description: The digital fingerprint value. - name: ocsf.file.hashes.value - type: keyword -ocsf.file.is_system: - description: The indication of whether the object is part of the operating system. - name: ocsf.file.is_system - type: boolean -ocsf.file.modified_time_dt: - description: The time when the file was last modified. - name: ocsf.file.modified_time_dt - type: date -ocsf.file.modifier.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.file.modifier.account.name - type: keyword -ocsf.file.modifier.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.file.modifier.account.type - type: keyword -ocsf.file.modifier.account.type_id: - description: The normalized account type identifier. - name: ocsf.file.modifier.account.type_id - type: keyword -ocsf.file.modifier.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). 
- name: ocsf.file.modifier.account.uid - type: keyword -ocsf.file.modifier.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.file.modifier.credential_uid - type: keyword -ocsf.file.modifier.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.file.modifier.domain - type: keyword -ocsf.file.modifier.email_addr: - description: The user's email address. - name: ocsf.file.modifier.email_addr - type: keyword -ocsf.file.modifier.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.file.modifier.full_name - type: keyword -ocsf.file.modifier.groups.desc: - description: The group description. - name: ocsf.file.modifier.groups.desc - type: keyword -ocsf.file.modifier.groups.name: - description: The group name. - name: ocsf.file.modifier.groups.name - type: keyword -ocsf.file.modifier.groups.privileges: - description: The group privileges. - name: ocsf.file.modifier.groups.privileges - type: keyword -ocsf.file.modifier.groups.type: - description: The type of the group or account. - name: ocsf.file.modifier.groups.type - type: keyword -ocsf.file.modifier.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.file.modifier.groups.uid - type: keyword -ocsf.file.modifier.name: - description: The username. For example, janedoe1. - name: ocsf.file.modifier.name - type: keyword -ocsf.file.modifier.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.file.modifier.org.name - type: keyword -ocsf.file.modifier.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. 
- name: ocsf.file.modifier.org.ou_name - type: keyword -ocsf.file.modifier.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.file.modifier.org.ou_uid - type: keyword -ocsf.file.modifier.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.file.modifier.org.uid - type: keyword -ocsf.file.modifier.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.file.modifier.type - type: keyword -ocsf.file.modifier.type_id: - description: The account type identifier. - name: ocsf.file.modifier.type_id - type: keyword -ocsf.file.modifier.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.file.modifier.uid - type: keyword -ocsf.file.modifier.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.file.modifier.uid_alt - type: keyword -ocsf.file.owner.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.file.owner.account.name - type: keyword -ocsf.file.owner.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.file.owner.account.type - type: keyword -ocsf.file.owner.account.type_id: - description: The normalized account type identifier. - name: ocsf.file.owner.account.type_id - type: keyword -ocsf.file.owner.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.file.owner.account.uid - type: keyword -ocsf.file.owner.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. 
- name: ocsf.file.owner.credential_uid - type: keyword -ocsf.file.owner.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.file.owner.domain - type: keyword -ocsf.file.owner.email_addr: - description: The user's email address. - name: ocsf.file.owner.email_addr - type: keyword -ocsf.file.owner.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.file.owner.full_name - type: keyword -ocsf.file.owner.groups.desc: - description: The group description. - name: ocsf.file.owner.groups.desc - type: keyword -ocsf.file.owner.groups.name: - description: The group name. - name: ocsf.file.owner.groups.name - type: keyword -ocsf.file.owner.groups.privileges: - description: The group privileges. - name: ocsf.file.owner.groups.privileges - type: keyword -ocsf.file.owner.groups.type: - description: The type of the group or account. - name: ocsf.file.owner.groups.type - type: keyword -ocsf.file.owner.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.file.owner.groups.uid - type: keyword -ocsf.file.owner.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.file.owner.org.name - type: keyword -ocsf.file.owner.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.file.owner.org.ou_name - type: keyword -ocsf.file.owner.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.file.owner.org.ou_uid - type: keyword -ocsf.file.owner.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. 
- name: ocsf.file.owner.org.uid - type: keyword -ocsf.file.owner.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.file.owner.type - type: keyword -ocsf.file.owner.type_id: - description: The account type identifier. - name: ocsf.file.owner.type_id - type: keyword -ocsf.file.owner.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.file.owner.uid_alt - type: keyword -ocsf.file.product.feature.name: - description: The name of the feature. - name: ocsf.file.product.feature.name - type: keyword -ocsf.file.product.feature.uid: - description: The unique identifier of the feature. - name: ocsf.file.product.feature.uid - type: keyword -ocsf.file.product.feature.version: - description: The version of the feature. - name: ocsf.file.product.feature.version - type: keyword -ocsf.file.product.lang: - description: - "The two letter lower case language codes, as defined by ISO 639-1. - For example: en (English), de (German), or fr (French)." - name: ocsf.file.product.lang - type: keyword -ocsf.file.product.name: - description: The name of the product. - name: ocsf.file.product.name - type: keyword -ocsf.file.product.path: - description: The installation path of the product. - name: ocsf.file.product.path - type: keyword -ocsf.file.product.uid: - description: The unique identifier of the product. - name: ocsf.file.product.uid - type: keyword -ocsf.file.product.url_string: - description: The URL pointing towards the product. - name: ocsf.file.product.url_string - type: keyword -ocsf.file.product.vendor_name: - description: The name of the vendor of the product. - name: ocsf.file.product.vendor_name - type: keyword -ocsf.file.product.version: - description: - "The version of the product, as defined by the event source. For example: - 2013.1.3-beta." 
- name: ocsf.file.product.version - type: keyword -ocsf.file.security_descriptor: - description: The object security descriptor. - name: ocsf.file.security_descriptor - type: keyword -ocsf.file.signature.algorithm: - description: - The digital signature algorithm used to create the signature, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.file.signature.algorithm - type: keyword -ocsf.file.signature.algorithm_id: - description: The identifier of the normalized digital signature algorithm. - name: ocsf.file.signature.algorithm_id - type: keyword -ocsf.file.signature.certificate.created_time: - description: The time when the certificate was created. - name: ocsf.file.signature.certificate.created_time - type: date -ocsf.file.signature.certificate.created_time_dt: - description: The time when the certificate was created. - name: ocsf.file.signature.certificate.created_time_dt - type: date -ocsf.file.signature.certificate.expiration_time_dt: - description: The expiration time of the certificate. - name: ocsf.file.signature.certificate.expiration_time_dt - type: date -ocsf.file.signature.certificate.fingerprints.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.file.signature.certificate.fingerprints.algorithm - type: keyword -ocsf.file.signature.certificate.fingerprints.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.file.signature.certificate.fingerprints.algorithm_id - type: keyword -ocsf.file.signature.certificate.fingerprints.value: - description: The digital fingerprint value. 
- name: ocsf.file.signature.certificate.fingerprints.value - type: keyword -ocsf.file.signature.created_time: - description: The time when the digital signature was created. - name: ocsf.file.signature.created_time - type: date -ocsf.file.signature.created_time_dt: - description: The time when the digital signature was created. - name: ocsf.file.signature.created_time_dt - type: date -ocsf.file.signature.developer_uid: - description: The developer ID on the certificate that signed the file. - name: ocsf.file.signature.developer_uid - type: keyword -ocsf.file.signature.digest.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.file.signature.digest.algorithm - type: keyword -ocsf.file.signature.digest.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.file.signature.digest.algorithm_id - type: keyword -ocsf.file.signature.digest.value: - description: The digital fingerprint value. - name: ocsf.file.signature.digest.value - type: keyword -ocsf.file.type_id: - description: The file type ID. - name: ocsf.file.type_id - type: keyword -ocsf.file.version: - description: "The file version. For example: 8.0.7601.17514." - name: ocsf.file.version - type: keyword -ocsf.file.xattributes: - description: - An unordered collection of zero or more name/value pairs where each - pair represents a file or folder extended attribute. - name: ocsf.file.xattributes - type: flattened -ocsf.file_diff: - description: - File content differences used for change detection. For example, a - common use case is to identify itemized changes within INI or configuration/property - setting values. - name: ocsf.file_diff - type: keyword -ocsf.file_result.accessed_time: - description: The time when the file was last accessed. 
- name: ocsf.file_result.accessed_time - type: date -ocsf.file_result.accessed_time_dt: - description: The time when the file was last accessed. - name: ocsf.file_result.accessed_time_dt - type: date -ocsf.file_result.accessor.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.file_result.accessor.account.name - type: keyword -ocsf.file_result.accessor.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.file_result.accessor.account.type - type: keyword -ocsf.file_result.accessor.account.type_id: - description: The normalized account type identifier. - name: ocsf.file_result.accessor.account.type_id - type: keyword -ocsf.file_result.accessor.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.file_result.accessor.account.uid - type: keyword -ocsf.file_result.accessor.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.file_result.accessor.credential_uid - type: keyword -ocsf.file_result.accessor.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.file_result.accessor.domain - type: keyword -ocsf.file_result.accessor.email_addr: - description: The user's email address. - name: ocsf.file_result.accessor.email_addr - type: keyword -ocsf.file_result.accessor.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.file_result.accessor.full_name - type: keyword -ocsf.file_result.accessor.groups.desc: - description: The group description. - name: ocsf.file_result.accessor.groups.desc - type: keyword -ocsf.file_result.accessor.groups.name: - description: The group name. 
- name: ocsf.file_result.accessor.groups.name - type: keyword -ocsf.file_result.accessor.groups.privileges: - description: The group privileges. - name: ocsf.file_result.accessor.groups.privileges - type: keyword -ocsf.file_result.accessor.groups.type: - description: The type of the group or account. - name: ocsf.file_result.accessor.groups.type - type: keyword -ocsf.file_result.accessor.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.file_result.accessor.groups.uid - type: keyword -ocsf.file_result.accessor.name: - description: The username. For example, janedoe1. - name: ocsf.file_result.accessor.name - type: keyword -ocsf.file_result.accessor.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.file_result.accessor.org.name - type: keyword -ocsf.file_result.accessor.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.file_result.accessor.org.ou_name - type: keyword -ocsf.file_result.accessor.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.file_result.accessor.org.ou_uid - type: keyword -ocsf.file_result.accessor.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.file_result.accessor.org.uid - type: keyword -ocsf.file_result.accessor.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.file_result.accessor.type - type: keyword -ocsf.file_result.accessor.type_id: - description: The account type identifier. - name: ocsf.file_result.accessor.type_id - type: keyword -ocsf.file_result.accessor.uid: - description: - The unique user identifier. 
For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.file_result.accessor.uid - type: keyword -ocsf.file_result.accessor.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.file_result.accessor.uid_alt - type: keyword -ocsf.file_result.attributes: - description: The Bitmask value that represents the file attributes. - name: ocsf.file_result.attributes - type: long -ocsf.file_result.company_name: - description: - "The name of the company that published the file. For example: Microsoft - Corporation." - name: ocsf.file_result.company_name - type: keyword -ocsf.file_result.confidentiality: - description: - The file content confidentiality, normalized to the confidentiality_id - value. In the case of 'Other', it is defined by the event source. - name: ocsf.file_result.confidentiality - type: keyword -ocsf.file_result.confidentiality_id: - description: The normalized identifier of the file content confidentiality indicator. - name: ocsf.file_result.confidentiality_id - type: keyword -ocsf.file_result.created_time: - description: The time when the file was created. - name: ocsf.file_result.created_time - type: date -ocsf.file_result.created_time_dt: - description: The time when the file was created. - name: ocsf.file_result.created_time_dt - type: date -ocsf.file_result.creator.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.file_result.creator.account.name - type: keyword -ocsf.file_result.creator.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.file_result.creator.account.type - type: keyword -ocsf.file_result.creator.account.type_id: - description: The normalized account type identifier. 
- name: ocsf.file_result.creator.account.type_id - type: keyword -ocsf.file_result.creator.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.file_result.creator.account.uid - type: keyword -ocsf.file_result.creator.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.file_result.creator.credential_uid - type: keyword -ocsf.file_result.creator.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.file_result.creator.domain - type: keyword -ocsf.file_result.creator.email_addr: - description: The user's email address. - name: ocsf.file_result.creator.email_addr - type: keyword -ocsf.file_result.creator.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.file_result.creator.full_name - type: keyword -ocsf.file_result.creator.groups.desc: - description: The group description. - name: ocsf.file_result.creator.groups.desc - type: keyword -ocsf.file_result.creator.groups.name: - description: The group name. - name: ocsf.file_result.creator.groups.name - type: keyword -ocsf.file_result.creator.groups.privileges: - description: The group privileges. - name: ocsf.file_result.creator.groups.privileges - type: keyword -ocsf.file_result.creator.groups.type: - description: The type of the group or account. - name: ocsf.file_result.creator.groups.type - type: keyword -ocsf.file_result.creator.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.file_result.creator.groups.uid - type: keyword -ocsf.file_result.creator.name: - description: The username. For example, janedoe1. - name: ocsf.file_result.creator.name - type: keyword -ocsf.file_result.creator.org.name: - description: The name of the organization. 
For example, Widget, Inc. - name: ocsf.file_result.creator.org.name - type: keyword -ocsf.file_result.creator.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.file_result.creator.org.ou_name - type: keyword -ocsf.file_result.creator.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.file_result.creator.org.ou_uid - type: keyword -ocsf.file_result.creator.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.file_result.creator.org.uid - type: keyword -ocsf.file_result.creator.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.file_result.creator.type - type: keyword -ocsf.file_result.creator.type_id: - description: The account type identifier. - name: ocsf.file_result.creator.type_id - type: keyword -ocsf.file_result.creator.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.file_result.creator.uid - type: keyword -ocsf.file_result.creator.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.file_result.creator.uid_alt - type: keyword -ocsf.file_result.desc: - description: - "The description of the file, as returned by file system. For example: - the description as returned by the Unix file command or the Windows file type." - name: ocsf.file_result.desc - type: keyword -ocsf.file_result.hashes.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. 
- name: ocsf.file_result.hashes.algorithm - type: keyword -ocsf.file_result.hashes.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.file_result.hashes.algorithm_id - type: keyword -ocsf.file_result.hashes.value: - description: The digital fingerprint value. - name: ocsf.file_result.hashes.value - type: keyword -ocsf.file_result.is_system: - description: The indication of whether the object is part of the operating system. - name: ocsf.file_result.is_system - type: boolean -ocsf.file_result.mime_type: - description: - The Multipurpose Internet Mail Extensions (MIME) type of the file, - if applicable. - name: ocsf.file_result.mime_type - type: keyword -ocsf.file_result.modified_time: - description: The time when the file was last modified. - name: ocsf.file_result.modified_time - type: date -ocsf.file_result.modified_time_dt: - description: The time when the file was last modified. - name: ocsf.file_result.modified_time_dt - type: date -ocsf.file_result.modifier.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.file_result.modifier.account.name - type: keyword -ocsf.file_result.modifier.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.file_result.modifier.account.type - type: keyword -ocsf.file_result.modifier.account.type_id: - description: The normalized account type identifier. - name: ocsf.file_result.modifier.account.type_id - type: keyword -ocsf.file_result.modifier.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.file_result.modifier.account.uid - type: keyword -ocsf.file_result.modifier.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. 
- name: ocsf.file_result.modifier.credential_uid - type: keyword -ocsf.file_result.modifier.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.file_result.modifier.domain - type: keyword -ocsf.file_result.modifier.email_addr: - description: The user's email address. - name: ocsf.file_result.modifier.email_addr - type: keyword -ocsf.file_result.modifier.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.file_result.modifier.full_name - type: keyword -ocsf.file_result.modifier.groups.desc: - description: The group description. - name: ocsf.file_result.modifier.groups.desc - type: keyword -ocsf.file_result.modifier.groups.name: - description: The group name. - name: ocsf.file_result.modifier.groups.name - type: keyword -ocsf.file_result.modifier.groups.privileges: - description: The group privileges. - name: ocsf.file_result.modifier.groups.privileges - type: keyword -ocsf.file_result.modifier.groups.type: - description: The type of the group or account. - name: ocsf.file_result.modifier.groups.type - type: keyword -ocsf.file_result.modifier.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.file_result.modifier.groups.uid - type: keyword -ocsf.file_result.modifier.name: - description: The username. For example, janedoe1. - name: ocsf.file_result.modifier.name - type: keyword -ocsf.file_result.modifier.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.file_result.modifier.org.name - type: keyword -ocsf.file_result.modifier.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. 
- name: ocsf.file_result.modifier.org.ou_name - type: keyword -ocsf.file_result.modifier.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.file_result.modifier.org.ou_uid - type: keyword -ocsf.file_result.modifier.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.file_result.modifier.org.uid - type: keyword -ocsf.file_result.modifier.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.file_result.modifier.type - type: keyword -ocsf.file_result.modifier.type_id: - description: The account type identifier. - name: ocsf.file_result.modifier.type_id - type: keyword -ocsf.file_result.modifier.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.file_result.modifier.uid - type: keyword -ocsf.file_result.modifier.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.file_result.modifier.uid_alt - type: keyword -ocsf.file_result.name: - description: "The name of the file. For example: svchost.exe." - name: ocsf.file_result.name - type: keyword -ocsf.file_result.owner.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.file_result.owner.account.name - type: keyword -ocsf.file_result.owner.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.file_result.owner.account.type - type: keyword -ocsf.file_result.owner.account.type_id: - description: The normalized account type identifier. 
- name: ocsf.file_result.owner.account.type_id - type: keyword -ocsf.file_result.owner.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.file_result.owner.account.uid - type: keyword -ocsf.file_result.owner.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.file_result.owner.credential_uid - type: keyword -ocsf.file_result.owner.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.file_result.owner.domain - type: keyword -ocsf.file_result.owner.email_addr: - description: The user's email address. - name: ocsf.file_result.owner.email_addr - type: keyword -ocsf.file_result.owner.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.file_result.owner.full_name - type: keyword -ocsf.file_result.owner.groups.desc: - description: The group description. - name: ocsf.file_result.owner.groups.desc - type: keyword -ocsf.file_result.owner.groups.name: - description: The group name. - name: ocsf.file_result.owner.groups.name - type: keyword -ocsf.file_result.owner.groups.privileges: - description: The group privileges. - name: ocsf.file_result.owner.groups.privileges - type: keyword -ocsf.file_result.owner.groups.type: - description: The type of the group or account. - name: ocsf.file_result.owner.groups.type - type: keyword -ocsf.file_result.owner.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.file_result.owner.groups.uid - type: keyword -ocsf.file_result.owner.name: - description: The username. For example, janedoe1. - name: ocsf.file_result.owner.name - type: keyword -ocsf.file_result.owner.org.name: - description: The name of the organization. For example, Widget, Inc. 
- name: ocsf.file_result.owner.org.name - type: keyword -ocsf.file_result.owner.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.file_result.owner.org.ou_name - type: keyword -ocsf.file_result.owner.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.file_result.owner.org.ou_uid - type: keyword -ocsf.file_result.owner.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.file_result.owner.org.uid - type: keyword -ocsf.file_result.owner.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.file_result.owner.type - type: keyword -ocsf.file_result.owner.type_id: - description: The account type identifier. - name: ocsf.file_result.owner.type_id - type: keyword -ocsf.file_result.owner.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.file_result.owner.uid - type: keyword -ocsf.file_result.owner.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.file_result.owner.uid_alt - type: keyword -ocsf.file_result.parent_folder: - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - name: ocsf.file_result.parent_folder - type: keyword -ocsf.file_result.path: - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - name: ocsf.file_result.path - type: keyword -ocsf.file_result.product.feature.name: - description: The name of the feature. - name: ocsf.file_result.product.feature.name - type: keyword -ocsf.file_result.product.feature.uid: - description: The unique identifier of the feature. 
- name: ocsf.file_result.product.feature.uid - type: keyword -ocsf.file_result.product.feature.version: - description: The version of the feature. - name: ocsf.file_result.product.feature.version - type: keyword -ocsf.file_result.product.lang: - description: - "The two letter lower case language codes, as defined by ISO 639-1. - For example: en (English), de (German), or fr (French)." - name: ocsf.file_result.product.lang - type: keyword -ocsf.file_result.product.name: - description: The name of the product. - name: ocsf.file_result.product.name - type: keyword -ocsf.file_result.product.path: - description: The installation path of the product. - name: ocsf.file_result.product.path - type: keyword -ocsf.file_result.product.uid: - description: The unique identifier of the product. - name: ocsf.file_result.product.uid - type: keyword -ocsf.file_result.product.vendor_name: - description: The name of the vendor of the product. - name: ocsf.file_result.product.vendor_name - type: keyword -ocsf.file_result.product.version: - description: - "The version of the product, as defined by the event source. For example: - 2013.1.3-beta." - name: ocsf.file_result.product.version - type: keyword -ocsf.file_result.security_descriptor: - description: The object security descriptor. - name: ocsf.file_result.security_descriptor - type: keyword -ocsf.file_result.signature.algorithm: - description: - The digital signature algorithm used to create the signature, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.file_result.signature.algorithm - type: keyword -ocsf.file_result.signature.algorithm_id: - description: The identifier of the normalized digital signature algorithm. - name: ocsf.file_result.signature.algorithm_id - type: keyword -ocsf.file_result.signature.certificate.created_time: - description: The time when the certificate was created. 
- name: ocsf.file_result.signature.certificate.created_time - type: date -ocsf.file_result.signature.certificate.created_time_dt: - description: The time when the certificate was created. - name: ocsf.file_result.signature.certificate.created_time_dt - type: date -ocsf.file_result.signature.certificate.expiration_time: - description: The expiration time of the certificate. - name: ocsf.file_result.signature.certificate.expiration_time - type: date -ocsf.file_result.signature.certificate.expiration_time_dt: - description: The expiration time of the certificate. - name: ocsf.file_result.signature.certificate.expiration_time_dt - type: date -ocsf.file_result.signature.certificate.fingerprints.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.file_result.signature.certificate.fingerprints.algorithm - type: keyword -ocsf.file_result.signature.certificate.fingerprints.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.file_result.signature.certificate.fingerprints.algorithm_id - type: keyword -ocsf.file_result.signature.certificate.fingerprints.value: - description: The digital fingerprint value. - name: ocsf.file_result.signature.certificate.fingerprints.value - type: keyword -ocsf.file_result.signature.certificate.issuer: - description: The certificate issuer distinguished name. - name: ocsf.file_result.signature.certificate.issuer - type: keyword -ocsf.file_result.signature.certificate.serial_number: - description: The serial number of the certificate used to create the digital signature. - name: ocsf.file_result.signature.certificate.serial_number - type: keyword -ocsf.file_result.signature.certificate.subject: - description: The certificate subject distinguished name. 
- name: ocsf.file_result.signature.certificate.subject - type: keyword -ocsf.file_result.signature.certificate.version: - description: The certificate version. - name: ocsf.file_result.signature.certificate.version - type: keyword -ocsf.file_result.signature.created_time: - description: The time when the digital signature was created. - name: ocsf.file_result.signature.created_time - type: date -ocsf.file_result.signature.created_time_dt: - description: The time when the digital signature was created. - name: ocsf.file_result.signature.created_time_dt - type: date -ocsf.file_result.signature.developer_uid: - description: The developer ID on the certificate that signed the file. - name: ocsf.file_result.signature.developer_uid - type: keyword -ocsf.file_result.signature.digest.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.file_result.signature.digest.algorithm - type: keyword -ocsf.file_result.signature.digest.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.file_result.signature.digest.algorithm_id - type: keyword -ocsf.file_result.signature.digest.value: - description: The digital fingerprint value. - name: ocsf.file_result.signature.digest.value - type: keyword -ocsf.file_result.size: - description: The size of data, in bytes. - name: ocsf.file_result.size - type: long -ocsf.file_result.type: - description: The file type. - name: ocsf.file_result.type - type: keyword -ocsf.file_result.type_id: - description: The file type ID. - name: ocsf.file_result.type_id - type: keyword -ocsf.file_result.uid: - description: - The unique identifier of the file as defined by the storage system, - such the file system file ID. 
- name: ocsf.file_result.uid - type: keyword -ocsf.file_result.version: - description: "The file version. For example: 8.0.7601.17514." - name: ocsf.file_result.version - type: keyword -ocsf.file_result.xattributes: - description: - An unordered collection of zero or more name/value pairs where each - pair represents a file or folder extended attribute. - name: ocsf.file_result.xattributes - type: flattened -ocsf.finding.created_time_dt: - description: The time when the finding was created. - name: ocsf.finding.created_time_dt - type: date -ocsf.finding.desc: - description: The description of the reported finding. - name: ocsf.finding.desc - type: keyword -ocsf.finding.first_seen_time: - description: The time when the finding was first observed. - name: ocsf.finding.first_seen_time - type: date -ocsf.finding.first_seen_time_dt: - description: The time when the finding was first observed. - name: ocsf.finding.first_seen_time_dt - type: date -ocsf.finding.last_seen_time: - description: The time when the finding was most recently observed. - name: ocsf.finding.last_seen_time - type: date -ocsf.finding.last_seen_time_dt: - description: The time when the finding was most recently observed. - name: ocsf.finding.last_seen_time_dt - type: date -ocsf.finding.modified_time: - description: The time when the finding was last modified. - name: ocsf.finding.modified_time - type: date -ocsf.finding.modified_time_dt: - description: The time when the finding was last modified. - name: ocsf.finding.modified_time_dt - type: date -ocsf.finding.product_uid: - description: The unique identifier of the product that reported the finding. - name: ocsf.finding.product_uid - type: keyword -ocsf.finding.related_events.product_uid: - description: The unique identifier of the product that reported the related event. - name: ocsf.finding.related_events.product_uid - type: keyword -ocsf.finding.related_events.type: - description: "The type of the related event. 
For example: Process Activity: Launch." - name: ocsf.finding.related_events.type - type: keyword -ocsf.finding.related_events.type_uid: - description: "The unique identifier of the related event type. For example: 100701." - name: ocsf.finding.related_events.type_uid - type: keyword -ocsf.finding.related_events.uid: - description: The unique identifier of the related event. - name: ocsf.finding.related_events.uid - type: keyword -ocsf.finding.remediation.desc: - description: The description of the remediation strategy. - name: ocsf.finding.remediation.desc - type: keyword -ocsf.finding.remediation.kb_articles: - description: The KB article/s related to the entity. - name: ocsf.finding.remediation.kb_articles - type: keyword -ocsf.finding.supporting_data: - description: Additional data supporting a finding as provided by security tool. - name: ocsf.finding.supporting_data - type: flattened -ocsf.finding.title: - description: The title of the reported finding. - name: ocsf.finding.title - type: keyword -ocsf.finding.types: - description: One or more types of the reported finding. - name: ocsf.finding.types - type: keyword -ocsf.finding.uid: - description: The unique identifier of the reported finding. - name: ocsf.finding.uid - type: keyword -ocsf.group.desc: - description: The group description. - name: ocsf.group.desc - type: keyword -ocsf.group.privileges: - description: The group privileges. - name: ocsf.group.privileges - type: keyword -ocsf.group.type: - description: The type of the group or account. - name: ocsf.group.type - type: keyword -ocsf.http_request.args: - description: The arguments sent along with the HTTP request. - name: ocsf.http_request.args - type: keyword -ocsf.http_request.http_headers.name: - description: The name of the header. - name: ocsf.http_request.http_headers.name - type: keyword -ocsf.http_request.http_headers.value: - description: The value of the header. 
- name: ocsf.http_request.http_headers.value - type: keyword -ocsf.http_request.url.categories: - description: The Website categorization names, as defined by category_ids enum values. - name: ocsf.http_request.url.categories - type: keyword -ocsf.http_request.url.category_ids: - description: The Website categorization identifies. - name: ocsf.http_request.url.category_ids - type: keyword -ocsf.http_request.url.resource_type: - description: The context in which a resource was retrieved in a web request. - name: ocsf.http_request.url.resource_type - type: keyword -ocsf.http_request.x_forwarded_for: - description: - The X-Forwarded-For header identifying the originating IP address(es) - of a client connecting to a web server through an HTTP proxy or a load balancer. - name: ocsf.http_request.x_forwarded_for - type: ip -ocsf.http_response.content_type: - description: - The request header that identifies the original media type of the resource - (prior to any content encoding applied for sending). - name: ocsf.http_response.content_type - type: keyword -ocsf.http_response.latency: - description: The HTTP response latency. In seconds, milliseconds, etc. - name: ocsf.http_response.latency - type: long -ocsf.http_response.status: - description: The response status. - name: ocsf.http_response.status - type: keyword -ocsf.http_status: - description: - The Hypertext Transfer Protocol (HTTP) status code returned to the - client. - name: ocsf.http_status - type: long -ocsf.identifier_cookie: - description: The client identifier cookie during client/server exchange. - name: ocsf.identifier_cookie - type: keyword -ocsf.impact: - description: - The impact , normalized to the caption of the impact_id value. In the - case of 'Other', it is defined by the event source. - name: ocsf.impact - type: keyword -ocsf.impact_id: - description: The normalized impact of the finding. 
- name: ocsf.impact_id - type: keyword -ocsf.impact_score: - description: The impact of the finding, valid range 0-100. - name: ocsf.impact_score - type: long -ocsf.injection_type: - description: - The process injection method, normalized to the caption of the injection_type_id - value. In the case of 'Other', it is defined by the event source. - name: ocsf.injection_type - type: keyword -ocsf.injection_type_id: - description: The normalized identifier of the process injection method. - name: ocsf.injection_type_id - type: keyword -ocsf.is_cleartext: - description: - "Indicates whether the credentials were passed in clear text.Note: - True if the credentials were passed in a clear text protocol such as FTP or TELNET, - or if Windows detected that a user's logon password was passed to the authentication - package in clear text." - name: ocsf.is_cleartext - type: boolean -ocsf.is_mfa: - description: Indicates whether Multi Factor Authentication was used during authentication. - name: ocsf.is_mfa - type: boolean -ocsf.is_new_logon: - description: - Indicates logon is from a device not seen before or a first time account - logon. - name: ocsf.is_new_logon - type: boolean -ocsf.is_remote: - description: The attempted authentication is over a remote connection. - name: ocsf.is_remote - type: boolean -ocsf.is_renewal: - description: The indication of whether this is a lease/session renewal event. - name: ocsf.is_renewal - type: boolean -ocsf.kernel.is_system: - description: The indication of whether the object is part of the operating system. - name: ocsf.kernel.is_system - type: boolean -ocsf.kernel.name: - description: The name of the kernel resource. - name: ocsf.kernel.name - type: keyword -ocsf.kernel.path: - description: The full path of the kernel resource. - name: ocsf.kernel.path - type: keyword -ocsf.kernel.system_call: - description: The system call that was invoked. 
- name: ocsf.kernel.system_call - type: keyword -ocsf.kernel.type: - description: The type of the kernel resource. - name: ocsf.kernel.type - type: keyword -ocsf.kernel.type_id: - description: The type id of the kernel resource. - name: ocsf.kernel.type_id - type: keyword -ocsf.kill_chain.phase: - description: The cyber kill chain phase. - name: ocsf.kill_chain.phase - type: keyword -ocsf.kill_chain.phase_id: - description: The cyber kill chain phase identifier. - name: ocsf.kill_chain.phase_id - type: keyword -ocsf.lease_dur: - description: - This represents the length of the DHCP lease in seconds. This is present - in DHCP Ack events. (activity_id = 1) - name: ocsf.lease_dur - type: long -ocsf.logon_type: - description: - The logon type, normalized to the caption of the logon_type_id value. - In the case of 'Other', it is defined by the event source. - name: ocsf.logon_type - type: keyword -ocsf.logon_type_id: - description: The normalized logon type identifier - name: ocsf.logon_type_id - type: keyword -ocsf.malware.classification_ids: - description: The list of normalized identifiers of the malware classifications. - name: ocsf.malware.classification_ids - type: keyword -ocsf.malware.classifications: - description: - The list of malware classifications, normalized to the captions of - the classification_id values. In the case of 'Other', they are defined by the - event source. - name: ocsf.malware.classifications - type: keyword -ocsf.malware.cves.created_time: - description: - The Record Creation Date identifies when the CVE ID was issued to a - CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. - Note that the Record Creation Date does not necessarily indicate when this vulnerability - was discovered, shared with the affected vendor, publicly disclosed, or updated - in CVE. 
- name: ocsf.malware.cves.created_time - type: date -ocsf.malware.cves.created_time_dt: - description: - The Record Creation Date identifies when the CVE ID was issued to a - CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. - Note that the Record Creation Date does not necessarily indicate when this vulnerability - was discovered, shared with the affected vendor, publicly disclosed, or updated - in CVE. - name: ocsf.malware.cves.created_time_dt - type: date -ocsf.malware.cves.cvss.base_score: - description: The CVSS base score. - name: ocsf.malware.cves.cvss.base_score - type: double -ocsf.malware.cves.cvss.depth: - description: - The CVSS depth represents a depth of the equation used to calculate - CVSS score. - name: ocsf.malware.cves.cvss.depth - type: keyword -ocsf.malware.cves.cvss.metrics.name: - description: The name of the metric. - name: ocsf.malware.cves.cvss.metrics.name - type: keyword -ocsf.malware.cves.cvss.metrics.value: - description: The value of the metric. - name: ocsf.malware.cves.cvss.metrics.value - type: keyword -ocsf.malware.cves.cvss.overall_score: - description: - The CVSS overall score, impacted by base, temporal, and environmental - metrics. - name: ocsf.malware.cves.cvss.overall_score - type: double -ocsf.malware.cves.cvss.severity: - description: - The Common Vulnerability Scoring System (CVSS) Qualitative Severity - Rating. A textual representation of the numeric score. - name: ocsf.malware.cves.cvss.severity - type: keyword -ocsf.malware.cves.cvss.vector_string: - description: - "The CVSS vector string is a text representation of a set of CVSS metrics. - It is commonly used to record or transfer CVSS metric information in a concise - form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H." - name: ocsf.malware.cves.cvss.vector_string - type: keyword -ocsf.malware.cves.cvss.version: - description: The CVSS version. 
- name: ocsf.malware.cves.cvss.version - type: keyword -ocsf.malware.cves.cwe_uid: - description: - "The Common Weakness Enumeration (CWE) unique identifier. For example: - CWE-787." - name: ocsf.malware.cves.cwe_uid - type: keyword -ocsf.malware.cves.cwe_url: - description: Common Weakness Enumeration (CWE) definition URL. - name: ocsf.malware.cves.cwe_url - type: keyword -ocsf.malware.cves.modified_time: - description: The Record Modified Date identifies when the CVE record was last updated. - name: ocsf.malware.cves.modified_time - type: date -ocsf.malware.cves.modified_time_dt: - description: The Record Modified Date identifies when the CVE record was last updated. - name: ocsf.malware.cves.modified_time_dt - type: date -ocsf.malware.cves.product.feature.name: - description: The name of the feature. - name: ocsf.malware.cves.product.feature.name - type: keyword -ocsf.malware.cves.product.feature.uid: - description: The unique identifier of the feature. - name: ocsf.malware.cves.product.feature.uid - type: keyword -ocsf.malware.cves.product.feature.version: - description: The version of the feature. - name: ocsf.malware.cves.product.feature.version - type: keyword -ocsf.malware.cves.product.lang: - description: The two letter lower case language codes, as defined by ISO 639-1. - name: ocsf.malware.cves.product.lang - type: keyword -ocsf.malware.cves.product.name: - description: The name of the product. - name: ocsf.malware.cves.product.name - type: keyword -ocsf.malware.cves.product.path: - description: The installation path of the product. - name: ocsf.malware.cves.product.path - type: keyword -ocsf.malware.cves.product.uid: - description: The unique identifier of the product. - name: ocsf.malware.cves.product.uid - type: keyword -ocsf.malware.cves.product.url_string: - description: The URL pointing towards the product. 
- name: ocsf.malware.cves.product.url_string - type: keyword -ocsf.malware.cves.product.vendor_name: - description: The name of the vendor of the product. - name: ocsf.malware.cves.product.vendor_name - type: keyword -ocsf.malware.cves.product.version: - description: - "The version of the product, as defined by the event source. For example: - 2013.1.3-beta." - name: ocsf.malware.cves.product.version - type: keyword -ocsf.malware.cves.type: - description: - The vulnerability type as selected from a large dropdown menu during - CVE refinement. - name: ocsf.malware.cves.type - type: keyword -ocsf.malware.cves.uid: - description: - "The Common Vulnerabilities and Exposures unique number assigned to - a specific computer vulnerability. A CVE Identifier begins with 4 digits representing - the year followed by a sequence of digits that acts as a unique identifier. For - example: CVE-2021-12345." - name: ocsf.malware.cves.uid - type: keyword -ocsf.malware.name: - description: The malware name, as reported by the detection engine. - name: ocsf.malware.name - type: keyword -ocsf.malware.path: - description: The filesystem path of the malware that was observed. - name: ocsf.malware.path - type: keyword -ocsf.malware.provider: - description: The provider of the malware information. - name: ocsf.malware.provider - type: keyword -ocsf.malware.uid: - description: - The malware unique identifier, as reported by the detection engine. - For example a virus id or an IPS signature id. - name: ocsf.malware.uid - type: keyword -ocsf.metadata.correlation_uid: - description: The unique identifier used to correlate events. - name: ocsf.metadata.correlation_uid - type: keyword -ocsf.metadata.extension.name: - description: "The schema extension name. For example: dev." - name: ocsf.metadata.extension.name - type: keyword -ocsf.metadata.extension.uid: - description: "The schema extension unique identifier. For example: 999." 
- name: ocsf.metadata.extension.uid - type: keyword -ocsf.metadata.extension.version: - description: "The schema extension version. For example: 1.0.0-alpha.2." - name: ocsf.metadata.extension.version - type: keyword -ocsf.metadata.log_name: - description: - "The event log name. For example, syslog file name or Windows logging - subsystem: Security." - name: ocsf.metadata.log_name - type: keyword -ocsf.metadata.log_version: - description: - The event log schema version that specifies the format of the original - event. For example syslog version or Cisco Log Schema Version. - name: ocsf.metadata.log_version - type: keyword -ocsf.metadata.logged_time: - description: - The time when the logging system collected and logged the event. This - attribute is distinct from the event time in that event time typically contain - the time extracted from the original event. Most of the time, these two times - will be different. - name: ocsf.metadata.logged_time - type: date -ocsf.metadata.logged_time_dt: - description: - The time when the logging system collected and logged the event. This - attribute is distinct from the event time in that event time typically contain - the time extracted from the original event. Most of the time, these two times - will be different. - name: ocsf.metadata.logged_time_dt - type: date -ocsf.metadata.modified_time: - description: The time when the event was last modified or enriched. - name: ocsf.metadata.modified_time - type: date -ocsf.metadata.modified_time_dt: - description: The time when the event was last modified or enriched. - name: ocsf.metadata.modified_time_dt - type: date -ocsf.metadata.original_time: - description: - The original event time as reported by the event source. For example, - the time in the original format from system event log such as Syslog on Unix/Linux - and the System event file on Windows. Omit if event is generated instead of collected - via logs. 
- name: ocsf.metadata.original_time - type: keyword -ocsf.metadata.processed_time: - description: The event processed time, such as an ETL operation. - name: ocsf.metadata.processed_time - type: date -ocsf.metadata.processed_time_dt: - description: The event processed time, such as an ETL operation. - name: ocsf.metadata.processed_time_dt - type: date -ocsf.metadata.product.feature.name: - description: The name of the feature. - name: ocsf.metadata.product.feature.name - type: keyword -ocsf.metadata.product.feature.uid: - description: The unique identifier of the feature. - name: ocsf.metadata.product.feature.uid - type: keyword -ocsf.metadata.product.feature.version: - description: The version of the feature. - name: ocsf.metadata.product.feature.version - type: keyword -ocsf.metadata.product.lang: - description: - "The two letter lowercase language codes, as defined by ISO 639-1. - For example: en (English), de (German), or fr (French)." - name: ocsf.metadata.product.lang - type: keyword -ocsf.metadata.product.name: - description: The name of the product. - name: ocsf.metadata.product.name - type: keyword -ocsf.metadata.product.path: - description: The installation path of the product. - name: ocsf.metadata.product.path - type: keyword -ocsf.metadata.product.uid: - description: The unique identifier of the product. - name: ocsf.metadata.product.uid - type: keyword -ocsf.metadata.product.url_string: - description: The URL pointing towards the product. - name: ocsf.metadata.product.url_string - type: keyword -ocsf.metadata.product.vendor_name: - description: The name of the vendor of the product. - name: ocsf.metadata.product.vendor_name - type: keyword -ocsf.metadata.product.version: - description: - "The version of the product, as defined by the event source. For example: - 2013.1.3-beta." - name: ocsf.metadata.product.version - type: keyword -ocsf.metadata.profiles: - description: The list of profiles used to create the event. 
- name: ocsf.metadata.profiles - type: keyword -ocsf.metadata.version: - description: - "The version of the OCSF schema, using Semantic Versioning Specification - (SemVer). For example: 1.0.0. Event consumers use the version to determine the - available event attributes." - name: ocsf.metadata.version - type: keyword -ocsf.module.base_address: - description: The memory address where the module was loaded. - name: ocsf.module.base_address - type: keyword -ocsf.module.file.accessed_time_dt: - description: The time when the file was last accessed. - name: ocsf.module.file.accessed_time_dt - type: date -ocsf.module.file.accessor.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.module.file.accessor.account.name - type: keyword -ocsf.module.file.accessor.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.module.file.accessor.account.type - type: keyword -ocsf.module.file.accessor.account.type_id: - description: The normalized account type identifier. - name: ocsf.module.file.accessor.account.type_id - type: keyword -ocsf.module.file.accessor.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.module.file.accessor.account.uid - type: keyword -ocsf.module.file.accessor.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.module.file.accessor.credential_uid - type: keyword -ocsf.module.file.accessor.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.module.file.accessor.domain - type: keyword -ocsf.module.file.accessor.email_addr: - description: The user's email address. 
- name: ocsf.module.file.accessor.email_addr - type: keyword -ocsf.module.file.accessor.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.module.file.accessor.full_name - type: keyword -ocsf.module.file.accessor.groups.desc: - description: The group description. - name: ocsf.module.file.accessor.groups.desc - type: keyword -ocsf.module.file.accessor.groups.name: - description: The group name. - name: ocsf.module.file.accessor.groups.name - type: keyword -ocsf.module.file.accessor.groups.privileges: - description: The group privileges. - name: ocsf.module.file.accessor.groups.privileges - type: keyword -ocsf.module.file.accessor.groups.type: - description: The type of the group or account. - name: ocsf.module.file.accessor.groups.type - type: keyword -ocsf.module.file.accessor.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.module.file.accessor.groups.uid - type: keyword -ocsf.module.file.accessor.name: - description: The username. For example, janedoe1. - name: ocsf.module.file.accessor.name - type: keyword -ocsf.module.file.accessor.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.module.file.accessor.org.name - type: keyword -ocsf.module.file.accessor.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.module.file.accessor.org.ou_name - type: keyword -ocsf.module.file.accessor.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.module.file.accessor.org.ou_uid - type: keyword -ocsf.module.file.accessor.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. 
- name: ocsf.module.file.accessor.org.uid - type: keyword -ocsf.module.file.accessor.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.module.file.accessor.type - type: keyword -ocsf.module.file.accessor.type_id: - description: The account type identifier. - name: ocsf.module.file.accessor.type_id - type: keyword -ocsf.module.file.accessor.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.module.file.accessor.uid - type: keyword -ocsf.module.file.accessor.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.module.file.accessor.uid_alt - type: keyword -ocsf.module.file.attributes: - description: The Bitmask value that represents the file attributes. - name: ocsf.module.file.attributes - type: long -ocsf.module.file.company_name: - description: - "The name of the company that published the file. For example: Microsoft - Corporation." - name: ocsf.module.file.company_name - type: keyword -ocsf.module.file.confidentiality: - description: - The file content confidentiality, normalized to the confidentiality_id - value. In the case of 'Other', it is defined by the event source. - name: ocsf.module.file.confidentiality - type: keyword -ocsf.module.file.confidentiality_id: - description: The normalized identifier of the file content confidentiality indicator. - name: ocsf.module.file.confidentiality_id - type: keyword -ocsf.module.file.created_time_dt: - description: The time when the file was created. - name: ocsf.module.file.created_time_dt - type: date -ocsf.module.file.creator.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.module.file.creator.account.name - type: keyword -ocsf.module.file.creator.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. 
In - the case of 'Other', it is defined by the event source. - name: ocsf.module.file.creator.account.type - type: keyword -ocsf.module.file.creator.account.type_id: - description: The normalized account type identifier. - name: ocsf.module.file.creator.account.type_id - type: keyword -ocsf.module.file.creator.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.module.file.creator.account.uid - type: keyword -ocsf.module.file.creator.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.module.file.creator.credential_uid - type: keyword -ocsf.module.file.creator.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.module.file.creator.domain - type: keyword -ocsf.module.file.creator.email_addr: - description: The user's email address. - name: ocsf.module.file.creator.email_addr - type: keyword -ocsf.module.file.creator.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.module.file.creator.full_name - type: keyword -ocsf.module.file.creator.groups.desc: - description: The group description. - name: ocsf.module.file.creator.groups.desc - type: keyword -ocsf.module.file.creator.groups.name: - description: The group name. - name: ocsf.module.file.creator.groups.name - type: keyword -ocsf.module.file.creator.groups.privileges: - description: The group privileges. - name: ocsf.module.file.creator.groups.privileges - type: keyword -ocsf.module.file.creator.groups.type: - description: The type of the group or account. - name: ocsf.module.file.creator.groups.type - type: keyword -ocsf.module.file.creator.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. 
- name: ocsf.module.file.creator.groups.uid - type: keyword -ocsf.module.file.creator.name: - description: The username. For example, janedoe1. - name: ocsf.module.file.creator.name - type: keyword -ocsf.module.file.creator.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.module.file.creator.org.name - type: keyword -ocsf.module.file.creator.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.module.file.creator.org.ou_name - type: keyword -ocsf.module.file.creator.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.module.file.creator.org.ou_uid - type: keyword -ocsf.module.file.creator.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.module.file.creator.org.uid - type: keyword -ocsf.module.file.creator.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.module.file.creator.type - type: keyword -ocsf.module.file.creator.type_id: - description: The account type identifier. - name: ocsf.module.file.creator.type_id - type: keyword -ocsf.module.file.creator.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.module.file.creator.uid - type: keyword -ocsf.module.file.creator.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.module.file.creator.uid_alt - type: keyword -ocsf.module.file.desc: - description: - "The description of the file, as returned by file system. For example: - the description as returned by the Unix file command or the Windows file type." 
- name: ocsf.module.file.desc - type: keyword -ocsf.module.file.hashes.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.module.file.hashes.algorithm - type: keyword -ocsf.module.file.hashes.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.module.file.hashes.algorithm_id - type: keyword -ocsf.module.file.hashes.value: - description: The digital fingerprint value. - name: ocsf.module.file.hashes.value - type: keyword -ocsf.module.file.is_system: - description: The indication of whether the object is part of the operating system. - name: ocsf.module.file.is_system - type: boolean -ocsf.module.file.modified_time_dt: - description: The time when the file was last modified. - name: ocsf.module.file.modified_time_dt - type: date -ocsf.module.file.modifier.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.module.file.modifier.account.name - type: keyword -ocsf.module.file.modifier.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.module.file.modifier.account.type - type: keyword -ocsf.module.file.modifier.account.type_id: - description: The normalized account type identifier. - name: ocsf.module.file.modifier.account.type_id - type: keyword -ocsf.module.file.modifier.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.module.file.modifier.account.uid - type: keyword -ocsf.module.file.modifier.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. 
- name: ocsf.module.file.modifier.credential_uid - type: keyword -ocsf.module.file.modifier.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.module.file.modifier.domain - type: keyword -ocsf.module.file.modifier.email_addr: - description: The user's email address. - name: ocsf.module.file.modifier.email_addr - type: keyword -ocsf.module.file.modifier.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.module.file.modifier.full_name - type: keyword -ocsf.module.file.modifier.groups.desc: - description: The group description. - name: ocsf.module.file.modifier.groups.desc - type: keyword -ocsf.module.file.modifier.groups.name: - description: The group name. - name: ocsf.module.file.modifier.groups.name - type: keyword -ocsf.module.file.modifier.groups.privileges: - description: The group privileges. - name: ocsf.module.file.modifier.groups.privileges - type: keyword -ocsf.module.file.modifier.groups.type: - description: The type of the group or account. - name: ocsf.module.file.modifier.groups.type - type: keyword -ocsf.module.file.modifier.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.module.file.modifier.groups.uid - type: keyword -ocsf.module.file.modifier.name: - description: The username. For example, janedoe1. - name: ocsf.module.file.modifier.name - type: keyword -ocsf.module.file.modifier.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.module.file.modifier.org.name - type: keyword -ocsf.module.file.modifier.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. 
- name: ocsf.module.file.modifier.org.ou_name - type: keyword -ocsf.module.file.modifier.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.module.file.modifier.org.ou_uid - type: keyword -ocsf.module.file.modifier.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.module.file.modifier.org.uid - type: keyword -ocsf.module.file.modifier.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.module.file.modifier.type - type: keyword -ocsf.module.file.modifier.type_id: - description: The account type identifier. - name: ocsf.module.file.modifier.type_id - type: keyword -ocsf.module.file.modifier.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.module.file.modifier.uid - type: keyword -ocsf.module.file.modifier.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.module.file.modifier.uid_alt - type: keyword -ocsf.module.file.owner.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.module.file.owner.account.name - type: keyword -ocsf.module.file.owner.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.module.file.owner.account.type - type: keyword -ocsf.module.file.owner.account.type_id: - description: The normalized account type identifier. - name: ocsf.module.file.owner.account.type_id - type: keyword -ocsf.module.file.owner.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). 
- name: ocsf.module.file.owner.account.uid - type: keyword -ocsf.module.file.owner.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.module.file.owner.credential_uid - type: keyword -ocsf.module.file.owner.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.module.file.owner.domain - type: keyword -ocsf.module.file.owner.email_addr: - description: The user's email address. - name: ocsf.module.file.owner.email_addr - type: keyword -ocsf.module.file.owner.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.module.file.owner.full_name - type: keyword -ocsf.module.file.owner.groups.desc: - description: The group description. - name: ocsf.module.file.owner.groups.desc - type: keyword -ocsf.module.file.owner.groups.name: - description: The group name. - name: ocsf.module.file.owner.groups.name - type: keyword -ocsf.module.file.owner.groups.privileges: - description: The group privileges. - name: ocsf.module.file.owner.groups.privileges - type: keyword -ocsf.module.file.owner.groups.type: - description: The type of the group or account. - name: ocsf.module.file.owner.groups.type - type: keyword -ocsf.module.file.owner.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.module.file.owner.groups.uid - type: keyword -ocsf.module.file.owner.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.module.file.owner.org.name - type: keyword -ocsf.module.file.owner.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. 
- name: ocsf.module.file.owner.org.ou_name - type: keyword -ocsf.module.file.owner.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.module.file.owner.org.ou_uid - type: keyword -ocsf.module.file.owner.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.module.file.owner.org.uid - type: keyword -ocsf.module.file.owner.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.module.file.owner.type - type: keyword -ocsf.module.file.owner.type_id: - description: The account type identifier. - name: ocsf.module.file.owner.type_id - type: keyword -ocsf.module.file.owner.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.module.file.owner.uid_alt - type: keyword -ocsf.module.file.product.feature.name: - description: The name of the feature. - name: ocsf.module.file.product.feature.name - type: keyword -ocsf.module.file.product.feature.uid: - description: The unique identifier of the feature. - name: ocsf.module.file.product.feature.uid - type: keyword -ocsf.module.file.product.feature.version: - description: The version of the feature. - name: ocsf.module.file.product.feature.version - type: keyword -ocsf.module.file.product.lang: - description: - "The two letter lower case language codes, as defined by ISO 639-1. - For example: en (English), de (German), or fr (French)." - name: ocsf.module.file.product.lang - type: keyword -ocsf.module.file.product.name: - description: The name of the product. - name: ocsf.module.file.product.name - type: keyword -ocsf.module.file.product.path: - description: The installation path of the product. 
- name: ocsf.module.file.product.path - type: keyword -ocsf.module.file.product.uid: - description: The unique identifier of the product. - name: ocsf.module.file.product.uid - type: keyword -ocsf.module.file.product.vendor_name: - description: The name of the vendor of the product. - name: ocsf.module.file.product.vendor_name - type: keyword -ocsf.module.file.product.version: - description: - "The version of the product, as defined by the event source. For example: - 2013.1.3-beta." - name: ocsf.module.file.product.version - type: keyword -ocsf.module.file.security_descriptor: - description: The object security descriptor. - name: ocsf.module.file.security_descriptor - type: keyword -ocsf.module.file.signature.algorithm: - description: - The digital signature algorithm used to create the signature, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.module.file.signature.algorithm - type: keyword -ocsf.module.file.signature.algorithm_id: - description: The identifier of the normalized digital signature algorithm. - name: ocsf.module.file.signature.algorithm_id - type: keyword -ocsf.module.file.signature.certificate.created_time: - description: The time when the certificate was created. - name: ocsf.module.file.signature.certificate.created_time - type: date -ocsf.module.file.signature.certificate.created_time_dt: - description: The time when the certificate was created. - name: ocsf.module.file.signature.certificate.created_time_dt - type: date -ocsf.module.file.signature.certificate.expiration_time_dt: - description: The expiration time of the certificate. - name: ocsf.module.file.signature.certificate.expiration_time_dt - type: date -ocsf.module.file.signature.certificate.fingerprints.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. 
- name: ocsf.module.file.signature.certificate.fingerprints.algorithm - type: keyword -ocsf.module.file.signature.certificate.fingerprints.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.module.file.signature.certificate.fingerprints.algorithm_id - type: keyword -ocsf.module.file.signature.certificate.fingerprints.value: - description: The digital fingerprint value. - name: ocsf.module.file.signature.certificate.fingerprints.value - type: keyword -ocsf.module.file.signature.created_time: - description: The time when the digital signature was created. - name: ocsf.module.file.signature.created_time - type: date -ocsf.module.file.signature.created_time_dt: - description: The time when the digital signature was created. - name: ocsf.module.file.signature.created_time_dt - type: date -ocsf.module.file.signature.developer_uid: - description: The developer ID on the certificate that signed the file. - name: ocsf.module.file.signature.developer_uid - type: keyword -ocsf.module.file.signature.digest.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.module.file.signature.digest.algorithm - type: keyword -ocsf.module.file.signature.digest.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.module.file.signature.digest.algorithm_id - type: keyword -ocsf.module.file.signature.digest.value: - description: The digital fingerprint value. - name: ocsf.module.file.signature.digest.value - type: keyword -ocsf.module.file.type_id: - description: The file type ID. - name: ocsf.module.file.type_id - type: keyword -ocsf.module.file.version: - description: "The file version. For example: 8.0.7601.17514." 
- name: ocsf.module.file.version - type: keyword -ocsf.module.file.xattributes: - description: - An unordered collection of zero or more name/value pairs where each - pair represents a file or folder extended attribute. - name: ocsf.module.file.xattributes - type: flattened -ocsf.module.function_name: - description: - The entry-point function of the module. The system calls the entry-point - function whenever a process or thread loads or unloads the module. - name: ocsf.module.function_name - type: keyword -ocsf.module.load_type: - description: - The load type, normalized to the caption of the load_type_id value. - In the case of 'Other', it is defined by the event source. It describes how the - module was loaded in memory. - name: ocsf.module.load_type - type: keyword -ocsf.module.load_type_id: - description: - The normalized identifier of the load type. It identifies how the module - was loaded in memory. - name: ocsf.module.load_type_id - type: keyword -ocsf.module.start_address: - description: The start address of the execution. - name: ocsf.module.start_address - type: keyword -ocsf.module.type: - description: The module type. - name: ocsf.module.type - type: keyword -ocsf.name: - description: The name of the data affiliated with the command. - name: ocsf.name - type: keyword -ocsf.nist: - description: - The NIST Cybersecurity Framework recommendations for managing the cybersecurity - risk. - name: ocsf.nist - type: keyword -ocsf.observables.name: - description: - "The full name of the observable attribute. The name is a pointer/reference - to an attribute within the event data. For example: file.name." - name: ocsf.observables.name - type: keyword -ocsf.observables.reputation.base_score: - description: The reputation score as reported by the event source. - name: ocsf.observables.reputation.base_score - type: double -ocsf.observables.reputation.provider: - description: The provider of the reputation information. 
- name: ocsf.observables.reputation.provider - type: keyword -ocsf.observables.reputation.score: - description: - The reputation score, normalized to the caption of the score_id value. - In the case of 'Other', it is defined by the event source. - name: ocsf.observables.reputation.score - type: keyword -ocsf.observables.reputation.score_id: - description: The normalized reputation score identifier. - name: ocsf.observables.reputation.score_id - type: keyword -ocsf.observables.type: - description: The observable value type name. - name: ocsf.observables.type - type: keyword -ocsf.observables.type_id: - description: The observable value type identifier. - name: ocsf.observables.type_id - type: keyword -ocsf.observables.value: - description: The value associated with the observable attribute. - name: ocsf.observables.value - type: keyword -ocsf.open_type: - description: Indicates how the file was opened (e.g. normal, delete on close). - name: ocsf.open_type - type: keyword -ocsf.port: - description: The dynamic port established for impending data transfers. - name: ocsf.port - type: long -ocsf.privileges: - description: The list of sensitive privileges, assigned to the new user session. - name: ocsf.privileges - type: keyword -ocsf.protocol_ver: - description: The Protocol version. - name: ocsf.protocol_ver - type: keyword -ocsf.proxy.domain: - description: The name of the domain. - name: ocsf.proxy.domain - type: keyword -ocsf.proxy.hostname: - description: The fully qualified name of the endpoint. - name: ocsf.proxy.hostname - type: keyword -ocsf.proxy.instance_uid: - description: The unique identifier of a VM instance. - name: ocsf.proxy.instance_uid - type: keyword -ocsf.proxy.interface_name: - description: The name of the network interface (e.g. eth2). - name: ocsf.proxy.interface_name - type: keyword -ocsf.proxy.interface_uid: - description: The unique identifier of the network interface. 
- name: ocsf.proxy.interface_uid - type: keyword -ocsf.proxy.intermediate_ips: - description: - The intermediate IP Addresses. For example, the IP addresses in the - HTTP X-Forwarded-For header. - name: ocsf.proxy.intermediate_ips - type: ip -ocsf.proxy.ip: - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - name: ocsf.proxy.ip - type: ip -ocsf.proxy.location.city: - description: The name of the city. - name: ocsf.proxy.location.city - type: keyword -ocsf.proxy.location.continent: - description: The name of the continent. - name: ocsf.proxy.location.continent - type: keyword -ocsf.proxy.location.coordinates: - description: - A two-element array, containing a longitude/latitude pair. The format - conforms with GeoJSON. - name: ocsf.proxy.location.coordinates - type: geo_point -ocsf.proxy.location.country: - description: - The ISO 3166-1 Alpha-2 country code. For the complete list of country - codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - name: ocsf.proxy.location.country - type: keyword -ocsf.proxy.location.desc: - description: The description of the geographical location. - name: ocsf.proxy.location.desc - type: keyword -ocsf.proxy.location.is_on_premises: - description: The indication of whether the location is on premises. - name: ocsf.proxy.location.is_on_premises - type: boolean -ocsf.proxy.location.isp: - description: The name of the Internet Service Provider (ISP). - name: ocsf.proxy.location.isp - type: keyword -ocsf.proxy.location.postal_code: - description: The postal code of the location. - name: ocsf.proxy.location.postal_code - type: keyword -ocsf.proxy.location.provider: - description: The provider of the geographical location data. - name: ocsf.proxy.location.provider - type: keyword -ocsf.proxy.location.region: - description: - The alphanumeric code that identifies the principal subdivision (e.g. - province or state) of the country. 
Region codes are defined at ISO 3166-2 and - have a limit of three characters. For example, see the region codes for the US. - name: ocsf.proxy.location.region - type: keyword -ocsf.proxy.mac: - description: The Media Access Control (MAC) address of the endpoint. - name: ocsf.proxy.mac - type: keyword -ocsf.proxy.name: - description: The short name of the endpoint. - name: ocsf.proxy.name - type: keyword -ocsf.proxy.port: - description: The port used for communication within the network connection. - name: ocsf.proxy.port - type: long -ocsf.proxy.subnet_uid: - description: The unique identifier of a virtual subnet. - name: ocsf.proxy.subnet_uid - type: keyword -ocsf.proxy.svc_name: - description: - The service name in service-to-service connections. For example, AWS - VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection - is coming from or going to an AWS service. - name: ocsf.proxy.svc_name - type: keyword -ocsf.proxy.uid: - description: The unique identifier of the endpoint. - name: ocsf.proxy.uid - type: keyword -ocsf.proxy.vlan_uid: - description: The Virtual LAN identifier. - name: ocsf.proxy.vlan_uid - type: keyword -ocsf.proxy.vpc_uid: - description: The unique identifier of the Virtual Private Cloud (VPC). - name: ocsf.proxy.vpc_uid - type: keyword -ocsf.query.opcode: - description: The DNS opcode specifies the type of the query message. - name: ocsf.query.opcode - type: keyword -ocsf.query.opcode_id: - description: The DNS opcode ID specifies the normalized query message type. - name: ocsf.query.opcode_id - type: keyword -ocsf.query_time: - description: The Domain Name System (DNS) query time. - name: ocsf.query_time - type: date -ocsf.query_time_dt: - description: The Domain Name System (DNS) query time. - name: ocsf.query_time_dt - type: date -ocsf.raw_data: - description: The event data as received from the event source. 
- name: ocsf.raw_data - type: flattened -ocsf.raw_data_keyword: - description: "" - name: ocsf.raw_data_keyword - type: keyword -ocsf.rcode_id: - description: The normalized identifier of the DNS server response code. - name: ocsf.rcode_id - type: keyword -ocsf.relay.namespace: - description: - The namespace is useful in merger or acquisition situations. For example, - when similar entities exists that you need to keep separate. - name: ocsf.relay.namespace - type: keyword -ocsf.relay.subnet_prefix: - description: - The subnet prefix length determines the number of bits used to represent - the network part of the IP address. The remaining bits are reserved for identifying - individual hosts within that subnet. - name: ocsf.relay.subnet_prefix - type: long -ocsf.relay.type_id: - description: The network interface type identifier. - name: ocsf.relay.type_id - type: keyword -ocsf.relay.uid: - description: The unique identifier for the network interface. - name: ocsf.relay.uid - type: keyword -ocsf.remote_display.color_depth: - description: The numeric color depth. - name: ocsf.remote_display.color_depth - type: long -ocsf.remote_display.physical_height: - description: The numeric physical height of display. - name: ocsf.remote_display.physical_height - type: long -ocsf.remote_display.physical_orientation: - description: The numeric physical orientation of display. - name: ocsf.remote_display.physical_orientation - type: long -ocsf.remote_display.physical_width: - description: The numeric physical width of display. - name: ocsf.remote_display.physical_width - type: long -ocsf.remote_display.scale_factor: - description: The numeric scale factor of display. - name: ocsf.remote_display.scale_factor - type: long -ocsf.request.flags: - description: - The list of communication flags, normalized to the captions of the - flag_ids values. In the case of 'Other', they are defined by the event source. 
- name: ocsf.request.flags - type: date -ocsf.requested_permissions: - description: The permissions mask that were requested by the process. - name: ocsf.requested_permissions - type: long -ocsf.resource.cloud_partition: - description: - "The canonical cloud partition name to which the region is assigned - (e.g. AWS Partitions: aws, aws-cn, aws-us-gov)." - name: ocsf.resource.cloud_partition - type: keyword -ocsf.resource.criticality: - description: The criticality of the resource as defined by the event source. - name: ocsf.resource.criticality - type: keyword -ocsf.resource.data: - description: Additional data describing the resource. - name: ocsf.resource.data - type: flattened -ocsf.resource.group.desc: - description: The group description. - name: ocsf.resource.group.desc - type: keyword -ocsf.resource.group.name: - description: The group name. - name: ocsf.resource.group.name - type: keyword -ocsf.resource.group.privileges: - description: The group privileges. - name: ocsf.resource.group.privileges - type: keyword -ocsf.resource.group.type: - description: The type of the group or account. - name: ocsf.resource.group.type - type: keyword -ocsf.resource.group.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.resource.group.uid - type: keyword -ocsf.resource.labels: - description: The list of labels/tags associated to a resource. - name: ocsf.resource.labels - type: keyword -ocsf.resource.name: - description: The name of the resource. - name: ocsf.resource.name - type: keyword -ocsf.resource.owner.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.resource.owner.account.name - type: keyword -ocsf.resource.owner.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. 
- name: ocsf.resource.owner.account.type - type: keyword -ocsf.resource.owner.account.type_id: - description: The normalized account type identifier. - name: ocsf.resource.owner.account.type_id - type: keyword -ocsf.resource.owner.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.resource.owner.account.uid - type: keyword -ocsf.resource.owner.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.resource.owner.credential_uid - type: keyword -ocsf.resource.owner.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.resource.owner.domain - type: keyword -ocsf.resource.owner.email_addr: - description: The user's email address. - name: ocsf.resource.owner.email_addr - type: keyword -ocsf.resource.owner.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.resource.owner.full_name - type: keyword -ocsf.resource.owner.groups.desc: - description: The group description. - name: ocsf.resource.owner.groups.desc - type: keyword -ocsf.resource.owner.groups.name: - description: The group name. - name: ocsf.resource.owner.groups.name - type: keyword -ocsf.resource.owner.groups.privileges: - description: The group privileges. - name: ocsf.resource.owner.groups.privileges - type: keyword -ocsf.resource.owner.groups.type: - description: The type of the group or account. - name: ocsf.resource.owner.groups.type - type: keyword -ocsf.resource.owner.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.resource.owner.groups.uid - type: keyword -ocsf.resource.owner.name: - description: The username. For example, janedoe1. 
- name: ocsf.resource.owner.name - type: keyword -ocsf.resource.owner.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.resource.owner.org.name - type: keyword -ocsf.resource.owner.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.resource.owner.org.ou_name - type: keyword -ocsf.resource.owner.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.resource.owner.org.ou_uid - type: keyword -ocsf.resource.owner.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.resource.owner.org.uid - type: keyword -ocsf.resource.owner.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.resource.owner.type - type: keyword -ocsf.resource.owner.type_id: - description: The account type identifier. - name: ocsf.resource.owner.type_id - type: keyword -ocsf.resource.owner.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.resource.owner.uid - type: keyword -ocsf.resource.owner.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.resource.owner.uid_alt - type: keyword -ocsf.resource.region: - description: The cloud region of the resource. - name: ocsf.resource.region - type: keyword -ocsf.resource.type: - description: The resource type as defined by the event source. - name: ocsf.resource.type - type: keyword -ocsf.resource.uid: - description: The unique identifier of the resource. - name: ocsf.resource.uid - type: keyword -ocsf.resource.version: - description: The version of the resource. For example 1.2.3. 
- name: ocsf.resource.version - type: keyword -ocsf.resources.cloud_partition: - description: - "The canonical cloud partition name to which the region is assigned - (e.g. AWS Partitions: aws, aws-cn, aws-us-gov)." - name: ocsf.resources.cloud_partition - type: keyword -ocsf.resources.criticality: - description: The criticality of the resource as defined by the event source. - name: ocsf.resources.criticality - type: keyword -ocsf.resources.data: - description: Additional data describing the resource. - name: ocsf.resources.data - type: flattened -ocsf.resources.group.desc: - description: The group description. - name: ocsf.resources.group.desc - type: keyword -ocsf.resources.group.name: - description: The group name. - name: ocsf.resources.group.name - type: keyword -ocsf.resources.group.privileges: - description: The group privileges. - name: ocsf.resources.group.privileges - type: keyword -ocsf.resources.group.type: - description: The type of the group or account. - name: ocsf.resources.group.type - type: keyword -ocsf.resources.group.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.resources.group.uid - type: keyword -ocsf.resources.labels: - description: The list of labels/tags associated to a resource. - name: ocsf.resources.labels - type: keyword -ocsf.resources.name: - description: The name of the resource. - name: ocsf.resources.name - type: keyword -ocsf.resources.owner.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.resources.owner.account.name - type: keyword -ocsf.resources.owner.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.resources.owner.account.type - type: keyword -ocsf.resources.owner.account.type_id: - description: The normalized account type identifier. 
- name: ocsf.resources.owner.account.type_id - type: keyword -ocsf.resources.owner.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.resources.owner.account.uid - type: keyword -ocsf.resources.owner.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.resources.owner.credential_uid - type: keyword -ocsf.resources.owner.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." - name: ocsf.resources.owner.domain - type: keyword -ocsf.resources.owner.email_addr: - description: The user's email address. - name: ocsf.resources.owner.email_addr - type: keyword -ocsf.resources.owner.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.resources.owner.full_name - type: keyword -ocsf.resources.owner.groups.desc: - description: The group description. - name: ocsf.resources.owner.groups.desc - type: keyword -ocsf.resources.owner.groups.name: - description: The group name. - name: ocsf.resources.owner.groups.name - type: keyword -ocsf.resources.owner.groups.privileges: - description: The group privileges. - name: ocsf.resources.owner.groups.privileges - type: keyword -ocsf.resources.owner.groups.type: - description: The type of the group or account. - name: ocsf.resources.owner.groups.type - type: keyword -ocsf.resources.owner.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.resources.owner.groups.uid - type: keyword -ocsf.resources.owner.name: - description: The username. For example, janedoe1. - name: ocsf.resources.owner.name - type: keyword -ocsf.resources.owner.org.name: - description: The name of the organization. For example, Widget, Inc. 
- name: ocsf.resources.owner.org.name - type: keyword -ocsf.resources.owner.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.resources.owner.org.ou_name - type: keyword -ocsf.resources.owner.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.resources.owner.org.ou_uid - type: keyword -ocsf.resources.owner.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.resources.owner.org.uid - type: keyword -ocsf.resources.owner.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.resources.owner.type - type: keyword -ocsf.resources.owner.type_id: - description: The account type identifier. - name: ocsf.resources.owner.type_id - type: keyword -ocsf.resources.owner.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.resources.owner.uid - type: keyword -ocsf.resources.owner.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.resources.owner.uid_alt - type: keyword -ocsf.resources.region: - description: The cloud region of the resource. - name: ocsf.resources.region - type: keyword -ocsf.resources.type: - description: The resource type as defined by the event source. - name: ocsf.resources.type - type: keyword -ocsf.resources.uid: - description: The unique identifier of the resource. - name: ocsf.resources.uid - type: keyword -ocsf.resources.version: - description: The version of the resource. For example 1.2.3. - name: ocsf.resources.version - type: keyword -ocsf.response.error: - description: Error Code. 
- name: ocsf.response.error - type: keyword -ocsf.response.error_message: - description: Error Message. - name: ocsf.response.error_message - type: keyword -ocsf.response.flags: - description: - The list of communication flags, normalized to the captions of the - flag_ids values. In the case of 'Other', they are defined by the event source. - name: ocsf.response.flags - type: keyword -ocsf.response.message: - description: The description of the event, as defined by the event source. - name: ocsf.response.message - type: keyword -ocsf.response_time: - description: The Domain Name System (DNS) response time. - name: ocsf.response_time - type: date -ocsf.response_time_dt: - description: The Domain Name System (DNS) response time. - name: ocsf.response_time_dt - type: date -ocsf.risk_level: - description: - The risk level, normalized to the caption of the risk_level_id value. - In the case of 'Other', it is defined by the event source. - name: ocsf.risk_level - type: keyword -ocsf.risk_level_id: - description: The normalized risk level id. - name: ocsf.risk_level_id - type: keyword -ocsf.server_hassh.algorithm: - description: - "The concatenation of key exchange, encryption, authentication and - compression algorithms (separated by ';'). NOTE: This is not the underlying - algorithm for the hash implementation." - name: ocsf.server_hassh.algorithm - type: keyword -ocsf.server_hassh.fingerprint.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.server_hassh.fingerprint.algorithm - type: keyword -ocsf.server_hassh.fingerprint.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.server_hassh.fingerprint.algorithm_id - type: keyword -ocsf.server_hassh.fingerprint.value: - description: The digital fingerprint value. 
- name: ocsf.server_hassh.fingerprint.value - type: keyword -ocsf.service.labels: - description: The list of labels associated with the service. - name: ocsf.service.labels - type: keyword -ocsf.session.created_time: - description: The time when the session was created. - name: ocsf.session.created_time - type: date -ocsf.session.created_time_dt: - description: The time when the session was created. - name: ocsf.session.created_time_dt - type: date -ocsf.session.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.session.credential_uid - type: keyword -ocsf.session.expiration_time: - description: The session expiration time. - name: ocsf.session.expiration_time - type: date -ocsf.session.expiration_time_dt: - description: The session expiration time. - name: ocsf.session.expiration_time_dt - type: date -ocsf.session.is_remote: - description: The indication of whether the session is remote. - name: ocsf.session.is_remote - type: boolean -ocsf.session.issuer: - description: The identifier of the session issuer. - name: ocsf.session.issuer - type: keyword -ocsf.session.mfa: - description: "" - name: ocsf.session.mfa - type: boolean -ocsf.session.uid: - description: The unique identifier of the session. - name: ocsf.session.uid - type: keyword -ocsf.session.uuid: - description: The universally unique identifier of the session. - name: ocsf.session.uuid - type: keyword -ocsf.severity: - description: - The event severity, normalized to the caption of the severity_id value. - In the case of 'Other', it is defined by the event source. - name: ocsf.severity - type: keyword -ocsf.share: - description: The SMB share name. - name: ocsf.share - type: keyword -ocsf.share_type: - description: - The SMB share type, normalized to the caption of the share_type_id - value. In the case of 'Other', it is defined by the event source. 
- name: ocsf.share_type - type: keyword -ocsf.share_type_id: - description: The normalized identifier of the SMB share type. - name: ocsf.share_type_id - type: keyword -ocsf.size: - description: The memory size that was access or requested. - name: ocsf.size - type: long -ocsf.smtp_hello: - description: The value of the SMTP HELO or EHLO command sent by the initiator (client). - name: ocsf.smtp_hello - type: keyword -ocsf.src_endpoint.instance_uid: - description: The unique identifier of a VM instance. - name: ocsf.src_endpoint.instance_uid - type: keyword -ocsf.src_endpoint.interface_name: - description: The name of the network interface (e.g. eth2). - name: ocsf.src_endpoint.interface_name - type: keyword -ocsf.src_endpoint.interface_uid: - description: The unique identifier of the network interface. - name: ocsf.src_endpoint.interface_uid - type: keyword -ocsf.src_endpoint.intermediate_ips: - description: - The intermediate IP Addresses. For example, the IP addresses in the - HTTP X-Forwarded-For header. - name: ocsf.src_endpoint.intermediate_ips - type: ip -ocsf.src_endpoint.location.is_on_premises: - description: The indication of whether the location is on premises. - name: ocsf.src_endpoint.location.is_on_premises - type: boolean -ocsf.src_endpoint.location.isp: - description: The name of the Internet Service Provider (ISP). - name: ocsf.src_endpoint.location.isp - type: keyword -ocsf.src_endpoint.location.provider: - description: The provider of the geographical location data. - name: ocsf.src_endpoint.location.provider - type: keyword -ocsf.src_endpoint.name: - description: The short name of the endpoint. - name: ocsf.src_endpoint.name - type: keyword -ocsf.src_endpoint.subnet_uid: - description: The unique identifier of a virtual subnet. - name: ocsf.src_endpoint.subnet_uid - type: keyword -ocsf.src_endpoint.uid: - description: The unique identifier of the endpoint. 
- name: ocsf.src_endpoint.uid - type: keyword -ocsf.src_endpoint.vlan_uid: - description: The Virtual LAN identifier. - name: ocsf.src_endpoint.vlan_uid - type: keyword -ocsf.src_endpoint.vpc_uid: - description: The unique identifier of the Virtual Private Cloud (VPC). - name: ocsf.src_endpoint.vpc_uid - type: keyword -ocsf.start_time_dt: - description: - The start time of a time period, or the time of the least recent event - included in the aggregate event. - name: ocsf.start_time_dt - type: date -ocsf.state: - description: The normalized state of a security finding. - name: ocsf.state - type: keyword -ocsf.state_id: - description: The normalized state identifier of a security finding. - name: ocsf.state_id - type: keyword -ocsf.status: - description: - The event status, normalized to the caption of the status_id value. - In the case of 'Other', it is defined by the event source. - name: ocsf.status - type: keyword -ocsf.status_code: - description: - The event status code, as reported by the event source. For example, - in a Windows Failed Authentication event, this would be the value of 'Failure - Code', e.g. 0x18. - name: ocsf.status_code - type: keyword -ocsf.status_detail: - description: - The status details contains additional information about the event - outcome. - name: ocsf.status_detail - type: keyword -ocsf.status_id: - description: The normalized identifier of the event status. - name: ocsf.status_id - type: keyword -ocsf.time_dt: - description: The normalized event occurrence time. - name: ocsf.time_dt - type: date -ocsf.timezone_offset: - description: - The number of minutes that the reported event time is ahead or behind - UTC, in the range -1,080 to +1,080. - name: ocsf.timezone_offset - type: long -ocsf.tls.alert: - description: - The integer value of TLS alert if present. The alerts are defined in - the TLS specification in RFC-2246. 
- name: ocsf.tls.alert - type: long -ocsf.tls.certificate.created_time: - description: The time when the certificate was created. - name: ocsf.tls.certificate.created_time - type: date -ocsf.tls.certificate.created_time_dt: - description: The time when the certificate was created. - name: ocsf.tls.certificate.created_time_dt - type: date -ocsf.tls.certificate.expiration_time_dt: - description: The expiration time of the certificate. - name: ocsf.tls.certificate.expiration_time_dt - type: date -ocsf.tls.certificate.fingerprints.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.tls.certificate.fingerprints.algorithm - type: keyword -ocsf.tls.certificate.fingerprints.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.tls.certificate.fingerprints.algorithm_id - type: keyword -ocsf.tls.certificate.fingerprints.value: - description: The digital fingerprint value. - name: ocsf.tls.certificate.fingerprints.value - type: keyword -ocsf.tls.certificate_chain: - description: - The Chain of Certificate Serial Numbers field provides a chain of Certificate - Issuer Serial Numbers leading to the Root Certificate Issuer. - name: ocsf.tls.certificate_chain - type: keyword -ocsf.tls.extension_list.data: - description: - The data contains information specific to the particular extension - type. - name: ocsf.tls.extension_list.data - type: flattened -ocsf.tls.extension_list.type: - description: "The TLS extension type. For example: Server Name." - name: ocsf.tls.extension_list.type - type: keyword -ocsf.tls.extension_list.type_id: - description: - The TLS extension type identifier. See The Transport Layer Security - (TLS) extension page. 
- name: ocsf.tls.extension_list.type_id - type: keyword -ocsf.tls.handshake_dur: - description: - The amount of total time for the TLS handshake to complete after the - TCP connection is established, including client-side delays, in milliseconds. - name: ocsf.tls.handshake_dur - type: long -ocsf.tls.ja3_hash.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.tls.ja3_hash.algorithm - type: keyword -ocsf.tls.ja3_hash.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.tls.ja3_hash.algorithm_id - type: keyword -ocsf.tls.ja3s_hash.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.tls.ja3s_hash.algorithm - type: keyword -ocsf.tls.ja3s_hash.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.tls.ja3s_hash.algorithm_id - type: keyword -ocsf.tls.key_length: - description: The length of the encryption key. - name: ocsf.tls.key_length - type: long -ocsf.tls.sans.name: - description: Name of SAN (e.g. The actual IP Address or domain.) - name: ocsf.tls.sans.name - type: keyword -ocsf.tls.sans.type: - description: Type descriptor of SAN (e.g. IP Address/domain/etc.) - name: ocsf.tls.sans.type - type: keyword -ocsf.tls.server_ciphers: - description: - The server cipher suites that were exchanged during the TLS handshake - negotiation. - name: ocsf.tls.server_ciphers - type: keyword -ocsf.transaction_uid: - description: - The unique identifier of the transaction. This is typically a random - number generated from the client to associate a dhcp request/response pair. 
- name: ocsf.transaction_uid - type: keyword -ocsf.tree_uid: - description: - The tree id is a unique SMB identifier which represents an open connection - to a share. - name: ocsf.tree_uid - type: keyword -ocsf.type: - description: The type of FTP network connection (e.g. active, passive). - name: ocsf.type - type: keyword -ocsf.type_name: - description: The event type name, as defined by the type_uid. - name: ocsf.type_name - type: keyword -ocsf.type_uid: - description: - 'The event type ID. It identifies the events semantics and structure. - The value is calculated by the logging system as: class_uid \* 100 + activity_id.' - name: ocsf.type_uid - type: keyword -ocsf.unmapped: - description: - The attributes that are not mapped to the event schema. The names and - values of those attributes are specific to the event source. - name: ocsf.unmapped - type: flattened -ocsf.url.categories: - description: The Website categorization names, as defined by category_ids enum values. - name: ocsf.url.categories - type: keyword -ocsf.url.category_ids: - description: The Website categorization identifies. - name: ocsf.url.category_ids - type: keyword -ocsf.url.resource_type: - description: The context in which a resource was retrieved in a web request. - name: ocsf.url.resource_type - type: keyword -ocsf.user.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.user.account.name - type: keyword -ocsf.user.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.user.account.type - type: keyword -ocsf.user.account.type_id: - description: The normalized account type identifier. - name: ocsf.user.account.type_id - type: keyword -ocsf.user.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). 
- name: ocsf.user.account.uid - type: keyword -ocsf.user.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.user.credential_uid - type: keyword -ocsf.user.groups.desc: - description: The group description. - name: ocsf.user.groups.desc - type: keyword -ocsf.user.groups.name: - description: The group name. - name: ocsf.user.groups.name - type: keyword -ocsf.user.groups.privileges: - description: The group privileges. - name: ocsf.user.groups.privileges - type: keyword -ocsf.user.groups.type: - description: The type of the group or account. - name: ocsf.user.groups.type - type: keyword -ocsf.user.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.user.groups.uid - type: keyword -ocsf.user.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.user.org.name - type: keyword -ocsf.user.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.user.org.ou_name - type: keyword -ocsf.user.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.user.org.ou_uid - type: keyword -ocsf.user.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.user.org.uid - type: keyword -ocsf.user.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.user.type - type: keyword -ocsf.user.type_id: - description: The account type identifier. - name: ocsf.user.type_id - type: keyword -ocsf.user.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. 
- name: ocsf.user.uid_alt - type: keyword -ocsf.user_result.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.user_result.account.name - type: keyword -ocsf.user_result.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.user_result.account.type - type: keyword -ocsf.user_result.account.type_id: - description: The normalized account type identifier. - name: ocsf.user_result.account.type_id - type: keyword -ocsf.user_result.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.user_result.account.uid - type: keyword -ocsf.user_result.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.user_result.credential_uid - type: keyword -ocsf.user_result.groups.desc: - description: The group description. - name: ocsf.user_result.groups.desc - type: keyword -ocsf.user_result.groups.name: - description: The group name. - name: ocsf.user_result.groups.name - type: keyword -ocsf.user_result.groups.privileges: - description: The group privileges. - name: ocsf.user_result.groups.privileges - type: keyword -ocsf.user_result.groups.type: - description: The type of the group or account. - name: ocsf.user_result.groups.type - type: keyword -ocsf.user_result.groups.uid: - description: - The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.user_result.groups.uid - type: keyword -ocsf.user_result.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.user_result.org.name - type: keyword -ocsf.user_result.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. 
- name: ocsf.user_result.org.ou_name - type: keyword -ocsf.user_result.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.user_result.org.ou_uid - type: keyword -ocsf.user_result.org.uid: - description: - The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.user_result.org.uid - type: keyword -ocsf.user_result.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.user_result.type - type: keyword -ocsf.user_result.type_id: - description: The account type identifier. - name: ocsf.user_result.type_id - type: keyword -ocsf.user_result.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.user_result.uid_alt - type: keyword -ocsf.vulnerabilities.cve.created_time: - description: - The Record Creation Date identifies when the CVE ID was issued to a - CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. - Note that the Record Creation Date does not necessarily indicate when this vulnerability - was discovered, shared with the affected vendor, publicly disclosed, or updated - in CVE. - name: ocsf.vulnerabilities.cve.created_time - type: date -ocsf.vulnerabilities.cve.created_time_dt: - description: - The Record Creation Date identifies when the CVE ID was issued to a - CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. - Note that the Record Creation Date does not necessarily indicate when this vulnerability - was discovered, shared with the affected vendor, publicly disclosed, or updated - in CVE. - name: ocsf.vulnerabilities.cve.created_time_dt - type: date -ocsf.vulnerabilities.cve.cvss.base_score: - description: "The CVSS base score. For example: 9.1." 
- name: ocsf.vulnerabilities.cve.cvss.base_score - type: double -ocsf.vulnerabilities.cve.cvss.depth: - description: - The CVSS depth represents a depth of the equation used to calculate - CVSS score. - name: ocsf.vulnerabilities.cve.cvss.depth - type: keyword -ocsf.vulnerabilities.cve.cvss.metrics.name: - description: The name of the metric. - name: ocsf.vulnerabilities.cve.cvss.metrics.name - type: keyword -ocsf.vulnerabilities.cve.cvss.metrics.value: - description: The value of the metric. - name: ocsf.vulnerabilities.cve.cvss.metrics.value - type: keyword -ocsf.vulnerabilities.cve.cvss.overall_score: - description: - "The CVSS overall score, impacted by base, temporal, and environmental - metrics. For example: 9.1." - name: ocsf.vulnerabilities.cve.cvss.overall_score - type: double -ocsf.vulnerabilities.cve.cvss.severity: - description: - The Common Vulnerability Scoring System (CVSS) Qualitative Severity - Rating. A textual representation of the numeric score. - name: ocsf.vulnerabilities.cve.cvss.severity - type: keyword -ocsf.vulnerabilities.cve.cvss.vector_string: - description: - "The CVSS vector string is a text representation of a set of CVSS metrics. - It is commonly used to record or transfer CVSS metric information in a concise - form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H." - name: ocsf.vulnerabilities.cve.cvss.vector_string - type: keyword -ocsf.vulnerabilities.cve.cvss.version: - description: "The CVSS version. For example: 3.1." - name: ocsf.vulnerabilities.cve.cvss.version - type: keyword -ocsf.vulnerabilities.cve.cwe_uid: - description: - "The Common Weakness Enumeration (CWE) unique identifier. For example: - CWE-787." - name: ocsf.vulnerabilities.cve.cwe_uid - type: keyword -ocsf.vulnerabilities.cve.cwe_url: - description: "Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html." 
- name: ocsf.vulnerabilities.cve.cwe_url - type: keyword -ocsf.vulnerabilities.cve.modified_time: - description: The Record Modified Date identifies when the CVE record was last updated. - name: ocsf.vulnerabilities.cve.modified_time - type: date -ocsf.vulnerabilities.cve.modified_time_dt: - description: The Record Modified Date identifies when the CVE record was last updated. - name: ocsf.vulnerabilities.cve.modified_time_dt - type: date -ocsf.vulnerabilities.cve.product.feature.name: - description: The name of the feature. - name: ocsf.vulnerabilities.cve.product.feature.name - type: keyword -ocsf.vulnerabilities.cve.product.feature.uid: - description: The unique identifier of the feature. - name: ocsf.vulnerabilities.cve.product.feature.uid - type: keyword -ocsf.vulnerabilities.cve.product.feature.version: - description: The version of the feature. - name: ocsf.vulnerabilities.cve.product.feature.version - type: keyword -ocsf.vulnerabilities.cve.product.lang: - description: - "The two letter lower case language codes, as defined by ISO 639-1. - For example: en (English), de (German), or fr (French)." - name: ocsf.vulnerabilities.cve.product.lang - type: keyword -ocsf.vulnerabilities.cve.product.name: - description: The name of the product. - name: ocsf.vulnerabilities.cve.product.name - type: keyword -ocsf.vulnerabilities.cve.product.path: - description: The installation path of the product. - name: ocsf.vulnerabilities.cve.product.path - type: keyword -ocsf.vulnerabilities.cve.product.uid: - description: The unique identifier of the product. - name: ocsf.vulnerabilities.cve.product.uid - type: keyword -ocsf.vulnerabilities.cve.product.url_string: - description: The URL pointing towards the product. - name: ocsf.vulnerabilities.cve.product.url_string - type: keyword -ocsf.vulnerabilities.cve.product.vendor_name: - description: The name of the vendor of the product. 
- name: ocsf.vulnerabilities.cve.product.vendor_name - type: keyword -ocsf.vulnerabilities.cve.product.version: - description: - "The version of the product, as defined by the event source. For example: - 2013.1.3-beta." - name: ocsf.vulnerabilities.cve.product.version - type: keyword -ocsf.vulnerabilities.cve.type: - description: - The vulnerability type as selected from a large dropdown menu during - CVE refinement. - name: ocsf.vulnerabilities.cve.type - type: keyword -ocsf.vulnerabilities.cve.uid: - description: - "The Common Vulnerabilities and Exposures unique number assigned to - a specific computer vulnerability. A CVE Identifier begins with 4 digits representing - the year followed by a sequence of digits that acts as a unique identifier. For - example: CVE-2021-12345." - name: ocsf.vulnerabilities.cve.uid - type: keyword -ocsf.vulnerabilities.desc: - description: The description of the vulnerability. - name: ocsf.vulnerabilities.desc - type: keyword -ocsf.vulnerabilities.fix_available: - description: Indicates if a fix is available for the reported vulnerability. - name: ocsf.vulnerabilities.fix_available - type: boolean -ocsf.vulnerabilities.kb_articles: - description: The KB article/s related to the entity. - name: ocsf.vulnerabilities.kb_articles - type: keyword -ocsf.vulnerabilities.packages.architecture: - description: - Architecture is a shorthand name describing the type of computer hardware - the packaged software is meant to run on. - name: ocsf.vulnerabilities.packages.architecture - type: keyword -ocsf.vulnerabilities.packages.epoch: - description: - The software package epoch. Epoch is a way to define weighted dependencies - based on version numbers. - name: ocsf.vulnerabilities.packages.epoch - type: long -ocsf.vulnerabilities.packages.license: - description: The software license applied to this package. - name: ocsf.vulnerabilities.packages.license - type: keyword -ocsf.vulnerabilities.packages.name: - description: The software package name. 
- name: ocsf.vulnerabilities.packages.name - type: keyword -ocsf.vulnerabilities.packages.release: - description: Release is the number of times a version of the software has been packaged. - name: ocsf.vulnerabilities.packages.release - type: keyword -ocsf.vulnerabilities.packages.version: - description: The software package version. - name: ocsf.vulnerabilities.packages.version - type: keyword -ocsf.vulnerabilities.references: - description: Supporting reference URLs. - name: ocsf.vulnerabilities.references - type: keyword -ocsf.vulnerabilities.related_vulnerabilities: - description: List of vulnerabilities that are related to this vulnerability. - name: ocsf.vulnerabilities.related_vulnerabilities - type: keyword -ocsf.vulnerabilities.severity: - description: - The event severity, normalized to the caption of the severity_id value. - In the case of 'Other', it is defined by the event source. - name: ocsf.vulnerabilities.severity - type: keyword -ocsf.vulnerabilities.title: - description: The title of the vulnerability. - name: ocsf.vulnerabilities.title - type: keyword -ocsf.vulnerabilities.vendor_name: - description: The vendor who identified the vulnerability. - name: ocsf.vulnerabilities.vendor_name - type: keyword -ocsf.web_resources.data: - description: - Details of the web resource, e.g, file details, search results or application-defined - resource. - name: ocsf.web_resources.data - type: flattened -ocsf.web_resources.desc: - description: Description of the web resource. - name: ocsf.web_resources.desc - type: keyword -ocsf.web_resources.labels: - description: The list of labels/tags associated to a resource. - name: ocsf.web_resources.labels - type: keyword -ocsf.web_resources.name: - description: The name of the web resource. - name: ocsf.web_resources.name - type: keyword -ocsf.web_resources.type: - description: The web resource type as defined by the event source. 
- name: ocsf.web_resources.type - type: keyword -ocsf.web_resources.uid: - description: The unique identifier of the web resource. - name: ocsf.web_resources.uid - type: keyword -ocsf.web_resources.url_string: - description: The URL pointing towards the source of the web resource. - name: ocsf.web_resources.url_string - type: keyword -ocsf.web_resources_result.data: - description: - Details of the web resource, e.g, file details, search results or application-defined - resource. - name: ocsf.web_resources_result.data - type: flattened -ocsf.web_resources_result.desc: - description: Description of the web resource. - name: ocsf.web_resources_result.desc - type: keyword -ocsf.web_resources_result.labels: - description: The list of labels/tags associated to a resource. - name: ocsf.web_resources_result.labels - type: keyword -ocsf.web_resources_result.name: - description: The name of the web resource. - name: ocsf.web_resources_result.name - type: keyword -ocsf.web_resources_result.type: - description: The web resource type as defined by the event source. - name: ocsf.web_resources_result.type - type: keyword -ocsf.web_resources_result.uid: - description: The unique identifier of the web resource. - name: ocsf.web_resources_result.uid - type: keyword -ocsf.web_resources_result.url_string: - description: The URL pointing towards the source of the web resource. 
- name: ocsf.web_resources_result.url_string +ocsf: + description: '' + name: ocsf type: keyword + process.group.id: - description: "" + description: '' name: process.group.id type: keyword + process.group.name: - description: "" + description: '' name: process.group.name type: keyword + process.parent.user.domain: - description: "" + description: '' name: process.parent.user.domain type: keyword + process.parent.user.email: - description: "" + description: '' name: process.parent.user.email type: keyword + process.parent.user.full_name: - description: "" + description: '' name: process.parent.user.full_name type: keyword -process.parent.user.group.id: - description: "" - name: process.parent.user.group.id - type: keyword -process.parent.user.group.name: - description: "" - name: process.parent.user.group.name - type: keyword + process.user.domain: - description: "" + description: '' name: process.user.domain type: keyword + process.user.email: - description: "" + description: '' name: process.user.email type: keyword + process.user.full_name: - description: "" + description: '' name: process.user.full_name type: keyword -process.user.group.id: - description: "" - name: process.user.group.id - type: keyword -process.user.group.name: - description: "" - name: process.user.group.name - type: keyword 
diff --git a/OCSF/ocsf/_meta/logo.png b/OCSF/ocsf/_meta/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..3bf9ac73e6e41ac60628c19cd0c3da925b9bcb7d GIT binary patch literal 35988 zcmV(!K;^%QP)d!t^SaoQ7jIC5W`pLtjJ0@p4x)GrY7r z!@M)Nvc5%R3ube!LSjb4_8@<&IJD#1mq0I+!Z*6LzeQ!Od_HtDRI`6Q!-zg7mYN`d ztZOn-KDo9uv92?v)P*@&CXbYXH&`^WuGWw|E1#h|x$Zl@x|cm&eKuCiMP{*qM1?t8 z*_lw2Y&jWskcw(P7IcHoMQ1Ogq?~a%S1e8?lbAWjy`4W_)G4I!iqqD zWjipgtF}dBvqfa|IA_mdti%egMfxb~GBGs*t*mL4_9`!346Imi6;l_E38xi-lE@RcSx z$NuF!U+b4D<2_t4%DVcK8a>7ND$2O$JX|-*{^>ekEX=&EylO*IA7~IV?4?I z<33jHIa)Byz0{L6G{p8xz@cujew&?AOuMyOsMxVpd;*ogQ2+n{#B@?lQve4L77QE< z68;$e_x>dO{x>1&M^pNc8Zs*L_w?#J^eyLKE#Fx2fa9(8JA(Uih(rD1YW(!!-7UrG zPwDJx>CMYizR71@CCA6If|g>|@~-{imT}juNzR@xYdidxv_*XCgygZDrEB4(I_oYv_6~;KOI z!>_*jY9AP37<(9ujN!BPpY89Ttlr}}1gE_NZhtTkjuM>?r_(t%XEFjx4Q8W4_e>^_ zXMJ;X*&FluqTxWq?}p|6$G8QheV=W8`Qsn+CsX?)V=k8sF!28b?%g*G^kXRUw*85o zj(Y;9pLEwLb=vJFkJ+dJf*^>3EQ@~wcQuVT227^8_2t;nZaf?aE?D%sj{gWcyJume z+lQf@VZdfE82B>Jr_4$jnQZ|c&Vl;Wy*EhXK@x6lutL5=i%XN*ue6@YJzcXwrg33DR z90Lj9>@4w6NG3C9nKGZuCvf-bWmhlx=dCopL`gnzb|1XzCjF7{Zfp}PDcr8iXe|({d0BqPBl%xJ$`ho# zM2}~)0zj|ImIP5&&0rSP#`hxr$4V{NJ+n2m9dZ@xcACiL&dxF!91{uLP672}>P94L z#{@fGd-Q|An{Gln^^VtPEnZ)B{e%9csMq0vscN)t3IrKHHD2?DcgSXO$P*Z^AYTR~ zA{uU*Ex1Or$?1*l?)lx5kB(ZdYi4WlaQ_=yeH~@?nE|00Vit$9TM5e1&n-`0e>Qj1 zi*q-;AH1HW_}p3Un^yA5^;&~VYd(jQ+^+~GVR`Vn04<-Ow+1Q8Pyo~PEQ4I3g{d_xq%b)5}<_g)NB$E{s~nYZ9p2Q9Av%Ni~dOs(G+) zQ|>I)LVML&7GA8y98SAY(Ii05!yF}nu?k)_4YxGq9W(-EIc7jnz(2i(qT>>?WJv%h z#u7#I+~)F8Jn(p!?dhACpBl5JiB&>^dEeAO7Q!URO;bqBU!ll=Yj)>eK&}JFRJz!* zJcsLD2t>yncH&5u0D-6~kdGyI%RH+_xvB@b>NR*gCL=-71b`M^GU-x1kOId7t+ks+ z@niqMV_=p-rI5=8yGVl9+Um&c6I@aRldkcGQ0mFU!o@H)_MK}igt|nFY&8<~Iz47p zmdT~E5LYWn03N_i_*2i^99Ts8;SIwP1KnEQ+$4VI7{8!jRYd{Nh*t)oq~YzG-rchHbW=rbD1>C7Z8L88;e1vjC{4K-rb+E_&{PWMFH_M=x*wx5s z*WzVLZO;q&N~NND)?;AylSaoqGq1Kso|Ivo)wC zc6M~M?{9QJB)U4e7I@%(H*D2zRI#9560a-*LKO*6Om?Ru=8MLux_^KMj@3F)hvgjx z2CP==!ok7uG1>vUAa{A4ij9g0UQhE92tGg0pPu6TQZlZ;`4cw#sk|}sz{7khhp3a{ 
zU-G=fEUlw9n`>n1WPW34Yjzap^*`U8shhC4iLRycQ*#Zg-;h{LWLGv1jmK*LRK-YFC*`n{1nV~&MqE~*vgd5umCt+ zW!K0TdE40jS0{f=toC(v_WaigtwA>!T#Id*v~1y2R#jD~RU0I*YIk^jYfHgtx8+91 z30iL|p0nQ1!SP#i%9~WKq9ClK5vb58QQi}aA1_!Q`1HX8Pn?9FBr{ZbNRW}1lQ~ud zFxYlRrsgMJ&UCd2rL43xz2tM)jivMRf&^McNhBx=>Ip017yiNiTFb3bUJ0D8v)4*a z89sR#R*UfI@5BhXP(?JF5F1AxHh|)~x8Q*dRZs~o(|kFdA*9l_u@E!V&bHwc&`&R| zU}4p=2$%9A7DTMAGS0h`EOi>Bb^y)tO3;x@UN|@=kBqfeQ4vJdN*L%JTxiBQIOB!h zhdY&U!N^znGCXgNs<7p921xQ_p~LyDb~01~HyK2@WEQdo(3%y2!sTTiraB%C1l|2y zBZDG6H`_A}km!0XR-*RE>oh4^tg&{o4~B)%*-7<*7?k#-@b2$B~L-tNW_L$NXzb$f(D0Tzoo1x)tdPb}B> zYHGMxtRiL2!2_q0s6M24SLpD^nRc_(S{S_IFqX0xCAeW3MFaU%QtaN9rD^!zhS6!^ z8XAuxckFY_nN@s`=qpq>zbH{|yy*+L?>Xb?oZSdLF%*kbEM!PgurzWqG1J-6cHk`j zU&ozBC3{||`QJ)KRP4`xc`-fNoc-t;o|2;B3xrULg3pqvv?!nyWpu{E{(B9d`X;tV zY{eo~_><_2(uKE;Y)`bKt#)vOFIK+&9;t_r#hORyhe)>if?}n60$XY0tXHqlNEDSR zPV=JC)l(k!xvb%r?|ND<@|^tjpa1Qd~gP=x<(G$(gU-kHSBd7WmJMM zkaFbZ(+bXQ*gtvy5lk;4s6S(yAU2O69C2}}a4KnYvG~Eg#KqmOpYD{Yyp&<2A_g9Q zcDUH4tacy{cHqnw&IyGqba+ZbTw^(M4;%R~LiiG)G^epclSUOsczE_8? 
z>KOoDK`RP|uBrLeHf5EYe6iwC1QC%7XhrCvnVzpKA+vcP=)mlsC>$eg&Vtx1nmm%q zh;6aE;Am;(S=q2!&6JaT(e}+(6I~tc32ty{+^*!$1?rFH^RjBRdzak(9S;b-^#GCa zx>-Sqf`*Z0QT2e>NNY3Mp4s`4CwwxI!!&LhmBS*8bz`iO^+hYbkjj1#AR?C@W5i9FZU)vRz{t+>m zgaQI4;#F16c5gKD(6rW_F`2Af$O;-Ui>_cxOBCH(Pru`-Y6xTHL9bzWYJRI-eQ<}~ zzveYpButXAF+tVn91l}+^YGx{j8QZ;Yi#?+1$7t|!R#90JBt)Y!D*R2GNK2F1w@2s(pxOmm&+*Rzv3qV^Yx0{z7mxlqo7%_0_UvS< zyQ5t}w9>R8?Vv(2ShbHMyZLl04%bV*c+RYd6qwUEt7`X#7j!M5b(l||0SOw8NZCU3 zvu$gv9r|F@VN?XfprWb@GH4}Z{glvIkK;&XRT`MB!- ziH7wvsj6#gqWzkz*PO6YsR$tUT&^f4v~C7J{r?uk?)la|G$ca><2;BR4_mp9b;5=+ zx!*ER&GVg;t#(aX-#K9ne2UBun~jcNr}Z6=0f>utmpw|Yzf(Y^8h&Ju`>06Rh27pc zjP94w#IZe_Z{Ii=E7^3^VJgw?MRc?=!s}g|ehm9$2t8Jco)l3Qge-_fXUP}2dolqZOtWUn_M-=4~I6|o>rCS#WYpA%p1Mo$;b4+)eXQEn-r>0z+x{{qazyZziUl+ zEJ^7NPveH=C!xi*tsDZ}z!GS!6c7n($X-p)!|skp1#aMYmzwQDiS0DdOpd7kF8+j@ z*%&dL0cG%tuxX^dX`Kv=Q^3XEVV2UZk0SD$6PViSeb2cS3&Gu>Jxp7Ay#I} zBvJ7%8%EkWZAFF?#E@`FqDc5WtJ;5VMSjCEkwoj~*k1R!wWg1#J2*EDy=dr}lq6X+K1Z|lBS^Klry+Z}6kdz&9>rqI zKz-x-pS#dTBz~;}chk?~EM&2oe36%EM;~Q7z0Ji;FQ2;78QLU=0dP3s`O%LOb?Tm3 z#kn0?{9}Ip>ETr9{g|RZwM$D7BGB<GLhQH1(k(8jx{%TXZat})Qj)dWfIpt zS6H8`ixXhS`rBhzE_YXpH3=vclOlzrAa>F>^Y+9!RHoz^TbA-ntY0Bj;tUnCIs%y^l)q>E>KOTP#GRRTJqL9v^%@pl{X{2N1efFxOnt#F9AY3+kI# zT#KY=$o4niV9#5@~G_senKv3R#8%=B2PIf^=1_0IHF+YL95CwKli) zM)!HZ=TY<6lZEb1R>Kn8s283e!)A?4E=hJ~3k`MOP5pAjWhhrsS|*Jyut@?G=~Ufk z6160>_wEAVcsJbg=1iT}+%39XmWa=3M4k`PN=dT+{8N9^juAqMF^Ck1c`(ZKT=GPz z05w`>oHB_#5ziL@oE~4WY&Erdgex*bY76Q{>8XIkxGeu2+ywGLX%J=xa#OrT!q(C#{1$k+?e4uCA+{ zUcUv@L{if{*(*LYljGmZtIi*F8cQX%Ph3=u9)M6Jq8GVAnom9F8cG7YGnqegyz|B(B^%w~k!ax67o_I~rVv>0;ubdTS zVG5dHYogKdOLH+3*Xs@ts|v+Mpo^)mX%hG(f=>x}jLa5Lfl8&WqL{s4D#bJv>{+G| z>bMzVdk=OujiuU`NHBVTb#o1P;jh0l7$~eEZI_*=FMFEYA3FpG%wxAR=}pvtdkNaq z4rfW+@&sHx0Px>n`iSNC`r&?fVMWHNrm24C%1`>{c0EU;v2~Ave3If`RRl<=r$BsB zbVM)_=I~=SgV>trDf7t8mf`#r^EzX;nQzobqXo?M!k^o$2AA13A%Tqwd<5~}2f z4_`MmCd|?PSX7m(%oV~`fx7qvsZf%}C9=%n`@uK0;}v$k`3CoQaJBR7hnw{gIe(PC z_@$DVhq;cwXlilQyZ2%>S|2-(u^cXgSDQsZvwP3 
zFWFqn+$OxSu9+Ud9=cDeR)X%Etk{3{>ptj(e;+PF7QajrO~WIL-A&5GKvkNQCs;6D zt%6+g!l@KkHMqvU8wveJ(uhpD@NX4E+_@d|+w*q?-dsDrXDg8fDUOf@8KNX;->x+k z3R{BF=O)lppX>!BCO%=BgZ$dhD{J8Z{W=xE?h zn|(Xb%z#~-dOIZ&YLvup!ygI@Mz>vjnn*GwCp(nwXMM5aJ- zu0#^TMib=MqG9^=N7l*uZ$IJyh(`>#A+Qz+)K$1>sU-!}5}+aB70d{Y-!5>CFR_u` zb+ei+ko;!BY&V$nN<*r5_-wLGOcSoU|JeSa)ZhP4H{o! zp@jMx_C5Ot^<1MJg6T*+<{)`gmhNIISb#@2ufN&z4>am*;E9c-%*OVH`GUGz%#{@o zbCg^bhYuUyw%ob39U4Zn76UUR(na-%Dt2dWKvVCrlFClZI7T;BS%OZ|_lSj?m>x&} zM`LSa7I8~Og;HV^?pN1b@i7ucGZpbPfP`02go0pNN6q;2hCT7JNfStsT2)YW8oXsj zV#I*VzM4oOb$zzj*Z7$6@2(<+zcggbs!5P^I^5Xmd(^|maAc@731WrzynNeubFM!a zMH61C)e0$3F+0bb6zZxQ?LZKcK8R{7GKdvK0o7jQvVXp{HoA)(MCNs2Ix$yf= zGIe~+oKv-$9A7AEHDCV!{EzSZ&VxQKYA|2|%{Yb2IW#h{-Snn{|%~SMJ|D8Wr6-TsM;gdt%I2n6 z6QJ`f=fz^x2C7g!{{u(21SRPNwqp9IZ!6w_a>Q!BWzU&`YM(;qn&R3T zE)pYm6tl1fSR)R0a2XD%3c^+I&VCC}QpXeEzTgAF&E^g4O$8M1v;<&v?Fues3?VSx zUBY5d`-ktg48!=vvs^Yy_9+I&=w#IhR>8S1A&vFnnQ&%>u%@~_sey3&+@*1a3zE#8=69GG>{bjg5jESArqZ$}Z+b^p}Yg%kg zPHyKawUkxQ{EEmZrCKG4))ePbdFW)#1xCrt$DeQQaxnvFZT|3Fp0azt(wIFB#n2#Wb;QQG-d-X4F z*P&46Bn?~()d+eVwMzKGUJ(1}fNmU;+(Iuf{0s|KF>EeX0`@TOmWn<_b{05yfj`}@NT`Jj^JxK;CKY(t z7sW7i#E1#EvT&YgjT|gOZzXJ(>@rx07AA;lebH>MZsr88mSIGP7nQeqs-^Zy(nn$I zibbxwxq|hM(u{k+M*0A*_=YCB{Qik;+8=9nxZkoG4(?ac(Q1}rV{=2*qXgEb1 zCGqkfQ^+fmA;6k-Y8WfbD21!GFu9v0SteV}0N2Pw3%OthZY)QwvoqlO#8({ncg?MI zd#G4B5iX%bxjlXf|5ZrE9&t61R&8VFU@WLq5{GTN^{4-t_U*m`iYBlKYqj0&b~SRuV75klH}6CcuH3K{ zoVOJyh~z<$_RUvc(cxq#TFTwDV{T=D$_*;gl)_c(f#8mBQE^e4+meXc|5+*q?G?ZZ z5s14vd_SPjilg`C0v9Lz`(okB{&WbiQumPAz0Sy!vr&g);4;A|2DNZ?=w=H=>q{?P zJH$TS@`LeYvee2_FO@=uC3(y*rR55R`aH}iFa z(|OXcFYN^HZ|tym@^Ok*_+Tz55Ayq8qCvvAq*%1LhW-8G6+?UAdNO$ZJ(Y01GZ+G4 z2Guj%C;A?K+Dfo84JSS5XiU>a8tzglv*O{hutdOT#E?5wL~Yu6*yxu4u?PrWgYfiQ~SBPg`Xi@wDUH3444A!MF4^ zIRlXT*r;n(Dneir-b3QP%tIjlp(;??OyJA2Br}%)G3__ zy)BPDvQa}>F&D1Ys-cO`TBmUpFp)lDVIKpgSU0XC>EUeM2knoFDqX@x{dc;ZILt1< z$N=vO7p6kMj%|PtL$w!$&hP$~hL2)d;roIYT<^52xD*V6-i9oUWo@YCd}}+AhTR-+ zExT^7LLVCB7RM?HTz#@pFZ*;L6A!p$tPtV+9v(%&$_qj8+qtZx>B;#8t9?8Kb4$9s 
z!vaxWHE{tSN}W*3NMgnHg_gQp1&vR)gc8j)hTm1Vz1HcigT@2W#wC_nmwhxcNVyv> zat0DzmjB4$eUJn!lZq5KdY(|)Ztgn3G>yT;;L&>u{(A33#3P|qT(F^uRx_>@ye2yb za;a%_FOMs2^tc%{5kP{Cdih5anI9x709(@Ii{mQ)Plko>9<&49=atqg*CUw|;+o2; zG_M#S!c>H^Q!rn4TP+K-8U{|q9BeoArNw}}>)(jNY8oF|`4n=A%g@4%mEfk1L9xj# zjY=za4OC*}lqY4^)c59sPYEzi2I_9`)k62)l0_fsZG&{0=BhRwdAqe*oW@6xJ1x@u zC5*dBX`@%MA=xm^ZfPz2FH+VAEZg%i3n?OCyA-~x98)1)bN>A7wR#%fM$-bCK8C%K zqgNHoVurG)m(pZ3Iny^=s}>gA%vHm#@cB(&W%JsD1w5bN25r&r{TGWS`S#5%n!+AP zY~K_D9C9JtuQ@BaT;CS7L%cy3j{;_h-%7J8wH{ev_n*dfJlRr%rp9n))3A#r;a0Xj zuCmARX&iw8;uga7!aj+?E}n}TUXtIkMMoJIQA-+x^tPB?)pM8;gZvg=sVCxBCPGf# zJ0&yoMw>ibr$cGF3INv7^!}BLx+Jziq54PpYTM zEOHAiFJRUX-8Sr(D!G9Rgsaxk11;q8@aX*f($doW{OIV~`r=rBr#iG65(QqLwOrS7 zA(qqRc_nF*08-4ko9kD_5OFAbOk9PtnkL=PJwUH3W{3<|^&Y3~71|^oP0#GU|DT;1 z@jL#+-~1)6L2Ts`SKGtxL(Y<*+q6}NXV*o-HF$Mu7TV<jBpsab4pD+ddfsYnb{C`SnVc@sKd?c?9FZzK3tBd+O~^ zPR#7mC$TE5U_w{}@i_eTa*hKHLZNVsABCyd+fPm7u*(6n9=KAJ(N;3R-xUa#8zw3DgB;tZ;nn&@XsH6nzzbf$zSZR8v2aCqS%q?9S(n#uMZDUF)0ENmkMSNSti;s{tl zi%R_mCoLpl$S~))q8x7EO3H|Q@ya)*u==sw-o-8@9n^9>2~;gK97VFv=srPQaq|2V zxa#>!PznUp_QZy7@o9BepMO`AYhiUu2;cSO!Hq!MWCWjijm8jt*I$vR;TXnD!eb9^ zF-owK2<24ieA&R2C*vGvo;jC2jpH5-U2bo$!XE z9>1%pz)F>kT_JtEoX->1lFfNMEei;1U0Jm?`bCeXxKJc9*up|_E+}_k)3F2MTxIT&{$5dNMX-&JK8a8@>*14y$$Y}$tAx9V$3S0>x)1w2Cz~vwDXgCUDCv%LF zu)#1*TENu=uJh6h^XkTqZ`N@Quk|PmiIBHF)TFsGfW)El8UAX%?^;DVXn7ckDD#hl zQwK?eAdcmC&-N>jbxf4rz%{&*=v;UQokx}tUYGlbv7lN@B@iRxlFY*UzHQEsL1NtN@a zm#Y+Uy#`gp>`B9i^Sc1n*Wvy%yu6V}BxYxq4_0=lFsKmMeD2hk|6GCnHhvfn*Ky7H zaanfJPz<2C0?X1zXMW?eX~60L*X$tPB9W!xTTU%irTtcQh#Nh*Lv_fhBEZof3+v0+ zt?7sFOn!ue-(CK>`B~%af820U?%)`;Vhdb9?^oz@OoX-xoiST|xlm>^?3t{PO0>o6 z9bHe1_4Apl&TFrYCDuoK1+|=B@HuM>gc=nle-gM-RPXmLb|_4oY>VEkUUcLBkqVDX`HskFZI6` zfGgv(%U4>`0$KT35cJJ3B<;{f%7dFJejV>Udh9px1KjTT`doj9_Usz~v!hWxhgzKR zOzK5IK^~TLZQ=^?wRHD%jRi4qHG%8F*AH(Yo`@^B5--b#O>m&)PA{W!y^`jbrvKU_ zp4iYkpDncizl>B3l~9-#(l(gG($eJyIzqu~5;S_H>eaK#Pv}JqUpr0=|KKeSQ$@Xq zDM#MK(;rLB7xGR=2d?mAv&bKn)BZ7-$O~M5et@~4z_mKF-6mVTPB2#h&*J^>zJ=YWX 
z3lr4!dA-Q84bCH5tjFayfq_Pc-^8%gETIFWM9&krZhramPrqc*cA)*J&b)C&mRF~N zD}DAIhlVlo;+geW3i?>UdbHmJ{%Z|f;pSqyqq58zAQ1|fR@pq@=ahj z`kYs?gJbJUKI$OL#DYi~u&ms^3=8`oY*nS)j$opJt8Wa{apg&2>aR)Z;92oj6?zr$ zQKjMfz{vtp*pN8c$Wc?!7D<+1yaHEUj_cv-z-gt9>*!cOVcbL8a1W@3hZBJHdC!r0 zrxo9ad|*pHaSmWh;Wltp_#O^p)CJy_X$*WNa1|#zy|2k6uh`LXB8UejA<2>6t}zGs zopZd|4MBJZp4o-A5|*wor*Btn@SCCi=9T*3D}J=NzEozGwB?sZ!g(G;H| zVC53XBt438akvVN&OsEo!pR99i$DGVT*bs7JMpP3v3@kd`?Z?NR3nq`NqgOi5Wg{W z_{Xb%O#v&~oUg*Jcw$ol*N%-O8Eb&RROpEi+^!8=(PhvZ^+ifrAJkhfM&vav zP2p%KjCg;yjD% zniMMFS|qNPk8)UEXd4!dj3FY}n+m>g*4S-f{R<&Uc}d#pbRO;)cpHtlE=h5H4GD&n zft;0G6}YAau6N#(GZ87zBChX$ChdtPW2l-0uAzyynnZBd`Sn+#BULivy4Jwev|K51 zEP#=tSdu;Q-4}P78l0nya?Zq-D8KcE1S+f*<8bQ|xGMD9jMpODtO0@RvA{Jn*)E+T z_Bqhd(G?tON-2B1jw^uOZI*Bau8m0paqW@e3aIk5<8Z+*8kbhXI{vL7xVc8}?cj@Z zMqDo!$yh0EecmJ8mao)t&8y%#D{w94Jb|mjnLO-e(YZ*V!hXEKMh88SECRLtdm(mD zd?l_~Zddk$J9S)(3bl=<1g^5iC04CHg5D~Vy(e4!1m2o)j>TRTlG>(G+zDLSHUL-Y z$Mo7kQc$f;7kjTRS;?|V&o1IhcD_vT0<@0pYlug9duuNrK!@w1BrHZTYhd1If ztO8?u#1%2brsu5QjeN?2lGG3t#v5{M!DC5f4uvFs}?UwfxS1=4!aTRpykP5EV>@ojtXXuTl zidUD+KxJITXR1^;8D^e57r8NC*IXQ$A9!1;;)*-dwt#ED6xS%01n0O4xq~{cJZkZp z%@+9d>&Umwg{yE2y&$fME-AIb;4^n%xIz3Z6;z?dvdQCziJu%-Qo}6|xXSw+fvagh zi)%&|*K}Ios>y@_eP9h2!2izfe$zztFl`v}NW_*(pOfSZ+r^?6jwfXEro>kR7LbBq zLl#$B|Jo+V=A1R?O8qMzim*ISVJFVDSuh^n*BO^C00%rU)}X_Is{Msv1*S&9UlXi}E$o!! 
zyZr{PO7me)Jk$RaSL!5d5tVqQOr31t8QHu^qa~Z*f@3)KakCUonEMM{VcIO8`(Gul ztS>D?Iv)<)fPoU2fHrWIT$96&MVBJ}$)-a``eJ(etp+QNh)O63BZNSI+(A zbHp@$0kqQjFke|h9^h#rFCgNI5*N7U!Ycb5-K5~fHl+SO8p(iV)AcZYUV0%lIPmUT zw#Zyntv+LhT!t3V`xTZtzyr%$FCPizB?E9#3rG-BB;L7_I!6L0$ zf`>a$U6F+1D@ZCSy`w-1a;vSq=R?qSdo&CqHR4KMh16^cGBK#OU~ge4)Xu<_|8r$; z^Bh;?;iFGwe2I^4IecyswG&;6rO_SA)Ny^3z1Jjfbp-E!MVli<9vG=DmJKS*uhgB* zPh4db#vL5WI0=ld&@hWmOjyvQNfSQW6_X|nB?=+M2}y&E73xCSl%QC(E=U>)m6d_G zw6gPmaAjaaau+vu5+>96$jxMiq?@Uk&f4GeUZhq_?>i_s92JlhM(4Tbeb0H$InSvk zc?iM~&;kHdzUef~9X)*$omopF8tp5>N`#%P7_plNlj(wM_&5=ZIRadL(`On({+(M8 zrNb~T9~ab;ZvL>v&W>&|#1M(#x;ymc-L^Q1Q6cz3L!#B3r{_OB7NyZzp?efZ2TL7#6VR@C-4sl9}(qOZ2%_Tnj{-Q)u% zZgqyvT@BR1m4ld}%5Y`G?yrW+WfTsi?^CarC+}ao+3`O^Yj))ql;e50VE8F0#)&p^ zUnz;j^jiuUE-we42o%eywawL;3uC=VB#xb*S>0TlUuH}a-zzXkVx?ppy_%*3%pwBM z51+1QPExURt{_}BCs}4LYFi#P1yo^kl1@|n@Z)Ts#hfIG(WpcYNO$mY9-QH=i{H%N z>|{pr+@IF*AKA+WFJBK#VvHS;=ewcYBDhv98cmhE-~keN;BAdstgz$H*IfLoBxO+~ zebQ^|n@f^NTwF+}lC^4%kgckisbZxkucX*7Azy%MLV6-pI0S`Ga4kIp*B?Im?vZeP zlFi0KXEPvu9~ngfWkr(~)wkEB@FRcaPJXi2%*F<8Z2Wlt-tCLmu3h`)+A-|n5q4Yl z((hvT?%lii&E1Ya6<*}8F#oyb@Z9CX9Z00Sn`?Of{ARDkR;>4!aP{^v$%~`iy}Uf1 z%19%zKiR|nZtab&qTQwu4x8<1=NGB`fNPN!tI&%;|7+E})auXSXH92Z-&zI;(&F6#-)+y`=r8{5?ljom&LDxazqW@toBb% zkA>bEX&yqJ9rR$>Yj^p6tj^nxynsakoY6-P*5K5(7;J{hxXtR{K*Yxg<^{GZ;{n0+ zoH+m1^s8R>d&>G=%yFnGUH?-L=5yg%RCCdYm5g58;M!PD&)DQqnwNvi)8up@pQqi1 z153ndgC4^MO= ztci_Re=necSIaC}g?zmzIQ4ic1A(YkrE#b32gtf+DSj1ciFGSj$#OC^SN@u-#Ybi$ zp`kv)=0$_+7vE2Gox8_IvL?I`a>83Ttwzwn6<|lH(%1nzSkCTYb#qOhO zSS{2JB4VrPX>l!;^tn$Z)&vFR@}(LZeNf$8wUm~Q5RE6qO%L{ee0OLJw7@pA!&oFkUb4tc@@1FsdIqqVUaSxHCN+; zwK#|q;99B{i)vc2w661TOY=!_h91Ze3|Fw_WCm29%Zb>G(ltDAEqd%ave1?Gi5lD- zxN4bVgrgN)oh&gi|MM0HvFQz0-x38Nd$sUK!-Ud~BbODdKz!mB6bZ$T?FiSy3Gf8x zFha8K{Nk96Xg7(z$IX=&HDPN}kcEnvPh!hGJ$#(cq}P{b&U2jF>%dE@oL&i)9l9*M z+ut|JRJ9K^FE1U4<^ir2IVlJ6F4Z5Y>6ztNmez6k;qCk5!vloVft63ioNQpu(4iE1 zFAOobdf;lYK1bwSMfD$Kmo%+vZxMvJ<~G;Y*B8?1wS|TCbzHTp6&7`dy$y|qNXc5* 
z=p`0aL#okz^lEGa2*mNSh%ZC+H7%;D9NTr0hq~UZn7BmyZ5-V|`{VVE$>C9KWo2~W z#4UIUUhRf>i9>;pOYVL_@~=H3A4F_c`c`UHgR3aomMj7@Ja%Db=EB?O$9khJF3_3C z#B;(mUsXF~IERVIk3=uMN?g+kfhrT}D zyW2(~@stcDMwrV79e+NUsBqVc1!W%b)S|^kKg4tVnzX!vhO|>MlAL6%)PT5han}ip zJwJ%8HA*<_;b8UU@ff@WJ3ndR{-x7qFH%;bhr3XZQh#mL%xa`g*!UB-?(X0-HGy+4 zF0KB(m?NjG^{-vEx#oH_`%(1BJPCKlm&z08}FtmR_k+uJ!TNN z+OxtchMQJ<%(DCdaY-8~N7x%8;Nr(~N(eF>#1_RmaAgp^RxqW4Q!%qXEx^_58DWaV zW^o8xFSY!1gzGgJEgvSkB)!}zt0UCPVYh?lfT~VAbV0OaQQm^8S`zVu`Du$ip*XC@ z)O>&6Rc3S=hRRdQ*K)doB&{uWz-tDcC=2q#?Lh?oQ1C7*nCfMl8&k3{?Boc59cZ5! z4O=q{UCoSC!&|0GW3kGN8jV-0RdU|^8qDq~7;8e8NwU$8&y_TIY0+5G&uvVtf!p}- z)V@451T!O?vO`&Y)xsCYe#`zbKn`q6Gmd15gsvv)RKvv}<-&ks3MUcmMycrPdcV z$7xk*fa|

    Y_%3ii<_9b*8gg#-z`%)Aqv|Ylbl0(*FlZ_b;y5J+d8ab@K4G-40 z16+r#_U3;Y+cU&#eYZ*IbjE;H?3ggPdhWbUJIY&gBbVUQOQP`SPkv=HmnF-ZtL{^R zc1Q+89@*^9$>pdJkQB|lFn9x~m@|4moI{GtzCQ>#L8Sx@OlP=lrm8FrDs?2Txu-^; zpk(DgK8YmVq5G8+PhyFMX_LtN9tFOJ82_k6ACzPe0$l%^lXtU;Tas(ykTzy5Siy(G zvAX(Nl?V}4~XHk*9MJ-EpeJc)0z5K2e-kGlqUAXY?83|5dH&>}~qqDaooN6-7 z0;sZi1`jad6d&vAToyaFlup*PeG&q(0(ErW=4TegA(l{p_b#Phh@Lx`k=lbIM!%(O zlfoK}X@_ONT8^{RtPkHlTd~vIpQjScD$>K?+g+Em25W!5C?Hn_0MgzQv0h;H)jac5 zUBmr%Yz~viOuEMtu2gDq`@z3C?t}jNdQAYyuXw|z*RG@G+v)6 zV9n%q37C5Y3u!WB!^+42_b58_VU`@rVkW7H|%s~W!L=9V33 z_Kh>EYaI0&;-oyMGU|-g1u=tlB0fHh!6H2eARn>M>`Tl{(U@YJ+Hj z399lVMGYp;XErbVXD-_{vzS>XsFk}??2Y%E-WSWvx)G=%#$Q&^>twepNsFW5y1p$d z&*Ntv^*Q7^D$8r*^Nm|=p(0^rQlA7?<}1YIN34N`G$`Z?#5F}I#gMT$Ym1Cc@W^OE zcoq84^MLh(w=8P}I(Ldt5?%#&eOYJlly+>_cR;ATK}c)~?0~b=RApydThrNBc2=S% zr8*T?6Idk^659jomDKeHt`+1#mO{GsExV1`AljofXv}5ReCWd~_XKYYVNNf*m z!Yg@35VJ&`J-ztvNyXl))9GYFt7EaeXAf)8|5BBna-Q4uha@kEbGann(^Q(*LWSl!yx&<}5GJti?HqaiUlFUz< z#otGEqcW*8&}6*XQCFJvj7FsUyYWE>xoIb6%CWo5Ol)1dc?RMq?ZtpycX>Bksg|3` zWymUNk3h>(xXUaoT>#l*U93hX#`om?0+vHKb>#zFSXCFMq{k!n3U}3+I?3uWgX?35 zj#F!3Nq4C5#bPv2h=?q&jNkgE4aAzl9kw3^po)3R_8p{Jx;(;WSTlm|NhN@cXMJvF zEZQ=vV^=rR1lUv(sz!egb-zoQI}^5{7@T#Gcj4`lTzyr`_bwrjNTl5%4o z(oQ{yx)`-v8UN*O+tW|zH!un;Z2;G6rEe+9jo4q&q_P^+d7TgJAzX2 ztybDE>OgI+y@lv$BuT!V<@E!~)c-AKc+AS9`jE)pE&FgR6C6Y0Ul< zH{GcDrzEchHCA-JvLS7}&>_w`5xxzKNhB@hQLtv*_BhB(jUGmT84za6COwOgLYm@+Ie%UGw0Doj7B2| z7L7)`dW}rtlIGZxiA2KpLB*3K&^|g(eloQ-r$o4wQ#g1i3L1@^=nCl|C27gRPSp1( zmaDE~Z5^}s9u4$CDGFC(Qe<(QzR~fmU#{JKx3lA1B+_p1MkhW=3Rf3$Li~SgG|?P{ zf~WnB3ZIHl#!ygxVmXO;p1@sNT77P)ByMgZlQ=S;jMsGRmUOY!h?;Wyz=})^f+DST zqvG!+k3K}79hPIE)$&j4rh!y4-#2c(+sYH%{qWZ0pxFYUp%8o?h>@v_ zig*`$Gq896rM>y?o3FIHZyvrFpWi*=Hh`Q+l$gB1e9?(5<|z<>H4(cQ^-q{3C<6vpy0{8nGU-^UY)o}QjWB7R^#<{>ApDj&wh97tL!Nt)?uao`RT zG|%g(#@}PpjS8DcK+H)BH1Pke72YD958j^~D#z+LsunyPN~@V!0xTBmlkxFn%?Up0 z(~$mch{^h+I{>Q$#7b6LpQ<8$dXLD~sDNWt&@ursMu2OqA@eX-29(cKwvpwfpr{0C z2_mx9iG{D@dC|fpF^D!Z0d&M5)FmAsx!H=?iI!aUGLk-{F?{w329^K{u7t-ZOJmtX 
zqyF>Pzwq&<{^5(G{tEuU-+l~x@jFfa*7uC@JRzeO=;*ydg|Hy^c}ihNT0SjW@66o7 zNRsGQGF*}u2C#flTBfBEi0*TJ%Rst#&_9|F%qS=>r>?+69A|P&qT{XykJ)p@D&7-K zTnADa^R42ETSaziasUN*j`FNyw78I>knvle+uq;o$zQ*C^5WMoezZ5$AqdQ&yN||| zlX!ie=!Ii3*9dfhTeQeqAI%Zt;}3@*H|{>BkpYrdY3i+uoH~|B!4>jm z!%jDR+7_=yZT;=R)F|AMYV2%C?>p8`qjR0J7jOMIJb>qK%LFUf8od!2-#B?QkC8}{ zdhAuWMzs2-Au(JV!gBaU0wsShB(G;_0 zLjL;d9$cj=xK@$MPWbf1ktE>(p(IIva#f`^UQk9Or9~xCIc<7jac%;xF&a5;<6=s? zm5iW`dx^;```@EVti$>vr!2S49zjo7IqidMx9|TvIlMA7B)P(v6M$DPPL^`%@$7D+_lP=axhWh5)wTOX%w+i2(Z@Z&P<3pT$gQb&dn`NTn$0gjy@duFadYTP$aN^ zeP==~i1wz6oq0oc9^ohu>i5tj{|z#x261#uG+m2U@e6a5iPuYN;Ydg z@Dc0o?6ByY?@2%-6d(YX&E#_XS(GVU)49mqT6F#7CqKN?da815d@!cgQE<)fFg$s- zCYO&jqnJoE3RJp%uRVcG|t8*zit0cv_H5z zgO?`5IF7emRs%Cn1(Rq5J17W3&USJP#H5UH3qfj_wGP$AVQHWp22wKDq`iPnfYT9rJXYn~MFsb^X3X@zhyA#~g4* z`=L6C4#vSLU`pZrgm3m)uCm1yg1IO97|cEQ_)^@rI6CZb@n==}?jbB!#hnxCZiNVL z8(pi`UoIs6(v6lHt1v7|H$;ssCb)Wij}=3@id7Lm1+mmgOR-=65t|$5T?@}sW4PP5 zu&Y@bVhB*D`N~Kx<#AyLGo!;2R=P6&URR2p5ylo&;>8{i0t-s-Qzi?#*e1HyRCPRtNY@vZkGs}RvpRO*UC@0Lh+>W`kI?l$4N=bdbuvfR0XOK=dx^!I}}ko z@a&@>$)&0@_vqsIB34(aBp+p<|3M;tuC*W1Gc-An7x1NFI$1ubE88?d>Anw-&!g#`7*M$HIYa%~~nzTDZ_V9NOc=v{u;lvHTW?9WIQipy(Xp z#Iw-lS!GYoQ9Z#IwU{PWq=vF7j5+eOqcZkQfQjLTNkwqeK2UV}N7KoJDc-u)R>vxJ z^?9rN_q|A$+2zfnLqz=lGsauqu}N2&fDv{_$_nXo(2qPm96wRctTg2qrb($>7BG>m z^?-5+=Q3Q8=4@w@mb9&FG45p0fXlKt`8qV*E7kyp#NA%STkzEmQd#5n;rv{Xt7n^_ z5~epIs;%{)!gu1u

      oiASo!Fl{s%Be~@xz-rp>_c)$-(C^qF)?wTgFhlOxrhu9` zC}r8!6Q~;C)5@?&YHaW<6X94!P^W_nh(4*@$SG~J8u5Vpk?}e6@YODPv@}+$Sh$xa zY+h1oGTx9w6i_OSTmOB=WBIr|dRRBJzp8d#=0fQLd)Xz`a{&J;}N+fas67jyX}>v@GE zPZR9(VSajf{OoZrD$82@HX6FawNJ4CRY#*Tc-~gdzLUwZg{hj%i2frpo~0Rre2`u3 zWoJ#q+w!19UHt6Ez~wv~MFIB^R>~@8pD%QIv4rxIM=>>c+SJA9Dq(BNS(fA0B(1D? z3E_W?PfJlUURf)kWNp`(S>TtOk)RqVc$3}Lbqj{W^zx=Rmt((SH8~usymQkk)2h#mU~h4noc)ui*8s=59{g|Z#0^+iVRW-f~ehGx#T@* zeW&M0*|&Q)Ta5%y zA?-(PuxgZnH7=abd~SJTW!7`jQa?S3-Va!Y@=|8=vsK){@-Yyu%wimE_p_%a$W(q{ zdNDk!yS1dZd|ewlXTmWT^^&W_7-cIBvk=P~&HzH30k|OR!N_E4XraerWz@+F6gGIX zjIM042K-yl9}WvL01&jj2pQ4u`v;rd#6{UC5fyR)m6CEFU6rU}Efye(L^H{F-?8?G z@F1`*FB@jwu2(rv2oKVrr{XFr^1^Hn^t_IP=efF!4{5>zViLB2f#|pG+EPE-Vnt6R z$OkkT+Mi|eIWCOPQhSCwmUghrft8IR8>1_uXcX5xyesj0<9oX$WJInW5eR-LMAku2VG3MX;Z_P?5#Z&bO4w4=v zX$4_Y6ihgdC@XNx&Bt~PgsEKqs^CTT@hB%4*r67ql6X4eXIqCQ$TErI+#KYmy zXy)3CdsW>lJD!>x10K-?GW`N(Vq8nb#0W7q7P+y0bCpP?p547Wv=`%lh@n=7K4Il- zck6Bt;`h?gkQPu2UCT{;p5cC%wK5}=1@+|&n2@lEP&nMLkeq>5_}G(G64&#Dq&3%5!GQruoF!mj^6S4M`+NM; zztNw$tDBcvSR0?4OOms9sG+Q~(e*1~0BgVx^(E3NcYB-RI6v4s(^waxFbu2x28p87 zO{$h#d#w@s{zGDo5F!YFEFnQ6{IEoVL>f}HBuEg1AjH1!q?nE=t)f)KQVps_GGZs* z_e?iST}xXf_c^C$&dl_7Zu|B-=R0Sn-=L2C0AB!xL=@LR+~I^0brs_#H01ayz*c7r z9jng=RRxIXgP@4$Xxa8s*+hi3>m**etf`EgGhV&YmhE^?+l-zMzzC&11}NgnUZ@3u zVj#-sRSjA&fN{dveL$|^x?~zAgvED2bk4NjTL>XMdi3n^Gx`l^R!}OhKu0@wBZIv_ zwO24!410KX06%x<%1w-IFT4;Y%yWC(_Uh7aa9QN*T3PHq8U6CeRFjmi zvbg{1flZ+;`dX;QSf)>*D;^Y7n{|XKi{ODk18q^gh73U)^ zSBBB)X|x^T+qOoKVNL-82!*TNfbf%r9b@Gxfn73MFu_F-yaD6`;Y7D?Sa1Be6+_1w z3v{LO5?yHosogZNJG8|x7FVOvUdeg>AP@1e81$b_w6-zpT)=@S>;){cpev^r>kh|Q zwBz`C4M&gWu!U_e`dlr9DY8HeN*NpxB0q-kuv-z%l)lwy4vaYHH5TOcD6o7L23XrT zsVS@$_DVQ`9GkoN@>9yOY=UnA zG|7ZFWFZh0nob_yaoiB}seKB{=Ci08I%wNs?xu|cCn2~RxQx>S1SM)oE@zvHmn)(V z=J)FY;$F_l-Y17?!DhV%3|TUMeEZ3>XO5=4fTw>1sGy357*%X$%S$sI-*L%|e!ZI2 zuJsRSnjHF!TD+(~q@4tDLB+qr+eGaHbeftHU zzD3)yZ{M+FC&qTre>Lq^9*@*b3{ICy8Rqm<(a>VdRnhB>b*iUQBMsGSRR5AX-(WNv zYYR}RgBPm5s_lsl$BvyL@BTI?7Yn~B;|5W_Ot}WQ;Y%yaw3SPjFWdrQ`{Nwh 
zuWg9!-nMP|(gduoBwS%#fY(dVcX=^v!=blL*fxPITsUFdsZ$3J_U_$#Se)L&dXHhj zB@#=lju{rqEQ+N!=o#mDlK02o|2>YLD9E^lmaA&9*w^%(Fn#LOE?rE8g@uD-Y~K7a zEra6}#t|!DW5V{|XY<~j+xNVVQ%Nhi;4+rD1xvs+6yFE?@)7O7+OubSOMNEY{xS`! zTDq;7;%L*!VDJNl1Qj*P6peC|0hm)T5WmR0I-R6bHNA1sw% zaP#h++bciu`Ft*q+wDo>@?;QSe3^4Rz9$}+i?zyoYSzw}QwTe?Z?QRwOodiW(5ND( zqIkX71`H{1T}eUy9^NZyQM^BiqWG4`SjuR%bCImiW6nKsbge?WG1f)Pf&NdKM=<31yc3r%2 zx-wPmTO6JIfp8dBCxt>33l-_vvuEMw5I0FuRw8LoSV35lWGNDe1im5i0|Gyd6w}pB zGlQJsn=M4k7*4@Ow#|6u+`=~mS<$^v*T&5Y{>)QqVA*0TGN|4ww9l}tdcl zj*9LS)+Pso^o^h}R6`jELF8x@nRpeMC>k(Lf(@d8zUXzci4ssWzX`g+u-x>PP;t|D z!b;X~=PVIAgZRGs8aLPfzN)S4HaJSMOe;hCD|{dLK(y4b1Oe5k{|9gcq~XsAL90R2 z6>?HfpAU+9p4OyGsKa+qfL9J;=Fg5Pt2VXJ2O znfwOk#q!JhiS#r=nt5t9lyn?qkAfQoSLp{ zd(Rs&Z{CQS0L4$zJT?Es)A_WVkv!DMk#%*yqiR+A6nMaJg=9r0=w7ctR7^P(7EPV9 z#@@}+suk`iUarhHBBC~N>GdWn+<9HULQXiufNy*jt`7} z)vBs=i9(V#1eGH)=5so=v2C%pYEY)UEh z{vEDJCm=RW%A=r(WR-zj@QiF{M%G{QmWkt~zveJH?d5{dvYxC8RjPYaCYL z19SMIMxMzbRSo(Jr!H7&sgm!}G@xs>CvGvu^i-Z#r&I|s%2!=!>*NoyQ)O=&3WdWe z9N#v!HI{!NtdXwHylPK4BjI#wb_%aY9Hl+%VhI)~t8xXZZFVc%>T@+8%gH0fRfJ#>-2%B1Z zX%)Px7rx4$jY_bMtb4;*!df*ms}4k zQdm$ezQ*Ii@4-^Oq2&(da^0Xi&qd@KDOOTV5Zx8%mD5gZE3BNX z_zC*kAN}J;D%6QzTE1Xp^zK)`+1ZlTDPg!OqxU}`tr0ujljxMZ^$sb%bL&6oj)S_j z-|Bo3{x>?x-}Cu6gLUO zf1Ep{zrIf4UD^M-Nv_+$Tu1ME@9|GQ`SO!JJwEh$?>#}halW|Ro=MghtKZ3^P4;W z5_|lIR|kv;KKtS2(W5!n8P(A1($daS7jjDPE{QNnTv=VHX4AAkH1_368NoW}C*uBH z#=lmo>n{OAt-yT~o1mY*vU5N*<@kM=9Y$afNa3%z1K*Hak3=MD*_7DTg#oZywHWQ$ zQLj*5tYq^USRZ<_?}L(lKV8vd#HAJl#D>CkJ}H!1#2 zcdi`a8ZDMI&qu5ubFrB0@#G4R+UZ&)t7^j2ZAKs+oyJTQdDf{$=W)^#A6*MCyh-VY zWFBj})m7ufM_m_Pt{Y*wzO%EA&UV@sNSYfE-XC6VNUZ$1r9a})qbnRn!BvQ6s@l^L zM~UTD7E0-iA?&U@BHg*_htmhZC?mP9JEXUHM-x`N2EH7_= zHPm?B;LAHSH#eyDp;c$J{(f@{K6>DKWVl)lPnagKcuU1dPj^6-XW;1MHu-Oj-L$i- z*C7Jxij+gimJW-1ZhZAa(hsO*(w4D>X@UC3&#vpea((Ej+iudujKg$)IN+lx4&p

      LwN}{DV4~m1r+l$rNX@8Em-r2hgr`!lVrw zRBywAEv(qz)irPfTmAUq=kSShHNT7=EYmZ(T=`ECZoK{ut`G+)9Wv$nLn~>`2(Cx{ zOgUV$zDZw0+iCSO3oFq=tu$*G`tJT@=s*p8B5r%+Vrh!7>JD)eaOLlgl_|fFLsJA{ zi(u95?)n;%>#g8=bA97Cu2>z1T4|=ZIkX~H4p~?c|NeJ>#N;yL{osmeYw~&|^kAJU zVhZ-my1qYcVzhO*@L=M3p76p;=#XRErrCsWmOh}yL2*P|!n1tOGbryLwdao*lIwfq z%GY)`oS@n{=iD65$G-pkQGdiZHp9%L^U$C!Btx&PxwVpN2orNA1h6JP0fc{OL(|lr zrD>W)3DG!FHuu=J?`x16PU$^=#8CTTa@``=j!Wik=Rwc&q6xS@e)Gd&f5gOc#_yai z^wd%@+JjAu<_gKxmP@OtBdVaOi1CyvxZ-3ctmZr7RUV8HshaN#o{x?bS5|*^>Kg7( zIYu+o^5P=ix}O@qeFgrA@a0+$$(7@kFW$KM=Ev_mCGS&t=c%Xo%hSUtUi#8~=kC$N zX;;_gqSb1N%#E?o76tRPiD}xx(m_EUajaCjG*c^&7jj8zER^uNWLF65ju*=-%kzwI z7&7*Ca661&c9ECR{n?M+FXZrHf7jTNFUkLLmGR*%xeSHm%3~{+t4H2@=x$tn^w1Lz z9njr)JL%Ck-Stm@26dj^I5b?JT%Lt12p7pZhHE^m`wyKb>KLPrFA!tGqUxtB%M;^C znCdBqU)xjmC&H`&Z&pJ13h7`JGPkf|>psn^>utK>V!VDnoe2F|kYo&6cKlKt_u8cM9y!g<0PC-Y@d9Bfz>%7TgBplXq zHf1zzh9Pj=usxw=XUe(Lbrj*Pkqez2BuZzItOxHMlQxd>UHY+&y`&TA4_O zBzqybMklhGrxR<_&0dd&!n#sQVUXI=qyWbnwNF&{6M)54n9p0h>p=+a(PU&wo0`EY zd&%_#%`Ikl^BB3Ns-cE!tXQ38;>xAnwj0g-YAjT%$BgRH-n5Px(H2^1xzPXCtT-;$qN^&Cu9$|o3SfT8 zlvZ+)FkCO*zA09o5>0GJcH4D#DNL=JGPjmBJS5b*OLD0;5K|{!+p|*1YKFiryoJ0y z2CnUD*~LP%ANwZgd~=;!R)wuwraH;^t2L|w!uqDjMt`kH#BN(WE4uk zHY^vvA;*_GGRPUoft7 z%k%^1b#rEZH5z<$t*Olhq@#sLtDK!v3@>V`Wsw|oaPr1+)-jFrV)B%@{vY;DSLex9 zc(y6B#dz>)T*b>-pU+tGN^Il|6;JXU?X+|q#c_@a>zc)}ORilh)7K0eQ6tYZwMs5j zq)FC6HHDE{KHL6SCY36xq1z~OW0+buvS`G<}PmwFb=xXrt8kxSPk}ESmT6X%Z ztzwke^o+`EVM8|^oOe8S*q^j-x>#HzYpTHdgfOqG)?y*fx~w^pT+@qZZ$6cP{nz{wR{9Z@O_$#)#bUJmvNErzQbw#cA!_mXS;gOW?G?S`9KOa`BcnE3(L zww|h;{p$MHnHts4EI(z}fu~h-ms}(7Pr1U9T=Of5z{6`P)pTThN94=HV_qAd!>wFC zxUwo|*Uu~_{u9^H{{h$N+Uy?J-~!XwYd90>C?10!W@&tgzF}o*tay_f1Pd z+a~3MYqPv}#pe&f#Bl6}54h{51w2Y@UI35MobmX@=6aP}b)8(X9S&TJHN2M9_C{$a z4zGv7W?V+Ch0sk8i6-SDb5(NJG(pRhI;}#2_E@i_eFu4L+D%t-!}k61A}15hjy8%F z8%zveXs(58v-@1f0{2*|fr5Kxu`>%pwY*Bjic17H4ZrT<$cFI7wjy`br z6Hgp&Mm=Rc5L)-$f5*K_hij?BRTrrnL8xLMNv?E{2uu+~3KJiNS8a`&fXdT_t-rB|PN>eXZP$g7VW(W}AY$MvkYx_arJm+w<#_I1kG 
z=Nb(>6KMz~v&Gm*mm@*1Ev3~x&Hj_rJ*BDaQmJ}lwJcks|IN*&8K0e5SSoaFzMu?% z>-~@a@Xa5$JwF7x^ZDm*d;ZRjzeK#4?}6**-YaKp<; zr7~)^w6I#t#p1o&VrMa6X(@xE+4OQ^09@~T>6_bkeuv<9hBxZ>f$Jv3Ur>;B<(@kZ zaczd<3THDR46QUB#P#!8L1#i&2n48vXv)WNY90|XMph=jw6HQh*6W~6ET;{uuqO8G zcB(WT={Hw?;ww8aqgX$vtwF0}%SjKL-w$!sb=?ia)sS2PHWXI}E+T@5W2XndH3(jO z*wPw6yIM>}mEQJ&^BEh(%{+^tT5@g>T%X^@ix1f+ZVX&>)7vE1?T$ZUybP{-T@N`A zr#QC5a>Y`t3tg%mR&||Yn`~`F7*d(+0=po4Pz){FtaV~(oi_Pcr0?@^hwJ9Xfss0R z$Gy#Ua>et;9@nDex*M8nqZh7pF9fSzgy^$?cnWPfwvDRbg<>+&%Y`DCiCeqU(^jNr z3QGUEUfI4$^Tdv?=$UZkx5eizxZK~_D_62gHGAO7rT{ro8_m#aIOOUIj&r)t;>InI zEsw=}xB#f4q0i66=Q6EyE!y{e(>+(Vw>I|Fae0r^qs`q~i401~SRtp<2@{4e(wTpX%Y8o%_AWKUbj>Cn|*&#x>8?yj$~uv|TVD)9WeoXw;%nT%#xsZ8o0WKf-7EQluXY!l&e zin${i4L4Kig5k|O zp6FV1fa^xT=3(iPx&81nub;VIKwP35A8t0dY#Iw=!Er=E!&BX{)WGVd=)QF!916oo zUU)NJt}QI#<_Av*+b7pnod?=_3oa5Ndx6-f?Rry~j>Xo1Q@9m6-4;uz7KW$k+9gt3s~bp2}xl zzIS9;boJV-Rqt>ORWE@!4o)F0i!bh{B8l~Y=fC)cf^;);4icB=EF6IhR^yvty|4X$lHjXINl zD?V1dk<~260ah5y!(v{mg!^%dt*Pw&Bv)fK(jctMUWY|pk-6dHzX>cuSN@i?qi#yVVipCr@|u8bfK z7gwyAhF&LEJzpCOezDbRHNdrPrLiCBzm&xE%w&q$eB0w?T6#zu-MNocyJ34iM!GeX z>pRy?i0kX{a7Al|=Ew`C%-~uyo_2MnH<78y45*zhl7u5J^5l;2Jke^K>BTuERD#{b z&!4YD>bTP7DnosJ;YtnF`ig$Kltr$($$q-vU6yFIxZLTYGN6h?Wo)ISAqij`hK=x| zAIj81K`>F6CRP|n*J@F4eGBVr-?(m2+rz|lyB}PcE*mbc zQ5mHV;zVX;R}vxe>x;6%&W1x^ekFR# zU0-s%_KB;!dvX)=@GT=lqsYXR(cpHt-ps6y1(%sjX{cAC6T7YrYK4_xm+-fgzVnXA zgs}sQt)RgUT!pTqVSDthFQ4C$;e$SL-C7?quFACJ%9|ODN-lW&{JCn;wV+{|Rvst* z!HD-nq>-ed-KH*yrq@I-Cur;^DDXbC*CxC zT(5qPSZW(wo3MC^hH$l25r>yIfx7Z)tigy|wrRn9Uc=F~J^ZhXQam3y);X(jgrwta}F9+o` z!IE#k?g+yW__11=3qI+jJx6jC`Q=|E*Ui%(uMZ3@SA^U&0io*84|9Kx^5oi-+w@=} z<2cQxk)O#8EKpp-3acAfGE99k=%~X>ZCyDL>sD%hkL&uy;i}~3XNAxief5o*5F6b1 zRa`3yu9o98OwUix3~G(#PoS=Ii`Qsr!A3)KRfhiA^OO4ZXK>ww)-TRHERQapBX<~9 zDNLv#fHIVD7@s>LQv%lP!?@4wk5*9$aWd1=1p zIlH`ILujkfP}VD@S&y+-c7~h2S}hOex|JxRU7aPKblIp95oJo>wLAek{n1`Os=Z!O0#4Ott64aa#M13cCli7 z`rVJ(U(G1{6*ef&ZhWd;A2Uc}vJ zMVVDJ1*5*&Ofs;J{Ti~iXmS?Dr{Dhgh0N0-O?q+0>&V<%2Jv25Q-pUrx~6n 
z&Dwa|IWEq>p6mCoj>tr#ZdHQo*pKCUamFilPLoK&^4|--{UMVy(dqfLh9d{W zeX;4eaDyo40(_TF;dU-^MKs?E3?(X8=OtI}o4)?)B92%53!uGRr_2-wY$&h=xp{&F zV^1igfoH(dV!1FE?bk}ny->#0A#e@O7SDZ7u1<&RMI5hm0_T8*OrI-kC`GQWWmD35 zOULe{4w)vV zzyFSdy7hE)@2%a>cFW&FNW9dwEy;#mVfj&OCDowIhg6+vVfU#{U7K01txc4Ry=puW zv==I8yIh+Y9JK=*JCWJj<9hp7|$CFCBlx!)JoDK~o3IGVSmt zwDGwz7Foj(rfmyBunx|a$RQZ;mdN+6$?El3U??$#S)b!Ivl`el53Xi?c(}q#@yhM} z(3KBA9MZ;_}mWnM9R<7_D#4VSwFBTn{x-ObsxsV|h+8WU{CTnBC z*=}lH>;3nj$ZG5K zb(6+mZ0V!V&)>Ml;b+B^j?hs)gq!MmX?gqTnyPsX2i1a(1<~e^s_Rs}7ilxOV6Fm- zxD$q}GCfJI=CE+Rw7HODs`G%S#H`O*Lpavup>CYb>r;0Zf*2I*bo9N zU1_9`-jM-|jjcTEpdtv(>phaK&1W+VQ%JW8DQP_0iv(IO0%N|KXqX|navrXmN9N%- z&ZKUQ>nrAAGFU%lZT+_AXG*Te^=OcWgGnw`?X?~)9?O*%t64Q;aAPd*g5YycV4G?v zuDafxhn2wbO5b|Z{u|c^&YbJk)~RBZCphe$ep~+?T#r^>m$X*h;WUbRwBBp^m1rVY ztj#aw^BGOk4Az$kY{jq_3oZD41^Xu0@+Yr}v8@E}hdB@b{rvjCnbg7X{Q5T5S8~Ov zg!|Z25f3<9@Q>Qw-rm~U`3&dRqgJ4**|f>kwsD_D?B7^wC354}udmKjN>p|--RZ@1&lX8JT+bU@J&2jx$@?lAO3LE9E@8h&24Z~ zi?gRz{dZke^ukLdbK_FQ>%C}Y<$6GEBjaM=YB@Z=F3tr9lbKf5tzj9jkCH0~EDoA) zKlAzvr>@suc=U~1jw_rfX{<2tO<1p}|HUisK$t&rqM}C?4-Wad%pZYkh&bXzMu4lZ zhGo2VxB~3v_S-K#gnNu0+}Cs6$G_2YcRY9>p6-3_!TavJV*wlgMCd2T7*D4i<46Lk!>2TFb z!S@i)8=|2*dv!2!D@v|!oF!NMWWlsxXRut^g_Ra9SrWsmg{nga7L}7$LvpRB=5tD5 zEE(PfChLbg^@tmL{jX=vbsbzs1}fI_BLHi$HVppj)$!rE9-k+%g;{~UI#Wc!+u;a{ zK$<3uZnfdzinVnMr_Digr3GDu8BWV$Cbf+Jh2hn#}UKbOp+_>!oMe1 z+R2_d*FW1kpPxp`IE+(DX^4lGt#M2Au$87nXFW&ZKypT{PZ__p;PBOPJagAI}aQ(f- z^}q{U_e=ZWI(g-P)zNP<;VQP#Hbk0DqOXNj*K9U)k7S82x2OKg`%#;k*^Lv zn9>PXUk|zN6Kth7TsbI?vh0B@3#tf=iajuog>Ohx6FO_&=`MUjCbpwZ!Fjl?Mt*=F z%z$gl8aApbSfEhQmX)n&e(Mr5m)$$A@c@=!;W?DWakf_o3&~Z->5n$ogX_*!TEiO0 zCf(|=)SXvuZmEOnBhr(f|+vXa&_0M#AKEY?9)XuA?Me@c9ezt1!m&${C#k(9}c*-z`nWGEK9DK z#UlAXnoD1v*MRe!dYYyOv_7t?ZuXh(XXv^o1mH$C1Gj$N8*u%*kIlzL11GC>9X?1n zq=;gj{+=|(qgVrL3RW}2^AI>w=f>+vhy5x4q48*;+m92E@y;EOSZJwa`$T>z@Oz&-QIGncrG0a!Xq%x~(r{ z(i2zJ82i|_R?EOja}ui=+n#V^%$AD_SQi~1H}uH&!{CY(3UWR44%Z$RQDQTgi^Q8% zj984S5Uic7hYRpm8@>v({?MaX)2M2;hMj&>ahYGjHUFxR>3yht$-09l@p?GmdMZEL 
zVihYrmLV)df>onQm^Jw?yEz_3ozUr~%+liygi%GE&{21FLYwp%W1R;y!>x9htNuOb zS~~C!SC|cKuSJ{a<6vcLXaK9=AOdW-b}lz)ef|XN`U*n`A#0{s5hRzm+#;xITqi3F zdfQ8`N94NSbFTZq>J_d-qtZn}d)mNCaXVcZWmYhP+D#{JU(&pXb-3ZKY09HkLg(gE zG{-TMyHOLI_7Jb-CYF*1T+iubVf=EB=A{iqQ+Uwx*i>lM6w7^|z6|p`*3I96y8*IF z09L5nc8z2G(A}aVO(+z3RF$c%B70@CVUb7qc4yx zJJ!wobhv4l5-Wu0i){s57L8}UaD10hW|7PRSErEuW#OKIO*`4$@l=~_YM212VMgtv z^(Df65kF{nB9z{Ka8Jc}iPk|{Svp?F*VY3r7n5^zDOQAKl*4q#q>bUVwx#I8XitAVh*OANO>SP`>_hVO@oqY(+-E5_+hcxvn7_y zIX*Uvgh`YTR`(!$s<$O9t4ilf2sdsNmT&R~5}E=P*`*@r8m6Whir!7Z4<4+5*N_6P z%`h@}J`I_FsF=b+#L>U)Nw}NkgFXoMR60R%%^E^UFH@)?~cGS>tRG8z9lgQnt2Sc{fj7 z4~bRYORhqv8Lr$w0${^RW!K$r46?LO+yYhsu<8N|6?=)R z`*xUIffW{N5TDAy89KyU`>N96KK+}fT3jvd92HyrXxp09B!;3QBNQzi2$KZ$H#&_X z5XGP~m!p&u$rntSKa!$n+c9ULtn(q^xE?f3vv+NAT}=%2E7#x~8;DonlvqprwlmT0 zmk!94<@f5R@mf{Rktj>Bnt)i@94fcCRvDo}Fd8Xb1(689s|Bf{bR*dk2(BfdA%<{| z9!(ayOCjM3BEnV9kQ5a5AAXjr$NE=iu1Da?IHb<^Tf=o7TzzS9buWe?1gxiGa6T)g zTeTkzR7p}*4MStR3N?(4g*WFXM!U@ku<@KsE`&w0_lKV0S})-@?=!9~M+}Hh=g()} zI>bU=3xp z&}OHezhJdXW&ZKgHmTj+ovk!X6%)5Fwl_3-e>+NJY#v=KN-z69=X%uUT6yW~jdQiQ zxVUk5adCO^?%m~;u_4MoaXSB}#_Y=6>u|G)pJ+tdVh z3w+Q;_nTnuWNT)z0j|>Vw!gVnN@Rq`U&i_oqGnuILol?Nn zj$u2!-?`Q+(j>D~dl_?=>#EVjW=d<2D;KKZC-1vB*N5)8`YtnGffcIM_O35i-~F9f zvz4rC70Y3|#Qg`Z-iX&qsl~OvhcWK;6tEV;f?RD~7vTaIANxFBCpYToUE5rzhOVXH z{g;fW7Ur&4KeWR!R+{Yhc%5w3+PT(T16wiGwshN&2{|cFal9X|L5Ftut~5+OAlEzB zvK?k#y{g$Zx>j)2BH6^hoGS5NygG4R9G6_L?YIefl!dTSHBDXTo^O;h*XOzRU%aB0 zovg`nO}S#ol#E+dO{P&ANRP$L)vNJ3+vWTfmC5L(cpb;XGV9sa*Qkb*bPwx?c-?p-IN*9tX6|+@EHq&$Pr(((z;|&T^-8(k z8gPB_@-JnRssW=ITPQ_F>rcQs;M(Vcz0_)icB{zV5t>$QCRs_pPq<<{JQz2fF=B%6 zg|2I+sTtL>0XMj8=$xzwk8#}?a6PkYU4u`Jtzcu$JT6+{)H#(yMh0B_Lo!%ZQ8t9G zbI8~FD=>kT z6Py9pzLr0+yB29$!eDv+1}&PRg&knM46ctIxqdX@`a(2(Kb@Uch0M6KOpKW5WS)le zL@&8QZn++ua2?EFJDTA2d`e|XCeqmDm`Q1-vX0IZBa>Zly+N+~?zsB8=K5#%T>tO; z>OOxcor$T6w9VDZ_+Z-#R{CL4;K=pYF5=Z2T))01Tz!E=dJ{>@CXyhT%)@lth81;F zCxl!tAzrBg*Z=D21h2$c#5Of>Wd^;iAbVP!&Thdm*A3UcYlp7^SKn|by_=nm8ya_6 
z(Y2Okc9nr(WgFZtT&D(H{}HN~uSUYKifTMH(X~pKA;k(OvuR9k23-44K0l!D=96fE z8wL&jbxL`9{8Wvs$zUCD?Kh43CqgsZ*|q67b8Zl!ihwK|aLuP`GRwjs1FroepKqAi zoAXQS+ZjUTz?WP#a5W4Xg4nRtTkocJM9>rC;j83290&v^CIW5wd!|5369AeZ(baq* z6%DJFP*{{7!eZ@`9e2zg`~K;A=ObTX>%ulfT?V`cbFe>{RF z+1{l#H?z6i+Cn5w7e8t9#c2&yHo+C5OF0ciJi+zS;x*XKdQ))n$4}b&=#4Sy8mOo-#^?-yb zpsHxgV3~$Sk)BQ`u6+DV6R>pJnh5}lH@OBci|cES2QkL$uokJ;#((?hmQQj;WN7WT ztCA*oQ>9wwKJteABt=8|@M%ix{R$yFNERow5>9dyOD zeEewX?$ER6VG?_;&Cibfr=Smk2 zcRmD%%y=T#he0Q0&DRWF2!^d5pU!V?Ih0{?ZPIvvmO8o0aSf-BlefGv%?;EJ;qY&6`o!#{ovt|fAP zSGL2xrDWAh5`uFZGA$Qj|E|JQo>g4tZ!=W?J6EWJcy-6MUO6Dwpo{z*Iv9fMLuamd z4Y=gWJjoKhEK7A4{VOlV%ixsje9{tLl4;6?eU(0YDQT0q^&)DeaUHQnA3>=0i4)g1 z7TfXahAaD5`UA5ae${E8ZVz1PqE;Dq_6xr&{lXzvT*rAW`fYNR{)o}2s(VTCNMt&; zme2pRxtn%xspsMx%y{jHsv};VE?$1OUaH{Q+BoWQII(&eezL?he%FcXjXN8yCxMHd zxcY7`!rdR%?&x1#ah0!v`Z&1C^`@Wlg+kIZDird$?B@15OcF!41H;`gby)73ee(F- zmL5BeLVTaU@}zy~ho61!@W^8;PaZ#h>n&cq>@?2_t}K7}F2##)`W#p-<8i+_K_(|J~0?V;8-cUk{R*9^M_JaN3MsBU#dF7RlpjRH=9B~>wf6j|% zXYbrunG8C;VqRZaS-C^4e2#EEUpFRkY5U@!(=*1CIJx+BpTm=Q9}m3p+_fk)9OzVk Y0hymDP;*a@`~Uy|07*qoM6N<$f~~+8Hvj+t literal 0 HcmV?d00001 diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml index e632e168d..73ea968b6 100644 --- a/OCSF/ocsf/ingest/parser.yml +++ b/OCSF/ocsf/ingest/parser.yml @@ -1,4 +1,5 @@ name: ocsf +ignored_values: ["-"] pipeline: - name: parse_event external: @@ -13,7 +14,7 @@ pipeline: properties: input_field: "{{ parse_event.message.end_time_dt }}" output_field: datetime - filter: "{{ parse_event.message.end_time_dt != None and parse_event.message.end_time_dt != '' }}" + filter: "{{ parse_event.message.end_time_dt != null and parse_event.message.end_time_dt != '' }}" - name: parse_date_end_time external: 
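Review bot: The new top-level `ignored_values: ["-"]` option carries no explanation of why a literal dash is dropped before the pipeline runs, and nothing in the hunk says which producers emit it; a one-line comment above it such as `# "-" is the placeholder some OCSF sources emit for an absent value; treat it as unset` would keep the next maintainer from removing it as noise (the exact sources are an assumption to confirm against the test fixtures). The same `None` → `null` rewrite of the date filters is repeated in the hunks at -21, -29, -37, -45, -53, -61, -69, -77, -85, -93, -101, -109 and -117; since the filters still also test `!= ''`, the dash placeholder was presumably slipping through them before this change, which is worth stating in the CHANGELOG entry rather than leaving implicit.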
@@ -21,7 +22,7 @@ pipeline: properties: input_field: "{{ parse_event.message.end_time }}" output_field: datetime - filter: "{{ parse_event.message.end_time != None and parse_event.message.end_time != '' }}" + filter: "{{ parse_event.message.end_time != null and parse_event.message.end_time != '' }}" - name: parse_date_timestamp_from_time_dt external: @@ -29,7 +30,7 @@ pipeline: properties: input_field: "{{ parse_event.message.time_dt }}" output_field: datetime - filter: "{{ parse_event.message.time_dt != None and parse_event.message.time_dt != '' }}" + filter: "{{ parse_event.message.time_dt != null and parse_event.message.time_dt != '' }}" - name: parse_date_timestamp_from_time external: @@ -37,7 +38,7 @@ pipeline: properties: input_field: "{{ parse_event.message.time }}" output_field: datetime - filter: "{{ parse_event.message.time != None and parse_event.message.time != '' }}" + filter: "{{ parse_event.message.time != null and parse_event.message.time != '' }}" - name: parse_date_time_dt external: @@ -45,7 +46,7 @@ pipeline: properties: input_field: "{{ parse_event.message.time_dt }}" output_field: datetime - filter: "{{ parse_event.message.time_dt != None and parse_event.message.time_dt != '' }}" + filter: "{{ parse_event.message.time_dt != null and parse_event.message.time_dt != '' }}" - name: parse_date_time external: @@ -53,7 +54,7 @@ pipeline: properties: input_field: "{{ parse_event.message.time }}" output_field: datetime - filter: "{{ parse_event.message.time != None and parse_event.message.time != '' }}" + filter: "{{ parse_event.message.time != null and parse_event.message.time != '' }}" - name: parse_date_metadata_logged_time_dt external: 
@@ -61,7 +62,7 @@ pipeline: properties: input_field: "{{ parse_event.message.metadata.logged_time_dt }}" output_field: datetime - filter: "{{ parse_event.message.metadata.logged_time_dt != None and parse_event.message.metadata.logged_time_dt != '' }}" + filter: "{{ parse_event.message.metadata.logged_time_dt != null and parse_event.message.metadata.logged_time_dt != '' }}" - name: parse_date_metadata_logged_time external: @@ -69,7 +70,7 @@ pipeline: properties: input_field: "{{ parse_event.message.metadata.logged_time }}" output_field: datetime - filter: "{{ parse_event.message.metadata.logged_time != None and parse_event.message.metadata.logged_time != '' }}" + filter: "{{ parse_event.message.metadata.logged_time != null and parse_event.message.metadata.logged_time != '' }}" - name: parse_date_metadata_modified_time_dt external: @@ -77,7 +78,7 @@ pipeline: properties: input_field: "{{ parse_event.message.metadata.modified_time_dt }}" output_field: datetime - filter: "{{ parse_event.message.metadata.modified_time_dt != None and parse_event.message.metadata.modified_time_dt != '' }}" + filter: "{{ parse_event.message.metadata.modified_time_dt != null and parse_event.message.metadata.modified_time_dt != '' }}" - name: parse_date_metadata_modified_time external: @@ -85,7 +86,7 @@ pipeline: properties: input_field: "{{ parse_event.message.metadata.modified_time }}" output_field: datetime - filter: "{{ parse_event.message.metadata.modified_time != None and parse_event.message.metadata.modified_time != '' }}" + filter: "{{ parse_event.message.metadata.modified_time != null and parse_event.message.metadata.modified_time != '' }}" - name: parse_date_metadata_processed_time_dt external: 
@@ -93,7 +94,7 @@ pipeline: properties: input_field: "{{ parse_event.message.metadata.processed_time_dt }}" output_field: datetime - filter: "{{ parse_event.message.metadata.processed_time_dt != None and parse_event.message.metadata.processed_time_dt != '' }}" + filter: "{{ parse_event.message.metadata.processed_time_dt != null and parse_event.message.metadata.processed_time_dt != '' }}" - name: parse_date_metadata_processed_time external: @@ -101,7 +102,7 @@ pipeline: properties: input_field: "{{ parse_event.message.metadata.processed_time }}" output_field: datetime - filter: "{{ parse_event.message.metadata.processed_time != None and parse_event.message.metadata.processed_time != '' }}" + filter: "{{ parse_event.message.metadata.processed_time != null and parse_event.message.metadata.processed_time != '' }}" - name: parse_date_start_time_dt external: @@ -109,7 +110,7 @@ pipeline: properties: input_field: "{{ parse_event.message.start_time_dt }}" output_field: datetime - filter: "{{ parse_event.message.start_time_dt != None and parse_event.message.start_time_dt != '' }}" + filter: "{{ parse_event.message.start_time_dt != null and parse_event.message.start_time_dt != '' }}" - name: parse_date_start_time external: @@ -117,7 +118,7 @@ pipeline: properties: input_field: "{{ parse_event.message.start_time }}" output_field: datetime - filter: "{{ parse_event.message.start_time != None and parse_event.message.start_time != '' }}" + filter: "{{ parse_event.message.start_time != null and parse_event.message.start_time != '' }}" - name: set_event_kind - name: set_event_category 
@@ -127,77 +128,77 @@ pipeline: - name: pipeline_object_actor filter: - "{{ parse_event.message.class_uid != None and parse_event.message.class_uid - in [1001,1002,1003,1004,1005,1006,1007,3001,3002,3003,3004,3005,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,5001,5002,6001,6002,6003,6004] - and parse_event.message.actor != None }}" + "{{ parse_event.message.class_uid != null and parse_event.message.class_uid + in ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','5001','5002','6001','6002','6003','6004'] + and parse_event.message.actor != null }}" # - name: pipeline_object_attack - # filter: '{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,2001,4001,4002,4003,4005,4006,4007,4008,4009,4011,4012] and parse_event.message.attacks != None }}' + # filter: '{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,2001,4001,4002,4003,4005,4006,4007,4008,4009,4011,4012] and parse_event.message.attacks != null }}' - name: pipeline_object_network_connection_info - filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [4001,4002,4003,4005,4006,4007,4008] and parse_event.message.connection_info != None }}" + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in ['4001','4002','4003','4005','4006','4007','4008'] and parse_event.message.connection_info != null }}" - name: pipeline_object_device - filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,3001,3002,3003,3004,3005,4001,4002,4003,4004,4005,4006,4007,4008,4009,4011,4012,5001,5002,6001,6002,6004] and parse_event.message.device != None }}" + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in 
['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4011','4012','5001','5002','6001','6002','6004'] and parse_event.message.device != null }}" - name: pipeline_object_http_request - filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [3001,3002,4002,6003,6004] and parse_event.message.http_request != None }}" + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in ['3001','3002','4002','6003','6004'] and parse_event.message.http_request != null }}" - name: pipeline_object_malware - filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [2001,4001,4002,4003,4005,4006,4007,4008,4009,4011,4012] and parse_event.message.malware != None }}" + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in ['2001','4001','4002','4003','4005','4006','4007','4008','4009','4011','4012'] and parse_event.message.malware != null }}" - name: pipeline_object_network_endpoint - filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [3001,3002,3003,3005,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,6001,6003,6004] and parse_event.message.dst_endpoint != None or parse_event.message.src_endpoint != None }}" + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in ['3001','3002','3003','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','6001','6003','6004'] and parse_event.message.dst_endpoint != null or parse_event.message.src_endpoint != null }}" - name: pipeline_object_process - filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [1004,1007,2001] and parse_event.message.process != None }}" + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in ['1004','1007','2001'] and parse_event.message.process != null 
}}" - name: pipeline_object_proxy - filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [4001,4002,4003,4005,4006,4007,4008] and parse_event.message.proxy != None }}" + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in ['4001','4002','4003','4005','4006','4007','4008'] and parse_event.message.proxy != null }}" - name: pipeline_object_tls - filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [4001,4002,4003,4005,4006,4007,4008] and parse_event.message.tls != None }}" + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in ['4001','4002','4003','4005','4006','4007','4008'] and parse_event.message.tls != null }}" - name: pipeline_object_traffic - filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [4001,4002,4003,4005,4006,4007,4008] and parse_event.message.traffic != None }}" + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in ['4001','4002','4003','4005','4006','4007','4008'] and parse_event.message.traffic != null }}" - name: pipeline_object_user - filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [3001,3002,3003,3005,3006] and parse_event.message.user != None }}" + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in ['3001','3002','3003','3005','3006'] and parse_event.message.user != null }}" - name: pipeline_object_file - filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [1001,4006,4010,4011] }}" + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in ['1001','4006','4010','4011'] }}" - name: pipeline_object_system_activity_helper - filter: "{{ parse_event.message.class_uid != None and parse_event.message.class_uid in [1002,1005,1006] }}" + filter: "{{ parse_event.message.class_uid != null and 
parse_event.message.class_uid in ['1002','1005','1006'] }}" - name: pipeline_category_system_activity - filter: "{{ parse_event.message.category_uid != None and parse_event.message.category_uid == 1 }}" + filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == '1' }}" - name: pipeline_category_findings - filter: "{{ parse_event.message.category_uid != None and parse_event.message.category_uid == 2 }}" + filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == '2' }}" - name: pipeline_category_identity_and_access_management - filter: "{{ parse_event.message.category_uid != None and parse_event.message.category_uid == 3 }}" + filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == '3' }}" - name: pipeline_category_network_activity - filter: "{{ parse_event.message.category_uid != None and parse_event.message.category_uid == 4 }}" + filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == '4' }}" - name: pipeline_category_application_activity - filter: "{{ parse_event.message.category_uid != None and parse_event.message.category_uid == 6 }}" + filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == '6' }}" - name: pipeline_category_discovery - filter: "{{ parse_event.message.category_uid != None and parse_event.message.category_uid == 5 }}" + filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == '5' }}" stages: set_event_kind: actions: - set: event.kind: "event" - filter: "{{parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,3001,3002,3003,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,5001,5002,6001,6002,6003,6004]}}" + filter: "{{parse_event.message.class_uid in 
['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','5001','5002','6001','6002','6003','6004']}}" - set: event.kind: "alert" - filter: "{{parse_event.message.class_uid == 2001}}" + filter: "{{parse_event.message.class_uid == '2001'}}" set_event_category: actions: @@ -344,19 +345,19 @@ stages: - set: event.end: "{{parse_date_end_time_dt.datetime}}" - filter: "{{parse_date_end_time_dt.datetime != None}}" + filter: "{{parse_date_end_time_dt.datetime != null}}" - set: event.end: "{{parse_date_end_time.datetime}}" - filter: "{{parse_date_end_time.datetime != None}}" + filter: "{{parse_date_end_time.datetime != null}}" - set: event.start: "{{parse_date_start_time_dt.datetime}}" - filter: "{{parse_date_start_time_dt.datetime != None}}" + filter: "{{parse_date_start_time_dt.datetime != null}}" - set: event.start: "{{parse_date_start_time.datetime}}" - filter: "{{parse_date_start_time.datetime != None}}" + filter: "{{parse_date_start_time.datetime != null}}" - translate: dictionary: 
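Review bot: The `pipeline_object_network_endpoint` filter in this hunk still has an operator-precedence defect that the rewrite carried over: `... and parse_event.message.dst_endpoint != null or parse_event.message.src_endpoint != null` lets a bare `src_endpoint` enable the stage for any class_uid, because `or` binds looser than `and`; it should read `and (parse_event.message.dst_endpoint != null or parse_event.message.src_endpoint != null) }}"`. The commented-out `pipeline_object_attack` filter was updated to `null` but still lists unquoted integers `[1001,1002,...]`, so re-enabling it later would yield a filter that never matches now that every other stage compares quoted strings; either quote its values too or drop the dead line. Switching all `class_uid`/`category_uid` comparisons to string literals assumes those fields always reach the template as strings; if any intake delivers them as JSON integers the `in [...]` and `== '1'` tests will silently skip the stage, so a fixture with integer-valued `class_uid` would confirm the assumption. The `stages:` block this hunk enters continues beyond the hunk.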
@@ -370,486 +371,492 @@ stages: actions: - set: ocsf: "{{parse_event.message}}" - #process: "{{parse_event.message.process}}" pipeline_object_actor: actions: - set: - container.id: "{{ parse_event.message.parse_event.message.actor.process.container.uid }}" - container.image.name: "{{ parse_event.message.parse_event.message.actor.process.container.image.name }}" + container.id: "{{ parse_event.message.actor.process.container.uid }}" + container.image.name: "{{ parse_event.message.actor.process.container.image.name }}" - set: container.image.tag: - - "{{ parse_event.message.parse_event.message.actor.process.container.image.tag }}" - filter: "{{ parse_event.message.actor.process.container.image.tag != None }}" - - set: - container.labels: "{{ parse_event.message.parse_event.message.actor.process.container.image.labels }}" - orchestrator.type: "{{ parse_event.message.parse_event.message.actor.process.container.orchestrator }}" - container.name: "{{ parse_event.message.parse_event.message.actor.process.container.name }}" - container.runtime: "{{ parse_event.message.parse_event.message.actor.process.container.runtime }}" - file.accessed: "{{ parse_event.message.parse_event.message.actor.process.file.accessed_time }}" - file.created: "{{ parse_event.message.parse_event.message.actor.process.file.created_time }}" - file.directory: "{{ parse_event.message.parse_event.message.actor.process.file.parent_folder }}" - file.inode: "{{ parse_event.message.parse_event.message.actor.process.file.uid }}" - file.mime_type: "{{ parse_event.message.parse_event.message.actor.process.file.mime_type }}" - file.mtime: "{{ parse_event.message.parse_event.message.actor.process.file.modified_time }}" - file.name: "{{ parse_event.message.parse_event.message.actor.process.file.name }}" - file.owner: "{{ parse_event.message.parse_event.message.actor.process.file.owner.name }}" - file.path: "{{ parse_event.message.parse_event.message.actor.process.file.path }}" - file.size: "{{ 
parse_event.message.parse_event.message.actor.process.file.size }}" - file.type: "{{ parse_event.message.parse_event.message.actor.process.file.type }}" - file.uid: "{{ parse_event.message.parse_event.message.actor.process.file.owner.uid }}" - file.x509.issuer.distinguished_name: "{{ parse_event.message.parse_event.message.actor.process.file.signature.certificate.issuer }}" - file.x509.not_after: "{{ parse_event.message.parse_event.message.actor.process.file.signature.certificate.expiration_time }}" - file.x509.serial_number: "{{ parse_event.message.parse_event.message.actor.process.file.signature.certificate.serial_number }}" - file.x509.subject.distinguished_name: "{{ parse_event.message.parse_event.message.actor.process.file.signature.certificate.subject }}" - file.x509.version_number: "{{ parse_event.message.parse_event.message.actor.process.file.signature.certificate.version }}" - process.command_line: "{{ parse_event.message.parse_event.message.actor.process.cmd_line }}" - process.end: "{{ parse_event.message.parse_event.message.actor.process.terminated_time }}" + - "{{ parse_event.message.actor.process.container.image.tag }}" + filter: "{{ parse_event.message.actor.process.container.image.tag != null }}" + - set: + container.labels: "{{ parse_event.message.actor.process.container.image.labels }}" + orchestrator.type: "{{ parse_event.message.actor.process.container.orchestrator }}" + container.name: "{{ parse_event.message.actor.process.container.name }}" + container.runtime: "{{ parse_event.message.actor.process.container.runtime }}" + file.accessed: "{{ parse_event.message.actor.process.file.accessed_time }}" + file.created: "{{ parse_event.message.actor.process.file.created_time }}" + file.directory: "{{ parse_event.message.actor.process.file.parent_folder }}" + file.inode: "{{ parse_event.message.actor.process.file.uid }}" + file.mime_type: "{{ parse_event.message.actor.process.file.mime_type }}" + file.mtime: "{{ 
parse_event.message.actor.process.file.modified_time }}" + file.name: "{{ parse_event.message.actor.process.file.name }}" + file.owner: "{{ parse_event.message.actor.process.file.owner.name }}" + file.path: "{{ parse_event.message.actor.process.file.path }}" + file.size: "{{ parse_event.message.actor.process.file.size }}" + file.type: "{{ parse_event.message.actor.process.file.type }}" + file.uid: "{{ parse_event.message.actor.process.file.owner.uid }}" + file.x509.issuer.distinguished_name: "{{ parse_event.message.actor.process.file.signature.certificate.issuer }}" + file.x509.not_after: "{{ parse_event.message.actor.process.file.signature.certificate.expiration_time }}" + file.x509.serial_number: "{{ parse_event.message.actor.process.file.signature.certificate.serial_number }}" + file.x509.subject.distinguished_name: "{{ parse_event.message.actor.process.file.signature.certificate.subject }}" + file.x509.version_number: "{{ parse_event.message.actor.process.file.signature.certificate.version }}" + process.command_line: "{{ parse_event.message.actor.process.cmd_line }}" + process.end: "{{ parse_event.message.actor.process.terminated_time }}" - set: process.group.id: - - "{{ parse_event.message.parse_event.message.actor.process.egid }}" - filter: "{{ parse_event.message.actor.process.egid != None }}" + - "{{ parse_event.message.actor.process.egid }}" + filter: "{{ parse_event.message.actor.process.egid != null }}" - set: process.group.id: - - "{{ parse_event.message.parse_event.message.actor.process.group.uid }}" - filter: "{{ parse_event.message.actor.process.group.uid != None }}" - - set: - process.group.name: "{{ parse_event.message.parse_event.message.actor.process.group.name }}" - process.name: "{{ parse_event.message.parse_event.message.actor.process.name }}" - process.pid: "{{ parse_event.message.parse_event.message.actor.process.pid }}" - process.start: "{{ parse_event.message.parse_event.message.actor.process.created_time }}" - process.thread.id: "{{ 
parse_event.message.parse_event.message.actor.process.tid }}" - process.entity_id: "{{ parse_event.message.parse_event.message.actor.process.uid }}" - process.user.domain: "{{ parse_event.message.parse_event.message.actor.process.user.domain }}" - process.user.email: "{{ parse_event.message.parse_event.message.actor.process.user.email_addr }}" - process.user.full_name: "{{ parse_event.message.parse_event.message.actor.process.user.full_name }}" + - "{{ parse_event.message.actor.process.group.uid }}" + filter: "{{ parse_event.message.actor.process.group.uid != null }}" + - set: + process.group.name: "{{ parse_event.message.actor.process.group.name }}" + process.name: "{{ parse_event.message.actor.process.name }}" + process.pid: "{{ parse_event.message.actor.process.pid }}" + process.start: "{{ parse_event.message.actor.process.created_time }}" + process.thread.id: "{{ parse_event.message.actor.process.tid }}" + process.entity_id: "{{ parse_event.message.actor.process.uid }}" + process.user.domain: "{{ parse_event.message.actor.process.user.domain }}" + process.user.email: "{{ parse_event.message.actor.process.user.email_addr }}" + process.user.full_name: "{{ parse_event.message.actor.process.user.full_name }}" - set: process.user.id: - - "{{ parse_event.message.parse_event.message.actor.process.euid }}" - filter: "{{ parse_event.message.actor.process.euid != None }}" + - "{{ parse_event.message.actor.process.euid }}" + filter: "{{ parse_event.message.actor.process.euid != null }}" - set: process.user.id: - - "{{ parse_event.message.parse_event.message.actor.process.user.uid }}" - filter: "{{ parse_event.message.actor.process.user.uid != None }}" - - set: - process.user.name: "{{ parse_event.message.parse_event.message.actor.process.user.name }}" - user.domain: "{{ parse_event.message.parse_event.message.actor.user.domain }}" - user.email: "{{ parse_event.message.parse_event.message.actor.user.email_addr }}" - user.full_name: "{{ 
parse_event.message.parse_event.message.actor.user.full_name }}" - user.id: "{{ parse_event.message.parse_event.message.actor.user.uid }}" - user.name: "{{ parse_event.message.parse_event.message.actor.user.name }}" - process.parent.command_line: "{{ parse_event.message.parse_event.message.actor.process.parent_process.cmd_line }}" - process.parent.end: "{{ parse_event.message.parse_event.message.actor.process.parent_process.terminated_time }}" + - "{{ parse_event.message.actor.process.user.uid }}" + filter: "{{ parse_event.message.actor.process.user.uid != null }}" + - set: + process.user.name: "{{ parse_event.message.actor.process.user.name }}" + user.domain: "{{ parse_event.message.actor.user.domain }}" + user.email: "{{ parse_event.message.actor.user.email_addr }}" + user.full_name: "{{ parse_event.message.actor.user.full_name }}" + user.id: "{{ parse_event.message.actor.user.uid }}" + user.name: "{{ parse_event.message.actor.user.name }}" + process.parent.command_line: "{{ parse_event.message.actor.process.parent_process.cmd_line }}" + process.parent.end: "{{ parse_event.message.actor.process.parent_process.terminated_time }}" - set: process.parent.group.id: - - "{{ parse_event.message.parse_event.message.actor.process.parent_process.egid }}" - filter: "{{ parse_event.message.actor.process.parent_process.egid != None }}" + - "{{ parse_event.message.actor.process.parent_process.egid }}" + filter: "{{ parse_event.message.actor.process.parent_process.egid != null }}" - set: process.parent.group.id: - - "{{ parse_event.message.parse_event.message.actor.process.parent_process.group.uid }}" - filter: "{{ parse_event.message.actor.process.parent_process.group.uid != None }}" - - set: - process.parent.group.name: "{{ parse_event.message.parse_event.message.actor.process.parent_process.group.name }}" - process.parent.name: "{{ parse_event.message.parse_event.message.actor.process.parent_process.name }}" - process.parent.pid: "{{ 
parse_event.message.parse_event.message.actor.process.parent_process.pid }}" - process.parent.start: "{{ parse_event.message.parse_event.message.actor.process.parent_process.created_time }}" - process.parent.thread.id: "{{ parse_event.message.parse_event.message.actor.process.parent_process.tid }}" - process.parent.entity_id: "{{ parse_event.message.parse_event.message.actor.process.parent_process.uid }}" - process.parent.user.domain: "{{ parse_event.message.parse_event.message.actor.process.parent_process.user.domain }}" - process.parent.user.email: "{{ parse_event.message.parse_event.message.actor.process.parent_process.user.email_addr }}" - process.parent.user.full_name: "{{ parse_event.message.parse_event.message.actor.process.parent_process.user.full_name }}" + - "{{ parse_event.message.actor.process.parent_process.group.uid }}" + filter: "{{ parse_event.message.actor.process.parent_process.group.uid != null }}" + - set: + process.parent.group.name: "{{ parse_event.message.actor.process.parent_process.group.name }}" + process.parent.name: "{{ parse_event.message.actor.process.parent_process.name }}" + process.parent.pid: "{{ parse_event.message.actor.process.parent_process.pid }}" + process.parent.start: "{{ parse_event.message.actor.process.parent_process.created_time }}" + process.parent.thread.id: "{{ parse_event.message.actor.process.parent_process.tid }}" + process.parent.entity_id: "{{ parse_event.message.actor.process.parent_process.uid }}" + process.parent.user.domain: "{{ parse_event.message.actor.process.parent_process.user.domain }}" + process.parent.user.email: "{{ parse_event.message.actor.process.parent_process.user.email_addr }}" + process.parent.user.full_name: "{{ parse_event.message.actor.process.parent_process.user.full_name }}" - set: process.parent.user.id: - - "{{ parse_event.message.parse_event.message.actor.process.parent_process.euid }}" - filter: "{{ parse_event.message.actor.process.parent_process.euid != None }}" + - "{{ 
parse_event.message.actor.process.parent_process.euid }}" + filter: "{{ parse_event.message.actor.process.parent_process.euid != null }}" - set: process.parent.user.id: - - "{{ parse_event.message.parse_event.message.actor.process.parent_process.user.uid }}" - filter: "{{ parse_event.message.actor.process.parent_process.user.uid != None }}" + - "{{ parse_event.message.actor.process.parent_process.user.uid }}" + filter: "{{ parse_event.message.actor.process.parent_process.user.uid != null }}" - set: - process.parent.user.name: "{{ parse_event.message.parse_event.message.actor.process.parent_process.user.name }}" + process.parent.user.name: "{{ parse_event.message.actor.process.parent_process.user.name }}" pipeline_object_network_connection_info: actions: - set: - network.iana_number: "{{ parse_event.message.parse_event.message.connection_info.protocol_num }}" + network.iana_number: "{{ parse_event.message.connection_info.protocol_num }}" - set: network.direction: - internal - filter: "{{ parse_event.message.connection_info.boundary != None and parse_event.message.connection_info.boundary == 'Internal' }}" + filter: "{{ parse_event.message.connection_info.boundary != null and parse_event.message.connection_info.boundary == 'Internal' }}" - set: network.direction: - external - filter: "{{ parse_event.message.connection_info.boundary != None and parse_event.message.connection_info.boundary == 'External' }}" + filter: "{{ parse_event.message.connection_info.boundary != null and parse_event.message.connection_info.boundary == 'External' }}" - set: network.direction: - inbound - filter: "{{ parse_event.message.connection_info.direction != None and parse_event.message.connection_info.direction == 'Inbound' }}" + filter: "{{ parse_event.message.connection_info.direction != null and parse_event.message.connection_info.direction == 'Inbound' }}" - set: network.direction: - outbound - filter: "{{ parse_event.message.connection_info.direction != None and 
parse_event.message.connection_info.direction == 'Outbound' }}" + filter: "{{ parse_event.message.connection_info.direction != null and parse_event.message.connection_info.direction == 'Outbound' }}" - set: network.direction: - unknown - filter: "{{ parse_event.message.connection_info.direction != None and parse_event.message.connection_info.direction == 'Unknown' or parse_event.message.connection_info.boundary != None and parse_event.message.connection_info.boundary == 'Unknown' }}" + filter: "{{ parse_event.message.connection_info.direction != null and parse_event.message.connection_info.direction == 'Unknown' or parse_event.message.connection_info.boundary != null and parse_event.message.connection_info.boundary == 'Unknown' }}" + pipeline_object_device: actions: - set: - host.domain: "{{ parse_event.message.parse_event.message.device.domain }}" - host.geo.city_name: "{{ parse_event.message.parse_event.message.device.location.city }}" - host.geo.continent_name: "{{ parse_event.message.parse_event.message.device.location.continent }}" - host.geo.country_iso_code: "{{ parse_event.message.parse_event.message.device.location.country }}" - host.geo.location: "{{ parse_event.message.parse_event.message.device.location.coordinates }}" - host.geo.name: "{{ parse_event.message.parse_event.message.device.location.desc }}" - host.geo.postal_code: "{{ parse_event.message.parse_event.message.device.location.postal_code }}" - host.geo.region_iso_code: "{{ parse_event.message.parse_event.message.device.location.region }}" - host.hostname: "{{ parse_event.message.parse_event.message.device.hostname }}" - host.id: "{{ parse_event.message.parse_event.message.device.uid }}" + host.domain: "{{ parse_event.message.device.domain }}" + host.geo.city_name: "{{ parse_event.message.device.location.city }}" + host.geo.continent_name: "{{ parse_event.message.device.location.continent }}" + host.geo.country_iso_code: "{{ parse_event.message.device.location.country }}" + host.geo.location: 
"{{ parse_event.message.device.location.coordinates }}" + host.geo.name: "{{ parse_event.message.device.location.desc }}" + host.geo.postal_code: "{{ parse_event.message.device.location.postal_code }}" + host.geo.region_iso_code: "{{ parse_event.message.device.location.region }}" + host.hostname: "{{ parse_event.message.device.hostname }}" + host.id: "{{ parse_event.message.device.uid }}" - set: host.ip: - - "{{ parse_event.message.parse_event.message.device.ip }}" - filter: "{{ parse_event.message.device.ip != None }}" + - "{{ parse_event.message.device.ip }}" + filter: "{{ parse_event.message.device.ip | is_ipaddress }}" - set: host.mac: - - "{{ parse_event.message.parse_event.message.device.mac }}" - filter: "{{ parse_event.message.device.mac != None }}" + - "{{ parse_event.message.device.mac }}" + filter: "{{ parse_event.message.device.mac != null }}" - set: - host.os.name: "{{ parse_event.message.parse_event.message.device.os.name }}" + host.os.name: "{{ parse_event.message.device.os.name }}" - set: - host.os.type: "{{ parse_event.message.parse_event.message.device.os.type }}" - filter: "{{ parse_event.message.device.os.type != None and parse_event.message.device.os.type in ['Linux','Windows','Android','macOS','iOS'] }}" + host.os.type: "{{ parse_event.message.device.os.type }}" + filter: "{{ parse_event.message.device.os.type != null and parse_event.message.device.os.type in ['Linux','Windows','Android','macOS','iOS'] }}" - set: - host.os.version: "{{ parse_event.message.parse_event.message.device.os.build }}" - host.risk.static_level: "{{ parse_event.message.parse_event.message.device.risk_level }}" - host.risk.static_score: "{{ parse_event.message.parse_event.message.device.risk_score }}" - host.type: "{{ parse_event.message.parse_event.message.device.type }}" - network.vlan.id: "{{ parse_event.message.parse_event.message.device.vlan_uid }}" + host.os.version: "{{ parse_event.message.device.os.build }}" + host.risk.static_level: "{{ 
parse_event.message.device.risk_level }}" + host.risk.static_score: "{{ parse_event.message.device.risk_score }}" + host.type: "{{ parse_event.message.device.type }}" + network.vlan.id: "{{ parse_event.message.device.vlan_uid }}" + pipeline_object_http_request: actions: - set: - http.request.id: "{{ parse_event.message.parse_event.message.http_request.uid }}" - http.request.method: "{{ parse_event.message.parse_event.message.http_request.http_method }}" - http.request.referrer: "{{ parse_event.message.parse_event.message.http_request.referrer }}" - http.version: "{{ parse_event.message.parse_event.message.http_request.version }}" - url.domain: "{{ parse_event.message.parse_event.message.http_request.url.hostname }}" - url.original: "{{ parse_event.message.parse_event.message.http_request.url.url_string }}" - url.path: "{{ parse_event.message.parse_event.message.http_request.url.path }}" - url.port: "{{ parse_event.message.parse_event.message.http_request.url.port }}" - url.query: "{{ parse_event.message.parse_event.message.http_request.url.query_string }}" - url.scheme: "{{ parse_event.message.parse_event.message.http_request.url.scheme }}" - url.subdomain: "{{ parse_event.message.parse_event.message.http_request.url.subdomain }}" - user_agent.original: "{{ parse_event.message.parse_event.message.http_request.user_agent }}" + http.request.id: "{{ parse_event.message.http_request.uid }}" + http.request.method: "{{ parse_event.message.http_request.http_method }}" + http.request.referrer: "{{ parse_event.message.http_request.referrer }}" + http.version: "{{ parse_event.message.http_request.version }}" + url.domain: "{{ parse_event.message.http_request.url.hostname }}" + url.original: "{{ parse_event.message.http_request.url.url_string }}" + url.path: "{{ parse_event.message.http_request.url.path }}" + url.port: "{{ parse_event.message.http_request.url.port }}" + url.query: "{{ parse_event.message.http_request.url.query_string }}" + url.scheme: "{{ 
parse_event.message.http_request.url.scheme }}" + url.subdomain: "{{ parse_event.message.http_request.url.subdomain }}" + user_agent.original: "{{ parse_event.message.http_request.user_agent }}" + pipeline_object_malware: actions: [] + pipeline_object_network_endpoint: actions: - set: - source.domain: - - "{{ parse_event.message.parse_event.message.src_endpoint.domain }}" - filter: "{{ parse_event.message.src_endpoint.domain != None }}" - - set: - source.geo.city_name: "{{ parse_event.message.parse_event.message.src_endpoint.location.city }}" - source.geo.continent_name: "{{ parse_event.message.parse_event.message.src_endpoint.location.continent }}" - source.geo.location: "{{ parse_event.message.parse_event.message.src_endpoint.location.coordinates }}" - source.geo.country_iso_code: "{{ parse_event.message.parse_event.message.src_endpoint.location.country }}" - source.geo.name: "{{ parse_event.message.parse_event.message.src_endpoint.location.desc }}" - source.geo.postal_code: "{{ parse_event.message.parse_event.message.src_endpoint.location.postal_code }}" - source.geo.region_iso_code: "{{ parse_event.message.parse_event.message.src_endpoint.location.region }}" - - set: - source.domain: - - "{{ parse_event.message.parse_event.message.src_endpoint.hostname }}" - filter: "{{ parse_event.message.src_endpoint.hostname != None }}" - - set: - source.ip: "{{ parse_event.message.parse_event.message.src_endpoint.ip }}" - source.mac: "{{ parse_event.message.parse_event.message.src_endpoint.mac }}" - source.port: "{{ parse_event.message.parse_event.message.src_endpoint.port }}" - - set: - network.application: - - "{{ parse_event.message.parse_event.message.src_endpoint.svc_name }}" - filter: "{{ parse_event.message.src_endpoint.svc_name != None }}" - - set: - destination.domain: - - "{{ parse_event.message.parse_event.message.dst_endpoint.domain }}" - filter: "{{ parse_event.message.dst_endpoint.domain != None }}" - - set: - destination.geo.city_name: "{{ 
parse_event.message.parse_event.message.dst_endpoint.location.city }}" - destination.geo.continent_name: "{{ parse_event.message.parse_event.message.dst_endpoint.location.continent }}" - destination.geo.location: "{{ parse_event.message.parse_event.message.dst_endpoint.location.coordinates }}" - destination.geo.country_iso_code: "{{ parse_event.message.parse_event.message.dst_endpoint.location.country }}" - destination.geo.name: "{{ parse_event.message.parse_event.message.dst_endpoint.location.desc }}" - destination.geo.postal_code: "{{ parse_event.message.parse_event.message.dst_endpoint.location.postal_code }}" - destination.geo.region_iso_code: "{{ parse_event.message.parse_event.message.dst_endpoint.location.region }}" - - set: - destination.domain: - - "{{ parse_event.message.parse_event.message.dst_endpoint.hostname }}" - filter: "{{ parse_event.message.dst_endpoint.hostname != None }}" - - set: - destination.ip: "{{ parse_event.message.parse_event.message.dst_endpoint.ip }}" - destination.mac: "{{ parse_event.message.parse_event.message.dst_endpoint.mac }}" - destination.port: "{{ parse_event.message.parse_event.message.dst_endpoint.port }}" - - set: - network.application: - - "{{ parse_event.message.parse_event.message.dst_endpoint.svc_name }}" - filter: "{{ parse_event.message.dst_endpoint.svc_name != None }}" + source.domain: "{{ parse_event.message.src_endpoint.domain }}" + filter: "{{ parse_event.message.src_endpoint.domain != null }}" + - set: + source.geo.city_name: "{{ parse_event.message.src_endpoint.location.city }}" + source.geo.continent_name: "{{ parse_event.message.src_endpoint.location.continent }}" + source.geo.location: "{{ parse_event.message.src_endpoint.location.coordinates }}" + source.geo.country_iso_code: "{{ parse_event.message.src_endpoint.location.country }}" + source.geo.name: "{{ parse_event.message.src_endpoint.location.desc }}" + source.geo.postal_code: "{{ parse_event.message.src_endpoint.location.postal_code }}" + 
source.geo.region_iso_code: "{{ parse_event.message.src_endpoint.location.region }}" + - set: + source.domain: "{{ parse_event.message.src_endpoint.hostname }}" + filter: "{{ parse_event.message.src_endpoint.hostname != null }}" + - set: + source.ip: "{{ parse_event.message.src_endpoint.ip }}" + source.mac: "{{ parse_event.message.src_endpoint.mac }}" + source.port: "{{ parse_event.message.src_endpoint.port }}" + - set: + network.application: "{{ parse_event.message.src_endpoint.svc_name }}" + filter: "{{ parse_event.message.src_endpoint.svc_name != null }}" + - set: + destination.domain: "{{ parse_event.message.dst_endpoint.domain }}" + filter: "{{ parse_event.message.dst_endpoint.domain != null }}" + - set: + destination.geo.city_name: "{{ parse_event.message.dst_endpoint.location.city }}" + destination.geo.continent_name: "{{ parse_event.message.dst_endpoint.location.continent }}" + destination.geo.location: "{{ parse_event.message.dst_endpoint.location.coordinates }}" + destination.geo.country_iso_code: "{{ parse_event.message.dst_endpoint.location.country }}" + destination.geo.name: "{{ parse_event.message.dst_endpoint.location.desc }}" + destination.geo.postal_code: "{{ parse_event.message.dst_endpoint.location.postal_code }}" + destination.geo.region_iso_code: "{{ parse_event.message.dst_endpoint.location.region }}" + - set: + destination.domain: "{{ parse_event.message.dst_endpoint.hostname }}" + filter: "{{ parse_event.message.dst_endpoint.hostname != null }}" + - set: + destination.ip: "{{ parse_event.message.dst_endpoint.ip }}" + destination.mac: "{{ parse_event.message.dst_endpoint.mac }}" + destination.port: "{{ parse_event.message.dst_endpoint.port }}" + - set: + network.application: "{{ parse_event.message.dst_endpoint.svc_name }}" + filter: "{{ parse_event.message.dst_endpoint.svc_name != null }}" + pipeline_object_process: actions: - set: - container.id: "{{ parse_event.message.parse_event.message.process.container.uid }}" - container.image.name: 
"{{ parse_event.message.parse_event.message.process.container.image.name }}" + container.id: "{{ parse_event.message.process.container.uid }}" + container.image.name: "{{ parse_event.message.process.container.image.name }}" - set: container.image.tag: - - "{{ parse_event.message.parse_event.message.process.container.image.tag }}" - filter: "{{ parse_event.message.process.container.image.tag != None }}" - - set: - container.labels: "{{ parse_event.message.parse_event.message.process.container.image.labels }}" - orchestrator.type: "{{ parse_event.message.parse_event.message.process.container.orchestrator }}" - container.name: "{{ parse_event.message.parse_event.message.process.container.name }}" - container.runtime: "{{ parse_event.message.parse_event.message.process.container.runtime }}" - file.accessed: "{{ parse_event.message.parse_event.message.process.file.accessed_time }}" - file.created: "{{ parse_event.message.parse_event.message.process.file.created_time }}" - file.directory: "{{ parse_event.message.parse_event.message.process.file.parent_folder }}" - file.inode: "{{ parse_event.message.parse_event.message.process.file.uid }}" - file.mime_type: "{{ parse_event.message.parse_event.message.process.file.mime_type }}" - file.mtime: "{{ parse_event.message.parse_event.message.process.file.modified_time }}" - file.name: "{{ parse_event.message.parse_event.message.process.file.name }}" - file.owner: "{{ parse_event.message.parse_event.message.process.file.owner.name }}" - file.path: "{{ parse_event.message.parse_event.message.process.file.path }}" - file.size: "{{ parse_event.message.parse_event.message.process.file.size }}" - file.type: "{{ parse_event.message.parse_event.message.process.file.type }}" - file.uid: "{{ parse_event.message.parse_event.message.process.file.owner.uid }}" - file.x509.issuer.distinguished_name: "{{ parse_event.message.parse_event.message.process.file.signature.certificate.issuer }}" - file.x509.not_after: "{{ 
parse_event.message.parse_event.message.process.file.signature.certificate.expiration_time }}" - file.x509.serial_number: "{{ parse_event.message.parse_event.message.process.file.signature.certificate.serial_number }}" - file.x509.subject.distinguished_name: "{{ parse_event.message.parse_event.message.process.file.signature.certificate.subject }}" - file.x509.version_number: "{{ parse_event.message.parse_event.message.process.file.signature.certificate.version }}" - process.command_line: "{{ parse_event.message.parse_event.message.process.cmd_line }}" - process.end: "{{ parse_event.message.parse_event.message.process.terminated_time }}" + - "{{ parse_event.message.process.container.image.tag }}" + filter: "{{ parse_event.message.process.container.image.tag != null }}" + - set: + container.labels: "{{ parse_event.message.process.container.image.labels }}" + orchestrator.type: "{{ parse_event.message.process.container.orchestrator }}" + container.name: "{{ parse_event.message.process.container.name }}" + container.runtime: "{{ parse_event.message.process.container.runtime }}" + file.accessed: "{{ parse_event.message.process.file.accessed_time }}" + file.created: "{{ parse_event.message.process.file.created_time }}" + file.directory: "{{ parse_event.message.process.file.parent_folder }}" + file.inode: "{{ parse_event.message.process.file.uid }}" + file.mime_type: "{{ parse_event.message.process.file.mime_type }}" + file.mtime: "{{ parse_event.message.process.file.modified_time }}" + file.name: "{{ parse_event.message.process.file.name }}" + file.owner: "{{ parse_event.message.process.file.owner.name }}" + file.path: "{{ parse_event.message.process.file.path }}" + file.size: "{{ parse_event.message.process.file.size }}" + file.type: "{{ parse_event.message.process.file.type }}" + file.uid: "{{ parse_event.message.process.file.owner.uid }}" + file.x509.issuer.distinguished_name: "{{ parse_event.message.process.file.signature.certificate.issuer }}" + file.x509.not_after: 
"{{ parse_event.message.process.file.signature.certificate.expiration_time }}" + file.x509.serial_number: "{{ parse_event.message.process.file.signature.certificate.serial_number }}" + file.x509.subject.distinguished_name: "{{ parse_event.message.process.file.signature.certificate.subject }}" + file.x509.version_number: "{{ parse_event.message.process.file.signature.certificate.version }}" + process.command_line: "{{ parse_event.message.process.cmd_line }}" + process.end: "{{ parse_event.message.process.terminated_time }}" - set: process.group.id: - - "{{ parse_event.message.parse_event.message.process.egid }}" - filter: "{{ parse_event.message.process.egid != None }}" + - "{{ parse_event.message.process.egid }}" + filter: "{{ parse_event.message.process.egid != null }}" - set: process.group.id: - - "{{ parse_event.message.parse_event.message.process.group.uid }}" - filter: "{{ parse_event.message.process.group.uid != None }}" - - set: - process.group.name: "{{ parse_event.message.parse_event.message.process.group.name }}" - process.name: "{{ parse_event.message.parse_event.message.process.name }}" - process.pid: "{{ parse_event.message.parse_event.message.process.pid }}" - process.start: "{{ parse_event.message.parse_event.message.process.created_time }}" - process.thread.id: "{{ parse_event.message.parse_event.message.process.tid }}" - process.entity_id: "{{ parse_event.message.parse_event.message.process.uid }}" - process.user.domain: "{{ parse_event.message.parse_event.message.process.user.domain }}" - process.user.email: "{{ parse_event.message.parse_event.message.process.user.email_addr }}" - process.user.full_name: "{{ parse_event.message.parse_event.message.process.user.full_name }}" + - "{{ parse_event.message.process.group.uid }}" + filter: "{{ parse_event.message.process.group.uid != null }}" + - set: + process.group.name: "{{ parse_event.message.process.group.name }}" + process.name: "{{ parse_event.message.process.name }}" + process.pid: "{{ 
parse_event.message.process.pid }}" + process.start: "{{ parse_event.message.process.created_time }}" + process.thread.id: "{{ parse_event.message.process.tid }}" + process.entity_id: "{{ parse_event.message.process.uid }}" + process.user.domain: "{{ parse_event.message.process.user.domain }}" + process.user.email: "{{ parse_event.message.process.user.email_addr }}" + process.user.full_name: "{{ parse_event.message.process.user.full_name }}" - set: process.user.id: - - "{{ parse_event.message.parse_event.message.process.euid }}" - filter: "{{ parse_event.message.process.euid != None }}" + - "{{ parse_event.message.process.euid }}" + filter: "{{ parse_event.message.process.euid != null }}" - set: process.user.id: - - "{{ parse_event.message.parse_event.message.process.user.uid }}" - filter: "{{ parse_event.message.process.user.uid != None }}" + - "{{ parse_event.message.process.user.uid }}" + filter: "{{ parse_event.message.process.user.uid != null }}" - set: - process.user.name: "{{ parse_event.message.parse_event.message.process.user.name }}" - process.parent.command_line: "{{ parse_event.message.parse_event.message.process.parent_process.cmd_line }}" - process.parent.end: "{{ parse_event.message.parse_event.message.process.parent_process.terminated_time }}" + process.user.name: "{{ parse_event.message.process.user.name }}" + process.parent.command_line: "{{ parse_event.message.process.parent_process.cmd_line }}" + process.parent.end: "{{ parse_event.message.process.parent_process.terminated_time }}" - set: process.parent.group.id: - - "{{ parse_event.message.parse_event.message.process.parent_process.egid }}" - filter: "{{ parse_event.message.process.parent_process.egid != None }}" + - "{{ parse_event.message.process.parent_process.egid }}" + filter: "{{ parse_event.message.process.parent_process.egid != null }}" - set: process.parent.group.id: - - "{{ parse_event.message.parse_event.message.process.parent_process.group.uid }}" - filter: "{{ 
parse_event.message.process.parent_process.group.uid != None }}" - - set: - process.parent.group.name: "{{ parse_event.message.parse_event.message.process.parent_process.group.name }}" - process.parent.name: "{{ parse_event.message.parse_event.message.process.parent_process.name }}" - process.parent.pid: "{{ parse_event.message.parse_event.message.process.parent_process.pid }}" - process.parent.start: "{{ parse_event.message.parse_event.message.process.parent_process.created_time }}" - process.parent.thread.id: "{{ parse_event.message.parse_event.message.process.parent_process.tid }}" - process.parent.entity_id: "{{ parse_event.message.parse_event.message.process.parent_process.uid }}" - process.parent.user.domain: "{{ parse_event.message.parse_event.message.process.parent_process.user.domain }}" - process.parent.user.email: "{{ parse_event.message.parse_event.message.process.parent_process.user.email_addr }}" - process.parent.user.full_name: "{{ parse_event.message.parse_event.message.process.parent_process.user.full_name }}" + - "{{ parse_event.message.process.parent_process.group.uid }}" + filter: "{{ parse_event.message.process.parent_process.group.uid != null }}" + - set: + process.parent.group.name: "{{ parse_event.message.process.parent_process.group.name }}" + process.parent.name: "{{ parse_event.message.process.parent_process.name }}" + process.parent.pid: "{{ parse_event.message.process.parent_process.pid }}" + process.parent.start: "{{ parse_event.message.process.parent_process.created_time }}" + process.parent.thread.id: "{{ parse_event.message.process.parent_process.tid }}" + process.parent.entity_id: "{{ parse_event.message.process.parent_process.uid }}" + process.parent.user.domain: "{{ parse_event.message.process.parent_process.user.domain }}" + process.parent.user.email: "{{ parse_event.message.process.parent_process.user.email_addr }}" + process.parent.user.full_name: "{{ parse_event.message.process.parent_process.user.full_name }}" - set: 
process.parent.user.id: - - "{{ parse_event.message.parse_event.message.process.parent_process.euid }}" - filter: "{{ parse_event.message.process.parent_process.euid != None }}" + - "{{ parse_event.message.process.parent_process.euid }}" + filter: "{{ parse_event.message.process.parent_process.euid != null }}" - set: process.parent.user.id: - - "{{ parse_event.message.parse_event.message.process.parent_process.user.uid }}" - filter: "{{ parse_event.message.process.parent_process.user.uid != None }}" + - "{{ parse_event.message.process.parent_process.user.uid }}" + filter: "{{ parse_event.message.process.parent_process.user.uid != null }}" - set: - process.parent.user.name: "{{ parse_event.message.parse_event.message.process.parent_process.user.name }}" + process.parent.user.name: "{{ parse_event.message.process.parent_process.user.name }}" + pipeline_object_proxy: actions: [] + pipeline_object_tls: actions: - set: - tls.cipher: "{{ parse_event.message.parse_event.message.tls.cipher }}" - tls.client.ja3: "{{ parse_event.message.parse_event.message.tls.ja3_hash.value }}" - tls.client.server_name: "{{ parse_event.message.parse_event.message.tls.sni }}" - tls.client.x509.issuer.distinguished_name: "{{ parse_event.message.parse_event.message.tls.certificate.issuer }}" - tls.client.x509.not_after: "{{ parse_event.message.parse_event.message.tls.certificate.expiration_time }}" - tls.client.x509.serial_number: "{{ parse_event.message.parse_event.message.tls.certificate.serial_number }}" - tls.client.x509.subject.distinguished_name: "{{ parse_event.message.parse_event.message.tls.certificate.subject }}" - tls.client.x509.version_number: "{{ parse_event.message.parse_event.message.tls.certificate.version }}" - tls.server.ja3s: "{{ parse_event.message.parse_event.message.tls.ja3s_hash.value }}" - tls.version: "{{ parse_event.message.parse_event.message.tls.version }}" + tls.cipher: "{{ parse_event.message.tls.cipher }}" + tls.client.ja3: "{{ 
parse_event.message.tls.ja3_hash.value }}" + tls.client.server_name: "{{ parse_event.message.tls.sni }}" + tls.client.x509.issuer.distinguished_name: "{{ parse_event.message.tls.certificate.issuer }}" + tls.client.x509.not_after: "{{ parse_event.message.tls.certificate.expiration_time }}" + tls.client.x509.serial_number: "{{ parse_event.message.tls.certificate.serial_number }}" + tls.client.x509.subject.distinguished_name: "{{ parse_event.message.tls.certificate.subject }}" + tls.client.x509.version_number: "{{ parse_event.message.tls.certificate.version }}" + tls.server.ja3s: "{{ parse_event.message.tls.ja3s_hash.value }}" + tls.version: "{{ parse_event.message.tls.version }}" pipeline_object_traffic: actions: - set: - destination.bytes: "{{ parse_event.message.parse_event.message.traffic.bytes_in }}" - source.bytes: "{{ parse_event.message.parse_event.message.traffic.bytes_out }}" - destination.packets: "{{ parse_event.message.parse_event.message.traffic.packets_in }}" - source.packets: "{{ parse_event.message.parse_event.message.traffic.packets_out }}" - network.bytes: "{{ parse_event.message.parse_event.message.traffic.bytes }}" - network.packets: "{{ parse_event.message.parse_event.message.traffic.packets }}" + destination.bytes: "{{ parse_event.message.traffic.bytes_in }}" + source.bytes: "{{ parse_event.message.traffic.bytes_out }}" + destination.packets: "{{ parse_event.message.traffic.packets_in }}" + source.packets: "{{ parse_event.message.traffic.packets_out }}" + network.bytes: "{{ parse_event.message.traffic.bytes }}" + network.packets: "{{ parse_event.message.traffic.packets }}" pipeline_object_user: actions: - set: - user.target.domain: "{{ parse_event.message.parse_event.message.user.domain }}" - user.target.email: "{{ parse_event.message.parse_event.message.user.email_addr }}" - user.target.full_name: "{{ parse_event.message.parse_event.message.user.full_name }}" - user.target.id: "{{ parse_event.message.parse_event.message.user.uid }}" - 
user.target.name: "{{ parse_event.message.parse_event.message.user.name }}" + user.target.domain: "{{ parse_event.message.user.domain }}" + user.target.email: "{{ parse_event.message.user.email_addr }}" + user.target.full_name: "{{ parse_event.message.user.full_name }}" + user.target.id: "{{ parse_event.message.user.uid }}" + user.target.name: "{{ parse_event.message.user.name }}" + pipeline_object_file: actions: - set: - file.accessed: "{{ parse_event.message.parse_event.message.file.accessed_time }}" - file.created: "{{ parse_event.message.parse_event.message.file.created_time }}" - file.directory: "{{ parse_event.message.parse_event.message.file.parent_folder }}" - file.inode: "{{ parse_event.message.parse_event.message.file.uid }}" - file.mime_type: "{{ parse_event.message.parse_event.message.file.mime_type }}" - file.mtime: "{{ parse_event.message.parse_event.message.file.modified_time }}" - file.name: "{{ parse_event.message.parse_event.message.file.name }}" - file.owner: "{{ parse_event.message.parse_event.message.file.owner.name }}" - file.path: "{{ parse_event.message.parse_event.message.file.path }}" - file.size: "{{ parse_event.message.parse_event.message.file.size }}" - file.type: "{{ parse_event.message.parse_event.message.file.type }}" - file.uid: "{{ parse_event.message.parse_event.message.file.owner.uid }}" - file.x509.issuer.distinguished_name: "{{ parse_event.message.parse_event.message.file.signature.certificate.issuer }}" - file.x509.not_after: "{{ parse_event.message.parse_event.message.file.signature.certificate.expiration_time }}" - file.x509.serial_number: "{{ parse_event.message.parse_event.message.file.signature.certificate.serial_number }}" - file.x509.subject.distinguished_name: "{{ parse_event.message.parse_event.message.file.signature.certificate.subject }}" - file.x509.version_number: "{{ parse_event.message.parse_event.message.file.signature.certificate.version }}" + file.accessed: "{{ parse_event.message.file.accessed_time }}" + 
file.created: "{{ parse_event.message.file.created_time }}" + file.directory: "{{ parse_event.message.file.parent_folder }}" + file.inode: "{{ parse_event.message.file.uid }}" + file.mime_type: "{{ parse_event.message.file.mime_type }}" + file.mtime: "{{ parse_event.message.file.modified_time }}" + file.name: "{{ parse_event.message.file.name }}" + file.owner: "{{ parse_event.message.file.owner.name }}" + file.path: "{{ parse_event.message.file.path }}" + file.size: "{{ parse_event.message.file.size }}" + file.type: "{{ parse_event.message.file.type }}" + file.uid: "{{ parse_event.message.file.owner.uid }}" + file.x509.issuer.distinguished_name: "{{ parse_event.message.file.signature.certificate.issuer }}" + file.x509.not_after: "{{ parse_event.message.file.signature.certificate.expiration_time }}" + file.x509.serial_number: "{{ parse_event.message.file.signature.certificate.serial_number }}" + file.x509.subject.distinguished_name: "{{ parse_event.message.file.signature.certificate.subject }}" + file.x509.version_number: "{{ parse_event.message.file.signature.certificate.version }}" + pipeline_object_system_activity_helper: actions: - set: - file.accessed: "{{ parse_event.message.parse_event.message.job.file.accessed_time }}" - file.created: "{{ parse_event.message.parse_event.message.job.file.created_time }}" - file.directory: "{{ parse_event.message.parse_event.message.job.file.parent_folder }}" - file.inode: "{{ parse_event.message.parse_event.message.job.file.uid }}" - file.mime_type: "{{ parse_event.message.parse_event.message.job.file.mime_type }}" - file.mtime: "{{ parse_event.message.parse_event.message.job.file.modified_time }}" - file.name: "{{ parse_event.message.parse_event.message.job.file.name }}" - file.owner: "{{ parse_event.message.parse_event.message.job.file.owner.name }}" - file.path: "{{ parse_event.message.parse_event.message.job.file.path }}" - file.size: "{{ parse_event.message.parse_event.message.job.file.size }}" - file.type: "{{ 
parse_event.message.parse_event.message.job.file.type }}" - file.uid: "{{ parse_event.message.parse_event.message.job.file.owner.uid }}" - file.x509.issuer.distinguished_name: "{{ parse_event.message.parse_event.message.job.file.signature.certificate.issuer }}" - file.x509.not_after: "{{ parse_event.message.parse_event.message.job.file.signature.certificate.expiration_time }}" - file.x509.serial_number: "{{ parse_event.message.parse_event.message.job.file.signature.certificate.serial_number }}" - file.x509.subject.distinguished_name: "{{ parse_event.message.parse_event.message.job.file.signature.certificate.subject }}" - file.x509.version_number: "{{ parse_event.message.parse_event.message.job.file.signature.certificate.version }}" + file.accessed: "{{ parse_event.message.job.file.accessed_time }}" + file.created: "{{ parse_event.message.job.file.created_time }}" + file.directory: "{{ parse_event.message.job.file.parent_folder }}" + file.inode: "{{ parse_event.message.job.file.uid }}" + file.mime_type: "{{ parse_event.message.job.file.mime_type }}" + file.mtime: "{{ parse_event.message.job.file.modified_time }}" + file.name: "{{ parse_event.message.job.file.name }}" + file.owner: "{{ parse_event.message.job.file.owner.name }}" + file.path: "{{ parse_event.message.job.file.path }}" + file.size: "{{ parse_event.message.job.file.size }}" + file.type: "{{ parse_event.message.job.file.type }}" + file.uid: "{{ parse_event.message.job.file.owner.uid }}" + file.x509.issuer.distinguished_name: "{{ parse_event.message.job.file.signature.certificate.issuer }}" + file.x509.not_after: "{{ parse_event.message.job.file.signature.certificate.expiration_time }}" + file.x509.serial_number: "{{ parse_event.message.job.file.signature.certificate.serial_number }}" + file.x509.subject.distinguished_name: "{{ parse_event.message.job.file.signature.certificate.subject }}" + file.x509.version_number: "{{ parse_event.message.job.file.signature.certificate.version }}" + 
pipeline_category_system_activity: actions: - set: - user.target.domain: "{{ parse_event.message.parse_event.message.job.user.domain }}" - user.target.email: "{{ parse_event.message.parse_event.message.job.user.email_addr }}" - user.target.full_name: "{{ parse_event.message.parse_event.message.job.user.full_name }}" - user.target.id: "{{ parse_event.message.parse_event.message.job.user.uid }}" - user.target.name: "{{ parse_event.message.parse_event.message.job.user.name }}" - process.exit_code: "{{ parse_event.message.parse_event.message.exit_code }}" + user.target.domain: "{{ parse_event.message.job.user.domain }}" + user.target.email: "{{ parse_event.message.job.user.email_addr }}" + user.target.full_name: "{{ parse_event.message.job.user.full_name }}" + user.target.id: "{{ parse_event.message.job.user.uid }}" + user.target.name: "{{ parse_event.message.job.user.name }}" + process.exit_code: "{{ parse_event.message.exit_code }}" + pipeline_category_findings: actions: - set: - event.reference: "{{ parse_event.message.parse_event.message.finding.src_url }}" - event.risk_score: "{{ parse_event.message.parse_event.message.risk_score }}" + event.reference: "{{ parse_event.message.finding.src_url }}" + event.risk_score: "{{ parse_event.message.risk_score }}" + pipeline_category_identity_and_access_management: actions: - set: - user.changes.domain: "{{ parse_event.message.parse_event.message.user_result.domain }}" - user.changes.email: "{{ parse_event.message.parse_event.message.user_result.email_addr }}" - user.changes.full_name: "{{ parse_event.message.parse_event.message.user_result.full_name }}" - user.changes.id: "{{ parse_event.message.parse_event.message.user_result.uid }}" - user.changes.name: "{{ parse_event.message.parse_event.message.user_result.name }}" - service.name: "{{ parse_event.message.parse_event.message.service.name }}" - service.id: "{{ parse_event.message.parse_event.message.service.uid }}" - service.version: "{{ 
parse_event.message.parse_event.message.service.version }}" - group.name: "{{ parse_event.message.parse_event.message.group.name }}" - group.id: "{{ parse_event.message.parse_event.message.group.uid }}" + user.changes.domain: "{{ parse_event.message.user_result.domain }}" + user.changes.email: "{{ parse_event.message.user_result.email_addr }}" + user.changes.full_name: "{{ parse_event.message.user_result.full_name }}" + user.changes.id: "{{ parse_event.message.user_result.uid }}" + user.changes.name: "{{ parse_event.message.user_result.name }}" + service.name: "{{ parse_event.message.service.name }}" + service.id: "{{ parse_event.message.service.uid }}" + service.version: "{{ parse_event.message.service.version }}" + group.name: "{{ parse_event.message.group.name }}" + group.id: "{{ parse_event.message.group.uid }}" + pipeline_category_network_activity: actions: - set: - dns.question.name: "{{ parse_event.message.parse_event.message.query.hostname }}" + dns.question.name: "{{ parse_event.message.query.hostname }}" - set: dns.id: - - "{{ parse_event.message.parse_event.message.query.packet_uid }}" - filter: "{{ parse_event.message.query.packet_uid != None }}" + - "{{ parse_event.message.query.packet_uid }}" + filter: "{{ parse_event.message.query.packet_uid != null }}" - set: dns.question.class: - - "{{ parse_event.message.parse_event.message.query.class }}" - filter: "{{ parse_event.message.query.class != None }}" + - "{{ parse_event.message.query.class }}" + filter: "{{ parse_event.message.query.class != null }}" - set: dns.question.type: - - "{{ parse_event.message.parse_event.message.query.type }}" - filter: "{{ parse_event.message.query.type != None }}" - - set: - dns.response_code: "{{ parse_event.message.parse_event.message.rcode }}" - http.response.status_code: "{{ parse_event.message.parse_event.message.response.code }}" - http.response.body.bytes: "{{ parse_event.message.parse_event.message.http_response.length }}" - http.response.body.content: "{{ 
parse_event.message.parse_event.message.http_response.message }}" - observer.hostname: "{{ parse_event.message.parse_event.message.relay.hostname }}" - observer.ip: "{{ parse_event.message.parse_event.message.relay.ip }}" - observer.mac: "{{ parse_event.message.parse_event.message.relay.mac }}" - observer.name: "{{ parse_event.message.parse_event.message.relay.name }}" - observer.type: "{{ parse_event.message.parse_event.message.relay.type }}" - http.request.id: "{{ parse_event.message.parse_event.message.request.uid }}" - tls.server.certificate_chain: "{{ parse_event.message.parse_event.message.certificate_chain }}" - email.cc.address: "{{ parse_event.message.parse_event.message.email.cc }}" - email.local_id: "{{ parse_event.message.parse_event.message.email.uid }}" + - "{{ parse_event.message.query.type }}" + filter: "{{ parse_event.message.query.type != null }}" + - set: + dns.response_code: "{{ parse_event.message.rcode }}" + http.response.status_code: "{{ parse_event.message.response.code }}" + http.response.body.bytes: "{{ parse_event.message.http_response.length }}" + http.response.body.content: "{{ parse_event.message.http_response.message }}" + observer.hostname: "{{ parse_event.message.relay.hostname }}" + observer.ip: "{{ parse_event.message.relay.ip }}" + observer.mac: "{{ parse_event.message.relay.mac }}" + observer.name: "{{ parse_event.message.relay.name }}" + observer.type: "{{ parse_event.message.relay.type }}" + http.request.id: "{{ parse_event.message.request.uid }}" + tls.server.certificate_chain: "{{ parse_event.message.certificate_chain }}" + email.cc.address: "{{ parse_event.message.email.cc }}" + email.local_id: "{{ parse_event.message.email.uid }}" - set: email.from.address: - - "{{ parse_event.message.parse_event.message.email.from }}" - filter: "{{ parse_event.message.email.from != None }}" + - "{{ parse_event.message.email.from }}" + filter: "{{ parse_event.message.email.from != null }}" - set: - email.message_id: "{{ 
parse_event.message.parse_event.message.email.message_uid }}" + email.message_id: "{{ parse_event.message.email.message_uid }}" - set: email.reply_to.address: - - "{{ parse_event.message.parse_event.message.email.reply_to }}" - filter: "{{ parse_event.message.email.reply_to != None }}" - - set: - email.subject: "{{ parse_event.message.parse_event.message.email.subject }}" - email.to.address: "{{ parse_event.message.parse_event.message.email.to }}" - email.local_id: "{{ parse_event.message.parse_event.message.email_uid }}" - url.query: "{{ parse_event.message.parse_event.message.url.query_string }}" - url.domain: "{{ parse_event.message.parse_event.message.url.hostname }}" - url.path: "{{ parse_event.message.parse_event.message.url.path }}" - url.port: "{{ parse_event.message.parse_event.message.url.port }}" - url.scheme: "{{ parse_event.message.parse_event.message.url.scheme }}" - url.subdomain: "{{ parse_event.message.parse_event.message.url.subdomain }}" - url.original: "{{ parse_event.message.parse_event.message.url.url_string }}" - - set: - email.attachments.file.size: "{{ parse_event.message.parse_event.message.file.size }}" - filter: "{{ parse_event.message.file.size != None and and }}" - - set: - email.attachments.file.name: "{{ parse_event.message.parse_event.message.file.name }}" - filter: "{{ parse_event.message.file.name != None and and }}" + - "{{ parse_event.message.email.reply_to }}" + filter: "{{ parse_event.message.email.reply_to != null }}" + - set: + email.subject: "{{ parse_event.message.email.subject }}" + email.to.address: "{{ parse_event.message.email.to }}" + email.local_id: "{{ parse_event.message.email_uid }}" + url.query: "{{ parse_event.message.url.query_string }}" + url.domain: "{{ parse_event.message.url.hostname }}" + url.path: "{{ parse_event.message.url.path }}" + url.port: "{{ parse_event.message.url.port }}" + url.scheme: "{{ parse_event.message.url.scheme }}" + url.subdomain: "{{ parse_event.message.url.subdomain }}" + 
url.original: "{{ parse_event.message.url.url_string }}" + - set: + email.attachments.file.size: "{{ parse_event.message.file.size }}" # @TODO fix with foreach + filter: "{{ parse_event.message.file.size != null }}" + - set: + email.attachments.file.name: "{{ parse_event.message.file.name }}" # @TODO fix with foreach + filter: "{{ parse_event.message.file.name != null }}" pipeline_category_application_activity: actions: - set: - http.response.status_code: "{{ parse_event.message.parse_event.message.http_response.code }}" - http.response.body.bytes: "{{ parse_event.message.parse_event.message.http_response.length }}" - http.response.body.content: "{{ parse_event.message.parse_event.message.http_response.message }}" + http.response.status_code: "{{ parse_event.message.http_response.code }}" + http.response.body.bytes: "{{ parse_event.message.http_response.length }}" + http.response.body.content: "{{ parse_event.message.http_response.message }}" pipeline_category_discovery: actions: - set: - rule.category: "{{ parse_event.message.parse_event.message.cis_benchmark_result.rule.category }}" - rule.description: "{{ parse_event.message.parse_event.message.cis_benchmark_result.rule.desc }}" - rule.name: "{{ parse_event.message.parse_event.message.cis_benchmark_result.rule.name }}" - rule.uuid: "{{ parse_event.message.parse_event.message.cis_benchmark_result.rule.uid }}" - rule.version: "{{ parse_event.message.parse_event.message.cis_benchmark_result.rule.version }}" + rule.category: "{{ parse_event.message.cis_benchmark_result.rule.category }}" + rule.description: "{{ parse_event.message.cis_benchmark_result.rule.desc }}" + rule.name: "{{ parse_event.message.cis_benchmark_result.rule.name }}" + rule.uuid: "{{ parse_event.message.cis_benchmark_result.rule.uid }}" + rule.version: "{{ parse_event.message.cis_benchmark_result.rule.version }}" 
diff --git a/OCSF/ocsf/tests/test_application_activity_1.json b/OCSF/ocsf/tests/test_application_activity_1.json
new file mode 100644
index 000000000..c955d08b2
--- /dev/null
+++ b/OCSF/ocsf/tests/test_application_activity_1.json
@@ -0,0 +1,33 @@
+{
+ "input": {
+ "message": "{\"http_request\": {\"version\": \"1.0.0\", \"uid\": \"072e083a-584a-11ee-9892-0242ac110005\", \"url\": {\"port\": 51670, \"scheme\": \"metallica races fears\", \"path\": \"container profiles content\", \"hostname\": \"congress.nato\", \"query_string\": \"pads palestinian already\", \"category_ids\": [35, 59], \"url_string\": \"daily\"}, \"user_agent\": \"webpage assets adams\", \"http_headers\": [{\"name\": \"aol jim thick\", \"value\": \"unexpected counts ease\"}, {\"name\": \"ride sender reflections\", \"value\": \"persistent irc finest\"}], \"http_method\": \"GET\"}, \"message\": \"brain bear brush\", \"status\": \"Unknown\", \"time\": 1695277679358, \"device\": {\"name\": \"explains slow junior\", \"type\": \"IOT\", \"ip\": \"81.2.69.142\", \"desc\": \"evaluate permits yesterday\", \"uid\": \"072de986-584a-11ee-b258-0242ac110005\", \"hostname\": \"chuck.int\", \"type_id\": 7, \"interface_name\": \"uzbekistan published feedback\", \"interface_uid\": \"072ddc66-584a-11ee-9824-0242ac110005\", \"last_seen_time\": 1695277679358, \"region\": \"invalid expressed participating\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"loc bw pa\", \"version\": \"1.0.0\", \"uid\": \"072dafa2-584a-11ee-bca3-0242ac110005\", \"lang\": \"en\", \"url_string\": \"indirect\", \"vendor_name\": \"fotos choir archive\"}, \"sequence\": 20, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"correlation_uid\": \"072db420-584a-11ee-adc0-0242ac110005\", \"event_code\": \"edward\", \"log_name\": \"foul jackson termination\", \"log_provider\": \"copper protective inexpensive\", \"original_time\": \"diploma mesh certified\", \"logged_time_dt\": \"2023-09-21T06:42:26.632427Z\"}, \"severity\": \"High\", \"type_name\": \"Web Resource Access Activity: Access Error\", \"activity_id\": 4, \"type_uid\": 600404, \"category_name\": \"Application Activity\", \"class_uid\": 6004, \"category_uid\": 6, \"class_name\": \"Web Resource Access Activity\", \"timezone_offset\": 55, \"activity_name\": \"Access Error\", \"cloud\": {\"org\": {\"name\": \"brazil newbie loc\", \"uid\": \"072d99ea-584a-11ee-920a-0242ac110005\", \"ou_name\": \"predicted themselves missile\", \"ou_uid\": \"072da124-584a-11ee-bf8b-0242ac110005\"}, \"provider\": \"speeches mail lack\"}, \"severity_id\": 4, \"status_id\": 0, \"web_resources\": [{\"name\": \"ghost formats res\", \"desc\": \"pleased won coverage\", \"uid\": \"072dbbbe-584a-11ee-b4cc-0242ac110005\", \"type\": \"package type\", \"url_string\": \"consists\"}, {\"data\": {\"logitech\": \"dehbs\"}, \"url_string\": \"devil\"}], \"start_time_dt\": \"2023-09-21T06:42:26.634761Z\", \"http_response\": {\"code\": 22, \"length\": 40, \"latency\": 3, \"message\": \"message regarding htp response\"}}",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "OCSF",
+ "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5"
+ }
+ }
+ },
+ "expected": {
+ "message": "{\"http_request\": {\"version\": \"1.0.0\", \"uid\": \"072e083a-584a-11ee-9892-0242ac110005\", \"url\": {\"port\": 51670, \"scheme\": \"metallica races fears\", \"path\": \"container profiles content\", \"hostname\": \"congress.nato\", \"query_string\": \"pads palestinian already\", \"category_ids\": [35, 59], \"url_string\": \"daily\"}, \"user_agent\": \"webpage assets adams\", \"http_headers\": [{\"name\": \"aol jim thick\", \"value\": \"unexpected counts ease\"}, {\"name\": \"ride sender reflections\", \"value\": \"persistent irc finest\"}], \"http_method\": \"GET\"}, \"message\": \"brain bear brush\", \"status\": \"Unknown\", \"time\": 1695277679358, \"device\": {\"name\": \"explains slow junior\", \"type\": \"IOT\", \"ip\": \"81.2.69.142\", \"desc\": \"evaluate permits yesterday\", \"uid\": \"072de986-584a-11ee-b258-0242ac110005\", \"hostname\": \"chuck.int\", \"type_id\": 7, \"interface_name\": \"uzbekistan published feedback\", \"interface_uid\": \"072ddc66-584a-11ee-9824-0242ac110005\", \"last_seen_time\": 1695277679358, \"region\": \"invalid expressed participating\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"loc bw pa\", \"version\": \"1.0.0\", \"uid\": \"072dafa2-584a-11ee-bca3-0242ac110005\", \"lang\": \"en\", \"url_string\": \"indirect\", \"vendor_name\": \"fotos choir archive\"}, \"sequence\": 20, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"correlation_uid\": \"072db420-584a-11ee-adc0-0242ac110005\", \"event_code\": \"edward\", \"log_name\": \"foul jackson termination\", \"log_provider\": \"copper protective inexpensive\", \"original_time\": \"diploma mesh certified\", \"logged_time_dt\": \"2023-09-21T06:42:26.632427Z\"}, \"severity\": \"High\", \"type_name\": \"Web Resource Access Activity: Access Error\", \"activity_id\": 4, \"type_uid\": 600404, \"category_name\": \"Application Activity\", \"class_uid\": 6004, \"category_uid\": 6, \"class_name\": \"Web Resource Access Activity\", \"timezone_offset\": 55, \"activity_name\": \"Access Error\", \"cloud\": {\"org\": {\"name\": \"brazil newbie loc\", \"uid\": \"072d99ea-584a-11ee-920a-0242ac110005\", \"ou_name\": \"predicted themselves missile\", \"ou_uid\": \"072da124-584a-11ee-bf8b-0242ac110005\"}, \"provider\": \"speeches mail lack\"}, \"severity_id\": 4, \"status_id\": 0, \"web_resources\": [{\"name\": \"ghost formats res\", \"desc\": \"pleased won coverage\", \"uid\": \"072dbbbe-584a-11ee-b4cc-0242ac110005\", \"type\": \"package type\", \"url_string\": \"consists\"}, {\"data\": {\"logitech\": \"dehbs\"}, \"url_string\": \"devil\"}], \"start_time_dt\": \"2023-09-21T06:42:26.634761Z\", \"http_response\": {\"code\": 22, \"length\": 40, \"latency\": 3, \"message\": \"message regarding htp response\"}}",
+ "event": {
+ "action": "access error",
+ "category": [
+ "web"
+ ],
+ "code": "edward",
+ "outcome": "unknown",
+ "provider": "copper protective inexpensive",
+ "sequence": 20,
+ "severity": 4,
+ "start": "2023-09-21T06:42:26.634761Z",
+ "type": [
+ "error"
+ ]
+ },
+ "cloud": {
+ "provider": "speeches mail lack"
+ },
+ "ocsf": "{\"activity_id\": 4, \"activity_name\": \"Access Error\", \"category_name\": \"Application Activity\", \"category_uid\": 6, \"class_name\": \"Web Resource Access Activity\", \"class_uid\": 6004, \"cloud\": {\"org\": {\"name\": \"brazil newbie loc\", \"ou_name\": \"predicted themselves missile\", \"ou_uid\": \"072da124-584a-11ee-bf8b-0242ac110005\", \"uid\": \"072d99ea-584a-11ee-920a-0242ac110005\"}, \"provider\": \"speeches mail lack\"}, \"device\": {\"desc\": \"evaluate permits yesterday\", \"hostname\": \"chuck.int\", \"interface_name\": \"uzbekistan published feedback\", \"interface_uid\": \"072ddc66-584a-11ee-9824-0242ac110005\", \"ip\": \"81.2.69.142\", \"last_seen_time\": 1695277679358, \"name\": \"explains slow junior\", \"region\": \"invalid expressed participating\", \"type\": \"IOT\", \"type_id\": 7, \"uid\": \"072de986-584a-11ee-b258-0242ac110005\"}, \"http_request\": {\"http_headers\": [{\"name\": \"aol jim thick\", \"value\": \"unexpected counts ease\"}, {\"name\": \"ride sender reflections\", \"value\": \"persistent irc finest\"}], \"http_method\": \"GET\", \"uid\": \"072e083a-584a-11ee-9892-0242ac110005\", \"url\": {\"category_ids\": [35, 59], \"hostname\": \"congress.nato\", \"path\": \"container profiles content\", \"port\": 51670, \"query_string\": \"pads palestinian already\", \"scheme\": \"metallica races fears\", \"url_string\": \"daily\"}, \"user_agent\": \"webpage assets adams\", \"version\": \"1.0.0\"}, \"http_response\": {\"code\": 22, \"latency\": 3, \"length\": 40, \"message\": \"message regarding htp response\"}, \"message\": \"brain bear brush\", \"metadata\": {\"correlation_uid\": \"072db420-584a-11ee-adc0-0242ac110005\", \"event_code\": \"edward\", \"log_name\": \"foul jackson termination\", \"log_provider\": \"copper protective inexpensive\", \"logged_time_dt\": \"2023-09-21T06:42:26.632427Z\", \"original_time\": \"diploma mesh certified\", \"product\": {\"lang\": \"en\", \"name\": \"loc bw pa\", \"uid\": \"072dafa2-584a-11ee-bca3-0242ac110005\", \"url_string\": \"indirect\", \"vendor_name\": \"fotos choir archive\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"sequence\": 20, \"version\": \"1.0.0\"}, \"severity\": \"High\", \"severity_id\": 4, \"start_time_dt\": \"2023-09-21T06:42:26.634761Z\", \"status\": \"Unknown\", \"status_id\": 0, \"time\": 1695277679358, \"timezone_offset\": 55, \"type_name\": \"Web Resource Access Activity: Access Error\", \"type_uid\": 600404, \"web_resources\": [{\"desc\": \"pleased won coverage\", \"name\": \"ghost formats res\", \"type\": \"package type\", \"uid\": \"072dbbbe-584a-11ee-b4cc-0242ac110005\", \"url_string\": \"consists\"}, {\"data\": {\"logitech\": \"dehbs\"}, \"url_string\": \"devil\"}]}"
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_application_activity_2.json b/OCSF/ocsf/tests/test_application_activity_2.json
new file mode 100644
index 000000000..f875dc7d8
--- /dev/null
+++ b/OCSF/ocsf/tests/test_application_activity_2.json
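Review bot: The `expected` block records no `http.response.*` or `url.*` fields, although the input event carries `http_response.code`/`length`/`message` and `http_request.url`, and the parser.yml hunk earlier in this patch maps `http_response.code` to `http.response.status_code` under `pipeline_category_application_activity`. Either that stage is not dispatched for class_uid 6004 in the part of parser.yml outside this chunk, or the fixture's expected output is incomplete; as written the fixture cannot catch a regression in that mapping. Confirming which of the two holds, and adding the missing expected keys if the stage does run, would make the test a meaningful regression check.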
@@ -0,0 +1,42 @@ +{ + "input": { + "message": "{\"message\": \"washington like safari\", \"status\": \"Failure\", \"time\": 1695277679358, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"eligible scenes worm\", \"version\": \"1.0.0\", \"uid\": \"f6508420-520e-11ee-adcc-0242ac110004\", \"feature\": {\"name\": \"australia cup bios\", \"version\": \"1.0.0\", \"uid\": \"f6508bfa-520e-11ee-b54c-0242ac110004\"}, \"lang\": \"en\", \"vendor_name\": \"fix complicated accreditation\"}, \"sequence\": 78, \"profiles\": [], \"log_name\": \"ur bother bearing\", \"log_provider\": \"performs elevation fox\", \"log_version\": \"three maritime cowboy\", \"logged_time\": 1695277679358, \"original_time\": \"moore genetic symbols\", \"processed_time\": 1695277679358}, \"start_time\": 1695277679358, \"severity\": \"Unknown\", \"type_name\": \"Web Resources Activity: Create\", \"category_name\": \"Application Activity\", \"timezone_offset\": 83, \"activity_id\": 1, \"class_uid\": 6001, \"type_uid\": 600101, \"category_uid\": 6, \"class_name\": \"Web Resources Activity\", \"activity_name\": \"Create\", \"severity_id\": 0, \"src_endpoint\": {\"name\": \"leasing imperial toner\", \"port\": 31790, \"domain\": \"hawaii unfortunately copying\", \"ip\": \"81.2.69.142\", \"hostname\": \"saudi.int\", \"uid\": \"f650994c-520e-11ee-a9f4-0242ac110004\", \"instance_uid\": \"f6509d0c-520e-11ee-9e6b-0242ac110004\", \"interface_name\": \"somewhere mentor crm\", \"interface_uid\": \"f650a3f6-520e-11ee-882f-0242ac110004\", \"intermediate_ips\": [\"81.2.69.142\", \"81.2.69.143\"], \"svc_name\": \"sheets horror trader\", \"vlan_uid\": \"f650a8a6-520e-11ee-b961-0242ac110004\"}, \"status_detail\": \"only zone its\", \"status_id\": 2, \"web_resources\": [{\"data\": {\"discretion\": \"fhbds\"}, \"desc\": \"Description of web resource\", \"name\": \"concept navigator constitution\", \"type\": \"fundamental previous ty\", \"url_string\": \"past\"}], \"web_resources_result\": [{\"type\": 
\"prediction sunglasses rounds\", \"uid\": \"f65072d2-520e-11ee-9b9a-0242ac110004\", \"url_string\": \"military\"}, {\"data\": {\"protect\": \"rfvfd\"}, \"url_string\": \"association\"}]}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"message\": \"washington like safari\", \"status\": \"Failure\", \"time\": 1695277679358, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"eligible scenes worm\", \"version\": \"1.0.0\", \"uid\": \"f6508420-520e-11ee-adcc-0242ac110004\", \"feature\": {\"name\": \"australia cup bios\", \"version\": \"1.0.0\", \"uid\": \"f6508bfa-520e-11ee-b54c-0242ac110004\"}, \"lang\": \"en\", \"vendor_name\": \"fix complicated accreditation\"}, \"sequence\": 78, \"profiles\": [], \"log_name\": \"ur bother bearing\", \"log_provider\": \"performs elevation fox\", \"log_version\": \"three maritime cowboy\", \"logged_time\": 1695277679358, \"original_time\": \"moore genetic symbols\", \"processed_time\": 1695277679358}, \"start_time\": 1695277679358, \"severity\": \"Unknown\", \"type_name\": \"Web Resources Activity: Create\", \"category_name\": \"Application Activity\", \"timezone_offset\": 83, \"activity_id\": 1, \"class_uid\": 6001, \"type_uid\": 600101, \"category_uid\": 6, \"class_name\": \"Web Resources Activity\", \"activity_name\": \"Create\", \"severity_id\": 0, \"src_endpoint\": {\"name\": \"leasing imperial toner\", \"port\": 31790, \"domain\": \"hawaii unfortunately copying\", \"ip\": \"81.2.69.142\", \"hostname\": \"saudi.int\", \"uid\": \"f650994c-520e-11ee-a9f4-0242ac110004\", \"instance_uid\": \"f6509d0c-520e-11ee-9e6b-0242ac110004\", \"interface_name\": \"somewhere mentor crm\", \"interface_uid\": \"f650a3f6-520e-11ee-882f-0242ac110004\", \"intermediate_ips\": [\"81.2.69.142\", \"81.2.69.143\"], \"svc_name\": \"sheets horror trader\", \"vlan_uid\": \"f650a8a6-520e-11ee-b961-0242ac110004\"}, \"status_detail\": \"only 
zone its\", \"status_id\": 2, \"web_resources\": [{\"data\": {\"discretion\": \"fhbds\"}, \"desc\": \"Description of web resource\", \"name\": \"concept navigator constitution\", \"type\": \"fundamental previous ty\", \"url_string\": \"past\"}], \"web_resources_result\": [{\"type\": \"prediction sunglasses rounds\", \"uid\": \"f65072d2-520e-11ee-9b9a-0242ac110004\", \"url_string\": \"military\"}, {\"data\": {\"protect\": \"rfvfd\"}, \"url_string\": \"association\"}]}", + "event": { + "action": "create", + "outcome": "failure", + "provider": "performs elevation fox", + "sequence": 78, + "severity": 0, + "start": "2023-09-21T06:27:59.358000Z" + }, + "network": { + "application": "sheets horror trader" + }, + "ocsf": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"category_name\": \"Application Activity\", \"category_uid\": 6, \"class_name\": \"Web Resources Activity\", \"class_uid\": 6001, \"message\": \"washington like safari\", \"metadata\": {\"log_name\": \"ur bother bearing\", \"log_provider\": \"performs elevation fox\", \"log_version\": \"three maritime cowboy\", \"logged_time\": 1695277679358, \"original_time\": \"moore genetic symbols\", \"processed_time\": 1695277679358, \"product\": {\"feature\": {\"name\": \"australia cup bios\", \"uid\": \"f6508bfa-520e-11ee-b54c-0242ac110004\", \"version\": \"1.0.0\"}, \"lang\": \"en\", \"name\": \"eligible scenes worm\", \"uid\": \"f6508420-520e-11ee-adcc-0242ac110004\", \"vendor_name\": \"fix complicated accreditation\", \"version\": \"1.0.0\"}, \"profiles\": [], \"sequence\": 78, \"version\": \"1.0.0\"}, \"severity\": \"Unknown\", \"severity_id\": 0, \"src_endpoint\": {\"domain\": \"hawaii unfortunately copying\", \"hostname\": \"saudi.int\", \"instance_uid\": \"f6509d0c-520e-11ee-9e6b-0242ac110004\", \"interface_name\": \"somewhere mentor crm\", \"interface_uid\": \"f650a3f6-520e-11ee-882f-0242ac110004\", \"intermediate_ips\": [\"81.2.69.142\", \"81.2.69.143\"], \"ip\": \"81.2.69.142\", \"name\": \"leasing 
imperial toner\", \"port\": 31790, \"svc_name\": \"sheets horror trader\", \"uid\": \"f650994c-520e-11ee-a9f4-0242ac110004\", \"vlan_uid\": \"f650a8a6-520e-11ee-b961-0242ac110004\"}, \"start_time\": 1695277679358, \"status\": \"Failure\", \"status_detail\": \"only zone its\", \"status_id\": 2, \"time\": 1695277679358, \"timezone_offset\": 83, \"type_name\": \"Web Resources Activity: Create\", \"type_uid\": 600101, \"web_resources\": [{\"data\": {\"discretion\": \"fhbds\"}, \"desc\": \"Description of web resource\", \"name\": \"concept navigator constitution\", \"type\": \"fundamental previous ty\", \"url_string\": \"past\"}], \"web_resources_result\": [{\"type\": \"prediction sunglasses rounds\", \"uid\": \"f65072d2-520e-11ee-9b9a-0242ac110004\", \"url_string\": \"military\"}, {\"data\": {\"protect\": \"rfvfd\"}, \"url_string\": \"association\"}]}", + "related": { + "hosts": [ + "saudi.int" + ], + "ip": [ + "81.2.69.142" + ] + }, + "source": { + "address": "saudi.int", + "domain": "saudi.int", + "ip": "81.2.69.142", + "port": 31790, + "registered_domain": "saudi.int", + "top_level_domain": "int" + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_application_activity_3.json b/OCSF/ocsf/tests/test_application_activity_3.json new file mode 100644 index 000000000..b6d69c006 --- /dev/null +++ b/OCSF/ocsf/tests/test_application_activity_3.json 
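Review bot: In the expected output, `related.ip` asserts only `81.2.69.142`, while the input's `src_endpoint.intermediate_ips` also carries `81.2.69.143`; if `related.ip` is meant to be the pivot set for every address in the event, the fixture should expect `"ip": ["81.2.69.142", "81.2.69.143"]` and the parser should feed `intermediate_ips` into it. Separately, `source.domain` and `source.registered_domain` are derived from `src_endpoint.hostname` (`saudi.int`) and the OCSF `src_endpoint.domain` value is dropped; that matches ECS semantics for `source.domain`, but a one-line comment in the parser mapping would make the choice look deliberate. The expected `ocsf` value is the full event re-serialized as a single JSON string, duplicating `message`; if per-field search on the OCSF attributes is intended, it is worth confirming whether the mapping expects an object here rather than a string.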
@@ -0,0 +1,35 @@ +{ + "input": { + "message": "{\"message\": \"issues kings loop\", \"status\": \"Success\", \"time\": 1695277679358, \"device\": {\"name\": \"knows col covered\", \"type\": \"Unknown\", \"domain\": \"allied had insulation\", \"ip\": \"81.2.69.142\", \"uid\": \"651987a6-584c-11ee-ad31-0242ac110005\", \"hostname\": \"zinc.biz\", \"org\": {\"name\": \"chaos winner entered\", \"uid\": \"65197a86-584c-11ee-96c1-0242ac110005\", \"ou_name\": \"music client leaf\"}, \"type_id\": 0, \"created_time\": 1695277679358, \"hw_info\": {\"ram_size\": 84, \"serial_number\": \"training blink executives\"}, \"instance_uid\": \"65197efa-584c-11ee-bc04-0242ac110005\", \"interface_name\": \"lightbox bugs spain\", \"interface_uid\": \"6519835a-584c-11ee-b813-0242ac110005\", \"is_personal\": false, \"region\": \"casio paris norway\", \"subnet_uid\": \"6519725c-584c-11ee-b6a2-0242ac110005\", \"uid_alt\": \"older audience trends\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"enzyme cookie citations\", \"version\": \"1.0.0\", \"uid\": \"65195f88-584c-11ee-8118-0242ac110005\", \"lang\": \"en\", \"url_string\": \"deck\", \"vendor_name\": \"rochester school force\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"log_name\": \"collaboration blood loan\", \"log_provider\": \"jurisdiction protecting witness\", \"original_time\": \"effectively dimensional reservation\", \"modified_time_dt\": \"2023-09-21T06:59:23.198620Z\"}, \"app\": {\"name\": \"bottom loud knowledge\", \"version\": \"1.0.0\", \"uid\": \"6519a3da-584c-11ee-8c89-0242ac110005\", \"path\": \"path o f\", \"feature\": {\"name\": \"mit received implemented\", \"version\": \"1.0.0\", \"uid\": \"6519aa4c-584c-11ee-ac40-0242ac110005\"}, \"lang\": \"en\", \"vendor_name\": \"ss keeping administered\"}, \"severity\": \"Fatal\", \"type_name\": \"Application Lifecycle: Other\", \"activity_id\": 99, \"type_uid\": 600299, \"category_name\": \"Application Activity\", \"class_uid\": 6002, 
\"category_uid\": 6, \"class_name\": \"Application Lifecycle\", \"activity_name\": \"look\", \"cloud\": {\"org\": {\"name\": \"exclusive variables tag\", \"uid\": \"65193f12-584c-11ee-ae9b-0242ac110005\", \"ou_name\": \"custom packard pierre\"}, \"account\": {\"type\": \"AWS Account\", \"uid\": \"65194d7c-584c-11ee-8857-0242ac110005\", \"type_id\": 10}, \"provider\": \"infrared delayed visiting\", \"region\": \"initial lucia designer\"}, \"severity_id\": 6, \"status_detail\": \"rat forth dishes\", \"status_id\": 1, \"start_time_dt\": \"2023-09-21T06:59:23.200400Z\"}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"message\": \"issues kings loop\", \"status\": \"Success\", \"time\": 1695277679358, \"device\": {\"name\": \"knows col covered\", \"type\": \"Unknown\", \"domain\": \"allied had insulation\", \"ip\": \"81.2.69.142\", \"uid\": \"651987a6-584c-11ee-ad31-0242ac110005\", \"hostname\": \"zinc.biz\", \"org\": {\"name\": \"chaos winner entered\", \"uid\": \"65197a86-584c-11ee-96c1-0242ac110005\", \"ou_name\": \"music client leaf\"}, \"type_id\": 0, \"created_time\": 1695277679358, \"hw_info\": {\"ram_size\": 84, \"serial_number\": \"training blink executives\"}, \"instance_uid\": \"65197efa-584c-11ee-bc04-0242ac110005\", \"interface_name\": \"lightbox bugs spain\", \"interface_uid\": \"6519835a-584c-11ee-b813-0242ac110005\", \"is_personal\": false, \"region\": \"casio paris norway\", \"subnet_uid\": \"6519725c-584c-11ee-b6a2-0242ac110005\", \"uid_alt\": \"older audience trends\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"enzyme cookie citations\", \"version\": \"1.0.0\", \"uid\": \"65195f88-584c-11ee-8118-0242ac110005\", \"lang\": \"en\", \"url_string\": \"deck\", \"vendor_name\": \"rochester school force\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"log_name\": \"collaboration blood loan\", 
\"log_provider\": \"jurisdiction protecting witness\", \"original_time\": \"effectively dimensional reservation\", \"modified_time_dt\": \"2023-09-21T06:59:23.198620Z\"}, \"app\": {\"name\": \"bottom loud knowledge\", \"version\": \"1.0.0\", \"uid\": \"6519a3da-584c-11ee-8c89-0242ac110005\", \"path\": \"path o f\", \"feature\": {\"name\": \"mit received implemented\", \"version\": \"1.0.0\", \"uid\": \"6519aa4c-584c-11ee-ac40-0242ac110005\"}, \"lang\": \"en\", \"vendor_name\": \"ss keeping administered\"}, \"severity\": \"Fatal\", \"type_name\": \"Application Lifecycle: Other\", \"activity_id\": 99, \"type_uid\": 600299, \"category_name\": \"Application Activity\", \"class_uid\": 6002, \"category_uid\": 6, \"class_name\": \"Application Lifecycle\", \"activity_name\": \"look\", \"cloud\": {\"org\": {\"name\": \"exclusive variables tag\", \"uid\": \"65193f12-584c-11ee-ae9b-0242ac110005\", \"ou_name\": \"custom packard pierre\"}, \"account\": {\"type\": \"AWS Account\", \"uid\": \"65194d7c-584c-11ee-8857-0242ac110005\", \"type_id\": 10}, \"provider\": \"infrared delayed visiting\", \"region\": \"initial lucia designer\"}, \"severity_id\": 6, \"status_detail\": \"rat forth dishes\", \"status_id\": 1, \"start_time_dt\": \"2023-09-21T06:59:23.200400Z\"}", + "event": { + "action": "look", + "category": [ + "package" + ], + "outcome": "success", + "provider": "jurisdiction protecting witness", + "severity": 6, + "start": "2023-09-21T06:59:23.200400Z", + "type": [ + "info" + ] + }, + "cloud": { + "account": { + "id": "65194d7c-584c-11ee-8857-0242ac110005" + }, + "provider": "infrared delayed visiting", + "region": "initial lucia designer" + }, + "ocsf": "{\"activity_id\": 99, \"activity_name\": \"look\", \"app\": {\"feature\": {\"name\": \"mit received implemented\", \"uid\": \"6519aa4c-584c-11ee-ac40-0242ac110005\", \"version\": \"1.0.0\"}, \"lang\": \"en\", \"name\": \"bottom loud knowledge\", \"path\": \"path o f\", \"uid\": \"6519a3da-584c-11ee-8c89-0242ac110005\", 
\"vendor_name\": \"ss keeping administered\", \"version\": \"1.0.0\"}, \"category_name\": \"Application Activity\", \"category_uid\": 6, \"class_name\": \"Application Lifecycle\", \"class_uid\": 6002, \"cloud\": {\"account\": {\"type\": \"AWS Account\", \"type_id\": 10, \"uid\": \"65194d7c-584c-11ee-8857-0242ac110005\"}, \"org\": {\"name\": \"exclusive variables tag\", \"ou_name\": \"custom packard pierre\", \"uid\": \"65193f12-584c-11ee-ae9b-0242ac110005\"}, \"provider\": \"infrared delayed visiting\", \"region\": \"initial lucia designer\"}, \"device\": {\"created_time\": 1695277679358, \"domain\": \"allied had insulation\", \"hostname\": \"zinc.biz\", \"hw_info\": {\"ram_size\": 84, \"serial_number\": \"training blink executives\"}, \"instance_uid\": \"65197efa-584c-11ee-bc04-0242ac110005\", \"interface_name\": \"lightbox bugs spain\", \"interface_uid\": \"6519835a-584c-11ee-b813-0242ac110005\", \"ip\": \"81.2.69.142\", \"is_personal\": false, \"name\": \"knows col covered\", \"org\": {\"name\": \"chaos winner entered\", \"ou_name\": \"music client leaf\", \"uid\": \"65197a86-584c-11ee-96c1-0242ac110005\"}, \"region\": \"casio paris norway\", \"subnet_uid\": \"6519725c-584c-11ee-b6a2-0242ac110005\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"651987a6-584c-11ee-ad31-0242ac110005\", \"uid_alt\": \"older audience trends\"}, \"message\": \"issues kings loop\", \"metadata\": {\"log_name\": \"collaboration blood loan\", \"log_provider\": \"jurisdiction protecting witness\", \"modified_time_dt\": \"2023-09-21T06:59:23.198620Z\", \"original_time\": \"effectively dimensional reservation\", \"product\": {\"lang\": \"en\", \"name\": \"enzyme cookie citations\", \"uid\": \"65195f88-584c-11ee-8118-0242ac110005\", \"url_string\": \"deck\", \"vendor_name\": \"rochester school force\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"version\": \"1.0.0\"}, \"severity\": \"Fatal\", \"severity_id\": 6, \"start_time_dt\": 
\"2023-09-21T06:59:23.200400Z\", \"status\": \"Success\", \"status_detail\": \"rat forth dishes\", \"status_id\": 1, \"time\": 1695277679358, \"type_name\": \"Application Lifecycle: Other\", \"type_uid\": 600299}" + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_discovery_1.json b/OCSF/ocsf/tests/test_discovery_1.json new file mode 100644 index 000000000..36a0d21d4 --- /dev/null +++ b/OCSF/ocsf/tests/test_discovery_1.json 
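Review bot: The expected output maps nothing from the OCSF `device` object into ECS, so `device.hostname` (`zinc.biz`) and `device.ip` (`81.2.69.142`) survive only inside the serialized `ocsf` string, with no `host.hostname`, `host.ip` or `related.hosts`/`related.ip` entries; the same gap exists in test_discovery_1.json (`lucas.pro`, `81.2.69.142`) and test_discovery_2.json (device `mac`, `os` and `location`). For detection and pivoting the originating device is usually the most important field, so the fixture should expect at least `"host": {"hostname": "zinc.biz", "ip": "81.2.69.142"}` plus the matching `related` entries, and the parser should populate them. The `cloud.account.id`, `cloud.provider` and `cloud.region` assertions look correct as written.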
@@ -0,0 +1,30 @@ +{ + "input": { + "message": "{\"count\": 73, \"message\": \"flags feel absolute\", \"cis_benchmark_result\": {\"rule\": {\"category\": \"descidhscate\", \"desc\": \"rule_description\", \"name\": \"rule_name\", \"uid\": \"rule123\", \"version\": \"0.1.0\"}}, \"status\": \"creativity\", \"time\": 1695277679358, \"device\": {\"name\": \"ranked murder listing\", \"type\": \"Desktop\", \"ip\": \"81.2.69.142\", \"uid\": \"023e2564-5848-11ee-9c42-0242ac110005\", \"hostname\": \"lucas.pro\", \"type_id\": 2, \"subnet\": \"49.28.0.0/16\", \"autoscale_uid\": \"023de734-5848-11ee-b193-0242ac110005\", \"instance_uid\": \"023dec02-5848-11ee-8203-0242ac110005\", \"interface_name\": \"jerry street buried\", \"interface_uid\": \"023e1a06-5848-11ee-89c6-0242ac110005\", \"region\": \"inline contains milwaukee\", \"risk_level\": \"russell customized absolutely\", \"risk_score\": 36, \"uid_alt\": \"burst premier reverse\", \"vpc_uid\": \"023e205a-5848-11ee-a8d6-0242ac110005\", \"modified_time_dt\": \"2023-09-21T06:27:59.357977Z\", \"first_seen_time_dt\": \"2023-09-21T06:27:59.356353Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"extension\": {\"name\": \"chess entry productive\", \"version\": \"1.0.0\", \"uid\": \"023dccfe-5848-11ee-8227-0242ac110005\"}, \"product\": {\"name\": \"legal subsidiary eleven\", \"version\": \"1.0.0\", \"path\": \"financial spot tennis\", \"uid\": \"023dd33e-5848-11ee-aa6d-0242ac110005\", \"vendor_name\": \"assumes podcast went\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"correlation_uid\": \"023dd7c6-5848-11ee-9d4d-0242ac110005\", \"log_provider\": \"reliance trust interim\", \"original_time\": \"database darwin area\", \"processed_time_dt\": \"2023-09-21T06:27:59.356124Z\"}, \"severity\": \"Fatal\", \"type_name\": \"Device Config State: Collect\", \"activity_id\": 2, \"type_uid\": 500202, \"category_name\": \"Discovery\", \"class_uid\": 5002, \"category_uid\": 5, \"class_name\": \"Device Config State\", 
\"timezone_offset\": 0, \"activity_name\": \"Collect\", \"cloud\": {\"org\": {\"uid\": \"023dbdcc-5848-11ee-bd54-0242ac110005\", \"ou_name\": \"determined apr sheets\"}, \"provider\": \"mathematical inclusive insured\", \"region\": \"gravity bids tennis\"}, \"enrichments\": [{\"data\": {\"inexpensive\": \"abddfg\"}, \"name\": \"preview belarus licking\", \"type\": \"separation passes distance\", \"value\": \"magnitude cancellation weed\", \"provider\": \"surgical disaster individually\"}], \"severity_id\": 6, \"status_id\": 99}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"count\": 73, \"message\": \"flags feel absolute\", \"cis_benchmark_result\": {\"rule\": {\"category\": \"descidhscate\", \"desc\": \"rule_description\", \"name\": \"rule_name\", \"uid\": \"rule123\", \"version\": \"0.1.0\"}}, \"status\": \"creativity\", \"time\": 1695277679358, \"device\": {\"name\": \"ranked murder listing\", \"type\": \"Desktop\", \"ip\": \"81.2.69.142\", \"uid\": \"023e2564-5848-11ee-9c42-0242ac110005\", \"hostname\": \"lucas.pro\", \"type_id\": 2, \"subnet\": \"49.28.0.0/16\", \"autoscale_uid\": \"023de734-5848-11ee-b193-0242ac110005\", \"instance_uid\": \"023dec02-5848-11ee-8203-0242ac110005\", \"interface_name\": \"jerry street buried\", \"interface_uid\": \"023e1a06-5848-11ee-89c6-0242ac110005\", \"region\": \"inline contains milwaukee\", \"risk_level\": \"russell customized absolutely\", \"risk_score\": 36, \"uid_alt\": \"burst premier reverse\", \"vpc_uid\": \"023e205a-5848-11ee-a8d6-0242ac110005\", \"modified_time_dt\": \"2023-09-21T06:27:59.357977Z\", \"first_seen_time_dt\": \"2023-09-21T06:27:59.356353Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"extension\": {\"name\": \"chess entry productive\", \"version\": \"1.0.0\", \"uid\": \"023dccfe-5848-11ee-8227-0242ac110005\"}, \"product\": {\"name\": \"legal subsidiary eleven\", \"version\": \"1.0.0\", \"path\": 
\"financial spot tennis\", \"uid\": \"023dd33e-5848-11ee-aa6d-0242ac110005\", \"vendor_name\": \"assumes podcast went\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"correlation_uid\": \"023dd7c6-5848-11ee-9d4d-0242ac110005\", \"log_provider\": \"reliance trust interim\", \"original_time\": \"database darwin area\", \"processed_time_dt\": \"2023-09-21T06:27:59.356124Z\"}, \"severity\": \"Fatal\", \"type_name\": \"Device Config State: Collect\", \"activity_id\": 2, \"type_uid\": 500202, \"category_name\": \"Discovery\", \"class_uid\": 5002, \"category_uid\": 5, \"class_name\": \"Device Config State\", \"timezone_offset\": 0, \"activity_name\": \"Collect\", \"cloud\": {\"org\": {\"uid\": \"023dbdcc-5848-11ee-bd54-0242ac110005\", \"ou_name\": \"determined apr sheets\"}, \"provider\": \"mathematical inclusive insured\", \"region\": \"gravity bids tennis\"}, \"enrichments\": [{\"data\": {\"inexpensive\": \"abddfg\"}, \"name\": \"preview belarus licking\", \"type\": \"separation passes distance\", \"value\": \"magnitude cancellation weed\", \"provider\": \"surgical disaster individually\"}], \"severity_id\": 6, \"status_id\": 99}", + "event": { + "action": "collect", + "category": [ + "configuration" + ], + "provider": "reliance trust interim", + "severity": 6, + "type": [ + "info" + ] + }, + "cloud": { + "provider": "mathematical inclusive insured", + "region": "gravity bids tennis" + }, + "ocsf": "{\"activity_id\": 2, \"activity_name\": \"Collect\", \"category_name\": \"Discovery\", \"category_uid\": 5, \"cis_benchmark_result\": {\"rule\": {\"category\": \"descidhscate\", \"desc\": \"rule_description\", \"name\": \"rule_name\", \"uid\": \"rule123\", \"version\": \"0.1.0\"}}, \"class_name\": \"Device Config State\", \"class_uid\": 5002, \"cloud\": {\"org\": {\"ou_name\": \"determined apr sheets\", \"uid\": \"023dbdcc-5848-11ee-bd54-0242ac110005\"}, \"provider\": \"mathematical inclusive insured\", \"region\": \"gravity bids tennis\"}, \"count\": 
73, \"device\": {\"autoscale_uid\": \"023de734-5848-11ee-b193-0242ac110005\", \"first_seen_time_dt\": \"2023-09-21T06:27:59.356353Z\", \"hostname\": \"lucas.pro\", \"instance_uid\": \"023dec02-5848-11ee-8203-0242ac110005\", \"interface_name\": \"jerry street buried\", \"interface_uid\": \"023e1a06-5848-11ee-89c6-0242ac110005\", \"ip\": \"81.2.69.142\", \"modified_time_dt\": \"2023-09-21T06:27:59.357977Z\", \"name\": \"ranked murder listing\", \"region\": \"inline contains milwaukee\", \"risk_level\": \"russell customized absolutely\", \"risk_score\": 36, \"subnet\": \"49.28.0.0/16\", \"type\": \"Desktop\", \"type_id\": 2, \"uid\": \"023e2564-5848-11ee-9c42-0242ac110005\", \"uid_alt\": \"burst premier reverse\", \"vpc_uid\": \"023e205a-5848-11ee-a8d6-0242ac110005\"}, \"enrichments\": [{\"data\": {\"inexpensive\": \"abddfg\"}, \"name\": \"preview belarus licking\", \"provider\": \"surgical disaster individually\", \"type\": \"separation passes distance\", \"value\": \"magnitude cancellation weed\"}], \"message\": \"flags feel absolute\", \"metadata\": {\"correlation_uid\": \"023dd7c6-5848-11ee-9d4d-0242ac110005\", \"extension\": {\"name\": \"chess entry productive\", \"uid\": \"023dccfe-5848-11ee-8227-0242ac110005\", \"version\": \"1.0.0\"}, \"log_provider\": \"reliance trust interim\", \"original_time\": \"database darwin area\", \"processed_time_dt\": \"2023-09-21T06:27:59.356124Z\", \"product\": {\"name\": \"legal subsidiary eleven\", \"path\": \"financial spot tennis\", \"uid\": \"023dd33e-5848-11ee-aa6d-0242ac110005\", \"vendor_name\": \"assumes podcast went\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"version\": \"1.0.0\"}, \"severity\": \"Fatal\", \"severity_id\": 6, \"status\": \"creativity\", \"status_id\": 99, \"time\": 1695277679358, \"timezone_offset\": 0, \"type_name\": \"Device Config State: Collect\", \"type_uid\": 500202}" + } +} \ No newline at end of file 
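Review bot: The `cis_benchmark_result.rule` object (`uid` `rule123`, `name` `rule_name`, `version` `0.1.0`, `category`, `desc`) is not surfaced in the expected ECS fields, so a compliance finding is only retrievable by re-parsing the `ocsf` string; it maps naturally onto ECS `rule.id`, `rule.name`, `rule.version`, `rule.category` and `rule.description`, and the fixture should expect those. The absence of `event.outcome` for `status_id: 99` with the free-text status `creativity` looks right and is useful to keep as a negative assertion. `device.risk_score` (36) and `device.risk_level` are likewise dropped; if they are meant to be retained, `host.risk.calculated_score` / `host.risk.calculated_level` are the ECS fields for them.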
diff --git a/OCSF/ocsf/tests/test_discovery_2.json b/OCSF/ocsf/tests/test_discovery_2.json
new file mode 100644
index 000000000..5a6b6f7b0
--- /dev/null
+++ b/OCSF/ocsf/tests/test_discovery_2.json
@@ -0,0 +1,30 @@ +{ + "input": { + "message": "{\"message\": \"poster thongs assumptions\", \"status\": \"Success\", \"time\": 1695277679358, \"device\": {\"name\": \"craig functioning literally\", \"type\": \"Laptop\", \"os\": {\"name\": \"spy chronic casual\", \"type\": \"Android\", \"version\": \"1.0.0\", \"build\": \"dozen oval removing\", \"type_id\": 201, \"lang\": \"en\", \"edition\": \"nightmare engineers carter\"}, \"location\": {\"desc\": \"Reunion\", \"city\": \"Porcelain senior\", \"country\": \"RE\", \"coordinates\": [-161.6608, -47.0418], \"continent\": \"Africa\"}, \"uid\": \"7f256308-584d-11ee-8de0-0242ac110005\", \"image\": {\"name\": \"saudi enhanced surgical\", \"uid\": \"7f2554b2-584d-11ee-b26b-0242ac110005\"}, \"mac\": \"C6:49:F0:76:1D:13:CE:F7\", \"type_id\": 3, \"autoscale_uid\": \"7f25415c-584d-11ee-b3fc-0242ac110005\", \"hw_info\": {\"cpu_bits\": 66}, \"instance_uid\": \"7f254ea4-584d-11ee-a68f-0242ac110005\", \"interface_name\": \"watt profile rs\", \"is_personal\": false, \"last_seen_time\": 1695277679358, \"region\": \"airport leaves kitchen\", \"risk_level\": \"organizational economic connecticut\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"butterfly knight log\", \"version\": \"1.0.0\", \"uid\": \"7f25336a-584d-11ee-b2a5-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"disciplinary rec report\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"event_code\": \"spelling\", \"log_name\": \"len falling educational\", \"log_provider\": \"tales asset extremely\", \"log_version\": \"learners headlines linear\", \"original_time\": \"programmers less barcelona\", \"processed_time\": 1695280036393}, \"severity\": \"Critical\", \"type_name\": \"Device Inventory Info: Collect\", \"activity_id\": 2, \"type_uid\": 500102, \"category_name\": \"Discovery\", \"class_uid\": 5001, \"category_uid\": 5, \"class_name\": \"Device Inventory Info\", \"timezone_offset\": 65, \"activity_name\": \"Collect\", 
\"cloud\": {\"org\": {\"name\": \"black lets promotions\", \"ou_name\": \"recover sol revolutionary\"}, \"provider\": \"mod force sailing\", \"region\": \"ticket resident buried\"}, \"enrichments\": [{\"data\": {\"nintendo\": \"abcd\"}, \"name\": \"visual mv bottom\", \"type\": \"calibration basics quebec\", \"value\": \"alice stick spray\", \"provider\": \"lucy permanent trips\"}], \"severity_id\": 5, \"status_code\": \"vancouver\", \"status_id\": 1, \"start_time_dt\": \"2023-09-21T07:07:16.394812Z\"}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"message\": \"poster thongs assumptions\", \"status\": \"Success\", \"time\": 1695277679358, \"device\": {\"name\": \"craig functioning literally\", \"type\": \"Laptop\", \"os\": {\"name\": \"spy chronic casual\", \"type\": \"Android\", \"version\": \"1.0.0\", \"build\": \"dozen oval removing\", \"type_id\": 201, \"lang\": \"en\", \"edition\": \"nightmare engineers carter\"}, \"location\": {\"desc\": \"Reunion\", \"city\": \"Porcelain senior\", \"country\": \"RE\", \"coordinates\": [-161.6608, -47.0418], \"continent\": \"Africa\"}, \"uid\": \"7f256308-584d-11ee-8de0-0242ac110005\", \"image\": {\"name\": \"saudi enhanced surgical\", \"uid\": \"7f2554b2-584d-11ee-b26b-0242ac110005\"}, \"mac\": \"C6:49:F0:76:1D:13:CE:F7\", \"type_id\": 3, \"autoscale_uid\": \"7f25415c-584d-11ee-b3fc-0242ac110005\", \"hw_info\": {\"cpu_bits\": 66}, \"instance_uid\": \"7f254ea4-584d-11ee-a68f-0242ac110005\", \"interface_name\": \"watt profile rs\", \"is_personal\": false, \"last_seen_time\": 1695277679358, \"region\": \"airport leaves kitchen\", \"risk_level\": \"organizational economic connecticut\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"butterfly knight log\", \"version\": \"1.0.0\", \"uid\": \"7f25336a-584d-11ee-b2a5-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"disciplinary rec report\"}, 
\"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"event_code\": \"spelling\", \"log_name\": \"len falling educational\", \"log_provider\": \"tales asset extremely\", \"log_version\": \"learners headlines linear\", \"original_time\": \"programmers less barcelona\", \"processed_time\": 1695280036393}, \"severity\": \"Critical\", \"type_name\": \"Device Inventory Info: Collect\", \"activity_id\": 2, \"type_uid\": 500102, \"category_name\": \"Discovery\", \"class_uid\": 5001, \"category_uid\": 5, \"class_name\": \"Device Inventory Info\", \"timezone_offset\": 65, \"activity_name\": \"Collect\", \"cloud\": {\"org\": {\"name\": \"black lets promotions\", \"ou_name\": \"recover sol revolutionary\"}, \"provider\": \"mod force sailing\", \"region\": \"ticket resident buried\"}, \"enrichments\": [{\"data\": {\"nintendo\": \"abcd\"}, \"name\": \"visual mv bottom\", \"type\": \"calibration basics quebec\", \"value\": \"alice stick spray\", \"provider\": \"lucy permanent trips\"}], \"severity_id\": 5, \"status_code\": \"vancouver\", \"status_id\": 1, \"start_time_dt\": \"2023-09-21T07:07:16.394812Z\"}", + "event": { + "action": "collect", + "code": "spelling", + "outcome": "success", + "provider": "tales asset extremely", + "severity": 5, + "start": "2023-09-21T07:07:16.394812Z", + "type": [ + "info" + ] + }, + "cloud": { + "provider": "mod force sailing", + "region": "ticket resident buried" + }, + "ocsf": "{\"activity_id\": 2, \"activity_name\": \"Collect\", \"category_name\": \"Discovery\", \"category_uid\": 5, \"class_name\": \"Device Inventory Info\", \"class_uid\": 5001, \"cloud\": {\"org\": {\"name\": \"black lets promotions\", \"ou_name\": \"recover sol revolutionary\"}, \"provider\": \"mod force sailing\", \"region\": \"ticket resident buried\"}, \"device\": {\"autoscale_uid\": \"7f25415c-584d-11ee-b3fc-0242ac110005\", \"hw_info\": {\"cpu_bits\": 66}, \"image\": {\"name\": \"saudi enhanced surgical\", \"uid\": 
\"7f2554b2-584d-11ee-b26b-0242ac110005\"}, \"instance_uid\": \"7f254ea4-584d-11ee-a68f-0242ac110005\", \"interface_name\": \"watt profile rs\", \"is_personal\": false, \"last_seen_time\": 1695277679358, \"location\": {\"city\": \"Porcelain senior\", \"continent\": \"Africa\", \"coordinates\": [-161.6608, -47.0418], \"country\": \"RE\", \"desc\": \"Reunion\"}, \"mac\": \"C6:49:F0:76:1D:13:CE:F7\", \"name\": \"craig functioning literally\", \"os\": {\"build\": \"dozen oval removing\", \"edition\": \"nightmare engineers carter\", \"lang\": \"en\", \"name\": \"spy chronic casual\", \"type\": \"Android\", \"type_id\": 201, \"version\": \"1.0.0\"}, \"region\": \"airport leaves kitchen\", \"risk_level\": \"organizational economic connecticut\", \"type\": \"Laptop\", \"type_id\": 3, \"uid\": \"7f256308-584d-11ee-8de0-0242ac110005\"}, \"enrichments\": [{\"data\": {\"nintendo\": \"abcd\"}, \"name\": \"visual mv bottom\", \"provider\": \"lucy permanent trips\", \"type\": \"calibration basics quebec\", \"value\": \"alice stick spray\"}], \"message\": \"poster thongs assumptions\", \"metadata\": {\"event_code\": \"spelling\", \"log_name\": \"len falling educational\", \"log_provider\": \"tales asset extremely\", \"log_version\": \"learners headlines linear\", \"original_time\": \"programmers less barcelona\", \"processed_time\": 1695280036393, \"product\": {\"lang\": \"en\", \"name\": \"butterfly knight log\", \"uid\": \"7f25336a-584d-11ee-b2a5-0242ac110005\", \"vendor_name\": \"disciplinary rec report\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"version\": \"1.0.0\"}, \"severity\": \"Critical\", \"severity_id\": 5, \"start_time_dt\": \"2023-09-21T07:07:16.394812Z\", \"status\": \"Success\", \"status_code\": \"vancouver\", \"status_id\": 1, \"time\": 1695277679358, \"timezone_offset\": 65, \"type_name\": \"Device Inventory Info: Collect\", \"type_uid\": 500102}" + } +} \ No newline at end of file 
diff --git a/OCSF/ocsf/tests/test_file_activity.json b/OCSF/ocsf/tests/test_file_activity.json
deleted file mode 100644
index 463cd65cb..000000000
--- a/OCSF/ocsf/tests/test_file_activity.json
+++ /dev/null
@@ -1,185 +0,0 @@ -{ - "input": { - "message": "{\"message\": \"memorial vacation gains\", \"status\": \"jet\", \"time\": 1703680765007341, \"file\": {\"name\": \"validation.mp4\", \"owner\": {\"name\": \"Grid\", \"type\": \"System\", \"uid\": \"f7982966-a4b4-11ee-a3fa-0242ac110004\", \"type_id\": 3, \"credential_uid\": \"f7982dd0-a4b4-11ee-b2ca-0242ac110004\", \"uid_alt\": \"mud faculty coast\"}, \"type\": \"Folder\", \"version\": \"1.0.0\", \"path\": \"rc sharp flow/tells.hqx/validation.mp4\", \"product\": {\"name\": \"opens subdivision marc\", \"version\": \"1.0.0\", \"uid\": \"f79834c4-a4b4-11ee-bc9e-0242ac110004\", \"lang\": \"en\", \"url_string\": \"flyer\", \"vendor_name\": \"assumes defensive pets\"}, \"type_id\": 2, \"parent_folder\": \"rc sharp flow/tells.hqx\", \"accessed_time\": 1703680765008026, \"hashes\": [{\"value\": \"90DDECE3C6BD7FFFE83AF4D6DA7D1D47BDD3BC4B8C55E4FB6014A6197DA2199E\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"modified_time\": 1703680765008073}, \"device\": {\"name\": \"coated sacred waiver\", \"type\": \"Browser\", \"os\": {\"name\": \"producers assessing iran\", \"type\": \"HP-UX\", \"type_id\": 402, \"lang\": \"en\", \"sp_name\": \"mod booth seller\", \"sp_ver\": 45}, \"ip\": \"250.253.200.33\", \"hostname\": \"trends.org\", \"uid\": \"f798170a-a4b4-11ee-91ce-0242ac110004\", \"type_id\": 8, \"created_time\": 1703680765007313, \"imei\": \"genetics half institutional\", \"instance_uid\": \"f7980b52-a4b4-11ee-9b5a-0242ac110004\", \"interface_name\": \"visitors fa trinity\", \"interface_uid\": \"f798130e-a4b4-11ee-8b87-0242ac110004\", \"network_interfaces\": [{\"name\": \"ons physically championship\", \"type\": \"Wireless\", \"hostname\": \"overhead.mil\", \"mac\": \"9D:F9:D3:48:CD:B9:EC:8B\", \"namespace\": \"sociology collectible myers\", \"type_id\": 2}], \"region\": \"first universe furnishings\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"cult c table\", \"uid\": 
\"f7975f7c-a4b4-11ee-9e82-0242ac110004\", \"feature\": {\"name\": \"quad back ne\", \"version\": \"1.0.0\", \"uid\": \"f7976a76-a4b4-11ee-ba7c-0242ac110004\"}, \"lang\": \"en\", \"vendor_name\": \"kazakhstan yugoslavia danish\"}, \"profiles\": [], \"log_name\": \"conjunction wa alot\", \"log_provider\": \"answering gb single\", \"log_version\": \"exposure dx maui\", \"logged_time\": 1703680765002867, \"original_time\": \"postings hawaii aaa\"}, \"severity\": \"High\", \"duration\": 62, \"type_name\": \"File System Activity: Encrypt\", \"category_name\": \"System Activity\", \"activity_id\": 10, \"type_uid\": 100110, \"class_uid\": 1001, \"category_uid\": 1, \"class_name\": \"File System Activity\", \"timezone_offset\": 8, \"activity_name\": \"Encrypt\", \"actor\": {\"process\": {\"name\": \"Interventions\", \"pid\": 18, \"file\": {\"name\": \"level.doc\", \"type\": \"Symbolic Link\", \"path\": \"matthew eos tests/secondary.m3u/level.doc\", \"product\": {\"name\": \"fr subsequent administration\", \"version\": \"1.0.0\", \"uid\": \"f7977eee-a4b4-11ee-bfd5-0242ac110004\", \"lang\": \"en\", \"vendor_name\": \"combining concentrate gmt\"}, \"uid\": \"f797833a-a4b4-11ee-b077-0242ac110004\", \"type_id\": 7, \"parent_folder\": \"matthew eos tests/secondary.m3u\", \"confidentiality\": \"cigarettes subjects terrain\", \"created_time\": 1703680765003470, \"hashes\": [{\"value\": \"8F489E765ADD66CEA532CA1AFF150E01610199E3\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"98062F4DEE9A192C300D278008F1B6A2CB646B356D0DE1EFC340001AE12A69098A73CEB81AE52DA4A6D2158B11CD671482A7862402909FCB7C8588D490E677E6\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"user\": {\"name\": \"Acoustic\", \"type\": \"configuration\", \"uid\": \"f797ac16-a4b4-11ee-9910-0242ac110004\", \"org\": {\"name\": \"could director frankfurt\", \"uid\": \"f797b9fe-a4b4-11ee-a468-0242ac110004\", \"ou_name\": \"larry about arbitrary\"}, \"type_id\": 99, \"full_name\": \"Dannie 
Meagan\", \"email_addr\": \"Jen@atmosphere.mobi\"}, \"uid\": \"f797dcc2-a4b4-11ee-9f52-0242ac110004\", \"cmd_line\": \"buck advocacy initiatives\", \"created_time\": 1703680765005764, \"lineage\": [\"legend investigated adjustments\", \"sheet eligible regardless\"], \"sandbox\": \"survivors launched lodging\"}, \"user\": {\"name\": \"Tribes\", \"type\": \"System\", \"uid\": \"f797fc8e-a4b4-11ee-adc3-0242ac110004\", \"type_id\": 3, \"email_addr\": \"Wenona@gnu.name\"}, \"invoked_by\": \"beat tables rising\"}, \"end_time\": 1703680764999344, \"file_diff\": \"remote surprise tale\", \"severity_id\": 4, \"status_detail\": \"not jar user\", \"status_id\": 99}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"message\": \"memorial vacation gains\", \"status\": \"jet\", \"time\": 1703680765007341, \"file\": {\"name\": \"validation.mp4\", \"owner\": {\"name\": \"Grid\", \"type\": \"System\", \"uid\": \"f7982966-a4b4-11ee-a3fa-0242ac110004\", \"type_id\": 3, \"credential_uid\": \"f7982dd0-a4b4-11ee-b2ca-0242ac110004\", \"uid_alt\": \"mud faculty coast\"}, \"type\": \"Folder\", \"version\": \"1.0.0\", \"path\": \"rc sharp flow/tells.hqx/validation.mp4\", \"product\": {\"name\": \"opens subdivision marc\", \"version\": \"1.0.0\", \"uid\": \"f79834c4-a4b4-11ee-bc9e-0242ac110004\", \"lang\": \"en\", \"url_string\": \"flyer\", \"vendor_name\": \"assumes defensive pets\"}, \"type_id\": 2, \"parent_folder\": \"rc sharp flow/tells.hqx\", \"accessed_time\": 1703680765008026, \"hashes\": [{\"value\": \"90DDECE3C6BD7FFFE83AF4D6DA7D1D47BDD3BC4B8C55E4FB6014A6197DA2199E\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"modified_time\": 1703680765008073}, \"device\": {\"name\": \"coated sacred waiver\", \"type\": \"Browser\", \"os\": {\"name\": \"producers assessing iran\", \"type\": \"HP-UX\", \"type_id\": 402, \"lang\": \"en\", \"sp_name\": \"mod booth seller\", \"sp_ver\": 
45}, \"ip\": \"250.253.200.33\", \"hostname\": \"trends.org\", \"uid\": \"f798170a-a4b4-11ee-91ce-0242ac110004\", \"type_id\": 8, \"created_time\": 1703680765007313, \"imei\": \"genetics half institutional\", \"instance_uid\": \"f7980b52-a4b4-11ee-9b5a-0242ac110004\", \"interface_name\": \"visitors fa trinity\", \"interface_uid\": \"f798130e-a4b4-11ee-8b87-0242ac110004\", \"network_interfaces\": [{\"name\": \"ons physically championship\", \"type\": \"Wireless\", \"hostname\": \"overhead.mil\", \"mac\": \"9D:F9:D3:48:CD:B9:EC:8B\", \"namespace\": \"sociology collectible myers\", \"type_id\": 2}], \"region\": \"first universe furnishings\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"cult c table\", \"uid\": \"f7975f7c-a4b4-11ee-9e82-0242ac110004\", \"feature\": {\"name\": \"quad back ne\", \"version\": \"1.0.0\", \"uid\": \"f7976a76-a4b4-11ee-ba7c-0242ac110004\"}, \"lang\": \"en\", \"vendor_name\": \"kazakhstan yugoslavia danish\"}, \"profiles\": [], \"log_name\": \"conjunction wa alot\", \"log_provider\": \"answering gb single\", \"log_version\": \"exposure dx maui\", \"logged_time\": 1703680765002867, \"original_time\": \"postings hawaii aaa\"}, \"severity\": \"High\", \"duration\": 62, \"type_name\": \"File System Activity: Encrypt\", \"category_name\": \"System Activity\", \"activity_id\": 10, \"type_uid\": 100110, \"class_uid\": 1001, \"category_uid\": 1, \"class_name\": \"File System Activity\", \"timezone_offset\": 8, \"activity_name\": \"Encrypt\", \"actor\": {\"process\": {\"name\": \"Interventions\", \"pid\": 18, \"file\": {\"name\": \"level.doc\", \"type\": \"Symbolic Link\", \"path\": \"matthew eos tests/secondary.m3u/level.doc\", \"product\": {\"name\": \"fr subsequent administration\", \"version\": \"1.0.0\", \"uid\": \"f7977eee-a4b4-11ee-bfd5-0242ac110004\", \"lang\": \"en\", \"vendor_name\": \"combining concentrate gmt\"}, \"uid\": \"f797833a-a4b4-11ee-b077-0242ac110004\", \"type_id\": 7, \"parent_folder\": \"matthew eos 
tests/secondary.m3u\", \"confidentiality\": \"cigarettes subjects terrain\", \"created_time\": 1703680765003470, \"hashes\": [{\"value\": \"8F489E765ADD66CEA532CA1AFF150E01610199E3\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"98062F4DEE9A192C300D278008F1B6A2CB646B356D0DE1EFC340001AE12A69098A73CEB81AE52DA4A6D2158B11CD671482A7862402909FCB7C8588D490E677E6\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"user\": {\"name\": \"Acoustic\", \"type\": \"configuration\", \"uid\": \"f797ac16-a4b4-11ee-9910-0242ac110004\", \"org\": {\"name\": \"could director frankfurt\", \"uid\": \"f797b9fe-a4b4-11ee-a468-0242ac110004\", \"ou_name\": \"larry about arbitrary\"}, \"type_id\": 99, \"full_name\": \"Dannie Meagan\", \"email_addr\": \"Jen@atmosphere.mobi\"}, \"uid\": \"f797dcc2-a4b4-11ee-9f52-0242ac110004\", \"cmd_line\": \"buck advocacy initiatives\", \"created_time\": 1703680765005764, \"lineage\": [\"legend investigated adjustments\", \"sheet eligible regardless\"], \"sandbox\": \"survivors launched lodging\"}, \"user\": {\"name\": \"Tribes\", \"type\": \"System\", \"uid\": \"f797fc8e-a4b4-11ee-adc3-0242ac110004\", \"type_id\": 3, \"email_addr\": \"Wenona@gnu.name\"}, \"invoked_by\": \"beat tables rising\"}, \"end_time\": 1703680764999344, \"file_diff\": \"remote surprise tale\", \"severity_id\": 4, \"status_detail\": \"not jar user\", \"status_id\": 99}", - "event": { - "action": "encrypt", - "category": [ - "file" - ], - "duration": 62000000, - "end": "2023-12-27T12:39:24.999344Z", - "kind": "event", - "provider": "answering gb single", - "severity": 4, - "type": [ - "info" - ] - }, - "host": { - "mac": [ - "null" - ] - }, - "ocsf": { - "activity_id": 10, - "activity_name": "Encrypt", - "actor": { - "invoked_by": "beat tables rising", - "process": { - "file": { - "confidentiality": "cigarettes subjects terrain", - "hashes": [ - { - "algorithm": "SHA-1", - "algorithm_id": "2", - "value": "8F489E765ADD66CEA532CA1AFF150E01610199E3" - 
}, - { - "algorithm": "CTPH", - "algorithm_id": "5", - "value": "98062F4DEE9A192C300D278008F1B6A2CB646B356D0DE1EFC340001AE12A69098A73CEB81AE52DA4A6D2158B11CD671482A7862402909FCB7C8588D490E677E6" - } - ], - "product": { - "lang": "en", - "name": "fr subsequent administration", - "uid": "f7977eee-a4b4-11ee-bfd5-0242ac110004", - "vendor_name": "combining concentrate gmt", - "version": "1.0.0" - }, - "type_id": "7" - }, - "lineage": [ - "legend investigated adjustments", - "sheet eligible regardless" - ], - "sandbox": "survivors launched lodging", - "user": { - "org": { - "name": "could director frankfurt", - "ou_name": "larry about arbitrary", - "uid": "f797b9fe-a4b4-11ee-a468-0242ac110004" - }, - "type": "configuration", - "type_id": "99" - } - }, - "user": { - "type": "System", - "type_id": "3" - } - }, - "category_name": "System Activity", - "category_uid": 1, - "class_name": "File System Activity", - "class_uid": "1001", - "device": { - "created_time": 1703680765007313, - "imei": "genetics half institutional", - "instance_uid": "f7980b52-a4b4-11ee-9b5a-0242ac110004", - "interface_name": "visitors fa trinity", - "interface_uid": "f798130e-a4b4-11ee-8b87-0242ac110004", - "network_interfaces": [ - { - "hostname": "overhead.mil", - "mac": "9D:F9:D3:48:CD:B9:EC:8B", - "name": "ons physically championship", - "namespace": "sociology collectible myers", - "type": "Wireless", - "type_id": "2" - } - ], - "os": { - "lang": "en", - "sp_name": "mod booth seller", - "sp_ver": "45", - "type": "HP-UX", - "type_id": "402" - }, - "region": "first universe furnishings", - "type_id": "8" - }, - "duration": 62, - "file": { - "hashes": [ - { - "algorithm": "SHA-256", - "algorithm_id": "3", - "value": "90DDECE3C6BD7FFFE83AF4D6DA7D1D47BDD3BC4B8C55E4FB6014A6197DA2199E" - } - ], - "owner": { - "credential_uid": "f7982dd0-a4b4-11ee-b2ca-0242ac110004", - "type": "System", - "type_id": "3", - "uid_alt": "mud faculty coast" - }, - "product": { - "lang": "en", - "name": "opens subdivision 
marc", - "uid": "f79834c4-a4b4-11ee-bc9e-0242ac110004", - "url_string": "flyer", - "vendor_name": "assumes defensive pets", - "version": "1.0.0" - }, - "type_id": "2", - "version": "1.0.0" - }, - "file_diff": "remote surprise tale", - "metadata": { - "log_name": "conjunction wa alot", - "log_version": "exposure dx maui", - "logged_time": 1703680765002867, - "original_time": "postings hawaii aaa", - "product": { - "feature": { - "name": "quad back ne", - "uid": "f7976a76-a4b4-11ee-ba7c-0242ac110004", - "version": "1.0.0" - }, - "lang": "en", - "name": "cult c table", - "uid": "f7975f7c-a4b4-11ee-9e82-0242ac110004", - "vendor_name": "kazakhstan yugoslavia danish" - }, - "profiles": [], - "version": "1.0.0" - }, - "severity": "High", - "status": "jet", - "status_detail": "not jar user", - "status_id": "99", - "timezone_offset": 8, - "type_name": "File System Activity: Encrypt", - "type_uid": "100110" - }, - "process": { - "group": { - "id": [ - "null" - ] - }, - "user": { - "id": [ - "null" - ] - } - }, - "sekoiaio": { - "intake": { - "parsing_warnings": [ - "Cannot set field 'host.ip' with given definition in stage 'pipeline_object_device'. Cannot convert value in field 'host.ip' to type 'ip'" - ] - } - } - } -} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_findings_1.json b/OCSF/ocsf/tests/test_findings_1.json new file mode 100644 index 000000000..e014833ba --- /dev/null +++ b/OCSF/ocsf/tests/test_findings_1.json 
@@ -0,0 +1,32 @@ +{ + "input": { + "message": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"cloud\": {\"account\": {\"uid\": \"522536594833\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"compliance\": {\"requirements\": [\"PCI1.2\"], \"status\": \"PASSED\", \"status_detail\": \"CloudWatch alarms do not exist in the account\"}, \"finding\": {\"created_time\": 1635449619417, \"desc\": \"This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports [3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445, 135, 21, 1434, 4333, 5432, 5500, 5601, 22, 3000, 5000, 8088, 8888] that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for the listed ports.\", \"first_seen_time\": 1635449619417, \"last_seen_time\": 1659636565316, \"modified_time\": 1659636559100, \"related_events\": [{\"product_uid\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\", \"uid\": \"123e4567-e89b-12d3-a456-426655440000\"}, {\"product_uid\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\", \"uid\": \"AcmeNerfHerder-111111111111-x189dx7824\"}], \"remediation\": {\"desc\": \"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\", \"kb_articles\": [\"https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation\"]}, \"title\": \"EC2.19 Security groups should not allow unrestricted access to ports with high risk\", \"types\": [\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"], \"uid\": \"test\"}, \"malware\": [{\"classification_ids\": [1], \"classifications\": [\"Adware\"], \"name\": \"Stringler\", \"path\": \"/usr/sbin/stringler\"}], \"metadata\": {\"product\": {\"feature\": {\"name\": 
\"Security Hub\", \"uid\": \"aws-foundational-security-best-practices/v/1.0.0/EC2.19\"}, \"name\": \"Security Hub\", \"uid\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\", \"vendor_name\": \"AWS\", \"version\": \"2018-10-08\"}, \"profiles\": [\"cloud\"], \"version\": \"1.0.0-rc.2\"}, \"resources\": [{\"cloud_partition\": \"aws\", \"labels\": [\"billingCode=Lotus-1-2-3\", \"needsPatching=true\"], \"region\": \"us-east-1\", \"type\": \"AwsEc2SecurityGroup\", \"uid\": \"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"state\": \"Resolved\", \"state_id\": 4, \"time\": 1659636559100, \"type_name\": \"Security Finding: Update\", \"type_uid\": 200102, \"unmapped\": {\"CompanyName\": \"AWS\", \"Compliance.StatusReasons[].ReasonCode\": \"CW_ALARMS_NOT_PRESENT\", \"FindingProviderFields.Severity.Label\": \"INFORMATIONAL\", \"FindingProviderFields.Severity.Original\": \"INFORMATIONAL\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\", \"Malware[].State\": \"OBSERVED\", \"ProductFields.ControlId\": \"EC2.19\", \"ProductFields.RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation\", \"ProductFields.RelatedAWSResources:0/name\": \"securityhub-vpc-sg-restricted-common-ports-2af29baf\", \"ProductFields.RelatedAWSResources:0/type\": \"AWS::Config::ConfigRule\", \"ProductFields.Resources:0/Id\": \"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499\", \"ProductFields.StandardsArn\": \"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0\", \"ProductFields.StandardsControlArn\": \"arn:aws:securityhub:us-east-1:522536594833:control/aws-foundational-security-best-practices/v/1.0.0/EC2.19\", \"ProductFields.StandardsSubscriptionArn\": 
\"arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0\", \"ProductFields.aws/securityhub/CompanyName\": \"AWS\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bf428107-eee0-4d19-a013-92748ed69eef\", \"ProductFields.aws/securityhub/ProductName\": \"Security Hub\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"0\", \"Severity.Original\": \"INFORMATIONAL\", \"Severity.Product\": \"0\", \"Vulnerabilities[].Cvss[].BaseScore\": \"4.7,1.0\", \"Vulnerabilities[].Cvss[].BaseVector\": \"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,AV:L/AC:M/Au:N/C:C/I:N/A:N\", \"Vulnerabilities[].Cvss[].Version\": \"V3,V2\", \"Vulnerabilities[].Vendor.VendorSeverity\": \"Medium\", \"WorkflowState\": \"NEW\"}, \"vulnerabilities\": [{\"cve\": {\"created_time\": 1579132903000, \"cvss\": {\"base_score\": 4.7, \"vector_string\": \"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"version\": \"V3\"}, \"modified_time\": 1579132903000, \"uid\": \"CVE-2020-12345\"}, \"kb_articles\": [\"https://alas.aws.amazon.com/ALAS-2020-1337.html\"], \"packages\": [{\"architecture\": \"x86_64\", \"epoch\": 1, \"name\": \"openssl\", \"release\": \"16.amzn2.0.3\", \"version\": \"1.0.2k\"}, {\"architecture\": \"x86_64\", \"epoch\": 3, \"name\": \"yaml\", \"release\": \"16.amzn2.0.3\", \"version\": \"4.3.2\"}], \"references\": [\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418\"], \"related_vulnerabilities\": [\"CVE-2020-12345\"], \"vendor_name\": \"Alas\"}]}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"cloud\": 
{\"account\": {\"uid\": \"522536594833\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"compliance\": {\"requirements\": [\"PCI1.2\"], \"status\": \"PASSED\", \"status_detail\": \"CloudWatch alarms do not exist in the account\"}, \"finding\": {\"created_time\": 1635449619417, \"desc\": \"This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports [3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445, 135, 21, 1434, 4333, 5432, 5500, 5601, 22, 3000, 5000, 8088, 8888] that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for the listed ports.\", \"first_seen_time\": 1635449619417, \"last_seen_time\": 1659636565316, \"modified_time\": 1659636559100, \"related_events\": [{\"product_uid\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\", \"uid\": \"123e4567-e89b-12d3-a456-426655440000\"}, {\"product_uid\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\", \"uid\": \"AcmeNerfHerder-111111111111-x189dx7824\"}], \"remediation\": {\"desc\": \"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\", \"kb_articles\": [\"https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation\"]}, \"title\": \"EC2.19 Security groups should not allow unrestricted access to ports with high risk\", \"types\": [\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"], \"uid\": \"test\"}, \"malware\": [{\"classification_ids\": [1], \"classifications\": [\"Adware\"], \"name\": \"Stringler\", \"path\": \"/usr/sbin/stringler\"}], \"metadata\": {\"product\": {\"feature\": {\"name\": \"Security Hub\", \"uid\": \"aws-foundational-security-best-practices/v/1.0.0/EC2.19\"}, \"name\": \"Security Hub\", \"uid\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\", \"vendor_name\": \"AWS\", \"version\": 
\"2018-10-08\"}, \"profiles\": [\"cloud\"], \"version\": \"1.0.0-rc.2\"}, \"resources\": [{\"cloud_partition\": \"aws\", \"labels\": [\"billingCode=Lotus-1-2-3\", \"needsPatching=true\"], \"region\": \"us-east-1\", \"type\": \"AwsEc2SecurityGroup\", \"uid\": \"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"state\": \"Resolved\", \"state_id\": 4, \"time\": 1659636559100, \"type_name\": \"Security Finding: Update\", \"type_uid\": 200102, \"unmapped\": {\"CompanyName\": \"AWS\", \"Compliance.StatusReasons[].ReasonCode\": \"CW_ALARMS_NOT_PRESENT\", \"FindingProviderFields.Severity.Label\": \"INFORMATIONAL\", \"FindingProviderFields.Severity.Original\": \"INFORMATIONAL\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\", \"Malware[].State\": \"OBSERVED\", \"ProductFields.ControlId\": \"EC2.19\", \"ProductFields.RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation\", \"ProductFields.RelatedAWSResources:0/name\": \"securityhub-vpc-sg-restricted-common-ports-2af29baf\", \"ProductFields.RelatedAWSResources:0/type\": \"AWS::Config::ConfigRule\", \"ProductFields.Resources:0/Id\": \"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499\", \"ProductFields.StandardsArn\": \"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0\", \"ProductFields.StandardsControlArn\": \"arn:aws:securityhub:us-east-1:522536594833:control/aws-foundational-security-best-practices/v/1.0.0/EC2.19\", \"ProductFields.StandardsSubscriptionArn\": \"arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0\", \"ProductFields.aws/securityhub/CompanyName\": \"AWS\", \"ProductFields.aws/securityhub/FindingId\": 
\"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bf428107-eee0-4d19-a013-92748ed69eef\", \"ProductFields.aws/securityhub/ProductName\": \"Security Hub\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"0\", \"Severity.Original\": \"INFORMATIONAL\", \"Severity.Product\": \"0\", \"Vulnerabilities[].Cvss[].BaseScore\": \"4.7,1.0\", \"Vulnerabilities[].Cvss[].BaseVector\": \"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,AV:L/AC:M/Au:N/C:C/I:N/A:N\", \"Vulnerabilities[].Cvss[].Version\": \"V3,V2\", \"Vulnerabilities[].Vendor.VendorSeverity\": \"Medium\", \"WorkflowState\": \"NEW\"}, \"vulnerabilities\": [{\"cve\": {\"created_time\": 1579132903000, \"cvss\": {\"base_score\": 4.7, \"vector_string\": \"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"version\": \"V3\"}, \"modified_time\": 1579132903000, \"uid\": \"CVE-2020-12345\"}, \"kb_articles\": [\"https://alas.aws.amazon.com/ALAS-2020-1337.html\"], \"packages\": [{\"architecture\": \"x86_64\", \"epoch\": 1, \"name\": \"openssl\", \"release\": \"16.amzn2.0.3\", \"version\": \"1.0.2k\"}, {\"architecture\": \"x86_64\", \"epoch\": 3, \"name\": \"yaml\", \"release\": \"16.amzn2.0.3\", \"version\": \"4.3.2\"}], \"references\": [\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418\"], \"related_vulnerabilities\": [\"CVE-2020-12345\"], \"vendor_name\": \"Alas\"}]}", + "event": { + "action": "update", + "category": [ + "vulnerability" + ], + "severity": 1, + "type": [ + "info" + ] + }, + "cloud": { + "account": { + "id": "522536594833" + }, + "provider": "AWS", + "region": "us-east-1" + }, + "ocsf": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"cloud\": {\"account\": {\"uid\": \"522536594833\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"compliance\": {\"requirements\": 
[\"PCI1.2\"], \"status\": \"PASSED\", \"status_detail\": \"CloudWatch alarms do not exist in the account\"}, \"finding\": {\"created_time\": 1635449619417, \"desc\": \"This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports [3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445, 135, 21, 1434, 4333, 5432, 5500, 5601, 22, 3000, 5000, 8088, 8888] that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for the listed ports.\", \"first_seen_time\": 1635449619417, \"last_seen_time\": 1659636565316, \"modified_time\": 1659636559100, \"related_events\": [{\"product_uid\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\", \"uid\": \"123e4567-e89b-12d3-a456-426655440000\"}, {\"product_uid\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\", \"uid\": \"AcmeNerfHerder-111111111111-x189dx7824\"}], \"remediation\": {\"desc\": \"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\", \"kb_articles\": [\"https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation\"]}, \"title\": \"EC2.19 Security groups should not allow unrestricted access to ports with high risk\", \"types\": [\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"], \"uid\": \"test\"}, \"malware\": [{\"classification_ids\": [1], \"classifications\": [\"Adware\"], \"name\": \"Stringler\", \"path\": \"/usr/sbin/stringler\"}], \"metadata\": {\"product\": {\"feature\": {\"name\": \"Security Hub\", \"uid\": \"aws-foundational-security-best-practices/v/1.0.0/EC2.19\"}, \"name\": \"Security Hub\", \"uid\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\", \"vendor_name\": \"AWS\", \"version\": \"2018-10-08\"}, \"profiles\": [\"cloud\"], \"version\": \"1.0.0-rc.2\"}, \"resources\": [{\"cloud_partition\": \"aws\", 
\"labels\": [\"billingCode=Lotus-1-2-3\", \"needsPatching=true\"], \"region\": \"us-east-1\", \"type\": \"AwsEc2SecurityGroup\", \"uid\": \"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"state\": \"Resolved\", \"state_id\": 4, \"time\": 1659636559100, \"type_name\": \"Security Finding: Update\", \"type_uid\": 200102, \"unmapped\": {\"CompanyName\": \"AWS\", \"Compliance.StatusReasons[].ReasonCode\": \"CW_ALARMS_NOT_PRESENT\", \"FindingProviderFields.Severity.Label\": \"INFORMATIONAL\", \"FindingProviderFields.Severity.Original\": \"INFORMATIONAL\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\", \"Malware[].State\": \"OBSERVED\", \"ProductFields.ControlId\": \"EC2.19\", \"ProductFields.RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation\", \"ProductFields.RelatedAWSResources:0/name\": \"securityhub-vpc-sg-restricted-common-ports-2af29baf\", \"ProductFields.RelatedAWSResources:0/type\": \"AWS::Config::ConfigRule\", \"ProductFields.Resources:0/Id\": \"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499\", \"ProductFields.StandardsArn\": \"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0\", \"ProductFields.StandardsControlArn\": \"arn:aws:securityhub:us-east-1:522536594833:control/aws-foundational-security-best-practices/v/1.0.0/EC2.19\", \"ProductFields.StandardsSubscriptionArn\": \"arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0\", \"ProductFields.aws/securityhub/CompanyName\": \"AWS\", \"ProductFields.aws/securityhub/FindingId\": 
\"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bf428107-eee0-4d19-a013-92748ed69eef\", \"ProductFields.aws/securityhub/ProductName\": \"Security Hub\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"0\", \"Severity.Original\": \"INFORMATIONAL\", \"Severity.Product\": \"0\", \"Vulnerabilities[].Cvss[].BaseScore\": \"4.7,1.0\", \"Vulnerabilities[].Cvss[].BaseVector\": \"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,AV:L/AC:M/Au:N/C:C/I:N/A:N\", \"Vulnerabilities[].Cvss[].Version\": \"V3,V2\", \"Vulnerabilities[].Vendor.VendorSeverity\": \"Medium\", \"WorkflowState\": \"NEW\"}, \"vulnerabilities\": [{\"cve\": {\"created_time\": 1579132903000, \"cvss\": {\"base_score\": 4.7, \"vector_string\": \"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"version\": \"V3\"}, \"modified_time\": 1579132903000, \"uid\": \"CVE-2020-12345\"}, \"kb_articles\": [\"https://alas.aws.amazon.com/ALAS-2020-1337.html\"], \"packages\": [{\"architecture\": \"x86_64\", \"epoch\": 1, \"name\": \"openssl\", \"release\": \"16.amzn2.0.3\", \"version\": \"1.0.2k\"}, {\"architecture\": \"x86_64\", \"epoch\": 3, \"name\": \"yaml\", \"release\": \"16.amzn2.0.3\", \"version\": \"4.3.2\"}], \"references\": [\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418\"], \"related_vulnerabilities\": [\"CVE-2020-12345\"], \"vendor_name\": \"Alas\"}]}" + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_iam_1.json b/OCSF/ocsf/tests/test_iam_1.json new file mode 100644 index 000000000..d43cbb9e9 --- /dev/null +++ b/OCSF/ocsf/tests/test_iam_1.json 
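Review bot: The expected output at the end of this hunk pins `ocsf` to the entire event re-serialized as a JSON string (`"ocsf": "{\"activity_id\": 2, \"activity_name\": \"Update\", ...}"`) rather than a parsed object, so for this Security Finding none of `severity_id`, `state_id`, `compliance.status`, `finding.uid`, `resources[].uid` or `vulnerabilities[].cve.uid` become queryable fields, and the string only duplicates `message`. The `test_file_activity.json` fixture deleted in this same commit expected a structured `ocsf` object, so if one index receives both shapes a string-valued `ocsf` would presumably conflict with the `ocsf.*` object mapping at ingest time — worth confirming against the parser's field definitions. Either route `class_uid` 2001 through the same object pipeline and pin `"ocsf": {"activity_id": 2, "class_uid": 2001, "severity_id": 1, "state_id": 4, ...}` here, or drop the `ocsf` key from `expected` instead of asserting the stringified form. Secondarily, `event.category` is asserted as `vulnerability` for what is primarily a compliance-control result (`compliance.status: PASSED`, Security Hub control EC2.19); if the category is derived from `class_uid` alone, `configuration` may fit non-CVE findings better, though this sample's `vulnerabilities` array makes either choice defensible.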
@@ -0,0 +1,28 @@ +{ + "input": { + "message": "{\"message\": \"gr rap prospect\", \"status\": \"Unknown\", \"time\": 1696570109, \"user\": {\"name\": \"And\", \"type\": \"creations\", \"uid\": \"2e6b43e8-6409-11ee-ad4a-0242ac110005\", \"type_id\": 99, \"account\": {\"name\": \"minimal bumper shortly\", \"type\": \"Unknown\", \"type_id\": 0}}, \"group\": {\"name\": \"hollow alignment one\", \"desc\": \"checking tion ii\", \"uid\": \"2e6b38da-6409-11ee-a724-0242ac110005\", \"privileges\": [\"powder exams monkey\"]}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"release zealand upon\", \"version\": \"1.0.0\", \"path\": \"fuel style da\", \"uid\": \"2e6ae592-6409-11ee-8656-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"crest homework turtle\"}, \"sequence\": 82, \"profiles\": [], \"log_name\": \"ebony pay tablets\", \"log_provider\": \"medline putting movie\", \"logged_time\": 1696570109, \"original_time\": \"gentleman brings relationship\"}, \"severity\": \"Low\", \"session\": {\"uid\": \"2e6b0374-6409-11ee-9a31-0242ac110005\", \"issuer\": \"available towns recorder\", \"credential_uid\": \"2e6b0d6a-6409-11ee-bff8-0242ac110005\", \"is_remote\": true}, \"type_name\": \"Authorize Session: Unknown\", \"activity_id\": 0, \"type_uid\": 300300, \"category_name\": \"Identity & Access Management\", \"class_uid\": 3003, \"category_uid\": 3, \"class_name\": \"Authorize Session\", \"timezone_offset\": 34, \"activity_name\": \"Unknown\", \"privileges\": [\"arrive wu supervisors\", \"fix kevin networking\"], \"severity_id\": 2, \"status_code\": \"seo\", \"status_id\": 0}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"message\": \"gr rap prospect\", \"status\": \"Unknown\", \"time\": 1696570109, \"user\": {\"name\": \"And\", \"type\": \"creations\", \"uid\": \"2e6b43e8-6409-11ee-ad4a-0242ac110005\", \"type_id\": 99, \"account\": {\"name\": \"minimal 
bumper shortly\", \"type\": \"Unknown\", \"type_id\": 0}}, \"group\": {\"name\": \"hollow alignment one\", \"desc\": \"checking tion ii\", \"uid\": \"2e6b38da-6409-11ee-a724-0242ac110005\", \"privileges\": [\"powder exams monkey\"]}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"release zealand upon\", \"version\": \"1.0.0\", \"path\": \"fuel style da\", \"uid\": \"2e6ae592-6409-11ee-8656-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"crest homework turtle\"}, \"sequence\": 82, \"profiles\": [], \"log_name\": \"ebony pay tablets\", \"log_provider\": \"medline putting movie\", \"logged_time\": 1696570109, \"original_time\": \"gentleman brings relationship\"}, \"severity\": \"Low\", \"session\": {\"uid\": \"2e6b0374-6409-11ee-9a31-0242ac110005\", \"issuer\": \"available towns recorder\", \"credential_uid\": \"2e6b0d6a-6409-11ee-bff8-0242ac110005\", \"is_remote\": true}, \"type_name\": \"Authorize Session: Unknown\", \"activity_id\": 0, \"type_uid\": 300300, \"category_name\": \"Identity & Access Management\", \"class_uid\": 3003, \"category_uid\": 3, \"class_name\": \"Authorize Session\", \"timezone_offset\": 34, \"activity_name\": \"Unknown\", \"privileges\": [\"arrive wu supervisors\", \"fix kevin networking\"], \"severity_id\": 2, \"status_code\": \"seo\", \"status_id\": 0}", + "event": { + "action": "unknown", + "category": [ + "session" + ], + "outcome": "unknown", + "provider": "medline putting movie", + "sequence": 82, + "severity": 2, + "type": [ + "info" + ] + }, + "ocsf": "{\"activity_id\": 0, \"activity_name\": \"Unknown\", \"category_name\": \"Identity & Access Management\", \"category_uid\": 3, \"class_name\": \"Authorize Session\", \"class_uid\": 3003, \"group\": {\"desc\": \"checking tion ii\", \"name\": \"hollow alignment one\", \"privileges\": [\"powder exams monkey\"], \"uid\": \"2e6b38da-6409-11ee-a724-0242ac110005\"}, \"message\": \"gr rap prospect\", \"metadata\": {\"log_name\": \"ebony pay tablets\", \"log_provider\": 
\"medline putting movie\", \"logged_time\": 1696570109, \"original_time\": \"gentleman brings relationship\", \"product\": {\"lang\": \"en\", \"name\": \"release zealand upon\", \"path\": \"fuel style da\", \"uid\": \"2e6ae592-6409-11ee-8656-0242ac110005\", \"vendor_name\": \"crest homework turtle\", \"version\": \"1.0.0\"}, \"profiles\": [], \"sequence\": 82, \"version\": \"1.0.0\"}, \"privileges\": [\"arrive wu supervisors\", \"fix kevin networking\"], \"session\": {\"credential_uid\": \"2e6b0d6a-6409-11ee-bff8-0242ac110005\", \"is_remote\": true, \"issuer\": \"available towns recorder\", \"uid\": \"2e6b0374-6409-11ee-9a31-0242ac110005\"}, \"severity\": \"Low\", \"severity_id\": 2, \"status\": \"Unknown\", \"status_code\": \"seo\", \"status_id\": 0, \"time\": 1696570109, \"timezone_offset\": 34, \"type_name\": \"Authorize Session: Unknown\", \"type_uid\": 300300, \"user\": {\"account\": {\"name\": \"minimal bumper shortly\", \"type\": \"Unknown\", \"type_id\": 0}, \"name\": \"And\", \"type\": \"creations\", \"type_id\": 99, \"uid\": \"2e6b43e8-6409-11ee-ad4a-0242ac110005\"}}" + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_iam_2.json b/OCSF/ocsf/tests/test_iam_2.json new file mode 100644 index 000000000..12d6fceb8 --- /dev/null +++ b/OCSF/ocsf/tests/test_iam_2.json 
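Review bot: The expected block maps only `event.*`, while the input carries `user.name`, `user.uid`, `session.uid` and `session.is_remote`; none of these reach ECS `user.name`/`user.id`, so a detection rule keyed on `user.name` would not match this Authorize Session event. The `ocsf` value is also a JSON-encoded string rather than a nested object, so those identity attributes are not queryable field by field once stored. If that is the intended design of the parser (parser.yml is not in this chunk), the README should say so; otherwise this fixture should additionally expect `"user": {"name": "And", "id": "2e6b43e8-6409-11ee-ad4a-0242ac110005"}` next to `event`.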
@@ -0,0 +1,21 @@ +{ + "input": { + "message": "{\"message\": \"ri retired bargain\", \"status\": \"authors technology bible\", \"time\": 1696570795, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"version\": \"1.0.0\", \"uid\": \"c7a42ac4-640a-11ee-ae25-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"cross networks miles\"}, \"uid\": \"c7a45544-640a-11ee-84b0-0242ac110005\", \"labels\": [\"calm\"], \"sequence\": 53, \"profiles\": [], \"correlation_uid\": \"c7a462e6-640a-11ee-b915-0242ac110005\", \"log_name\": \"intent hobby reserve\", \"log_provider\": \"details contributor departments\"}, \"severity\": \"Unknown\", \"type_name\": \"Entity Management: Read\", \"activity_id\": 2, \"type_uid\": 300402, \"category_name\": \"Identity & Access Management\", \"class_uid\": 3004, \"category_uid\": 3, \"class_name\": \"Entity Management\", \"timezone_offset\": 36, \"activity_name\": \"Read\", \"entity\": {\"name\": \"sweden temperatures paste\", \"type\": \"founder quilt bone\", \"version\": \"1.0.0\", \"uid\": \"c7a47574-640a-11ee-aeb8-0242ac110005\"}, \"severity_id\": 0}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"message\": \"ri retired bargain\", \"status\": \"authors technology bible\", \"time\": 1696570795, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"version\": \"1.0.0\", \"uid\": \"c7a42ac4-640a-11ee-ae25-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"cross networks miles\"}, \"uid\": \"c7a45544-640a-11ee-84b0-0242ac110005\", \"labels\": [\"calm\"], \"sequence\": 53, \"profiles\": [], \"correlation_uid\": \"c7a462e6-640a-11ee-b915-0242ac110005\", \"log_name\": \"intent hobby reserve\", \"log_provider\": \"details contributor departments\"}, \"severity\": \"Unknown\", \"type_name\": \"Entity Management: Read\", \"activity_id\": 2, \"type_uid\": 300402, \"category_name\": \"Identity & Access Management\", \"class_uid\": 3004, 
\"category_uid\": 3, \"class_name\": \"Entity Management\", \"timezone_offset\": 36, \"activity_name\": \"Read\", \"entity\": {\"name\": \"sweden temperatures paste\", \"type\": \"founder quilt bone\", \"version\": \"1.0.0\", \"uid\": \"c7a47574-640a-11ee-aeb8-0242ac110005\"}, \"severity_id\": 0}", + "event": { + "action": "read", + "provider": "details contributor departments", + "sequence": 53, + "severity": 0 + }, + "ocsf": "{\"activity_id\": 2, \"activity_name\": \"Read\", \"category_name\": \"Identity & Access Management\", \"category_uid\": 3, \"class_name\": \"Entity Management\", \"class_uid\": 3004, \"entity\": {\"name\": \"sweden temperatures paste\", \"type\": \"founder quilt bone\", \"uid\": \"c7a47574-640a-11ee-aeb8-0242ac110005\", \"version\": \"1.0.0\"}, \"message\": \"ri retired bargain\", \"metadata\": {\"correlation_uid\": \"c7a462e6-640a-11ee-b915-0242ac110005\", \"labels\": [\"calm\"], \"log_name\": \"intent hobby reserve\", \"log_provider\": \"details contributor departments\", \"product\": {\"lang\": \"en\", \"uid\": \"c7a42ac4-640a-11ee-ae25-0242ac110005\", \"vendor_name\": \"cross networks miles\", \"version\": \"1.0.0\"}, \"profiles\": [], \"sequence\": 53, \"uid\": \"c7a45544-640a-11ee-84b0-0242ac110005\", \"version\": \"1.0.0\"}, \"severity\": \"Unknown\", \"severity_id\": 0, \"status\": \"authors technology bible\", \"time\": 1696570795, \"timezone_offset\": 36, \"type_name\": \"Entity Management: Read\", \"type_uid\": 300402}" + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_iam_3.json b/OCSF/ocsf/tests/test_iam_3.json new file mode 100644 index 000000000..aec731c59 --- /dev/null +++ b/OCSF/ocsf/tests/test_iam_3.json 
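Review bot: The expected `event` for Entity Management (class_uid 3004) has no `event.category` or `event.type`, whereas the neighbouring fixtures for class_uid 3005 and 3006 expect `"category": ["iam"]` from the same `category_uid: 3`; if the category is keyed on `category_uid` this looks like a mapping gap rather than an intentional difference, and either the parser or this fixture should be aligned. The input's `status` is free text with no `status_id` and no `event.outcome` is produced, which is reasonable, but a one-line README note that `event.outcome` is derived from `status_id` only (if that is what the parser does) would make the behaviour explicit.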
@@ -0,0 +1,29 @@ +{ + "input": { + "message": "{\"count\": 37, \"message\": \"obj permitted belong\", \"status\": \"Success\", \"time\": 1696583206, \"user\": {\"name\": \"Rankings\", \"type\": \"suited\", \"uid\": \"acca5dd2-6427-11ee-8ef4-0242ac110005\", \"org\": {\"name\": \"lesson machinery nutritional\", \"uid\": \"acca6354-6427-11ee-ae9b-0242ac110005\", \"ou_name\": \"to walnut dash\"}, \"groups\": [{\"name\": \"kim patio tr\", \"desc\": \"fire transsexual uri\", \"uid\": \"acca6980-6427-11ee-8abc-0242ac110005\"}, {\"name\": \"interior husband tvs\", \"type\": \"magnetic peninsula riders\", \"desc\": \"snake avi only\", \"uid\": \"acca6de0-6427-11ee-84f2-0242ac110005\", \"privileges\": [\"fresh provision sociology\", \"foundations twisted couple\"]}], \"type_id\": 99, \"full_name\": \"Nicki Christa\"}, \"group\": {\"name\": \"cottages donor awful\", \"uid\": \"acca5274-6427-11ee-9dbd-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"industry thou favorites\", \"version\": \"1.0.0\", \"uid\": \"acc9db64-6427-11ee-bbd5-0242ac110005\", \"vendor_name\": \"assisted parade monitored\"}, \"sequence\": 35, \"profiles\": [], \"log_name\": \"declared exhibits me\", \"log_provider\": \"adsl exposed rom\", \"original_time\": \"affordable mixture nigeria\"}, \"severity\": \"Low\", \"duration\": 91, \"type_name\": \"Group Management: Add User\", \"activity_id\": 3, \"type_uid\": 300603, \"category_name\": \"Identity & Access Management\", \"class_uid\": 3006, \"category_uid\": 3, \"class_name\": \"Group Management\", \"timezone_offset\": 81, \"activity_name\": \"Add User\", \"enrichments\": [{\"data\": {\"dns\": \"bhrjfd\"}, \"name\": \"consisting loves arrives\", \"type\": \"babes rrp normally\", \"value\": \"cooking pot enough\", \"provider\": \"case safari sw\"}], \"severity_id\": 2, \"status_id\": 1}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { 
+ "message": "{\"count\": 37, \"message\": \"obj permitted belong\", \"status\": \"Success\", \"time\": 1696583206, \"user\": {\"name\": \"Rankings\", \"type\": \"suited\", \"uid\": \"acca5dd2-6427-11ee-8ef4-0242ac110005\", \"org\": {\"name\": \"lesson machinery nutritional\", \"uid\": \"acca6354-6427-11ee-ae9b-0242ac110005\", \"ou_name\": \"to walnut dash\"}, \"groups\": [{\"name\": \"kim patio tr\", \"desc\": \"fire transsexual uri\", \"uid\": \"acca6980-6427-11ee-8abc-0242ac110005\"}, {\"name\": \"interior husband tvs\", \"type\": \"magnetic peninsula riders\", \"desc\": \"snake avi only\", \"uid\": \"acca6de0-6427-11ee-84f2-0242ac110005\", \"privileges\": [\"fresh provision sociology\", \"foundations twisted couple\"]}], \"type_id\": 99, \"full_name\": \"Nicki Christa\"}, \"group\": {\"name\": \"cottages donor awful\", \"uid\": \"acca5274-6427-11ee-9dbd-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"industry thou favorites\", \"version\": \"1.0.0\", \"uid\": \"acc9db64-6427-11ee-bbd5-0242ac110005\", \"vendor_name\": \"assisted parade monitored\"}, \"sequence\": 35, \"profiles\": [], \"log_name\": \"declared exhibits me\", \"log_provider\": \"adsl exposed rom\", \"original_time\": \"affordable mixture nigeria\"}, \"severity\": \"Low\", \"duration\": 91, \"type_name\": \"Group Management: Add User\", \"activity_id\": 3, \"type_uid\": 300603, \"category_name\": \"Identity & Access Management\", \"class_uid\": 3006, \"category_uid\": 3, \"class_name\": \"Group Management\", \"timezone_offset\": 81, \"activity_name\": \"Add User\", \"enrichments\": [{\"data\": {\"dns\": \"bhrjfd\"}, \"name\": \"consisting loves arrives\", \"type\": \"babes rrp normally\", \"value\": \"cooking pot enough\", \"provider\": \"case safari sw\"}], \"severity_id\": 2, \"status_id\": 1}", + "event": { + "action": "add user", + "category": [ + "iam" + ], + "duration": 91000000, + "outcome": "success", + "provider": "adsl exposed rom", + "sequence": 35, + 
"severity": 2, + "type": [ + "user" + ] + }, + "ocsf": "{\"activity_id\": 3, \"activity_name\": \"Add User\", \"category_name\": \"Identity & Access Management\", \"category_uid\": 3, \"class_name\": \"Group Management\", \"class_uid\": 3006, \"count\": 37, \"duration\": 91, \"enrichments\": [{\"data\": {\"dns\": \"bhrjfd\"}, \"name\": \"consisting loves arrives\", \"provider\": \"case safari sw\", \"type\": \"babes rrp normally\", \"value\": \"cooking pot enough\"}], \"group\": {\"name\": \"cottages donor awful\", \"uid\": \"acca5274-6427-11ee-9dbd-0242ac110005\"}, \"message\": \"obj permitted belong\", \"metadata\": {\"log_name\": \"declared exhibits me\", \"log_provider\": \"adsl exposed rom\", \"original_time\": \"affordable mixture nigeria\", \"product\": {\"name\": \"industry thou favorites\", \"uid\": \"acc9db64-6427-11ee-bbd5-0242ac110005\", \"vendor_name\": \"assisted parade monitored\", \"version\": \"1.0.0\"}, \"profiles\": [], \"sequence\": 35, \"version\": \"1.0.0\"}, \"severity\": \"Low\", \"severity_id\": 2, \"status\": \"Success\", \"status_id\": 1, \"time\": 1696583206, \"timezone_offset\": 81, \"type_name\": \"Group Management: Add User\", \"type_uid\": 300603, \"user\": {\"full_name\": \"Nicki Christa\", \"groups\": [{\"desc\": \"fire transsexual uri\", \"name\": \"kim patio tr\", \"uid\": \"acca6980-6427-11ee-8abc-0242ac110005\"}, {\"desc\": \"snake avi only\", \"name\": \"interior husband tvs\", \"privileges\": [\"fresh provision sociology\", \"foundations twisted couple\"], \"type\": \"magnetic peninsula riders\", \"uid\": \"acca6de0-6427-11ee-84f2-0242ac110005\"}], \"name\": \"Rankings\", \"org\": {\"name\": \"lesson machinery nutritional\", \"ou_name\": \"to walnut dash\", \"uid\": \"acca6354-6427-11ee-ae9b-0242ac110005\"}, \"type\": \"suited\", \"type_id\": 99, \"uid\": \"acca5dd2-6427-11ee-8ef4-0242ac110005\"}}" + } +} \ No newline at end of file 
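Review bot: This fixture expects `event.type: ["user"]` for Group Management (class_uid 3006, activity "Add User"), while test_iam_4 expects `event.type: ["group"]` for User Access Management (class_uid 3005); if `event.type` is keyed on `class_uid` the two values look swapped, and if it is keyed on `activity_id` an "Unknown" activity should hardly yield `group`. Please confirm against parser.yml (not in this chunk) and either correct the mapping or record the intended rule in the README. Separately, `group.uid`/`group.name` and `user.groups[]` from the input are not surfaced into ECS `group.id`/`group.name`, which detections on group-membership changes usually rely on.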
diff --git a/OCSF/ocsf/tests/test_iam_4.json b/OCSF/ocsf/tests/test_iam_4.json new file mode 100644 index 000000000..804c63f83 --- /dev/null +++ b/OCSF/ocsf/tests/test_iam_4.json 
@@ -0,0 +1,26 @@ +{ + "input": { + "message": "{\"message\": \"isaac uncertainty replication\", \"status\": \"abstracts\", \"time\": 1696581958, \"group\": {\"name\": \"then nevada berkeley md\", \"uid\": \"c63f1e24-6424-11ee-af05-0242ac110005\"}, \"user\": {\"name\": \"Dd\", \"type\": \"System\", \"uid\": \"c52f5236-6424-11ee-9c16-0242ac110005\", \"type_id\": 3, \"credential_uid\": \"c52f57ae-6424-11ee-b8be-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"advance wellness phentermine\", \"version\": \"1.0.0\", \"uid\": \"c52f3210-6424-11ee-b807-0242ac110005\", \"feature\": {\"name\": \"services cultural ali\", \"version\": \"1.0.0\", \"uid\": \"c52f43f4-6424-11ee-9b6e-0242ac110005\"}, \"lang\": \"en\", \"vendor_name\": \"sphere chef physicians\"}, \"profiles\": [], \"log_name\": \"gravity bill gp\", \"logged_time\": 1696581958, \"original_time\": \"escape mic warner\"}, \"resource\": {\"owner\": {\"name\": \"Fatty\", \"type\": \"forecast\", \"domain\": \"regions gr dean\", \"uid\": \"c52f060a-6424-11ee-b378-0242ac110005\", \"type_id\": 99, \"email_addr\": \"Art@his.name\"}, \"group\": {\"name\": \"then nevada berkeley\", \"uid\": \"c52f1e24-6424-11ee-af05-0242ac110005\"}}, \"start_time\": 1696581958, \"severity\": \"Medium\", \"type_name\": \"User Access Management: Unknown\", \"activity_id\": 0, \"type_uid\": 300500, \"observables\": [{\"name\": \"devices arguments label\", \"type\": \"Fingerprint\", \"type_id\": 30}, {\"name\": \"line nightlife expo\", \"type\": \"Container\", \"type_id\": 27, \"reputation\": {\"base_score\": 45.5971, \"provider\": \"marcus magnetic expressed\", \"score\": \"May not be Safe\", \"score_id\": 5}}], \"category_name\": \"Identity & Access Management\", \"class_uid\": 3005, \"category_uid\": 3, \"class_name\": \"User Access Management\", \"timezone_offset\": 28, \"activity_name\": \"Unknown\", \"privileges\": [\"returned funeral cave\"], \"severity_id\": 3, \"status_id\": 99}", + "sekoiaio": { + 
"intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"message\": \"isaac uncertainty replication\", \"status\": \"abstracts\", \"time\": 1696581958, \"group\": {\"name\": \"then nevada berkeley md\", \"uid\": \"c63f1e24-6424-11ee-af05-0242ac110005\"}, \"user\": {\"name\": \"Dd\", \"type\": \"System\", \"uid\": \"c52f5236-6424-11ee-9c16-0242ac110005\", \"type_id\": 3, \"credential_uid\": \"c52f57ae-6424-11ee-b8be-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"advance wellness phentermine\", \"version\": \"1.0.0\", \"uid\": \"c52f3210-6424-11ee-b807-0242ac110005\", \"feature\": {\"name\": \"services cultural ali\", \"version\": \"1.0.0\", \"uid\": \"c52f43f4-6424-11ee-9b6e-0242ac110005\"}, \"lang\": \"en\", \"vendor_name\": \"sphere chef physicians\"}, \"profiles\": [], \"log_name\": \"gravity bill gp\", \"logged_time\": 1696581958, \"original_time\": \"escape mic warner\"}, \"resource\": {\"owner\": {\"name\": \"Fatty\", \"type\": \"forecast\", \"domain\": \"regions gr dean\", \"uid\": \"c52f060a-6424-11ee-b378-0242ac110005\", \"type_id\": 99, \"email_addr\": \"Art@his.name\"}, \"group\": {\"name\": \"then nevada berkeley\", \"uid\": \"c52f1e24-6424-11ee-af05-0242ac110005\"}}, \"start_time\": 1696581958, \"severity\": \"Medium\", \"type_name\": \"User Access Management: Unknown\", \"activity_id\": 0, \"type_uid\": 300500, \"observables\": [{\"name\": \"devices arguments label\", \"type\": \"Fingerprint\", \"type_id\": 30}, {\"name\": \"line nightlife expo\", \"type\": \"Container\", \"type_id\": 27, \"reputation\": {\"base_score\": 45.5971, \"provider\": \"marcus magnetic expressed\", \"score\": \"May not be Safe\", \"score_id\": 5}}], \"category_name\": \"Identity & Access Management\", \"class_uid\": 3005, \"category_uid\": 3, \"class_name\": \"User Access Management\", \"timezone_offset\": 28, \"activity_name\": \"Unknown\", \"privileges\": 
[\"returned funeral cave\"], \"severity_id\": 3, \"status_id\": 99}", + "event": { + "action": "unknown", + "category": [ + "iam" + ], + "severity": 3, + "start": "2023-10-06T08:45:58Z", + "type": [ + "group" + ] + }, + "ocsf": "{\"activity_id\": 0, \"activity_name\": \"Unknown\", \"category_name\": \"Identity & Access Management\", \"category_uid\": 3, \"class_name\": \"User Access Management\", \"class_uid\": 3005, \"group\": {\"name\": \"then nevada berkeley md\", \"uid\": \"c63f1e24-6424-11ee-af05-0242ac110005\"}, \"message\": \"isaac uncertainty replication\", \"metadata\": {\"log_name\": \"gravity bill gp\", \"logged_time\": 1696581958, \"original_time\": \"escape mic warner\", \"product\": {\"feature\": {\"name\": \"services cultural ali\", \"uid\": \"c52f43f4-6424-11ee-9b6e-0242ac110005\", \"version\": \"1.0.0\"}, \"lang\": \"en\", \"name\": \"advance wellness phentermine\", \"uid\": \"c52f3210-6424-11ee-b807-0242ac110005\", \"vendor_name\": \"sphere chef physicians\", \"version\": \"1.0.0\"}, \"profiles\": [], \"version\": \"1.0.0\"}, \"observables\": [{\"name\": \"devices arguments label\", \"type\": \"Fingerprint\", \"type_id\": 30}, {\"name\": \"line nightlife expo\", \"reputation\": {\"base_score\": 45.5971, \"provider\": \"marcus magnetic expressed\", \"score\": \"May not be Safe\", \"score_id\": 5}, \"type\": \"Container\", \"type_id\": 27}], \"privileges\": [\"returned funeral cave\"], \"resource\": {\"group\": {\"name\": \"then nevada berkeley\", \"uid\": \"c52f1e24-6424-11ee-af05-0242ac110005\"}, \"owner\": {\"domain\": \"regions gr dean\", \"email_addr\": \"Art@his.name\", \"name\": \"Fatty\", \"type\": \"forecast\", \"type_id\": 99, \"uid\": \"c52f060a-6424-11ee-b378-0242ac110005\"}}, \"severity\": \"Medium\", \"severity_id\": 3, \"start_time\": 1696581958, \"status\": \"abstracts\", \"status_id\": 99, \"time\": 1696581958, \"timezone_offset\": 28, \"type_name\": \"User Access Management: Unknown\", \"type_uid\": 300500, \"user\": 
{\"credential_uid\": \"c52f57ae-6424-11ee-b8be-0242ac110005\", \"name\": \"Dd\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"c52f5236-6424-11ee-9c16-0242ac110005\"}}" + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity.json b/OCSF/ocsf/tests/test_network_activity.json deleted file mode 100644 index d1816f8f8..000000000 --- a/OCSF/ocsf/tests/test_network_activity.json +++ /dev/null 
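Review bot: `start_time` here is `1696581958` (seconds) and the expected `event.start` is `2023-10-06T08:45:58Z`, while test_network_activity_1 feeds `1649721732000` (milliseconds, the OCSF timestamp_t unit) and also gets a correct ISO time, so the parser appears to infer the unit from the magnitude. That heuristic is undocumented, and the deleted test_network_activity.json shows that a microsecond value (`1706622672156258`) previously ended in a parsing error, a case no remaining fixture covers. Consider documenting the accepted timestamp units in the README and adding a fixture with a microsecond `time`/`start_time` so a regression to `parsing_error` is caught.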
@@ -1,19 +0,0 @@ -{ - "input": { - "message": "{\"message\": \"soup mcdonald tale\", \"status\": \"Unknown\", \"time\": 1706622672156258, \"metadata\": {\"version\": \"1.1.0\", \"extension\": {\"name\": \"kidney discusses largely\", \"version\": \"1.1.0\", \"uid\": \"a0e5dc3a-bf76-11ee-9644-0242ac110005\"}, \"product\": {\"name\": \"contributions democrats hunter\", \"version\": \"1.1.0\", \"path\": \"purchased routes a\", \"uid\": \"a0e65110-bf76-11ee-84fa-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"transit beyond forecasts\"}, \"labels\": [\"reaches\", \"douglas\"], \"profiles\": [], \"correlation_uid\": \"a0e658ea-bf76-11ee-830f-0242ac110005\", \"log_name\": \"snake mixed discovered\", \"log_provider\": \"belongs pn asylum\", \"original_time\": \"summit morrison gate\", \"tenant_uid\": \"a0e65f8e-bf76-11ee-a65b-0242ac110005\"}, \"connection_info\": {\"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 19}, \"severity\": \"Critical\", \"type_name\": \"Network Activity: Reset\", \"category_name\": \"Network Activity\", \"activity_id\": 3, \"type_uid\": 400103, \"class_uid\": 4001, \"category_uid\": 4, \"class_name\": \"Network Activity\", \"timezone_offset\": 90, \"activity_name\": \"Reset\", \"dst_endpoint\": {\"name\": \"malawi ron affect\", \"port\": 22941, \"type\": \"Tablet\", \"ip\": \"250.43.118.90\", \"uid\": \"a0e5bd9a-bf76-11ee-a3b1-0242ac110005\", \"hostname\": \"asian.com\", \"mac\": \"DA:34:54:FF:33:42:DF:C8\", \"type_id\": 4, \"instance_uid\": \"a0e5c498-bf76-11ee-b200-0242ac110005\", \"interface_name\": \"decorating obesity pushed\", \"interface_uid\": \"a0e5ca88-bf76-11ee-bfe8-0242ac110005\", \"svc_name\": \"alt directed dramatically\"}, \"severity_id\": 5, \"src_endpoint\": {\"name\": \"switch rod prominent\", \"port\": 46077, \"type\": \"Mobile\", \"domain\": \"family commented opening\", \"ip\": \"159.228.37.237\", \"uid\": \"a0e57024-bf76-11ee-9a6c-0242ac110005\", \"hostname\": \"gbp.mil\", \"type_id\": 5, 
\"instance_uid\": \"a0e583de-bf76-11ee-9957-0242ac110005\", \"interface_name\": \"military hook wagon\", \"interface_uid\": \"a0e58e6a-bf76-11ee-860b-0242ac110005\", \"svc_name\": \"estimates inclusion incorporated\"}, \"status_code\": \"apollo\", \"status_id\": 0}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"message\": \"soup mcdonald tale\", \"status\": \"Unknown\", \"time\": 1706622672156258, \"metadata\": {\"version\": \"1.1.0\", \"extension\": {\"name\": \"kidney discusses largely\", \"version\": \"1.1.0\", \"uid\": \"a0e5dc3a-bf76-11ee-9644-0242ac110005\"}, \"product\": {\"name\": \"contributions democrats hunter\", \"version\": \"1.1.0\", \"path\": \"purchased routes a\", \"uid\": \"a0e65110-bf76-11ee-84fa-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"transit beyond forecasts\"}, \"labels\": [\"reaches\", \"douglas\"], \"profiles\": [], \"correlation_uid\": \"a0e658ea-bf76-11ee-830f-0242ac110005\", \"log_name\": \"snake mixed discovered\", \"log_provider\": \"belongs pn asylum\", \"original_time\": \"summit morrison gate\", \"tenant_uid\": \"a0e65f8e-bf76-11ee-a65b-0242ac110005\"}, \"connection_info\": {\"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 19}, \"severity\": \"Critical\", \"type_name\": \"Network Activity: Reset\", \"category_name\": \"Network Activity\", \"activity_id\": 3, \"type_uid\": 400103, \"class_uid\": 4001, \"category_uid\": 4, \"class_name\": \"Network Activity\", \"timezone_offset\": 90, \"activity_name\": \"Reset\", \"dst_endpoint\": {\"name\": \"malawi ron affect\", \"port\": 22941, \"type\": \"Tablet\", \"ip\": \"250.43.118.90\", \"uid\": \"a0e5bd9a-bf76-11ee-a3b1-0242ac110005\", \"hostname\": \"asian.com\", \"mac\": \"DA:34:54:FF:33:42:DF:C8\", \"type_id\": 4, \"instance_uid\": \"a0e5c498-bf76-11ee-b200-0242ac110005\", \"interface_name\": \"decorating obesity pushed\", \"interface_uid\": 
\"a0e5ca88-bf76-11ee-bfe8-0242ac110005\", \"svc_name\": \"alt directed dramatically\"}, \"severity_id\": 5, \"src_endpoint\": {\"name\": \"switch rod prominent\", \"port\": 46077, \"type\": \"Mobile\", \"domain\": \"family commented opening\", \"ip\": \"159.228.37.237\", \"uid\": \"a0e57024-bf76-11ee-9a6c-0242ac110005\", \"hostname\": \"gbp.mil\", \"type_id\": 5, \"instance_uid\": \"a0e583de-bf76-11ee-9957-0242ac110005\", \"interface_name\": \"military hook wagon\", \"interface_uid\": \"a0e58e6a-bf76-11ee-860b-0242ac110005\", \"svc_name\": \"estimates inclusion incorporated\"}, \"status_code\": \"apollo\", \"status_id\": 0}", - "sekoiaio": { - "intake": { - "parsing_error": "'AttributeError'" - } - } - } -} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_1.json b/OCSF/ocsf/tests/test_network_activity_1.json new file mode 100644 index 000000000..34cacfd24 --- /dev/null +++ b/OCSF/ocsf/tests/test_network_activity_1.json 
@@ -0,0 +1,51 @@ +{ + "input": { + "message": "{\"metadata\": {\"product\": {\"version\": \"5\", \"name\": \"Amazon VPC\", \"feature\": {\"name\": \"Flowlogs\"}, \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"security_control\"], \"version\": \"1.0.0-rc.2\"}, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"region\": \"us-east-1\", \"zone\": \"use1-az1\", \"provider\": \"AWS\"}, \"src_endpoint\": {\"port\": 56858, \"svc_name\": \"-\", \"ip\": \"1.128.0.0\"}, \"dst_endpoint\": {\"port\": 39938, \"svc_name\": \"-\", \"ip\": \"172.31.2.52\", \"interface_uid\": \"eni-000000000000000000\", \"vpc_uid\": \"vpc-00000000\", \"instance_uid\": \"i-000000000000000000\", \"subnet_uid\": \"subnet-000000000000000000\"}, \"connection_info\": {\"protocol_num\": 6, \"tcp_flags\": 2, \"protocol_ver\": \"IPv4\", \"boundary_id\": 99, \"boundary\": \"-\", \"direction_id\": 1, \"direction\": \"Inbound\"}, \"traffic\": {\"packets\": 1, \"bytes\": 40}, \"time\": 1649721732000, \"start_time\": 1649721732000, \"end_time\": 1649721788000, \"status_code\": \"OK\", \"severity_id\": 1, \"severity\": \"Informational\", \"class_name\": \"Network Activity\", \"class_uid\": 4001, \"category_name\": \"Network Activity\", \"category_uid\": 4, \"activity_name\": \"Refuse\", \"activity_id\": 5, \"disposition\": \"Blocked\", \"disposition_id\": 2, \"type_uid\": 400105, \"type_name\": \"Network Activity: Refuse\", \"unmapped\": {\"sublocation_id\": \"-\", \"sublocation_type\": \"-\"}}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"metadata\": {\"product\": {\"version\": \"5\", \"name\": \"Amazon VPC\", \"feature\": {\"name\": \"Flowlogs\"}, \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"security_control\"], \"version\": \"1.0.0-rc.2\"}, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"region\": \"us-east-1\", \"zone\": \"use1-az1\", \"provider\": \"AWS\"}, 
\"src_endpoint\": {\"port\": 56858, \"svc_name\": \"-\", \"ip\": \"1.128.0.0\"}, \"dst_endpoint\": {\"port\": 39938, \"svc_name\": \"-\", \"ip\": \"172.31.2.52\", \"interface_uid\": \"eni-000000000000000000\", \"vpc_uid\": \"vpc-00000000\", \"instance_uid\": \"i-000000000000000000\", \"subnet_uid\": \"subnet-000000000000000000\"}, \"connection_info\": {\"protocol_num\": 6, \"tcp_flags\": 2, \"protocol_ver\": \"IPv4\", \"boundary_id\": 99, \"boundary\": \"-\", \"direction_id\": 1, \"direction\": \"Inbound\"}, \"traffic\": {\"packets\": 1, \"bytes\": 40}, \"time\": 1649721732000, \"start_time\": 1649721732000, \"end_time\": 1649721788000, \"status_code\": \"OK\", \"severity_id\": 1, \"severity\": \"Informational\", \"class_name\": \"Network Activity\", \"class_uid\": 4001, \"category_name\": \"Network Activity\", \"category_uid\": 4, \"activity_name\": \"Refuse\", \"activity_id\": 5, \"disposition\": \"Blocked\", \"disposition_id\": 2, \"type_uid\": 400105, \"type_name\": \"Network Activity: Refuse\", \"unmapped\": {\"sublocation_id\": \"-\", \"sublocation_type\": \"-\"}}", + "event": { + "action": "refuse", + "category": [ + "network" + ], + "end": "2022-04-12T00:03:08Z", + "severity": 1, + "start": "2022-04-12T00:02:12Z", + "type": [ + "denied" + ] + }, + "cloud": { + "account": { + "id": "123456789012" + }, + "availability_zone": "use1-az1", + "provider": "AWS", + "region": "us-east-1" + }, + "destination": { + "address": "172.31.2.52", + "ip": "172.31.2.52", + "port": 39938 + }, + "ocsf": "{\"activity_id\": 5, \"activity_name\": \"Refuse\", \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Network Activity\", \"class_uid\": 4001, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\", \"zone\": \"use1-az1\"}, \"connection_info\": {\"boundary\": \"-\", \"boundary_id\": 99, \"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 6, \"protocol_ver\": \"IPv4\", \"tcp_flags\": 2}, 
\"disposition\": \"Blocked\", \"disposition_id\": 2, \"dst_endpoint\": {\"instance_uid\": \"i-000000000000000000\", \"interface_uid\": \"eni-000000000000000000\", \"ip\": \"172.31.2.52\", \"port\": 39938, \"subnet_uid\": \"subnet-000000000000000000\", \"svc_name\": \"-\", \"vpc_uid\": \"vpc-00000000\"}, \"end_time\": 1649721788000, \"metadata\": {\"product\": {\"feature\": {\"name\": \"Flowlogs\"}, \"name\": \"Amazon VPC\", \"vendor_name\": \"AWS\", \"version\": \"5\"}, \"profiles\": [\"cloud\", \"security_control\"], \"version\": \"1.0.0-rc.2\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"1.128.0.0\", \"port\": 56858, \"svc_name\": \"-\"}, \"start_time\": 1649721732000, \"status_code\": \"OK\", \"time\": 1649721732000, \"traffic\": {\"bytes\": 40, \"packets\": 1}, \"type_name\": \"Network Activity: Refuse\", \"type_uid\": 400105, \"unmapped\": {\"sublocation_id\": \"-\", \"sublocation_type\": \"-\"}}", + "related": { + "ip": [ + "1.128.0.0", + "172.31.2.52" + ] + }, + "source": { + "address": "1.128.0.0", + "ip": "1.128.0.0", + "port": 56858 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_10.json b/OCSF/ocsf/tests/test_network_activity_10.json new file mode 100644 index 000000000..4624302d3 --- /dev/null +++ b/OCSF/ocsf/tests/test_network_activity_10.json 
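Review bot: The expected block maps endpoints and `cloud.*` but nothing from `connection_info` or `traffic` reaches ECS `network.*`: `protocol_num: 6` could populate `network.iana_number: "6"` / `network.transport: "tcp"`, `direction: "Inbound"` could populate `network.direction: "inbound"`, and `traffic.bytes: 40` / `packets: 1` could populate `network.bytes` / `network.packets`. Without them a refused connection cannot be correlated with other flow-log intakes on transport or direction. Likewise `dst_endpoint.instance_uid` (`i-000000000000000000`) could fill `cloud.instance.id`. If these are deliberately left inside the serialized `ocsf` string, a sentence in the README saying so would save the next reader from checking parser.yml.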
@@ -0,0 +1,51 @@
+{
+ "input": {
+ "message": "{\"message\": \"kelkoo interactions constitute\", \"status\": \"patch emma midi\", \"time\": 1695676041549, \"file\": {\"name\": \"amend.sh\", \"type\": \"Unknown\", \"desc\": \"arabic suits fun\", \"type_id\": 0, \"accessor\": {\"name\": \"Uruguay\", \"type\": \"User\", \"uid\": \"849f49fa-5be7-11ee-bfe2-0242ac110005\", \"org\": {\"name\": \"lottery political own\", \"uid\": \"849f501c-5be7-11ee-ab6f-0242ac110005\", \"ou_name\": \"confirmed towards declined\", \"ou_uid\": \"849f540e-5be7-11ee-841c-0242ac110005\"}, \"type_id\": 1}, \"hashes\": [{\"value\": \"4C3280C17F9D982CCBAC882AE1F48DAD224DBA938BEE87BF18E31C76B0C3B88B\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"A7F0A2AD03BE8938C945F65DB1A395CE9E98D67F9EE8D4CA97D687FBB394B64FA0AEB15F5B1D82A2922B62320B77DBA842BBEDEE2B5E15D7A883665ADE3F7C2B\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time_dt\": \"2023-09-25T21:07:21.567190Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"describes static geological\", \"version\": \"1.0.0\", \"uid\": \"849714ce-5be7-11ee-981b-0242ac110005\", \"url_string\": \"avatar\", \"vendor_name\": \"highly got hook\"}, \"sequence\": 99, \"profiles\": [\"cloud\", \"container\", \"datetime\"], \"correlation_uid\": \"84971e10-5be7-11ee-b5e7-0242ac110005\", \"log_name\": \"proud iso ticket\", \"log_provider\": \"cb indexes boxing\", \"original_time\": \"tournaments leisure comedy\", \"modified_time_dt\": \"2023-09-25T21:07:21.513376Z\", \"processed_time_dt\": \"2023-09-25T21:07:21.513394Z\"}, \"start_time\": 1695676041445, \"severity\": \"Low\", \"type_name\": \"Network File Activity: Rename\", \"activity_id\": 5, \"type_uid\": 401005, \"observables\": [{\"name\": \"except visitor vbulletin\", \"type\": \"Uniform Resource Locator\", \"type_id\": 23}, {\"name\": \"hong rhode para\", \"type\": \"Process Name\", \"type_id\": 9}], \"category_name\": \"Network Activity\", \"class_uid\": 
4010, \"category_uid\": 4, \"class_name\": \"Network File Activity\", \"timezone_offset\": 42, \"activity_name\": \"Rename\", \"actor\": {\"process\": {\"name\": \"Qualification\", \"pid\": 42, \"file\": {\"attributes\": 9, \"name\": \"citations.gpx\", \"type\": \"Character Device\", \"path\": \"telling saved challenge/wrapped.tga/citations.gpx\", \"type_id\": 3, \"parent_folder\": \"telling saved challenge/wrapped.tga\"}, \"user\": {\"name\": \"Aquatic\", \"type\": \"System\", \"uid\": \"84975f7e-5be7-11ee-bfad-0242ac110005\", \"type_id\": 3, \"account\": {\"name\": \"suspended cg sisters\", \"uid\": \"8497655a-5be7-11ee-ab52-0242ac110005\"}}, \"tid\": 17, \"uid\": \"849768e8-5be7-11ee-a428-0242ac110005\", \"cmd_line\": \"goals happen dad\", \"container\": {\"name\": \"ambien cloud eur\", \"size\": 2164055839, \"uid\": \"84977158-5be7-11ee-b042-0242ac110005\", \"image\": {\"name\": \"produced field obituaries\", \"path\": \"adaptive granny knew\", \"uid\": \"849779dc-5be7-11ee-8f66-0242ac110005\"}, \"network_driver\": \"cute desktops arrest\"}, \"created_time\": 1695676041514, \"namespace_pid\": 41, \"parent_process\": {\"file\": {\"name\": \"finance.3g2\", \"type\": \"wrap\", \"path\": \"attention matching forest/met.mpa/finance.3g2\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"mt minutes bids\", \"issuer\": \"shall systematic vatican\", \"fingerprints\": [{\"value\": \"B3305921648A755AA6C1E2C028691A6861EAE8922BAE5ACE52B76E01AD96DF87ECE4E22E06EDC6715A0CAE469323620A07CCC384FD40C69EBA60E8BBEE8EA805\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"expiration_time\": 1695676041516, \"serial_number\": \"requirement sodium situated\", \"expiration_time_dt\": \"2023-09-25T21:07:21.516239Z\", \"created_time_dt\": \"2023-09-25T21:07:21.516247Z\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"desc\": \"surgeons settled advocacy\", \"type_id\": 99, \"creator\": {\"name\": \"Additionally\", \"type\": \"beat\", \"uid\": 
\"84979804-5be7-11ee-848b-0242ac110005\", \"type_id\": 99, \"full_name\": \"Kirstin Thersa\", \"credential_uid\": \"8497ab3c-5be7-11ee-8df1-0242ac110005\"}, \"parent_folder\": \"attention matching forest/met.mpa\", \"hashes\": [{\"value\": \"2675028478A31F71064C2D8CCA68C7FCA87605C294611E7C2294806CE87B596AD856077767F9D941E21BC5089906C5E6903FE622EE1FE19DB2E3FA8F1F1A8EE9\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"4D018BA6DBA4C03004FD6E10D1C02BD324F62DE46C5FE687431A2D4BF4335BB7\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"modified_time_dt\": \"2023-09-25T21:07:21.517084Z\"}, \"uid\": \"8497ba64-5be7-11ee-b3a6-0242ac110005\", \"session\": {\"uid\": \"8497c27a-5be7-11ee-8a34-0242ac110005\", \"issuer\": \"discussing capital ottawa\", \"created_time\": 1695676041516, \"credential_uid\": \"8497c716-5be7-11ee-bd7a-0242ac110005\"}, \"loaded_modules\": [\"/super/disclose/barnes/pg/california.png\", \"/ourselves/lynn/gpl/helped/narrow.tga\"], \"cmd_line\": \"bless addresses backgrounds\", \"container\": {\"name\": \"citizenship caribbean twisted\", \"size\": 2686118868, \"uid\": \"8497d15c-5be7-11ee-aa8b-0242ac110005\", \"image\": {\"name\": \"assistance grande an\", \"uid\": \"8497dec2-5be7-11ee-9c88-0242ac110005\"}, \"hash\": {\"value\": \"08759209B8F0A761FFF2B978AB8DAB0B6AE7B63C9AC9D3694BC0FED57BB2E27F5AAFB08486F656D6C6FE784F7DF07513FCB0975EC8B772EE000F56F793867A77\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}}, \"created_time\": 1695676041518, \"lineage\": [\"vhs mechanism dates\"], \"namespace_pid\": 97, \"parent_process\": {\"name\": \"Bid\", \"pid\": 26, \"file\": {\"name\": \"dame.svg\", \"type\": \"Regular File\", \"path\": \"wives pamela karl/articles.c/dame.svg\", \"modifier\": {\"name\": \"Complete\", \"type\": \"Unknown\", \"uid\": \"8497f38a-5be7-11ee-97c6-0242ac110005\", \"groups\": [{\"name\": \"winds seeking reply\", \"uid\": \"8497fde4-5be7-11ee-9733-0242ac110005\"}, {\"name\": \"hamburg roommate environment\", \"uid\": 
\"8498099c-5be7-11ee-ac6f-0242ac110005\"}], \"type_id\": 0}, \"type_id\": 1, \"parent_folder\": \"wives pamela karl/articles.c\", \"hashes\": [{\"value\": \"E7B2EBCA4F63795EBE380FFBEAB194BCF3E2EB5C74F10C6B8AAB95F4C0B8D7AC\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"AFD9AD7A88CFF487A60962E99C6219806726EB352DD1591D375AD3BB143C0DABBFBC6DBFFA5D99B3662AE82C9B7EED847E30B7EA516D2AD9DFF07D8775F8AE36\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"security_descriptor\": \"robinson queens graduate\", \"created_time_dt\": \"2023-09-25T21:07:21.519646Z\"}, \"user\": {\"name\": \"Shipment\", \"type\": \"Unknown\", \"uid\": \"84981f68-5be7-11ee-b652-0242ac110005\", \"type_id\": 0, \"uid_alt\": \"singh dim static\"}, \"uid\": \"849823d2-5be7-11ee-92d1-0242ac110005\", \"cmd_line\": \"harder interventions pb\", \"container\": {\"name\": \"kg sources houses\", \"runtime\": \"kate through furniture\", \"size\": 2387392206, \"uid\": \"849829cc-5be7-11ee-bb7a-0242ac110005\", \"hash\": {\"value\": \"6A9A10210588981DD8FAA6BE10E39F2C65E816FEFE4768884F7B0BB0A10CD9D6\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, \"pod_uuid\": \"kiss\"}, \"created_time\": 1695676041517, \"integrity\": \"they thermal eau\", \"lineage\": [\"attraction cord adjustment\", \"announcements summer introduce\"], \"namespace_pid\": 49, \"parent_process\": {\"name\": \"Jamie\", \"pid\": 28, \"file\": {\"name\": \"seq.wpd\", \"type\": \"Character Device\", \"path\": \"conflicts disability citysearch/ieee.dtd/seq.wpd\", \"modifier\": {\"name\": \"Officer\", \"type\": \"Admin\", \"uid\": \"84984362-5be7-11ee-af2c-0242ac110005\", \"type_id\": 2}, \"type_id\": 3, \"parent_folder\": \"conflicts disability citysearch/ieee.dtd\", \"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"created_time\": 1695676041520845, \"hashes\": [{\"value\": \"7D875B5EB312ADEF7D530DD6E43468170B094A5F54CA1AC26E7788A81A01238428E62D581423E70B05DA11F15513291EB10776B4E14DE1844072ACDF11BBDFD1\", 
\"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"1100511F3469E3CDE7D081EC6E78154C8476D546F615EEEB37C4CDFBD41740440FC77660EE3A4B9C67DE81C63172A49F835656F85ED5E36A65A2A25E2A733358\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"name\": \"Knows\", \"type\": \"User\", \"domain\": \"sao uri flesh\", \"uid\": \"84984db2-5be7-11ee-ba4e-0242ac110005\", \"type_id\": 1}, \"uid\": \"8498530c-5be7-11ee-86f3-0242ac110005\", \"cmd_line\": \"creation defense carolina\", \"container\": {\"name\": \"hunt indicating radiation\", \"size\": 3179758248, \"tag\": \"reader prevention as\", \"uid\": \"84985df2-5be7-11ee-be06-0242ac110005\", \"hash\": {\"value\": \"666334EB7A1E55E189435FFF3F0CA7266F484FB44970AAFF3E72546D8B04B02ABB1A66B209CAFD44267701CA1392DF35B8EC3EECE0DC492D093880F2E4FF352C\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695676041527, \"namespace_pid\": 46, \"parent_process\": {\"name\": \"Arbor\", \"pid\": 20, \"file\": {\"name\": \"startup.3dm\", \"size\": 3504413585, \"type\": \"Named Pipe\", \"version\": \"1.0.0\", \"signature\": {\"certificate\": {\"subject\": \"shades bad tradition\", \"issuer\": \"previous price thing\", \"fingerprints\": [{\"value\": \"8E4DE5CC0D59311697B0D4061FDBFB4CB99E38121EA17CF740789A0CBC85B56703E1341C940E7A2220C02211CC84447A19061569BE42AC4A2C03010FB6CB1A75\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"205D64FF9B580AADBF4829EC41DD4EF0\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"created_time\": 1695676041522, \"expiration_time\": 1695676041526, \"serial_number\": \"files the parish\", \"created_time_dt\": \"2023-09-25T21:07:21.521904Z\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"uid\": \"84987ae4-5be7-11ee-b247-0242ac110005\", \"type_id\": 6, \"created_time\": 1695676042262, \"hashes\": [{\"value\": \"60F202A3BE4EF214E24EA9D3555D194C\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": 
\"B0B2D200728B0DACE6CB6829F90EE31A9AD123FF1982012B003249D4F2C5351924E6DBBD1242EE722D4C5A0B80C983DC7B94DDD594FCFCEF4E63552956E2B26A\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"modified_time_dt\": \"2023-09-25T21:07:21.522441Z\"}, \"user\": {\"name\": \"Provided\", \"type\": \"Admin\", \"uid\": \"84988e80-5be7-11ee-bf3c-0242ac110005\", \"type_id\": 2, \"full_name\": \"Karoline Meggan\", \"email_addr\": \"Elza@girls.mil\"}, \"uid\": \"84989376-5be7-11ee-9216-0242ac110005\", \"cmd_line\": \"plan agents converter\", \"container\": {\"name\": \"thongs routine an\", \"size\": 2099983603, \"uid\": \"84989948-5be7-11ee-b4fb-0242ac110005\", \"image\": {\"name\": \"extending construction inkjet\", \"path\": \"empirical precipitation builder\", \"uid\": \"84989f42-5be7-11ee-8820-0242ac110005\", \"labels\": [\"golf\", \"nov\"]}, \"hash\": {\"value\": \"E7EFDA40B1C94805070CD9BF9638AE27\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"created_time\": 1695676041523226, \"integrity\": \"conspiracy unions allocated\", \"parent_process\": {\"name\": \"Processes\", \"pid\": 49, \"file\": {\"name\": \"considerations.jar\", \"type\": \"Local Socket\", \"path\": \"roger economy macro/mesh.gadget/considerations.jar\", \"type_id\": 5, \"accessor\": {\"name\": \"Wildlife\", \"type\": \"Admin\", \"uid\": \"8498c030-5be7-11ee-80d9-0242ac110005\", \"type_id\": 2, \"full_name\": \"Twyla Cherise\", \"email_addr\": \"Shin@cause.mobi\", \"uid_alt\": \"excellent far varied\"}, \"mime_type\": \"star/flyer\", \"parent_folder\": \"roger economy macro/mesh.gadget\", \"created_time\": 1695676041524, \"hashes\": [{\"value\": \"707CF5E50A11D69874235DED9A045B6AB42439F7495DED03049CB7E997949E8B014295A25059CD1A9F06BFE9E4101ED176615E69D43FE199E849DEC0BC4AEB4D\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"6F487B974BDB9DBDF014F50502D9F70BC2630E6C974E4C6E6AA2EB3BEC95A3BDCA7AE609DA34179E0677F042734A767ADA4F6CA04788916644262CDC60BC2FB2\", \"algorithm\": \"CTPH\", \"algorithm_id\": 
5}]}, \"user\": {\"name\": \"Hour\", \"type\": \"insert\", \"uid\": \"8498cd14-5be7-11ee-94d7-0242ac110005\", \"type_id\": 99, \"uid_alt\": \"organizations guild beds\"}, \"uid\": \"8498d430-5be7-11ee-b1bf-0242ac110005\", \"cmd_line\": \"sixth pc peoples\", \"container\": {\"name\": \"warrior document workflow\", \"size\": 2697694450, \"uid\": \"8498da2a-5be7-11ee-9d00-0242ac110005\", \"image\": {\"name\": \"version treating tall\", \"uid\": \"8498df20-5be7-11ee-8257-0242ac110005\"}, \"hash\": {\"value\": \"F4001D4FD76B73412DB0EFD2C66F0AB3C27D9FE9BD375B1659A1DDDA68C17DC1C0F5402A6AE571DC073E94F1B720821E4208595D5BB4B13D917A12CE3DA53C1E\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, \"pod_uuid\": \"sas\"}, \"created_time\": 1695676041523, \"integrity\": \"aviation blame tion\", \"namespace_pid\": 76, \"parent_process\": {\"name\": \"Job\", \"pid\": 86, \"file\": {\"name\": \"pic.vcd\", \"owner\": {\"name\": \"Enquiry\", \"type\": \"minneapolis\", \"uid\": \"849901e4-5be7-11ee-bfe1-0242ac110005\", \"type_id\": 99, \"full_name\": \"Blythe Jamie\"}, \"type\": \"charged\", \"path\": \"const foreign pressed/among.ged/pic.vcd\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"strap liz boulder\", \"issuer\": \"everybody brunei disciplinary\", \"fingerprints\": [{\"value\": \"9E41EB47ABD226D92CFE27DBDA0C924C190A1B0C0136B09923B419089B013DF14CB58C38F651F710540E348BF800DFE364197904B11FFFAD98BB2B10006B28E2\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"3DE877DDFB06DB510E63893D98DDAC9524696C14\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"created_time\": 1695676041526, \"expiration_time\": 1695676045872, \"serial_number\": \"approaches symbol assembly\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"developer_uid\": \"84991526-5be7-11ee-a2ca-0242ac110005\", \"created_time_dt\": \"2023-09-25T21:07:21.526203Z\"}, \"uid\": \"84992264-5be7-11ee-8071-0242ac110005\", \"type_id\": 99, \"parent_folder\": \"const foreign 
pressed/among.ged\", \"accessed_time\": 1695676041556, \"confidentiality\": \"suburban ati mostly\", \"hashes\": [{\"value\": \"00EF9DADDE482AF5432B0BFC5F69023736D4A0ECD59F74884C4B8AD83D21429B78023351C5DBD07407EAB2BFA527A0586016DE3C92F37913920E221F7D452802\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"is_system\": false, \"modified_time_dt\": \"2023-09-25T21:07:21.526727Z\", \"created_time_dt\": \"2023-09-25T21:07:21.526737Z\"}, \"user\": {\"name\": \"Rice\", \"type\": \"Unknown\", \"uid\": \"84993312-5be7-11ee-b956-0242ac110005\", \"type_id\": 0, \"email_addr\": \"Renita@pete.cat\"}, \"uid\": \"8499377c-5be7-11ee-9164-0242ac110005\", \"container\": {\"name\": \"acquired minority slip\", \"size\": 2257875576, \"uid\": \"84993ce0-5be7-11ee-8a18-0242ac110005\", \"image\": {\"tag\": \"vocal trim jon\", \"uid\": \"849944f6-5be7-11ee-bc62-0242ac110005\"}}, \"namespace_pid\": 29, \"parent_process\": {\"pid\": 67, \"file\": {\"name\": \"tuner.pdb\", \"type\": \"Named Pipe\", \"version\": \"1.0.0\", \"path\": \"architectural pink phil/overview.dtd/tuner.pdb\", \"type_id\": 6, \"parent_folder\": \"architectural pink phil/overview.dtd\", \"hashes\": [{\"value\": \"44CA9EA761C2131C73960AD47472741B13D305EE2D07FE91E8F1B47F4F062B8A16DD3611E4439E4C163A7CF42F1AE5989CF9683117DB801FD1BC222A16618E19\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"C25DDA249CDECE9D908CC33ADCD16AA05E20290F\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"xattributes\": {}}, \"user\": {\"name\": \"Fantastic\", \"type\": \"Admin\", \"uid\": \"84995d06-5be7-11ee-8223-0242ac110005\", \"org\": {\"name\": \"dryer asn trying\", \"uid\": \"849963aa-5be7-11ee-b57a-0242ac110005\", \"ou_name\": \"wr r gibraltar\"}, \"type_id\": 2}, \"uid\": \"84996800-5be7-11ee-8754-0242ac110005\", \"cmd_line\": \"brush bouquet alto\", \"container\": {\"name\": \"deutschland pic newcastle\", \"size\": 797071549, \"uid\": \"84996db4-5be7-11ee-bada-0242ac110005\", \"image\": {\"name\": \"adipex 
into polo\", \"uid\": \"849984fc-5be7-11ee-af4c-0242ac110005\"}, \"hash\": {\"value\": \"82B5F7770097973F2962C241C557369EC2D38E9A1BDA03176B9CA511F1CA56CF\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695676041528, \"lineage\": [\"familiar privilege canvas\"], \"namespace_pid\": 23, \"parent_process\": {\"name\": \"Cialis\", \"pid\": 21, \"file\": {\"attributes\": 83, \"name\": \"spirit.max\", \"owner\": {\"name\": \"Friend\", \"type\": \"User\", \"uid\": \"84999e10-5be7-11ee-914b-0242ac110005\", \"type_id\": 1, \"email_addr\": \"Pamelia@directed.com\"}, \"type\": \"Regular File\", \"version\": \"1.0.0\", \"path\": \"fish largest alberta/solutions.deskthemepack/spirit.max\", \"desc\": \"escape steady bow\", \"type_id\": 1, \"parent_folder\": \"fish largest alberta/solutions.deskthemepack\", \"hashes\": [{\"value\": \"718C92FD5ECC9B483CA9A76E309BD60F7DAD6035254FAD5EA9430568F36EB16D5532657DE90C3B3B41896C8A9B601BF1E1083D5BB299127118B535C347D13549\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"D13D53927A745D27511C298846343093D7E92D919905B6C22ABBF727AD18EF7E3B3850949F8CC772390749C8644B5CF6F8618FEF524E9589DB73F57FE128AA88\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}]}, \"user\": {\"name\": \"Apartments\", \"type\": \"ad\", \"uid\": \"8499b5da-5be7-11ee-b276-0242ac110005\", \"type_id\": 99, \"uid_alt\": \"serving turbo spy\"}, \"uid\": \"8499bc88-5be7-11ee-b028-0242ac110005\", \"session\": {\"uid\": \"8499ca0c-5be7-11ee-aae9-0242ac110005\", \"created_time\": 1695676041534, \"expiration_time\": 1695676041542, \"is_remote\": true}, \"cmd_line\": \"in blowing memorial\", \"container\": {\"name\": \"france sg charger\", \"size\": 1048383191, \"tag\": \"deserve focused select\", \"uid\": \"8499d164-5be7-11ee-a7e8-0242ac110005\", \"image\": {\"name\": \"robert through mailing\", \"tag\": \"struggle gerald weather\", \"uid\": \"8499d704-5be7-11ee-b617-0242ac110005\"}, \"hash\": {\"value\": 
\"6B2A589B76A482CD379A7FF8AF13EE0F9ABF937DE60010068FEC808F5B6B22521C2A28C7F48BC5C2EDC81EAE5E5812D95F5E0F3DF5685571E5DB36B146DB82EC\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, \"network_driver\": \"catch sun general\", \"orchestrator\": \"sf varieties queries\"}, \"created_time\": 1695676041539, \"integrity\": \"faculty hardcover generated\", \"namespace_pid\": 79, \"parent_process\": {\"name\": \"Devices\", \"pid\": 90, \"file\": {\"name\": \"premises.sln\", \"owner\": {\"name\": \"Welcome\", \"type\": \"User\", \"type_id\": 1, \"account\": {\"name\": \"discs outlets general\", \"type\": \"Mac OS Account\", \"uid\": \"8499eb2c-5be7-11ee-86b7-0242ac110005\", \"type_id\": 7}}, \"type\": \"ships\", \"path\": \"ralph tales librarian/simpsons.psd/premises.sln\", \"type_id\": 99, \"creator\": {\"name\": \"Booking\", \"type\": \"System\", \"domain\": \"coupons dropped pantyhose\", \"uid\": \"8499f1ee-5be7-11ee-a02c-0242ac110005\", \"type_id\": 3}, \"parent_folder\": \"ralph tales librarian/simpsons.psd\", \"hashes\": [{\"value\": \"F01EB1DD5E5D955CF3DA810E1FAABA4136E09F5EF69DA3753223183EF836741A617AAAEB52D8B014D900A4A11B94974298F7D3C4EAE57C107CF3A3230AD34188\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"modified_time_dt\": \"2023-09-25T21:07:21.531893Z\"}, \"user\": {\"name\": \"Immediate\", \"type\": \"Unknown\", \"uid\": \"849a06c0-5be7-11ee-acfe-0242ac110005\", \"org\": {\"name\": \"velvet days pubs\", \"ou_name\": \"brake craps campaign\"}, \"groups\": [{\"uid\": \"849a1124-5be7-11ee-9a8e-0242ac110005\", \"privileges\": [\"independent vegetables assisted\", \"refinance lee seating\"]}, {\"name\": \"div violence strange\", \"uid\": \"849a1674-5be7-11ee-aa3b-0242ac110005\"}], \"type_id\": 0}, \"uid\": \"849a1af2-5be7-11ee-82a9-0242ac110005\", \"cmd_line\": \"text ana range\", \"container\": {\"name\": \"own drawing acute\", \"size\": 1512724327, \"uid\": \"849a2420-5be7-11ee-94c5-0242ac110005\", \"image\": {\"name\": \"layers branch lucas\", \"tag\": 
\"nations chances trips\", \"uid\": \"849a32bc-5be7-11ee-86bb-0242ac110005\"}, \"hash\": {\"value\": \"79F7EED760813BF63DC0EE7F986F1CC6345DD170AB03CA1350684CB8720E3C67F9FCE3B075A22266EB0C66A1CDA2D3BD540E777D9A294433377B83DB6DE3D6DB\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695676041533, \"lineage\": [\"guru hosted bradley\"], \"namespace_pid\": 39, \"parent_process\": {\"name\": \"Bags\", \"file\": {\"attributes\": 22, \"name\": \"hunt.ppt\", \"type\": \"Local Socket\", \"type_id\": 5, \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"value\": \"6FD1E1613C3918067E01585E32D4AA461C485DF01C56BD5A294FD82B353B5EC64A7EBAED614D28451E3AECB3ACA75900593A20D8AE7F7A1E2CF9DD4F0496B9C4\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"B66E94D9133A6E41392C5AFCBF3F6EEB29E45C041350255AEE34ADD6C4E6BD15FF9060177954793B5D078A8802B4B1ADDD73BECACB7D5827D9A1CB9F96D5E153\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": false, \"modified_time_dt\": \"2023-09-25T21:07:21.533963Z\"}, \"user\": {\"name\": \"Sisters\", \"type\": \"rebound\", \"uid\": \"849a52ce-5be7-11ee-a468-0242ac110005\", \"type_id\": 99, \"full_name\": \"Elisa Cleora\"}, \"uid\": \"849a5d78-5be7-11ee-ac24-0242ac110005\", \"cmd_line\": \"merchandise initiatives accessibility\", \"container\": {\"name\": \"apartment drunk amateur\", \"size\": 3702557326, \"uid\": \"849a646c-5be7-11ee-90ce-0242ac110005\", \"image\": {\"name\": \"evaluating apartments disaster\", \"uid\": \"849a6a66-5be7-11ee-95e4-0242ac110005\"}, \"hash\": {\"value\": \"12FC9239ABF2C07159EBC92013171DA43175589170BD05B55220534634A9D1FEFC88B117A95FCE4FE3C5A5FEDB9DC4EB3F700C0386931C889F815E86BCD4B509\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}}, \"created_time\": 1695676041535, \"namespace_pid\": 29, \"parent_process\": {\"name\": \"Sen\", \"pid\": 13, \"file\": {\"attributes\": 35, \"name\": \"hardware.wma\", \"owner\": {\"name\": \"Asia\", 
\"type\": \"meetup\", \"uid\": \"849a7ac4-5be7-11ee-a06d-0242ac110005\", \"type_id\": 99}, \"type\": \"Unknown\", \"path\": \"interactions malta thoughts/laden.pdf/hardware.wma\", \"signature\": {\"digest\": {\"value\": \"3188206324B062751CE36D4251C19C94\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, \"algorithm\": \"Authenticode\", \"algorithm_id\": 4}, \"type_id\": 0, \"parent_folder\": \"interactions malta thoughts/laden.pdf\", \"hashes\": [{\"value\": \"6BD48B1E57856137037BFEE4DEC8D57F\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"user\": {\"name\": \"Round\", \"type\": \"System\", \"uid\": \"849a900e-5be7-11ee-9894-0242ac110005\", \"type_id\": 3, \"full_name\": \"Marisela Towanda\", \"account\": {\"name\": \"fragrances bulk specialty\", \"type\": \"LDAP Account\", \"uid\": \"849a9702-5be7-11ee-9f5d-0242ac110005\", \"type_id\": 1}, \"credential_uid\": \"849a9afe-5be7-11ee-b27a-0242ac110005\", \"email_addr\": \"Wava@promises.info\"}, \"uid\": \"849a9ed2-5be7-11ee-ae61-0242ac110005\", \"cmd_line\": \"recordings countries slides\", \"container\": {\"name\": \"distant modeling monaco\", \"runtime\": \"peace up sailing\", \"uid\": \"849aa490-5be7-11ee-bb98-0242ac110005\", \"image\": {\"name\": \"evanescence plans courts\", \"tag\": \"buy archives predict\", \"uid\": \"849aaa9e-5be7-11ee-a47a-0242ac110005\"}, \"hash\": {\"value\": \"383B6630E8241D34D54BFD689DECC0CAB88770D935667989A3A1DE8397F5520F\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695676041539, \"integrity\": \"bookings qc dictionaries\", \"lineage\": [\"lanka manufacture bra\", \"gibson implementation pope\"], \"namespace_pid\": 6, \"parent_process\": {\"name\": \"Impacts\", \"pid\": 86, \"file\": {\"name\": \"removal.obj\", \"type\": \"Named Pipe\", \"path\": \"jeff puts assignments/thing.msi/removal.obj\", \"type_id\": 6, \"parent_folder\": \"jeff puts assignments/thing.msi\", \"accessed_time\": 1695676041534, \"hashes\": [{\"value\": 
\"CE850E16E049A60B4B8F465DC00ADBFB7207CC76FD94F5EBC335F637B8052B77\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"bureau myspace barrel\"}, \"user\": {\"name\": \"Alliance\", \"type\": \"Admin\", \"domain\": \"statistical poland gregory\", \"uid\": \"849abe76-5be7-11ee-a5a1-0242ac110005\", \"org\": {\"name\": \"nyc kidney drawings\", \"uid\": \"849accae-5be7-11ee-af7b-0242ac110005\"}, \"groups\": [{\"name\": \"accessed thanks instructions\", \"desc\": \"luggage species belkin\", \"uid\": \"849ad5fa-5be7-11ee-a0e9-0242ac110005\", \"privileges\": [\"flashing aol autumn\"]}, {\"name\": \"cognitive times agent\", \"uid\": \"849ada50-5be7-11ee-824e-0242ac110005\", \"privileges\": [\"sodium believed housing\", \"incorporated jungle asian\"]}], \"type_id\": 2, \"full_name\": \"Paul Julian\"}, \"uid\": \"849adea6-5be7-11ee-aa53-0242ac110005\", \"cmd_line\": \"amount anywhere suffered\", \"container\": {\"name\": \"author channel disappointed\", \"size\": 191473515, \"uid\": \"849aff08-5be7-11ee-80bd-0242ac110005\", \"image\": {\"name\": \"cross tray influenced\", \"tag\": \"afternoon counseling governance\", \"uid\": \"849b1f7e-5be7-11ee-bb9d-0242ac110005\"}, \"hash\": {\"value\": \"B7F1BFFEB47BCFB30F891852F769572A9816784BF4A4073805850F9F969A5335CFC878CACC9E0F8A71B547F60832FE712A59A7DD7DBD6E94BB9D155309EB3581\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"network_driver\": \"slovakia friend username\"}, \"created_time\": 1695676041539630, \"namespace_pid\": 49, \"parent_process\": {\"name\": \"Sampling\", \"pid\": 71, \"file\": {\"attributes\": 78, \"name\": \"human.pdb\", \"type\": \"Symbolic Link\", \"path\": \"let dawn representing/surrounding.dwg/human.pdb\", \"product\": {\"name\": \"heavy payroll timothy\", \"version\": \"1.0.0\", \"uid\": \"849b3fd6-5be7-11ee-83d2-0242ac110005\", \"feature\": {\"name\": \"metric th alt\", \"version\": \"1.0.0\", \"uid\": \"849b46a2-5be7-11ee-824d-0242ac110005\"}, \"vendor_name\": \"rv 
brother vaccine\"}, \"type_id\": 7, \"accessor\": {\"name\": \"Dragon\", \"type\": \"System\", \"uid\": \"849b52b4-5be7-11ee-863c-0242ac110005\", \"type_id\": 3, \"credential_uid\": \"849b5b88-5be7-11ee-af7a-0242ac110005\"}, \"parent_folder\": \"let dawn representing/surrounding.dwg\", \"hashes\": [{\"value\": \"AABE45CE23939AE53AA3AF15C6123A6ED98FC106E4C7491B89A814D8EB040F3B9D5842B5A215D1D27ED1B4DC8DD3D3F0D50197DD105E37461661D98A23E0917C\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695676041541, \"modified_time_dt\": \"2023-09-25T21:07:21.541163Z\", \"created_time_dt\": \"2023-09-25T21:07:21.541195Z\"}, \"user\": {\"name\": \"Particles\", \"type\": \"User\", \"domain\": \"lexmark refers dylan\", \"uid\": \"849b6916-5be7-11ee-a01e-0242ac110005\", \"type_id\": 1, \"email_addr\": \"Yelena@communities.nato\"}, \"uid\": \"849b6dee-5be7-11ee-84f0-0242ac110005\", \"cmd_line\": \"techno now vid\", \"created_time\": 1695676041593, \"lineage\": [\"qualify insight reproduce\", \"placing download tomato\"], \"namespace_pid\": 91, \"parent_process\": {\"name\": \"Foundation\", \"pid\": 41, \"file\": {\"name\": \"sunday.crdownload\", \"size\": 1384349588, \"type\": \"Unknown\", \"path\": \"designing designed kim/butts.crx/sunday.crdownload\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"annually ic quest\", \"issuer\": \"cooperation worldcat southwest\", \"fingerprints\": [{\"value\": \"A1636B226D49D354EAD09345190417B47EC13762648D8C196823FB556456DD5A2ED39FDF2ADE536CF2D0AFA33A47F9404800085FE205A49A4DA6C280AF603AA9\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"created_time\": 1695676041542, \"expiration_time\": 1695676041577, \"serial_number\": \"distributed characters bin\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time_dt\": \"2023-09-25T21:07:21.542032Z\"}, \"product\": {\"name\": \"nights validity updated\", \"version\": \"1.0.0\", \"uid\": \"849b866c-5be7-11ee-a7ff-0242ac110005\", 
\"feature\": {\"name\": \"seminar automatic gui\", \"version\": \"1.0.0\", \"uid\": \"849b9742-5be7-11ee-9904-0242ac110005\"}, \"lang\": \"en\", \"url_string\": \"however\", \"vendor_name\": \"favorite album ncaa\"}, \"type_id\": 0, \"accessor\": {\"name\": \"Xhtml\", \"type\": \"disabilities\", \"uid\": \"849ba016-5be7-11ee-8738-0242ac110005\", \"type_id\": 99, \"email_addr\": \"Stormy@postcard.mobi\"}, \"creator\": {\"name\": \"Tap\", \"type\": \"User\", \"domain\": \"neural fig colin\", \"org\": {\"name\": \"timing process palestinian\", \"uid\": \"849bad9a-5be7-11ee-9fa0-0242ac110005\", \"ou_name\": \"step mouth drunk\"}, \"type_id\": 1, \"full_name\": \"Otelia Kori\"}, \"mime_type\": \"talked/wishlist\", \"parent_folder\": \"designing designed kim/butts.crx\", \"hashes\": [{\"value\": \"A5064ED27DDBDCBA4CBCADF1DB39DA3F2EEE6B58C7A1239C64CABA643C220D3F292A1DE7E239A9314ECD04E09E02E1289265DB1375370F0E2CB9844F235B40B9\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"is_system\": true, \"modified_time\": 1695676041546}, \"user\": {\"name\": \"Certain\", \"type\": \"Unknown\", \"uid\": \"849bb81c-5be7-11ee-bbec-0242ac110005\", \"groups\": [{\"name\": \"penn laundry woods\", \"type\": \"powerpoint jump hospitality\", \"desc\": \"twenty protection innovative\", \"uid\": \"849bbdee-5be7-11ee-95a2-0242ac110005\"}, {\"uid\": \"849bc780-5be7-11ee-9955-0242ac110005\"}], \"type_id\": 0, \"email_addr\": \"Reba@contemporary.mobi\", \"uid_alt\": \"technical critics nationally\"}, \"tid\": 86, \"uid\": \"849bcfb4-5be7-11ee-b896-0242ac110005\", \"session\": {\"uid\": \"849bd89c-5be7-11ee-bbae-0242ac110005\", \"issuer\": \"mind file superior\", \"created_time\": 1695676041544, \"is_remote\": true}, \"loaded_modules\": [\"/aims/hammer/duke/implementation/roland.jar\", \"/illustration/reads/adaptation/ppc/footage.cab\"], \"cmd_line\": \"treatments proceeding assumed\", \"created_time\": 1695676041548, \"integrity\": \"written\", \"integrity_id\": 99, \"lineage\": [\"tenant 
surveillance nature\", \"securities joining bite\"], \"parent_process\": {\"name\": \"Restore\", \"pid\": 74, \"file\": {\"name\": \"moral.kmz\", \"type\": \"Local Socket\", \"path\": \"suit who pics/arrange.torrent/moral.kmz\", \"type_id\": 5, \"accessor\": {\"name\": \"Qualities\", \"type\": \"Unknown\", \"domain\": \"operates collectables presentations\", \"uid\": \"849bf00c-5be7-11ee-a0de-0242ac110005\", \"type_id\": 0, \"uid_alt\": \"welsh constraints elimination\"}, \"parent_folder\": \"suit who pics/arrange.torrent\", \"accessed_time\": 1695676044937, \"created_time\": 1695676041545, \"hashes\": [{\"value\": \"BADBDA50632954800C02D40EB49D1BEF8E5A883D\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"22B65F9CC3DDECE17BC92C741314C0C01D6C398B477BCFE22CCB63F4975A066119C2A3F4E9BDC342383345BCEEA9046C0573AEA278C1EBD8E1578337B1640606\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": false}, \"cmd_line\": \"remain weird municipal\", \"container\": {\"name\": \"anthony serial medline\", \"size\": 2006500672, \"uid\": \"849c059c-5be7-11ee-b620-0242ac110005\", \"image\": {\"name\": \"titten live cvs\", \"uid\": \"849c105a-5be7-11ee-8337-0242ac110005\"}, \"hash\": {\"value\": \"53CB2A3DF41EA583C9DAD815CC228E623D600CA69DD3B138EBA03828A95C399AC2319E8C246FAF2EB345362B0931618009C8A5FF4C8E100C7B414107D51F849D\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695676041542, \"integrity\": \"High\", \"integrity_id\": 4, \"namespace_pid\": 8, \"parent_process\": {\"pid\": 20, \"file\": {\"attributes\": 79, \"name\": \"revolution.vcf\", \"owner\": {\"name\": \"Sunny\", \"type\": \"Unknown\", \"uid\": \"849c24fa-5be7-11ee-93d2-0242ac110005\", \"type_id\": 0, \"email_addr\": \"Suzan@communicate.coop\"}, \"type\": \"Folder\", \"version\": \"1.0.0\", \"path\": \"nintendo smilies thank/ought.vb/revolution.vcf\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"microwave marriott okay\", \"issuer\": 
\"foundation review shaft\", \"fingerprints\": [{\"value\": \"35C90137B6BD19F8D464173B9904DBFA60D62BFF8BCBCF99235987ACC2D4840DBA02F991522C533C211C54B3A1016A0A76AF0578E30D0190414926A1EA56FEB7\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1695676041548, \"expiration_time\": 1695676041514, \"serial_number\": \"windsor sponsor google\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3}, \"product\": {\"name\": \"pci invasion producers\", \"version\": \"1.0.0\", \"uid\": \"849c3e4a-5be7-11ee-80be-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"australian payments crm\"}, \"type_id\": 2, \"accessor\": {\"name\": \"Class\", \"type\": \"pie\", \"type_id\": 99, \"full_name\": \"Crysta Damaris\", \"account\": {\"name\": \"cards gratis necklace\", \"type\": \"Apple Account\", \"type_id\": 8}, \"uid_alt\": \"linux has luis\"}, \"company_name\": \"Mckenzie Ardith\", \"creator\": {\"type\": \"selected\", \"domain\": \"glass outlet lopez\", \"uid\": \"849c4b2e-5be7-11ee-9c0b-0242ac110005\", \"org\": {\"name\": \"reproductive balloon stanley\", \"uid\": \"849c5060-5be7-11ee-b740-0242ac110005\", \"ou_name\": \"pick rear governance\", \"ou_uid\": \"849c5470-5be7-11ee-b89d-0242ac110005\"}, \"groups\": [{\"name\": \"suspected contributor counting\", \"type\": \"vacations wines biological\", \"uid\": \"849c5ae2-5be7-11ee-97a7-0242ac110005\"}], \"type_id\": 99}, \"parent_folder\": \"nintendo smilies thank/ought.vb\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"hashes\": [{\"value\": \"1B8BF6AF4C4E0F5A64ED59860F5673F5762D1E214D4B3127BAC626D3811952EAF98972460DF098DEAB2B6D4FF02723546AEBA4108F2A03A20044552141A4447E\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"221C1DF278F5DBE8C04CCC89DB66A355ABA13C3F27B4E23A19D0E73C64E5E9A7951D5102BA2F416429122A6110C57ED22F7216EB73939FF0E7E4BDB574A90CC4\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"is_system\": false, \"security_descriptor\": \"recommended approve 
environment\"}, \"uid\": \"849c61f4-5be7-11ee-8006-0242ac110005\", \"cmd_line\": \"arrangements makes handy\", \"container\": {\"name\": \"yahoo plains basically\", \"uid\": \"849c6776-5be7-11ee-94b5-0242ac110005\", \"image\": {\"name\": \"capabilities huge hometown\", \"uid\": \"849c6d2a-5be7-11ee-a411-0242ac110005\", \"labels\": [\"mumbai\"]}, \"hash\": {\"value\": \"FC25F43E993A1FB725021E78097481FDD1FECA2EC91BF14AE34067FC31DBCD1005D4B0AFC4F050872672CC3EAB72236EADE80DFF4CCBB844F8ED0489F697D2F1\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695676041544, \"namespace_pid\": 13, \"parent_process\": {\"name\": \"Tell\", \"file\": {\"name\": \"world.jpg\", \"type\": \"Block Device\", \"path\": \"blend roommates closed/died.docx/world.jpg\", \"modifier\": {\"name\": \"Heritage\", \"type\": \"System\", \"domain\": \"ln resolved couple\", \"uid\": \"849c8878-5be7-11ee-98bd-0242ac110005\", \"type_id\": 3, \"email_addr\": \"Deloise@agreed.arpa\"}, \"type_id\": 4, \"mime_type\": \"engineer/habitat\", \"parent_folder\": \"blend roommates closed/died.docx\", \"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"hashes\": [{\"value\": \"3BC175E9CE56D1FC2D86AB6EA2EC56EB21930540B56A5B6E3840DFB64287ACAB\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"31588C71F04798D44E2202431AE7025AF3BC67EC8192E94F362A9B9121FB5AC23510026F8391A0A54234D8D0DB8D2DEBD112DEEF6AC598A11A194875191A4975\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"is_system\": true}, \"user\": {\"name\": \"Weather\", \"type\": \"Admin\", \"domain\": \"our installing clinical\", \"uid\": \"849ca4ca-5be7-11ee-b39c-0242ac110005\", \"org\": {\"name\": \"top riverside asthma\", \"uid\": \"849cb208-5be7-11ee-a4a6-0242ac110005\", \"ou_name\": \"stats dans soviet\"}, \"type_id\": 2, \"credential_uid\": \"849cc0f4-5be7-11ee-9c36-0242ac110005\"}, \"uid\": \"849cc522-5be7-11ee-aa87-0242ac110005\", \"session\": {\"uid\": \"849ccebe-5be7-11ee-a1ca-0242ac110005\", \"issuer\": 
\"volunteer meetings medline\", \"created_time\": 1695676041550, \"is_remote\": false, \"expiration_time_dt\": \"2023-09-25T21:07:21.550638Z\"}, \"loaded_modules\": [\"/rev/amazon/casino/june/fails.bin\", \"/credit/potential/lawsuit/clause/nine.bmp\"], \"cmd_line\": \"well absent shoe\", \"container\": {\"name\": \"hospitality walker vs\", \"size\": 1224758347, \"uid\": \"849cdd28-5be7-11ee-9250-0242ac110005\", \"image\": {\"name\": \"audio miracle leader\", \"uid\": \"849ce32c-5be7-11ee-b7a9-0242ac110005\"}, \"hash\": {\"value\": \"A813ED16B0B3E58FA959C0BA26A47058\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"created_time\": 1695676041555, \"lineage\": [\"achievement courage send\", \"expansion instructional agreements\"], \"namespace_pid\": 62, \"parent_process\": {\"name\": \"Airfare\", \"file\": {\"name\": \"flexible.vcxproj\", \"type\": \"Folder\", \"product\": {\"name\": \"external polar galaxy\", \"version\": \"1.0.0\", \"lang\": \"en\", \"vendor_name\": \"hack infection generator\"}, \"type_id\": 2, \"mime_type\": \"silicon/limousines\", \"confidentiality\": \"venue rl epa\", \"hashes\": [{\"value\": \"2347F66D3EE9CCBD7191F650BE1EF4F94E8B6ED61D543709A1A907FBC76BFC089577CB78BFA772DA65746573746C4AB26AF19E7A8E9DB821E3979ED04051B9BC\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"256D62122A8BA5E06B613EAD639B79BA7875995217AC6E2C854DBB610631D33C\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"modified_time\": 1695676041500, \"xattributes\": {}, \"created_time_dt\": \"2023-09-25T21:07:21.551631Z\"}, \"user\": {\"name\": \"Track\", \"type\": \"Unknown\", \"uid\": \"849cfe70-5be7-11ee-b38b-0242ac110005\", \"type_id\": 0, \"account\": {\"name\": \"strict manufactured invest\", \"type\": \"AWS IAM User\", \"uid\": \"849d0500-5be7-11ee-97bd-0242ac110005\", \"type_id\": 3}, \"credential_uid\": \"849d08ca-5be7-11ee-bfe2-0242ac110005\"}, \"cmd_line\": \"challenges prompt cumulative\", \"container\": {\"name\": \"develop affiliates 
required\", \"size\": 2138922450, \"uid\": \"849d0e7e-5be7-11ee-a8e4-0242ac110005\", \"image\": {\"name\": \"charges fragrances complex\", \"uid\": \"849d1342-5be7-11ee-a4ca-0242ac110005\"}, \"hash\": {\"value\": \"6E73C76AD0B2D03EB35088BB834D7A1949E2174F0288EAC8066F5CC920923FEC2568825E7A9B3B3B871DC2AA82AD34DAC42A8E327CAD3D3E720D2ADD7C13CAB0\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, \"network_driver\": \"familiar movies legitimate\", \"pod_uuid\": \"legally\"}, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"namespace_pid\": 2, \"parent_process\": {\"name\": \"Eternal\", \"pid\": 76, \"file\": {\"attributes\": 44, \"name\": \"uzbekistan.jar\", \"type\": \"Block Device\", \"uid\": \"849d2170-5be7-11ee-a637-0242ac110005\", \"type_id\": 4, \"mime_type\": \"will/executed\", \"hashes\": [{\"value\": \"8A25185F3C5523EF3B08C1ECDD83016224863C95\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"6B9ED75DAE7A1E692073FC400B558EA4\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"xattributes\": {}}, \"user\": {\"name\": \"Manager\", \"type\": \"legs\", \"uid\": \"849d2c24-5be7-11ee-953d-0242ac110005\", \"type_id\": 99, \"email_addr\": \"Josefina@holders.museum\"}, \"uid\": \"849d308e-5be7-11ee-a5ad-0242ac110005\", \"cmd_line\": \"reporter techno regarded\", \"container\": {\"name\": \"cpu mission hacker\", \"runtime\": \"cables vanilla amendments\", \"size\": 1820268463, \"uid\": \"849d3caa-5be7-11ee-9fe6-0242ac110005\", \"image\": {\"uid\": \"849d468c-5be7-11ee-85e3-0242ac110005\", \"labels\": [\"responsibility\"]}, \"hash\": {\"value\": \"0895F371F264F7E3AA4A79B16A3C6EEAABE10BBF6A7DC2B7D8DD4F14B3C6F05D\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, \"orchestrator\": \"helpful pasta matthew\"}, \"namespace_pid\": 84, \"parent_process\": {\"name\": \"Music\", \"pid\": 28, \"file\": {\"name\": \"titanium.avi\", \"type\": \"Unknown\", \"path\": \"slideshow configurations lens/nations.flv/titanium.avi\", \"desc\": \"closed hydraulic 
connecting\", \"type_id\": 0, \"company_name\": \"Frederica Hertha\", \"parent_folder\": \"slideshow configurations lens/nations.flv\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"created_time\": 1695676041554, \"hashes\": [{\"value\": \"5C5069744142886E3127F2CCFE145C68A0B1A4DFA3BB504B858390D851E16A9F\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"xattributes\": {}, \"created_time_dt\": \"2023-09-25T21:07:21.554150Z\"}, \"user\": {\"name\": \"Be\", \"type\": \"types\", \"uid\": \"849d60a4-5be7-11ee-98cb-0242ac110005\", \"type_id\": 99}, \"uid\": \"849d64dc-5be7-11ee-b02a-0242ac110005\", \"container\": {\"size\": 1668291787, \"uid\": \"849d7cce-5be7-11ee-80f3-0242ac110005\", \"image\": {\"name\": \"curtis burns park\", \"uid\": \"849d83f4-5be7-11ee-8f40-0242ac110005\", \"labels\": [\"fix\"]}, \"hash\": {\"value\": \"308FD1FED7D34B9AFAB9224FF617D64E4CA9AC20FC59F1FB3B80AB2CBB1511245EC668E138B6C330D86E2B874BD66ED33E16E931B3D344A8365BE63CAB39562C\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"network_driver\": \"surely assistance actively\", \"pod_uuid\": \"gardening\"}, \"created_time\": 1695676041553, \"integrity\": \"System\", \"integrity_id\": 5, \"parent_process\": {\"name\": \"Surprise\", \"pid\": 50, \"file\": {\"name\": \"opening.vob\", \"type\": \"Local Socket\", \"path\": \"venezuela flyer seller/os.kml/opening.vob\", \"modifier\": {\"name\": \"Infected\", \"type\": \"User\", \"uid\": \"849d94de-5be7-11ee-b30d-0242ac110005\", \"type_id\": 1, \"full_name\": \"Katheryn Kena\"}, \"type_id\": 5, \"accessor\": {\"name\": \"Mine\", \"type\": \"fcc\", \"uid\": \"849da17c-5be7-11ee-9d3a-0242ac110005\", \"type_id\": 99, \"account\": {\"name\": \"hourly toll disappointed\", \"uid\": \"849dabd6-5be7-11ee-ba6a-0242ac110005\"}, \"credential_uid\": \"849db838-5be7-11ee-8a18-0242ac110005\"}, \"parent_folder\": \"venezuela flyer seller/os.kml\", \"hashes\": [{\"value\": \"599DCCE2998A6B40B1E38E8C6006CB0A\", \"algorithm\": \"MD5\", 
\"algorithm_id\": 1}, {\"value\": \"E3C48119D2F351FBEB28EABE137BB8D7969A9AA7CEBF71A153DA4670481EFAAB267B6B39C0EDBDDAF4DD1B9E9B5FF0B28D72E0A5FA27336A282A0FDBA4D0C9D4\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"modified_time\": 1695676041557, \"security_descriptor\": \"graham occupations become\"}, \"user\": {\"name\": \"Simulations\", \"type\": \"User\", \"uid\": \"849debb4-5be7-11ee-bfac-0242ac110005\", \"type_id\": 1, \"account\": {\"type\": \"Windows Account\", \"uid\": \"849df820-5be7-11ee-82f1-0242ac110005\", \"type_id\": 2}, \"credential_uid\": \"849dfc62-5be7-11ee-a9bc-0242ac110005\"}, \"cmd_line\": \"pursuant proceed discussed\", \"container\": {\"name\": \"insight style ca\", \"runtime\": \"williams ng xhtml\", \"size\": 220440282, \"uid\": \"849e031a-5be7-11ee-b55b-0242ac110005\", \"image\": {\"name\": \"bubble architects vancouver\", \"path\": \"hairy pixel time\", \"uid\": \"849e0ebe-5be7-11ee-8341-0242ac110005\"}, \"hash\": {\"value\": \"8876489CE00D6D9FDF61ED1C773F047E\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"created_time\": 1695676041558, \"lineage\": [\"bk destinations est\", \"whose playback congressional\"], \"namespace_pid\": 54, \"parent_process\": {\"name\": \"Courage\", \"pid\": 5, \"file\": {\"name\": \"filled.mdb\", \"size\": 2881440001, \"type\": \"Character Device\", \"path\": \"disc dividend incentives/crucial.wps/filled.mdb\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"infectious replication lock\", \"issuer\": \"worker attended mel\", \"fingerprints\": [{\"value\": \"372885B9675F31EF37D14F711A430940E777638ADCB2F77B36D079076E38606F\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1695676041558, \"expiration_time\": 1695676041554, \"serial_number\": \"durham graham course\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"modifier\": {\"name\": \"Constraints\", \"type\": \"Unknown\", \"domain\": \"informational advisory mg\", \"uid\": 
\"849e2a2a-5be7-11ee-82b2-0242ac110005\", \"type_id\": 0}, \"product\": {\"name\": \"michigan slight torture\", \"version\": \"1.0.0\", \"path\": \"costumes somewhat qui\", \"uid\": \"849e3088-5be7-11ee-8510-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"franchise portland experiment\"}, \"type_id\": 3, \"accessor\": {\"name\": \"Intl\", \"type\": \"Unknown\", \"uid\": \"849e39a2-5be7-11ee-b3b8-0242ac110005\", \"type_id\": 0, \"full_name\": \"Lorna Francisco\"}, \"parent_folder\": \"disc dividend incentives/crucial.wps\", \"hashes\": [{\"value\": \"9471ED19416B8099E51855CB0EF61AE3\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"modified_time\": 1695676041563}, \"user\": {\"name\": \"Motorcycle\", \"type\": \"Admin\", \"uid\": \"849e4a46-5be7-11ee-bc81-0242ac110005\", \"type_id\": 2}, \"cmd_line\": \"peer rail specialist\", \"container\": {\"name\": \"priority mirrors although\", \"runtime\": \"rock relation block\", \"size\": 2559819198, \"uid\": \"849e509a-5be7-11ee-ad75-0242ac110005\", \"image\": {\"name\": \"committed plastic does\", \"uid\": \"849e6972-5be7-11ee-b803-0242ac110005\"}, \"network_driver\": \"conduct linking lb\"}, \"created_time\": 1695676041434, \"lineage\": [\"desktop lakes moscow\", \"barrel touch increasing\"], \"namespace_pid\": 13, \"parent_process\": {\"name\": \"Harley\", \"pid\": 38, \"file\": {\"name\": \"metabolism.gadget\", \"owner\": {\"type\": \"System\", \"uid\": \"849e86dc-5be7-11ee-9b00-0242ac110005\", \"org\": {\"name\": \"syndication joseph realized\", \"uid\": \"849e8ff6-5be7-11ee-be3f-0242ac110005\", \"ou_name\": \"advertise scored usr\", \"ou_uid\": \"849e9852-5be7-11ee-9c6a-0242ac110005\"}, \"type_id\": 3}, \"type\": \"Character Device\", \"path\": \"patch attempting mf/nashville.dxf/metabolism.gadget\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"signals book follow\", \"issuer\": \"database verse prince\", \"fingerprints\": [{\"value\": 
\"6467C5C0EA62DB25016E724973C845BA50F0BBD72AE91F11E4CB5F3884CF1852EC05AA4B971CA59B372F8DC7B8E49562276E89C888FFDE3DD41BFC2E88336E98\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"80A346634E5CD09AAFC3C417ABCE0C6A156B40EBB910123FAC486DC6197D24EC4C575301A8CC06D58FBAEEAE6F40E42B6D84FDA6996E06EE2F68282EA73FDA93\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"created_time\": 1695676041504, \"expiration_time\": 1695676041569, \"serial_number\": \"termination vi limitation\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3}, \"type_id\": 3, \"creator\": {\"type\": \"Unknown\", \"uid\": \"849edfe2-5be7-11ee-97f0-0242ac110005\", \"type_id\": 0, \"account\": {\"name\": \"workers observer lonely\", \"type\": \"GCP Account\", \"uid\": \"849ef310-5be7-11ee-b8e1-0242ac110005\", \"type_id\": 5}, \"email_addr\": \"Myrta@of.cat\"}, \"parent_folder\": \"patch attempting mf/nashville.dxf\", \"hashes\": [{\"value\": \"5F8105C9976CE93253600A074BD373A5286734FB9650F503EF4AD611A9422D3554C34BD6C2672159C2F485A59C83965804D6F2532A8DADF2749DF74B1B089C10\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"C1E19A5C30DB36D9FEA3088EBBCF2E05B7F2E3B108DA82565EF183591D036A615456960CA1BF3DEDAEF8450140669F4E45A239D12DE570D5B2322AEADAE0EE7B\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"accessed_time_dt\": \"2023-09-25T21:07:21.564734Z\"}, \"user\": {\"name\": \"Referenced\", \"type\": \"Admin\", \"type_id\": 2, \"full_name\": \"Lyndsay Ricky\"}, \"uid\": \"849f00ee-5be7-11ee-954b-0242ac110005\", \"cmd_line\": \"institutes yes inputs\", \"container\": {\"name\": \"missed foreign palmer\", \"size\": 903476370, \"uid\": \"849f0878-5be7-11ee-b335-0242ac110005\", \"image\": {\"name\": \"belfast interests activation\", \"uid\": \"849f1dc2-5be7-11ee-b432-0242ac110005\"}, \"hash\": {\"value\": \"7CA5C1BF6D37F1E7389DB34F7617B7101F65DED1\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}}, \"created_time\": 1695676041565, \"namespace_pid\": 44, \"terminated_time\": 
1695676041566, \"xattributes\": {}, \"created_time_dt\": \"2023-09-25T21:07:21.565824Z\"}}, \"sandbox\": \"final corporations performances\"}}, \"xattributes\": {}}}, \"sandbox\": \"distributor workshops maldives\"}}, \"sandbox\": \"upload stages deutsch\", \"xattributes\": {}, \"created_time_dt\": \"2023-09-25T21:07:21.565886Z\", \"terminated_time_dt\": \"2023-09-25T21:07:21.565891Z\"}, \"sandbox\": \"facial gossip lopez\", \"terminated_time\": 1695676041561, \"created_time_dt\": \"2023-09-25T21:07:21.565904Z\", \"terminated_time_dt\": \"2023-09-25T21:07:21.565908Z\"}, \"sandbox\": \"compounds s time\", \"terminated_time\": 1695676041567}, \"sandbox\": \"romance volunteer entrepreneurs\"}}, \"xattributes\": {}}, \"sandbox\": \"moon exercise starring\", \"terminated_time\": 1695676041562}}, \"terminated_time\": 1695676041561}, \"xattributes\": {}}}, \"sandbox\": \"keeps pour rent\", \"terminated_time\": 1695676041566}, \"xattributes\": {}}, \"sandbox\": \"species tourism system\", \"terminated_time\": 1695676041564, \"xattributes\": {}}, \"terminated_time\": 1695676041564}}, \"user\": {\"name\": \"Turkish\", \"type\": \"metres\", \"domain\": \"jones cnet biz\", \"uid\": \"849f330c-5be7-11ee-aa02-0242ac110005\", \"org\": {\"name\": \"performed assignments undefined\", \"uid\": \"849f3870-5be7-11ee-8857-0242ac110005\", \"ou_name\": \"headquarters informal nigeria\"}, \"type_id\": 99}}, \"cloud\": {\"provider\": \"diego ins ext\", \"region\": \"kissing wi confidence\"}, \"enrichments\": [{\"data\": {\"wallpaper\": \"feded\"}, \"name\": \"hc saskatchewan quickly\", \"type\": \"thu loves strong\", \"value\": \"sword somebody equilibrium\", \"provider\": \"outlet toolkit person\"}, {\"data\": {\"drug\": \"drugg7899\"}, \"name\": \"tree cities corner\", \"type\": \"knife super bat\", \"value\": \"thy qualification booth\"}], \"expiration_time\": 1695676041527, \"severity_id\": 2, \"src_endpoint\": {\"name\": \"replaced wa unlock\", \"port\": 25780, \"ip\": 
\"175.16.199.1\", \"uid\": \"84972e82-5be7-11ee-8eac-0242ac110005\", \"hostname\": \"menu.travel\", \"instance_uid\": \"849732a6-5be7-11ee-bdb0-0242ac110005\", \"interface_name\": \"grown reflect expressed\", \"interface_uid\": \"84973670-5be7-11ee-8000-0242ac110005\", \"svc_name\": \"stanford leisure analyzed\"}}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"message\": \"kelkoo interactions constitute\", \"status\": \"patch emma midi\", \"time\": 1695676041549, \"file\": {\"name\": \"amend.sh\", \"type\": \"Unknown\", \"desc\": \"arabic suits fun\", \"type_id\": 0, \"accessor\": {\"name\": \"Uruguay\", \"type\": \"User\", \"uid\": \"849f49fa-5be7-11ee-bfe2-0242ac110005\", \"org\": {\"name\": \"lottery political own\", \"uid\": \"849f501c-5be7-11ee-ab6f-0242ac110005\", \"ou_name\": \"confirmed towards declined\", \"ou_uid\": \"849f540e-5be7-11ee-841c-0242ac110005\"}, \"type_id\": 1}, \"hashes\": [{\"value\": \"4C3280C17F9D982CCBAC882AE1F48DAD224DBA938BEE87BF18E31C76B0C3B88B\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"A7F0A2AD03BE8938C945F65DB1A395CE9E98D67F9EE8D4CA97D687FBB394B64FA0AEB15F5B1D82A2922B62320B77DBA842BBEDEE2B5E15D7A883665ADE3F7C2B\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time_dt\": \"2023-09-25T21:07:21.567190Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"describes static geological\", \"version\": \"1.0.0\", \"uid\": \"849714ce-5be7-11ee-981b-0242ac110005\", \"url_string\": \"avatar\", \"vendor_name\": \"highly got hook\"}, \"sequence\": 99, \"profiles\": [\"cloud\", \"container\", \"datetime\"], \"correlation_uid\": \"84971e10-5be7-11ee-b5e7-0242ac110005\", \"log_name\": \"proud iso ticket\", \"log_provider\": \"cb indexes boxing\", \"original_time\": \"tournaments leisure comedy\", \"modified_time_dt\": \"2023-09-25T21:07:21.513376Z\", \"processed_time_dt\": 
\"2023-09-25T21:07:21.513394Z\"}, \"start_time\": 1695676041445, \"severity\": \"Low\", \"type_name\": \"Network File Activity: Rename\", \"activity_id\": 5, \"type_uid\": 401005, \"observables\": [{\"name\": \"except visitor vbulletin\", \"type\": \"Uniform Resource Locator\", \"type_id\": 23}, {\"name\": \"hong rhode para\", \"type\": \"Process Name\", \"type_id\": 9}], \"category_name\": \"Network Activity\", \"class_uid\": 4010, \"category_uid\": 4, \"class_name\": \"Network File Activity\", \"timezone_offset\": 42, \"activity_name\": \"Rename\", \"actor\": {\"process\": {\"name\": \"Qualification\", \"pid\": 42, \"file\": {\"attributes\": 9, \"name\": \"citations.gpx\", \"type\": \"Character Device\", \"path\": \"telling saved challenge/wrapped.tga/citations.gpx\", \"type_id\": 3, \"parent_folder\": \"telling saved challenge/wrapped.tga\"}, \"user\": {\"name\": \"Aquatic\", \"type\": \"System\", \"uid\": \"84975f7e-5be7-11ee-bfad-0242ac110005\", \"type_id\": 3, \"account\": {\"name\": \"suspended cg sisters\", \"uid\": \"8497655a-5be7-11ee-ab52-0242ac110005\"}}, \"tid\": 17, \"uid\": \"849768e8-5be7-11ee-a428-0242ac110005\", \"cmd_line\": \"goals happen dad\", \"container\": {\"name\": \"ambien cloud eur\", \"size\": 2164055839, \"uid\": \"84977158-5be7-11ee-b042-0242ac110005\", \"image\": {\"name\": \"produced field obituaries\", \"path\": \"adaptive granny knew\", \"uid\": \"849779dc-5be7-11ee-8f66-0242ac110005\"}, \"network_driver\": \"cute desktops arrest\"}, \"created_time\": 1695676041514, \"namespace_pid\": 41, \"parent_process\": {\"file\": {\"name\": \"finance.3g2\", \"type\": \"wrap\", \"path\": \"attention matching forest/met.mpa/finance.3g2\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"mt minutes bids\", \"issuer\": \"shall systematic vatican\", \"fingerprints\": [{\"value\": \"B3305921648A755AA6C1E2C028691A6861EAE8922BAE5ACE52B76E01AD96DF87ECE4E22E06EDC6715A0CAE469323620A07CCC384FD40C69EBA60E8BBEE8EA805\", 
\"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"expiration_time\": 1695676041516, \"serial_number\": \"requirement sodium situated\", \"expiration_time_dt\": \"2023-09-25T21:07:21.516239Z\", \"created_time_dt\": \"2023-09-25T21:07:21.516247Z\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"desc\": \"surgeons settled advocacy\", \"type_id\": 99, \"creator\": {\"name\": \"Additionally\", \"type\": \"beat\", \"uid\": \"84979804-5be7-11ee-848b-0242ac110005\", \"type_id\": 99, \"full_name\": \"Kirstin Thersa\", \"credential_uid\": \"8497ab3c-5be7-11ee-8df1-0242ac110005\"}, \"parent_folder\": \"attention matching forest/met.mpa\", \"hashes\": [{\"value\": \"2675028478A31F71064C2D8CCA68C7FCA87605C294611E7C2294806CE87B596AD856077767F9D941E21BC5089906C5E6903FE622EE1FE19DB2E3FA8F1F1A8EE9\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"4D018BA6DBA4C03004FD6E10D1C02BD324F62DE46C5FE687431A2D4BF4335BB7\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"modified_time_dt\": \"2023-09-25T21:07:21.517084Z\"}, \"uid\": \"8497ba64-5be7-11ee-b3a6-0242ac110005\", \"session\": {\"uid\": \"8497c27a-5be7-11ee-8a34-0242ac110005\", \"issuer\": \"discussing capital ottawa\", \"created_time\": 1695676041516, \"credential_uid\": \"8497c716-5be7-11ee-bd7a-0242ac110005\"}, \"loaded_modules\": [\"/super/disclose/barnes/pg/california.png\", \"/ourselves/lynn/gpl/helped/narrow.tga\"], \"cmd_line\": \"bless addresses backgrounds\", \"container\": {\"name\": \"citizenship caribbean twisted\", \"size\": 2686118868, \"uid\": \"8497d15c-5be7-11ee-aa8b-0242ac110005\", \"image\": {\"name\": \"assistance grande an\", \"uid\": \"8497dec2-5be7-11ee-9c88-0242ac110005\"}, \"hash\": {\"value\": \"08759209B8F0A761FFF2B978AB8DAB0B6AE7B63C9AC9D3694BC0FED57BB2E27F5AAFB08486F656D6C6FE784F7DF07513FCB0975EC8B772EE000F56F793867A77\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}}, \"created_time\": 1695676041518, \"lineage\": [\"vhs mechanism dates\"], \"namespace_pid\": 97, 
\"parent_process\": {\"name\": \"Bid\", \"pid\": 26, \"file\": {\"name\": \"dame.svg\", \"type\": \"Regular File\", \"path\": \"wives pamela karl/articles.c/dame.svg\", \"modifier\": {\"name\": \"Complete\", \"type\": \"Unknown\", \"uid\": \"8497f38a-5be7-11ee-97c6-0242ac110005\", \"groups\": [{\"name\": \"winds seeking reply\", \"uid\": \"8497fde4-5be7-11ee-9733-0242ac110005\"}, {\"name\": \"hamburg roommate environment\", \"uid\": \"8498099c-5be7-11ee-ac6f-0242ac110005\"}], \"type_id\": 0}, \"type_id\": 1, \"parent_folder\": \"wives pamela karl/articles.c\", \"hashes\": [{\"value\": \"E7B2EBCA4F63795EBE380FFBEAB194BCF3E2EB5C74F10C6B8AAB95F4C0B8D7AC\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"AFD9AD7A88CFF487A60962E99C6219806726EB352DD1591D375AD3BB143C0DABBFBC6DBFFA5D99B3662AE82C9B7EED847E30B7EA516D2AD9DFF07D8775F8AE36\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"security_descriptor\": \"robinson queens graduate\", \"created_time_dt\": \"2023-09-25T21:07:21.519646Z\"}, \"user\": {\"name\": \"Shipment\", \"type\": \"Unknown\", \"uid\": \"84981f68-5be7-11ee-b652-0242ac110005\", \"type_id\": 0, \"uid_alt\": \"singh dim static\"}, \"uid\": \"849823d2-5be7-11ee-92d1-0242ac110005\", \"cmd_line\": \"harder interventions pb\", \"container\": {\"name\": \"kg sources houses\", \"runtime\": \"kate through furniture\", \"size\": 2387392206, \"uid\": \"849829cc-5be7-11ee-bb7a-0242ac110005\", \"hash\": {\"value\": \"6A9A10210588981DD8FAA6BE10E39F2C65E816FEFE4768884F7B0BB0A10CD9D6\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, \"pod_uuid\": \"kiss\"}, \"created_time\": 1695676041517, \"integrity\": \"they thermal eau\", \"lineage\": [\"attraction cord adjustment\", \"announcements summer introduce\"], \"namespace_pid\": 49, \"parent_process\": {\"name\": \"Jamie\", \"pid\": 28, \"file\": {\"name\": \"seq.wpd\", \"type\": \"Character Device\", \"path\": \"conflicts disability citysearch/ieee.dtd/seq.wpd\", \"modifier\": {\"name\": 
\"Officer\", \"type\": \"Admin\", \"uid\": \"84984362-5be7-11ee-af2c-0242ac110005\", \"type_id\": 2}, \"type_id\": 3, \"parent_folder\": \"conflicts disability citysearch/ieee.dtd\", \"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"created_time\": 1695676041520845, \"hashes\": [{\"value\": \"7D875B5EB312ADEF7D530DD6E43468170B094A5F54CA1AC26E7788A81A01238428E62D581423E70B05DA11F15513291EB10776B4E14DE1844072ACDF11BBDFD1\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"1100511F3469E3CDE7D081EC6E78154C8476D546F615EEEB37C4CDFBD41740440FC77660EE3A4B9C67DE81C63172A49F835656F85ED5E36A65A2A25E2A733358\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"name\": \"Knows\", \"type\": \"User\", \"domain\": \"sao uri flesh\", \"uid\": \"84984db2-5be7-11ee-ba4e-0242ac110005\", \"type_id\": 1}, \"uid\": \"8498530c-5be7-11ee-86f3-0242ac110005\", \"cmd_line\": \"creation defense carolina\", \"container\": {\"name\": \"hunt indicating radiation\", \"size\": 3179758248, \"tag\": \"reader prevention as\", \"uid\": \"84985df2-5be7-11ee-be06-0242ac110005\", \"hash\": {\"value\": \"666334EB7A1E55E189435FFF3F0CA7266F484FB44970AAFF3E72546D8B04B02ABB1A66B209CAFD44267701CA1392DF35B8EC3EECE0DC492D093880F2E4FF352C\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695676041527, \"namespace_pid\": 46, \"parent_process\": {\"name\": \"Arbor\", \"pid\": 20, \"file\": {\"name\": \"startup.3dm\", \"size\": 3504413585, \"type\": \"Named Pipe\", \"version\": \"1.0.0\", \"signature\": {\"certificate\": {\"subject\": \"shades bad tradition\", \"issuer\": \"previous price thing\", \"fingerprints\": [{\"value\": \"8E4DE5CC0D59311697B0D4061FDBFB4CB99E38121EA17CF740789A0CBC85B56703E1341C940E7A2220C02211CC84447A19061569BE42AC4A2C03010FB6CB1A75\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"205D64FF9B580AADBF4829EC41DD4EF0\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"created_time\": 1695676041522, \"expiration_time\": 
1695676041526, \"serial_number\": \"files the parish\", \"created_time_dt\": \"2023-09-25T21:07:21.521904Z\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"uid\": \"84987ae4-5be7-11ee-b247-0242ac110005\", \"type_id\": 6, \"created_time\": 1695676042262, \"hashes\": [{\"value\": \"60F202A3BE4EF214E24EA9D3555D194C\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"B0B2D200728B0DACE6CB6829F90EE31A9AD123FF1982012B003249D4F2C5351924E6DBBD1242EE722D4C5A0B80C983DC7B94DDD594FCFCEF4E63552956E2B26A\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"modified_time_dt\": \"2023-09-25T21:07:21.522441Z\"}, \"user\": {\"name\": \"Provided\", \"type\": \"Admin\", \"uid\": \"84988e80-5be7-11ee-bf3c-0242ac110005\", \"type_id\": 2, \"full_name\": \"Karoline Meggan\", \"email_addr\": \"Elza@girls.mil\"}, \"uid\": \"84989376-5be7-11ee-9216-0242ac110005\", \"cmd_line\": \"plan agents converter\", \"container\": {\"name\": \"thongs routine an\", \"size\": 2099983603, \"uid\": \"84989948-5be7-11ee-b4fb-0242ac110005\", \"image\": {\"name\": \"extending construction inkjet\", \"path\": \"empirical precipitation builder\", \"uid\": \"84989f42-5be7-11ee-8820-0242ac110005\", \"labels\": [\"golf\", \"nov\"]}, \"hash\": {\"value\": \"E7EFDA40B1C94805070CD9BF9638AE27\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"created_time\": 1695676041523226, \"integrity\": \"conspiracy unions allocated\", \"parent_process\": {\"name\": \"Processes\", \"pid\": 49, \"file\": {\"name\": \"considerations.jar\", \"type\": \"Local Socket\", \"path\": \"roger economy macro/mesh.gadget/considerations.jar\", \"type_id\": 5, \"accessor\": {\"name\": \"Wildlife\", \"type\": \"Admin\", \"uid\": \"8498c030-5be7-11ee-80d9-0242ac110005\", \"type_id\": 2, \"full_name\": \"Twyla Cherise\", \"email_addr\": \"Shin@cause.mobi\", \"uid_alt\": \"excellent far varied\"}, \"mime_type\": \"star/flyer\", \"parent_folder\": \"roger economy macro/mesh.gadget\", \"created_time\": 1695676041524, \"hashes\": 
[{\"value\": \"707CF5E50A11D69874235DED9A045B6AB42439F7495DED03049CB7E997949E8B014295A25059CD1A9F06BFE9E4101ED176615E69D43FE199E849DEC0BC4AEB4D\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"6F487B974BDB9DBDF014F50502D9F70BC2630E6C974E4C6E6AA2EB3BEC95A3BDCA7AE609DA34179E0677F042734A767ADA4F6CA04788916644262CDC60BC2FB2\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Hour\", \"type\": \"insert\", \"uid\": \"8498cd14-5be7-11ee-94d7-0242ac110005\", \"type_id\": 99, \"uid_alt\": \"organizations guild beds\"}, \"uid\": \"8498d430-5be7-11ee-b1bf-0242ac110005\", \"cmd_line\": \"sixth pc peoples\", \"container\": {\"name\": \"warrior document workflow\", \"size\": 2697694450, \"uid\": \"8498da2a-5be7-11ee-9d00-0242ac110005\", \"image\": {\"name\": \"version treating tall\", \"uid\": \"8498df20-5be7-11ee-8257-0242ac110005\"}, \"hash\": {\"value\": \"F4001D4FD76B73412DB0EFD2C66F0AB3C27D9FE9BD375B1659A1DDDA68C17DC1C0F5402A6AE571DC073E94F1B720821E4208595D5BB4B13D917A12CE3DA53C1E\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, \"pod_uuid\": \"sas\"}, \"created_time\": 1695676041523, \"integrity\": \"aviation blame tion\", \"namespace_pid\": 76, \"parent_process\": {\"name\": \"Job\", \"pid\": 86, \"file\": {\"name\": \"pic.vcd\", \"owner\": {\"name\": \"Enquiry\", \"type\": \"minneapolis\", \"uid\": \"849901e4-5be7-11ee-bfe1-0242ac110005\", \"type_id\": 99, \"full_name\": \"Blythe Jamie\"}, \"type\": \"charged\", \"path\": \"const foreign pressed/among.ged/pic.vcd\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"strap liz boulder\", \"issuer\": \"everybody brunei disciplinary\", \"fingerprints\": [{\"value\": \"9E41EB47ABD226D92CFE27DBDA0C924C190A1B0C0136B09923B419089B013DF14CB58C38F651F710540E348BF800DFE364197904B11FFFAD98BB2B10006B28E2\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"3DE877DDFB06DB510E63893D98DDAC9524696C14\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], 
\"created_time\": 1695676041526, \"expiration_time\": 1695676045872, \"serial_number\": \"approaches symbol assembly\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"developer_uid\": \"84991526-5be7-11ee-a2ca-0242ac110005\", \"created_time_dt\": \"2023-09-25T21:07:21.526203Z\"}, \"uid\": \"84992264-5be7-11ee-8071-0242ac110005\", \"type_id\": 99, \"parent_folder\": \"const foreign pressed/among.ged\", \"accessed_time\": 1695676041556, \"confidentiality\": \"suburban ati mostly\", \"hashes\": [{\"value\": \"00EF9DADDE482AF5432B0BFC5F69023736D4A0ECD59F74884C4B8AD83D21429B78023351C5DBD07407EAB2BFA527A0586016DE3C92F37913920E221F7D452802\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"is_system\": false, \"modified_time_dt\": \"2023-09-25T21:07:21.526727Z\", \"created_time_dt\": \"2023-09-25T21:07:21.526737Z\"}, \"user\": {\"name\": \"Rice\", \"type\": \"Unknown\", \"uid\": \"84993312-5be7-11ee-b956-0242ac110005\", \"type_id\": 0, \"email_addr\": \"Renita@pete.cat\"}, \"uid\": \"8499377c-5be7-11ee-9164-0242ac110005\", \"container\": {\"name\": \"acquired minority slip\", \"size\": 2257875576, \"uid\": \"84993ce0-5be7-11ee-8a18-0242ac110005\", \"image\": {\"tag\": \"vocal trim jon\", \"uid\": \"849944f6-5be7-11ee-bc62-0242ac110005\"}}, \"namespace_pid\": 29, \"parent_process\": {\"pid\": 67, \"file\": {\"name\": \"tuner.pdb\", \"type\": \"Named Pipe\", \"version\": \"1.0.0\", \"path\": \"architectural pink phil/overview.dtd/tuner.pdb\", \"type_id\": 6, \"parent_folder\": \"architectural pink phil/overview.dtd\", \"hashes\": [{\"value\": \"44CA9EA761C2131C73960AD47472741B13D305EE2D07FE91E8F1B47F4F062B8A16DD3611E4439E4C163A7CF42F1AE5989CF9683117DB801FD1BC222A16618E19\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"C25DDA249CDECE9D908CC33ADCD16AA05E20290F\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"xattributes\": {}}, \"user\": {\"name\": \"Fantastic\", \"type\": \"Admin\", \"uid\": \"84995d06-5be7-11ee-8223-0242ac110005\", 
\"org\": {\"name\": \"dryer asn trying\", \"uid\": \"849963aa-5be7-11ee-b57a-0242ac110005\", \"ou_name\": \"wr r gibraltar\"}, \"type_id\": 2}, \"uid\": \"84996800-5be7-11ee-8754-0242ac110005\", \"cmd_line\": \"brush bouquet alto\", \"container\": {\"name\": \"deutschland pic newcastle\", \"size\": 797071549, \"uid\": \"84996db4-5be7-11ee-bada-0242ac110005\", \"image\": {\"name\": \"adipex into polo\", \"uid\": \"849984fc-5be7-11ee-af4c-0242ac110005\"}, \"hash\": {\"value\": \"82B5F7770097973F2962C241C557369EC2D38E9A1BDA03176B9CA511F1CA56CF\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695676041528, \"lineage\": [\"familiar privilege canvas\"], \"namespace_pid\": 23, \"parent_process\": {\"name\": \"Cialis\", \"pid\": 21, \"file\": {\"attributes\": 83, \"name\": \"spirit.max\", \"owner\": {\"name\": \"Friend\", \"type\": \"User\", \"uid\": \"84999e10-5be7-11ee-914b-0242ac110005\", \"type_id\": 1, \"email_addr\": \"Pamelia@directed.com\"}, \"type\": \"Regular File\", \"version\": \"1.0.0\", \"path\": \"fish largest alberta/solutions.deskthemepack/spirit.max\", \"desc\": \"escape steady bow\", \"type_id\": 1, \"parent_folder\": \"fish largest alberta/solutions.deskthemepack\", \"hashes\": [{\"value\": \"718C92FD5ECC9B483CA9A76E309BD60F7DAD6035254FAD5EA9430568F36EB16D5532657DE90C3B3B41896C8A9B601BF1E1083D5BB299127118B535C347D13549\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"D13D53927A745D27511C298846343093D7E92D919905B6C22ABBF727AD18EF7E3B3850949F8CC772390749C8644B5CF6F8618FEF524E9589DB73F57FE128AA88\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}]}, \"user\": {\"name\": \"Apartments\", \"type\": \"ad\", \"uid\": \"8499b5da-5be7-11ee-b276-0242ac110005\", \"type_id\": 99, \"uid_alt\": \"serving turbo spy\"}, \"uid\": \"8499bc88-5be7-11ee-b028-0242ac110005\", \"session\": {\"uid\": \"8499ca0c-5be7-11ee-aae9-0242ac110005\", \"created_time\": 1695676041534, \"expiration_time\": 1695676041542, \"is_remote\": true}, 
\"cmd_line\": \"in blowing memorial\", \"container\": {\"name\": \"france sg charger\", \"size\": 1048383191, \"tag\": \"deserve focused select\", \"uid\": \"8499d164-5be7-11ee-a7e8-0242ac110005\", \"image\": {\"name\": \"robert through mailing\", \"tag\": \"struggle gerald weather\", \"uid\": \"8499d704-5be7-11ee-b617-0242ac110005\"}, \"hash\": {\"value\": \"6B2A589B76A482CD379A7FF8AF13EE0F9ABF937DE60010068FEC808F5B6B22521C2A28C7F48BC5C2EDC81EAE5E5812D95F5E0F3DF5685571E5DB36B146DB82EC\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, \"network_driver\": \"catch sun general\", \"orchestrator\": \"sf varieties queries\"}, \"created_time\": 1695676041539, \"integrity\": \"faculty hardcover generated\", \"namespace_pid\": 79, \"parent_process\": {\"name\": \"Devices\", \"pid\": 90, \"file\": {\"name\": \"premises.sln\", \"owner\": {\"name\": \"Welcome\", \"type\": \"User\", \"type_id\": 1, \"account\": {\"name\": \"discs outlets general\", \"type\": \"Mac OS Account\", \"uid\": \"8499eb2c-5be7-11ee-86b7-0242ac110005\", \"type_id\": 7}}, \"type\": \"ships\", \"path\": \"ralph tales librarian/simpsons.psd/premises.sln\", \"type_id\": 99, \"creator\": {\"name\": \"Booking\", \"type\": \"System\", \"domain\": \"coupons dropped pantyhose\", \"uid\": \"8499f1ee-5be7-11ee-a02c-0242ac110005\", \"type_id\": 3}, \"parent_folder\": \"ralph tales librarian/simpsons.psd\", \"hashes\": [{\"value\": \"F01EB1DD5E5D955CF3DA810E1FAABA4136E09F5EF69DA3753223183EF836741A617AAAEB52D8B014D900A4A11B94974298F7D3C4EAE57C107CF3A3230AD34188\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"modified_time_dt\": \"2023-09-25T21:07:21.531893Z\"}, \"user\": {\"name\": \"Immediate\", \"type\": \"Unknown\", \"uid\": \"849a06c0-5be7-11ee-acfe-0242ac110005\", \"org\": {\"name\": \"velvet days pubs\", \"ou_name\": \"brake craps campaign\"}, \"groups\": [{\"uid\": \"849a1124-5be7-11ee-9a8e-0242ac110005\", \"privileges\": [\"independent vegetables assisted\", \"refinance lee seating\"]}, {\"name\": \"div 
violence strange\", \"uid\": \"849a1674-5be7-11ee-aa3b-0242ac110005\"}], \"type_id\": 0}, \"uid\": \"849a1af2-5be7-11ee-82a9-0242ac110005\", \"cmd_line\": \"text ana range\", \"container\": {\"name\": \"own drawing acute\", \"size\": 1512724327, \"uid\": \"849a2420-5be7-11ee-94c5-0242ac110005\", \"image\": {\"name\": \"layers branch lucas\", \"tag\": \"nations chances trips\", \"uid\": \"849a32bc-5be7-11ee-86bb-0242ac110005\"}, \"hash\": {\"value\": \"79F7EED760813BF63DC0EE7F986F1CC6345DD170AB03CA1350684CB8720E3C67F9FCE3B075A22266EB0C66A1CDA2D3BD540E777D9A294433377B83DB6DE3D6DB\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695676041533, \"lineage\": [\"guru hosted bradley\"], \"namespace_pid\": 39, \"parent_process\": {\"name\": \"Bags\", \"file\": {\"attributes\": 22, \"name\": \"hunt.ppt\", \"type\": \"Local Socket\", \"type_id\": 5, \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"value\": \"6FD1E1613C3918067E01585E32D4AA461C485DF01C56BD5A294FD82B353B5EC64A7EBAED614D28451E3AECB3ACA75900593A20D8AE7F7A1E2CF9DD4F0496B9C4\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"B66E94D9133A6E41392C5AFCBF3F6EEB29E45C041350255AEE34ADD6C4E6BD15FF9060177954793B5D078A8802B4B1ADDD73BECACB7D5827D9A1CB9F96D5E153\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": false, \"modified_time_dt\": \"2023-09-25T21:07:21.533963Z\"}, \"user\": {\"name\": \"Sisters\", \"type\": \"rebound\", \"uid\": \"849a52ce-5be7-11ee-a468-0242ac110005\", \"type_id\": 99, \"full_name\": \"Elisa Cleora\"}, \"uid\": \"849a5d78-5be7-11ee-ac24-0242ac110005\", \"cmd_line\": \"merchandise initiatives accessibility\", \"container\": {\"name\": \"apartment drunk amateur\", \"size\": 3702557326, \"uid\": \"849a646c-5be7-11ee-90ce-0242ac110005\", \"image\": {\"name\": \"evaluating apartments disaster\", \"uid\": \"849a6a66-5be7-11ee-95e4-0242ac110005\"}, \"hash\": {\"value\": 
\"12FC9239ABF2C07159EBC92013171DA43175589170BD05B55220534634A9D1FEFC88B117A95FCE4FE3C5A5FEDB9DC4EB3F700C0386931C889F815E86BCD4B509\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}}, \"created_time\": 1695676041535, \"namespace_pid\": 29, \"parent_process\": {\"name\": \"Sen\", \"pid\": 13, \"file\": {\"attributes\": 35, \"name\": \"hardware.wma\", \"owner\": {\"name\": \"Asia\", \"type\": \"meetup\", \"uid\": \"849a7ac4-5be7-11ee-a06d-0242ac110005\", \"type_id\": 99}, \"type\": \"Unknown\", \"path\": \"interactions malta thoughts/laden.pdf/hardware.wma\", \"signature\": {\"digest\": {\"value\": \"3188206324B062751CE36D4251C19C94\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, \"algorithm\": \"Authenticode\", \"algorithm_id\": 4}, \"type_id\": 0, \"parent_folder\": \"interactions malta thoughts/laden.pdf\", \"hashes\": [{\"value\": \"6BD48B1E57856137037BFEE4DEC8D57F\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"user\": {\"name\": \"Round\", \"type\": \"System\", \"uid\": \"849a900e-5be7-11ee-9894-0242ac110005\", \"type_id\": 3, \"full_name\": \"Marisela Towanda\", \"account\": {\"name\": \"fragrances bulk specialty\", \"type\": \"LDAP Account\", \"uid\": \"849a9702-5be7-11ee-9f5d-0242ac110005\", \"type_id\": 1}, \"credential_uid\": \"849a9afe-5be7-11ee-b27a-0242ac110005\", \"email_addr\": \"Wava@promises.info\"}, \"uid\": \"849a9ed2-5be7-11ee-ae61-0242ac110005\", \"cmd_line\": \"recordings countries slides\", \"container\": {\"name\": \"distant modeling monaco\", \"runtime\": \"peace up sailing\", \"uid\": \"849aa490-5be7-11ee-bb98-0242ac110005\", \"image\": {\"name\": \"evanescence plans courts\", \"tag\": \"buy archives predict\", \"uid\": \"849aaa9e-5be7-11ee-a47a-0242ac110005\"}, \"hash\": {\"value\": \"383B6630E8241D34D54BFD689DECC0CAB88770D935667989A3A1DE8397F5520F\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695676041539, \"integrity\": \"bookings qc dictionaries\", \"lineage\": [\"lanka manufacture bra\", \"gibson 
implementation pope\"], \"namespace_pid\": 6, \"parent_process\": {\"name\": \"Impacts\", \"pid\": 86, \"file\": {\"name\": \"removal.obj\", \"type\": \"Named Pipe\", \"path\": \"jeff puts assignments/thing.msi/removal.obj\", \"type_id\": 6, \"parent_folder\": \"jeff puts assignments/thing.msi\", \"accessed_time\": 1695676041534, \"hashes\": [{\"value\": \"CE850E16E049A60B4B8F465DC00ADBFB7207CC76FD94F5EBC335F637B8052B77\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"bureau myspace barrel\"}, \"user\": {\"name\": \"Alliance\", \"type\": \"Admin\", \"domain\": \"statistical poland gregory\", \"uid\": \"849abe76-5be7-11ee-a5a1-0242ac110005\", \"org\": {\"name\": \"nyc kidney drawings\", \"uid\": \"849accae-5be7-11ee-af7b-0242ac110005\"}, \"groups\": [{\"name\": \"accessed thanks instructions\", \"desc\": \"luggage species belkin\", \"uid\": \"849ad5fa-5be7-11ee-a0e9-0242ac110005\", \"privileges\": [\"flashing aol autumn\"]}, {\"name\": \"cognitive times agent\", \"uid\": \"849ada50-5be7-11ee-824e-0242ac110005\", \"privileges\": [\"sodium believed housing\", \"incorporated jungle asian\"]}], \"type_id\": 2, \"full_name\": \"Paul Julian\"}, \"uid\": \"849adea6-5be7-11ee-aa53-0242ac110005\", \"cmd_line\": \"amount anywhere suffered\", \"container\": {\"name\": \"author channel disappointed\", \"size\": 191473515, \"uid\": \"849aff08-5be7-11ee-80bd-0242ac110005\", \"image\": {\"name\": \"cross tray influenced\", \"tag\": \"afternoon counseling governance\", \"uid\": \"849b1f7e-5be7-11ee-bb9d-0242ac110005\"}, \"hash\": {\"value\": \"B7F1BFFEB47BCFB30F891852F769572A9816784BF4A4073805850F9F969A5335CFC878CACC9E0F8A71B547F60832FE712A59A7DD7DBD6E94BB9D155309EB3581\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"network_driver\": \"slovakia friend username\"}, \"created_time\": 1695676041539630, \"namespace_pid\": 49, \"parent_process\": {\"name\": \"Sampling\", \"pid\": 71, \"file\": {\"attributes\": 78, \"name\": \"human.pdb\", 
\"type\": \"Symbolic Link\", \"path\": \"let dawn representing/surrounding.dwg/human.pdb\", \"product\": {\"name\": \"heavy payroll timothy\", \"version\": \"1.0.0\", \"uid\": \"849b3fd6-5be7-11ee-83d2-0242ac110005\", \"feature\": {\"name\": \"metric th alt\", \"version\": \"1.0.0\", \"uid\": \"849b46a2-5be7-11ee-824d-0242ac110005\"}, \"vendor_name\": \"rv brother vaccine\"}, \"type_id\": 7, \"accessor\": {\"name\": \"Dragon\", \"type\": \"System\", \"uid\": \"849b52b4-5be7-11ee-863c-0242ac110005\", \"type_id\": 3, \"credential_uid\": \"849b5b88-5be7-11ee-af7a-0242ac110005\"}, \"parent_folder\": \"let dawn representing/surrounding.dwg\", \"hashes\": [{\"value\": \"AABE45CE23939AE53AA3AF15C6123A6ED98FC106E4C7491B89A814D8EB040F3B9D5842B5A215D1D27ED1B4DC8DD3D3F0D50197DD105E37461661D98A23E0917C\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695676041541, \"modified_time_dt\": \"2023-09-25T21:07:21.541163Z\", \"created_time_dt\": \"2023-09-25T21:07:21.541195Z\"}, \"user\": {\"name\": \"Particles\", \"type\": \"User\", \"domain\": \"lexmark refers dylan\", \"uid\": \"849b6916-5be7-11ee-a01e-0242ac110005\", \"type_id\": 1, \"email_addr\": \"Yelena@communities.nato\"}, \"uid\": \"849b6dee-5be7-11ee-84f0-0242ac110005\", \"cmd_line\": \"techno now vid\", \"created_time\": 1695676041593, \"lineage\": [\"qualify insight reproduce\", \"placing download tomato\"], \"namespace_pid\": 91, \"parent_process\": {\"name\": \"Foundation\", \"pid\": 41, \"file\": {\"name\": \"sunday.crdownload\", \"size\": 1384349588, \"type\": \"Unknown\", \"path\": \"designing designed kim/butts.crx/sunday.crdownload\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"annually ic quest\", \"issuer\": \"cooperation worldcat southwest\", \"fingerprints\": [{\"value\": \"A1636B226D49D354EAD09345190417B47EC13762648D8C196823FB556456DD5A2ED39FDF2ADE536CF2D0AFA33A47F9404800085FE205A49A4DA6C280AF603AA9\", \"algorithm\": \"Unknown\", \"algorithm_id\": 
0}], \"created_time\": 1695676041542, \"expiration_time\": 1695676041577, \"serial_number\": \"distributed characters bin\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time_dt\": \"2023-09-25T21:07:21.542032Z\"}, \"product\": {\"name\": \"nights validity updated\", \"version\": \"1.0.0\", \"uid\": \"849b866c-5be7-11ee-a7ff-0242ac110005\", \"feature\": {\"name\": \"seminar automatic gui\", \"version\": \"1.0.0\", \"uid\": \"849b9742-5be7-11ee-9904-0242ac110005\"}, \"lang\": \"en\", \"url_string\": \"however\", \"vendor_name\": \"favorite album ncaa\"}, \"type_id\": 0, \"accessor\": {\"name\": \"Xhtml\", \"type\": \"disabilities\", \"uid\": \"849ba016-5be7-11ee-8738-0242ac110005\", \"type_id\": 99, \"email_addr\": \"Stormy@postcard.mobi\"}, \"creator\": {\"name\": \"Tap\", \"type\": \"User\", \"domain\": \"neural fig colin\", \"org\": {\"name\": \"timing process palestinian\", \"uid\": \"849bad9a-5be7-11ee-9fa0-0242ac110005\", \"ou_name\": \"step mouth drunk\"}, \"type_id\": 1, \"full_name\": \"Otelia Kori\"}, \"mime_type\": \"talked/wishlist\", \"parent_folder\": \"designing designed kim/butts.crx\", \"hashes\": [{\"value\": \"A5064ED27DDBDCBA4CBCADF1DB39DA3F2EEE6B58C7A1239C64CABA643C220D3F292A1DE7E239A9314ECD04E09E02E1289265DB1375370F0E2CB9844F235B40B9\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"is_system\": true, \"modified_time\": 1695676041546}, \"user\": {\"name\": \"Certain\", \"type\": \"Unknown\", \"uid\": \"849bb81c-5be7-11ee-bbec-0242ac110005\", \"groups\": [{\"name\": \"penn laundry woods\", \"type\": \"powerpoint jump hospitality\", \"desc\": \"twenty protection innovative\", \"uid\": \"849bbdee-5be7-11ee-95a2-0242ac110005\"}, {\"uid\": \"849bc780-5be7-11ee-9955-0242ac110005\"}], \"type_id\": 0, \"email_addr\": \"Reba@contemporary.mobi\", \"uid_alt\": \"technical critics nationally\"}, \"tid\": 86, \"uid\": \"849bcfb4-5be7-11ee-b896-0242ac110005\", \"session\": {\"uid\": \"849bd89c-5be7-11ee-bbae-0242ac110005\", \"issuer\": 
\"mind file superior\", \"created_time\": 1695676041544, \"is_remote\": true}, \"loaded_modules\": [\"/aims/hammer/duke/implementation/roland.jar\", \"/illustration/reads/adaptation/ppc/footage.cab\"], \"cmd_line\": \"treatments proceeding assumed\", \"created_time\": 1695676041548, \"integrity\": \"written\", \"integrity_id\": 99, \"lineage\": [\"tenant surveillance nature\", \"securities joining bite\"], \"parent_process\": {\"name\": \"Restore\", \"pid\": 74, \"file\": {\"name\": \"moral.kmz\", \"type\": \"Local Socket\", \"path\": \"suit who pics/arrange.torrent/moral.kmz\", \"type_id\": 5, \"accessor\": {\"name\": \"Qualities\", \"type\": \"Unknown\", \"domain\": \"operates collectables presentations\", \"uid\": \"849bf00c-5be7-11ee-a0de-0242ac110005\", \"type_id\": 0, \"uid_alt\": \"welsh constraints elimination\"}, \"parent_folder\": \"suit who pics/arrange.torrent\", \"accessed_time\": 1695676044937, \"created_time\": 1695676041545, \"hashes\": [{\"value\": \"BADBDA50632954800C02D40EB49D1BEF8E5A883D\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"22B65F9CC3DDECE17BC92C741314C0C01D6C398B477BCFE22CCB63F4975A066119C2A3F4E9BDC342383345BCEEA9046C0573AEA278C1EBD8E1578337B1640606\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": false}, \"cmd_line\": \"remain weird municipal\", \"container\": {\"name\": \"anthony serial medline\", \"size\": 2006500672, \"uid\": \"849c059c-5be7-11ee-b620-0242ac110005\", \"image\": {\"name\": \"titten live cvs\", \"uid\": \"849c105a-5be7-11ee-8337-0242ac110005\"}, \"hash\": {\"value\": \"53CB2A3DF41EA583C9DAD815CC228E623D600CA69DD3B138EBA03828A95C399AC2319E8C246FAF2EB345362B0931618009C8A5FF4C8E100C7B414107D51F849D\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695676041542, \"integrity\": \"High\", \"integrity_id\": 4, \"namespace_pid\": 8, \"parent_process\": {\"pid\": 20, \"file\": {\"attributes\": 79, \"name\": \"revolution.vcf\", \"owner\": {\"name\": \"Sunny\", 
\"type\": \"Unknown\", \"uid\": \"849c24fa-5be7-11ee-93d2-0242ac110005\", \"type_id\": 0, \"email_addr\": \"Suzan@communicate.coop\"}, \"type\": \"Folder\", \"version\": \"1.0.0\", \"path\": \"nintendo smilies thank/ought.vb/revolution.vcf\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"microwave marriott okay\", \"issuer\": \"foundation review shaft\", \"fingerprints\": [{\"value\": \"35C90137B6BD19F8D464173B9904DBFA60D62BFF8BCBCF99235987ACC2D4840DBA02F991522C533C211C54B3A1016A0A76AF0578E30D0190414926A1EA56FEB7\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1695676041548, \"expiration_time\": 1695676041514, \"serial_number\": \"windsor sponsor google\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3}, \"product\": {\"name\": \"pci invasion producers\", \"version\": \"1.0.0\", \"uid\": \"849c3e4a-5be7-11ee-80be-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"australian payments crm\"}, \"type_id\": 2, \"accessor\": {\"name\": \"Class\", \"type\": \"pie\", \"type_id\": 99, \"full_name\": \"Crysta Damaris\", \"account\": {\"name\": \"cards gratis necklace\", \"type\": \"Apple Account\", \"type_id\": 8}, \"uid_alt\": \"linux has luis\"}, \"company_name\": \"Mckenzie Ardith\", \"creator\": {\"type\": \"selected\", \"domain\": \"glass outlet lopez\", \"uid\": \"849c4b2e-5be7-11ee-9c0b-0242ac110005\", \"org\": {\"name\": \"reproductive balloon stanley\", \"uid\": \"849c5060-5be7-11ee-b740-0242ac110005\", \"ou_name\": \"pick rear governance\", \"ou_uid\": \"849c5470-5be7-11ee-b89d-0242ac110005\"}, \"groups\": [{\"name\": \"suspected contributor counting\", \"type\": \"vacations wines biological\", \"uid\": \"849c5ae2-5be7-11ee-97a7-0242ac110005\"}], \"type_id\": 99}, \"parent_folder\": \"nintendo smilies thank/ought.vb\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"hashes\": [{\"value\": 
\"1B8BF6AF4C4E0F5A64ED59860F5673F5762D1E214D4B3127BAC626D3811952EAF98972460DF098DEAB2B6D4FF02723546AEBA4108F2A03A20044552141A4447E\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"221C1DF278F5DBE8C04CCC89DB66A355ABA13C3F27B4E23A19D0E73C64E5E9A7951D5102BA2F416429122A6110C57ED22F7216EB73939FF0E7E4BDB574A90CC4\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"is_system\": false, \"security_descriptor\": \"recommended approve environment\"}, \"uid\": \"849c61f4-5be7-11ee-8006-0242ac110005\", \"cmd_line\": \"arrangements makes handy\", \"container\": {\"name\": \"yahoo plains basically\", \"uid\": \"849c6776-5be7-11ee-94b5-0242ac110005\", \"image\": {\"name\": \"capabilities huge hometown\", \"uid\": \"849c6d2a-5be7-11ee-a411-0242ac110005\", \"labels\": [\"mumbai\"]}, \"hash\": {\"value\": \"FC25F43E993A1FB725021E78097481FDD1FECA2EC91BF14AE34067FC31DBCD1005D4B0AFC4F050872672CC3EAB72236EADE80DFF4CCBB844F8ED0489F697D2F1\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695676041544, \"namespace_pid\": 13, \"parent_process\": {\"name\": \"Tell\", \"file\": {\"name\": \"world.jpg\", \"type\": \"Block Device\", \"path\": \"blend roommates closed/died.docx/world.jpg\", \"modifier\": {\"name\": \"Heritage\", \"type\": \"System\", \"domain\": \"ln resolved couple\", \"uid\": \"849c8878-5be7-11ee-98bd-0242ac110005\", \"type_id\": 3, \"email_addr\": \"Deloise@agreed.arpa\"}, \"type_id\": 4, \"mime_type\": \"engineer/habitat\", \"parent_folder\": \"blend roommates closed/died.docx\", \"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"hashes\": [{\"value\": \"3BC175E9CE56D1FC2D86AB6EA2EC56EB21930540B56A5B6E3840DFB64287ACAB\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"31588C71F04798D44E2202431AE7025AF3BC67EC8192E94F362A9B9121FB5AC23510026F8391A0A54234D8D0DB8D2DEBD112DEEF6AC598A11A194875191A4975\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"is_system\": true}, \"user\": {\"name\": \"Weather\", 
\"type\": \"Admin\", \"domain\": \"our installing clinical\", \"uid\": \"849ca4ca-5be7-11ee-b39c-0242ac110005\", \"org\": {\"name\": \"top riverside asthma\", \"uid\": \"849cb208-5be7-11ee-a4a6-0242ac110005\", \"ou_name\": \"stats dans soviet\"}, \"type_id\": 2, \"credential_uid\": \"849cc0f4-5be7-11ee-9c36-0242ac110005\"}, \"uid\": \"849cc522-5be7-11ee-aa87-0242ac110005\", \"session\": {\"uid\": \"849ccebe-5be7-11ee-a1ca-0242ac110005\", \"issuer\": \"volunteer meetings medline\", \"created_time\": 1695676041550, \"is_remote\": false, \"expiration_time_dt\": \"2023-09-25T21:07:21.550638Z\"}, \"loaded_modules\": [\"/rev/amazon/casino/june/fails.bin\", \"/credit/potential/lawsuit/clause/nine.bmp\"], \"cmd_line\": \"well absent shoe\", \"container\": {\"name\": \"hospitality walker vs\", \"size\": 1224758347, \"uid\": \"849cdd28-5be7-11ee-9250-0242ac110005\", \"image\": {\"name\": \"audio miracle leader\", \"uid\": \"849ce32c-5be7-11ee-b7a9-0242ac110005\"}, \"hash\": {\"value\": \"A813ED16B0B3E58FA959C0BA26A47058\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"created_time\": 1695676041555, \"lineage\": [\"achievement courage send\", \"expansion instructional agreements\"], \"namespace_pid\": 62, \"parent_process\": {\"name\": \"Airfare\", \"file\": {\"name\": \"flexible.vcxproj\", \"type\": \"Folder\", \"product\": {\"name\": \"external polar galaxy\", \"version\": \"1.0.0\", \"lang\": \"en\", \"vendor_name\": \"hack infection generator\"}, \"type_id\": 2, \"mime_type\": \"silicon/limousines\", \"confidentiality\": \"venue rl epa\", \"hashes\": [{\"value\": \"2347F66D3EE9CCBD7191F650BE1EF4F94E8B6ED61D543709A1A907FBC76BFC089577CB78BFA772DA65746573746C4AB26AF19E7A8E9DB821E3979ED04051B9BC\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"256D62122A8BA5E06B613EAD639B79BA7875995217AC6E2C854DBB610631D33C\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"modified_time\": 1695676041500, \"xattributes\": {}, \"created_time_dt\": 
\"2023-09-25T21:07:21.551631Z\"}, \"user\": {\"name\": \"Track\", \"type\": \"Unknown\", \"uid\": \"849cfe70-5be7-11ee-b38b-0242ac110005\", \"type_id\": 0, \"account\": {\"name\": \"strict manufactured invest\", \"type\": \"AWS IAM User\", \"uid\": \"849d0500-5be7-11ee-97bd-0242ac110005\", \"type_id\": 3}, \"credential_uid\": \"849d08ca-5be7-11ee-bfe2-0242ac110005\"}, \"cmd_line\": \"challenges prompt cumulative\", \"container\": {\"name\": \"develop affiliates required\", \"size\": 2138922450, \"uid\": \"849d0e7e-5be7-11ee-a8e4-0242ac110005\", \"image\": {\"name\": \"charges fragrances complex\", \"uid\": \"849d1342-5be7-11ee-a4ca-0242ac110005\"}, \"hash\": {\"value\": \"6E73C76AD0B2D03EB35088BB834D7A1949E2174F0288EAC8066F5CC920923FEC2568825E7A9B3B3B871DC2AA82AD34DAC42A8E327CAD3D3E720D2ADD7C13CAB0\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, \"network_driver\": \"familiar movies legitimate\", \"pod_uuid\": \"legally\"}, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"namespace_pid\": 2, \"parent_process\": {\"name\": \"Eternal\", \"pid\": 76, \"file\": {\"attributes\": 44, \"name\": \"uzbekistan.jar\", \"type\": \"Block Device\", \"uid\": \"849d2170-5be7-11ee-a637-0242ac110005\", \"type_id\": 4, \"mime_type\": \"will/executed\", \"hashes\": [{\"value\": \"8A25185F3C5523EF3B08C1ECDD83016224863C95\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"6B9ED75DAE7A1E692073FC400B558EA4\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"xattributes\": {}}, \"user\": {\"name\": \"Manager\", \"type\": \"legs\", \"uid\": \"849d2c24-5be7-11ee-953d-0242ac110005\", \"type_id\": 99, \"email_addr\": \"Josefina@holders.museum\"}, \"uid\": \"849d308e-5be7-11ee-a5ad-0242ac110005\", \"cmd_line\": \"reporter techno regarded\", \"container\": {\"name\": \"cpu mission hacker\", \"runtime\": \"cables vanilla amendments\", \"size\": 1820268463, \"uid\": \"849d3caa-5be7-11ee-9fe6-0242ac110005\", \"image\": {\"uid\": \"849d468c-5be7-11ee-85e3-0242ac110005\", 
\"labels\": [\"responsibility\"]}, \"hash\": {\"value\": \"0895F371F264F7E3AA4A79B16A3C6EEAABE10BBF6A7DC2B7D8DD4F14B3C6F05D\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, \"orchestrator\": \"helpful pasta matthew\"}, \"namespace_pid\": 84, \"parent_process\": {\"name\": \"Music\", \"pid\": 28, \"file\": {\"name\": \"titanium.avi\", \"type\": \"Unknown\", \"path\": \"slideshow configurations lens/nations.flv/titanium.avi\", \"desc\": \"closed hydraulic connecting\", \"type_id\": 0, \"company_name\": \"Frederica Hertha\", \"parent_folder\": \"slideshow configurations lens/nations.flv\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"created_time\": 1695676041554, \"hashes\": [{\"value\": \"5C5069744142886E3127F2CCFE145C68A0B1A4DFA3BB504B858390D851E16A9F\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"xattributes\": {}, \"created_time_dt\": \"2023-09-25T21:07:21.554150Z\"}, \"user\": {\"name\": \"Be\", \"type\": \"types\", \"uid\": \"849d60a4-5be7-11ee-98cb-0242ac110005\", \"type_id\": 99}, \"uid\": \"849d64dc-5be7-11ee-b02a-0242ac110005\", \"container\": {\"size\": 1668291787, \"uid\": \"849d7cce-5be7-11ee-80f3-0242ac110005\", \"image\": {\"name\": \"curtis burns park\", \"uid\": \"849d83f4-5be7-11ee-8f40-0242ac110005\", \"labels\": [\"fix\"]}, \"hash\": {\"value\": \"308FD1FED7D34B9AFAB9224FF617D64E4CA9AC20FC59F1FB3B80AB2CBB1511245EC668E138B6C330D86E2B874BD66ED33E16E931B3D344A8365BE63CAB39562C\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"network_driver\": \"surely assistance actively\", \"pod_uuid\": \"gardening\"}, \"created_time\": 1695676041553, \"integrity\": \"System\", \"integrity_id\": 5, \"parent_process\": {\"name\": \"Surprise\", \"pid\": 50, \"file\": {\"name\": \"opening.vob\", \"type\": \"Local Socket\", \"path\": \"venezuela flyer seller/os.kml/opening.vob\", \"modifier\": {\"name\": \"Infected\", \"type\": \"User\", \"uid\": \"849d94de-5be7-11ee-b30d-0242ac110005\", \"type_id\": 1, \"full_name\": \"Katheryn 
Kena\"}, \"type_id\": 5, \"accessor\": {\"name\": \"Mine\", \"type\": \"fcc\", \"uid\": \"849da17c-5be7-11ee-9d3a-0242ac110005\", \"type_id\": 99, \"account\": {\"name\": \"hourly toll disappointed\", \"uid\": \"849dabd6-5be7-11ee-ba6a-0242ac110005\"}, \"credential_uid\": \"849db838-5be7-11ee-8a18-0242ac110005\"}, \"parent_folder\": \"venezuela flyer seller/os.kml\", \"hashes\": [{\"value\": \"599DCCE2998A6B40B1E38E8C6006CB0A\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"E3C48119D2F351FBEB28EABE137BB8D7969A9AA7CEBF71A153DA4670481EFAAB267B6B39C0EDBDDAF4DD1B9E9B5FF0B28D72E0A5FA27336A282A0FDBA4D0C9D4\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"modified_time\": 1695676041557, \"security_descriptor\": \"graham occupations become\"}, \"user\": {\"name\": \"Simulations\", \"type\": \"User\", \"uid\": \"849debb4-5be7-11ee-bfac-0242ac110005\", \"type_id\": 1, \"account\": {\"type\": \"Windows Account\", \"uid\": \"849df820-5be7-11ee-82f1-0242ac110005\", \"type_id\": 2}, \"credential_uid\": \"849dfc62-5be7-11ee-a9bc-0242ac110005\"}, \"cmd_line\": \"pursuant proceed discussed\", \"container\": {\"name\": \"insight style ca\", \"runtime\": \"williams ng xhtml\", \"size\": 220440282, \"uid\": \"849e031a-5be7-11ee-b55b-0242ac110005\", \"image\": {\"name\": \"bubble architects vancouver\", \"path\": \"hairy pixel time\", \"uid\": \"849e0ebe-5be7-11ee-8341-0242ac110005\"}, \"hash\": {\"value\": \"8876489CE00D6D9FDF61ED1C773F047E\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"created_time\": 1695676041558, \"lineage\": [\"bk destinations est\", \"whose playback congressional\"], \"namespace_pid\": 54, \"parent_process\": {\"name\": \"Courage\", \"pid\": 5, \"file\": {\"name\": \"filled.mdb\", \"size\": 2881440001, \"type\": \"Character Device\", \"path\": \"disc dividend incentives/crucial.wps/filled.mdb\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"infectious replication lock\", \"issuer\": \"worker attended mel\", 
\"fingerprints\": [{\"value\": \"372885B9675F31EF37D14F711A430940E777638ADCB2F77B36D079076E38606F\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1695676041558, \"expiration_time\": 1695676041554, \"serial_number\": \"durham graham course\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"modifier\": {\"name\": \"Constraints\", \"type\": \"Unknown\", \"domain\": \"informational advisory mg\", \"uid\": \"849e2a2a-5be7-11ee-82b2-0242ac110005\", \"type_id\": 0}, \"product\": {\"name\": \"michigan slight torture\", \"version\": \"1.0.0\", \"path\": \"costumes somewhat qui\", \"uid\": \"849e3088-5be7-11ee-8510-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"franchise portland experiment\"}, \"type_id\": 3, \"accessor\": {\"name\": \"Intl\", \"type\": \"Unknown\", \"uid\": \"849e39a2-5be7-11ee-b3b8-0242ac110005\", \"type_id\": 0, \"full_name\": \"Lorna Francisco\"}, \"parent_folder\": \"disc dividend incentives/crucial.wps\", \"hashes\": [{\"value\": \"9471ED19416B8099E51855CB0EF61AE3\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"modified_time\": 1695676041563}, \"user\": {\"name\": \"Motorcycle\", \"type\": \"Admin\", \"uid\": \"849e4a46-5be7-11ee-bc81-0242ac110005\", \"type_id\": 2}, \"cmd_line\": \"peer rail specialist\", \"container\": {\"name\": \"priority mirrors although\", \"runtime\": \"rock relation block\", \"size\": 2559819198, \"uid\": \"849e509a-5be7-11ee-ad75-0242ac110005\", \"image\": {\"name\": \"committed plastic does\", \"uid\": \"849e6972-5be7-11ee-b803-0242ac110005\"}, \"network_driver\": \"conduct linking lb\"}, \"created_time\": 1695676041434, \"lineage\": [\"desktop lakes moscow\", \"barrel touch increasing\"], \"namespace_pid\": 13, \"parent_process\": {\"name\": \"Harley\", \"pid\": 38, \"file\": {\"name\": \"metabolism.gadget\", \"owner\": {\"type\": \"System\", \"uid\": \"849e86dc-5be7-11ee-9b00-0242ac110005\", \"org\": {\"name\": \"syndication joseph realized\", \"uid\": 
\"849e8ff6-5be7-11ee-be3f-0242ac110005\", \"ou_name\": \"advertise scored usr\", \"ou_uid\": \"849e9852-5be7-11ee-9c6a-0242ac110005\"}, \"type_id\": 3}, \"type\": \"Character Device\", \"path\": \"patch attempting mf/nashville.dxf/metabolism.gadget\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"signals book follow\", \"issuer\": \"database verse prince\", \"fingerprints\": [{\"value\": \"6467C5C0EA62DB25016E724973C845BA50F0BBD72AE91F11E4CB5F3884CF1852EC05AA4B971CA59B372F8DC7B8E49562276E89C888FFDE3DD41BFC2E88336E98\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"80A346634E5CD09AAFC3C417ABCE0C6A156B40EBB910123FAC486DC6197D24EC4C575301A8CC06D58FBAEEAE6F40E42B6D84FDA6996E06EE2F68282EA73FDA93\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"created_time\": 1695676041504, \"expiration_time\": 1695676041569, \"serial_number\": \"termination vi limitation\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3}, \"type_id\": 3, \"creator\": {\"type\": \"Unknown\", \"uid\": \"849edfe2-5be7-11ee-97f0-0242ac110005\", \"type_id\": 0, \"account\": {\"name\": \"workers observer lonely\", \"type\": \"GCP Account\", \"uid\": \"849ef310-5be7-11ee-b8e1-0242ac110005\", \"type_id\": 5}, \"email_addr\": \"Myrta@of.cat\"}, \"parent_folder\": \"patch attempting mf/nashville.dxf\", \"hashes\": [{\"value\": \"5F8105C9976CE93253600A074BD373A5286734FB9650F503EF4AD611A9422D3554C34BD6C2672159C2F485A59C83965804D6F2532A8DADF2749DF74B1B089C10\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"C1E19A5C30DB36D9FEA3088EBBCF2E05B7F2E3B108DA82565EF183591D036A615456960CA1BF3DEDAEF8450140669F4E45A239D12DE570D5B2322AEADAE0EE7B\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"accessed_time_dt\": \"2023-09-25T21:07:21.564734Z\"}, \"user\": {\"name\": \"Referenced\", \"type\": \"Admin\", \"type_id\": 2, \"full_name\": \"Lyndsay Ricky\"}, \"uid\": \"849f00ee-5be7-11ee-954b-0242ac110005\", \"cmd_line\": \"institutes yes inputs\", 
\"container\": {\"name\": \"missed foreign palmer\", \"size\": 903476370, \"uid\": \"849f0878-5be7-11ee-b335-0242ac110005\", \"image\": {\"name\": \"belfast interests activation\", \"uid\": \"849f1dc2-5be7-11ee-b432-0242ac110005\"}, \"hash\": {\"value\": \"7CA5C1BF6D37F1E7389DB34F7617B7101F65DED1\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}}, \"created_time\": 1695676041565, \"namespace_pid\": 44, \"terminated_time\": 1695676041566, \"xattributes\": {}, \"created_time_dt\": \"2023-09-25T21:07:21.565824Z\"}}, \"sandbox\": \"final corporations performances\"}}, \"xattributes\": {}}}, \"sandbox\": \"distributor workshops maldives\"}}, \"sandbox\": \"upload stages deutsch\", \"xattributes\": {}, \"created_time_dt\": \"2023-09-25T21:07:21.565886Z\", \"terminated_time_dt\": \"2023-09-25T21:07:21.565891Z\"}, \"sandbox\": \"facial gossip lopez\", \"terminated_time\": 1695676041561, \"created_time_dt\": \"2023-09-25T21:07:21.565904Z\", \"terminated_time_dt\": \"2023-09-25T21:07:21.565908Z\"}, \"sandbox\": \"compounds s time\", \"terminated_time\": 1695676041567}, \"sandbox\": \"romance volunteer entrepreneurs\"}}, \"xattributes\": {}}, \"sandbox\": \"moon exercise starring\", \"terminated_time\": 1695676041562}}, \"terminated_time\": 1695676041561}, \"xattributes\": {}}}, \"sandbox\": \"keeps pour rent\", \"terminated_time\": 1695676041566}, \"xattributes\": {}}, \"sandbox\": \"species tourism system\", \"terminated_time\": 1695676041564, \"xattributes\": {}}, \"terminated_time\": 1695676041564}}, \"user\": {\"name\": \"Turkish\", \"type\": \"metres\", \"domain\": \"jones cnet biz\", \"uid\": \"849f330c-5be7-11ee-aa02-0242ac110005\", \"org\": {\"name\": \"performed assignments undefined\", \"uid\": \"849f3870-5be7-11ee-8857-0242ac110005\", \"ou_name\": \"headquarters informal nigeria\"}, \"type_id\": 99}}, \"cloud\": {\"provider\": \"diego ins ext\", \"region\": \"kissing wi confidence\"}, \"enrichments\": [{\"data\": {\"wallpaper\": \"feded\"}, \"name\": \"hc 
saskatchewan quickly\", \"type\": \"thu loves strong\", \"value\": \"sword somebody equilibrium\", \"provider\": \"outlet toolkit person\"}, {\"data\": {\"drug\": \"drugg7899\"}, \"name\": \"tree cities corner\", \"type\": \"knife super bat\", \"value\": \"thy qualification booth\"}], \"expiration_time\": 1695676041527, \"severity_id\": 2, \"src_endpoint\": {\"name\": \"replaced wa unlock\", \"port\": 25780, \"ip\": \"175.16.199.1\", \"uid\": \"84972e82-5be7-11ee-8eac-0242ac110005\", \"hostname\": \"menu.travel\", \"instance_uid\": \"849732a6-5be7-11ee-bdb0-0242ac110005\", \"interface_name\": \"grown reflect expressed\", \"interface_uid\": \"84973670-5be7-11ee-8000-0242ac110005\", \"svc_name\": \"stanford leisure analyzed\"}}", + "event": { + "action": "rename", + "category": [ + "file" + ], + "provider": "cb indexes boxing", + "sequence": 99, + "severity": 2, + "start": "2023-09-25T21:07:21.445000Z", + "type": [ + "change" + ] + }, + "cloud": { + "provider": "diego ins ext", + "region": "kissing wi confidence" + }, + "network": { + "application": "stanford leisure analyzed" + }, + "ocsf": "{\"activity_id\": 5, \"activity_name\": \"Rename\", \"actor\": {\"process\": {\"cmd_line\": \"goals happen dad\", \"container\": {\"image\": {\"name\": \"produced field obituaries\", \"path\": \"adaptive granny knew\", \"uid\": \"849779dc-5be7-11ee-8f66-0242ac110005\"}, \"name\": \"ambien cloud eur\", \"network_driver\": \"cute desktops arrest\", \"size\": 2164055839, \"uid\": \"84977158-5be7-11ee-b042-0242ac110005\"}, \"created_time\": 1695676041514, \"file\": {\"attributes\": 9, \"name\": \"citations.gpx\", \"parent_folder\": \"telling saved challenge/wrapped.tga\", \"path\": \"telling saved challenge/wrapped.tga/citations.gpx\", \"type\": \"Character Device\", \"type_id\": 3}, \"name\": \"Qualification\", \"namespace_pid\": 41, \"parent_process\": {\"cmd_line\": \"bless addresses backgrounds\", \"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, 
\"value\": \"08759209B8F0A761FFF2B978AB8DAB0B6AE7B63C9AC9D3694BC0FED57BB2E27F5AAFB08486F656D6C6FE784F7DF07513FCB0975EC8B772EE000F56F793867A77\"}, \"image\": {\"name\": \"assistance grande an\", \"uid\": \"8497dec2-5be7-11ee-9c88-0242ac110005\"}, \"name\": \"citizenship caribbean twisted\", \"size\": 2686118868, \"uid\": \"8497d15c-5be7-11ee-aa8b-0242ac110005\"}, \"created_time\": 1695676041518, \"file\": {\"creator\": {\"credential_uid\": \"8497ab3c-5be7-11ee-8df1-0242ac110005\", \"full_name\": \"Kirstin Thersa\", \"name\": \"Additionally\", \"type\": \"beat\", \"type_id\": 99, \"uid\": \"84979804-5be7-11ee-848b-0242ac110005\"}, \"desc\": \"surgeons settled advocacy\", \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"2675028478A31F71064C2D8CCA68C7FCA87605C294611E7C2294806CE87B596AD856077767F9D941E21BC5089906C5E6903FE622EE1FE19DB2E3FA8F1F1A8EE9\"}, {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"4D018BA6DBA4C03004FD6E10D1C02BD324F62DE46C5FE687431A2D4BF4335BB7\"}], \"modified_time_dt\": \"2023-09-25T21:07:21.517084Z\", \"name\": \"finance.3g2\", \"parent_folder\": \"attention matching forest/met.mpa\", \"path\": \"attention matching forest/met.mpa/finance.3g2\", \"signature\": {\"algorithm\": \"RSA\", \"algorithm_id\": 2, \"certificate\": {\"created_time_dt\": \"2023-09-25T21:07:21.516247Z\", \"expiration_time\": 1695676041516, \"expiration_time_dt\": \"2023-09-25T21:07:21.516239Z\", \"fingerprints\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"B3305921648A755AA6C1E2C028691A6861EAE8922BAE5ACE52B76E01AD96DF87ECE4E22E06EDC6715A0CAE469323620A07CCC384FD40C69EBA60E8BBEE8EA805\"}], \"issuer\": \"shall systematic vatican\", \"serial_number\": \"requirement sodium situated\", \"subject\": \"mt minutes bids\", \"version\": \"1.0.0\"}}, \"type\": \"wrap\", \"type_id\": 99}, \"lineage\": [\"vhs mechanism dates\"], \"loaded_modules\": [\"/super/disclose/barnes/pg/california.png\", \"/ourselves/lynn/gpl/helped/narrow.tga\"], 
\"namespace_pid\": 97, \"parent_process\": {\"cmd_line\": \"harder interventions pb\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"6A9A10210588981DD8FAA6BE10E39F2C65E816FEFE4768884F7B0BB0A10CD9D6\"}, \"name\": \"kg sources houses\", \"pod_uuid\": \"kiss\", \"runtime\": \"kate through furniture\", \"size\": 2387392206, \"uid\": \"849829cc-5be7-11ee-bb7a-0242ac110005\"}, \"created_time\": 1695676041517, \"file\": {\"created_time_dt\": \"2023-09-25T21:07:21.519646Z\", \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"E7B2EBCA4F63795EBE380FFBEAB194BCF3E2EB5C74F10C6B8AAB95F4C0B8D7AC\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"AFD9AD7A88CFF487A60962E99C6219806726EB352DD1591D375AD3BB143C0DABBFBC6DBFFA5D99B3662AE82C9B7EED847E30B7EA516D2AD9DFF07D8775F8AE36\"}], \"modifier\": {\"groups\": [{\"name\": \"winds seeking reply\", \"uid\": \"8497fde4-5be7-11ee-9733-0242ac110005\"}, {\"name\": \"hamburg roommate environment\", \"uid\": \"8498099c-5be7-11ee-ac6f-0242ac110005\"}], \"name\": \"Complete\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"8497f38a-5be7-11ee-97c6-0242ac110005\"}, \"name\": \"dame.svg\", \"parent_folder\": \"wives pamela karl/articles.c\", \"path\": \"wives pamela karl/articles.c/dame.svg\", \"security_descriptor\": \"robinson queens graduate\", \"type\": \"Regular File\", \"type_id\": 1}, \"integrity\": \"they thermal eau\", \"lineage\": [\"attraction cord adjustment\", \"announcements summer introduce\"], \"name\": \"Bid\", \"namespace_pid\": 49, \"parent_process\": {\"cmd_line\": \"creation defense carolina\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"666334EB7A1E55E189435FFF3F0CA7266F484FB44970AAFF3E72546D8B04B02ABB1A66B209CAFD44267701CA1392DF35B8EC3EECE0DC492D093880F2E4FF352C\"}, \"name\": \"hunt indicating radiation\", \"size\": 3179758248, \"tag\": \"reader prevention as\", \"uid\": 
\"84985df2-5be7-11ee-be06-0242ac110005\"}, \"created_time\": 1695676041527, \"file\": {\"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"created_time\": 1695676041520845, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"7D875B5EB312ADEF7D530DD6E43468170B094A5F54CA1AC26E7788A81A01238428E62D581423E70B05DA11F15513291EB10776B4E14DE1844072ACDF11BBDFD1\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"1100511F3469E3CDE7D081EC6E78154C8476D546F615EEEB37C4CDFBD41740440FC77660EE3A4B9C67DE81C63172A49F835656F85ED5E36A65A2A25E2A733358\"}], \"modifier\": {\"name\": \"Officer\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"84984362-5be7-11ee-af2c-0242ac110005\"}, \"name\": \"seq.wpd\", \"parent_folder\": \"conflicts disability citysearch/ieee.dtd\", \"path\": \"conflicts disability citysearch/ieee.dtd/seq.wpd\", \"type\": \"Character Device\", \"type_id\": 3}, \"name\": \"Jamie\", \"namespace_pid\": 46, \"parent_process\": {\"cmd_line\": \"plan agents converter\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"E7EFDA40B1C94805070CD9BF9638AE27\"}, \"image\": {\"labels\": [\"golf\", \"nov\"], \"name\": \"extending construction inkjet\", \"path\": \"empirical precipitation builder\", \"uid\": \"84989f42-5be7-11ee-8820-0242ac110005\"}, \"name\": \"thongs routine an\", \"size\": 2099983603, \"uid\": \"84989948-5be7-11ee-b4fb-0242ac110005\"}, \"created_time\": 1695676041523226, \"file\": {\"created_time\": 1695676042262, \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"60F202A3BE4EF214E24EA9D3555D194C\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"B0B2D200728B0DACE6CB6829F90EE31A9AD123FF1982012B003249D4F2C5351924E6DBBD1242EE722D4C5A0B80C983DC7B94DDD594FCFCEF4E63552956E2B26A\"}], \"modified_time_dt\": \"2023-09-25T21:07:21.522441Z\", \"name\": \"startup.3dm\", \"signature\": {\"algorithm\": \"RSA\", \"algorithm_id\": 2, \"certificate\": {\"created_time\": 
1695676041522, \"created_time_dt\": \"2023-09-25T21:07:21.521904Z\", \"expiration_time\": 1695676041526, \"fingerprints\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"8E4DE5CC0D59311697B0D4061FDBFB4CB99E38121EA17CF740789A0CBC85B56703E1341C940E7A2220C02211CC84447A19061569BE42AC4A2C03010FB6CB1A75\"}, {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"205D64FF9B580AADBF4829EC41DD4EF0\"}], \"issuer\": \"previous price thing\", \"serial_number\": \"files the parish\", \"subject\": \"shades bad tradition\"}}, \"size\": 3504413585, \"type\": \"Named Pipe\", \"type_id\": 6, \"uid\": \"84987ae4-5be7-11ee-b247-0242ac110005\", \"version\": \"1.0.0\"}, \"integrity\": \"conspiracy unions allocated\", \"name\": \"Arbor\", \"parent_process\": {\"cmd_line\": \"sixth pc peoples\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"F4001D4FD76B73412DB0EFD2C66F0AB3C27D9FE9BD375B1659A1DDDA68C17DC1C0F5402A6AE571DC073E94F1B720821E4208595D5BB4B13D917A12CE3DA53C1E\"}, \"image\": {\"name\": \"version treating tall\", \"uid\": \"8498df20-5be7-11ee-8257-0242ac110005\"}, \"name\": \"warrior document workflow\", \"pod_uuid\": \"sas\", \"size\": 2697694450, \"uid\": \"8498da2a-5be7-11ee-9d00-0242ac110005\"}, \"created_time\": 1695676041523, \"file\": {\"accessor\": {\"email_addr\": \"Shin@cause.mobi\", \"full_name\": \"Twyla Cherise\", \"name\": \"Wildlife\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"8498c030-5be7-11ee-80d9-0242ac110005\", \"uid_alt\": \"excellent far varied\"}, \"created_time\": 1695676041524, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"707CF5E50A11D69874235DED9A045B6AB42439F7495DED03049CB7E997949E8B014295A25059CD1A9F06BFE9E4101ED176615E69D43FE199E849DEC0BC4AEB4D\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"6F487B974BDB9DBDF014F50502D9F70BC2630E6C974E4C6E6AA2EB3BEC95A3BDCA7AE609DA34179E0677F042734A767ADA4F6CA04788916644262CDC60BC2FB2\"}], \"mime_type\": 
\"star/flyer\", \"name\": \"considerations.jar\", \"parent_folder\": \"roger economy macro/mesh.gadget\", \"path\": \"roger economy macro/mesh.gadget/considerations.jar\", \"type\": \"Local Socket\", \"type_id\": 5}, \"integrity\": \"aviation blame tion\", \"name\": \"Processes\", \"namespace_pid\": 76, \"parent_process\": {\"container\": {\"image\": {\"tag\": \"vocal trim jon\", \"uid\": \"849944f6-5be7-11ee-bc62-0242ac110005\"}, \"name\": \"acquired minority slip\", \"size\": 2257875576, \"uid\": \"84993ce0-5be7-11ee-8a18-0242ac110005\"}, \"file\": {\"accessed_time\": 1695676041556, \"confidentiality\": \"suburban ati mostly\", \"created_time_dt\": \"2023-09-25T21:07:21.526737Z\", \"hashes\": [{\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"00EF9DADDE482AF5432B0BFC5F69023736D4A0ECD59F74884C4B8AD83D21429B78023351C5DBD07407EAB2BFA527A0586016DE3C92F37913920E221F7D452802\"}], \"is_system\": false, \"modified_time_dt\": \"2023-09-25T21:07:21.526727Z\", \"name\": \"pic.vcd\", \"owner\": {\"full_name\": \"Blythe Jamie\", \"name\": \"Enquiry\", \"type\": \"minneapolis\", \"type_id\": 99, \"uid\": \"849901e4-5be7-11ee-bfe1-0242ac110005\"}, \"parent_folder\": \"const foreign pressed/among.ged\", \"path\": \"const foreign pressed/among.ged/pic.vcd\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"certificate\": {\"created_time\": 1695676041526, \"expiration_time\": 1695676045872, \"fingerprints\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"9E41EB47ABD226D92CFE27DBDA0C924C190A1B0C0136B09923B419089B013DF14CB58C38F651F710540E348BF800DFE364197904B11FFFAD98BB2B10006B28E2\"}, {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"3DE877DDFB06DB510E63893D98DDAC9524696C14\"}], \"issuer\": \"everybody brunei disciplinary\", \"serial_number\": \"approaches symbol assembly\", \"subject\": \"strap liz boulder\", \"version\": \"1.0.0\"}, \"created_time_dt\": \"2023-09-25T21:07:21.526203Z\", \"developer_uid\": 
\"84991526-5be7-11ee-a2ca-0242ac110005\"}, \"type\": \"charged\", \"type_id\": 99, \"uid\": \"84992264-5be7-11ee-8071-0242ac110005\"}, \"name\": \"Job\", \"namespace_pid\": 29, \"parent_process\": {\"cmd_line\": \"brush bouquet alto\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"82B5F7770097973F2962C241C557369EC2D38E9A1BDA03176B9CA511F1CA56CF\"}, \"image\": {\"name\": \"adipex into polo\", \"uid\": \"849984fc-5be7-11ee-af4c-0242ac110005\"}, \"name\": \"deutschland pic newcastle\", \"size\": 797071549, \"uid\": \"84996db4-5be7-11ee-bada-0242ac110005\"}, \"created_time\": 1695676041528, \"file\": {\"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"44CA9EA761C2131C73960AD47472741B13D305EE2D07FE91E8F1B47F4F062B8A16DD3611E4439E4C163A7CF42F1AE5989CF9683117DB801FD1BC222A16618E19\"}, {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"C25DDA249CDECE9D908CC33ADCD16AA05E20290F\"}], \"name\": \"tuner.pdb\", \"parent_folder\": \"architectural pink phil/overview.dtd\", \"path\": \"architectural pink phil/overview.dtd/tuner.pdb\", \"type\": \"Named Pipe\", \"type_id\": 6, \"version\": \"1.0.0\", \"xattributes\": {}}, \"lineage\": [\"familiar privilege canvas\"], \"namespace_pid\": 23, \"parent_process\": {\"cmd_line\": \"in blowing memorial\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"6B2A589B76A482CD379A7FF8AF13EE0F9ABF937DE60010068FEC808F5B6B22521C2A28C7F48BC5C2EDC81EAE5E5812D95F5E0F3DF5685571E5DB36B146DB82EC\"}, \"image\": {\"name\": \"robert through mailing\", \"tag\": \"struggle gerald weather\", \"uid\": \"8499d704-5be7-11ee-b617-0242ac110005\"}, \"name\": \"france sg charger\", \"network_driver\": \"catch sun general\", \"orchestrator\": \"sf varieties queries\", \"size\": 1048383191, \"tag\": \"deserve focused select\", \"uid\": \"8499d164-5be7-11ee-a7e8-0242ac110005\"}, \"created_time\": 1695676041539, \"file\": {\"attributes\": 83, \"desc\": 
\"escape steady bow\", \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"718C92FD5ECC9B483CA9A76E309BD60F7DAD6035254FAD5EA9430568F36EB16D5532657DE90C3B3B41896C8A9B601BF1E1083D5BB299127118B535C347D13549\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"D13D53927A745D27511C298846343093D7E92D919905B6C22ABBF727AD18EF7E3B3850949F8CC772390749C8644B5CF6F8618FEF524E9589DB73F57FE128AA88\"}], \"name\": \"spirit.max\", \"owner\": {\"email_addr\": \"Pamelia@directed.com\", \"name\": \"Friend\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"84999e10-5be7-11ee-914b-0242ac110005\"}, \"parent_folder\": \"fish largest alberta/solutions.deskthemepack\", \"path\": \"fish largest alberta/solutions.deskthemepack/spirit.max\", \"type\": \"Regular File\", \"type_id\": 1, \"version\": \"1.0.0\"}, \"integrity\": \"faculty hardcover generated\", \"name\": \"Cialis\", \"namespace_pid\": 79, \"parent_process\": {\"cmd_line\": \"text ana range\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"79F7EED760813BF63DC0EE7F986F1CC6345DD170AB03CA1350684CB8720E3C67F9FCE3B075A22266EB0C66A1CDA2D3BD540E777D9A294433377B83DB6DE3D6DB\"}, \"image\": {\"name\": \"layers branch lucas\", \"tag\": \"nations chances trips\", \"uid\": \"849a32bc-5be7-11ee-86bb-0242ac110005\"}, \"name\": \"own drawing acute\", \"size\": 1512724327, \"uid\": \"849a2420-5be7-11ee-94c5-0242ac110005\"}, \"created_time\": 1695676041533, \"file\": {\"creator\": {\"domain\": \"coupons dropped pantyhose\", \"name\": \"Booking\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"8499f1ee-5be7-11ee-a02c-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"F01EB1DD5E5D955CF3DA810E1FAABA4136E09F5EF69DA3753223183EF836741A617AAAEB52D8B014D900A4A11B94974298F7D3C4EAE57C107CF3A3230AD34188\"}], \"modified_time_dt\": \"2023-09-25T21:07:21.531893Z\", \"name\": \"premises.sln\", \"owner\": {\"account\": {\"name\": \"discs outlets 
general\", \"type\": \"Mac OS Account\", \"type_id\": 7, \"uid\": \"8499eb2c-5be7-11ee-86b7-0242ac110005\"}, \"name\": \"Welcome\", \"type\": \"User\", \"type_id\": 1}, \"parent_folder\": \"ralph tales librarian/simpsons.psd\", \"path\": \"ralph tales librarian/simpsons.psd/premises.sln\", \"type\": \"ships\", \"type_id\": 99}, \"lineage\": [\"guru hosted bradley\"], \"name\": \"Devices\", \"namespace_pid\": 39, \"parent_process\": {\"cmd_line\": \"merchandise initiatives accessibility\", \"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"12FC9239ABF2C07159EBC92013171DA43175589170BD05B55220534634A9D1FEFC88B117A95FCE4FE3C5A5FEDB9DC4EB3F700C0386931C889F815E86BCD4B509\"}, \"image\": {\"name\": \"evaluating apartments disaster\", \"uid\": \"849a6a66-5be7-11ee-95e4-0242ac110005\"}, \"name\": \"apartment drunk amateur\", \"size\": 3702557326, \"uid\": \"849a646c-5be7-11ee-90ce-0242ac110005\"}, \"created_time\": 1695676041535, \"file\": {\"attributes\": 22, \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"6FD1E1613C3918067E01585E32D4AA461C485DF01C56BD5A294FD82B353B5EC64A7EBAED614D28451E3AECB3ACA75900593A20D8AE7F7A1E2CF9DD4F0496B9C4\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"B66E94D9133A6E41392C5AFCBF3F6EEB29E45C041350255AEE34ADD6C4E6BD15FF9060177954793B5D078A8802B4B1ADDD73BECACB7D5827D9A1CB9F96D5E153\"}], \"is_system\": false, \"modified_time_dt\": \"2023-09-25T21:07:21.533963Z\", \"name\": \"hunt.ppt\", \"type\": \"Local Socket\", \"type_id\": 5}, \"name\": \"Bags\", \"namespace_pid\": 29, \"parent_process\": {\"cmd_line\": \"recordings countries slides\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"383B6630E8241D34D54BFD689DECC0CAB88770D935667989A3A1DE8397F5520F\"}, \"image\": {\"name\": \"evanescence plans courts\", \"tag\": \"buy archives predict\", \"uid\": 
\"849aaa9e-5be7-11ee-a47a-0242ac110005\"}, \"name\": \"distant modeling monaco\", \"runtime\": \"peace up sailing\", \"uid\": \"849aa490-5be7-11ee-bb98-0242ac110005\"}, \"created_time\": 1695676041539, \"file\": {\"attributes\": 35, \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"6BD48B1E57856137037BFEE4DEC8D57F\"}], \"name\": \"hardware.wma\", \"owner\": {\"name\": \"Asia\", \"type\": \"meetup\", \"type_id\": 99, \"uid\": \"849a7ac4-5be7-11ee-a06d-0242ac110005\"}, \"parent_folder\": \"interactions malta thoughts/laden.pdf\", \"path\": \"interactions malta thoughts/laden.pdf/hardware.wma\", \"signature\": {\"algorithm\": \"Authenticode\", \"algorithm_id\": 4, \"digest\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"3188206324B062751CE36D4251C19C94\"}}, \"type\": \"Unknown\", \"type_id\": 0}, \"integrity\": \"bookings qc dictionaries\", \"lineage\": [\"lanka manufacture bra\", \"gibson implementation pope\"], \"name\": \"Sen\", \"namespace_pid\": 6, \"parent_process\": {\"cmd_line\": \"amount anywhere suffered\", \"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"B7F1BFFEB47BCFB30F891852F769572A9816784BF4A4073805850F9F969A5335CFC878CACC9E0F8A71B547F60832FE712A59A7DD7DBD6E94BB9D155309EB3581\"}, \"image\": {\"name\": \"cross tray influenced\", \"tag\": \"afternoon counseling governance\", \"uid\": \"849b1f7e-5be7-11ee-bb9d-0242ac110005\"}, \"name\": \"author channel disappointed\", \"network_driver\": \"slovakia friend username\", \"size\": 191473515, \"uid\": \"849aff08-5be7-11ee-80bd-0242ac110005\"}, \"created_time\": 1695676041539630, \"file\": {\"accessed_time\": 1695676041534, \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"CE850E16E049A60B4B8F465DC00ADBFB7207CC76FD94F5EBC335F637B8052B77\"}], \"name\": \"removal.obj\", \"parent_folder\": \"jeff puts assignments/thing.msi\", \"path\": \"jeff puts assignments/thing.msi/removal.obj\", \"security_descriptor\": 
\"bureau myspace barrel\", \"type\": \"Named Pipe\", \"type_id\": 6}, \"name\": \"Impacts\", \"namespace_pid\": 49, \"parent_process\": {\"cmd_line\": \"techno now vid\", \"created_time\": 1695676041593, \"file\": {\"accessor\": {\"credential_uid\": \"849b5b88-5be7-11ee-af7a-0242ac110005\", \"name\": \"Dragon\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"849b52b4-5be7-11ee-863c-0242ac110005\"}, \"attributes\": 78, \"created_time_dt\": \"2023-09-25T21:07:21.541195Z\", \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"AABE45CE23939AE53AA3AF15C6123A6ED98FC106E4C7491B89A814D8EB040F3B9D5842B5A215D1D27ED1B4DC8DD3D3F0D50197DD105E37461661D98A23E0917C\"}], \"modified_time\": 1695676041541, \"modified_time_dt\": \"2023-09-25T21:07:21.541163Z\", \"name\": \"human.pdb\", \"parent_folder\": \"let dawn representing/surrounding.dwg\", \"path\": \"let dawn representing/surrounding.dwg/human.pdb\", \"product\": {\"feature\": {\"name\": \"metric th alt\", \"uid\": \"849b46a2-5be7-11ee-824d-0242ac110005\", \"version\": \"1.0.0\"}, \"name\": \"heavy payroll timothy\", \"uid\": \"849b3fd6-5be7-11ee-83d2-0242ac110005\", \"vendor_name\": \"rv brother vaccine\", \"version\": \"1.0.0\"}, \"type\": \"Symbolic Link\", \"type_id\": 7}, \"lineage\": [\"qualify insight reproduce\", \"placing download tomato\"], \"name\": \"Sampling\", \"namespace_pid\": 91, \"parent_process\": {\"cmd_line\": \"treatments proceeding assumed\", \"created_time\": 1695676041548, \"created_time_dt\": \"2023-09-25T21:07:21.565904Z\", \"file\": {\"accessor\": {\"email_addr\": \"Stormy@postcard.mobi\", \"name\": \"Xhtml\", \"type\": \"disabilities\", \"type_id\": 99, \"uid\": \"849ba016-5be7-11ee-8738-0242ac110005\"}, \"creator\": {\"domain\": \"neural fig colin\", \"full_name\": \"Otelia Kori\", \"name\": \"Tap\", \"org\": {\"name\": \"timing process palestinian\", \"ou_name\": \"step mouth drunk\", \"uid\": \"849bad9a-5be7-11ee-9fa0-0242ac110005\"}, \"type\": \"User\", 
\"type_id\": 1}, \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"A5064ED27DDBDCBA4CBCADF1DB39DA3F2EEE6B58C7A1239C64CABA643C220D3F292A1DE7E239A9314ECD04E09E02E1289265DB1375370F0E2CB9844F235B40B9\"}], \"is_system\": true, \"mime_type\": \"talked/wishlist\", \"modified_time\": 1695676041546, \"name\": \"sunday.crdownload\", \"parent_folder\": \"designing designed kim/butts.crx\", \"path\": \"designing designed kim/butts.crx/sunday.crdownload\", \"product\": {\"feature\": {\"name\": \"seminar automatic gui\", \"uid\": \"849b9742-5be7-11ee-9904-0242ac110005\", \"version\": \"1.0.0\"}, \"lang\": \"en\", \"name\": \"nights validity updated\", \"uid\": \"849b866c-5be7-11ee-a7ff-0242ac110005\", \"url_string\": \"however\", \"vendor_name\": \"favorite album ncaa\", \"version\": \"1.0.0\"}, \"signature\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"certificate\": {\"created_time\": 1695676041542, \"expiration_time\": 1695676041577, \"fingerprints\": [{\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"A1636B226D49D354EAD09345190417B47EC13762648D8C196823FB556456DD5A2ED39FDF2ADE536CF2D0AFA33A47F9404800085FE205A49A4DA6C280AF603AA9\"}], \"issuer\": \"cooperation worldcat southwest\", \"serial_number\": \"distributed characters bin\", \"subject\": \"annually ic quest\", \"version\": \"1.0.0\"}, \"created_time_dt\": \"2023-09-25T21:07:21.542032Z\"}, \"size\": 1384349588, \"type\": \"Unknown\", \"type_id\": 0}, \"integrity\": \"written\", \"integrity_id\": 99, \"lineage\": [\"tenant surveillance nature\", \"securities joining bite\"], \"loaded_modules\": [\"/aims/hammer/duke/implementation/roland.jar\", \"/illustration/reads/adaptation/ppc/footage.cab\"], \"name\": \"Foundation\", \"parent_process\": {\"cmd_line\": \"remain weird municipal\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": 
\"53CB2A3DF41EA583C9DAD815CC228E623D600CA69DD3B138EBA03828A95C399AC2319E8C246FAF2EB345362B0931618009C8A5FF4C8E100C7B414107D51F849D\"}, \"image\": {\"name\": \"titten live cvs\", \"uid\": \"849c105a-5be7-11ee-8337-0242ac110005\"}, \"name\": \"anthony serial medline\", \"size\": 2006500672, \"uid\": \"849c059c-5be7-11ee-b620-0242ac110005\"}, \"created_time\": 1695676041542, \"created_time_dt\": \"2023-09-25T21:07:21.565886Z\", \"file\": {\"accessed_time\": 1695676044937, \"accessor\": {\"domain\": \"operates collectables presentations\", \"name\": \"Qualities\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849bf00c-5be7-11ee-a0de-0242ac110005\", \"uid_alt\": \"welsh constraints elimination\"}, \"created_time\": 1695676041545, \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"BADBDA50632954800C02D40EB49D1BEF8E5A883D\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"22B65F9CC3DDECE17BC92C741314C0C01D6C398B477BCFE22CCB63F4975A066119C2A3F4E9BDC342383345BCEEA9046C0573AEA278C1EBD8E1578337B1640606\"}], \"is_system\": false, \"name\": \"moral.kmz\", \"parent_folder\": \"suit who pics/arrange.torrent\", \"path\": \"suit who pics/arrange.torrent/moral.kmz\", \"type\": \"Local Socket\", \"type_id\": 5}, \"integrity\": \"High\", \"integrity_id\": 4, \"name\": \"Restore\", \"namespace_pid\": 8, \"parent_process\": {\"cmd_line\": \"arrangements makes handy\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"FC25F43E993A1FB725021E78097481FDD1FECA2EC91BF14AE34067FC31DBCD1005D4B0AFC4F050872672CC3EAB72236EADE80DFF4CCBB844F8ED0489F697D2F1\"}, \"image\": {\"labels\": [\"mumbai\"], \"name\": \"capabilities huge hometown\", \"uid\": \"849c6d2a-5be7-11ee-a411-0242ac110005\"}, \"name\": \"yahoo plains basically\", \"uid\": \"849c6776-5be7-11ee-94b5-0242ac110005\"}, \"created_time\": 1695676041544, \"file\": {\"accessor\": {\"account\": {\"name\": \"cards gratis necklace\", \"type\": \"Apple Account\", 
\"type_id\": 8}, \"full_name\": \"Crysta Damaris\", \"name\": \"Class\", \"type\": \"pie\", \"type_id\": 99, \"uid_alt\": \"linux has luis\"}, \"attributes\": 79, \"company_name\": \"Mckenzie Ardith\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"creator\": {\"domain\": \"glass outlet lopez\", \"groups\": [{\"name\": \"suspected contributor counting\", \"type\": \"vacations wines biological\", \"uid\": \"849c5ae2-5be7-11ee-97a7-0242ac110005\"}], \"org\": {\"name\": \"reproductive balloon stanley\", \"ou_name\": \"pick rear governance\", \"ou_uid\": \"849c5470-5be7-11ee-b89d-0242ac110005\", \"uid\": \"849c5060-5be7-11ee-b740-0242ac110005\"}, \"type\": \"selected\", \"type_id\": 99, \"uid\": \"849c4b2e-5be7-11ee-9c0b-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"1B8BF6AF4C4E0F5A64ED59860F5673F5762D1E214D4B3127BAC626D3811952EAF98972460DF098DEAB2B6D4FF02723546AEBA4108F2A03A20044552141A4447E\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"221C1DF278F5DBE8C04CCC89DB66A355ABA13C3F27B4E23A19D0E73C64E5E9A7951D5102BA2F416429122A6110C57ED22F7216EB73939FF0E7E4BDB574A90CC4\"}], \"is_system\": false, \"name\": \"revolution.vcf\", \"owner\": {\"email_addr\": \"Suzan@communicate.coop\", \"name\": \"Sunny\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849c24fa-5be7-11ee-93d2-0242ac110005\"}, \"parent_folder\": \"nintendo smilies thank/ought.vb\", \"path\": \"nintendo smilies thank/ought.vb/revolution.vcf\", \"product\": {\"lang\": \"en\", \"name\": \"pci invasion producers\", \"uid\": \"849c3e4a-5be7-11ee-80be-0242ac110005\", \"vendor_name\": \"australian payments crm\", \"version\": \"1.0.0\"}, \"security_descriptor\": \"recommended approve environment\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"certificate\": {\"created_time\": 1695676041548, \"expiration_time\": 1695676041514, \"fingerprints\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": 
\"35C90137B6BD19F8D464173B9904DBFA60D62BFF8BCBCF99235987ACC2D4840DBA02F991522C533C211C54B3A1016A0A76AF0578E30D0190414926A1EA56FEB7\"}], \"issuer\": \"foundation review shaft\", \"serial_number\": \"windsor sponsor google\", \"subject\": \"microwave marriott okay\", \"version\": \"1.0.0\"}}, \"type\": \"Folder\", \"type_id\": 2, \"version\": \"1.0.0\"}, \"namespace_pid\": 13, \"parent_process\": {\"cmd_line\": \"well absent shoe\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"A813ED16B0B3E58FA959C0BA26A47058\"}, \"image\": {\"name\": \"audio miracle leader\", \"uid\": \"849ce32c-5be7-11ee-b7a9-0242ac110005\"}, \"name\": \"hospitality walker vs\", \"size\": 1224758347, \"uid\": \"849cdd28-5be7-11ee-9250-0242ac110005\"}, \"created_time\": 1695676041555, \"file\": {\"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"3BC175E9CE56D1FC2D86AB6EA2EC56EB21930540B56A5B6E3840DFB64287ACAB\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"31588C71F04798D44E2202431AE7025AF3BC67EC8192E94F362A9B9121FB5AC23510026F8391A0A54234D8D0DB8D2DEBD112DEEF6AC598A11A194875191A4975\"}], \"is_system\": true, \"mime_type\": \"engineer/habitat\", \"modifier\": {\"domain\": \"ln resolved couple\", \"email_addr\": \"Deloise@agreed.arpa\", \"name\": \"Heritage\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"849c8878-5be7-11ee-98bd-0242ac110005\"}, \"name\": \"world.jpg\", \"parent_folder\": \"blend roommates closed/died.docx\", \"path\": \"blend roommates closed/died.docx/world.jpg\", \"type\": \"Block Device\", \"type_id\": 4}, \"lineage\": [\"achievement courage send\", \"expansion instructional agreements\"], \"loaded_modules\": [\"/rev/amazon/casino/june/fails.bin\", \"/credit/potential/lawsuit/clause/nine.bmp\"], \"name\": \"Tell\", \"namespace_pid\": 62, \"parent_process\": {\"cmd_line\": \"challenges prompt cumulative\", \"container\": {\"hash\": 
{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"6E73C76AD0B2D03EB35088BB834D7A1949E2174F0288EAC8066F5CC920923FEC2568825E7A9B3B3B871DC2AA82AD34DAC42A8E327CAD3D3E720D2ADD7C13CAB0\"}, \"image\": {\"name\": \"charges fragrances complex\", \"uid\": \"849d1342-5be7-11ee-a4ca-0242ac110005\"}, \"name\": \"develop affiliates required\", \"network_driver\": \"familiar movies legitimate\", \"pod_uuid\": \"legally\", \"size\": 2138922450, \"uid\": \"849d0e7e-5be7-11ee-a8e4-0242ac110005\"}, \"file\": {\"confidentiality\": \"venue rl epa\", \"created_time_dt\": \"2023-09-25T21:07:21.551631Z\", \"hashes\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"2347F66D3EE9CCBD7191F650BE1EF4F94E8B6ED61D543709A1A907FBC76BFC089577CB78BFA772DA65746573746C4AB26AF19E7A8E9DB821E3979ED04051B9BC\"}, {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"256D62122A8BA5E06B613EAD639B79BA7875995217AC6E2C854DBB610631D33C\"}], \"mime_type\": \"silicon/limousines\", \"modified_time\": 1695676041500, \"name\": \"flexible.vcxproj\", \"product\": {\"lang\": \"en\", \"name\": \"external polar galaxy\", \"vendor_name\": \"hack infection generator\", \"version\": \"1.0.0\"}, \"type\": \"Folder\", \"type_id\": 2, \"xattributes\": {}}, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"name\": \"Airfare\", \"namespace_pid\": 2, \"parent_process\": {\"cmd_line\": \"reporter techno regarded\", \"container\": {\"hash\": {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"0895F371F264F7E3AA4A79B16A3C6EEAABE10BBF6A7DC2B7D8DD4F14B3C6F05D\"}, \"image\": {\"labels\": [\"responsibility\"], \"uid\": \"849d468c-5be7-11ee-85e3-0242ac110005\"}, \"name\": \"cpu mission hacker\", \"orchestrator\": \"helpful pasta matthew\", \"runtime\": \"cables vanilla amendments\", \"size\": 1820268463, \"uid\": \"849d3caa-5be7-11ee-9fe6-0242ac110005\"}, \"file\": {\"attributes\": 44, \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": 
\"8A25185F3C5523EF3B08C1ECDD83016224863C95\"}, {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"6B9ED75DAE7A1E692073FC400B558EA4\"}], \"mime_type\": \"will/executed\", \"name\": \"uzbekistan.jar\", \"type\": \"Block Device\", \"type_id\": 4, \"uid\": \"849d2170-5be7-11ee-a637-0242ac110005\", \"xattributes\": {}}, \"name\": \"Eternal\", \"namespace_pid\": 84, \"parent_process\": {\"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"308FD1FED7D34B9AFAB9224FF617D64E4CA9AC20FC59F1FB3B80AB2CBB1511245EC668E138B6C330D86E2B874BD66ED33E16E931B3D344A8365BE63CAB39562C\"}, \"image\": {\"labels\": [\"fix\"], \"name\": \"curtis burns park\", \"uid\": \"849d83f4-5be7-11ee-8f40-0242ac110005\"}, \"network_driver\": \"surely assistance actively\", \"pod_uuid\": \"gardening\", \"size\": 1668291787, \"uid\": \"849d7cce-5be7-11ee-80f3-0242ac110005\"}, \"created_time\": 1695676041553, \"file\": {\"company_name\": \"Frederica Hertha\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"created_time\": 1695676041554, \"created_time_dt\": \"2023-09-25T21:07:21.554150Z\", \"desc\": \"closed hydraulic connecting\", \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"5C5069744142886E3127F2CCFE145C68A0B1A4DFA3BB504B858390D851E16A9F\"}], \"name\": \"titanium.avi\", \"parent_folder\": \"slideshow configurations lens/nations.flv\", \"path\": \"slideshow configurations lens/nations.flv/titanium.avi\", \"type\": \"Unknown\", \"type_id\": 0, \"xattributes\": {}}, \"integrity\": \"System\", \"integrity_id\": 5, \"name\": \"Music\", \"parent_process\": {\"cmd_line\": \"pursuant proceed discussed\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"8876489CE00D6D9FDF61ED1C773F047E\"}, \"image\": {\"name\": \"bubble architects vancouver\", \"path\": \"hairy pixel time\", \"uid\": \"849e0ebe-5be7-11ee-8341-0242ac110005\"}, \"name\": \"insight style ca\", \"runtime\": \"williams ng 
xhtml\", \"size\": 220440282, \"uid\": \"849e031a-5be7-11ee-b55b-0242ac110005\"}, \"created_time\": 1695676041558, \"file\": {\"accessor\": {\"account\": {\"name\": \"hourly toll disappointed\", \"uid\": \"849dabd6-5be7-11ee-ba6a-0242ac110005\"}, \"credential_uid\": \"849db838-5be7-11ee-8a18-0242ac110005\", \"name\": \"Mine\", \"type\": \"fcc\", \"type_id\": 99, \"uid\": \"849da17c-5be7-11ee-9d3a-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"599DCCE2998A6B40B1E38E8C6006CB0A\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"E3C48119D2F351FBEB28EABE137BB8D7969A9AA7CEBF71A153DA4670481EFAAB267B6B39C0EDBDDAF4DD1B9E9B5FF0B28D72E0A5FA27336A282A0FDBA4D0C9D4\"}], \"modified_time\": 1695676041557, \"modifier\": {\"full_name\": \"Katheryn Kena\", \"name\": \"Infected\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"849d94de-5be7-11ee-b30d-0242ac110005\"}, \"name\": \"opening.vob\", \"parent_folder\": \"venezuela flyer seller/os.kml\", \"path\": \"venezuela flyer seller/os.kml/opening.vob\", \"security_descriptor\": \"graham occupations become\", \"type\": \"Local Socket\", \"type_id\": 5}, \"lineage\": [\"bk destinations est\", \"whose playback congressional\"], \"name\": \"Surprise\", \"namespace_pid\": 54, \"parent_process\": {\"cmd_line\": \"peer rail specialist\", \"container\": {\"image\": {\"name\": \"committed plastic does\", \"uid\": \"849e6972-5be7-11ee-b803-0242ac110005\"}, \"name\": \"priority mirrors although\", \"network_driver\": \"conduct linking lb\", \"runtime\": \"rock relation block\", \"size\": 2559819198, \"uid\": \"849e509a-5be7-11ee-ad75-0242ac110005\"}, \"created_time\": 1695676041434, \"file\": {\"accessor\": {\"full_name\": \"Lorna Francisco\", \"name\": \"Intl\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849e39a2-5be7-11ee-b3b8-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"9471ED19416B8099E51855CB0EF61AE3\"}], \"modified_time\": 
1695676041563, \"modifier\": {\"domain\": \"informational advisory mg\", \"name\": \"Constraints\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849e2a2a-5be7-11ee-82b2-0242ac110005\"}, \"name\": \"filled.mdb\", \"parent_folder\": \"disc dividend incentives/crucial.wps\", \"path\": \"disc dividend incentives/crucial.wps/filled.mdb\", \"product\": {\"lang\": \"en\", \"name\": \"michigan slight torture\", \"path\": \"costumes somewhat qui\", \"uid\": \"849e3088-5be7-11ee-8510-0242ac110005\", \"vendor_name\": \"franchise portland experiment\", \"version\": \"1.0.0\"}, \"signature\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"certificate\": {\"created_time\": 1695676041558, \"expiration_time\": 1695676041554, \"fingerprints\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"372885B9675F31EF37D14F711A430940E777638ADCB2F77B36D079076E38606F\"}], \"issuer\": \"worker attended mel\", \"serial_number\": \"durham graham course\", \"subject\": \"infectious replication lock\", \"version\": \"1.0.0\"}}, \"size\": 2881440001, \"type\": \"Character Device\", \"type_id\": 3}, \"lineage\": [\"desktop lakes moscow\", \"barrel touch increasing\"], \"name\": \"Courage\", \"namespace_pid\": 13, \"parent_process\": {\"cmd_line\": \"institutes yes inputs\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"7CA5C1BF6D37F1E7389DB34F7617B7101F65DED1\"}, \"image\": {\"name\": \"belfast interests activation\", \"uid\": \"849f1dc2-5be7-11ee-b432-0242ac110005\"}, \"name\": \"missed foreign palmer\", \"size\": 903476370, \"uid\": \"849f0878-5be7-11ee-b335-0242ac110005\"}, \"created_time\": 1695676041565, \"created_time_dt\": \"2023-09-25T21:07:21.565824Z\", \"file\": {\"accessed_time_dt\": \"2023-09-25T21:07:21.564734Z\", \"creator\": {\"account\": {\"name\": \"workers observer lonely\", \"type\": \"GCP Account\", \"type_id\": 5, \"uid\": \"849ef310-5be7-11ee-b8e1-0242ac110005\"}, \"email_addr\": \"Myrta@of.cat\", \"type\": 
\"Unknown\", \"type_id\": 0, \"uid\": \"849edfe2-5be7-11ee-97f0-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"5F8105C9976CE93253600A074BD373A5286734FB9650F503EF4AD611A9422D3554C34BD6C2672159C2F485A59C83965804D6F2532A8DADF2749DF74B1B089C10\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"C1E19A5C30DB36D9FEA3088EBBCF2E05B7F2E3B108DA82565EF183591D036A615456960CA1BF3DEDAEF8450140669F4E45A239D12DE570D5B2322AEADAE0EE7B\"}], \"name\": \"metabolism.gadget\", \"owner\": {\"org\": {\"name\": \"syndication joseph realized\", \"ou_name\": \"advertise scored usr\", \"ou_uid\": \"849e9852-5be7-11ee-9c6a-0242ac110005\", \"uid\": \"849e8ff6-5be7-11ee-be3f-0242ac110005\"}, \"type\": \"System\", \"type_id\": 3, \"uid\": \"849e86dc-5be7-11ee-9b00-0242ac110005\"}, \"parent_folder\": \"patch attempting mf/nashville.dxf\", \"path\": \"patch attempting mf/nashville.dxf/metabolism.gadget\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"certificate\": {\"created_time\": 1695676041504, \"expiration_time\": 1695676041569, \"fingerprints\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"6467C5C0EA62DB25016E724973C845BA50F0BBD72AE91F11E4CB5F3884CF1852EC05AA4B971CA59B372F8DC7B8E49562276E89C888FFDE3DD41BFC2E88336E98\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"80A346634E5CD09AAFC3C417ABCE0C6A156B40EBB910123FAC486DC6197D24EC4C575301A8CC06D58FBAEEAE6F40E42B6D84FDA6996E06EE2F68282EA73FDA93\"}], \"issuer\": \"database verse prince\", \"serial_number\": \"termination vi limitation\", \"subject\": \"signals book follow\", \"version\": \"1.0.0\"}}, \"type\": \"Character Device\", \"type_id\": 3}, \"name\": \"Harley\", \"namespace_pid\": 44, \"pid\": 38, \"terminated_time\": 1695676041566, \"uid\": \"849f00ee-5be7-11ee-954b-0242ac110005\", \"user\": {\"full_name\": \"Lyndsay Ricky\", \"name\": \"Referenced\", \"type\": \"Admin\", \"type_id\": 2}, \"xattributes\": {}}, \"pid\": 5, 
\"user\": {\"name\": \"Motorcycle\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"849e4a46-5be7-11ee-bc81-0242ac110005\"}}, \"pid\": 50, \"sandbox\": \"final corporations performances\", \"user\": {\"account\": {\"type\": \"Windows Account\", \"type_id\": 2, \"uid\": \"849df820-5be7-11ee-82f1-0242ac110005\"}, \"credential_uid\": \"849dfc62-5be7-11ee-a9bc-0242ac110005\", \"name\": \"Simulations\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"849debb4-5be7-11ee-bfac-0242ac110005\"}}, \"pid\": 28, \"uid\": \"849d64dc-5be7-11ee-b02a-0242ac110005\", \"user\": {\"name\": \"Be\", \"type\": \"types\", \"type_id\": 99, \"uid\": \"849d60a4-5be7-11ee-98cb-0242ac110005\"}}, \"pid\": 76, \"uid\": \"849d308e-5be7-11ee-a5ad-0242ac110005\", \"user\": {\"email_addr\": \"Josefina@holders.museum\", \"name\": \"Manager\", \"type\": \"legs\", \"type_id\": 99, \"uid\": \"849d2c24-5be7-11ee-953d-0242ac110005\"}, \"xattributes\": {}}, \"user\": {\"account\": {\"name\": \"strict manufactured invest\", \"type\": \"AWS IAM User\", \"type_id\": 3, \"uid\": \"849d0500-5be7-11ee-97bd-0242ac110005\"}, \"credential_uid\": \"849d08ca-5be7-11ee-bfe2-0242ac110005\", \"name\": \"Track\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849cfe70-5be7-11ee-b38b-0242ac110005\"}}, \"sandbox\": \"distributor workshops maldives\", \"session\": {\"created_time\": 1695676041550, \"expiration_time_dt\": \"2023-09-25T21:07:21.550638Z\", \"is_remote\": false, \"issuer\": \"volunteer meetings medline\", \"uid\": \"849ccebe-5be7-11ee-a1ca-0242ac110005\"}, \"uid\": \"849cc522-5be7-11ee-aa87-0242ac110005\", \"user\": {\"credential_uid\": \"849cc0f4-5be7-11ee-9c36-0242ac110005\", \"domain\": \"our installing clinical\", \"name\": \"Weather\", \"org\": {\"name\": \"top riverside asthma\", \"ou_name\": \"stats dans soviet\", \"uid\": \"849cb208-5be7-11ee-a4a6-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"849ca4ca-5be7-11ee-b39c-0242ac110005\"}}, \"pid\": 20, \"uid\": 
\"849c61f4-5be7-11ee-8006-0242ac110005\"}, \"pid\": 74, \"sandbox\": \"upload stages deutsch\", \"terminated_time_dt\": \"2023-09-25T21:07:21.565891Z\", \"xattributes\": {}}, \"pid\": 41, \"sandbox\": \"facial gossip lopez\", \"session\": {\"created_time\": 1695676041544, \"is_remote\": true, \"issuer\": \"mind file superior\", \"uid\": \"849bd89c-5be7-11ee-bbae-0242ac110005\"}, \"terminated_time\": 1695676041561, \"terminated_time_dt\": \"2023-09-25T21:07:21.565908Z\", \"tid\": 86, \"uid\": \"849bcfb4-5be7-11ee-b896-0242ac110005\", \"user\": {\"email_addr\": \"Reba@contemporary.mobi\", \"groups\": [{\"desc\": \"twenty protection innovative\", \"name\": \"penn laundry woods\", \"type\": \"powerpoint jump hospitality\", \"uid\": \"849bbdee-5be7-11ee-95a2-0242ac110005\"}, {\"uid\": \"849bc780-5be7-11ee-9955-0242ac110005\"}], \"name\": \"Certain\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849bb81c-5be7-11ee-bbec-0242ac110005\", \"uid_alt\": \"technical critics nationally\"}}, \"pid\": 71, \"sandbox\": \"compounds s time\", \"terminated_time\": 1695676041567, \"uid\": \"849b6dee-5be7-11ee-84f0-0242ac110005\", \"user\": {\"domain\": \"lexmark refers dylan\", \"email_addr\": \"Yelena@communities.nato\", \"name\": \"Particles\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"849b6916-5be7-11ee-a01e-0242ac110005\"}}, \"pid\": 86, \"sandbox\": \"romance volunteer entrepreneurs\", \"uid\": \"849adea6-5be7-11ee-aa53-0242ac110005\", \"user\": {\"domain\": \"statistical poland gregory\", \"full_name\": \"Paul Julian\", \"groups\": [{\"desc\": \"luggage species belkin\", \"name\": \"accessed thanks instructions\", \"privileges\": [\"flashing aol autumn\"], \"uid\": \"849ad5fa-5be7-11ee-a0e9-0242ac110005\"}, {\"name\": \"cognitive times agent\", \"privileges\": [\"sodium believed housing\", \"incorporated jungle asian\"], \"uid\": \"849ada50-5be7-11ee-824e-0242ac110005\"}], \"name\": \"Alliance\", \"org\": {\"name\": \"nyc kidney drawings\", \"uid\": 
\"849accae-5be7-11ee-af7b-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"849abe76-5be7-11ee-a5a1-0242ac110005\"}}, \"pid\": 13, \"uid\": \"849a9ed2-5be7-11ee-ae61-0242ac110005\", \"user\": {\"account\": {\"name\": \"fragrances bulk specialty\", \"type\": \"LDAP Account\", \"type_id\": 1, \"uid\": \"849a9702-5be7-11ee-9f5d-0242ac110005\"}, \"credential_uid\": \"849a9afe-5be7-11ee-b27a-0242ac110005\", \"email_addr\": \"Wava@promises.info\", \"full_name\": \"Marisela Towanda\", \"name\": \"Round\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"849a900e-5be7-11ee-9894-0242ac110005\"}}, \"uid\": \"849a5d78-5be7-11ee-ac24-0242ac110005\", \"user\": {\"full_name\": \"Elisa Cleora\", \"name\": \"Sisters\", \"type\": \"rebound\", \"type_id\": 99, \"uid\": \"849a52ce-5be7-11ee-a468-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 90, \"sandbox\": \"moon exercise starring\", \"terminated_time\": 1695676041562, \"uid\": \"849a1af2-5be7-11ee-82a9-0242ac110005\", \"user\": {\"groups\": [{\"privileges\": [\"independent vegetables assisted\", \"refinance lee seating\"], \"uid\": \"849a1124-5be7-11ee-9a8e-0242ac110005\"}, {\"name\": \"div violence strange\", \"uid\": \"849a1674-5be7-11ee-aa3b-0242ac110005\"}], \"name\": \"Immediate\", \"org\": {\"name\": \"velvet days pubs\", \"ou_name\": \"brake craps campaign\"}, \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849a06c0-5be7-11ee-acfe-0242ac110005\"}}, \"pid\": 21, \"session\": {\"created_time\": 1695676041534, \"expiration_time\": 1695676041542, \"is_remote\": true, \"uid\": \"8499ca0c-5be7-11ee-aae9-0242ac110005\"}, \"uid\": \"8499bc88-5be7-11ee-b028-0242ac110005\", \"user\": {\"name\": \"Apartments\", \"type\": \"ad\", \"type_id\": 99, \"uid\": \"8499b5da-5be7-11ee-b276-0242ac110005\", \"uid_alt\": \"serving turbo spy\"}}, \"pid\": 67, \"terminated_time\": 1695676041561, \"uid\": \"84996800-5be7-11ee-8754-0242ac110005\", \"user\": {\"name\": \"Fantastic\", \"org\": {\"name\": \"dryer asn trying\", 
\"ou_name\": \"wr r gibraltar\", \"uid\": \"849963aa-5be7-11ee-b57a-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"84995d06-5be7-11ee-8223-0242ac110005\"}}, \"pid\": 86, \"uid\": \"8499377c-5be7-11ee-9164-0242ac110005\", \"user\": {\"email_addr\": \"Renita@pete.cat\", \"name\": \"Rice\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"84993312-5be7-11ee-b956-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 49, \"uid\": \"8498d430-5be7-11ee-b1bf-0242ac110005\", \"user\": {\"name\": \"Hour\", \"type\": \"insert\", \"type_id\": 99, \"uid\": \"8498cd14-5be7-11ee-94d7-0242ac110005\", \"uid_alt\": \"organizations guild beds\"}}, \"pid\": 20, \"sandbox\": \"keeps pour rent\", \"terminated_time\": 1695676041566, \"uid\": \"84989376-5be7-11ee-9216-0242ac110005\", \"user\": {\"email_addr\": \"Elza@girls.mil\", \"full_name\": \"Karoline Meggan\", \"name\": \"Provided\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"84988e80-5be7-11ee-bf3c-0242ac110005\"}}, \"pid\": 28, \"uid\": \"8498530c-5be7-11ee-86f3-0242ac110005\", \"user\": {\"domain\": \"sao uri flesh\", \"name\": \"Knows\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"84984db2-5be7-11ee-ba4e-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 26, \"sandbox\": \"species tourism system\", \"terminated_time\": 1695676041564, \"uid\": \"849823d2-5be7-11ee-92d1-0242ac110005\", \"user\": {\"name\": \"Shipment\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"84981f68-5be7-11ee-b652-0242ac110005\", \"uid_alt\": \"singh dim static\"}, \"xattributes\": {}}, \"session\": {\"created_time\": 1695676041516, \"credential_uid\": \"8497c716-5be7-11ee-bd7a-0242ac110005\", \"issuer\": \"discussing capital ottawa\", \"uid\": \"8497c27a-5be7-11ee-8a34-0242ac110005\"}, \"terminated_time\": 1695676041564, \"uid\": \"8497ba64-5be7-11ee-b3a6-0242ac110005\"}, \"pid\": 42, \"tid\": 17, \"uid\": \"849768e8-5be7-11ee-a428-0242ac110005\", \"user\": {\"account\": {\"name\": \"suspended cg sisters\", \"uid\": 
\"8497655a-5be7-11ee-ab52-0242ac110005\"}, \"name\": \"Aquatic\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"84975f7e-5be7-11ee-bfad-0242ac110005\"}}, \"user\": {\"domain\": \"jones cnet biz\", \"name\": \"Turkish\", \"org\": {\"name\": \"performed assignments undefined\", \"ou_name\": \"headquarters informal nigeria\", \"uid\": \"849f3870-5be7-11ee-8857-0242ac110005\"}, \"type\": \"metres\", \"type_id\": 99, \"uid\": \"849f330c-5be7-11ee-aa02-0242ac110005\"}}, \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Network File Activity\", \"class_uid\": 4010, \"cloud\": {\"provider\": \"diego ins ext\", \"region\": \"kissing wi confidence\"}, \"enrichments\": [{\"data\": {\"wallpaper\": \"feded\"}, \"name\": \"hc saskatchewan quickly\", \"provider\": \"outlet toolkit person\", \"type\": \"thu loves strong\", \"value\": \"sword somebody equilibrium\"}, {\"data\": {\"drug\": \"drugg7899\"}, \"name\": \"tree cities corner\", \"type\": \"knife super bat\", \"value\": \"thy qualification booth\"}], \"expiration_time\": 1695676041527, \"file\": {\"accessor\": {\"name\": \"Uruguay\", \"org\": {\"name\": \"lottery political own\", \"ou_name\": \"confirmed towards declined\", \"ou_uid\": \"849f540e-5be7-11ee-841c-0242ac110005\", \"uid\": \"849f501c-5be7-11ee-ab6f-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": \"849f49fa-5be7-11ee-bfe2-0242ac110005\"}, \"desc\": \"arabic suits fun\", \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"4C3280C17F9D982CCBAC882AE1F48DAD224DBA938BEE87BF18E31C76B0C3B88B\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"A7F0A2AD03BE8938C945F65DB1A395CE9E98D67F9EE8D4CA97D687FBB394B64FA0AEB15F5B1D82A2922B62320B77DBA842BBEDEE2B5E15D7A883665ADE3F7C2B\"}], \"modified_time_dt\": \"2023-09-25T21:07:21.567190Z\", \"name\": \"amend.sh\", \"type\": \"Unknown\", \"type_id\": 0}, \"message\": \"kelkoo interactions constitute\", \"metadata\": {\"correlation_uid\": 
\"84971e10-5be7-11ee-b5e7-0242ac110005\", \"log_name\": \"proud iso ticket\", \"log_provider\": \"cb indexes boxing\", \"modified_time_dt\": \"2023-09-25T21:07:21.513376Z\", \"original_time\": \"tournaments leisure comedy\", \"processed_time_dt\": \"2023-09-25T21:07:21.513394Z\", \"product\": {\"name\": \"describes static geological\", \"uid\": \"849714ce-5be7-11ee-981b-0242ac110005\", \"url_string\": \"avatar\", \"vendor_name\": \"highly got hook\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\"], \"sequence\": 99, \"version\": \"1.0.0\"}, \"observables\": [{\"name\": \"except visitor vbulletin\", \"type\": \"Uniform Resource Locator\", \"type_id\": 23}, {\"name\": \"hong rhode para\", \"type\": \"Process Name\", \"type_id\": 9}], \"severity\": \"Low\", \"severity_id\": 2, \"src_endpoint\": {\"hostname\": \"menu.travel\", \"instance_uid\": \"849732a6-5be7-11ee-bdb0-0242ac110005\", \"interface_name\": \"grown reflect expressed\", \"interface_uid\": \"84973670-5be7-11ee-8000-0242ac110005\", \"ip\": \"175.16.199.1\", \"name\": \"replaced wa unlock\", \"port\": 25780, \"svc_name\": \"stanford leisure analyzed\", \"uid\": \"84972e82-5be7-11ee-8eac-0242ac110005\"}, \"start_time\": 1695676041445, \"status\": \"patch emma midi\", \"time\": 1695676041549, \"timezone_offset\": 42, \"type_name\": \"Network File Activity: Rename\", \"type_uid\": 401005}", + "related": { + "hosts": [ + "menu.travel" + ], + "ip": [ + "175.16.199.1" + ] + }, + "source": { + "address": "menu.travel", + "domain": "menu.travel", + "ip": "175.16.199.1", + "port": 25780, + "registered_domain": "menu.travel", + "top_level_domain": "travel" + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_11.json b/OCSF/ocsf/tests/test_network_activity_11.json new file mode 100644 index 000000000..0b2861d32 --- /dev/null +++ b/OCSF/ocsf/tests/test_network_activity_11.json 
@@ -0,0 +1,31 @@ +{ + "input": { + "message": "{\"message\": \"distances authorization packed\", \"status\": \"annually\", \"time\": 1695676084572, \"file\": {\"name\": \"revenge.ged\", \"size\": 123, \"type\": \"Block Device\", \"path\": \"pensions lightning push/congress.icns/revenge.ged\", \"type_id\": 4, \"parent_folder\": \"pensions lightning push/congress.icns\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"hashes\": [{\"value\": \"55F23C756971F835627DAD00E0FEAF38D62993462CA63631FDF93D0E8130CDFF\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"modified_time\": 1695676084549, \"security_descriptor\": \"procedure amsterdam belarus\", \"accessed_time_dt\": \"2023-09-25T21:08:04.549340Z\"}, \"device\": {\"name\": \"walter qt hitting\", \"type\": \"Tablet\", \"ip\": \"67.43.156.0\", \"uid\": \"9e3dbfa4-5be7-11ee-8f05-0242ac110005\", \"hostname\": \"rule.edu\", \"groups\": [{\"name\": \"scanned consisting expense\", \"type\": \"odds traditions trick\", \"uid\": \"9e3db702-5be7-11ee-a715-0242ac110005\", \"privileges\": [\"photography derived log\", \"dna ec believed\"]}, {\"name\": \"tires modifications calendars\", \"uid\": \"9e3dbc02-5be7-11ee-9470-0242ac110005\"}], \"type_id\": 4, \"autoscale_uid\": \"9e3d9b1e-5be7-11ee-ab96-0242ac110005\", \"instance_uid\": \"9e3d9f74-5be7-11ee-a549-0242ac110005\", \"interface_name\": \"accurately shadows node\", \"interface_uid\": \"9e3da38e-5be7-11ee-bda3-0242ac110005\", \"is_personal\": false, \"modified_time\": 1695676084549, \"region\": \"cosmetics preston msgstr\", \"uid_alt\": \"technology alex metallica\"}, \"metadata\": {\"version\": \"1.0.0\", \"extension\": {\"name\": \"editor nerve offset\", \"version\": \"1.0.0\", \"uid\": \"9e3d7ff8-5be7-11ee-8454-0242ac110005\"}, \"product\": {\"name\": \"harm dash walter\", \"version\": \"1.0.0\", \"path\": \"contributors rest worried\", \"uid\": \"9e3d893a-5be7-11ee-9bf6-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"acre shut suzuki\"}, 
\"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_version\": \"flow tribunal aging\", \"original_time\": \"consistently sauce duke\", \"processed_time_dt\": \"2023-09-25T21:08:04.547033Z\"}, \"severity\": \"Critical\", \"disposition\": \"Blocked\", \"type_name\": \"Email File Activity: Send\", \"activity_id\": 1, \"disposition_id\": 2, \"type_uid\": 401101, \"category_name\": \"Network Activity\", \"class_uid\": 4011, \"category_uid\": 4, \"class_name\": \"Email File Activity\", \"timezone_offset\": 0, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"CMSTP\", \"uid\": \"T1191\"}}], \"activity_name\": \"Send\", \"cloud\": {\"account\": {\"type\": \"AWS Account\", \"uid\": \"9e3d6a4a-5be7-11ee-9095-0242ac110005\", \"type_id\": 10}, \"provider\": \"antique camp pin\"}, \"email_uid\": \"9e3d9088-5be7-11ee-b651-0242ac110005\", \"enrichments\": [{\"data\": {\"meat\": \"meattt\"}, \"name\": \"another polyester collectors\", \"type\": \"gen cap beauty\", \"value\": \"recipes generating stored\", \"provider\": \"companion fy mat\"}, {\"data\": {\"meatd\": \"meattt\"}, \"name\": \"brandon fraser seed\", \"type\": \"grove bradley ddr\", \"value\": \"written thumbnail looksmart\", \"provider\": \"hearings gossip shadows\"}], \"severity_id\": 5, \"status_id\": 99}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"message\": \"distances authorization packed\", \"status\": \"annually\", \"time\": 1695676084572, \"file\": {\"name\": \"revenge.ged\", \"size\": 123, \"type\": \"Block Device\", \"path\": \"pensions lightning push/congress.icns/revenge.ged\", \"type_id\": 4, \"parent_folder\": \"pensions lightning push/congress.icns\", \"confidentiality\": \"Top Secret\", 
\"confidentiality_id\": 4, \"hashes\": [{\"value\": \"55F23C756971F835627DAD00E0FEAF38D62993462CA63631FDF93D0E8130CDFF\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"modified_time\": 1695676084549, \"security_descriptor\": \"procedure amsterdam belarus\", \"accessed_time_dt\": \"2023-09-25T21:08:04.549340Z\"}, \"device\": {\"name\": \"walter qt hitting\", \"type\": \"Tablet\", \"ip\": \"67.43.156.0\", \"uid\": \"9e3dbfa4-5be7-11ee-8f05-0242ac110005\", \"hostname\": \"rule.edu\", \"groups\": [{\"name\": \"scanned consisting expense\", \"type\": \"odds traditions trick\", \"uid\": \"9e3db702-5be7-11ee-a715-0242ac110005\", \"privileges\": [\"photography derived log\", \"dna ec believed\"]}, {\"name\": \"tires modifications calendars\", \"uid\": \"9e3dbc02-5be7-11ee-9470-0242ac110005\"}], \"type_id\": 4, \"autoscale_uid\": \"9e3d9b1e-5be7-11ee-ab96-0242ac110005\", \"instance_uid\": \"9e3d9f74-5be7-11ee-a549-0242ac110005\", \"interface_name\": \"accurately shadows node\", \"interface_uid\": \"9e3da38e-5be7-11ee-bda3-0242ac110005\", \"is_personal\": false, \"modified_time\": 1695676084549, \"region\": \"cosmetics preston msgstr\", \"uid_alt\": \"technology alex metallica\"}, \"metadata\": {\"version\": \"1.0.0\", \"extension\": {\"name\": \"editor nerve offset\", \"version\": \"1.0.0\", \"uid\": \"9e3d7ff8-5be7-11ee-8454-0242ac110005\"}, \"product\": {\"name\": \"harm dash walter\", \"version\": \"1.0.0\", \"path\": \"contributors rest worried\", \"uid\": \"9e3d893a-5be7-11ee-9bf6-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"acre shut suzuki\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_version\": \"flow tribunal aging\", \"original_time\": \"consistently sauce duke\", \"processed_time_dt\": \"2023-09-25T21:08:04.547033Z\"}, \"severity\": \"Critical\", \"disposition\": \"Blocked\", \"type_name\": \"Email File Activity: Send\", \"activity_id\": 1, \"disposition_id\": 2, \"type_uid\": 401101, 
\"category_name\": \"Network Activity\", \"class_uid\": 4011, \"category_uid\": 4, \"class_name\": \"Email File Activity\", \"timezone_offset\": 0, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"CMSTP\", \"uid\": \"T1191\"}}], \"activity_name\": \"Send\", \"cloud\": {\"account\": {\"type\": \"AWS Account\", \"uid\": \"9e3d6a4a-5be7-11ee-9095-0242ac110005\", \"type_id\": 10}, \"provider\": \"antique camp pin\"}, \"email_uid\": \"9e3d9088-5be7-11ee-b651-0242ac110005\", \"enrichments\": [{\"data\": {\"meat\": \"meattt\"}, \"name\": \"another polyester collectors\", \"type\": \"gen cap beauty\", \"value\": \"recipes generating stored\", \"provider\": \"companion fy mat\"}, {\"data\": {\"meatd\": \"meattt\"}, \"name\": \"brandon fraser seed\", \"type\": \"grove bradley ddr\", \"value\": \"written thumbnail looksmart\", \"provider\": \"hearings gossip shadows\"}], \"severity_id\": 5, \"status_id\": 99}", + "event": { + "action": "send", + "category": [ + "email" + ], + "severity": 5, + "type": [ + "info" + ] + }, + "cloud": { + "account": { + "id": "9e3d6a4a-5be7-11ee-9095-0242ac110005" + }, + "provider": "antique camp pin" + }, + "ocsf": "{\"activity_id\": 1, \"activity_name\": \"Send\", \"attacks\": [{\"tactics\": [{\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"CMSTP\", \"uid\": \"T1191\"}, \"version\": \"12.1\"}], \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Email File Activity\", \"class_uid\": 4011, \"cloud\": {\"account\": {\"type\": \"AWS Account\", \"type_id\": 10, \"uid\": \"9e3d6a4a-5be7-11ee-9095-0242ac110005\"}, \"provider\": \"antique camp pin\"}, \"device\": {\"autoscale_uid\": \"9e3d9b1e-5be7-11ee-ab96-0242ac110005\", \"groups\": [{\"name\": \"scanned consisting expense\", 
\"privileges\": [\"photography derived log\", \"dna ec believed\"], \"type\": \"odds traditions trick\", \"uid\": \"9e3db702-5be7-11ee-a715-0242ac110005\"}, {\"name\": \"tires modifications calendars\", \"uid\": \"9e3dbc02-5be7-11ee-9470-0242ac110005\"}], \"hostname\": \"rule.edu\", \"instance_uid\": \"9e3d9f74-5be7-11ee-a549-0242ac110005\", \"interface_name\": \"accurately shadows node\", \"interface_uid\": \"9e3da38e-5be7-11ee-bda3-0242ac110005\", \"ip\": \"67.43.156.0\", \"is_personal\": false, \"modified_time\": 1695676084549, \"name\": \"walter qt hitting\", \"region\": \"cosmetics preston msgstr\", \"type\": \"Tablet\", \"type_id\": 4, \"uid\": \"9e3dbfa4-5be7-11ee-8f05-0242ac110005\", \"uid_alt\": \"technology alex metallica\"}, \"disposition\": \"Blocked\", \"disposition_id\": 2, \"email_uid\": \"9e3d9088-5be7-11ee-b651-0242ac110005\", \"enrichments\": [{\"data\": {\"meat\": \"meattt\"}, \"name\": \"another polyester collectors\", \"provider\": \"companion fy mat\", \"type\": \"gen cap beauty\", \"value\": \"recipes generating stored\"}, {\"data\": {\"meatd\": \"meattt\"}, \"name\": \"brandon fraser seed\", \"provider\": \"hearings gossip shadows\", \"type\": \"grove bradley ddr\", \"value\": \"written thumbnail looksmart\"}], \"file\": {\"accessed_time_dt\": \"2023-09-25T21:08:04.549340Z\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"55F23C756971F835627DAD00E0FEAF38D62993462CA63631FDF93D0E8130CDFF\"}], \"modified_time\": 1695676084549, \"name\": \"revenge.ged\", \"parent_folder\": \"pensions lightning push/congress.icns\", \"path\": \"pensions lightning push/congress.icns/revenge.ged\", \"security_descriptor\": \"procedure amsterdam belarus\", \"size\": 123, \"type\": \"Block Device\", \"type_id\": 4}, \"message\": \"distances authorization packed\", \"metadata\": {\"extension\": {\"name\": \"editor nerve offset\", \"uid\": 
\"9e3d7ff8-5be7-11ee-8454-0242ac110005\", \"version\": \"1.0.0\"}, \"log_version\": \"flow tribunal aging\", \"original_time\": \"consistently sauce duke\", \"processed_time_dt\": \"2023-09-25T21:08:04.547033Z\", \"product\": {\"lang\": \"en\", \"name\": \"harm dash walter\", \"path\": \"contributors rest worried\", \"uid\": \"9e3d893a-5be7-11ee-9bf6-0242ac110005\", \"vendor_name\": \"acre shut suzuki\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"version\": \"1.0.0\"}, \"severity\": \"Critical\", \"severity_id\": 5, \"status\": \"annually\", \"status_id\": 99, \"time\": 1695676084572, \"timezone_offset\": 0, \"type_name\": \"Email File Activity: Send\", \"type_uid\": 401101}" + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_12.json b/OCSF/ocsf/tests/test_network_activity_12.json new file mode 100644 index 000000000..61d2d9a52 --- /dev/null +++ b/OCSF/ocsf/tests/test_network_activity_12.json 
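Review bot: The expected block pins `"type": ["info"]` and no `event.outcome` even though the input carries `"disposition": "Blocked"` / `"disposition_id": 2`, so a blocked email-file send becomes indistinguishable from an allowed one for any ECS-based rule. ECS already has `denied` in the `event.type` vocabulary, so the fixture should expect `"type": ["denied"]` (or at least a field derived from `disposition_id`) rather than `info`; the mapping itself lives in the parser, which is outside this hunk, so the gap is only visible here. The same fixture shows the `attacks` array (`TA0004`, `T1191`) being dropped instead of surfacing as `threat.tactic.id` / `threat.technique.id`, which is what correlation on MITRE identifiers keys on. If those mappings are deliberately deferred, a short note in the fixture's sibling CHANGELOG or README saying so would stop the next reviewer from re-raising it.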
@@ -0,0 +1,36 @@ +{ + "input": { + "message": "{\"count\": 43, \"message\": \"carb fujitsu spots\", \"status\": \"Success\", \"time\": 1695676101376, \"device\": {\"name\": \"experiments old guides\", \"type\": \"Virtual\", \"ip\": \"67.43.156.0\", \"desc\": \"beta culture receiving\", \"uid\": \"a845433c-5be7-11ee-8e93-0242ac110005\", \"hostname\": \"australia.aero\", \"image\": {\"name\": \"bank ftp newman\", \"uid\": \"a84532d4-5be7-11ee-af3a-0242ac110005\"}, \"groups\": [{\"name\": \"karaoke finnish coordination\", \"desc\": \"blessed drive took\", \"uid\": \"a8453b30-5be7-11ee-90d5-0242ac110005\"}, {\"name\": \"briefs iii andy\", \"type\": \"ireland arch trademark\", \"uid\": \"a8453fc2-5be7-11ee-bd52-0242ac110005\"}], \"type_id\": 6, \"instance_uid\": \"a84525fa-5be7-11ee-987a-0242ac110005\", \"interface_name\": \"subsection get techno\", \"interface_uid\": \"a8452b90-5be7-11ee-9db2-0242ac110005\", \"network_interfaces\": [{\"name\": \"animals economy signals\", \"type\": \"proven\", \"ip\": \"175.16.199.1\", \"hostname\": \"personalized.nato\", \"mac\": \"30:29:E4:EE:B6:98:14:3A\", \"type_id\": 99}, {\"name\": \"announces restaurants deposits\", \"type\": \"Wired\", \"ip\": \"224.61.168.94\", \"hostname\": \"mitchell.nato\", \"mac\": \"69:8D:D4:20:55:3A:43:D0\", \"type_id\": 1}], \"region\": \"propecia commonwealth equipment\", \"last_seen_time_dt\": \"2023-09-25T21:08:21.374251Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"erotica ladies hero\", \"version\": \"1.0.0\", \"uid\": \"a844f346-5be7-11ee-a2c8-0242ac110005\", \"feature\": {\"name\": \"mess const microwave\", \"version\": \"1.0.0\", \"uid\": \"a8450084-5be7-11ee-93f7-0242ac110005\"}, \"lang\": \"en\", \"url_string\": \"washer\", \"vendor_name\": \"feelings tide perry\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"cleaners villa historic\", \"log_provider\": \"immediately accused charlie\", \"logged_time\": 
1695676101375, \"original_time\": \"medline prospect ict\"}, \"severity\": \"electrical\", \"url\": {\"port\": 23624, \"scheme\": \"yoga thesaurus regardless\", \"path\": \"flows affiliation global\", \"hostname\": \"sage.mil\", \"query_string\": \"mattress betting covers\", \"category_ids\": [49, 54], \"url_string\": \"vocal\"}, \"duration\": 2, \"disposition\": \"Delayed\", \"type_name\": \"Email URL Activity: Receive\", \"activity_id\": 2, \"disposition_id\": 14, \"type_uid\": 401202, \"category_name\": \"Network Activity\", \"class_uid\": 4012, \"category_uid\": 4, \"class_name\": \"Email URL Activity\", \"timezone_offset\": 34, \"activity_name\": \"Receive\", \"cloud\": {\"account\": {\"name\": \"bubble prototype interstate\", \"type\": \"Azure AD Account\", \"uid\": \"a844c1f0-5be7-11ee-83dc-0242ac110005\", \"type_id\": 6}, \"provider\": \"indicated electro washer\", \"region\": \"crucial mysimon exit\"}, \"email_uid\": \"a8450be2-5be7-11ee-bf7c-0242ac110005\", \"severity_id\": 99, \"status_detail\": \"released oxygen reasonable\", \"status_id\": 1}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"count\": 43, \"message\": \"carb fujitsu spots\", \"status\": \"Success\", \"time\": 1695676101376, \"device\": {\"name\": \"experiments old guides\", \"type\": \"Virtual\", \"ip\": \"67.43.156.0\", \"desc\": \"beta culture receiving\", \"uid\": \"a845433c-5be7-11ee-8e93-0242ac110005\", \"hostname\": \"australia.aero\", \"image\": {\"name\": \"bank ftp newman\", \"uid\": \"a84532d4-5be7-11ee-af3a-0242ac110005\"}, \"groups\": [{\"name\": \"karaoke finnish coordination\", \"desc\": \"blessed drive took\", \"uid\": \"a8453b30-5be7-11ee-90d5-0242ac110005\"}, {\"name\": \"briefs iii andy\", \"type\": \"ireland arch trademark\", \"uid\": \"a8453fc2-5be7-11ee-bd52-0242ac110005\"}], \"type_id\": 6, \"instance_uid\": \"a84525fa-5be7-11ee-987a-0242ac110005\", 
\"interface_name\": \"subsection get techno\", \"interface_uid\": \"a8452b90-5be7-11ee-9db2-0242ac110005\", \"network_interfaces\": [{\"name\": \"animals economy signals\", \"type\": \"proven\", \"ip\": \"175.16.199.1\", \"hostname\": \"personalized.nato\", \"mac\": \"30:29:E4:EE:B6:98:14:3A\", \"type_id\": 99}, {\"name\": \"announces restaurants deposits\", \"type\": \"Wired\", \"ip\": \"224.61.168.94\", \"hostname\": \"mitchell.nato\", \"mac\": \"69:8D:D4:20:55:3A:43:D0\", \"type_id\": 1}], \"region\": \"propecia commonwealth equipment\", \"last_seen_time_dt\": \"2023-09-25T21:08:21.374251Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"erotica ladies hero\", \"version\": \"1.0.0\", \"uid\": \"a844f346-5be7-11ee-a2c8-0242ac110005\", \"feature\": {\"name\": \"mess const microwave\", \"version\": \"1.0.0\", \"uid\": \"a8450084-5be7-11ee-93f7-0242ac110005\"}, \"lang\": \"en\", \"url_string\": \"washer\", \"vendor_name\": \"feelings tide perry\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"cleaners villa historic\", \"log_provider\": \"immediately accused charlie\", \"logged_time\": 1695676101375, \"original_time\": \"medline prospect ict\"}, \"severity\": \"electrical\", \"url\": {\"port\": 23624, \"scheme\": \"yoga thesaurus regardless\", \"path\": \"flows affiliation global\", \"hostname\": \"sage.mil\", \"query_string\": \"mattress betting covers\", \"category_ids\": [49, 54], \"url_string\": \"vocal\"}, \"duration\": 2, \"disposition\": \"Delayed\", \"type_name\": \"Email URL Activity: Receive\", \"activity_id\": 2, \"disposition_id\": 14, \"type_uid\": 401202, \"category_name\": \"Network Activity\", \"class_uid\": 4012, \"category_uid\": 4, \"class_name\": \"Email URL Activity\", \"timezone_offset\": 34, \"activity_name\": \"Receive\", \"cloud\": {\"account\": {\"name\": \"bubble prototype interstate\", \"type\": \"Azure AD Account\", \"uid\": 
\"a844c1f0-5be7-11ee-83dc-0242ac110005\", \"type_id\": 6}, \"provider\": \"indicated electro washer\", \"region\": \"crucial mysimon exit\"}, \"email_uid\": \"a8450be2-5be7-11ee-bf7c-0242ac110005\", \"severity_id\": 99, \"status_detail\": \"released oxygen reasonable\", \"status_id\": 1}", + "event": { + "action": "receive", + "category": [ + "email" + ], + "duration": 2000000, + "outcome": "success", + "provider": "immediately accused charlie", + "severity": 99, + "type": [ + "info" + ] + }, + "cloud": { + "account": { + "id": "a844c1f0-5be7-11ee-83dc-0242ac110005", + "name": "bubble prototype interstate" + }, + "provider": "indicated electro washer", + "region": "crucial mysimon exit" + }, + "ocsf": "{\"activity_id\": 2, \"activity_name\": \"Receive\", \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Email URL Activity\", \"class_uid\": 4012, \"cloud\": {\"account\": {\"name\": \"bubble prototype interstate\", \"type\": \"Azure AD Account\", \"type_id\": 6, \"uid\": \"a844c1f0-5be7-11ee-83dc-0242ac110005\"}, \"provider\": \"indicated electro washer\", \"region\": \"crucial mysimon exit\"}, \"count\": 43, \"device\": {\"desc\": \"beta culture receiving\", \"groups\": [{\"desc\": \"blessed drive took\", \"name\": \"karaoke finnish coordination\", \"uid\": \"a8453b30-5be7-11ee-90d5-0242ac110005\"}, {\"name\": \"briefs iii andy\", \"type\": \"ireland arch trademark\", \"uid\": \"a8453fc2-5be7-11ee-bd52-0242ac110005\"}], \"hostname\": \"australia.aero\", \"image\": {\"name\": \"bank ftp newman\", \"uid\": \"a84532d4-5be7-11ee-af3a-0242ac110005\"}, \"instance_uid\": \"a84525fa-5be7-11ee-987a-0242ac110005\", \"interface_name\": \"subsection get techno\", \"interface_uid\": \"a8452b90-5be7-11ee-9db2-0242ac110005\", \"ip\": \"67.43.156.0\", \"last_seen_time_dt\": \"2023-09-25T21:08:21.374251Z\", \"name\": \"experiments old guides\", \"network_interfaces\": [{\"hostname\": \"personalized.nato\", \"ip\": \"175.16.199.1\", \"mac\": 
\"30:29:E4:EE:B6:98:14:3A\", \"name\": \"animals economy signals\", \"type\": \"proven\", \"type_id\": 99}, {\"hostname\": \"mitchell.nato\", \"ip\": \"224.61.168.94\", \"mac\": \"69:8D:D4:20:55:3A:43:D0\", \"name\": \"announces restaurants deposits\", \"type\": \"Wired\", \"type_id\": 1}], \"region\": \"propecia commonwealth equipment\", \"type\": \"Virtual\", \"type_id\": 6, \"uid\": \"a845433c-5be7-11ee-8e93-0242ac110005\"}, \"disposition\": \"Delayed\", \"disposition_id\": 14, \"duration\": 2, \"email_uid\": \"a8450be2-5be7-11ee-bf7c-0242ac110005\", \"message\": \"carb fujitsu spots\", \"metadata\": {\"log_name\": \"cleaners villa historic\", \"log_provider\": \"immediately accused charlie\", \"logged_time\": 1695676101375, \"original_time\": \"medline prospect ict\", \"product\": {\"feature\": {\"name\": \"mess const microwave\", \"uid\": \"a8450084-5be7-11ee-93f7-0242ac110005\", \"version\": \"1.0.0\"}, \"lang\": \"en\", \"name\": \"erotica ladies hero\", \"uid\": \"a844f346-5be7-11ee-a2c8-0242ac110005\", \"url_string\": \"washer\", \"vendor_name\": \"feelings tide perry\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"version\": \"1.0.0\"}, \"severity\": \"electrical\", \"severity_id\": 99, \"status\": \"Success\", \"status_detail\": \"released oxygen reasonable\", \"status_id\": 1, \"time\": 1695676101376, \"timezone_offset\": 34, \"type_name\": \"Email URL Activity: Receive\", \"type_uid\": 401202, \"url\": {\"category_ids\": [49, 54], \"hostname\": \"sage.mil\", \"path\": \"flows affiliation global\", \"port\": 23624, \"query_string\": \"mattress betting covers\", \"scheme\": \"yoga thesaurus regardless\", \"url_string\": \"vocal\"}}" + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_2.json b/OCSF/ocsf/tests/test_network_activity_2.json new file mode 100644 index 000000000..2aac09c59 --- /dev/null +++ b/OCSF/ocsf/tests/test_network_activity_2.json 
@@ -0,0 +1,55 @@ +{ + "input": { + "message": "{\"http_response\": {\"code\": 83}, \"http_request\": {\"version\": \"1.0.0\", \"uid\": \"29eee308-5be7-11ee-baad-0242ac110005\", \"url\": {\"port\": 17689, \"scheme\": \"gary bibliography font\", \"path\": \"proposed opposed vegas\", \"hostname\": \"collected.org\", \"query_string\": \"additions linux furthermore\", \"categories\": [\"ratios amount prevent\", \"rpg beauty base\"], \"category_ids\": [109], \"resource_type\": \"tours entering camping\", \"subdomain\": \"katrina je pieces\", \"url_string\": \"illinois\"}, \"user_agent\": \"cheese heading anyway\", \"http_headers\": [{\"name\": \"using closed scientists\", \"value\": \"y montana command\"}, {\"name\": \"mileage wheels temple\", \"value\": \"where relate sheet\"}], \"http_method\": \"POST\", \"x_forwarded_for\": [\"175.16.199.1\"]}, \"message\": \"lt trusted genes\", \"status\": \"Success\", \"time\": 1695675889417, \"device\": {\"name\": \"calcium saudi allows\", \"type\": \"Virtual\", \"domain\": \"barbara advantages levitra\", \"ip\": \"175.16.199.1\", \"location\": {\"desc\": \"Lesotho, Kingdom of\", \"city\": \"Suspension associations\", \"country\": \"LS\", \"coordinates\": [-67.6681, -46.1461], \"continent\": \"Africa\"}, \"uid\": \"29eed912-5be7-11ee-a07b-0242ac110005\", \"hostname\": \"scanners.nato\", \"image\": {\"name\": \"cover hearts magazine\", \"path\": \"ts recording cooling\", \"uid\": \"29eece90-5be7-11ee-8106-0242ac110005\", \"labels\": [\"meaningful\"]}, \"type_id\": 6, \"hw_info\": {\"bios_ver\": \"1.4.4\", \"chassis\": \"pubs remarks desktops\"}, \"instance_uid\": \"29eeb9b4-5be7-11ee-9f8e-0242ac110005\", \"interface_name\": \"hall td flash\", \"interface_uid\": \"29eebe78-5be7-11ee-bef3-0242ac110005\", \"is_compliant\": true, \"is_personal\": false, \"region\": \"coverage financing sympathy\", \"risk_level\": \"improving jvc directors\", \"risk_score\": 9, \"subnet_uid\": \"29eea79e-5be7-11ee-9005-0242ac110005\", 
\"created_time_dt\": \"2023-09-25T21:04:49.414353Z\", \"last_seen_time_dt\": \"2023-09-25T21:04:49.414926Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"helena crystal initiative\", \"version\": \"1.0.0\", \"uid\": \"29ee731e-5be7-11ee-9b80-0242ac110005\", \"lang\": \"en\", \"url_string\": \"bedding\", \"vendor_name\": \"infectious instrumentation malaysia\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"directors clinton zone\", \"log_provider\": \"myrtle watts management\", \"logged_time\": 1695675889413, \"original_time\": \"mix carrying provides\", \"processed_time\": 1695675889453}, \"proxy\": {\"name\": \"exec cholesterol fossil\", \"port\": 24281, \"ip\": \"67.43.156.0\", \"uid\": \"29ef1436-5be7-11ee-aebf-0242ac110005\", \"hostname\": \"excel.info\", \"instance_uid\": \"29ef1a80-5be7-11ee-b25a-0242ac110005\", \"interface_name\": \"ipaq brazil justify\", \"interface_uid\": \"29ef1e7c-5be7-11ee-9f23-0242ac110005\", \"svc_name\": \"boys participant drove\"}, \"connection_info\": {\"direction\": \"andreas\", \"direction_id\": 99, \"protocol_num\": 67, \"protocol_ver\": \"1.4\"}, \"severity\": \"uw\", \"duration\": 80, \"disposition\": \"Quarantined\", \"type_name\": \"HTTP Activity: Connect\", \"activity_id\": 1, \"disposition_id\": 3, \"type_uid\": 400201, \"category_name\": \"Network Activity\", \"class_uid\": 4002, \"category_uid\": 4, \"class_name\": \"HTTP Activity\", \"timezone_offset\": 78, \"activity_name\": \"Connect\", \"cloud\": {\"provider\": \"reflect alarm my\", \"region\": \"chrome during bs\"}, \"dst_endpoint\": {\"name\": \"accounts an verzeichnis\", \"port\": 15440, \"uid\": \"29ee8048-5be7-11ee-b29d-0242ac110005\", \"instance_uid\": \"29ee849e-5be7-11ee-af0f-0242ac110005\", \"interface_name\": \"probability pins and\", \"interface_uid\": \"29ee88b8-5be7-11ee-ae4f-0242ac110005\", \"svc_name\": \"sim lucas entries\"}, \"end_time\": 1695675889419, \"http_status\": 
51, \"malware\": [{\"name\": \"exception scholarship accessed\", \"path\": \"victim reductions pursue\", \"classification_ids\": [9, 11], \"provider\": \"computed oxygen viewer\"}], \"severity_id\": 99, \"src_endpoint\": {\"name\": \"exercise identified exciting\", \"port\": 14669, \"ip\": \"67.43.156.0\", \"uid\": \"29eef9ba-5be7-11ee-8245-0242ac110005\", \"hostname\": \"side.pro\", \"instance_uid\": \"29eeff46-5be7-11ee-9978-0242ac110005\", \"interface_name\": \"jc mistress announced\", \"subnet_uid\": \"29ef0446-5be7-11ee-9887-0242ac110005\", \"svc_name\": \"street truly arise\", \"vlan_uid\": \"29ef0900-5be7-11ee-937e-0242ac110005\"}, \"status_id\": 1, \"end_time_dt\": \"2023-09-25T21:04:49.412301Z\"}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"http_response\": {\"code\": 83}, \"http_request\": {\"version\": \"1.0.0\", \"uid\": \"29eee308-5be7-11ee-baad-0242ac110005\", \"url\": {\"port\": 17689, \"scheme\": \"gary bibliography font\", \"path\": \"proposed opposed vegas\", \"hostname\": \"collected.org\", \"query_string\": \"additions linux furthermore\", \"categories\": [\"ratios amount prevent\", \"rpg beauty base\"], \"category_ids\": [109], \"resource_type\": \"tours entering camping\", \"subdomain\": \"katrina je pieces\", \"url_string\": \"illinois\"}, \"user_agent\": \"cheese heading anyway\", \"http_headers\": [{\"name\": \"using closed scientists\", \"value\": \"y montana command\"}, {\"name\": \"mileage wheels temple\", \"value\": \"where relate sheet\"}], \"http_method\": \"POST\", \"x_forwarded_for\": [\"175.16.199.1\"]}, \"message\": \"lt trusted genes\", \"status\": \"Success\", \"time\": 1695675889417, \"device\": {\"name\": \"calcium saudi allows\", \"type\": \"Virtual\", \"domain\": \"barbara advantages levitra\", \"ip\": \"175.16.199.1\", \"location\": {\"desc\": \"Lesotho, Kingdom of\", \"city\": \"Suspension associations\", 
\"country\": \"LS\", \"coordinates\": [-67.6681, -46.1461], \"continent\": \"Africa\"}, \"uid\": \"29eed912-5be7-11ee-a07b-0242ac110005\", \"hostname\": \"scanners.nato\", \"image\": {\"name\": \"cover hearts magazine\", \"path\": \"ts recording cooling\", \"uid\": \"29eece90-5be7-11ee-8106-0242ac110005\", \"labels\": [\"meaningful\"]}, \"type_id\": 6, \"hw_info\": {\"bios_ver\": \"1.4.4\", \"chassis\": \"pubs remarks desktops\"}, \"instance_uid\": \"29eeb9b4-5be7-11ee-9f8e-0242ac110005\", \"interface_name\": \"hall td flash\", \"interface_uid\": \"29eebe78-5be7-11ee-bef3-0242ac110005\", \"is_compliant\": true, \"is_personal\": false, \"region\": \"coverage financing sympathy\", \"risk_level\": \"improving jvc directors\", \"risk_score\": 9, \"subnet_uid\": \"29eea79e-5be7-11ee-9005-0242ac110005\", \"created_time_dt\": \"2023-09-25T21:04:49.414353Z\", \"last_seen_time_dt\": \"2023-09-25T21:04:49.414926Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"helena crystal initiative\", \"version\": \"1.0.0\", \"uid\": \"29ee731e-5be7-11ee-9b80-0242ac110005\", \"lang\": \"en\", \"url_string\": \"bedding\", \"vendor_name\": \"infectious instrumentation malaysia\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"directors clinton zone\", \"log_provider\": \"myrtle watts management\", \"logged_time\": 1695675889413, \"original_time\": \"mix carrying provides\", \"processed_time\": 1695675889453}, \"proxy\": {\"name\": \"exec cholesterol fossil\", \"port\": 24281, \"ip\": \"67.43.156.0\", \"uid\": \"29ef1436-5be7-11ee-aebf-0242ac110005\", \"hostname\": \"excel.info\", \"instance_uid\": \"29ef1a80-5be7-11ee-b25a-0242ac110005\", \"interface_name\": \"ipaq brazil justify\", \"interface_uid\": \"29ef1e7c-5be7-11ee-9f23-0242ac110005\", \"svc_name\": \"boys participant drove\"}, \"connection_info\": {\"direction\": \"andreas\", \"direction_id\": 99, \"protocol_num\": 67, \"protocol_ver\": \"1.4\"}, 
\"severity\": \"uw\", \"duration\": 80, \"disposition\": \"Quarantined\", \"type_name\": \"HTTP Activity: Connect\", \"activity_id\": 1, \"disposition_id\": 3, \"type_uid\": 400201, \"category_name\": \"Network Activity\", \"class_uid\": 4002, \"category_uid\": 4, \"class_name\": \"HTTP Activity\", \"timezone_offset\": 78, \"activity_name\": \"Connect\", \"cloud\": {\"provider\": \"reflect alarm my\", \"region\": \"chrome during bs\"}, \"dst_endpoint\": {\"name\": \"accounts an verzeichnis\", \"port\": 15440, \"uid\": \"29ee8048-5be7-11ee-b29d-0242ac110005\", \"instance_uid\": \"29ee849e-5be7-11ee-af0f-0242ac110005\", \"interface_name\": \"probability pins and\", \"interface_uid\": \"29ee88b8-5be7-11ee-ae4f-0242ac110005\", \"svc_name\": \"sim lucas entries\"}, \"end_time\": 1695675889419, \"http_status\": 51, \"malware\": [{\"name\": \"exception scholarship accessed\", \"path\": \"victim reductions pursue\", \"classification_ids\": [9, 11], \"provider\": \"computed oxygen viewer\"}], \"severity_id\": 99, \"src_endpoint\": {\"name\": \"exercise identified exciting\", \"port\": 14669, \"ip\": \"67.43.156.0\", \"uid\": \"29eef9ba-5be7-11ee-8245-0242ac110005\", \"hostname\": \"side.pro\", \"instance_uid\": \"29eeff46-5be7-11ee-9978-0242ac110005\", \"interface_name\": \"jc mistress announced\", \"subnet_uid\": \"29ef0446-5be7-11ee-9887-0242ac110005\", \"svc_name\": \"street truly arise\", \"vlan_uid\": \"29ef0900-5be7-11ee-937e-0242ac110005\"}, \"status_id\": 1, \"end_time_dt\": \"2023-09-25T21:04:49.412301Z\"}", + "event": { + "action": "connect", + "category": [ + "api" + ], + "duration": 80000000, + "end": "2023-09-25T21:04:49.419000Z", + "outcome": "success", + "provider": "myrtle watts management", + "severity": 99, + "type": [ + "info" + ] + }, + "cloud": { + "provider": "reflect alarm my", + "region": "chrome during bs" + }, + "destination": { + "port": 15440 + }, + "network": { + "application": "sim lucas entries" + }, + "ocsf": "{\"activity_id\": 1, 
\"activity_name\": \"Connect\", \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"HTTP Activity\", \"class_uid\": 4002, \"cloud\": {\"provider\": \"reflect alarm my\", \"region\": \"chrome during bs\"}, \"connection_info\": {\"direction\": \"andreas\", \"direction_id\": 99, \"protocol_num\": 67, \"protocol_ver\": \"1.4\"}, \"device\": {\"created_time_dt\": \"2023-09-25T21:04:49.414353Z\", \"domain\": \"barbara advantages levitra\", \"hostname\": \"scanners.nato\", \"hw_info\": {\"bios_ver\": \"1.4.4\", \"chassis\": \"pubs remarks desktops\"}, \"image\": {\"labels\": [\"meaningful\"], \"name\": \"cover hearts magazine\", \"path\": \"ts recording cooling\", \"uid\": \"29eece90-5be7-11ee-8106-0242ac110005\"}, \"instance_uid\": \"29eeb9b4-5be7-11ee-9f8e-0242ac110005\", \"interface_name\": \"hall td flash\", \"interface_uid\": \"29eebe78-5be7-11ee-bef3-0242ac110005\", \"ip\": \"175.16.199.1\", \"is_compliant\": true, \"is_personal\": false, \"last_seen_time_dt\": \"2023-09-25T21:04:49.414926Z\", \"location\": {\"city\": \"Suspension associations\", \"continent\": \"Africa\", \"coordinates\": [-67.6681, -46.1461], \"country\": \"LS\", \"desc\": \"Lesotho, Kingdom of\"}, \"name\": \"calcium saudi allows\", \"region\": \"coverage financing sympathy\", \"risk_level\": \"improving jvc directors\", \"risk_score\": 9, \"subnet_uid\": \"29eea79e-5be7-11ee-9005-0242ac110005\", \"type\": \"Virtual\", \"type_id\": 6, \"uid\": \"29eed912-5be7-11ee-a07b-0242ac110005\"}, \"disposition\": \"Quarantined\", \"disposition_id\": 3, \"dst_endpoint\": {\"instance_uid\": \"29ee849e-5be7-11ee-af0f-0242ac110005\", \"interface_name\": \"probability pins and\", \"interface_uid\": \"29ee88b8-5be7-11ee-ae4f-0242ac110005\", \"name\": \"accounts an verzeichnis\", \"port\": 15440, \"svc_name\": \"sim lucas entries\", \"uid\": \"29ee8048-5be7-11ee-b29d-0242ac110005\"}, \"duration\": 80, \"end_time\": 1695675889419, \"end_time_dt\": \"2023-09-25T21:04:49.412301Z\", 
\"http_request\": {\"http_headers\": [{\"name\": \"using closed scientists\", \"value\": \"y montana command\"}, {\"name\": \"mileage wheels temple\", \"value\": \"where relate sheet\"}], \"http_method\": \"POST\", \"uid\": \"29eee308-5be7-11ee-baad-0242ac110005\", \"url\": {\"categories\": [\"ratios amount prevent\", \"rpg beauty base\"], \"category_ids\": [109], \"hostname\": \"collected.org\", \"path\": \"proposed opposed vegas\", \"port\": 17689, \"query_string\": \"additions linux furthermore\", \"resource_type\": \"tours entering camping\", \"scheme\": \"gary bibliography font\", \"subdomain\": \"katrina je pieces\", \"url_string\": \"illinois\"}, \"user_agent\": \"cheese heading anyway\", \"version\": \"1.0.0\", \"x_forwarded_for\": [\"175.16.199.1\"]}, \"http_response\": {\"code\": 83}, \"http_status\": 51, \"malware\": [{\"classification_ids\": [9, 11], \"name\": \"exception scholarship accessed\", \"path\": \"victim reductions pursue\", \"provider\": \"computed oxygen viewer\"}], \"message\": \"lt trusted genes\", \"metadata\": {\"log_name\": \"directors clinton zone\", \"log_provider\": \"myrtle watts management\", \"logged_time\": 1695675889413, \"original_time\": \"mix carrying provides\", \"processed_time\": 1695675889453, \"product\": {\"lang\": \"en\", \"name\": \"helena crystal initiative\", \"uid\": \"29ee731e-5be7-11ee-9b80-0242ac110005\", \"url_string\": \"bedding\", \"vendor_name\": \"infectious instrumentation malaysia\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"version\": \"1.0.0\"}, \"proxy\": {\"hostname\": \"excel.info\", \"instance_uid\": \"29ef1a80-5be7-11ee-b25a-0242ac110005\", \"interface_name\": \"ipaq brazil justify\", \"interface_uid\": \"29ef1e7c-5be7-11ee-9f23-0242ac110005\", \"ip\": \"67.43.156.0\", \"name\": \"exec cholesterol fossil\", \"port\": 24281, \"svc_name\": \"boys participant drove\", \"uid\": \"29ef1436-5be7-11ee-aebf-0242ac110005\"}, 
\"severity\": \"uw\", \"severity_id\": 99, \"src_endpoint\": {\"hostname\": \"side.pro\", \"instance_uid\": \"29eeff46-5be7-11ee-9978-0242ac110005\", \"interface_name\": \"jc mistress announced\", \"ip\": \"67.43.156.0\", \"name\": \"exercise identified exciting\", \"port\": 14669, \"subnet_uid\": \"29ef0446-5be7-11ee-9887-0242ac110005\", \"svc_name\": \"street truly arise\", \"uid\": \"29eef9ba-5be7-11ee-8245-0242ac110005\", \"vlan_uid\": \"29ef0900-5be7-11ee-937e-0242ac110005\"}, \"status\": \"Success\", \"status_id\": 1, \"time\": 1695675889417, \"timezone_offset\": 78, \"type_name\": \"HTTP Activity: Connect\", \"type_uid\": 400201}", + "related": { + "hosts": [ + "side.pro" + ], + "ip": [ + "67.43.156.0" + ] + }, + "source": { + "address": "side.pro", + "domain": "side.pro", + "ip": "67.43.156.0", + "port": 14669, + "registered_domain": "side.pro", + "top_level_domain": "pro" + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_3.json b/OCSF/ocsf/tests/test_network_activity_3.json new file mode 100644 index 000000000..5441b8fa2 --- /dev/null +++ b/OCSF/ocsf/tests/test_network_activity_3.json 
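Review bot: The expected block for this HTTP Activity fixture (class_uid 4002) pins no HTTP or URL fields even though the input carries `\"http_method\": \"POST\"`, `\"user_agent\": \"cheese heading anyway\"`, `\"url\": {... \"hostname\": \"collected.org\" ...}`, `\"http_response\": {\"code\": 83}` and `\"x_forwarded_for\": [\"175.16.199.1\"]`; the only network mappings asserted are `source.*`, `destination.port` and `network.application`. As written the test keeps passing if the parser silently drops the request method, user agent and URL, which are exactly the attributes proxy/WAF detection rules key on. parser.yml is not visible in this chunk, so if those mappings are intended, pin them here, e.g. `"http": {"request": {"method": "POST"}}`, `"url": {"domain": "collected.org", "path": "proposed opposed vegas"}`, `"user_agent": {"original": "cheese heading anyway"}`; if they are deliberately left unmapped, say so in the intake README so the gap is a documented choice rather than an accident. Note also that `related.ip` lists only `67.43.156.0`, so neither the X-Forwarded-For client address nor `device.ip` (`175.16.199.1`) is searchable through `related.ip`.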
@@ -0,0 +1,42 @@ +{ + "input": { + "message": "{\"metadata\": {\"product\": {\"version\": \"1.100000\", \"name\": \"Route 53\", \"feature\": {\"name\": \"Resolver Query Logs\"}, \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"security_control\"], \"version\": \"1.0.0-rc.2\"}, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"region\": \"us-east-1\", \"provider\": \"AWS\"}, \"src_endpoint\": {\"vpc_uid\": \"vpc-00000000000000000\", \"ip\": \"10.200.21.100\", \"port\": 15083}, \"time\": 1665694957896, \"query\": {\"hostname\": \"ip-127-0-0-62.alert.firewall.canary.\", \"type\": \"A\", \"class\": \"IN\"}, \"answers\": [{\"type\": \"A\", \"rdata\": \"127.0.0.62\", \"class\": \"IN\"}], \"connection_info\": {\"protocol_name\": \"UDP\", \"direction\": \"Unknown\", \"direction_id\": 0}, \"dst_endpoint\": {\"instance_uid\": \"rslvr-in-0000000000000000\", \"interface_uid\": \"rni-0000000000000000\"}, \"severity_id\": 1, \"severity\": \"Informational\", \"class_name\": \"DNS Activity\", \"class_uid\": 4003, \"category_name\": \"Network Activity\", \"category_uid\": 4, \"disposition\": \"No Action\", \"disposition_id\": 16, \"rcode_id\": 0, \"rcode\": \"NoError\", \"activity_id\": 2, \"activity_name\": \"Response\", \"type_name\": \"DNS Activity: Response\", \"type_uid\": 400302, \"unmapped\": {\"firewall_rule_group_id\": \"rslvr-frg-000000000000000\", \"firewall_domain_list_id\": \"rslvr-fdl-0000000000000\"}}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"metadata\": {\"product\": {\"version\": \"1.100000\", \"name\": \"Route 53\", \"feature\": {\"name\": \"Resolver Query Logs\"}, \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"security_control\"], \"version\": \"1.0.0-rc.2\"}, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"region\": \"us-east-1\", \"provider\": \"AWS\"}, \"src_endpoint\": {\"vpc_uid\": \"vpc-00000000000000000\", \"ip\": 
\"10.200.21.100\", \"port\": 15083}, \"time\": 1665694957896, \"query\": {\"hostname\": \"ip-127-0-0-62.alert.firewall.canary.\", \"type\": \"A\", \"class\": \"IN\"}, \"answers\": [{\"type\": \"A\", \"rdata\": \"127.0.0.62\", \"class\": \"IN\"}], \"connection_info\": {\"protocol_name\": \"UDP\", \"direction\": \"Unknown\", \"direction_id\": 0}, \"dst_endpoint\": {\"instance_uid\": \"rslvr-in-0000000000000000\", \"interface_uid\": \"rni-0000000000000000\"}, \"severity_id\": 1, \"severity\": \"Informational\", \"class_name\": \"DNS Activity\", \"class_uid\": 4003, \"category_name\": \"Network Activity\", \"category_uid\": 4, \"disposition\": \"No Action\", \"disposition_id\": 16, \"rcode_id\": 0, \"rcode\": \"NoError\", \"activity_id\": 2, \"activity_name\": \"Response\", \"type_name\": \"DNS Activity: Response\", \"type_uid\": 400302, \"unmapped\": {\"firewall_rule_group_id\": \"rslvr-frg-000000000000000\", \"firewall_domain_list_id\": \"rslvr-fdl-0000000000000\"}}", + "event": { + "action": "response", + "category": [ + "network" + ], + "severity": 1, + "type": [ + "protocol" + ] + }, + "cloud": { + "account": { + "id": "123456789012" + }, + "provider": "AWS", + "region": "us-east-1" + }, + "ocsf": "{\"activity_id\": 2, \"activity_name\": \"Response\", \"answers\": [{\"class\": \"IN\", \"rdata\": \"127.0.0.62\", \"type\": \"A\"}], \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"DNS Activity\", \"class_uid\": 4003, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"connection_info\": {\"direction\": \"Unknown\", \"direction_id\": 0, \"protocol_name\": \"UDP\"}, \"disposition\": \"No Action\", \"disposition_id\": 16, \"dst_endpoint\": {\"instance_uid\": \"rslvr-in-0000000000000000\", \"interface_uid\": \"rni-0000000000000000\"}, \"metadata\": {\"product\": {\"feature\": {\"name\": \"Resolver Query Logs\"}, \"name\": \"Route 53\", \"vendor_name\": \"AWS\", \"version\": 
\"1.100000\"}, \"profiles\": [\"cloud\", \"security_control\"], \"version\": \"1.0.0-rc.2\"}, \"query\": {\"class\": \"IN\", \"hostname\": \"ip-127-0-0-62.alert.firewall.canary.\", \"type\": \"A\"}, \"rcode\": \"NoError\", \"rcode_id\": 0, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"10.200.21.100\", \"port\": 15083, \"vpc_uid\": \"vpc-00000000000000000\"}, \"time\": 1665694957896, \"type_name\": \"DNS Activity: Response\", \"type_uid\": 400302, \"unmapped\": {\"firewall_domain_list_id\": \"rslvr-fdl-0000000000000\", \"firewall_rule_group_id\": \"rslvr-frg-000000000000000\"}}", + "related": { + "ip": [ + "10.200.21.100" + ] + }, + "source": { + "address": "10.200.21.100", + "ip": "10.200.21.100", + "port": 15083 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_4.json b/OCSF/ocsf/tests/test_network_activity_4.json new file mode 100644 index 000000000..cceb747f3 --- /dev/null +++ b/OCSF/ocsf/tests/test_network_activity_4.json 
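Review bot: The expected block for this DNS Activity fixture (class_uid 4003) asserts no `dns.*` fields, although the input carries `\"query\": {\"hostname\": \"ip-127-0-0-62.alert.firewall.canary.\", \"type\": \"A\"}`, `\"answers\": [{\"rdata\": \"127.0.0.62\" ...}]` and `\"rcode\": \"NoError\"`; the only mapped values are `event.*`, `cloud.*` and `source.ip`/`source.port`. The queried name and the answer are what DNS detections (DGA, tunnelling, sinkhole/canary hits) match on, and with this expectation the test still passes if the parser drops them. If the mapping exists in parser.yml (not visible in this chunk), pin it here, e.g. `"dns": {"question": {"name": "ip-127-0-0-62.alert.firewall.canary", "type": "A"}, "response_code": "NoError"}` (ECS convention strips the trailing dot; confirm against the parser), and add the queried name to `related.hosts` and `127.0.0.62` to `related.ip`. The Route 53 Resolver DNS Firewall identifiers (`firewall_rule_group_id`, `firewall_domain_list_id`) also sit only under `unmapped`, so a rule-group hit is not exposed in any ECS field.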
@@ -0,0 +1,73 @@ +{ + "input": { + "message": "{\"count\": 2, \"status\": \"Failure\", \"time\": 1695675919042, \"device\": {\"name\": \"worry scout director\", \"type\": \"Laptop\", \"domain\": \"ordinance died reducing\", \"ip\": \"67.43.156.0\", \"location\": {\"desc\": \"Iran, Islamic Republic of\", \"city\": \"Arabic ana\", \"country\": \"IR\", \"coordinates\": [-170.1816, -41.4084], \"continent\": \"Asia\"}, \"uid\": \"3b9854e0-5be7-11ee-b25b-0242ac110005\", \"hostname\": \"labs.org\", \"groups\": [{\"name\": \"crisis burlington stood\", \"type\": \"regional yourself ho\", \"uid\": \"3b984cde-5be7-11ee-a8b4-0242ac110005\"}, {\"name\": \"funds lawyers conferencing\", \"uid\": \"3b985120-5be7-11ee-b8c3-0242ac110005\"}], \"type_id\": 3, \"instance_uid\": \"3b98409a-5be7-11ee-87fa-0242ac110005\", \"interface_name\": \"bestsellers qualifying blog\", \"interface_uid\": \"3b984586-5be7-11ee-b105-0242ac110005\", \"is_managed\": false, \"modified_time\": 1695675919042, \"network_interfaces\": [{\"name\": \"leading ste lingerie\", \"type\": \"Wired\", \"ip\": \"175.16.199.1\", \"hostname\": \"signed.name\", \"mac\": \"F7:10:E8:11:73:9A:1F:AD\", \"type_id\": 1}], \"region\": \"accused continuous fibre\", \"uid_alt\": \"matter resolutions likely\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"version\": \"1.0.0\", \"path\": \"trademarks clean client\", \"uid\": \"3b98010c-5be7-11ee-b3a3-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"parents transit advisor\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"event_code\": \"population\", \"log_name\": \"rod nine dont\", \"log_provider\": \"remembered substantial possible\", \"modified_time\": 1695675919045, \"original_time\": \"processes payroll cheque\", \"modified_time_dt\": \"2023-09-25T21:05:19.045538Z\", \"processed_time_dt\": \"2023-09-25T21:05:19.045551Z\"}, \"severity\": \"undefined\", \"type_name\": \"DHCP Activity: Nak\", \"activity_id\": 6, 
\"type_uid\": 400406, \"category_name\": \"Network Activity\", \"class_uid\": 4004, \"category_uid\": 4, \"class_name\": \"DHCP Activity\", \"timezone_offset\": 7, \"activity_name\": \"Nak\", \"cloud\": {\"provider\": \"finest subdivision assists\", \"region\": \"drill bedford post\"}, \"dst_endpoint\": {\"name\": \"pickup offshore readers\", \"port\": 21794, \"ip\": \"67.43.156.0\", \"location\": {\"desc\": \"Saint Lucia\", \"city\": \"Suggests contamination\", \"country\": \"LC\", \"coordinates\": [54.5116, -89.695], \"continent\": \"North America\"}, \"uid\": \"3b9810ca-5be7-11ee-8a5e-0242ac110005\", \"hostname\": \"cloud.int\", \"instance_uid\": \"3b9815de-5be7-11ee-8748-0242ac110005\", \"interface_name\": \"rentals generic singles\", \"interface_uid\": \"3b981cd2-5be7-11ee-9f36-0242ac110005\", \"subnet_uid\": \"3b9820e2-5be7-11ee-af45-0242ac110005\", \"svc_name\": \"where image territories\"}, \"is_renewal\": false, \"severity_id\": 99, \"src_endpoint\": {\"name\": \"proceeding industries archive\", \"port\": 35266, \"ip\": \"67.43.156.0\", \"uid\": \"3b986b2e-5be7-11ee-9b3c-0242ac110005\", \"hostname\": \"scores.net\", \"instance_uid\": \"3b987272-5be7-11ee-a84f-0242ac110005\", \"interface_name\": \"habits quantitative second\", \"interface_uid\": \"3b987966-5be7-11ee-ae16-0242ac110005\", \"intermediate_ips\": [\"175.16.199.1\", \"89.160.20.112\"], \"svc_name\": \"marking misc alarm\", \"vpc_uid\": \"3b988096-5be7-11ee-bdee-0242ac110005\"}, \"status_detail\": \"relates cornwall cope\", \"status_id\": 2, \"transaction_uid\": \"3b989194-5be7-11ee-b97e-0242ac110005\"}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"count\": 2, \"status\": \"Failure\", \"time\": 1695675919042, \"device\": {\"name\": \"worry scout director\", \"type\": \"Laptop\", \"domain\": \"ordinance died reducing\", \"ip\": \"67.43.156.0\", \"location\": {\"desc\": \"Iran, Islamic 
Republic of\", \"city\": \"Arabic ana\", \"country\": \"IR\", \"coordinates\": [-170.1816, -41.4084], \"continent\": \"Asia\"}, \"uid\": \"3b9854e0-5be7-11ee-b25b-0242ac110005\", \"hostname\": \"labs.org\", \"groups\": [{\"name\": \"crisis burlington stood\", \"type\": \"regional yourself ho\", \"uid\": \"3b984cde-5be7-11ee-a8b4-0242ac110005\"}, {\"name\": \"funds lawyers conferencing\", \"uid\": \"3b985120-5be7-11ee-b8c3-0242ac110005\"}], \"type_id\": 3, \"instance_uid\": \"3b98409a-5be7-11ee-87fa-0242ac110005\", \"interface_name\": \"bestsellers qualifying blog\", \"interface_uid\": \"3b984586-5be7-11ee-b105-0242ac110005\", \"is_managed\": false, \"modified_time\": 1695675919042, \"network_interfaces\": [{\"name\": \"leading ste lingerie\", \"type\": \"Wired\", \"ip\": \"175.16.199.1\", \"hostname\": \"signed.name\", \"mac\": \"F7:10:E8:11:73:9A:1F:AD\", \"type_id\": 1}], \"region\": \"accused continuous fibre\", \"uid_alt\": \"matter resolutions likely\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"version\": \"1.0.0\", \"path\": \"trademarks clean client\", \"uid\": \"3b98010c-5be7-11ee-b3a3-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"parents transit advisor\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"event_code\": \"population\", \"log_name\": \"rod nine dont\", \"log_provider\": \"remembered substantial possible\", \"modified_time\": 1695675919045, \"original_time\": \"processes payroll cheque\", \"modified_time_dt\": \"2023-09-25T21:05:19.045538Z\", \"processed_time_dt\": \"2023-09-25T21:05:19.045551Z\"}, \"severity\": \"undefined\", \"type_name\": \"DHCP Activity: Nak\", \"activity_id\": 6, \"type_uid\": 400406, \"category_name\": \"Network Activity\", \"class_uid\": 4004, \"category_uid\": 4, \"class_name\": \"DHCP Activity\", \"timezone_offset\": 7, \"activity_name\": \"Nak\", \"cloud\": {\"provider\": \"finest subdivision assists\", \"region\": \"drill bedford post\"}, 
\"dst_endpoint\": {\"name\": \"pickup offshore readers\", \"port\": 21794, \"ip\": \"67.43.156.0\", \"location\": {\"desc\": \"Saint Lucia\", \"city\": \"Suggests contamination\", \"country\": \"LC\", \"coordinates\": [54.5116, -89.695], \"continent\": \"North America\"}, \"uid\": \"3b9810ca-5be7-11ee-8a5e-0242ac110005\", \"hostname\": \"cloud.int\", \"instance_uid\": \"3b9815de-5be7-11ee-8748-0242ac110005\", \"interface_name\": \"rentals generic singles\", \"interface_uid\": \"3b981cd2-5be7-11ee-9f36-0242ac110005\", \"subnet_uid\": \"3b9820e2-5be7-11ee-af45-0242ac110005\", \"svc_name\": \"where image territories\"}, \"is_renewal\": false, \"severity_id\": 99, \"src_endpoint\": {\"name\": \"proceeding industries archive\", \"port\": 35266, \"ip\": \"67.43.156.0\", \"uid\": \"3b986b2e-5be7-11ee-9b3c-0242ac110005\", \"hostname\": \"scores.net\", \"instance_uid\": \"3b987272-5be7-11ee-a84f-0242ac110005\", \"interface_name\": \"habits quantitative second\", \"interface_uid\": \"3b987966-5be7-11ee-ae16-0242ac110005\", \"intermediate_ips\": [\"175.16.199.1\", \"89.160.20.112\"], \"svc_name\": \"marking misc alarm\", \"vpc_uid\": \"3b988096-5be7-11ee-bdee-0242ac110005\"}, \"status_detail\": \"relates cornwall cope\", \"status_id\": 2, \"transaction_uid\": \"3b989194-5be7-11ee-b97e-0242ac110005\"}", + "event": { + "action": "nak", + "category": [ + "network" + ], + "code": "population", + "outcome": "failure", + "provider": "remembered substantial possible", + "severity": 99, + "type": [ + "protocol" + ] + }, + "cloud": { + "provider": "finest subdivision assists", + "region": "drill bedford post" + }, + "destination": { + "address": "cloud.int", + "domain": "cloud.int", + "geo": { + "city_name": "Suggests contamination", + "continent_name": "North America", + "country_iso_code": "LC", + "name": "Saint Lucia" + }, + "ip": "67.43.156.0", + "port": 21794, + "registered_domain": "cloud.int", + "top_level_domain": "int" + }, + "network": { + "application": "where image 
territories" + }, + "ocsf": "{\"activity_id\": 6, \"activity_name\": \"Nak\", \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"DHCP Activity\", \"class_uid\": 4004, \"cloud\": {\"provider\": \"finest subdivision assists\", \"region\": \"drill bedford post\"}, \"count\": 2, \"device\": {\"domain\": \"ordinance died reducing\", \"groups\": [{\"name\": \"crisis burlington stood\", \"type\": \"regional yourself ho\", \"uid\": \"3b984cde-5be7-11ee-a8b4-0242ac110005\"}, {\"name\": \"funds lawyers conferencing\", \"uid\": \"3b985120-5be7-11ee-b8c3-0242ac110005\"}], \"hostname\": \"labs.org\", \"instance_uid\": \"3b98409a-5be7-11ee-87fa-0242ac110005\", \"interface_name\": \"bestsellers qualifying blog\", \"interface_uid\": \"3b984586-5be7-11ee-b105-0242ac110005\", \"ip\": \"67.43.156.0\", \"is_managed\": false, \"location\": {\"city\": \"Arabic ana\", \"continent\": \"Asia\", \"coordinates\": [-170.1816, -41.4084], \"country\": \"IR\", \"desc\": \"Iran, Islamic Republic of\"}, \"modified_time\": 1695675919042, \"name\": \"worry scout director\", \"network_interfaces\": [{\"hostname\": \"signed.name\", \"ip\": \"175.16.199.1\", \"mac\": \"F7:10:E8:11:73:9A:1F:AD\", \"name\": \"leading ste lingerie\", \"type\": \"Wired\", \"type_id\": 1}], \"region\": \"accused continuous fibre\", \"type\": \"Laptop\", \"type_id\": 3, \"uid\": \"3b9854e0-5be7-11ee-b25b-0242ac110005\", \"uid_alt\": \"matter resolutions likely\"}, \"dst_endpoint\": {\"hostname\": \"cloud.int\", \"instance_uid\": \"3b9815de-5be7-11ee-8748-0242ac110005\", \"interface_name\": \"rentals generic singles\", \"interface_uid\": \"3b981cd2-5be7-11ee-9f36-0242ac110005\", \"ip\": \"67.43.156.0\", \"location\": {\"city\": \"Suggests contamination\", \"continent\": \"North America\", \"coordinates\": [54.5116, -89.695], \"country\": \"LC\", \"desc\": \"Saint Lucia\"}, \"name\": \"pickup offshore readers\", \"port\": 21794, \"subnet_uid\": \"3b9820e2-5be7-11ee-af45-0242ac110005\", 
\"svc_name\": \"where image territories\", \"uid\": \"3b9810ca-5be7-11ee-8a5e-0242ac110005\"}, \"is_renewal\": false, \"metadata\": {\"event_code\": \"population\", \"log_name\": \"rod nine dont\", \"log_provider\": \"remembered substantial possible\", \"modified_time\": 1695675919045, \"modified_time_dt\": \"2023-09-25T21:05:19.045538Z\", \"original_time\": \"processes payroll cheque\", \"processed_time_dt\": \"2023-09-25T21:05:19.045551Z\", \"product\": {\"lang\": \"en\", \"path\": \"trademarks clean client\", \"uid\": \"3b98010c-5be7-11ee-b3a3-0242ac110005\", \"vendor_name\": \"parents transit advisor\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"version\": \"1.0.0\"}, \"severity\": \"undefined\", \"severity_id\": 99, \"src_endpoint\": {\"hostname\": \"scores.net\", \"instance_uid\": \"3b987272-5be7-11ee-a84f-0242ac110005\", \"interface_name\": \"habits quantitative second\", \"interface_uid\": \"3b987966-5be7-11ee-ae16-0242ac110005\", \"intermediate_ips\": [\"175.16.199.1\", \"89.160.20.112\"], \"ip\": \"67.43.156.0\", \"name\": \"proceeding industries archive\", \"port\": 35266, \"svc_name\": \"marking misc alarm\", \"uid\": \"3b986b2e-5be7-11ee-9b3c-0242ac110005\", \"vpc_uid\": \"3b988096-5be7-11ee-bdee-0242ac110005\"}, \"status\": \"Failure\", \"status_detail\": \"relates cornwall cope\", \"status_id\": 2, \"time\": 1695675919042, \"timezone_offset\": 7, \"transaction_uid\": \"3b989194-5be7-11ee-b97e-0242ac110005\", \"type_name\": \"DHCP Activity: Nak\", \"type_uid\": 400406}", + "related": { + "hosts": [ + "cloud.int", + "scores.net" + ], + "ip": [ + "67.43.156.0" + ] + }, + "sekoiaio": { + "intake": { + "parsing_warnings": [ + "Cannot set field 'destination.geo.location' with given definition in stage 'pipeline_object_network_endpoint'. 
Cannot convert value in field 'destination.geo.location' to type 'dict'" + ] + } + }, + "source": { + "address": "scores.net", + "domain": "scores.net", + "ip": "67.43.156.0", + "port": 35266, + "registered_domain": "scores.net", + "top_level_domain": "net" + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_5.json b/OCSF/ocsf/tests/test_network_activity_5.json new file mode 100644 index 000000000..36207db4b --- /dev/null +++ b/OCSF/ocsf/tests/test_network_activity_5.json 
@@ -0,0 +1,57 @@ +{ + "input": { + "message": "{\"category_uid\": 4, \"request\": {\"uid\": \"52a3da4c-5be7-11ee-baa3-0242ac110005\"}, \"type_uid\": 400506, \"time\": 1695675957710, \"certificate_chain\": [\"universities investment processing\", \"magazines cooler constitute\"], \"src_endpoint\": {\"name\": \"request brakes anyway\", \"port\": 55305, \"ip\": \"67.43.156.0\", \"uid\": \"52a3c912-5be7-11ee-a7e5-0242ac110005\", \"instance_uid\": \"52a3cca0-5be7-11ee-bb44-0242ac110005\", \"interface_name\": \"caring interface recipe\", \"interface_uid\": \"52a3d06a-5be7-11ee-b15e-0242ac110005\", \"intermediate_ips\": [\"175.16.199.1\", \"89.160.20.112\"], \"svc_name\": \"leo fraser mic\"}, \"type_name\": \"RDP Activity: Traffic\", \"response\": {\"error\": \"earn bios diamonds\", \"code\": 79, \"flags\": [\"doors plus tool\"], \"message\": \"mysimon forum john\"}, \"status_id\": 99, \"activity_name\": \"Traffic\", \"capabilities\": [\"makers inkjet wealth\", \"statistical athletic tactics\"], \"activity_id\": 6, \"timezone_offset\": 14, \"severity_id\": 2, \"severity\": \"Low\", \"message\": \"start gifts correlation\", \"status\": \"chronicle\", \"connection_info\": {\"boundary\": \"direction design hook\", \"direction\": \"Unknown\", \"direction_id\": 0, \"protocol_num\": 7, \"protocol_ver\": \"compliant\", \"protocol_ver_id\": 99}, \"device\": {\"name\": \"mpg mumbai feedback\", \"type\": \"cingular\", \"ip\": \"175.16.199.1\", \"uid\": \"52a3b968-5be7-11ee-8c32-0242ac110005\", \"hostname\": \"bookstore.com\", \"type_id\": 99, \"autoscale_uid\": \"52a3aa7c-5be7-11ee-afac-0242ac110005\", \"hypervisor\": \"t contacting bomb\", \"instance_uid\": \"52a3af0e-5be7-11ee-8962-0242ac110005\", \"interface_name\": \"fifth cancer ties\", \"interface_uid\": \"52a3b382-5be7-11ee-b868-0242ac110005\", \"network_interfaces\": [{\"name\": \"extensive confirmation invisible\", \"type\": \"Unknown\", \"ip\": \"175.16.199.1\", \"uid\": \"52a3a572-5be7-11ee-b24b-0242ac110005\", 
\"hostname\": \"tray.gov\", \"mac\": \"D3:B5:6A:19:38:2F:24:A1\", \"type_id\": 0}], \"region\": \"childrens carriers contracting\", \"risk_level\": \"theory mattress fr\", \"risk_score\": 32}, \"disposition\": \"Quarantined\", \"dst_endpoint\": {\"name\": \"codes acts containers\", \"port\": 11600, \"ip\": \"67.43.156.0\", \"uid\": \"52a30022-5be7-11ee-b27b-0242ac110005\", \"hostname\": \"climate.gov\", \"mac\": \"6F:86:CF:42:61:43:EF:EC\", \"instance_uid\": \"52a3919a-5be7-11ee-a566-0242ac110005\", \"svc_name\": \"intro contacted payroll\"}, \"protocol_ver\": \"1.1.1\", \"api\": {\"version\": \"1.0.0\", \"request\": {\"uid\": \"52a2f4d8-5be7-11ee-9aad-0242ac110005\"}, \"response\": {\"error\": \"column reform improved\", \"error_message\": \"glen spray dear\"}, \"operation\": \"examinations convention inquire\"}, \"traffic\": {\"bytes\": 4178624388, \"bytes_in\": 3737296762, \"bytes_out\": 2902061295, \"packets\": 2072578920}, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Lateral Movement | The adversary is trying to move through your environment.\", \"uid\": \"TA0008\"}, {\"name\": \"Defense Evasion The adversary is trying to avoid being detected.\", \"uid\": \"TA0005\"}], \"technique\": {\"name\": \"Spearphishing Attachment\", \"uid\": \"T1193\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Command and Control The adversary is trying to communicate with compromised systems to control them.\", \"uid\": \"TA0011\"}, {\"name\": \"Lateral Movement | The adversary is trying to move through your environment.\", \"uid\": \"TA0008\"}, {\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Malware\", \"uid\": \"T1587.001\"}}], \"tls\": {\"version\": \"1.0.0\", \"cipher\": \"fabric mess guaranteed\", \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"tramadol babe inf\", \"issuer\": \"ring vc mild\", \"fingerprints\": [{\"value\": 
\"FC52C21756C177325B755781195254D9\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"B840263DB579453C080DA366BADC329FC04B253D1ACCC2F6FDEB475D2C1B4811CED673F4981DBFC8FC88877A7516C41B28BA654D3911FE15ED7E4BA5849624F9\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1695675957703, \"expiration_time\": 1695675957707, \"serial_number\": \"refrigerator os jumping\"}, \"sni\": \"burner funeral singing\", \"certificate_chain\": [\"permissions logistics pipe\"], \"client_ciphers\": [\"python ireland aerial\", \"season textbook walt\"], \"ja3s_hash\": {\"value\": \"63DA7BD36D87B066DC0E0BB794DBD39ABF21F1A63BA929705FB6C81005838FFA5E8FE456C4DB8ACBD983D90356A5707FC1F4EF069CC70B65B34A5496D5484DDC\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, \"sans\": [{\"name\": \"downloads informed warehouse\", \"type\": \"ordinance place flower\"}, {\"name\": \"gamma consultant lcd\", \"type\": \"experienced loved premises\"}]}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"sleeping roy view\", \"version\": \"1.0.0\", \"uid\": \"52a2a83e-5be7-11ee-b480-0242ac110005\", \"feature\": {\"name\": \"purse support el\", \"version\": \"1.0.0\", \"uid\": \"52a2b0e0-5be7-11ee-9130-0242ac110005\"}, \"vendor_name\": \"display discipline juvenile\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"structured electron theaters\", \"log_provider\": \"unwrap std painful\", \"modified_time\": 1695675957701, \"original_time\": \"skins child clearance\", \"modified_time_dt\": \"2023-09-25T21:05:57.703141Z\"}, \"class_name\": \"RDP Activity\", \"category_name\": \"Network Activity\", \"disposition_id\": 3, \"cloud\": {\"provider\": \"lafayette lime metal\", \"region\": \"crimes gotten calculators\"}, \"end_time_dt\": \"2023-09-25T21:05:57.699925Z\", \"start_time\": 1695675957693, \"class_uid\": 4005, \"status_code\": \"lectures\"}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": 
"a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"category_uid\": 4, \"request\": {\"uid\": \"52a3da4c-5be7-11ee-baa3-0242ac110005\"}, \"type_uid\": 400506, \"time\": 1695675957710, \"certificate_chain\": [\"universities investment processing\", \"magazines cooler constitute\"], \"src_endpoint\": {\"name\": \"request brakes anyway\", \"port\": 55305, \"ip\": \"67.43.156.0\", \"uid\": \"52a3c912-5be7-11ee-a7e5-0242ac110005\", \"instance_uid\": \"52a3cca0-5be7-11ee-bb44-0242ac110005\", \"interface_name\": \"caring interface recipe\", \"interface_uid\": \"52a3d06a-5be7-11ee-b15e-0242ac110005\", \"intermediate_ips\": [\"175.16.199.1\", \"89.160.20.112\"], \"svc_name\": \"leo fraser mic\"}, \"type_name\": \"RDP Activity: Traffic\", \"response\": {\"error\": \"earn bios diamonds\", \"code\": 79, \"flags\": [\"doors plus tool\"], \"message\": \"mysimon forum john\"}, \"status_id\": 99, \"activity_name\": \"Traffic\", \"capabilities\": [\"makers inkjet wealth\", \"statistical athletic tactics\"], \"activity_id\": 6, \"timezone_offset\": 14, \"severity_id\": 2, \"severity\": \"Low\", \"message\": \"start gifts correlation\", \"status\": \"chronicle\", \"connection_info\": {\"boundary\": \"direction design hook\", \"direction\": \"Unknown\", \"direction_id\": 0, \"protocol_num\": 7, \"protocol_ver\": \"compliant\", \"protocol_ver_id\": 99}, \"device\": {\"name\": \"mpg mumbai feedback\", \"type\": \"cingular\", \"ip\": \"175.16.199.1\", \"uid\": \"52a3b968-5be7-11ee-8c32-0242ac110005\", \"hostname\": \"bookstore.com\", \"type_id\": 99, \"autoscale_uid\": \"52a3aa7c-5be7-11ee-afac-0242ac110005\", \"hypervisor\": \"t contacting bomb\", \"instance_uid\": \"52a3af0e-5be7-11ee-8962-0242ac110005\", \"interface_name\": \"fifth cancer ties\", \"interface_uid\": \"52a3b382-5be7-11ee-b868-0242ac110005\", \"network_interfaces\": [{\"name\": \"extensive confirmation invisible\", \"type\": \"Unknown\", \"ip\": \"175.16.199.1\", \"uid\": 
\"52a3a572-5be7-11ee-b24b-0242ac110005\", \"hostname\": \"tray.gov\", \"mac\": \"D3:B5:6A:19:38:2F:24:A1\", \"type_id\": 0}], \"region\": \"childrens carriers contracting\", \"risk_level\": \"theory mattress fr\", \"risk_score\": 32}, \"disposition\": \"Quarantined\", \"dst_endpoint\": {\"name\": \"codes acts containers\", \"port\": 11600, \"ip\": \"67.43.156.0\", \"uid\": \"52a30022-5be7-11ee-b27b-0242ac110005\", \"hostname\": \"climate.gov\", \"mac\": \"6F:86:CF:42:61:43:EF:EC\", \"instance_uid\": \"52a3919a-5be7-11ee-a566-0242ac110005\", \"svc_name\": \"intro contacted payroll\"}, \"protocol_ver\": \"1.1.1\", \"api\": {\"version\": \"1.0.0\", \"request\": {\"uid\": \"52a2f4d8-5be7-11ee-9aad-0242ac110005\"}, \"response\": {\"error\": \"column reform improved\", \"error_message\": \"glen spray dear\"}, \"operation\": \"examinations convention inquire\"}, \"traffic\": {\"bytes\": 4178624388, \"bytes_in\": 3737296762, \"bytes_out\": 2902061295, \"packets\": 2072578920}, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Lateral Movement | The adversary is trying to move through your environment.\", \"uid\": \"TA0008\"}, {\"name\": \"Defense Evasion The adversary is trying to avoid being detected.\", \"uid\": \"TA0005\"}], \"technique\": {\"name\": \"Spearphishing Attachment\", \"uid\": \"T1193\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Command and Control The adversary is trying to communicate with compromised systems to control them.\", \"uid\": \"TA0011\"}, {\"name\": \"Lateral Movement | The adversary is trying to move through your environment.\", \"uid\": \"TA0008\"}, {\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Malware\", \"uid\": \"T1587.001\"}}], \"tls\": {\"version\": \"1.0.0\", \"cipher\": \"fabric mess guaranteed\", \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"tramadol babe inf\", \"issuer\": \"ring vc mild\", 
\"fingerprints\": [{\"value\": \"FC52C21756C177325B755781195254D9\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"B840263DB579453C080DA366BADC329FC04B253D1ACCC2F6FDEB475D2C1B4811CED673F4981DBFC8FC88877A7516C41B28BA654D3911FE15ED7E4BA5849624F9\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1695675957703, \"expiration_time\": 1695675957707, \"serial_number\": \"refrigerator os jumping\"}, \"sni\": \"burner funeral singing\", \"certificate_chain\": [\"permissions logistics pipe\"], \"client_ciphers\": [\"python ireland aerial\", \"season textbook walt\"], \"ja3s_hash\": {\"value\": \"63DA7BD36D87B066DC0E0BB794DBD39ABF21F1A63BA929705FB6C81005838FFA5E8FE456C4DB8ACBD983D90356A5707FC1F4EF069CC70B65B34A5496D5484DDC\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, \"sans\": [{\"name\": \"downloads informed warehouse\", \"type\": \"ordinance place flower\"}, {\"name\": \"gamma consultant lcd\", \"type\": \"experienced loved premises\"}]}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"sleeping roy view\", \"version\": \"1.0.0\", \"uid\": \"52a2a83e-5be7-11ee-b480-0242ac110005\", \"feature\": {\"name\": \"purse support el\", \"version\": \"1.0.0\", \"uid\": \"52a2b0e0-5be7-11ee-9130-0242ac110005\"}, \"vendor_name\": \"display discipline juvenile\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"structured electron theaters\", \"log_provider\": \"unwrap std painful\", \"modified_time\": 1695675957701, \"original_time\": \"skins child clearance\", \"modified_time_dt\": \"2023-09-25T21:05:57.703141Z\"}, \"class_name\": \"RDP Activity\", \"category_name\": \"Network Activity\", \"disposition_id\": 3, \"cloud\": {\"provider\": \"lafayette lime metal\", \"region\": \"crimes gotten calculators\"}, \"end_time_dt\": \"2023-09-25T21:05:57.699925Z\", \"start_time\": 1695675957693, \"class_uid\": 4005, \"status_code\": \"lectures\"}", + "event": { + "action": "traffic", + 
"category": [ + "network" + ], + "end": "2023-09-25T21:05:57.699925Z", + "provider": "unwrap std painful", + "severity": 2, + "start": "2023-09-25T21:05:57.693000Z", + "type": [ + "protocol" + ] + }, + "cloud": { + "provider": "lafayette lime metal", + "region": "crimes gotten calculators" + }, + "destination": { + "address": "climate.gov", + "domain": "climate.gov", + "ip": "67.43.156.0", + "mac": "6F:86:CF:42:61:43:EF:EC", + "port": 11600, + "registered_domain": "climate.gov", + "top_level_domain": "gov" + }, + "network": { + "application": "intro contacted payroll" + }, + "ocsf": "{\"activity_id\": 6, \"activity_name\": \"Traffic\", \"api\": {\"operation\": \"examinations convention inquire\", \"request\": {\"uid\": \"52a2f4d8-5be7-11ee-9aad-0242ac110005\"}, \"response\": {\"error\": \"column reform improved\", \"error_message\": \"glen spray dear\"}, \"version\": \"1.0.0\"}, \"attacks\": [{\"tactics\": [{\"name\": \"Lateral Movement | The adversary is trying to move through your environment.\", \"uid\": \"TA0008\"}, {\"name\": \"Defense Evasion The adversary is trying to avoid being detected.\", \"uid\": \"TA0005\"}], \"technique\": {\"name\": \"Spearphishing Attachment\", \"uid\": \"T1193\"}, \"version\": \"12.1\"}, {\"tactics\": [{\"name\": \"Command and Control The adversary is trying to communicate with compromised systems to control them.\", \"uid\": \"TA0011\"}, {\"name\": \"Lateral Movement | The adversary is trying to move through your environment.\", \"uid\": \"TA0008\"}, {\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Malware\", \"uid\": \"T1587.001\"}, \"version\": \"12.1\"}], \"capabilities\": [\"makers inkjet wealth\", \"statistical athletic tactics\"], \"category_name\": \"Network Activity\", \"category_uid\": 4, \"certificate_chain\": [\"universities investment processing\", \"magazines cooler constitute\"], \"class_name\": \"RDP Activity\", 
\"class_uid\": 4005, \"cloud\": {\"provider\": \"lafayette lime metal\", \"region\": \"crimes gotten calculators\"}, \"connection_info\": {\"boundary\": \"direction design hook\", \"direction\": \"Unknown\", \"direction_id\": 0, \"protocol_num\": 7, \"protocol_ver\": \"compliant\", \"protocol_ver_id\": 99}, \"device\": {\"autoscale_uid\": \"52a3aa7c-5be7-11ee-afac-0242ac110005\", \"hostname\": \"bookstore.com\", \"hypervisor\": \"t contacting bomb\", \"instance_uid\": \"52a3af0e-5be7-11ee-8962-0242ac110005\", \"interface_name\": \"fifth cancer ties\", \"interface_uid\": \"52a3b382-5be7-11ee-b868-0242ac110005\", \"ip\": \"175.16.199.1\", \"name\": \"mpg mumbai feedback\", \"network_interfaces\": [{\"hostname\": \"tray.gov\", \"ip\": \"175.16.199.1\", \"mac\": \"D3:B5:6A:19:38:2F:24:A1\", \"name\": \"extensive confirmation invisible\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"52a3a572-5be7-11ee-b24b-0242ac110005\"}], \"region\": \"childrens carriers contracting\", \"risk_level\": \"theory mattress fr\", \"risk_score\": 32, \"type\": \"cingular\", \"type_id\": 99, \"uid\": \"52a3b968-5be7-11ee-8c32-0242ac110005\"}, \"disposition\": \"Quarantined\", \"disposition_id\": 3, \"dst_endpoint\": {\"hostname\": \"climate.gov\", \"instance_uid\": \"52a3919a-5be7-11ee-a566-0242ac110005\", \"ip\": \"67.43.156.0\", \"mac\": \"6F:86:CF:42:61:43:EF:EC\", \"name\": \"codes acts containers\", \"port\": 11600, \"svc_name\": \"intro contacted payroll\", \"uid\": \"52a30022-5be7-11ee-b27b-0242ac110005\"}, \"end_time_dt\": \"2023-09-25T21:05:57.699925Z\", \"message\": \"start gifts correlation\", \"metadata\": {\"log_name\": \"structured electron theaters\", \"log_provider\": \"unwrap std painful\", \"modified_time\": 1695675957701, \"modified_time_dt\": \"2023-09-25T21:05:57.703141Z\", \"original_time\": \"skins child clearance\", \"product\": {\"feature\": {\"name\": \"purse support el\", \"uid\": \"52a2b0e0-5be7-11ee-9130-0242ac110005\", \"version\": \"1.0.0\"}, \"name\": 
\"sleeping roy view\", \"uid\": \"52a2a83e-5be7-11ee-b480-0242ac110005\", \"vendor_name\": \"display discipline juvenile\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"version\": \"1.0.0\"}, \"protocol_ver\": \"1.1.1\", \"request\": {\"uid\": \"52a3da4c-5be7-11ee-baa3-0242ac110005\"}, \"response\": {\"code\": 79, \"error\": \"earn bios diamonds\", \"flags\": [\"doors plus tool\"], \"message\": \"mysimon forum john\"}, \"severity\": \"Low\", \"severity_id\": 2, \"src_endpoint\": {\"instance_uid\": \"52a3cca0-5be7-11ee-bb44-0242ac110005\", \"interface_name\": \"caring interface recipe\", \"interface_uid\": \"52a3d06a-5be7-11ee-b15e-0242ac110005\", \"intermediate_ips\": [\"175.16.199.1\", \"89.160.20.112\"], \"ip\": \"67.43.156.0\", \"name\": \"request brakes anyway\", \"port\": 55305, \"svc_name\": \"leo fraser mic\", \"uid\": \"52a3c912-5be7-11ee-a7e5-0242ac110005\"}, \"start_time\": 1695675957693, \"status\": \"chronicle\", \"status_code\": \"lectures\", \"status_id\": 99, \"time\": 1695675957710, \"timezone_offset\": 14, \"tls\": {\"certificate\": {\"created_time\": 1695675957703, \"expiration_time\": 1695675957707, \"fingerprints\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"FC52C21756C177325B755781195254D9\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"B840263DB579453C080DA366BADC329FC04B253D1ACCC2F6FDEB475D2C1B4811CED673F4981DBFC8FC88877A7516C41B28BA654D3911FE15ED7E4BA5849624F9\"}], \"issuer\": \"ring vc mild\", \"serial_number\": \"refrigerator os jumping\", \"subject\": \"tramadol babe inf\", \"version\": \"1.0.0\"}, \"certificate_chain\": [\"permissions logistics pipe\"], \"cipher\": \"fabric mess guaranteed\", \"client_ciphers\": [\"python ireland aerial\", \"season textbook walt\"], \"ja3s_hash\": {\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": 
\"63DA7BD36D87B066DC0E0BB794DBD39ABF21F1A63BA929705FB6C81005838FFA5E8FE456C4DB8ACBD983D90356A5707FC1F4EF069CC70B65B34A5496D5484DDC\"}, \"sans\": [{\"name\": \"downloads informed warehouse\", \"type\": \"ordinance place flower\"}, {\"name\": \"gamma consultant lcd\", \"type\": \"experienced loved premises\"}], \"sni\": \"burner funeral singing\", \"version\": \"1.0.0\"}, \"traffic\": {\"bytes\": 4178624388, \"bytes_in\": 3737296762, \"bytes_out\": 2902061295, \"packets\": 2072578920}, \"type_name\": \"RDP Activity: Traffic\", \"type_uid\": 400506}", + "related": { + "hosts": [ + "climate.gov" + ], + "ip": [ + "67.43.156.0" + ] + }, + "source": { + "address": "67.43.156.0", + "ip": "67.43.156.0", + "port": 55305 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_6.json b/OCSF/ocsf/tests/test_network_activity_6.json new file mode 100644 index 000000000..b2f01ccfa --- /dev/null +++ b/OCSF/ocsf/tests/test_network_activity_6.json 
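Review bot: The `expected` block of this fixture asserts nothing for the `tls` object (cipher, sni, ja3s_hash, certificate subject/issuer/serial) or the `attacks` array (TA0008, T1193, TA0011, T1587.001) that the input message carries, so the test does not tell a reader whether the parser deliberately leaves them only in the raw `ocsf` string or maps them to ECS `tls.*` / `threat.*`. The same applies to `disposition: "Quarantined"` / `disposition_id: 3`, which is the security-control outcome of this RDP event and is absent from the expected `event` object. If the parser does map any of these, the fixture should pin them, e.g. `"tls": {"cipher": "fabric mess guaranteed", "client": {"server_name": "burner funeral singing"}}`; if it does not, a one-line remark in `OCSF/README.md` stating that `tls`, `attacks` and `disposition` are not yet normalized would make the gap visible to the next maintainer instead of being inferred from an absent assertion.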
@@ -0,0 +1,59 @@ +{ + "input": { + "message": "{\"category_uid\": 4, \"file\": {\"attributes\": 43, \"name\": \"brazil.docx\", \"type\": \"Character Device\", \"path\": \"pay msie consciousness/checking.tiff/brazil.docx\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"tagged military guided\", \"issuer\": \"digest june ty\", \"fingerprints\": [{\"value\": \"9B0FBD383D667D48DB1FE9647C1E4BAA821ACA2908D5FFED88F145781F8B1A35\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1695675976051, \"expiration_time\": 1695675976057, \"serial_number\": \"schedules heater hardwood\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"product\": {\"name\": \"oecd initiatives purposes\", \"version\": \"1.0.0\", \"uid\": \"5d95c636-5be7-11ee-8b22-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"personal harmful referrals\"}, \"uid\": \"5d95ca5a-5be7-11ee-a417-0242ac110005\", \"type_id\": 3, \"parent_folder\": \"pay msie consciousness/checking.tiff\", \"hashes\": [{\"value\": \"37B77065B54AA76AAE4D96BFEA21F81217D2CEDE06CA457D86A77C0609B483B73102B9C600CC6DFEA5252B15E8E823BD2E5137AA311F7A2011B867F18FE9F502\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"B6F8AE88482BDE38221723480B7EE2BE8088C076BDB5F22AA847A66E59C2ACFB\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"modified_time\": 1695675976016, \"security_descriptor\": \"subsequent latinas quotes\", \"modified_time_dt\": \"2023-09-25T21:06:16.073732Z\", \"accessed_time_dt\": \"2023-09-25T21:06:16.073784Z\"}, \"time_dt\": \"2023-09-25T21:06:16.072807Z\", \"type_uid\": 400603, \"time\": 1695675976070, \"command\": \"switch text springs\", \"src_endpoint\": {\"name\": \"wyoming relocation sufficiently\", \"port\": 21573, \"ip\": \"67.43.156.0\", \"uid\": \"5d95a0ac-5be7-11ee-a3e8-0242ac110005\", \"hostname\": \"sara.web\", \"instance_uid\": \"5d95a4ee-5be7-11ee-a0b5-0242ac110005\", \"interface_name\": \"christians comparing garbage\", \"interface_uid\": 
\"5d95a8e0-5be7-11ee-800d-0242ac110005\", \"svc_name\": \"photographers do nobody\", \"vpc_uid\": \"5d95aec6-5be7-11ee-b409-0242ac110005\"}, \"type_name\": \"SMB Activity: File Create\", \"share_type_id\": 1, \"response\": {\"error\": \"monsters pl positioning\", \"code\": 94, \"error_message\": \"wires hart dirty\"}, \"status_id\": 2, \"activity_name\": \"File Create\", \"activity_id\": 3, \"client_dialects\": [\"gabriel ourselves diameter\", \"avg pages denial\"], \"timezone_offset\": 21, \"severity_id\": 3, \"open_type\": \"estates collections cia\", \"share_type\": \"File\", \"severity\": \"Medium\", \"message\": \"hotels boc parcel\", \"status\": \"Failure\", \"connection_info\": {\"direction\": \"Unknown\", \"direction_id\": 0, \"protocol_num\": 89}, \"device\": {\"name\": \"rwanda medal hazardous\", \"type\": \"IOT\", \"ip\": \"175.16.199.1\", \"hostname\": \"african.museum\", \"groups\": [{\"name\": \"medical discovered punishment\", \"uid\": \"5d958856-5be7-11ee-bf58-0242ac110005\"}, {\"name\": \"layer achieving api\", \"type\": \"prefers biol broke\", \"uid\": \"5d958cc0-5be7-11ee-8274-0242ac110005\"}], \"type_id\": 7, \"autoscale_uid\": \"5d957758-5be7-11ee-bdd5-0242ac110005\", \"instance_uid\": \"5d957cd0-5be7-11ee-b6eb-0242ac110005\", \"interface_name\": \"guided educational wy\", \"interface_uid\": \"5d958130-5be7-11ee-894c-0242ac110005\", \"is_personal\": false, \"region\": \"retain ste cfr\"}, \"disposition\": \"Allowed\", \"dst_endpoint\": {\"name\": \"simulations mountains flow\", \"port\": 3375, \"ip\": \"67.43.156.0\", \"uid\": \"5d954af8-5be7-11ee-9dec-0242ac110005\", \"hostname\": \"larger.mil\", \"instance_uid\": \"5d9550f2-5be7-11ee-8ce8-0242ac110005\", \"interface_name\": \"remaining james spent\", \"interface_uid\": \"5d955516-5be7-11ee-8913-0242ac110005\", \"svc_name\": \"galleries facilitate fiji\"}, \"dialect\": \"teams restaurants altered\", \"duration\": 78, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Credential 
Access The adversary is trying to steal account names and passwords.\", \"uid\": \"TA0006\"}, {\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}], \"technique\": {\"name\": \"Multi-hop Proxy\", \"uid\": \"T1090.003\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}, {\"name\": \"Resource Development | The adversary is trying to establish resources they can use to support operations.\", \"uid\": \"TA0042\"}, {\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}], \"technique\": {\"name\": \"Python\", \"uid\": \"T1059.006\"}}], \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"quantities persian easy\", \"version\": \"1.0.0\", \"uid\": \"5d952ece-5be7-11ee-8ef1-0242ac110005\", \"url_string\": \"blog\", \"vendor_name\": \"appliances building lauren\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"correlation_uid\": \"5d9534be-5be7-11ee-a413-0242ac110005\", \"log_name\": \"tampa array expired\", \"original_time\": \"gis holmes roads\", \"processed_time\": 1695675976062, \"modified_time_dt\": \"2023-09-25T21:06:16.069686Z\"}, \"class_name\": \"SMB Activity\", \"category_name\": \"Network Activity\", \"disposition_id\": 1, \"cloud\": {\"provider\": \"bracelet characteristic scenic\", \"region\": \"southern handles paradise\", \"zone\": \"silk appointed semi\"}, \"class_uid\": 4006}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"category_uid\": 4, \"file\": {\"attributes\": 43, \"name\": \"brazil.docx\", \"type\": \"Character Device\", \"path\": \"pay msie consciousness/checking.tiff/brazil.docx\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"tagged military 
guided\", \"issuer\": \"digest june ty\", \"fingerprints\": [{\"value\": \"9B0FBD383D667D48DB1FE9647C1E4BAA821ACA2908D5FFED88F145781F8B1A35\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1695675976051, \"expiration_time\": 1695675976057, \"serial_number\": \"schedules heater hardwood\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"product\": {\"name\": \"oecd initiatives purposes\", \"version\": \"1.0.0\", \"uid\": \"5d95c636-5be7-11ee-8b22-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"personal harmful referrals\"}, \"uid\": \"5d95ca5a-5be7-11ee-a417-0242ac110005\", \"type_id\": 3, \"parent_folder\": \"pay msie consciousness/checking.tiff\", \"hashes\": [{\"value\": \"37B77065B54AA76AAE4D96BFEA21F81217D2CEDE06CA457D86A77C0609B483B73102B9C600CC6DFEA5252B15E8E823BD2E5137AA311F7A2011B867F18FE9F502\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"B6F8AE88482BDE38221723480B7EE2BE8088C076BDB5F22AA847A66E59C2ACFB\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"modified_time\": 1695675976016, \"security_descriptor\": \"subsequent latinas quotes\", \"modified_time_dt\": \"2023-09-25T21:06:16.073732Z\", \"accessed_time_dt\": \"2023-09-25T21:06:16.073784Z\"}, \"time_dt\": \"2023-09-25T21:06:16.072807Z\", \"type_uid\": 400603, \"time\": 1695675976070, \"command\": \"switch text springs\", \"src_endpoint\": {\"name\": \"wyoming relocation sufficiently\", \"port\": 21573, \"ip\": \"67.43.156.0\", \"uid\": \"5d95a0ac-5be7-11ee-a3e8-0242ac110005\", \"hostname\": \"sara.web\", \"instance_uid\": \"5d95a4ee-5be7-11ee-a0b5-0242ac110005\", \"interface_name\": \"christians comparing garbage\", \"interface_uid\": \"5d95a8e0-5be7-11ee-800d-0242ac110005\", \"svc_name\": \"photographers do nobody\", \"vpc_uid\": \"5d95aec6-5be7-11ee-b409-0242ac110005\"}, \"type_name\": \"SMB Activity: File Create\", \"share_type_id\": 1, \"response\": {\"error\": \"monsters pl positioning\", \"code\": 94, \"error_message\": \"wires hart dirty\"}, 
\"status_id\": 2, \"activity_name\": \"File Create\", \"activity_id\": 3, \"client_dialects\": [\"gabriel ourselves diameter\", \"avg pages denial\"], \"timezone_offset\": 21, \"severity_id\": 3, \"open_type\": \"estates collections cia\", \"share_type\": \"File\", \"severity\": \"Medium\", \"message\": \"hotels boc parcel\", \"status\": \"Failure\", \"connection_info\": {\"direction\": \"Unknown\", \"direction_id\": 0, \"protocol_num\": 89}, \"device\": {\"name\": \"rwanda medal hazardous\", \"type\": \"IOT\", \"ip\": \"175.16.199.1\", \"hostname\": \"african.museum\", \"groups\": [{\"name\": \"medical discovered punishment\", \"uid\": \"5d958856-5be7-11ee-bf58-0242ac110005\"}, {\"name\": \"layer achieving api\", \"type\": \"prefers biol broke\", \"uid\": \"5d958cc0-5be7-11ee-8274-0242ac110005\"}], \"type_id\": 7, \"autoscale_uid\": \"5d957758-5be7-11ee-bdd5-0242ac110005\", \"instance_uid\": \"5d957cd0-5be7-11ee-b6eb-0242ac110005\", \"interface_name\": \"guided educational wy\", \"interface_uid\": \"5d958130-5be7-11ee-894c-0242ac110005\", \"is_personal\": false, \"region\": \"retain ste cfr\"}, \"disposition\": \"Allowed\", \"dst_endpoint\": {\"name\": \"simulations mountains flow\", \"port\": 3375, \"ip\": \"67.43.156.0\", \"uid\": \"5d954af8-5be7-11ee-9dec-0242ac110005\", \"hostname\": \"larger.mil\", \"instance_uid\": \"5d9550f2-5be7-11ee-8ce8-0242ac110005\", \"interface_name\": \"remaining james spent\", \"interface_uid\": \"5d955516-5be7-11ee-8913-0242ac110005\", \"svc_name\": \"galleries facilitate fiji\"}, \"dialect\": \"teams restaurants altered\", \"duration\": 78, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Credential Access The adversary is trying to steal account names and passwords.\", \"uid\": \"TA0006\"}, {\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}], \"technique\": {\"name\": \"Multi-hop Proxy\", \"uid\": \"T1090.003\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Discovery 
The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}, {\"name\": \"Resource Development | The adversary is trying to establish resources they can use to support operations.\", \"uid\": \"TA0042\"}, {\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}], \"technique\": {\"name\": \"Python\", \"uid\": \"T1059.006\"}}], \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"quantities persian easy\", \"version\": \"1.0.0\", \"uid\": \"5d952ece-5be7-11ee-8ef1-0242ac110005\", \"url_string\": \"blog\", \"vendor_name\": \"appliances building lauren\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"correlation_uid\": \"5d9534be-5be7-11ee-a413-0242ac110005\", \"log_name\": \"tampa array expired\", \"original_time\": \"gis holmes roads\", \"processed_time\": 1695675976062, \"modified_time_dt\": \"2023-09-25T21:06:16.069686Z\"}, \"class_name\": \"SMB Activity\", \"category_name\": \"Network Activity\", \"disposition_id\": 1, \"cloud\": {\"provider\": \"bracelet characteristic scenic\", \"region\": \"southern handles paradise\", \"zone\": \"silk appointed semi\"}, \"class_uid\": 4006}", + "event": { + "action": "file create", + "category": [ + "file" + ], + "duration": 78000000, + "outcome": "failure", + "severity": 3, + "type": [ + "creation" + ] + }, + "cloud": { + "availability_zone": "silk appointed semi", + "provider": "bracelet characteristic scenic", + "region": "southern handles paradise" + }, + "destination": { + "address": "larger.mil", + "domain": "larger.mil", + "ip": "67.43.156.0", + "port": 3375, + "registered_domain": "larger.mil", + "top_level_domain": "mil" + }, + "network": { + "application": "galleries facilitate fiji" + }, + "ocsf": "{\"activity_id\": 3, \"activity_name\": \"File Create\", \"attacks\": [{\"tactics\": [{\"name\": \"Credential Access The adversary is trying to steal account 
names and passwords.\", \"uid\": \"TA0006\"}, {\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}], \"technique\": {\"name\": \"Multi-hop Proxy\", \"uid\": \"T1090.003\"}, \"version\": \"12.1\"}, {\"tactics\": [{\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}, {\"name\": \"Resource Development | The adversary is trying to establish resources they can use to support operations.\", \"uid\": \"TA0042\"}, {\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}], \"technique\": {\"name\": \"Python\", \"uid\": \"T1059.006\"}, \"version\": \"12.1\"}], \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"SMB Activity\", \"class_uid\": 4006, \"client_dialects\": [\"gabriel ourselves diameter\", \"avg pages denial\"], \"cloud\": {\"provider\": \"bracelet characteristic scenic\", \"region\": \"southern handles paradise\", \"zone\": \"silk appointed semi\"}, \"command\": \"switch text springs\", \"connection_info\": {\"direction\": \"Unknown\", \"direction_id\": 0, \"protocol_num\": 89}, \"device\": {\"autoscale_uid\": \"5d957758-5be7-11ee-bdd5-0242ac110005\", \"groups\": [{\"name\": \"medical discovered punishment\", \"uid\": \"5d958856-5be7-11ee-bf58-0242ac110005\"}, {\"name\": \"layer achieving api\", \"type\": \"prefers biol broke\", \"uid\": \"5d958cc0-5be7-11ee-8274-0242ac110005\"}], \"hostname\": \"african.museum\", \"instance_uid\": \"5d957cd0-5be7-11ee-b6eb-0242ac110005\", \"interface_name\": \"guided educational wy\", \"interface_uid\": \"5d958130-5be7-11ee-894c-0242ac110005\", \"ip\": \"175.16.199.1\", \"is_personal\": false, \"name\": \"rwanda medal hazardous\", \"region\": \"retain ste cfr\", \"type\": \"IOT\", \"type_id\": 7}, \"dialect\": \"teams restaurants altered\", \"disposition\": \"Allowed\", \"disposition_id\": 1, \"dst_endpoint\": {\"hostname\": 
\"larger.mil\", \"instance_uid\": \"5d9550f2-5be7-11ee-8ce8-0242ac110005\", \"interface_name\": \"remaining james spent\", \"interface_uid\": \"5d955516-5be7-11ee-8913-0242ac110005\", \"ip\": \"67.43.156.0\", \"name\": \"simulations mountains flow\", \"port\": 3375, \"svc_name\": \"galleries facilitate fiji\", \"uid\": \"5d954af8-5be7-11ee-9dec-0242ac110005\"}, \"duration\": 78, \"file\": {\"accessed_time_dt\": \"2023-09-25T21:06:16.073784Z\", \"attributes\": 43, \"hashes\": [{\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"37B77065B54AA76AAE4D96BFEA21F81217D2CEDE06CA457D86A77C0609B483B73102B9C600CC6DFEA5252B15E8E823BD2E5137AA311F7A2011B867F18FE9F502\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"B6F8AE88482BDE38221723480B7EE2BE8088C076BDB5F22AA847A66E59C2ACFB\"}], \"modified_time\": 1695675976016, \"modified_time_dt\": \"2023-09-25T21:06:16.073732Z\", \"name\": \"brazil.docx\", \"parent_folder\": \"pay msie consciousness/checking.tiff\", \"path\": \"pay msie consciousness/checking.tiff/brazil.docx\", \"product\": {\"lang\": \"en\", \"name\": \"oecd initiatives purposes\", \"uid\": \"5d95c636-5be7-11ee-8b22-0242ac110005\", \"vendor_name\": \"personal harmful referrals\", \"version\": \"1.0.0\"}, \"security_descriptor\": \"subsequent latinas quotes\", \"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1, \"certificate\": {\"created_time\": 1695675976051, \"expiration_time\": 1695675976057, \"fingerprints\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"9B0FBD383D667D48DB1FE9647C1E4BAA821ACA2908D5FFED88F145781F8B1A35\"}], \"issuer\": \"digest june ty\", \"serial_number\": \"schedules heater hardwood\", \"subject\": \"tagged military guided\", \"version\": \"1.0.0\"}}, \"type\": \"Character Device\", \"type_id\": 3, \"uid\": \"5d95ca5a-5be7-11ee-a417-0242ac110005\"}, \"message\": \"hotels boc parcel\", \"metadata\": {\"correlation_uid\": \"5d9534be-5be7-11ee-a413-0242ac110005\", \"log_name\": \"tampa array 
expired\", \"modified_time_dt\": \"2023-09-25T21:06:16.069686Z\", \"original_time\": \"gis holmes roads\", \"processed_time\": 1695675976062, \"product\": {\"name\": \"quantities persian easy\", \"uid\": \"5d952ece-5be7-11ee-8ef1-0242ac110005\", \"url_string\": \"blog\", \"vendor_name\": \"appliances building lauren\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"version\": \"1.0.0\"}, \"open_type\": \"estates collections cia\", \"response\": {\"code\": 94, \"error\": \"monsters pl positioning\", \"error_message\": \"wires hart dirty\"}, \"severity\": \"Medium\", \"severity_id\": 3, \"share_type\": \"File\", \"share_type_id\": 1, \"src_endpoint\": {\"hostname\": \"sara.web\", \"instance_uid\": \"5d95a4ee-5be7-11ee-a0b5-0242ac110005\", \"interface_name\": \"christians comparing garbage\", \"interface_uid\": \"5d95a8e0-5be7-11ee-800d-0242ac110005\", \"ip\": \"67.43.156.0\", \"name\": \"wyoming relocation sufficiently\", \"port\": 21573, \"svc_name\": \"photographers do nobody\", \"uid\": \"5d95a0ac-5be7-11ee-a3e8-0242ac110005\", \"vpc_uid\": \"5d95aec6-5be7-11ee-b409-0242ac110005\"}, \"status\": \"Failure\", \"status_id\": 2, \"time\": 1695675976070, \"time_dt\": \"2023-09-25T21:06:16.072807Z\", \"timezone_offset\": 21, \"type_name\": \"SMB Activity: File Create\", \"type_uid\": 400603}", + "related": { + "hosts": [ + "larger.mil", + "sara.web" + ], + "ip": [ + "67.43.156.0" + ] + }, + "source": { + "address": "sara.web", + "domain": "sara.web", + "ip": "67.43.156.0", + "port": 21573, + "subdomain": "sara" + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_7.json b/OCSF/ocsf/tests/test_network_activity_7.json new file mode 100644 index 000000000..d68039348 --- /dev/null +++ b/OCSF/ocsf/tests/test_network_activity_7.json 
@@ -0,0 +1,59 @@ +{ + "input": { + "message": "{\"message\": \"necessarily concord washer\", \"status\": \"Failure\", \"time\": 1695675986429, \"device\": {\"name\": \"britney diseases bhutan\", \"type\": \"Tablet\", \"ip\": \"127.252.94.88\", \"uid\": \"63c18c7a-5be7-11ee-930e-0242ac110005\", \"hostname\": \"incurred.net\", \"type_id\": 4, \"hypervisor\": \"attempt missouri lan\", \"instance_uid\": \"63c182d4-5be7-11ee-afba-0242ac110005\", \"interface_name\": \"mozambique pm carol\", \"is_personal\": false, \"is_trusted\": true, \"region\": \"southeast packed cookies\", \"vlan_uid\": \"63c18892-5be7-11ee-b15d-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"anaheim used riverside\", \"version\": \"1.0.0\", \"path\": \"volvo expired marketing\", \"uid\": \"63c0f6ac-5be7-11ee-a542-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"flowers billing iso\"}, \"uid\": \"63c0fbfc-5be7-11ee-82e8-0242ac110005\", \"sequence\": 3, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"bowling consistently pgp\", \"log_provider\": \"babies entities stephanie\", \"original_time\": \"weed treasury specifications\"}, \"proxy\": {\"name\": \"involve teacher calls\", \"port\": 50284, \"hostname\": \"problems.org\", \"instance_uid\": \"63c20466-5be7-11ee-a825-0242ac110005\", \"interface_name\": \"probe drugs bonds\", \"interface_uid\": \"63c24e08-5be7-11ee-be10-0242ac110005\", \"subnet_uid\": \"63c25358-5be7-11ee-a90c-0242ac110005\", \"svc_name\": \"selecting regional enrollment\", \"vlan_uid\": \"63c257fe-5be7-11ee-bca6-0242ac110005\"}, \"connection_info\": {\"protocol_name\": \"genes booth confirm\", \"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 59, \"tcp_flags\": 18}, \"severity\": \"Informational\", \"disposition\": \"Custom Action\", \"type_name\": \"SSH Activity: Unknown\", \"activity_id\": 0, \"disposition_id\": 7, \"type_uid\": 400700, \"category_name\": \"Network 
Activity\", \"class_uid\": 4007, \"category_uid\": 4, \"class_name\": \"SSH Activity\", \"timezone_offset\": 88, \"activity_name\": \"Unknown\", \"client_hassh\": {\"algorithm\": \"gave dollars relocation\", \"fingerprint\": {\"value\": \"232BC0C0B14F890B4F4BBBBD5985A67835F29296946D5D7F9401A44A441D72A2E3C86A7ED1DABF2390B70C41466925E22D45442C6CE2C51BF2BD75A66EBA67AC\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}}, \"cloud\": {\"provider\": \"flights density typical\"}, \"dst_endpoint\": {\"ip\": \"175.16.199.1\", \"uid\": \"63c1050c-5be7-11ee-8213-0242ac110005\", \"hostname\": \"novelty.arpa\", \"instance_uid\": \"63c1091c-5be7-11ee-a143-0242ac110005\", \"interface_name\": \"salvador far disable\", \"interface_uid\": \"63c10d18-5be7-11ee-9b99-0242ac110005\", \"svc_name\": \"observations dennis meals\", \"vpc_uid\": \"63c11100-5be7-11ee-9b51-0242ac110005\"}, \"server_hassh\": {\"algorithm\": \"shelter remember stickers\", \"fingerprint\": {\"value\": \"B23B6D25324F518146005AEA01FD7A7C64EC137532780572E3852F9D8E8556F4\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"severity_id\": 1, \"src_endpoint\": {\"name\": \"spas enclosure pleased\", \"port\": 63141, \"ip\": \"67.43.156.0\", \"uid\": \"63c1bb1e-5be7-11ee-b5ab-0242ac110005\", \"hostname\": \"visit.name\", \"instance_uid\": \"63c1c4ec-5be7-11ee-ac25-0242ac110005\", \"interface_name\": \"successful maryland study\", \"svc_name\": \"shipment miscellaneous highlights\", \"vpc_uid\": \"63c1fa70-5be7-11ee-ac6c-0242ac110005\"}, \"status_id\": 2, \"time_dt\": \"2023-09-25T21:06:26.429430Z\"}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"message\": \"necessarily concord washer\", \"status\": \"Failure\", \"time\": 1695675986429, \"device\": {\"name\": \"britney diseases bhutan\", \"type\": \"Tablet\", \"ip\": \"127.252.94.88\", \"uid\": \"63c18c7a-5be7-11ee-930e-0242ac110005\", \"hostname\": 
\"incurred.net\", \"type_id\": 4, \"hypervisor\": \"attempt missouri lan\", \"instance_uid\": \"63c182d4-5be7-11ee-afba-0242ac110005\", \"interface_name\": \"mozambique pm carol\", \"is_personal\": false, \"is_trusted\": true, \"region\": \"southeast packed cookies\", \"vlan_uid\": \"63c18892-5be7-11ee-b15d-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"anaheim used riverside\", \"version\": \"1.0.0\", \"path\": \"volvo expired marketing\", \"uid\": \"63c0f6ac-5be7-11ee-a542-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"flowers billing iso\"}, \"uid\": \"63c0fbfc-5be7-11ee-82e8-0242ac110005\", \"sequence\": 3, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"bowling consistently pgp\", \"log_provider\": \"babies entities stephanie\", \"original_time\": \"weed treasury specifications\"}, \"proxy\": {\"name\": \"involve teacher calls\", \"port\": 50284, \"hostname\": \"problems.org\", \"instance_uid\": \"63c20466-5be7-11ee-a825-0242ac110005\", \"interface_name\": \"probe drugs bonds\", \"interface_uid\": \"63c24e08-5be7-11ee-be10-0242ac110005\", \"subnet_uid\": \"63c25358-5be7-11ee-a90c-0242ac110005\", \"svc_name\": \"selecting regional enrollment\", \"vlan_uid\": \"63c257fe-5be7-11ee-bca6-0242ac110005\"}, \"connection_info\": {\"protocol_name\": \"genes booth confirm\", \"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 59, \"tcp_flags\": 18}, \"severity\": \"Informational\", \"disposition\": \"Custom Action\", \"type_name\": \"SSH Activity: Unknown\", \"activity_id\": 0, \"disposition_id\": 7, \"type_uid\": 400700, \"category_name\": \"Network Activity\", \"class_uid\": 4007, \"category_uid\": 4, \"class_name\": \"SSH Activity\", \"timezone_offset\": 88, \"activity_name\": \"Unknown\", \"client_hassh\": {\"algorithm\": \"gave dollars relocation\", \"fingerprint\": {\"value\": 
\"232BC0C0B14F890B4F4BBBBD5985A67835F29296946D5D7F9401A44A441D72A2E3C86A7ED1DABF2390B70C41466925E22D45442C6CE2C51BF2BD75A66EBA67AC\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}}, \"cloud\": {\"provider\": \"flights density typical\"}, \"dst_endpoint\": {\"ip\": \"175.16.199.1\", \"uid\": \"63c1050c-5be7-11ee-8213-0242ac110005\", \"hostname\": \"novelty.arpa\", \"instance_uid\": \"63c1091c-5be7-11ee-a143-0242ac110005\", \"interface_name\": \"salvador far disable\", \"interface_uid\": \"63c10d18-5be7-11ee-9b99-0242ac110005\", \"svc_name\": \"observations dennis meals\", \"vpc_uid\": \"63c11100-5be7-11ee-9b51-0242ac110005\"}, \"server_hassh\": {\"algorithm\": \"shelter remember stickers\", \"fingerprint\": {\"value\": \"B23B6D25324F518146005AEA01FD7A7C64EC137532780572E3852F9D8E8556F4\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"severity_id\": 1, \"src_endpoint\": {\"name\": \"spas enclosure pleased\", \"port\": 63141, \"ip\": \"67.43.156.0\", \"uid\": \"63c1bb1e-5be7-11ee-b5ab-0242ac110005\", \"hostname\": \"visit.name\", \"instance_uid\": \"63c1c4ec-5be7-11ee-ac25-0242ac110005\", \"interface_name\": \"successful maryland study\", \"svc_name\": \"shipment miscellaneous highlights\", \"vpc_uid\": \"63c1fa70-5be7-11ee-ac6c-0242ac110005\"}, \"status_id\": 2, \"time_dt\": \"2023-09-25T21:06:26.429430Z\"}", + "event": { + "action": "unknown", + "category": [ + "network" + ], + "outcome": "failure", + "provider": "babies entities stephanie", + "sequence": 3, + "severity": 1, + "type": [ + "protocol" + ] + }, + "cloud": { + "provider": "flights density typical" + }, + "destination": { + "address": "novelty.arpa", + "domain": "novelty.arpa", + "ip": "175.16.199.1", + "registered_domain": "novelty.arpa", + "top_level_domain": "arpa" + }, + "network": { + "application": "observations dennis meals" + }, + "ocsf": "{\"activity_id\": 0, \"activity_name\": \"Unknown\", \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"SSH 
Activity\", \"class_uid\": 4007, \"client_hassh\": {\"algorithm\": \"gave dollars relocation\", \"fingerprint\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"232BC0C0B14F890B4F4BBBBD5985A67835F29296946D5D7F9401A44A441D72A2E3C86A7ED1DABF2390B70C41466925E22D45442C6CE2C51BF2BD75A66EBA67AC\"}}, \"cloud\": {\"provider\": \"flights density typical\"}, \"connection_info\": {\"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_name\": \"genes booth confirm\", \"protocol_num\": 59, \"tcp_flags\": 18}, \"device\": {\"hostname\": \"incurred.net\", \"hypervisor\": \"attempt missouri lan\", \"instance_uid\": \"63c182d4-5be7-11ee-afba-0242ac110005\", \"interface_name\": \"mozambique pm carol\", \"ip\": \"127.252.94.88\", \"is_personal\": false, \"is_trusted\": true, \"name\": \"britney diseases bhutan\", \"region\": \"southeast packed cookies\", \"type\": \"Tablet\", \"type_id\": 4, \"uid\": \"63c18c7a-5be7-11ee-930e-0242ac110005\", \"vlan_uid\": \"63c18892-5be7-11ee-b15d-0242ac110005\"}, \"disposition\": \"Custom Action\", \"disposition_id\": 7, \"dst_endpoint\": {\"hostname\": \"novelty.arpa\", \"instance_uid\": \"63c1091c-5be7-11ee-a143-0242ac110005\", \"interface_name\": \"salvador far disable\", \"interface_uid\": \"63c10d18-5be7-11ee-9b99-0242ac110005\", \"ip\": \"175.16.199.1\", \"svc_name\": \"observations dennis meals\", \"uid\": \"63c1050c-5be7-11ee-8213-0242ac110005\", \"vpc_uid\": \"63c11100-5be7-11ee-9b51-0242ac110005\"}, \"message\": \"necessarily concord washer\", \"metadata\": {\"log_name\": \"bowling consistently pgp\", \"log_provider\": \"babies entities stephanie\", \"original_time\": \"weed treasury specifications\", \"product\": {\"lang\": \"en\", \"name\": \"anaheim used riverside\", \"path\": \"volvo expired marketing\", \"uid\": \"63c0f6ac-5be7-11ee-a542-0242ac110005\", \"vendor_name\": \"flowers billing iso\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], 
\"sequence\": 3, \"uid\": \"63c0fbfc-5be7-11ee-82e8-0242ac110005\", \"version\": \"1.0.0\"}, \"proxy\": {\"hostname\": \"problems.org\", \"instance_uid\": \"63c20466-5be7-11ee-a825-0242ac110005\", \"interface_name\": \"probe drugs bonds\", \"interface_uid\": \"63c24e08-5be7-11ee-be10-0242ac110005\", \"name\": \"involve teacher calls\", \"port\": 50284, \"subnet_uid\": \"63c25358-5be7-11ee-a90c-0242ac110005\", \"svc_name\": \"selecting regional enrollment\", \"vlan_uid\": \"63c257fe-5be7-11ee-bca6-0242ac110005\"}, \"server_hassh\": {\"algorithm\": \"shelter remember stickers\", \"fingerprint\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"B23B6D25324F518146005AEA01FD7A7C64EC137532780572E3852F9D8E8556F4\"}}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"hostname\": \"visit.name\", \"instance_uid\": \"63c1c4ec-5be7-11ee-ac25-0242ac110005\", \"interface_name\": \"successful maryland study\", \"ip\": \"67.43.156.0\", \"name\": \"spas enclosure pleased\", \"port\": 63141, \"svc_name\": \"shipment miscellaneous highlights\", \"uid\": \"63c1bb1e-5be7-11ee-b5ab-0242ac110005\", \"vpc_uid\": \"63c1fa70-5be7-11ee-ac6c-0242ac110005\"}, \"status\": \"Failure\", \"status_id\": 2, \"time\": 1695675986429, \"time_dt\": \"2023-09-25T21:06:26.429430Z\", \"timezone_offset\": 88, \"type_name\": \"SSH Activity: Unknown\", \"type_uid\": 400700}", + "related": { + "hosts": [ + "novelty.arpa", + "visit.name" + ], + "ip": [ + "175.16.199.1", + "67.43.156.0" + ] + }, + "source": { + "address": "visit.name", + "domain": "visit.name", + "ip": "67.43.156.0", + "port": 63141, + "registered_domain": "visit.name", + "top_level_domain": "name" + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_8.json b/OCSF/ocsf/tests/test_network_activity_8.json new file mode 100644 index 000000000..168dcb068 --- /dev/null +++ b/OCSF/ocsf/tests/test_network_activity_8.json 
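Review bot: The expected output for this SSH Activity fixture carries no `network.protocol`, even though the input's `class_name` is "SSH Activity" and `network.application` is already populated from `svc_name`; the same gap appears in the FTP Activity fixture in test_network_activity_8.json. If the parser is meant to follow ECS, the application protocol belongs in `network.protocol` (`"protocol": "ssh"` here, `"ftp"` there), which is what detection rules typically pivot on rather than the free-text service name. The `client_hassh`/`server_hassh` fingerprints are presumably left unmapped on purpose since ECS has no field for them, but a short comment in the parser (not the fixture) saying so would save the next reader from hunting for them.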
@@ -0,0 +1,56 @@ +{ + "input": { + "message": "{\"command\": \"moving sensitivity uri\", \"message\": \"cyber flower lyric\", \"port\": 58038, \"status\": \"discussions\", \"type\": \"seller luther nursery\", \"time\": 1695675995262, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"islands unless trivia\", \"version\": \"1.0.0\", \"uid\": \"690566e8-5be7-11ee-bbe6-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"mai insight ws\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"correlation_uid\": \"69056d3c-5be7-11ee-8e34-0242ac110005\", \"log_name\": \"investor direct pickup\", \"log_provider\": \"penn awards fp\", \"original_time\": \"fax pro carries\", \"processed_time\": 1695675995263, \"modified_time_dt\": \"2023-09-25T21:06:35.260101Z\"}, \"connection_info\": {\"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 74}, \"severity\": \"Fatal\", \"disposition\": \"Blocked\", \"type_name\": \"FTP Activity: Unknown\", \"activity_id\": 0, \"disposition_id\": 2, \"type_uid\": 400800, \"category_name\": \"Network Activity\", \"class_uid\": 4008, \"category_uid\": 4, \"class_name\": \"FTP Activity\", \"timezone_offset\": 79, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}, {\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}, {\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}], \"technique\": {\"name\": \"Exploitation for Client Execution\", \"uid\": \"T1203\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Lateral Movement | The adversary is trying to move through your environment.\", \"uid\": \"TA0008\"}, {\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}], \"technique\": 
{\"name\": \"Acquire Infrastructure\", \"uid\": \"T1583\"}}], \"activity_name\": \"Unknown\", \"cloud\": {\"provider\": \"there underwear pitch\"}, \"codes\": [44], \"command_responses\": [\"equations studios metallic\", \"heat designated unto\"], \"dst_endpoint\": {\"port\": 37570, \"ip\": \"67.43.156.0\", \"uid\": \"69057d22-5be7-11ee-b5d1-0242ac110005\", \"hostname\": \"seattle.cat\", \"instance_uid\": \"690581f0-5be7-11ee-8486-0242ac110005\", \"interface_name\": \"towards suzuki opportunities\", \"interface_uid\": \"690585f6-5be7-11ee-a611-0242ac110005\", \"svc_name\": \"meditation qualify finish\", \"vlan_uid\": \"69058a1a-5be7-11ee-bf51-0242ac110005\"}, \"end_time\": 1695675995259, \"severity_id\": 6, \"src_endpoint\": {\"port\": 21528, \"domain\": \"preview lectures oo\", \"uid\": \"6905c674-5be7-11ee-8e5b-0242ac110005\", \"hostname\": \"collectible.firm\", \"instance_uid\": \"6905cb2e-5be7-11ee-bd4d-0242ac110005\", \"interface_name\": \"drives center wondering\", \"interface_uid\": \"6905cf66-5be7-11ee-af73-0242ac110005\", \"intermediate_ips\": [\"67.43.156.0\", \"89.160.20.112\"], \"svc_name\": \"burn mental trembl\", \"vpc_uid\": \"6905d4a2-5be7-11ee-b06b-0242ac110005\"}, \"status_code\": \"certificates\", \"status_id\": 99, \"traffic\": {\"bytes\": 1018309558, \"bytes_out\": 469399752, \"packets\": 3392751261, \"packets_in\": 114291882}, \"end_time_dt\": \"2023-09-25T21:06:35.259215Z\"}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"command\": \"moving sensitivity uri\", \"message\": \"cyber flower lyric\", \"port\": 58038, \"status\": \"discussions\", \"type\": \"seller luther nursery\", \"time\": 1695675995262, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"islands unless trivia\", \"version\": \"1.0.0\", \"uid\": \"690566e8-5be7-11ee-bbe6-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"mai insight ws\"}, \"profiles\": 
[\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"correlation_uid\": \"69056d3c-5be7-11ee-8e34-0242ac110005\", \"log_name\": \"investor direct pickup\", \"log_provider\": \"penn awards fp\", \"original_time\": \"fax pro carries\", \"processed_time\": 1695675995263, \"modified_time_dt\": \"2023-09-25T21:06:35.260101Z\"}, \"connection_info\": {\"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 74}, \"severity\": \"Fatal\", \"disposition\": \"Blocked\", \"type_name\": \"FTP Activity: Unknown\", \"activity_id\": 0, \"disposition_id\": 2, \"type_uid\": 400800, \"category_name\": \"Network Activity\", \"class_uid\": 4008, \"category_uid\": 4, \"class_name\": \"FTP Activity\", \"timezone_offset\": 79, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}, {\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}, {\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}], \"technique\": {\"name\": \"Exploitation for Client Execution\", \"uid\": \"T1203\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Lateral Movement | The adversary is trying to move through your environment.\", \"uid\": \"TA0008\"}, {\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}], \"technique\": {\"name\": \"Acquire Infrastructure\", \"uid\": \"T1583\"}}], \"activity_name\": \"Unknown\", \"cloud\": {\"provider\": \"there underwear pitch\"}, \"codes\": [44], \"command_responses\": [\"equations studios metallic\", \"heat designated unto\"], \"dst_endpoint\": {\"port\": 37570, \"ip\": \"67.43.156.0\", \"uid\": \"69057d22-5be7-11ee-b5d1-0242ac110005\", \"hostname\": \"seattle.cat\", \"instance_uid\": \"690581f0-5be7-11ee-8486-0242ac110005\", \"interface_name\": 
\"towards suzuki opportunities\", \"interface_uid\": \"690585f6-5be7-11ee-a611-0242ac110005\", \"svc_name\": \"meditation qualify finish\", \"vlan_uid\": \"69058a1a-5be7-11ee-bf51-0242ac110005\"}, \"end_time\": 1695675995259, \"severity_id\": 6, \"src_endpoint\": {\"port\": 21528, \"domain\": \"preview lectures oo\", \"uid\": \"6905c674-5be7-11ee-8e5b-0242ac110005\", \"hostname\": \"collectible.firm\", \"instance_uid\": \"6905cb2e-5be7-11ee-bd4d-0242ac110005\", \"interface_name\": \"drives center wondering\", \"interface_uid\": \"6905cf66-5be7-11ee-af73-0242ac110005\", \"intermediate_ips\": [\"67.43.156.0\", \"89.160.20.112\"], \"svc_name\": \"burn mental trembl\", \"vpc_uid\": \"6905d4a2-5be7-11ee-b06b-0242ac110005\"}, \"status_code\": \"certificates\", \"status_id\": 99, \"traffic\": {\"bytes\": 1018309558, \"bytes_out\": 469399752, \"packets\": 3392751261, \"packets_in\": 114291882}, \"end_time_dt\": \"2023-09-25T21:06:35.259215Z\"}", + "event": { + "action": "unknown", + "category": [ + "file" + ], + "end": "2023-09-25T21:06:35.259000Z", + "provider": "penn awards fp", + "severity": 6, + "type": [ + "protocol" + ] + }, + "cloud": { + "provider": "there underwear pitch" + }, + "destination": { + "address": "seattle.cat", + "domain": "seattle.cat", + "ip": "67.43.156.0", + "port": 37570, + "registered_domain": "seattle.cat", + "top_level_domain": "cat" + }, + "network": { + "application": "meditation qualify finish" + }, + "ocsf": "{\"activity_id\": 0, \"activity_name\": \"Unknown\", \"attacks\": [{\"tactics\": [{\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}, {\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}, {\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}], \"technique\": {\"name\": \"Exploitation for Client Execution\", \"uid\": \"T1203\"}, \"version\": \"12.1\"}, {\"tactics\": 
[{\"name\": \"Lateral Movement | The adversary is trying to move through your environment.\", \"uid\": \"TA0008\"}, {\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}], \"technique\": {\"name\": \"Acquire Infrastructure\", \"uid\": \"T1583\"}, \"version\": \"12.1\"}], \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"FTP Activity\", \"class_uid\": 4008, \"cloud\": {\"provider\": \"there underwear pitch\"}, \"codes\": [44], \"command\": \"moving sensitivity uri\", \"command_responses\": [\"equations studios metallic\", \"heat designated unto\"], \"connection_info\": {\"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 74}, \"disposition\": \"Blocked\", \"disposition_id\": 2, \"dst_endpoint\": {\"hostname\": \"seattle.cat\", \"instance_uid\": \"690581f0-5be7-11ee-8486-0242ac110005\", \"interface_name\": \"towards suzuki opportunities\", \"interface_uid\": \"690585f6-5be7-11ee-a611-0242ac110005\", \"ip\": \"67.43.156.0\", \"port\": 37570, \"svc_name\": \"meditation qualify finish\", \"uid\": \"69057d22-5be7-11ee-b5d1-0242ac110005\", \"vlan_uid\": \"69058a1a-5be7-11ee-bf51-0242ac110005\"}, \"end_time\": 1695675995259, \"end_time_dt\": \"2023-09-25T21:06:35.259215Z\", \"message\": \"cyber flower lyric\", \"metadata\": {\"correlation_uid\": \"69056d3c-5be7-11ee-8e34-0242ac110005\", \"log_name\": \"investor direct pickup\", \"log_provider\": \"penn awards fp\", \"modified_time_dt\": \"2023-09-25T21:06:35.260101Z\", \"original_time\": \"fax pro carries\", \"processed_time\": 1695675995263, \"product\": {\"lang\": \"en\", \"name\": \"islands unless trivia\", \"uid\": \"690566e8-5be7-11ee-bbe6-0242ac110005\", \"vendor_name\": \"mai insight ws\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"version\": \"1.0.0\"}, \"port\": 58038, \"severity\": \"Fatal\", \"severity_id\": 6, 
\"src_endpoint\": {\"domain\": \"preview lectures oo\", \"hostname\": \"collectible.firm\", \"instance_uid\": \"6905cb2e-5be7-11ee-bd4d-0242ac110005\", \"interface_name\": \"drives center wondering\", \"interface_uid\": \"6905cf66-5be7-11ee-af73-0242ac110005\", \"intermediate_ips\": [\"67.43.156.0\", \"89.160.20.112\"], \"port\": 21528, \"svc_name\": \"burn mental trembl\", \"uid\": \"6905c674-5be7-11ee-8e5b-0242ac110005\", \"vpc_uid\": \"6905d4a2-5be7-11ee-b06b-0242ac110005\"}, \"status\": \"discussions\", \"status_code\": \"certificates\", \"status_id\": 99, \"time\": 1695675995262, \"timezone_offset\": 79, \"traffic\": {\"bytes\": 1018309558, \"bytes_out\": 469399752, \"packets\": 3392751261, \"packets_in\": 114291882}, \"type\": \"seller luther nursery\", \"type_name\": \"FTP Activity: Unknown\", \"type_uid\": 400800}", + "related": { + "hosts": [ + "collectible.firm", + "seattle.cat" + ], + "ip": [ + "67.43.156.0" + ] + }, + "source": { + "address": "collectible.firm", + "domain": "collectible.firm", + "port": 21528, + "subdomain": "collectible" + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_9.json b/OCSF/ocsf/tests/test_network_activity_9.json new file mode 100644 index 000000000..8163cfdeb --- /dev/null +++ b/OCSF/ocsf/tests/test_network_activity_9.json 
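Review bot: The expected `event.category` here is `["file"]` while `event.type` is `["protocol"]`, which is not a valid ECS pairing: `protocol` is an event type of the `network` category, and the input itself classifies this as `category_name: "Network Activity"` (class_uid 4008, FTP). Either the category should be `["network"]` to match test_network_activity_7.json, or, if the FTP-as-file mapping is deliberate, the type should be one of the file types (`access`, `creation`, …) and the choice documented in the parser. Separately, `src_endpoint.intermediate_ips` contains `89.160.20.112`, which does not surface in `related.ip`, so an analyst searching by that address would miss this event; this is presumably a parser limitation rather than a fixture error, but the fixture currently locks it in.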
@@ -0,0 +1,31 @@ +{ + "input": { + "message": "{\"message\": \"freeware sticks unsigned\", \"status\": \"Success\", \"time\": 1695676021669, \"device\": {\"name\": \"programming apr remark\", \"type\": \"Tablet\", \"os\": {\"name\": \"rfc oman tan\", \"type\": \"macOS\", \"country\": \"Monaco, Principality of\", \"type_id\": 300, \"edition\": \"mortality achievements apparatus\", \"sp_name\": \"advanced addressed bomb\"}, \"ip\": \"175.16.199.1\", \"uid\": \"78c33c0e-5be7-11ee-ba4c-0242ac110005\", \"org\": {\"uid\": \"78c2f8d4-5be7-11ee-b0f0-0242ac110005\", \"ou_name\": \"florence homes divine\", \"ou_uid\": \"78c2fda2-5be7-11ee-9d5a-0242ac110005\"}, \"type_id\": 4, \"instance_uid\": \"78c328c2-5be7-11ee-8cdd-0242ac110005\", \"interface_name\": \"instruments diana nature\", \"interface_uid\": \"78c336c8-5be7-11ee-82fb-0242ac110005\", \"network_interfaces\": [{\"name\": \"sick mobility terrain\", \"type\": \"Wired\", \"ip\": \"175.16.199.1\", \"hostname\": \"buried.museum\", \"mac\": \"8A:A5:A8:8F:C5:1E:88:79\", \"type_id\": 1}, {\"name\": \"wiki philippines quick\", \"type\": \"Unknown\", \"ip\": \"175.16.199.1\", \"hostname\": \"acts.edu\", \"mac\": \"AB:AB:43:8:B2:A1:B7:8\", \"namespace\": \"that rare html\", \"type_id\": 0, \"subnet_prefix\": 34}], \"region\": \"bat johnston disability\", \"created_time_dt\": \"2023-09-25T21:07:01.668193Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"extension\": {\"name\": \"broad fears transfers\", \"version\": \"1.0.0\", \"uid\": \"78c2668a-5be7-11ee-a776-0242ac110005\"}, \"product\": {\"name\": \"civilian clearance powerseller\", \"version\": \"1.0.0\", \"uid\": \"78c28282-5be7-11ee-989a-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"activists berlin dramatically\"}, \"uid\": \"78c29cfe-5be7-11ee-9fb1-0242ac110005\", \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"seats briefly charming\", \"log_provider\": \"sheet satisfaction survey\", \"original_time\": 
\"administered respected angeles\"}, \"severity\": \"Informational\", \"email\": {\"size\": 2106286084, \"uid\": \"78c1ed2c-5be7-11ee-9a21-0242ac110005\", \"from\": \"Han@trans.info\", \"to\": [\"Vernia@tba.edu\", \"Darnell@stereo.nato\"], \"message_uid\": \"78c23354-5be7-11ee-b3ad-0242ac110005\", \"reply_to\": \"Nguyet@quoted.edu\", \"smtp_from\": \"Joyce@lending.org\", \"smtp_to\": [\"Kesha@whose.firm\"]}, \"direction\": \"Unknown\", \"disposition\": \"No Action\", \"type_name\": \"Email Activity: Other\", \"disposition_id\": 16, \"type_uid\": 400999, \"category_name\": \"Network Activity\", \"class_uid\": 4009, \"category_uid\": 4, \"class_name\": \"Email Activity\", \"timezone_offset\": 24, \"raw_data\": \"lakes cycles remainder\", \"cloud\": {\"provider\": \"stick harris italy\", \"region\": \"cj safer should\"}, \"direction_id\": 0, \"end_time\": 1695676021666, \"enrichments\": [{\"data\": {\"healthcare\": \"hddhj\"}, \"name\": \"remind jury laden\", \"type\": \"sale updating poll\", \"value\": \"savings ref bbc\", \"provider\": \"in hurt hl\"}, {\"data\": {\"chubby\": \"7895ss\"}, \"name\": \"force energy satin\", \"value\": \"dogs violation qualified\", \"provider\": \"lie allowance compressed\"}], \"severity_id\": 1, \"smtp_hello\": \"jurisdiction charts prerequisite\", \"status_detail\": \"bm around ranking\", \"status_id\": 1}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"message\": \"freeware sticks unsigned\", \"status\": \"Success\", \"time\": 1695676021669, \"device\": {\"name\": \"programming apr remark\", \"type\": \"Tablet\", \"os\": {\"name\": \"rfc oman tan\", \"type\": \"macOS\", \"country\": \"Monaco, Principality of\", \"type_id\": 300, \"edition\": \"mortality achievements apparatus\", \"sp_name\": \"advanced addressed bomb\"}, \"ip\": \"175.16.199.1\", \"uid\": \"78c33c0e-5be7-11ee-ba4c-0242ac110005\", \"org\": {\"uid\": 
\"78c2f8d4-5be7-11ee-b0f0-0242ac110005\", \"ou_name\": \"florence homes divine\", \"ou_uid\": \"78c2fda2-5be7-11ee-9d5a-0242ac110005\"}, \"type_id\": 4, \"instance_uid\": \"78c328c2-5be7-11ee-8cdd-0242ac110005\", \"interface_name\": \"instruments diana nature\", \"interface_uid\": \"78c336c8-5be7-11ee-82fb-0242ac110005\", \"network_interfaces\": [{\"name\": \"sick mobility terrain\", \"type\": \"Wired\", \"ip\": \"175.16.199.1\", \"hostname\": \"buried.museum\", \"mac\": \"8A:A5:A8:8F:C5:1E:88:79\", \"type_id\": 1}, {\"name\": \"wiki philippines quick\", \"type\": \"Unknown\", \"ip\": \"175.16.199.1\", \"hostname\": \"acts.edu\", \"mac\": \"AB:AB:43:8:B2:A1:B7:8\", \"namespace\": \"that rare html\", \"type_id\": 0, \"subnet_prefix\": 34}], \"region\": \"bat johnston disability\", \"created_time_dt\": \"2023-09-25T21:07:01.668193Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"extension\": {\"name\": \"broad fears transfers\", \"version\": \"1.0.0\", \"uid\": \"78c2668a-5be7-11ee-a776-0242ac110005\"}, \"product\": {\"name\": \"civilian clearance powerseller\", \"version\": \"1.0.0\", \"uid\": \"78c28282-5be7-11ee-989a-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"activists berlin dramatically\"}, \"uid\": \"78c29cfe-5be7-11ee-9fb1-0242ac110005\", \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"seats briefly charming\", \"log_provider\": \"sheet satisfaction survey\", \"original_time\": \"administered respected angeles\"}, \"severity\": \"Informational\", \"email\": {\"size\": 2106286084, \"uid\": \"78c1ed2c-5be7-11ee-9a21-0242ac110005\", \"from\": \"Han@trans.info\", \"to\": [\"Vernia@tba.edu\", \"Darnell@stereo.nato\"], \"message_uid\": \"78c23354-5be7-11ee-b3ad-0242ac110005\", \"reply_to\": \"Nguyet@quoted.edu\", \"smtp_from\": \"Joyce@lending.org\", \"smtp_to\": [\"Kesha@whose.firm\"]}, \"direction\": \"Unknown\", \"disposition\": \"No Action\", \"type_name\": \"Email Activity: Other\", 
\"disposition_id\": 16, \"type_uid\": 400999, \"category_name\": \"Network Activity\", \"class_uid\": 4009, \"category_uid\": 4, \"class_name\": \"Email Activity\", \"timezone_offset\": 24, \"raw_data\": \"lakes cycles remainder\", \"cloud\": {\"provider\": \"stick harris italy\", \"region\": \"cj safer should\"}, \"direction_id\": 0, \"end_time\": 1695676021666, \"enrichments\": [{\"data\": {\"healthcare\": \"hddhj\"}, \"name\": \"remind jury laden\", \"type\": \"sale updating poll\", \"value\": \"savings ref bbc\", \"provider\": \"in hurt hl\"}, {\"data\": {\"chubby\": \"7895ss\"}, \"name\": \"force energy satin\", \"value\": \"dogs violation qualified\", \"provider\": \"lie allowance compressed\"}], \"severity_id\": 1, \"smtp_hello\": \"jurisdiction charts prerequisite\", \"status_detail\": \"bm around ranking\", \"status_id\": 1}", + "event": { + "category": [ + "email" + ], + "end": "2023-09-25T21:07:01.666000Z", + "outcome": "success", + "provider": "sheet satisfaction survey", + "severity": 1, + "type": [ + "info" + ] + }, + "cloud": { + "provider": "stick harris italy", + "region": "cj safer should" + }, + "ocsf": "{\"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Email Activity\", \"class_uid\": 4009, \"cloud\": {\"provider\": \"stick harris italy\", \"region\": \"cj safer should\"}, \"device\": {\"created_time_dt\": \"2023-09-25T21:07:01.668193Z\", \"instance_uid\": \"78c328c2-5be7-11ee-8cdd-0242ac110005\", \"interface_name\": \"instruments diana nature\", \"interface_uid\": \"78c336c8-5be7-11ee-82fb-0242ac110005\", \"ip\": \"175.16.199.1\", \"name\": \"programming apr remark\", \"network_interfaces\": [{\"hostname\": \"buried.museum\", \"ip\": \"175.16.199.1\", \"mac\": \"8A:A5:A8:8F:C5:1E:88:79\", \"name\": \"sick mobility terrain\", \"type\": \"Wired\", \"type_id\": 1}, {\"hostname\": \"acts.edu\", \"ip\": \"175.16.199.1\", \"mac\": \"AB:AB:43:8:B2:A1:B7:8\", \"name\": \"wiki philippines quick\", \"namespace\": \"that 
rare html\", \"subnet_prefix\": 34, \"type\": \"Unknown\", \"type_id\": 0}], \"org\": {\"ou_name\": \"florence homes divine\", \"ou_uid\": \"78c2fda2-5be7-11ee-9d5a-0242ac110005\", \"uid\": \"78c2f8d4-5be7-11ee-b0f0-0242ac110005\"}, \"os\": {\"country\": \"Monaco, Principality of\", \"edition\": \"mortality achievements apparatus\", \"name\": \"rfc oman tan\", \"sp_name\": \"advanced addressed bomb\", \"type\": \"macOS\", \"type_id\": 300}, \"region\": \"bat johnston disability\", \"type\": \"Tablet\", \"type_id\": 4, \"uid\": \"78c33c0e-5be7-11ee-ba4c-0242ac110005\"}, \"direction\": \"Unknown\", \"direction_id\": 0, \"disposition\": \"No Action\", \"disposition_id\": 16, \"email\": {\"from\": \"Han@trans.info\", \"message_uid\": \"78c23354-5be7-11ee-b3ad-0242ac110005\", \"reply_to\": \"Nguyet@quoted.edu\", \"size\": 2106286084, \"smtp_from\": \"Joyce@lending.org\", \"smtp_to\": [\"Kesha@whose.firm\"], \"to\": [\"Vernia@tba.edu\", \"Darnell@stereo.nato\"], \"uid\": \"78c1ed2c-5be7-11ee-9a21-0242ac110005\"}, \"end_time\": 1695676021666, \"enrichments\": [{\"data\": {\"healthcare\": \"hddhj\"}, \"name\": \"remind jury laden\", \"provider\": \"in hurt hl\", \"type\": \"sale updating poll\", \"value\": \"savings ref bbc\"}, {\"data\": {\"chubby\": \"7895ss\"}, \"name\": \"force energy satin\", \"provider\": \"lie allowance compressed\", \"value\": \"dogs violation qualified\"}], \"message\": \"freeware sticks unsigned\", \"metadata\": {\"extension\": {\"name\": \"broad fears transfers\", \"uid\": \"78c2668a-5be7-11ee-a776-0242ac110005\", \"version\": \"1.0.0\"}, \"log_name\": \"seats briefly charming\", \"log_provider\": \"sheet satisfaction survey\", \"original_time\": \"administered respected angeles\", \"product\": {\"lang\": \"en\", \"name\": \"civilian clearance powerseller\", \"uid\": \"78c28282-5be7-11ee-989a-0242ac110005\", \"vendor_name\": \"activists berlin dramatically\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", 
\"host\", \"security_control\"], \"uid\": \"78c29cfe-5be7-11ee-9fb1-0242ac110005\", \"version\": \"1.0.0\"}, \"raw_data\": \"lakes cycles remainder\", \"severity\": \"Informational\", \"severity_id\": 1, \"smtp_hello\": \"jurisdiction charts prerequisite\", \"status\": \"Success\", \"status_detail\": \"bm around ranking\", \"status_id\": 1, \"time\": 1695676021669, \"timezone_offset\": 24, \"type_name\": \"Email Activity: Other\", \"type_uid\": 400999}" + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_process_activity.json b/OCSF/ocsf/tests/test_process_activity.json deleted file mode 100644 index dd3892085..000000000 --- a/OCSF/ocsf/tests/test_process_activity.json +++ /dev/null 
@@ -1,141 +0,0 @@ -{ - "input": { - "message": "{\"message\": \"ln centered engaged\", \"process\": {\"name\": \"Christine\", \"pid\": 49, \"file\": {\"name\": \"capture.key\", \"type\": \"Named Pipe\", \"path\": \"retrieval result greece/cooking.dds/capture.key\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"pac olympus bs\", \"issuer\": \"noble medal hay\", \"fingerprints\": [{\"value\": \"07A7C43357C379B3AE9EF43EF042D2A9741BE1BED49FBC735D4A00A6C2FCDABB\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1703680986265475, \"expiration_time\": 1703680986265487, \"serial_number\": \"po anna nudist\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"type_id\": 6, \"accessor\": {\"name\": \"Tools\", \"type\": \"impaired\", \"domain\": \"style mining rob\", \"type_id\": 99, \"full_name\": \"Ezra Carolyn\"}, \"creator\": {\"name\": \"Permits\", \"type\": \"System\", \"uid\": \"7b797c12-a4b5-11ee-ac2e-0242ac110004\", \"org\": {\"name\": \"goods hebrew tops\", \"uid\": \"7b798234-a4b5-11ee-9a21-0242ac110004\", \"ou_name\": \"horses titles sensor\", \"ou_uid\": \"7b798fb8-a4b5-11ee-baaa-0242ac110004\"}, \"groups\": [{\"name\": \"checking say elimination\", \"type\": \"protein rush spirituality\", \"uid\": \"7b7997c4-a4b5-11ee-b340-0242ac110004\"}, {\"name\": \"amd wc entering\", \"type\": \"strengths charge airport\", \"uid\": \"7b79a106-a4b5-11ee-b7d4-0242ac110004\"}], \"type_id\": 3, \"credential_uid\": \"7b79a5de-a4b5-11ee-bdf5-0242ac110004\"}, \"parent_folder\": \"retrieval result greece/cooking.dds\", \"security_descriptor\": \"relates competition influences\"}, \"user\": {\"type\": \"User\", \"domain\": \"rich fascinating babies\", \"uid\": \"7b79b0d8-a4b5-11ee-9d3b-0242ac110004\", \"type_id\": 1}, \"uid\": \"7b79ba2e-a4b5-11ee-9da9-0242ac110004\", \"session\": {\"uid\": \"7b79bfe2-a4b5-11ee-9790-0242ac110004\", \"uuid\": \"7b79c348-a4b5-11ee-a78e-0242ac110004\", \"issuer\": \"acquire soundtrack dentists\", 
\"created_time\": 1703680986267749, \"expiration_time\": 1703680986267759, \"is_remote\": false}, \"cmd_line\": \"template photographs thickness\", \"created_time\": 1703680986267769, \"parent_process\": {\"name\": \"Norway\", \"pid\": 97, \"file\": {\"attributes\": 20, \"name\": \"graduates.xlr\", \"type\": \"Character Device\", \"path\": \"dj hat sacrifice/anthropology.xml/graduates.xlr\", \"desc\": \"wife richardson tough\", \"type_id\": 3, \"accessor\": {\"name\": \"Walker\", \"type\": \"User\", \"domain\": \"adaptive vocal connect\", \"uid\": \"7b79d72a-a4b5-11ee-9491-0242ac110004\", \"type_id\": 1, \"credential_uid\": \"7b79db26-a4b5-11ee-9622-0242ac110004\"}, \"parent_folder\": \"dj hat sacrifice/anthropology.xml\", \"hashes\": [{\"value\": \"EF7CC4A402D8013B9E9699D07CBC14E3C55F5C5077C0E966DE86C3EE2751C748AEFF871E8DF294BCF1EA48DAC792946F2059A9A61F8BCB009BAC23FBEE1874CB\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"2E7435702BABF778619110BEFDD08E463FD9D525111EBEB5B7B7C35582EC89818D1758C14029D6962C0CA58552B0516B1C3D4AFCC3A9B8E655F57842FBA4B305\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": false}, \"user\": {\"name\": \"Examples\", \"type\": \"User\", \"type_id\": 1, \"uid_alt\": \"headers yo regard\"}, \"uid\": \"7b79eda0-a4b5-11ee-b42e-0242ac110004\", \"session\": {\"uid\": \"7b79f30e-a4b5-11ee-ba3b-0242ac110004\", \"issuer\": \"incoming execute acdbentity\", \"created_time\": 1703680986268969, \"is_remote\": false}, \"cmd_line\": \"assessed he compaq\", \"created_time\": 1703680986268986, \"parent_process\": {\"name\": \"Zinc\", \"pid\": 58, \"file\": {\"attributes\": 74, \"name\": \"poverty.pdb\", \"type\": \"interests\", \"path\": \"besides fail stays/price.csr/poverty.pdb\", \"type_id\": 99, \"creator\": {\"name\": \"Succeed\", \"type\": \"Unknown\", \"domain\": \"tutorial niger essentially\", \"uid\": \"7b7a0682-a4b5-11ee-8137-0242ac110004\", \"type_id\": 0, \"uid_alt\": \"keeps face grain\"}, 
\"parent_folder\": \"besides fail stays/price.csr\", \"accessed_time\": 1703680986269471, \"hashes\": [{\"value\": \"DE27F1003BAC8F2CFA275C185BFCB7AF130EC26C2A381565EF1E0D53561298D740AE99098293A5DA2D77E710184E30BB3AC29B571921CEC6D9466DF5747EACEE\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"2CB1B780138BC273459232EDDA0E4B96\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"user\": {\"name\": \"Sheep\", \"type\": \"Unknown\", \"domain\": \"delivery commented support\", \"type_id\": 0, \"full_name\": \"Kiyoko Dominic\", \"email_addr\": \"Felicita@luxury.edu\", \"uid_alt\": \"gibson ga proprietary\"}, \"uid\": \"7b7a2054-a4b5-11ee-a6b9-0242ac110004\", \"cmd_line\": \"muscle performing worry\", \"created_time\": 1703680986270129, \"xattributes\": {}}}}, \"time\": 1703680986272045, \"device\": {\"name\": \"evening conditions deny\", \"type\": \"Mobile\", \"ip\": \"15.108.66.75\", \"hostname\": \"nurse.coop\", \"mac\": \"BB:9D:1F:28:EF:88:89:59\", \"type_id\": 5, \"instance_uid\": \"7b7a5902-a4b5-11ee-9f52-0242ac110004\", \"interface_name\": \"label ok research\", \"interface_uid\": \"7b7a649c-a4b5-11ee-89b8-0242ac110004\", \"is_compliant\": true, \"is_personal\": false, \"modified_time\": 1703680986272022, \"region\": \"lender scenarios lawyers\", \"subnet_uid\": \"7b7a6abe-a4b5-11ee-974d-0242ac110004\", \"uid_alt\": \"fifty acres evanescence\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"satisfied believe eq\", \"version\": \"1.0.0\", \"path\": \"arabic reg noise\", \"uid\": \"7b7a2f72-a4b5-11ee-9478-0242ac110004\", \"lang\": \"en\", \"url_string\": \"dumb\", \"vendor_name\": \"stunning reviewed climbing\"}, \"profiles\": [], \"log_name\": \"gpl saving steven\", \"log_provider\": \"weak inquiry relation\", \"original_time\": \"florists alot midlands\"}, \"severity\": \"Unknown\", \"type_name\": \"Process Activity: Launch\", \"category_name\": \"System Activity\", \"activity_id\": 1, \"type_uid\": 100701, \"class_uid\": 1007, 
\"category_uid\": 1, \"class_name\": \"Process Activity\", \"timezone_offset\": 96, \"activity_name\": \"Launch\", \"actor\": {\"user\": {\"name\": \"Aluminum\", \"type\": \"System\", \"uid\": \"7b7a45ca-a4b5-11ee-9086-0242ac110004\", \"type_id\": 3}, \"invoked_by\": \"montreal cisco legal\"}, \"severity_id\": 0}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"message\": \"ln centered engaged\", \"process\": {\"name\": \"Christine\", \"pid\": 49, \"file\": {\"name\": \"capture.key\", \"type\": \"Named Pipe\", \"path\": \"retrieval result greece/cooking.dds/capture.key\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"pac olympus bs\", \"issuer\": \"noble medal hay\", \"fingerprints\": [{\"value\": \"07A7C43357C379B3AE9EF43EF042D2A9741BE1BED49FBC735D4A00A6C2FCDABB\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1703680986265475, \"expiration_time\": 1703680986265487, \"serial_number\": \"po anna nudist\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"type_id\": 6, \"accessor\": {\"name\": \"Tools\", \"type\": \"impaired\", \"domain\": \"style mining rob\", \"type_id\": 99, \"full_name\": \"Ezra Carolyn\"}, \"creator\": {\"name\": \"Permits\", \"type\": \"System\", \"uid\": \"7b797c12-a4b5-11ee-ac2e-0242ac110004\", \"org\": {\"name\": \"goods hebrew tops\", \"uid\": \"7b798234-a4b5-11ee-9a21-0242ac110004\", \"ou_name\": \"horses titles sensor\", \"ou_uid\": \"7b798fb8-a4b5-11ee-baaa-0242ac110004\"}, \"groups\": [{\"name\": \"checking say elimination\", \"type\": \"protein rush spirituality\", \"uid\": \"7b7997c4-a4b5-11ee-b340-0242ac110004\"}, {\"name\": \"amd wc entering\", \"type\": \"strengths charge airport\", \"uid\": \"7b79a106-a4b5-11ee-b7d4-0242ac110004\"}], \"type_id\": 3, \"credential_uid\": \"7b79a5de-a4b5-11ee-bdf5-0242ac110004\"}, \"parent_folder\": \"retrieval result greece/cooking.dds\", 
\"security_descriptor\": \"relates competition influences\"}, \"user\": {\"type\": \"User\", \"domain\": \"rich fascinating babies\", \"uid\": \"7b79b0d8-a4b5-11ee-9d3b-0242ac110004\", \"type_id\": 1}, \"uid\": \"7b79ba2e-a4b5-11ee-9da9-0242ac110004\", \"session\": {\"uid\": \"7b79bfe2-a4b5-11ee-9790-0242ac110004\", \"uuid\": \"7b79c348-a4b5-11ee-a78e-0242ac110004\", \"issuer\": \"acquire soundtrack dentists\", \"created_time\": 1703680986267749, \"expiration_time\": 1703680986267759, \"is_remote\": false}, \"cmd_line\": \"template photographs thickness\", \"created_time\": 1703680986267769, \"parent_process\": {\"name\": \"Norway\", \"pid\": 97, \"file\": {\"attributes\": 20, \"name\": \"graduates.xlr\", \"type\": \"Character Device\", \"path\": \"dj hat sacrifice/anthropology.xml/graduates.xlr\", \"desc\": \"wife richardson tough\", \"type_id\": 3, \"accessor\": {\"name\": \"Walker\", \"type\": \"User\", \"domain\": \"adaptive vocal connect\", \"uid\": \"7b79d72a-a4b5-11ee-9491-0242ac110004\", \"type_id\": 1, \"credential_uid\": \"7b79db26-a4b5-11ee-9622-0242ac110004\"}, \"parent_folder\": \"dj hat sacrifice/anthropology.xml\", \"hashes\": [{\"value\": \"EF7CC4A402D8013B9E9699D07CBC14E3C55F5C5077C0E966DE86C3EE2751C748AEFF871E8DF294BCF1EA48DAC792946F2059A9A61F8BCB009BAC23FBEE1874CB\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"2E7435702BABF778619110BEFDD08E463FD9D525111EBEB5B7B7C35582EC89818D1758C14029D6962C0CA58552B0516B1C3D4AFCC3A9B8E655F57842FBA4B305\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": false}, \"user\": {\"name\": \"Examples\", \"type\": \"User\", \"type_id\": 1, \"uid_alt\": \"headers yo regard\"}, \"uid\": \"7b79eda0-a4b5-11ee-b42e-0242ac110004\", \"session\": {\"uid\": \"7b79f30e-a4b5-11ee-ba3b-0242ac110004\", \"issuer\": \"incoming execute acdbentity\", \"created_time\": 1703680986268969, \"is_remote\": false}, \"cmd_line\": \"assessed he compaq\", \"created_time\": 1703680986268986, 
\"parent_process\": {\"name\": \"Zinc\", \"pid\": 58, \"file\": {\"attributes\": 74, \"name\": \"poverty.pdb\", \"type\": \"interests\", \"path\": \"besides fail stays/price.csr/poverty.pdb\", \"type_id\": 99, \"creator\": {\"name\": \"Succeed\", \"type\": \"Unknown\", \"domain\": \"tutorial niger essentially\", \"uid\": \"7b7a0682-a4b5-11ee-8137-0242ac110004\", \"type_id\": 0, \"uid_alt\": \"keeps face grain\"}, \"parent_folder\": \"besides fail stays/price.csr\", \"accessed_time\": 1703680986269471, \"hashes\": [{\"value\": \"DE27F1003BAC8F2CFA275C185BFCB7AF130EC26C2A381565EF1E0D53561298D740AE99098293A5DA2D77E710184E30BB3AC29B571921CEC6D9466DF5747EACEE\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"2CB1B780138BC273459232EDDA0E4B96\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"user\": {\"name\": \"Sheep\", \"type\": \"Unknown\", \"domain\": \"delivery commented support\", \"type_id\": 0, \"full_name\": \"Kiyoko Dominic\", \"email_addr\": \"Felicita@luxury.edu\", \"uid_alt\": \"gibson ga proprietary\"}, \"uid\": \"7b7a2054-a4b5-11ee-a6b9-0242ac110004\", \"cmd_line\": \"muscle performing worry\", \"created_time\": 1703680986270129, \"xattributes\": {}}}}, \"time\": 1703680986272045, \"device\": {\"name\": \"evening conditions deny\", \"type\": \"Mobile\", \"ip\": \"15.108.66.75\", \"hostname\": \"nurse.coop\", \"mac\": \"BB:9D:1F:28:EF:88:89:59\", \"type_id\": 5, \"instance_uid\": \"7b7a5902-a4b5-11ee-9f52-0242ac110004\", \"interface_name\": \"label ok research\", \"interface_uid\": \"7b7a649c-a4b5-11ee-89b8-0242ac110004\", \"is_compliant\": true, \"is_personal\": false, \"modified_time\": 1703680986272022, \"region\": \"lender scenarios lawyers\", \"subnet_uid\": \"7b7a6abe-a4b5-11ee-974d-0242ac110004\", \"uid_alt\": \"fifty acres evanescence\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"satisfied believe eq\", \"version\": \"1.0.0\", \"path\": \"arabic reg noise\", \"uid\": \"7b7a2f72-a4b5-11ee-9478-0242ac110004\", 
\"lang\": \"en\", \"url_string\": \"dumb\", \"vendor_name\": \"stunning reviewed climbing\"}, \"profiles\": [], \"log_name\": \"gpl saving steven\", \"log_provider\": \"weak inquiry relation\", \"original_time\": \"florists alot midlands\"}, \"severity\": \"Unknown\", \"type_name\": \"Process Activity: Launch\", \"category_name\": \"System Activity\", \"activity_id\": 1, \"type_uid\": 100701, \"class_uid\": 1007, \"category_uid\": 1, \"class_name\": \"Process Activity\", \"timezone_offset\": 96, \"activity_name\": \"Launch\", \"actor\": {\"user\": {\"name\": \"Aluminum\", \"type\": \"System\", \"uid\": \"7b7a45ca-a4b5-11ee-9086-0242ac110004\", \"type_id\": 3}, \"invoked_by\": \"montreal cisco legal\"}, \"severity_id\": 0}", - "event": { - "action": "launch", - "category": [ - "process" - ], - "kind": "event", - "provider": "weak inquiry relation", - "severity": 0, - "type": [ - "start" - ] - }, - "host": { - "mac": [ - "null" - ] - }, - "ocsf": { - "activity_id": 1, - "activity_name": "Launch", - "actor": { - "invoked_by": "montreal cisco legal", - "user": { - "type": "System", - "type_id": "3" - } - }, - "category_name": "System Activity", - "category_uid": 1, - "class_name": "Process Activity", - "class_uid": "1007", - "device": { - "instance_uid": "7b7a5902-a4b5-11ee-9f52-0242ac110004", - "interface_name": "label ok research", - "interface_uid": "7b7a649c-a4b5-11ee-89b8-0242ac110004", - "is_compliant": true, - "is_personal": false, - "modified_time": 1703680986272022, - "region": "lender scenarios lawyers", - "subnet_uid": "7b7a6abe-a4b5-11ee-974d-0242ac110004", - "type_id": "5", - "uid_alt": "fifty acres evanescence" - }, - "metadata": { - "log_name": "gpl saving steven", - "original_time": "florists alot midlands", - "product": { - "lang": "en", - "name": "satisfied believe eq", - "path": "arabic reg noise", - "uid": "7b7a2f72-a4b5-11ee-9478-0242ac110004", - "url_string": "dumb", - "vendor_name": "stunning reviewed climbing", - "version": "1.0.0" - }, - 
"profiles": [], - "version": "1.0.0" - }, - "process": { - "file": { - "creator": { - "groups": [ - {}, - {} - ] - }, - "signature": { - "certificate": { - "fingerprints": [ - {} - ] - } - } - }, - "parent_process": { - "file": { - "hashes": [ - {}, - {} - ] - }, - "parent_process": { - "file": { - "hashes": [ - {}, - {} - ] - } - } - } - }, - "severity": "Unknown", - "timezone_offset": 96, - "type_name": "Process Activity: Launch", - "type_uid": "100701" - }, - "process": { - "group": { - "id": [ - "null" - ] - }, - "parent": { - "group": { - "id": [ - "null" - ] - }, - "user": { - "id": [ - "null" - ] - } - }, - "user": { - "id": [ - "null" - ] - } - }, - "sekoiaio": { - "intake": { - "parsing_warnings": [ - "Cannot set field 'host.ip' with given definition in stage 'pipeline_object_device'. Cannot convert value in field 'host.ip' to type 'ip'" - ] - } - } - } -} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_system_activity_1.json b/OCSF/ocsf/tests/test_system_activity_1.json new file mode 100644 index 000000000..83ded18ae --- /dev/null +++ b/OCSF/ocsf/tests/test_system_activity_1.json 
@@ -0,0 +1,27 @@ +{ + "input": { + "message": "{\"message\": \"aug brought masters\", \"status\": \"same\", \"time\": 1695272181548, \"file\": {\"name\": \"phi.tar\", \"type\": \"Named Pipe\", \"path\": \"basement neighborhood nelson/pointer.mpa/phi.tar\", \"product\": {\"name\": \"judgment mel mental\", \"version\": \"1.0.0\", \"uid\": \"3576c3d0-583b-11ee-8a0f-0242ac110005\", \"vendor_name\": \"isp semiconductor screens\"}, \"type_id\": 666, \"parent_folder\": \"basement neighborhood nelson/pointer.mpa\", \"accessed_time\": 1695272181548, \"hashes\": [{\"value\": \"FA9D6D9F8C1E928F43F4CA3DEF6EC2D485AA60CDD4DF04348144D38434095D54EADA230FB5E8BE2A17FD91AEEFC38B4E2AD08D863F260E6244F56873701A53EE\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"device\": {\"name\": \"spirits since tours\", \"type\": \"Browser\", \"os\": {\"name\": \"mess deposits scary\", \"type\": \"HP-UX\", \"type_id\": 402, \"sp_ver\": 35}, \"ip\": \"1.128.0.0\", \"desc\": \"gene screens plenty\", \"uid\": \"3575127e-583b-11ee-b9cf-0242ac110005\", \"image\": {\"name\": \"aol interest statutes\", \"tag\": \"history afraid vcr\", \"path\": \"breaks contrary navigation\", \"uid\": \"3574fc30-583b-11ee-a7af-0242ac110005\"}, \"groups\": [{\"name\": \"spent disclaimer locks\", \"uid\": \"3575019e-583b-11ee-8751-0242ac110005\", \"privileges\": [\"seems freeware tire\"]}, {\"name\": \"stereo thousand cnet\", \"uid\": \"357505d6-583b-11ee-8d50-0242ac110005\"}], \"type_id\": 8, \"subnet\": \"130.109.0.0/16\", \"hypervisor\": \"barbados lcd electoral\", \"instance_uid\": \"3574eefc-583b-11ee-aedd-0242ac110005\", \"interface_name\": \"cleveland households subsidiaries\", \"interface_uid\": \"3574f352-583b-11ee-89fa-0242ac110005\", \"is_managed\": true, \"region\": \"survival statewide blog\", \"risk_score\": 17, \"subnet_uid\": \"3574e7c2-583b-11ee-8763-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"frederick avoiding settlement\", \"version\": \"1.0.0\", 
\"uid\": \"3574dd04-583b-11ee-9dd6-0242ac110005\", \"lang\": \"en\", \"url_string\": \"subscribers\", \"vendor_name\": \"biographies charts a\"}, \"sequence\": 36, \"profiles\": [], \"log_name\": \"benefits observe block\", \"log_provider\": \"apr applies bought\", \"original_time\": \"basement receipt forces\"}, \"severity\": \"High\", \"type_name\": \"File System Activity: Rename\", \"activity_id\": 5, \"type_uid\": 100105, \"category_name\": \"System Activity\", \"class_uid\": 1001, \"category_uid\": 1, \"class_name\": \"File System Activity\", \"timezone_offset\": 14, \"activity_name\": \"Rename\", \"actor\": {\"process\": {\"name\": \"Http\", \"pid\": 39, \"file\": {\"name\": \"with.com\", \"type\": \"Symbolic Link\", \"path\": \"fact nick marilyn/wives.iso/with.com\", \"type_id\": 7, \"parent_folder\": \"fact nick marilyn/wives.iso\", \"confidentiality\": \"microphone ingredients everybody\", \"hashes\": [{\"value\": \"5448F2E81D8402BD06F1B7A1F25A23A09CF423B5C17631EDC1CB3A06C6135BEA\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"DB43BDA2E28D2B02E0F94993E11FF5A6A49D0E62D62834916C0F623B00401D7C1848EDA3BD47A48ACE755F0AF75D3D92850EEDDD011B6B3ED4D93BA15953F9AD\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Proxy\", \"type\": \"User\", \"domain\": \"canal emerald dry\", \"uid\": \"35752d18-583b-11ee-8e91-0242ac110005\", \"type_id\": 1, \"full_name\": \"Kitty Sabine\", \"account\": {\"name\": \"findarticles awards error\", \"type\": \"AWS IAM User\", \"uid\": \"357534b6-583b-11ee-acbb-0242ac110005\", \"type_id\": 3}, \"email_addr\": \"Dotty@bg.info\", \"uid_alt\": \"mature botswana advisory\"}, \"uid\": \"357539de-583b-11ee-808d-0242ac110005\", \"cmd_line\": \"dd apple updating\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Olympic\", \"file\": {\"name\": \"chrysler.pages\", \"type\": \"Character Device\", \"path\": \"jesus cattle cave/remainder.iso/chrysler.pages\", \"desc\": \"claims runtime 
directories\", \"uid\": \"3575485c-583b-11ee-b07c-0242ac110005\", \"type_id\": 3, \"company_name\": \"Esta Malena\", \"parent_folder\": \"jesus cattle cave/remainder.iso\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"0983A0F9D6FE6015A7EB984C4D51C74EC818D6B4B2EA630CA2794A51512BEA5EC489606DAA019CA34D4CA678FF154530DBF2211DC9AD7D058363D7630F3AF2B8\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695272181548, \"security_descriptor\": \"motels derby subtle\"}, \"user\": {\"name\": \"Salvador\", \"type\": \"Admin\", \"uid\": \"357551a8-583b-11ee-9f3a-0242ac110005\", \"groups\": [{\"name\": \"admissions throughout scope\", \"uid\": \"357556c6-583b-11ee-a761-0242ac110005\"}], \"type_id\": 2, \"email_addr\": \"Georgeann@compounds.org\"}, \"cmd_line\": \"regardless discussed gb\", \"created_time\": 1695272181548, \"integrity\": \"eat\", \"integrity_id\": 99, \"lineage\": [\"ff encoding towns\", \"alter reservoir drums\"], \"parent_process\": {\"pid\": 24, \"user\": {\"type\": \"dealer\", \"uid\": \"3575612a-583b-11ee-8729-0242ac110005\", \"type_id\": 99, \"account\": {\"name\": \"lisa avoiding grade\", \"type\": \"Mac OS Account\", \"uid\": \"35756968-583b-11ee-adc7-0242ac110005\", \"type_id\": 7}}, \"tid\": 17, \"uid\": \"35756e18-583b-11ee-8658-0242ac110005\", \"cmd_line\": \"step bernard quiet\", \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Schedules\", \"pid\": 64, \"file\": {\"attributes\": 59, \"name\": \"expectations.sh\", \"size\": 3829463934, \"type\": \"Named Pipe\", \"path\": \"their haven interact/president.log/expectations.sh\", \"type_id\": 6, \"company_name\": \"Johnny Kenia\", \"parent_folder\": \"their haven interact/president.log\", \"hashes\": [{\"value\": \"673864FF7BB72B5CB7535BD3C797DAE6BCDCE37BB6E0BD9D6EDDB8205EE636ACCA593394B1827FD62DAEC350638203EC5021A55A87B54D3BD4E0391CCACFA7B5\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": 
\"DA377EE2C5138BD0042100780B04CFB9752DD077344B2CBCACFFBEA5D94D0BB095E7314616D60350025F9E6489D6CBF9FA4C1D07CA52AB9C364397B6A6DB1426\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"is_system\": true}, \"user\": {\"name\": \"Gun\", \"type\": \"User\", \"uid\": \"35757fde-583b-11ee-8426-0242ac110005\", \"org\": {\"name\": \"suitable bother k\", \"uid\": \"357584f2-583b-11ee-b957-0242ac110005\", \"ou_name\": \"signals pixel questions\"}, \"type_id\": 1}, \"uid\": \"35758902-583b-11ee-9a1c-0242ac110005\", \"cmd_line\": \"sons eur fence\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Best\", \"pid\": 51, \"user\": {\"name\": \"Wrapping\", \"type\": \"Unknown\", \"uid\": \"357599c4-583b-11ee-839a-0242ac110005\", \"type_id\": 0, \"email_addr\": \"Valene@water.aero\"}, \"tid\": 72, \"uid\": \"3575a158-583b-11ee-a0c1-0242ac110005\", \"loaded_modules\": [\"/par/addresses/isle/blink/utils.3ds\", \"/conventions/market/normal/lease/absolute.tar.gz\"], \"cmd_line\": \"optional icq refresh\", \"created_time\": 1695272181548, \"integrity\": \"Medium\", \"integrity_id\": 3, \"lineage\": [\"marco danny survival\"], \"parent_process\": {\"name\": \"Expo\", \"pid\": 70, \"file\": {\"attributes\": 73, \"name\": \"wagner.hqx\", \"type\": \"Folder\", \"path\": \"nest communist anthony/tri.tex/wagner.hqx\", \"type_id\": 2, \"parent_folder\": \"nest communist anthony/tri.tex\"}, \"user\": {\"name\": \"Vehicles\", \"type\": \"Unknown\", \"uid\": \"3575b594-583b-11ee-ad61-0242ac110005\", \"groups\": [{\"name\": \"attention horrible saved\", \"type\": \"clinical integration find\"}], \"type_id\": 0, \"uid_alt\": \"immigrants vegetables names\"}, \"uid\": \"3575bbde-583b-11ee-a34c-0242ac110005\", \"cmd_line\": \"furnishings oo elderly\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Gis\", \"pid\": 7, \"file\": {\"name\": \"conviction.dem\", \"owner\": {\"name\": \"Founded\", \"type\": \"System\", \"groups\": [{\"name\": \"picked physicians 
sponsored\", \"uid\": \"3575cc6e-583b-11ee-9fc6-0242ac110005\"}, {\"name\": \"theft os finished\", \"type\": \"baking how furnished\", \"desc\": \"consistent remind intel\", \"uid\": \"3575d2cc-583b-11ee-9bd2-0242ac110005\", \"privileges\": [\"moscow whom catalogue\", \"bar distant sitting\"]}], \"type_id\": 3}, \"type\": \"Regular File\", \"path\": \"lesbian consistent policy/house.crdownload/conviction.dem\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"equivalent fuzzy password\", \"issuer\": \"rom ge xml\", \"fingerprints\": [{\"value\": \"4AE524EF0A54BC56E3844482DFF66D3DD1C07170A36531500327556E4EB58A66\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"2D3C087352251B27B4B883E464997A204BC6990478F6ADA51535ED9C87BB9BD65BB98AF4BCF9442E5126A77E0D6984B1596D2253167232DA8AC3415D7FB47186\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"streets missouri stack\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"type_id\": 1, \"company_name\": \"Agatha Bridget\", \"parent_folder\": \"lesbian consistent policy/house.crdownload\", \"hashes\": [{\"value\": \"7C44A3A14F05688E4AC527919744E64B96B371173856D178D72F65DAB3DC8EE7563B5E05EE7F625263083247F54503AD771DB5F66B3C9F9216B95114BA6BFCCB\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"security_descriptor\": \"blank special atm\"}, \"user\": {\"name\": \"Sec\", \"type\": \"Unknown\", \"uid\": \"3575f450-583b-11ee-b6bb-0242ac110005\", \"org\": {\"name\": \"delayed cables leads\", \"uid\": \"3575f964-583b-11ee-8c61-0242ac110005\"}, \"type_id\": 0, \"full_name\": \"Katheryn Dario\", \"uid_alt\": \"room suicide poem\"}, \"uid\": \"3575fdb0-583b-11ee-aeb9-0242ac110005\", \"cmd_line\": \"japan sells jeans\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Decrease\", \"pid\": 59, \"file\": {\"name\": \"structural.swf\", \"size\": 688932239, \"type\": \"customs\", \"path\": 
\"fwd various rr/harper.tar.gz/structural.swf\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"ordering ou explanation\", \"issuer\": \"truck rings arrivals\", \"fingerprints\": [{\"value\": \"D9B2FE68B6C253E250B14667FE79D988B4D2AC568F7FD62357330B906C30A49D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"EBD7275B8E016156D5C802AA81EF32823EF0D89B944B062044092C012CDD5078AF0362403420AB2DD96D282058889BCC6484F8FC42C61C29774AB18337A40FD9\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"expiration_time\": 1695272181548, \"serial_number\": \"rd throw preliminary\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1, \"created_time\": 1695272181548}, \"type_id\": 99, \"parent_folder\": \"fwd various rr/harper.tar.gz\", \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"value\": \"9392895322BB82C443FB155DA3D787E63B9CFF61E9725327EA2B4FAFE964C306117CB523AEBA0D2D8CDF029592125C16C1F892E88D80F9888D7031FD2974B8DE\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"type\": \"Admin\", \"domain\": \"sydney initiatives plymouth\", \"uid\": \"35761822-583b-11ee-beb2-0242ac110005\", \"type_id\": 2, \"full_name\": \"Theron Augustine\"}, \"tid\": 80, \"uid\": \"35761c82-583b-11ee-b824-0242ac110005\", \"cmd_line\": \"terry ld apple\", \"created_time\": 1695272181548, \"lineage\": [\"ts initial roses\", \"wicked sm especially\"], \"parent_process\": {\"pid\": 96, \"file\": {\"name\": \"fcc.gz\", \"type\": \"Local Socket\", \"path\": \"webcast invention brandon/thumbnail.rm/fcc.gz\", \"signature\": {\"digest\": {\"value\": \"F28E98CA59479136BFC3E11371555CF78BDEDDF0332D62DD063B794024CC5C4FE13F9EA7BA6BCE31550B8B7DEFFB31BF20E54B6C1095A68E8E18A26F91C0E838\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"previous furthermore create\", \"issuer\": \"kids permissions cosmetic\", \"fingerprints\": [{\"value\": 
\"C9E4D5C19777C2E695975FB5FE0D92C5DEEE360C4AFF172B638D981E5BCE505FB3373CF7A620436611A964772215DD15E564B701B09AB141C53258EA7DB63589\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"D02BCEDE7EF63722B56FD76E6C3E0C74E72D5B9C169DE7BA9712A1EAEF0C13F59F27BBFC33274C80889426EB38A8D191AB7B08FE9397BF0BE4D5B4C08CF7956C\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"mold afghanistan pine\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"desc\": \"reads choir while\", \"type_id\": 5, \"company_name\": \"Parthenia Kim\", \"creator\": {\"type\": \"System\", \"uid\": \"357634b0-583b-11ee-aa30-0242ac110005\", \"org\": {\"name\": \"lessons fighting basement\", \"uid\": \"357639f6-583b-11ee-a863-0242ac110005\", \"ou_name\": \"recently iron turning\"}, \"type_id\": 3}, \"parent_folder\": \"webcast invention brandon/thumbnail.rm\", \"hashes\": [{\"value\": \"533747897E1F6754B1E577DEEBA5E673C0DD9F09229F048608C88CA5EEC2A420FFF7F06C5B27F45A1B7A705FF141C4AE11196CAB9BE339546B7EEF258DFED346\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}]}, \"user\": {\"name\": \"Intervals\", \"type\": \"Admin\", \"uid\": \"357644a0-583b-11ee-b222-0242ac110005\", \"type_id\": 2, \"full_name\": \"Margert Debbie\", \"account\": {\"name\": \"gained oldest atomic\", \"type\": \"AWS IAM User\", \"type_id\": 3}, \"email_addr\": \"Ernie@drum.jobs\"}, \"uid\": \"35764af4-583b-11ee-bfee-0242ac110005\", \"session\": {\"uid\": \"35764ff4-583b-11ee-ad30-0242ac110005\", \"issuer\": \"information daisy computational\", \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"is_remote\": false}, \"loaded_modules\": [\"/frequently/tomatoes/one/trembl/trance.php\", \"/supposed/passwords/boutique/codes/coalition.txt\"], \"cmd_line\": \"grounds profits tear\", \"integrity\": \"attempts strategy meetup\", \"lineage\": [\"tar optical per\", \"fixtures while coaches\"], \"parent_process\": {\"name\": 
\"Speed\", \"pid\": 69, \"file\": {\"name\": \"kathy.gpx\", \"type\": \"Symbolic Link\", \"version\": \"1.0.0\", \"path\": \"stake dame kw/bangladesh.tax2020/kathy.gpx\", \"type_id\": 7, \"parent_folder\": \"stake dame kw/bangladesh.tax2020\", \"confidentiality\": \"smilies ethnic exclusively\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"DF2FF56CB3BAC1E28C3FE0395F52F814539922A774E1B53793268DC61ADD718A6BEED6E464F3D3AB436A5F61A84B21F073DD534943FEFA40E0DAD92DF1C92874\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Class\", \"type\": \"Admin\", \"uid\": \"3576639a-583b-11ee-a0a4-0242ac110005\", \"org\": {\"name\": \"thumb perception casual\", \"uid\": \"357668cc-583b-11ee-9bcd-0242ac110005\", \"ou_name\": \"russell martin tonight\"}, \"type_id\": 2, \"credential_uid\": \"35766f02-583b-11ee-93b4-0242ac110005\", \"uid_alt\": \"acute vocals goat\"}, \"uid\": \"3576731c-583b-11ee-b4bb-0242ac110005\", \"cmd_line\": \"canon istanbul ears\", \"created_time\": 1695272181548, \"integrity\": \"rage cloudy starts\", \"parent_process\": {\"name\": \"Forget\", \"pid\": 6, \"file\": {\"name\": \"rpg.eps\", \"size\": 2219996466, \"type\": \"Unknown\", \"type_id\": 0, \"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"hashes\": [{\"value\": \"25B732B3425CF8421A84FBE8E6EFA1AAF932AD4B\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"501A60A2B28BA8E6A95CE30C11877FDA\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"uid\": \"35768726-583b-11ee-b021-0242ac110005\", \"loaded_modules\": [\"/congo/hundreds/jerry/limousines/meanwhile.lua\", \"/employment/discounts/dg/company/colin.txt\"], \"cmd_line\": \"samuel affiliates stores\", \"created_time\": 1695272181548, \"lineage\": [\"locked feedback tank\", \"kuwait integrity messages\"], \"parent_process\": {\"name\": \"Part\", \"pid\": 72, \"file\": {\"name\": \"transexual.kml\", \"owner\": {\"name\": \"Disappointed\", \"type\": 
\"Admin\", \"uid\": \"357695ae-583b-11ee-a3e8-0242ac110005\", \"type_id\": 2}, \"type\": \"Local Socket\", \"path\": \"robin imperial rugby/delicious.lua/transexual.kml\", \"product\": {\"name\": \"receptors surgeons dui\", \"path\": \"joins roy in\", \"lang\": \"en\", \"url_string\": \"bias\", \"vendor_name\": \"wonderful earning zealand\"}, \"type_id\": 5, \"company_name\": \"Morris Antonio\", \"parent_folder\": \"robin imperial rugby/delicious.lua\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"value\": \"D9C1ACF117657BB04A8309ECBD6F3771E4F5E0BBEB437019748FFB5028BDA1B7\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}]}, \"user\": {\"name\": \"Tft\", \"type\": \"Unknown\", \"uid\": \"3576a274-583b-11ee-a3dc-0242ac110005\", \"type_id\": 0}, \"uid\": \"3576a6e8-583b-11ee-907e-0242ac110005\", \"loaded_modules\": [\"/initial/example/lenders/manitoba/picked.mdf\"], \"cmd_line\": \"hh officials patient\", \"created_time\": 1695272181548, \"sandbox\": \"new rt auto\"}, \"sandbox\": \"proc budgets magnet\"}}}, \"sandbox\": \"uk worth harmony\", \"xattributes\": {}}, \"sandbox\": \"arbitration saturday very\", \"terminated_time\": 1695272181548, \"xattributes\": {}}}}, \"sandbox\": \"ranked cookbook propecia\", \"xattributes\": {}}}}}, \"user\": {\"name\": \"Hispanic\", \"type\": \"Admin\", \"uid\": \"3576b16a-583b-11ee-9386-0242ac110005\", \"type_id\": 2, \"full_name\": \"Inocencia Adelle\"}, \"idp\": {\"name\": \"through foot query\", \"uid\": \"3576b692-583b-11ee-b9a6-0242ac110005\"}}, \"create_mask\": \"lu hairy cases\", \"enrichments\": [{\"data\": {\"professionals\": \"profess\"}, \"name\": \"universal ex rpg\", \"type\": \"concentrations sciences genuine\", \"value\": \"participants managing combines\", \"provider\": \"dance avon fundamental\"}, {\"data\": {\"hill\": \"rfsvfdc\"}, \"name\": \"strip milton opened\", \"type\": \"volunteers manufacturing argentina\", \"value\": \"needs hopes taxation\", \"provider\": \"held rounds 
tumor\"}], \"severity_id\": 4, \"status_id\": 99}",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "OCSF",
+ "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5"
+ }
+ }
+ },
+ "expected": {
+ "message": "{\"message\": \"aug brought masters\", \"status\": \"same\", \"time\": 1695272181548, \"file\": {\"name\": \"phi.tar\", \"type\": \"Named Pipe\", \"path\": \"basement neighborhood nelson/pointer.mpa/phi.tar\", \"product\": {\"name\": \"judgment mel mental\", \"version\": \"1.0.0\", \"uid\": \"3576c3d0-583b-11ee-8a0f-0242ac110005\", \"vendor_name\": \"isp semiconductor screens\"}, \"type_id\": 666, \"parent_folder\": \"basement neighborhood nelson/pointer.mpa\", \"accessed_time\": 1695272181548, \"hashes\": [{\"value\": \"FA9D6D9F8C1E928F43F4CA3DEF6EC2D485AA60CDD4DF04348144D38434095D54EADA230FB5E8BE2A17FD91AEEFC38B4E2AD08D863F260E6244F56873701A53EE\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"device\": {\"name\": \"spirits since tours\", \"type\": \"Browser\", \"os\": {\"name\": \"mess deposits scary\", \"type\": \"HP-UX\", \"type_id\": 402, \"sp_ver\": 35}, \"ip\": \"1.128.0.0\", \"desc\": \"gene screens plenty\", \"uid\": \"3575127e-583b-11ee-b9cf-0242ac110005\", \"image\": {\"name\": \"aol interest statutes\", \"tag\": \"history afraid vcr\", \"path\": \"breaks contrary navigation\", \"uid\": \"3574fc30-583b-11ee-a7af-0242ac110005\"}, \"groups\": [{\"name\": \"spent disclaimer locks\", \"uid\": \"3575019e-583b-11ee-8751-0242ac110005\", \"privileges\": [\"seems freeware tire\"]}, {\"name\": \"stereo thousand cnet\", \"uid\": \"357505d6-583b-11ee-8d50-0242ac110005\"}], \"type_id\": 8, \"subnet\": \"130.109.0.0/16\", \"hypervisor\": \"barbados lcd electoral\", \"instance_uid\": \"3574eefc-583b-11ee-aedd-0242ac110005\", \"interface_name\": \"cleveland households subsidiaries\", \"interface_uid\": \"3574f352-583b-11ee-89fa-0242ac110005\", \"is_managed\": true, \"region\": \"survival statewide blog\", \"risk_score\": 17, \"subnet_uid\": 
\"3574e7c2-583b-11ee-8763-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"frederick avoiding settlement\", \"version\": \"1.0.0\", \"uid\": \"3574dd04-583b-11ee-9dd6-0242ac110005\", \"lang\": \"en\", \"url_string\": \"subscribers\", \"vendor_name\": \"biographies charts a\"}, \"sequence\": 36, \"profiles\": [], \"log_name\": \"benefits observe block\", \"log_provider\": \"apr applies bought\", \"original_time\": \"basement receipt forces\"}, \"severity\": \"High\", \"type_name\": \"File System Activity: Rename\", \"activity_id\": 5, \"type_uid\": 100105, \"category_name\": \"System Activity\", \"class_uid\": 1001, \"category_uid\": 1, \"class_name\": \"File System Activity\", \"timezone_offset\": 14, \"activity_name\": \"Rename\", \"actor\": {\"process\": {\"name\": \"Http\", \"pid\": 39, \"file\": {\"name\": \"with.com\", \"type\": \"Symbolic Link\", \"path\": \"fact nick marilyn/wives.iso/with.com\", \"type_id\": 7, \"parent_folder\": \"fact nick marilyn/wives.iso\", \"confidentiality\": \"microphone ingredients everybody\", \"hashes\": [{\"value\": \"5448F2E81D8402BD06F1B7A1F25A23A09CF423B5C17631EDC1CB3A06C6135BEA\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"DB43BDA2E28D2B02E0F94993E11FF5A6A49D0E62D62834916C0F623B00401D7C1848EDA3BD47A48ACE755F0AF75D3D92850EEDDD011B6B3ED4D93BA15953F9AD\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Proxy\", \"type\": \"User\", \"domain\": \"canal emerald dry\", \"uid\": \"35752d18-583b-11ee-8e91-0242ac110005\", \"type_id\": 1, \"full_name\": \"Kitty Sabine\", \"account\": {\"name\": \"findarticles awards error\", \"type\": \"AWS IAM User\", \"uid\": \"357534b6-583b-11ee-acbb-0242ac110005\", \"type_id\": 3}, \"email_addr\": \"Dotty@bg.info\", \"uid_alt\": \"mature botswana advisory\"}, \"uid\": \"357539de-583b-11ee-808d-0242ac110005\", \"cmd_line\": \"dd apple updating\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Olympic\", 
\"file\": {\"name\": \"chrysler.pages\", \"type\": \"Character Device\", \"path\": \"jesus cattle cave/remainder.iso/chrysler.pages\", \"desc\": \"claims runtime directories\", \"uid\": \"3575485c-583b-11ee-b07c-0242ac110005\", \"type_id\": 3, \"company_name\": \"Esta Malena\", \"parent_folder\": \"jesus cattle cave/remainder.iso\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"0983A0F9D6FE6015A7EB984C4D51C74EC818D6B4B2EA630CA2794A51512BEA5EC489606DAA019CA34D4CA678FF154530DBF2211DC9AD7D058363D7630F3AF2B8\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695272181548, \"security_descriptor\": \"motels derby subtle\"}, \"user\": {\"name\": \"Salvador\", \"type\": \"Admin\", \"uid\": \"357551a8-583b-11ee-9f3a-0242ac110005\", \"groups\": [{\"name\": \"admissions throughout scope\", \"uid\": \"357556c6-583b-11ee-a761-0242ac110005\"}], \"type_id\": 2, \"email_addr\": \"Georgeann@compounds.org\"}, \"cmd_line\": \"regardless discussed gb\", \"created_time\": 1695272181548, \"integrity\": \"eat\", \"integrity_id\": 99, \"lineage\": [\"ff encoding towns\", \"alter reservoir drums\"], \"parent_process\": {\"pid\": 24, \"user\": {\"type\": \"dealer\", \"uid\": \"3575612a-583b-11ee-8729-0242ac110005\", \"type_id\": 99, \"account\": {\"name\": \"lisa avoiding grade\", \"type\": \"Mac OS Account\", \"uid\": \"35756968-583b-11ee-adc7-0242ac110005\", \"type_id\": 7}}, \"tid\": 17, \"uid\": \"35756e18-583b-11ee-8658-0242ac110005\", \"cmd_line\": \"step bernard quiet\", \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Schedules\", \"pid\": 64, \"file\": {\"attributes\": 59, \"name\": \"expectations.sh\", \"size\": 3829463934, \"type\": \"Named Pipe\", \"path\": \"their haven interact/president.log/expectations.sh\", \"type_id\": 6, \"company_name\": \"Johnny Kenia\", \"parent_folder\": \"their haven interact/president.log\", \"hashes\": [{\"value\": 
\"673864FF7BB72B5CB7535BD3C797DAE6BCDCE37BB6E0BD9D6EDDB8205EE636ACCA593394B1827FD62DAEC350638203EC5021A55A87B54D3BD4E0391CCACFA7B5\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"DA377EE2C5138BD0042100780B04CFB9752DD077344B2CBCACFFBEA5D94D0BB095E7314616D60350025F9E6489D6CBF9FA4C1D07CA52AB9C364397B6A6DB1426\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"is_system\": true}, \"user\": {\"name\": \"Gun\", \"type\": \"User\", \"uid\": \"35757fde-583b-11ee-8426-0242ac110005\", \"org\": {\"name\": \"suitable bother k\", \"uid\": \"357584f2-583b-11ee-b957-0242ac110005\", \"ou_name\": \"signals pixel questions\"}, \"type_id\": 1}, \"uid\": \"35758902-583b-11ee-9a1c-0242ac110005\", \"cmd_line\": \"sons eur fence\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Best\", \"pid\": 51, \"user\": {\"name\": \"Wrapping\", \"type\": \"Unknown\", \"uid\": \"357599c4-583b-11ee-839a-0242ac110005\", \"type_id\": 0, \"email_addr\": \"Valene@water.aero\"}, \"tid\": 72, \"uid\": \"3575a158-583b-11ee-a0c1-0242ac110005\", \"loaded_modules\": [\"/par/addresses/isle/blink/utils.3ds\", \"/conventions/market/normal/lease/absolute.tar.gz\"], \"cmd_line\": \"optional icq refresh\", \"created_time\": 1695272181548, \"integrity\": \"Medium\", \"integrity_id\": 3, \"lineage\": [\"marco danny survival\"], \"parent_process\": {\"name\": \"Expo\", \"pid\": 70, \"file\": {\"attributes\": 73, \"name\": \"wagner.hqx\", \"type\": \"Folder\", \"path\": \"nest communist anthony/tri.tex/wagner.hqx\", \"type_id\": 2, \"parent_folder\": \"nest communist anthony/tri.tex\"}, \"user\": {\"name\": \"Vehicles\", \"type\": \"Unknown\", \"uid\": \"3575b594-583b-11ee-ad61-0242ac110005\", \"groups\": [{\"name\": \"attention horrible saved\", \"type\": \"clinical integration find\"}], \"type_id\": 0, \"uid_alt\": \"immigrants vegetables names\"}, \"uid\": \"3575bbde-583b-11ee-a34c-0242ac110005\", \"cmd_line\": \"furnishings oo elderly\", \"created_time\": 1695272181548, 
\"parent_process\": {\"name\": \"Gis\", \"pid\": 7, \"file\": {\"name\": \"conviction.dem\", \"owner\": {\"name\": \"Founded\", \"type\": \"System\", \"groups\": [{\"name\": \"picked physicians sponsored\", \"uid\": \"3575cc6e-583b-11ee-9fc6-0242ac110005\"}, {\"name\": \"theft os finished\", \"type\": \"baking how furnished\", \"desc\": \"consistent remind intel\", \"uid\": \"3575d2cc-583b-11ee-9bd2-0242ac110005\", \"privileges\": [\"moscow whom catalogue\", \"bar distant sitting\"]}], \"type_id\": 3}, \"type\": \"Regular File\", \"path\": \"lesbian consistent policy/house.crdownload/conviction.dem\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"equivalent fuzzy password\", \"issuer\": \"rom ge xml\", \"fingerprints\": [{\"value\": \"4AE524EF0A54BC56E3844482DFF66D3DD1C07170A36531500327556E4EB58A66\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"2D3C087352251B27B4B883E464997A204BC6990478F6ADA51535ED9C87BB9BD65BB98AF4BCF9442E5126A77E0D6984B1596D2253167232DA8AC3415D7FB47186\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"streets missouri stack\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"type_id\": 1, \"company_name\": \"Agatha Bridget\", \"parent_folder\": \"lesbian consistent policy/house.crdownload\", \"hashes\": [{\"value\": \"7C44A3A14F05688E4AC527919744E64B96B371173856D178D72F65DAB3DC8EE7563B5E05EE7F625263083247F54503AD771DB5F66B3C9F9216B95114BA6BFCCB\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"security_descriptor\": \"blank special atm\"}, \"user\": {\"name\": \"Sec\", \"type\": \"Unknown\", \"uid\": \"3575f450-583b-11ee-b6bb-0242ac110005\", \"org\": {\"name\": \"delayed cables leads\", \"uid\": \"3575f964-583b-11ee-8c61-0242ac110005\"}, \"type_id\": 0, \"full_name\": \"Katheryn Dario\", \"uid_alt\": \"room suicide poem\"}, \"uid\": \"3575fdb0-583b-11ee-aeb9-0242ac110005\", \"cmd_line\": \"japan sells 
jeans\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Decrease\", \"pid\": 59, \"file\": {\"name\": \"structural.swf\", \"size\": 688932239, \"type\": \"customs\", \"path\": \"fwd various rr/harper.tar.gz/structural.swf\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"ordering ou explanation\", \"issuer\": \"truck rings arrivals\", \"fingerprints\": [{\"value\": \"D9B2FE68B6C253E250B14667FE79D988B4D2AC568F7FD62357330B906C30A49D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"EBD7275B8E016156D5C802AA81EF32823EF0D89B944B062044092C012CDD5078AF0362403420AB2DD96D282058889BCC6484F8FC42C61C29774AB18337A40FD9\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"expiration_time\": 1695272181548, \"serial_number\": \"rd throw preliminary\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1, \"created_time\": 1695272181548}, \"type_id\": 99, \"parent_folder\": \"fwd various rr/harper.tar.gz\", \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"value\": \"9392895322BB82C443FB155DA3D787E63B9CFF61E9725327EA2B4FAFE964C306117CB523AEBA0D2D8CDF029592125C16C1F892E88D80F9888D7031FD2974B8DE\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"type\": \"Admin\", \"domain\": \"sydney initiatives plymouth\", \"uid\": \"35761822-583b-11ee-beb2-0242ac110005\", \"type_id\": 2, \"full_name\": \"Theron Augustine\"}, \"tid\": 80, \"uid\": \"35761c82-583b-11ee-b824-0242ac110005\", \"cmd_line\": \"terry ld apple\", \"created_time\": 1695272181548, \"lineage\": [\"ts initial roses\", \"wicked sm especially\"], \"parent_process\": {\"pid\": 96, \"file\": {\"name\": \"fcc.gz\", \"type\": \"Local Socket\", \"path\": \"webcast invention brandon/thumbnail.rm/fcc.gz\", \"signature\": {\"digest\": {\"value\": \"F28E98CA59479136BFC3E11371555CF78BDEDDF0332D62DD063B794024CC5C4FE13F9EA7BA6BCE31550B8B7DEFFB31BF20E54B6C1095A68E8E18A26F91C0E838\", \"algorithm\": \"CTPH\", \"algorithm_id\": 
5}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"previous furthermore create\", \"issuer\": \"kids permissions cosmetic\", \"fingerprints\": [{\"value\": \"C9E4D5C19777C2E695975FB5FE0D92C5DEEE360C4AFF172B638D981E5BCE505FB3373CF7A620436611A964772215DD15E564B701B09AB141C53258EA7DB63589\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"D02BCEDE7EF63722B56FD76E6C3E0C74E72D5B9C169DE7BA9712A1EAEF0C13F59F27BBFC33274C80889426EB38A8D191AB7B08FE9397BF0BE4D5B4C08CF7956C\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"mold afghanistan pine\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"desc\": \"reads choir while\", \"type_id\": 5, \"company_name\": \"Parthenia Kim\", \"creator\": {\"type\": \"System\", \"uid\": \"357634b0-583b-11ee-aa30-0242ac110005\", \"org\": {\"name\": \"lessons fighting basement\", \"uid\": \"357639f6-583b-11ee-a863-0242ac110005\", \"ou_name\": \"recently iron turning\"}, \"type_id\": 3}, \"parent_folder\": \"webcast invention brandon/thumbnail.rm\", \"hashes\": [{\"value\": \"533747897E1F6754B1E577DEEBA5E673C0DD9F09229F048608C88CA5EEC2A420FFF7F06C5B27F45A1B7A705FF141C4AE11196CAB9BE339546B7EEF258DFED346\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}]}, \"user\": {\"name\": \"Intervals\", \"type\": \"Admin\", \"uid\": \"357644a0-583b-11ee-b222-0242ac110005\", \"type_id\": 2, \"full_name\": \"Margert Debbie\", \"account\": {\"name\": \"gained oldest atomic\", \"type\": \"AWS IAM User\", \"type_id\": 3}, \"email_addr\": \"Ernie@drum.jobs\"}, \"uid\": \"35764af4-583b-11ee-bfee-0242ac110005\", \"session\": {\"uid\": \"35764ff4-583b-11ee-ad30-0242ac110005\", \"issuer\": \"information daisy computational\", \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"is_remote\": false}, \"loaded_modules\": [\"/frequently/tomatoes/one/trembl/trance.php\", \"/supposed/passwords/boutique/codes/coalition.txt\"], \"cmd_line\": 
\"grounds profits tear\", \"integrity\": \"attempts strategy meetup\", \"lineage\": [\"tar optical per\", \"fixtures while coaches\"], \"parent_process\": {\"name\": \"Speed\", \"pid\": 69, \"file\": {\"name\": \"kathy.gpx\", \"type\": \"Symbolic Link\", \"version\": \"1.0.0\", \"path\": \"stake dame kw/bangladesh.tax2020/kathy.gpx\", \"type_id\": 7, \"parent_folder\": \"stake dame kw/bangladesh.tax2020\", \"confidentiality\": \"smilies ethnic exclusively\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"DF2FF56CB3BAC1E28C3FE0395F52F814539922A774E1B53793268DC61ADD718A6BEED6E464F3D3AB436A5F61A84B21F073DD534943FEFA40E0DAD92DF1C92874\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Class\", \"type\": \"Admin\", \"uid\": \"3576639a-583b-11ee-a0a4-0242ac110005\", \"org\": {\"name\": \"thumb perception casual\", \"uid\": \"357668cc-583b-11ee-9bcd-0242ac110005\", \"ou_name\": \"russell martin tonight\"}, \"type_id\": 2, \"credential_uid\": \"35766f02-583b-11ee-93b4-0242ac110005\", \"uid_alt\": \"acute vocals goat\"}, \"uid\": \"3576731c-583b-11ee-b4bb-0242ac110005\", \"cmd_line\": \"canon istanbul ears\", \"created_time\": 1695272181548, \"integrity\": \"rage cloudy starts\", \"parent_process\": {\"name\": \"Forget\", \"pid\": 6, \"file\": {\"name\": \"rpg.eps\", \"size\": 2219996466, \"type\": \"Unknown\", \"type_id\": 0, \"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"hashes\": [{\"value\": \"25B732B3425CF8421A84FBE8E6EFA1AAF932AD4B\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"501A60A2B28BA8E6A95CE30C11877FDA\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"uid\": \"35768726-583b-11ee-b021-0242ac110005\", \"loaded_modules\": [\"/congo/hundreds/jerry/limousines/meanwhile.lua\", \"/employment/discounts/dg/company/colin.txt\"], \"cmd_line\": \"samuel affiliates stores\", \"created_time\": 1695272181548, \"lineage\": [\"locked feedback tank\", \"kuwait integrity 
messages\"], \"parent_process\": {\"name\": \"Part\", \"pid\": 72, \"file\": {\"name\": \"transexual.kml\", \"owner\": {\"name\": \"Disappointed\", \"type\": \"Admin\", \"uid\": \"357695ae-583b-11ee-a3e8-0242ac110005\", \"type_id\": 2}, \"type\": \"Local Socket\", \"path\": \"robin imperial rugby/delicious.lua/transexual.kml\", \"product\": {\"name\": \"receptors surgeons dui\", \"path\": \"joins roy in\", \"lang\": \"en\", \"url_string\": \"bias\", \"vendor_name\": \"wonderful earning zealand\"}, \"type_id\": 5, \"company_name\": \"Morris Antonio\", \"parent_folder\": \"robin imperial rugby/delicious.lua\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"value\": \"D9C1ACF117657BB04A8309ECBD6F3771E4F5E0BBEB437019748FFB5028BDA1B7\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}]}, \"user\": {\"name\": \"Tft\", \"type\": \"Unknown\", \"uid\": \"3576a274-583b-11ee-a3dc-0242ac110005\", \"type_id\": 0}, \"uid\": \"3576a6e8-583b-11ee-907e-0242ac110005\", \"loaded_modules\": [\"/initial/example/lenders/manitoba/picked.mdf\"], \"cmd_line\": \"hh officials patient\", \"created_time\": 1695272181548, \"sandbox\": \"new rt auto\"}, \"sandbox\": \"proc budgets magnet\"}}}, \"sandbox\": \"uk worth harmony\", \"xattributes\": {}}, \"sandbox\": \"arbitration saturday very\", \"terminated_time\": 1695272181548, \"xattributes\": {}}}}, \"sandbox\": \"ranked cookbook propecia\", \"xattributes\": {}}}}}, \"user\": {\"name\": \"Hispanic\", \"type\": \"Admin\", \"uid\": \"3576b16a-583b-11ee-9386-0242ac110005\", \"type_id\": 2, \"full_name\": \"Inocencia Adelle\"}, \"idp\": {\"name\": \"through foot query\", \"uid\": \"3576b692-583b-11ee-b9a6-0242ac110005\"}}, \"create_mask\": \"lu hairy cases\", \"enrichments\": [{\"data\": {\"professionals\": \"profess\"}, \"name\": \"universal ex rpg\", \"type\": \"concentrations sciences genuine\", \"value\": \"participants managing combines\", \"provider\": \"dance avon fundamental\"}, {\"data\": {\"hill\": 
\"rfsvfdc\"}, \"name\": \"strip milton opened\", \"type\": \"volunteers manufacturing argentina\", \"value\": \"needs hopes taxation\", \"provider\": \"held rounds tumor\"}], \"severity_id\": 4, \"status_id\": 99}",
+ "event": {
+ "action": "rename",
+ "category": [
+ "file"
+ ],
+ "provider": "apr applies bought",
+ "sequence": 36,
+ "severity": 4,
+ "type": [
+ "change"
+ ]
+ },
+ "ocsf": "{\"activity_id\": 5, \"activity_name\": \"Rename\", \"actor\": {\"idp\": {\"name\": \"through foot query\", \"uid\": \"3576b692-583b-11ee-b9a6-0242ac110005\"}, \"process\": {\"cmd_line\": \"dd apple updating\", \"created_time\": 1695272181548, \"file\": {\"confidentiality\": \"microphone ingredients everybody\", \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"5448F2E81D8402BD06F1B7A1F25A23A09CF423B5C17631EDC1CB3A06C6135BEA\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"DB43BDA2E28D2B02E0F94993E11FF5A6A49D0E62D62834916C0F623B00401D7C1848EDA3BD47A48ACE755F0AF75D3D92850EEDDD011B6B3ED4D93BA15953F9AD\"}], \"name\": \"with.com\", \"parent_folder\": \"fact nick marilyn/wives.iso\", \"path\": \"fact nick marilyn/wives.iso/with.com\", \"type\": \"Symbolic Link\", \"type_id\": 7}, \"name\": \"Http\", \"parent_process\": {\"cmd_line\": \"regardless discussed gb\", \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Esta Malena\", \"created_time\": 1695272181548, \"desc\": \"claims runtime directories\", \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"0983A0F9D6FE6015A7EB984C4D51C74EC818D6B4B2EA630CA2794A51512BEA5EC489606DAA019CA34D4CA678FF154530DBF2211DC9AD7D058363D7630F3AF2B8\"}], \"modified_time\": 1695272181548, \"name\": \"chrysler.pages\", \"parent_folder\": \"jesus cattle cave/remainder.iso\", \"path\": \"jesus cattle cave/remainder.iso/chrysler.pages\", \"security_descriptor\": \"motels derby subtle\", \"type\": \"Character Device\", \"type_id\": 3, \"uid\": 
\"3575485c-583b-11ee-b07c-0242ac110005\"}, \"integrity\": \"eat\", \"integrity_id\": 99, \"lineage\": [\"ff encoding towns\", \"alter reservoir drums\"], \"name\": \"Olympic\", \"parent_process\": {\"cmd_line\": \"step bernard quiet\", \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"cmd_line\": \"sons eur fence\", \"created_time\": 1695272181548, \"file\": {\"attributes\": 59, \"company_name\": \"Johnny Kenia\", \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"673864FF7BB72B5CB7535BD3C797DAE6BCDCE37BB6E0BD9D6EDDB8205EE636ACCA593394B1827FD62DAEC350638203EC5021A55A87B54D3BD4E0391CCACFA7B5\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"DA377EE2C5138BD0042100780B04CFB9752DD077344B2CBCACFFBEA5D94D0BB095E7314616D60350025F9E6489D6CBF9FA4C1D07CA52AB9C364397B6A6DB1426\"}], \"is_system\": true, \"name\": \"expectations.sh\", \"parent_folder\": \"their haven interact/president.log\", \"path\": \"their haven interact/president.log/expectations.sh\", \"size\": 3829463934, \"type\": \"Named Pipe\", \"type_id\": 6}, \"name\": \"Schedules\", \"parent_process\": {\"cmd_line\": \"optional icq refresh\", \"created_time\": 1695272181548, \"integrity\": \"Medium\", \"integrity_id\": 3, \"lineage\": [\"marco danny survival\"], \"loaded_modules\": [\"/par/addresses/isle/blink/utils.3ds\", \"/conventions/market/normal/lease/absolute.tar.gz\"], \"name\": \"Best\", \"parent_process\": {\"cmd_line\": \"furnishings oo elderly\", \"created_time\": 1695272181548, \"file\": {\"attributes\": 73, \"name\": \"wagner.hqx\", \"parent_folder\": \"nest communist anthony/tri.tex\", \"path\": \"nest communist anthony/tri.tex/wagner.hqx\", \"type\": \"Folder\", \"type_id\": 2}, \"name\": \"Expo\", \"parent_process\": {\"cmd_line\": \"japan sells jeans\", \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Agatha Bridget\", \"hashes\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": 
\"7C44A3A14F05688E4AC527919744E64B96B371173856D178D72F65DAB3DC8EE7563B5E05EE7F625263083247F54503AD771DB5F66B3C9F9216B95114BA6BFCCB\"}], \"name\": \"conviction.dem\", \"owner\": {\"groups\": [{\"name\": \"picked physicians sponsored\", \"uid\": \"3575cc6e-583b-11ee-9fc6-0242ac110005\"}, {\"desc\": \"consistent remind intel\", \"name\": \"theft os finished\", \"privileges\": [\"moscow whom catalogue\", \"bar distant sitting\"], \"type\": \"baking how furnished\", \"uid\": \"3575d2cc-583b-11ee-9bd2-0242ac110005\"}], \"name\": \"Founded\", \"type\": \"System\", \"type_id\": 3}, \"parent_folder\": \"lesbian consistent policy/house.crdownload\", \"path\": \"lesbian consistent policy/house.crdownload/conviction.dem\", \"security_descriptor\": \"blank special atm\", \"signature\": {\"algorithm\": \"RSA\", \"algorithm_id\": 2, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"4AE524EF0A54BC56E3844482DFF66D3DD1C07170A36531500327556E4EB58A66\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"2D3C087352251B27B4B883E464997A204BC6990478F6ADA51535ED9C87BB9BD65BB98AF4BCF9442E5126A77E0D6984B1596D2253167232DA8AC3415D7FB47186\"}], \"issuer\": \"rom ge xml\", \"serial_number\": \"streets missouri stack\", \"subject\": \"equivalent fuzzy password\", \"version\": \"1.0.0\"}}, \"type\": \"Regular File\", \"type_id\": 1}, \"name\": \"Gis\", \"parent_process\": {\"cmd_line\": \"terry ld apple\", \"created_time\": 1695272181548, \"file\": {\"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"9392895322BB82C443FB155DA3D787E63B9CFF61E9725327EA2B4FAFE964C306117CB523AEBA0D2D8CDF029592125C16C1F892E88D80F9888D7031FD2974B8DE\"}], \"name\": \"structural.swf\", \"parent_folder\": \"fwd various rr/harper.tar.gz\", \"path\": \"fwd various rr/harper.tar.gz/structural.swf\", 
\"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1, \"certificate\": {\"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"D9B2FE68B6C253E250B14667FE79D988B4D2AC568F7FD62357330B906C30A49D\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"EBD7275B8E016156D5C802AA81EF32823EF0D89B944B062044092C012CDD5078AF0362403420AB2DD96D282058889BCC6484F8FC42C61C29774AB18337A40FD9\"}], \"issuer\": \"truck rings arrivals\", \"serial_number\": \"rd throw preliminary\", \"subject\": \"ordering ou explanation\", \"version\": \"1.0.0\"}, \"created_time\": 1695272181548}, \"size\": 688932239, \"type\": \"customs\", \"type_id\": 99}, \"lineage\": [\"ts initial roses\", \"wicked sm especially\"], \"name\": \"Decrease\", \"parent_process\": {\"cmd_line\": \"grounds profits tear\", \"file\": {\"company_name\": \"Parthenia Kim\", \"creator\": {\"org\": {\"name\": \"lessons fighting basement\", \"ou_name\": \"recently iron turning\", \"uid\": \"357639f6-583b-11ee-a863-0242ac110005\"}, \"type\": \"System\", \"type_id\": 3, \"uid\": \"357634b0-583b-11ee-aa30-0242ac110005\"}, \"desc\": \"reads choir while\", \"hashes\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"533747897E1F6754B1E577DEEBA5E673C0DD9F09229F048608C88CA5EEC2A420FFF7F06C5B27F45A1B7A705FF141C4AE11196CAB9BE339546B7EEF258DFED346\"}], \"name\": \"fcc.gz\", \"parent_folder\": \"webcast invention brandon/thumbnail.rm\", \"path\": \"webcast invention brandon/thumbnail.rm/fcc.gz\", \"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"C9E4D5C19777C2E695975FB5FE0D92C5DEEE360C4AFF172B638D981E5BCE505FB3373CF7A620436611A964772215DD15E564B701B09AB141C53258EA7DB63589\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": 
\"D02BCEDE7EF63722B56FD76E6C3E0C74E72D5B9C169DE7BA9712A1EAEF0C13F59F27BBFC33274C80889426EB38A8D191AB7B08FE9397BF0BE4D5B4C08CF7956C\"}], \"issuer\": \"kids permissions cosmetic\", \"serial_number\": \"mold afghanistan pine\", \"subject\": \"previous furthermore create\", \"version\": \"1.0.0\"}, \"digest\": {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"F28E98CA59479136BFC3E11371555CF78BDEDDF0332D62DD063B794024CC5C4FE13F9EA7BA6BCE31550B8B7DEFFB31BF20E54B6C1095A68E8E18A26F91C0E838\"}}, \"type\": \"Local Socket\", \"type_id\": 5}, \"integrity\": \"attempts strategy meetup\", \"lineage\": [\"tar optical per\", \"fixtures while coaches\"], \"loaded_modules\": [\"/frequently/tomatoes/one/trembl/trance.php\", \"/supposed/passwords/boutique/codes/coalition.txt\"], \"parent_process\": {\"cmd_line\": \"canon istanbul ears\", \"created_time\": 1695272181548, \"file\": {\"confidentiality\": \"smilies ethnic exclusively\", \"created_time\": 1695272181548, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"DF2FF56CB3BAC1E28C3FE0395F52F814539922A774E1B53793268DC61ADD718A6BEED6E464F3D3AB436A5F61A84B21F073DD534943FEFA40E0DAD92DF1C92874\"}], \"modified_time\": 1695272181548, \"name\": \"kathy.gpx\", \"parent_folder\": \"stake dame kw/bangladesh.tax2020\", \"path\": \"stake dame kw/bangladesh.tax2020/kathy.gpx\", \"type\": \"Symbolic Link\", \"type_id\": 7, \"version\": \"1.0.0\"}, \"integrity\": \"rage cloudy starts\", \"name\": \"Speed\", \"parent_process\": {\"cmd_line\": \"samuel affiliates stores\", \"created_time\": 1695272181548, \"file\": {\"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"25B732B3425CF8421A84FBE8E6EFA1AAF932AD4B\"}, {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"501A60A2B28BA8E6A95CE30C11877FDA\"}], \"name\": \"rpg.eps\", \"size\": 2219996466, \"type\": \"Unknown\", \"type_id\": 0}, \"lineage\": [\"locked feedback tank\", 
\"kuwait integrity messages\"], \"loaded_modules\": [\"/congo/hundreds/jerry/limousines/meanwhile.lua\", \"/employment/discounts/dg/company/colin.txt\"], \"name\": \"Forget\", \"parent_process\": {\"cmd_line\": \"hh officials patient\", \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Morris Antonio\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"D9C1ACF117657BB04A8309ECBD6F3771E4F5E0BBEB437019748FFB5028BDA1B7\"}], \"name\": \"transexual.kml\", \"owner\": {\"name\": \"Disappointed\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"357695ae-583b-11ee-a3e8-0242ac110005\"}, \"parent_folder\": \"robin imperial rugby/delicious.lua\", \"path\": \"robin imperial rugby/delicious.lua/transexual.kml\", \"product\": {\"lang\": \"en\", \"name\": \"receptors surgeons dui\", \"path\": \"joins roy in\", \"url_string\": \"bias\", \"vendor_name\": \"wonderful earning zealand\"}, \"type\": \"Local Socket\", \"type_id\": 5}, \"loaded_modules\": [\"/initial/example/lenders/manitoba/picked.mdf\"], \"name\": \"Part\", \"pid\": 72, \"sandbox\": \"new rt auto\", \"uid\": \"3576a6e8-583b-11ee-907e-0242ac110005\", \"user\": {\"name\": \"Tft\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"3576a274-583b-11ee-a3dc-0242ac110005\"}}, \"pid\": 6, \"sandbox\": \"proc budgets magnet\", \"uid\": \"35768726-583b-11ee-b021-0242ac110005\"}, \"pid\": 69, \"uid\": \"3576731c-583b-11ee-b4bb-0242ac110005\", \"user\": {\"credential_uid\": \"35766f02-583b-11ee-93b4-0242ac110005\", \"name\": \"Class\", \"org\": {\"name\": \"thumb perception casual\", \"ou_name\": \"russell martin tonight\", \"uid\": \"357668cc-583b-11ee-9bcd-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"3576639a-583b-11ee-a0a4-0242ac110005\", \"uid_alt\": \"acute vocals goat\"}}, \"pid\": 96, \"session\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"is_remote\": false, \"issuer\": 
\"information daisy computational\", \"uid\": \"35764ff4-583b-11ee-ad30-0242ac110005\"}, \"uid\": \"35764af4-583b-11ee-bfee-0242ac110005\", \"user\": {\"account\": {\"name\": \"gained oldest atomic\", \"type\": \"AWS IAM User\", \"type_id\": 3}, \"email_addr\": \"Ernie@drum.jobs\", \"full_name\": \"Margert Debbie\", \"name\": \"Intervals\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"357644a0-583b-11ee-b222-0242ac110005\"}}, \"pid\": 59, \"sandbox\": \"uk worth harmony\", \"tid\": 80, \"uid\": \"35761c82-583b-11ee-b824-0242ac110005\", \"user\": {\"domain\": \"sydney initiatives plymouth\", \"full_name\": \"Theron Augustine\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"35761822-583b-11ee-beb2-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 7, \"sandbox\": \"arbitration saturday very\", \"terminated_time\": 1695272181548, \"uid\": \"3575fdb0-583b-11ee-aeb9-0242ac110005\", \"user\": {\"full_name\": \"Katheryn Dario\", \"name\": \"Sec\", \"org\": {\"name\": \"delayed cables leads\", \"uid\": \"3575f964-583b-11ee-8c61-0242ac110005\"}, \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"3575f450-583b-11ee-b6bb-0242ac110005\", \"uid_alt\": \"room suicide poem\"}, \"xattributes\": {}}, \"pid\": 70, \"uid\": \"3575bbde-583b-11ee-a34c-0242ac110005\", \"user\": {\"groups\": [{\"name\": \"attention horrible saved\", \"type\": \"clinical integration find\"}], \"name\": \"Vehicles\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"3575b594-583b-11ee-ad61-0242ac110005\", \"uid_alt\": \"immigrants vegetables names\"}}, \"pid\": 51, \"tid\": 72, \"uid\": \"3575a158-583b-11ee-a0c1-0242ac110005\", \"user\": {\"email_addr\": \"Valene@water.aero\", \"name\": \"Wrapping\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"357599c4-583b-11ee-839a-0242ac110005\"}}, \"pid\": 64, \"sandbox\": \"ranked cookbook propecia\", \"uid\": \"35758902-583b-11ee-9a1c-0242ac110005\", \"user\": {\"name\": \"Gun\", \"org\": {\"name\": \"suitable bother k\", \"ou_name\": \"signals pixel 
questions\", \"uid\": \"357584f2-583b-11ee-b957-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": \"35757fde-583b-11ee-8426-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 24, \"tid\": 17, \"uid\": \"35756e18-583b-11ee-8658-0242ac110005\", \"user\": {\"account\": {\"name\": \"lisa avoiding grade\", \"type\": \"Mac OS Account\", \"type_id\": 7, \"uid\": \"35756968-583b-11ee-adc7-0242ac110005\"}, \"type\": \"dealer\", \"type_id\": 99, \"uid\": \"3575612a-583b-11ee-8729-0242ac110005\"}}, \"user\": {\"email_addr\": \"Georgeann@compounds.org\", \"groups\": [{\"name\": \"admissions throughout scope\", \"uid\": \"357556c6-583b-11ee-a761-0242ac110005\"}], \"name\": \"Salvador\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"357551a8-583b-11ee-9f3a-0242ac110005\"}}, \"pid\": 39, \"uid\": \"357539de-583b-11ee-808d-0242ac110005\", \"user\": {\"account\": {\"name\": \"findarticles awards error\", \"type\": \"AWS IAM User\", \"type_id\": 3, \"uid\": \"357534b6-583b-11ee-acbb-0242ac110005\"}, \"domain\": \"canal emerald dry\", \"email_addr\": \"Dotty@bg.info\", \"full_name\": \"Kitty Sabine\", \"name\": \"Proxy\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"35752d18-583b-11ee-8e91-0242ac110005\", \"uid_alt\": \"mature botswana advisory\"}}, \"user\": {\"full_name\": \"Inocencia Adelle\", \"name\": \"Hispanic\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"3576b16a-583b-11ee-9386-0242ac110005\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"File System Activity\", \"class_uid\": 1001, \"create_mask\": \"lu hairy cases\", \"device\": {\"desc\": \"gene screens plenty\", \"groups\": [{\"name\": \"spent disclaimer locks\", \"privileges\": [\"seems freeware tire\"], \"uid\": \"3575019e-583b-11ee-8751-0242ac110005\"}, {\"name\": \"stereo thousand cnet\", \"uid\": \"357505d6-583b-11ee-8d50-0242ac110005\"}], \"hypervisor\": \"barbados lcd electoral\", \"image\": {\"name\": \"aol interest statutes\", \"path\": \"breaks contrary 
navigation\", \"tag\": \"history afraid vcr\", \"uid\": \"3574fc30-583b-11ee-a7af-0242ac110005\"}, \"instance_uid\": \"3574eefc-583b-11ee-aedd-0242ac110005\", \"interface_name\": \"cleveland households subsidiaries\", \"interface_uid\": \"3574f352-583b-11ee-89fa-0242ac110005\", \"ip\": \"1.128.0.0\", \"is_managed\": true, \"name\": \"spirits since tours\", \"os\": {\"name\": \"mess deposits scary\", \"sp_ver\": 35, \"type\": \"HP-UX\", \"type_id\": 402}, \"region\": \"survival statewide blog\", \"risk_score\": 17, \"subnet\": \"130.109.0.0/16\", \"subnet_uid\": \"3574e7c2-583b-11ee-8763-0242ac110005\", \"type\": \"Browser\", \"type_id\": 8, \"uid\": \"3575127e-583b-11ee-b9cf-0242ac110005\"}, \"enrichments\": [{\"data\": {\"professionals\": \"profess\"}, \"name\": \"universal ex rpg\", \"provider\": \"dance avon fundamental\", \"type\": \"concentrations sciences genuine\", \"value\": \"participants managing combines\"}, {\"data\": {\"hill\": \"rfsvfdc\"}, \"name\": \"strip milton opened\", \"provider\": \"held rounds tumor\", \"type\": \"volunteers manufacturing argentina\", \"value\": \"needs hopes taxation\"}], \"file\": {\"accessed_time\": 1695272181548, \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"FA9D6D9F8C1E928F43F4CA3DEF6EC2D485AA60CDD4DF04348144D38434095D54EADA230FB5E8BE2A17FD91AEEFC38B4E2AD08D863F260E6244F56873701A53EE\"}], \"name\": \"phi.tar\", \"parent_folder\": \"basement neighborhood nelson/pointer.mpa\", \"path\": \"basement neighborhood nelson/pointer.mpa/phi.tar\", \"product\": {\"name\": \"judgment mel mental\", \"uid\": \"3576c3d0-583b-11ee-8a0f-0242ac110005\", \"vendor_name\": \"isp semiconductor screens\", \"version\": \"1.0.0\"}, \"type\": \"Named Pipe\", \"type_id\": 666}, \"message\": \"aug brought masters\", \"metadata\": {\"log_name\": \"benefits observe block\", \"log_provider\": \"apr applies bought\", \"original_time\": \"basement receipt forces\", \"product\": {\"lang\": \"en\", \"name\": \"frederick 
avoiding settlement\", \"uid\": \"3574dd04-583b-11ee-9dd6-0242ac110005\", \"url_string\": \"subscribers\", \"vendor_name\": \"biographies charts a\", \"version\": \"1.0.0\"}, \"profiles\": [], \"sequence\": 36, \"version\": \"1.0.0\"}, \"severity\": \"High\", \"severity_id\": 4, \"status\": \"same\", \"status_id\": 99, \"time\": 1695272181548, \"timezone_offset\": 14, \"type_name\": \"File System Activity: Rename\", \"type_uid\": 100105}"
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_system_activity_2.json b/OCSF/ocsf/tests/test_system_activity_2.json
new file mode 100644
index 000000000..ae7ac517f
--- /dev/null
+++ b/OCSF/ocsf/tests/test_system_activity_2.json
@@ -0,0 +1,32 @@
+{
+ "input": {
+ "message": "{\"driver\": {\"file\": {\"name\": \"rail.m\", \"type\": \"earning\", \"path\": \"worst jay funds/plc.deskthemepack/rail.m\", \"uid\": \"19e82104-61aa-11ee-8d53-0242ac110005\", \"type_id\": 99, \"mime_type\": \"punishment/gaps\", \"parent_folder\": \"worst jay funds/plc.deskthemepack\", \"accessed_time\": 1695272181548, \"hashes\": [{\"value\": \"AD3638015A285E049F3EC3B5E96251E3D84A6B834297290B20EF11FE7A6244828ED6FC9E0489232D7B3358C785AA96C87A77266713AD2FB1978142C9CFFD4BF8\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"A47AC519441CF481779776ED56ADE421DEE3E26D0134CAE10E1A518591CCA7AB105D38FE20C7E07843149FF290C536A9E4B0507095FD8A744AF530741D2427B7\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}]}}, \"message\": \"allan juice leader\", \"status\": \"Unknown\", \"time\": 1695272181548, \"device\": {\"name\": \"madagascar made stability\", \"type\": \"IOT\", \"ip\": \"81.2.69.142\", \"hostname\": \"founded.pro\", \"uid\": \"19e7faee-61aa-11ee-a8f6-0242ac110005\", \"image\": {\"name\": \"casinos my pacific\", \"uid\": \"19e81448-61aa-11ee-bc86-0242ac110005\"}, \"type_id\": 7, \"first_seen_time\": 1695272181548, \"hypervisor\": \"consoles voting wellington\", \"instance_uid\": \"19e7f62a-61aa-11ee-ace6-0242ac110005\", \"interface_name\": \"see namespace chef\", \"interface_uid\": \"19e80ce6-61aa-11ee-bfc1-0242ac110005\", \"is_compliant\": true, \"region\": \"pledge cod growth\", \"modified_time_dt\": \"2023-10-03T05:02:50.203874Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"extension\": {\"name\": \"pirates went connecting\", \"version\": \"1.0.0\", \"uid\": \"19e7a6de-61aa-11ee-b198-0242ac110005\"}, \"product\": {\"name\": \"completed longer likes\", \"version\": \"1.0.0\", \"path\": \"jc rim ranch\", \"uid\": \"19e7b8b8-61aa-11ee-b357-0242ac110005\", \"lang\": \"en\", \"url_string\": \"placing\", \"vendor_name\": \"lcd belong academics\"}, \"uid\": \"19e7be44-61aa-11ee-919d-0242ac110005\", 
\"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"louisville displaying universities\", \"log_provider\": \"officially vehicles incorporated\", \"original_time\": \"bodies jenny chris\"}, \"severity\": \"Low\", \"duration\": 56, \"api\": {\"request\": {\"flags\": [\"development suddenly affiliate\", \"blind putting connectors\"], \"uid\": \"19e78050-61aa-11ee-81a3-0242ac110005\"}, \"response\": {\"error\": \"storm edwards gateway\", \"code\": 48, \"message\": \"ac apnic applicants\", \"error_message\": \"retro wood cheese\"}, \"operation\": \"glucose spyware trustees\"}, \"disposition\": \"Corrected\", \"type_name\": \"Kernel Extension Activity: Unload\", \"activity_id\": 2, \"disposition_id\": 11, \"type_uid\": 100202, \"category_name\": \"System Activity\", \"class_uid\": 1002, \"category_uid\": 1, \"class_name\": \"Kernel Extension Activity\", \"timezone_offset\": 26, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Command and Control The adversary is trying to communicate with compromised systems to control them.\", \"uid\": \"TA0011\"}], \"technique\": {\"name\": \"Two-Factor Authentication Interception\", \"uid\": \"T1111\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Credential Access The adversary is trying to steal account names and passwords.\", \"uid\": \"TA0006\"}, {\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}], \"technique\": {\"name\": \"Multiband Communication\", \"uid\": \"T1026\"}}], \"activity_name\": \"Unload\", \"actor\": {\"process\": {\"name\": \"Complete\", \"pid\": 50, \"file\": {\"name\": \"syntax.dds\", \"type\": \"Symbolic Link\", \"path\": \"cartoon watershed viewers/magazine.xls/syntax.dds\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3}, \"type_id\": 7, \"parent_folder\": \"cartoon watershed viewers/magazine.xls\", \"confidentiality\": \"donated chapter runtime\", \"hashes\": 
[{\"value\": \"2EB64D601392F16BF21F01D7A9A66B62BC3DDC892394D8B44031A3B488A4F611F56951974C7601044DA53283AE3A774822583A678667AC1A5469561ADFC2CB22\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Pursue\", \"type\": \"User\", \"domain\": \"settle most mf\", \"uid\": \"19e84346-61aa-11ee-82b4-0242ac110005\", \"org\": {\"name\": \"contributions agents displayed\", \"uid\": \"19e854e4-61aa-11ee-b27b-0242ac110005\", \"ou_name\": \"with cpu scout\"}, \"type_id\": 1, \"full_name\": \"Fae Brendan\"}, \"uid\": \"19e85aa2-61aa-11ee-9863-0242ac110005\", \"cmd_line\": \"quest flashers qualifying\", \"integrity\": \"Untrusted\", \"integrity_id\": 1, \"namespace_pid\": 20, \"parent_process\": {\"name\": \"Fuzzy\", \"pid\": 7, \"uid\": \"19e86420-61aa-11ee-92e5-0242ac110005\", \"cmd_line\": \"mere tft rules\", \"container\": {\"name\": \"contains thriller incl\", \"runtime\": \"briefing portrait pj\", \"size\": 4086519029, \"uid\": \"19e86ef2-61aa-11ee-961e-0242ac110005\", \"image\": {\"name\": \"place questionnaire evil\", \"uid\": \"19e878de-61aa-11ee-8abe-0242ac110005\"}, \"hash\": {\"value\": \"99402752D9F0ADEE2B8CB7268DC3FCBF7900B5491AEECBCF11718BBA6969507DF048B5A627AE37D63F6235C52A9FFB0A874DB6E542EFB0E17DD61FFF02543A1B\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, \"network_driver\": \"balloon cj virtual\"}, \"created_time\": 1695272181548, \"integrity\": \"System\", \"integrity_id\": 5, \"namespace_pid\": 34, \"parent_process\": {\"name\": \"Pt\", \"pid\": 53, \"file\": {\"attributes\": 11, \"name\": \"unlimited.wmv\", \"type\": \"huntington\", \"version\": \"1.0.0\", \"product\": {\"name\": \"astrology musical magic\", \"version\": \"1.0.0\", \"uid\": \"19e88b3a-61aa-11ee-a044-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"logos texture jews\"}, \"type_id\": 99, \"confidentiality\": \"outlook\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": 
\"79B9213DDB8E561C9F5F0374719DBA7E55A481E720B75C53A12AF714880E51A4\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"C32B941D4ED063DE2F7FB1669124175ED90CDE46\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"is_system\": true, \"created_time_dt\": \"2023-10-03T05:02:50.206981Z\"}, \"uid\": \"19e89346-61aa-11ee-bb7f-0242ac110005\", \"loaded_modules\": [\"/faith/cbs/hispanic/lancaster/ncaa.swf\", \"/pulled/consecutive/treatment/myself/pittsburgh.wav\"], \"cmd_line\": \"valued leasing equilibrium\", \"container\": {\"size\": 2331695977, \"uid\": \"19e89a1c-61aa-11ee-930f-0242ac110005\", \"hash\": {\"value\": \"AACD3103F3F1FCAB0248F041A315AB6816C8A0E9\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}}, \"integrity\": \"System\", \"integrity_id\": 5, \"lineage\": [\"layer rachel performed\"], \"namespace_pid\": 75, \"parent_process\": {\"name\": \"Clinton\", \"pid\": 77, \"file\": {\"name\": \"jefferson.cbr\", \"size\": 3328615981, \"type\": \"Unknown\", \"path\": \"vacations floppy slides/crack.cs/jefferson.cbr\", \"modifier\": {\"name\": \"Resistant\", \"type\": \"System\", \"uid\": \"19e8ac78-61aa-11ee-a8f4-0242ac110005\", \"type_id\": 3}, \"desc\": \"referrals nottingham communication\", \"type_id\": 0, \"company_name\": \"Marie Enoch\", \"creator\": {\"name\": \"Journals\", \"type\": \"User\", \"uid\": \"19e8c136-61aa-11ee-8148-0242ac110005\", \"type_id\": 1}, \"parent_folder\": \"vacations floppy slides/crack.cs\", \"modified_time_dt\": \"2023-10-03T05:02:50.208298Z\"}, \"user\": {\"name\": \"Nudist\", \"type\": \"directories\", \"uid\": \"19e8cb2c-61aa-11ee-8668-0242ac110005\", \"type_id\": 99, \"full_name\": \"Glayds Glenda\", \"email_addr\": \"Johnette@flexibility.biz\", \"uid_alt\": \"facts local za\"}, \"uid\": \"19e8e4fe-61aa-11ee-869a-0242ac110005\", \"cmd_line\": \"vendor laptops germany\", \"container\": {\"name\": \"patients couple tmp\", \"runtime\": \"jul tommy um\", \"size\": 1196597453, \"uid\": 
\"19e93ddc-61aa-11ee-8ac2-0242ac110005\", \"image\": {\"name\": \"puzzles conditions sequences\", \"uid\": \"19e94566-61aa-11ee-9d6d-0242ac110005\", \"labels\": [\"aka\"]}, \"hash\": {\"value\": \"BBC85ACA84E370B3CD546CED854C6725D3242C1E1E174F6B4A803754254A38359A7A4CA50F4AD39E07AE04452C28859CAE5DB5FAF8D68075026A04F2C026726C\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"orchestrator\": \"helping cork mortality\"}, \"created_time\": 1695272181548, \"integrity\": \"five priest needle\", \"namespace_pid\": 94, \"parent_process\": {\"name\": \"Sms\", \"pid\": 52, \"file\": {\"name\": \"fixes.c\", \"type\": \"Folder\", \"path\": \"retro earthquake teachers/corruption.kml/fixes.c\", \"type_id\": 2, \"mime_type\": \"transcription/warned\", \"parent_folder\": \"retro earthquake teachers/corruption.kml\", \"hashes\": [{\"value\": \"9FD540B749A6D9C916406C5F4EB228F85F9FC35B5769F67886F778ACFE23F9DA44D2AA1E26E09B2EC8942215CD4C9DE71D9A27F539FC4E753E44181F1DA6899D\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"uid\": \"19e95920-61aa-11ee-a247-0242ac110005\", \"session\": {\"uid\": \"19e95e70-61aa-11ee-bf06-0242ac110005\", \"created_time\": 1695272181548, \"is_remote\": false}, \"cmd_line\": \"front accommodate advocate\", \"container\": {\"name\": \"finest world pontiac\", \"size\": 55618839, \"uid\": \"19e964b0-61aa-11ee-86d6-0242ac110005\", \"image\": {\"name\": \"obituaries seeing judgment\", \"path\": \"fit slightly ja\", \"uid\": \"19e96b36-61aa-11ee-97e4-0242ac110005\"}, \"hash\": {\"value\": \"DE46E578D10170889D94C44F29A8357C36E325D960A26A598ED7022BD1E1EDAD4B7C9E676EF5EED4AE64B21998EE85F24AFBB1A8DE06CD5B385EFE4AB1185F90\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, \"orchestrator\": \"vp bridal testimonials\"}, \"created_time\": 1695272181548, \"namespace_pid\": 19, \"terminated_time\": 1695272181548}, \"terminated_time_dt\": \"2023-10-03T05:02:50.212696Z\"}}, \"terminated_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:02:50.212708Z\"}, 
\"sandbox\": \"homes bachelor reach\", \"xattributes\": {}, \"terminated_time_dt\": \"2023-10-03T05:02:50.212738Z\"}, \"user\": {\"name\": \"Fellowship\", \"type\": \"Admin\", \"uid\": \"19e97d92-61aa-11ee-b56a-0242ac110005\", \"org\": {\"name\": \"ali authors bacterial\", \"uid\": \"19e9c5d6-61aa-11ee-96f2-0242ac110005\", \"ou_name\": \"ebay october staff\"}, \"type_id\": 2}}, \"cloud\": {\"org\": {\"name\": \"virus legislative schemes\", \"uid\": \"19e79248-61aa-11ee-83d4-0242ac110005\", \"ou_name\": \"aus radical chess\", \"ou_uid\": \"19e79b26-61aa-11ee-bc41-0242ac110005\"}, \"provider\": \"locations pharmaceutical aa\", \"region\": \"card heroes blogging\"}, \"severity_id\": 2, \"status_detail\": \"tablets vernon opinion\", \"status_id\": 0}",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "OCSF",
+ "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5"
+ }
+ }
+ },
+ "expected": {
+ "message": "{\"driver\": {\"file\": {\"name\": \"rail.m\", \"type\": \"earning\", \"path\": \"worst jay funds/plc.deskthemepack/rail.m\", \"uid\": \"19e82104-61aa-11ee-8d53-0242ac110005\", \"type_id\": 99, \"mime_type\": \"punishment/gaps\", \"parent_folder\": \"worst jay funds/plc.deskthemepack\", \"accessed_time\": 1695272181548, \"hashes\": [{\"value\": \"AD3638015A285E049F3EC3B5E96251E3D84A6B834297290B20EF11FE7A6244828ED6FC9E0489232D7B3358C785AA96C87A77266713AD2FB1978142C9CFFD4BF8\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"A47AC519441CF481779776ED56ADE421DEE3E26D0134CAE10E1A518591CCA7AB105D38FE20C7E07843149FF290C536A9E4B0507095FD8A744AF530741D2427B7\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}]}}, \"message\": \"allan juice leader\", \"status\": \"Unknown\", \"time\": 1695272181548, \"device\": {\"name\": \"madagascar made stability\", \"type\": \"IOT\", \"ip\": \"81.2.69.142\", \"hostname\": \"founded.pro\", \"uid\": \"19e7faee-61aa-11ee-a8f6-0242ac110005\", \"image\": {\"name\": \"casinos my pacific\", \"uid\": 
\"19e81448-61aa-11ee-bc86-0242ac110005\"}, \"type_id\": 7, \"first_seen_time\": 1695272181548, \"hypervisor\": \"consoles voting wellington\", \"instance_uid\": \"19e7f62a-61aa-11ee-ace6-0242ac110005\", \"interface_name\": \"see namespace chef\", \"interface_uid\": \"19e80ce6-61aa-11ee-bfc1-0242ac110005\", \"is_compliant\": true, \"region\": \"pledge cod growth\", \"modified_time_dt\": \"2023-10-03T05:02:50.203874Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"extension\": {\"name\": \"pirates went connecting\", \"version\": \"1.0.0\", \"uid\": \"19e7a6de-61aa-11ee-b198-0242ac110005\"}, \"product\": {\"name\": \"completed longer likes\", \"version\": \"1.0.0\", \"path\": \"jc rim ranch\", \"uid\": \"19e7b8b8-61aa-11ee-b357-0242ac110005\", \"lang\": \"en\", \"url_string\": \"placing\", \"vendor_name\": \"lcd belong academics\"}, \"uid\": \"19e7be44-61aa-11ee-919d-0242ac110005\", \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"louisville displaying universities\", \"log_provider\": \"officially vehicles incorporated\", \"original_time\": \"bodies jenny chris\"}, \"severity\": \"Low\", \"duration\": 56, \"api\": {\"request\": {\"flags\": [\"development suddenly affiliate\", \"blind putting connectors\"], \"uid\": \"19e78050-61aa-11ee-81a3-0242ac110005\"}, \"response\": {\"error\": \"storm edwards gateway\", \"code\": 48, \"message\": \"ac apnic applicants\", \"error_message\": \"retro wood cheese\"}, \"operation\": \"glucose spyware trustees\"}, \"disposition\": \"Corrected\", \"type_name\": \"Kernel Extension Activity: Unload\", \"activity_id\": 2, \"disposition_id\": 11, \"type_uid\": 100202, \"category_name\": \"System Activity\", \"class_uid\": 1002, \"category_uid\": 1, \"class_name\": \"Kernel Extension Activity\", \"timezone_offset\": 26, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Command and Control The adversary is trying to communicate with compromised systems to control them.\", 
\"uid\": \"TA0011\"}], \"technique\": {\"name\": \"Two-Factor Authentication Interception\", \"uid\": \"T1111\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Credential Access The adversary is trying to steal account names and passwords.\", \"uid\": \"TA0006\"}, {\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}], \"technique\": {\"name\": \"Multiband Communication\", \"uid\": \"T1026\"}}], \"activity_name\": \"Unload\", \"actor\": {\"process\": {\"name\": \"Complete\", \"pid\": 50, \"file\": {\"name\": \"syntax.dds\", \"type\": \"Symbolic Link\", \"path\": \"cartoon watershed viewers/magazine.xls/syntax.dds\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3}, \"type_id\": 7, \"parent_folder\": \"cartoon watershed viewers/magazine.xls\", \"confidentiality\": \"donated chapter runtime\", \"hashes\": [{\"value\": \"2EB64D601392F16BF21F01D7A9A66B62BC3DDC892394D8B44031A3B488A4F611F56951974C7601044DA53283AE3A774822583A678667AC1A5469561ADFC2CB22\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Pursue\", \"type\": \"User\", \"domain\": \"settle most mf\", \"uid\": \"19e84346-61aa-11ee-82b4-0242ac110005\", \"org\": {\"name\": \"contributions agents displayed\", \"uid\": \"19e854e4-61aa-11ee-b27b-0242ac110005\", \"ou_name\": \"with cpu scout\"}, \"type_id\": 1, \"full_name\": \"Fae Brendan\"}, \"uid\": \"19e85aa2-61aa-11ee-9863-0242ac110005\", \"cmd_line\": \"quest flashers qualifying\", \"integrity\": \"Untrusted\", \"integrity_id\": 1, \"namespace_pid\": 20, \"parent_process\": {\"name\": \"Fuzzy\", \"pid\": 7, \"uid\": \"19e86420-61aa-11ee-92e5-0242ac110005\", \"cmd_line\": \"mere tft rules\", \"container\": {\"name\": \"contains thriller incl\", \"runtime\": \"briefing portrait pj\", \"size\": 4086519029, \"uid\": \"19e86ef2-61aa-11ee-961e-0242ac110005\", \"image\": {\"name\": \"place questionnaire evil\", \"uid\": 
\"19e878de-61aa-11ee-8abe-0242ac110005\"}, \"hash\": {\"value\": \"99402752D9F0ADEE2B8CB7268DC3FCBF7900B5491AEECBCF11718BBA6969507DF048B5A627AE37D63F6235C52A9FFB0A874DB6E542EFB0E17DD61FFF02543A1B\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, \"network_driver\": \"balloon cj virtual\"}, \"created_time\": 1695272181548, \"integrity\": \"System\", \"integrity_id\": 5, \"namespace_pid\": 34, \"parent_process\": {\"name\": \"Pt\", \"pid\": 53, \"file\": {\"attributes\": 11, \"name\": \"unlimited.wmv\", \"type\": \"huntington\", \"version\": \"1.0.0\", \"product\": {\"name\": \"astrology musical magic\", \"version\": \"1.0.0\", \"uid\": \"19e88b3a-61aa-11ee-a044-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"logos texture jews\"}, \"type_id\": 99, \"confidentiality\": \"outlook\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"79B9213DDB8E561C9F5F0374719DBA7E55A481E720B75C53A12AF714880E51A4\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"C32B941D4ED063DE2F7FB1669124175ED90CDE46\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"is_system\": true, \"created_time_dt\": \"2023-10-03T05:02:50.206981Z\"}, \"uid\": \"19e89346-61aa-11ee-bb7f-0242ac110005\", \"loaded_modules\": [\"/faith/cbs/hispanic/lancaster/ncaa.swf\", \"/pulled/consecutive/treatment/myself/pittsburgh.wav\"], \"cmd_line\": \"valued leasing equilibrium\", \"container\": {\"size\": 2331695977, \"uid\": \"19e89a1c-61aa-11ee-930f-0242ac110005\", \"hash\": {\"value\": \"AACD3103F3F1FCAB0248F041A315AB6816C8A0E9\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}}, \"integrity\": \"System\", \"integrity_id\": 5, \"lineage\": [\"layer rachel performed\"], \"namespace_pid\": 75, \"parent_process\": {\"name\": \"Clinton\", \"pid\": 77, \"file\": {\"name\": \"jefferson.cbr\", \"size\": 3328615981, \"type\": \"Unknown\", \"path\": \"vacations floppy slides/crack.cs/jefferson.cbr\", \"modifier\": {\"name\": \"Resistant\", \"type\": \"System\", \"uid\": 
\"19e8ac78-61aa-11ee-a8f4-0242ac110005\", \"type_id\": 3}, \"desc\": \"referrals nottingham communication\", \"type_id\": 0, \"company_name\": \"Marie Enoch\", \"creator\": {\"name\": \"Journals\", \"type\": \"User\", \"uid\": \"19e8c136-61aa-11ee-8148-0242ac110005\", \"type_id\": 1}, \"parent_folder\": \"vacations floppy slides/crack.cs\", \"modified_time_dt\": \"2023-10-03T05:02:50.208298Z\"}, \"user\": {\"name\": \"Nudist\", \"type\": \"directories\", \"uid\": \"19e8cb2c-61aa-11ee-8668-0242ac110005\", \"type_id\": 99, \"full_name\": \"Glayds Glenda\", \"email_addr\": \"Johnette@flexibility.biz\", \"uid_alt\": \"facts local za\"}, \"uid\": \"19e8e4fe-61aa-11ee-869a-0242ac110005\", \"cmd_line\": \"vendor laptops germany\", \"container\": {\"name\": \"patients couple tmp\", \"runtime\": \"jul tommy um\", \"size\": 1196597453, \"uid\": \"19e93ddc-61aa-11ee-8ac2-0242ac110005\", \"image\": {\"name\": \"puzzles conditions sequences\", \"uid\": \"19e94566-61aa-11ee-9d6d-0242ac110005\", \"labels\": [\"aka\"]}, \"hash\": {\"value\": \"BBC85ACA84E370B3CD546CED854C6725D3242C1E1E174F6B4A803754254A38359A7A4CA50F4AD39E07AE04452C28859CAE5DB5FAF8D68075026A04F2C026726C\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"orchestrator\": \"helping cork mortality\"}, \"created_time\": 1695272181548, \"integrity\": \"five priest needle\", \"namespace_pid\": 94, \"parent_process\": {\"name\": \"Sms\", \"pid\": 52, \"file\": {\"name\": \"fixes.c\", \"type\": \"Folder\", \"path\": \"retro earthquake teachers/corruption.kml/fixes.c\", \"type_id\": 2, \"mime_type\": \"transcription/warned\", \"parent_folder\": \"retro earthquake teachers/corruption.kml\", \"hashes\": [{\"value\": \"9FD540B749A6D9C916406C5F4EB228F85F9FC35B5769F67886F778ACFE23F9DA44D2AA1E26E09B2EC8942215CD4C9DE71D9A27F539FC4E753E44181F1DA6899D\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"uid\": \"19e95920-61aa-11ee-a247-0242ac110005\", \"session\": {\"uid\": \"19e95e70-61aa-11ee-bf06-0242ac110005\", 
\"created_time\": 1695272181548, \"is_remote\": false}, \"cmd_line\": \"front accommodate advocate\", \"container\": {\"name\": \"finest world pontiac\", \"size\": 55618839, \"uid\": \"19e964b0-61aa-11ee-86d6-0242ac110005\", \"image\": {\"name\": \"obituaries seeing judgment\", \"path\": \"fit slightly ja\", \"uid\": \"19e96b36-61aa-11ee-97e4-0242ac110005\"}, \"hash\": {\"value\": \"DE46E578D10170889D94C44F29A8357C36E325D960A26A598ED7022BD1E1EDAD4B7C9E676EF5EED4AE64B21998EE85F24AFBB1A8DE06CD5B385EFE4AB1185F90\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, \"orchestrator\": \"vp bridal testimonials\"}, \"created_time\": 1695272181548, \"namespace_pid\": 19, \"terminated_time\": 1695272181548}, \"terminated_time_dt\": \"2023-10-03T05:02:50.212696Z\"}}, \"terminated_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:02:50.212708Z\"}, \"sandbox\": \"homes bachelor reach\", \"xattributes\": {}, \"terminated_time_dt\": \"2023-10-03T05:02:50.212738Z\"}, \"user\": {\"name\": \"Fellowship\", \"type\": \"Admin\", \"uid\": \"19e97d92-61aa-11ee-b56a-0242ac110005\", \"org\": {\"name\": \"ali authors bacterial\", \"uid\": \"19e9c5d6-61aa-11ee-96f2-0242ac110005\", \"ou_name\": \"ebay october staff\"}, \"type_id\": 2}}, \"cloud\": {\"org\": {\"name\": \"virus legislative schemes\", \"uid\": \"19e79248-61aa-11ee-83d4-0242ac110005\", \"ou_name\": \"aus radical chess\", \"ou_uid\": \"19e79b26-61aa-11ee-bc41-0242ac110005\"}, \"provider\": \"locations pharmaceutical aa\", \"region\": \"card heroes blogging\"}, \"severity_id\": 2, \"status_detail\": \"tablets vernon opinion\", \"status_id\": 0}", + "event": { + "action": "unload", + "category": [ + "driver" + ], + "duration": 56000000, + "outcome": "unknown", + "provider": "officially vehicles incorporated", + "severity": 2, + "type": [ + "info" + ] + }, + "cloud": { + "provider": "locations pharmaceutical aa", + "region": "card heroes blogging" + }, + "ocsf": "{\"activity_id\": 2, \"activity_name\": \"Unload\", \"actor\": 
{\"process\": {\"cmd_line\": \"quest flashers qualifying\", \"file\": {\"confidentiality\": \"donated chapter runtime\", \"hashes\": [{\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"2EB64D601392F16BF21F01D7A9A66B62BC3DDC892394D8B44031A3B488A4F611F56951974C7601044DA53283AE3A774822583A678667AC1A5469561ADFC2CB22\"}], \"modified_time\": 1695272181548, \"name\": \"syntax.dds\", \"parent_folder\": \"cartoon watershed viewers/magazine.xls\", \"path\": \"cartoon watershed viewers/magazine.xls/syntax.dds\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3}, \"type\": \"Symbolic Link\", \"type_id\": 7}, \"integrity\": \"Untrusted\", \"integrity_id\": 1, \"name\": \"Complete\", \"namespace_pid\": 20, \"parent_process\": {\"cmd_line\": \"mere tft rules\", \"container\": {\"hash\": {\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"99402752D9F0ADEE2B8CB7268DC3FCBF7900B5491AEECBCF11718BBA6969507DF048B5A627AE37D63F6235C52A9FFB0A874DB6E542EFB0E17DD61FFF02543A1B\"}, \"image\": {\"name\": \"place questionnaire evil\", \"uid\": \"19e878de-61aa-11ee-8abe-0242ac110005\"}, \"name\": \"contains thriller incl\", \"network_driver\": \"balloon cj virtual\", \"runtime\": \"briefing portrait pj\", \"size\": 4086519029, \"uid\": \"19e86ef2-61aa-11ee-961e-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:02:50.212708Z\", \"integrity\": \"System\", \"integrity_id\": 5, \"name\": \"Fuzzy\", \"namespace_pid\": 34, \"parent_process\": {\"cmd_line\": \"valued leasing equilibrium\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"AACD3103F3F1FCAB0248F041A315AB6816C8A0E9\"}, \"size\": 2331695977, \"uid\": \"19e89a1c-61aa-11ee-930f-0242ac110005\"}, \"file\": {\"attributes\": 11, \"confidentiality\": \"outlook\", \"confidentiality_id\": 99, \"created_time_dt\": \"2023-10-03T05:02:50.206981Z\", \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": 
\"79B9213DDB8E561C9F5F0374719DBA7E55A481E720B75C53A12AF714880E51A4\"}, {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"C32B941D4ED063DE2F7FB1669124175ED90CDE46\"}], \"is_system\": true, \"name\": \"unlimited.wmv\", \"product\": {\"lang\": \"en\", \"name\": \"astrology musical magic\", \"uid\": \"19e88b3a-61aa-11ee-a044-0242ac110005\", \"vendor_name\": \"logos texture jews\", \"version\": \"1.0.0\"}, \"type\": \"huntington\", \"type_id\": 99, \"version\": \"1.0.0\"}, \"integrity\": \"System\", \"integrity_id\": 5, \"lineage\": [\"layer rachel performed\"], \"loaded_modules\": [\"/faith/cbs/hispanic/lancaster/ncaa.swf\", \"/pulled/consecutive/treatment/myself/pittsburgh.wav\"], \"name\": \"Pt\", \"namespace_pid\": 75, \"parent_process\": {\"cmd_line\": \"vendor laptops germany\", \"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"BBC85ACA84E370B3CD546CED854C6725D3242C1E1E174F6B4A803754254A38359A7A4CA50F4AD39E07AE04452C28859CAE5DB5FAF8D68075026A04F2C026726C\"}, \"image\": {\"labels\": [\"aka\"], \"name\": \"puzzles conditions sequences\", \"uid\": \"19e94566-61aa-11ee-9d6d-0242ac110005\"}, \"name\": \"patients couple tmp\", \"orchestrator\": \"helping cork mortality\", \"runtime\": \"jul tommy um\", \"size\": 1196597453, \"uid\": \"19e93ddc-61aa-11ee-8ac2-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Marie Enoch\", \"creator\": {\"name\": \"Journals\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"19e8c136-61aa-11ee-8148-0242ac110005\"}, \"desc\": \"referrals nottingham communication\", \"modified_time_dt\": \"2023-10-03T05:02:50.208298Z\", \"modifier\": {\"name\": \"Resistant\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"19e8ac78-61aa-11ee-a8f4-0242ac110005\"}, \"name\": \"jefferson.cbr\", \"parent_folder\": \"vacations floppy slides/crack.cs\", \"path\": \"vacations floppy slides/crack.cs/jefferson.cbr\", \"size\": 3328615981, \"type\": \"Unknown\", \"type_id\": 0}, 
\"integrity\": \"five priest needle\", \"name\": \"Clinton\", \"namespace_pid\": 94, \"parent_process\": {\"cmd_line\": \"front accommodate advocate\", \"container\": {\"hash\": {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"DE46E578D10170889D94C44F29A8357C36E325D960A26A598ED7022BD1E1EDAD4B7C9E676EF5EED4AE64B21998EE85F24AFBB1A8DE06CD5B385EFE4AB1185F90\"}, \"image\": {\"name\": \"obituaries seeing judgment\", \"path\": \"fit slightly ja\", \"uid\": \"19e96b36-61aa-11ee-97e4-0242ac110005\"}, \"name\": \"finest world pontiac\", \"orchestrator\": \"vp bridal testimonials\", \"size\": 55618839, \"uid\": \"19e964b0-61aa-11ee-86d6-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"9FD540B749A6D9C916406C5F4EB228F85F9FC35B5769F67886F778ACFE23F9DA44D2AA1E26E09B2EC8942215CD4C9DE71D9A27F539FC4E753E44181F1DA6899D\"}], \"mime_type\": \"transcription/warned\", \"name\": \"fixes.c\", \"parent_folder\": \"retro earthquake teachers/corruption.kml\", \"path\": \"retro earthquake teachers/corruption.kml/fixes.c\", \"type\": \"Folder\", \"type_id\": 2}, \"name\": \"Sms\", \"namespace_pid\": 19, \"pid\": 52, \"session\": {\"created_time\": 1695272181548, \"is_remote\": false, \"uid\": \"19e95e70-61aa-11ee-bf06-0242ac110005\"}, \"terminated_time\": 1695272181548, \"uid\": \"19e95920-61aa-11ee-a247-0242ac110005\"}, \"pid\": 77, \"terminated_time_dt\": \"2023-10-03T05:02:50.212696Z\", \"uid\": \"19e8e4fe-61aa-11ee-869a-0242ac110005\", \"user\": {\"email_addr\": \"Johnette@flexibility.biz\", \"full_name\": \"Glayds Glenda\", \"name\": \"Nudist\", \"type\": \"directories\", \"type_id\": 99, \"uid\": \"19e8cb2c-61aa-11ee-8668-0242ac110005\", \"uid_alt\": \"facts local za\"}}, \"pid\": 53, \"uid\": \"19e89346-61aa-11ee-bb7f-0242ac110005\"}, \"pid\": 7, \"terminated_time\": 1695272181548, \"uid\": \"19e86420-61aa-11ee-92e5-0242ac110005\"}, \"pid\": 50, \"sandbox\": \"homes bachelor reach\", 
\"terminated_time_dt\": \"2023-10-03T05:02:50.212738Z\", \"uid\": \"19e85aa2-61aa-11ee-9863-0242ac110005\", \"user\": {\"domain\": \"settle most mf\", \"full_name\": \"Fae Brendan\", \"name\": \"Pursue\", \"org\": {\"name\": \"contributions agents displayed\", \"ou_name\": \"with cpu scout\", \"uid\": \"19e854e4-61aa-11ee-b27b-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": \"19e84346-61aa-11ee-82b4-0242ac110005\"}, \"xattributes\": {}}, \"user\": {\"name\": \"Fellowship\", \"org\": {\"name\": \"ali authors bacterial\", \"ou_name\": \"ebay october staff\", \"uid\": \"19e9c5d6-61aa-11ee-96f2-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"19e97d92-61aa-11ee-b56a-0242ac110005\"}}, \"api\": {\"operation\": \"glucose spyware trustees\", \"request\": {\"flags\": [\"development suddenly affiliate\", \"blind putting connectors\"], \"uid\": \"19e78050-61aa-11ee-81a3-0242ac110005\"}, \"response\": {\"code\": 48, \"error\": \"storm edwards gateway\", \"error_message\": \"retro wood cheese\", \"message\": \"ac apnic applicants\"}}, \"attacks\": [{\"tactics\": [{\"name\": \"Command and Control The adversary is trying to communicate with compromised systems to control them.\", \"uid\": \"TA0011\"}], \"technique\": {\"name\": \"Two-Factor Authentication Interception\", \"uid\": \"T1111\"}, \"version\": \"12.1\"}, {\"tactics\": [{\"name\": \"Credential Access The adversary is trying to steal account names and passwords.\", \"uid\": \"TA0006\"}, {\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}], \"technique\": {\"name\": \"Multiband Communication\", \"uid\": \"T1026\"}, \"version\": \"12.1\"}], \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Kernel Extension Activity\", \"class_uid\": 1002, \"cloud\": {\"org\": {\"name\": \"virus legislative schemes\", \"ou_name\": \"aus radical chess\", \"ou_uid\": \"19e79b26-61aa-11ee-bc41-0242ac110005\", \"uid\": 
\"19e79248-61aa-11ee-83d4-0242ac110005\"}, \"provider\": \"locations pharmaceutical aa\", \"region\": \"card heroes blogging\"}, \"device\": {\"first_seen_time\": 1695272181548, \"hostname\": \"founded.pro\", \"hypervisor\": \"consoles voting wellington\", \"image\": {\"name\": \"casinos my pacific\", \"uid\": \"19e81448-61aa-11ee-bc86-0242ac110005\"}, \"instance_uid\": \"19e7f62a-61aa-11ee-ace6-0242ac110005\", \"interface_name\": \"see namespace chef\", \"interface_uid\": \"19e80ce6-61aa-11ee-bfc1-0242ac110005\", \"ip\": \"81.2.69.142\", \"is_compliant\": true, \"modified_time_dt\": \"2023-10-03T05:02:50.203874Z\", \"name\": \"madagascar made stability\", \"region\": \"pledge cod growth\", \"type\": \"IOT\", \"type_id\": 7, \"uid\": \"19e7faee-61aa-11ee-a8f6-0242ac110005\"}, \"disposition\": \"Corrected\", \"disposition_id\": 11, \"driver\": {\"file\": {\"accessed_time\": 1695272181548, \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"AD3638015A285E049F3EC3B5E96251E3D84A6B834297290B20EF11FE7A6244828ED6FC9E0489232D7B3358C785AA96C87A77266713AD2FB1978142C9CFFD4BF8\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"A47AC519441CF481779776ED56ADE421DEE3E26D0134CAE10E1A518591CCA7AB105D38FE20C7E07843149FF290C536A9E4B0507095FD8A744AF530741D2427B7\"}], \"mime_type\": \"punishment/gaps\", \"name\": \"rail.m\", \"parent_folder\": \"worst jay funds/plc.deskthemepack\", \"path\": \"worst jay funds/plc.deskthemepack/rail.m\", \"type\": \"earning\", \"type_id\": 99, \"uid\": \"19e82104-61aa-11ee-8d53-0242ac110005\"}}, \"duration\": 56, \"message\": \"allan juice leader\", \"metadata\": {\"extension\": {\"name\": \"pirates went connecting\", \"uid\": \"19e7a6de-61aa-11ee-b198-0242ac110005\", \"version\": \"1.0.0\"}, \"log_name\": \"louisville displaying universities\", \"log_provider\": \"officially vehicles incorporated\", \"original_time\": \"bodies jenny chris\", \"product\": {\"lang\": \"en\", \"name\": \"completed longer 
likes\", \"path\": \"jc rim ranch\", \"uid\": \"19e7b8b8-61aa-11ee-b357-0242ac110005\", \"url_string\": \"placing\", \"vendor_name\": \"lcd belong academics\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"uid\": \"19e7be44-61aa-11ee-919d-0242ac110005\", \"version\": \"1.0.0\"}, \"severity\": \"Low\", \"severity_id\": 2, \"status\": \"Unknown\", \"status_detail\": \"tablets vernon opinion\", \"status_id\": 0, \"time\": 1695272181548, \"timezone_offset\": 26, \"type_name\": \"Kernel Extension Activity: Unload\", \"type_uid\": 100202}" + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_system_activity_3.json b/OCSF/ocsf/tests/test_system_activity_3.json new file mode 100644 index 000000000..2374373ca --- /dev/null +++ b/OCSF/ocsf/tests/test_system_activity_3.json 
@@ -0,0 +1,33 @@ +{ + "input": { + "message": "{\"message\": \"compile oasis hazards\", \"status\": \"Success\", \"time\": 1695272181548, \"device\": {\"name\": \"owned flyer thinkpad\", \"type\": \"Browser\", \"ip\": \"81.2.69.142\", \"desc\": \"recommendations norman ventures\", \"hostname\": \"indexes.jobs\", \"uid\": \"619223f4-61ac-11ee-9c42-0242ac110005\", \"type_id\": 8, \"autoscale_uid\": \"6191f41a-61ac-11ee-b68a-0242ac110005\", \"first_seen_time\": 1695272181548, \"hw_info\": {\"bios_manufacturer\": \"newman marble developed\", \"serial_number\": \"dave cst enlarge\"}, \"instance_uid\": \"61921fda-61ac-11ee-ad02-0242ac110005\", \"interface_name\": \"local rules scholarship\", \"interface_uid\": \"61922b1a-61ac-11ee-afbc-0242ac110005\", \"network_interfaces\": [{\"name\": \"hewlett dozens asthma\", \"type\": \"Mobile\", \"ip\": \"81.2.69.142\", \"hostname\": \"motherboard.info\", \"mac\": \"CE:92:5B:C1:90:45:60:31\", \"type_id\": 3, \"subnet_prefix\": 8}], \"region\": \"without featured amazon\", \"risk_level\": \"familiar motorcycles wild\", \"vpc_uid\": \"619230c4-61ac-11ee-8fa9-0242ac110005\", \"first_seen_time_dt\": \"2023-10-03T05:19:09.429787Z\"}, \"kernel\": {\"name\": \"summaries cornell blowing\", \"type\": \"System Call\", \"type_id\": 2}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"version\": \"1.0.0\", \"uid\": \"6191ccc4-61ac-11ee-aacf-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"editors coordinate cvs\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"inkjet klein mechanical\", \"log_provider\": \"any alexander rolling\", \"log_version\": \"receptor literally shut\", \"modified_time\": 1695272181548, \"original_time\": \"jewish ethiopia invitation\", \"modified_time_dt\": \"2023-10-03T05:19:09.427926Z\"}, \"severity\": \"Medium\", \"duration\": 24, \"disposition\": \"recipes\", \"type_name\": \"Kernel Activity: Create\", \"activity_id\": 1, \"disposition_id\": 99, 
\"type_uid\": 100301, \"observables\": [{\"name\": \"car trust sister\", \"type\": \"Fingerprint\", \"type_id\": 30}, {\"name\": \"evidence because locate\", \"type\": \"IP Address\", \"type_id\": 2}], \"category_name\": \"System Activity\", \"class_uid\": 1003, \"category_uid\": 1, \"class_name\": \"Kernel Activity\", \"timezone_offset\": 54, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}, {\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}, {\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}], \"technique\": {\"name\": \"Data Manipulation\", \"uid\": \"T1565\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Initial Access | The adversary is trying to get into your network.\", \"uid\": \"TA0001\"}, {\"name\": \"Credential Access The adversary is trying to steal account names and passwords.\", \"uid\": \"TA0006\"}, {\"name\": \"Persistence The adversary is trying to maintain their foothold.\", \"uid\": \"TA0003\"}], \"technique\": {\"name\": \"LSA Secrets\", \"uid\": \"T1003.004\"}}], \"activity_name\": \"Create\", \"actor\": {\"process\": {\"name\": \"Covering\", \"pid\": 91, \"file\": {\"name\": \"word.drv\", \"size\": 2389716033, \"type\": \"Unknown\", \"version\": \"1.0.0\", \"path\": \"cigarette until wc/ls.c/word.drv\", \"type_id\": 0, \"parent_folder\": \"cigarette until wc/ls.c\", \"confidentiality\": \"tulsa\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"C3BD5B24A4E0467F267EEA0A0378CB224839993F4AEB1BF9A9F519E8484E9A16344FE367E55D08DED2F892D80577FD485A3BC5CA66EB0AE7C1CFA0B33586E766\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"FEBD25D9812320828D7312326E19250E4439A6A99BCB4C740A8308671F571A6707A6D2A5A6066EB0DAA87071D23BE71ED56EAFF115D8AEAACEA125D283F45963\", 
\"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"security_descriptor\": \"hospitality conclusions wires\", \"xattributes\": {}}, \"user\": {\"name\": \"Beth\", \"type\": \"User\", \"uid\": \"6192672e-61ac-11ee-a3c0-0242ac110005\", \"type_id\": 1, \"full_name\": \"Winifred Idell\", \"credential_uid\": \"61926cce-61ac-11ee-8202-0242ac110005\"}, \"tid\": 36, \"uid\": \"6192707a-61ac-11ee-ac88-0242ac110005\", \"cmd_line\": \"fy believed resolutions\", \"container\": {\"name\": \"transaction titans lucky\", \"runtime\": \"justify red wit\", \"size\": 4198558845, \"tag\": \"gambling romance place\", \"uid\": \"61927746-61ac-11ee-b13c-0242ac110005\", \"image\": {\"name\": \"ac tcp helen\", \"uid\": \"61927e30-61ac-11ee-ab18-0242ac110005\", \"labels\": [\"maybe\"]}, \"hash\": {\"value\": \"F19FE42A1B9BB9BBFC77F8F0A52EC5C411DC9200836F0C5D41A56543D8951D5AD8A1FA6F248A975A90B28E8B5268C50F220F5CAE2B47F74A204FB47E835AAE80\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}}, \"created_time\": 1695272181548, \"namespace_pid\": 6, \"parent_process\": {\"name\": \"Elect\", \"file\": {\"name\": \"hazard.aif\", \"owner\": {\"name\": \"Principle\", \"type\": \"User\", \"uid\": \"6192910e-61ac-11ee-9b83-0242ac110005\", \"type_id\": 1, \"email_addr\": \"Ryann@libraries.store\"}, \"type\": \"Symbolic Link\", \"path\": \"seeds divx firefox/kirk.cbr/hazard.aif\", \"type_id\": 7, \"company_name\": \"Latisha Billye\", \"creator\": {\"name\": \"Remain\", \"type\": \"Unknown\", \"uid\": \"61929852-61ac-11ee-b767-0242ac110005\", \"type_id\": 0, \"uid_alt\": \"limitations compound viewer\"}, \"parent_folder\": \"seeds divx firefox/kirk.cbr\", \"hashes\": [{\"value\": \"C6141BDD46728A85659C19E84135237C41908EF3\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}]}, \"user\": {\"type\": \"System\", \"uid\": \"6192a298-61ac-11ee-a78f-0242ac110005\", \"org\": {\"name\": \"lexus porcelain february\", \"uid\": \"6192a810-61ac-11ee-bb74-0242ac110005\", \"ou_name\": \"realm lesson pal\"}, \"type_id\": 
3}, \"uid\": \"6192ac3e-61ac-11ee-a0ed-0242ac110005\", \"cmd_line\": \"volunteer trustees tax\", \"container\": {\"name\": \"stood moms serving\", \"size\": 1947076520, \"uid\": \"6192b44a-61ac-11ee-a1ac-0242ac110005\", \"image\": {\"name\": \"occupations pie meanwhile\", \"uid\": \"6192b990-61ac-11ee-b095-0242ac110005\"}, \"hash\": {\"value\": \"B85EC314BF443B797EF8A66B3B03F8A4\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, \"pod_uuid\": \"effectiveness\"}, \"created_time\": 1695272181548, \"namespace_pid\": 64, \"parent_process\": {\"name\": \"Rugs\", \"pid\": 77, \"file\": {\"attributes\": 21, \"name\": \"interests.png\", \"type\": \"Symbolic Link\", \"path\": \"wagon workforce whatever/boundaries.bat/interests.png\", \"modifier\": {\"name\": \"Few\", \"type\": \"System\", \"type_id\": 3, \"email_addr\": \"Winona@teens.web\"}, \"desc\": \"fruit hop dean\", \"type_id\": 7, \"parent_folder\": \"wagon workforce whatever/boundaries.bat\", \"hashes\": [{\"value\": \"8A1AB46C5F0A7BC9F0562A16DEBAB8746A8BEF57920B6FE78D0B18EE49175C8F8CC8CD5F02E37B486B4CA85EBA2B18558E2D171B09545BB234AD29AB09936187\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"is_system\": false, \"modified_time_dt\": \"2023-10-03T05:19:09.434332Z\"}, \"user\": {\"name\": \"Structured\", \"type\": \"Admin\", \"uid\": \"6192d272-61ac-11ee-ae27-0242ac110005\", \"type_id\": 2, \"account\": {\"name\": \"peer amounts pros\", \"type\": \"AWS IAM User\", \"uid\": \"6192dbaa-61ac-11ee-8151-0242ac110005\", \"type_id\": 3}, \"uid_alt\": \"allocation vector lexus\"}, \"uid\": \"6192dff6-61ac-11ee-89c7-0242ac110005\", \"session\": {\"uid\": \"6192e51e-61ac-11ee-8c76-0242ac110005\", \"issuer\": \"covers advise flux\", \"created_time\": 1695272181548, \"is_remote\": true}, \"cmd_line\": \"arlington charger skins\", \"created_time\": 1695272181548, \"namespace_pid\": 65, \"parent_process\": {\"name\": \"Infant\", \"pid\": 92, \"file\": {\"name\": \"border.bmp\", \"type\": \"Local Socket\", \"version\": 
\"1.0.0\", \"path\": \"exterior quick striking/females.cpp/border.bmp\", \"modifier\": {\"name\": \"Spots\", \"type\": \"System\", \"uid\": \"6192f6bc-61ac-11ee-9638-0242ac110005\", \"type_id\": 3, \"account\": {\"name\": \"lose fotos fraction\", \"type\": \"Azure AD Account\", \"type_id\": 6}}, \"product\": {\"name\": \"democratic announcement crime\", \"version\": \"1.0.0\", \"uid\": \"6192ff54-61ac-11ee-9d07-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"three schema bench\"}, \"type_id\": 5, \"parent_folder\": \"exterior quick striking/females.cpp\", \"accessed_time_dt\": \"2023-10-03T05:19:09.435701Z\"}, \"user\": {\"name\": \"Fires\", \"type\": \"User\", \"uid\": \"61930b98-61ac-11ee-bb18-0242ac110005\", \"org\": {\"name\": \"nationwide yea yoga\", \"uid\": \"6193126e-61ac-11ee-9d91-0242ac110005\", \"ou_name\": \"meeting kiss first\"}, \"type_id\": 1, \"credential_uid\": \"619318cc-61ac-11ee-82d0-0242ac110005\"}, \"tid\": 60, \"uid\": \"61931cbe-61ac-11ee-b447-0242ac110005\", \"loaded_modules\": [\"/te/ut/obviously/inform/assignment.cue\", \"/clicks/importance/raw/agenda/soccer.js\"], \"cmd_line\": \"trinity comfort varieties\", \"created_time\": 1695272181548, \"namespace_pid\": 54, \"parent_process\": {\"name\": \"Valid\", \"pid\": 27, \"file\": {\"name\": \"outline.msg\", \"type\": \"Unknown\", \"path\": \"visiting guide believe/intense.rss/outline.msg\", \"desc\": \"floating told foul\", \"type_id\": 0, \"parent_folder\": \"visiting guide believe/intense.rss\", \"accessed_time\": 1695272181548, \"confidentiality\": \"keeps integrate specifies\", \"hashes\": [{\"value\": \"5A4194525971186E774FC3205628B611B5CCCE42\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"11BA65852271CD24C56C865A9635B90616326949FF2BF6CD07EACAF788BAD320\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"security_descriptor\": \"chance gmc ghana\", \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:19:09.436838Z\"}, \"user\": {\"name\": \"Swing\", 
\"type\": \"User\", \"type_id\": 1, \"full_name\": \"Alfredo Pauline\"}, \"uid\": \"61933410-61ac-11ee-8072-0242ac110005\", \"cmd_line\": \"italian kid properly\", \"container\": {\"name\": \"additions wyoming weekly\", \"size\": 3239910166, \"tag\": \"practical metals respected\", \"uid\": \"61933e06-61ac-11ee-8e9b-0242ac110005\", \"image\": {\"name\": \"assessments effects soap\", \"uid\": \"61934414-61ac-11ee-943e-0242ac110005\"}, \"hash\": {\"value\": \"A34D9E58DB53A2451A09B961F644E04C794AEFD5AF71BB6785BF8D771D1BC27EABC888BE87A7B3E92BB750215FC097CEB0FD238D44C5494F35746A4A9A0B4159\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"pod_uuid\": \"hear\"}, \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"lineage\": [\"picked purchase freelance\", \"scripts hybrid worked\"], \"namespace_pid\": 65, \"parent_process\": {\"name\": \"Si\", \"file\": {\"name\": \"comes.css\", \"type\": \"Local Socket\", \"path\": \"death payday queens/fleece.app/comes.css\", \"modifier\": {\"name\": \"Feelings\", \"type\": \"Admin\", \"uid\": \"61935512-61ac-11ee-9f87-0242ac110005\", \"type_id\": 2, \"full_name\": \"Calvin Marquitta\"}, \"product\": {\"version\": \"1.0.0\", \"uid\": \"61935b2a-61ac-11ee-9f18-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"marie stays nested\"}, \"type_id\": 5, \"company_name\": \"Courtney Kendal\", \"mime_type\": \"reflects/shore\", \"parent_folder\": \"death payday queens/fleece.app\", \"hashes\": [{\"value\": \"7653C24F6B758E09C2F78D41ED16D4D98AC9589616AA7DDE3CE38AC3018F86F726082E5D7895E732CB2D0C979A4B85FE853F95A815DF845615257B5A82F05144\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"1D5072F894A9D4122CBB317567CA88F6EAF3C8B645271C7E86EF241EBC1EBA51\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time_dt\": \"2023-10-03T05:19:09.438101Z\"}, \"user\": {\"type\": \"Admin\", \"uid\": \"61936e76-61ac-11ee-aa0d-0242ac110005\", \"org\": {\"name\": \"msgstr et pure\", \"uid\": 
\"619374a2-61ac-11ee-8d19-0242ac110005\", \"ou_name\": \"mg usa blair\"}, \"groups\": [{\"name\": \"tires online movement\", \"uid\": \"61937b46-61ac-11ee-8129-0242ac110005\", \"privileges\": [\"jan hindu collectible\", \"competitors antique disc\"]}, {\"name\": \"raymond shirts techno\", \"uid\": \"619380aa-61ac-11ee-9e69-0242ac110005\"}], \"type_id\": 2, \"credential_uid\": \"61938474-61ac-11ee-8547-0242ac110005\", \"email_addr\": \"Ilana@moses.firm\", \"uid_alt\": \"serbia named dns\"}, \"tid\": 9, \"uid\": \"6193888e-61ac-11ee-92f7-0242ac110005\", \"loaded_modules\": [\"/handbook/great/egyptian/guestbook/died.bat\", \"/matrix/ecommerce/management/just/songs.dcr\"], \"cmd_line\": \"injured metabolism martha\", \"container\": {\"name\": \"optimize unsigned reforms\", \"size\": 1197726829, \"uid\": \"619392fc-61ac-11ee-95a0-0242ac110005\", \"image\": {\"name\": \"versions soc fifteen\", \"tag\": \"actors des guardian\", \"uid\": \"61939900-61ac-11ee-89bb-0242ac110005\", \"labels\": [\"put\", \"experience\"]}, \"hash\": {\"value\": \"EA07DCC807FFE0D653259BB7C0DE7E6F136D741B4596E3E11BD60E98F38FE0B5\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695272181548, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"namespace_pid\": 54, \"terminated_time_dt\": \"2023-10-03T05:19:09.439671Z\"}}}, \"terminated_time\": 1695272181548}}, \"created_time_dt\": \"2023-10-03T05:19:09.439688Z\"}, \"user\": {\"name\": \"Affect\", \"type\": \"User\", \"uid\": \"6193a4e0-61ac-11ee-9d49-0242ac110005\", \"type_id\": 1}, \"session\": {\"uid\": \"6193ab66-61ac-11ee-b4d7-0242ac110005\", \"issuer\": \"conventional tar relay\", \"created_time\": 1695272181548}, \"idp\": {\"name\": \"rachel grey swiss\", \"uid\": \"6193b0ca-61ac-11ee-b37d-0242ac110005\"}, \"invoked_by\": \"substitute choice extent\"}, \"cloud\": {\"provider\": \"newman banned showcase\", \"region\": \"realized remarkable accompanied\", \"zone\": \"friend drops those\"}, \"severity_id\": 3, 
\"status_code\": \"user\", \"status_id\": 1, \"time_dt\": \"2023-10-03T05:19:09.440241Z\"}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"message\": \"compile oasis hazards\", \"status\": \"Success\", \"time\": 1695272181548, \"device\": {\"name\": \"owned flyer thinkpad\", \"type\": \"Browser\", \"ip\": \"81.2.69.142\", \"desc\": \"recommendations norman ventures\", \"hostname\": \"indexes.jobs\", \"uid\": \"619223f4-61ac-11ee-9c42-0242ac110005\", \"type_id\": 8, \"autoscale_uid\": \"6191f41a-61ac-11ee-b68a-0242ac110005\", \"first_seen_time\": 1695272181548, \"hw_info\": {\"bios_manufacturer\": \"newman marble developed\", \"serial_number\": \"dave cst enlarge\"}, \"instance_uid\": \"61921fda-61ac-11ee-ad02-0242ac110005\", \"interface_name\": \"local rules scholarship\", \"interface_uid\": \"61922b1a-61ac-11ee-afbc-0242ac110005\", \"network_interfaces\": [{\"name\": \"hewlett dozens asthma\", \"type\": \"Mobile\", \"ip\": \"81.2.69.142\", \"hostname\": \"motherboard.info\", \"mac\": \"CE:92:5B:C1:90:45:60:31\", \"type_id\": 3, \"subnet_prefix\": 8}], \"region\": \"without featured amazon\", \"risk_level\": \"familiar motorcycles wild\", \"vpc_uid\": \"619230c4-61ac-11ee-8fa9-0242ac110005\", \"first_seen_time_dt\": \"2023-10-03T05:19:09.429787Z\"}, \"kernel\": {\"name\": \"summaries cornell blowing\", \"type\": \"System Call\", \"type_id\": 2}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"version\": \"1.0.0\", \"uid\": \"6191ccc4-61ac-11ee-aacf-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"editors coordinate cvs\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"inkjet klein mechanical\", \"log_provider\": \"any alexander rolling\", \"log_version\": \"receptor literally shut\", \"modified_time\": 1695272181548, \"original_time\": \"jewish ethiopia invitation\", \"modified_time_dt\": 
\"2023-10-03T05:19:09.427926Z\"}, \"severity\": \"Medium\", \"duration\": 24, \"disposition\": \"recipes\", \"type_name\": \"Kernel Activity: Create\", \"activity_id\": 1, \"disposition_id\": 99, \"type_uid\": 100301, \"observables\": [{\"name\": \"car trust sister\", \"type\": \"Fingerprint\", \"type_id\": 30}, {\"name\": \"evidence because locate\", \"type\": \"IP Address\", \"type_id\": 2}], \"category_name\": \"System Activity\", \"class_uid\": 1003, \"category_uid\": 1, \"class_name\": \"Kernel Activity\", \"timezone_offset\": 54, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}, {\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}, {\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}], \"technique\": {\"name\": \"Data Manipulation\", \"uid\": \"T1565\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Initial Access | The adversary is trying to get into your network.\", \"uid\": \"TA0001\"}, {\"name\": \"Credential Access The adversary is trying to steal account names and passwords.\", \"uid\": \"TA0006\"}, {\"name\": \"Persistence The adversary is trying to maintain their foothold.\", \"uid\": \"TA0003\"}], \"technique\": {\"name\": \"LSA Secrets\", \"uid\": \"T1003.004\"}}], \"activity_name\": \"Create\", \"actor\": {\"process\": {\"name\": \"Covering\", \"pid\": 91, \"file\": {\"name\": \"word.drv\", \"size\": 2389716033, \"type\": \"Unknown\", \"version\": \"1.0.0\", \"path\": \"cigarette until wc/ls.c/word.drv\", \"type_id\": 0, \"parent_folder\": \"cigarette until wc/ls.c\", \"confidentiality\": \"tulsa\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"C3BD5B24A4E0467F267EEA0A0378CB224839993F4AEB1BF9A9F519E8484E9A16344FE367E55D08DED2F892D80577FD485A3BC5CA66EB0AE7C1CFA0B33586E766\", 
\"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"FEBD25D9812320828D7312326E19250E4439A6A99BCB4C740A8308671F571A6707A6D2A5A6066EB0DAA87071D23BE71ED56EAFF115D8AEAACEA125D283F45963\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"security_descriptor\": \"hospitality conclusions wires\", \"xattributes\": {}}, \"user\": {\"name\": \"Beth\", \"type\": \"User\", \"uid\": \"6192672e-61ac-11ee-a3c0-0242ac110005\", \"type_id\": 1, \"full_name\": \"Winifred Idell\", \"credential_uid\": \"61926cce-61ac-11ee-8202-0242ac110005\"}, \"tid\": 36, \"uid\": \"6192707a-61ac-11ee-ac88-0242ac110005\", \"cmd_line\": \"fy believed resolutions\", \"container\": {\"name\": \"transaction titans lucky\", \"runtime\": \"justify red wit\", \"size\": 4198558845, \"tag\": \"gambling romance place\", \"uid\": \"61927746-61ac-11ee-b13c-0242ac110005\", \"image\": {\"name\": \"ac tcp helen\", \"uid\": \"61927e30-61ac-11ee-ab18-0242ac110005\", \"labels\": [\"maybe\"]}, \"hash\": {\"value\": \"F19FE42A1B9BB9BBFC77F8F0A52EC5C411DC9200836F0C5D41A56543D8951D5AD8A1FA6F248A975A90B28E8B5268C50F220F5CAE2B47F74A204FB47E835AAE80\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}}, \"created_time\": 1695272181548, \"namespace_pid\": 6, \"parent_process\": {\"name\": \"Elect\", \"file\": {\"name\": \"hazard.aif\", \"owner\": {\"name\": \"Principle\", \"type\": \"User\", \"uid\": \"6192910e-61ac-11ee-9b83-0242ac110005\", \"type_id\": 1, \"email_addr\": \"Ryann@libraries.store\"}, \"type\": \"Symbolic Link\", \"path\": \"seeds divx firefox/kirk.cbr/hazard.aif\", \"type_id\": 7, \"company_name\": \"Latisha Billye\", \"creator\": {\"name\": \"Remain\", \"type\": \"Unknown\", \"uid\": \"61929852-61ac-11ee-b767-0242ac110005\", \"type_id\": 0, \"uid_alt\": \"limitations compound viewer\"}, \"parent_folder\": \"seeds divx firefox/kirk.cbr\", \"hashes\": [{\"value\": \"C6141BDD46728A85659C19E84135237C41908EF3\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}]}, \"user\": {\"type\": \"System\", 
\"uid\": \"6192a298-61ac-11ee-a78f-0242ac110005\", \"org\": {\"name\": \"lexus porcelain february\", \"uid\": \"6192a810-61ac-11ee-bb74-0242ac110005\", \"ou_name\": \"realm lesson pal\"}, \"type_id\": 3}, \"uid\": \"6192ac3e-61ac-11ee-a0ed-0242ac110005\", \"cmd_line\": \"volunteer trustees tax\", \"container\": {\"name\": \"stood moms serving\", \"size\": 1947076520, \"uid\": \"6192b44a-61ac-11ee-a1ac-0242ac110005\", \"image\": {\"name\": \"occupations pie meanwhile\", \"uid\": \"6192b990-61ac-11ee-b095-0242ac110005\"}, \"hash\": {\"value\": \"B85EC314BF443B797EF8A66B3B03F8A4\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, \"pod_uuid\": \"effectiveness\"}, \"created_time\": 1695272181548, \"namespace_pid\": 64, \"parent_process\": {\"name\": \"Rugs\", \"pid\": 77, \"file\": {\"attributes\": 21, \"name\": \"interests.png\", \"type\": \"Symbolic Link\", \"path\": \"wagon workforce whatever/boundaries.bat/interests.png\", \"modifier\": {\"name\": \"Few\", \"type\": \"System\", \"type_id\": 3, \"email_addr\": \"Winona@teens.web\"}, \"desc\": \"fruit hop dean\", \"type_id\": 7, \"parent_folder\": \"wagon workforce whatever/boundaries.bat\", \"hashes\": [{\"value\": \"8A1AB46C5F0A7BC9F0562A16DEBAB8746A8BEF57920B6FE78D0B18EE49175C8F8CC8CD5F02E37B486B4CA85EBA2B18558E2D171B09545BB234AD29AB09936187\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"is_system\": false, \"modified_time_dt\": \"2023-10-03T05:19:09.434332Z\"}, \"user\": {\"name\": \"Structured\", \"type\": \"Admin\", \"uid\": \"6192d272-61ac-11ee-ae27-0242ac110005\", \"type_id\": 2, \"account\": {\"name\": \"peer amounts pros\", \"type\": \"AWS IAM User\", \"uid\": \"6192dbaa-61ac-11ee-8151-0242ac110005\", \"type_id\": 3}, \"uid_alt\": \"allocation vector lexus\"}, \"uid\": \"6192dff6-61ac-11ee-89c7-0242ac110005\", \"session\": {\"uid\": \"6192e51e-61ac-11ee-8c76-0242ac110005\", \"issuer\": \"covers advise flux\", \"created_time\": 1695272181548, \"is_remote\": true}, \"cmd_line\": \"arlington charger 
skins\", \"created_time\": 1695272181548, \"namespace_pid\": 65, \"parent_process\": {\"name\": \"Infant\", \"pid\": 92, \"file\": {\"name\": \"border.bmp\", \"type\": \"Local Socket\", \"version\": \"1.0.0\", \"path\": \"exterior quick striking/females.cpp/border.bmp\", \"modifier\": {\"name\": \"Spots\", \"type\": \"System\", \"uid\": \"6192f6bc-61ac-11ee-9638-0242ac110005\", \"type_id\": 3, \"account\": {\"name\": \"lose fotos fraction\", \"type\": \"Azure AD Account\", \"type_id\": 6}}, \"product\": {\"name\": \"democratic announcement crime\", \"version\": \"1.0.0\", \"uid\": \"6192ff54-61ac-11ee-9d07-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"three schema bench\"}, \"type_id\": 5, \"parent_folder\": \"exterior quick striking/females.cpp\", \"accessed_time_dt\": \"2023-10-03T05:19:09.435701Z\"}, \"user\": {\"name\": \"Fires\", \"type\": \"User\", \"uid\": \"61930b98-61ac-11ee-bb18-0242ac110005\", \"org\": {\"name\": \"nationwide yea yoga\", \"uid\": \"6193126e-61ac-11ee-9d91-0242ac110005\", \"ou_name\": \"meeting kiss first\"}, \"type_id\": 1, \"credential_uid\": \"619318cc-61ac-11ee-82d0-0242ac110005\"}, \"tid\": 60, \"uid\": \"61931cbe-61ac-11ee-b447-0242ac110005\", \"loaded_modules\": [\"/te/ut/obviously/inform/assignment.cue\", \"/clicks/importance/raw/agenda/soccer.js\"], \"cmd_line\": \"trinity comfort varieties\", \"created_time\": 1695272181548, \"namespace_pid\": 54, \"parent_process\": {\"name\": \"Valid\", \"pid\": 27, \"file\": {\"name\": \"outline.msg\", \"type\": \"Unknown\", \"path\": \"visiting guide believe/intense.rss/outline.msg\", \"desc\": \"floating told foul\", \"type_id\": 0, \"parent_folder\": \"visiting guide believe/intense.rss\", \"accessed_time\": 1695272181548, \"confidentiality\": \"keeps integrate specifies\", \"hashes\": [{\"value\": \"5A4194525971186E774FC3205628B611B5CCCE42\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"11BA65852271CD24C56C865A9635B90616326949FF2BF6CD07EACAF788BAD320\", 
\"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"security_descriptor\": \"chance gmc ghana\", \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:19:09.436838Z\"}, \"user\": {\"name\": \"Swing\", \"type\": \"User\", \"type_id\": 1, \"full_name\": \"Alfredo Pauline\"}, \"uid\": \"61933410-61ac-11ee-8072-0242ac110005\", \"cmd_line\": \"italian kid properly\", \"container\": {\"name\": \"additions wyoming weekly\", \"size\": 3239910166, \"tag\": \"practical metals respected\", \"uid\": \"61933e06-61ac-11ee-8e9b-0242ac110005\", \"image\": {\"name\": \"assessments effects soap\", \"uid\": \"61934414-61ac-11ee-943e-0242ac110005\"}, \"hash\": {\"value\": \"A34D9E58DB53A2451A09B961F644E04C794AEFD5AF71BB6785BF8D771D1BC27EABC888BE87A7B3E92BB750215FC097CEB0FD238D44C5494F35746A4A9A0B4159\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"pod_uuid\": \"hear\"}, \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"lineage\": [\"picked purchase freelance\", \"scripts hybrid worked\"], \"namespace_pid\": 65, \"parent_process\": {\"name\": \"Si\", \"file\": {\"name\": \"comes.css\", \"type\": \"Local Socket\", \"path\": \"death payday queens/fleece.app/comes.css\", \"modifier\": {\"name\": \"Feelings\", \"type\": \"Admin\", \"uid\": \"61935512-61ac-11ee-9f87-0242ac110005\", \"type_id\": 2, \"full_name\": \"Calvin Marquitta\"}, \"product\": {\"version\": \"1.0.0\", \"uid\": \"61935b2a-61ac-11ee-9f18-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"marie stays nested\"}, \"type_id\": 5, \"company_name\": \"Courtney Kendal\", \"mime_type\": \"reflects/shore\", \"parent_folder\": \"death payday queens/fleece.app\", \"hashes\": [{\"value\": \"7653C24F6B758E09C2F78D41ED16D4D98AC9589616AA7DDE3CE38AC3018F86F726082E5D7895E732CB2D0C979A4B85FE853F95A815DF845615257B5A82F05144\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"1D5072F894A9D4122CBB317567CA88F6EAF3C8B645271C7E86EF241EBC1EBA51\", \"algorithm\": \"SHA-256\", 
\"algorithm_id\": 3}], \"created_time_dt\": \"2023-10-03T05:19:09.438101Z\"}, \"user\": {\"type\": \"Admin\", \"uid\": \"61936e76-61ac-11ee-aa0d-0242ac110005\", \"org\": {\"name\": \"msgstr et pure\", \"uid\": \"619374a2-61ac-11ee-8d19-0242ac110005\", \"ou_name\": \"mg usa blair\"}, \"groups\": [{\"name\": \"tires online movement\", \"uid\": \"61937b46-61ac-11ee-8129-0242ac110005\", \"privileges\": [\"jan hindu collectible\", \"competitors antique disc\"]}, {\"name\": \"raymond shirts techno\", \"uid\": \"619380aa-61ac-11ee-9e69-0242ac110005\"}], \"type_id\": 2, \"credential_uid\": \"61938474-61ac-11ee-8547-0242ac110005\", \"email_addr\": \"Ilana@moses.firm\", \"uid_alt\": \"serbia named dns\"}, \"tid\": 9, \"uid\": \"6193888e-61ac-11ee-92f7-0242ac110005\", \"loaded_modules\": [\"/handbook/great/egyptian/guestbook/died.bat\", \"/matrix/ecommerce/management/just/songs.dcr\"], \"cmd_line\": \"injured metabolism martha\", \"container\": {\"name\": \"optimize unsigned reforms\", \"size\": 1197726829, \"uid\": \"619392fc-61ac-11ee-95a0-0242ac110005\", \"image\": {\"name\": \"versions soc fifteen\", \"tag\": \"actors des guardian\", \"uid\": \"61939900-61ac-11ee-89bb-0242ac110005\", \"labels\": [\"put\", \"experience\"]}, \"hash\": {\"value\": \"EA07DCC807FFE0D653259BB7C0DE7E6F136D741B4596E3E11BD60E98F38FE0B5\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695272181548, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"namespace_pid\": 54, \"terminated_time_dt\": \"2023-10-03T05:19:09.439671Z\"}}}, \"terminated_time\": 1695272181548}}, \"created_time_dt\": \"2023-10-03T05:19:09.439688Z\"}, \"user\": {\"name\": \"Affect\", \"type\": \"User\", \"uid\": \"6193a4e0-61ac-11ee-9d49-0242ac110005\", \"type_id\": 1}, \"session\": {\"uid\": \"6193ab66-61ac-11ee-b4d7-0242ac110005\", \"issuer\": \"conventional tar relay\", \"created_time\": 1695272181548}, \"idp\": {\"name\": \"rachel grey swiss\", \"uid\": \"6193b0ca-61ac-11ee-b37d-0242ac110005\"}, 
\"invoked_by\": \"substitute choice extent\"}, \"cloud\": {\"provider\": \"newman banned showcase\", \"region\": \"realized remarkable accompanied\", \"zone\": \"friend drops those\"}, \"severity_id\": 3, \"status_code\": \"user\", \"status_id\": 1, \"time_dt\": \"2023-10-03T05:19:09.440241Z\"}",
+ "event": {
+ "action": "create",
+ "category": [
+ "driver"
+ ],
+ "duration": 24000000,
+ "outcome": "success",
+ "provider": "any alexander rolling",
+ "severity": 3,
+ "type": [
+ "info"
+ ]
+ },
+ "cloud": {
+ "availability_zone": "friend drops those",
+ "provider": "newman banned showcase",
+ "region": "realized remarkable accompanied"
+ },
+ "ocsf": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"actor\": {\"idp\": {\"name\": \"rachel grey swiss\", \"uid\": \"6193b0ca-61ac-11ee-b37d-0242ac110005\"}, \"invoked_by\": \"substitute choice extent\", \"process\": {\"cmd_line\": \"fy believed resolutions\", \"container\": {\"hash\": {\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"F19FE42A1B9BB9BBFC77F8F0A52EC5C411DC9200836F0C5D41A56543D8951D5AD8A1FA6F248A975A90B28E8B5268C50F220F5CAE2B47F74A204FB47E835AAE80\"}, \"image\": {\"labels\": [\"maybe\"], \"name\": \"ac tcp helen\", \"uid\": \"61927e30-61ac-11ee-ab18-0242ac110005\"}, \"name\": \"transaction titans lucky\", \"runtime\": \"justify red wit\", \"size\": 4198558845, \"tag\": \"gambling romance place\", \"uid\": \"61927746-61ac-11ee-b13c-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:19:09.439688Z\", \"file\": {\"confidentiality\": \"tulsa\", \"confidentiality_id\": 99, \"hashes\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"C3BD5B24A4E0467F267EEA0A0378CB224839993F4AEB1BF9A9F519E8484E9A16344FE367E55D08DED2F892D80577FD485A3BC5CA66EB0AE7C1CFA0B33586E766\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": 
\"FEBD25D9812320828D7312326E19250E4439A6A99BCB4C740A8308671F571A6707A6D2A5A6066EB0DAA87071D23BE71ED56EAFF115D8AEAACEA125D283F45963\"}], \"name\": \"word.drv\", \"parent_folder\": \"cigarette until wc/ls.c\", \"path\": \"cigarette until wc/ls.c/word.drv\", \"security_descriptor\": \"hospitality conclusions wires\", \"size\": 2389716033, \"type\": \"Unknown\", \"type_id\": 0, \"version\": \"1.0.0\", \"xattributes\": {}}, \"name\": \"Covering\", \"namespace_pid\": 6, \"parent_process\": {\"cmd_line\": \"volunteer trustees tax\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"B85EC314BF443B797EF8A66B3B03F8A4\"}, \"image\": {\"name\": \"occupations pie meanwhile\", \"uid\": \"6192b990-61ac-11ee-b095-0242ac110005\"}, \"name\": \"stood moms serving\", \"pod_uuid\": \"effectiveness\", \"size\": 1947076520, \"uid\": \"6192b44a-61ac-11ee-a1ac-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Latisha Billye\", \"creator\": {\"name\": \"Remain\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"61929852-61ac-11ee-b767-0242ac110005\", \"uid_alt\": \"limitations compound viewer\"}, \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"C6141BDD46728A85659C19E84135237C41908EF3\"}], \"name\": \"hazard.aif\", \"owner\": {\"email_addr\": \"Ryann@libraries.store\", \"name\": \"Principle\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"6192910e-61ac-11ee-9b83-0242ac110005\"}, \"parent_folder\": \"seeds divx firefox/kirk.cbr\", \"path\": \"seeds divx firefox/kirk.cbr/hazard.aif\", \"type\": \"Symbolic Link\", \"type_id\": 7}, \"name\": \"Elect\", \"namespace_pid\": 64, \"parent_process\": {\"cmd_line\": \"arlington charger skins\", \"created_time\": 1695272181548, \"file\": {\"attributes\": 21, \"desc\": \"fruit hop dean\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": 
\"8A1AB46C5F0A7BC9F0562A16DEBAB8746A8BEF57920B6FE78D0B18EE49175C8F8CC8CD5F02E37B486B4CA85EBA2B18558E2D171B09545BB234AD29AB09936187\"}], \"is_system\": false, \"modified_time_dt\": \"2023-10-03T05:19:09.434332Z\", \"modifier\": {\"email_addr\": \"Winona@teens.web\", \"name\": \"Few\", \"type\": \"System\", \"type_id\": 3}, \"name\": \"interests.png\", \"parent_folder\": \"wagon workforce whatever/boundaries.bat\", \"path\": \"wagon workforce whatever/boundaries.bat/interests.png\", \"type\": \"Symbolic Link\", \"type_id\": 7}, \"name\": \"Rugs\", \"namespace_pid\": 65, \"parent_process\": {\"cmd_line\": \"trinity comfort varieties\", \"created_time\": 1695272181548, \"file\": {\"accessed_time_dt\": \"2023-10-03T05:19:09.435701Z\", \"modifier\": {\"account\": {\"name\": \"lose fotos fraction\", \"type\": \"Azure AD Account\", \"type_id\": 6}, \"name\": \"Spots\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"6192f6bc-61ac-11ee-9638-0242ac110005\"}, \"name\": \"border.bmp\", \"parent_folder\": \"exterior quick striking/females.cpp\", \"path\": \"exterior quick striking/females.cpp/border.bmp\", \"product\": {\"lang\": \"en\", \"name\": \"democratic announcement crime\", \"uid\": \"6192ff54-61ac-11ee-9d07-0242ac110005\", \"vendor_name\": \"three schema bench\", \"version\": \"1.0.0\"}, \"type\": \"Local Socket\", \"type_id\": 5, \"version\": \"1.0.0\"}, \"loaded_modules\": [\"/te/ut/obviously/inform/assignment.cue\", \"/clicks/importance/raw/agenda/soccer.js\"], \"name\": \"Infant\", \"namespace_pid\": 54, \"parent_process\": {\"cmd_line\": \"italian kid properly\", \"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"A34D9E58DB53A2451A09B961F644E04C794AEFD5AF71BB6785BF8D771D1BC27EABC888BE87A7B3E92BB750215FC097CEB0FD238D44C5494F35746A4A9A0B4159\"}, \"image\": {\"name\": \"assessments effects soap\", \"uid\": \"61934414-61ac-11ee-943e-0242ac110005\"}, \"name\": \"additions wyoming weekly\", \"pod_uuid\": \"hear\", \"size\": 
3239910166, \"tag\": \"practical metals respected\", \"uid\": \"61933e06-61ac-11ee-8e9b-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessed_time\": 1695272181548, \"confidentiality\": \"keeps integrate specifies\", \"created_time_dt\": \"2023-10-03T05:19:09.436838Z\", \"desc\": \"floating told foul\", \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"5A4194525971186E774FC3205628B611B5CCCE42\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"11BA65852271CD24C56C865A9635B90616326949FF2BF6CD07EACAF788BAD320\"}], \"name\": \"outline.msg\", \"parent_folder\": \"visiting guide believe/intense.rss\", \"path\": \"visiting guide believe/intense.rss/outline.msg\", \"security_descriptor\": \"chance gmc ghana\", \"type\": \"Unknown\", \"type_id\": 0, \"xattributes\": {}}, \"integrity\": \"High\", \"integrity_id\": 4, \"lineage\": [\"picked purchase freelance\", \"scripts hybrid worked\"], \"name\": \"Valid\", \"namespace_pid\": 65, \"parent_process\": {\"cmd_line\": \"injured metabolism martha\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"EA07DCC807FFE0D653259BB7C0DE7E6F136D741B4596E3E11BD60E98F38FE0B5\"}, \"image\": {\"labels\": [\"put\", \"experience\"], \"name\": \"versions soc fifteen\", \"tag\": \"actors des guardian\", \"uid\": \"61939900-61ac-11ee-89bb-0242ac110005\"}, \"name\": \"optimize unsigned reforms\", \"size\": 1197726829, \"uid\": \"619392fc-61ac-11ee-95a0-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Courtney Kendal\", \"created_time_dt\": \"2023-10-03T05:19:09.438101Z\", \"hashes\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"7653C24F6B758E09C2F78D41ED16D4D98AC9589616AA7DDE3CE38AC3018F86F726082E5D7895E732CB2D0C979A4B85FE853F95A815DF845615257B5A82F05144\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"1D5072F894A9D4122CBB317567CA88F6EAF3C8B645271C7E86EF241EBC1EBA51\"}], \"mime_type\": 
\"reflects/shore\", \"modifier\": {\"full_name\": \"Calvin Marquitta\", \"name\": \"Feelings\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"61935512-61ac-11ee-9f87-0242ac110005\"}, \"name\": \"comes.css\", \"parent_folder\": \"death payday queens/fleece.app\", \"path\": \"death payday queens/fleece.app/comes.css\", \"product\": {\"lang\": \"en\", \"uid\": \"61935b2a-61ac-11ee-9f18-0242ac110005\", \"vendor_name\": \"marie stays nested\", \"version\": \"1.0.0\"}, \"type\": \"Local Socket\", \"type_id\": 5}, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"loaded_modules\": [\"/handbook/great/egyptian/guestbook/died.bat\", \"/matrix/ecommerce/management/just/songs.dcr\"], \"name\": \"Si\", \"namespace_pid\": 54, \"terminated_time_dt\": \"2023-10-03T05:19:09.439671Z\", \"tid\": 9, \"uid\": \"6193888e-61ac-11ee-92f7-0242ac110005\", \"user\": {\"credential_uid\": \"61938474-61ac-11ee-8547-0242ac110005\", \"email_addr\": \"Ilana@moses.firm\", \"groups\": [{\"name\": \"tires online movement\", \"privileges\": [\"jan hindu collectible\", \"competitors antique disc\"], \"uid\": \"61937b46-61ac-11ee-8129-0242ac110005\"}, {\"name\": \"raymond shirts techno\", \"uid\": \"619380aa-61ac-11ee-9e69-0242ac110005\"}], \"org\": {\"name\": \"msgstr et pure\", \"ou_name\": \"mg usa blair\", \"uid\": \"619374a2-61ac-11ee-8d19-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"61936e76-61ac-11ee-aa0d-0242ac110005\", \"uid_alt\": \"serbia named dns\"}}, \"pid\": 27, \"uid\": \"61933410-61ac-11ee-8072-0242ac110005\", \"user\": {\"full_name\": \"Alfredo Pauline\", \"name\": \"Swing\", \"type\": \"User\", \"type_id\": 1}}, \"pid\": 92, \"tid\": 60, \"uid\": \"61931cbe-61ac-11ee-b447-0242ac110005\", \"user\": {\"credential_uid\": \"619318cc-61ac-11ee-82d0-0242ac110005\", \"name\": \"Fires\", \"org\": {\"name\": \"nationwide yea yoga\", \"ou_name\": \"meeting kiss first\", \"uid\": \"6193126e-61ac-11ee-9d91-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": 
\"61930b98-61ac-11ee-bb18-0242ac110005\"}}, \"pid\": 77, \"session\": {\"created_time\": 1695272181548, \"is_remote\": true, \"issuer\": \"covers advise flux\", \"uid\": \"6192e51e-61ac-11ee-8c76-0242ac110005\"}, \"terminated_time\": 1695272181548, \"uid\": \"6192dff6-61ac-11ee-89c7-0242ac110005\", \"user\": {\"account\": {\"name\": \"peer amounts pros\", \"type\": \"AWS IAM User\", \"type_id\": 3, \"uid\": \"6192dbaa-61ac-11ee-8151-0242ac110005\"}, \"name\": \"Structured\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"6192d272-61ac-11ee-ae27-0242ac110005\", \"uid_alt\": \"allocation vector lexus\"}}, \"uid\": \"6192ac3e-61ac-11ee-a0ed-0242ac110005\", \"user\": {\"org\": {\"name\": \"lexus porcelain february\", \"ou_name\": \"realm lesson pal\", \"uid\": \"6192a810-61ac-11ee-bb74-0242ac110005\"}, \"type\": \"System\", \"type_id\": 3, \"uid\": \"6192a298-61ac-11ee-a78f-0242ac110005\"}}, \"pid\": 91, \"tid\": 36, \"uid\": \"6192707a-61ac-11ee-ac88-0242ac110005\", \"user\": {\"credential_uid\": \"61926cce-61ac-11ee-8202-0242ac110005\", \"full_name\": \"Winifred Idell\", \"name\": \"Beth\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"6192672e-61ac-11ee-a3c0-0242ac110005\"}}, \"session\": {\"created_time\": 1695272181548, \"issuer\": \"conventional tar relay\", \"uid\": \"6193ab66-61ac-11ee-b4d7-0242ac110005\"}, \"user\": {\"name\": \"Affect\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"6193a4e0-61ac-11ee-9d49-0242ac110005\"}}, \"attacks\": [{\"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}, {\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}, {\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}], \"technique\": {\"name\": \"Data Manipulation\", \"uid\": \"T1565\"}, \"version\": \"12.1\"}, {\"tactics\": [{\"name\": \"Initial Access | The 
adversary is trying to get into your network.\", \"uid\": \"TA0001\"}, {\"name\": \"Credential Access The adversary is trying to steal account names and passwords.\", \"uid\": \"TA0006\"}, {\"name\": \"Persistence The adversary is trying to maintain their foothold.\", \"uid\": \"TA0003\"}], \"technique\": {\"name\": \"LSA Secrets\", \"uid\": \"T1003.004\"}, \"version\": \"12.1\"}], \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Kernel Activity\", \"class_uid\": 1003, \"cloud\": {\"provider\": \"newman banned showcase\", \"region\": \"realized remarkable accompanied\", \"zone\": \"friend drops those\"}, \"device\": {\"autoscale_uid\": \"6191f41a-61ac-11ee-b68a-0242ac110005\", \"desc\": \"recommendations norman ventures\", \"first_seen_time\": 1695272181548, \"first_seen_time_dt\": \"2023-10-03T05:19:09.429787Z\", \"hostname\": \"indexes.jobs\", \"hw_info\": {\"bios_manufacturer\": \"newman marble developed\", \"serial_number\": \"dave cst enlarge\"}, \"instance_uid\": \"61921fda-61ac-11ee-ad02-0242ac110005\", \"interface_name\": \"local rules scholarship\", \"interface_uid\": \"61922b1a-61ac-11ee-afbc-0242ac110005\", \"ip\": \"81.2.69.142\", \"name\": \"owned flyer thinkpad\", \"network_interfaces\": [{\"hostname\": \"motherboard.info\", \"ip\": \"81.2.69.142\", \"mac\": \"CE:92:5B:C1:90:45:60:31\", \"name\": \"hewlett dozens asthma\", \"subnet_prefix\": 8, \"type\": \"Mobile\", \"type_id\": 3}], \"region\": \"without featured amazon\", \"risk_level\": \"familiar motorcycles wild\", \"type\": \"Browser\", \"type_id\": 8, \"uid\": \"619223f4-61ac-11ee-9c42-0242ac110005\", \"vpc_uid\": \"619230c4-61ac-11ee-8fa9-0242ac110005\"}, \"disposition\": \"recipes\", \"disposition_id\": 99, \"duration\": 24, \"kernel\": {\"name\": \"summaries cornell blowing\", \"type\": \"System Call\", \"type_id\": 2}, \"message\": \"compile oasis hazards\", \"metadata\": {\"log_name\": \"inkjet klein mechanical\", \"log_provider\": \"any alexander rolling\", 
\"log_version\": \"receptor literally shut\", \"modified_time\": 1695272181548, \"modified_time_dt\": \"2023-10-03T05:19:09.427926Z\", \"original_time\": \"jewish ethiopia invitation\", \"product\": {\"lang\": \"en\", \"uid\": \"6191ccc4-61ac-11ee-aacf-0242ac110005\", \"vendor_name\": \"editors coordinate cvs\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"version\": \"1.0.0\"}, \"observables\": [{\"name\": \"car trust sister\", \"type\": \"Fingerprint\", \"type_id\": 30}, {\"name\": \"evidence because locate\", \"type\": \"IP Address\", \"type_id\": 2}], \"severity\": \"Medium\", \"severity_id\": 3, \"status\": \"Success\", \"status_code\": \"user\", \"status_id\": 1, \"time\": 1695272181548, \"time_dt\": \"2023-10-03T05:19:09.440241Z\", \"timezone_offset\": 54, \"type_name\": \"Kernel Activity: Create\", \"type_uid\": 100301}"
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_system_activity_4.json b/OCSF/ocsf/tests/test_system_activity_4.json
new file mode 100644
index 000000000..db4db0735
--- /dev/null
+++ b/OCSF/ocsf/tests/test_system_activity_4.json
@@ -0,0 +1,28 @@
+{
+ "input": {
+ "message": "{\"message\": \"door lotus aol\", \"time\": 1695272181548, \"device\": {\"name\": \"repeated sip distance\", \"type\": \"Server\", \"location\": {\"desc\": \"Taiwan\", \"city\": \"Stephanie hence\", \"country\": \"TW\", \"coordinates\": [161.2949, 22.9251], \"continent\": \"Asia\"}, \"hostname\": \"phd.nato\", \"uid\": \"f450d454-61ae-11ee-b232-0242ac110005\", \"image\": {\"name\": \"leader mind compliant\", \"uid\": \"f450e20a-61ae-11ee-959b-0242ac110005\"}, \"org\": {\"name\": \"gratuit book virtually\", \"uid\": \"f4507856-61ae-11ee-b34b-0242ac110005\", \"ou_name\": \"profit plug fioricet\"}, \"type_id\": 1, \"created_time\": 1695272181548, \"first_seen_time\": 1695272181548, \"instance_uid\": \"f450c02c-61ae-11ee-a04e-0242ac110005\", \"interface_name\": \"adaptive survivor nickname\", \"interface_uid\": \"f450dada-61ae-11ee-9e5c-0242ac110005\", \"is_trusted\": false, \"last_seen_time\": 1695272181548, \"region\": \"debut instruments alphabetical\", \"risk_level\": \"thomson shanghai foreign\", \"subnet_uid\": \"f450b6fe-61ae-11ee-aa6c-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"asbestos settings medication\", \"version\": \"1.0.0\", \"uid\": \"f4506410-61ae-11ee-a485-0242ac110005\", \"feature\": {\"name\": \"wish quest practitioners\", \"version\": \"1.0.0\", \"uid\": \"f4506a32-61ae-11ee-a6bb-0242ac110005\"}, \"lang\": \"en\", \"vendor_name\": \"evaluations belly reception\"}, \"sequence\": 35, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"trademarks wishing accreditation\", \"log_provider\": \"manual equivalent detroit\", \"logged_time\": 1695272181548, \"original_time\": \"protection velvet propose\"}, \"severity\": \"Critical\", \"api\": {\"request\": {\"uid\": \"f45046ce-61ae-11ee-8a1b-0242ac110005\"}, \"response\": {\"error\": \"dash knife stable\", \"code\": 99, \"message\": \"julian peninsula bought\", 
\"error_message\": \"delaware genetic purple\"}, \"operation\": \"appraisal disappointed iraqi\"}, \"disposition\": \"Deleted\", \"type_name\": \"Memory Activity: Allocate Page\", \"activity_id\": 1, \"disposition_id\": 5, \"type_uid\": 100401, \"category_name\": \"System Activity\", \"class_uid\": 1004, \"category_uid\": 1, \"class_name\": \"Memory Activity\", \"timezone_offset\": 26, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}], \"technique\": {\"name\": \"Additional Cloud Credentials\", \"uid\": \"T1098.001\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.\", \"uid\": \"TA0040\"}, {\"name\": \"Command and Control The adversary is trying to communicate with compromised systems to control them.\", \"uid\": \"TA0011\"}], \"technique\": {\"name\": \"Credentials in Registry\", \"uid\": \"T1214\"}}], \"activity_name\": \"Allocate Page\", \"actor\": {\"process\": {\"name\": \"Quad\", \"pid\": 76, \"file\": {\"name\": \"tenant.prf\", \"type\": \"Symbolic Link\", \"path\": \"daisy bullet expectations/speakers.fon/tenant.prf\", \"type_id\": 7, \"company_name\": \"Hue Marcelina\", \"parent_folder\": \"daisy bullet expectations/speakers.fon\", \"confidentiality\": \"Not Confidential\", \"confidentiality_id\": 1, \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"D593DAFEC471B60EC788CAF95AEB0DBE9F1AF56F9741565D96CEB84FF7C0AB18B97E298266E585A9FE82C4F85EE020C4B4BD974B54373088F0D1ACE2022CE17D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"4F227649B2E932AED413A05B69BAA35D\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"modified_time\": 1695272181548, \"modified_time_dt\": \"2023-10-03T05:37:34.691274Z\"}, \"user\": {\"name\": \"Utc\", \"type\": \"User\", \"uid\": \"f45ba8fc-61ae-11ee-883d-0242ac110005\", \"type_id\": 1, 
\"full_name\": \"Carin Otha\", \"email_addr\": \"Mireille@associate.mobi\"}, \"uid\": \"f45baed8-61ae-11ee-95e3-0242ac110005\", \"cmd_line\": \"stick strength suffered\", \"container\": {\"name\": \"sp finger reductions\", \"size\": 1112406887, \"tag\": \"dish acc interpretation\", \"uid\": \"f45bb5c2-61ae-11ee-b166-0242ac110005\", \"image\": {\"name\": \"leaves mounted something\", \"uid\": \"f45bbbe4-61ae-11ee-9bd8-0242ac110005\"}, \"hash\": {\"value\": \"0C2DC99EB913832DEE1E00AC1C121596D14346E7971CAF8B9873BA2BB862C4070FDD33F21558BA3B264A80A7B15D1722F1B3603C0858D1247E4359752B166BCC\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, \"network_driver\": \"arizona knight karl\", \"orchestrator\": \"integral economics gc\"}, \"created_time\": 1695272181548, \"namespace_pid\": 50, \"parent_process\": {\"name\": \"Trout\", \"pid\": 61, \"file\": {\"name\": \"download.pptx\", \"type\": \"Regular File\", \"path\": \"qld four roulette/sticker.dwg/download.pptx\", \"desc\": \"vs in contamination\", \"type_id\": 1, \"parent_folder\": \"qld four roulette/sticker.dwg\", \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"value\": \"64188A2F3AF0E7C7E83F429137D1F51F574286F7\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"7C12BD84ACFCEACC8A756BE13D08AF2B1EC193C5411C64B85380EEEC0B1B41F7\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"modified_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.692393Z\", \"accessed_time_dt\": \"2023-10-03T05:37:34.692401Z\"}, \"user\": {\"name\": \"Presidential\", \"type\": \"User\", \"uid\": \"f45bd110-61ae-11ee-b7e4-0242ac110005\", \"org\": {\"name\": \"setup stolen unexpected\", \"uid\": \"f45bd82c-61ae-11ee-9e57-0242ac110005\", \"ou_name\": \"iceland threats webcast\"}, \"type_id\": 1, \"full_name\": \"Rosamaria Mckenzie\", \"credential_uid\": \"f45bdcd2-61ae-11ee-a554-0242ac110005\"}, \"uid\": \"f45be042-61ae-11ee-a467-0242ac110005\", \"cmd_line\": \"red beaches fi\", 
\"container\": {\"name\": \"dispatch ste exist\", \"uid\": \"f45be5ba-61ae-11ee-88ce-0242ac110005\", \"image\": {\"name\": \"third aged kurt\", \"uid\": \"f45bebfa-61ae-11ee-bf2c-0242ac110005\"}, \"hash\": {\"value\": \"23ABACC1EF47F49C2387DDF45E9C424754AB96A8A4DED29732E05CA4192D028D05F263525EFEB4BBAFD7ECE02D2821858C8F39BADB5B11151131D82A3D8596FA\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695272181548, \"namespace_pid\": 31, \"parent_process\": {\"pid\": 98, \"file\": {\"name\": \"mins.srt\", \"type\": \"Regular File\", \"path\": \"risks rendering meal/surf.pages/mins.srt\", \"signature\": {\"certificate\": {\"subject\": \"lindsay symptoms gel\", \"issuer\": \"agency covers tested\", \"fingerprints\": [{\"value\": \"5F3258EAA1979A8BE0323FCD83F87741B9046FD02DFEDB63CC5E8BBEC47C85C9\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"fool aye tears\"}, \"algorithm\": \"Authenticode\", \"algorithm_id\": 4}, \"product\": {\"name\": \"morocco steam contractors\", \"uid\": \"f45bff78-61ae-11ee-94d1-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"myrtle wn view\"}, \"type_id\": 1, \"parent_folder\": \"risks rendering meal/surf.pages\", \"hashes\": [{\"value\": \"A98DE8AD923CB627EA1CDCCD5CF7356C\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"modified_time_dt\": \"2023-10-03T05:37:34.693818Z\", \"created_time_dt\": \"2023-10-03T05:37:34.693827Z\", \"accessed_time_dt\": \"2023-10-03T05:37:34.693831Z\"}, \"user\": {\"type\": \"Unknown\", \"uid\": \"f45c0b9e-61ae-11ee-9f3b-0242ac110005\", \"type_id\": 0, \"full_name\": \"Marry Dia\", \"email_addr\": \"Lilliana@ability.edu\"}, \"tid\": 86, \"session\": {\"uid\": \"f45c1288-61ae-11ee-ab6a-0242ac110005\", \"uuid\": \"f45c160c-61ae-11ee-b9ea-0242ac110005\", \"issuer\": \"spec gambling separated\", \"created_time\": 1695272181548, \"credential_uid\": \"f45c1a1c-61ae-11ee-85ba-0242ac110005\", \"is_remote\": 
false, \"expiration_time_dt\": \"2023-10-03T05:37:34.694457Z\", \"created_time_dt\": \"2023-10-03T05:37:34.694465Z\"}, \"container\": {\"name\": \"pest fought calibration\", \"runtime\": \"violation card logged\", \"size\": 1513188610, \"uid\": \"f45c2426-61ae-11ee-9c9d-0242ac110005\", \"image\": {\"name\": \"stripes excerpt baptist\", \"uid\": \"f45c2962-61ae-11ee-8549-0242ac110005\"}, \"hash\": {\"value\": \"5D7318303179149862E7825F7F1712F9E8045CDC54401C79C269DD068E20EA5D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, \"orchestrator\": \"walt truly susan\", \"pod_uuid\": \"techno\"}, \"namespace_pid\": 49, \"parent_process\": {\"name\": \"Telling\", \"pid\": 43, \"file\": {\"name\": \"asked.htm\", \"owner\": {\"name\": \"Initiatives\", \"type\": \"Unknown\", \"domain\": \"voyeurweb strip groove\", \"type_id\": 0, \"full_name\": \"Lynnette Brooke\"}, \"type\": \"Symbolic Link\", \"path\": \"brakes bugs inquire/blogging.ics/asked.htm\", \"signature\": {\"digest\": {\"value\": \"522CB2274A0D096C0F94307F55DB6E9D63211626E8BED23C3C8721CA612F28681D4E0202C137F40265FCAAD0EFE6A9BD02E0CF8323BAF52EFE09FF298791B18D\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"fetish converter communicate\", \"issuer\": \"conclusions medicines exception\", \"fingerprints\": [{\"value\": \"F74C6AF46A78BECB2F1BD3F95BBD5858\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"43F66E6B6CBAF53CC520E58EC65805EC62FA04119845AC53816DA9F36F525AC65E3D7D92BED0351865836C0E97D63184282A5FEDC9AF2E914C6F9B349CB835F0\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"legal grant module\", \"expiration_time_dt\": \"2023-10-03T05:37:34.695275Z\", \"created_time_dt\": \"2023-10-03T05:37:34.695282Z\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2, \"created_time_dt\": \"2023-10-03T05:37:34.695288Z\"}, \"uid\": \"f45c3f9c-61ae-11ee-9d0c-0242ac110005\", 
\"type_id\": 7, \"accessor\": {\"name\": \"Review\", \"type\": \"Admin\", \"uid\": \"f45c480c-61ae-11ee-acd3-0242ac110005\", \"groups\": [{\"name\": \"holder outstanding vatican\", \"uid\": \"f45c4fe6-61ae-11ee-92f7-0242ac110005\"}, {\"name\": \"conducted egypt siemens\", \"type\": \"rent divine winston\", \"uid\": \"f45c5446-61ae-11ee-9f91-0242ac110005\"}], \"type_id\": 2}, \"creator\": {\"type\": \"availability\", \"uid\": \"f45c601c-61ae-11ee-a457-0242ac110005\", \"groups\": [{\"name\": \"usually gained erotica\", \"uid\": \"f45c65d0-61ae-11ee-b6a8-0242ac110005\"}], \"type_id\": 99}, \"parent_folder\": \"brakes bugs inquire/blogging.ics\", \"hashes\": [{\"value\": \"5FA7429271BF14C077FFD905562FF00BA03D0E577EBDE842D181A43F83B98C5611220439195D98F47BB4838632D59E533816344E1DF7DB00271120083235ABCA\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Duck\", \"type\": \"Admin\", \"uid\": \"f45c6dd2-61ae-11ee-9f94-0242ac110005\", \"type_id\": 2}, \"uid\": \"f45c71a6-61ae-11ee-9f7b-0242ac110005\", \"cmd_line\": \"montana introductory ratings\", \"container\": {\"name\": \"strings provided foster\", \"runtime\": \"accidents usda suit\", \"uid\": \"f45c77be-61ae-11ee-8b06-0242ac110005\", \"image\": {\"name\": \"resources albums born\", \"uid\": \"f45c7e4e-61ae-11ee-955d-0242ac110005\"}, \"hash\": {\"value\": \"AB2620F9B7154D9F9DC1B3C2D949D85D595FE77F45411B3DBE6E5B47DA564177\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695272181548, \"lineage\": [\"copies would makeup\"], \"namespace_pid\": 88, \"parent_process\": {\"name\": \"Brandon\", \"pid\": 45, \"file\": {\"name\": \"instructions.tif\", \"size\": 2331416290, \"type\": \"Unknown\", \"path\": \"passwords floral edition/roland.gif/instructions.tif\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"underwear chancellor basic\", \"issuer\": \"strengths enlarge sorry\", \"fingerprints\": [{\"value\": 
\"0BB55CC45379DA535A05A8EDE44DF854F408971928C66528377DA784038293CF\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"D8EAE8212E2ED885C71F4117E0C39374\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"neon ban suse\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"developer_uid\": \"f45c9208-61ae-11ee-9a72-0242ac110005\"}, \"desc\": \"goto egyptian throw\", \"type_id\": 0, \"parent_folder\": \"passwords floral edition/roland.gif\", \"hashes\": [{\"value\": \"6D856108BBB655CE760736415EE23ECE1B8FCEE045C992B3A971D31ED454BFAD53DE388CBE3FFDE1EF1A4258DDD307E4DAAD413389F51A42155B5F334C9243A4\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"6163CDC7962473142ADF6DA1E4C2B6DB26C7391242E8BBD4EE04661FEC7DF2C941477A0394334EEE5002B17ED4164502FEE4342047E61B7F299B5C98BE241602\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Manufacturing\", \"type\": \"united\", \"uid\": \"f45ca0ea-61ae-11ee-8476-0242ac110005\", \"org\": {\"name\": \"way pros ddr\", \"uid\": \"f45cafa4-61ae-11ee-af8c-0242ac110005\", \"ou_name\": \"reliability poultry devices\"}, \"type_id\": 99, \"full_name\": \"Livia Ji\", \"account\": {\"name\": \"pen favors essential\", \"type\": \"AWS Account\", \"uid\": \"f45cb6ac-61ae-11ee-89fb-0242ac110005\", \"type_id\": 10}, \"credential_uid\": \"f45cba58-61ae-11ee-8137-0242ac110005\", \"email_addr\": \"Moira@upset.nato\"}, \"uid\": \"f45cc066-61ae-11ee-b149-0242ac110005\", \"cmd_line\": \"trembl reverse constantly\", \"container\": {\"name\": \"strain outputs perceived\", \"uid\": \"f45cc660-61ae-11ee-8e56-0242ac110005\", \"image\": {\"name\": \"saturn cincinnati productivity\", \"path\": \"harrison typical operations\", \"uid\": \"f45ccb74-61ae-11ee-9ef0-0242ac110005\"}, \"hash\": {\"value\": 
\"5F69DE08EF1B52810A2E555253B2561BF4E27E0CF557FEB7502CAD51FCA3AC3B923994EC15B91A6E29CCD01AED752264DCA40FCF45DDB4B47C42836B57984513\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, \"pod_uuid\": \"ontario\"}, \"created_time\": 1695272181548, \"namespace_pid\": 48, \"parent_process\": {\"pid\": 43, \"file\": {\"name\": \"gothic.m3u\", \"owner\": {\"name\": \"Strengthening\", \"type\": \"pentium\", \"uid\": \"f45cdaba-61ae-11ee-ba9e-0242ac110005\", \"org\": {\"name\": \"wed mpeg mortality\", \"uid\": \"f45cdfd8-61ae-11ee-9701-0242ac110005\", \"ou_name\": \"penny automatically tops\"}, \"groups\": [{\"type\": \"britain touch corporations\", \"uid\": \"f45ce500-61ae-11ee-ae50-0242ac110005\"}], \"type_id\": 99, \"uid_alt\": \"developed drinks university\"}, \"type\": \"Block Device\", \"path\": \"dod emirates promote/knitting.vob/gothic.m3u\", \"signature\": {\"digest\": {\"value\": \"7243F8BE75253AFBADF7477867021F8B\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"tractor bag coleman\", \"issuer\": \"formation mixer sullivan\", \"fingerprints\": [{\"value\": \"741DD1242DF463E4748B3F29D59B2CDB444A2B723C098FCD8A61CFF3A2531A1EBEB1D42A7AD9A444FA8D89DC6A11F741547C10080B44BED739B5D0CDC993B842\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"C4824AE8BB216F860CA4CD45F979A59088DD132DF0BFA0EC613752EF4A2EE45E\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"ser rna serves\"}, \"algorithm\": \"supreme\", \"algorithm_id\": 99}, \"type_id\": 4, \"creator\": {\"name\": \"Catalog\", \"type\": \"System\", \"uid\": \"f45cf144-61ae-11ee-a33b-0242ac110005\", \"groups\": [{\"uid\": \"f45d004e-61ae-11ee-8d39-0242ac110005\"}, {\"name\": \"chairs leisure institution\", \"uid\": \"f45d05e4-61ae-11ee-99f9-0242ac110005\"}], \"type_id\": 3}, \"parent_folder\": \"dod emirates promote/knitting.vob\", \"security_descriptor\": 
\"retention changing science\", \"xattributes\": {}}, \"user\": {\"name\": \"Opt\", \"type\": \"Unknown\", \"domain\": \"funky valentine attached\", \"uid\": \"f45d1192-61ae-11ee-805a-0242ac110005\", \"type_id\": 0}, \"uid\": \"f45d16ba-61ae-11ee-b515-0242ac110005\", \"cmd_line\": \"reductions transfer kyle\", \"created_time\": 1695272181548, \"integrity\": \"guys thus beads\", \"namespace_pid\": 82, \"parent_process\": {\"name\": \"Friends\", \"pid\": 7, \"user\": {\"name\": \"Overall\", \"type\": \"Admin\", \"uid\": \"f45d2c18-61ae-11ee-8f99-0242ac110005\", \"org\": {\"name\": \"antique crawford mug\", \"uid\": \"f45d3226-61ae-11ee-b3e9-0242ac110005\", \"ou_name\": \"maximize tx tide\"}, \"type_id\": 2, \"credential_uid\": \"f45d3654-61ae-11ee-a013-0242ac110005\", \"uid_alt\": \"areas attachment guy\"}, \"uid\": \"f45d3a46-61ae-11ee-89e2-0242ac110005\", \"cmd_line\": \"trails washer home\", \"container\": {\"name\": \"requested divx inspector\", \"size\": 648398402, \"uid\": \"f45d3faa-61ae-11ee-95d3-0242ac110005\", \"image\": {\"name\": \"equation modular saver\", \"uid\": \"f45d4bb2-61ae-11ee-98af-0242ac110005\", \"labels\": [\"malaysia\", \"tough\"]}, \"hash\": {\"value\": \"68C9913042346CAD7F9FABEBF901C5DBBE49BEAFFE6CDBF271C0CD6F2363033A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}}, \"created_time\": 1695272181548, \"lineage\": [\"married funded elections\", \"liquid geek cal\"], \"namespace_pid\": 2, \"parent_process\": {\"name\": \"Warnings\", \"pid\": 59, \"file\": {\"name\": \"manner.app\", \"type\": \"Folder\", \"version\": \"1.0.0\", \"path\": \"turn available mighty/grocery.tax2016/manner.app\", \"desc\": \"starting invasion flame\", \"type_id\": 2, \"company_name\": \"Myrl Ilana\", \"parent_folder\": \"turn available mighty/grocery.tax2016\", \"hashes\": [{\"value\": \"2FF592449E1B208D2349421A0E142A80E875518AA0C20FF64D3610AB6830DD78BF8980FD7F211369C267D93464D86327F78FA84CEDB14D9210655D931C34F7BA\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, 
{\"value\": \"A2349F07A5DCE2F05BB0C656C6DEA195972A5C01A7B5DA65FEC562FE2C229B6B5B6930E7613E6323D8F52E25C3E76F85EBED522B17F8EB673C263A290FD26BB7\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"created_time_dt\": \"2023-10-03T05:37:34.702607Z\"}, \"user\": {\"name\": \"Dis\", \"type\": \"Unknown\", \"uid\": \"f45d6034-61ae-11ee-9b9d-0242ac110005\", \"groups\": [{\"name\": \"gamecube sunday foster\", \"uid\": \"f45d6750-61ae-11ee-bb59-0242ac110005\", \"privileges\": [\"ceiling pulling chapter\", \"advise lung transparent\"]}, {\"name\": \"skins korea bubble\", \"type\": \"annie rn pot\", \"uid\": \"f45d710a-61ae-11ee-a1f1-0242ac110005\", \"privileges\": [\"harbor syracuse quantities\"]}], \"type_id\": 0, \"account\": {\"name\": \"cycles beast pierce\", \"type\": \"Azure AD Account\", \"uid\": \"f45d7e20-61ae-11ee-9be4-0242ac110005\", \"type_id\": 6}}, \"tid\": 63, \"uid\": \"f45d835c-61ae-11ee-a0b4-0242ac110005\", \"cmd_line\": \"guided spine purple\", \"container\": {\"name\": \"diffs dead mechanical\", \"size\": 1480676944, \"tag\": \"cheers cancer russian\", \"uid\": \"f45d8ab4-61ae-11ee-a07b-0242ac110005\", \"hash\": {\"value\": \"10E86C6514D40F2A3E861B31847340EE8C8ED181029A17B042F137121D28863E\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, \"orchestrator\": \"piano sims editors\", \"pod_uuid\": \"danish\"}, \"created_time\": 1695272181548, \"lineage\": [\"at residential ceo\"], \"namespace_pid\": 67, \"parent_process\": {\"name\": \"Hamilton\", \"pid\": 38, \"file\": {\"name\": \"basename.mpg\", \"size\": 2270854617, \"type\": \"Folder\", \"path\": \"general required suspect/commentary.jar/basename.mpg\", \"modifier\": {\"name\": \"Lopez\", \"type\": \"Admin\", \"uid\": \"f45da012-61ae-11ee-8601-0242ac110005\", \"type_id\": 2}, \"type_id\": 2, \"parent_folder\": \"general required suspect/commentary.jar\", \"accessed_time\": 1695272181548, \"confidentiality\": \"fear browsers television\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": 
\"3B0173ED99A820AB5188A16998FBC2E1957424B5E1E2DB85F6F1F8CAFAE691070EE54DC314BDF2983F9A2CE57CF6E378ABB2AEDB0DA772B4626469F1363D4782\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.704513Z\", \"accessed_time_dt\": \"2023-10-03T05:37:34.704522Z\"}, \"cmd_line\": \"lists accredited manufacture\", \"created_time\": 1695272181548, \"integrity\": \"disclosure insert americans\", \"namespace_pid\": 16, \"parent_process\": {\"pid\": 26, \"file\": {\"name\": \"mitsubishi.zip\", \"type\": \"way\", \"path\": \"premium accommodation showtimes/prisoner.deskthemepack/mitsubishi.zip\", \"type_id\": 99, \"parent_folder\": \"premium accommodation showtimes/prisoner.deskthemepack\", \"accessed_time\": 1695272181548, \"confidentiality\": \"applications\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"AC3F2D226D9EFC7934195793B402CBBC13E2736E205E59735FD07CE424B1FB37\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"BD1DC345B2C39E8DADCDA520CC809F96FFC8413DD1169269D5E02AE412E1297111E2A26660902A783337A5D4C0D0C9FEBCCBB0C0AED91F2BFA2CCF4845056AAB\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695272181548, \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.704809Z\"}, \"user\": {\"name\": \"Cardiovascular\", \"type\": \"Unknown\", \"uid\": \"f45db58e-61ae-11ee-b50c-0242ac110005\", \"type_id\": 0, \"uid_alt\": \"sn exception got\"}, \"container\": {\"name\": \"praise britannica rev\", \"uid\": \"f45dc254-61ae-11ee-b035-0242ac110005\", \"image\": {\"name\": \"conducted takes renewable\", \"uid\": \"f45dc7b8-61ae-11ee-9630-0242ac110005\"}, \"hash\": {\"value\": \"5DF4BFECA632B9BD1D11E5E5D9549CF30B4849A4C815894151C865C80E13E3D0DE949759C7E1AEE233D178AD52E3AE2E93D99AEA0D993ED5DCE67E03E1578823\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695272181548, \"integrity\": \"times entities fx\", \"namespace_pid\": 98, \"parent_process\": 
{\"name\": \"Forecasts\", \"pid\": 17, \"file\": {\"name\": \"hockey.part\", \"type\": \"Symbolic Link\", \"version\": \"1.0.0\", \"path\": \"seafood tape distant/physically.mdf/hockey.part\", \"uid\": \"f45dd3d4-61ae-11ee-9986-0242ac110005\", \"type_id\": 7, \"parent_folder\": \"seafood tape distant/physically.mdf\", \"hashes\": [{\"value\": \"0D3045A301A866174DD910C13E50427CB610EAD22A8523650B444E52FF16941B\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"BEE38FBC71DC4377BEF693AF6C11F462AC065BD6\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}]}, \"user\": {\"name\": \"Requires\", \"type\": \"User\", \"uid\": \"f45de0e0-61ae-11ee-88a9-0242ac110005\", \"type_id\": 1, \"credential_uid\": \"f45de554-61ae-11ee-bc44-0242ac110005\", \"uid_alt\": \"monica includes treating\"}, \"uid\": \"f45de978-61ae-11ee-af82-0242ac110005\", \"cmd_line\": \"insulation else evidence\", \"container\": {\"name\": \"dv cst mug\", \"size\": 2782839574, \"uid\": \"f45deefa-61ae-11ee-95f2-0242ac110005\", \"image\": {\"name\": \"olympus present empirical\", \"uid\": \"f45df3a0-61ae-11ee-ae83-0242ac110005\"}, \"hash\": {\"value\": \"E272B1A204600DF6B8A987C8FB851C7EF2AA8596CF158120722E5966F20081F5\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, \"orchestrator\": \"internationally correct examining\"}, \"created_time\": 1695272181548, \"integrity\": \"involvement hk speaking\", \"namespace_pid\": 56, \"parent_process\": {\"name\": \"Heath\", \"pid\": 26, \"user\": {\"name\": \"Qualities\", \"type\": \"System\", \"uid\": \"f45e00c0-61ae-11ee-b4f1-0242ac110005\", \"type_id\": 3, \"account\": {\"name\": \"engines robot c\", \"uid\": \"f45e05fc-61ae-11ee-bdef-0242ac110005\"}, \"uid_alt\": \"pathology ordinary ep\"}, \"cmd_line\": \"collapse tan demo\", \"container\": {\"name\": \"matters sophisticated hampshire\", \"size\": 277669091, \"uid\": \"f45e0b7e-61ae-11ee-9c4e-0242ac110005\", \"image\": {\"name\": \"pty dramatic measure\", \"uid\": 
\"f45e1452-61ae-11ee-93ff-0242ac110005\"}, \"hash\": {\"value\": \"7CFCBD1C1575DD7EAE454F18B9267188\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, \"orchestrator\": \"earned accountability todd\"}, \"created_time\": 1695272181548, \"integrity\": \"Protected\", \"integrity_id\": 6, \"namespace_pid\": 36, \"parent_process\": {\"name\": \"Special\", \"pid\": 39, \"user\": {\"name\": \"Mice\", \"type\": \"scoring\", \"uid\": \"f45e1f4c-61ae-11ee-bd4f-0242ac110005\", \"type_id\": 99}, \"cmd_line\": \"rubber taxi deployment\", \"container\": {\"name\": \"insulin never metabolism\", \"size\": 2875863087, \"uid\": \"f45e2532-61ae-11ee-b4f8-0242ac110005\", \"image\": {\"name\": \"phantom participant employee\", \"uid\": \"f45e29ec-61ae-11ee-b755-0242ac110005\"}, \"hash\": {\"value\": \"19EA5DD6F7D4532CE968933056B2150CB38D84FBEA07A9B1E71EE7388D9EAD136AFB55A16621065CA950B550FAA589C7E77583279DE84B3C958B13C9BA731D69\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"pod_uuid\": \"luxury\"}, \"created_time\": 1695272181548, \"integrity\": \"Protected\", \"integrity_id\": 6, \"namespace_pid\": 45, \"parent_process\": {\"pid\": 65, \"file\": {\"name\": \"message.exe\", \"owner\": {\"name\": \"Vegas\", \"type\": \"Unknown\", \"domain\": \"existence see evans\", \"org\": {\"name\": \"super rolling importantly\", \"uid\": \"f45e40bc-61ae-11ee-9f84-0242ac110005\", \"ou_uid\": \"f45e44ea-61ae-11ee-af1f-0242ac110005\"}, \"groups\": [{\"name\": \"careers fixes kai\", \"desc\": \"highways cheat summary\", \"uid\": \"f45e4da0-61ae-11ee-8ce5-0242ac110005\"}, {\"name\": \"past affiliate london\", \"type\": \"exclusion cleaners mart\", \"uid\": \"f45e51c4-61ae-11ee-af56-0242ac110005\"}], \"type_id\": 0, \"account\": {\"name\": \"tradition surfaces classification\", \"type\": \"AWS IAM Role\", \"uid\": \"f45e5af2-61ae-11ee-8e43-0242ac110005\", \"type_id\": 4}}, \"type\": \"mozilla\", \"path\": \"brunette symbol poem/weekends.htm/message.exe\", \"uid\": 
\"f45e5fa2-61ae-11ee-9642-0242ac110005\", \"type_id\": 99, \"parent_folder\": \"brunette symbol poem/weekends.htm\", \"confidentiality\": \"watson\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"EC04A154DEAC2F7D6C2C939EA992222061F58A10BD334C6D45E3B9B3BC538985107E3B32A6CA567C7B5C6F8F0D857459E5DDC11A97318AC1AEA8A2461B955401\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"6E170831A56B3AFDAFF2E0614B1495541FDE0CA37B2F9EBCB6D5225A0CADE66CC1E6AD525CAFDD363EAA50505FD613EDBD5C1B4D703D34702968D3AE7E09037C\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time_dt\": \"2023-10-03T05:37:34.709399Z\", \"created_time_dt\": \"2023-10-03T05:37:34.709410Z\", \"accessed_time_dt\": \"2023-10-03T05:37:34.709414Z\"}, \"user\": {\"type\": \"Unknown\", \"uid\": \"f45e68d0-61ae-11ee-a6d3-0242ac110005\", \"type_id\": 0, \"full_name\": \"Rosamaria Norberto\", \"account\": {\"name\": \"wireless trains wave\", \"type\": \"Linux Account\", \"uid\": \"f45e6eb6-61ae-11ee-9f44-0242ac110005\", \"type_id\": 9}, \"credential_uid\": \"f45e7230-61ae-11ee-a271-0242ac110005\"}, \"uid\": \"f45e7546-61ae-11ee-ab37-0242ac110005\", \"session\": {\"uid\": \"f45e805e-61ae-11ee-90d6-0242ac110005\", \"created_time\": 1695272181548, \"is_remote\": true, \"expiration_time_dt\": \"2023-10-03T05:37:34.710191Z\"}, \"namespace_pid\": 69, \"parent_process\": {\"name\": \"Is\", \"pid\": 14, \"file\": {\"name\": \"ambassador.swf\", \"type\": \"Symbolic Link\", \"path\": \"nickel gui cute/vision.m3u/ambassador.swf\", \"signature\": {\"digest\": {\"value\": \"14B85FA8E87F846F757EACCDA09761641B397F01\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"panic aspects reporting\", \"issuer\": \"hate passive admission\", \"fingerprints\": [{\"value\": \"09958F2F29A975C86F4BC77872179A9E719846A48F2022B36957925999CD31F4A0578A6C18EE8BDC0AEE2F0974FB4647FF2A0BFEA8A1E56877193277A827418F\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], 
\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"promote dirt hindu\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time_dt\": \"2023-10-03T05:37:34.710541Z\"}, \"type_id\": 7, \"company_name\": \"Nicholas Betty\", \"parent_folder\": \"nickel gui cute/vision.m3u\", \"confidentiality\": \"sandwich exhibit ellis\", \"hashes\": [{\"value\": \"4DBD2BB0760D9EBBC2743A91879CCBC04A4837BD467C1F3B4E0850E4D459BC52\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"A5469012CF0415AAE3FFA22840287489C3C57811D0FD29A58C2CD702BC84D59ADC43354994A400CA41F16849414FADE8C6A9889E640F7987FF65EAD837C7D8E4\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.710639Z\"}, \"user\": {\"name\": \"Genres\", \"type\": \"User\", \"uid\": \"f45e9cb0-61ae-11ee-b849-0242ac110005\", \"type_id\": 1, \"full_name\": \"Lucile Apryl\", \"account\": {\"name\": \"saint view max\", \"type\": \"Apple Account\", \"uid\": \"f45ea32c-61ae-11ee-9546-0242ac110005\", \"type_id\": 8}, \"credential_uid\": \"f45ea700-61ae-11ee-bb61-0242ac110005\", \"email_addr\": \"Jeana@drill.web\"}, \"cmd_line\": \"changes sad programmes\", \"container\": {\"size\": 1104975009, \"tag\": \"alexander specs considered\", \"uid\": \"f45eae80-61ae-11ee-8fa9-0242ac110005\", \"image\": {\"name\": \"soap potter browsers\", \"uid\": \"f45eb3bc-61ae-11ee-871c-0242ac110005\"}, \"hash\": {\"value\": \"05521B80BB22220B8B095A94DA44E07951EE15F402F4BD4A050BD0CFFFD6B154\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, \"orchestrator\": \"matches virginia accepts\"}, \"created_time\": 1695272181548, \"namespace_pid\": 49}, \"sandbox\": \"ut metropolitan adjacent\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711553Z\"}, \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.711572Z\"}, \"terminated_time\": 1695272181548, \"terminated_time_dt\": \"2023-10-03T05:37:34.711582Z\"}, \"sandbox\": \"dans ip 
tours\"}, \"terminated_time\": 1695272181548, \"terminated_time_dt\": \"2023-10-03T05:37:34.711596Z\"}, \"created_time_dt\": \"2023-10-03T05:37:34.711602Z\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711606Z\"}, \"terminated_time\": 1695272181548, \"xattributes\": {}}, \"xattributes\": {}}, \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.711634Z\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711638Z\"}, \"sandbox\": \"brunette christ monetary\", \"created_time_dt\": \"2023-10-03T05:37:34.711648Z\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711652Z\"}, \"terminated_time\": 1695272181548}, \"xattributes\": {}}, \"xattributes\": {}}}, \"user\": {\"name\": \"We\", \"type\": \"Admin\", \"uid\": \"f45ec2a8-61ae-11ee-90fc-0242ac110005\", \"org\": {\"name\": \"enquiry hottest creations\", \"uid\": \"f45ecb68-61ae-11ee-824c-0242ac110005\", \"ou_name\": \"reel metals plain\"}, \"type_id\": 2, \"account\": {\"name\": \"intensive flash narrative\", \"type\": \"Windows Account\", \"uid\": \"f45ed32e-61ae-11ee-9aa9-0242ac110005\", \"type_id\": 2}}}, \"actual_permissions\": 14, \"base_address\": \"statements dining gnome\", \"cloud\": {\"project_uid\": \"f4505768-61ae-11ee-89e9-0242ac110005\", \"provider\": \"christian studies pioneer\", \"region\": \"increased competitors sparc\"}, \"severity_id\": 5, \"status_code\": \"registry\", \"time_dt\": \"2023-10-03T05:37:34.712339Z\"}",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "OCSF",
+ "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5"
+ }
+ }
+ },
+ "expected": {
+ "message": "{\"message\": \"door lotus aol\", \"time\": 1695272181548, \"device\": {\"name\": \"repeated sip distance\", \"type\": \"Server\", \"location\": {\"desc\": \"Taiwan\", \"city\": \"Stephanie hence\", \"country\": \"TW\", \"coordinates\": [161.2949, 22.9251], \"continent\": \"Asia\"}, \"hostname\": \"phd.nato\", \"uid\": \"f450d454-61ae-11ee-b232-0242ac110005\", \"image\": {\"name\": \"leader mind compliant\", \"uid\": 
\"f450e20a-61ae-11ee-959b-0242ac110005\"}, \"org\": {\"name\": \"gratuit book virtually\", \"uid\": \"f4507856-61ae-11ee-b34b-0242ac110005\", \"ou_name\": \"profit plug fioricet\"}, \"type_id\": 1, \"created_time\": 1695272181548, \"first_seen_time\": 1695272181548, \"instance_uid\": \"f450c02c-61ae-11ee-a04e-0242ac110005\", \"interface_name\": \"adaptive survivor nickname\", \"interface_uid\": \"f450dada-61ae-11ee-9e5c-0242ac110005\", \"is_trusted\": false, \"last_seen_time\": 1695272181548, \"region\": \"debut instruments alphabetical\", \"risk_level\": \"thomson shanghai foreign\", \"subnet_uid\": \"f450b6fe-61ae-11ee-aa6c-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"asbestos settings medication\", \"version\": \"1.0.0\", \"uid\": \"f4506410-61ae-11ee-a485-0242ac110005\", \"feature\": {\"name\": \"wish quest practitioners\", \"version\": \"1.0.0\", \"uid\": \"f4506a32-61ae-11ee-a6bb-0242ac110005\"}, \"lang\": \"en\", \"vendor_name\": \"evaluations belly reception\"}, \"sequence\": 35, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"trademarks wishing accreditation\", \"log_provider\": \"manual equivalent detroit\", \"logged_time\": 1695272181548, \"original_time\": \"protection velvet propose\"}, \"severity\": \"Critical\", \"api\": {\"request\": {\"uid\": \"f45046ce-61ae-11ee-8a1b-0242ac110005\"}, \"response\": {\"error\": \"dash knife stable\", \"code\": 99, \"message\": \"julian peninsula bought\", \"error_message\": \"delaware genetic purple\"}, \"operation\": \"appraisal disappointed iraqi\"}, \"disposition\": \"Deleted\", \"type_name\": \"Memory Activity: Allocate Page\", \"activity_id\": 1, \"disposition_id\": 5, \"type_uid\": 100401, \"category_name\": \"System Activity\", \"class_uid\": 1004, \"category_uid\": 1, \"class_name\": \"Memory Activity\", \"timezone_offset\": 26, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Collection | The 
adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}], \"technique\": {\"name\": \"Additional Cloud Credentials\", \"uid\": \"T1098.001\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.\", \"uid\": \"TA0040\"}, {\"name\": \"Command and Control The adversary is trying to communicate with compromised systems to control them.\", \"uid\": \"TA0011\"}], \"technique\": {\"name\": \"Credentials in Registry\", \"uid\": \"T1214\"}}], \"activity_name\": \"Allocate Page\", \"actor\": {\"process\": {\"name\": \"Quad\", \"pid\": 76, \"file\": {\"name\": \"tenant.prf\", \"type\": \"Symbolic Link\", \"path\": \"daisy bullet expectations/speakers.fon/tenant.prf\", \"type_id\": 7, \"company_name\": \"Hue Marcelina\", \"parent_folder\": \"daisy bullet expectations/speakers.fon\", \"confidentiality\": \"Not Confidential\", \"confidentiality_id\": 1, \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"D593DAFEC471B60EC788CAF95AEB0DBE9F1AF56F9741565D96CEB84FF7C0AB18B97E298266E585A9FE82C4F85EE020C4B4BD974B54373088F0D1ACE2022CE17D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"4F227649B2E932AED413A05B69BAA35D\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"modified_time\": 1695272181548, \"modified_time_dt\": \"2023-10-03T05:37:34.691274Z\"}, \"user\": {\"name\": \"Utc\", \"type\": \"User\", \"uid\": \"f45ba8fc-61ae-11ee-883d-0242ac110005\", \"type_id\": 1, \"full_name\": \"Carin Otha\", \"email_addr\": \"Mireille@associate.mobi\"}, \"uid\": \"f45baed8-61ae-11ee-95e3-0242ac110005\", \"cmd_line\": \"stick strength suffered\", \"container\": {\"name\": \"sp finger reductions\", \"size\": 1112406887, \"tag\": \"dish acc interpretation\", \"uid\": \"f45bb5c2-61ae-11ee-b166-0242ac110005\", \"image\": {\"name\": \"leaves mounted something\", \"uid\": \"f45bbbe4-61ae-11ee-9bd8-0242ac110005\"}, \"hash\": {\"value\": 
\"0C2DC99EB913832DEE1E00AC1C121596D14346E7971CAF8B9873BA2BB862C4070FDD33F21558BA3B264A80A7B15D1722F1B3603C0858D1247E4359752B166BCC\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, \"network_driver\": \"arizona knight karl\", \"orchestrator\": \"integral economics gc\"}, \"created_time\": 1695272181548, \"namespace_pid\": 50, \"parent_process\": {\"name\": \"Trout\", \"pid\": 61, \"file\": {\"name\": \"download.pptx\", \"type\": \"Regular File\", \"path\": \"qld four roulette/sticker.dwg/download.pptx\", \"desc\": \"vs in contamination\", \"type_id\": 1, \"parent_folder\": \"qld four roulette/sticker.dwg\", \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"value\": \"64188A2F3AF0E7C7E83F429137D1F51F574286F7\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"7C12BD84ACFCEACC8A756BE13D08AF2B1EC193C5411C64B85380EEEC0B1B41F7\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"modified_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.692393Z\", \"accessed_time_dt\": \"2023-10-03T05:37:34.692401Z\"}, \"user\": {\"name\": \"Presidential\", \"type\": \"User\", \"uid\": \"f45bd110-61ae-11ee-b7e4-0242ac110005\", \"org\": {\"name\": \"setup stolen unexpected\", \"uid\": \"f45bd82c-61ae-11ee-9e57-0242ac110005\", \"ou_name\": \"iceland threats webcast\"}, \"type_id\": 1, \"full_name\": \"Rosamaria Mckenzie\", \"credential_uid\": \"f45bdcd2-61ae-11ee-a554-0242ac110005\"}, \"uid\": \"f45be042-61ae-11ee-a467-0242ac110005\", \"cmd_line\": \"red beaches fi\", \"container\": {\"name\": \"dispatch ste exist\", \"uid\": \"f45be5ba-61ae-11ee-88ce-0242ac110005\", \"image\": {\"name\": \"third aged kurt\", \"uid\": \"f45bebfa-61ae-11ee-bf2c-0242ac110005\"}, \"hash\": {\"value\": \"23ABACC1EF47F49C2387DDF45E9C424754AB96A8A4DED29732E05CA4192D028D05F263525EFEB4BBAFD7ECE02D2821858C8F39BADB5B11151131D82A3D8596FA\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695272181548, \"namespace_pid\": 31, 
\"parent_process\": {\"pid\": 98, \"file\": {\"name\": \"mins.srt\", \"type\": \"Regular File\", \"path\": \"risks rendering meal/surf.pages/mins.srt\", \"signature\": {\"certificate\": {\"subject\": \"lindsay symptoms gel\", \"issuer\": \"agency covers tested\", \"fingerprints\": [{\"value\": \"5F3258EAA1979A8BE0323FCD83F87741B9046FD02DFEDB63CC5E8BBEC47C85C9\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"fool aye tears\"}, \"algorithm\": \"Authenticode\", \"algorithm_id\": 4}, \"product\": {\"name\": \"morocco steam contractors\", \"uid\": \"f45bff78-61ae-11ee-94d1-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"myrtle wn view\"}, \"type_id\": 1, \"parent_folder\": \"risks rendering meal/surf.pages\", \"hashes\": [{\"value\": \"A98DE8AD923CB627EA1CDCCD5CF7356C\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"modified_time_dt\": \"2023-10-03T05:37:34.693818Z\", \"created_time_dt\": \"2023-10-03T05:37:34.693827Z\", \"accessed_time_dt\": \"2023-10-03T05:37:34.693831Z\"}, \"user\": {\"type\": \"Unknown\", \"uid\": \"f45c0b9e-61ae-11ee-9f3b-0242ac110005\", \"type_id\": 0, \"full_name\": \"Marry Dia\", \"email_addr\": \"Lilliana@ability.edu\"}, \"tid\": 86, \"session\": {\"uid\": \"f45c1288-61ae-11ee-ab6a-0242ac110005\", \"uuid\": \"f45c160c-61ae-11ee-b9ea-0242ac110005\", \"issuer\": \"spec gambling separated\", \"created_time\": 1695272181548, \"credential_uid\": \"f45c1a1c-61ae-11ee-85ba-0242ac110005\", \"is_remote\": false, \"expiration_time_dt\": \"2023-10-03T05:37:34.694457Z\", \"created_time_dt\": \"2023-10-03T05:37:34.694465Z\"}, \"container\": {\"name\": \"pest fought calibration\", \"runtime\": \"violation card logged\", \"size\": 1513188610, \"uid\": \"f45c2426-61ae-11ee-9c9d-0242ac110005\", \"image\": {\"name\": \"stripes excerpt baptist\", \"uid\": \"f45c2962-61ae-11ee-8549-0242ac110005\"}, \"hash\": {\"value\": 
\"5D7318303179149862E7825F7F1712F9E8045CDC54401C79C269DD068E20EA5D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, \"orchestrator\": \"walt truly susan\", \"pod_uuid\": \"techno\"}, \"namespace_pid\": 49, \"parent_process\": {\"name\": \"Telling\", \"pid\": 43, \"file\": {\"name\": \"asked.htm\", \"owner\": {\"name\": \"Initiatives\", \"type\": \"Unknown\", \"domain\": \"voyeurweb strip groove\", \"type_id\": 0, \"full_name\": \"Lynnette Brooke\"}, \"type\": \"Symbolic Link\", \"path\": \"brakes bugs inquire/blogging.ics/asked.htm\", \"signature\": {\"digest\": {\"value\": \"522CB2274A0D096C0F94307F55DB6E9D63211626E8BED23C3C8721CA612F28681D4E0202C137F40265FCAAD0EFE6A9BD02E0CF8323BAF52EFE09FF298791B18D\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"fetish converter communicate\", \"issuer\": \"conclusions medicines exception\", \"fingerprints\": [{\"value\": \"F74C6AF46A78BECB2F1BD3F95BBD5858\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"43F66E6B6CBAF53CC520E58EC65805EC62FA04119845AC53816DA9F36F525AC65E3D7D92BED0351865836C0E97D63184282A5FEDC9AF2E914C6F9B349CB835F0\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"legal grant module\", \"expiration_time_dt\": \"2023-10-03T05:37:34.695275Z\", \"created_time_dt\": \"2023-10-03T05:37:34.695282Z\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2, \"created_time_dt\": \"2023-10-03T05:37:34.695288Z\"}, \"uid\": \"f45c3f9c-61ae-11ee-9d0c-0242ac110005\", \"type_id\": 7, \"accessor\": {\"name\": \"Review\", \"type\": \"Admin\", \"uid\": \"f45c480c-61ae-11ee-acd3-0242ac110005\", \"groups\": [{\"name\": \"holder outstanding vatican\", \"uid\": \"f45c4fe6-61ae-11ee-92f7-0242ac110005\"}, {\"name\": \"conducted egypt siemens\", \"type\": \"rent divine winston\", \"uid\": \"f45c5446-61ae-11ee-9f91-0242ac110005\"}], \"type_id\": 2}, \"creator\": {\"type\": 
\"availability\", \"uid\": \"f45c601c-61ae-11ee-a457-0242ac110005\", \"groups\": [{\"name\": \"usually gained erotica\", \"uid\": \"f45c65d0-61ae-11ee-b6a8-0242ac110005\"}], \"type_id\": 99}, \"parent_folder\": \"brakes bugs inquire/blogging.ics\", \"hashes\": [{\"value\": \"5FA7429271BF14C077FFD905562FF00BA03D0E577EBDE842D181A43F83B98C5611220439195D98F47BB4838632D59E533816344E1DF7DB00271120083235ABCA\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Duck\", \"type\": \"Admin\", \"uid\": \"f45c6dd2-61ae-11ee-9f94-0242ac110005\", \"type_id\": 2}, \"uid\": \"f45c71a6-61ae-11ee-9f7b-0242ac110005\", \"cmd_line\": \"montana introductory ratings\", \"container\": {\"name\": \"strings provided foster\", \"runtime\": \"accidents usda suit\", \"uid\": \"f45c77be-61ae-11ee-8b06-0242ac110005\", \"image\": {\"name\": \"resources albums born\", \"uid\": \"f45c7e4e-61ae-11ee-955d-0242ac110005\"}, \"hash\": {\"value\": \"AB2620F9B7154D9F9DC1B3C2D949D85D595FE77F45411B3DBE6E5B47DA564177\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695272181548, \"lineage\": [\"copies would makeup\"], \"namespace_pid\": 88, \"parent_process\": {\"name\": \"Brandon\", \"pid\": 45, \"file\": {\"name\": \"instructions.tif\", \"size\": 2331416290, \"type\": \"Unknown\", \"path\": \"passwords floral edition/roland.gif/instructions.tif\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"underwear chancellor basic\", \"issuer\": \"strengths enlarge sorry\", \"fingerprints\": [{\"value\": \"0BB55CC45379DA535A05A8EDE44DF854F408971928C66528377DA784038293CF\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"D8EAE8212E2ED885C71F4117E0C39374\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"neon ban suse\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"developer_uid\": \"f45c9208-61ae-11ee-9a72-0242ac110005\"}, \"desc\": \"goto 
egyptian throw\", \"type_id\": 0, \"parent_folder\": \"passwords floral edition/roland.gif\", \"hashes\": [{\"value\": \"6D856108BBB655CE760736415EE23ECE1B8FCEE045C992B3A971D31ED454BFAD53DE388CBE3FFDE1EF1A4258DDD307E4DAAD413389F51A42155B5F334C9243A4\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"6163CDC7962473142ADF6DA1E4C2B6DB26C7391242E8BBD4EE04661FEC7DF2C941477A0394334EEE5002B17ED4164502FEE4342047E61B7F299B5C98BE241602\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Manufacturing\", \"type\": \"united\", \"uid\": \"f45ca0ea-61ae-11ee-8476-0242ac110005\", \"org\": {\"name\": \"way pros ddr\", \"uid\": \"f45cafa4-61ae-11ee-af8c-0242ac110005\", \"ou_name\": \"reliability poultry devices\"}, \"type_id\": 99, \"full_name\": \"Livia Ji\", \"account\": {\"name\": \"pen favors essential\", \"type\": \"AWS Account\", \"uid\": \"f45cb6ac-61ae-11ee-89fb-0242ac110005\", \"type_id\": 10}, \"credential_uid\": \"f45cba58-61ae-11ee-8137-0242ac110005\", \"email_addr\": \"Moira@upset.nato\"}, \"uid\": \"f45cc066-61ae-11ee-b149-0242ac110005\", \"cmd_line\": \"trembl reverse constantly\", \"container\": {\"name\": \"strain outputs perceived\", \"uid\": \"f45cc660-61ae-11ee-8e56-0242ac110005\", \"image\": {\"name\": \"saturn cincinnati productivity\", \"path\": \"harrison typical operations\", \"uid\": \"f45ccb74-61ae-11ee-9ef0-0242ac110005\"}, \"hash\": {\"value\": \"5F69DE08EF1B52810A2E555253B2561BF4E27E0CF557FEB7502CAD51FCA3AC3B923994EC15B91A6E29CCD01AED752264DCA40FCF45DDB4B47C42836B57984513\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, \"pod_uuid\": \"ontario\"}, \"created_time\": 1695272181548, \"namespace_pid\": 48, \"parent_process\": {\"pid\": 43, \"file\": {\"name\": \"gothic.m3u\", \"owner\": {\"name\": \"Strengthening\", \"type\": \"pentium\", \"uid\": \"f45cdaba-61ae-11ee-ba9e-0242ac110005\", \"org\": {\"name\": \"wed mpeg mortality\", \"uid\": 
\"f45cdfd8-61ae-11ee-9701-0242ac110005\", \"ou_name\": \"penny automatically tops\"}, \"groups\": [{\"type\": \"britain touch corporations\", \"uid\": \"f45ce500-61ae-11ee-ae50-0242ac110005\"}], \"type_id\": 99, \"uid_alt\": \"developed drinks university\"}, \"type\": \"Block Device\", \"path\": \"dod emirates promote/knitting.vob/gothic.m3u\", \"signature\": {\"digest\": {\"value\": \"7243F8BE75253AFBADF7477867021F8B\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"tractor bag coleman\", \"issuer\": \"formation mixer sullivan\", \"fingerprints\": [{\"value\": \"741DD1242DF463E4748B3F29D59B2CDB444A2B723C098FCD8A61CFF3A2531A1EBEB1D42A7AD9A444FA8D89DC6A11F741547C10080B44BED739B5D0CDC993B842\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"C4824AE8BB216F860CA4CD45F979A59088DD132DF0BFA0EC613752EF4A2EE45E\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"ser rna serves\"}, \"algorithm\": \"supreme\", \"algorithm_id\": 99}, \"type_id\": 4, \"creator\": {\"name\": \"Catalog\", \"type\": \"System\", \"uid\": \"f45cf144-61ae-11ee-a33b-0242ac110005\", \"groups\": [{\"uid\": \"f45d004e-61ae-11ee-8d39-0242ac110005\"}, {\"name\": \"chairs leisure institution\", \"uid\": \"f45d05e4-61ae-11ee-99f9-0242ac110005\"}], \"type_id\": 3}, \"parent_folder\": \"dod emirates promote/knitting.vob\", \"security_descriptor\": \"retention changing science\", \"xattributes\": {}}, \"user\": {\"name\": \"Opt\", \"type\": \"Unknown\", \"domain\": \"funky valentine attached\", \"uid\": \"f45d1192-61ae-11ee-805a-0242ac110005\", \"type_id\": 0}, \"uid\": \"f45d16ba-61ae-11ee-b515-0242ac110005\", \"cmd_line\": \"reductions transfer kyle\", \"created_time\": 1695272181548, \"integrity\": \"guys thus beads\", \"namespace_pid\": 82, \"parent_process\": {\"name\": \"Friends\", \"pid\": 7, \"user\": {\"name\": \"Overall\", \"type\": 
\"Admin\", \"uid\": \"f45d2c18-61ae-11ee-8f99-0242ac110005\", \"org\": {\"name\": \"antique crawford mug\", \"uid\": \"f45d3226-61ae-11ee-b3e9-0242ac110005\", \"ou_name\": \"maximize tx tide\"}, \"type_id\": 2, \"credential_uid\": \"f45d3654-61ae-11ee-a013-0242ac110005\", \"uid_alt\": \"areas attachment guy\"}, \"uid\": \"f45d3a46-61ae-11ee-89e2-0242ac110005\", \"cmd_line\": \"trails washer home\", \"container\": {\"name\": \"requested divx inspector\", \"size\": 648398402, \"uid\": \"f45d3faa-61ae-11ee-95d3-0242ac110005\", \"image\": {\"name\": \"equation modular saver\", \"uid\": \"f45d4bb2-61ae-11ee-98af-0242ac110005\", \"labels\": [\"malaysia\", \"tough\"]}, \"hash\": {\"value\": \"68C9913042346CAD7F9FABEBF901C5DBBE49BEAFFE6CDBF271C0CD6F2363033A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}}, \"created_time\": 1695272181548, \"lineage\": [\"married funded elections\", \"liquid geek cal\"], \"namespace_pid\": 2, \"parent_process\": {\"name\": \"Warnings\", \"pid\": 59, \"file\": {\"name\": \"manner.app\", \"type\": \"Folder\", \"version\": \"1.0.0\", \"path\": \"turn available mighty/grocery.tax2016/manner.app\", \"desc\": \"starting invasion flame\", \"type_id\": 2, \"company_name\": \"Myrl Ilana\", \"parent_folder\": \"turn available mighty/grocery.tax2016\", \"hashes\": [{\"value\": \"2FF592449E1B208D2349421A0E142A80E875518AA0C20FF64D3610AB6830DD78BF8980FD7F211369C267D93464D86327F78FA84CEDB14D9210655D931C34F7BA\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"A2349F07A5DCE2F05BB0C656C6DEA195972A5C01A7B5DA65FEC562FE2C229B6B5B6930E7613E6323D8F52E25C3E76F85EBED522B17F8EB673C263A290FD26BB7\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"created_time_dt\": \"2023-10-03T05:37:34.702607Z\"}, \"user\": {\"name\": \"Dis\", \"type\": \"Unknown\", \"uid\": \"f45d6034-61ae-11ee-9b9d-0242ac110005\", \"groups\": [{\"name\": \"gamecube sunday foster\", \"uid\": \"f45d6750-61ae-11ee-bb59-0242ac110005\", \"privileges\": [\"ceiling pulling 
chapter\", \"advise lung transparent\"]}, {\"name\": \"skins korea bubble\", \"type\": \"annie rn pot\", \"uid\": \"f45d710a-61ae-11ee-a1f1-0242ac110005\", \"privileges\": [\"harbor syracuse quantities\"]}], \"type_id\": 0, \"account\": {\"name\": \"cycles beast pierce\", \"type\": \"Azure AD Account\", \"uid\": \"f45d7e20-61ae-11ee-9be4-0242ac110005\", \"type_id\": 6}}, \"tid\": 63, \"uid\": \"f45d835c-61ae-11ee-a0b4-0242ac110005\", \"cmd_line\": \"guided spine purple\", \"container\": {\"name\": \"diffs dead mechanical\", \"size\": 1480676944, \"tag\": \"cheers cancer russian\", \"uid\": \"f45d8ab4-61ae-11ee-a07b-0242ac110005\", \"hash\": {\"value\": \"10E86C6514D40F2A3E861B31847340EE8C8ED181029A17B042F137121D28863E\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, \"orchestrator\": \"piano sims editors\", \"pod_uuid\": \"danish\"}, \"created_time\": 1695272181548, \"lineage\": [\"at residential ceo\"], \"namespace_pid\": 67, \"parent_process\": {\"name\": \"Hamilton\", \"pid\": 38, \"file\": {\"name\": \"basename.mpg\", \"size\": 2270854617, \"type\": \"Folder\", \"path\": \"general required suspect/commentary.jar/basename.mpg\", \"modifier\": {\"name\": \"Lopez\", \"type\": \"Admin\", \"uid\": \"f45da012-61ae-11ee-8601-0242ac110005\", \"type_id\": 2}, \"type_id\": 2, \"parent_folder\": \"general required suspect/commentary.jar\", \"accessed_time\": 1695272181548, \"confidentiality\": \"fear browsers television\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"3B0173ED99A820AB5188A16998FBC2E1957424B5E1E2DB85F6F1F8CAFAE691070EE54DC314BDF2983F9A2CE57CF6E378ABB2AEDB0DA772B4626469F1363D4782\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.704513Z\", \"accessed_time_dt\": \"2023-10-03T05:37:34.704522Z\"}, \"cmd_line\": \"lists accredited manufacture\", \"created_time\": 1695272181548, \"integrity\": \"disclosure insert americans\", \"namespace_pid\": 16, \"parent_process\": {\"pid\": 
26, \"file\": {\"name\": \"mitsubishi.zip\", \"type\": \"way\", \"path\": \"premium accommodation showtimes/prisoner.deskthemepack/mitsubishi.zip\", \"type_id\": 99, \"parent_folder\": \"premium accommodation showtimes/prisoner.deskthemepack\", \"accessed_time\": 1695272181548, \"confidentiality\": \"applications\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"AC3F2D226D9EFC7934195793B402CBBC13E2736E205E59735FD07CE424B1FB37\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"BD1DC345B2C39E8DADCDA520CC809F96FFC8413DD1169269D5E02AE412E1297111E2A26660902A783337A5D4C0D0C9FEBCCBB0C0AED91F2BFA2CCF4845056AAB\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695272181548, \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.704809Z\"}, \"user\": {\"name\": \"Cardiovascular\", \"type\": \"Unknown\", \"uid\": \"f45db58e-61ae-11ee-b50c-0242ac110005\", \"type_id\": 0, \"uid_alt\": \"sn exception got\"}, \"container\": {\"name\": \"praise britannica rev\", \"uid\": \"f45dc254-61ae-11ee-b035-0242ac110005\", \"image\": {\"name\": \"conducted takes renewable\", \"uid\": \"f45dc7b8-61ae-11ee-9630-0242ac110005\"}, \"hash\": {\"value\": \"5DF4BFECA632B9BD1D11E5E5D9549CF30B4849A4C815894151C865C80E13E3D0DE949759C7E1AEE233D178AD52E3AE2E93D99AEA0D993ED5DCE67E03E1578823\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695272181548, \"integrity\": \"times entities fx\", \"namespace_pid\": 98, \"parent_process\": {\"name\": \"Forecasts\", \"pid\": 17, \"file\": {\"name\": \"hockey.part\", \"type\": \"Symbolic Link\", \"version\": \"1.0.0\", \"path\": \"seafood tape distant/physically.mdf/hockey.part\", \"uid\": \"f45dd3d4-61ae-11ee-9986-0242ac110005\", \"type_id\": 7, \"parent_folder\": \"seafood tape distant/physically.mdf\", \"hashes\": [{\"value\": \"0D3045A301A866174DD910C13E50427CB610EAD22A8523650B444E52FF16941B\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": 
\"BEE38FBC71DC4377BEF693AF6C11F462AC065BD6\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}]}, \"user\": {\"name\": \"Requires\", \"type\": \"User\", \"uid\": \"f45de0e0-61ae-11ee-88a9-0242ac110005\", \"type_id\": 1, \"credential_uid\": \"f45de554-61ae-11ee-bc44-0242ac110005\", \"uid_alt\": \"monica includes treating\"}, \"uid\": \"f45de978-61ae-11ee-af82-0242ac110005\", \"cmd_line\": \"insulation else evidence\", \"container\": {\"name\": \"dv cst mug\", \"size\": 2782839574, \"uid\": \"f45deefa-61ae-11ee-95f2-0242ac110005\", \"image\": {\"name\": \"olympus present empirical\", \"uid\": \"f45df3a0-61ae-11ee-ae83-0242ac110005\"}, \"hash\": {\"value\": \"E272B1A204600DF6B8A987C8FB851C7EF2AA8596CF158120722E5966F20081F5\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, \"orchestrator\": \"internationally correct examining\"}, \"created_time\": 1695272181548, \"integrity\": \"involvement hk speaking\", \"namespace_pid\": 56, \"parent_process\": {\"name\": \"Heath\", \"pid\": 26, \"user\": {\"name\": \"Qualities\", \"type\": \"System\", \"uid\": \"f45e00c0-61ae-11ee-b4f1-0242ac110005\", \"type_id\": 3, \"account\": {\"name\": \"engines robot c\", \"uid\": \"f45e05fc-61ae-11ee-bdef-0242ac110005\"}, \"uid_alt\": \"pathology ordinary ep\"}, \"cmd_line\": \"collapse tan demo\", \"container\": {\"name\": \"matters sophisticated hampshire\", \"size\": 277669091, \"uid\": \"f45e0b7e-61ae-11ee-9c4e-0242ac110005\", \"image\": {\"name\": \"pty dramatic measure\", \"uid\": \"f45e1452-61ae-11ee-93ff-0242ac110005\"}, \"hash\": {\"value\": \"7CFCBD1C1575DD7EAE454F18B9267188\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, \"orchestrator\": \"earned accountability todd\"}, \"created_time\": 1695272181548, \"integrity\": \"Protected\", \"integrity_id\": 6, \"namespace_pid\": 36, \"parent_process\": {\"name\": \"Special\", \"pid\": 39, \"user\": {\"name\": \"Mice\", \"type\": \"scoring\", \"uid\": \"f45e1f4c-61ae-11ee-bd4f-0242ac110005\", \"type_id\": 99}, \"cmd_line\": \"rubber taxi 
deployment\", \"container\": {\"name\": \"insulin never metabolism\", \"size\": 2875863087, \"uid\": \"f45e2532-61ae-11ee-b4f8-0242ac110005\", \"image\": {\"name\": \"phantom participant employee\", \"uid\": \"f45e29ec-61ae-11ee-b755-0242ac110005\"}, \"hash\": {\"value\": \"19EA5DD6F7D4532CE968933056B2150CB38D84FBEA07A9B1E71EE7388D9EAD136AFB55A16621065CA950B550FAA589C7E77583279DE84B3C958B13C9BA731D69\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"pod_uuid\": \"luxury\"}, \"created_time\": 1695272181548, \"integrity\": \"Protected\", \"integrity_id\": 6, \"namespace_pid\": 45, \"parent_process\": {\"pid\": 65, \"file\": {\"name\": \"message.exe\", \"owner\": {\"name\": \"Vegas\", \"type\": \"Unknown\", \"domain\": \"existence see evans\", \"org\": {\"name\": \"super rolling importantly\", \"uid\": \"f45e40bc-61ae-11ee-9f84-0242ac110005\", \"ou_uid\": \"f45e44ea-61ae-11ee-af1f-0242ac110005\"}, \"groups\": [{\"name\": \"careers fixes kai\", \"desc\": \"highways cheat summary\", \"uid\": \"f45e4da0-61ae-11ee-8ce5-0242ac110005\"}, {\"name\": \"past affiliate london\", \"type\": \"exclusion cleaners mart\", \"uid\": \"f45e51c4-61ae-11ee-af56-0242ac110005\"}], \"type_id\": 0, \"account\": {\"name\": \"tradition surfaces classification\", \"type\": \"AWS IAM Role\", \"uid\": \"f45e5af2-61ae-11ee-8e43-0242ac110005\", \"type_id\": 4}}, \"type\": \"mozilla\", \"path\": \"brunette symbol poem/weekends.htm/message.exe\", \"uid\": \"f45e5fa2-61ae-11ee-9642-0242ac110005\", \"type_id\": 99, \"parent_folder\": \"brunette symbol poem/weekends.htm\", \"confidentiality\": \"watson\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"EC04A154DEAC2F7D6C2C939EA992222061F58A10BD334C6D45E3B9B3BC538985107E3B32A6CA567C7B5C6F8F0D857459E5DDC11A97318AC1AEA8A2461B955401\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"6E170831A56B3AFDAFF2E0614B1495541FDE0CA37B2F9EBCB6D5225A0CADE66CC1E6AD525CAFDD363EAA50505FD613EDBD5C1B4D703D34702968D3AE7E09037C\", \"algorithm\": 
\"CTPH\", \"algorithm_id\": 5}], \"modified_time_dt\": \"2023-10-03T05:37:34.709399Z\", \"created_time_dt\": \"2023-10-03T05:37:34.709410Z\", \"accessed_time_dt\": \"2023-10-03T05:37:34.709414Z\"}, \"user\": {\"type\": \"Unknown\", \"uid\": \"f45e68d0-61ae-11ee-a6d3-0242ac110005\", \"type_id\": 0, \"full_name\": \"Rosamaria Norberto\", \"account\": {\"name\": \"wireless trains wave\", \"type\": \"Linux Account\", \"uid\": \"f45e6eb6-61ae-11ee-9f44-0242ac110005\", \"type_id\": 9}, \"credential_uid\": \"f45e7230-61ae-11ee-a271-0242ac110005\"}, \"uid\": \"f45e7546-61ae-11ee-ab37-0242ac110005\", \"session\": {\"uid\": \"f45e805e-61ae-11ee-90d6-0242ac110005\", \"created_time\": 1695272181548, \"is_remote\": true, \"expiration_time_dt\": \"2023-10-03T05:37:34.710191Z\"}, \"namespace_pid\": 69, \"parent_process\": {\"name\": \"Is\", \"pid\": 14, \"file\": {\"name\": \"ambassador.swf\", \"type\": \"Symbolic Link\", \"path\": \"nickel gui cute/vision.m3u/ambassador.swf\", \"signature\": {\"digest\": {\"value\": \"14B85FA8E87F846F757EACCDA09761641B397F01\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"panic aspects reporting\", \"issuer\": \"hate passive admission\", \"fingerprints\": [{\"value\": \"09958F2F29A975C86F4BC77872179A9E719846A48F2022B36957925999CD31F4A0578A6C18EE8BDC0AEE2F0974FB4647FF2A0BFEA8A1E56877193277A827418F\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"promote dirt hindu\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time_dt\": \"2023-10-03T05:37:34.710541Z\"}, \"type_id\": 7, \"company_name\": \"Nicholas Betty\", \"parent_folder\": \"nickel gui cute/vision.m3u\", \"confidentiality\": \"sandwich exhibit ellis\", \"hashes\": [{\"value\": \"4DBD2BB0760D9EBBC2743A91879CCBC04A4837BD467C1F3B4E0850E4D459BC52\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": 
\"A5469012CF0415AAE3FFA22840287489C3C57811D0FD29A58C2CD702BC84D59ADC43354994A400CA41F16849414FADE8C6A9889E640F7987FF65EAD837C7D8E4\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.710639Z\"}, \"user\": {\"name\": \"Genres\", \"type\": \"User\", \"uid\": \"f45e9cb0-61ae-11ee-b849-0242ac110005\", \"type_id\": 1, \"full_name\": \"Lucile Apryl\", \"account\": {\"name\": \"saint view max\", \"type\": \"Apple Account\", \"uid\": \"f45ea32c-61ae-11ee-9546-0242ac110005\", \"type_id\": 8}, \"credential_uid\": \"f45ea700-61ae-11ee-bb61-0242ac110005\", \"email_addr\": \"Jeana@drill.web\"}, \"cmd_line\": \"changes sad programmes\", \"container\": {\"size\": 1104975009, \"tag\": \"alexander specs considered\", \"uid\": \"f45eae80-61ae-11ee-8fa9-0242ac110005\", \"image\": {\"name\": \"soap potter browsers\", \"uid\": \"f45eb3bc-61ae-11ee-871c-0242ac110005\"}, \"hash\": {\"value\": \"05521B80BB22220B8B095A94DA44E07951EE15F402F4BD4A050BD0CFFFD6B154\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, \"orchestrator\": \"matches virginia accepts\"}, \"created_time\": 1695272181548, \"namespace_pid\": 49}, \"sandbox\": \"ut metropolitan adjacent\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711553Z\"}, \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.711572Z\"}, \"terminated_time\": 1695272181548, \"terminated_time_dt\": \"2023-10-03T05:37:34.711582Z\"}, \"sandbox\": \"dans ip tours\"}, \"terminated_time\": 1695272181548, \"terminated_time_dt\": \"2023-10-03T05:37:34.711596Z\"}, \"created_time_dt\": \"2023-10-03T05:37:34.711602Z\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711606Z\"}, \"terminated_time\": 1695272181548, \"xattributes\": {}}, \"xattributes\": {}}, \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.711634Z\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711638Z\"}, \"sandbox\": \"brunette christ monetary\", \"created_time_dt\": \"2023-10-03T05:37:34.711648Z\", 
\"terminated_time_dt\": \"2023-10-03T05:37:34.711652Z\"}, \"terminated_time\": 1695272181548}, \"xattributes\": {}}, \"xattributes\": {}}}, \"user\": {\"name\": \"We\", \"type\": \"Admin\", \"uid\": \"f45ec2a8-61ae-11ee-90fc-0242ac110005\", \"org\": {\"name\": \"enquiry hottest creations\", \"uid\": \"f45ecb68-61ae-11ee-824c-0242ac110005\", \"ou_name\": \"reel metals plain\"}, \"type_id\": 2, \"account\": {\"name\": \"intensive flash narrative\", \"type\": \"Windows Account\", \"uid\": \"f45ed32e-61ae-11ee-9aa9-0242ac110005\", \"type_id\": 2}}}, \"actual_permissions\": 14, \"base_address\": \"statements dining gnome\", \"cloud\": {\"project_uid\": \"f4505768-61ae-11ee-89e9-0242ac110005\", \"provider\": \"christian studies pioneer\", \"region\": \"increased competitors sparc\"}, \"severity_id\": 5, \"status_code\": \"registry\", \"time_dt\": \"2023-10-03T05:37:34.712339Z\"}", + "event": { + "action": "allocate page", + "provider": "manual equivalent detroit", + "sequence": 35, + "severity": 5 + }, + "cloud": { + "project": { + "id": "f4505768-61ae-11ee-89e9-0242ac110005" + }, + "provider": "christian studies pioneer", + "region": "increased competitors sparc" + }, + "ocsf": "{\"activity_id\": 1, \"activity_name\": \"Allocate Page\", \"actor\": {\"process\": {\"cmd_line\": \"stick strength suffered\", \"container\": {\"hash\": {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"0C2DC99EB913832DEE1E00AC1C121596D14346E7971CAF8B9873BA2BB862C4070FDD33F21558BA3B264A80A7B15D1722F1B3603C0858D1247E4359752B166BCC\"}, \"image\": {\"name\": \"leaves mounted something\", \"uid\": \"f45bbbe4-61ae-11ee-9bd8-0242ac110005\"}, \"name\": \"sp finger reductions\", \"network_driver\": \"arizona knight karl\", \"orchestrator\": \"integral economics gc\", \"size\": 1112406887, \"tag\": \"dish acc interpretation\", \"uid\": \"f45bb5c2-61ae-11ee-b166-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Hue Marcelina\", \"confidentiality\": \"Not 
Confidential\", \"confidentiality_id\": 1, \"created_time\": 1695272181548, \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"D593DAFEC471B60EC788CAF95AEB0DBE9F1AF56F9741565D96CEB84FF7C0AB18B97E298266E585A9FE82C4F85EE020C4B4BD974B54373088F0D1ACE2022CE17D\"}, {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"4F227649B2E932AED413A05B69BAA35D\"}], \"modified_time\": 1695272181548, \"modified_time_dt\": \"2023-10-03T05:37:34.691274Z\", \"name\": \"tenant.prf\", \"parent_folder\": \"daisy bullet expectations/speakers.fon\", \"path\": \"daisy bullet expectations/speakers.fon/tenant.prf\", \"type\": \"Symbolic Link\", \"type_id\": 7}, \"name\": \"Quad\", \"namespace_pid\": 50, \"parent_process\": {\"cmd_line\": \"red beaches fi\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"23ABACC1EF47F49C2387DDF45E9C424754AB96A8A4DED29732E05CA4192D028D05F263525EFEB4BBAFD7ECE02D2821858C8F39BADB5B11151131D82A3D8596FA\"}, \"image\": {\"name\": \"third aged kurt\", \"uid\": \"f45bebfa-61ae-11ee-bf2c-0242ac110005\"}, \"name\": \"dispatch ste exist\", \"uid\": \"f45be5ba-61ae-11ee-88ce-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessed_time_dt\": \"2023-10-03T05:37:34.692401Z\", \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"created_time_dt\": \"2023-10-03T05:37:34.692393Z\", \"desc\": \"vs in contamination\", \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"64188A2F3AF0E7C7E83F429137D1F51F574286F7\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"7C12BD84ACFCEACC8A756BE13D08AF2B1EC193C5411C64B85380EEEC0B1B41F7\"}], \"modified_time\": 1695272181548, \"name\": \"download.pptx\", \"parent_folder\": \"qld four roulette/sticker.dwg\", \"path\": \"qld four roulette/sticker.dwg/download.pptx\", \"type\": \"Regular File\", \"type_id\": 1}, \"name\": \"Trout\", \"namespace_pid\": 31, \"parent_process\": {\"container\": {\"hash\": 
{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"5D7318303179149862E7825F7F1712F9E8045CDC54401C79C269DD068E20EA5D\"}, \"image\": {\"name\": \"stripes excerpt baptist\", \"uid\": \"f45c2962-61ae-11ee-8549-0242ac110005\"}, \"name\": \"pest fought calibration\", \"orchestrator\": \"walt truly susan\", \"pod_uuid\": \"techno\", \"runtime\": \"violation card logged\", \"size\": 1513188610, \"uid\": \"f45c2426-61ae-11ee-9c9d-0242ac110005\"}, \"file\": {\"accessed_time_dt\": \"2023-10-03T05:37:34.693831Z\", \"created_time_dt\": \"2023-10-03T05:37:34.693827Z\", \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"A98DE8AD923CB627EA1CDCCD5CF7356C\"}], \"modified_time_dt\": \"2023-10-03T05:37:34.693818Z\", \"name\": \"mins.srt\", \"parent_folder\": \"risks rendering meal/surf.pages\", \"path\": \"risks rendering meal/surf.pages/mins.srt\", \"product\": {\"lang\": \"en\", \"name\": \"morocco steam contractors\", \"uid\": \"f45bff78-61ae-11ee-94d1-0242ac110005\", \"vendor_name\": \"myrtle wn view\"}, \"signature\": {\"algorithm\": \"Authenticode\", \"algorithm_id\": 4, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"5F3258EAA1979A8BE0323FCD83F87741B9046FD02DFEDB63CC5E8BBEC47C85C9\"}], \"issuer\": \"agency covers tested\", \"serial_number\": \"fool aye tears\", \"subject\": \"lindsay symptoms gel\"}}, \"type\": \"Regular File\", \"type_id\": 1}, \"namespace_pid\": 49, \"parent_process\": {\"cmd_line\": \"montana introductory ratings\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"AB2620F9B7154D9F9DC1B3C2D949D85D595FE77F45411B3DBE6E5B47DA564177\"}, \"image\": {\"name\": \"resources albums born\", \"uid\": \"f45c7e4e-61ae-11ee-955d-0242ac110005\"}, \"name\": \"strings provided foster\", \"runtime\": \"accidents usda suit\", \"uid\": \"f45c77be-61ae-11ee-8b06-0242ac110005\"}, 
\"created_time\": 1695272181548, \"file\": {\"accessor\": {\"groups\": [{\"name\": \"holder outstanding vatican\", \"uid\": \"f45c4fe6-61ae-11ee-92f7-0242ac110005\"}, {\"name\": \"conducted egypt siemens\", \"type\": \"rent divine winston\", \"uid\": \"f45c5446-61ae-11ee-9f91-0242ac110005\"}], \"name\": \"Review\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"f45c480c-61ae-11ee-acd3-0242ac110005\"}, \"creator\": {\"groups\": [{\"name\": \"usually gained erotica\", \"uid\": \"f45c65d0-61ae-11ee-b6a8-0242ac110005\"}], \"type\": \"availability\", \"type_id\": 99, \"uid\": \"f45c601c-61ae-11ee-a457-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"5FA7429271BF14C077FFD905562FF00BA03D0E577EBDE842D181A43F83B98C5611220439195D98F47BB4838632D59E533816344E1DF7DB00271120083235ABCA\"}], \"name\": \"asked.htm\", \"owner\": {\"domain\": \"voyeurweb strip groove\", \"full_name\": \"Lynnette Brooke\", \"name\": \"Initiatives\", \"type\": \"Unknown\", \"type_id\": 0}, \"parent_folder\": \"brakes bugs inquire/blogging.ics\", \"path\": \"brakes bugs inquire/blogging.ics/asked.htm\", \"signature\": {\"algorithm\": \"RSA\", \"algorithm_id\": 2, \"certificate\": {\"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.695282Z\", \"expiration_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T05:37:34.695275Z\", \"fingerprints\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"F74C6AF46A78BECB2F1BD3F95BBD5858\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"43F66E6B6CBAF53CC520E58EC65805EC62FA04119845AC53816DA9F36F525AC65E3D7D92BED0351865836C0E97D63184282A5FEDC9AF2E914C6F9B349CB835F0\"}], \"issuer\": \"conclusions medicines exception\", \"serial_number\": \"legal grant module\", \"subject\": \"fetish converter communicate\", \"version\": \"1.0.0\"}, \"created_time_dt\": \"2023-10-03T05:37:34.695288Z\", \"digest\": {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": 
\"522CB2274A0D096C0F94307F55DB6E9D63211626E8BED23C3C8721CA612F28681D4E0202C137F40265FCAAD0EFE6A9BD02E0CF8323BAF52EFE09FF298791B18D\"}}, \"type\": \"Symbolic Link\", \"type_id\": 7, \"uid\": \"f45c3f9c-61ae-11ee-9d0c-0242ac110005\"}, \"lineage\": [\"copies would makeup\"], \"name\": \"Telling\", \"namespace_pid\": 88, \"parent_process\": {\"cmd_line\": \"trembl reverse constantly\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"5F69DE08EF1B52810A2E555253B2561BF4E27E0CF557FEB7502CAD51FCA3AC3B923994EC15B91A6E29CCD01AED752264DCA40FCF45DDB4B47C42836B57984513\"}, \"image\": {\"name\": \"saturn cincinnati productivity\", \"path\": \"harrison typical operations\", \"uid\": \"f45ccb74-61ae-11ee-9ef0-0242ac110005\"}, \"name\": \"strain outputs perceived\", \"pod_uuid\": \"ontario\", \"uid\": \"f45cc660-61ae-11ee-8e56-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.711648Z\", \"file\": {\"desc\": \"goto egyptian throw\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"6D856108BBB655CE760736415EE23ECE1B8FCEE045C992B3A971D31ED454BFAD53DE388CBE3FFDE1EF1A4258DDD307E4DAAD413389F51A42155B5F334C9243A4\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"6163CDC7962473142ADF6DA1E4C2B6DB26C7391242E8BBD4EE04661FEC7DF2C941477A0394334EEE5002B17ED4164502FEE4342047E61B7F299B5C98BE241602\"}], \"modified_time\": 1695272181548, \"name\": \"instructions.tif\", \"parent_folder\": \"passwords floral edition/roland.gif\", \"path\": \"passwords floral edition/roland.gif/instructions.tif\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"0BB55CC45379DA535A05A8EDE44DF854F408971928C66528377DA784038293CF\"}, {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": 
\"D8EAE8212E2ED885C71F4117E0C39374\"}], \"issuer\": \"strengths enlarge sorry\", \"serial_number\": \"neon ban suse\", \"subject\": \"underwear chancellor basic\", \"version\": \"1.0.0\"}, \"developer_uid\": \"f45c9208-61ae-11ee-9a72-0242ac110005\"}, \"size\": 2331416290, \"type\": \"Unknown\", \"type_id\": 0}, \"name\": \"Brandon\", \"namespace_pid\": 48, \"parent_process\": {\"cmd_line\": \"reductions transfer kyle\", \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.711634Z\", \"file\": {\"creator\": {\"groups\": [{\"uid\": \"f45d004e-61ae-11ee-8d39-0242ac110005\"}, {\"name\": \"chairs leisure institution\", \"uid\": \"f45d05e4-61ae-11ee-99f9-0242ac110005\"}], \"name\": \"Catalog\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"f45cf144-61ae-11ee-a33b-0242ac110005\"}, \"name\": \"gothic.m3u\", \"owner\": {\"groups\": [{\"type\": \"britain touch corporations\", \"uid\": \"f45ce500-61ae-11ee-ae50-0242ac110005\"}], \"name\": \"Strengthening\", \"org\": {\"name\": \"wed mpeg mortality\", \"ou_name\": \"penny automatically tops\", \"uid\": \"f45cdfd8-61ae-11ee-9701-0242ac110005\"}, \"type\": \"pentium\", \"type_id\": 99, \"uid\": \"f45cdaba-61ae-11ee-ba9e-0242ac110005\", \"uid_alt\": \"developed drinks university\"}, \"parent_folder\": \"dod emirates promote/knitting.vob\", \"path\": \"dod emirates promote/knitting.vob/gothic.m3u\", \"security_descriptor\": \"retention changing science\", \"signature\": {\"algorithm\": \"supreme\", \"algorithm_id\": 99, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"741DD1242DF463E4748B3F29D59B2CDB444A2B723C098FCD8A61CFF3A2531A1EBEB1D42A7AD9A444FA8D89DC6A11F741547C10080B44BED739B5D0CDC993B842\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"C4824AE8BB216F860CA4CD45F979A59088DD132DF0BFA0EC613752EF4A2EE45E\"}], \"issuer\": \"formation mixer sullivan\", 
\"serial_number\": \"ser rna serves\", \"subject\": \"tractor bag coleman\", \"version\": \"1.0.0\"}, \"digest\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"7243F8BE75253AFBADF7477867021F8B\"}}, \"type\": \"Block Device\", \"type_id\": 4, \"xattributes\": {}}, \"integrity\": \"guys thus beads\", \"namespace_pid\": 82, \"parent_process\": {\"cmd_line\": \"trails washer home\", \"container\": {\"hash\": {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"68C9913042346CAD7F9FABEBF901C5DBBE49BEAFFE6CDBF271C0CD6F2363033A\"}, \"image\": {\"labels\": [\"malaysia\", \"tough\"], \"name\": \"equation modular saver\", \"uid\": \"f45d4bb2-61ae-11ee-98af-0242ac110005\"}, \"name\": \"requested divx inspector\", \"size\": 648398402, \"uid\": \"f45d3faa-61ae-11ee-95d3-0242ac110005\"}, \"created_time\": 1695272181548, \"lineage\": [\"married funded elections\", \"liquid geek cal\"], \"name\": \"Friends\", \"namespace_pid\": 2, \"parent_process\": {\"cmd_line\": \"guided spine purple\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"10E86C6514D40F2A3E861B31847340EE8C8ED181029A17B042F137121D28863E\"}, \"name\": \"diffs dead mechanical\", \"orchestrator\": \"piano sims editors\", \"pod_uuid\": \"danish\", \"size\": 1480676944, \"tag\": \"cheers cancer russian\", \"uid\": \"f45d8ab4-61ae-11ee-a07b-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Myrl Ilana\", \"created_time_dt\": \"2023-10-03T05:37:34.702607Z\", \"desc\": \"starting invasion flame\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"2FF592449E1B208D2349421A0E142A80E875518AA0C20FF64D3610AB6830DD78BF8980FD7F211369C267D93464D86327F78FA84CEDB14D9210655D931C34F7BA\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"A2349F07A5DCE2F05BB0C656C6DEA195972A5C01A7B5DA65FEC562FE2C229B6B5B6930E7613E6323D8F52E25C3E76F85EBED522B17F8EB673C263A290FD26BB7\"}], \"name\": \"manner.app\", 
\"parent_folder\": \"turn available mighty/grocery.tax2016\", \"path\": \"turn available mighty/grocery.tax2016/manner.app\", \"type\": \"Folder\", \"type_id\": 2, \"version\": \"1.0.0\"}, \"lineage\": [\"at residential ceo\"], \"name\": \"Warnings\", \"namespace_pid\": 67, \"parent_process\": {\"cmd_line\": \"lists accredited manufacture\", \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.711602Z\", \"file\": {\"accessed_time\": 1695272181548, \"accessed_time_dt\": \"2023-10-03T05:37:34.704522Z\", \"confidentiality\": \"fear browsers television\", \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.704513Z\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"3B0173ED99A820AB5188A16998FBC2E1957424B5E1E2DB85F6F1F8CAFAE691070EE54DC314BDF2983F9A2CE57CF6E378ABB2AEDB0DA772B4626469F1363D4782\"}], \"modifier\": {\"name\": \"Lopez\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"f45da012-61ae-11ee-8601-0242ac110005\"}, \"name\": \"basename.mpg\", \"parent_folder\": \"general required suspect/commentary.jar\", \"path\": \"general required suspect/commentary.jar/basename.mpg\", \"size\": 2270854617, \"type\": \"Folder\", \"type_id\": 2, \"xattributes\": {}}, \"integrity\": \"disclosure insert americans\", \"name\": \"Hamilton\", \"namespace_pid\": 16, \"parent_process\": {\"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"5DF4BFECA632B9BD1D11E5E5D9549CF30B4849A4C815894151C865C80E13E3D0DE949759C7E1AEE233D178AD52E3AE2E93D99AEA0D993ED5DCE67E03E1578823\"}, \"image\": {\"name\": \"conducted takes renewable\", \"uid\": \"f45dc7b8-61ae-11ee-9630-0242ac110005\"}, \"name\": \"praise britannica rev\", \"uid\": \"f45dc254-61ae-11ee-b035-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessed_time\": 1695272181548, \"confidentiality\": \"applications\", \"confidentiality_id\": 99, \"created_time_dt\": \"2023-10-03T05:37:34.704809Z\", \"hashes\": [{\"algorithm\": 
\"magic\", \"algorithm_id\": 99, \"value\": \"AC3F2D226D9EFC7934195793B402CBBC13E2736E205E59735FD07CE424B1FB37\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"BD1DC345B2C39E8DADCDA520CC809F96FFC8413DD1169269D5E02AE412E1297111E2A26660902A783337A5D4C0D0C9FEBCCBB0C0AED91F2BFA2CCF4845056AAB\"}], \"modified_time\": 1695272181548, \"name\": \"mitsubishi.zip\", \"parent_folder\": \"premium accommodation showtimes/prisoner.deskthemepack\", \"path\": \"premium accommodation showtimes/prisoner.deskthemepack/mitsubishi.zip\", \"type\": \"way\", \"type_id\": 99, \"xattributes\": {}}, \"integrity\": \"times entities fx\", \"namespace_pid\": 98, \"parent_process\": {\"cmd_line\": \"insulation else evidence\", \"container\": {\"hash\": {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"E272B1A204600DF6B8A987C8FB851C7EF2AA8596CF158120722E5966F20081F5\"}, \"image\": {\"name\": \"olympus present empirical\", \"uid\": \"f45df3a0-61ae-11ee-ae83-0242ac110005\"}, \"name\": \"dv cst mug\", \"orchestrator\": \"internationally correct examining\", \"size\": 2782839574, \"uid\": \"f45deefa-61ae-11ee-95f2-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"0D3045A301A866174DD910C13E50427CB610EAD22A8523650B444E52FF16941B\"}, {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"BEE38FBC71DC4377BEF693AF6C11F462AC065BD6\"}], \"name\": \"hockey.part\", \"parent_folder\": \"seafood tape distant/physically.mdf\", \"path\": \"seafood tape distant/physically.mdf/hockey.part\", \"type\": \"Symbolic Link\", \"type_id\": 7, \"uid\": \"f45dd3d4-61ae-11ee-9986-0242ac110005\", \"version\": \"1.0.0\"}, \"integrity\": \"involvement hk speaking\", \"name\": \"Forecasts\", \"namespace_pid\": 56, \"parent_process\": {\"cmd_line\": \"collapse tan demo\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"7CFCBD1C1575DD7EAE454F18B9267188\"}, \"image\": 
{\"name\": \"pty dramatic measure\", \"uid\": \"f45e1452-61ae-11ee-93ff-0242ac110005\"}, \"name\": \"matters sophisticated hampshire\", \"orchestrator\": \"earned accountability todd\", \"size\": 277669091, \"uid\": \"f45e0b7e-61ae-11ee-9c4e-0242ac110005\"}, \"created_time\": 1695272181548, \"integrity\": \"Protected\", \"integrity_id\": 6, \"name\": \"Heath\", \"namespace_pid\": 36, \"parent_process\": {\"cmd_line\": \"rubber taxi deployment\", \"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"19EA5DD6F7D4532CE968933056B2150CB38D84FBEA07A9B1E71EE7388D9EAD136AFB55A16621065CA950B550FAA589C7E77583279DE84B3C958B13C9BA731D69\"}, \"image\": {\"name\": \"phantom participant employee\", \"uid\": \"f45e29ec-61ae-11ee-b755-0242ac110005\"}, \"name\": \"insulin never metabolism\", \"pod_uuid\": \"luxury\", \"size\": 2875863087, \"uid\": \"f45e2532-61ae-11ee-b4f8-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.711572Z\", \"integrity\": \"Protected\", \"integrity_id\": 6, \"name\": \"Special\", \"namespace_pid\": 45, \"parent_process\": {\"file\": {\"accessed_time_dt\": \"2023-10-03T05:37:34.709414Z\", \"confidentiality\": \"watson\", \"confidentiality_id\": 99, \"created_time_dt\": \"2023-10-03T05:37:34.709410Z\", \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"EC04A154DEAC2F7D6C2C939EA992222061F58A10BD334C6D45E3B9B3BC538985107E3B32A6CA567C7B5C6F8F0D857459E5DDC11A97318AC1AEA8A2461B955401\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"6E170831A56B3AFDAFF2E0614B1495541FDE0CA37B2F9EBCB6D5225A0CADE66CC1E6AD525CAFDD363EAA50505FD613EDBD5C1B4D703D34702968D3AE7E09037C\"}], \"modified_time_dt\": \"2023-10-03T05:37:34.709399Z\", \"name\": \"message.exe\", \"owner\": {\"account\": {\"name\": \"tradition surfaces classification\", \"type\": \"AWS IAM Role\", \"type_id\": 4, \"uid\": \"f45e5af2-61ae-11ee-8e43-0242ac110005\"}, \"domain\": \"existence see 
evans\", \"groups\": [{\"desc\": \"highways cheat summary\", \"name\": \"careers fixes kai\", \"uid\": \"f45e4da0-61ae-11ee-8ce5-0242ac110005\"}, {\"name\": \"past affiliate london\", \"type\": \"exclusion cleaners mart\", \"uid\": \"f45e51c4-61ae-11ee-af56-0242ac110005\"}], \"name\": \"Vegas\", \"org\": {\"name\": \"super rolling importantly\", \"ou_uid\": \"f45e44ea-61ae-11ee-af1f-0242ac110005\", \"uid\": \"f45e40bc-61ae-11ee-9f84-0242ac110005\"}, \"type\": \"Unknown\", \"type_id\": 0}, \"parent_folder\": \"brunette symbol poem/weekends.htm\", \"path\": \"brunette symbol poem/weekends.htm/message.exe\", \"type\": \"mozilla\", \"type_id\": 99, \"uid\": \"f45e5fa2-61ae-11ee-9642-0242ac110005\"}, \"namespace_pid\": 69, \"parent_process\": {\"cmd_line\": \"changes sad programmes\", \"container\": {\"hash\": {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"05521B80BB22220B8B095A94DA44E07951EE15F402F4BD4A050BD0CFFFD6B154\"}, \"image\": {\"name\": \"soap potter browsers\", \"uid\": \"f45eb3bc-61ae-11ee-871c-0242ac110005\"}, \"orchestrator\": \"matches virginia accepts\", \"size\": 1104975009, \"tag\": \"alexander specs considered\", \"uid\": \"f45eae80-61ae-11ee-8fa9-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Nicholas Betty\", \"confidentiality\": \"sandwich exhibit ellis\", \"created_time_dt\": \"2023-10-03T05:37:34.710639Z\", \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"4DBD2BB0760D9EBBC2743A91879CCBC04A4837BD467C1F3B4E0850E4D459BC52\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"A5469012CF0415AAE3FFA22840287489C3C57811D0FD29A58C2CD702BC84D59ADC43354994A400CA41F16849414FADE8C6A9889E640F7987FF65EAD837C7D8E4\"}], \"name\": \"ambassador.swf\", \"parent_folder\": \"nickel gui cute/vision.m3u\", \"path\": \"nickel gui cute/vision.m3u/ambassador.swf\", \"signature\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"certificate\": {\"created_time\": 1695272181548, 
\"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"09958F2F29A975C86F4BC77872179A9E719846A48F2022B36957925999CD31F4A0578A6C18EE8BDC0AEE2F0974FB4647FF2A0BFEA8A1E56877193277A827418F\"}], \"issuer\": \"hate passive admission\", \"serial_number\": \"promote dirt hindu\", \"subject\": \"panic aspects reporting\", \"version\": \"1.0.0\"}, \"created_time_dt\": \"2023-10-03T05:37:34.710541Z\", \"digest\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"14B85FA8E87F846F757EACCDA09761641B397F01\"}}, \"type\": \"Symbolic Link\", \"type_id\": 7, \"xattributes\": {}}, \"name\": \"Is\", \"namespace_pid\": 49, \"pid\": 14, \"user\": {\"account\": {\"name\": \"saint view max\", \"type\": \"Apple Account\", \"type_id\": 8, \"uid\": \"f45ea32c-61ae-11ee-9546-0242ac110005\"}, \"credential_uid\": \"f45ea700-61ae-11ee-bb61-0242ac110005\", \"email_addr\": \"Jeana@drill.web\", \"full_name\": \"Lucile Apryl\", \"name\": \"Genres\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"f45e9cb0-61ae-11ee-b849-0242ac110005\"}}, \"pid\": 65, \"sandbox\": \"ut metropolitan adjacent\", \"session\": {\"created_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T05:37:34.710191Z\", \"is_remote\": true, \"uid\": \"f45e805e-61ae-11ee-90d6-0242ac110005\"}, \"terminated_time_dt\": \"2023-10-03T05:37:34.711553Z\", \"uid\": \"f45e7546-61ae-11ee-ab37-0242ac110005\", \"user\": {\"account\": {\"name\": \"wireless trains wave\", \"type\": \"Linux Account\", \"type_id\": 9, \"uid\": \"f45e6eb6-61ae-11ee-9f44-0242ac110005\"}, \"credential_uid\": \"f45e7230-61ae-11ee-a271-0242ac110005\", \"full_name\": \"Rosamaria Norberto\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"f45e68d0-61ae-11ee-a6d3-0242ac110005\"}}, \"pid\": 39, \"user\": {\"name\": \"Mice\", \"type\": \"scoring\", \"type_id\": 99, \"uid\": \"f45e1f4c-61ae-11ee-bd4f-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 26, \"terminated_time\": 1695272181548, 
\"terminated_time_dt\": \"2023-10-03T05:37:34.711582Z\", \"user\": {\"account\": {\"name\": \"engines robot c\", \"uid\": \"f45e05fc-61ae-11ee-bdef-0242ac110005\"}, \"name\": \"Qualities\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"f45e00c0-61ae-11ee-b4f1-0242ac110005\", \"uid_alt\": \"pathology ordinary ep\"}}, \"pid\": 17, \"sandbox\": \"dans ip tours\", \"uid\": \"f45de978-61ae-11ee-af82-0242ac110005\", \"user\": {\"credential_uid\": \"f45de554-61ae-11ee-bc44-0242ac110005\", \"name\": \"Requires\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"f45de0e0-61ae-11ee-88a9-0242ac110005\", \"uid_alt\": \"monica includes treating\"}}, \"pid\": 26, \"terminated_time\": 1695272181548, \"terminated_time_dt\": \"2023-10-03T05:37:34.711596Z\", \"user\": {\"name\": \"Cardiovascular\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"f45db58e-61ae-11ee-b50c-0242ac110005\", \"uid_alt\": \"sn exception got\"}}, \"pid\": 38, \"terminated_time_dt\": \"2023-10-03T05:37:34.711606Z\"}, \"pid\": 59, \"terminated_time\": 1695272181548, \"tid\": 63, \"uid\": \"f45d835c-61ae-11ee-a0b4-0242ac110005\", \"user\": {\"account\": {\"name\": \"cycles beast pierce\", \"type\": \"Azure AD Account\", \"type_id\": 6, \"uid\": \"f45d7e20-61ae-11ee-9be4-0242ac110005\"}, \"groups\": [{\"name\": \"gamecube sunday foster\", \"privileges\": [\"ceiling pulling chapter\", \"advise lung transparent\"], \"uid\": \"f45d6750-61ae-11ee-bb59-0242ac110005\"}, {\"name\": \"skins korea bubble\", \"privileges\": [\"harbor syracuse quantities\"], \"type\": \"annie rn pot\", \"uid\": \"f45d710a-61ae-11ee-a1f1-0242ac110005\"}], \"name\": \"Dis\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"f45d6034-61ae-11ee-9b9d-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 7, \"uid\": \"f45d3a46-61ae-11ee-89e2-0242ac110005\", \"user\": {\"credential_uid\": \"f45d3654-61ae-11ee-a013-0242ac110005\", \"name\": \"Overall\", \"org\": {\"name\": \"antique crawford mug\", \"ou_name\": \"maximize tx tide\", \"uid\": 
\"f45d3226-61ae-11ee-b3e9-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"f45d2c18-61ae-11ee-8f99-0242ac110005\", \"uid_alt\": \"areas attachment guy\"}, \"xattributes\": {}}, \"pid\": 43, \"terminated_time_dt\": \"2023-10-03T05:37:34.711638Z\", \"uid\": \"f45d16ba-61ae-11ee-b515-0242ac110005\", \"user\": {\"domain\": \"funky valentine attached\", \"name\": \"Opt\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"f45d1192-61ae-11ee-805a-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 45, \"sandbox\": \"brunette christ monetary\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711652Z\", \"uid\": \"f45cc066-61ae-11ee-b149-0242ac110005\", \"user\": {\"account\": {\"name\": \"pen favors essential\", \"type\": \"AWS Account\", \"type_id\": 10, \"uid\": \"f45cb6ac-61ae-11ee-89fb-0242ac110005\"}, \"credential_uid\": \"f45cba58-61ae-11ee-8137-0242ac110005\", \"email_addr\": \"Moira@upset.nato\", \"full_name\": \"Livia Ji\", \"name\": \"Manufacturing\", \"org\": {\"name\": \"way pros ddr\", \"ou_name\": \"reliability poultry devices\", \"uid\": \"f45cafa4-61ae-11ee-af8c-0242ac110005\"}, \"type\": \"united\", \"type_id\": 99, \"uid\": \"f45ca0ea-61ae-11ee-8476-0242ac110005\"}}, \"pid\": 43, \"terminated_time\": 1695272181548, \"uid\": \"f45c71a6-61ae-11ee-9f7b-0242ac110005\", \"user\": {\"name\": \"Duck\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"f45c6dd2-61ae-11ee-9f94-0242ac110005\"}}, \"pid\": 98, \"session\": {\"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.694465Z\", \"credential_uid\": \"f45c1a1c-61ae-11ee-85ba-0242ac110005\", \"expiration_time_dt\": \"2023-10-03T05:37:34.694457Z\", \"is_remote\": false, \"issuer\": \"spec gambling separated\", \"uid\": \"f45c1288-61ae-11ee-ab6a-0242ac110005\", \"uuid\": \"f45c160c-61ae-11ee-b9ea-0242ac110005\"}, \"tid\": 86, \"user\": {\"email_addr\": \"Lilliana@ability.edu\", \"full_name\": \"Marry Dia\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": 
\"f45c0b9e-61ae-11ee-9f3b-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 61, \"uid\": \"f45be042-61ae-11ee-a467-0242ac110005\", \"user\": {\"credential_uid\": \"f45bdcd2-61ae-11ee-a554-0242ac110005\", \"full_name\": \"Rosamaria Mckenzie\", \"name\": \"Presidential\", \"org\": {\"name\": \"setup stolen unexpected\", \"ou_name\": \"iceland threats webcast\", \"uid\": \"f45bd82c-61ae-11ee-9e57-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": \"f45bd110-61ae-11ee-b7e4-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 76, \"uid\": \"f45baed8-61ae-11ee-95e3-0242ac110005\", \"user\": {\"email_addr\": \"Mireille@associate.mobi\", \"full_name\": \"Carin Otha\", \"name\": \"Utc\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"f45ba8fc-61ae-11ee-883d-0242ac110005\"}}, \"user\": {\"account\": {\"name\": \"intensive flash narrative\", \"type\": \"Windows Account\", \"type_id\": 2, \"uid\": \"f45ed32e-61ae-11ee-9aa9-0242ac110005\"}, \"name\": \"We\", \"org\": {\"name\": \"enquiry hottest creations\", \"ou_name\": \"reel metals plain\", \"uid\": \"f45ecb68-61ae-11ee-824c-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"f45ec2a8-61ae-11ee-90fc-0242ac110005\"}}, \"actual_permissions\": 14, \"api\": {\"operation\": \"appraisal disappointed iraqi\", \"request\": {\"uid\": \"f45046ce-61ae-11ee-8a1b-0242ac110005\"}, \"response\": {\"code\": 99, \"error\": \"dash knife stable\", \"error_message\": \"delaware genetic purple\", \"message\": \"julian peninsula bought\"}}, \"attacks\": [{\"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}], \"technique\": {\"name\": \"Additional Cloud Credentials\", \"uid\": \"T1098.001\"}, \"version\": \"12.1\"}, {\"tactics\": [{\"name\": \"Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.\", \"uid\": \"TA0040\"}, {\"name\": \"Command and Control The adversary is trying to communicate with compromised systems 
to control them.\", \"uid\": \"TA0011\"}], \"technique\": {\"name\": \"Credentials in Registry\", \"uid\": \"T1214\"}, \"version\": \"12.1\"}], \"base_address\": \"statements dining gnome\", \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Memory Activity\", \"class_uid\": 1004, \"cloud\": {\"project_uid\": \"f4505768-61ae-11ee-89e9-0242ac110005\", \"provider\": \"christian studies pioneer\", \"region\": \"increased competitors sparc\"}, \"device\": {\"created_time\": 1695272181548, \"first_seen_time\": 1695272181548, \"hostname\": \"phd.nato\", \"image\": {\"name\": \"leader mind compliant\", \"uid\": \"f450e20a-61ae-11ee-959b-0242ac110005\"}, \"instance_uid\": \"f450c02c-61ae-11ee-a04e-0242ac110005\", \"interface_name\": \"adaptive survivor nickname\", \"interface_uid\": \"f450dada-61ae-11ee-9e5c-0242ac110005\", \"is_trusted\": false, \"last_seen_time\": 1695272181548, \"location\": {\"city\": \"Stephanie hence\", \"continent\": \"Asia\", \"coordinates\": [161.2949, 22.9251], \"country\": \"TW\", \"desc\": \"Taiwan\"}, \"name\": \"repeated sip distance\", \"org\": {\"name\": \"gratuit book virtually\", \"ou_name\": \"profit plug fioricet\", \"uid\": \"f4507856-61ae-11ee-b34b-0242ac110005\"}, \"region\": \"debut instruments alphabetical\", \"risk_level\": \"thomson shanghai foreign\", \"subnet_uid\": \"f450b6fe-61ae-11ee-aa6c-0242ac110005\", \"type\": \"Server\", \"type_id\": 1, \"uid\": \"f450d454-61ae-11ee-b232-0242ac110005\"}, \"disposition\": \"Deleted\", \"disposition_id\": 5, \"message\": \"door lotus aol\", \"metadata\": {\"log_name\": \"trademarks wishing accreditation\", \"log_provider\": \"manual equivalent detroit\", \"logged_time\": 1695272181548, \"original_time\": \"protection velvet propose\", \"product\": {\"feature\": {\"name\": \"wish quest practitioners\", \"uid\": \"f4506a32-61ae-11ee-a6bb-0242ac110005\", \"version\": \"1.0.0\"}, \"lang\": \"en\", \"name\": \"asbestos settings medication\", \"uid\": 
\"f4506410-61ae-11ee-a485-0242ac110005\", \"vendor_name\": \"evaluations belly reception\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"sequence\": 35, \"version\": \"1.0.0\"}, \"severity\": \"Critical\", \"severity_id\": 5, \"status_code\": \"registry\", \"time\": 1695272181548, \"time_dt\": \"2023-10-03T05:37:34.712339Z\", \"timezone_offset\": 26, \"type_name\": \"Memory Activity: Allocate Page\", \"type_uid\": 100401}"
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_system_activity_5.json b/OCSF/ocsf/tests/test_system_activity_5.json
new file mode 100644
index 000000000..ef9126b9c
--- /dev/null
+++ b/OCSF/ocsf/tests/test_system_activity_5.json
@@ -0,0 +1,33 @@
+{
+ "input": {
+ "message": "{\"message\": \"menu controller plants\", \"module\": {\"file\": {\"name\": \"expiration.cpl\", \"type\": \"Character Device\", \"path\": \"pleased dip spiritual/corresponding.java/expiration.cpl\", \"product\": {\"name\": \"traveling yea espn\", \"version\": \"1.0.0\", \"uid\": \"8b82966a-61b8-11ee-81c7-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"manhattan better posts\"}, \"type_id\": 3, \"parent_folder\": \"pleased dip spiritual/corresponding.java\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"value\": \"795F2AAA00B0D80F2A50C10902A141A3E0AFE3A4BCE0007F213C21994E6AE528B448F2C2F4BDF6C4E1D0AEA3B8396D40A4395AA9730A77E879848BDB750D6468\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"B8C09AA4F584900FEA2DF3DAFBDAF9F0C6E76095BFDBCCF5F0F748D069D706526380A29574124164B0EDC1B56DD8342FC4BF70467A9B6024D999269A45E2A175\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T06:46:13.753318Z\"}, \"base_address\": \"daughters offshore thehun\", \"load_type\": \"Non Standard\", \"load_type_id\": 2, \"start_address\": \"needs some limit\"}, \"status\": \"Unknown\", \"time\": 1695272181548, \"device\": {\"name\": \"assigned daughters creating\", \"type\": \"frontier\", \"os\": {\"name\": \"extreme oct care\", \"type\": \"Android\", \"build\": \"grave pn resist\", \"country\": \"Cuba, Republic of\", \"type_id\": 201, \"sp_ver\": 3}, \"domain\": \"existence conditional pillow\", \"ip\": \"81.2.69.142\", \"hostname\": \"tiles.name\", \"mac\": \"6C:91:94:13:50:61:2E:D4\", \"groups\": [{\"name\": \"ev terminal meals\", \"uid\": \"8b82bf64-61b8-11ee-a83f-0242ac110005\"}, {\"name\": \"born lasting vitamins\", \"uid\": \"8b82c338-61b8-11ee-bf95-0242ac110005\", \"privileges\": [\"sheets loading representative\"]}], \"type_id\": 99, \"hw_info\": {\"cpu_bits\": 95, \"keyboard_info\": {\"keyboard_subtype\": 47}}, \"hypervisor\": 
\"fundraising kerry peer\", \"imei\": \"moderators sentence ordered\", \"instance_uid\": \"8b82c98c-61b8-11ee-ac91-0242ac110005\", \"interface_uid\": \"8b82d0da-61b8-11ee-b450-0242ac110005\", \"modified_time\": 1695272181548, \"network_interfaces\": [{\"name\": \"henderson treasures dv\", \"type\": \"Tunnel\", \"ip\": \"81.2.69.142\", \"hostname\": \"lightbox.gov\", \"mac\": \"57:15:98:E9:35:D3:B3:9A\", \"type_id\": 4}, {\"name\": \"forests designation entire\", \"type\": \"fcc\", \"ip\": \"81.2.69.142\", \"hostname\": \"horizon.biz\", \"uid\": \"8b82b79e-61b8-11ee-a441-0242ac110005\", \"mac\": \"47:B8:F6:D1:B8:90:8C:7F\", \"type_id\": 99}], \"region\": \"slight centers swimming\", \"risk_level\": \"Low\", \"risk_level_id\": 1}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"improving consist portfolio\", \"version\": \"1.0.0\", \"uid\": \"8b82a664-61b8-11ee-bb6e-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"completing watershed poor\"}, \"labels\": [\"moses\"], \"sequence\": 44, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"laboratory instance upon\", \"log_provider\": \"discrimination morrison course\", \"logged_time\": 1695272181548, \"original_time\": \"rights newly filled\"}, \"severity\": \"minutes\", \"api\": {\"request\": {\"uid\": \"8b824fc0-61b8-11ee-b26d-0242ac110005\"}, \"response\": {\"error\": \"three acdbentity sufficient\", \"code\": 99, \"message\": \"myrtle trust resort\"}, \"operation\": \"helena internationally leo\"}, \"disposition\": \"Deleted\", \"type_name\": \"Module Activity: Load\", \"activity_id\": 1, \"disposition_id\": 5, \"type_uid\": 100501, \"category_name\": \"System Activity\", \"class_uid\": 1005, \"category_uid\": 1, \"class_name\": \"Module Activity\", \"timezone_offset\": 8, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}, 
{\"name\": \"Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.\", \"uid\": \"TA0040\"}], \"technique\": {\"name\": \"PowerShell Profile\", \"uid\": \"T1504\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}, {\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Securityd Memory\", \"uid\": \"T1555.002\"}}], \"activity_name\": \"Load\", \"actor\": {\"process\": {\"name\": \"Switzerland\", \"pid\": 8, \"file\": {\"name\": \"administrators.tmp\", \"type\": \"Folder\", \"path\": \"flush faced champagne/cruise.tar.gz/administrators.tmp\", \"desc\": \"computing investors rio\", \"type_id\": 2, \"accessor\": {\"name\": \"Elections\", \"type\": \"distributor\", \"uid\": \"8b82e9d0-61b8-11ee-be3a-0242ac110005\", \"org\": {\"name\": \"ids mercury milan\", \"uid\": \"8b82ef20-61b8-11ee-9b3a-0242ac110005\", \"ou_name\": \"whether eddie investment\"}, \"type_id\": 99, \"credential_uid\": \"8b82f4ca-61b8-11ee-894f-0242ac110005\"}, \"parent_folder\": \"flush faced champagne/cruise.tar.gz\", \"is_system\": false, \"modified_time_dt\": \"2023-10-03T06:46:13.755631Z\"}, \"user\": {\"name\": \"Mechanics\", \"type\": \"System\", \"uid\": \"8b82fc86-61b8-11ee-b5b6-0242ac110005\", \"type_id\": 3}, \"tid\": 12, \"uid\": \"8b830046-61b8-11ee-b4bd-0242ac110005\", \"session\": {\"uid\": \"8b830532-61b8-11ee-bdfd-0242ac110005\", \"issuer\": \"texts advertiser henderson\", \"created_time\": 1695272181548, \"credential_uid\": \"8b830938-61b8-11ee-9d39-0242ac110005\", \"is_remote\": true, \"expiration_time_dt\": \"2023-10-03T06:46:13.756144Z\", \"created_time_dt\": \"2023-10-03T06:46:13.756371Z\"}, \"cmd_line\": \"fame little relax\", \"container\": {\"name\": \"renew angle reject\", \"runtime\": \"annoying remarkable setup\", \"size\": 2132122251, \"uid\": 
\"8b832030-61b8-11ee-816d-0242ac110005\", \"image\": {\"name\": \"babies detective christians\", \"uid\": \"8b8325a8-61b8-11ee-9a88-0242ac110005\", \"labels\": [\"printed\", \"safer\"]}, \"hash\": {\"value\": \"BA691BA042BCEDD9A61A36F5969026BC95859DCCDC7E47F24E6BCE35673BAF2F\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695272181548, \"namespace_pid\": 97, \"parent_process\": {\"name\": \"Containers\", \"pid\": 76, \"file\": {\"name\": \"audi.pspimage\", \"owner\": {\"name\": \"Mastercard\", \"type\": \"Admin\", \"uid\": \"8b833638-61b8-11ee-a13b-0242ac110005\", \"org\": {\"name\": \"qualification twisted australian\", \"uid\": \"8b833dfe-61b8-11ee-a745-0242ac110005\", \"ou_name\": \"franklin nb leslie\"}, \"type_id\": 2}, \"type\": \"Block Device\", \"path\": \"paying represent putting/showing.vob/audi.pspimage\", \"type_id\": 4, \"mime_type\": \"today/uniprotkb\", \"parent_folder\": \"paying represent putting/showing.vob\", \"created_time\": 1695272181548, \"is_system\": false}, \"user\": {\"name\": \"Prep\", \"type\": \"lot\", \"domain\": \"klein greg processing\", \"uid\": \"8b834682-61b8-11ee-8f6a-0242ac110005\", \"type_id\": 99, \"full_name\": \"Franklyn Shantell\"}, \"uid\": \"8b834aba-61b8-11ee-8172-0242ac110005\", \"container\": {\"size\": 388023740, \"uid\": \"8b834fd8-61b8-11ee-8b6a-0242ac110005\", \"hash\": {\"value\": \"1FA53D9A1AEAB5165003DE1755AD56612ABF77A3D033D697439C884637D2DC66DBDFFA147DFDBD69DC6D27340B63C26C93D84C65F59EE3A270CA5BBB1D13613F\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"network_driver\": \"ee australian housewares\"}, \"created_time\": 1695272181548, \"namespace_pid\": 5, \"parent_process\": {\"name\": \"Global\", \"pid\": 30, \"user\": {\"name\": \"Includes\", \"type\": \"System\", \"uid\": \"8b835b7c-61b8-11ee-9c7d-0242ac110005\", \"type_id\": 3, \"account\": {\"name\": \"desk periodic depth\", \"type\": \"Mac OS Account\", \"uid\": \"8b836400-61b8-11ee-9913-0242ac110005\", \"type_id\": 
7}, \"uid_alt\": \"origins demo declaration\"}, \"uid\": \"8b83682e-61b8-11ee-bf60-0242ac110005\", \"session\": {\"uid\": \"8b836dc4-61b8-11ee-aa72-0242ac110005\", \"created_time\": 1695272181548, \"is_remote\": true, \"expiration_time_dt\": \"2023-10-03T06:46:13.758724Z\"}, \"cmd_line\": \"gang spring carlo\", \"container\": {\"name\": \"victims edit minimum\", \"size\": 2069042340, \"uid\": \"8b83744a-61b8-11ee-9c26-0242ac110005\", \"hash\": {\"value\": \"85434F1527CE237329D0B1927EABF9D3\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"integrity\": \"happening\", \"integrity_id\": 99, \"namespace_pid\": 74, \"parent_process\": {\"name\": \"Pilot\", \"file\": {\"name\": \"planner.bak\", \"type\": \"Character Device\", \"path\": \"sony discussion suit/stomach.gif/planner.bak\", \"uid\": \"8b838804-61b8-11ee-a06e-0242ac110005\", \"type_id\": 3, \"accessor\": {\"name\": \"Mathematical\", \"type\": \"System\", \"uid\": \"8b838e30-61b8-11ee-8527-0242ac110005\", \"groups\": [{\"name\": \"ct disposal rent\", \"uid\": \"8b839358-61b8-11ee-a4c0-0242ac110005\"}, {\"name\": \"cruise ancient chemicals\", \"type\": \"spoke life lee\"}], \"type_id\": 3}, \"mime_type\": \"molecules/sharon\", \"parent_folder\": \"sony discussion suit/stomach.gif\", \"hashes\": [{\"value\": \"CA247333484AEB04EFA2DE65A9EC68032CED9ACC7716F9379404EB2422FC65190E0F56D3C2B21505FE722A0CD1D05AF9B8E47B4CB5005B4C4E71C6C5545C775F\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Warner\", \"type\": \"interim\", \"uid\": \"8b83f500-61b8-11ee-9242-0242ac110005\", \"type_id\": 99, \"credential_uid\": \"8b83f94c-61b8-11ee-85e8-0242ac110005\"}, \"tid\": 45, \"uid\": \"8b83fcbc-61b8-11ee-8764-0242ac110005\", \"cmd_line\": \"mm bon estimate\", \"container\": {\"name\": \"separation catalogs vocals\", \"uid\": \"8b8402a2-61b8-11ee-92d4-0242ac110005\", \"image\": {\"uid\": \"8b840af4-61b8-11ee-a7b5-0242ac110005\"}, \"hash\": {\"value\": 
\"CA59BAD8CEAD7A8424AD6823FE6AED5BA7AF4A9FDA854EA5AAB75A41B5369465\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Sleep\", \"pid\": 54, \"user\": {\"name\": \"Edges\", \"type\": \"compute\", \"uid\": \"8b841ca6-61b8-11ee-ac94-0242ac110005\", \"type_id\": 99}, \"uid\": \"8b8424bc-61b8-11ee-aa3b-0242ac110005\", \"session\": {\"is_remote\": true, \"created_time_dt\": \"2023-10-03T06:46:13.763445Z\"}, \"cmd_line\": \"applicable acquire folk\", \"container\": {\"name\": \"businesses suspension across\", \"size\": 2843627610, \"uid\": \"8b842ce6-61b8-11ee-acb2-0242ac110005\", \"image\": {\"name\": \"pressure sixth happen\", \"uid\": \"8b8431e6-61b8-11ee-9576-0242ac110005\"}, \"hash\": {\"value\": \"6B942E2831F972C22E2B0292EA3A8176AB41CD3B\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"orchestrator\": \"theta create impact\"}, \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"lineage\": [\"wires largest stamp\", \"handbook dale photograph\"], \"namespace_pid\": 4, \"parent_process\": {\"name\": \"Lie\", \"pid\": 43, \"file\": {\"name\": \"pottery.java\", \"type\": \"Local Socket\", \"path\": \"revolutionary such regulations/cheaper.ico/pottery.java\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"consensus ownership trainer\", \"issuer\": \"write watts guitars\", \"fingerprints\": [{\"value\": \"EDE381A3419BC1A2ACD00220F23CE82967A8631DB35FDF0122B8A0E43E8768CABDBDC842A83C48138C523D1A56B3F63F03D85756C9BFED7656AE5097479D9A4C\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"AFD38780B76420D3214D2D6D318A6EA972D720518346C2F7339E661205D5F20A5682869DAF56249F9FACD6EDF878C81669184A1D9C736232079EDED66727E297\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"facing wb drinks\", 
\"expiration_time_dt\": \"2023-10-03T06:46:13.764297Z\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3}, \"type_id\": 5, \"parent_folder\": \"revolutionary such regulations/cheaper.ico\", \"hashes\": [{\"value\": \"436DE0B494120DEC66B218D7D67AE5FC65841DA47A5D5A6044D76AE7CD0D793736DCAD5FA9C579A8C53310FA0B70225BB8C079A2E5BEDB5F6F48176972572F1C\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Wrapping\", \"type\": \"Unknown\", \"domain\": \"continuity cases issues\", \"uid\": \"8b8452de-61b8-11ee-9b3c-0242ac110005\", \"groups\": [{\"name\": \"protein lightweight complications\", \"type\": \"samsung knowledgestorm ppm\", \"uid\": \"8b8458ba-61b8-11ee-9ec2-0242ac110005\"}, {\"name\": \"spyware expensive partnerships\", \"type\": \"lcd moore th\"}], \"type_id\": 0, \"account\": {\"name\": \"chrome ones leeds\", \"type\": \"AWS IAM User\", \"type_id\": 3}, \"uid_alt\": \"mpegs eric ky\"}, \"session\": {\"uid\": \"8b8460c6-61b8-11ee-9def-0242ac110005\", \"issuer\": \"fun tomorrow antibodies\", \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"is_remote\": false, \"expiration_time_dt\": \"2023-10-03T06:46:13.764963Z\", \"created_time_dt\": \"2023-10-03T06:46:13.764972Z\"}, \"cmd_line\": \"packs maximum audit\", \"container\": {\"name\": \"hotmail midlands ripe\", \"size\": 860474369, \"uid\": \"8b847c96-61b8-11ee-99b1-0242ac110005\", \"image\": {\"name\": \"letter fri mauritius\", \"uid\": \"8b84825e-61b8-11ee-a5b5-0242ac110005\", \"labels\": [\"clouds\"]}, \"hash\": {\"value\": \"799904B20F1174F01C0D2DD87C57E097\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"created_time\": 1695272181548, \"namespace_pid\": 45, \"parent_process\": {\"name\": \"Homepage\", \"pid\": 78, \"file\": {\"attributes\": 57, \"name\": \"pledge.ini\", \"type\": \"Character Device\", \"path\": \"internationally remedies back/his.cgi/pledge.ini\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"portugal motel preserve\", 
\"issuer\": \"rocket separation opponent\", \"fingerprints\": [{\"value\": \"F72B1ED0BD7D6BE65211FA1606D1DE35F225DE73CB524C01380509CCE5B6F8F8DDE81A0B0AB6F5ECE9A7E651DD7D0C19DB365A83C018B747DA5B0A79259F3547\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"AEAA2CEC33E27D65690E726E1710D3F4A99A2BF0AE9A3BD9087488F1DFB4D38D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"edinburgh responsible supervisor\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"desc\": \"syracuse until as\", \"type_id\": 3, \"company_name\": \"Elenore Jeanetta\", \"parent_folder\": \"internationally remedies back/his.cgi\", \"confidentiality\": \"hitachi shaw tension\", \"hashes\": [{\"value\": \"8A8173677F164DD2E2CF83BEA2A42A8B\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"6B70D921D9E8DCF0F08A73F508E5D19D274B58D8AC2E29049A23B62D1988C1028A8ECBA2485531BBD6B7AEE51EA822578E859759F8FFC4818023EFD47ABC9C4D\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"security_descriptor\": \"lower cable requiring\", \"created_time_dt\": \"2023-10-03T06:46:13.766258Z\", \"accessed_time_dt\": \"2023-10-03T06:46:13.766265Z\"}, \"user\": {\"name\": \"Lauderdale\", \"type\": \"User\", \"uid\": \"8b84a6e4-61b8-11ee-b1fe-0242ac110005\", \"type_id\": 1, \"uid_alt\": \"venezuela path passing\"}, \"uid\": \"8b84ac48-61b8-11ee-97d9-0242ac110005\", \"session\": {\"uid\": \"8b84b562-61b8-11ee-a0d1-0242ac110005\", \"uuid\": \"8b84bbd4-61b8-11ee-8f0e-0242ac110005\", \"issuer\": \"gel submissions finite\", \"created_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T06:46:13.767292Z\", \"created_time_dt\": \"2023-10-03T06:46:13.767299Z\"}, \"cmd_line\": \"prior angry workers\", \"container\": {\"name\": \"horrible scroll del\", \"size\": 870541982, \"uid\": \"8b84c7c8-61b8-11ee-b0ff-0242ac110005\", \"image\": {\"name\": \"expenses pdt conditioning\", \"tag\": \"recognition albania curtis\", 
\"path\": \"valentine corp gcc\", \"uid\": \"8b84d204-61b8-11ee-8eb1-0242ac110005\"}, \"hash\": {\"value\": \"B413223A2BB7E91D5C6E244B77A2392BA017906B615F3CDF4BA192FE568C7738ADE3E24CAA9273F592169D682882DAC5E0DF8975B0FDB3859FB69A175B815724\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"pod_uuid\": \"gift\"}, \"created_time\": 1695272181548, \"namespace_pid\": 94}, \"sandbox\": \"holmes guess hyundai\", \"created_time_dt\": \"2023-10-03T06:46:13.768070Z\"}}, \"sandbox\": \"mothers equipped enquiry\"}}}, \"terminated_time\": 1695272181548}, \"user\": {\"name\": \"Cookies\", \"type\": \"load\", \"uid\": \"8b84f59a-61b8-11ee-8275-0242ac110005\", \"type_id\": 99, \"full_name\": \"Regan Loise\", \"uid_alt\": \"dawn but titles\"}, \"invoked_by\": \"pantyhose macedonia retained\"}, \"cloud\": {\"account\": {\"name\": \"abroad takes controversy\", \"type\": \"AWS Account\", \"uid\": \"8b82630c-61b8-11ee-a1c3-0242ac110005\", \"type_id\": 10}, \"project_uid\": \"8b82679e-61b8-11ee-9ed4-0242ac110005\", \"provider\": \"translate be cabinets\", \"region\": \"trap wood power\"}, \"malware\": [{\"name\": \"generally insight ee\", \"path\": \"jc possess fibre\", \"classification_ids\": [17, 2], \"classifications\": [\"ontario amsterdam archived\", \"newfoundland norman eddie\"], \"provider\": \"singapore flexible casino\"}, {\"name\": \"illustrated lending requirements\", \"path\": \"cho basket ul\", \"uid\": \"8b8272c0-61b8-11ee-90e5-0242ac110005\", \"classification_ids\": [16, 5], \"cves\": [{\"type\": \"graphical acm salt\", \"uid\": \"8b827964-61b8-11ee-822b-0242ac110005\", \"created_time\": 1695272181548, \"modified_time\": 1695272181548, \"modified_time_dt\": \"2023-10-03T06:46:13.752477Z\"}], \"provider\": \"goods fitting latter\"}], \"severity_id\": 99, \"status_id\": 0}", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"message\": \"menu controller plants\", 
\"module\": {\"file\": {\"name\": \"expiration.cpl\", \"type\": \"Character Device\", \"path\": \"pleased dip spiritual/corresponding.java/expiration.cpl\", \"product\": {\"name\": \"traveling yea espn\", \"version\": \"1.0.0\", \"uid\": \"8b82966a-61b8-11ee-81c7-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"manhattan better posts\"}, \"type_id\": 3, \"parent_folder\": \"pleased dip spiritual/corresponding.java\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"value\": \"795F2AAA00B0D80F2A50C10902A141A3E0AFE3A4BCE0007F213C21994E6AE528B448F2C2F4BDF6C4E1D0AEA3B8396D40A4395AA9730A77E879848BDB750D6468\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"B8C09AA4F584900FEA2DF3DAFBDAF9F0C6E76095BFDBCCF5F0F748D069D706526380A29574124164B0EDC1B56DD8342FC4BF70467A9B6024D999269A45E2A175\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T06:46:13.753318Z\"}, \"base_address\": \"daughters offshore thehun\", \"load_type\": \"Non Standard\", \"load_type_id\": 2, \"start_address\": \"needs some limit\"}, \"status\": \"Unknown\", \"time\": 1695272181548, \"device\": {\"name\": \"assigned daughters creating\", \"type\": \"frontier\", \"os\": {\"name\": \"extreme oct care\", \"type\": \"Android\", \"build\": \"grave pn resist\", \"country\": \"Cuba, Republic of\", \"type_id\": 201, \"sp_ver\": 3}, \"domain\": \"existence conditional pillow\", \"ip\": \"81.2.69.142\", \"hostname\": \"tiles.name\", \"mac\": \"6C:91:94:13:50:61:2E:D4\", \"groups\": [{\"name\": \"ev terminal meals\", \"uid\": \"8b82bf64-61b8-11ee-a83f-0242ac110005\"}, {\"name\": \"born lasting vitamins\", \"uid\": \"8b82c338-61b8-11ee-bf95-0242ac110005\", \"privileges\": [\"sheets loading representative\"]}], \"type_id\": 99, \"hw_info\": {\"cpu_bits\": 95, \"keyboard_info\": {\"keyboard_subtype\": 47}}, \"hypervisor\": \"fundraising kerry peer\", \"imei\": \"moderators sentence ordered\", \"instance_uid\": 
\"8b82c98c-61b8-11ee-ac91-0242ac110005\", \"interface_uid\": \"8b82d0da-61b8-11ee-b450-0242ac110005\", \"modified_time\": 1695272181548, \"network_interfaces\": [{\"name\": \"henderson treasures dv\", \"type\": \"Tunnel\", \"ip\": \"81.2.69.142\", \"hostname\": \"lightbox.gov\", \"mac\": \"57:15:98:E9:35:D3:B3:9A\", \"type_id\": 4}, {\"name\": \"forests designation entire\", \"type\": \"fcc\", \"ip\": \"81.2.69.142\", \"hostname\": \"horizon.biz\", \"uid\": \"8b82b79e-61b8-11ee-a441-0242ac110005\", \"mac\": \"47:B8:F6:D1:B8:90:8C:7F\", \"type_id\": 99}], \"region\": \"slight centers swimming\", \"risk_level\": \"Low\", \"risk_level_id\": 1}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"improving consist portfolio\", \"version\": \"1.0.0\", \"uid\": \"8b82a664-61b8-11ee-bb6e-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"completing watershed poor\"}, \"labels\": [\"moses\"], \"sequence\": 44, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"laboratory instance upon\", \"log_provider\": \"discrimination morrison course\", \"logged_time\": 1695272181548, \"original_time\": \"rights newly filled\"}, \"severity\": \"minutes\", \"api\": {\"request\": {\"uid\": \"8b824fc0-61b8-11ee-b26d-0242ac110005\"}, \"response\": {\"error\": \"three acdbentity sufficient\", \"code\": 99, \"message\": \"myrtle trust resort\"}, \"operation\": \"helena internationally leo\"}, \"disposition\": \"Deleted\", \"type_name\": \"Module Activity: Load\", \"activity_id\": 1, \"disposition_id\": 5, \"type_uid\": 100501, \"category_name\": \"System Activity\", \"class_uid\": 1005, \"category_uid\": 1, \"class_name\": \"Module Activity\", \"timezone_offset\": 8, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}, {\"name\": \"Impact | The adversary is trying to manipulate, interrupt, or destroy your 
systems and data.\", \"uid\": \"TA0040\"}], \"technique\": {\"name\": \"PowerShell Profile\", \"uid\": \"T1504\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}, {\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Securityd Memory\", \"uid\": \"T1555.002\"}}], \"activity_name\": \"Load\", \"actor\": {\"process\": {\"name\": \"Switzerland\", \"pid\": 8, \"file\": {\"name\": \"administrators.tmp\", \"type\": \"Folder\", \"path\": \"flush faced champagne/cruise.tar.gz/administrators.tmp\", \"desc\": \"computing investors rio\", \"type_id\": 2, \"accessor\": {\"name\": \"Elections\", \"type\": \"distributor\", \"uid\": \"8b82e9d0-61b8-11ee-be3a-0242ac110005\", \"org\": {\"name\": \"ids mercury milan\", \"uid\": \"8b82ef20-61b8-11ee-9b3a-0242ac110005\", \"ou_name\": \"whether eddie investment\"}, \"type_id\": 99, \"credential_uid\": \"8b82f4ca-61b8-11ee-894f-0242ac110005\"}, \"parent_folder\": \"flush faced champagne/cruise.tar.gz\", \"is_system\": false, \"modified_time_dt\": \"2023-10-03T06:46:13.755631Z\"}, \"user\": {\"name\": \"Mechanics\", \"type\": \"System\", \"uid\": \"8b82fc86-61b8-11ee-b5b6-0242ac110005\", \"type_id\": 3}, \"tid\": 12, \"uid\": \"8b830046-61b8-11ee-b4bd-0242ac110005\", \"session\": {\"uid\": \"8b830532-61b8-11ee-bdfd-0242ac110005\", \"issuer\": \"texts advertiser henderson\", \"created_time\": 1695272181548, \"credential_uid\": \"8b830938-61b8-11ee-9d39-0242ac110005\", \"is_remote\": true, \"expiration_time_dt\": \"2023-10-03T06:46:13.756144Z\", \"created_time_dt\": \"2023-10-03T06:46:13.756371Z\"}, \"cmd_line\": \"fame little relax\", \"container\": {\"name\": \"renew angle reject\", \"runtime\": \"annoying remarkable setup\", \"size\": 2132122251, \"uid\": \"8b832030-61b8-11ee-816d-0242ac110005\", \"image\": {\"name\": \"babies detective christians\", 
\"uid\": \"8b8325a8-61b8-11ee-9a88-0242ac110005\", \"labels\": [\"printed\", \"safer\"]}, \"hash\": {\"value\": \"BA691BA042BCEDD9A61A36F5969026BC95859DCCDC7E47F24E6BCE35673BAF2F\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695272181548, \"namespace_pid\": 97, \"parent_process\": {\"name\": \"Containers\", \"pid\": 76, \"file\": {\"name\": \"audi.pspimage\", \"owner\": {\"name\": \"Mastercard\", \"type\": \"Admin\", \"uid\": \"8b833638-61b8-11ee-a13b-0242ac110005\", \"org\": {\"name\": \"qualification twisted australian\", \"uid\": \"8b833dfe-61b8-11ee-a745-0242ac110005\", \"ou_name\": \"franklin nb leslie\"}, \"type_id\": 2}, \"type\": \"Block Device\", \"path\": \"paying represent putting/showing.vob/audi.pspimage\", \"type_id\": 4, \"mime_type\": \"today/uniprotkb\", \"parent_folder\": \"paying represent putting/showing.vob\", \"created_time\": 1695272181548, \"is_system\": false}, \"user\": {\"name\": \"Prep\", \"type\": \"lot\", \"domain\": \"klein greg processing\", \"uid\": \"8b834682-61b8-11ee-8f6a-0242ac110005\", \"type_id\": 99, \"full_name\": \"Franklyn Shantell\"}, \"uid\": \"8b834aba-61b8-11ee-8172-0242ac110005\", \"container\": {\"size\": 388023740, \"uid\": \"8b834fd8-61b8-11ee-8b6a-0242ac110005\", \"hash\": {\"value\": \"1FA53D9A1AEAB5165003DE1755AD56612ABF77A3D033D697439C884637D2DC66DBDFFA147DFDBD69DC6D27340B63C26C93D84C65F59EE3A270CA5BBB1D13613F\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"network_driver\": \"ee australian housewares\"}, \"created_time\": 1695272181548, \"namespace_pid\": 5, \"parent_process\": {\"name\": \"Global\", \"pid\": 30, \"user\": {\"name\": \"Includes\", \"type\": \"System\", \"uid\": \"8b835b7c-61b8-11ee-9c7d-0242ac110005\", \"type_id\": 3, \"account\": {\"name\": \"desk periodic depth\", \"type\": \"Mac OS Account\", \"uid\": \"8b836400-61b8-11ee-9913-0242ac110005\", \"type_id\": 7}, \"uid_alt\": \"origins demo declaration\"}, \"uid\": \"8b83682e-61b8-11ee-bf60-0242ac110005\", 
\"session\": {\"uid\": \"8b836dc4-61b8-11ee-aa72-0242ac110005\", \"created_time\": 1695272181548, \"is_remote\": true, \"expiration_time_dt\": \"2023-10-03T06:46:13.758724Z\"}, \"cmd_line\": \"gang spring carlo\", \"container\": {\"name\": \"victims edit minimum\", \"size\": 2069042340, \"uid\": \"8b83744a-61b8-11ee-9c26-0242ac110005\", \"hash\": {\"value\": \"85434F1527CE237329D0B1927EABF9D3\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"integrity\": \"happening\", \"integrity_id\": 99, \"namespace_pid\": 74, \"parent_process\": {\"name\": \"Pilot\", \"file\": {\"name\": \"planner.bak\", \"type\": \"Character Device\", \"path\": \"sony discussion suit/stomach.gif/planner.bak\", \"uid\": \"8b838804-61b8-11ee-a06e-0242ac110005\", \"type_id\": 3, \"accessor\": {\"name\": \"Mathematical\", \"type\": \"System\", \"uid\": \"8b838e30-61b8-11ee-8527-0242ac110005\", \"groups\": [{\"name\": \"ct disposal rent\", \"uid\": \"8b839358-61b8-11ee-a4c0-0242ac110005\"}, {\"name\": \"cruise ancient chemicals\", \"type\": \"spoke life lee\"}], \"type_id\": 3}, \"mime_type\": \"molecules/sharon\", \"parent_folder\": \"sony discussion suit/stomach.gif\", \"hashes\": [{\"value\": \"CA247333484AEB04EFA2DE65A9EC68032CED9ACC7716F9379404EB2422FC65190E0F56D3C2B21505FE722A0CD1D05AF9B8E47B4CB5005B4C4E71C6C5545C775F\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Warner\", \"type\": \"interim\", \"uid\": \"8b83f500-61b8-11ee-9242-0242ac110005\", \"type_id\": 99, \"credential_uid\": \"8b83f94c-61b8-11ee-85e8-0242ac110005\"}, \"tid\": 45, \"uid\": \"8b83fcbc-61b8-11ee-8764-0242ac110005\", \"cmd_line\": \"mm bon estimate\", \"container\": {\"name\": \"separation catalogs vocals\", \"uid\": \"8b8402a2-61b8-11ee-92d4-0242ac110005\", \"image\": {\"uid\": \"8b840af4-61b8-11ee-a7b5-0242ac110005\"}, \"hash\": {\"value\": \"CA59BAD8CEAD7A8424AD6823FE6AED5BA7AF4A9FDA854EA5AAB75A41B5369465\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 
1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Sleep\", \"pid\": 54, \"user\": {\"name\": \"Edges\", \"type\": \"compute\", \"uid\": \"8b841ca6-61b8-11ee-ac94-0242ac110005\", \"type_id\": 99}, \"uid\": \"8b8424bc-61b8-11ee-aa3b-0242ac110005\", \"session\": {\"is_remote\": true, \"created_time_dt\": \"2023-10-03T06:46:13.763445Z\"}, \"cmd_line\": \"applicable acquire folk\", \"container\": {\"name\": \"businesses suspension across\", \"size\": 2843627610, \"uid\": \"8b842ce6-61b8-11ee-acb2-0242ac110005\", \"image\": {\"name\": \"pressure sixth happen\", \"uid\": \"8b8431e6-61b8-11ee-9576-0242ac110005\"}, \"hash\": {\"value\": \"6B942E2831F972C22E2B0292EA3A8176AB41CD3B\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"orchestrator\": \"theta create impact\"}, \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"lineage\": [\"wires largest stamp\", \"handbook dale photograph\"], \"namespace_pid\": 4, \"parent_process\": {\"name\": \"Lie\", \"pid\": 43, \"file\": {\"name\": \"pottery.java\", \"type\": \"Local Socket\", \"path\": \"revolutionary such regulations/cheaper.ico/pottery.java\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"consensus ownership trainer\", \"issuer\": \"write watts guitars\", \"fingerprints\": [{\"value\": \"EDE381A3419BC1A2ACD00220F23CE82967A8631DB35FDF0122B8A0E43E8768CABDBDC842A83C48138C523D1A56B3F63F03D85756C9BFED7656AE5097479D9A4C\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"AFD38780B76420D3214D2D6D318A6EA972D720518346C2F7339E661205D5F20A5682869DAF56249F9FACD6EDF878C81669184A1D9C736232079EDED66727E297\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"facing wb drinks\", \"expiration_time_dt\": \"2023-10-03T06:46:13.764297Z\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3}, \"type_id\": 5, \"parent_folder\": \"revolutionary 
such regulations/cheaper.ico\", \"hashes\": [{\"value\": \"436DE0B494120DEC66B218D7D67AE5FC65841DA47A5D5A6044D76AE7CD0D793736DCAD5FA9C579A8C53310FA0B70225BB8C079A2E5BEDB5F6F48176972572F1C\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Wrapping\", \"type\": \"Unknown\", \"domain\": \"continuity cases issues\", \"uid\": \"8b8452de-61b8-11ee-9b3c-0242ac110005\", \"groups\": [{\"name\": \"protein lightweight complications\", \"type\": \"samsung knowledgestorm ppm\", \"uid\": \"8b8458ba-61b8-11ee-9ec2-0242ac110005\"}, {\"name\": \"spyware expensive partnerships\", \"type\": \"lcd moore th\"}], \"type_id\": 0, \"account\": {\"name\": \"chrome ones leeds\", \"type\": \"AWS IAM User\", \"type_id\": 3}, \"uid_alt\": \"mpegs eric ky\"}, \"session\": {\"uid\": \"8b8460c6-61b8-11ee-9def-0242ac110005\", \"issuer\": \"fun tomorrow antibodies\", \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"is_remote\": false, \"expiration_time_dt\": \"2023-10-03T06:46:13.764963Z\", \"created_time_dt\": \"2023-10-03T06:46:13.764972Z\"}, \"cmd_line\": \"packs maximum audit\", \"container\": {\"name\": \"hotmail midlands ripe\", \"size\": 860474369, \"uid\": \"8b847c96-61b8-11ee-99b1-0242ac110005\", \"image\": {\"name\": \"letter fri mauritius\", \"uid\": \"8b84825e-61b8-11ee-a5b5-0242ac110005\", \"labels\": [\"clouds\"]}, \"hash\": {\"value\": \"799904B20F1174F01C0D2DD87C57E097\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"created_time\": 1695272181548, \"namespace_pid\": 45, \"parent_process\": {\"name\": \"Homepage\", \"pid\": 78, \"file\": {\"attributes\": 57, \"name\": \"pledge.ini\", \"type\": \"Character Device\", \"path\": \"internationally remedies back/his.cgi/pledge.ini\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"portugal motel preserve\", \"issuer\": \"rocket separation opponent\", \"fingerprints\": [{\"value\": 
\"F72B1ED0BD7D6BE65211FA1606D1DE35F225DE73CB524C01380509CCE5B6F8F8DDE81A0B0AB6F5ECE9A7E651DD7D0C19DB365A83C018B747DA5B0A79259F3547\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"AEAA2CEC33E27D65690E726E1710D3F4A99A2BF0AE9A3BD9087488F1DFB4D38D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"edinburgh responsible supervisor\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"desc\": \"syracuse until as\", \"type_id\": 3, \"company_name\": \"Elenore Jeanetta\", \"parent_folder\": \"internationally remedies back/his.cgi\", \"confidentiality\": \"hitachi shaw tension\", \"hashes\": [{\"value\": \"8A8173677F164DD2E2CF83BEA2A42A8B\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"6B70D921D9E8DCF0F08A73F508E5D19D274B58D8AC2E29049A23B62D1988C1028A8ECBA2485531BBD6B7AEE51EA822578E859759F8FFC4818023EFD47ABC9C4D\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"security_descriptor\": \"lower cable requiring\", \"created_time_dt\": \"2023-10-03T06:46:13.766258Z\", \"accessed_time_dt\": \"2023-10-03T06:46:13.766265Z\"}, \"user\": {\"name\": \"Lauderdale\", \"type\": \"User\", \"uid\": \"8b84a6e4-61b8-11ee-b1fe-0242ac110005\", \"type_id\": 1, \"uid_alt\": \"venezuela path passing\"}, \"uid\": \"8b84ac48-61b8-11ee-97d9-0242ac110005\", \"session\": {\"uid\": \"8b84b562-61b8-11ee-a0d1-0242ac110005\", \"uuid\": \"8b84bbd4-61b8-11ee-8f0e-0242ac110005\", \"issuer\": \"gel submissions finite\", \"created_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T06:46:13.767292Z\", \"created_time_dt\": \"2023-10-03T06:46:13.767299Z\"}, \"cmd_line\": \"prior angry workers\", \"container\": {\"name\": \"horrible scroll del\", \"size\": 870541982, \"uid\": \"8b84c7c8-61b8-11ee-b0ff-0242ac110005\", \"image\": {\"name\": \"expenses pdt conditioning\", \"tag\": \"recognition albania curtis\", \"path\": \"valentine corp gcc\", \"uid\": 
\"8b84d204-61b8-11ee-8eb1-0242ac110005\"}, \"hash\": {\"value\": \"B413223A2BB7E91D5C6E244B77A2392BA017906B615F3CDF4BA192FE568C7738ADE3E24CAA9273F592169D682882DAC5E0DF8975B0FDB3859FB69A175B815724\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"pod_uuid\": \"gift\"}, \"created_time\": 1695272181548, \"namespace_pid\": 94}, \"sandbox\": \"holmes guess hyundai\", \"created_time_dt\": \"2023-10-03T06:46:13.768070Z\"}}, \"sandbox\": \"mothers equipped enquiry\"}}}, \"terminated_time\": 1695272181548}, \"user\": {\"name\": \"Cookies\", \"type\": \"load\", \"uid\": \"8b84f59a-61b8-11ee-8275-0242ac110005\", \"type_id\": 99, \"full_name\": \"Regan Loise\", \"uid_alt\": \"dawn but titles\"}, \"invoked_by\": \"pantyhose macedonia retained\"}, \"cloud\": {\"account\": {\"name\": \"abroad takes controversy\", \"type\": \"AWS Account\", \"uid\": \"8b82630c-61b8-11ee-a1c3-0242ac110005\", \"type_id\": 10}, \"project_uid\": \"8b82679e-61b8-11ee-9ed4-0242ac110005\", \"provider\": \"translate be cabinets\", \"region\": \"trap wood power\"}, \"malware\": [{\"name\": \"generally insight ee\", \"path\": \"jc possess fibre\", \"classification_ids\": [17, 2], \"classifications\": [\"ontario amsterdam archived\", \"newfoundland norman eddie\"], \"provider\": \"singapore flexible casino\"}, {\"name\": \"illustrated lending requirements\", \"path\": \"cho basket ul\", \"uid\": \"8b8272c0-61b8-11ee-90e5-0242ac110005\", \"classification_ids\": [16, 5], \"cves\": [{\"type\": \"graphical acm salt\", \"uid\": \"8b827964-61b8-11ee-822b-0242ac110005\", \"created_time\": 1695272181548, \"modified_time\": 1695272181548, \"modified_time_dt\": \"2023-10-03T06:46:13.752477Z\"}], \"provider\": \"goods fitting latter\"}], \"severity_id\": 99, \"status_id\": 0}", + "event": { + "action": "load", + "outcome": "unknown", + "provider": "discrimination morrison course", + "sequence": 44, + "severity": 99 + }, + "cloud": { + "account": { + "id": "8b82630c-61b8-11ee-a1c3-0242ac110005", + "name": 
"abroad takes controversy" + }, + "project": { + "id": "8b82679e-61b8-11ee-9ed4-0242ac110005" + }, + "provider": "translate be cabinets", + "region": "trap wood power" + }, + "ocsf": "{\"activity_id\": 1, \"activity_name\": \"Load\", \"actor\": {\"invoked_by\": \"pantyhose macedonia retained\", \"process\": {\"cmd_line\": \"fame little relax\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"BA691BA042BCEDD9A61A36F5969026BC95859DCCDC7E47F24E6BCE35673BAF2F\"}, \"image\": {\"labels\": [\"printed\", \"safer\"], \"name\": \"babies detective christians\", \"uid\": \"8b8325a8-61b8-11ee-9a88-0242ac110005\"}, \"name\": \"renew angle reject\", \"runtime\": \"annoying remarkable setup\", \"size\": 2132122251, \"uid\": \"8b832030-61b8-11ee-816d-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessor\": {\"credential_uid\": \"8b82f4ca-61b8-11ee-894f-0242ac110005\", \"name\": \"Elections\", \"org\": {\"name\": \"ids mercury milan\", \"ou_name\": \"whether eddie investment\", \"uid\": \"8b82ef20-61b8-11ee-9b3a-0242ac110005\"}, \"type\": \"distributor\", \"type_id\": 99, \"uid\": \"8b82e9d0-61b8-11ee-be3a-0242ac110005\"}, \"desc\": \"computing investors rio\", \"is_system\": false, \"modified_time_dt\": \"2023-10-03T06:46:13.755631Z\", \"name\": \"administrators.tmp\", \"parent_folder\": \"flush faced champagne/cruise.tar.gz\", \"path\": \"flush faced champagne/cruise.tar.gz/administrators.tmp\", \"type\": \"Folder\", \"type_id\": 2}, \"name\": \"Switzerland\", \"namespace_pid\": 97, \"parent_process\": {\"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"1FA53D9A1AEAB5165003DE1755AD56612ABF77A3D033D697439C884637D2DC66DBDFFA147DFDBD69DC6D27340B63C26C93D84C65F59EE3A270CA5BBB1D13613F\"}, \"network_driver\": \"ee australian housewares\", \"size\": 388023740, \"uid\": \"8b834fd8-61b8-11ee-8b6a-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"created_time\": 1695272181548, 
\"is_system\": false, \"mime_type\": \"today/uniprotkb\", \"name\": \"audi.pspimage\", \"owner\": {\"name\": \"Mastercard\", \"org\": {\"name\": \"qualification twisted australian\", \"ou_name\": \"franklin nb leslie\", \"uid\": \"8b833dfe-61b8-11ee-a745-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"8b833638-61b8-11ee-a13b-0242ac110005\"}, \"parent_folder\": \"paying represent putting/showing.vob\", \"path\": \"paying represent putting/showing.vob/audi.pspimage\", \"type\": \"Block Device\", \"type_id\": 4}, \"name\": \"Containers\", \"namespace_pid\": 5, \"parent_process\": {\"cmd_line\": \"gang spring carlo\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"85434F1527CE237329D0B1927EABF9D3\"}, \"name\": \"victims edit minimum\", \"size\": 2069042340, \"uid\": \"8b83744a-61b8-11ee-9c26-0242ac110005\"}, \"integrity\": \"happening\", \"integrity_id\": 99, \"name\": \"Global\", \"namespace_pid\": 74, \"parent_process\": {\"cmd_line\": \"mm bon estimate\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"CA59BAD8CEAD7A8424AD6823FE6AED5BA7AF4A9FDA854EA5AAB75A41B5369465\"}, \"image\": {\"uid\": \"8b840af4-61b8-11ee-a7b5-0242ac110005\"}, \"name\": \"separation catalogs vocals\", \"uid\": \"8b8402a2-61b8-11ee-92d4-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessor\": {\"groups\": [{\"name\": \"ct disposal rent\", \"uid\": \"8b839358-61b8-11ee-a4c0-0242ac110005\"}, {\"name\": \"cruise ancient chemicals\", \"type\": \"spoke life lee\"}], \"name\": \"Mathematical\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"8b838e30-61b8-11ee-8527-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"CA247333484AEB04EFA2DE65A9EC68032CED9ACC7716F9379404EB2422FC65190E0F56D3C2B21505FE722A0CD1D05AF9B8E47B4CB5005B4C4E71C6C5545C775F\"}], \"mime_type\": \"molecules/sharon\", \"name\": \"planner.bak\", \"parent_folder\": \"sony discussion 
suit/stomach.gif\", \"path\": \"sony discussion suit/stomach.gif/planner.bak\", \"type\": \"Character Device\", \"type_id\": 3, \"uid\": \"8b838804-61b8-11ee-a06e-0242ac110005\"}, \"integrity\": \"High\", \"integrity_id\": 4, \"name\": \"Pilot\", \"parent_process\": {\"cmd_line\": \"applicable acquire folk\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"6B942E2831F972C22E2B0292EA3A8176AB41CD3B\"}, \"image\": {\"name\": \"pressure sixth happen\", \"uid\": \"8b8431e6-61b8-11ee-9576-0242ac110005\"}, \"name\": \"businesses suspension across\", \"orchestrator\": \"theta create impact\", \"size\": 2843627610, \"uid\": \"8b842ce6-61b8-11ee-acb2-0242ac110005\"}, \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"lineage\": [\"wires largest stamp\", \"handbook dale photograph\"], \"name\": \"Sleep\", \"namespace_pid\": 4, \"parent_process\": {\"cmd_line\": \"packs maximum audit\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"799904B20F1174F01C0D2DD87C57E097\"}, \"image\": {\"labels\": [\"clouds\"], \"name\": \"letter fri mauritius\", \"uid\": \"8b84825e-61b8-11ee-a5b5-0242ac110005\"}, \"name\": \"hotmail midlands ripe\", \"size\": 860474369, \"uid\": \"8b847c96-61b8-11ee-99b1-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T06:46:13.768070Z\", \"file\": {\"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"436DE0B494120DEC66B218D7D67AE5FC65841DA47A5D5A6044D76AE7CD0D793736DCAD5FA9C579A8C53310FA0B70225BB8C079A2E5BEDB5F6F48176972572F1C\"}], \"name\": \"pottery.java\", \"parent_folder\": \"revolutionary such regulations/cheaper.ico\", \"path\": \"revolutionary such regulations/cheaper.ico/pottery.java\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T06:46:13.764297Z\", 
\"fingerprints\": [{\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"EDE381A3419BC1A2ACD00220F23CE82967A8631DB35FDF0122B8A0E43E8768CABDBDC842A83C48138C523D1A56B3F63F03D85756C9BFED7656AE5097479D9A4C\"}, {\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"AFD38780B76420D3214D2D6D318A6EA972D720518346C2F7339E661205D5F20A5682869DAF56249F9FACD6EDF878C81669184A1D9C736232079EDED66727E297\"}], \"issuer\": \"write watts guitars\", \"serial_number\": \"facing wb drinks\", \"subject\": \"consensus ownership trainer\", \"version\": \"1.0.0\"}}, \"type\": \"Local Socket\", \"type_id\": 5}, \"name\": \"Lie\", \"namespace_pid\": 45, \"parent_process\": {\"cmd_line\": \"prior angry workers\", \"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"B413223A2BB7E91D5C6E244B77A2392BA017906B615F3CDF4BA192FE568C7738ADE3E24CAA9273F592169D682882DAC5E0DF8975B0FDB3859FB69A175B815724\"}, \"image\": {\"name\": \"expenses pdt conditioning\", \"path\": \"valentine corp gcc\", \"tag\": \"recognition albania curtis\", \"uid\": \"8b84d204-61b8-11ee-8eb1-0242ac110005\"}, \"name\": \"horrible scroll del\", \"pod_uuid\": \"gift\", \"size\": 870541982, \"uid\": \"8b84c7c8-61b8-11ee-b0ff-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessed_time_dt\": \"2023-10-03T06:46:13.766265Z\", \"attributes\": 57, \"company_name\": \"Elenore Jeanetta\", \"confidentiality\": \"hitachi shaw tension\", \"created_time_dt\": \"2023-10-03T06:46:13.766258Z\", \"desc\": \"syracuse until as\", \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"8A8173677F164DD2E2CF83BEA2A42A8B\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"6B70D921D9E8DCF0F08A73F508E5D19D274B58D8AC2E29049A23B62D1988C1028A8ECBA2485531BBD6B7AEE51EA822578E859759F8FFC4818023EFD47ABC9C4D\"}], \"name\": \"pledge.ini\", \"parent_folder\": \"internationally remedies back/his.cgi\", \"path\": \"internationally remedies back/his.cgi/pledge.ini\", 
\"security_descriptor\": \"lower cable requiring\", \"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"F72B1ED0BD7D6BE65211FA1606D1DE35F225DE73CB524C01380509CCE5B6F8F8DDE81A0B0AB6F5ECE9A7E651DD7D0C19DB365A83C018B747DA5B0A79259F3547\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"AEAA2CEC33E27D65690E726E1710D3F4A99A2BF0AE9A3BD9087488F1DFB4D38D\"}], \"issuer\": \"rocket separation opponent\", \"serial_number\": \"edinburgh responsible supervisor\", \"subject\": \"portugal motel preserve\", \"version\": \"1.0.0\"}}, \"type\": \"Character Device\", \"type_id\": 3}, \"name\": \"Homepage\", \"namespace_pid\": 94, \"pid\": 78, \"session\": {\"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T06:46:13.767299Z\", \"expiration_time_dt\": \"2023-10-03T06:46:13.767292Z\", \"issuer\": \"gel submissions finite\", \"uid\": \"8b84b562-61b8-11ee-a0d1-0242ac110005\", \"uuid\": \"8b84bbd4-61b8-11ee-8f0e-0242ac110005\"}, \"uid\": \"8b84ac48-61b8-11ee-97d9-0242ac110005\", \"user\": {\"name\": \"Lauderdale\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"8b84a6e4-61b8-11ee-b1fe-0242ac110005\", \"uid_alt\": \"venezuela path passing\"}}, \"pid\": 43, \"sandbox\": \"holmes guess hyundai\", \"session\": {\"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T06:46:13.764972Z\", \"expiration_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T06:46:13.764963Z\", \"is_remote\": false, \"issuer\": \"fun tomorrow antibodies\", \"uid\": \"8b8460c6-61b8-11ee-9def-0242ac110005\"}, \"user\": {\"account\": {\"name\": \"chrome ones leeds\", \"type\": \"AWS IAM User\", \"type_id\": 3}, \"domain\": \"continuity cases issues\", \"groups\": [{\"name\": \"protein lightweight complications\", \"type\": \"samsung knowledgestorm ppm\", \"uid\": 
\"8b8458ba-61b8-11ee-9ec2-0242ac110005\"}, {\"name\": \"spyware expensive partnerships\", \"type\": \"lcd moore th\"}], \"name\": \"Wrapping\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"8b8452de-61b8-11ee-9b3c-0242ac110005\", \"uid_alt\": \"mpegs eric ky\"}}, \"pid\": 54, \"session\": {\"created_time_dt\": \"2023-10-03T06:46:13.763445Z\", \"is_remote\": true}, \"uid\": \"8b8424bc-61b8-11ee-aa3b-0242ac110005\", \"user\": {\"name\": \"Edges\", \"type\": \"compute\", \"type_id\": 99, \"uid\": \"8b841ca6-61b8-11ee-ac94-0242ac110005\"}}, \"sandbox\": \"mothers equipped enquiry\", \"tid\": 45, \"uid\": \"8b83fcbc-61b8-11ee-8764-0242ac110005\", \"user\": {\"credential_uid\": \"8b83f94c-61b8-11ee-85e8-0242ac110005\", \"name\": \"Warner\", \"type\": \"interim\", \"type_id\": 99, \"uid\": \"8b83f500-61b8-11ee-9242-0242ac110005\"}}, \"pid\": 30, \"session\": {\"created_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T06:46:13.758724Z\", \"is_remote\": true, \"uid\": \"8b836dc4-61b8-11ee-aa72-0242ac110005\"}, \"uid\": \"8b83682e-61b8-11ee-bf60-0242ac110005\", \"user\": {\"account\": {\"name\": \"desk periodic depth\", \"type\": \"Mac OS Account\", \"type_id\": 7, \"uid\": \"8b836400-61b8-11ee-9913-0242ac110005\"}, \"name\": \"Includes\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"8b835b7c-61b8-11ee-9c7d-0242ac110005\", \"uid_alt\": \"origins demo declaration\"}}, \"pid\": 76, \"uid\": \"8b834aba-61b8-11ee-8172-0242ac110005\", \"user\": {\"domain\": \"klein greg processing\", \"full_name\": \"Franklyn Shantell\", \"name\": \"Prep\", \"type\": \"lot\", \"type_id\": 99, \"uid\": \"8b834682-61b8-11ee-8f6a-0242ac110005\"}}, \"pid\": 8, \"session\": {\"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T06:46:13.756371Z\", \"credential_uid\": \"8b830938-61b8-11ee-9d39-0242ac110005\", \"expiration_time_dt\": \"2023-10-03T06:46:13.756144Z\", \"is_remote\": true, \"issuer\": \"texts advertiser henderson\", \"uid\": 
\"8b830532-61b8-11ee-bdfd-0242ac110005\"}, \"terminated_time\": 1695272181548, \"tid\": 12, \"uid\": \"8b830046-61b8-11ee-b4bd-0242ac110005\", \"user\": {\"name\": \"Mechanics\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"8b82fc86-61b8-11ee-b5b6-0242ac110005\"}}, \"user\": {\"full_name\": \"Regan Loise\", \"name\": \"Cookies\", \"type\": \"load\", \"type_id\": 99, \"uid\": \"8b84f59a-61b8-11ee-8275-0242ac110005\", \"uid_alt\": \"dawn but titles\"}}, \"api\": {\"operation\": \"helena internationally leo\", \"request\": {\"uid\": \"8b824fc0-61b8-11ee-b26d-0242ac110005\"}, \"response\": {\"code\": 99, \"error\": \"three acdbentity sufficient\", \"message\": \"myrtle trust resort\"}}, \"attacks\": [{\"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}, {\"name\": \"Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.\", \"uid\": \"TA0040\"}], \"technique\": {\"name\": \"PowerShell Profile\", \"uid\": \"T1504\"}, \"version\": \"12.1\"}, {\"tactics\": [{\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}, {\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Securityd Memory\", \"uid\": \"T1555.002\"}, \"version\": \"12.1\"}], \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Module Activity\", \"class_uid\": 1005, \"cloud\": {\"account\": {\"name\": \"abroad takes controversy\", \"type\": \"AWS Account\", \"type_id\": 10, \"uid\": \"8b82630c-61b8-11ee-a1c3-0242ac110005\"}, \"project_uid\": \"8b82679e-61b8-11ee-9ed4-0242ac110005\", \"provider\": \"translate be cabinets\", \"region\": \"trap wood power\"}, \"device\": {\"domain\": \"existence conditional pillow\", \"groups\": [{\"name\": \"ev terminal meals\", \"uid\": \"8b82bf64-61b8-11ee-a83f-0242ac110005\"}, {\"name\": \"born 
lasting vitamins\", \"privileges\": [\"sheets loading representative\"], \"uid\": \"8b82c338-61b8-11ee-bf95-0242ac110005\"}], \"hostname\": \"tiles.name\", \"hw_info\": {\"cpu_bits\": 95, \"keyboard_info\": {\"keyboard_subtype\": 47}}, \"hypervisor\": \"fundraising kerry peer\", \"imei\": \"moderators sentence ordered\", \"instance_uid\": \"8b82c98c-61b8-11ee-ac91-0242ac110005\", \"interface_uid\": \"8b82d0da-61b8-11ee-b450-0242ac110005\", \"ip\": \"81.2.69.142\", \"mac\": \"6C:91:94:13:50:61:2E:D4\", \"modified_time\": 1695272181548, \"name\": \"assigned daughters creating\", \"network_interfaces\": [{\"hostname\": \"lightbox.gov\", \"ip\": \"81.2.69.142\", \"mac\": \"57:15:98:E9:35:D3:B3:9A\", \"name\": \"henderson treasures dv\", \"type\": \"Tunnel\", \"type_id\": 4}, {\"hostname\": \"horizon.biz\", \"ip\": \"81.2.69.142\", \"mac\": \"47:B8:F6:D1:B8:90:8C:7F\", \"name\": \"forests designation entire\", \"type\": \"fcc\", \"type_id\": 99, \"uid\": \"8b82b79e-61b8-11ee-a441-0242ac110005\"}], \"os\": {\"build\": \"grave pn resist\", \"country\": \"Cuba, Republic of\", \"name\": \"extreme oct care\", \"sp_ver\": 3, \"type\": \"Android\", \"type_id\": 201}, \"region\": \"slight centers swimming\", \"risk_level\": \"Low\", \"risk_level_id\": 1, \"type\": \"frontier\", \"type_id\": 99}, \"disposition\": \"Deleted\", \"disposition_id\": 5, \"malware\": [{\"classification_ids\": [17, 2], \"classifications\": [\"ontario amsterdam archived\", \"newfoundland norman eddie\"], \"name\": \"generally insight ee\", \"path\": \"jc possess fibre\", \"provider\": \"singapore flexible casino\"}, {\"classification_ids\": [16, 5], \"cves\": [{\"created_time\": 1695272181548, \"modified_time\": 1695272181548, \"modified_time_dt\": \"2023-10-03T06:46:13.752477Z\", \"type\": \"graphical acm salt\", \"uid\": \"8b827964-61b8-11ee-822b-0242ac110005\"}], \"name\": \"illustrated lending requirements\", \"path\": \"cho basket ul\", \"provider\": \"goods fitting latter\", \"uid\": 
\"8b8272c0-61b8-11ee-90e5-0242ac110005\"}], \"message\": \"menu controller plants\", \"metadata\": {\"labels\": [\"moses\"], \"log_name\": \"laboratory instance upon\", \"log_provider\": \"discrimination morrison course\", \"logged_time\": 1695272181548, \"original_time\": \"rights newly filled\", \"product\": {\"lang\": \"en\", \"name\": \"improving consist portfolio\", \"uid\": \"8b82a664-61b8-11ee-bb6e-0242ac110005\", \"vendor_name\": \"completing watershed poor\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"sequence\": 44, \"version\": \"1.0.0\"}, \"module\": {\"base_address\": \"daughters offshore thehun\", \"file\": {\"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"created_time_dt\": \"2023-10-03T06:46:13.753318Z\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"795F2AAA00B0D80F2A50C10902A141A3E0AFE3A4BCE0007F213C21994E6AE528B448F2C2F4BDF6C4E1D0AEA3B8396D40A4395AA9730A77E879848BDB750D6468\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"B8C09AA4F584900FEA2DF3DAFBDAF9F0C6E76095BFDBCCF5F0F748D069D706526380A29574124164B0EDC1B56DD8342FC4BF70467A9B6024D999269A45E2A175\"}], \"modified_time\": 1695272181548, \"name\": \"expiration.cpl\", \"parent_folder\": \"pleased dip spiritual/corresponding.java\", \"path\": \"pleased dip spiritual/corresponding.java/expiration.cpl\", \"product\": {\"lang\": \"en\", \"name\": \"traveling yea espn\", \"uid\": \"8b82966a-61b8-11ee-81c7-0242ac110005\", \"vendor_name\": \"manhattan better posts\", \"version\": \"1.0.0\"}, \"type\": \"Character Device\", \"type_id\": 3}, \"load_type\": \"Non Standard\", \"load_type_id\": 2, \"start_address\": \"needs some limit\"}, \"severity\": \"minutes\", \"severity_id\": 99, \"status\": \"Unknown\", \"status_id\": 0, \"time\": 1695272181548, \"timezone_offset\": 8, \"type_name\": \"Module Activity: Load\", \"type_uid\": 100501}"
+ }
+}
\ No newline at end of file 
diff --git a/OCSF/ocsf/tests/test_system_activity_6.json b/OCSF/ocsf/tests/test_system_activity_6.json
new file mode 100644
index 000000000..69c1fb31b
--- /dev/null
+++ b/OCSF/ocsf/tests/test_system_activity_6.json
@@ -0,0 +1,33 @@
+{
+ "input": {
+ "message": "{\"message\": \"walnut trucks alabama\", \"status\": \"vcr\", \"time\": 1695272181548, \"device\": {\"name\": \"cholesterol republicans albert\", \"type\": \"Virtual\", \"ip\": \"81.2.69.142\", \"location\": {\"desc\": \"Antigua and Barbuda\", \"city\": \"Guidance marijuana\", \"country\": \"AG\", \"coordinates\": [139.683, -39.2278], \"continent\": \"North America\"}, \"hostname\": \"bags.coop\", \"uid\": \"442a8524-61be-11ee-a4cc-0242ac110005\", \"org\": {\"name\": \"answer intelligent artificial\", \"ou_name\": \"garlic glucose festival\"}, \"type_id\": 6, \"hypervisor\": \"indianapolis finite serious\", \"interface_name\": \"officials janet subscribe\", \"interface_uid\": \"442a8a60-61be-11ee-b5e8-0242ac110005\", \"last_seen_time\": 1695272181548, \"region\": \"argentina andy wyoming\", \"risk_score\": 44, \"modified_time_dt\": \"2023-10-03T07:27:11.038353Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"rough cfr elephant\", \"version\": \"1.0.0\", \"uid\": \"442a6c38-61be-11ee-811a-0242ac110005\", \"lang\": \"en\", \"url_string\": \"cl\", \"vendor_name\": \"turkey directors vacations\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"event_code\": \"paths\", \"log_provider\": \"gays consultation motivated\", \"logged_time\": 1695272181548, \"original_time\": \"bolt beds created\", \"modified_time_dt\": \"2023-10-03T07:27:11.037636Z\", \"processed_time_dt\": \"2023-10-03T07:27:11.037651Z\"}, \"start_time\": 1695272181548, \"severity\": \"doctors\", \"disposition\": \"Unknown\", \"type_name\": \"Process Activity: Set User ID\", \"activity_id\": 5, \"disposition_id\": 0, \"type_uid\": 100705, \"category_name\": \"System Activity\", \"class_uid\": 1007, \"category_uid\": 1, \"class_name\": \"Process Activity\", \"timezone_offset\": 75, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Exfiltration | The adversary is trying to steal 
data.\", \"uid\": \"TA0010\"}, {\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Accessibility Features\", \"uid\": \"T1546.008\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Web Shell\", \"uid\": \"T1100\"}}], \"activity_name\": \"Set User ID\", \"actor\": {\"process\": {\"name\": \"Woman\", \"pid\": 99, \"file\": {\"attributes\": 71, \"name\": \"game.crdownload\", \"type\": \"Symbolic Link\", \"path\": \"district moment specs/consolidation.mp3/game.crdownload\", \"type_id\": 7, \"parent_folder\": \"district moment specs/consolidation.mp3\", \"hashes\": [{\"value\": \"DBC811458704E7331C9D9B3365E5DB08E8D9247CEDBE9F8FFED69606E0A5CE644230CB925F7AE8919137B51CE7E4797EC55533D10E6AF32B803BAB785848BD58\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"74900E05175C9BD82834F761CAE8D37E3190933ED2249C16508DB4053419EDAEE6ADD186BACD19C2AF5686BC9D15177A7960A70D7A385EB3E05AF555356368E6\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"xattributes\": {}, \"accessed_time_dt\": \"2023-10-03T07:27:11.051398Z\"}, \"user\": {\"name\": \"Laboratory\", \"type\": \"Unknown\", \"uid\": \"442c90bc-61be-11ee-8334-0242ac110005\", \"type_id\": 0, \"account\": {\"name\": \"filled lunch processing\", \"type\": \"Windows Account\", \"uid\": \"442c96ac-61be-11ee-945c-0242ac110005\", \"type_id\": 2}}, \"uid\": \"442c9a58-61be-11ee-8992-0242ac110005\", \"cmd_line\": \"wrist teach engaging\", \"container\": {\"name\": \"disabled underlying prerequisite\", \"runtime\": \"ntsc replacing emotional\", \"size\": 1294218177, \"uid\": \"442ca070-61be-11ee-b847-0242ac110005\", \"image\": {\"name\": \"janet flights pct\", \"tag\": \"reporter calculator population\", \"uid\": \"442ca5e8-61be-11ee-ac6f-0242ac110005\", \"labels\": [\"beef\"]}, 
\"hash\": {\"value\": \"2A9141F10042E65FE9B037DE88C913D5CB6420C809E4F70D77B0C1CD0DB599E0DA4CC22A8E772350CACDACD72722801EA7BEAAE4B6D79D3949E37DB3492F1892\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695272181548, \"integrity\": \"Low\", \"integrity_id\": 2, \"namespace_pid\": 96, \"parent_process\": {\"name\": \"Undergraduate\", \"pid\": 18, \"file\": {\"name\": \"alice.cur\", \"type\": \"Block Device\", \"path\": \"llc snap glossary/striking.cgi/alice.cur\", \"type_id\": 4, \"company_name\": \"Margurite Hester\", \"parent_folder\": \"llc snap glossary/striking.cgi\", \"hashes\": [{\"value\": \"C87068358A2AF25FB6462D2E9D5CEE0C1B843771EE363E91B70497182AC6058683881C15DDFF011CE7CAAE6617D935F69F093E8BB488A880E8A559A8AC1073FA\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time\": 1695272181548, \"security_descriptor\": \"kurt snowboard baby\", \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T07:27:11.052592Z\"}, \"user\": {\"type\": \"System\", \"uid\": \"442d0416-61be-11ee-8f5e-0242ac110005\", \"type_id\": 3}, \"tid\": 18, \"uid\": \"442d08c6-61be-11ee-9eea-0242ac110005\", \"cmd_line\": \"shopzilla signal shift\", \"created_time\": 1695272181548, \"integrity\": \"brush clinton bride\", \"namespace_pid\": 81, \"parent_process\": {\"name\": \"Danger\", \"pid\": 27, \"file\": {\"name\": \"es.sql\", \"type\": \"Regular File\", \"path\": \"sarah receivers appropriate/keen.cpl/es.sql\", \"desc\": \"dynamics dg islamic\", \"type_id\": 1, \"accessor\": {\"type\": \"Admin\", \"uid\": \"442d1b40-61be-11ee-8249-0242ac110005\", \"type_id\": 2, \"email_addr\": \"Alethea@fa.web\"}, \"parent_folder\": \"sarah receivers appropriate/keen.cpl\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"4095391C7E3E04FF12C9AD2E6C49BD63DFE77E885ACAADD3B58A1D8895383044\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"is_system\": false, \"created_time_dt\": \"2023-10-03T07:27:11.055203Z\"}, \"user\": {\"name\": \"Strong\", \"type\": 
\"Unknown\", \"uid\": \"442d27de-61be-11ee-b498-0242ac110005\", \"type_id\": 0, \"account\": {\"name\": \"allows country mineral\", \"type\": \"AWS IAM Role\", \"uid\": \"442d4a0c-61be-11ee-bd4c-0242ac110005\", \"type_id\": 4}, \"email_addr\": \"Minta@active.biz\"}, \"uid\": \"442d4ee4-61be-11ee-a8b0-0242ac110005\", \"loaded_modules\": [\"/instantly/lazy/quickly/junk/relates.gadget\", \"/gentle/sen/bridge/brochure/county.cbr\"], \"cmd_line\": \"growing howard error\", \"container\": {\"name\": \"stand tumor previously\", \"size\": 61744955, \"uid\": \"442d84ae-61be-11ee-a35f-0242ac110005\", \"hash\": {\"value\": \"77D19917CD3F9FDA9C5B453897F0829D1D94450C31CB6991090BF4B4F49578CF29BBBBA4AF270287F408F0B9D696F5C18C16366E5CDFFDB199FDFC3E2BF91A62\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, \"network_driver\": \"receiver recommended governor\"}, \"created_time\": 1695272181548, \"namespace_pid\": 25, \"parent_process\": {\"name\": \"Virtue\", \"pid\": 9, \"file\": {\"name\": \"wishlist.fnt\", \"owner\": {\"name\": \"Proof\", \"type\": \"genius\", \"uid\": \"442e1d74-61be-11ee-ac9e-0242ac110005\", \"type_id\": 99}, \"type\": \"Regular File\", \"path\": \"bouquet bibliography pull/dumb.mov/wishlist.fnt\", \"modifier\": {\"name\": \"Victory\", \"type\": \"User\", \"uid\": \"442e4920-61be-11ee-ab85-0242ac110005\", \"type_id\": 1, \"account\": {\"name\": \"me tagged lang\", \"type\": \"AWS IAM Role\", \"uid\": \"442e5168-61be-11ee-a406-0242ac110005\", \"type_id\": 4}, \"email_addr\": \"Zona@partners.mil\"}, \"product\": {\"name\": \"written em fujitsu\", \"version\": \"1.0.0\", \"uid\": \"442e6324-61be-11ee-9f29-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"sounds di inquiry\"}, \"type_id\": 1, \"company_name\": \"Tamara Porsha\", \"parent_folder\": \"bouquet bibliography pull/dumb.mov\", \"hashes\": [{\"value\": \"EA326FE8119ACC03CB82276431BF6120811A2EE778F15E25088100D62EF8410FAD0B948395B7204152892B06C76A6405752FE2115D4B22CAF5461B8DA8D74966\", \"algorithm\": 
\"CTPH\", \"algorithm_id\": 5}]}, \"uid\": \"442e6b76-61be-11ee-ab8d-0242ac110005\", \"cmd_line\": \"fox breathing excluded\", \"container\": {\"name\": \"obtained thompson wait\", \"size\": 1304039495, \"uid\": \"442e74ae-61be-11ee-bee1-0242ac110005\", \"image\": {\"name\": \"ou false horn\", \"tag\": \"widely concerns ranger\", \"uid\": \"442e7aa8-61be-11ee-92c0-0242ac110005\"}, \"hash\": {\"value\": \"34BF8F4BFD5096DFE4AD7B1FC397EE225004242E\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"orchestrator\": \"cingular grow causing\"}, \"created_time\": 1695272181548, \"integrity\": \"races parcel generating\", \"namespace_pid\": 54, \"parent_process\": {\"name\": \"Kai\", \"pid\": 23, \"file\": {\"attributes\": 99, \"name\": \"conceptual.py\", \"type\": \"Named Pipe\", \"path\": \"impression finance trader/fragrances.sql/conceptual.py\", \"signature\": {\"digest\": {\"value\": \"46A80AC3F38096FE6828377277FC50B39BB0C646F94FC178876749ADE0DA96DE\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"jumping experts visitors\", \"issuer\": \"enterprise game humanitarian\", \"fingerprints\": [{\"value\": \"6B70FC8DC165E533CBF2BCD7C70701DE3B3E114D\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"FCC3C0E1B16A999DE463D9C657DCA7E366719DE7E84E9C4EC1E41B0E744F649955B9E844AD173EBB3075A18E757DAF50733546203C86FB3209652FC0FB80534C\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"grad newest earlier\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"type_id\": 6, \"parent_folder\": \"impression finance trader/fragrances.sql\", \"accessed_time\": 1695272181548, \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"is_system\": true, \"security_descriptor\": \"ni easter snapshot\", \"modified_time_dt\": \"2023-10-03T07:27:11.064617Z\"}, \"user\": {\"name\": \"Da\", \"type\": \"ben\", \"domain\": \"dubai 
sys drum\", \"uid\": \"442ed390-61be-11ee-902b-0242ac110005\", \"groups\": [{\"name\": \"implications fred rent\", \"uid\": \"442ed976-61be-11ee-acb4-0242ac110005\"}, {\"type\": \"hundred suggesting radius\", \"uid\": \"442ede6c-61be-11ee-815a-0242ac110005\"}], \"type_id\": 99, \"uid_alt\": \"documents harmony austria\"}, \"uid\": \"442ee2d6-61be-11ee-ad3f-0242ac110005\", \"session\": {\"uid\": \"442ee7f4-61be-11ee-a967-0242ac110005\", \"uuid\": \"442eeb3c-61be-11ee-a179-0242ac110005\", \"issuer\": \"robots places depression\", \"created_time\": 1695272181548, \"is_remote\": false}, \"cmd_line\": \"operations expanded ht\", \"container\": {\"name\": \"victor civic segments\", \"size\": 2232172986, \"uid\": \"442ef1ea-61be-11ee-870d-0242ac110005\", \"image\": {\"name\": \"weird sep allowing\", \"uid\": \"442efa14-61be-11ee-8abf-0242ac110005\", \"labels\": [\"amplifier\"]}, \"hash\": {\"value\": \"27D94D1C177AA8E0E6E8A4F5ECAB104598CD2B62F27D3A26FCDC87A6AA7398BFD85771D86723FEDB24EC75CA439D57127989FB397C1F07F53B35533563BA3274\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}}, \"created_time\": 1695272181548, \"namespace_pid\": 74, \"parent_process\": {\"name\": \"Industries\", \"pid\": 93, \"file\": {\"name\": \"rage.ics\", \"type\": \"Regular File\", \"path\": \"slide sensitivity milton/dsc.kml/rage.ics\", \"type_id\": 1, \"parent_folder\": \"slide sensitivity milton/dsc.kml\", \"accessed_time\": 1695272181548, \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"F10EEB0D89F01824C27418121C62436F\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"B883D1D4320E98F7DE7D6913D7C3DF5503FB17747CCE5EBD6F3384A41414FF8D\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"xattributes\": {}}, \"user\": {\"name\": \"Earrings\", \"type\": \"System\", \"uid\": \"442f0f18-61be-11ee-92c1-0242ac110005\", \"type_id\": 3}, \"uid\": \"442f1314-61be-11ee-a9ee-0242ac110005\", \"container\": {\"name\": \"irish paid ga\", \"runtime\": \"meetings imported 
nutrition\", \"size\": 706306619, \"uid\": \"442f19c2-61be-11ee-851e-0242ac110005\", \"image\": {\"name\": \"struct wind included\", \"uid\": \"442f39ca-61be-11ee-9840-0242ac110005\", \"labels\": [\"hourly\"]}, \"hash\": {\"value\": \"C4802F4F55FE24BE9AF5F053E8719A9BC77381D625A0D27A35201C772CFD324009461ABCAC4A120286B98C707400807BB9DF7CFB3AA2C3BBF04EBB41E2AD07B3\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695272181548, \"namespace_pid\": 46, \"parent_process\": {\"name\": \"Employed\", \"pid\": 49, \"file\": {\"name\": \"nextel.dat\", \"type\": \"Unknown\", \"path\": \"exhibitions grad folks/lonely.yuv/nextel.dat\", \"desc\": \"parking hazards hunter\", \"type_id\": 0, \"parent_folder\": \"exhibitions grad folks/lonely.yuv\", \"hashes\": [{\"value\": \"1FE380DD618981AF242E43F459760A9F0C89B6D74E1C7544A298FBA160545A4F047CFFB754779F8EAD083609F87AB1EF4DE7D3630EDA324A5052064685D8A814\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"27D3F37EB6F68FBB9EDC408AAFC6035EF463633CB1D425DD737C0AD4F6A2442EE5857F1FD9BB49C0A3030802642A48CB4AADBAFC7B20B82DE18144D2E360B551\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"is_system\": true, \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Affiliation\", \"type\": \"User\", \"uid\": \"442f881c-61be-11ee-8d6d-0242ac110005\", \"type_id\": 1, \"credential_uid\": \"442f8c40-61be-11ee-858e-0242ac110005\"}, \"tid\": 75, \"uid\": \"442f8fb0-61be-11ee-b4aa-0242ac110005\", \"cmd_line\": \"directive rico hs\", \"container\": {\"name\": \"depot lanes mai\", \"size\": 4170062018, \"uid\": \"442f976c-61be-11ee-8026-0242ac110005\", \"image\": {\"name\": \"inappropriate burden hoped\", \"uid\": \"442f9c62-61be-11ee-81fa-0242ac110005\"}, \"hash\": {\"value\": \"FE9E27DD7BF526B57D69D3BD9FAC33DC\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"created_time\": 1695272181548, \"namespace_pid\": 5, \"parent_process\": {\"pid\": 4, \"file\": {\"attributes\": 28, \"name\": \"centered.txt\", \"size\": 
724911628, \"type\": \"Unknown\", \"path\": \"patrol considers alternative/bargains.xlr/centered.txt\", \"type_id\": 0, \"accessor\": {\"name\": \"Bailey\", \"type\": \"User\", \"uid\": \"442fac66-61be-11ee-b373-0242ac110005\", \"org\": {\"name\": \"nova identification paul\", \"uid\": \"442fb1a2-61be-11ee-9fd5-0242ac110005\", \"ou_name\": \"honors tattoo australian\"}, \"type_id\": 1, \"credential_uid\": \"442fb5ee-61be-11ee-a469-0242ac110005\", \"email_addr\": \"Almeda@representations.biz\"}, \"company_name\": \"Chery Hunter\", \"mime_type\": \"finish/councils\", \"parent_folder\": \"patrol considers alternative/bargains.xlr\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"2E5106CC0168994B4FE52AC9F67394250EE7504DB2DB5DE3CE0AC0A6E01DFA01\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"37A8A4AF49E5E20E61CF73D569C93D3F839D333C98BADE757EC2C5093C969DBEBC2707A0A2C9B4709FB6986E18991E93BA14C3CC2799E6153B1BEA132224F02B\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Achieving\", \"type\": \"System\", \"uid\": \"442fbf76-61be-11ee-b1ce-0242ac110005\", \"org\": {\"uid\": \"442fc408-61be-11ee-a83e-0242ac110005\", \"ou_name\": \"drunk pt locations\"}, \"groups\": [{\"name\": \"blackberry genetics dsc\", \"uid\": \"442fc93a-61be-11ee-93e5-0242ac110005\", \"privileges\": [\"counter relocation association\", \"precise nurses satisfactory\"]}, {\"name\": \"munich clothing commit\", \"uid\": \"442fcd54-61be-11ee-ab07-0242ac110005\"}], \"type_id\": 3, \"account\": {\"name\": \"batman sprint established\", \"type\": \"Linux Account\", \"type_id\": 9}}, \"uid\": \"442fd27c-61be-11ee-bc32-0242ac110005\", \"session\": {\"uid\": \"442fda56-61be-11ee-93d0-0242ac110005\", \"issuer\": \"vacation obligation refused\", \"created_time\": 1695272181548, \"is_remote\": false}, \"cmd_line\": \"portfolio syracuse zinc\", \"container\": {\"name\": \"extremely bridges jane\", \"size\": 2170520292, \"tag\": 
\"magnificent nerve ethnic\", \"uid\": \"442fe3ca-61be-11ee-ac04-0242ac110005\", \"image\": {\"uid\": \"442fe870-61be-11ee-8322-0242ac110005\"}, \"hash\": {\"value\": \"E9264147B413746293E539868C8EDFF71715E1E3\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"pod_uuid\": \"save\"}, \"created_time\": 1695272181548, \"namespace_pid\": 10, \"parent_process\": {\"name\": \"Flags\", \"pid\": 12, \"file\": {\"name\": \"stats.cs\", \"size\": 3217957879, \"type\": \"Block Device\", \"path\": \"well vacations concrete/hamburg.vcf/stats.cs\", \"modifier\": {\"type\": \"System\", \"uid\": \"442ff8e2-61be-11ee-bc3b-0242ac110005\", \"type_id\": 3}, \"desc\": \"supporters billy surgeon\", \"product\": {\"name\": \"rare musical oregon\", \"version\": \"1.0.0\", \"uid\": \"442ffee6-61be-11ee-b950-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"moms scholarships pins\"}, \"type_id\": 4, \"parent_folder\": \"well vacations concrete/hamburg.vcf\", \"hashes\": [{\"value\": \"220358975ACF552AE828178DC72009FA5342AB5C33895C6E9E5048EF5BD044736C17B29683CD4CD82D017C7D963FB9AE740735C6D31E956B42C4A45F803F6EDA\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"security_descriptor\": \"dave manufacturing applicant\", \"modified_time_dt\": \"2023-10-03T07:27:11.074123Z\"}, \"user\": {\"name\": \"Rod\", \"type\": \"fiji\", \"uid\": \"44300a4e-61be-11ee-b6bc-0242ac110005\", \"type_id\": 99}, \"uid\": \"44300e5e-61be-11ee-8332-0242ac110005\", \"cmd_line\": \"easter anaheim introductory\", \"container\": {\"name\": \"clone sic tight\", \"size\": 3536383459, \"uid\": \"443013cc-61be-11ee-a273-0242ac110005\", \"image\": {\"name\": \"jonathan calculation incomplete\", \"uid\": \"4430194e-61be-11ee-a776-0242ac110005\"}, \"hash\": {\"value\": \"A63B60EEA4665F00EDDB1E2A8FECCFEA7634F795\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}}, \"created_time\": 1695272181548, \"integrity\": \"guys document multimedia\", \"lineage\": [\"weight anytime gzip\", \"subcommittee milan reasonable\"], 
\"namespace_pid\": 4, \"parent_process\": {\"name\": \"Vat\", \"pid\": 10, \"file\": {\"name\": \"fioricet.lnk\", \"owner\": {\"name\": \"Vid\", \"type\": \"Admin\", \"uid\": \"44302a6a-61be-11ee-b70a-0242ac110005\", \"type_id\": 2, \"email_addr\": \"Elise@starts.museum\", \"uid_alt\": \"supplied epic spas\"}, \"type\": \"Unknown\", \"uid\": \"44302f24-61be-11ee-99d3-0242ac110005\", \"type_id\": 0, \"company_name\": \"Archie Lesley\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"F7EDAF3282DAFB609C7D421B786486F127371E76\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"security_descriptor\": \"believes airlines granted\"}, \"user\": {\"name\": \"Candles\", \"type\": \"User\", \"domain\": \"restaurants instead occurring\", \"uid\": \"443039a6-61be-11ee-8f9f-0242ac110005\", \"type_id\": 1, \"full_name\": \"Margareta Elden\", \"credential_uid\": \"44303eba-61be-11ee-ab60-0242ac110005\"}, \"session\": {\"uid\": \"443043ec-61be-11ee-96c0-0242ac110005\", \"issuer\": \"mediterranean provider something\", \"created_time\": 1695272181548, \"is_remote\": true}, \"loaded_modules\": [\"/timing/norm/crime/apollo/pollution.dwg\"], \"cmd_line\": \"robinson hunter anne\", \"container\": {\"name\": \"magnificent capabilities ideal\", \"size\": 3127592961, \"uid\": \"44305030-61be-11ee-b7e4-0242ac110005\", \"image\": {\"name\": \"mistake baseball jordan\", \"uid\": \"4430571a-61be-11ee-8c37-0242ac110005\"}, \"hash\": {\"value\": \"4B4AACD68CE2D5C32C8437FC88E56923FA0DDADFEA6532D34FA536A344FDD0F482CB0159A5237950B31A7F3D097FED596515444734A2DF56CF7D38A74DCA94D7\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}}, \"created_time\": 1695272181548, \"integrity\": \"reality\", \"integrity_id\": 99, \"namespace_pid\": 41, \"parent_process\": {\"name\": \"Cart\", \"pid\": 36, \"file\": {\"name\": \"ts.exe\", \"owner\": {\"name\": \"Commander\", \"type\": \"motherboard\", \"domain\": \"andale museum reality\", \"uid\": \"44306aca-61be-11ee-be86-0242ac110005\", \"type_id\": 
99, \"credential_uid\": \"44306ef8-61be-11ee-b8fd-0242ac110005\", \"uid_alt\": \"verzeichnis prefer soccer\"}, \"type\": \"Regular File\", \"type_id\": 1, \"confidentiality\": \"Not Confidential\", \"confidentiality_id\": 1, \"hashes\": [{\"value\": \"ADCAA40050F92C2A48474F33D6E697529CA1D0BD1FCC6D553290E4655C5F0BA7FAB42B475667A0C8EAD38187E3AFBE5AC9C7F3A68C87167BCF01080031CE50FB\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"D1F34CA31A773B2BDD48DB8EC34E2B88EA9746B72EB845256BE259CA7D5D9E5F\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"xattributes\": {}}, \"user\": {\"name\": \"Editorial\", \"type\": \"Unknown\", \"uid\": \"44307e70-61be-11ee-a962-0242ac110005\", \"org\": {\"name\": \"insulin identical prizes\", \"uid\": \"44308564-61be-11ee-abd1-0242ac110005\"}, \"type_id\": 0, \"account\": {\"name\": \"hewlett then appendix\", \"type\": \"GCP Account\", \"type_id\": 5}}, \"uid\": \"44308c3a-61be-11ee-93fe-0242ac110005\", \"cmd_line\": \"territories year excluded\", \"created_time\": 1695272181548, \"namespace_pid\": 51, \"parent_process\": {\"name\": \"Identical\", \"file\": {\"name\": \"underwear.sdf\", \"type\": \"Named Pipe\", \"version\": \"1.0.0\", \"path\": \"writer photoshop lane/st.sdf/underwear.sdf\", \"type_id\": 6, \"company_name\": \"Rosendo Grace\", \"parent_folder\": \"writer photoshop lane/st.sdf\", \"confidentiality\": \"cut salt catch\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"0F4CF4B2CE58DE3BF03D760DE38955BF246F80BAB6F81927F253AB5D9773EB75\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"647878B29B754A911F330D47137E3068A61F6185ED78B1AA43695E4A1D98607D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time_dt\": \"2023-10-03T07:27:11.078126Z\"}, \"user\": {\"name\": \"Spank\", \"type\": \"User\", \"uid\": \"4430a878-61be-11ee-af22-0242ac110005\", \"org\": {\"name\": \"von reservoir moore\", \"uid\": \"4430adc8-61be-11ee-b4ba-0242ac110005\", \"ou_name\": \"photos nat eds\", 
\"ou_uid\": \"4430b502-61be-11ee-8f5b-0242ac110005\"}, \"type_id\": 1, \"credential_uid\": \"4430b912-61be-11ee-8411-0242ac110005\", \"email_addr\": \"Ena@hearing.int\"}, \"cmd_line\": \"suited pace informal\", \"container\": {\"name\": \"elegant rankings wild\", \"size\": 2933994191, \"uid\": \"4430bf98-61be-11ee-b010-0242ac110005\", \"hash\": {\"value\": \"6F4F28E68A201B8127A08D889356FCFA0C736B9FD1330596E58F7D1669820A151705235B2F41C93CE5159EC808FE328BCED0BBC02E6C20382443EBB5ACDD6023\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"network_driver\": \"what belgium used\", \"orchestrator\": \"everyone ho alternative\", \"pod_uuid\": \"rocky\"}, \"created_time\": 1695272181548, \"namespace_pid\": 66, \"parent_process\": {\"name\": \"Documentation\", \"pid\": 70, \"file\": {\"name\": \"space.js\", \"size\": 3135869827, \"type\": \"Regular File\", \"version\": \"1.0.0\", \"path\": \"cookbook dc effort/abc.pkg/space.js\", \"type_id\": 1, \"parent_folder\": \"cookbook dc effort/abc.pkg\", \"hashes\": [{\"value\": \"7F572F2B5A5DED4063EF1594729C97543A900961\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"D6CDFD95B6030B86B739AC2B7575BA411041446BFEF23DF7765EC4B470C9A5D2E182599FBA3C539E0EBEAF5E656A808285FED2455EB8F7E802ABD6245CB543FC\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Ser\", \"type\": \"boom\", \"org\": {\"ou_name\": \"officials watches house\"}, \"type_id\": 99, \"account\": {\"name\": \"pas jacob personals\", \"type\": \"GCP Account\", \"uid\": \"4430d578-61be-11ee-ab48-0242ac110005\", \"type_id\": 5}, \"email_addr\": \"Charlette@anytime.jobs\"}, \"uid\": \"4430d9d8-61be-11ee-a2ef-0242ac110005\", \"cmd_line\": \"adolescent agreements wooden\", \"container\": {\"name\": \"sparc memphis paid\", \"size\": 3567867280, \"tag\": \"agency ended lambda\", \"uid\": \"4430dfe6-61be-11ee-bbae-0242ac110005\", \"hash\": {\"value\": \"6DBDD59AB542C91F19905B4D8672B5320DCBA285\", 
\"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"orchestrator\": \"workstation opening cambridge\", \"pod_uuid\": \"rendering\"}, \"integrity\": \"podcasts owned how\", \"namespace_pid\": 79, \"parent_process\": {\"name\": \"Triangle\", \"pid\": 76, \"file\": {\"name\": \"xl.php\", \"type\": \"Symbolic Link\", \"path\": \"beneath among lands/resort.cbr/xl.php\", \"desc\": \"panic united modeling\", \"type_id\": 7, \"parent_folder\": \"beneath among lands/resort.cbr\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"value\": \"9A5751D5ACECF26FF7EB2B33C144EFCE1C69FE9A\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"F803B26388365E33184D5CC145D868E1B8DF74D5\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"is_system\": false, \"xattributes\": {}, \"accessed_time_dt\": \"2023-10-03T07:27:11.080165Z\"}, \"user\": {\"type\": \"System\", \"uid\": \"4430f40e-61be-11ee-86fe-0242ac110005\", \"org\": {\"name\": \"important analog unnecessary\", \"uid\": \"4430faee-61be-11ee-b642-0242ac110005\", \"ou_name\": \"highlights douglas manufacturer\"}, \"groups\": [{\"name\": \"go prohibited oxford\", \"uid\": \"44310066-61be-11ee-99fb-0242ac110005\"}], \"type_id\": 3}, \"tid\": 20, \"uid\": \"443103fe-61be-11ee-8306-0242ac110005\", \"container\": {\"name\": \"flex operational statistical\", \"uid\": \"4431094e-61be-11ee-a229-0242ac110005\", \"hash\": {\"value\": \"4DA1DD452B8D517803494B5E00054136CCF55DF19FF70469451D438255FC03B1FA45BB3A48C03F49FCCE16708623DA0458F11C60EC6D10453E6D6AB6C6492E15\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"orchestrator\": \"performed gadgets bank\", \"pod_uuid\": \"password\"}, \"created_time\": 1695272181548, \"namespace_pid\": 98}}}, \"sandbox\": \"pendant funds intervals\", \"terminated_time_dt\": \"2023-10-03T07:27:11.080957Z\"}, \"xattributes\": {}, \"terminated_time_dt\": \"2023-10-03T07:27:11.080979Z\"}, \"sandbox\": \"earl manually converter\"}}, \"sandbox\": \"mexican broadway 
volleyball\", \"terminated_time_dt\": \"2023-10-03T07:27:11.081001Z\"}, \"xattributes\": {}}, \"created_time_dt\": \"2023-10-03T07:27:11.081016Z\"}, \"sandbox\": \"deep simply nn\", \"xattributes\": {}}, \"sandbox\": \"repeat checked peace\", \"xattributes\": {}, \"terminated_time_dt\": \"2023-10-03T07:27:11.081046Z\"}, \"sandbox\": \"rational girls corner\"}, \"created_time_dt\": \"2023-10-03T07:27:11.081059Z\", \"terminated_time_dt\": \"2023-10-03T07:27:11.081081Z\"}, \"user\": {\"type\": \"System\", \"uid\": \"4431189e-61be-11ee-bc71-0242ac110005\", \"type_id\": 3, \"credential_uid\": \"44311cae-61be-11ee-9f07-0242ac110005\"}}, \"actual_permissions\": 48, \"cloud\": {\"provider\": \"nu connector termination\", \"region\": \"lose activists occurred\"}, \"end_time\": 1695272181548, \"severity_id\": 99, \"status_id\": 99}",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "OCSF",
+ "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5"
+ }
+ }
+ },
+ "expected": {
+ "message": "{\"message\": \"walnut trucks alabama\", \"status\": \"vcr\", \"time\": 1695272181548, \"device\": {\"name\": \"cholesterol republicans albert\", \"type\": \"Virtual\", \"ip\": \"81.2.69.142\", \"location\": {\"desc\": \"Antigua and Barbuda\", \"city\": \"Guidance marijuana\", \"country\": \"AG\", \"coordinates\": [139.683, -39.2278], \"continent\": \"North America\"}, \"hostname\": \"bags.coop\", \"uid\": \"442a8524-61be-11ee-a4cc-0242ac110005\", \"org\": {\"name\": \"answer intelligent artificial\", \"ou_name\": \"garlic glucose festival\"}, \"type_id\": 6, \"hypervisor\": \"indianapolis finite serious\", \"interface_name\": \"officials janet subscribe\", \"interface_uid\": \"442a8a60-61be-11ee-b5e8-0242ac110005\", \"last_seen_time\": 1695272181548, \"region\": \"argentina andy wyoming\", \"risk_score\": 44, \"modified_time_dt\": \"2023-10-03T07:27:11.038353Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"rough cfr elephant\", \"version\": \"1.0.0\", \"uid\": 
\"442a6c38-61be-11ee-811a-0242ac110005\", \"lang\": \"en\", \"url_string\": \"cl\", \"vendor_name\": \"turkey directors vacations\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"event_code\": \"paths\", \"log_provider\": \"gays consultation motivated\", \"logged_time\": 1695272181548, \"original_time\": \"bolt beds created\", \"modified_time_dt\": \"2023-10-03T07:27:11.037636Z\", \"processed_time_dt\": \"2023-10-03T07:27:11.037651Z\"}, \"start_time\": 1695272181548, \"severity\": \"doctors\", \"disposition\": \"Unknown\", \"type_name\": \"Process Activity: Set User ID\", \"activity_id\": 5, \"disposition_id\": 0, \"type_uid\": 100705, \"category_name\": \"System Activity\", \"class_uid\": 1007, \"category_uid\": 1, \"class_name\": \"Process Activity\", \"timezone_offset\": 75, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}, {\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Accessibility Features\", \"uid\": \"T1546.008\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Web Shell\", \"uid\": \"T1100\"}}], \"activity_name\": \"Set User ID\", \"actor\": {\"process\": {\"name\": \"Woman\", \"pid\": 99, \"file\": {\"attributes\": 71, \"name\": \"game.crdownload\", \"type\": \"Symbolic Link\", \"path\": \"district moment specs/consolidation.mp3/game.crdownload\", \"type_id\": 7, \"parent_folder\": \"district moment specs/consolidation.mp3\", \"hashes\": [{\"value\": \"DBC811458704E7331C9D9B3365E5DB08E8D9247CEDBE9F8FFED69606E0A5CE644230CB925F7AE8919137B51CE7E4797EC55533D10E6AF32B803BAB785848BD58\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": 
\"74900E05175C9BD82834F761CAE8D37E3190933ED2249C16508DB4053419EDAEE6ADD186BACD19C2AF5686BC9D15177A7960A70D7A385EB3E05AF555356368E6\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"xattributes\": {}, \"accessed_time_dt\": \"2023-10-03T07:27:11.051398Z\"}, \"user\": {\"name\": \"Laboratory\", \"type\": \"Unknown\", \"uid\": \"442c90bc-61be-11ee-8334-0242ac110005\", \"type_id\": 0, \"account\": {\"name\": \"filled lunch processing\", \"type\": \"Windows Account\", \"uid\": \"442c96ac-61be-11ee-945c-0242ac110005\", \"type_id\": 2}}, \"uid\": \"442c9a58-61be-11ee-8992-0242ac110005\", \"cmd_line\": \"wrist teach engaging\", \"container\": {\"name\": \"disabled underlying prerequisite\", \"runtime\": \"ntsc replacing emotional\", \"size\": 1294218177, \"uid\": \"442ca070-61be-11ee-b847-0242ac110005\", \"image\": {\"name\": \"janet flights pct\", \"tag\": \"reporter calculator population\", \"uid\": \"442ca5e8-61be-11ee-ac6f-0242ac110005\", \"labels\": [\"beef\"]}, \"hash\": {\"value\": \"2A9141F10042E65FE9B037DE88C913D5CB6420C809E4F70D77B0C1CD0DB599E0DA4CC22A8E772350CACDACD72722801EA7BEAAE4B6D79D3949E37DB3492F1892\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695272181548, \"integrity\": \"Low\", \"integrity_id\": 2, \"namespace_pid\": 96, \"parent_process\": {\"name\": \"Undergraduate\", \"pid\": 18, \"file\": {\"name\": \"alice.cur\", \"type\": \"Block Device\", \"path\": \"llc snap glossary/striking.cgi/alice.cur\", \"type_id\": 4, \"company_name\": \"Margurite Hester\", \"parent_folder\": \"llc snap glossary/striking.cgi\", \"hashes\": [{\"value\": \"C87068358A2AF25FB6462D2E9D5CEE0C1B843771EE363E91B70497182AC6058683881C15DDFF011CE7CAAE6617D935F69F093E8BB488A880E8A559A8AC1073FA\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time\": 1695272181548, \"security_descriptor\": \"kurt snowboard baby\", \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T07:27:11.052592Z\"}, \"user\": {\"type\": \"System\", \"uid\": 
\"442d0416-61be-11ee-8f5e-0242ac110005\", \"type_id\": 3}, \"tid\": 18, \"uid\": \"442d08c6-61be-11ee-9eea-0242ac110005\", \"cmd_line\": \"shopzilla signal shift\", \"created_time\": 1695272181548, \"integrity\": \"brush clinton bride\", \"namespace_pid\": 81, \"parent_process\": {\"name\": \"Danger\", \"pid\": 27, \"file\": {\"name\": \"es.sql\", \"type\": \"Regular File\", \"path\": \"sarah receivers appropriate/keen.cpl/es.sql\", \"desc\": \"dynamics dg islamic\", \"type_id\": 1, \"accessor\": {\"type\": \"Admin\", \"uid\": \"442d1b40-61be-11ee-8249-0242ac110005\", \"type_id\": 2, \"email_addr\": \"Alethea@fa.web\"}, \"parent_folder\": \"sarah receivers appropriate/keen.cpl\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"4095391C7E3E04FF12C9AD2E6C49BD63DFE77E885ACAADD3B58A1D8895383044\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"is_system\": false, \"created_time_dt\": \"2023-10-03T07:27:11.055203Z\"}, \"user\": {\"name\": \"Strong\", \"type\": \"Unknown\", \"uid\": \"442d27de-61be-11ee-b498-0242ac110005\", \"type_id\": 0, \"account\": {\"name\": \"allows country mineral\", \"type\": \"AWS IAM Role\", \"uid\": \"442d4a0c-61be-11ee-bd4c-0242ac110005\", \"type_id\": 4}, \"email_addr\": \"Minta@active.biz\"}, \"uid\": \"442d4ee4-61be-11ee-a8b0-0242ac110005\", \"loaded_modules\": [\"/instantly/lazy/quickly/junk/relates.gadget\", \"/gentle/sen/bridge/brochure/county.cbr\"], \"cmd_line\": \"growing howard error\", \"container\": {\"name\": \"stand tumor previously\", \"size\": 61744955, \"uid\": \"442d84ae-61be-11ee-a35f-0242ac110005\", \"hash\": {\"value\": \"77D19917CD3F9FDA9C5B453897F0829D1D94450C31CB6991090BF4B4F49578CF29BBBBA4AF270287F408F0B9D696F5C18C16366E5CDFFDB199FDFC3E2BF91A62\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, \"network_driver\": \"receiver recommended governor\"}, \"created_time\": 1695272181548, \"namespace_pid\": 25, \"parent_process\": {\"name\": \"Virtue\", \"pid\": 9, \"file\": {\"name\": \"wishlist.fnt\", 
\"owner\": {\"name\": \"Proof\", \"type\": \"genius\", \"uid\": \"442e1d74-61be-11ee-ac9e-0242ac110005\", \"type_id\": 99}, \"type\": \"Regular File\", \"path\": \"bouquet bibliography pull/dumb.mov/wishlist.fnt\", \"modifier\": {\"name\": \"Victory\", \"type\": \"User\", \"uid\": \"442e4920-61be-11ee-ab85-0242ac110005\", \"type_id\": 1, \"account\": {\"name\": \"me tagged lang\", \"type\": \"AWS IAM Role\", \"uid\": \"442e5168-61be-11ee-a406-0242ac110005\", \"type_id\": 4}, \"email_addr\": \"Zona@partners.mil\"}, \"product\": {\"name\": \"written em fujitsu\", \"version\": \"1.0.0\", \"uid\": \"442e6324-61be-11ee-9f29-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"sounds di inquiry\"}, \"type_id\": 1, \"company_name\": \"Tamara Porsha\", \"parent_folder\": \"bouquet bibliography pull/dumb.mov\", \"hashes\": [{\"value\": \"EA326FE8119ACC03CB82276431BF6120811A2EE778F15E25088100D62EF8410FAD0B948395B7204152892B06C76A6405752FE2115D4B22CAF5461B8DA8D74966\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"uid\": \"442e6b76-61be-11ee-ab8d-0242ac110005\", \"cmd_line\": \"fox breathing excluded\", \"container\": {\"name\": \"obtained thompson wait\", \"size\": 1304039495, \"uid\": \"442e74ae-61be-11ee-bee1-0242ac110005\", \"image\": {\"name\": \"ou false horn\", \"tag\": \"widely concerns ranger\", \"uid\": \"442e7aa8-61be-11ee-92c0-0242ac110005\"}, \"hash\": {\"value\": \"34BF8F4BFD5096DFE4AD7B1FC397EE225004242E\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"orchestrator\": \"cingular grow causing\"}, \"created_time\": 1695272181548, \"integrity\": \"races parcel generating\", \"namespace_pid\": 54, \"parent_process\": {\"name\": \"Kai\", \"pid\": 23, \"file\": {\"attributes\": 99, \"name\": \"conceptual.py\", \"type\": \"Named Pipe\", \"path\": \"impression finance trader/fragrances.sql/conceptual.py\", \"signature\": {\"digest\": {\"value\": \"46A80AC3F38096FE6828377277FC50B39BB0C646F94FC178876749ADE0DA96DE\", \"algorithm\": \"magic\", \"algorithm_id\": 
99}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"jumping experts visitors\", \"issuer\": \"enterprise game humanitarian\", \"fingerprints\": [{\"value\": \"6B70FC8DC165E533CBF2BCD7C70701DE3B3E114D\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"FCC3C0E1B16A999DE463D9C657DCA7E366719DE7E84E9C4EC1E41B0E744F649955B9E844AD173EBB3075A18E757DAF50733546203C86FB3209652FC0FB80534C\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"grad newest earlier\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"type_id\": 6, \"parent_folder\": \"impression finance trader/fragrances.sql\", \"accessed_time\": 1695272181548, \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"is_system\": true, \"security_descriptor\": \"ni easter snapshot\", \"modified_time_dt\": \"2023-10-03T07:27:11.064617Z\"}, \"user\": {\"name\": \"Da\", \"type\": \"ben\", \"domain\": \"dubai sys drum\", \"uid\": \"442ed390-61be-11ee-902b-0242ac110005\", \"groups\": [{\"name\": \"implications fred rent\", \"uid\": \"442ed976-61be-11ee-acb4-0242ac110005\"}, {\"type\": \"hundred suggesting radius\", \"uid\": \"442ede6c-61be-11ee-815a-0242ac110005\"}], \"type_id\": 99, \"uid_alt\": \"documents harmony austria\"}, \"uid\": \"442ee2d6-61be-11ee-ad3f-0242ac110005\", \"session\": {\"uid\": \"442ee7f4-61be-11ee-a967-0242ac110005\", \"uuid\": \"442eeb3c-61be-11ee-a179-0242ac110005\", \"issuer\": \"robots places depression\", \"created_time\": 1695272181548, \"is_remote\": false}, \"cmd_line\": \"operations expanded ht\", \"container\": {\"name\": \"victor civic segments\", \"size\": 2232172986, \"uid\": \"442ef1ea-61be-11ee-870d-0242ac110005\", \"image\": {\"name\": \"weird sep allowing\", \"uid\": \"442efa14-61be-11ee-8abf-0242ac110005\", \"labels\": [\"amplifier\"]}, \"hash\": {\"value\": 
\"27D94D1C177AA8E0E6E8A4F5ECAB104598CD2B62F27D3A26FCDC87A6AA7398BFD85771D86723FEDB24EC75CA439D57127989FB397C1F07F53B35533563BA3274\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}}, \"created_time\": 1695272181548, \"namespace_pid\": 74, \"parent_process\": {\"name\": \"Industries\", \"pid\": 93, \"file\": {\"name\": \"rage.ics\", \"type\": \"Regular File\", \"path\": \"slide sensitivity milton/dsc.kml/rage.ics\", \"type_id\": 1, \"parent_folder\": \"slide sensitivity milton/dsc.kml\", \"accessed_time\": 1695272181548, \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"F10EEB0D89F01824C27418121C62436F\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"B883D1D4320E98F7DE7D6913D7C3DF5503FB17747CCE5EBD6F3384A41414FF8D\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"xattributes\": {}}, \"user\": {\"name\": \"Earrings\", \"type\": \"System\", \"uid\": \"442f0f18-61be-11ee-92c1-0242ac110005\", \"type_id\": 3}, \"uid\": \"442f1314-61be-11ee-a9ee-0242ac110005\", \"container\": {\"name\": \"irish paid ga\", \"runtime\": \"meetings imported nutrition\", \"size\": 706306619, \"uid\": \"442f19c2-61be-11ee-851e-0242ac110005\", \"image\": {\"name\": \"struct wind included\", \"uid\": \"442f39ca-61be-11ee-9840-0242ac110005\", \"labels\": [\"hourly\"]}, \"hash\": {\"value\": \"C4802F4F55FE24BE9AF5F053E8719A9BC77381D625A0D27A35201C772CFD324009461ABCAC4A120286B98C707400807BB9DF7CFB3AA2C3BBF04EBB41E2AD07B3\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695272181548, \"namespace_pid\": 46, \"parent_process\": {\"name\": \"Employed\", \"pid\": 49, \"file\": {\"name\": \"nextel.dat\", \"type\": \"Unknown\", \"path\": \"exhibitions grad folks/lonely.yuv/nextel.dat\", \"desc\": \"parking hazards hunter\", \"type_id\": 0, \"parent_folder\": \"exhibitions grad folks/lonely.yuv\", \"hashes\": [{\"value\": 
\"1FE380DD618981AF242E43F459760A9F0C89B6D74E1C7544A298FBA160545A4F047CFFB754779F8EAD083609F87AB1EF4DE7D3630EDA324A5052064685D8A814\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"27D3F37EB6F68FBB9EDC408AAFC6035EF463633CB1D425DD737C0AD4F6A2442EE5857F1FD9BB49C0A3030802642A48CB4AADBAFC7B20B82DE18144D2E360B551\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"is_system\": true, \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Affiliation\", \"type\": \"User\", \"uid\": \"442f881c-61be-11ee-8d6d-0242ac110005\", \"type_id\": 1, \"credential_uid\": \"442f8c40-61be-11ee-858e-0242ac110005\"}, \"tid\": 75, \"uid\": \"442f8fb0-61be-11ee-b4aa-0242ac110005\", \"cmd_line\": \"directive rico hs\", \"container\": {\"name\": \"depot lanes mai\", \"size\": 4170062018, \"uid\": \"442f976c-61be-11ee-8026-0242ac110005\", \"image\": {\"name\": \"inappropriate burden hoped\", \"uid\": \"442f9c62-61be-11ee-81fa-0242ac110005\"}, \"hash\": {\"value\": \"FE9E27DD7BF526B57D69D3BD9FAC33DC\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"created_time\": 1695272181548, \"namespace_pid\": 5, \"parent_process\": {\"pid\": 4, \"file\": {\"attributes\": 28, \"name\": \"centered.txt\", \"size\": 724911628, \"type\": \"Unknown\", \"path\": \"patrol considers alternative/bargains.xlr/centered.txt\", \"type_id\": 0, \"accessor\": {\"name\": \"Bailey\", \"type\": \"User\", \"uid\": \"442fac66-61be-11ee-b373-0242ac110005\", \"org\": {\"name\": \"nova identification paul\", \"uid\": \"442fb1a2-61be-11ee-9fd5-0242ac110005\", \"ou_name\": \"honors tattoo australian\"}, \"type_id\": 1, \"credential_uid\": \"442fb5ee-61be-11ee-a469-0242ac110005\", \"email_addr\": \"Almeda@representations.biz\"}, \"company_name\": \"Chery Hunter\", \"mime_type\": \"finish/councils\", \"parent_folder\": \"patrol considers alternative/bargains.xlr\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"2E5106CC0168994B4FE52AC9F67394250EE7504DB2DB5DE3CE0AC0A6E01DFA01\", \"algorithm\": 
\"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"37A8A4AF49E5E20E61CF73D569C93D3F839D333C98BADE757EC2C5093C969DBEBC2707A0A2C9B4709FB6986E18991E93BA14C3CC2799E6153B1BEA132224F02B\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Achieving\", \"type\": \"System\", \"uid\": \"442fbf76-61be-11ee-b1ce-0242ac110005\", \"org\": {\"uid\": \"442fc408-61be-11ee-a83e-0242ac110005\", \"ou_name\": \"drunk pt locations\"}, \"groups\": [{\"name\": \"blackberry genetics dsc\", \"uid\": \"442fc93a-61be-11ee-93e5-0242ac110005\", \"privileges\": [\"counter relocation association\", \"precise nurses satisfactory\"]}, {\"name\": \"munich clothing commit\", \"uid\": \"442fcd54-61be-11ee-ab07-0242ac110005\"}], \"type_id\": 3, \"account\": {\"name\": \"batman sprint established\", \"type\": \"Linux Account\", \"type_id\": 9}}, \"uid\": \"442fd27c-61be-11ee-bc32-0242ac110005\", \"session\": {\"uid\": \"442fda56-61be-11ee-93d0-0242ac110005\", \"issuer\": \"vacation obligation refused\", \"created_time\": 1695272181548, \"is_remote\": false}, \"cmd_line\": \"portfolio syracuse zinc\", \"container\": {\"name\": \"extremely bridges jane\", \"size\": 2170520292, \"tag\": \"magnificent nerve ethnic\", \"uid\": \"442fe3ca-61be-11ee-ac04-0242ac110005\", \"image\": {\"uid\": \"442fe870-61be-11ee-8322-0242ac110005\"}, \"hash\": {\"value\": \"E9264147B413746293E539868C8EDFF71715E1E3\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"pod_uuid\": \"save\"}, \"created_time\": 1695272181548, \"namespace_pid\": 10, \"parent_process\": {\"name\": \"Flags\", \"pid\": 12, \"file\": {\"name\": \"stats.cs\", \"size\": 3217957879, \"type\": \"Block Device\", \"path\": \"well vacations concrete/hamburg.vcf/stats.cs\", \"modifier\": {\"type\": \"System\", \"uid\": \"442ff8e2-61be-11ee-bc3b-0242ac110005\", \"type_id\": 3}, \"desc\": \"supporters billy surgeon\", \"product\": {\"name\": \"rare musical oregon\", \"version\": \"1.0.0\", \"uid\": 
\"442ffee6-61be-11ee-b950-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"moms scholarships pins\"}, \"type_id\": 4, \"parent_folder\": \"well vacations concrete/hamburg.vcf\", \"hashes\": [{\"value\": \"220358975ACF552AE828178DC72009FA5342AB5C33895C6E9E5048EF5BD044736C17B29683CD4CD82D017C7D963FB9AE740735C6D31E956B42C4A45F803F6EDA\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"security_descriptor\": \"dave manufacturing applicant\", \"modified_time_dt\": \"2023-10-03T07:27:11.074123Z\"}, \"user\": {\"name\": \"Rod\", \"type\": \"fiji\", \"uid\": \"44300a4e-61be-11ee-b6bc-0242ac110005\", \"type_id\": 99}, \"uid\": \"44300e5e-61be-11ee-8332-0242ac110005\", \"cmd_line\": \"easter anaheim introductory\", \"container\": {\"name\": \"clone sic tight\", \"size\": 3536383459, \"uid\": \"443013cc-61be-11ee-a273-0242ac110005\", \"image\": {\"name\": \"jonathan calculation incomplete\", \"uid\": \"4430194e-61be-11ee-a776-0242ac110005\"}, \"hash\": {\"value\": \"A63B60EEA4665F00EDDB1E2A8FECCFEA7634F795\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}}, \"created_time\": 1695272181548, \"integrity\": \"guys document multimedia\", \"lineage\": [\"weight anytime gzip\", \"subcommittee milan reasonable\"], \"namespace_pid\": 4, \"parent_process\": {\"name\": \"Vat\", \"pid\": 10, \"file\": {\"name\": \"fioricet.lnk\", \"owner\": {\"name\": \"Vid\", \"type\": \"Admin\", \"uid\": \"44302a6a-61be-11ee-b70a-0242ac110005\", \"type_id\": 2, \"email_addr\": \"Elise@starts.museum\", \"uid_alt\": \"supplied epic spas\"}, \"type\": \"Unknown\", \"uid\": \"44302f24-61be-11ee-99d3-0242ac110005\", \"type_id\": 0, \"company_name\": \"Archie Lesley\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"F7EDAF3282DAFB609C7D421B786486F127371E76\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"security_descriptor\": \"believes airlines granted\"}, \"user\": {\"name\": \"Candles\", \"type\": \"User\", \"domain\": \"restaurants instead occurring\", \"uid\": 
\"443039a6-61be-11ee-8f9f-0242ac110005\", \"type_id\": 1, \"full_name\": \"Margareta Elden\", \"credential_uid\": \"44303eba-61be-11ee-ab60-0242ac110005\"}, \"session\": {\"uid\": \"443043ec-61be-11ee-96c0-0242ac110005\", \"issuer\": \"mediterranean provider something\", \"created_time\": 1695272181548, \"is_remote\": true}, \"loaded_modules\": [\"/timing/norm/crime/apollo/pollution.dwg\"], \"cmd_line\": \"robinson hunter anne\", \"container\": {\"name\": \"magnificent capabilities ideal\", \"size\": 3127592961, \"uid\": \"44305030-61be-11ee-b7e4-0242ac110005\", \"image\": {\"name\": \"mistake baseball jordan\", \"uid\": \"4430571a-61be-11ee-8c37-0242ac110005\"}, \"hash\": {\"value\": \"4B4AACD68CE2D5C32C8437FC88E56923FA0DDADFEA6532D34FA536A344FDD0F482CB0159A5237950B31A7F3D097FED596515444734A2DF56CF7D38A74DCA94D7\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}}, \"created_time\": 1695272181548, \"integrity\": \"reality\", \"integrity_id\": 99, \"namespace_pid\": 41, \"parent_process\": {\"name\": \"Cart\", \"pid\": 36, \"file\": {\"name\": \"ts.exe\", \"owner\": {\"name\": \"Commander\", \"type\": \"motherboard\", \"domain\": \"andale museum reality\", \"uid\": \"44306aca-61be-11ee-be86-0242ac110005\", \"type_id\": 99, \"credential_uid\": \"44306ef8-61be-11ee-b8fd-0242ac110005\", \"uid_alt\": \"verzeichnis prefer soccer\"}, \"type\": \"Regular File\", \"type_id\": 1, \"confidentiality\": \"Not Confidential\", \"confidentiality_id\": 1, \"hashes\": [{\"value\": \"ADCAA40050F92C2A48474F33D6E697529CA1D0BD1FCC6D553290E4655C5F0BA7FAB42B475667A0C8EAD38187E3AFBE5AC9C7F3A68C87167BCF01080031CE50FB\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"D1F34CA31A773B2BDD48DB8EC34E2B88EA9746B72EB845256BE259CA7D5D9E5F\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"xattributes\": {}}, \"user\": {\"name\": \"Editorial\", \"type\": \"Unknown\", \"uid\": \"44307e70-61be-11ee-a962-0242ac110005\", \"org\": {\"name\": \"insulin identical prizes\", \"uid\": 
\"44308564-61be-11ee-abd1-0242ac110005\"}, \"type_id\": 0, \"account\": {\"name\": \"hewlett then appendix\", \"type\": \"GCP Account\", \"type_id\": 5}}, \"uid\": \"44308c3a-61be-11ee-93fe-0242ac110005\", \"cmd_line\": \"territories year excluded\", \"created_time\": 1695272181548, \"namespace_pid\": 51, \"parent_process\": {\"name\": \"Identical\", \"file\": {\"name\": \"underwear.sdf\", \"type\": \"Named Pipe\", \"version\": \"1.0.0\", \"path\": \"writer photoshop lane/st.sdf/underwear.sdf\", \"type_id\": 6, \"company_name\": \"Rosendo Grace\", \"parent_folder\": \"writer photoshop lane/st.sdf\", \"confidentiality\": \"cut salt catch\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"0F4CF4B2CE58DE3BF03D760DE38955BF246F80BAB6F81927F253AB5D9773EB75\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"647878B29B754A911F330D47137E3068A61F6185ED78B1AA43695E4A1D98607D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time_dt\": \"2023-10-03T07:27:11.078126Z\"}, \"user\": {\"name\": \"Spank\", \"type\": \"User\", \"uid\": \"4430a878-61be-11ee-af22-0242ac110005\", \"org\": {\"name\": \"von reservoir moore\", \"uid\": \"4430adc8-61be-11ee-b4ba-0242ac110005\", \"ou_name\": \"photos nat eds\", \"ou_uid\": \"4430b502-61be-11ee-8f5b-0242ac110005\"}, \"type_id\": 1, \"credential_uid\": \"4430b912-61be-11ee-8411-0242ac110005\", \"email_addr\": \"Ena@hearing.int\"}, \"cmd_line\": \"suited pace informal\", \"container\": {\"name\": \"elegant rankings wild\", \"size\": 2933994191, \"uid\": \"4430bf98-61be-11ee-b010-0242ac110005\", \"hash\": {\"value\": \"6F4F28E68A201B8127A08D889356FCFA0C736B9FD1330596E58F7D1669820A151705235B2F41C93CE5159EC808FE328BCED0BBC02E6C20382443EBB5ACDD6023\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"network_driver\": \"what belgium used\", \"orchestrator\": \"everyone ho alternative\", \"pod_uuid\": \"rocky\"}, \"created_time\": 1695272181548, \"namespace_pid\": 66, \"parent_process\": {\"name\": 
\"Documentation\", \"pid\": 70, \"file\": {\"name\": \"space.js\", \"size\": 3135869827, \"type\": \"Regular File\", \"version\": \"1.0.0\", \"path\": \"cookbook dc effort/abc.pkg/space.js\", \"type_id\": 1, \"parent_folder\": \"cookbook dc effort/abc.pkg\", \"hashes\": [{\"value\": \"7F572F2B5A5DED4063EF1594729C97543A900961\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"D6CDFD95B6030B86B739AC2B7575BA411041446BFEF23DF7765EC4B470C9A5D2E182599FBA3C539E0EBEAF5E656A808285FED2455EB8F7E802ABD6245CB543FC\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Ser\", \"type\": \"boom\", \"org\": {\"ou_name\": \"officials watches house\"}, \"type_id\": 99, \"account\": {\"name\": \"pas jacob personals\", \"type\": \"GCP Account\", \"uid\": \"4430d578-61be-11ee-ab48-0242ac110005\", \"type_id\": 5}, \"email_addr\": \"Charlette@anytime.jobs\"}, \"uid\": \"4430d9d8-61be-11ee-a2ef-0242ac110005\", \"cmd_line\": \"adolescent agreements wooden\", \"container\": {\"name\": \"sparc memphis paid\", \"size\": 3567867280, \"tag\": \"agency ended lambda\", \"uid\": \"4430dfe6-61be-11ee-bbae-0242ac110005\", \"hash\": {\"value\": \"6DBDD59AB542C91F19905B4D8672B5320DCBA285\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"orchestrator\": \"workstation opening cambridge\", \"pod_uuid\": \"rendering\"}, \"integrity\": \"podcasts owned how\", \"namespace_pid\": 79, \"parent_process\": {\"name\": \"Triangle\", \"pid\": 76, \"file\": {\"name\": \"xl.php\", \"type\": \"Symbolic Link\", \"path\": \"beneath among lands/resort.cbr/xl.php\", \"desc\": \"panic united modeling\", \"type_id\": 7, \"parent_folder\": \"beneath among lands/resort.cbr\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"value\": \"9A5751D5ACECF26FF7EB2B33C144EFCE1C69FE9A\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"F803B26388365E33184D5CC145D868E1B8DF74D5\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], 
\"is_system\": false, \"xattributes\": {}, \"accessed_time_dt\": \"2023-10-03T07:27:11.080165Z\"}, \"user\": {\"type\": \"System\", \"uid\": \"4430f40e-61be-11ee-86fe-0242ac110005\", \"org\": {\"name\": \"important analog unnecessary\", \"uid\": \"4430faee-61be-11ee-b642-0242ac110005\", \"ou_name\": \"highlights douglas manufacturer\"}, \"groups\": [{\"name\": \"go prohibited oxford\", \"uid\": \"44310066-61be-11ee-99fb-0242ac110005\"}], \"type_id\": 3}, \"tid\": 20, \"uid\": \"443103fe-61be-11ee-8306-0242ac110005\", \"container\": {\"name\": \"flex operational statistical\", \"uid\": \"4431094e-61be-11ee-a229-0242ac110005\", \"hash\": {\"value\": \"4DA1DD452B8D517803494B5E00054136CCF55DF19FF70469451D438255FC03B1FA45BB3A48C03F49FCCE16708623DA0458F11C60EC6D10453E6D6AB6C6492E15\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"orchestrator\": \"performed gadgets bank\", \"pod_uuid\": \"password\"}, \"created_time\": 1695272181548, \"namespace_pid\": 98}}}, \"sandbox\": \"pendant funds intervals\", \"terminated_time_dt\": \"2023-10-03T07:27:11.080957Z\"}, \"xattributes\": {}, \"terminated_time_dt\": \"2023-10-03T07:27:11.080979Z\"}, \"sandbox\": \"earl manually converter\"}}, \"sandbox\": \"mexican broadway volleyball\", \"terminated_time_dt\": \"2023-10-03T07:27:11.081001Z\"}, \"xattributes\": {}}, \"created_time_dt\": \"2023-10-03T07:27:11.081016Z\"}, \"sandbox\": \"deep simply nn\", \"xattributes\": {}}, \"sandbox\": \"repeat checked peace\", \"xattributes\": {}, \"terminated_time_dt\": \"2023-10-03T07:27:11.081046Z\"}, \"sandbox\": \"rational girls corner\"}, \"created_time_dt\": \"2023-10-03T07:27:11.081059Z\", \"terminated_time_dt\": \"2023-10-03T07:27:11.081081Z\"}, \"user\": {\"type\": \"System\", \"uid\": \"4431189e-61be-11ee-bc71-0242ac110005\", \"type_id\": 3, \"credential_uid\": \"44311cae-61be-11ee-9f07-0242ac110005\"}}, \"actual_permissions\": 48, \"cloud\": {\"provider\": \"nu connector termination\", \"region\": \"lose activists occurred\"}, 
\"end_time\": 1695272181548, \"severity_id\": 99, \"status_id\": 99}",
+ "event": {
+ "action": "set user id",
+ "category": [
+ "process"
+ ],
+ "code": "paths",
+ "end": "2023-09-21T04:56:21.548000Z",
+ "provider": "gays consultation motivated",
+ "severity": 99,
+ "start": "2023-09-21T04:56:21.548000Z",
+ "type": [
+ "info"
+ ]
+ },
+ "cloud": {
+ "provider": "nu connector termination",
+ "region": "lose activists occurred"
+ },
+ "ocsf": "{\"activity_id\": 5, \"activity_name\": \"Set User ID\", \"actor\": {\"process\": {\"cmd_line\": \"wrist teach engaging\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"2A9141F10042E65FE9B037DE88C913D5CB6420C809E4F70D77B0C1CD0DB599E0DA4CC22A8E772350CACDACD72722801EA7BEAAE4B6D79D3949E37DB3492F1892\"}, \"image\": {\"labels\": [\"beef\"], \"name\": \"janet flights pct\", \"tag\": \"reporter calculator population\", \"uid\": \"442ca5e8-61be-11ee-ac6f-0242ac110005\"}, \"name\": \"disabled underlying prerequisite\", \"runtime\": \"ntsc replacing emotional\", \"size\": 1294218177, \"uid\": \"442ca070-61be-11ee-b847-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T07:27:11.081059Z\", \"file\": {\"accessed_time_dt\": \"2023-10-03T07:27:11.051398Z\", \"attributes\": 71, \"hashes\": [{\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"DBC811458704E7331C9D9B3365E5DB08E8D9247CEDBE9F8FFED69606E0A5CE644230CB925F7AE8919137B51CE7E4797EC55533D10E6AF32B803BAB785848BD58\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"74900E05175C9BD82834F761CAE8D37E3190933ED2249C16508DB4053419EDAEE6ADD186BACD19C2AF5686BC9D15177A7960A70D7A385EB3E05AF555356368E6\"}], \"name\": \"game.crdownload\", \"parent_folder\": \"district moment specs/consolidation.mp3\", \"path\": \"district moment specs/consolidation.mp3/game.crdownload\", \"type\": \"Symbolic Link\", \"type_id\": 7, \"xattributes\": {}}, \"integrity\": \"Low\", \"integrity_id\": 2, \"name\": 
\"Woman\", \"namespace_pid\": 96, \"parent_process\": {\"cmd_line\": \"shopzilla signal shift\", \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Margurite Hester\", \"created_time_dt\": \"2023-10-03T07:27:11.052592Z\", \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"C87068358A2AF25FB6462D2E9D5CEE0C1B843771EE363E91B70497182AC6058683881C15DDFF011CE7CAAE6617D935F69F093E8BB488A880E8A559A8AC1073FA\"}], \"modified_time\": 1695272181548, \"name\": \"alice.cur\", \"parent_folder\": \"llc snap glossary/striking.cgi\", \"path\": \"llc snap glossary/striking.cgi/alice.cur\", \"security_descriptor\": \"kurt snowboard baby\", \"type\": \"Block Device\", \"type_id\": 4, \"xattributes\": {}}, \"integrity\": \"brush clinton bride\", \"name\": \"Undergraduate\", \"namespace_pid\": 81, \"parent_process\": {\"cmd_line\": \"growing howard error\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"77D19917CD3F9FDA9C5B453897F0829D1D94450C31CB6991090BF4B4F49578CF29BBBBA4AF270287F408F0B9D696F5C18C16366E5CDFFDB199FDFC3E2BF91A62\"}, \"name\": \"stand tumor previously\", \"network_driver\": \"receiver recommended governor\", \"size\": 61744955, \"uid\": \"442d84ae-61be-11ee-a35f-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessor\": {\"email_addr\": \"Alethea@fa.web\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"442d1b40-61be-11ee-8249-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T07:27:11.055203Z\", \"desc\": \"dynamics dg islamic\", \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"4095391C7E3E04FF12C9AD2E6C49BD63DFE77E885ACAADD3B58A1D8895383044\"}], \"is_system\": false, \"name\": \"es.sql\", \"parent_folder\": \"sarah receivers appropriate/keen.cpl\", \"path\": \"sarah receivers appropriate/keen.cpl/es.sql\", \"type\": \"Regular File\", \"type_id\": 1}, \"loaded_modules\": [\"/instantly/lazy/quickly/junk/relates.gadget\", 
\"/gentle/sen/bridge/brochure/county.cbr\"], \"name\": \"Danger\", \"namespace_pid\": 25, \"parent_process\": {\"cmd_line\": \"fox breathing excluded\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"34BF8F4BFD5096DFE4AD7B1FC397EE225004242E\"}, \"image\": {\"name\": \"ou false horn\", \"tag\": \"widely concerns ranger\", \"uid\": \"442e7aa8-61be-11ee-92c0-0242ac110005\"}, \"name\": \"obtained thompson wait\", \"orchestrator\": \"cingular grow causing\", \"size\": 1304039495, \"uid\": \"442e74ae-61be-11ee-bee1-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Tamara Porsha\", \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"EA326FE8119ACC03CB82276431BF6120811A2EE778F15E25088100D62EF8410FAD0B948395B7204152892B06C76A6405752FE2115D4B22CAF5461B8DA8D74966\"}], \"modifier\": {\"account\": {\"name\": \"me tagged lang\", \"type\": \"AWS IAM Role\", \"type_id\": 4, \"uid\": \"442e5168-61be-11ee-a406-0242ac110005\"}, \"email_addr\": \"Zona@partners.mil\", \"name\": \"Victory\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"442e4920-61be-11ee-ab85-0242ac110005\"}, \"name\": \"wishlist.fnt\", \"owner\": {\"name\": \"Proof\", \"type\": \"genius\", \"type_id\": 99, \"uid\": \"442e1d74-61be-11ee-ac9e-0242ac110005\"}, \"parent_folder\": \"bouquet bibliography pull/dumb.mov\", \"path\": \"bouquet bibliography pull/dumb.mov/wishlist.fnt\", \"product\": {\"lang\": \"en\", \"name\": \"written em fujitsu\", \"uid\": \"442e6324-61be-11ee-9f29-0242ac110005\", \"vendor_name\": \"sounds di inquiry\", \"version\": \"1.0.0\"}, \"type\": \"Regular File\", \"type_id\": 1}, \"integrity\": \"races parcel generating\", \"name\": \"Virtue\", \"namespace_pid\": 54, \"parent_process\": {\"cmd_line\": \"operations expanded ht\", \"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": 
\"27D94D1C177AA8E0E6E8A4F5ECAB104598CD2B62F27D3A26FCDC87A6AA7398BFD85771D86723FEDB24EC75CA439D57127989FB397C1F07F53B35533563BA3274\"}, \"image\": {\"labels\": [\"amplifier\"], \"name\": \"weird sep allowing\", \"uid\": \"442efa14-61be-11ee-8abf-0242ac110005\"}, \"name\": \"victor civic segments\", \"size\": 2232172986, \"uid\": \"442ef1ea-61be-11ee-870d-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T07:27:11.081016Z\", \"file\": {\"accessed_time\": 1695272181548, \"attributes\": 99, \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"is_system\": true, \"modified_time_dt\": \"2023-10-03T07:27:11.064617Z\", \"name\": \"conceptual.py\", \"parent_folder\": \"impression finance trader/fragrances.sql\", \"path\": \"impression finance trader/fragrances.sql/conceptual.py\", \"security_descriptor\": \"ni easter snapshot\", \"signature\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"6B70FC8DC165E533CBF2BCD7C70701DE3B3E114D\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"FCC3C0E1B16A999DE463D9C657DCA7E366719DE7E84E9C4EC1E41B0E744F649955B9E844AD173EBB3075A18E757DAF50733546203C86FB3209652FC0FB80534C\"}], \"issuer\": \"enterprise game humanitarian\", \"serial_number\": \"grad newest earlier\", \"subject\": \"jumping experts visitors\", \"version\": \"1.0.0\"}, \"digest\": {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"46A80AC3F38096FE6828377277FC50B39BB0C646F94FC178876749ADE0DA96DE\"}}, \"type\": \"Named Pipe\", \"type_id\": 6}, \"name\": \"Kai\", \"namespace_pid\": 74, \"parent_process\": {\"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"C4802F4F55FE24BE9AF5F053E8719A9BC77381D625A0D27A35201C772CFD324009461ABCAC4A120286B98C707400807BB9DF7CFB3AA2C3BBF04EBB41E2AD07B3\"}, \"image\": {\"labels\": 
[\"hourly\"], \"name\": \"struct wind included\", \"uid\": \"442f39ca-61be-11ee-9840-0242ac110005\"}, \"name\": \"irish paid ga\", \"runtime\": \"meetings imported nutrition\", \"size\": 706306619, \"uid\": \"442f19c2-61be-11ee-851e-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessed_time\": 1695272181548, \"created_time\": 1695272181548, \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"F10EEB0D89F01824C27418121C62436F\"}, {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"B883D1D4320E98F7DE7D6913D7C3DF5503FB17747CCE5EBD6F3384A41414FF8D\"}], \"name\": \"rage.ics\", \"parent_folder\": \"slide sensitivity milton/dsc.kml\", \"path\": \"slide sensitivity milton/dsc.kml/rage.ics\", \"type\": \"Regular File\", \"type_id\": 1, \"xattributes\": {}}, \"name\": \"Industries\", \"namespace_pid\": 46, \"parent_process\": {\"cmd_line\": \"directive rico hs\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"FE9E27DD7BF526B57D69D3BD9FAC33DC\"}, \"image\": {\"name\": \"inappropriate burden hoped\", \"uid\": \"442f9c62-61be-11ee-81fa-0242ac110005\"}, \"name\": \"depot lanes mai\", \"size\": 4170062018, \"uid\": \"442f976c-61be-11ee-8026-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"desc\": \"parking hazards hunter\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"1FE380DD618981AF242E43F459760A9F0C89B6D74E1C7544A298FBA160545A4F047CFFB754779F8EAD083609F87AB1EF4DE7D3630EDA324A5052064685D8A814\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"27D3F37EB6F68FBB9EDC408AAFC6035EF463633CB1D425DD737C0AD4F6A2442EE5857F1FD9BB49C0A3030802642A48CB4AADBAFC7B20B82DE18144D2E360B551\"}], \"is_system\": true, \"modified_time\": 1695272181548, \"name\": \"nextel.dat\", \"parent_folder\": \"exhibitions grad folks/lonely.yuv\", \"path\": \"exhibitions grad folks/lonely.yuv/nextel.dat\", \"type\": \"Unknown\", \"type_id\": 0}, \"name\": \"Employed\", 
\"namespace_pid\": 5, \"parent_process\": {\"cmd_line\": \"portfolio syracuse zinc\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"E9264147B413746293E539868C8EDFF71715E1E3\"}, \"image\": {\"uid\": \"442fe870-61be-11ee-8322-0242ac110005\"}, \"name\": \"extremely bridges jane\", \"pod_uuid\": \"save\", \"size\": 2170520292, \"tag\": \"magnificent nerve ethnic\", \"uid\": \"442fe3ca-61be-11ee-ac04-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessor\": {\"credential_uid\": \"442fb5ee-61be-11ee-a469-0242ac110005\", \"email_addr\": \"Almeda@representations.biz\", \"name\": \"Bailey\", \"org\": {\"name\": \"nova identification paul\", \"ou_name\": \"honors tattoo australian\", \"uid\": \"442fb1a2-61be-11ee-9fd5-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": \"442fac66-61be-11ee-b373-0242ac110005\"}, \"attributes\": 28, \"company_name\": \"Chery Hunter\", \"created_time\": 1695272181548, \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"2E5106CC0168994B4FE52AC9F67394250EE7504DB2DB5DE3CE0AC0A6E01DFA01\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"37A8A4AF49E5E20E61CF73D569C93D3F839D333C98BADE757EC2C5093C969DBEBC2707A0A2C9B4709FB6986E18991E93BA14C3CC2799E6153B1BEA132224F02B\"}], \"mime_type\": \"finish/councils\", \"modified_time\": 1695272181548, \"name\": \"centered.txt\", \"parent_folder\": \"patrol considers alternative/bargains.xlr\", \"path\": \"patrol considers alternative/bargains.xlr/centered.txt\", \"size\": 724911628, \"type\": \"Unknown\", \"type_id\": 0}, \"namespace_pid\": 10, \"parent_process\": {\"cmd_line\": \"easter anaheim introductory\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"A63B60EEA4665F00EDDB1E2A8FECCFEA7634F795\"}, \"image\": {\"name\": \"jonathan calculation incomplete\", \"uid\": \"4430194e-61be-11ee-a776-0242ac110005\"}, \"name\": \"clone sic tight\", \"size\": 3536383459, \"uid\": 
\"443013cc-61be-11ee-a273-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"desc\": \"supporters billy surgeon\", \"hashes\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"220358975ACF552AE828178DC72009FA5342AB5C33895C6E9E5048EF5BD044736C17B29683CD4CD82D017C7D963FB9AE740735C6D31E956B42C4A45F803F6EDA\"}], \"modified_time_dt\": \"2023-10-03T07:27:11.074123Z\", \"modifier\": {\"type\": \"System\", \"type_id\": 3, \"uid\": \"442ff8e2-61be-11ee-bc3b-0242ac110005\"}, \"name\": \"stats.cs\", \"parent_folder\": \"well vacations concrete/hamburg.vcf\", \"path\": \"well vacations concrete/hamburg.vcf/stats.cs\", \"product\": {\"lang\": \"en\", \"name\": \"rare musical oregon\", \"uid\": \"442ffee6-61be-11ee-b950-0242ac110005\", \"vendor_name\": \"moms scholarships pins\", \"version\": \"1.0.0\"}, \"security_descriptor\": \"dave manufacturing applicant\", \"size\": 3217957879, \"type\": \"Block Device\", \"type_id\": 4}, \"integrity\": \"guys document multimedia\", \"lineage\": [\"weight anytime gzip\", \"subcommittee milan reasonable\"], \"name\": \"Flags\", \"namespace_pid\": 4, \"parent_process\": {\"cmd_line\": \"robinson hunter anne\", \"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"4B4AACD68CE2D5C32C8437FC88E56923FA0DDADFEA6532D34FA536A344FDD0F482CB0159A5237950B31A7F3D097FED596515444734A2DF56CF7D38A74DCA94D7\"}, \"image\": {\"name\": \"mistake baseball jordan\", \"uid\": \"4430571a-61be-11ee-8c37-0242ac110005\"}, \"name\": \"magnificent capabilities ideal\", \"size\": 3127592961, \"uid\": \"44305030-61be-11ee-b7e4-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Archie Lesley\", \"created_time\": 1695272181548, \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"F7EDAF3282DAFB609C7D421B786486F127371E76\"}], \"name\": \"fioricet.lnk\", \"owner\": {\"email_addr\": \"Elise@starts.museum\", \"name\": \"Vid\", \"type\": \"Admin\", \"type_id\": 2, 
\"uid\": \"44302a6a-61be-11ee-b70a-0242ac110005\", \"uid_alt\": \"supplied epic spas\"}, \"security_descriptor\": \"believes airlines granted\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"44302f24-61be-11ee-99d3-0242ac110005\"}, \"integrity\": \"reality\", \"integrity_id\": 99, \"loaded_modules\": [\"/timing/norm/crime/apollo/pollution.dwg\"], \"name\": \"Vat\", \"namespace_pid\": 41, \"parent_process\": {\"cmd_line\": \"territories year excluded\", \"created_time\": 1695272181548, \"file\": {\"confidentiality\": \"Not Confidential\", \"confidentiality_id\": 1, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"ADCAA40050F92C2A48474F33D6E697529CA1D0BD1FCC6D553290E4655C5F0BA7FAB42B475667A0C8EAD38187E3AFBE5AC9C7F3A68C87167BCF01080031CE50FB\"}, {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"D1F34CA31A773B2BDD48DB8EC34E2B88EA9746B72EB845256BE259CA7D5D9E5F\"}], \"name\": \"ts.exe\", \"owner\": {\"credential_uid\": \"44306ef8-61be-11ee-b8fd-0242ac110005\", \"domain\": \"andale museum reality\", \"name\": \"Commander\", \"type\": \"motherboard\", \"type_id\": 99, \"uid\": \"44306aca-61be-11ee-be86-0242ac110005\", \"uid_alt\": \"verzeichnis prefer soccer\"}, \"type\": \"Regular File\", \"type_id\": 1, \"xattributes\": {}}, \"name\": \"Cart\", \"namespace_pid\": 51, \"parent_process\": {\"cmd_line\": \"suited pace informal\", \"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"6F4F28E68A201B8127A08D889356FCFA0C736B9FD1330596E58F7D1669820A151705235B2F41C93CE5159EC808FE328BCED0BBC02E6C20382443EBB5ACDD6023\"}, \"name\": \"elegant rankings wild\", \"network_driver\": \"what belgium used\", \"orchestrator\": \"everyone ho alternative\", \"pod_uuid\": \"rocky\", \"size\": 2933994191, \"uid\": \"4430bf98-61be-11ee-b010-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Rosendo Grace\", \"confidentiality\": \"cut salt catch\", \"created_time\": 1695272181548, 
\"created_time_dt\": \"2023-10-03T07:27:11.078126Z\", \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"0F4CF4B2CE58DE3BF03D760DE38955BF246F80BAB6F81927F253AB5D9773EB75\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"647878B29B754A911F330D47137E3068A61F6185ED78B1AA43695E4A1D98607D\"}], \"name\": \"underwear.sdf\", \"parent_folder\": \"writer photoshop lane/st.sdf\", \"path\": \"writer photoshop lane/st.sdf/underwear.sdf\", \"type\": \"Named Pipe\", \"type_id\": 6, \"version\": \"1.0.0\"}, \"name\": \"Identical\", \"namespace_pid\": 66, \"parent_process\": {\"cmd_line\": \"adolescent agreements wooden\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"6DBDD59AB542C91F19905B4D8672B5320DCBA285\"}, \"name\": \"sparc memphis paid\", \"orchestrator\": \"workstation opening cambridge\", \"pod_uuid\": \"rendering\", \"size\": 3567867280, \"tag\": \"agency ended lambda\", \"uid\": \"4430dfe6-61be-11ee-bbae-0242ac110005\"}, \"file\": {\"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"7F572F2B5A5DED4063EF1594729C97543A900961\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"D6CDFD95B6030B86B739AC2B7575BA411041446BFEF23DF7765EC4B470C9A5D2E182599FBA3C539E0EBEAF5E656A808285FED2455EB8F7E802ABD6245CB543FC\"}], \"modified_time\": 1695272181548, \"name\": \"space.js\", \"parent_folder\": \"cookbook dc effort/abc.pkg\", \"path\": \"cookbook dc effort/abc.pkg/space.js\", \"size\": 3135869827, \"type\": \"Regular File\", \"type_id\": 1, \"version\": \"1.0.0\"}, \"integrity\": \"podcasts owned how\", \"name\": \"Documentation\", \"namespace_pid\": 79, \"parent_process\": {\"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"4DA1DD452B8D517803494B5E00054136CCF55DF19FF70469451D438255FC03B1FA45BB3A48C03F49FCCE16708623DA0458F11C60EC6D10453E6D6AB6C6492E15\"}, \"name\": \"flex operational statistical\", \"orchestrator\": \"performed 
gadgets bank\", \"pod_uuid\": \"password\", \"uid\": \"4431094e-61be-11ee-a229-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessed_time_dt\": \"2023-10-03T07:27:11.080165Z\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"desc\": \"panic united modeling\", \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"9A5751D5ACECF26FF7EB2B33C144EFCE1C69FE9A\"}, {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"F803B26388365E33184D5CC145D868E1B8DF74D5\"}], \"is_system\": false, \"name\": \"xl.php\", \"parent_folder\": \"beneath among lands/resort.cbr\", \"path\": \"beneath among lands/resort.cbr/xl.php\", \"type\": \"Symbolic Link\", \"type_id\": 7, \"xattributes\": {}}, \"name\": \"Triangle\", \"namespace_pid\": 98, \"pid\": 76, \"tid\": 20, \"uid\": \"443103fe-61be-11ee-8306-0242ac110005\", \"user\": {\"groups\": [{\"name\": \"go prohibited oxford\", \"uid\": \"44310066-61be-11ee-99fb-0242ac110005\"}], \"org\": {\"name\": \"important analog unnecessary\", \"ou_name\": \"highlights douglas manufacturer\", \"uid\": \"4430faee-61be-11ee-b642-0242ac110005\"}, \"type\": \"System\", \"type_id\": 3, \"uid\": \"4430f40e-61be-11ee-86fe-0242ac110005\"}}, \"pid\": 70, \"uid\": \"4430d9d8-61be-11ee-a2ef-0242ac110005\", \"user\": {\"account\": {\"name\": \"pas jacob personals\", \"type\": \"GCP Account\", \"type_id\": 5, \"uid\": \"4430d578-61be-11ee-ab48-0242ac110005\"}, \"email_addr\": \"Charlette@anytime.jobs\", \"name\": \"Ser\", \"org\": {\"ou_name\": \"officials watches house\"}, \"type\": \"boom\", \"type_id\": 99}}, \"user\": {\"credential_uid\": \"4430b912-61be-11ee-8411-0242ac110005\", \"email_addr\": \"Ena@hearing.int\", \"name\": \"Spank\", \"org\": {\"name\": \"von reservoir moore\", \"ou_name\": \"photos nat eds\", \"ou_uid\": \"4430b502-61be-11ee-8f5b-0242ac110005\", \"uid\": \"4430adc8-61be-11ee-b4ba-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": \"4430a878-61be-11ee-af22-0242ac110005\"}}, 
\"pid\": 36, \"sandbox\": \"pendant funds intervals\", \"terminated_time_dt\": \"2023-10-03T07:27:11.080957Z\", \"uid\": \"44308c3a-61be-11ee-93fe-0242ac110005\", \"user\": {\"account\": {\"name\": \"hewlett then appendix\", \"type\": \"GCP Account\", \"type_id\": 5}, \"name\": \"Editorial\", \"org\": {\"name\": \"insulin identical prizes\", \"uid\": \"44308564-61be-11ee-abd1-0242ac110005\"}, \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"44307e70-61be-11ee-a962-0242ac110005\"}}, \"pid\": 10, \"session\": {\"created_time\": 1695272181548, \"is_remote\": true, \"issuer\": \"mediterranean provider something\", \"uid\": \"443043ec-61be-11ee-96c0-0242ac110005\"}, \"terminated_time_dt\": \"2023-10-03T07:27:11.080979Z\", \"user\": {\"credential_uid\": \"44303eba-61be-11ee-ab60-0242ac110005\", \"domain\": \"restaurants instead occurring\", \"full_name\": \"Margareta Elden\", \"name\": \"Candles\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"443039a6-61be-11ee-8f9f-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 12, \"sandbox\": \"earl manually converter\", \"uid\": \"44300e5e-61be-11ee-8332-0242ac110005\", \"user\": {\"name\": \"Rod\", \"type\": \"fiji\", \"type_id\": 99, \"uid\": \"44300a4e-61be-11ee-b6bc-0242ac110005\"}}, \"pid\": 4, \"session\": {\"created_time\": 1695272181548, \"is_remote\": false, \"issuer\": \"vacation obligation refused\", \"uid\": \"442fda56-61be-11ee-93d0-0242ac110005\"}, \"uid\": \"442fd27c-61be-11ee-bc32-0242ac110005\", \"user\": {\"account\": {\"name\": \"batman sprint established\", \"type\": \"Linux Account\", \"type_id\": 9}, \"groups\": [{\"name\": \"blackberry genetics dsc\", \"privileges\": [\"counter relocation association\", \"precise nurses satisfactory\"], \"uid\": \"442fc93a-61be-11ee-93e5-0242ac110005\"}, {\"name\": \"munich clothing commit\", \"uid\": \"442fcd54-61be-11ee-ab07-0242ac110005\"}], \"name\": \"Achieving\", \"org\": {\"ou_name\": \"drunk pt locations\", \"uid\": \"442fc408-61be-11ee-a83e-0242ac110005\"}, 
\"type\": \"System\", \"type_id\": 3, \"uid\": \"442fbf76-61be-11ee-b1ce-0242ac110005\"}}, \"pid\": 49, \"sandbox\": \"mexican broadway volleyball\", \"terminated_time_dt\": \"2023-10-03T07:27:11.081001Z\", \"tid\": 75, \"uid\": \"442f8fb0-61be-11ee-b4aa-0242ac110005\", \"user\": {\"credential_uid\": \"442f8c40-61be-11ee-858e-0242ac110005\", \"name\": \"Affiliation\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"442f881c-61be-11ee-8d6d-0242ac110005\"}}, \"pid\": 93, \"uid\": \"442f1314-61be-11ee-a9ee-0242ac110005\", \"user\": {\"name\": \"Earrings\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"442f0f18-61be-11ee-92c1-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 23, \"session\": {\"created_time\": 1695272181548, \"is_remote\": false, \"issuer\": \"robots places depression\", \"uid\": \"442ee7f4-61be-11ee-a967-0242ac110005\", \"uuid\": \"442eeb3c-61be-11ee-a179-0242ac110005\"}, \"uid\": \"442ee2d6-61be-11ee-ad3f-0242ac110005\", \"user\": {\"domain\": \"dubai sys drum\", \"groups\": [{\"name\": \"implications fred rent\", \"uid\": \"442ed976-61be-11ee-acb4-0242ac110005\"}, {\"type\": \"hundred suggesting radius\", \"uid\": \"442ede6c-61be-11ee-815a-0242ac110005\"}], \"name\": \"Da\", \"type\": \"ben\", \"type_id\": 99, \"uid\": \"442ed390-61be-11ee-902b-0242ac110005\", \"uid_alt\": \"documents harmony austria\"}}, \"pid\": 9, \"sandbox\": \"deep simply nn\", \"uid\": \"442e6b76-61be-11ee-ab8d-0242ac110005\", \"xattributes\": {}}, \"pid\": 27, \"sandbox\": \"repeat checked peace\", \"terminated_time_dt\": \"2023-10-03T07:27:11.081046Z\", \"uid\": \"442d4ee4-61be-11ee-a8b0-0242ac110005\", \"user\": {\"account\": {\"name\": \"allows country mineral\", \"type\": \"AWS IAM Role\", \"type_id\": 4, \"uid\": \"442d4a0c-61be-11ee-bd4c-0242ac110005\"}, \"email_addr\": \"Minta@active.biz\", \"name\": \"Strong\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"442d27de-61be-11ee-b498-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 18, \"sandbox\": \"rational girls 
corner\", \"tid\": 18, \"uid\": \"442d08c6-61be-11ee-9eea-0242ac110005\", \"user\": {\"type\": \"System\", \"type_id\": 3, \"uid\": \"442d0416-61be-11ee-8f5e-0242ac110005\"}}, \"pid\": 99, \"terminated_time_dt\": \"2023-10-03T07:27:11.081081Z\", \"uid\": \"442c9a58-61be-11ee-8992-0242ac110005\", \"user\": {\"account\": {\"name\": \"filled lunch processing\", \"type\": \"Windows Account\", \"type_id\": 2, \"uid\": \"442c96ac-61be-11ee-945c-0242ac110005\"}, \"name\": \"Laboratory\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"442c90bc-61be-11ee-8334-0242ac110005\"}}, \"user\": {\"credential_uid\": \"44311cae-61be-11ee-9f07-0242ac110005\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"4431189e-61be-11ee-bc71-0242ac110005\"}}, \"actual_permissions\": 48, \"attacks\": [{\"tactics\": [{\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}, {\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Accessibility Features\", \"uid\": \"T1546.008\"}, \"version\": \"12.1\"}, {\"tactics\": [{\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Web Shell\", \"uid\": \"T1100\"}, \"version\": \"12.1\"}], \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Process Activity\", \"class_uid\": 1007, \"cloud\": {\"provider\": \"nu connector termination\", \"region\": \"lose activists occurred\"}, \"device\": {\"hostname\": \"bags.coop\", \"hypervisor\": \"indianapolis finite serious\", \"interface_name\": \"officials janet subscribe\", \"interface_uid\": \"442a8a60-61be-11ee-b5e8-0242ac110005\", \"ip\": \"81.2.69.142\", \"last_seen_time\": 1695272181548, \"location\": {\"city\": \"Guidance marijuana\", \"continent\": \"North America\", \"coordinates\": [139.683, -39.2278], \"country\": \"AG\", \"desc\": \"Antigua and Barbuda\"}, 
\"modified_time_dt\": \"2023-10-03T07:27:11.038353Z\", \"name\": \"cholesterol republicans albert\", \"org\": {\"name\": \"answer intelligent artificial\", \"ou_name\": \"garlic glucose festival\"}, \"region\": \"argentina andy wyoming\", \"risk_score\": 44, \"type\": \"Virtual\", \"type_id\": 6, \"uid\": \"442a8524-61be-11ee-a4cc-0242ac110005\"}, \"disposition\": \"Unknown\", \"disposition_id\": 0, \"end_time\": 1695272181548, \"message\": \"walnut trucks alabama\", \"metadata\": {\"event_code\": \"paths\", \"log_provider\": \"gays consultation motivated\", \"logged_time\": 1695272181548, \"modified_time_dt\": \"2023-10-03T07:27:11.037636Z\", \"original_time\": \"bolt beds created\", \"processed_time_dt\": \"2023-10-03T07:27:11.037651Z\", \"product\": {\"lang\": \"en\", \"name\": \"rough cfr elephant\", \"uid\": \"442a6c38-61be-11ee-811a-0242ac110005\", \"url_string\": \"cl\", \"vendor_name\": \"turkey directors vacations\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"version\": \"1.0.0\"}, \"severity\": \"doctors\", \"severity_id\": 99, \"start_time\": 1695272181548, \"status\": \"vcr\", \"status_id\": 99, \"time\": 1695272181548, \"timezone_offset\": 75, \"type_name\": \"Process Activity: Set User ID\", \"type_uid\": 100705}"
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_system_activity_7.json b/OCSF/ocsf/tests/test_system_activity_7.json
new file mode 100644
index 000000000..59dc2fa6a
--- /dev/null
+++ b/OCSF/ocsf/tests/test_system_activity_7.json
@@ -0,0 +1,26 @@
+{
+ "input": {
+ "message": "{\"message\": \"appeal verse adjacent\", \"status\": \"Failure\", \"time\": 1695272181548, \"device\": {\"type\": \"IOT\", \"os\": {\"name\": \"officially marks hook\", \"type\": \"iOS\", \"type_id\": 301}, \"ip\": \"81.2.69.142\", \"hostname\": \"paragraph.nato\", \"uid\": \"1d440972-61bd-11ee-b78b-0242ac110005\", \"groups\": [{\"name\": \"summit torture accused\", \"uid\": \"1d43dac4-61bd-11ee-8157-0242ac110005\"}, {\"name\": \"silicon headline seniors\", \"uid\": \"1d43df06-61bd-11ee-884b-0242ac110005\"}], \"type_id\": 7, \"first_seen_time\": 1695272181548, \"hypervisor\": \"listening genres rob\", \"imei\": \"seekers sue networks\", \"instance_uid\": \"1d440530-61bd-11ee-9a80-0242ac110005\", \"interface_name\": \"requiring showtimes only\", \"interface_uid\": \"1d440e68-61bd-11ee-9bc1-0242ac110005\", \"region\": \"terms quarter premium\", \"first_seen_time_dt\": \"2023-10-03T07:18:56.276163Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"extension\": {\"name\": \"attempt directed associate\", \"version\": \"1.0.0\", \"uid\": \"1d43b58a-61bd-11ee-811e-0242ac110005\"}, \"product\": {\"name\": \"gallery crude arc\", \"version\": \"1.0.0\", \"uid\": \"1d43be36-61bd-11ee-9314-0242ac110005\", \"lang\": \"en\", \"url_string\": \"registrar\", \"vendor_name\": \"staffing steven textiles\"}, \"uid\": \"1d43c2b4-61bd-11ee-814c-0242ac110005\", \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"external cadillac navy\", \"log_provider\": \"deadline emissions whilst\", \"original_time\": \"my northwest exhibitions\"}, \"severity\": \"Low\", \"duration\": 4, \"disposition\": \"Restored\", \"type_name\": \"Scheduled Job Activity: Other\", \"activity_id\": 99, \"disposition_id\": 9, \"type_uid\": 100699, \"category_name\": \"System Activity\", \"class_uid\": 1006, \"category_uid\": 1, \"class_name\": \"Scheduled Job Activity\", \"timezone_offset\": 87, \"attacks\": [{\"version\": 
\"12.1\", \"tactics\": [{\"name\": \"Execution The adversary is trying to run malicious code.\", \"uid\": \"TA0002\"}], \"technique\": {\"name\": \"Obtain Capabilities\", \"uid\": \"T1588\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}, {\"name\": \"Persistence The adversary is trying to maintain their foothold.\", \"uid\": \"TA0003\"}, {\"name\": \"Initial Access | The adversary is trying to get into your network.\", \"uid\": \"TA0001\"}], \"technique\": {\"name\": \"Cloud Instance Metadata API\", \"uid\": \"T1522\"}}], \"activity_name\": \"considerable\", \"cloud\": {\"org\": {\"name\": \"pf months already\", \"uid\": \"1d4398de-61bd-11ee-804b-0242ac110005\", \"ou_name\": \"cry centers expense\"}, \"provider\": \"trusts disclose snapshot\", \"region\": \"choose consolidated set\"}, \"severity_id\": 2, \"status_code\": \"respond\", \"status_id\": 2}",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "OCSF",
+ "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5"
+ }
+ }
+ },
+ "expected": {
+ "message": "{\"message\": \"appeal verse adjacent\", \"status\": \"Failure\", \"time\": 1695272181548, \"device\": {\"type\": \"IOT\", \"os\": {\"name\": \"officially marks hook\", \"type\": \"iOS\", \"type_id\": 301}, \"ip\": \"81.2.69.142\", \"hostname\": \"paragraph.nato\", \"uid\": \"1d440972-61bd-11ee-b78b-0242ac110005\", \"groups\": [{\"name\": \"summit torture accused\", \"uid\": \"1d43dac4-61bd-11ee-8157-0242ac110005\"}, {\"name\": \"silicon headline seniors\", \"uid\": \"1d43df06-61bd-11ee-884b-0242ac110005\"}], \"type_id\": 7, \"first_seen_time\": 1695272181548, \"hypervisor\": \"listening genres rob\", \"imei\": \"seekers sue networks\", \"instance_uid\": \"1d440530-61bd-11ee-9a80-0242ac110005\", \"interface_name\": \"requiring showtimes only\", \"interface_uid\": \"1d440e68-61bd-11ee-9bc1-0242ac110005\", \"region\": \"terms quarter premium\", 
\"first_seen_time_dt\": \"2023-10-03T07:18:56.276163Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"extension\": {\"name\": \"attempt directed associate\", \"version\": \"1.0.0\", \"uid\": \"1d43b58a-61bd-11ee-811e-0242ac110005\"}, \"product\": {\"name\": \"gallery crude arc\", \"version\": \"1.0.0\", \"uid\": \"1d43be36-61bd-11ee-9314-0242ac110005\", \"lang\": \"en\", \"url_string\": \"registrar\", \"vendor_name\": \"staffing steven textiles\"}, \"uid\": \"1d43c2b4-61bd-11ee-814c-0242ac110005\", \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"external cadillac navy\", \"log_provider\": \"deadline emissions whilst\", \"original_time\": \"my northwest exhibitions\"}, \"severity\": \"Low\", \"duration\": 4, \"disposition\": \"Restored\", \"type_name\": \"Scheduled Job Activity: Other\", \"activity_id\": 99, \"disposition_id\": 9, \"type_uid\": 100699, \"category_name\": \"System Activity\", \"class_uid\": 1006, \"category_uid\": 1, \"class_name\": \"Scheduled Job Activity\", \"timezone_offset\": 87, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Execution The adversary is trying to run malicious code.\", \"uid\": \"TA0002\"}], \"technique\": {\"name\": \"Obtain Capabilities\", \"uid\": \"T1588\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}, {\"name\": \"Persistence The adversary is trying to maintain their foothold.\", \"uid\": \"TA0003\"}, {\"name\": \"Initial Access | The adversary is trying to get into your network.\", \"uid\": \"TA0001\"}], \"technique\": {\"name\": \"Cloud Instance Metadata API\", \"uid\": \"T1522\"}}], \"activity_name\": \"considerable\", \"cloud\": {\"org\": {\"name\": \"pf months already\", \"uid\": \"1d4398de-61bd-11ee-804b-0242ac110005\", \"ou_name\": \"cry centers expense\"}, \"provider\": \"trusts disclose snapshot\", \"region\": \"choose consolidated 
set\"}, \"severity_id\": 2, \"status_code\": \"respond\", \"status_id\": 2}",
+ "event": {
+ "action": "considerable",
+ "duration": 4000000,
+ "outcome": "failure",
+ "provider": "deadline emissions whilst",
+ "severity": 2
+ },
+ "cloud": {
+ "provider": "trusts disclose snapshot",
+ "region": "choose consolidated set"
+ },
+ "ocsf": "{\"activity_id\": 99, \"activity_name\": \"considerable\", \"attacks\": [{\"tactics\": [{\"name\": \"Execution The adversary is trying to run malicious code.\", \"uid\": \"TA0002\"}], \"technique\": {\"name\": \"Obtain Capabilities\", \"uid\": \"T1588\"}, \"version\": \"12.1\"}, {\"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}, {\"name\": \"Persistence The adversary is trying to maintain their foothold.\", \"uid\": \"TA0003\"}, {\"name\": \"Initial Access | The adversary is trying to get into your network.\", \"uid\": \"TA0001\"}], \"technique\": {\"name\": \"Cloud Instance Metadata API\", \"uid\": \"T1522\"}, \"version\": \"12.1\"}], \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Scheduled Job Activity\", \"class_uid\": 1006, \"cloud\": {\"org\": {\"name\": \"pf months already\", \"ou_name\": \"cry centers expense\", \"uid\": \"1d4398de-61bd-11ee-804b-0242ac110005\"}, \"provider\": \"trusts disclose snapshot\", \"region\": \"choose consolidated set\"}, \"device\": {\"first_seen_time\": 1695272181548, \"first_seen_time_dt\": \"2023-10-03T07:18:56.276163Z\", \"groups\": [{\"name\": \"summit torture accused\", \"uid\": \"1d43dac4-61bd-11ee-8157-0242ac110005\"}, {\"name\": \"silicon headline seniors\", \"uid\": \"1d43df06-61bd-11ee-884b-0242ac110005\"}], \"hostname\": \"paragraph.nato\", \"hypervisor\": \"listening genres rob\", \"imei\": \"seekers sue networks\", \"instance_uid\": \"1d440530-61bd-11ee-9a80-0242ac110005\", \"interface_name\": \"requiring showtimes only\", \"interface_uid\": 
\"1d440e68-61bd-11ee-9bc1-0242ac110005\", \"ip\": \"81.2.69.142\", \"os\": {\"name\": \"officially marks hook\", \"type\": \"iOS\", \"type_id\": 301}, \"region\": \"terms quarter premium\", \"type\": \"IOT\", \"type_id\": 7, \"uid\": \"1d440972-61bd-11ee-b78b-0242ac110005\"}, \"disposition\": \"Restored\", \"disposition_id\": 9, \"duration\": 4, \"message\": \"appeal verse adjacent\", \"metadata\": {\"extension\": {\"name\": \"attempt directed associate\", \"uid\": \"1d43b58a-61bd-11ee-811e-0242ac110005\", \"version\": \"1.0.0\"}, \"log_name\": \"external cadillac navy\", \"log_provider\": \"deadline emissions whilst\", \"original_time\": \"my northwest exhibitions\", \"product\": {\"lang\": \"en\", \"name\": \"gallery crude arc\", \"uid\": \"1d43be36-61bd-11ee-9314-0242ac110005\", \"url_string\": \"registrar\", \"vendor_name\": \"staffing steven textiles\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"uid\": \"1d43c2b4-61bd-11ee-814c-0242ac110005\", \"version\": \"1.0.0\"}, \"severity\": \"Low\", \"severity_id\": 2, \"status\": \"Failure\", \"status_code\": \"respond\", \"status_id\": 2, \"time\": 1695272181548, \"timezone_offset\": 87, \"type_name\": \"Scheduled Job Activity: Other\", \"type_uid\": 100699}"
+ }
+}
\ No newline at end of file
From 4fb0465ed83385a6c2dc74d039c586fda28087e6 Mon Sep 17 00:00:00 2001
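Review bot: The `expected` block of this fixture (the `event`, `cloud` and `ocsf` keys) never surfaces the ATT&CK data the input carries in `attacks[]` — technique uids T1588 and T1522 and tactic uids TA0002, TA0009, TA0003 and TA0001 — so after parsing they are reachable only inside the `ocsf` escaped-JSON string, where a detection rule cannot filter on them. If the parser (not part of this hunk) is meant to map them, the fixture should assert the mapped fields, e.g. `"threat": {"technique": {"id": ["T1588", "T1522"]}}` under `expected`; if it is not meant to, a one-line note in the intake's README would stop the next reader from assuming the data is indexed. The same applies to `device.hostname` and `device.ip`, which also only survive inside the `ocsf` string. Both fixture files in this chunk also end without a trailing newline (`\ No newline at end of file`).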
From: lvoloshyn-sekoia
Date: Tue, 30 Jan 2024 17:57:26 +0200
Subject: [PATCH 08/34] Update fields
---
OCSF/ocsf/_meta/fields.yml | 7669 ++++++++++++++++-
.../tests/test_application_activity_1.json | 87 +-
.../tests/test_application_activity_2.json | 69 +-
.../tests/test_application_activity_3.json | 80 +-
OCSF/ocsf/tests/test_discovery_1.json | 68 +-
OCSF/ocsf/tests/test_discovery_2.json | 75 +-
OCSF/ocsf/tests/test_findings_1.json | 129 +-
OCSF/ocsf/tests/test_iam_1.json | 56 +-
OCSF/ocsf/tests/test_iam_2.json | 32 +-
OCSF/ocsf/tests/test_iam_3.json | 64 +-
OCSF/ocsf/tests/test_iam_4.json | 74 +-
OCSF/ocsf/tests/test_network_activity_1.json | 44 +-
OCSF/ocsf/tests/test_network_activity_10.json | 212 +-
OCSF/ocsf/tests/test_network_activity_11.json | 120 +-
OCSF/ocsf/tests/test_network_activity_12.json | 101 +-
OCSF/ocsf/tests/test_network_activity_2.json | 132 +-
OCSF/ocsf/tests/test_network_activity_3.json | 49 +-
OCSF/ocsf/tests/test_network_activity_4.json | 92 +-
OCSF/ocsf/tests/test_network_activity_5.json | 183 +-
OCSF/ocsf/tests/test_network_activity_6.json | 173 +-
OCSF/ocsf/tests/test_network_activity_7.json | 93 +-
OCSF/ocsf/tests/test_network_activity_8.json | 113 +-
OCSF/ocsf/tests/test_network_activity_9.json | 106 +-
OCSF/ocsf/tests/test_system_activity_1.json | 176 +-
OCSF/ocsf/tests/test_system_activity_2.json | 199 +-
OCSF/ocsf/tests/test_system_activity_3.json | 243 +-
OCSF/ocsf/tests/test_system_activity_4.json | 218 +-
OCSF/ocsf/tests/test_system_activity_5.json | 301 +-
OCSF/ocsf/tests/test_system_activity_6.json | 167 +-
OCSF/ocsf/tests/test_system_activity_7.json | 112 +-
30 files changed, 11189 insertions(+), 48 deletions(-)
diff --git a/OCSF/ocsf/_meta/fields.yml b/OCSF/ocsf/_meta/fields.yml
index a4a5807dc..608a8eddf 100644
--- a/OCSF/ocsf/_meta/fields.yml
+++ b/OCSF/ocsf/_meta/fields.yml
@@ -1,44 +1,7675 @@
-ocsf:
- description: ''
- name: ocsf
+input.type:
+ description: Type of filebeat input.
+ name: input.type
+ type: keyword
+log.offset:
+ description: Log offset.
+ name: log.offset
+ type: long
+ocsf.access_mask:
+ description: The access mask in a platform-native format.
+ name: ocsf.access_mask
+ type: long
+ocsf.activity_id:
+ description: The normalized identifier of the activity that triggered the event.
+ name: ocsf.activity_id
+ type: long
+ocsf.activity_name:
+ description: The event activity name, as defined by the activity_id.
+ name: ocsf.activity_name
+ type: keyword
+ocsf.actor.authorizations.decision:
+ description: Authorization Result/outcome, e.g. allowed, denied.
+ name: ocsf.actor.authorizations.decision
+ type: keyword
+ocsf.actor.authorizations.policy.desc:
+ description: The description of the policy.
+ name: ocsf.actor.authorizations.policy.desc
+ type: keyword
+ocsf.actor.authorizations.policy.group.desc:
+ description: The group description.
+ name: ocsf.actor.authorizations.policy.group.desc
+ type: keyword
+ocsf.actor.authorizations.policy.group.name:
+ description: The group name.
+ name: ocsf.actor.authorizations.policy.group.name
+ type: keyword
+ocsf.actor.authorizations.policy.group.privileges:
+ description: The group privileges.
+ name: ocsf.actor.authorizations.policy.group.privileges
+ type: keyword
+ocsf.actor.authorizations.policy.group.type:
+ description: The type of the group or account.
+ name: ocsf.actor.authorizations.policy.group.type
+ type: keyword
+ocsf.actor.authorizations.policy.group.uid:
+ description:
+ The unique identifier of the group. For example, for Windows events
+ this is the security identifier (SID) of the group.
+ name: ocsf.actor.authorizations.policy.group.uid
+ type: keyword
+ocsf.actor.authorizations.policy.name:
+ description: "The policy name. For example: IAM Policy."
+ name: ocsf.actor.authorizations.policy.name + type: keyword +ocsf.actor.authorizations.policy.uid: + description: A unique identifier of the policy instance. + name: ocsf.actor.authorizations.policy.uid + type: keyword +ocsf.actor.authorizations.policy.version: + description: The policy version number. + name: ocsf.actor.authorizations.policy.version + type: keyword +ocsf.actor.idp.name: + description: The name of the identity provider. + name: ocsf.actor.idp.name + type: keyword +ocsf.actor.idp.uid: + description: The unique identifier of the identity provider. + name: ocsf.actor.idp.uid + type: keyword +ocsf.actor.invoked_by: + description: + The name of the service that invoked the activity as described in the + event. + name: ocsf.actor.invoked_by + type: keyword +ocsf.actor.process.auid: + description: The audit user assigned at login by the audit subsystem. + name: ocsf.actor.process.auid + type: keyword +ocsf.actor.process.container.hash.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.actor.process.container.hash.algorithm + type: keyword +ocsf.actor.process.container.hash.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.actor.process.container.hash.algorithm_id + type: keyword +ocsf.actor.process.container.hash.value: + description: The digital fingerprint value. + name: ocsf.actor.process.container.hash.value + type: keyword +ocsf.actor.process.container.image.path: + description: The full path to the image file. + name: ocsf.actor.process.container.image.path + type: keyword +ocsf.actor.process.container.image.uid: + description: The unique image ID. 
+ name: ocsf.actor.process.container.image.uid + type: keyword +ocsf.actor.process.container.network_driver: + description: + The network driver used by the container. For example, bridge, overlay, + host, none, etc. + name: ocsf.actor.process.container.network_driver + type: keyword +ocsf.actor.process.container.pod_uuid: + description: + The unique identifier of the pod (or equivalent) that the container + is executing on. + name: ocsf.actor.process.container.pod_uuid + type: keyword +ocsf.actor.process.container.size: + description: The size of the container image. + name: ocsf.actor.process.container.size + type: long +ocsf.actor.process.container.tag: + description: The tag used by the container. It can indicate version, format, OS. + name: ocsf.actor.process.container.tag + type: keyword +ocsf.actor.process.created_time_dt: + description: The time when the process was created/started. + name: ocsf.actor.process.created_time_dt + type: date +ocsf.actor.process.file.accessed_time_dt: + description: The time when the file was last accessed. + name: ocsf.actor.process.file.accessed_time_dt + type: date +ocsf.actor.process.file.accessor.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.actor.process.file.accessor.account.name + type: keyword +ocsf.actor.process.file.accessor.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.file.accessor.account.type + type: keyword +ocsf.actor.process.file.accessor.account.type_id: + description: The normalized account type identifier. + name: ocsf.actor.process.file.accessor.account.type_id + type: keyword +ocsf.actor.process.file.accessor.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). 
+ name: ocsf.actor.process.file.accessor.account.uid + type: keyword +ocsf.actor.process.file.accessor.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.file.accessor.credential_uid + type: keyword +ocsf.actor.process.file.accessor.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.actor.process.file.accessor.domain + type: keyword +ocsf.actor.process.file.accessor.email_addr: + description: The user's email address. + name: ocsf.actor.process.file.accessor.email_addr + type: keyword +ocsf.actor.process.file.accessor.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.actor.process.file.accessor.full_name + type: keyword +ocsf.actor.process.file.accessor.groups.desc: + description: The group description. + name: ocsf.actor.process.file.accessor.groups.desc + type: keyword +ocsf.actor.process.file.accessor.groups.name: + description: The group name. + name: ocsf.actor.process.file.accessor.groups.name + type: keyword +ocsf.actor.process.file.accessor.groups.privileges: + description: The group privileges. + name: ocsf.actor.process.file.accessor.groups.privileges + type: keyword +ocsf.actor.process.file.accessor.groups.type: + description: The type of the group or account. + name: ocsf.actor.process.file.accessor.groups.type + type: keyword +ocsf.actor.process.file.accessor.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.process.file.accessor.groups.uid + type: keyword +ocsf.actor.process.file.accessor.name: + description: The username. For example, janedoe1. + name: ocsf.actor.process.file.accessor.name + type: keyword +ocsf.actor.process.file.accessor.org.name: + description: The name of the organization. 
For example, Widget, Inc. + name: ocsf.actor.process.file.accessor.org.name + type: keyword +ocsf.actor.process.file.accessor.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.actor.process.file.accessor.org.ou_name + type: keyword +ocsf.actor.process.file.accessor.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.process.file.accessor.org.ou_uid + type: keyword +ocsf.actor.process.file.accessor.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.actor.process.file.accessor.org.uid + type: keyword +ocsf.actor.process.file.accessor.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.actor.process.file.accessor.type + type: keyword +ocsf.actor.process.file.accessor.type_id: + description: The account type identifier. + name: ocsf.actor.process.file.accessor.type_id + type: keyword +ocsf.actor.process.file.accessor.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.actor.process.file.accessor.uid + type: keyword +ocsf.actor.process.file.accessor.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.actor.process.file.accessor.uid_alt + type: keyword +ocsf.actor.process.file.attributes: + description: The Bitmask value that represents the file attributes. + name: ocsf.actor.process.file.attributes + type: long +ocsf.actor.process.file.company_name: + description: + "The name of the company that published the file. For example: Microsoft + Corporation." 
+ name: ocsf.actor.process.file.company_name + type: keyword +ocsf.actor.process.file.confidentiality: + description: + The file content confidentiality, normalized to the confidentiality_id + value. In the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.file.confidentiality + type: keyword +ocsf.actor.process.file.confidentiality_id: + description: The normalized identifier of the file content confidentiality indicator. + name: ocsf.actor.process.file.confidentiality_id + type: keyword +ocsf.actor.process.file.created_time_dt: + description: The time when the file was created. + name: ocsf.actor.process.file.created_time_dt + type: date +ocsf.actor.process.file.creator.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.actor.process.file.creator.account.name + type: keyword +ocsf.actor.process.file.creator.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.file.creator.account.type + type: keyword +ocsf.actor.process.file.creator.account.type_id: + description: The normalized account type identifier. + name: ocsf.actor.process.file.creator.account.type_id + type: keyword +ocsf.actor.process.file.creator.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.actor.process.file.creator.account.uid + type: keyword +ocsf.actor.process.file.creator.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.file.creator.credential_uid + type: keyword +ocsf.actor.process.file.creator.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." 
+ name: ocsf.actor.process.file.creator.domain + type: keyword +ocsf.actor.process.file.creator.email_addr: + description: The user's email address. + name: ocsf.actor.process.file.creator.email_addr + type: keyword +ocsf.actor.process.file.creator.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.actor.process.file.creator.full_name + type: keyword +ocsf.actor.process.file.creator.groups.desc: + description: The group description. + name: ocsf.actor.process.file.creator.groups.desc + type: keyword +ocsf.actor.process.file.creator.groups.name: + description: The group name. + name: ocsf.actor.process.file.creator.groups.name + type: keyword +ocsf.actor.process.file.creator.groups.privileges: + description: The group privileges. + name: ocsf.actor.process.file.creator.groups.privileges + type: keyword +ocsf.actor.process.file.creator.groups.type: + description: The type of the group or account. + name: ocsf.actor.process.file.creator.groups.type + type: keyword +ocsf.actor.process.file.creator.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.process.file.creator.groups.uid + type: keyword +ocsf.actor.process.file.creator.name: + description: The name of the city. + name: ocsf.actor.process.file.creator.name + type: keyword +ocsf.actor.process.file.creator.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.actor.process.file.creator.org.name + type: keyword +ocsf.actor.process.file.creator.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.actor.process.file.creator.org.ou_name + type: keyword +ocsf.actor.process.file.creator.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. 
For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.process.file.creator.org.ou_uid + type: keyword +ocsf.actor.process.file.creator.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.actor.process.file.creator.org.uid + type: keyword +ocsf.actor.process.file.creator.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.actor.process.file.creator.type + type: keyword +ocsf.actor.process.file.creator.type_id: + description: The account type identifier. + name: ocsf.actor.process.file.creator.type_id + type: keyword +ocsf.actor.process.file.creator.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.actor.process.file.creator.uid + type: keyword +ocsf.actor.process.file.creator.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.actor.process.file.creator.uid_alt + type: keyword +ocsf.actor.process.file.desc: + description: + "The description of the file, as returned by file system. For example: + the description as returned by the Unix file command or the Windows file type." + name: ocsf.actor.process.file.desc + type: keyword +ocsf.actor.process.file.hashes.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.actor.process.file.hashes.algorithm + type: keyword +ocsf.actor.process.file.hashes.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.actor.process.file.hashes.algorithm_id + type: keyword +ocsf.actor.process.file.hashes.value: + description: The digital fingerprint value. 
+ name: ocsf.actor.process.file.hashes.value + type: keyword +ocsf.actor.process.file.is_system: + description: The indication of whether the object is part of the operating system. + name: ocsf.actor.process.file.is_system + type: boolean +ocsf.actor.process.file.modified_time_dt: + description: The time when the file was last modified. + name: ocsf.actor.process.file.modified_time_dt + type: date +ocsf.actor.process.file.modifier.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.actor.process.file.modifier.account.name + type: keyword +ocsf.actor.process.file.modifier.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.file.modifier.account.type + type: keyword +ocsf.actor.process.file.modifier.account.type_id: + description: The normalized account type identifier. + name: ocsf.actor.process.file.modifier.account.type_id + type: keyword +ocsf.actor.process.file.modifier.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.actor.process.file.modifier.account.uid + type: keyword +ocsf.actor.process.file.modifier.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.file.modifier.credential_uid + type: keyword +ocsf.actor.process.file.modifier.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.actor.process.file.modifier.domain + type: keyword +ocsf.actor.process.file.modifier.email_addr: + description: "The image name. For example: elixir." + name: ocsf.actor.process.file.modifier.email_addr + type: keyword +ocsf.actor.process.file.modifier.full_name: + description: The user's email address. 
+ name: ocsf.actor.process.file.modifier.full_name + type: keyword +ocsf.actor.process.file.modifier.groups.desc: + description: The group description. + name: ocsf.actor.process.file.modifier.groups.desc + type: keyword +ocsf.actor.process.file.modifier.groups.name: + description: The group name. + name: ocsf.actor.process.file.modifier.groups.name + type: keyword +ocsf.actor.process.file.modifier.groups.privileges: + description: The group privileges. + name: ocsf.actor.process.file.modifier.groups.privileges + type: keyword +ocsf.actor.process.file.modifier.groups.type: + description: The type of the group or account. + name: ocsf.actor.process.file.modifier.groups.type + type: keyword +ocsf.actor.process.file.modifier.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.process.file.modifier.groups.uid + type: keyword +ocsf.actor.process.file.modifier.name: + description: The username. For example, janedoe1. + name: ocsf.actor.process.file.modifier.name + type: keyword +ocsf.actor.process.file.modifier.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.actor.process.file.modifier.org.name + type: keyword +ocsf.actor.process.file.modifier.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.actor.process.file.modifier.org.ou_name + type: keyword +ocsf.actor.process.file.modifier.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.process.file.modifier.org.ou_uid + type: keyword +ocsf.actor.process.file.modifier.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. 
+ name: ocsf.actor.process.file.modifier.org.uid + type: keyword +ocsf.actor.process.file.modifier.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.actor.process.file.modifier.type + type: keyword +ocsf.actor.process.file.modifier.type_id: + description: The account type identifier. + name: ocsf.actor.process.file.modifier.type_id + type: keyword +ocsf.actor.process.file.modifier.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.actor.process.file.modifier.uid + type: keyword +ocsf.actor.process.file.modifier.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.actor.process.file.modifier.uid_alt + type: keyword +ocsf.actor.process.file.owner.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.actor.process.file.owner.account.name + type: keyword +ocsf.actor.process.file.owner.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.file.owner.account.type + type: keyword +ocsf.actor.process.file.owner.account.type_id: + description: The normalized account type identifier. + name: ocsf.actor.process.file.owner.account.type_id + type: keyword +ocsf.actor.process.file.owner.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.actor.process.file.owner.account.uid + type: keyword +ocsf.actor.process.file.owner.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.file.owner.credential_uid + type: keyword +ocsf.actor.process.file.owner.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." 
+ name: ocsf.actor.process.file.owner.domain + type: keyword +ocsf.actor.process.file.owner.email_addr: + description: The user's email address. + name: ocsf.actor.process.file.owner.email_addr + type: keyword +ocsf.actor.process.file.owner.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.actor.process.file.owner.full_name + type: keyword +ocsf.actor.process.file.owner.groups.desc: + description: The group description. + name: ocsf.actor.process.file.owner.groups.desc + type: keyword +ocsf.actor.process.file.owner.groups.name: + description: The group name. + name: ocsf.actor.process.file.owner.groups.name + type: keyword +ocsf.actor.process.file.owner.groups.privileges: + description: The group privileges. + name: ocsf.actor.process.file.owner.groups.privileges + type: keyword +ocsf.actor.process.file.owner.groups.type: + description: The type of the group or account. + name: ocsf.actor.process.file.owner.groups.type + type: keyword +ocsf.actor.process.file.owner.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.process.file.owner.groups.uid + type: keyword +ocsf.actor.process.file.owner.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.actor.process.file.owner.org.name + type: keyword +ocsf.actor.process.file.owner.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.actor.process.file.owner.org.ou_name + type: keyword +ocsf.actor.process.file.owner.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.process.file.owner.org.ou_uid + type: keyword +ocsf.actor.process.file.owner.org.uid: + description: + The unique identifier of the organization. 
For example, its Active + Directory or AWS Org ID. + name: ocsf.actor.process.file.owner.org.uid + type: keyword +ocsf.actor.process.file.owner.type: + description: + The event occurred on a personal device.The type of the user. For example, + System, AWS IAM User, etc. + name: ocsf.actor.process.file.owner.type + type: keyword +ocsf.actor.process.file.owner.type_id: + description: The account type identifier. + name: ocsf.actor.process.file.owner.type_id + type: keyword +ocsf.actor.process.file.owner.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.actor.process.file.owner.uid_alt + type: keyword +ocsf.actor.process.file.product.feature.name: + description: The name of the feature. + name: ocsf.actor.process.file.product.feature.name + type: keyword +ocsf.actor.process.file.product.feature.uid: + description: The unique identifier of the feature. + name: ocsf.actor.process.file.product.feature.uid + type: keyword +ocsf.actor.process.file.product.feature.version: + description: The version of the feature. + name: ocsf.actor.process.file.product.feature.version + type: keyword +ocsf.actor.process.file.product.lang: + description: + "The two letter lower case language codes, as defined by ISO 639-1. + For example: en (English), de (German), or fr (French)." + name: ocsf.actor.process.file.product.lang + type: keyword +ocsf.actor.process.file.product.name: + description: The name of the feature. + name: ocsf.actor.process.file.product.name + type: keyword +ocsf.actor.process.file.product.path: + description: The installation path of the product. + name: ocsf.actor.process.file.product.path + type: keyword +ocsf.actor.process.file.product.uid: + description: The unique identifier of the feature. + name: ocsf.actor.process.file.product.uid + type: keyword +ocsf.actor.process.file.product.url_string: + description: The URL pointing towards the product. 
+ name: ocsf.actor.process.file.product.url_string + type: keyword +ocsf.actor.process.file.product.vendor_name: + description: The name of the vendor of the product. + name: ocsf.actor.process.file.product.vendor_name + type: keyword +ocsf.actor.process.file.product.version: + description: + "The version of the product, as defined by the event source. For example: + 2013.1.3-beta." + name: ocsf.actor.process.file.product.version + type: keyword +ocsf.actor.process.file.security_descriptor: + description: The object security descriptor. + name: ocsf.actor.process.file.security_descriptor + type: keyword +ocsf.actor.process.file.signature.algorithm: + description: + The digital signature algorithm used to create the signature, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.actor.process.file.signature.algorithm + type: keyword +ocsf.actor.process.file.signature.algorithm_id: + description: The identifier of the normalized digital signature algorithm. + name: ocsf.actor.process.file.signature.algorithm_id + type: keyword +ocsf.actor.process.file.signature.certificate.created_time: + description: The time when the certificate was created. + name: ocsf.actor.process.file.signature.certificate.created_time + type: date +ocsf.actor.process.file.signature.certificate.created_time_dt: + description: The time when the certificate was created. + name: ocsf.actor.process.file.signature.certificate.created_time_dt + type: date +ocsf.actor.process.file.signature.certificate.expiration_time_dt: + description: The expiration time of the certificate. + name: ocsf.actor.process.file.signature.certificate.expiration_time_dt + type: date +ocsf.actor.process.file.signature.certificate.fingerprints.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. 
+ name: ocsf.actor.process.file.signature.certificate.fingerprints.algorithm + type: keyword +ocsf.actor.process.file.signature.certificate.fingerprints.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.actor.process.file.signature.certificate.fingerprints.algorithm_id + type: keyword +ocsf.actor.process.file.signature.certificate.fingerprints.value: + description: The digital fingerprint value. + name: ocsf.actor.process.file.signature.certificate.fingerprints.value + type: keyword +ocsf.actor.process.file.signature.created_time: + description: The time when the digital signature was created. + name: ocsf.actor.process.file.signature.created_time + type: date +ocsf.actor.process.file.signature.created_time_dt: + description: The time when the digital signature was created. + name: ocsf.actor.process.file.signature.created_time_dt + type: date +ocsf.actor.process.file.signature.developer_uid: + description: The developer ID on the certificate that signed the file. + name: ocsf.actor.process.file.signature.developer_uid + type: keyword +ocsf.actor.process.file.signature.digest.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.actor.process.file.signature.digest.algorithm + type: keyword +ocsf.actor.process.file.signature.digest.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.actor.process.file.signature.digest.algorithm_id + type: keyword +ocsf.actor.process.file.signature.digest.value: + description: The digital fingerprint value. + name: ocsf.actor.process.file.signature.digest.value + type: keyword +ocsf.actor.process.file.type_id: + description: The file type ID. 
+ name: ocsf.actor.process.file.type_id + type: keyword +ocsf.actor.process.file.version: + description: "The file version. For example: 8.0.7601.17514." + name: ocsf.actor.process.file.version + type: keyword +ocsf.actor.process.file.xattributes: + description: + An unordered collection of zero or more name/value pairs where each + pair represents a file or folder extended attribute. + name: ocsf.actor.process.file.xattributes + type: keyword +ocsf.actor.process.group.desc: + description: The group description. + name: ocsf.actor.process.group.desc + type: keyword +ocsf.actor.process.group.privileges: + description: The group privileges. + name: ocsf.actor.process.group.privileges + type: keyword +ocsf.actor.process.group.type: + description: The type of the group or account. + name: ocsf.actor.process.group.type + type: keyword +ocsf.actor.process.integrity: + description: + The process integrity level, normalized to the caption of the direction_id + value. In the case of 'Other', it is defined by the event source (Windows only). + name: ocsf.actor.process.integrity + type: keyword +ocsf.actor.process.integrity_id: + description: The normalized identifier of the process integrity level (Windows only). + name: ocsf.actor.process.integrity_id + type: keyword +ocsf.actor.process.lineage: + description: + "The lineage of the process, represented by a list of paths for each + ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']." + name: ocsf.actor.process.lineage + type: keyword +ocsf.actor.process.loaded_modules: + description: The list of loaded module names. + name: ocsf.actor.process.loaded_modules + type: keyword +ocsf.actor.process.namespace_pid: + description: + If running under a process namespace (such as in a container), the + process identifier within that process namespace. 
+ name: ocsf.actor.process.namespace_pid + type: long +ocsf.actor.process.parent_process.auid: + description: The audit user assigned at login by the audit subsystem. + name: ocsf.actor.process.parent_process.auid + type: keyword +ocsf.actor.process.parent_process.container.hash.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.actor.process.parent_process.container.hash.algorithm + type: keyword +ocsf.actor.process.parent_process.container.hash.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.actor.process.parent_process.container.hash.algorithm_id + type: keyword +ocsf.actor.process.parent_process.container.hash.value: + description: The digital fingerprint value. + name: ocsf.actor.process.parent_process.container.hash.value + type: keyword +ocsf.actor.process.parent_process.container.image.labels: + description: The image labels. + name: ocsf.actor.process.parent_process.container.image.labels + type: keyword +ocsf.actor.process.parent_process.container.image.name: + description: The image name. + name: ocsf.actor.process.parent_process.container.image.name + type: keyword +ocsf.actor.process.parent_process.container.image.path: + description: The full path to the image file. + name: ocsf.actor.process.parent_process.container.image.path + type: keyword +ocsf.actor.process.parent_process.container.image.tag: + description: The tag used by the container. It can indicate version, format, OS. + name: ocsf.actor.process.parent_process.container.image.tag + type: keyword +ocsf.actor.process.parent_process.container.image.uid: + description: The unique image ID. 
+ name: ocsf.actor.process.parent_process.container.image.uid + type: keyword +ocsf.actor.process.parent_process.container.name: + description: The container name. + name: ocsf.actor.process.parent_process.container.name + type: keyword +ocsf.actor.process.parent_process.container.network_driver: + description: + The network driver used by the container. For example, bridge, overlay, + host, none, etc. + name: ocsf.actor.process.parent_process.container.network_driver + type: keyword +ocsf.actor.process.parent_process.container.orchestrator: + description: + The orchestrator managing the container, such as ECS, EKS, K8s, or + OpenShift. + name: ocsf.actor.process.parent_process.container.orchestrator + type: keyword +ocsf.actor.process.parent_process.container.pod_uuid: + description: + The unique identifier of the pod (or equivalent) that the container + is executing on. + name: ocsf.actor.process.parent_process.container.pod_uuid + type: keyword +ocsf.actor.process.parent_process.container.runtime: + description: The backend running the container, such as containerd or cri-o. + name: ocsf.actor.process.parent_process.container.runtime + type: keyword +ocsf.actor.process.parent_process.container.size: + description: The size of the container image. + name: ocsf.actor.process.parent_process.container.size + type: long +ocsf.actor.process.parent_process.container.tag: + description: The tag used by the container. It can indicate version, format, OS. + name: ocsf.actor.process.parent_process.container.tag + type: keyword +ocsf.actor.process.parent_process.container.uid: + description: + The full container unique identifier for this instantiation of the + container. + name: ocsf.actor.process.parent_process.container.uid + type: keyword +ocsf.actor.process.parent_process.created_time_dt: + description: The time when the process was created/started. 
+ name: ocsf.actor.process.parent_process.created_time_dt + type: date +ocsf.actor.process.parent_process.file.accessed_time: + description: The time when the file was last accessed. + name: ocsf.actor.process.parent_process.file.accessed_time + type: date +ocsf.actor.process.parent_process.file.accessed_time_dt: + description: The time when the file was last accessed. + name: ocsf.actor.process.parent_process.file.accessed_time_dt + type: date +ocsf.actor.process.parent_process.file.accessor.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.actor.process.parent_process.file.accessor.account.name + type: keyword +ocsf.actor.process.parent_process.file.accessor.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.parent_process.file.accessor.account.type + type: keyword +ocsf.actor.process.parent_process.file.accessor.account.type_id: + description: The normalized account type identifier. + name: ocsf.actor.process.parent_process.file.accessor.account.type_id + type: keyword +ocsf.actor.process.parent_process.file.accessor.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.actor.process.parent_process.file.accessor.account.uid + type: keyword +ocsf.actor.process.parent_process.file.accessor.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.parent_process.file.accessor.credential_uid + type: keyword +ocsf.actor.process.parent_process.file.accessor.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.actor.process.parent_process.file.accessor.domain + type: keyword +ocsf.actor.process.parent_process.file.accessor.email_addr: + description: The user's email address. 
+ name: ocsf.actor.process.parent_process.file.accessor.email_addr + type: keyword +ocsf.actor.process.parent_process.file.accessor.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.actor.process.parent_process.file.accessor.full_name + type: keyword +ocsf.actor.process.parent_process.file.accessor.groups.desc: + description: The group description. + name: ocsf.actor.process.parent_process.file.accessor.groups.desc + type: keyword +ocsf.actor.process.parent_process.file.accessor.groups.name: + description: The group name. + name: ocsf.actor.process.parent_process.file.accessor.groups.name + type: keyword +ocsf.actor.process.parent_process.file.accessor.groups.privileges: + description: The group privileges. + name: ocsf.actor.process.parent_process.file.accessor.groups.privileges + type: keyword +ocsf.actor.process.parent_process.file.accessor.groups.type: + description: The type of the group or account. + name: ocsf.actor.process.parent_process.file.accessor.groups.type + type: keyword +ocsf.actor.process.parent_process.file.accessor.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.process.parent_process.file.accessor.groups.uid + type: keyword +ocsf.actor.process.parent_process.file.accessor.name: + description: The username. For example, janedoe1. + name: ocsf.actor.process.parent_process.file.accessor.name + type: keyword +ocsf.actor.process.parent_process.file.accessor.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.actor.process.parent_process.file.accessor.org.name + type: keyword +ocsf.actor.process.parent_process.file.accessor.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. 
+ name: ocsf.actor.process.parent_process.file.accessor.org.ou_name + type: keyword +ocsf.actor.process.parent_process.file.accessor.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.process.parent_process.file.accessor.org.ou_uid + type: keyword +ocsf.actor.process.parent_process.file.accessor.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.actor.process.parent_process.file.accessor.org.uid + type: keyword +ocsf.actor.process.parent_process.file.accessor.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.actor.process.parent_process.file.accessor.type + type: keyword +ocsf.actor.process.parent_process.file.accessor.type_id: + description: The account type identifier. + name: ocsf.actor.process.parent_process.file.accessor.type_id + type: keyword +ocsf.actor.process.parent_process.file.accessor.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.actor.process.parent_process.file.accessor.uid + type: keyword +ocsf.actor.process.parent_process.file.accessor.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.actor.process.parent_process.file.accessor.uid_alt + type: keyword +ocsf.actor.process.parent_process.file.attributes: + description: The Bitmask value that represents the file attributes. + name: ocsf.actor.process.parent_process.file.attributes + type: long +ocsf.actor.process.parent_process.file.company_name: + description: + "The name of the company that published the file. For example: Microsoft + Corporation." 
+ name: ocsf.actor.process.parent_process.file.company_name + type: keyword +ocsf.actor.process.parent_process.file.confidentiality: + description: + The file content confidentiality, normalized to the confidentiality_id + value. In the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.parent_process.file.confidentiality + type: keyword +ocsf.actor.process.parent_process.file.confidentiality_id: + description: The normalized identifier of the file content confidentiality indicator. + name: ocsf.actor.process.parent_process.file.confidentiality_id + type: keyword +ocsf.actor.process.parent_process.file.created_time: + description: The time when the file was created. + name: ocsf.actor.process.parent_process.file.created_time + type: date +ocsf.actor.process.parent_process.file.created_time_dt: + description: The time when the file was created. + name: ocsf.actor.process.parent_process.file.created_time_dt + type: date +ocsf.actor.process.parent_process.file.creator.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.actor.process.parent_process.file.creator.account.name + type: keyword +ocsf.actor.process.parent_process.file.creator.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.parent_process.file.creator.account.type + type: keyword +ocsf.actor.process.parent_process.file.creator.account.type_id: + description: The normalized account type identifier. + name: ocsf.actor.process.parent_process.file.creator.account.type_id + type: keyword +ocsf.actor.process.parent_process.file.creator.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). 
+ name: ocsf.actor.process.parent_process.file.creator.account.uid + type: keyword +ocsf.actor.process.parent_process.file.creator.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.parent_process.file.creator.credential_uid + type: keyword +ocsf.actor.process.parent_process.file.creator.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.actor.process.parent_process.file.creator.domain + type: keyword +ocsf.actor.process.parent_process.file.creator.email_addr: + description: The user's email address. + name: ocsf.actor.process.parent_process.file.creator.email_addr + type: keyword +ocsf.actor.process.parent_process.file.creator.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.actor.process.parent_process.file.creator.full_name + type: keyword +ocsf.actor.process.parent_process.file.creator.groups.desc: + description: The group description. + name: ocsf.actor.process.parent_process.file.creator.groups.desc + type: keyword +ocsf.actor.process.parent_process.file.creator.groups.name: + description: The group name. + name: ocsf.actor.process.parent_process.file.creator.groups.name + type: keyword +ocsf.actor.process.parent_process.file.creator.groups.privileges: + description: The group privileges. + name: ocsf.actor.process.parent_process.file.creator.groups.privileges + type: keyword +ocsf.actor.process.parent_process.file.creator.groups.type: + description: The type of the group or account. + name: ocsf.actor.process.parent_process.file.creator.groups.type + type: keyword +ocsf.actor.process.parent_process.file.creator.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. 
+ name: ocsf.actor.process.parent_process.file.creator.groups.uid + type: keyword +ocsf.actor.process.parent_process.file.creator.name: + description: The name of the city. + name: ocsf.actor.process.parent_process.file.creator.name + type: keyword +ocsf.actor.process.parent_process.file.creator.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.actor.process.parent_process.file.creator.org.name + type: keyword +ocsf.actor.process.parent_process.file.creator.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.actor.process.parent_process.file.creator.org.ou_name + type: keyword +ocsf.actor.process.parent_process.file.creator.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.process.parent_process.file.creator.org.ou_uid + type: keyword +ocsf.actor.process.parent_process.file.creator.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.actor.process.parent_process.file.creator.org.uid + type: keyword +ocsf.actor.process.parent_process.file.creator.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.actor.process.parent_process.file.creator.type + type: keyword +ocsf.actor.process.parent_process.file.creator.type_id: + description: The account type identifier. + name: ocsf.actor.process.parent_process.file.creator.type_id + type: keyword +ocsf.actor.process.parent_process.file.creator.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.actor.process.parent_process.file.creator.uid + type: keyword +ocsf.actor.process.parent_process.file.creator.uid_alt: + description: + The alternate user identifier. 
For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.actor.process.parent_process.file.creator.uid_alt + type: keyword +ocsf.actor.process.parent_process.file.desc: + description: + "The description of the file, as returned by file system. For example: + the description as returned by the Unix file command or the Windows file type." + name: ocsf.actor.process.parent_process.file.desc + type: keyword +ocsf.actor.process.parent_process.file.hashes.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.actor.process.parent_process.file.hashes.algorithm + type: keyword +ocsf.actor.process.parent_process.file.hashes.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.actor.process.parent_process.file.hashes.algorithm_id + type: keyword +ocsf.actor.process.parent_process.file.hashes.value: + description: The digital fingerprint value. + name: ocsf.actor.process.parent_process.file.hashes.value + type: keyword +ocsf.actor.process.parent_process.file.is_system: + description: The indication of whether the object is part of the operating system. + name: ocsf.actor.process.parent_process.file.is_system + type: boolean +ocsf.actor.process.parent_process.file.mime_type: + description: + The Multipurpose Internet Mail Extensions (MIME) type of the file, + if applicable. + name: ocsf.actor.process.parent_process.file.mime_type + type: keyword +ocsf.actor.process.parent_process.file.modified_time: + description: The time when the file was last modified. + name: ocsf.actor.process.parent_process.file.modified_time + type: date +ocsf.actor.process.parent_process.file.modified_time_dt: + description: The time when the file was last modified. 
+ name: ocsf.actor.process.parent_process.file.modified_time_dt + type: date +ocsf.actor.process.parent_process.file.modifier.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.actor.process.parent_process.file.modifier.account.name + type: keyword +ocsf.actor.process.parent_process.file.modifier.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.parent_process.file.modifier.account.type + type: keyword +ocsf.actor.process.parent_process.file.modifier.account.type_id: + description: The normalized account type identifier. + name: ocsf.actor.process.parent_process.file.modifier.account.type_id + type: keyword +ocsf.actor.process.parent_process.file.modifier.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.actor.process.parent_process.file.modifier.account.uid + type: keyword +ocsf.actor.process.parent_process.file.modifier.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.parent_process.file.modifier.credential_uid + type: keyword +ocsf.actor.process.parent_process.file.modifier.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.actor.process.parent_process.file.modifier.domain + type: keyword +ocsf.actor.process.parent_process.file.modifier.email_addr: + description: "The image name. For example: elixir." + name: ocsf.actor.process.parent_process.file.modifier.email_addr + type: keyword +ocsf.actor.process.parent_process.file.modifier.full_name: + description: The user's email address. + name: ocsf.actor.process.parent_process.file.modifier.full_name + type: keyword +ocsf.actor.process.parent_process.file.modifier.groups.desc: + description: The group description. 
+ name: ocsf.actor.process.parent_process.file.modifier.groups.desc + type: keyword +ocsf.actor.process.parent_process.file.modifier.groups.name: + description: The group name. + name: ocsf.actor.process.parent_process.file.modifier.groups.name + type: keyword +ocsf.actor.process.parent_process.file.modifier.groups.privileges: + description: The group privileges. + name: ocsf.actor.process.parent_process.file.modifier.groups.privileges + type: keyword +ocsf.actor.process.parent_process.file.modifier.groups.type: + description: The type of the group or account. + name: ocsf.actor.process.parent_process.file.modifier.groups.type + type: keyword +ocsf.actor.process.parent_process.file.modifier.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.process.parent_process.file.modifier.groups.uid + type: keyword +ocsf.actor.process.parent_process.file.modifier.name: + description: The username. For example, janedoe1. + name: ocsf.actor.process.parent_process.file.modifier.name + type: keyword +ocsf.actor.process.parent_process.file.modifier.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.actor.process.parent_process.file.modifier.org.name + type: keyword +ocsf.actor.process.parent_process.file.modifier.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.actor.process.parent_process.file.modifier.org.ou_name + type: keyword +ocsf.actor.process.parent_process.file.modifier.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.process.parent_process.file.modifier.org.ou_uid + type: keyword +ocsf.actor.process.parent_process.file.modifier.org.uid: + description: + The unique identifier of the organization. 
For example, its Active + Directory or AWS Org ID. + name: ocsf.actor.process.parent_process.file.modifier.org.uid + type: keyword +ocsf.actor.process.parent_process.file.modifier.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.actor.process.parent_process.file.modifier.type + type: keyword +ocsf.actor.process.parent_process.file.modifier.type_id: + description: The account type identifier. + name: ocsf.actor.process.parent_process.file.modifier.type_id + type: keyword +ocsf.actor.process.parent_process.file.modifier.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.actor.process.parent_process.file.modifier.uid + type: keyword +ocsf.actor.process.parent_process.file.modifier.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.actor.process.parent_process.file.modifier.uid_alt + type: keyword +ocsf.actor.process.parent_process.file.name: + description: "The name of the file. For example: svchost.exe." + name: ocsf.actor.process.parent_process.file.name + type: keyword +ocsf.actor.process.parent_process.file.owner.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.actor.process.parent_process.file.owner.account.name + type: keyword +ocsf.actor.process.parent_process.file.owner.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.parent_process.file.owner.account.type + type: keyword +ocsf.actor.process.parent_process.file.owner.account.type_id: + description: The normalized account type identifier. 
+ name: ocsf.actor.process.parent_process.file.owner.account.type_id + type: keyword +ocsf.actor.process.parent_process.file.owner.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.actor.process.parent_process.file.owner.account.uid + type: keyword +ocsf.actor.process.parent_process.file.owner.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.parent_process.file.owner.credential_uid + type: keyword +ocsf.actor.process.parent_process.file.owner.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.actor.process.parent_process.file.owner.domain + type: keyword +ocsf.actor.process.parent_process.file.owner.email_addr: + description: The user's email address. + name: ocsf.actor.process.parent_process.file.owner.email_addr + type: keyword +ocsf.actor.process.parent_process.file.owner.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.actor.process.parent_process.file.owner.full_name + type: keyword +ocsf.actor.process.parent_process.file.owner.groups.desc: + description: The group description. + name: ocsf.actor.process.parent_process.file.owner.groups.desc + type: keyword +ocsf.actor.process.parent_process.file.owner.groups.name: + description: The group name. + name: ocsf.actor.process.parent_process.file.owner.groups.name + type: keyword +ocsf.actor.process.parent_process.file.owner.groups.privileges: + description: The group privileges. + name: ocsf.actor.process.parent_process.file.owner.groups.privileges + type: keyword +ocsf.actor.process.parent_process.file.owner.groups.type: + description: The type of the group or account. 
+ name: ocsf.actor.process.parent_process.file.owner.groups.type + type: keyword +ocsf.actor.process.parent_process.file.owner.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.process.parent_process.file.owner.groups.uid + type: keyword +ocsf.actor.process.parent_process.file.owner.name: + description: The username. For example, janedoe1. + name: ocsf.actor.process.parent_process.file.owner.name + type: keyword +ocsf.actor.process.parent_process.file.owner.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.actor.process.parent_process.file.owner.org.name + type: keyword +ocsf.actor.process.parent_process.file.owner.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.actor.process.parent_process.file.owner.org.ou_name + type: keyword +ocsf.actor.process.parent_process.file.owner.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.process.parent_process.file.owner.org.ou_uid + type: keyword +ocsf.actor.process.parent_process.file.owner.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.actor.process.parent_process.file.owner.org.uid + type: keyword +ocsf.actor.process.parent_process.file.owner.type: + description: + The event occurred on a personal device.The type of the user. For example, + System, AWS IAM User, etc. + name: ocsf.actor.process.parent_process.file.owner.type + type: keyword +ocsf.actor.process.parent_process.file.owner.type_id: + description: The account type identifier. 
+ name: ocsf.actor.process.parent_process.file.owner.type_id + type: keyword +ocsf.actor.process.parent_process.file.owner.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.actor.process.parent_process.file.owner.uid + type: keyword +ocsf.actor.process.parent_process.file.owner.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.actor.process.parent_process.file.owner.uid_alt + type: keyword +ocsf.actor.process.parent_process.file.parent_folder: + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + name: ocsf.actor.process.parent_process.file.parent_folder + type: keyword +ocsf.actor.process.parent_process.file.path: + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + name: ocsf.actor.process.parent_process.file.path + type: keyword +ocsf.actor.process.parent_process.file.product.feature.name: + description: The name of the feature. + name: ocsf.actor.process.parent_process.file.product.feature.name + type: keyword +ocsf.actor.process.parent_process.file.product.feature.uid: + description: The unique identifier of the feature. + name: ocsf.actor.process.parent_process.file.product.feature.uid + type: keyword +ocsf.actor.process.parent_process.file.product.feature.version: + description: The version of the feature. + name: ocsf.actor.process.parent_process.file.product.feature.version + type: keyword +ocsf.actor.process.parent_process.file.product.lang: + description: + "The two letter lower case language codes, as defined by ISO 639-1. + For example: en (English), de (German), or fr (French)." + name: ocsf.actor.process.parent_process.file.product.lang + type: keyword +ocsf.actor.process.parent_process.file.product.name: + description: The name of the feature. 
+ name: ocsf.actor.process.parent_process.file.product.name + type: keyword +ocsf.actor.process.parent_process.file.product.path: + description: The installation path of the product. + name: ocsf.actor.process.parent_process.file.product.path + type: keyword +ocsf.actor.process.parent_process.file.product.uid: + description: The unique identifier of the feature. + name: ocsf.actor.process.parent_process.file.product.uid + type: keyword +ocsf.actor.process.parent_process.file.product.url_string: + description: The URL pointing towards the product. + name: ocsf.actor.process.parent_process.file.product.url_string + type: keyword +ocsf.actor.process.parent_process.file.product.vendor_name: + description: The name of the vendor of the product. + name: ocsf.actor.process.parent_process.file.product.vendor_name + type: keyword +ocsf.actor.process.parent_process.file.product.version: + description: + "The version of the product, as defined by the event source. For example: + 2013.1.3-beta." + name: ocsf.actor.process.parent_process.file.product.version + type: keyword +ocsf.actor.process.parent_process.file.security_descriptor: + description: The object security descriptor. + name: ocsf.actor.process.parent_process.file.security_descriptor + type: keyword +ocsf.actor.process.parent_process.file.signature.algorithm: + description: + The digital signature algorithm used to create the signature, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.actor.process.parent_process.file.signature.algorithm + type: keyword +ocsf.actor.process.parent_process.file.signature.algorithm_id: + description: The identifier of the normalized digital signature algorithm. + name: ocsf.actor.process.parent_process.file.signature.algorithm_id + type: keyword +ocsf.actor.process.parent_process.file.signature.certificate.created_time: + description: The time when the certificate was created. 
+ name: ocsf.actor.process.parent_process.file.signature.certificate.created_time + type: date +ocsf.actor.process.parent_process.file.signature.certificate.created_time_dt: + description: The time when the certificate was created. + name: ocsf.actor.process.parent_process.file.signature.certificate.created_time_dt + type: date +ocsf.actor.process.parent_process.file.signature.certificate.expiration_time: + description: The expiration time of the certificate. + name: ocsf.actor.process.parent_process.file.signature.certificate.expiration_time + type: date +ocsf.actor.process.parent_process.file.signature.certificate.expiration_time_dt: + description: The expiration time of the certificate. + name: ocsf.actor.process.parent_process.file.signature.certificate.expiration_time_dt + type: date +ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm + type: keyword +ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm_id + type: keyword +ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.value: + description: The digital fingerprint value. + name: ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.value + type: keyword +ocsf.actor.process.parent_process.file.signature.certificate.issuer: + description: The certificate issuer distinguished name. 
+ name: ocsf.actor.process.parent_process.file.signature.certificate.issuer + type: keyword +ocsf.actor.process.parent_process.file.signature.certificate.serial_number: + description: The serial number of the certificate used to create the digital signature. + name: ocsf.actor.process.parent_process.file.signature.certificate.serial_number + type: keyword +ocsf.actor.process.parent_process.file.signature.certificate.subject: + description: The certificate subject distinguished name. + name: ocsf.actor.process.parent_process.file.signature.certificate.subject + type: keyword +ocsf.actor.process.parent_process.file.signature.certificate.version: + description: The certificate version. + name: ocsf.actor.process.parent_process.file.signature.certificate.version + type: keyword +ocsf.actor.process.parent_process.file.signature.created_time: + description: The time when the digital signature was created. + name: ocsf.actor.process.parent_process.file.signature.created_time + type: date +ocsf.actor.process.parent_process.file.signature.created_time_dt: + description: The time when the digital signature was created. + name: ocsf.actor.process.parent_process.file.signature.created_time_dt + type: date +ocsf.actor.process.parent_process.file.signature.developer_uid: + description: The developer ID on the certificate that signed the file. + name: ocsf.actor.process.parent_process.file.signature.developer_uid + type: keyword +ocsf.actor.process.parent_process.file.signature.digest.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.actor.process.parent_process.file.signature.digest.algorithm + type: keyword +ocsf.actor.process.parent_process.file.signature.digest.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. 
+ name: ocsf.actor.process.parent_process.file.signature.digest.algorithm_id + type: keyword +ocsf.actor.process.parent_process.file.signature.digest.value: + description: The digital fingerprint value. + name: ocsf.actor.process.parent_process.file.signature.digest.value + type: keyword +ocsf.actor.process.parent_process.file.size: + description: The size of data, in bytes. + name: ocsf.actor.process.parent_process.file.size + type: long +ocsf.actor.process.parent_process.file.type: + description: The file type. + name: ocsf.actor.process.parent_process.file.type + type: keyword +ocsf.actor.process.parent_process.file.type_id: + description: The file type ID. + name: ocsf.actor.process.parent_process.file.type_id + type: keyword +ocsf.actor.process.parent_process.file.uid: + description: + The unique identifier of the file as defined by the storage system, + such the file system file ID. + name: ocsf.actor.process.parent_process.file.uid + type: keyword +ocsf.actor.process.parent_process.file.version: + description: "The file version. For example: 8.0.7601.17514." + name: ocsf.actor.process.parent_process.file.version + type: keyword +ocsf.actor.process.parent_process.file.xattributes: + description: + An unordered collection of zero or more name/value pairs where each + pair represents a file or folder extended attribute. + name: ocsf.actor.process.parent_process.file.xattributes + type: keyword +ocsf.actor.process.parent_process.group.desc: + description: The group description. + name: ocsf.actor.process.parent_process.group.desc + type: keyword +ocsf.actor.process.parent_process.group.privileges: + description: The group privileges. + name: ocsf.actor.process.parent_process.group.privileges + type: keyword +ocsf.actor.process.parent_process.group.type: + description: The type of the group or account. 
+ name: ocsf.actor.process.parent_process.group.type + type: keyword +ocsf.actor.process.parent_process.integrity: + description: + The process integrity level, normalized to the caption of the direction_id + value. In the case of 'Other', it is defined by the event source (Windows only). + name: ocsf.actor.process.parent_process.integrity + type: keyword +ocsf.actor.process.parent_process.integrity_id: + description: The normalized identifier of the process integrity level (Windows only). + name: ocsf.actor.process.parent_process.integrity_id + type: keyword +ocsf.actor.process.parent_process.lineage: + description: + "The lineage of the process, represented by a list of paths for each + ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']." + name: ocsf.actor.process.parent_process.lineage + type: keyword +ocsf.actor.process.parent_process.loaded_modules: + description: The list of loaded module names. + name: ocsf.actor.process.parent_process.loaded_modules + type: keyword +ocsf.actor.process.parent_process.namespace_pid: + description: + If running under a process namespace (such as in a container), the + process identifier within that process namespace. + name: ocsf.actor.process.parent_process.namespace_pid + type: long +ocsf.actor.process.parent_process.parent_process: + description: + The parent process of this process object. It is recommended to only + populate this field for the first process object, to prevent deep nesting. + name: ocsf.actor.process.parent_process.parent_process + type: keyword +ocsf.actor.process.parent_process.parent_process_keyword: + description: "" + name: ocsf.actor.process.parent_process.parent_process_keyword + type: keyword +ocsf.actor.process.parent_process.sandbox: + description: + The name of the containment jail (i.e., sandbox). For example, hardened_ps, + high_security_ps, oracle_ps, netsvcs_ps, or default_ps. 
+ name: ocsf.actor.process.parent_process.sandbox + type: keyword +ocsf.actor.process.parent_process.session.created_time: + description: The time when the session was created. + name: ocsf.actor.process.parent_process.session.created_time + type: date +ocsf.actor.process.parent_process.session.created_time_dt: + description: The time when the session was created. + name: ocsf.actor.process.parent_process.session.created_time_dt + type: date +ocsf.actor.process.parent_process.session.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.parent_process.session.credential_uid + type: keyword +ocsf.actor.process.parent_process.session.expiration_time: + description: The session expiration time. + name: ocsf.actor.process.parent_process.session.expiration_time + type: date +ocsf.actor.process.parent_process.session.expiration_time_dt: + description: The session expiration time. + name: ocsf.actor.process.parent_process.session.expiration_time_dt + type: date +ocsf.actor.process.parent_process.session.is_remote: + description: The indication of whether the session is remote. + name: ocsf.actor.process.parent_process.session.is_remote + type: boolean +ocsf.actor.process.parent_process.session.issuer: + description: The identifier of the session issuer. + name: ocsf.actor.process.parent_process.session.issuer + type: keyword +ocsf.actor.process.parent_process.session.mfa: + description: "" + name: ocsf.actor.process.parent_process.session.mfa + type: boolean +ocsf.actor.process.parent_process.session.uid: + description: The unique identifier of the session. + name: ocsf.actor.process.parent_process.session.uid + type: keyword +ocsf.actor.process.parent_process.session.uuid: + description: The universally unique identifier of the session. 
+ name: ocsf.actor.process.parent_process.session.uuid + type: keyword +ocsf.actor.process.parent_process.terminated_time_dt: + description: The time when the process was terminated. + name: ocsf.actor.process.parent_process.terminated_time_dt + type: date +ocsf.actor.process.parent_process.user.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.actor.process.parent_process.user.account.name + type: keyword +ocsf.actor.process.parent_process.user.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.parent_process.user.account.type + type: keyword +ocsf.actor.process.parent_process.user.account.type_id: + description: The normalized account type identifier. + name: ocsf.actor.process.parent_process.user.account.type_id + type: keyword +ocsf.actor.process.parent_process.user.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.actor.process.parent_process.user.account.uid + type: keyword +ocsf.actor.process.parent_process.user.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.parent_process.user.credential_uid + type: keyword +ocsf.actor.process.parent_process.user.groups.desc: + description: The group description. + name: ocsf.actor.process.parent_process.user.groups.desc + type: keyword +ocsf.actor.process.parent_process.user.groups.name: + description: The group name. + name: ocsf.actor.process.parent_process.user.groups.name + type: keyword +ocsf.actor.process.parent_process.user.groups.privileges: + description: The group privileges. + name: ocsf.actor.process.parent_process.user.groups.privileges + type: keyword +ocsf.actor.process.parent_process.user.groups.type: + description: The type of the group or account. 
+ name: ocsf.actor.process.parent_process.user.groups.type + type: keyword +ocsf.actor.process.parent_process.user.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.process.parent_process.user.groups.uid + type: keyword +ocsf.actor.process.parent_process.user.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.actor.process.parent_process.user.org.name + type: keyword +ocsf.actor.process.parent_process.user.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.actor.process.parent_process.user.org.ou_name + type: keyword +ocsf.actor.process.parent_process.user.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.process.parent_process.user.org.ou_uid + type: keyword +ocsf.actor.process.parent_process.user.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.actor.process.parent_process.user.org.uid + type: keyword +ocsf.actor.process.parent_process.user.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.actor.process.parent_process.user.type + type: keyword +ocsf.actor.process.parent_process.user.type_id: + description: The account type identifier. + name: ocsf.actor.process.parent_process.user.type_id + type: keyword +ocsf.actor.process.parent_process.user.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. 
+ name: ocsf.actor.process.parent_process.user.uid_alt + type: keyword +ocsf.actor.process.parent_process.xattributes: + description: + An unordered collection of zero or more name/value pairs that represent + a process extended attribute. + name: ocsf.actor.process.parent_process.xattributes + type: keyword +ocsf.actor.process.sandbox: + description: + The name of the containment jail (i.e., sandbox). For example, hardened_ps, + high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + name: ocsf.actor.process.sandbox + type: keyword +ocsf.actor.process.session.created_time: + description: The time when the session was created. + name: ocsf.actor.process.session.created_time + type: date +ocsf.actor.process.session.created_time_dt: + description: The time when the session was created. + name: ocsf.actor.process.session.created_time_dt + type: date +ocsf.actor.process.session.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.session.credential_uid + type: keyword +ocsf.actor.process.session.expiration_time: + description: The session expiration time. + name: ocsf.actor.process.session.expiration_time + type: date +ocsf.actor.process.session.expiration_time_dt: + description: The session expiration time. + name: ocsf.actor.process.session.expiration_time_dt + type: date +ocsf.actor.process.session.is_remote: + description: The indication of whether the session is remote. + name: ocsf.actor.process.session.is_remote + type: boolean +ocsf.actor.process.session.issuer: + description: The identifier of the session issuer. + name: ocsf.actor.process.session.issuer + type: keyword +ocsf.actor.process.session.mfa: + description: "" + name: ocsf.actor.process.session.mfa + type: boolean +ocsf.actor.process.session.uid: + description: The unique identifier of the session. 
+ name: ocsf.actor.process.session.uid + type: keyword +ocsf.actor.process.session.uuid: + description: The universally unique identifier of the session. + name: ocsf.actor.process.session.uuid + type: keyword +ocsf.actor.process.terminated_time_dt: + description: The time when the process was terminated. + name: ocsf.actor.process.terminated_time_dt + type: date +ocsf.actor.process.user.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.actor.process.user.account.name + type: keyword +ocsf.actor.process.user.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.process.user.account.type + type: keyword +ocsf.actor.process.user.account.type_id: + description: The normalized account type identifier. + name: ocsf.actor.process.user.account.type_id + type: keyword +ocsf.actor.process.user.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.actor.process.user.account.uid + type: keyword +ocsf.actor.process.user.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.process.user.credential_uid + type: keyword +ocsf.actor.process.user.groups.desc: + description: The group description. + name: ocsf.actor.process.user.groups.desc + type: keyword +ocsf.actor.process.user.groups.name: + description: The group name. + name: ocsf.actor.process.user.groups.name + type: keyword +ocsf.actor.process.user.groups.privileges: + description: The group privileges. + name: ocsf.actor.process.user.groups.privileges + type: keyword +ocsf.actor.process.user.groups.type: + description: The type of the group or account. + name: ocsf.actor.process.user.groups.type + type: keyword +ocsf.actor.process.user.groups.uid: + description: + The unique identifier of the group. 
For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.process.user.groups.uid + type: keyword +ocsf.actor.process.user.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.actor.process.user.org.name + type: keyword +ocsf.actor.process.user.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.actor.process.user.org.ou_name + type: keyword +ocsf.actor.process.user.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.process.user.org.ou_uid + type: keyword +ocsf.actor.process.user.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.actor.process.user.org.uid + type: keyword +ocsf.actor.process.user.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.actor.process.user.type + type: keyword +ocsf.actor.process.user.type_id: + description: The account type identifier. + name: ocsf.actor.process.user.type_id + type: keyword +ocsf.actor.process.user.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.actor.process.user.uid_alt + type: keyword +ocsf.actor.process.xattributes: + description: + An unordered collection of zero or more name/value pairs that represent + a process extended attribute. + name: ocsf.actor.process.xattributes + type: keyword +ocsf.actor.session.created_time: + description: The time when the session was created. + name: ocsf.actor.session.created_time + type: date +ocsf.actor.session.created_time_dt: + description: The time when the session was created. 
+ name: ocsf.actor.session.created_time_dt + type: date +ocsf.actor.session.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.actor.session.credential_uid + type: keyword +ocsf.actor.session.expiration_time: + description: The session expiration time. + name: ocsf.actor.session.expiration_time + type: date +ocsf.actor.session.expiration_time_dt: + description: The session expiration time. + name: ocsf.actor.session.expiration_time_dt + type: date +ocsf.actor.session.is_remote: + description: The indication of whether the session is remote. + name: ocsf.actor.session.is_remote + type: boolean +ocsf.actor.session.issuer: + description: The identifier of the session issuer. + name: ocsf.actor.session.issuer + type: keyword +ocsf.actor.session.mfa: + description: "" + name: ocsf.actor.session.mfa + type: boolean +ocsf.actor.session.uid: + description: The unique identifier of the session. + name: ocsf.actor.session.uid + type: keyword +ocsf.actor.session.uuid: + description: The universally unique identifier of the session. + name: ocsf.actor.session.uuid + type: keyword +ocsf.actor.user.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.actor.user.account.name + type: keyword +ocsf.actor.user.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.actor.user.account.type + type: keyword +ocsf.actor.user.account.type_id: + description: The normalized account type identifier. + name: ocsf.actor.user.account.type_id + type: keyword +ocsf.actor.user.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.actor.user.account.uid + type: keyword +ocsf.actor.user.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. 
+ name: ocsf.actor.user.credential_uid + type: keyword +ocsf.actor.user.groups.desc: + description: The group description. + name: ocsf.actor.user.groups.desc + type: keyword +ocsf.actor.user.groups.name: + description: The group name. + name: ocsf.actor.user.groups.name + type: keyword +ocsf.actor.user.groups.privileges: + description: The group privileges. + name: ocsf.actor.user.groups.privileges + type: keyword +ocsf.actor.user.groups.type: + description: The type of the group or account. + name: ocsf.actor.user.groups.type + type: keyword +ocsf.actor.user.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.actor.user.groups.uid + type: keyword +ocsf.actor.user.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.actor.user.org.name + type: keyword +ocsf.actor.user.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.actor.user.org.ou_name + type: keyword +ocsf.actor.user.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.actor.user.org.ou_uid + type: keyword +ocsf.actor.user.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.actor.user.org.uid + type: keyword +ocsf.actor.user.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.actor.user.type + type: keyword +ocsf.actor.user.type_id: + description: The account type identifier. + name: ocsf.actor.user.type_id + type: keyword +ocsf.actor.user.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. 
+ name: ocsf.actor.user.uid_alt + type: keyword +ocsf.actual_permissions: + description: The permissions that were granted to the in a platform-native format. + name: ocsf.actual_permissions + type: long +ocsf.analytic.category: + description: The analytic category. + name: ocsf.analytic.category + type: keyword +ocsf.analytic.desc: + description: The description of the analytic that generated the finding. + name: ocsf.analytic.desc + type: keyword +ocsf.analytic.name: + description: The name of the analytic that generated the finding. + name: ocsf.analytic.name + type: keyword +ocsf.analytic.related_analytics.category: + description: The analytic category. + name: ocsf.analytic.related_analytics.category + type: keyword +ocsf.analytic.related_analytics.desc: + description: The description of the analytic that generated the finding. + name: ocsf.analytic.related_analytics.desc + type: keyword +ocsf.analytic.related_analytics.name: + description: The name of the analytic that generated the finding. + name: ocsf.analytic.related_analytics.name + type: keyword +ocsf.analytic.related_analytics.related_analytics: + description: "" + name: ocsf.analytic.related_analytics.related_analytics + type: keyword +ocsf.analytic.related_analytics.type: + description: The analytic type. + name: ocsf.analytic.related_analytics.type + type: keyword +ocsf.analytic.related_analytics.type_id: + description: The analytic type ID. + name: ocsf.analytic.related_analytics.type_id + type: keyword +ocsf.analytic.related_analytics.uid: + description: The unique identifier of the analytic that generated the finding. + name: ocsf.analytic.related_analytics.uid + type: keyword +ocsf.analytic.related_analytics.version: + description: "The analytic version. For example: 1.1." + name: ocsf.analytic.related_analytics.version + type: keyword +ocsf.analytic.type: + description: The analytic type. + name: ocsf.analytic.type + type: keyword +ocsf.analytic.type_id: + description: The analytic type ID. 
+ name: ocsf.analytic.type_id + type: keyword +ocsf.analytic.uid: + description: The unique identifier of the analytic that generated the finding. + name: ocsf.analytic.uid + type: keyword +ocsf.analytic.version: + description: "The analytic version. For example: 1.1." + name: ocsf.analytic.version + type: keyword +ocsf.answers.class: + description: + "The class of DNS data contained in this resource record. See RFC1035. + For example: IN." + name: ocsf.answers.class + type: keyword +ocsf.answers.flag_ids: + description: The list of DNS answer header flag IDs. + name: ocsf.answers.flag_ids + type: keyword +ocsf.answers.flags: + description: The list of DNS answer header flags. + name: ocsf.answers.flags + type: keyword +ocsf.answers.packet_uid: + description: + The DNS packet identifier assigned by the program that generated the + query. The identifier is copied to the response. + name: ocsf.answers.packet_uid + type: keyword +ocsf.answers.rdata: + description: + The data describing the DNS resource. The meaning of this data depends + on the type and class of the resource record. + name: ocsf.answers.rdata + type: keyword +ocsf.answers.ttl: + description: + The time interval that the resource record may be cached. Zero value + means that the resource record can only be used for the transaction in progress, + and should not be cached. + name: ocsf.answers.ttl + type: long +ocsf.answers.type: + description: + "The type of data contained in this resource record. See RFC1035. For + example: CNAME." + name: ocsf.answers.type + type: keyword +ocsf.api.operation: + description: Verb/Operation associated with the request. + name: ocsf.api.operation + type: keyword +ocsf.api.request.flags: + description: + The list of communication flags, normalized to the captions of the + flag_ids values. In the case of 'Other', they are defined by the event source. + name: ocsf.api.request.flags + type: keyword +ocsf.api.request.uid: + description: The unique request identifier. 
+ name: ocsf.api.request.uid + type: keyword +ocsf.api.response.code: + description: The numeric response sent to a request. + name: ocsf.api.response.code + type: long +ocsf.api.response.error: + description: Error Code. + name: ocsf.api.response.error + type: keyword +ocsf.api.response.error_message: + description: Error Message. + name: ocsf.api.response.error_message + type: keyword +ocsf.api.response.flags: + description: + The list of communication flags, normalized to the captions of the + flag_ids values. In the case of 'Other', they are defined by the event source. + name: ocsf.api.response.flags + type: keyword +ocsf.api.response.message: + description: The description of the event, as defined by the event source. + name: ocsf.api.response.message + type: keyword +ocsf.api.service.labels: + description: The list of labels associated with the service. + name: ocsf.api.service.labels + type: keyword +ocsf.api.service.name: + description: The name of the service. + name: ocsf.api.service.name + type: keyword +ocsf.api.service.uid: + description: The unique identifier of the service. + name: ocsf.api.service.uid + type: keyword +ocsf.api.service.version: + description: The version of the service. + name: ocsf.api.service.version + type: keyword +ocsf.api.version: + description: The version of the API service. + name: ocsf.api.version + type: keyword +ocsf.app.feature.name: + description: The name of the feature. + name: ocsf.app.feature.name + type: keyword +ocsf.app.feature.uid: + description: The unique identifier of the feature. + name: ocsf.app.feature.uid + type: keyword +ocsf.app.feature.version: + description: The version of the feature. + name: ocsf.app.feature.version + type: keyword +ocsf.app.lang: + description: The two letter lower case language codes, as defined by ISO 639-1. + name: ocsf.app.lang + type: keyword +ocsf.app.name: + description: The CIS benchmark name. 
+ name: ocsf.app.name + type: keyword +ocsf.app.path: + description: The installation path of the product. + name: ocsf.app.path + type: keyword +ocsf.app.uid: + description: The unique identifier of the product. + name: ocsf.app.uid + type: keyword +ocsf.app.url_string: + description: The URL pointing towards the product. + name: ocsf.app.url_string + type: keyword +ocsf.app.vendor_name: + description: The name of the vendor of the product. + name: ocsf.app.vendor_name + type: keyword +ocsf.app.version: + description: The version of the product, as defined by the event source. + name: ocsf.app.version + type: keyword +ocsf.app_name: + description: The name of the application that is associated with the event or object. + name: ocsf.app_name + type: keyword +ocsf.attacks.tactics.name: + description: + The tactic name that is associated with the attack technique, as defined + by ATT&CK MatrixTM. + name: ocsf.attacks.tactics.name + type: keyword +ocsf.attacks.tactics.uid: + description: + The tactic ID that is associated with the attack technique, as defined + by ATT&CK MatrixTM. + name: ocsf.attacks.tactics.uid + type: keyword +ocsf.attacks.technique.name: + description: + "The name of the attack technique, as defined by ATT&CK MatrixTM. For + example: Drive-by Compromise." + name: ocsf.attacks.technique.name + type: keyword +ocsf.attacks.technique.uid: + description: + "The unique identifier of the attack technique, as defined by ATT&CK + MatrixTM. For example: T1189." + name: ocsf.attacks.technique.uid + type: keyword +ocsf.attacks.version: + description: The ATT&CK Matrix version. + name: ocsf.attacks.version + type: keyword +ocsf.attempt: + description: The attempt number for attempting to deliver the email. + name: ocsf.attempt + type: long +ocsf.auth_protocol: + description: + The authentication protocol as defined by the caption of 'auth_protocol_id'. + In the case of 'Other', it is defined by the event source. 
+ name: ocsf.auth_protocol + type: keyword +ocsf.auth_protocol_id: + description: + The normalized identifier of the authentication protocol used to create + the user session. + name: ocsf.auth_protocol_id + type: keyword +ocsf.banner: + description: + The initial SMTP connection response that a messaging server receives + after it connects to a email server. + name: ocsf.banner + type: keyword +ocsf.base_address: + description: The memory address that was access or requested. + name: ocsf.base_address + type: keyword +ocsf.capabilities: + description: A list of RDP capabilities. + name: ocsf.capabilities + type: keyword +ocsf.category_name: + description: + "The event category name, as defined by category_uid value: Identity + & Access Management." + name: ocsf.category_name + type: keyword +ocsf.category_uid: + description: + The category unique identifier of the event.3 Identity & Access ManagementIdentity + & Access Management (IAM) events relate to the supervision of the system's authentication + and access control model. Examples of such events are the success or failure of + authentication, granting of authority, password change, entity change, privileged + use etc. + name: ocsf.category_uid + type: long +ocsf.certificate.created_time: + description: The time when the certificate was created. + name: ocsf.certificate.created_time + type: date +ocsf.certificate.created_time_dt: + description: The time when the certificate was created. + name: ocsf.certificate.created_time_dt + type: date +ocsf.certificate.expiration_time: + description: The expiration time of the certificate. + name: ocsf.certificate.expiration_time + type: date +ocsf.certificate.expiration_time_dt: + description: The expiration time of the certificate. + name: ocsf.certificate.expiration_time_dt + type: date +ocsf.certificate.fingerprints.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the + event source. + name: ocsf.certificate.fingerprints.algorithm + type: keyword +ocsf.certificate.fingerprints.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.certificate.fingerprints.algorithm_id + type: keyword +ocsf.certificate.fingerprints.value: + description: The digital fingerprint value. + name: ocsf.certificate.fingerprints.value + type: keyword +ocsf.certificate.issuer: + description: The certificate issuer distinguished name. + name: ocsf.certificate.issuer + type: keyword +ocsf.certificate.serial_number: + description: The serial number of the certificate used to create the digital signature. + name: ocsf.certificate.serial_number + type: keyword +ocsf.certificate.subject: + description: The certificate subject distinguished name. + name: ocsf.certificate.subject + type: keyword +ocsf.certificate.version: + description: The certificate version. + name: ocsf.certificate.version + type: keyword +ocsf.cis_benchmark_result.desc: + description: The CIS benchmark description. + name: ocsf.cis_benchmark_result.desc + type: keyword +ocsf.cis_benchmark_result.name: + description: The CIS benchmark name. + name: ocsf.cis_benchmark_result.name + type: keyword +ocsf.cis_benchmark_result.remediation.desc: + description: The description of the remediation strategy. + name: ocsf.cis_benchmark_result.remediation.desc + type: keyword +ocsf.cis_benchmark_result.remediation.kb_articles: + description: The KB article/s related to the entity. + name: ocsf.cis_benchmark_result.remediation.kb_articles + type: keyword +ocsf.cis_benchmark_result.rule.type: + description: The rule type. + name: ocsf.cis_benchmark_result.rule.type + type: keyword +ocsf.cis_csc.control: + description: The CIS critical security control. 
+ name: ocsf.cis_csc.control + type: keyword +ocsf.cis_csc.version: + description: The CIS critical security control version. + name: ocsf.cis_csc.version + type: keyword +ocsf.class_name: + description: "The event class name, as defined by class_uid value: Security Finding." + name: ocsf.class_name + type: keyword +ocsf.class_uid: + description: + The unique identifier of a class. A Class describes the attributes + available in an event.2001 Security FindingSecurity Finding events describe findings, + detections, anomalies, alerts and/or actions performed by security products. + name: ocsf.class_uid + type: keyword +ocsf.client_dialects: + description: The list of SMB dialects that the client speaks. + name: ocsf.client_dialects + type: keyword +ocsf.client_hassh.algorithm: + description: + "The concatenation of key exchange, encryption, authentication and + compression algorithms (separated by ';'). NOTE: This is not the underlying + algorithm for the hash implementation." + name: ocsf.client_hassh.algorithm + type: keyword +ocsf.client_hassh.fingerprint.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.client_hassh.fingerprint.algorithm + type: keyword +ocsf.client_hassh.fingerprint.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.client_hassh.fingerprint.algorithm_id + type: keyword +ocsf.client_hassh.fingerprint.value: + description: The digital fingerprint value. + name: ocsf.client_hassh.fingerprint.value + type: keyword +ocsf.cloud.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. 
+ name: ocsf.cloud.account.type + type: keyword +ocsf.cloud.account.type_id: + description: The normalized account type identifier. + name: ocsf.cloud.account.type_id + type: keyword +ocsf.cloud.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.cloud.org.name + type: keyword +ocsf.cloud.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.cloud.org.ou_name + type: keyword +ocsf.cloud.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.cloud.org.ou_uid + type: keyword +ocsf.cloud.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.cloud.org.uid + type: keyword +ocsf.codes: + description: The list of return codes to the FTP command. + name: ocsf.codes + type: long +ocsf.command: + description: The command name. + name: ocsf.command + type: keyword +ocsf.command_responses: + description: The list of responses to the FTP command. + name: ocsf.command_responses + type: keyword +ocsf.comment: + description: The user provided comment about why the entity was changed. + name: ocsf.comment + type: keyword +ocsf.compliance.requirements: + description: + A list of applicable compliance requirements for which this finding + is related to. + name: ocsf.compliance.requirements + type: keyword +ocsf.compliance.status: + description: + The event status, normalized to the caption of the status_id value. + In the case of 'Other', it is defined by the event source. + name: ocsf.compliance.status + type: keyword +ocsf.compliance.status_detail: + description: + The status details contains additional information about the event + outcome. 
+ name: ocsf.compliance.status_detail + type: keyword +ocsf.component: + description: + The name or relative pathname of a sub-component of the data object, + if applicable. + name: ocsf.component + type: keyword +ocsf.confidence: + description: + The confidence, normalized to the caption of the confidence_id value. + In the case of 'Other', it is defined by the event source. + name: ocsf.confidence + type: keyword +ocsf.confidence_id: + description: + The normalized confidence refers to the accuracy of the rule that created + the finding. A rule with a low confidence means that the finding scope is wide + and may create finding reports that may not be malicious in nature. + name: ocsf.confidence_id + type: keyword +ocsf.confidence_score: + description: The confidence score as reported by the event source. + name: ocsf.confidence_score + type: long +ocsf.connection_info.boundary: + description: + The boundary of the connection, normalized to the caption of 'boundary_id'. + In the case of 'Other', it is defined by the event source.For cloud connections, + this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional + networks, this is described as Local, Internal, or External. + name: ocsf.connection_info.boundary + type: keyword +ocsf.connection_info.boundary_id: + description: + The normalized identifier of the boundary of the connection. For cloud + connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). + For traditional networks, this is described as Local, Internal, or External. + name: ocsf.connection_info.boundary_id + type: keyword +ocsf.connection_info.direction: + description: + The direction of the initiated connection, traffic, or email, normalized + to the caption of the direction_id value. In the case of 'Other', it is defined + by the event source. 
+ name: ocsf.connection_info.direction + type: keyword +ocsf.connection_info.direction_id: + description: + The normalized identifier of the direction of the initiated connection, + traffic, or email. + name: ocsf.connection_info.direction_id + type: keyword +ocsf.connection_info.protocol_ver_id: + description: The Internet Protocol version identifier. + name: ocsf.connection_info.protocol_ver_id + type: keyword +ocsf.connection_info.tcp_flags: + description: The network connection TCP header flags (i.e., control bits). + name: ocsf.connection_info.tcp_flags + type: long +ocsf.connection_info.uid: + description: The unique identifier of the connection. + name: ocsf.connection_info.uid + type: keyword +ocsf.connection_uid: + description: The network connection identifier. + name: ocsf.connection_uid + type: keyword +ocsf.count: + description: + The number of times that events in the same logical group occurred + during the event Start Time to End Time period. + name: ocsf.count + type: long +ocsf.create_mask: + description: The original Windows mask that is required to create the object. + name: ocsf.create_mask + type: keyword +ocsf.data_sources: + description: The data sources for the finding. + name: ocsf.data_sources + type: keyword +ocsf.dce_rpc.command: + description: The request command (e.g. REQUEST, BIND). + name: ocsf.dce_rpc.command + type: keyword +ocsf.dce_rpc.command_response: + description: The reply to the request command (e.g. RESPONSE, BINDACK or FAULT). + name: ocsf.dce_rpc.command_response + type: keyword +ocsf.dce_rpc.flags: + description: The list of interface flags. + name: ocsf.dce_rpc.flags + type: keyword +ocsf.dce_rpc.opnum: + description: + An operation number used to identify a specific remote procedure call + (RPC) method or a method in an interface. 
+ name: ocsf.dce_rpc.opnum + type: long +ocsf.dce_rpc.rpc_interface.ack_reason: + description: + An integer that provides a reason code or additional information about + the acknowledgment result. + name: ocsf.dce_rpc.rpc_interface.ack_reason + type: long +ocsf.dce_rpc.rpc_interface.ack_result: + description: An integer that denotes the acknowledgment result of the DCE/RPC call. + name: ocsf.dce_rpc.rpc_interface.ack_result + type: long +ocsf.dce_rpc.rpc_interface.uuid: + description: The unique identifier of the particular remote procedure or service. + name: ocsf.dce_rpc.rpc_interface.uuid + type: keyword +ocsf.dce_rpc.rpc_interface.version: + description: The version of the DCE/RPC protocol being used in the session. + name: ocsf.dce_rpc.rpc_interface.version + type: keyword +ocsf.device.autoscale_uid: + description: The unique identifier of the cloud autoscale configuration. + name: ocsf.device.autoscale_uid + type: keyword +ocsf.device.created_time: + description: The time when the device was known to have been created. + name: ocsf.device.created_time + type: date +ocsf.device.created_time_dt: + description: TThe time when the device was known to have been created. + name: ocsf.device.created_time_dt + type: date +ocsf.device.desc: + description: + The description of the device, ordinarily as reported by the operating + system. + name: ocsf.device.desc + type: keyword +ocsf.device.first_seen_time: + description: The initial discovery time of the device. + name: ocsf.device.first_seen_time + type: date +ocsf.device.first_seen_time_dt: + description: The initial discovery time of the device. + name: ocsf.device.first_seen_time_dt + type: date +ocsf.device.groups.desc: + description: The group description. + name: ocsf.device.groups.desc + type: keyword +ocsf.device.groups.name: + description: The group name. + name: ocsf.device.groups.name + type: keyword +ocsf.device.groups.privileges: + description: The group privileges. 
+ name: ocsf.device.groups.privileges + type: keyword +ocsf.device.groups.type: + description: The type of the group or account. + name: ocsf.device.groups.type + type: keyword +ocsf.device.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.device.groups.uid + type: keyword +ocsf.device.hw_info.bios_date: + description: "The BIOS date. For example: 03/31/16." + name: ocsf.device.hw_info.bios_date + type: keyword +ocsf.device.hw_info.bios_manufacturer: + description: "The BIOS manufacturer. For example: LENOVO." + name: ocsf.device.hw_info.bios_manufacturer + type: keyword +ocsf.device.hw_info.bios_ver: + description: "The BIOS version. For example: LENOVO G5ETA2WW (2.62)." + name: ocsf.device.hw_info.bios_ver + type: keyword +ocsf.device.hw_info.chassis: + description: + The chassis type describes the system enclosure or physical form factor. + Such as the following examples for Windows Windows Chassis Types. + name: ocsf.device.hw_info.chassis + type: keyword +ocsf.device.hw_info.cpu_bits: + description: + "The cpu architecture, the number of bits used for addressing in memory. + For example: 32 or 64." + name: ocsf.device.hw_info.cpu_bits + type: long +ocsf.device.hw_info.cpu_cores: + description: + "The number of processor cores in all installed processors. For Example: + 42." + name: ocsf.device.hw_info.cpu_cores + type: long +ocsf.device.hw_info.cpu_count: + description: "The number of physical processors on a system. For example: 1." + name: ocsf.device.hw_info.cpu_count + type: long +ocsf.device.hw_info.cpu_speed: + description: "The speed of the processor in Mhz. For Example: 4200." + name: ocsf.device.hw_info.cpu_speed + type: long +ocsf.device.hw_info.cpu_type: + description: "The processor type. For example: x86 Family 6 Model 37 Stepping 5." 
+ name: ocsf.device.hw_info.cpu_type + type: keyword +ocsf.device.hw_info.desktop_display.color_depth: + description: The numeric color depth. + name: ocsf.device.hw_info.desktop_display.color_depth + type: long +ocsf.device.hw_info.desktop_display.physical_height: + description: The numeric physical height of display. + name: ocsf.device.hw_info.desktop_display.physical_height + type: long +ocsf.device.hw_info.desktop_display.physical_orientation: + description: The numeric physical orientation of display. + name: ocsf.device.hw_info.desktop_display.physical_orientation + type: long +ocsf.device.hw_info.desktop_display.physical_width: + description: The numeric physical width of display. + name: ocsf.device.hw_info.desktop_display.physical_width + type: long +ocsf.device.hw_info.desktop_display.scale_factor: + description: The numeric scale factor of display. + name: ocsf.device.hw_info.desktop_display.scale_factor + type: long +ocsf.device.hw_info.keyboard_info.function_keys: + description: The number of function keys on client keyboard. + name: ocsf.device.hw_info.keyboard_info.function_keys + type: long +ocsf.device.hw_info.keyboard_info.ime: + description: The Input Method Editor (IME) file name. + name: ocsf.device.hw_info.keyboard_info.ime + type: keyword +ocsf.device.hw_info.keyboard_info.keyboard_layout: + description: The keyboard locale identifier name (e.g., en-US). + name: ocsf.device.hw_info.keyboard_info.keyboard_layout + type: keyword +ocsf.device.hw_info.keyboard_info.keyboard_subtype: + description: The keyboard numeric code. + name: ocsf.device.hw_info.keyboard_info.keyboard_subtype + type: long +ocsf.device.hw_info.keyboard_info.keyboard_type: + description: The keyboard type (e.g., xt, ico). + name: ocsf.device.hw_info.keyboard_info.keyboard_type + type: keyword +ocsf.device.hw_info.ram_size: + description: "The total amount of installed RAM, in Megabytes. For example: 2048." 
+ name: ocsf.device.hw_info.ram_size + type: long +ocsf.device.hw_info.serial_number: + description: The device manufacturer serial number. + name: ocsf.device.hw_info.serial_number + type: keyword +ocsf.device.hypervisor: + description: + The name of the hypervisor running on the device. For example, Xen, + VMware, Hyper-V, VirtualBox, etc. + name: ocsf.device.hypervisor + type: keyword +ocsf.device.image.labels: + description: The image labels. + name: ocsf.device.image.labels + type: keyword +ocsf.device.image.name: + description: "The image name. For example: elixir." + name: ocsf.device.image.name + type: keyword +ocsf.device.image.path: + description: The full path to the image file. + name: ocsf.device.image.path + type: keyword +ocsf.device.image.tag: + description: "The image tag. For example: 1.11-alpine." + name: ocsf.device.image.tag + type: keyword +ocsf.device.image.uid: + description: "The unique image ID. For example: 77af4d6b9913." + name: ocsf.device.image.uid + type: keyword +ocsf.device.imei: + description: + The International Mobile Station Equipment Identifier that is associated + with the device. + name: ocsf.device.imei + type: keyword +ocsf.device.instance_uid: + description: The unique identifier of a VM instance. + name: ocsf.device.instance_uid + type: keyword +ocsf.device.interface_name: + description: The name of the network interface (e.g. eth2). + name: ocsf.device.interface_name + type: keyword +ocsf.device.interface_uid: + description: The unique identifier of the network interface. + name: ocsf.device.interface_uid + type: keyword +ocsf.device.is_compliant: + description: The event occurred on a compliant device. + name: ocsf.device.is_compliant + type: boolean +ocsf.device.is_managed: + description: The event occurred on a managed device. + name: ocsf.device.is_managed + type: boolean +ocsf.device.is_personal: + description: The event occurred on a personal device. 
+ name: ocsf.device.is_personal + type: boolean +ocsf.device.is_trusted: + description: The event occurred on a trusted device. + name: ocsf.device.is_trusted + type: boolean +ocsf.device.last_seen_time: + description: The most recent discovery time of the device. + name: ocsf.device.last_seen_time + type: date +ocsf.device.last_seen_time_dt: + description: The most recent discovery time of the device. + name: ocsf.device.last_seen_time_dt + type: date +ocsf.device.location.is_on_premises: + description: The indication of whether the location is on premises. + name: ocsf.device.location.is_on_premises + type: boolean +ocsf.device.location.isp: + description: The name of the Internet Service Provider (ISP). + name: ocsf.device.location.isp + type: keyword +ocsf.device.location.provider: + description: The provider of the geographical location data. + name: ocsf.device.location.provider + type: keyword +ocsf.device.modified_time: + description: The time when the device was last known to have been modified. + name: ocsf.device.modified_time + type: date +ocsf.device.modified_time_dt: + description: The time when the device was last known to have been modified. + name: ocsf.device.modified_time_dt + type: date +ocsf.device.network_interfaces.hostname: + description: The hostname associated with the network interface. + name: ocsf.device.network_interfaces.hostname + type: keyword +ocsf.device.network_interfaces.ip: + description: The IP address associated with the network interface. + name: ocsf.device.network_interfaces.ip + type: ip +ocsf.device.network_interfaces.mac: + description: The MAC address of the network interface. + name: ocsf.device.network_interfaces.mac + type: keyword +ocsf.device.network_interfaces.name: + description: The name of the network interface. + name: ocsf.device.network_interfaces.name + type: keyword +ocsf.device.network_interfaces.namespace: + description: + The namespace is useful in merger or acquisition situations. 
For example, + when similar entities exists that you need to keep separate. + name: ocsf.device.network_interfaces.namespace + type: keyword +ocsf.device.network_interfaces.subnet_prefix: + description: + The subnet prefix length determines the number of bits used to represent + the network part of the IP address. The remaining bits are reserved for identifying + individual hosts within that subnet. + name: ocsf.device.network_interfaces.subnet_prefix + type: long +ocsf.device.network_interfaces.type: + description: The type of network interface. + name: ocsf.device.network_interfaces.type + type: keyword +ocsf.device.network_interfaces.type_id: + description: The network interface type identifier. + name: ocsf.device.network_interfaces.type_id + type: keyword +ocsf.device.network_interfaces.uid: + description: The unique identifier for the network interface. + name: ocsf.device.network_interfaces.uid + type: keyword +ocsf.device.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.device.org.name + type: keyword +ocsf.device.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.device.org.ou_name + type: keyword +ocsf.device.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.device.org.ou_uid + type: keyword +ocsf.device.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.device.org.uid + type: keyword +ocsf.device.os.country: + description: + The operating system country code, as defined by the ISO 3166-1 standard + (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 + codes. 
+ name: ocsf.device.os.country + type: keyword +ocsf.device.os.cpu_bits: + description: + The cpu architecture, the number of bits used for addressing in memory. + For example, 32 or 64. + name: ocsf.device.os.cpu_bits + type: long +ocsf.device.os.edition: + description: The operating system edition. For example, Professional. + name: ocsf.device.os.edition + type: keyword +ocsf.device.os.lang: + description: The two letter lower case language codes, as defined by ISO 639-1. + name: ocsf.device.os.lang + type: keyword +ocsf.device.os.sp_name: + description: The name of the latest Service Pack. + name: ocsf.device.os.sp_name + type: keyword +ocsf.device.os.sp_ver: + description: The version number of the latest Service Pack. + name: ocsf.device.os.sp_ver + type: keyword +ocsf.device.os.type: + description: The type of the operating system. + name: ocsf.device.os.type + type: keyword +ocsf.device.os.type_id: + description: The type identifier of the operating system. + name: ocsf.device.os.type_id + type: keyword +ocsf.device.os.version: + description: + The version of the OS running on the device that originated the event. + For example, "Windows 10", "OS X 10.7", or "iOS 9". + name: ocsf.device.os.version + type: keyword +ocsf.device.region: + description: + The region where the virtual machine is located. For example, an AWS + Region. + name: ocsf.device.region + type: keyword +ocsf.device.risk_level_id: + description: The normalized risk level id. + name: ocsf.device.risk_level_id + type: keyword +ocsf.device.subnet: + description: The subnet mask. + name: ocsf.device.subnet + type: keyword +ocsf.device.subnet_uid: + description: The unique identifier of a virtual subnet. + name: ocsf.device.subnet_uid + type: keyword +ocsf.device.type_id: + description: The device type ID. + name: ocsf.device.type_id + type: keyword +ocsf.device.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. 
+ name: ocsf.device.uid_alt + type: keyword +ocsf.device.vpc_uid: + description: The unique identifier of the Virtual Private Cloud (VPC). + name: ocsf.device.vpc_uid + type: keyword +ocsf.dialect: + description: The negotiated protocol dialect. + name: ocsf.dialect + type: keyword +ocsf.direction: + description: The direction of the email, as defined by the direction_id value. + name: ocsf.direction + type: keyword +ocsf.direction_id: + description: The direction of the email relative to the scanning host or organization. + name: ocsf.direction_id + type: keyword +ocsf.disposition: + description: + The event disposition name, normalized to the caption of the disposition_id + value. In the case of 'Other', it is defined by the event source. + name: ocsf.disposition + type: keyword +ocsf.disposition_id: + description: + When security issues, such as malware or policy violations, are detected + and possibly corrected, then disposition_id describes the action taken by the + security product. + name: ocsf.disposition_id + type: keyword +ocsf.driver.file.accessed_time_dt: + description: The time when the file was last accessed. + name: ocsf.driver.file.accessed_time_dt + type: date +ocsf.driver.file.accessor.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.driver.file.accessor.account.name + type: keyword +ocsf.driver.file.accessor.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.driver.file.accessor.account.type + type: keyword +ocsf.driver.file.accessor.account.type_id: + description: The normalized account type identifier. + name: ocsf.driver.file.accessor.account.type_id + type: keyword +ocsf.driver.file.accessor.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). 
+ name: ocsf.driver.file.accessor.account.uid + type: keyword +ocsf.driver.file.accessor.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.driver.file.accessor.credential_uid + type: keyword +ocsf.driver.file.accessor.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.driver.file.accessor.domain + type: keyword +ocsf.driver.file.accessor.email_addr: + description: The user's email address. + name: ocsf.driver.file.accessor.email_addr + type: keyword +ocsf.driver.file.accessor.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.driver.file.accessor.full_name + type: keyword +ocsf.driver.file.accessor.groups.desc: + description: The group description. + name: ocsf.driver.file.accessor.groups.desc + type: keyword +ocsf.driver.file.accessor.groups.name: + description: The group name. + name: ocsf.driver.file.accessor.groups.name + type: keyword +ocsf.driver.file.accessor.groups.privileges: + description: The group privileges. + name: ocsf.driver.file.accessor.groups.privileges + type: keyword +ocsf.driver.file.accessor.groups.type: + description: The type of the group or account. + name: ocsf.driver.file.accessor.groups.type + type: keyword +ocsf.driver.file.accessor.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.driver.file.accessor.groups.uid + type: keyword +ocsf.driver.file.accessor.name: + description: The username. For example, janedoe1. + name: ocsf.driver.file.accessor.name + type: keyword +ocsf.driver.file.accessor.org.name: + description: The name of the organization. For example, Widget, Inc. 
+ name: ocsf.driver.file.accessor.org.name + type: keyword +ocsf.driver.file.accessor.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.driver.file.accessor.org.ou_name + type: keyword +ocsf.driver.file.accessor.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.driver.file.accessor.org.ou_uid + type: keyword +ocsf.driver.file.accessor.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.driver.file.accessor.org.uid + type: keyword +ocsf.driver.file.accessor.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.driver.file.accessor.type + type: keyword +ocsf.driver.file.accessor.type_id: + description: The account type identifier. + name: ocsf.driver.file.accessor.type_id + type: keyword +ocsf.driver.file.accessor.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.driver.file.accessor.uid + type: keyword +ocsf.driver.file.accessor.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.driver.file.accessor.uid_alt + type: keyword +ocsf.driver.file.attributes: + description: The Bitmask value that represents the file attributes. + name: ocsf.driver.file.attributes + type: long +ocsf.driver.file.company_name: + description: + "The name of the company that published the file. For example: Microsoft + Corporation." + name: ocsf.driver.file.company_name + type: keyword +ocsf.driver.file.confidentiality: + description: + The file content confidentiality, normalized to the confidentiality_id + value. In the case of 'Other', it is defined by the event source. 
+ name: ocsf.driver.file.confidentiality + type: keyword +ocsf.driver.file.confidentiality_id: + description: The normalized identifier of the file content confidentiality indicator. + name: ocsf.driver.file.confidentiality_id + type: keyword +ocsf.driver.file.created_time_dt: + description: The time when the file was created. + name: ocsf.driver.file.created_time_dt + type: date +ocsf.driver.file.creator.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.driver.file.creator.account.name + type: keyword +ocsf.driver.file.creator.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.driver.file.creator.account.type + type: keyword +ocsf.driver.file.creator.account.type_id: + description: The normalized account type identifier. + name: ocsf.driver.file.creator.account.type_id + type: keyword +ocsf.driver.file.creator.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.driver.file.creator.account.uid + type: keyword +ocsf.driver.file.creator.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.driver.file.creator.credential_uid + type: keyword +ocsf.driver.file.creator.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.driver.file.creator.domain + type: keyword +ocsf.driver.file.creator.email_addr: + description: The user's email address. + name: ocsf.driver.file.creator.email_addr + type: keyword +ocsf.driver.file.creator.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.driver.file.creator.full_name + type: keyword +ocsf.driver.file.creator.groups.desc: + description: The group description. 
+ name: ocsf.driver.file.creator.groups.desc + type: keyword +ocsf.driver.file.creator.groups.name: + description: The group name. + name: ocsf.driver.file.creator.groups.name + type: keyword +ocsf.driver.file.creator.groups.privileges: + description: The group privileges. + name: ocsf.driver.file.creator.groups.privileges + type: keyword +ocsf.driver.file.creator.groups.type: + description: The type of the group or account. + name: ocsf.driver.file.creator.groups.type + type: keyword +ocsf.driver.file.creator.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.driver.file.creator.groups.uid + type: keyword +ocsf.driver.file.creator.name: + description: The username. For example, janedoe1. + name: ocsf.driver.file.creator.name + type: keyword +ocsf.driver.file.creator.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.driver.file.creator.org.name + type: keyword +ocsf.driver.file.creator.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.driver.file.creator.org.ou_name + type: keyword +ocsf.driver.file.creator.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.driver.file.creator.org.ou_uid + type: keyword +ocsf.driver.file.creator.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.driver.file.creator.org.uid + type: keyword +ocsf.driver.file.creator.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.driver.file.creator.type + type: keyword +ocsf.driver.file.creator.type_id: + description: The account type identifier. 
+ name: ocsf.driver.file.creator.type_id + type: keyword +ocsf.driver.file.creator.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.driver.file.creator.uid + type: keyword +ocsf.driver.file.creator.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.driver.file.creator.uid_alt + type: keyword +ocsf.driver.file.desc: + description: + "The description of the file, as returned by file system. For example: + the description as returned by the Unix file command or the Windows file type." + name: ocsf.driver.file.desc + type: keyword +ocsf.driver.file.hashes.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.driver.file.hashes.algorithm + type: keyword +ocsf.driver.file.hashes.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.driver.file.hashes.algorithm_id + type: keyword +ocsf.driver.file.hashes.value: + description: The digital fingerprint value. + name: ocsf.driver.file.hashes.value + type: keyword +ocsf.driver.file.is_system: + description: The indication of whether the object is part of the operating system. + name: ocsf.driver.file.is_system + type: boolean +ocsf.driver.file.modified_time_dt: + description: The time when the file was last modified. + name: ocsf.driver.file.modified_time_dt + type: date +ocsf.driver.file.modifier.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.driver.file.modifier.account.name + type: keyword +ocsf.driver.file.modifier.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. 
In + the case of 'Other', it is defined by the event source. + name: ocsf.driver.file.modifier.account.type + type: keyword +ocsf.driver.file.modifier.account.type_id: + description: The normalized account type identifier. + name: ocsf.driver.file.modifier.account.type_id + type: keyword +ocsf.driver.file.modifier.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.driver.file.modifier.account.uid + type: keyword +ocsf.driver.file.modifier.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.driver.file.modifier.credential_uid + type: keyword +ocsf.driver.file.modifier.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.driver.file.modifier.domain + type: keyword +ocsf.driver.file.modifier.email_addr: + description: The user's email address. + name: ocsf.driver.file.modifier.email_addr + type: keyword +ocsf.driver.file.modifier.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.driver.file.modifier.full_name + type: keyword +ocsf.driver.file.modifier.groups.desc: + description: The group description. + name: ocsf.driver.file.modifier.groups.desc + type: keyword +ocsf.driver.file.modifier.groups.name: + description: The group name. + name: ocsf.driver.file.modifier.groups.name + type: keyword +ocsf.driver.file.modifier.groups.privileges: + description: The group privileges. + name: ocsf.driver.file.modifier.groups.privileges + type: keyword +ocsf.driver.file.modifier.groups.type: + description: The type of the group or account. + name: ocsf.driver.file.modifier.groups.type + type: keyword +ocsf.driver.file.modifier.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. 
+ name: ocsf.driver.file.modifier.groups.uid + type: keyword +ocsf.driver.file.modifier.name: + description: The username. For example, janedoe1. + name: ocsf.driver.file.modifier.name + type: keyword +ocsf.driver.file.modifier.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.driver.file.modifier.org.name + type: keyword +ocsf.driver.file.modifier.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.driver.file.modifier.org.ou_name + type: keyword +ocsf.driver.file.modifier.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.driver.file.modifier.org.ou_uid + type: keyword +ocsf.driver.file.modifier.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.driver.file.modifier.org.uid + type: keyword +ocsf.driver.file.modifier.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.driver.file.modifier.type + type: keyword +ocsf.driver.file.modifier.type_id: + description: The account type identifier. + name: ocsf.driver.file.modifier.type_id + type: keyword +ocsf.driver.file.modifier.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.driver.file.modifier.uid + type: keyword +ocsf.driver.file.modifier.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.driver.file.modifier.uid_alt + type: keyword +ocsf.driver.file.owner.account.name: + description: The name of the account (e.g. GCP Account Name). 
+ name: ocsf.driver.file.owner.account.name + type: keyword +ocsf.driver.file.owner.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.driver.file.owner.account.type + type: keyword +ocsf.driver.file.owner.account.type_id: + description: The normalized account type identifier. + name: ocsf.driver.file.owner.account.type_id + type: keyword +ocsf.driver.file.owner.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.driver.file.owner.account.uid + type: keyword +ocsf.driver.file.owner.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.driver.file.owner.credential_uid + type: keyword +ocsf.driver.file.owner.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.driver.file.owner.domain + type: keyword +ocsf.driver.file.owner.email_addr: + description: The user's email address. + name: ocsf.driver.file.owner.email_addr + type: keyword +ocsf.driver.file.owner.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.driver.file.owner.full_name + type: keyword +ocsf.driver.file.owner.groups.desc: + description: The group description. + name: ocsf.driver.file.owner.groups.desc + type: keyword +ocsf.driver.file.owner.groups.name: + description: The group name. + name: ocsf.driver.file.owner.groups.name + type: keyword +ocsf.driver.file.owner.groups.privileges: + description: The group privileges. + name: ocsf.driver.file.owner.groups.privileges + type: keyword +ocsf.driver.file.owner.groups.type: + description: The type of the group or account. + name: ocsf.driver.file.owner.groups.type + type: keyword +ocsf.driver.file.owner.groups.uid: + description: + The unique identifier of the group. 
For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.driver.file.owner.groups.uid + type: keyword +ocsf.driver.file.owner.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.driver.file.owner.org.name + type: keyword +ocsf.driver.file.owner.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.driver.file.owner.org.ou_name + type: keyword +ocsf.driver.file.owner.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.driver.file.owner.org.ou_uid + type: keyword +ocsf.driver.file.owner.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.driver.file.owner.org.uid + type: keyword +ocsf.driver.file.owner.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.driver.file.owner.type + type: keyword +ocsf.driver.file.owner.type_id: + description: The account type identifier. + name: ocsf.driver.file.owner.type_id + type: keyword +ocsf.driver.file.owner.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.driver.file.owner.uid_alt + type: keyword +ocsf.driver.file.product.feature.name: + description: The name of the feature. + name: ocsf.driver.file.product.feature.name + type: keyword +ocsf.driver.file.product.feature.uid: + description: The unique identifier of the feature. + name: ocsf.driver.file.product.feature.uid + type: keyword +ocsf.driver.file.product.feature.version: + description: The version of the feature. + name: ocsf.driver.file.product.feature.version + type: keyword +ocsf.driver.file.product.lang: + description: + "The two letter lower case language codes, as defined by ISO 639-1. 
+ For example: en (English), de (German), or fr (French)." + name: ocsf.driver.file.product.lang + type: keyword +ocsf.driver.file.product.name: + description: The name of the product. + name: ocsf.driver.file.product.name + type: keyword +ocsf.driver.file.product.path: + description: The installation path of the product. + name: ocsf.driver.file.product.path + type: keyword +ocsf.driver.file.product.uid: + description: The unique identifier of the product. + name: ocsf.driver.file.product.uid + type: keyword +ocsf.driver.file.product.vendor_name: + description: The name of the vendor of the product. + name: ocsf.driver.file.product.vendor_name + type: keyword +ocsf.driver.file.product.version: + description: + "The version of the product, as defined by the event source. For example: + 2013.1.3-beta." + name: ocsf.driver.file.product.version + type: keyword +ocsf.driver.file.security_descriptor: + description: The object security descriptor. + name: ocsf.driver.file.security_descriptor + type: keyword +ocsf.driver.file.signature.algorithm: + description: + The digital signature algorithm used to create the signature, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.driver.file.signature.algorithm + type: keyword +ocsf.driver.file.signature.algorithm_id: + description: The identifier of the normalized digital signature algorithm. + name: ocsf.driver.file.signature.algorithm_id + type: keyword +ocsf.driver.file.signature.certificate.created_time: + description: The time when the certificate was created. + name: ocsf.driver.file.signature.certificate.created_time + type: date +ocsf.driver.file.signature.certificate.created_time_dt: + description: The time when the certificate was created. + name: ocsf.driver.file.signature.certificate.created_time_dt + type: date +ocsf.driver.file.signature.certificate.expiration_time_dt: + description: The expiration time of the certificate. 
+ name: ocsf.driver.file.signature.certificate.expiration_time_dt + type: date +ocsf.driver.file.signature.certificate.fingerprints.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.driver.file.signature.certificate.fingerprints.algorithm + type: keyword +ocsf.driver.file.signature.certificate.fingerprints.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.driver.file.signature.certificate.fingerprints.algorithm_id + type: keyword +ocsf.driver.file.signature.certificate.fingerprints.value: + description: The digital fingerprint value. + name: ocsf.driver.file.signature.certificate.fingerprints.value + type: keyword +ocsf.driver.file.signature.created_time: + description: The time when the digital signature was created. + name: ocsf.driver.file.signature.created_time + type: date +ocsf.driver.file.signature.created_time_dt: + description: The time when the digital signature was created. + name: ocsf.driver.file.signature.created_time_dt + type: date +ocsf.driver.file.signature.developer_uid: + description: The developer ID on the certificate that signed the file. + name: ocsf.driver.file.signature.developer_uid + type: keyword +ocsf.driver.file.signature.digest.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.driver.file.signature.digest.algorithm + type: keyword +ocsf.driver.file.signature.digest.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. 
+ name: ocsf.driver.file.signature.digest.algorithm_id + type: keyword +ocsf.driver.file.signature.digest.value: + description: The digital fingerprint value. + name: ocsf.driver.file.signature.digest.value + type: keyword +ocsf.driver.file.type_id: + description: The file type ID. + name: ocsf.driver.file.type_id + type: keyword +ocsf.driver.file.version: + description: "The file version. For example: 8.0.7601.17514." + name: ocsf.driver.file.version + type: keyword +ocsf.driver.file.xattributes: + description: + An unordered collection of zero or more name/value pairs where each + pair represents a file or folder extended attribute. + name: ocsf.driver.file.xattributes + type: keyword +ocsf.dst_endpoint.instance_uid: + description: The unique identifier of a VM instance. + name: ocsf.dst_endpoint.instance_uid + type: keyword +ocsf.dst_endpoint.interface_name: + description: The name of the network interface (e.g. eth2). + name: ocsf.dst_endpoint.interface_name + type: keyword +ocsf.dst_endpoint.interface_uid: + description: The unique identifier of the network interface. + name: ocsf.dst_endpoint.interface_uid + type: keyword +ocsf.dst_endpoint.intermediate_ips: + description: + The intermediate IP Addresses. For example, the IP addresses in the + HTTP X-Forwarded-For header. + name: ocsf.dst_endpoint.intermediate_ips + type: ip +ocsf.dst_endpoint.location.is_on_premises: + description: The indication of whether the location is on premises. + name: ocsf.dst_endpoint.location.is_on_premises + type: boolean +ocsf.dst_endpoint.location.isp: + description: The name of the Internet Service Provider (ISP). + name: ocsf.dst_endpoint.location.isp + type: keyword +ocsf.dst_endpoint.location.provider: + description: The provider of the geographical location data. + name: ocsf.dst_endpoint.location.provider + type: keyword +ocsf.dst_endpoint.name: + description: The short name of the endpoint. 
+ name: ocsf.dst_endpoint.name + type: keyword +ocsf.dst_endpoint.subnet_uid: + description: The unique identifier of a virtual subnet. + name: ocsf.dst_endpoint.subnet_uid + type: keyword +ocsf.dst_endpoint.uid: + description: The unique identifier of the endpoint. + name: ocsf.dst_endpoint.uid + type: keyword +ocsf.dst_endpoint.vlan_uid: + description: The Virtual LAN identifier. + name: ocsf.dst_endpoint.vlan_uid + type: keyword +ocsf.dst_endpoint.vpc_uid: + description: The unique identifier of the Virtual Private Cloud (VPC). + name: ocsf.dst_endpoint.vpc_uid + type: keyword +ocsf.duration: + description: + The event duration or aggregate time, the amount of time the event + covers from start_time to end_time in milliseconds. + name: ocsf.duration + type: long +ocsf.email.delivered_to: + description: The Delivered-To email header field. + name: ocsf.email.delivered_to + type: keyword +ocsf.email.raw_header: + description: The email authentication header. + name: ocsf.email.raw_header + type: keyword +ocsf.email.size: + description: The size in bytes of the email, including attachments. + name: ocsf.email.size + type: long +ocsf.email.smtp_from: + description: The value of the SMTP MAIL FROM command. + name: ocsf.email.smtp_from + type: keyword +ocsf.email.smtp_to: + description: The value of the SMTP envelope RCPT TO command. + name: ocsf.email.smtp_to + type: keyword +ocsf.email.x_originating_ip: + description: The X-Originating-IP header identifying the emails originating IP address(es). + name: ocsf.email.x_originating_ip + type: ip +ocsf.email_auth.dkim: + description: The DomainKeys Identified Mail (DKIM) status of the email. + name: ocsf.email_auth.dkim + type: keyword +ocsf.email_auth.dkim_domain: + description: The DomainKeys Identified Mail (DKIM) signing domain of the email. 
+ name: ocsf.email_auth.dkim_domain + type: keyword +ocsf.email_auth.dkim_signature: + description: + The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving + system. + name: ocsf.email_auth.dkim_signature + type: keyword +ocsf.email_auth.dmarc: + description: + The Domain-based Message Authentication, Reporting and Conformance + (DMARC) status of the email. + name: ocsf.email_auth.dmarc + type: keyword +ocsf.email_auth.dmarc_override: + description: + The Domain-based Message Authentication, Reporting and Conformance + (DMARC) override action. + name: ocsf.email_auth.dmarc_override + type: keyword +ocsf.email_auth.dmarc_policy: + description: + The Domain-based Message Authentication, Reporting and Conformance + (DMARC) policy status. + name: ocsf.email_auth.dmarc_policy + type: keyword +ocsf.email_auth.spf: + description: The Sender Policy Framework (SPF) status of the email. + name: ocsf.email_auth.spf + type: keyword +ocsf.end_time_dt: + description: + The end time of a time period, or the time of the most recent event + included in the aggregate event. + name: ocsf.end_time_dt + type: date +ocsf.enrichments.data: + description: + The enrichment data associated with the attribute and value. The meaning + of this data depends on the type the enrichment record. + name: ocsf.enrichments.data + type: keyword +ocsf.enrichments.name: + description: The name of the attribute to which the enriched data pertains. + name: ocsf.enrichments.name + type: keyword +ocsf.enrichments.provider: + description: The enrichment data provider name. + name: ocsf.enrichments.provider + type: keyword +ocsf.enrichments.type: + description: The enrichment type. For example, location. + name: ocsf.enrichments.type + type: keyword +ocsf.enrichments.value: + description: The value of the attribute to which the enriched data pertains. + name: ocsf.enrichments.value + type: keyword +ocsf.entity.data: + description: The managed entity content as a JSON object. 
+ name: ocsf.entity.data + type: keyword +ocsf.entity.name: + description: The name of the managed entity. + name: ocsf.entity.name + type: keyword +ocsf.entity.type: + description: The managed entity type. + name: ocsf.entity.type + type: keyword +ocsf.entity.uid: + description: The identifier of the managed entity. + name: ocsf.entity.uid + type: keyword +ocsf.entity.version: + description: The version of the managed entity. + name: ocsf.entity.version + type: keyword +ocsf.entity_result.data: + description: The managed entity content as a JSON object. + name: ocsf.entity_result.data + type: keyword +ocsf.entity_result.name: + description: The name of the managed entity. + name: ocsf.entity_result.name + type: keyword +ocsf.entity_result.type: + description: The managed entity type. + name: ocsf.entity_result.type + type: keyword +ocsf.entity_result.uid: + description: The identifier of the managed entity. + name: ocsf.entity_result.uid + type: keyword +ocsf.entity_result.version: + description: The version of the managed entity. + name: ocsf.entity_result.version + type: keyword +ocsf.evidence: + description: The data the finding exposes to the analyst. + name: ocsf.evidence + type: keyword +ocsf.expiration_time: + description: The share expiration time. + name: ocsf.expiration_time + type: date +ocsf.expiration_time_dt: + description: The share expiration time. + name: ocsf.expiration_time_dt + type: date +ocsf.file.accessed_time_dt: + description: The time when the file was last accessed. + name: ocsf.file.accessed_time_dt + type: date +ocsf.file.accessor.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.file.accessor.account.name + type: keyword +ocsf.file.accessor.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. 
+ name: ocsf.file.accessor.account.type + type: keyword +ocsf.file.accessor.account.type_id: + description: The normalized account type identifier. + name: ocsf.file.accessor.account.type_id + type: keyword +ocsf.file.accessor.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.file.accessor.account.uid + type: keyword +ocsf.file.accessor.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.file.accessor.credential_uid + type: keyword +ocsf.file.accessor.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.file.accessor.domain + type: keyword +ocsf.file.accessor.email_addr: + description: The user's email address. + name: ocsf.file.accessor.email_addr + type: keyword +ocsf.file.accessor.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.file.accessor.full_name + type: keyword +ocsf.file.accessor.groups.desc: + description: The group description. + name: ocsf.file.accessor.groups.desc + type: keyword +ocsf.file.accessor.groups.name: + description: The group name. + name: ocsf.file.accessor.groups.name + type: keyword +ocsf.file.accessor.groups.privileges: + description: The group privileges. + name: ocsf.file.accessor.groups.privileges + type: keyword +ocsf.file.accessor.groups.type: + description: The type of the group or account. + name: ocsf.file.accessor.groups.type + type: keyword +ocsf.file.accessor.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.file.accessor.groups.uid + type: keyword +ocsf.file.accessor.name: + description: The username. For example, janedoe1. + name: ocsf.file.accessor.name + type: keyword +ocsf.file.accessor.org.name: + description: The name of the organization. 
For example, Widget, Inc. + name: ocsf.file.accessor.org.name + type: keyword +ocsf.file.accessor.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.file.accessor.org.ou_name + type: keyword +ocsf.file.accessor.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.file.accessor.org.ou_uid + type: keyword +ocsf.file.accessor.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.file.accessor.org.uid + type: keyword +ocsf.file.accessor.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.file.accessor.type + type: keyword +ocsf.file.accessor.type_id: + description: The account type identifier. + name: ocsf.file.accessor.type_id + type: keyword +ocsf.file.accessor.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.file.accessor.uid + type: keyword +ocsf.file.accessor.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.file.accessor.uid_alt + type: keyword +ocsf.file.attributes: + description: The Bitmask value that represents the file attributes. + name: ocsf.file.attributes + type: long +ocsf.file.company_name: + description: + "The name of the company that published the file. For example: Microsoft + Corporation." + name: ocsf.file.company_name + type: keyword +ocsf.file.confidentiality: + description: + The file content confidentiality, normalized to the confidentiality_id + value. In the case of 'Other', it is defined by the event source. 
+ name: ocsf.file.confidentiality + type: keyword +ocsf.file.confidentiality_id: + description: The normalized identifier of the file content confidentiality indicator. + name: ocsf.file.confidentiality_id + type: keyword +ocsf.file.created_time_dt: + description: The time when the file was created. + name: ocsf.file.created_time_dt + type: date +ocsf.file.creator.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.file.creator.account.name + type: keyword +ocsf.file.creator.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.file.creator.account.type + type: keyword +ocsf.file.creator.account.type_id: + description: The normalized account type identifier. + name: ocsf.file.creator.account.type_id + type: keyword +ocsf.file.creator.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.file.creator.account.uid + type: keyword +ocsf.file.creator.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.file.creator.credential_uid + type: keyword +ocsf.file.creator.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.file.creator.domain + type: keyword +ocsf.file.creator.email_addr: + description: The user's email address. + name: ocsf.file.creator.email_addr + type: keyword +ocsf.file.creator.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.file.creator.full_name + type: keyword +ocsf.file.creator.groups.desc: + description: The group description. + name: ocsf.file.creator.groups.desc + type: keyword +ocsf.file.creator.groups.name: + description: The group name. 
+ name: ocsf.file.creator.groups.name + type: keyword +ocsf.file.creator.groups.privileges: + description: The group privileges. + name: ocsf.file.creator.groups.privileges + type: keyword +ocsf.file.creator.groups.type: + description: The type of the group or account. + name: ocsf.file.creator.groups.type + type: keyword +ocsf.file.creator.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.file.creator.groups.uid + type: keyword +ocsf.file.creator.name: + description: The username. For example, janedoe1. + name: ocsf.file.creator.name + type: keyword +ocsf.file.creator.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.file.creator.org.name + type: keyword +ocsf.file.creator.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.file.creator.org.ou_name + type: keyword +ocsf.file.creator.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.file.creator.org.ou_uid + type: keyword +ocsf.file.creator.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.file.creator.org.uid + type: keyword +ocsf.file.creator.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.file.creator.type + type: keyword +ocsf.file.creator.type_id: + description: The account type identifier. + name: ocsf.file.creator.type_id + type: keyword +ocsf.file.creator.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.file.creator.uid + type: keyword +ocsf.file.creator.uid_alt: + description: + The alternate user identifier. 
For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.file.creator.uid_alt + type: keyword +ocsf.file.desc: + description: + "The description of the file, as returned by file system. For example: + the description as returned by the Unix file command or the Windows file type." + name: ocsf.file.desc + type: keyword +ocsf.file.hashes.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.file.hashes.algorithm + type: keyword +ocsf.file.hashes.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.file.hashes.algorithm_id + type: keyword +ocsf.file.hashes.value: + description: The digital fingerprint value. + name: ocsf.file.hashes.value + type: keyword +ocsf.file.is_system: + description: The indication of whether the object is part of the operating system. + name: ocsf.file.is_system + type: boolean +ocsf.file.modified_time_dt: + description: The time when the file was last modified. + name: ocsf.file.modified_time_dt + type: date +ocsf.file.modifier.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.file.modifier.account.name + type: keyword +ocsf.file.modifier.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.file.modifier.account.type + type: keyword +ocsf.file.modifier.account.type_id: + description: The normalized account type identifier. + name: ocsf.file.modifier.account.type_id + type: keyword +ocsf.file.modifier.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). 
+ name: ocsf.file.modifier.account.uid + type: keyword +ocsf.file.modifier.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.file.modifier.credential_uid + type: keyword +ocsf.file.modifier.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.file.modifier.domain + type: keyword +ocsf.file.modifier.email_addr: + description: The user's email address. + name: ocsf.file.modifier.email_addr + type: keyword +ocsf.file.modifier.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.file.modifier.full_name + type: keyword +ocsf.file.modifier.groups.desc: + description: The group description. + name: ocsf.file.modifier.groups.desc + type: keyword +ocsf.file.modifier.groups.name: + description: The group name. + name: ocsf.file.modifier.groups.name + type: keyword +ocsf.file.modifier.groups.privileges: + description: The group privileges. + name: ocsf.file.modifier.groups.privileges + type: keyword +ocsf.file.modifier.groups.type: + description: The type of the group or account. + name: ocsf.file.modifier.groups.type + type: keyword +ocsf.file.modifier.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.file.modifier.groups.uid + type: keyword +ocsf.file.modifier.name: + description: The username. For example, janedoe1. + name: ocsf.file.modifier.name + type: keyword +ocsf.file.modifier.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.file.modifier.org.name + type: keyword +ocsf.file.modifier.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. 
+ name: ocsf.file.modifier.org.ou_name + type: keyword +ocsf.file.modifier.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.file.modifier.org.ou_uid + type: keyword +ocsf.file.modifier.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.file.modifier.org.uid + type: keyword +ocsf.file.modifier.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.file.modifier.type + type: keyword +ocsf.file.modifier.type_id: + description: The account type identifier. + name: ocsf.file.modifier.type_id + type: keyword +ocsf.file.modifier.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.file.modifier.uid + type: keyword +ocsf.file.modifier.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.file.modifier.uid_alt + type: keyword +ocsf.file.owner.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.file.owner.account.name + type: keyword +ocsf.file.owner.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.file.owner.account.type + type: keyword +ocsf.file.owner.account.type_id: + description: The normalized account type identifier. + name: ocsf.file.owner.account.type_id + type: keyword +ocsf.file.owner.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.file.owner.account.uid + type: keyword +ocsf.file.owner.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. 
+ name: ocsf.file.owner.credential_uid + type: keyword +ocsf.file.owner.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.file.owner.domain + type: keyword +ocsf.file.owner.email_addr: + description: The user's email address. + name: ocsf.file.owner.email_addr + type: keyword +ocsf.file.owner.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.file.owner.full_name + type: keyword +ocsf.file.owner.groups.desc: + description: The group description. + name: ocsf.file.owner.groups.desc + type: keyword +ocsf.file.owner.groups.name: + description: The group name. + name: ocsf.file.owner.groups.name + type: keyword +ocsf.file.owner.groups.privileges: + description: The group privileges. + name: ocsf.file.owner.groups.privileges + type: keyword +ocsf.file.owner.groups.type: + description: The type of the group or account. + name: ocsf.file.owner.groups.type + type: keyword +ocsf.file.owner.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.file.owner.groups.uid + type: keyword +ocsf.file.owner.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.file.owner.org.name + type: keyword +ocsf.file.owner.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.file.owner.org.ou_name + type: keyword +ocsf.file.owner.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.file.owner.org.ou_uid + type: keyword +ocsf.file.owner.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. 
+ name: ocsf.file.owner.org.uid + type: keyword +ocsf.file.owner.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.file.owner.type + type: keyword +ocsf.file.owner.type_id: + description: The account type identifier. + name: ocsf.file.owner.type_id + type: keyword +ocsf.file.owner.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.file.owner.uid_alt + type: keyword +ocsf.file.product.feature.name: + description: The name of the feature. + name: ocsf.file.product.feature.name + type: keyword +ocsf.file.product.feature.uid: + description: The unique identifier of the feature. + name: ocsf.file.product.feature.uid + type: keyword +ocsf.file.product.feature.version: + description: The version of the feature. + name: ocsf.file.product.feature.version + type: keyword +ocsf.file.product.lang: + description: + "The two letter lower case language codes, as defined by ISO 639-1. + For example: en (English), de (German), or fr (French)." + name: ocsf.file.product.lang + type: keyword +ocsf.file.product.name: + description: The name of the product. + name: ocsf.file.product.name + type: keyword +ocsf.file.product.path: + description: The installation path of the product. + name: ocsf.file.product.path + type: keyword +ocsf.file.product.uid: + description: The unique identifier of the product. + name: ocsf.file.product.uid + type: keyword +ocsf.file.product.url_string: + description: The URL pointing towards the product. + name: ocsf.file.product.url_string + type: keyword +ocsf.file.product.vendor_name: + description: The name of the vendor of the product. + name: ocsf.file.product.vendor_name + type: keyword +ocsf.file.product.version: + description: + "The version of the product, as defined by the event source. For example: + 2013.1.3-beta." 
+ name: ocsf.file.product.version + type: keyword +ocsf.file.security_descriptor: + description: The object security descriptor. + name: ocsf.file.security_descriptor + type: keyword +ocsf.file.signature.algorithm: + description: + The digital signature algorithm used to create the signature, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.file.signature.algorithm + type: keyword +ocsf.file.signature.algorithm_id: + description: The identifier of the normalized digital signature algorithm. + name: ocsf.file.signature.algorithm_id + type: keyword +ocsf.file.signature.certificate.created_time: + description: The time when the certificate was created. + name: ocsf.file.signature.certificate.created_time + type: date +ocsf.file.signature.certificate.created_time_dt: + description: The time when the certificate was created. + name: ocsf.file.signature.certificate.created_time_dt + type: date +ocsf.file.signature.certificate.expiration_time_dt: + description: The expiration time of the certificate. + name: ocsf.file.signature.certificate.expiration_time_dt + type: date +ocsf.file.signature.certificate.fingerprints.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.file.signature.certificate.fingerprints.algorithm + type: keyword +ocsf.file.signature.certificate.fingerprints.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.file.signature.certificate.fingerprints.algorithm_id + type: keyword +ocsf.file.signature.certificate.fingerprints.value: + description: The digital fingerprint value. 
+ name: ocsf.file.signature.certificate.fingerprints.value + type: keyword +ocsf.file.signature.created_time: + description: The time when the digital signature was created. + name: ocsf.file.signature.created_time + type: date +ocsf.file.signature.created_time_dt: + description: The time when the digital signature was created. + name: ocsf.file.signature.created_time_dt + type: date +ocsf.file.signature.developer_uid: + description: The developer ID on the certificate that signed the file. + name: ocsf.file.signature.developer_uid + type: keyword +ocsf.file.signature.digest.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.file.signature.digest.algorithm + type: keyword +ocsf.file.signature.digest.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.file.signature.digest.algorithm_id + type: keyword +ocsf.file.signature.digest.value: + description: The digital fingerprint value. + name: ocsf.file.signature.digest.value + type: keyword +ocsf.file.type_id: + description: The file type ID. + name: ocsf.file.type_id + type: keyword +ocsf.file.version: + description: "The file version. For example: 8.0.7601.17514." + name: ocsf.file.version + type: keyword +ocsf.file.xattributes: + description: + An unordered collection of zero or more name/value pairs where each + pair represents a file or folder extended attribute. + name: ocsf.file.xattributes + type: keyword +ocsf.file_diff: + description: + File content differences used for change detection. For example, a + common use case is to identify itemized changes within INI or configuration/property + setting values. + name: ocsf.file_diff + type: keyword +ocsf.file_result.accessed_time: + description: The time when the file was last accessed. 
+ name: ocsf.file_result.accessed_time + type: date +ocsf.file_result.accessed_time_dt: + description: The time when the file was last accessed. + name: ocsf.file_result.accessed_time_dt + type: date +ocsf.file_result.accessor.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.file_result.accessor.account.name + type: keyword +ocsf.file_result.accessor.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.file_result.accessor.account.type + type: keyword +ocsf.file_result.accessor.account.type_id: + description: The normalized account type identifier. + name: ocsf.file_result.accessor.account.type_id + type: keyword +ocsf.file_result.accessor.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.file_result.accessor.account.uid + type: keyword +ocsf.file_result.accessor.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.file_result.accessor.credential_uid + type: keyword +ocsf.file_result.accessor.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.file_result.accessor.domain + type: keyword +ocsf.file_result.accessor.email_addr: + description: The user's email address. + name: ocsf.file_result.accessor.email_addr + type: keyword +ocsf.file_result.accessor.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.file_result.accessor.full_name + type: keyword +ocsf.file_result.accessor.groups.desc: + description: The group description. + name: ocsf.file_result.accessor.groups.desc + type: keyword +ocsf.file_result.accessor.groups.name: + description: The group name. 
+ name: ocsf.file_result.accessor.groups.name + type: keyword +ocsf.file_result.accessor.groups.privileges: + description: The group privileges. + name: ocsf.file_result.accessor.groups.privileges + type: keyword +ocsf.file_result.accessor.groups.type: + description: The type of the group or account. + name: ocsf.file_result.accessor.groups.type + type: keyword +ocsf.file_result.accessor.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.file_result.accessor.groups.uid + type: keyword +ocsf.file_result.accessor.name: + description: The username. For example, janedoe1. + name: ocsf.file_result.accessor.name + type: keyword +ocsf.file_result.accessor.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.file_result.accessor.org.name + type: keyword +ocsf.file_result.accessor.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.file_result.accessor.org.ou_name + type: keyword +ocsf.file_result.accessor.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.file_result.accessor.org.ou_uid + type: keyword +ocsf.file_result.accessor.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.file_result.accessor.org.uid + type: keyword +ocsf.file_result.accessor.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.file_result.accessor.type + type: keyword +ocsf.file_result.accessor.type_id: + description: The account type identifier. + name: ocsf.file_result.accessor.type_id + type: keyword +ocsf.file_result.accessor.uid: + description: + The unique user identifier. 
For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.file_result.accessor.uid + type: keyword +ocsf.file_result.accessor.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.file_result.accessor.uid_alt + type: keyword +ocsf.file_result.attributes: + description: The Bitmask value that represents the file attributes. + name: ocsf.file_result.attributes + type: long +ocsf.file_result.company_name: + description: + "The name of the company that published the file. For example: Microsoft + Corporation." + name: ocsf.file_result.company_name + type: keyword +ocsf.file_result.confidentiality: + description: + The file content confidentiality, normalized to the confidentiality_id + value. In the case of 'Other', it is defined by the event source. + name: ocsf.file_result.confidentiality + type: keyword +ocsf.file_result.confidentiality_id: + description: The normalized identifier of the file content confidentiality indicator. + name: ocsf.file_result.confidentiality_id + type: keyword +ocsf.file_result.created_time: + description: The time when the file was created. + name: ocsf.file_result.created_time + type: date +ocsf.file_result.created_time_dt: + description: The time when the file was created. + name: ocsf.file_result.created_time_dt + type: date +ocsf.file_result.creator.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.file_result.creator.account.name + type: keyword +ocsf.file_result.creator.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.file_result.creator.account.type + type: keyword +ocsf.file_result.creator.account.type_id: + description: The normalized account type identifier. 
+ name: ocsf.file_result.creator.account.type_id + type: keyword +ocsf.file_result.creator.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.file_result.creator.account.uid + type: keyword +ocsf.file_result.creator.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.file_result.creator.credential_uid + type: keyword +ocsf.file_result.creator.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.file_result.creator.domain + type: keyword +ocsf.file_result.creator.email_addr: + description: The user's email address. + name: ocsf.file_result.creator.email_addr + type: keyword +ocsf.file_result.creator.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.file_result.creator.full_name + type: keyword +ocsf.file_result.creator.groups.desc: + description: The group description. + name: ocsf.file_result.creator.groups.desc + type: keyword +ocsf.file_result.creator.groups.name: + description: The group name. + name: ocsf.file_result.creator.groups.name + type: keyword +ocsf.file_result.creator.groups.privileges: + description: The group privileges. + name: ocsf.file_result.creator.groups.privileges + type: keyword +ocsf.file_result.creator.groups.type: + description: The type of the group or account. + name: ocsf.file_result.creator.groups.type + type: keyword +ocsf.file_result.creator.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.file_result.creator.groups.uid + type: keyword +ocsf.file_result.creator.name: + description: The username. For example, janedoe1. + name: ocsf.file_result.creator.name + type: keyword +ocsf.file_result.creator.org.name: + description: The name of the organization. 
For example, Widget, Inc. + name: ocsf.file_result.creator.org.name + type: keyword +ocsf.file_result.creator.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.file_result.creator.org.ou_name + type: keyword +ocsf.file_result.creator.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.file_result.creator.org.ou_uid + type: keyword +ocsf.file_result.creator.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.file_result.creator.org.uid + type: keyword +ocsf.file_result.creator.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.file_result.creator.type + type: keyword +ocsf.file_result.creator.type_id: + description: The account type identifier. + name: ocsf.file_result.creator.type_id + type: keyword +ocsf.file_result.creator.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.file_result.creator.uid + type: keyword +ocsf.file_result.creator.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.file_result.creator.uid_alt + type: keyword +ocsf.file_result.desc: + description: + "The description of the file, as returned by file system. For example: + the description as returned by the Unix file command or the Windows file type." + name: ocsf.file_result.desc + type: keyword +ocsf.file_result.hashes.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. 
+ name: ocsf.file_result.hashes.algorithm + type: keyword +ocsf.file_result.hashes.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.file_result.hashes.algorithm_id + type: keyword +ocsf.file_result.hashes.value: + description: The digital fingerprint value. + name: ocsf.file_result.hashes.value + type: keyword +ocsf.file_result.is_system: + description: The indication of whether the object is part of the operating system. + name: ocsf.file_result.is_system + type: boolean +ocsf.file_result.mime_type: + description: + The Multipurpose Internet Mail Extensions (MIME) type of the file, + if applicable. + name: ocsf.file_result.mime_type + type: keyword +ocsf.file_result.modified_time: + description: The time when the file was last modified. + name: ocsf.file_result.modified_time + type: date +ocsf.file_result.modified_time_dt: + description: The time when the file was last modified. + name: ocsf.file_result.modified_time_dt + type: date +ocsf.file_result.modifier.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.file_result.modifier.account.name + type: keyword +ocsf.file_result.modifier.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.file_result.modifier.account.type + type: keyword +ocsf.file_result.modifier.account.type_id: + description: The normalized account type identifier. + name: ocsf.file_result.modifier.account.type_id + type: keyword +ocsf.file_result.modifier.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.file_result.modifier.account.uid + type: keyword +ocsf.file_result.modifier.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. 
+ name: ocsf.file_result.modifier.credential_uid + type: keyword +ocsf.file_result.modifier.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.file_result.modifier.domain + type: keyword +ocsf.file_result.modifier.email_addr: + description: The user's email address. + name: ocsf.file_result.modifier.email_addr + type: keyword +ocsf.file_result.modifier.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.file_result.modifier.full_name + type: keyword +ocsf.file_result.modifier.groups.desc: + description: The group description. + name: ocsf.file_result.modifier.groups.desc + type: keyword +ocsf.file_result.modifier.groups.name: + description: The group name. + name: ocsf.file_result.modifier.groups.name + type: keyword +ocsf.file_result.modifier.groups.privileges: + description: The group privileges. + name: ocsf.file_result.modifier.groups.privileges + type: keyword +ocsf.file_result.modifier.groups.type: + description: The type of the group or account. + name: ocsf.file_result.modifier.groups.type + type: keyword +ocsf.file_result.modifier.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.file_result.modifier.groups.uid + type: keyword +ocsf.file_result.modifier.name: + description: The username. For example, janedoe1. + name: ocsf.file_result.modifier.name + type: keyword +ocsf.file_result.modifier.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.file_result.modifier.org.name + type: keyword +ocsf.file_result.modifier.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. 
+ name: ocsf.file_result.modifier.org.ou_name + type: keyword +ocsf.file_result.modifier.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.file_result.modifier.org.ou_uid + type: keyword +ocsf.file_result.modifier.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.file_result.modifier.org.uid + type: keyword +ocsf.file_result.modifier.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.file_result.modifier.type + type: keyword +ocsf.file_result.modifier.type_id: + description: The account type identifier. + name: ocsf.file_result.modifier.type_id + type: keyword +ocsf.file_result.modifier.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.file_result.modifier.uid + type: keyword +ocsf.file_result.modifier.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.file_result.modifier.uid_alt + type: keyword +ocsf.file_result.name: + description: "The name of the file. For example: svchost.exe." + name: ocsf.file_result.name + type: keyword +ocsf.file_result.owner.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.file_result.owner.account.name + type: keyword +ocsf.file_result.owner.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.file_result.owner.account.type + type: keyword +ocsf.file_result.owner.account.type_id: + description: The normalized account type identifier. 
+ name: ocsf.file_result.owner.account.type_id + type: keyword +ocsf.file_result.owner.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.file_result.owner.account.uid + type: keyword +ocsf.file_result.owner.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.file_result.owner.credential_uid + type: keyword +ocsf.file_result.owner.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.file_result.owner.domain + type: keyword +ocsf.file_result.owner.email_addr: + description: The user's email address. + name: ocsf.file_result.owner.email_addr + type: keyword +ocsf.file_result.owner.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.file_result.owner.full_name + type: keyword +ocsf.file_result.owner.groups.desc: + description: The group description. + name: ocsf.file_result.owner.groups.desc + type: keyword +ocsf.file_result.owner.groups.name: + description: The group name. + name: ocsf.file_result.owner.groups.name + type: keyword +ocsf.file_result.owner.groups.privileges: + description: The group privileges. + name: ocsf.file_result.owner.groups.privileges + type: keyword +ocsf.file_result.owner.groups.type: + description: The type of the group or account. + name: ocsf.file_result.owner.groups.type + type: keyword +ocsf.file_result.owner.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.file_result.owner.groups.uid + type: keyword +ocsf.file_result.owner.name: + description: The username. For example, janedoe1. + name: ocsf.file_result.owner.name + type: keyword +ocsf.file_result.owner.org.name: + description: The name of the organization. For example, Widget, Inc. 
+ name: ocsf.file_result.owner.org.name + type: keyword +ocsf.file_result.owner.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.file_result.owner.org.ou_name + type: keyword +ocsf.file_result.owner.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.file_result.owner.org.ou_uid + type: keyword +ocsf.file_result.owner.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.file_result.owner.org.uid + type: keyword +ocsf.file_result.owner.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.file_result.owner.type + type: keyword +ocsf.file_result.owner.type_id: + description: The account type identifier. + name: ocsf.file_result.owner.type_id + type: keyword +ocsf.file_result.owner.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.file_result.owner.uid + type: keyword +ocsf.file_result.owner.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.file_result.owner.uid_alt + type: keyword +ocsf.file_result.parent_folder: + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + name: ocsf.file_result.parent_folder + type: keyword +ocsf.file_result.path: + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + name: ocsf.file_result.path + type: keyword +ocsf.file_result.product.feature.name: + description: The name of the feature. + name: ocsf.file_result.product.feature.name + type: keyword +ocsf.file_result.product.feature.uid: + description: The unique identifier of the feature. 
+ name: ocsf.file_result.product.feature.uid + type: keyword +ocsf.file_result.product.feature.version: + description: The version of the feature. + name: ocsf.file_result.product.feature.version + type: keyword +ocsf.file_result.product.lang: + description: + "The two letter lower case language codes, as defined by ISO 639-1. + For example: en (English), de (German), or fr (French)." + name: ocsf.file_result.product.lang + type: keyword +ocsf.file_result.product.name: + description: The name of the product. + name: ocsf.file_result.product.name + type: keyword +ocsf.file_result.product.path: + description: The installation path of the product. + name: ocsf.file_result.product.path + type: keyword +ocsf.file_result.product.uid: + description: The unique identifier of the product. + name: ocsf.file_result.product.uid + type: keyword +ocsf.file_result.product.vendor_name: + description: The name of the vendor of the product. + name: ocsf.file_result.product.vendor_name + type: keyword +ocsf.file_result.product.version: + description: + "The version of the product, as defined by the event source. For example: + 2013.1.3-beta." + name: ocsf.file_result.product.version + type: keyword +ocsf.file_result.security_descriptor: + description: The object security descriptor. + name: ocsf.file_result.security_descriptor + type: keyword +ocsf.file_result.signature.algorithm: + description: + The digital signature algorithm used to create the signature, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.file_result.signature.algorithm + type: keyword +ocsf.file_result.signature.algorithm_id: + description: The identifier of the normalized digital signature algorithm. + name: ocsf.file_result.signature.algorithm_id + type: keyword +ocsf.file_result.signature.certificate.created_time: + description: The time when the certificate was created. 
+ name: ocsf.file_result.signature.certificate.created_time + type: date +ocsf.file_result.signature.certificate.created_time_dt: + description: The time when the certificate was created. + name: ocsf.file_result.signature.certificate.created_time_dt + type: date +ocsf.file_result.signature.certificate.expiration_time: + description: The expiration time of the certificate. + name: ocsf.file_result.signature.certificate.expiration_time + type: date +ocsf.file_result.signature.certificate.expiration_time_dt: + description: The expiration time of the certificate. + name: ocsf.file_result.signature.certificate.expiration_time_dt + type: date +ocsf.file_result.signature.certificate.fingerprints.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.file_result.signature.certificate.fingerprints.algorithm + type: keyword +ocsf.file_result.signature.certificate.fingerprints.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.file_result.signature.certificate.fingerprints.algorithm_id + type: keyword +ocsf.file_result.signature.certificate.fingerprints.value: + description: The digital fingerprint value. + name: ocsf.file_result.signature.certificate.fingerprints.value + type: keyword +ocsf.file_result.signature.certificate.issuer: + description: The certificate issuer distinguished name. + name: ocsf.file_result.signature.certificate.issuer + type: keyword +ocsf.file_result.signature.certificate.serial_number: + description: The serial number of the certificate used to create the digital signature. + name: ocsf.file_result.signature.certificate.serial_number + type: keyword +ocsf.file_result.signature.certificate.subject: + description: The certificate subject distinguished name. 
+ name: ocsf.file_result.signature.certificate.subject + type: keyword +ocsf.file_result.signature.certificate.version: + description: The certificate version. + name: ocsf.file_result.signature.certificate.version + type: keyword +ocsf.file_result.signature.created_time: + description: The time when the digital signature was created. + name: ocsf.file_result.signature.created_time + type: date +ocsf.file_result.signature.created_time_dt: + description: The time when the digital signature was created. + name: ocsf.file_result.signature.created_time_dt + type: date +ocsf.file_result.signature.developer_uid: + description: The developer ID on the certificate that signed the file. + name: ocsf.file_result.signature.developer_uid + type: keyword +ocsf.file_result.signature.digest.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.file_result.signature.digest.algorithm + type: keyword +ocsf.file_result.signature.digest.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.file_result.signature.digest.algorithm_id + type: keyword +ocsf.file_result.signature.digest.value: + description: The digital fingerprint value. + name: ocsf.file_result.signature.digest.value + type: keyword +ocsf.file_result.size: + description: The size of data, in bytes. + name: ocsf.file_result.size + type: long +ocsf.file_result.type: + description: The file type. + name: ocsf.file_result.type + type: keyword +ocsf.file_result.type_id: + description: The file type ID. + name: ocsf.file_result.type_id + type: keyword +ocsf.file_result.uid: + description: + The unique identifier of the file as defined by the storage system, + such the file system file ID. 
+ name: ocsf.file_result.uid + type: keyword +ocsf.file_result.version: + description: "The file version. For example: 8.0.7601.17514." + name: ocsf.file_result.version + type: keyword +ocsf.file_result.xattributes: + description: + An unordered collection of zero or more name/value pairs where each + pair represents a file or folder extended attribute. + name: ocsf.file_result.xattributes + type: keyword +ocsf.finding.created_time_dt: + description: The time when the finding was created. + name: ocsf.finding.created_time_dt + type: date +ocsf.finding.desc: + description: The description of the reported finding. + name: ocsf.finding.desc + type: keyword +ocsf.finding.first_seen_time: + description: The time when the finding was first observed. + name: ocsf.finding.first_seen_time + type: date +ocsf.finding.first_seen_time_dt: + description: The time when the finding was first observed. + name: ocsf.finding.first_seen_time_dt + type: date +ocsf.finding.last_seen_time: + description: The time when the finding was most recently observed. + name: ocsf.finding.last_seen_time + type: date +ocsf.finding.last_seen_time_dt: + description: The time when the finding was most recently observed. + name: ocsf.finding.last_seen_time_dt + type: date +ocsf.finding.modified_time: + description: The time when the finding was last modified. + name: ocsf.finding.modified_time + type: date +ocsf.finding.modified_time_dt: + description: The time when the finding was last modified. + name: ocsf.finding.modified_time_dt + type: date +ocsf.finding.product_uid: + description: The unique identifier of the product that reported the finding. + name: ocsf.finding.product_uid + type: keyword +ocsf.finding.related_events.product_uid: + description: The unique identifier of the product that reported the related event. + name: ocsf.finding.related_events.product_uid + type: keyword +ocsf.finding.related_events.type: + description: "The type of the related event. 
For example: Process Activity: Launch." + name: ocsf.finding.related_events.type + type: keyword +ocsf.finding.related_events.type_uid: + description: "The unique identifier of the related event type. For example: 100701." + name: ocsf.finding.related_events.type_uid + type: keyword +ocsf.finding.related_events.uid: + description: The unique identifier of the related event. + name: ocsf.finding.related_events.uid + type: keyword +ocsf.finding.remediation.desc: + description: The description of the remediation strategy. + name: ocsf.finding.remediation.desc + type: keyword +ocsf.finding.remediation.kb_articles: + description: The KB article/s related to the entity. + name: ocsf.finding.remediation.kb_articles + type: keyword +ocsf.finding.supporting_data: + description: Additional data supporting a finding as provided by security tool. + name: ocsf.finding.supporting_data + type: keyword +ocsf.finding.title: + description: The title of the reported finding. + name: ocsf.finding.title + type: keyword +ocsf.finding.types: + description: One or more types of the reported finding. + name: ocsf.finding.types + type: keyword +ocsf.finding.uid: + description: The unique identifier of the reported finding. + name: ocsf.finding.uid + type: keyword +ocsf.group.desc: + description: The group description. + name: ocsf.group.desc + type: keyword +ocsf.group.privileges: + description: The group privileges. + name: ocsf.group.privileges + type: keyword +ocsf.group.type: + description: The type of the group or account. + name: ocsf.group.type + type: keyword +ocsf.http_request.args: + description: The arguments sent along with the HTTP request. + name: ocsf.http_request.args + type: keyword +ocsf.http_request.http_headers.name: + description: The name of the header. + name: ocsf.http_request.http_headers.name + type: keyword +ocsf.http_request.http_headers.value: + description: The value of the header. 
+ name: ocsf.http_request.http_headers.value + type: keyword +ocsf.http_request.url.categories: + description: The Website categorization names, as defined by category_ids enum values. + name: ocsf.http_request.url.categories + type: keyword +ocsf.http_request.url.category_ids: + description: The Website categorization identifies. + name: ocsf.http_request.url.category_ids + type: keyword +ocsf.http_request.url.resource_type: + description: The context in which a resource was retrieved in a web request. + name: ocsf.http_request.url.resource_type + type: keyword +ocsf.http_request.x_forwarded_for: + description: + The X-Forwarded-For header identifying the originating IP address(es) + of a client connecting to a web server through an HTTP proxy or a load balancer. + name: ocsf.http_request.x_forwarded_for + type: ip +ocsf.http_response.content_type: + description: + The request header that identifies the original media type of the resource + (prior to any content encoding applied for sending). + name: ocsf.http_response.content_type + type: keyword +ocsf.http_response.latency: + description: The HTTP response latency. In seconds, milliseconds, etc. + name: ocsf.http_response.latency + type: long +ocsf.http_response.status: + description: The response status. + name: ocsf.http_response.status + type: keyword +ocsf.http_status: + description: + The Hypertext Transfer Protocol (HTTP) status code returned to the + client. + name: ocsf.http_status + type: long +ocsf.identifier_cookie: + description: The client identifier cookie during client/server exchange. + name: ocsf.identifier_cookie + type: keyword +ocsf.impact: + description: + The impact , normalized to the caption of the impact_id value. In the + case of 'Other', it is defined by the event source. + name: ocsf.impact + type: keyword +ocsf.impact_id: + description: The normalized impact of the finding. 
+ name: ocsf.impact_id + type: keyword +ocsf.impact_score: + description: The impact of the finding, valid range 0-100. + name: ocsf.impact_score + type: long +ocsf.injection_type: + description: + The process injection method, normalized to the caption of the injection_type_id + value. In the case of 'Other', it is defined by the event source. + name: ocsf.injection_type + type: keyword +ocsf.injection_type_id: + description: The normalized identifier of the process injection method. + name: ocsf.injection_type_id + type: keyword +ocsf.is_cleartext: + description: + "Indicates whether the credentials were passed in clear text.Note: + True if the credentials were passed in a clear text protocol such as FTP or TELNET, + or if Windows detected that a user's logon password was passed to the authentication + package in clear text." + name: ocsf.is_cleartext + type: boolean +ocsf.is_mfa: + description: Indicates whether Multi Factor Authentication was used during authentication. + name: ocsf.is_mfa + type: boolean +ocsf.is_new_logon: + description: + Indicates logon is from a device not seen before or a first time account + logon. + name: ocsf.is_new_logon + type: boolean +ocsf.is_remote: + description: The attempted authentication is over a remote connection. + name: ocsf.is_remote + type: boolean +ocsf.is_renewal: + description: The indication of whether this is a lease/session renewal event. + name: ocsf.is_renewal + type: boolean +ocsf.kernel.is_system: + description: The indication of whether the object is part of the operating system. + name: ocsf.kernel.is_system + type: boolean +ocsf.kernel.name: + description: The name of the kernel resource. + name: ocsf.kernel.name + type: keyword +ocsf.kernel.path: + description: The full path of the kernel resource. + name: ocsf.kernel.path + type: keyword +ocsf.kernel.system_call: + description: The system call that was invoked. 
+ name: ocsf.kernel.system_call + type: keyword +ocsf.kernel.type: + description: The type of the kernel resource. + name: ocsf.kernel.type + type: keyword +ocsf.kernel.type_id: + description: The type id of the kernel resource. + name: ocsf.kernel.type_id + type: keyword +ocsf.kill_chain.phase: + description: The cyber kill chain phase. + name: ocsf.kill_chain.phase + type: keyword +ocsf.kill_chain.phase_id: + description: The cyber kill chain phase identifier. + name: ocsf.kill_chain.phase_id + type: keyword +ocsf.lease_dur: + description: + This represents the length of the DHCP lease in seconds. This is present + in DHCP Ack events. (activity_id = 1) + name: ocsf.lease_dur + type: long +ocsf.logon_type: + description: + The logon type, normalized to the caption of the logon_type_id value. + In the case of 'Other', it is defined by the event source. + name: ocsf.logon_type + type: keyword +ocsf.logon_type_id: + description: The normalized logon type identifier + name: ocsf.logon_type_id + type: keyword +ocsf.malware.classification_ids: + description: The list of normalized identifiers of the malware classifications. + name: ocsf.malware.classification_ids + type: keyword +ocsf.malware.classifications: + description: + The list of malware classifications, normalized to the captions of + the classification_id values. In the case of 'Other', they are defined by the + event source. + name: ocsf.malware.classifications + type: keyword +ocsf.malware.cves.created_time: + description: + The Record Creation Date identifies when the CVE ID was issued to a + CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. + Note that the Record Creation Date does not necessarily indicate when this vulnerability + was discovered, shared with the affected vendor, publicly disclosed, or updated + in CVE. 
+ name: ocsf.malware.cves.created_time + type: date +ocsf.malware.cves.created_time_dt: + description: + The Record Creation Date identifies when the CVE ID was issued to a + CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. + Note that the Record Creation Date does not necessarily indicate when this vulnerability + was discovered, shared with the affected vendor, publicly disclosed, or updated + in CVE. + name: ocsf.malware.cves.created_time_dt + type: date +ocsf.malware.cves.cvss.base_score: + description: The CVSS base score. + name: ocsf.malware.cves.cvss.base_score + type: keyword +ocsf.malware.cves.cvss.depth: + description: + The CVSS depth represents a depth of the equation used to calculate + CVSS score. + name: ocsf.malware.cves.cvss.depth + type: keyword +ocsf.malware.cves.cvss.metrics.name: + description: The name of the metric. + name: ocsf.malware.cves.cvss.metrics.name + type: keyword +ocsf.malware.cves.cvss.metrics.value: + description: The value of the metric. + name: ocsf.malware.cves.cvss.metrics.value + type: keyword +ocsf.malware.cves.cvss.overall_score: + description: + The CVSS overall score, impacted by base, temporal, and environmental + metrics. + name: ocsf.malware.cves.cvss.overall_score + type: keyword +ocsf.malware.cves.cvss.severity: + description: + The Common Vulnerability Scoring System (CVSS) Qualitative Severity + Rating. A textual representation of the numeric score. + name: ocsf.malware.cves.cvss.severity + type: keyword +ocsf.malware.cves.cvss.vector_string: + description: + "The CVSS vector string is a text representation of a set of CVSS metrics. + It is commonly used to record or transfer CVSS metric information in a concise + form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H." + name: ocsf.malware.cves.cvss.vector_string + type: keyword +ocsf.malware.cves.cvss.version: + description: The CVSS version. 
+ name: ocsf.malware.cves.cvss.version + type: keyword +ocsf.malware.cves.cwe_uid: + description: + "The Common Weakness Enumeration (CWE) unique identifier. For example: + CWE-787." + name: ocsf.malware.cves.cwe_uid + type: keyword +ocsf.malware.cves.cwe_url: + description: Common Weakness Enumeration (CWE) definition URL. + name: ocsf.malware.cves.cwe_url + type: keyword +ocsf.malware.cves.modified_time: + description: The Record Modified Date identifies when the CVE record was last updated. + name: ocsf.malware.cves.modified_time + type: date +ocsf.malware.cves.modified_time_dt: + description: The Record Modified Date identifies when the CVE record was last updated. + name: ocsf.malware.cves.modified_time_dt + type: date +ocsf.malware.cves.product.feature.name: + description: The name of the feature. + name: ocsf.malware.cves.product.feature.name + type: keyword +ocsf.malware.cves.product.feature.uid: + description: The unique identifier of the feature. + name: ocsf.malware.cves.product.feature.uid + type: keyword +ocsf.malware.cves.product.feature.version: + description: The version of the feature. + name: ocsf.malware.cves.product.feature.version + type: keyword +ocsf.malware.cves.product.lang: + description: The two letter lower case language codes, as defined by ISO 639-1. + name: ocsf.malware.cves.product.lang + type: keyword +ocsf.malware.cves.product.name: + description: The name of the product. + name: ocsf.malware.cves.product.name + type: keyword +ocsf.malware.cves.product.path: + description: The installation path of the product. + name: ocsf.malware.cves.product.path + type: keyword +ocsf.malware.cves.product.uid: + description: The unique identifier of the product. + name: ocsf.malware.cves.product.uid + type: keyword +ocsf.malware.cves.product.url_string: + description: The URL pointing towards the product. 
+ name: ocsf.malware.cves.product.url_string + type: keyword +ocsf.malware.cves.product.vendor_name: + description: The name of the vendor of the product. + name: ocsf.malware.cves.product.vendor_name + type: keyword +ocsf.malware.cves.product.version: + description: + "The version of the product, as defined by the event source. For example: + 2013.1.3-beta." + name: ocsf.malware.cves.product.version + type: keyword +ocsf.malware.cves.type: + description: + The vulnerability type as selected from a large dropdown menu during + CVE refinement. + name: ocsf.malware.cves.type + type: keyword +ocsf.malware.cves.uid: + description: + "The Common Vulnerabilities and Exposures unique number assigned to + a specific computer vulnerability. A CVE Identifier begins with 4 digits representing + the year followed by a sequence of digits that acts as a unique identifier. For + example: CVE-2021-12345." + name: ocsf.malware.cves.uid + type: keyword +ocsf.malware.name: + description: The malware name, as reported by the detection engine. + name: ocsf.malware.name + type: keyword +ocsf.malware.path: + description: The filesystem path of the malware that was observed. + name: ocsf.malware.path + type: keyword +ocsf.malware.provider: + description: The provider of the malware information. + name: ocsf.malware.provider + type: keyword +ocsf.malware.uid: + description: + The malware unique identifier, as reported by the detection engine. + For example a virus id or an IPS signature id. + name: ocsf.malware.uid + type: keyword +ocsf.metadata.correlation_uid: + description: The unique identifier used to correlate events. + name: ocsf.metadata.correlation_uid + type: keyword +ocsf.metadata.extension.name: + description: "The schema extension name. For example: dev." + name: ocsf.metadata.extension.name + type: keyword +ocsf.metadata.extension.uid: + description: "The schema extension unique identifier. For example: 999." 
+ name: ocsf.metadata.extension.uid + type: keyword +ocsf.metadata.extension.version: + description: "The schema extension version. For example: 1.0.0-alpha.2." + name: ocsf.metadata.extension.version + type: keyword +ocsf.metadata.log_name: + description: + "The event log name. For example, syslog file name or Windows logging + subsystem: Security." + name: ocsf.metadata.log_name + type: keyword +ocsf.metadata.log_version: + description: + The event log schema version that specifies the format of the original + event. For example syslog version or Cisco Log Schema Version. + name: ocsf.metadata.log_version + type: keyword +ocsf.metadata.logged_time: + description: + The time when the logging system collected and logged the event. This + attribute is distinct from the event time in that event time typically contain + the time extracted from the original event. Most of the time, these two times + will be different. + name: ocsf.metadata.logged_time + type: date +ocsf.metadata.logged_time_dt: + description: + The time when the logging system collected and logged the event. This + attribute is distinct from the event time in that event time typically contain + the time extracted from the original event. Most of the time, these two times + will be different. + name: ocsf.metadata.logged_time_dt + type: date +ocsf.metadata.modified_time: + description: The time when the event was last modified or enriched. + name: ocsf.metadata.modified_time + type: date +ocsf.metadata.modified_time_dt: + description: The time when the event was last modified or enriched. + name: ocsf.metadata.modified_time_dt + type: date +ocsf.metadata.original_time: + description: + The original event time as reported by the event source. For example, + the time in the original format from system event log such as Syslog on Unix/Linux + and the System event file on Windows. Omit if event is generated instead of collected + via logs. 
+ name: ocsf.metadata.original_time + type: keyword +ocsf.metadata.processed_time: + description: The event processed time, such as an ETL operation. + name: ocsf.metadata.processed_time + type: date +ocsf.metadata.processed_time_dt: + description: The event processed time, such as an ETL operation. + name: ocsf.metadata.processed_time_dt + type: date +ocsf.metadata.product.feature.name: + description: The name of the feature. + name: ocsf.metadata.product.feature.name + type: keyword +ocsf.metadata.product.feature.uid: + description: The unique identifier of the feature. + name: ocsf.metadata.product.feature.uid + type: keyword +ocsf.metadata.product.feature.version: + description: The version of the feature. + name: ocsf.metadata.product.feature.version + type: keyword +ocsf.metadata.product.lang: + description: + "The two letter lowercase language codes, as defined by ISO 639-1. + For example: en (English), de (German), or fr (French)." + name: ocsf.metadata.product.lang + type: keyword +ocsf.metadata.product.name: + description: The name of the product. + name: ocsf.metadata.product.name + type: keyword +ocsf.metadata.product.path: + description: The installation path of the product. + name: ocsf.metadata.product.path + type: keyword +ocsf.metadata.product.uid: + description: The unique identifier of the product. + name: ocsf.metadata.product.uid + type: keyword +ocsf.metadata.product.url_string: + description: The URL pointing towards the product. + name: ocsf.metadata.product.url_string + type: keyword +ocsf.metadata.product.vendor_name: + description: The name of the vendor of the product. + name: ocsf.metadata.product.vendor_name + type: keyword +ocsf.metadata.product.version: + description: + "The version of the product, as defined by the event source. For example: + 2013.1.3-beta." + name: ocsf.metadata.product.version + type: keyword +ocsf.metadata.profiles: + description: The list of profiles used to create the event. 
+ name: ocsf.metadata.profiles + type: keyword +ocsf.metadata.version: + description: + "The version of the OCSF schema, using Semantic Versioning Specification + (SemVer). For example: 1.0.0. Event consumers use the version to determine the + available event attributes." + name: ocsf.metadata.version + type: keyword +ocsf.module.base_address: + description: The memory address where the module was loaded. + name: ocsf.module.base_address + type: keyword +ocsf.module.file.accessed_time_dt: + description: The time when the file was last accessed. + name: ocsf.module.file.accessed_time_dt + type: date +ocsf.module.file.accessor.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.module.file.accessor.account.name + type: keyword +ocsf.module.file.accessor.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.module.file.accessor.account.type + type: keyword +ocsf.module.file.accessor.account.type_id: + description: The normalized account type identifier. + name: ocsf.module.file.accessor.account.type_id + type: keyword +ocsf.module.file.accessor.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.module.file.accessor.account.uid + type: keyword +ocsf.module.file.accessor.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.module.file.accessor.credential_uid + type: keyword +ocsf.module.file.accessor.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.module.file.accessor.domain + type: keyword +ocsf.module.file.accessor.email_addr: + description: The user's email address. 
+ name: ocsf.module.file.accessor.email_addr + type: keyword +ocsf.module.file.accessor.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.module.file.accessor.full_name + type: keyword +ocsf.module.file.accessor.groups.desc: + description: The group description. + name: ocsf.module.file.accessor.groups.desc + type: keyword +ocsf.module.file.accessor.groups.name: + description: The group name. + name: ocsf.module.file.accessor.groups.name + type: keyword +ocsf.module.file.accessor.groups.privileges: + description: The group privileges. + name: ocsf.module.file.accessor.groups.privileges + type: keyword +ocsf.module.file.accessor.groups.type: + description: The type of the group or account. + name: ocsf.module.file.accessor.groups.type + type: keyword +ocsf.module.file.accessor.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.module.file.accessor.groups.uid + type: keyword +ocsf.module.file.accessor.name: + description: The username. For example, janedoe1. + name: ocsf.module.file.accessor.name + type: keyword +ocsf.module.file.accessor.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.module.file.accessor.org.name + type: keyword +ocsf.module.file.accessor.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.module.file.accessor.org.ou_name + type: keyword +ocsf.module.file.accessor.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.module.file.accessor.org.ou_uid + type: keyword +ocsf.module.file.accessor.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. 
+ name: ocsf.module.file.accessor.org.uid + type: keyword +ocsf.module.file.accessor.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.module.file.accessor.type + type: keyword +ocsf.module.file.accessor.type_id: + description: The account type identifier. + name: ocsf.module.file.accessor.type_id + type: keyword +ocsf.module.file.accessor.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.module.file.accessor.uid + type: keyword +ocsf.module.file.accessor.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.module.file.accessor.uid_alt + type: keyword +ocsf.module.file.attributes: + description: The Bitmask value that represents the file attributes. + name: ocsf.module.file.attributes + type: long +ocsf.module.file.company_name: + description: + "The name of the company that published the file. For example: Microsoft + Corporation." + name: ocsf.module.file.company_name + type: keyword +ocsf.module.file.confidentiality: + description: + The file content confidentiality, normalized to the confidentiality_id + value. In the case of 'Other', it is defined by the event source. + name: ocsf.module.file.confidentiality + type: keyword +ocsf.module.file.confidentiality_id: + description: The normalized identifier of the file content confidentiality indicator. + name: ocsf.module.file.confidentiality_id + type: keyword +ocsf.module.file.created_time_dt: + description: The time when the file was created. + name: ocsf.module.file.created_time_dt + type: date +ocsf.module.file.creator.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.module.file.creator.account.name + type: keyword +ocsf.module.file.creator.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. 
In + the case of 'Other', it is defined by the event source. + name: ocsf.module.file.creator.account.type + type: keyword +ocsf.module.file.creator.account.type_id: + description: The normalized account type identifier. + name: ocsf.module.file.creator.account.type_id + type: keyword +ocsf.module.file.creator.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.module.file.creator.account.uid + type: keyword +ocsf.module.file.creator.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.module.file.creator.credential_uid + type: keyword +ocsf.module.file.creator.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.module.file.creator.domain + type: keyword +ocsf.module.file.creator.email_addr: + description: The user's email address. + name: ocsf.module.file.creator.email_addr + type: keyword +ocsf.module.file.creator.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.module.file.creator.full_name + type: keyword +ocsf.module.file.creator.groups.desc: + description: The group description. + name: ocsf.module.file.creator.groups.desc + type: keyword +ocsf.module.file.creator.groups.name: + description: The group name. + name: ocsf.module.file.creator.groups.name + type: keyword +ocsf.module.file.creator.groups.privileges: + description: The group privileges. + name: ocsf.module.file.creator.groups.privileges + type: keyword +ocsf.module.file.creator.groups.type: + description: The type of the group or account. + name: ocsf.module.file.creator.groups.type + type: keyword +ocsf.module.file.creator.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. 
+ name: ocsf.module.file.creator.groups.uid + type: keyword +ocsf.module.file.creator.name: + description: The username. For example, janedoe1. + name: ocsf.module.file.creator.name + type: keyword +ocsf.module.file.creator.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.module.file.creator.org.name + type: keyword +ocsf.module.file.creator.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.module.file.creator.org.ou_name + type: keyword +ocsf.module.file.creator.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.module.file.creator.org.ou_uid + type: keyword +ocsf.module.file.creator.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.module.file.creator.org.uid + type: keyword +ocsf.module.file.creator.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.module.file.creator.type + type: keyword +ocsf.module.file.creator.type_id: + description: The account type identifier. + name: ocsf.module.file.creator.type_id + type: keyword +ocsf.module.file.creator.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.module.file.creator.uid + type: keyword +ocsf.module.file.creator.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.module.file.creator.uid_alt + type: keyword +ocsf.module.file.desc: + description: + "The description of the file, as returned by file system. For example: + the description as returned by the Unix file command or the Windows file type." 
+ name: ocsf.module.file.desc + type: keyword +ocsf.module.file.hashes.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.module.file.hashes.algorithm + type: keyword +ocsf.module.file.hashes.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.module.file.hashes.algorithm_id + type: keyword +ocsf.module.file.hashes.value: + description: The digital fingerprint value. + name: ocsf.module.file.hashes.value + type: keyword +ocsf.module.file.is_system: + description: The indication of whether the object is part of the operating system. + name: ocsf.module.file.is_system + type: boolean +ocsf.module.file.modified_time_dt: + description: The time when the file was last modified. + name: ocsf.module.file.modified_time_dt + type: date +ocsf.module.file.modifier.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.module.file.modifier.account.name + type: keyword +ocsf.module.file.modifier.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.module.file.modifier.account.type + type: keyword +ocsf.module.file.modifier.account.type_id: + description: The normalized account type identifier. + name: ocsf.module.file.modifier.account.type_id + type: keyword +ocsf.module.file.modifier.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.module.file.modifier.account.uid + type: keyword +ocsf.module.file.modifier.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. 
+ name: ocsf.module.file.modifier.credential_uid + type: keyword +ocsf.module.file.modifier.domain: + description: + "The domain where the user is defined. For example: the LDAP or Active + Directory domain." + name: ocsf.module.file.modifier.domain + type: keyword +ocsf.module.file.modifier.email_addr: + description: The user's email address. + name: ocsf.module.file.modifier.email_addr + type: keyword +ocsf.module.file.modifier.full_name: + description: + The full name of the person, as per the LDAP Common Name attribute + (cn). + name: ocsf.module.file.modifier.full_name + type: keyword +ocsf.module.file.modifier.groups.desc: + description: The group description. + name: ocsf.module.file.modifier.groups.desc + type: keyword +ocsf.module.file.modifier.groups.name: + description: The group name. + name: ocsf.module.file.modifier.groups.name + type: keyword +ocsf.module.file.modifier.groups.privileges: + description: The group privileges. + name: ocsf.module.file.modifier.groups.privileges + type: keyword +ocsf.module.file.modifier.groups.type: + description: The type of the group or account. + name: ocsf.module.file.modifier.groups.type + type: keyword +ocsf.module.file.modifier.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.module.file.modifier.groups.uid + type: keyword +ocsf.module.file.modifier.name: + description: The username. For example, janedoe1. + name: ocsf.module.file.modifier.name + type: keyword +ocsf.module.file.modifier.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.module.file.modifier.org.name + type: keyword +ocsf.module.file.modifier.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. 
+ name: ocsf.module.file.modifier.org.ou_name + type: keyword +ocsf.module.file.modifier.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.module.file.modifier.org.ou_uid + type: keyword +ocsf.module.file.modifier.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.module.file.modifier.org.uid + type: keyword +ocsf.module.file.modifier.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.module.file.modifier.type + type: keyword +ocsf.module.file.modifier.type_id: + description: The account type identifier. + name: ocsf.module.file.modifier.type_id + type: keyword +ocsf.module.file.modifier.uid: + description: + The unique user identifier. For example, the Windows user SID, ActiveDirectory + DN or AWS user ARN. + name: ocsf.module.file.modifier.uid + type: keyword +ocsf.module.file.modifier.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.module.file.modifier.uid_alt + type: keyword +ocsf.module.file.owner.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.module.file.owner.account.name + type: keyword +ocsf.module.file.owner.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.module.file.owner.account.type + type: keyword +ocsf.module.file.owner.account.type_id: + description: The normalized account type identifier. + name: ocsf.module.file.owner.account.type_id + type: keyword +ocsf.module.file.owner.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). 
+ name: ocsf.module.file.owner.account.uid
+ type: keyword
+ocsf.module.file.owner.credential_uid:
+ description:
+ The unique identifier of the user's credential. For example, AWS Access
+ Key ID.
+ name: ocsf.module.file.owner.credential_uid
+ type: keyword
+ocsf.module.file.owner.domain:
+ description:
+ "The domain where the user is defined. For example: the LDAP or Active
+ Directory domain."
+ name: ocsf.module.file.owner.domain
+ type: keyword
+ocsf.module.file.owner.email_addr:
+ description: The user's email address.
+ name: ocsf.module.file.owner.email_addr
+ type: keyword
+ocsf.module.file.owner.full_name:
+ description:
+ The full name of the person, as per the LDAP Common Name attribute
+ (cn).
+ name: ocsf.module.file.owner.full_name
+ type: keyword
+ocsf.module.file.owner.groups.desc:
+ description: The group description.
+ name: ocsf.module.file.owner.groups.desc
+ type: keyword
+ocsf.module.file.owner.groups.name:
+ description: The group name.
+ name: ocsf.module.file.owner.groups.name
+ type: keyword
+ocsf.module.file.owner.groups.privileges:
+ description: The group privileges.
+ name: ocsf.module.file.owner.groups.privileges
+ type: keyword
+ocsf.module.file.owner.groups.type:
+ description: The type of the group or account.
+ name: ocsf.module.file.owner.groups.type
+ type: keyword
+ocsf.module.file.owner.groups.uid:
+ description:
+ The unique identifier of the group. For example, for Windows events
+ this is the security identifier (SID) of the group.
+ name: ocsf.module.file.owner.groups.uid
+ type: keyword
+ocsf.module.file.owner.org.name:
+ description: The name of the organization. For example, Widget, Inc.
+ name: ocsf.module.file.owner.org.name
+ type: keyword
+ocsf.module.file.owner.org.ou_name:
+ description:
+ The name of the organizational unit, within an organization. For example,
+ Finance, IT, R&D.
+ name: ocsf.module.file.owner.org.ou_name
+ type: keyword
+ocsf.module.file.owner.org.ou_uid:
+ description:
+ The alternate identifier for an entity's unique identifier. For example,
+ its Active Directory OU DN or AWS OU ID.
+ name: ocsf.module.file.owner.org.ou_uid
+ type: keyword
+ocsf.module.file.owner.org.uid:
+ description:
+ The unique identifier of the organization. For example, its Active
+ Directory or AWS Org ID.
+ name: ocsf.module.file.owner.org.uid
+ type: keyword
+ocsf.module.file.owner.type:
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ name: ocsf.module.file.owner.type
+ type: keyword
+ocsf.module.file.owner.type_id:
+ description: The account type identifier.
+ name: ocsf.module.file.owner.type_id
+ type: keyword
+ocsf.module.file.owner.uid_alt:
+ description:
+ The alternate user identifier. For example, the Active Directory user
+ GUID or AWS user Principal ID.
+ name: ocsf.module.file.owner.uid_alt
+ type: keyword
+ocsf.module.file.product.feature.name:
+ description: The name of the feature.
+ name: ocsf.module.file.product.feature.name
+ type: keyword
+ocsf.module.file.product.feature.uid:
+ description: The unique identifier of the feature.
+ name: ocsf.module.file.product.feature.uid
+ type: keyword
+ocsf.module.file.product.feature.version:
+ description: The version of the feature.
+ name: ocsf.module.file.product.feature.version
+ type: keyword
+ocsf.module.file.product.lang:
+ description:
+ "The two letter lower case language codes, as defined by ISO 639-1.
+ For example: en (English), de (German), or fr (French)."
+ name: ocsf.module.file.product.lang
+ type: keyword
+ocsf.module.file.product.name:
+ description: The name of the product.
+ name: ocsf.module.file.product.name
+ type: keyword
+ocsf.module.file.product.path:
+ description: The installation path of the product.
+ name: ocsf.module.file.product.path
+ type: keyword
+ocsf.module.file.product.uid:
+ description: The unique identifier of the product.
+ name: ocsf.module.file.product.uid
+ type: keyword
+ocsf.module.file.product.vendor_name:
+ description: The name of the vendor of the product.
+ name: ocsf.module.file.product.vendor_name
+ type: keyword
+ocsf.module.file.product.version:
+ description:
+ "The version of the product, as defined by the event source. For example:
+ 2013.1.3-beta."
+ name: ocsf.module.file.product.version
+ type: keyword
+ocsf.module.file.security_descriptor:
+ description: The object security descriptor.
+ name: ocsf.module.file.security_descriptor
+ type: keyword
+ocsf.module.file.signature.algorithm:
+ description:
+ The digital signature algorithm used to create the signature, normalized
+ to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
+ event source.
+ name: ocsf.module.file.signature.algorithm
+ type: keyword
+ocsf.module.file.signature.algorithm_id:
+ description: The identifier of the normalized digital signature algorithm.
+ name: ocsf.module.file.signature.algorithm_id
+ type: keyword
+ocsf.module.file.signature.certificate.created_time:
+ description: The time when the certificate was created.
+ name: ocsf.module.file.signature.certificate.created_time
+ type: date
+ocsf.module.file.signature.certificate.created_time_dt:
+ description: The time when the certificate was created.
+ name: ocsf.module.file.signature.certificate.created_time_dt
+ type: date
+ocsf.module.file.signature.certificate.expiration_time_dt:
+ description: The expiration time of the certificate.
+ name: ocsf.module.file.signature.certificate.expiration_time_dt
+ type: date
+ocsf.module.file.signature.certificate.fingerprints.algorithm:
+ description:
+ The hash algorithm used to create the digital fingerprint, normalized
+ to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
+ event source.
+ name: ocsf.module.file.signature.certificate.fingerprints.algorithm
+ type: keyword
+ocsf.module.file.signature.certificate.fingerprints.algorithm_id:
+ description:
+ The identifier of the normalized hash algorithm, which was used to
+ create the digital fingerprint.
+ name: ocsf.module.file.signature.certificate.fingerprints.algorithm_id
+ type: keyword
+ocsf.module.file.signature.certificate.fingerprints.value:
+ description: The digital fingerprint value.
+ name: ocsf.module.file.signature.certificate.fingerprints.value
+ type: keyword
+ocsf.module.file.signature.created_time:
+ description: The time when the digital signature was created.
+ name: ocsf.module.file.signature.created_time
+ type: date
+ocsf.module.file.signature.created_time_dt:
+ description: The time when the digital signature was created.
+ name: ocsf.module.file.signature.created_time_dt
+ type: date
+ocsf.module.file.signature.developer_uid:
+ description: The developer ID on the certificate that signed the file.
+ name: ocsf.module.file.signature.developer_uid
+ type: keyword
+ocsf.module.file.signature.digest.algorithm:
+ description:
+ The hash algorithm used to create the digital fingerprint, normalized
+ to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
+ event source.
+ name: ocsf.module.file.signature.digest.algorithm
+ type: keyword
+ocsf.module.file.signature.digest.algorithm_id:
+ description:
+ The identifier of the normalized hash algorithm, which was used to
+ create the digital fingerprint.
+ name: ocsf.module.file.signature.digest.algorithm_id
+ type: keyword
+ocsf.module.file.signature.digest.value:
+ description: The digital fingerprint value.
+ name: ocsf.module.file.signature.digest.value
+ type: keyword
+ocsf.module.file.type_id:
+ description: The file type ID.
+ name: ocsf.module.file.type_id
+ type: keyword
+ocsf.module.file.version:
+ description: "The file version. For example: 8.0.7601.17514."
+ name: ocsf.module.file.version
+ type: keyword
+ocsf.module.file.xattributes:
+ description:
+ An unordered collection of zero or more name/value pairs where each
+ pair represents a file or folder extended attribute.
+ name: ocsf.module.file.xattributes
+ type: keyword
+ocsf.module.function_name:
+ description:
+ The entry-point function of the module. The system calls the entry-point
+ function whenever a process or thread loads or unloads the module.
+ name: ocsf.module.function_name
+ type: keyword
+ocsf.module.load_type:
+ description:
+ The load type, normalized to the caption of the load_type_id value.
+ In the case of 'Other', it is defined by the event source. It describes how the
+ module was loaded in memory.
+ name: ocsf.module.load_type
+ type: keyword
+ocsf.module.load_type_id:
+ description:
+ The normalized identifier of the load type. It identifies how the module
+ was loaded in memory.
+ name: ocsf.module.load_type_id
+ type: keyword
+ocsf.module.start_address:
+ description: The start address of the execution.
+ name: ocsf.module.start_address
+ type: keyword
+ocsf.module.type:
+ description: The module type.
+ name: ocsf.module.type
+ type: keyword
+ocsf.name:
+ description: The name of the data affiliated with the command.
+ name: ocsf.name
+ type: keyword
+ocsf.nist:
+ description:
+ The NIST Cybersecurity Framework recommendations for managing the cybersecurity
+ risk.
+ name: ocsf.nist
+ type: keyword
+ocsf.observables.name:
+ description:
+ "The full name of the observable attribute. The name is a pointer/reference
+ to an attribute within the event data. For example: file.name."
+ name: ocsf.observables.name
+ type: keyword
+ocsf.observables.reputation.base_score:
+ description: The reputation score as reported by the event source.
+ name: ocsf.observables.reputation.base_score
+ type: keyword
+ocsf.observables.reputation.provider:
+ description: The provider of the reputation information.
+ name: ocsf.observables.reputation.provider
+ type: keyword
+ocsf.observables.reputation.score:
+ description:
+ The reputation score, normalized to the caption of the score_id value.
+ In the case of 'Other', it is defined by the event source.
+ name: ocsf.observables.reputation.score
+ type: keyword
+ocsf.observables.reputation.score_id:
+ description: The normalized reputation score identifier.
+ name: ocsf.observables.reputation.score_id
+ type: keyword
+ocsf.observables.type:
+ description: The observable value type name.
+ name: ocsf.observables.type
+ type: keyword
+ocsf.observables.type_id:
+ description: The observable value type identifier.
+ name: ocsf.observables.type_id
+ type: keyword
+ocsf.observables.value:
+ description: The value associated with the observable attribute.
+ name: ocsf.observables.value
+ type: keyword
+ocsf.open_type:
+ description: Indicates how the file was opened (e.g. normal, delete on close).
+ name: ocsf.open_type
+ type: keyword
+ocsf.port:
+ description: The dynamic port established for impending data transfers.
+ name: ocsf.port
+ type: long
+ocsf.privileges:
+ description: The list of sensitive privileges, assigned to the new user session.
+ name: ocsf.privileges
+ type: keyword
+ocsf.protocol_ver:
+ description: The Protocol version.
+ name: ocsf.protocol_ver
+ type: keyword
+ocsf.proxy.domain:
+ description: The name of the domain.
+ name: ocsf.proxy.domain
+ type: keyword
+ocsf.proxy.hostname:
+ description: The fully qualified name of the endpoint.
+ name: ocsf.proxy.hostname
+ type: keyword
+ocsf.proxy.instance_uid:
+ description: The unique identifier of a VM instance.
+ name: ocsf.proxy.instance_uid
+ type: keyword
+ocsf.proxy.interface_name:
+ description: The name of the network interface (e.g. eth2).
+ name: ocsf.proxy.interface_name
+ type: keyword
+ocsf.proxy.interface_uid:
+ description: The unique identifier of the network interface.
+ name: ocsf.proxy.interface_uid
+ type: keyword
+ocsf.proxy.intermediate_ips:
+ description:
+ The intermediate IP Addresses. For example, the IP addresses in the
+ HTTP X-Forwarded-For header.
+ name: ocsf.proxy.intermediate_ips
+ type: ip
+ocsf.proxy.ip:
+ description: The IP address of the endpoint, in either IPv4 or IPv6 format.
+ name: ocsf.proxy.ip
+ type: ip
+ocsf.proxy.location.city:
+ description: The name of the city.
+ name: ocsf.proxy.location.city
+ type: keyword
+ocsf.proxy.location.continent:
+ description: The name of the continent.
+ name: ocsf.proxy.location.continent
+ type: keyword
+ocsf.proxy.location.coordinates:
+ description:
+ A two-element array, containing a longitude/latitude pair. The format
+ conforms with GeoJSON.
+ name: ocsf.proxy.location.coordinates
+ type: geo_point
+ocsf.proxy.location.country:
+ description:
+ The ISO 3166-1 Alpha-2 country code. For the complete list of country
+ codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ name: ocsf.proxy.location.country
+ type: keyword
+ocsf.proxy.location.desc:
+ description: The description of the geographical location.
+ name: ocsf.proxy.location.desc
+ type: keyword
+ocsf.proxy.location.is_on_premises:
+ description: The indication of whether the location is on premises.
+ name: ocsf.proxy.location.is_on_premises
+ type: boolean
+ocsf.proxy.location.isp:
+ description: The name of the Internet Service Provider (ISP).
+ name: ocsf.proxy.location.isp
+ type: keyword
+ocsf.proxy.location.postal_code:
+ description: The postal code of the location.
+ name: ocsf.proxy.location.postal_code
+ type: keyword
+ocsf.proxy.location.provider:
+ description: The provider of the geographical location data.
+ name: ocsf.proxy.location.provider
+ type: keyword
+ocsf.proxy.location.region:
+ description:
+ The alphanumeric code that identifies the principal subdivision (e.g.
+ province or state) of the country.
Region codes are defined at ISO 3166-2 and
+ have a limit of three characters. For example, see the region codes for the US.
+ name: ocsf.proxy.location.region
+ type: keyword
+ocsf.proxy.mac:
+ description: The Media Access Control (MAC) address of the endpoint.
+ name: ocsf.proxy.mac
+ type: keyword
+ocsf.proxy.name:
+ description: The short name of the endpoint.
+ name: ocsf.proxy.name
+ type: keyword
+ocsf.proxy.port:
+ description: The port used for communication within the network connection.
+ name: ocsf.proxy.port
+ type: long
+ocsf.proxy.subnet_uid:
+ description: The unique identifier of a virtual subnet.
+ name: ocsf.proxy.subnet_uid
+ type: keyword
+ocsf.proxy.svc_name:
+ description:
+ The service name in service-to-service connections. For example, AWS
+ VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection
+ is coming from or going to an AWS service.
+ name: ocsf.proxy.svc_name
+ type: keyword
+ocsf.proxy.uid:
+ description: The unique identifier of the endpoint.
+ name: ocsf.proxy.uid
+ type: keyword
+ocsf.proxy.vlan_uid:
+ description: The Virtual LAN identifier.
+ name: ocsf.proxy.vlan_uid
+ type: keyword
+ocsf.proxy.vpc_uid:
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ name: ocsf.proxy.vpc_uid
+ type: keyword
+ocsf.query.opcode:
+ description: The DNS opcode specifies the type of the query message.
+ name: ocsf.query.opcode
+ type: keyword
+ocsf.query.opcode_id:
+ description: The DNS opcode ID specifies the normalized query message type.
+ name: ocsf.query.opcode_id
+ type: keyword
+ocsf.query_time:
+ description: The Domain Name System (DNS) query time.
+ name: ocsf.query_time
+ type: date
+ocsf.query_time_dt:
+ description: The Domain Name System (DNS) query time.
+ name: ocsf.query_time_dt
+ type: date
+ocsf.raw_data:
+ description: The event data as received from the event source.
+ name: ocsf.raw_data
+ type: keyword
+ocsf.raw_data_keyword:
+ description: ""
+ name: ocsf.raw_data_keyword
+ type: keyword
+ocsf.rcode_id:
+ description: The normalized identifier of the DNS server response code.
+ name: ocsf.rcode_id
+ type: keyword
+ocsf.relay.namespace:
+ description:
+ The namespace is useful in merger or acquisition situations. For example,
+ when similar entities exists that you need to keep separate.
+ name: ocsf.relay.namespace
+ type: keyword
+ocsf.relay.subnet_prefix:
+ description:
+ The subnet prefix length determines the number of bits used to represent
+ the network part of the IP address. The remaining bits are reserved for identifying
+ individual hosts within that subnet.
+ name: ocsf.relay.subnet_prefix
+ type: long
+ocsf.relay.type_id:
+ description: The network interface type identifier.
+ name: ocsf.relay.type_id
+ type: keyword
+ocsf.relay.uid:
+ description: The unique identifier for the network interface.
+ name: ocsf.relay.uid
+ type: keyword
+ocsf.remote_display.color_depth:
+ description: The numeric color depth.
+ name: ocsf.remote_display.color_depth
+ type: long
+ocsf.remote_display.physical_height:
+ description: The numeric physical height of display.
+ name: ocsf.remote_display.physical_height
+ type: long
+ocsf.remote_display.physical_orientation:
+ description: The numeric physical orientation of display.
+ name: ocsf.remote_display.physical_orientation
+ type: long
+ocsf.remote_display.physical_width:
+ description: The numeric physical width of display.
+ name: ocsf.remote_display.physical_width
+ type: long
+ocsf.remote_display.scale_factor:
+ description: The numeric scale factor of display.
+ name: ocsf.remote_display.scale_factor
+ type: long
+ocsf.request.flags:
+ description:
+ The list of communication flags, normalized to the captions of the
+ flag_ids values. In the case of 'Other', they are defined by the event source.
+ name: ocsf.request.flags
+ type: date
+ocsf.requested_permissions:
+ description: The permissions mask that were requested by the process.
+ name: ocsf.requested_permissions
+ type: long
+ocsf.resource.cloud_partition:
+ description:
+ "The canonical cloud partition name to which the region is assigned
+ (e.g. AWS Partitions: aws, aws-cn, aws-us-gov)."
+ name: ocsf.resource.cloud_partition
+ type: keyword
+ocsf.resource.criticality:
+ description: The criticality of the resource as defined by the event source.
+ name: ocsf.resource.criticality
+ type: keyword
+ocsf.resource.data:
+ description: Additional data describing the resource.
+ name: ocsf.resource.data
+ type: keyword
+ocsf.resource.group.desc:
+ description: The group description.
+ name: ocsf.resource.group.desc
+ type: keyword
+ocsf.resource.group.name:
+ description: The group name.
+ name: ocsf.resource.group.name
+ type: keyword
+ocsf.resource.group.privileges:
+ description: The group privileges.
+ name: ocsf.resource.group.privileges
+ type: keyword
+ocsf.resource.group.type:
+ description: The type of the group or account.
+ name: ocsf.resource.group.type
+ type: keyword
+ocsf.resource.group.uid:
+ description:
+ The unique identifier of the group. For example, for Windows events
+ this is the security identifier (SID) of the group.
+ name: ocsf.resource.group.uid
+ type: keyword
+ocsf.resource.labels:
+ description: The list of labels/tags associated to a resource.
+ name: ocsf.resource.labels
+ type: keyword
+ocsf.resource.name:
+ description: The name of the resource.
+ name: ocsf.resource.name
+ type: keyword
+ocsf.resource.owner.account.name:
+ description: The name of the account (e.g. GCP Account Name).
+ name: ocsf.resource.owner.account.name
+ type: keyword
+ocsf.resource.owner.account.type:
+ description:
+ The account type, normalized to the caption of 'account_type_id'. In
+ the case of 'Other', it is defined by the event source.
+ name: ocsf.resource.owner.account.type
+ type: keyword
+ocsf.resource.owner.account.type_id:
+ description: The normalized account type identifier.
+ name: ocsf.resource.owner.account.type_id
+ type: keyword
+ocsf.resource.owner.account.uid:
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ name: ocsf.resource.owner.account.uid
+ type: keyword
+ocsf.resource.owner.credential_uid:
+ description:
+ The unique identifier of the user's credential. For example, AWS Access
+ Key ID.
+ name: ocsf.resource.owner.credential_uid
+ type: keyword
+ocsf.resource.owner.domain:
+ description:
+ "The domain where the user is defined. For example: the LDAP or Active
+ Directory domain."
+ name: ocsf.resource.owner.domain
+ type: keyword
+ocsf.resource.owner.email_addr:
+ description: The user's email address.
+ name: ocsf.resource.owner.email_addr
+ type: keyword
+ocsf.resource.owner.full_name:
+ description:
+ The full name of the person, as per the LDAP Common Name attribute
+ (cn).
+ name: ocsf.resource.owner.full_name
+ type: keyword
+ocsf.resource.owner.groups.desc:
+ description: The group description.
+ name: ocsf.resource.owner.groups.desc
+ type: keyword
+ocsf.resource.owner.groups.name:
+ description: The group name.
+ name: ocsf.resource.owner.groups.name
+ type: keyword
+ocsf.resource.owner.groups.privileges:
+ description: The group privileges.
+ name: ocsf.resource.owner.groups.privileges
+ type: keyword
+ocsf.resource.owner.groups.type:
+ description: The type of the group or account.
+ name: ocsf.resource.owner.groups.type
+ type: keyword
+ocsf.resource.owner.groups.uid:
+ description:
+ The unique identifier of the group. For example, for Windows events
+ this is the security identifier (SID) of the group.
+ name: ocsf.resource.owner.groups.uid
+ type: keyword
+ocsf.resource.owner.name:
+ description: The username. For example, janedoe1.
+ name: ocsf.resource.owner.name
+ type: keyword
+ocsf.resource.owner.org.name:
+ description: The name of the organization. For example, Widget, Inc.
+ name: ocsf.resource.owner.org.name
+ type: keyword
+ocsf.resource.owner.org.ou_name:
+ description:
+ The name of the organizational unit, within an organization. For example,
+ Finance, IT, R&D.
+ name: ocsf.resource.owner.org.ou_name
+ type: keyword
+ocsf.resource.owner.org.ou_uid:
+ description:
+ The alternate identifier for an entity's unique identifier. For example,
+ its Active Directory OU DN or AWS OU ID.
+ name: ocsf.resource.owner.org.ou_uid
+ type: keyword
+ocsf.resource.owner.org.uid:
+ description:
+ The unique identifier of the organization. For example, its Active
+ Directory or AWS Org ID.
+ name: ocsf.resource.owner.org.uid
+ type: keyword
+ocsf.resource.owner.type:
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ name: ocsf.resource.owner.type
+ type: keyword
+ocsf.resource.owner.type_id:
+ description: The account type identifier.
+ name: ocsf.resource.owner.type_id
+ type: keyword
+ocsf.resource.owner.uid:
+ description:
+ The unique user identifier. For example, the Windows user SID, ActiveDirectory
+ DN or AWS user ARN.
+ name: ocsf.resource.owner.uid
+ type: keyword
+ocsf.resource.owner.uid_alt:
+ description:
+ The alternate user identifier. For example, the Active Directory user
+ GUID or AWS user Principal ID.
+ name: ocsf.resource.owner.uid_alt
+ type: keyword
+ocsf.resource.region:
+ description: The cloud region of the resource.
+ name: ocsf.resource.region
+ type: keyword
+ocsf.resource.type:
+ description: The resource type as defined by the event source.
+ name: ocsf.resource.type
+ type: keyword
+ocsf.resource.uid:
+ description: The unique identifier of the resource.
+ name: ocsf.resource.uid
+ type: keyword
+ocsf.resource.version:
+ description: The version of the resource. For example 1.2.3.
+ name: ocsf.resource.version
+ type: keyword
+ocsf.resources.cloud_partition:
+ description:
+ "The canonical cloud partition name to which the region is assigned
+ (e.g. AWS Partitions: aws, aws-cn, aws-us-gov)."
+ name: ocsf.resources.cloud_partition
+ type: keyword
+ocsf.resources.criticality:
+ description: The criticality of the resource as defined by the event source.
+ name: ocsf.resources.criticality
+ type: keyword
+ocsf.resources.data:
+ description: Additional data describing the resource.
+ name: ocsf.resources.data
+ type: keyword
+ocsf.resources.group.desc:
+ description: The group description.
+ name: ocsf.resources.group.desc
+ type: keyword
+ocsf.resources.group.name:
+ description: The group name.
+ name: ocsf.resources.group.name
+ type: keyword
+ocsf.resources.group.privileges:
+ description: The group privileges.
+ name: ocsf.resources.group.privileges
+ type: keyword
+ocsf.resources.group.type:
+ description: The type of the group or account.
+ name: ocsf.resources.group.type
+ type: keyword
+ocsf.resources.group.uid:
+ description:
+ The unique identifier of the group. For example, for Windows events
+ this is the security identifier (SID) of the group.
+ name: ocsf.resources.group.uid
+ type: keyword
+ocsf.resources.labels:
+ description: The list of labels/tags associated to a resource.
+ name: ocsf.resources.labels
+ type: keyword
+ocsf.resources.name:
+ description: The name of the resource.
+ name: ocsf.resources.name
+ type: keyword
+ocsf.resources.owner.account.name:
+ description: The name of the account (e.g. GCP Account Name).
+ name: ocsf.resources.owner.account.name
+ type: keyword
+ocsf.resources.owner.account.type:
+ description:
+ The account type, normalized to the caption of 'account_type_id'. In
+ the case of 'Other', it is defined by the event source.
+ name: ocsf.resources.owner.account.type
+ type: keyword
+ocsf.resources.owner.account.type_id:
+ description: The normalized account type identifier.
+ name: ocsf.resources.owner.account.type_id
+ type: keyword
+ocsf.resources.owner.account.uid:
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ name: ocsf.resources.owner.account.uid
+ type: keyword
+ocsf.resources.owner.credential_uid:
+ description:
+ The unique identifier of the user's credential. For example, AWS Access
+ Key ID.
+ name: ocsf.resources.owner.credential_uid
+ type: keyword
+ocsf.resources.owner.domain:
+ description:
+ "The domain where the user is defined. For example: the LDAP or Active
+ Directory domain."
+ name: ocsf.resources.owner.domain
+ type: keyword
+ocsf.resources.owner.email_addr:
+ description: The user's email address.
+ name: ocsf.resources.owner.email_addr
+ type: keyword
+ocsf.resources.owner.full_name:
+ description:
+ The full name of the person, as per the LDAP Common Name attribute
+ (cn).
+ name: ocsf.resources.owner.full_name
+ type: keyword
+ocsf.resources.owner.groups.desc:
+ description: The group description.
+ name: ocsf.resources.owner.groups.desc
+ type: keyword
+ocsf.resources.owner.groups.name:
+ description: The group name.
+ name: ocsf.resources.owner.groups.name
+ type: keyword
+ocsf.resources.owner.groups.privileges:
+ description: The group privileges.
+ name: ocsf.resources.owner.groups.privileges
+ type: keyword
+ocsf.resources.owner.groups.type:
+ description: The type of the group or account.
+ name: ocsf.resources.owner.groups.type
+ type: keyword
+ocsf.resources.owner.groups.uid:
+ description:
+ The unique identifier of the group. For example, for Windows events
+ this is the security identifier (SID) of the group.
+ name: ocsf.resources.owner.groups.uid
+ type: keyword
+ocsf.resources.owner.name:
+ description: The username. For example, janedoe1.
+ name: ocsf.resources.owner.name
+ type: keyword
+ocsf.resources.owner.org.name:
+ description: The name of the organization. For example, Widget, Inc.
+ name: ocsf.resources.owner.org.name
+ type: keyword
+ocsf.resources.owner.org.ou_name:
+ description:
+ The name of the organizational unit, within an organization. For example,
+ Finance, IT, R&D.
+ name: ocsf.resources.owner.org.ou_name
+ type: keyword
+ocsf.resources.owner.org.ou_uid:
+ description:
+ The alternate identifier for an entity's unique identifier. For example,
+ its Active Directory OU DN or AWS OU ID.
+ name: ocsf.resources.owner.org.ou_uid
+ type: keyword
+ocsf.resources.owner.org.uid:
+ description:
+ The unique identifier of the organization. For example, its Active
+ Directory or AWS Org ID.
+ name: ocsf.resources.owner.org.uid
+ type: keyword
+ocsf.resources.owner.type:
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ name: ocsf.resources.owner.type
+ type: keyword
+ocsf.resources.owner.type_id:
+ description: The account type identifier.
+ name: ocsf.resources.owner.type_id
+ type: keyword
+ocsf.resources.owner.uid:
+ description:
+ The unique user identifier. For example, the Windows user SID, ActiveDirectory
+ DN or AWS user ARN.
+ name: ocsf.resources.owner.uid
+ type: keyword
+ocsf.resources.owner.uid_alt:
+ description:
+ The alternate user identifier. For example, the Active Directory user
+ GUID or AWS user Principal ID.
+ name: ocsf.resources.owner.uid_alt
+ type: keyword
+ocsf.resources.region:
+ description: The cloud region of the resource.
+ name: ocsf.resources.region
+ type: keyword
+ocsf.resources.type:
+ description: The resource type as defined by the event source.
+ name: ocsf.resources.type
+ type: keyword
+ocsf.resources.uid:
+ description: The unique identifier of the resource.
+ name: ocsf.resources.uid
+ type: keyword
+ocsf.resources.version:
+ description: The version of the resource. For example 1.2.3.
+ name: ocsf.resources.version
+ type: keyword
+ocsf.response.error:
+ description: Error Code.
+ name: ocsf.response.error
+ type: keyword
+ocsf.response.error_message:
+ description: Error Message.
+ name: ocsf.response.error_message
+ type: keyword
+ocsf.response.flags:
+ description:
+ The list of communication flags, normalized to the captions of the
+ flag_ids values. In the case of 'Other', they are defined by the event source.
+ name: ocsf.response.flags
+ type: keyword
+ocsf.response.message:
+ description: The description of the event, as defined by the event source.
+ name: ocsf.response.message
+ type: keyword
+ocsf.response_time:
+ description: The Domain Name System (DNS) response time.
+ name: ocsf.response_time
+ type: date
+ocsf.response_time_dt:
+ description: The Domain Name System (DNS) response time.
+ name: ocsf.response_time_dt
+ type: date
+ocsf.risk_level:
+ description:
+ The risk level, normalized to the caption of the risk_level_id value.
+ In the case of 'Other', it is defined by the event source.
+ name: ocsf.risk_level
+ type: keyword
+ocsf.risk_level_id:
+ description: The normalized risk level id.
+ name: ocsf.risk_level_id
+ type: keyword
+ocsf.server_hassh.algorithm:
+ description:
+ "The concatenation of key exchange, encryption, authentication and
+ compression algorithms (separated by ';'). NOTE: This is not the underlying
+ algorithm for the hash implementation."
+ name: ocsf.server_hassh.algorithm
+ type: keyword
+ocsf.server_hassh.fingerprint.algorithm:
+ description:
+ The hash algorithm used to create the digital fingerprint, normalized
+ to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
+ event source.
+ name: ocsf.server_hassh.fingerprint.algorithm
+ type: keyword
+ocsf.server_hassh.fingerprint.algorithm_id:
+ description:
+ The identifier of the normalized hash algorithm, which was used to
+ create the digital fingerprint.
+ name: ocsf.server_hassh.fingerprint.algorithm_id
+ type: keyword
+ocsf.server_hassh.fingerprint.value:
+ description: The digital fingerprint value.
+ name: ocsf.server_hassh.fingerprint.value
+ type: keyword
+ocsf.service.labels:
+ description: The list of labels associated with the service.
+ name: ocsf.service.labels
+ type: keyword
+ocsf.session.created_time:
+ description: The time when the session was created.
+ name: ocsf.session.created_time
+ type: date
+ocsf.session.created_time_dt:
+ description: The time when the session was created.
+ name: ocsf.session.created_time_dt
+ type: date
+ocsf.session.credential_uid:
+ description:
+ The unique identifier of the user's credential. For example, AWS Access
+ Key ID.
+ name: ocsf.session.credential_uid
+ type: keyword
+ocsf.session.expiration_time:
+ description: The session expiration time.
+ name: ocsf.session.expiration_time
+ type: date
+ocsf.session.expiration_time_dt:
+ description: The session expiration time.
+ name: ocsf.session.expiration_time_dt
+ type: date
+ocsf.session.is_remote:
+ description: The indication of whether the session is remote.
+ name: ocsf.session.is_remote
+ type: boolean
+ocsf.session.issuer:
+ description: The identifier of the session issuer.
+ name: ocsf.session.issuer
+ type: keyword
+ocsf.session.mfa:
+ description: ""
+ name: ocsf.session.mfa
+ type: boolean
+ocsf.session.uid:
+ description: The unique identifier of the session.
+ name: ocsf.session.uid
+ type: keyword
+ocsf.session.uuid:
+ description: The universally unique identifier of the session.
+ name: ocsf.session.uuid
+ type: keyword
+ocsf.severity:
+ description:
+ The event severity, normalized to the caption of the severity_id value.
+ In the case of 'Other', it is defined by the event source.
+ name: ocsf.severity
+ type: keyword
+ocsf.share:
+ description: The SMB share name.
+ name: ocsf.share
+ type: keyword
+ocsf.share_type:
+ description:
+ The SMB share type, normalized to the caption of the share_type_id
+ value. In the case of 'Other', it is defined by the event source.
+ name: ocsf.share_type + type: keyword +ocsf.share_type_id: + description: The normalized identifier of the SMB share type. + name: ocsf.share_type_id + type: keyword +ocsf.size: + description: The memory size that was access or requested. + name: ocsf.size + type: long +ocsf.smtp_hello: + description: The value of the SMTP HELO or EHLO command sent by the initiator (client). + name: ocsf.smtp_hello + type: keyword +ocsf.src_endpoint.instance_uid: + description: The unique identifier of a VM instance. + name: ocsf.src_endpoint.instance_uid + type: keyword +ocsf.src_endpoint.interface_name: + description: The name of the network interface (e.g. eth2). + name: ocsf.src_endpoint.interface_name + type: keyword +ocsf.src_endpoint.interface_uid: + description: The unique identifier of the network interface. + name: ocsf.src_endpoint.interface_uid + type: keyword +ocsf.src_endpoint.intermediate_ips: + description: + The intermediate IP Addresses. For example, the IP addresses in the + HTTP X-Forwarded-For header. + name: ocsf.src_endpoint.intermediate_ips + type: ip +ocsf.src_endpoint.location.is_on_premises: + description: The indication of whether the location is on premises. + name: ocsf.src_endpoint.location.is_on_premises + type: boolean +ocsf.src_endpoint.location.isp: + description: The name of the Internet Service Provider (ISP). + name: ocsf.src_endpoint.location.isp + type: keyword +ocsf.src_endpoint.location.provider: + description: The provider of the geographical location data. + name: ocsf.src_endpoint.location.provider + type: keyword +ocsf.src_endpoint.name: + description: The short name of the endpoint. + name: ocsf.src_endpoint.name + type: keyword +ocsf.src_endpoint.subnet_uid: + description: The unique identifier of a virtual subnet. + name: ocsf.src_endpoint.subnet_uid + type: keyword +ocsf.src_endpoint.uid: + description: The unique identifier of the endpoint. 
+ name: ocsf.src_endpoint.uid + type: keyword +ocsf.src_endpoint.vlan_uid: + description: The Virtual LAN identifier. + name: ocsf.src_endpoint.vlan_uid + type: keyword +ocsf.src_endpoint.vpc_uid: + description: The unique identifier of the Virtual Private Cloud (VPC). + name: ocsf.src_endpoint.vpc_uid + type: keyword +ocsf.start_time_dt: + description: + The start time of a time period, or the time of the least recent event + included in the aggregate event. + name: ocsf.start_time_dt + type: date +ocsf.state: + description: The normalized state of a security finding. + name: ocsf.state + type: keyword +ocsf.state_id: + description: The normalized state identifier of a security finding. + name: ocsf.state_id + type: keyword +ocsf.status: + description: + The event status, normalized to the caption of the status_id value. + In the case of 'Other', it is defined by the event source. + name: ocsf.status + type: keyword +ocsf.status_code: + description: + The event status code, as reported by the event source. For example, + in a Windows Failed Authentication event, this would be the value of 'Failure + Code', e.g. 0x18. + name: ocsf.status_code + type: keyword +ocsf.status_detail: + description: + The status details contains additional information about the event + outcome. + name: ocsf.status_detail + type: keyword +ocsf.status_id: + description: The normalized identifier of the event status. + name: ocsf.status_id + type: keyword +ocsf.time_dt: + description: The normalized event occurrence time. + name: ocsf.time_dt + type: date +ocsf.timezone_offset: + description: + The number of minutes that the reported event time is ahead or behind + UTC, in the range -1,080 to +1,080. + name: ocsf.timezone_offset + type: long +ocsf.tls.alert: + description: + The integer value of TLS alert if present. The alerts are defined in + the TLS specification in RFC-2246. 
+ name: ocsf.tls.alert + type: long +ocsf.tls.certificate.created_time: + description: The time when the certificate was created. + name: ocsf.tls.certificate.created_time + type: date +ocsf.tls.certificate.created_time_dt: + description: The time when the certificate was created. + name: ocsf.tls.certificate.created_time_dt + type: date +ocsf.tls.certificate.expiration_time_dt: + description: The expiration time of the certificate. + name: ocsf.tls.certificate.expiration_time_dt + type: date +ocsf.tls.certificate.fingerprints.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.tls.certificate.fingerprints.algorithm + type: keyword +ocsf.tls.certificate.fingerprints.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.tls.certificate.fingerprints.algorithm_id + type: keyword +ocsf.tls.certificate.fingerprints.value: + description: The digital fingerprint value. + name: ocsf.tls.certificate.fingerprints.value + type: keyword +ocsf.tls.certificate_chain: + description: + The Chain of Certificate Serial Numbers field provides a chain of Certificate + Issuer Serial Numbers leading to the Root Certificate Issuer. + name: ocsf.tls.certificate_chain + type: keyword +ocsf.tls.extension_list.data: + description: + The data contains information specific to the particular extension + type. + name: ocsf.tls.extension_list.data + type: keyword +ocsf.tls.extension_list.type: + description: "The TLS extension type. For example: Server Name." + name: ocsf.tls.extension_list.type + type: keyword +ocsf.tls.extension_list.type_id: + description: + The TLS extension type identifier. See The Transport Layer Security + (TLS) extension page. 
+ name: ocsf.tls.extension_list.type_id + type: keyword +ocsf.tls.handshake_dur: + description: + The amount of total time for the TLS handshake to complete after the + TCP connection is established, including client-side delays, in milliseconds. + name: ocsf.tls.handshake_dur + type: long +ocsf.tls.ja3_hash.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.tls.ja3_hash.algorithm + type: keyword +ocsf.tls.ja3_hash.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.tls.ja3_hash.algorithm_id + type: keyword +ocsf.tls.ja3s_hash.algorithm: + description: + The hash algorithm used to create the digital fingerprint, normalized + to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the + event source. + name: ocsf.tls.ja3s_hash.algorithm + type: keyword +ocsf.tls.ja3s_hash.algorithm_id: + description: + The identifier of the normalized hash algorithm, which was used to + create the digital fingerprint. + name: ocsf.tls.ja3s_hash.algorithm_id + type: keyword +ocsf.tls.key_length: + description: The length of the encryption key. + name: ocsf.tls.key_length + type: long +ocsf.tls.sans.name: + description: Name of SAN (e.g. The actual IP Address or domain.) + name: ocsf.tls.sans.name + type: keyword +ocsf.tls.sans.type: + description: Type descriptor of SAN (e.g. IP Address/domain/etc.) + name: ocsf.tls.sans.type + type: keyword +ocsf.tls.server_ciphers: + description: + The server cipher suites that were exchanged during the TLS handshake + negotiation. + name: ocsf.tls.server_ciphers + type: keyword +ocsf.transaction_uid: + description: + The unique identifier of the transaction. This is typically a random + number generated from the client to associate a dhcp request/response pair. 
+ name: ocsf.transaction_uid + type: keyword +ocsf.tree_uid: + description: + The tree id is a unique SMB identifier which represents an open connection + to a share. + name: ocsf.tree_uid + type: keyword +ocsf.type: + description: The type of FTP network connection (e.g. active, passive). + name: ocsf.type + type: keyword +ocsf.type_name: + description: The event type name, as defined by the type_uid. + name: ocsf.type_name + type: keyword +ocsf.type_uid: + description: + 'The event type ID. It identifies the events semantics and structure. + The value is calculated by the logging system as: class_uid \* 100 + activity_id.' + name: ocsf.type_uid + type: keyword +ocsf.unmapped: + description: + The attributes that are not mapped to the event schema. The names and + values of those attributes are specific to the event source. + name: ocsf.unmapped + type: keyword +ocsf.url.categories: + description: The Website categorization names, as defined by category_ids enum values. + name: ocsf.url.categories + type: keyword +ocsf.url.category_ids: + description: The Website categorization identifies. + name: ocsf.url.category_ids + type: keyword +ocsf.url.resource_type: + description: The context in which a resource was retrieved in a web request. + name: ocsf.url.resource_type + type: keyword +ocsf.user.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.user.account.name + type: keyword +ocsf.user.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.user.account.type + type: keyword +ocsf.user.account.type_id: + description: The normalized account type identifier. + name: ocsf.user.account.type_id + type: keyword +ocsf.user.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). 
+ name: ocsf.user.account.uid + type: keyword +ocsf.user.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.user.credential_uid + type: keyword +ocsf.user.groups.desc: + description: The group description. + name: ocsf.user.groups.desc + type: keyword +ocsf.user.groups.name: + description: The group name. + name: ocsf.user.groups.name + type: keyword +ocsf.user.groups.privileges: + description: The group privileges. + name: ocsf.user.groups.privileges + type: keyword +ocsf.user.groups.type: + description: The type of the group or account. + name: ocsf.user.groups.type + type: keyword +ocsf.user.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.user.groups.uid + type: keyword +ocsf.user.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.user.org.name + type: keyword +ocsf.user.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. + name: ocsf.user.org.ou_name + type: keyword +ocsf.user.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.user.org.ou_uid + type: keyword +ocsf.user.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.user.org.uid + type: keyword +ocsf.user.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.user.type + type: keyword +ocsf.user.type_id: + description: The account type identifier. + name: ocsf.user.type_id + type: keyword +ocsf.user.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. 
+ name: ocsf.user.uid_alt + type: keyword +ocsf.user_result.account.name: + description: The name of the account (e.g. GCP Account Name). + name: ocsf.user_result.account.name + type: keyword +ocsf.user_result.account.type: + description: + The account type, normalized to the caption of 'account_type_id'. In + the case of 'Other', it is defined by the event source. + name: ocsf.user_result.account.type + type: keyword +ocsf.user_result.account.type_id: + description: The normalized account type identifier. + name: ocsf.user_result.account.type_id + type: keyword +ocsf.user_result.account.uid: + description: The unique identifier of the account (e.g. AWS Account ID). + name: ocsf.user_result.account.uid + type: keyword +ocsf.user_result.credential_uid: + description: + The unique identifier of the user's credential. For example, AWS Access + Key ID. + name: ocsf.user_result.credential_uid + type: keyword +ocsf.user_result.groups.desc: + description: The group description. + name: ocsf.user_result.groups.desc + type: keyword +ocsf.user_result.groups.name: + description: The group name. + name: ocsf.user_result.groups.name + type: keyword +ocsf.user_result.groups.privileges: + description: The group privileges. + name: ocsf.user_result.groups.privileges + type: keyword +ocsf.user_result.groups.type: + description: The type of the group or account. + name: ocsf.user_result.groups.type + type: keyword +ocsf.user_result.groups.uid: + description: + The unique identifier of the group. For example, for Windows events + this is the security identifier (SID) of the group. + name: ocsf.user_result.groups.uid + type: keyword +ocsf.user_result.org.name: + description: The name of the organization. For example, Widget, Inc. + name: ocsf.user_result.org.name + type: keyword +ocsf.user_result.org.ou_name: + description: + The name of the organizational unit, within an organization. For example, + Finance, IT, R&D. 
+ name: ocsf.user_result.org.ou_name + type: keyword +ocsf.user_result.org.ou_uid: + description: + The alternate identifier for an entity's unique identifier. For example, + its Active Directory OU DN or AWS OU ID. + name: ocsf.user_result.org.ou_uid + type: keyword +ocsf.user_result.org.uid: + description: + The unique identifier of the organization. For example, its Active + Directory or AWS Org ID. + name: ocsf.user_result.org.uid + type: keyword +ocsf.user_result.type: + description: The type of the user. For example, System, AWS IAM User, etc. + name: ocsf.user_result.type + type: keyword +ocsf.user_result.type_id: + description: The account type identifier. + name: ocsf.user_result.type_id + type: keyword +ocsf.user_result.uid_alt: + description: + The alternate user identifier. For example, the Active Directory user + GUID or AWS user Principal ID. + name: ocsf.user_result.uid_alt + type: keyword +ocsf.vulnerabilities.cve.created_time: + description: + The Record Creation Date identifies when the CVE ID was issued to a + CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. + Note that the Record Creation Date does not necessarily indicate when this vulnerability + was discovered, shared with the affected vendor, publicly disclosed, or updated + in CVE. + name: ocsf.vulnerabilities.cve.created_time + type: date +ocsf.vulnerabilities.cve.created_time_dt: + description: + The Record Creation Date identifies when the CVE ID was issued to a + CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. + Note that the Record Creation Date does not necessarily indicate when this vulnerability + was discovered, shared with the affected vendor, publicly disclosed, or updated + in CVE. + name: ocsf.vulnerabilities.cve.created_time_dt + type: date +ocsf.vulnerabilities.cve.cvss.base_score: + description: "The CVSS base score. For example: 9.1." 
+ name: ocsf.vulnerabilities.cve.cvss.base_score + type: keyword +ocsf.vulnerabilities.cve.cvss.depth: + description: + The CVSS depth represents a depth of the equation used to calculate + CVSS score. + name: ocsf.vulnerabilities.cve.cvss.depth + type: keyword +ocsf.vulnerabilities.cve.cvss.metrics.name: + description: The name of the metric. + name: ocsf.vulnerabilities.cve.cvss.metrics.name + type: keyword +ocsf.vulnerabilities.cve.cvss.metrics.value: + description: The value of the metric. + name: ocsf.vulnerabilities.cve.cvss.metrics.value + type: keyword +ocsf.vulnerabilities.cve.cvss.overall_score: + description: + "The CVSS overall score, impacted by base, temporal, and environmental + metrics. For example: 9.1." + name: ocsf.vulnerabilities.cve.cvss.overall_score + type: keyword +ocsf.vulnerabilities.cve.cvss.severity: + description: + The Common Vulnerability Scoring System (CVSS) Qualitative Severity + Rating. A textual representation of the numeric score. + name: ocsf.vulnerabilities.cve.cvss.severity + type: keyword +ocsf.vulnerabilities.cve.cvss.vector_string: + description: + "The CVSS vector string is a text representation of a set of CVSS metrics. + It is commonly used to record or transfer CVSS metric information in a concise + form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H." + name: ocsf.vulnerabilities.cve.cvss.vector_string + type: keyword +ocsf.vulnerabilities.cve.cvss.version: + description: "The CVSS version. For example: 3.1." + name: ocsf.vulnerabilities.cve.cvss.version + type: keyword +ocsf.vulnerabilities.cve.cwe_uid: + description: + "The Common Weakness Enumeration (CWE) unique identifier. For example: + CWE-787." + name: ocsf.vulnerabilities.cve.cwe_uid + type: keyword +ocsf.vulnerabilities.cve.cwe_url: + description: "Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html." 
+ name: ocsf.vulnerabilities.cve.cwe_url + type: keyword +ocsf.vulnerabilities.cve.modified_time: + description: The Record Modified Date identifies when the CVE record was last updated. + name: ocsf.vulnerabilities.cve.modified_time + type: date +ocsf.vulnerabilities.cve.modified_time_dt: + description: The Record Modified Date identifies when the CVE record was last updated. + name: ocsf.vulnerabilities.cve.modified_time_dt + type: date +ocsf.vulnerabilities.cve.product.feature.name: + description: The name of the feature. + name: ocsf.vulnerabilities.cve.product.feature.name + type: keyword +ocsf.vulnerabilities.cve.product.feature.uid: + description: The unique identifier of the feature. + name: ocsf.vulnerabilities.cve.product.feature.uid + type: keyword +ocsf.vulnerabilities.cve.product.feature.version: + description: The version of the feature. + name: ocsf.vulnerabilities.cve.product.feature.version + type: keyword +ocsf.vulnerabilities.cve.product.lang: + description: + "The two letter lower case language codes, as defined by ISO 639-1. + For example: en (English), de (German), or fr (French)." + name: ocsf.vulnerabilities.cve.product.lang + type: keyword +ocsf.vulnerabilities.cve.product.name: + description: The name of the product. + name: ocsf.vulnerabilities.cve.product.name + type: keyword +ocsf.vulnerabilities.cve.product.path: + description: The installation path of the product. + name: ocsf.vulnerabilities.cve.product.path + type: keyword +ocsf.vulnerabilities.cve.product.uid: + description: The unique identifier of the product. + name: ocsf.vulnerabilities.cve.product.uid + type: keyword +ocsf.vulnerabilities.cve.product.url_string: + description: The URL pointing towards the product. + name: ocsf.vulnerabilities.cve.product.url_string + type: keyword +ocsf.vulnerabilities.cve.product.vendor_name: + description: The name of the vendor of the product. 
+ name: ocsf.vulnerabilities.cve.product.vendor_name + type: keyword +ocsf.vulnerabilities.cve.product.version: + description: + "The version of the product, as defined by the event source. For example: + 2013.1.3-beta." + name: ocsf.vulnerabilities.cve.product.version + type: keyword +ocsf.vulnerabilities.cve.type: + description: + The vulnerability type as selected from a large dropdown menu during + CVE refinement. + name: ocsf.vulnerabilities.cve.type + type: keyword +ocsf.vulnerabilities.cve.uid: + description: + "The Common Vulnerabilities and Exposures unique number assigned to + a specific computer vulnerability. A CVE Identifier begins with 4 digits representing + the year followed by a sequence of digits that acts as a unique identifier. For + example: CVE-2021-12345." + name: ocsf.vulnerabilities.cve.uid + type: keyword +ocsf.vulnerabilities.desc: + description: The description of the vulnerability. + name: ocsf.vulnerabilities.desc + type: keyword +ocsf.vulnerabilities.fix_available: + description: Indicates if a fix is available for the reported vulnerability. + name: ocsf.vulnerabilities.fix_available + type: boolean +ocsf.vulnerabilities.kb_articles: + description: The KB article/s related to the entity. + name: ocsf.vulnerabilities.kb_articles + type: keyword +ocsf.vulnerabilities.packages.architecture: + description: + Architecture is a shorthand name describing the type of computer hardware + the packaged software is meant to run on. + name: ocsf.vulnerabilities.packages.architecture + type: keyword +ocsf.vulnerabilities.packages.epoch: + description: + The software package epoch. Epoch is a way to define weighted dependencies + based on version numbers. + name: ocsf.vulnerabilities.packages.epoch + type: long +ocsf.vulnerabilities.packages.license: + description: The software license applied to this package. + name: ocsf.vulnerabilities.packages.license + type: keyword +ocsf.vulnerabilities.packages.name: + description: The software package name. 
+ name: ocsf.vulnerabilities.packages.name + type: keyword +ocsf.vulnerabilities.packages.release: + description: Release is the number of times a version of the software has been packaged. + name: ocsf.vulnerabilities.packages.release + type: keyword +ocsf.vulnerabilities.packages.version: + description: The software package version. + name: ocsf.vulnerabilities.packages.version + type: keyword +ocsf.vulnerabilities.references: + description: Supporting reference URLs. + name: ocsf.vulnerabilities.references + type: keyword +ocsf.vulnerabilities.related_vulnerabilities: + description: List of vulnerabilities that are related to this vulnerability. + name: ocsf.vulnerabilities.related_vulnerabilities + type: keyword +ocsf.vulnerabilities.severity: + description: + The event severity, normalized to the caption of the severity_id value. + In the case of 'Other', it is defined by the event source. + name: ocsf.vulnerabilities.severity + type: keyword +ocsf.vulnerabilities.title: + description: The title of the vulnerability. + name: ocsf.vulnerabilities.title + type: keyword +ocsf.vulnerabilities.vendor_name: + description: The vendor who identified the vulnerability. + name: ocsf.vulnerabilities.vendor_name + type: keyword +ocsf.web_resources.data: + description: + Details of the web resource, e.g, file details, search results or application-defined + resource. + name: ocsf.web_resources.data + type: keyword +ocsf.web_resources.desc: + description: Description of the web resource. + name: ocsf.web_resources.desc + type: keyword +ocsf.web_resources.labels: + description: The list of labels/tags associated to a resource. + name: ocsf.web_resources.labels + type: keyword +ocsf.web_resources.name: + description: The name of the web resource. + name: ocsf.web_resources.name + type: keyword +ocsf.web_resources.type: + description: The web resource type as defined by the event source. 
+ name: ocsf.web_resources.type + type: keyword +ocsf.web_resources.uid: + description: The unique identifier of the web resource. + name: ocsf.web_resources.uid + type: keyword +ocsf.web_resources.url_string: + description: The URL pointing towards the source of the web resource. + name: ocsf.web_resources.url_string + type: keyword +ocsf.web_resources_result.data: + description: + Details of the web resource, e.g, file details, search results or application-defined + resource. + name: ocsf.web_resources_result.data + type: keyword +ocsf.web_resources_result.desc: + description: Description of the web resource. + name: ocsf.web_resources_result.desc + type: keyword +ocsf.web_resources_result.labels: + description: The list of labels/tags associated to a resource. + name: ocsf.web_resources_result.labels + type: keyword +ocsf.web_resources_result.name: + description: The name of the web resource. + name: ocsf.web_resources_result.name + type: keyword +ocsf.web_resources_result.type: + description: The web resource type as defined by the event source. + name: ocsf.web_resources_result.type + type: keyword +ocsf.web_resources_result.uid: + description: The unique identifier of the web resource. + name: ocsf.web_resources_result.uid + type: keyword +ocsf.web_resources_result.url_string: + description: The URL pointing towards the source of the web resource. 
+ name: ocsf.web_resources_result.url_string type: keyword - process.group.id: - description: '' + description: "" name: process.group.id type: keyword - process.group.name: - description: '' + description: "" name: process.group.name type: keyword - process.parent.user.domain: - description: '' + description: "" name: process.parent.user.domain type: keyword - process.parent.user.email: - description: '' + description: "" name: process.parent.user.email type: keyword - process.parent.user.full_name: - description: '' + description: "" name: process.parent.user.full_name type: keyword - +process.parent.user.group.id: + description: "" + name: process.parent.user.group.id + type: keyword +process.parent.user.group.name: + description: "" + name: process.parent.user.group.name + type: keyword process.user.domain: - description: '' + description: "" name: process.user.domain type: keyword - process.user.email: - description: '' + description: "" name: process.user.email type: keyword - process.user.full_name: - description: '' + description: "" name: process.user.full_name type: keyword +process.user.group.id: + description: "" + name: process.user.group.id + type: keyword +process.user.group.name: + description: "" + name: process.user.group.name + type: keyword diff --git a/OCSF/ocsf/tests/test_application_activity_1.json b/OCSF/ocsf/tests/test_application_activity_1.json index c955d08b2..1dd8be1e3 100644 --- a/OCSF/ocsf/tests/test_application_activity_1.json +++ b/OCSF/ocsf/tests/test_application_activity_1.json 
@@ -28,6 +28,91 @@
 "cloud": {
 "provider": "speeches mail lack"
 },
- "ocsf": "{\"activity_id\": 4, \"activity_name\": \"Access Error\", \"category_name\": \"Application Activity\", \"category_uid\": 6, \"class_name\": \"Web Resource Access Activity\", \"class_uid\": 6004, \"cloud\": {\"org\": {\"name\": \"brazil newbie loc\", \"ou_name\": \"predicted themselves missile\", \"ou_uid\": \"072da124-584a-11ee-bf8b-0242ac110005\", \"uid\": \"072d99ea-584a-11ee-920a-0242ac110005\"}, \"provider\": \"speeches mail lack\"}, \"device\": {\"desc\": \"evaluate permits yesterday\", \"hostname\": \"chuck.int\", \"interface_name\": \"uzbekistan published feedback\", \"interface_uid\": \"072ddc66-584a-11ee-9824-0242ac110005\", \"ip\": \"81.2.69.142\", \"last_seen_time\": 1695277679358, \"name\": \"explains slow junior\", \"region\": \"invalid expressed participating\", \"type\": \"IOT\", \"type_id\": 7, \"uid\": \"072de986-584a-11ee-b258-0242ac110005\"}, \"http_request\": {\"http_headers\": [{\"name\": \"aol jim thick\", \"value\": \"unexpected counts ease\"}, {\"name\": \"ride sender reflections\", \"value\": \"persistent irc finest\"}], \"http_method\": \"GET\", \"uid\": \"072e083a-584a-11ee-9892-0242ac110005\", \"url\": {\"category_ids\": [35, 59], \"hostname\": \"congress.nato\", \"path\": \"container profiles content\", \"port\": 51670, \"query_string\": \"pads palestinian already\", \"scheme\": \"metallica races fears\", \"url_string\": \"daily\"}, \"user_agent\": \"webpage assets adams\", \"version\": \"1.0.0\"}, \"http_response\": {\"code\": 22, \"latency\": 3, \"length\": 40, \"message\": \"message regarding htp response\"}, \"message\": \"brain bear brush\", \"metadata\": {\"correlation_uid\": \"072db420-584a-11ee-adc0-0242ac110005\", \"event_code\": \"edward\", \"log_name\": \"foul jackson termination\", \"log_provider\": \"copper protective inexpensive\", \"logged_time_dt\": \"2023-09-21T06:42:26.632427Z\", \"original_time\": \"diploma mesh certified\", \"product\": {\"lang\": \"en\", \"name\": \"loc bw pa\", \"uid\": \"072dafa2-584a-11ee-bca3-0242ac110005\", \"url_string\": \"indirect\", \"vendor_name\": \"fotos choir archive\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"sequence\": 20, \"version\": \"1.0.0\"}, \"severity\": \"High\", \"severity_id\": 4, \"start_time_dt\": \"2023-09-21T06:42:26.634761Z\", \"status\": \"Unknown\", \"status_id\": 0, \"time\": 1695277679358, \"timezone_offset\": 55, \"type_name\": \"Web Resource Access Activity: Access Error\", \"type_uid\": 600404, \"web_resources\": [{\"desc\": \"pleased won coverage\", \"name\": \"ghost formats res\", \"type\": \"package type\", \"uid\": \"072dbbbe-584a-11ee-b4cc-0242ac110005\", \"url_string\": \"consists\"}, {\"data\": {\"logitech\": \"dehbs\"}, \"url_string\": \"devil\"}]}"
+ "ocsf": {
+ "activity_id": 4,
+ "activity_name": "Access Error",
+ "category_name": "Application Activity",
+ "category_uid": 6,
+ "class_name": "Web Resource Access Activity",
+ "class_uid": "6004",
+ "cloud": {
+ "org": {
+ "name": "brazil newbie loc",
+ "ou_name": "predicted themselves missile",
+ "ou_uid": "072da124-584a-11ee-bf8b-0242ac110005",
+ "uid": "072d99ea-584a-11ee-920a-0242ac110005"
+ }
+ },
+ "device": {
+ "desc": "evaluate permits yesterday",
+ "interface_name": "uzbekistan published feedback",
+ "interface_uid": "072ddc66-584a-11ee-9824-0242ac110005",
+ "last_seen_time": 1695277679358,
+ "region": "invalid expressed participating",
+ "type_id": "7"
+ },
+ "http_request": {
+ "http_headers": [
+ {
+ "name": "aol jim thick",
+ "value": "unexpected counts ease"
+ },
+ {
+ "name": "ride sender reflections",
+ "value": "persistent irc finest"
+ }
+ ],
+ "url": {
+ "category_ids": [
+ "35",
+ "59"
+ ]
+ }
+ },
+ "http_response": {
+ "latency": 3
+ },
+ "metadata": {
+ "correlation_uid": "072db420-584a-11ee-adc0-0242ac110005",
+ "log_name": "foul jackson termination",
+ "logged_time_dt": "2023-09-21T06:42:26.632427Z",
+ "original_time": "diploma mesh certified",
+ "product": {
+ "lang": "en",
+ "name": "loc bw pa",
+ "uid": "072dafa2-584a-11ee-bca3-0242ac110005",
+ "url_string": "indirect",
+ "vendor_name": "fotos choir archive",
+ "version": "1.0.0"
+ },
+ "profiles": [
+ "cloud",
+ "container",
+ "datetime",
+ "host"
+ ],
+ "version": "1.0.0"
+ },
+ "severity": "High",
+ "start_time_dt": "2023-09-21T06:42:26.634761Z",
+ "status": "Unknown",
+ "status_id": "0",
+ "timezone_offset": 55,
+ "type_name": "Web Resource Access Activity: Access Error",
+ "type_uid": "600404",
+ "web_resources": [
+ {
+ "desc": "pleased won coverage",
+ "name": "ghost formats res",
+ "type": "package type",
+ "uid": "072dbbbe-584a-11ee-b4cc-0242ac110005",
+ "url_string": "consists"
+ },
+ {
+ "data": "{\"logitech\": \"dehbs\"}",
+ "url_string": "devil"
+ }
+ ]
+ }
 }
 }
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_application_activity_2.json b/OCSF/ocsf/tests/test_application_activity_2.json
index f875dc7d8..7b3534d18 100644
--- a/OCSF/ocsf/tests/test_application_activity_2.json
+++ b/OCSF/ocsf/tests/test_application_activity_2.json
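Review bot: The new expected `ocsf` object types its identifier fields inconsistently: `class_uid`, `device.type_id`, `url.category_ids`, `status_id` and `type_uid` are now strings while `activity_id` and `category_uid` stay integers, although the removed one-line payload had all of them as integers. Detection content that compares on these fields needs each `*_id`/`*_uid` to have a predictable type; fields.yml declares `ocsf.status_id` and `ocsf.type_uid` as `keyword`, so the stringification looks intended there, and unless `activity_id` and `category_uid` are deliberately mapped as `long` the expectation should presumably read `"activity_id": "4",` and `"category_uid": "6",` as well. The same mixture appears in the test_application_activity_2.json hunk that follows. Separately, `device.ip`, `device.hostname`, `http_request.http_method`, `http_response.code`, `severity_id` and `time` no longer appear under `ocsf`; if they are asserted as ECS fields elsewhere in the fixture that is fine, but if they were simply dropped this fixture silently stops covering them.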
@@ -21,7 +21,74 @@ "network": { "application": "sheets horror trader" }, - "ocsf": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"category_name\": \"Application Activity\", \"category_uid\": 6, \"class_name\": \"Web Resources Activity\", \"class_uid\": 6001, \"message\": \"washington like safari\", \"metadata\": {\"log_name\": \"ur bother bearing\", \"log_provider\": \"performs elevation fox\", \"log_version\": \"three maritime cowboy\", \"logged_time\": 1695277679358, \"original_time\": \"moore genetic symbols\", \"processed_time\": 1695277679358, \"product\": {\"feature\": {\"name\": \"australia cup bios\", \"uid\": \"f6508bfa-520e-11ee-b54c-0242ac110004\", \"version\": \"1.0.0\"}, \"lang\": \"en\", \"name\": \"eligible scenes worm\", \"uid\": \"f6508420-520e-11ee-adcc-0242ac110004\", \"vendor_name\": \"fix complicated accreditation\", \"version\": \"1.0.0\"}, \"profiles\": [], \"sequence\": 78, \"version\": \"1.0.0\"}, \"severity\": \"Unknown\", \"severity_id\": 0, \"src_endpoint\": {\"domain\": \"hawaii unfortunately copying\", \"hostname\": \"saudi.int\", \"instance_uid\": \"f6509d0c-520e-11ee-9e6b-0242ac110004\", \"interface_name\": \"somewhere mentor crm\", \"interface_uid\": \"f650a3f6-520e-11ee-882f-0242ac110004\", \"intermediate_ips\": [\"81.2.69.142\", \"81.2.69.143\"], \"ip\": \"81.2.69.142\", \"name\": \"leasing imperial toner\", \"port\": 31790, \"svc_name\": \"sheets horror trader\", \"uid\": \"f650994c-520e-11ee-a9f4-0242ac110004\", \"vlan_uid\": \"f650a8a6-520e-11ee-b961-0242ac110004\"}, \"start_time\": 1695277679358, \"status\": \"Failure\", \"status_detail\": \"only zone its\", \"status_id\": 2, \"time\": 1695277679358, \"timezone_offset\": 83, \"type_name\": \"Web Resources Activity: Create\", \"type_uid\": 600101, \"web_resources\": [{\"data\": {\"discretion\": \"fhbds\"}, \"desc\": \"Description of web resource\", \"name\": \"concept navigator constitution\", \"type\": \"fundamental previous ty\", \"url_string\": \"past\"}], 
\"web_resources_result\": [{\"type\": \"prediction sunglasses rounds\", \"uid\": \"f65072d2-520e-11ee-9b9a-0242ac110004\", \"url_string\": \"military\"}, {\"data\": {\"protect\": \"rfvfd\"}, \"url_string\": \"association\"}]}", + "ocsf": { + "activity_id": 1, + "activity_name": "Create", + "category_name": "Application Activity", + "category_uid": 6, + "class_name": "Web Resources Activity", + "class_uid": "6001", + "metadata": { + "log_name": "ur bother bearing", + "log_version": "three maritime cowboy", + "logged_time": 1695277679358, + "original_time": "moore genetic symbols", + "processed_time": 1695277679358, + "product": { + "feature": { + "name": "australia cup bios", + "uid": "f6508bfa-520e-11ee-b54c-0242ac110004", + "version": "1.0.0" + }, + "lang": "en", + "name": "eligible scenes worm", + "uid": "f6508420-520e-11ee-adcc-0242ac110004", + "vendor_name": "fix complicated accreditation", + "version": "1.0.0" + }, + "profiles": [], + "version": "1.0.0" + }, + "severity": "Unknown", + "src_endpoint": { + "instance_uid": "f6509d0c-520e-11ee-9e6b-0242ac110004", + "interface_name": "somewhere mentor crm", + "interface_uid": "f650a3f6-520e-11ee-882f-0242ac110004", + "intermediate_ips": [ + "81.2.69.142", + "81.2.69.143" + ], + "name": "leasing imperial toner", + "uid": "f650994c-520e-11ee-a9f4-0242ac110004", + "vlan_uid": "f650a8a6-520e-11ee-b961-0242ac110004" + }, + "status": "Failure", + "status_detail": "only zone its", + "status_id": "2", + "timezone_offset": 83, + "type_name": "Web Resources Activity: Create", + "type_uid": "600101", + "web_resources": [ + { + "data": "{\"discretion\": \"fhbds\"}", + "desc": "Description of web resource", + "name": "concept navigator constitution", + "type": "fundamental previous ty", + "url_string": "past" + } + ], + "web_resources_result": [ + { + "type": "prediction sunglasses rounds", + "uid": "f65072d2-520e-11ee-9b9a-0242ac110004", + "url_string": "military" + }, + { + "data": "{\"protect\": \"rfvfd\"}", + "url_string": 
"association" + } + ] + }, "related": { "hosts": [ "saudi.int" diff --git a/OCSF/ocsf/tests/test_application_activity_3.json b/OCSF/ocsf/tests/test_application_activity_3.json index b6d69c006..a7c5c8a3e 100644 --- a/OCSF/ocsf/tests/test_application_activity_3.json +++ b/OCSF/ocsf/tests/test_application_activity_3.json 
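Review bot: The expected `ocsf` object mixes types for sibling enum identifiers: `"activity_id": 1` and `"category_uid": 6` stay integers while `"class_uid": "6001"`, `"status_id": "2"` and `"type_uid": "600101"` are quoted as strings. Whatever type the field mapping declares for these identifiers, the fixtures should agree with each other, otherwise a numeric filter or range query that works on one `*_id` silently fails on another and detection content written against the schema becomes fragile. The same mix appears in the test_application_activity_3.json, test_discovery_1.json, test_discovery_2.json, test_findings_1.json, test_iam_1.json and test_iam_2.json hunks. A short comment in the changelog or README stating the intended rule (for example, "all `*_id`/`*_uid` enum fields are serialized as keyword strings") would let reviewers check the fixtures against one stated contract.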
@@ -30,6 +30,84 @@ "provider": "infrared delayed visiting", "region": "initial lucia designer" }, - "ocsf": "{\"activity_id\": 99, \"activity_name\": \"look\", \"app\": {\"feature\": {\"name\": \"mit received implemented\", \"uid\": \"6519aa4c-584c-11ee-ac40-0242ac110005\", \"version\": \"1.0.0\"}, \"lang\": \"en\", \"name\": \"bottom loud knowledge\", \"path\": \"path o f\", \"uid\": \"6519a3da-584c-11ee-8c89-0242ac110005\", \"vendor_name\": \"ss keeping administered\", \"version\": \"1.0.0\"}, \"category_name\": \"Application Activity\", \"category_uid\": 6, \"class_name\": \"Application Lifecycle\", \"class_uid\": 6002, \"cloud\": {\"account\": {\"type\": \"AWS Account\", \"type_id\": 10, \"uid\": \"65194d7c-584c-11ee-8857-0242ac110005\"}, \"org\": {\"name\": \"exclusive variables tag\", \"ou_name\": \"custom packard pierre\", \"uid\": \"65193f12-584c-11ee-ae9b-0242ac110005\"}, \"provider\": \"infrared delayed visiting\", \"region\": \"initial lucia designer\"}, \"device\": {\"created_time\": 1695277679358, \"domain\": \"allied had insulation\", \"hostname\": \"zinc.biz\", \"hw_info\": {\"ram_size\": 84, \"serial_number\": \"training blink executives\"}, \"instance_uid\": \"65197efa-584c-11ee-bc04-0242ac110005\", \"interface_name\": \"lightbox bugs spain\", \"interface_uid\": \"6519835a-584c-11ee-b813-0242ac110005\", \"ip\": \"81.2.69.142\", \"is_personal\": false, \"name\": \"knows col covered\", \"org\": {\"name\": \"chaos winner entered\", \"ou_name\": \"music client leaf\", \"uid\": \"65197a86-584c-11ee-96c1-0242ac110005\"}, \"region\": \"casio paris norway\", \"subnet_uid\": \"6519725c-584c-11ee-b6a2-0242ac110005\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"651987a6-584c-11ee-ad31-0242ac110005\", \"uid_alt\": \"older audience trends\"}, \"message\": \"issues kings loop\", \"metadata\": {\"log_name\": \"collaboration blood loan\", \"log_provider\": \"jurisdiction protecting witness\", \"modified_time_dt\": \"2023-09-21T06:59:23.198620Z\", 
\"original_time\": \"effectively dimensional reservation\", \"product\": {\"lang\": \"en\", \"name\": \"enzyme cookie citations\", \"uid\": \"65195f88-584c-11ee-8118-0242ac110005\", \"url_string\": \"deck\", \"vendor_name\": \"rochester school force\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"version\": \"1.0.0\"}, \"severity\": \"Fatal\", \"severity_id\": 6, \"start_time_dt\": \"2023-09-21T06:59:23.200400Z\", \"status\": \"Success\", \"status_detail\": \"rat forth dishes\", \"status_id\": 1, \"time\": 1695277679358, \"type_name\": \"Application Lifecycle: Other\", \"type_uid\": 600299}" + "ocsf": { + "activity_id": 99, + "activity_name": "look", + "app": { + "feature": { + "name": "mit received implemented", + "uid": "6519aa4c-584c-11ee-ac40-0242ac110005", + "version": "1.0.0" + }, + "lang": "en", + "name": "bottom loud knowledge", + "path": "path o f", + "uid": "6519a3da-584c-11ee-8c89-0242ac110005", + "vendor_name": "ss keeping administered", + "version": "1.0.0" + }, + "category_name": "Application Activity", + "category_uid": 6, + "class_name": "Application Lifecycle", + "class_uid": "6002", + "cloud": { + "account": { + "type": "AWS Account", + "type_id": "10" + }, + "org": { + "name": "exclusive variables tag", + "ou_name": "custom packard pierre", + "uid": "65193f12-584c-11ee-ae9b-0242ac110005" + } + }, + "device": { + "created_time": 1695277679358, + "hw_info": { + "ram_size": 84, + "serial_number": "training blink executives" + }, + "instance_uid": "65197efa-584c-11ee-bc04-0242ac110005", + "interface_name": "lightbox bugs spain", + "interface_uid": "6519835a-584c-11ee-b813-0242ac110005", + "is_personal": false, + "org": { + "name": "chaos winner entered", + "ou_name": "music client leaf", + "uid": "65197a86-584c-11ee-96c1-0242ac110005" + }, + "region": "casio paris norway", + "subnet_uid": "6519725c-584c-11ee-b6a2-0242ac110005", + "type_id": "0", + "uid_alt": "older audience trends" + }, + "metadata": { 
+ "log_name": "collaboration blood loan", + "modified_time_dt": "2023-09-21T06:59:23.198620Z", + "original_time": "effectively dimensional reservation", + "product": { + "lang": "en", + "name": "enzyme cookie citations", + "uid": "65195f88-584c-11ee-8118-0242ac110005", + "url_string": "deck", + "vendor_name": "rochester school force", + "version": "1.0.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host" + ], + "version": "1.0.0" + }, + "severity": "Fatal", + "start_time_dt": "2023-09-21T06:59:23.200400Z", + "status": "Success", + "status_detail": "rat forth dishes", + "status_id": "1", + "type_name": "Application Lifecycle: Other", + "type_uid": "600299" + } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_discovery_1.json b/OCSF/ocsf/tests/test_discovery_1.json index 36a0d21d4..f8bf47b01 100644 --- a/OCSF/ocsf/tests/test_discovery_1.json +++ b/OCSF/ocsf/tests/test_discovery_1.json 
@@ -25,6 +25,72 @@ "provider": "mathematical inclusive insured", "region": "gravity bids tennis" }, - "ocsf": "{\"activity_id\": 2, \"activity_name\": \"Collect\", \"category_name\": \"Discovery\", \"category_uid\": 5, \"cis_benchmark_result\": {\"rule\": {\"category\": \"descidhscate\", \"desc\": \"rule_description\", \"name\": \"rule_name\", \"uid\": \"rule123\", \"version\": \"0.1.0\"}}, \"class_name\": \"Device Config State\", \"class_uid\": 5002, \"cloud\": {\"org\": {\"ou_name\": \"determined apr sheets\", \"uid\": \"023dbdcc-5848-11ee-bd54-0242ac110005\"}, \"provider\": \"mathematical inclusive insured\", \"region\": \"gravity bids tennis\"}, \"count\": 73, \"device\": {\"autoscale_uid\": \"023de734-5848-11ee-b193-0242ac110005\", \"first_seen_time_dt\": \"2023-09-21T06:27:59.356353Z\", \"hostname\": \"lucas.pro\", \"instance_uid\": \"023dec02-5848-11ee-8203-0242ac110005\", \"interface_name\": \"jerry street buried\", \"interface_uid\": \"023e1a06-5848-11ee-89c6-0242ac110005\", \"ip\": \"81.2.69.142\", \"modified_time_dt\": \"2023-09-21T06:27:59.357977Z\", \"name\": \"ranked murder listing\", \"region\": \"inline contains milwaukee\", \"risk_level\": \"russell customized absolutely\", \"risk_score\": 36, \"subnet\": \"49.28.0.0/16\", \"type\": \"Desktop\", \"type_id\": 2, \"uid\": \"023e2564-5848-11ee-9c42-0242ac110005\", \"uid_alt\": \"burst premier reverse\", \"vpc_uid\": \"023e205a-5848-11ee-a8d6-0242ac110005\"}, \"enrichments\": [{\"data\": {\"inexpensive\": \"abddfg\"}, \"name\": \"preview belarus licking\", \"provider\": \"surgical disaster individually\", \"type\": \"separation passes distance\", \"value\": \"magnitude cancellation weed\"}], \"message\": \"flags feel absolute\", \"metadata\": {\"correlation_uid\": \"023dd7c6-5848-11ee-9d4d-0242ac110005\", \"extension\": {\"name\": \"chess entry productive\", \"uid\": \"023dccfe-5848-11ee-8227-0242ac110005\", \"version\": \"1.0.0\"}, \"log_provider\": \"reliance trust interim\", \"original_time\": 
\"database darwin area\", \"processed_time_dt\": \"2023-09-21T06:27:59.356124Z\", \"product\": {\"name\": \"legal subsidiary eleven\", \"path\": \"financial spot tennis\", \"uid\": \"023dd33e-5848-11ee-aa6d-0242ac110005\", \"vendor_name\": \"assumes podcast went\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"version\": \"1.0.0\"}, \"severity\": \"Fatal\", \"severity_id\": 6, \"status\": \"creativity\", \"status_id\": 99, \"time\": 1695277679358, \"timezone_offset\": 0, \"type_name\": \"Device Config State: Collect\", \"type_uid\": 500202}" + "ocsf": { + "activity_id": 2, + "activity_name": "Collect", + "category_name": "Discovery", + "category_uid": 5, + "class_name": "Device Config State", + "class_uid": "5002", + "cloud": { + "org": { + "ou_name": "determined apr sheets", + "uid": "023dbdcc-5848-11ee-bd54-0242ac110005" + } + }, + "count": 73, + "device": { + "autoscale_uid": "023de734-5848-11ee-b193-0242ac110005", + "first_seen_time_dt": "2023-09-21T06:27:59.356353Z", + "instance_uid": "023dec02-5848-11ee-8203-0242ac110005", + "interface_name": "jerry street buried", + "interface_uid": "023e1a06-5848-11ee-89c6-0242ac110005", + "modified_time_dt": "2023-09-21T06:27:59.357977Z", + "region": "inline contains milwaukee", + "subnet": "49.28.0.0/16", + "type_id": "2", + "uid_alt": "burst premier reverse", + "vpc_uid": "023e205a-5848-11ee-a8d6-0242ac110005" + }, + "enrichments": [ + { + "data": "{\"inexpensive\": \"abddfg\"}", + "name": "preview belarus licking", + "provider": "surgical disaster individually", + "type": "separation passes distance", + "value": "magnitude cancellation weed" + } + ], + "metadata": { + "correlation_uid": "023dd7c6-5848-11ee-9d4d-0242ac110005", + "extension": { + "name": "chess entry productive", + "uid": "023dccfe-5848-11ee-8227-0242ac110005", + "version": "1.0.0" + }, + "original_time": "database darwin area", + "processed_time_dt": "2023-09-21T06:27:59.356124Z", + "product": { + "name": 
"legal subsidiary eleven", + "path": "financial spot tennis", + "uid": "023dd33e-5848-11ee-aa6d-0242ac110005", + "vendor_name": "assumes podcast went", + "version": "1.0.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host" + ], + "version": "1.0.0" + }, + "severity": "Fatal", + "status": "creativity", + "status_id": "99", + "timezone_offset": 0, + "type_name": "Device Config State: Collect", + "type_uid": "500202" + } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_discovery_2.json b/OCSF/ocsf/tests/test_discovery_2.json index 5a6b6f7b0..11d91d278 100644 --- a/OCSF/ocsf/tests/test_discovery_2.json +++ b/OCSF/ocsf/tests/test_discovery_2.json 
@@ -25,6 +25,79 @@ "provider": "mod force sailing", "region": "ticket resident buried" }, - "ocsf": "{\"activity_id\": 2, \"activity_name\": \"Collect\", \"category_name\": \"Discovery\", \"category_uid\": 5, \"class_name\": \"Device Inventory Info\", \"class_uid\": 5001, \"cloud\": {\"org\": {\"name\": \"black lets promotions\", \"ou_name\": \"recover sol revolutionary\"}, \"provider\": \"mod force sailing\", \"region\": \"ticket resident buried\"}, \"device\": {\"autoscale_uid\": \"7f25415c-584d-11ee-b3fc-0242ac110005\", \"hw_info\": {\"cpu_bits\": 66}, \"image\": {\"name\": \"saudi enhanced surgical\", \"uid\": \"7f2554b2-584d-11ee-b26b-0242ac110005\"}, \"instance_uid\": \"7f254ea4-584d-11ee-a68f-0242ac110005\", \"interface_name\": \"watt profile rs\", \"is_personal\": false, \"last_seen_time\": 1695277679358, \"location\": {\"city\": \"Porcelain senior\", \"continent\": \"Africa\", \"coordinates\": [-161.6608, -47.0418], \"country\": \"RE\", \"desc\": \"Reunion\"}, \"mac\": \"C6:49:F0:76:1D:13:CE:F7\", \"name\": \"craig functioning literally\", \"os\": {\"build\": \"dozen oval removing\", \"edition\": \"nightmare engineers carter\", \"lang\": \"en\", \"name\": \"spy chronic casual\", \"type\": \"Android\", \"type_id\": 201, \"version\": \"1.0.0\"}, \"region\": \"airport leaves kitchen\", \"risk_level\": \"organizational economic connecticut\", \"type\": \"Laptop\", \"type_id\": 3, \"uid\": \"7f256308-584d-11ee-8de0-0242ac110005\"}, \"enrichments\": [{\"data\": {\"nintendo\": \"abcd\"}, \"name\": \"visual mv bottom\", \"provider\": \"lucy permanent trips\", \"type\": \"calibration basics quebec\", \"value\": \"alice stick spray\"}], \"message\": \"poster thongs assumptions\", \"metadata\": {\"event_code\": \"spelling\", \"log_name\": \"len falling educational\", \"log_provider\": \"tales asset extremely\", \"log_version\": \"learners headlines linear\", \"original_time\": \"programmers less barcelona\", \"processed_time\": 1695280036393, \"product\": {\"lang\": 
\"en\", \"name\": \"butterfly knight log\", \"uid\": \"7f25336a-584d-11ee-b2a5-0242ac110005\", \"vendor_name\": \"disciplinary rec report\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"version\": \"1.0.0\"}, \"severity\": \"Critical\", \"severity_id\": 5, \"start_time_dt\": \"2023-09-21T07:07:16.394812Z\", \"status\": \"Success\", \"status_code\": \"vancouver\", \"status_id\": 1, \"time\": 1695277679358, \"timezone_offset\": 65, \"type_name\": \"Device Inventory Info: Collect\", \"type_uid\": 500102}" + "ocsf": { + "activity_id": 2, + "activity_name": "Collect", + "category_name": "Discovery", + "category_uid": 5, + "class_name": "Device Inventory Info", + "class_uid": "5001", + "cloud": { + "org": { + "name": "black lets promotions", + "ou_name": "recover sol revolutionary" + } + }, + "device": { + "autoscale_uid": "7f25415c-584d-11ee-b3fc-0242ac110005", + "hw_info": { + "cpu_bits": 66 + }, + "image": { + "name": "saudi enhanced surgical", + "uid": "7f2554b2-584d-11ee-b26b-0242ac110005" + }, + "instance_uid": "7f254ea4-584d-11ee-a68f-0242ac110005", + "interface_name": "watt profile rs", + "is_personal": false, + "last_seen_time": 1695277679358, + "os": { + "edition": "nightmare engineers carter", + "lang": "en", + "type": "Android", + "type_id": "201", + "version": "1.0.0" + }, + "region": "airport leaves kitchen", + "type_id": "3" + }, + "enrichments": [ + { + "data": "{\"nintendo\": \"abcd\"}", + "name": "visual mv bottom", + "provider": "lucy permanent trips", + "type": "calibration basics quebec", + "value": "alice stick spray" + } + ], + "metadata": { + "log_name": "len falling educational", + "log_version": "learners headlines linear", + "original_time": "programmers less barcelona", + "processed_time": 1695280036393, + "product": { + "lang": "en", + "name": "butterfly knight log", + "uid": "7f25336a-584d-11ee-b2a5-0242ac110005", + "vendor_name": "disciplinary rec report", + "version": "1.0.0" + }, + 
"profiles": [ + "cloud", + "container", + "datetime", + "host" + ], + "version": "1.0.0" + }, + "severity": "Critical", + "start_time_dt": "2023-09-21T07:07:16.394812Z", + "status": "Success", + "status_code": "vancouver", + "status_id": "1", + "timezone_offset": 65, + "type_name": "Device Inventory Info: Collect", + "type_uid": "500102" + } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_findings_1.json b/OCSF/ocsf/tests/test_findings_1.json index e014833ba..7560c3739 100644 --- a/OCSF/ocsf/tests/test_findings_1.json +++ b/OCSF/ocsf/tests/test_findings_1.json 
@@ -27,6 +27,133 @@ "provider": "AWS", "region": "us-east-1" }, - "ocsf": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"cloud\": {\"account\": {\"uid\": \"522536594833\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"compliance\": {\"requirements\": [\"PCI1.2\"], \"status\": \"PASSED\", \"status_detail\": \"CloudWatch alarms do not exist in the account\"}, \"finding\": {\"created_time\": 1635449619417, \"desc\": \"This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports [3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445, 135, 21, 1434, 4333, 5432, 5500, 5601, 22, 3000, 5000, 8088, 8888] that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for the listed ports.\", \"first_seen_time\": 1635449619417, \"last_seen_time\": 1659636565316, \"modified_time\": 1659636559100, \"related_events\": [{\"product_uid\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\", \"uid\": \"123e4567-e89b-12d3-a456-426655440000\"}, {\"product_uid\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\", \"uid\": \"AcmeNerfHerder-111111111111-x189dx7824\"}], \"remediation\": {\"desc\": \"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\", \"kb_articles\": [\"https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation\"]}, \"title\": \"EC2.19 Security groups should not allow unrestricted access to ports with high risk\", \"types\": [\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"], \"uid\": \"test\"}, \"malware\": [{\"classification_ids\": [1], \"classifications\": [\"Adware\"], \"name\": \"Stringler\", \"path\": \"/usr/sbin/stringler\"}], \"metadata\": {\"product\": 
{\"feature\": {\"name\": \"Security Hub\", \"uid\": \"aws-foundational-security-best-practices/v/1.0.0/EC2.19\"}, \"name\": \"Security Hub\", \"uid\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\", \"vendor_name\": \"AWS\", \"version\": \"2018-10-08\"}, \"profiles\": [\"cloud\"], \"version\": \"1.0.0-rc.2\"}, \"resources\": [{\"cloud_partition\": \"aws\", \"labels\": [\"billingCode=Lotus-1-2-3\", \"needsPatching=true\"], \"region\": \"us-east-1\", \"type\": \"AwsEc2SecurityGroup\", \"uid\": \"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"state\": \"Resolved\", \"state_id\": 4, \"time\": 1659636559100, \"type_name\": \"Security Finding: Update\", \"type_uid\": 200102, \"unmapped\": {\"CompanyName\": \"AWS\", \"Compliance.StatusReasons[].ReasonCode\": \"CW_ALARMS_NOT_PRESENT\", \"FindingProviderFields.Severity.Label\": \"INFORMATIONAL\", \"FindingProviderFields.Severity.Original\": \"INFORMATIONAL\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\", \"Malware[].State\": \"OBSERVED\", \"ProductFields.ControlId\": \"EC2.19\", \"ProductFields.RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation\", \"ProductFields.RelatedAWSResources:0/name\": \"securityhub-vpc-sg-restricted-common-ports-2af29baf\", \"ProductFields.RelatedAWSResources:0/type\": \"AWS::Config::ConfigRule\", \"ProductFields.Resources:0/Id\": \"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499\", \"ProductFields.StandardsArn\": \"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0\", \"ProductFields.StandardsControlArn\": \"arn:aws:securityhub:us-east-1:522536594833:control/aws-foundational-security-best-practices/v/1.0.0/EC2.19\", \"ProductFields.StandardsSubscriptionArn\": 
\"arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0\", \"ProductFields.aws/securityhub/CompanyName\": \"AWS\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bf428107-eee0-4d19-a013-92748ed69eef\", \"ProductFields.aws/securityhub/ProductName\": \"Security Hub\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"0\", \"Severity.Original\": \"INFORMATIONAL\", \"Severity.Product\": \"0\", \"Vulnerabilities[].Cvss[].BaseScore\": \"4.7,1.0\", \"Vulnerabilities[].Cvss[].BaseVector\": \"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,AV:L/AC:M/Au:N/C:C/I:N/A:N\", \"Vulnerabilities[].Cvss[].Version\": \"V3,V2\", \"Vulnerabilities[].Vendor.VendorSeverity\": \"Medium\", \"WorkflowState\": \"NEW\"}, \"vulnerabilities\": [{\"cve\": {\"created_time\": 1579132903000, \"cvss\": {\"base_score\": 4.7, \"vector_string\": \"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"version\": \"V3\"}, \"modified_time\": 1579132903000, \"uid\": \"CVE-2020-12345\"}, \"kb_articles\": [\"https://alas.aws.amazon.com/ALAS-2020-1337.html\"], \"packages\": [{\"architecture\": \"x86_64\", \"epoch\": 1, \"name\": \"openssl\", \"release\": \"16.amzn2.0.3\", \"version\": \"1.0.2k\"}, {\"architecture\": \"x86_64\", \"epoch\": 3, \"name\": \"yaml\", \"release\": \"16.amzn2.0.3\", \"version\": \"4.3.2\"}], \"references\": [\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418\"], \"related_vulnerabilities\": [\"CVE-2020-12345\"], \"vendor_name\": \"Alas\"}]}" + "ocsf": { + "activity_id": 2, + "activity_name": "Update", + "category_name": "Findings", + "category_uid": 2, + "class_name": "Security Finding", + "class_uid": "2001", + "compliance": { + "requirements": [ + "PCI1.2" + ], + "status": "PASSED", + "status_detail": "CloudWatch alarms do not exist in the account" + }, + "finding": { 
+ "desc": "This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports [3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445, 135, 21, 1434, 4333, 5432, 5500, 5601, 22, 3000, 5000, 8088, 8888] that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for the listed ports.", + "first_seen_time": 1635449619417, + "last_seen_time": 1659636565316, + "modified_time": 1659636559100, + "related_events": [ + { + "product_uid": "arn:aws:securityhub:us-west-2::product/aws/guardduty", + "uid": "123e4567-e89b-12d3-a456-426655440000" + }, + { + "product_uid": "arn:aws:securityhub:us-west-2::product/aws/guardduty", + "uid": "AcmeNerfHerder-111111111111-x189dx7824" + } + ], + "remediation": { + "desc": "For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.", + "kb_articles": [ + "https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation" + ] + }, + "title": "EC2.19 Security groups should not allow unrestricted access to ports with high risk", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices" + ], + "uid": "test" + }, + "malware": [ + { + "classification_ids": [ + "1" + ], + "classifications": [ + "Adware" + ], + "name": "Stringler", + "path": "/usr/sbin/stringler" + } + ], + "metadata": { + "product": { + "feature": { + "name": "Security Hub", + "uid": "aws-foundational-security-best-practices/v/1.0.0/EC2.19" + }, + "name": "Security Hub", + "uid": "arn:aws:securityhub:us-east-1::product/aws/securityhub", + "vendor_name": "AWS", + "version": "2018-10-08" + }, + "profiles": [ + "cloud" + ], + "version": "1.0.0-rc.2" + }, + "resources": [ + { + "cloud_partition": "aws", + "labels": [ + "billingCode=Lotus-1-2-3", + "needsPatching=true" + ], + "region": "us-east-1", + "type": "AwsEc2SecurityGroup", 
+ "uid": "arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499" + } + ], + "severity": "Informational", + "state": "Resolved", + "state_id": "4", + "type_name": "Security Finding: Update", + "type_uid": "200102", + "unmapped": "{\"CompanyName\": \"AWS\", \"Compliance.StatusReasons[].ReasonCode\": \"CW_ALARMS_NOT_PRESENT\", \"FindingProviderFields.Severity.Label\": \"INFORMATIONAL\", \"FindingProviderFields.Severity.Original\": \"INFORMATIONAL\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\", \"Malware[].State\": \"OBSERVED\", \"ProductFields.ControlId\": \"EC2.19\", \"ProductFields.RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation\", \"ProductFields.RelatedAWSResources:0/name\": \"securityhub-vpc-sg-restricted-common-ports-2af29baf\", \"ProductFields.RelatedAWSResources:0/type\": \"AWS::Config::ConfigRule\", \"ProductFields.Resources:0/Id\": \"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499\", \"ProductFields.StandardsArn\": \"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0\", \"ProductFields.StandardsControlArn\": \"arn:aws:securityhub:us-east-1:522536594833:control/aws-foundational-security-best-practices/v/1.0.0/EC2.19\", \"ProductFields.StandardsSubscriptionArn\": \"arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0\", \"ProductFields.aws/securityhub/CompanyName\": \"AWS\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bf428107-eee0-4d19-a013-92748ed69eef\", \"ProductFields.aws/securityhub/ProductName\": \"Security Hub\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"0\", \"Severity.Original\": \"INFORMATIONAL\", 
\"Severity.Product\": \"0\", \"Vulnerabilities[].Cvss[].BaseScore\": \"4.7,1.0\", \"Vulnerabilities[].Cvss[].BaseVector\": \"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,AV:L/AC:M/Au:N/C:C/I:N/A:N\", \"Vulnerabilities[].Cvss[].Version\": \"V3,V2\", \"Vulnerabilities[].Vendor.VendorSeverity\": \"Medium\", \"WorkflowState\": \"NEW\"}", + "vulnerabilities": [ + { + "cve": { + "created_time": 1579132903000, + "cvss": { + "base_score": "4.7", + "vector_string": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "version": "V3" + }, + "modified_time": 1579132903000, + "uid": "CVE-2020-12345" + }, + "kb_articles": [ + "https://alas.aws.amazon.com/ALAS-2020-1337.html" + ], + "packages": [ + { + "architecture": "x86_64", + "epoch": 1, + "name": "openssl", + "release": "16.amzn2.0.3", + "version": "1.0.2k" + }, + { + "architecture": "x86_64", + "epoch": 3, + "name": "yaml", + "release": "16.amzn2.0.3", + "version": "4.3.2" + } + ], + "references": [ + "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418" + ], + "related_vulnerabilities": [ + "CVE-2020-12345" + ], + "vendor_name": "Alas" + } + ] + } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_iam_1.json b/OCSF/ocsf/tests/test_iam_1.json index d43cbb9e9..5aa6136d3 100644 --- a/OCSF/ocsf/tests/test_iam_1.json +++ b/OCSF/ocsf/tests/test_iam_1.json 
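Review bot: `"base_score": "4.7"` under `vulnerabilities[].cve.cvss` is expected as a string although the input carries it as a number, so severity thresholds such as `base_score >= 7` cannot be expressed as a numeric comparison in rules or dashboards; unless the field mapping deliberately declares it as keyword, the expectation should keep `4.7` unquoted. The `unmapped` block is likewise flattened into one JSON-encoded string, which makes the vendor fields inside it (`RecordState`, `WorkflowState`, `Severity.Normalized`) unsearchable by key; if that is intentional, a note documenting that `unmapped` and `*.data` objects are stored as opaque JSON strings would help the next maintainer.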
@@ -23,6 +23,60 @@ "info" ] }, - "ocsf": "{\"activity_id\": 0, \"activity_name\": \"Unknown\", \"category_name\": \"Identity & Access Management\", \"category_uid\": 3, \"class_name\": \"Authorize Session\", \"class_uid\": 3003, \"group\": {\"desc\": \"checking tion ii\", \"name\": \"hollow alignment one\", \"privileges\": [\"powder exams monkey\"], \"uid\": \"2e6b38da-6409-11ee-a724-0242ac110005\"}, \"message\": \"gr rap prospect\", \"metadata\": {\"log_name\": \"ebony pay tablets\", \"log_provider\": \"medline putting movie\", \"logged_time\": 1696570109, \"original_time\": \"gentleman brings relationship\", \"product\": {\"lang\": \"en\", \"name\": \"release zealand upon\", \"path\": \"fuel style da\", \"uid\": \"2e6ae592-6409-11ee-8656-0242ac110005\", \"vendor_name\": \"crest homework turtle\", \"version\": \"1.0.0\"}, \"profiles\": [], \"sequence\": 82, \"version\": \"1.0.0\"}, \"privileges\": [\"arrive wu supervisors\", \"fix kevin networking\"], \"session\": {\"credential_uid\": \"2e6b0d6a-6409-11ee-bff8-0242ac110005\", \"is_remote\": true, \"issuer\": \"available towns recorder\", \"uid\": \"2e6b0374-6409-11ee-9a31-0242ac110005\"}, \"severity\": \"Low\", \"severity_id\": 2, \"status\": \"Unknown\", \"status_code\": \"seo\", \"status_id\": 0, \"time\": 1696570109, \"timezone_offset\": 34, \"type_name\": \"Authorize Session: Unknown\", \"type_uid\": 300300, \"user\": {\"account\": {\"name\": \"minimal bumper shortly\", \"type\": \"Unknown\", \"type_id\": 0}, \"name\": \"And\", \"type\": \"creations\", \"type_id\": 99, \"uid\": \"2e6b43e8-6409-11ee-ad4a-0242ac110005\"}}" + "ocsf": { + "activity_id": 0, + "activity_name": "Unknown", + "category_name": "Identity & Access Management", + "category_uid": 3, + "class_name": "Authorize Session", + "class_uid": "3003", + "group": { + "desc": "checking tion ii", + "privileges": [ + "powder exams monkey" + ] + }, + "metadata": { + "log_name": "ebony pay tablets", + "logged_time": 1696570109, + "original_time": 
"gentleman brings relationship", + "product": { + "lang": "en", + "name": "release zealand upon", + "path": "fuel style da", + "uid": "2e6ae592-6409-11ee-8656-0242ac110005", + "vendor_name": "crest homework turtle", + "version": "1.0.0" + }, + "profiles": [], + "version": "1.0.0" + }, + "privileges": [ + "arrive wu supervisors", + "fix kevin networking" + ], + "session": { + "credential_uid": "2e6b0d6a-6409-11ee-bff8-0242ac110005", + "is_remote": true, + "issuer": "available towns recorder", + "uid": "2e6b0374-6409-11ee-9a31-0242ac110005" + }, + "severity": "Low", + "status": "Unknown", + "status_code": "seo", + "status_id": "0", + "timezone_offset": 34, + "type_name": "Authorize Session: Unknown", + "type_uid": "300300", + "user": { + "account": { + "name": "minimal bumper shortly", + "type": "Unknown", + "type_id": "0" + }, + "type": "creations", + "type_id": "99" + } + } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_iam_2.json b/OCSF/ocsf/tests/test_iam_2.json index 12d6fceb8..f5349435f 100644 --- a/OCSF/ocsf/tests/test_iam_2.json +++ b/OCSF/ocsf/tests/test_iam_2.json 
@@ -16,6 +16,36 @@
 "sequence": 53,
 "severity": 0
 },
- "ocsf": "{\"activity_id\": 2, \"activity_name\": \"Read\", \"category_name\": \"Identity & Access Management\", \"category_uid\": 3, \"class_name\": \"Entity Management\", \"class_uid\": 3004, \"entity\": {\"name\": \"sweden temperatures paste\", \"type\": \"founder quilt bone\", \"uid\": \"c7a47574-640a-11ee-aeb8-0242ac110005\", \"version\": \"1.0.0\"}, \"message\": \"ri retired bargain\", \"metadata\": {\"correlation_uid\": \"c7a462e6-640a-11ee-b915-0242ac110005\", \"labels\": [\"calm\"], \"log_name\": \"intent hobby reserve\", \"log_provider\": \"details contributor departments\", \"product\": {\"lang\": \"en\", \"uid\": \"c7a42ac4-640a-11ee-ae25-0242ac110005\", \"vendor_name\": \"cross networks miles\", \"version\": \"1.0.0\"}, \"profiles\": [], \"sequence\": 53, \"uid\": \"c7a45544-640a-11ee-84b0-0242ac110005\", \"version\": \"1.0.0\"}, \"severity\": \"Unknown\", \"severity_id\": 0, \"status\": \"authors technology bible\", \"time\": 1696570795, \"timezone_offset\": 36, \"type_name\": \"Entity Management: Read\", \"type_uid\": 300402}"
+ "ocsf": {
+ "activity_id": 2,
+ "activity_name": "Read",
+ "category_name": "Identity & Access Management",
+ "category_uid": 3,
+ "class_name": "Entity Management",
+ "class_uid": "3004",
+ "entity": {
+ "name": "sweden temperatures paste",
+ "type": "founder quilt bone",
+ "uid": "c7a47574-640a-11ee-aeb8-0242ac110005",
+ "version": "1.0.0"
+ },
+ "metadata": {
+ "correlation_uid": "c7a462e6-640a-11ee-b915-0242ac110005",
+ "log_name": "intent hobby reserve",
+ "product": {
+ "lang": "en",
+ "uid": "c7a42ac4-640a-11ee-ae25-0242ac110005",
+ "vendor_name": "cross networks miles",
+ "version": "1.0.0"
+ },
+ "profiles": [],
+ "version": "1.0.0"
+ },
+ "severity": "Unknown",
+ "status": "authors technology bible",
+ "timezone_offset": 36,
+ "type_name": "Entity Management: Read",
+ "type_uid": "300402"
+ }
 }
 }
\ No newline at end of file
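Review bot: `metadata.uid` (`c7a45544-…`), the producer's unique event identifier, is dropped from the expected `ocsf` object together with `metadata.labels`, `metadata.sequence`, `metadata.log_provider`, `message`, `time` and `severity_id`, while `metadata.correlation_uid` is kept. Without the event uid an analyst cannot deduplicate replayed events or pivot back to the source record for this Entity Management: Read event unless it is mapped to `event.id` in the ECS part of the fixture, which lies outside this hunk. Either retain `"uid": "c7a45544-640a-11ee-84b0-0242ac110005"` inside `metadata` or make the fixture assert the ECS counterpart so the mapping is verified rather than assumed.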
diff --git a/OCSF/ocsf/tests/test_iam_3.json b/OCSF/ocsf/tests/test_iam_3.json
index aec731c59..ae3bcdb53 100644
--- a/OCSF/ocsf/tests/test_iam_3.json
+++ b/OCSF/ocsf/tests/test_iam_3.json
@@ -24,6 +24,68 @@ "user" ] }, - "ocsf": "{\"activity_id\": 3, \"activity_name\": \"Add User\", \"category_name\": \"Identity & Access Management\", \"category_uid\": 3, \"class_name\": \"Group Management\", \"class_uid\": 3006, \"count\": 37, \"duration\": 91, \"enrichments\": [{\"data\": {\"dns\": \"bhrjfd\"}, \"name\": \"consisting loves arrives\", \"provider\": \"case safari sw\", \"type\": \"babes rrp normally\", \"value\": \"cooking pot enough\"}], \"group\": {\"name\": \"cottages donor awful\", \"uid\": \"acca5274-6427-11ee-9dbd-0242ac110005\"}, \"message\": \"obj permitted belong\", \"metadata\": {\"log_name\": \"declared exhibits me\", \"log_provider\": \"adsl exposed rom\", \"original_time\": \"affordable mixture nigeria\", \"product\": {\"name\": \"industry thou favorites\", \"uid\": \"acc9db64-6427-11ee-bbd5-0242ac110005\", \"vendor_name\": \"assisted parade monitored\", \"version\": \"1.0.0\"}, \"profiles\": [], \"sequence\": 35, \"version\": \"1.0.0\"}, \"severity\": \"Low\", \"severity_id\": 2, \"status\": \"Success\", \"status_id\": 1, \"time\": 1696583206, \"timezone_offset\": 81, \"type_name\": \"Group Management: Add User\", \"type_uid\": 300603, \"user\": {\"full_name\": \"Nicki Christa\", \"groups\": [{\"desc\": \"fire transsexual uri\", \"name\": \"kim patio tr\", \"uid\": \"acca6980-6427-11ee-8abc-0242ac110005\"}, {\"desc\": \"snake avi only\", \"name\": \"interior husband tvs\", \"privileges\": [\"fresh provision sociology\", \"foundations twisted couple\"], \"type\": \"magnetic peninsula riders\", \"uid\": \"acca6de0-6427-11ee-84f2-0242ac110005\"}], \"name\": \"Rankings\", \"org\": {\"name\": \"lesson machinery nutritional\", \"ou_name\": \"to walnut dash\", \"uid\": \"acca6354-6427-11ee-ae9b-0242ac110005\"}, \"type\": \"suited\", \"type_id\": 99, \"uid\": \"acca5dd2-6427-11ee-8ef4-0242ac110005\"}}" + "ocsf": { + "activity_id": 3, + "activity_name": "Add User", + "category_name": "Identity & Access Management", + "category_uid": 3, + 
"class_name": "Group Management", + "class_uid": "3006", + "count": 37, + "duration": 91, + "enrichments": [ + { + "data": "{\"dns\": \"bhrjfd\"}", + "name": "consisting loves arrives", + "provider": "case safari sw", + "type": "babes rrp normally", + "value": "cooking pot enough" + } + ], + "metadata": { + "log_name": "declared exhibits me", + "original_time": "affordable mixture nigeria", + "product": { + "name": "industry thou favorites", + "uid": "acc9db64-6427-11ee-bbd5-0242ac110005", + "vendor_name": "assisted parade monitored", + "version": "1.0.0" + }, + "profiles": [], + "version": "1.0.0" + }, + "severity": "Low", + "status": "Success", + "status_id": "1", + "timezone_offset": 81, + "type_name": "Group Management: Add User", + "type_uid": "300603", + "user": { + "groups": [ + { + "desc": "fire transsexual uri", + "name": "kim patio tr", + "uid": "acca6980-6427-11ee-8abc-0242ac110005" + }, + { + "desc": "snake avi only", + "name": "interior husband tvs", + "privileges": [ + "fresh provision sociology", + "foundations twisted couple" + ], + "type": "magnetic peninsula riders", + "uid": "acca6de0-6427-11ee-84f2-0242ac110005" + } + ], + "org": { + "name": "lesson machinery nutritional", + "ou_name": "to walnut dash", + "uid": "acca6354-6427-11ee-ae9b-0242ac110005" + }, + "type": "suited", + "type_id": "99" + } + } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_iam_4.json b/OCSF/ocsf/tests/test_iam_4.json index 804c63f83..4fbbb0f40 100644 --- a/OCSF/ocsf/tests/test_iam_4.json +++ b/OCSF/ocsf/tests/test_iam_4.json 
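Review bot: `enrichments[0].data` is expected as the JSON-encoded string `"{\"dns\": \"bhrjfd\"}"` although the raw event on the removed line carried it as an object; flattening it to text means a rule cannot address `enrichments.data.dns` and must substring-match serialised JSON, where the serializer's key order and spacing become part of the match. If `data` is intentionally kept opaque because its shape is producer-defined, state that in the parser's field documentation; otherwise map it as an object/flattened field. Note also that the target `group` (`name`, `uid`) of this Group Management: Add User event and `user.name`/`user.uid`/`user.full_name` are absent under `ocsf`; they may be carried in ECS `group.*`/`user.*` above the hunk, but the parsed side alone no longer states which group the user was added to.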
@@ -21,6 +21,78 @@ "group" ] }, - "ocsf": "{\"activity_id\": 0, \"activity_name\": \"Unknown\", \"category_name\": \"Identity & Access Management\", \"category_uid\": 3, \"class_name\": \"User Access Management\", \"class_uid\": 3005, \"group\": {\"name\": \"then nevada berkeley md\", \"uid\": \"c63f1e24-6424-11ee-af05-0242ac110005\"}, \"message\": \"isaac uncertainty replication\", \"metadata\": {\"log_name\": \"gravity bill gp\", \"logged_time\": 1696581958, \"original_time\": \"escape mic warner\", \"product\": {\"feature\": {\"name\": \"services cultural ali\", \"uid\": \"c52f43f4-6424-11ee-9b6e-0242ac110005\", \"version\": \"1.0.0\"}, \"lang\": \"en\", \"name\": \"advance wellness phentermine\", \"uid\": \"c52f3210-6424-11ee-b807-0242ac110005\", \"vendor_name\": \"sphere chef physicians\", \"version\": \"1.0.0\"}, \"profiles\": [], \"version\": \"1.0.0\"}, \"observables\": [{\"name\": \"devices arguments label\", \"type\": \"Fingerprint\", \"type_id\": 30}, {\"name\": \"line nightlife expo\", \"reputation\": {\"base_score\": 45.5971, \"provider\": \"marcus magnetic expressed\", \"score\": \"May not be Safe\", \"score_id\": 5}, \"type\": \"Container\", \"type_id\": 27}], \"privileges\": [\"returned funeral cave\"], \"resource\": {\"group\": {\"name\": \"then nevada berkeley\", \"uid\": \"c52f1e24-6424-11ee-af05-0242ac110005\"}, \"owner\": {\"domain\": \"regions gr dean\", \"email_addr\": \"Art@his.name\", \"name\": \"Fatty\", \"type\": \"forecast\", \"type_id\": 99, \"uid\": \"c52f060a-6424-11ee-b378-0242ac110005\"}}, \"severity\": \"Medium\", \"severity_id\": 3, \"start_time\": 1696581958, \"status\": \"abstracts\", \"status_id\": 99, \"time\": 1696581958, \"timezone_offset\": 28, \"type_name\": \"User Access Management: Unknown\", \"type_uid\": 300500, \"user\": {\"credential_uid\": \"c52f57ae-6424-11ee-b8be-0242ac110005\", \"name\": \"Dd\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"c52f5236-6424-11ee-9c16-0242ac110005\"}}" + "ocsf": { + "activity_id": 
0, + "activity_name": "Unknown", + "category_name": "Identity & Access Management", + "category_uid": 3, + "class_name": "User Access Management", + "class_uid": "3005", + "metadata": { + "log_name": "gravity bill gp", + "logged_time": 1696581958, + "original_time": "escape mic warner", + "product": { + "feature": { + "name": "services cultural ali", + "uid": "c52f43f4-6424-11ee-9b6e-0242ac110005", + "version": "1.0.0" + }, + "lang": "en", + "name": "advance wellness phentermine", + "uid": "c52f3210-6424-11ee-b807-0242ac110005", + "vendor_name": "sphere chef physicians", + "version": "1.0.0" + }, + "profiles": [], + "version": "1.0.0" + }, + "observables": [ + { + "name": "devices arguments label", + "type": "Fingerprint", + "type_id": "30" + }, + { + "name": "line nightlife expo", + "reputation": { + "base_score": "45.5971", + "provider": "marcus magnetic expressed", + "score": "May not be Safe", + "score_id": "5" + }, + "type": "Container", + "type_id": "27" + } + ], + "privileges": [ + "returned funeral cave" + ], + "resource": { + "group": { + "name": "then nevada berkeley", + "uid": "c52f1e24-6424-11ee-af05-0242ac110005" + }, + "owner": { + "domain": "regions gr dean", + "email_addr": "Art@his.name", + "name": "Fatty", + "type": "forecast", + "type_id": "99", + "uid": "c52f060a-6424-11ee-b378-0242ac110005" + } + }, + "severity": "Medium", + "status": "abstracts", + "status_id": "99", + "timezone_offset": 28, + "type_name": "User Access Management: Unknown", + "type_uid": "300500", + "user": { + "credential_uid": "c52f57ae-6424-11ee-b8be-0242ac110005", + "type": "System", + "type_id": "3" + } + } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_1.json b/OCSF/ocsf/tests/test_network_activity_1.json index 34cacfd24..db3a7ad23 100644 --- a/OCSF/ocsf/tests/test_network_activity_1.json +++ b/OCSF/ocsf/tests/test_network_activity_1.json 
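Review bot: `observables[1].reputation.base_score` is expected as the string `"45.5971"` (and `score_id` as `"5"`) even though the raw event carries a number; a threat score kept as keyword cannot be used in a numeric threshold such as base_score >= 40, which is the main reason to parse reputation at all. Keep it numeric, `"base_score": 45.5971`, and map the field as a float/double. The same hunk keeps `resource.owner.name` and `resource.owner.uid` but drops top-level `user.name`/`user.uid` (only `credential_uid`, `type`, `type_id` survive), so the actor and the resource owner are not handled symmetrically; if the actor's name/uid are mapped to ECS `user.*` above the hunk this is deliberate, but it deserves a comment in the parser rather than being inferred from the fixture.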
@@ -35,7 +35,49 @@ "ip": "172.31.2.52", "port": 39938 }, - "ocsf": "{\"activity_id\": 5, \"activity_name\": \"Refuse\", \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Network Activity\", \"class_uid\": 4001, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\", \"zone\": \"use1-az1\"}, \"connection_info\": {\"boundary\": \"-\", \"boundary_id\": 99, \"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 6, \"protocol_ver\": \"IPv4\", \"tcp_flags\": 2}, \"disposition\": \"Blocked\", \"disposition_id\": 2, \"dst_endpoint\": {\"instance_uid\": \"i-000000000000000000\", \"interface_uid\": \"eni-000000000000000000\", \"ip\": \"172.31.2.52\", \"port\": 39938, \"subnet_uid\": \"subnet-000000000000000000\", \"svc_name\": \"-\", \"vpc_uid\": \"vpc-00000000\"}, \"end_time\": 1649721788000, \"metadata\": {\"product\": {\"feature\": {\"name\": \"Flowlogs\"}, \"name\": \"Amazon VPC\", \"vendor_name\": \"AWS\", \"version\": \"5\"}, \"profiles\": [\"cloud\", \"security_control\"], \"version\": \"1.0.0-rc.2\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"1.128.0.0\", \"port\": 56858, \"svc_name\": \"-\"}, \"start_time\": 1649721732000, \"status_code\": \"OK\", \"time\": 1649721732000, \"traffic\": {\"bytes\": 40, \"packets\": 1}, \"type_name\": \"Network Activity: Refuse\", \"type_uid\": 400105, \"unmapped\": {\"sublocation_id\": \"-\", \"sublocation_type\": \"-\"}}", + "ocsf": { + "activity_id": 5, + "activity_name": "Refuse", + "category_name": "Network Activity", + "category_uid": 4, + "class_name": "Network Activity", + "class_uid": "4001", + "connection_info": { + "boundary": "-", + "boundary_id": "99", + "direction": "Inbound", + "direction_id": "1", + "tcp_flags": 2 + }, + "disposition": "Blocked", + "disposition_id": "2", + "dst_endpoint": { + "instance_uid": "i-000000000000000000", + "interface_uid": "eni-000000000000000000", + "subnet_uid": 
"subnet-000000000000000000", + "vpc_uid": "vpc-00000000" + }, + "metadata": { + "product": { + "feature": { + "name": "Flowlogs" + }, + "name": "Amazon VPC", + "vendor_name": "AWS", + "version": "5" + }, + "profiles": [ + "cloud", + "security_control" + ], + "version": "1.0.0-rc.2" + }, + "severity": "Informational", + "status_code": "OK", + "type_name": "Network Activity: Refuse", + "type_uid": "400105", + "unmapped": "{\"sublocation_id\": \"-\", \"sublocation_type\": \"-\"}" + }, "related": { "ip": [ "1.128.0.0", diff --git a/OCSF/ocsf/tests/test_network_activity_10.json b/OCSF/ocsf/tests/test_network_activity_10.json index 4624302d3..52cd136bc 100644 --- a/OCSF/ocsf/tests/test_network_activity_10.json +++ b/OCSF/ocsf/tests/test_network_activity_10.json 
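Review bot: `unmapped` is expected as the serialised string `"{\"sublocation_id\": \"-\", \"sublocation_type\": \"-\"}"` rather than an object; `unmapped` is where OCSF producers put the source fields that did not fit the schema, so stringifying it makes exactly those producer-specific keys (here from VPC flow logs) unsearchable except by substring. Either map it as a flattened object or, if keeping it as text is deliberate, document that in the field definitions. Separately, the `cloud` block from the removed line (`account.uid`, `provider`, `region`, `zone`), `start_time`/`end_time`, `traffic.bytes`/`packets` and `connection_info.protocol_num`/`protocol_ver` do not appear under `ocsf`; for a `Blocked` inbound flow the account and region are the first pivots, so the fixture should show them landing in ECS `cloud.*`/`network.*` outside the hunk (the visible context only shows an ip/port pair), otherwise they are silently lost. As in the other fixtures, `boundary_id`/`direction_id`/`disposition_id` become strings while `tcp_flags` stays an integer.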
@@ -30,7 +30,217 @@ "network": { "application": "stanford leisure analyzed" }, - "ocsf": "{\"activity_id\": 5, \"activity_name\": \"Rename\", \"actor\": {\"process\": {\"cmd_line\": \"goals happen dad\", \"container\": {\"image\": {\"name\": \"produced field obituaries\", \"path\": \"adaptive granny knew\", \"uid\": \"849779dc-5be7-11ee-8f66-0242ac110005\"}, \"name\": \"ambien cloud eur\", \"network_driver\": \"cute desktops arrest\", \"size\": 2164055839, \"uid\": \"84977158-5be7-11ee-b042-0242ac110005\"}, \"created_time\": 1695676041514, \"file\": {\"attributes\": 9, \"name\": \"citations.gpx\", \"parent_folder\": \"telling saved challenge/wrapped.tga\", \"path\": \"telling saved challenge/wrapped.tga/citations.gpx\", \"type\": \"Character Device\", \"type_id\": 3}, \"name\": \"Qualification\", \"namespace_pid\": 41, \"parent_process\": {\"cmd_line\": \"bless addresses backgrounds\", \"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"08759209B8F0A761FFF2B978AB8DAB0B6AE7B63C9AC9D3694BC0FED57BB2E27F5AAFB08486F656D6C6FE784F7DF07513FCB0975EC8B772EE000F56F793867A77\"}, \"image\": {\"name\": \"assistance grande an\", \"uid\": \"8497dec2-5be7-11ee-9c88-0242ac110005\"}, \"name\": \"citizenship caribbean twisted\", \"size\": 2686118868, \"uid\": \"8497d15c-5be7-11ee-aa8b-0242ac110005\"}, \"created_time\": 1695676041518, \"file\": {\"creator\": {\"credential_uid\": \"8497ab3c-5be7-11ee-8df1-0242ac110005\", \"full_name\": \"Kirstin Thersa\", \"name\": \"Additionally\", \"type\": \"beat\", \"type_id\": 99, \"uid\": \"84979804-5be7-11ee-848b-0242ac110005\"}, \"desc\": \"surgeons settled advocacy\", \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"2675028478A31F71064C2D8CCA68C7FCA87605C294611E7C2294806CE87B596AD856077767F9D941E21BC5089906C5E6903FE622EE1FE19DB2E3FA8F1F1A8EE9\"}, {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"4D018BA6DBA4C03004FD6E10D1C02BD324F62DE46C5FE687431A2D4BF4335BB7\"}], 
\"modified_time_dt\": \"2023-09-25T21:07:21.517084Z\", \"name\": \"finance.3g2\", \"parent_folder\": \"attention matching forest/met.mpa\", \"path\": \"attention matching forest/met.mpa/finance.3g2\", \"signature\": {\"algorithm\": \"RSA\", \"algorithm_id\": 2, \"certificate\": {\"created_time_dt\": \"2023-09-25T21:07:21.516247Z\", \"expiration_time\": 1695676041516, \"expiration_time_dt\": \"2023-09-25T21:07:21.516239Z\", \"fingerprints\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"B3305921648A755AA6C1E2C028691A6861EAE8922BAE5ACE52B76E01AD96DF87ECE4E22E06EDC6715A0CAE469323620A07CCC384FD40C69EBA60E8BBEE8EA805\"}], \"issuer\": \"shall systematic vatican\", \"serial_number\": \"requirement sodium situated\", \"subject\": \"mt minutes bids\", \"version\": \"1.0.0\"}}, \"type\": \"wrap\", \"type_id\": 99}, \"lineage\": [\"vhs mechanism dates\"], \"loaded_modules\": [\"/super/disclose/barnes/pg/california.png\", \"/ourselves/lynn/gpl/helped/narrow.tga\"], \"namespace_pid\": 97, \"parent_process\": {\"cmd_line\": \"harder interventions pb\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"6A9A10210588981DD8FAA6BE10E39F2C65E816FEFE4768884F7B0BB0A10CD9D6\"}, \"name\": \"kg sources houses\", \"pod_uuid\": \"kiss\", \"runtime\": \"kate through furniture\", \"size\": 2387392206, \"uid\": \"849829cc-5be7-11ee-bb7a-0242ac110005\"}, \"created_time\": 1695676041517, \"file\": {\"created_time_dt\": \"2023-09-25T21:07:21.519646Z\", \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"E7B2EBCA4F63795EBE380FFBEAB194BCF3E2EB5C74F10C6B8AAB95F4C0B8D7AC\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"AFD9AD7A88CFF487A60962E99C6219806726EB352DD1591D375AD3BB143C0DABBFBC6DBFFA5D99B3662AE82C9B7EED847E30B7EA516D2AD9DFF07D8775F8AE36\"}], \"modifier\": {\"groups\": [{\"name\": \"winds seeking reply\", \"uid\": \"8497fde4-5be7-11ee-9733-0242ac110005\"}, {\"name\": \"hamburg roommate 
environment\", \"uid\": \"8498099c-5be7-11ee-ac6f-0242ac110005\"}], \"name\": \"Complete\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"8497f38a-5be7-11ee-97c6-0242ac110005\"}, \"name\": \"dame.svg\", \"parent_folder\": \"wives pamela karl/articles.c\", \"path\": \"wives pamela karl/articles.c/dame.svg\", \"security_descriptor\": \"robinson queens graduate\", \"type\": \"Regular File\", \"type_id\": 1}, \"integrity\": \"they thermal eau\", \"lineage\": [\"attraction cord adjustment\", \"announcements summer introduce\"], \"name\": \"Bid\", \"namespace_pid\": 49, \"parent_process\": {\"cmd_line\": \"creation defense carolina\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"666334EB7A1E55E189435FFF3F0CA7266F484FB44970AAFF3E72546D8B04B02ABB1A66B209CAFD44267701CA1392DF35B8EC3EECE0DC492D093880F2E4FF352C\"}, \"name\": \"hunt indicating radiation\", \"size\": 3179758248, \"tag\": \"reader prevention as\", \"uid\": \"84985df2-5be7-11ee-be06-0242ac110005\"}, \"created_time\": 1695676041527, \"file\": {\"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"created_time\": 1695676041520845, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"7D875B5EB312ADEF7D530DD6E43468170B094A5F54CA1AC26E7788A81A01238428E62D581423E70B05DA11F15513291EB10776B4E14DE1844072ACDF11BBDFD1\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"1100511F3469E3CDE7D081EC6E78154C8476D546F615EEEB37C4CDFBD41740440FC77660EE3A4B9C67DE81C63172A49F835656F85ED5E36A65A2A25E2A733358\"}], \"modifier\": {\"name\": \"Officer\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"84984362-5be7-11ee-af2c-0242ac110005\"}, \"name\": \"seq.wpd\", \"parent_folder\": \"conflicts disability citysearch/ieee.dtd\", \"path\": \"conflicts disability citysearch/ieee.dtd/seq.wpd\", \"type\": \"Character Device\", \"type_id\": 3}, \"name\": \"Jamie\", \"namespace_pid\": 46, \"parent_process\": {\"cmd_line\": \"plan agents converter\", \"container\": 
{\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"E7EFDA40B1C94805070CD9BF9638AE27\"}, \"image\": {\"labels\": [\"golf\", \"nov\"], \"name\": \"extending construction inkjet\", \"path\": \"empirical precipitation builder\", \"uid\": \"84989f42-5be7-11ee-8820-0242ac110005\"}, \"name\": \"thongs routine an\", \"size\": 2099983603, \"uid\": \"84989948-5be7-11ee-b4fb-0242ac110005\"}, \"created_time\": 1695676041523226, \"file\": {\"created_time\": 1695676042262, \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"60F202A3BE4EF214E24EA9D3555D194C\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"B0B2D200728B0DACE6CB6829F90EE31A9AD123FF1982012B003249D4F2C5351924E6DBBD1242EE722D4C5A0B80C983DC7B94DDD594FCFCEF4E63552956E2B26A\"}], \"modified_time_dt\": \"2023-09-25T21:07:21.522441Z\", \"name\": \"startup.3dm\", \"signature\": {\"algorithm\": \"RSA\", \"algorithm_id\": 2, \"certificate\": {\"created_time\": 1695676041522, \"created_time_dt\": \"2023-09-25T21:07:21.521904Z\", \"expiration_time\": 1695676041526, \"fingerprints\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"8E4DE5CC0D59311697B0D4061FDBFB4CB99E38121EA17CF740789A0CBC85B56703E1341C940E7A2220C02211CC84447A19061569BE42AC4A2C03010FB6CB1A75\"}, {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"205D64FF9B580AADBF4829EC41DD4EF0\"}], \"issuer\": \"previous price thing\", \"serial_number\": \"files the parish\", \"subject\": \"shades bad tradition\"}}, \"size\": 3504413585, \"type\": \"Named Pipe\", \"type_id\": 6, \"uid\": \"84987ae4-5be7-11ee-b247-0242ac110005\", \"version\": \"1.0.0\"}, \"integrity\": \"conspiracy unions allocated\", \"name\": \"Arbor\", \"parent_process\": {\"cmd_line\": \"sixth pc peoples\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"F4001D4FD76B73412DB0EFD2C66F0AB3C27D9FE9BD375B1659A1DDDA68C17DC1C0F5402A6AE571DC073E94F1B720821E4208595D5BB4B13D917A12CE3DA53C1E\"}, \"image\": 
{\"name\": \"version treating tall\", \"uid\": \"8498df20-5be7-11ee-8257-0242ac110005\"}, \"name\": \"warrior document workflow\", \"pod_uuid\": \"sas\", \"size\": 2697694450, \"uid\": \"8498da2a-5be7-11ee-9d00-0242ac110005\"}, \"created_time\": 1695676041523, \"file\": {\"accessor\": {\"email_addr\": \"Shin@cause.mobi\", \"full_name\": \"Twyla Cherise\", \"name\": \"Wildlife\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"8498c030-5be7-11ee-80d9-0242ac110005\", \"uid_alt\": \"excellent far varied\"}, \"created_time\": 1695676041524, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"707CF5E50A11D69874235DED9A045B6AB42439F7495DED03049CB7E997949E8B014295A25059CD1A9F06BFE9E4101ED176615E69D43FE199E849DEC0BC4AEB4D\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"6F487B974BDB9DBDF014F50502D9F70BC2630E6C974E4C6E6AA2EB3BEC95A3BDCA7AE609DA34179E0677F042734A767ADA4F6CA04788916644262CDC60BC2FB2\"}], \"mime_type\": \"star/flyer\", \"name\": \"considerations.jar\", \"parent_folder\": \"roger economy macro/mesh.gadget\", \"path\": \"roger economy macro/mesh.gadget/considerations.jar\", \"type\": \"Local Socket\", \"type_id\": 5}, \"integrity\": \"aviation blame tion\", \"name\": \"Processes\", \"namespace_pid\": 76, \"parent_process\": {\"container\": {\"image\": {\"tag\": \"vocal trim jon\", \"uid\": \"849944f6-5be7-11ee-bc62-0242ac110005\"}, \"name\": \"acquired minority slip\", \"size\": 2257875576, \"uid\": \"84993ce0-5be7-11ee-8a18-0242ac110005\"}, \"file\": {\"accessed_time\": 1695676041556, \"confidentiality\": \"suburban ati mostly\", \"created_time_dt\": \"2023-09-25T21:07:21.526737Z\", \"hashes\": [{\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"00EF9DADDE482AF5432B0BFC5F69023736D4A0ECD59F74884C4B8AD83D21429B78023351C5DBD07407EAB2BFA527A0586016DE3C92F37913920E221F7D452802\"}], \"is_system\": false, \"modified_time_dt\": \"2023-09-25T21:07:21.526727Z\", \"name\": \"pic.vcd\", \"owner\": {\"full_name\": \"Blythe 
Jamie\", \"name\": \"Enquiry\", \"type\": \"minneapolis\", \"type_id\": 99, \"uid\": \"849901e4-5be7-11ee-bfe1-0242ac110005\"}, \"parent_folder\": \"const foreign pressed/among.ged\", \"path\": \"const foreign pressed/among.ged/pic.vcd\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"certificate\": {\"created_time\": 1695676041526, \"expiration_time\": 1695676045872, \"fingerprints\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"9E41EB47ABD226D92CFE27DBDA0C924C190A1B0C0136B09923B419089B013DF14CB58C38F651F710540E348BF800DFE364197904B11FFFAD98BB2B10006B28E2\"}, {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"3DE877DDFB06DB510E63893D98DDAC9524696C14\"}], \"issuer\": \"everybody brunei disciplinary\", \"serial_number\": \"approaches symbol assembly\", \"subject\": \"strap liz boulder\", \"version\": \"1.0.0\"}, \"created_time_dt\": \"2023-09-25T21:07:21.526203Z\", \"developer_uid\": \"84991526-5be7-11ee-a2ca-0242ac110005\"}, \"type\": \"charged\", \"type_id\": 99, \"uid\": \"84992264-5be7-11ee-8071-0242ac110005\"}, \"name\": \"Job\", \"namespace_pid\": 29, \"parent_process\": {\"cmd_line\": \"brush bouquet alto\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"82B5F7770097973F2962C241C557369EC2D38E9A1BDA03176B9CA511F1CA56CF\"}, \"image\": {\"name\": \"adipex into polo\", \"uid\": \"849984fc-5be7-11ee-af4c-0242ac110005\"}, \"name\": \"deutschland pic newcastle\", \"size\": 797071549, \"uid\": \"84996db4-5be7-11ee-bada-0242ac110005\"}, \"created_time\": 1695676041528, \"file\": {\"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"44CA9EA761C2131C73960AD47472741B13D305EE2D07FE91E8F1B47F4F062B8A16DD3611E4439E4C163A7CF42F1AE5989CF9683117DB801FD1BC222A16618E19\"}, {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"C25DDA249CDECE9D908CC33ADCD16AA05E20290F\"}], \"name\": \"tuner.pdb\", \"parent_folder\": \"architectural pink phil/overview.dtd\", 
\"path\": \"architectural pink phil/overview.dtd/tuner.pdb\", \"type\": \"Named Pipe\", \"type_id\": 6, \"version\": \"1.0.0\", \"xattributes\": {}}, \"lineage\": [\"familiar privilege canvas\"], \"namespace_pid\": 23, \"parent_process\": {\"cmd_line\": \"in blowing memorial\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"6B2A589B76A482CD379A7FF8AF13EE0F9ABF937DE60010068FEC808F5B6B22521C2A28C7F48BC5C2EDC81EAE5E5812D95F5E0F3DF5685571E5DB36B146DB82EC\"}, \"image\": {\"name\": \"robert through mailing\", \"tag\": \"struggle gerald weather\", \"uid\": \"8499d704-5be7-11ee-b617-0242ac110005\"}, \"name\": \"france sg charger\", \"network_driver\": \"catch sun general\", \"orchestrator\": \"sf varieties queries\", \"size\": 1048383191, \"tag\": \"deserve focused select\", \"uid\": \"8499d164-5be7-11ee-a7e8-0242ac110005\"}, \"created_time\": 1695676041539, \"file\": {\"attributes\": 83, \"desc\": \"escape steady bow\", \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"718C92FD5ECC9B483CA9A76E309BD60F7DAD6035254FAD5EA9430568F36EB16D5532657DE90C3B3B41896C8A9B601BF1E1083D5BB299127118B535C347D13549\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"D13D53927A745D27511C298846343093D7E92D919905B6C22ABBF727AD18EF7E3B3850949F8CC772390749C8644B5CF6F8618FEF524E9589DB73F57FE128AA88\"}], \"name\": \"spirit.max\", \"owner\": {\"email_addr\": \"Pamelia@directed.com\", \"name\": \"Friend\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"84999e10-5be7-11ee-914b-0242ac110005\"}, \"parent_folder\": \"fish largest alberta/solutions.deskthemepack\", \"path\": \"fish largest alberta/solutions.deskthemepack/spirit.max\", \"type\": \"Regular File\", \"type_id\": 1, \"version\": \"1.0.0\"}, \"integrity\": \"faculty hardcover generated\", \"name\": \"Cialis\", \"namespace_pid\": 79, \"parent_process\": {\"cmd_line\": \"text ana range\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": 
\"79F7EED760813BF63DC0EE7F986F1CC6345DD170AB03CA1350684CB8720E3C67F9FCE3B075A22266EB0C66A1CDA2D3BD540E777D9A294433377B83DB6DE3D6DB\"}, \"image\": {\"name\": \"layers branch lucas\", \"tag\": \"nations chances trips\", \"uid\": \"849a32bc-5be7-11ee-86bb-0242ac110005\"}, \"name\": \"own drawing acute\", \"size\": 1512724327, \"uid\": \"849a2420-5be7-11ee-94c5-0242ac110005\"}, \"created_time\": 1695676041533, \"file\": {\"creator\": {\"domain\": \"coupons dropped pantyhose\", \"name\": \"Booking\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"8499f1ee-5be7-11ee-a02c-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"F01EB1DD5E5D955CF3DA810E1FAABA4136E09F5EF69DA3753223183EF836741A617AAAEB52D8B014D900A4A11B94974298F7D3C4EAE57C107CF3A3230AD34188\"}], \"modified_time_dt\": \"2023-09-25T21:07:21.531893Z\", \"name\": \"premises.sln\", \"owner\": {\"account\": {\"name\": \"discs outlets general\", \"type\": \"Mac OS Account\", \"type_id\": 7, \"uid\": \"8499eb2c-5be7-11ee-86b7-0242ac110005\"}, \"name\": \"Welcome\", \"type\": \"User\", \"type_id\": 1}, \"parent_folder\": \"ralph tales librarian/simpsons.psd\", \"path\": \"ralph tales librarian/simpsons.psd/premises.sln\", \"type\": \"ships\", \"type_id\": 99}, \"lineage\": [\"guru hosted bradley\"], \"name\": \"Devices\", \"namespace_pid\": 39, \"parent_process\": {\"cmd_line\": \"merchandise initiatives accessibility\", \"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"12FC9239ABF2C07159EBC92013171DA43175589170BD05B55220534634A9D1FEFC88B117A95FCE4FE3C5A5FEDB9DC4EB3F700C0386931C889F815E86BCD4B509\"}, \"image\": {\"name\": \"evaluating apartments disaster\", \"uid\": \"849a6a66-5be7-11ee-95e4-0242ac110005\"}, \"name\": \"apartment drunk amateur\", \"size\": 3702557326, \"uid\": \"849a646c-5be7-11ee-90ce-0242ac110005\"}, \"created_time\": 1695676041535, \"file\": {\"attributes\": 22, \"confidentiality\": \"Confidential\", \"confidentiality_id\": 
2, \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"6FD1E1613C3918067E01585E32D4AA461C485DF01C56BD5A294FD82B353B5EC64A7EBAED614D28451E3AECB3ACA75900593A20D8AE7F7A1E2CF9DD4F0496B9C4\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"B66E94D9133A6E41392C5AFCBF3F6EEB29E45C041350255AEE34ADD6C4E6BD15FF9060177954793B5D078A8802B4B1ADDD73BECACB7D5827D9A1CB9F96D5E153\"}], \"is_system\": false, \"modified_time_dt\": \"2023-09-25T21:07:21.533963Z\", \"name\": \"hunt.ppt\", \"type\": \"Local Socket\", \"type_id\": 5}, \"name\": \"Bags\", \"namespace_pid\": 29, \"parent_process\": {\"cmd_line\": \"recordings countries slides\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"383B6630E8241D34D54BFD689DECC0CAB88770D935667989A3A1DE8397F5520F\"}, \"image\": {\"name\": \"evanescence plans courts\", \"tag\": \"buy archives predict\", \"uid\": \"849aaa9e-5be7-11ee-a47a-0242ac110005\"}, \"name\": \"distant modeling monaco\", \"runtime\": \"peace up sailing\", \"uid\": \"849aa490-5be7-11ee-bb98-0242ac110005\"}, \"created_time\": 1695676041539, \"file\": {\"attributes\": 35, \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"6BD48B1E57856137037BFEE4DEC8D57F\"}], \"name\": \"hardware.wma\", \"owner\": {\"name\": \"Asia\", \"type\": \"meetup\", \"type_id\": 99, \"uid\": \"849a7ac4-5be7-11ee-a06d-0242ac110005\"}, \"parent_folder\": \"interactions malta thoughts/laden.pdf\", \"path\": \"interactions malta thoughts/laden.pdf/hardware.wma\", \"signature\": {\"algorithm\": \"Authenticode\", \"algorithm_id\": 4, \"digest\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"3188206324B062751CE36D4251C19C94\"}}, \"type\": \"Unknown\", \"type_id\": 0}, \"integrity\": \"bookings qc dictionaries\", \"lineage\": [\"lanka manufacture bra\", \"gibson implementation pope\"], \"name\": \"Sen\", \"namespace_pid\": 6, \"parent_process\": {\"cmd_line\": \"amount anywhere suffered\", 
\"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"B7F1BFFEB47BCFB30F891852F769572A9816784BF4A4073805850F9F969A5335CFC878CACC9E0F8A71B547F60832FE712A59A7DD7DBD6E94BB9D155309EB3581\"}, \"image\": {\"name\": \"cross tray influenced\", \"tag\": \"afternoon counseling governance\", \"uid\": \"849b1f7e-5be7-11ee-bb9d-0242ac110005\"}, \"name\": \"author channel disappointed\", \"network_driver\": \"slovakia friend username\", \"size\": 191473515, \"uid\": \"849aff08-5be7-11ee-80bd-0242ac110005\"}, \"created_time\": 1695676041539630, \"file\": {\"accessed_time\": 1695676041534, \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"CE850E16E049A60B4B8F465DC00ADBFB7207CC76FD94F5EBC335F637B8052B77\"}], \"name\": \"removal.obj\", \"parent_folder\": \"jeff puts assignments/thing.msi\", \"path\": \"jeff puts assignments/thing.msi/removal.obj\", \"security_descriptor\": \"bureau myspace barrel\", \"type\": \"Named Pipe\", \"type_id\": 6}, \"name\": \"Impacts\", \"namespace_pid\": 49, \"parent_process\": {\"cmd_line\": \"techno now vid\", \"created_time\": 1695676041593, \"file\": {\"accessor\": {\"credential_uid\": \"849b5b88-5be7-11ee-af7a-0242ac110005\", \"name\": \"Dragon\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"849b52b4-5be7-11ee-863c-0242ac110005\"}, \"attributes\": 78, \"created_time_dt\": \"2023-09-25T21:07:21.541195Z\", \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"AABE45CE23939AE53AA3AF15C6123A6ED98FC106E4C7491B89A814D8EB040F3B9D5842B5A215D1D27ED1B4DC8DD3D3F0D50197DD105E37461661D98A23E0917C\"}], \"modified_time\": 1695676041541, \"modified_time_dt\": \"2023-09-25T21:07:21.541163Z\", \"name\": \"human.pdb\", \"parent_folder\": \"let dawn representing/surrounding.dwg\", \"path\": \"let dawn representing/surrounding.dwg/human.pdb\", \"product\": {\"feature\": {\"name\": \"metric th alt\", \"uid\": \"849b46a2-5be7-11ee-824d-0242ac110005\", \"version\": \"1.0.0\"}, 
\"name\": \"heavy payroll timothy\", \"uid\": \"849b3fd6-5be7-11ee-83d2-0242ac110005\", \"vendor_name\": \"rv brother vaccine\", \"version\": \"1.0.0\"}, \"type\": \"Symbolic Link\", \"type_id\": 7}, \"lineage\": [\"qualify insight reproduce\", \"placing download tomato\"], \"name\": \"Sampling\", \"namespace_pid\": 91, \"parent_process\": {\"cmd_line\": \"treatments proceeding assumed\", \"created_time\": 1695676041548, \"created_time_dt\": \"2023-09-25T21:07:21.565904Z\", \"file\": {\"accessor\": {\"email_addr\": \"Stormy@postcard.mobi\", \"name\": \"Xhtml\", \"type\": \"disabilities\", \"type_id\": 99, \"uid\": \"849ba016-5be7-11ee-8738-0242ac110005\"}, \"creator\": {\"domain\": \"neural fig colin\", \"full_name\": \"Otelia Kori\", \"name\": \"Tap\", \"org\": {\"name\": \"timing process palestinian\", \"ou_name\": \"step mouth drunk\", \"uid\": \"849bad9a-5be7-11ee-9fa0-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1}, \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"A5064ED27DDBDCBA4CBCADF1DB39DA3F2EEE6B58C7A1239C64CABA643C220D3F292A1DE7E239A9314ECD04E09E02E1289265DB1375370F0E2CB9844F235B40B9\"}], \"is_system\": true, \"mime_type\": \"talked/wishlist\", \"modified_time\": 1695676041546, \"name\": \"sunday.crdownload\", \"parent_folder\": \"designing designed kim/butts.crx\", \"path\": \"designing designed kim/butts.crx/sunday.crdownload\", \"product\": {\"feature\": {\"name\": \"seminar automatic gui\", \"uid\": \"849b9742-5be7-11ee-9904-0242ac110005\", \"version\": \"1.0.0\"}, \"lang\": \"en\", \"name\": \"nights validity updated\", \"uid\": \"849b866c-5be7-11ee-a7ff-0242ac110005\", \"url_string\": \"however\", \"vendor_name\": \"favorite album ncaa\", \"version\": \"1.0.0\"}, \"signature\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"certificate\": {\"created_time\": 1695676041542, \"expiration_time\": 1695676041577, \"fingerprints\": [{\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": 
\"A1636B226D49D354EAD09345190417B47EC13762648D8C196823FB556456DD5A2ED39FDF2ADE536CF2D0AFA33A47F9404800085FE205A49A4DA6C280AF603AA9\"}], \"issuer\": \"cooperation worldcat southwest\", \"serial_number\": \"distributed characters bin\", \"subject\": \"annually ic quest\", \"version\": \"1.0.0\"}, \"created_time_dt\": \"2023-09-25T21:07:21.542032Z\"}, \"size\": 1384349588, \"type\": \"Unknown\", \"type_id\": 0}, \"integrity\": \"written\", \"integrity_id\": 99, \"lineage\": [\"tenant surveillance nature\", \"securities joining bite\"], \"loaded_modules\": [\"/aims/hammer/duke/implementation/roland.jar\", \"/illustration/reads/adaptation/ppc/footage.cab\"], \"name\": \"Foundation\", \"parent_process\": {\"cmd_line\": \"remain weird municipal\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"53CB2A3DF41EA583C9DAD815CC228E623D600CA69DD3B138EBA03828A95C399AC2319E8C246FAF2EB345362B0931618009C8A5FF4C8E100C7B414107D51F849D\"}, \"image\": {\"name\": \"titten live cvs\", \"uid\": \"849c105a-5be7-11ee-8337-0242ac110005\"}, \"name\": \"anthony serial medline\", \"size\": 2006500672, \"uid\": \"849c059c-5be7-11ee-b620-0242ac110005\"}, \"created_time\": 1695676041542, \"created_time_dt\": \"2023-09-25T21:07:21.565886Z\", \"file\": {\"accessed_time\": 1695676044937, \"accessor\": {\"domain\": \"operates collectables presentations\", \"name\": \"Qualities\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849bf00c-5be7-11ee-a0de-0242ac110005\", \"uid_alt\": \"welsh constraints elimination\"}, \"created_time\": 1695676041545, \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"BADBDA50632954800C02D40EB49D1BEF8E5A883D\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"22B65F9CC3DDECE17BC92C741314C0C01D6C398B477BCFE22CCB63F4975A066119C2A3F4E9BDC342383345BCEEA9046C0573AEA278C1EBD8E1578337B1640606\"}], \"is_system\": false, \"name\": \"moral.kmz\", \"parent_folder\": \"suit who pics/arrange.torrent\", 
\"path\": \"suit who pics/arrange.torrent/moral.kmz\", \"type\": \"Local Socket\", \"type_id\": 5}, \"integrity\": \"High\", \"integrity_id\": 4, \"name\": \"Restore\", \"namespace_pid\": 8, \"parent_process\": {\"cmd_line\": \"arrangements makes handy\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"FC25F43E993A1FB725021E78097481FDD1FECA2EC91BF14AE34067FC31DBCD1005D4B0AFC4F050872672CC3EAB72236EADE80DFF4CCBB844F8ED0489F697D2F1\"}, \"image\": {\"labels\": [\"mumbai\"], \"name\": \"capabilities huge hometown\", \"uid\": \"849c6d2a-5be7-11ee-a411-0242ac110005\"}, \"name\": \"yahoo plains basically\", \"uid\": \"849c6776-5be7-11ee-94b5-0242ac110005\"}, \"created_time\": 1695676041544, \"file\": {\"accessor\": {\"account\": {\"name\": \"cards gratis necklace\", \"type\": \"Apple Account\", \"type_id\": 8}, \"full_name\": \"Crysta Damaris\", \"name\": \"Class\", \"type\": \"pie\", \"type_id\": 99, \"uid_alt\": \"linux has luis\"}, \"attributes\": 79, \"company_name\": \"Mckenzie Ardith\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"creator\": {\"domain\": \"glass outlet lopez\", \"groups\": [{\"name\": \"suspected contributor counting\", \"type\": \"vacations wines biological\", \"uid\": \"849c5ae2-5be7-11ee-97a7-0242ac110005\"}], \"org\": {\"name\": \"reproductive balloon stanley\", \"ou_name\": \"pick rear governance\", \"ou_uid\": \"849c5470-5be7-11ee-b89d-0242ac110005\", \"uid\": \"849c5060-5be7-11ee-b740-0242ac110005\"}, \"type\": \"selected\", \"type_id\": 99, \"uid\": \"849c4b2e-5be7-11ee-9c0b-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"1B8BF6AF4C4E0F5A64ED59860F5673F5762D1E214D4B3127BAC626D3811952EAF98972460DF098DEAB2B6D4FF02723546AEBA4108F2A03A20044552141A4447E\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": 
\"221C1DF278F5DBE8C04CCC89DB66A355ABA13C3F27B4E23A19D0E73C64E5E9A7951D5102BA2F416429122A6110C57ED22F7216EB73939FF0E7E4BDB574A90CC4\"}], \"is_system\": false, \"name\": \"revolution.vcf\", \"owner\": {\"email_addr\": \"Suzan@communicate.coop\", \"name\": \"Sunny\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849c24fa-5be7-11ee-93d2-0242ac110005\"}, \"parent_folder\": \"nintendo smilies thank/ought.vb\", \"path\": \"nintendo smilies thank/ought.vb/revolution.vcf\", \"product\": {\"lang\": \"en\", \"name\": \"pci invasion producers\", \"uid\": \"849c3e4a-5be7-11ee-80be-0242ac110005\", \"vendor_name\": \"australian payments crm\", \"version\": \"1.0.0\"}, \"security_descriptor\": \"recommended approve environment\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"certificate\": {\"created_time\": 1695676041548, \"expiration_time\": 1695676041514, \"fingerprints\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"35C90137B6BD19F8D464173B9904DBFA60D62BFF8BCBCF99235987ACC2D4840DBA02F991522C533C211C54B3A1016A0A76AF0578E30D0190414926A1EA56FEB7\"}], \"issuer\": \"foundation review shaft\", \"serial_number\": \"windsor sponsor google\", \"subject\": \"microwave marriott okay\", \"version\": \"1.0.0\"}}, \"type\": \"Folder\", \"type_id\": 2, \"version\": \"1.0.0\"}, \"namespace_pid\": 13, \"parent_process\": {\"cmd_line\": \"well absent shoe\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"A813ED16B0B3E58FA959C0BA26A47058\"}, \"image\": {\"name\": \"audio miracle leader\", \"uid\": \"849ce32c-5be7-11ee-b7a9-0242ac110005\"}, \"name\": \"hospitality walker vs\", \"size\": 1224758347, \"uid\": \"849cdd28-5be7-11ee-9250-0242ac110005\"}, \"created_time\": 1695676041555, \"file\": {\"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"3BC175E9CE56D1FC2D86AB6EA2EC56EB21930540B56A5B6E3840DFB64287ACAB\"}, {\"algorithm\": \"TLSH\", 
\"algorithm_id\": 6, \"value\": \"31588C71F04798D44E2202431AE7025AF3BC67EC8192E94F362A9B9121FB5AC23510026F8391A0A54234D8D0DB8D2DEBD112DEEF6AC598A11A194875191A4975\"}], \"is_system\": true, \"mime_type\": \"engineer/habitat\", \"modifier\": {\"domain\": \"ln resolved couple\", \"email_addr\": \"Deloise@agreed.arpa\", \"name\": \"Heritage\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"849c8878-5be7-11ee-98bd-0242ac110005\"}, \"name\": \"world.jpg\", \"parent_folder\": \"blend roommates closed/died.docx\", \"path\": \"blend roommates closed/died.docx/world.jpg\", \"type\": \"Block Device\", \"type_id\": 4}, \"lineage\": [\"achievement courage send\", \"expansion instructional agreements\"], \"loaded_modules\": [\"/rev/amazon/casino/june/fails.bin\", \"/credit/potential/lawsuit/clause/nine.bmp\"], \"name\": \"Tell\", \"namespace_pid\": 62, \"parent_process\": {\"cmd_line\": \"challenges prompt cumulative\", \"container\": {\"hash\": {\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"6E73C76AD0B2D03EB35088BB834D7A1949E2174F0288EAC8066F5CC920923FEC2568825E7A9B3B3B871DC2AA82AD34DAC42A8E327CAD3D3E720D2ADD7C13CAB0\"}, \"image\": {\"name\": \"charges fragrances complex\", \"uid\": \"849d1342-5be7-11ee-a4ca-0242ac110005\"}, \"name\": \"develop affiliates required\", \"network_driver\": \"familiar movies legitimate\", \"pod_uuid\": \"legally\", \"size\": 2138922450, \"uid\": \"849d0e7e-5be7-11ee-a8e4-0242ac110005\"}, \"file\": {\"confidentiality\": \"venue rl epa\", \"created_time_dt\": \"2023-09-25T21:07:21.551631Z\", \"hashes\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"2347F66D3EE9CCBD7191F650BE1EF4F94E8B6ED61D543709A1A907FBC76BFC089577CB78BFA772DA65746573746C4AB26AF19E7A8E9DB821E3979ED04051B9BC\"}, {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"256D62122A8BA5E06B613EAD639B79BA7875995217AC6E2C854DBB610631D33C\"}], \"mime_type\": \"silicon/limousines\", \"modified_time\": 1695676041500, \"name\": \"flexible.vcxproj\", 
\"product\": {\"lang\": \"en\", \"name\": \"external polar galaxy\", \"vendor_name\": \"hack infection generator\", \"version\": \"1.0.0\"}, \"type\": \"Folder\", \"type_id\": 2, \"xattributes\": {}}, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"name\": \"Airfare\", \"namespace_pid\": 2, \"parent_process\": {\"cmd_line\": \"reporter techno regarded\", \"container\": {\"hash\": {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"0895F371F264F7E3AA4A79B16A3C6EEAABE10BBF6A7DC2B7D8DD4F14B3C6F05D\"}, \"image\": {\"labels\": [\"responsibility\"], \"uid\": \"849d468c-5be7-11ee-85e3-0242ac110005\"}, \"name\": \"cpu mission hacker\", \"orchestrator\": \"helpful pasta matthew\", \"runtime\": \"cables vanilla amendments\", \"size\": 1820268463, \"uid\": \"849d3caa-5be7-11ee-9fe6-0242ac110005\"}, \"file\": {\"attributes\": 44, \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"8A25185F3C5523EF3B08C1ECDD83016224863C95\"}, {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"6B9ED75DAE7A1E692073FC400B558EA4\"}], \"mime_type\": \"will/executed\", \"name\": \"uzbekistan.jar\", \"type\": \"Block Device\", \"type_id\": 4, \"uid\": \"849d2170-5be7-11ee-a637-0242ac110005\", \"xattributes\": {}}, \"name\": \"Eternal\", \"namespace_pid\": 84, \"parent_process\": {\"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"308FD1FED7D34B9AFAB9224FF617D64E4CA9AC20FC59F1FB3B80AB2CBB1511245EC668E138B6C330D86E2B874BD66ED33E16E931B3D344A8365BE63CAB39562C\"}, \"image\": {\"labels\": [\"fix\"], \"name\": \"curtis burns park\", \"uid\": \"849d83f4-5be7-11ee-8f40-0242ac110005\"}, \"network_driver\": \"surely assistance actively\", \"pod_uuid\": \"gardening\", \"size\": 1668291787, \"uid\": \"849d7cce-5be7-11ee-80f3-0242ac110005\"}, \"created_time\": 1695676041553, \"file\": {\"company_name\": \"Frederica Hertha\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"created_time\": 1695676041554, 
\"created_time_dt\": \"2023-09-25T21:07:21.554150Z\", \"desc\": \"closed hydraulic connecting\", \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"5C5069744142886E3127F2CCFE145C68A0B1A4DFA3BB504B858390D851E16A9F\"}], \"name\": \"titanium.avi\", \"parent_folder\": \"slideshow configurations lens/nations.flv\", \"path\": \"slideshow configurations lens/nations.flv/titanium.avi\", \"type\": \"Unknown\", \"type_id\": 0, \"xattributes\": {}}, \"integrity\": \"System\", \"integrity_id\": 5, \"name\": \"Music\", \"parent_process\": {\"cmd_line\": \"pursuant proceed discussed\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"8876489CE00D6D9FDF61ED1C773F047E\"}, \"image\": {\"name\": \"bubble architects vancouver\", \"path\": \"hairy pixel time\", \"uid\": \"849e0ebe-5be7-11ee-8341-0242ac110005\"}, \"name\": \"insight style ca\", \"runtime\": \"williams ng xhtml\", \"size\": 220440282, \"uid\": \"849e031a-5be7-11ee-b55b-0242ac110005\"}, \"created_time\": 1695676041558, \"file\": {\"accessor\": {\"account\": {\"name\": \"hourly toll disappointed\", \"uid\": \"849dabd6-5be7-11ee-ba6a-0242ac110005\"}, \"credential_uid\": \"849db838-5be7-11ee-8a18-0242ac110005\", \"name\": \"Mine\", \"type\": \"fcc\", \"type_id\": 99, \"uid\": \"849da17c-5be7-11ee-9d3a-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"599DCCE2998A6B40B1E38E8C6006CB0A\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"E3C48119D2F351FBEB28EABE137BB8D7969A9AA7CEBF71A153DA4670481EFAAB267B6B39C0EDBDDAF4DD1B9E9B5FF0B28D72E0A5FA27336A282A0FDBA4D0C9D4\"}], \"modified_time\": 1695676041557, \"modifier\": {\"full_name\": \"Katheryn Kena\", \"name\": \"Infected\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"849d94de-5be7-11ee-b30d-0242ac110005\"}, \"name\": \"opening.vob\", \"parent_folder\": \"venezuela flyer seller/os.kml\", \"path\": \"venezuela flyer seller/os.kml/opening.vob\", 
\"security_descriptor\": \"graham occupations become\", \"type\": \"Local Socket\", \"type_id\": 5}, \"lineage\": [\"bk destinations est\", \"whose playback congressional\"], \"name\": \"Surprise\", \"namespace_pid\": 54, \"parent_process\": {\"cmd_line\": \"peer rail specialist\", \"container\": {\"image\": {\"name\": \"committed plastic does\", \"uid\": \"849e6972-5be7-11ee-b803-0242ac110005\"}, \"name\": \"priority mirrors although\", \"network_driver\": \"conduct linking lb\", \"runtime\": \"rock relation block\", \"size\": 2559819198, \"uid\": \"849e509a-5be7-11ee-ad75-0242ac110005\"}, \"created_time\": 1695676041434, \"file\": {\"accessor\": {\"full_name\": \"Lorna Francisco\", \"name\": \"Intl\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849e39a2-5be7-11ee-b3b8-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"9471ED19416B8099E51855CB0EF61AE3\"}], \"modified_time\": 1695676041563, \"modifier\": {\"domain\": \"informational advisory mg\", \"name\": \"Constraints\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849e2a2a-5be7-11ee-82b2-0242ac110005\"}, \"name\": \"filled.mdb\", \"parent_folder\": \"disc dividend incentives/crucial.wps\", \"path\": \"disc dividend incentives/crucial.wps/filled.mdb\", \"product\": {\"lang\": \"en\", \"name\": \"michigan slight torture\", \"path\": \"costumes somewhat qui\", \"uid\": \"849e3088-5be7-11ee-8510-0242ac110005\", \"vendor_name\": \"franchise portland experiment\", \"version\": \"1.0.0\"}, \"signature\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"certificate\": {\"created_time\": 1695676041558, \"expiration_time\": 1695676041554, \"fingerprints\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"372885B9675F31EF37D14F711A430940E777638ADCB2F77B36D079076E38606F\"}], \"issuer\": \"worker attended mel\", \"serial_number\": \"durham graham course\", \"subject\": \"infectious replication lock\", \"version\": \"1.0.0\"}}, \"size\": 2881440001, \"type\": 
\"Character Device\", \"type_id\": 3}, \"lineage\": [\"desktop lakes moscow\", \"barrel touch increasing\"], \"name\": \"Courage\", \"namespace_pid\": 13, \"parent_process\": {\"cmd_line\": \"institutes yes inputs\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"7CA5C1BF6D37F1E7389DB34F7617B7101F65DED1\"}, \"image\": {\"name\": \"belfast interests activation\", \"uid\": \"849f1dc2-5be7-11ee-b432-0242ac110005\"}, \"name\": \"missed foreign palmer\", \"size\": 903476370, \"uid\": \"849f0878-5be7-11ee-b335-0242ac110005\"}, \"created_time\": 1695676041565, \"created_time_dt\": \"2023-09-25T21:07:21.565824Z\", \"file\": {\"accessed_time_dt\": \"2023-09-25T21:07:21.564734Z\", \"creator\": {\"account\": {\"name\": \"workers observer lonely\", \"type\": \"GCP Account\", \"type_id\": 5, \"uid\": \"849ef310-5be7-11ee-b8e1-0242ac110005\"}, \"email_addr\": \"Myrta@of.cat\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849edfe2-5be7-11ee-97f0-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"5F8105C9976CE93253600A074BD373A5286734FB9650F503EF4AD611A9422D3554C34BD6C2672159C2F485A59C83965804D6F2532A8DADF2749DF74B1B089C10\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"C1E19A5C30DB36D9FEA3088EBBCF2E05B7F2E3B108DA82565EF183591D036A615456960CA1BF3DEDAEF8450140669F4E45A239D12DE570D5B2322AEADAE0EE7B\"}], \"name\": \"metabolism.gadget\", \"owner\": {\"org\": {\"name\": \"syndication joseph realized\", \"ou_name\": \"advertise scored usr\", \"ou_uid\": \"849e9852-5be7-11ee-9c6a-0242ac110005\", \"uid\": \"849e8ff6-5be7-11ee-be3f-0242ac110005\"}, \"type\": \"System\", \"type_id\": 3, \"uid\": \"849e86dc-5be7-11ee-9b00-0242ac110005\"}, \"parent_folder\": \"patch attempting mf/nashville.dxf\", \"path\": \"patch attempting mf/nashville.dxf/metabolism.gadget\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"certificate\": {\"created_time\": 1695676041504, \"expiration_time\": 
1695676041569, \"fingerprints\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"6467C5C0EA62DB25016E724973C845BA50F0BBD72AE91F11E4CB5F3884CF1852EC05AA4B971CA59B372F8DC7B8E49562276E89C888FFDE3DD41BFC2E88336E98\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"80A346634E5CD09AAFC3C417ABCE0C6A156B40EBB910123FAC486DC6197D24EC4C575301A8CC06D58FBAEEAE6F40E42B6D84FDA6996E06EE2F68282EA73FDA93\"}], \"issuer\": \"database verse prince\", \"serial_number\": \"termination vi limitation\", \"subject\": \"signals book follow\", \"version\": \"1.0.0\"}}, \"type\": \"Character Device\", \"type_id\": 3}, \"name\": \"Harley\", \"namespace_pid\": 44, \"pid\": 38, \"terminated_time\": 1695676041566, \"uid\": \"849f00ee-5be7-11ee-954b-0242ac110005\", \"user\": {\"full_name\": \"Lyndsay Ricky\", \"name\": \"Referenced\", \"type\": \"Admin\", \"type_id\": 2}, \"xattributes\": {}}, \"pid\": 5, \"user\": {\"name\": \"Motorcycle\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"849e4a46-5be7-11ee-bc81-0242ac110005\"}}, \"pid\": 50, \"sandbox\": \"final corporations performances\", \"user\": {\"account\": {\"type\": \"Windows Account\", \"type_id\": 2, \"uid\": \"849df820-5be7-11ee-82f1-0242ac110005\"}, \"credential_uid\": \"849dfc62-5be7-11ee-a9bc-0242ac110005\", \"name\": \"Simulations\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"849debb4-5be7-11ee-bfac-0242ac110005\"}}, \"pid\": 28, \"uid\": \"849d64dc-5be7-11ee-b02a-0242ac110005\", \"user\": {\"name\": \"Be\", \"type\": \"types\", \"type_id\": 99, \"uid\": \"849d60a4-5be7-11ee-98cb-0242ac110005\"}}, \"pid\": 76, \"uid\": \"849d308e-5be7-11ee-a5ad-0242ac110005\", \"user\": {\"email_addr\": \"Josefina@holders.museum\", \"name\": \"Manager\", \"type\": \"legs\", \"type_id\": 99, \"uid\": \"849d2c24-5be7-11ee-953d-0242ac110005\"}, \"xattributes\": {}}, \"user\": {\"account\": {\"name\": \"strict manufactured invest\", \"type\": \"AWS IAM User\", \"type_id\": 3, \"uid\": 
\"849d0500-5be7-11ee-97bd-0242ac110005\"}, \"credential_uid\": \"849d08ca-5be7-11ee-bfe2-0242ac110005\", \"name\": \"Track\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849cfe70-5be7-11ee-b38b-0242ac110005\"}}, \"sandbox\": \"distributor workshops maldives\", \"session\": {\"created_time\": 1695676041550, \"expiration_time_dt\": \"2023-09-25T21:07:21.550638Z\", \"is_remote\": false, \"issuer\": \"volunteer meetings medline\", \"uid\": \"849ccebe-5be7-11ee-a1ca-0242ac110005\"}, \"uid\": \"849cc522-5be7-11ee-aa87-0242ac110005\", \"user\": {\"credential_uid\": \"849cc0f4-5be7-11ee-9c36-0242ac110005\", \"domain\": \"our installing clinical\", \"name\": \"Weather\", \"org\": {\"name\": \"top riverside asthma\", \"ou_name\": \"stats dans soviet\", \"uid\": \"849cb208-5be7-11ee-a4a6-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"849ca4ca-5be7-11ee-b39c-0242ac110005\"}}, \"pid\": 20, \"uid\": \"849c61f4-5be7-11ee-8006-0242ac110005\"}, \"pid\": 74, \"sandbox\": \"upload stages deutsch\", \"terminated_time_dt\": \"2023-09-25T21:07:21.565891Z\", \"xattributes\": {}}, \"pid\": 41, \"sandbox\": \"facial gossip lopez\", \"session\": {\"created_time\": 1695676041544, \"is_remote\": true, \"issuer\": \"mind file superior\", \"uid\": \"849bd89c-5be7-11ee-bbae-0242ac110005\"}, \"terminated_time\": 1695676041561, \"terminated_time_dt\": \"2023-09-25T21:07:21.565908Z\", \"tid\": 86, \"uid\": \"849bcfb4-5be7-11ee-b896-0242ac110005\", \"user\": {\"email_addr\": \"Reba@contemporary.mobi\", \"groups\": [{\"desc\": \"twenty protection innovative\", \"name\": \"penn laundry woods\", \"type\": \"powerpoint jump hospitality\", \"uid\": \"849bbdee-5be7-11ee-95a2-0242ac110005\"}, {\"uid\": \"849bc780-5be7-11ee-9955-0242ac110005\"}], \"name\": \"Certain\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849bb81c-5be7-11ee-bbec-0242ac110005\", \"uid_alt\": \"technical critics nationally\"}}, \"pid\": 71, \"sandbox\": \"compounds s time\", \"terminated_time\": 
1695676041567, \"uid\": \"849b6dee-5be7-11ee-84f0-0242ac110005\", \"user\": {\"domain\": \"lexmark refers dylan\", \"email_addr\": \"Yelena@communities.nato\", \"name\": \"Particles\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"849b6916-5be7-11ee-a01e-0242ac110005\"}}, \"pid\": 86, \"sandbox\": \"romance volunteer entrepreneurs\", \"uid\": \"849adea6-5be7-11ee-aa53-0242ac110005\", \"user\": {\"domain\": \"statistical poland gregory\", \"full_name\": \"Paul Julian\", \"groups\": [{\"desc\": \"luggage species belkin\", \"name\": \"accessed thanks instructions\", \"privileges\": [\"flashing aol autumn\"], \"uid\": \"849ad5fa-5be7-11ee-a0e9-0242ac110005\"}, {\"name\": \"cognitive times agent\", \"privileges\": [\"sodium believed housing\", \"incorporated jungle asian\"], \"uid\": \"849ada50-5be7-11ee-824e-0242ac110005\"}], \"name\": \"Alliance\", \"org\": {\"name\": \"nyc kidney drawings\", \"uid\": \"849accae-5be7-11ee-af7b-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"849abe76-5be7-11ee-a5a1-0242ac110005\"}}, \"pid\": 13, \"uid\": \"849a9ed2-5be7-11ee-ae61-0242ac110005\", \"user\": {\"account\": {\"name\": \"fragrances bulk specialty\", \"type\": \"LDAP Account\", \"type_id\": 1, \"uid\": \"849a9702-5be7-11ee-9f5d-0242ac110005\"}, \"credential_uid\": \"849a9afe-5be7-11ee-b27a-0242ac110005\", \"email_addr\": \"Wava@promises.info\", \"full_name\": \"Marisela Towanda\", \"name\": \"Round\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"849a900e-5be7-11ee-9894-0242ac110005\"}}, \"uid\": \"849a5d78-5be7-11ee-ac24-0242ac110005\", \"user\": {\"full_name\": \"Elisa Cleora\", \"name\": \"Sisters\", \"type\": \"rebound\", \"type_id\": 99, \"uid\": \"849a52ce-5be7-11ee-a468-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 90, \"sandbox\": \"moon exercise starring\", \"terminated_time\": 1695676041562, \"uid\": \"849a1af2-5be7-11ee-82a9-0242ac110005\", \"user\": {\"groups\": [{\"privileges\": [\"independent vegetables assisted\", \"refinance lee 
seating\"], \"uid\": \"849a1124-5be7-11ee-9a8e-0242ac110005\"}, {\"name\": \"div violence strange\", \"uid\": \"849a1674-5be7-11ee-aa3b-0242ac110005\"}], \"name\": \"Immediate\", \"org\": {\"name\": \"velvet days pubs\", \"ou_name\": \"brake craps campaign\"}, \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849a06c0-5be7-11ee-acfe-0242ac110005\"}}, \"pid\": 21, \"session\": {\"created_time\": 1695676041534, \"expiration_time\": 1695676041542, \"is_remote\": true, \"uid\": \"8499ca0c-5be7-11ee-aae9-0242ac110005\"}, \"uid\": \"8499bc88-5be7-11ee-b028-0242ac110005\", \"user\": {\"name\": \"Apartments\", \"type\": \"ad\", \"type_id\": 99, \"uid\": \"8499b5da-5be7-11ee-b276-0242ac110005\", \"uid_alt\": \"serving turbo spy\"}}, \"pid\": 67, \"terminated_time\": 1695676041561, \"uid\": \"84996800-5be7-11ee-8754-0242ac110005\", \"user\": {\"name\": \"Fantastic\", \"org\": {\"name\": \"dryer asn trying\", \"ou_name\": \"wr r gibraltar\", \"uid\": \"849963aa-5be7-11ee-b57a-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"84995d06-5be7-11ee-8223-0242ac110005\"}}, \"pid\": 86, \"uid\": \"8499377c-5be7-11ee-9164-0242ac110005\", \"user\": {\"email_addr\": \"Renita@pete.cat\", \"name\": \"Rice\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"84993312-5be7-11ee-b956-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 49, \"uid\": \"8498d430-5be7-11ee-b1bf-0242ac110005\", \"user\": {\"name\": \"Hour\", \"type\": \"insert\", \"type_id\": 99, \"uid\": \"8498cd14-5be7-11ee-94d7-0242ac110005\", \"uid_alt\": \"organizations guild beds\"}}, \"pid\": 20, \"sandbox\": \"keeps pour rent\", \"terminated_time\": 1695676041566, \"uid\": \"84989376-5be7-11ee-9216-0242ac110005\", \"user\": {\"email_addr\": \"Elza@girls.mil\", \"full_name\": \"Karoline Meggan\", \"name\": \"Provided\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"84988e80-5be7-11ee-bf3c-0242ac110005\"}}, \"pid\": 28, \"uid\": \"8498530c-5be7-11ee-86f3-0242ac110005\", \"user\": {\"domain\": \"sao uri flesh\", 
\"name\": \"Knows\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"84984db2-5be7-11ee-ba4e-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 26, \"sandbox\": \"species tourism system\", \"terminated_time\": 1695676041564, \"uid\": \"849823d2-5be7-11ee-92d1-0242ac110005\", \"user\": {\"name\": \"Shipment\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"84981f68-5be7-11ee-b652-0242ac110005\", \"uid_alt\": \"singh dim static\"}, \"xattributes\": {}}, \"session\": {\"created_time\": 1695676041516, \"credential_uid\": \"8497c716-5be7-11ee-bd7a-0242ac110005\", \"issuer\": \"discussing capital ottawa\", \"uid\": \"8497c27a-5be7-11ee-8a34-0242ac110005\"}, \"terminated_time\": 1695676041564, \"uid\": \"8497ba64-5be7-11ee-b3a6-0242ac110005\"}, \"pid\": 42, \"tid\": 17, \"uid\": \"849768e8-5be7-11ee-a428-0242ac110005\", \"user\": {\"account\": {\"name\": \"suspended cg sisters\", \"uid\": \"8497655a-5be7-11ee-ab52-0242ac110005\"}, \"name\": \"Aquatic\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"84975f7e-5be7-11ee-bfad-0242ac110005\"}}, \"user\": {\"domain\": \"jones cnet biz\", \"name\": \"Turkish\", \"org\": {\"name\": \"performed assignments undefined\", \"ou_name\": \"headquarters informal nigeria\", \"uid\": \"849f3870-5be7-11ee-8857-0242ac110005\"}, \"type\": \"metres\", \"type_id\": 99, \"uid\": \"849f330c-5be7-11ee-aa02-0242ac110005\"}}, \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Network File Activity\", \"class_uid\": 4010, \"cloud\": {\"provider\": \"diego ins ext\", \"region\": \"kissing wi confidence\"}, \"enrichments\": [{\"data\": {\"wallpaper\": \"feded\"}, \"name\": \"hc saskatchewan quickly\", \"provider\": \"outlet toolkit person\", \"type\": \"thu loves strong\", \"value\": \"sword somebody equilibrium\"}, {\"data\": {\"drug\": \"drugg7899\"}, \"name\": \"tree cities corner\", \"type\": \"knife super bat\", \"value\": \"thy qualification booth\"}], \"expiration_time\": 1695676041527, \"file\": {\"accessor\": 
{\"name\": \"Uruguay\", \"org\": {\"name\": \"lottery political own\", \"ou_name\": \"confirmed towards declined\", \"ou_uid\": \"849f540e-5be7-11ee-841c-0242ac110005\", \"uid\": \"849f501c-5be7-11ee-ab6f-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": \"849f49fa-5be7-11ee-bfe2-0242ac110005\"}, \"desc\": \"arabic suits fun\", \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"4C3280C17F9D982CCBAC882AE1F48DAD224DBA938BEE87BF18E31C76B0C3B88B\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"A7F0A2AD03BE8938C945F65DB1A395CE9E98D67F9EE8D4CA97D687FBB394B64FA0AEB15F5B1D82A2922B62320B77DBA842BBEDEE2B5E15D7A883665ADE3F7C2B\"}], \"modified_time_dt\": \"2023-09-25T21:07:21.567190Z\", \"name\": \"amend.sh\", \"type\": \"Unknown\", \"type_id\": 0}, \"message\": \"kelkoo interactions constitute\", \"metadata\": {\"correlation_uid\": \"84971e10-5be7-11ee-b5e7-0242ac110005\", \"log_name\": \"proud iso ticket\", \"log_provider\": \"cb indexes boxing\", \"modified_time_dt\": \"2023-09-25T21:07:21.513376Z\", \"original_time\": \"tournaments leisure comedy\", \"processed_time_dt\": \"2023-09-25T21:07:21.513394Z\", \"product\": {\"name\": \"describes static geological\", \"uid\": \"849714ce-5be7-11ee-981b-0242ac110005\", \"url_string\": \"avatar\", \"vendor_name\": \"highly got hook\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\"], \"sequence\": 99, \"version\": \"1.0.0\"}, \"observables\": [{\"name\": \"except visitor vbulletin\", \"type\": \"Uniform Resource Locator\", \"type_id\": 23}, {\"name\": \"hong rhode para\", \"type\": \"Process Name\", \"type_id\": 9}], \"severity\": \"Low\", \"severity_id\": 2, \"src_endpoint\": {\"hostname\": \"menu.travel\", \"instance_uid\": \"849732a6-5be7-11ee-bdb0-0242ac110005\", \"interface_name\": \"grown reflect expressed\", \"interface_uid\": \"84973670-5be7-11ee-8000-0242ac110005\", \"ip\": \"175.16.199.1\", \"name\": \"replaced wa unlock\", \"port\": 
25780, \"svc_name\": \"stanford leisure analyzed\", \"uid\": \"84972e82-5be7-11ee-8eac-0242ac110005\"}, \"start_time\": 1695676041445, \"status\": \"patch emma midi\", \"time\": 1695676041549, \"timezone_offset\": 42, \"type_name\": \"Network File Activity: Rename\", \"type_uid\": 401005}", + "ocsf": { + "activity_id": 5, + "activity_name": "Rename", + "actor": { + "process": { + "container": { + "image": { + "path": "adaptive granny knew", + "uid": "849779dc-5be7-11ee-8f66-0242ac110005" + }, + "network_driver": "cute desktops arrest", + "size": 2164055839 + }, + "file": { + "attributes": 9, + "type_id": "3" + }, + "namespace_pid": 41, + "parent_process": { + "container": { + "hash": { + "algorithm": "Unknown", + "algorithm_id": "0", + "value": "08759209B8F0A761FFF2B978AB8DAB0B6AE7B63C9AC9D3694BC0FED57BB2E27F5AAFB08486F656D6C6FE784F7DF07513FCB0975EC8B772EE000F56F793867A77" + }, + "image": { + "name": "assistance grande an", + "uid": "8497dec2-5be7-11ee-9c88-0242ac110005" + }, + "name": "citizenship caribbean twisted", + "size": 2686118868, + "uid": "8497d15c-5be7-11ee-aa8b-0242ac110005" + }, + "file": { + "creator": { + "credential_uid": "8497ab3c-5be7-11ee-8df1-0242ac110005", + "full_name": "Kirstin Thersa", + "name": "Additionally", + "type": "beat", + "type_id": "99", + "uid": "84979804-5be7-11ee-848b-0242ac110005" + }, + "desc": "surgeons settled advocacy", + "hashes": [ + { + "algorithm": "CTPH", + "algorithm_id": "5", + "value": "2675028478A31F71064C2D8CCA68C7FCA87605C294611E7C2294806CE87B596AD856077767F9D941E21BC5089906C5E6903FE622EE1FE19DB2E3FA8F1F1A8EE9" + }, + { + "algorithm": "magic", + "algorithm_id": "99", + "value": "4D018BA6DBA4C03004FD6E10D1C02BD324F62DE46C5FE687431A2D4BF4335BB7" + } + ], + "modified_time_dt": "2023-09-25T21:07:21.517084Z", + "name": "finance.3g2", + "parent_folder": "attention matching forest/met.mpa", + "path": "attention matching forest/met.mpa/finance.3g2", + "signature": { + "algorithm": "RSA", + "algorithm_id": "2", + 
"certificate": { + "created_time_dt": "2023-09-25T21:07:21.516247Z", + "expiration_time": 1695676041516, + "expiration_time_dt": "2023-09-25T21:07:21.516239Z", + "fingerprints": [ + { + "algorithm": "TLSH", + "algorithm_id": "6", + "value": "B3305921648A755AA6C1E2C028691A6861EAE8922BAE5ACE52B76E01AD96DF87ECE4E22E06EDC6715A0CAE469323620A07CCC384FD40C69EBA60E8BBEE8EA805" + } + ], + "issuer": "shall systematic vatican", + "serial_number": "requirement sodium situated", + "subject": "mt minutes bids", + "version": "1.0.0" + } + }, + "type": "wrap", + "type_id": "99" + }, + "lineage": [ + "vhs mechanism dates" + ], + "loaded_modules": [ + "/ourselves/lynn/gpl/helped/narrow.tga", + "/super/disclose/barnes/pg/california.png" + ], + "namespace_pid": 97, + "parent_process": "{\"cmd_line\": \"harder interventions pb\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"6A9A10210588981DD8FAA6BE10E39F2C65E816FEFE4768884F7B0BB0A10CD9D6\"}, \"name\": \"kg sources houses\", \"pod_uuid\": \"kiss\", \"runtime\": \"kate through furniture\", \"size\": 2387392206, \"uid\": \"849829cc-5be7-11ee-bb7a-0242ac110005\"}, \"created_time\": 1695676041517, \"file\": {\"created_time_dt\": \"2023-09-25T21:07:21.519646Z\", \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"E7B2EBCA4F63795EBE380FFBEAB194BCF3E2EB5C74F10C6B8AAB95F4C0B8D7AC\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"AFD9AD7A88CFF487A60962E99C6219806726EB352DD1591D375AD3BB143C0DABBFBC6DBFFA5D99B3662AE82C9B7EED847E30B7EA516D2AD9DFF07D8775F8AE36\"}], \"modifier\": {\"groups\": [{\"name\": \"winds seeking reply\", \"uid\": \"8497fde4-5be7-11ee-9733-0242ac110005\"}, {\"name\": \"hamburg roommate environment\", \"uid\": \"8498099c-5be7-11ee-ac6f-0242ac110005\"}], \"name\": \"Complete\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"8497f38a-5be7-11ee-97c6-0242ac110005\"}, \"name\": \"dame.svg\", \"parent_folder\": \"wives pamela 
karl/articles.c\", \"path\": \"wives pamela karl/articles.c/dame.svg\", \"security_descriptor\": \"robinson queens graduate\", \"type\": \"Regular File\", \"type_id\": 1}, \"integrity\": \"they thermal eau\", \"lineage\": [\"attraction cord adjustment\", \"announcements summer introduce\"], \"name\": \"Bid\", \"namespace_pid\": 49, \"parent_process\": {\"cmd_line\": \"creation defense carolina\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"666334EB7A1E55E189435FFF3F0CA7266F484FB44970AAFF3E72546D8B04B02ABB1A66B209CAFD44267701CA1392DF35B8EC3EECE0DC492D093880F2E4FF352C\"}, \"name\": \"hunt indicating radiation\", \"size\": 3179758248, \"tag\": \"reader prevention as\", \"uid\": \"84985df2-5be7-11ee-be06-0242ac110005\"}, \"created_time\": 1695676041527, \"file\": {\"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"created_time\": 1695676041520845, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"7D875B5EB312ADEF7D530DD6E43468170B094A5F54CA1AC26E7788A81A01238428E62D581423E70B05DA11F15513291EB10776B4E14DE1844072ACDF11BBDFD1\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"1100511F3469E3CDE7D081EC6E78154C8476D546F615EEEB37C4CDFBD41740440FC77660EE3A4B9C67DE81C63172A49F835656F85ED5E36A65A2A25E2A733358\"}], \"modifier\": {\"name\": \"Officer\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"84984362-5be7-11ee-af2c-0242ac110005\"}, \"name\": \"seq.wpd\", \"parent_folder\": \"conflicts disability citysearch/ieee.dtd\", \"path\": \"conflicts disability citysearch/ieee.dtd/seq.wpd\", \"type\": \"Character Device\", \"type_id\": 3}, \"name\": \"Jamie\", \"namespace_pid\": 46, \"parent_process\": {\"cmd_line\": \"plan agents converter\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"E7EFDA40B1C94805070CD9BF9638AE27\"}, \"image\": {\"labels\": [\"golf\", \"nov\"], \"name\": \"extending construction inkjet\", \"path\": \"empirical precipitation 
builder\", \"uid\": \"84989f42-5be7-11ee-8820-0242ac110005\"}, \"name\": \"thongs routine an\", \"size\": 2099983603, \"uid\": \"84989948-5be7-11ee-b4fb-0242ac110005\"}, \"created_time\": 1695676041523226, \"file\": {\"created_time\": 1695676042262, \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"60F202A3BE4EF214E24EA9D3555D194C\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"B0B2D200728B0DACE6CB6829F90EE31A9AD123FF1982012B003249D4F2C5351924E6DBBD1242EE722D4C5A0B80C983DC7B94DDD594FCFCEF4E63552956E2B26A\"}], \"modified_time_dt\": \"2023-09-25T21:07:21.522441Z\", \"name\": \"startup.3dm\", \"signature\": {\"algorithm\": \"RSA\", \"algorithm_id\": 2, \"certificate\": {\"created_time\": 1695676041522, \"created_time_dt\": \"2023-09-25T21:07:21.521904Z\", \"expiration_time\": 1695676041526, \"fingerprints\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"8E4DE5CC0D59311697B0D4061FDBFB4CB99E38121EA17CF740789A0CBC85B56703E1341C940E7A2220C02211CC84447A19061569BE42AC4A2C03010FB6CB1A75\"}, {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"205D64FF9B580AADBF4829EC41DD4EF0\"}], \"issuer\": \"previous price thing\", \"serial_number\": \"files the parish\", \"subject\": \"shades bad tradition\"}}, \"size\": 3504413585, \"type\": \"Named Pipe\", \"type_id\": 6, \"uid\": \"84987ae4-5be7-11ee-b247-0242ac110005\", \"version\": \"1.0.0\"}, \"integrity\": \"conspiracy unions allocated\", \"name\": \"Arbor\", \"parent_process\": {\"cmd_line\": \"sixth pc peoples\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"F4001D4FD76B73412DB0EFD2C66F0AB3C27D9FE9BD375B1659A1DDDA68C17DC1C0F5402A6AE571DC073E94F1B720821E4208595D5BB4B13D917A12CE3DA53C1E\"}, \"image\": {\"name\": \"version treating tall\", \"uid\": \"8498df20-5be7-11ee-8257-0242ac110005\"}, \"name\": \"warrior document workflow\", \"pod_uuid\": \"sas\", \"size\": 2697694450, \"uid\": \"8498da2a-5be7-11ee-9d00-0242ac110005\"}, 
\"created_time\": 1695676041523, \"file\": {\"accessor\": {\"email_addr\": \"Shin@cause.mobi\", \"full_name\": \"Twyla Cherise\", \"name\": \"Wildlife\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"8498c030-5be7-11ee-80d9-0242ac110005\", \"uid_alt\": \"excellent far varied\"}, \"created_time\": 1695676041524, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"707CF5E50A11D69874235DED9A045B6AB42439F7495DED03049CB7E997949E8B014295A25059CD1A9F06BFE9E4101ED176615E69D43FE199E849DEC0BC4AEB4D\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"6F487B974BDB9DBDF014F50502D9F70BC2630E6C974E4C6E6AA2EB3BEC95A3BDCA7AE609DA34179E0677F042734A767ADA4F6CA04788916644262CDC60BC2FB2\"}], \"mime_type\": \"star/flyer\", \"name\": \"considerations.jar\", \"parent_folder\": \"roger economy macro/mesh.gadget\", \"path\": \"roger economy macro/mesh.gadget/considerations.jar\", \"type\": \"Local Socket\", \"type_id\": 5}, \"integrity\": \"aviation blame tion\", \"name\": \"Processes\", \"namespace_pid\": 76, \"parent_process\": {\"container\": {\"image\": {\"tag\": \"vocal trim jon\", \"uid\": \"849944f6-5be7-11ee-bc62-0242ac110005\"}, \"name\": \"acquired minority slip\", \"size\": 2257875576, \"uid\": \"84993ce0-5be7-11ee-8a18-0242ac110005\"}, \"file\": {\"accessed_time\": 1695676041556, \"confidentiality\": \"suburban ati mostly\", \"created_time_dt\": \"2023-09-25T21:07:21.526737Z\", \"hashes\": [{\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"00EF9DADDE482AF5432B0BFC5F69023736D4A0ECD59F74884C4B8AD83D21429B78023351C5DBD07407EAB2BFA527A0586016DE3C92F37913920E221F7D452802\"}], \"is_system\": false, \"modified_time_dt\": \"2023-09-25T21:07:21.526727Z\", \"name\": \"pic.vcd\", \"owner\": {\"full_name\": \"Blythe Jamie\", \"name\": \"Enquiry\", \"type\": \"minneapolis\", \"type_id\": 99, \"uid\": \"849901e4-5be7-11ee-bfe1-0242ac110005\"}, \"parent_folder\": \"const foreign pressed/among.ged\", \"path\": \"const foreign 
pressed/among.ged/pic.vcd\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"certificate\": {\"created_time\": 1695676041526, \"expiration_time\": 1695676045872, \"fingerprints\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"9E41EB47ABD226D92CFE27DBDA0C924C190A1B0C0136B09923B419089B013DF14CB58C38F651F710540E348BF800DFE364197904B11FFFAD98BB2B10006B28E2\"}, {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"3DE877DDFB06DB510E63893D98DDAC9524696C14\"}], \"issuer\": \"everybody brunei disciplinary\", \"serial_number\": \"approaches symbol assembly\", \"subject\": \"strap liz boulder\", \"version\": \"1.0.0\"}, \"created_time_dt\": \"2023-09-25T21:07:21.526203Z\", \"developer_uid\": \"84991526-5be7-11ee-a2ca-0242ac110005\"}, \"type\": \"charged\", \"type_id\": 99, \"uid\": \"84992264-5be7-11ee-8071-0242ac110005\"}, \"name\": \"Job\", \"namespace_pid\": 29, \"parent_process\": {\"cmd_line\": \"brush bouquet alto\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"82B5F7770097973F2962C241C557369EC2D38E9A1BDA03176B9CA511F1CA56CF\"}, \"image\": {\"name\": \"adipex into polo\", \"uid\": \"849984fc-5be7-11ee-af4c-0242ac110005\"}, \"name\": \"deutschland pic newcastle\", \"size\": 797071549, \"uid\": \"84996db4-5be7-11ee-bada-0242ac110005\"}, \"created_time\": 1695676041528, \"file\": {\"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"44CA9EA761C2131C73960AD47472741B13D305EE2D07FE91E8F1B47F4F062B8A16DD3611E4439E4C163A7CF42F1AE5989CF9683117DB801FD1BC222A16618E19\"}, {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"C25DDA249CDECE9D908CC33ADCD16AA05E20290F\"}], \"name\": \"tuner.pdb\", \"parent_folder\": \"architectural pink phil/overview.dtd\", \"path\": \"architectural pink phil/overview.dtd/tuner.pdb\", \"type\": \"Named Pipe\", \"type_id\": 6, \"version\": \"1.0.0\", \"xattributes\": {}}, \"lineage\": [\"familiar privilege canvas\"], \"namespace_pid\": 
23, \"parent_process\": {\"cmd_line\": \"in blowing memorial\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"6B2A589B76A482CD379A7FF8AF13EE0F9ABF937DE60010068FEC808F5B6B22521C2A28C7F48BC5C2EDC81EAE5E5812D95F5E0F3DF5685571E5DB36B146DB82EC\"}, \"image\": {\"name\": \"robert through mailing\", \"tag\": \"struggle gerald weather\", \"uid\": \"8499d704-5be7-11ee-b617-0242ac110005\"}, \"name\": \"france sg charger\", \"network_driver\": \"catch sun general\", \"orchestrator\": \"sf varieties queries\", \"size\": 1048383191, \"tag\": \"deserve focused select\", \"uid\": \"8499d164-5be7-11ee-a7e8-0242ac110005\"}, \"created_time\": 1695676041539, \"file\": {\"attributes\": 83, \"desc\": \"escape steady bow\", \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"718C92FD5ECC9B483CA9A76E309BD60F7DAD6035254FAD5EA9430568F36EB16D5532657DE90C3B3B41896C8A9B601BF1E1083D5BB299127118B535C347D13549\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"D13D53927A745D27511C298846343093D7E92D919905B6C22ABBF727AD18EF7E3B3850949F8CC772390749C8644B5CF6F8618FEF524E9589DB73F57FE128AA88\"}], \"name\": \"spirit.max\", \"owner\": {\"email_addr\": \"Pamelia@directed.com\", \"name\": \"Friend\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"84999e10-5be7-11ee-914b-0242ac110005\"}, \"parent_folder\": \"fish largest alberta/solutions.deskthemepack\", \"path\": \"fish largest alberta/solutions.deskthemepack/spirit.max\", \"type\": \"Regular File\", \"type_id\": 1, \"version\": \"1.0.0\"}, \"integrity\": \"faculty hardcover generated\", \"name\": \"Cialis\", \"namespace_pid\": 79, \"parent_process\": {\"cmd_line\": \"text ana range\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"79F7EED760813BF63DC0EE7F986F1CC6345DD170AB03CA1350684CB8720E3C67F9FCE3B075A22266EB0C66A1CDA2D3BD540E777D9A294433377B83DB6DE3D6DB\"}, \"image\": {\"name\": \"layers branch lucas\", \"tag\": \"nations chances 
trips\", \"uid\": \"849a32bc-5be7-11ee-86bb-0242ac110005\"}, \"name\": \"own drawing acute\", \"size\": 1512724327, \"uid\": \"849a2420-5be7-11ee-94c5-0242ac110005\"}, \"created_time\": 1695676041533, \"file\": {\"creator\": {\"domain\": \"coupons dropped pantyhose\", \"name\": \"Booking\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"8499f1ee-5be7-11ee-a02c-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"F01EB1DD5E5D955CF3DA810E1FAABA4136E09F5EF69DA3753223183EF836741A617AAAEB52D8B014D900A4A11B94974298F7D3C4EAE57C107CF3A3230AD34188\"}], \"modified_time_dt\": \"2023-09-25T21:07:21.531893Z\", \"name\": \"premises.sln\", \"owner\": {\"account\": {\"name\": \"discs outlets general\", \"type\": \"Mac OS Account\", \"type_id\": 7, \"uid\": \"8499eb2c-5be7-11ee-86b7-0242ac110005\"}, \"name\": \"Welcome\", \"type\": \"User\", \"type_id\": 1}, \"parent_folder\": \"ralph tales librarian/simpsons.psd\", \"path\": \"ralph tales librarian/simpsons.psd/premises.sln\", \"type\": \"ships\", \"type_id\": 99}, \"lineage\": [\"guru hosted bradley\"], \"name\": \"Devices\", \"namespace_pid\": 39, \"parent_process\": {\"cmd_line\": \"merchandise initiatives accessibility\", \"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"12FC9239ABF2C07159EBC92013171DA43175589170BD05B55220534634A9D1FEFC88B117A95FCE4FE3C5A5FEDB9DC4EB3F700C0386931C889F815E86BCD4B509\"}, \"image\": {\"name\": \"evaluating apartments disaster\", \"uid\": \"849a6a66-5be7-11ee-95e4-0242ac110005\"}, \"name\": \"apartment drunk amateur\", \"size\": 3702557326, \"uid\": \"849a646c-5be7-11ee-90ce-0242ac110005\"}, \"created_time\": 1695676041535, \"file\": {\"attributes\": 22, \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": 
\"6FD1E1613C3918067E01585E32D4AA461C485DF01C56BD5A294FD82B353B5EC64A7EBAED614D28451E3AECB3ACA75900593A20D8AE7F7A1E2CF9DD4F0496B9C4\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"B66E94D9133A6E41392C5AFCBF3F6EEB29E45C041350255AEE34ADD6C4E6BD15FF9060177954793B5D078A8802B4B1ADDD73BECACB7D5827D9A1CB9F96D5E153\"}], \"is_system\": false, \"modified_time_dt\": \"2023-09-25T21:07:21.533963Z\", \"name\": \"hunt.ppt\", \"type\": \"Local Socket\", \"type_id\": 5}, \"name\": \"Bags\", \"namespace_pid\": 29, \"parent_process\": {\"cmd_line\": \"recordings countries slides\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"383B6630E8241D34D54BFD689DECC0CAB88770D935667989A3A1DE8397F5520F\"}, \"image\": {\"name\": \"evanescence plans courts\", \"tag\": \"buy archives predict\", \"uid\": \"849aaa9e-5be7-11ee-a47a-0242ac110005\"}, \"name\": \"distant modeling monaco\", \"runtime\": \"peace up sailing\", \"uid\": \"849aa490-5be7-11ee-bb98-0242ac110005\"}, \"created_time\": 1695676041539, \"file\": {\"attributes\": 35, \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"6BD48B1E57856137037BFEE4DEC8D57F\"}], \"name\": \"hardware.wma\", \"owner\": {\"name\": \"Asia\", \"type\": \"meetup\", \"type_id\": 99, \"uid\": \"849a7ac4-5be7-11ee-a06d-0242ac110005\"}, \"parent_folder\": \"interactions malta thoughts/laden.pdf\", \"path\": \"interactions malta thoughts/laden.pdf/hardware.wma\", \"signature\": {\"algorithm\": \"Authenticode\", \"algorithm_id\": 4, \"digest\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"3188206324B062751CE36D4251C19C94\"}}, \"type\": \"Unknown\", \"type_id\": 0}, \"integrity\": \"bookings qc dictionaries\", \"lineage\": [\"lanka manufacture bra\", \"gibson implementation pope\"], \"name\": \"Sen\", \"namespace_pid\": 6, \"parent_process\": {\"cmd_line\": \"amount anywhere suffered\", \"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, 
\"value\": \"B7F1BFFEB47BCFB30F891852F769572A9816784BF4A4073805850F9F969A5335CFC878CACC9E0F8A71B547F60832FE712A59A7DD7DBD6E94BB9D155309EB3581\"}, \"image\": {\"name\": \"cross tray influenced\", \"tag\": \"afternoon counseling governance\", \"uid\": \"849b1f7e-5be7-11ee-bb9d-0242ac110005\"}, \"name\": \"author channel disappointed\", \"network_driver\": \"slovakia friend username\", \"size\": 191473515, \"uid\": \"849aff08-5be7-11ee-80bd-0242ac110005\"}, \"created_time\": 1695676041539630, \"file\": {\"accessed_time\": 1695676041534, \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"CE850E16E049A60B4B8F465DC00ADBFB7207CC76FD94F5EBC335F637B8052B77\"}], \"name\": \"removal.obj\", \"parent_folder\": \"jeff puts assignments/thing.msi\", \"path\": \"jeff puts assignments/thing.msi/removal.obj\", \"security_descriptor\": \"bureau myspace barrel\", \"type\": \"Named Pipe\", \"type_id\": 6}, \"name\": \"Impacts\", \"namespace_pid\": 49, \"parent_process\": {\"cmd_line\": \"techno now vid\", \"created_time\": 1695676041593, \"file\": {\"accessor\": {\"credential_uid\": \"849b5b88-5be7-11ee-af7a-0242ac110005\", \"name\": \"Dragon\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"849b52b4-5be7-11ee-863c-0242ac110005\"}, \"attributes\": 78, \"created_time_dt\": \"2023-09-25T21:07:21.541195Z\", \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"AABE45CE23939AE53AA3AF15C6123A6ED98FC106E4C7491B89A814D8EB040F3B9D5842B5A215D1D27ED1B4DC8DD3D3F0D50197DD105E37461661D98A23E0917C\"}], \"modified_time\": 1695676041541, \"modified_time_dt\": \"2023-09-25T21:07:21.541163Z\", \"name\": \"human.pdb\", \"parent_folder\": \"let dawn representing/surrounding.dwg\", \"path\": \"let dawn representing/surrounding.dwg/human.pdb\", \"product\": {\"feature\": {\"name\": \"metric th alt\", \"uid\": \"849b46a2-5be7-11ee-824d-0242ac110005\", \"version\": \"1.0.0\"}, \"name\": \"heavy payroll timothy\", \"uid\": 
\"849b3fd6-5be7-11ee-83d2-0242ac110005\", \"vendor_name\": \"rv brother vaccine\", \"version\": \"1.0.0\"}, \"type\": \"Symbolic Link\", \"type_id\": 7}, \"lineage\": [\"qualify insight reproduce\", \"placing download tomato\"], \"name\": \"Sampling\", \"namespace_pid\": 91, \"parent_process\": {\"cmd_line\": \"treatments proceeding assumed\", \"created_time\": 1695676041548, \"created_time_dt\": \"2023-09-25T21:07:21.565904Z\", \"file\": {\"accessor\": {\"email_addr\": \"Stormy@postcard.mobi\", \"name\": \"Xhtml\", \"type\": \"disabilities\", \"type_id\": 99, \"uid\": \"849ba016-5be7-11ee-8738-0242ac110005\"}, \"creator\": {\"domain\": \"neural fig colin\", \"full_name\": \"Otelia Kori\", \"name\": \"Tap\", \"org\": {\"name\": \"timing process palestinian\", \"ou_name\": \"step mouth drunk\", \"uid\": \"849bad9a-5be7-11ee-9fa0-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1}, \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"A5064ED27DDBDCBA4CBCADF1DB39DA3F2EEE6B58C7A1239C64CABA643C220D3F292A1DE7E239A9314ECD04E09E02E1289265DB1375370F0E2CB9844F235B40B9\"}], \"is_system\": true, \"mime_type\": \"talked/wishlist\", \"modified_time\": 1695676041546, \"name\": \"sunday.crdownload\", \"parent_folder\": \"designing designed kim/butts.crx\", \"path\": \"designing designed kim/butts.crx/sunday.crdownload\", \"product\": {\"feature\": {\"name\": \"seminar automatic gui\", \"uid\": \"849b9742-5be7-11ee-9904-0242ac110005\", \"version\": \"1.0.0\"}, \"lang\": \"en\", \"name\": \"nights validity updated\", \"uid\": \"849b866c-5be7-11ee-a7ff-0242ac110005\", \"url_string\": \"however\", \"vendor_name\": \"favorite album ncaa\", \"version\": \"1.0.0\"}, \"signature\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"certificate\": {\"created_time\": 1695676041542, \"expiration_time\": 1695676041577, \"fingerprints\": [{\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": 
\"A1636B226D49D354EAD09345190417B47EC13762648D8C196823FB556456DD5A2ED39FDF2ADE536CF2D0AFA33A47F9404800085FE205A49A4DA6C280AF603AA9\"}], \"issuer\": \"cooperation worldcat southwest\", \"serial_number\": \"distributed characters bin\", \"subject\": \"annually ic quest\", \"version\": \"1.0.0\"}, \"created_time_dt\": \"2023-09-25T21:07:21.542032Z\"}, \"size\": 1384349588, \"type\": \"Unknown\", \"type_id\": 0}, \"integrity\": \"written\", \"integrity_id\": 99, \"lineage\": [\"tenant surveillance nature\", \"securities joining bite\"], \"loaded_modules\": [\"/aims/hammer/duke/implementation/roland.jar\", \"/illustration/reads/adaptation/ppc/footage.cab\"], \"name\": \"Foundation\", \"parent_process\": {\"cmd_line\": \"remain weird municipal\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"53CB2A3DF41EA583C9DAD815CC228E623D600CA69DD3B138EBA03828A95C399AC2319E8C246FAF2EB345362B0931618009C8A5FF4C8E100C7B414107D51F849D\"}, \"image\": {\"name\": \"titten live cvs\", \"uid\": \"849c105a-5be7-11ee-8337-0242ac110005\"}, \"name\": \"anthony serial medline\", \"size\": 2006500672, \"uid\": \"849c059c-5be7-11ee-b620-0242ac110005\"}, \"created_time\": 1695676041542, \"created_time_dt\": \"2023-09-25T21:07:21.565886Z\", \"file\": {\"accessed_time\": 1695676044937, \"accessor\": {\"domain\": \"operates collectables presentations\", \"name\": \"Qualities\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849bf00c-5be7-11ee-a0de-0242ac110005\", \"uid_alt\": \"welsh constraints elimination\"}, \"created_time\": 1695676041545, \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"BADBDA50632954800C02D40EB49D1BEF8E5A883D\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"22B65F9CC3DDECE17BC92C741314C0C01D6C398B477BCFE22CCB63F4975A066119C2A3F4E9BDC342383345BCEEA9046C0573AEA278C1EBD8E1578337B1640606\"}], \"is_system\": false, \"name\": \"moral.kmz\", \"parent_folder\": \"suit who pics/arrange.torrent\", 
\"path\": \"suit who pics/arrange.torrent/moral.kmz\", \"type\": \"Local Socket\", \"type_id\": 5}, \"integrity\": \"High\", \"integrity_id\": 4, \"name\": \"Restore\", \"namespace_pid\": 8, \"parent_process\": {\"cmd_line\": \"arrangements makes handy\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"FC25F43E993A1FB725021E78097481FDD1FECA2EC91BF14AE34067FC31DBCD1005D4B0AFC4F050872672CC3EAB72236EADE80DFF4CCBB844F8ED0489F697D2F1\"}, \"image\": {\"labels\": [\"mumbai\"], \"name\": \"capabilities huge hometown\", \"uid\": \"849c6d2a-5be7-11ee-a411-0242ac110005\"}, \"name\": \"yahoo plains basically\", \"uid\": \"849c6776-5be7-11ee-94b5-0242ac110005\"}, \"created_time\": 1695676041544, \"file\": {\"accessor\": {\"account\": {\"name\": \"cards gratis necklace\", \"type\": \"Apple Account\", \"type_id\": 8}, \"full_name\": \"Crysta Damaris\", \"name\": \"Class\", \"type\": \"pie\", \"type_id\": 99, \"uid_alt\": \"linux has luis\"}, \"attributes\": 79, \"company_name\": \"Mckenzie Ardith\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"creator\": {\"domain\": \"glass outlet lopez\", \"groups\": [{\"name\": \"suspected contributor counting\", \"type\": \"vacations wines biological\", \"uid\": \"849c5ae2-5be7-11ee-97a7-0242ac110005\"}], \"org\": {\"name\": \"reproductive balloon stanley\", \"ou_name\": \"pick rear governance\", \"ou_uid\": \"849c5470-5be7-11ee-b89d-0242ac110005\", \"uid\": \"849c5060-5be7-11ee-b740-0242ac110005\"}, \"type\": \"selected\", \"type_id\": 99, \"uid\": \"849c4b2e-5be7-11ee-9c0b-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"1B8BF6AF4C4E0F5A64ED59860F5673F5762D1E214D4B3127BAC626D3811952EAF98972460DF098DEAB2B6D4FF02723546AEBA4108F2A03A20044552141A4447E\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": 
\"221C1DF278F5DBE8C04CCC89DB66A355ABA13C3F27B4E23A19D0E73C64E5E9A7951D5102BA2F416429122A6110C57ED22F7216EB73939FF0E7E4BDB574A90CC4\"}], \"is_system\": false, \"name\": \"revolution.vcf\", \"owner\": {\"email_addr\": \"Suzan@communicate.coop\", \"name\": \"Sunny\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849c24fa-5be7-11ee-93d2-0242ac110005\"}, \"parent_folder\": \"nintendo smilies thank/ought.vb\", \"path\": \"nintendo smilies thank/ought.vb/revolution.vcf\", \"product\": {\"lang\": \"en\", \"name\": \"pci invasion producers\", \"uid\": \"849c3e4a-5be7-11ee-80be-0242ac110005\", \"vendor_name\": \"australian payments crm\", \"version\": \"1.0.0\"}, \"security_descriptor\": \"recommended approve environment\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"certificate\": {\"created_time\": 1695676041548, \"expiration_time\": 1695676041514, \"fingerprints\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"35C90137B6BD19F8D464173B9904DBFA60D62BFF8BCBCF99235987ACC2D4840DBA02F991522C533C211C54B3A1016A0A76AF0578E30D0190414926A1EA56FEB7\"}], \"issuer\": \"foundation review shaft\", \"serial_number\": \"windsor sponsor google\", \"subject\": \"microwave marriott okay\", \"version\": \"1.0.0\"}}, \"type\": \"Folder\", \"type_id\": 2, \"version\": \"1.0.0\"}, \"namespace_pid\": 13, \"parent_process\": {\"cmd_line\": \"well absent shoe\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"A813ED16B0B3E58FA959C0BA26A47058\"}, \"image\": {\"name\": \"audio miracle leader\", \"uid\": \"849ce32c-5be7-11ee-b7a9-0242ac110005\"}, \"name\": \"hospitality walker vs\", \"size\": 1224758347, \"uid\": \"849cdd28-5be7-11ee-9250-0242ac110005\"}, \"created_time\": 1695676041555, \"file\": {\"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"3BC175E9CE56D1FC2D86AB6EA2EC56EB21930540B56A5B6E3840DFB64287ACAB\"}, {\"algorithm\": \"TLSH\", 
\"algorithm_id\": 6, \"value\": \"31588C71F04798D44E2202431AE7025AF3BC67EC8192E94F362A9B9121FB5AC23510026F8391A0A54234D8D0DB8D2DEBD112DEEF6AC598A11A194875191A4975\"}], \"is_system\": true, \"mime_type\": \"engineer/habitat\", \"modifier\": {\"domain\": \"ln resolved couple\", \"email_addr\": \"Deloise@agreed.arpa\", \"name\": \"Heritage\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"849c8878-5be7-11ee-98bd-0242ac110005\"}, \"name\": \"world.jpg\", \"parent_folder\": \"blend roommates closed/died.docx\", \"path\": \"blend roommates closed/died.docx/world.jpg\", \"type\": \"Block Device\", \"type_id\": 4}, \"lineage\": [\"achievement courage send\", \"expansion instructional agreements\"], \"loaded_modules\": [\"/rev/amazon/casino/june/fails.bin\", \"/credit/potential/lawsuit/clause/nine.bmp\"], \"name\": \"Tell\", \"namespace_pid\": 62, \"parent_process\": {\"cmd_line\": \"challenges prompt cumulative\", \"container\": {\"hash\": {\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"6E73C76AD0B2D03EB35088BB834D7A1949E2174F0288EAC8066F5CC920923FEC2568825E7A9B3B3B871DC2AA82AD34DAC42A8E327CAD3D3E720D2ADD7C13CAB0\"}, \"image\": {\"name\": \"charges fragrances complex\", \"uid\": \"849d1342-5be7-11ee-a4ca-0242ac110005\"}, \"name\": \"develop affiliates required\", \"network_driver\": \"familiar movies legitimate\", \"pod_uuid\": \"legally\", \"size\": 2138922450, \"uid\": \"849d0e7e-5be7-11ee-a8e4-0242ac110005\"}, \"file\": {\"confidentiality\": \"venue rl epa\", \"created_time_dt\": \"2023-09-25T21:07:21.551631Z\", \"hashes\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"2347F66D3EE9CCBD7191F650BE1EF4F94E8B6ED61D543709A1A907FBC76BFC089577CB78BFA772DA65746573746C4AB26AF19E7A8E9DB821E3979ED04051B9BC\"}, {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"256D62122A8BA5E06B613EAD639B79BA7875995217AC6E2C854DBB610631D33C\"}], \"mime_type\": \"silicon/limousines\", \"modified_time\": 1695676041500, \"name\": \"flexible.vcxproj\", 
\"product\": {\"lang\": \"en\", \"name\": \"external polar galaxy\", \"vendor_name\": \"hack infection generator\", \"version\": \"1.0.0\"}, \"type\": \"Folder\", \"type_id\": 2, \"xattributes\": {}}, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"name\": \"Airfare\", \"namespace_pid\": 2, \"parent_process\": {\"cmd_line\": \"reporter techno regarded\", \"container\": {\"hash\": {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"0895F371F264F7E3AA4A79B16A3C6EEAABE10BBF6A7DC2B7D8DD4F14B3C6F05D\"}, \"image\": {\"labels\": [\"responsibility\"], \"uid\": \"849d468c-5be7-11ee-85e3-0242ac110005\"}, \"name\": \"cpu mission hacker\", \"orchestrator\": \"helpful pasta matthew\", \"runtime\": \"cables vanilla amendments\", \"size\": 1820268463, \"uid\": \"849d3caa-5be7-11ee-9fe6-0242ac110005\"}, \"file\": {\"attributes\": 44, \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"8A25185F3C5523EF3B08C1ECDD83016224863C95\"}, {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"6B9ED75DAE7A1E692073FC400B558EA4\"}], \"mime_type\": \"will/executed\", \"name\": \"uzbekistan.jar\", \"type\": \"Block Device\", \"type_id\": 4, \"uid\": \"849d2170-5be7-11ee-a637-0242ac110005\", \"xattributes\": {}}, \"name\": \"Eternal\", \"namespace_pid\": 84, \"parent_process\": {\"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"308FD1FED7D34B9AFAB9224FF617D64E4CA9AC20FC59F1FB3B80AB2CBB1511245EC668E138B6C330D86E2B874BD66ED33E16E931B3D344A8365BE63CAB39562C\"}, \"image\": {\"labels\": [\"fix\"], \"name\": \"curtis burns park\", \"uid\": \"849d83f4-5be7-11ee-8f40-0242ac110005\"}, \"network_driver\": \"surely assistance actively\", \"pod_uuid\": \"gardening\", \"size\": 1668291787, \"uid\": \"849d7cce-5be7-11ee-80f3-0242ac110005\"}, \"created_time\": 1695676041553, \"file\": {\"company_name\": \"Frederica Hertha\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"created_time\": 1695676041554, 
\"created_time_dt\": \"2023-09-25T21:07:21.554150Z\", \"desc\": \"closed hydraulic connecting\", \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"5C5069744142886E3127F2CCFE145C68A0B1A4DFA3BB504B858390D851E16A9F\"}], \"name\": \"titanium.avi\", \"parent_folder\": \"slideshow configurations lens/nations.flv\", \"path\": \"slideshow configurations lens/nations.flv/titanium.avi\", \"type\": \"Unknown\", \"type_id\": 0, \"xattributes\": {}}, \"integrity\": \"System\", \"integrity_id\": 5, \"name\": \"Music\", \"parent_process\": {\"cmd_line\": \"pursuant proceed discussed\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"8876489CE00D6D9FDF61ED1C773F047E\"}, \"image\": {\"name\": \"bubble architects vancouver\", \"path\": \"hairy pixel time\", \"uid\": \"849e0ebe-5be7-11ee-8341-0242ac110005\"}, \"name\": \"insight style ca\", \"runtime\": \"williams ng xhtml\", \"size\": 220440282, \"uid\": \"849e031a-5be7-11ee-b55b-0242ac110005\"}, \"created_time\": 1695676041558, \"file\": {\"accessor\": {\"account\": {\"name\": \"hourly toll disappointed\", \"uid\": \"849dabd6-5be7-11ee-ba6a-0242ac110005\"}, \"credential_uid\": \"849db838-5be7-11ee-8a18-0242ac110005\", \"name\": \"Mine\", \"type\": \"fcc\", \"type_id\": 99, \"uid\": \"849da17c-5be7-11ee-9d3a-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"599DCCE2998A6B40B1E38E8C6006CB0A\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"E3C48119D2F351FBEB28EABE137BB8D7969A9AA7CEBF71A153DA4670481EFAAB267B6B39C0EDBDDAF4DD1B9E9B5FF0B28D72E0A5FA27336A282A0FDBA4D0C9D4\"}], \"modified_time\": 1695676041557, \"modifier\": {\"full_name\": \"Katheryn Kena\", \"name\": \"Infected\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"849d94de-5be7-11ee-b30d-0242ac110005\"}, \"name\": \"opening.vob\", \"parent_folder\": \"venezuela flyer seller/os.kml\", \"path\": \"venezuela flyer seller/os.kml/opening.vob\", 
\"security_descriptor\": \"graham occupations become\", \"type\": \"Local Socket\", \"type_id\": 5}, \"lineage\": [\"bk destinations est\", \"whose playback congressional\"], \"name\": \"Surprise\", \"namespace_pid\": 54, \"parent_process\": {\"cmd_line\": \"peer rail specialist\", \"container\": {\"image\": {\"name\": \"committed plastic does\", \"uid\": \"849e6972-5be7-11ee-b803-0242ac110005\"}, \"name\": \"priority mirrors although\", \"network_driver\": \"conduct linking lb\", \"runtime\": \"rock relation block\", \"size\": 2559819198, \"uid\": \"849e509a-5be7-11ee-ad75-0242ac110005\"}, \"created_time\": 1695676041434, \"file\": {\"accessor\": {\"full_name\": \"Lorna Francisco\", \"name\": \"Intl\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849e39a2-5be7-11ee-b3b8-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"9471ED19416B8099E51855CB0EF61AE3\"}], \"modified_time\": 1695676041563, \"modifier\": {\"domain\": \"informational advisory mg\", \"name\": \"Constraints\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849e2a2a-5be7-11ee-82b2-0242ac110005\"}, \"name\": \"filled.mdb\", \"parent_folder\": \"disc dividend incentives/crucial.wps\", \"path\": \"disc dividend incentives/crucial.wps/filled.mdb\", \"product\": {\"lang\": \"en\", \"name\": \"michigan slight torture\", \"path\": \"costumes somewhat qui\", \"uid\": \"849e3088-5be7-11ee-8510-0242ac110005\", \"vendor_name\": \"franchise portland experiment\", \"version\": \"1.0.0\"}, \"signature\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"certificate\": {\"created_time\": 1695676041558, \"expiration_time\": 1695676041554, \"fingerprints\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"372885B9675F31EF37D14F711A430940E777638ADCB2F77B36D079076E38606F\"}], \"issuer\": \"worker attended mel\", \"serial_number\": \"durham graham course\", \"subject\": \"infectious replication lock\", \"version\": \"1.0.0\"}}, \"size\": 2881440001, \"type\": 
\"Character Device\", \"type_id\": 3}, \"lineage\": [\"desktop lakes moscow\", \"barrel touch increasing\"], \"name\": \"Courage\", \"namespace_pid\": 13, \"parent_process\": {\"cmd_line\": \"institutes yes inputs\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"7CA5C1BF6D37F1E7389DB34F7617B7101F65DED1\"}, \"image\": {\"name\": \"belfast interests activation\", \"uid\": \"849f1dc2-5be7-11ee-b432-0242ac110005\"}, \"name\": \"missed foreign palmer\", \"size\": 903476370, \"uid\": \"849f0878-5be7-11ee-b335-0242ac110005\"}, \"created_time\": 1695676041565, \"created_time_dt\": \"2023-09-25T21:07:21.565824Z\", \"file\": {\"accessed_time_dt\": \"2023-09-25T21:07:21.564734Z\", \"creator\": {\"account\": {\"name\": \"workers observer lonely\", \"type\": \"GCP Account\", \"type_id\": 5, \"uid\": \"849ef310-5be7-11ee-b8e1-0242ac110005\"}, \"email_addr\": \"Myrta@of.cat\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849edfe2-5be7-11ee-97f0-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"5F8105C9976CE93253600A074BD373A5286734FB9650F503EF4AD611A9422D3554C34BD6C2672159C2F485A59C83965804D6F2532A8DADF2749DF74B1B089C10\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"C1E19A5C30DB36D9FEA3088EBBCF2E05B7F2E3B108DA82565EF183591D036A615456960CA1BF3DEDAEF8450140669F4E45A239D12DE570D5B2322AEADAE0EE7B\"}], \"name\": \"metabolism.gadget\", \"owner\": {\"org\": {\"name\": \"syndication joseph realized\", \"ou_name\": \"advertise scored usr\", \"ou_uid\": \"849e9852-5be7-11ee-9c6a-0242ac110005\", \"uid\": \"849e8ff6-5be7-11ee-be3f-0242ac110005\"}, \"type\": \"System\", \"type_id\": 3, \"uid\": \"849e86dc-5be7-11ee-9b00-0242ac110005\"}, \"parent_folder\": \"patch attempting mf/nashville.dxf\", \"path\": \"patch attempting mf/nashville.dxf/metabolism.gadget\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"certificate\": {\"created_time\": 1695676041504, \"expiration_time\": 
1695676041569, \"fingerprints\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"6467C5C0EA62DB25016E724973C845BA50F0BBD72AE91F11E4CB5F3884CF1852EC05AA4B971CA59B372F8DC7B8E49562276E89C888FFDE3DD41BFC2E88336E98\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"80A346634E5CD09AAFC3C417ABCE0C6A156B40EBB910123FAC486DC6197D24EC4C575301A8CC06D58FBAEEAE6F40E42B6D84FDA6996E06EE2F68282EA73FDA93\"}], \"issuer\": \"database verse prince\", \"serial_number\": \"termination vi limitation\", \"subject\": \"signals book follow\", \"version\": \"1.0.0\"}}, \"type\": \"Character Device\", \"type_id\": 3}, \"name\": \"Harley\", \"namespace_pid\": 44, \"pid\": 38, \"terminated_time\": 1695676041566, \"uid\": \"849f00ee-5be7-11ee-954b-0242ac110005\", \"user\": {\"full_name\": \"Lyndsay Ricky\", \"name\": \"Referenced\", \"type\": \"Admin\", \"type_id\": 2}, \"xattributes\": {}}, \"pid\": 5, \"user\": {\"name\": \"Motorcycle\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"849e4a46-5be7-11ee-bc81-0242ac110005\"}}, \"pid\": 50, \"sandbox\": \"final corporations performances\", \"user\": {\"account\": {\"type\": \"Windows Account\", \"type_id\": 2, \"uid\": \"849df820-5be7-11ee-82f1-0242ac110005\"}, \"credential_uid\": \"849dfc62-5be7-11ee-a9bc-0242ac110005\", \"name\": \"Simulations\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"849debb4-5be7-11ee-bfac-0242ac110005\"}}, \"pid\": 28, \"uid\": \"849d64dc-5be7-11ee-b02a-0242ac110005\", \"user\": {\"name\": \"Be\", \"type\": \"types\", \"type_id\": 99, \"uid\": \"849d60a4-5be7-11ee-98cb-0242ac110005\"}}, \"pid\": 76, \"uid\": \"849d308e-5be7-11ee-a5ad-0242ac110005\", \"user\": {\"email_addr\": \"Josefina@holders.museum\", \"name\": \"Manager\", \"type\": \"legs\", \"type_id\": 99, \"uid\": \"849d2c24-5be7-11ee-953d-0242ac110005\"}, \"xattributes\": {}}, \"user\": {\"account\": {\"name\": \"strict manufactured invest\", \"type\": \"AWS IAM User\", \"type_id\": 3, \"uid\": 
\"849d0500-5be7-11ee-97bd-0242ac110005\"}, \"credential_uid\": \"849d08ca-5be7-11ee-bfe2-0242ac110005\", \"name\": \"Track\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849cfe70-5be7-11ee-b38b-0242ac110005\"}}, \"sandbox\": \"distributor workshops maldives\", \"session\": {\"created_time\": 1695676041550, \"expiration_time_dt\": \"2023-09-25T21:07:21.550638Z\", \"is_remote\": false, \"issuer\": \"volunteer meetings medline\", \"uid\": \"849ccebe-5be7-11ee-a1ca-0242ac110005\"}, \"uid\": \"849cc522-5be7-11ee-aa87-0242ac110005\", \"user\": {\"credential_uid\": \"849cc0f4-5be7-11ee-9c36-0242ac110005\", \"domain\": \"our installing clinical\", \"name\": \"Weather\", \"org\": {\"name\": \"top riverside asthma\", \"ou_name\": \"stats dans soviet\", \"uid\": \"849cb208-5be7-11ee-a4a6-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"849ca4ca-5be7-11ee-b39c-0242ac110005\"}}, \"pid\": 20, \"uid\": \"849c61f4-5be7-11ee-8006-0242ac110005\"}, \"pid\": 74, \"sandbox\": \"upload stages deutsch\", \"terminated_time_dt\": \"2023-09-25T21:07:21.565891Z\", \"xattributes\": {}}, \"pid\": 41, \"sandbox\": \"facial gossip lopez\", \"session\": {\"created_time\": 1695676041544, \"is_remote\": true, \"issuer\": \"mind file superior\", \"uid\": \"849bd89c-5be7-11ee-bbae-0242ac110005\"}, \"terminated_time\": 1695676041561, \"terminated_time_dt\": \"2023-09-25T21:07:21.565908Z\", \"tid\": 86, \"uid\": \"849bcfb4-5be7-11ee-b896-0242ac110005\", \"user\": {\"email_addr\": \"Reba@contemporary.mobi\", \"groups\": [{\"desc\": \"twenty protection innovative\", \"name\": \"penn laundry woods\", \"type\": \"powerpoint jump hospitality\", \"uid\": \"849bbdee-5be7-11ee-95a2-0242ac110005\"}, {\"uid\": \"849bc780-5be7-11ee-9955-0242ac110005\"}], \"name\": \"Certain\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849bb81c-5be7-11ee-bbec-0242ac110005\", \"uid_alt\": \"technical critics nationally\"}}, \"pid\": 71, \"sandbox\": \"compounds s time\", \"terminated_time\": 
1695676041567, \"uid\": \"849b6dee-5be7-11ee-84f0-0242ac110005\", \"user\": {\"domain\": \"lexmark refers dylan\", \"email_addr\": \"Yelena@communities.nato\", \"name\": \"Particles\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"849b6916-5be7-11ee-a01e-0242ac110005\"}}, \"pid\": 86, \"sandbox\": \"romance volunteer entrepreneurs\", \"uid\": \"849adea6-5be7-11ee-aa53-0242ac110005\", \"user\": {\"domain\": \"statistical poland gregory\", \"full_name\": \"Paul Julian\", \"groups\": [{\"desc\": \"luggage species belkin\", \"name\": \"accessed thanks instructions\", \"privileges\": [\"flashing aol autumn\"], \"uid\": \"849ad5fa-5be7-11ee-a0e9-0242ac110005\"}, {\"name\": \"cognitive times agent\", \"privileges\": [\"sodium believed housing\", \"incorporated jungle asian\"], \"uid\": \"849ada50-5be7-11ee-824e-0242ac110005\"}], \"name\": \"Alliance\", \"org\": {\"name\": \"nyc kidney drawings\", \"uid\": \"849accae-5be7-11ee-af7b-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"849abe76-5be7-11ee-a5a1-0242ac110005\"}}, \"pid\": 13, \"uid\": \"849a9ed2-5be7-11ee-ae61-0242ac110005\", \"user\": {\"account\": {\"name\": \"fragrances bulk specialty\", \"type\": \"LDAP Account\", \"type_id\": 1, \"uid\": \"849a9702-5be7-11ee-9f5d-0242ac110005\"}, \"credential_uid\": \"849a9afe-5be7-11ee-b27a-0242ac110005\", \"email_addr\": \"Wava@promises.info\", \"full_name\": \"Marisela Towanda\", \"name\": \"Round\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"849a900e-5be7-11ee-9894-0242ac110005\"}}, \"uid\": \"849a5d78-5be7-11ee-ac24-0242ac110005\", \"user\": {\"full_name\": \"Elisa Cleora\", \"name\": \"Sisters\", \"type\": \"rebound\", \"type_id\": 99, \"uid\": \"849a52ce-5be7-11ee-a468-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 90, \"sandbox\": \"moon exercise starring\", \"terminated_time\": 1695676041562, \"uid\": \"849a1af2-5be7-11ee-82a9-0242ac110005\", \"user\": {\"groups\": [{\"privileges\": [\"independent vegetables assisted\", \"refinance lee 
seating\"], \"uid\": \"849a1124-5be7-11ee-9a8e-0242ac110005\"}, {\"name\": \"div violence strange\", \"uid\": \"849a1674-5be7-11ee-aa3b-0242ac110005\"}], \"name\": \"Immediate\", \"org\": {\"name\": \"velvet days pubs\", \"ou_name\": \"brake craps campaign\"}, \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849a06c0-5be7-11ee-acfe-0242ac110005\"}}, \"pid\": 21, \"session\": {\"created_time\": 1695676041534, \"expiration_time\": 1695676041542, \"is_remote\": true, \"uid\": \"8499ca0c-5be7-11ee-aae9-0242ac110005\"}, \"uid\": \"8499bc88-5be7-11ee-b028-0242ac110005\", \"user\": {\"name\": \"Apartments\", \"type\": \"ad\", \"type_id\": 99, \"uid\": \"8499b5da-5be7-11ee-b276-0242ac110005\", \"uid_alt\": \"serving turbo spy\"}}, \"pid\": 67, \"terminated_time\": 1695676041561, \"uid\": \"84996800-5be7-11ee-8754-0242ac110005\", \"user\": {\"name\": \"Fantastic\", \"org\": {\"name\": \"dryer asn trying\", \"ou_name\": \"wr r gibraltar\", \"uid\": \"849963aa-5be7-11ee-b57a-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"84995d06-5be7-11ee-8223-0242ac110005\"}}, \"pid\": 86, \"uid\": \"8499377c-5be7-11ee-9164-0242ac110005\", \"user\": {\"email_addr\": \"Renita@pete.cat\", \"name\": \"Rice\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"84993312-5be7-11ee-b956-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 49, \"uid\": \"8498d430-5be7-11ee-b1bf-0242ac110005\", \"user\": {\"name\": \"Hour\", \"type\": \"insert\", \"type_id\": 99, \"uid\": \"8498cd14-5be7-11ee-94d7-0242ac110005\", \"uid_alt\": \"organizations guild beds\"}}, \"pid\": 20, \"sandbox\": \"keeps pour rent\", \"terminated_time\": 1695676041566, \"uid\": \"84989376-5be7-11ee-9216-0242ac110005\", \"user\": {\"email_addr\": \"Elza@girls.mil\", \"full_name\": \"Karoline Meggan\", \"name\": \"Provided\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"84988e80-5be7-11ee-bf3c-0242ac110005\"}}, \"pid\": 28, \"uid\": \"8498530c-5be7-11ee-86f3-0242ac110005\", \"user\": {\"domain\": \"sao uri flesh\", 
\"name\": \"Knows\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"84984db2-5be7-11ee-ba4e-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 26, \"sandbox\": \"species tourism system\", \"terminated_time\": 1695676041564, \"uid\": \"849823d2-5be7-11ee-92d1-0242ac110005\", \"user\": {\"name\": \"Shipment\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"84981f68-5be7-11ee-b652-0242ac110005\", \"uid_alt\": \"singh dim static\"}, \"xattributes\": {}}", + "session": { + "created_time": 1695676041516, + "credential_uid": "8497c716-5be7-11ee-bd7a-0242ac110005", + "issuer": "discussing capital ottawa", + "uid": "8497c27a-5be7-11ee-8a34-0242ac110005" + } + }, + "user": { + "account": { + "name": "suspended cg sisters", + "uid": "8497655a-5be7-11ee-ab52-0242ac110005" + }, + "type": "System", + "type_id": "3" + } + }, + "user": { + "org": { + "name": "performed assignments undefined", + "ou_name": "headquarters informal nigeria", + "uid": "849f3870-5be7-11ee-8857-0242ac110005" + }, + "type": "metres", + "type_id": "99" + } + }, + "category_name": "Network Activity", + "category_uid": 4, + "class_name": "Network File Activity", + "class_uid": "4010", + "enrichments": [ + { + "data": "{\"drug\": \"drugg7899\"}", + "name": "tree cities corner", + "type": "knife super bat", + "value": "thy qualification booth" + }, + { + "data": "{\"wallpaper\": \"feded\"}", + "name": "hc saskatchewan quickly", + "provider": "outlet toolkit person", + "type": "thu loves strong", + "value": "sword somebody equilibrium" + } + ], + "expiration_time": 1695676041527, + "file": { + "accessor": { + "name": "Uruguay", + "org": { + "name": "lottery political own", + "ou_name": "confirmed towards declined", + "ou_uid": "849f540e-5be7-11ee-841c-0242ac110005", + "uid": "849f501c-5be7-11ee-ab6f-0242ac110005" + }, + "type": "User", + "type_id": "1", + "uid": "849f49fa-5be7-11ee-bfe2-0242ac110005" + }, + "desc": "arabic suits fun", + "hashes": [ + { + "algorithm": "SHA-256", + "algorithm_id": "3", + "value": 
"4C3280C17F9D982CCBAC882AE1F48DAD224DBA938BEE87BF18E31C76B0C3B88B" + }, + { + "algorithm": "quickXorHash", + "algorithm_id": "7", + "value": "A7F0A2AD03BE8938C945F65DB1A395CE9E98D67F9EE8D4CA97D687FBB394B64FA0AEB15F5B1D82A2922B62320B77DBA842BBEDEE2B5E15D7A883665ADE3F7C2B" + } + ], + "modified_time_dt": "2023-09-25T21:07:21.567190Z", + "type_id": "0" + }, + "metadata": { + "correlation_uid": "84971e10-5be7-11ee-b5e7-0242ac110005", + "log_name": "proud iso ticket", + "modified_time_dt": "2023-09-25T21:07:21.513376Z", + "original_time": "tournaments leisure comedy", + "processed_time_dt": "2023-09-25T21:07:21.513394Z", + "product": { + "name": "describes static geological", + "uid": "849714ce-5be7-11ee-981b-0242ac110005", + "url_string": "avatar", + "vendor_name": "highly got hook", + "version": "1.0.0" + }, + "profiles": [ + "cloud", + "container", + "datetime" + ], + "version": "1.0.0" + }, + "observables": [ + { + "name": "except visitor vbulletin", + "type": "Uniform Resource Locator", + "type_id": "23" + }, + { + "name": "hong rhode para", + "type": "Process Name", + "type_id": "9" + } + ], + "severity": "Low", + "src_endpoint": { + "instance_uid": "849732a6-5be7-11ee-bdb0-0242ac110005", + "interface_name": "grown reflect expressed", + "interface_uid": "84973670-5be7-11ee-8000-0242ac110005", + "name": "replaced wa unlock", + "uid": "84972e82-5be7-11ee-8eac-0242ac110005" + }, + "status": "patch emma midi", + "timezone_offset": 42, + "type_name": "Network File Activity: Rename", + "type_uid": "401005" + }, "related": { "hosts": [ "menu.travel" diff --git a/OCSF/ocsf/tests/test_network_activity_11.json b/OCSF/ocsf/tests/test_network_activity_11.json index 0b2861d32..3a5ff9003 100644 --- a/OCSF/ocsf/tests/test_network_activity_11.json +++ b/OCSF/ocsf/tests/test_network_activity_11.json 
@@ -26,6 +26,124 @@ }, "provider": "antique camp pin" }, - "ocsf": "{\"activity_id\": 1, \"activity_name\": \"Send\", \"attacks\": [{\"tactics\": [{\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"CMSTP\", \"uid\": \"T1191\"}, \"version\": \"12.1\"}], \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Email File Activity\", \"class_uid\": 4011, \"cloud\": {\"account\": {\"type\": \"AWS Account\", \"type_id\": 10, \"uid\": \"9e3d6a4a-5be7-11ee-9095-0242ac110005\"}, \"provider\": \"antique camp pin\"}, \"device\": {\"autoscale_uid\": \"9e3d9b1e-5be7-11ee-ab96-0242ac110005\", \"groups\": [{\"name\": \"scanned consisting expense\", \"privileges\": [\"photography derived log\", \"dna ec believed\"], \"type\": \"odds traditions trick\", \"uid\": \"9e3db702-5be7-11ee-a715-0242ac110005\"}, {\"name\": \"tires modifications calendars\", \"uid\": \"9e3dbc02-5be7-11ee-9470-0242ac110005\"}], \"hostname\": \"rule.edu\", \"instance_uid\": \"9e3d9f74-5be7-11ee-a549-0242ac110005\", \"interface_name\": \"accurately shadows node\", \"interface_uid\": \"9e3da38e-5be7-11ee-bda3-0242ac110005\", \"ip\": \"67.43.156.0\", \"is_personal\": false, \"modified_time\": 1695676084549, \"name\": \"walter qt hitting\", \"region\": \"cosmetics preston msgstr\", \"type\": \"Tablet\", \"type_id\": 4, \"uid\": \"9e3dbfa4-5be7-11ee-8f05-0242ac110005\", \"uid_alt\": \"technology alex metallica\"}, \"disposition\": \"Blocked\", \"disposition_id\": 2, \"email_uid\": \"9e3d9088-5be7-11ee-b651-0242ac110005\", \"enrichments\": [{\"data\": {\"meat\": \"meattt\"}, \"name\": \"another polyester collectors\", \"provider\": \"companion fy mat\", \"type\": \"gen cap beauty\", \"value\": \"recipes generating stored\"}, {\"data\": {\"meatd\": \"meattt\"}, \"name\": \"brandon fraser seed\", \"provider\": \"hearings gossip shadows\", \"type\": \"grove bradley ddr\", \"value\": \"written 
thumbnail looksmart\"}], \"file\": {\"accessed_time_dt\": \"2023-09-25T21:08:04.549340Z\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"55F23C756971F835627DAD00E0FEAF38D62993462CA63631FDF93D0E8130CDFF\"}], \"modified_time\": 1695676084549, \"name\": \"revenge.ged\", \"parent_folder\": \"pensions lightning push/congress.icns\", \"path\": \"pensions lightning push/congress.icns/revenge.ged\", \"security_descriptor\": \"procedure amsterdam belarus\", \"size\": 123, \"type\": \"Block Device\", \"type_id\": 4}, \"message\": \"distances authorization packed\", \"metadata\": {\"extension\": {\"name\": \"editor nerve offset\", \"uid\": \"9e3d7ff8-5be7-11ee-8454-0242ac110005\", \"version\": \"1.0.0\"}, \"log_version\": \"flow tribunal aging\", \"original_time\": \"consistently sauce duke\", \"processed_time_dt\": \"2023-09-25T21:08:04.547033Z\", \"product\": {\"lang\": \"en\", \"name\": \"harm dash walter\", \"path\": \"contributors rest worried\", \"uid\": \"9e3d893a-5be7-11ee-9bf6-0242ac110005\", \"vendor_name\": \"acre shut suzuki\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"version\": \"1.0.0\"}, \"severity\": \"Critical\", \"severity_id\": 5, \"status\": \"annually\", \"status_id\": 99, \"time\": 1695676084572, \"timezone_offset\": 0, \"type_name\": \"Email File Activity: Send\", \"type_uid\": 401101}" + "ocsf": { + "activity_id": 1, + "activity_name": "Send", + "attacks": [ + { + "tactics": [ + { + "name": "Privilege Escalation | The adversary is trying to gain higher-level permissions.", + "uid": "TA0004" + } + ], + "technique": { + "name": "CMSTP", + "uid": "T1191" + }, + "version": "12.1" + } + ], + "category_name": "Network Activity", + "category_uid": 4, + "class_name": "Email File Activity", + "class_uid": "4011", + "cloud": { + "account": { + "type": "AWS Account", + "type_id": "10" + } + }, + 
"device": { + "autoscale_uid": "9e3d9b1e-5be7-11ee-ab96-0242ac110005", + "groups": [ + { + "name": "tires modifications calendars", + "uid": "9e3dbc02-5be7-11ee-9470-0242ac110005" + }, + { + "name": "scanned consisting expense", + "privileges": [ + "photography derived log", + "dna ec believed" + ], + "type": "odds traditions trick", + "uid": "9e3db702-5be7-11ee-a715-0242ac110005" + } + ], + "instance_uid": "9e3d9f74-5be7-11ee-a549-0242ac110005", + "interface_name": "accurately shadows node", + "interface_uid": "9e3da38e-5be7-11ee-bda3-0242ac110005", + "is_personal": false, + "modified_time": 1695676084549, + "region": "cosmetics preston msgstr", + "type_id": "4", + "uid_alt": "technology alex metallica" + }, + "disposition": "Blocked", + "disposition_id": "2", + "enrichments": [ + { + "data": "{\"meat\": \"meattt\"}", + "name": "another polyester collectors", + "provider": "companion fy mat", + "type": "gen cap beauty", + "value": "recipes generating stored" + }, + { + "data": "{\"meatd\": \"meattt\"}", + "name": "brandon fraser seed", + "provider": "hearings gossip shadows", + "type": "grove bradley ddr", + "value": "written thumbnail looksmart" + } + ], + "file": { + "accessed_time_dt": "2023-09-25T21:08:04.549340Z", + "confidentiality": "Top Secret", + "confidentiality_id": "4", + "hashes": [ + { + "algorithm": "magic", + "algorithm_id": "99", + "value": "55F23C756971F835627DAD00E0FEAF38D62993462CA63631FDF93D0E8130CDFF" + } + ], + "security_descriptor": "procedure amsterdam belarus", + "type_id": "4" + }, + "metadata": { + "extension": { + "name": "editor nerve offset", + "uid": "9e3d7ff8-5be7-11ee-8454-0242ac110005", + "version": "1.0.0" + }, + "log_version": "flow tribunal aging", + "original_time": "consistently sauce duke", + "processed_time_dt": "2023-09-25T21:08:04.547033Z", + "product": { + "lang": "en", + "name": "harm dash walter", + "path": "contributors rest worried", + "uid": "9e3d893a-5be7-11ee-9bf6-0242ac110005", + "vendor_name": "acre shut 
suzuki", + "version": "1.0.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "security_control" + ], + "version": "1.0.0" + }, + "severity": "Critical", + "status": "annually", + "status_id": "99", + "timezone_offset": 0, + "type_name": "Email File Activity: Send", + "type_uid": "401101" + } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_12.json b/OCSF/ocsf/tests/test_network_activity_12.json index 61d2d9a52..688b9162c 100644 --- a/OCSF/ocsf/tests/test_network_activity_12.json +++ b/OCSF/ocsf/tests/test_network_activity_12.json 
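Review bot: In the new `ocsf` object sibling identifier fields carry mixed JSON types: `"activity_id": 1` and `"category_uid": 4` stay integers while `"class_uid": "4011"`, `"type_id": "10"`, `"disposition_id": "2"`, `"status_id": "99"` and `"type_uid": "401101"` become strings, and the same pattern appears in test_network_activity_12.json, test_network_activity_2.json and test_network_activity_3.json. If this mirrors keyword-versus-long declarations in fields.yml it is worth stating in the parser or README so rule authors know a numeric comparison on `ocsf.class_uid` will not match while one on `ocsf.category_uid` will; otherwise the `*_id`/`*_uid` fields should be typed consistently. Fields present on the removed line such as `severity_id`, `time`, `device.hostname`, `device.ip`, `file.name` and `file.path` no longer appear under `ocsf`; presumably they are remapped to ECS in the part of the expected output outside this hunk, which is worth confirming, since dropping `severity_id` while keeping the free-text `severity` makes severity filtering less reliable.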
@@ -31,6 +31,105 @@ "provider": "indicated electro washer", "region": "crucial mysimon exit" }, - "ocsf": "{\"activity_id\": 2, \"activity_name\": \"Receive\", \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Email URL Activity\", \"class_uid\": 4012, \"cloud\": {\"account\": {\"name\": \"bubble prototype interstate\", \"type\": \"Azure AD Account\", \"type_id\": 6, \"uid\": \"a844c1f0-5be7-11ee-83dc-0242ac110005\"}, \"provider\": \"indicated electro washer\", \"region\": \"crucial mysimon exit\"}, \"count\": 43, \"device\": {\"desc\": \"beta culture receiving\", \"groups\": [{\"desc\": \"blessed drive took\", \"name\": \"karaoke finnish coordination\", \"uid\": \"a8453b30-5be7-11ee-90d5-0242ac110005\"}, {\"name\": \"briefs iii andy\", \"type\": \"ireland arch trademark\", \"uid\": \"a8453fc2-5be7-11ee-bd52-0242ac110005\"}], \"hostname\": \"australia.aero\", \"image\": {\"name\": \"bank ftp newman\", \"uid\": \"a84532d4-5be7-11ee-af3a-0242ac110005\"}, \"instance_uid\": \"a84525fa-5be7-11ee-987a-0242ac110005\", \"interface_name\": \"subsection get techno\", \"interface_uid\": \"a8452b90-5be7-11ee-9db2-0242ac110005\", \"ip\": \"67.43.156.0\", \"last_seen_time_dt\": \"2023-09-25T21:08:21.374251Z\", \"name\": \"experiments old guides\", \"network_interfaces\": [{\"hostname\": \"personalized.nato\", \"ip\": \"175.16.199.1\", \"mac\": \"30:29:E4:EE:B6:98:14:3A\", \"name\": \"animals economy signals\", \"type\": \"proven\", \"type_id\": 99}, {\"hostname\": \"mitchell.nato\", \"ip\": \"224.61.168.94\", \"mac\": \"69:8D:D4:20:55:3A:43:D0\", \"name\": \"announces restaurants deposits\", \"type\": \"Wired\", \"type_id\": 1}], \"region\": \"propecia commonwealth equipment\", \"type\": \"Virtual\", \"type_id\": 6, \"uid\": \"a845433c-5be7-11ee-8e93-0242ac110005\"}, \"disposition\": \"Delayed\", \"disposition_id\": 14, \"duration\": 2, \"email_uid\": \"a8450be2-5be7-11ee-bf7c-0242ac110005\", \"message\": \"carb fujitsu spots\", \"metadata\": 
{\"log_name\": \"cleaners villa historic\", \"log_provider\": \"immediately accused charlie\", \"logged_time\": 1695676101375, \"original_time\": \"medline prospect ict\", \"product\": {\"feature\": {\"name\": \"mess const microwave\", \"uid\": \"a8450084-5be7-11ee-93f7-0242ac110005\", \"version\": \"1.0.0\"}, \"lang\": \"en\", \"name\": \"erotica ladies hero\", \"uid\": \"a844f346-5be7-11ee-a2c8-0242ac110005\", \"url_string\": \"washer\", \"vendor_name\": \"feelings tide perry\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"version\": \"1.0.0\"}, \"severity\": \"electrical\", \"severity_id\": 99, \"status\": \"Success\", \"status_detail\": \"released oxygen reasonable\", \"status_id\": 1, \"time\": 1695676101376, \"timezone_offset\": 34, \"type_name\": \"Email URL Activity: Receive\", \"type_uid\": 401202, \"url\": {\"category_ids\": [49, 54], \"hostname\": \"sage.mil\", \"path\": \"flows affiliation global\", \"port\": 23624, \"query_string\": \"mattress betting covers\", \"scheme\": \"yoga thesaurus regardless\", \"url_string\": \"vocal\"}}" + "ocsf": { + "activity_id": 2, + "activity_name": "Receive", + "category_name": "Network Activity", + "category_uid": 4, + "class_name": "Email URL Activity", + "class_uid": "4012", + "cloud": { + "account": { + "type": "Azure AD Account", + "type_id": "6" + } + }, + "count": 43, + "device": { + "desc": "beta culture receiving", + "groups": [ + { + "desc": "blessed drive took", + "name": "karaoke finnish coordination", + "uid": "a8453b30-5be7-11ee-90d5-0242ac110005" + }, + { + "name": "briefs iii andy", + "type": "ireland arch trademark", + "uid": "a8453fc2-5be7-11ee-bd52-0242ac110005" + } + ], + "image": { + "name": "bank ftp newman", + "uid": "a84532d4-5be7-11ee-af3a-0242ac110005" + }, + "instance_uid": "a84525fa-5be7-11ee-987a-0242ac110005", + "interface_name": "subsection get techno", + "interface_uid": "a8452b90-5be7-11ee-9db2-0242ac110005", + 
"last_seen_time_dt": "2023-09-25T21:08:21.374251Z", + "network_interfaces": [ + { + "hostname": "personalized.nato", + "ip": "175.16.199.1", + "mac": "30:29:E4:EE:B6:98:14:3A", + "name": "animals economy signals", + "type": "proven", + "type_id": "99" + }, + { + "hostname": "mitchell.nato", + "ip": "224.61.168.94", + "mac": "69:8D:D4:20:55:3A:43:D0", + "name": "announces restaurants deposits", + "type": "Wired", + "type_id": "1" + } + ], + "region": "propecia commonwealth equipment", + "type_id": "6" + }, + "disposition": "Delayed", + "disposition_id": "14", + "duration": 2, + "metadata": { + "log_name": "cleaners villa historic", + "logged_time": 1695676101375, + "original_time": "medline prospect ict", + "product": { + "feature": { + "name": "mess const microwave", + "uid": "a8450084-5be7-11ee-93f7-0242ac110005", + "version": "1.0.0" + }, + "lang": "en", + "name": "erotica ladies hero", + "uid": "a844f346-5be7-11ee-a2c8-0242ac110005", + "url_string": "washer", + "vendor_name": "feelings tide perry", + "version": "1.0.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "security_control" + ], + "version": "1.0.0" + }, + "severity": "electrical", + "status": "Success", + "status_detail": "released oxygen reasonable", + "status_id": "1", + "timezone_offset": 34, + "type_name": "Email URL Activity: Receive", + "type_uid": "401202", + "url": { + "category_ids": [ + "49", + "54" + ] + } + } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_2.json b/OCSF/ocsf/tests/test_network_activity_2.json index 2aac09c59..4ac43b7df 100644 --- a/OCSF/ocsf/tests/test_network_activity_2.json +++ b/OCSF/ocsf/tests/test_network_activity_2.json 
@@ -34,7 +34,137 @@ "network": { "application": "sim lucas entries" }, - "ocsf": "{\"activity_id\": 1, \"activity_name\": \"Connect\", \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"HTTP Activity\", \"class_uid\": 4002, \"cloud\": {\"provider\": \"reflect alarm my\", \"region\": \"chrome during bs\"}, \"connection_info\": {\"direction\": \"andreas\", \"direction_id\": 99, \"protocol_num\": 67, \"protocol_ver\": \"1.4\"}, \"device\": {\"created_time_dt\": \"2023-09-25T21:04:49.414353Z\", \"domain\": \"barbara advantages levitra\", \"hostname\": \"scanners.nato\", \"hw_info\": {\"bios_ver\": \"1.4.4\", \"chassis\": \"pubs remarks desktops\"}, \"image\": {\"labels\": [\"meaningful\"], \"name\": \"cover hearts magazine\", \"path\": \"ts recording cooling\", \"uid\": \"29eece90-5be7-11ee-8106-0242ac110005\"}, \"instance_uid\": \"29eeb9b4-5be7-11ee-9f8e-0242ac110005\", \"interface_name\": \"hall td flash\", \"interface_uid\": \"29eebe78-5be7-11ee-bef3-0242ac110005\", \"ip\": \"175.16.199.1\", \"is_compliant\": true, \"is_personal\": false, \"last_seen_time_dt\": \"2023-09-25T21:04:49.414926Z\", \"location\": {\"city\": \"Suspension associations\", \"continent\": \"Africa\", \"coordinates\": [-67.6681, -46.1461], \"country\": \"LS\", \"desc\": \"Lesotho, Kingdom of\"}, \"name\": \"calcium saudi allows\", \"region\": \"coverage financing sympathy\", \"risk_level\": \"improving jvc directors\", \"risk_score\": 9, \"subnet_uid\": \"29eea79e-5be7-11ee-9005-0242ac110005\", \"type\": \"Virtual\", \"type_id\": 6, \"uid\": \"29eed912-5be7-11ee-a07b-0242ac110005\"}, \"disposition\": \"Quarantined\", \"disposition_id\": 3, \"dst_endpoint\": {\"instance_uid\": \"29ee849e-5be7-11ee-af0f-0242ac110005\", \"interface_name\": \"probability pins and\", \"interface_uid\": \"29ee88b8-5be7-11ee-ae4f-0242ac110005\", \"name\": \"accounts an verzeichnis\", \"port\": 15440, \"svc_name\": \"sim lucas entries\", \"uid\": \"29ee8048-5be7-11ee-b29d-0242ac110005\"}, 
\"duration\": 80, \"end_time\": 1695675889419, \"end_time_dt\": \"2023-09-25T21:04:49.412301Z\", \"http_request\": {\"http_headers\": [{\"name\": \"using closed scientists\", \"value\": \"y montana command\"}, {\"name\": \"mileage wheels temple\", \"value\": \"where relate sheet\"}], \"http_method\": \"POST\", \"uid\": \"29eee308-5be7-11ee-baad-0242ac110005\", \"url\": {\"categories\": [\"ratios amount prevent\", \"rpg beauty base\"], \"category_ids\": [109], \"hostname\": \"collected.org\", \"path\": \"proposed opposed vegas\", \"port\": 17689, \"query_string\": \"additions linux furthermore\", \"resource_type\": \"tours entering camping\", \"scheme\": \"gary bibliography font\", \"subdomain\": \"katrina je pieces\", \"url_string\": \"illinois\"}, \"user_agent\": \"cheese heading anyway\", \"version\": \"1.0.0\", \"x_forwarded_for\": [\"175.16.199.1\"]}, \"http_response\": {\"code\": 83}, \"http_status\": 51, \"malware\": [{\"classification_ids\": [9, 11], \"name\": \"exception scholarship accessed\", \"path\": \"victim reductions pursue\", \"provider\": \"computed oxygen viewer\"}], \"message\": \"lt trusted genes\", \"metadata\": {\"log_name\": \"directors clinton zone\", \"log_provider\": \"myrtle watts management\", \"logged_time\": 1695675889413, \"original_time\": \"mix carrying provides\", \"processed_time\": 1695675889453, \"product\": {\"lang\": \"en\", \"name\": \"helena crystal initiative\", \"uid\": \"29ee731e-5be7-11ee-9b80-0242ac110005\", \"url_string\": \"bedding\", \"vendor_name\": \"infectious instrumentation malaysia\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"version\": \"1.0.0\"}, \"proxy\": {\"hostname\": \"excel.info\", \"instance_uid\": \"29ef1a80-5be7-11ee-b25a-0242ac110005\", \"interface_name\": \"ipaq brazil justify\", \"interface_uid\": \"29ef1e7c-5be7-11ee-9f23-0242ac110005\", \"ip\": \"67.43.156.0\", \"name\": \"exec cholesterol fossil\", \"port\": 24281, 
\"svc_name\": \"boys participant drove\", \"uid\": \"29ef1436-5be7-11ee-aebf-0242ac110005\"}, \"severity\": \"uw\", \"severity_id\": 99, \"src_endpoint\": {\"hostname\": \"side.pro\", \"instance_uid\": \"29eeff46-5be7-11ee-9978-0242ac110005\", \"interface_name\": \"jc mistress announced\", \"ip\": \"67.43.156.0\", \"name\": \"exercise identified exciting\", \"port\": 14669, \"subnet_uid\": \"29ef0446-5be7-11ee-9887-0242ac110005\", \"svc_name\": \"street truly arise\", \"uid\": \"29eef9ba-5be7-11ee-8245-0242ac110005\", \"vlan_uid\": \"29ef0900-5be7-11ee-937e-0242ac110005\"}, \"status\": \"Success\", \"status_id\": 1, \"time\": 1695675889417, \"timezone_offset\": 78, \"type_name\": \"HTTP Activity: Connect\", \"type_uid\": 400201}", + "ocsf": { + "activity_id": 1, + "activity_name": "Connect", + "category_name": "Network Activity", + "category_uid": 4, + "class_name": "HTTP Activity", + "class_uid": "4002", + "connection_info": { + "direction": "andreas", + "direction_id": "99" + }, + "device": { + "created_time_dt": "2023-09-25T21:04:49.414353Z", + "hw_info": { + "bios_ver": "1.4.4", + "chassis": "pubs remarks desktops" + }, + "image": { + "labels": [ + "meaningful" + ], + "name": "cover hearts magazine", + "path": "ts recording cooling", + "uid": "29eece90-5be7-11ee-8106-0242ac110005" + }, + "instance_uid": "29eeb9b4-5be7-11ee-9f8e-0242ac110005", + "interface_name": "hall td flash", + "interface_uid": "29eebe78-5be7-11ee-bef3-0242ac110005", + "is_compliant": true, + "is_personal": false, + "last_seen_time_dt": "2023-09-25T21:04:49.414926Z", + "region": "coverage financing sympathy", + "subnet_uid": "29eea79e-5be7-11ee-9005-0242ac110005", + "type_id": "6" + }, + "disposition": "Quarantined", + "disposition_id": "3", + "dst_endpoint": { + "instance_uid": "29ee849e-5be7-11ee-af0f-0242ac110005", + "interface_name": "probability pins and", + "interface_uid": "29ee88b8-5be7-11ee-ae4f-0242ac110005", + "name": "accounts an verzeichnis", + "uid": 
"29ee8048-5be7-11ee-b29d-0242ac110005" + }, + "duration": 80, + "end_time_dt": "2023-09-25T21:04:49.412301Z", + "http_request": { + "http_headers": [ + { + "name": "using closed scientists", + "value": "y montana command" + }, + { + "name": "mileage wheels temple", + "value": "where relate sheet" + } + ], + "url": { + "categories": [ + "ratios amount prevent", + "rpg beauty base" + ], + "category_ids": [ + "109" + ], + "resource_type": "tours entering camping" + }, + "x_forwarded_for": [ + "175.16.199.1" + ] + }, + "http_status": 51, + "malware": [ + { + "classification_ids": [ + "9", + "11" + ], + "name": "exception scholarship accessed", + "path": "victim reductions pursue", + "provider": "computed oxygen viewer" + } + ], + "metadata": { + "log_name": "directors clinton zone", + "logged_time": 1695675889413, + "original_time": "mix carrying provides", + "processed_time": 1695675889453, + "product": { + "lang": "en", + "name": "helena crystal initiative", + "uid": "29ee731e-5be7-11ee-9b80-0242ac110005", + "url_string": "bedding", + "vendor_name": "infectious instrumentation malaysia", + "version": "1.0.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "security_control" + ], + "version": "1.0.0" + }, + "proxy": { + "hostname": "excel.info", + "instance_uid": "29ef1a80-5be7-11ee-b25a-0242ac110005", + "interface_name": "ipaq brazil justify", + "interface_uid": "29ef1e7c-5be7-11ee-9f23-0242ac110005", + "ip": "67.43.156.0", + "name": "exec cholesterol fossil", + "port": 24281, + "svc_name": "boys participant drove", + "uid": "29ef1436-5be7-11ee-aebf-0242ac110005" + }, + "severity": "uw", + "src_endpoint": { + "instance_uid": "29eeff46-5be7-11ee-9978-0242ac110005", + "interface_name": "jc mistress announced", + "name": "exercise identified exciting", + "subnet_uid": "29ef0446-5be7-11ee-9887-0242ac110005", + "uid": "29eef9ba-5be7-11ee-8245-0242ac110005", + "vlan_uid": "29ef0900-5be7-11ee-937e-0242ac110005" + }, + "status": "Success", + 
"status_id": "1", + "timezone_offset": 78, + "type_name": "HTTP Activity: Connect", + "type_uid": "400201" + }, "related": { "hosts": [ "side.pro" diff --git a/OCSF/ocsf/tests/test_network_activity_3.json b/OCSF/ocsf/tests/test_network_activity_3.json index 5441b8fa2..4b68617b7 100644 --- a/OCSF/ocsf/tests/test_network_activity_3.json +++ b/OCSF/ocsf/tests/test_network_activity_3.json 
@@ -27,7 +27,54 @@ "provider": "AWS", "region": "us-east-1" }, - "ocsf": "{\"activity_id\": 2, \"activity_name\": \"Response\", \"answers\": [{\"class\": \"IN\", \"rdata\": \"127.0.0.62\", \"type\": \"A\"}], \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"DNS Activity\", \"class_uid\": 4003, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"connection_info\": {\"direction\": \"Unknown\", \"direction_id\": 0, \"protocol_name\": \"UDP\"}, \"disposition\": \"No Action\", \"disposition_id\": 16, \"dst_endpoint\": {\"instance_uid\": \"rslvr-in-0000000000000000\", \"interface_uid\": \"rni-0000000000000000\"}, \"metadata\": {\"product\": {\"feature\": {\"name\": \"Resolver Query Logs\"}, \"name\": \"Route 53\", \"vendor_name\": \"AWS\", \"version\": \"1.100000\"}, \"profiles\": [\"cloud\", \"security_control\"], \"version\": \"1.0.0-rc.2\"}, \"query\": {\"class\": \"IN\", \"hostname\": \"ip-127-0-0-62.alert.firewall.canary.\", \"type\": \"A\"}, \"rcode\": \"NoError\", \"rcode_id\": 0, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"10.200.21.100\", \"port\": 15083, \"vpc_uid\": \"vpc-00000000000000000\"}, \"time\": 1665694957896, \"type_name\": \"DNS Activity: Response\", \"type_uid\": 400302, \"unmapped\": {\"firewall_domain_list_id\": \"rslvr-fdl-0000000000000\", \"firewall_rule_group_id\": \"rslvr-frg-000000000000000\"}}", + "ocsf": { + "activity_id": 2, + "activity_name": "Response", + "answers": [ + { + "class": "IN", + "rdata": "127.0.0.62", + "type": "A" + } + ], + "category_name": "Network Activity", + "category_uid": 4, + "class_name": "DNS Activity", + "class_uid": "4003", + "connection_info": { + "direction": "Unknown", + "direction_id": "0" + }, + "disposition": "No Action", + "disposition_id": "16", + "dst_endpoint": { + "instance_uid": "rslvr-in-0000000000000000", + "interface_uid": "rni-0000000000000000" + }, + "metadata": { + 
"product": { + "feature": { + "name": "Resolver Query Logs" + }, + "name": "Route 53", + "vendor_name": "AWS", + "version": "1.100000" + }, + "profiles": [ + "cloud", + "security_control" + ], + "version": "1.0.0-rc.2" + }, + "rcode_id": "0", + "severity": "Informational", + "src_endpoint": { + "vpc_uid": "vpc-00000000000000000" + }, + "type_name": "DNS Activity: Response", + "type_uid": "400302", + "unmapped": "{\"firewall_domain_list_id\": \"rslvr-fdl-0000000000000\", \"firewall_rule_group_id\": \"rslvr-frg-000000000000000\"}" + }, "related": { "ip": [ "10.200.21.100" diff --git a/OCSF/ocsf/tests/test_network_activity_4.json b/OCSF/ocsf/tests/test_network_activity_4.json index cceb747f3..436d6dc27 100644 --- a/OCSF/ocsf/tests/test_network_activity_4.json +++ b/OCSF/ocsf/tests/test_network_activity_4.json 
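Review bot: The parsed `ocsf` object no longer carries `query.hostname` (`ip-127-0-0-62.alert.firewall.canary.`), `rcode`, `src_endpoint.ip`/`port` or `time`, all of which the removed string had, and the only survivor visible in this hunk is `10.200.21.100` under `related.ip`; unless the expected output asserts the canary hostname on an ECS field outside the hunk (`dns.question.name` or similar), the one field a Resolver DNS Firewall alert is about is no longer checked by this fixture. Identifier typing is mixed inside the same object — `category_uid: 4` and `activity_id: 2` stay integers while `class_uid: "4003"`, `direction_id: "0"`, `disposition_id: "16"`, `rcode_id: "0"` and `type_uid: "400302"` become strings — so a rule written as `ocsf.class_uid == 4003` behaves differently from one on `activity_id`; normalising every `*_id`/`*_uid` to one representation before this expected output pins the inconsistency is cheap now. `unmapped` is kept as an escaped JSON string, which leaves `firewall_rule_group_id` and `firewall_domain_list_id` reachable only by substring search; if that is deliberate (unbounded vendor keys), a sentence in the intake README saying so would keep the next contributor from "fixing" it.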
@@ -44,7 +44,97 @@ "network": { "application": "where image territories" }, - "ocsf": "{\"activity_id\": 6, \"activity_name\": \"Nak\", \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"DHCP Activity\", \"class_uid\": 4004, \"cloud\": {\"provider\": \"finest subdivision assists\", \"region\": \"drill bedford post\"}, \"count\": 2, \"device\": {\"domain\": \"ordinance died reducing\", \"groups\": [{\"name\": \"crisis burlington stood\", \"type\": \"regional yourself ho\", \"uid\": \"3b984cde-5be7-11ee-a8b4-0242ac110005\"}, {\"name\": \"funds lawyers conferencing\", \"uid\": \"3b985120-5be7-11ee-b8c3-0242ac110005\"}], \"hostname\": \"labs.org\", \"instance_uid\": \"3b98409a-5be7-11ee-87fa-0242ac110005\", \"interface_name\": \"bestsellers qualifying blog\", \"interface_uid\": \"3b984586-5be7-11ee-b105-0242ac110005\", \"ip\": \"67.43.156.0\", \"is_managed\": false, \"location\": {\"city\": \"Arabic ana\", \"continent\": \"Asia\", \"coordinates\": [-170.1816, -41.4084], \"country\": \"IR\", \"desc\": \"Iran, Islamic Republic of\"}, \"modified_time\": 1695675919042, \"name\": \"worry scout director\", \"network_interfaces\": [{\"hostname\": \"signed.name\", \"ip\": \"175.16.199.1\", \"mac\": \"F7:10:E8:11:73:9A:1F:AD\", \"name\": \"leading ste lingerie\", \"type\": \"Wired\", \"type_id\": 1}], \"region\": \"accused continuous fibre\", \"type\": \"Laptop\", \"type_id\": 3, \"uid\": \"3b9854e0-5be7-11ee-b25b-0242ac110005\", \"uid_alt\": \"matter resolutions likely\"}, \"dst_endpoint\": {\"hostname\": \"cloud.int\", \"instance_uid\": \"3b9815de-5be7-11ee-8748-0242ac110005\", \"interface_name\": \"rentals generic singles\", \"interface_uid\": \"3b981cd2-5be7-11ee-9f36-0242ac110005\", \"ip\": \"67.43.156.0\", \"location\": {\"city\": \"Suggests contamination\", \"continent\": \"North America\", \"coordinates\": [54.5116, -89.695], \"country\": \"LC\", \"desc\": \"Saint Lucia\"}, \"name\": \"pickup offshore readers\", \"port\": 21794, 
\"subnet_uid\": \"3b9820e2-5be7-11ee-af45-0242ac110005\", \"svc_name\": \"where image territories\", \"uid\": \"3b9810ca-5be7-11ee-8a5e-0242ac110005\"}, \"is_renewal\": false, \"metadata\": {\"event_code\": \"population\", \"log_name\": \"rod nine dont\", \"log_provider\": \"remembered substantial possible\", \"modified_time\": 1695675919045, \"modified_time_dt\": \"2023-09-25T21:05:19.045538Z\", \"original_time\": \"processes payroll cheque\", \"processed_time_dt\": \"2023-09-25T21:05:19.045551Z\", \"product\": {\"lang\": \"en\", \"path\": \"trademarks clean client\", \"uid\": \"3b98010c-5be7-11ee-b3a3-0242ac110005\", \"vendor_name\": \"parents transit advisor\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"version\": \"1.0.0\"}, \"severity\": \"undefined\", \"severity_id\": 99, \"src_endpoint\": {\"hostname\": \"scores.net\", \"instance_uid\": \"3b987272-5be7-11ee-a84f-0242ac110005\", \"interface_name\": \"habits quantitative second\", \"interface_uid\": \"3b987966-5be7-11ee-ae16-0242ac110005\", \"intermediate_ips\": [\"175.16.199.1\", \"89.160.20.112\"], \"ip\": \"67.43.156.0\", \"name\": \"proceeding industries archive\", \"port\": 35266, \"svc_name\": \"marking misc alarm\", \"uid\": \"3b986b2e-5be7-11ee-9b3c-0242ac110005\", \"vpc_uid\": \"3b988096-5be7-11ee-bdee-0242ac110005\"}, \"status\": \"Failure\", \"status_detail\": \"relates cornwall cope\", \"status_id\": 2, \"time\": 1695675919042, \"timezone_offset\": 7, \"transaction_uid\": \"3b989194-5be7-11ee-b97e-0242ac110005\", \"type_name\": \"DHCP Activity: Nak\", \"type_uid\": 400406}", + "ocsf": { + "activity_id": 6, + "activity_name": "Nak", + "category_name": "Network Activity", + "category_uid": 4, + "class_name": "DHCP Activity", + "class_uid": "4004", + "count": 2, + "device": { + "groups": [ + { + "name": "funds lawyers conferencing", + "uid": "3b985120-5be7-11ee-b8c3-0242ac110005" + }, + { + "name": "crisis burlington stood", + 
"type": "regional yourself ho", + "uid": "3b984cde-5be7-11ee-a8b4-0242ac110005" + } + ], + "instance_uid": "3b98409a-5be7-11ee-87fa-0242ac110005", + "interface_name": "bestsellers qualifying blog", + "interface_uid": "3b984586-5be7-11ee-b105-0242ac110005", + "is_managed": false, + "modified_time": 1695675919042, + "network_interfaces": [ + { + "hostname": "signed.name", + "ip": "175.16.199.1", + "mac": "F7:10:E8:11:73:9A:1F:AD", + "name": "leading ste lingerie", + "type": "Wired", + "type_id": "1" + } + ], + "region": "accused continuous fibre", + "type_id": "3", + "uid_alt": "matter resolutions likely" + }, + "dst_endpoint": { + "instance_uid": "3b9815de-5be7-11ee-8748-0242ac110005", + "interface_name": "rentals generic singles", + "interface_uid": "3b981cd2-5be7-11ee-9f36-0242ac110005", + "name": "pickup offshore readers", + "subnet_uid": "3b9820e2-5be7-11ee-af45-0242ac110005", + "uid": "3b9810ca-5be7-11ee-8a5e-0242ac110005" + }, + "is_renewal": false, + "metadata": { + "log_name": "rod nine dont", + "modified_time": 1695675919045, + "modified_time_dt": "2023-09-25T21:05:19.045538Z", + "original_time": "processes payroll cheque", + "processed_time_dt": "2023-09-25T21:05:19.045551Z", + "product": { + "lang": "en", + "path": "trademarks clean client", + "uid": "3b98010c-5be7-11ee-b3a3-0242ac110005", + "vendor_name": "parents transit advisor", + "version": "1.0.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "security_control" + ], + "version": "1.0.0" + }, + "severity": "undefined", + "src_endpoint": { + "instance_uid": "3b987272-5be7-11ee-a84f-0242ac110005", + "interface_name": "habits quantitative second", + "interface_uid": "3b987966-5be7-11ee-ae16-0242ac110005", + "intermediate_ips": [ + "175.16.199.1", + "89.160.20.112" + ], + "name": "proceeding industries archive", + "uid": "3b986b2e-5be7-11ee-9b3c-0242ac110005", + "vpc_uid": "3b988096-5be7-11ee-bdee-0242ac110005" + }, + "status": "Failure", + "status_detail": "relates cornwall 
cope", + "status_id": "2", + "timezone_offset": 7, + "transaction_uid": "3b989194-5be7-11ee-b97e-0242ac110005", + "type_name": "DHCP Activity: Nak", + "type_uid": "400406" + }, "related": { "hosts": [ "cloud.int", diff --git a/OCSF/ocsf/tests/test_network_activity_5.json b/OCSF/ocsf/tests/test_network_activity_5.json index 36207db4b..e45cc90df 100644 --- a/OCSF/ocsf/tests/test_network_activity_5.json +++ b/OCSF/ocsf/tests/test_network_activity_5.json 
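Review bot: `device.groups` is `[crisis burlington stood, funds lawyers conferencing]` in the removed string but `[funds lawyers conferencing, crisis burlington stood]` in the added object, and nothing in the hunk explains the reorder; if the parser or the fixture generator does not preserve array order and the test comparison is order-sensitive, this expected output will be flaky, so either sort arrays deterministically in the parser or make the comparison order-insensitive before relying on it. `device.type: "Laptop"` is dropped while `device.type_id` is kept (as the string `"3"`), and `device.hostname`, `device.ip`, `device.location` (country `IR`), `dst_endpoint.ip`/`port` and `src_endpoint.ip`/`port` all vanish while `src_endpoint.intermediate_ips` stays under `ocsf`; `related.hosts` shows hostnames are surfaced somewhere, but the hunk gives no destination for the device geolocation, which is exactly the enrichment a detection on a DHCP `Nak` from a foreign-located device would key on — worth confirming it lands on an ECS `geo` field rather than being discarded.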
@@ -39,7 +39,188 @@ "network": { "application": "intro contacted payroll" }, - "ocsf": "{\"activity_id\": 6, \"activity_name\": \"Traffic\", \"api\": {\"operation\": \"examinations convention inquire\", \"request\": {\"uid\": \"52a2f4d8-5be7-11ee-9aad-0242ac110005\"}, \"response\": {\"error\": \"column reform improved\", \"error_message\": \"glen spray dear\"}, \"version\": \"1.0.0\"}, \"attacks\": [{\"tactics\": [{\"name\": \"Lateral Movement | The adversary is trying to move through your environment.\", \"uid\": \"TA0008\"}, {\"name\": \"Defense Evasion The adversary is trying to avoid being detected.\", \"uid\": \"TA0005\"}], \"technique\": {\"name\": \"Spearphishing Attachment\", \"uid\": \"T1193\"}, \"version\": \"12.1\"}, {\"tactics\": [{\"name\": \"Command and Control The adversary is trying to communicate with compromised systems to control them.\", \"uid\": \"TA0011\"}, {\"name\": \"Lateral Movement | The adversary is trying to move through your environment.\", \"uid\": \"TA0008\"}, {\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Malware\", \"uid\": \"T1587.001\"}, \"version\": \"12.1\"}], \"capabilities\": [\"makers inkjet wealth\", \"statistical athletic tactics\"], \"category_name\": \"Network Activity\", \"category_uid\": 4, \"certificate_chain\": [\"universities investment processing\", \"magazines cooler constitute\"], \"class_name\": \"RDP Activity\", \"class_uid\": 4005, \"cloud\": {\"provider\": \"lafayette lime metal\", \"region\": \"crimes gotten calculators\"}, \"connection_info\": {\"boundary\": \"direction design hook\", \"direction\": \"Unknown\", \"direction_id\": 0, \"protocol_num\": 7, \"protocol_ver\": \"compliant\", \"protocol_ver_id\": 99}, \"device\": {\"autoscale_uid\": \"52a3aa7c-5be7-11ee-afac-0242ac110005\", \"hostname\": \"bookstore.com\", \"hypervisor\": \"t contacting bomb\", \"instance_uid\": 
\"52a3af0e-5be7-11ee-8962-0242ac110005\", \"interface_name\": \"fifth cancer ties\", \"interface_uid\": \"52a3b382-5be7-11ee-b868-0242ac110005\", \"ip\": \"175.16.199.1\", \"name\": \"mpg mumbai feedback\", \"network_interfaces\": [{\"hostname\": \"tray.gov\", \"ip\": \"175.16.199.1\", \"mac\": \"D3:B5:6A:19:38:2F:24:A1\", \"name\": \"extensive confirmation invisible\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"52a3a572-5be7-11ee-b24b-0242ac110005\"}], \"region\": \"childrens carriers contracting\", \"risk_level\": \"theory mattress fr\", \"risk_score\": 32, \"type\": \"cingular\", \"type_id\": 99, \"uid\": \"52a3b968-5be7-11ee-8c32-0242ac110005\"}, \"disposition\": \"Quarantined\", \"disposition_id\": 3, \"dst_endpoint\": {\"hostname\": \"climate.gov\", \"instance_uid\": \"52a3919a-5be7-11ee-a566-0242ac110005\", \"ip\": \"67.43.156.0\", \"mac\": \"6F:86:CF:42:61:43:EF:EC\", \"name\": \"codes acts containers\", \"port\": 11600, \"svc_name\": \"intro contacted payroll\", \"uid\": \"52a30022-5be7-11ee-b27b-0242ac110005\"}, \"end_time_dt\": \"2023-09-25T21:05:57.699925Z\", \"message\": \"start gifts correlation\", \"metadata\": {\"log_name\": \"structured electron theaters\", \"log_provider\": \"unwrap std painful\", \"modified_time\": 1695675957701, \"modified_time_dt\": \"2023-09-25T21:05:57.703141Z\", \"original_time\": \"skins child clearance\", \"product\": {\"feature\": {\"name\": \"purse support el\", \"uid\": \"52a2b0e0-5be7-11ee-9130-0242ac110005\", \"version\": \"1.0.0\"}, \"name\": \"sleeping roy view\", \"uid\": \"52a2a83e-5be7-11ee-b480-0242ac110005\", \"vendor_name\": \"display discipline juvenile\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"version\": \"1.0.0\"}, \"protocol_ver\": \"1.1.1\", \"request\": {\"uid\": \"52a3da4c-5be7-11ee-baa3-0242ac110005\"}, \"response\": {\"code\": 79, \"error\": \"earn bios diamonds\", \"flags\": [\"doors plus tool\"], \"message\": 
\"mysimon forum john\"}, \"severity\": \"Low\", \"severity_id\": 2, \"src_endpoint\": {\"instance_uid\": \"52a3cca0-5be7-11ee-bb44-0242ac110005\", \"interface_name\": \"caring interface recipe\", \"interface_uid\": \"52a3d06a-5be7-11ee-b15e-0242ac110005\", \"intermediate_ips\": [\"175.16.199.1\", \"89.160.20.112\"], \"ip\": \"67.43.156.0\", \"name\": \"request brakes anyway\", \"port\": 55305, \"svc_name\": \"leo fraser mic\", \"uid\": \"52a3c912-5be7-11ee-a7e5-0242ac110005\"}, \"start_time\": 1695675957693, \"status\": \"chronicle\", \"status_code\": \"lectures\", \"status_id\": 99, \"time\": 1695675957710, \"timezone_offset\": 14, \"tls\": {\"certificate\": {\"created_time\": 1695675957703, \"expiration_time\": 1695675957707, \"fingerprints\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"FC52C21756C177325B755781195254D9\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"B840263DB579453C080DA366BADC329FC04B253D1ACCC2F6FDEB475D2C1B4811CED673F4981DBFC8FC88877A7516C41B28BA654D3911FE15ED7E4BA5849624F9\"}], \"issuer\": \"ring vc mild\", \"serial_number\": \"refrigerator os jumping\", \"subject\": \"tramadol babe inf\", \"version\": \"1.0.0\"}, \"certificate_chain\": [\"permissions logistics pipe\"], \"cipher\": \"fabric mess guaranteed\", \"client_ciphers\": [\"python ireland aerial\", \"season textbook walt\"], \"ja3s_hash\": {\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"63DA7BD36D87B066DC0E0BB794DBD39ABF21F1A63BA929705FB6C81005838FFA5E8FE456C4DB8ACBD983D90356A5707FC1F4EF069CC70B65B34A5496D5484DDC\"}, \"sans\": [{\"name\": \"downloads informed warehouse\", \"type\": \"ordinance place flower\"}, {\"name\": \"gamma consultant lcd\", \"type\": \"experienced loved premises\"}], \"sni\": \"burner funeral singing\", \"version\": \"1.0.0\"}, \"traffic\": {\"bytes\": 4178624388, \"bytes_in\": 3737296762, \"bytes_out\": 2902061295, \"packets\": 2072578920}, \"type_name\": \"RDP Activity: Traffic\", \"type_uid\": 400506}", + "ocsf": 
{ + "activity_id": 6, + "activity_name": "Traffic", + "api": { + "operation": "examinations convention inquire", + "request": { + "uid": "52a2f4d8-5be7-11ee-9aad-0242ac110005" + }, + "response": { + "error": "column reform improved", + "error_message": "glen spray dear" + }, + "version": "1.0.0" + }, + "attacks": [ + { + "tactics": [ + { + "name": "Lateral Movement | The adversary is trying to move through your environment.", + "uid": "TA0008" + }, + { + "name": "Defense Evasion The adversary is trying to avoid being detected.", + "uid": "TA0005" + } + ], + "technique": { + "name": "Spearphishing Attachment", + "uid": "T1193" + }, + "version": "12.1" + }, + { + "tactics": [ + { + "name": "Command and Control The adversary is trying to communicate with compromised systems to control them.", + "uid": "TA0011" + }, + { + "name": "Lateral Movement | The adversary is trying to move through your environment.", + "uid": "TA0008" + }, + { + "name": "Privilege Escalation | The adversary is trying to gain higher-level permissions.", + "uid": "TA0004" + } + ], + "technique": { + "name": "Malware", + "uid": "T1587.001" + }, + "version": "12.1" + } + ], + "capabilities": [ + "makers inkjet wealth", + "statistical athletic tactics" + ], + "category_name": "Network Activity", + "category_uid": 4, + "class_name": "RDP Activity", + "class_uid": "4005", + "connection_info": { + "boundary": "direction design hook", + "direction": "Unknown", + "direction_id": "0", + "protocol_ver_id": "99" + }, + "device": { + "autoscale_uid": "52a3aa7c-5be7-11ee-afac-0242ac110005", + "hypervisor": "t contacting bomb", + "instance_uid": "52a3af0e-5be7-11ee-8962-0242ac110005", + "interface_name": "fifth cancer ties", + "interface_uid": "52a3b382-5be7-11ee-b868-0242ac110005", + "network_interfaces": [ + { + "hostname": "tray.gov", + "ip": "175.16.199.1", + "mac": "D3:B5:6A:19:38:2F:24:A1", + "name": "extensive confirmation invisible", + "type": "Unknown", + "type_id": "0", + "uid": 
"52a3a572-5be7-11ee-b24b-0242ac110005" + } + ], + "region": "childrens carriers contracting", + "type_id": "99" + }, + "disposition": "Quarantined", + "disposition_id": "3", + "dst_endpoint": { + "instance_uid": "52a3919a-5be7-11ee-a566-0242ac110005", + "name": "codes acts containers", + "uid": "52a30022-5be7-11ee-b27b-0242ac110005" + }, + "end_time_dt": "2023-09-25T21:05:57.699925Z", + "metadata": { + "log_name": "structured electron theaters", + "modified_time": 1695675957701, + "modified_time_dt": "2023-09-25T21:05:57.703141Z", + "original_time": "skins child clearance", + "product": { + "feature": { + "name": "purse support el", + "uid": "52a2b0e0-5be7-11ee-9130-0242ac110005", + "version": "1.0.0" + }, + "name": "sleeping roy view", + "uid": "52a2a83e-5be7-11ee-b480-0242ac110005", + "vendor_name": "display discipline juvenile", + "version": "1.0.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "security_control" + ], + "version": "1.0.0" + }, + "protocol_ver": "1.1.1", + "response": { + "error": "earn bios diamonds", + "flags": [ + "doors plus tool" + ], + "message": "mysimon forum john" + }, + "severity": "Low", + "src_endpoint": { + "instance_uid": "52a3cca0-5be7-11ee-bb44-0242ac110005", + "interface_name": "caring interface recipe", + "interface_uid": "52a3d06a-5be7-11ee-b15e-0242ac110005", + "intermediate_ips": [ + "175.16.199.1", + "89.160.20.112" + ], + "name": "request brakes anyway", + "uid": "52a3c912-5be7-11ee-a7e5-0242ac110005" + }, + "status": "chronicle", + "status_code": "lectures", + "status_id": "99", + "timezone_offset": 14, + "tls": { + "certificate": { + "created_time": 1695675957703, + "fingerprints": [ + { + "algorithm": "MD5", + "algorithm_id": "1", + "value": "FC52C21756C177325B755781195254D9" + }, + { + "algorithm": "CTPH", + "algorithm_id": "5", + "value": "B840263DB579453C080DA366BADC329FC04B253D1ACCC2F6FDEB475D2C1B4811CED673F4981DBFC8FC88877A7516C41B28BA654D3911FE15ED7E4BA5849624F9" + } + ] + }, + 
"certificate_chain": [ + "permissions logistics pipe" + ], + "ja3s_hash": { + "algorithm": "SHA-512", + "algorithm_id": "4" + }, + "sans": [ + { + "name": "downloads informed warehouse", + "type": "ordinance place flower" + }, + { + "name": "gamma consultant lcd", + "type": "experienced loved premises" + } + ] + }, + "type_name": "RDP Activity: Traffic", + "type_uid": "400506" + }, "related": { "hosts": [ "climate.gov" diff --git a/OCSF/ocsf/tests/test_network_activity_6.json b/OCSF/ocsf/tests/test_network_activity_6.json index b2f01ccfa..c810021e0 100644 --- a/OCSF/ocsf/tests/test_network_activity_6.json +++ b/OCSF/ocsf/tests/test_network_activity_6.json 
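Review bot: `tls.ja3s_hash` is reduced to `{"algorithm": "SHA-512", "algorithm_id": "4"}` with its `value` (the 128-hex digest in the removed string) dropped, and a fingerprint object without its digest is unusable for hunting; if JA3S is mapped to `tls.server.ja3s` outside the hunk the empty stub should probably not be emitted at all, and if it is not, this expected output now certifies losing the TLS fingerprint. The same pattern hits `tls.sni`, `tls.cipher`, `tls.version` and `tls.certificate.issuer`/`subject`/`serial_number`/`expiration_time`, while `tls.certificate.created_time` and the two `fingerprints` entries survive, and the top-level `certificate_chain` disappears while `tls.certificate_chain` stays — the asymmetry reads as accidental rather than as a mapping decision. `response.code: 79`, `device.risk_level` and `device.risk_score` are also gone with no visible ECS target; a short mapping table in the intake README (OCSF path → ECS field, or "dropped") would let reviewers tell intended drops from parser gaps.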
@@ -38,7 +38,178 @@ "network": { "application": "galleries facilitate fiji" }, - "ocsf": "{\"activity_id\": 3, \"activity_name\": \"File Create\", \"attacks\": [{\"tactics\": [{\"name\": \"Credential Access The adversary is trying to steal account names and passwords.\", \"uid\": \"TA0006\"}, {\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}], \"technique\": {\"name\": \"Multi-hop Proxy\", \"uid\": \"T1090.003\"}, \"version\": \"12.1\"}, {\"tactics\": [{\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}, {\"name\": \"Resource Development | The adversary is trying to establish resources they can use to support operations.\", \"uid\": \"TA0042\"}, {\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}], \"technique\": {\"name\": \"Python\", \"uid\": \"T1059.006\"}, \"version\": \"12.1\"}], \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"SMB Activity\", \"class_uid\": 4006, \"client_dialects\": [\"gabriel ourselves diameter\", \"avg pages denial\"], \"cloud\": {\"provider\": \"bracelet characteristic scenic\", \"region\": \"southern handles paradise\", \"zone\": \"silk appointed semi\"}, \"command\": \"switch text springs\", \"connection_info\": {\"direction\": \"Unknown\", \"direction_id\": 0, \"protocol_num\": 89}, \"device\": {\"autoscale_uid\": \"5d957758-5be7-11ee-bdd5-0242ac110005\", \"groups\": [{\"name\": \"medical discovered punishment\", \"uid\": \"5d958856-5be7-11ee-bf58-0242ac110005\"}, {\"name\": \"layer achieving api\", \"type\": \"prefers biol broke\", \"uid\": \"5d958cc0-5be7-11ee-8274-0242ac110005\"}], \"hostname\": \"african.museum\", \"instance_uid\": \"5d957cd0-5be7-11ee-b6eb-0242ac110005\", \"interface_name\": \"guided educational wy\", \"interface_uid\": \"5d958130-5be7-11ee-894c-0242ac110005\", \"ip\": \"175.16.199.1\", \"is_personal\": 
false, \"name\": \"rwanda medal hazardous\", \"region\": \"retain ste cfr\", \"type\": \"IOT\", \"type_id\": 7}, \"dialect\": \"teams restaurants altered\", \"disposition\": \"Allowed\", \"disposition_id\": 1, \"dst_endpoint\": {\"hostname\": \"larger.mil\", \"instance_uid\": \"5d9550f2-5be7-11ee-8ce8-0242ac110005\", \"interface_name\": \"remaining james spent\", \"interface_uid\": \"5d955516-5be7-11ee-8913-0242ac110005\", \"ip\": \"67.43.156.0\", \"name\": \"simulations mountains flow\", \"port\": 3375, \"svc_name\": \"galleries facilitate fiji\", \"uid\": \"5d954af8-5be7-11ee-9dec-0242ac110005\"}, \"duration\": 78, \"file\": {\"accessed_time_dt\": \"2023-09-25T21:06:16.073784Z\", \"attributes\": 43, \"hashes\": [{\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"37B77065B54AA76AAE4D96BFEA21F81217D2CEDE06CA457D86A77C0609B483B73102B9C600CC6DFEA5252B15E8E823BD2E5137AA311F7A2011B867F18FE9F502\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"B6F8AE88482BDE38221723480B7EE2BE8088C076BDB5F22AA847A66E59C2ACFB\"}], \"modified_time\": 1695675976016, \"modified_time_dt\": \"2023-09-25T21:06:16.073732Z\", \"name\": \"brazil.docx\", \"parent_folder\": \"pay msie consciousness/checking.tiff\", \"path\": \"pay msie consciousness/checking.tiff/brazil.docx\", \"product\": {\"lang\": \"en\", \"name\": \"oecd initiatives purposes\", \"uid\": \"5d95c636-5be7-11ee-8b22-0242ac110005\", \"vendor_name\": \"personal harmful referrals\", \"version\": \"1.0.0\"}, \"security_descriptor\": \"subsequent latinas quotes\", \"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1, \"certificate\": {\"created_time\": 1695675976051, \"expiration_time\": 1695675976057, \"fingerprints\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"9B0FBD383D667D48DB1FE9647C1E4BAA821ACA2908D5FFED88F145781F8B1A35\"}], \"issuer\": \"digest june ty\", \"serial_number\": \"schedules heater hardwood\", \"subject\": \"tagged military guided\", \"version\": \"1.0.0\"}}, 
\"type\": \"Character Device\", \"type_id\": 3, \"uid\": \"5d95ca5a-5be7-11ee-a417-0242ac110005\"}, \"message\": \"hotels boc parcel\", \"metadata\": {\"correlation_uid\": \"5d9534be-5be7-11ee-a413-0242ac110005\", \"log_name\": \"tampa array expired\", \"modified_time_dt\": \"2023-09-25T21:06:16.069686Z\", \"original_time\": \"gis holmes roads\", \"processed_time\": 1695675976062, \"product\": {\"name\": \"quantities persian easy\", \"uid\": \"5d952ece-5be7-11ee-8ef1-0242ac110005\", \"url_string\": \"blog\", \"vendor_name\": \"appliances building lauren\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"version\": \"1.0.0\"}, \"open_type\": \"estates collections cia\", \"response\": {\"code\": 94, \"error\": \"monsters pl positioning\", \"error_message\": \"wires hart dirty\"}, \"severity\": \"Medium\", \"severity_id\": 3, \"share_type\": \"File\", \"share_type_id\": 1, \"src_endpoint\": {\"hostname\": \"sara.web\", \"instance_uid\": \"5d95a4ee-5be7-11ee-a0b5-0242ac110005\", \"interface_name\": \"christians comparing garbage\", \"interface_uid\": \"5d95a8e0-5be7-11ee-800d-0242ac110005\", \"ip\": \"67.43.156.0\", \"name\": \"wyoming relocation sufficiently\", \"port\": 21573, \"svc_name\": \"photographers do nobody\", \"uid\": \"5d95a0ac-5be7-11ee-a3e8-0242ac110005\", \"vpc_uid\": \"5d95aec6-5be7-11ee-b409-0242ac110005\"}, \"status\": \"Failure\", \"status_id\": 2, \"time\": 1695675976070, \"time_dt\": \"2023-09-25T21:06:16.072807Z\", \"timezone_offset\": 21, \"type_name\": \"SMB Activity: File Create\", \"type_uid\": 400603}", + "ocsf": { + "activity_id": 3, + "activity_name": "File Create", + "attacks": [ + { + "tactics": [ + { + "name": "Credential Access The adversary is trying to steal account names and passwords.", + "uid": "TA0006" + }, + { + "name": "Exfiltration | The adversary is trying to steal data.", + "uid": "TA0010" + } + ], + "technique": { + "name": "Multi-hop Proxy", + "uid": 
"T1090.003" + }, + "version": "12.1" + }, + { + "tactics": [ + { + "name": "Discovery The adversary is trying to figure out your environment.", + "uid": "TA0007" + }, + { + "name": "Resource Development | The adversary is trying to establish resources they can use to support operations.", + "uid": "TA0042" + }, + { + "name": "Reconnaissance | The adversary is trying to gather information they can use to plan future operations.", + "uid": "TA0043" + } + ], + "technique": { + "name": "Python", + "uid": "T1059.006" + }, + "version": "12.1" + } + ], + "category_name": "Network Activity", + "category_uid": 4, + "class_name": "SMB Activity", + "class_uid": "4006", + "client_dialects": [ + "avg pages denial", + "gabriel ourselves diameter" + ], + "command": "switch text springs", + "connection_info": { + "direction": "Unknown", + "direction_id": "0" + }, + "device": { + "autoscale_uid": "5d957758-5be7-11ee-bdd5-0242ac110005", + "groups": [ + { + "name": "medical discovered punishment", + "uid": "5d958856-5be7-11ee-bf58-0242ac110005" + }, + { + "name": "layer achieving api", + "type": "prefers biol broke", + "uid": "5d958cc0-5be7-11ee-8274-0242ac110005" + } + ], + "instance_uid": "5d957cd0-5be7-11ee-b6eb-0242ac110005", + "interface_name": "guided educational wy", + "interface_uid": "5d958130-5be7-11ee-894c-0242ac110005", + "is_personal": false, + "region": "retain ste cfr", + "type_id": "7" + }, + "dialect": "teams restaurants altered", + "disposition": "Allowed", + "disposition_id": "1", + "dst_endpoint": { + "instance_uid": "5d9550f2-5be7-11ee-8ce8-0242ac110005", + "interface_name": "remaining james spent", + "interface_uid": "5d955516-5be7-11ee-8913-0242ac110005", + "name": "simulations mountains flow", + "uid": "5d954af8-5be7-11ee-9dec-0242ac110005" + }, + "duration": 78, + "file": { + "accessed_time_dt": "2023-09-25T21:06:16.073784Z", + "attributes": 43, + "hashes": [ + { + "algorithm": "Unknown", + "algorithm_id": "0", + "value": 
"37B77065B54AA76AAE4D96BFEA21F81217D2CEDE06CA457D86A77C0609B483B73102B9C600CC6DFEA5252B15E8E823BD2E5137AA311F7A2011B867F18FE9F502" + }, + { + "algorithm": "SHA-256", + "algorithm_id": "3", + "value": "B6F8AE88482BDE38221723480B7EE2BE8088C076BDB5F22AA847A66E59C2ACFB" + } + ], + "modified_time_dt": "2023-09-25T21:06:16.073732Z", + "product": { + "lang": "en", + "name": "oecd initiatives purposes", + "uid": "5d95c636-5be7-11ee-8b22-0242ac110005", + "vendor_name": "personal harmful referrals", + "version": "1.0.0" + }, + "security_descriptor": "subsequent latinas quotes", + "signature": { + "algorithm": "DSA", + "algorithm_id": "1", + "certificate": { + "created_time": 1695675976051, + "fingerprints": [ + { + "algorithm": "magic", + "algorithm_id": "99", + "value": "9B0FBD383D667D48DB1FE9647C1E4BAA821ACA2908D5FFED88F145781F8B1A35" + } + ] + } + }, + "type_id": "3" + }, + "metadata": { + "correlation_uid": "5d9534be-5be7-11ee-a413-0242ac110005", + "log_name": "tampa array expired", + "modified_time_dt": "2023-09-25T21:06:16.069686Z", + "original_time": "gis holmes roads", + "processed_time": 1695675976062, + "product": { + "name": "quantities persian easy", + "uid": "5d952ece-5be7-11ee-8ef1-0242ac110005", + "url_string": "blog", + "vendor_name": "appliances building lauren", + "version": "1.0.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "security_control" + ], + "version": "1.0.0" + }, + "open_type": "estates collections cia", + "response": { + "error": "monsters pl positioning", + "error_message": "wires hart dirty" + }, + "severity": "Medium", + "share_type": "File", + "share_type_id": "1", + "src_endpoint": { + "instance_uid": "5d95a4ee-5be7-11ee-a0b5-0242ac110005", + "interface_name": "christians comparing garbage", + "interface_uid": "5d95a8e0-5be7-11ee-800d-0242ac110005", + "name": "wyoming relocation sufficiently", + "uid": "5d95a0ac-5be7-11ee-a3e8-0242ac110005", + "vpc_uid": "5d95aec6-5be7-11ee-b409-0242ac110005" + }, + "status": 
"Failure", + "status_id": "2", + "time_dt": "2023-09-25T21:06:16.072807Z", + "timezone_offset": 21, + "type_name": "SMB Activity: File Create", + "type_uid": "400603" + }, "related": { "hosts": [ "larger.mil", diff --git a/OCSF/ocsf/tests/test_network_activity_7.json b/OCSF/ocsf/tests/test_network_activity_7.json index d68039348..578d8f618 100644 --- a/OCSF/ocsf/tests/test_network_activity_7.json +++ b/OCSF/ocsf/tests/test_network_activity_7.json 
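Review bot: `file.name`, `file.path`, `file.parent_folder`, `file.type` and `file.uid` are dropped from the object while `file.security_descriptor`, `file.attributes` and both `file.hashes` entries are kept, including the one whose `algorithm` is `Unknown` (`algorithm_id: "0"`) with an opaque 128-hex `value`; presumably the SHA-256 also lands on `file.hash.sha256`, but the unknown-algorithm digest is then only searchable under `ocsf.file.hashes.value`, and the SMB `file.path` — the field an SMB `File Create` detection keys on — has no destination visible in this hunk, so please confirm it is asserted on ECS `file.path` elsewhere in the fixture. `client_dialects` is `[gabriel…, avg…]` in the removed string and `[avg…, gabriel…]` in the added object, the same unexplained array reorder as the DHCP fixture, which suggests ordering is not stable across the parser. `response.code: 94` and `connection_info.protocol_num: 89` are dropped while `response.error`/`error_message` stay, consistent with the RDP fixture; if numeric `code` fields are intentionally unmapped that is fine, but a one-line note in the README would save re-deriving it.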
@@ -36,7 +36,98 @@ "network": { "application": "observations dennis meals" }, - "ocsf": "{\"activity_id\": 0, \"activity_name\": \"Unknown\", \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"SSH Activity\", \"class_uid\": 4007, \"client_hassh\": {\"algorithm\": \"gave dollars relocation\", \"fingerprint\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"232BC0C0B14F890B4F4BBBBD5985A67835F29296946D5D7F9401A44A441D72A2E3C86A7ED1DABF2390B70C41466925E22D45442C6CE2C51BF2BD75A66EBA67AC\"}}, \"cloud\": {\"provider\": \"flights density typical\"}, \"connection_info\": {\"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_name\": \"genes booth confirm\", \"protocol_num\": 59, \"tcp_flags\": 18}, \"device\": {\"hostname\": \"incurred.net\", \"hypervisor\": \"attempt missouri lan\", \"instance_uid\": \"63c182d4-5be7-11ee-afba-0242ac110005\", \"interface_name\": \"mozambique pm carol\", \"ip\": \"127.252.94.88\", \"is_personal\": false, \"is_trusted\": true, \"name\": \"britney diseases bhutan\", \"region\": \"southeast packed cookies\", \"type\": \"Tablet\", \"type_id\": 4, \"uid\": \"63c18c7a-5be7-11ee-930e-0242ac110005\", \"vlan_uid\": \"63c18892-5be7-11ee-b15d-0242ac110005\"}, \"disposition\": \"Custom Action\", \"disposition_id\": 7, \"dst_endpoint\": {\"hostname\": \"novelty.arpa\", \"instance_uid\": \"63c1091c-5be7-11ee-a143-0242ac110005\", \"interface_name\": \"salvador far disable\", \"interface_uid\": \"63c10d18-5be7-11ee-9b99-0242ac110005\", \"ip\": \"175.16.199.1\", \"svc_name\": \"observations dennis meals\", \"uid\": \"63c1050c-5be7-11ee-8213-0242ac110005\", \"vpc_uid\": \"63c11100-5be7-11ee-9b51-0242ac110005\"}, \"message\": \"necessarily concord washer\", \"metadata\": {\"log_name\": \"bowling consistently pgp\", \"log_provider\": \"babies entities stephanie\", \"original_time\": \"weed treasury specifications\", \"product\": {\"lang\": \"en\", \"name\": \"anaheim used riverside\", \"path\": \"volvo 
expired marketing\", \"uid\": \"63c0f6ac-5be7-11ee-a542-0242ac110005\", \"vendor_name\": \"flowers billing iso\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"sequence\": 3, \"uid\": \"63c0fbfc-5be7-11ee-82e8-0242ac110005\", \"version\": \"1.0.0\"}, \"proxy\": {\"hostname\": \"problems.org\", \"instance_uid\": \"63c20466-5be7-11ee-a825-0242ac110005\", \"interface_name\": \"probe drugs bonds\", \"interface_uid\": \"63c24e08-5be7-11ee-be10-0242ac110005\", \"name\": \"involve teacher calls\", \"port\": 50284, \"subnet_uid\": \"63c25358-5be7-11ee-a90c-0242ac110005\", \"svc_name\": \"selecting regional enrollment\", \"vlan_uid\": \"63c257fe-5be7-11ee-bca6-0242ac110005\"}, \"server_hassh\": {\"algorithm\": \"shelter remember stickers\", \"fingerprint\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"B23B6D25324F518146005AEA01FD7A7C64EC137532780572E3852F9D8E8556F4\"}}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"hostname\": \"visit.name\", \"instance_uid\": \"63c1c4ec-5be7-11ee-ac25-0242ac110005\", \"interface_name\": \"successful maryland study\", \"ip\": \"67.43.156.0\", \"name\": \"spas enclosure pleased\", \"port\": 63141, \"svc_name\": \"shipment miscellaneous highlights\", \"uid\": \"63c1bb1e-5be7-11ee-b5ab-0242ac110005\", \"vpc_uid\": \"63c1fa70-5be7-11ee-ac6c-0242ac110005\"}, \"status\": \"Failure\", \"status_id\": 2, \"time\": 1695675986429, \"time_dt\": \"2023-09-25T21:06:26.429430Z\", \"timezone_offset\": 88, \"type_name\": \"SSH Activity: Unknown\", \"type_uid\": 400700}", + "ocsf": { + "activity_id": 0, + "activity_name": "Unknown", + "category_name": "Network Activity", + "category_uid": 4, + "class_name": "SSH Activity", + "class_uid": "4007", + "client_hassh": { + "algorithm": "gave dollars relocation", + "fingerprint": { + "algorithm": "quickXorHash", + "algorithm_id": "7", + "value": 
"232BC0C0B14F890B4F4BBBBD5985A67835F29296946D5D7F9401A44A441D72A2E3C86A7ED1DABF2390B70C41466925E22D45442C6CE2C51BF2BD75A66EBA67AC" + } + }, + "connection_info": { + "direction": "Inbound", + "direction_id": "1", + "tcp_flags": 18 + }, + "device": { + "hypervisor": "attempt missouri lan", + "instance_uid": "63c182d4-5be7-11ee-afba-0242ac110005", + "interface_name": "mozambique pm carol", + "is_personal": false, + "is_trusted": true, + "region": "southeast packed cookies", + "type_id": "4" + }, + "disposition": "Custom Action", + "disposition_id": "7", + "dst_endpoint": { + "instance_uid": "63c1091c-5be7-11ee-a143-0242ac110005", + "interface_name": "salvador far disable", + "interface_uid": "63c10d18-5be7-11ee-9b99-0242ac110005", + "uid": "63c1050c-5be7-11ee-8213-0242ac110005", + "vpc_uid": "63c11100-5be7-11ee-9b51-0242ac110005" + }, + "metadata": { + "log_name": "bowling consistently pgp", + "original_time": "weed treasury specifications", + "product": { + "lang": "en", + "name": "anaheim used riverside", + "path": "volvo expired marketing", + "uid": "63c0f6ac-5be7-11ee-a542-0242ac110005", + "vendor_name": "flowers billing iso", + "version": "1.0.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "security_control" + ], + "version": "1.0.0" + }, + "proxy": { + "hostname": "problems.org", + "instance_uid": "63c20466-5be7-11ee-a825-0242ac110005", + "interface_name": "probe drugs bonds", + "interface_uid": "63c24e08-5be7-11ee-be10-0242ac110005", + "name": "involve teacher calls", + "port": 50284, + "subnet_uid": "63c25358-5be7-11ee-a90c-0242ac110005", + "svc_name": "selecting regional enrollment", + "vlan_uid": "63c257fe-5be7-11ee-bca6-0242ac110005" + }, + "server_hassh": { + "algorithm": "shelter remember stickers", + "fingerprint": { + "algorithm": "SHA-256", + "algorithm_id": "3", + "value": "B23B6D25324F518146005AEA01FD7A7C64EC137532780572E3852F9D8E8556F4" + } + }, + "severity": "Informational", + "src_endpoint": { + "instance_uid": 
"63c1c4ec-5be7-11ee-ac25-0242ac110005",
+ "interface_name": "successful maryland study",
+ "name": "spas enclosure pleased",
+ "uid": "63c1bb1e-5be7-11ee-b5ab-0242ac110005",
+ "vpc_uid": "63c1fa70-5be7-11ee-ac6c-0242ac110005"
+ },
+ "status": "Failure",
+ "status_id": "2",
+ "time_dt": "2023-09-25T21:06:26.429430Z",
+ "timezone_offset": 88,
+ "type_name": "SSH Activity: Unknown",
+ "type_uid": "400700"
+ },
 "related": {
 "hosts": [
 "novelty.arpa",
diff --git a/OCSF/ocsf/tests/test_network_activity_8.json b/OCSF/ocsf/tests/test_network_activity_8.json
index 168dcb068..040086f7e 100644
--- a/OCSF/ocsf/tests/test_network_activity_8.json
+++ b/OCSF/ocsf/tests/test_network_activity_8.json
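Review bot: The new expected `ocsf` object is inconsistent about which OCSF enumeration identifiers are integers and which are strings: `class_uid`, `direction_id`, `disposition_id`, `fingerprint.algorithm_id`, `status_id` and `type_uid` are now quoted (`"4007"`, `"1"`, `"400700"`) while `activity_id`, `category_uid` and `tcp_flags` stay numeric, and the removed line carried all of them as integers. A detection rule or correlation written as `ocsf.class_uid == 4007` silently stops matching if the indexed type is keyword, so whichever type the intake's field definitions declare for these should be applied uniformly across the `*_id`/`*_uid` siblings rather than field by field. The same mixed typing appears in the hunks for test_network_activity_8.json and test_network_activity_9.json (for example `status_id: "99"` next to `category_uid: 4`). If the string form is deliberate, a sentence in the parser or CHANGELOG stating the convention would save the next reviewer from raising it again.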
@@ -36,7 +36,118 @@ "network": { "application": "meditation qualify finish" }, - "ocsf": "{\"activity_id\": 0, \"activity_name\": \"Unknown\", \"attacks\": [{\"tactics\": [{\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}, {\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}, {\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}], \"technique\": {\"name\": \"Exploitation for Client Execution\", \"uid\": \"T1203\"}, \"version\": \"12.1\"}, {\"tactics\": [{\"name\": \"Lateral Movement | The adversary is trying to move through your environment.\", \"uid\": \"TA0008\"}, {\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}], \"technique\": {\"name\": \"Acquire Infrastructure\", \"uid\": \"T1583\"}, \"version\": \"12.1\"}], \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"FTP Activity\", \"class_uid\": 4008, \"cloud\": {\"provider\": \"there underwear pitch\"}, \"codes\": [44], \"command\": \"moving sensitivity uri\", \"command_responses\": [\"equations studios metallic\", \"heat designated unto\"], \"connection_info\": {\"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 74}, \"disposition\": \"Blocked\", \"disposition_id\": 2, \"dst_endpoint\": {\"hostname\": \"seattle.cat\", \"instance_uid\": \"690581f0-5be7-11ee-8486-0242ac110005\", \"interface_name\": \"towards suzuki opportunities\", \"interface_uid\": \"690585f6-5be7-11ee-a611-0242ac110005\", \"ip\": \"67.43.156.0\", \"port\": 37570, \"svc_name\": \"meditation qualify finish\", \"uid\": \"69057d22-5be7-11ee-b5d1-0242ac110005\", \"vlan_uid\": \"69058a1a-5be7-11ee-bf51-0242ac110005\"}, \"end_time\": 1695675995259, \"end_time_dt\": \"2023-09-25T21:06:35.259215Z\", \"message\": \"cyber flower lyric\", \"metadata\": 
{\"correlation_uid\": \"69056d3c-5be7-11ee-8e34-0242ac110005\", \"log_name\": \"investor direct pickup\", \"log_provider\": \"penn awards fp\", \"modified_time_dt\": \"2023-09-25T21:06:35.260101Z\", \"original_time\": \"fax pro carries\", \"processed_time\": 1695675995263, \"product\": {\"lang\": \"en\", \"name\": \"islands unless trivia\", \"uid\": \"690566e8-5be7-11ee-bbe6-0242ac110005\", \"vendor_name\": \"mai insight ws\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"version\": \"1.0.0\"}, \"port\": 58038, \"severity\": \"Fatal\", \"severity_id\": 6, \"src_endpoint\": {\"domain\": \"preview lectures oo\", \"hostname\": \"collectible.firm\", \"instance_uid\": \"6905cb2e-5be7-11ee-bd4d-0242ac110005\", \"interface_name\": \"drives center wondering\", \"interface_uid\": \"6905cf66-5be7-11ee-af73-0242ac110005\", \"intermediate_ips\": [\"67.43.156.0\", \"89.160.20.112\"], \"port\": 21528, \"svc_name\": \"burn mental trembl\", \"uid\": \"6905c674-5be7-11ee-8e5b-0242ac110005\", \"vpc_uid\": \"6905d4a2-5be7-11ee-b06b-0242ac110005\"}, \"status\": \"discussions\", \"status_code\": \"certificates\", \"status_id\": 99, \"time\": 1695675995262, \"timezone_offset\": 79, \"traffic\": {\"bytes\": 1018309558, \"bytes_out\": 469399752, \"packets\": 3392751261, \"packets_in\": 114291882}, \"type\": \"seller luther nursery\", \"type_name\": \"FTP Activity: Unknown\", \"type_uid\": 400800}", + "ocsf": { + "activity_id": 0, + "activity_name": "Unknown", + "attacks": [ + { + "tactics": [ + { + "name": "Reconnaissance | The adversary is trying to gather information they can use to plan future operations.", + "uid": "TA0043" + }, + { + "name": "Exfiltration | The adversary is trying to steal data.", + "uid": "TA0010" + }, + { + "name": "Exfiltration | The adversary is trying to steal data.", + "uid": "TA0010" + } + ], + "technique": { + "name": "Exploitation for Client Execution", + "uid": "T1203" + }, + "version": 
"12.1" + }, + { + "tactics": [ + { + "name": "Lateral Movement | The adversary is trying to move through your environment.", + "uid": "TA0008" + }, + { + "name": "Reconnaissance | The adversary is trying to gather information they can use to plan future operations.", + "uid": "TA0043" + } + ], + "technique": { + "name": "Acquire Infrastructure", + "uid": "T1583" + }, + "version": "12.1" + } + ], + "category_name": "Network Activity", + "category_uid": 4, + "class_name": "FTP Activity", + "class_uid": "4008", + "codes": [ + 44 + ], + "command": "moving sensitivity uri", + "command_responses": [ + "equations studios metallic", + "heat designated unto" + ], + "connection_info": { + "direction": "Inbound", + "direction_id": "1" + }, + "disposition": "Blocked", + "disposition_id": "2", + "dst_endpoint": { + "instance_uid": "690581f0-5be7-11ee-8486-0242ac110005", + "interface_name": "towards suzuki opportunities", + "interface_uid": "690585f6-5be7-11ee-a611-0242ac110005", + "uid": "69057d22-5be7-11ee-b5d1-0242ac110005", + "vlan_uid": "69058a1a-5be7-11ee-bf51-0242ac110005" + }, + "end_time_dt": "2023-09-25T21:06:35.259215Z", + "metadata": { + "correlation_uid": "69056d3c-5be7-11ee-8e34-0242ac110005", + "log_name": "investor direct pickup", + "modified_time_dt": "2023-09-25T21:06:35.260101Z", + "original_time": "fax pro carries", + "processed_time": 1695675995263, + "product": { + "lang": "en", + "name": "islands unless trivia", + "uid": "690566e8-5be7-11ee-bbe6-0242ac110005", + "vendor_name": "mai insight ws", + "version": "1.0.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "security_control" + ], + "version": "1.0.0" + }, + "port": 58038, + "severity": "Fatal", + "src_endpoint": { + "instance_uid": "6905cb2e-5be7-11ee-bd4d-0242ac110005", + "interface_name": "drives center wondering", + "interface_uid": "6905cf66-5be7-11ee-af73-0242ac110005", + "intermediate_ips": [ + "67.43.156.0", + "89.160.20.112" + ], + "uid": 
"6905c674-5be7-11ee-8e5b-0242ac110005",
+ "vpc_uid": "6905d4a2-5be7-11ee-b06b-0242ac110005"
+ },
+ "status": "discussions",
+ "status_code": "certificates",
+ "status_id": "99",
+ "timezone_offset": 79,
+ "type": "seller luther nursery",
+ "type_name": "FTP Activity: Unknown",
+ "type_uid": "400800"
+ },
 "related": {
 "hosts": [
 "collectible.firm",
diff --git a/OCSF/ocsf/tests/test_network_activity_9.json b/OCSF/ocsf/tests/test_network_activity_9.json
index 8163cfdeb..d02844102 100644
--- a/OCSF/ocsf/tests/test_network_activity_9.json
+++ b/OCSF/ocsf/tests/test_network_activity_9.json
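Review bot: The `traffic` object of the removed line (`bytes`, `bytes_out`, `packets`, `packets_in`) has no counterpart in the new expected `ocsf` object, and the `network` context lines at the top of the hunk carry only `application`, so unless these counters are asserted somewhere else in this fixture (outside the hunk) the expected output now drops the volume data for an event whose `attacks` entries include Exfiltration (TA0010). `protocol_num`, `end_time` and `time` disappear in the same way although `end_time_dt` is kept. If those values are intentionally mapped to ECS fields, the fixture should assert them at their new location so that a mapping regression is visible in review rather than hidden by a passing test.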
@@ -26,6 +26,110 @@ "provider": "stick harris italy", "region": "cj safer should" }, - "ocsf": "{\"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Email Activity\", \"class_uid\": 4009, \"cloud\": {\"provider\": \"stick harris italy\", \"region\": \"cj safer should\"}, \"device\": {\"created_time_dt\": \"2023-09-25T21:07:01.668193Z\", \"instance_uid\": \"78c328c2-5be7-11ee-8cdd-0242ac110005\", \"interface_name\": \"instruments diana nature\", \"interface_uid\": \"78c336c8-5be7-11ee-82fb-0242ac110005\", \"ip\": \"175.16.199.1\", \"name\": \"programming apr remark\", \"network_interfaces\": [{\"hostname\": \"buried.museum\", \"ip\": \"175.16.199.1\", \"mac\": \"8A:A5:A8:8F:C5:1E:88:79\", \"name\": \"sick mobility terrain\", \"type\": \"Wired\", \"type_id\": 1}, {\"hostname\": \"acts.edu\", \"ip\": \"175.16.199.1\", \"mac\": \"AB:AB:43:8:B2:A1:B7:8\", \"name\": \"wiki philippines quick\", \"namespace\": \"that rare html\", \"subnet_prefix\": 34, \"type\": \"Unknown\", \"type_id\": 0}], \"org\": {\"ou_name\": \"florence homes divine\", \"ou_uid\": \"78c2fda2-5be7-11ee-9d5a-0242ac110005\", \"uid\": \"78c2f8d4-5be7-11ee-b0f0-0242ac110005\"}, \"os\": {\"country\": \"Monaco, Principality of\", \"edition\": \"mortality achievements apparatus\", \"name\": \"rfc oman tan\", \"sp_name\": \"advanced addressed bomb\", \"type\": \"macOS\", \"type_id\": 300}, \"region\": \"bat johnston disability\", \"type\": \"Tablet\", \"type_id\": 4, \"uid\": \"78c33c0e-5be7-11ee-ba4c-0242ac110005\"}, \"direction\": \"Unknown\", \"direction_id\": 0, \"disposition\": \"No Action\", \"disposition_id\": 16, \"email\": {\"from\": \"Han@trans.info\", \"message_uid\": \"78c23354-5be7-11ee-b3ad-0242ac110005\", \"reply_to\": \"Nguyet@quoted.edu\", \"size\": 2106286084, \"smtp_from\": \"Joyce@lending.org\", \"smtp_to\": [\"Kesha@whose.firm\"], \"to\": [\"Vernia@tba.edu\", \"Darnell@stereo.nato\"], \"uid\": \"78c1ed2c-5be7-11ee-9a21-0242ac110005\"}, \"end_time\": 
1695676021666, \"enrichments\": [{\"data\": {\"healthcare\": \"hddhj\"}, \"name\": \"remind jury laden\", \"provider\": \"in hurt hl\", \"type\": \"sale updating poll\", \"value\": \"savings ref bbc\"}, {\"data\": {\"chubby\": \"7895ss\"}, \"name\": \"force energy satin\", \"provider\": \"lie allowance compressed\", \"value\": \"dogs violation qualified\"}], \"message\": \"freeware sticks unsigned\", \"metadata\": {\"extension\": {\"name\": \"broad fears transfers\", \"uid\": \"78c2668a-5be7-11ee-a776-0242ac110005\", \"version\": \"1.0.0\"}, \"log_name\": \"seats briefly charming\", \"log_provider\": \"sheet satisfaction survey\", \"original_time\": \"administered respected angeles\", \"product\": {\"lang\": \"en\", \"name\": \"civilian clearance powerseller\", \"uid\": \"78c28282-5be7-11ee-989a-0242ac110005\", \"vendor_name\": \"activists berlin dramatically\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"uid\": \"78c29cfe-5be7-11ee-9fb1-0242ac110005\", \"version\": \"1.0.0\"}, \"raw_data\": \"lakes cycles remainder\", \"severity\": \"Informational\", \"severity_id\": 1, \"smtp_hello\": \"jurisdiction charts prerequisite\", \"status\": \"Success\", \"status_detail\": \"bm around ranking\", \"status_id\": 1, \"time\": 1695676021669, \"timezone_offset\": 24, \"type_name\": \"Email Activity: Other\", \"type_uid\": 400999}" + "ocsf": { + "category_name": "Network Activity", + "category_uid": 4, + "class_name": "Email Activity", + "class_uid": "4009", + "device": { + "created_time_dt": "2023-09-25T21:07:01.668193Z", + "instance_uid": "78c328c2-5be7-11ee-8cdd-0242ac110005", + "interface_name": "instruments diana nature", + "interface_uid": "78c336c8-5be7-11ee-82fb-0242ac110005", + "network_interfaces": [ + { + "hostname": "buried.museum", + "ip": "175.16.199.1", + "mac": "8A:A5:A8:8F:C5:1E:88:79", + "name": "sick mobility terrain", + "type": "Wired", + "type_id": "1" + }, + { + "hostname": "acts.edu", 
+ "ip": "175.16.199.1", + "mac": "AB:AB:43:8:B2:A1:B7:8", + "name": "wiki philippines quick", + "namespace": "that rare html", + "subnet_prefix": 34, + "type": "Unknown", + "type_id": "0" + } + ], + "org": { + "ou_name": "florence homes divine", + "ou_uid": "78c2fda2-5be7-11ee-9d5a-0242ac110005", + "uid": "78c2f8d4-5be7-11ee-b0f0-0242ac110005" + }, + "os": { + "country": "Monaco, Principality of", + "edition": "mortality achievements apparatus", + "sp_name": "advanced addressed bomb", + "type": "macOS", + "type_id": "300" + }, + "region": "bat johnston disability", + "type_id": "4" + }, + "direction": "Unknown", + "direction_id": "0", + "disposition": "No Action", + "disposition_id": "16", + "email": { + "size": 2106286084, + "smtp_from": "Joyce@lending.org", + "smtp_to": [ + "Kesha@whose.firm" + ] + }, + "enrichments": [ + { + "data": "{\"chubby\": \"7895ss\"}", + "name": "force energy satin", + "provider": "lie allowance compressed", + "value": "dogs violation qualified" + }, + { + "data": "{\"healthcare\": \"hddhj\"}", + "name": "remind jury laden", + "provider": "in hurt hl", + "type": "sale updating poll", + "value": "savings ref bbc" + } + ], + "metadata": { + "extension": { + "name": "broad fears transfers", + "uid": "78c2668a-5be7-11ee-a776-0242ac110005", + "version": "1.0.0" + }, + "log_name": "seats briefly charming", + "original_time": "administered respected angeles", + "product": { + "lang": "en", + "name": "civilian clearance powerseller", + "uid": "78c28282-5be7-11ee-989a-0242ac110005", + "vendor_name": "activists berlin dramatically", + "version": "1.0.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "security_control" + ], + "version": "1.0.0" + }, + "raw_data": "lakes cycles remainder", + "severity": "Informational", + "smtp_hello": "jurisdiction charts prerequisite", + "status": "Success", + "status_detail": "bm around ranking", + "status_id": "1", + "timezone_offset": 24, + "type_name": "Email Activity: Other", + 
"type_uid": "400999"
+ }
 }
 }
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_system_activity_1.json b/OCSF/ocsf/tests/test_system_activity_1.json
index 83ded18ae..e38c3c7fe 100644
--- a/OCSF/ocsf/tests/test_system_activity_1.json
+++ b/OCSF/ocsf/tests/test_system_activity_1.json
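Review bot: `enrichments[].data` changes from a nested object in the removed line (`{"healthcare": "hddhj"}`) to a JSON-encoded string in the new expected output (`"{\"chubby\": \"7895ss\"}"`), and the two enrichment entries now appear in the opposite order from the input. If the parser sorts the array the fixture is deterministic, but if the order merely reflects how this run serialized a dict, the assertion will be flaky, so the ordering rule should be confirmed before the fixture is merged. Storing `data` as a string also means any query on an enrichment key has to re-parse the field, which is only acceptable if the field definitions declare it as a string type on purpose. `email.from`, `email.to`, `email.reply_to` and `email.message_uid` are likewise absent from the new `ocsf` object; if they are mapped to ECS `email.*` fields outside this hunk that is fine, otherwise the sender and recipient data needed for phishing triage is dropped from the expected output.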
@@ -22,6 +22,180 @@ "change" ] }, - "ocsf": "{\"activity_id\": 5, \"activity_name\": \"Rename\", \"actor\": {\"idp\": {\"name\": \"through foot query\", \"uid\": \"3576b692-583b-11ee-b9a6-0242ac110005\"}, \"process\": {\"cmd_line\": \"dd apple updating\", \"created_time\": 1695272181548, \"file\": {\"confidentiality\": \"microphone ingredients everybody\", \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"5448F2E81D8402BD06F1B7A1F25A23A09CF423B5C17631EDC1CB3A06C6135BEA\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"DB43BDA2E28D2B02E0F94993E11FF5A6A49D0E62D62834916C0F623B00401D7C1848EDA3BD47A48ACE755F0AF75D3D92850EEDDD011B6B3ED4D93BA15953F9AD\"}], \"name\": \"with.com\", \"parent_folder\": \"fact nick marilyn/wives.iso\", \"path\": \"fact nick marilyn/wives.iso/with.com\", \"type\": \"Symbolic Link\", \"type_id\": 7}, \"name\": \"Http\", \"parent_process\": {\"cmd_line\": \"regardless discussed gb\", \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Esta Malena\", \"created_time\": 1695272181548, \"desc\": \"claims runtime directories\", \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"0983A0F9D6FE6015A7EB984C4D51C74EC818D6B4B2EA630CA2794A51512BEA5EC489606DAA019CA34D4CA678FF154530DBF2211DC9AD7D058363D7630F3AF2B8\"}], \"modified_time\": 1695272181548, \"name\": \"chrysler.pages\", \"parent_folder\": \"jesus cattle cave/remainder.iso\", \"path\": \"jesus cattle cave/remainder.iso/chrysler.pages\", \"security_descriptor\": \"motels derby subtle\", \"type\": \"Character Device\", \"type_id\": 3, \"uid\": \"3575485c-583b-11ee-b07c-0242ac110005\"}, \"integrity\": \"eat\", \"integrity_id\": 99, \"lineage\": [\"ff encoding towns\", \"alter reservoir drums\"], \"name\": \"Olympic\", \"parent_process\": {\"cmd_line\": \"step bernard quiet\", \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"cmd_line\": \"sons eur fence\", 
\"created_time\": 1695272181548, \"file\": {\"attributes\": 59, \"company_name\": \"Johnny Kenia\", \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"673864FF7BB72B5CB7535BD3C797DAE6BCDCE37BB6E0BD9D6EDDB8205EE636ACCA593394B1827FD62DAEC350638203EC5021A55A87B54D3BD4E0391CCACFA7B5\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"DA377EE2C5138BD0042100780B04CFB9752DD077344B2CBCACFFBEA5D94D0BB095E7314616D60350025F9E6489D6CBF9FA4C1D07CA52AB9C364397B6A6DB1426\"}], \"is_system\": true, \"name\": \"expectations.sh\", \"parent_folder\": \"their haven interact/president.log\", \"path\": \"their haven interact/president.log/expectations.sh\", \"size\": 3829463934, \"type\": \"Named Pipe\", \"type_id\": 6}, \"name\": \"Schedules\", \"parent_process\": {\"cmd_line\": \"optional icq refresh\", \"created_time\": 1695272181548, \"integrity\": \"Medium\", \"integrity_id\": 3, \"lineage\": [\"marco danny survival\"], \"loaded_modules\": [\"/par/addresses/isle/blink/utils.3ds\", \"/conventions/market/normal/lease/absolute.tar.gz\"], \"name\": \"Best\", \"parent_process\": {\"cmd_line\": \"furnishings oo elderly\", \"created_time\": 1695272181548, \"file\": {\"attributes\": 73, \"name\": \"wagner.hqx\", \"parent_folder\": \"nest communist anthony/tri.tex\", \"path\": \"nest communist anthony/tri.tex/wagner.hqx\", \"type\": \"Folder\", \"type_id\": 2}, \"name\": \"Expo\", \"parent_process\": {\"cmd_line\": \"japan sells jeans\", \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Agatha Bridget\", \"hashes\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"7C44A3A14F05688E4AC527919744E64B96B371173856D178D72F65DAB3DC8EE7563B5E05EE7F625263083247F54503AD771DB5F66B3C9F9216B95114BA6BFCCB\"}], \"name\": \"conviction.dem\", \"owner\": {\"groups\": [{\"name\": \"picked physicians sponsored\", \"uid\": \"3575cc6e-583b-11ee-9fc6-0242ac110005\"}, {\"desc\": \"consistent remind intel\", \"name\": \"theft os finished\", 
\"privileges\": [\"moscow whom catalogue\", \"bar distant sitting\"], \"type\": \"baking how furnished\", \"uid\": \"3575d2cc-583b-11ee-9bd2-0242ac110005\"}], \"name\": \"Founded\", \"type\": \"System\", \"type_id\": 3}, \"parent_folder\": \"lesbian consistent policy/house.crdownload\", \"path\": \"lesbian consistent policy/house.crdownload/conviction.dem\", \"security_descriptor\": \"blank special atm\", \"signature\": {\"algorithm\": \"RSA\", \"algorithm_id\": 2, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"4AE524EF0A54BC56E3844482DFF66D3DD1C07170A36531500327556E4EB58A66\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"2D3C087352251B27B4B883E464997A204BC6990478F6ADA51535ED9C87BB9BD65BB98AF4BCF9442E5126A77E0D6984B1596D2253167232DA8AC3415D7FB47186\"}], \"issuer\": \"rom ge xml\", \"serial_number\": \"streets missouri stack\", \"subject\": \"equivalent fuzzy password\", \"version\": \"1.0.0\"}}, \"type\": \"Regular File\", \"type_id\": 1}, \"name\": \"Gis\", \"parent_process\": {\"cmd_line\": \"terry ld apple\", \"created_time\": 1695272181548, \"file\": {\"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"9392895322BB82C443FB155DA3D787E63B9CFF61E9725327EA2B4FAFE964C306117CB523AEBA0D2D8CDF029592125C16C1F892E88D80F9888D7031FD2974B8DE\"}], \"name\": \"structural.swf\", \"parent_folder\": \"fwd various rr/harper.tar.gz\", \"path\": \"fwd various rr/harper.tar.gz/structural.swf\", \"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1, \"certificate\": {\"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"D9B2FE68B6C253E250B14667FE79D988B4D2AC568F7FD62357330B906C30A49D\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": 
\"EBD7275B8E016156D5C802AA81EF32823EF0D89B944B062044092C012CDD5078AF0362403420AB2DD96D282058889BCC6484F8FC42C61C29774AB18337A40FD9\"}], \"issuer\": \"truck rings arrivals\", \"serial_number\": \"rd throw preliminary\", \"subject\": \"ordering ou explanation\", \"version\": \"1.0.0\"}, \"created_time\": 1695272181548}, \"size\": 688932239, \"type\": \"customs\", \"type_id\": 99}, \"lineage\": [\"ts initial roses\", \"wicked sm especially\"], \"name\": \"Decrease\", \"parent_process\": {\"cmd_line\": \"grounds profits tear\", \"file\": {\"company_name\": \"Parthenia Kim\", \"creator\": {\"org\": {\"name\": \"lessons fighting basement\", \"ou_name\": \"recently iron turning\", \"uid\": \"357639f6-583b-11ee-a863-0242ac110005\"}, \"type\": \"System\", \"type_id\": 3, \"uid\": \"357634b0-583b-11ee-aa30-0242ac110005\"}, \"desc\": \"reads choir while\", \"hashes\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"533747897E1F6754B1E577DEEBA5E673C0DD9F09229F048608C88CA5EEC2A420FFF7F06C5B27F45A1B7A705FF141C4AE11196CAB9BE339546B7EEF258DFED346\"}], \"name\": \"fcc.gz\", \"parent_folder\": \"webcast invention brandon/thumbnail.rm\", \"path\": \"webcast invention brandon/thumbnail.rm/fcc.gz\", \"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"C9E4D5C19777C2E695975FB5FE0D92C5DEEE360C4AFF172B638D981E5BCE505FB3373CF7A620436611A964772215DD15E564B701B09AB141C53258EA7DB63589\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"D02BCEDE7EF63722B56FD76E6C3E0C74E72D5B9C169DE7BA9712A1EAEF0C13F59F27BBFC33274C80889426EB38A8D191AB7B08FE9397BF0BE4D5B4C08CF7956C\"}], \"issuer\": \"kids permissions cosmetic\", \"serial_number\": \"mold afghanistan pine\", \"subject\": \"previous furthermore create\", \"version\": \"1.0.0\"}, \"digest\": {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, 
\"value\": \"F28E98CA59479136BFC3E11371555CF78BDEDDF0332D62DD063B794024CC5C4FE13F9EA7BA6BCE31550B8B7DEFFB31BF20E54B6C1095A68E8E18A26F91C0E838\"}}, \"type\": \"Local Socket\", \"type_id\": 5}, \"integrity\": \"attempts strategy meetup\", \"lineage\": [\"tar optical per\", \"fixtures while coaches\"], \"loaded_modules\": [\"/frequently/tomatoes/one/trembl/trance.php\", \"/supposed/passwords/boutique/codes/coalition.txt\"], \"parent_process\": {\"cmd_line\": \"canon istanbul ears\", \"created_time\": 1695272181548, \"file\": {\"confidentiality\": \"smilies ethnic exclusively\", \"created_time\": 1695272181548, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"DF2FF56CB3BAC1E28C3FE0395F52F814539922A774E1B53793268DC61ADD718A6BEED6E464F3D3AB436A5F61A84B21F073DD534943FEFA40E0DAD92DF1C92874\"}], \"modified_time\": 1695272181548, \"name\": \"kathy.gpx\", \"parent_folder\": \"stake dame kw/bangladesh.tax2020\", \"path\": \"stake dame kw/bangladesh.tax2020/kathy.gpx\", \"type\": \"Symbolic Link\", \"type_id\": 7, \"version\": \"1.0.0\"}, \"integrity\": \"rage cloudy starts\", \"name\": \"Speed\", \"parent_process\": {\"cmd_line\": \"samuel affiliates stores\", \"created_time\": 1695272181548, \"file\": {\"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"25B732B3425CF8421A84FBE8E6EFA1AAF932AD4B\"}, {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"501A60A2B28BA8E6A95CE30C11877FDA\"}], \"name\": \"rpg.eps\", \"size\": 2219996466, \"type\": \"Unknown\", \"type_id\": 0}, \"lineage\": [\"locked feedback tank\", \"kuwait integrity messages\"], \"loaded_modules\": [\"/congo/hundreds/jerry/limousines/meanwhile.lua\", \"/employment/discounts/dg/company/colin.txt\"], \"name\": \"Forget\", \"parent_process\": {\"cmd_line\": \"hh officials patient\", \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Morris Antonio\", \"confidentiality\": \"Secret\", 
\"confidentiality_id\": 3, \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"D9C1ACF117657BB04A8309ECBD6F3771E4F5E0BBEB437019748FFB5028BDA1B7\"}], \"name\": \"transexual.kml\", \"owner\": {\"name\": \"Disappointed\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"357695ae-583b-11ee-a3e8-0242ac110005\"}, \"parent_folder\": \"robin imperial rugby/delicious.lua\", \"path\": \"robin imperial rugby/delicious.lua/transexual.kml\", \"product\": {\"lang\": \"en\", \"name\": \"receptors surgeons dui\", \"path\": \"joins roy in\", \"url_string\": \"bias\", \"vendor_name\": \"wonderful earning zealand\"}, \"type\": \"Local Socket\", \"type_id\": 5}, \"loaded_modules\": [\"/initial/example/lenders/manitoba/picked.mdf\"], \"name\": \"Part\", \"pid\": 72, \"sandbox\": \"new rt auto\", \"uid\": \"3576a6e8-583b-11ee-907e-0242ac110005\", \"user\": {\"name\": \"Tft\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"3576a274-583b-11ee-a3dc-0242ac110005\"}}, \"pid\": 6, \"sandbox\": \"proc budgets magnet\", \"uid\": \"35768726-583b-11ee-b021-0242ac110005\"}, \"pid\": 69, \"uid\": \"3576731c-583b-11ee-b4bb-0242ac110005\", \"user\": {\"credential_uid\": \"35766f02-583b-11ee-93b4-0242ac110005\", \"name\": \"Class\", \"org\": {\"name\": \"thumb perception casual\", \"ou_name\": \"russell martin tonight\", \"uid\": \"357668cc-583b-11ee-9bcd-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"3576639a-583b-11ee-a0a4-0242ac110005\", \"uid_alt\": \"acute vocals goat\"}}, \"pid\": 96, \"session\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"is_remote\": false, \"issuer\": \"information daisy computational\", \"uid\": \"35764ff4-583b-11ee-ad30-0242ac110005\"}, \"uid\": \"35764af4-583b-11ee-bfee-0242ac110005\", \"user\": {\"account\": {\"name\": \"gained oldest atomic\", \"type\": \"AWS IAM User\", \"type_id\": 3}, \"email_addr\": \"Ernie@drum.jobs\", \"full_name\": \"Margert Debbie\", \"name\": \"Intervals\", \"type\": 
\"Admin\", \"type_id\": 2, \"uid\": \"357644a0-583b-11ee-b222-0242ac110005\"}}, \"pid\": 59, \"sandbox\": \"uk worth harmony\", \"tid\": 80, \"uid\": \"35761c82-583b-11ee-b824-0242ac110005\", \"user\": {\"domain\": \"sydney initiatives plymouth\", \"full_name\": \"Theron Augustine\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"35761822-583b-11ee-beb2-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 7, \"sandbox\": \"arbitration saturday very\", \"terminated_time\": 1695272181548, \"uid\": \"3575fdb0-583b-11ee-aeb9-0242ac110005\", \"user\": {\"full_name\": \"Katheryn Dario\", \"name\": \"Sec\", \"org\": {\"name\": \"delayed cables leads\", \"uid\": \"3575f964-583b-11ee-8c61-0242ac110005\"}, \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"3575f450-583b-11ee-b6bb-0242ac110005\", \"uid_alt\": \"room suicide poem\"}, \"xattributes\": {}}, \"pid\": 70, \"uid\": \"3575bbde-583b-11ee-a34c-0242ac110005\", \"user\": {\"groups\": [{\"name\": \"attention horrible saved\", \"type\": \"clinical integration find\"}], \"name\": \"Vehicles\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"3575b594-583b-11ee-ad61-0242ac110005\", \"uid_alt\": \"immigrants vegetables names\"}}, \"pid\": 51, \"tid\": 72, \"uid\": \"3575a158-583b-11ee-a0c1-0242ac110005\", \"user\": {\"email_addr\": \"Valene@water.aero\", \"name\": \"Wrapping\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"357599c4-583b-11ee-839a-0242ac110005\"}}, \"pid\": 64, \"sandbox\": \"ranked cookbook propecia\", \"uid\": \"35758902-583b-11ee-9a1c-0242ac110005\", \"user\": {\"name\": \"Gun\", \"org\": {\"name\": \"suitable bother k\", \"ou_name\": \"signals pixel questions\", \"uid\": \"357584f2-583b-11ee-b957-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": \"35757fde-583b-11ee-8426-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 24, \"tid\": 17, \"uid\": \"35756e18-583b-11ee-8658-0242ac110005\", \"user\": {\"account\": {\"name\": \"lisa avoiding grade\", \"type\": \"Mac OS Account\", \"type_id\": 7, 
\"uid\": \"35756968-583b-11ee-adc7-0242ac110005\"}, \"type\": \"dealer\", \"type_id\": 99, \"uid\": \"3575612a-583b-11ee-8729-0242ac110005\"}}, \"user\": {\"email_addr\": \"Georgeann@compounds.org\", \"groups\": [{\"name\": \"admissions throughout scope\", \"uid\": \"357556c6-583b-11ee-a761-0242ac110005\"}], \"name\": \"Salvador\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"357551a8-583b-11ee-9f3a-0242ac110005\"}}, \"pid\": 39, \"uid\": \"357539de-583b-11ee-808d-0242ac110005\", \"user\": {\"account\": {\"name\": \"findarticles awards error\", \"type\": \"AWS IAM User\", \"type_id\": 3, \"uid\": \"357534b6-583b-11ee-acbb-0242ac110005\"}, \"domain\": \"canal emerald dry\", \"email_addr\": \"Dotty@bg.info\", \"full_name\": \"Kitty Sabine\", \"name\": \"Proxy\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"35752d18-583b-11ee-8e91-0242ac110005\", \"uid_alt\": \"mature botswana advisory\"}}, \"user\": {\"full_name\": \"Inocencia Adelle\", \"name\": \"Hispanic\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"3576b16a-583b-11ee-9386-0242ac110005\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"File System Activity\", \"class_uid\": 1001, \"create_mask\": \"lu hairy cases\", \"device\": {\"desc\": \"gene screens plenty\", \"groups\": [{\"name\": \"spent disclaimer locks\", \"privileges\": [\"seems freeware tire\"], \"uid\": \"3575019e-583b-11ee-8751-0242ac110005\"}, {\"name\": \"stereo thousand cnet\", \"uid\": \"357505d6-583b-11ee-8d50-0242ac110005\"}], \"hypervisor\": \"barbados lcd electoral\", \"image\": {\"name\": \"aol interest statutes\", \"path\": \"breaks contrary navigation\", \"tag\": \"history afraid vcr\", \"uid\": \"3574fc30-583b-11ee-a7af-0242ac110005\"}, \"instance_uid\": \"3574eefc-583b-11ee-aedd-0242ac110005\", \"interface_name\": \"cleveland households subsidiaries\", \"interface_uid\": \"3574f352-583b-11ee-89fa-0242ac110005\", \"ip\": \"1.128.0.0\", \"is_managed\": true, \"name\": \"spirits since tours\", 
\"os\": {\"name\": \"mess deposits scary\", \"sp_ver\": 35, \"type\": \"HP-UX\", \"type_id\": 402}, \"region\": \"survival statewide blog\", \"risk_score\": 17, \"subnet\": \"130.109.0.0/16\", \"subnet_uid\": \"3574e7c2-583b-11ee-8763-0242ac110005\", \"type\": \"Browser\", \"type_id\": 8, \"uid\": \"3575127e-583b-11ee-b9cf-0242ac110005\"}, \"enrichments\": [{\"data\": {\"professionals\": \"profess\"}, \"name\": \"universal ex rpg\", \"provider\": \"dance avon fundamental\", \"type\": \"concentrations sciences genuine\", \"value\": \"participants managing combines\"}, {\"data\": {\"hill\": \"rfsvfdc\"}, \"name\": \"strip milton opened\", \"provider\": \"held rounds tumor\", \"type\": \"volunteers manufacturing argentina\", \"value\": \"needs hopes taxation\"}], \"file\": {\"accessed_time\": 1695272181548, \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"FA9D6D9F8C1E928F43F4CA3DEF6EC2D485AA60CDD4DF04348144D38434095D54EADA230FB5E8BE2A17FD91AEEFC38B4E2AD08D863F260E6244F56873701A53EE\"}], \"name\": \"phi.tar\", \"parent_folder\": \"basement neighborhood nelson/pointer.mpa\", \"path\": \"basement neighborhood nelson/pointer.mpa/phi.tar\", \"product\": {\"name\": \"judgment mel mental\", \"uid\": \"3576c3d0-583b-11ee-8a0f-0242ac110005\", \"vendor_name\": \"isp semiconductor screens\", \"version\": \"1.0.0\"}, \"type\": \"Named Pipe\", \"type_id\": 666}, \"message\": \"aug brought masters\", \"metadata\": {\"log_name\": \"benefits observe block\", \"log_provider\": \"apr applies bought\", \"original_time\": \"basement receipt forces\", \"product\": {\"lang\": \"en\", \"name\": \"frederick avoiding settlement\", \"uid\": \"3574dd04-583b-11ee-9dd6-0242ac110005\", \"url_string\": \"subscribers\", \"vendor_name\": \"biographies charts a\", \"version\": \"1.0.0\"}, \"profiles\": [], \"sequence\": 36, \"version\": \"1.0.0\"}, \"severity\": \"High\", \"severity_id\": 4, \"status\": \"same\", \"status_id\": 99, \"time\": 1695272181548, 
\"timezone_offset\": 14, \"type_name\": \"File System Activity: Rename\", \"type_uid\": 100105}"
+ "ocsf": {
+ "activity_id": 5,
+ "activity_name": "Rename",
+ "actor": {
+ "idp": {
+ "name": "through foot query",
+ "uid": "3576b692-583b-11ee-b9a6-0242ac110005"
+ },
+ "process": {
+ "file": {
+ "confidentiality": "microphone ingredients everybody",
+ "hashes": [
+ {
+ "algorithm": "SHA-256",
+ "algorithm_id": "3",
+ "value": "5448F2E81D8402BD06F1B7A1F25A23A09CF423B5C17631EDC1CB3A06C6135BEA"
+ },
+ {
+ "algorithm": "CTPH",
+ "algorithm_id": "5",
+ "value": "DB43BDA2E28D2B02E0F94993E11FF5A6A49D0E62D62834916C0F623B00401D7C1848EDA3BD47A48ACE755F0AF75D3D92850EEDDD011B6B3ED4D93BA15953F9AD"
+ }
+ ],
+ "type_id": "7"
+ },
+ "parent_process": {
+ "file": {
+ "company_name": "Esta Malena",
+ "created_time": 1695272181548,
+ "desc": "claims runtime directories",
+ "hashes": [
+ {
+ "algorithm": "quickXorHash",
+ "algorithm_id": "7",
+ "value": "0983A0F9D6FE6015A7EB984C4D51C74EC818D6B4B2EA630CA2794A51512BEA5EC489606DAA019CA34D4CA678FF154530DBF2211DC9AD7D058363D7630F3AF2B8"
+ }
+ ],
+ "modified_time": 1695272181548,
+ "name": "chrysler.pages",
+ "parent_folder": "jesus cattle cave/remainder.iso",
+ "path": "jesus cattle cave/remainder.iso/chrysler.pages",
+ "security_descriptor": "motels derby subtle",
+ "type": "Character Device",
+ "type_id": "3",
+ "uid": "3575485c-583b-11ee-b07c-0242ac110005"
+ },
+ "integrity": "eat",
+ "integrity_id": "99",
+ "lineage": [
+ "alter reservoir drums",
+ "ff encoding towns"
+ ],
+ "parent_process": "{\"cmd_line\": \"step bernard quiet\", \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"cmd_line\": \"sons eur fence\", \"created_time\": 1695272181548, \"file\": {\"attributes\": 59, \"company_name\": \"Johnny Kenia\", \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": 
\"673864FF7BB72B5CB7535BD3C797DAE6BCDCE37BB6E0BD9D6EDDB8205EE636ACCA593394B1827FD62DAEC350638203EC5021A55A87B54D3BD4E0391CCACFA7B5\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"DA377EE2C5138BD0042100780B04CFB9752DD077344B2CBCACFFBEA5D94D0BB095E7314616D60350025F9E6489D6CBF9FA4C1D07CA52AB9C364397B6A6DB1426\"}], \"is_system\": true, \"name\": \"expectations.sh\", \"parent_folder\": \"their haven interact/president.log\", \"path\": \"their haven interact/president.log/expectations.sh\", \"size\": 3829463934, \"type\": \"Named Pipe\", \"type_id\": 6}, \"name\": \"Schedules\", \"parent_process\": {\"cmd_line\": \"optional icq refresh\", \"created_time\": 1695272181548, \"integrity\": \"Medium\", \"integrity_id\": 3, \"lineage\": [\"marco danny survival\"], \"loaded_modules\": [\"/par/addresses/isle/blink/utils.3ds\", \"/conventions/market/normal/lease/absolute.tar.gz\"], \"name\": \"Best\", \"parent_process\": {\"cmd_line\": \"furnishings oo elderly\", \"created_time\": 1695272181548, \"file\": {\"attributes\": 73, \"name\": \"wagner.hqx\", \"parent_folder\": \"nest communist anthony/tri.tex\", \"path\": \"nest communist anthony/tri.tex/wagner.hqx\", \"type\": \"Folder\", \"type_id\": 2}, \"name\": \"Expo\", \"parent_process\": {\"cmd_line\": \"japan sells jeans\", \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Agatha Bridget\", \"hashes\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"7C44A3A14F05688E4AC527919744E64B96B371173856D178D72F65DAB3DC8EE7563B5E05EE7F625263083247F54503AD771DB5F66B3C9F9216B95114BA6BFCCB\"}], \"name\": \"conviction.dem\", \"owner\": {\"groups\": [{\"name\": \"picked physicians sponsored\", \"uid\": \"3575cc6e-583b-11ee-9fc6-0242ac110005\"}, {\"desc\": \"consistent remind intel\", \"name\": \"theft os finished\", \"privileges\": [\"moscow whom catalogue\", \"bar distant sitting\"], \"type\": \"baking how furnished\", \"uid\": \"3575d2cc-583b-11ee-9bd2-0242ac110005\"}], \"name\": \"Founded\", 
\"type\": \"System\", \"type_id\": 3}, \"parent_folder\": \"lesbian consistent policy/house.crdownload\", \"path\": \"lesbian consistent policy/house.crdownload/conviction.dem\", \"security_descriptor\": \"blank special atm\", \"signature\": {\"algorithm\": \"RSA\", \"algorithm_id\": 2, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"4AE524EF0A54BC56E3844482DFF66D3DD1C07170A36531500327556E4EB58A66\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"2D3C087352251B27B4B883E464997A204BC6990478F6ADA51535ED9C87BB9BD65BB98AF4BCF9442E5126A77E0D6984B1596D2253167232DA8AC3415D7FB47186\"}], \"issuer\": \"rom ge xml\", \"serial_number\": \"streets missouri stack\", \"subject\": \"equivalent fuzzy password\", \"version\": \"1.0.0\"}}, \"type\": \"Regular File\", \"type_id\": 1}, \"name\": \"Gis\", \"parent_process\": {\"cmd_line\": \"terry ld apple\", \"created_time\": 1695272181548, \"file\": {\"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"9392895322BB82C443FB155DA3D787E63B9CFF61E9725327EA2B4FAFE964C306117CB523AEBA0D2D8CDF029592125C16C1F892E88D80F9888D7031FD2974B8DE\"}], \"name\": \"structural.swf\", \"parent_folder\": \"fwd various rr/harper.tar.gz\", \"path\": \"fwd various rr/harper.tar.gz/structural.swf\", \"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1, \"certificate\": {\"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"D9B2FE68B6C253E250B14667FE79D988B4D2AC568F7FD62357330B906C30A49D\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"EBD7275B8E016156D5C802AA81EF32823EF0D89B944B062044092C012CDD5078AF0362403420AB2DD96D282058889BCC6484F8FC42C61C29774AB18337A40FD9\"}], \"issuer\": \"truck rings arrivals\", \"serial_number\": \"rd throw 
preliminary\", \"subject\": \"ordering ou explanation\", \"version\": \"1.0.0\"}, \"created_time\": 1695272181548}, \"size\": 688932239, \"type\": \"customs\", \"type_id\": 99}, \"lineage\": [\"ts initial roses\", \"wicked sm especially\"], \"name\": \"Decrease\", \"parent_process\": {\"cmd_line\": \"grounds profits tear\", \"file\": {\"company_name\": \"Parthenia Kim\", \"creator\": {\"org\": {\"name\": \"lessons fighting basement\", \"ou_name\": \"recently iron turning\", \"uid\": \"357639f6-583b-11ee-a863-0242ac110005\"}, \"type\": \"System\", \"type_id\": 3, \"uid\": \"357634b0-583b-11ee-aa30-0242ac110005\"}, \"desc\": \"reads choir while\", \"hashes\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"533747897E1F6754B1E577DEEBA5E673C0DD9F09229F048608C88CA5EEC2A420FFF7F06C5B27F45A1B7A705FF141C4AE11196CAB9BE339546B7EEF258DFED346\"}], \"name\": \"fcc.gz\", \"parent_folder\": \"webcast invention brandon/thumbnail.rm\", \"path\": \"webcast invention brandon/thumbnail.rm/fcc.gz\", \"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"C9E4D5C19777C2E695975FB5FE0D92C5DEEE360C4AFF172B638D981E5BCE505FB3373CF7A620436611A964772215DD15E564B701B09AB141C53258EA7DB63589\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"D02BCEDE7EF63722B56FD76E6C3E0C74E72D5B9C169DE7BA9712A1EAEF0C13F59F27BBFC33274C80889426EB38A8D191AB7B08FE9397BF0BE4D5B4C08CF7956C\"}], \"issuer\": \"kids permissions cosmetic\", \"serial_number\": \"mold afghanistan pine\", \"subject\": \"previous furthermore create\", \"version\": \"1.0.0\"}, \"digest\": {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"F28E98CA59479136BFC3E11371555CF78BDEDDF0332D62DD063B794024CC5C4FE13F9EA7BA6BCE31550B8B7DEFFB31BF20E54B6C1095A68E8E18A26F91C0E838\"}}, \"type\": \"Local Socket\", \"type_id\": 5}, \"integrity\": 
\"attempts strategy meetup\", \"lineage\": [\"tar optical per\", \"fixtures while coaches\"], \"loaded_modules\": [\"/frequently/tomatoes/one/trembl/trance.php\", \"/supposed/passwords/boutique/codes/coalition.txt\"], \"parent_process\": {\"cmd_line\": \"canon istanbul ears\", \"created_time\": 1695272181548, \"file\": {\"confidentiality\": \"smilies ethnic exclusively\", \"created_time\": 1695272181548, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"DF2FF56CB3BAC1E28C3FE0395F52F814539922A774E1B53793268DC61ADD718A6BEED6E464F3D3AB436A5F61A84B21F073DD534943FEFA40E0DAD92DF1C92874\"}], \"modified_time\": 1695272181548, \"name\": \"kathy.gpx\", \"parent_folder\": \"stake dame kw/bangladesh.tax2020\", \"path\": \"stake dame kw/bangladesh.tax2020/kathy.gpx\", \"type\": \"Symbolic Link\", \"type_id\": 7, \"version\": \"1.0.0\"}, \"integrity\": \"rage cloudy starts\", \"name\": \"Speed\", \"parent_process\": {\"cmd_line\": \"samuel affiliates stores\", \"created_time\": 1695272181548, \"file\": {\"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"25B732B3425CF8421A84FBE8E6EFA1AAF932AD4B\"}, {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"501A60A2B28BA8E6A95CE30C11877FDA\"}], \"name\": \"rpg.eps\", \"size\": 2219996466, \"type\": \"Unknown\", \"type_id\": 0}, \"lineage\": [\"locked feedback tank\", \"kuwait integrity messages\"], \"loaded_modules\": [\"/congo/hundreds/jerry/limousines/meanwhile.lua\", \"/employment/discounts/dg/company/colin.txt\"], \"name\": \"Forget\", \"parent_process\": {\"cmd_line\": \"hh officials patient\", \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Morris Antonio\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"D9C1ACF117657BB04A8309ECBD6F3771E4F5E0BBEB437019748FFB5028BDA1B7\"}], \"name\": \"transexual.kml\", \"owner\": 
{\"name\": \"Disappointed\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"357695ae-583b-11ee-a3e8-0242ac110005\"}, \"parent_folder\": \"robin imperial rugby/delicious.lua\", \"path\": \"robin imperial rugby/delicious.lua/transexual.kml\", \"product\": {\"lang\": \"en\", \"name\": \"receptors surgeons dui\", \"path\": \"joins roy in\", \"url_string\": \"bias\", \"vendor_name\": \"wonderful earning zealand\"}, \"type\": \"Local Socket\", \"type_id\": 5}, \"loaded_modules\": [\"/initial/example/lenders/manitoba/picked.mdf\"], \"name\": \"Part\", \"pid\": 72, \"sandbox\": \"new rt auto\", \"uid\": \"3576a6e8-583b-11ee-907e-0242ac110005\", \"user\": {\"name\": \"Tft\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"3576a274-583b-11ee-a3dc-0242ac110005\"}}, \"pid\": 6, \"sandbox\": \"proc budgets magnet\", \"uid\": \"35768726-583b-11ee-b021-0242ac110005\"}, \"pid\": 69, \"uid\": \"3576731c-583b-11ee-b4bb-0242ac110005\", \"user\": {\"credential_uid\": \"35766f02-583b-11ee-93b4-0242ac110005\", \"name\": \"Class\", \"org\": {\"name\": \"thumb perception casual\", \"ou_name\": \"russell martin tonight\", \"uid\": \"357668cc-583b-11ee-9bcd-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"3576639a-583b-11ee-a0a4-0242ac110005\", \"uid_alt\": \"acute vocals goat\"}}, \"pid\": 96, \"session\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"is_remote\": false, \"issuer\": \"information daisy computational\", \"uid\": \"35764ff4-583b-11ee-ad30-0242ac110005\"}, \"uid\": \"35764af4-583b-11ee-bfee-0242ac110005\", \"user\": {\"account\": {\"name\": \"gained oldest atomic\", \"type\": \"AWS IAM User\", \"type_id\": 3}, \"email_addr\": \"Ernie@drum.jobs\", \"full_name\": \"Margert Debbie\", \"name\": \"Intervals\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"357644a0-583b-11ee-b222-0242ac110005\"}}, \"pid\": 59, \"sandbox\": \"uk worth harmony\", \"tid\": 80, \"uid\": \"35761c82-583b-11ee-b824-0242ac110005\", \"user\": {\"domain\": 
\"sydney initiatives plymouth\", \"full_name\": \"Theron Augustine\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"35761822-583b-11ee-beb2-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 7, \"sandbox\": \"arbitration saturday very\", \"terminated_time\": 1695272181548, \"uid\": \"3575fdb0-583b-11ee-aeb9-0242ac110005\", \"user\": {\"full_name\": \"Katheryn Dario\", \"name\": \"Sec\", \"org\": {\"name\": \"delayed cables leads\", \"uid\": \"3575f964-583b-11ee-8c61-0242ac110005\"}, \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"3575f450-583b-11ee-b6bb-0242ac110005\", \"uid_alt\": \"room suicide poem\"}, \"xattributes\": {}}, \"pid\": 70, \"uid\": \"3575bbde-583b-11ee-a34c-0242ac110005\", \"user\": {\"groups\": [{\"name\": \"attention horrible saved\", \"type\": \"clinical integration find\"}], \"name\": \"Vehicles\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"3575b594-583b-11ee-ad61-0242ac110005\", \"uid_alt\": \"immigrants vegetables names\"}}, \"pid\": 51, \"tid\": 72, \"uid\": \"3575a158-583b-11ee-a0c1-0242ac110005\", \"user\": {\"email_addr\": \"Valene@water.aero\", \"name\": \"Wrapping\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"357599c4-583b-11ee-839a-0242ac110005\"}}, \"pid\": 64, \"sandbox\": \"ranked cookbook propecia\", \"uid\": \"35758902-583b-11ee-9a1c-0242ac110005\", \"user\": {\"name\": \"Gun\", \"org\": {\"name\": \"suitable bother k\", \"ou_name\": \"signals pixel questions\", \"uid\": \"357584f2-583b-11ee-b957-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": \"35757fde-583b-11ee-8426-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 24, \"tid\": 17, \"uid\": \"35756e18-583b-11ee-8658-0242ac110005\", \"user\": {\"account\": {\"name\": \"lisa avoiding grade\", \"type\": \"Mac OS Account\", \"type_id\": 7, \"uid\": \"35756968-583b-11ee-adc7-0242ac110005\"}, \"type\": \"dealer\", \"type_id\": 99, \"uid\": \"3575612a-583b-11ee-8729-0242ac110005\"}}",
+ "user": {
+ "groups": [
+ {
+ "name": "admissions throughout scope",
+ 
"uid": "357556c6-583b-11ee-a761-0242ac110005"
+ }
+ ],
+ "type": "Admin",
+ "type_id": "2"
+ }
+ },
+ "user": {
+ "account": {
+ "name": "findarticles awards error",
+ "type": "AWS IAM User",
+ "type_id": "3",
+ "uid": "357534b6-583b-11ee-acbb-0242ac110005"
+ },
+ "type": "User",
+ "type_id": "1",
+ "uid_alt": "mature botswana advisory"
+ }
+ },
+ "user": {
+ "type": "Admin",
+ "type_id": "2"
+ }
+ },
+ "category_name": "System Activity",
+ "category_uid": 1,
+ "class_name": "File System Activity",
+ "class_uid": "1001",
+ "create_mask": "lu hairy cases",
+ "device": {
+ "desc": "gene screens plenty",
+ "groups": [
+ {
+ "name": "stereo thousand cnet",
+ "uid": "357505d6-583b-11ee-8d50-0242ac110005"
+ },
+ {
+ "name": "spent disclaimer locks",
+ "privileges": [
+ "seems freeware tire"
+ ],
+ "uid": "3575019e-583b-11ee-8751-0242ac110005"
+ }
+ ],
+ "hypervisor": "barbados lcd electoral",
+ "image": {
+ "name": "aol interest statutes",
+ "path": "breaks contrary navigation",
+ "tag": "history afraid vcr",
+ "uid": "3574fc30-583b-11ee-a7af-0242ac110005"
+ },
+ "instance_uid": "3574eefc-583b-11ee-aedd-0242ac110005",
+ "interface_name": "cleveland households subsidiaries",
+ "interface_uid": "3574f352-583b-11ee-89fa-0242ac110005",
+ "is_managed": true,
+ "os": {
+ "sp_ver": "35",
+ "type": "HP-UX",
+ "type_id": "402"
+ },
+ "region": "survival statewide blog",
+ "subnet": "130.109.0.0/16",
+ "subnet_uid": "3574e7c2-583b-11ee-8763-0242ac110005",
+ "type_id": "8"
+ },
+ "enrichments": [
+ {
+ "data": "{\"professionals\": \"profess\"}",
+ "name": "universal ex rpg",
+ "provider": "dance avon fundamental",
+ "type": "concentrations sciences genuine",
+ "value": "participants managing combines"
+ },
+ {
+ "data": "{\"hill\": \"rfsvfdc\"}",
+ "name": "strip milton opened",
+ "provider": "held rounds tumor",
+ "type": "volunteers manufacturing argentina",
+ "value": "needs hopes taxation"
+ }
+ ],
+ "file": {
+ "hashes": [
+ {
+ "algorithm": "quickXorHash",
+ "algorithm_id": 
"7",
+ "value": "FA9D6D9F8C1E928F43F4CA3DEF6EC2D485AA60CDD4DF04348144D38434095D54EADA230FB5E8BE2A17FD91AEEFC38B4E2AD08D863F260E6244F56873701A53EE"
+ }
+ ],
+ "product": {
+ "name": "judgment mel mental",
+ "uid": "3576c3d0-583b-11ee-8a0f-0242ac110005",
+ "vendor_name": "isp semiconductor screens",
+ "version": "1.0.0"
+ },
+ "type_id": "666"
+ },
+ "metadata": {
+ "log_name": "benefits observe block",
+ "original_time": "basement receipt forces",
+ "product": {
+ "lang": "en",
+ "name": "frederick avoiding settlement",
+ "uid": "3574dd04-583b-11ee-9dd6-0242ac110005",
+ "url_string": "subscribers",
+ "vendor_name": "biographies charts a",
+ "version": "1.0.0"
+ },
+ "profiles": [],
+ "version": "1.0.0"
+ },
+ "severity": "High",
+ "status": "same",
+ "status_id": "99",
+ "timezone_offset": 14,
+ "type_name": "File System Activity: Rename",
+ "type_uid": "100105"
+ } } }
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_system_activity_2.json b/OCSF/ocsf/tests/test_system_activity_2.json
index ae7ac517f..aa3558a0e 100644
--- a/OCSF/ocsf/tests/test_system_activity_2.json
+++ b/OCSF/ocsf/tests/test_system_activity_2.json
@@ -27,6 +27,203 @@
 "provider": "locations pharmaceutical aa",
 "region": "card heroes blogging"
 },
- "ocsf": "{\"activity_id\": 2, \"activity_name\": \"Unload\", \"actor\": {\"process\": {\"cmd_line\": \"quest flashers qualifying\", \"file\": {\"confidentiality\": \"donated chapter runtime\", \"hashes\": [{\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"2EB64D601392F16BF21F01D7A9A66B62BC3DDC892394D8B44031A3B488A4F611F56951974C7601044DA53283AE3A774822583A678667AC1A5469561ADFC2CB22\"}], \"modified_time\": 1695272181548, \"name\": \"syntax.dds\", \"parent_folder\": \"cartoon watershed viewers/magazine.xls\", \"path\": \"cartoon watershed viewers/magazine.xls/syntax.dds\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3}, \"type\": \"Symbolic Link\", \"type_id\": 7}, \"integrity\": \"Untrusted\", \"integrity_id\": 1, \"name\": \"Complete\", \"namespace_pid\": 20, \"parent_process\": {\"cmd_line\": \"mere tft rules\", \"container\": {\"hash\": {\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"99402752D9F0ADEE2B8CB7268DC3FCBF7900B5491AEECBCF11718BBA6969507DF048B5A627AE37D63F6235C52A9FFB0A874DB6E542EFB0E17DD61FFF02543A1B\"}, \"image\": {\"name\": \"place questionnaire evil\", \"uid\": \"19e878de-61aa-11ee-8abe-0242ac110005\"}, \"name\": \"contains thriller incl\", \"network_driver\": \"balloon cj virtual\", \"runtime\": \"briefing portrait pj\", \"size\": 4086519029, \"uid\": \"19e86ef2-61aa-11ee-961e-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:02:50.212708Z\", \"integrity\": \"System\", \"integrity_id\": 5, \"name\": \"Fuzzy\", \"namespace_pid\": 34, \"parent_process\": {\"cmd_line\": \"valued leasing equilibrium\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"AACD3103F3F1FCAB0248F041A315AB6816C8A0E9\"}, \"size\": 2331695977, \"uid\": \"19e89a1c-61aa-11ee-930f-0242ac110005\"}, \"file\": {\"attributes\": 11, \"confidentiality\": \"outlook\", 
\"confidentiality_id\": 99, \"created_time_dt\": \"2023-10-03T05:02:50.206981Z\", \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"79B9213DDB8E561C9F5F0374719DBA7E55A481E720B75C53A12AF714880E51A4\"}, {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"C32B941D4ED063DE2F7FB1669124175ED90CDE46\"}], \"is_system\": true, \"name\": \"unlimited.wmv\", \"product\": {\"lang\": \"en\", \"name\": \"astrology musical magic\", \"uid\": \"19e88b3a-61aa-11ee-a044-0242ac110005\", \"vendor_name\": \"logos texture jews\", \"version\": \"1.0.0\"}, \"type\": \"huntington\", \"type_id\": 99, \"version\": \"1.0.0\"}, \"integrity\": \"System\", \"integrity_id\": 5, \"lineage\": [\"layer rachel performed\"], \"loaded_modules\": [\"/faith/cbs/hispanic/lancaster/ncaa.swf\", \"/pulled/consecutive/treatment/myself/pittsburgh.wav\"], \"name\": \"Pt\", \"namespace_pid\": 75, \"parent_process\": {\"cmd_line\": \"vendor laptops germany\", \"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"BBC85ACA84E370B3CD546CED854C6725D3242C1E1E174F6B4A803754254A38359A7A4CA50F4AD39E07AE04452C28859CAE5DB5FAF8D68075026A04F2C026726C\"}, \"image\": {\"labels\": [\"aka\"], \"name\": \"puzzles conditions sequences\", \"uid\": \"19e94566-61aa-11ee-9d6d-0242ac110005\"}, \"name\": \"patients couple tmp\", \"orchestrator\": \"helping cork mortality\", \"runtime\": \"jul tommy um\", \"size\": 1196597453, \"uid\": \"19e93ddc-61aa-11ee-8ac2-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Marie Enoch\", \"creator\": {\"name\": \"Journals\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"19e8c136-61aa-11ee-8148-0242ac110005\"}, \"desc\": \"referrals nottingham communication\", \"modified_time_dt\": \"2023-10-03T05:02:50.208298Z\", \"modifier\": {\"name\": \"Resistant\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"19e8ac78-61aa-11ee-a8f4-0242ac110005\"}, \"name\": \"jefferson.cbr\", \"parent_folder\": \"vacations 
floppy slides/crack.cs\", \"path\": \"vacations floppy slides/crack.cs/jefferson.cbr\", \"size\": 3328615981, \"type\": \"Unknown\", \"type_id\": 0}, \"integrity\": \"five priest needle\", \"name\": \"Clinton\", \"namespace_pid\": 94, \"parent_process\": {\"cmd_line\": \"front accommodate advocate\", \"container\": {\"hash\": {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"DE46E578D10170889D94C44F29A8357C36E325D960A26A598ED7022BD1E1EDAD4B7C9E676EF5EED4AE64B21998EE85F24AFBB1A8DE06CD5B385EFE4AB1185F90\"}, \"image\": {\"name\": \"obituaries seeing judgment\", \"path\": \"fit slightly ja\", \"uid\": \"19e96b36-61aa-11ee-97e4-0242ac110005\"}, \"name\": \"finest world pontiac\", \"orchestrator\": \"vp bridal testimonials\", \"size\": 55618839, \"uid\": \"19e964b0-61aa-11ee-86d6-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"9FD540B749A6D9C916406C5F4EB228F85F9FC35B5769F67886F778ACFE23F9DA44D2AA1E26E09B2EC8942215CD4C9DE71D9A27F539FC4E753E44181F1DA6899D\"}], \"mime_type\": \"transcription/warned\", \"name\": \"fixes.c\", \"parent_folder\": \"retro earthquake teachers/corruption.kml\", \"path\": \"retro earthquake teachers/corruption.kml/fixes.c\", \"type\": \"Folder\", \"type_id\": 2}, \"name\": \"Sms\", \"namespace_pid\": 19, \"pid\": 52, \"session\": {\"created_time\": 1695272181548, \"is_remote\": false, \"uid\": \"19e95e70-61aa-11ee-bf06-0242ac110005\"}, \"terminated_time\": 1695272181548, \"uid\": \"19e95920-61aa-11ee-a247-0242ac110005\"}, \"pid\": 77, \"terminated_time_dt\": \"2023-10-03T05:02:50.212696Z\", \"uid\": \"19e8e4fe-61aa-11ee-869a-0242ac110005\", \"user\": {\"email_addr\": \"Johnette@flexibility.biz\", \"full_name\": \"Glayds Glenda\", \"name\": \"Nudist\", \"type\": \"directories\", \"type_id\": 99, \"uid\": \"19e8cb2c-61aa-11ee-8668-0242ac110005\", \"uid_alt\": \"facts local za\"}}, \"pid\": 53, \"uid\": \"19e89346-61aa-11ee-bb7f-0242ac110005\"}, \"pid\": 7, 
\"terminated_time\": 1695272181548, \"uid\": \"19e86420-61aa-11ee-92e5-0242ac110005\"}, \"pid\": 50, \"sandbox\": \"homes bachelor reach\", \"terminated_time_dt\": \"2023-10-03T05:02:50.212738Z\", \"uid\": \"19e85aa2-61aa-11ee-9863-0242ac110005\", \"user\": {\"domain\": \"settle most mf\", \"full_name\": \"Fae Brendan\", \"name\": \"Pursue\", \"org\": {\"name\": \"contributions agents displayed\", \"ou_name\": \"with cpu scout\", \"uid\": \"19e854e4-61aa-11ee-b27b-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": \"19e84346-61aa-11ee-82b4-0242ac110005\"}, \"xattributes\": {}}, \"user\": {\"name\": \"Fellowship\", \"org\": {\"name\": \"ali authors bacterial\", \"ou_name\": \"ebay october staff\", \"uid\": \"19e9c5d6-61aa-11ee-96f2-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"19e97d92-61aa-11ee-b56a-0242ac110005\"}}, \"api\": {\"operation\": \"glucose spyware trustees\", \"request\": {\"flags\": [\"development suddenly affiliate\", \"blind putting connectors\"], \"uid\": \"19e78050-61aa-11ee-81a3-0242ac110005\"}, \"response\": {\"code\": 48, \"error\": \"storm edwards gateway\", \"error_message\": \"retro wood cheese\", \"message\": \"ac apnic applicants\"}}, \"attacks\": [{\"tactics\": [{\"name\": \"Command and Control The adversary is trying to communicate with compromised systems to control them.\", \"uid\": \"TA0011\"}], \"technique\": {\"name\": \"Two-Factor Authentication Interception\", \"uid\": \"T1111\"}, \"version\": \"12.1\"}, {\"tactics\": [{\"name\": \"Credential Access The adversary is trying to steal account names and passwords.\", \"uid\": \"TA0006\"}, {\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}], \"technique\": {\"name\": \"Multiband Communication\", \"uid\": \"T1026\"}, \"version\": \"12.1\"}], \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Kernel Extension Activity\", \"class_uid\": 1002, \"cloud\": {\"org\": {\"name\": \"virus 
legislative schemes\", \"ou_name\": \"aus radical chess\", \"ou_uid\": \"19e79b26-61aa-11ee-bc41-0242ac110005\", \"uid\": \"19e79248-61aa-11ee-83d4-0242ac110005\"}, \"provider\": \"locations pharmaceutical aa\", \"region\": \"card heroes blogging\"}, \"device\": {\"first_seen_time\": 1695272181548, \"hostname\": \"founded.pro\", \"hypervisor\": \"consoles voting wellington\", \"image\": {\"name\": \"casinos my pacific\", \"uid\": \"19e81448-61aa-11ee-bc86-0242ac110005\"}, \"instance_uid\": \"19e7f62a-61aa-11ee-ace6-0242ac110005\", \"interface_name\": \"see namespace chef\", \"interface_uid\": \"19e80ce6-61aa-11ee-bfc1-0242ac110005\", \"ip\": \"81.2.69.142\", \"is_compliant\": true, \"modified_time_dt\": \"2023-10-03T05:02:50.203874Z\", \"name\": \"madagascar made stability\", \"region\": \"pledge cod growth\", \"type\": \"IOT\", \"type_id\": 7, \"uid\": \"19e7faee-61aa-11ee-a8f6-0242ac110005\"}, \"disposition\": \"Corrected\", \"disposition_id\": 11, \"driver\": {\"file\": {\"accessed_time\": 1695272181548, \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"AD3638015A285E049F3EC3B5E96251E3D84A6B834297290B20EF11FE7A6244828ED6FC9E0489232D7B3358C785AA96C87A77266713AD2FB1978142C9CFFD4BF8\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"A47AC519441CF481779776ED56ADE421DEE3E26D0134CAE10E1A518591CCA7AB105D38FE20C7E07843149FF290C536A9E4B0507095FD8A744AF530741D2427B7\"}], \"mime_type\": \"punishment/gaps\", \"name\": \"rail.m\", \"parent_folder\": \"worst jay funds/plc.deskthemepack\", \"path\": \"worst jay funds/plc.deskthemepack/rail.m\", \"type\": \"earning\", \"type_id\": 99, \"uid\": \"19e82104-61aa-11ee-8d53-0242ac110005\"}}, \"duration\": 56, \"message\": \"allan juice leader\", \"metadata\": {\"extension\": {\"name\": \"pirates went connecting\", \"uid\": \"19e7a6de-61aa-11ee-b198-0242ac110005\", \"version\": \"1.0.0\"}, \"log_name\": \"louisville displaying universities\", \"log_provider\": \"officially vehicles 
incorporated\", \"original_time\": \"bodies jenny chris\", \"product\": {\"lang\": \"en\", \"name\": \"completed longer likes\", \"path\": \"jc rim ranch\", \"uid\": \"19e7b8b8-61aa-11ee-b357-0242ac110005\", \"url_string\": \"placing\", \"vendor_name\": \"lcd belong academics\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"uid\": \"19e7be44-61aa-11ee-919d-0242ac110005\", \"version\": \"1.0.0\"}, \"severity\": \"Low\", \"severity_id\": 2, \"status\": \"Unknown\", \"status_detail\": \"tablets vernon opinion\", \"status_id\": 0, \"time\": 1695272181548, \"timezone_offset\": 26, \"type_name\": \"Kernel Extension Activity: Unload\", \"type_uid\": 100202}"
+ "ocsf": {
+ "activity_id": 2,
+ "activity_name": "Unload",
+ "actor": {
+ "process": {
+ "file": {
+ "confidentiality": "donated chapter runtime",
+ "hashes": [
+ {
+ "algorithm": "Unknown",
+ "algorithm_id": "0",
+ "value": "2EB64D601392F16BF21F01D7A9A66B62BC3DDC892394D8B44031A3B488A4F611F56951974C7601044DA53283AE3A774822583A678667AC1A5469561ADFC2CB22"
+ }
+ ],
+ "signature": {
+ "algorithm": "ECDSA",
+ "algorithm_id": "3"
+ },
+ "type_id": "7"
+ },
+ "integrity": "Untrusted",
+ "integrity_id": "1",
+ "namespace_pid": 20,
+ "parent_process": {
+ "container": {
+ "hash": {
+ "algorithm": "SHA-512",
+ "algorithm_id": "4",
+ "value": "99402752D9F0ADEE2B8CB7268DC3FCBF7900B5491AEECBCF11718BBA6969507DF048B5A627AE37D63F6235C52A9FFB0A874DB6E542EFB0E17DD61FFF02543A1B"
+ },
+ "image": {
+ "name": "place questionnaire evil",
+ "uid": "19e878de-61aa-11ee-8abe-0242ac110005"
+ },
+ "name": "contains thriller incl",
+ "network_driver": "balloon cj virtual",
+ "runtime": "briefing portrait pj",
+ "size": 4086519029,
+ "uid": "19e86ef2-61aa-11ee-961e-0242ac110005"
+ },
+ "created_time_dt": "2023-10-03T05:02:50.212708Z",
+ "integrity": "System",
+ "integrity_id": "5",
+ "namespace_pid": 34,
+ "parent_process": "{\"cmd_line\": \"valued leasing equilibrium\", 
\"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"AACD3103F3F1FCAB0248F041A315AB6816C8A0E9\"}, \"size\": 2331695977, \"uid\": \"19e89a1c-61aa-11ee-930f-0242ac110005\"}, \"file\": {\"attributes\": 11, \"confidentiality\": \"outlook\", \"confidentiality_id\": 99, \"created_time_dt\": \"2023-10-03T05:02:50.206981Z\", \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"79B9213DDB8E561C9F5F0374719DBA7E55A481E720B75C53A12AF714880E51A4\"}, {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"C32B941D4ED063DE2F7FB1669124175ED90CDE46\"}], \"is_system\": true, \"name\": \"unlimited.wmv\", \"product\": {\"lang\": \"en\", \"name\": \"astrology musical magic\", \"uid\": \"19e88b3a-61aa-11ee-a044-0242ac110005\", \"vendor_name\": \"logos texture jews\", \"version\": \"1.0.0\"}, \"type\": \"huntington\", \"type_id\": 99, \"version\": \"1.0.0\"}, \"integrity\": \"System\", \"integrity_id\": 5, \"lineage\": [\"layer rachel performed\"], \"loaded_modules\": [\"/faith/cbs/hispanic/lancaster/ncaa.swf\", \"/pulled/consecutive/treatment/myself/pittsburgh.wav\"], \"name\": \"Pt\", \"namespace_pid\": 75, \"parent_process\": {\"cmd_line\": \"vendor laptops germany\", \"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"BBC85ACA84E370B3CD546CED854C6725D3242C1E1E174F6B4A803754254A38359A7A4CA50F4AD39E07AE04452C28859CAE5DB5FAF8D68075026A04F2C026726C\"}, \"image\": {\"labels\": [\"aka\"], \"name\": \"puzzles conditions sequences\", \"uid\": \"19e94566-61aa-11ee-9d6d-0242ac110005\"}, \"name\": \"patients couple tmp\", \"orchestrator\": \"helping cork mortality\", \"runtime\": \"jul tommy um\", \"size\": 1196597453, \"uid\": \"19e93ddc-61aa-11ee-8ac2-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Marie Enoch\", \"creator\": {\"name\": \"Journals\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"19e8c136-61aa-11ee-8148-0242ac110005\"}, \"desc\": \"referrals 
nottingham communication\", \"modified_time_dt\": \"2023-10-03T05:02:50.208298Z\", \"modifier\": {\"name\": \"Resistant\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"19e8ac78-61aa-11ee-a8f4-0242ac110005\"}, \"name\": \"jefferson.cbr\", \"parent_folder\": \"vacations floppy slides/crack.cs\", \"path\": \"vacations floppy slides/crack.cs/jefferson.cbr\", \"size\": 3328615981, \"type\": \"Unknown\", \"type_id\": 0}, \"integrity\": \"five priest needle\", \"name\": \"Clinton\", \"namespace_pid\": 94, \"parent_process\": {\"cmd_line\": \"front accommodate advocate\", \"container\": {\"hash\": {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"DE46E578D10170889D94C44F29A8357C36E325D960A26A598ED7022BD1E1EDAD4B7C9E676EF5EED4AE64B21998EE85F24AFBB1A8DE06CD5B385EFE4AB1185F90\"}, \"image\": {\"name\": \"obituaries seeing judgment\", \"path\": \"fit slightly ja\", \"uid\": \"19e96b36-61aa-11ee-97e4-0242ac110005\"}, \"name\": \"finest world pontiac\", \"orchestrator\": \"vp bridal testimonials\", \"size\": 55618839, \"uid\": \"19e964b0-61aa-11ee-86d6-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"9FD540B749A6D9C916406C5F4EB228F85F9FC35B5769F67886F778ACFE23F9DA44D2AA1E26E09B2EC8942215CD4C9DE71D9A27F539FC4E753E44181F1DA6899D\"}], \"mime_type\": \"transcription/warned\", \"name\": \"fixes.c\", \"parent_folder\": \"retro earthquake teachers/corruption.kml\", \"path\": \"retro earthquake teachers/corruption.kml/fixes.c\", \"type\": \"Folder\", \"type_id\": 2}, \"name\": \"Sms\", \"namespace_pid\": 19, \"pid\": 52, \"session\": {\"created_time\": 1695272181548, \"is_remote\": false, \"uid\": \"19e95e70-61aa-11ee-bf06-0242ac110005\"}, \"terminated_time\": 1695272181548, \"uid\": \"19e95920-61aa-11ee-a247-0242ac110005\"}, \"pid\": 77, \"terminated_time_dt\": \"2023-10-03T05:02:50.212696Z\", \"uid\": \"19e8e4fe-61aa-11ee-869a-0242ac110005\", \"user\": {\"email_addr\": 
\"Johnette@flexibility.biz\", \"full_name\": \"Glayds Glenda\", \"name\": \"Nudist\", \"type\": \"directories\", \"type_id\": 99, \"uid\": \"19e8cb2c-61aa-11ee-8668-0242ac110005\", \"uid_alt\": \"facts local za\"}}, \"pid\": 53, \"uid\": \"19e89346-61aa-11ee-bb7f-0242ac110005\"}" + }, + "sandbox": "homes bachelor reach", + "terminated_time_dt": "2023-10-03T05:02:50.212738Z", + "user": { + "org": { + "name": "contributions agents displayed", + "ou_name": "with cpu scout", + "uid": "19e854e4-61aa-11ee-b27b-0242ac110005" + }, + "type": "User", + "type_id": "1" + }, + "xattributes": "{}" + }, + "user": { + "org": { + "name": "ali authors bacterial", + "ou_name": "ebay october staff", + "uid": "19e9c5d6-61aa-11ee-96f2-0242ac110005" + }, + "type": "Admin", + "type_id": "2" + } + }, + "api": { + "operation": "glucose spyware trustees", + "request": { + "flags": [ + "blind putting connectors", + "development suddenly affiliate" + ], + "uid": "19e78050-61aa-11ee-81a3-0242ac110005" + }, + "response": { + "code": 48, + "error": "storm edwards gateway", + "error_message": "retro wood cheese", + "message": "ac apnic applicants" + } + }, + "attacks": [ + { + "tactics": [ + { + "name": "Command and Control The adversary is trying to communicate with compromised systems to control them.", + "uid": "TA0011" + } + ], + "technique": { + "name": "Two-Factor Authentication Interception", + "uid": "T1111" + }, + "version": "12.1" + }, + { + "tactics": [ + { + "name": "Credential Access The adversary is trying to steal account names and passwords.", + "uid": "TA0006" + }, + { + "name": "Discovery The adversary is trying to figure out your environment.", + "uid": "TA0007" + } + ], + "technique": { + "name": "Multiband Communication", + "uid": "T1026" + }, + "version": "12.1" + } + ], + "category_name": "System Activity", + "category_uid": 1, + "class_name": "Kernel Extension Activity", + "class_uid": "1002", + "cloud": { + "org": { + "name": "virus legislative schemes", + "ou_name": "aus 
radical chess", + "ou_uid": "19e79b26-61aa-11ee-bc41-0242ac110005", + "uid": "19e79248-61aa-11ee-83d4-0242ac110005" + } + }, + "device": { + "first_seen_time": 1695272181548, + "hypervisor": "consoles voting wellington", + "image": { + "name": "casinos my pacific", + "uid": "19e81448-61aa-11ee-bc86-0242ac110005" + }, + "instance_uid": "19e7f62a-61aa-11ee-ace6-0242ac110005", + "interface_name": "see namespace chef", + "interface_uid": "19e80ce6-61aa-11ee-bfc1-0242ac110005", + "is_compliant": true, + "modified_time_dt": "2023-10-03T05:02:50.203874Z", + "region": "pledge cod growth", + "type_id": "7" + }, + "disposition": "Corrected", + "disposition_id": "11", + "driver": { + "file": { + "hashes": [ + { + "algorithm": "quickXorHash", + "algorithm_id": "7", + "value": "AD3638015A285E049F3EC3B5E96251E3D84A6B834297290B20EF11FE7A6244828ED6FC9E0489232D7B3358C785AA96C87A77266713AD2FB1978142C9CFFD4BF8" + }, + { + "algorithm": "Unknown", + "algorithm_id": "0", + "value": "A47AC519441CF481779776ED56ADE421DEE3E26D0134CAE10E1A518591CCA7AB105D38FE20C7E07843149FF290C536A9E4B0507095FD8A744AF530741D2427B7" + } + ], + "type_id": "99" + } + }, + "duration": 56, + "metadata": { + "extension": { + "name": "pirates went connecting", + "uid": "19e7a6de-61aa-11ee-b198-0242ac110005", + "version": "1.0.0" + }, + "log_name": "louisville displaying universities", + "original_time": "bodies jenny chris", + "product": { + "lang": "en", + "name": "completed longer likes", + "path": "jc rim ranch", + "uid": "19e7b8b8-61aa-11ee-b357-0242ac110005", + "url_string": "placing", + "vendor_name": "lcd belong academics", + "version": "1.0.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "security_control" + ], + "version": "1.0.0" + }, + "severity": "Low", + "status": "Unknown", + "status_detail": "tablets vernon opinion", + "status_id": "0", + "timezone_offset": 26, + "type_name": "Kernel Extension Activity: Unload", + "type_uid": "100202" + } } } \ No newline at end of file 
diff --git a/OCSF/ocsf/tests/test_system_activity_3.json b/OCSF/ocsf/tests/test_system_activity_3.json
index 2374373ca..291570a4f 100644
--- a/OCSF/ocsf/tests/test_system_activity_3.json
+++ b/OCSF/ocsf/tests/test_system_activity_3.json
@@ -28,6 +28,247 @@ "provider": "newman banned showcase", "region": "realized remarkable accompanied" }, - "ocsf": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"actor\": {\"idp\": {\"name\": \"rachel grey swiss\", \"uid\": \"6193b0ca-61ac-11ee-b37d-0242ac110005\"}, \"invoked_by\": \"substitute choice extent\", \"process\": {\"cmd_line\": \"fy believed resolutions\", \"container\": {\"hash\": {\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"F19FE42A1B9BB9BBFC77F8F0A52EC5C411DC9200836F0C5D41A56543D8951D5AD8A1FA6F248A975A90B28E8B5268C50F220F5CAE2B47F74A204FB47E835AAE80\"}, \"image\": {\"labels\": [\"maybe\"], \"name\": \"ac tcp helen\", \"uid\": \"61927e30-61ac-11ee-ab18-0242ac110005\"}, \"name\": \"transaction titans lucky\", \"runtime\": \"justify red wit\", \"size\": 4198558845, \"tag\": \"gambling romance place\", \"uid\": \"61927746-61ac-11ee-b13c-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:19:09.439688Z\", \"file\": {\"confidentiality\": \"tulsa\", \"confidentiality_id\": 99, \"hashes\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"C3BD5B24A4E0467F267EEA0A0378CB224839993F4AEB1BF9A9F519E8484E9A16344FE367E55D08DED2F892D80577FD485A3BC5CA66EB0AE7C1CFA0B33586E766\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"FEBD25D9812320828D7312326E19250E4439A6A99BCB4C740A8308671F571A6707A6D2A5A6066EB0DAA87071D23BE71ED56EAFF115D8AEAACEA125D283F45963\"}], \"name\": \"word.drv\", \"parent_folder\": \"cigarette until wc/ls.c\", \"path\": \"cigarette until wc/ls.c/word.drv\", \"security_descriptor\": \"hospitality conclusions wires\", \"size\": 2389716033, \"type\": \"Unknown\", \"type_id\": 0, \"version\": \"1.0.0\", \"xattributes\": {}}, \"name\": \"Covering\", \"namespace_pid\": 6, \"parent_process\": {\"cmd_line\": \"volunteer trustees tax\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"B85EC314BF443B797EF8A66B3B03F8A4\"}, \"image\": 
{\"name\": \"occupations pie meanwhile\", \"uid\": \"6192b990-61ac-11ee-b095-0242ac110005\"}, \"name\": \"stood moms serving\", \"pod_uuid\": \"effectiveness\", \"size\": 1947076520, \"uid\": \"6192b44a-61ac-11ee-a1ac-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Latisha Billye\", \"creator\": {\"name\": \"Remain\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"61929852-61ac-11ee-b767-0242ac110005\", \"uid_alt\": \"limitations compound viewer\"}, \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"C6141BDD46728A85659C19E84135237C41908EF3\"}], \"name\": \"hazard.aif\", \"owner\": {\"email_addr\": \"Ryann@libraries.store\", \"name\": \"Principle\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"6192910e-61ac-11ee-9b83-0242ac110005\"}, \"parent_folder\": \"seeds divx firefox/kirk.cbr\", \"path\": \"seeds divx firefox/kirk.cbr/hazard.aif\", \"type\": \"Symbolic Link\", \"type_id\": 7}, \"name\": \"Elect\", \"namespace_pid\": 64, \"parent_process\": {\"cmd_line\": \"arlington charger skins\", \"created_time\": 1695272181548, \"file\": {\"attributes\": 21, \"desc\": \"fruit hop dean\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"8A1AB46C5F0A7BC9F0562A16DEBAB8746A8BEF57920B6FE78D0B18EE49175C8F8CC8CD5F02E37B486B4CA85EBA2B18558E2D171B09545BB234AD29AB09936187\"}], \"is_system\": false, \"modified_time_dt\": \"2023-10-03T05:19:09.434332Z\", \"modifier\": {\"email_addr\": \"Winona@teens.web\", \"name\": \"Few\", \"type\": \"System\", \"type_id\": 3}, \"name\": \"interests.png\", \"parent_folder\": \"wagon workforce whatever/boundaries.bat\", \"path\": \"wagon workforce whatever/boundaries.bat/interests.png\", \"type\": \"Symbolic Link\", \"type_id\": 7}, \"name\": \"Rugs\", \"namespace_pid\": 65, \"parent_process\": {\"cmd_line\": \"trinity comfort varieties\", \"created_time\": 1695272181548, \"file\": {\"accessed_time_dt\": \"2023-10-03T05:19:09.435701Z\", \"modifier\": {\"account\": 
{\"name\": \"lose fotos fraction\", \"type\": \"Azure AD Account\", \"type_id\": 6}, \"name\": \"Spots\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"6192f6bc-61ac-11ee-9638-0242ac110005\"}, \"name\": \"border.bmp\", \"parent_folder\": \"exterior quick striking/females.cpp\", \"path\": \"exterior quick striking/females.cpp/border.bmp\", \"product\": {\"lang\": \"en\", \"name\": \"democratic announcement crime\", \"uid\": \"6192ff54-61ac-11ee-9d07-0242ac110005\", \"vendor_name\": \"three schema bench\", \"version\": \"1.0.0\"}, \"type\": \"Local Socket\", \"type_id\": 5, \"version\": \"1.0.0\"}, \"loaded_modules\": [\"/te/ut/obviously/inform/assignment.cue\", \"/clicks/importance/raw/agenda/soccer.js\"], \"name\": \"Infant\", \"namespace_pid\": 54, \"parent_process\": {\"cmd_line\": \"italian kid properly\", \"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"A34D9E58DB53A2451A09B961F644E04C794AEFD5AF71BB6785BF8D771D1BC27EABC888BE87A7B3E92BB750215FC097CEB0FD238D44C5494F35746A4A9A0B4159\"}, \"image\": {\"name\": \"assessments effects soap\", \"uid\": \"61934414-61ac-11ee-943e-0242ac110005\"}, \"name\": \"additions wyoming weekly\", \"pod_uuid\": \"hear\", \"size\": 3239910166, \"tag\": \"practical metals respected\", \"uid\": \"61933e06-61ac-11ee-8e9b-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessed_time\": 1695272181548, \"confidentiality\": \"keeps integrate specifies\", \"created_time_dt\": \"2023-10-03T05:19:09.436838Z\", \"desc\": \"floating told foul\", \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"5A4194525971186E774FC3205628B611B5CCCE42\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"11BA65852271CD24C56C865A9635B90616326949FF2BF6CD07EACAF788BAD320\"}], \"name\": \"outline.msg\", \"parent_folder\": \"visiting guide believe/intense.rss\", \"path\": \"visiting guide believe/intense.rss/outline.msg\", \"security_descriptor\": \"chance gmc ghana\", 
\"type\": \"Unknown\", \"type_id\": 0, \"xattributes\": {}}, \"integrity\": \"High\", \"integrity_id\": 4, \"lineage\": [\"picked purchase freelance\", \"scripts hybrid worked\"], \"name\": \"Valid\", \"namespace_pid\": 65, \"parent_process\": {\"cmd_line\": \"injured metabolism martha\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"EA07DCC807FFE0D653259BB7C0DE7E6F136D741B4596E3E11BD60E98F38FE0B5\"}, \"image\": {\"labels\": [\"put\", \"experience\"], \"name\": \"versions soc fifteen\", \"tag\": \"actors des guardian\", \"uid\": \"61939900-61ac-11ee-89bb-0242ac110005\"}, \"name\": \"optimize unsigned reforms\", \"size\": 1197726829, \"uid\": \"619392fc-61ac-11ee-95a0-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Courtney Kendal\", \"created_time_dt\": \"2023-10-03T05:19:09.438101Z\", \"hashes\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"7653C24F6B758E09C2F78D41ED16D4D98AC9589616AA7DDE3CE38AC3018F86F726082E5D7895E732CB2D0C979A4B85FE853F95A815DF845615257B5A82F05144\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"1D5072F894A9D4122CBB317567CA88F6EAF3C8B645271C7E86EF241EBC1EBA51\"}], \"mime_type\": \"reflects/shore\", \"modifier\": {\"full_name\": \"Calvin Marquitta\", \"name\": \"Feelings\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"61935512-61ac-11ee-9f87-0242ac110005\"}, \"name\": \"comes.css\", \"parent_folder\": \"death payday queens/fleece.app\", \"path\": \"death payday queens/fleece.app/comes.css\", \"product\": {\"lang\": \"en\", \"uid\": \"61935b2a-61ac-11ee-9f18-0242ac110005\", \"vendor_name\": \"marie stays nested\", \"version\": \"1.0.0\"}, \"type\": \"Local Socket\", \"type_id\": 5}, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"loaded_modules\": [\"/handbook/great/egyptian/guestbook/died.bat\", \"/matrix/ecommerce/management/just/songs.dcr\"], \"name\": \"Si\", \"namespace_pid\": 54, \"terminated_time_dt\": 
\"2023-10-03T05:19:09.439671Z\", \"tid\": 9, \"uid\": \"6193888e-61ac-11ee-92f7-0242ac110005\", \"user\": {\"credential_uid\": \"61938474-61ac-11ee-8547-0242ac110005\", \"email_addr\": \"Ilana@moses.firm\", \"groups\": [{\"name\": \"tires online movement\", \"privileges\": [\"jan hindu collectible\", \"competitors antique disc\"], \"uid\": \"61937b46-61ac-11ee-8129-0242ac110005\"}, {\"name\": \"raymond shirts techno\", \"uid\": \"619380aa-61ac-11ee-9e69-0242ac110005\"}], \"org\": {\"name\": \"msgstr et pure\", \"ou_name\": \"mg usa blair\", \"uid\": \"619374a2-61ac-11ee-8d19-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"61936e76-61ac-11ee-aa0d-0242ac110005\", \"uid_alt\": \"serbia named dns\"}}, \"pid\": 27, \"uid\": \"61933410-61ac-11ee-8072-0242ac110005\", \"user\": {\"full_name\": \"Alfredo Pauline\", \"name\": \"Swing\", \"type\": \"User\", \"type_id\": 1}}, \"pid\": 92, \"tid\": 60, \"uid\": \"61931cbe-61ac-11ee-b447-0242ac110005\", \"user\": {\"credential_uid\": \"619318cc-61ac-11ee-82d0-0242ac110005\", \"name\": \"Fires\", \"org\": {\"name\": \"nationwide yea yoga\", \"ou_name\": \"meeting kiss first\", \"uid\": \"6193126e-61ac-11ee-9d91-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": \"61930b98-61ac-11ee-bb18-0242ac110005\"}}, \"pid\": 77, \"session\": {\"created_time\": 1695272181548, \"is_remote\": true, \"issuer\": \"covers advise flux\", \"uid\": \"6192e51e-61ac-11ee-8c76-0242ac110005\"}, \"terminated_time\": 1695272181548, \"uid\": \"6192dff6-61ac-11ee-89c7-0242ac110005\", \"user\": {\"account\": {\"name\": \"peer amounts pros\", \"type\": \"AWS IAM User\", \"type_id\": 3, \"uid\": \"6192dbaa-61ac-11ee-8151-0242ac110005\"}, \"name\": \"Structured\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"6192d272-61ac-11ee-ae27-0242ac110005\", \"uid_alt\": \"allocation vector lexus\"}}, \"uid\": \"6192ac3e-61ac-11ee-a0ed-0242ac110005\", \"user\": {\"org\": {\"name\": \"lexus porcelain february\", \"ou_name\": \"realm lesson 
pal\", \"uid\": \"6192a810-61ac-11ee-bb74-0242ac110005\"}, \"type\": \"System\", \"type_id\": 3, \"uid\": \"6192a298-61ac-11ee-a78f-0242ac110005\"}}, \"pid\": 91, \"tid\": 36, \"uid\": \"6192707a-61ac-11ee-ac88-0242ac110005\", \"user\": {\"credential_uid\": \"61926cce-61ac-11ee-8202-0242ac110005\", \"full_name\": \"Winifred Idell\", \"name\": \"Beth\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"6192672e-61ac-11ee-a3c0-0242ac110005\"}}, \"session\": {\"created_time\": 1695272181548, \"issuer\": \"conventional tar relay\", \"uid\": \"6193ab66-61ac-11ee-b4d7-0242ac110005\"}, \"user\": {\"name\": \"Affect\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"6193a4e0-61ac-11ee-9d49-0242ac110005\"}}, \"attacks\": [{\"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}, {\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}, {\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}], \"technique\": {\"name\": \"Data Manipulation\", \"uid\": \"T1565\"}, \"version\": \"12.1\"}, {\"tactics\": [{\"name\": \"Initial Access | The adversary is trying to get into your network.\", \"uid\": \"TA0001\"}, {\"name\": \"Credential Access The adversary is trying to steal account names and passwords.\", \"uid\": \"TA0006\"}, {\"name\": \"Persistence The adversary is trying to maintain their foothold.\", \"uid\": \"TA0003\"}], \"technique\": {\"name\": \"LSA Secrets\", \"uid\": \"T1003.004\"}, \"version\": \"12.1\"}], \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Kernel Activity\", \"class_uid\": 1003, \"cloud\": {\"provider\": \"newman banned showcase\", \"region\": \"realized remarkable accompanied\", \"zone\": \"friend drops those\"}, \"device\": {\"autoscale_uid\": \"6191f41a-61ac-11ee-b68a-0242ac110005\", \"desc\": \"recommendations norman 
ventures\", \"first_seen_time\": 1695272181548, \"first_seen_time_dt\": \"2023-10-03T05:19:09.429787Z\", \"hostname\": \"indexes.jobs\", \"hw_info\": {\"bios_manufacturer\": \"newman marble developed\", \"serial_number\": \"dave cst enlarge\"}, \"instance_uid\": \"61921fda-61ac-11ee-ad02-0242ac110005\", \"interface_name\": \"local rules scholarship\", \"interface_uid\": \"61922b1a-61ac-11ee-afbc-0242ac110005\", \"ip\": \"81.2.69.142\", \"name\": \"owned flyer thinkpad\", \"network_interfaces\": [{\"hostname\": \"motherboard.info\", \"ip\": \"81.2.69.142\", \"mac\": \"CE:92:5B:C1:90:45:60:31\", \"name\": \"hewlett dozens asthma\", \"subnet_prefix\": 8, \"type\": \"Mobile\", \"type_id\": 3}], \"region\": \"without featured amazon\", \"risk_level\": \"familiar motorcycles wild\", \"type\": \"Browser\", \"type_id\": 8, \"uid\": \"619223f4-61ac-11ee-9c42-0242ac110005\", \"vpc_uid\": \"619230c4-61ac-11ee-8fa9-0242ac110005\"}, \"disposition\": \"recipes\", \"disposition_id\": 99, \"duration\": 24, \"kernel\": {\"name\": \"summaries cornell blowing\", \"type\": \"System Call\", \"type_id\": 2}, \"message\": \"compile oasis hazards\", \"metadata\": {\"log_name\": \"inkjet klein mechanical\", \"log_provider\": \"any alexander rolling\", \"log_version\": \"receptor literally shut\", \"modified_time\": 1695272181548, \"modified_time_dt\": \"2023-10-03T05:19:09.427926Z\", \"original_time\": \"jewish ethiopia invitation\", \"product\": {\"lang\": \"en\", \"uid\": \"6191ccc4-61ac-11ee-aacf-0242ac110005\", \"vendor_name\": \"editors coordinate cvs\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"version\": \"1.0.0\"}, \"observables\": [{\"name\": \"car trust sister\", \"type\": \"Fingerprint\", \"type_id\": 30}, {\"name\": \"evidence because locate\", \"type\": \"IP Address\", \"type_id\": 2}], \"severity\": \"Medium\", \"severity_id\": 3, \"status\": \"Success\", \"status_code\": \"user\", \"status_id\": 1, 
\"time\": 1695272181548, \"time_dt\": \"2023-10-03T05:19:09.440241Z\", \"timezone_offset\": 54, \"type_name\": \"Kernel Activity: Create\", \"type_uid\": 100301}" + "ocsf": { + "activity_id": 1, + "activity_name": "Create", + "actor": { + "idp": { + "name": "rachel grey swiss", + "uid": "6193b0ca-61ac-11ee-b37d-0242ac110005" + }, + "invoked_by": "substitute choice extent", + "process": { + "container": { + "hash": { + "algorithm": "SHA-512", + "algorithm_id": "4", + "value": "F19FE42A1B9BB9BBFC77F8F0A52EC5C411DC9200836F0C5D41A56543D8951D5AD8A1FA6F248A975A90B28E8B5268C50F220F5CAE2B47F74A204FB47E835AAE80" + }, + "image": { + "uid": "61927e30-61ac-11ee-ab18-0242ac110005" + }, + "size": 4198558845, + "tag": "gambling romance place" + }, + "created_time_dt": "2023-10-03T05:19:09.439688Z", + "file": { + "confidentiality": "tulsa", + "confidentiality_id": "99", + "hashes": [ + { + "algorithm": "SHA-512", + "algorithm_id": "4", + "value": "C3BD5B24A4E0467F267EEA0A0378CB224839993F4AEB1BF9A9F519E8484E9A16344FE367E55D08DED2F892D80577FD485A3BC5CA66EB0AE7C1CFA0B33586E766" + }, + { + "algorithm": "Unknown", + "algorithm_id": "0", + "value": "FEBD25D9812320828D7312326E19250E4439A6A99BCB4C740A8308671F571A6707A6D2A5A6066EB0DAA87071D23BE71ED56EAFF115D8AEAACEA125D283F45963" + } + ], + "security_descriptor": "hospitality conclusions wires", + "type_id": "0", + "version": "1.0.0", + "xattributes": "{}" + }, + "namespace_pid": 6, + "parent_process": { + "container": { + "hash": { + "algorithm": "MD5", + "algorithm_id": "1", + "value": "B85EC314BF443B797EF8A66B3B03F8A4" + }, + "image": { + "name": "occupations pie meanwhile", + "uid": "6192b990-61ac-11ee-b095-0242ac110005" + }, + "name": "stood moms serving", + "pod_uuid": "effectiveness", + "size": 1947076520, + "uid": "6192b44a-61ac-11ee-a1ac-0242ac110005" + }, + "file": { + "company_name": "Latisha Billye", + "creator": { + "name": "Remain", + "type": "Unknown", + "type_id": "0", + "uid": "61929852-61ac-11ee-b767-0242ac110005", + 
"uid_alt": "limitations compound viewer" + }, + "hashes": [ + { + "algorithm": "SHA-1", + "algorithm_id": "2", + "value": "C6141BDD46728A85659C19E84135237C41908EF3" + } + ], + "name": "hazard.aif", + "owner": { + "email_addr": "Ryann@libraries.store", + "name": "Principle", + "type": "User", + "type_id": "1", + "uid": "6192910e-61ac-11ee-9b83-0242ac110005" + }, + "parent_folder": "seeds divx firefox/kirk.cbr", + "path": "seeds divx firefox/kirk.cbr/hazard.aif", + "type": "Symbolic Link", + "type_id": "7" + }, + "namespace_pid": 64, + "parent_process": "{\"cmd_line\": \"arlington charger skins\", \"created_time\": 1695272181548, \"file\": {\"attributes\": 21, \"desc\": \"fruit hop dean\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"8A1AB46C5F0A7BC9F0562A16DEBAB8746A8BEF57920B6FE78D0B18EE49175C8F8CC8CD5F02E37B486B4CA85EBA2B18558E2D171B09545BB234AD29AB09936187\"}], \"is_system\": false, \"modified_time_dt\": \"2023-10-03T05:19:09.434332Z\", \"modifier\": {\"email_addr\": \"Winona@teens.web\", \"name\": \"Few\", \"type\": \"System\", \"type_id\": 3}, \"name\": \"interests.png\", \"parent_folder\": \"wagon workforce whatever/boundaries.bat\", \"path\": \"wagon workforce whatever/boundaries.bat/interests.png\", \"type\": \"Symbolic Link\", \"type_id\": 7}, \"name\": \"Rugs\", \"namespace_pid\": 65, \"parent_process\": {\"cmd_line\": \"trinity comfort varieties\", \"created_time\": 1695272181548, \"file\": {\"accessed_time_dt\": \"2023-10-03T05:19:09.435701Z\", \"modifier\": {\"account\": {\"name\": \"lose fotos fraction\", \"type\": \"Azure AD Account\", \"type_id\": 6}, \"name\": \"Spots\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"6192f6bc-61ac-11ee-9638-0242ac110005\"}, \"name\": \"border.bmp\", \"parent_folder\": \"exterior quick striking/females.cpp\", \"path\": \"exterior quick striking/females.cpp/border.bmp\", \"product\": {\"lang\": \"en\", \"name\": \"democratic announcement crime\", \"uid\": 
\"6192ff54-61ac-11ee-9d07-0242ac110005\", \"vendor_name\": \"three schema bench\", \"version\": \"1.0.0\"}, \"type\": \"Local Socket\", \"type_id\": 5, \"version\": \"1.0.0\"}, \"loaded_modules\": [\"/te/ut/obviously/inform/assignment.cue\", \"/clicks/importance/raw/agenda/soccer.js\"], \"name\": \"Infant\", \"namespace_pid\": 54, \"parent_process\": {\"cmd_line\": \"italian kid properly\", \"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"A34D9E58DB53A2451A09B961F644E04C794AEFD5AF71BB6785BF8D771D1BC27EABC888BE87A7B3E92BB750215FC097CEB0FD238D44C5494F35746A4A9A0B4159\"}, \"image\": {\"name\": \"assessments effects soap\", \"uid\": \"61934414-61ac-11ee-943e-0242ac110005\"}, \"name\": \"additions wyoming weekly\", \"pod_uuid\": \"hear\", \"size\": 3239910166, \"tag\": \"practical metals respected\", \"uid\": \"61933e06-61ac-11ee-8e9b-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessed_time\": 1695272181548, \"confidentiality\": \"keeps integrate specifies\", \"created_time_dt\": \"2023-10-03T05:19:09.436838Z\", \"desc\": \"floating told foul\", \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"5A4194525971186E774FC3205628B611B5CCCE42\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"11BA65852271CD24C56C865A9635B90616326949FF2BF6CD07EACAF788BAD320\"}], \"name\": \"outline.msg\", \"parent_folder\": \"visiting guide believe/intense.rss\", \"path\": \"visiting guide believe/intense.rss/outline.msg\", \"security_descriptor\": \"chance gmc ghana\", \"type\": \"Unknown\", \"type_id\": 0, \"xattributes\": {}}, \"integrity\": \"High\", \"integrity_id\": 4, \"lineage\": [\"picked purchase freelance\", \"scripts hybrid worked\"], \"name\": \"Valid\", \"namespace_pid\": 65, \"parent_process\": {\"cmd_line\": \"injured metabolism martha\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": 
\"EA07DCC807FFE0D653259BB7C0DE7E6F136D741B4596E3E11BD60E98F38FE0B5\"}, \"image\": {\"labels\": [\"put\", \"experience\"], \"name\": \"versions soc fifteen\", \"tag\": \"actors des guardian\", \"uid\": \"61939900-61ac-11ee-89bb-0242ac110005\"}, \"name\": \"optimize unsigned reforms\", \"size\": 1197726829, \"uid\": \"619392fc-61ac-11ee-95a0-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Courtney Kendal\", \"created_time_dt\": \"2023-10-03T05:19:09.438101Z\", \"hashes\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"7653C24F6B758E09C2F78D41ED16D4D98AC9589616AA7DDE3CE38AC3018F86F726082E5D7895E732CB2D0C979A4B85FE853F95A815DF845615257B5A82F05144\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"1D5072F894A9D4122CBB317567CA88F6EAF3C8B645271C7E86EF241EBC1EBA51\"}], \"mime_type\": \"reflects/shore\", \"modifier\": {\"full_name\": \"Calvin Marquitta\", \"name\": \"Feelings\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"61935512-61ac-11ee-9f87-0242ac110005\"}, \"name\": \"comes.css\", \"parent_folder\": \"death payday queens/fleece.app\", \"path\": \"death payday queens/fleece.app/comes.css\", \"product\": {\"lang\": \"en\", \"uid\": \"61935b2a-61ac-11ee-9f18-0242ac110005\", \"vendor_name\": \"marie stays nested\", \"version\": \"1.0.0\"}, \"type\": \"Local Socket\", \"type_id\": 5}, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"loaded_modules\": [\"/handbook/great/egyptian/guestbook/died.bat\", \"/matrix/ecommerce/management/just/songs.dcr\"], \"name\": \"Si\", \"namespace_pid\": 54, \"terminated_time_dt\": \"2023-10-03T05:19:09.439671Z\", \"tid\": 9, \"uid\": \"6193888e-61ac-11ee-92f7-0242ac110005\", \"user\": {\"credential_uid\": \"61938474-61ac-11ee-8547-0242ac110005\", \"email_addr\": \"Ilana@moses.firm\", \"groups\": [{\"name\": \"tires online movement\", \"privileges\": [\"jan hindu collectible\", \"competitors antique disc\"], \"uid\": \"61937b46-61ac-11ee-8129-0242ac110005\"}, {\"name\": 
\"raymond shirts techno\", \"uid\": \"619380aa-61ac-11ee-9e69-0242ac110005\"}], \"org\": {\"name\": \"msgstr et pure\", \"ou_name\": \"mg usa blair\", \"uid\": \"619374a2-61ac-11ee-8d19-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"61936e76-61ac-11ee-aa0d-0242ac110005\", \"uid_alt\": \"serbia named dns\"}}, \"pid\": 27, \"uid\": \"61933410-61ac-11ee-8072-0242ac110005\", \"user\": {\"full_name\": \"Alfredo Pauline\", \"name\": \"Swing\", \"type\": \"User\", \"type_id\": 1}}, \"pid\": 92, \"tid\": 60, \"uid\": \"61931cbe-61ac-11ee-b447-0242ac110005\", \"user\": {\"credential_uid\": \"619318cc-61ac-11ee-82d0-0242ac110005\", \"name\": \"Fires\", \"org\": {\"name\": \"nationwide yea yoga\", \"ou_name\": \"meeting kiss first\", \"uid\": \"6193126e-61ac-11ee-9d91-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": \"61930b98-61ac-11ee-bb18-0242ac110005\"}}, \"pid\": 77, \"session\": {\"created_time\": 1695272181548, \"is_remote\": true, \"issuer\": \"covers advise flux\", \"uid\": \"6192e51e-61ac-11ee-8c76-0242ac110005\"}, \"terminated_time\": 1695272181548, \"uid\": \"6192dff6-61ac-11ee-89c7-0242ac110005\", \"user\": {\"account\": {\"name\": \"peer amounts pros\", \"type\": \"AWS IAM User\", \"type_id\": 3, \"uid\": \"6192dbaa-61ac-11ee-8151-0242ac110005\"}, \"name\": \"Structured\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"6192d272-61ac-11ee-ae27-0242ac110005\", \"uid_alt\": \"allocation vector lexus\"}}", + "user": { + "org": { + "name": "lexus porcelain february", + "ou_name": "realm lesson pal", + "uid": "6192a810-61ac-11ee-bb74-0242ac110005" + }, + "type": "System", + "type_id": "3" + } + }, + "user": { + "credential_uid": "61926cce-61ac-11ee-8202-0242ac110005", + "type": "User", + "type_id": "1" + } + }, + "session": { + "created_time": 1695272181548, + "issuer": "conventional tar relay", + "uid": "6193ab66-61ac-11ee-b4d7-0242ac110005" + }, + "user": { + "type": "User", + "type_id": "1" + } + }, + "attacks": [ + { + "tactics": [ 
+ { + "name": "Collection | The adversary is trying to gather data of interest to their goal.", + "uid": "TA0009" + }, + { + "name": "Reconnaissance | The adversary is trying to gather information they can use to plan future operations.", + "uid": "TA0043" + }, + { + "name": "Discovery The adversary is trying to figure out your environment.", + "uid": "TA0007" + } + ], + "technique": { + "name": "Data Manipulation", + "uid": "T1565" + }, + "version": "12.1" + }, + { + "tactics": [ + { + "name": "Initial Access | The adversary is trying to get into your network.", + "uid": "TA0001" + }, + { + "name": "Credential Access The adversary is trying to steal account names and passwords.", + "uid": "TA0006" + }, + { + "name": "Persistence The adversary is trying to maintain their foothold.", + "uid": "TA0003" + } + ], + "technique": { + "name": "LSA Secrets", + "uid": "T1003.004" + }, + "version": "12.1" + } + ], + "category_name": "System Activity", + "category_uid": 1, + "class_name": "Kernel Activity", + "class_uid": "1003", + "device": { + "autoscale_uid": "6191f41a-61ac-11ee-b68a-0242ac110005", + "desc": "recommendations norman ventures", + "first_seen_time": 1695272181548, + "first_seen_time_dt": "2023-10-03T05:19:09.429787Z", + "hw_info": { + "bios_manufacturer": "newman marble developed", + "serial_number": "dave cst enlarge" + }, + "instance_uid": "61921fda-61ac-11ee-ad02-0242ac110005", + "interface_name": "local rules scholarship", + "interface_uid": "61922b1a-61ac-11ee-afbc-0242ac110005", + "network_interfaces": [ + { + "hostname": "motherboard.info", + "ip": "81.2.69.142", + "mac": "CE:92:5B:C1:90:45:60:31", + "name": "hewlett dozens asthma", + "subnet_prefix": 8, + "type": "Mobile", + "type_id": "3" + } + ], + "region": "without featured amazon", + "type_id": "8", + "vpc_uid": "619230c4-61ac-11ee-8fa9-0242ac110005" + }, + "disposition": "recipes", + "disposition_id": "99", + "duration": 24, + "kernel": { + "name": "summaries cornell blowing", + "type": "System 
Call", + "type_id": "2" + }, + "metadata": { + "log_name": "inkjet klein mechanical", + "log_version": "receptor literally shut", + "modified_time": 1695272181548, + "modified_time_dt": "2023-10-03T05:19:09.427926Z", + "original_time": "jewish ethiopia invitation", + "product": { + "lang": "en", + "uid": "6191ccc4-61ac-11ee-aacf-0242ac110005", + "vendor_name": "editors coordinate cvs", + "version": "1.0.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "security_control" + ], + "version": "1.0.0" + }, + "observables": [ + { + "name": "car trust sister", + "type": "Fingerprint", + "type_id": "30" + }, + { + "name": "evidence because locate", + "type": "IP Address", + "type_id": "2" + } + ], + "severity": "Medium", + "status": "Success", + "status_code": "user", + "status_id": "1", + "time_dt": "2023-10-03T05:19:09.440241Z", + "timezone_offset": 54, + "type_name": "Kernel Activity: Create", + "type_uid": "100301" + } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_system_activity_4.json b/OCSF/ocsf/tests/test_system_activity_4.json index db4db0735..4ece12b69 100644 --- a/OCSF/ocsf/tests/test_system_activity_4.json +++ b/OCSF/ocsf/tests/test_system_activity_4.json 
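Review bot: The expected `ocsf` object in this fixture pins an inconsistent type coercion: `class_uid` (`"1003"`), `type_uid` (`"100301"`), `status_id`, `disposition_id`, every `type_id` and every `algorithm_id` come out as strings, while `activity_id` and `category_uid` stay integers (`1`) and `namespace_pid`, `size`, `duration` and `subnet_prefix` stay numeric, although all of them were integers in the removed JSON-string form. A detection rule written as `ocsf.class_uid == 1003` matches one shape and not the other, so the `*_id`/`*_uid` enum fields should be normalised to a single representation and the fixture updated to reflect that choice. The third-level `actor.process.parent_process.parent_process` is still an escaped JSON string rather than an object, so the deeper process lineage in it (including a `user.type: Admin` entry, `session.is_remote: true` and file hashes) is not queryable; if the parser deliberately caps nesting depth, the fixture or parser should carry a comment such as `// parent_process is flattened to two levels; deeper ancestry is kept as a raw JSON string`, otherwise this looks like the flattening stopped early (`"xattributes": "{}"` is likewise left stringified). Several fields present in the removed string — `time`, `severity_id`, `message`, `actor.process.cmd_line`/`pid`/`uid`, `device.hostname`/`ip` — have no counterpart under `ocsf` on the new side; presumably they are mapped to top-level ECS fields outside this hunk, but if they are not, the parser is silently dropping the timestamp, severity and command line of the event.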
@@ -23,6 +23,222 @@ "provider": "christian studies pioneer", "region": "increased competitors sparc" }, - "ocsf": "{\"activity_id\": 1, \"activity_name\": \"Allocate Page\", \"actor\": {\"process\": {\"cmd_line\": \"stick strength suffered\", \"container\": {\"hash\": {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"0C2DC99EB913832DEE1E00AC1C121596D14346E7971CAF8B9873BA2BB862C4070FDD33F21558BA3B264A80A7B15D1722F1B3603C0858D1247E4359752B166BCC\"}, \"image\": {\"name\": \"leaves mounted something\", \"uid\": \"f45bbbe4-61ae-11ee-9bd8-0242ac110005\"}, \"name\": \"sp finger reductions\", \"network_driver\": \"arizona knight karl\", \"orchestrator\": \"integral economics gc\", \"size\": 1112406887, \"tag\": \"dish acc interpretation\", \"uid\": \"f45bb5c2-61ae-11ee-b166-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Hue Marcelina\", \"confidentiality\": \"Not Confidential\", \"confidentiality_id\": 1, \"created_time\": 1695272181548, \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"D593DAFEC471B60EC788CAF95AEB0DBE9F1AF56F9741565D96CEB84FF7C0AB18B97E298266E585A9FE82C4F85EE020C4B4BD974B54373088F0D1ACE2022CE17D\"}, {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"4F227649B2E932AED413A05B69BAA35D\"}], \"modified_time\": 1695272181548, \"modified_time_dt\": \"2023-10-03T05:37:34.691274Z\", \"name\": \"tenant.prf\", \"parent_folder\": \"daisy bullet expectations/speakers.fon\", \"path\": \"daisy bullet expectations/speakers.fon/tenant.prf\", \"type\": \"Symbolic Link\", \"type_id\": 7}, \"name\": \"Quad\", \"namespace_pid\": 50, \"parent_process\": {\"cmd_line\": \"red beaches fi\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"23ABACC1EF47F49C2387DDF45E9C424754AB96A8A4DED29732E05CA4192D028D05F263525EFEB4BBAFD7ECE02D2821858C8F39BADB5B11151131D82A3D8596FA\"}, \"image\": {\"name\": \"third aged kurt\", \"uid\": \"f45bebfa-61ae-11ee-bf2c-0242ac110005\"}, 
\"name\": \"dispatch ste exist\", \"uid\": \"f45be5ba-61ae-11ee-88ce-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessed_time_dt\": \"2023-10-03T05:37:34.692401Z\", \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"created_time_dt\": \"2023-10-03T05:37:34.692393Z\", \"desc\": \"vs in contamination\", \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"64188A2F3AF0E7C7E83F429137D1F51F574286F7\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"7C12BD84ACFCEACC8A756BE13D08AF2B1EC193C5411C64B85380EEEC0B1B41F7\"}], \"modified_time\": 1695272181548, \"name\": \"download.pptx\", \"parent_folder\": \"qld four roulette/sticker.dwg\", \"path\": \"qld four roulette/sticker.dwg/download.pptx\", \"type\": \"Regular File\", \"type_id\": 1}, \"name\": \"Trout\", \"namespace_pid\": 31, \"parent_process\": {\"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"5D7318303179149862E7825F7F1712F9E8045CDC54401C79C269DD068E20EA5D\"}, \"image\": {\"name\": \"stripes excerpt baptist\", \"uid\": \"f45c2962-61ae-11ee-8549-0242ac110005\"}, \"name\": \"pest fought calibration\", \"orchestrator\": \"walt truly susan\", \"pod_uuid\": \"techno\", \"runtime\": \"violation card logged\", \"size\": 1513188610, \"uid\": \"f45c2426-61ae-11ee-9c9d-0242ac110005\"}, \"file\": {\"accessed_time_dt\": \"2023-10-03T05:37:34.693831Z\", \"created_time_dt\": \"2023-10-03T05:37:34.693827Z\", \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"A98DE8AD923CB627EA1CDCCD5CF7356C\"}], \"modified_time_dt\": \"2023-10-03T05:37:34.693818Z\", \"name\": \"mins.srt\", \"parent_folder\": \"risks rendering meal/surf.pages\", \"path\": \"risks rendering meal/surf.pages/mins.srt\", \"product\": {\"lang\": \"en\", \"name\": \"morocco steam contractors\", \"uid\": \"f45bff78-61ae-11ee-94d1-0242ac110005\", \"vendor_name\": \"myrtle wn view\"}, \"signature\": {\"algorithm\": \"Authenticode\", 
\"algorithm_id\": 4, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"5F3258EAA1979A8BE0323FCD83F87741B9046FD02DFEDB63CC5E8BBEC47C85C9\"}], \"issuer\": \"agency covers tested\", \"serial_number\": \"fool aye tears\", \"subject\": \"lindsay symptoms gel\"}}, \"type\": \"Regular File\", \"type_id\": 1}, \"namespace_pid\": 49, \"parent_process\": {\"cmd_line\": \"montana introductory ratings\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"AB2620F9B7154D9F9DC1B3C2D949D85D595FE77F45411B3DBE6E5B47DA564177\"}, \"image\": {\"name\": \"resources albums born\", \"uid\": \"f45c7e4e-61ae-11ee-955d-0242ac110005\"}, \"name\": \"strings provided foster\", \"runtime\": \"accidents usda suit\", \"uid\": \"f45c77be-61ae-11ee-8b06-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessor\": {\"groups\": [{\"name\": \"holder outstanding vatican\", \"uid\": \"f45c4fe6-61ae-11ee-92f7-0242ac110005\"}, {\"name\": \"conducted egypt siemens\", \"type\": \"rent divine winston\", \"uid\": \"f45c5446-61ae-11ee-9f91-0242ac110005\"}], \"name\": \"Review\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"f45c480c-61ae-11ee-acd3-0242ac110005\"}, \"creator\": {\"groups\": [{\"name\": \"usually gained erotica\", \"uid\": \"f45c65d0-61ae-11ee-b6a8-0242ac110005\"}], \"type\": \"availability\", \"type_id\": 99, \"uid\": \"f45c601c-61ae-11ee-a457-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"5FA7429271BF14C077FFD905562FF00BA03D0E577EBDE842D181A43F83B98C5611220439195D98F47BB4838632D59E533816344E1DF7DB00271120083235ABCA\"}], \"name\": \"asked.htm\", \"owner\": {\"domain\": \"voyeurweb strip groove\", \"full_name\": \"Lynnette Brooke\", \"name\": \"Initiatives\", \"type\": \"Unknown\", \"type_id\": 0}, \"parent_folder\": \"brakes bugs inquire/blogging.ics\", \"path\": \"brakes bugs 
inquire/blogging.ics/asked.htm\", \"signature\": {\"algorithm\": \"RSA\", \"algorithm_id\": 2, \"certificate\": {\"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.695282Z\", \"expiration_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T05:37:34.695275Z\", \"fingerprints\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"F74C6AF46A78BECB2F1BD3F95BBD5858\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"43F66E6B6CBAF53CC520E58EC65805EC62FA04119845AC53816DA9F36F525AC65E3D7D92BED0351865836C0E97D63184282A5FEDC9AF2E914C6F9B349CB835F0\"}], \"issuer\": \"conclusions medicines exception\", \"serial_number\": \"legal grant module\", \"subject\": \"fetish converter communicate\", \"version\": \"1.0.0\"}, \"created_time_dt\": \"2023-10-03T05:37:34.695288Z\", \"digest\": {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"522CB2274A0D096C0F94307F55DB6E9D63211626E8BED23C3C8721CA612F28681D4E0202C137F40265FCAAD0EFE6A9BD02E0CF8323BAF52EFE09FF298791B18D\"}}, \"type\": \"Symbolic Link\", \"type_id\": 7, \"uid\": \"f45c3f9c-61ae-11ee-9d0c-0242ac110005\"}, \"lineage\": [\"copies would makeup\"], \"name\": \"Telling\", \"namespace_pid\": 88, \"parent_process\": {\"cmd_line\": \"trembl reverse constantly\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"5F69DE08EF1B52810A2E555253B2561BF4E27E0CF557FEB7502CAD51FCA3AC3B923994EC15B91A6E29CCD01AED752264DCA40FCF45DDB4B47C42836B57984513\"}, \"image\": {\"name\": \"saturn cincinnati productivity\", \"path\": \"harrison typical operations\", \"uid\": \"f45ccb74-61ae-11ee-9ef0-0242ac110005\"}, \"name\": \"strain outputs perceived\", \"pod_uuid\": \"ontario\", \"uid\": \"f45cc660-61ae-11ee-8e56-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.711648Z\", \"file\": {\"desc\": \"goto egyptian throw\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": 
\"6D856108BBB655CE760736415EE23ECE1B8FCEE045C992B3A971D31ED454BFAD53DE388CBE3FFDE1EF1A4258DDD307E4DAAD413389F51A42155B5F334C9243A4\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"6163CDC7962473142ADF6DA1E4C2B6DB26C7391242E8BBD4EE04661FEC7DF2C941477A0394334EEE5002B17ED4164502FEE4342047E61B7F299B5C98BE241602\"}], \"modified_time\": 1695272181548, \"name\": \"instructions.tif\", \"parent_folder\": \"passwords floral edition/roland.gif\", \"path\": \"passwords floral edition/roland.gif/instructions.tif\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"0BB55CC45379DA535A05A8EDE44DF854F408971928C66528377DA784038293CF\"}, {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"D8EAE8212E2ED885C71F4117E0C39374\"}], \"issuer\": \"strengths enlarge sorry\", \"serial_number\": \"neon ban suse\", \"subject\": \"underwear chancellor basic\", \"version\": \"1.0.0\"}, \"developer_uid\": \"f45c9208-61ae-11ee-9a72-0242ac110005\"}, \"size\": 2331416290, \"type\": \"Unknown\", \"type_id\": 0}, \"name\": \"Brandon\", \"namespace_pid\": 48, \"parent_process\": {\"cmd_line\": \"reductions transfer kyle\", \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.711634Z\", \"file\": {\"creator\": {\"groups\": [{\"uid\": \"f45d004e-61ae-11ee-8d39-0242ac110005\"}, {\"name\": \"chairs leisure institution\", \"uid\": \"f45d05e4-61ae-11ee-99f9-0242ac110005\"}], \"name\": \"Catalog\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"f45cf144-61ae-11ee-a33b-0242ac110005\"}, \"name\": \"gothic.m3u\", \"owner\": {\"groups\": [{\"type\": \"britain touch corporations\", \"uid\": \"f45ce500-61ae-11ee-ae50-0242ac110005\"}], \"name\": \"Strengthening\", \"org\": {\"name\": \"wed mpeg mortality\", \"ou_name\": \"penny automatically tops\", \"uid\": 
\"f45cdfd8-61ae-11ee-9701-0242ac110005\"}, \"type\": \"pentium\", \"type_id\": 99, \"uid\": \"f45cdaba-61ae-11ee-ba9e-0242ac110005\", \"uid_alt\": \"developed drinks university\"}, \"parent_folder\": \"dod emirates promote/knitting.vob\", \"path\": \"dod emirates promote/knitting.vob/gothic.m3u\", \"security_descriptor\": \"retention changing science\", \"signature\": {\"algorithm\": \"supreme\", \"algorithm_id\": 99, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"741DD1242DF463E4748B3F29D59B2CDB444A2B723C098FCD8A61CFF3A2531A1EBEB1D42A7AD9A444FA8D89DC6A11F741547C10080B44BED739B5D0CDC993B842\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"C4824AE8BB216F860CA4CD45F979A59088DD132DF0BFA0EC613752EF4A2EE45E\"}], \"issuer\": \"formation mixer sullivan\", \"serial_number\": \"ser rna serves\", \"subject\": \"tractor bag coleman\", \"version\": \"1.0.0\"}, \"digest\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"7243F8BE75253AFBADF7477867021F8B\"}}, \"type\": \"Block Device\", \"type_id\": 4, \"xattributes\": {}}, \"integrity\": \"guys thus beads\", \"namespace_pid\": 82, \"parent_process\": {\"cmd_line\": \"trails washer home\", \"container\": {\"hash\": {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"68C9913042346CAD7F9FABEBF901C5DBBE49BEAFFE6CDBF271C0CD6F2363033A\"}, \"image\": {\"labels\": [\"malaysia\", \"tough\"], \"name\": \"equation modular saver\", \"uid\": \"f45d4bb2-61ae-11ee-98af-0242ac110005\"}, \"name\": \"requested divx inspector\", \"size\": 648398402, \"uid\": \"f45d3faa-61ae-11ee-95d3-0242ac110005\"}, \"created_time\": 1695272181548, \"lineage\": [\"married funded elections\", \"liquid geek cal\"], \"name\": \"Friends\", \"namespace_pid\": 2, \"parent_process\": {\"cmd_line\": \"guided spine purple\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, 
\"value\": \"10E86C6514D40F2A3E861B31847340EE8C8ED181029A17B042F137121D28863E\"}, \"name\": \"diffs dead mechanical\", \"orchestrator\": \"piano sims editors\", \"pod_uuid\": \"danish\", \"size\": 1480676944, \"tag\": \"cheers cancer russian\", \"uid\": \"f45d8ab4-61ae-11ee-a07b-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Myrl Ilana\", \"created_time_dt\": \"2023-10-03T05:37:34.702607Z\", \"desc\": \"starting invasion flame\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"2FF592449E1B208D2349421A0E142A80E875518AA0C20FF64D3610AB6830DD78BF8980FD7F211369C267D93464D86327F78FA84CEDB14D9210655D931C34F7BA\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"A2349F07A5DCE2F05BB0C656C6DEA195972A5C01A7B5DA65FEC562FE2C229B6B5B6930E7613E6323D8F52E25C3E76F85EBED522B17F8EB673C263A290FD26BB7\"}], \"name\": \"manner.app\", \"parent_folder\": \"turn available mighty/grocery.tax2016\", \"path\": \"turn available mighty/grocery.tax2016/manner.app\", \"type\": \"Folder\", \"type_id\": 2, \"version\": \"1.0.0\"}, \"lineage\": [\"at residential ceo\"], \"name\": \"Warnings\", \"namespace_pid\": 67, \"parent_process\": {\"cmd_line\": \"lists accredited manufacture\", \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.711602Z\", \"file\": {\"accessed_time\": 1695272181548, \"accessed_time_dt\": \"2023-10-03T05:37:34.704522Z\", \"confidentiality\": \"fear browsers television\", \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.704513Z\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"3B0173ED99A820AB5188A16998FBC2E1957424B5E1E2DB85F6F1F8CAFAE691070EE54DC314BDF2983F9A2CE57CF6E378ABB2AEDB0DA772B4626469F1363D4782\"}], \"modifier\": {\"name\": \"Lopez\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"f45da012-61ae-11ee-8601-0242ac110005\"}, \"name\": \"basename.mpg\", \"parent_folder\": \"general required suspect/commentary.jar\", \"path\": 
\"general required suspect/commentary.jar/basename.mpg\", \"size\": 2270854617, \"type\": \"Folder\", \"type_id\": 2, \"xattributes\": {}}, \"integrity\": \"disclosure insert americans\", \"name\": \"Hamilton\", \"namespace_pid\": 16, \"parent_process\": {\"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"5DF4BFECA632B9BD1D11E5E5D9549CF30B4849A4C815894151C865C80E13E3D0DE949759C7E1AEE233D178AD52E3AE2E93D99AEA0D993ED5DCE67E03E1578823\"}, \"image\": {\"name\": \"conducted takes renewable\", \"uid\": \"f45dc7b8-61ae-11ee-9630-0242ac110005\"}, \"name\": \"praise britannica rev\", \"uid\": \"f45dc254-61ae-11ee-b035-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessed_time\": 1695272181548, \"confidentiality\": \"applications\", \"confidentiality_id\": 99, \"created_time_dt\": \"2023-10-03T05:37:34.704809Z\", \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"AC3F2D226D9EFC7934195793B402CBBC13E2736E205E59735FD07CE424B1FB37\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"BD1DC345B2C39E8DADCDA520CC809F96FFC8413DD1169269D5E02AE412E1297111E2A26660902A783337A5D4C0D0C9FEBCCBB0C0AED91F2BFA2CCF4845056AAB\"}], \"modified_time\": 1695272181548, \"name\": \"mitsubishi.zip\", \"parent_folder\": \"premium accommodation showtimes/prisoner.deskthemepack\", \"path\": \"premium accommodation showtimes/prisoner.deskthemepack/mitsubishi.zip\", \"type\": \"way\", \"type_id\": 99, \"xattributes\": {}}, \"integrity\": \"times entities fx\", \"namespace_pid\": 98, \"parent_process\": {\"cmd_line\": \"insulation else evidence\", \"container\": {\"hash\": {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"E272B1A204600DF6B8A987C8FB851C7EF2AA8596CF158120722E5966F20081F5\"}, \"image\": {\"name\": \"olympus present empirical\", \"uid\": \"f45df3a0-61ae-11ee-ae83-0242ac110005\"}, \"name\": \"dv cst mug\", \"orchestrator\": \"internationally correct examining\", \"size\": 2782839574, 
\"uid\": \"f45deefa-61ae-11ee-95f2-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"0D3045A301A866174DD910C13E50427CB610EAD22A8523650B444E52FF16941B\"}, {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"BEE38FBC71DC4377BEF693AF6C11F462AC065BD6\"}], \"name\": \"hockey.part\", \"parent_folder\": \"seafood tape distant/physically.mdf\", \"path\": \"seafood tape distant/physically.mdf/hockey.part\", \"type\": \"Symbolic Link\", \"type_id\": 7, \"uid\": \"f45dd3d4-61ae-11ee-9986-0242ac110005\", \"version\": \"1.0.0\"}, \"integrity\": \"involvement hk speaking\", \"name\": \"Forecasts\", \"namespace_pid\": 56, \"parent_process\": {\"cmd_line\": \"collapse tan demo\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"7CFCBD1C1575DD7EAE454F18B9267188\"}, \"image\": {\"name\": \"pty dramatic measure\", \"uid\": \"f45e1452-61ae-11ee-93ff-0242ac110005\"}, \"name\": \"matters sophisticated hampshire\", \"orchestrator\": \"earned accountability todd\", \"size\": 277669091, \"uid\": \"f45e0b7e-61ae-11ee-9c4e-0242ac110005\"}, \"created_time\": 1695272181548, \"integrity\": \"Protected\", \"integrity_id\": 6, \"name\": \"Heath\", \"namespace_pid\": 36, \"parent_process\": {\"cmd_line\": \"rubber taxi deployment\", \"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"19EA5DD6F7D4532CE968933056B2150CB38D84FBEA07A9B1E71EE7388D9EAD136AFB55A16621065CA950B550FAA589C7E77583279DE84B3C958B13C9BA731D69\"}, \"image\": {\"name\": \"phantom participant employee\", \"uid\": \"f45e29ec-61ae-11ee-b755-0242ac110005\"}, \"name\": \"insulin never metabolism\", \"pod_uuid\": \"luxury\", \"size\": 2875863087, \"uid\": \"f45e2532-61ae-11ee-b4f8-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.711572Z\", \"integrity\": \"Protected\", \"integrity_id\": 6, \"name\": \"Special\", 
\"namespace_pid\": 45, \"parent_process\": {\"file\": {\"accessed_time_dt\": \"2023-10-03T05:37:34.709414Z\", \"confidentiality\": \"watson\", \"confidentiality_id\": 99, \"created_time_dt\": \"2023-10-03T05:37:34.709410Z\", \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"EC04A154DEAC2F7D6C2C939EA992222061F58A10BD334C6D45E3B9B3BC538985107E3B32A6CA567C7B5C6F8F0D857459E5DDC11A97318AC1AEA8A2461B955401\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"6E170831A56B3AFDAFF2E0614B1495541FDE0CA37B2F9EBCB6D5225A0CADE66CC1E6AD525CAFDD363EAA50505FD613EDBD5C1B4D703D34702968D3AE7E09037C\"}], \"modified_time_dt\": \"2023-10-03T05:37:34.709399Z\", \"name\": \"message.exe\", \"owner\": {\"account\": {\"name\": \"tradition surfaces classification\", \"type\": \"AWS IAM Role\", \"type_id\": 4, \"uid\": \"f45e5af2-61ae-11ee-8e43-0242ac110005\"}, \"domain\": \"existence see evans\", \"groups\": [{\"desc\": \"highways cheat summary\", \"name\": \"careers fixes kai\", \"uid\": \"f45e4da0-61ae-11ee-8ce5-0242ac110005\"}, {\"name\": \"past affiliate london\", \"type\": \"exclusion cleaners mart\", \"uid\": \"f45e51c4-61ae-11ee-af56-0242ac110005\"}], \"name\": \"Vegas\", \"org\": {\"name\": \"super rolling importantly\", \"ou_uid\": \"f45e44ea-61ae-11ee-af1f-0242ac110005\", \"uid\": \"f45e40bc-61ae-11ee-9f84-0242ac110005\"}, \"type\": \"Unknown\", \"type_id\": 0}, \"parent_folder\": \"brunette symbol poem/weekends.htm\", \"path\": \"brunette symbol poem/weekends.htm/message.exe\", \"type\": \"mozilla\", \"type_id\": 99, \"uid\": \"f45e5fa2-61ae-11ee-9642-0242ac110005\"}, \"namespace_pid\": 69, \"parent_process\": {\"cmd_line\": \"changes sad programmes\", \"container\": {\"hash\": {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"05521B80BB22220B8B095A94DA44E07951EE15F402F4BD4A050BD0CFFFD6B154\"}, \"image\": {\"name\": \"soap potter browsers\", \"uid\": \"f45eb3bc-61ae-11ee-871c-0242ac110005\"}, \"orchestrator\": \"matches virginia 
accepts\", \"size\": 1104975009, \"tag\": \"alexander specs considered\", \"uid\": \"f45eae80-61ae-11ee-8fa9-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Nicholas Betty\", \"confidentiality\": \"sandwich exhibit ellis\", \"created_time_dt\": \"2023-10-03T05:37:34.710639Z\", \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"4DBD2BB0760D9EBBC2743A91879CCBC04A4837BD467C1F3B4E0850E4D459BC52\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"A5469012CF0415AAE3FFA22840287489C3C57811D0FD29A58C2CD702BC84D59ADC43354994A400CA41F16849414FADE8C6A9889E640F7987FF65EAD837C7D8E4\"}], \"name\": \"ambassador.swf\", \"parent_folder\": \"nickel gui cute/vision.m3u\", \"path\": \"nickel gui cute/vision.m3u/ambassador.swf\", \"signature\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"09958F2F29A975C86F4BC77872179A9E719846A48F2022B36957925999CD31F4A0578A6C18EE8BDC0AEE2F0974FB4647FF2A0BFEA8A1E56877193277A827418F\"}], \"issuer\": \"hate passive admission\", \"serial_number\": \"promote dirt hindu\", \"subject\": \"panic aspects reporting\", \"version\": \"1.0.0\"}, \"created_time_dt\": \"2023-10-03T05:37:34.710541Z\", \"digest\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"14B85FA8E87F846F757EACCDA09761641B397F01\"}}, \"type\": \"Symbolic Link\", \"type_id\": 7, \"xattributes\": {}}, \"name\": \"Is\", \"namespace_pid\": 49, \"pid\": 14, \"user\": {\"account\": {\"name\": \"saint view max\", \"type\": \"Apple Account\", \"type_id\": 8, \"uid\": \"f45ea32c-61ae-11ee-9546-0242ac110005\"}, \"credential_uid\": \"f45ea700-61ae-11ee-bb61-0242ac110005\", \"email_addr\": \"Jeana@drill.web\", \"full_name\": \"Lucile Apryl\", \"name\": \"Genres\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"f45e9cb0-61ae-11ee-b849-0242ac110005\"}}, \"pid\": 
65, \"sandbox\": \"ut metropolitan adjacent\", \"session\": {\"created_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T05:37:34.710191Z\", \"is_remote\": true, \"uid\": \"f45e805e-61ae-11ee-90d6-0242ac110005\"}, \"terminated_time_dt\": \"2023-10-03T05:37:34.711553Z\", \"uid\": \"f45e7546-61ae-11ee-ab37-0242ac110005\", \"user\": {\"account\": {\"name\": \"wireless trains wave\", \"type\": \"Linux Account\", \"type_id\": 9, \"uid\": \"f45e6eb6-61ae-11ee-9f44-0242ac110005\"}, \"credential_uid\": \"f45e7230-61ae-11ee-a271-0242ac110005\", \"full_name\": \"Rosamaria Norberto\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"f45e68d0-61ae-11ee-a6d3-0242ac110005\"}}, \"pid\": 39, \"user\": {\"name\": \"Mice\", \"type\": \"scoring\", \"type_id\": 99, \"uid\": \"f45e1f4c-61ae-11ee-bd4f-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 26, \"terminated_time\": 1695272181548, \"terminated_time_dt\": \"2023-10-03T05:37:34.711582Z\", \"user\": {\"account\": {\"name\": \"engines robot c\", \"uid\": \"f45e05fc-61ae-11ee-bdef-0242ac110005\"}, \"name\": \"Qualities\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"f45e00c0-61ae-11ee-b4f1-0242ac110005\", \"uid_alt\": \"pathology ordinary ep\"}}, \"pid\": 17, \"sandbox\": \"dans ip tours\", \"uid\": \"f45de978-61ae-11ee-af82-0242ac110005\", \"user\": {\"credential_uid\": \"f45de554-61ae-11ee-bc44-0242ac110005\", \"name\": \"Requires\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"f45de0e0-61ae-11ee-88a9-0242ac110005\", \"uid_alt\": \"monica includes treating\"}}, \"pid\": 26, \"terminated_time\": 1695272181548, \"terminated_time_dt\": \"2023-10-03T05:37:34.711596Z\", \"user\": {\"name\": \"Cardiovascular\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"f45db58e-61ae-11ee-b50c-0242ac110005\", \"uid_alt\": \"sn exception got\"}}, \"pid\": 38, \"terminated_time_dt\": \"2023-10-03T05:37:34.711606Z\"}, \"pid\": 59, \"terminated_time\": 1695272181548, \"tid\": 63, \"uid\": \"f45d835c-61ae-11ee-a0b4-0242ac110005\", 
\"user\": {\"account\": {\"name\": \"cycles beast pierce\", \"type\": \"Azure AD Account\", \"type_id\": 6, \"uid\": \"f45d7e20-61ae-11ee-9be4-0242ac110005\"}, \"groups\": [{\"name\": \"gamecube sunday foster\", \"privileges\": [\"ceiling pulling chapter\", \"advise lung transparent\"], \"uid\": \"f45d6750-61ae-11ee-bb59-0242ac110005\"}, {\"name\": \"skins korea bubble\", \"privileges\": [\"harbor syracuse quantities\"], \"type\": \"annie rn pot\", \"uid\": \"f45d710a-61ae-11ee-a1f1-0242ac110005\"}], \"name\": \"Dis\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"f45d6034-61ae-11ee-9b9d-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 7, \"uid\": \"f45d3a46-61ae-11ee-89e2-0242ac110005\", \"user\": {\"credential_uid\": \"f45d3654-61ae-11ee-a013-0242ac110005\", \"name\": \"Overall\", \"org\": {\"name\": \"antique crawford mug\", \"ou_name\": \"maximize tx tide\", \"uid\": \"f45d3226-61ae-11ee-b3e9-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"f45d2c18-61ae-11ee-8f99-0242ac110005\", \"uid_alt\": \"areas attachment guy\"}, \"xattributes\": {}}, \"pid\": 43, \"terminated_time_dt\": \"2023-10-03T05:37:34.711638Z\", \"uid\": \"f45d16ba-61ae-11ee-b515-0242ac110005\", \"user\": {\"domain\": \"funky valentine attached\", \"name\": \"Opt\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"f45d1192-61ae-11ee-805a-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 45, \"sandbox\": \"brunette christ monetary\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711652Z\", \"uid\": \"f45cc066-61ae-11ee-b149-0242ac110005\", \"user\": {\"account\": {\"name\": \"pen favors essential\", \"type\": \"AWS Account\", \"type_id\": 10, \"uid\": \"f45cb6ac-61ae-11ee-89fb-0242ac110005\"}, \"credential_uid\": \"f45cba58-61ae-11ee-8137-0242ac110005\", \"email_addr\": \"Moira@upset.nato\", \"full_name\": \"Livia Ji\", \"name\": \"Manufacturing\", \"org\": {\"name\": \"way pros ddr\", \"ou_name\": \"reliability poultry devices\", \"uid\": 
\"f45cafa4-61ae-11ee-af8c-0242ac110005\"}, \"type\": \"united\", \"type_id\": 99, \"uid\": \"f45ca0ea-61ae-11ee-8476-0242ac110005\"}}, \"pid\": 43, \"terminated_time\": 1695272181548, \"uid\": \"f45c71a6-61ae-11ee-9f7b-0242ac110005\", \"user\": {\"name\": \"Duck\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"f45c6dd2-61ae-11ee-9f94-0242ac110005\"}}, \"pid\": 98, \"session\": {\"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.694465Z\", \"credential_uid\": \"f45c1a1c-61ae-11ee-85ba-0242ac110005\", \"expiration_time_dt\": \"2023-10-03T05:37:34.694457Z\", \"is_remote\": false, \"issuer\": \"spec gambling separated\", \"uid\": \"f45c1288-61ae-11ee-ab6a-0242ac110005\", \"uuid\": \"f45c160c-61ae-11ee-b9ea-0242ac110005\"}, \"tid\": 86, \"user\": {\"email_addr\": \"Lilliana@ability.edu\", \"full_name\": \"Marry Dia\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"f45c0b9e-61ae-11ee-9f3b-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 61, \"uid\": \"f45be042-61ae-11ee-a467-0242ac110005\", \"user\": {\"credential_uid\": \"f45bdcd2-61ae-11ee-a554-0242ac110005\", \"full_name\": \"Rosamaria Mckenzie\", \"name\": \"Presidential\", \"org\": {\"name\": \"setup stolen unexpected\", \"ou_name\": \"iceland threats webcast\", \"uid\": \"f45bd82c-61ae-11ee-9e57-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": \"f45bd110-61ae-11ee-b7e4-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 76, \"uid\": \"f45baed8-61ae-11ee-95e3-0242ac110005\", \"user\": {\"email_addr\": \"Mireille@associate.mobi\", \"full_name\": \"Carin Otha\", \"name\": \"Utc\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"f45ba8fc-61ae-11ee-883d-0242ac110005\"}}, \"user\": {\"account\": {\"name\": \"intensive flash narrative\", \"type\": \"Windows Account\", \"type_id\": 2, \"uid\": \"f45ed32e-61ae-11ee-9aa9-0242ac110005\"}, \"name\": \"We\", \"org\": {\"name\": \"enquiry hottest creations\", \"ou_name\": \"reel metals plain\", \"uid\": 
\"f45ecb68-61ae-11ee-824c-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"f45ec2a8-61ae-11ee-90fc-0242ac110005\"}}, \"actual_permissions\": 14, \"api\": {\"operation\": \"appraisal disappointed iraqi\", \"request\": {\"uid\": \"f45046ce-61ae-11ee-8a1b-0242ac110005\"}, \"response\": {\"code\": 99, \"error\": \"dash knife stable\", \"error_message\": \"delaware genetic purple\", \"message\": \"julian peninsula bought\"}}, \"attacks\": [{\"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}], \"technique\": {\"name\": \"Additional Cloud Credentials\", \"uid\": \"T1098.001\"}, \"version\": \"12.1\"}, {\"tactics\": [{\"name\": \"Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.\", \"uid\": \"TA0040\"}, {\"name\": \"Command and Control The adversary is trying to communicate with compromised systems to control them.\", \"uid\": \"TA0011\"}], \"technique\": {\"name\": \"Credentials in Registry\", \"uid\": \"T1214\"}, \"version\": \"12.1\"}], \"base_address\": \"statements dining gnome\", \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Memory Activity\", \"class_uid\": 1004, \"cloud\": {\"project_uid\": \"f4505768-61ae-11ee-89e9-0242ac110005\", \"provider\": \"christian studies pioneer\", \"region\": \"increased competitors sparc\"}, \"device\": {\"created_time\": 1695272181548, \"first_seen_time\": 1695272181548, \"hostname\": \"phd.nato\", \"image\": {\"name\": \"leader mind compliant\", \"uid\": \"f450e20a-61ae-11ee-959b-0242ac110005\"}, \"instance_uid\": \"f450c02c-61ae-11ee-a04e-0242ac110005\", \"interface_name\": \"adaptive survivor nickname\", \"interface_uid\": \"f450dada-61ae-11ee-9e5c-0242ac110005\", \"is_trusted\": false, \"last_seen_time\": 1695272181548, \"location\": {\"city\": \"Stephanie hence\", \"continent\": \"Asia\", \"coordinates\": [161.2949, 22.9251], \"country\": \"TW\", \"desc\": 
\"Taiwan\"}, \"name\": \"repeated sip distance\", \"org\": {\"name\": \"gratuit book virtually\", \"ou_name\": \"profit plug fioricet\", \"uid\": \"f4507856-61ae-11ee-b34b-0242ac110005\"}, \"region\": \"debut instruments alphabetical\", \"risk_level\": \"thomson shanghai foreign\", \"subnet_uid\": \"f450b6fe-61ae-11ee-aa6c-0242ac110005\", \"type\": \"Server\", \"type_id\": 1, \"uid\": \"f450d454-61ae-11ee-b232-0242ac110005\"}, \"disposition\": \"Deleted\", \"disposition_id\": 5, \"message\": \"door lotus aol\", \"metadata\": {\"log_name\": \"trademarks wishing accreditation\", \"log_provider\": \"manual equivalent detroit\", \"logged_time\": 1695272181548, \"original_time\": \"protection velvet propose\", \"product\": {\"feature\": {\"name\": \"wish quest practitioners\", \"uid\": \"f4506a32-61ae-11ee-a6bb-0242ac110005\", \"version\": \"1.0.0\"}, \"lang\": \"en\", \"name\": \"asbestos settings medication\", \"uid\": \"f4506410-61ae-11ee-a485-0242ac110005\", \"vendor_name\": \"evaluations belly reception\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"sequence\": 35, \"version\": \"1.0.0\"}, \"severity\": \"Critical\", \"severity_id\": 5, \"status_code\": \"registry\", \"time\": 1695272181548, \"time_dt\": \"2023-10-03T05:37:34.712339Z\", \"timezone_offset\": 26, \"type_name\": \"Memory Activity: Allocate Page\", \"type_uid\": 100401}" + "ocsf": { + "activity_id": 1, + "activity_name": "Allocate Page", + "actor": { + "process": { + "container": { + "hash": { + "algorithm": "CTPH", + "algorithm_id": "5", + "value": "0C2DC99EB913832DEE1E00AC1C121596D14346E7971CAF8B9873BA2BB862C4070FDD33F21558BA3B264A80A7B15D1722F1B3603C0858D1247E4359752B166BCC" + }, + "image": { + "uid": "f45bbbe4-61ae-11ee-9bd8-0242ac110005" + }, + "network_driver": "arizona knight karl", + "size": 1112406887, + "tag": "dish acc interpretation" + }, + "file": { + "company_name": "Hue Marcelina", + "confidentiality": "Not 
Confidential", + "confidentiality_id": "1", + "hashes": [ + { + "algorithm": "quickXorHash", + "algorithm_id": "7", + "value": "D593DAFEC471B60EC788CAF95AEB0DBE9F1AF56F9741565D96CEB84FF7C0AB18B97E298266E585A9FE82C4F85EE020C4B4BD974B54373088F0D1ACE2022CE17D" + }, + { + "algorithm": "MD5", + "algorithm_id": "1", + "value": "4F227649B2E932AED413A05B69BAA35D" + } + ], + "modified_time_dt": "2023-10-03T05:37:34.691274Z", + "type_id": "7" + }, + "namespace_pid": 50, + "parent_process": { + "container": { + "hash": { + "algorithm": "TLSH", + "algorithm_id": "6", + "value": "23ABACC1EF47F49C2387DDF45E9C424754AB96A8A4DED29732E05CA4192D028D05F263525EFEB4BBAFD7ECE02D2821858C8F39BADB5B11151131D82A3D8596FA" + }, + "image": { + "name": "third aged kurt", + "uid": "f45bebfa-61ae-11ee-bf2c-0242ac110005" + }, + "name": "dispatch ste exist", + "uid": "f45be5ba-61ae-11ee-88ce-0242ac110005" + }, + "file": { + "accessed_time_dt": "2023-10-03T05:37:34.692401Z", + "confidentiality": "Confidential", + "confidentiality_id": "2", + "created_time_dt": "2023-10-03T05:37:34.692393Z", + "desc": "vs in contamination", + "hashes": [ + { + "algorithm": "SHA-1", + "algorithm_id": "2", + "value": "64188A2F3AF0E7C7E83F429137D1F51F574286F7" + }, + { + "algorithm": "SHA-256", + "algorithm_id": "3", + "value": "7C12BD84ACFCEACC8A756BE13D08AF2B1EC193C5411C64B85380EEEC0B1B41F7" + } + ], + "modified_time": 1695272181548, + "name": "download.pptx", + "parent_folder": "qld four roulette/sticker.dwg", + "path": "qld four roulette/sticker.dwg/download.pptx", + "type": "Regular File", + "type_id": "1" + }, + "namespace_pid": 31, + "parent_process": "{\"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"5D7318303179149862E7825F7F1712F9E8045CDC54401C79C269DD068E20EA5D\"}, \"image\": {\"name\": \"stripes excerpt baptist\", \"uid\": \"f45c2962-61ae-11ee-8549-0242ac110005\"}, \"name\": \"pest fought calibration\", \"orchestrator\": \"walt truly susan\", \"pod_uuid\": \"techno\", 
\"runtime\": \"violation card logged\", \"size\": 1513188610, \"uid\": \"f45c2426-61ae-11ee-9c9d-0242ac110005\"}, \"file\": {\"accessed_time_dt\": \"2023-10-03T05:37:34.693831Z\", \"created_time_dt\": \"2023-10-03T05:37:34.693827Z\", \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"A98DE8AD923CB627EA1CDCCD5CF7356C\"}], \"modified_time_dt\": \"2023-10-03T05:37:34.693818Z\", \"name\": \"mins.srt\", \"parent_folder\": \"risks rendering meal/surf.pages\", \"path\": \"risks rendering meal/surf.pages/mins.srt\", \"product\": {\"lang\": \"en\", \"name\": \"morocco steam contractors\", \"uid\": \"f45bff78-61ae-11ee-94d1-0242ac110005\", \"vendor_name\": \"myrtle wn view\"}, \"signature\": {\"algorithm\": \"Authenticode\", \"algorithm_id\": 4, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"5F3258EAA1979A8BE0323FCD83F87741B9046FD02DFEDB63CC5E8BBEC47C85C9\"}], \"issuer\": \"agency covers tested\", \"serial_number\": \"fool aye tears\", \"subject\": \"lindsay symptoms gel\"}}, \"type\": \"Regular File\", \"type_id\": 1}, \"namespace_pid\": 49, \"parent_process\": {\"cmd_line\": \"montana introductory ratings\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"AB2620F9B7154D9F9DC1B3C2D949D85D595FE77F45411B3DBE6E5B47DA564177\"}, \"image\": {\"name\": \"resources albums born\", \"uid\": \"f45c7e4e-61ae-11ee-955d-0242ac110005\"}, \"name\": \"strings provided foster\", \"runtime\": \"accidents usda suit\", \"uid\": \"f45c77be-61ae-11ee-8b06-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessor\": {\"groups\": [{\"name\": \"holder outstanding vatican\", \"uid\": \"f45c4fe6-61ae-11ee-92f7-0242ac110005\"}, {\"name\": \"conducted egypt siemens\", \"type\": \"rent divine winston\", \"uid\": \"f45c5446-61ae-11ee-9f91-0242ac110005\"}], \"name\": \"Review\", \"type\": \"Admin\", \"type_id\": 
2, \"uid\": \"f45c480c-61ae-11ee-acd3-0242ac110005\"}, \"creator\": {\"groups\": [{\"name\": \"usually gained erotica\", \"uid\": \"f45c65d0-61ae-11ee-b6a8-0242ac110005\"}], \"type\": \"availability\", \"type_id\": 99, \"uid\": \"f45c601c-61ae-11ee-a457-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"5FA7429271BF14C077FFD905562FF00BA03D0E577EBDE842D181A43F83B98C5611220439195D98F47BB4838632D59E533816344E1DF7DB00271120083235ABCA\"}], \"name\": \"asked.htm\", \"owner\": {\"domain\": \"voyeurweb strip groove\", \"full_name\": \"Lynnette Brooke\", \"name\": \"Initiatives\", \"type\": \"Unknown\", \"type_id\": 0}, \"parent_folder\": \"brakes bugs inquire/blogging.ics\", \"path\": \"brakes bugs inquire/blogging.ics/asked.htm\", \"signature\": {\"algorithm\": \"RSA\", \"algorithm_id\": 2, \"certificate\": {\"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.695282Z\", \"expiration_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T05:37:34.695275Z\", \"fingerprints\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"F74C6AF46A78BECB2F1BD3F95BBD5858\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"43F66E6B6CBAF53CC520E58EC65805EC62FA04119845AC53816DA9F36F525AC65E3D7D92BED0351865836C0E97D63184282A5FEDC9AF2E914C6F9B349CB835F0\"}], \"issuer\": \"conclusions medicines exception\", \"serial_number\": \"legal grant module\", \"subject\": \"fetish converter communicate\", \"version\": \"1.0.0\"}, \"created_time_dt\": \"2023-10-03T05:37:34.695288Z\", \"digest\": {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"522CB2274A0D096C0F94307F55DB6E9D63211626E8BED23C3C8721CA612F28681D4E0202C137F40265FCAAD0EFE6A9BD02E0CF8323BAF52EFE09FF298791B18D\"}}, \"type\": \"Symbolic Link\", \"type_id\": 7, \"uid\": \"f45c3f9c-61ae-11ee-9d0c-0242ac110005\"}, \"lineage\": [\"copies would makeup\"], \"name\": \"Telling\", \"namespace_pid\": 88, \"parent_process\": {\"cmd_line\": \"trembl reverse 
constantly\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"5F69DE08EF1B52810A2E555253B2561BF4E27E0CF557FEB7502CAD51FCA3AC3B923994EC15B91A6E29CCD01AED752264DCA40FCF45DDB4B47C42836B57984513\"}, \"image\": {\"name\": \"saturn cincinnati productivity\", \"path\": \"harrison typical operations\", \"uid\": \"f45ccb74-61ae-11ee-9ef0-0242ac110005\"}, \"name\": \"strain outputs perceived\", \"pod_uuid\": \"ontario\", \"uid\": \"f45cc660-61ae-11ee-8e56-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.711648Z\", \"file\": {\"desc\": \"goto egyptian throw\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"6D856108BBB655CE760736415EE23ECE1B8FCEE045C992B3A971D31ED454BFAD53DE388CBE3FFDE1EF1A4258DDD307E4DAAD413389F51A42155B5F334C9243A4\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"6163CDC7962473142ADF6DA1E4C2B6DB26C7391242E8BBD4EE04661FEC7DF2C941477A0394334EEE5002B17ED4164502FEE4342047E61B7F299B5C98BE241602\"}], \"modified_time\": 1695272181548, \"name\": \"instructions.tif\", \"parent_folder\": \"passwords floral edition/roland.gif\", \"path\": \"passwords floral edition/roland.gif/instructions.tif\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"0BB55CC45379DA535A05A8EDE44DF854F408971928C66528377DA784038293CF\"}, {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"D8EAE8212E2ED885C71F4117E0C39374\"}], \"issuer\": \"strengths enlarge sorry\", \"serial_number\": \"neon ban suse\", \"subject\": \"underwear chancellor basic\", \"version\": \"1.0.0\"}, \"developer_uid\": \"f45c9208-61ae-11ee-9a72-0242ac110005\"}, \"size\": 2331416290, \"type\": \"Unknown\", \"type_id\": 0}, \"name\": \"Brandon\", \"namespace_pid\": 48, \"parent_process\": {\"cmd_line\": 
\"reductions transfer kyle\", \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.711634Z\", \"file\": {\"creator\": {\"groups\": [{\"uid\": \"f45d004e-61ae-11ee-8d39-0242ac110005\"}, {\"name\": \"chairs leisure institution\", \"uid\": \"f45d05e4-61ae-11ee-99f9-0242ac110005\"}], \"name\": \"Catalog\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"f45cf144-61ae-11ee-a33b-0242ac110005\"}, \"name\": \"gothic.m3u\", \"owner\": {\"groups\": [{\"type\": \"britain touch corporations\", \"uid\": \"f45ce500-61ae-11ee-ae50-0242ac110005\"}], \"name\": \"Strengthening\", \"org\": {\"name\": \"wed mpeg mortality\", \"ou_name\": \"penny automatically tops\", \"uid\": \"f45cdfd8-61ae-11ee-9701-0242ac110005\"}, \"type\": \"pentium\", \"type_id\": 99, \"uid\": \"f45cdaba-61ae-11ee-ba9e-0242ac110005\", \"uid_alt\": \"developed drinks university\"}, \"parent_folder\": \"dod emirates promote/knitting.vob\", \"path\": \"dod emirates promote/knitting.vob/gothic.m3u\", \"security_descriptor\": \"retention changing science\", \"signature\": {\"algorithm\": \"supreme\", \"algorithm_id\": 99, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"741DD1242DF463E4748B3F29D59B2CDB444A2B723C098FCD8A61CFF3A2531A1EBEB1D42A7AD9A444FA8D89DC6A11F741547C10080B44BED739B5D0CDC993B842\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"C4824AE8BB216F860CA4CD45F979A59088DD132DF0BFA0EC613752EF4A2EE45E\"}], \"issuer\": \"formation mixer sullivan\", \"serial_number\": \"ser rna serves\", \"subject\": \"tractor bag coleman\", \"version\": \"1.0.0\"}, \"digest\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"7243F8BE75253AFBADF7477867021F8B\"}}, \"type\": \"Block Device\", \"type_id\": 4, \"xattributes\": {}}, \"integrity\": \"guys thus beads\", \"namespace_pid\": 82, \"parent_process\": {\"cmd_line\": \"trails washer home\", 
\"container\": {\"hash\": {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"68C9913042346CAD7F9FABEBF901C5DBBE49BEAFFE6CDBF271C0CD6F2363033A\"}, \"image\": {\"labels\": [\"malaysia\", \"tough\"], \"name\": \"equation modular saver\", \"uid\": \"f45d4bb2-61ae-11ee-98af-0242ac110005\"}, \"name\": \"requested divx inspector\", \"size\": 648398402, \"uid\": \"f45d3faa-61ae-11ee-95d3-0242ac110005\"}, \"created_time\": 1695272181548, \"lineage\": [\"married funded elections\", \"liquid geek cal\"], \"name\": \"Friends\", \"namespace_pid\": 2, \"parent_process\": {\"cmd_line\": \"guided spine purple\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"10E86C6514D40F2A3E861B31847340EE8C8ED181029A17B042F137121D28863E\"}, \"name\": \"diffs dead mechanical\", \"orchestrator\": \"piano sims editors\", \"pod_uuid\": \"danish\", \"size\": 1480676944, \"tag\": \"cheers cancer russian\", \"uid\": \"f45d8ab4-61ae-11ee-a07b-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Myrl Ilana\", \"created_time_dt\": \"2023-10-03T05:37:34.702607Z\", \"desc\": \"starting invasion flame\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"2FF592449E1B208D2349421A0E142A80E875518AA0C20FF64D3610AB6830DD78BF8980FD7F211369C267D93464D86327F78FA84CEDB14D9210655D931C34F7BA\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"A2349F07A5DCE2F05BB0C656C6DEA195972A5C01A7B5DA65FEC562FE2C229B6B5B6930E7613E6323D8F52E25C3E76F85EBED522B17F8EB673C263A290FD26BB7\"}], \"name\": \"manner.app\", \"parent_folder\": \"turn available mighty/grocery.tax2016\", \"path\": \"turn available mighty/grocery.tax2016/manner.app\", \"type\": \"Folder\", \"type_id\": 2, \"version\": \"1.0.0\"}, \"lineage\": [\"at residential ceo\"], \"name\": \"Warnings\", \"namespace_pid\": 67, \"parent_process\": {\"cmd_line\": \"lists accredited manufacture\", \"created_time\": 1695272181548, \"created_time_dt\": 
\"2023-10-03T05:37:34.711602Z\", \"file\": {\"accessed_time\": 1695272181548, \"accessed_time_dt\": \"2023-10-03T05:37:34.704522Z\", \"confidentiality\": \"fear browsers television\", \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.704513Z\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"3B0173ED99A820AB5188A16998FBC2E1957424B5E1E2DB85F6F1F8CAFAE691070EE54DC314BDF2983F9A2CE57CF6E378ABB2AEDB0DA772B4626469F1363D4782\"}], \"modifier\": {\"name\": \"Lopez\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"f45da012-61ae-11ee-8601-0242ac110005\"}, \"name\": \"basename.mpg\", \"parent_folder\": \"general required suspect/commentary.jar\", \"path\": \"general required suspect/commentary.jar/basename.mpg\", \"size\": 2270854617, \"type\": \"Folder\", \"type_id\": 2, \"xattributes\": {}}, \"integrity\": \"disclosure insert americans\", \"name\": \"Hamilton\", \"namespace_pid\": 16, \"parent_process\": {\"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"5DF4BFECA632B9BD1D11E5E5D9549CF30B4849A4C815894151C865C80E13E3D0DE949759C7E1AEE233D178AD52E3AE2E93D99AEA0D993ED5DCE67E03E1578823\"}, \"image\": {\"name\": \"conducted takes renewable\", \"uid\": \"f45dc7b8-61ae-11ee-9630-0242ac110005\"}, \"name\": \"praise britannica rev\", \"uid\": \"f45dc254-61ae-11ee-b035-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessed_time\": 1695272181548, \"confidentiality\": \"applications\", \"confidentiality_id\": 99, \"created_time_dt\": \"2023-10-03T05:37:34.704809Z\", \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"AC3F2D226D9EFC7934195793B402CBBC13E2736E205E59735FD07CE424B1FB37\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"BD1DC345B2C39E8DADCDA520CC809F96FFC8413DD1169269D5E02AE412E1297111E2A26660902A783337A5D4C0D0C9FEBCCBB0C0AED91F2BFA2CCF4845056AAB\"}], \"modified_time\": 1695272181548, \"name\": \"mitsubishi.zip\", 
\"parent_folder\": \"premium accommodation showtimes/prisoner.deskthemepack\", \"path\": \"premium accommodation showtimes/prisoner.deskthemepack/mitsubishi.zip\", \"type\": \"way\", \"type_id\": 99, \"xattributes\": {}}, \"integrity\": \"times entities fx\", \"namespace_pid\": 98, \"parent_process\": {\"cmd_line\": \"insulation else evidence\", \"container\": {\"hash\": {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"E272B1A204600DF6B8A987C8FB851C7EF2AA8596CF158120722E5966F20081F5\"}, \"image\": {\"name\": \"olympus present empirical\", \"uid\": \"f45df3a0-61ae-11ee-ae83-0242ac110005\"}, \"name\": \"dv cst mug\", \"orchestrator\": \"internationally correct examining\", \"size\": 2782839574, \"uid\": \"f45deefa-61ae-11ee-95f2-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"0D3045A301A866174DD910C13E50427CB610EAD22A8523650B444E52FF16941B\"}, {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"BEE38FBC71DC4377BEF693AF6C11F462AC065BD6\"}], \"name\": \"hockey.part\", \"parent_folder\": \"seafood tape distant/physically.mdf\", \"path\": \"seafood tape distant/physically.mdf/hockey.part\", \"type\": \"Symbolic Link\", \"type_id\": 7, \"uid\": \"f45dd3d4-61ae-11ee-9986-0242ac110005\", \"version\": \"1.0.0\"}, \"integrity\": \"involvement hk speaking\", \"name\": \"Forecasts\", \"namespace_pid\": 56, \"parent_process\": {\"cmd_line\": \"collapse tan demo\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"7CFCBD1C1575DD7EAE454F18B9267188\"}, \"image\": {\"name\": \"pty dramatic measure\", \"uid\": \"f45e1452-61ae-11ee-93ff-0242ac110005\"}, \"name\": \"matters sophisticated hampshire\", \"orchestrator\": \"earned accountability todd\", \"size\": 277669091, \"uid\": \"f45e0b7e-61ae-11ee-9c4e-0242ac110005\"}, \"created_time\": 1695272181548, \"integrity\": \"Protected\", \"integrity_id\": 6, \"name\": \"Heath\", \"namespace_pid\": 
36, \"parent_process\": {\"cmd_line\": \"rubber taxi deployment\", \"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"19EA5DD6F7D4532CE968933056B2150CB38D84FBEA07A9B1E71EE7388D9EAD136AFB55A16621065CA950B550FAA589C7E77583279DE84B3C958B13C9BA731D69\"}, \"image\": {\"name\": \"phantom participant employee\", \"uid\": \"f45e29ec-61ae-11ee-b755-0242ac110005\"}, \"name\": \"insulin never metabolism\", \"pod_uuid\": \"luxury\", \"size\": 2875863087, \"uid\": \"f45e2532-61ae-11ee-b4f8-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.711572Z\", \"integrity\": \"Protected\", \"integrity_id\": 6, \"name\": \"Special\", \"namespace_pid\": 45, \"parent_process\": {\"file\": {\"accessed_time_dt\": \"2023-10-03T05:37:34.709414Z\", \"confidentiality\": \"watson\", \"confidentiality_id\": 99, \"created_time_dt\": \"2023-10-03T05:37:34.709410Z\", \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"EC04A154DEAC2F7D6C2C939EA992222061F58A10BD334C6D45E3B9B3BC538985107E3B32A6CA567C7B5C6F8F0D857459E5DDC11A97318AC1AEA8A2461B955401\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"6E170831A56B3AFDAFF2E0614B1495541FDE0CA37B2F9EBCB6D5225A0CADE66CC1E6AD525CAFDD363EAA50505FD613EDBD5C1B4D703D34702968D3AE7E09037C\"}], \"modified_time_dt\": \"2023-10-03T05:37:34.709399Z\", \"name\": \"message.exe\", \"owner\": {\"account\": {\"name\": \"tradition surfaces classification\", \"type\": \"AWS IAM Role\", \"type_id\": 4, \"uid\": \"f45e5af2-61ae-11ee-8e43-0242ac110005\"}, \"domain\": \"existence see evans\", \"groups\": [{\"desc\": \"highways cheat summary\", \"name\": \"careers fixes kai\", \"uid\": \"f45e4da0-61ae-11ee-8ce5-0242ac110005\"}, {\"name\": \"past affiliate london\", \"type\": \"exclusion cleaners mart\", \"uid\": \"f45e51c4-61ae-11ee-af56-0242ac110005\"}], \"name\": \"Vegas\", \"org\": {\"name\": \"super rolling importantly\", \"ou_uid\": 
\"f45e44ea-61ae-11ee-af1f-0242ac110005\", \"uid\": \"f45e40bc-61ae-11ee-9f84-0242ac110005\"}, \"type\": \"Unknown\", \"type_id\": 0}, \"parent_folder\": \"brunette symbol poem/weekends.htm\", \"path\": \"brunette symbol poem/weekends.htm/message.exe\", \"type\": \"mozilla\", \"type_id\": 99, \"uid\": \"f45e5fa2-61ae-11ee-9642-0242ac110005\"}, \"namespace_pid\": 69, \"parent_process\": {\"cmd_line\": \"changes sad programmes\", \"container\": {\"hash\": {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"05521B80BB22220B8B095A94DA44E07951EE15F402F4BD4A050BD0CFFFD6B154\"}, \"image\": {\"name\": \"soap potter browsers\", \"uid\": \"f45eb3bc-61ae-11ee-871c-0242ac110005\"}, \"orchestrator\": \"matches virginia accepts\", \"size\": 1104975009, \"tag\": \"alexander specs considered\", \"uid\": \"f45eae80-61ae-11ee-8fa9-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Nicholas Betty\", \"confidentiality\": \"sandwich exhibit ellis\", \"created_time_dt\": \"2023-10-03T05:37:34.710639Z\", \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"4DBD2BB0760D9EBBC2743A91879CCBC04A4837BD467C1F3B4E0850E4D459BC52\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"A5469012CF0415AAE3FFA22840287489C3C57811D0FD29A58C2CD702BC84D59ADC43354994A400CA41F16849414FADE8C6A9889E640F7987FF65EAD837C7D8E4\"}], \"name\": \"ambassador.swf\", \"parent_folder\": \"nickel gui cute/vision.m3u\", \"path\": \"nickel gui cute/vision.m3u/ambassador.swf\", \"signature\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"09958F2F29A975C86F4BC77872179A9E719846A48F2022B36957925999CD31F4A0578A6C18EE8BDC0AEE2F0974FB4647FF2A0BFEA8A1E56877193277A827418F\"}], \"issuer\": \"hate passive admission\", \"serial_number\": \"promote dirt hindu\", \"subject\": \"panic aspects 
reporting\", \"version\": \"1.0.0\"}, \"created_time_dt\": \"2023-10-03T05:37:34.710541Z\", \"digest\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"14B85FA8E87F846F757EACCDA09761641B397F01\"}}, \"type\": \"Symbolic Link\", \"type_id\": 7, \"xattributes\": {}}, \"name\": \"Is\", \"namespace_pid\": 49, \"pid\": 14, \"user\": {\"account\": {\"name\": \"saint view max\", \"type\": \"Apple Account\", \"type_id\": 8, \"uid\": \"f45ea32c-61ae-11ee-9546-0242ac110005\"}, \"credential_uid\": \"f45ea700-61ae-11ee-bb61-0242ac110005\", \"email_addr\": \"Jeana@drill.web\", \"full_name\": \"Lucile Apryl\", \"name\": \"Genres\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"f45e9cb0-61ae-11ee-b849-0242ac110005\"}}, \"pid\": 65, \"sandbox\": \"ut metropolitan adjacent\", \"session\": {\"created_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T05:37:34.710191Z\", \"is_remote\": true, \"uid\": \"f45e805e-61ae-11ee-90d6-0242ac110005\"}, \"terminated_time_dt\": \"2023-10-03T05:37:34.711553Z\", \"uid\": \"f45e7546-61ae-11ee-ab37-0242ac110005\", \"user\": {\"account\": {\"name\": \"wireless trains wave\", \"type\": \"Linux Account\", \"type_id\": 9, \"uid\": \"f45e6eb6-61ae-11ee-9f44-0242ac110005\"}, \"credential_uid\": \"f45e7230-61ae-11ee-a271-0242ac110005\", \"full_name\": \"Rosamaria Norberto\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"f45e68d0-61ae-11ee-a6d3-0242ac110005\"}}, \"pid\": 39, \"user\": {\"name\": \"Mice\", \"type\": \"scoring\", \"type_id\": 99, \"uid\": \"f45e1f4c-61ae-11ee-bd4f-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 26, \"terminated_time\": 1695272181548, \"terminated_time_dt\": \"2023-10-03T05:37:34.711582Z\", \"user\": {\"account\": {\"name\": \"engines robot c\", \"uid\": \"f45e05fc-61ae-11ee-bdef-0242ac110005\"}, \"name\": \"Qualities\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"f45e00c0-61ae-11ee-b4f1-0242ac110005\", \"uid_alt\": \"pathology ordinary ep\"}}, \"pid\": 17, \"sandbox\": \"dans ip tours\", 
\"uid\": \"f45de978-61ae-11ee-af82-0242ac110005\", \"user\": {\"credential_uid\": \"f45de554-61ae-11ee-bc44-0242ac110005\", \"name\": \"Requires\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"f45de0e0-61ae-11ee-88a9-0242ac110005\", \"uid_alt\": \"monica includes treating\"}}, \"pid\": 26, \"terminated_time\": 1695272181548, \"terminated_time_dt\": \"2023-10-03T05:37:34.711596Z\", \"user\": {\"name\": \"Cardiovascular\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"f45db58e-61ae-11ee-b50c-0242ac110005\", \"uid_alt\": \"sn exception got\"}}, \"pid\": 38, \"terminated_time_dt\": \"2023-10-03T05:37:34.711606Z\"}, \"pid\": 59, \"terminated_time\": 1695272181548, \"tid\": 63, \"uid\": \"f45d835c-61ae-11ee-a0b4-0242ac110005\", \"user\": {\"account\": {\"name\": \"cycles beast pierce\", \"type\": \"Azure AD Account\", \"type_id\": 6, \"uid\": \"f45d7e20-61ae-11ee-9be4-0242ac110005\"}, \"groups\": [{\"name\": \"gamecube sunday foster\", \"privileges\": [\"ceiling pulling chapter\", \"advise lung transparent\"], \"uid\": \"f45d6750-61ae-11ee-bb59-0242ac110005\"}, {\"name\": \"skins korea bubble\", \"privileges\": [\"harbor syracuse quantities\"], \"type\": \"annie rn pot\", \"uid\": \"f45d710a-61ae-11ee-a1f1-0242ac110005\"}], \"name\": \"Dis\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"f45d6034-61ae-11ee-9b9d-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 7, \"uid\": \"f45d3a46-61ae-11ee-89e2-0242ac110005\", \"user\": {\"credential_uid\": \"f45d3654-61ae-11ee-a013-0242ac110005\", \"name\": \"Overall\", \"org\": {\"name\": \"antique crawford mug\", \"ou_name\": \"maximize tx tide\", \"uid\": \"f45d3226-61ae-11ee-b3e9-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"f45d2c18-61ae-11ee-8f99-0242ac110005\", \"uid_alt\": \"areas attachment guy\"}, \"xattributes\": {}}, \"pid\": 43, \"terminated_time_dt\": \"2023-10-03T05:37:34.711638Z\", \"uid\": \"f45d16ba-61ae-11ee-b515-0242ac110005\", \"user\": {\"domain\": \"funky valentine attached\", 
\"name\": \"Opt\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"f45d1192-61ae-11ee-805a-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 45, \"sandbox\": \"brunette christ monetary\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711652Z\", \"uid\": \"f45cc066-61ae-11ee-b149-0242ac110005\", \"user\": {\"account\": {\"name\": \"pen favors essential\", \"type\": \"AWS Account\", \"type_id\": 10, \"uid\": \"f45cb6ac-61ae-11ee-89fb-0242ac110005\"}, \"credential_uid\": \"f45cba58-61ae-11ee-8137-0242ac110005\", \"email_addr\": \"Moira@upset.nato\", \"full_name\": \"Livia Ji\", \"name\": \"Manufacturing\", \"org\": {\"name\": \"way pros ddr\", \"ou_name\": \"reliability poultry devices\", \"uid\": \"f45cafa4-61ae-11ee-af8c-0242ac110005\"}, \"type\": \"united\", \"type_id\": 99, \"uid\": \"f45ca0ea-61ae-11ee-8476-0242ac110005\"}}, \"pid\": 43, \"terminated_time\": 1695272181548, \"uid\": \"f45c71a6-61ae-11ee-9f7b-0242ac110005\", \"user\": {\"name\": \"Duck\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"f45c6dd2-61ae-11ee-9f94-0242ac110005\"}}, \"pid\": 98, \"session\": {\"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.694465Z\", \"credential_uid\": \"f45c1a1c-61ae-11ee-85ba-0242ac110005\", \"expiration_time_dt\": \"2023-10-03T05:37:34.694457Z\", \"is_remote\": false, \"issuer\": \"spec gambling separated\", \"uid\": \"f45c1288-61ae-11ee-ab6a-0242ac110005\", \"uuid\": \"f45c160c-61ae-11ee-b9ea-0242ac110005\"}, \"tid\": 86, \"user\": {\"email_addr\": \"Lilliana@ability.edu\", \"full_name\": \"Marry Dia\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"f45c0b9e-61ae-11ee-9f3b-0242ac110005\"}, \"xattributes\": {}}", + "user": { + "credential_uid": "f45bdcd2-61ae-11ee-a554-0242ac110005", + "org": { + "name": "setup stolen unexpected", + "ou_name": "iceland threats webcast", + "uid": "f45bd82c-61ae-11ee-9e57-0242ac110005" + }, + "type": "User", + "type_id": "1" + }, + "xattributes": "{}" + }, + "user": { + "type": "User", + "type_id": "1" + 
} + }, + "user": { + "account": { + "name": "intensive flash narrative", + "type": "Windows Account", + "type_id": "2", + "uid": "f45ed32e-61ae-11ee-9aa9-0242ac110005" + }, + "org": { + "name": "enquiry hottest creations", + "ou_name": "reel metals plain", + "uid": "f45ecb68-61ae-11ee-824c-0242ac110005" + }, + "type": "Admin", + "type_id": "2" + } + }, + "actual_permissions": 14, + "api": { + "operation": "appraisal disappointed iraqi", + "request": { + "uid": "f45046ce-61ae-11ee-8a1b-0242ac110005" + }, + "response": { + "code": 99, + "error": "dash knife stable", + "error_message": "delaware genetic purple", + "message": "julian peninsula bought" + } + }, + "attacks": [ + { + "tactics": [ + { + "name": "Collection | The adversary is trying to gather data of interest to their goal.", + "uid": "TA0009" + } + ], + "technique": { + "name": "Additional Cloud Credentials", + "uid": "T1098.001" + }, + "version": "12.1" + }, + { + "tactics": [ + { + "name": "Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.", + "uid": "TA0040" + }, + { + "name": "Command and Control The adversary is trying to communicate with compromised systems to control them.", + "uid": "TA0011" + } + ], + "technique": { + "name": "Credentials in Registry", + "uid": "T1214" + }, + "version": "12.1" + } + ], + "base_address": "statements dining gnome", + "category_name": "System Activity", + "category_uid": 1, + "class_name": "Memory Activity", + "class_uid": "1004", + "device": { + "created_time": 1695272181548, + "first_seen_time": 1695272181548, + "image": { + "name": "leader mind compliant", + "uid": "f450e20a-61ae-11ee-959b-0242ac110005" + }, + "instance_uid": "f450c02c-61ae-11ee-a04e-0242ac110005", + "interface_name": "adaptive survivor nickname", + "interface_uid": "f450dada-61ae-11ee-9e5c-0242ac110005", + "is_trusted": false, + "last_seen_time": 1695272181548, + "org": { + "name": "gratuit book virtually", + "ou_name": "profit plug fioricet", + "uid": 
"f4507856-61ae-11ee-b34b-0242ac110005" + }, + "region": "debut instruments alphabetical", + "subnet_uid": "f450b6fe-61ae-11ee-aa6c-0242ac110005", + "type_id": "1" + }, + "disposition": "Deleted", + "disposition_id": "5", + "metadata": { + "log_name": "trademarks wishing accreditation", + "logged_time": 1695272181548, + "original_time": "protection velvet propose", + "product": { + "feature": { + "name": "wish quest practitioners", + "uid": "f4506a32-61ae-11ee-a6bb-0242ac110005", + "version": "1.0.0" + }, + "lang": "en", + "name": "asbestos settings medication", + "uid": "f4506410-61ae-11ee-a485-0242ac110005", + "vendor_name": "evaluations belly reception", + "version": "1.0.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "security_control" + ], + "version": "1.0.0" + }, + "severity": "Critical", + "status_code": "registry", + "time_dt": "2023-10-03T05:37:34.712339Z", + "timezone_offset": 26, + "type_name": "Memory Activity: Allocate Page", + "type_uid": "100401" + } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_system_activity_5.json b/OCSF/ocsf/tests/test_system_activity_5.json index ef9126b9c..0d4aeeec3 100644 --- a/OCSF/ocsf/tests/test_system_activity_5.json +++ b/OCSF/ocsf/tests/test_system_activity_5.json 
@@ -28,6 +28,305 @@ "provider": "translate be cabinets", "region": "trap wood power" }, - "ocsf": "{\"activity_id\": 1, \"activity_name\": \"Load\", \"actor\": {\"invoked_by\": \"pantyhose macedonia retained\", \"process\": {\"cmd_line\": \"fame little relax\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"BA691BA042BCEDD9A61A36F5969026BC95859DCCDC7E47F24E6BCE35673BAF2F\"}, \"image\": {\"labels\": [\"printed\", \"safer\"], \"name\": \"babies detective christians\", \"uid\": \"8b8325a8-61b8-11ee-9a88-0242ac110005\"}, \"name\": \"renew angle reject\", \"runtime\": \"annoying remarkable setup\", \"size\": 2132122251, \"uid\": \"8b832030-61b8-11ee-816d-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessor\": {\"credential_uid\": \"8b82f4ca-61b8-11ee-894f-0242ac110005\", \"name\": \"Elections\", \"org\": {\"name\": \"ids mercury milan\", \"ou_name\": \"whether eddie investment\", \"uid\": \"8b82ef20-61b8-11ee-9b3a-0242ac110005\"}, \"type\": \"distributor\", \"type_id\": 99, \"uid\": \"8b82e9d0-61b8-11ee-be3a-0242ac110005\"}, \"desc\": \"computing investors rio\", \"is_system\": false, \"modified_time_dt\": \"2023-10-03T06:46:13.755631Z\", \"name\": \"administrators.tmp\", \"parent_folder\": \"flush faced champagne/cruise.tar.gz\", \"path\": \"flush faced champagne/cruise.tar.gz/administrators.tmp\", \"type\": \"Folder\", \"type_id\": 2}, \"name\": \"Switzerland\", \"namespace_pid\": 97, \"parent_process\": {\"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"1FA53D9A1AEAB5165003DE1755AD56612ABF77A3D033D697439C884637D2DC66DBDFFA147DFDBD69DC6D27340B63C26C93D84C65F59EE3A270CA5BBB1D13613F\"}, \"network_driver\": \"ee australian housewares\", \"size\": 388023740, \"uid\": \"8b834fd8-61b8-11ee-8b6a-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"created_time\": 1695272181548, \"is_system\": false, \"mime_type\": \"today/uniprotkb\", \"name\": 
\"audi.pspimage\", \"owner\": {\"name\": \"Mastercard\", \"org\": {\"name\": \"qualification twisted australian\", \"ou_name\": \"franklin nb leslie\", \"uid\": \"8b833dfe-61b8-11ee-a745-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"8b833638-61b8-11ee-a13b-0242ac110005\"}, \"parent_folder\": \"paying represent putting/showing.vob\", \"path\": \"paying represent putting/showing.vob/audi.pspimage\", \"type\": \"Block Device\", \"type_id\": 4}, \"name\": \"Containers\", \"namespace_pid\": 5, \"parent_process\": {\"cmd_line\": \"gang spring carlo\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"85434F1527CE237329D0B1927EABF9D3\"}, \"name\": \"victims edit minimum\", \"size\": 2069042340, \"uid\": \"8b83744a-61b8-11ee-9c26-0242ac110005\"}, \"integrity\": \"happening\", \"integrity_id\": 99, \"name\": \"Global\", \"namespace_pid\": 74, \"parent_process\": {\"cmd_line\": \"mm bon estimate\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"CA59BAD8CEAD7A8424AD6823FE6AED5BA7AF4A9FDA854EA5AAB75A41B5369465\"}, \"image\": {\"uid\": \"8b840af4-61b8-11ee-a7b5-0242ac110005\"}, \"name\": \"separation catalogs vocals\", \"uid\": \"8b8402a2-61b8-11ee-92d4-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessor\": {\"groups\": [{\"name\": \"ct disposal rent\", \"uid\": \"8b839358-61b8-11ee-a4c0-0242ac110005\"}, {\"name\": \"cruise ancient chemicals\", \"type\": \"spoke life lee\"}], \"name\": \"Mathematical\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"8b838e30-61b8-11ee-8527-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"CA247333484AEB04EFA2DE65A9EC68032CED9ACC7716F9379404EB2422FC65190E0F56D3C2B21505FE722A0CD1D05AF9B8E47B4CB5005B4C4E71C6C5545C775F\"}], \"mime_type\": \"molecules/sharon\", \"name\": \"planner.bak\", \"parent_folder\": \"sony discussion suit/stomach.gif\", \"path\": \"sony discussion 
suit/stomach.gif/planner.bak\", \"type\": \"Character Device\", \"type_id\": 3, \"uid\": \"8b838804-61b8-11ee-a06e-0242ac110005\"}, \"integrity\": \"High\", \"integrity_id\": 4, \"name\": \"Pilot\", \"parent_process\": {\"cmd_line\": \"applicable acquire folk\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"6B942E2831F972C22E2B0292EA3A8176AB41CD3B\"}, \"image\": {\"name\": \"pressure sixth happen\", \"uid\": \"8b8431e6-61b8-11ee-9576-0242ac110005\"}, \"name\": \"businesses suspension across\", \"orchestrator\": \"theta create impact\", \"size\": 2843627610, \"uid\": \"8b842ce6-61b8-11ee-acb2-0242ac110005\"}, \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"lineage\": [\"wires largest stamp\", \"handbook dale photograph\"], \"name\": \"Sleep\", \"namespace_pid\": 4, \"parent_process\": {\"cmd_line\": \"packs maximum audit\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"799904B20F1174F01C0D2DD87C57E097\"}, \"image\": {\"labels\": [\"clouds\"], \"name\": \"letter fri mauritius\", \"uid\": \"8b84825e-61b8-11ee-a5b5-0242ac110005\"}, \"name\": \"hotmail midlands ripe\", \"size\": 860474369, \"uid\": \"8b847c96-61b8-11ee-99b1-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T06:46:13.768070Z\", \"file\": {\"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"436DE0B494120DEC66B218D7D67AE5FC65841DA47A5D5A6044D76AE7CD0D793736DCAD5FA9C579A8C53310FA0B70225BB8C079A2E5BEDB5F6F48176972572F1C\"}], \"name\": \"pottery.java\", \"parent_folder\": \"revolutionary such regulations/cheaper.ico\", \"path\": \"revolutionary such regulations/cheaper.ico/pottery.java\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T06:46:13.764297Z\", \"fingerprints\": [{\"algorithm\": \"Unknown\", 
\"algorithm_id\": 0, \"value\": \"EDE381A3419BC1A2ACD00220F23CE82967A8631DB35FDF0122B8A0E43E8768CABDBDC842A83C48138C523D1A56B3F63F03D85756C9BFED7656AE5097479D9A4C\"}, {\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"AFD38780B76420D3214D2D6D318A6EA972D720518346C2F7339E661205D5F20A5682869DAF56249F9FACD6EDF878C81669184A1D9C736232079EDED66727E297\"}], \"issuer\": \"write watts guitars\", \"serial_number\": \"facing wb drinks\", \"subject\": \"consensus ownership trainer\", \"version\": \"1.0.0\"}}, \"type\": \"Local Socket\", \"type_id\": 5}, \"name\": \"Lie\", \"namespace_pid\": 45, \"parent_process\": {\"cmd_line\": \"prior angry workers\", \"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"B413223A2BB7E91D5C6E244B77A2392BA017906B615F3CDF4BA192FE568C7738ADE3E24CAA9273F592169D682882DAC5E0DF8975B0FDB3859FB69A175B815724\"}, \"image\": {\"name\": \"expenses pdt conditioning\", \"path\": \"valentine corp gcc\", \"tag\": \"recognition albania curtis\", \"uid\": \"8b84d204-61b8-11ee-8eb1-0242ac110005\"}, \"name\": \"horrible scroll del\", \"pod_uuid\": \"gift\", \"size\": 870541982, \"uid\": \"8b84c7c8-61b8-11ee-b0ff-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessed_time_dt\": \"2023-10-03T06:46:13.766265Z\", \"attributes\": 57, \"company_name\": \"Elenore Jeanetta\", \"confidentiality\": \"hitachi shaw tension\", \"created_time_dt\": \"2023-10-03T06:46:13.766258Z\", \"desc\": \"syracuse until as\", \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"8A8173677F164DD2E2CF83BEA2A42A8B\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"6B70D921D9E8DCF0F08A73F508E5D19D274B58D8AC2E29049A23B62D1988C1028A8ECBA2485531BBD6B7AEE51EA822578E859759F8FFC4818023EFD47ABC9C4D\"}], \"name\": \"pledge.ini\", \"parent_folder\": \"internationally remedies back/his.cgi\", \"path\": \"internationally remedies back/his.cgi/pledge.ini\", \"security_descriptor\": \"lower cable requiring\", 
\"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"F72B1ED0BD7D6BE65211FA1606D1DE35F225DE73CB524C01380509CCE5B6F8F8DDE81A0B0AB6F5ECE9A7E651DD7D0C19DB365A83C018B747DA5B0A79259F3547\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"AEAA2CEC33E27D65690E726E1710D3F4A99A2BF0AE9A3BD9087488F1DFB4D38D\"}], \"issuer\": \"rocket separation opponent\", \"serial_number\": \"edinburgh responsible supervisor\", \"subject\": \"portugal motel preserve\", \"version\": \"1.0.0\"}}, \"type\": \"Character Device\", \"type_id\": 3}, \"name\": \"Homepage\", \"namespace_pid\": 94, \"pid\": 78, \"session\": {\"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T06:46:13.767299Z\", \"expiration_time_dt\": \"2023-10-03T06:46:13.767292Z\", \"issuer\": \"gel submissions finite\", \"uid\": \"8b84b562-61b8-11ee-a0d1-0242ac110005\", \"uuid\": \"8b84bbd4-61b8-11ee-8f0e-0242ac110005\"}, \"uid\": \"8b84ac48-61b8-11ee-97d9-0242ac110005\", \"user\": {\"name\": \"Lauderdale\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"8b84a6e4-61b8-11ee-b1fe-0242ac110005\", \"uid_alt\": \"venezuela path passing\"}}, \"pid\": 43, \"sandbox\": \"holmes guess hyundai\", \"session\": {\"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T06:46:13.764972Z\", \"expiration_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T06:46:13.764963Z\", \"is_remote\": false, \"issuer\": \"fun tomorrow antibodies\", \"uid\": \"8b8460c6-61b8-11ee-9def-0242ac110005\"}, \"user\": {\"account\": {\"name\": \"chrome ones leeds\", \"type\": \"AWS IAM User\", \"type_id\": 3}, \"domain\": \"continuity cases issues\", \"groups\": [{\"name\": \"protein lightweight complications\", \"type\": \"samsung knowledgestorm ppm\", \"uid\": \"8b8458ba-61b8-11ee-9ec2-0242ac110005\"}, {\"name\": \"spyware expensive partnerships\", 
\"type\": \"lcd moore th\"}], \"name\": \"Wrapping\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"8b8452de-61b8-11ee-9b3c-0242ac110005\", \"uid_alt\": \"mpegs eric ky\"}}, \"pid\": 54, \"session\": {\"created_time_dt\": \"2023-10-03T06:46:13.763445Z\", \"is_remote\": true}, \"uid\": \"8b8424bc-61b8-11ee-aa3b-0242ac110005\", \"user\": {\"name\": \"Edges\", \"type\": \"compute\", \"type_id\": 99, \"uid\": \"8b841ca6-61b8-11ee-ac94-0242ac110005\"}}, \"sandbox\": \"mothers equipped enquiry\", \"tid\": 45, \"uid\": \"8b83fcbc-61b8-11ee-8764-0242ac110005\", \"user\": {\"credential_uid\": \"8b83f94c-61b8-11ee-85e8-0242ac110005\", \"name\": \"Warner\", \"type\": \"interim\", \"type_id\": 99, \"uid\": \"8b83f500-61b8-11ee-9242-0242ac110005\"}}, \"pid\": 30, \"session\": {\"created_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T06:46:13.758724Z\", \"is_remote\": true, \"uid\": \"8b836dc4-61b8-11ee-aa72-0242ac110005\"}, \"uid\": \"8b83682e-61b8-11ee-bf60-0242ac110005\", \"user\": {\"account\": {\"name\": \"desk periodic depth\", \"type\": \"Mac OS Account\", \"type_id\": 7, \"uid\": \"8b836400-61b8-11ee-9913-0242ac110005\"}, \"name\": \"Includes\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"8b835b7c-61b8-11ee-9c7d-0242ac110005\", \"uid_alt\": \"origins demo declaration\"}}, \"pid\": 76, \"uid\": \"8b834aba-61b8-11ee-8172-0242ac110005\", \"user\": {\"domain\": \"klein greg processing\", \"full_name\": \"Franklyn Shantell\", \"name\": \"Prep\", \"type\": \"lot\", \"type_id\": 99, \"uid\": \"8b834682-61b8-11ee-8f6a-0242ac110005\"}}, \"pid\": 8, \"session\": {\"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T06:46:13.756371Z\", \"credential_uid\": \"8b830938-61b8-11ee-9d39-0242ac110005\", \"expiration_time_dt\": \"2023-10-03T06:46:13.756144Z\", \"is_remote\": true, \"issuer\": \"texts advertiser henderson\", \"uid\": \"8b830532-61b8-11ee-bdfd-0242ac110005\"}, \"terminated_time\": 1695272181548, \"tid\": 12, \"uid\": 
\"8b830046-61b8-11ee-b4bd-0242ac110005\", \"user\": {\"name\": \"Mechanics\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"8b82fc86-61b8-11ee-b5b6-0242ac110005\"}}, \"user\": {\"full_name\": \"Regan Loise\", \"name\": \"Cookies\", \"type\": \"load\", \"type_id\": 99, \"uid\": \"8b84f59a-61b8-11ee-8275-0242ac110005\", \"uid_alt\": \"dawn but titles\"}}, \"api\": {\"operation\": \"helena internationally leo\", \"request\": {\"uid\": \"8b824fc0-61b8-11ee-b26d-0242ac110005\"}, \"response\": {\"code\": 99, \"error\": \"three acdbentity sufficient\", \"message\": \"myrtle trust resort\"}}, \"attacks\": [{\"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}, {\"name\": \"Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.\", \"uid\": \"TA0040\"}], \"technique\": {\"name\": \"PowerShell Profile\", \"uid\": \"T1504\"}, \"version\": \"12.1\"}, {\"tactics\": [{\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}, {\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Securityd Memory\", \"uid\": \"T1555.002\"}, \"version\": \"12.1\"}], \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Module Activity\", \"class_uid\": 1005, \"cloud\": {\"account\": {\"name\": \"abroad takes controversy\", \"type\": \"AWS Account\", \"type_id\": 10, \"uid\": \"8b82630c-61b8-11ee-a1c3-0242ac110005\"}, \"project_uid\": \"8b82679e-61b8-11ee-9ed4-0242ac110005\", \"provider\": \"translate be cabinets\", \"region\": \"trap wood power\"}, \"device\": {\"domain\": \"existence conditional pillow\", \"groups\": [{\"name\": \"ev terminal meals\", \"uid\": \"8b82bf64-61b8-11ee-a83f-0242ac110005\"}, {\"name\": \"born lasting vitamins\", \"privileges\": [\"sheets loading representative\"], \"uid\": 
\"8b82c338-61b8-11ee-bf95-0242ac110005\"}], \"hostname\": \"tiles.name\", \"hw_info\": {\"cpu_bits\": 95, \"keyboard_info\": {\"keyboard_subtype\": 47}}, \"hypervisor\": \"fundraising kerry peer\", \"imei\": \"moderators sentence ordered\", \"instance_uid\": \"8b82c98c-61b8-11ee-ac91-0242ac110005\", \"interface_uid\": \"8b82d0da-61b8-11ee-b450-0242ac110005\", \"ip\": \"81.2.69.142\", \"mac\": \"6C:91:94:13:50:61:2E:D4\", \"modified_time\": 1695272181548, \"name\": \"assigned daughters creating\", \"network_interfaces\": [{\"hostname\": \"lightbox.gov\", \"ip\": \"81.2.69.142\", \"mac\": \"57:15:98:E9:35:D3:B3:9A\", \"name\": \"henderson treasures dv\", \"type\": \"Tunnel\", \"type_id\": 4}, {\"hostname\": \"horizon.biz\", \"ip\": \"81.2.69.142\", \"mac\": \"47:B8:F6:D1:B8:90:8C:7F\", \"name\": \"forests designation entire\", \"type\": \"fcc\", \"type_id\": 99, \"uid\": \"8b82b79e-61b8-11ee-a441-0242ac110005\"}], \"os\": {\"build\": \"grave pn resist\", \"country\": \"Cuba, Republic of\", \"name\": \"extreme oct care\", \"sp_ver\": 3, \"type\": \"Android\", \"type_id\": 201}, \"region\": \"slight centers swimming\", \"risk_level\": \"Low\", \"risk_level_id\": 1, \"type\": \"frontier\", \"type_id\": 99}, \"disposition\": \"Deleted\", \"disposition_id\": 5, \"malware\": [{\"classification_ids\": [17, 2], \"classifications\": [\"ontario amsterdam archived\", \"newfoundland norman eddie\"], \"name\": \"generally insight ee\", \"path\": \"jc possess fibre\", \"provider\": \"singapore flexible casino\"}, {\"classification_ids\": [16, 5], \"cves\": [{\"created_time\": 1695272181548, \"modified_time\": 1695272181548, \"modified_time_dt\": \"2023-10-03T06:46:13.752477Z\", \"type\": \"graphical acm salt\", \"uid\": \"8b827964-61b8-11ee-822b-0242ac110005\"}], \"name\": \"illustrated lending requirements\", \"path\": \"cho basket ul\", \"provider\": \"goods fitting latter\", \"uid\": \"8b8272c0-61b8-11ee-90e5-0242ac110005\"}], \"message\": \"menu controller plants\", 
\"metadata\": {\"labels\": [\"moses\"], \"log_name\": \"laboratory instance upon\", \"log_provider\": \"discrimination morrison course\", \"logged_time\": 1695272181548, \"original_time\": \"rights newly filled\", \"product\": {\"lang\": \"en\", \"name\": \"improving consist portfolio\", \"uid\": \"8b82a664-61b8-11ee-bb6e-0242ac110005\", \"vendor_name\": \"completing watershed poor\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"sequence\": 44, \"version\": \"1.0.0\"}, \"module\": {\"base_address\": \"daughters offshore thehun\", \"file\": {\"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"created_time_dt\": \"2023-10-03T06:46:13.753318Z\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"795F2AAA00B0D80F2A50C10902A141A3E0AFE3A4BCE0007F213C21994E6AE528B448F2C2F4BDF6C4E1D0AEA3B8396D40A4395AA9730A77E879848BDB750D6468\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"B8C09AA4F584900FEA2DF3DAFBDAF9F0C6E76095BFDBCCF5F0F748D069D706526380A29574124164B0EDC1B56DD8342FC4BF70467A9B6024D999269A45E2A175\"}], \"modified_time\": 1695272181548, \"name\": \"expiration.cpl\", \"parent_folder\": \"pleased dip spiritual/corresponding.java\", \"path\": \"pleased dip spiritual/corresponding.java/expiration.cpl\", \"product\": {\"lang\": \"en\", \"name\": \"traveling yea espn\", \"uid\": \"8b82966a-61b8-11ee-81c7-0242ac110005\", \"vendor_name\": \"manhattan better posts\", \"version\": \"1.0.0\"}, \"type\": \"Character Device\", \"type_id\": 3}, \"load_type\": \"Non Standard\", \"load_type_id\": 2, \"start_address\": \"needs some limit\"}, \"severity\": \"minutes\", \"severity_id\": 99, \"status\": \"Unknown\", \"status_id\": 0, \"time\": 1695272181548, \"timezone_offset\": 8, \"type_name\": \"Module Activity: Load\", \"type_uid\": 100501}" + "ocsf": { + "activity_id": 1, + "activity_name": "Load", + "actor": { + "invoked_by": "pantyhose macedonia retained", + 
"process": { + "container": { + "hash": { + "algorithm": "SHA-256", + "algorithm_id": "3", + "value": "BA691BA042BCEDD9A61A36F5969026BC95859DCCDC7E47F24E6BCE35673BAF2F" + }, + "image": { + "uid": "8b8325a8-61b8-11ee-9a88-0242ac110005" + }, + "size": 2132122251 + }, + "file": { + "accessor": { + "credential_uid": "8b82f4ca-61b8-11ee-894f-0242ac110005", + "name": "Elections", + "org": { + "name": "ids mercury milan", + "ou_name": "whether eddie investment", + "uid": "8b82ef20-61b8-11ee-9b3a-0242ac110005" + }, + "type": "distributor", + "type_id": "99", + "uid": "8b82e9d0-61b8-11ee-be3a-0242ac110005" + }, + "desc": "computing investors rio", + "is_system": false, + "modified_time_dt": "2023-10-03T06:46:13.755631Z", + "type_id": "2" + }, + "namespace_pid": 97, + "parent_process": { + "container": { + "hash": { + "algorithm": "quickXorHash", + "algorithm_id": "7", + "value": "1FA53D9A1AEAB5165003DE1755AD56612ABF77A3D033D697439C884637D2DC66DBDFFA147DFDBD69DC6D27340B63C26C93D84C65F59EE3A270CA5BBB1D13613F" + }, + "network_driver": "ee australian housewares", + "size": 388023740, + "uid": "8b834fd8-61b8-11ee-8b6a-0242ac110005" + }, + "file": { + "created_time": 1695272181548, + "is_system": false, + "mime_type": "today/uniprotkb", + "name": "audi.pspimage", + "owner": { + "name": "Mastercard", + "org": { + "name": "qualification twisted australian", + "ou_name": "franklin nb leslie", + "uid": "8b833dfe-61b8-11ee-a745-0242ac110005" + }, + "type": "Admin", + "type_id": "2", + "uid": "8b833638-61b8-11ee-a13b-0242ac110005" + }, + "parent_folder": "paying represent putting/showing.vob", + "path": "paying represent putting/showing.vob/audi.pspimage", + "type": "Block Device", + "type_id": "4" + }, + "namespace_pid": 5, + "parent_process": "{\"cmd_line\": \"gang spring carlo\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"85434F1527CE237329D0B1927EABF9D3\"}, \"name\": \"victims edit minimum\", \"size\": 2069042340, \"uid\": 
\"8b83744a-61b8-11ee-9c26-0242ac110005\"}, \"integrity\": \"happening\", \"integrity_id\": 99, \"name\": \"Global\", \"namespace_pid\": 74, \"parent_process\": {\"cmd_line\": \"mm bon estimate\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"CA59BAD8CEAD7A8424AD6823FE6AED5BA7AF4A9FDA854EA5AAB75A41B5369465\"}, \"image\": {\"uid\": \"8b840af4-61b8-11ee-a7b5-0242ac110005\"}, \"name\": \"separation catalogs vocals\", \"uid\": \"8b8402a2-61b8-11ee-92d4-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessor\": {\"groups\": [{\"name\": \"ct disposal rent\", \"uid\": \"8b839358-61b8-11ee-a4c0-0242ac110005\"}, {\"name\": \"cruise ancient chemicals\", \"type\": \"spoke life lee\"}], \"name\": \"Mathematical\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"8b838e30-61b8-11ee-8527-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"CA247333484AEB04EFA2DE65A9EC68032CED9ACC7716F9379404EB2422FC65190E0F56D3C2B21505FE722A0CD1D05AF9B8E47B4CB5005B4C4E71C6C5545C775F\"}], \"mime_type\": \"molecules/sharon\", \"name\": \"planner.bak\", \"parent_folder\": \"sony discussion suit/stomach.gif\", \"path\": \"sony discussion suit/stomach.gif/planner.bak\", \"type\": \"Character Device\", \"type_id\": 3, \"uid\": \"8b838804-61b8-11ee-a06e-0242ac110005\"}, \"integrity\": \"High\", \"integrity_id\": 4, \"name\": \"Pilot\", \"parent_process\": {\"cmd_line\": \"applicable acquire folk\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"6B942E2831F972C22E2B0292EA3A8176AB41CD3B\"}, \"image\": {\"name\": \"pressure sixth happen\", \"uid\": \"8b8431e6-61b8-11ee-9576-0242ac110005\"}, \"name\": \"businesses suspension across\", \"orchestrator\": \"theta create impact\", \"size\": 2843627610, \"uid\": \"8b842ce6-61b8-11ee-acb2-0242ac110005\"}, \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"lineage\": [\"wires largest stamp\", 
\"handbook dale photograph\"], \"name\": \"Sleep\", \"namespace_pid\": 4, \"parent_process\": {\"cmd_line\": \"packs maximum audit\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"799904B20F1174F01C0D2DD87C57E097\"}, \"image\": {\"labels\": [\"clouds\"], \"name\": \"letter fri mauritius\", \"uid\": \"8b84825e-61b8-11ee-a5b5-0242ac110005\"}, \"name\": \"hotmail midlands ripe\", \"size\": 860474369, \"uid\": \"8b847c96-61b8-11ee-99b1-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T06:46:13.768070Z\", \"file\": {\"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"436DE0B494120DEC66B218D7D67AE5FC65841DA47A5D5A6044D76AE7CD0D793736DCAD5FA9C579A8C53310FA0B70225BB8C079A2E5BEDB5F6F48176972572F1C\"}], \"name\": \"pottery.java\", \"parent_folder\": \"revolutionary such regulations/cheaper.ico\", \"path\": \"revolutionary such regulations/cheaper.ico/pottery.java\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T06:46:13.764297Z\", \"fingerprints\": [{\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"EDE381A3419BC1A2ACD00220F23CE82967A8631DB35FDF0122B8A0E43E8768CABDBDC842A83C48138C523D1A56B3F63F03D85756C9BFED7656AE5097479D9A4C\"}, {\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"AFD38780B76420D3214D2D6D318A6EA972D720518346C2F7339E661205D5F20A5682869DAF56249F9FACD6EDF878C81669184A1D9C736232079EDED66727E297\"}], \"issuer\": \"write watts guitars\", \"serial_number\": \"facing wb drinks\", \"subject\": \"consensus ownership trainer\", \"version\": \"1.0.0\"}}, \"type\": \"Local Socket\", \"type_id\": 5}, \"name\": \"Lie\", \"namespace_pid\": 45, \"parent_process\": {\"cmd_line\": \"prior angry workers\", \"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": 
\"B413223A2BB7E91D5C6E244B77A2392BA017906B615F3CDF4BA192FE568C7738ADE3E24CAA9273F592169D682882DAC5E0DF8975B0FDB3859FB69A175B815724\"}, \"image\": {\"name\": \"expenses pdt conditioning\", \"path\": \"valentine corp gcc\", \"tag\": \"recognition albania curtis\", \"uid\": \"8b84d204-61b8-11ee-8eb1-0242ac110005\"}, \"name\": \"horrible scroll del\", \"pod_uuid\": \"gift\", \"size\": 870541982, \"uid\": \"8b84c7c8-61b8-11ee-b0ff-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessed_time_dt\": \"2023-10-03T06:46:13.766265Z\", \"attributes\": 57, \"company_name\": \"Elenore Jeanetta\", \"confidentiality\": \"hitachi shaw tension\", \"created_time_dt\": \"2023-10-03T06:46:13.766258Z\", \"desc\": \"syracuse until as\", \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"8A8173677F164DD2E2CF83BEA2A42A8B\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"6B70D921D9E8DCF0F08A73F508E5D19D274B58D8AC2E29049A23B62D1988C1028A8ECBA2485531BBD6B7AEE51EA822578E859759F8FFC4818023EFD47ABC9C4D\"}], \"name\": \"pledge.ini\", \"parent_folder\": \"internationally remedies back/his.cgi\", \"path\": \"internationally remedies back/his.cgi/pledge.ini\", \"security_descriptor\": \"lower cable requiring\", \"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"F72B1ED0BD7D6BE65211FA1606D1DE35F225DE73CB524C01380509CCE5B6F8F8DDE81A0B0AB6F5ECE9A7E651DD7D0C19DB365A83C018B747DA5B0A79259F3547\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"AEAA2CEC33E27D65690E726E1710D3F4A99A2BF0AE9A3BD9087488F1DFB4D38D\"}], \"issuer\": \"rocket separation opponent\", \"serial_number\": \"edinburgh responsible supervisor\", \"subject\": \"portugal motel preserve\", \"version\": \"1.0.0\"}}, \"type\": \"Character Device\", \"type_id\": 3}, \"name\": \"Homepage\", 
\"namespace_pid\": 94, \"pid\": 78, \"session\": {\"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T06:46:13.767299Z\", \"expiration_time_dt\": \"2023-10-03T06:46:13.767292Z\", \"issuer\": \"gel submissions finite\", \"uid\": \"8b84b562-61b8-11ee-a0d1-0242ac110005\", \"uuid\": \"8b84bbd4-61b8-11ee-8f0e-0242ac110005\"}, \"uid\": \"8b84ac48-61b8-11ee-97d9-0242ac110005\", \"user\": {\"name\": \"Lauderdale\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"8b84a6e4-61b8-11ee-b1fe-0242ac110005\", \"uid_alt\": \"venezuela path passing\"}}, \"pid\": 43, \"sandbox\": \"holmes guess hyundai\", \"session\": {\"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T06:46:13.764972Z\", \"expiration_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T06:46:13.764963Z\", \"is_remote\": false, \"issuer\": \"fun tomorrow antibodies\", \"uid\": \"8b8460c6-61b8-11ee-9def-0242ac110005\"}, \"user\": {\"account\": {\"name\": \"chrome ones leeds\", \"type\": \"AWS IAM User\", \"type_id\": 3}, \"domain\": \"continuity cases issues\", \"groups\": [{\"name\": \"protein lightweight complications\", \"type\": \"samsung knowledgestorm ppm\", \"uid\": \"8b8458ba-61b8-11ee-9ec2-0242ac110005\"}, {\"name\": \"spyware expensive partnerships\", \"type\": \"lcd moore th\"}], \"name\": \"Wrapping\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"8b8452de-61b8-11ee-9b3c-0242ac110005\", \"uid_alt\": \"mpegs eric ky\"}}, \"pid\": 54, \"session\": {\"created_time_dt\": \"2023-10-03T06:46:13.763445Z\", \"is_remote\": true}, \"uid\": \"8b8424bc-61b8-11ee-aa3b-0242ac110005\", \"user\": {\"name\": \"Edges\", \"type\": \"compute\", \"type_id\": 99, \"uid\": \"8b841ca6-61b8-11ee-ac94-0242ac110005\"}}, \"sandbox\": \"mothers equipped enquiry\", \"tid\": 45, \"uid\": \"8b83fcbc-61b8-11ee-8764-0242ac110005\", \"user\": {\"credential_uid\": \"8b83f94c-61b8-11ee-85e8-0242ac110005\", \"name\": \"Warner\", \"type\": \"interim\", \"type_id\": 99, \"uid\": 
\"8b83f500-61b8-11ee-9242-0242ac110005\"}}, \"pid\": 30, \"session\": {\"created_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T06:46:13.758724Z\", \"is_remote\": true, \"uid\": \"8b836dc4-61b8-11ee-aa72-0242ac110005\"}, \"uid\": \"8b83682e-61b8-11ee-bf60-0242ac110005\", \"user\": {\"account\": {\"name\": \"desk periodic depth\", \"type\": \"Mac OS Account\", \"type_id\": 7, \"uid\": \"8b836400-61b8-11ee-9913-0242ac110005\"}, \"name\": \"Includes\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"8b835b7c-61b8-11ee-9c7d-0242ac110005\", \"uid_alt\": \"origins demo declaration\"}}", + "user": { + "type": "lot", + "type_id": "99" + } + }, + "session": { + "created_time": 1695272181548, + "created_time_dt": "2023-10-03T06:46:13.756371Z", + "credential_uid": "8b830938-61b8-11ee-9d39-0242ac110005", + "expiration_time_dt": "2023-10-03T06:46:13.756144Z", + "is_remote": true, + "issuer": "texts advertiser henderson", + "uid": "8b830532-61b8-11ee-bdfd-0242ac110005" + }, + "user": { + "type": "System", + "type_id": "3" + } + }, + "user": { + "type": "load", + "type_id": "99", + "uid_alt": "dawn but titles" + } + }, + "api": { + "operation": "helena internationally leo", + "request": { + "uid": "8b824fc0-61b8-11ee-b26d-0242ac110005" + }, + "response": { + "code": 99, + "error": "three acdbentity sufficient", + "message": "myrtle trust resort" + } + }, + "attacks": [ + { + "tactics": [ + { + "name": "Collection | The adversary is trying to gather data of interest to their goal.", + "uid": "TA0009" + }, + { + "name": "Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.", + "uid": "TA0040" + } + ], + "technique": { + "name": "PowerShell Profile", + "uid": "T1504" + }, + "version": "12.1" + }, + { + "tactics": [ + { + "name": "Discovery The adversary is trying to figure out your environment.", + "uid": "TA0007" + }, + { + "name": "Privilege Escalation | The adversary is trying to gain higher-level permissions.", + "uid": 
"TA0004" + } + ], + "technique": { + "name": "Securityd Memory", + "uid": "T1555.002" + }, + "version": "12.1" + } + ], + "category_name": "System Activity", + "category_uid": 1, + "class_name": "Module Activity", + "class_uid": "1005", + "cloud": { + "account": { + "type": "AWS Account", + "type_id": "10" + } + }, + "device": { + "groups": [ + { + "name": "ev terminal meals", + "uid": "8b82bf64-61b8-11ee-a83f-0242ac110005" + }, + { + "name": "born lasting vitamins", + "privileges": [ + "sheets loading representative" + ], + "uid": "8b82c338-61b8-11ee-bf95-0242ac110005" + } + ], + "hw_info": { + "cpu_bits": 95, + "keyboard_info": { + "keyboard_subtype": 47 + } + }, + "hypervisor": "fundraising kerry peer", + "imei": "moderators sentence ordered", + "instance_uid": "8b82c98c-61b8-11ee-ac91-0242ac110005", + "interface_uid": "8b82d0da-61b8-11ee-b450-0242ac110005", + "modified_time": 1695272181548, + "network_interfaces": [ + { + "hostname": "lightbox.gov", + "ip": "81.2.69.142", + "mac": "57:15:98:E9:35:D3:B3:9A", + "name": "henderson treasures dv", + "type": "Tunnel", + "type_id": "4" + }, + { + "hostname": "horizon.biz", + "ip": "81.2.69.142", + "mac": "47:B8:F6:D1:B8:90:8C:7F", + "name": "forests designation entire", + "type": "fcc", + "type_id": "99", + "uid": "8b82b79e-61b8-11ee-a441-0242ac110005" + } + ], + "os": { + "country": "Cuba, Republic of", + "sp_ver": "3", + "type": "Android", + "type_id": "201" + }, + "region": "slight centers swimming", + "risk_level_id": "1", + "type_id": "99" + }, + "disposition": "Deleted", + "disposition_id": "5", + "malware": [ + { + "classification_ids": [ + "17", + "2" + ], + "classifications": [ + "ontario amsterdam archived", + "newfoundland norman eddie" + ], + "name": "generally insight ee", + "path": "jc possess fibre", + "provider": "singapore flexible casino" + }, + { + "classification_ids": [ + "16", + "5" + ], + "cves": [ + { + "created_time": 1695272181548, + "modified_time": 1695272181548, + "modified_time_dt": 
"2023-10-03T06:46:13.752477Z", + "type": "graphical acm salt", + "uid": "8b827964-61b8-11ee-822b-0242ac110005" + } + ], + "name": "illustrated lending requirements", + "path": "cho basket ul", + "provider": "goods fitting latter", + "uid": "8b8272c0-61b8-11ee-90e5-0242ac110005" + } + ], + "metadata": { + "log_name": "laboratory instance upon", + "logged_time": 1695272181548, + "original_time": "rights newly filled", + "product": { + "lang": "en", + "name": "improving consist portfolio", + "uid": "8b82a664-61b8-11ee-bb6e-0242ac110005", + "vendor_name": "completing watershed poor", + "version": "1.0.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "security_control" + ], + "version": "1.0.0" + }, + "module": { + "base_address": "daughters offshore thehun", + "file": { + "confidentiality": "Secret", + "confidentiality_id": "3", + "created_time_dt": "2023-10-03T06:46:13.753318Z", + "hashes": [ + { + "algorithm": "TLSH", + "algorithm_id": "6", + "value": "795F2AAA00B0D80F2A50C10902A141A3E0AFE3A4BCE0007F213C21994E6AE528B448F2C2F4BDF6C4E1D0AEA3B8396D40A4395AA9730A77E879848BDB750D6468" + }, + { + "algorithm": "CTPH", + "algorithm_id": "5", + "value": "B8C09AA4F584900FEA2DF3DAFBDAF9F0C6E76095BFDBCCF5F0F748D069D706526380A29574124164B0EDC1B56DD8342FC4BF70467A9B6024D999269A45E2A175" + } + ], + "product": { + "lang": "en", + "name": "traveling yea espn", + "uid": "8b82966a-61b8-11ee-81c7-0242ac110005", + "vendor_name": "manhattan better posts", + "version": "1.0.0" + }, + "type_id": "3" + }, + "load_type": "Non Standard", + "load_type_id": "2", + "start_address": "needs some limit" + }, + "severity": "minutes", + "status": "Unknown", + "status_id": "0", + "timezone_offset": 8, + "type_name": "Module Activity: Load", + "type_uid": "100501" + } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_system_activity_6.json b/OCSF/ocsf/tests/test_system_activity_6.json index 69c1fb31b..d70f23c77 100644 
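Review bot: The new expected output leaves the third level of process ancestry as an unparsed JSON string (the `"parent_process": "{\"cmd_line\": \"gang spring carlo\", ...` value inside `actor.process.parent_process`), so this fixture pins a parser that expands only two levels of `parent_process`; the `cmd_line`, `user` and `session` of every deeper ancestor stay opaque to field-based detection rules. If that depth cap is deliberate it should be documented next to the parser, e.g. `# parent_process is expanded two levels deep; deeper ancestors are kept as the raw JSON string`, otherwise the fixture is locking in a regression rather than testing for it. The new side also drops `time`, `severity_id` and `risk_level` while keeping `status_id` and `risk_level_id`, and the `cloud` object loses `provider`, `region` and `project_uid` — presumably because those are mapped outside the `ocsf.*` namespace, which is worth confirming against the fields definition before this expected output is accepted. The test_system_activity_6 hunk that follows shows the same nested-string shape but runs past this chunk.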
--- a/OCSF/ocsf/tests/test_system_activity_6.json
+++ b/OCSF/ocsf/tests/test_system_activity_6.json
@@ -28,6 +28,171 @@ "provider": "nu connector termination", "region": "lose activists occurred" }, - "ocsf": "{\"activity_id\": 5, \"activity_name\": \"Set User ID\", \"actor\": {\"process\": {\"cmd_line\": \"wrist teach engaging\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"2A9141F10042E65FE9B037DE88C913D5CB6420C809E4F70D77B0C1CD0DB599E0DA4CC22A8E772350CACDACD72722801EA7BEAAE4B6D79D3949E37DB3492F1892\"}, \"image\": {\"labels\": [\"beef\"], \"name\": \"janet flights pct\", \"tag\": \"reporter calculator population\", \"uid\": \"442ca5e8-61be-11ee-ac6f-0242ac110005\"}, \"name\": \"disabled underlying prerequisite\", \"runtime\": \"ntsc replacing emotional\", \"size\": 1294218177, \"uid\": \"442ca070-61be-11ee-b847-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T07:27:11.081059Z\", \"file\": {\"accessed_time_dt\": \"2023-10-03T07:27:11.051398Z\", \"attributes\": 71, \"hashes\": [{\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"DBC811458704E7331C9D9B3365E5DB08E8D9247CEDBE9F8FFED69606E0A5CE644230CB925F7AE8919137B51CE7E4797EC55533D10E6AF32B803BAB785848BD58\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"74900E05175C9BD82834F761CAE8D37E3190933ED2249C16508DB4053419EDAEE6ADD186BACD19C2AF5686BC9D15177A7960A70D7A385EB3E05AF555356368E6\"}], \"name\": \"game.crdownload\", \"parent_folder\": \"district moment specs/consolidation.mp3\", \"path\": \"district moment specs/consolidation.mp3/game.crdownload\", \"type\": \"Symbolic Link\", \"type_id\": 7, \"xattributes\": {}}, \"integrity\": \"Low\", \"integrity_id\": 2, \"name\": \"Woman\", \"namespace_pid\": 96, \"parent_process\": {\"cmd_line\": \"shopzilla signal shift\", \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Margurite Hester\", \"created_time_dt\": \"2023-10-03T07:27:11.052592Z\", \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": 
\"C87068358A2AF25FB6462D2E9D5CEE0C1B843771EE363E91B70497182AC6058683881C15DDFF011CE7CAAE6617D935F69F093E8BB488A880E8A559A8AC1073FA\"}], \"modified_time\": 1695272181548, \"name\": \"alice.cur\", \"parent_folder\": \"llc snap glossary/striking.cgi\", \"path\": \"llc snap glossary/striking.cgi/alice.cur\", \"security_descriptor\": \"kurt snowboard baby\", \"type\": \"Block Device\", \"type_id\": 4, \"xattributes\": {}}, \"integrity\": \"brush clinton bride\", \"name\": \"Undergraduate\", \"namespace_pid\": 81, \"parent_process\": {\"cmd_line\": \"growing howard error\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"77D19917CD3F9FDA9C5B453897F0829D1D94450C31CB6991090BF4B4F49578CF29BBBBA4AF270287F408F0B9D696F5C18C16366E5CDFFDB199FDFC3E2BF91A62\"}, \"name\": \"stand tumor previously\", \"network_driver\": \"receiver recommended governor\", \"size\": 61744955, \"uid\": \"442d84ae-61be-11ee-a35f-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessor\": {\"email_addr\": \"Alethea@fa.web\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"442d1b40-61be-11ee-8249-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T07:27:11.055203Z\", \"desc\": \"dynamics dg islamic\", \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"4095391C7E3E04FF12C9AD2E6C49BD63DFE77E885ACAADD3B58A1D8895383044\"}], \"is_system\": false, \"name\": \"es.sql\", \"parent_folder\": \"sarah receivers appropriate/keen.cpl\", \"path\": \"sarah receivers appropriate/keen.cpl/es.sql\", \"type\": \"Regular File\", \"type_id\": 1}, \"loaded_modules\": [\"/instantly/lazy/quickly/junk/relates.gadget\", \"/gentle/sen/bridge/brochure/county.cbr\"], \"name\": \"Danger\", \"namespace_pid\": 25, \"parent_process\": {\"cmd_line\": \"fox breathing excluded\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"34BF8F4BFD5096DFE4AD7B1FC397EE225004242E\"}, \"image\": {\"name\": 
\"ou false horn\", \"tag\": \"widely concerns ranger\", \"uid\": \"442e7aa8-61be-11ee-92c0-0242ac110005\"}, \"name\": \"obtained thompson wait\", \"orchestrator\": \"cingular grow causing\", \"size\": 1304039495, \"uid\": \"442e74ae-61be-11ee-bee1-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Tamara Porsha\", \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"EA326FE8119ACC03CB82276431BF6120811A2EE778F15E25088100D62EF8410FAD0B948395B7204152892B06C76A6405752FE2115D4B22CAF5461B8DA8D74966\"}], \"modifier\": {\"account\": {\"name\": \"me tagged lang\", \"type\": \"AWS IAM Role\", \"type_id\": 4, \"uid\": \"442e5168-61be-11ee-a406-0242ac110005\"}, \"email_addr\": \"Zona@partners.mil\", \"name\": \"Victory\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"442e4920-61be-11ee-ab85-0242ac110005\"}, \"name\": \"wishlist.fnt\", \"owner\": {\"name\": \"Proof\", \"type\": \"genius\", \"type_id\": 99, \"uid\": \"442e1d74-61be-11ee-ac9e-0242ac110005\"}, \"parent_folder\": \"bouquet bibliography pull/dumb.mov\", \"path\": \"bouquet bibliography pull/dumb.mov/wishlist.fnt\", \"product\": {\"lang\": \"en\", \"name\": \"written em fujitsu\", \"uid\": \"442e6324-61be-11ee-9f29-0242ac110005\", \"vendor_name\": \"sounds di inquiry\", \"version\": \"1.0.0\"}, \"type\": \"Regular File\", \"type_id\": 1}, \"integrity\": \"races parcel generating\", \"name\": \"Virtue\", \"namespace_pid\": 54, \"parent_process\": {\"cmd_line\": \"operations expanded ht\", \"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"27D94D1C177AA8E0E6E8A4F5ECAB104598CD2B62F27D3A26FCDC87A6AA7398BFD85771D86723FEDB24EC75CA439D57127989FB397C1F07F53B35533563BA3274\"}, \"image\": {\"labels\": [\"amplifier\"], \"name\": \"weird sep allowing\", \"uid\": \"442efa14-61be-11ee-8abf-0242ac110005\"}, \"name\": \"victor civic segments\", \"size\": 2232172986, \"uid\": \"442ef1ea-61be-11ee-870d-0242ac110005\"}, \"created_time\": 
1695272181548, \"created_time_dt\": \"2023-10-03T07:27:11.081016Z\", \"file\": {\"accessed_time\": 1695272181548, \"attributes\": 99, \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"is_system\": true, \"modified_time_dt\": \"2023-10-03T07:27:11.064617Z\", \"name\": \"conceptual.py\", \"parent_folder\": \"impression finance trader/fragrances.sql\", \"path\": \"impression finance trader/fragrances.sql/conceptual.py\", \"security_descriptor\": \"ni easter snapshot\", \"signature\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"6B70FC8DC165E533CBF2BCD7C70701DE3B3E114D\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"FCC3C0E1B16A999DE463D9C657DCA7E366719DE7E84E9C4EC1E41B0E744F649955B9E844AD173EBB3075A18E757DAF50733546203C86FB3209652FC0FB80534C\"}], \"issuer\": \"enterprise game humanitarian\", \"serial_number\": \"grad newest earlier\", \"subject\": \"jumping experts visitors\", \"version\": \"1.0.0\"}, \"digest\": {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"46A80AC3F38096FE6828377277FC50B39BB0C646F94FC178876749ADE0DA96DE\"}}, \"type\": \"Named Pipe\", \"type_id\": 6}, \"name\": \"Kai\", \"namespace_pid\": 74, \"parent_process\": {\"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"C4802F4F55FE24BE9AF5F053E8719A9BC77381D625A0D27A35201C772CFD324009461ABCAC4A120286B98C707400807BB9DF7CFB3AA2C3BBF04EBB41E2AD07B3\"}, \"image\": {\"labels\": [\"hourly\"], \"name\": \"struct wind included\", \"uid\": \"442f39ca-61be-11ee-9840-0242ac110005\"}, \"name\": \"irish paid ga\", \"runtime\": \"meetings imported nutrition\", \"size\": 706306619, \"uid\": \"442f19c2-61be-11ee-851e-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessed_time\": 1695272181548, \"created_time\": 1695272181548, \"hashes\": [{\"algorithm\": 
\"MD5\", \"algorithm_id\": 1, \"value\": \"F10EEB0D89F01824C27418121C62436F\"}, {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"B883D1D4320E98F7DE7D6913D7C3DF5503FB17747CCE5EBD6F3384A41414FF8D\"}], \"name\": \"rage.ics\", \"parent_folder\": \"slide sensitivity milton/dsc.kml\", \"path\": \"slide sensitivity milton/dsc.kml/rage.ics\", \"type\": \"Regular File\", \"type_id\": 1, \"xattributes\": {}}, \"name\": \"Industries\", \"namespace_pid\": 46, \"parent_process\": {\"cmd_line\": \"directive rico hs\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"FE9E27DD7BF526B57D69D3BD9FAC33DC\"}, \"image\": {\"name\": \"inappropriate burden hoped\", \"uid\": \"442f9c62-61be-11ee-81fa-0242ac110005\"}, \"name\": \"depot lanes mai\", \"size\": 4170062018, \"uid\": \"442f976c-61be-11ee-8026-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"desc\": \"parking hazards hunter\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"1FE380DD618981AF242E43F459760A9F0C89B6D74E1C7544A298FBA160545A4F047CFFB754779F8EAD083609F87AB1EF4DE7D3630EDA324A5052064685D8A814\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"27D3F37EB6F68FBB9EDC408AAFC6035EF463633CB1D425DD737C0AD4F6A2442EE5857F1FD9BB49C0A3030802642A48CB4AADBAFC7B20B82DE18144D2E360B551\"}], \"is_system\": true, \"modified_time\": 1695272181548, \"name\": \"nextel.dat\", \"parent_folder\": \"exhibitions grad folks/lonely.yuv\", \"path\": \"exhibitions grad folks/lonely.yuv/nextel.dat\", \"type\": \"Unknown\", \"type_id\": 0}, \"name\": \"Employed\", \"namespace_pid\": 5, \"parent_process\": {\"cmd_line\": \"portfolio syracuse zinc\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"E9264147B413746293E539868C8EDFF71715E1E3\"}, \"image\": {\"uid\": \"442fe870-61be-11ee-8322-0242ac110005\"}, \"name\": \"extremely bridges jane\", \"pod_uuid\": \"save\", \"size\": 2170520292, \"tag\": \"magnificent nerve 
ethnic\", \"uid\": \"442fe3ca-61be-11ee-ac04-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessor\": {\"credential_uid\": \"442fb5ee-61be-11ee-a469-0242ac110005\", \"email_addr\": \"Almeda@representations.biz\", \"name\": \"Bailey\", \"org\": {\"name\": \"nova identification paul\", \"ou_name\": \"honors tattoo australian\", \"uid\": \"442fb1a2-61be-11ee-9fd5-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": \"442fac66-61be-11ee-b373-0242ac110005\"}, \"attributes\": 28, \"company_name\": \"Chery Hunter\", \"created_time\": 1695272181548, \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"2E5106CC0168994B4FE52AC9F67394250EE7504DB2DB5DE3CE0AC0A6E01DFA01\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"37A8A4AF49E5E20E61CF73D569C93D3F839D333C98BADE757EC2C5093C969DBEBC2707A0A2C9B4709FB6986E18991E93BA14C3CC2799E6153B1BEA132224F02B\"}], \"mime_type\": \"finish/councils\", \"modified_time\": 1695272181548, \"name\": \"centered.txt\", \"parent_folder\": \"patrol considers alternative/bargains.xlr\", \"path\": \"patrol considers alternative/bargains.xlr/centered.txt\", \"size\": 724911628, \"type\": \"Unknown\", \"type_id\": 0}, \"namespace_pid\": 10, \"parent_process\": {\"cmd_line\": \"easter anaheim introductory\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"A63B60EEA4665F00EDDB1E2A8FECCFEA7634F795\"}, \"image\": {\"name\": \"jonathan calculation incomplete\", \"uid\": \"4430194e-61be-11ee-a776-0242ac110005\"}, \"name\": \"clone sic tight\", \"size\": 3536383459, \"uid\": \"443013cc-61be-11ee-a273-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"desc\": \"supporters billy surgeon\", \"hashes\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"220358975ACF552AE828178DC72009FA5342AB5C33895C6E9E5048EF5BD044736C17B29683CD4CD82D017C7D963FB9AE740735C6D31E956B42C4A45F803F6EDA\"}], \"modified_time_dt\": \"2023-10-03T07:27:11.074123Z\", 
\"modifier\": {\"type\": \"System\", \"type_id\": 3, \"uid\": \"442ff8e2-61be-11ee-bc3b-0242ac110005\"}, \"name\": \"stats.cs\", \"parent_folder\": \"well vacations concrete/hamburg.vcf\", \"path\": \"well vacations concrete/hamburg.vcf/stats.cs\", \"product\": {\"lang\": \"en\", \"name\": \"rare musical oregon\", \"uid\": \"442ffee6-61be-11ee-b950-0242ac110005\", \"vendor_name\": \"moms scholarships pins\", \"version\": \"1.0.0\"}, \"security_descriptor\": \"dave manufacturing applicant\", \"size\": 3217957879, \"type\": \"Block Device\", \"type_id\": 4}, \"integrity\": \"guys document multimedia\", \"lineage\": [\"weight anytime gzip\", \"subcommittee milan reasonable\"], \"name\": \"Flags\", \"namespace_pid\": 4, \"parent_process\": {\"cmd_line\": \"robinson hunter anne\", \"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"4B4AACD68CE2D5C32C8437FC88E56923FA0DDADFEA6532D34FA536A344FDD0F482CB0159A5237950B31A7F3D097FED596515444734A2DF56CF7D38A74DCA94D7\"}, \"image\": {\"name\": \"mistake baseball jordan\", \"uid\": \"4430571a-61be-11ee-8c37-0242ac110005\"}, \"name\": \"magnificent capabilities ideal\", \"size\": 3127592961, \"uid\": \"44305030-61be-11ee-b7e4-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Archie Lesley\", \"created_time\": 1695272181548, \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"F7EDAF3282DAFB609C7D421B786486F127371E76\"}], \"name\": \"fioricet.lnk\", \"owner\": {\"email_addr\": \"Elise@starts.museum\", \"name\": \"Vid\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"44302a6a-61be-11ee-b70a-0242ac110005\", \"uid_alt\": \"supplied epic spas\"}, \"security_descriptor\": \"believes airlines granted\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"44302f24-61be-11ee-99d3-0242ac110005\"}, \"integrity\": \"reality\", \"integrity_id\": 99, \"loaded_modules\": [\"/timing/norm/crime/apollo/pollution.dwg\"], \"name\": \"Vat\", \"namespace_pid\": 41, 
\"parent_process\": {\"cmd_line\": \"territories year excluded\", \"created_time\": 1695272181548, \"file\": {\"confidentiality\": \"Not Confidential\", \"confidentiality_id\": 1, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"ADCAA40050F92C2A48474F33D6E697529CA1D0BD1FCC6D553290E4655C5F0BA7FAB42B475667A0C8EAD38187E3AFBE5AC9C7F3A68C87167BCF01080031CE50FB\"}, {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"D1F34CA31A773B2BDD48DB8EC34E2B88EA9746B72EB845256BE259CA7D5D9E5F\"}], \"name\": \"ts.exe\", \"owner\": {\"credential_uid\": \"44306ef8-61be-11ee-b8fd-0242ac110005\", \"domain\": \"andale museum reality\", \"name\": \"Commander\", \"type\": \"motherboard\", \"type_id\": 99, \"uid\": \"44306aca-61be-11ee-be86-0242ac110005\", \"uid_alt\": \"verzeichnis prefer soccer\"}, \"type\": \"Regular File\", \"type_id\": 1, \"xattributes\": {}}, \"name\": \"Cart\", \"namespace_pid\": 51, \"parent_process\": {\"cmd_line\": \"suited pace informal\", \"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"6F4F28E68A201B8127A08D889356FCFA0C736B9FD1330596E58F7D1669820A151705235B2F41C93CE5159EC808FE328BCED0BBC02E6C20382443EBB5ACDD6023\"}, \"name\": \"elegant rankings wild\", \"network_driver\": \"what belgium used\", \"orchestrator\": \"everyone ho alternative\", \"pod_uuid\": \"rocky\", \"size\": 2933994191, \"uid\": \"4430bf98-61be-11ee-b010-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Rosendo Grace\", \"confidentiality\": \"cut salt catch\", \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T07:27:11.078126Z\", \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"0F4CF4B2CE58DE3BF03D760DE38955BF246F80BAB6F81927F253AB5D9773EB75\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"647878B29B754A911F330D47137E3068A61F6185ED78B1AA43695E4A1D98607D\"}], \"name\": \"underwear.sdf\", \"parent_folder\": \"writer photoshop 
lane/st.sdf\", \"path\": \"writer photoshop lane/st.sdf/underwear.sdf\", \"type\": \"Named Pipe\", \"type_id\": 6, \"version\": \"1.0.0\"}, \"name\": \"Identical\", \"namespace_pid\": 66, \"parent_process\": {\"cmd_line\": \"adolescent agreements wooden\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"6DBDD59AB542C91F19905B4D8672B5320DCBA285\"}, \"name\": \"sparc memphis paid\", \"orchestrator\": \"workstation opening cambridge\", \"pod_uuid\": \"rendering\", \"size\": 3567867280, \"tag\": \"agency ended lambda\", \"uid\": \"4430dfe6-61be-11ee-bbae-0242ac110005\"}, \"file\": {\"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"7F572F2B5A5DED4063EF1594729C97543A900961\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"D6CDFD95B6030B86B739AC2B7575BA411041446BFEF23DF7765EC4B470C9A5D2E182599FBA3C539E0EBEAF5E656A808285FED2455EB8F7E802ABD6245CB543FC\"}], \"modified_time\": 1695272181548, \"name\": \"space.js\", \"parent_folder\": \"cookbook dc effort/abc.pkg\", \"path\": \"cookbook dc effort/abc.pkg/space.js\", \"size\": 3135869827, \"type\": \"Regular File\", \"type_id\": 1, \"version\": \"1.0.0\"}, \"integrity\": \"podcasts owned how\", \"name\": \"Documentation\", \"namespace_pid\": 79, \"parent_process\": {\"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"4DA1DD452B8D517803494B5E00054136CCF55DF19FF70469451D438255FC03B1FA45BB3A48C03F49FCCE16708623DA0458F11C60EC6D10453E6D6AB6C6492E15\"}, \"name\": \"flex operational statistical\", \"orchestrator\": \"performed gadgets bank\", \"pod_uuid\": \"password\", \"uid\": \"4431094e-61be-11ee-a229-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessed_time_dt\": \"2023-10-03T07:27:11.080165Z\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"desc\": \"panic united modeling\", \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": 
\"9A5751D5ACECF26FF7EB2B33C144EFCE1C69FE9A\"}, {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"F803B26388365E33184D5CC145D868E1B8DF74D5\"}], \"is_system\": false, \"name\": \"xl.php\", \"parent_folder\": \"beneath among lands/resort.cbr\", \"path\": \"beneath among lands/resort.cbr/xl.php\", \"type\": \"Symbolic Link\", \"type_id\": 7, \"xattributes\": {}}, \"name\": \"Triangle\", \"namespace_pid\": 98, \"pid\": 76, \"tid\": 20, \"uid\": \"443103fe-61be-11ee-8306-0242ac110005\", \"user\": {\"groups\": [{\"name\": \"go prohibited oxford\", \"uid\": \"44310066-61be-11ee-99fb-0242ac110005\"}], \"org\": {\"name\": \"important analog unnecessary\", \"ou_name\": \"highlights douglas manufacturer\", \"uid\": \"4430faee-61be-11ee-b642-0242ac110005\"}, \"type\": \"System\", \"type_id\": 3, \"uid\": \"4430f40e-61be-11ee-86fe-0242ac110005\"}}, \"pid\": 70, \"uid\": \"4430d9d8-61be-11ee-a2ef-0242ac110005\", \"user\": {\"account\": {\"name\": \"pas jacob personals\", \"type\": \"GCP Account\", \"type_id\": 5, \"uid\": \"4430d578-61be-11ee-ab48-0242ac110005\"}, \"email_addr\": \"Charlette@anytime.jobs\", \"name\": \"Ser\", \"org\": {\"ou_name\": \"officials watches house\"}, \"type\": \"boom\", \"type_id\": 99}}, \"user\": {\"credential_uid\": \"4430b912-61be-11ee-8411-0242ac110005\", \"email_addr\": \"Ena@hearing.int\", \"name\": \"Spank\", \"org\": {\"name\": \"von reservoir moore\", \"ou_name\": \"photos nat eds\", \"ou_uid\": \"4430b502-61be-11ee-8f5b-0242ac110005\", \"uid\": \"4430adc8-61be-11ee-b4ba-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": \"4430a878-61be-11ee-af22-0242ac110005\"}}, \"pid\": 36, \"sandbox\": \"pendant funds intervals\", \"terminated_time_dt\": \"2023-10-03T07:27:11.080957Z\", \"uid\": \"44308c3a-61be-11ee-93fe-0242ac110005\", \"user\": {\"account\": {\"name\": \"hewlett then appendix\", \"type\": \"GCP Account\", \"type_id\": 5}, \"name\": \"Editorial\", \"org\": {\"name\": \"insulin identical prizes\", \"uid\": 
\"44308564-61be-11ee-abd1-0242ac110005\"}, \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"44307e70-61be-11ee-a962-0242ac110005\"}}, \"pid\": 10, \"session\": {\"created_time\": 1695272181548, \"is_remote\": true, \"issuer\": \"mediterranean provider something\", \"uid\": \"443043ec-61be-11ee-96c0-0242ac110005\"}, \"terminated_time_dt\": \"2023-10-03T07:27:11.080979Z\", \"user\": {\"credential_uid\": \"44303eba-61be-11ee-ab60-0242ac110005\", \"domain\": \"restaurants instead occurring\", \"full_name\": \"Margareta Elden\", \"name\": \"Candles\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"443039a6-61be-11ee-8f9f-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 12, \"sandbox\": \"earl manually converter\", \"uid\": \"44300e5e-61be-11ee-8332-0242ac110005\", \"user\": {\"name\": \"Rod\", \"type\": \"fiji\", \"type_id\": 99, \"uid\": \"44300a4e-61be-11ee-b6bc-0242ac110005\"}}, \"pid\": 4, \"session\": {\"created_time\": 1695272181548, \"is_remote\": false, \"issuer\": \"vacation obligation refused\", \"uid\": \"442fda56-61be-11ee-93d0-0242ac110005\"}, \"uid\": \"442fd27c-61be-11ee-bc32-0242ac110005\", \"user\": {\"account\": {\"name\": \"batman sprint established\", \"type\": \"Linux Account\", \"type_id\": 9}, \"groups\": [{\"name\": \"blackberry genetics dsc\", \"privileges\": [\"counter relocation association\", \"precise nurses satisfactory\"], \"uid\": \"442fc93a-61be-11ee-93e5-0242ac110005\"}, {\"name\": \"munich clothing commit\", \"uid\": \"442fcd54-61be-11ee-ab07-0242ac110005\"}], \"name\": \"Achieving\", \"org\": {\"ou_name\": \"drunk pt locations\", \"uid\": \"442fc408-61be-11ee-a83e-0242ac110005\"}, \"type\": \"System\", \"type_id\": 3, \"uid\": \"442fbf76-61be-11ee-b1ce-0242ac110005\"}}, \"pid\": 49, \"sandbox\": \"mexican broadway volleyball\", \"terminated_time_dt\": \"2023-10-03T07:27:11.081001Z\", \"tid\": 75, \"uid\": \"442f8fb0-61be-11ee-b4aa-0242ac110005\", \"user\": {\"credential_uid\": \"442f8c40-61be-11ee-858e-0242ac110005\", \"name\": 
\"Affiliation\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"442f881c-61be-11ee-8d6d-0242ac110005\"}}, \"pid\": 93, \"uid\": \"442f1314-61be-11ee-a9ee-0242ac110005\", \"user\": {\"name\": \"Earrings\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"442f0f18-61be-11ee-92c1-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 23, \"session\": {\"created_time\": 1695272181548, \"is_remote\": false, \"issuer\": \"robots places depression\", \"uid\": \"442ee7f4-61be-11ee-a967-0242ac110005\", \"uuid\": \"442eeb3c-61be-11ee-a179-0242ac110005\"}, \"uid\": \"442ee2d6-61be-11ee-ad3f-0242ac110005\", \"user\": {\"domain\": \"dubai sys drum\", \"groups\": [{\"name\": \"implications fred rent\", \"uid\": \"442ed976-61be-11ee-acb4-0242ac110005\"}, {\"type\": \"hundred suggesting radius\", \"uid\": \"442ede6c-61be-11ee-815a-0242ac110005\"}], \"name\": \"Da\", \"type\": \"ben\", \"type_id\": 99, \"uid\": \"442ed390-61be-11ee-902b-0242ac110005\", \"uid_alt\": \"documents harmony austria\"}}, \"pid\": 9, \"sandbox\": \"deep simply nn\", \"uid\": \"442e6b76-61be-11ee-ab8d-0242ac110005\", \"xattributes\": {}}, \"pid\": 27, \"sandbox\": \"repeat checked peace\", \"terminated_time_dt\": \"2023-10-03T07:27:11.081046Z\", \"uid\": \"442d4ee4-61be-11ee-a8b0-0242ac110005\", \"user\": {\"account\": {\"name\": \"allows country mineral\", \"type\": \"AWS IAM Role\", \"type_id\": 4, \"uid\": \"442d4a0c-61be-11ee-bd4c-0242ac110005\"}, \"email_addr\": \"Minta@active.biz\", \"name\": \"Strong\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"442d27de-61be-11ee-b498-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 18, \"sandbox\": \"rational girls corner\", \"tid\": 18, \"uid\": \"442d08c6-61be-11ee-9eea-0242ac110005\", \"user\": {\"type\": \"System\", \"type_id\": 3, \"uid\": \"442d0416-61be-11ee-8f5e-0242ac110005\"}}, \"pid\": 99, \"terminated_time_dt\": \"2023-10-03T07:27:11.081081Z\", \"uid\": \"442c9a58-61be-11ee-8992-0242ac110005\", \"user\": {\"account\": {\"name\": \"filled lunch 
processing\", \"type\": \"Windows Account\", \"type_id\": 2, \"uid\": \"442c96ac-61be-11ee-945c-0242ac110005\"}, \"name\": \"Laboratory\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"442c90bc-61be-11ee-8334-0242ac110005\"}}, \"user\": {\"credential_uid\": \"44311cae-61be-11ee-9f07-0242ac110005\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"4431189e-61be-11ee-bc71-0242ac110005\"}}, \"actual_permissions\": 48, \"attacks\": [{\"tactics\": [{\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}, {\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Accessibility Features\", \"uid\": \"T1546.008\"}, \"version\": \"12.1\"}, {\"tactics\": [{\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Web Shell\", \"uid\": \"T1100\"}, \"version\": \"12.1\"}], \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Process Activity\", \"class_uid\": 1007, \"cloud\": {\"provider\": \"nu connector termination\", \"region\": \"lose activists occurred\"}, \"device\": {\"hostname\": \"bags.coop\", \"hypervisor\": \"indianapolis finite serious\", \"interface_name\": \"officials janet subscribe\", \"interface_uid\": \"442a8a60-61be-11ee-b5e8-0242ac110005\", \"ip\": \"81.2.69.142\", \"last_seen_time\": 1695272181548, \"location\": {\"city\": \"Guidance marijuana\", \"continent\": \"North America\", \"coordinates\": [139.683, -39.2278], \"country\": \"AG\", \"desc\": \"Antigua and Barbuda\"}, \"modified_time_dt\": \"2023-10-03T07:27:11.038353Z\", \"name\": \"cholesterol republicans albert\", \"org\": {\"name\": \"answer intelligent artificial\", \"ou_name\": \"garlic glucose festival\"}, \"region\": \"argentina andy wyoming\", \"risk_score\": 44, \"type\": \"Virtual\", \"type_id\": 6, \"uid\": \"442a8524-61be-11ee-a4cc-0242ac110005\"}, 
\"disposition\": \"Unknown\", \"disposition_id\": 0, \"end_time\": 1695272181548, \"message\": \"walnut trucks alabama\", \"metadata\": {\"event_code\": \"paths\", \"log_provider\": \"gays consultation motivated\", \"logged_time\": 1695272181548, \"modified_time_dt\": \"2023-10-03T07:27:11.037636Z\", \"original_time\": \"bolt beds created\", \"processed_time_dt\": \"2023-10-03T07:27:11.037651Z\", \"product\": {\"lang\": \"en\", \"name\": \"rough cfr elephant\", \"uid\": \"442a6c38-61be-11ee-811a-0242ac110005\", \"url_string\": \"cl\", \"vendor_name\": \"turkey directors vacations\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"version\": \"1.0.0\"}, \"severity\": \"doctors\", \"severity_id\": 99, \"start_time\": 1695272181548, \"status\": \"vcr\", \"status_id\": 99, \"time\": 1695272181548, \"timezone_offset\": 75, \"type_name\": \"Process Activity: Set User ID\", \"type_uid\": 100705}" + "ocsf": { + "activity_id": 5, + "activity_name": "Set User ID", + "actor": { + "process": { + "container": { + "hash": { + "algorithm": "TLSH", + "algorithm_id": "6", + "value": "2A9141F10042E65FE9B037DE88C913D5CB6420C809E4F70D77B0C1CD0DB599E0DA4CC22A8E772350CACDACD72722801EA7BEAAE4B6D79D3949E37DB3492F1892" + }, + "image": { + "uid": "442ca5e8-61be-11ee-ac6f-0242ac110005" + }, + "size": 1294218177 + }, + "created_time_dt": "2023-10-03T07:27:11.081059Z", + "file": { + "accessed_time_dt": "2023-10-03T07:27:11.051398Z", + "attributes": 71, + "hashes": [ + { + "algorithm": "Unknown", + "algorithm_id": "0", + "value": "DBC811458704E7331C9D9B3365E5DB08E8D9247CEDBE9F8FFED69606E0A5CE644230CB925F7AE8919137B51CE7E4797EC55533D10E6AF32B803BAB785848BD58" + }, + { + "algorithm": "quickXorHash", + "algorithm_id": "7", + "value": "74900E05175C9BD82834F761CAE8D37E3190933ED2249C16508DB4053419EDAEE6ADD186BACD19C2AF5686BC9D15177A7960A70D7A385EB3E05AF555356368E6" + } + ], + "type_id": "7", + "xattributes": "{}" + }, + "integrity": 
"Low", + "integrity_id": "2", + "namespace_pid": 96, + "parent_process": { + "file": { + "company_name": "Margurite Hester", + "created_time_dt": "2023-10-03T07:27:11.052592Z", + "hashes": [ + { + "algorithm": "CTPH", + "algorithm_id": "5", + "value": "C87068358A2AF25FB6462D2E9D5CEE0C1B843771EE363E91B70497182AC6058683881C15DDFF011CE7CAAE6617D935F69F093E8BB488A880E8A559A8AC1073FA" + } + ], + "modified_time": 1695272181548, + "name": "alice.cur", + "parent_folder": "llc snap glossary/striking.cgi", + "path": "llc snap glossary/striking.cgi/alice.cur", + "security_descriptor": "kurt snowboard baby", + "type": "Block Device", + "type_id": "4", + "xattributes": "{}" + }, + "integrity": "brush clinton bride", + "namespace_pid": 81, + "parent_process": "{\"cmd_line\": \"growing howard error\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"77D19917CD3F9FDA9C5B453897F0829D1D94450C31CB6991090BF4B4F49578CF29BBBBA4AF270287F408F0B9D696F5C18C16366E5CDFFDB199FDFC3E2BF91A62\"}, \"name\": \"stand tumor previously\", \"network_driver\": \"receiver recommended governor\", \"size\": 61744955, \"uid\": \"442d84ae-61be-11ee-a35f-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessor\": {\"email_addr\": \"Alethea@fa.web\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"442d1b40-61be-11ee-8249-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T07:27:11.055203Z\", \"desc\": \"dynamics dg islamic\", \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"4095391C7E3E04FF12C9AD2E6C49BD63DFE77E885ACAADD3B58A1D8895383044\"}], \"is_system\": false, \"name\": \"es.sql\", \"parent_folder\": \"sarah receivers appropriate/keen.cpl\", \"path\": \"sarah receivers appropriate/keen.cpl/es.sql\", \"type\": \"Regular File\", \"type_id\": 1}, \"loaded_modules\": [\"/instantly/lazy/quickly/junk/relates.gadget\", \"/gentle/sen/bridge/brochure/county.cbr\"], \"name\": \"Danger\", \"namespace_pid\": 
25, \"parent_process\": {\"cmd_line\": \"fox breathing excluded\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"34BF8F4BFD5096DFE4AD7B1FC397EE225004242E\"}, \"image\": {\"name\": \"ou false horn\", \"tag\": \"widely concerns ranger\", \"uid\": \"442e7aa8-61be-11ee-92c0-0242ac110005\"}, \"name\": \"obtained thompson wait\", \"orchestrator\": \"cingular grow causing\", \"size\": 1304039495, \"uid\": \"442e74ae-61be-11ee-bee1-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Tamara Porsha\", \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"EA326FE8119ACC03CB82276431BF6120811A2EE778F15E25088100D62EF8410FAD0B948395B7204152892B06C76A6405752FE2115D4B22CAF5461B8DA8D74966\"}], \"modifier\": {\"account\": {\"name\": \"me tagged lang\", \"type\": \"AWS IAM Role\", \"type_id\": 4, \"uid\": \"442e5168-61be-11ee-a406-0242ac110005\"}, \"email_addr\": \"Zona@partners.mil\", \"name\": \"Victory\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"442e4920-61be-11ee-ab85-0242ac110005\"}, \"name\": \"wishlist.fnt\", \"owner\": {\"name\": \"Proof\", \"type\": \"genius\", \"type_id\": 99, \"uid\": \"442e1d74-61be-11ee-ac9e-0242ac110005\"}, \"parent_folder\": \"bouquet bibliography pull/dumb.mov\", \"path\": \"bouquet bibliography pull/dumb.mov/wishlist.fnt\", \"product\": {\"lang\": \"en\", \"name\": \"written em fujitsu\", \"uid\": \"442e6324-61be-11ee-9f29-0242ac110005\", \"vendor_name\": \"sounds di inquiry\", \"version\": \"1.0.0\"}, \"type\": \"Regular File\", \"type_id\": 1}, \"integrity\": \"races parcel generating\", \"name\": \"Virtue\", \"namespace_pid\": 54, \"parent_process\": {\"cmd_line\": \"operations expanded ht\", \"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"27D94D1C177AA8E0E6E8A4F5ECAB104598CD2B62F27D3A26FCDC87A6AA7398BFD85771D86723FEDB24EC75CA439D57127989FB397C1F07F53B35533563BA3274\"}, \"image\": {\"labels\": [\"amplifier\"], 
\"name\": \"weird sep allowing\", \"uid\": \"442efa14-61be-11ee-8abf-0242ac110005\"}, \"name\": \"victor civic segments\", \"size\": 2232172986, \"uid\": \"442ef1ea-61be-11ee-870d-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T07:27:11.081016Z\", \"file\": {\"accessed_time\": 1695272181548, \"attributes\": 99, \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"is_system\": true, \"modified_time_dt\": \"2023-10-03T07:27:11.064617Z\", \"name\": \"conceptual.py\", \"parent_folder\": \"impression finance trader/fragrances.sql\", \"path\": \"impression finance trader/fragrances.sql/conceptual.py\", \"security_descriptor\": \"ni easter snapshot\", \"signature\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"6B70FC8DC165E533CBF2BCD7C70701DE3B3E114D\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"FCC3C0E1B16A999DE463D9C657DCA7E366719DE7E84E9C4EC1E41B0E744F649955B9E844AD173EBB3075A18E757DAF50733546203C86FB3209652FC0FB80534C\"}], \"issuer\": \"enterprise game humanitarian\", \"serial_number\": \"grad newest earlier\", \"subject\": \"jumping experts visitors\", \"version\": \"1.0.0\"}, \"digest\": {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"46A80AC3F38096FE6828377277FC50B39BB0C646F94FC178876749ADE0DA96DE\"}}, \"type\": \"Named Pipe\", \"type_id\": 6}, \"name\": \"Kai\", \"namespace_pid\": 74, \"parent_process\": {\"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"C4802F4F55FE24BE9AF5F053E8719A9BC77381D625A0D27A35201C772CFD324009461ABCAC4A120286B98C707400807BB9DF7CFB3AA2C3BBF04EBB41E2AD07B3\"}, \"image\": {\"labels\": [\"hourly\"], \"name\": \"struct wind included\", \"uid\": \"442f39ca-61be-11ee-9840-0242ac110005\"}, \"name\": \"irish paid ga\", \"runtime\": \"meetings imported nutrition\", 
\"size\": 706306619, \"uid\": \"442f19c2-61be-11ee-851e-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessed_time\": 1695272181548, \"created_time\": 1695272181548, \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"F10EEB0D89F01824C27418121C62436F\"}, {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"B883D1D4320E98F7DE7D6913D7C3DF5503FB17747CCE5EBD6F3384A41414FF8D\"}], \"name\": \"rage.ics\", \"parent_folder\": \"slide sensitivity milton/dsc.kml\", \"path\": \"slide sensitivity milton/dsc.kml/rage.ics\", \"type\": \"Regular File\", \"type_id\": 1, \"xattributes\": {}}, \"name\": \"Industries\", \"namespace_pid\": 46, \"parent_process\": {\"cmd_line\": \"directive rico hs\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"FE9E27DD7BF526B57D69D3BD9FAC33DC\"}, \"image\": {\"name\": \"inappropriate burden hoped\", \"uid\": \"442f9c62-61be-11ee-81fa-0242ac110005\"}, \"name\": \"depot lanes mai\", \"size\": 4170062018, \"uid\": \"442f976c-61be-11ee-8026-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"desc\": \"parking hazards hunter\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"1FE380DD618981AF242E43F459760A9F0C89B6D74E1C7544A298FBA160545A4F047CFFB754779F8EAD083609F87AB1EF4DE7D3630EDA324A5052064685D8A814\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"27D3F37EB6F68FBB9EDC408AAFC6035EF463633CB1D425DD737C0AD4F6A2442EE5857F1FD9BB49C0A3030802642A48CB4AADBAFC7B20B82DE18144D2E360B551\"}], \"is_system\": true, \"modified_time\": 1695272181548, \"name\": \"nextel.dat\", \"parent_folder\": \"exhibitions grad folks/lonely.yuv\", \"path\": \"exhibitions grad folks/lonely.yuv/nextel.dat\", \"type\": \"Unknown\", \"type_id\": 0}, \"name\": \"Employed\", \"namespace_pid\": 5, \"parent_process\": {\"cmd_line\": \"portfolio syracuse zinc\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": 
\"E9264147B413746293E539868C8EDFF71715E1E3\"}, \"image\": {\"uid\": \"442fe870-61be-11ee-8322-0242ac110005\"}, \"name\": \"extremely bridges jane\", \"pod_uuid\": \"save\", \"size\": 2170520292, \"tag\": \"magnificent nerve ethnic\", \"uid\": \"442fe3ca-61be-11ee-ac04-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessor\": {\"credential_uid\": \"442fb5ee-61be-11ee-a469-0242ac110005\", \"email_addr\": \"Almeda@representations.biz\", \"name\": \"Bailey\", \"org\": {\"name\": \"nova identification paul\", \"ou_name\": \"honors tattoo australian\", \"uid\": \"442fb1a2-61be-11ee-9fd5-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": \"442fac66-61be-11ee-b373-0242ac110005\"}, \"attributes\": 28, \"company_name\": \"Chery Hunter\", \"created_time\": 1695272181548, \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"2E5106CC0168994B4FE52AC9F67394250EE7504DB2DB5DE3CE0AC0A6E01DFA01\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"37A8A4AF49E5E20E61CF73D569C93D3F839D333C98BADE757EC2C5093C969DBEBC2707A0A2C9B4709FB6986E18991E93BA14C3CC2799E6153B1BEA132224F02B\"}], \"mime_type\": \"finish/councils\", \"modified_time\": 1695272181548, \"name\": \"centered.txt\", \"parent_folder\": \"patrol considers alternative/bargains.xlr\", \"path\": \"patrol considers alternative/bargains.xlr/centered.txt\", \"size\": 724911628, \"type\": \"Unknown\", \"type_id\": 0}, \"namespace_pid\": 10, \"parent_process\": {\"cmd_line\": \"easter anaheim introductory\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"A63B60EEA4665F00EDDB1E2A8FECCFEA7634F795\"}, \"image\": {\"name\": \"jonathan calculation incomplete\", \"uid\": \"4430194e-61be-11ee-a776-0242ac110005\"}, \"name\": \"clone sic tight\", \"size\": 3536383459, \"uid\": \"443013cc-61be-11ee-a273-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"desc\": \"supporters billy surgeon\", \"hashes\": [{\"algorithm\": \"SHA-512\", 
\"algorithm_id\": 4, \"value\": \"220358975ACF552AE828178DC72009FA5342AB5C33895C6E9E5048EF5BD044736C17B29683CD4CD82D017C7D963FB9AE740735C6D31E956B42C4A45F803F6EDA\"}], \"modified_time_dt\": \"2023-10-03T07:27:11.074123Z\", \"modifier\": {\"type\": \"System\", \"type_id\": 3, \"uid\": \"442ff8e2-61be-11ee-bc3b-0242ac110005\"}, \"name\": \"stats.cs\", \"parent_folder\": \"well vacations concrete/hamburg.vcf\", \"path\": \"well vacations concrete/hamburg.vcf/stats.cs\", \"product\": {\"lang\": \"en\", \"name\": \"rare musical oregon\", \"uid\": \"442ffee6-61be-11ee-b950-0242ac110005\", \"vendor_name\": \"moms scholarships pins\", \"version\": \"1.0.0\"}, \"security_descriptor\": \"dave manufacturing applicant\", \"size\": 3217957879, \"type\": \"Block Device\", \"type_id\": 4}, \"integrity\": \"guys document multimedia\", \"lineage\": [\"weight anytime gzip\", \"subcommittee milan reasonable\"], \"name\": \"Flags\", \"namespace_pid\": 4, \"parent_process\": {\"cmd_line\": \"robinson hunter anne\", \"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"4B4AACD68CE2D5C32C8437FC88E56923FA0DDADFEA6532D34FA536A344FDD0F482CB0159A5237950B31A7F3D097FED596515444734A2DF56CF7D38A74DCA94D7\"}, \"image\": {\"name\": \"mistake baseball jordan\", \"uid\": \"4430571a-61be-11ee-8c37-0242ac110005\"}, \"name\": \"magnificent capabilities ideal\", \"size\": 3127592961, \"uid\": \"44305030-61be-11ee-b7e4-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Archie Lesley\", \"created_time\": 1695272181548, \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"F7EDAF3282DAFB609C7D421B786486F127371E76\"}], \"name\": \"fioricet.lnk\", \"owner\": {\"email_addr\": \"Elise@starts.museum\", \"name\": \"Vid\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"44302a6a-61be-11ee-b70a-0242ac110005\", \"uid_alt\": \"supplied epic spas\"}, \"security_descriptor\": \"believes airlines granted\", \"type\": \"Unknown\", 
\"type_id\": 0, \"uid\": \"44302f24-61be-11ee-99d3-0242ac110005\"}, \"integrity\": \"reality\", \"integrity_id\": 99, \"loaded_modules\": [\"/timing/norm/crime/apollo/pollution.dwg\"], \"name\": \"Vat\", \"namespace_pid\": 41, \"parent_process\": {\"cmd_line\": \"territories year excluded\", \"created_time\": 1695272181548, \"file\": {\"confidentiality\": \"Not Confidential\", \"confidentiality_id\": 1, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"ADCAA40050F92C2A48474F33D6E697529CA1D0BD1FCC6D553290E4655C5F0BA7FAB42B475667A0C8EAD38187E3AFBE5AC9C7F3A68C87167BCF01080031CE50FB\"}, {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"D1F34CA31A773B2BDD48DB8EC34E2B88EA9746B72EB845256BE259CA7D5D9E5F\"}], \"name\": \"ts.exe\", \"owner\": {\"credential_uid\": \"44306ef8-61be-11ee-b8fd-0242ac110005\", \"domain\": \"andale museum reality\", \"name\": \"Commander\", \"type\": \"motherboard\", \"type_id\": 99, \"uid\": \"44306aca-61be-11ee-be86-0242ac110005\", \"uid_alt\": \"verzeichnis prefer soccer\"}, \"type\": \"Regular File\", \"type_id\": 1, \"xattributes\": {}}, \"name\": \"Cart\", \"namespace_pid\": 51, \"parent_process\": {\"cmd_line\": \"suited pace informal\", \"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"6F4F28E68A201B8127A08D889356FCFA0C736B9FD1330596E58F7D1669820A151705235B2F41C93CE5159EC808FE328BCED0BBC02E6C20382443EBB5ACDD6023\"}, \"name\": \"elegant rankings wild\", \"network_driver\": \"what belgium used\", \"orchestrator\": \"everyone ho alternative\", \"pod_uuid\": \"rocky\", \"size\": 2933994191, \"uid\": \"4430bf98-61be-11ee-b010-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Rosendo Grace\", \"confidentiality\": \"cut salt catch\", \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T07:27:11.078126Z\", \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": 
\"0F4CF4B2CE58DE3BF03D760DE38955BF246F80BAB6F81927F253AB5D9773EB75\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"647878B29B754A911F330D47137E3068A61F6185ED78B1AA43695E4A1D98607D\"}], \"name\": \"underwear.sdf\", \"parent_folder\": \"writer photoshop lane/st.sdf\", \"path\": \"writer photoshop lane/st.sdf/underwear.sdf\", \"type\": \"Named Pipe\", \"type_id\": 6, \"version\": \"1.0.0\"}, \"name\": \"Identical\", \"namespace_pid\": 66, \"parent_process\": {\"cmd_line\": \"adolescent agreements wooden\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"6DBDD59AB542C91F19905B4D8672B5320DCBA285\"}, \"name\": \"sparc memphis paid\", \"orchestrator\": \"workstation opening cambridge\", \"pod_uuid\": \"rendering\", \"size\": 3567867280, \"tag\": \"agency ended lambda\", \"uid\": \"4430dfe6-61be-11ee-bbae-0242ac110005\"}, \"file\": {\"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"7F572F2B5A5DED4063EF1594729C97543A900961\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"D6CDFD95B6030B86B739AC2B7575BA411041446BFEF23DF7765EC4B470C9A5D2E182599FBA3C539E0EBEAF5E656A808285FED2455EB8F7E802ABD6245CB543FC\"}], \"modified_time\": 1695272181548, \"name\": \"space.js\", \"parent_folder\": \"cookbook dc effort/abc.pkg\", \"path\": \"cookbook dc effort/abc.pkg/space.js\", \"size\": 3135869827, \"type\": \"Regular File\", \"type_id\": 1, \"version\": \"1.0.0\"}, \"integrity\": \"podcasts owned how\", \"name\": \"Documentation\", \"namespace_pid\": 79, \"parent_process\": {\"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"4DA1DD452B8D517803494B5E00054136CCF55DF19FF70469451D438255FC03B1FA45BB3A48C03F49FCCE16708623DA0458F11C60EC6D10453E6D6AB6C6492E15\"}, \"name\": \"flex operational statistical\", \"orchestrator\": \"performed gadgets bank\", \"pod_uuid\": \"password\", \"uid\": \"4431094e-61be-11ee-a229-0242ac110005\"}, \"created_time\": 
1695272181548, \"file\": {\"accessed_time_dt\": \"2023-10-03T07:27:11.080165Z\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"desc\": \"panic united modeling\", \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"9A5751D5ACECF26FF7EB2B33C144EFCE1C69FE9A\"}, {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"F803B26388365E33184D5CC145D868E1B8DF74D5\"}], \"is_system\": false, \"name\": \"xl.php\", \"parent_folder\": \"beneath among lands/resort.cbr\", \"path\": \"beneath among lands/resort.cbr/xl.php\", \"type\": \"Symbolic Link\", \"type_id\": 7, \"xattributes\": {}}, \"name\": \"Triangle\", \"namespace_pid\": 98, \"pid\": 76, \"tid\": 20, \"uid\": \"443103fe-61be-11ee-8306-0242ac110005\", \"user\": {\"groups\": [{\"name\": \"go prohibited oxford\", \"uid\": \"44310066-61be-11ee-99fb-0242ac110005\"}], \"org\": {\"name\": \"important analog unnecessary\", \"ou_name\": \"highlights douglas manufacturer\", \"uid\": \"4430faee-61be-11ee-b642-0242ac110005\"}, \"type\": \"System\", \"type_id\": 3, \"uid\": \"4430f40e-61be-11ee-86fe-0242ac110005\"}}, \"pid\": 70, \"uid\": \"4430d9d8-61be-11ee-a2ef-0242ac110005\", \"user\": {\"account\": {\"name\": \"pas jacob personals\", \"type\": \"GCP Account\", \"type_id\": 5, \"uid\": \"4430d578-61be-11ee-ab48-0242ac110005\"}, \"email_addr\": \"Charlette@anytime.jobs\", \"name\": \"Ser\", \"org\": {\"ou_name\": \"officials watches house\"}, \"type\": \"boom\", \"type_id\": 99}}, \"user\": {\"credential_uid\": \"4430b912-61be-11ee-8411-0242ac110005\", \"email_addr\": \"Ena@hearing.int\", \"name\": \"Spank\", \"org\": {\"name\": \"von reservoir moore\", \"ou_name\": \"photos nat eds\", \"ou_uid\": \"4430b502-61be-11ee-8f5b-0242ac110005\", \"uid\": \"4430adc8-61be-11ee-b4ba-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": \"4430a878-61be-11ee-af22-0242ac110005\"}}, \"pid\": 36, \"sandbox\": \"pendant funds intervals\", \"terminated_time_dt\": \"2023-10-03T07:27:11.080957Z\", 
\"uid\": \"44308c3a-61be-11ee-93fe-0242ac110005\", \"user\": {\"account\": {\"name\": \"hewlett then appendix\", \"type\": \"GCP Account\", \"type_id\": 5}, \"name\": \"Editorial\", \"org\": {\"name\": \"insulin identical prizes\", \"uid\": \"44308564-61be-11ee-abd1-0242ac110005\"}, \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"44307e70-61be-11ee-a962-0242ac110005\"}}, \"pid\": 10, \"session\": {\"created_time\": 1695272181548, \"is_remote\": true, \"issuer\": \"mediterranean provider something\", \"uid\": \"443043ec-61be-11ee-96c0-0242ac110005\"}, \"terminated_time_dt\": \"2023-10-03T07:27:11.080979Z\", \"user\": {\"credential_uid\": \"44303eba-61be-11ee-ab60-0242ac110005\", \"domain\": \"restaurants instead occurring\", \"full_name\": \"Margareta Elden\", \"name\": \"Candles\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"443039a6-61be-11ee-8f9f-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 12, \"sandbox\": \"earl manually converter\", \"uid\": \"44300e5e-61be-11ee-8332-0242ac110005\", \"user\": {\"name\": \"Rod\", \"type\": \"fiji\", \"type_id\": 99, \"uid\": \"44300a4e-61be-11ee-b6bc-0242ac110005\"}}, \"pid\": 4, \"session\": {\"created_time\": 1695272181548, \"is_remote\": false, \"issuer\": \"vacation obligation refused\", \"uid\": \"442fda56-61be-11ee-93d0-0242ac110005\"}, \"uid\": \"442fd27c-61be-11ee-bc32-0242ac110005\", \"user\": {\"account\": {\"name\": \"batman sprint established\", \"type\": \"Linux Account\", \"type_id\": 9}, \"groups\": [{\"name\": \"blackberry genetics dsc\", \"privileges\": [\"counter relocation association\", \"precise nurses satisfactory\"], \"uid\": \"442fc93a-61be-11ee-93e5-0242ac110005\"}, {\"name\": \"munich clothing commit\", \"uid\": \"442fcd54-61be-11ee-ab07-0242ac110005\"}], \"name\": \"Achieving\", \"org\": {\"ou_name\": \"drunk pt locations\", \"uid\": \"442fc408-61be-11ee-a83e-0242ac110005\"}, \"type\": \"System\", \"type_id\": 3, \"uid\": \"442fbf76-61be-11ee-b1ce-0242ac110005\"}}, \"pid\": 49, \"sandbox\": 
\"mexican broadway volleyball\", \"terminated_time_dt\": \"2023-10-03T07:27:11.081001Z\", \"tid\": 75, \"uid\": \"442f8fb0-61be-11ee-b4aa-0242ac110005\", \"user\": {\"credential_uid\": \"442f8c40-61be-11ee-858e-0242ac110005\", \"name\": \"Affiliation\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"442f881c-61be-11ee-8d6d-0242ac110005\"}}, \"pid\": 93, \"uid\": \"442f1314-61be-11ee-a9ee-0242ac110005\", \"user\": {\"name\": \"Earrings\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"442f0f18-61be-11ee-92c1-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 23, \"session\": {\"created_time\": 1695272181548, \"is_remote\": false, \"issuer\": \"robots places depression\", \"uid\": \"442ee7f4-61be-11ee-a967-0242ac110005\", \"uuid\": \"442eeb3c-61be-11ee-a179-0242ac110005\"}, \"uid\": \"442ee2d6-61be-11ee-ad3f-0242ac110005\", \"user\": {\"domain\": \"dubai sys drum\", \"groups\": [{\"name\": \"implications fred rent\", \"uid\": \"442ed976-61be-11ee-acb4-0242ac110005\"}, {\"type\": \"hundred suggesting radius\", \"uid\": \"442ede6c-61be-11ee-815a-0242ac110005\"}], \"name\": \"Da\", \"type\": \"ben\", \"type_id\": 99, \"uid\": \"442ed390-61be-11ee-902b-0242ac110005\", \"uid_alt\": \"documents harmony austria\"}}, \"pid\": 9, \"sandbox\": \"deep simply nn\", \"uid\": \"442e6b76-61be-11ee-ab8d-0242ac110005\", \"xattributes\": {}}, \"pid\": 27, \"sandbox\": \"repeat checked peace\", \"terminated_time_dt\": \"2023-10-03T07:27:11.081046Z\", \"uid\": \"442d4ee4-61be-11ee-a8b0-0242ac110005\", \"user\": {\"account\": {\"name\": \"allows country mineral\", \"type\": \"AWS IAM Role\", \"type_id\": 4, \"uid\": \"442d4a0c-61be-11ee-bd4c-0242ac110005\"}, \"email_addr\": \"Minta@active.biz\", \"name\": \"Strong\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"442d27de-61be-11ee-b498-0242ac110005\"}, \"xattributes\": {}}", + "sandbox": "rational girls corner", + "user": { + "type": "System", + "type_id": "3" + } + }, + "terminated_time_dt": "2023-10-03T07:27:11.081081Z", + "user": { 
+ "account": { + "name": "filled lunch processing", + "type": "Windows Account", + "type_id": "2", + "uid": "442c96ac-61be-11ee-945c-0242ac110005" + }, + "type": "Unknown", + "type_id": "0" + } + }, + "user": { + "credential_uid": "44311cae-61be-11ee-9f07-0242ac110005", + "type": "System", + "type_id": "3" + } + }, + "actual_permissions": 48, + "attacks": [ + { + "tactics": [ + { + "name": "Exfiltration | The adversary is trying to steal data.", + "uid": "TA0010" + }, + { + "name": "Privilege Escalation | The adversary is trying to gain higher-level permissions.", + "uid": "TA0004" + } + ], + "technique": { + "name": "Accessibility Features", + "uid": "T1546.008" + }, + "version": "12.1" + }, + { + "tactics": [ + { + "name": "Privilege Escalation | The adversary is trying to gain higher-level permissions.", + "uid": "TA0004" + } + ], + "technique": { + "name": "Web Shell", + "uid": "T1100" + }, + "version": "12.1" + } + ], + "category_name": "System Activity", + "category_uid": 1, + "class_name": "Process Activity", + "class_uid": "1007", + "device": { + "hypervisor": "indianapolis finite serious", + "interface_name": "officials janet subscribe", + "interface_uid": "442a8a60-61be-11ee-b5e8-0242ac110005", + "last_seen_time": 1695272181548, + "modified_time_dt": "2023-10-03T07:27:11.038353Z", + "org": { + "name": "answer intelligent artificial", + "ou_name": "garlic glucose festival" + }, + "region": "argentina andy wyoming", + "type_id": "6" + }, + "disposition": "Unknown", + "disposition_id": "0", + "metadata": { + "logged_time": 1695272181548, + "modified_time_dt": "2023-10-03T07:27:11.037636Z", + "original_time": "bolt beds created", + "processed_time_dt": "2023-10-03T07:27:11.037651Z", + "product": { + "lang": "en", + "name": "rough cfr elephant", + "uid": "442a6c38-61be-11ee-811a-0242ac110005", + "url_string": "cl", + "vendor_name": "turkey directors vacations", + "version": "1.0.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + 
"security_control" + ], + "version": "1.0.0" + }, + "severity": "doctors", + "status": "vcr", + "status_id": "99", + "timezone_offset": 75, + "type_name": "Process Activity: Set User ID", + "type_uid": "100705" + } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_system_activity_7.json b/OCSF/ocsf/tests/test_system_activity_7.json index 59dc2fa6a..5720913a9 100644 --- a/OCSF/ocsf/tests/test_system_activity_7.json +++ b/OCSF/ocsf/tests/test_system_activity_7.json 
@@ -21,6 +21,116 @@ "provider": "trusts disclose snapshot", "region": "choose consolidated set" }, - "ocsf": "{\"activity_id\": 99, \"activity_name\": \"considerable\", \"attacks\": [{\"tactics\": [{\"name\": \"Execution The adversary is trying to run malicious code.\", \"uid\": \"TA0002\"}], \"technique\": {\"name\": \"Obtain Capabilities\", \"uid\": \"T1588\"}, \"version\": \"12.1\"}, {\"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}, {\"name\": \"Persistence The adversary is trying to maintain their foothold.\", \"uid\": \"TA0003\"}, {\"name\": \"Initial Access | The adversary is trying to get into your network.\", \"uid\": \"TA0001\"}], \"technique\": {\"name\": \"Cloud Instance Metadata API\", \"uid\": \"T1522\"}, \"version\": \"12.1\"}], \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Scheduled Job Activity\", \"class_uid\": 1006, \"cloud\": {\"org\": {\"name\": \"pf months already\", \"ou_name\": \"cry centers expense\", \"uid\": \"1d4398de-61bd-11ee-804b-0242ac110005\"}, \"provider\": \"trusts disclose snapshot\", \"region\": \"choose consolidated set\"}, \"device\": {\"first_seen_time\": 1695272181548, \"first_seen_time_dt\": \"2023-10-03T07:18:56.276163Z\", \"groups\": [{\"name\": \"summit torture accused\", \"uid\": \"1d43dac4-61bd-11ee-8157-0242ac110005\"}, {\"name\": \"silicon headline seniors\", \"uid\": \"1d43df06-61bd-11ee-884b-0242ac110005\"}], \"hostname\": \"paragraph.nato\", \"hypervisor\": \"listening genres rob\", \"imei\": \"seekers sue networks\", \"instance_uid\": \"1d440530-61bd-11ee-9a80-0242ac110005\", \"interface_name\": \"requiring showtimes only\", \"interface_uid\": \"1d440e68-61bd-11ee-9bc1-0242ac110005\", \"ip\": \"81.2.69.142\", \"os\": {\"name\": \"officially marks hook\", \"type\": \"iOS\", \"type_id\": 301}, \"region\": \"terms quarter premium\", \"type\": \"IOT\", \"type_id\": 7, \"uid\": 
\"1d440972-61bd-11ee-b78b-0242ac110005\"}, \"disposition\": \"Restored\", \"disposition_id\": 9, \"duration\": 4, \"message\": \"appeal verse adjacent\", \"metadata\": {\"extension\": {\"name\": \"attempt directed associate\", \"uid\": \"1d43b58a-61bd-11ee-811e-0242ac110005\", \"version\": \"1.0.0\"}, \"log_name\": \"external cadillac navy\", \"log_provider\": \"deadline emissions whilst\", \"original_time\": \"my northwest exhibitions\", \"product\": {\"lang\": \"en\", \"name\": \"gallery crude arc\", \"uid\": \"1d43be36-61bd-11ee-9314-0242ac110005\", \"url_string\": \"registrar\", \"vendor_name\": \"staffing steven textiles\", \"version\": \"1.0.0\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"uid\": \"1d43c2b4-61bd-11ee-814c-0242ac110005\", \"version\": \"1.0.0\"}, \"severity\": \"Low\", \"severity_id\": 2, \"status\": \"Failure\", \"status_code\": \"respond\", \"status_id\": 2, \"time\": 1695272181548, \"timezone_offset\": 87, \"type_name\": \"Scheduled Job Activity: Other\", \"type_uid\": 100699}" + "ocsf": { + "activity_id": 99, + "activity_name": "considerable", + "attacks": [ + { + "tactics": [ + { + "name": "Execution The adversary is trying to run malicious code.", + "uid": "TA0002" + } + ], + "technique": { + "name": "Obtain Capabilities", + "uid": "T1588" + }, + "version": "12.1" + }, + { + "tactics": [ + { + "name": "Collection | The adversary is trying to gather data of interest to their goal.", + "uid": "TA0009" + }, + { + "name": "Persistence The adversary is trying to maintain their foothold.", + "uid": "TA0003" + }, + { + "name": "Initial Access | The adversary is trying to get into your network.", + "uid": "TA0001" + } + ], + "technique": { + "name": "Cloud Instance Metadata API", + "uid": "T1522" + }, + "version": "12.1" + } + ], + "category_name": "System Activity", + "category_uid": 1, + "class_name": "Scheduled Job Activity", + "class_uid": "1006", + "cloud": { + "org": { + "name": "pf months 
already", + "ou_name": "cry centers expense", + "uid": "1d4398de-61bd-11ee-804b-0242ac110005" + } + }, + "device": { + "first_seen_time": 1695272181548, + "first_seen_time_dt": "2023-10-03T07:18:56.276163Z", + "groups": [ + { + "name": "summit torture accused", + "uid": "1d43dac4-61bd-11ee-8157-0242ac110005" + }, + { + "name": "silicon headline seniors", + "uid": "1d43df06-61bd-11ee-884b-0242ac110005" + } + ], + "hypervisor": "listening genres rob", + "imei": "seekers sue networks", + "instance_uid": "1d440530-61bd-11ee-9a80-0242ac110005", + "interface_name": "requiring showtimes only", + "interface_uid": "1d440e68-61bd-11ee-9bc1-0242ac110005", + "os": { + "type": "iOS", + "type_id": "301" + }, + "region": "terms quarter premium", + "type_id": "7" + }, + "disposition": "Restored", + "disposition_id": "9", + "duration": 4, + "metadata": { + "extension": { + "name": "attempt directed associate", + "uid": "1d43b58a-61bd-11ee-811e-0242ac110005", + "version": "1.0.0" + }, + "log_name": "external cadillac navy", + "original_time": "my northwest exhibitions", + "product": { + "lang": "en", + "name": "gallery crude arc", + "uid": "1d43be36-61bd-11ee-9314-0242ac110005", + "url_string": "registrar", + "vendor_name": "staffing steven textiles", + "version": "1.0.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "security_control" + ], + "version": "1.0.0" + }, + "severity": "Low", + "status": "Failure", + "status_code": "respond", + "status_id": "2", + "timezone_offset": 87, + "type_name": "Scheduled Job Activity: Other", + "type_uid": "100699" + } } } \ No newline at end of file From 74858897670ca6ed699a6b01bf359a7f847e3377 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 30 Jan 2024 18:04:12 +0200 Subject: [PATCH 09/34] Dump smart desc --- OCSF/ocsf/_meta/smart-descriptions.json | 387 +----------------------- 1 file changed, 2 insertions(+), 385 deletions(-) 
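Review bot: The expected output mixes representations for OCSF numeric identifiers: `class_uid`, both `type_id`s, `disposition_id`, `status_id` and `type_uid` become strings (`"class_uid": "1006"`, `"type_uid": "100699"`) while `activity_id`, `category_uid`, `duration` and `timezone_offset` stay integers, so fields of the same kind end up indexed two ways and the `fields.yml` types can only match one of them. Pick one representation for every `*_id`/`*_uid` field and make the fixture, the parser and `fields.yml` agree; the preceding fixture shows the same split (`"category_uid": 1` next to `"class_uid": "1007"`). Separately, `device.hostname`, `device.ip`, `device.uid`, `device.type`, `device.os.name`, `severity_id`, `time`, `message`, `metadata.uid` and `metadata.log_provider` from the raw event do not appear in the expected `ocsf` object; if they are mapped to ECS fields above this hunk that is fine, otherwise the fixture is locking in their loss. The enclosing JSON document starts before the hunk.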
diff --git a/OCSF/ocsf/_meta/smart-descriptions.json b/OCSF/ocsf/_meta/smart-descriptions.json index 011a09e1b..b76c35159 100644 --- a/OCSF/ocsf/_meta/smart-descriptions.json +++ b/OCSF/ocsf/_meta/smart-descriptions.json 
@@ -1,389 +1,6 @@ [ { - "value": "File System Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 1001 - } - ] - }, - { - "value": "Kernel Extension Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 1002 - } - ] - }, - { - "value": "Kernel Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 1003 - } - ] - }, - { - "value": "Memory Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 1004 - } - ] - }, - { - "value": "Module Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 1005 - } - ] - }, - { - "value": "Scheduled Job Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 1006 - } - ] - }, - { - "value": "Process Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 1007 - } - ] - }, - { - "value": "Security Finding", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 2001 - } - ] - }, - { - "value": "Vulnerability Finding", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 2002 - } - ] - }, - { - "value": "Compliance Finding", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 2003 - } - ] - }, - { - "value": "Detection Finding", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 2004 - } - ] - }, - { - "value": "Incident Finding", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 2005 - } - ] - }, - { - "value": "Account Change", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 3001 - } - ] - }, - { - "value": "Authentication", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 3002 - } - ] - }, - { - "value": "Authorize Session", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 3003 - } - ] - }, - { - "value": "Entity Management", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 3004 - } - ] - }, - { - "value": "User Access Management", - "conditions": [ - { - 
"field": "ocsf.category_uid", - "value": 3005 - } - ] - }, - { - "value": "Group Management", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 3006 - } - ] - }, - { - "value": "Network Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 4001 - } - ] - }, - { - "value": "HTTP Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 4002 - } - ] - }, - { - "value": "DNS Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 4003 - } - ] - }, - { - "value": "DHCP Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 4004 - } - ] - }, - { - "value": "RDP Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 4005 - } - ] - }, - { - "value": "SMB Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 4006 - } - ] - }, - { - "value": "SSH Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 4007 - } - ] - }, - { - "value": "FTP Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 4008 - } - ] - }, - { - "value": "Email Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 4009 - } - ] - }, - { - "value": "Network File Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 4010 - } - ] - }, - { - "value": "Email File Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 4011 - } - ] - }, - { - "value": "Email URL Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 4012 - } - ] - }, - { - "value": "NTP Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 4013 - } - ] - }, - { - "value": "Device Inventory Info", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 5001 - } - ] - }, - { - "value": "Device Config State", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 5002 - } - ] - }, - { - "value": "User Inventory Info", - "conditions": [ - { - 
"field": "ocsf.category_uid", - "value": 5003 - } - ] - }, - { - "value": "Operating System Patch State", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 5004 - } - ] - }, - { - "value": "Device Config State Change", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 5019 - } - ] - }, - { - "value": "Web Resources Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 6001 - } - ] - }, - { - "value": "Application Lifecycle", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 6002 - } - ] - }, - { - "value": "API Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 6003 - } - ] - }, - { - "value": "Web Resource Access Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 6004 - } - ] - }, - { - "value": "Datastore Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 6005 - } - ] - }, - { - "value": "File Hosting Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 6006 - } - ] - }, - { - "value": "Scan Activity", - "conditions": [ - { - "field": "ocsf.category_uid", - "value": 6007 - } - ] + "value": "{ocsf.class_name}", + "conditions": [{ "field": "ocsf.class_name" }] } ] From f6196daf3fb7e51637bada5a800a7f1ce17dc307 Mon Sep 17 00:00:00 2001 
From: lvoloshyn-sekoia Date: Wed, 31 Jan 2024 12:33:30 +0200 Subject: [PATCH 10/34] Fix parser --- OCSF/ocsf/ingest/parser.yml | 429 +++++++++--------- .../tests/test_application_activity_1.json | 67 ++- .../tests/test_application_activity_2.json | 17 +- .../tests/test_application_activity_3.json | 25 + OCSF/ocsf/tests/test_discovery_1.json | 30 ++ OCSF/ocsf/tests/test_discovery_2.json | 28 ++ OCSF/ocsf/tests/test_findings_1.json | 27 ++ OCSF/ocsf/tests/test_iam_1.json | 16 + OCSF/ocsf/tests/test_iam_2.json | 5 +- OCSF/ocsf/tests/test_iam_3.json | 24 + OCSF/ocsf/tests/test_iam_4.json | 19 +- OCSF/ocsf/tests/test_network_activity_1.json | 13 +- OCSF/ocsf/tests/test_network_activity_10.json | 66 ++- OCSF/ocsf/tests/test_network_activity_11.json | 49 +- OCSF/ocsf/tests/test_network_activity_12.json | 31 ++ OCSF/ocsf/tests/test_network_activity_2.json | 58 ++- OCSF/ocsf/tests/test_network_activity_3.json | 34 ++ OCSF/ocsf/tests/test_network_activity_4.json | 35 +- OCSF/ocsf/tests/test_network_activity_5.json | 81 +++- OCSF/ocsf/tests/test_network_activity_6.json | 65 ++- OCSF/ocsf/tests/test_network_activity_7.json | 23 +- OCSF/ocsf/tests/test_network_activity_8.json | 28 +- OCSF/ocsf/tests/test_network_activity_9.json | 38 ++ OCSF/ocsf/tests/test_system_activity_1.json | 82 +++- OCSF/ocsf/tests/test_system_activity_2.json | 75 +++ OCSF/ocsf/tests/test_system_activity_3.json | 103 +++++ OCSF/ocsf/tests/test_system_activity_4.json | 108 ++++- OCSF/ocsf/tests/test_system_activity_5.json | 117 ++++- OCSF/ocsf/tests/test_system_activity_6.json | 111 +++++ OCSF/ocsf/tests/test_system_activity_7.json | 39 +- 30 files changed, 1593 insertions(+), 250 deletions(-) diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml index 73ea968b6..87ac4b261 100644 --- a/OCSF/ocsf/ingest/parser.yml +++ b/OCSF/ocsf/ingest/parser.yml 
@@ -56,54 +56,6 @@ pipeline:
 output_field: datetime
 filter: "{{ parse_event.message.time != null and parse_event.message.time != '' }}"
- - name: parse_date_metadata_logged_time_dt
- external:
- name: date.parse
- properties:
- input_field: "{{ parse_event.message.metadata.logged_time_dt }}"
- output_field: datetime
- filter: "{{ parse_event.message.metadata.logged_time_dt != null and parse_event.message.metadata.logged_time_dt != '' }}"
-
- - name: parse_date_metadata_logged_time
- external:
- name: date.parse
- properties:
- input_field: "{{ parse_event.message.metadata.logged_time }}"
- output_field: datetime
- filter: "{{ parse_event.message.metadata.logged_time != null and parse_event.message.metadata.logged_time != '' }}"
-
- - name: parse_date_metadata_modified_time_dt
- external:
- name: date.parse
- properties:
- input_field: "{{ parse_event.message.metadata.modified_time_dt }}"
- output_field: datetime
- filter: "{{ parse_event.message.metadata.modified_time_dt != null and parse_event.message.metadata.modified_time_dt != '' }}"
-
- - name: parse_date_metadata_modified_time
- external:
- name: date.parse
- properties:
- input_field: "{{ parse_event.message.metadata.modified_time }}"
- output_field: datetime
- filter: "{{ parse_event.message.metadata.modified_time != null and parse_event.message.metadata.modified_time != '' }}"
-
- - name: parse_date_metadata_processed_time_dt
- external:
- name: date.parse
- properties:
- input_field: "{{ parse_event.message.metadata.processed_time_dt }}"
- output_field: datetime
- filter: "{{ parse_event.message.metadata.processed_time_dt != null and parse_event.message.metadata.processed_time_dt != '' }}"
-
- - name: parse_date_metadata_processed_time
- external:
- name: date.parse
- properties:
- input_field: "{{ parse_event.message.metadata.processed_time }}"
- output_field: datetime
- filter: "{{ parse_event.message.metadata.processed_time != null and parse_event.message.metadata.processed_time != '' }}"
-
 - name:
parse_date_start_time_dt
 external:
 name: date.parse
@@ -120,6 +72,7 @@ pipeline:
 output_field: datetime
 filter: "{{ parse_event.message.start_time != null and parse_event.message.start_time != '' }}"
+ - name: set_timestamp
 - name: set_event_kind
 - name: set_event_category
 - name: set_event_type
@@ -127,198 +80,128 @@ pipeline:
 - name: set_fields
 - name: pipeline_object_actor
- filter:
- "{{ parse_event.message.class_uid != null and parse_event.message.class_uid
- in ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','5001','5002','6001','6002','6003','6004']
- and parse_event.message.actor != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,3001,3002,3003,3004,3005,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,5001,5002,6001,6002,6003,6004] and parse_event.message.actor != null }}"
- # - name: pipeline_object_attack
- # filter: '{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,2001,4001,4002,4003,4005,4006,4007,4008,4009,4011,4012] and parse_event.message.attacks != null }}'
+ - name: pipeline_object_attack
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,2001,4001,4002,4003,4005,4006,4007,4008,4009,4011,4012] and parse_event.message.attacks != null }}"
 - name: pipeline_object_network_connection_info
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in ['4001','4002','4003','4005','4006','4007','4008'] and parse_event.message.connection_info != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [4001,4002,4003,4005,4006,4007,4008] and parse_event.message.connection_info != null }}"
 - name: pipeline_object_device
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4011','4012','5001','5002','6001','6002','6004'] and
parse_event.message.device != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,3001,3002,3003,3004,3005,4001,4002,4003,4004,4005,4006,4007,4008,4009,4011,4012,5001,5002,6001,6002,6004] and parse_event.message.device != null }}"
 - name: pipeline_object_http_request
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in ['3001','3002','4002','6003','6004'] and parse_event.message.http_request != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [3001,3002,4002,6003,6004] and parse_event.message.http_request != null }}"
 - name: pipeline_object_malware
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in ['2001','4001','4002','4003','4005','4006','4007','4008','4009','4011','4012'] and parse_event.message.malware != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [2001,4001,4002,4003,4005,4006,4007,4008,4009,4011,4012] and parse_event.message.malware != null }}"
 - name: pipeline_object_network_endpoint
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in ['3001','3002','3003','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','6001','6003','6004'] and parse_event.message.dst_endpoint != null or parse_event.message.src_endpoint != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [3001,3002,3003,3005,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,6001,6003,6004] and parse_event.message.dst_endpoint != null or parse_event.message.src_endpoint != null }}"
 - name: pipeline_object_process
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in ['1004','1007','2001'] and parse_event.message.process != null }}"
+ filter: "{{ parse_event.message.class_uid != null and
parse_event.message.class_uid in [1004,1007,2001] and parse_event.message.process != null }}"
 - name: pipeline_object_proxy
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in ['4001','4002','4003','4005','4006','4007','4008'] and parse_event.message.proxy != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [4001,4002,4003,4005,4006,4007,4008] and parse_event.message.proxy != null }}"
 - name: pipeline_object_tls
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in ['4001','4002','4003','4005','4006','4007','4008'] and parse_event.message.tls != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [4001,4002,4003,4005,4006,4007,4008] and parse_event.message.tls != null }}"
 - name: pipeline_object_traffic
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in ['4001','4002','4003','4005','4006','4007','4008'] and parse_event.message.traffic != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [4001,4002,4003,4005,4006,4007,4008] and parse_event.message.traffic != null }}"
 - name: pipeline_object_user
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in ['3001','3002','3003','3005','3006'] and parse_event.message.user != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [3001,3002,3003,3005,3006] and parse_event.message.user != null }}"
 - name: pipeline_object_file
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in ['1001','4006','4010','4011'] }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,4006,4010,4011] }}"
 - name: pipeline_object_system_activity_helper
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in
['1002','1005','1006'] }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1002,1005,1006] }}"
 - name: pipeline_category_system_activity
- filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == '1' }}"
+ filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == 1 }}"
 - name: pipeline_category_findings
- filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == '2' }}"
+ filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == 2 }}"
 - name: pipeline_category_identity_and_access_management
- filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == '3' }}"
+ filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == 3 }}"
 - name: pipeline_category_network_activity
- filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == '4' }}"
+ filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == 4 }}"
 - name: pipeline_category_application_activity
- filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == '6' }}"
+ filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == 6 }}"
 - name: pipeline_category_discovery
- filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == '5' }}"
+ filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == 5 }}"
 stages:
- set_event_kind:
+ set_timestamp:
 actions:
 - set:
- event.kind: "event"
- filter: "{{parse_event.message.class_uid in ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','5001','5002','6001','6002','6003','6004']}}"
+ "@timestamp": "{{
parse_date_time.datetime }}"
+ filter: "{{ parse_date_time.datetime != None }}"
 - set:
- event.kind: "alert"
- filter: "{{parse_event.message.class_uid == '2001'}}"
+ "@timestamp": "{{ parse_date_time_dt.datetime }}"
+ filter: "{{ parse_date_time_dt.datetime != None }}"
- set_event_category:
+ set_event_kind:
 actions:
 - set:
- event.category: ["malware"]
- filter: "{{parse_event.message.class_uid == 2001 and parse_event.message.malware != null}}"
-
- - set:
- event.category: ["vulnerability"]
- filter: "{{parse_event.message.class_uid == 2001 and parse_event.message.vulnerabilities != null}}"
-
- - set:
- event.category: ["iam"]
- filter: "{{parse_event.message.class_uid in [3001, 3005, 3006]}}"
-
- - set:
- event.category: ["authentication"]
- filter: "{{parse_event.message.class_uid == 3002}}"
-
- - set:
- event.category: ["session"]
- filter: "{{parse_event.message.class_uid == 3003}}"
-
- - set:
- event.category: ["network"]
- filter: "{{parse_event.message.class_uid in [4001, 4003, 4004, 4005, 4007, 4008, 4010]}}"
-
- - set:
- event.category: ["api"]
- filter: "{{parse_event.message.class_uid in [4002, 4006]}}"
-
- - set:
- event.category: ["file"]
- filter: "{{parse_event.message.class_uid in [1001, 4006, 4008, 4010, 4011]}}"
-
- - set:
- event.category: ["email"]
- filter: "{{parse_event.message.class_uid in [4009, 4011, 4012]}}"
-
- - set:
- event.category: ["web"]
- filter: "{{parse_event.message.class_uid in [6003, 6004]}}"
-
- - set:
- event.category: ["package"]
- filter: "{{parse_event.message.class_uid == 6002}}"
-
- - set:
- event.category: ["configuration"]
- filter: "{{parse_event.message.class_uid == 5002}}"
+ event.kind: "event"
+ filter: "{{parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,3001,3002,3003,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,5001,5002,6001,6002,6003,6004]}}"
 - set:
- event.category: ["driver"]
- filter: "{{parse_event.message.class_uid in [1002, 1003]}}"
+ event.kind: "alert"
+
filter: "{{parse_event.message.class_uid == 2001}}"
+ set_event_category:
+ actions:
 - set:
- event.category: ["process"]
- filter: "{{parse_event.message.class_uid == 1007}}"
+ event.category: >
+ [
+ {%- if parse_event.message.class_uid == 2001 and parse_event.message.malware != null -%}'malware',{%- endif -%}
+ {%- if parse_event.message.class_uid == 2001 and parse_event.message.vulnerabilities != null -%}'vulnerability',{%- endif -%}
+ {%- if parse_event.message.class_uid in [3001, 3005, 3006] -%}'iam',{%- endif -%}
+ {%- if parse_event.message.class_uid == 3002 -%}'authentication',{%- endif -%}
+ {%- if parse_event.message.class_uid == 3003 -%}'session',{%- endif -%}
+ {%- if parse_event.message.class_uid in [4001, 4003, 4004, 4005, 4007, 4008, 4010] -%}'network',{%- endif -%}
+ {%- if parse_event.message.class_uid in [4002, 4006] -%}'api',{%- endif -%}
+ {%- if parse_event.message.class_uid in [1001, 4006, 4008, 4010, 4011] -%}'file',{%- endif -%}
+ {%- if parse_event.message.class_uid in [4009, 4011, 4012] -%}'email',{%- endif -%}
+ {%- if parse_event.message.class_uid in [6003, 6004] -%}'web',{%- endif -%}
+ {%- if parse_event.message.class_uid == 6002 -%}'package',{%- endif -%}
+ {%- if parse_event.message.class_uid == 5002 -%}'configuration',{%- endif -%}
+ {%- if parse_event.message.class_uid in [1002, 1003] -%}'driver',{%- endif -%}
+ {%- if parse_event.message.class_uid == 1007 -%}'process',{%- endif -%}
+ ]
 set_event_type:
 actions:
 - set:
- event.type: ["info"]
- filter: "{{parse_event.message.class_uid in [1001,1002,1003,1007,2001,3001,3002,3003,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,5001,5002,6002,6003,6004]}}"
-
- - set:
- event.type: ["user"]
- filter: "{{parse_event.message.class_uid in [3001, 3006]}}"
-
- - set:
- event.type: ["group"]
- filter: "{{parse_event.message.class_uid in [3005]}}"
-
- - set:
- event.type: ["protocol"]
- filter: "{{parse_event.message.class_uid in [4003,4004,4005,4007,4008]}}"
-
- - set:
-
event.type: ["creation"] - filter: "{{parse_event.message.class_uid in [1001,3001,4006,5002] and parse_event.message.activity_name in ['Create','File Create','Log']}}" - - - set: - event.type: ["access"] - filter: "{{parse_event.message.class_uid in [1001,4006,4010,5002,6004] and parse_event.message.activity_name in ['Read','File Open','Preview','Open','Access Grant','Access Deny','Access Revoke','Access Error','Log']}}" - - - set: - event.type: ["deletion"] - filter: "{{parse_event.message.class_uid in [1001,3001,4010,6002] and parse_event.message.activity_name in ['Delete','Remove']}}" - - - set: - event.type: ["start"] - filter: "{{parse_event.message.class_uid in [1007,3002,4001,4007,6002] and parse_event.message.activity_name in ['Launch','Logon','Open','Start']}}" - - - set: - event.type: ["end"] - filter: "{{parse_event.message.class_uid in [1007,3002,4001,4007,6002] and parse_event.message.activity_name in ['Terminate','Logoff','Close','Stop']}}" - - - set: - event.type: ["denied"] - filter: "{{parse_event.message.class_uid in [4001, 4003, 4004, 4007] and parse_event.message.activity_name in ['Refuse','Decline']}}" - - - set: - event.type: ["allowed"] - filter: "{{parse_event.message.class_uid in [4004] and parse_event.message.activity_name in ['Ack']}}" - - - set: - event.type: ["change"] - filter: "{{parse_event.message.class_uid in [1001, 4006, 4010] and parse_event.message.activity_name in ['Update','File Supersede','File Overwrite','Update','Rename']}}" - - - set: - event.type: ["connection"] - filter: "{{parse_event.message.class_uid in [4005] and parse_event.message.activity_name in ['Connect Request','Connect Response']}}" - - - set: - event.type: ["installation"] - filter: "{{parse_event.message.class_uid in [6002] and parse_event.message.activity_name in ['Install']}}" - - - set: - event.type: ["error"] - filter: "{{parse_event.message.class_uid in [6004] and parse_event.message.activity_name in ['Access Error']}}" + event.type: > + [ + {%- if 
parse_event.message.class_uid in [1001,1002,1003,1007,2001,3001,3002,3003,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,5001,5002,6002,6003,6004] -%}'info',{%- endif -%}
+ {%- if parse_event.message.class_uid in [3001, 3006] -%}'user',{%- endif -%}
+ {%- if parse_event.message.class_uid in [3005] -%}'group',{%- endif -%}
+ {%- if parse_event.message.class_uid in [4003,4004,4005,4007,4008] -%}'protocol',{%- endif -%}
+ {%- if parse_event.message.class_uid in [1001,3001,4006,5002] and parse_event.message.activity_name in ['Create','File Create','Log'] -%}'creation',{%- endif -%}
+ {%- if parse_event.message.class_uid in [1001,4006,4010,5002,6004] and parse_event.message.activity_name in ['Read','File Open','Preview','Open','Access Grant','Access Deny','Access Revoke','Access Error','Log'] -%}'access',{%- endif -%}
+ {%- if parse_event.message.class_uid in [1001,3001,4010,6002] and parse_event.message.activity_name in ['Delete','Remove'] -%}'deletion',{%- endif -%}
+ {%- if parse_event.message.class_uid in [1007,3002,4001,4007,6002] and parse_event.message.activity_name in ['Launch','Logon','Open','Start'] -%}'start',{%- endif -%}
+ {%- if parse_event.message.class_uid in [1007,3002,4001,4007,6002] and parse_event.message.activity_name in ['Terminate','Logoff','Close','Stop'] -%}'end',{%- endif -%}
+ {%- if parse_event.message.class_uid in [4001, 4003, 4004, 4007] and parse_event.message.activity_name in ['Refuse','Decline'] -%}'denied',{%- endif -%}
+ {%- if parse_event.message.class_uid in [4004] and parse_event.message.activity_name in ['Ack'] -%}'allowed',{%- endif -%}
+ {%- if parse_event.message.class_uid in [1001, 4006, 4010] and parse_event.message.activity_name in ['Update','File Supersede','File Overwrite','Update','Rename'] -%}'change',{%- endif -%}
+ {%- if parse_event.message.class_uid in [4005] and parse_event.message.activity_name in ['Connect Request','Connect Response'] -%}'connection',{%- endif -%}
+ {%- if
parse_event.message.class_uid in [6002] and parse_event.message.activity_name in ['Install'] -%}'installation',{%- endif -%}
+ {%- if parse_event.message.class_uid in [6004] and parse_event.message.activity_name in ['Access Error'] -%}'error',{%- endif -%}
+ ]
 set_common_fields:
 actions:
@@ -333,7 +216,6 @@ stages:
 event.action: "{{parse_event.message.activity_name.lower().replace(': ', '-')}}"
 event.code: "{{parse_event.message.metadata.event_code}}"
 event.duration: "{{parse_event.message.duration * 1_000_000}}" # in nanoseconds
- # event.id: "{{parse_event.message.metadata.uid}}" # @todo we can't assign this. use custom field?
 event.provider: "{{parse_event.message.metadata.log_provider}}"
 event.sequence: "{{parse_event.message.metadata.sequence}}"
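Review bot: In the rewritten `pipeline_object_network_endpoint` filter the trailing `or parse_event.message.src_endpoint != null` is not parenthesised, so the expression evaluates as `(class_uid in [...] and dst_endpoint != null) or src_endpoint != null` and the class_uid gate is skipped for any event that carries a `src_endpoint`; the removed line had the same precedence, but the new line keeps it. Change the tail to `and (parse_event.message.dst_endpoint != null or parse_event.message.src_endpoint != null) }}"`. The new `set_timestamp` stage compares with `!= None` while every other filter in this file uses `!= null`; unless the engine treats the two differently, `null` keeps the file consistent. Its second `set` overwrites the first whenever both `parse_date_time` and `parse_date_time_dt` produced a value, which is presumably intended (the `_dt` form wins) but deserves a one-line comment such as `# time_dt takes precedence over time when both parse`.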
@@ -382,16 +264,16 @@ stages:
 - "{{ parse_event.message.actor.process.container.image.tag }}"
 filter: "{{ parse_event.message.actor.process.container.image.tag != null }}"
 - set:
- container.labels: "{{ parse_event.message.actor.process.container.image.labels }}"
+ container.labels: "{{ parse_event.message.actor.process.container.image.labels }}" # @todo should be a dict?
 orchestrator.type: "{{ parse_event.message.actor.process.container.orchestrator }}"
 container.name: "{{ parse_event.message.actor.process.container.name }}"
 container.runtime: "{{ parse_event.message.actor.process.container.runtime }}"
- file.accessed: "{{ parse_event.message.actor.process.file.accessed_time }}"
- file.created: "{{ parse_event.message.actor.process.file.created_time }}"
+ file.accessed: "{{ parse_event.message.actor.process.file.accessed_time | to_rfc3339 }}"
+ file.created: "{{ parse_event.message.actor.process.file.created_time | to_rfc3339 }}"
 file.directory: "{{ parse_event.message.actor.process.file.parent_folder }}"
 file.inode: "{{ parse_event.message.actor.process.file.uid }}"
 file.mime_type: "{{ parse_event.message.actor.process.file.mime_type }}"
- file.mtime: "{{ parse_event.message.actor.process.file.modified_time }}"
+ file.mtime: "{{ parse_event.message.actor.process.file.modified_time | to_rfc3339 }}"
 file.name: "{{ parse_event.message.actor.process.file.name }}"
 file.owner: "{{ parse_event.message.actor.process.file.owner.name }}"
 file.path: "{{ parse_event.message.actor.process.file.path }}"
@@ -399,12 +281,12 @@ stages:
 file.type: "{{ parse_event.message.actor.process.file.type }}"
 file.uid: "{{ parse_event.message.actor.process.file.owner.uid }}"
 file.x509.issuer.distinguished_name: "{{ parse_event.message.actor.process.file.signature.certificate.issuer }}"
- file.x509.not_after: "{{ parse_event.message.actor.process.file.signature.certificate.expiration_time }}"
+ file.x509.not_after: "{{ parse_event.message.actor.process.file.signature.certificate.expiration_time | to_rfc3339 }}"
 file.x509.serial_number: "{{ parse_event.message.actor.process.file.signature.certificate.serial_number }}"
 file.x509.subject.distinguished_name: "{{ parse_event.message.actor.process.file.signature.certificate.subject }}"
 file.x509.version_number: "{{ parse_event.message.actor.process.file.signature.certificate.version }}"
 process.command_line: "{{ parse_event.message.actor.process.cmd_line }}"
- process.end: "{{ parse_event.message.actor.process.terminated_time }}"
+ process.end: "{{ parse_event.message.actor.process.terminated_tim | to_rfc3339 }}"
 - set:
 process.group.id:
 - "{{ parse_event.message.actor.process.egid }}"
@@ -417,7 +299,7 @@ stages:
 process.group.name: "{{ parse_event.message.actor.process.group.name }}"
 process.name: "{{ parse_event.message.actor.process.name }}"
 process.pid: "{{ parse_event.message.actor.process.pid }}"
- process.start: "{{ parse_event.message.actor.process.created_time }}"
+ process.start: "{{ parse_event.message.actor.process.created_time | to_rfc3339 }}"
 process.thread.id: "{{ parse_event.message.actor.process.tid }}"
 process.entity_id: "{{ parse_event.message.actor.process.uid }}"
 process.user.domain: "{{ parse_event.message.actor.process.user.domain }}"
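Review bot: The new `process.end` line reads `parse_event.message.actor.process.terminated_tim`, a typo for `terminated_time` (the line it replaces and the equivalent `parse_event.message.process.terminated_time` mapping later in this diff both use the full name), so the actor's process end time is silently never set. Change it to `process.end: "{{ parse_event.message.actor.process.terminated_time | to_rfc3339 }}"`. The enclosing `- set:` block starts outside the hunk.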
@@ -431,6 +313,25 @@ stages:
 process.user.id:
 - "{{ parse_event.message.actor.process.user.uid }}"
 filter: "{{ parse_event.message.actor.process.user.uid != null }}"
+ - set:
+ process.user.group.id: >
+ [{%- for item in parse_event.message.actor.process.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}]
+
+ process.user.group.name: >
+ [{%- for item in parse_event.message.actor.process.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}]
+
+ user.group.id: >
+ [{%- for item in parse_event.message.actor.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}]
+
+ user.group.name: >
+ [{%- for item in parse_event.message.actor.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}]
+
+ process.parent.user.group.id: >
+ [{%- for item in parse_event.message.actor.process.parent_process.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}]
+
+ process.parent.user.group.name: >
+ [{%- for item in parse_event.message.actor.process.parent_process.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}]
+
 - set:
 process.user.name: "{{ parse_event.message.actor.process.user.name }}"
 user.domain: "{{ parse_event.message.actor.user.domain }}"
@@ -439,7 +340,7 @@ stages:
 user.id: "{{ parse_event.message.actor.user.uid }}"
 user.name: "{{ parse_event.message.actor.user.name }}"
 process.parent.command_line: "{{ parse_event.message.actor.process.parent_process.cmd_line }}"
- process.parent.end: "{{ parse_event.message.actor.process.parent_process.terminated_time }}"
+ process.parent.end: "{{ parse_event.message.actor.process.parent_process.terminated_time | to_rfc3339 }}"
 - set:
 process.parent.group.id:
 - "{{ parse_event.message.actor.process.parent_process.egid }}"
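Review bot: The new `process.user.group.id` / `.name` templates (and the same pattern for `user.group.*` and `process.parent.user.group.*` here, and again in the `pipeline_object_attack`, `pipeline_object_process`, `pipeline_object_tls` and `pipeline_object_user` hunks) splice event-supplied strings into a single-quoted list literal via `'{{item.name}}',`, so a group or technique name that itself contains a `'` produces a value the downstream parser cannot read, and such names are attacker-influenced in many of the OCSF sources this parser is meant to cover. The page does not show how the engine turns the rendered `[...]` into a list; if it is parsed as a literal, encode each element instead of quoting it by hand (Jinja's built-in `tojson` filter, if the engine exposes it: `{{ item.name | tojson }},`), or use whatever list-building filter the engine provides rather than string templating. A short comment on the first of these blocks, `# rendered as a list literal; element values must be escaped`, would make the contract visible to the next editor. The enclosing actions list starts and ends outside the hunk.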
@@ -452,7 +353,7 @@ stages:
 process.parent.group.name: "{{ parse_event.message.actor.process.parent_process.group.name }}"
 process.parent.name: "{{ parse_event.message.actor.process.parent_process.name }}"
 process.parent.pid: "{{ parse_event.message.actor.process.parent_process.pid }}"
- process.parent.start: "{{ parse_event.message.actor.process.parent_process.created_time }}"
+ process.parent.start: "{{ parse_event.message.actor.process.parent_process.created_time | to_rfc3339 }}"
 process.parent.thread.id: "{{ parse_event.message.actor.process.parent_process.tid }}"
 process.parent.entity_id: "{{ parse_event.message.actor.process.parent_process.uid }}"
 process.parent.user.domain: "{{ parse_event.message.actor.process.parent_process.user.domain }}"
@@ -469,6 +370,14 @@ stages:
 - set:
 process.parent.user.name: "{{ parse_event.message.actor.process.parent_process.user.name }}"
+ pipeline_object_attack:
+ actions:
+ - set:
+ threat.technique.name: >
+ [{%- for item in parse_event.message.attacks -%}{%- if item.technique.name -%}'{{item.technique.name}}',{%- endif -%}{%- endfor -%}]
+ threat.technique.id: >
+ [{%- for item in parse_event.message.attacks -%}{%- if item.technique.uid -%}'{{item.technique.uid}}',{%- endif -%}{%- endfor -%}]
+
 pipeline_object_network_connection_info:
 actions:
 - set:
@@ -501,19 +410,18 @@ stages:
 host.geo.city_name: "{{ parse_event.message.device.location.city }}"
 host.geo.continent_name: "{{ parse_event.message.device.location.continent }}"
 host.geo.country_iso_code: "{{ parse_event.message.device.location.country }}"
- host.geo.location: "{{ parse_event.message.device.location.coordinates }}"
+ host.geo.location.lon: "{{ parse_event.message.device.location.coordinates[0] }}"
+ host.geo.location.lat: "{{ parse_event.message.device.location.coordinates[1] }}"
 host.geo.name: "{{ parse_event.message.device.location.desc }}"
 host.geo.postal_code: "{{ parse_event.message.device.location.postal_code }}"
 host.geo.region_iso_code: "{{ parse_event.message.device.location.region }}"
 host.hostname: "{{ parse_event.message.device.hostname }}"
 host.id: "{{ parse_event.message.device.uid }}"
 - set:
- host.ip:
- - "{{ parse_event.message.device.ip }}"
+ host.ip: ["{{ parse_event.message.device.ip }}"]
 filter: "{{ parse_event.message.device.ip | is_ipaddress }}"
 - set:
- host.mac:
- - "{{ parse_event.message.device.mac }}"
+ host.mac: ["{{ parse_event.message.device.mac }}"]
 filter: "{{ parse_event.message.device.mac != null }}"
 - set:
 host.os.name: "{{ parse_event.message.device.os.name }}"
@@ -575,7 +483,8 @@ stages:
 - set:
 destination.geo.city_name: "{{ parse_event.message.dst_endpoint.location.city }}"
 destination.geo.continent_name: "{{ parse_event.message.dst_endpoint.location.continent }}"
- destination.geo.location: "{{ parse_event.message.dst_endpoint.location.coordinates }}"
+ destination.geo.location.lon: "{{ parse_event.message.dst_endpoint.location.coordinates[0] }}"
+ destination.geo.location.lat: "{{ parse_event.message.dst_endpoint.location.coordinates[1] }}"
 destination.geo.country_iso_code: "{{ parse_event.message.dst_endpoint.location.country }}"
 destination.geo.name: "{{ parse_event.message.dst_endpoint.location.desc }}"
 destination.geo.postal_code: "{{ parse_event.message.dst_endpoint.location.postal_code }}"
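Review bot: `host.geo.location.lon` / `.lat` now subscript `parse_event.message.device.location.coordinates[0]` / `[1]` inside a `set` that has no `filter`, whereas the neighbouring `host.ip` and `host.mac` sets are guarded; if the engine's undefined value does not tolerate indexing, or `coordinates` arrives with fewer than two elements, the whole set fails instead of leaving the two keys empty. Move the two keys into their own `- set:` guarded with `filter: "{{ parse_event.message.device.location.coordinates != null }}"` (a length check too, if the engine offers one). The `destination.geo.location.*` lines in the second hunk on this line have the same shape and want the same guard. OCSF documents `coordinates` as a GeoJSON longitude/latitude pair, so the `[0]`→lon, `[1]`→lat assignment itself is right.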
@@ -605,12 +514,12 @@ stages:
 orchestrator.type: "{{ parse_event.message.process.container.orchestrator }}"
 container.name: "{{ parse_event.message.process.container.name }}"
 container.runtime: "{{ parse_event.message.process.container.runtime }}"
- file.accessed: "{{ parse_event.message.process.file.accessed_time }}"
- file.created: "{{ parse_event.message.process.file.created_time }}"
+ file.accessed: "{{ parse_event.message.process.file.accessed_time | to_rfc3339 }}"
+ file.created: "{{ parse_event.message.process.file.created_time | to_rfc3339 }}"
 file.directory: "{{ parse_event.message.process.file.parent_folder }}"
 file.inode: "{{ parse_event.message.process.file.uid }}"
 file.mime_type: "{{ parse_event.message.process.file.mime_type }}"
- file.mtime: "{{ parse_event.message.process.file.modified_time }}"
+ file.mtime: "{{ parse_event.message.process.file.modified_time | to_rfc3339 }}"
 file.name: "{{ parse_event.message.process.file.name }}"
 file.owner: "{{ parse_event.message.process.file.owner.name }}"
 file.path: "{{ parse_event.message.process.file.path }}"
@@ -618,12 +527,12 @@ stages:
 file.type: "{{ parse_event.message.process.file.type }}"
 file.uid: "{{ parse_event.message.process.file.owner.uid }}"
 file.x509.issuer.distinguished_name: "{{ parse_event.message.process.file.signature.certificate.issuer }}"
- file.x509.not_after: "{{ parse_event.message.process.file.signature.certificate.expiration_time }}"
+ file.x509.not_after: "{{ parse_event.message.process.file.signature.certificate.expiration_time | to_rfc3339 }}"
 file.x509.serial_number: "{{ parse_event.message.process.file.signature.certificate.serial_number }}"
 file.x509.subject.distinguished_name: "{{ parse_event.message.process.file.signature.certificate.subject }}"
 file.x509.version_number: "{{ parse_event.message.process.file.signature.certificate.version }}"
 process.command_line: "{{ parse_event.message.process.cmd_line }}"
- process.end: "{{ parse_event.message.process.terminated_time }}"
+ process.end: "{{ parse_event.message.process.terminated_time | to_rfc3339 }}"
 - set:
 process.group.id:
 - "{{ parse_event.message.process.egid }}"
@@ -636,7 +545,7 @@ stages:
 process.group.name: "{{ parse_event.message.process.group.name }}"
 process.name: "{{ parse_event.message.process.name }}"
 process.pid: "{{ parse_event.message.process.pid }}"
- process.start: "{{ parse_event.message.process.created_time }}"
+ process.start: "{{ parse_event.message.process.created_time | to_rfc3339 }}"
 process.thread.id: "{{ parse_event.message.process.tid }}"
 process.entity_id: "{{ parse_event.message.process.uid }}"
 process.user.domain: "{{ parse_event.message.process.user.domain }}"
@@ -650,10 +559,16 @@ stages:
 process.user.id:
 - "{{ parse_event.message.process.user.uid }}"
 filter: "{{ parse_event.message.process.user.uid != null }}"
+ - set:
+ process.user.group.id: >
+ [{%- for item in parse_event.message.process.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}]
+ process.user.group.name: >
+ [{%- for item in parse_event.message.process.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}]
+
 - set:
 process.user.name: "{{ parse_event.message.process.user.name }}"
 process.parent.command_line: "{{ parse_event.message.process.parent_process.cmd_line }}"
- process.parent.end: "{{ parse_event.message.process.parent_process.terminated_time }}"
+ process.parent.end: "{{ parse_event.message.process.parent_process.terminated_time | to_rfc3339 }}"
 - set:
 process.parent.group.id:
 - "{{ parse_event.message.process.parent_process.egid }}"
@@ -666,7 +581,7 @@ stages:
 process.parent.group.name: "{{ parse_event.message.process.parent_process.group.name }}"
 process.parent.name: "{{ parse_event.message.process.parent_process.name }}"
 process.parent.pid: "{{ parse_event.message.process.parent_process.pid }}"
- process.parent.start: "{{ parse_event.message.process.parent_process.created_time }}"
+ process.parent.start: "{{ parse_event.message.process.parent_process.created_time | to_rfc3339 }}"
 process.parent.thread.id: "{{ parse_event.message.process.parent_process.tid }}"
 process.parent.entity_id: "{{ parse_event.message.process.parent_process.uid }}"
 process.parent.user.domain: "{{ parse_event.message.process.parent_process.user.domain }}"
@@ -682,6 +597,11 @@ stages:
 filter: "{{ parse_event.message.process.parent_process.user.uid != null }}"
 - set:
 process.parent.user.name: "{{ parse_event.message.process.parent_process.user.name }}"
+ - set:
+ process.parent.user.group.id: >
+ [{%- for item in parse_event.message.process.parent_process.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}]
+ process.parent.user.group.name: >
+ [{%- for item in parse_event.message.process.parent_process.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}]
 pipeline_object_proxy:
 actions: []
@@ -693,12 +613,18 @@ stages:
 tls.client.ja3: "{{ parse_event.message.tls.ja3_hash.value }}"
 tls.client.server_name: "{{ parse_event.message.tls.sni }}"
 tls.client.x509.issuer.distinguished_name: "{{ parse_event.message.tls.certificate.issuer }}"
- tls.client.x509.not_after: "{{ parse_event.message.tls.certificate.expiration_time }}"
+ tls.client.x509.not_after: "{{ parse_event.message.tls.certificate.expiration_time | to_rfc3339 }}"
 tls.client.x509.serial_number: "{{ parse_event.message.tls.certificate.serial_number }}"
 tls.client.x509.subject.distinguished_name: "{{ parse_event.message.tls.certificate.subject }}"
 tls.client.x509.version_number: "{{ parse_event.message.tls.certificate.version }}"
 tls.server.ja3s: "{{ parse_event.message.tls.ja3s_hash.value }}"
 tls.version: "{{ parse_event.message.tls.version }}"
+
+ - set:
+ tls.client.supported_ciphers: "{{ parse_event.message.tls.client_ciphers }}"
+ tls.client.x509.alternative_names: >
+ [{% for item in parse_event.message.tls.sans %}'{{item.name}}',{% endfor %}]
+
 pipeline_object_traffic:
 actions:
 - set:
@@ -708,6 +634,7 @@ stages:
 source.packets: "{{ parse_event.message.traffic.packets_out }}"
 network.bytes: "{{ parse_event.message.traffic.bytes }}"
 network.packets: "{{ parse_event.message.traffic.packets }}"
+
 pipeline_object_user:
 actions:
 - set:
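Review bot: The new `tls.client.x509.alternative_names` template in the second hunk on this line uses plain `{% for %}` / `{% endfor %}` without the `-` whitespace control and without the `{%- if item.name -%}` guard that every other list template in this commit uses (the `process.*.user.group.*` ones, for instance), so a SAN entry without a `name` renders as an empty `'',` element and the surrounding whitespace differs from its siblings. Bring it in line with the rest: `[{%- for item in parse_event.message.tls.sans -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}]`. `tls.client.supported_ciphers` is rendered with a bare `{{ ... }}` of what is presumably an OCSF array; whether that yields a list or its string representation depends on the engine, which the page does not show, so it is worth a test fixture with more than one cipher.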
@@ -717,15 +644,22 @@ stages: user.target.id: "{{ parse_event.message.user.uid }}" user.target.name: "{{ parse_event.message.user.name }}" + - set: + user.target.group.id: > + [{%- for item in parse_event.message.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}] + + user.target.group.name: > + [{%- for item in parse_event.message.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}] + pipeline_object_file: actions: - set: - file.accessed: "{{ parse_event.message.file.accessed_time }}" - file.created: "{{ parse_event.message.file.created_time }}" + file.accessed: "{{ parse_event.message.file.accessed_time | to_rfc3339 }}" + file.created: "{{ parse_event.message.file.created_time | to_rfc3339 }}" file.directory: "{{ parse_event.message.file.parent_folder }}" file.inode: "{{ parse_event.message.file.uid }}" file.mime_type: "{{ parse_event.message.file.mime_type }}" - file.mtime: "{{ parse_event.message.file.modified_time }}" + file.mtime: "{{ parse_event.message.file.modified_time | to_rfc3339 }}" file.name: "{{ parse_event.message.file.name }}" file.owner: "{{ parse_event.message.file.owner.name }}" file.path: "{{ parse_event.message.file.path }}" @@ -733,7 +667,7 @@ stages: file.type: "{{ parse_event.message.file.type }}" file.uid: "{{ parse_event.message.file.owner.uid }}" file.x509.issuer.distinguished_name: "{{ parse_event.message.file.signature.certificate.issuer }}" - file.x509.not_after: "{{ parse_event.message.file.signature.certificate.expiration_time }}" + file.x509.not_after: "{{ parse_event.message.file.signature.certificate.expiration_time | to_rfc3339 }}" file.x509.serial_number: "{{ parse_event.message.file.signature.certificate.serial_number }}" file.x509.subject.distinguished_name: "{{ parse_event.message.file.signature.certificate.subject }}" file.x509.version_number: "{{ parse_event.message.file.signature.certificate.version }}" 
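Review bot: The new `user.target.group.id` / `user.target.group.name` set action runs unconditionally, so every event with a `user` but no `groups` now carries `group: {id: [], name: []}` — the updated iam and network_activity fixtures in this commit show exactly this — which adds noise to every user-bearing document. The neighbouring set actions in this file gate on the input being present (e.g. `filter: "{{ parse_event.message.process.user.uid != null }}"`), and the same guard belongs here: `filter: "{{ parse_event.message.user.groups != null }}"`. The enclosing `pipeline_object_user` block starts before this hunk.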
@@ -741,12 +675,12 @@ stages: pipeline_object_system_activity_helper: actions: - set: - file.accessed: "{{ parse_event.message.job.file.accessed_time }}" - file.created: "{{ parse_event.message.job.file.created_time }}" + file.accessed: "{{ parse_event.message.job.file.accessed_time | to_rfc3339 }}" + file.created: "{{ parse_event.message.job.file.created_time | to_rfc3339 }}" file.directory: "{{ parse_event.message.job.file.parent_folder }}" file.inode: "{{ parse_event.message.job.file.uid }}" file.mime_type: "{{ parse_event.message.job.file.mime_type }}" - file.mtime: "{{ parse_event.message.job.file.modified_time }}" + file.mtime: "{{ parse_event.message.job.file.modified_time | to_rfc3339 }}" file.name: "{{ parse_event.message.job.file.name }}" file.owner: "{{ parse_event.message.job.file.owner.name }}" file.path: "{{ parse_event.message.job.file.path }}" @@ -754,7 +688,7 @@ stages: file.type: "{{ parse_event.message.job.file.type }}" file.uid: "{{ parse_event.message.job.file.owner.uid }}" file.x509.issuer.distinguished_name: "{{ parse_event.message.job.file.signature.certificate.issuer }}" - file.x509.not_after: "{{ parse_event.message.job.file.signature.certificate.expiration_time }}" + file.x509.not_after: "{{ parse_event.message.job.file.signature.certificate.expiration_time | to_rfc3339 }}" file.x509.serial_number: "{{ parse_event.message.job.file.signature.certificate.serial_number }}" file.x509.subject.distinguished_name: "{{ parse_event.message.job.file.signature.certificate.subject }}" file.x509.version_number: "{{ parse_event.message.job.file.signature.certificate.version }}" 
@@ -769,12 +703,33 @@ stages: user.target.name: "{{ parse_event.message.job.user.name }}" process.exit_code: "{{ parse_event.message.exit_code }}" + - set: + user.target.group.id: > + [{%- for item in parse_event.message.job.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}] + + user.target.group.name: > + [{%- for item in parse_event.message.job.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}] + pipeline_category_findings: actions: - set: event.reference: "{{ parse_event.message.finding.src_url }}" event.risk_score: "{{ parse_event.message.risk_score }}" + - set: + vulnerability.id: > + [{%- for item in parse_event.message.vulnerabilities -%}'{{item.cve.uid}}',{%- endfor -%}] + vulnerability.score.version: > + [{%- for item in parse_event.message.vulnerabilities -%}'{{item.cve.cvss.version}}',{%- endfor -%}] + vulnerability.description: > + [{%- for item in parse_event.message.vulnerabilities -%}'{{item.desc}}',{%- endfor -%}] + vulnerability.score.base: > + [{%- for item in parse_event.message.vulnerabilities -%}'{{item.cve.cvss.base_score}}',{%- endfor -%}] + vulnerability.severity: > + [{%- for item in parse_event.message.vulnerabilities -%}'{{item.severity}}',{%- endfor -%}] + vulnerability.scanner.vendor: > + [{%- for item in parse_event.message.vulnerabilities -%}'{{item.vendor_name}}',{%- endfor -%}] + pipeline_category_identity_and_access_management: actions: - set: 
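Review bot: The `vulnerabilities` loops have no `{% if %}` guard, so an entry without `desc` or `severity` yields an empty `''` element — `test_findings_1.json` in this same commit pins `"description": [""]` and `"severity": [""]` as expected output. More seriously, `vulnerability.description` wraps free-text CVE descriptions in single quotes; real descriptions routinely contain apostrophes (`doesn't`), which will corrupt the generated list literal for the whole event. Prefer an escaped form such as `vulnerability.description: "{{ parse_event.message.vulnerabilities | map(attribute='desc') | select | list | tojson }}"` if the engine exposes Jinja2's builtin filters, or at least guard each element as the group loops do. Note that guarding drops elements and so breaks index alignment between `vulnerability.id`, `vulnerability.severity` and the rest; if alignment matters, keep every element and escape instead.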
@@ -789,14 +744,30 @@ stages: group.name: "{{ parse_event.message.group.name }}" group.id: "{{ parse_event.message.group.uid }}" + - set: + user.changes.group.id: > + [{%- for item in parse_event.message.user_result.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}] + + user.changes.group.name: > + [{%- for item in parse_event.message.user_result.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}] + pipeline_category_network_activity: actions: - set: dns.question.name: "{{ parse_event.message.query.hostname }}" - set: - dns.id: - - "{{ parse_event.message.query.packet_uid }}" - filter: "{{ parse_event.message.query.packet_uid != null }}" + dns.id: > + [ + {%- for item in parse_event.message.answers -%}{% if item.packed_uid %}'{{item.packet_uid}}',{% endif %}{%- endfor -%} + {% if parse_event.message.query.packet_uid != null %}'{{ parse_event.message.query.packet_uid }}'{% endif %} + ] + dns.answers.class: > + [{%- for item in parse_event.message.answers -%}{%- if item.class -%}'{{item.class}}',{%- endif -%}{%- endfor -%}] + dns.answers.type: > + [{%- for item in parse_event.message.answers -%}{%- if item.type -%}'{{item.type}}',{%- endif -%}{%- endfor -%}] + dns.answers.ttl: > + [{%- for item in parse_event.message.answers -%}{%- if item.ttl -%}'{{item.ttl}}',{%- endif -%}{%- endfor -%}] + filter: "{{ parse_event.message.answers != null }}" - set: dns.question.class: - "{{ parse_event.message.query.class }}" 
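Review bot: `dns.id` never includes the answer packet ids: the guard tests `item.packed_uid` while the value rendered is `item.packet_uid`, so the condition is always false; it should read `{% if item.packet_uid %}'{{item.packet_uid}}',{% endif %}`. Separately, `{%- if item.ttl -%}` is a truthiness test, so a legitimate `ttl: 0` is dropped and `dns.answers.ttl` falls out of step with `dns.answers.class` / `dns.answers.type`; `{%- if item.ttl is not none -%}` keeps it. When `query.packet_uid` is null the `dns.id` literal also ends in a trailing comma, as do all the other loops, which is only safe if the literal parser tolerates it — worth a one-line comment so the next maintainer does not "fix" it.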
@@ -841,17 +812,27 @@ stages: url.subdomain: "{{ parse_event.message.url.subdomain }}" url.original: "{{ parse_event.message.url.url_string }}" - set: - email.attachments.file.size: "{{ parse_event.message.file.size }}" # @TODO fix with foreach + email.attachments.file.size: "{{ parse_event.message.file.size }}" filter: "{{ parse_event.message.file.size != null }}" - set: - email.attachments.file.name: "{{ parse_event.message.file.name }}" # @TODO fix with foreach + email.attachments.file.name: "{{ parse_event.message.file.name }}" filter: "{{ parse_event.message.file.name != null }}" + pipeline_category_application_activity: actions: + - set: + package.description: > + [{%- for item in parse_event.message.web_resources -%}{%- if item.desc -%}'{{item.desc}}',{%- endif -%}{%- endfor -%}] + package.name: > + [{%- for item in parse_event.message.web_resources -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}] + package.type: > + [{%- for item in parse_event.message.web_resources -%}{%- if item.type -%}'{{item.type}}',{%- endif -%}{%- endfor -%}] + - set: http.response.status_code: "{{ parse_event.message.http_response.code }}" http.response.body.bytes: "{{ parse_event.message.http_response.length }}" http.response.body.content: "{{ parse_event.message.http_response.message }}" + pipeline_category_discovery: actions: - set: diff --git a/OCSF/ocsf/tests/test_application_activity_1.json b/OCSF/ocsf/tests/test_application_activity_1.json index 1dd8be1e3..189df2114 100644 --- a/OCSF/ocsf/tests/test_application_activity_1.json +++ b/OCSF/ocsf/tests/test_application_activity_1.json 
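Review bot: Mapping OCSF `web_resources[].name/desc/type` onto ECS `package.*` is a semantic stretch: ECS `package` describes installed software packages, so detection content keyed on `package.name` would start matching arbitrary web-resource names from Web Resources Activity events. If no better ECS home exists, at least record the decision next to the action, e.g. `# web_resources has no ECS equivalent; name/desc/type are mapped onto package.* by convention`, so rule authors know what to expect. The `set` actions at the top of this hunk belong to a block that starts before it.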
@@ -16,18 +16,45 @@ "web" ], "code": "edward", + "kind": "event", "outcome": "unknown", "provider": "copper protective inexpensive", "sequence": 20, "severity": 4, "start": "2023-09-21T06:42:26.634761Z", "type": [ - "error" + "access", + "error", + "info" ] }, + "@timestamp": "2023-09-21T06:27:59.358000Z", "cloud": { "provider": "speeches mail lack" }, + "host": { + "hostname": "chuck.int", + "id": "072de986-584a-11ee-b258-0242ac110005", + "ip": [ + "81.2.69.142" + ], + "name": "chuck.int", + "type": "IOT" + }, + "http": { + "request": { + "id": "072e083a-584a-11ee-9892-0242ac110005", + "method": "GET" + }, + "response": { + "body": { + "bytes": 40, + "content": "message regarding htp response" + }, + "status_code": 22 + }, + "version": "1.0.0" + }, "ocsf": { "activity_id": 4, "activity_name": "Access Error", @@ -113,6 +140,44 @@ "url_string": "devil" } ] + }, + "package": { + "description": [ + "pleased won coverage" + ], + "name": [ + "ghost formats res" + ], + "type": [ + "package type" + ] + }, + "related": { + "hosts": [ + "chuck.int", + "congress.nato" + ], + "ip": [ + "81.2.69.142" + ] + }, + "url": { + "domain": "congress.nato", + "original": "daily", + "path": "container profiles content", + "port": 51670, + "query": "pads palestinian already", + "scheme": "metallica races fears" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "webpage assets adams", + "os": { + "name": "Other" + } } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_application_activity_2.json b/OCSF/ocsf/tests/test_application_activity_2.json index 7b3534d18..62cc35b86 100644 --- a/OCSF/ocsf/tests/test_application_activity_2.json +++ b/OCSF/ocsf/tests/test_application_activity_2.json 
@@ -12,12 +12,16 @@ "message": "{\"message\": \"washington like safari\", \"status\": \"Failure\", \"time\": 1695277679358, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"eligible scenes worm\", \"version\": \"1.0.0\", \"uid\": \"f6508420-520e-11ee-adcc-0242ac110004\", \"feature\": {\"name\": \"australia cup bios\", \"version\": \"1.0.0\", \"uid\": \"f6508bfa-520e-11ee-b54c-0242ac110004\"}, \"lang\": \"en\", \"vendor_name\": \"fix complicated accreditation\"}, \"sequence\": 78, \"profiles\": [], \"log_name\": \"ur bother bearing\", \"log_provider\": \"performs elevation fox\", \"log_version\": \"three maritime cowboy\", \"logged_time\": 1695277679358, \"original_time\": \"moore genetic symbols\", \"processed_time\": 1695277679358}, \"start_time\": 1695277679358, \"severity\": \"Unknown\", \"type_name\": \"Web Resources Activity: Create\", \"category_name\": \"Application Activity\", \"timezone_offset\": 83, \"activity_id\": 1, \"class_uid\": 6001, \"type_uid\": 600101, \"category_uid\": 6, \"class_name\": \"Web Resources Activity\", \"activity_name\": \"Create\", \"severity_id\": 0, \"src_endpoint\": {\"name\": \"leasing imperial toner\", \"port\": 31790, \"domain\": \"hawaii unfortunately copying\", \"ip\": \"81.2.69.142\", \"hostname\": \"saudi.int\", \"uid\": \"f650994c-520e-11ee-a9f4-0242ac110004\", \"instance_uid\": \"f6509d0c-520e-11ee-9e6b-0242ac110004\", \"interface_name\": \"somewhere mentor crm\", \"interface_uid\": \"f650a3f6-520e-11ee-882f-0242ac110004\", \"intermediate_ips\": [\"81.2.69.142\", \"81.2.69.143\"], \"svc_name\": \"sheets horror trader\", \"vlan_uid\": \"f650a8a6-520e-11ee-b961-0242ac110004\"}, \"status_detail\": \"only zone its\", \"status_id\": 2, \"web_resources\": [{\"data\": {\"discretion\": \"fhbds\"}, \"desc\": \"Description of web resource\", \"name\": \"concept navigator constitution\", \"type\": \"fundamental previous ty\", \"url_string\": \"past\"}], \"web_resources_result\": [{\"type\": \"prediction sunglasses 
rounds\", \"uid\": \"f65072d2-520e-11ee-9b9a-0242ac110004\", \"url_string\": \"military\"}, {\"data\": {\"protect\": \"rfvfd\"}, \"url_string\": \"association\"}]}", "event": { "action": "create", + "category": [], + "kind": "event", "outcome": "failure", "provider": "performs elevation fox", "sequence": 78, "severity": 0, - "start": "2023-09-21T06:27:59.358000Z" + "start": "2023-09-21T06:27:59.358000Z", + "type": [] }, + "@timestamp": "2023-09-21T06:27:59.358000Z", "network": { "application": "sheets horror trader" }, @@ -89,6 +93,17 @@ } ] }, + "package": { + "description": [ + "Description of web resource" + ], + "name": [ + "concept navigator constitution" + ], + "type": [ + "fundamental previous ty" + ] + }, "related": { "hosts": [ "saudi.int" diff --git a/OCSF/ocsf/tests/test_application_activity_3.json b/OCSF/ocsf/tests/test_application_activity_3.json index a7c5c8a3e..08386def7 100644 --- a/OCSF/ocsf/tests/test_application_activity_3.json +++ b/OCSF/ocsf/tests/test_application_activity_3.json @@ -15,6 +15,7 @@ "category": [ "package" ], + "kind": "event", "outcome": "success", "provider": "jurisdiction protecting witness", "severity": 6, @@ -23,6 +24,7 @@ "info" ] }, + "@timestamp": "2023-09-21T06:27:59.358000Z", "cloud": { "account": { "id": "65194d7c-584c-11ee-8857-0242ac110005" @@ -30,6 +32,16 @@ "provider": "infrared delayed visiting", "region": "initial lucia designer" }, + "host": { + "domain": "allied had insulation", + "hostname": "zinc.biz", + "id": "651987a6-584c-11ee-ad31-0242ac110005", + "ip": [ + "81.2.69.142" + ], + "name": "zinc.biz", + "type": "Unknown" + }, "ocsf": { "activity_id": 99, "activity_name": "look", @@ -108,6 +120,19 @@ "status_id": "1", "type_name": "Application Lifecycle: Other", "type_uid": "600299" + }, + "package": { + "description": [], + "name": [], + "type": [] + }, + "related": { + "hosts": [ + "zinc.biz" + ], + "ip": [ + "81.2.69.142" + ] } } } \ No newline at end of file 
diff --git a/OCSF/ocsf/tests/test_discovery_1.json b/OCSF/ocsf/tests/test_discovery_1.json index f8bf47b01..7b6f20d63 100644 --- a/OCSF/ocsf/tests/test_discovery_1.json +++ b/OCSF/ocsf/tests/test_discovery_1.json @@ -15,16 +15,31 @@ "category": [ "configuration" ], + "kind": "event", "provider": "reliance trust interim", "severity": 6, "type": [ "info" ] }, + "@timestamp": "2023-09-21T06:27:59.358000Z", "cloud": { "provider": "mathematical inclusive insured", "region": "gravity bids tennis" }, + "host": { + "hostname": "lucas.pro", + "id": "023e2564-5848-11ee-9c42-0242ac110005", + "ip": [ + "81.2.69.142" + ], + "name": "lucas.pro", + "risk": { + "static_level": "russell customized absolutely", + "static_score": 36 + }, + "type": "Desktop" + }, "ocsf": { "activity_id": 2, "activity_name": "Collect", @@ -91,6 +106,21 @@ "timezone_offset": 0, "type_name": "Device Config State: Collect", "type_uid": "500202" + }, + "related": { + "hosts": [ + "lucas.pro" + ], + "ip": [ + "81.2.69.142" + ] + }, + "rule": { + "category": "descidhscate", + "description": "rule_description", + "name": "rule_name", + "uuid": "rule123", + "version": "0.1.0" } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_discovery_2.json b/OCSF/ocsf/tests/test_discovery_2.json index 11d91d278..b3b20b48c 100644 --- a/OCSF/ocsf/tests/test_discovery_2.json +++ b/OCSF/ocsf/tests/test_discovery_2.json 
@@ -12,7 +12,9 @@ "message": "{\"message\": \"poster thongs assumptions\", \"status\": \"Success\", \"time\": 1695277679358, \"device\": {\"name\": \"craig functioning literally\", \"type\": \"Laptop\", \"os\": {\"name\": \"spy chronic casual\", \"type\": \"Android\", \"version\": \"1.0.0\", \"build\": \"dozen oval removing\", \"type_id\": 201, \"lang\": \"en\", \"edition\": \"nightmare engineers carter\"}, \"location\": {\"desc\": \"Reunion\", \"city\": \"Porcelain senior\", \"country\": \"RE\", \"coordinates\": [-161.6608, -47.0418], \"continent\": \"Africa\"}, \"uid\": \"7f256308-584d-11ee-8de0-0242ac110005\", \"image\": {\"name\": \"saudi enhanced surgical\", \"uid\": \"7f2554b2-584d-11ee-b26b-0242ac110005\"}, \"mac\": \"C6:49:F0:76:1D:13:CE:F7\", \"type_id\": 3, \"autoscale_uid\": \"7f25415c-584d-11ee-b3fc-0242ac110005\", \"hw_info\": {\"cpu_bits\": 66}, \"instance_uid\": \"7f254ea4-584d-11ee-a68f-0242ac110005\", \"interface_name\": \"watt profile rs\", \"is_personal\": false, \"last_seen_time\": 1695277679358, \"region\": \"airport leaves kitchen\", \"risk_level\": \"organizational economic connecticut\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"butterfly knight log\", \"version\": \"1.0.0\", \"uid\": \"7f25336a-584d-11ee-b2a5-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"disciplinary rec report\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"event_code\": \"spelling\", \"log_name\": \"len falling educational\", \"log_provider\": \"tales asset extremely\", \"log_version\": \"learners headlines linear\", \"original_time\": \"programmers less barcelona\", \"processed_time\": 1695280036393}, \"severity\": \"Critical\", \"type_name\": \"Device Inventory Info: Collect\", \"activity_id\": 2, \"type_uid\": 500102, \"category_name\": \"Discovery\", \"class_uid\": 5001, \"category_uid\": 5, \"class_name\": \"Device Inventory Info\", \"timezone_offset\": 65, \"activity_name\": \"Collect\", \"cloud\": {\"org\": 
{\"name\": \"black lets promotions\", \"ou_name\": \"recover sol revolutionary\"}, \"provider\": \"mod force sailing\", \"region\": \"ticket resident buried\"}, \"enrichments\": [{\"data\": {\"nintendo\": \"abcd\"}, \"name\": \"visual mv bottom\", \"type\": \"calibration basics quebec\", \"value\": \"alice stick spray\", \"provider\": \"lucy permanent trips\"}], \"severity_id\": 5, \"status_code\": \"vancouver\", \"status_id\": 1, \"start_time_dt\": \"2023-09-21T07:07:16.394812Z\"}", "event": { "action": "collect", + "category": [], "code": "spelling", + "kind": "event", "outcome": "success", "provider": "tales asset extremely", "severity": 5, @@ -21,10 +23,36 @@ "info" ] }, + "@timestamp": "2023-09-21T06:27:59.358000Z", "cloud": { "provider": "mod force sailing", "region": "ticket resident buried" }, + "host": { + "geo": { + "city_name": "Porcelain senior", + "continent_name": "Africa", + "country_iso_code": "RE", + "location": { + "lat": -47.0418, + "lon": -161.6608 + }, + "name": "Reunion" + }, + "id": "7f256308-584d-11ee-8de0-0242ac110005", + "mac": [ + "C6:49:F0:76:1D:13:CE:F7" + ], + "os": { + "name": "spy chronic casual", + "type": "Android", + "version": "dozen oval removing" + }, + "risk": { + "static_level": "organizational economic connecticut" + }, + "type": "Laptop" + }, "ocsf": { "activity_id": 2, "activity_name": "Collect", diff --git a/OCSF/ocsf/tests/test_findings_1.json b/OCSF/ocsf/tests/test_findings_1.json index 7560c3739..97e8ef6f3 100644 --- a/OCSF/ocsf/tests/test_findings_1.json +++ b/OCSF/ocsf/tests/test_findings_1.json @@ -13,13 +13,16 @@ "event": { "action": "update", "category": [ + "malware", "vulnerability" ], + "kind": "alert", "severity": 1, "type": [ "info" ] }, + "@timestamp": "2022-08-04T18:09:19.100000Z", "cloud": { "account": { "id": "522536594833" 
@@ -154,6 +157,30 @@ "vendor_name": "Alas" } ] + }, + "vulnerability": { + "description": [ + "" + ], + "id": [ + "CVE-2020-12345" + ], + "scanner": { + "vendor": [ + "Alas" + ] + }, + "score": { + "base": [ + 4.7 + ], + "version": [ + "V3" + ] + }, + "severity": [ + "" + ] } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_iam_1.json b/OCSF/ocsf/tests/test_iam_1.json index 5aa6136d3..f15e3af81 100644 --- a/OCSF/ocsf/tests/test_iam_1.json +++ b/OCSF/ocsf/tests/test_iam_1.json @@ -15,6 +15,7 @@ "category": [ "session" ], + "kind": "event", "outcome": "unknown", "provider": "medline putting movie", "sequence": 82, @@ -23,6 +24,11 @@ "info" ] }, + "@timestamp": "2023-10-06T05:28:29Z", + "group": { + "id": "2e6b38da-6409-11ee-a724-0242ac110005", + "name": "hollow alignment one" + }, "ocsf": { "activity_id": 0, "activity_name": "Unknown", @@ -77,6 +83,16 @@ "type": "creations", "type_id": "99" } + }, + "user": { + "target": { + "group": { + "id": [], + "name": [] + }, + "id": "2e6b43e8-6409-11ee-ad4a-0242ac110005", + "name": "And" + } } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_iam_2.json b/OCSF/ocsf/tests/test_iam_2.json index f5349435f..269e77466 100644 --- a/OCSF/ocsf/tests/test_iam_2.json +++ b/OCSF/ocsf/tests/test_iam_2.json 
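Review bot: This fixture now asserts `"description": [""]` and `"severity": [""]` under `vulnerability`, i.e. it pins the empty-string artifacts produced by the unguarded `vulnerabilities` loops as correct output instead of catching them. Either the expectation should become an empty list (or the key absent) once the parser guards missing `desc` / `severity`, or the sample should carry real values so the test actually exercises the mapping. As written, the test will keep passing while every finding without a description emits a bogus empty entry.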
@@ -12,10 +12,13 @@ "message": "{\"message\": \"ri retired bargain\", \"status\": \"authors technology bible\", \"time\": 1696570795, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"version\": \"1.0.0\", \"uid\": \"c7a42ac4-640a-11ee-ae25-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"cross networks miles\"}, \"uid\": \"c7a45544-640a-11ee-84b0-0242ac110005\", \"labels\": [\"calm\"], \"sequence\": 53, \"profiles\": [], \"correlation_uid\": \"c7a462e6-640a-11ee-b915-0242ac110005\", \"log_name\": \"intent hobby reserve\", \"log_provider\": \"details contributor departments\"}, \"severity\": \"Unknown\", \"type_name\": \"Entity Management: Read\", \"activity_id\": 2, \"type_uid\": 300402, \"category_name\": \"Identity & Access Management\", \"class_uid\": 3004, \"category_uid\": 3, \"class_name\": \"Entity Management\", \"timezone_offset\": 36, \"activity_name\": \"Read\", \"entity\": {\"name\": \"sweden temperatures paste\", \"type\": \"founder quilt bone\", \"version\": \"1.0.0\", \"uid\": \"c7a47574-640a-11ee-aeb8-0242ac110005\"}, \"severity_id\": 0}", "event": { "action": "read", + "category": [], "provider": "details contributor departments", "sequence": 53, - "severity": 0 + "severity": 0, + "type": [] }, + "@timestamp": "2023-10-06T05:39:55Z", "ocsf": { "activity_id": 2, "activity_name": "Read", diff --git a/OCSF/ocsf/tests/test_iam_3.json b/OCSF/ocsf/tests/test_iam_3.json index ae3bcdb53..83f120650 100644 --- a/OCSF/ocsf/tests/test_iam_3.json +++ b/OCSF/ocsf/tests/test_iam_3.json @@ -16,14 +16,21 @@ "iam" ], "duration": 91000000, + "kind": "event", "outcome": "success", "provider": "adsl exposed rom", "sequence": 35, "severity": 2, "type": [ + "info", "user" ] }, + "@timestamp": "2023-10-06T09:06:46Z", + "group": { + "id": "acca5274-6427-11ee-9dbd-0242ac110005", + "name": "cottages donor awful" + }, "ocsf": { "activity_id": 3, "activity_name": "Add User", 
@@ -86,6 +93,23 @@ "type": "suited", "type_id": "99" } + }, + "user": { + "target": { + "full_name": "Nicki Christa", + "group": { + "id": [ + "acca6980-6427-11ee-8abc-0242ac110005", + "acca6de0-6427-11ee-84f2-0242ac110005" + ], + "name": [ + "interior husband tvs", + "kim patio tr" + ] + }, + "id": "acca5dd2-6427-11ee-8ef4-0242ac110005", + "name": "Rankings" + } } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_iam_4.json b/OCSF/ocsf/tests/test_iam_4.json index 4fbbb0f40..4015f84db 100644 --- a/OCSF/ocsf/tests/test_iam_4.json +++ b/OCSF/ocsf/tests/test_iam_4.json @@ -15,12 +15,19 @@ "category": [ "iam" ], + "kind": "event", "severity": 3, "start": "2023-10-06T08:45:58Z", "type": [ - "group" + "group", + "info" ] }, + "@timestamp": "2023-10-06T08:45:58Z", + "group": { + "id": "c63f1e24-6424-11ee-af05-0242ac110005", + "name": "then nevada berkeley md" + }, "ocsf": { "activity_id": 0, "activity_name": "Unknown", @@ -93,6 +100,16 @@ "type": "System", "type_id": "3" } + }, + "user": { + "target": { + "group": { + "id": [], + "name": [] + }, + "id": "c52f5236-6424-11ee-9c16-0242ac110005", + "name": "Dd" + } } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_1.json b/OCSF/ocsf/tests/test_network_activity_1.json index db3a7ad23..7a1131183 100644 --- a/OCSF/ocsf/tests/test_network_activity_1.json +++ b/OCSF/ocsf/tests/test_network_activity_1.json @@ -16,12 +16,15 @@ "network" ], "end": "2022-04-12T00:03:08Z", + "kind": "event", "severity": 1, "start": "2022-04-12T00:02:12Z", "type": [ - "denied" + "denied", + "info" ] }, + "@timestamp": "2022-04-12T00:02:12Z", "cloud": { "account": { "id": "123456789012" @@ -35,6 +38,14 @@ "ip": "172.31.2.52", "port": 39938 }, + "network": { + "bytes": 40, + "direction": [ + "inbound" + ], + "iana_number": "6", + "packets": 1 + }, "ocsf": { "activity_id": 5, "activity_name": "Refuse", 
diff --git a/OCSF/ocsf/tests/test_network_activity_10.json b/OCSF/ocsf/tests/test_network_activity_10.json index 52cd136bc..d9a8f759f 100644 --- a/OCSF/ocsf/tests/test_network_activity_10.json +++ b/OCSF/ocsf/tests/test_network_activity_10.json @@ -13,20 +13,44 @@ "event": { "action": "rename", "category": [ - "file" + "file", + "network" ], + "kind": "event", "provider": "cb indexes boxing", "sequence": 99, "severity": 2, "start": "2023-09-25T21:07:21.445000Z", "type": [ - "change" + "change", + "info" ] }, + "@timestamp": "2023-09-25T21:07:21.549000Z", "cloud": { "provider": "diego ins ext", "region": "kissing wi confidence" }, + "container": { + "id": "84977158-5be7-11ee-b042-0242ac110005", + "image": { + "name": "produced field obituaries" + }, + "name": "ambien cloud eur" + }, + "email": { + "attachments": { + "file": { + "name": "amend.sh" + } + } + }, + "file": { + "directory": "telling saved challenge/wrapped.tga", + "name": "amend.sh", + "path": "telling saved challenge/wrapped.tga/citations.gpx", + "type": "Unknown" + }, "network": { "application": "stanford leisure analyzed" }, @@ -241,12 +265,41 @@ "type_name": "Network File Activity: Rename", "type_uid": "401005" }, + "process": { + "command_line": "goals happen dad", + "entity_id": "849768e8-5be7-11ee-a428-0242ac110005", + "name": "Qualification", + "parent": { + "command_line": "bless addresses backgrounds", + "end": "2023-09-25T21:07:21.564000Z", + "entity_id": "8497ba64-5be7-11ee-b3a6-0242ac110005", + "start": "2023-09-25T21:07:21.518000Z" + }, + "pid": 42, + "start": "2023-09-25T21:07:21.514000Z", + "thread": { + "id": 17 + }, + "user": { + "group": { + "id": [], + "name": [] + }, + "id": [ + "84975f7e-5be7-11ee-bfad-0242ac110005" + ], + "name": "Aquatic" + } + }, "related": { "hosts": [ "menu.travel" ], "ip": [ "175.16.199.1" + ], + "user": [ + "Turkish" ] }, "source": { 
@@ -256,6 +309,15 @@ "port": 25780, "registered_domain": "menu.travel", "top_level_domain": "travel" + }, + "user": { + "domain": "jones cnet biz", + "group": { + "id": [], + "name": [] + }, + "id": "849f330c-5be7-11ee-aa02-0242ac110005", + "name": "Turkish" } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_11.json b/OCSF/ocsf/tests/test_network_activity_11.json index 3a5ff9003..f2a4e2d44 100644 --- a/OCSF/ocsf/tests/test_network_activity_11.json +++ b/OCSF/ocsf/tests/test_network_activity_11.json @@ -13,19 +13,48 @@ "event": { "action": "send", "category": [ - "email" + "email", + "file" ], + "kind": "event", "severity": 5, "type": [ "info" ] }, + "@timestamp": "2023-09-25T21:08:04.572000Z", "cloud": { "account": { "id": "9e3d6a4a-5be7-11ee-9095-0242ac110005" }, "provider": "antique camp pin" }, + "email": { + "attachments": { + "file": { + "name": "revenge.ged", + "size": 123 + } + }, + "local_id": "9e3d9088-5be7-11ee-b651-0242ac110005" + }, + "file": { + "directory": "pensions lightning push/congress.icns", + "mtime": "2023-09-25T21:08:04.549000Z", + "name": "revenge.ged", + "path": "pensions lightning push/congress.icns/revenge.ged", + "size": 123, + "type": "Block Device" + }, + "host": { + "hostname": "rule.edu", + "id": "9e3dbfa4-5be7-11ee-8f05-0242ac110005", + "ip": [ + "67.43.156.0" + ], + "name": "rule.edu", + "type": "Tablet" + }, "ocsf": { "activity_id": 1, "activity_name": "Send", @@ -144,6 +173,24 @@ "timezone_offset": 0, "type_name": "Email File Activity: Send", "type_uid": "401101" + }, + "related": { + "hosts": [ + "rule.edu" + ], + "ip": [ + "67.43.156.0" + ] + }, + "threat": { + "technique": { + "id": [ + "T1191" + ], + "name": [ + "CMSTP" + ] + } } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_12.json b/OCSF/ocsf/tests/test_network_activity_12.json index 688b9162c..4f56c047f 100644 --- a/OCSF/ocsf/tests/test_network_activity_12.json 
+++ b/OCSF/ocsf/tests/test_network_activity_12.json @@ -16,6 +16,7 @@ "email" ], "duration": 2000000, + "kind": "event", "outcome": "success", "provider": "immediately accused charlie", "severity": 99, @@ -23,6 +24,7 @@ "info" ] }, + "@timestamp": "2023-09-25T21:08:21.376000Z", "cloud": { "account": { "id": "a844c1f0-5be7-11ee-83dc-0242ac110005", @@ -31,6 +33,18 @@ "provider": "indicated electro washer", "region": "crucial mysimon exit" }, + "email": { + "local_id": "a8450be2-5be7-11ee-bf7c-0242ac110005" + }, + "host": { + "hostname": "australia.aero", + "id": "a845433c-5be7-11ee-8e93-0242ac110005", + "ip": [ + "67.43.156.0" + ], + "name": "australia.aero", + "type": "Virtual" + }, "ocsf": { "activity_id": 2, "activity_name": "Receive", @@ -130,6 +144,23 @@ "54" ] } + }, + "related": { + "hosts": [ + "australia.aero", + "sage.mil" + ], + "ip": [ + "67.43.156.0" + ] + }, + "url": { + "domain": "sage.mil", + "original": "vocal", + "path": "flows affiliation global", + "port": 23624, + "query": "mattress betting covers", + "scheme": "yoga thesaurus regardless" } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_2.json b/OCSF/ocsf/tests/test_network_activity_2.json index 4ac43b7df..ad5f7481a 100644 --- a/OCSF/ocsf/tests/test_network_activity_2.json +++ b/OCSF/ocsf/tests/test_network_activity_2.json @@ -17,6 +17,7 @@ ], "duration": 80000000, "end": "2023-09-25T21:04:49.419000Z", + "kind": "event", "outcome": "success", "provider": "myrtle watts management", "severity": 99, @@ -24,6 +25,7 @@ "info" ] }, + "@timestamp": "2023-09-25T21:04:49.417000Z", "cloud": { "provider": "reflect alarm my", "region": "chrome during bs" 
@@ -31,8 +33,40 @@ "destination": { "port": 15440 }, + "host": { + "domain": "barbara advantages levitra", + "geo": { + "city_name": "Suspension associations", + "continent_name": "Africa", + "country_iso_code": "LS", + "location": { + "lat": -46.1461, + "lon": -67.6681 + }, + "name": "Lesotho, Kingdom of" + }, + "hostname": "scanners.nato", + "id": "29eed912-5be7-11ee-a07b-0242ac110005", + "ip": [ + "175.16.199.1" + ], + "name": "scanners.nato", + "risk": { + "static_level": "improving jvc directors", + "static_score": 9 + }, + "type": "Virtual" + }, + "http": { + "request": { + "id": "29eee308-5be7-11ee-baad-0242ac110005", + "method": "POST" + }, + "version": "1.0.0" + }, "network": { - "application": "sim lucas entries" + "application": "sim lucas entries", + "iana_number": "67" }, "ocsf": { "activity_id": 1, @@ -167,9 +201,12 @@ }, "related": { "hosts": [ + "collected.org", + "scanners.nato", "side.pro" ], "ip": [ + "175.16.199.1", "67.43.156.0" ] }, @@ -180,6 +217,25 @@ "port": 14669, "registered_domain": "side.pro", "top_level_domain": "pro" + }, + "url": { + "domain": "collected.org", + "original": "illinois", + "path": "proposed opposed vegas", + "port": 17689, + "query": "additions linux furthermore", + "scheme": "gary bibliography font", + "subdomain": "katrina je pieces" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "cheese heading anyway", + "os": { + "name": "Other" + } } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_3.json b/OCSF/ocsf/tests/test_network_activity_3.json index 4b68617b7..22331ecc5 100644 --- a/OCSF/ocsf/tests/test_network_activity_3.json +++ b/OCSF/ocsf/tests/test_network_activity_3.json @@ -15,11 +15,14 @@ "category": [ "network" ], + "kind": "event", "severity": 1, "type": [ + "info", "protocol" ] }, + "@timestamp": "2022-10-13T21:02:37.896000Z", "cloud": { "account": { "id": "123456789012" 
@@ -27,6 +30,34 @@ "provider": "AWS", "region": "us-east-1" }, + "dns": { + "answers": { + "class": [ + "IN" + ], + "ttl": [], + "type": [ + "A" + ] + }, + "id": [], + "question": { + "class": [ + "IN" + ], + "name": "ip-127-0-0-62.alert.firewall.canary.", + "subdomain": "ip-127-0-0-62.alert.firewall", + "type": [ + "A" + ] + }, + "response_code": "NoError" + }, + "network": { + "direction": [ + "unknown" + ] + }, "ocsf": { "activity_id": 2, "activity_name": "Response", @@ -76,6 +107,9 @@ "unmapped": "{\"firewall_domain_list_id\": \"rslvr-fdl-0000000000000\", \"firewall_rule_group_id\": \"rslvr-frg-000000000000000\"}" }, "related": { + "hosts": [ + "ip-127-0-0-62.alert.firewall.canary." + ], "ip": [ "10.200.21.100" ] diff --git a/OCSF/ocsf/tests/test_network_activity_4.json b/OCSF/ocsf/tests/test_network_activity_4.json index 436d6dc27..5f41065f4 100644 --- a/OCSF/ocsf/tests/test_network_activity_4.json +++ b/OCSF/ocsf/tests/test_network_activity_4.json @@ -16,13 +16,16 @@ "network" ], "code": "population", + "kind": "event", "outcome": "failure", "provider": "remembered substantial possible", "severity": 99, "type": [ + "info", "protocol" ] }, + "@timestamp": "2023-09-25T21:05:19.042000Z", "cloud": { "provider": "finest subdivision assists", "region": "drill bedford post" @@ -34,6 +37,10 @@ "city_name": "Suggests contamination", "continent_name": "North America", "country_iso_code": "LC", + "location": { + "lat": -89.695, + "lon": 54.5116 + }, "name": "Saint Lucia" }, "ip": "67.43.156.0", 
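Review bot: `related.hosts` now carries the DNS question name with its trailing dot, `ip-127-0-0-62.alert.firewall.canary.`, so a correlation on `related.hosts: "ip-127-0-0-62.alert.firewall.canary"` will not match this event. Stripping the trailing dot before adding the name to `related.hosts` (and probably in `dns.question.name`) would keep it consistent with hostnames collected from other fields in this parser. `dns.id` is also `[]` here; given the `packed_uid` typo in the parser's answers loop this may be masking missing answer ids, and is worth checking against the sample message.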
@@ -41,6 +48,26 @@ "registered_domain": "cloud.int", "top_level_domain": "int" }, + "host": { + "domain": "ordinance died reducing", + "geo": { + "city_name": "Arabic ana", + "continent_name": "Asia", + "country_iso_code": "IR", + "location": { + "lat": -41.4084, + "lon": -170.1816 + }, + "name": "Iran, Islamic Republic of" + }, + "hostname": "labs.org", + "id": "3b9854e0-5be7-11ee-b25b-0242ac110005", + "ip": [ + "67.43.156.0" + ], + "name": "labs.org", + "type": "Laptop" + }, "network": { "application": "where image territories" }, @@ -138,19 +165,13 @@ "related": { "hosts": [ "cloud.int", + "labs.org", "scores.net" ], "ip": [ "67.43.156.0" ] }, - "sekoiaio": { - "intake": { - "parsing_warnings": [ - "Cannot set field 'destination.geo.location' with given definition in stage 'pipeline_object_network_endpoint'. Cannot convert value in field 'destination.geo.location' to type 'dict'" - ] - } - }, "source": { "address": "scores.net", "domain": "scores.net", diff --git a/OCSF/ocsf/tests/test_network_activity_5.json b/OCSF/ocsf/tests/test_network_activity_5.json index e45cc90df..0c971fdd3 100644 --- a/OCSF/ocsf/tests/test_network_activity_5.json +++ b/OCSF/ocsf/tests/test_network_activity_5.json @@ -16,19 +16,23 @@ "network" ], "end": "2023-09-25T21:05:57.699925Z", + "kind": "event", "provider": "unwrap std painful", "severity": 2, "start": "2023-09-25T21:05:57.693000Z", "type": [ + "info", "protocol" ] }, + "@timestamp": "2023-09-25T21:05:57.710000Z", "cloud": { "provider": "lafayette lime metal", "region": "crimes gotten calculators" }, "destination": { "address": "climate.gov", + "bytes": 3737296762, "domain": "climate.gov", "ip": "67.43.156.0", "mac": "6F:86:CF:42:61:43:EF:EC", 
@@ -36,8 +40,35 @@ "registered_domain": "climate.gov", "top_level_domain": "gov" }, + "host": { + "hostname": "bookstore.com", + "id": "52a3b968-5be7-11ee-8c32-0242ac110005", + "ip": [ + "175.16.199.1" + ], + "name": "bookstore.com", + "risk": { + "static_level": "theory mattress fr", + "static_score": 32 + }, + "type": "cingular" + }, + "http": { + "request": { + "id": "52a3da4c-5be7-11ee-baa3-0242ac110005" + }, + "response": { + "status_code": 79 + } + }, "network": { - "application": "intro contacted payroll" + "application": "intro contacted payroll", + "bytes": 4178624388, + "direction": [ + "unknown" + ], + "iana_number": "7", + "packets": 2072578920 }, "ocsf": { "activity_id": 6, @@ -223,16 +254,64 @@ }, "related": { "hosts": [ + "bookstore.com", "climate.gov" ], "ip": [ + "175.16.199.1", "67.43.156.0" ] }, "source": { "address": "67.43.156.0", + "bytes": 2902061295, "ip": "67.43.156.0", "port": 55305 + }, + "threat": { + "technique": { + "id": [ + "T1193", + "T1587.001" + ], + "name": [ + "Malware", + "Spearphishing Attachment" + ] + } + }, + "tls": { + "cipher": "fabric mess guaranteed", + "client": { + "server_name": "burner funeral singing", + "supported_ciphers": [ + "python ireland aerial", + "season textbook walt" + ], + "x509": { + "alternative_names": [ + "downloads informed warehouse", + "gamma consultant lcd" + ], + "issuer": { + "distinguished_name": "ring vc mild" + }, + "not_after": "2023-09-25T21:05:57.707000Z", + "serial_number": "refrigerator os jumping", + "subject": { + "distinguished_name": "tramadol babe inf" + }, + "version_number": "1.0.0" + } + }, + "server": { + "certificate_chain": [ + "magazines cooler constitute", + "universities investment processing" + ], + "ja3s": "63DA7BD36D87B066DC0E0BB794DBD39ABF21F1A63BA929705FB6C81005838FFA5E8FE456C4DB8ACBD983D90356A5707FC1F4EF069CC70B65B34A5496D5484DDC" + }, + "version": "1.0.0" } } } \ No newline at end of file 
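Review bot: The added `threat.technique` block in the `@@ -223,16 +254,64 @@` hunk lists `"id": ["T1193", "T1587.001"]` against `"name": ["Malware", "Spearphishing Attachment"]`, so the two arrays have been sorted independently and no longer line up pairwise — T1193 is the ATT&CK id for Spearphishing Attachment and T1587.001 the id for Malware. ECS documents `threat.technique.id` and `threat.technique.name` as parallel arrays, so any analyst or rule that pairs index i of each field will read the wrong name for an id. If this fixture is the parser's verbatim output, the mapping should emit ids and names in their source order (or emit only the id and resolve the name downstream); if the test harness sorts arrays purely for comparison, that is worth a comment next to the comparison so the fixture is not read as the real event shape. The same independently sorted pairs appear in test_network_activity_6 (`T1059.006`/`T1090.003` vs `Multi-hop Proxy`/`Python`), test_network_activity_8 and test_system_activity_3 in this diff.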
diff --git a/OCSF/ocsf/tests/test_network_activity_6.json b/OCSF/ocsf/tests/test_network_activity_6.json index c810021e0..de736c1f1 100644 --- a/OCSF/ocsf/tests/test_network_activity_6.json +++ b/OCSF/ocsf/tests/test_network_activity_6.json @@ -13,15 +13,19 @@ "event": { "action": "file create", "category": [ + "api", "file" ], "duration": 78000000, + "kind": "event", "outcome": "failure", "severity": 3, "type": [ - "creation" + "creation", + "info" ] }, + "@timestamp": "2023-09-25T21:06:16.072807Z", "cloud": { "availability_zone": "silk appointed semi", "provider": "bracelet characteristic scenic", @@ -35,8 +39,51 @@ "registered_domain": "larger.mil", "top_level_domain": "mil" }, + "email": { + "attachments": { + "file": { + "name": "brazil.docx" + } + } + }, + "file": { + "directory": "pay msie consciousness/checking.tiff", + "inode": "5d95ca5a-5be7-11ee-a417-0242ac110005", + "mtime": "2023-09-25T21:06:16.016000Z", + "name": "brazil.docx", + "path": "pay msie consciousness/checking.tiff/brazil.docx", + "type": "Character Device", + "x509": { + "issuer": { + "distinguished_name": "digest june ty" + }, + "not_after": "2023-09-25T21:06:16.057000Z", + "serial_number": "schedules heater hardwood", + "subject": { + "distinguished_name": "tagged military guided" + }, + "version_number": "1.0.0" + } + }, + "host": { + "hostname": "african.museum", + "ip": [ + "175.16.199.1" + ], + "name": "african.museum", + "type": "IOT" + }, + "http": { + "response": { + "status_code": 94 + } + }, "network": { - "application": "galleries facilitate fiji" + "application": "galleries facilitate fiji", + "direction": [ + "unknown" + ], + "iana_number": "89" }, "ocsf": { "activity_id": 3, @@ -212,10 +259,12 @@ }, "related": { "hosts": [ + "african.museum", "larger.mil", "sara.web" ], "ip": [ + "175.16.199.1", "67.43.156.0" ] }, 
@@ -225,6 +274,18 @@ "ip": "67.43.156.0", "port": 21573, "subdomain": "sara" + }, + "threat": { + "technique": { + "id": [ + "T1059.006", + "T1090.003" + ], + "name": [ + "Multi-hop Proxy", + "Python" + ] + } } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_7.json b/OCSF/ocsf/tests/test_network_activity_7.json index 578d8f618..35d48086a 100644 --- a/OCSF/ocsf/tests/test_network_activity_7.json +++ b/OCSF/ocsf/tests/test_network_activity_7.json @@ -15,14 +15,17 @@ "category": [ "network" ], + "kind": "event", "outcome": "failure", "provider": "babies entities stephanie", "sequence": 3, "severity": 1, "type": [ + "info", "protocol" ] }, + "@timestamp": "2023-09-25T21:06:26.429430Z", "cloud": { "provider": "flights density typical" }, @@ -33,8 +36,24 @@ "registered_domain": "novelty.arpa", "top_level_domain": "arpa" }, + "host": { + "hostname": "incurred.net", + "id": "63c18c7a-5be7-11ee-930e-0242ac110005", + "ip": [ + "127.252.94.88" + ], + "name": "incurred.net", + "type": "Tablet" + }, "network": { - "application": "observations dennis meals" + "application": "observations dennis meals", + "direction": [ + "inbound" + ], + "iana_number": "59", + "vlan": { + "id": "63c18892-5be7-11ee-b15d-0242ac110005" + } }, "ocsf": { "activity_id": 0, @@ -130,10 +149,12 @@ }, "related": { "hosts": [ + "incurred.net", "novelty.arpa", "visit.name" ], "ip": [ + "127.252.94.88", "175.16.199.1", "67.43.156.0" ] diff --git a/OCSF/ocsf/tests/test_network_activity_8.json b/OCSF/ocsf/tests/test_network_activity_8.json index 040086f7e..f8d19c3a7 100644 --- a/OCSF/ocsf/tests/test_network_activity_8.json +++ b/OCSF/ocsf/tests/test_network_activity_8.json 
@@ -13,15 +13,19 @@ "event": { "action": "unknown", "category": [ - "file" + "file", + "network" ], "end": "2023-09-25T21:06:35.259000Z", + "kind": "event", "provider": "penn awards fp", "severity": 6, "type": [ + "info", "protocol" ] }, + "@timestamp": "2023-09-25T21:06:35.262000Z", "cloud": { "provider": "there underwear pitch" }, @@ -29,12 +33,19 @@ "address": "seattle.cat", "domain": "seattle.cat", "ip": "67.43.156.0", + "packets": 114291882, "port": 37570, "registered_domain": "seattle.cat", "top_level_domain": "cat" }, "network": { - "application": "meditation qualify finish" + "application": "meditation qualify finish", + "bytes": 1018309558, + "direction": [ + "inbound" + ], + "iana_number": "74", + "packets": 3392751261 }, "ocsf": { "activity_id": 0, @@ -159,9 +170,22 @@ }, "source": { "address": "collectible.firm", + "bytes": 469399752, "domain": "collectible.firm", "port": 21528, "subdomain": "collectible" + }, + "threat": { + "technique": { + "id": [ + "T1203", + "T1583" + ], + "name": [ + "Acquire Infrastructure", + "Exploitation for Client Execution" + ] + } } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_9.json b/OCSF/ocsf/tests/test_network_activity_9.json index d02844102..04d423bed 100644 --- a/OCSF/ocsf/tests/test_network_activity_9.json +++ b/OCSF/ocsf/tests/test_network_activity_9.json @@ -15,6 +15,7 @@ "email" ], "end": "2023-09-25T21:07:01.666000Z", + "kind": "event", "outcome": "success", "provider": "sheet satisfaction survey", "severity": 1, 
@@ -22,10 +23,42 @@ "info" ] }, + "@timestamp": "2023-09-25T21:07:01.669000Z", "cloud": { "provider": "stick harris italy", "region": "cj safer should" }, + "email": { + "from": { + "address": [ + "Han@trans.info" + ] + }, + "local_id": "78c1ed2c-5be7-11ee-9a21-0242ac110005", + "message_id": "78c23354-5be7-11ee-b3ad-0242ac110005", + "reply_to": { + "address": [ + "Nguyet@quoted.edu" + ] + }, + "to": { + "address": [ + "Darnell@stereo.nato", + "Vernia@tba.edu" + ] + } + }, + "host": { + "id": "78c33c0e-5be7-11ee-ba4c-0242ac110005", + "ip": [ + "175.16.199.1" + ], + "os": { + "name": "rfc oman tan", + "type": "macOS" + }, + "type": "Tablet" + }, "ocsf": { "category_name": "Network Activity", "category_uid": 4, @@ -130,6 +163,11 @@ "timezone_offset": 24, "type_name": "Email Activity: Other", "type_uid": "400999" + }, + "related": { + "ip": [ + "175.16.199.1" + ] } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_system_activity_1.json b/OCSF/ocsf/tests/test_system_activity_1.json index e38c3c7fe..5d502d605 100644 --- a/OCSF/ocsf/tests/test_system_activity_1.json +++ b/OCSF/ocsf/tests/test_system_activity_1.json @@ -15,13 +15,36 @@ "category": [ "file" ], + "kind": "event", "provider": "apr applies bought", "sequence": 36, "severity": 4, "type": [ - "change" + "change", + "info" ] }, + "@timestamp": "2023-09-21T04:56:21.548000Z", + "file": { + "accessed": "2023-09-21T04:56:21.548000Z", + "directory": "basement neighborhood nelson/pointer.mpa", + "name": "phi.tar", + "path": "basement neighborhood nelson/pointer.mpa/phi.tar", + "type": "Named Pipe" + }, + "host": { + "id": "3575127e-583b-11ee-b9cf-0242ac110005", + "ip": [ + "1.128.0.0" + ], + "os": { + "name": "mess deposits scary" + }, + "risk": { + "static_score": 17 + }, + "type": "Browser" + }, "ocsf": { "activity_id": 5, "activity_name": "Rename", 
@@ -196,6 +219,63 @@ "timezone_offset": 14, "type_name": "File System Activity: Rename", "type_uid": "100105" + }, + "process": { + "command_line": "dd apple updating", + "entity_id": "357539de-583b-11ee-808d-0242ac110005", + "name": "Http", + "parent": { + "command_line": "regardless discussed gb", + "name": "Olympic", + "start": "2023-09-21T04:56:21.548000Z", + "user": { + "email": "Georgeann@compounds.org", + "group": { + "id": [ + "357556c6-583b-11ee-a761-0242ac110005" + ], + "name": [ + "admissions throughout scope" + ] + }, + "id": [ + "357551a8-583b-11ee-9f3a-0242ac110005" + ], + "name": "Salvador" + } + }, + "pid": 39, + "start": "2023-09-21T04:56:21.548000Z", + "user": { + "domain": "canal emerald dry", + "email": "Dotty@bg.info", + "full_name": "Kitty Sabine", + "group": { + "id": [], + "name": [] + }, + "id": [ + "35752d18-583b-11ee-8e91-0242ac110005" + ], + "name": "Proxy" + } + }, + "related": { + "ip": [ + "1.128.0.0" + ], + "user": [ + "Hispanic" + ] + }, + "user": { + "full_name": "Inocencia Adelle", + "group": { + "id": [], + "name": [] + }, + "id": "3576b16a-583b-11ee-9386-0242ac110005", + "name": "Hispanic" } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_system_activity_2.json b/OCSF/ocsf/tests/test_system_activity_2.json index aa3558a0e..c566257f1 100644 --- a/OCSF/ocsf/tests/test_system_activity_2.json +++ b/OCSF/ocsf/tests/test_system_activity_2.json @@ -16,6 +16,7 @@ "driver" ], "duration": 56000000, + "kind": "event", "outcome": "unknown", "provider": "officially vehicles incorporated", "severity": 2, 
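Review bot: `related.user` in this hunk contains only `"Hispanic"` (the top-level `user.name`), while the same event now carries `process.user.name` `"Proxy"` and `process.parent.user.name` `"Salvador"`, which are absent from it. ECS intends `related.user` to collect every user name present in the event so that a single pivot on `related.user` finds the event regardless of which field the name landed in; as expected here, a hunt for activity by the process owner would miss this event. The parser stage that fills `related.user` should presumably also fold in the process and parent-process user names, giving `"user": ["Hispanic", "Proxy", "Salvador"]` for this fixture. test_system_activity_2 (`"Pursue"` missing beside `"Fellowship"`) and test_system_activity_3 (`"Beth"` missing beside `"Affect"`) show the same gap.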
@@ -23,10 +24,27 @@ "info" ] }, + "@timestamp": "2023-09-21T04:56:21.548000Z", "cloud": { "provider": "locations pharmaceutical aa", "region": "card heroes blogging" }, + "file": { + "directory": "cartoon watershed viewers/magazine.xls", + "mtime": "2023-09-21T04:56:21.548000Z", + "name": "syntax.dds", + "path": "cartoon watershed viewers/magazine.xls/syntax.dds", + "type": "Symbolic Link" + }, + "host": { + "hostname": "founded.pro", + "id": "19e7faee-61aa-11ee-a8f6-0242ac110005", + "ip": [ + "81.2.69.142" + ], + "name": "founded.pro", + "type": "IOT" + }, "ocsf": { "activity_id": 2, "activity_name": "Unload", @@ -224,6 +242,63 @@ "timezone_offset": 26, "type_name": "Kernel Extension Activity: Unload", "type_uid": "100202" + }, + "process": { + "command_line": "quest flashers qualifying", + "entity_id": "19e85aa2-61aa-11ee-9863-0242ac110005", + "name": "Complete", + "parent": { + "command_line": "mere tft rules", + "end": "2023-09-21T04:56:21.548000Z", + "entity_id": "19e86420-61aa-11ee-92e5-0242ac110005", + "name": "Fuzzy", + "pid": 7, + "start": "2023-09-21T04:56:21.548000Z" + }, + "pid": 50, + "user": { + "domain": "settle most mf", + "full_name": "Fae Brendan", + "group": { + "id": [], + "name": [] + }, + "id": [ + "19e84346-61aa-11ee-82b4-0242ac110005" + ], + "name": "Pursue" + } + }, + "related": { + "hosts": [ + "founded.pro" + ], + "ip": [ + "81.2.69.142" + ], + "user": [ + "Fellowship" + ] + }, + "threat": { + "technique": { + "id": [ + "T1026", + "T1111" + ], + "name": [ + "Multiband Communication", + "Two-Factor Authentication Interception" + ] + } + }, + "user": { + "group": { + "id": [], + "name": [] + }, + "id": "19e97d92-61aa-11ee-b56a-0242ac110005", + "name": "Fellowship" } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_system_activity_3.json b/OCSF/ocsf/tests/test_system_activity_3.json index 291570a4f..da1832f95 100644 --- a/OCSF/ocsf/tests/test_system_activity_3.json +++ b/OCSF/ocsf/tests/test_system_activity_3.json 
@@ -16,6 +16,7 @@ "driver" ], "duration": 24000000, + "kind": "event", "outcome": "success", "provider": "any alexander rolling", "severity": 3, @@ -23,11 +24,39 @@ "info" ] }, + "@timestamp": "2023-10-03T05:19:09.440241Z", "cloud": { "availability_zone": "friend drops those", "provider": "newman banned showcase", "region": "realized remarkable accompanied" }, + "container": { + "id": "61927746-61ac-11ee-b13c-0242ac110005", + "image": { + "name": "ac tcp helen" + }, + "name": "transaction titans lucky", + "runtime": "justify red wit" + }, + "file": { + "directory": "cigarette until wc/ls.c", + "name": "word.drv", + "path": "cigarette until wc/ls.c/word.drv", + "size": 2389716033, + "type": "Unknown" + }, + "host": { + "hostname": "indexes.jobs", + "id": "619223f4-61ac-11ee-9c42-0242ac110005", + "ip": [ + "81.2.69.142" + ], + "name": "indexes.jobs", + "risk": { + "static_level": "familiar motorcycles wild" + }, + "type": "Browser" + }, "ocsf": { "activity_id": 1, "activity_name": "Create", 
@@ -269,6 +298,80 @@ "timezone_offset": 54, "type_name": "Kernel Activity: Create", "type_uid": "100301" + }, + "process": { + "command_line": "fy believed resolutions", + "entity_id": "6192707a-61ac-11ee-ac88-0242ac110005", + "name": "Covering", + "parent": { + "command_line": "volunteer trustees tax", + "entity_id": "6192ac3e-61ac-11ee-a0ed-0242ac110005", + "name": "Elect", + "start": "2023-09-21T04:56:21.548000Z", + "user": { + "group": { + "id": [], + "name": [] + }, + "id": [ + "6192a298-61ac-11ee-a78f-0242ac110005" + ] + } + }, + "pid": 91, + "start": "2023-09-21T04:56:21.548000Z", + "thread": { + "id": 36 + }, + "user": { + "full_name": "Winifred Idell", + "group": { + "id": [], + "name": [] + }, + "id": [ + "6192672e-61ac-11ee-a3c0-0242ac110005" + ], + "name": "Beth" + } + }, + "related": { + "hosts": [ + "indexes.jobs" + ], + "ip": [ + "81.2.69.142" + ], + "user": [ + "Affect" + ] + }, + "sekoiaio": { + "intake": { + "parsing_warnings": [ + "Cannot set field 'container.labels' with given definition in stage 'pipeline_object_actor'. Cannot convert value in field 'container.labels' to type 'dict'" + ] + } + }, + "threat": { + "technique": { + "id": [ + "T1003.004", + "T1565" + ], + "name": [ + "Data Manipulation", + "LSA Secrets" + ] + } + }, + "user": { + "group": { + "id": [], + "name": [] + }, + "id": "6193a4e0-61ac-11ee-9d49-0242ac110005", + "name": "Affect" } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_system_activity_4.json b/OCSF/ocsf/tests/test_system_activity_4.json index 4ece12b69..28eab8906 100644 --- a/OCSF/ocsf/tests/test_system_activity_4.json +++ b/OCSF/ocsf/tests/test_system_activity_4.json 
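Review bot: This hunk bakes a `sekoiaio.intake.parsing_warnings` entry ("Cannot set field 'container.labels' … to type 'dict'") into the expected output, which turns a mapping failure in `pipeline_object_actor` into a passing test and ships the event without its container labels. The raw messages on this page carry `labels` as an array of strings (see the `image.labels` value in the test_system_activity_4 message), which is presumably the shape that fails the dict conversion, while ECS defines `container.labels` as an object. The same commit removed the analogous `destination.geo.location` warning from test_network_activity_4 by fixing the mapping rather than the expectation; `container.labels` deserves the same treatment — either convert the array into a key/value object or route it to a keyword field — and the warning should then disappear from this fixture. Until the parser is fixed, a comment in the test harness stating that the warning is expected would at least keep the gap visible.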
@@ -12,10 +12,14 @@ "message": "{\"message\": \"door lotus aol\", \"time\": 1695272181548, \"device\": {\"name\": \"repeated sip distance\", \"type\": \"Server\", \"location\": {\"desc\": \"Taiwan\", \"city\": \"Stephanie hence\", \"country\": \"TW\", \"coordinates\": [161.2949, 22.9251], \"continent\": \"Asia\"}, \"hostname\": \"phd.nato\", \"uid\": \"f450d454-61ae-11ee-b232-0242ac110005\", \"image\": {\"name\": \"leader mind compliant\", \"uid\": \"f450e20a-61ae-11ee-959b-0242ac110005\"}, \"org\": {\"name\": \"gratuit book virtually\", \"uid\": \"f4507856-61ae-11ee-b34b-0242ac110005\", \"ou_name\": \"profit plug fioricet\"}, \"type_id\": 1, \"created_time\": 1695272181548, \"first_seen_time\": 1695272181548, \"instance_uid\": \"f450c02c-61ae-11ee-a04e-0242ac110005\", \"interface_name\": \"adaptive survivor nickname\", \"interface_uid\": \"f450dada-61ae-11ee-9e5c-0242ac110005\", \"is_trusted\": false, \"last_seen_time\": 1695272181548, \"region\": \"debut instruments alphabetical\", \"risk_level\": \"thomson shanghai foreign\", \"subnet_uid\": \"f450b6fe-61ae-11ee-aa6c-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"asbestos settings medication\", \"version\": \"1.0.0\", \"uid\": \"f4506410-61ae-11ee-a485-0242ac110005\", \"feature\": {\"name\": \"wish quest practitioners\", \"version\": \"1.0.0\", \"uid\": \"f4506a32-61ae-11ee-a6bb-0242ac110005\"}, \"lang\": \"en\", \"vendor_name\": \"evaluations belly reception\"}, \"sequence\": 35, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"trademarks wishing accreditation\", \"log_provider\": \"manual equivalent detroit\", \"logged_time\": 1695272181548, \"original_time\": \"protection velvet propose\"}, \"severity\": \"Critical\", \"api\": {\"request\": {\"uid\": \"f45046ce-61ae-11ee-8a1b-0242ac110005\"}, \"response\": {\"error\": \"dash knife stable\", \"code\": 99, \"message\": \"julian peninsula bought\", \"error_message\": 
\"delaware genetic purple\"}, \"operation\": \"appraisal disappointed iraqi\"}, \"disposition\": \"Deleted\", \"type_name\": \"Memory Activity: Allocate Page\", \"activity_id\": 1, \"disposition_id\": 5, \"type_uid\": 100401, \"category_name\": \"System Activity\", \"class_uid\": 1004, \"category_uid\": 1, \"class_name\": \"Memory Activity\", \"timezone_offset\": 26, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}], \"technique\": {\"name\": \"Additional Cloud Credentials\", \"uid\": \"T1098.001\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.\", \"uid\": \"TA0040\"}, {\"name\": \"Command and Control The adversary is trying to communicate with compromised systems to control them.\", \"uid\": \"TA0011\"}], \"technique\": {\"name\": \"Credentials in Registry\", \"uid\": \"T1214\"}}], \"activity_name\": \"Allocate Page\", \"actor\": {\"process\": {\"name\": \"Quad\", \"pid\": 76, \"file\": {\"name\": \"tenant.prf\", \"type\": \"Symbolic Link\", \"path\": \"daisy bullet expectations/speakers.fon/tenant.prf\", \"type_id\": 7, \"company_name\": \"Hue Marcelina\", \"parent_folder\": \"daisy bullet expectations/speakers.fon\", \"confidentiality\": \"Not Confidential\", \"confidentiality_id\": 1, \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"D593DAFEC471B60EC788CAF95AEB0DBE9F1AF56F9741565D96CEB84FF7C0AB18B97E298266E585A9FE82C4F85EE020C4B4BD974B54373088F0D1ACE2022CE17D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"4F227649B2E932AED413A05B69BAA35D\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"modified_time\": 1695272181548, \"modified_time_dt\": \"2023-10-03T05:37:34.691274Z\"}, \"user\": {\"name\": \"Utc\", \"type\": \"User\", \"uid\": \"f45ba8fc-61ae-11ee-883d-0242ac110005\", \"type_id\": 1, \"full_name\": 
\"Carin Otha\", \"email_addr\": \"Mireille@associate.mobi\"}, \"uid\": \"f45baed8-61ae-11ee-95e3-0242ac110005\", \"cmd_line\": \"stick strength suffered\", \"container\": {\"name\": \"sp finger reductions\", \"size\": 1112406887, \"tag\": \"dish acc interpretation\", \"uid\": \"f45bb5c2-61ae-11ee-b166-0242ac110005\", \"image\": {\"name\": \"leaves mounted something\", \"uid\": \"f45bbbe4-61ae-11ee-9bd8-0242ac110005\"}, \"hash\": {\"value\": \"0C2DC99EB913832DEE1E00AC1C121596D14346E7971CAF8B9873BA2BB862C4070FDD33F21558BA3B264A80A7B15D1722F1B3603C0858D1247E4359752B166BCC\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, \"network_driver\": \"arizona knight karl\", \"orchestrator\": \"integral economics gc\"}, \"created_time\": 1695272181548, \"namespace_pid\": 50, \"parent_process\": {\"name\": \"Trout\", \"pid\": 61, \"file\": {\"name\": \"download.pptx\", \"type\": \"Regular File\", \"path\": \"qld four roulette/sticker.dwg/download.pptx\", \"desc\": \"vs in contamination\", \"type_id\": 1, \"parent_folder\": \"qld four roulette/sticker.dwg\", \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"value\": \"64188A2F3AF0E7C7E83F429137D1F51F574286F7\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"7C12BD84ACFCEACC8A756BE13D08AF2B1EC193C5411C64B85380EEEC0B1B41F7\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"modified_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.692393Z\", \"accessed_time_dt\": \"2023-10-03T05:37:34.692401Z\"}, \"user\": {\"name\": \"Presidential\", \"type\": \"User\", \"uid\": \"f45bd110-61ae-11ee-b7e4-0242ac110005\", \"org\": {\"name\": \"setup stolen unexpected\", \"uid\": \"f45bd82c-61ae-11ee-9e57-0242ac110005\", \"ou_name\": \"iceland threats webcast\"}, \"type_id\": 1, \"full_name\": \"Rosamaria Mckenzie\", \"credential_uid\": \"f45bdcd2-61ae-11ee-a554-0242ac110005\"}, \"uid\": \"f45be042-61ae-11ee-a467-0242ac110005\", \"cmd_line\": \"red beaches fi\", \"container\": 
{\"name\": \"dispatch ste exist\", \"uid\": \"f45be5ba-61ae-11ee-88ce-0242ac110005\", \"image\": {\"name\": \"third aged kurt\", \"uid\": \"f45bebfa-61ae-11ee-bf2c-0242ac110005\"}, \"hash\": {\"value\": \"23ABACC1EF47F49C2387DDF45E9C424754AB96A8A4DED29732E05CA4192D028D05F263525EFEB4BBAFD7ECE02D2821858C8F39BADB5B11151131D82A3D8596FA\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695272181548, \"namespace_pid\": 31, \"parent_process\": {\"pid\": 98, \"file\": {\"name\": \"mins.srt\", \"type\": \"Regular File\", \"path\": \"risks rendering meal/surf.pages/mins.srt\", \"signature\": {\"certificate\": {\"subject\": \"lindsay symptoms gel\", \"issuer\": \"agency covers tested\", \"fingerprints\": [{\"value\": \"5F3258EAA1979A8BE0323FCD83F87741B9046FD02DFEDB63CC5E8BBEC47C85C9\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"fool aye tears\"}, \"algorithm\": \"Authenticode\", \"algorithm_id\": 4}, \"product\": {\"name\": \"morocco steam contractors\", \"uid\": \"f45bff78-61ae-11ee-94d1-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"myrtle wn view\"}, \"type_id\": 1, \"parent_folder\": \"risks rendering meal/surf.pages\", \"hashes\": [{\"value\": \"A98DE8AD923CB627EA1CDCCD5CF7356C\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"modified_time_dt\": \"2023-10-03T05:37:34.693818Z\", \"created_time_dt\": \"2023-10-03T05:37:34.693827Z\", \"accessed_time_dt\": \"2023-10-03T05:37:34.693831Z\"}, \"user\": {\"type\": \"Unknown\", \"uid\": \"f45c0b9e-61ae-11ee-9f3b-0242ac110005\", \"type_id\": 0, \"full_name\": \"Marry Dia\", \"email_addr\": \"Lilliana@ability.edu\"}, \"tid\": 86, \"session\": {\"uid\": \"f45c1288-61ae-11ee-ab6a-0242ac110005\", \"uuid\": \"f45c160c-61ae-11ee-b9ea-0242ac110005\", \"issuer\": \"spec gambling separated\", \"created_time\": 1695272181548, \"credential_uid\": \"f45c1a1c-61ae-11ee-85ba-0242ac110005\", \"is_remote\": false, 
\"expiration_time_dt\": \"2023-10-03T05:37:34.694457Z\", \"created_time_dt\": \"2023-10-03T05:37:34.694465Z\"}, \"container\": {\"name\": \"pest fought calibration\", \"runtime\": \"violation card logged\", \"size\": 1513188610, \"uid\": \"f45c2426-61ae-11ee-9c9d-0242ac110005\", \"image\": {\"name\": \"stripes excerpt baptist\", \"uid\": \"f45c2962-61ae-11ee-8549-0242ac110005\"}, \"hash\": {\"value\": \"5D7318303179149862E7825F7F1712F9E8045CDC54401C79C269DD068E20EA5D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, \"orchestrator\": \"walt truly susan\", \"pod_uuid\": \"techno\"}, \"namespace_pid\": 49, \"parent_process\": {\"name\": \"Telling\", \"pid\": 43, \"file\": {\"name\": \"asked.htm\", \"owner\": {\"name\": \"Initiatives\", \"type\": \"Unknown\", \"domain\": \"voyeurweb strip groove\", \"type_id\": 0, \"full_name\": \"Lynnette Brooke\"}, \"type\": \"Symbolic Link\", \"path\": \"brakes bugs inquire/blogging.ics/asked.htm\", \"signature\": {\"digest\": {\"value\": \"522CB2274A0D096C0F94307F55DB6E9D63211626E8BED23C3C8721CA612F28681D4E0202C137F40265FCAAD0EFE6A9BD02E0CF8323BAF52EFE09FF298791B18D\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"fetish converter communicate\", \"issuer\": \"conclusions medicines exception\", \"fingerprints\": [{\"value\": \"F74C6AF46A78BECB2F1BD3F95BBD5858\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"43F66E6B6CBAF53CC520E58EC65805EC62FA04119845AC53816DA9F36F525AC65E3D7D92BED0351865836C0E97D63184282A5FEDC9AF2E914C6F9B349CB835F0\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"legal grant module\", \"expiration_time_dt\": \"2023-10-03T05:37:34.695275Z\", \"created_time_dt\": \"2023-10-03T05:37:34.695282Z\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2, \"created_time_dt\": \"2023-10-03T05:37:34.695288Z\"}, \"uid\": \"f45c3f9c-61ae-11ee-9d0c-0242ac110005\", 
\"type_id\": 7, \"accessor\": {\"name\": \"Review\", \"type\": \"Admin\", \"uid\": \"f45c480c-61ae-11ee-acd3-0242ac110005\", \"groups\": [{\"name\": \"holder outstanding vatican\", \"uid\": \"f45c4fe6-61ae-11ee-92f7-0242ac110005\"}, {\"name\": \"conducted egypt siemens\", \"type\": \"rent divine winston\", \"uid\": \"f45c5446-61ae-11ee-9f91-0242ac110005\"}], \"type_id\": 2}, \"creator\": {\"type\": \"availability\", \"uid\": \"f45c601c-61ae-11ee-a457-0242ac110005\", \"groups\": [{\"name\": \"usually gained erotica\", \"uid\": \"f45c65d0-61ae-11ee-b6a8-0242ac110005\"}], \"type_id\": 99}, \"parent_folder\": \"brakes bugs inquire/blogging.ics\", \"hashes\": [{\"value\": \"5FA7429271BF14C077FFD905562FF00BA03D0E577EBDE842D181A43F83B98C5611220439195D98F47BB4838632D59E533816344E1DF7DB00271120083235ABCA\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Duck\", \"type\": \"Admin\", \"uid\": \"f45c6dd2-61ae-11ee-9f94-0242ac110005\", \"type_id\": 2}, \"uid\": \"f45c71a6-61ae-11ee-9f7b-0242ac110005\", \"cmd_line\": \"montana introductory ratings\", \"container\": {\"name\": \"strings provided foster\", \"runtime\": \"accidents usda suit\", \"uid\": \"f45c77be-61ae-11ee-8b06-0242ac110005\", \"image\": {\"name\": \"resources albums born\", \"uid\": \"f45c7e4e-61ae-11ee-955d-0242ac110005\"}, \"hash\": {\"value\": \"AB2620F9B7154D9F9DC1B3C2D949D85D595FE77F45411B3DBE6E5B47DA564177\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695272181548, \"lineage\": [\"copies would makeup\"], \"namespace_pid\": 88, \"parent_process\": {\"name\": \"Brandon\", \"pid\": 45, \"file\": {\"name\": \"instructions.tif\", \"size\": 2331416290, \"type\": \"Unknown\", \"path\": \"passwords floral edition/roland.gif/instructions.tif\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"underwear chancellor basic\", \"issuer\": \"strengths enlarge sorry\", \"fingerprints\": [{\"value\": 
\"0BB55CC45379DA535A05A8EDE44DF854F408971928C66528377DA784038293CF\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"D8EAE8212E2ED885C71F4117E0C39374\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"neon ban suse\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"developer_uid\": \"f45c9208-61ae-11ee-9a72-0242ac110005\"}, \"desc\": \"goto egyptian throw\", \"type_id\": 0, \"parent_folder\": \"passwords floral edition/roland.gif\", \"hashes\": [{\"value\": \"6D856108BBB655CE760736415EE23ECE1B8FCEE045C992B3A971D31ED454BFAD53DE388CBE3FFDE1EF1A4258DDD307E4DAAD413389F51A42155B5F334C9243A4\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"6163CDC7962473142ADF6DA1E4C2B6DB26C7391242E8BBD4EE04661FEC7DF2C941477A0394334EEE5002B17ED4164502FEE4342047E61B7F299B5C98BE241602\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Manufacturing\", \"type\": \"united\", \"uid\": \"f45ca0ea-61ae-11ee-8476-0242ac110005\", \"org\": {\"name\": \"way pros ddr\", \"uid\": \"f45cafa4-61ae-11ee-af8c-0242ac110005\", \"ou_name\": \"reliability poultry devices\"}, \"type_id\": 99, \"full_name\": \"Livia Ji\", \"account\": {\"name\": \"pen favors essential\", \"type\": \"AWS Account\", \"uid\": \"f45cb6ac-61ae-11ee-89fb-0242ac110005\", \"type_id\": 10}, \"credential_uid\": \"f45cba58-61ae-11ee-8137-0242ac110005\", \"email_addr\": \"Moira@upset.nato\"}, \"uid\": \"f45cc066-61ae-11ee-b149-0242ac110005\", \"cmd_line\": \"trembl reverse constantly\", \"container\": {\"name\": \"strain outputs perceived\", \"uid\": \"f45cc660-61ae-11ee-8e56-0242ac110005\", \"image\": {\"name\": \"saturn cincinnati productivity\", \"path\": \"harrison typical operations\", \"uid\": \"f45ccb74-61ae-11ee-9ef0-0242ac110005\"}, \"hash\": {\"value\": 
\"5F69DE08EF1B52810A2E555253B2561BF4E27E0CF557FEB7502CAD51FCA3AC3B923994EC15B91A6E29CCD01AED752264DCA40FCF45DDB4B47C42836B57984513\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, \"pod_uuid\": \"ontario\"}, \"created_time\": 1695272181548, \"namespace_pid\": 48, \"parent_process\": {\"pid\": 43, \"file\": {\"name\": \"gothic.m3u\", \"owner\": {\"name\": \"Strengthening\", \"type\": \"pentium\", \"uid\": \"f45cdaba-61ae-11ee-ba9e-0242ac110005\", \"org\": {\"name\": \"wed mpeg mortality\", \"uid\": \"f45cdfd8-61ae-11ee-9701-0242ac110005\", \"ou_name\": \"penny automatically tops\"}, \"groups\": [{\"type\": \"britain touch corporations\", \"uid\": \"f45ce500-61ae-11ee-ae50-0242ac110005\"}], \"type_id\": 99, \"uid_alt\": \"developed drinks university\"}, \"type\": \"Block Device\", \"path\": \"dod emirates promote/knitting.vob/gothic.m3u\", \"signature\": {\"digest\": {\"value\": \"7243F8BE75253AFBADF7477867021F8B\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"tractor bag coleman\", \"issuer\": \"formation mixer sullivan\", \"fingerprints\": [{\"value\": \"741DD1242DF463E4748B3F29D59B2CDB444A2B723C098FCD8A61CFF3A2531A1EBEB1D42A7AD9A444FA8D89DC6A11F741547C10080B44BED739B5D0CDC993B842\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"C4824AE8BB216F860CA4CD45F979A59088DD132DF0BFA0EC613752EF4A2EE45E\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"ser rna serves\"}, \"algorithm\": \"supreme\", \"algorithm_id\": 99}, \"type_id\": 4, \"creator\": {\"name\": \"Catalog\", \"type\": \"System\", \"uid\": \"f45cf144-61ae-11ee-a33b-0242ac110005\", \"groups\": [{\"uid\": \"f45d004e-61ae-11ee-8d39-0242ac110005\"}, {\"name\": \"chairs leisure institution\", \"uid\": \"f45d05e4-61ae-11ee-99f9-0242ac110005\"}], \"type_id\": 3}, \"parent_folder\": \"dod emirates promote/knitting.vob\", \"security_descriptor\": 
\"retention changing science\", \"xattributes\": {}}, \"user\": {\"name\": \"Opt\", \"type\": \"Unknown\", \"domain\": \"funky valentine attached\", \"uid\": \"f45d1192-61ae-11ee-805a-0242ac110005\", \"type_id\": 0}, \"uid\": \"f45d16ba-61ae-11ee-b515-0242ac110005\", \"cmd_line\": \"reductions transfer kyle\", \"created_time\": 1695272181548, \"integrity\": \"guys thus beads\", \"namespace_pid\": 82, \"parent_process\": {\"name\": \"Friends\", \"pid\": 7, \"user\": {\"name\": \"Overall\", \"type\": \"Admin\", \"uid\": \"f45d2c18-61ae-11ee-8f99-0242ac110005\", \"org\": {\"name\": \"antique crawford mug\", \"uid\": \"f45d3226-61ae-11ee-b3e9-0242ac110005\", \"ou_name\": \"maximize tx tide\"}, \"type_id\": 2, \"credential_uid\": \"f45d3654-61ae-11ee-a013-0242ac110005\", \"uid_alt\": \"areas attachment guy\"}, \"uid\": \"f45d3a46-61ae-11ee-89e2-0242ac110005\", \"cmd_line\": \"trails washer home\", \"container\": {\"name\": \"requested divx inspector\", \"size\": 648398402, \"uid\": \"f45d3faa-61ae-11ee-95d3-0242ac110005\", \"image\": {\"name\": \"equation modular saver\", \"uid\": \"f45d4bb2-61ae-11ee-98af-0242ac110005\", \"labels\": [\"malaysia\", \"tough\"]}, \"hash\": {\"value\": \"68C9913042346CAD7F9FABEBF901C5DBBE49BEAFFE6CDBF271C0CD6F2363033A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}}, \"created_time\": 1695272181548, \"lineage\": [\"married funded elections\", \"liquid geek cal\"], \"namespace_pid\": 2, \"parent_process\": {\"name\": \"Warnings\", \"pid\": 59, \"file\": {\"name\": \"manner.app\", \"type\": \"Folder\", \"version\": \"1.0.0\", \"path\": \"turn available mighty/grocery.tax2016/manner.app\", \"desc\": \"starting invasion flame\", \"type_id\": 2, \"company_name\": \"Myrl Ilana\", \"parent_folder\": \"turn available mighty/grocery.tax2016\", \"hashes\": [{\"value\": \"2FF592449E1B208D2349421A0E142A80E875518AA0C20FF64D3610AB6830DD78BF8980FD7F211369C267D93464D86327F78FA84CEDB14D9210655D931C34F7BA\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, 
{\"value\": \"A2349F07A5DCE2F05BB0C656C6DEA195972A5C01A7B5DA65FEC562FE2C229B6B5B6930E7613E6323D8F52E25C3E76F85EBED522B17F8EB673C263A290FD26BB7\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"created_time_dt\": \"2023-10-03T05:37:34.702607Z\"}, \"user\": {\"name\": \"Dis\", \"type\": \"Unknown\", \"uid\": \"f45d6034-61ae-11ee-9b9d-0242ac110005\", \"groups\": [{\"name\": \"gamecube sunday foster\", \"uid\": \"f45d6750-61ae-11ee-bb59-0242ac110005\", \"privileges\": [\"ceiling pulling chapter\", \"advise lung transparent\"]}, {\"name\": \"skins korea bubble\", \"type\": \"annie rn pot\", \"uid\": \"f45d710a-61ae-11ee-a1f1-0242ac110005\", \"privileges\": [\"harbor syracuse quantities\"]}], \"type_id\": 0, \"account\": {\"name\": \"cycles beast pierce\", \"type\": \"Azure AD Account\", \"uid\": \"f45d7e20-61ae-11ee-9be4-0242ac110005\", \"type_id\": 6}}, \"tid\": 63, \"uid\": \"f45d835c-61ae-11ee-a0b4-0242ac110005\", \"cmd_line\": \"guided spine purple\", \"container\": {\"name\": \"diffs dead mechanical\", \"size\": 1480676944, \"tag\": \"cheers cancer russian\", \"uid\": \"f45d8ab4-61ae-11ee-a07b-0242ac110005\", \"hash\": {\"value\": \"10E86C6514D40F2A3E861B31847340EE8C8ED181029A17B042F137121D28863E\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, \"orchestrator\": \"piano sims editors\", \"pod_uuid\": \"danish\"}, \"created_time\": 1695272181548, \"lineage\": [\"at residential ceo\"], \"namespace_pid\": 67, \"parent_process\": {\"name\": \"Hamilton\", \"pid\": 38, \"file\": {\"name\": \"basename.mpg\", \"size\": 2270854617, \"type\": \"Folder\", \"path\": \"general required suspect/commentary.jar/basename.mpg\", \"modifier\": {\"name\": \"Lopez\", \"type\": \"Admin\", \"uid\": \"f45da012-61ae-11ee-8601-0242ac110005\", \"type_id\": 2}, \"type_id\": 2, \"parent_folder\": \"general required suspect/commentary.jar\", \"accessed_time\": 1695272181548, \"confidentiality\": \"fear browsers television\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": 
\"3B0173ED99A820AB5188A16998FBC2E1957424B5E1E2DB85F6F1F8CAFAE691070EE54DC314BDF2983F9A2CE57CF6E378ABB2AEDB0DA772B4626469F1363D4782\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.704513Z\", \"accessed_time_dt\": \"2023-10-03T05:37:34.704522Z\"}, \"cmd_line\": \"lists accredited manufacture\", \"created_time\": 1695272181548, \"integrity\": \"disclosure insert americans\", \"namespace_pid\": 16, \"parent_process\": {\"pid\": 26, \"file\": {\"name\": \"mitsubishi.zip\", \"type\": \"way\", \"path\": \"premium accommodation showtimes/prisoner.deskthemepack/mitsubishi.zip\", \"type_id\": 99, \"parent_folder\": \"premium accommodation showtimes/prisoner.deskthemepack\", \"accessed_time\": 1695272181548, \"confidentiality\": \"applications\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"AC3F2D226D9EFC7934195793B402CBBC13E2736E205E59735FD07CE424B1FB37\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"BD1DC345B2C39E8DADCDA520CC809F96FFC8413DD1169269D5E02AE412E1297111E2A26660902A783337A5D4C0D0C9FEBCCBB0C0AED91F2BFA2CCF4845056AAB\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695272181548, \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.704809Z\"}, \"user\": {\"name\": \"Cardiovascular\", \"type\": \"Unknown\", \"uid\": \"f45db58e-61ae-11ee-b50c-0242ac110005\", \"type_id\": 0, \"uid_alt\": \"sn exception got\"}, \"container\": {\"name\": \"praise britannica rev\", \"uid\": \"f45dc254-61ae-11ee-b035-0242ac110005\", \"image\": {\"name\": \"conducted takes renewable\", \"uid\": \"f45dc7b8-61ae-11ee-9630-0242ac110005\"}, \"hash\": {\"value\": \"5DF4BFECA632B9BD1D11E5E5D9549CF30B4849A4C815894151C865C80E13E3D0DE949759C7E1AEE233D178AD52E3AE2E93D99AEA0D993ED5DCE67E03E1578823\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695272181548, \"integrity\": \"times entities fx\", \"namespace_pid\": 98, \"parent_process\": 
{\"name\": \"Forecasts\", \"pid\": 17, \"file\": {\"name\": \"hockey.part\", \"type\": \"Symbolic Link\", \"version\": \"1.0.0\", \"path\": \"seafood tape distant/physically.mdf/hockey.part\", \"uid\": \"f45dd3d4-61ae-11ee-9986-0242ac110005\", \"type_id\": 7, \"parent_folder\": \"seafood tape distant/physically.mdf\", \"hashes\": [{\"value\": \"0D3045A301A866174DD910C13E50427CB610EAD22A8523650B444E52FF16941B\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"BEE38FBC71DC4377BEF693AF6C11F462AC065BD6\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}]}, \"user\": {\"name\": \"Requires\", \"type\": \"User\", \"uid\": \"f45de0e0-61ae-11ee-88a9-0242ac110005\", \"type_id\": 1, \"credential_uid\": \"f45de554-61ae-11ee-bc44-0242ac110005\", \"uid_alt\": \"monica includes treating\"}, \"uid\": \"f45de978-61ae-11ee-af82-0242ac110005\", \"cmd_line\": \"insulation else evidence\", \"container\": {\"name\": \"dv cst mug\", \"size\": 2782839574, \"uid\": \"f45deefa-61ae-11ee-95f2-0242ac110005\", \"image\": {\"name\": \"olympus present empirical\", \"uid\": \"f45df3a0-61ae-11ee-ae83-0242ac110005\"}, \"hash\": {\"value\": \"E272B1A204600DF6B8A987C8FB851C7EF2AA8596CF158120722E5966F20081F5\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, \"orchestrator\": \"internationally correct examining\"}, \"created_time\": 1695272181548, \"integrity\": \"involvement hk speaking\", \"namespace_pid\": 56, \"parent_process\": {\"name\": \"Heath\", \"pid\": 26, \"user\": {\"name\": \"Qualities\", \"type\": \"System\", \"uid\": \"f45e00c0-61ae-11ee-b4f1-0242ac110005\", \"type_id\": 3, \"account\": {\"name\": \"engines robot c\", \"uid\": \"f45e05fc-61ae-11ee-bdef-0242ac110005\"}, \"uid_alt\": \"pathology ordinary ep\"}, \"cmd_line\": \"collapse tan demo\", \"container\": {\"name\": \"matters sophisticated hampshire\", \"size\": 277669091, \"uid\": \"f45e0b7e-61ae-11ee-9c4e-0242ac110005\", \"image\": {\"name\": \"pty dramatic measure\", \"uid\": 
\"f45e1452-61ae-11ee-93ff-0242ac110005\"}, \"hash\": {\"value\": \"7CFCBD1C1575DD7EAE454F18B9267188\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, \"orchestrator\": \"earned accountability todd\"}, \"created_time\": 1695272181548, \"integrity\": \"Protected\", \"integrity_id\": 6, \"namespace_pid\": 36, \"parent_process\": {\"name\": \"Special\", \"pid\": 39, \"user\": {\"name\": \"Mice\", \"type\": \"scoring\", \"uid\": \"f45e1f4c-61ae-11ee-bd4f-0242ac110005\", \"type_id\": 99}, \"cmd_line\": \"rubber taxi deployment\", \"container\": {\"name\": \"insulin never metabolism\", \"size\": 2875863087, \"uid\": \"f45e2532-61ae-11ee-b4f8-0242ac110005\", \"image\": {\"name\": \"phantom participant employee\", \"uid\": \"f45e29ec-61ae-11ee-b755-0242ac110005\"}, \"hash\": {\"value\": \"19EA5DD6F7D4532CE968933056B2150CB38D84FBEA07A9B1E71EE7388D9EAD136AFB55A16621065CA950B550FAA589C7E77583279DE84B3C958B13C9BA731D69\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"pod_uuid\": \"luxury\"}, \"created_time\": 1695272181548, \"integrity\": \"Protected\", \"integrity_id\": 6, \"namespace_pid\": 45, \"parent_process\": {\"pid\": 65, \"file\": {\"name\": \"message.exe\", \"owner\": {\"name\": \"Vegas\", \"type\": \"Unknown\", \"domain\": \"existence see evans\", \"org\": {\"name\": \"super rolling importantly\", \"uid\": \"f45e40bc-61ae-11ee-9f84-0242ac110005\", \"ou_uid\": \"f45e44ea-61ae-11ee-af1f-0242ac110005\"}, \"groups\": [{\"name\": \"careers fixes kai\", \"desc\": \"highways cheat summary\", \"uid\": \"f45e4da0-61ae-11ee-8ce5-0242ac110005\"}, {\"name\": \"past affiliate london\", \"type\": \"exclusion cleaners mart\", \"uid\": \"f45e51c4-61ae-11ee-af56-0242ac110005\"}], \"type_id\": 0, \"account\": {\"name\": \"tradition surfaces classification\", \"type\": \"AWS IAM Role\", \"uid\": \"f45e5af2-61ae-11ee-8e43-0242ac110005\", \"type_id\": 4}}, \"type\": \"mozilla\", \"path\": \"brunette symbol poem/weekends.htm/message.exe\", \"uid\": 
\"f45e5fa2-61ae-11ee-9642-0242ac110005\", \"type_id\": 99, \"parent_folder\": \"brunette symbol poem/weekends.htm\", \"confidentiality\": \"watson\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"EC04A154DEAC2F7D6C2C939EA992222061F58A10BD334C6D45E3B9B3BC538985107E3B32A6CA567C7B5C6F8F0D857459E5DDC11A97318AC1AEA8A2461B955401\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"6E170831A56B3AFDAFF2E0614B1495541FDE0CA37B2F9EBCB6D5225A0CADE66CC1E6AD525CAFDD363EAA50505FD613EDBD5C1B4D703D34702968D3AE7E09037C\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time_dt\": \"2023-10-03T05:37:34.709399Z\", \"created_time_dt\": \"2023-10-03T05:37:34.709410Z\", \"accessed_time_dt\": \"2023-10-03T05:37:34.709414Z\"}, \"user\": {\"type\": \"Unknown\", \"uid\": \"f45e68d0-61ae-11ee-a6d3-0242ac110005\", \"type_id\": 0, \"full_name\": \"Rosamaria Norberto\", \"account\": {\"name\": \"wireless trains wave\", \"type\": \"Linux Account\", \"uid\": \"f45e6eb6-61ae-11ee-9f44-0242ac110005\", \"type_id\": 9}, \"credential_uid\": \"f45e7230-61ae-11ee-a271-0242ac110005\"}, \"uid\": \"f45e7546-61ae-11ee-ab37-0242ac110005\", \"session\": {\"uid\": \"f45e805e-61ae-11ee-90d6-0242ac110005\", \"created_time\": 1695272181548, \"is_remote\": true, \"expiration_time_dt\": \"2023-10-03T05:37:34.710191Z\"}, \"namespace_pid\": 69, \"parent_process\": {\"name\": \"Is\", \"pid\": 14, \"file\": {\"name\": \"ambassador.swf\", \"type\": \"Symbolic Link\", \"path\": \"nickel gui cute/vision.m3u/ambassador.swf\", \"signature\": {\"digest\": {\"value\": \"14B85FA8E87F846F757EACCDA09761641B397F01\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"panic aspects reporting\", \"issuer\": \"hate passive admission\", \"fingerprints\": [{\"value\": \"09958F2F29A975C86F4BC77872179A9E719846A48F2022B36957925999CD31F4A0578A6C18EE8BDC0AEE2F0974FB4647FF2A0BFEA8A1E56877193277A827418F\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], 
\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"promote dirt hindu\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time_dt\": \"2023-10-03T05:37:34.710541Z\"}, \"type_id\": 7, \"company_name\": \"Nicholas Betty\", \"parent_folder\": \"nickel gui cute/vision.m3u\", \"confidentiality\": \"sandwich exhibit ellis\", \"hashes\": [{\"value\": \"4DBD2BB0760D9EBBC2743A91879CCBC04A4837BD467C1F3B4E0850E4D459BC52\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"A5469012CF0415AAE3FFA22840287489C3C57811D0FD29A58C2CD702BC84D59ADC43354994A400CA41F16849414FADE8C6A9889E640F7987FF65EAD837C7D8E4\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.710639Z\"}, \"user\": {\"name\": \"Genres\", \"type\": \"User\", \"uid\": \"f45e9cb0-61ae-11ee-b849-0242ac110005\", \"type_id\": 1, \"full_name\": \"Lucile Apryl\", \"account\": {\"name\": \"saint view max\", \"type\": \"Apple Account\", \"uid\": \"f45ea32c-61ae-11ee-9546-0242ac110005\", \"type_id\": 8}, \"credential_uid\": \"f45ea700-61ae-11ee-bb61-0242ac110005\", \"email_addr\": \"Jeana@drill.web\"}, \"cmd_line\": \"changes sad programmes\", \"container\": {\"size\": 1104975009, \"tag\": \"alexander specs considered\", \"uid\": \"f45eae80-61ae-11ee-8fa9-0242ac110005\", \"image\": {\"name\": \"soap potter browsers\", \"uid\": \"f45eb3bc-61ae-11ee-871c-0242ac110005\"}, \"hash\": {\"value\": \"05521B80BB22220B8B095A94DA44E07951EE15F402F4BD4A050BD0CFFFD6B154\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, \"orchestrator\": \"matches virginia accepts\"}, \"created_time\": 1695272181548, \"namespace_pid\": 49}, \"sandbox\": \"ut metropolitan adjacent\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711553Z\"}, \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.711572Z\"}, \"terminated_time\": 1695272181548, \"terminated_time_dt\": \"2023-10-03T05:37:34.711582Z\"}, \"sandbox\": \"dans ip 
tours\"}, \"terminated_time\": 1695272181548, \"terminated_time_dt\": \"2023-10-03T05:37:34.711596Z\"}, \"created_time_dt\": \"2023-10-03T05:37:34.711602Z\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711606Z\"}, \"terminated_time\": 1695272181548, \"xattributes\": {}}, \"xattributes\": {}}, \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.711634Z\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711638Z\"}, \"sandbox\": \"brunette christ monetary\", \"created_time_dt\": \"2023-10-03T05:37:34.711648Z\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711652Z\"}, \"terminated_time\": 1695272181548}, \"xattributes\": {}}, \"xattributes\": {}}}, \"user\": {\"name\": \"We\", \"type\": \"Admin\", \"uid\": \"f45ec2a8-61ae-11ee-90fc-0242ac110005\", \"org\": {\"name\": \"enquiry hottest creations\", \"uid\": \"f45ecb68-61ae-11ee-824c-0242ac110005\", \"ou_name\": \"reel metals plain\"}, \"type_id\": 2, \"account\": {\"name\": \"intensive flash narrative\", \"type\": \"Windows Account\", \"uid\": \"f45ed32e-61ae-11ee-9aa9-0242ac110005\", \"type_id\": 2}}}, \"actual_permissions\": 14, \"base_address\": \"statements dining gnome\", \"cloud\": {\"project_uid\": \"f4505768-61ae-11ee-89e9-0242ac110005\", \"provider\": \"christian studies pioneer\", \"region\": \"increased competitors sparc\"}, \"severity_id\": 5, \"status_code\": \"registry\", \"time_dt\": \"2023-10-03T05:37:34.712339Z\"}", "event": { "action": "allocate page", + "category": [], + "kind": "event", "provider": "manual equivalent detroit", "sequence": 35, - "severity": 5 + "severity": 5, + "type": [] }, + "@timestamp": "2023-10-03T05:37:34.712339Z", "cloud": { "project": { "id": "f4505768-61ae-11ee-89e9-0242ac110005" 
@@ -23,6 +27,40 @@
 "provider": "christian studies pioneer",
 "region": "increased competitors sparc"
 },
+ "container": {
+ "id": "f45bb5c2-61ae-11ee-b166-0242ac110005",
+ "image": {
+ "name": "leaves mounted something"
+ },
+ "name": "sp finger reductions"
+ },
+ "file": {
+ "created": "2023-09-21T04:56:21.548000Z",
+ "directory": "daisy bullet expectations/speakers.fon",
+ "mtime": "2023-09-21T04:56:21.548000Z",
+ "name": "tenant.prf",
+ "path": "daisy bullet expectations/speakers.fon/tenant.prf",
+ "type": "Symbolic Link"
+ },
+ "host": {
+ "geo": {
+ "city_name": "Stephanie hence",
+ "continent_name": "Asia",
+ "country_iso_code": "TW",
+ "location": {
+ "lat": 22.9251,
+ "lon": 161.2949
+ },
+ "name": "Taiwan"
+ },
+ "hostname": "phd.nato",
+ "id": "f450d454-61ae-11ee-b232-0242ac110005",
+ "name": "phd.nato",
+ "risk": {
+ "static_level": "thomson shanghai foreign"
+ },
+ "type": "Server"
+ },
 "ocsf": {
 "activity_id": 1,
 "activity_name": "Allocate Page",
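Review bot: `file.type` in the expected output is the OCSF display string `"Symbolic Link"`, whereas the ECS `file.type` vocabulary is `file`, `dir` or `symlink`; a rule written against ECS (`file.type: symlink`) would not match this event. The payload carries the numeric `file.type_id` alongside the label (for example `type_id: 7` next to `"Symbolic Link"` in the process tree earlier in this file), which is the safer source to derive a normalized value from, keeping the raw label under the `ocsf.*` namespace if it is still needed. If that mapping is changed in the parser, this line becomes `"type": "symlink"`. The message payload for `tenant.prf` itself lies outside this hunk, so its `type_id` cannot be confirmed here.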
@@ -239,6 +277,74 @@
 "timezone_offset": 26,
 "type_name": "Memory Activity: Allocate Page",
 "type_uid": "100401"
+ },
+ "orchestrator": {
+ "type": "integral economics gc"
+ },
+ "process": {
+ "command_line": "stick strength suffered",
+ "entity_id": "f45baed8-61ae-11ee-95e3-0242ac110005",
+ "name": "Quad",
+ "parent": {
+ "command_line": "red beaches fi",
+ "entity_id": "f45be042-61ae-11ee-a467-0242ac110005",
+ "name": "Trout",
+ "pid": 61,
+ "start": "2023-09-21T04:56:21.548000Z",
+ "user": {
+ "full_name": "Rosamaria Mckenzie",
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": [
+ "f45bd110-61ae-11ee-b7e4-0242ac110005"
+ ],
+ "name": "Presidential"
+ }
+ },
+ "pid": 76,
+ "start": "2023-09-21T04:56:21.548000Z",
+ "user": {
+ "email": "Mireille@associate.mobi",
+ "full_name": "Carin Otha",
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": [
+ "f45ba8fc-61ae-11ee-883d-0242ac110005"
+ ],
+ "name": "Utc"
+ }
+ },
+ "related": {
+ "hosts": [
+ "phd.nato"
+ ],
+ "user": [
+ "We"
+ ]
+ },
+ "threat": {
+ "technique": {
+ "id": [
+ "T1098.001",
+ "T1214"
+ ],
+ "name": [
+ "Additional Cloud Credentials",
+ "Credentials in Registry"
+ ]
+ }
+ },
+ "user": {
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "f45ec2a8-61ae-11ee-90fc-0242ac110005",
+ "name": "We"
 }
 }
 }
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_system_activity_5.json b/OCSF/ocsf/tests/test_system_activity_5.json
index 0d4aeeec3..5676da43f 100644
--- a/OCSF/ocsf/tests/test_system_activity_5.json
+++ b/OCSF/ocsf/tests/test_system_activity_5.json
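Review bot: `related.user` holds only `We`, while the same expected output carries `process.user.name` `Utc` and `process.parent.user.name` `Presidential`; ECS `related.user` is meant to collect every user name present in the event so that one pivot field finds them all. The fixture should expect `"user": ["Presidential", "Utc", "We"]` (in whatever order the parser's related-fields step produces), and that step extended to the process and parent-process users. The `group.id: []` / `group.name: []` pairs under `user`, `process.user` and `process.parent.user` look like the parser emitting empty lists when the source event carries no groups; asserting them here locks in fields that are empty rather than absent, which misleads `exists`-style detection logic, so omitting them is preferable. `process.user.id` and `process.parent.user.id` are also typed as arrays while `user.id` is a scalar, so the same field name has two shapes within one document.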
@@ -12,11 +12,15 @@ "message": "{\"message\": \"menu controller plants\", \"module\": {\"file\": {\"name\": \"expiration.cpl\", \"type\": \"Character Device\", \"path\": \"pleased dip spiritual/corresponding.java/expiration.cpl\", \"product\": {\"name\": \"traveling yea espn\", \"version\": \"1.0.0\", \"uid\": \"8b82966a-61b8-11ee-81c7-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"manhattan better posts\"}, \"type_id\": 3, \"parent_folder\": \"pleased dip spiritual/corresponding.java\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"value\": \"795F2AAA00B0D80F2A50C10902A141A3E0AFE3A4BCE0007F213C21994E6AE528B448F2C2F4BDF6C4E1D0AEA3B8396D40A4395AA9730A77E879848BDB750D6468\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"B8C09AA4F584900FEA2DF3DAFBDAF9F0C6E76095BFDBCCF5F0F748D069D706526380A29574124164B0EDC1B56DD8342FC4BF70467A9B6024D999269A45E2A175\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T06:46:13.753318Z\"}, \"base_address\": \"daughters offshore thehun\", \"load_type\": \"Non Standard\", \"load_type_id\": 2, \"start_address\": \"needs some limit\"}, \"status\": \"Unknown\", \"time\": 1695272181548, \"device\": {\"name\": \"assigned daughters creating\", \"type\": \"frontier\", \"os\": {\"name\": \"extreme oct care\", \"type\": \"Android\", \"build\": \"grave pn resist\", \"country\": \"Cuba, Republic of\", \"type_id\": 201, \"sp_ver\": 3}, \"domain\": \"existence conditional pillow\", \"ip\": \"81.2.69.142\", \"hostname\": \"tiles.name\", \"mac\": \"6C:91:94:13:50:61:2E:D4\", \"groups\": [{\"name\": \"ev terminal meals\", \"uid\": \"8b82bf64-61b8-11ee-a83f-0242ac110005\"}, {\"name\": \"born lasting vitamins\", \"uid\": \"8b82c338-61b8-11ee-bf95-0242ac110005\", \"privileges\": [\"sheets loading representative\"]}], \"type_id\": 99, \"hw_info\": {\"cpu_bits\": 95, \"keyboard_info\": {\"keyboard_subtype\": 47}}, \"hypervisor\": \"fundraising 
kerry peer\", \"imei\": \"moderators sentence ordered\", \"instance_uid\": \"8b82c98c-61b8-11ee-ac91-0242ac110005\", \"interface_uid\": \"8b82d0da-61b8-11ee-b450-0242ac110005\", \"modified_time\": 1695272181548, \"network_interfaces\": [{\"name\": \"henderson treasures dv\", \"type\": \"Tunnel\", \"ip\": \"81.2.69.142\", \"hostname\": \"lightbox.gov\", \"mac\": \"57:15:98:E9:35:D3:B3:9A\", \"type_id\": 4}, {\"name\": \"forests designation entire\", \"type\": \"fcc\", \"ip\": \"81.2.69.142\", \"hostname\": \"horizon.biz\", \"uid\": \"8b82b79e-61b8-11ee-a441-0242ac110005\", \"mac\": \"47:B8:F6:D1:B8:90:8C:7F\", \"type_id\": 99}], \"region\": \"slight centers swimming\", \"risk_level\": \"Low\", \"risk_level_id\": 1}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"improving consist portfolio\", \"version\": \"1.0.0\", \"uid\": \"8b82a664-61b8-11ee-bb6e-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"completing watershed poor\"}, \"labels\": [\"moses\"], \"sequence\": 44, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"laboratory instance upon\", \"log_provider\": \"discrimination morrison course\", \"logged_time\": 1695272181548, \"original_time\": \"rights newly filled\"}, \"severity\": \"minutes\", \"api\": {\"request\": {\"uid\": \"8b824fc0-61b8-11ee-b26d-0242ac110005\"}, \"response\": {\"error\": \"three acdbentity sufficient\", \"code\": 99, \"message\": \"myrtle trust resort\"}, \"operation\": \"helena internationally leo\"}, \"disposition\": \"Deleted\", \"type_name\": \"Module Activity: Load\", \"activity_id\": 1, \"disposition_id\": 5, \"type_uid\": 100501, \"category_name\": \"System Activity\", \"class_uid\": 1005, \"category_uid\": 1, \"class_name\": \"Module Activity\", \"timezone_offset\": 8, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}, {\"name\": 
\"Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.\", \"uid\": \"TA0040\"}], \"technique\": {\"name\": \"PowerShell Profile\", \"uid\": \"T1504\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}, {\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Securityd Memory\", \"uid\": \"T1555.002\"}}], \"activity_name\": \"Load\", \"actor\": {\"process\": {\"name\": \"Switzerland\", \"pid\": 8, \"file\": {\"name\": \"administrators.tmp\", \"type\": \"Folder\", \"path\": \"flush faced champagne/cruise.tar.gz/administrators.tmp\", \"desc\": \"computing investors rio\", \"type_id\": 2, \"accessor\": {\"name\": \"Elections\", \"type\": \"distributor\", \"uid\": \"8b82e9d0-61b8-11ee-be3a-0242ac110005\", \"org\": {\"name\": \"ids mercury milan\", \"uid\": \"8b82ef20-61b8-11ee-9b3a-0242ac110005\", \"ou_name\": \"whether eddie investment\"}, \"type_id\": 99, \"credential_uid\": \"8b82f4ca-61b8-11ee-894f-0242ac110005\"}, \"parent_folder\": \"flush faced champagne/cruise.tar.gz\", \"is_system\": false, \"modified_time_dt\": \"2023-10-03T06:46:13.755631Z\"}, \"user\": {\"name\": \"Mechanics\", \"type\": \"System\", \"uid\": \"8b82fc86-61b8-11ee-b5b6-0242ac110005\", \"type_id\": 3}, \"tid\": 12, \"uid\": \"8b830046-61b8-11ee-b4bd-0242ac110005\", \"session\": {\"uid\": \"8b830532-61b8-11ee-bdfd-0242ac110005\", \"issuer\": \"texts advertiser henderson\", \"created_time\": 1695272181548, \"credential_uid\": \"8b830938-61b8-11ee-9d39-0242ac110005\", \"is_remote\": true, \"expiration_time_dt\": \"2023-10-03T06:46:13.756144Z\", \"created_time_dt\": \"2023-10-03T06:46:13.756371Z\"}, \"cmd_line\": \"fame little relax\", \"container\": {\"name\": \"renew angle reject\", \"runtime\": \"annoying remarkable setup\", \"size\": 2132122251, \"uid\": 
\"8b832030-61b8-11ee-816d-0242ac110005\", \"image\": {\"name\": \"babies detective christians\", \"uid\": \"8b8325a8-61b8-11ee-9a88-0242ac110005\", \"labels\": [\"printed\", \"safer\"]}, \"hash\": {\"value\": \"BA691BA042BCEDD9A61A36F5969026BC95859DCCDC7E47F24E6BCE35673BAF2F\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695272181548, \"namespace_pid\": 97, \"parent_process\": {\"name\": \"Containers\", \"pid\": 76, \"file\": {\"name\": \"audi.pspimage\", \"owner\": {\"name\": \"Mastercard\", \"type\": \"Admin\", \"uid\": \"8b833638-61b8-11ee-a13b-0242ac110005\", \"org\": {\"name\": \"qualification twisted australian\", \"uid\": \"8b833dfe-61b8-11ee-a745-0242ac110005\", \"ou_name\": \"franklin nb leslie\"}, \"type_id\": 2}, \"type\": \"Block Device\", \"path\": \"paying represent putting/showing.vob/audi.pspimage\", \"type_id\": 4, \"mime_type\": \"today/uniprotkb\", \"parent_folder\": \"paying represent putting/showing.vob\", \"created_time\": 1695272181548, \"is_system\": false}, \"user\": {\"name\": \"Prep\", \"type\": \"lot\", \"domain\": \"klein greg processing\", \"uid\": \"8b834682-61b8-11ee-8f6a-0242ac110005\", \"type_id\": 99, \"full_name\": \"Franklyn Shantell\"}, \"uid\": \"8b834aba-61b8-11ee-8172-0242ac110005\", \"container\": {\"size\": 388023740, \"uid\": \"8b834fd8-61b8-11ee-8b6a-0242ac110005\", \"hash\": {\"value\": \"1FA53D9A1AEAB5165003DE1755AD56612ABF77A3D033D697439C884637D2DC66DBDFFA147DFDBD69DC6D27340B63C26C93D84C65F59EE3A270CA5BBB1D13613F\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"network_driver\": \"ee australian housewares\"}, \"created_time\": 1695272181548, \"namespace_pid\": 5, \"parent_process\": {\"name\": \"Global\", \"pid\": 30, \"user\": {\"name\": \"Includes\", \"type\": \"System\", \"uid\": \"8b835b7c-61b8-11ee-9c7d-0242ac110005\", \"type_id\": 3, \"account\": {\"name\": \"desk periodic depth\", \"type\": \"Mac OS Account\", \"uid\": \"8b836400-61b8-11ee-9913-0242ac110005\", \"type_id\": 
7}, \"uid_alt\": \"origins demo declaration\"}, \"uid\": \"8b83682e-61b8-11ee-bf60-0242ac110005\", \"session\": {\"uid\": \"8b836dc4-61b8-11ee-aa72-0242ac110005\", \"created_time\": 1695272181548, \"is_remote\": true, \"expiration_time_dt\": \"2023-10-03T06:46:13.758724Z\"}, \"cmd_line\": \"gang spring carlo\", \"container\": {\"name\": \"victims edit minimum\", \"size\": 2069042340, \"uid\": \"8b83744a-61b8-11ee-9c26-0242ac110005\", \"hash\": {\"value\": \"85434F1527CE237329D0B1927EABF9D3\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"integrity\": \"happening\", \"integrity_id\": 99, \"namespace_pid\": 74, \"parent_process\": {\"name\": \"Pilot\", \"file\": {\"name\": \"planner.bak\", \"type\": \"Character Device\", \"path\": \"sony discussion suit/stomach.gif/planner.bak\", \"uid\": \"8b838804-61b8-11ee-a06e-0242ac110005\", \"type_id\": 3, \"accessor\": {\"name\": \"Mathematical\", \"type\": \"System\", \"uid\": \"8b838e30-61b8-11ee-8527-0242ac110005\", \"groups\": [{\"name\": \"ct disposal rent\", \"uid\": \"8b839358-61b8-11ee-a4c0-0242ac110005\"}, {\"name\": \"cruise ancient chemicals\", \"type\": \"spoke life lee\"}], \"type_id\": 3}, \"mime_type\": \"molecules/sharon\", \"parent_folder\": \"sony discussion suit/stomach.gif\", \"hashes\": [{\"value\": \"CA247333484AEB04EFA2DE65A9EC68032CED9ACC7716F9379404EB2422FC65190E0F56D3C2B21505FE722A0CD1D05AF9B8E47B4CB5005B4C4E71C6C5545C775F\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Warner\", \"type\": \"interim\", \"uid\": \"8b83f500-61b8-11ee-9242-0242ac110005\", \"type_id\": 99, \"credential_uid\": \"8b83f94c-61b8-11ee-85e8-0242ac110005\"}, \"tid\": 45, \"uid\": \"8b83fcbc-61b8-11ee-8764-0242ac110005\", \"cmd_line\": \"mm bon estimate\", \"container\": {\"name\": \"separation catalogs vocals\", \"uid\": \"8b8402a2-61b8-11ee-92d4-0242ac110005\", \"image\": {\"uid\": \"8b840af4-61b8-11ee-a7b5-0242ac110005\"}, \"hash\": {\"value\": 
\"CA59BAD8CEAD7A8424AD6823FE6AED5BA7AF4A9FDA854EA5AAB75A41B5369465\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Sleep\", \"pid\": 54, \"user\": {\"name\": \"Edges\", \"type\": \"compute\", \"uid\": \"8b841ca6-61b8-11ee-ac94-0242ac110005\", \"type_id\": 99}, \"uid\": \"8b8424bc-61b8-11ee-aa3b-0242ac110005\", \"session\": {\"is_remote\": true, \"created_time_dt\": \"2023-10-03T06:46:13.763445Z\"}, \"cmd_line\": \"applicable acquire folk\", \"container\": {\"name\": \"businesses suspension across\", \"size\": 2843627610, \"uid\": \"8b842ce6-61b8-11ee-acb2-0242ac110005\", \"image\": {\"name\": \"pressure sixth happen\", \"uid\": \"8b8431e6-61b8-11ee-9576-0242ac110005\"}, \"hash\": {\"value\": \"6B942E2831F972C22E2B0292EA3A8176AB41CD3B\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"orchestrator\": \"theta create impact\"}, \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"lineage\": [\"wires largest stamp\", \"handbook dale photograph\"], \"namespace_pid\": 4, \"parent_process\": {\"name\": \"Lie\", \"pid\": 43, \"file\": {\"name\": \"pottery.java\", \"type\": \"Local Socket\", \"path\": \"revolutionary such regulations/cheaper.ico/pottery.java\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"consensus ownership trainer\", \"issuer\": \"write watts guitars\", \"fingerprints\": [{\"value\": \"EDE381A3419BC1A2ACD00220F23CE82967A8631DB35FDF0122B8A0E43E8768CABDBDC842A83C48138C523D1A56B3F63F03D85756C9BFED7656AE5097479D9A4C\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"AFD38780B76420D3214D2D6D318A6EA972D720518346C2F7339E661205D5F20A5682869DAF56249F9FACD6EDF878C81669184A1D9C736232079EDED66727E297\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"facing wb drinks\", 
\"expiration_time_dt\": \"2023-10-03T06:46:13.764297Z\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3}, \"type_id\": 5, \"parent_folder\": \"revolutionary such regulations/cheaper.ico\", \"hashes\": [{\"value\": \"436DE0B494120DEC66B218D7D67AE5FC65841DA47A5D5A6044D76AE7CD0D793736DCAD5FA9C579A8C53310FA0B70225BB8C079A2E5BEDB5F6F48176972572F1C\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Wrapping\", \"type\": \"Unknown\", \"domain\": \"continuity cases issues\", \"uid\": \"8b8452de-61b8-11ee-9b3c-0242ac110005\", \"groups\": [{\"name\": \"protein lightweight complications\", \"type\": \"samsung knowledgestorm ppm\", \"uid\": \"8b8458ba-61b8-11ee-9ec2-0242ac110005\"}, {\"name\": \"spyware expensive partnerships\", \"type\": \"lcd moore th\"}], \"type_id\": 0, \"account\": {\"name\": \"chrome ones leeds\", \"type\": \"AWS IAM User\", \"type_id\": 3}, \"uid_alt\": \"mpegs eric ky\"}, \"session\": {\"uid\": \"8b8460c6-61b8-11ee-9def-0242ac110005\", \"issuer\": \"fun tomorrow antibodies\", \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"is_remote\": false, \"expiration_time_dt\": \"2023-10-03T06:46:13.764963Z\", \"created_time_dt\": \"2023-10-03T06:46:13.764972Z\"}, \"cmd_line\": \"packs maximum audit\", \"container\": {\"name\": \"hotmail midlands ripe\", \"size\": 860474369, \"uid\": \"8b847c96-61b8-11ee-99b1-0242ac110005\", \"image\": {\"name\": \"letter fri mauritius\", \"uid\": \"8b84825e-61b8-11ee-a5b5-0242ac110005\", \"labels\": [\"clouds\"]}, \"hash\": {\"value\": \"799904B20F1174F01C0D2DD87C57E097\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"created_time\": 1695272181548, \"namespace_pid\": 45, \"parent_process\": {\"name\": \"Homepage\", \"pid\": 78, \"file\": {\"attributes\": 57, \"name\": \"pledge.ini\", \"type\": \"Character Device\", \"path\": \"internationally remedies back/his.cgi/pledge.ini\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"portugal motel preserve\", 
\"issuer\": \"rocket separation opponent\", \"fingerprints\": [{\"value\": \"F72B1ED0BD7D6BE65211FA1606D1DE35F225DE73CB524C01380509CCE5B6F8F8DDE81A0B0AB6F5ECE9A7E651DD7D0C19DB365A83C018B747DA5B0A79259F3547\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"AEAA2CEC33E27D65690E726E1710D3F4A99A2BF0AE9A3BD9087488F1DFB4D38D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"edinburgh responsible supervisor\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"desc\": \"syracuse until as\", \"type_id\": 3, \"company_name\": \"Elenore Jeanetta\", \"parent_folder\": \"internationally remedies back/his.cgi\", \"confidentiality\": \"hitachi shaw tension\", \"hashes\": [{\"value\": \"8A8173677F164DD2E2CF83BEA2A42A8B\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"6B70D921D9E8DCF0F08A73F508E5D19D274B58D8AC2E29049A23B62D1988C1028A8ECBA2485531BBD6B7AEE51EA822578E859759F8FFC4818023EFD47ABC9C4D\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"security_descriptor\": \"lower cable requiring\", \"created_time_dt\": \"2023-10-03T06:46:13.766258Z\", \"accessed_time_dt\": \"2023-10-03T06:46:13.766265Z\"}, \"user\": {\"name\": \"Lauderdale\", \"type\": \"User\", \"uid\": \"8b84a6e4-61b8-11ee-b1fe-0242ac110005\", \"type_id\": 1, \"uid_alt\": \"venezuela path passing\"}, \"uid\": \"8b84ac48-61b8-11ee-97d9-0242ac110005\", \"session\": {\"uid\": \"8b84b562-61b8-11ee-a0d1-0242ac110005\", \"uuid\": \"8b84bbd4-61b8-11ee-8f0e-0242ac110005\", \"issuer\": \"gel submissions finite\", \"created_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T06:46:13.767292Z\", \"created_time_dt\": \"2023-10-03T06:46:13.767299Z\"}, \"cmd_line\": \"prior angry workers\", \"container\": {\"name\": \"horrible scroll del\", \"size\": 870541982, \"uid\": \"8b84c7c8-61b8-11ee-b0ff-0242ac110005\", \"image\": {\"name\": \"expenses pdt conditioning\", \"tag\": \"recognition albania curtis\", 
\"path\": \"valentine corp gcc\", \"uid\": \"8b84d204-61b8-11ee-8eb1-0242ac110005\"}, \"hash\": {\"value\": \"B413223A2BB7E91D5C6E244B77A2392BA017906B615F3CDF4BA192FE568C7738ADE3E24CAA9273F592169D682882DAC5E0DF8975B0FDB3859FB69A175B815724\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"pod_uuid\": \"gift\"}, \"created_time\": 1695272181548, \"namespace_pid\": 94}, \"sandbox\": \"holmes guess hyundai\", \"created_time_dt\": \"2023-10-03T06:46:13.768070Z\"}}, \"sandbox\": \"mothers equipped enquiry\"}}}, \"terminated_time\": 1695272181548}, \"user\": {\"name\": \"Cookies\", \"type\": \"load\", \"uid\": \"8b84f59a-61b8-11ee-8275-0242ac110005\", \"type_id\": 99, \"full_name\": \"Regan Loise\", \"uid_alt\": \"dawn but titles\"}, \"invoked_by\": \"pantyhose macedonia retained\"}, \"cloud\": {\"account\": {\"name\": \"abroad takes controversy\", \"type\": \"AWS Account\", \"uid\": \"8b82630c-61b8-11ee-a1c3-0242ac110005\", \"type_id\": 10}, \"project_uid\": \"8b82679e-61b8-11ee-9ed4-0242ac110005\", \"provider\": \"translate be cabinets\", \"region\": \"trap wood power\"}, \"malware\": [{\"name\": \"generally insight ee\", \"path\": \"jc possess fibre\", \"classification_ids\": [17, 2], \"classifications\": [\"ontario amsterdam archived\", \"newfoundland norman eddie\"], \"provider\": \"singapore flexible casino\"}, {\"name\": \"illustrated lending requirements\", \"path\": \"cho basket ul\", \"uid\": \"8b8272c0-61b8-11ee-90e5-0242ac110005\", \"classification_ids\": [16, 5], \"cves\": [{\"type\": \"graphical acm salt\", \"uid\": \"8b827964-61b8-11ee-822b-0242ac110005\", \"created_time\": 1695272181548, \"modified_time\": 1695272181548, \"modified_time_dt\": \"2023-10-03T06:46:13.752477Z\"}], \"provider\": \"goods fitting latter\"}], \"severity_id\": 99, \"status_id\": 0}", "event": { "action": "load", + "category": [], + "kind": "event", "outcome": "unknown", "provider": "discrimination morrison course", "sequence": 44, - "severity": 99 + "severity": 99, + 
"type": [] }, + "@timestamp": "2023-09-21T04:56:21.548000Z", "cloud": { "account": { "id": "8b82630c-61b8-11ee-a1c3-0242ac110005", @@ -28,6 +32,40 @@ "provider": "translate be cabinets", "region": "trap wood power" }, + "container": { + "id": "8b832030-61b8-11ee-816d-0242ac110005", + "image": { + "name": "babies detective christians" + }, + "name": "renew angle reject", + "runtime": "annoying remarkable setup" + }, + "file": { + "directory": "flush faced champagne/cruise.tar.gz", + "name": "administrators.tmp", + "path": "flush faced champagne/cruise.tar.gz/administrators.tmp", + "type": "Folder" + }, + "host": { + "domain": "existence conditional pillow", + "hostname": "tiles.name", + "ip": [ + "81.2.69.142" + ], + "mac": [ + "6C:91:94:13:50:61:2E:D4" + ], + "name": "tiles.name", + "os": { + "name": "extreme oct care", + "type": "Android", + "version": "grave pn resist" + }, + "risk": { + "static_level": "Low" + }, + "type": "frontier" + }, "ocsf": { "activity_id": 1, "activity_name": "Load", 
@@ -327,6 +365,83 @@ "timezone_offset": 8, "type_name": "Module Activity: Load", "type_uid": "100501" + }, + "process": { + "command_line": "fame little relax", + "entity_id": "8b830046-61b8-11ee-b4bd-0242ac110005", + "name": "Switzerland", + "parent": { + "entity_id": "8b834aba-61b8-11ee-8172-0242ac110005", + "name": "Containers", + "pid": 76, + "start": "2023-09-21T04:56:21.548000Z", + "user": { + "domain": "klein greg processing", + "full_name": "Franklyn Shantell", + "group": { + "id": [], + "name": [] + }, + "id": [ + "8b834682-61b8-11ee-8f6a-0242ac110005" + ], + "name": "Prep" + } + }, + "pid": 8, + "start": "2023-09-21T04:56:21.548000Z", + "thread": { + "id": 12 + }, + "user": { + "group": { + "id": [], + "name": [] + }, + "id": [ + "8b82fc86-61b8-11ee-b5b6-0242ac110005" + ], + "name": "Mechanics" + } + }, + "related": { + "hosts": [ + "tiles.name" + ], + "ip": [ + "81.2.69.142" + ], + "user": [ + "Cookies" + ] + }, + "sekoiaio": { + "intake": { + "parsing_warnings": [ + "Cannot set field 'container.labels' with given definition in stage 'pipeline_object_actor'. Cannot convert value in field 'container.labels' to type 'dict'" + ] + } + }, + "threat": { + "technique": { + "id": [ + "T1504", + "T1555.002" + ], + "name": [ + "PowerShell Profile", + "Securityd Memory" + ] + } + }, + "user": { + "full_name": "Regan Loise", + "group": { + "id": [], + "name": [] + }, + "id": "8b84f59a-61b8-11ee-8275-0242ac110005", + "name": "Cookies" } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_system_activity_6.json b/OCSF/ocsf/tests/test_system_activity_6.json index d70f23c77..53dd9e444 100644 --- a/OCSF/ocsf/tests/test_system_activity_6.json +++ b/OCSF/ocsf/tests/test_system_activity_6.json @@ -17,6 +17,7 @@ ], "code": "paths", "end": "2023-09-21T04:56:21.548000Z", + "kind": "event", "provider": "gays consultation motivated", "severity": 99, "start": "2023-09-21T04:56:21.548000Z", 
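Review bot: `related.user` lists only `"Cookies"` although the same document carries `process.user.name: "Mechanics"` and `process.parent.user.name: "Prep"`, so pivoting on `related.user` misses the process owners; the test_system_activity_6 hunk pins the same gap more visibly, with no `related.user` at all despite `process.user.name: "Laboratory"`. The `sekoiaio.intake.parsing_warnings` entry is also being frozen as expected output: it says `container.labels` could not be converted to `dict` in stage `pipeline_object_actor`, and the raw message does contain list-valued `image.labels`, which is presumably the source, so the fixture codifies a mapping error instead of a fix (the same entry appears in the test_system_activity_6 hunk). If the list cannot be represented as ECS `container.labels`, skipping that assignment in the stage removes the warning rather than pinning it in every test.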
@@ -24,10 +25,50 @@ "info" ] }, + "@timestamp": "2023-09-21T04:56:21.548000Z", "cloud": { "provider": "nu connector termination", "region": "lose activists occurred" }, + "container": { + "id": "442ca070-61be-11ee-b847-0242ac110005", + "image": { + "name": "janet flights pct", + "tag": [ + "reporter calculator population" + ] + }, + "name": "disabled underlying prerequisite", + "runtime": "ntsc replacing emotional" + }, + "file": { + "directory": "district moment specs/consolidation.mp3", + "name": "game.crdownload", + "path": "district moment specs/consolidation.mp3/game.crdownload", + "type": "Symbolic Link" + }, + "host": { + "geo": { + "city_name": "Guidance marijuana", + "continent_name": "North America", + "country_iso_code": "AG", + "location": { + "lat": -39.2278, + "lon": 139.683 + }, + "name": "Antigua and Barbuda" + }, + "hostname": "bags.coop", + "id": "442a8524-61be-11ee-a4cc-0242ac110005", + "ip": [ + "81.2.69.142" + ], + "name": "bags.coop", + "risk": { + "static_score": 44 + }, + "type": "Virtual" + }, "ocsf": { "activity_id": 5, "activity_name": "Set User ID", 
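Review bot: `host.geo.name` is set to `"Antigua and Barbuda"` while `host.geo.country_iso_code` is `"AG"` and no `host.geo.country_name` is emitted; ECS `geo.name` is a free-form locality label, and the country name belongs in `geo.country_name`, which is the field geo-based rules and map visualisations use. The raw message for this fixture is outside the hunk, so the source field is inferred from the value; if it comes from OCSF `location.country`, the change is `geo.country_name` in place of `geo.name` in the host mapping. The coordinates pinned here (-39.2, 139.7) are nowhere near Antigua, which is harmless for synthetic data but means this fixture cannot be used to eyeball the geo mapping.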
@@ -193,6 +234,76 @@ "timezone_offset": 75, "type_name": "Process Activity: Set User ID", "type_uid": "100705" + }, + "process": { + "command_line": "wrist teach engaging", + "entity_id": "442c9a58-61be-11ee-8992-0242ac110005", + "name": "Woman", + "parent": { + "command_line": "shopzilla signal shift", + "entity_id": "442d08c6-61be-11ee-9eea-0242ac110005", + "name": "Undergraduate", + "pid": 18, + "start": "2023-09-21T04:56:21.548000Z", + "thread": { + "id": 18 + }, + "user": { + "group": { + "id": [], + "name": [] + }, + "id": [ + "442d0416-61be-11ee-8f5e-0242ac110005" + ] + } + }, + "pid": 99, + "start": "2023-09-21T04:56:21.548000Z", + "user": { + "group": { + "id": [], + "name": [] + }, + "id": [ + "442c90bc-61be-11ee-8334-0242ac110005" + ], + "name": "Laboratory" + } + }, + "related": { + "hosts": [ + "bags.coop" + ], + "ip": [ + "81.2.69.142" + ] + }, + "sekoiaio": { + "intake": { + "parsing_warnings": [ + "Cannot set field 'container.labels' with given definition in stage 'pipeline_object_actor'. Cannot convert value in field 'container.labels' to type 'dict'" + ] + } + }, + "threat": { + "technique": { + "id": [ + "T1100", + "T1546.008" + ], + "name": [ + "Accessibility Features", + "Web Shell" + ] + } + }, + "user": { + "group": { + "id": [], + "name": [] + }, + "id": "4431189e-61be-11ee-bc71-0242ac110005" } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_system_activity_7.json b/OCSF/ocsf/tests/test_system_activity_7.json index 5720913a9..10fd5c45d 100644 --- a/OCSF/ocsf/tests/test_system_activity_7.json +++ b/OCSF/ocsf/tests/test_system_activity_7.json 
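Review bot: The `threat.technique.id` and `threat.technique.name` arrays appear to be sorted independently: `T1100` is the Web Shell technique and `T1546.008` is Accessibility Features, yet the fixture pins `["T1100", "T1546.008"]` against `["Accessibility Features", "Web Shell"]`, so positional pairing between the two arrays is lost (the test_system_activity_7 hunk shows the input order T1588, T1522 being sorted to T1522, T1588, with the names lining up only because their sort order happens to coincide). If consumers rely on index alignment, keep both arrays in input order; otherwise a comment in the parser stage stating that the two arrays are unordered sets prevents that assumption. Separately, `user.group`, `process.user.group` and `process.parent.user.group` are pinned as `{"id": [], "name": []}` when the source has no groups; emitting empty arrays adds noise to every document, and omitting the object when nothing maps is the usual ECS practice (same shape in the test_system_activity_5 hunk above).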
@@ -12,15 +12,32 @@ "message": "{\"message\": \"appeal verse adjacent\", \"status\": \"Failure\", \"time\": 1695272181548, \"device\": {\"type\": \"IOT\", \"os\": {\"name\": \"officially marks hook\", \"type\": \"iOS\", \"type_id\": 301}, \"ip\": \"81.2.69.142\", \"hostname\": \"paragraph.nato\", \"uid\": \"1d440972-61bd-11ee-b78b-0242ac110005\", \"groups\": [{\"name\": \"summit torture accused\", \"uid\": \"1d43dac4-61bd-11ee-8157-0242ac110005\"}, {\"name\": \"silicon headline seniors\", \"uid\": \"1d43df06-61bd-11ee-884b-0242ac110005\"}], \"type_id\": 7, \"first_seen_time\": 1695272181548, \"hypervisor\": \"listening genres rob\", \"imei\": \"seekers sue networks\", \"instance_uid\": \"1d440530-61bd-11ee-9a80-0242ac110005\", \"interface_name\": \"requiring showtimes only\", \"interface_uid\": \"1d440e68-61bd-11ee-9bc1-0242ac110005\", \"region\": \"terms quarter premium\", \"first_seen_time_dt\": \"2023-10-03T07:18:56.276163Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"extension\": {\"name\": \"attempt directed associate\", \"version\": \"1.0.0\", \"uid\": \"1d43b58a-61bd-11ee-811e-0242ac110005\"}, \"product\": {\"name\": \"gallery crude arc\", \"version\": \"1.0.0\", \"uid\": \"1d43be36-61bd-11ee-9314-0242ac110005\", \"lang\": \"en\", \"url_string\": \"registrar\", \"vendor_name\": \"staffing steven textiles\"}, \"uid\": \"1d43c2b4-61bd-11ee-814c-0242ac110005\", \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"external cadillac navy\", \"log_provider\": \"deadline emissions whilst\", \"original_time\": \"my northwest exhibitions\"}, \"severity\": \"Low\", \"duration\": 4, \"disposition\": \"Restored\", \"type_name\": \"Scheduled Job Activity: Other\", \"activity_id\": 99, \"disposition_id\": 9, \"type_uid\": 100699, \"category_name\": \"System Activity\", \"class_uid\": 1006, \"category_uid\": 1, \"class_name\": \"Scheduled Job Activity\", \"timezone_offset\": 87, \"attacks\": [{\"version\": \"12.1\", 
\"tactics\": [{\"name\": \"Execution The adversary is trying to run malicious code.\", \"uid\": \"TA0002\"}], \"technique\": {\"name\": \"Obtain Capabilities\", \"uid\": \"T1588\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}, {\"name\": \"Persistence The adversary is trying to maintain their foothold.\", \"uid\": \"TA0003\"}, {\"name\": \"Initial Access | The adversary is trying to get into your network.\", \"uid\": \"TA0001\"}], \"technique\": {\"name\": \"Cloud Instance Metadata API\", \"uid\": \"T1522\"}}], \"activity_name\": \"considerable\", \"cloud\": {\"org\": {\"name\": \"pf months already\", \"uid\": \"1d4398de-61bd-11ee-804b-0242ac110005\", \"ou_name\": \"cry centers expense\"}, \"provider\": \"trusts disclose snapshot\", \"region\": \"choose consolidated set\"}, \"severity_id\": 2, \"status_code\": \"respond\", \"status_id\": 2}", "event": { "action": "considerable", + "category": [], "duration": 4000000, + "kind": "event", "outcome": "failure", "provider": "deadline emissions whilst", - "severity": 2 + "severity": 2, + "type": [] }, + "@timestamp": "2023-09-21T04:56:21.548000Z", "cloud": { "provider": "trusts disclose snapshot", "region": "choose consolidated set" }, + "host": { + "hostname": "paragraph.nato", + "id": "1d440972-61bd-11ee-b78b-0242ac110005", + "ip": [ + "81.2.69.142" + ], + "name": "paragraph.nato", + "os": { + "name": "officially marks hook", + "type": "iOS" + }, + "type": "IOT" + }, "ocsf": { "activity_id": 99, "activity_name": "considerable", @@ -131,6 +148,26 @@ "timezone_offset": 87, "type_name": "Scheduled Job Activity: Other", "type_uid": "100699" + }, + "related": { + "hosts": [ + "paragraph.nato" + ], + "ip": [ + "81.2.69.142" + ] + }, + "threat": { + "technique": { + "id": [ + "T1522", + "T1588" + ], + "name": [ + "Cloud Instance Metadata API", + "Obtain Capabilities" + ] + } } } } \ No newline at end of file 
From e2ff31c6650a4bb4f6f2cd8e7ff0cc82e11f37a0 Mon Sep 17 00:00:00 2001
From: lvoloshyn-sekoia
Date: Wed, 31 Jan 2024 15:42:09 +0200
Subject: [PATCH 11/34] Fixes and improvements
---
OCSF/ocsf/_meta/fields.yml | 8 --------
OCSF/ocsf/_meta/manifest.yml | 5 ++++-
2 files changed, 4 insertions(+), 9 deletions(-)
diff --git a/OCSF/ocsf/_meta/fields.yml b/OCSF/ocsf/_meta/fields.yml
index 608a8eddf..b1fcdb532 100644
--- a/OCSF/ocsf/_meta/fields.yml
+++ b/OCSF/ocsf/_meta/fields.yml
@@ -1,11 +1,3 @@
-input.type:
- description: Type of filebeat input.
- name: input.type
- type: keyword
-log.offset:
- description: Log offset.
- name: log.offset
- type: long
 ocsf.access_mask:
 description: The access mask in a platform-native format.
 name: ocsf.access_mask
diff --git a/OCSF/ocsf/_meta/manifest.yml b/OCSF/ocsf/_meta/manifest.yml
index 768c4626c..931c78599 100644
--- a/OCSF/ocsf/_meta/manifest.yml
+++ b/OCSF/ocsf/_meta/manifest.yml
@@ -3,6 +3,9 @@ name: OCSF
 slug: ocsf
 description: >-
- The description of the intake
+ The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema.
 data_sources:
+ File monitoring:
+ Network device logs:
+ Process monitoring:
From a542f8a11d5f24686ffeecc5ab9a127c44eb1f4c Mon Sep 17 00:00:00 2001
From: lvoloshyn-sekoia
Date: Wed, 31 Jan 2024 15:46:04 +0200
Subject: [PATCH 12/34] Add module manifest
---
OCSF/_meta/manifest.yml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 OCSF/_meta/manifest.yml
diff --git a/OCSF/_meta/manifest.yml b/OCSF/_meta/manifest.yml
new file mode 100644
index 000000000..fcbd450e0
--- /dev/null
+++ b/OCSF/_meta/manifest.yml
@@ -0,0 +1,5 @@
+uuid: 01f0e9a1-2c78-4118-8a70-0e86ed285a31
+name: OCSF
+slug: "ocsf"
+description: >-
+ OCSF
From 7e7c5e8a7845bcd0af87c50fbc349482da5e15f9 Mon Sep 17 00:00:00 2001
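Review bot: The three `data_sources` keys added to the intake manifest (`File monitoring`, `Network device logs`, `Process monitoring`) carry no values, which YAML reads as `null`; confirm that the manifest schema accepts bare keys, or give each the value form the other intakes in this repository use. The list also looks narrower than what the parser handles: the fixtures touched by the next patch include IAM, discovery, findings and application-activity classes, so if the data-source taxonomy has entries for those (authentication or identity logs, for instance), listing them here would make the intake discoverable for them.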
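Review bot: The new module manifest's `description` is the placeholder `OCSF`, while the intake manifest in the previous hunk gets a full sentence; the module entry is what users see first, so the same sentence, or a shorter one such as `Open Cybersecurity Schema Framework (OCSF) event intakes`, belongs here too. Minor style point: `slug` is quoted here (`slug: "ocsf"`) and unquoted in the intake manifest (`slug: ocsf`); both parse identically, so one form should be used in both files.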
From: lvoloshyn-sekoia Date: Thu, 1 Feb 2024 12:49:03 +0200 Subject: [PATCH 13/34] Remove redundant fields --- OCSF/ocsf/_meta/fields.yml | 14 -------------- OCSF/ocsf/tests/test_application_activity_1.json | 1 - OCSF/ocsf/tests/test_application_activity_2.json | 1 - OCSF/ocsf/tests/test_application_activity_3.json | 1 - OCSF/ocsf/tests/test_discovery_1.json | 1 - OCSF/ocsf/tests/test_discovery_2.json | 2 -- OCSF/ocsf/tests/test_findings_1.json | 1 - OCSF/ocsf/tests/test_iam_1.json | 1 - OCSF/ocsf/tests/test_iam_2.json | 1 - OCSF/ocsf/tests/test_iam_3.json | 2 -- OCSF/ocsf/tests/test_iam_4.json | 1 - OCSF/ocsf/tests/test_network_activity_1.json | 1 - OCSF/ocsf/tests/test_network_activity_10.json | 1 - OCSF/ocsf/tests/test_network_activity_11.json | 1 - OCSF/ocsf/tests/test_network_activity_12.json | 2 -- OCSF/ocsf/tests/test_network_activity_2.json | 2 -- OCSF/ocsf/tests/test_network_activity_3.json | 1 - OCSF/ocsf/tests/test_network_activity_4.json | 1 - OCSF/ocsf/tests/test_network_activity_5.json | 1 - OCSF/ocsf/tests/test_network_activity_6.json | 2 -- OCSF/ocsf/tests/test_network_activity_7.json | 1 - OCSF/ocsf/tests/test_network_activity_8.json | 1 - OCSF/ocsf/tests/test_network_activity_9.json | 2 -- OCSF/ocsf/tests/test_system_activity_1.json | 2 -- OCSF/ocsf/tests/test_system_activity_2.json | 2 -- OCSF/ocsf/tests/test_system_activity_3.json | 2 -- OCSF/ocsf/tests/test_system_activity_4.json | 1 - OCSF/ocsf/tests/test_system_activity_5.json | 2 -- OCSF/ocsf/tests/test_system_activity_6.json | 1 - OCSF/ocsf/tests/test_system_activity_7.json | 3 --- 30 files changed, 55 deletions(-) diff --git a/OCSF/ocsf/_meta/fields.yml b/OCSF/ocsf/_meta/fields.yml index b1fcdb532..54aca5d71 100644 --- a/OCSF/ocsf/_meta/fields.yml +++ b/OCSF/ocsf/_meta/fields.yml 
@@ -2885,10 +2885,6 @@ ocsf.device.os.sp_ver:
 description: The version number of the latest Service Pack.
 name: ocsf.device.os.sp_ver
 type: keyword
-ocsf.device.os.type:
- description: The type of the operating system.
- name: ocsf.device.os.type
- type: keyword
 ocsf.device.os.type_id:
 description: The type identifier of the operating system.
 name: ocsf.device.os.type_id
@@ -3614,12 +3610,6 @@ ocsf.dst_endpoint.vpc_uid:
 description: The unique identifier of the Virtual Private Cloud (VPC).
 name: ocsf.dst_endpoint.vpc_uid
 type: keyword
-ocsf.duration:
- description:
- The event duration or aggregate time, the amount of time the event
- covers from start_time to end_time in milliseconds.
- name: ocsf.duration
- type: long
 ocsf.email.delivered_to:
 description: The Delivered-To email header field.
 name: ocsf.email.delivered_to
@@ -5565,10 +5555,6 @@ ocsf.metadata.product.url_string:
 description: The URL pointing towards the product.
 name: ocsf.metadata.product.url_string
 type: keyword
-ocsf.metadata.product.vendor_name:
- description: The name of the vendor of the product.
- name: ocsf.metadata.product.vendor_name
- type: keyword
 ocsf.metadata.product.version:
 description: "The version of the product, as defined by the event source. For example:
diff --git a/OCSF/ocsf/tests/test_application_activity_1.json b/OCSF/ocsf/tests/test_application_activity_1.json
index 189df2114..31fc0824a 100644
--- a/OCSF/ocsf/tests/test_application_activity_1.json
+++ b/OCSF/ocsf/tests/test_application_activity_1.json
@@ -109,7 +109,6 @@
 "name": "loc bw pa",
 "uid": "072dafa2-584a-11ee-bca3-0242ac110005",
 "url_string": "indirect",
- "vendor_name": "fotos choir archive",
 "version": "1.0.0"
 },
 "profiles": [
diff --git a/OCSF/ocsf/tests/test_application_activity_2.json b/OCSF/ocsf/tests/test_application_activity_2.json
index 62cc35b86..86a97bfcb 100644
--- a/OCSF/ocsf/tests/test_application_activity_2.json
+++ b/OCSF/ocsf/tests/test_application_activity_2.json
@@ -47,7 +47,6 @@ "lang": "en", "name": "eligible scenes worm", "uid": "f6508420-520e-11ee-adcc-0242ac110004", - "vendor_name": "fix complicated accreditation", "version": "1.0.0" }, "profiles": [], diff --git a/OCSF/ocsf/tests/test_application_activity_3.json b/OCSF/ocsf/tests/test_application_activity_3.json index 08386def7..9ed9ca01d 100644 --- a/OCSF/ocsf/tests/test_application_activity_3.json +++ b/OCSF/ocsf/tests/test_application_activity_3.json @@ -102,7 +102,6 @@ "name": "enzyme cookie citations", "uid": "65195f88-584c-11ee-8118-0242ac110005", "url_string": "deck", - "vendor_name": "rochester school force", "version": "1.0.0" }, "profiles": [ diff --git a/OCSF/ocsf/tests/test_discovery_1.json b/OCSF/ocsf/tests/test_discovery_1.json index 7b6f20d63..5dfbc4685 100644 --- a/OCSF/ocsf/tests/test_discovery_1.json +++ b/OCSF/ocsf/tests/test_discovery_1.json @@ -89,7 +89,6 @@ "name": "legal subsidiary eleven", "path": "financial spot tennis", "uid": "023dd33e-5848-11ee-aa6d-0242ac110005", - "vendor_name": "assumes podcast went", "version": "1.0.0" }, "profiles": [ diff --git a/OCSF/ocsf/tests/test_discovery_2.json b/OCSF/ocsf/tests/test_discovery_2.json index b3b20b48c..ae75c9b60 100644 --- a/OCSF/ocsf/tests/test_discovery_2.json +++ b/OCSF/ocsf/tests/test_discovery_2.json @@ -82,7 +82,6 @@ "os": { "edition": "nightmare engineers carter", "lang": "en", - "type": "Android", "type_id": "201", "version": "1.0.0" }, @@ -107,7 +106,6 @@ "lang": "en", "name": "butterfly knight log", "uid": "7f25336a-584d-11ee-b2a5-0242ac110005", - "vendor_name": "disciplinary rec report", "version": "1.0.0" }, "profiles": [ diff --git a/OCSF/ocsf/tests/test_findings_1.json b/OCSF/ocsf/tests/test_findings_1.json index 97e8ef6f3..48a85b261 100644 --- a/OCSF/ocsf/tests/test_findings_1.json +++ b/OCSF/ocsf/tests/test_findings_1.json 
@@ -91,7 +91,6 @@ }, "name": "Security Hub", "uid": "arn:aws:securityhub:us-east-1::product/aws/securityhub", - "vendor_name": "AWS", "version": "2018-10-08" }, "profiles": [ diff --git a/OCSF/ocsf/tests/test_iam_1.json b/OCSF/ocsf/tests/test_iam_1.json index f15e3af81..b22589c12 100644 --- a/OCSF/ocsf/tests/test_iam_1.json +++ b/OCSF/ocsf/tests/test_iam_1.json @@ -51,7 +51,6 @@ "name": "release zealand upon", "path": "fuel style da", "uid": "2e6ae592-6409-11ee-8656-0242ac110005", - "vendor_name": "crest homework turtle", "version": "1.0.0" }, "profiles": [], diff --git a/OCSF/ocsf/tests/test_iam_2.json b/OCSF/ocsf/tests/test_iam_2.json index 269e77466..18ca05dcd 100644 --- a/OCSF/ocsf/tests/test_iam_2.json +++ b/OCSF/ocsf/tests/test_iam_2.json @@ -38,7 +38,6 @@ "product": { "lang": "en", "uid": "c7a42ac4-640a-11ee-ae25-0242ac110005", - "vendor_name": "cross networks miles", "version": "1.0.0" }, "profiles": [], diff --git a/OCSF/ocsf/tests/test_iam_3.json b/OCSF/ocsf/tests/test_iam_3.json index 83f120650..1c0b306bf 100644 --- a/OCSF/ocsf/tests/test_iam_3.json +++ b/OCSF/ocsf/tests/test_iam_3.json @@ -39,7 +39,6 @@ "class_name": "Group Management", "class_uid": "3006", "count": 37, - "duration": 91, "enrichments": [ { "data": "{\"dns\": \"bhrjfd\"}", @@ -55,7 +54,6 @@ "product": { "name": "industry thou favorites", "uid": "acc9db64-6427-11ee-bbd5-0242ac110005", - "vendor_name": "assisted parade monitored", "version": "1.0.0" }, "profiles": [], diff --git a/OCSF/ocsf/tests/test_iam_4.json b/OCSF/ocsf/tests/test_iam_4.json index 4015f84db..a0c4f76ba 100644 --- a/OCSF/ocsf/tests/test_iam_4.json +++ b/OCSF/ocsf/tests/test_iam_4.json @@ -48,7 +48,6 @@ "lang": "en", "name": "advance wellness phentermine", "uid": "c52f3210-6424-11ee-b807-0242ac110005", - "vendor_name": "sphere chef physicians", "version": "1.0.0" }, "profiles": [], diff --git a/OCSF/ocsf/tests/test_network_activity_1.json b/OCSF/ocsf/tests/test_network_activity_1.json index 7a1131183..583e29c7d 100644 
--- a/OCSF/ocsf/tests/test_network_activity_1.json +++ b/OCSF/ocsf/tests/test_network_activity_1.json @@ -74,7 +74,6 @@ "name": "Flowlogs" }, "name": "Amazon VPC", - "vendor_name": "AWS", "version": "5" }, "profiles": [ diff --git a/OCSF/ocsf/tests/test_network_activity_10.json b/OCSF/ocsf/tests/test_network_activity_10.json index d9a8f759f..f291dfcc4 100644 --- a/OCSF/ocsf/tests/test_network_activity_10.json +++ b/OCSF/ocsf/tests/test_network_activity_10.json @@ -230,7 +230,6 @@ "name": "describes static geological", "uid": "849714ce-5be7-11ee-981b-0242ac110005", "url_string": "avatar", - "vendor_name": "highly got hook", "version": "1.0.0" }, "profiles": [ diff --git a/OCSF/ocsf/tests/test_network_activity_11.json b/OCSF/ocsf/tests/test_network_activity_11.json index f2a4e2d44..f437c4561 100644 --- a/OCSF/ocsf/tests/test_network_activity_11.json +++ b/OCSF/ocsf/tests/test_network_activity_11.json @@ -155,7 +155,6 @@ "name": "harm dash walter", "path": "contributors rest worried", "uid": "9e3d893a-5be7-11ee-9bf6-0242ac110005", - "vendor_name": "acre shut suzuki", "version": "1.0.0" }, "profiles": [ diff --git a/OCSF/ocsf/tests/test_network_activity_12.json b/OCSF/ocsf/tests/test_network_activity_12.json index 4f56c047f..3a9f17d21 100644 --- a/OCSF/ocsf/tests/test_network_activity_12.json +++ b/OCSF/ocsf/tests/test_network_activity_12.json @@ -104,7 +104,6 @@ }, "disposition": "Delayed", "disposition_id": "14", - "duration": 2, "metadata": { "log_name": "cleaners villa historic", "logged_time": 1695676101375, @@ -119,7 +118,6 @@ "name": "erotica ladies hero", "uid": "a844f346-5be7-11ee-a2c8-0242ac110005", "url_string": "washer", - "vendor_name": "feelings tide perry", "version": "1.0.0" }, "profiles": [ diff --git a/OCSF/ocsf/tests/test_network_activity_2.json b/OCSF/ocsf/tests/test_network_activity_2.json index ad5f7481a..e3949e56d 100644 --- a/OCSF/ocsf/tests/test_network_activity_2.json +++ b/OCSF/ocsf/tests/test_network_activity_2.json 
@@ -112,7 +112,6 @@ "name": "accounts an verzeichnis", "uid": "29ee8048-5be7-11ee-b29d-0242ac110005" }, - "duration": 80, "end_time_dt": "2023-09-25T21:04:49.412301Z", "http_request": { "http_headers": [ @@ -161,7 +160,6 @@ "name": "helena crystal initiative", "uid": "29ee731e-5be7-11ee-9b80-0242ac110005", "url_string": "bedding", - "vendor_name": "infectious instrumentation malaysia", "version": "1.0.0" }, "profiles": [ diff --git a/OCSF/ocsf/tests/test_network_activity_3.json b/OCSF/ocsf/tests/test_network_activity_3.json index 22331ecc5..46cc4b35d 100644 --- a/OCSF/ocsf/tests/test_network_activity_3.json +++ b/OCSF/ocsf/tests/test_network_activity_3.json @@ -88,7 +88,6 @@ "name": "Resolver Query Logs" }, "name": "Route 53", - "vendor_name": "AWS", "version": "1.100000" }, "profiles": [ diff --git a/OCSF/ocsf/tests/test_network_activity_4.json b/OCSF/ocsf/tests/test_network_activity_4.json index 5f41065f4..93a09c9e3 100644 --- a/OCSF/ocsf/tests/test_network_activity_4.json +++ b/OCSF/ocsf/tests/test_network_activity_4.json @@ -129,7 +129,6 @@ "lang": "en", "path": "trademarks clean client", "uid": "3b98010c-5be7-11ee-b3a3-0242ac110005", - "vendor_name": "parents transit advisor", "version": "1.0.0" }, "profiles": [ diff --git a/OCSF/ocsf/tests/test_network_activity_5.json b/OCSF/ocsf/tests/test_network_activity_5.json index 0c971fdd3..f0194f4ee 100644 --- a/OCSF/ocsf/tests/test_network_activity_5.json +++ b/OCSF/ocsf/tests/test_network_activity_5.json @@ -179,7 +179,6 @@ }, "name": "sleeping roy view", "uid": "52a2a83e-5be7-11ee-b480-0242ac110005", - "vendor_name": "display discipline juvenile", "version": "1.0.0" }, "profiles": [ diff --git a/OCSF/ocsf/tests/test_network_activity_6.json b/OCSF/ocsf/tests/test_network_activity_6.json index de736c1f1..ac0a30725 100644 --- a/OCSF/ocsf/tests/test_network_activity_6.json +++ b/OCSF/ocsf/tests/test_network_activity_6.json 
@@ -171,7 +171,6 @@ "name": "simulations mountains flow", "uid": "5d954af8-5be7-11ee-9dec-0242ac110005" }, - "duration": 78, "file": { "accessed_time_dt": "2023-09-25T21:06:16.073784Z", "attributes": 43, @@ -222,7 +221,6 @@ "name": "quantities persian easy", "uid": "5d952ece-5be7-11ee-8ef1-0242ac110005", "url_string": "blog", - "vendor_name": "appliances building lauren", "version": "1.0.0" }, "profiles": [ diff --git a/OCSF/ocsf/tests/test_network_activity_7.json b/OCSF/ocsf/tests/test_network_activity_7.json index 35d48086a..d62b0552c 100644 --- a/OCSF/ocsf/tests/test_network_activity_7.json +++ b/OCSF/ocsf/tests/test_network_activity_7.json @@ -101,7 +101,6 @@ "name": "anaheim used riverside", "path": "volvo expired marketing", "uid": "63c0f6ac-5be7-11ee-a542-0242ac110005", - "vendor_name": "flowers billing iso", "version": "1.0.0" }, "profiles": [ diff --git a/OCSF/ocsf/tests/test_network_activity_8.json b/OCSF/ocsf/tests/test_network_activity_8.json index f8d19c3a7..6957b2a84 100644 --- a/OCSF/ocsf/tests/test_network_activity_8.json +++ b/OCSF/ocsf/tests/test_network_activity_8.json @@ -126,7 +126,6 @@ "lang": "en", "name": "islands unless trivia", "uid": "690566e8-5be7-11ee-bbe6-0242ac110005", - "vendor_name": "mai insight ws", "version": "1.0.0" }, "profiles": [ diff --git a/OCSF/ocsf/tests/test_network_activity_9.json b/OCSF/ocsf/tests/test_network_activity_9.json index 04d423bed..c538efa2e 100644 --- a/OCSF/ocsf/tests/test_network_activity_9.json +++ b/OCSF/ocsf/tests/test_network_activity_9.json @@ -98,7 +98,6 @@ "country": "Monaco, Principality of", "edition": "mortality achievements apparatus", "sp_name": "advanced addressed bomb", - "type": "macOS", "type_id": "300" }, "region": "bat johnston disability", @@ -142,7 +141,6 @@ "lang": "en", "name": "civilian clearance powerseller", "uid": "78c28282-5be7-11ee-989a-0242ac110005", - "vendor_name": "activists berlin dramatically", "version": "1.0.0" }, "profiles": [ 
diff --git a/OCSF/ocsf/tests/test_system_activity_1.json b/OCSF/ocsf/tests/test_system_activity_1.json index 5d502d605..ba5c0b2f0 100644 --- a/OCSF/ocsf/tests/test_system_activity_1.json +++ b/OCSF/ocsf/tests/test_system_activity_1.json @@ -159,7 +159,6 @@ "is_managed": true, "os": { "sp_ver": "35", - "type": "HP-UX", "type_id": "402" }, "region": "survival statewide blog", @@ -207,7 +206,6 @@ "name": "frederick avoiding settlement", "uid": "3574dd04-583b-11ee-9dd6-0242ac110005", "url_string": "subscribers", - "vendor_name": "biographies charts a", "version": "1.0.0" }, "profiles": [], diff --git a/OCSF/ocsf/tests/test_system_activity_2.json b/OCSF/ocsf/tests/test_system_activity_2.json index c566257f1..0caafc684 100644 --- a/OCSF/ocsf/tests/test_system_activity_2.json +++ b/OCSF/ocsf/tests/test_system_activity_2.json @@ -208,7 +208,6 @@ "type_id": "99" } }, - "duration": 56, "metadata": { "extension": { "name": "pirates went connecting", @@ -223,7 +222,6 @@ "path": "jc rim ranch", "uid": "19e7b8b8-61aa-11ee-b357-0242ac110005", "url_string": "placing", - "vendor_name": "lcd belong academics", "version": "1.0.0" }, "profiles": [ diff --git a/OCSF/ocsf/tests/test_system_activity_3.json b/OCSF/ocsf/tests/test_system_activity_3.json index da1832f95..82a03869e 100644 --- a/OCSF/ocsf/tests/test_system_activity_3.json +++ b/OCSF/ocsf/tests/test_system_activity_3.json @@ -251,7 +251,6 @@ }, "disposition": "recipes", "disposition_id": "99", - "duration": 24, "kernel": { "name": "summaries cornell blowing", "type": "System Call", @@ -266,7 +265,6 @@ "product": { "lang": "en", "uid": "6191ccc4-61ac-11ee-aacf-0242ac110005", - "vendor_name": "editors coordinate cvs", "version": "1.0.0" }, "profiles": [ diff --git a/OCSF/ocsf/tests/test_system_activity_4.json b/OCSF/ocsf/tests/test_system_activity_4.json index 28eab8906..6f7e47cd0 100644 --- a/OCSF/ocsf/tests/test_system_activity_4.json +++ b/OCSF/ocsf/tests/test_system_activity_4.json 
@@ -259,7 +259,6 @@ "lang": "en", "name": "asbestos settings medication", "uid": "f4506410-61ae-11ee-a485-0242ac110005", - "vendor_name": "evaluations belly reception", "version": "1.0.0" }, "profiles": [ diff --git a/OCSF/ocsf/tests/test_system_activity_5.json b/OCSF/ocsf/tests/test_system_activity_5.json index 5676da43f..3bc891719 100644 --- a/OCSF/ocsf/tests/test_system_activity_5.json +++ b/OCSF/ocsf/tests/test_system_activity_5.json @@ -265,7 +265,6 @@ "os": { "country": "Cuba, Republic of", "sp_ver": "3", - "type": "Android", "type_id": "201" }, "region": "slight centers swimming", @@ -316,7 +315,6 @@ "lang": "en", "name": "improving consist portfolio", "uid": "8b82a664-61b8-11ee-bb6e-0242ac110005", - "vendor_name": "completing watershed poor", "version": "1.0.0" }, "profiles": [ diff --git a/OCSF/ocsf/tests/test_system_activity_6.json b/OCSF/ocsf/tests/test_system_activity_6.json index 53dd9e444..f3a012b9e 100644 --- a/OCSF/ocsf/tests/test_system_activity_6.json +++ b/OCSF/ocsf/tests/test_system_activity_6.json @@ -216,7 +216,6 @@ "name": "rough cfr elephant", "uid": "442a6c38-61be-11ee-811a-0242ac110005", "url_string": "cl", - "vendor_name": "turkey directors vacations", "version": "1.0.0" }, "profiles": [ diff --git a/OCSF/ocsf/tests/test_system_activity_7.json b/OCSF/ocsf/tests/test_system_activity_7.json index 10fd5c45d..0e583b0f0 100644 --- a/OCSF/ocsf/tests/test_system_activity_7.json +++ b/OCSF/ocsf/tests/test_system_activity_7.json @@ -107,7 +107,6 @@ "interface_name": "requiring showtimes only", "interface_uid": "1d440e68-61bd-11ee-9bc1-0242ac110005", "os": { - "type": "iOS", "type_id": "301" }, "region": "terms quarter premium", @@ -115,7 +114,6 @@ }, "disposition": "Restored", "disposition_id": "9", - "duration": 4, "metadata": { "extension": { "name": "attempt directed associate", 
@@ -129,7 +127,6 @@ "name": "gallery crude arc", "uid": "1d43be36-61bd-11ee-9314-0242ac110005", "url_string": "registrar", - "vendor_name": "staffing steven textiles", "version": "1.0.0" }, "profiles": [ From 8c2ca6ade33425403dd7f9cbcdb0fd27c7266b1a Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Thu, 1 Feb 2024 13:08:07 +0200 Subject: [PATCH 14/34] Remove redundant fields --- OCSF/ocsf/_meta/fields.yml | 4 ++-- OCSF/ocsf/tests/test_application_activity_1.json | 4 ++-- OCSF/ocsf/tests/test_application_activity_2.json | 4 ++-- OCSF/ocsf/tests/test_application_activity_3.json | 4 ++-- OCSF/ocsf/tests/test_discovery_1.json | 4 ++-- OCSF/ocsf/tests/test_discovery_2.json | 4 ++-- OCSF/ocsf/tests/test_findings_1.json | 2 +- OCSF/ocsf/tests/test_iam_1.json | 4 ++-- OCSF/ocsf/tests/test_iam_2.json | 2 +- OCSF/ocsf/tests/test_iam_3.json | 4 ++-- OCSF/ocsf/tests/test_iam_4.json | 4 ++-- OCSF/ocsf/tests/test_network_activity_1.json | 2 +- OCSF/ocsf/tests/test_network_activity_10.json | 2 +- OCSF/ocsf/tests/test_network_activity_11.json | 4 ++-- OCSF/ocsf/tests/test_network_activity_12.json | 4 ++-- OCSF/ocsf/tests/test_network_activity_2.json | 4 ++-- OCSF/ocsf/tests/test_network_activity_3.json | 2 +- OCSF/ocsf/tests/test_network_activity_4.json | 4 ++-- OCSF/ocsf/tests/test_network_activity_5.json | 4 ++-- OCSF/ocsf/tests/test_network_activity_6.json | 4 ++-- OCSF/ocsf/tests/test_network_activity_7.json | 4 ++-- OCSF/ocsf/tests/test_network_activity_8.json | 4 ++-- OCSF/ocsf/tests/test_network_activity_9.json | 4 ++-- OCSF/ocsf/tests/test_system_activity_1.json | 4 ++-- OCSF/ocsf/tests/test_system_activity_2.json | 4 ++-- OCSF/ocsf/tests/test_system_activity_3.json | 4 ++-- OCSF/ocsf/tests/test_system_activity_4.json | 2 +- OCSF/ocsf/tests/test_system_activity_5.json | 4 ++-- OCSF/ocsf/tests/test_system_activity_6.json | 4 ++-- OCSF/ocsf/tests/test_system_activity_7.json | 4 ++-- 30 files changed, 54 insertions(+), 54 deletions(-) 
diff --git a/OCSF/ocsf/_meta/fields.yml b/OCSF/ocsf/_meta/fields.yml index 54aca5d71..571cb19d6 100644 --- a/OCSF/ocsf/_meta/fields.yml +++ b/OCSF/ocsf/_meta/fields.yml @@ -2355,7 +2355,7 @@ ocsf.class_uid: available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products. name: ocsf.class_uid - type: keyword + type: long ocsf.client_dialects: description: The list of SMB dialects that the client speaks. name: ocsf.client_dialects @@ -7020,7 +7020,7 @@ ocsf.status_detail: ocsf.status_id: description: The normalized identifier of the event status. name: ocsf.status_id - type: keyword + type: long ocsf.time_dt: description: The normalized event occurrence time. name: ocsf.time_dt diff --git a/OCSF/ocsf/tests/test_application_activity_1.json b/OCSF/ocsf/tests/test_application_activity_1.json index 31fc0824a..b9684ac1c 100644 --- a/OCSF/ocsf/tests/test_application_activity_1.json +++ b/OCSF/ocsf/tests/test_application_activity_1.json @@ -61,7 +61,7 @@ "category_name": "Application Activity", "category_uid": 6, "class_name": "Web Resource Access Activity", - "class_uid": "6004", + "class_uid": 6004, "cloud": { "org": { "name": "brazil newbie loc", @@ -122,7 +122,7 @@ "severity": "High", "start_time_dt": "2023-09-21T06:42:26.634761Z", "status": "Unknown", - "status_id": "0", + "status_id": 0, "timezone_offset": 55, "type_name": "Web Resource Access Activity: Access Error", "type_uid": "600404", diff --git a/OCSF/ocsf/tests/test_application_activity_2.json b/OCSF/ocsf/tests/test_application_activity_2.json index 86a97bfcb..584756a32 100644 --- a/OCSF/ocsf/tests/test_application_activity_2.json +++ b/OCSF/ocsf/tests/test_application_activity_2.json 
@@ -31,7 +31,7 @@ "category_name": "Application Activity", "category_uid": 6, "class_name": "Web Resources Activity", - "class_uid": "6001", + "class_uid": 6001, "metadata": { "log_name": "ur bother bearing", "log_version": "three maritime cowboy", @@ -67,7 +67,7 @@ }, "status": "Failure", "status_detail": "only zone its", - "status_id": "2", + "status_id": 2, "timezone_offset": 83, "type_name": "Web Resources Activity: Create", "type_uid": "600101", diff --git a/OCSF/ocsf/tests/test_application_activity_3.json b/OCSF/ocsf/tests/test_application_activity_3.json index 9ed9ca01d..0ff3625b1 100644 --- a/OCSF/ocsf/tests/test_application_activity_3.json +++ b/OCSF/ocsf/tests/test_application_activity_3.json @@ -61,7 +61,7 @@ "category_name": "Application Activity", "category_uid": 6, "class_name": "Application Lifecycle", - "class_uid": "6002", + "class_uid": 6002, "cloud": { "account": { "type": "AWS Account", @@ -116,7 +116,7 @@ "start_time_dt": "2023-09-21T06:59:23.200400Z", "status": "Success", "status_detail": "rat forth dishes", - "status_id": "1", + "status_id": 1, "type_name": "Application Lifecycle: Other", "type_uid": "600299" }, diff --git a/OCSF/ocsf/tests/test_discovery_1.json b/OCSF/ocsf/tests/test_discovery_1.json index 5dfbc4685..fb01d6ab5 100644 --- a/OCSF/ocsf/tests/test_discovery_1.json +++ b/OCSF/ocsf/tests/test_discovery_1.json @@ -46,7 +46,7 @@ "category_name": "Discovery", "category_uid": 5, "class_name": "Device Config State", - "class_uid": "5002", + "class_uid": 5002, "cloud": { "org": { "ou_name": "determined apr sheets", @@ -101,7 +101,7 @@ }, "severity": "Fatal", "status": "creativity", - "status_id": "99", + "status_id": 99, "timezone_offset": 0, "type_name": "Device Config State: Collect", "type_uid": "500202" diff --git a/OCSF/ocsf/tests/test_discovery_2.json b/OCSF/ocsf/tests/test_discovery_2.json index ae75c9b60..701b86e69 100644 --- a/OCSF/ocsf/tests/test_discovery_2.json +++ b/OCSF/ocsf/tests/test_discovery_2.json 
@@ -59,7 +59,7 @@ "category_name": "Discovery", "category_uid": 5, "class_name": "Device Inventory Info", - "class_uid": "5001", + "class_uid": 5001, "cloud": { "org": { "name": "black lets promotions", @@ -120,7 +120,7 @@ "start_time_dt": "2023-09-21T07:07:16.394812Z", "status": "Success", "status_code": "vancouver", - "status_id": "1", + "status_id": 1, "timezone_offset": 65, "type_name": "Device Inventory Info: Collect", "type_uid": "500102" diff --git a/OCSF/ocsf/tests/test_findings_1.json b/OCSF/ocsf/tests/test_findings_1.json index 48a85b261..6a15db2ac 100644 --- a/OCSF/ocsf/tests/test_findings_1.json +++ b/OCSF/ocsf/tests/test_findings_1.json @@ -36,7 +36,7 @@ "category_name": "Findings", "category_uid": 2, "class_name": "Security Finding", - "class_uid": "2001", + "class_uid": 2001, "compliance": { "requirements": [ "PCI1.2" diff --git a/OCSF/ocsf/tests/test_iam_1.json b/OCSF/ocsf/tests/test_iam_1.json index b22589c12..817d6b7b9 100644 --- a/OCSF/ocsf/tests/test_iam_1.json +++ b/OCSF/ocsf/tests/test_iam_1.json @@ -35,7 +35,7 @@ "category_name": "Identity & Access Management", "category_uid": 3, "class_name": "Authorize Session", - "class_uid": "3003", + "class_uid": 3003, "group": { "desc": "checking tion ii", "privileges": [ @@ -69,7 +69,7 @@ "severity": "Low", "status": "Unknown", "status_code": "seo", - "status_id": "0", + "status_id": 0, "timezone_offset": 34, "type_name": "Authorize Session: Unknown", "type_uid": "300300", diff --git a/OCSF/ocsf/tests/test_iam_2.json b/OCSF/ocsf/tests/test_iam_2.json index 18ca05dcd..7eef5727f 100644 --- a/OCSF/ocsf/tests/test_iam_2.json +++ b/OCSF/ocsf/tests/test_iam_2.json @@ -25,7 +25,7 @@ "category_name": "Identity & Access Management", "category_uid": 3, "class_name": "Entity Management", - "class_uid": "3004", + "class_uid": 3004, "entity": { "name": "sweden temperatures paste", "type": "founder quilt bone", 
diff --git a/OCSF/ocsf/tests/test_iam_3.json b/OCSF/ocsf/tests/test_iam_3.json index 1c0b306bf..b73ce22b4 100644 --- a/OCSF/ocsf/tests/test_iam_3.json +++ b/OCSF/ocsf/tests/test_iam_3.json @@ -37,7 +37,7 @@ "category_name": "Identity & Access Management", "category_uid": 3, "class_name": "Group Management", - "class_uid": "3006", + "class_uid": 3006, "count": 37, "enrichments": [ { @@ -61,7 +61,7 @@ }, "severity": "Low", "status": "Success", - "status_id": "1", + "status_id": 1, "timezone_offset": 81, "type_name": "Group Management: Add User", "type_uid": "300603", diff --git a/OCSF/ocsf/tests/test_iam_4.json b/OCSF/ocsf/tests/test_iam_4.json index a0c4f76ba..17b51d95b 100644 --- a/OCSF/ocsf/tests/test_iam_4.json +++ b/OCSF/ocsf/tests/test_iam_4.json @@ -34,7 +34,7 @@ "category_name": "Identity & Access Management", "category_uid": 3, "class_name": "User Access Management", - "class_uid": "3005", + "class_uid": 3005, "metadata": { "log_name": "gravity bill gp", "logged_time": 1696581958, @@ -90,7 +90,7 @@ }, "severity": "Medium", "status": "abstracts", - "status_id": "99", + "status_id": 99, "timezone_offset": 28, "type_name": "User Access Management: Unknown", "type_uid": "300500", diff --git a/OCSF/ocsf/tests/test_network_activity_1.json b/OCSF/ocsf/tests/test_network_activity_1.json index 583e29c7d..7ec191525 100644 --- a/OCSF/ocsf/tests/test_network_activity_1.json +++ b/OCSF/ocsf/tests/test_network_activity_1.json @@ -52,7 +52,7 @@ "category_name": "Network Activity", "category_uid": 4, "class_name": "Network Activity", - "class_uid": "4001", + "class_uid": 4001, "connection_info": { "boundary": "-", "boundary_id": "99", diff --git a/OCSF/ocsf/tests/test_network_activity_10.json b/OCSF/ocsf/tests/test_network_activity_10.json index f291dfcc4..483317cba 100644 --- a/OCSF/ocsf/tests/test_network_activity_10.json +++ b/OCSF/ocsf/tests/test_network_activity_10.json 
@@ -174,7 +174,7 @@ "category_name": "Network Activity", "category_uid": 4, "class_name": "Network File Activity", - "class_uid": "4010", + "class_uid": 4010, "enrichments": [ { "data": "{\"drug\": \"drugg7899\"}", diff --git a/OCSF/ocsf/tests/test_network_activity_11.json b/OCSF/ocsf/tests/test_network_activity_11.json index f437c4561..163646bb5 100644 --- a/OCSF/ocsf/tests/test_network_activity_11.json +++ b/OCSF/ocsf/tests/test_network_activity_11.json @@ -76,7 +76,7 @@ "category_name": "Network Activity", "category_uid": 4, "class_name": "Email File Activity", - "class_uid": "4011", + "class_uid": 4011, "cloud": { "account": { "type": "AWS Account", @@ -168,7 +168,7 @@ }, "severity": "Critical", "status": "annually", - "status_id": "99", + "status_id": 99, "timezone_offset": 0, "type_name": "Email File Activity: Send", "type_uid": "401101" diff --git a/OCSF/ocsf/tests/test_network_activity_12.json b/OCSF/ocsf/tests/test_network_activity_12.json index 3a9f17d21..473d8c79c 100644 --- a/OCSF/ocsf/tests/test_network_activity_12.json +++ b/OCSF/ocsf/tests/test_network_activity_12.json @@ -51,7 +51,7 @@ "category_name": "Network Activity", "category_uid": 4, "class_name": "Email URL Activity", - "class_uid": "4012", + "class_uid": 4012, "cloud": { "account": { "type": "Azure AD Account", @@ -132,7 +132,7 @@ "severity": "electrical", "status": "Success", "status_detail": "released oxygen reasonable", - "status_id": "1", + "status_id": 1, "timezone_offset": 34, "type_name": "Email URL Activity: Receive", "type_uid": "401202", diff --git a/OCSF/ocsf/tests/test_network_activity_2.json b/OCSF/ocsf/tests/test_network_activity_2.json index e3949e56d..9662f8f4a 100644 --- a/OCSF/ocsf/tests/test_network_activity_2.json +++ b/OCSF/ocsf/tests/test_network_activity_2.json 
@@ -74,7 +74,7 @@ "category_name": "Network Activity", "category_uid": 4, "class_name": "HTTP Activity", - "class_uid": "4002", + "class_uid": 4002, "connection_info": { "direction": "andreas", "direction_id": "99" @@ -192,7 +192,7 @@ "vlan_uid": "29ef0900-5be7-11ee-937e-0242ac110005" }, "status": "Success", - "status_id": "1", + "status_id": 1, "timezone_offset": 78, "type_name": "HTTP Activity: Connect", "type_uid": "400201" diff --git a/OCSF/ocsf/tests/test_network_activity_3.json b/OCSF/ocsf/tests/test_network_activity_3.json index 46cc4b35d..28b1336fe 100644 --- a/OCSF/ocsf/tests/test_network_activity_3.json +++ b/OCSF/ocsf/tests/test_network_activity_3.json @@ -71,7 +71,7 @@ "category_name": "Network Activity", "category_uid": 4, "class_name": "DNS Activity", - "class_uid": "4003", + "class_uid": 4003, "connection_info": { "direction": "Unknown", "direction_id": "0" diff --git a/OCSF/ocsf/tests/test_network_activity_4.json b/OCSF/ocsf/tests/test_network_activity_4.json index 93a09c9e3..3f06f9100 100644 --- a/OCSF/ocsf/tests/test_network_activity_4.json +++ b/OCSF/ocsf/tests/test_network_activity_4.json @@ -77,7 +77,7 @@ "category_name": "Network Activity", "category_uid": 4, "class_name": "DHCP Activity", - "class_uid": "4004", + "class_uid": 4004, "count": 2, "device": { "groups": [ @@ -155,7 +155,7 @@ }, "status": "Failure", "status_detail": "relates cornwall cope", - "status_id": "2", + "status_id": 2, "timezone_offset": 7, "transaction_uid": "3b989194-5be7-11ee-b97e-0242ac110005", "type_name": "DHCP Activity: Nak", diff --git a/OCSF/ocsf/tests/test_network_activity_5.json b/OCSF/ocsf/tests/test_network_activity_5.json index f0194f4ee..2c1d659b5 100644 --- a/OCSF/ocsf/tests/test_network_activity_5.json +++ b/OCSF/ocsf/tests/test_network_activity_5.json 
@@ -131,7 +131,7 @@ "category_name": "Network Activity", "category_uid": 4, "class_name": "RDP Activity", - "class_uid": "4005", + "class_uid": 4005, "connection_info": { "boundary": "direction design hook", "direction": "Unknown", @@ -212,7 +212,7 @@ }, "status": "chronicle", "status_code": "lectures", - "status_id": "99", + "status_id": 99, "timezone_offset": 14, "tls": { "certificate": { diff --git a/OCSF/ocsf/tests/test_network_activity_6.json b/OCSF/ocsf/tests/test_network_activity_6.json index ac0a30725..85f82f101 100644 --- a/OCSF/ocsf/tests/test_network_activity_6.json +++ b/OCSF/ocsf/tests/test_network_activity_6.json @@ -131,7 +131,7 @@ "category_name": "Network Activity", "category_uid": 4, "class_name": "SMB Activity", - "class_uid": "4006", + "class_uid": 4006, "client_dialects": [ "avg pages denial", "gabriel ourselves diameter" @@ -249,7 +249,7 @@ "vpc_uid": "5d95aec6-5be7-11ee-b409-0242ac110005" }, "status": "Failure", - "status_id": "2", + "status_id": 2, "time_dt": "2023-09-25T21:06:16.072807Z", "timezone_offset": 21, "type_name": "SMB Activity: File Create", diff --git a/OCSF/ocsf/tests/test_network_activity_7.json b/OCSF/ocsf/tests/test_network_activity_7.json index d62b0552c..05d2e2ce7 100644 --- a/OCSF/ocsf/tests/test_network_activity_7.json +++ b/OCSF/ocsf/tests/test_network_activity_7.json @@ -61,7 +61,7 @@ "category_name": "Network Activity", "category_uid": 4, "class_name": "SSH Activity", - "class_uid": "4007", + "class_uid": 4007, "client_hassh": { "algorithm": "gave dollars relocation", "fingerprint": { @@ -140,7 +140,7 @@ "vpc_uid": "63c1fa70-5be7-11ee-ac6c-0242ac110005" }, "status": "Failure", - "status_id": "2", + "status_id": 2, "time_dt": "2023-09-25T21:06:26.429430Z", "timezone_offset": 88, "type_name": "SSH Activity: Unknown", diff --git a/OCSF/ocsf/tests/test_network_activity_8.json b/OCSF/ocsf/tests/test_network_activity_8.json index 6957b2a84..b6fc9b042 100644 --- a/OCSF/ocsf/tests/test_network_activity_8.json 
+++ b/OCSF/ocsf/tests/test_network_activity_8.json @@ -93,7 +93,7 @@ "category_name": "Network Activity", "category_uid": 4, "class_name": "FTP Activity", - "class_uid": "4008", + "class_uid": 4008, "codes": [ 44 ], @@ -152,7 +152,7 @@ }, "status": "discussions", "status_code": "certificates", - "status_id": "99", + "status_id": 99, "timezone_offset": 79, "type": "seller luther nursery", "type_name": "FTP Activity: Unknown", diff --git a/OCSF/ocsf/tests/test_network_activity_9.json b/OCSF/ocsf/tests/test_network_activity_9.json index c538efa2e..10e771bac 100644 --- a/OCSF/ocsf/tests/test_network_activity_9.json +++ b/OCSF/ocsf/tests/test_network_activity_9.json @@ -63,7 +63,7 @@ "category_name": "Network Activity", "category_uid": 4, "class_name": "Email Activity", - "class_uid": "4009", + "class_uid": 4009, "device": { "created_time_dt": "2023-09-25T21:07:01.668193Z", "instance_uid": "78c328c2-5be7-11ee-8cdd-0242ac110005", @@ -157,7 +157,7 @@ "smtp_hello": "jurisdiction charts prerequisite", "status": "Success", "status_detail": "bm around ranking", - "status_id": "1", + "status_id": 1, "timezone_offset": 24, "type_name": "Email Activity: Other", "type_uid": "400999" diff --git a/OCSF/ocsf/tests/test_system_activity_1.json b/OCSF/ocsf/tests/test_system_activity_1.json index ba5c0b2f0..30fb2d06d 100644 --- a/OCSF/ocsf/tests/test_system_activity_1.json +++ b/OCSF/ocsf/tests/test_system_activity_1.json @@ -129,7 +129,7 @@ "category_name": "System Activity", "category_uid": 1, "class_name": "File System Activity", - "class_uid": "1001", + "class_uid": 1001, "create_mask": "lu hairy cases", "device": { "desc": "gene screens plenty", @@ -213,7 +213,7 @@ }, "severity": "High", "status": "same", - "status_id": "99", + "status_id": 99, "timezone_offset": 14, "type_name": "File System Activity: Rename", "type_uid": "100105" diff --git a/OCSF/ocsf/tests/test_system_activity_2.json b/OCSF/ocsf/tests/test_system_activity_2.json index 0caafc684..862586cbc 100644 
--- a/OCSF/ocsf/tests/test_system_activity_2.json +++ b/OCSF/ocsf/tests/test_system_activity_2.json @@ -165,7 +165,7 @@ "category_name": "System Activity", "category_uid": 1, "class_name": "Kernel Extension Activity", - "class_uid": "1002", + "class_uid": 1002, "cloud": { "org": { "name": "virus legislative schemes", @@ -236,7 +236,7 @@ "severity": "Low", "status": "Unknown", "status_detail": "tablets vernon opinion", - "status_id": "0", + "status_id": 0, "timezone_offset": 26, "type_name": "Kernel Extension Activity: Unload", "type_uid": "100202" diff --git a/OCSF/ocsf/tests/test_system_activity_3.json b/OCSF/ocsf/tests/test_system_activity_3.json index 82a03869e..4184a0e3a 100644 --- a/OCSF/ocsf/tests/test_system_activity_3.json +++ b/OCSF/ocsf/tests/test_system_activity_3.json @@ -221,7 +221,7 @@ "category_name": "System Activity", "category_uid": 1, "class_name": "Kernel Activity", - "class_uid": "1003", + "class_uid": 1003, "device": { "autoscale_uid": "6191f41a-61ac-11ee-b68a-0242ac110005", "desc": "recommendations norman ventures", @@ -291,7 +291,7 @@ "severity": "Medium", "status": "Success", "status_code": "user", - "status_id": "1", + "status_id": 1, "time_dt": "2023-10-03T05:19:09.440241Z", "timezone_offset": 54, "type_name": "Kernel Activity: Create", diff --git a/OCSF/ocsf/tests/test_system_activity_4.json b/OCSF/ocsf/tests/test_system_activity_4.json index 6f7e47cd0..2745d6b0c 100644 --- a/OCSF/ocsf/tests/test_system_activity_4.json +++ b/OCSF/ocsf/tests/test_system_activity_4.json @@ -222,7 +222,7 @@ "category_name": "System Activity", "category_uid": 1, "class_name": "Memory Activity", - "class_uid": "1004", + "class_uid": 1004, "device": { "created_time": 1695272181548, "first_seen_time": 1695272181548, diff --git a/OCSF/ocsf/tests/test_system_activity_5.json b/OCSF/ocsf/tests/test_system_activity_5.json index 3bc891719..84bc1843e 100644 --- a/OCSF/ocsf/tests/test_system_activity_5.json +++ b/OCSF/ocsf/tests/test_system_activity_5.json 
@@ -211,7 +211,7 @@ "category_name": "System Activity", "category_uid": 1, "class_name": "Module Activity", - "class_uid": "1005", + "class_uid": 1005, "cloud": { "account": { "type": "AWS Account", @@ -359,7 +359,7 @@ }, "severity": "minutes", "status": "Unknown", - "status_id": "0", + "status_id": 0, "timezone_offset": 8, "type_name": "Module Activity: Load", "type_uid": "100501" diff --git a/OCSF/ocsf/tests/test_system_activity_6.json b/OCSF/ocsf/tests/test_system_activity_6.json index f3a012b9e..4a05c47b4 100644 --- a/OCSF/ocsf/tests/test_system_activity_6.json +++ b/OCSF/ocsf/tests/test_system_activity_6.json @@ -190,7 +190,7 @@ "category_name": "System Activity", "category_uid": 1, "class_name": "Process Activity", - "class_uid": "1007", + "class_uid": 1007, "device": { "hypervisor": "indianapolis finite serious", "interface_name": "officials janet subscribe", @@ -229,7 +229,7 @@ }, "severity": "doctors", "status": "vcr", - "status_id": "99", + "status_id": 99, "timezone_offset": 75, "type_name": "Process Activity: Set User ID", "type_uid": "100705" diff --git a/OCSF/ocsf/tests/test_system_activity_7.json b/OCSF/ocsf/tests/test_system_activity_7.json index 0e583b0f0..a22f58a5e 100644 --- a/OCSF/ocsf/tests/test_system_activity_7.json +++ b/OCSF/ocsf/tests/test_system_activity_7.json @@ -80,7 +80,7 @@ "category_name": "System Activity", "category_uid": 1, "class_name": "Scheduled Job Activity", - "class_uid": "1006", + "class_uid": 1006, "cloud": { "org": { "name": "pf months already", @@ -141,7 +141,7 @@ "severity": "Low", "status": "Failure", "status_code": "respond", - "status_id": "2", + "status_id": 2, "timezone_offset": 87, "type_name": "Scheduled Job Activity: Other", "type_uid": "100699" From 391cc97289b70b93dd75783ceb4821cf19c1a411 Mon Sep 17 00:00:00 2001 
From: lvoloshyn-sekoia Date: Fri, 2 Feb 2024 14:46:15 +0200 Subject: [PATCH 15/34] Fix parser --- OCSF/ocsf/_meta/fields.yml | 85 -------- OCSF/ocsf/ingest/parser.yml | 127 ++++++++++++ OCSF/ocsf/tests/test_network_activity_10.json | 30 +-- OCSF/ocsf/tests/test_network_activity_11.json | 6 +- OCSF/ocsf/tests/test_network_activity_6.json | 18 +- OCSF/ocsf/tests/test_system_activity_1.json | 40 ++-- OCSF/ocsf/tests/test_system_activity_2.json | 29 +-- OCSF/ocsf/tests/test_system_activity_3.json | 24 +-- OCSF/ocsf/tests/test_system_activity_4.json | 30 +-- OCSF/ocsf/tests/test_system_activity_5.json | 28 +-- OCSF/ocsf/tests/test_system_activity_6.json | 18 +- OCSF/ocsf/tests/test_system_activity_7.json | 196 +++++++----------- 12 files changed, 278 insertions(+), 353 deletions(-) diff --git a/OCSF/ocsf/_meta/fields.yml b/OCSF/ocsf/_meta/fields.yml index 571cb19d6..6f61e4419 100644 --- a/OCSF/ocsf/_meta/fields.yml +++ b/OCSF/ocsf/_meta/fields.yml @@ -369,23 +369,6 @@ ocsf.actor.process.file.desc: the description as returned by the Unix file command or the Windows file type." name: ocsf.actor.process.file.desc type: keyword -ocsf.actor.process.file.hashes.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.actor.process.file.hashes.algorithm - type: keyword -ocsf.actor.process.file.hashes.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.actor.process.file.hashes.algorithm_id - type: keyword -ocsf.actor.process.file.hashes.value: - description: The digital fingerprint value. - name: ocsf.actor.process.file.hashes.value - type: keyword ocsf.actor.process.file.is_system: description: The indication of whether the object is part of the operating system. name: ocsf.actor.process.file.is_system 
@@ -1112,23 +1095,6 @@ ocsf.actor.process.parent_process.file.desc:
 the description as returned by the Unix file command or the Windows file type."
 name: ocsf.actor.process.parent_process.file.desc
 type: keyword
-ocsf.actor.process.parent_process.file.hashes.algorithm:
- description:
- The hash algorithm used to create the digital fingerprint, normalized
- to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
- event source.
- name: ocsf.actor.process.parent_process.file.hashes.algorithm
- type: keyword
-ocsf.actor.process.parent_process.file.hashes.algorithm_id:
- description:
- The identifier of the normalized hash algorithm, which was used to
- create the digital fingerprint.
- name: ocsf.actor.process.parent_process.file.hashes.algorithm_id
- type: keyword
-ocsf.actor.process.parent_process.file.hashes.value:
- description: The digital fingerprint value.
- name: ocsf.actor.process.parent_process.file.hashes.value
- type: keyword
 ocsf.actor.process.parent_process.file.is_system:
 description: The indication of whether the object is part of the operating system.
 name: ocsf.actor.process.parent_process.file.is_system
@@ -3202,23 +3168,6 @@ ocsf.driver.file.desc:
 the description as returned by the Unix file command or the Windows file type."
 name: ocsf.driver.file.desc
 type: keyword
-ocsf.driver.file.hashes.algorithm:
- description:
- The hash algorithm used to create the digital fingerprint, normalized
- to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
- event source.
- name: ocsf.driver.file.hashes.algorithm
- type: keyword
-ocsf.driver.file.hashes.algorithm_id:
- description:
- The identifier of the normalized hash algorithm, which was used to
- create the digital fingerprint.
- name: ocsf.driver.file.hashes.algorithm_id
- type: keyword
-ocsf.driver.file.hashes.value:
- description: The digital fingerprint value.
- name: ocsf.driver.file.hashes.value
- type: keyword
 ocsf.driver.file.is_system:
 description: The indication of whether the object is part of the operating system.
 name: ocsf.driver.file.is_system
@@ -4000,23 +3949,6 @@ ocsf.file.desc:
 the description as returned by the Unix file command or the Windows file type."
 name: ocsf.file.desc
 type: keyword
-ocsf.file.hashes.algorithm:
- description:
- The hash algorithm used to create the digital fingerprint, normalized
- to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
- event source.
- name: ocsf.file.hashes.algorithm
- type: keyword
-ocsf.file.hashes.algorithm_id:
- description:
- The identifier of the normalized hash algorithm, which was used to
- create the digital fingerprint.
- name: ocsf.file.hashes.algorithm_id
- type: keyword
-ocsf.file.hashes.value:
- description: The digital fingerprint value.
- name: ocsf.file.hashes.value
- type: keyword
 ocsf.file.is_system:
 description: The indication of whether the object is part of the operating system.
 name: ocsf.file.is_system
@@ -5826,23 +5758,6 @@ ocsf.module.file.desc:
 the description as returned by the Unix file command or the Windows file type."
 name: ocsf.module.file.desc
 type: keyword
-ocsf.module.file.hashes.algorithm:
- description:
- The hash algorithm used to create the digital fingerprint, normalized
- to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
- event source.
- name: ocsf.module.file.hashes.algorithm
- type: keyword
-ocsf.module.file.hashes.algorithm_id:
- description:
- The identifier of the normalized hash algorithm, which was used to
- create the digital fingerprint.
- name: ocsf.module.file.hashes.algorithm_id
- type: keyword
-ocsf.module.file.hashes.value:
- description: The digital fingerprint value.
- name: ocsf.module.file.hashes.value
- type: keyword
 ocsf.module.file.is_system:
 description: The indication of whether the object is part of the operating system.
 name: ocsf.module.file.is_system
diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml
index 87ac4b261..5d0eecd44 100644
--- a/OCSF/ocsf/ingest/parser.yml
+++ b/OCSF/ocsf/ingest/parser.yml
@@ -287,6 +287,20 @@ stages:
 file.x509.version_number: "{{ parse_event.message.actor.process.file.signature.certificate.version }}"
 process.command_line: "{{ parse_event.message.actor.process.cmd_line }}"
 process.end: "{{ parse_event.message.actor.process.terminated_tim | to_rfc3339 }}"
+ - set:
+ file.hash.md5: >
+ {%- for item in parse_event.message.actor.process.file.hashes -%}{%- if item.algorithm == 'MD5' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ file.hash.sha1: >
+ {%- for item in parse_event.message.actor.process.file.hashes -%}{%- if item.algorithm == 'SHA-1' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ file.hash.sha256: >
+ {%- for item in parse_event.message.actor.process.file.hashes -%}{%- if item.algorithm == 'SHA-256' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ file.hash.sha512: >
+ {%- for item in parse_event.message.actor.process.file.hashes -%}{%- if item.algorithm == 'SHA-512' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ file.hash.ssdeep: >
+ {%- for item in parse_event.message.actor.process.file.hashes -%}{%- if item.algorithm == 'CTPH' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ file.hash.tlsh: >
+ {%- for item in parse_event.message.actor.process.file.hashes -%}{%- if item.algorithm == 'TLSH' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+
 - set:
 process.group.id:
 - "{{ parse_event.message.actor.process.egid }}"
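Review bot: Each new `file.hash.*` template concatenates every matching entry, so a `hashes` array that carries two entries with the same `algorithm` renders one run-together string that is not a valid digest, and matching only on the caption string misses producers that spell the caption differently while still sending the normalized `algorithm_id` (the removed fields.yml text describes `algorithm` as the caption of `algorithm_id`). If the template engine exposes Jinja's built-in filters, taking the first match is shorter and duplicate-safe, e.g. `file.hash.md5: "{{ parse_event.message.actor.process.file.hashes | selectattr('algorithm', 'equalto', 'MD5') | map(attribute='value') | first }}"`; the same applies to the process, file, driver, job and module hash blocks in the following hunks. This `set` and the ones for `process.file` and `file` carry no `filter:`, and the driver/job/module ones only test `.file != null`, so when `hashes` is absent all six keys render as empty strings; unless the engine drops empty values, a later block will overwrite hashes already populated from an earlier object, and `filter: "{{ parse_event.message.actor.process.file.hashes != null }}"` on each hash block would prevent that. Separately, the context line `process.end` reads `terminated_tim` where the sibling `process` hunk uses `terminated_time`, which looks like a pre-existing typo this commit leaves in place.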
@@ -533,6 +547,20 @@ stages:
 file.x509.version_number: "{{ parse_event.message.process.file.signature.certificate.version }}"
 process.command_line: "{{ parse_event.message.process.cmd_line }}"
 process.end: "{{ parse_event.message.process.terminated_time | to_rfc3339 }}"
+ - set:
+ file.hash.md5: >
+ {%- for item in parse_event.message.process.file.hashes -%}{%- if item.algorithm == 'MD5' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ file.hash.sha1: >
+ {%- for item in parse_event.message.process.file.hashes -%}{%- if item.algorithm == 'SHA-1' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ file.hash.sha256: >
+ {%- for item in parse_event.message.process.file.hashes -%}{%- if item.algorithm == 'SHA-256' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ file.hash.sha512: >
+ {%- for item in parse_event.message.process.file.hashes -%}{%- if item.algorithm == 'SHA-512' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ file.hash.ssdeep: >
+ {%- for item in parse_event.message.process.file.hashes -%}{%- if item.algorithm == 'CTPH' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ file.hash.tlsh: >
+ {%- for item in parse_event.message.process.file.hashes -%}{%- if item.algorithm == 'TLSH' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+
 - set:
 process.group.id:
 - "{{ parse_event.message.process.egid }}"
@@ -671,9 +699,57 @@ stages: file.x509.serial_number: "{{ parse_event.message.file.signature.certificate.serial_number }}" file.x509.subject.distinguished_name: "{{ parse_event.message.file.signature.certificate.subject }}" file.x509.version_number: "{{ parse_event.message.file.signature.certificate.version }}" + - set: + file.hash.md5: > + {%- for item in parse_event.message.file.hashes -%}{%- if item.algorithm == 'MD5' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha1: > + {%- for item in parse_event.message.file.hashes -%}{%- if item.algorithm == 'SHA-1' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha256: > + {%- for item in parse_event.message.file.hashes -%}{%- if item.algorithm == 'SHA-256' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha512: > + {%- for item in parse_event.message.file.hashes -%}{%- if item.algorithm == 'SHA-512' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.ssdeep: > + {%- for item in parse_event.message.file.hashes -%}{%- if item.algorithm == 'CTPH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.tlsh: > + {%- for item in parse_event.message.file.hashes -%}{%- if item.algorithm == 'TLSH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} pipeline_object_system_activity_helper: actions: + - set: + file.accessed: "{{ parse_event.message.driver.file.accessed_time | to_rfc3339 }}" + file.created: "{{ parse_event.message.driver.file.created_time | to_rfc3339 }}" + file.directory: "{{ parse_event.message.driver.file.parent_folder }}" + file.inode: "{{ parse_event.message.driver.file.uid }}" + file.mime_type: "{{ parse_event.message.driver.file.mime_type }}" + file.mtime: "{{ parse_event.message.driver.file.modified_time | to_rfc3339 }}" + file.name: "{{ parse_event.message.driver.file.name }}" + file.owner: "{{ parse_event.message.driver.file.owner.name }}" + file.path: "{{ parse_event.message.driver.file.path }}" + file.size: "{{ parse_event.message.driver.file.size }}" + file.type: 
"{{ parse_event.message.driver.file.type }}" + file.uid: "{{ parse_event.message.driver.file.owner.uid }}" + file.x509.issuer.distinguished_name: "{{ parse_event.message.driver.file.signature.certificate.issuer }}" + file.x509.not_after: "{{ parse_event.message.driver.file.signature.certificate.expiration_time | to_rfc3339 }}" + file.x509.serial_number: "{{ parse_event.message.driver.file.signature.certificate.serial_number }}" + file.x509.subject.distinguished_name: "{{ parse_event.message.driver.file.signature.certificate.subject }}" + file.x509.version_number: "{{ parse_event.message.driver.file.signature.certificate.version }}" + filter: "{{ parse_event.message.driver.file != null }}" + + - set: + file.hash.md5: > + {%- for item in parse_event.message.driver.file.hashes -%}{%- if item.algorithm == 'MD5' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha1: > + {%- for item in parse_event.message.driver.file.hashes -%}{%- if item.algorithm == 'SHA-1' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha256: > + {%- for item in parse_event.message.driver.file.hashes -%}{%- if item.algorithm == 'SHA-256' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha512: > + {%- for item in parse_event.message.driver.file.hashes -%}{%- if item.algorithm == 'SHA-512' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.ssdeep: > + {%- for item in parse_event.message.driver.file.hashes -%}{%- if item.algorithm == 'CTPH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.tlsh: > + {%- for item in parse_event.message.driver.file.hashes -%}{%- if item.algorithm == 'TLSH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + filter: "{{ parse_event.message.driver.file != null }}" + - set: file.accessed: "{{ parse_event.message.job.file.accessed_time | to_rfc3339 }}" file.created: "{{ parse_event.message.job.file.created_time | to_rfc3339 }}" 
@@ -692,6 +768,57 @@ stages:
 file.x509.serial_number: "{{ parse_event.message.job.file.signature.certificate.serial_number }}"
 file.x509.subject.distinguished_name: "{{ parse_event.message.job.file.signature.certificate.subject }}"
 file.x509.version_number: "{{ parse_event.message.job.file.signature.certificate.version }}"
+ filter: "{{ parse_event.message.job.file != null }}"
+
+ - set:
+ file.hash.md5: >
+ {%- for item in parse_event.message.job.file.hashes -%}{%- if item.algorithm == 'MD5' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ file.hash.sha1: >
+ {%- for item in parse_event.message.job.file.hashes -%}{%- if item.algorithm == 'SHA-1' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ file.hash.sha256: >
+ {%- for item in parse_event.message.job.file.hashes -%}{%- if item.algorithm == 'SHA-256' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ file.hash.sha512: >
+ {%- for item in parse_event.message.job.file.hashes -%}{%- if item.algorithm == 'SHA-512' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ file.hash.ssdeep: >
+ {%- for item in parse_event.message.job.file.hashes -%}{%- if item.algorithm == 'CTPH' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ file.hash.tlsh: >
+ {%- for item in parse_event.message.job.file.hashes -%}{%- if item.algorithm == 'TLSH' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ filter: "{{ parse_event.message.job.file != null }}"
+
+ - set:
+ file.accessed: "{{ parse_event.message.module.file.accessed_time | to_rfc3339 }}"
+ file.created: "{{ parse_event.message.module.file.created_time | to_rfc3339 }}"
+ file.directory: "{{ parse_event.message.module.file.parent_folder }}"
+ file.inode: "{{ parse_event.message.module.file.uid }}"
+ file.mime_type: "{{ parse_event.message.module.file.mime_type }}"
+ file.mtime: "{{ parse_event.message.module.file.modified_time | to_rfc3339 }}"
+ file.name: "{{ parse_event.message.module.file.name }}"
+ file.owner: "{{ parse_event.message.module.file.owner.name }}"
+ file.path: "{{ 
parse_event.message.module.file.path }}"
+ file.size: "{{ parse_event.message.module.file.size }}"
+ file.type: "{{ parse_event.message.module.file.type }}"
+ file.uid: "{{ parse_event.message.module.file.owner.uid }}"
+ file.x509.issuer.distinguished_name: "{{ parse_event.message.module.file.signature.certificate.issuer }}"
+ file.x509.not_after: "{{ parse_event.message.module.file.signature.certificate.expiration_time | to_rfc3339 }}"
+ file.x509.serial_number: "{{ parse_event.message.module.file.signature.certificate.serial_number }}"
+ file.x509.subject.distinguished_name: "{{ parse_event.message.module.file.signature.certificate.subject }}"
+ file.x509.version_number: "{{ parse_event.message.module.file.signature.certificate.version }}"
+ filter: "{{ parse_event.message.module.file != null }}"
+
+ - set:
+ file.hash.md5: >
+ {%- for item in parse_event.message.module.file.hashes -%}{%- if item.algorithm == 'MD5' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ file.hash.sha1: >
+ {%- for item in parse_event.message.module.file.hashes -%}{%- if item.algorithm == 'SHA-1' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ file.hash.sha256: >
+ {%- for item in parse_event.message.module.file.hashes -%}{%- if item.algorithm == 'SHA-256' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ file.hash.sha512: >
+ {%- for item in parse_event.message.module.file.hashes -%}{%- if item.algorithm == 'SHA-512' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ file.hash.ssdeep: >
+ {%- for item in parse_event.message.module.file.hashes -%}{%- if item.algorithm == 'CTPH' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ file.hash.tlsh: >
+ {%- for item in parse_event.message.module.file.hashes -%}{%- if item.algorithm == 'TLSH' -%}{{ item.value }}{%- endif -%}{%- endfor -%}
+ filter: "{{ parse_event.message.module.file != null }}"
 pipeline_category_system_activity:
 actions:
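Review bot: The `filter:` on the added hash blocks only checks `job.file != null` / `module.file != null`, yet the loops iterate `job.file.hashes` and `module.file.hashes`, and this commit's fixtures contain file objects with no `hashes` key at all (e.g. `wagner.hqx` in test_system_activity_1.json); whether iterating a missing list renders as empty or fails depends on the engine's undefined handling, so either tighten the guard, `filter: "{{ parse_event.message.module.file != null and parse_event.message.module.file.hashes != null }}"`, or state the expected behaviour in a comment. The driver, job and module blocks (the driver one is in the previous hunk) all write the same `file.*` keys in sequence, so if an event ever carried more than one of those objects the last block would silently win; a one-line comment recording the assumption, e.g. `# assumes an event carries at most one of driver/job/module; a later set block overwrites earlier file.* values`, would make that precedence explicit.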
diff --git a/OCSF/ocsf/tests/test_network_activity_10.json b/OCSF/ocsf/tests/test_network_activity_10.json
index 483317cba..de032900c 100644
--- a/OCSF/ocsf/tests/test_network_activity_10.json
+++ b/OCSF/ocsf/tests/test_network_activity_10.json
@@ -47,6 +47,9 @@
 },
 "file": {
 "directory": "telling saved challenge/wrapped.tga",
+ "hash": {
+ "sha256": "4C3280C17F9D982CCBAC882AE1F48DAD224DBA938BEE87BF18E31C76B0C3B88B"
+ },
 "name": "amend.sh",
 "path": "telling saved challenge/wrapped.tga/citations.gpx",
 "type": "Unknown"
@@ -98,16 +101,8 @@
 },
 "desc": "surgeons settled advocacy",
 "hashes": [
- {
- "algorithm": "CTPH",
- "algorithm_id": "5",
- "value": "2675028478A31F71064C2D8CCA68C7FCA87605C294611E7C2294806CE87B596AD856077767F9D941E21BC5089906C5E6903FE622EE1FE19DB2E3FA8F1F1A8EE9"
- },
- {
- "algorithm": "magic",
- "algorithm_id": "99",
- "value": "4D018BA6DBA4C03004FD6E10D1C02BD324F62DE46C5FE687431A2D4BF4335BB7"
- }
+ {},
+ {}
 ],
 "modified_time_dt": "2023-09-25T21:07:21.517084Z",
 "name": "finance.3g2",
@@ -206,16 +201,8 @@
 },
 "desc": "arabic suits fun",
 "hashes": [
- {
- "algorithm": "SHA-256",
- "algorithm_id": "3",
- "value": "4C3280C17F9D982CCBAC882AE1F48DAD224DBA938BEE87BF18E31C76B0C3B88B"
- },
- {
- "algorithm": "quickXorHash",
- "algorithm_id": "7",
- "value": "A7F0A2AD03BE8938C945F65DB1A395CE9E98D67F9EE8D4CA97D687FBB394B64FA0AEB15F5B1D82A2922B62320B77DBA842BBEDEE2B5E15D7A883665ADE3F7C2B"
- }
+ {},
+ {}
 ],
 "modified_time_dt": "2023-09-25T21:07:21.567190Z",
 "type_id": "0"
@@ -291,6 +278,9 @@
 }
 },
 "related": {
+ "hash": [
+ "4C3280C17F9D982CCBAC882AE1F48DAD224DBA938BEE87BF18E31C76B0C3B88B"
+ ],
 "hosts": [
 "menu.travel"
 ],
diff --git a/OCSF/ocsf/tests/test_network_activity_11.json b/OCSF/ocsf/tests/test_network_activity_11.json
index 163646bb5..caff76c9a 100644
--- a/OCSF/ocsf/tests/test_network_activity_11.json
+++ b/OCSF/ocsf/tests/test_network_activity_11.json
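Review bot: The expected outputs in the `-98,16` and `-206,16` hunks now keep `"hashes": [ {}, {} ]` — empty objects where the `algorithm`/`algorithm_id`/`value` entries used to be — and the `-132,11` hunk of test_network_activity_11.json and the `-175,16` hunk of test_network_activity_6.json show the same. Presumably the corresponding `ocsf.*.hashes.*` fields were dropped elsewhere in this commit; if so, the array should be omitted from the event rather than emitted as a list of empty dicts, which is noise for consumers and for any rule that tests the list's length. Only the mapped object's digests are lifted into `file.hash` and `related.hash`, so the CTPH, `magic` and quickXorHash values removed here no longer appear anywhere in the normalized event; if hashes on those other objects are meant to stay searchable they need a target field, otherwise the original entries should be retained.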
@@ -132,11 +132,7 @@
 "confidentiality": "Top Secret",
 "confidentiality_id": "4",
 "hashes": [
- {
- "algorithm": "magic",
- "algorithm_id": "99",
- "value": "55F23C756971F835627DAD00E0FEAF38D62993462CA63631FDF93D0E8130CDFF"
- }
+ {}
 ],
 "security_descriptor": "procedure amsterdam belarus",
 "type_id": "4"
diff --git a/OCSF/ocsf/tests/test_network_activity_6.json b/OCSF/ocsf/tests/test_network_activity_6.json
index 85f82f101..a9f6e94cc 100644
--- a/OCSF/ocsf/tests/test_network_activity_6.json
+++ b/OCSF/ocsf/tests/test_network_activity_6.json
@@ -48,6 +48,9 @@
 },
 "file": {
 "directory": "pay msie consciousness/checking.tiff",
+ "hash": {
+ "sha256": "B6F8AE88482BDE38221723480B7EE2BE8088C076BDB5F22AA847A66E59C2ACFB"
+ },
 "inode": "5d95ca5a-5be7-11ee-a417-0242ac110005",
 "mtime": "2023-09-25T21:06:16.016000Z",
 "name": "brazil.docx",
@@ -175,16 +178,8 @@
 "accessed_time_dt": "2023-09-25T21:06:16.073784Z",
 "attributes": 43,
 "hashes": [
- {
- "algorithm": "Unknown",
- "algorithm_id": "0",
- "value": "37B77065B54AA76AAE4D96BFEA21F81217D2CEDE06CA457D86A77C0609B483B73102B9C600CC6DFEA5252B15E8E823BD2E5137AA311F7A2011B867F18FE9F502"
- },
- {
- "algorithm": "SHA-256",
- "algorithm_id": "3",
- "value": "B6F8AE88482BDE38221723480B7EE2BE8088C076BDB5F22AA847A66E59C2ACFB"
- }
+ {},
+ {}
 ],
 "modified_time_dt": "2023-09-25T21:06:16.073732Z",
 "product": {
@@ -256,6 +251,9 @@
 "type_uid": "400603"
 },
 "related": {
+ "hash": [
+ "B6F8AE88482BDE38221723480B7EE2BE8088C076BDB5F22AA847A66E59C2ACFB"
+ ],
 "hosts": [
 "african.museum",
 "larger.mil",
diff --git a/OCSF/ocsf/tests/test_system_activity_1.json b/OCSF/ocsf/tests/test_system_activity_1.json
index 30fb2d06d..02b845d18 100644
--- a/OCSF/ocsf/tests/test_system_activity_1.json
+++ b/OCSF/ocsf/tests/test_system_activity_1.json
@@ -1,6 +1,6 @@ { "input": { - "message": "{\"message\": \"aug brought masters\", \"status\": \"same\", \"time\": 1695272181548, \"file\": {\"name\": \"phi.tar\", \"type\": \"Named Pipe\", \"path\": \"basement neighborhood nelson/pointer.mpa/phi.tar\", \"product\": {\"name\": \"judgment mel mental\", \"version\": \"1.0.0\", \"uid\": \"3576c3d0-583b-11ee-8a0f-0242ac110005\", \"vendor_name\": \"isp semiconductor screens\"}, \"type_id\": 666, \"parent_folder\": \"basement neighborhood nelson/pointer.mpa\", \"accessed_time\": 1695272181548, \"hashes\": [{\"value\": \"FA9D6D9F8C1E928F43F4CA3DEF6EC2D485AA60CDD4DF04348144D38434095D54EADA230FB5E8BE2A17FD91AEEFC38B4E2AD08D863F260E6244F56873701A53EE\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"device\": {\"name\": \"spirits since tours\", \"type\": \"Browser\", \"os\": {\"name\": \"mess deposits scary\", \"type\": \"HP-UX\", \"type_id\": 402, \"sp_ver\": 35}, \"ip\": \"1.128.0.0\", \"desc\": \"gene screens plenty\", \"uid\": \"3575127e-583b-11ee-b9cf-0242ac110005\", \"image\": {\"name\": \"aol interest statutes\", \"tag\": \"history afraid vcr\", \"path\": \"breaks contrary navigation\", \"uid\": \"3574fc30-583b-11ee-a7af-0242ac110005\"}, \"groups\": [{\"name\": \"spent disclaimer locks\", \"uid\": \"3575019e-583b-11ee-8751-0242ac110005\", \"privileges\": [\"seems freeware tire\"]}, {\"name\": \"stereo thousand cnet\", \"uid\": \"357505d6-583b-11ee-8d50-0242ac110005\"}], \"type_id\": 8, \"subnet\": \"130.109.0.0/16\", \"hypervisor\": \"barbados lcd electoral\", \"instance_uid\": \"3574eefc-583b-11ee-aedd-0242ac110005\", \"interface_name\": \"cleveland households subsidiaries\", \"interface_uid\": \"3574f352-583b-11ee-89fa-0242ac110005\", \"is_managed\": true, \"region\": \"survival statewide blog\", \"risk_score\": 17, \"subnet_uid\": \"3574e7c2-583b-11ee-8763-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"frederick avoiding settlement\", \"version\": \"1.0.0\", \"uid\": 
\"3574dd04-583b-11ee-9dd6-0242ac110005\", \"lang\": \"en\", \"url_string\": \"subscribers\", \"vendor_name\": \"biographies charts a\"}, \"sequence\": 36, \"profiles\": [], \"log_name\": \"benefits observe block\", \"log_provider\": \"apr applies bought\", \"original_time\": \"basement receipt forces\"}, \"severity\": \"High\", \"type_name\": \"File System Activity: Rename\", \"activity_id\": 5, \"type_uid\": 100105, \"category_name\": \"System Activity\", \"class_uid\": 1001, \"category_uid\": 1, \"class_name\": \"File System Activity\", \"timezone_offset\": 14, \"activity_name\": \"Rename\", \"actor\": {\"process\": {\"name\": \"Http\", \"pid\": 39, \"file\": {\"name\": \"with.com\", \"type\": \"Symbolic Link\", \"path\": \"fact nick marilyn/wives.iso/with.com\", \"type_id\": 7, \"parent_folder\": \"fact nick marilyn/wives.iso\", \"confidentiality\": \"microphone ingredients everybody\", \"hashes\": [{\"value\": \"5448F2E81D8402BD06F1B7A1F25A23A09CF423B5C17631EDC1CB3A06C6135BEA\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"DB43BDA2E28D2B02E0F94993E11FF5A6A49D0E62D62834916C0F623B00401D7C1848EDA3BD47A48ACE755F0AF75D3D92850EEDDD011B6B3ED4D93BA15953F9AD\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Proxy\", \"type\": \"User\", \"domain\": \"canal emerald dry\", \"uid\": \"35752d18-583b-11ee-8e91-0242ac110005\", \"type_id\": 1, \"full_name\": \"Kitty Sabine\", \"account\": {\"name\": \"findarticles awards error\", \"type\": \"AWS IAM User\", \"uid\": \"357534b6-583b-11ee-acbb-0242ac110005\", \"type_id\": 3}, \"email_addr\": \"Dotty@bg.info\", \"uid_alt\": \"mature botswana advisory\"}, \"uid\": \"357539de-583b-11ee-808d-0242ac110005\", \"cmd_line\": \"dd apple updating\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Olympic\", \"file\": {\"name\": \"chrysler.pages\", \"type\": \"Character Device\", \"path\": \"jesus cattle cave/remainder.iso/chrysler.pages\", \"desc\": \"claims runtime 
directories\", \"uid\": \"3575485c-583b-11ee-b07c-0242ac110005\", \"type_id\": 3, \"company_name\": \"Esta Malena\", \"parent_folder\": \"jesus cattle cave/remainder.iso\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"0983A0F9D6FE6015A7EB984C4D51C74EC818D6B4B2EA630CA2794A51512BEA5EC489606DAA019CA34D4CA678FF154530DBF2211DC9AD7D058363D7630F3AF2B8\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695272181548, \"security_descriptor\": \"motels derby subtle\"}, \"user\": {\"name\": \"Salvador\", \"type\": \"Admin\", \"uid\": \"357551a8-583b-11ee-9f3a-0242ac110005\", \"groups\": [{\"name\": \"admissions throughout scope\", \"uid\": \"357556c6-583b-11ee-a761-0242ac110005\"}], \"type_id\": 2, \"email_addr\": \"Georgeann@compounds.org\"}, \"cmd_line\": \"regardless discussed gb\", \"created_time\": 1695272181548, \"integrity\": \"eat\", \"integrity_id\": 99, \"lineage\": [\"ff encoding towns\", \"alter reservoir drums\"], \"parent_process\": {\"pid\": 24, \"user\": {\"type\": \"dealer\", \"uid\": \"3575612a-583b-11ee-8729-0242ac110005\", \"type_id\": 99, \"account\": {\"name\": \"lisa avoiding grade\", \"type\": \"Mac OS Account\", \"uid\": \"35756968-583b-11ee-adc7-0242ac110005\", \"type_id\": 7}}, \"tid\": 17, \"uid\": \"35756e18-583b-11ee-8658-0242ac110005\", \"cmd_line\": \"step bernard quiet\", \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Schedules\", \"pid\": 64, \"file\": {\"attributes\": 59, \"name\": \"expectations.sh\", \"size\": 3829463934, \"type\": \"Named Pipe\", \"path\": \"their haven interact/president.log/expectations.sh\", \"type_id\": 6, \"company_name\": \"Johnny Kenia\", \"parent_folder\": \"their haven interact/president.log\", \"hashes\": [{\"value\": \"673864FF7BB72B5CB7535BD3C797DAE6BCDCE37BB6E0BD9D6EDDB8205EE636ACCA593394B1827FD62DAEC350638203EC5021A55A87B54D3BD4E0391CCACFA7B5\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": 
\"DA377EE2C5138BD0042100780B04CFB9752DD077344B2CBCACFFBEA5D94D0BB095E7314616D60350025F9E6489D6CBF9FA4C1D07CA52AB9C364397B6A6DB1426\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"is_system\": true}, \"user\": {\"name\": \"Gun\", \"type\": \"User\", \"uid\": \"35757fde-583b-11ee-8426-0242ac110005\", \"org\": {\"name\": \"suitable bother k\", \"uid\": \"357584f2-583b-11ee-b957-0242ac110005\", \"ou_name\": \"signals pixel questions\"}, \"type_id\": 1}, \"uid\": \"35758902-583b-11ee-9a1c-0242ac110005\", \"cmd_line\": \"sons eur fence\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Best\", \"pid\": 51, \"user\": {\"name\": \"Wrapping\", \"type\": \"Unknown\", \"uid\": \"357599c4-583b-11ee-839a-0242ac110005\", \"type_id\": 0, \"email_addr\": \"Valene@water.aero\"}, \"tid\": 72, \"uid\": \"3575a158-583b-11ee-a0c1-0242ac110005\", \"loaded_modules\": [\"/par/addresses/isle/blink/utils.3ds\", \"/conventions/market/normal/lease/absolute.tar.gz\"], \"cmd_line\": \"optional icq refresh\", \"created_time\": 1695272181548, \"integrity\": \"Medium\", \"integrity_id\": 3, \"lineage\": [\"marco danny survival\"], \"parent_process\": {\"name\": \"Expo\", \"pid\": 70, \"file\": {\"attributes\": 73, \"name\": \"wagner.hqx\", \"type\": \"Folder\", \"path\": \"nest communist anthony/tri.tex/wagner.hqx\", \"type_id\": 2, \"parent_folder\": \"nest communist anthony/tri.tex\"}, \"user\": {\"name\": \"Vehicles\", \"type\": \"Unknown\", \"uid\": \"3575b594-583b-11ee-ad61-0242ac110005\", \"groups\": [{\"name\": \"attention horrible saved\", \"type\": \"clinical integration find\"}], \"type_id\": 0, \"uid_alt\": \"immigrants vegetables names\"}, \"uid\": \"3575bbde-583b-11ee-a34c-0242ac110005\", \"cmd_line\": \"furnishings oo elderly\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Gis\", \"pid\": 7, \"file\": {\"name\": \"conviction.dem\", \"owner\": {\"name\": \"Founded\", \"type\": \"System\", \"groups\": [{\"name\": \"picked physicians 
sponsored\", \"uid\": \"3575cc6e-583b-11ee-9fc6-0242ac110005\"}, {\"name\": \"theft os finished\", \"type\": \"baking how furnished\", \"desc\": \"consistent remind intel\", \"uid\": \"3575d2cc-583b-11ee-9bd2-0242ac110005\", \"privileges\": [\"moscow whom catalogue\", \"bar distant sitting\"]}], \"type_id\": 3}, \"type\": \"Regular File\", \"path\": \"lesbian consistent policy/house.crdownload/conviction.dem\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"equivalent fuzzy password\", \"issuer\": \"rom ge xml\", \"fingerprints\": [{\"value\": \"4AE524EF0A54BC56E3844482DFF66D3DD1C07170A36531500327556E4EB58A66\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"2D3C087352251B27B4B883E464997A204BC6990478F6ADA51535ED9C87BB9BD65BB98AF4BCF9442E5126A77E0D6984B1596D2253167232DA8AC3415D7FB47186\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"streets missouri stack\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"type_id\": 1, \"company_name\": \"Agatha Bridget\", \"parent_folder\": \"lesbian consistent policy/house.crdownload\", \"hashes\": [{\"value\": \"7C44A3A14F05688E4AC527919744E64B96B371173856D178D72F65DAB3DC8EE7563B5E05EE7F625263083247F54503AD771DB5F66B3C9F9216B95114BA6BFCCB\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"security_descriptor\": \"blank special atm\"}, \"user\": {\"name\": \"Sec\", \"type\": \"Unknown\", \"uid\": \"3575f450-583b-11ee-b6bb-0242ac110005\", \"org\": {\"name\": \"delayed cables leads\", \"uid\": \"3575f964-583b-11ee-8c61-0242ac110005\"}, \"type_id\": 0, \"full_name\": \"Katheryn Dario\", \"uid_alt\": \"room suicide poem\"}, \"uid\": \"3575fdb0-583b-11ee-aeb9-0242ac110005\", \"cmd_line\": \"japan sells jeans\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Decrease\", \"pid\": 59, \"file\": {\"name\": \"structural.swf\", \"size\": 688932239, \"type\": \"customs\", \"path\": 
\"fwd various rr/harper.tar.gz/structural.swf\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"ordering ou explanation\", \"issuer\": \"truck rings arrivals\", \"fingerprints\": [{\"value\": \"D9B2FE68B6C253E250B14667FE79D988B4D2AC568F7FD62357330B906C30A49D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"EBD7275B8E016156D5C802AA81EF32823EF0D89B944B062044092C012CDD5078AF0362403420AB2DD96D282058889BCC6484F8FC42C61C29774AB18337A40FD9\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"expiration_time\": 1695272181548, \"serial_number\": \"rd throw preliminary\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1, \"created_time\": 1695272181548}, \"type_id\": 99, \"parent_folder\": \"fwd various rr/harper.tar.gz\", \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"value\": \"9392895322BB82C443FB155DA3D787E63B9CFF61E9725327EA2B4FAFE964C306117CB523AEBA0D2D8CDF029592125C16C1F892E88D80F9888D7031FD2974B8DE\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"type\": \"Admin\", \"domain\": \"sydney initiatives plymouth\", \"uid\": \"35761822-583b-11ee-beb2-0242ac110005\", \"type_id\": 2, \"full_name\": \"Theron Augustine\"}, \"tid\": 80, \"uid\": \"35761c82-583b-11ee-b824-0242ac110005\", \"cmd_line\": \"terry ld apple\", \"created_time\": 1695272181548, \"lineage\": [\"ts initial roses\", \"wicked sm especially\"], \"parent_process\": {\"pid\": 96, \"file\": {\"name\": \"fcc.gz\", \"type\": \"Local Socket\", \"path\": \"webcast invention brandon/thumbnail.rm/fcc.gz\", \"signature\": {\"digest\": {\"value\": \"F28E98CA59479136BFC3E11371555CF78BDEDDF0332D62DD063B794024CC5C4FE13F9EA7BA6BCE31550B8B7DEFFB31BF20E54B6C1095A68E8E18A26F91C0E838\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"previous furthermore create\", \"issuer\": \"kids permissions cosmetic\", \"fingerprints\": [{\"value\": 
\"C9E4D5C19777C2E695975FB5FE0D92C5DEEE360C4AFF172B638D981E5BCE505FB3373CF7A620436611A964772215DD15E564B701B09AB141C53258EA7DB63589\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"D02BCEDE7EF63722B56FD76E6C3E0C74E72D5B9C169DE7BA9712A1EAEF0C13F59F27BBFC33274C80889426EB38A8D191AB7B08FE9397BF0BE4D5B4C08CF7956C\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"mold afghanistan pine\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"desc\": \"reads choir while\", \"type_id\": 5, \"company_name\": \"Parthenia Kim\", \"creator\": {\"type\": \"System\", \"uid\": \"357634b0-583b-11ee-aa30-0242ac110005\", \"org\": {\"name\": \"lessons fighting basement\", \"uid\": \"357639f6-583b-11ee-a863-0242ac110005\", \"ou_name\": \"recently iron turning\"}, \"type_id\": 3}, \"parent_folder\": \"webcast invention brandon/thumbnail.rm\", \"hashes\": [{\"value\": \"533747897E1F6754B1E577DEEBA5E673C0DD9F09229F048608C88CA5EEC2A420FFF7F06C5B27F45A1B7A705FF141C4AE11196CAB9BE339546B7EEF258DFED346\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}]}, \"user\": {\"name\": \"Intervals\", \"type\": \"Admin\", \"uid\": \"357644a0-583b-11ee-b222-0242ac110005\", \"type_id\": 2, \"full_name\": \"Margert Debbie\", \"account\": {\"name\": \"gained oldest atomic\", \"type\": \"AWS IAM User\", \"type_id\": 3}, \"email_addr\": \"Ernie@drum.jobs\"}, \"uid\": \"35764af4-583b-11ee-bfee-0242ac110005\", \"session\": {\"uid\": \"35764ff4-583b-11ee-ad30-0242ac110005\", \"issuer\": \"information daisy computational\", \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"is_remote\": false}, \"loaded_modules\": [\"/frequently/tomatoes/one/trembl/trance.php\", \"/supposed/passwords/boutique/codes/coalition.txt\"], \"cmd_line\": \"grounds profits tear\", \"integrity\": \"attempts strategy meetup\", \"lineage\": [\"tar optical per\", \"fixtures while coaches\"], \"parent_process\": {\"name\": 
\"Speed\", \"pid\": 69, \"file\": {\"name\": \"kathy.gpx\", \"type\": \"Symbolic Link\", \"version\": \"1.0.0\", \"path\": \"stake dame kw/bangladesh.tax2020/kathy.gpx\", \"type_id\": 7, \"parent_folder\": \"stake dame kw/bangladesh.tax2020\", \"confidentiality\": \"smilies ethnic exclusively\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"DF2FF56CB3BAC1E28C3FE0395F52F814539922A774E1B53793268DC61ADD718A6BEED6E464F3D3AB436A5F61A84B21F073DD534943FEFA40E0DAD92DF1C92874\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Class\", \"type\": \"Admin\", \"uid\": \"3576639a-583b-11ee-a0a4-0242ac110005\", \"org\": {\"name\": \"thumb perception casual\", \"uid\": \"357668cc-583b-11ee-9bcd-0242ac110005\", \"ou_name\": \"russell martin tonight\"}, \"type_id\": 2, \"credential_uid\": \"35766f02-583b-11ee-93b4-0242ac110005\", \"uid_alt\": \"acute vocals goat\"}, \"uid\": \"3576731c-583b-11ee-b4bb-0242ac110005\", \"cmd_line\": \"canon istanbul ears\", \"created_time\": 1695272181548, \"integrity\": \"rage cloudy starts\", \"parent_process\": {\"name\": \"Forget\", \"pid\": 6, \"file\": {\"name\": \"rpg.eps\", \"size\": 2219996466, \"type\": \"Unknown\", \"type_id\": 0, \"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"hashes\": [{\"value\": \"25B732B3425CF8421A84FBE8E6EFA1AAF932AD4B\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"501A60A2B28BA8E6A95CE30C11877FDA\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"uid\": \"35768726-583b-11ee-b021-0242ac110005\", \"loaded_modules\": [\"/congo/hundreds/jerry/limousines/meanwhile.lua\", \"/employment/discounts/dg/company/colin.txt\"], \"cmd_line\": \"samuel affiliates stores\", \"created_time\": 1695272181548, \"lineage\": [\"locked feedback tank\", \"kuwait integrity messages\"], \"parent_process\": {\"name\": \"Part\", \"pid\": 72, \"file\": {\"name\": \"transexual.kml\", \"owner\": {\"name\": \"Disappointed\", \"type\": 
\"Admin\", \"uid\": \"357695ae-583b-11ee-a3e8-0242ac110005\", \"type_id\": 2}, \"type\": \"Local Socket\", \"path\": \"robin imperial rugby/delicious.lua/transexual.kml\", \"product\": {\"name\": \"receptors surgeons dui\", \"path\": \"joins roy in\", \"lang\": \"en\", \"url_string\": \"bias\", \"vendor_name\": \"wonderful earning zealand\"}, \"type_id\": 5, \"company_name\": \"Morris Antonio\", \"parent_folder\": \"robin imperial rugby/delicious.lua\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"value\": \"D9C1ACF117657BB04A8309ECBD6F3771E4F5E0BBEB437019748FFB5028BDA1B7\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}]}, \"user\": {\"name\": \"Tft\", \"type\": \"Unknown\", \"uid\": \"3576a274-583b-11ee-a3dc-0242ac110005\", \"type_id\": 0}, \"uid\": \"3576a6e8-583b-11ee-907e-0242ac110005\", \"loaded_modules\": [\"/initial/example/lenders/manitoba/picked.mdf\"], \"cmd_line\": \"hh officials patient\", \"created_time\": 1695272181548, \"sandbox\": \"new rt auto\"}, \"sandbox\": \"proc budgets magnet\"}}}, \"sandbox\": \"uk worth harmony\", \"xattributes\": {}}, \"sandbox\": \"arbitration saturday very\", \"terminated_time\": 1695272181548, \"xattributes\": {}}}}, \"sandbox\": \"ranked cookbook propecia\", \"xattributes\": {}}}}}, \"user\": {\"name\": \"Hispanic\", \"type\": \"Admin\", \"uid\": \"3576b16a-583b-11ee-9386-0242ac110005\", \"type_id\": 2, \"full_name\": \"Inocencia Adelle\"}, \"idp\": {\"name\": \"through foot query\", \"uid\": \"3576b692-583b-11ee-b9a6-0242ac110005\"}}, \"create_mask\": \"lu hairy cases\", \"enrichments\": [{\"data\": {\"professionals\": \"profess\"}, \"name\": \"universal ex rpg\", \"type\": \"concentrations sciences genuine\", \"value\": \"participants managing combines\", \"provider\": \"dance avon fundamental\"}, {\"data\": {\"hill\": \"rfsvfdc\"}, \"name\": \"strip milton opened\", \"type\": \"volunteers manufacturing argentina\", \"value\": \"needs hopes taxation\", \"provider\": \"held rounds 
tumor\"}], \"severity_id\": 4, \"status_id\": 99}", + "message": "{\"message\": \"aug brought masters\", \"status\": \"same\", \"time\": 1695272181548, \"file\": {\"name\": \"phi.tar\", \"type\": \"Named Pipe\", \"path\": \"basement neighborhood nelson/pointer.mpa/phi.tar\", \"product\": {\"name\": \"judgment mel mental\", \"version\": \"1.0.0\", \"uid\": \"3576c3d0-583b-11ee-8a0f-0242ac110005\", \"vendor_name\": \"isp semiconductor screens\"}, \"type_id\": 666, \"parent_folder\": \"basement neighborhood nelson/pointer.mpa\", \"accessed_time\": 1695272181548, \"hashes\": [{\"value\": \"FA9D6D9F8C1E928F43F4CA3DEF6EC2D485AA60CDD4DF04348144D38434095D54EADA230FB5E8BE2A17FD91AEEFC38B4E2AD08D863F260E6244F56873701A53EE\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"device\": {\"name\": \"spirits since tours\", \"type\": \"Browser\", \"os\": {\"name\": \"mess deposits scary\", \"type\": \"HP-UX\", \"type_id\": 402, \"sp_ver\": 35}, \"ip\": \"1.128.0.0\", \"desc\": \"gene screens plenty\", \"uid\": \"3575127e-583b-11ee-b9cf-0242ac110005\", \"image\": {\"name\": \"aol interest statutes\", \"tag\": \"history afraid vcr\", \"path\": \"breaks contrary navigation\", \"uid\": \"3574fc30-583b-11ee-a7af-0242ac110005\"}, \"groups\": [{\"name\": \"spent disclaimer locks\", \"uid\": \"3575019e-583b-11ee-8751-0242ac110005\", \"privileges\": [\"seems freeware tire\"]}, {\"name\": \"stereo thousand cnet\", \"uid\": \"357505d6-583b-11ee-8d50-0242ac110005\"}], \"type_id\": 8, \"subnet\": \"130.109.0.0/16\", \"hypervisor\": \"barbados lcd electoral\", \"instance_uid\": \"3574eefc-583b-11ee-aedd-0242ac110005\", \"interface_name\": \"cleveland households subsidiaries\", \"interface_uid\": \"3574f352-583b-11ee-89fa-0242ac110005\", \"is_managed\": true, \"region\": \"survival statewide blog\", \"risk_score\": 17, \"subnet_uid\": \"3574e7c2-583b-11ee-8763-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"frederick avoiding settlement\", \"version\": 
\"1.0.0\", \"uid\": \"3574dd04-583b-11ee-9dd6-0242ac110005\", \"lang\": \"en\", \"url_string\": \"subscribers\", \"vendor_name\": \"biographies charts a\"}, \"sequence\": 36, \"profiles\": [], \"log_name\": \"benefits observe block\", \"log_provider\": \"apr applies bought\", \"original_time\": \"basement receipt forces\"}, \"severity\": \"High\", \"type_name\": \"File System Activity: Rename\", \"activity_id\": 5, \"type_uid\": 100105, \"category_name\": \"System Activity\", \"class_uid\": 1001, \"category_uid\": 1, \"class_name\": \"File System Activity\", \"timezone_offset\": 14, \"activity_name\": \"Rename\", \"actor\": {\"process\": {\"name\": \"Http\", \"pid\": 39, \"file\": {\"name\": \"with.com\", \"type\": \"Symbolic Link\", \"path\": \"fact nick marilyn/wives.iso/with.com\", \"type_id\": 7, \"parent_folder\": \"fact nick marilyn/wives.iso\", \"confidentiality\": \"microphone ingredients everybody\", \"hashes\": [{\"value\": \"5448F2E81D8402BD06F1B7A1F25A23A09CF423B5C17631EDC1CB3A06C6135BEA\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"DB43BDA2E28D2B02E0F94993E11FF5A6A49D0E62D62834916C0F623B00401D7C1848EDA3BD47A48ACE755F0AF75D3D92850EEDDD011B6B3ED4D93BA15953F9AD\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Proxy\", \"type\": \"User\", \"domain\": \"canal emerald dry\", \"uid\": \"35752d18-583b-11ee-8e91-0242ac110005\", \"type_id\": 1, \"full_name\": \"Kitty Sabine\", \"account\": {\"name\": \"findarticles awards error\", \"type\": \"AWS IAM User\", \"uid\": \"357534b6-583b-11ee-acbb-0242ac110005\", \"type_id\": 3}, \"email_addr\": \"Dotty@bg.info\", \"uid_alt\": \"mature botswana advisory\"}, \"uid\": \"357539de-583b-11ee-808d-0242ac110005\", \"cmd_line\": \"dd apple updating\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Olympic\", \"file\": {\"name\": \"chrysler.pages\", \"type\": \"Character Device\", \"path\": \"jesus cattle cave/remainder.iso/chrysler.pages\", \"desc\": \"claims 
runtime directories\", \"uid\": \"3575485c-583b-11ee-b07c-0242ac110005\", \"type_id\": 3, \"company_name\": \"Esta Malena\", \"parent_folder\": \"jesus cattle cave/remainder.iso\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"0983A0F9D6FE6015A7EB984C4D51C74EC818D6B4B2EA630CA2794A51512BEA5EC489606DAA019CA34D4CA678FF154530DBF2211DC9AD7D058363D7630F3AF2B8\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695272181548, \"security_descriptor\": \"motels derby subtle\"}, \"user\": {\"name\": \"Salvador\", \"type\": \"Admin\", \"uid\": \"357551a8-583b-11ee-9f3a-0242ac110005\", \"groups\": [{\"name\": \"admissions throughout scope\", \"uid\": \"357556c6-583b-11ee-a761-0242ac110005\"}], \"type_id\": 2, \"email_addr\": \"Georgeann@compounds.org\"}, \"cmd_line\": \"regardless discussed gb\", \"created_time\": 1695272181548, \"integrity\": \"eat\", \"integrity_id\": 99, \"lineage\": [\"ff encoding towns\", \"alter reservoir drums\"], \"parent_process\": {\"pid\": 24, \"user\": {\"type\": \"dealer\", \"uid\": \"3575612a-583b-11ee-8729-0242ac110005\", \"type_id\": 99, \"account\": {\"name\": \"lisa avoiding grade\", \"type\": \"Mac OS Account\", \"uid\": \"35756968-583b-11ee-adc7-0242ac110005\", \"type_id\": 7}}, \"tid\": 17, \"uid\": \"35756e18-583b-11ee-8658-0242ac110005\", \"cmd_line\": \"step bernard quiet\", \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Schedules\", \"pid\": 64, \"file\": {\"attributes\": 59, \"name\": \"expectations.sh\", \"size\": 3829463934, \"type\": \"Named Pipe\", \"path\": \"their haven interact/president.log/expectations.sh\", \"type_id\": 6, \"company_name\": \"Johnny Kenia\", \"parent_folder\": \"their haven interact/president.log\", \"hashes\": [{\"value\": \"673864FF7BB72B5CB7535BD3C797DAE6BCDCE37BB6E0BD9D6EDDB8205EE636ACCA593394B1827FD62DAEC350638203EC5021A55A87B54D3BD4E0391CCACFA7B5\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, 
{\"value\": \"DA377EE2C5138BD0042100780B04CFB9752DD077344B2CBCACFFBEA5D94D0BB095E7314616D60350025F9E6489D6CBF9FA4C1D07CA52AB9C364397B6A6DB1426\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"is_system\": true}, \"user\": {\"name\": \"Gun\", \"type\": \"User\", \"uid\": \"35757fde-583b-11ee-8426-0242ac110005\", \"org\": {\"name\": \"suitable bother k\", \"uid\": \"357584f2-583b-11ee-b957-0242ac110005\", \"ou_name\": \"signals pixel questions\"}, \"type_id\": 1}, \"uid\": \"35758902-583b-11ee-9a1c-0242ac110005\", \"cmd_line\": \"sons eur fence\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Best\", \"pid\": 51, \"user\": {\"name\": \"Wrapping\", \"type\": \"Unknown\", \"uid\": \"357599c4-583b-11ee-839a-0242ac110005\", \"type_id\": 0, \"email_addr\": \"Valene@water.aero\"}, \"tid\": 72, \"uid\": \"3575a158-583b-11ee-a0c1-0242ac110005\", \"loaded_modules\": [\"/par/addresses/isle/blink/utils.3ds\", \"/conventions/market/normal/lease/absolute.tar.gz\"], \"cmd_line\": \"optional icq refresh\", \"created_time\": 1695272181548, \"integrity\": \"Medium\", \"integrity_id\": 3, \"lineage\": [\"marco danny survival\"], \"parent_process\": {\"name\": \"Expo\", \"pid\": 70, \"file\": {\"attributes\": 73, \"name\": \"wagner.hqx\", \"type\": \"Folder\", \"path\": \"nest communist anthony/tri.tex/wagner.hqx\", \"type_id\": 2, \"parent_folder\": \"nest communist anthony/tri.tex\"}, \"user\": {\"name\": \"Vehicles\", \"type\": \"Unknown\", \"uid\": \"3575b594-583b-11ee-ad61-0242ac110005\", \"groups\": [{\"name\": \"attention horrible saved\", \"type\": \"clinical integration find\"}], \"type_id\": 0, \"uid_alt\": \"immigrants vegetables names\"}, \"uid\": \"3575bbde-583b-11ee-a34c-0242ac110005\", \"cmd_line\": \"furnishings oo elderly\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Gis\", \"pid\": 7, \"file\": {\"name\": \"conviction.dem\", \"owner\": {\"name\": \"Founded\", \"type\": \"System\", \"groups\": [{\"name\": \"picked 
physicians sponsored\", \"uid\": \"3575cc6e-583b-11ee-9fc6-0242ac110005\"}, {\"name\": \"theft os finished\", \"type\": \"baking how furnished\", \"desc\": \"consistent remind intel\", \"uid\": \"3575d2cc-583b-11ee-9bd2-0242ac110005\", \"privileges\": [\"moscow whom catalogue\", \"bar distant sitting\"]}], \"type_id\": 3}, \"type\": \"Regular File\", \"path\": \"lesbian consistent policy/house.crdownload/conviction.dem\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"equivalent fuzzy password\", \"issuer\": \"rom ge xml\", \"fingerprints\": [{\"value\": \"4AE524EF0A54BC56E3844482DFF66D3DD1C07170A36531500327556E4EB58A66\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"2D3C087352251B27B4B883E464997A204BC6990478F6ADA51535ED9C87BB9BD65BB98AF4BCF9442E5126A77E0D6984B1596D2253167232DA8AC3415D7FB47186\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"streets missouri stack\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"type_id\": 1, \"company_name\": \"Agatha Bridget\", \"parent_folder\": \"lesbian consistent policy/house.crdownload\", \"hashes\": [{\"value\": \"7C44A3A14F05688E4AC527919744E64B96B371173856D178D72F65DAB3DC8EE7563B5E05EE7F625263083247F54503AD771DB5F66B3C9F9216B95114BA6BFCCB\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"security_descriptor\": \"blank special atm\"}, \"user\": {\"name\": \"Sec\", \"type\": \"Unknown\", \"uid\": \"3575f450-583b-11ee-b6bb-0242ac110005\", \"org\": {\"name\": \"delayed cables leads\", \"uid\": \"3575f964-583b-11ee-8c61-0242ac110005\"}, \"type_id\": 0, \"full_name\": \"Katheryn Dario\", \"uid_alt\": \"room suicide poem\"}, \"uid\": \"3575fdb0-583b-11ee-aeb9-0242ac110005\", \"cmd_line\": \"japan sells jeans\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Decrease\", \"pid\": 59, \"file\": {\"name\": \"structural.swf\", \"size\": 688932239, \"type\": \"customs\", 
\"path\": \"fwd various rr/harper.tar.gz/structural.swf\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"ordering ou explanation\", \"issuer\": \"truck rings arrivals\", \"fingerprints\": [{\"value\": \"D9B2FE68B6C253E250B14667FE79D988B4D2AC568F7FD62357330B906C30A49D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"EBD7275B8E016156D5C802AA81EF32823EF0D89B944B062044092C012CDD5078AF0362403420AB2DD96D282058889BCC6484F8FC42C61C29774AB18337A40FD9\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"expiration_time\": 1695272181548, \"serial_number\": \"rd throw preliminary\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1, \"created_time\": 1695272181548}, \"type_id\": 99, \"parent_folder\": \"fwd various rr/harper.tar.gz\", \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"value\": \"9392895322BB82C443FB155DA3D787E63B9CFF61E9725327EA2B4FAFE964C306117CB523AEBA0D2D8CDF029592125C16C1F892E88D80F9888D7031FD2974B8DE\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"type\": \"Admin\", \"domain\": \"sydney initiatives plymouth\", \"uid\": \"35761822-583b-11ee-beb2-0242ac110005\", \"type_id\": 2, \"full_name\": \"Theron Augustine\"}, \"tid\": 80, \"uid\": \"35761c82-583b-11ee-b824-0242ac110005\", \"cmd_line\": \"terry ld apple\", \"created_time\": 1695272181548, \"lineage\": [\"ts initial roses\", \"wicked sm especially\"], \"parent_process\": {\"pid\": 96, \"file\": {\"name\": \"fcc.gz\", \"type\": \"Local Socket\", \"path\": \"webcast invention brandon/thumbnail.rm/fcc.gz\", \"signature\": {\"digest\": {\"value\": \"F28E98CA59479136BFC3E11371555CF78BDEDDF0332D62DD063B794024CC5C4FE13F9EA7BA6BCE31550B8B7DEFFB31BF20E54B6C1095A68E8E18A26F91C0E838\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"previous furthermore create\", \"issuer\": \"kids permissions cosmetic\", \"fingerprints\": [{\"value\": 
\"C9E4D5C19777C2E695975FB5FE0D92C5DEEE360C4AFF172B638D981E5BCE505FB3373CF7A620436611A964772215DD15E564B701B09AB141C53258EA7DB63589\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"D02BCEDE7EF63722B56FD76E6C3E0C74E72D5B9C169DE7BA9712A1EAEF0C13F59F27BBFC33274C80889426EB38A8D191AB7B08FE9397BF0BE4D5B4C08CF7956C\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"mold afghanistan pine\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"desc\": \"reads choir while\", \"type_id\": 5, \"company_name\": \"Parthenia Kim\", \"creator\": {\"type\": \"System\", \"uid\": \"357634b0-583b-11ee-aa30-0242ac110005\", \"org\": {\"name\": \"lessons fighting basement\", \"uid\": \"357639f6-583b-11ee-a863-0242ac110005\", \"ou_name\": \"recently iron turning\"}, \"type_id\": 3}, \"parent_folder\": \"webcast invention brandon/thumbnail.rm\", \"hashes\": [{\"value\": \"533747897E1F6754B1E577DEEBA5E673C0DD9F09229F048608C88CA5EEC2A420FFF7F06C5B27F45A1B7A705FF141C4AE11196CAB9BE339546B7EEF258DFED346\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}]}, \"user\": {\"name\": \"Intervals\", \"type\": \"Admin\", \"uid\": \"357644a0-583b-11ee-b222-0242ac110005\", \"type_id\": 2, \"full_name\": \"Margert Debbie\", \"account\": {\"name\": \"gained oldest atomic\", \"type\": \"AWS IAM User\", \"type_id\": 3}, \"email_addr\": \"Ernie@drum.jobs\"}, \"uid\": \"35764af4-583b-11ee-bfee-0242ac110005\", \"session\": {\"uid\": \"35764ff4-583b-11ee-ad30-0242ac110005\", \"issuer\": \"information daisy computational\", \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"is_remote\": false}, \"loaded_modules\": [\"/frequently/tomatoes/one/trembl/trance.php\", \"/supposed/passwords/boutique/codes/coalition.txt\"], \"cmd_line\": \"grounds profits tear\", \"integrity\": \"attempts strategy meetup\", \"lineage\": [\"tar optical per\", \"fixtures while coaches\"], \"parent_process\": {\"name\": 
\"Speed\", \"pid\": 69, \"file\": {\"name\": \"kathy.gpx\", \"type\": \"Symbolic Link\", \"version\": \"1.0.0\", \"path\": \"stake dame kw/bangladesh.tax2020/kathy.gpx\", \"type_id\": 7, \"parent_folder\": \"stake dame kw/bangladesh.tax2020\", \"confidentiality\": \"smilies ethnic exclusively\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"DF2FF56CB3BAC1E28C3FE0395F52F814539922A774E1B53793268DC61ADD718A6BEED6E464F3D3AB436A5F61A84B21F073DD534943FEFA40E0DAD92DF1C92874\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Class\", \"type\": \"Admin\", \"uid\": \"3576639a-583b-11ee-a0a4-0242ac110005\", \"org\": {\"name\": \"thumb perception casual\", \"uid\": \"357668cc-583b-11ee-9bcd-0242ac110005\", \"ou_name\": \"russell martin tonight\"}, \"type_id\": 2, \"credential_uid\": \"35766f02-583b-11ee-93b4-0242ac110005\", \"uid_alt\": \"acute vocals goat\"}, \"uid\": \"3576731c-583b-11ee-b4bb-0242ac110005\", \"cmd_line\": \"canon istanbul ears\", \"created_time\": 1695272181548, \"integrity\": \"rage cloudy starts\", \"parent_process\": {\"name\": \"Forget\", \"pid\": 6, \"file\": {\"name\": \"rpg.eps\", \"size\": 2219996466, \"type\": \"Unknown\", \"type_id\": 0, \"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"hashes\": [{\"value\": \"25B732B3425CF8421A84FBE8E6EFA1AAF932AD4B\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"501A60A2B28BA8E6A95CE30C11877FDA\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"uid\": \"35768726-583b-11ee-b021-0242ac110005\", \"loaded_modules\": [\"/congo/hundreds/jerry/limousines/meanwhile.lua\", \"/employment/discounts/dg/company/colin.txt\"], \"cmd_line\": \"samuel affiliates stores\", \"created_time\": 1695272181548, \"lineage\": [\"locked feedback tank\", \"kuwait integrity messages\"], \"parent_process\": {\"name\": \"Part\", \"pid\": 72, \"file\": {\"name\": \"transexual.kml\", \"owner\": {\"name\": \"Disappointed\", \"type\": 
\"Admin\", \"uid\": \"357695ae-583b-11ee-a3e8-0242ac110005\", \"type_id\": 2}, \"type\": \"Local Socket\", \"path\": \"robin imperial rugby/delicious.lua/transexual.kml\", \"product\": {\"name\": \"receptors surgeons dui\", \"path\": \"joins roy in\", \"lang\": \"en\", \"url_string\": \"bias\", \"vendor_name\": \"wonderful earning zealand\"}, \"type_id\": 5, \"company_name\": \"Morris Antonio\", \"parent_folder\": \"robin imperial rugby/delicious.lua\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"value\": \"D9C1ACF117657BB04A8309ECBD6F3771E4F5E0BBEB437019748FFB5028BDA1B7\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}]}, \"user\": {\"name\": \"Tft\", \"type\": \"Unknown\", \"uid\": \"3576a274-583b-11ee-a3dc-0242ac110005\", \"type_id\": 0}, \"uid\": \"3576a6e8-583b-11ee-907e-0242ac110005\", \"loaded_modules\": [\"/initial/example/lenders/manitoba/picked.mdf\"], \"cmd_line\": \"hh officials patient\", \"created_time\": 1695272181548, \"sandbox\": \"new rt auto\"}, \"sandbox\": \"proc budgets magnet\"}}}, \"sandbox\": \"uk worth harmony\", \"xattributes\": {}}, \"sandbox\": \"arbitration saturday very\", \"terminated_time\": 1695272181548, \"xattributes\": {}}}}, \"sandbox\": \"ranked cookbook propecia\", \"xattributes\": {}}}}}, \"user\": {\"name\": \"root\", \"type\": \"Admin\", \"uid\": \"3576b16a-583b-11ee-9386-0242ac110005\", \"type_id\": 2, \"full_name\": \"Inocencia Adelle\"}, \"idp\": {\"name\": \"through foot query\", \"uid\": \"3576b692-583b-11ee-b9a6-0242ac110005\"}}, \"create_mask\": \"lu hairy cases\", \"enrichments\": [{\"data\": {\"professionals\": \"profess\"}, \"name\": \"universal ex rpg\", \"type\": \"concentrations sciences genuine\", \"value\": \"participants managing combines\", \"provider\": \"dance avon fundamental\"}, {\"data\": {\"hill\": \"rfsvfdc\"}, \"name\": \"strip milton opened\", \"type\": \"volunteers manufacturing argentina\", \"value\": \"needs hopes taxation\", \"provider\": \"held rounds 
tumor\"}], \"severity_id\": 4, \"status_id\": 99}",
 "sekoiaio": {
 "intake": {
 "dialect": "OCSF", 
@@ -9,7 +9,7 @@
 }
 },
 "expected": { 
- "message": "{\"message\": \"aug brought masters\", \"status\": \"same\", \"time\": 1695272181548, \"file\": {\"name\": \"phi.tar\", \"type\": \"Named Pipe\", \"path\": \"basement neighborhood nelson/pointer.mpa/phi.tar\", \"product\": {\"name\": \"judgment mel mental\", \"version\": \"1.0.0\", \"uid\": \"3576c3d0-583b-11ee-8a0f-0242ac110005\", \"vendor_name\": \"isp semiconductor screens\"}, \"type_id\": 666, \"parent_folder\": \"basement neighborhood nelson/pointer.mpa\", \"accessed_time\": 1695272181548, \"hashes\": [{\"value\": \"FA9D6D9F8C1E928F43F4CA3DEF6EC2D485AA60CDD4DF04348144D38434095D54EADA230FB5E8BE2A17FD91AEEFC38B4E2AD08D863F260E6244F56873701A53EE\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"device\": {\"name\": \"spirits since tours\", \"type\": \"Browser\", \"os\": {\"name\": \"mess deposits scary\", \"type\": \"HP-UX\", \"type_id\": 402, \"sp_ver\": 35}, \"ip\": \"1.128.0.0\", \"desc\": \"gene screens plenty\", \"uid\": \"3575127e-583b-11ee-b9cf-0242ac110005\", \"image\": {\"name\": \"aol interest statutes\", \"tag\": \"history afraid vcr\", \"path\": \"breaks contrary navigation\", \"uid\": \"3574fc30-583b-11ee-a7af-0242ac110005\"}, \"groups\": [{\"name\": \"spent disclaimer locks\", \"uid\": \"3575019e-583b-11ee-8751-0242ac110005\", \"privileges\": [\"seems freeware tire\"]}, {\"name\": \"stereo thousand cnet\", \"uid\": \"357505d6-583b-11ee-8d50-0242ac110005\"}], \"type_id\": 8, \"subnet\": \"130.109.0.0/16\", \"hypervisor\": \"barbados lcd electoral\", \"instance_uid\": \"3574eefc-583b-11ee-aedd-0242ac110005\", \"interface_name\": \"cleveland households subsidiaries\", \"interface_uid\": \"3574f352-583b-11ee-89fa-0242ac110005\", \"is_managed\": true, \"region\": \"survival statewide blog\", \"risk_score\": 17, \"subnet_uid\": \"3574e7c2-583b-11ee-8763-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"frederick avoiding settlement\", \"version\": \"1.0.0\", 
\"uid\": \"3574dd04-583b-11ee-9dd6-0242ac110005\", \"lang\": \"en\", \"url_string\": \"subscribers\", \"vendor_name\": \"biographies charts a\"}, \"sequence\": 36, \"profiles\": [], \"log_name\": \"benefits observe block\", \"log_provider\": \"apr applies bought\", \"original_time\": \"basement receipt forces\"}, \"severity\": \"High\", \"type_name\": \"File System Activity: Rename\", \"activity_id\": 5, \"type_uid\": 100105, \"category_name\": \"System Activity\", \"class_uid\": 1001, \"category_uid\": 1, \"class_name\": \"File System Activity\", \"timezone_offset\": 14, \"activity_name\": \"Rename\", \"actor\": {\"process\": {\"name\": \"Http\", \"pid\": 39, \"file\": {\"name\": \"with.com\", \"type\": \"Symbolic Link\", \"path\": \"fact nick marilyn/wives.iso/with.com\", \"type_id\": 7, \"parent_folder\": \"fact nick marilyn/wives.iso\", \"confidentiality\": \"microphone ingredients everybody\", \"hashes\": [{\"value\": \"5448F2E81D8402BD06F1B7A1F25A23A09CF423B5C17631EDC1CB3A06C6135BEA\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"DB43BDA2E28D2B02E0F94993E11FF5A6A49D0E62D62834916C0F623B00401D7C1848EDA3BD47A48ACE755F0AF75D3D92850EEDDD011B6B3ED4D93BA15953F9AD\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Proxy\", \"type\": \"User\", \"domain\": \"canal emerald dry\", \"uid\": \"35752d18-583b-11ee-8e91-0242ac110005\", \"type_id\": 1, \"full_name\": \"Kitty Sabine\", \"account\": {\"name\": \"findarticles awards error\", \"type\": \"AWS IAM User\", \"uid\": \"357534b6-583b-11ee-acbb-0242ac110005\", \"type_id\": 3}, \"email_addr\": \"Dotty@bg.info\", \"uid_alt\": \"mature botswana advisory\"}, \"uid\": \"357539de-583b-11ee-808d-0242ac110005\", \"cmd_line\": \"dd apple updating\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Olympic\", \"file\": {\"name\": \"chrysler.pages\", \"type\": \"Character Device\", \"path\": \"jesus cattle cave/remainder.iso/chrysler.pages\", \"desc\": \"claims runtime 
directories\", \"uid\": \"3575485c-583b-11ee-b07c-0242ac110005\", \"type_id\": 3, \"company_name\": \"Esta Malena\", \"parent_folder\": \"jesus cattle cave/remainder.iso\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"0983A0F9D6FE6015A7EB984C4D51C74EC818D6B4B2EA630CA2794A51512BEA5EC489606DAA019CA34D4CA678FF154530DBF2211DC9AD7D058363D7630F3AF2B8\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695272181548, \"security_descriptor\": \"motels derby subtle\"}, \"user\": {\"name\": \"Salvador\", \"type\": \"Admin\", \"uid\": \"357551a8-583b-11ee-9f3a-0242ac110005\", \"groups\": [{\"name\": \"admissions throughout scope\", \"uid\": \"357556c6-583b-11ee-a761-0242ac110005\"}], \"type_id\": 2, \"email_addr\": \"Georgeann@compounds.org\"}, \"cmd_line\": \"regardless discussed gb\", \"created_time\": 1695272181548, \"integrity\": \"eat\", \"integrity_id\": 99, \"lineage\": [\"ff encoding towns\", \"alter reservoir drums\"], \"parent_process\": {\"pid\": 24, \"user\": {\"type\": \"dealer\", \"uid\": \"3575612a-583b-11ee-8729-0242ac110005\", \"type_id\": 99, \"account\": {\"name\": \"lisa avoiding grade\", \"type\": \"Mac OS Account\", \"uid\": \"35756968-583b-11ee-adc7-0242ac110005\", \"type_id\": 7}}, \"tid\": 17, \"uid\": \"35756e18-583b-11ee-8658-0242ac110005\", \"cmd_line\": \"step bernard quiet\", \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Schedules\", \"pid\": 64, \"file\": {\"attributes\": 59, \"name\": \"expectations.sh\", \"size\": 3829463934, \"type\": \"Named Pipe\", \"path\": \"their haven interact/president.log/expectations.sh\", \"type_id\": 6, \"company_name\": \"Johnny Kenia\", \"parent_folder\": \"their haven interact/president.log\", \"hashes\": [{\"value\": \"673864FF7BB72B5CB7535BD3C797DAE6BCDCE37BB6E0BD9D6EDDB8205EE636ACCA593394B1827FD62DAEC350638203EC5021A55A87B54D3BD4E0391CCACFA7B5\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": 
\"DA377EE2C5138BD0042100780B04CFB9752DD077344B2CBCACFFBEA5D94D0BB095E7314616D60350025F9E6489D6CBF9FA4C1D07CA52AB9C364397B6A6DB1426\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"is_system\": true}, \"user\": {\"name\": \"Gun\", \"type\": \"User\", \"uid\": \"35757fde-583b-11ee-8426-0242ac110005\", \"org\": {\"name\": \"suitable bother k\", \"uid\": \"357584f2-583b-11ee-b957-0242ac110005\", \"ou_name\": \"signals pixel questions\"}, \"type_id\": 1}, \"uid\": \"35758902-583b-11ee-9a1c-0242ac110005\", \"cmd_line\": \"sons eur fence\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Best\", \"pid\": 51, \"user\": {\"name\": \"Wrapping\", \"type\": \"Unknown\", \"uid\": \"357599c4-583b-11ee-839a-0242ac110005\", \"type_id\": 0, \"email_addr\": \"Valene@water.aero\"}, \"tid\": 72, \"uid\": \"3575a158-583b-11ee-a0c1-0242ac110005\", \"loaded_modules\": [\"/par/addresses/isle/blink/utils.3ds\", \"/conventions/market/normal/lease/absolute.tar.gz\"], \"cmd_line\": \"optional icq refresh\", \"created_time\": 1695272181548, \"integrity\": \"Medium\", \"integrity_id\": 3, \"lineage\": [\"marco danny survival\"], \"parent_process\": {\"name\": \"Expo\", \"pid\": 70, \"file\": {\"attributes\": 73, \"name\": \"wagner.hqx\", \"type\": \"Folder\", \"path\": \"nest communist anthony/tri.tex/wagner.hqx\", \"type_id\": 2, \"parent_folder\": \"nest communist anthony/tri.tex\"}, \"user\": {\"name\": \"Vehicles\", \"type\": \"Unknown\", \"uid\": \"3575b594-583b-11ee-ad61-0242ac110005\", \"groups\": [{\"name\": \"attention horrible saved\", \"type\": \"clinical integration find\"}], \"type_id\": 0, \"uid_alt\": \"immigrants vegetables names\"}, \"uid\": \"3575bbde-583b-11ee-a34c-0242ac110005\", \"cmd_line\": \"furnishings oo elderly\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Gis\", \"pid\": 7, \"file\": {\"name\": \"conviction.dem\", \"owner\": {\"name\": \"Founded\", \"type\": \"System\", \"groups\": [{\"name\": \"picked physicians 
sponsored\", \"uid\": \"3575cc6e-583b-11ee-9fc6-0242ac110005\"}, {\"name\": \"theft os finished\", \"type\": \"baking how furnished\", \"desc\": \"consistent remind intel\", \"uid\": \"3575d2cc-583b-11ee-9bd2-0242ac110005\", \"privileges\": [\"moscow whom catalogue\", \"bar distant sitting\"]}], \"type_id\": 3}, \"type\": \"Regular File\", \"path\": \"lesbian consistent policy/house.crdownload/conviction.dem\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"equivalent fuzzy password\", \"issuer\": \"rom ge xml\", \"fingerprints\": [{\"value\": \"4AE524EF0A54BC56E3844482DFF66D3DD1C07170A36531500327556E4EB58A66\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"2D3C087352251B27B4B883E464997A204BC6990478F6ADA51535ED9C87BB9BD65BB98AF4BCF9442E5126A77E0D6984B1596D2253167232DA8AC3415D7FB47186\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"streets missouri stack\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"type_id\": 1, \"company_name\": \"Agatha Bridget\", \"parent_folder\": \"lesbian consistent policy/house.crdownload\", \"hashes\": [{\"value\": \"7C44A3A14F05688E4AC527919744E64B96B371173856D178D72F65DAB3DC8EE7563B5E05EE7F625263083247F54503AD771DB5F66B3C9F9216B95114BA6BFCCB\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"security_descriptor\": \"blank special atm\"}, \"user\": {\"name\": \"Sec\", \"type\": \"Unknown\", \"uid\": \"3575f450-583b-11ee-b6bb-0242ac110005\", \"org\": {\"name\": \"delayed cables leads\", \"uid\": \"3575f964-583b-11ee-8c61-0242ac110005\"}, \"type_id\": 0, \"full_name\": \"Katheryn Dario\", \"uid_alt\": \"room suicide poem\"}, \"uid\": \"3575fdb0-583b-11ee-aeb9-0242ac110005\", \"cmd_line\": \"japan sells jeans\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Decrease\", \"pid\": 59, \"file\": {\"name\": \"structural.swf\", \"size\": 688932239, \"type\": \"customs\", \"path\": 
\"fwd various rr/harper.tar.gz/structural.swf\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"ordering ou explanation\", \"issuer\": \"truck rings arrivals\", \"fingerprints\": [{\"value\": \"D9B2FE68B6C253E250B14667FE79D988B4D2AC568F7FD62357330B906C30A49D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"EBD7275B8E016156D5C802AA81EF32823EF0D89B944B062044092C012CDD5078AF0362403420AB2DD96D282058889BCC6484F8FC42C61C29774AB18337A40FD9\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"expiration_time\": 1695272181548, \"serial_number\": \"rd throw preliminary\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1, \"created_time\": 1695272181548}, \"type_id\": 99, \"parent_folder\": \"fwd various rr/harper.tar.gz\", \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"value\": \"9392895322BB82C443FB155DA3D787E63B9CFF61E9725327EA2B4FAFE964C306117CB523AEBA0D2D8CDF029592125C16C1F892E88D80F9888D7031FD2974B8DE\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"type\": \"Admin\", \"domain\": \"sydney initiatives plymouth\", \"uid\": \"35761822-583b-11ee-beb2-0242ac110005\", \"type_id\": 2, \"full_name\": \"Theron Augustine\"}, \"tid\": 80, \"uid\": \"35761c82-583b-11ee-b824-0242ac110005\", \"cmd_line\": \"terry ld apple\", \"created_time\": 1695272181548, \"lineage\": [\"ts initial roses\", \"wicked sm especially\"], \"parent_process\": {\"pid\": 96, \"file\": {\"name\": \"fcc.gz\", \"type\": \"Local Socket\", \"path\": \"webcast invention brandon/thumbnail.rm/fcc.gz\", \"signature\": {\"digest\": {\"value\": \"F28E98CA59479136BFC3E11371555CF78BDEDDF0332D62DD063B794024CC5C4FE13F9EA7BA6BCE31550B8B7DEFFB31BF20E54B6C1095A68E8E18A26F91C0E838\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"previous furthermore create\", \"issuer\": \"kids permissions cosmetic\", \"fingerprints\": [{\"value\": 
\"C9E4D5C19777C2E695975FB5FE0D92C5DEEE360C4AFF172B638D981E5BCE505FB3373CF7A620436611A964772215DD15E564B701B09AB141C53258EA7DB63589\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"D02BCEDE7EF63722B56FD76E6C3E0C74E72D5B9C169DE7BA9712A1EAEF0C13F59F27BBFC33274C80889426EB38A8D191AB7B08FE9397BF0BE4D5B4C08CF7956C\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"mold afghanistan pine\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"desc\": \"reads choir while\", \"type_id\": 5, \"company_name\": \"Parthenia Kim\", \"creator\": {\"type\": \"System\", \"uid\": \"357634b0-583b-11ee-aa30-0242ac110005\", \"org\": {\"name\": \"lessons fighting basement\", \"uid\": \"357639f6-583b-11ee-a863-0242ac110005\", \"ou_name\": \"recently iron turning\"}, \"type_id\": 3}, \"parent_folder\": \"webcast invention brandon/thumbnail.rm\", \"hashes\": [{\"value\": \"533747897E1F6754B1E577DEEBA5E673C0DD9F09229F048608C88CA5EEC2A420FFF7F06C5B27F45A1B7A705FF141C4AE11196CAB9BE339546B7EEF258DFED346\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}]}, \"user\": {\"name\": \"Intervals\", \"type\": \"Admin\", \"uid\": \"357644a0-583b-11ee-b222-0242ac110005\", \"type_id\": 2, \"full_name\": \"Margert Debbie\", \"account\": {\"name\": \"gained oldest atomic\", \"type\": \"AWS IAM User\", \"type_id\": 3}, \"email_addr\": \"Ernie@drum.jobs\"}, \"uid\": \"35764af4-583b-11ee-bfee-0242ac110005\", \"session\": {\"uid\": \"35764ff4-583b-11ee-ad30-0242ac110005\", \"issuer\": \"information daisy computational\", \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"is_remote\": false}, \"loaded_modules\": [\"/frequently/tomatoes/one/trembl/trance.php\", \"/supposed/passwords/boutique/codes/coalition.txt\"], \"cmd_line\": \"grounds profits tear\", \"integrity\": \"attempts strategy meetup\", \"lineage\": [\"tar optical per\", \"fixtures while coaches\"], \"parent_process\": {\"name\": 
\"Speed\", \"pid\": 69, \"file\": {\"name\": \"kathy.gpx\", \"type\": \"Symbolic Link\", \"version\": \"1.0.0\", \"path\": \"stake dame kw/bangladesh.tax2020/kathy.gpx\", \"type_id\": 7, \"parent_folder\": \"stake dame kw/bangladesh.tax2020\", \"confidentiality\": \"smilies ethnic exclusively\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"DF2FF56CB3BAC1E28C3FE0395F52F814539922A774E1B53793268DC61ADD718A6BEED6E464F3D3AB436A5F61A84B21F073DD534943FEFA40E0DAD92DF1C92874\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Class\", \"type\": \"Admin\", \"uid\": \"3576639a-583b-11ee-a0a4-0242ac110005\", \"org\": {\"name\": \"thumb perception casual\", \"uid\": \"357668cc-583b-11ee-9bcd-0242ac110005\", \"ou_name\": \"russell martin tonight\"}, \"type_id\": 2, \"credential_uid\": \"35766f02-583b-11ee-93b4-0242ac110005\", \"uid_alt\": \"acute vocals goat\"}, \"uid\": \"3576731c-583b-11ee-b4bb-0242ac110005\", \"cmd_line\": \"canon istanbul ears\", \"created_time\": 1695272181548, \"integrity\": \"rage cloudy starts\", \"parent_process\": {\"name\": \"Forget\", \"pid\": 6, \"file\": {\"name\": \"rpg.eps\", \"size\": 2219996466, \"type\": \"Unknown\", \"type_id\": 0, \"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"hashes\": [{\"value\": \"25B732B3425CF8421A84FBE8E6EFA1AAF932AD4B\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"501A60A2B28BA8E6A95CE30C11877FDA\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"uid\": \"35768726-583b-11ee-b021-0242ac110005\", \"loaded_modules\": [\"/congo/hundreds/jerry/limousines/meanwhile.lua\", \"/employment/discounts/dg/company/colin.txt\"], \"cmd_line\": \"samuel affiliates stores\", \"created_time\": 1695272181548, \"lineage\": [\"locked feedback tank\", \"kuwait integrity messages\"], \"parent_process\": {\"name\": \"Part\", \"pid\": 72, \"file\": {\"name\": \"transexual.kml\", \"owner\": {\"name\": \"Disappointed\", \"type\": 
\"Admin\", \"uid\": \"357695ae-583b-11ee-a3e8-0242ac110005\", \"type_id\": 2}, \"type\": \"Local Socket\", \"path\": \"robin imperial rugby/delicious.lua/transexual.kml\", \"product\": {\"name\": \"receptors surgeons dui\", \"path\": \"joins roy in\", \"lang\": \"en\", \"url_string\": \"bias\", \"vendor_name\": \"wonderful earning zealand\"}, \"type_id\": 5, \"company_name\": \"Morris Antonio\", \"parent_folder\": \"robin imperial rugby/delicious.lua\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"value\": \"D9C1ACF117657BB04A8309ECBD6F3771E4F5E0BBEB437019748FFB5028BDA1B7\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}]}, \"user\": {\"name\": \"Tft\", \"type\": \"Unknown\", \"uid\": \"3576a274-583b-11ee-a3dc-0242ac110005\", \"type_id\": 0}, \"uid\": \"3576a6e8-583b-11ee-907e-0242ac110005\", \"loaded_modules\": [\"/initial/example/lenders/manitoba/picked.mdf\"], \"cmd_line\": \"hh officials patient\", \"created_time\": 1695272181548, \"sandbox\": \"new rt auto\"}, \"sandbox\": \"proc budgets magnet\"}}}, \"sandbox\": \"uk worth harmony\", \"xattributes\": {}}, \"sandbox\": \"arbitration saturday very\", \"terminated_time\": 1695272181548, \"xattributes\": {}}}}, \"sandbox\": \"ranked cookbook propecia\", \"xattributes\": {}}}}}, \"user\": {\"name\": \"Hispanic\", \"type\": \"Admin\", \"uid\": \"3576b16a-583b-11ee-9386-0242ac110005\", \"type_id\": 2, \"full_name\": \"Inocencia Adelle\"}, \"idp\": {\"name\": \"through foot query\", \"uid\": \"3576b692-583b-11ee-b9a6-0242ac110005\"}}, \"create_mask\": \"lu hairy cases\", \"enrichments\": [{\"data\": {\"professionals\": \"profess\"}, \"name\": \"universal ex rpg\", \"type\": \"concentrations sciences genuine\", \"value\": \"participants managing combines\", \"provider\": \"dance avon fundamental\"}, {\"data\": {\"hill\": \"rfsvfdc\"}, \"name\": \"strip milton opened\", \"type\": \"volunteers manufacturing argentina\", \"value\": \"needs hopes taxation\", \"provider\": \"held rounds 
tumor\"}], \"severity_id\": 4, \"status_id\": 99}", 
+ "message": "{\"message\": \"aug brought masters\", \"status\": \"same\", \"time\": 1695272181548, \"file\": {\"name\": \"phi.tar\", \"type\": \"Named Pipe\", \"path\": \"basement neighborhood nelson/pointer.mpa/phi.tar\", \"product\": {\"name\": \"judgment mel mental\", \"version\": \"1.0.0\", \"uid\": \"3576c3d0-583b-11ee-8a0f-0242ac110005\", \"vendor_name\": \"isp semiconductor screens\"}, \"type_id\": 666, \"parent_folder\": \"basement neighborhood nelson/pointer.mpa\", \"accessed_time\": 1695272181548, \"hashes\": [{\"value\": \"FA9D6D9F8C1E928F43F4CA3DEF6EC2D485AA60CDD4DF04348144D38434095D54EADA230FB5E8BE2A17FD91AEEFC38B4E2AD08D863F260E6244F56873701A53EE\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"device\": {\"name\": \"spirits since tours\", \"type\": \"Browser\", \"os\": {\"name\": \"mess deposits scary\", \"type\": \"HP-UX\", \"type_id\": 402, \"sp_ver\": 35}, \"ip\": \"1.128.0.0\", \"desc\": \"gene screens plenty\", \"uid\": \"3575127e-583b-11ee-b9cf-0242ac110005\", \"image\": {\"name\": \"aol interest statutes\", \"tag\": \"history afraid vcr\", \"path\": \"breaks contrary navigation\", \"uid\": \"3574fc30-583b-11ee-a7af-0242ac110005\"}, \"groups\": [{\"name\": \"spent disclaimer locks\", \"uid\": \"3575019e-583b-11ee-8751-0242ac110005\", \"privileges\": [\"seems freeware tire\"]}, {\"name\": \"stereo thousand cnet\", \"uid\": \"357505d6-583b-11ee-8d50-0242ac110005\"}], \"type_id\": 8, \"subnet\": \"130.109.0.0/16\", \"hypervisor\": \"barbados lcd electoral\", \"instance_uid\": \"3574eefc-583b-11ee-aedd-0242ac110005\", \"interface_name\": \"cleveland households subsidiaries\", \"interface_uid\": \"3574f352-583b-11ee-89fa-0242ac110005\", \"is_managed\": true, \"region\": \"survival statewide blog\", \"risk_score\": 17, \"subnet_uid\": \"3574e7c2-583b-11ee-8763-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"frederick avoiding settlement\", \"version\": 
\"1.0.0\", \"uid\": \"3574dd04-583b-11ee-9dd6-0242ac110005\", \"lang\": \"en\", \"url_string\": \"subscribers\", \"vendor_name\": \"biographies charts a\"}, \"sequence\": 36, \"profiles\": [], \"log_name\": \"benefits observe block\", \"log_provider\": \"apr applies bought\", \"original_time\": \"basement receipt forces\"}, \"severity\": \"High\", \"type_name\": \"File System Activity: Rename\", \"activity_id\": 5, \"type_uid\": 100105, \"category_name\": \"System Activity\", \"class_uid\": 1001, \"category_uid\": 1, \"class_name\": \"File System Activity\", \"timezone_offset\": 14, \"activity_name\": \"Rename\", \"actor\": {\"process\": {\"name\": \"Http\", \"pid\": 39, \"file\": {\"name\": \"with.com\", \"type\": \"Symbolic Link\", \"path\": \"fact nick marilyn/wives.iso/with.com\", \"type_id\": 7, \"parent_folder\": \"fact nick marilyn/wives.iso\", \"confidentiality\": \"microphone ingredients everybody\", \"hashes\": [{\"value\": \"5448F2E81D8402BD06F1B7A1F25A23A09CF423B5C17631EDC1CB3A06C6135BEA\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"DB43BDA2E28D2B02E0F94993E11FF5A6A49D0E62D62834916C0F623B00401D7C1848EDA3BD47A48ACE755F0AF75D3D92850EEDDD011B6B3ED4D93BA15953F9AD\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Proxy\", \"type\": \"User\", \"domain\": \"canal emerald dry\", \"uid\": \"35752d18-583b-11ee-8e91-0242ac110005\", \"type_id\": 1, \"full_name\": \"Kitty Sabine\", \"account\": {\"name\": \"findarticles awards error\", \"type\": \"AWS IAM User\", \"uid\": \"357534b6-583b-11ee-acbb-0242ac110005\", \"type_id\": 3}, \"email_addr\": \"Dotty@bg.info\", \"uid_alt\": \"mature botswana advisory\"}, \"uid\": \"357539de-583b-11ee-808d-0242ac110005\", \"cmd_line\": \"dd apple updating\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Olympic\", \"file\": {\"name\": \"chrysler.pages\", \"type\": \"Character Device\", \"path\": \"jesus cattle cave/remainder.iso/chrysler.pages\", \"desc\": \"claims 
runtime directories\", \"uid\": \"3575485c-583b-11ee-b07c-0242ac110005\", \"type_id\": 3, \"company_name\": \"Esta Malena\", \"parent_folder\": \"jesus cattle cave/remainder.iso\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"0983A0F9D6FE6015A7EB984C4D51C74EC818D6B4B2EA630CA2794A51512BEA5EC489606DAA019CA34D4CA678FF154530DBF2211DC9AD7D058363D7630F3AF2B8\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695272181548, \"security_descriptor\": \"motels derby subtle\"}, \"user\": {\"name\": \"Salvador\", \"type\": \"Admin\", \"uid\": \"357551a8-583b-11ee-9f3a-0242ac110005\", \"groups\": [{\"name\": \"admissions throughout scope\", \"uid\": \"357556c6-583b-11ee-a761-0242ac110005\"}], \"type_id\": 2, \"email_addr\": \"Georgeann@compounds.org\"}, \"cmd_line\": \"regardless discussed gb\", \"created_time\": 1695272181548, \"integrity\": \"eat\", \"integrity_id\": 99, \"lineage\": [\"ff encoding towns\", \"alter reservoir drums\"], \"parent_process\": {\"pid\": 24, \"user\": {\"type\": \"dealer\", \"uid\": \"3575612a-583b-11ee-8729-0242ac110005\", \"type_id\": 99, \"account\": {\"name\": \"lisa avoiding grade\", \"type\": \"Mac OS Account\", \"uid\": \"35756968-583b-11ee-adc7-0242ac110005\", \"type_id\": 7}}, \"tid\": 17, \"uid\": \"35756e18-583b-11ee-8658-0242ac110005\", \"cmd_line\": \"step bernard quiet\", \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Schedules\", \"pid\": 64, \"file\": {\"attributes\": 59, \"name\": \"expectations.sh\", \"size\": 3829463934, \"type\": \"Named Pipe\", \"path\": \"their haven interact/president.log/expectations.sh\", \"type_id\": 6, \"company_name\": \"Johnny Kenia\", \"parent_folder\": \"their haven interact/president.log\", \"hashes\": [{\"value\": \"673864FF7BB72B5CB7535BD3C797DAE6BCDCE37BB6E0BD9D6EDDB8205EE636ACCA593394B1827FD62DAEC350638203EC5021A55A87B54D3BD4E0391CCACFA7B5\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, 
{\"value\": \"DA377EE2C5138BD0042100780B04CFB9752DD077344B2CBCACFFBEA5D94D0BB095E7314616D60350025F9E6489D6CBF9FA4C1D07CA52AB9C364397B6A6DB1426\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"is_system\": true}, \"user\": {\"name\": \"Gun\", \"type\": \"User\", \"uid\": \"35757fde-583b-11ee-8426-0242ac110005\", \"org\": {\"name\": \"suitable bother k\", \"uid\": \"357584f2-583b-11ee-b957-0242ac110005\", \"ou_name\": \"signals pixel questions\"}, \"type_id\": 1}, \"uid\": \"35758902-583b-11ee-9a1c-0242ac110005\", \"cmd_line\": \"sons eur fence\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Best\", \"pid\": 51, \"user\": {\"name\": \"Wrapping\", \"type\": \"Unknown\", \"uid\": \"357599c4-583b-11ee-839a-0242ac110005\", \"type_id\": 0, \"email_addr\": \"Valene@water.aero\"}, \"tid\": 72, \"uid\": \"3575a158-583b-11ee-a0c1-0242ac110005\", \"loaded_modules\": [\"/par/addresses/isle/blink/utils.3ds\", \"/conventions/market/normal/lease/absolute.tar.gz\"], \"cmd_line\": \"optional icq refresh\", \"created_time\": 1695272181548, \"integrity\": \"Medium\", \"integrity_id\": 3, \"lineage\": [\"marco danny survival\"], \"parent_process\": {\"name\": \"Expo\", \"pid\": 70, \"file\": {\"attributes\": 73, \"name\": \"wagner.hqx\", \"type\": \"Folder\", \"path\": \"nest communist anthony/tri.tex/wagner.hqx\", \"type_id\": 2, \"parent_folder\": \"nest communist anthony/tri.tex\"}, \"user\": {\"name\": \"Vehicles\", \"type\": \"Unknown\", \"uid\": \"3575b594-583b-11ee-ad61-0242ac110005\", \"groups\": [{\"name\": \"attention horrible saved\", \"type\": \"clinical integration find\"}], \"type_id\": 0, \"uid_alt\": \"immigrants vegetables names\"}, \"uid\": \"3575bbde-583b-11ee-a34c-0242ac110005\", \"cmd_line\": \"furnishings oo elderly\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Gis\", \"pid\": 7, \"file\": {\"name\": \"conviction.dem\", \"owner\": {\"name\": \"Founded\", \"type\": \"System\", \"groups\": [{\"name\": \"picked 
physicians sponsored\", \"uid\": \"3575cc6e-583b-11ee-9fc6-0242ac110005\"}, {\"name\": \"theft os finished\", \"type\": \"baking how furnished\", \"desc\": \"consistent remind intel\", \"uid\": \"3575d2cc-583b-11ee-9bd2-0242ac110005\", \"privileges\": [\"moscow whom catalogue\", \"bar distant sitting\"]}], \"type_id\": 3}, \"type\": \"Regular File\", \"path\": \"lesbian consistent policy/house.crdownload/conviction.dem\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"equivalent fuzzy password\", \"issuer\": \"rom ge xml\", \"fingerprints\": [{\"value\": \"4AE524EF0A54BC56E3844482DFF66D3DD1C07170A36531500327556E4EB58A66\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"2D3C087352251B27B4B883E464997A204BC6990478F6ADA51535ED9C87BB9BD65BB98AF4BCF9442E5126A77E0D6984B1596D2253167232DA8AC3415D7FB47186\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"streets missouri stack\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"type_id\": 1, \"company_name\": \"Agatha Bridget\", \"parent_folder\": \"lesbian consistent policy/house.crdownload\", \"hashes\": [{\"value\": \"7C44A3A14F05688E4AC527919744E64B96B371173856D178D72F65DAB3DC8EE7563B5E05EE7F625263083247F54503AD771DB5F66B3C9F9216B95114BA6BFCCB\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"security_descriptor\": \"blank special atm\"}, \"user\": {\"name\": \"Sec\", \"type\": \"Unknown\", \"uid\": \"3575f450-583b-11ee-b6bb-0242ac110005\", \"org\": {\"name\": \"delayed cables leads\", \"uid\": \"3575f964-583b-11ee-8c61-0242ac110005\"}, \"type_id\": 0, \"full_name\": \"Katheryn Dario\", \"uid_alt\": \"room suicide poem\"}, \"uid\": \"3575fdb0-583b-11ee-aeb9-0242ac110005\", \"cmd_line\": \"japan sells jeans\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Decrease\", \"pid\": 59, \"file\": {\"name\": \"structural.swf\", \"size\": 688932239, \"type\": \"customs\", 
\"path\": \"fwd various rr/harper.tar.gz/structural.swf\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"ordering ou explanation\", \"issuer\": \"truck rings arrivals\", \"fingerprints\": [{\"value\": \"D9B2FE68B6C253E250B14667FE79D988B4D2AC568F7FD62357330B906C30A49D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"EBD7275B8E016156D5C802AA81EF32823EF0D89B944B062044092C012CDD5078AF0362403420AB2DD96D282058889BCC6484F8FC42C61C29774AB18337A40FD9\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"expiration_time\": 1695272181548, \"serial_number\": \"rd throw preliminary\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1, \"created_time\": 1695272181548}, \"type_id\": 99, \"parent_folder\": \"fwd various rr/harper.tar.gz\", \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"value\": \"9392895322BB82C443FB155DA3D787E63B9CFF61E9725327EA2B4FAFE964C306117CB523AEBA0D2D8CDF029592125C16C1F892E88D80F9888D7031FD2974B8DE\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"type\": \"Admin\", \"domain\": \"sydney initiatives plymouth\", \"uid\": \"35761822-583b-11ee-beb2-0242ac110005\", \"type_id\": 2, \"full_name\": \"Theron Augustine\"}, \"tid\": 80, \"uid\": \"35761c82-583b-11ee-b824-0242ac110005\", \"cmd_line\": \"terry ld apple\", \"created_time\": 1695272181548, \"lineage\": [\"ts initial roses\", \"wicked sm especially\"], \"parent_process\": {\"pid\": 96, \"file\": {\"name\": \"fcc.gz\", \"type\": \"Local Socket\", \"path\": \"webcast invention brandon/thumbnail.rm/fcc.gz\", \"signature\": {\"digest\": {\"value\": \"F28E98CA59479136BFC3E11371555CF78BDEDDF0332D62DD063B794024CC5C4FE13F9EA7BA6BCE31550B8B7DEFFB31BF20E54B6C1095A68E8E18A26F91C0E838\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"previous furthermore create\", \"issuer\": \"kids permissions cosmetic\", \"fingerprints\": [{\"value\": 
\"C9E4D5C19777C2E695975FB5FE0D92C5DEEE360C4AFF172B638D981E5BCE505FB3373CF7A620436611A964772215DD15E564B701B09AB141C53258EA7DB63589\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"D02BCEDE7EF63722B56FD76E6C3E0C74E72D5B9C169DE7BA9712A1EAEF0C13F59F27BBFC33274C80889426EB38A8D191AB7B08FE9397BF0BE4D5B4C08CF7956C\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"mold afghanistan pine\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"desc\": \"reads choir while\", \"type_id\": 5, \"company_name\": \"Parthenia Kim\", \"creator\": {\"type\": \"System\", \"uid\": \"357634b0-583b-11ee-aa30-0242ac110005\", \"org\": {\"name\": \"lessons fighting basement\", \"uid\": \"357639f6-583b-11ee-a863-0242ac110005\", \"ou_name\": \"recently iron turning\"}, \"type_id\": 3}, \"parent_folder\": \"webcast invention brandon/thumbnail.rm\", \"hashes\": [{\"value\": \"533747897E1F6754B1E577DEEBA5E673C0DD9F09229F048608C88CA5EEC2A420FFF7F06C5B27F45A1B7A705FF141C4AE11196CAB9BE339546B7EEF258DFED346\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}]}, \"user\": {\"name\": \"Intervals\", \"type\": \"Admin\", \"uid\": \"357644a0-583b-11ee-b222-0242ac110005\", \"type_id\": 2, \"full_name\": \"Margert Debbie\", \"account\": {\"name\": \"gained oldest atomic\", \"type\": \"AWS IAM User\", \"type_id\": 3}, \"email_addr\": \"Ernie@drum.jobs\"}, \"uid\": \"35764af4-583b-11ee-bfee-0242ac110005\", \"session\": {\"uid\": \"35764ff4-583b-11ee-ad30-0242ac110005\", \"issuer\": \"information daisy computational\", \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"is_remote\": false}, \"loaded_modules\": [\"/frequently/tomatoes/one/trembl/trance.php\", \"/supposed/passwords/boutique/codes/coalition.txt\"], \"cmd_line\": \"grounds profits tear\", \"integrity\": \"attempts strategy meetup\", \"lineage\": [\"tar optical per\", \"fixtures while coaches\"], \"parent_process\": {\"name\": 
\"Speed\", \"pid\": 69, \"file\": {\"name\": \"kathy.gpx\", \"type\": \"Symbolic Link\", \"version\": \"1.0.0\", \"path\": \"stake dame kw/bangladesh.tax2020/kathy.gpx\", \"type_id\": 7, \"parent_folder\": \"stake dame kw/bangladesh.tax2020\", \"confidentiality\": \"smilies ethnic exclusively\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"DF2FF56CB3BAC1E28C3FE0395F52F814539922A774E1B53793268DC61ADD718A6BEED6E464F3D3AB436A5F61A84B21F073DD534943FEFA40E0DAD92DF1C92874\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Class\", \"type\": \"Admin\", \"uid\": \"3576639a-583b-11ee-a0a4-0242ac110005\", \"org\": {\"name\": \"thumb perception casual\", \"uid\": \"357668cc-583b-11ee-9bcd-0242ac110005\", \"ou_name\": \"russell martin tonight\"}, \"type_id\": 2, \"credential_uid\": \"35766f02-583b-11ee-93b4-0242ac110005\", \"uid_alt\": \"acute vocals goat\"}, \"uid\": \"3576731c-583b-11ee-b4bb-0242ac110005\", \"cmd_line\": \"canon istanbul ears\", \"created_time\": 1695272181548, \"integrity\": \"rage cloudy starts\", \"parent_process\": {\"name\": \"Forget\", \"pid\": 6, \"file\": {\"name\": \"rpg.eps\", \"size\": 2219996466, \"type\": \"Unknown\", \"type_id\": 0, \"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"hashes\": [{\"value\": \"25B732B3425CF8421A84FBE8E6EFA1AAF932AD4B\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"501A60A2B28BA8E6A95CE30C11877FDA\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"uid\": \"35768726-583b-11ee-b021-0242ac110005\", \"loaded_modules\": [\"/congo/hundreds/jerry/limousines/meanwhile.lua\", \"/employment/discounts/dg/company/colin.txt\"], \"cmd_line\": \"samuel affiliates stores\", \"created_time\": 1695272181548, \"lineage\": [\"locked feedback tank\", \"kuwait integrity messages\"], \"parent_process\": {\"name\": \"Part\", \"pid\": 72, \"file\": {\"name\": \"transexual.kml\", \"owner\": {\"name\": \"Disappointed\", \"type\": 
\"Admin\", \"uid\": \"357695ae-583b-11ee-a3e8-0242ac110005\", \"type_id\": 2}, \"type\": \"Local Socket\", \"path\": \"robin imperial rugby/delicious.lua/transexual.kml\", \"product\": {\"name\": \"receptors surgeons dui\", \"path\": \"joins roy in\", \"lang\": \"en\", \"url_string\": \"bias\", \"vendor_name\": \"wonderful earning zealand\"}, \"type_id\": 5, \"company_name\": \"Morris Antonio\", \"parent_folder\": \"robin imperial rugby/delicious.lua\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"value\": \"D9C1ACF117657BB04A8309ECBD6F3771E4F5E0BBEB437019748FFB5028BDA1B7\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}]}, \"user\": {\"name\": \"Tft\", \"type\": \"Unknown\", \"uid\": \"3576a274-583b-11ee-a3dc-0242ac110005\", \"type_id\": 0}, \"uid\": \"3576a6e8-583b-11ee-907e-0242ac110005\", \"loaded_modules\": [\"/initial/example/lenders/manitoba/picked.mdf\"], \"cmd_line\": \"hh officials patient\", \"created_time\": 1695272181548, \"sandbox\": \"new rt auto\"}, \"sandbox\": \"proc budgets magnet\"}}}, \"sandbox\": \"uk worth harmony\", \"xattributes\": {}}, \"sandbox\": \"arbitration saturday very\", \"terminated_time\": 1695272181548, \"xattributes\": {}}}}, \"sandbox\": \"ranked cookbook propecia\", \"xattributes\": {}}}}}, \"user\": {\"name\": \"root\", \"type\": \"Admin\", \"uid\": \"3576b16a-583b-11ee-9386-0242ac110005\", \"type_id\": 2, \"full_name\": \"Inocencia Adelle\"}, \"idp\": {\"name\": \"through foot query\", \"uid\": \"3576b692-583b-11ee-b9a6-0242ac110005\"}}, \"create_mask\": \"lu hairy cases\", \"enrichments\": [{\"data\": {\"professionals\": \"profess\"}, \"name\": \"universal ex rpg\", \"type\": \"concentrations sciences genuine\", \"value\": \"participants managing combines\", \"provider\": \"dance avon fundamental\"}, {\"data\": {\"hill\": \"rfsvfdc\"}, \"name\": \"strip milton opened\", \"type\": \"volunteers manufacturing argentina\", \"value\": \"needs hopes taxation\", \"provider\": \"held rounds 
tumor\"}], \"severity_id\": 4, \"status_id\": 99}", "event": { "action": "rename", "category": [ @@ -28,6 +28,10 @@ "file": { "accessed": "2023-09-21T04:56:21.548000Z", "directory": "basement neighborhood nelson/pointer.mpa", + "hash": { + "sha256": "5448F2E81D8402BD06F1B7A1F25A23A09CF423B5C17631EDC1CB3A06C6135BEA", + "ssdeep": "DB43BDA2E28D2B02E0F94993E11FF5A6A49D0E62D62834916C0F623B00401D7C1848EDA3BD47A48ACE755F0AF75D3D92850EEDDD011B6B3ED4D93BA15953F9AD" + }, "name": "phi.tar", "path": "basement neighborhood nelson/pointer.mpa/phi.tar", "type": "Named Pipe" @@ -57,16 +61,8 @@ "file": { "confidentiality": "microphone ingredients everybody", "hashes": [ - { - "algorithm": "SHA-256", - "algorithm_id": "3", - "value": "5448F2E81D8402BD06F1B7A1F25A23A09CF423B5C17631EDC1CB3A06C6135BEA" - }, - { - "algorithm": "CTPH", - "algorithm_id": "5", - "value": "DB43BDA2E28D2B02E0F94993E11FF5A6A49D0E62D62834916C0F623B00401D7C1848EDA3BD47A48ACE755F0AF75D3D92850EEDDD011B6B3ED4D93BA15953F9AD" - } + {}, + {} ], "type_id": "7" }, @@ -76,11 +72,7 @@ "created_time": 1695272181548, "desc": "claims runtime directories", "hashes": [ - { - "algorithm": "quickXorHash", - "algorithm_id": "7", - "value": "0983A0F9D6FE6015A7EB984C4D51C74EC818D6B4B2EA630CA2794A51512BEA5EC489606DAA019CA34D4CA678FF154530DBF2211DC9AD7D058363D7630F3AF2B8" - } + {} ], "modified_time": 1695272181548, "name": "chrysler.pages", @@ -184,11 +176,7 @@ ], "file": { "hashes": [ - { - "algorithm": "quickXorHash", - "algorithm_id": "7", - "value": "FA9D6D9F8C1E928F43F4CA3DEF6EC2D485AA60CDD4DF04348144D38434095D54EADA230FB5E8BE2A17FD91AEEFC38B4E2AD08D863F260E6244F56873701A53EE" - } + {} ], "product": { "name": "judgment mel mental", 
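Review bot: The `file.hash` values asserted next to `phi.tar` in `@@ -28,6 +28,10 @@` are the digests of the actor's process image rather than of the file the event describes: `5448F2E8…` (SHA-256) and `DB43BDA2…` (CTPH) are the `hashes` of `actor.process.file` (`with.com`) in the input message above, while `file.name`/`file.path` on the same lines describe `phi.tar`. Unless the top-level OCSF `file` object, which lies before this chunk, happens to carry the same two digests, the fixture pins a cross-object mapping under which a hash pivot would point at the wrong file; the mapping itself lives in the parser, outside this chunk. The same question applies to the `file.hash` blocks added in test_system_activity_3.json (`@@ -40,6 +40,9 @@`), test_system_activity_4.json (`@@ -37,6 +37,9 @@`) and test_system_activity_5.json (`@@ -41,10 +41,15 @@`), where the visible hunks do not show which OCSF object the digest was taken from.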
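Review bot: The expected output now asserts empty objects in every `hashes` array (`+ {}, + {}` in `@@ -57,16 +61,8 @@`; likewise `@@ -76,11 +72,7 @@` and `@@ -184,11 +176,7 @@` in this section, whose file header precedes this chunk, `@@ -53,11 +56,7 @@` and `@@ -194,16 +193,8 @@` in test_system_activity_2.json, `@@ -84,16 +87,8 @@` and `@@ -127,11 +122,7 @@` in _3, `@@ -84,16 +87,8 @@` and `@@ -120,16 +115,8 @@` in _4, `@@ -333,16 +338,8 @@` in _5, `@@ -90,16 +90,8 @@` and `@@ -112,11 +104,7 @@` in _6). Only digests that have an ECS `file.hash.*` counterpart survive, and only for one file: the quickXorHash value removed in `@@ -76,11 +72,7 @@`, the `Unknown`-algorithm digest removed in test_system_activity_2.json `@@ -53,11 +56,7 @@` and the SHA-1 `C6141BDD…` removed in test_system_activity_3.json `@@ -127,11 +122,7 @@` no longer appear anywhere in the expected document, so they can no longer be searched or matched against indicators. The parser change producing this is outside this chunk, but the fixtures suggest it deletes `value`/`algorithm`/`algorithm_id` from each entry and leaves the entry behind; either keep the original `hashes` entries intact alongside the flattened `file.hash`, or drop the array entirely rather than asserting `{}` placeholders.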
@@ -259,11 +247,15 @@ } }, "related": { + "hash": [ + "5448F2E81D8402BD06F1B7A1F25A23A09CF423B5C17631EDC1CB3A06C6135BEA", + "DB43BDA2E28D2B02E0F94993E11FF5A6A49D0E62D62834916C0F623B00401D7C1848EDA3BD47A48ACE755F0AF75D3D92850EEDDD011B6B3ED4D93BA15953F9AD" + ], "ip": [ "1.128.0.0" ], "user": [ - "Hispanic" + "root" ] }, "user": { @@ -273,7 +265,7 @@ "name": [] }, "id": "3576b16a-583b-11ee-9386-0242ac110005", - "name": "Hispanic" + "name": "root" } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_system_activity_2.json b/OCSF/ocsf/tests/test_system_activity_2.json index 862586cbc..7e4f69c22 100644 --- a/OCSF/ocsf/tests/test_system_activity_2.json +++ b/OCSF/ocsf/tests/test_system_activity_2.json @@ -30,11 +30,14 @@ "region": "card heroes blogging" }, "file": { - "directory": "cartoon watershed viewers/magazine.xls", + "accessed": "2023-09-21T04:56:21.548000Z", + "directory": "worst jay funds/plc.deskthemepack", + "inode": "19e82104-61aa-11ee-8d53-0242ac110005", + "mime_type": "punishment/gaps", "mtime": "2023-09-21T04:56:21.548000Z", - "name": "syntax.dds", - "path": "cartoon watershed viewers/magazine.xls/syntax.dds", - "type": "Symbolic Link" + "name": "rail.m", + "path": "worst jay funds/plc.deskthemepack/rail.m", + "type": "earning" }, "host": { "hostname": "founded.pro", @@ -53,11 +56,7 @@ "file": { "confidentiality": "donated chapter runtime", "hashes": [ - { - "algorithm": "Unknown", - "algorithm_id": "0", - "value": "2EB64D601392F16BF21F01D7A9A66B62BC3DDC892394D8B44031A3B488A4F611F56951974C7601044DA53283AE3A774822583A678667AC1A5469561ADFC2CB22" - } + {} ], "signature": { "algorithm": "ECDSA", 
@@ -194,16 +193,8 @@ "driver": { "file": { "hashes": [ - { - "algorithm": "quickXorHash", - "algorithm_id": "7", - "value": "AD3638015A285E049F3EC3B5E96251E3D84A6B834297290B20EF11FE7A6244828ED6FC9E0489232D7B3358C785AA96C87A77266713AD2FB1978142C9CFFD4BF8" - }, - { - "algorithm": "Unknown", - "algorithm_id": "0", - "value": "A47AC519441CF481779776ED56ADE421DEE3E26D0134CAE10E1A518591CCA7AB105D38FE20C7E07843149FF290C536A9E4B0507095FD8A744AF530741D2427B7" - } + {}, + {} ], "type_id": "99" } diff --git a/OCSF/ocsf/tests/test_system_activity_3.json b/OCSF/ocsf/tests/test_system_activity_3.json index 4184a0e3a..70dfe1205 100644 --- a/OCSF/ocsf/tests/test_system_activity_3.json +++ b/OCSF/ocsf/tests/test_system_activity_3.json @@ -40,6 +40,9 @@ }, "file": { "directory": "cigarette until wc/ls.c", + "hash": { + "sha512": "C3BD5B24A4E0467F267EEA0A0378CB224839993F4AEB1BF9A9F519E8484E9A16344FE367E55D08DED2F892D80577FD485A3BC5CA66EB0AE7C1CFA0B33586E766" + }, "name": "word.drv", "path": "cigarette until wc/ls.c/word.drv", "size": 2389716033, @@ -84,16 +87,8 @@ "confidentiality": "tulsa", "confidentiality_id": "99", "hashes": [ - { - "algorithm": "SHA-512", - "algorithm_id": "4", - "value": "C3BD5B24A4E0467F267EEA0A0378CB224839993F4AEB1BF9A9F519E8484E9A16344FE367E55D08DED2F892D80577FD485A3BC5CA66EB0AE7C1CFA0B33586E766" - }, - { - "algorithm": "Unknown", - "algorithm_id": "0", - "value": "FEBD25D9812320828D7312326E19250E4439A6A99BCB4C740A8308671F571A6707A6D2A5A6066EB0DAA87071D23BE71ED56EAFF115D8AEAACEA125D283F45963" - } + {}, + {} ], "security_descriptor": "hospitality conclusions wires", "type_id": "0", @@ -127,11 +122,7 @@ "uid_alt": "limitations compound viewer" }, "hashes": [ - { - "algorithm": "SHA-1", - "algorithm_id": "2", - "value": "C6141BDD46728A85659C19E84135237C41908EF3" - } + {} ], "name": "hazard.aif", "owner": { 
@@ -334,6 +325,9 @@ } }, "related": { + "hash": [ + "C3BD5B24A4E0467F267EEA0A0378CB224839993F4AEB1BF9A9F519E8484E9A16344FE367E55D08DED2F892D80577FD485A3BC5CA66EB0AE7C1CFA0B33586E766" + ], "hosts": [ "indexes.jobs" ], diff --git a/OCSF/ocsf/tests/test_system_activity_4.json b/OCSF/ocsf/tests/test_system_activity_4.json index 2745d6b0c..3a268ff11 100644 --- a/OCSF/ocsf/tests/test_system_activity_4.json +++ b/OCSF/ocsf/tests/test_system_activity_4.json @@ -37,6 +37,9 @@ "file": { "created": "2023-09-21T04:56:21.548000Z", "directory": "daisy bullet expectations/speakers.fon", + "hash": { + "md5": "4F227649B2E932AED413A05B69BAA35D" + }, "mtime": "2023-09-21T04:56:21.548000Z", "name": "tenant.prf", "path": "daisy bullet expectations/speakers.fon/tenant.prf", @@ -84,16 +87,8 @@ "confidentiality": "Not Confidential", "confidentiality_id": "1", "hashes": [ - { - "algorithm": "quickXorHash", - "algorithm_id": "7", - "value": "D593DAFEC471B60EC788CAF95AEB0DBE9F1AF56F9741565D96CEB84FF7C0AB18B97E298266E585A9FE82C4F85EE020C4B4BD974B54373088F0D1ACE2022CE17D" - }, - { - "algorithm": "MD5", - "algorithm_id": "1", - "value": "4F227649B2E932AED413A05B69BAA35D" - } + {}, + {} ], "modified_time_dt": "2023-10-03T05:37:34.691274Z", "type_id": "7" @@ -120,16 +115,8 @@ "created_time_dt": "2023-10-03T05:37:34.692393Z", "desc": "vs in contamination", "hashes": [ - { - "algorithm": "SHA-1", - "algorithm_id": "2", - "value": "64188A2F3AF0E7C7E83F429137D1F51F574286F7" - }, - { - "algorithm": "SHA-256", - "algorithm_id": "3", - "value": "7C12BD84ACFCEACC8A756BE13D08AF2B1EC193C5411C64B85380EEEC0B1B41F7" - } + {}, + {} ], "modified_time": 1695272181548, "name": "download.pptx", @@ -318,6 +305,9 @@ } }, "related": { + "hash": [ + "4F227649B2E932AED413A05B69BAA35D" + ], "hosts": [ "phd.nato" ], diff --git a/OCSF/ocsf/tests/test_system_activity_5.json b/OCSF/ocsf/tests/test_system_activity_5.json index 84bc1843e..dcc644528 100644 --- a/OCSF/ocsf/tests/test_system_activity_5.json 
+++ b/OCSF/ocsf/tests/test_system_activity_5.json @@ -41,10 +41,15 @@ "runtime": "annoying remarkable setup" }, "file": { - "directory": "flush faced champagne/cruise.tar.gz", - "name": "administrators.tmp", - "path": "flush faced champagne/cruise.tar.gz/administrators.tmp", - "type": "Folder" + "directory": "pleased dip spiritual/corresponding.java", + "hash": { + "ssdeep": "B8C09AA4F584900FEA2DF3DAFBDAF9F0C6E76095BFDBCCF5F0F748D069D706526380A29574124164B0EDC1B56DD8342FC4BF70467A9B6024D999269A45E2A175", + "tlsh": "795F2AAA00B0D80F2A50C10902A141A3E0AFE3A4BCE0007F213C21994E6AE528B448F2C2F4BDF6C4E1D0AEA3B8396D40A4395AA9730A77E879848BDB750D6468" + }, + "mtime": "2023-09-21T04:56:21.548000Z", + "name": "expiration.cpl", + "path": "pleased dip spiritual/corresponding.java/expiration.cpl", + "type": "Character Device" }, "host": { "domain": "existence conditional pillow", @@ -333,16 +338,8 @@ "confidentiality_id": "3", "created_time_dt": "2023-10-03T06:46:13.753318Z", "hashes": [ - { - "algorithm": "TLSH", - "algorithm_id": "6", - "value": "795F2AAA00B0D80F2A50C10902A141A3E0AFE3A4BCE0007F213C21994E6AE528B448F2C2F4BDF6C4E1D0AEA3B8396D40A4395AA9730A77E879848BDB750D6468" - }, - { - "algorithm": "CTPH", - "algorithm_id": "5", - "value": "B8C09AA4F584900FEA2DF3DAFBDAF9F0C6E76095BFDBCCF5F0F748D069D706526380A29574124164B0EDC1B56DD8342FC4BF70467A9B6024D999269A45E2A175" - } + {}, + {} ], "product": { "lang": "en", @@ -403,6 +400,9 @@ } }, "related": { + "hash": [ + "B8C09AA4F584900FEA2DF3DAFBDAF9F0C6E76095BFDBCCF5F0F748D069D706526380A29574124164B0EDC1B56DD8342FC4BF70467A9B6024D999269A45E2A175" + ], "hosts": [ "tiles.name" ], diff --git a/OCSF/ocsf/tests/test_system_activity_6.json b/OCSF/ocsf/tests/test_system_activity_6.json index 4a05c47b4..d79a5cb88 100644 --- a/OCSF/ocsf/tests/test_system_activity_6.json +++ b/OCSF/ocsf/tests/test_system_activity_6.json 
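Review bot: `related.hash` in `@@ -403,6 +400,9 @@` lists only the ssdeep value `B8C09AA4…`, although the same fixture's `file.hash` in `@@ -41,10 +41,15 @@` also carries `tlsh: 795F2AAA…`; the first section in this patch (`@@ -259,11 +247,15 @@`) puts every `file.hash` digest into `related.hash`, so this looks like the TLSH value is missed rather than excluded on purpose. `related.hash` is the field analysts query to find any event mentioning a digest, so the expected array should read `"hash": ["B8C09AA4…", "795F2AAA…"]` (order as the parser emits it), or the omission should be documented in the parser if TLSH is deliberately kept out.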
@@ -90,16 +90,8 @@ "accessed_time_dt": "2023-10-03T07:27:11.051398Z", "attributes": 71, "hashes": [ - { - "algorithm": "Unknown", - "algorithm_id": "0", - "value": "DBC811458704E7331C9D9B3365E5DB08E8D9247CEDBE9F8FFED69606E0A5CE644230CB925F7AE8919137B51CE7E4797EC55533D10E6AF32B803BAB785848BD58" - }, - { - "algorithm": "quickXorHash", - "algorithm_id": "7", - "value": "74900E05175C9BD82834F761CAE8D37E3190933ED2249C16508DB4053419EDAEE6ADD186BACD19C2AF5686BC9D15177A7960A70D7A385EB3E05AF555356368E6" - } + {}, + {} ], "type_id": "7", "xattributes": "{}" @@ -112,11 +104,7 @@ "company_name": "Margurite Hester", "created_time_dt": "2023-10-03T07:27:11.052592Z", "hashes": [ - { - "algorithm": "CTPH", - "algorithm_id": "5", - "value": "C87068358A2AF25FB6462D2E9D5CEE0C1B843771EE363E91B70497182AC6058683881C15DDFF011CE7CAAE6617D935F69F093E8BB488A880E8A559A8AC1073FA" - } + {} ], "modified_time": 1695272181548, "name": "alice.cur", diff --git a/OCSF/ocsf/tests/test_system_activity_7.json b/OCSF/ocsf/tests/test_system_activity_7.json index a22f58a5e..65a635de7 100644 --- a/OCSF/ocsf/tests/test_system_activity_7.json +++ b/OCSF/ocsf/tests/test_system_activity_7.json 
@@ -1,6 +1,6 @@ { "input": { - "message": "{\"message\": \"appeal verse adjacent\", \"status\": \"Failure\", \"time\": 1695272181548, \"device\": {\"type\": \"IOT\", \"os\": {\"name\": \"officially marks hook\", \"type\": \"iOS\", \"type_id\": 301}, \"ip\": \"81.2.69.142\", \"hostname\": \"paragraph.nato\", \"uid\": \"1d440972-61bd-11ee-b78b-0242ac110005\", \"groups\": [{\"name\": \"summit torture accused\", \"uid\": \"1d43dac4-61bd-11ee-8157-0242ac110005\"}, {\"name\": \"silicon headline seniors\", \"uid\": \"1d43df06-61bd-11ee-884b-0242ac110005\"}], \"type_id\": 7, \"first_seen_time\": 1695272181548, \"hypervisor\": \"listening genres rob\", \"imei\": \"seekers sue networks\", \"instance_uid\": \"1d440530-61bd-11ee-9a80-0242ac110005\", \"interface_name\": \"requiring showtimes only\", \"interface_uid\": \"1d440e68-61bd-11ee-9bc1-0242ac110005\", \"region\": \"terms quarter premium\", \"first_seen_time_dt\": \"2023-10-03T07:18:56.276163Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"extension\": {\"name\": \"attempt directed associate\", \"version\": \"1.0.0\", \"uid\": \"1d43b58a-61bd-11ee-811e-0242ac110005\"}, \"product\": {\"name\": \"gallery crude arc\", \"version\": \"1.0.0\", \"uid\": \"1d43be36-61bd-11ee-9314-0242ac110005\", \"lang\": \"en\", \"url_string\": \"registrar\", \"vendor_name\": \"staffing steven textiles\"}, \"uid\": \"1d43c2b4-61bd-11ee-814c-0242ac110005\", \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"external cadillac navy\", \"log_provider\": \"deadline emissions whilst\", \"original_time\": \"my northwest exhibitions\"}, \"severity\": \"Low\", \"duration\": 4, \"disposition\": \"Restored\", \"type_name\": \"Scheduled Job Activity: Other\", \"activity_id\": 99, \"disposition_id\": 9, \"type_uid\": 100699, \"category_name\": \"System Activity\", \"class_uid\": 1006, \"category_uid\": 1, \"class_name\": \"Scheduled Job Activity\", \"timezone_offset\": 87, \"attacks\": [{\"version\": 
\"12.1\", \"tactics\": [{\"name\": \"Execution The adversary is trying to run malicious code.\", \"uid\": \"TA0002\"}], \"technique\": {\"name\": \"Obtain Capabilities\", \"uid\": \"T1588\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}, {\"name\": \"Persistence The adversary is trying to maintain their foothold.\", \"uid\": \"TA0003\"}, {\"name\": \"Initial Access | The adversary is trying to get into your network.\", \"uid\": \"TA0001\"}], \"technique\": {\"name\": \"Cloud Instance Metadata API\", \"uid\": \"T1522\"}}], \"activity_name\": \"considerable\", \"cloud\": {\"org\": {\"name\": \"pf months already\", \"uid\": \"1d4398de-61bd-11ee-804b-0242ac110005\", \"ou_name\": \"cry centers expense\"}, \"provider\": \"trusts disclose snapshot\", \"region\": \"choose consolidated set\"}, \"severity_id\": 2, \"status_code\": \"respond\", \"status_id\": 2}", + "message": "{\"message\": \"jerry mailing blog\", \"status\": \"acdbentity\", \"time\": 1706875973927207, \"device\": {\"name\": \"puzzles ds ellis\", \"type\": \"Desktop\", \"os\": {\"name\": \"cisco nepal saw\", \"type\": \"Linux\", \"type_id\": 200}, \"ip\": \"179.27.89.37\", \"desc\": \"ferrari happens proceedings\", \"uid\": \"64854ab4-c1c4-11ee-aa4b-0242ac110005\", \"hostname\": \"chi.store\", \"type_id\": 2, \"created_time\": 1706875973926694, \"hypervisor\": \"sets denmark contractor\", \"instance_uid\": \"64852b74-c1c4-11ee-b377-0242ac110005\", \"interface_name\": \"perfume sensor min\", \"interface_uid\": \"6485370e-c1c4-11ee-9d9a-0242ac110005\", \"region\": \"measured shuttle adjust\", \"risk_score\": 88, \"uid_alt\": \"eden gym amendments\", \"zone\": \"organizations tool portsmouth\"}, \"metadata\": {\"version\": \"1.1.0\", \"product\": {\"version\": \"1.1.0\", \"uid\": \"6484ff28-c1c4-11ee-a148-0242ac110005\", \"vendor_name\": \"spray villas invasion\"}, \"sequence\": 40, \"profiles\": [], 
\"log_name\": \"pas personality bend\", \"log_provider\": \"estate oklahoma person\", \"original_time\": \"occupational famous considerable\", \"tenant_uid\": \"64851030-c1c4-11ee-bc6c-0242ac110005\"}, \"start_time\": 1706875973923178, \"severity\": \"Critical\", \"timezone_offset\": 97, \"activity_id\": 3, \"class_uid\": 1006, \"type_uid\": 100603, \"type_name\": \"Scheduled Job Activity: Delete\", \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Scheduled Job Activity\", \"activity_name\": \"Delete\", \"job\": {\"name\": \"medicine discussed parliament\", \"file\": {\"name\": \"med.kml\", \"owner\": {\"name\": \"Bingo\", \"type\": \"quantity\", \"uid\": \"64856224-c1c4-11ee-a77b-0242ac110005\", \"org\": {\"name\": \"nfl she dramatically\", \"uid\": \"64857052-c1c4-11ee-b91a-0242ac110005\", \"ou_name\": \"vernon proven formal\"}, \"type_id\": 99, \"credential_uid\": \"64857534-c1c4-11ee-ad19-0242ac110005\", \"uid_alt\": \"balance butterfly written\"}, \"type\": \"Folder\", \"path\": \"advanced producing remember/brisbane.com/med.kml\", \"desc\": \"calvin shirt others\", \"uid\": \"64857a66-c1c4-11ee-b8fc-0242ac110005\", \"parent_folder\": \"advanced producing remember/brisbane.com\", \"type_id\": 2, \"accessed_time\": 1706875973928416, \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"value\": \"5F806F5374EEDA36778A9CB8F6904267DAD70BC16D49050318A7ADD6D3A595556AE8B2B1F1B94905452FB371CDBACA5332BE97B440BB189A504ABDF93690CB80\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"59AE856CD788D0F57E39FDD66D421BA930CD89BE4682DE3AA36C22A2021A710D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"is_system\": false}, \"desc\": \"ruth worldwide mild\", \"cmd_line\": \"hundreds strategic deutschland\", \"created_time\": 1706875973928530, \"last_run_time\": 1706875973928534, \"run_state\": \"Queued\", \"run_state_id\": 2}, \"severity_id\": 5, \"status_id\": 99}", "sekoiaio": { "intake": { 
"dialect": "OCSF", 
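Review bot: The replacement input in `@@ -1,6 +1,6 @@` uses 16-digit epoch values (`\"time\": 1706875973927207`, `\"created_time\": 1706875973928530`, `\"last_run_time\"`, `\"start_time\"`), whereas the fixture it replaces and every other fixture in this patch use 13-digit millisecond values such as `1695272181548`. If the parser interprets `time` as milliseconds, as the earlier fixtures imply, the derived `@timestamp` for this event would land tens of thousands of years in the future instead of 2024-02; the expected side that would show this is the `@@ -9,162 +9,106 @@` hunk starting on the next line, which runs past this chunk. Worth confirming that hunk asserts a 2024-02-02 timestamp, or that the parser normalizes second/millisecond/microsecond inputs before conversion. Separately, the old fixture exercised `attacks` (tactic/technique ids) and `disposition`; if no other fixture covers those mappings, replacing rather than adding this sample drops that coverage.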
@@ -9,162 +9,106 @@ } }, "expected": { - "message": "{\"message\": \"appeal verse adjacent\", \"status\": \"Failure\", \"time\": 1695272181548, \"device\": {\"type\": \"IOT\", \"os\": {\"name\": \"officially marks hook\", \"type\": \"iOS\", \"type_id\": 301}, \"ip\": \"81.2.69.142\", \"hostname\": \"paragraph.nato\", \"uid\": \"1d440972-61bd-11ee-b78b-0242ac110005\", \"groups\": [{\"name\": \"summit torture accused\", \"uid\": \"1d43dac4-61bd-11ee-8157-0242ac110005\"}, {\"name\": \"silicon headline seniors\", \"uid\": \"1d43df06-61bd-11ee-884b-0242ac110005\"}], \"type_id\": 7, \"first_seen_time\": 1695272181548, \"hypervisor\": \"listening genres rob\", \"imei\": \"seekers sue networks\", \"instance_uid\": \"1d440530-61bd-11ee-9a80-0242ac110005\", \"interface_name\": \"requiring showtimes only\", \"interface_uid\": \"1d440e68-61bd-11ee-9bc1-0242ac110005\", \"region\": \"terms quarter premium\", \"first_seen_time_dt\": \"2023-10-03T07:18:56.276163Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"extension\": {\"name\": \"attempt directed associate\", \"version\": \"1.0.0\", \"uid\": \"1d43b58a-61bd-11ee-811e-0242ac110005\"}, \"product\": {\"name\": \"gallery crude arc\", \"version\": \"1.0.0\", \"uid\": \"1d43be36-61bd-11ee-9314-0242ac110005\", \"lang\": \"en\", \"url_string\": \"registrar\", \"vendor_name\": \"staffing steven textiles\"}, \"uid\": \"1d43c2b4-61bd-11ee-814c-0242ac110005\", \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"external cadillac navy\", \"log_provider\": \"deadline emissions whilst\", \"original_time\": \"my northwest exhibitions\"}, \"severity\": \"Low\", \"duration\": 4, \"disposition\": \"Restored\", \"type_name\": \"Scheduled Job Activity: Other\", \"activity_id\": 99, \"disposition_id\": 9, \"type_uid\": 100699, \"category_name\": \"System Activity\", \"class_uid\": 1006, \"category_uid\": 1, \"class_name\": \"Scheduled Job Activity\", \"timezone_offset\": 87, \"attacks\": 
[{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Execution The adversary is trying to run malicious code.\", \"uid\": \"TA0002\"}], \"technique\": {\"name\": \"Obtain Capabilities\", \"uid\": \"T1588\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}, {\"name\": \"Persistence The adversary is trying to maintain their foothold.\", \"uid\": \"TA0003\"}, {\"name\": \"Initial Access | The adversary is trying to get into your network.\", \"uid\": \"TA0001\"}], \"technique\": {\"name\": \"Cloud Instance Metadata API\", \"uid\": \"T1522\"}}], \"activity_name\": \"considerable\", \"cloud\": {\"org\": {\"name\": \"pf months already\", \"uid\": \"1d4398de-61bd-11ee-804b-0242ac110005\", \"ou_name\": \"cry centers expense\"}, \"provider\": \"trusts disclose snapshot\", \"region\": \"choose consolidated set\"}, \"severity_id\": 2, \"status_code\": \"respond\", \"status_id\": 2}", + "message": "{\"message\": \"jerry mailing blog\", \"status\": \"acdbentity\", \"time\": 1706875973927207, \"device\": {\"name\": \"puzzles ds ellis\", \"type\": \"Desktop\", \"os\": {\"name\": \"cisco nepal saw\", \"type\": \"Linux\", \"type_id\": 200}, \"ip\": \"179.27.89.37\", \"desc\": \"ferrari happens proceedings\", \"uid\": \"64854ab4-c1c4-11ee-aa4b-0242ac110005\", \"hostname\": \"chi.store\", \"type_id\": 2, \"created_time\": 1706875973926694, \"hypervisor\": \"sets denmark contractor\", \"instance_uid\": \"64852b74-c1c4-11ee-b377-0242ac110005\", \"interface_name\": \"perfume sensor min\", \"interface_uid\": \"6485370e-c1c4-11ee-9d9a-0242ac110005\", \"region\": \"measured shuttle adjust\", \"risk_score\": 88, \"uid_alt\": \"eden gym amendments\", \"zone\": \"organizations tool portsmouth\"}, \"metadata\": {\"version\": \"1.1.0\", \"product\": {\"version\": \"1.1.0\", \"uid\": \"6484ff28-c1c4-11ee-a148-0242ac110005\", \"vendor_name\": \"spray villas invasion\"}, \"sequence\": 40, 
\"profiles\": [], \"log_name\": \"pas personality bend\", \"log_provider\": \"estate oklahoma person\", \"original_time\": \"occupational famous considerable\", \"tenant_uid\": \"64851030-c1c4-11ee-bc6c-0242ac110005\"}, \"start_time\": 1706875973923178, \"severity\": \"Critical\", \"timezone_offset\": 97, \"activity_id\": 3, \"class_uid\": 1006, \"type_uid\": 100603, \"type_name\": \"Scheduled Job Activity: Delete\", \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Scheduled Job Activity\", \"activity_name\": \"Delete\", \"job\": {\"name\": \"medicine discussed parliament\", \"file\": {\"name\": \"med.kml\", \"owner\": {\"name\": \"Bingo\", \"type\": \"quantity\", \"uid\": \"64856224-c1c4-11ee-a77b-0242ac110005\", \"org\": {\"name\": \"nfl she dramatically\", \"uid\": \"64857052-c1c4-11ee-b91a-0242ac110005\", \"ou_name\": \"vernon proven formal\"}, \"type_id\": 99, \"credential_uid\": \"64857534-c1c4-11ee-ad19-0242ac110005\", \"uid_alt\": \"balance butterfly written\"}, \"type\": \"Folder\", \"path\": \"advanced producing remember/brisbane.com/med.kml\", \"desc\": \"calvin shirt others\", \"uid\": \"64857a66-c1c4-11ee-b8fc-0242ac110005\", \"parent_folder\": \"advanced producing remember/brisbane.com\", \"type_id\": 2, \"accessed_time\": 1706875973928416, \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"value\": \"5F806F5374EEDA36778A9CB8F6904267DAD70BC16D49050318A7ADD6D3A595556AE8B2B1F1B94905452FB371CDBACA5332BE97B440BB189A504ABDF93690CB80\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"59AE856CD788D0F57E39FDD66D421BA930CD89BE4682DE3AA36C22A2021A710D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"is_system\": false}, \"desc\": \"ruth worldwide mild\", \"cmd_line\": \"hundreds strategic deutschland\", \"created_time\": 1706875973928530, \"last_run_time\": 1706875973928534, \"run_state\": \"Queued\", \"run_state_id\": 2}, \"severity_id\": 5, \"status_id\": 99}", "event": { - 
"action": "considerable", + "action": "delete", "category": [], - "duration": 4000000, "kind": "event", - "outcome": "failure", - "provider": "deadline emissions whilst", - "severity": 2, + "provider": "estate oklahoma person", + "sequence": 40, + "severity": 5, + "start": "2024-02-02T12:12:53.923178Z", "type": [] }, - "@timestamp": "2023-09-21T04:56:21.548000Z", - "cloud": { - "provider": "trusts disclose snapshot", - "region": "choose consolidated set" + "@timestamp": "2024-02-02T12:12:53.927207Z", + "file": { + "accessed": "2024-02-02T12:12:53.928416Z", + "directory": "advanced producing remember/brisbane.com", + "hash": { + "sha256": "59AE856CD788D0F57E39FDD66D421BA930CD89BE4682DE3AA36C22A2021A710D" + }, + "inode": "64857a66-c1c4-11ee-b8fc-0242ac110005", + "name": "med.kml", + "owner": "Bingo", + "path": "advanced producing remember/brisbane.com/med.kml", + "type": "Folder", + "uid": "64856224-c1c4-11ee-a77b-0242ac110005" }, "host": { - "hostname": "paragraph.nato", - "id": "1d440972-61bd-11ee-b78b-0242ac110005", + "hostname": "chi.store", + "id": "64854ab4-c1c4-11ee-aa4b-0242ac110005", "ip": [ - "81.2.69.142" + "179.27.89.37" ], - "name": "paragraph.nato", + "name": "chi.store", "os": { - "name": "officially marks hook", - "type": "iOS" + "name": "cisco nepal saw", + "type": "Linux" + }, + "risk": { + "static_score": 88 }, - "type": "IOT" + "type": "Desktop" }, "ocsf": { - "activity_id": 99, - "activity_name": "considerable", - "attacks": [ - { - "tactics": [ - { - "name": "Execution The adversary is trying to run malicious code.", - "uid": "TA0002" - } - ], - "technique": { - "name": "Obtain Capabilities", - "uid": "T1588" - }, - "version": "12.1" - }, - { - "tactics": [ - { - "name": "Collection | The adversary is trying to gather data of interest to their goal.", - "uid": "TA0009" - }, - { - "name": "Persistence The adversary is trying to maintain their foothold.", - "uid": "TA0003" - }, - { - "name": "Initial Access | The adversary is trying to get into 
your network.", - "uid": "TA0001" - } - ], - "technique": { - "name": "Cloud Instance Metadata API", - "uid": "T1522" - }, - "version": "12.1" - } - ], + "activity_id": 3, + "activity_name": "Delete", "category_name": "System Activity", "category_uid": 1, "class_name": "Scheduled Job Activity", "class_uid": 1006, - "cloud": { - "org": { - "name": "pf months already", - "ou_name": "cry centers expense", - "uid": "1d4398de-61bd-11ee-804b-0242ac110005" - } - }, "device": { - "first_seen_time": 1695272181548, - "first_seen_time_dt": "2023-10-03T07:18:56.276163Z", - "groups": [ - { - "name": "summit torture accused", - "uid": "1d43dac4-61bd-11ee-8157-0242ac110005" - }, - { - "name": "silicon headline seniors", - "uid": "1d43df06-61bd-11ee-884b-0242ac110005" - } - ], - "hypervisor": "listening genres rob", - "imei": "seekers sue networks", - "instance_uid": "1d440530-61bd-11ee-9a80-0242ac110005", - "interface_name": "requiring showtimes only", - "interface_uid": "1d440e68-61bd-11ee-9bc1-0242ac110005", + "created_time": 1706875973926694, + "desc": "ferrari happens proceedings", + "hypervisor": "sets denmark contractor", + "instance_uid": "64852b74-c1c4-11ee-b377-0242ac110005", + "interface_name": "perfume sensor min", + "interface_uid": "6485370e-c1c4-11ee-9d9a-0242ac110005", "os": { - "type_id": "301" + "type_id": "200" }, - "region": "terms quarter premium", - "type_id": "7" + "region": "measured shuttle adjust", + "type_id": "2", + "uid_alt": "eden gym amendments" + }, + "job": { + "file": { + "hashes": [ + {}, + {} + ] + } }, - "disposition": "Restored", - "disposition_id": "9", "metadata": { - "extension": { - "name": "attempt directed associate", - "uid": "1d43b58a-61bd-11ee-811e-0242ac110005", - "version": "1.0.0" - }, - "log_name": "external cadillac navy", - "original_time": "my northwest exhibitions", + "log_name": "pas personality bend", + "original_time": "occupational famous considerable", "product": { - "lang": "en", - "name": "gallery crude arc", - "uid": 
"1d43be36-61bd-11ee-9314-0242ac110005", - "url_string": "registrar", - "version": "1.0.0" + "uid": "6484ff28-c1c4-11ee-a148-0242ac110005", + "version": "1.1.0" }, - "profiles": [ - "cloud", - "container", - "datetime", - "host", - "security_control" - ], - "version": "1.0.0" + "profiles": [], + "version": "1.1.0" }, - "severity": "Low", - "status": "Failure", - "status_code": "respond", - "status_id": 2, - "timezone_offset": 87, - "type_name": "Scheduled Job Activity: Other", - "type_uid": "100699" + "severity": "Critical", + "status": "acdbentity", + "status_id": 99, + "timezone_offset": 97, + "type_name": "Scheduled Job Activity: Delete", + "type_uid": "100603" }, "related": { + "hash": [ + "59AE856CD788D0F57E39FDD66D421BA930CD89BE4682DE3AA36C22A2021A710D" + ], "hosts": [ - "paragraph.nato" + "chi.store" ], "ip": [ - "81.2.69.142" + "179.27.89.37" + ], + "user": [ + "Bingo" ] - }, - "threat": { - "technique": { - "id": [ - "T1522", - "T1588" - ], - "name": [ - "Cloud Instance Metadata API", - "Obtain Capabilities" - ] - } } } } \ No newline at end of file From dd48a5cb002fafa7f833efeab8ad92ef8e9ea442 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Fri, 2 Feb 2024 14:51:26 +0200 Subject: [PATCH 16/34] Fix datetime parsing for files --- OCSF/ocsf/ingest/parser.yml | 48 +++++++++---------- OCSF/ocsf/tests/test_network_activity_10.json | 1 + OCSF/ocsf/tests/test_network_activity_11.json | 1 + OCSF/ocsf/tests/test_network_activity_6.json | 3 +- OCSF/ocsf/tests/test_system_activity_4.json | 2 +- OCSF/ocsf/tests/test_system_activity_5.json | 1 + OCSF/ocsf/tests/test_system_activity_6.json | 1 + 7 files changed, 31 insertions(+), 26 deletions(-) diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml index 5d0eecd44..0bb7b4edb 100644 --- a/OCSF/ocsf/ingest/parser.yml +++ b/OCSF/ocsf/ingest/parser.yml 
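Review bot: The new expectation under `ocsf.job.file` is `"hashes": [{}, {}]` — two empty objects survive in the normalized event after the SHA-256 value has been lifted into `file.hash.sha256` and `related.hash`. Pinning that in the fixture locks the leak in; the parser (not in this hunk) should drop the emptied `job.file.hashes` array once the hash objects have been consumed, and this expectation should then omit the `job` object entirely. The file header for this fixture is outside the hunk, so I cannot tell which test case it belongs to.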
@@ -268,12 +268,12 @@ stages:
 orchestrator.type: "{{ parse_event.message.actor.process.container.orchestrator }}"
 container.name: "{{ parse_event.message.actor.process.container.name }}"
 container.runtime: "{{ parse_event.message.actor.process.container.runtime }}"
- file.accessed: "{{ parse_event.message.actor.process.file.accessed_time | to_rfc3339 }}"
- file.created: "{{ parse_event.message.actor.process.file.created_time | to_rfc3339 }}"
+ file.accessed: "{{ parse_event.message.actor.process.file.accessed_time_dt or parse_event.message.actor.process.file.accessed_time | to_rfc3339 }}"
+ file.created: "{{ parse_event.message.actor.process.file.created_time_dt or parse_event.message.actor.process.file.created_time | to_rfc3339 }}"
 file.directory: "{{ parse_event.message.actor.process.file.parent_folder }}"
 file.inode: "{{ parse_event.message.actor.process.file.uid }}"
 file.mime_type: "{{ parse_event.message.actor.process.file.mime_type }}"
- file.mtime: "{{ parse_event.message.actor.process.file.modified_time | to_rfc3339 }}"
+ file.mtime: "{{ parse_event.message.actor.process.file.modified_time_dt or parse_event.message.actor.process.file.modified_time | to_rfc3339 }}"
 file.name: "{{ parse_event.message.actor.process.file.name }}"
 file.owner: "{{ parse_event.message.actor.process.file.owner.name }}"
 file.path: "{{ parse_event.message.actor.process.file.path }}"
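Review bot: The added `or` fallback relies on Jinja filter precedence — `|` binds tighter than `or`, so `accessed_time_dt or accessed_time | to_rfc3339` emits the producer-supplied `_dt` string verbatim and only normalizes the epoch branch; the fixture values with six-digit fractions in this commit suggest that is intended, but the line reads as if both branches were normalized. Make the grouping explicit, e.g. `file.accessed: "{{ parse_event.message.actor.process.file.accessed_time_dt or (parse_event.message.actor.process.file.accessed_time | to_rfc3339) }}"`, or run the `_dt` branch through `to_rfc3339` as well so a non-conformant timestamp string from the source cannot land in `file.accessed` unnormalized and break time-based searching and correlation downstream. The same pattern recurs in the hunks at 281, 528, 541, 682, 695, 716, 729, 751, 764, 786 and 799 of this file and would benefit from the same change; the six near-identical `file.*` blocks also look like a candidate for one shared sub-pipeline, though I cannot see from here whether the parser format allows that. The enclosing `set` action starts outside this hunk.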
@@ -281,7 +281,7 @@ stages:
 file.type: "{{ parse_event.message.actor.process.file.type }}"
 file.uid: "{{ parse_event.message.actor.process.file.owner.uid }}"
 file.x509.issuer.distinguished_name: "{{ parse_event.message.actor.process.file.signature.certificate.issuer }}"
- file.x509.not_after: "{{ parse_event.message.actor.process.file.signature.certificate.expiration_time | to_rfc3339 }}"
+ file.x509.not_after: "{{ parse_event.message.actor.process.file.signature.certificate.expiration_time_dt or parse_event.message.actor.process.file.signature.certificate.expiration_time | to_rfc3339 }}"
 file.x509.serial_number: "{{ parse_event.message.actor.process.file.signature.certificate.serial_number }}"
 file.x509.subject.distinguished_name: "{{ parse_event.message.actor.process.file.signature.certificate.subject }}"
 file.x509.version_number: "{{ parse_event.message.actor.process.file.signature.certificate.version }}"
@@ -528,12 +528,12 @@ stages:
 orchestrator.type: "{{ parse_event.message.process.container.orchestrator }}"
 container.name: "{{ parse_event.message.process.container.name }}"
 container.runtime: "{{ parse_event.message.process.container.runtime }}"
- file.accessed: "{{ parse_event.message.process.file.accessed_time | to_rfc3339 }}"
- file.created: "{{ parse_event.message.process.file.created_time | to_rfc3339 }}"
+ file.accessed: "{{ parse_event.message.process.file.accessed_time_dt or parse_event.message.process.file.accessed_time | to_rfc3339 }}"
+ file.created: "{{ parse_event.message.process.file.created_time_dt or parse_event.message.process.file.created_time | to_rfc3339 }}"
 file.directory: "{{ parse_event.message.process.file.parent_folder }}"
 file.inode: "{{ parse_event.message.process.file.uid }}"
 file.mime_type: "{{ parse_event.message.process.file.mime_type }}"
- file.mtime: "{{ parse_event.message.process.file.modified_time | to_rfc3339 }}"
+ file.mtime: "{{ parse_event.message.process.file.modified_time_dt or parse_event.message.process.file.modified_time | to_rfc3339 }}"
 file.name: "{{ parse_event.message.process.file.name }}"
 file.owner: "{{ parse_event.message.process.file.owner.name }}"
 file.path: "{{ parse_event.message.process.file.path }}"
@@ -541,7 +541,7 @@ stages:
 file.type: "{{ parse_event.message.process.file.type }}"
 file.uid: "{{ parse_event.message.process.file.owner.uid }}"
 file.x509.issuer.distinguished_name: "{{ parse_event.message.process.file.signature.certificate.issuer }}"
- file.x509.not_after: "{{ parse_event.message.process.file.signature.certificate.expiration_time | to_rfc3339 }}"
+ file.x509.not_after: "{{ parse_event.message.process.file.signature.certificate.expiration_time_dt or parse_event.message.process.file.signature.certificate.expiration_time | to_rfc3339 }}"
 file.x509.serial_number: "{{ parse_event.message.process.file.signature.certificate.serial_number }}"
 file.x509.subject.distinguished_name: "{{ parse_event.message.process.file.signature.certificate.subject }}"
 file.x509.version_number: "{{ parse_event.message.process.file.signature.certificate.version }}"
@@ -682,12 +682,12 @@ stages:
 pipeline_object_file:
 actions:
 - set:
- file.accessed: "{{ parse_event.message.file.accessed_time | to_rfc3339 }}"
- file.created: "{{ parse_event.message.file.created_time | to_rfc3339 }}"
+ file.accessed: "{{ parse_event.message.file.accessed_time_dt or parse_event.message.file.accessed_time | to_rfc3339 }}"
+ file.created: "{{ parse_event.message.file.created_time_dt or parse_event.message.file.created_time | to_rfc3339 }}"
 file.directory: "{{ parse_event.message.file.parent_folder }}"
 file.inode: "{{ parse_event.message.file.uid }}"
 file.mime_type: "{{ parse_event.message.file.mime_type }}"
- file.mtime: "{{ parse_event.message.file.modified_time | to_rfc3339 }}"
+ file.mtime: "{{ parse_event.message.file.modified_time_dt or parse_event.message.file.modified_time | to_rfc3339 }}"
 file.name: "{{ parse_event.message.file.name }}"
 file.owner: "{{ parse_event.message.file.owner.name }}"
 file.path: "{{ parse_event.message.file.path }}"
@@ -695,7 +695,7 @@ stages:
 file.type: "{{ parse_event.message.file.type }}"
 file.uid: "{{ parse_event.message.file.owner.uid }}"
 file.x509.issuer.distinguished_name: "{{ parse_event.message.file.signature.certificate.issuer }}"
- file.x509.not_after: "{{ parse_event.message.file.signature.certificate.expiration_time | to_rfc3339 }}"
+ file.x509.not_after: "{{ parse_event.message.file.signature.certificate.expiration_time_dt or parse_event.message.file.signature.certificate.expiration_time | to_rfc3339 }}"
 file.x509.serial_number: "{{ parse_event.message.file.signature.certificate.serial_number }}"
 file.x509.subject.distinguished_name: "{{ parse_event.message.file.signature.certificate.subject }}"
 file.x509.version_number: "{{ parse_event.message.file.signature.certificate.version }}"
@@ -716,12 +716,12 @@ stages:
 pipeline_object_system_activity_helper:
 actions:
 - set:
- file.accessed: "{{ parse_event.message.driver.file.accessed_time | to_rfc3339 }}"
- file.created: "{{ parse_event.message.driver.file.created_time | to_rfc3339 }}"
+ file.accessed: "{{ parse_event.message.driver.file.accessed_time_dt or parse_event.message.driver.file.accessed_time | to_rfc3339 }}"
+ file.created: "{{ parse_event.message.driver.file.created_time_dt or parse_event.message.driver.file.created_time | to_rfc3339 }}"
 file.directory: "{{ parse_event.message.driver.file.parent_folder }}"
 file.inode: "{{ parse_event.message.driver.file.uid }}"
 file.mime_type: "{{ parse_event.message.driver.file.mime_type }}"
- file.mtime: "{{ parse_event.message.driver.file.modified_time | to_rfc3339 }}"
+ file.mtime: "{{ parse_event.message.driver.file.modified_time_dt or parse_event.message.driver.file.modified_time | to_rfc3339 }}"
 file.name: "{{ parse_event.message.driver.file.name }}"
 file.owner: "{{ parse_event.message.driver.file.owner.name }}"
 file.path: "{{ parse_event.message.driver.file.path }}"
@@ -729,7 +729,7 @@ stages:
 file.type: "{{ parse_event.message.driver.file.type }}"
 file.uid: "{{ parse_event.message.driver.file.owner.uid }}"
 file.x509.issuer.distinguished_name: "{{ parse_event.message.driver.file.signature.certificate.issuer }}"
- file.x509.not_after: "{{ parse_event.message.driver.file.signature.certificate.expiration_time | to_rfc3339 }}"
+ file.x509.not_after: "{{ parse_event.message.driver.file.signature.certificate.expiration_time_dt or parse_event.message.driver.file.signature.certificate.expiration_time | to_rfc3339 }}"
 file.x509.serial_number: "{{ parse_event.message.driver.file.signature.certificate.serial_number }}"
 file.x509.subject.distinguished_name: "{{ parse_event.message.driver.file.signature.certificate.subject }}"
 file.x509.version_number: "{{ parse_event.message.driver.file.signature.certificate.version }}"
@@ -751,12 +751,12 @@ stages:
 filter: "{{ parse_event.message.driver.file != null }}"
 - set:
- file.accessed: "{{ parse_event.message.job.file.accessed_time | to_rfc3339 }}"
- file.created: "{{ parse_event.message.job.file.created_time | to_rfc3339 }}"
+ file.accessed: "{{ parse_event.message.job.file.accessed_time_dt or parse_event.message.job.file.accessed_time | to_rfc3339 }}"
+ file.created: "{{ parse_event.message.job.file.created_time_dt or parse_event.message.job.file.created_time | to_rfc3339 }}"
 file.directory: "{{ parse_event.message.job.file.parent_folder }}"
 file.inode: "{{ parse_event.message.job.file.uid }}"
 file.mime_type: "{{ parse_event.message.job.file.mime_type }}"
- file.mtime: "{{ parse_event.message.job.file.modified_time | to_rfc3339 }}"
+ file.mtime: "{{ parse_event.message.job.file.modified_time_dt or parse_event.message.job.file.modified_time | to_rfc3339 }}"
 file.name: "{{ parse_event.message.job.file.name }}"
 file.owner: "{{ parse_event.message.job.file.owner.name }}"
 file.path: "{{ parse_event.message.job.file.path }}"
@@ -764,7 +764,7 @@ stages:
 file.type: "{{ parse_event.message.job.file.type }}"
 file.uid: "{{ parse_event.message.job.file.owner.uid }}"
 file.x509.issuer.distinguished_name: "{{ parse_event.message.job.file.signature.certificate.issuer }}"
- file.x509.not_after: "{{ parse_event.message.job.file.signature.certificate.expiration_time | to_rfc3339 }}"
+ file.x509.not_after: "{{ parse_event.message.job.file.signature.certificate.expiration_time_dt or parse_event.message.job.file.signature.certificate.expiration_time | to_rfc3339 }}"
 file.x509.serial_number: "{{ parse_event.message.job.file.signature.certificate.serial_number }}"
 file.x509.subject.distinguished_name: "{{ parse_event.message.job.file.signature.certificate.subject }}"
 file.x509.version_number: "{{ parse_event.message.job.file.signature.certificate.version }}"
@@ -786,12 +786,12 @@ stages:
 filter: "{{ parse_event.message.job.file != null }}"
 - set:
- file.accessed: "{{ parse_event.message.module.file.accessed_time | to_rfc3339 }}"
- file.created: "{{ parse_event.message.module.file.created_time | to_rfc3339 }}"
+ file.accessed: "{{ parse_event.message.module.file.accessed_time_dt or parse_event.message.module.file.accessed_time | to_rfc3339 }}"
+ file.created: "{{ parse_event.message.module.file.created_time_dt or parse_event.message.module.file.created_time | to_rfc3339 }}"
 file.directory: "{{ parse_event.message.module.file.parent_folder }}"
 file.inode: "{{ parse_event.message.module.file.uid }}"
 file.mime_type: "{{ parse_event.message.module.file.mime_type }}"
- file.mtime: "{{ parse_event.message.module.file.modified_time | to_rfc3339 }}"
+ file.mtime: "{{ parse_event.message.module.file.modified_time_dt or parse_event.message.module.file.modified_time | to_rfc3339 }}"
 file.name: "{{ parse_event.message.module.file.name }}"
 file.owner: "{{ parse_event.message.module.file.owner.name }}"
 file.path: "{{ parse_event.message.module.file.path }}"
@@ -799,7 +799,7 @@ stages:
 file.type: "{{ parse_event.message.module.file.type }}"
 file.uid: "{{ parse_event.message.module.file.owner.uid }}"
 file.x509.issuer.distinguished_name: "{{ parse_event.message.module.file.signature.certificate.issuer }}"
- file.x509.not_after: "{{ parse_event.message.module.file.signature.certificate.expiration_time | to_rfc3339 }}"
+ file.x509.not_after: "{{ parse_event.message.module.file.signature.certificate.expiration_time_dt or parse_event.message.module.file.signature.certificate.expiration_time | to_rfc3339 }}"
 file.x509.serial_number: "{{ parse_event.message.module.file.signature.certificate.serial_number }}"
 file.x509.subject.distinguished_name: "{{ parse_event.message.module.file.signature.certificate.subject }}"
 file.x509.version_number: "{{ parse_event.message.module.file.signature.certificate.version }}"
diff --git a/OCSF/ocsf/tests/test_network_activity_10.json b/OCSF/ocsf/tests/test_network_activity_10.json
index de032900c..df10da309 100644
--- a/OCSF/ocsf/tests/test_network_activity_10.json
+++ b/OCSF/ocsf/tests/test_network_activity_10.json
@@ -50,6 +50,7 @@
 "hash": {
 "sha256": "4C3280C17F9D982CCBAC882AE1F48DAD224DBA938BEE87BF18E31C76B0C3B88B"
 },
+ "mtime": "2023-09-25T21:07:21.567190Z",
 "name": "amend.sh",
 "path": "telling saved challenge/wrapped.tga/citations.gpx",
 "type": "Unknown"
diff --git a/OCSF/ocsf/tests/test_network_activity_11.json b/OCSF/ocsf/tests/test_network_activity_11.json
index caff76c9a..1d8c65911 100644
--- a/OCSF/ocsf/tests/test_network_activity_11.json
+++ b/OCSF/ocsf/tests/test_network_activity_11.json
@@ -39,6 +39,7 @@
 "local_id": "9e3d9088-5be7-11ee-b651-0242ac110005"
 },
 "file": {
+ "accessed": "2023-09-25T21:08:04.549340Z",
 "directory": "pensions lightning push/congress.icns",
 "mtime": "2023-09-25T21:08:04.549000Z",
 "name": "revenge.ged",
diff --git a/OCSF/ocsf/tests/test_network_activity_6.json b/OCSF/ocsf/tests/test_network_activity_6.json
index a9f6e94cc..99673fce7 100644
--- a/OCSF/ocsf/tests/test_network_activity_6.json
+++ b/OCSF/ocsf/tests/test_network_activity_6.json
@@ -47,12 +47,13 @@
 }
 },
 "file": {
+ "accessed": "2023-09-25T21:06:16.073784Z",
 "directory": "pay msie consciousness/checking.tiff",
 "hash": {
 "sha256": "B6F8AE88482BDE38221723480B7EE2BE8088C076BDB5F22AA847A66E59C2ACFB"
 },
 "inode": "5d95ca5a-5be7-11ee-a417-0242ac110005",
- "mtime": "2023-09-25T21:06:16.016000Z",
+ "mtime": "2023-09-25T21:06:16.073732Z",
 "name": "brazil.docx",
 "path": "pay msie consciousness/checking.tiff/brazil.docx",
 "type": "Character Device",
diff --git a/OCSF/ocsf/tests/test_system_activity_4.json b/OCSF/ocsf/tests/test_system_activity_4.json
index 3a268ff11..0ad516100 100644
--- a/OCSF/ocsf/tests/test_system_activity_4.json
+++ b/OCSF/ocsf/tests/test_system_activity_4.json
@@ -40,7 +40,7 @@
 "hash": {
 "md5": "4F227649B2E932AED413A05B69BAA35D"
 },
- "mtime": "2023-09-21T04:56:21.548000Z",
+ "mtime": "2023-10-03T05:37:34.691274Z",
 "name": "tenant.prf",
 "path": "daisy bullet expectations/speakers.fon/tenant.prf",
 "type": "Symbolic Link"
diff --git a/OCSF/ocsf/tests/test_system_activity_5.json b/OCSF/ocsf/tests/test_system_activity_5.json
index dcc644528..ca61c83f8 100644
--- a/OCSF/ocsf/tests/test_system_activity_5.json
+++ b/OCSF/ocsf/tests/test_system_activity_5.json
@@ -41,6 +41,7 @@
 "runtime": "annoying remarkable setup"
 },
 "file": {
+ "created": "2023-10-03T06:46:13.753318Z",
 "directory": "pleased dip spiritual/corresponding.java",
 "hash": {
 "ssdeep": "B8C09AA4F584900FEA2DF3DAFBDAF9F0C6E76095BFDBCCF5F0F748D069D706526380A29574124164B0EDC1B56DD8342FC4BF70467A9B6024D999269A45E2A175",
diff --git a/OCSF/ocsf/tests/test_system_activity_6.json b/OCSF/ocsf/tests/test_system_activity_6.json
index d79a5cb88..d8a504650 100644
--- a/OCSF/ocsf/tests/test_system_activity_6.json
+++ b/OCSF/ocsf/tests/test_system_activity_6.json
@@ -42,6 +42,7 @@ "runtime": "ntsc replacing emotional" }, "file": { + "accessed": "2023-10-03T07:27:11.051398Z", "directory": "district moment specs/consolidation.mp3", "name": "game.crdownload", "path": "district moment specs/consolidation.mp3/game.crdownload", From 2deaa156a5155660abb4303a554406a937767d19 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Fri, 2 Feb 2024 15:15:20 +0200 Subject: [PATCH 17/34] Basic smart descriptions --- OCSF/ocsf/_meta/smart-descriptions.json | 353 +++++++++++++++++++++++- 1 file changed, 350 insertions(+), 3 deletions(-) diff --git a/OCSF/ocsf/_meta/smart-descriptions.json b/OCSF/ocsf/_meta/smart-descriptions.json index b76c35159..ce205d281 100644 --- a/OCSF/ocsf/_meta/smart-descriptions.json +++ b/OCSF/ocsf/_meta/smart-descriptions.json 
@@ -1,6 +1,353 @@ [ { - "value": "{ocsf.class_name}", - "conditions": [{ "field": "ocsf.class_name" }] + "value": "File System Activity: {ocsf.activity_name} file {file.name} by {user.name} on {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 1001 + } + ] + }, + { + "value": "Kernel Extension Activity: {ocsf.activity_name} file {file.name} on {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 1002 + } + ] + }, + { + "value": "Kernel Activity: {ocsf.activity_name} file {file.name} on {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 1003 + } + ] + }, + { + "value": "Memory Activity: {ocsf.activity_name} file {file.name} on {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 1004 + } + ] + }, + { + "value": "Module Activity: {ocsf.activity_name} file {file.name} by process {process.name} on {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 1005 + } + ] + }, + { + "value": "Scheduled Job Activity: {ocsf.activity_name} file {file.name} on {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 1006 + } + ] + }, + { + "value": "Process Activity: {ocsf.activity_name} by process {process.name} on {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 1007 + } + ] + }, + { + "value": "Security Finding: {ocsf.activity_name} vulnerability {vulnerability.id}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 2001 + } + ] + }, + { + "value": "Vulnerability Finding: {ocsf.activity_name} vulnerability {vulnerability.id}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 2002 + } + ] + }, + { + "value": "Account Change", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 3001 + } + ] + }, + { + "value": "Authentication", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 3002 + } + ] + }, + { + "value": "Authorize Session: {ocsf.activity_name} to {host.ip}", + "conditions": [ + { + 
"field": "ocsf.class_uid", + "value": 3003 + } + ] + }, + { + "value": "Entity Management: {ocsf.activity_name} to {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 3004 + } + ] + }, + { + "value": "User Access Management: {ocsf.activity_name} user {user.target.name} on {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 3005 + } + ] + }, + { + "value": "Group Management: {ocsf.activity_name} user {user.target.name} on {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 3006 + } + ] + }, + { + "value": "Network Activity: {ocsf.activity_name} on {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4001 + } + ] + }, + { + "value": "HTTP Activity: {ocsf.activity_name} on {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4002 + } + ] + }, + { + "value": "DNS Activity: {ocsf.activity_name} on {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4003 + } + ] + }, + { + "value": "DHCP Activity: {ocsf.activity_name} on {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4004 + } + ] + }, + { + "value": "RDP Activity: {ocsf.activity_name} on {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4005 + } + ] + }, + { + "value": "SMB Activity: {ocsf.activity_name} {file.name} on {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4006 + } + ] + }, + { + "value": "SSH Activity: {ocsf.activity_name} on {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4007 + } + ] + }, + { + "value": "FTP Activity: {ocsf.activity_name} to {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4008 + } + ] + }, + { + "value": "Email Activity: {ocsf.activity_name} to {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4009 + } + ] + }, + { + "value": "Network File Activity: {ocsf.activity_name} file {file.name} on {host.ip}", + 
"conditions": [ + { + "field": "ocsf.class_uid", + "value": 4010 + } + ] + }, + { + "value": "Email File Activity: {ocsf.activity_name} to {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4011 + } + ] + }, + { + "value": "Email URL Activity: {ocsf.activity_name} to {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4012 + } + ] + }, + { + "value": "NTP Activity: {ocsf.activity_name} to {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4013 + } + ] + }, + { + "value": "Device Inventory Info: {ocsf.activity_name} on device {host.mac}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5001 + } + ] + }, + { + "value": "Device Config State: {ocsf.activity_name} on {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5002 + } + ] + }, + { + "value": "User Inventory Info: {ocsf.activity_name} on {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5003 + } + ] + }, + { + "value": "Device Config State Change: {ocsf.activity_name} on {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5019 + } + ] + }, + { + "value": "Web Resources Activity: {ocsf.activity_name} from {source.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 6001 + } + ] + }, + { + "value": "Application Lifecycle: {ocsf.activity_name} application {ocsf.app.name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 6002 + } + ] + }, + { + "value": "API Activity: {ocsf.activity_name} from {source.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 6003 + } + ] + }, + { + "value": "Web Resource Access Activity: {ocsf.activity_name} to {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 6004 + } + ] + }, + { + "value": "Datastore Activity: {ocsf.activity_name} to {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 6005 + } + ] + }, + { + "value": "File Hosting Activity: 
{ocsf.activity_name} from {source.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 6006 + } + ] + }, + { + "value": "Scan Activity: {ocsf.activity_name} to {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 6007 + } + ] } -] +] \ No newline at end of file From cf33e73d2223ac8a698de34b4355b21cc8003c49 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Fri, 2 Feb 2024 16:03:22 +0200 Subject: [PATCH 18/34] Apply prettier --- OCSF/ocsf/_meta/smart-descriptions.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/OCSF/ocsf/_meta/smart-descriptions.json b/OCSF/ocsf/_meta/smart-descriptions.json index ce205d281..d1c487fe3 100644 --- a/OCSF/ocsf/_meta/smart-descriptions.json +++ b/OCSF/ocsf/_meta/smart-descriptions.json @@ -350,4 +350,4 @@ } ] } -] \ No newline at end of file +] From af89312bf68036f0e3cd5fe5b0350f6e4a9ea672 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 9 Apr 2024 12:31:26 +0300 Subject: [PATCH 19/34] Fix linting --- OCSF/ocsf/_meta/fields.yml | 3510 +++++++++++++++++++++++------------- 1 file changed, 2280 insertions(+), 1230 deletions(-) diff --git a/OCSF/ocsf/_meta/fields.yml b/OCSF/ocsf/_meta/fields.yml index 6f61e4419..ca96c3af9 100644 --- a/OCSF/ocsf/_meta/fields.yml +++ b/OCSF/ocsf/_meta/fields.yml 
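Review bot: The catch-all entry `{"value": "{ocsf.class_name}", "conditions": [{"field": "ocsf.class_name"}]}` is removed and nothing replaces it, so any event whose `class_uid` is not in the new list gets no smart description at all; the list names only 2001 and 2002 in the finding range and jumps from 5003 to 5019, and producers on newer OCSF versions will add classes. Keep a last-resort entry after the specific ones, e.g. `{ "value": "{ocsf.class_name}: {ocsf.activity_name}", "conditions": [{ "field": "ocsf.class_name" }] }`, assuming matching is first-match in file order. Separately, `host.ip` is populated as an array in this intake's expected output (`"ip": ["179.27.89.37"]` in the fixture above), so check how the template engine renders a list value before relying on `{host.ip}` in most of these strings; `{host.hostname}` may read better where the parser sets it.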
@@ -2,7567 +2,8617 @@ ocsf.access_mask: description: The access mask in a platform-native format. name: ocsf.access_mask type: long + ocsf.activity_id: description: The normalized identifier of the activity that triggered the event. name: ocsf.activity_id type: long + ocsf.activity_name: description: The event activity name, as defined by the activity_id. name: ocsf.activity_name type: keyword + ocsf.actor.authorizations.decision: description: Authorization Result/outcome, e.g. allowed, denied. name: ocsf.actor.authorizations.decision type: keyword + ocsf.actor.authorizations.policy.desc: description: The description of the policy. name: ocsf.actor.authorizations.policy.desc type: keyword + ocsf.actor.authorizations.policy.group.desc: description: The group description. name: ocsf.actor.authorizations.policy.group.desc type: keyword + ocsf.actor.authorizations.policy.group.name: description: The group name. name: ocsf.actor.authorizations.policy.group.name type: keyword + ocsf.actor.authorizations.policy.group.privileges: description: The group privileges. name: ocsf.actor.authorizations.policy.group.privileges type: keyword + ocsf.actor.authorizations.policy.group.type: description: The type of the group or account. name: ocsf.actor.authorizations.policy.group.type type: keyword + ocsf.actor.authorizations.policy.group.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.actor.authorizations.policy.group.uid type: keyword + ocsf.actor.authorizations.policy.name: - description: "The policy name. For example: IAM Policy." + description: 'The policy name. For example: IAM Policy.' name: ocsf.actor.authorizations.policy.name type: keyword + ocsf.actor.authorizations.policy.uid: description: A unique identifier of the policy instance. 
name: ocsf.actor.authorizations.policy.uid type: keyword + ocsf.actor.authorizations.policy.version: description: The policy version number. name: ocsf.actor.authorizations.policy.version type: keyword + ocsf.actor.idp.name: description: The name of the identity provider. name: ocsf.actor.idp.name type: keyword + ocsf.actor.idp.uid: description: The unique identifier of the identity provider. name: ocsf.actor.idp.uid type: keyword + ocsf.actor.invoked_by: - description: - The name of the service that invoked the activity as described in the + description: The name of the service that invoked the activity as described in the event. name: ocsf.actor.invoked_by type: keyword + ocsf.actor.process.auid: description: The audit user assigned at login by the audit subsystem. name: ocsf.actor.process.auid type: keyword + ocsf.actor.process.container.hash.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.actor.process.container.hash.algorithm type: keyword + ocsf.actor.process.container.hash.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. name: ocsf.actor.process.container.hash.algorithm_id type: keyword + ocsf.actor.process.container.hash.value: description: The digital fingerprint value. name: ocsf.actor.process.container.hash.value type: keyword + ocsf.actor.process.container.image.path: description: The full path to the image file. name: ocsf.actor.process.container.image.path type: keyword + ocsf.actor.process.container.image.uid: description: The unique image ID. 
name: ocsf.actor.process.container.image.uid type: keyword + ocsf.actor.process.container.network_driver: - description: - The network driver used by the container. For example, bridge, overlay, + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. name: ocsf.actor.process.container.network_driver type: keyword + ocsf.actor.process.container.pod_uuid: - description: - The unique identifier of the pod (or equivalent) that the container + description: The unique identifier of the pod (or equivalent) that the container is executing on. name: ocsf.actor.process.container.pod_uuid type: keyword + ocsf.actor.process.container.size: description: The size of the container image. name: ocsf.actor.process.container.size type: long + ocsf.actor.process.container.tag: description: The tag used by the container. It can indicate version, format, OS. name: ocsf.actor.process.container.tag type: keyword + ocsf.actor.process.created_time_dt: description: The time when the process was created/started. name: ocsf.actor.process.created_time_dt type: date + ocsf.actor.process.file.accessed_time_dt: description: The time when the file was last accessed. name: ocsf.actor.process.file.accessed_time_dt type: date + ocsf.actor.process.file.accessor.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.actor.process.file.accessor.account.name type: keyword + ocsf.actor.process.file.accessor.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.actor.process.file.accessor.account.type type: keyword + ocsf.actor.process.file.accessor.account.type_id: description: The normalized account type identifier. 
name: ocsf.actor.process.file.accessor.account.type_id type: keyword + ocsf.actor.process.file.accessor.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.actor.process.file.accessor.account.uid type: keyword + ocsf.actor.process.file.accessor.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.actor.process.file.accessor.credential_uid type: keyword + ocsf.actor.process.file.accessor.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.actor.process.file.accessor.domain type: keyword + ocsf.actor.process.file.accessor.email_addr: description: The user's email address. name: ocsf.actor.process.file.accessor.email_addr type: keyword + ocsf.actor.process.file.accessor.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.actor.process.file.accessor.full_name type: keyword + ocsf.actor.process.file.accessor.groups.desc: description: The group description. name: ocsf.actor.process.file.accessor.groups.desc type: keyword + ocsf.actor.process.file.accessor.groups.name: description: The group name. name: ocsf.actor.process.file.accessor.groups.name type: keyword + ocsf.actor.process.file.accessor.groups.privileges: description: The group privileges. name: ocsf.actor.process.file.accessor.groups.privileges type: keyword + ocsf.actor.process.file.accessor.groups.type: description: The type of the group or account. 
name: ocsf.actor.process.file.accessor.groups.type type: keyword + ocsf.actor.process.file.accessor.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.actor.process.file.accessor.groups.uid type: keyword + ocsf.actor.process.file.accessor.name: description: The username. For example, janedoe1. name: ocsf.actor.process.file.accessor.name type: keyword + ocsf.actor.process.file.accessor.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.actor.process.file.accessor.org.name type: keyword + ocsf.actor.process.file.accessor.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.actor.process.file.accessor.org.ou_name type: keyword + ocsf.actor.process.file.accessor.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.actor.process.file.accessor.org.ou_uid type: keyword + ocsf.actor.process.file.accessor.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.actor.process.file.accessor.org.uid type: keyword + ocsf.actor.process.file.accessor.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.actor.process.file.accessor.type type: keyword + ocsf.actor.process.file.accessor.type_id: description: The account type identifier. 
name: ocsf.actor.process.file.accessor.type_id type: keyword + ocsf.actor.process.file.accessor.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. name: ocsf.actor.process.file.accessor.uid type: keyword + ocsf.actor.process.file.accessor.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.actor.process.file.accessor.uid_alt type: keyword + ocsf.actor.process.file.attributes: description: The Bitmask value that represents the file attributes. name: ocsf.actor.process.file.attributes type: long + ocsf.actor.process.file.company_name: - description: - "The name of the company that published the file. For example: Microsoft - Corporation." + description: 'The name of the company that published the file. For example: Microsoft + Corporation.' name: ocsf.actor.process.file.company_name type: keyword + ocsf.actor.process.file.confidentiality: - description: - The file content confidentiality, normalized to the confidentiality_id + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. name: ocsf.actor.process.file.confidentiality type: keyword + ocsf.actor.process.file.confidentiality_id: description: The normalized identifier of the file content confidentiality indicator. name: ocsf.actor.process.file.confidentiality_id type: keyword + ocsf.actor.process.file.created_time_dt: description: The time when the file was created. name: ocsf.actor.process.file.created_time_dt type: date + ocsf.actor.process.file.creator.account.name: description: The name of the account (e.g. GCP Account Name). 
name: ocsf.actor.process.file.creator.account.name type: keyword + ocsf.actor.process.file.creator.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.actor.process.file.creator.account.type type: keyword + ocsf.actor.process.file.creator.account.type_id: description: The normalized account type identifier. name: ocsf.actor.process.file.creator.account.type_id type: keyword + ocsf.actor.process.file.creator.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.actor.process.file.creator.account.uid type: keyword + ocsf.actor.process.file.creator.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.actor.process.file.creator.credential_uid type: keyword + ocsf.actor.process.file.creator.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.actor.process.file.creator.domain type: keyword + ocsf.actor.process.file.creator.email_addr: description: The user's email address. name: ocsf.actor.process.file.creator.email_addr type: keyword + ocsf.actor.process.file.creator.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.actor.process.file.creator.full_name type: keyword + ocsf.actor.process.file.creator.groups.desc: description: The group description. 
name: ocsf.actor.process.file.creator.groups.desc type: keyword + ocsf.actor.process.file.creator.groups.name: description: The group name. name: ocsf.actor.process.file.creator.groups.name type: keyword + ocsf.actor.process.file.creator.groups.privileges: description: The group privileges. name: ocsf.actor.process.file.creator.groups.privileges type: keyword + ocsf.actor.process.file.creator.groups.type: description: The type of the group or account. name: ocsf.actor.process.file.creator.groups.type type: keyword + ocsf.actor.process.file.creator.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.actor.process.file.creator.groups.uid type: keyword + ocsf.actor.process.file.creator.name: description: The name of the city. name: ocsf.actor.process.file.creator.name type: keyword + ocsf.actor.process.file.creator.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.actor.process.file.creator.org.name type: keyword + ocsf.actor.process.file.creator.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.actor.process.file.creator.org.ou_name type: keyword + ocsf.actor.process.file.creator.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.actor.process.file.creator.org.ou_uid type: keyword + ocsf.actor.process.file.creator.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. 
For example, its Active Directory or AWS Org ID. name: ocsf.actor.process.file.creator.org.uid type: keyword + ocsf.actor.process.file.creator.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.actor.process.file.creator.type type: keyword + ocsf.actor.process.file.creator.type_id: description: The account type identifier. name: ocsf.actor.process.file.creator.type_id type: keyword + ocsf.actor.process.file.creator.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. name: ocsf.actor.process.file.creator.uid type: keyword + ocsf.actor.process.file.creator.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.actor.process.file.creator.uid_alt type: keyword + ocsf.actor.process.file.desc: - description: - "The description of the file, as returned by file system. For example: - the description as returned by the Unix file command or the Windows file type." + description: 'The description of the file, as returned by file system. For example: + the description as returned by the Unix file command or the Windows file type.' name: ocsf.actor.process.file.desc type: keyword + ocsf.actor.process.file.is_system: description: The indication of whether the object is part of the operating system. name: ocsf.actor.process.file.is_system type: boolean + ocsf.actor.process.file.modified_time_dt: description: The time when the file was last modified. name: ocsf.actor.process.file.modified_time_dt type: date + ocsf.actor.process.file.modifier.account.name: description: The name of the account (e.g. GCP Account Name). 
name: ocsf.actor.process.file.modifier.account.name type: keyword + ocsf.actor.process.file.modifier.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.actor.process.file.modifier.account.type type: keyword + ocsf.actor.process.file.modifier.account.type_id: description: The normalized account type identifier. name: ocsf.actor.process.file.modifier.account.type_id type: keyword + ocsf.actor.process.file.modifier.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.actor.process.file.modifier.account.uid type: keyword + ocsf.actor.process.file.modifier.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.actor.process.file.modifier.credential_uid type: keyword + ocsf.actor.process.file.modifier.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.actor.process.file.modifier.domain type: keyword + ocsf.actor.process.file.modifier.email_addr: - description: "The image name. For example: elixir." + description: 'The image name. For example: elixir.' name: ocsf.actor.process.file.modifier.email_addr type: keyword + ocsf.actor.process.file.modifier.full_name: description: The user's email address. name: ocsf.actor.process.file.modifier.full_name type: keyword + ocsf.actor.process.file.modifier.groups.desc: description: The group description. name: ocsf.actor.process.file.modifier.groups.desc type: keyword + ocsf.actor.process.file.modifier.groups.name: description: The group name. 
name: ocsf.actor.process.file.modifier.groups.name type: keyword + ocsf.actor.process.file.modifier.groups.privileges: description: The group privileges. name: ocsf.actor.process.file.modifier.groups.privileges type: keyword + ocsf.actor.process.file.modifier.groups.type: description: The type of the group or account. name: ocsf.actor.process.file.modifier.groups.type type: keyword + ocsf.actor.process.file.modifier.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.actor.process.file.modifier.groups.uid type: keyword + ocsf.actor.process.file.modifier.name: description: The username. For example, janedoe1. name: ocsf.actor.process.file.modifier.name type: keyword + ocsf.actor.process.file.modifier.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.actor.process.file.modifier.org.name type: keyword + ocsf.actor.process.file.modifier.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.actor.process.file.modifier.org.ou_name type: keyword + ocsf.actor.process.file.modifier.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.actor.process.file.modifier.org.ou_uid type: keyword + ocsf.actor.process.file.modifier.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
name: ocsf.actor.process.file.modifier.org.uid type: keyword + ocsf.actor.process.file.modifier.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.actor.process.file.modifier.type type: keyword + ocsf.actor.process.file.modifier.type_id: description: The account type identifier. name: ocsf.actor.process.file.modifier.type_id type: keyword + ocsf.actor.process.file.modifier.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. name: ocsf.actor.process.file.modifier.uid type: keyword + ocsf.actor.process.file.modifier.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.actor.process.file.modifier.uid_alt type: keyword + ocsf.actor.process.file.owner.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.actor.process.file.owner.account.name type: keyword + ocsf.actor.process.file.owner.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.actor.process.file.owner.account.type type: keyword + ocsf.actor.process.file.owner.account.type_id: description: The normalized account type identifier. name: ocsf.actor.process.file.owner.account.type_id type: keyword + ocsf.actor.process.file.owner.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.actor.process.file.owner.account.uid type: keyword + ocsf.actor.process.file.owner.credential_uid: - description: - The unique identifier of the user's credential. 
For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.actor.process.file.owner.credential_uid type: keyword + ocsf.actor.process.file.owner.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.actor.process.file.owner.domain type: keyword + ocsf.actor.process.file.owner.email_addr: description: The user's email address. name: ocsf.actor.process.file.owner.email_addr type: keyword + ocsf.actor.process.file.owner.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.actor.process.file.owner.full_name type: keyword + ocsf.actor.process.file.owner.groups.desc: description: The group description. name: ocsf.actor.process.file.owner.groups.desc type: keyword + ocsf.actor.process.file.owner.groups.name: description: The group name. name: ocsf.actor.process.file.owner.groups.name type: keyword + ocsf.actor.process.file.owner.groups.privileges: description: The group privileges. name: ocsf.actor.process.file.owner.groups.privileges type: keyword + ocsf.actor.process.file.owner.groups.type: description: The type of the group or account. name: ocsf.actor.process.file.owner.groups.type type: keyword + ocsf.actor.process.file.owner.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.actor.process.file.owner.groups.uid type: keyword + ocsf.actor.process.file.owner.org.name: description: The name of the organization. For example, Widget, Inc. 
name: ocsf.actor.process.file.owner.org.name type: keyword + ocsf.actor.process.file.owner.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.actor.process.file.owner.org.ou_name type: keyword + ocsf.actor.process.file.owner.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.actor.process.file.owner.org.ou_uid type: keyword + ocsf.actor.process.file.owner.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.actor.process.file.owner.org.uid type: keyword + ocsf.actor.process.file.owner.type: - description: - The event occurred on a personal device.The type of the user. For example, + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. name: ocsf.actor.process.file.owner.type type: keyword + ocsf.actor.process.file.owner.type_id: description: The account type identifier. name: ocsf.actor.process.file.owner.type_id type: keyword + ocsf.actor.process.file.owner.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.actor.process.file.owner.uid_alt type: keyword + ocsf.actor.process.file.product.feature.name: description: The name of the feature. name: ocsf.actor.process.file.product.feature.name type: keyword + ocsf.actor.process.file.product.feature.uid: description: The unique identifier of the feature. 
name: ocsf.actor.process.file.product.feature.uid type: keyword + ocsf.actor.process.file.product.feature.version: description: The version of the feature. name: ocsf.actor.process.file.product.feature.version type: keyword + ocsf.actor.process.file.product.lang: - description: - "The two letter lower case language codes, as defined by ISO 639-1. - For example: en (English), de (German), or fr (French)." + description: 'The two letter lower case language codes, as defined by ISO 639-1. + For example: en (English), de (German), or fr (French).' name: ocsf.actor.process.file.product.lang type: keyword + ocsf.actor.process.file.product.name: description: The name of the feature. name: ocsf.actor.process.file.product.name type: keyword + ocsf.actor.process.file.product.path: description: The installation path of the product. name: ocsf.actor.process.file.product.path type: keyword + ocsf.actor.process.file.product.uid: description: The unique identifier of the feature. name: ocsf.actor.process.file.product.uid type: keyword + ocsf.actor.process.file.product.url_string: description: The URL pointing towards the product. name: ocsf.actor.process.file.product.url_string type: keyword + ocsf.actor.process.file.product.vendor_name: description: The name of the vendor of the product. name: ocsf.actor.process.file.product.vendor_name type: keyword + ocsf.actor.process.file.product.version: - description: - "The version of the product, as defined by the event source. For example: - 2013.1.3-beta." + description: 'The version of the product, as defined by the event source. For example: + 2013.1.3-beta.' name: ocsf.actor.process.file.product.version type: keyword + ocsf.actor.process.file.security_descriptor: description: The object security descriptor. 
name: ocsf.actor.process.file.security_descriptor type: keyword + ocsf.actor.process.file.signature.algorithm: - description: - The digital signature algorithm used to create the signature, normalized + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.actor.process.file.signature.algorithm type: keyword + ocsf.actor.process.file.signature.algorithm_id: description: The identifier of the normalized digital signature algorithm. name: ocsf.actor.process.file.signature.algorithm_id type: keyword + ocsf.actor.process.file.signature.certificate.created_time: description: The time when the certificate was created. name: ocsf.actor.process.file.signature.certificate.created_time type: date + ocsf.actor.process.file.signature.certificate.created_time_dt: description: The time when the certificate was created. name: ocsf.actor.process.file.signature.certificate.created_time_dt type: date + ocsf.actor.process.file.signature.certificate.expiration_time_dt: description: The expiration time of the certificate. name: ocsf.actor.process.file.signature.certificate.expiration_time_dt type: date + ocsf.actor.process.file.signature.certificate.fingerprints.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.actor.process.file.signature.certificate.fingerprints.algorithm type: keyword + ocsf.actor.process.file.signature.certificate.fingerprints.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. 
name: ocsf.actor.process.file.signature.certificate.fingerprints.algorithm_id type: keyword + ocsf.actor.process.file.signature.certificate.fingerprints.value: description: The digital fingerprint value. name: ocsf.actor.process.file.signature.certificate.fingerprints.value type: keyword + ocsf.actor.process.file.signature.created_time: description: The time when the digital signature was created. name: ocsf.actor.process.file.signature.created_time type: date + ocsf.actor.process.file.signature.created_time_dt: description: The time when the digital signature was created. name: ocsf.actor.process.file.signature.created_time_dt type: date + ocsf.actor.process.file.signature.developer_uid: description: The developer ID on the certificate that signed the file. name: ocsf.actor.process.file.signature.developer_uid type: keyword + ocsf.actor.process.file.signature.digest.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.actor.process.file.signature.digest.algorithm type: keyword + ocsf.actor.process.file.signature.digest.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. name: ocsf.actor.process.file.signature.digest.algorithm_id type: keyword + ocsf.actor.process.file.signature.digest.value: description: The digital fingerprint value. name: ocsf.actor.process.file.signature.digest.value type: keyword + ocsf.actor.process.file.type_id: description: The file type ID. name: ocsf.actor.process.file.type_id type: keyword + ocsf.actor.process.file.version: - description: "The file version. For example: 8.0.7601.17514." + description: 'The file version. For example: 8.0.7601.17514.' 
name: ocsf.actor.process.file.version type: keyword + ocsf.actor.process.file.xattributes: - description: - An unordered collection of zero or more name/value pairs where each + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. name: ocsf.actor.process.file.xattributes type: keyword + ocsf.actor.process.group.desc: description: The group description. name: ocsf.actor.process.group.desc type: keyword + ocsf.actor.process.group.privileges: description: The group privileges. name: ocsf.actor.process.group.privileges type: keyword + ocsf.actor.process.group.type: description: The type of the group or account. name: ocsf.actor.process.group.type type: keyword + ocsf.actor.process.integrity: - description: - The process integrity level, normalized to the caption of the direction_id + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). name: ocsf.actor.process.integrity type: keyword + ocsf.actor.process.integrity_id: description: The normalized identifier of the process integrity level (Windows only). name: ocsf.actor.process.integrity_id type: keyword + ocsf.actor.process.lineage: - description: - "The lineage of the process, represented by a list of paths for each - ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']." + description: 'The lineage of the process, represented by a list of paths for each + ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' name: ocsf.actor.process.lineage type: keyword + ocsf.actor.process.loaded_modules: description: The list of loaded module names. 
name: ocsf.actor.process.loaded_modules type: keyword + ocsf.actor.process.namespace_pid: - description: - If running under a process namespace (such as in a container), the + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. name: ocsf.actor.process.namespace_pid type: long + ocsf.actor.process.parent_process.auid: description: The audit user assigned at login by the audit subsystem. name: ocsf.actor.process.parent_process.auid type: keyword + ocsf.actor.process.parent_process.container.hash.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.actor.process.parent_process.container.hash.algorithm type: keyword + ocsf.actor.process.parent_process.container.hash.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. name: ocsf.actor.process.parent_process.container.hash.algorithm_id type: keyword + ocsf.actor.process.parent_process.container.hash.value: description: The digital fingerprint value. name: ocsf.actor.process.parent_process.container.hash.value type: keyword + ocsf.actor.process.parent_process.container.image.labels: description: The image labels. name: ocsf.actor.process.parent_process.container.image.labels type: keyword + ocsf.actor.process.parent_process.container.image.name: description: The image name. name: ocsf.actor.process.parent_process.container.image.name type: keyword + ocsf.actor.process.parent_process.container.image.path: description: The full path to the image file. 
name: ocsf.actor.process.parent_process.container.image.path type: keyword + ocsf.actor.process.parent_process.container.image.tag: description: The tag used by the container. It can indicate version, format, OS. name: ocsf.actor.process.parent_process.container.image.tag type: keyword + ocsf.actor.process.parent_process.container.image.uid: description: The unique image ID. name: ocsf.actor.process.parent_process.container.image.uid type: keyword + ocsf.actor.process.parent_process.container.name: description: The container name. name: ocsf.actor.process.parent_process.container.name type: keyword + ocsf.actor.process.parent_process.container.network_driver: - description: - The network driver used by the container. For example, bridge, overlay, + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. name: ocsf.actor.process.parent_process.container.network_driver type: keyword + ocsf.actor.process.parent_process.container.orchestrator: - description: - The orchestrator managing the container, such as ECS, EKS, K8s, or + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. name: ocsf.actor.process.parent_process.container.orchestrator type: keyword + ocsf.actor.process.parent_process.container.pod_uuid: - description: - The unique identifier of the pod (or equivalent) that the container + description: The unique identifier of the pod (or equivalent) that the container is executing on. name: ocsf.actor.process.parent_process.container.pod_uuid type: keyword + ocsf.actor.process.parent_process.container.runtime: description: The backend running the container, such as containerd or cri-o. name: ocsf.actor.process.parent_process.container.runtime type: keyword + ocsf.actor.process.parent_process.container.size: description: The size of the container image. 
name: ocsf.actor.process.parent_process.container.size type: long + ocsf.actor.process.parent_process.container.tag: description: The tag used by the container. It can indicate version, format, OS. name: ocsf.actor.process.parent_process.container.tag type: keyword + ocsf.actor.process.parent_process.container.uid: - description: - The full container unique identifier for this instantiation of the + description: The full container unique identifier for this instantiation of the container. name: ocsf.actor.process.parent_process.container.uid type: keyword + ocsf.actor.process.parent_process.created_time_dt: description: The time when the process was created/started. name: ocsf.actor.process.parent_process.created_time_dt type: date + ocsf.actor.process.parent_process.file.accessed_time: description: The time when the file was last accessed. name: ocsf.actor.process.parent_process.file.accessed_time type: date + ocsf.actor.process.parent_process.file.accessed_time_dt: description: The time when the file was last accessed. name: ocsf.actor.process.parent_process.file.accessed_time_dt type: date + ocsf.actor.process.parent_process.file.accessor.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.actor.process.parent_process.file.accessor.account.name type: keyword + ocsf.actor.process.parent_process.file.accessor.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.actor.process.parent_process.file.accessor.account.type type: keyword + ocsf.actor.process.parent_process.file.accessor.account.type_id: description: The normalized account type identifier. 
name: ocsf.actor.process.parent_process.file.accessor.account.type_id type: keyword + ocsf.actor.process.parent_process.file.accessor.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.actor.process.parent_process.file.accessor.account.uid type: keyword + ocsf.actor.process.parent_process.file.accessor.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.actor.process.parent_process.file.accessor.credential_uid type: keyword + ocsf.actor.process.parent_process.file.accessor.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.actor.process.parent_process.file.accessor.domain type: keyword + ocsf.actor.process.parent_process.file.accessor.email_addr: description: The user's email address. name: ocsf.actor.process.parent_process.file.accessor.email_addr type: keyword + ocsf.actor.process.parent_process.file.accessor.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.actor.process.parent_process.file.accessor.full_name type: keyword + ocsf.actor.process.parent_process.file.accessor.groups.desc: description: The group description. name: ocsf.actor.process.parent_process.file.accessor.groups.desc type: keyword + ocsf.actor.process.parent_process.file.accessor.groups.name: description: The group name. name: ocsf.actor.process.parent_process.file.accessor.groups.name type: keyword + ocsf.actor.process.parent_process.file.accessor.groups.privileges: description: The group privileges. 
name: ocsf.actor.process.parent_process.file.accessor.groups.privileges type: keyword + ocsf.actor.process.parent_process.file.accessor.groups.type: description: The type of the group or account. name: ocsf.actor.process.parent_process.file.accessor.groups.type type: keyword + ocsf.actor.process.parent_process.file.accessor.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.actor.process.parent_process.file.accessor.groups.uid type: keyword + ocsf.actor.process.parent_process.file.accessor.name: description: The username. For example, janedoe1. name: ocsf.actor.process.parent_process.file.accessor.name type: keyword + ocsf.actor.process.parent_process.file.accessor.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.actor.process.parent_process.file.accessor.org.name type: keyword + ocsf.actor.process.parent_process.file.accessor.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.actor.process.parent_process.file.accessor.org.ou_name type: keyword + ocsf.actor.process.parent_process.file.accessor.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.actor.process.parent_process.file.accessor.org.ou_uid type: keyword + ocsf.actor.process.parent_process.file.accessor.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
name: ocsf.actor.process.parent_process.file.accessor.org.uid type: keyword + ocsf.actor.process.parent_process.file.accessor.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.actor.process.parent_process.file.accessor.type type: keyword + ocsf.actor.process.parent_process.file.accessor.type_id: description: The account type identifier. name: ocsf.actor.process.parent_process.file.accessor.type_id type: keyword + ocsf.actor.process.parent_process.file.accessor.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. name: ocsf.actor.process.parent_process.file.accessor.uid type: keyword + ocsf.actor.process.parent_process.file.accessor.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.actor.process.parent_process.file.accessor.uid_alt type: keyword + ocsf.actor.process.parent_process.file.attributes: description: The Bitmask value that represents the file attributes. name: ocsf.actor.process.parent_process.file.attributes type: long + ocsf.actor.process.parent_process.file.company_name: - description: - "The name of the company that published the file. For example: Microsoft - Corporation." + description: 'The name of the company that published the file. For example: Microsoft + Corporation.' name: ocsf.actor.process.parent_process.file.company_name type: keyword + ocsf.actor.process.parent_process.file.confidentiality: - description: - The file content confidentiality, normalized to the confidentiality_id + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. 
name: ocsf.actor.process.parent_process.file.confidentiality type: keyword + ocsf.actor.process.parent_process.file.confidentiality_id: description: The normalized identifier of the file content confidentiality indicator. name: ocsf.actor.process.parent_process.file.confidentiality_id type: keyword + ocsf.actor.process.parent_process.file.created_time: description: The time when the file was created. name: ocsf.actor.process.parent_process.file.created_time type: date + ocsf.actor.process.parent_process.file.created_time_dt: description: The time when the file was created. name: ocsf.actor.process.parent_process.file.created_time_dt type: date + ocsf.actor.process.parent_process.file.creator.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.actor.process.parent_process.file.creator.account.name type: keyword + ocsf.actor.process.parent_process.file.creator.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.actor.process.parent_process.file.creator.account.type type: keyword + ocsf.actor.process.parent_process.file.creator.account.type_id: description: The normalized account type identifier. name: ocsf.actor.process.parent_process.file.creator.account.type_id type: keyword + ocsf.actor.process.parent_process.file.creator.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.actor.process.parent_process.file.creator.account.uid type: keyword + ocsf.actor.process.parent_process.file.creator.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
name: ocsf.actor.process.parent_process.file.creator.credential_uid type: keyword + ocsf.actor.process.parent_process.file.creator.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.actor.process.parent_process.file.creator.domain type: keyword + ocsf.actor.process.parent_process.file.creator.email_addr: description: The user's email address. name: ocsf.actor.process.parent_process.file.creator.email_addr type: keyword + ocsf.actor.process.parent_process.file.creator.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.actor.process.parent_process.file.creator.full_name type: keyword + ocsf.actor.process.parent_process.file.creator.groups.desc: description: The group description. name: ocsf.actor.process.parent_process.file.creator.groups.desc type: keyword + ocsf.actor.process.parent_process.file.creator.groups.name: description: The group name. name: ocsf.actor.process.parent_process.file.creator.groups.name type: keyword + ocsf.actor.process.parent_process.file.creator.groups.privileges: description: The group privileges. name: ocsf.actor.process.parent_process.file.creator.groups.privileges type: keyword + ocsf.actor.process.parent_process.file.creator.groups.type: description: The type of the group or account. name: ocsf.actor.process.parent_process.file.creator.groups.type type: keyword + ocsf.actor.process.parent_process.file.creator.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. 
name: ocsf.actor.process.parent_process.file.creator.groups.uid type: keyword + ocsf.actor.process.parent_process.file.creator.name: description: The name of the city. name: ocsf.actor.process.parent_process.file.creator.name type: keyword + ocsf.actor.process.parent_process.file.creator.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.actor.process.parent_process.file.creator.org.name type: keyword + ocsf.actor.process.parent_process.file.creator.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.actor.process.parent_process.file.creator.org.ou_name type: keyword + ocsf.actor.process.parent_process.file.creator.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.actor.process.parent_process.file.creator.org.ou_uid type: keyword + ocsf.actor.process.parent_process.file.creator.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.actor.process.parent_process.file.creator.org.uid type: keyword + ocsf.actor.process.parent_process.file.creator.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.actor.process.parent_process.file.creator.type type: keyword + ocsf.actor.process.parent_process.file.creator.type_id: description: The account type identifier. name: ocsf.actor.process.parent_process.file.creator.type_id type: keyword + ocsf.actor.process.parent_process.file.creator.uid: - description: - The unique user identifier. 
For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. name: ocsf.actor.process.parent_process.file.creator.uid type: keyword + ocsf.actor.process.parent_process.file.creator.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.actor.process.parent_process.file.creator.uid_alt type: keyword + ocsf.actor.process.parent_process.file.desc: - description: - "The description of the file, as returned by file system. For example: - the description as returned by the Unix file command or the Windows file type." + description: 'The description of the file, as returned by file system. For example: + the description as returned by the Unix file command or the Windows file type.' name: ocsf.actor.process.parent_process.file.desc type: keyword + ocsf.actor.process.parent_process.file.is_system: description: The indication of whether the object is part of the operating system. name: ocsf.actor.process.parent_process.file.is_system type: boolean + ocsf.actor.process.parent_process.file.mime_type: - description: - The Multipurpose Internet Mail Extensions (MIME) type of the file, + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. name: ocsf.actor.process.parent_process.file.mime_type type: keyword + ocsf.actor.process.parent_process.file.modified_time: description: The time when the file was last modified. name: ocsf.actor.process.parent_process.file.modified_time type: date + ocsf.actor.process.parent_process.file.modified_time_dt: description: The time when the file was last modified. 
name: ocsf.actor.process.parent_process.file.modified_time_dt type: date + ocsf.actor.process.parent_process.file.modifier.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.actor.process.parent_process.file.modifier.account.name type: keyword + ocsf.actor.process.parent_process.file.modifier.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.actor.process.parent_process.file.modifier.account.type type: keyword + ocsf.actor.process.parent_process.file.modifier.account.type_id: description: The normalized account type identifier. name: ocsf.actor.process.parent_process.file.modifier.account.type_id type: keyword + ocsf.actor.process.parent_process.file.modifier.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.actor.process.parent_process.file.modifier.account.uid type: keyword + ocsf.actor.process.parent_process.file.modifier.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.actor.process.parent_process.file.modifier.credential_uid type: keyword + ocsf.actor.process.parent_process.file.modifier.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.actor.process.parent_process.file.modifier.domain type: keyword + ocsf.actor.process.parent_process.file.modifier.email_addr: - description: "The image name. For example: elixir." + description: 'The image name. For example: elixir.' 
name: ocsf.actor.process.parent_process.file.modifier.email_addr type: keyword + ocsf.actor.process.parent_process.file.modifier.full_name: description: The user's email address. name: ocsf.actor.process.parent_process.file.modifier.full_name type: keyword + ocsf.actor.process.parent_process.file.modifier.groups.desc: description: The group description. name: ocsf.actor.process.parent_process.file.modifier.groups.desc type: keyword + ocsf.actor.process.parent_process.file.modifier.groups.name: description: The group name. name: ocsf.actor.process.parent_process.file.modifier.groups.name type: keyword + ocsf.actor.process.parent_process.file.modifier.groups.privileges: description: The group privileges. name: ocsf.actor.process.parent_process.file.modifier.groups.privileges type: keyword + ocsf.actor.process.parent_process.file.modifier.groups.type: description: The type of the group or account. name: ocsf.actor.process.parent_process.file.modifier.groups.type type: keyword + ocsf.actor.process.parent_process.file.modifier.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.actor.process.parent_process.file.modifier.groups.uid type: keyword + ocsf.actor.process.parent_process.file.modifier.name: description: The username. For example, janedoe1. name: ocsf.actor.process.parent_process.file.modifier.name type: keyword + ocsf.actor.process.parent_process.file.modifier.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.actor.process.parent_process.file.modifier.org.name type: keyword + ocsf.actor.process.parent_process.file.modifier.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. 
name: ocsf.actor.process.parent_process.file.modifier.org.ou_name type: keyword + ocsf.actor.process.parent_process.file.modifier.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.actor.process.parent_process.file.modifier.org.ou_uid type: keyword + ocsf.actor.process.parent_process.file.modifier.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.actor.process.parent_process.file.modifier.org.uid type: keyword + ocsf.actor.process.parent_process.file.modifier.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.actor.process.parent_process.file.modifier.type type: keyword + ocsf.actor.process.parent_process.file.modifier.type_id: description: The account type identifier. name: ocsf.actor.process.parent_process.file.modifier.type_id type: keyword + ocsf.actor.process.parent_process.file.modifier.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. name: ocsf.actor.process.parent_process.file.modifier.uid type: keyword + ocsf.actor.process.parent_process.file.modifier.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.actor.process.parent_process.file.modifier.uid_alt type: keyword + ocsf.actor.process.parent_process.file.name: - description: "The name of the file. For example: svchost.exe." + description: 'The name of the file. For example: svchost.exe.' 
name: ocsf.actor.process.parent_process.file.name type: keyword + ocsf.actor.process.parent_process.file.owner.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.actor.process.parent_process.file.owner.account.name type: keyword + ocsf.actor.process.parent_process.file.owner.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.actor.process.parent_process.file.owner.account.type type: keyword + ocsf.actor.process.parent_process.file.owner.account.type_id: description: The normalized account type identifier. name: ocsf.actor.process.parent_process.file.owner.account.type_id type: keyword + ocsf.actor.process.parent_process.file.owner.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.actor.process.parent_process.file.owner.account.uid type: keyword + ocsf.actor.process.parent_process.file.owner.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.actor.process.parent_process.file.owner.credential_uid type: keyword + ocsf.actor.process.parent_process.file.owner.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.actor.process.parent_process.file.owner.domain type: keyword + ocsf.actor.process.parent_process.file.owner.email_addr: description: The user's email address. 
name: ocsf.actor.process.parent_process.file.owner.email_addr type: keyword + ocsf.actor.process.parent_process.file.owner.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.actor.process.parent_process.file.owner.full_name type: keyword + ocsf.actor.process.parent_process.file.owner.groups.desc: description: The group description. name: ocsf.actor.process.parent_process.file.owner.groups.desc type: keyword + ocsf.actor.process.parent_process.file.owner.groups.name: description: The group name. name: ocsf.actor.process.parent_process.file.owner.groups.name type: keyword + ocsf.actor.process.parent_process.file.owner.groups.privileges: description: The group privileges. name: ocsf.actor.process.parent_process.file.owner.groups.privileges type: keyword + ocsf.actor.process.parent_process.file.owner.groups.type: description: The type of the group or account. name: ocsf.actor.process.parent_process.file.owner.groups.type type: keyword + ocsf.actor.process.parent_process.file.owner.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.actor.process.parent_process.file.owner.groups.uid type: keyword + ocsf.actor.process.parent_process.file.owner.name: description: The username. For example, janedoe1. name: ocsf.actor.process.parent_process.file.owner.name type: keyword + ocsf.actor.process.parent_process.file.owner.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.actor.process.parent_process.file.owner.org.name type: keyword + ocsf.actor.process.parent_process.file.owner.org.ou_name: - description: - The name of the organizational unit, within an organization. 
For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.actor.process.parent_process.file.owner.org.ou_name type: keyword + ocsf.actor.process.parent_process.file.owner.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.actor.process.parent_process.file.owner.org.ou_uid type: keyword + ocsf.actor.process.parent_process.file.owner.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.actor.process.parent_process.file.owner.org.uid type: keyword + ocsf.actor.process.parent_process.file.owner.type: - description: - The event occurred on a personal device.The type of the user. For example, + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. name: ocsf.actor.process.parent_process.file.owner.type type: keyword + ocsf.actor.process.parent_process.file.owner.type_id: description: The account type identifier. name: ocsf.actor.process.parent_process.file.owner.type_id type: keyword + ocsf.actor.process.parent_process.file.owner.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. name: ocsf.actor.process.parent_process.file.owner.uid type: keyword + ocsf.actor.process.parent_process.file.owner.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
name: ocsf.actor.process.parent_process.file.owner.uid_alt type: keyword + ocsf.actor.process.parent_process.file.parent_folder: description: 'The parent folder in which the file resides. For example: c:\windows\system32.' name: ocsf.actor.process.parent_process.file.parent_folder type: keyword + ocsf.actor.process.parent_process.file.path: description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' name: ocsf.actor.process.parent_process.file.path type: keyword + ocsf.actor.process.parent_process.file.product.feature.name: description: The name of the feature. name: ocsf.actor.process.parent_process.file.product.feature.name type: keyword + ocsf.actor.process.parent_process.file.product.feature.uid: description: The unique identifier of the feature. name: ocsf.actor.process.parent_process.file.product.feature.uid type: keyword + ocsf.actor.process.parent_process.file.product.feature.version: description: The version of the feature. name: ocsf.actor.process.parent_process.file.product.feature.version type: keyword + ocsf.actor.process.parent_process.file.product.lang: - description: - "The two letter lower case language codes, as defined by ISO 639-1. - For example: en (English), de (German), or fr (French)." + description: 'The two letter lower case language codes, as defined by ISO 639-1. + For example: en (English), de (German), or fr (French).' name: ocsf.actor.process.parent_process.file.product.lang type: keyword + ocsf.actor.process.parent_process.file.product.name: description: The name of the feature. name: ocsf.actor.process.parent_process.file.product.name type: keyword + ocsf.actor.process.parent_process.file.product.path: description: The installation path of the product. name: ocsf.actor.process.parent_process.file.product.path type: keyword + ocsf.actor.process.parent_process.file.product.uid: description: The unique identifier of the feature. 
name: ocsf.actor.process.parent_process.file.product.uid type: keyword + ocsf.actor.process.parent_process.file.product.url_string: description: The URL pointing towards the product. name: ocsf.actor.process.parent_process.file.product.url_string type: keyword + ocsf.actor.process.parent_process.file.product.vendor_name: description: The name of the vendor of the product. name: ocsf.actor.process.parent_process.file.product.vendor_name type: keyword + ocsf.actor.process.parent_process.file.product.version: - description: - "The version of the product, as defined by the event source. For example: - 2013.1.3-beta." + description: 'The version of the product, as defined by the event source. For example: + 2013.1.3-beta.' name: ocsf.actor.process.parent_process.file.product.version type: keyword + ocsf.actor.process.parent_process.file.security_descriptor: description: The object security descriptor. name: ocsf.actor.process.parent_process.file.security_descriptor type: keyword + ocsf.actor.process.parent_process.file.signature.algorithm: - description: - The digital signature algorithm used to create the signature, normalized + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.actor.process.parent_process.file.signature.algorithm type: keyword + ocsf.actor.process.parent_process.file.signature.algorithm_id: description: The identifier of the normalized digital signature algorithm. name: ocsf.actor.process.parent_process.file.signature.algorithm_id type: keyword + ocsf.actor.process.parent_process.file.signature.certificate.created_time: description: The time when the certificate was created. name: ocsf.actor.process.parent_process.file.signature.certificate.created_time type: date + ocsf.actor.process.parent_process.file.signature.certificate.created_time_dt: description: The time when the certificate was created. 
name: ocsf.actor.process.parent_process.file.signature.certificate.created_time_dt type: date + ocsf.actor.process.parent_process.file.signature.certificate.expiration_time: description: The expiration time of the certificate. name: ocsf.actor.process.parent_process.file.signature.certificate.expiration_time type: date + ocsf.actor.process.parent_process.file.signature.certificate.expiration_time_dt: description: The expiration time of the certificate. name: ocsf.actor.process.parent_process.file.signature.certificate.expiration_time_dt type: date + ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm type: keyword + ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. name: ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm_id type: keyword + ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.value: description: The digital fingerprint value. name: ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.value type: keyword + ocsf.actor.process.parent_process.file.signature.certificate.issuer: description: The certificate issuer distinguished name. 
name: ocsf.actor.process.parent_process.file.signature.certificate.issuer type: keyword + ocsf.actor.process.parent_process.file.signature.certificate.serial_number: description: The serial number of the certificate used to create the digital signature. name: ocsf.actor.process.parent_process.file.signature.certificate.serial_number type: keyword + ocsf.actor.process.parent_process.file.signature.certificate.subject: description: The certificate subject distinguished name. name: ocsf.actor.process.parent_process.file.signature.certificate.subject type: keyword + ocsf.actor.process.parent_process.file.signature.certificate.version: description: The certificate version. name: ocsf.actor.process.parent_process.file.signature.certificate.version type: keyword + ocsf.actor.process.parent_process.file.signature.created_time: description: The time when the digital signature was created. name: ocsf.actor.process.parent_process.file.signature.created_time type: date + ocsf.actor.process.parent_process.file.signature.created_time_dt: description: The time when the digital signature was created. name: ocsf.actor.process.parent_process.file.signature.created_time_dt type: date + ocsf.actor.process.parent_process.file.signature.developer_uid: description: The developer ID on the certificate that signed the file. name: ocsf.actor.process.parent_process.file.signature.developer_uid type: keyword + ocsf.actor.process.parent_process.file.signature.digest.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
name: ocsf.actor.process.parent_process.file.signature.digest.algorithm type: keyword + ocsf.actor.process.parent_process.file.signature.digest.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. name: ocsf.actor.process.parent_process.file.signature.digest.algorithm_id type: keyword + ocsf.actor.process.parent_process.file.signature.digest.value: description: The digital fingerprint value. name: ocsf.actor.process.parent_process.file.signature.digest.value type: keyword + ocsf.actor.process.parent_process.file.size: description: The size of data, in bytes. name: ocsf.actor.process.parent_process.file.size type: long + ocsf.actor.process.parent_process.file.type: description: The file type. name: ocsf.actor.process.parent_process.file.type type: keyword + ocsf.actor.process.parent_process.file.type_id: description: The file type ID. name: ocsf.actor.process.parent_process.file.type_id type: keyword + ocsf.actor.process.parent_process.file.uid: - description: - The unique identifier of the file as defined by the storage system, + description: The unique identifier of the file as defined by the storage system, such the file system file ID. name: ocsf.actor.process.parent_process.file.uid type: keyword + ocsf.actor.process.parent_process.file.version: - description: "The file version. For example: 8.0.7601.17514." + description: 'The file version. For example: 8.0.7601.17514.' name: ocsf.actor.process.parent_process.file.version type: keyword + ocsf.actor.process.parent_process.file.xattributes: - description: - An unordered collection of zero or more name/value pairs where each + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. 
name: ocsf.actor.process.parent_process.file.xattributes type: keyword + ocsf.actor.process.parent_process.group.desc: description: The group description. name: ocsf.actor.process.parent_process.group.desc type: keyword + ocsf.actor.process.parent_process.group.privileges: description: The group privileges. name: ocsf.actor.process.parent_process.group.privileges type: keyword + ocsf.actor.process.parent_process.group.type: description: The type of the group or account. name: ocsf.actor.process.parent_process.group.type type: keyword + ocsf.actor.process.parent_process.integrity: - description: - The process integrity level, normalized to the caption of the direction_id + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). name: ocsf.actor.process.parent_process.integrity type: keyword + ocsf.actor.process.parent_process.integrity_id: description: The normalized identifier of the process integrity level (Windows only). name: ocsf.actor.process.parent_process.integrity_id type: keyword + ocsf.actor.process.parent_process.lineage: - description: - "The lineage of the process, represented by a list of paths for each - ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']." + description: 'The lineage of the process, represented by a list of paths for each + ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' name: ocsf.actor.process.parent_process.lineage type: keyword + ocsf.actor.process.parent_process.loaded_modules: description: The list of loaded module names. 
name: ocsf.actor.process.parent_process.loaded_modules type: keyword + ocsf.actor.process.parent_process.namespace_pid: - description: - If running under a process namespace (such as in a container), the + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. name: ocsf.actor.process.parent_process.namespace_pid type: long + ocsf.actor.process.parent_process.parent_process: - description: - The parent process of this process object. It is recommended to only + description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. name: ocsf.actor.process.parent_process.parent_process type: keyword + ocsf.actor.process.parent_process.parent_process_keyword: - description: "" + description: '' name: ocsf.actor.process.parent_process.parent_process_keyword type: keyword + ocsf.actor.process.parent_process.sandbox: - description: - The name of the containment jail (i.e., sandbox). For example, hardened_ps, + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. name: ocsf.actor.process.parent_process.sandbox type: keyword + ocsf.actor.process.parent_process.session.created_time: description: The time when the session was created. name: ocsf.actor.process.parent_process.session.created_time type: date + ocsf.actor.process.parent_process.session.created_time_dt: description: The time when the session was created. name: ocsf.actor.process.parent_process.session.created_time_dt type: date + ocsf.actor.process.parent_process.session.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
name: ocsf.actor.process.parent_process.session.credential_uid type: keyword + ocsf.actor.process.parent_process.session.expiration_time: description: The session expiration time. name: ocsf.actor.process.parent_process.session.expiration_time type: date + ocsf.actor.process.parent_process.session.expiration_time_dt: description: The session expiration time. name: ocsf.actor.process.parent_process.session.expiration_time_dt type: date + ocsf.actor.process.parent_process.session.is_remote: description: The indication of whether the session is remote. name: ocsf.actor.process.parent_process.session.is_remote type: boolean + ocsf.actor.process.parent_process.session.issuer: description: The identifier of the session issuer. name: ocsf.actor.process.parent_process.session.issuer type: keyword + ocsf.actor.process.parent_process.session.mfa: - description: "" + description: '' name: ocsf.actor.process.parent_process.session.mfa type: boolean + ocsf.actor.process.parent_process.session.uid: description: The unique identifier of the session. name: ocsf.actor.process.parent_process.session.uid type: keyword + ocsf.actor.process.parent_process.session.uuid: description: The universally unique identifier of the session. name: ocsf.actor.process.parent_process.session.uuid type: keyword + ocsf.actor.process.parent_process.terminated_time_dt: description: The time when the process was terminated. name: ocsf.actor.process.parent_process.terminated_time_dt type: date + ocsf.actor.process.parent_process.user.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.actor.process.parent_process.user.account.name type: keyword + ocsf.actor.process.parent_process.user.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
name: ocsf.actor.process.parent_process.user.account.type type: keyword + ocsf.actor.process.parent_process.user.account.type_id: description: The normalized account type identifier. name: ocsf.actor.process.parent_process.user.account.type_id type: keyword + ocsf.actor.process.parent_process.user.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.actor.process.parent_process.user.account.uid type: keyword + ocsf.actor.process.parent_process.user.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.actor.process.parent_process.user.credential_uid type: keyword + ocsf.actor.process.parent_process.user.groups.desc: description: The group description. name: ocsf.actor.process.parent_process.user.groups.desc type: keyword + ocsf.actor.process.parent_process.user.groups.name: description: The group name. name: ocsf.actor.process.parent_process.user.groups.name type: keyword + ocsf.actor.process.parent_process.user.groups.privileges: description: The group privileges. name: ocsf.actor.process.parent_process.user.groups.privileges type: keyword + ocsf.actor.process.parent_process.user.groups.type: description: The type of the group or account. name: ocsf.actor.process.parent_process.user.groups.type type: keyword + ocsf.actor.process.parent_process.user.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.actor.process.parent_process.user.groups.uid type: keyword + ocsf.actor.process.parent_process.user.org.name: description: The name of the organization. For example, Widget, Inc. 
name: ocsf.actor.process.parent_process.user.org.name type: keyword + ocsf.actor.process.parent_process.user.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.actor.process.parent_process.user.org.ou_name type: keyword + ocsf.actor.process.parent_process.user.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.actor.process.parent_process.user.org.ou_uid type: keyword + ocsf.actor.process.parent_process.user.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.actor.process.parent_process.user.org.uid type: keyword + ocsf.actor.process.parent_process.user.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.actor.process.parent_process.user.type type: keyword + ocsf.actor.process.parent_process.user.type_id: description: The account type identifier. name: ocsf.actor.process.parent_process.user.type_id type: keyword + ocsf.actor.process.parent_process.user.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.actor.process.parent_process.user.uid_alt type: keyword + ocsf.actor.process.parent_process.xattributes: - description: - An unordered collection of zero or more name/value pairs that represent + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. 
name: ocsf.actor.process.parent_process.xattributes type: keyword + ocsf.actor.process.sandbox: - description: - The name of the containment jail (i.e., sandbox). For example, hardened_ps, + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. name: ocsf.actor.process.sandbox type: keyword + ocsf.actor.process.session.created_time: description: The time when the session was created. name: ocsf.actor.process.session.created_time type: date + ocsf.actor.process.session.created_time_dt: description: The time when the session was created. name: ocsf.actor.process.session.created_time_dt type: date + ocsf.actor.process.session.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.actor.process.session.credential_uid type: keyword + ocsf.actor.process.session.expiration_time: description: The session expiration time. name: ocsf.actor.process.session.expiration_time type: date + ocsf.actor.process.session.expiration_time_dt: description: The session expiration time. name: ocsf.actor.process.session.expiration_time_dt type: date + ocsf.actor.process.session.is_remote: description: The indication of whether the session is remote. name: ocsf.actor.process.session.is_remote type: boolean + ocsf.actor.process.session.issuer: description: The identifier of the session issuer. name: ocsf.actor.process.session.issuer type: keyword + ocsf.actor.process.session.mfa: - description: "" + description: '' name: ocsf.actor.process.session.mfa type: boolean + ocsf.actor.process.session.uid: description: The unique identifier of the session. name: ocsf.actor.process.session.uid type: keyword + ocsf.actor.process.session.uuid: description: The universally unique identifier of the session. 
name: ocsf.actor.process.session.uuid type: keyword + ocsf.actor.process.terminated_time_dt: description: The time when the process was terminated. name: ocsf.actor.process.terminated_time_dt type: date + ocsf.actor.process.user.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.actor.process.user.account.name type: keyword + ocsf.actor.process.user.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.actor.process.user.account.type type: keyword + ocsf.actor.process.user.account.type_id: description: The normalized account type identifier. name: ocsf.actor.process.user.account.type_id type: keyword + ocsf.actor.process.user.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.actor.process.user.account.uid type: keyword + ocsf.actor.process.user.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.actor.process.user.credential_uid type: keyword + ocsf.actor.process.user.groups.desc: description: The group description. name: ocsf.actor.process.user.groups.desc type: keyword + ocsf.actor.process.user.groups.name: description: The group name. name: ocsf.actor.process.user.groups.name type: keyword + ocsf.actor.process.user.groups.privileges: description: The group privileges. name: ocsf.actor.process.user.groups.privileges type: keyword + ocsf.actor.process.user.groups.type: description: The type of the group or account. name: ocsf.actor.process.user.groups.type type: keyword + ocsf.actor.process.user.groups.uid: - description: - The unique identifier of the group. 
For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.actor.process.user.groups.uid type: keyword + ocsf.actor.process.user.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.actor.process.user.org.name type: keyword + ocsf.actor.process.user.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.actor.process.user.org.ou_name type: keyword + ocsf.actor.process.user.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.actor.process.user.org.ou_uid type: keyword + ocsf.actor.process.user.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.actor.process.user.org.uid type: keyword + ocsf.actor.process.user.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.actor.process.user.type type: keyword + ocsf.actor.process.user.type_id: description: The account type identifier. name: ocsf.actor.process.user.type_id type: keyword + ocsf.actor.process.user.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
name: ocsf.actor.process.user.uid_alt type: keyword + ocsf.actor.process.xattributes: - description: - An unordered collection of zero or more name/value pairs that represent + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. name: ocsf.actor.process.xattributes type: keyword + ocsf.actor.session.created_time: description: The time when the session was created. name: ocsf.actor.session.created_time type: date + ocsf.actor.session.created_time_dt: description: The time when the session was created. name: ocsf.actor.session.created_time_dt type: date + ocsf.actor.session.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.actor.session.credential_uid type: keyword + ocsf.actor.session.expiration_time: description: The session expiration time. name: ocsf.actor.session.expiration_time type: date + ocsf.actor.session.expiration_time_dt: description: The session expiration time. name: ocsf.actor.session.expiration_time_dt type: date + ocsf.actor.session.is_remote: description: The indication of whether the session is remote. name: ocsf.actor.session.is_remote type: boolean + ocsf.actor.session.issuer: description: The identifier of the session issuer. name: ocsf.actor.session.issuer type: keyword + ocsf.actor.session.mfa: - description: "" + description: '' name: ocsf.actor.session.mfa type: boolean + ocsf.actor.session.uid: description: The unique identifier of the session. name: ocsf.actor.session.uid type: keyword + ocsf.actor.session.uuid: description: The universally unique identifier of the session. name: ocsf.actor.session.uuid type: keyword + ocsf.actor.user.account.name: description: The name of the account (e.g. GCP Account Name). 
name: ocsf.actor.user.account.name type: keyword + ocsf.actor.user.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.actor.user.account.type type: keyword + ocsf.actor.user.account.type_id: description: The normalized account type identifier. name: ocsf.actor.user.account.type_id type: keyword + ocsf.actor.user.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.actor.user.account.uid type: keyword + ocsf.actor.user.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.actor.user.credential_uid type: keyword + ocsf.actor.user.groups.desc: description: The group description. name: ocsf.actor.user.groups.desc type: keyword + ocsf.actor.user.groups.name: description: The group name. name: ocsf.actor.user.groups.name type: keyword + ocsf.actor.user.groups.privileges: description: The group privileges. name: ocsf.actor.user.groups.privileges type: keyword + ocsf.actor.user.groups.type: description: The type of the group or account. name: ocsf.actor.user.groups.type type: keyword + ocsf.actor.user.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.actor.user.groups.uid type: keyword + ocsf.actor.user.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.actor.user.org.name type: keyword + ocsf.actor.user.org.ou_name: - description: - The name of the organizational unit, within an organization. 
For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.actor.user.org.ou_name type: keyword + ocsf.actor.user.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.actor.user.org.ou_uid type: keyword + ocsf.actor.user.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.actor.user.org.uid type: keyword + ocsf.actor.user.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.actor.user.type type: keyword + ocsf.actor.user.type_id: description: The account type identifier. name: ocsf.actor.user.type_id type: keyword + ocsf.actor.user.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.actor.user.uid_alt type: keyword + ocsf.actual_permissions: description: The permissions that were granted to the in a platform-native format. name: ocsf.actual_permissions type: long + ocsf.analytic.category: description: The analytic category. name: ocsf.analytic.category type: keyword + ocsf.analytic.desc: description: The description of the analytic that generated the finding. name: ocsf.analytic.desc type: keyword + ocsf.analytic.name: description: The name of the analytic that generated the finding. name: ocsf.analytic.name type: keyword + ocsf.analytic.related_analytics.category: description: The analytic category. 
name: ocsf.analytic.related_analytics.category type: keyword + ocsf.analytic.related_analytics.desc: description: The description of the analytic that generated the finding. name: ocsf.analytic.related_analytics.desc type: keyword + ocsf.analytic.related_analytics.name: description: The name of the analytic that generated the finding. name: ocsf.analytic.related_analytics.name type: keyword + ocsf.analytic.related_analytics.related_analytics: - description: "" + description: '' name: ocsf.analytic.related_analytics.related_analytics type: keyword + ocsf.analytic.related_analytics.type: description: The analytic type. name: ocsf.analytic.related_analytics.type type: keyword + ocsf.analytic.related_analytics.type_id: description: The analytic type ID. name: ocsf.analytic.related_analytics.type_id type: keyword + ocsf.analytic.related_analytics.uid: description: The unique identifier of the analytic that generated the finding. name: ocsf.analytic.related_analytics.uid type: keyword + ocsf.analytic.related_analytics.version: - description: "The analytic version. For example: 1.1." + description: 'The analytic version. For example: 1.1.' name: ocsf.analytic.related_analytics.version type: keyword + ocsf.analytic.type: description: The analytic type. name: ocsf.analytic.type type: keyword + ocsf.analytic.type_id: description: The analytic type ID. name: ocsf.analytic.type_id type: keyword + ocsf.analytic.uid: description: The unique identifier of the analytic that generated the finding. name: ocsf.analytic.uid type: keyword + ocsf.analytic.version: - description: "The analytic version. For example: 1.1." + description: 'The analytic version. For example: 1.1.' name: ocsf.analytic.version type: keyword + ocsf.answers.class: - description: - "The class of DNS data contained in this resource record. See RFC1035. - For example: IN." + description: 'The class of DNS data contained in this resource record. See RFC1035. + For example: IN.' 
name: ocsf.answers.class type: keyword + ocsf.answers.flag_ids: description: The list of DNS answer header flag IDs. name: ocsf.answers.flag_ids type: keyword + ocsf.answers.flags: description: The list of DNS answer header flags. name: ocsf.answers.flags type: keyword + ocsf.answers.packet_uid: - description: - The DNS packet identifier assigned by the program that generated the + description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. name: ocsf.answers.packet_uid type: keyword + ocsf.answers.rdata: - description: - The data describing the DNS resource. The meaning of this data depends + description: The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record. name: ocsf.answers.rdata type: keyword + ocsf.answers.ttl: - description: - The time interval that the resource record may be cached. Zero value + description: The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached. name: ocsf.answers.ttl type: long + ocsf.answers.type: - description: - "The type of data contained in this resource record. See RFC1035. For - example: CNAME." + description: 'The type of data contained in this resource record. See RFC1035. For + example: CNAME.' name: ocsf.answers.type type: keyword + ocsf.api.operation: description: Verb/Operation associated with the request. name: ocsf.api.operation type: keyword + ocsf.api.request.flags: - description: - The list of communication flags, normalized to the captions of the + description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. name: ocsf.api.request.flags type: keyword + ocsf.api.request.uid: description: The unique request identifier. 
name: ocsf.api.request.uid type: keyword + ocsf.api.response.code: description: The numeric response sent to a request. name: ocsf.api.response.code type: long + ocsf.api.response.error: description: Error Code. name: ocsf.api.response.error type: keyword + ocsf.api.response.error_message: description: Error Message. name: ocsf.api.response.error_message type: keyword + ocsf.api.response.flags: - description: - The list of communication flags, normalized to the captions of the + description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. name: ocsf.api.response.flags type: keyword + ocsf.api.response.message: description: The description of the event, as defined by the event source. name: ocsf.api.response.message type: keyword + ocsf.api.service.labels: description: The list of labels associated with the service. name: ocsf.api.service.labels type: keyword + ocsf.api.service.name: description: The name of the service. name: ocsf.api.service.name type: keyword + ocsf.api.service.uid: description: The unique identifier of the service. name: ocsf.api.service.uid type: keyword + ocsf.api.service.version: description: The version of the service. name: ocsf.api.service.version type: keyword + ocsf.api.version: description: The version of the API service. name: ocsf.api.version type: keyword + ocsf.app.feature.name: description: The name of the feature. name: ocsf.app.feature.name type: keyword + ocsf.app.feature.uid: description: The unique identifier of the feature. name: ocsf.app.feature.uid type: keyword + ocsf.app.feature.version: description: The version of the feature. name: ocsf.app.feature.version type: keyword + ocsf.app.lang: description: The two letter lower case language codes, as defined by ISO 639-1. name: ocsf.app.lang type: keyword + ocsf.app.name: description: The CIS benchmark name. 
name: ocsf.app.name type: keyword + ocsf.app.path: description: The installation path of the product. name: ocsf.app.path type: keyword + ocsf.app.uid: description: The unique identifier of the product. name: ocsf.app.uid type: keyword + ocsf.app.url_string: description: The URL pointing towards the product. name: ocsf.app.url_string type: keyword + ocsf.app.vendor_name: description: The name of the vendor of the product. name: ocsf.app.vendor_name type: keyword + ocsf.app.version: description: The version of the product, as defined by the event source. name: ocsf.app.version type: keyword + ocsf.app_name: description: The name of the application that is associated with the event or object. name: ocsf.app_name type: keyword + ocsf.attacks.tactics.name: - description: - The tactic name that is associated with the attack technique, as defined + description: The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM. name: ocsf.attacks.tactics.name type: keyword + ocsf.attacks.tactics.uid: - description: - The tactic ID that is associated with the attack technique, as defined + description: The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM. name: ocsf.attacks.tactics.uid type: keyword + ocsf.attacks.technique.name: - description: - "The name of the attack technique, as defined by ATT&CK MatrixTM. For - example: Drive-by Compromise." + description: 'The name of the attack technique, as defined by ATT&CK MatrixTM. For + example: Drive-by Compromise.' name: ocsf.attacks.technique.name type: keyword + ocsf.attacks.technique.uid: - description: - "The unique identifier of the attack technique, as defined by ATT&CK - MatrixTM. For example: T1189." + description: 'The unique identifier of the attack technique, as defined by ATT&CK + MatrixTM. For example: T1189.' name: ocsf.attacks.technique.uid type: keyword + ocsf.attacks.version: description: The ATT&CK Matrix version. 
name: ocsf.attacks.version type: keyword + ocsf.attempt: description: The attempt number for attempting to deliver the email. name: ocsf.attempt type: long + ocsf.auth_protocol: - description: - The authentication protocol as defined by the caption of 'auth_protocol_id'. + description: The authentication protocol as defined by the caption of 'auth_protocol_id'. In the case of 'Other', it is defined by the event source. name: ocsf.auth_protocol type: keyword + ocsf.auth_protocol_id: - description: - The normalized identifier of the authentication protocol used to create + description: The normalized identifier of the authentication protocol used to create the user session. name: ocsf.auth_protocol_id type: keyword + ocsf.banner: - description: - The initial SMTP connection response that a messaging server receives + description: The initial SMTP connection response that a messaging server receives after it connects to a email server. name: ocsf.banner type: keyword + ocsf.base_address: description: The memory address that was access or requested. name: ocsf.base_address type: keyword + ocsf.capabilities: description: A list of RDP capabilities. name: ocsf.capabilities type: keyword + ocsf.category_name: - description: - "The event category name, as defined by category_uid value: Identity - & Access Management." + description: 'The event category name, as defined by category_uid value: Identity + & Access Management.' name: ocsf.category_name type: keyword + ocsf.category_uid: - description: - The category unique identifier of the event.3 Identity & Access ManagementIdentity + description: The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc. 
name: ocsf.category_uid type: long + ocsf.certificate.created_time: description: The time when the certificate was created. name: ocsf.certificate.created_time type: date + ocsf.certificate.created_time_dt: description: The time when the certificate was created. name: ocsf.certificate.created_time_dt type: date + ocsf.certificate.expiration_time: description: The expiration time of the certificate. name: ocsf.certificate.expiration_time type: date + ocsf.certificate.expiration_time_dt: description: The expiration time of the certificate. name: ocsf.certificate.expiration_time_dt type: date + ocsf.certificate.fingerprints.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.certificate.fingerprints.algorithm type: keyword + ocsf.certificate.fingerprints.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. name: ocsf.certificate.fingerprints.algorithm_id type: keyword + ocsf.certificate.fingerprints.value: description: The digital fingerprint value. name: ocsf.certificate.fingerprints.value type: keyword + ocsf.certificate.issuer: description: The certificate issuer distinguished name. name: ocsf.certificate.issuer type: keyword + ocsf.certificate.serial_number: description: The serial number of the certificate used to create the digital signature. name: ocsf.certificate.serial_number type: keyword + ocsf.certificate.subject: description: The certificate subject distinguished name. name: ocsf.certificate.subject type: keyword + ocsf.certificate.version: description: The certificate version. 
name: ocsf.certificate.version type: keyword + ocsf.cis_benchmark_result.desc: description: The CIS benchmark description. name: ocsf.cis_benchmark_result.desc type: keyword + ocsf.cis_benchmark_result.name: description: The CIS benchmark name. name: ocsf.cis_benchmark_result.name type: keyword + ocsf.cis_benchmark_result.remediation.desc: description: The description of the remediation strategy. name: ocsf.cis_benchmark_result.remediation.desc type: keyword + ocsf.cis_benchmark_result.remediation.kb_articles: description: The KB article/s related to the entity. name: ocsf.cis_benchmark_result.remediation.kb_articles type: keyword + ocsf.cis_benchmark_result.rule.type: description: The rule type. name: ocsf.cis_benchmark_result.rule.type type: keyword + ocsf.cis_csc.control: description: The CIS critical security control. name: ocsf.cis_csc.control type: keyword + ocsf.cis_csc.version: description: The CIS critical security control version. name: ocsf.cis_csc.version type: keyword + ocsf.class_name: - description: "The event class name, as defined by class_uid value: Security Finding." + description: 'The event class name, as defined by class_uid value: Security Finding.' name: ocsf.class_name type: keyword + ocsf.class_uid: - description: - The unique identifier of a class. A Class describes the attributes + description: The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products. name: ocsf.class_uid type: long + ocsf.client_dialects: description: The list of SMB dialects that the client speaks. name: ocsf.client_dialects type: keyword + ocsf.client_hassh.algorithm: - description: - "The concatenation of key exchange, encryption, authentication and - compression algorithms (separated by ';'). NOTE: This is not the underlying - algorithm for the hash implementation." 
+ description: 'The concatenation of key exchange, encryption, authentication and + compression algorithms (separated by '';''). NOTE: This is not the underlying + algorithm for the hash implementation.' name: ocsf.client_hassh.algorithm type: keyword + ocsf.client_hassh.fingerprint.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.client_hassh.fingerprint.algorithm type: keyword + ocsf.client_hassh.fingerprint.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. name: ocsf.client_hassh.fingerprint.algorithm_id type: keyword + ocsf.client_hassh.fingerprint.value: description: The digital fingerprint value. name: ocsf.client_hassh.fingerprint.value type: keyword + ocsf.cloud.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.cloud.account.type type: keyword + ocsf.cloud.account.type_id: description: The normalized account type identifier. name: ocsf.cloud.account.type_id type: keyword + ocsf.cloud.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.cloud.org.name type: keyword + ocsf.cloud.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.cloud.org.ou_name type: keyword + ocsf.cloud.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. 
For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.cloud.org.ou_uid type: keyword + ocsf.cloud.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.cloud.org.uid type: keyword + ocsf.codes: description: The list of return codes to the FTP command. name: ocsf.codes type: long + ocsf.command: description: The command name. name: ocsf.command type: keyword + ocsf.command_responses: description: The list of responses to the FTP command. name: ocsf.command_responses type: keyword + ocsf.comment: description: The user provided comment about why the entity was changed. name: ocsf.comment type: keyword + ocsf.compliance.requirements: - description: - A list of applicable compliance requirements for which this finding + description: A list of applicable compliance requirements for which this finding is related to. name: ocsf.compliance.requirements type: keyword + ocsf.compliance.status: - description: - The event status, normalized to the caption of the status_id value. + description: The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source. name: ocsf.compliance.status type: keyword + ocsf.compliance.status_detail: - description: - The status details contains additional information about the event + description: The status details contains additional information about the event outcome. name: ocsf.compliance.status_detail type: keyword + ocsf.component: - description: - The name or relative pathname of a sub-component of the data object, + description: The name or relative pathname of a sub-component of the data object, if applicable. 
name: ocsf.component type: keyword + ocsf.confidence: - description: - The confidence, normalized to the caption of the confidence_id value. + description: The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source. name: ocsf.confidence type: keyword + ocsf.confidence_id: - description: - The normalized confidence refers to the accuracy of the rule that created + description: The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature. name: ocsf.confidence_id type: keyword + ocsf.confidence_score: description: The confidence score as reported by the event source. name: ocsf.confidence_score type: long + ocsf.connection_info.boundary: - description: - The boundary of the connection, normalized to the caption of 'boundary_id'. + description: The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source.For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. name: ocsf.connection_info.boundary type: keyword + ocsf.connection_info.boundary_id: - description: - The normalized identifier of the boundary of the connection. For cloud + description: The normalized identifier of the boundary of the connection. For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. 
name: ocsf.connection_info.boundary_id type: keyword + ocsf.connection_info.direction: - description: - The direction of the initiated connection, traffic, or email, normalized + description: The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source. name: ocsf.connection_info.direction type: keyword + ocsf.connection_info.direction_id: - description: - The normalized identifier of the direction of the initiated connection, + description: The normalized identifier of the direction of the initiated connection, traffic, or email. name: ocsf.connection_info.direction_id type: keyword + ocsf.connection_info.protocol_ver_id: description: The Internet Protocol version identifier. name: ocsf.connection_info.protocol_ver_id type: keyword + ocsf.connection_info.tcp_flags: description: The network connection TCP header flags (i.e., control bits). name: ocsf.connection_info.tcp_flags type: long + ocsf.connection_info.uid: description: The unique identifier of the connection. name: ocsf.connection_info.uid type: keyword + ocsf.connection_uid: description: The network connection identifier. name: ocsf.connection_uid type: keyword + ocsf.count: - description: - The number of times that events in the same logical group occurred + description: The number of times that events in the same logical group occurred during the event Start Time to End Time period. name: ocsf.count type: long + ocsf.create_mask: description: The original Windows mask that is required to create the object. name: ocsf.create_mask type: keyword + ocsf.data_sources: description: The data sources for the finding. name: ocsf.data_sources type: keyword + ocsf.dce_rpc.command: description: The request command (e.g. REQUEST, BIND). name: ocsf.dce_rpc.command type: keyword + ocsf.dce_rpc.command_response: description: The reply to the request command (e.g. RESPONSE, BINDACK or FAULT). 
name: ocsf.dce_rpc.command_response type: keyword + ocsf.dce_rpc.flags: description: The list of interface flags. name: ocsf.dce_rpc.flags type: keyword + ocsf.dce_rpc.opnum: - description: - An operation number used to identify a specific remote procedure call + description: An operation number used to identify a specific remote procedure call (RPC) method or a method in an interface. name: ocsf.dce_rpc.opnum type: long + ocsf.dce_rpc.rpc_interface.ack_reason: - description: - An integer that provides a reason code or additional information about + description: An integer that provides a reason code or additional information about the acknowledgment result. name: ocsf.dce_rpc.rpc_interface.ack_reason type: long + ocsf.dce_rpc.rpc_interface.ack_result: description: An integer that denotes the acknowledgment result of the DCE/RPC call. name: ocsf.dce_rpc.rpc_interface.ack_result type: long + ocsf.dce_rpc.rpc_interface.uuid: description: The unique identifier of the particular remote procedure or service. name: ocsf.dce_rpc.rpc_interface.uuid type: keyword + ocsf.dce_rpc.rpc_interface.version: description: The version of the DCE/RPC protocol being used in the session. name: ocsf.dce_rpc.rpc_interface.version type: keyword + ocsf.device.autoscale_uid: description: The unique identifier of the cloud autoscale configuration. name: ocsf.device.autoscale_uid type: keyword + ocsf.device.created_time: description: The time when the device was known to have been created. name: ocsf.device.created_time type: date + ocsf.device.created_time_dt: description: TThe time when the device was known to have been created. name: ocsf.device.created_time_dt type: date + ocsf.device.desc: - description: - The description of the device, ordinarily as reported by the operating + description: The description of the device, ordinarily as reported by the operating system. name: ocsf.device.desc type: keyword + ocsf.device.first_seen_time: description: The initial discovery time of the device. 
name: ocsf.device.first_seen_time type: date + ocsf.device.first_seen_time_dt: description: The initial discovery time of the device. name: ocsf.device.first_seen_time_dt type: date + ocsf.device.groups.desc: description: The group description. name: ocsf.device.groups.desc type: keyword + ocsf.device.groups.name: description: The group name. name: ocsf.device.groups.name type: keyword + ocsf.device.groups.privileges: description: The group privileges. name: ocsf.device.groups.privileges type: keyword + ocsf.device.groups.type: description: The type of the group or account. name: ocsf.device.groups.type type: keyword + ocsf.device.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.device.groups.uid type: keyword + ocsf.device.hw_info.bios_date: - description: "The BIOS date. For example: 03/31/16." + description: 'The BIOS date. For example: 03/31/16.' name: ocsf.device.hw_info.bios_date type: keyword + ocsf.device.hw_info.bios_manufacturer: - description: "The BIOS manufacturer. For example: LENOVO." + description: 'The BIOS manufacturer. For example: LENOVO.' name: ocsf.device.hw_info.bios_manufacturer type: keyword + ocsf.device.hw_info.bios_ver: - description: "The BIOS version. For example: LENOVO G5ETA2WW (2.62)." + description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).' name: ocsf.device.hw_info.bios_ver type: keyword + ocsf.device.hw_info.chassis: - description: - The chassis type describes the system enclosure or physical form factor. + description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. name: ocsf.device.hw_info.chassis type: keyword + ocsf.device.hw_info.cpu_bits: - description: - "The cpu architecture, the number of bits used for addressing in memory. 
- For example: 32 or 64." + description: 'The cpu architecture, the number of bits used for addressing in memory. + For example: 32 or 64.' name: ocsf.device.hw_info.cpu_bits type: long + ocsf.device.hw_info.cpu_cores: - description: - "The number of processor cores in all installed processors. For Example: - 42." + description: 'The number of processor cores in all installed processors. For Example: + 42.' name: ocsf.device.hw_info.cpu_cores type: long + ocsf.device.hw_info.cpu_count: - description: "The number of physical processors on a system. For example: 1." + description: 'The number of physical processors on a system. For example: 1.' name: ocsf.device.hw_info.cpu_count type: long + ocsf.device.hw_info.cpu_speed: - description: "The speed of the processor in Mhz. For Example: 4200." + description: 'The speed of the processor in Mhz. For Example: 4200.' name: ocsf.device.hw_info.cpu_speed type: long + ocsf.device.hw_info.cpu_type: - description: "The processor type. For example: x86 Family 6 Model 37 Stepping 5." + description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' name: ocsf.device.hw_info.cpu_type type: keyword + ocsf.device.hw_info.desktop_display.color_depth: description: The numeric color depth. name: ocsf.device.hw_info.desktop_display.color_depth type: long + ocsf.device.hw_info.desktop_display.physical_height: description: The numeric physical height of display. name: ocsf.device.hw_info.desktop_display.physical_height type: long + ocsf.device.hw_info.desktop_display.physical_orientation: description: The numeric physical orientation of display. name: ocsf.device.hw_info.desktop_display.physical_orientation type: long + ocsf.device.hw_info.desktop_display.physical_width: description: The numeric physical width of display. name: ocsf.device.hw_info.desktop_display.physical_width type: long + ocsf.device.hw_info.desktop_display.scale_factor: description: The numeric scale factor of display. 
name: ocsf.device.hw_info.desktop_display.scale_factor type: long + ocsf.device.hw_info.keyboard_info.function_keys: description: The number of function keys on client keyboard. name: ocsf.device.hw_info.keyboard_info.function_keys type: long + ocsf.device.hw_info.keyboard_info.ime: description: The Input Method Editor (IME) file name. name: ocsf.device.hw_info.keyboard_info.ime type: keyword + ocsf.device.hw_info.keyboard_info.keyboard_layout: description: The keyboard locale identifier name (e.g., en-US). name: ocsf.device.hw_info.keyboard_info.keyboard_layout type: keyword + ocsf.device.hw_info.keyboard_info.keyboard_subtype: description: The keyboard numeric code. name: ocsf.device.hw_info.keyboard_info.keyboard_subtype type: long + ocsf.device.hw_info.keyboard_info.keyboard_type: description: The keyboard type (e.g., xt, ico). name: ocsf.device.hw_info.keyboard_info.keyboard_type type: keyword + ocsf.device.hw_info.ram_size: - description: "The total amount of installed RAM, in Megabytes. For example: 2048." + description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' name: ocsf.device.hw_info.ram_size type: long + ocsf.device.hw_info.serial_number: description: The device manufacturer serial number. name: ocsf.device.hw_info.serial_number type: keyword + ocsf.device.hypervisor: - description: - The name of the hypervisor running on the device. For example, Xen, + description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. name: ocsf.device.hypervisor type: keyword + ocsf.device.image.labels: description: The image labels. name: ocsf.device.image.labels type: keyword + ocsf.device.image.name: - description: "The image name. For example: elixir." + description: 'The image name. For example: elixir.' name: ocsf.device.image.name type: keyword + ocsf.device.image.path: description: The full path to the image file. 
name: ocsf.device.image.path type: keyword + ocsf.device.image.tag: - description: "The image tag. For example: 1.11-alpine." + description: 'The image tag. For example: 1.11-alpine.' name: ocsf.device.image.tag type: keyword + ocsf.device.image.uid: - description: "The unique image ID. For example: 77af4d6b9913." + description: 'The unique image ID. For example: 77af4d6b9913.' name: ocsf.device.image.uid type: keyword + ocsf.device.imei: - description: - The International Mobile Station Equipment Identifier that is associated + description: The International Mobile Station Equipment Identifier that is associated with the device. name: ocsf.device.imei type: keyword + ocsf.device.instance_uid: description: The unique identifier of a VM instance. name: ocsf.device.instance_uid type: keyword + ocsf.device.interface_name: description: The name of the network interface (e.g. eth2). name: ocsf.device.interface_name type: keyword + ocsf.device.interface_uid: description: The unique identifier of the network interface. name: ocsf.device.interface_uid type: keyword + ocsf.device.is_compliant: description: The event occurred on a compliant device. name: ocsf.device.is_compliant type: boolean + ocsf.device.is_managed: description: The event occurred on a managed device. name: ocsf.device.is_managed type: boolean + ocsf.device.is_personal: description: The event occurred on a personal device. name: ocsf.device.is_personal type: boolean + ocsf.device.is_trusted: description: The event occurred on a trusted device. name: ocsf.device.is_trusted type: boolean + ocsf.device.last_seen_time: description: The most recent discovery time of the device. name: ocsf.device.last_seen_time type: date + ocsf.device.last_seen_time_dt: description: The most recent discovery time of the device. name: ocsf.device.last_seen_time_dt type: date + ocsf.device.location.is_on_premises: description: The indication of whether the location is on premises. 
name: ocsf.device.location.is_on_premises type: boolean + ocsf.device.location.isp: description: The name of the Internet Service Provider (ISP). name: ocsf.device.location.isp type: keyword + ocsf.device.location.provider: description: The provider of the geographical location data. name: ocsf.device.location.provider type: keyword + ocsf.device.modified_time: description: The time when the device was last known to have been modified. name: ocsf.device.modified_time type: date + ocsf.device.modified_time_dt: description: The time when the device was last known to have been modified. name: ocsf.device.modified_time_dt type: date + ocsf.device.network_interfaces.hostname: description: The hostname associated with the network interface. name: ocsf.device.network_interfaces.hostname type: keyword + ocsf.device.network_interfaces.ip: description: The IP address associated with the network interface. name: ocsf.device.network_interfaces.ip type: ip + ocsf.device.network_interfaces.mac: description: The MAC address of the network interface. name: ocsf.device.network_interfaces.mac type: keyword + ocsf.device.network_interfaces.name: description: The name of the network interface. name: ocsf.device.network_interfaces.name type: keyword + ocsf.device.network_interfaces.namespace: - description: - The namespace is useful in merger or acquisition situations. For example, + description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. name: ocsf.device.network_interfaces.namespace type: keyword + ocsf.device.network_interfaces.subnet_prefix: - description: - The subnet prefix length determines the number of bits used to represent + description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet. 
name: ocsf.device.network_interfaces.subnet_prefix type: long + ocsf.device.network_interfaces.type: description: The type of network interface. name: ocsf.device.network_interfaces.type type: keyword + ocsf.device.network_interfaces.type_id: description: The network interface type identifier. name: ocsf.device.network_interfaces.type_id type: keyword + ocsf.device.network_interfaces.uid: description: The unique identifier for the network interface. name: ocsf.device.network_interfaces.uid type: keyword + ocsf.device.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.device.org.name type: keyword + ocsf.device.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.device.org.ou_name type: keyword + ocsf.device.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.device.org.ou_uid type: keyword + ocsf.device.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.device.org.uid type: keyword + ocsf.device.os.country: - description: - The operating system country code, as defined by the ISO 3166-1 standard + description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. name: ocsf.device.os.country type: keyword + ocsf.device.os.cpu_bits: - description: - The cpu architecture, the number of bits used for addressing in memory. + description: The cpu architecture, the number of bits used for addressing in memory. 
For example, 32 or 64. name: ocsf.device.os.cpu_bits type: long + ocsf.device.os.edition: description: The operating system edition. For example, Professional. name: ocsf.device.os.edition type: keyword + ocsf.device.os.lang: description: The two letter lower case language codes, as defined by ISO 639-1. name: ocsf.device.os.lang type: keyword + ocsf.device.os.sp_name: description: The name of the latest Service Pack. name: ocsf.device.os.sp_name type: keyword + ocsf.device.os.sp_ver: description: The version number of the latest Service Pack. name: ocsf.device.os.sp_ver type: keyword + ocsf.device.os.type_id: description: The type identifier of the operating system. name: ocsf.device.os.type_id type: keyword + ocsf.device.os.version: - description: - The version of the OS running on the device that originated the event. + description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". name: ocsf.device.os.version type: keyword + ocsf.device.region: - description: - The region where the virtual machine is located. For example, an AWS + description: The region where the virtual machine is located. For example, an AWS Region. name: ocsf.device.region type: keyword + ocsf.device.risk_level_id: description: The normalized risk level id. name: ocsf.device.risk_level_id type: keyword + ocsf.device.subnet: description: The subnet mask. name: ocsf.device.subnet type: keyword + ocsf.device.subnet_uid: description: The unique identifier of a virtual subnet. name: ocsf.device.subnet_uid type: keyword + ocsf.device.type_id: description: The device type ID. name: ocsf.device.type_id type: keyword + ocsf.device.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
name: ocsf.device.uid_alt type: keyword + ocsf.device.vpc_uid: description: The unique identifier of the Virtual Private Cloud (VPC). name: ocsf.device.vpc_uid type: keyword + ocsf.dialect: description: The negotiated protocol dialect. name: ocsf.dialect type: keyword + ocsf.direction: description: The direction of the email, as defined by the direction_id value. name: ocsf.direction type: keyword + ocsf.direction_id: description: The direction of the email relative to the scanning host or organization. name: ocsf.direction_id type: keyword + ocsf.disposition: - description: - The event disposition name, normalized to the caption of the disposition_id + description: The event disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source. name: ocsf.disposition type: keyword + ocsf.disposition_id: - description: - When security issues, such as malware or policy violations, are detected + description: When security issues, such as malware or policy violations, are detected and possibly corrected, then disposition_id describes the action taken by the security product. name: ocsf.disposition_id type: keyword + ocsf.driver.file.accessed_time_dt: description: The time when the file was last accessed. name: ocsf.driver.file.accessed_time_dt type: date + ocsf.driver.file.accessor.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.driver.file.accessor.account.name type: keyword + ocsf.driver.file.accessor.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.driver.file.accessor.account.type type: keyword + ocsf.driver.file.accessor.account.type_id: description: The normalized account type identifier. 
name: ocsf.driver.file.accessor.account.type_id type: keyword + ocsf.driver.file.accessor.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.driver.file.accessor.account.uid type: keyword + ocsf.driver.file.accessor.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.driver.file.accessor.credential_uid type: keyword + ocsf.driver.file.accessor.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.driver.file.accessor.domain type: keyword + ocsf.driver.file.accessor.email_addr: description: The user's email address. name: ocsf.driver.file.accessor.email_addr type: keyword + ocsf.driver.file.accessor.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.driver.file.accessor.full_name type: keyword + ocsf.driver.file.accessor.groups.desc: description: The group description. name: ocsf.driver.file.accessor.groups.desc type: keyword + ocsf.driver.file.accessor.groups.name: description: The group name. name: ocsf.driver.file.accessor.groups.name type: keyword + ocsf.driver.file.accessor.groups.privileges: description: The group privileges. name: ocsf.driver.file.accessor.groups.privileges type: keyword + ocsf.driver.file.accessor.groups.type: description: The type of the group or account. name: ocsf.driver.file.accessor.groups.type type: keyword + ocsf.driver.file.accessor.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.driver.file.accessor.groups.uid type: keyword + ocsf.driver.file.accessor.name: description: The username. For example, janedoe1. name: ocsf.driver.file.accessor.name type: keyword + ocsf.driver.file.accessor.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.driver.file.accessor.org.name type: keyword + ocsf.driver.file.accessor.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.driver.file.accessor.org.ou_name type: keyword + ocsf.driver.file.accessor.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.driver.file.accessor.org.ou_uid type: keyword + ocsf.driver.file.accessor.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.driver.file.accessor.org.uid type: keyword + ocsf.driver.file.accessor.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.driver.file.accessor.type type: keyword + ocsf.driver.file.accessor.type_id: description: The account type identifier. name: ocsf.driver.file.accessor.type_id type: keyword + ocsf.driver.file.accessor.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. 
name: ocsf.driver.file.accessor.uid type: keyword + ocsf.driver.file.accessor.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.driver.file.accessor.uid_alt type: keyword + ocsf.driver.file.attributes: description: The Bitmask value that represents the file attributes. name: ocsf.driver.file.attributes type: long + ocsf.driver.file.company_name: - description: - "The name of the company that published the file. For example: Microsoft - Corporation." + description: 'The name of the company that published the file. For example: Microsoft + Corporation.' name: ocsf.driver.file.company_name type: keyword + ocsf.driver.file.confidentiality: - description: - The file content confidentiality, normalized to the confidentiality_id + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. name: ocsf.driver.file.confidentiality type: keyword + ocsf.driver.file.confidentiality_id: description: The normalized identifier of the file content confidentiality indicator. name: ocsf.driver.file.confidentiality_id type: keyword + ocsf.driver.file.created_time_dt: description: The time when the file was created. name: ocsf.driver.file.created_time_dt type: date + ocsf.driver.file.creator.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.driver.file.creator.account.name type: keyword + ocsf.driver.file.creator.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
name: ocsf.driver.file.creator.account.type type: keyword + ocsf.driver.file.creator.account.type_id: description: The normalized account type identifier. name: ocsf.driver.file.creator.account.type_id type: keyword + ocsf.driver.file.creator.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.driver.file.creator.account.uid type: keyword + ocsf.driver.file.creator.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.driver.file.creator.credential_uid type: keyword + ocsf.driver.file.creator.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.driver.file.creator.domain type: keyword + ocsf.driver.file.creator.email_addr: description: The user's email address. name: ocsf.driver.file.creator.email_addr type: keyword + ocsf.driver.file.creator.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.driver.file.creator.full_name type: keyword + ocsf.driver.file.creator.groups.desc: description: The group description. name: ocsf.driver.file.creator.groups.desc type: keyword + ocsf.driver.file.creator.groups.name: description: The group name. name: ocsf.driver.file.creator.groups.name type: keyword + ocsf.driver.file.creator.groups.privileges: description: The group privileges. name: ocsf.driver.file.creator.groups.privileges type: keyword + ocsf.driver.file.creator.groups.type: description: The type of the group or account. 
name: ocsf.driver.file.creator.groups.type type: keyword + ocsf.driver.file.creator.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.driver.file.creator.groups.uid type: keyword + ocsf.driver.file.creator.name: description: The username. For example, janedoe1. name: ocsf.driver.file.creator.name type: keyword + ocsf.driver.file.creator.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.driver.file.creator.org.name type: keyword + ocsf.driver.file.creator.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.driver.file.creator.org.ou_name type: keyword + ocsf.driver.file.creator.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.driver.file.creator.org.ou_uid type: keyword + ocsf.driver.file.creator.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.driver.file.creator.org.uid type: keyword + ocsf.driver.file.creator.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.driver.file.creator.type type: keyword + ocsf.driver.file.creator.type_id: description: The account type identifier. name: ocsf.driver.file.creator.type_id type: keyword + ocsf.driver.file.creator.uid: - description: - The unique user identifier. 
For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. name: ocsf.driver.file.creator.uid type: keyword + ocsf.driver.file.creator.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.driver.file.creator.uid_alt type: keyword + ocsf.driver.file.desc: - description: - "The description of the file, as returned by file system. For example: - the description as returned by the Unix file command or the Windows file type." + description: 'The description of the file, as returned by file system. For example: + the description as returned by the Unix file command or the Windows file type.' name: ocsf.driver.file.desc type: keyword + ocsf.driver.file.is_system: description: The indication of whether the object is part of the operating system. name: ocsf.driver.file.is_system type: boolean + ocsf.driver.file.modified_time_dt: description: The time when the file was last modified. name: ocsf.driver.file.modified_time_dt type: date + ocsf.driver.file.modifier.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.driver.file.modifier.account.name type: keyword + ocsf.driver.file.modifier.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.driver.file.modifier.account.type type: keyword + ocsf.driver.file.modifier.account.type_id: description: The normalized account type identifier. name: ocsf.driver.file.modifier.account.type_id type: keyword + ocsf.driver.file.modifier.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). 
name: ocsf.driver.file.modifier.account.uid type: keyword + ocsf.driver.file.modifier.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.driver.file.modifier.credential_uid type: keyword + ocsf.driver.file.modifier.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.driver.file.modifier.domain type: keyword + ocsf.driver.file.modifier.email_addr: description: The user's email address. name: ocsf.driver.file.modifier.email_addr type: keyword + ocsf.driver.file.modifier.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.driver.file.modifier.full_name type: keyword + ocsf.driver.file.modifier.groups.desc: description: The group description. name: ocsf.driver.file.modifier.groups.desc type: keyword + ocsf.driver.file.modifier.groups.name: description: The group name. name: ocsf.driver.file.modifier.groups.name type: keyword + ocsf.driver.file.modifier.groups.privileges: description: The group privileges. name: ocsf.driver.file.modifier.groups.privileges type: keyword + ocsf.driver.file.modifier.groups.type: description: The type of the group or account. name: ocsf.driver.file.modifier.groups.type type: keyword + ocsf.driver.file.modifier.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.driver.file.modifier.groups.uid type: keyword + ocsf.driver.file.modifier.name: description: The username. 
For example, janedoe1. name: ocsf.driver.file.modifier.name type: keyword + ocsf.driver.file.modifier.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.driver.file.modifier.org.name type: keyword + ocsf.driver.file.modifier.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.driver.file.modifier.org.ou_name type: keyword + ocsf.driver.file.modifier.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.driver.file.modifier.org.ou_uid type: keyword + ocsf.driver.file.modifier.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.driver.file.modifier.org.uid type: keyword + ocsf.driver.file.modifier.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.driver.file.modifier.type type: keyword + ocsf.driver.file.modifier.type_id: description: The account type identifier. name: ocsf.driver.file.modifier.type_id type: keyword + ocsf.driver.file.modifier.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. name: ocsf.driver.file.modifier.uid type: keyword + ocsf.driver.file.modifier.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
name: ocsf.driver.file.modifier.uid_alt type: keyword + ocsf.driver.file.owner.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.driver.file.owner.account.name type: keyword + ocsf.driver.file.owner.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.driver.file.owner.account.type type: keyword + ocsf.driver.file.owner.account.type_id: description: The normalized account type identifier. name: ocsf.driver.file.owner.account.type_id type: keyword + ocsf.driver.file.owner.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.driver.file.owner.account.uid type: keyword + ocsf.driver.file.owner.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.driver.file.owner.credential_uid type: keyword + ocsf.driver.file.owner.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.driver.file.owner.domain type: keyword + ocsf.driver.file.owner.email_addr: description: The user's email address. name: ocsf.driver.file.owner.email_addr type: keyword + ocsf.driver.file.owner.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.driver.file.owner.full_name type: keyword + ocsf.driver.file.owner.groups.desc: description: The group description. 
name: ocsf.driver.file.owner.groups.desc type: keyword + ocsf.driver.file.owner.groups.name: description: The group name. name: ocsf.driver.file.owner.groups.name type: keyword + ocsf.driver.file.owner.groups.privileges: description: The group privileges. name: ocsf.driver.file.owner.groups.privileges type: keyword + ocsf.driver.file.owner.groups.type: description: The type of the group or account. name: ocsf.driver.file.owner.groups.type type: keyword + ocsf.driver.file.owner.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.driver.file.owner.groups.uid type: keyword + ocsf.driver.file.owner.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.driver.file.owner.org.name type: keyword + ocsf.driver.file.owner.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.driver.file.owner.org.ou_name type: keyword + ocsf.driver.file.owner.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.driver.file.owner.org.ou_uid type: keyword + ocsf.driver.file.owner.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.driver.file.owner.org.uid type: keyword + ocsf.driver.file.owner.type: description: The type of the user. For example, System, AWS IAM User, etc. 
name: ocsf.driver.file.owner.type type: keyword + ocsf.driver.file.owner.type_id: description: The account type identifier. name: ocsf.driver.file.owner.type_id type: keyword + ocsf.driver.file.owner.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.driver.file.owner.uid_alt type: keyword + ocsf.driver.file.product.feature.name: description: The name of the feature. name: ocsf.driver.file.product.feature.name type: keyword + ocsf.driver.file.product.feature.uid: description: The unique identifier of the feature. name: ocsf.driver.file.product.feature.uid type: keyword + ocsf.driver.file.product.feature.version: description: The version of the feature. name: ocsf.driver.file.product.feature.version type: keyword + ocsf.driver.file.product.lang: - description: - "The two letter lower case language codes, as defined by ISO 639-1. - For example: en (English), de (German), or fr (French)." + description: 'The two letter lower case language codes, as defined by ISO 639-1. + For example: en (English), de (German), or fr (French).' name: ocsf.driver.file.product.lang type: keyword + ocsf.driver.file.product.name: description: The name of the product. name: ocsf.driver.file.product.name type: keyword + ocsf.driver.file.product.path: description: The installation path of the product. name: ocsf.driver.file.product.path type: keyword + ocsf.driver.file.product.uid: description: The unique identifier of the product. name: ocsf.driver.file.product.uid type: keyword + ocsf.driver.file.product.vendor_name: description: The name of the vendor of the product. name: ocsf.driver.file.product.vendor_name type: keyword + ocsf.driver.file.product.version: - description: - "The version of the product, as defined by the event source. For example: - 2013.1.3-beta." 
+ description: 'The version of the product, as defined by the event source. For example: + 2013.1.3-beta.' name: ocsf.driver.file.product.version type: keyword + ocsf.driver.file.security_descriptor: description: The object security descriptor. name: ocsf.driver.file.security_descriptor type: keyword + ocsf.driver.file.signature.algorithm: - description: - The digital signature algorithm used to create the signature, normalized + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.driver.file.signature.algorithm type: keyword + ocsf.driver.file.signature.algorithm_id: description: The identifier of the normalized digital signature algorithm. name: ocsf.driver.file.signature.algorithm_id type: keyword + ocsf.driver.file.signature.certificate.created_time: description: The time when the certificate was created. name: ocsf.driver.file.signature.certificate.created_time type: date + ocsf.driver.file.signature.certificate.created_time_dt: description: The time when the certificate was created. name: ocsf.driver.file.signature.certificate.created_time_dt type: date + ocsf.driver.file.signature.certificate.expiration_time_dt: description: The expiration time of the certificate. name: ocsf.driver.file.signature.certificate.expiration_time_dt type: date + ocsf.driver.file.signature.certificate.fingerprints.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
name: ocsf.driver.file.signature.certificate.fingerprints.algorithm type: keyword + ocsf.driver.file.signature.certificate.fingerprints.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. name: ocsf.driver.file.signature.certificate.fingerprints.algorithm_id type: keyword + ocsf.driver.file.signature.certificate.fingerprints.value: description: The digital fingerprint value. name: ocsf.driver.file.signature.certificate.fingerprints.value type: keyword + ocsf.driver.file.signature.created_time: description: The time when the digital signature was created. name: ocsf.driver.file.signature.created_time type: date + ocsf.driver.file.signature.created_time_dt: description: The time when the digital signature was created. name: ocsf.driver.file.signature.created_time_dt type: date + ocsf.driver.file.signature.developer_uid: description: The developer ID on the certificate that signed the file. name: ocsf.driver.file.signature.developer_uid type: keyword + ocsf.driver.file.signature.digest.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.driver.file.signature.digest.algorithm type: keyword + ocsf.driver.file.signature.digest.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. name: ocsf.driver.file.signature.digest.algorithm_id type: keyword + ocsf.driver.file.signature.digest.value: description: The digital fingerprint value. 
name: ocsf.driver.file.signature.digest.value type: keyword + ocsf.driver.file.type_id: description: The file type ID. name: ocsf.driver.file.type_id type: keyword + ocsf.driver.file.version: - description: "The file version. For example: 8.0.7601.17514." + description: 'The file version. For example: 8.0.7601.17514.' name: ocsf.driver.file.version type: keyword + ocsf.driver.file.xattributes: - description: - An unordered collection of zero or more name/value pairs where each + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. name: ocsf.driver.file.xattributes type: keyword + ocsf.dst_endpoint.instance_uid: description: The unique identifier of a VM instance. name: ocsf.dst_endpoint.instance_uid type: keyword + ocsf.dst_endpoint.interface_name: description: The name of the network interface (e.g. eth2). name: ocsf.dst_endpoint.interface_name type: keyword + ocsf.dst_endpoint.interface_uid: description: The unique identifier of the network interface. name: ocsf.dst_endpoint.interface_uid type: keyword + ocsf.dst_endpoint.intermediate_ips: - description: - The intermediate IP Addresses. For example, the IP addresses in the + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. name: ocsf.dst_endpoint.intermediate_ips type: ip + ocsf.dst_endpoint.location.is_on_premises: description: The indication of whether the location is on premises. name: ocsf.dst_endpoint.location.is_on_premises type: boolean + ocsf.dst_endpoint.location.isp: description: The name of the Internet Service Provider (ISP). name: ocsf.dst_endpoint.location.isp type: keyword + ocsf.dst_endpoint.location.provider: description: The provider of the geographical location data. name: ocsf.dst_endpoint.location.provider type: keyword + ocsf.dst_endpoint.name: description: The short name of the endpoint. 
name: ocsf.dst_endpoint.name type: keyword + ocsf.dst_endpoint.subnet_uid: description: The unique identifier of a virtual subnet. name: ocsf.dst_endpoint.subnet_uid type: keyword + ocsf.dst_endpoint.uid: description: The unique identifier of the endpoint. name: ocsf.dst_endpoint.uid type: keyword + ocsf.dst_endpoint.vlan_uid: description: The Virtual LAN identifier. name: ocsf.dst_endpoint.vlan_uid type: keyword + ocsf.dst_endpoint.vpc_uid: description: The unique identifier of the Virtual Private Cloud (VPC). name: ocsf.dst_endpoint.vpc_uid type: keyword + ocsf.email.delivered_to: description: The Delivered-To email header field. name: ocsf.email.delivered_to type: keyword + ocsf.email.raw_header: description: The email authentication header. name: ocsf.email.raw_header type: keyword + ocsf.email.size: description: The size in bytes of the email, including attachments. name: ocsf.email.size type: long + ocsf.email.smtp_from: description: The value of the SMTP MAIL FROM command. name: ocsf.email.smtp_from type: keyword + ocsf.email.smtp_to: description: The value of the SMTP envelope RCPT TO command. name: ocsf.email.smtp_to type: keyword + ocsf.email.x_originating_ip: description: The X-Originating-IP header identifying the emails originating IP address(es). name: ocsf.email.x_originating_ip type: ip + ocsf.email_auth.dkim: description: The DomainKeys Identified Mail (DKIM) status of the email. name: ocsf.email_auth.dkim type: keyword + ocsf.email_auth.dkim_domain: description: The DomainKeys Identified Mail (DKIM) signing domain of the email. name: ocsf.email_auth.dkim_domain type: keyword + ocsf.email_auth.dkim_signature: - description: - The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving + description: The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system. 
name: ocsf.email_auth.dkim_signature type: keyword + ocsf.email_auth.dmarc: - description: - The Domain-based Message Authentication, Reporting and Conformance + description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email. name: ocsf.email_auth.dmarc type: keyword + ocsf.email_auth.dmarc_override: - description: - The Domain-based Message Authentication, Reporting and Conformance + description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action. name: ocsf.email_auth.dmarc_override type: keyword + ocsf.email_auth.dmarc_policy: - description: - The Domain-based Message Authentication, Reporting and Conformance + description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status. name: ocsf.email_auth.dmarc_policy type: keyword + ocsf.email_auth.spf: description: The Sender Policy Framework (SPF) status of the email. name: ocsf.email_auth.spf type: keyword + ocsf.end_time_dt: - description: - The end time of a time period, or the time of the most recent event + description: The end time of a time period, or the time of the most recent event included in the aggregate event. name: ocsf.end_time_dt type: date + ocsf.enrichments.data: - description: - The enrichment data associated with the attribute and value. The meaning + description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. name: ocsf.enrichments.data type: keyword + ocsf.enrichments.name: description: The name of the attribute to which the enriched data pertains. name: ocsf.enrichments.name type: keyword + ocsf.enrichments.provider: description: The enrichment data provider name. name: ocsf.enrichments.provider type: keyword + ocsf.enrichments.type: description: The enrichment type. For example, location. 
name: ocsf.enrichments.type type: keyword + ocsf.enrichments.value: description: The value of the attribute to which the enriched data pertains. name: ocsf.enrichments.value type: keyword + ocsf.entity.data: description: The managed entity content as a JSON object. name: ocsf.entity.data type: keyword + ocsf.entity.name: description: The name of the managed entity. name: ocsf.entity.name type: keyword + ocsf.entity.type: description: The managed entity type. name: ocsf.entity.type type: keyword + ocsf.entity.uid: description: The identifier of the managed entity. name: ocsf.entity.uid type: keyword + ocsf.entity.version: description: The version of the managed entity. name: ocsf.entity.version type: keyword + ocsf.entity_result.data: description: The managed entity content as a JSON object. name: ocsf.entity_result.data type: keyword + ocsf.entity_result.name: description: The name of the managed entity. name: ocsf.entity_result.name type: keyword + ocsf.entity_result.type: description: The managed entity type. name: ocsf.entity_result.type type: keyword + ocsf.entity_result.uid: description: The identifier of the managed entity. name: ocsf.entity_result.uid type: keyword + ocsf.entity_result.version: description: The version of the managed entity. name: ocsf.entity_result.version type: keyword + ocsf.evidence: description: The data the finding exposes to the analyst. name: ocsf.evidence type: keyword + ocsf.expiration_time: description: The share expiration time. name: ocsf.expiration_time type: date + ocsf.expiration_time_dt: description: The share expiration time. name: ocsf.expiration_time_dt type: date + ocsf.file.accessed_time_dt: description: The time when the file was last accessed. name: ocsf.file.accessed_time_dt type: date + ocsf.file.accessor.account.name: description: The name of the account (e.g. GCP Account Name). 
name: ocsf.file.accessor.account.name type: keyword + ocsf.file.accessor.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.file.accessor.account.type type: keyword + ocsf.file.accessor.account.type_id: description: The normalized account type identifier. name: ocsf.file.accessor.account.type_id type: keyword + ocsf.file.accessor.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.file.accessor.account.uid type: keyword + ocsf.file.accessor.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.file.accessor.credential_uid type: keyword + ocsf.file.accessor.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.file.accessor.domain type: keyword + ocsf.file.accessor.email_addr: description: The user's email address. name: ocsf.file.accessor.email_addr type: keyword + ocsf.file.accessor.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.file.accessor.full_name type: keyword + ocsf.file.accessor.groups.desc: description: The group description. name: ocsf.file.accessor.groups.desc type: keyword + ocsf.file.accessor.groups.name: description: The group name. name: ocsf.file.accessor.groups.name type: keyword + ocsf.file.accessor.groups.privileges: description: The group privileges. 
name: ocsf.file.accessor.groups.privileges type: keyword + ocsf.file.accessor.groups.type: description: The type of the group or account. name: ocsf.file.accessor.groups.type type: keyword + ocsf.file.accessor.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.file.accessor.groups.uid type: keyword + ocsf.file.accessor.name: description: The username. For example, janedoe1. name: ocsf.file.accessor.name type: keyword + ocsf.file.accessor.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.file.accessor.org.name type: keyword + ocsf.file.accessor.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.file.accessor.org.ou_name type: keyword + ocsf.file.accessor.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.file.accessor.org.ou_uid type: keyword + ocsf.file.accessor.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.file.accessor.org.uid type: keyword + ocsf.file.accessor.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.file.accessor.type type: keyword + ocsf.file.accessor.type_id: description: The account type identifier. name: ocsf.file.accessor.type_id type: keyword + ocsf.file.accessor.uid: - description: - The unique user identifier. 
For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. name: ocsf.file.accessor.uid type: keyword + ocsf.file.accessor.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.file.accessor.uid_alt type: keyword + ocsf.file.attributes: description: The Bitmask value that represents the file attributes. name: ocsf.file.attributes type: long + ocsf.file.company_name: - description: - "The name of the company that published the file. For example: Microsoft - Corporation." + description: 'The name of the company that published the file. For example: Microsoft + Corporation.' name: ocsf.file.company_name type: keyword + ocsf.file.confidentiality: - description: - The file content confidentiality, normalized to the confidentiality_id + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. name: ocsf.file.confidentiality type: keyword + ocsf.file.confidentiality_id: description: The normalized identifier of the file content confidentiality indicator. name: ocsf.file.confidentiality_id type: keyword + ocsf.file.created_time_dt: description: The time when the file was created. name: ocsf.file.created_time_dt type: date + ocsf.file.creator.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.file.creator.account.name type: keyword + ocsf.file.creator.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
name: ocsf.file.creator.account.type type: keyword + ocsf.file.creator.account.type_id: description: The normalized account type identifier. name: ocsf.file.creator.account.type_id type: keyword + ocsf.file.creator.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.file.creator.account.uid type: keyword + ocsf.file.creator.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.file.creator.credential_uid type: keyword + ocsf.file.creator.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.file.creator.domain type: keyword + ocsf.file.creator.email_addr: description: The user's email address. name: ocsf.file.creator.email_addr type: keyword + ocsf.file.creator.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.file.creator.full_name type: keyword + ocsf.file.creator.groups.desc: description: The group description. name: ocsf.file.creator.groups.desc type: keyword + ocsf.file.creator.groups.name: description: The group name. name: ocsf.file.creator.groups.name type: keyword + ocsf.file.creator.groups.privileges: description: The group privileges. name: ocsf.file.creator.groups.privileges type: keyword + ocsf.file.creator.groups.type: description: The type of the group or account. name: ocsf.file.creator.groups.type type: keyword + ocsf.file.creator.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.file.creator.groups.uid type: keyword + ocsf.file.creator.name: description: The username. For example, janedoe1. name: ocsf.file.creator.name type: keyword + ocsf.file.creator.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.file.creator.org.name type: keyword + ocsf.file.creator.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.file.creator.org.ou_name type: keyword + ocsf.file.creator.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.file.creator.org.ou_uid type: keyword + ocsf.file.creator.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.file.creator.org.uid type: keyword + ocsf.file.creator.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.file.creator.type type: keyword + ocsf.file.creator.type_id: description: The account type identifier. name: ocsf.file.creator.type_id type: keyword + ocsf.file.creator.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. name: ocsf.file.creator.uid type: keyword + ocsf.file.creator.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.file.creator.uid_alt type: keyword + ocsf.file.desc: - description: - "The description of the file, as returned by file system. For example: - the description as returned by the Unix file command or the Windows file type." + description: 'The description of the file, as returned by file system. For example: + the description as returned by the Unix file command or the Windows file type.' name: ocsf.file.desc type: keyword + ocsf.file.is_system: description: The indication of whether the object is part of the operating system. name: ocsf.file.is_system type: boolean + ocsf.file.modified_time_dt: description: The time when the file was last modified. name: ocsf.file.modified_time_dt type: date + ocsf.file.modifier.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.file.modifier.account.name type: keyword + ocsf.file.modifier.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.file.modifier.account.type type: keyword + ocsf.file.modifier.account.type_id: description: The normalized account type identifier. name: ocsf.file.modifier.account.type_id type: keyword + ocsf.file.modifier.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.file.modifier.account.uid type: keyword + ocsf.file.modifier.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.file.modifier.credential_uid type: keyword + ocsf.file.modifier.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." 
+ description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.file.modifier.domain type: keyword + ocsf.file.modifier.email_addr: description: The user's email address. name: ocsf.file.modifier.email_addr type: keyword + ocsf.file.modifier.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.file.modifier.full_name type: keyword + ocsf.file.modifier.groups.desc: description: The group description. name: ocsf.file.modifier.groups.desc type: keyword + ocsf.file.modifier.groups.name: description: The group name. name: ocsf.file.modifier.groups.name type: keyword + ocsf.file.modifier.groups.privileges: description: The group privileges. name: ocsf.file.modifier.groups.privileges type: keyword + ocsf.file.modifier.groups.type: description: The type of the group or account. name: ocsf.file.modifier.groups.type type: keyword + ocsf.file.modifier.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.file.modifier.groups.uid type: keyword + ocsf.file.modifier.name: description: The username. For example, janedoe1. name: ocsf.file.modifier.name type: keyword + ocsf.file.modifier.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.file.modifier.org.name type: keyword + ocsf.file.modifier.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.file.modifier.org.ou_name type: keyword + ocsf.file.modifier.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. 
For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.file.modifier.org.ou_uid type: keyword + ocsf.file.modifier.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.file.modifier.org.uid type: keyword + ocsf.file.modifier.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.file.modifier.type type: keyword + ocsf.file.modifier.type_id: description: The account type identifier. name: ocsf.file.modifier.type_id type: keyword + ocsf.file.modifier.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. name: ocsf.file.modifier.uid type: keyword + ocsf.file.modifier.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.file.modifier.uid_alt type: keyword + ocsf.file.owner.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.file.owner.account.name type: keyword + ocsf.file.owner.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.file.owner.account.type type: keyword + ocsf.file.owner.account.type_id: description: The normalized account type identifier. name: ocsf.file.owner.account.type_id type: keyword + ocsf.file.owner.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). 
name: ocsf.file.owner.account.uid type: keyword + ocsf.file.owner.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.file.owner.credential_uid type: keyword + ocsf.file.owner.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.file.owner.domain type: keyword + ocsf.file.owner.email_addr: description: The user's email address. name: ocsf.file.owner.email_addr type: keyword + ocsf.file.owner.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.file.owner.full_name type: keyword + ocsf.file.owner.groups.desc: description: The group description. name: ocsf.file.owner.groups.desc type: keyword + ocsf.file.owner.groups.name: description: The group name. name: ocsf.file.owner.groups.name type: keyword + ocsf.file.owner.groups.privileges: description: The group privileges. name: ocsf.file.owner.groups.privileges type: keyword + ocsf.file.owner.groups.type: description: The type of the group or account. name: ocsf.file.owner.groups.type type: keyword + ocsf.file.owner.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.file.owner.groups.uid type: keyword + ocsf.file.owner.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.file.owner.org.name type: keyword + ocsf.file.owner.org.ou_name: - description: - The name of the organizational unit, within an organization. 
For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.file.owner.org.ou_name type: keyword + ocsf.file.owner.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.file.owner.org.ou_uid type: keyword + ocsf.file.owner.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.file.owner.org.uid type: keyword + ocsf.file.owner.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.file.owner.type type: keyword + ocsf.file.owner.type_id: description: The account type identifier. name: ocsf.file.owner.type_id type: keyword + ocsf.file.owner.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.file.owner.uid_alt type: keyword + ocsf.file.product.feature.name: description: The name of the feature. name: ocsf.file.product.feature.name type: keyword + ocsf.file.product.feature.uid: description: The unique identifier of the feature. name: ocsf.file.product.feature.uid type: keyword + ocsf.file.product.feature.version: description: The version of the feature. name: ocsf.file.product.feature.version type: keyword + ocsf.file.product.lang: - description: - "The two letter lower case language codes, as defined by ISO 639-1. - For example: en (English), de (German), or fr (French)." + description: 'The two letter lower case language codes, as defined by ISO 639-1. + For example: en (English), de (German), or fr (French).' 
name: ocsf.file.product.lang type: keyword + ocsf.file.product.name: description: The name of the product. name: ocsf.file.product.name type: keyword + ocsf.file.product.path: description: The installation path of the product. name: ocsf.file.product.path type: keyword + ocsf.file.product.uid: description: The unique identifier of the product. name: ocsf.file.product.uid type: keyword + ocsf.file.product.url_string: description: The URL pointing towards the product. name: ocsf.file.product.url_string type: keyword + ocsf.file.product.vendor_name: description: The name of the vendor of the product. name: ocsf.file.product.vendor_name type: keyword + ocsf.file.product.version: - description: - "The version of the product, as defined by the event source. For example: - 2013.1.3-beta." + description: 'The version of the product, as defined by the event source. For example: + 2013.1.3-beta.' name: ocsf.file.product.version type: keyword + ocsf.file.security_descriptor: description: The object security descriptor. name: ocsf.file.security_descriptor type: keyword + ocsf.file.signature.algorithm: - description: - The digital signature algorithm used to create the signature, normalized + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.file.signature.algorithm type: keyword + ocsf.file.signature.algorithm_id: description: The identifier of the normalized digital signature algorithm. name: ocsf.file.signature.algorithm_id type: keyword + ocsf.file.signature.certificate.created_time: description: The time when the certificate was created. name: ocsf.file.signature.certificate.created_time type: date + ocsf.file.signature.certificate.created_time_dt: description: The time when the certificate was created. 
name: ocsf.file.signature.certificate.created_time_dt type: date + ocsf.file.signature.certificate.expiration_time_dt: description: The expiration time of the certificate. name: ocsf.file.signature.certificate.expiration_time_dt type: date + ocsf.file.signature.certificate.fingerprints.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.file.signature.certificate.fingerprints.algorithm type: keyword + ocsf.file.signature.certificate.fingerprints.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. name: ocsf.file.signature.certificate.fingerprints.algorithm_id type: keyword + ocsf.file.signature.certificate.fingerprints.value: description: The digital fingerprint value. name: ocsf.file.signature.certificate.fingerprints.value type: keyword + ocsf.file.signature.created_time: description: The time when the digital signature was created. name: ocsf.file.signature.created_time type: date + ocsf.file.signature.created_time_dt: description: The time when the digital signature was created. name: ocsf.file.signature.created_time_dt type: date + ocsf.file.signature.developer_uid: description: The developer ID on the certificate that signed the file. name: ocsf.file.signature.developer_uid type: keyword + ocsf.file.signature.digest.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
name: ocsf.file.signature.digest.algorithm type: keyword + ocsf.file.signature.digest.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. name: ocsf.file.signature.digest.algorithm_id type: keyword + ocsf.file.signature.digest.value: description: The digital fingerprint value. name: ocsf.file.signature.digest.value type: keyword + ocsf.file.type_id: description: The file type ID. name: ocsf.file.type_id type: keyword + ocsf.file.version: - description: "The file version. For example: 8.0.7601.17514." + description: 'The file version. For example: 8.0.7601.17514.' name: ocsf.file.version type: keyword + ocsf.file.xattributes: - description: - An unordered collection of zero or more name/value pairs where each + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. name: ocsf.file.xattributes type: keyword + ocsf.file_diff: - description: - File content differences used for change detection. For example, a + description: File content differences used for change detection. For example, a common use case is to identify itemized changes within INI or configuration/property setting values. name: ocsf.file_diff type: keyword + ocsf.file_result.accessed_time: description: The time when the file was last accessed. name: ocsf.file_result.accessed_time type: date + ocsf.file_result.accessed_time_dt: description: The time when the file was last accessed. name: ocsf.file_result.accessed_time_dt type: date + ocsf.file_result.accessor.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.file_result.accessor.account.name type: keyword + ocsf.file_result.accessor.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. 
In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.file_result.accessor.account.type type: keyword + ocsf.file_result.accessor.account.type_id: description: The normalized account type identifier. name: ocsf.file_result.accessor.account.type_id type: keyword + ocsf.file_result.accessor.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.file_result.accessor.account.uid type: keyword + ocsf.file_result.accessor.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.file_result.accessor.credential_uid type: keyword + ocsf.file_result.accessor.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.file_result.accessor.domain type: keyword + ocsf.file_result.accessor.email_addr: description: The user's email address. name: ocsf.file_result.accessor.email_addr type: keyword + ocsf.file_result.accessor.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.file_result.accessor.full_name type: keyword + ocsf.file_result.accessor.groups.desc: description: The group description. name: ocsf.file_result.accessor.groups.desc type: keyword + ocsf.file_result.accessor.groups.name: description: The group name. name: ocsf.file_result.accessor.groups.name type: keyword + ocsf.file_result.accessor.groups.privileges: description: The group privileges. 
name: ocsf.file_result.accessor.groups.privileges type: keyword + ocsf.file_result.accessor.groups.type: description: The type of the group or account. name: ocsf.file_result.accessor.groups.type type: keyword + ocsf.file_result.accessor.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.file_result.accessor.groups.uid type: keyword + ocsf.file_result.accessor.name: description: The username. For example, janedoe1. name: ocsf.file_result.accessor.name type: keyword + ocsf.file_result.accessor.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.file_result.accessor.org.name type: keyword + ocsf.file_result.accessor.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.file_result.accessor.org.ou_name type: keyword + ocsf.file_result.accessor.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.file_result.accessor.org.ou_uid type: keyword + ocsf.file_result.accessor.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.file_result.accessor.org.uid type: keyword + ocsf.file_result.accessor.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.file_result.accessor.type type: keyword + ocsf.file_result.accessor.type_id: description: The account type identifier. 
name: ocsf.file_result.accessor.type_id type: keyword + ocsf.file_result.accessor.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. name: ocsf.file_result.accessor.uid type: keyword + ocsf.file_result.accessor.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.file_result.accessor.uid_alt type: keyword + ocsf.file_result.attributes: description: The Bitmask value that represents the file attributes. name: ocsf.file_result.attributes type: long + ocsf.file_result.company_name: - description: - "The name of the company that published the file. For example: Microsoft - Corporation." + description: 'The name of the company that published the file. For example: Microsoft + Corporation.' name: ocsf.file_result.company_name type: keyword + ocsf.file_result.confidentiality: - description: - The file content confidentiality, normalized to the confidentiality_id + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. name: ocsf.file_result.confidentiality type: keyword + ocsf.file_result.confidentiality_id: description: The normalized identifier of the file content confidentiality indicator. name: ocsf.file_result.confidentiality_id type: keyword + ocsf.file_result.created_time: description: The time when the file was created. name: ocsf.file_result.created_time type: date + ocsf.file_result.created_time_dt: description: The time when the file was created. name: ocsf.file_result.created_time_dt type: date + ocsf.file_result.creator.account.name: description: The name of the account (e.g. GCP Account Name). 
name: ocsf.file_result.creator.account.name type: keyword + ocsf.file_result.creator.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.file_result.creator.account.type type: keyword + ocsf.file_result.creator.account.type_id: description: The normalized account type identifier. name: ocsf.file_result.creator.account.type_id type: keyword + ocsf.file_result.creator.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.file_result.creator.account.uid type: keyword + ocsf.file_result.creator.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.file_result.creator.credential_uid type: keyword + ocsf.file_result.creator.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.file_result.creator.domain type: keyword + ocsf.file_result.creator.email_addr: description: The user's email address. name: ocsf.file_result.creator.email_addr type: keyword + ocsf.file_result.creator.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.file_result.creator.full_name type: keyword + ocsf.file_result.creator.groups.desc: description: The group description. name: ocsf.file_result.creator.groups.desc type: keyword + ocsf.file_result.creator.groups.name: description: The group name. 
name: ocsf.file_result.creator.groups.name type: keyword + ocsf.file_result.creator.groups.privileges: description: The group privileges. name: ocsf.file_result.creator.groups.privileges type: keyword + ocsf.file_result.creator.groups.type: description: The type of the group or account. name: ocsf.file_result.creator.groups.type type: keyword + ocsf.file_result.creator.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.file_result.creator.groups.uid type: keyword + ocsf.file_result.creator.name: description: The username. For example, janedoe1. name: ocsf.file_result.creator.name type: keyword + ocsf.file_result.creator.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.file_result.creator.org.name type: keyword + ocsf.file_result.creator.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.file_result.creator.org.ou_name type: keyword + ocsf.file_result.creator.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.file_result.creator.org.ou_uid type: keyword + ocsf.file_result.creator.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.file_result.creator.org.uid type: keyword + ocsf.file_result.creator.type: description: The type of the user. For example, System, AWS IAM User, etc. 
name: ocsf.file_result.creator.type type: keyword + ocsf.file_result.creator.type_id: description: The account type identifier. name: ocsf.file_result.creator.type_id type: keyword + ocsf.file_result.creator.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. name: ocsf.file_result.creator.uid type: keyword + ocsf.file_result.creator.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.file_result.creator.uid_alt type: keyword + ocsf.file_result.desc: - description: - "The description of the file, as returned by file system. For example: - the description as returned by the Unix file command or the Windows file type." + description: 'The description of the file, as returned by file system. For example: + the description as returned by the Unix file command or the Windows file type.' name: ocsf.file_result.desc type: keyword + ocsf.file_result.hashes.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.file_result.hashes.algorithm type: keyword + ocsf.file_result.hashes.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. name: ocsf.file_result.hashes.algorithm_id type: keyword + ocsf.file_result.hashes.value: description: The digital fingerprint value. 
name: ocsf.file_result.hashes.value type: keyword + ocsf.file_result.is_system: description: The indication of whether the object is part of the operating system. name: ocsf.file_result.is_system type: boolean + ocsf.file_result.mime_type: - description: - The Multipurpose Internet Mail Extensions (MIME) type of the file, + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. name: ocsf.file_result.mime_type type: keyword + ocsf.file_result.modified_time: description: The time when the file was last modified. name: ocsf.file_result.modified_time type: date + ocsf.file_result.modified_time_dt: description: The time when the file was last modified. name: ocsf.file_result.modified_time_dt type: date + ocsf.file_result.modifier.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.file_result.modifier.account.name type: keyword + ocsf.file_result.modifier.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.file_result.modifier.account.type type: keyword + ocsf.file_result.modifier.account.type_id: description: The normalized account type identifier. name: ocsf.file_result.modifier.account.type_id type: keyword + ocsf.file_result.modifier.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.file_result.modifier.account.uid type: keyword + ocsf.file_result.modifier.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.file_result.modifier.credential_uid type: keyword + ocsf.file_result.modifier.domain: - description: - "The domain where the user is defined. 
For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.file_result.modifier.domain type: keyword + ocsf.file_result.modifier.email_addr: description: The user's email address. name: ocsf.file_result.modifier.email_addr type: keyword + ocsf.file_result.modifier.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.file_result.modifier.full_name type: keyword + ocsf.file_result.modifier.groups.desc: description: The group description. name: ocsf.file_result.modifier.groups.desc type: keyword + ocsf.file_result.modifier.groups.name: description: The group name. name: ocsf.file_result.modifier.groups.name type: keyword + ocsf.file_result.modifier.groups.privileges: description: The group privileges. name: ocsf.file_result.modifier.groups.privileges type: keyword + ocsf.file_result.modifier.groups.type: description: The type of the group or account. name: ocsf.file_result.modifier.groups.type type: keyword + ocsf.file_result.modifier.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.file_result.modifier.groups.uid type: keyword + ocsf.file_result.modifier.name: description: The username. For example, janedoe1. name: ocsf.file_result.modifier.name type: keyword + ocsf.file_result.modifier.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.file_result.modifier.org.name type: keyword + ocsf.file_result.modifier.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. 
For example, Finance, IT, R&D. name: ocsf.file_result.modifier.org.ou_name type: keyword + ocsf.file_result.modifier.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.file_result.modifier.org.ou_uid type: keyword + ocsf.file_result.modifier.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.file_result.modifier.org.uid type: keyword + ocsf.file_result.modifier.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.file_result.modifier.type type: keyword + ocsf.file_result.modifier.type_id: description: The account type identifier. name: ocsf.file_result.modifier.type_id type: keyword + ocsf.file_result.modifier.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. name: ocsf.file_result.modifier.uid type: keyword + ocsf.file_result.modifier.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.file_result.modifier.uid_alt type: keyword + ocsf.file_result.name: - description: "The name of the file. For example: svchost.exe." + description: 'The name of the file. For example: svchost.exe.' name: ocsf.file_result.name type: keyword + ocsf.file_result.owner.account.name: description: The name of the account (e.g. GCP Account Name). 
name: ocsf.file_result.owner.account.name type: keyword + ocsf.file_result.owner.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.file_result.owner.account.type type: keyword + ocsf.file_result.owner.account.type_id: description: The normalized account type identifier. name: ocsf.file_result.owner.account.type_id type: keyword + ocsf.file_result.owner.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.file_result.owner.account.uid type: keyword + ocsf.file_result.owner.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.file_result.owner.credential_uid type: keyword + ocsf.file_result.owner.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.file_result.owner.domain type: keyword + ocsf.file_result.owner.email_addr: description: The user's email address. name: ocsf.file_result.owner.email_addr type: keyword + ocsf.file_result.owner.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.file_result.owner.full_name type: keyword + ocsf.file_result.owner.groups.desc: description: The group description. name: ocsf.file_result.owner.groups.desc type: keyword + ocsf.file_result.owner.groups.name: description: The group name. name: ocsf.file_result.owner.groups.name type: keyword + ocsf.file_result.owner.groups.privileges: description: The group privileges. 
name: ocsf.file_result.owner.groups.privileges type: keyword + ocsf.file_result.owner.groups.type: description: The type of the group or account. name: ocsf.file_result.owner.groups.type type: keyword + ocsf.file_result.owner.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.file_result.owner.groups.uid type: keyword + ocsf.file_result.owner.name: description: The username. For example, janedoe1. name: ocsf.file_result.owner.name type: keyword + ocsf.file_result.owner.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.file_result.owner.org.name type: keyword + ocsf.file_result.owner.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.file_result.owner.org.ou_name type: keyword + ocsf.file_result.owner.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.file_result.owner.org.ou_uid type: keyword + ocsf.file_result.owner.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.file_result.owner.org.uid type: keyword + ocsf.file_result.owner.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.file_result.owner.type type: keyword + ocsf.file_result.owner.type_id: description: The account type identifier. 
name: ocsf.file_result.owner.type_id type: keyword + ocsf.file_result.owner.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. name: ocsf.file_result.owner.uid type: keyword + ocsf.file_result.owner.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.file_result.owner.uid_alt type: keyword + ocsf.file_result.parent_folder: description: 'The parent folder in which the file resides. For example: c:\windows\system32.' name: ocsf.file_result.parent_folder type: keyword + ocsf.file_result.path: description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' name: ocsf.file_result.path type: keyword + ocsf.file_result.product.feature.name: description: The name of the feature. name: ocsf.file_result.product.feature.name type: keyword + ocsf.file_result.product.feature.uid: description: The unique identifier of the feature. name: ocsf.file_result.product.feature.uid type: keyword + ocsf.file_result.product.feature.version: description: The version of the feature. name: ocsf.file_result.product.feature.version type: keyword + ocsf.file_result.product.lang: - description: - "The two letter lower case language codes, as defined by ISO 639-1. - For example: en (English), de (German), or fr (French)." + description: 'The two letter lower case language codes, as defined by ISO 639-1. + For example: en (English), de (German), or fr (French).' name: ocsf.file_result.product.lang type: keyword + ocsf.file_result.product.name: description: The name of the product. name: ocsf.file_result.product.name type: keyword + ocsf.file_result.product.path: description: The installation path of the product. 
name: ocsf.file_result.product.path type: keyword + ocsf.file_result.product.uid: description: The unique identifier of the product. name: ocsf.file_result.product.uid type: keyword + ocsf.file_result.product.vendor_name: description: The name of the vendor of the product. name: ocsf.file_result.product.vendor_name type: keyword + ocsf.file_result.product.version: - description: - "The version of the product, as defined by the event source. For example: - 2013.1.3-beta." + description: 'The version of the product, as defined by the event source. For example: + 2013.1.3-beta.' name: ocsf.file_result.product.version type: keyword + ocsf.file_result.security_descriptor: description: The object security descriptor. name: ocsf.file_result.security_descriptor type: keyword + ocsf.file_result.signature.algorithm: - description: - The digital signature algorithm used to create the signature, normalized + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.file_result.signature.algorithm type: keyword + ocsf.file_result.signature.algorithm_id: description: The identifier of the normalized digital signature algorithm. name: ocsf.file_result.signature.algorithm_id type: keyword + ocsf.file_result.signature.certificate.created_time: description: The time when the certificate was created. name: ocsf.file_result.signature.certificate.created_time type: date + ocsf.file_result.signature.certificate.created_time_dt: description: The time when the certificate was created. name: ocsf.file_result.signature.certificate.created_time_dt type: date + ocsf.file_result.signature.certificate.expiration_time: description: The expiration time of the certificate. name: ocsf.file_result.signature.certificate.expiration_time type: date + ocsf.file_result.signature.certificate.expiration_time_dt: description: The expiration time of the certificate. 
name: ocsf.file_result.signature.certificate.expiration_time_dt type: date + ocsf.file_result.signature.certificate.fingerprints.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.file_result.signature.certificate.fingerprints.algorithm type: keyword + ocsf.file_result.signature.certificate.fingerprints.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. name: ocsf.file_result.signature.certificate.fingerprints.algorithm_id type: keyword + ocsf.file_result.signature.certificate.fingerprints.value: description: The digital fingerprint value. name: ocsf.file_result.signature.certificate.fingerprints.value type: keyword + ocsf.file_result.signature.certificate.issuer: description: The certificate issuer distinguished name. name: ocsf.file_result.signature.certificate.issuer type: keyword + ocsf.file_result.signature.certificate.serial_number: description: The serial number of the certificate used to create the digital signature. name: ocsf.file_result.signature.certificate.serial_number type: keyword + ocsf.file_result.signature.certificate.subject: description: The certificate subject distinguished name. name: ocsf.file_result.signature.certificate.subject type: keyword + ocsf.file_result.signature.certificate.version: description: The certificate version. name: ocsf.file_result.signature.certificate.version type: keyword + ocsf.file_result.signature.created_time: description: The time when the digital signature was created. 
name: ocsf.file_result.signature.created_time type: date + ocsf.file_result.signature.created_time_dt: description: The time when the digital signature was created. name: ocsf.file_result.signature.created_time_dt type: date + ocsf.file_result.signature.developer_uid: description: The developer ID on the certificate that signed the file. name: ocsf.file_result.signature.developer_uid type: keyword + ocsf.file_result.signature.digest.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.file_result.signature.digest.algorithm type: keyword + ocsf.file_result.signature.digest.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. name: ocsf.file_result.signature.digest.algorithm_id type: keyword + ocsf.file_result.signature.digest.value: description: The digital fingerprint value. name: ocsf.file_result.signature.digest.value type: keyword + ocsf.file_result.size: description: The size of data, in bytes. name: ocsf.file_result.size type: long + ocsf.file_result.type: description: The file type. name: ocsf.file_result.type type: keyword + ocsf.file_result.type_id: description: The file type ID. name: ocsf.file_result.type_id type: keyword + ocsf.file_result.uid: - description: - The unique identifier of the file as defined by the storage system, + description: The unique identifier of the file as defined by the storage system, such the file system file ID. name: ocsf.file_result.uid type: keyword + ocsf.file_result.version: - description: "The file version. For example: 8.0.7601.17514." + description: 'The file version. For example: 8.0.7601.17514.' 
name: ocsf.file_result.version type: keyword + ocsf.file_result.xattributes: - description: - An unordered collection of zero or more name/value pairs where each + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. name: ocsf.file_result.xattributes type: keyword + ocsf.finding.created_time_dt: description: The time when the finding was created. name: ocsf.finding.created_time_dt type: date + ocsf.finding.desc: description: The description of the reported finding. name: ocsf.finding.desc type: keyword + ocsf.finding.first_seen_time: description: The time when the finding was first observed. name: ocsf.finding.first_seen_time type: date + ocsf.finding.first_seen_time_dt: description: The time when the finding was first observed. name: ocsf.finding.first_seen_time_dt type: date + ocsf.finding.last_seen_time: description: The time when the finding was most recently observed. name: ocsf.finding.last_seen_time type: date + ocsf.finding.last_seen_time_dt: description: The time when the finding was most recently observed. name: ocsf.finding.last_seen_time_dt type: date + ocsf.finding.modified_time: description: The time when the finding was last modified. name: ocsf.finding.modified_time type: date + ocsf.finding.modified_time_dt: description: The time when the finding was last modified. name: ocsf.finding.modified_time_dt type: date + ocsf.finding.product_uid: description: The unique identifier of the product that reported the finding. name: ocsf.finding.product_uid type: keyword + ocsf.finding.related_events.product_uid: description: The unique identifier of the product that reported the related event. name: ocsf.finding.related_events.product_uid type: keyword + ocsf.finding.related_events.type: - description: "The type of the related event. For example: Process Activity: Launch." + description: 'The type of the related event. For example: Process Activity: Launch.' 
name: ocsf.finding.related_events.type type: keyword + ocsf.finding.related_events.type_uid: - description: "The unique identifier of the related event type. For example: 100701." + description: 'The unique identifier of the related event type. For example: 100701.' name: ocsf.finding.related_events.type_uid type: keyword + ocsf.finding.related_events.uid: description: The unique identifier of the related event. name: ocsf.finding.related_events.uid type: keyword + ocsf.finding.remediation.desc: description: The description of the remediation strategy. name: ocsf.finding.remediation.desc type: keyword + ocsf.finding.remediation.kb_articles: description: The KB article/s related to the entity. name: ocsf.finding.remediation.kb_articles type: keyword + ocsf.finding.supporting_data: description: Additional data supporting a finding as provided by security tool. name: ocsf.finding.supporting_data type: keyword + ocsf.finding.title: description: The title of the reported finding. name: ocsf.finding.title type: keyword + ocsf.finding.types: description: One or more types of the reported finding. name: ocsf.finding.types type: keyword + ocsf.finding.uid: description: The unique identifier of the reported finding. name: ocsf.finding.uid type: keyword + ocsf.group.desc: description: The group description. name: ocsf.group.desc type: keyword + ocsf.group.privileges: description: The group privileges. name: ocsf.group.privileges type: keyword + ocsf.group.type: description: The type of the group or account. name: ocsf.group.type type: keyword + ocsf.http_request.args: description: The arguments sent along with the HTTP request. name: ocsf.http_request.args type: keyword + ocsf.http_request.http_headers.name: description: The name of the header. name: ocsf.http_request.http_headers.name type: keyword + ocsf.http_request.http_headers.value: description: The value of the header. 
name: ocsf.http_request.http_headers.value type: keyword + ocsf.http_request.url.categories: description: The Website categorization names, as defined by category_ids enum values. name: ocsf.http_request.url.categories type: keyword + ocsf.http_request.url.category_ids: description: The Website categorization identifies. name: ocsf.http_request.url.category_ids type: keyword + ocsf.http_request.url.resource_type: description: The context in which a resource was retrieved in a web request. name: ocsf.http_request.url.resource_type type: keyword + ocsf.http_request.x_forwarded_for: - description: - The X-Forwarded-For header identifying the originating IP address(es) + description: The X-Forwarded-For header identifying the originating IP address(es) of a client connecting to a web server through an HTTP proxy or a load balancer. name: ocsf.http_request.x_forwarded_for type: ip + ocsf.http_response.content_type: - description: - The request header that identifies the original media type of the resource + description: The request header that identifies the original media type of the resource (prior to any content encoding applied for sending). name: ocsf.http_response.content_type type: keyword + ocsf.http_response.latency: description: The HTTP response latency. In seconds, milliseconds, etc. name: ocsf.http_response.latency type: long + ocsf.http_response.status: description: The response status. name: ocsf.http_response.status type: keyword + ocsf.http_status: - description: - The Hypertext Transfer Protocol (HTTP) status code returned to the + description: The Hypertext Transfer Protocol (HTTP) status code returned to the client. name: ocsf.http_status type: long + ocsf.identifier_cookie: description: The client identifier cookie during client/server exchange. name: ocsf.identifier_cookie type: keyword + ocsf.impact: - description: - The impact , normalized to the caption of the impact_id value. 
In the + description: The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source. name: ocsf.impact type: keyword + ocsf.impact_id: description: The normalized impact of the finding. name: ocsf.impact_id type: keyword + ocsf.impact_score: description: The impact of the finding, valid range 0-100. name: ocsf.impact_score type: long + ocsf.injection_type: - description: - The process injection method, normalized to the caption of the injection_type_id + description: The process injection method, normalized to the caption of the injection_type_id value. In the case of 'Other', it is defined by the event source. name: ocsf.injection_type type: keyword + ocsf.injection_type_id: description: The normalized identifier of the process injection method. name: ocsf.injection_type_id type: keyword + ocsf.is_cleartext: - description: - "Indicates whether the credentials were passed in clear text.Note: + description: 'Indicates whether the credentials were passed in clear text.Note: True if the credentials were passed in a clear text protocol such as FTP or TELNET, - or if Windows detected that a user's logon password was passed to the authentication - package in clear text." + or if Windows detected that a user''s logon password was passed to the authentication + package in clear text.' name: ocsf.is_cleartext type: boolean + ocsf.is_mfa: description: Indicates whether Multi Factor Authentication was used during authentication. name: ocsf.is_mfa type: boolean + ocsf.is_new_logon: - description: - Indicates logon is from a device not seen before or a first time account + description: Indicates logon is from a device not seen before or a first time account logon. name: ocsf.is_new_logon type: boolean + ocsf.is_remote: description: The attempted authentication is over a remote connection. name: ocsf.is_remote type: boolean + ocsf.is_renewal: description: The indication of whether this is a lease/session renewal event. 
name: ocsf.is_renewal type: boolean + ocsf.kernel.is_system: description: The indication of whether the object is part of the operating system. name: ocsf.kernel.is_system type: boolean + ocsf.kernel.name: description: The name of the kernel resource. name: ocsf.kernel.name type: keyword + ocsf.kernel.path: description: The full path of the kernel resource. name: ocsf.kernel.path type: keyword + ocsf.kernel.system_call: description: The system call that was invoked. name: ocsf.kernel.system_call type: keyword + ocsf.kernel.type: description: The type of the kernel resource. name: ocsf.kernel.type type: keyword + ocsf.kernel.type_id: description: The type id of the kernel resource. name: ocsf.kernel.type_id type: keyword + ocsf.kill_chain.phase: description: The cyber kill chain phase. name: ocsf.kill_chain.phase type: keyword + ocsf.kill_chain.phase_id: description: The cyber kill chain phase identifier. name: ocsf.kill_chain.phase_id type: keyword + ocsf.lease_dur: - description: - This represents the length of the DHCP lease in seconds. This is present + description: This represents the length of the DHCP lease in seconds. This is present in DHCP Ack events. (activity_id = 1) name: ocsf.lease_dur type: long + ocsf.logon_type: - description: - The logon type, normalized to the caption of the logon_type_id value. + description: The logon type, normalized to the caption of the logon_type_id value. In the case of 'Other', it is defined by the event source. name: ocsf.logon_type type: keyword + ocsf.logon_type_id: description: The normalized logon type identifier name: ocsf.logon_type_id type: keyword + ocsf.malware.classification_ids: description: The list of normalized identifiers of the malware classifications. 
name: ocsf.malware.classification_ids type: keyword + ocsf.malware.classifications: - description: - The list of malware classifications, normalized to the captions of + description: The list of malware classifications, normalized to the captions of the classification_id values. In the case of 'Other', they are defined by the event source. name: ocsf.malware.classifications type: keyword + ocsf.malware.cves.created_time: - description: - The Record Creation Date identifies when the CVE ID was issued to a + description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. name: ocsf.malware.cves.created_time type: date + ocsf.malware.cves.created_time_dt: - description: - The Record Creation Date identifies when the CVE ID was issued to a + description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. name: ocsf.malware.cves.created_time_dt type: date + ocsf.malware.cves.cvss.base_score: description: The CVSS base score. name: ocsf.malware.cves.cvss.base_score type: keyword + ocsf.malware.cves.cvss.depth: - description: - The CVSS depth represents a depth of the equation used to calculate + description: The CVSS depth represents a depth of the equation used to calculate CVSS score. name: ocsf.malware.cves.cvss.depth type: keyword + ocsf.malware.cves.cvss.metrics.name: description: The name of the metric. 
name: ocsf.malware.cves.cvss.metrics.name type: keyword + ocsf.malware.cves.cvss.metrics.value: description: The value of the metric. name: ocsf.malware.cves.cvss.metrics.value type: keyword + ocsf.malware.cves.cvss.overall_score: - description: - The CVSS overall score, impacted by base, temporal, and environmental + description: The CVSS overall score, impacted by base, temporal, and environmental metrics. name: ocsf.malware.cves.cvss.overall_score type: keyword + ocsf.malware.cves.cvss.severity: - description: - The Common Vulnerability Scoring System (CVSS) Qualitative Severity + description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score. name: ocsf.malware.cves.cvss.severity type: keyword + ocsf.malware.cves.cvss.vector_string: - description: - "The CVSS vector string is a text representation of a set of CVSS metrics. + description: 'The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise - form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H." + form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.' name: ocsf.malware.cves.cvss.vector_string type: keyword + ocsf.malware.cves.cvss.version: description: The CVSS version. name: ocsf.malware.cves.cvss.version type: keyword + ocsf.malware.cves.cwe_uid: - description: - "The Common Weakness Enumeration (CWE) unique identifier. For example: - CWE-787." + description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: + CWE-787.' name: ocsf.malware.cves.cwe_uid type: keyword + ocsf.malware.cves.cwe_url: description: Common Weakness Enumeration (CWE) definition URL. name: ocsf.malware.cves.cwe_url type: keyword + ocsf.malware.cves.modified_time: description: The Record Modified Date identifies when the CVE record was last updated. 
name: ocsf.malware.cves.modified_time type: date + ocsf.malware.cves.modified_time_dt: description: The Record Modified Date identifies when the CVE record was last updated. name: ocsf.malware.cves.modified_time_dt type: date + ocsf.malware.cves.product.feature.name: description: The name of the feature. name: ocsf.malware.cves.product.feature.name type: keyword + ocsf.malware.cves.product.feature.uid: description: The unique identifier of the feature. name: ocsf.malware.cves.product.feature.uid type: keyword + ocsf.malware.cves.product.feature.version: description: The version of the feature. name: ocsf.malware.cves.product.feature.version type: keyword + ocsf.malware.cves.product.lang: description: The two letter lower case language codes, as defined by ISO 639-1. name: ocsf.malware.cves.product.lang type: keyword + ocsf.malware.cves.product.name: description: The name of the product. name: ocsf.malware.cves.product.name type: keyword + ocsf.malware.cves.product.path: description: The installation path of the product. name: ocsf.malware.cves.product.path type: keyword + ocsf.malware.cves.product.uid: description: The unique identifier of the product. name: ocsf.malware.cves.product.uid type: keyword + ocsf.malware.cves.product.url_string: description: The URL pointing towards the product. name: ocsf.malware.cves.product.url_string type: keyword + ocsf.malware.cves.product.vendor_name: description: The name of the vendor of the product. name: ocsf.malware.cves.product.vendor_name type: keyword + ocsf.malware.cves.product.version: - description: - "The version of the product, as defined by the event source. For example: - 2013.1.3-beta." + description: 'The version of the product, as defined by the event source. For example: + 2013.1.3-beta.' 
name: ocsf.malware.cves.product.version type: keyword + ocsf.malware.cves.type: - description: - The vulnerability type as selected from a large dropdown menu during + description: The vulnerability type as selected from a large dropdown menu during CVE refinement. name: ocsf.malware.cves.type type: keyword + ocsf.malware.cves.uid: - description: - "The Common Vulnerabilities and Exposures unique number assigned to + description: 'The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For - example: CVE-2021-12345." + example: CVE-2021-12345.' name: ocsf.malware.cves.uid type: keyword + ocsf.malware.name: description: The malware name, as reported by the detection engine. name: ocsf.malware.name type: keyword + ocsf.malware.path: description: The filesystem path of the malware that was observed. name: ocsf.malware.path type: keyword + ocsf.malware.provider: description: The provider of the malware information. name: ocsf.malware.provider type: keyword + ocsf.malware.uid: - description: - The malware unique identifier, as reported by the detection engine. + description: The malware unique identifier, as reported by the detection engine. For example a virus id or an IPS signature id. name: ocsf.malware.uid type: keyword + ocsf.metadata.correlation_uid: description: The unique identifier used to correlate events. name: ocsf.metadata.correlation_uid type: keyword + ocsf.metadata.extension.name: - description: "The schema extension name. For example: dev." + description: 'The schema extension name. For example: dev.' name: ocsf.metadata.extension.name type: keyword + ocsf.metadata.extension.uid: - description: "The schema extension unique identifier. For example: 999." + description: 'The schema extension unique identifier. For example: 999.' 
name: ocsf.metadata.extension.uid type: keyword + ocsf.metadata.extension.version: - description: "The schema extension version. For example: 1.0.0-alpha.2." + description: 'The schema extension version. For example: 1.0.0-alpha.2.' name: ocsf.metadata.extension.version type: keyword + ocsf.metadata.log_name: - description: - "The event log name. For example, syslog file name or Windows logging - subsystem: Security." + description: 'The event log name. For example, syslog file name or Windows logging + subsystem: Security.' name: ocsf.metadata.log_name type: keyword + ocsf.metadata.log_version: - description: - The event log schema version that specifies the format of the original + description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. name: ocsf.metadata.log_version type: keyword + ocsf.metadata.logged_time: - description: - The time when the logging system collected and logged the event. This + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. name: ocsf.metadata.logged_time type: date + ocsf.metadata.logged_time_dt: - description: - The time when the logging system collected and logged the event. This + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. name: ocsf.metadata.logged_time_dt type: date + ocsf.metadata.modified_time: description: The time when the event was last modified or enriched. name: ocsf.metadata.modified_time type: date + ocsf.metadata.modified_time_dt: description: The time when the event was last modified or enriched. 
name: ocsf.metadata.modified_time_dt type: date + ocsf.metadata.original_time: - description: - The original event time as reported by the event source. For example, + description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. name: ocsf.metadata.original_time type: keyword + ocsf.metadata.processed_time: description: The event processed time, such as an ETL operation. name: ocsf.metadata.processed_time type: date + ocsf.metadata.processed_time_dt: description: The event processed time, such as an ETL operation. name: ocsf.metadata.processed_time_dt type: date + ocsf.metadata.product.feature.name: description: The name of the feature. name: ocsf.metadata.product.feature.name type: keyword + ocsf.metadata.product.feature.uid: description: The unique identifier of the feature. name: ocsf.metadata.product.feature.uid type: keyword + ocsf.metadata.product.feature.version: description: The version of the feature. name: ocsf.metadata.product.feature.version type: keyword + ocsf.metadata.product.lang: - description: - "The two letter lowercase language codes, as defined by ISO 639-1. - For example: en (English), de (German), or fr (French)." + description: 'The two letter lowercase language codes, as defined by ISO 639-1. + For example: en (English), de (German), or fr (French).' name: ocsf.metadata.product.lang type: keyword + ocsf.metadata.product.name: description: The name of the product. name: ocsf.metadata.product.name type: keyword + ocsf.metadata.product.path: description: The installation path of the product. name: ocsf.metadata.product.path type: keyword + ocsf.metadata.product.uid: description: The unique identifier of the product. name: ocsf.metadata.product.uid type: keyword + ocsf.metadata.product.url_string: description: The URL pointing towards the product. 
name: ocsf.metadata.product.url_string type: keyword + ocsf.metadata.product.version: - description: - "The version of the product, as defined by the event source. For example: - 2013.1.3-beta." + description: 'The version of the product, as defined by the event source. For example: + 2013.1.3-beta.' name: ocsf.metadata.product.version type: keyword + ocsf.metadata.profiles: description: The list of profiles used to create the event. name: ocsf.metadata.profiles type: keyword + ocsf.metadata.version: - description: - "The version of the OCSF schema, using Semantic Versioning Specification + description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the - available event attributes." + available event attributes.' name: ocsf.metadata.version type: keyword + ocsf.module.base_address: description: The memory address where the module was loaded. name: ocsf.module.base_address type: keyword + ocsf.module.file.accessed_time_dt: description: The time when the file was last accessed. name: ocsf.module.file.accessed_time_dt type: date + ocsf.module.file.accessor.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.module.file.accessor.account.name type: keyword + ocsf.module.file.accessor.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.module.file.accessor.account.type type: keyword + ocsf.module.file.accessor.account.type_id: description: The normalized account type identifier. name: ocsf.module.file.accessor.account.type_id type: keyword + ocsf.module.file.accessor.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). 
name: ocsf.module.file.accessor.account.uid type: keyword + ocsf.module.file.accessor.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.module.file.accessor.credential_uid type: keyword + ocsf.module.file.accessor.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.module.file.accessor.domain type: keyword + ocsf.module.file.accessor.email_addr: description: The user's email address. name: ocsf.module.file.accessor.email_addr type: keyword + ocsf.module.file.accessor.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.module.file.accessor.full_name type: keyword + ocsf.module.file.accessor.groups.desc: description: The group description. name: ocsf.module.file.accessor.groups.desc type: keyword + ocsf.module.file.accessor.groups.name: description: The group name. name: ocsf.module.file.accessor.groups.name type: keyword + ocsf.module.file.accessor.groups.privileges: description: The group privileges. name: ocsf.module.file.accessor.groups.privileges type: keyword + ocsf.module.file.accessor.groups.type: description: The type of the group or account. name: ocsf.module.file.accessor.groups.type type: keyword + ocsf.module.file.accessor.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.module.file.accessor.groups.uid type: keyword + ocsf.module.file.accessor.name: description: The username. 
For example, janedoe1. name: ocsf.module.file.accessor.name type: keyword + ocsf.module.file.accessor.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.module.file.accessor.org.name type: keyword + ocsf.module.file.accessor.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.module.file.accessor.org.ou_name type: keyword + ocsf.module.file.accessor.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.module.file.accessor.org.ou_uid type: keyword + ocsf.module.file.accessor.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.module.file.accessor.org.uid type: keyword + ocsf.module.file.accessor.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.module.file.accessor.type type: keyword + ocsf.module.file.accessor.type_id: description: The account type identifier. name: ocsf.module.file.accessor.type_id type: keyword + ocsf.module.file.accessor.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. name: ocsf.module.file.accessor.uid type: keyword + ocsf.module.file.accessor.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
name: ocsf.module.file.accessor.uid_alt type: keyword + ocsf.module.file.attributes: description: The Bitmask value that represents the file attributes. name: ocsf.module.file.attributes type: long + ocsf.module.file.company_name: - description: - "The name of the company that published the file. For example: Microsoft - Corporation." + description: 'The name of the company that published the file. For example: Microsoft + Corporation.' name: ocsf.module.file.company_name type: keyword + ocsf.module.file.confidentiality: - description: - The file content confidentiality, normalized to the confidentiality_id + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. name: ocsf.module.file.confidentiality type: keyword + ocsf.module.file.confidentiality_id: description: The normalized identifier of the file content confidentiality indicator. name: ocsf.module.file.confidentiality_id type: keyword + ocsf.module.file.created_time_dt: description: The time when the file was created. name: ocsf.module.file.created_time_dt type: date + ocsf.module.file.creator.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.module.file.creator.account.name type: keyword + ocsf.module.file.creator.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.module.file.creator.account.type type: keyword + ocsf.module.file.creator.account.type_id: description: The normalized account type identifier. name: ocsf.module.file.creator.account.type_id type: keyword + ocsf.module.file.creator.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). 
name: ocsf.module.file.creator.account.uid type: keyword + ocsf.module.file.creator.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.module.file.creator.credential_uid type: keyword + ocsf.module.file.creator.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.module.file.creator.domain type: keyword + ocsf.module.file.creator.email_addr: description: The user's email address. name: ocsf.module.file.creator.email_addr type: keyword + ocsf.module.file.creator.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.module.file.creator.full_name type: keyword + ocsf.module.file.creator.groups.desc: description: The group description. name: ocsf.module.file.creator.groups.desc type: keyword + ocsf.module.file.creator.groups.name: description: The group name. name: ocsf.module.file.creator.groups.name type: keyword + ocsf.module.file.creator.groups.privileges: description: The group privileges. name: ocsf.module.file.creator.groups.privileges type: keyword + ocsf.module.file.creator.groups.type: description: The type of the group or account. name: ocsf.module.file.creator.groups.type type: keyword + ocsf.module.file.creator.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.module.file.creator.groups.uid type: keyword + ocsf.module.file.creator.name: description: The username. For example, janedoe1. 
name: ocsf.module.file.creator.name type: keyword + ocsf.module.file.creator.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.module.file.creator.org.name type: keyword + ocsf.module.file.creator.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.module.file.creator.org.ou_name type: keyword + ocsf.module.file.creator.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.module.file.creator.org.ou_uid type: keyword + ocsf.module.file.creator.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.module.file.creator.org.uid type: keyword + ocsf.module.file.creator.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.module.file.creator.type type: keyword + ocsf.module.file.creator.type_id: description: The account type identifier. name: ocsf.module.file.creator.type_id type: keyword + ocsf.module.file.creator.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. name: ocsf.module.file.creator.uid type: keyword + ocsf.module.file.creator.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
name: ocsf.module.file.creator.uid_alt type: keyword + ocsf.module.file.desc: - description: - "The description of the file, as returned by file system. For example: - the description as returned by the Unix file command or the Windows file type." + description: 'The description of the file, as returned by file system. For example: + the description as returned by the Unix file command or the Windows file type.' name: ocsf.module.file.desc type: keyword + ocsf.module.file.is_system: description: The indication of whether the object is part of the operating system. name: ocsf.module.file.is_system type: boolean + ocsf.module.file.modified_time_dt: description: The time when the file was last modified. name: ocsf.module.file.modified_time_dt type: date + ocsf.module.file.modifier.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.module.file.modifier.account.name type: keyword + ocsf.module.file.modifier.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.module.file.modifier.account.type type: keyword + ocsf.module.file.modifier.account.type_id: description: The normalized account type identifier. name: ocsf.module.file.modifier.account.type_id type: keyword + ocsf.module.file.modifier.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.module.file.modifier.account.uid type: keyword + ocsf.module.file.modifier.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.module.file.modifier.credential_uid type: keyword + ocsf.module.file.modifier.domain: - description: - "The domain where the user is defined. 
For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.module.file.modifier.domain type: keyword + ocsf.module.file.modifier.email_addr: description: The user's email address. name: ocsf.module.file.modifier.email_addr type: keyword + ocsf.module.file.modifier.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.module.file.modifier.full_name type: keyword + ocsf.module.file.modifier.groups.desc: description: The group description. name: ocsf.module.file.modifier.groups.desc type: keyword + ocsf.module.file.modifier.groups.name: description: The group name. name: ocsf.module.file.modifier.groups.name type: keyword + ocsf.module.file.modifier.groups.privileges: description: The group privileges. name: ocsf.module.file.modifier.groups.privileges type: keyword + ocsf.module.file.modifier.groups.type: description: The type of the group or account. name: ocsf.module.file.modifier.groups.type type: keyword + ocsf.module.file.modifier.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.module.file.modifier.groups.uid type: keyword + ocsf.module.file.modifier.name: description: The username. For example, janedoe1. name: ocsf.module.file.modifier.name type: keyword + ocsf.module.file.modifier.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.module.file.modifier.org.name type: keyword + ocsf.module.file.modifier.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. 
For example, Finance, IT, R&D. name: ocsf.module.file.modifier.org.ou_name type: keyword + ocsf.module.file.modifier.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.module.file.modifier.org.ou_uid type: keyword + ocsf.module.file.modifier.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.module.file.modifier.org.uid type: keyword + ocsf.module.file.modifier.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.module.file.modifier.type type: keyword + ocsf.module.file.modifier.type_id: description: The account type identifier. name: ocsf.module.file.modifier.type_id type: keyword + ocsf.module.file.modifier.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. name: ocsf.module.file.modifier.uid type: keyword + ocsf.module.file.modifier.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.module.file.modifier.uid_alt type: keyword + ocsf.module.file.owner.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.module.file.owner.account.name type: keyword + ocsf.module.file.owner.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
name: ocsf.module.file.owner.account.type type: keyword + ocsf.module.file.owner.account.type_id: description: The normalized account type identifier. name: ocsf.module.file.owner.account.type_id type: keyword + ocsf.module.file.owner.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.module.file.owner.account.uid type: keyword + ocsf.module.file.owner.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.module.file.owner.credential_uid type: keyword + ocsf.module.file.owner.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.module.file.owner.domain type: keyword + ocsf.module.file.owner.email_addr: description: The user's email address. name: ocsf.module.file.owner.email_addr type: keyword + ocsf.module.file.owner.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.module.file.owner.full_name type: keyword + ocsf.module.file.owner.groups.desc: description: The group description. name: ocsf.module.file.owner.groups.desc type: keyword + ocsf.module.file.owner.groups.name: description: The group name. name: ocsf.module.file.owner.groups.name type: keyword + ocsf.module.file.owner.groups.privileges: description: The group privileges. name: ocsf.module.file.owner.groups.privileges type: keyword + ocsf.module.file.owner.groups.type: description: The type of the group or account. name: ocsf.module.file.owner.groups.type type: keyword + ocsf.module.file.owner.groups.uid: - description: - The unique identifier of the group. 
For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.module.file.owner.groups.uid type: keyword + ocsf.module.file.owner.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.module.file.owner.org.name type: keyword + ocsf.module.file.owner.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.module.file.owner.org.ou_name type: keyword + ocsf.module.file.owner.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.module.file.owner.org.ou_uid type: keyword + ocsf.module.file.owner.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.module.file.owner.org.uid type: keyword + ocsf.module.file.owner.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.module.file.owner.type type: keyword + ocsf.module.file.owner.type_id: description: The account type identifier. name: ocsf.module.file.owner.type_id type: keyword + ocsf.module.file.owner.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.module.file.owner.uid_alt type: keyword + ocsf.module.file.product.feature.name: description: The name of the feature. 
name: ocsf.module.file.product.feature.name type: keyword + ocsf.module.file.product.feature.uid: description: The unique identifier of the feature. name: ocsf.module.file.product.feature.uid type: keyword + ocsf.module.file.product.feature.version: description: The version of the feature. name: ocsf.module.file.product.feature.version type: keyword + ocsf.module.file.product.lang: - description: - "The two letter lower case language codes, as defined by ISO 639-1. - For example: en (English), de (German), or fr (French)." + description: 'The two letter lower case language codes, as defined by ISO 639-1. + For example: en (English), de (German), or fr (French).' name: ocsf.module.file.product.lang type: keyword + ocsf.module.file.product.name: description: The name of the product. name: ocsf.module.file.product.name type: keyword + ocsf.module.file.product.path: description: The installation path of the product. name: ocsf.module.file.product.path type: keyword + ocsf.module.file.product.uid: description: The unique identifier of the product. name: ocsf.module.file.product.uid type: keyword + ocsf.module.file.product.vendor_name: description: The name of the vendor of the product. name: ocsf.module.file.product.vendor_name type: keyword + ocsf.module.file.product.version: - description: - "The version of the product, as defined by the event source. For example: - 2013.1.3-beta." + description: 'The version of the product, as defined by the event source. For example: + 2013.1.3-beta.' name: ocsf.module.file.product.version type: keyword + ocsf.module.file.security_descriptor: description: The object security descriptor. name: ocsf.module.file.security_descriptor type: keyword + ocsf.module.file.signature.algorithm: - description: - The digital signature algorithm used to create the signature, normalized + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. name: ocsf.module.file.signature.algorithm type: keyword + ocsf.module.file.signature.algorithm_id: description: The identifier of the normalized digital signature algorithm. name: ocsf.module.file.signature.algorithm_id type: keyword + ocsf.module.file.signature.certificate.created_time: description: The time when the certificate was created. name: ocsf.module.file.signature.certificate.created_time type: date + ocsf.module.file.signature.certificate.created_time_dt: description: The time when the certificate was created. name: ocsf.module.file.signature.certificate.created_time_dt type: date + ocsf.module.file.signature.certificate.expiration_time_dt: description: The expiration time of the certificate. name: ocsf.module.file.signature.certificate.expiration_time_dt type: date + ocsf.module.file.signature.certificate.fingerprints.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.module.file.signature.certificate.fingerprints.algorithm type: keyword + ocsf.module.file.signature.certificate.fingerprints.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. name: ocsf.module.file.signature.certificate.fingerprints.algorithm_id type: keyword + ocsf.module.file.signature.certificate.fingerprints.value: description: The digital fingerprint value. name: ocsf.module.file.signature.certificate.fingerprints.value type: keyword + ocsf.module.file.signature.created_time: description: The time when the digital signature was created. 
name: ocsf.module.file.signature.created_time type: date + ocsf.module.file.signature.created_time_dt: description: The time when the digital signature was created. name: ocsf.module.file.signature.created_time_dt type: date + ocsf.module.file.signature.developer_uid: description: The developer ID on the certificate that signed the file. name: ocsf.module.file.signature.developer_uid type: keyword + ocsf.module.file.signature.digest.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.module.file.signature.digest.algorithm type: keyword + ocsf.module.file.signature.digest.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. name: ocsf.module.file.signature.digest.algorithm_id type: keyword + ocsf.module.file.signature.digest.value: description: The digital fingerprint value. name: ocsf.module.file.signature.digest.value type: keyword + ocsf.module.file.type_id: description: The file type ID. name: ocsf.module.file.type_id type: keyword + ocsf.module.file.version: - description: "The file version. For example: 8.0.7601.17514." + description: 'The file version. For example: 8.0.7601.17514.' name: ocsf.module.file.version type: keyword + ocsf.module.file.xattributes: - description: - An unordered collection of zero or more name/value pairs where each + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. name: ocsf.module.file.xattributes type: keyword + ocsf.module.function_name: - description: - The entry-point function of the module. 
The system calls the entry-point + description: The entry-point function of the module. The system calls the entry-point function whenever a process or thread loads or unloads the module. name: ocsf.module.function_name type: keyword + ocsf.module.load_type: - description: - The load type, normalized to the caption of the load_type_id value. + description: The load type, normalized to the caption of the load_type_id value. In the case of 'Other', it is defined by the event source. It describes how the module was loaded in memory. name: ocsf.module.load_type type: keyword + ocsf.module.load_type_id: - description: - The normalized identifier of the load type. It identifies how the module + description: The normalized identifier of the load type. It identifies how the module was loaded in memory. name: ocsf.module.load_type_id type: keyword + ocsf.module.start_address: description: The start address of the execution. name: ocsf.module.start_address type: keyword + ocsf.module.type: description: The module type. name: ocsf.module.type type: keyword + ocsf.name: description: The name of the data affiliated with the command. name: ocsf.name type: keyword + ocsf.nist: - description: - The NIST Cybersecurity Framework recommendations for managing the cybersecurity + description: The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk. name: ocsf.nist type: keyword + ocsf.observables.name: - description: - "The full name of the observable attribute. The name is a pointer/reference - to an attribute within the event data. For example: file.name." + description: 'The full name of the observable attribute. The name is a pointer/reference + to an attribute within the event data. For example: file.name.' name: ocsf.observables.name type: keyword + ocsf.observables.reputation.base_score: description: The reputation score as reported by the event source. 
name: ocsf.observables.reputation.base_score type: keyword + ocsf.observables.reputation.provider: description: The provider of the reputation information. name: ocsf.observables.reputation.provider type: keyword + ocsf.observables.reputation.score: - description: - The reputation score, normalized to the caption of the score_id value. + description: The reputation score, normalized to the caption of the score_id value. In the case of 'Other', it is defined by the event source. name: ocsf.observables.reputation.score type: keyword + ocsf.observables.reputation.score_id: description: The normalized reputation score identifier. name: ocsf.observables.reputation.score_id type: keyword + ocsf.observables.type: description: The observable value type name. name: ocsf.observables.type type: keyword + ocsf.observables.type_id: description: The observable value type identifier. name: ocsf.observables.type_id type: keyword + ocsf.observables.value: description: The value associated with the observable attribute. name: ocsf.observables.value type: keyword + ocsf.open_type: description: Indicates how the file was opened (e.g. normal, delete on close). name: ocsf.open_type type: keyword + ocsf.port: description: The dynamic port established for impending data transfers. name: ocsf.port type: long + ocsf.privileges: description: The list of sensitive privileges, assigned to the new user session. name: ocsf.privileges type: keyword + ocsf.protocol_ver: description: The Protocol version. name: ocsf.protocol_ver type: keyword + ocsf.proxy.domain: description: The name of the domain. name: ocsf.proxy.domain type: keyword + ocsf.proxy.hostname: description: The fully qualified name of the endpoint. name: ocsf.proxy.hostname type: keyword + ocsf.proxy.instance_uid: description: The unique identifier of a VM instance. name: ocsf.proxy.instance_uid type: keyword + ocsf.proxy.interface_name: description: The name of the network interface (e.g. eth2). 
name: ocsf.proxy.interface_name type: keyword + ocsf.proxy.interface_uid: description: The unique identifier of the network interface. name: ocsf.proxy.interface_uid type: keyword + ocsf.proxy.intermediate_ips: - description: - The intermediate IP Addresses. For example, the IP addresses in the + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. name: ocsf.proxy.intermediate_ips type: ip + ocsf.proxy.ip: description: The IP address of the endpoint, in either IPv4 or IPv6 format. name: ocsf.proxy.ip type: ip + ocsf.proxy.location.city: description: The name of the city. name: ocsf.proxy.location.city type: keyword + ocsf.proxy.location.continent: description: The name of the continent. name: ocsf.proxy.location.continent type: keyword + ocsf.proxy.location.coordinates: - description: - A two-element array, containing a longitude/latitude pair. The format + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. name: ocsf.proxy.location.coordinates type: geo_point + ocsf.proxy.location.country: - description: - The ISO 3166-1 Alpha-2 country code. For the complete list of country + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. name: ocsf.proxy.location.country type: keyword + ocsf.proxy.location.desc: description: The description of the geographical location. name: ocsf.proxy.location.desc type: keyword + ocsf.proxy.location.is_on_premises: description: The indication of whether the location is on premises. name: ocsf.proxy.location.is_on_premises type: boolean + ocsf.proxy.location.isp: description: The name of the Internet Service Provider (ISP). name: ocsf.proxy.location.isp type: keyword + ocsf.proxy.location.postal_code: description: The postal code of the location. 
name: ocsf.proxy.location.postal_code type: keyword + ocsf.proxy.location.provider: description: The provider of the geographical location data. name: ocsf.proxy.location.provider type: keyword + ocsf.proxy.location.region: - description: - The alphanumeric code that identifies the principal subdivision (e.g. + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. name: ocsf.proxy.location.region type: keyword + ocsf.proxy.mac: description: The Media Access Control (MAC) address of the endpoint. name: ocsf.proxy.mac type: keyword + ocsf.proxy.name: description: The short name of the endpoint. name: ocsf.proxy.name type: keyword + ocsf.proxy.port: description: The port used for communication within the network connection. name: ocsf.proxy.port type: long + ocsf.proxy.subnet_uid: description: The unique identifier of a virtual subnet. name: ocsf.proxy.subnet_uid type: keyword + ocsf.proxy.svc_name: - description: - The service name in service-to-service connections. For example, AWS + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. name: ocsf.proxy.svc_name type: keyword + ocsf.proxy.uid: description: The unique identifier of the endpoint. name: ocsf.proxy.uid type: keyword + ocsf.proxy.vlan_uid: description: The Virtual LAN identifier. name: ocsf.proxy.vlan_uid type: keyword + ocsf.proxy.vpc_uid: description: The unique identifier of the Virtual Private Cloud (VPC). name: ocsf.proxy.vpc_uid type: keyword + ocsf.query.opcode: description: The DNS opcode specifies the type of the query message. 
name: ocsf.query.opcode type: keyword + ocsf.query.opcode_id: description: The DNS opcode ID specifies the normalized query message type. name: ocsf.query.opcode_id type: keyword + ocsf.query_time: description: The Domain Name System (DNS) query time. name: ocsf.query_time type: date + ocsf.query_time_dt: description: The Domain Name System (DNS) query time. name: ocsf.query_time_dt type: date + ocsf.raw_data: description: The event data as received from the event source. name: ocsf.raw_data type: keyword + ocsf.raw_data_keyword: - description: "" + description: '' name: ocsf.raw_data_keyword type: keyword + ocsf.rcode_id: description: The normalized identifier of the DNS server response code. name: ocsf.rcode_id type: keyword + ocsf.relay.namespace: - description: - The namespace is useful in merger or acquisition situations. For example, + description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. name: ocsf.relay.namespace type: keyword + ocsf.relay.subnet_prefix: - description: - The subnet prefix length determines the number of bits used to represent + description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet. name: ocsf.relay.subnet_prefix type: long + ocsf.relay.type_id: description: The network interface type identifier. name: ocsf.relay.type_id type: keyword + ocsf.relay.uid: description: The unique identifier for the network interface. name: ocsf.relay.uid type: keyword + ocsf.remote_display.color_depth: description: The numeric color depth. name: ocsf.remote_display.color_depth type: long + ocsf.remote_display.physical_height: description: The numeric physical height of display. 
name: ocsf.remote_display.physical_height type: long + ocsf.remote_display.physical_orientation: description: The numeric physical orientation of display. name: ocsf.remote_display.physical_orientation type: long + ocsf.remote_display.physical_width: description: The numeric physical width of display. name: ocsf.remote_display.physical_width type: long + ocsf.remote_display.scale_factor: description: The numeric scale factor of display. name: ocsf.remote_display.scale_factor type: long + ocsf.request.flags: - description: - The list of communication flags, normalized to the captions of the + description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. name: ocsf.request.flags type: date + ocsf.requested_permissions: description: The permissions mask that were requested by the process. name: ocsf.requested_permissions type: long + ocsf.resource.cloud_partition: - description: - "The canonical cloud partition name to which the region is assigned - (e.g. AWS Partitions: aws, aws-cn, aws-us-gov)." + description: 'The canonical cloud partition name to which the region is assigned + (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' name: ocsf.resource.cloud_partition type: keyword + ocsf.resource.criticality: description: The criticality of the resource as defined by the event source. name: ocsf.resource.criticality type: keyword + ocsf.resource.data: description: Additional data describing the resource. name: ocsf.resource.data type: keyword + ocsf.resource.group.desc: description: The group description. name: ocsf.resource.group.desc type: keyword + ocsf.resource.group.name: description: The group name. name: ocsf.resource.group.name type: keyword + ocsf.resource.group.privileges: description: The group privileges. name: ocsf.resource.group.privileges type: keyword + ocsf.resource.group.type: description: The type of the group or account. 
name: ocsf.resource.group.type type: keyword + ocsf.resource.group.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.resource.group.uid type: keyword + ocsf.resource.labels: description: The list of labels/tags associated to a resource. name: ocsf.resource.labels type: keyword + ocsf.resource.name: description: The name of the resource. name: ocsf.resource.name type: keyword + ocsf.resource.owner.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.resource.owner.account.name type: keyword + ocsf.resource.owner.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.resource.owner.account.type type: keyword + ocsf.resource.owner.account.type_id: description: The normalized account type identifier. name: ocsf.resource.owner.account.type_id type: keyword + ocsf.resource.owner.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.resource.owner.account.uid type: keyword + ocsf.resource.owner.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.resource.owner.credential_uid type: keyword + ocsf.resource.owner.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.resource.owner.domain type: keyword + ocsf.resource.owner.email_addr: description: The user's email address. 
name: ocsf.resource.owner.email_addr type: keyword + ocsf.resource.owner.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.resource.owner.full_name type: keyword + ocsf.resource.owner.groups.desc: description: The group description. name: ocsf.resource.owner.groups.desc type: keyword + ocsf.resource.owner.groups.name: description: The group name. name: ocsf.resource.owner.groups.name type: keyword + ocsf.resource.owner.groups.privileges: description: The group privileges. name: ocsf.resource.owner.groups.privileges type: keyword + ocsf.resource.owner.groups.type: description: The type of the group or account. name: ocsf.resource.owner.groups.type type: keyword + ocsf.resource.owner.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.resource.owner.groups.uid type: keyword + ocsf.resource.owner.name: description: The username. For example, janedoe1. name: ocsf.resource.owner.name type: keyword + ocsf.resource.owner.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.resource.owner.org.name type: keyword + ocsf.resource.owner.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.resource.owner.org.ou_name type: keyword + ocsf.resource.owner.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. 
name: ocsf.resource.owner.org.ou_uid type: keyword + ocsf.resource.owner.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.resource.owner.org.uid type: keyword + ocsf.resource.owner.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.resource.owner.type type: keyword + ocsf.resource.owner.type_id: description: The account type identifier. name: ocsf.resource.owner.type_id type: keyword + ocsf.resource.owner.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. name: ocsf.resource.owner.uid type: keyword + ocsf.resource.owner.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.resource.owner.uid_alt type: keyword + ocsf.resource.region: description: The cloud region of the resource. name: ocsf.resource.region type: keyword + ocsf.resource.type: description: The resource type as defined by the event source. name: ocsf.resource.type type: keyword + ocsf.resource.uid: description: The unique identifier of the resource. name: ocsf.resource.uid type: keyword + ocsf.resource.version: description: The version of the resource. For example 1.2.3. name: ocsf.resource.version type: keyword + ocsf.resources.cloud_partition: - description: - "The canonical cloud partition name to which the region is assigned - (e.g. AWS Partitions: aws, aws-cn, aws-us-gov)." + description: 'The canonical cloud partition name to which the region is assigned + (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' 
name: ocsf.resources.cloud_partition type: keyword + ocsf.resources.criticality: description: The criticality of the resource as defined by the event source. name: ocsf.resources.criticality type: keyword + ocsf.resources.data: description: Additional data describing the resource. name: ocsf.resources.data type: keyword + ocsf.resources.group.desc: description: The group description. name: ocsf.resources.group.desc type: keyword + ocsf.resources.group.name: description: The group name. name: ocsf.resources.group.name type: keyword + ocsf.resources.group.privileges: description: The group privileges. name: ocsf.resources.group.privileges type: keyword + ocsf.resources.group.type: description: The type of the group or account. name: ocsf.resources.group.type type: keyword + ocsf.resources.group.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.resources.group.uid type: keyword + ocsf.resources.labels: description: The list of labels/tags associated to a resource. name: ocsf.resources.labels type: keyword + ocsf.resources.name: description: The name of the resource. name: ocsf.resources.name type: keyword + ocsf.resources.owner.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.resources.owner.account.name type: keyword + ocsf.resources.owner.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.resources.owner.account.type type: keyword + ocsf.resources.owner.account.type_id: description: The normalized account type identifier. 
name: ocsf.resources.owner.account.type_id type: keyword + ocsf.resources.owner.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.resources.owner.account.uid type: keyword + ocsf.resources.owner.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.resources.owner.credential_uid type: keyword + ocsf.resources.owner.domain: - description: - "The domain where the user is defined. For example: the LDAP or Active - Directory domain." + description: 'The domain where the user is defined. For example: the LDAP or Active + Directory domain.' name: ocsf.resources.owner.domain type: keyword + ocsf.resources.owner.email_addr: description: The user's email address. name: ocsf.resources.owner.email_addr type: keyword + ocsf.resources.owner.full_name: - description: - The full name of the person, as per the LDAP Common Name attribute + description: The full name of the person, as per the LDAP Common Name attribute (cn). name: ocsf.resources.owner.full_name type: keyword + ocsf.resources.owner.groups.desc: description: The group description. name: ocsf.resources.owner.groups.desc type: keyword + ocsf.resources.owner.groups.name: description: The group name. name: ocsf.resources.owner.groups.name type: keyword + ocsf.resources.owner.groups.privileges: description: The group privileges. name: ocsf.resources.owner.groups.privileges type: keyword + ocsf.resources.owner.groups.type: description: The type of the group or account. name: ocsf.resources.owner.groups.type type: keyword + ocsf.resources.owner.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. 
name: ocsf.resources.owner.groups.uid type: keyword + ocsf.resources.owner.name: description: The username. For example, janedoe1. name: ocsf.resources.owner.name type: keyword + ocsf.resources.owner.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.resources.owner.org.name type: keyword + ocsf.resources.owner.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.resources.owner.org.ou_name type: keyword + ocsf.resources.owner.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.resources.owner.org.ou_uid type: keyword + ocsf.resources.owner.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.resources.owner.org.uid type: keyword + ocsf.resources.owner.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.resources.owner.type type: keyword + ocsf.resources.owner.type_id: description: The account type identifier. name: ocsf.resources.owner.type_id type: keyword + ocsf.resources.owner.uid: - description: - The unique user identifier. For example, the Windows user SID, ActiveDirectory + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. name: ocsf.resources.owner.uid type: keyword + ocsf.resources.owner.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
name: ocsf.resources.owner.uid_alt type: keyword + ocsf.resources.region: description: The cloud region of the resource. name: ocsf.resources.region type: keyword + ocsf.resources.type: description: The resource type as defined by the event source. name: ocsf.resources.type type: keyword + ocsf.resources.uid: description: The unique identifier of the resource. name: ocsf.resources.uid type: keyword + ocsf.resources.version: description: The version of the resource. For example 1.2.3. name: ocsf.resources.version type: keyword + ocsf.response.error: description: Error Code. name: ocsf.response.error type: keyword + ocsf.response.error_message: description: Error Message. name: ocsf.response.error_message type: keyword + ocsf.response.flags: - description: - The list of communication flags, normalized to the captions of the + description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. name: ocsf.response.flags type: keyword + ocsf.response.message: description: The description of the event, as defined by the event source. name: ocsf.response.message type: keyword + ocsf.response_time: description: The Domain Name System (DNS) response time. name: ocsf.response_time type: date + ocsf.response_time_dt: description: The Domain Name System (DNS) response time. name: ocsf.response_time_dt type: date + ocsf.risk_level: - description: - The risk level, normalized to the caption of the risk_level_id value. + description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. name: ocsf.risk_level type: keyword + ocsf.risk_level_id: description: The normalized risk level id. name: ocsf.risk_level_id type: keyword + ocsf.server_hassh.algorithm: - description: - "The concatenation of key exchange, encryption, authentication and - compression algorithms (separated by ';'). 
NOTE: This is not the underlying - algorithm for the hash implementation." + description: 'The concatenation of key exchange, encryption, authentication and + compression algorithms (separated by '';''). NOTE: This is not the underlying + algorithm for the hash implementation.' name: ocsf.server_hassh.algorithm type: keyword + ocsf.server_hassh.fingerprint.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.server_hassh.fingerprint.algorithm type: keyword + ocsf.server_hassh.fingerprint.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. name: ocsf.server_hassh.fingerprint.algorithm_id type: keyword + ocsf.server_hassh.fingerprint.value: description: The digital fingerprint value. name: ocsf.server_hassh.fingerprint.value type: keyword + ocsf.service.labels: description: The list of labels associated with the service. name: ocsf.service.labels type: keyword + ocsf.session.created_time: description: The time when the session was created. name: ocsf.session.created_time type: date + ocsf.session.created_time_dt: description: The time when the session was created. name: ocsf.session.created_time_dt type: date + ocsf.session.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.session.credential_uid type: keyword + ocsf.session.expiration_time: description: The session expiration time. name: ocsf.session.expiration_time type: date + ocsf.session.expiration_time_dt: description: The session expiration time. 
name: ocsf.session.expiration_time_dt type: date + ocsf.session.is_remote: description: The indication of whether the session is remote. name: ocsf.session.is_remote type: boolean + ocsf.session.issuer: description: The identifier of the session issuer. name: ocsf.session.issuer type: keyword + ocsf.session.mfa: - description: "" + description: '' name: ocsf.session.mfa type: boolean + ocsf.session.uid: description: The unique identifier of the session. name: ocsf.session.uid type: keyword + ocsf.session.uuid: description: The universally unique identifier of the session. name: ocsf.session.uuid type: keyword + ocsf.severity: - description: - The event severity, normalized to the caption of the severity_id value. + description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source. name: ocsf.severity type: keyword + ocsf.share: description: The SMB share name. name: ocsf.share type: keyword + ocsf.share_type: - description: - The SMB share type, normalized to the caption of the share_type_id + description: The SMB share type, normalized to the caption of the share_type_id value. In the case of 'Other', it is defined by the event source. name: ocsf.share_type type: keyword + ocsf.share_type_id: description: The normalized identifier of the SMB share type. name: ocsf.share_type_id type: keyword + ocsf.size: description: The memory size that was access or requested. name: ocsf.size type: long + ocsf.smtp_hello: description: The value of the SMTP HELO or EHLO command sent by the initiator (client). name: ocsf.smtp_hello type: keyword + ocsf.src_endpoint.instance_uid: description: The unique identifier of a VM instance. name: ocsf.src_endpoint.instance_uid type: keyword + ocsf.src_endpoint.interface_name: description: The name of the network interface (e.g. eth2). 
name: ocsf.src_endpoint.interface_name type: keyword + ocsf.src_endpoint.interface_uid: description: The unique identifier of the network interface. name: ocsf.src_endpoint.interface_uid type: keyword + ocsf.src_endpoint.intermediate_ips: - description: - The intermediate IP Addresses. For example, the IP addresses in the + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. name: ocsf.src_endpoint.intermediate_ips type: ip + ocsf.src_endpoint.location.is_on_premises: description: The indication of whether the location is on premises. name: ocsf.src_endpoint.location.is_on_premises type: boolean + ocsf.src_endpoint.location.isp: description: The name of the Internet Service Provider (ISP). name: ocsf.src_endpoint.location.isp type: keyword + ocsf.src_endpoint.location.provider: description: The provider of the geographical location data. name: ocsf.src_endpoint.location.provider type: keyword + ocsf.src_endpoint.name: description: The short name of the endpoint. name: ocsf.src_endpoint.name type: keyword + ocsf.src_endpoint.subnet_uid: description: The unique identifier of a virtual subnet. name: ocsf.src_endpoint.subnet_uid type: keyword + ocsf.src_endpoint.uid: description: The unique identifier of the endpoint. name: ocsf.src_endpoint.uid type: keyword + ocsf.src_endpoint.vlan_uid: description: The Virtual LAN identifier. name: ocsf.src_endpoint.vlan_uid type: keyword + ocsf.src_endpoint.vpc_uid: description: The unique identifier of the Virtual Private Cloud (VPC). name: ocsf.src_endpoint.vpc_uid type: keyword + ocsf.start_time_dt: - description: - The start time of a time period, or the time of the least recent event + description: The start time of a time period, or the time of the least recent event included in the aggregate event. name: ocsf.start_time_dt type: date + ocsf.state: description: The normalized state of a security finding. 
name: ocsf.state type: keyword + ocsf.state_id: description: The normalized state identifier of a security finding. name: ocsf.state_id type: keyword + ocsf.status: - description: - The event status, normalized to the caption of the status_id value. + description: The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source. name: ocsf.status type: keyword + ocsf.status_code: - description: - The event status code, as reported by the event source. For example, + description: The event status code, as reported by the event source. For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18. name: ocsf.status_code type: keyword + ocsf.status_detail: - description: - The status details contains additional information about the event + description: The status details contains additional information about the event outcome. name: ocsf.status_detail type: keyword + ocsf.status_id: description: The normalized identifier of the event status. name: ocsf.status_id type: long + ocsf.time_dt: description: The normalized event occurrence time. name: ocsf.time_dt type: date + ocsf.timezone_offset: - description: - The number of minutes that the reported event time is ahead or behind + description: The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080. name: ocsf.timezone_offset type: long + ocsf.tls.alert: - description: - The integer value of TLS alert if present. The alerts are defined in + description: The integer value of TLS alert if present. The alerts are defined in the TLS specification in RFC-2246. name: ocsf.tls.alert type: long + ocsf.tls.certificate.created_time: description: The time when the certificate was created. name: ocsf.tls.certificate.created_time type: date + ocsf.tls.certificate.created_time_dt: description: The time when the certificate was created. 
name: ocsf.tls.certificate.created_time_dt type: date + ocsf.tls.certificate.expiration_time_dt: description: The expiration time of the certificate. name: ocsf.tls.certificate.expiration_time_dt type: date + ocsf.tls.certificate.fingerprints.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.tls.certificate.fingerprints.algorithm type: keyword + ocsf.tls.certificate.fingerprints.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. name: ocsf.tls.certificate.fingerprints.algorithm_id type: keyword + ocsf.tls.certificate.fingerprints.value: description: The digital fingerprint value. name: ocsf.tls.certificate.fingerprints.value type: keyword + ocsf.tls.certificate_chain: - description: - The Chain of Certificate Serial Numbers field provides a chain of Certificate + description: The Chain of Certificate Serial Numbers field provides a chain of Certificate Issuer Serial Numbers leading to the Root Certificate Issuer. name: ocsf.tls.certificate_chain type: keyword + ocsf.tls.extension_list.data: - description: - The data contains information specific to the particular extension + description: The data contains information specific to the particular extension type. name: ocsf.tls.extension_list.data type: keyword + ocsf.tls.extension_list.type: - description: "The TLS extension type. For example: Server Name." + description: 'The TLS extension type. For example: Server Name.' name: ocsf.tls.extension_list.type type: keyword + ocsf.tls.extension_list.type_id: - description: - The TLS extension type identifier. 
See The Transport Layer Security + description: The TLS extension type identifier. See The Transport Layer Security (TLS) extension page. name: ocsf.tls.extension_list.type_id type: keyword + ocsf.tls.handshake_dur: - description: - The amount of total time for the TLS handshake to complete after the + description: The amount of total time for the TLS handshake to complete after the TCP connection is established, including client-side delays, in milliseconds. name: ocsf.tls.handshake_dur type: long + ocsf.tls.ja3_hash.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.tls.ja3_hash.algorithm type: keyword + ocsf.tls.ja3_hash.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. name: ocsf.tls.ja3_hash.algorithm_id type: keyword + ocsf.tls.ja3s_hash.algorithm: - description: - The hash algorithm used to create the digital fingerprint, normalized + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. name: ocsf.tls.ja3s_hash.algorithm type: keyword + ocsf.tls.ja3s_hash.algorithm_id: - description: - The identifier of the normalized hash algorithm, which was used to + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. name: ocsf.tls.ja3s_hash.algorithm_id type: keyword + ocsf.tls.key_length: description: The length of the encryption key. name: ocsf.tls.key_length type: long + ocsf.tls.sans.name: description: Name of SAN (e.g. The actual IP Address or domain.) 
name: ocsf.tls.sans.name type: keyword + ocsf.tls.sans.type: description: Type descriptor of SAN (e.g. IP Address/domain/etc.) name: ocsf.tls.sans.type type: keyword + ocsf.tls.server_ciphers: - description: - The server cipher suites that were exchanged during the TLS handshake + description: The server cipher suites that were exchanged during the TLS handshake negotiation. name: ocsf.tls.server_ciphers type: keyword + ocsf.transaction_uid: - description: - The unique identifier of the transaction. This is typically a random + description: The unique identifier of the transaction. This is typically a random number generated from the client to associate a dhcp request/response pair. name: ocsf.transaction_uid type: keyword + ocsf.tree_uid: - description: - The tree id is a unique SMB identifier which represents an open connection + description: The tree id is a unique SMB identifier which represents an open connection to a share. name: ocsf.tree_uid type: keyword + ocsf.type: description: The type of FTP network connection (e.g. active, passive). name: ocsf.type type: keyword + ocsf.type_name: description: The event type name, as defined by the type_uid. name: ocsf.type_name type: keyword + ocsf.type_uid: - description: - 'The event type ID. It identifies the events semantics and structure. + description: 'The event type ID. It identifies the events semantics and structure. The value is calculated by the logging system as: class_uid \* 100 + activity_id.' name: ocsf.type_uid type: keyword + ocsf.unmapped: - description: - The attributes that are not mapped to the event schema. The names and + description: The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. name: ocsf.unmapped type: keyword + ocsf.url.categories: description: The Website categorization names, as defined by category_ids enum values. 
name: ocsf.url.categories type: keyword + ocsf.url.category_ids: description: The Website categorization identifies. name: ocsf.url.category_ids type: keyword + ocsf.url.resource_type: description: The context in which a resource was retrieved in a web request. name: ocsf.url.resource_type type: keyword + ocsf.user.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.user.account.name type: keyword + ocsf.user.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. name: ocsf.user.account.type type: keyword + ocsf.user.account.type_id: description: The normalized account type identifier. name: ocsf.user.account.type_id type: keyword + ocsf.user.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.user.account.uid type: keyword + ocsf.user.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.user.credential_uid type: keyword + ocsf.user.groups.desc: description: The group description. name: ocsf.user.groups.desc type: keyword + ocsf.user.groups.name: description: The group name. name: ocsf.user.groups.name type: keyword + ocsf.user.groups.privileges: description: The group privileges. name: ocsf.user.groups.privileges type: keyword + ocsf.user.groups.type: description: The type of the group or account. name: ocsf.user.groups.type type: keyword + ocsf.user.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. 
name: ocsf.user.groups.uid type: keyword + ocsf.user.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.user.org.name type: keyword + ocsf.user.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.user.org.ou_name type: keyword + ocsf.user.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.user.org.ou_uid type: keyword + ocsf.user.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.user.org.uid type: keyword + ocsf.user.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.user.type type: keyword + ocsf.user.type_id: description: The account type identifier. name: ocsf.user.type_id type: keyword + ocsf.user.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.user.uid_alt type: keyword + ocsf.user_result.account.name: description: The name of the account (e.g. GCP Account Name). name: ocsf.user_result.account.name type: keyword + ocsf.user_result.account.type: - description: - The account type, normalized to the caption of 'account_type_id'. In + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
name: ocsf.user_result.account.type type: keyword + ocsf.user_result.account.type_id: description: The normalized account type identifier. name: ocsf.user_result.account.type_id type: keyword + ocsf.user_result.account.uid: description: The unique identifier of the account (e.g. AWS Account ID). name: ocsf.user_result.account.uid type: keyword + ocsf.user_result.credential_uid: - description: - The unique identifier of the user's credential. For example, AWS Access + description: The unique identifier of the user's credential. For example, AWS Access Key ID. name: ocsf.user_result.credential_uid type: keyword + ocsf.user_result.groups.desc: description: The group description. name: ocsf.user_result.groups.desc type: keyword + ocsf.user_result.groups.name: description: The group name. name: ocsf.user_result.groups.name type: keyword + ocsf.user_result.groups.privileges: description: The group privileges. name: ocsf.user_result.groups.privileges type: keyword + ocsf.user_result.groups.type: description: The type of the group or account. name: ocsf.user_result.groups.type type: keyword + ocsf.user_result.groups.uid: - description: - The unique identifier of the group. For example, for Windows events + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. name: ocsf.user_result.groups.uid type: keyword + ocsf.user_result.org.name: description: The name of the organization. For example, Widget, Inc. name: ocsf.user_result.org.name type: keyword + ocsf.user_result.org.ou_name: - description: - The name of the organizational unit, within an organization. For example, + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. name: ocsf.user_result.org.ou_name type: keyword + ocsf.user_result.org.ou_uid: - description: - The alternate identifier for an entity's unique identifier. 
For example, + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. name: ocsf.user_result.org.ou_uid type: keyword + ocsf.user_result.org.uid: - description: - The unique identifier of the organization. For example, its Active + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. name: ocsf.user_result.org.uid type: keyword + ocsf.user_result.type: description: The type of the user. For example, System, AWS IAM User, etc. name: ocsf.user_result.type type: keyword + ocsf.user_result.type_id: description: The account type identifier. name: ocsf.user_result.type_id type: keyword + ocsf.user_result.uid_alt: - description: - The alternate user identifier. For example, the Active Directory user + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. name: ocsf.user_result.uid_alt type: keyword + ocsf.vulnerabilities.cve.created_time: - description: - The Record Creation Date identifies when the CVE ID was issued to a + description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. name: ocsf.vulnerabilities.cve.created_time type: date + ocsf.vulnerabilities.cve.created_time_dt: - description: - The Record Creation Date identifies when the CVE ID was issued to a + description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. 
name: ocsf.vulnerabilities.cve.created_time_dt type: date + ocsf.vulnerabilities.cve.cvss.base_score: - description: "The CVSS base score. For example: 9.1." + description: 'The CVSS base score. For example: 9.1.' name: ocsf.vulnerabilities.cve.cvss.base_score type: keyword + ocsf.vulnerabilities.cve.cvss.depth: - description: - The CVSS depth represents a depth of the equation used to calculate + description: The CVSS depth represents a depth of the equation used to calculate CVSS score. name: ocsf.vulnerabilities.cve.cvss.depth type: keyword + ocsf.vulnerabilities.cve.cvss.metrics.name: description: The name of the metric. name: ocsf.vulnerabilities.cve.cvss.metrics.name type: keyword + ocsf.vulnerabilities.cve.cvss.metrics.value: description: The value of the metric. name: ocsf.vulnerabilities.cve.cvss.metrics.value type: keyword + ocsf.vulnerabilities.cve.cvss.overall_score: - description: - "The CVSS overall score, impacted by base, temporal, and environmental - metrics. For example: 9.1." + description: 'The CVSS overall score, impacted by base, temporal, and environmental + metrics. For example: 9.1.' name: ocsf.vulnerabilities.cve.cvss.overall_score type: keyword + ocsf.vulnerabilities.cve.cvss.severity: - description: - The Common Vulnerability Scoring System (CVSS) Qualitative Severity + description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score. name: ocsf.vulnerabilities.cve.cvss.severity type: keyword + ocsf.vulnerabilities.cve.cvss.vector_string: - description: - "The CVSS vector string is a text representation of a set of CVSS metrics. + description: 'The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise - form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H." + form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.' 
name: ocsf.vulnerabilities.cve.cvss.vector_string type: keyword + ocsf.vulnerabilities.cve.cvss.version: - description: "The CVSS version. For example: 3.1." + description: 'The CVSS version. For example: 3.1.' name: ocsf.vulnerabilities.cve.cvss.version type: keyword + ocsf.vulnerabilities.cve.cwe_uid: - description: - "The Common Weakness Enumeration (CWE) unique identifier. For example: - CWE-787." + description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: + CWE-787.' name: ocsf.vulnerabilities.cve.cwe_uid type: keyword + ocsf.vulnerabilities.cve.cwe_url: - description: "Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html." + description: 'Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.' name: ocsf.vulnerabilities.cve.cwe_url type: keyword + ocsf.vulnerabilities.cve.modified_time: description: The Record Modified Date identifies when the CVE record was last updated. name: ocsf.vulnerabilities.cve.modified_time type: date + ocsf.vulnerabilities.cve.modified_time_dt: description: The Record Modified Date identifies when the CVE record was last updated. name: ocsf.vulnerabilities.cve.modified_time_dt type: date + ocsf.vulnerabilities.cve.product.feature.name: description: The name of the feature. name: ocsf.vulnerabilities.cve.product.feature.name type: keyword + ocsf.vulnerabilities.cve.product.feature.uid: description: The unique identifier of the feature. name: ocsf.vulnerabilities.cve.product.feature.uid type: keyword + ocsf.vulnerabilities.cve.product.feature.version: description: The version of the feature. name: ocsf.vulnerabilities.cve.product.feature.version type: keyword + ocsf.vulnerabilities.cve.product.lang: - description: - "The two letter lower case language codes, as defined by ISO 639-1. - For example: en (English), de (German), or fr (French)." 
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. + For example: en (English), de (German), or fr (French).' name: ocsf.vulnerabilities.cve.product.lang type: keyword + ocsf.vulnerabilities.cve.product.name: description: The name of the product. name: ocsf.vulnerabilities.cve.product.name type: keyword + ocsf.vulnerabilities.cve.product.path: description: The installation path of the product. name: ocsf.vulnerabilities.cve.product.path type: keyword + ocsf.vulnerabilities.cve.product.uid: description: The unique identifier of the product. name: ocsf.vulnerabilities.cve.product.uid type: keyword + ocsf.vulnerabilities.cve.product.url_string: description: The URL pointing towards the product. name: ocsf.vulnerabilities.cve.product.url_string type: keyword + ocsf.vulnerabilities.cve.product.vendor_name: description: The name of the vendor of the product. name: ocsf.vulnerabilities.cve.product.vendor_name type: keyword + ocsf.vulnerabilities.cve.product.version: - description: - "The version of the product, as defined by the event source. For example: - 2013.1.3-beta." + description: 'The version of the product, as defined by the event source. For example: + 2013.1.3-beta.' name: ocsf.vulnerabilities.cve.product.version type: keyword + ocsf.vulnerabilities.cve.type: - description: - The vulnerability type as selected from a large dropdown menu during + description: The vulnerability type as selected from a large dropdown menu during CVE refinement. name: ocsf.vulnerabilities.cve.type type: keyword + ocsf.vulnerabilities.cve.uid: - description: - "The Common Vulnerabilities and Exposures unique number assigned to + description: 'The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For - example: CVE-2021-12345." + example: CVE-2021-12345.' 
name: ocsf.vulnerabilities.cve.uid type: keyword + ocsf.vulnerabilities.desc: description: The description of the vulnerability. name: ocsf.vulnerabilities.desc type: keyword + ocsf.vulnerabilities.fix_available: description: Indicates if a fix is available for the reported vulnerability. name: ocsf.vulnerabilities.fix_available type: boolean + ocsf.vulnerabilities.kb_articles: description: The KB article/s related to the entity. name: ocsf.vulnerabilities.kb_articles type: keyword + ocsf.vulnerabilities.packages.architecture: - description: - Architecture is a shorthand name describing the type of computer hardware + description: Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on. name: ocsf.vulnerabilities.packages.architecture type: keyword + ocsf.vulnerabilities.packages.epoch: - description: - The software package epoch. Epoch is a way to define weighted dependencies + description: The software package epoch. Epoch is a way to define weighted dependencies based on version numbers. name: ocsf.vulnerabilities.packages.epoch type: long + ocsf.vulnerabilities.packages.license: description: The software license applied to this package. name: ocsf.vulnerabilities.packages.license type: keyword + ocsf.vulnerabilities.packages.name: description: The software package name. name: ocsf.vulnerabilities.packages.name type: keyword + ocsf.vulnerabilities.packages.release: description: Release is the number of times a version of the software has been packaged. name: ocsf.vulnerabilities.packages.release type: keyword + ocsf.vulnerabilities.packages.version: description: The software package version. name: ocsf.vulnerabilities.packages.version type: keyword + ocsf.vulnerabilities.references: description: Supporting reference URLs. name: ocsf.vulnerabilities.references type: keyword + ocsf.vulnerabilities.related_vulnerabilities: description: List of vulnerabilities that are related to this vulnerability. 
name: ocsf.vulnerabilities.related_vulnerabilities type: keyword + ocsf.vulnerabilities.severity: - description: - The event severity, normalized to the caption of the severity_id value. + description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source. name: ocsf.vulnerabilities.severity type: keyword + ocsf.vulnerabilities.title: description: The title of the vulnerability. name: ocsf.vulnerabilities.title type: keyword + ocsf.vulnerabilities.vendor_name: description: The vendor who identified the vulnerability. name: ocsf.vulnerabilities.vendor_name type: keyword + ocsf.web_resources.data: - description: - Details of the web resource, e.g, file details, search results or application-defined + description: Details of the web resource, e.g, file details, search results or application-defined resource. name: ocsf.web_resources.data type: keyword + ocsf.web_resources.desc: description: Description of the web resource. name: ocsf.web_resources.desc type: keyword + ocsf.web_resources.labels: description: The list of labels/tags associated to a resource. name: ocsf.web_resources.labels type: keyword + ocsf.web_resources.name: description: The name of the web resource. name: ocsf.web_resources.name type: keyword + ocsf.web_resources.type: description: The web resource type as defined by the event source. name: ocsf.web_resources.type type: keyword + ocsf.web_resources.uid: description: The unique identifier of the web resource. name: ocsf.web_resources.uid type: keyword + ocsf.web_resources.url_string: description: The URL pointing towards the source of the web resource. name: ocsf.web_resources.url_string type: keyword + ocsf.web_resources_result.data: - description: - Details of the web resource, e.g, file details, search results or application-defined + description: Details of the web resource, e.g, file details, search results or application-defined resource. 
name: ocsf.web_resources_result.data type: keyword + ocsf.web_resources_result.desc: description: Description of the web resource. name: ocsf.web_resources_result.desc type: keyword + ocsf.web_resources_result.labels: description: The list of labels/tags associated to a resource. name: ocsf.web_resources_result.labels type: keyword + ocsf.web_resources_result.name: description: The name of the web resource. name: ocsf.web_resources_result.name type: keyword + ocsf.web_resources_result.type: description: The web resource type as defined by the event source. name: ocsf.web_resources_result.type type: keyword + ocsf.web_resources_result.uid: description: The unique identifier of the web resource. name: ocsf.web_resources_result.uid type: keyword + ocsf.web_resources_result.url_string: description: The URL pointing towards the source of the web resource. name: ocsf.web_resources_result.url_string type: keyword + process.group.id: - description: "" + description: '' name: process.group.id type: keyword + process.group.name: - description: "" + description: '' name: process.group.name type: keyword + process.parent.user.domain: - description: "" + description: '' name: process.parent.user.domain type: keyword + process.parent.user.email: - description: "" + description: '' name: process.parent.user.email type: keyword + process.parent.user.full_name: - description: "" + description: '' name: process.parent.user.full_name type: keyword + process.parent.user.group.id: - description: "" + description: '' name: process.parent.user.group.id type: keyword + process.parent.user.group.name: - description: "" + description: '' name: process.parent.user.group.name type: keyword + process.user.domain: - description: "" + description: '' name: process.user.domain type: keyword + process.user.email: - description: "" + description: '' name: process.user.email type: keyword + process.user.full_name: - description: "" + description: '' name: process.user.full_name type: keyword + 
process.user.group.id: - description: "" + description: '' name: process.user.group.id type: keyword + process.user.group.name: - description: "" + description: '' name: process.user.group.name type: keyword From 6ac38f95f56f9b30b6496a1063b6719c48a11570 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 9 Apr 2024 13:02:57 +0300 Subject: [PATCH 20/34] Remove unnecessary fields --- OCSF/ocsf/_meta/fields.yml | 8554 ----------------- OCSF/ocsf/ingest/parser.yml | 4 +- .../tests/test_application_activity_1.json | 84 +- .../tests/test_application_activity_2.json | 66 +- .../tests/test_application_activity_3.json | 77 +- OCSF/ocsf/tests/test_discovery_1.json | 65 +- OCSF/ocsf/tests/test_discovery_2.json | 71 +- OCSF/ocsf/tests/test_findings_1.json | 126 +- OCSF/ocsf/tests/test_iam_1.json | 53 +- OCSF/ocsf/tests/test_iam_2.json | 29 +- OCSF/ocsf/tests/test_iam_3.json | 60 +- OCSF/ocsf/tests/test_iam_4.json | 71 +- OCSF/ocsf/tests/test_network_activity_1.json | 41 +- OCSF/ocsf/tests/test_network_activity_10.json | 193 +- OCSF/ocsf/tests/test_network_activity_11.json | 113 +- OCSF/ocsf/tests/test_network_activity_12.json | 97 +- OCSF/ocsf/tests/test_network_activity_2.json | 128 +- OCSF/ocsf/tests/test_network_activity_3.json | 46 +- OCSF/ocsf/tests/test_network_activity_4.json | 89 +- OCSF/ocsf/tests/test_network_activity_5.json | 180 +- OCSF/ocsf/tests/test_network_activity_6.json | 161 +- OCSF/ocsf/tests/test_network_activity_7.json | 90 +- OCSF/ocsf/tests/test_network_activity_8.json | 110 +- OCSF/ocsf/tests/test_network_activity_9.json | 103 - OCSF/ocsf/tests/test_system_activity_1.json | 156 +- OCSF/ocsf/tests/test_system_activity_2.json | 183 +- OCSF/ocsf/tests/test_system_activity_3.json | 234 +- OCSF/ocsf/tests/test_system_activity_4.json | 199 +- OCSF/ocsf/tests/test_system_activity_5.json | 296 +- OCSF/ocsf/tests/test_system_activity_6.json | 159 +- OCSF/ocsf/tests/test_system_activity_7.json | 45 +- 31 files changed, 30 insertions(+), 11853 deletions(-) 
diff --git a/OCSF/ocsf/_meta/fields.yml b/OCSF/ocsf/_meta/fields.yml index ca96c3af9..07b96a762 100644 --- a/OCSF/ocsf/_meta/fields.yml +++ b/OCSF/ocsf/_meta/fields.yml 
@@ -1,8562 +1,8 @@ -ocsf.access_mask: - description: The access mask in a platform-native format. - name: ocsf.access_mask - type: long - ocsf.activity_id: description: The normalized identifier of the activity that triggered the event. name: ocsf.activity_id type: long -ocsf.activity_name: - description: The event activity name, as defined by the activity_id. - name: ocsf.activity_name - type: keyword - -ocsf.actor.authorizations.decision: - description: Authorization Result/outcome, e.g. allowed, denied. - name: ocsf.actor.authorizations.decision - type: keyword - -ocsf.actor.authorizations.policy.desc: - description: The description of the policy. - name: ocsf.actor.authorizations.policy.desc - type: keyword - -ocsf.actor.authorizations.policy.group.desc: - description: The group description. - name: ocsf.actor.authorizations.policy.group.desc - type: keyword - -ocsf.actor.authorizations.policy.group.name: - description: The group name. - name: ocsf.actor.authorizations.policy.group.name - type: keyword - -ocsf.actor.authorizations.policy.group.privileges: - description: The group privileges. - name: ocsf.actor.authorizations.policy.group.privileges - type: keyword - -ocsf.actor.authorizations.policy.group.type: - description: The type of the group or account. - name: ocsf.actor.authorizations.policy.group.type - type: keyword - -ocsf.actor.authorizations.policy.group.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.authorizations.policy.group.uid - type: keyword - -ocsf.actor.authorizations.policy.name: - description: 'The policy name. For example: IAM Policy.' - name: ocsf.actor.authorizations.policy.name - type: keyword - -ocsf.actor.authorizations.policy.uid: - description: A unique identifier of the policy instance. 
- name: ocsf.actor.authorizations.policy.uid - type: keyword - -ocsf.actor.authorizations.policy.version: - description: The policy version number. - name: ocsf.actor.authorizations.policy.version - type: keyword - -ocsf.actor.idp.name: - description: The name of the identity provider. - name: ocsf.actor.idp.name - type: keyword - -ocsf.actor.idp.uid: - description: The unique identifier of the identity provider. - name: ocsf.actor.idp.uid - type: keyword - -ocsf.actor.invoked_by: - description: The name of the service that invoked the activity as described in the - event. - name: ocsf.actor.invoked_by - type: keyword - -ocsf.actor.process.auid: - description: The audit user assigned at login by the audit subsystem. - name: ocsf.actor.process.auid - type: keyword - -ocsf.actor.process.container.hash.algorithm: - description: The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.actor.process.container.hash.algorithm - type: keyword - -ocsf.actor.process.container.hash.algorithm_id: - description: The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.actor.process.container.hash.algorithm_id - type: keyword - -ocsf.actor.process.container.hash.value: - description: The digital fingerprint value. - name: ocsf.actor.process.container.hash.value - type: keyword - -ocsf.actor.process.container.image.path: - description: The full path to the image file. - name: ocsf.actor.process.container.image.path - type: keyword - -ocsf.actor.process.container.image.uid: - description: The unique image ID. - name: ocsf.actor.process.container.image.uid - type: keyword - -ocsf.actor.process.container.network_driver: - description: The network driver used by the container. For example, bridge, overlay, - host, none, etc. 
- name: ocsf.actor.process.container.network_driver - type: keyword - -ocsf.actor.process.container.pod_uuid: - description: The unique identifier of the pod (or equivalent) that the container - is executing on. - name: ocsf.actor.process.container.pod_uuid - type: keyword - -ocsf.actor.process.container.size: - description: The size of the container image. - name: ocsf.actor.process.container.size - type: long - -ocsf.actor.process.container.tag: - description: The tag used by the container. It can indicate version, format, OS. - name: ocsf.actor.process.container.tag - type: keyword - -ocsf.actor.process.created_time_dt: - description: The time when the process was created/started. - name: ocsf.actor.process.created_time_dt - type: date - -ocsf.actor.process.file.accessed_time_dt: - description: The time when the file was last accessed. - name: ocsf.actor.process.file.accessed_time_dt - type: date - -ocsf.actor.process.file.accessor.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.actor.process.file.accessor.account.name - type: keyword - -ocsf.actor.process.file.accessor.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.file.accessor.account.type - type: keyword - -ocsf.actor.process.file.accessor.account.type_id: - description: The normalized account type identifier. - name: ocsf.actor.process.file.accessor.account.type_id - type: keyword - -ocsf.actor.process.file.accessor.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.actor.process.file.accessor.account.uid - type: keyword - -ocsf.actor.process.file.accessor.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. 
- name: ocsf.actor.process.file.accessor.credential_uid - type: keyword - -ocsf.actor.process.file.accessor.domain: - description: 'The domain where the user is defined. For example: the LDAP or Active - Directory domain.' - name: ocsf.actor.process.file.accessor.domain - type: keyword - -ocsf.actor.process.file.accessor.email_addr: - description: The user's email address. - name: ocsf.actor.process.file.accessor.email_addr - type: keyword - -ocsf.actor.process.file.accessor.full_name: - description: The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.actor.process.file.accessor.full_name - type: keyword - -ocsf.actor.process.file.accessor.groups.desc: - description: The group description. - name: ocsf.actor.process.file.accessor.groups.desc - type: keyword - -ocsf.actor.process.file.accessor.groups.name: - description: The group name. - name: ocsf.actor.process.file.accessor.groups.name - type: keyword - -ocsf.actor.process.file.accessor.groups.privileges: - description: The group privileges. - name: ocsf.actor.process.file.accessor.groups.privileges - type: keyword - -ocsf.actor.process.file.accessor.groups.type: - description: The type of the group or account. - name: ocsf.actor.process.file.accessor.groups.type - type: keyword - -ocsf.actor.process.file.accessor.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.process.file.accessor.groups.uid - type: keyword - -ocsf.actor.process.file.accessor.name: - description: The username. For example, janedoe1. - name: ocsf.actor.process.file.accessor.name - type: keyword - -ocsf.actor.process.file.accessor.org.name: - description: The name of the organization. For example, Widget, Inc. 
- name: ocsf.actor.process.file.accessor.org.name - type: keyword - -ocsf.actor.process.file.accessor.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.actor.process.file.accessor.org.ou_name - type: keyword - -ocsf.actor.process.file.accessor.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.process.file.accessor.org.ou_uid - type: keyword - -ocsf.actor.process.file.accessor.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.actor.process.file.accessor.org.uid - type: keyword - -ocsf.actor.process.file.accessor.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.actor.process.file.accessor.type - type: keyword - -ocsf.actor.process.file.accessor.type_id: - description: The account type identifier. - name: ocsf.actor.process.file.accessor.type_id - type: keyword - -ocsf.actor.process.file.accessor.uid: - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.actor.process.file.accessor.uid - type: keyword - -ocsf.actor.process.file.accessor.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.actor.process.file.accessor.uid_alt - type: keyword - -ocsf.actor.process.file.attributes: - description: The Bitmask value that represents the file attributes. - name: ocsf.actor.process.file.attributes - type: long - -ocsf.actor.process.file.company_name: - description: 'The name of the company that published the file. For example: Microsoft - Corporation.' 
- name: ocsf.actor.process.file.company_name - type: keyword - -ocsf.actor.process.file.confidentiality: - description: The file content confidentiality, normalized to the confidentiality_id - value. In the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.file.confidentiality - type: keyword - -ocsf.actor.process.file.confidentiality_id: - description: The normalized identifier of the file content confidentiality indicator. - name: ocsf.actor.process.file.confidentiality_id - type: keyword - -ocsf.actor.process.file.created_time_dt: - description: The time when the file was created. - name: ocsf.actor.process.file.created_time_dt - type: date - -ocsf.actor.process.file.creator.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.actor.process.file.creator.account.name - type: keyword - -ocsf.actor.process.file.creator.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.file.creator.account.type - type: keyword - -ocsf.actor.process.file.creator.account.type_id: - description: The normalized account type identifier. - name: ocsf.actor.process.file.creator.account.type_id - type: keyword - -ocsf.actor.process.file.creator.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.actor.process.file.creator.account.uid - type: keyword - -ocsf.actor.process.file.creator.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.file.creator.credential_uid - type: keyword - -ocsf.actor.process.file.creator.domain: - description: 'The domain where the user is defined. For example: the LDAP or Active - Directory domain.' 
- name: ocsf.actor.process.file.creator.domain - type: keyword - -ocsf.actor.process.file.creator.email_addr: - description: The user's email address. - name: ocsf.actor.process.file.creator.email_addr - type: keyword - -ocsf.actor.process.file.creator.full_name: - description: The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.actor.process.file.creator.full_name - type: keyword - -ocsf.actor.process.file.creator.groups.desc: - description: The group description. - name: ocsf.actor.process.file.creator.groups.desc - type: keyword - -ocsf.actor.process.file.creator.groups.name: - description: The group name. - name: ocsf.actor.process.file.creator.groups.name - type: keyword - -ocsf.actor.process.file.creator.groups.privileges: - description: The group privileges. - name: ocsf.actor.process.file.creator.groups.privileges - type: keyword - -ocsf.actor.process.file.creator.groups.type: - description: The type of the group or account. - name: ocsf.actor.process.file.creator.groups.type - type: keyword - -ocsf.actor.process.file.creator.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.process.file.creator.groups.uid - type: keyword - -ocsf.actor.process.file.creator.name: - description: The name of the city. - name: ocsf.actor.process.file.creator.name - type: keyword - -ocsf.actor.process.file.creator.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.actor.process.file.creator.org.name - type: keyword - -ocsf.actor.process.file.creator.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.actor.process.file.creator.org.ou_name - type: keyword - -ocsf.actor.process.file.creator.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. 
For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.process.file.creator.org.ou_uid - type: keyword - -ocsf.actor.process.file.creator.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.actor.process.file.creator.org.uid - type: keyword - -ocsf.actor.process.file.creator.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.actor.process.file.creator.type - type: keyword - -ocsf.actor.process.file.creator.type_id: - description: The account type identifier. - name: ocsf.actor.process.file.creator.type_id - type: keyword - -ocsf.actor.process.file.creator.uid: - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.actor.process.file.creator.uid - type: keyword - -ocsf.actor.process.file.creator.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.actor.process.file.creator.uid_alt - type: keyword - -ocsf.actor.process.file.desc: - description: 'The description of the file, as returned by file system. For example: - the description as returned by the Unix file command or the Windows file type.' - name: ocsf.actor.process.file.desc - type: keyword - -ocsf.actor.process.file.is_system: - description: The indication of whether the object is part of the operating system. - name: ocsf.actor.process.file.is_system - type: boolean - -ocsf.actor.process.file.modified_time_dt: - description: The time when the file was last modified. - name: ocsf.actor.process.file.modified_time_dt - type: date - -ocsf.actor.process.file.modifier.account.name: - description: The name of the account (e.g. GCP Account Name). 
- name: ocsf.actor.process.file.modifier.account.name - type: keyword - -ocsf.actor.process.file.modifier.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.file.modifier.account.type - type: keyword - -ocsf.actor.process.file.modifier.account.type_id: - description: The normalized account type identifier. - name: ocsf.actor.process.file.modifier.account.type_id - type: keyword - -ocsf.actor.process.file.modifier.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.actor.process.file.modifier.account.uid - type: keyword - -ocsf.actor.process.file.modifier.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.file.modifier.credential_uid - type: keyword - -ocsf.actor.process.file.modifier.domain: - description: 'The domain where the user is defined. For example: the LDAP or Active - Directory domain.' - name: ocsf.actor.process.file.modifier.domain - type: keyword - -ocsf.actor.process.file.modifier.email_addr: - description: 'The image name. For example: elixir.' - name: ocsf.actor.process.file.modifier.email_addr - type: keyword - -ocsf.actor.process.file.modifier.full_name: - description: The user's email address. - name: ocsf.actor.process.file.modifier.full_name - type: keyword - -ocsf.actor.process.file.modifier.groups.desc: - description: The group description. - name: ocsf.actor.process.file.modifier.groups.desc - type: keyword - -ocsf.actor.process.file.modifier.groups.name: - description: The group name. - name: ocsf.actor.process.file.modifier.groups.name - type: keyword - -ocsf.actor.process.file.modifier.groups.privileges: - description: The group privileges. 
- name: ocsf.actor.process.file.modifier.groups.privileges - type: keyword - -ocsf.actor.process.file.modifier.groups.type: - description: The type of the group or account. - name: ocsf.actor.process.file.modifier.groups.type - type: keyword - -ocsf.actor.process.file.modifier.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.process.file.modifier.groups.uid - type: keyword - -ocsf.actor.process.file.modifier.name: - description: The username. For example, janedoe1. - name: ocsf.actor.process.file.modifier.name - type: keyword - -ocsf.actor.process.file.modifier.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.actor.process.file.modifier.org.name - type: keyword - -ocsf.actor.process.file.modifier.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.actor.process.file.modifier.org.ou_name - type: keyword - -ocsf.actor.process.file.modifier.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.process.file.modifier.org.ou_uid - type: keyword - -ocsf.actor.process.file.modifier.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.actor.process.file.modifier.org.uid - type: keyword - -ocsf.actor.process.file.modifier.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.actor.process.file.modifier.type - type: keyword - -ocsf.actor.process.file.modifier.type_id: - description: The account type identifier. - name: ocsf.actor.process.file.modifier.type_id - type: keyword - -ocsf.actor.process.file.modifier.uid: - description: The unique user identifier. 
For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.actor.process.file.modifier.uid - type: keyword - -ocsf.actor.process.file.modifier.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.actor.process.file.modifier.uid_alt - type: keyword - -ocsf.actor.process.file.owner.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.actor.process.file.owner.account.name - type: keyword - -ocsf.actor.process.file.owner.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.file.owner.account.type - type: keyword - -ocsf.actor.process.file.owner.account.type_id: - description: The normalized account type identifier. - name: ocsf.actor.process.file.owner.account.type_id - type: keyword - -ocsf.actor.process.file.owner.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.actor.process.file.owner.account.uid - type: keyword - -ocsf.actor.process.file.owner.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.file.owner.credential_uid - type: keyword - -ocsf.actor.process.file.owner.domain: - description: 'The domain where the user is defined. For example: the LDAP or Active - Directory domain.' - name: ocsf.actor.process.file.owner.domain - type: keyword - -ocsf.actor.process.file.owner.email_addr: - description: The user's email address. - name: ocsf.actor.process.file.owner.email_addr - type: keyword - -ocsf.actor.process.file.owner.full_name: - description: The full name of the person, as per the LDAP Common Name attribute - (cn). 
- name: ocsf.actor.process.file.owner.full_name - type: keyword - -ocsf.actor.process.file.owner.groups.desc: - description: The group description. - name: ocsf.actor.process.file.owner.groups.desc - type: keyword - -ocsf.actor.process.file.owner.groups.name: - description: The group name. - name: ocsf.actor.process.file.owner.groups.name - type: keyword - -ocsf.actor.process.file.owner.groups.privileges: - description: The group privileges. - name: ocsf.actor.process.file.owner.groups.privileges - type: keyword - -ocsf.actor.process.file.owner.groups.type: - description: The type of the group or account. - name: ocsf.actor.process.file.owner.groups.type - type: keyword - -ocsf.actor.process.file.owner.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.process.file.owner.groups.uid - type: keyword - -ocsf.actor.process.file.owner.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.actor.process.file.owner.org.name - type: keyword - -ocsf.actor.process.file.owner.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.actor.process.file.owner.org.ou_name - type: keyword - -ocsf.actor.process.file.owner.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.process.file.owner.org.ou_uid - type: keyword - -ocsf.actor.process.file.owner.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.actor.process.file.owner.org.uid - type: keyword - -ocsf.actor.process.file.owner.type: - description: The event occurred on a personal device.The type of the user. For example, - System, AWS IAM User, etc. 
- name: ocsf.actor.process.file.owner.type - type: keyword - -ocsf.actor.process.file.owner.type_id: - description: The account type identifier. - name: ocsf.actor.process.file.owner.type_id - type: keyword - -ocsf.actor.process.file.owner.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.actor.process.file.owner.uid_alt - type: keyword - -ocsf.actor.process.file.product.feature.name: - description: The name of the feature. - name: ocsf.actor.process.file.product.feature.name - type: keyword - -ocsf.actor.process.file.product.feature.uid: - description: The unique identifier of the feature. - name: ocsf.actor.process.file.product.feature.uid - type: keyword - -ocsf.actor.process.file.product.feature.version: - description: The version of the feature. - name: ocsf.actor.process.file.product.feature.version - type: keyword - -ocsf.actor.process.file.product.lang: - description: 'The two letter lower case language codes, as defined by ISO 639-1. - For example: en (English), de (German), or fr (French).' - name: ocsf.actor.process.file.product.lang - type: keyword - -ocsf.actor.process.file.product.name: - description: The name of the feature. - name: ocsf.actor.process.file.product.name - type: keyword - -ocsf.actor.process.file.product.path: - description: The installation path of the product. - name: ocsf.actor.process.file.product.path - type: keyword - -ocsf.actor.process.file.product.uid: - description: The unique identifier of the feature. - name: ocsf.actor.process.file.product.uid - type: keyword - -ocsf.actor.process.file.product.url_string: - description: The URL pointing towards the product. - name: ocsf.actor.process.file.product.url_string - type: keyword - -ocsf.actor.process.file.product.vendor_name: - description: The name of the vendor of the product. 
- name: ocsf.actor.process.file.product.vendor_name - type: keyword - -ocsf.actor.process.file.product.version: - description: 'The version of the product, as defined by the event source. For example: - 2013.1.3-beta.' - name: ocsf.actor.process.file.product.version - type: keyword - -ocsf.actor.process.file.security_descriptor: - description: The object security descriptor. - name: ocsf.actor.process.file.security_descriptor - type: keyword - -ocsf.actor.process.file.signature.algorithm: - description: The digital signature algorithm used to create the signature, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.actor.process.file.signature.algorithm - type: keyword - -ocsf.actor.process.file.signature.algorithm_id: - description: The identifier of the normalized digital signature algorithm. - name: ocsf.actor.process.file.signature.algorithm_id - type: keyword - -ocsf.actor.process.file.signature.certificate.created_time: - description: The time when the certificate was created. - name: ocsf.actor.process.file.signature.certificate.created_time - type: date - -ocsf.actor.process.file.signature.certificate.created_time_dt: - description: The time when the certificate was created. - name: ocsf.actor.process.file.signature.certificate.created_time_dt - type: date - -ocsf.actor.process.file.signature.certificate.expiration_time_dt: - description: The expiration time of the certificate. - name: ocsf.actor.process.file.signature.certificate.expiration_time_dt - type: date - -ocsf.actor.process.file.signature.certificate.fingerprints.algorithm: - description: The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. 
- name: ocsf.actor.process.file.signature.certificate.fingerprints.algorithm - type: keyword - -ocsf.actor.process.file.signature.certificate.fingerprints.algorithm_id: - description: The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.actor.process.file.signature.certificate.fingerprints.algorithm_id - type: keyword - -ocsf.actor.process.file.signature.certificate.fingerprints.value: - description: The digital fingerprint value. - name: ocsf.actor.process.file.signature.certificate.fingerprints.value - type: keyword - -ocsf.actor.process.file.signature.created_time: - description: The time when the digital signature was created. - name: ocsf.actor.process.file.signature.created_time - type: date - -ocsf.actor.process.file.signature.created_time_dt: - description: The time when the digital signature was created. - name: ocsf.actor.process.file.signature.created_time_dt - type: date - -ocsf.actor.process.file.signature.developer_uid: - description: The developer ID on the certificate that signed the file. - name: ocsf.actor.process.file.signature.developer_uid - type: keyword - -ocsf.actor.process.file.signature.digest.algorithm: - description: The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.actor.process.file.signature.digest.algorithm - type: keyword - -ocsf.actor.process.file.signature.digest.algorithm_id: - description: The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.actor.process.file.signature.digest.algorithm_id - type: keyword - -ocsf.actor.process.file.signature.digest.value: - description: The digital fingerprint value. - name: ocsf.actor.process.file.signature.digest.value - type: keyword - -ocsf.actor.process.file.type_id: - description: The file type ID. 
- name: ocsf.actor.process.file.type_id - type: keyword - -ocsf.actor.process.file.version: - description: 'The file version. For example: 8.0.7601.17514.' - name: ocsf.actor.process.file.version - type: keyword - -ocsf.actor.process.file.xattributes: - description: An unordered collection of zero or more name/value pairs where each - pair represents a file or folder extended attribute. - name: ocsf.actor.process.file.xattributes - type: keyword - -ocsf.actor.process.group.desc: - description: The group description. - name: ocsf.actor.process.group.desc - type: keyword - -ocsf.actor.process.group.privileges: - description: The group privileges. - name: ocsf.actor.process.group.privileges - type: keyword - -ocsf.actor.process.group.type: - description: The type of the group or account. - name: ocsf.actor.process.group.type - type: keyword - -ocsf.actor.process.integrity: - description: The process integrity level, normalized to the caption of the direction_id - value. In the case of 'Other', it is defined by the event source (Windows only). - name: ocsf.actor.process.integrity - type: keyword - -ocsf.actor.process.integrity_id: - description: The normalized identifier of the process integrity level (Windows only). - name: ocsf.actor.process.integrity_id - type: keyword - -ocsf.actor.process.lineage: - description: 'The lineage of the process, represented by a list of paths for each - ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - name: ocsf.actor.process.lineage - type: keyword - -ocsf.actor.process.loaded_modules: - description: The list of loaded module names. - name: ocsf.actor.process.loaded_modules - type: keyword - -ocsf.actor.process.namespace_pid: - description: If running under a process namespace (such as in a container), the - process identifier within that process namespace. 
- name: ocsf.actor.process.namespace_pid - type: long - -ocsf.actor.process.parent_process.auid: - description: The audit user assigned at login by the audit subsystem. - name: ocsf.actor.process.parent_process.auid - type: keyword - -ocsf.actor.process.parent_process.container.hash.algorithm: - description: The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.actor.process.parent_process.container.hash.algorithm - type: keyword - -ocsf.actor.process.parent_process.container.hash.algorithm_id: - description: The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.actor.process.parent_process.container.hash.algorithm_id - type: keyword - -ocsf.actor.process.parent_process.container.hash.value: - description: The digital fingerprint value. - name: ocsf.actor.process.parent_process.container.hash.value - type: keyword - -ocsf.actor.process.parent_process.container.image.labels: - description: The image labels. - name: ocsf.actor.process.parent_process.container.image.labels - type: keyword - -ocsf.actor.process.parent_process.container.image.name: - description: The image name. - name: ocsf.actor.process.parent_process.container.image.name - type: keyword - -ocsf.actor.process.parent_process.container.image.path: - description: The full path to the image file. - name: ocsf.actor.process.parent_process.container.image.path - type: keyword - -ocsf.actor.process.parent_process.container.image.tag: - description: The tag used by the container. It can indicate version, format, OS. - name: ocsf.actor.process.parent_process.container.image.tag - type: keyword - -ocsf.actor.process.parent_process.container.image.uid: - description: The unique image ID. 
- name: ocsf.actor.process.parent_process.container.image.uid - type: keyword - -ocsf.actor.process.parent_process.container.name: - description: The container name. - name: ocsf.actor.process.parent_process.container.name - type: keyword - -ocsf.actor.process.parent_process.container.network_driver: - description: The network driver used by the container. For example, bridge, overlay, - host, none, etc. - name: ocsf.actor.process.parent_process.container.network_driver - type: keyword - -ocsf.actor.process.parent_process.container.orchestrator: - description: The orchestrator managing the container, such as ECS, EKS, K8s, or - OpenShift. - name: ocsf.actor.process.parent_process.container.orchestrator - type: keyword - -ocsf.actor.process.parent_process.container.pod_uuid: - description: The unique identifier of the pod (or equivalent) that the container - is executing on. - name: ocsf.actor.process.parent_process.container.pod_uuid - type: keyword - -ocsf.actor.process.parent_process.container.runtime: - description: The backend running the container, such as containerd or cri-o. - name: ocsf.actor.process.parent_process.container.runtime - type: keyword - -ocsf.actor.process.parent_process.container.size: - description: The size of the container image. - name: ocsf.actor.process.parent_process.container.size - type: long - -ocsf.actor.process.parent_process.container.tag: - description: The tag used by the container. It can indicate version, format, OS. - name: ocsf.actor.process.parent_process.container.tag - type: keyword - -ocsf.actor.process.parent_process.container.uid: - description: The full container unique identifier for this instantiation of the - container. - name: ocsf.actor.process.parent_process.container.uid - type: keyword - -ocsf.actor.process.parent_process.created_time_dt: - description: The time when the process was created/started. 
- name: ocsf.actor.process.parent_process.created_time_dt - type: date - -ocsf.actor.process.parent_process.file.accessed_time: - description: The time when the file was last accessed. - name: ocsf.actor.process.parent_process.file.accessed_time - type: date - -ocsf.actor.process.parent_process.file.accessed_time_dt: - description: The time when the file was last accessed. - name: ocsf.actor.process.parent_process.file.accessed_time_dt - type: date - -ocsf.actor.process.parent_process.file.accessor.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.actor.process.parent_process.file.accessor.account.name - type: keyword - -ocsf.actor.process.parent_process.file.accessor.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.parent_process.file.accessor.account.type - type: keyword - -ocsf.actor.process.parent_process.file.accessor.account.type_id: - description: The normalized account type identifier. - name: ocsf.actor.process.parent_process.file.accessor.account.type_id - type: keyword - -ocsf.actor.process.parent_process.file.accessor.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.actor.process.parent_process.file.accessor.account.uid - type: keyword - -ocsf.actor.process.parent_process.file.accessor.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.parent_process.file.accessor.credential_uid - type: keyword - -ocsf.actor.process.parent_process.file.accessor.domain: - description: 'The domain where the user is defined. For example: the LDAP or Active - Directory domain.' - name: ocsf.actor.process.parent_process.file.accessor.domain - type: keyword - -ocsf.actor.process.parent_process.file.accessor.email_addr: - description: The user's email address. 
- name: ocsf.actor.process.parent_process.file.accessor.email_addr - type: keyword - -ocsf.actor.process.parent_process.file.accessor.full_name: - description: The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.actor.process.parent_process.file.accessor.full_name - type: keyword - -ocsf.actor.process.parent_process.file.accessor.groups.desc: - description: The group description. - name: ocsf.actor.process.parent_process.file.accessor.groups.desc - type: keyword - -ocsf.actor.process.parent_process.file.accessor.groups.name: - description: The group name. - name: ocsf.actor.process.parent_process.file.accessor.groups.name - type: keyword - -ocsf.actor.process.parent_process.file.accessor.groups.privileges: - description: The group privileges. - name: ocsf.actor.process.parent_process.file.accessor.groups.privileges - type: keyword - -ocsf.actor.process.parent_process.file.accessor.groups.type: - description: The type of the group or account. - name: ocsf.actor.process.parent_process.file.accessor.groups.type - type: keyword - -ocsf.actor.process.parent_process.file.accessor.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.process.parent_process.file.accessor.groups.uid - type: keyword - -ocsf.actor.process.parent_process.file.accessor.name: - description: The username. For example, janedoe1. - name: ocsf.actor.process.parent_process.file.accessor.name - type: keyword - -ocsf.actor.process.parent_process.file.accessor.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.actor.process.parent_process.file.accessor.org.name - type: keyword - -ocsf.actor.process.parent_process.file.accessor.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. 
- name: ocsf.actor.process.parent_process.file.accessor.org.ou_name - type: keyword - -ocsf.actor.process.parent_process.file.accessor.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.process.parent_process.file.accessor.org.ou_uid - type: keyword - -ocsf.actor.process.parent_process.file.accessor.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.actor.process.parent_process.file.accessor.org.uid - type: keyword - -ocsf.actor.process.parent_process.file.accessor.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.actor.process.parent_process.file.accessor.type - type: keyword - -ocsf.actor.process.parent_process.file.accessor.type_id: - description: The account type identifier. - name: ocsf.actor.process.parent_process.file.accessor.type_id - type: keyword - -ocsf.actor.process.parent_process.file.accessor.uid: - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.actor.process.parent_process.file.accessor.uid - type: keyword - -ocsf.actor.process.parent_process.file.accessor.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.actor.process.parent_process.file.accessor.uid_alt - type: keyword - -ocsf.actor.process.parent_process.file.attributes: - description: The Bitmask value that represents the file attributes. - name: ocsf.actor.process.parent_process.file.attributes - type: long - -ocsf.actor.process.parent_process.file.company_name: - description: 'The name of the company that published the file. For example: Microsoft - Corporation.' 
- name: ocsf.actor.process.parent_process.file.company_name - type: keyword - -ocsf.actor.process.parent_process.file.confidentiality: - description: The file content confidentiality, normalized to the confidentiality_id - value. In the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.parent_process.file.confidentiality - type: keyword - -ocsf.actor.process.parent_process.file.confidentiality_id: - description: The normalized identifier of the file content confidentiality indicator. - name: ocsf.actor.process.parent_process.file.confidentiality_id - type: keyword - -ocsf.actor.process.parent_process.file.created_time: - description: The time when the file was created. - name: ocsf.actor.process.parent_process.file.created_time - type: date - -ocsf.actor.process.parent_process.file.created_time_dt: - description: The time when the file was created. - name: ocsf.actor.process.parent_process.file.created_time_dt - type: date - -ocsf.actor.process.parent_process.file.creator.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.actor.process.parent_process.file.creator.account.name - type: keyword - -ocsf.actor.process.parent_process.file.creator.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.parent_process.file.creator.account.type - type: keyword - -ocsf.actor.process.parent_process.file.creator.account.type_id: - description: The normalized account type identifier. - name: ocsf.actor.process.parent_process.file.creator.account.type_id - type: keyword - -ocsf.actor.process.parent_process.file.creator.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). 
- name: ocsf.actor.process.parent_process.file.creator.account.uid - type: keyword - -ocsf.actor.process.parent_process.file.creator.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.parent_process.file.creator.credential_uid - type: keyword - -ocsf.actor.process.parent_process.file.creator.domain: - description: 'The domain where the user is defined. For example: the LDAP or Active - Directory domain.' - name: ocsf.actor.process.parent_process.file.creator.domain - type: keyword - -ocsf.actor.process.parent_process.file.creator.email_addr: - description: The user's email address. - name: ocsf.actor.process.parent_process.file.creator.email_addr - type: keyword - -ocsf.actor.process.parent_process.file.creator.full_name: - description: The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.actor.process.parent_process.file.creator.full_name - type: keyword - -ocsf.actor.process.parent_process.file.creator.groups.desc: - description: The group description. - name: ocsf.actor.process.parent_process.file.creator.groups.desc - type: keyword - -ocsf.actor.process.parent_process.file.creator.groups.name: - description: The group name. - name: ocsf.actor.process.parent_process.file.creator.groups.name - type: keyword - -ocsf.actor.process.parent_process.file.creator.groups.privileges: - description: The group privileges. - name: ocsf.actor.process.parent_process.file.creator.groups.privileges - type: keyword - -ocsf.actor.process.parent_process.file.creator.groups.type: - description: The type of the group or account. - name: ocsf.actor.process.parent_process.file.creator.groups.type - type: keyword - -ocsf.actor.process.parent_process.file.creator.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. 
- name: ocsf.actor.process.parent_process.file.creator.groups.uid - type: keyword - -ocsf.actor.process.parent_process.file.creator.name: - description: The name of the city. - name: ocsf.actor.process.parent_process.file.creator.name - type: keyword - -ocsf.actor.process.parent_process.file.creator.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.actor.process.parent_process.file.creator.org.name - type: keyword - -ocsf.actor.process.parent_process.file.creator.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.actor.process.parent_process.file.creator.org.ou_name - type: keyword - -ocsf.actor.process.parent_process.file.creator.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.process.parent_process.file.creator.org.ou_uid - type: keyword - -ocsf.actor.process.parent_process.file.creator.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.actor.process.parent_process.file.creator.org.uid - type: keyword - -ocsf.actor.process.parent_process.file.creator.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.actor.process.parent_process.file.creator.type - type: keyword - -ocsf.actor.process.parent_process.file.creator.type_id: - description: The account type identifier. - name: ocsf.actor.process.parent_process.file.creator.type_id - type: keyword - -ocsf.actor.process.parent_process.file.creator.uid: - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.actor.process.parent_process.file.creator.uid - type: keyword - -ocsf.actor.process.parent_process.file.creator.uid_alt: - description: The alternate user identifier. 
For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.actor.process.parent_process.file.creator.uid_alt - type: keyword - -ocsf.actor.process.parent_process.file.desc: - description: 'The description of the file, as returned by file system. For example: - the description as returned by the Unix file command or the Windows file type.' - name: ocsf.actor.process.parent_process.file.desc - type: keyword - -ocsf.actor.process.parent_process.file.is_system: - description: The indication of whether the object is part of the operating system. - name: ocsf.actor.process.parent_process.file.is_system - type: boolean - -ocsf.actor.process.parent_process.file.mime_type: - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, - if applicable. - name: ocsf.actor.process.parent_process.file.mime_type - type: keyword - -ocsf.actor.process.parent_process.file.modified_time: - description: The time when the file was last modified. - name: ocsf.actor.process.parent_process.file.modified_time - type: date - -ocsf.actor.process.parent_process.file.modified_time_dt: - description: The time when the file was last modified. - name: ocsf.actor.process.parent_process.file.modified_time_dt - type: date - -ocsf.actor.process.parent_process.file.modifier.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.actor.process.parent_process.file.modifier.account.name - type: keyword - -ocsf.actor.process.parent_process.file.modifier.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.parent_process.file.modifier.account.type - type: keyword - -ocsf.actor.process.parent_process.file.modifier.account.type_id: - description: The normalized account type identifier. 
- name: ocsf.actor.process.parent_process.file.modifier.account.type_id - type: keyword - -ocsf.actor.process.parent_process.file.modifier.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.actor.process.parent_process.file.modifier.account.uid - type: keyword - -ocsf.actor.process.parent_process.file.modifier.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.parent_process.file.modifier.credential_uid - type: keyword - -ocsf.actor.process.parent_process.file.modifier.domain: - description: 'The domain where the user is defined. For example: the LDAP or Active - Directory domain.' - name: ocsf.actor.process.parent_process.file.modifier.domain - type: keyword - -ocsf.actor.process.parent_process.file.modifier.email_addr: - description: 'The image name. For example: elixir.' - name: ocsf.actor.process.parent_process.file.modifier.email_addr - type: keyword - -ocsf.actor.process.parent_process.file.modifier.full_name: - description: The user's email address. - name: ocsf.actor.process.parent_process.file.modifier.full_name - type: keyword - -ocsf.actor.process.parent_process.file.modifier.groups.desc: - description: The group description. - name: ocsf.actor.process.parent_process.file.modifier.groups.desc - type: keyword - -ocsf.actor.process.parent_process.file.modifier.groups.name: - description: The group name. - name: ocsf.actor.process.parent_process.file.modifier.groups.name - type: keyword - -ocsf.actor.process.parent_process.file.modifier.groups.privileges: - description: The group privileges. - name: ocsf.actor.process.parent_process.file.modifier.groups.privileges - type: keyword - -ocsf.actor.process.parent_process.file.modifier.groups.type: - description: The type of the group or account. 
- name: ocsf.actor.process.parent_process.file.modifier.groups.type - type: keyword - -ocsf.actor.process.parent_process.file.modifier.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.process.parent_process.file.modifier.groups.uid - type: keyword - -ocsf.actor.process.parent_process.file.modifier.name: - description: The username. For example, janedoe1. - name: ocsf.actor.process.parent_process.file.modifier.name - type: keyword - -ocsf.actor.process.parent_process.file.modifier.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.actor.process.parent_process.file.modifier.org.name - type: keyword - -ocsf.actor.process.parent_process.file.modifier.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.actor.process.parent_process.file.modifier.org.ou_name - type: keyword - -ocsf.actor.process.parent_process.file.modifier.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.process.parent_process.file.modifier.org.ou_uid - type: keyword - -ocsf.actor.process.parent_process.file.modifier.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.actor.process.parent_process.file.modifier.org.uid - type: keyword - -ocsf.actor.process.parent_process.file.modifier.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.actor.process.parent_process.file.modifier.type - type: keyword - -ocsf.actor.process.parent_process.file.modifier.type_id: - description: The account type identifier. 
- name: ocsf.actor.process.parent_process.file.modifier.type_id - type: keyword - -ocsf.actor.process.parent_process.file.modifier.uid: - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.actor.process.parent_process.file.modifier.uid - type: keyword - -ocsf.actor.process.parent_process.file.modifier.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.actor.process.parent_process.file.modifier.uid_alt - type: keyword - -ocsf.actor.process.parent_process.file.name: - description: 'The name of the file. For example: svchost.exe.' - name: ocsf.actor.process.parent_process.file.name - type: keyword - -ocsf.actor.process.parent_process.file.owner.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.actor.process.parent_process.file.owner.account.name - type: keyword - -ocsf.actor.process.parent_process.file.owner.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.parent_process.file.owner.account.type - type: keyword - -ocsf.actor.process.parent_process.file.owner.account.type_id: - description: The normalized account type identifier. - name: ocsf.actor.process.parent_process.file.owner.account.type_id - type: keyword - -ocsf.actor.process.parent_process.file.owner.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.actor.process.parent_process.file.owner.account.uid - type: keyword - -ocsf.actor.process.parent_process.file.owner.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. 
- name: ocsf.actor.process.parent_process.file.owner.credential_uid - type: keyword - -ocsf.actor.process.parent_process.file.owner.domain: - description: 'The domain where the user is defined. For example: the LDAP or Active - Directory domain.' - name: ocsf.actor.process.parent_process.file.owner.domain - type: keyword - -ocsf.actor.process.parent_process.file.owner.email_addr: - description: The user's email address. - name: ocsf.actor.process.parent_process.file.owner.email_addr - type: keyword - -ocsf.actor.process.parent_process.file.owner.full_name: - description: The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.actor.process.parent_process.file.owner.full_name - type: keyword - -ocsf.actor.process.parent_process.file.owner.groups.desc: - description: The group description. - name: ocsf.actor.process.parent_process.file.owner.groups.desc - type: keyword - -ocsf.actor.process.parent_process.file.owner.groups.name: - description: The group name. - name: ocsf.actor.process.parent_process.file.owner.groups.name - type: keyword - -ocsf.actor.process.parent_process.file.owner.groups.privileges: - description: The group privileges. - name: ocsf.actor.process.parent_process.file.owner.groups.privileges - type: keyword - -ocsf.actor.process.parent_process.file.owner.groups.type: - description: The type of the group or account. - name: ocsf.actor.process.parent_process.file.owner.groups.type - type: keyword - -ocsf.actor.process.parent_process.file.owner.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.process.parent_process.file.owner.groups.uid - type: keyword - -ocsf.actor.process.parent_process.file.owner.name: - description: The username. For example, janedoe1. 
- name: ocsf.actor.process.parent_process.file.owner.name - type: keyword - -ocsf.actor.process.parent_process.file.owner.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.actor.process.parent_process.file.owner.org.name - type: keyword - -ocsf.actor.process.parent_process.file.owner.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.actor.process.parent_process.file.owner.org.ou_name - type: keyword - -ocsf.actor.process.parent_process.file.owner.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.process.parent_process.file.owner.org.ou_uid - type: keyword - -ocsf.actor.process.parent_process.file.owner.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.actor.process.parent_process.file.owner.org.uid - type: keyword - -ocsf.actor.process.parent_process.file.owner.type: - description: The event occurred on a personal device.The type of the user. For example, - System, AWS IAM User, etc. - name: ocsf.actor.process.parent_process.file.owner.type - type: keyword - -ocsf.actor.process.parent_process.file.owner.type_id: - description: The account type identifier. - name: ocsf.actor.process.parent_process.file.owner.type_id - type: keyword - -ocsf.actor.process.parent_process.file.owner.uid: - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.actor.process.parent_process.file.owner.uid - type: keyword - -ocsf.actor.process.parent_process.file.owner.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. 
- name: ocsf.actor.process.parent_process.file.owner.uid_alt - type: keyword - -ocsf.actor.process.parent_process.file.parent_folder: - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - name: ocsf.actor.process.parent_process.file.parent_folder - type: keyword - -ocsf.actor.process.parent_process.file.path: - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - name: ocsf.actor.process.parent_process.file.path - type: keyword - -ocsf.actor.process.parent_process.file.product.feature.name: - description: The name of the feature. - name: ocsf.actor.process.parent_process.file.product.feature.name - type: keyword - -ocsf.actor.process.parent_process.file.product.feature.uid: - description: The unique identifier of the feature. - name: ocsf.actor.process.parent_process.file.product.feature.uid - type: keyword - -ocsf.actor.process.parent_process.file.product.feature.version: - description: The version of the feature. - name: ocsf.actor.process.parent_process.file.product.feature.version - type: keyword - -ocsf.actor.process.parent_process.file.product.lang: - description: 'The two letter lower case language codes, as defined by ISO 639-1. - For example: en (English), de (German), or fr (French).' - name: ocsf.actor.process.parent_process.file.product.lang - type: keyword - -ocsf.actor.process.parent_process.file.product.name: - description: The name of the feature. - name: ocsf.actor.process.parent_process.file.product.name - type: keyword - -ocsf.actor.process.parent_process.file.product.path: - description: The installation path of the product. - name: ocsf.actor.process.parent_process.file.product.path - type: keyword - -ocsf.actor.process.parent_process.file.product.uid: - description: The unique identifier of the feature. 
- name: ocsf.actor.process.parent_process.file.product.uid - type: keyword - -ocsf.actor.process.parent_process.file.product.url_string: - description: The URL pointing towards the product. - name: ocsf.actor.process.parent_process.file.product.url_string - type: keyword - -ocsf.actor.process.parent_process.file.product.vendor_name: - description: The name of the vendor of the product. - name: ocsf.actor.process.parent_process.file.product.vendor_name - type: keyword - -ocsf.actor.process.parent_process.file.product.version: - description: 'The version of the product, as defined by the event source. For example: - 2013.1.3-beta.' - name: ocsf.actor.process.parent_process.file.product.version - type: keyword - -ocsf.actor.process.parent_process.file.security_descriptor: - description: The object security descriptor. - name: ocsf.actor.process.parent_process.file.security_descriptor - type: keyword - -ocsf.actor.process.parent_process.file.signature.algorithm: - description: The digital signature algorithm used to create the signature, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.actor.process.parent_process.file.signature.algorithm - type: keyword - -ocsf.actor.process.parent_process.file.signature.algorithm_id: - description: The identifier of the normalized digital signature algorithm. - name: ocsf.actor.process.parent_process.file.signature.algorithm_id - type: keyword - -ocsf.actor.process.parent_process.file.signature.certificate.created_time: - description: The time when the certificate was created. - name: ocsf.actor.process.parent_process.file.signature.certificate.created_time - type: date - -ocsf.actor.process.parent_process.file.signature.certificate.created_time_dt: - description: The time when the certificate was created. 
- name: ocsf.actor.process.parent_process.file.signature.certificate.created_time_dt - type: date - -ocsf.actor.process.parent_process.file.signature.certificate.expiration_time: - description: The expiration time of the certificate. - name: ocsf.actor.process.parent_process.file.signature.certificate.expiration_time - type: date - -ocsf.actor.process.parent_process.file.signature.certificate.expiration_time_dt: - description: The expiration time of the certificate. - name: ocsf.actor.process.parent_process.file.signature.certificate.expiration_time_dt - type: date - -ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm: - description: The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm - type: keyword - -ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm_id: - description: The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm_id - type: keyword - -ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.value: - description: The digital fingerprint value. - name: ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.value - type: keyword - -ocsf.actor.process.parent_process.file.signature.certificate.issuer: - description: The certificate issuer distinguished name. - name: ocsf.actor.process.parent_process.file.signature.certificate.issuer - type: keyword - -ocsf.actor.process.parent_process.file.signature.certificate.serial_number: - description: The serial number of the certificate used to create the digital signature. 
- name: ocsf.actor.process.parent_process.file.signature.certificate.serial_number - type: keyword - -ocsf.actor.process.parent_process.file.signature.certificate.subject: - description: The certificate subject distinguished name. - name: ocsf.actor.process.parent_process.file.signature.certificate.subject - type: keyword - -ocsf.actor.process.parent_process.file.signature.certificate.version: - description: The certificate version. - name: ocsf.actor.process.parent_process.file.signature.certificate.version - type: keyword - -ocsf.actor.process.parent_process.file.signature.created_time: - description: The time when the digital signature was created. - name: ocsf.actor.process.parent_process.file.signature.created_time - type: date - -ocsf.actor.process.parent_process.file.signature.created_time_dt: - description: The time when the digital signature was created. - name: ocsf.actor.process.parent_process.file.signature.created_time_dt - type: date - -ocsf.actor.process.parent_process.file.signature.developer_uid: - description: The developer ID on the certificate that signed the file. - name: ocsf.actor.process.parent_process.file.signature.developer_uid - type: keyword - -ocsf.actor.process.parent_process.file.signature.digest.algorithm: - description: The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.actor.process.parent_process.file.signature.digest.algorithm - type: keyword - -ocsf.actor.process.parent_process.file.signature.digest.algorithm_id: - description: The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.actor.process.parent_process.file.signature.digest.algorithm_id - type: keyword - -ocsf.actor.process.parent_process.file.signature.digest.value: - description: The digital fingerprint value. 
- name: ocsf.actor.process.parent_process.file.signature.digest.value - type: keyword - -ocsf.actor.process.parent_process.file.size: - description: The size of data, in bytes. - name: ocsf.actor.process.parent_process.file.size - type: long - -ocsf.actor.process.parent_process.file.type: - description: The file type. - name: ocsf.actor.process.parent_process.file.type - type: keyword - -ocsf.actor.process.parent_process.file.type_id: - description: The file type ID. - name: ocsf.actor.process.parent_process.file.type_id - type: keyword - -ocsf.actor.process.parent_process.file.uid: - description: The unique identifier of the file as defined by the storage system, - such the file system file ID. - name: ocsf.actor.process.parent_process.file.uid - type: keyword - -ocsf.actor.process.parent_process.file.version: - description: 'The file version. For example: 8.0.7601.17514.' - name: ocsf.actor.process.parent_process.file.version - type: keyword - -ocsf.actor.process.parent_process.file.xattributes: - description: An unordered collection of zero or more name/value pairs where each - pair represents a file or folder extended attribute. - name: ocsf.actor.process.parent_process.file.xattributes - type: keyword - -ocsf.actor.process.parent_process.group.desc: - description: The group description. - name: ocsf.actor.process.parent_process.group.desc - type: keyword - -ocsf.actor.process.parent_process.group.privileges: - description: The group privileges. - name: ocsf.actor.process.parent_process.group.privileges - type: keyword - -ocsf.actor.process.parent_process.group.type: - description: The type of the group or account. - name: ocsf.actor.process.parent_process.group.type - type: keyword - -ocsf.actor.process.parent_process.integrity: - description: The process integrity level, normalized to the caption of the direction_id - value. In the case of 'Other', it is defined by the event source (Windows only). 
- name: ocsf.actor.process.parent_process.integrity - type: keyword - -ocsf.actor.process.parent_process.integrity_id: - description: The normalized identifier of the process integrity level (Windows only). - name: ocsf.actor.process.parent_process.integrity_id - type: keyword - -ocsf.actor.process.parent_process.lineage: - description: 'The lineage of the process, represented by a list of paths for each - ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - name: ocsf.actor.process.parent_process.lineage - type: keyword - -ocsf.actor.process.parent_process.loaded_modules: - description: The list of loaded module names. - name: ocsf.actor.process.parent_process.loaded_modules - type: keyword - -ocsf.actor.process.parent_process.namespace_pid: - description: If running under a process namespace (such as in a container), the - process identifier within that process namespace. - name: ocsf.actor.process.parent_process.namespace_pid - type: long - -ocsf.actor.process.parent_process.parent_process: - description: The parent process of this process object. It is recommended to only - populate this field for the first process object, to prevent deep nesting. - name: ocsf.actor.process.parent_process.parent_process - type: keyword - -ocsf.actor.process.parent_process.parent_process_keyword: - description: '' - name: ocsf.actor.process.parent_process.parent_process_keyword - type: keyword - -ocsf.actor.process.parent_process.sandbox: - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, - high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - name: ocsf.actor.process.parent_process.sandbox - type: keyword - -ocsf.actor.process.parent_process.session.created_time: - description: The time when the session was created. 
- name: ocsf.actor.process.parent_process.session.created_time - type: date - -ocsf.actor.process.parent_process.session.created_time_dt: - description: The time when the session was created. - name: ocsf.actor.process.parent_process.session.created_time_dt - type: date - -ocsf.actor.process.parent_process.session.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.parent_process.session.credential_uid - type: keyword - -ocsf.actor.process.parent_process.session.expiration_time: - description: The session expiration time. - name: ocsf.actor.process.parent_process.session.expiration_time - type: date - -ocsf.actor.process.parent_process.session.expiration_time_dt: - description: The session expiration time. - name: ocsf.actor.process.parent_process.session.expiration_time_dt - type: date - -ocsf.actor.process.parent_process.session.is_remote: - description: The indication of whether the session is remote. - name: ocsf.actor.process.parent_process.session.is_remote - type: boolean - -ocsf.actor.process.parent_process.session.issuer: - description: The identifier of the session issuer. - name: ocsf.actor.process.parent_process.session.issuer - type: keyword - -ocsf.actor.process.parent_process.session.mfa: - description: '' - name: ocsf.actor.process.parent_process.session.mfa - type: boolean - -ocsf.actor.process.parent_process.session.uid: - description: The unique identifier of the session. - name: ocsf.actor.process.parent_process.session.uid - type: keyword - -ocsf.actor.process.parent_process.session.uuid: - description: The universally unique identifier of the session. - name: ocsf.actor.process.parent_process.session.uuid - type: keyword - -ocsf.actor.process.parent_process.terminated_time_dt: - description: The time when the process was terminated. 
- name: ocsf.actor.process.parent_process.terminated_time_dt - type: date - -ocsf.actor.process.parent_process.user.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.actor.process.parent_process.user.account.name - type: keyword - -ocsf.actor.process.parent_process.user.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.parent_process.user.account.type - type: keyword - -ocsf.actor.process.parent_process.user.account.type_id: - description: The normalized account type identifier. - name: ocsf.actor.process.parent_process.user.account.type_id - type: keyword - -ocsf.actor.process.parent_process.user.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.actor.process.parent_process.user.account.uid - type: keyword - -ocsf.actor.process.parent_process.user.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.parent_process.user.credential_uid - type: keyword - -ocsf.actor.process.parent_process.user.groups.desc: - description: The group description. - name: ocsf.actor.process.parent_process.user.groups.desc - type: keyword - -ocsf.actor.process.parent_process.user.groups.name: - description: The group name. - name: ocsf.actor.process.parent_process.user.groups.name - type: keyword - -ocsf.actor.process.parent_process.user.groups.privileges: - description: The group privileges. - name: ocsf.actor.process.parent_process.user.groups.privileges - type: keyword - -ocsf.actor.process.parent_process.user.groups.type: - description: The type of the group or account. - name: ocsf.actor.process.parent_process.user.groups.type - type: keyword - -ocsf.actor.process.parent_process.user.groups.uid: - description: The unique identifier of the group. 
For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.process.parent_process.user.groups.uid - type: keyword - -ocsf.actor.process.parent_process.user.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.actor.process.parent_process.user.org.name - type: keyword - -ocsf.actor.process.parent_process.user.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.actor.process.parent_process.user.org.ou_name - type: keyword - -ocsf.actor.process.parent_process.user.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.process.parent_process.user.org.ou_uid - type: keyword - -ocsf.actor.process.parent_process.user.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.actor.process.parent_process.user.org.uid - type: keyword - -ocsf.actor.process.parent_process.user.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.actor.process.parent_process.user.type - type: keyword - -ocsf.actor.process.parent_process.user.type_id: - description: The account type identifier. - name: ocsf.actor.process.parent_process.user.type_id - type: keyword - -ocsf.actor.process.parent_process.user.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.actor.process.parent_process.user.uid_alt - type: keyword - -ocsf.actor.process.parent_process.xattributes: - description: An unordered collection of zero or more name/value pairs that represent - a process extended attribute. 
- name: ocsf.actor.process.parent_process.xattributes - type: keyword - -ocsf.actor.process.sandbox: - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, - high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - name: ocsf.actor.process.sandbox - type: keyword - -ocsf.actor.process.session.created_time: - description: The time when the session was created. - name: ocsf.actor.process.session.created_time - type: date - -ocsf.actor.process.session.created_time_dt: - description: The time when the session was created. - name: ocsf.actor.process.session.created_time_dt - type: date - -ocsf.actor.process.session.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.session.credential_uid - type: keyword - -ocsf.actor.process.session.expiration_time: - description: The session expiration time. - name: ocsf.actor.process.session.expiration_time - type: date - -ocsf.actor.process.session.expiration_time_dt: - description: The session expiration time. - name: ocsf.actor.process.session.expiration_time_dt - type: date - -ocsf.actor.process.session.is_remote: - description: The indication of whether the session is remote. - name: ocsf.actor.process.session.is_remote - type: boolean - -ocsf.actor.process.session.issuer: - description: The identifier of the session issuer. - name: ocsf.actor.process.session.issuer - type: keyword - -ocsf.actor.process.session.mfa: - description: '' - name: ocsf.actor.process.session.mfa - type: boolean - -ocsf.actor.process.session.uid: - description: The unique identifier of the session. - name: ocsf.actor.process.session.uid - type: keyword - -ocsf.actor.process.session.uuid: - description: The universally unique identifier of the session. - name: ocsf.actor.process.session.uuid - type: keyword - -ocsf.actor.process.terminated_time_dt: - description: The time when the process was terminated. 
- name: ocsf.actor.process.terminated_time_dt - type: date - -ocsf.actor.process.user.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.actor.process.user.account.name - type: keyword - -ocsf.actor.process.user.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.process.user.account.type - type: keyword - -ocsf.actor.process.user.account.type_id: - description: The normalized account type identifier. - name: ocsf.actor.process.user.account.type_id - type: keyword - -ocsf.actor.process.user.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.actor.process.user.account.uid - type: keyword - -ocsf.actor.process.user.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.process.user.credential_uid - type: keyword - -ocsf.actor.process.user.groups.desc: - description: The group description. - name: ocsf.actor.process.user.groups.desc - type: keyword - -ocsf.actor.process.user.groups.name: - description: The group name. - name: ocsf.actor.process.user.groups.name - type: keyword - -ocsf.actor.process.user.groups.privileges: - description: The group privileges. - name: ocsf.actor.process.user.groups.privileges - type: keyword - -ocsf.actor.process.user.groups.type: - description: The type of the group or account. - name: ocsf.actor.process.user.groups.type - type: keyword - -ocsf.actor.process.user.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.process.user.groups.uid - type: keyword - -ocsf.actor.process.user.org.name: - description: The name of the organization. For example, Widget, Inc. 
- name: ocsf.actor.process.user.org.name - type: keyword - -ocsf.actor.process.user.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.actor.process.user.org.ou_name - type: keyword - -ocsf.actor.process.user.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.process.user.org.ou_uid - type: keyword - -ocsf.actor.process.user.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.actor.process.user.org.uid - type: keyword - -ocsf.actor.process.user.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.actor.process.user.type - type: keyword - -ocsf.actor.process.user.type_id: - description: The account type identifier. - name: ocsf.actor.process.user.type_id - type: keyword - -ocsf.actor.process.user.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.actor.process.user.uid_alt - type: keyword - -ocsf.actor.process.xattributes: - description: An unordered collection of zero or more name/value pairs that represent - a process extended attribute. - name: ocsf.actor.process.xattributes - type: keyword - -ocsf.actor.session.created_time: - description: The time when the session was created. - name: ocsf.actor.session.created_time - type: date - -ocsf.actor.session.created_time_dt: - description: The time when the session was created. - name: ocsf.actor.session.created_time_dt - type: date - -ocsf.actor.session.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.session.credential_uid - type: keyword - -ocsf.actor.session.expiration_time: - description: The session expiration time. 
- name: ocsf.actor.session.expiration_time - type: date - -ocsf.actor.session.expiration_time_dt: - description: The session expiration time. - name: ocsf.actor.session.expiration_time_dt - type: date - -ocsf.actor.session.is_remote: - description: The indication of whether the session is remote. - name: ocsf.actor.session.is_remote - type: boolean - -ocsf.actor.session.issuer: - description: The identifier of the session issuer. - name: ocsf.actor.session.issuer - type: keyword - -ocsf.actor.session.mfa: - description: '' - name: ocsf.actor.session.mfa - type: boolean - -ocsf.actor.session.uid: - description: The unique identifier of the session. - name: ocsf.actor.session.uid - type: keyword - -ocsf.actor.session.uuid: - description: The universally unique identifier of the session. - name: ocsf.actor.session.uuid - type: keyword - -ocsf.actor.user.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.actor.user.account.name - type: keyword - -ocsf.actor.user.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.actor.user.account.type - type: keyword - -ocsf.actor.user.account.type_id: - description: The normalized account type identifier. - name: ocsf.actor.user.account.type_id - type: keyword - -ocsf.actor.user.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.actor.user.account.uid - type: keyword - -ocsf.actor.user.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.actor.user.credential_uid - type: keyword - -ocsf.actor.user.groups.desc: - description: The group description. - name: ocsf.actor.user.groups.desc - type: keyword - -ocsf.actor.user.groups.name: - description: The group name. 
- name: ocsf.actor.user.groups.name - type: keyword - -ocsf.actor.user.groups.privileges: - description: The group privileges. - name: ocsf.actor.user.groups.privileges - type: keyword - -ocsf.actor.user.groups.type: - description: The type of the group or account. - name: ocsf.actor.user.groups.type - type: keyword - -ocsf.actor.user.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.actor.user.groups.uid - type: keyword - -ocsf.actor.user.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.actor.user.org.name - type: keyword - -ocsf.actor.user.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.actor.user.org.ou_name - type: keyword - -ocsf.actor.user.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.actor.user.org.ou_uid - type: keyword - -ocsf.actor.user.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.actor.user.org.uid - type: keyword - -ocsf.actor.user.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.actor.user.type - type: keyword - -ocsf.actor.user.type_id: - description: The account type identifier. - name: ocsf.actor.user.type_id - type: keyword - -ocsf.actor.user.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.actor.user.uid_alt - type: keyword - -ocsf.actual_permissions: - description: The permissions that were granted to the in a platform-native format. - name: ocsf.actual_permissions - type: long - -ocsf.analytic.category: - description: The analytic category. 
- name: ocsf.analytic.category - type: keyword - -ocsf.analytic.desc: - description: The description of the analytic that generated the finding. - name: ocsf.analytic.desc - type: keyword - -ocsf.analytic.name: - description: The name of the analytic that generated the finding. - name: ocsf.analytic.name - type: keyword - -ocsf.analytic.related_analytics.category: - description: The analytic category. - name: ocsf.analytic.related_analytics.category - type: keyword - -ocsf.analytic.related_analytics.desc: - description: The description of the analytic that generated the finding. - name: ocsf.analytic.related_analytics.desc - type: keyword - -ocsf.analytic.related_analytics.name: - description: The name of the analytic that generated the finding. - name: ocsf.analytic.related_analytics.name - type: keyword - -ocsf.analytic.related_analytics.related_analytics: - description: '' - name: ocsf.analytic.related_analytics.related_analytics - type: keyword - -ocsf.analytic.related_analytics.type: - description: The analytic type. - name: ocsf.analytic.related_analytics.type - type: keyword - -ocsf.analytic.related_analytics.type_id: - description: The analytic type ID. - name: ocsf.analytic.related_analytics.type_id - type: keyword - -ocsf.analytic.related_analytics.uid: - description: The unique identifier of the analytic that generated the finding. - name: ocsf.analytic.related_analytics.uid - type: keyword - -ocsf.analytic.related_analytics.version: - description: 'The analytic version. For example: 1.1.' - name: ocsf.analytic.related_analytics.version - type: keyword - -ocsf.analytic.type: - description: The analytic type. - name: ocsf.analytic.type - type: keyword - -ocsf.analytic.type_id: - description: The analytic type ID. - name: ocsf.analytic.type_id - type: keyword - -ocsf.analytic.uid: - description: The unique identifier of the analytic that generated the finding. 
- name: ocsf.analytic.uid - type: keyword - -ocsf.analytic.version: - description: 'The analytic version. For example: 1.1.' - name: ocsf.analytic.version - type: keyword - -ocsf.answers.class: - description: 'The class of DNS data contained in this resource record. See RFC1035. - For example: IN.' - name: ocsf.answers.class - type: keyword - -ocsf.answers.flag_ids: - description: The list of DNS answer header flag IDs. - name: ocsf.answers.flag_ids - type: keyword - -ocsf.answers.flags: - description: The list of DNS answer header flags. - name: ocsf.answers.flags - type: keyword - -ocsf.answers.packet_uid: - description: The DNS packet identifier assigned by the program that generated the - query. The identifier is copied to the response. - name: ocsf.answers.packet_uid - type: keyword - -ocsf.answers.rdata: - description: The data describing the DNS resource. The meaning of this data depends - on the type and class of the resource record. - name: ocsf.answers.rdata - type: keyword - -ocsf.answers.ttl: - description: The time interval that the resource record may be cached. Zero value - means that the resource record can only be used for the transaction in progress, - and should not be cached. - name: ocsf.answers.ttl - type: long - -ocsf.answers.type: - description: 'The type of data contained in this resource record. See RFC1035. For - example: CNAME.' - name: ocsf.answers.type - type: keyword - -ocsf.api.operation: - description: Verb/Operation associated with the request. - name: ocsf.api.operation - type: keyword - -ocsf.api.request.flags: - description: The list of communication flags, normalized to the captions of the - flag_ids values. In the case of 'Other', they are defined by the event source. - name: ocsf.api.request.flags - type: keyword - -ocsf.api.request.uid: - description: The unique request identifier. - name: ocsf.api.request.uid - type: keyword - -ocsf.api.response.code: - description: The numeric response sent to a request. 
- name: ocsf.api.response.code - type: long - -ocsf.api.response.error: - description: Error Code. - name: ocsf.api.response.error - type: keyword - -ocsf.api.response.error_message: - description: Error Message. - name: ocsf.api.response.error_message - type: keyword - -ocsf.api.response.flags: - description: The list of communication flags, normalized to the captions of the - flag_ids values. In the case of 'Other', they are defined by the event source. - name: ocsf.api.response.flags - type: keyword - -ocsf.api.response.message: - description: The description of the event, as defined by the event source. - name: ocsf.api.response.message - type: keyword - -ocsf.api.service.labels: - description: The list of labels associated with the service. - name: ocsf.api.service.labels - type: keyword - -ocsf.api.service.name: - description: The name of the service. - name: ocsf.api.service.name - type: keyword - -ocsf.api.service.uid: - description: The unique identifier of the service. - name: ocsf.api.service.uid - type: keyword - -ocsf.api.service.version: - description: The version of the service. - name: ocsf.api.service.version - type: keyword - -ocsf.api.version: - description: The version of the API service. - name: ocsf.api.version - type: keyword - -ocsf.app.feature.name: - description: The name of the feature. - name: ocsf.app.feature.name - type: keyword - -ocsf.app.feature.uid: - description: The unique identifier of the feature. - name: ocsf.app.feature.uid - type: keyword - -ocsf.app.feature.version: - description: The version of the feature. - name: ocsf.app.feature.version - type: keyword - -ocsf.app.lang: - description: The two letter lower case language codes, as defined by ISO 639-1. - name: ocsf.app.lang - type: keyword - -ocsf.app.name: - description: The CIS benchmark name. - name: ocsf.app.name - type: keyword - -ocsf.app.path: - description: The installation path of the product. 
- name: ocsf.app.path - type: keyword - -ocsf.app.uid: - description: The unique identifier of the product. - name: ocsf.app.uid - type: keyword - -ocsf.app.url_string: - description: The URL pointing towards the product. - name: ocsf.app.url_string - type: keyword - -ocsf.app.vendor_name: - description: The name of the vendor of the product. - name: ocsf.app.vendor_name - type: keyword - -ocsf.app.version: - description: The version of the product, as defined by the event source. - name: ocsf.app.version - type: keyword - -ocsf.app_name: - description: The name of the application that is associated with the event or object. - name: ocsf.app_name - type: keyword - -ocsf.attacks.tactics.name: - description: The tactic name that is associated with the attack technique, as defined - by ATT&CK MatrixTM. - name: ocsf.attacks.tactics.name - type: keyword - -ocsf.attacks.tactics.uid: - description: The tactic ID that is associated with the attack technique, as defined - by ATT&CK MatrixTM. - name: ocsf.attacks.tactics.uid - type: keyword - -ocsf.attacks.technique.name: - description: 'The name of the attack technique, as defined by ATT&CK MatrixTM. For - example: Drive-by Compromise.' - name: ocsf.attacks.technique.name - type: keyword - -ocsf.attacks.technique.uid: - description: 'The unique identifier of the attack technique, as defined by ATT&CK - MatrixTM. For example: T1189.' - name: ocsf.attacks.technique.uid - type: keyword - -ocsf.attacks.version: - description: The ATT&CK Matrix version. - name: ocsf.attacks.version - type: keyword - -ocsf.attempt: - description: The attempt number for attempting to deliver the email. - name: ocsf.attempt - type: long - -ocsf.auth_protocol: - description: The authentication protocol as defined by the caption of 'auth_protocol_id'. - In the case of 'Other', it is defined by the event source. 
- name: ocsf.auth_protocol - type: keyword - -ocsf.auth_protocol_id: - description: The normalized identifier of the authentication protocol used to create - the user session. - name: ocsf.auth_protocol_id - type: keyword - -ocsf.banner: - description: The initial SMTP connection response that a messaging server receives - after it connects to a email server. - name: ocsf.banner - type: keyword - -ocsf.base_address: - description: The memory address that was access or requested. - name: ocsf.base_address - type: keyword - -ocsf.capabilities: - description: A list of RDP capabilities. - name: ocsf.capabilities - type: keyword - -ocsf.category_name: - description: 'The event category name, as defined by category_uid value: Identity - & Access Management.' - name: ocsf.category_name - type: keyword - -ocsf.category_uid: - description: The category unique identifier of the event.3 Identity & Access ManagementIdentity - & Access Management (IAM) events relate to the supervision of the system's authentication - and access control model. Examples of such events are the success or failure of - authentication, granting of authority, password change, entity change, privileged - use etc. - name: ocsf.category_uid - type: long - -ocsf.certificate.created_time: - description: The time when the certificate was created. - name: ocsf.certificate.created_time - type: date - -ocsf.certificate.created_time_dt: - description: The time when the certificate was created. - name: ocsf.certificate.created_time_dt - type: date - -ocsf.certificate.expiration_time: - description: The expiration time of the certificate. - name: ocsf.certificate.expiration_time - type: date - -ocsf.certificate.expiration_time_dt: - description: The expiration time of the certificate. - name: ocsf.certificate.expiration_time_dt - type: date - -ocsf.certificate.fingerprints.algorithm: - description: The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the - event source. - name: ocsf.certificate.fingerprints.algorithm - type: keyword - -ocsf.certificate.fingerprints.algorithm_id: - description: The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.certificate.fingerprints.algorithm_id - type: keyword - -ocsf.certificate.fingerprints.value: - description: The digital fingerprint value. - name: ocsf.certificate.fingerprints.value - type: keyword - -ocsf.certificate.issuer: - description: The certificate issuer distinguished name. - name: ocsf.certificate.issuer - type: keyword - -ocsf.certificate.serial_number: - description: The serial number of the certificate used to create the digital signature. - name: ocsf.certificate.serial_number - type: keyword - -ocsf.certificate.subject: - description: The certificate subject distinguished name. - name: ocsf.certificate.subject - type: keyword - -ocsf.certificate.version: - description: The certificate version. - name: ocsf.certificate.version - type: keyword - -ocsf.cis_benchmark_result.desc: - description: The CIS benchmark description. - name: ocsf.cis_benchmark_result.desc - type: keyword - -ocsf.cis_benchmark_result.name: - description: The CIS benchmark name. - name: ocsf.cis_benchmark_result.name - type: keyword - -ocsf.cis_benchmark_result.remediation.desc: - description: The description of the remediation strategy. - name: ocsf.cis_benchmark_result.remediation.desc - type: keyword - -ocsf.cis_benchmark_result.remediation.kb_articles: - description: The KB article/s related to the entity. - name: ocsf.cis_benchmark_result.remediation.kb_articles - type: keyword - -ocsf.cis_benchmark_result.rule.type: - description: The rule type. - name: ocsf.cis_benchmark_result.rule.type - type: keyword - -ocsf.cis_csc.control: - description: The CIS critical security control. 
- name: ocsf.cis_csc.control - type: keyword - -ocsf.cis_csc.version: - description: The CIS critical security control version. - name: ocsf.cis_csc.version - type: keyword - -ocsf.class_name: - description: 'The event class name, as defined by class_uid value: Security Finding.' - name: ocsf.class_name - type: keyword - -ocsf.class_uid: - description: The unique identifier of a class. A Class describes the attributes - available in an event.2001 Security FindingSecurity Finding events describe findings, - detections, anomalies, alerts and/or actions performed by security products. - name: ocsf.class_uid - type: long - -ocsf.client_dialects: - description: The list of SMB dialects that the client speaks. - name: ocsf.client_dialects - type: keyword - -ocsf.client_hassh.algorithm: - description: 'The concatenation of key exchange, encryption, authentication and - compression algorithms (separated by '';''). NOTE: This is not the underlying - algorithm for the hash implementation.' - name: ocsf.client_hassh.algorithm - type: keyword - -ocsf.client_hassh.fingerprint.algorithm: - description: The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.client_hassh.fingerprint.algorithm - type: keyword - -ocsf.client_hassh.fingerprint.algorithm_id: - description: The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.client_hassh.fingerprint.algorithm_id - type: keyword - -ocsf.client_hassh.fingerprint.value: - description: The digital fingerprint value. - name: ocsf.client_hassh.fingerprint.value - type: keyword - -ocsf.cloud.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. 
- name: ocsf.cloud.account.type - type: keyword - -ocsf.cloud.account.type_id: - description: The normalized account type identifier. - name: ocsf.cloud.account.type_id - type: keyword - -ocsf.cloud.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.cloud.org.name - type: keyword - -ocsf.cloud.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.cloud.org.ou_name - type: keyword - -ocsf.cloud.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.cloud.org.ou_uid - type: keyword - -ocsf.cloud.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.cloud.org.uid - type: keyword - -ocsf.codes: - description: The list of return codes to the FTP command. - name: ocsf.codes - type: long - -ocsf.command: - description: The command name. - name: ocsf.command - type: keyword - -ocsf.command_responses: - description: The list of responses to the FTP command. - name: ocsf.command_responses - type: keyword - -ocsf.comment: - description: The user provided comment about why the entity was changed. - name: ocsf.comment - type: keyword - -ocsf.compliance.requirements: - description: A list of applicable compliance requirements for which this finding - is related to. - name: ocsf.compliance.requirements - type: keyword - -ocsf.compliance.status: - description: The event status, normalized to the caption of the status_id value. - In the case of 'Other', it is defined by the event source. - name: ocsf.compliance.status - type: keyword - -ocsf.compliance.status_detail: - description: The status details contains additional information about the event - outcome. 
- name: ocsf.compliance.status_detail - type: keyword - -ocsf.component: - description: The name or relative pathname of a sub-component of the data object, - if applicable. - name: ocsf.component - type: keyword - -ocsf.confidence: - description: The confidence, normalized to the caption of the confidence_id value. - In the case of 'Other', it is defined by the event source. - name: ocsf.confidence - type: keyword - -ocsf.confidence_id: - description: The normalized confidence refers to the accuracy of the rule that created - the finding. A rule with a low confidence means that the finding scope is wide - and may create finding reports that may not be malicious in nature. - name: ocsf.confidence_id - type: keyword - -ocsf.confidence_score: - description: The confidence score as reported by the event source. - name: ocsf.confidence_score - type: long - -ocsf.connection_info.boundary: - description: The boundary of the connection, normalized to the caption of 'boundary_id'. - In the case of 'Other', it is defined by the event source.For cloud connections, - this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional - networks, this is described as Local, Internal, or External. - name: ocsf.connection_info.boundary - type: keyword - -ocsf.connection_info.boundary_id: - description: The normalized identifier of the boundary of the connection. For cloud - connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). - For traditional networks, this is described as Local, Internal, or External. - name: ocsf.connection_info.boundary_id - type: keyword - -ocsf.connection_info.direction: - description: The direction of the initiated connection, traffic, or email, normalized - to the caption of the direction_id value. In the case of 'Other', it is defined - by the event source. 
- name: ocsf.connection_info.direction - type: keyword - -ocsf.connection_info.direction_id: - description: The normalized identifier of the direction of the initiated connection, - traffic, or email. - name: ocsf.connection_info.direction_id - type: keyword - -ocsf.connection_info.protocol_ver_id: - description: The Internet Protocol version identifier. - name: ocsf.connection_info.protocol_ver_id - type: keyword - -ocsf.connection_info.tcp_flags: - description: The network connection TCP header flags (i.e., control bits). - name: ocsf.connection_info.tcp_flags - type: long - -ocsf.connection_info.uid: - description: The unique identifier of the connection. - name: ocsf.connection_info.uid - type: keyword - -ocsf.connection_uid: - description: The network connection identifier. - name: ocsf.connection_uid - type: keyword - -ocsf.count: - description: The number of times that events in the same logical group occurred - during the event Start Time to End Time period. - name: ocsf.count - type: long - -ocsf.create_mask: - description: The original Windows mask that is required to create the object. - name: ocsf.create_mask - type: keyword - -ocsf.data_sources: - description: The data sources for the finding. - name: ocsf.data_sources - type: keyword - -ocsf.dce_rpc.command: - description: The request command (e.g. REQUEST, BIND). - name: ocsf.dce_rpc.command - type: keyword - -ocsf.dce_rpc.command_response: - description: The reply to the request command (e.g. RESPONSE, BINDACK or FAULT). - name: ocsf.dce_rpc.command_response - type: keyword - -ocsf.dce_rpc.flags: - description: The list of interface flags. - name: ocsf.dce_rpc.flags - type: keyword - -ocsf.dce_rpc.opnum: - description: An operation number used to identify a specific remote procedure call - (RPC) method or a method in an interface. 
- name: ocsf.dce_rpc.opnum - type: long - -ocsf.dce_rpc.rpc_interface.ack_reason: - description: An integer that provides a reason code or additional information about - the acknowledgment result. - name: ocsf.dce_rpc.rpc_interface.ack_reason - type: long - -ocsf.dce_rpc.rpc_interface.ack_result: - description: An integer that denotes the acknowledgment result of the DCE/RPC call. - name: ocsf.dce_rpc.rpc_interface.ack_result - type: long - -ocsf.dce_rpc.rpc_interface.uuid: - description: The unique identifier of the particular remote procedure or service. - name: ocsf.dce_rpc.rpc_interface.uuid - type: keyword - -ocsf.dce_rpc.rpc_interface.version: - description: The version of the DCE/RPC protocol being used in the session. - name: ocsf.dce_rpc.rpc_interface.version - type: keyword - -ocsf.device.autoscale_uid: - description: The unique identifier of the cloud autoscale configuration. - name: ocsf.device.autoscale_uid - type: keyword - -ocsf.device.created_time: - description: The time when the device was known to have been created. - name: ocsf.device.created_time - type: date - -ocsf.device.created_time_dt: - description: TThe time when the device was known to have been created. - name: ocsf.device.created_time_dt - type: date - -ocsf.device.desc: - description: The description of the device, ordinarily as reported by the operating - system. - name: ocsf.device.desc - type: keyword - -ocsf.device.first_seen_time: - description: The initial discovery time of the device. - name: ocsf.device.first_seen_time - type: date - -ocsf.device.first_seen_time_dt: - description: The initial discovery time of the device. - name: ocsf.device.first_seen_time_dt - type: date - -ocsf.device.groups.desc: - description: The group description. - name: ocsf.device.groups.desc - type: keyword - -ocsf.device.groups.name: - description: The group name. - name: ocsf.device.groups.name - type: keyword - -ocsf.device.groups.privileges: - description: The group privileges. 
- name: ocsf.device.groups.privileges - type: keyword - -ocsf.device.groups.type: - description: The type of the group or account. - name: ocsf.device.groups.type - type: keyword - -ocsf.device.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.device.groups.uid - type: keyword - -ocsf.device.hw_info.bios_date: - description: 'The BIOS date. For example: 03/31/16.' - name: ocsf.device.hw_info.bios_date - type: keyword - -ocsf.device.hw_info.bios_manufacturer: - description: 'The BIOS manufacturer. For example: LENOVO.' - name: ocsf.device.hw_info.bios_manufacturer - type: keyword - -ocsf.device.hw_info.bios_ver: - description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).' - name: ocsf.device.hw_info.bios_ver - type: keyword - -ocsf.device.hw_info.chassis: - description: The chassis type describes the system enclosure or physical form factor. - Such as the following examples for Windows Windows Chassis Types. - name: ocsf.device.hw_info.chassis - type: keyword - -ocsf.device.hw_info.cpu_bits: - description: 'The cpu architecture, the number of bits used for addressing in memory. - For example: 32 or 64.' - name: ocsf.device.hw_info.cpu_bits - type: long - -ocsf.device.hw_info.cpu_cores: - description: 'The number of processor cores in all installed processors. For Example: - 42.' - name: ocsf.device.hw_info.cpu_cores - type: long - -ocsf.device.hw_info.cpu_count: - description: 'The number of physical processors on a system. For example: 1.' - name: ocsf.device.hw_info.cpu_count - type: long - -ocsf.device.hw_info.cpu_speed: - description: 'The speed of the processor in Mhz. For Example: 4200.' - name: ocsf.device.hw_info.cpu_speed - type: long - -ocsf.device.hw_info.cpu_type: - description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' 
- name: ocsf.device.hw_info.cpu_type - type: keyword - -ocsf.device.hw_info.desktop_display.color_depth: - description: The numeric color depth. - name: ocsf.device.hw_info.desktop_display.color_depth - type: long - -ocsf.device.hw_info.desktop_display.physical_height: - description: The numeric physical height of display. - name: ocsf.device.hw_info.desktop_display.physical_height - type: long - -ocsf.device.hw_info.desktop_display.physical_orientation: - description: The numeric physical orientation of display. - name: ocsf.device.hw_info.desktop_display.physical_orientation - type: long - -ocsf.device.hw_info.desktop_display.physical_width: - description: The numeric physical width of display. - name: ocsf.device.hw_info.desktop_display.physical_width - type: long - -ocsf.device.hw_info.desktop_display.scale_factor: - description: The numeric scale factor of display. - name: ocsf.device.hw_info.desktop_display.scale_factor - type: long - -ocsf.device.hw_info.keyboard_info.function_keys: - description: The number of function keys on client keyboard. - name: ocsf.device.hw_info.keyboard_info.function_keys - type: long - -ocsf.device.hw_info.keyboard_info.ime: - description: The Input Method Editor (IME) file name. - name: ocsf.device.hw_info.keyboard_info.ime - type: keyword - -ocsf.device.hw_info.keyboard_info.keyboard_layout: - description: The keyboard locale identifier name (e.g., en-US). - name: ocsf.device.hw_info.keyboard_info.keyboard_layout - type: keyword - -ocsf.device.hw_info.keyboard_info.keyboard_subtype: - description: The keyboard numeric code. - name: ocsf.device.hw_info.keyboard_info.keyboard_subtype - type: long - -ocsf.device.hw_info.keyboard_info.keyboard_type: - description: The keyboard type (e.g., xt, ico). - name: ocsf.device.hw_info.keyboard_info.keyboard_type - type: keyword - -ocsf.device.hw_info.ram_size: - description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' 
- name: ocsf.device.hw_info.ram_size - type: long - -ocsf.device.hw_info.serial_number: - description: The device manufacturer serial number. - name: ocsf.device.hw_info.serial_number - type: keyword - -ocsf.device.hypervisor: - description: The name of the hypervisor running on the device. For example, Xen, - VMware, Hyper-V, VirtualBox, etc. - name: ocsf.device.hypervisor - type: keyword - -ocsf.device.image.labels: - description: The image labels. - name: ocsf.device.image.labels - type: keyword - -ocsf.device.image.name: - description: 'The image name. For example: elixir.' - name: ocsf.device.image.name - type: keyword - -ocsf.device.image.path: - description: The full path to the image file. - name: ocsf.device.image.path - type: keyword - -ocsf.device.image.tag: - description: 'The image tag. For example: 1.11-alpine.' - name: ocsf.device.image.tag - type: keyword - -ocsf.device.image.uid: - description: 'The unique image ID. For example: 77af4d6b9913.' - name: ocsf.device.image.uid - type: keyword - -ocsf.device.imei: - description: The International Mobile Station Equipment Identifier that is associated - with the device. - name: ocsf.device.imei - type: keyword - -ocsf.device.instance_uid: - description: The unique identifier of a VM instance. - name: ocsf.device.instance_uid - type: keyword - -ocsf.device.interface_name: - description: The name of the network interface (e.g. eth2). - name: ocsf.device.interface_name - type: keyword - -ocsf.device.interface_uid: - description: The unique identifier of the network interface. - name: ocsf.device.interface_uid - type: keyword - -ocsf.device.is_compliant: - description: The event occurred on a compliant device. - name: ocsf.device.is_compliant - type: boolean - -ocsf.device.is_managed: - description: The event occurred on a managed device. - name: ocsf.device.is_managed - type: boolean - -ocsf.device.is_personal: - description: The event occurred on a personal device. 
- name: ocsf.device.is_personal - type: boolean - -ocsf.device.is_trusted: - description: The event occurred on a trusted device. - name: ocsf.device.is_trusted - type: boolean - -ocsf.device.last_seen_time: - description: The most recent discovery time of the device. - name: ocsf.device.last_seen_time - type: date - -ocsf.device.last_seen_time_dt: - description: The most recent discovery time of the device. - name: ocsf.device.last_seen_time_dt - type: date - -ocsf.device.location.is_on_premises: - description: The indication of whether the location is on premises. - name: ocsf.device.location.is_on_premises - type: boolean - -ocsf.device.location.isp: - description: The name of the Internet Service Provider (ISP). - name: ocsf.device.location.isp - type: keyword - -ocsf.device.location.provider: - description: The provider of the geographical location data. - name: ocsf.device.location.provider - type: keyword - -ocsf.device.modified_time: - description: The time when the device was last known to have been modified. - name: ocsf.device.modified_time - type: date - -ocsf.device.modified_time_dt: - description: The time when the device was last known to have been modified. - name: ocsf.device.modified_time_dt - type: date - -ocsf.device.network_interfaces.hostname: - description: The hostname associated with the network interface. - name: ocsf.device.network_interfaces.hostname - type: keyword - -ocsf.device.network_interfaces.ip: - description: The IP address associated with the network interface. - name: ocsf.device.network_interfaces.ip - type: ip - -ocsf.device.network_interfaces.mac: - description: The MAC address of the network interface. - name: ocsf.device.network_interfaces.mac - type: keyword - -ocsf.device.network_interfaces.name: - description: The name of the network interface. 
- name: ocsf.device.network_interfaces.name - type: keyword - -ocsf.device.network_interfaces.namespace: - description: The namespace is useful in merger or acquisition situations. For example, - when similar entities exists that you need to keep separate. - name: ocsf.device.network_interfaces.namespace - type: keyword - -ocsf.device.network_interfaces.subnet_prefix: - description: The subnet prefix length determines the number of bits used to represent - the network part of the IP address. The remaining bits are reserved for identifying - individual hosts within that subnet. - name: ocsf.device.network_interfaces.subnet_prefix - type: long - -ocsf.device.network_interfaces.type: - description: The type of network interface. - name: ocsf.device.network_interfaces.type - type: keyword - -ocsf.device.network_interfaces.type_id: - description: The network interface type identifier. - name: ocsf.device.network_interfaces.type_id - type: keyword - -ocsf.device.network_interfaces.uid: - description: The unique identifier for the network interface. - name: ocsf.device.network_interfaces.uid - type: keyword - -ocsf.device.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.device.org.name - type: keyword - -ocsf.device.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.device.org.ou_name - type: keyword - -ocsf.device.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.device.org.ou_uid - type: keyword - -ocsf.device.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.device.org.uid - type: keyword - -ocsf.device.os.country: - description: The operating system country code, as defined by the ISO 3166-1 standard - (Alpha-2 code). 
For the complete list of country codes, see ISO 3166-1 alpha-2 - codes. - name: ocsf.device.os.country - type: keyword - -ocsf.device.os.cpu_bits: - description: The cpu architecture, the number of bits used for addressing in memory. - For example, 32 or 64. - name: ocsf.device.os.cpu_bits - type: long - -ocsf.device.os.edition: - description: The operating system edition. For example, Professional. - name: ocsf.device.os.edition - type: keyword - -ocsf.device.os.lang: - description: The two letter lower case language codes, as defined by ISO 639-1. - name: ocsf.device.os.lang - type: keyword - -ocsf.device.os.sp_name: - description: The name of the latest Service Pack. - name: ocsf.device.os.sp_name - type: keyword - -ocsf.device.os.sp_ver: - description: The version number of the latest Service Pack. - name: ocsf.device.os.sp_ver - type: keyword - -ocsf.device.os.type_id: - description: The type identifier of the operating system. - name: ocsf.device.os.type_id - type: keyword - -ocsf.device.os.version: - description: The version of the OS running on the device that originated the event. - For example, "Windows 10", "OS X 10.7", or "iOS 9". - name: ocsf.device.os.version - type: keyword - -ocsf.device.region: - description: The region where the virtual machine is located. For example, an AWS - Region. - name: ocsf.device.region - type: keyword - -ocsf.device.risk_level_id: - description: The normalized risk level id. - name: ocsf.device.risk_level_id - type: keyword - -ocsf.device.subnet: - description: The subnet mask. - name: ocsf.device.subnet - type: keyword - -ocsf.device.subnet_uid: - description: The unique identifier of a virtual subnet. - name: ocsf.device.subnet_uid - type: keyword - -ocsf.device.type_id: - description: The device type ID. - name: ocsf.device.type_id - type: keyword - -ocsf.device.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. 
- name: ocsf.device.uid_alt - type: keyword - -ocsf.device.vpc_uid: - description: The unique identifier of the Virtual Private Cloud (VPC). - name: ocsf.device.vpc_uid - type: keyword - -ocsf.dialect: - description: The negotiated protocol dialect. - name: ocsf.dialect - type: keyword - -ocsf.direction: - description: The direction of the email, as defined by the direction_id value. - name: ocsf.direction - type: keyword - -ocsf.direction_id: - description: The direction of the email relative to the scanning host or organization. - name: ocsf.direction_id - type: keyword - -ocsf.disposition: - description: The event disposition name, normalized to the caption of the disposition_id - value. In the case of 'Other', it is defined by the event source. - name: ocsf.disposition - type: keyword - -ocsf.disposition_id: - description: When security issues, such as malware or policy violations, are detected - and possibly corrected, then disposition_id describes the action taken by the - security product. - name: ocsf.disposition_id - type: keyword - -ocsf.driver.file.accessed_time_dt: - description: The time when the file was last accessed. - name: ocsf.driver.file.accessed_time_dt - type: date - -ocsf.driver.file.accessor.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.driver.file.accessor.account.name - type: keyword - -ocsf.driver.file.accessor.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.driver.file.accessor.account.type - type: keyword - -ocsf.driver.file.accessor.account.type_id: - description: The normalized account type identifier. - name: ocsf.driver.file.accessor.account.type_id - type: keyword - -ocsf.driver.file.accessor.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). 
- name: ocsf.driver.file.accessor.account.uid - type: keyword - -ocsf.driver.file.accessor.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.driver.file.accessor.credential_uid - type: keyword - -ocsf.driver.file.accessor.domain: - description: 'The domain where the user is defined. For example: the LDAP or Active - Directory domain.' - name: ocsf.driver.file.accessor.domain - type: keyword - -ocsf.driver.file.accessor.email_addr: - description: The user's email address. - name: ocsf.driver.file.accessor.email_addr - type: keyword - -ocsf.driver.file.accessor.full_name: - description: The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.driver.file.accessor.full_name - type: keyword - -ocsf.driver.file.accessor.groups.desc: - description: The group description. - name: ocsf.driver.file.accessor.groups.desc - type: keyword - -ocsf.driver.file.accessor.groups.name: - description: The group name. - name: ocsf.driver.file.accessor.groups.name - type: keyword - -ocsf.driver.file.accessor.groups.privileges: - description: The group privileges. - name: ocsf.driver.file.accessor.groups.privileges - type: keyword - -ocsf.driver.file.accessor.groups.type: - description: The type of the group or account. - name: ocsf.driver.file.accessor.groups.type - type: keyword - -ocsf.driver.file.accessor.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.driver.file.accessor.groups.uid - type: keyword - -ocsf.driver.file.accessor.name: - description: The username. For example, janedoe1. - name: ocsf.driver.file.accessor.name - type: keyword - -ocsf.driver.file.accessor.org.name: - description: The name of the organization. For example, Widget, Inc. 
- name: ocsf.driver.file.accessor.org.name - type: keyword - -ocsf.driver.file.accessor.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.driver.file.accessor.org.ou_name - type: keyword - -ocsf.driver.file.accessor.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.driver.file.accessor.org.ou_uid - type: keyword - -ocsf.driver.file.accessor.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.driver.file.accessor.org.uid - type: keyword - -ocsf.driver.file.accessor.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.driver.file.accessor.type - type: keyword - -ocsf.driver.file.accessor.type_id: - description: The account type identifier. - name: ocsf.driver.file.accessor.type_id - type: keyword - -ocsf.driver.file.accessor.uid: - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.driver.file.accessor.uid - type: keyword - -ocsf.driver.file.accessor.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.driver.file.accessor.uid_alt - type: keyword - -ocsf.driver.file.attributes: - description: The Bitmask value that represents the file attributes. - name: ocsf.driver.file.attributes - type: long - -ocsf.driver.file.company_name: - description: 'The name of the company that published the file. For example: Microsoft - Corporation.' - name: ocsf.driver.file.company_name - type: keyword - -ocsf.driver.file.confidentiality: - description: The file content confidentiality, normalized to the confidentiality_id - value. In the case of 'Other', it is defined by the event source. 
- name: ocsf.driver.file.confidentiality - type: keyword - -ocsf.driver.file.confidentiality_id: - description: The normalized identifier of the file content confidentiality indicator. - name: ocsf.driver.file.confidentiality_id - type: keyword - -ocsf.driver.file.created_time_dt: - description: The time when the file was created. - name: ocsf.driver.file.created_time_dt - type: date - -ocsf.driver.file.creator.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.driver.file.creator.account.name - type: keyword - -ocsf.driver.file.creator.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.driver.file.creator.account.type - type: keyword - -ocsf.driver.file.creator.account.type_id: - description: The normalized account type identifier. - name: ocsf.driver.file.creator.account.type_id - type: keyword - -ocsf.driver.file.creator.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.driver.file.creator.account.uid - type: keyword - -ocsf.driver.file.creator.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.driver.file.creator.credential_uid - type: keyword - -ocsf.driver.file.creator.domain: - description: 'The domain where the user is defined. For example: the LDAP or Active - Directory domain.' - name: ocsf.driver.file.creator.domain - type: keyword - -ocsf.driver.file.creator.email_addr: - description: The user's email address. - name: ocsf.driver.file.creator.email_addr - type: keyword - -ocsf.driver.file.creator.full_name: - description: The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.driver.file.creator.full_name - type: keyword - -ocsf.driver.file.creator.groups.desc: - description: The group description. 
- name: ocsf.driver.file.creator.groups.desc - type: keyword - -ocsf.driver.file.creator.groups.name: - description: The group name. - name: ocsf.driver.file.creator.groups.name - type: keyword - -ocsf.driver.file.creator.groups.privileges: - description: The group privileges. - name: ocsf.driver.file.creator.groups.privileges - type: keyword - -ocsf.driver.file.creator.groups.type: - description: The type of the group or account. - name: ocsf.driver.file.creator.groups.type - type: keyword - -ocsf.driver.file.creator.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.driver.file.creator.groups.uid - type: keyword - -ocsf.driver.file.creator.name: - description: The username. For example, janedoe1. - name: ocsf.driver.file.creator.name - type: keyword - -ocsf.driver.file.creator.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.driver.file.creator.org.name - type: keyword - -ocsf.driver.file.creator.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.driver.file.creator.org.ou_name - type: keyword - -ocsf.driver.file.creator.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.driver.file.creator.org.ou_uid - type: keyword - -ocsf.driver.file.creator.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.driver.file.creator.org.uid - type: keyword - -ocsf.driver.file.creator.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.driver.file.creator.type - type: keyword - -ocsf.driver.file.creator.type_id: - description: The account type identifier. 
- name: ocsf.driver.file.creator.type_id - type: keyword - -ocsf.driver.file.creator.uid: - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.driver.file.creator.uid - type: keyword - -ocsf.driver.file.creator.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.driver.file.creator.uid_alt - type: keyword - -ocsf.driver.file.desc: - description: 'The description of the file, as returned by file system. For example: - the description as returned by the Unix file command or the Windows file type.' - name: ocsf.driver.file.desc - type: keyword - -ocsf.driver.file.is_system: - description: The indication of whether the object is part of the operating system. - name: ocsf.driver.file.is_system - type: boolean - -ocsf.driver.file.modified_time_dt: - description: The time when the file was last modified. - name: ocsf.driver.file.modified_time_dt - type: date - -ocsf.driver.file.modifier.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.driver.file.modifier.account.name - type: keyword - -ocsf.driver.file.modifier.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.driver.file.modifier.account.type - type: keyword - -ocsf.driver.file.modifier.account.type_id: - description: The normalized account type identifier. - name: ocsf.driver.file.modifier.account.type_id - type: keyword - -ocsf.driver.file.modifier.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.driver.file.modifier.account.uid - type: keyword - -ocsf.driver.file.modifier.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. 
- name: ocsf.driver.file.modifier.credential_uid
- type: keyword
-
-ocsf.driver.file.modifier.domain:
- description: 'The domain where the user is defined. For example: the LDAP or Active
- Directory domain.'
- name: ocsf.driver.file.modifier.domain
- type: keyword
-
-ocsf.driver.file.modifier.email_addr:
- description: The user's email address.
- name: ocsf.driver.file.modifier.email_addr
- type: keyword
-
-ocsf.driver.file.modifier.full_name:
- description: The full name of the person, as per the LDAP Common Name attribute
- (cn).
- name: ocsf.driver.file.modifier.full_name
- type: keyword
-
-ocsf.driver.file.modifier.groups.desc:
- description: The group description.
- name: ocsf.driver.file.modifier.groups.desc
- type: keyword
-
-ocsf.driver.file.modifier.groups.name:
- description: The group name.
- name: ocsf.driver.file.modifier.groups.name
- type: keyword
-
-ocsf.driver.file.modifier.groups.privileges:
- description: The group privileges.
- name: ocsf.driver.file.modifier.groups.privileges
- type: keyword
-
-ocsf.driver.file.modifier.groups.type:
- description: The type of the group or account.
- name: ocsf.driver.file.modifier.groups.type
- type: keyword
-
-ocsf.driver.file.modifier.groups.uid:
- description: The unique identifier of the group. For example, for Windows events
- this is the security identifier (SID) of the group.
- name: ocsf.driver.file.modifier.groups.uid
- type: keyword
-
-ocsf.driver.file.modifier.name:
- description: The username. For example, janedoe1.
- name: ocsf.driver.file.modifier.name
- type: keyword
-
-ocsf.driver.file.modifier.org.name:
- description: The name of the organization. For example, Widget, Inc.
- name: ocsf.driver.file.modifier.org.name
- type: keyword
-
-ocsf.driver.file.modifier.org.ou_name:
- description: The name of the organizational unit, within an organization. For example,
- Finance, IT, R&D.
- name: ocsf.driver.file.modifier.org.ou_name
- type: keyword
-
-ocsf.driver.file.modifier.org.ou_uid:
- description: The alternate identifier for an entity's unique identifier. For example,
- its Active Directory OU DN or AWS OU ID.
- name: ocsf.driver.file.modifier.org.ou_uid
- type: keyword
-
-ocsf.driver.file.modifier.org.uid:
- description: The unique identifier of the organization. For example, its Active
- Directory or AWS Org ID.
- name: ocsf.driver.file.modifier.org.uid
- type: keyword
-
-ocsf.driver.file.modifier.type:
- description: The type of the user. For example, System, AWS IAM User, etc.
- name: ocsf.driver.file.modifier.type
- type: keyword
-
-ocsf.driver.file.modifier.type_id:
- description: The account type identifier.
- name: ocsf.driver.file.modifier.type_id
- type: keyword
-
-ocsf.driver.file.modifier.uid:
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory
- DN or AWS user ARN.
- name: ocsf.driver.file.modifier.uid
- type: keyword
-
-ocsf.driver.file.modifier.uid_alt:
- description: The alternate user identifier. For example, the Active Directory user
- GUID or AWS user Principal ID.
- name: ocsf.driver.file.modifier.uid_alt
- type: keyword
-
-ocsf.driver.file.owner.account.name:
- description: The name of the account (e.g. GCP Account Name).
- name: ocsf.driver.file.owner.account.name
- type: keyword
-
-ocsf.driver.file.owner.account.type:
- description: The account type, normalized to the caption of 'account_type_id'. In
- the case of 'Other', it is defined by the event source.
- name: ocsf.driver.file.owner.account.type
- type: keyword
-
-ocsf.driver.file.owner.account.type_id:
- description: The normalized account type identifier.
- name: ocsf.driver.file.owner.account.type_id
- type: keyword
-
-ocsf.driver.file.owner.account.uid:
- description: The unique identifier of the account (e.g. AWS Account ID).
- name: ocsf.driver.file.owner.account.uid
- type: keyword
-
-ocsf.driver.file.owner.credential_uid:
- description: The unique identifier of the user's credential. For example, AWS Access
- Key ID.
- name: ocsf.driver.file.owner.credential_uid
- type: keyword
-
-ocsf.driver.file.owner.domain:
- description: 'The domain where the user is defined. For example: the LDAP or Active
- Directory domain.'
- name: ocsf.driver.file.owner.domain
- type: keyword
-
-ocsf.driver.file.owner.email_addr:
- description: The user's email address.
- name: ocsf.driver.file.owner.email_addr
- type: keyword
-
-ocsf.driver.file.owner.full_name:
- description: The full name of the person, as per the LDAP Common Name attribute
- (cn).
- name: ocsf.driver.file.owner.full_name
- type: keyword
-
-ocsf.driver.file.owner.groups.desc:
- description: The group description.
- name: ocsf.driver.file.owner.groups.desc
- type: keyword
-
-ocsf.driver.file.owner.groups.name:
- description: The group name.
- name: ocsf.driver.file.owner.groups.name
- type: keyword
-
-ocsf.driver.file.owner.groups.privileges:
- description: The group privileges.
- name: ocsf.driver.file.owner.groups.privileges
- type: keyword
-
-ocsf.driver.file.owner.groups.type:
- description: The type of the group or account.
- name: ocsf.driver.file.owner.groups.type
- type: keyword
-
-ocsf.driver.file.owner.groups.uid:
- description: The unique identifier of the group. For example, for Windows events
- this is the security identifier (SID) of the group.
- name: ocsf.driver.file.owner.groups.uid
- type: keyword
-
-ocsf.driver.file.owner.org.name:
- description: The name of the organization. For example, Widget, Inc.
- name: ocsf.driver.file.owner.org.name
- type: keyword
-
-ocsf.driver.file.owner.org.ou_name:
- description: The name of the organizational unit, within an organization. For example,
- Finance, IT, R&D.
- name: ocsf.driver.file.owner.org.ou_name
- type: keyword
-
-ocsf.driver.file.owner.org.ou_uid:
- description: The alternate identifier for an entity's unique identifier. For example,
- its Active Directory OU DN or AWS OU ID.
- name: ocsf.driver.file.owner.org.ou_uid
- type: keyword
-
-ocsf.driver.file.owner.org.uid:
- description: The unique identifier of the organization. For example, its Active
- Directory or AWS Org ID.
- name: ocsf.driver.file.owner.org.uid
- type: keyword
-
-ocsf.driver.file.owner.type:
- description: The type of the user. For example, System, AWS IAM User, etc.
- name: ocsf.driver.file.owner.type
- type: keyword
-
-ocsf.driver.file.owner.type_id:
- description: The account type identifier.
- name: ocsf.driver.file.owner.type_id
- type: keyword
-
-ocsf.driver.file.owner.uid_alt:
- description: The alternate user identifier. For example, the Active Directory user
- GUID or AWS user Principal ID.
- name: ocsf.driver.file.owner.uid_alt
- type: keyword
-
-ocsf.driver.file.product.feature.name:
- description: The name of the feature.
- name: ocsf.driver.file.product.feature.name
- type: keyword
-
-ocsf.driver.file.product.feature.uid:
- description: The unique identifier of the feature.
- name: ocsf.driver.file.product.feature.uid
- type: keyword
-
-ocsf.driver.file.product.feature.version:
- description: The version of the feature.
- name: ocsf.driver.file.product.feature.version
- type: keyword
-
-ocsf.driver.file.product.lang:
- description: 'The two letter lower case language codes, as defined by ISO 639-1.
- For example: en (English), de (German), or fr (French).'
- name: ocsf.driver.file.product.lang
- type: keyword
-
-ocsf.driver.file.product.name:
- description: The name of the product.
- name: ocsf.driver.file.product.name
- type: keyword
-
-ocsf.driver.file.product.path:
- description: The installation path of the product.
- name: ocsf.driver.file.product.path
- type: keyword
-
-ocsf.driver.file.product.uid:
- description: The unique identifier of the product.
- name: ocsf.driver.file.product.uid
- type: keyword
-
-ocsf.driver.file.product.vendor_name:
- description: The name of the vendor of the product.
- name: ocsf.driver.file.product.vendor_name
- type: keyword
-
-ocsf.driver.file.product.version:
- description: 'The version of the product, as defined by the event source. For example:
- 2013.1.3-beta.'
- name: ocsf.driver.file.product.version
- type: keyword
-
-ocsf.driver.file.security_descriptor:
- description: The object security descriptor.
- name: ocsf.driver.file.security_descriptor
- type: keyword
-
-ocsf.driver.file.signature.algorithm:
- description: The digital signature algorithm used to create the signature, normalized
- to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
- event source.
- name: ocsf.driver.file.signature.algorithm
- type: keyword
-
-ocsf.driver.file.signature.algorithm_id:
- description: The identifier of the normalized digital signature algorithm.
- name: ocsf.driver.file.signature.algorithm_id
- type: keyword
-
-ocsf.driver.file.signature.certificate.created_time:
- description: The time when the certificate was created.
- name: ocsf.driver.file.signature.certificate.created_time
- type: date
-
-ocsf.driver.file.signature.certificate.created_time_dt:
- description: The time when the certificate was created.
- name: ocsf.driver.file.signature.certificate.created_time_dt
- type: date
-
-ocsf.driver.file.signature.certificate.expiration_time_dt:
- description: The expiration time of the certificate.
- name: ocsf.driver.file.signature.certificate.expiration_time_dt
- type: date
-
-ocsf.driver.file.signature.certificate.fingerprints.algorithm:
- description: The hash algorithm used to create the digital fingerprint, normalized
- to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
- event source.
- name: ocsf.driver.file.signature.certificate.fingerprints.algorithm
- type: keyword
-
-ocsf.driver.file.signature.certificate.fingerprints.algorithm_id:
- description: The identifier of the normalized hash algorithm, which was used to
- create the digital fingerprint.
- name: ocsf.driver.file.signature.certificate.fingerprints.algorithm_id
- type: keyword
-
-ocsf.driver.file.signature.certificate.fingerprints.value:
- description: The digital fingerprint value.
- name: ocsf.driver.file.signature.certificate.fingerprints.value
- type: keyword
-
-ocsf.driver.file.signature.created_time:
- description: The time when the digital signature was created.
- name: ocsf.driver.file.signature.created_time
- type: date
-
-ocsf.driver.file.signature.created_time_dt:
- description: The time when the digital signature was created.
- name: ocsf.driver.file.signature.created_time_dt
- type: date
-
-ocsf.driver.file.signature.developer_uid:
- description: The developer ID on the certificate that signed the file.
- name: ocsf.driver.file.signature.developer_uid
- type: keyword
-
-ocsf.driver.file.signature.digest.algorithm:
- description: The hash algorithm used to create the digital fingerprint, normalized
- to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
- event source.
- name: ocsf.driver.file.signature.digest.algorithm
- type: keyword
-
-ocsf.driver.file.signature.digest.algorithm_id:
- description: The identifier of the normalized hash algorithm, which was used to
- create the digital fingerprint.
- name: ocsf.driver.file.signature.digest.algorithm_id
- type: keyword
-
-ocsf.driver.file.signature.digest.value:
- description: The digital fingerprint value.
- name: ocsf.driver.file.signature.digest.value
- type: keyword
-
-ocsf.driver.file.type_id:
- description: The file type ID.
- name: ocsf.driver.file.type_id
- type: keyword
-
-ocsf.driver.file.version:
- description: 'The file version. For example: 8.0.7601.17514.'
- name: ocsf.driver.file.version
- type: keyword
-
-ocsf.driver.file.xattributes:
- description: An unordered collection of zero or more name/value pairs where each
- pair represents a file or folder extended attribute.
- name: ocsf.driver.file.xattributes
- type: keyword
-
-ocsf.dst_endpoint.instance_uid:
- description: The unique identifier of a VM instance.
- name: ocsf.dst_endpoint.instance_uid
- type: keyword
-
-ocsf.dst_endpoint.interface_name:
- description: The name of the network interface (e.g. eth2).
- name: ocsf.dst_endpoint.interface_name
- type: keyword
-
-ocsf.dst_endpoint.interface_uid:
- description: The unique identifier of the network interface.
- name: ocsf.dst_endpoint.interface_uid
- type: keyword
-
-ocsf.dst_endpoint.intermediate_ips:
- description: The intermediate IP Addresses. For example, the IP addresses in the
- HTTP X-Forwarded-For header.
- name: ocsf.dst_endpoint.intermediate_ips
- type: ip
-
-ocsf.dst_endpoint.location.is_on_premises:
- description: The indication of whether the location is on premises.
- name: ocsf.dst_endpoint.location.is_on_premises
- type: boolean
-
-ocsf.dst_endpoint.location.isp:
- description: The name of the Internet Service Provider (ISP).
- name: ocsf.dst_endpoint.location.isp
- type: keyword
-
-ocsf.dst_endpoint.location.provider:
- description: The provider of the geographical location data.
- name: ocsf.dst_endpoint.location.provider
- type: keyword
-
-ocsf.dst_endpoint.name:
- description: The short name of the endpoint.
- name: ocsf.dst_endpoint.name
- type: keyword
-
-ocsf.dst_endpoint.subnet_uid:
- description: The unique identifier of a virtual subnet.
- name: ocsf.dst_endpoint.subnet_uid
- type: keyword
-
-ocsf.dst_endpoint.uid:
- description: The unique identifier of the endpoint.
- name: ocsf.dst_endpoint.uid
- type: keyword
-
-ocsf.dst_endpoint.vlan_uid:
- description: The Virtual LAN identifier.
- name: ocsf.dst_endpoint.vlan_uid
- type: keyword
-
-ocsf.dst_endpoint.vpc_uid:
- description: The unique identifier of the Virtual Private Cloud (VPC).
- name: ocsf.dst_endpoint.vpc_uid
- type: keyword
-
-ocsf.email.delivered_to:
- description: The Delivered-To email header field.
- name: ocsf.email.delivered_to
- type: keyword
-
-ocsf.email.raw_header:
- description: The email authentication header.
- name: ocsf.email.raw_header
- type: keyword
-
-ocsf.email.size:
- description: The size in bytes of the email, including attachments.
- name: ocsf.email.size
- type: long
-
-ocsf.email.smtp_from:
- description: The value of the SMTP MAIL FROM command.
- name: ocsf.email.smtp_from
- type: keyword
-
-ocsf.email.smtp_to:
- description: The value of the SMTP envelope RCPT TO command.
- name: ocsf.email.smtp_to
- type: keyword
-
-ocsf.email.x_originating_ip:
- description: The X-Originating-IP header identifying the emails originating IP address(es).
- name: ocsf.email.x_originating_ip
- type: ip
-
-ocsf.email_auth.dkim:
- description: The DomainKeys Identified Mail (DKIM) status of the email.
- name: ocsf.email_auth.dkim
- type: keyword
-
-ocsf.email_auth.dkim_domain:
- description: The DomainKeys Identified Mail (DKIM) signing domain of the email.
- name: ocsf.email_auth.dkim_domain
- type: keyword
-
-ocsf.email_auth.dkim_signature:
- description: The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving
- system.
- name: ocsf.email_auth.dkim_signature
- type: keyword
-
-ocsf.email_auth.dmarc:
- description: The Domain-based Message Authentication, Reporting and Conformance
- (DMARC) status of the email.
- name: ocsf.email_auth.dmarc
- type: keyword
-
-ocsf.email_auth.dmarc_override:
- description: The Domain-based Message Authentication, Reporting and Conformance
- (DMARC) override action.
- name: ocsf.email_auth.dmarc_override
- type: keyword
-
-ocsf.email_auth.dmarc_policy:
- description: The Domain-based Message Authentication, Reporting and Conformance
- (DMARC) policy status.
- name: ocsf.email_auth.dmarc_policy
- type: keyword
-
-ocsf.email_auth.spf:
- description: The Sender Policy Framework (SPF) status of the email.
- name: ocsf.email_auth.spf
- type: keyword
-
-ocsf.end_time_dt:
- description: The end time of a time period, or the time of the most recent event
- included in the aggregate event.
- name: ocsf.end_time_dt
- type: date
-
-ocsf.enrichments.data:
- description: The enrichment data associated with the attribute and value. The meaning
- of this data depends on the type the enrichment record.
- name: ocsf.enrichments.data
- type: keyword
-
-ocsf.enrichments.name:
- description: The name of the attribute to which the enriched data pertains.
- name: ocsf.enrichments.name
- type: keyword
-
-ocsf.enrichments.provider:
- description: The enrichment data provider name.
- name: ocsf.enrichments.provider
- type: keyword
-
-ocsf.enrichments.type:
- description: The enrichment type. For example, location.
- name: ocsf.enrichments.type
- type: keyword
-
-ocsf.enrichments.value:
- description: The value of the attribute to which the enriched data pertains.
- name: ocsf.enrichments.value
- type: keyword
-
-ocsf.entity.data:
- description: The managed entity content as a JSON object.
- name: ocsf.entity.data
- type: keyword
-
-ocsf.entity.name:
- description: The name of the managed entity.
- name: ocsf.entity.name
- type: keyword
-
-ocsf.entity.type:
- description: The managed entity type.
- name: ocsf.entity.type
- type: keyword
-
-ocsf.entity.uid:
- description: The identifier of the managed entity.
- name: ocsf.entity.uid
- type: keyword
-
-ocsf.entity.version:
- description: The version of the managed entity.
- name: ocsf.entity.version
- type: keyword
-
-ocsf.entity_result.data:
- description: The managed entity content as a JSON object.
- name: ocsf.entity_result.data
- type: keyword
-
-ocsf.entity_result.name:
- description: The name of the managed entity.
- name: ocsf.entity_result.name
- type: keyword
-
-ocsf.entity_result.type:
- description: The managed entity type.
- name: ocsf.entity_result.type
- type: keyword
-
-ocsf.entity_result.uid:
- description: The identifier of the managed entity.
- name: ocsf.entity_result.uid
- type: keyword
-
-ocsf.entity_result.version:
- description: The version of the managed entity.
- name: ocsf.entity_result.version
- type: keyword
-
-ocsf.evidence:
- description: The data the finding exposes to the analyst.
- name: ocsf.evidence
- type: keyword
-
-ocsf.expiration_time:
- description: The share expiration time.
- name: ocsf.expiration_time
- type: date
-
-ocsf.expiration_time_dt:
- description: The share expiration time.
- name: ocsf.expiration_time_dt
- type: date
-
-ocsf.file.accessed_time_dt:
- description: The time when the file was last accessed.
- name: ocsf.file.accessed_time_dt
- type: date
-
-ocsf.file.accessor.account.name:
- description: The name of the account (e.g. GCP Account Name).
- name: ocsf.file.accessor.account.name
- type: keyword
-
-ocsf.file.accessor.account.type:
- description: The account type, normalized to the caption of 'account_type_id'. In
- the case of 'Other', it is defined by the event source.
- name: ocsf.file.accessor.account.type
- type: keyword
-
-ocsf.file.accessor.account.type_id:
- description: The normalized account type identifier.
- name: ocsf.file.accessor.account.type_id
- type: keyword
-
-ocsf.file.accessor.account.uid:
- description: The unique identifier of the account (e.g. AWS Account ID).
- name: ocsf.file.accessor.account.uid
- type: keyword
-
-ocsf.file.accessor.credential_uid:
- description: The unique identifier of the user's credential. For example, AWS Access
- Key ID.
- name: ocsf.file.accessor.credential_uid
- type: keyword
-
-ocsf.file.accessor.domain:
- description: 'The domain where the user is defined. For example: the LDAP or Active
- Directory domain.'
- name: ocsf.file.accessor.domain
- type: keyword
-
-ocsf.file.accessor.email_addr:
- description: The user's email address.
- name: ocsf.file.accessor.email_addr
- type: keyword
-
-ocsf.file.accessor.full_name:
- description: The full name of the person, as per the LDAP Common Name attribute
- (cn).
- name: ocsf.file.accessor.full_name
- type: keyword
-
-ocsf.file.accessor.groups.desc:
- description: The group description.
- name: ocsf.file.accessor.groups.desc
- type: keyword
-
-ocsf.file.accessor.groups.name:
- description: The group name.
- name: ocsf.file.accessor.groups.name
- type: keyword
-
-ocsf.file.accessor.groups.privileges:
- description: The group privileges.
- name: ocsf.file.accessor.groups.privileges
- type: keyword
-
-ocsf.file.accessor.groups.type:
- description: The type of the group or account.
- name: ocsf.file.accessor.groups.type
- type: keyword
-
-ocsf.file.accessor.groups.uid:
- description: The unique identifier of the group. For example, for Windows events
- this is the security identifier (SID) of the group.
- name: ocsf.file.accessor.groups.uid
- type: keyword
-
-ocsf.file.accessor.name:
- description: The username. For example, janedoe1.
- name: ocsf.file.accessor.name
- type: keyword
-
-ocsf.file.accessor.org.name:
- description: The name of the organization. For example, Widget, Inc.
- name: ocsf.file.accessor.org.name
- type: keyword
-
-ocsf.file.accessor.org.ou_name:
- description: The name of the organizational unit, within an organization. For example,
- Finance, IT, R&D.
- name: ocsf.file.accessor.org.ou_name
- type: keyword
-
-ocsf.file.accessor.org.ou_uid:
- description: The alternate identifier for an entity's unique identifier. For example,
- its Active Directory OU DN or AWS OU ID.
- name: ocsf.file.accessor.org.ou_uid
- type: keyword
-
-ocsf.file.accessor.org.uid:
- description: The unique identifier of the organization. For example, its Active
- Directory or AWS Org ID.
- name: ocsf.file.accessor.org.uid
- type: keyword
-
-ocsf.file.accessor.type:
- description: The type of the user. For example, System, AWS IAM User, etc.
- name: ocsf.file.accessor.type
- type: keyword
-
-ocsf.file.accessor.type_id:
- description: The account type identifier.
- name: ocsf.file.accessor.type_id
- type: keyword
-
-ocsf.file.accessor.uid:
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory
- DN or AWS user ARN.
- name: ocsf.file.accessor.uid
- type: keyword
-
-ocsf.file.accessor.uid_alt:
- description: The alternate user identifier. For example, the Active Directory user
- GUID or AWS user Principal ID.
- name: ocsf.file.accessor.uid_alt
- type: keyword
-
-ocsf.file.attributes:
- description: The Bitmask value that represents the file attributes.
- name: ocsf.file.attributes
- type: long
-
-ocsf.file.company_name:
- description: 'The name of the company that published the file. For example: Microsoft
- Corporation.'
- name: ocsf.file.company_name
- type: keyword
-
-ocsf.file.confidentiality:
- description: The file content confidentiality, normalized to the confidentiality_id
- value. In the case of 'Other', it is defined by the event source.
- name: ocsf.file.confidentiality
- type: keyword
-
-ocsf.file.confidentiality_id:
- description: The normalized identifier of the file content confidentiality indicator.
- name: ocsf.file.confidentiality_id
- type: keyword
-
-ocsf.file.created_time_dt:
- description: The time when the file was created.
- name: ocsf.file.created_time_dt
- type: date
-
-ocsf.file.creator.account.name:
- description: The name of the account (e.g. GCP Account Name).
- name: ocsf.file.creator.account.name
- type: keyword
-
-ocsf.file.creator.account.type:
- description: The account type, normalized to the caption of 'account_type_id'. In
- the case of 'Other', it is defined by the event source.
- name: ocsf.file.creator.account.type
- type: keyword
-
-ocsf.file.creator.account.type_id:
- description: The normalized account type identifier.
- name: ocsf.file.creator.account.type_id
- type: keyword
-
-ocsf.file.creator.account.uid:
- description: The unique identifier of the account (e.g. AWS Account ID).
- name: ocsf.file.creator.account.uid
- type: keyword
-
-ocsf.file.creator.credential_uid:
- description: The unique identifier of the user's credential. For example, AWS Access
- Key ID.
- name: ocsf.file.creator.credential_uid
- type: keyword
-
-ocsf.file.creator.domain:
- description: 'The domain where the user is defined. For example: the LDAP or Active
- Directory domain.'
- name: ocsf.file.creator.domain
- type: keyword
-
-ocsf.file.creator.email_addr:
- description: The user's email address.
- name: ocsf.file.creator.email_addr
- type: keyword
-
-ocsf.file.creator.full_name:
- description: The full name of the person, as per the LDAP Common Name attribute
- (cn).
- name: ocsf.file.creator.full_name
- type: keyword
-
-ocsf.file.creator.groups.desc:
- description: The group description.
- name: ocsf.file.creator.groups.desc
- type: keyword
-
-ocsf.file.creator.groups.name:
- description: The group name.
- name: ocsf.file.creator.groups.name
- type: keyword
-
-ocsf.file.creator.groups.privileges:
- description: The group privileges.
- name: ocsf.file.creator.groups.privileges
- type: keyword
-
-ocsf.file.creator.groups.type:
- description: The type of the group or account.
- name: ocsf.file.creator.groups.type
- type: keyword
-
-ocsf.file.creator.groups.uid:
- description: The unique identifier of the group. For example, for Windows events
- this is the security identifier (SID) of the group.
- name: ocsf.file.creator.groups.uid
- type: keyword
-
-ocsf.file.creator.name:
- description: The username. For example, janedoe1.
- name: ocsf.file.creator.name
- type: keyword
-
-ocsf.file.creator.org.name:
- description: The name of the organization. For example, Widget, Inc.
- name: ocsf.file.creator.org.name
- type: keyword
-
-ocsf.file.creator.org.ou_name:
- description: The name of the organizational unit, within an organization. For example,
- Finance, IT, R&D.
- name: ocsf.file.creator.org.ou_name
- type: keyword
-
-ocsf.file.creator.org.ou_uid:
- description: The alternate identifier for an entity's unique identifier. For example,
- its Active Directory OU DN or AWS OU ID.
- name: ocsf.file.creator.org.ou_uid
- type: keyword
-
-ocsf.file.creator.org.uid:
- description: The unique identifier of the organization. For example, its Active
- Directory or AWS Org ID.
- name: ocsf.file.creator.org.uid
- type: keyword
-
-ocsf.file.creator.type:
- description: The type of the user. For example, System, AWS IAM User, etc.
- name: ocsf.file.creator.type
- type: keyword
-
-ocsf.file.creator.type_id:
- description: The account type identifier.
- name: ocsf.file.creator.type_id
- type: keyword
-
-ocsf.file.creator.uid:
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory
- DN or AWS user ARN.
- name: ocsf.file.creator.uid
- type: keyword
-
-ocsf.file.creator.uid_alt:
- description: The alternate user identifier. For example, the Active Directory user
- GUID or AWS user Principal ID.
- name: ocsf.file.creator.uid_alt
- type: keyword
-
-ocsf.file.desc:
- description: 'The description of the file, as returned by file system. For example:
- the description as returned by the Unix file command or the Windows file type.'
- name: ocsf.file.desc
- type: keyword
-
-ocsf.file.is_system:
- description: The indication of whether the object is part of the operating system.
- name: ocsf.file.is_system
- type: boolean
-
-ocsf.file.modified_time_dt:
- description: The time when the file was last modified.
- name: ocsf.file.modified_time_dt
- type: date
-
-ocsf.file.modifier.account.name:
- description: The name of the account (e.g. GCP Account Name).
- name: ocsf.file.modifier.account.name
- type: keyword
-
-ocsf.file.modifier.account.type:
- description: The account type, normalized to the caption of 'account_type_id'. In
- the case of 'Other', it is defined by the event source.
- name: ocsf.file.modifier.account.type
- type: keyword
-
-ocsf.file.modifier.account.type_id:
- description: The normalized account type identifier.
- name: ocsf.file.modifier.account.type_id
- type: keyword
-
-ocsf.file.modifier.account.uid:
- description: The unique identifier of the account (e.g. AWS Account ID).
- name: ocsf.file.modifier.account.uid
- type: keyword
-
-ocsf.file.modifier.credential_uid:
- description: The unique identifier of the user's credential. For example, AWS Access
- Key ID.
- name: ocsf.file.modifier.credential_uid
- type: keyword
-
-ocsf.file.modifier.domain:
- description: 'The domain where the user is defined. For example: the LDAP or Active
- Directory domain.'
- name: ocsf.file.modifier.domain
- type: keyword
-
-ocsf.file.modifier.email_addr:
- description: The user's email address.
- name: ocsf.file.modifier.email_addr
- type: keyword
-
-ocsf.file.modifier.full_name:
- description: The full name of the person, as per the LDAP Common Name attribute
- (cn).
- name: ocsf.file.modifier.full_name
- type: keyword
-
-ocsf.file.modifier.groups.desc:
- description: The group description.
- name: ocsf.file.modifier.groups.desc
- type: keyword
-
-ocsf.file.modifier.groups.name:
- description: The group name.
- name: ocsf.file.modifier.groups.name
- type: keyword
-
-ocsf.file.modifier.groups.privileges:
- description: The group privileges.
- name: ocsf.file.modifier.groups.privileges
- type: keyword
-
-ocsf.file.modifier.groups.type:
- description: The type of the group or account.
- name: ocsf.file.modifier.groups.type
- type: keyword
-
-ocsf.file.modifier.groups.uid:
- description: The unique identifier of the group. For example, for Windows events
- this is the security identifier (SID) of the group.
- name: ocsf.file.modifier.groups.uid
- type: keyword
-
-ocsf.file.modifier.name:
- description: The username. For example, janedoe1.
- name: ocsf.file.modifier.name
- type: keyword
-
-ocsf.file.modifier.org.name:
- description: The name of the organization. For example, Widget, Inc.
- name: ocsf.file.modifier.org.name
- type: keyword
-
-ocsf.file.modifier.org.ou_name:
- description: The name of the organizational unit, within an organization. For example,
- Finance, IT, R&D.
- name: ocsf.file.modifier.org.ou_name
- type: keyword
-
-ocsf.file.modifier.org.ou_uid:
- description: The alternate identifier for an entity's unique identifier. For example,
- its Active Directory OU DN or AWS OU ID.
- name: ocsf.file.modifier.org.ou_uid
- type: keyword
-
-ocsf.file.modifier.org.uid:
- description: The unique identifier of the organization. For example, its Active
- Directory or AWS Org ID.
- name: ocsf.file.modifier.org.uid
- type: keyword
-
-ocsf.file.modifier.type:
- description: The type of the user. For example, System, AWS IAM User, etc.
- name: ocsf.file.modifier.type
- type: keyword
-
-ocsf.file.modifier.type_id:
- description: The account type identifier.
- name: ocsf.file.modifier.type_id
- type: keyword
-
-ocsf.file.modifier.uid:
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory
- DN or AWS user ARN.
- name: ocsf.file.modifier.uid
- type: keyword
-
-ocsf.file.modifier.uid_alt:
- description: The alternate user identifier. For example, the Active Directory user
- GUID or AWS user Principal ID.
- name: ocsf.file.modifier.uid_alt
- type: keyword
-
-ocsf.file.owner.account.name:
- description: The name of the account (e.g. GCP Account Name).
- name: ocsf.file.owner.account.name
- type: keyword
-
-ocsf.file.owner.account.type:
- description: The account type, normalized to the caption of 'account_type_id'. In
- the case of 'Other', it is defined by the event source.
- name: ocsf.file.owner.account.type
- type: keyword
-
-ocsf.file.owner.account.type_id:
- description: The normalized account type identifier.
- name: ocsf.file.owner.account.type_id
- type: keyword
-
-ocsf.file.owner.account.uid:
- description: The unique identifier of the account (e.g. AWS Account ID).
- name: ocsf.file.owner.account.uid
- type: keyword
-
-ocsf.file.owner.credential_uid:
- description: The unique identifier of the user's credential. For example, AWS Access
- Key ID.
- name: ocsf.file.owner.credential_uid
- type: keyword
-
-ocsf.file.owner.domain:
- description: 'The domain where the user is defined. For example: the LDAP or Active
- Directory domain.'
- name: ocsf.file.owner.domain
- type: keyword
-
-ocsf.file.owner.email_addr:
- description: The user's email address.
- name: ocsf.file.owner.email_addr
- type: keyword
-
-ocsf.file.owner.full_name:
- description: The full name of the person, as per the LDAP Common Name attribute
- (cn).
- name: ocsf.file.owner.full_name
- type: keyword
-
-ocsf.file.owner.groups.desc:
- description: The group description.
- name: ocsf.file.owner.groups.desc
- type: keyword
-
-ocsf.file.owner.groups.name:
- description: The group name.
- name: ocsf.file.owner.groups.name
- type: keyword
-
-ocsf.file.owner.groups.privileges:
- description: The group privileges.
- name: ocsf.file.owner.groups.privileges
- type: keyword
-
-ocsf.file.owner.groups.type:
- description: The type of the group or account.
- name: ocsf.file.owner.groups.type
- type: keyword
-
-ocsf.file.owner.groups.uid:
- description: The unique identifier of the group. For example, for Windows events
- this is the security identifier (SID) of the group.
- name: ocsf.file.owner.groups.uid
- type: keyword
-
-ocsf.file.owner.org.name:
- description: The name of the organization. For example, Widget, Inc.
- name: ocsf.file.owner.org.name
- type: keyword
-
-ocsf.file.owner.org.ou_name:
- description: The name of the organizational unit, within an organization. For example,
- Finance, IT, R&D.
- name: ocsf.file.owner.org.ou_name
- type: keyword
-
-ocsf.file.owner.org.ou_uid:
- description: The alternate identifier for an entity's unique identifier. For example,
- its Active Directory OU DN or AWS OU ID.
- name: ocsf.file.owner.org.ou_uid
- type: keyword
-
-ocsf.file.owner.org.uid:
- description: The unique identifier of the organization. For example, its Active
- Directory or AWS Org ID.
- name: ocsf.file.owner.org.uid
- type: keyword
-
-ocsf.file.owner.type:
- description: The type of the user. For example, System, AWS IAM User, etc.
- name: ocsf.file.owner.type
- type: keyword
-
-ocsf.file.owner.type_id:
- description: The account type identifier.
- name: ocsf.file.owner.type_id
- type: keyword
-
-ocsf.file.owner.uid_alt:
- description: The alternate user identifier. For example, the Active Directory user
- GUID or AWS user Principal ID.
- name: ocsf.file.owner.uid_alt
- type: keyword
-
-ocsf.file.product.feature.name:
- description: The name of the feature.
- name: ocsf.file.product.feature.name
- type: keyword
-
-ocsf.file.product.feature.uid:
- description: The unique identifier of the feature.
- name: ocsf.file.product.feature.uid
- type: keyword
-
-ocsf.file.product.feature.version:
- description: The version of the feature.
- name: ocsf.file.product.feature.version
- type: keyword
-
-ocsf.file.product.lang:
- description: 'The two letter lower case language codes, as defined by ISO 639-1.
- For example: en (English), de (German), or fr (French).'
- name: ocsf.file.product.lang
- type: keyword
-
-ocsf.file.product.name:
- description: The name of the product.
- name: ocsf.file.product.name
- type: keyword
-
-ocsf.file.product.path:
- description: The installation path of the product.
- name: ocsf.file.product.path
- type: keyword
-
-ocsf.file.product.uid:
- description: The unique identifier of the product.
- name: ocsf.file.product.uid
- type: keyword
-
-ocsf.file.product.url_string:
- description: The URL pointing towards the product.
- name: ocsf.file.product.url_string
- type: keyword
-
-ocsf.file.product.vendor_name:
- description: The name of the vendor of the product.
- name: ocsf.file.product.vendor_name
- type: keyword
-
-ocsf.file.product.version:
- description: 'The version of the product, as defined by the event source. For example:
- 2013.1.3-beta.'
- name: ocsf.file.product.version
- type: keyword
-
-ocsf.file.security_descriptor:
- description: The object security descriptor.
- name: ocsf.file.security_descriptor
- type: keyword
-
-ocsf.file.signature.algorithm:
- description: The digital signature algorithm used to create the signature, normalized
- to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
- event source.
- name: ocsf.file.signature.algorithm
- type: keyword
-
-ocsf.file.signature.algorithm_id:
- description: The identifier of the normalized digital signature algorithm.
- name: ocsf.file.signature.algorithm_id
- type: keyword
-
-ocsf.file.signature.certificate.created_time:
- description: The time when the certificate was created.
- name: ocsf.file.signature.certificate.created_time
- type: date
-
-ocsf.file.signature.certificate.created_time_dt:
- description: The time when the certificate was created.
- name: ocsf.file.signature.certificate.created_time_dt
- type: date
-
-ocsf.file.signature.certificate.expiration_time_dt:
- description: The expiration time of the certificate.
- name: ocsf.file.signature.certificate.expiration_time_dt
- type: date
-
-ocsf.file.signature.certificate.fingerprints.algorithm:
- description: The hash algorithm used to create the digital fingerprint, normalized
- to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
- event source.
- name: ocsf.file.signature.certificate.fingerprints.algorithm
- type: keyword
-
-ocsf.file.signature.certificate.fingerprints.algorithm_id:
- description: The identifier of the normalized hash algorithm, which was used to
- create the digital fingerprint.
- name: ocsf.file.signature.certificate.fingerprints.algorithm_id
- type: keyword
-
-ocsf.file.signature.certificate.fingerprints.value:
- description: The digital fingerprint value.
- name: ocsf.file.signature.certificate.fingerprints.value
- type: keyword
-
-ocsf.file.signature.created_time:
- description: The time when the digital signature was created.
- name: ocsf.file.signature.created_time
- type: date
-
-ocsf.file.signature.created_time_dt:
- description: The time when the digital signature was created.
- name: ocsf.file.signature.created_time_dt
- type: date
-
-ocsf.file.signature.developer_uid:
- description: The developer ID on the certificate that signed the file.
- name: ocsf.file.signature.developer_uid
- type: keyword
-
-ocsf.file.signature.digest.algorithm:
- description: The hash algorithm used to create the digital fingerprint, normalized
- to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the
- event source.
- name: ocsf.file.signature.digest.algorithm
- type: keyword
-
-ocsf.file.signature.digest.algorithm_id:
- description: The identifier of the normalized hash algorithm, which was used to
- create the digital fingerprint.
- name: ocsf.file.signature.digest.algorithm_id
- type: keyword
-
-ocsf.file.signature.digest.value:
- description: The digital fingerprint value.
- name: ocsf.file.signature.digest.value
- type: keyword
-
-ocsf.file.type_id:
- description: The file type ID.
- name: ocsf.file.type_id
- type: keyword
-
-ocsf.file.version:
- description: 'The file version. For example: 8.0.7601.17514.'
- name: ocsf.file.version
- type: keyword
-
-ocsf.file.xattributes:
- description: An unordered collection of zero or more name/value pairs where each
- pair represents a file or folder extended attribute.
- name: ocsf.file.xattributes
- type: keyword
-
-ocsf.file_diff:
- description: File content differences used for change detection. For example, a
- common use case is to identify itemized changes within INI or configuration/property
- setting values.
- name: ocsf.file_diff
- type: keyword
-
-ocsf.file_result.accessed_time:
- description: The time when the file was last accessed.
- name: ocsf.file_result.accessed_time
- type: date
-
-ocsf.file_result.accessed_time_dt:
- description: The time when the file was last accessed.
- name: ocsf.file_result.accessed_time_dt
- type: date
-
-ocsf.file_result.accessor.account.name:
- description: The name of the account (e.g. GCP Account Name).
- name: ocsf.file_result.accessor.account.name
- type: keyword
-
-ocsf.file_result.accessor.account.type:
- description: The account type, normalized to the caption of 'account_type_id'. In
- the case of 'Other', it is defined by the event source.
- name: ocsf.file_result.accessor.account.type
- type: keyword
-
-ocsf.file_result.accessor.account.type_id:
- description: The normalized account type identifier.
- name: ocsf.file_result.accessor.account.type_id
- type: keyword
-
-ocsf.file_result.accessor.account.uid:
- description: The unique identifier of the account (e.g. AWS Account ID).
- name: ocsf.file_result.accessor.account.uid
- type: keyword
-
-ocsf.file_result.accessor.credential_uid:
- description: The unique identifier of the user's credential. For example, AWS Access
- Key ID.
- name: ocsf.file_result.accessor.credential_uid - type: keyword - -ocsf.file_result.accessor.domain: - description: 'The domain where the user is defined. For example: the LDAP or Active - Directory domain.' - name: ocsf.file_result.accessor.domain - type: keyword - -ocsf.file_result.accessor.email_addr: - description: The user's email address. - name: ocsf.file_result.accessor.email_addr - type: keyword - -ocsf.file_result.accessor.full_name: - description: The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.file_result.accessor.full_name - type: keyword - -ocsf.file_result.accessor.groups.desc: - description: The group description. - name: ocsf.file_result.accessor.groups.desc - type: keyword - -ocsf.file_result.accessor.groups.name: - description: The group name. - name: ocsf.file_result.accessor.groups.name - type: keyword - -ocsf.file_result.accessor.groups.privileges: - description: The group privileges. - name: ocsf.file_result.accessor.groups.privileges - type: keyword - -ocsf.file_result.accessor.groups.type: - description: The type of the group or account. - name: ocsf.file_result.accessor.groups.type - type: keyword - -ocsf.file_result.accessor.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.file_result.accessor.groups.uid - type: keyword - -ocsf.file_result.accessor.name: - description: The username. For example, janedoe1. - name: ocsf.file_result.accessor.name - type: keyword - -ocsf.file_result.accessor.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.file_result.accessor.org.name - type: keyword - -ocsf.file_result.accessor.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. 
- name: ocsf.file_result.accessor.org.ou_name - type: keyword - -ocsf.file_result.accessor.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.file_result.accessor.org.ou_uid - type: keyword - -ocsf.file_result.accessor.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.file_result.accessor.org.uid - type: keyword - -ocsf.file_result.accessor.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.file_result.accessor.type - type: keyword - -ocsf.file_result.accessor.type_id: - description: The account type identifier. - name: ocsf.file_result.accessor.type_id - type: keyword - -ocsf.file_result.accessor.uid: - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.file_result.accessor.uid - type: keyword - -ocsf.file_result.accessor.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.file_result.accessor.uid_alt - type: keyword - -ocsf.file_result.attributes: - description: The Bitmask value that represents the file attributes. - name: ocsf.file_result.attributes - type: long - -ocsf.file_result.company_name: - description: 'The name of the company that published the file. For example: Microsoft - Corporation.' - name: ocsf.file_result.company_name - type: keyword - -ocsf.file_result.confidentiality: - description: The file content confidentiality, normalized to the confidentiality_id - value. In the case of 'Other', it is defined by the event source. - name: ocsf.file_result.confidentiality - type: keyword - -ocsf.file_result.confidentiality_id: - description: The normalized identifier of the file content confidentiality indicator. 
- name: ocsf.file_result.confidentiality_id - type: keyword - -ocsf.file_result.created_time: - description: The time when the file was created. - name: ocsf.file_result.created_time - type: date - -ocsf.file_result.created_time_dt: - description: The time when the file was created. - name: ocsf.file_result.created_time_dt - type: date - -ocsf.file_result.creator.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.file_result.creator.account.name - type: keyword - -ocsf.file_result.creator.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.file_result.creator.account.type - type: keyword - -ocsf.file_result.creator.account.type_id: - description: The normalized account type identifier. - name: ocsf.file_result.creator.account.type_id - type: keyword - -ocsf.file_result.creator.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.file_result.creator.account.uid - type: keyword - -ocsf.file_result.creator.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.file_result.creator.credential_uid - type: keyword - -ocsf.file_result.creator.domain: - description: 'The domain where the user is defined. For example: the LDAP or Active - Directory domain.' - name: ocsf.file_result.creator.domain - type: keyword - -ocsf.file_result.creator.email_addr: - description: The user's email address. - name: ocsf.file_result.creator.email_addr - type: keyword - -ocsf.file_result.creator.full_name: - description: The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.file_result.creator.full_name - type: keyword - -ocsf.file_result.creator.groups.desc: - description: The group description. 
- name: ocsf.file_result.creator.groups.desc - type: keyword - -ocsf.file_result.creator.groups.name: - description: The group name. - name: ocsf.file_result.creator.groups.name - type: keyword - -ocsf.file_result.creator.groups.privileges: - description: The group privileges. - name: ocsf.file_result.creator.groups.privileges - type: keyword - -ocsf.file_result.creator.groups.type: - description: The type of the group or account. - name: ocsf.file_result.creator.groups.type - type: keyword - -ocsf.file_result.creator.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.file_result.creator.groups.uid - type: keyword - -ocsf.file_result.creator.name: - description: The username. For example, janedoe1. - name: ocsf.file_result.creator.name - type: keyword - -ocsf.file_result.creator.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.file_result.creator.org.name - type: keyword - -ocsf.file_result.creator.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.file_result.creator.org.ou_name - type: keyword - -ocsf.file_result.creator.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.file_result.creator.org.ou_uid - type: keyword - -ocsf.file_result.creator.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.file_result.creator.org.uid - type: keyword - -ocsf.file_result.creator.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.file_result.creator.type - type: keyword - -ocsf.file_result.creator.type_id: - description: The account type identifier. 
- name: ocsf.file_result.creator.type_id - type: keyword - -ocsf.file_result.creator.uid: - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.file_result.creator.uid - type: keyword - -ocsf.file_result.creator.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.file_result.creator.uid_alt - type: keyword - -ocsf.file_result.desc: - description: 'The description of the file, as returned by file system. For example: - the description as returned by the Unix file command or the Windows file type.' - name: ocsf.file_result.desc - type: keyword - -ocsf.file_result.hashes.algorithm: - description: The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.file_result.hashes.algorithm - type: keyword - -ocsf.file_result.hashes.algorithm_id: - description: The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.file_result.hashes.algorithm_id - type: keyword - -ocsf.file_result.hashes.value: - description: The digital fingerprint value. - name: ocsf.file_result.hashes.value - type: keyword - -ocsf.file_result.is_system: - description: The indication of whether the object is part of the operating system. - name: ocsf.file_result.is_system - type: boolean - -ocsf.file_result.mime_type: - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, - if applicable. - name: ocsf.file_result.mime_type - type: keyword - -ocsf.file_result.modified_time: - description: The time when the file was last modified. - name: ocsf.file_result.modified_time - type: date - -ocsf.file_result.modified_time_dt: - description: The time when the file was last modified. 
- name: ocsf.file_result.modified_time_dt - type: date - -ocsf.file_result.modifier.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.file_result.modifier.account.name - type: keyword - -ocsf.file_result.modifier.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.file_result.modifier.account.type - type: keyword - -ocsf.file_result.modifier.account.type_id: - description: The normalized account type identifier. - name: ocsf.file_result.modifier.account.type_id - type: keyword - -ocsf.file_result.modifier.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.file_result.modifier.account.uid - type: keyword - -ocsf.file_result.modifier.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.file_result.modifier.credential_uid - type: keyword - -ocsf.file_result.modifier.domain: - description: 'The domain where the user is defined. For example: the LDAP or Active - Directory domain.' - name: ocsf.file_result.modifier.domain - type: keyword - -ocsf.file_result.modifier.email_addr: - description: The user's email address. - name: ocsf.file_result.modifier.email_addr - type: keyword - -ocsf.file_result.modifier.full_name: - description: The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.file_result.modifier.full_name - type: keyword - -ocsf.file_result.modifier.groups.desc: - description: The group description. - name: ocsf.file_result.modifier.groups.desc - type: keyword - -ocsf.file_result.modifier.groups.name: - description: The group name. - name: ocsf.file_result.modifier.groups.name - type: keyword - -ocsf.file_result.modifier.groups.privileges: - description: The group privileges. 
- name: ocsf.file_result.modifier.groups.privileges - type: keyword - -ocsf.file_result.modifier.groups.type: - description: The type of the group or account. - name: ocsf.file_result.modifier.groups.type - type: keyword - -ocsf.file_result.modifier.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.file_result.modifier.groups.uid - type: keyword - -ocsf.file_result.modifier.name: - description: The username. For example, janedoe1. - name: ocsf.file_result.modifier.name - type: keyword - -ocsf.file_result.modifier.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.file_result.modifier.org.name - type: keyword - -ocsf.file_result.modifier.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.file_result.modifier.org.ou_name - type: keyword - -ocsf.file_result.modifier.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.file_result.modifier.org.ou_uid - type: keyword - -ocsf.file_result.modifier.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.file_result.modifier.org.uid - type: keyword - -ocsf.file_result.modifier.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.file_result.modifier.type - type: keyword - -ocsf.file_result.modifier.type_id: - description: The account type identifier. - name: ocsf.file_result.modifier.type_id - type: keyword - -ocsf.file_result.modifier.uid: - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. 
- name: ocsf.file_result.modifier.uid - type: keyword - -ocsf.file_result.modifier.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.file_result.modifier.uid_alt - type: keyword - -ocsf.file_result.name: - description: 'The name of the file. For example: svchost.exe.' - name: ocsf.file_result.name - type: keyword - -ocsf.file_result.owner.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.file_result.owner.account.name - type: keyword - -ocsf.file_result.owner.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.file_result.owner.account.type - type: keyword - -ocsf.file_result.owner.account.type_id: - description: The normalized account type identifier. - name: ocsf.file_result.owner.account.type_id - type: keyword - -ocsf.file_result.owner.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.file_result.owner.account.uid - type: keyword - -ocsf.file_result.owner.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.file_result.owner.credential_uid - type: keyword - -ocsf.file_result.owner.domain: - description: 'The domain where the user is defined. For example: the LDAP or Active - Directory domain.' - name: ocsf.file_result.owner.domain - type: keyword - -ocsf.file_result.owner.email_addr: - description: The user's email address. - name: ocsf.file_result.owner.email_addr - type: keyword - -ocsf.file_result.owner.full_name: - description: The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.file_result.owner.full_name - type: keyword - -ocsf.file_result.owner.groups.desc: - description: The group description. 
- name: ocsf.file_result.owner.groups.desc - type: keyword - -ocsf.file_result.owner.groups.name: - description: The group name. - name: ocsf.file_result.owner.groups.name - type: keyword - -ocsf.file_result.owner.groups.privileges: - description: The group privileges. - name: ocsf.file_result.owner.groups.privileges - type: keyword - -ocsf.file_result.owner.groups.type: - description: The type of the group or account. - name: ocsf.file_result.owner.groups.type - type: keyword - -ocsf.file_result.owner.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.file_result.owner.groups.uid - type: keyword - -ocsf.file_result.owner.name: - description: The username. For example, janedoe1. - name: ocsf.file_result.owner.name - type: keyword - -ocsf.file_result.owner.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.file_result.owner.org.name - type: keyword - -ocsf.file_result.owner.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.file_result.owner.org.ou_name - type: keyword - -ocsf.file_result.owner.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.file_result.owner.org.ou_uid - type: keyword - -ocsf.file_result.owner.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.file_result.owner.org.uid - type: keyword - -ocsf.file_result.owner.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.file_result.owner.type - type: keyword - -ocsf.file_result.owner.type_id: - description: The account type identifier. 
- name: ocsf.file_result.owner.type_id - type: keyword - -ocsf.file_result.owner.uid: - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.file_result.owner.uid - type: keyword - -ocsf.file_result.owner.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.file_result.owner.uid_alt - type: keyword - -ocsf.file_result.parent_folder: - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - name: ocsf.file_result.parent_folder - type: keyword - -ocsf.file_result.path: - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - name: ocsf.file_result.path - type: keyword - -ocsf.file_result.product.feature.name: - description: The name of the feature. - name: ocsf.file_result.product.feature.name - type: keyword - -ocsf.file_result.product.feature.uid: - description: The unique identifier of the feature. - name: ocsf.file_result.product.feature.uid - type: keyword - -ocsf.file_result.product.feature.version: - description: The version of the feature. - name: ocsf.file_result.product.feature.version - type: keyword - -ocsf.file_result.product.lang: - description: 'The two letter lower case language codes, as defined by ISO 639-1. - For example: en (English), de (German), or fr (French).' - name: ocsf.file_result.product.lang - type: keyword - -ocsf.file_result.product.name: - description: The name of the product. - name: ocsf.file_result.product.name - type: keyword - -ocsf.file_result.product.path: - description: The installation path of the product. - name: ocsf.file_result.product.path - type: keyword - -ocsf.file_result.product.uid: - description: The unique identifier of the product. - name: ocsf.file_result.product.uid - type: keyword - -ocsf.file_result.product.vendor_name: - description: The name of the vendor of the product. 
- name: ocsf.file_result.product.vendor_name - type: keyword - -ocsf.file_result.product.version: - description: 'The version of the product, as defined by the event source. For example: - 2013.1.3-beta.' - name: ocsf.file_result.product.version - type: keyword - -ocsf.file_result.security_descriptor: - description: The object security descriptor. - name: ocsf.file_result.security_descriptor - type: keyword - -ocsf.file_result.signature.algorithm: - description: The digital signature algorithm used to create the signature, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.file_result.signature.algorithm - type: keyword - -ocsf.file_result.signature.algorithm_id: - description: The identifier of the normalized digital signature algorithm. - name: ocsf.file_result.signature.algorithm_id - type: keyword - -ocsf.file_result.signature.certificate.created_time: - description: The time when the certificate was created. - name: ocsf.file_result.signature.certificate.created_time - type: date - -ocsf.file_result.signature.certificate.created_time_dt: - description: The time when the certificate was created. - name: ocsf.file_result.signature.certificate.created_time_dt - type: date - -ocsf.file_result.signature.certificate.expiration_time: - description: The expiration time of the certificate. - name: ocsf.file_result.signature.certificate.expiration_time - type: date - -ocsf.file_result.signature.certificate.expiration_time_dt: - description: The expiration time of the certificate. - name: ocsf.file_result.signature.certificate.expiration_time_dt - type: date - -ocsf.file_result.signature.certificate.fingerprints.algorithm: - description: The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. 
- name: ocsf.file_result.signature.certificate.fingerprints.algorithm - type: keyword - -ocsf.file_result.signature.certificate.fingerprints.algorithm_id: - description: The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.file_result.signature.certificate.fingerprints.algorithm_id - type: keyword - -ocsf.file_result.signature.certificate.fingerprints.value: - description: The digital fingerprint value. - name: ocsf.file_result.signature.certificate.fingerprints.value - type: keyword - -ocsf.file_result.signature.certificate.issuer: - description: The certificate issuer distinguished name. - name: ocsf.file_result.signature.certificate.issuer - type: keyword - -ocsf.file_result.signature.certificate.serial_number: - description: The serial number of the certificate used to create the digital signature. - name: ocsf.file_result.signature.certificate.serial_number - type: keyword - -ocsf.file_result.signature.certificate.subject: - description: The certificate subject distinguished name. - name: ocsf.file_result.signature.certificate.subject - type: keyword - -ocsf.file_result.signature.certificate.version: - description: The certificate version. - name: ocsf.file_result.signature.certificate.version - type: keyword - -ocsf.file_result.signature.created_time: - description: The time when the digital signature was created. - name: ocsf.file_result.signature.created_time - type: date - -ocsf.file_result.signature.created_time_dt: - description: The time when the digital signature was created. - name: ocsf.file_result.signature.created_time_dt - type: date - -ocsf.file_result.signature.developer_uid: - description: The developer ID on the certificate that signed the file. - name: ocsf.file_result.signature.developer_uid - type: keyword - -ocsf.file_result.signature.digest.algorithm: - description: The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the - event source. - name: ocsf.file_result.signature.digest.algorithm - type: keyword - -ocsf.file_result.signature.digest.algorithm_id: - description: The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.file_result.signature.digest.algorithm_id - type: keyword - -ocsf.file_result.signature.digest.value: - description: The digital fingerprint value. - name: ocsf.file_result.signature.digest.value - type: keyword - -ocsf.file_result.size: - description: The size of data, in bytes. - name: ocsf.file_result.size - type: long - -ocsf.file_result.type: - description: The file type. - name: ocsf.file_result.type - type: keyword - -ocsf.file_result.type_id: - description: The file type ID. - name: ocsf.file_result.type_id - type: keyword - -ocsf.file_result.uid: - description: The unique identifier of the file as defined by the storage system, - such the file system file ID. - name: ocsf.file_result.uid - type: keyword - -ocsf.file_result.version: - description: 'The file version. For example: 8.0.7601.17514.' - name: ocsf.file_result.version - type: keyword - -ocsf.file_result.xattributes: - description: An unordered collection of zero or more name/value pairs where each - pair represents a file or folder extended attribute. - name: ocsf.file_result.xattributes - type: keyword - -ocsf.finding.created_time_dt: - description: The time when the finding was created. - name: ocsf.finding.created_time_dt - type: date - -ocsf.finding.desc: - description: The description of the reported finding. - name: ocsf.finding.desc - type: keyword - -ocsf.finding.first_seen_time: - description: The time when the finding was first observed. - name: ocsf.finding.first_seen_time - type: date - -ocsf.finding.first_seen_time_dt: - description: The time when the finding was first observed. 
- name: ocsf.finding.first_seen_time_dt - type: date - -ocsf.finding.last_seen_time: - description: The time when the finding was most recently observed. - name: ocsf.finding.last_seen_time - type: date - -ocsf.finding.last_seen_time_dt: - description: The time when the finding was most recently observed. - name: ocsf.finding.last_seen_time_dt - type: date - -ocsf.finding.modified_time: - description: The time when the finding was last modified. - name: ocsf.finding.modified_time - type: date - -ocsf.finding.modified_time_dt: - description: The time when the finding was last modified. - name: ocsf.finding.modified_time_dt - type: date - -ocsf.finding.product_uid: - description: The unique identifier of the product that reported the finding. - name: ocsf.finding.product_uid - type: keyword - -ocsf.finding.related_events.product_uid: - description: The unique identifier of the product that reported the related event. - name: ocsf.finding.related_events.product_uid - type: keyword - -ocsf.finding.related_events.type: - description: 'The type of the related event. For example: Process Activity: Launch.' - name: ocsf.finding.related_events.type - type: keyword - -ocsf.finding.related_events.type_uid: - description: 'The unique identifier of the related event type. For example: 100701.' - name: ocsf.finding.related_events.type_uid - type: keyword - -ocsf.finding.related_events.uid: - description: The unique identifier of the related event. - name: ocsf.finding.related_events.uid - type: keyword - -ocsf.finding.remediation.desc: - description: The description of the remediation strategy. - name: ocsf.finding.remediation.desc - type: keyword - -ocsf.finding.remediation.kb_articles: - description: The KB article/s related to the entity. - name: ocsf.finding.remediation.kb_articles - type: keyword - -ocsf.finding.supporting_data: - description: Additional data supporting a finding as provided by security tool. 
- name: ocsf.finding.supporting_data - type: keyword - -ocsf.finding.title: - description: The title of the reported finding. - name: ocsf.finding.title - type: keyword - -ocsf.finding.types: - description: One or more types of the reported finding. - name: ocsf.finding.types - type: keyword - -ocsf.finding.uid: - description: The unique identifier of the reported finding. - name: ocsf.finding.uid - type: keyword - -ocsf.group.desc: - description: The group description. - name: ocsf.group.desc - type: keyword - -ocsf.group.privileges: - description: The group privileges. - name: ocsf.group.privileges - type: keyword - -ocsf.group.type: - description: The type of the group or account. - name: ocsf.group.type - type: keyword - -ocsf.http_request.args: - description: The arguments sent along with the HTTP request. - name: ocsf.http_request.args - type: keyword - -ocsf.http_request.http_headers.name: - description: The name of the header. - name: ocsf.http_request.http_headers.name - type: keyword - -ocsf.http_request.http_headers.value: - description: The value of the header. - name: ocsf.http_request.http_headers.value - type: keyword - -ocsf.http_request.url.categories: - description: The Website categorization names, as defined by category_ids enum values. - name: ocsf.http_request.url.categories - type: keyword - -ocsf.http_request.url.category_ids: - description: The Website categorization identifies. - name: ocsf.http_request.url.category_ids - type: keyword - -ocsf.http_request.url.resource_type: - description: The context in which a resource was retrieved in a web request. - name: ocsf.http_request.url.resource_type - type: keyword - -ocsf.http_request.x_forwarded_for: - description: The X-Forwarded-For header identifying the originating IP address(es) - of a client connecting to a web server through an HTTP proxy or a load balancer. 
- name: ocsf.http_request.x_forwarded_for - type: ip - -ocsf.http_response.content_type: - description: The request header that identifies the original media type of the resource - (prior to any content encoding applied for sending). - name: ocsf.http_response.content_type - type: keyword - -ocsf.http_response.latency: - description: The HTTP response latency. In seconds, milliseconds, etc. - name: ocsf.http_response.latency - type: long - -ocsf.http_response.status: - description: The response status. - name: ocsf.http_response.status - type: keyword - -ocsf.http_status: - description: The Hypertext Transfer Protocol (HTTP) status code returned to the - client. - name: ocsf.http_status - type: long - -ocsf.identifier_cookie: - description: The client identifier cookie during client/server exchange. - name: ocsf.identifier_cookie - type: keyword - -ocsf.impact: - description: The impact , normalized to the caption of the impact_id value. In the - case of 'Other', it is defined by the event source. - name: ocsf.impact - type: keyword - -ocsf.impact_id: - description: The normalized impact of the finding. - name: ocsf.impact_id - type: keyword - -ocsf.impact_score: - description: The impact of the finding, valid range 0-100. - name: ocsf.impact_score - type: long - -ocsf.injection_type: - description: The process injection method, normalized to the caption of the injection_type_id - value. In the case of 'Other', it is defined by the event source. - name: ocsf.injection_type - type: keyword - -ocsf.injection_type_id: - description: The normalized identifier of the process injection method. - name: ocsf.injection_type_id - type: keyword - -ocsf.is_cleartext: - description: 'Indicates whether the credentials were passed in clear text.Note: - True if the credentials were passed in a clear text protocol such as FTP or TELNET, - or if Windows detected that a user''s logon password was passed to the authentication - package in clear text.' 
- name: ocsf.is_cleartext - type: boolean - -ocsf.is_mfa: - description: Indicates whether Multi Factor Authentication was used during authentication. - name: ocsf.is_mfa - type: boolean - -ocsf.is_new_logon: - description: Indicates logon is from a device not seen before or a first time account - logon. - name: ocsf.is_new_logon - type: boolean - -ocsf.is_remote: - description: The attempted authentication is over a remote connection. - name: ocsf.is_remote - type: boolean - -ocsf.is_renewal: - description: The indication of whether this is a lease/session renewal event. - name: ocsf.is_renewal - type: boolean - -ocsf.kernel.is_system: - description: The indication of whether the object is part of the operating system. - name: ocsf.kernel.is_system - type: boolean - -ocsf.kernel.name: - description: The name of the kernel resource. - name: ocsf.kernel.name - type: keyword - -ocsf.kernel.path: - description: The full path of the kernel resource. - name: ocsf.kernel.path - type: keyword - -ocsf.kernel.system_call: - description: The system call that was invoked. - name: ocsf.kernel.system_call - type: keyword - -ocsf.kernel.type: - description: The type of the kernel resource. - name: ocsf.kernel.type - type: keyword - -ocsf.kernel.type_id: - description: The type id of the kernel resource. - name: ocsf.kernel.type_id - type: keyword - -ocsf.kill_chain.phase: - description: The cyber kill chain phase. - name: ocsf.kill_chain.phase - type: keyword - -ocsf.kill_chain.phase_id: - description: The cyber kill chain phase identifier. - name: ocsf.kill_chain.phase_id - type: keyword - -ocsf.lease_dur: - description: This represents the length of the DHCP lease in seconds. This is present - in DHCP Ack events. (activity_id = 1) - name: ocsf.lease_dur - type: long - -ocsf.logon_type: - description: The logon type, normalized to the caption of the logon_type_id value. - In the case of 'Other', it is defined by the event source. 
- name: ocsf.logon_type - type: keyword - -ocsf.logon_type_id: - description: The normalized logon type identifier - name: ocsf.logon_type_id - type: keyword - -ocsf.malware.classification_ids: - description: The list of normalized identifiers of the malware classifications. - name: ocsf.malware.classification_ids - type: keyword - -ocsf.malware.classifications: - description: The list of malware classifications, normalized to the captions of - the classification_id values. In the case of 'Other', they are defined by the - event source. - name: ocsf.malware.classifications - type: keyword - -ocsf.malware.cves.created_time: - description: The Record Creation Date identifies when the CVE ID was issued to a - CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. - Note that the Record Creation Date does not necessarily indicate when this vulnerability - was discovered, shared with the affected vendor, publicly disclosed, or updated - in CVE. - name: ocsf.malware.cves.created_time - type: date - -ocsf.malware.cves.created_time_dt: - description: The Record Creation Date identifies when the CVE ID was issued to a - CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. - Note that the Record Creation Date does not necessarily indicate when this vulnerability - was discovered, shared with the affected vendor, publicly disclosed, or updated - in CVE. - name: ocsf.malware.cves.created_time_dt - type: date - -ocsf.malware.cves.cvss.base_score: - description: The CVSS base score. - name: ocsf.malware.cves.cvss.base_score - type: keyword - -ocsf.malware.cves.cvss.depth: - description: The CVSS depth represents a depth of the equation used to calculate - CVSS score. - name: ocsf.malware.cves.cvss.depth - type: keyword - -ocsf.malware.cves.cvss.metrics.name: - description: The name of the metric. 
- name: ocsf.malware.cves.cvss.metrics.name - type: keyword - -ocsf.malware.cves.cvss.metrics.value: - description: The value of the metric. - name: ocsf.malware.cves.cvss.metrics.value - type: keyword - -ocsf.malware.cves.cvss.overall_score: - description: The CVSS overall score, impacted by base, temporal, and environmental - metrics. - name: ocsf.malware.cves.cvss.overall_score - type: keyword - -ocsf.malware.cves.cvss.severity: - description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity - Rating. A textual representation of the numeric score. - name: ocsf.malware.cves.cvss.severity - type: keyword - -ocsf.malware.cves.cvss.vector_string: - description: 'The CVSS vector string is a text representation of a set of CVSS metrics. - It is commonly used to record or transfer CVSS metric information in a concise - form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.' - name: ocsf.malware.cves.cvss.vector_string - type: keyword - -ocsf.malware.cves.cvss.version: - description: The CVSS version. - name: ocsf.malware.cves.cvss.version - type: keyword - -ocsf.malware.cves.cwe_uid: - description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: - CWE-787.' - name: ocsf.malware.cves.cwe_uid - type: keyword - -ocsf.malware.cves.cwe_url: - description: Common Weakness Enumeration (CWE) definition URL. - name: ocsf.malware.cves.cwe_url - type: keyword - -ocsf.malware.cves.modified_time: - description: The Record Modified Date identifies when the CVE record was last updated. - name: ocsf.malware.cves.modified_time - type: date - -ocsf.malware.cves.modified_time_dt: - description: The Record Modified Date identifies when the CVE record was last updated. - name: ocsf.malware.cves.modified_time_dt - type: date - -ocsf.malware.cves.product.feature.name: - description: The name of the feature. 
- name: ocsf.malware.cves.product.feature.name - type: keyword - -ocsf.malware.cves.product.feature.uid: - description: The unique identifier of the feature. - name: ocsf.malware.cves.product.feature.uid - type: keyword - -ocsf.malware.cves.product.feature.version: - description: The version of the feature. - name: ocsf.malware.cves.product.feature.version - type: keyword - -ocsf.malware.cves.product.lang: - description: The two letter lower case language codes, as defined by ISO 639-1. - name: ocsf.malware.cves.product.lang - type: keyword - -ocsf.malware.cves.product.name: - description: The name of the product. - name: ocsf.malware.cves.product.name - type: keyword - -ocsf.malware.cves.product.path: - description: The installation path of the product. - name: ocsf.malware.cves.product.path - type: keyword - -ocsf.malware.cves.product.uid: - description: The unique identifier of the product. - name: ocsf.malware.cves.product.uid - type: keyword - -ocsf.malware.cves.product.url_string: - description: The URL pointing towards the product. - name: ocsf.malware.cves.product.url_string - type: keyword - -ocsf.malware.cves.product.vendor_name: - description: The name of the vendor of the product. - name: ocsf.malware.cves.product.vendor_name - type: keyword - -ocsf.malware.cves.product.version: - description: 'The version of the product, as defined by the event source. For example: - 2013.1.3-beta.' - name: ocsf.malware.cves.product.version - type: keyword - -ocsf.malware.cves.type: - description: The vulnerability type as selected from a large dropdown menu during - CVE refinement. - name: ocsf.malware.cves.type - type: keyword - -ocsf.malware.cves.uid: - description: 'The Common Vulnerabilities and Exposures unique number assigned to - a specific computer vulnerability. A CVE Identifier begins with 4 digits representing - the year followed by a sequence of digits that acts as a unique identifier. For - example: CVE-2021-12345.' 
- name: ocsf.malware.cves.uid - type: keyword - -ocsf.malware.name: - description: The malware name, as reported by the detection engine. - name: ocsf.malware.name - type: keyword - -ocsf.malware.path: - description: The filesystem path of the malware that was observed. - name: ocsf.malware.path - type: keyword - -ocsf.malware.provider: - description: The provider of the malware information. - name: ocsf.malware.provider - type: keyword - -ocsf.malware.uid: - description: The malware unique identifier, as reported by the detection engine. - For example a virus id or an IPS signature id. - name: ocsf.malware.uid - type: keyword - -ocsf.metadata.correlation_uid: - description: The unique identifier used to correlate events. - name: ocsf.metadata.correlation_uid - type: keyword - -ocsf.metadata.extension.name: - description: 'The schema extension name. For example: dev.' - name: ocsf.metadata.extension.name - type: keyword - -ocsf.metadata.extension.uid: - description: 'The schema extension unique identifier. For example: 999.' - name: ocsf.metadata.extension.uid - type: keyword - -ocsf.metadata.extension.version: - description: 'The schema extension version. For example: 1.0.0-alpha.2.' - name: ocsf.metadata.extension.version - type: keyword - -ocsf.metadata.log_name: - description: 'The event log name. For example, syslog file name or Windows logging - subsystem: Security.' - name: ocsf.metadata.log_name - type: keyword - -ocsf.metadata.log_version: - description: The event log schema version that specifies the format of the original - event. For example syslog version or Cisco Log Schema Version. - name: ocsf.metadata.log_version - type: keyword - -ocsf.metadata.logged_time: - description: The time when the logging system collected and logged the event. This - attribute is distinct from the event time in that event time typically contain - the time extracted from the original event. Most of the time, these two times - will be different. 
- name: ocsf.metadata.logged_time - type: date - -ocsf.metadata.logged_time_dt: - description: The time when the logging system collected and logged the event. This - attribute is distinct from the event time in that event time typically contain - the time extracted from the original event. Most of the time, these two times - will be different. - name: ocsf.metadata.logged_time_dt - type: date - -ocsf.metadata.modified_time: - description: The time when the event was last modified or enriched. - name: ocsf.metadata.modified_time - type: date - -ocsf.metadata.modified_time_dt: - description: The time when the event was last modified or enriched. - name: ocsf.metadata.modified_time_dt - type: date - -ocsf.metadata.original_time: - description: The original event time as reported by the event source. For example, - the time in the original format from system event log such as Syslog on Unix/Linux - and the System event file on Windows. Omit if event is generated instead of collected - via logs. - name: ocsf.metadata.original_time - type: keyword - -ocsf.metadata.processed_time: - description: The event processed time, such as an ETL operation. - name: ocsf.metadata.processed_time - type: date - -ocsf.metadata.processed_time_dt: - description: The event processed time, such as an ETL operation. - name: ocsf.metadata.processed_time_dt - type: date - -ocsf.metadata.product.feature.name: - description: The name of the feature. - name: ocsf.metadata.product.feature.name - type: keyword - -ocsf.metadata.product.feature.uid: - description: The unique identifier of the feature. - name: ocsf.metadata.product.feature.uid - type: keyword - -ocsf.metadata.product.feature.version: - description: The version of the feature. - name: ocsf.metadata.product.feature.version - type: keyword - -ocsf.metadata.product.lang: - description: 'The two letter lowercase language codes, as defined by ISO 639-1. - For example: en (English), de (German), or fr (French).' 
- name: ocsf.metadata.product.lang - type: keyword - -ocsf.metadata.product.name: - description: The name of the product. - name: ocsf.metadata.product.name - type: keyword - -ocsf.metadata.product.path: - description: The installation path of the product. - name: ocsf.metadata.product.path - type: keyword - -ocsf.metadata.product.uid: - description: The unique identifier of the product. - name: ocsf.metadata.product.uid - type: keyword - -ocsf.metadata.product.url_string: - description: The URL pointing towards the product. - name: ocsf.metadata.product.url_string - type: keyword - -ocsf.metadata.product.version: - description: 'The version of the product, as defined by the event source. For example: - 2013.1.3-beta.' - name: ocsf.metadata.product.version - type: keyword - -ocsf.metadata.profiles: - description: The list of profiles used to create the event. - name: ocsf.metadata.profiles - type: keyword - -ocsf.metadata.version: - description: 'The version of the OCSF schema, using Semantic Versioning Specification - (SemVer). For example: 1.0.0. Event consumers use the version to determine the - available event attributes.' - name: ocsf.metadata.version - type: keyword - -ocsf.module.base_address: - description: The memory address where the module was loaded. - name: ocsf.module.base_address - type: keyword - -ocsf.module.file.accessed_time_dt: - description: The time when the file was last accessed. - name: ocsf.module.file.accessed_time_dt - type: date - -ocsf.module.file.accessor.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.module.file.accessor.account.name - type: keyword - -ocsf.module.file.accessor.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. 
- name: ocsf.module.file.accessor.account.type - type: keyword - -ocsf.module.file.accessor.account.type_id: - description: The normalized account type identifier. - name: ocsf.module.file.accessor.account.type_id - type: keyword - -ocsf.module.file.accessor.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.module.file.accessor.account.uid - type: keyword - -ocsf.module.file.accessor.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.module.file.accessor.credential_uid - type: keyword - -ocsf.module.file.accessor.domain: - description: 'The domain where the user is defined. For example: the LDAP or Active - Directory domain.' - name: ocsf.module.file.accessor.domain - type: keyword - -ocsf.module.file.accessor.email_addr: - description: The user's email address. - name: ocsf.module.file.accessor.email_addr - type: keyword - -ocsf.module.file.accessor.full_name: - description: The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.module.file.accessor.full_name - type: keyword - -ocsf.module.file.accessor.groups.desc: - description: The group description. - name: ocsf.module.file.accessor.groups.desc - type: keyword - -ocsf.module.file.accessor.groups.name: - description: The group name. - name: ocsf.module.file.accessor.groups.name - type: keyword - -ocsf.module.file.accessor.groups.privileges: - description: The group privileges. - name: ocsf.module.file.accessor.groups.privileges - type: keyword - -ocsf.module.file.accessor.groups.type: - description: The type of the group or account. - name: ocsf.module.file.accessor.groups.type - type: keyword - -ocsf.module.file.accessor.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. 
- name: ocsf.module.file.accessor.groups.uid - type: keyword - -ocsf.module.file.accessor.name: - description: The username. For example, janedoe1. - name: ocsf.module.file.accessor.name - type: keyword - -ocsf.module.file.accessor.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.module.file.accessor.org.name - type: keyword - -ocsf.module.file.accessor.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.module.file.accessor.org.ou_name - type: keyword - -ocsf.module.file.accessor.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.module.file.accessor.org.ou_uid - type: keyword - -ocsf.module.file.accessor.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.module.file.accessor.org.uid - type: keyword - -ocsf.module.file.accessor.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.module.file.accessor.type - type: keyword - -ocsf.module.file.accessor.type_id: - description: The account type identifier. - name: ocsf.module.file.accessor.type_id - type: keyword - -ocsf.module.file.accessor.uid: - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.module.file.accessor.uid - type: keyword - -ocsf.module.file.accessor.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.module.file.accessor.uid_alt - type: keyword - -ocsf.module.file.attributes: - description: The Bitmask value that represents the file attributes. - name: ocsf.module.file.attributes - type: long - -ocsf.module.file.company_name: - description: 'The name of the company that published the file. 
For example: Microsoft - Corporation.' - name: ocsf.module.file.company_name - type: keyword - -ocsf.module.file.confidentiality: - description: The file content confidentiality, normalized to the confidentiality_id - value. In the case of 'Other', it is defined by the event source. - name: ocsf.module.file.confidentiality - type: keyword - -ocsf.module.file.confidentiality_id: - description: The normalized identifier of the file content confidentiality indicator. - name: ocsf.module.file.confidentiality_id - type: keyword - -ocsf.module.file.created_time_dt: - description: The time when the file was created. - name: ocsf.module.file.created_time_dt - type: date - -ocsf.module.file.creator.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.module.file.creator.account.name - type: keyword - -ocsf.module.file.creator.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.module.file.creator.account.type - type: keyword - -ocsf.module.file.creator.account.type_id: - description: The normalized account type identifier. - name: ocsf.module.file.creator.account.type_id - type: keyword - -ocsf.module.file.creator.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.module.file.creator.account.uid - type: keyword - -ocsf.module.file.creator.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.module.file.creator.credential_uid - type: keyword - -ocsf.module.file.creator.domain: - description: 'The domain where the user is defined. For example: the LDAP or Active - Directory domain.' - name: ocsf.module.file.creator.domain - type: keyword - -ocsf.module.file.creator.email_addr: - description: The user's email address. 
- name: ocsf.module.file.creator.email_addr - type: keyword - -ocsf.module.file.creator.full_name: - description: The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.module.file.creator.full_name - type: keyword - -ocsf.module.file.creator.groups.desc: - description: The group description. - name: ocsf.module.file.creator.groups.desc - type: keyword - -ocsf.module.file.creator.groups.name: - description: The group name. - name: ocsf.module.file.creator.groups.name - type: keyword - -ocsf.module.file.creator.groups.privileges: - description: The group privileges. - name: ocsf.module.file.creator.groups.privileges - type: keyword - -ocsf.module.file.creator.groups.type: - description: The type of the group or account. - name: ocsf.module.file.creator.groups.type - type: keyword - -ocsf.module.file.creator.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.module.file.creator.groups.uid - type: keyword - -ocsf.module.file.creator.name: - description: The username. For example, janedoe1. - name: ocsf.module.file.creator.name - type: keyword - -ocsf.module.file.creator.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.module.file.creator.org.name - type: keyword - -ocsf.module.file.creator.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.module.file.creator.org.ou_name - type: keyword - -ocsf.module.file.creator.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.module.file.creator.org.ou_uid - type: keyword - -ocsf.module.file.creator.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. 
- name: ocsf.module.file.creator.org.uid - type: keyword - -ocsf.module.file.creator.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.module.file.creator.type - type: keyword - -ocsf.module.file.creator.type_id: - description: The account type identifier. - name: ocsf.module.file.creator.type_id - type: keyword - -ocsf.module.file.creator.uid: - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.module.file.creator.uid - type: keyword - -ocsf.module.file.creator.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.module.file.creator.uid_alt - type: keyword - -ocsf.module.file.desc: - description: 'The description of the file, as returned by file system. For example: - the description as returned by the Unix file command or the Windows file type.' - name: ocsf.module.file.desc - type: keyword - -ocsf.module.file.is_system: - description: The indication of whether the object is part of the operating system. - name: ocsf.module.file.is_system - type: boolean - -ocsf.module.file.modified_time_dt: - description: The time when the file was last modified. - name: ocsf.module.file.modified_time_dt - type: date - -ocsf.module.file.modifier.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.module.file.modifier.account.name - type: keyword - -ocsf.module.file.modifier.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.module.file.modifier.account.type - type: keyword - -ocsf.module.file.modifier.account.type_id: - description: The normalized account type identifier. 
- name: ocsf.module.file.modifier.account.type_id - type: keyword - -ocsf.module.file.modifier.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.module.file.modifier.account.uid - type: keyword - -ocsf.module.file.modifier.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.module.file.modifier.credential_uid - type: keyword - -ocsf.module.file.modifier.domain: - description: 'The domain where the user is defined. For example: the LDAP or Active - Directory domain.' - name: ocsf.module.file.modifier.domain - type: keyword - -ocsf.module.file.modifier.email_addr: - description: The user's email address. - name: ocsf.module.file.modifier.email_addr - type: keyword - -ocsf.module.file.modifier.full_name: - description: The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.module.file.modifier.full_name - type: keyword - -ocsf.module.file.modifier.groups.desc: - description: The group description. - name: ocsf.module.file.modifier.groups.desc - type: keyword - -ocsf.module.file.modifier.groups.name: - description: The group name. - name: ocsf.module.file.modifier.groups.name - type: keyword - -ocsf.module.file.modifier.groups.privileges: - description: The group privileges. - name: ocsf.module.file.modifier.groups.privileges - type: keyword - -ocsf.module.file.modifier.groups.type: - description: The type of the group or account. - name: ocsf.module.file.modifier.groups.type - type: keyword - -ocsf.module.file.modifier.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.module.file.modifier.groups.uid - type: keyword - -ocsf.module.file.modifier.name: - description: The username. For example, janedoe1. 
- name: ocsf.module.file.modifier.name - type: keyword - -ocsf.module.file.modifier.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.module.file.modifier.org.name - type: keyword - -ocsf.module.file.modifier.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.module.file.modifier.org.ou_name - type: keyword - -ocsf.module.file.modifier.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.module.file.modifier.org.ou_uid - type: keyword - -ocsf.module.file.modifier.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.module.file.modifier.org.uid - type: keyword - -ocsf.module.file.modifier.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.module.file.modifier.type - type: keyword - -ocsf.module.file.modifier.type_id: - description: The account type identifier. - name: ocsf.module.file.modifier.type_id - type: keyword - -ocsf.module.file.modifier.uid: - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. - name: ocsf.module.file.modifier.uid - type: keyword - -ocsf.module.file.modifier.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.module.file.modifier.uid_alt - type: keyword - -ocsf.module.file.owner.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.module.file.owner.account.name - type: keyword - -ocsf.module.file.owner.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. 
- name: ocsf.module.file.owner.account.type - type: keyword - -ocsf.module.file.owner.account.type_id: - description: The normalized account type identifier. - name: ocsf.module.file.owner.account.type_id - type: keyword - -ocsf.module.file.owner.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.module.file.owner.account.uid - type: keyword - -ocsf.module.file.owner.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.module.file.owner.credential_uid - type: keyword - -ocsf.module.file.owner.domain: - description: 'The domain where the user is defined. For example: the LDAP or Active - Directory domain.' - name: ocsf.module.file.owner.domain - type: keyword - -ocsf.module.file.owner.email_addr: - description: The user's email address. - name: ocsf.module.file.owner.email_addr - type: keyword - -ocsf.module.file.owner.full_name: - description: The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.module.file.owner.full_name - type: keyword - -ocsf.module.file.owner.groups.desc: - description: The group description. - name: ocsf.module.file.owner.groups.desc - type: keyword - -ocsf.module.file.owner.groups.name: - description: The group name. - name: ocsf.module.file.owner.groups.name - type: keyword - -ocsf.module.file.owner.groups.privileges: - description: The group privileges. - name: ocsf.module.file.owner.groups.privileges - type: keyword - -ocsf.module.file.owner.groups.type: - description: The type of the group or account. - name: ocsf.module.file.owner.groups.type - type: keyword - -ocsf.module.file.owner.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.module.file.owner.groups.uid - type: keyword - -ocsf.module.file.owner.org.name: - description: The name of the organization. 
For example, Widget, Inc. - name: ocsf.module.file.owner.org.name - type: keyword - -ocsf.module.file.owner.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.module.file.owner.org.ou_name - type: keyword - -ocsf.module.file.owner.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.module.file.owner.org.ou_uid - type: keyword - -ocsf.module.file.owner.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.module.file.owner.org.uid - type: keyword - -ocsf.module.file.owner.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.module.file.owner.type - type: keyword - -ocsf.module.file.owner.type_id: - description: The account type identifier. - name: ocsf.module.file.owner.type_id - type: keyword - -ocsf.module.file.owner.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.module.file.owner.uid_alt - type: keyword - -ocsf.module.file.product.feature.name: - description: The name of the feature. - name: ocsf.module.file.product.feature.name - type: keyword - -ocsf.module.file.product.feature.uid: - description: The unique identifier of the feature. - name: ocsf.module.file.product.feature.uid - type: keyword - -ocsf.module.file.product.feature.version: - description: The version of the feature. - name: ocsf.module.file.product.feature.version - type: keyword - -ocsf.module.file.product.lang: - description: 'The two letter lower case language codes, as defined by ISO 639-1. - For example: en (English), de (German), or fr (French).' - name: ocsf.module.file.product.lang - type: keyword - -ocsf.module.file.product.name: - description: The name of the product. 
- name: ocsf.module.file.product.name - type: keyword - -ocsf.module.file.product.path: - description: The installation path of the product. - name: ocsf.module.file.product.path - type: keyword - -ocsf.module.file.product.uid: - description: The unique identifier of the product. - name: ocsf.module.file.product.uid - type: keyword - -ocsf.module.file.product.vendor_name: - description: The name of the vendor of the product. - name: ocsf.module.file.product.vendor_name - type: keyword - -ocsf.module.file.product.version: - description: 'The version of the product, as defined by the event source. For example: - 2013.1.3-beta.' - name: ocsf.module.file.product.version - type: keyword - -ocsf.module.file.security_descriptor: - description: The object security descriptor. - name: ocsf.module.file.security_descriptor - type: keyword - -ocsf.module.file.signature.algorithm: - description: The digital signature algorithm used to create the signature, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.module.file.signature.algorithm - type: keyword - -ocsf.module.file.signature.algorithm_id: - description: The identifier of the normalized digital signature algorithm. - name: ocsf.module.file.signature.algorithm_id - type: keyword - -ocsf.module.file.signature.certificate.created_time: - description: The time when the certificate was created. - name: ocsf.module.file.signature.certificate.created_time - type: date - -ocsf.module.file.signature.certificate.created_time_dt: - description: The time when the certificate was created. - name: ocsf.module.file.signature.certificate.created_time_dt - type: date - -ocsf.module.file.signature.certificate.expiration_time_dt: - description: The expiration time of the certificate. 
- name: ocsf.module.file.signature.certificate.expiration_time_dt - type: date - -ocsf.module.file.signature.certificate.fingerprints.algorithm: - description: The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.module.file.signature.certificate.fingerprints.algorithm - type: keyword - -ocsf.module.file.signature.certificate.fingerprints.algorithm_id: - description: The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.module.file.signature.certificate.fingerprints.algorithm_id - type: keyword - -ocsf.module.file.signature.certificate.fingerprints.value: - description: The digital fingerprint value. - name: ocsf.module.file.signature.certificate.fingerprints.value - type: keyword - -ocsf.module.file.signature.created_time: - description: The time when the digital signature was created. - name: ocsf.module.file.signature.created_time - type: date - -ocsf.module.file.signature.created_time_dt: - description: The time when the digital signature was created. - name: ocsf.module.file.signature.created_time_dt - type: date - -ocsf.module.file.signature.developer_uid: - description: The developer ID on the certificate that signed the file. - name: ocsf.module.file.signature.developer_uid - type: keyword - -ocsf.module.file.signature.digest.algorithm: - description: The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.module.file.signature.digest.algorithm - type: keyword - -ocsf.module.file.signature.digest.algorithm_id: - description: The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. 
- name: ocsf.module.file.signature.digest.algorithm_id - type: keyword - -ocsf.module.file.signature.digest.value: - description: The digital fingerprint value. - name: ocsf.module.file.signature.digest.value - type: keyword - -ocsf.module.file.type_id: - description: The file type ID. - name: ocsf.module.file.type_id - type: keyword - -ocsf.module.file.version: - description: 'The file version. For example: 8.0.7601.17514.' - name: ocsf.module.file.version - type: keyword - -ocsf.module.file.xattributes: - description: An unordered collection of zero or more name/value pairs where each - pair represents a file or folder extended attribute. - name: ocsf.module.file.xattributes - type: keyword - -ocsf.module.function_name: - description: The entry-point function of the module. The system calls the entry-point - function whenever a process or thread loads or unloads the module. - name: ocsf.module.function_name - type: keyword - -ocsf.module.load_type: - description: The load type, normalized to the caption of the load_type_id value. - In the case of 'Other', it is defined by the event source. It describes how the - module was loaded in memory. - name: ocsf.module.load_type - type: keyword - -ocsf.module.load_type_id: - description: The normalized identifier of the load type. It identifies how the module - was loaded in memory. - name: ocsf.module.load_type_id - type: keyword - -ocsf.module.start_address: - description: The start address of the execution. - name: ocsf.module.start_address - type: keyword - -ocsf.module.type: - description: The module type. - name: ocsf.module.type - type: keyword - -ocsf.name: - description: The name of the data affiliated with the command. - name: ocsf.name - type: keyword - -ocsf.nist: - description: The NIST Cybersecurity Framework recommendations for managing the cybersecurity - risk. - name: ocsf.nist - type: keyword - -ocsf.observables.name: - description: 'The full name of the observable attribute. 
The name is a pointer/reference - to an attribute within the event data. For example: file.name.' - name: ocsf.observables.name - type: keyword - -ocsf.observables.reputation.base_score: - description: The reputation score as reported by the event source. - name: ocsf.observables.reputation.base_score - type: keyword - -ocsf.observables.reputation.provider: - description: The provider of the reputation information. - name: ocsf.observables.reputation.provider - type: keyword - -ocsf.observables.reputation.score: - description: The reputation score, normalized to the caption of the score_id value. - In the case of 'Other', it is defined by the event source. - name: ocsf.observables.reputation.score - type: keyword - -ocsf.observables.reputation.score_id: - description: The normalized reputation score identifier. - name: ocsf.observables.reputation.score_id - type: keyword - -ocsf.observables.type: - description: The observable value type name. - name: ocsf.observables.type - type: keyword - -ocsf.observables.type_id: - description: The observable value type identifier. - name: ocsf.observables.type_id - type: keyword - -ocsf.observables.value: - description: The value associated with the observable attribute. - name: ocsf.observables.value - type: keyword - -ocsf.open_type: - description: Indicates how the file was opened (e.g. normal, delete on close). - name: ocsf.open_type - type: keyword - -ocsf.port: - description: The dynamic port established for impending data transfers. - name: ocsf.port - type: long - -ocsf.privileges: - description: The list of sensitive privileges, assigned to the new user session. - name: ocsf.privileges - type: keyword - -ocsf.protocol_ver: - description: The Protocol version. - name: ocsf.protocol_ver - type: keyword - -ocsf.proxy.domain: - description: The name of the domain. - name: ocsf.proxy.domain - type: keyword - -ocsf.proxy.hostname: - description: The fully qualified name of the endpoint. 
- name: ocsf.proxy.hostname - type: keyword - -ocsf.proxy.instance_uid: - description: The unique identifier of a VM instance. - name: ocsf.proxy.instance_uid - type: keyword - -ocsf.proxy.interface_name: - description: The name of the network interface (e.g. eth2). - name: ocsf.proxy.interface_name - type: keyword - -ocsf.proxy.interface_uid: - description: The unique identifier of the network interface. - name: ocsf.proxy.interface_uid - type: keyword - -ocsf.proxy.intermediate_ips: - description: The intermediate IP Addresses. For example, the IP addresses in the - HTTP X-Forwarded-For header. - name: ocsf.proxy.intermediate_ips - type: ip - -ocsf.proxy.ip: - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - name: ocsf.proxy.ip - type: ip - -ocsf.proxy.location.city: - description: The name of the city. - name: ocsf.proxy.location.city - type: keyword - -ocsf.proxy.location.continent: - description: The name of the continent. - name: ocsf.proxy.location.continent - type: keyword - -ocsf.proxy.location.coordinates: - description: A two-element array, containing a longitude/latitude pair. The format - conforms with GeoJSON. - name: ocsf.proxy.location.coordinates - type: geo_point - -ocsf.proxy.location.country: - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country - codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - name: ocsf.proxy.location.country - type: keyword - -ocsf.proxy.location.desc: - description: The description of the geographical location. - name: ocsf.proxy.location.desc - type: keyword - -ocsf.proxy.location.is_on_premises: - description: The indication of whether the location is on premises. - name: ocsf.proxy.location.is_on_premises - type: boolean - -ocsf.proxy.location.isp: - description: The name of the Internet Service Provider (ISP). 
- name: ocsf.proxy.location.isp - type: keyword - -ocsf.proxy.location.postal_code: - description: The postal code of the location. - name: ocsf.proxy.location.postal_code - type: keyword - -ocsf.proxy.location.provider: - description: The provider of the geographical location data. - name: ocsf.proxy.location.provider - type: keyword - -ocsf.proxy.location.region: - description: The alphanumeric code that identifies the principal subdivision (e.g. - province or state) of the country. Region codes are defined at ISO 3166-2 and - have a limit of three characters. For example, see the region codes for the US. - name: ocsf.proxy.location.region - type: keyword - -ocsf.proxy.mac: - description: The Media Access Control (MAC) address of the endpoint. - name: ocsf.proxy.mac - type: keyword - -ocsf.proxy.name: - description: The short name of the endpoint. - name: ocsf.proxy.name - type: keyword - -ocsf.proxy.port: - description: The port used for communication within the network connection. - name: ocsf.proxy.port - type: long - -ocsf.proxy.subnet_uid: - description: The unique identifier of a virtual subnet. - name: ocsf.proxy.subnet_uid - type: keyword - -ocsf.proxy.svc_name: - description: The service name in service-to-service connections. For example, AWS - VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection - is coming from or going to an AWS service. - name: ocsf.proxy.svc_name - type: keyword - -ocsf.proxy.uid: - description: The unique identifier of the endpoint. - name: ocsf.proxy.uid - type: keyword - -ocsf.proxy.vlan_uid: - description: The Virtual LAN identifier. - name: ocsf.proxy.vlan_uid - type: keyword - -ocsf.proxy.vpc_uid: - description: The unique identifier of the Virtual Private Cloud (VPC). - name: ocsf.proxy.vpc_uid - type: keyword - -ocsf.query.opcode: - description: The DNS opcode specifies the type of the query message. 
- name: ocsf.query.opcode - type: keyword - -ocsf.query.opcode_id: - description: The DNS opcode ID specifies the normalized query message type. - name: ocsf.query.opcode_id - type: keyword - -ocsf.query_time: - description: The Domain Name System (DNS) query time. - name: ocsf.query_time - type: date - -ocsf.query_time_dt: - description: The Domain Name System (DNS) query time. - name: ocsf.query_time_dt - type: date - -ocsf.raw_data: - description: The event data as received from the event source. - name: ocsf.raw_data - type: keyword - -ocsf.raw_data_keyword: - description: '' - name: ocsf.raw_data_keyword - type: keyword - -ocsf.rcode_id: - description: The normalized identifier of the DNS server response code. - name: ocsf.rcode_id - type: keyword - -ocsf.relay.namespace: - description: The namespace is useful in merger or acquisition situations. For example, - when similar entities exists that you need to keep separate. - name: ocsf.relay.namespace - type: keyword - -ocsf.relay.subnet_prefix: - description: The subnet prefix length determines the number of bits used to represent - the network part of the IP address. The remaining bits are reserved for identifying - individual hosts within that subnet. - name: ocsf.relay.subnet_prefix - type: long - -ocsf.relay.type_id: - description: The network interface type identifier. - name: ocsf.relay.type_id - type: keyword - -ocsf.relay.uid: - description: The unique identifier for the network interface. - name: ocsf.relay.uid - type: keyword - -ocsf.remote_display.color_depth: - description: The numeric color depth. - name: ocsf.remote_display.color_depth - type: long - -ocsf.remote_display.physical_height: - description: The numeric physical height of display. - name: ocsf.remote_display.physical_height - type: long - -ocsf.remote_display.physical_orientation: - description: The numeric physical orientation of display. 
- name: ocsf.remote_display.physical_orientation - type: long - -ocsf.remote_display.physical_width: - description: The numeric physical width of display. - name: ocsf.remote_display.physical_width - type: long - -ocsf.remote_display.scale_factor: - description: The numeric scale factor of display. - name: ocsf.remote_display.scale_factor - type: long - -ocsf.request.flags: - description: The list of communication flags, normalized to the captions of the - flag_ids values. In the case of 'Other', they are defined by the event source. - name: ocsf.request.flags - type: date - -ocsf.requested_permissions: - description: The permissions mask that were requested by the process. - name: ocsf.requested_permissions - type: long - -ocsf.resource.cloud_partition: - description: 'The canonical cloud partition name to which the region is assigned - (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' - name: ocsf.resource.cloud_partition - type: keyword - -ocsf.resource.criticality: - description: The criticality of the resource as defined by the event source. - name: ocsf.resource.criticality - type: keyword - -ocsf.resource.data: - description: Additional data describing the resource. - name: ocsf.resource.data - type: keyword - -ocsf.resource.group.desc: - description: The group description. - name: ocsf.resource.group.desc - type: keyword - -ocsf.resource.group.name: - description: The group name. - name: ocsf.resource.group.name - type: keyword - -ocsf.resource.group.privileges: - description: The group privileges. - name: ocsf.resource.group.privileges - type: keyword - -ocsf.resource.group.type: - description: The type of the group or account. - name: ocsf.resource.group.type - type: keyword - -ocsf.resource.group.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. 
- name: ocsf.resource.group.uid - type: keyword - -ocsf.resource.labels: - description: The list of labels/tags associated to a resource. - name: ocsf.resource.labels - type: keyword - -ocsf.resource.name: - description: The name of the resource. - name: ocsf.resource.name - type: keyword - -ocsf.resource.owner.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.resource.owner.account.name - type: keyword - -ocsf.resource.owner.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.resource.owner.account.type - type: keyword - -ocsf.resource.owner.account.type_id: - description: The normalized account type identifier. - name: ocsf.resource.owner.account.type_id - type: keyword - -ocsf.resource.owner.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.resource.owner.account.uid - type: keyword - -ocsf.resource.owner.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.resource.owner.credential_uid - type: keyword - -ocsf.resource.owner.domain: - description: 'The domain where the user is defined. For example: the LDAP or Active - Directory domain.' - name: ocsf.resource.owner.domain - type: keyword - -ocsf.resource.owner.email_addr: - description: The user's email address. - name: ocsf.resource.owner.email_addr - type: keyword - -ocsf.resource.owner.full_name: - description: The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.resource.owner.full_name - type: keyword - -ocsf.resource.owner.groups.desc: - description: The group description. - name: ocsf.resource.owner.groups.desc - type: keyword - -ocsf.resource.owner.groups.name: - description: The group name. 
- name: ocsf.resource.owner.groups.name - type: keyword - -ocsf.resource.owner.groups.privileges: - description: The group privileges. - name: ocsf.resource.owner.groups.privileges - type: keyword - -ocsf.resource.owner.groups.type: - description: The type of the group or account. - name: ocsf.resource.owner.groups.type - type: keyword - -ocsf.resource.owner.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.resource.owner.groups.uid - type: keyword - -ocsf.resource.owner.name: - description: The username. For example, janedoe1. - name: ocsf.resource.owner.name - type: keyword - -ocsf.resource.owner.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.resource.owner.org.name - type: keyword - -ocsf.resource.owner.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.resource.owner.org.ou_name - type: keyword - -ocsf.resource.owner.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.resource.owner.org.ou_uid - type: keyword - -ocsf.resource.owner.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.resource.owner.org.uid - type: keyword - -ocsf.resource.owner.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.resource.owner.type - type: keyword - -ocsf.resource.owner.type_id: - description: The account type identifier. - name: ocsf.resource.owner.type_id - type: keyword - -ocsf.resource.owner.uid: - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. 
- name: ocsf.resource.owner.uid - type: keyword - -ocsf.resource.owner.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.resource.owner.uid_alt - type: keyword - -ocsf.resource.region: - description: The cloud region of the resource. - name: ocsf.resource.region - type: keyword - -ocsf.resource.type: - description: The resource type as defined by the event source. - name: ocsf.resource.type - type: keyword - -ocsf.resource.uid: - description: The unique identifier of the resource. - name: ocsf.resource.uid - type: keyword - -ocsf.resource.version: - description: The version of the resource. For example 1.2.3. - name: ocsf.resource.version - type: keyword - -ocsf.resources.cloud_partition: - description: 'The canonical cloud partition name to which the region is assigned - (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' - name: ocsf.resources.cloud_partition - type: keyword - -ocsf.resources.criticality: - description: The criticality of the resource as defined by the event source. - name: ocsf.resources.criticality - type: keyword - -ocsf.resources.data: - description: Additional data describing the resource. - name: ocsf.resources.data - type: keyword - -ocsf.resources.group.desc: - description: The group description. - name: ocsf.resources.group.desc - type: keyword - -ocsf.resources.group.name: - description: The group name. - name: ocsf.resources.group.name - type: keyword - -ocsf.resources.group.privileges: - description: The group privileges. - name: ocsf.resources.group.privileges - type: keyword - -ocsf.resources.group.type: - description: The type of the group or account. - name: ocsf.resources.group.type - type: keyword - -ocsf.resources.group.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. 
- name: ocsf.resources.group.uid - type: keyword - -ocsf.resources.labels: - description: The list of labels/tags associated to a resource. - name: ocsf.resources.labels - type: keyword - -ocsf.resources.name: - description: The name of the resource. - name: ocsf.resources.name - type: keyword - -ocsf.resources.owner.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.resources.owner.account.name - type: keyword - -ocsf.resources.owner.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.resources.owner.account.type - type: keyword - -ocsf.resources.owner.account.type_id: - description: The normalized account type identifier. - name: ocsf.resources.owner.account.type_id - type: keyword - -ocsf.resources.owner.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.resources.owner.account.uid - type: keyword - -ocsf.resources.owner.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.resources.owner.credential_uid - type: keyword - -ocsf.resources.owner.domain: - description: 'The domain where the user is defined. For example: the LDAP or Active - Directory domain.' - name: ocsf.resources.owner.domain - type: keyword - -ocsf.resources.owner.email_addr: - description: The user's email address. - name: ocsf.resources.owner.email_addr - type: keyword - -ocsf.resources.owner.full_name: - description: The full name of the person, as per the LDAP Common Name attribute - (cn). - name: ocsf.resources.owner.full_name - type: keyword - -ocsf.resources.owner.groups.desc: - description: The group description. - name: ocsf.resources.owner.groups.desc - type: keyword - -ocsf.resources.owner.groups.name: - description: The group name. 
- name: ocsf.resources.owner.groups.name - type: keyword - -ocsf.resources.owner.groups.privileges: - description: The group privileges. - name: ocsf.resources.owner.groups.privileges - type: keyword - -ocsf.resources.owner.groups.type: - description: The type of the group or account. - name: ocsf.resources.owner.groups.type - type: keyword - -ocsf.resources.owner.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.resources.owner.groups.uid - type: keyword - -ocsf.resources.owner.name: - description: The username. For example, janedoe1. - name: ocsf.resources.owner.name - type: keyword - -ocsf.resources.owner.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.resources.owner.org.name - type: keyword - -ocsf.resources.owner.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.resources.owner.org.ou_name - type: keyword - -ocsf.resources.owner.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.resources.owner.org.ou_uid - type: keyword - -ocsf.resources.owner.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.resources.owner.org.uid - type: keyword - -ocsf.resources.owner.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.resources.owner.type - type: keyword - -ocsf.resources.owner.type_id: - description: The account type identifier. - name: ocsf.resources.owner.type_id - type: keyword - -ocsf.resources.owner.uid: - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory - DN or AWS user ARN. 
- name: ocsf.resources.owner.uid - type: keyword - -ocsf.resources.owner.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.resources.owner.uid_alt - type: keyword - -ocsf.resources.region: - description: The cloud region of the resource. - name: ocsf.resources.region - type: keyword - -ocsf.resources.type: - description: The resource type as defined by the event source. - name: ocsf.resources.type - type: keyword - -ocsf.resources.uid: - description: The unique identifier of the resource. - name: ocsf.resources.uid - type: keyword - -ocsf.resources.version: - description: The version of the resource. For example 1.2.3. - name: ocsf.resources.version - type: keyword - -ocsf.response.error: - description: Error Code. - name: ocsf.response.error - type: keyword - -ocsf.response.error_message: - description: Error Message. - name: ocsf.response.error_message - type: keyword - -ocsf.response.flags: - description: The list of communication flags, normalized to the captions of the - flag_ids values. In the case of 'Other', they are defined by the event source. - name: ocsf.response.flags - type: keyword - -ocsf.response.message: - description: The description of the event, as defined by the event source. - name: ocsf.response.message - type: keyword - -ocsf.response_time: - description: The Domain Name System (DNS) response time. - name: ocsf.response_time - type: date - -ocsf.response_time_dt: - description: The Domain Name System (DNS) response time. - name: ocsf.response_time_dt - type: date - -ocsf.risk_level: - description: The risk level, normalized to the caption of the risk_level_id value. - In the case of 'Other', it is defined by the event source. - name: ocsf.risk_level - type: keyword - -ocsf.risk_level_id: - description: The normalized risk level id. 
- name: ocsf.risk_level_id - type: keyword - -ocsf.server_hassh.algorithm: - description: 'The concatenation of key exchange, encryption, authentication and - compression algorithms (separated by '';''). NOTE: This is not the underlying - algorithm for the hash implementation.' - name: ocsf.server_hassh.algorithm - type: keyword - -ocsf.server_hassh.fingerprint.algorithm: - description: The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.server_hassh.fingerprint.algorithm - type: keyword - -ocsf.server_hassh.fingerprint.algorithm_id: - description: The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.server_hassh.fingerprint.algorithm_id - type: keyword - -ocsf.server_hassh.fingerprint.value: - description: The digital fingerprint value. - name: ocsf.server_hassh.fingerprint.value - type: keyword - -ocsf.service.labels: - description: The list of labels associated with the service. - name: ocsf.service.labels - type: keyword - -ocsf.session.created_time: - description: The time when the session was created. - name: ocsf.session.created_time - type: date - -ocsf.session.created_time_dt: - description: The time when the session was created. - name: ocsf.session.created_time_dt - type: date - -ocsf.session.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.session.credential_uid - type: keyword - -ocsf.session.expiration_time: - description: The session expiration time. - name: ocsf.session.expiration_time - type: date - -ocsf.session.expiration_time_dt: - description: The session expiration time. - name: ocsf.session.expiration_time_dt - type: date - -ocsf.session.is_remote: - description: The indication of whether the session is remote. 
- name: ocsf.session.is_remote - type: boolean - -ocsf.session.issuer: - description: The identifier of the session issuer. - name: ocsf.session.issuer - type: keyword - -ocsf.session.mfa: - description: '' - name: ocsf.session.mfa - type: boolean - -ocsf.session.uid: - description: The unique identifier of the session. - name: ocsf.session.uid - type: keyword - -ocsf.session.uuid: - description: The universally unique identifier of the session. - name: ocsf.session.uuid - type: keyword - -ocsf.severity: - description: The event severity, normalized to the caption of the severity_id value. - In the case of 'Other', it is defined by the event source. - name: ocsf.severity - type: keyword - -ocsf.share: - description: The SMB share name. - name: ocsf.share - type: keyword - -ocsf.share_type: - description: The SMB share type, normalized to the caption of the share_type_id - value. In the case of 'Other', it is defined by the event source. - name: ocsf.share_type - type: keyword - -ocsf.share_type_id: - description: The normalized identifier of the SMB share type. - name: ocsf.share_type_id - type: keyword - -ocsf.size: - description: The memory size that was access or requested. - name: ocsf.size - type: long - -ocsf.smtp_hello: - description: The value of the SMTP HELO or EHLO command sent by the initiator (client). - name: ocsf.smtp_hello - type: keyword - -ocsf.src_endpoint.instance_uid: - description: The unique identifier of a VM instance. - name: ocsf.src_endpoint.instance_uid - type: keyword - -ocsf.src_endpoint.interface_name: - description: The name of the network interface (e.g. eth2). - name: ocsf.src_endpoint.interface_name - type: keyword - -ocsf.src_endpoint.interface_uid: - description: The unique identifier of the network interface. - name: ocsf.src_endpoint.interface_uid - type: keyword - -ocsf.src_endpoint.intermediate_ips: - description: The intermediate IP Addresses. For example, the IP addresses in the - HTTP X-Forwarded-For header. 
- name: ocsf.src_endpoint.intermediate_ips - type: ip - -ocsf.src_endpoint.location.is_on_premises: - description: The indication of whether the location is on premises. - name: ocsf.src_endpoint.location.is_on_premises - type: boolean - -ocsf.src_endpoint.location.isp: - description: The name of the Internet Service Provider (ISP). - name: ocsf.src_endpoint.location.isp - type: keyword - -ocsf.src_endpoint.location.provider: - description: The provider of the geographical location data. - name: ocsf.src_endpoint.location.provider - type: keyword - -ocsf.src_endpoint.name: - description: The short name of the endpoint. - name: ocsf.src_endpoint.name - type: keyword - -ocsf.src_endpoint.subnet_uid: - description: The unique identifier of a virtual subnet. - name: ocsf.src_endpoint.subnet_uid - type: keyword - -ocsf.src_endpoint.uid: - description: The unique identifier of the endpoint. - name: ocsf.src_endpoint.uid - type: keyword - -ocsf.src_endpoint.vlan_uid: - description: The Virtual LAN identifier. - name: ocsf.src_endpoint.vlan_uid - type: keyword - -ocsf.src_endpoint.vpc_uid: - description: The unique identifier of the Virtual Private Cloud (VPC). - name: ocsf.src_endpoint.vpc_uid - type: keyword - -ocsf.start_time_dt: - description: The start time of a time period, or the time of the least recent event - included in the aggregate event. - name: ocsf.start_time_dt - type: date - -ocsf.state: - description: The normalized state of a security finding. - name: ocsf.state - type: keyword - -ocsf.state_id: - description: The normalized state identifier of a security finding. - name: ocsf.state_id - type: keyword - -ocsf.status: - description: The event status, normalized to the caption of the status_id value. - In the case of 'Other', it is defined by the event source. - name: ocsf.status - type: keyword - -ocsf.status_code: - description: The event status code, as reported by the event source. 
For example, - in a Windows Failed Authentication event, this would be the value of 'Failure - Code', e.g. 0x18. - name: ocsf.status_code - type: keyword - -ocsf.status_detail: - description: The status details contains additional information about the event - outcome. - name: ocsf.status_detail - type: keyword - -ocsf.status_id: - description: The normalized identifier of the event status. - name: ocsf.status_id - type: long - -ocsf.time_dt: - description: The normalized event occurrence time. - name: ocsf.time_dt - type: date - -ocsf.timezone_offset: - description: The number of minutes that the reported event time is ahead or behind - UTC, in the range -1,080 to +1,080. - name: ocsf.timezone_offset - type: long - -ocsf.tls.alert: - description: The integer value of TLS alert if present. The alerts are defined in - the TLS specification in RFC-2246. - name: ocsf.tls.alert - type: long - -ocsf.tls.certificate.created_time: - description: The time when the certificate was created. - name: ocsf.tls.certificate.created_time - type: date - -ocsf.tls.certificate.created_time_dt: - description: The time when the certificate was created. - name: ocsf.tls.certificate.created_time_dt - type: date - -ocsf.tls.certificate.expiration_time_dt: - description: The expiration time of the certificate. - name: ocsf.tls.certificate.expiration_time_dt - type: date - -ocsf.tls.certificate.fingerprints.algorithm: - description: The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.tls.certificate.fingerprints.algorithm - type: keyword - -ocsf.tls.certificate.fingerprints.algorithm_id: - description: The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.tls.certificate.fingerprints.algorithm_id - type: keyword - -ocsf.tls.certificate.fingerprints.value: - description: The digital fingerprint value. 
- name: ocsf.tls.certificate.fingerprints.value - type: keyword - -ocsf.tls.certificate_chain: - description: The Chain of Certificate Serial Numbers field provides a chain of Certificate - Issuer Serial Numbers leading to the Root Certificate Issuer. - name: ocsf.tls.certificate_chain - type: keyword - -ocsf.tls.extension_list.data: - description: The data contains information specific to the particular extension - type. - name: ocsf.tls.extension_list.data - type: keyword - -ocsf.tls.extension_list.type: - description: 'The TLS extension type. For example: Server Name.' - name: ocsf.tls.extension_list.type - type: keyword - -ocsf.tls.extension_list.type_id: - description: The TLS extension type identifier. See The Transport Layer Security - (TLS) extension page. - name: ocsf.tls.extension_list.type_id - type: keyword - -ocsf.tls.handshake_dur: - description: The amount of total time for the TLS handshake to complete after the - TCP connection is established, including client-side delays, in milliseconds. - name: ocsf.tls.handshake_dur - type: long - -ocsf.tls.ja3_hash.algorithm: - description: The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.tls.ja3_hash.algorithm - type: keyword - -ocsf.tls.ja3_hash.algorithm_id: - description: The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. - name: ocsf.tls.ja3_hash.algorithm_id - type: keyword - -ocsf.tls.ja3s_hash.algorithm: - description: The hash algorithm used to create the digital fingerprint, normalized - to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the - event source. - name: ocsf.tls.ja3s_hash.algorithm - type: keyword - -ocsf.tls.ja3s_hash.algorithm_id: - description: The identifier of the normalized hash algorithm, which was used to - create the digital fingerprint. 
- name: ocsf.tls.ja3s_hash.algorithm_id - type: keyword - -ocsf.tls.key_length: - description: The length of the encryption key. - name: ocsf.tls.key_length - type: long - -ocsf.tls.sans.name: - description: Name of SAN (e.g. The actual IP Address or domain.) - name: ocsf.tls.sans.name - type: keyword - -ocsf.tls.sans.type: - description: Type descriptor of SAN (e.g. IP Address/domain/etc.) - name: ocsf.tls.sans.type - type: keyword - -ocsf.tls.server_ciphers: - description: The server cipher suites that were exchanged during the TLS handshake - negotiation. - name: ocsf.tls.server_ciphers - type: keyword - -ocsf.transaction_uid: - description: The unique identifier of the transaction. This is typically a random - number generated from the client to associate a dhcp request/response pair. - name: ocsf.transaction_uid - type: keyword - -ocsf.tree_uid: - description: The tree id is a unique SMB identifier which represents an open connection - to a share. - name: ocsf.tree_uid - type: keyword - -ocsf.type: - description: The type of FTP network connection (e.g. active, passive). - name: ocsf.type - type: keyword - -ocsf.type_name: - description: The event type name, as defined by the type_uid. - name: ocsf.type_name - type: keyword - -ocsf.type_uid: - description: 'The event type ID. It identifies the events semantics and structure. - The value is calculated by the logging system as: class_uid \* 100 + activity_id.' - name: ocsf.type_uid - type: keyword - -ocsf.unmapped: - description: The attributes that are not mapped to the event schema. The names and - values of those attributes are specific to the event source. - name: ocsf.unmapped - type: keyword - -ocsf.url.categories: - description: The Website categorization names, as defined by category_ids enum values. - name: ocsf.url.categories - type: keyword - -ocsf.url.category_ids: - description: The Website categorization identifies. 
- name: ocsf.url.category_ids - type: keyword - -ocsf.url.resource_type: - description: The context in which a resource was retrieved in a web request. - name: ocsf.url.resource_type - type: keyword - -ocsf.user.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.user.account.name - type: keyword - -ocsf.user.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.user.account.type - type: keyword - -ocsf.user.account.type_id: - description: The normalized account type identifier. - name: ocsf.user.account.type_id - type: keyword - -ocsf.user.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.user.account.uid - type: keyword - -ocsf.user.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.user.credential_uid - type: keyword - -ocsf.user.groups.desc: - description: The group description. - name: ocsf.user.groups.desc - type: keyword - -ocsf.user.groups.name: - description: The group name. - name: ocsf.user.groups.name - type: keyword - -ocsf.user.groups.privileges: - description: The group privileges. - name: ocsf.user.groups.privileges - type: keyword - -ocsf.user.groups.type: - description: The type of the group or account. - name: ocsf.user.groups.type - type: keyword - -ocsf.user.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.user.groups.uid - type: keyword - -ocsf.user.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.user.org.name - type: keyword - -ocsf.user.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. 
- name: ocsf.user.org.ou_name - type: keyword - -ocsf.user.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.user.org.ou_uid - type: keyword - -ocsf.user.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.user.org.uid - type: keyword - -ocsf.user.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.user.type - type: keyword - -ocsf.user.type_id: - description: The account type identifier. - name: ocsf.user.type_id - type: keyword - -ocsf.user.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.user.uid_alt - type: keyword - -ocsf.user_result.account.name: - description: The name of the account (e.g. GCP Account Name). - name: ocsf.user_result.account.name - type: keyword - -ocsf.user_result.account.type: - description: The account type, normalized to the caption of 'account_type_id'. In - the case of 'Other', it is defined by the event source. - name: ocsf.user_result.account.type - type: keyword - -ocsf.user_result.account.type_id: - description: The normalized account type identifier. - name: ocsf.user_result.account.type_id - type: keyword - -ocsf.user_result.account.uid: - description: The unique identifier of the account (e.g. AWS Account ID). - name: ocsf.user_result.account.uid - type: keyword - -ocsf.user_result.credential_uid: - description: The unique identifier of the user's credential. For example, AWS Access - Key ID. - name: ocsf.user_result.credential_uid - type: keyword - -ocsf.user_result.groups.desc: - description: The group description. - name: ocsf.user_result.groups.desc - type: keyword - -ocsf.user_result.groups.name: - description: The group name. 
- name: ocsf.user_result.groups.name - type: keyword - -ocsf.user_result.groups.privileges: - description: The group privileges. - name: ocsf.user_result.groups.privileges - type: keyword - -ocsf.user_result.groups.type: - description: The type of the group or account. - name: ocsf.user_result.groups.type - type: keyword - -ocsf.user_result.groups.uid: - description: The unique identifier of the group. For example, for Windows events - this is the security identifier (SID) of the group. - name: ocsf.user_result.groups.uid - type: keyword - -ocsf.user_result.org.name: - description: The name of the organization. For example, Widget, Inc. - name: ocsf.user_result.org.name - type: keyword - -ocsf.user_result.org.ou_name: - description: The name of the organizational unit, within an organization. For example, - Finance, IT, R&D. - name: ocsf.user_result.org.ou_name - type: keyword - -ocsf.user_result.org.ou_uid: - description: The alternate identifier for an entity's unique identifier. For example, - its Active Directory OU DN or AWS OU ID. - name: ocsf.user_result.org.ou_uid - type: keyword - -ocsf.user_result.org.uid: - description: The unique identifier of the organization. For example, its Active - Directory or AWS Org ID. - name: ocsf.user_result.org.uid - type: keyword - -ocsf.user_result.type: - description: The type of the user. For example, System, AWS IAM User, etc. - name: ocsf.user_result.type - type: keyword - -ocsf.user_result.type_id: - description: The account type identifier. - name: ocsf.user_result.type_id - type: keyword - -ocsf.user_result.uid_alt: - description: The alternate user identifier. For example, the Active Directory user - GUID or AWS user Principal ID. - name: ocsf.user_result.uid_alt - type: keyword - -ocsf.vulnerabilities.cve.created_time: - description: The Record Creation Date identifies when the CVE ID was issued to a - CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. 
- Note that the Record Creation Date does not necessarily indicate when this vulnerability - was discovered, shared with the affected vendor, publicly disclosed, or updated - in CVE. - name: ocsf.vulnerabilities.cve.created_time - type: date - -ocsf.vulnerabilities.cve.created_time_dt: - description: The Record Creation Date identifies when the CVE ID was issued to a - CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. - Note that the Record Creation Date does not necessarily indicate when this vulnerability - was discovered, shared with the affected vendor, publicly disclosed, or updated - in CVE. - name: ocsf.vulnerabilities.cve.created_time_dt - type: date - -ocsf.vulnerabilities.cve.cvss.base_score: - description: 'The CVSS base score. For example: 9.1.' - name: ocsf.vulnerabilities.cve.cvss.base_score - type: keyword - -ocsf.vulnerabilities.cve.cvss.depth: - description: The CVSS depth represents a depth of the equation used to calculate - CVSS score. - name: ocsf.vulnerabilities.cve.cvss.depth - type: keyword - -ocsf.vulnerabilities.cve.cvss.metrics.name: - description: The name of the metric. - name: ocsf.vulnerabilities.cve.cvss.metrics.name - type: keyword - -ocsf.vulnerabilities.cve.cvss.metrics.value: - description: The value of the metric. - name: ocsf.vulnerabilities.cve.cvss.metrics.value - type: keyword - -ocsf.vulnerabilities.cve.cvss.overall_score: - description: 'The CVSS overall score, impacted by base, temporal, and environmental - metrics. For example: 9.1.' - name: ocsf.vulnerabilities.cve.cvss.overall_score - type: keyword - -ocsf.vulnerabilities.cve.cvss.severity: - description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity - Rating. A textual representation of the numeric score. - name: ocsf.vulnerabilities.cve.cvss.severity - type: keyword - -ocsf.vulnerabilities.cve.cvss.vector_string: - description: 'The CVSS vector string is a text representation of a set of CVSS metrics. 
- It is commonly used to record or transfer CVSS metric information in a concise - form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.' - name: ocsf.vulnerabilities.cve.cvss.vector_string - type: keyword - -ocsf.vulnerabilities.cve.cvss.version: - description: 'The CVSS version. For example: 3.1.' - name: ocsf.vulnerabilities.cve.cvss.version - type: keyword - -ocsf.vulnerabilities.cve.cwe_uid: - description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: - CWE-787.' - name: ocsf.vulnerabilities.cve.cwe_uid - type: keyword - -ocsf.vulnerabilities.cve.cwe_url: - description: 'Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.' - name: ocsf.vulnerabilities.cve.cwe_url - type: keyword - -ocsf.vulnerabilities.cve.modified_time: - description: The Record Modified Date identifies when the CVE record was last updated. - name: ocsf.vulnerabilities.cve.modified_time - type: date - -ocsf.vulnerabilities.cve.modified_time_dt: - description: The Record Modified Date identifies when the CVE record was last updated. - name: ocsf.vulnerabilities.cve.modified_time_dt - type: date - -ocsf.vulnerabilities.cve.product.feature.name: - description: The name of the feature. - name: ocsf.vulnerabilities.cve.product.feature.name - type: keyword - -ocsf.vulnerabilities.cve.product.feature.uid: - description: The unique identifier of the feature. - name: ocsf.vulnerabilities.cve.product.feature.uid - type: keyword - -ocsf.vulnerabilities.cve.product.feature.version: - description: The version of the feature. - name: ocsf.vulnerabilities.cve.product.feature.version - type: keyword - -ocsf.vulnerabilities.cve.product.lang: - description: 'The two letter lower case language codes, as defined by ISO 639-1. - For example: en (English), de (German), or fr (French).' 
- name: ocsf.vulnerabilities.cve.product.lang - type: keyword - -ocsf.vulnerabilities.cve.product.name: - description: The name of the product. - name: ocsf.vulnerabilities.cve.product.name - type: keyword - -ocsf.vulnerabilities.cve.product.path: - description: The installation path of the product. - name: ocsf.vulnerabilities.cve.product.path - type: keyword - -ocsf.vulnerabilities.cve.product.uid: - description: The unique identifier of the product. - name: ocsf.vulnerabilities.cve.product.uid - type: keyword - -ocsf.vulnerabilities.cve.product.url_string: - description: The URL pointing towards the product. - name: ocsf.vulnerabilities.cve.product.url_string - type: keyword - -ocsf.vulnerabilities.cve.product.vendor_name: - description: The name of the vendor of the product. - name: ocsf.vulnerabilities.cve.product.vendor_name - type: keyword - -ocsf.vulnerabilities.cve.product.version: - description: 'The version of the product, as defined by the event source. For example: - 2013.1.3-beta.' - name: ocsf.vulnerabilities.cve.product.version - type: keyword - -ocsf.vulnerabilities.cve.type: - description: The vulnerability type as selected from a large dropdown menu during - CVE refinement. - name: ocsf.vulnerabilities.cve.type - type: keyword - -ocsf.vulnerabilities.cve.uid: - description: 'The Common Vulnerabilities and Exposures unique number assigned to - a specific computer vulnerability. A CVE Identifier begins with 4 digits representing - the year followed by a sequence of digits that acts as a unique identifier. For - example: CVE-2021-12345.' - name: ocsf.vulnerabilities.cve.uid - type: keyword - -ocsf.vulnerabilities.desc: - description: The description of the vulnerability. - name: ocsf.vulnerabilities.desc - type: keyword - -ocsf.vulnerabilities.fix_available: - description: Indicates if a fix is available for the reported vulnerability. 
- name: ocsf.vulnerabilities.fix_available - type: boolean - -ocsf.vulnerabilities.kb_articles: - description: The KB article/s related to the entity. - name: ocsf.vulnerabilities.kb_articles - type: keyword - -ocsf.vulnerabilities.packages.architecture: - description: Architecture is a shorthand name describing the type of computer hardware - the packaged software is meant to run on. - name: ocsf.vulnerabilities.packages.architecture - type: keyword - -ocsf.vulnerabilities.packages.epoch: - description: The software package epoch. Epoch is a way to define weighted dependencies - based on version numbers. - name: ocsf.vulnerabilities.packages.epoch - type: long - -ocsf.vulnerabilities.packages.license: - description: The software license applied to this package. - name: ocsf.vulnerabilities.packages.license - type: keyword - -ocsf.vulnerabilities.packages.name: - description: The software package name. - name: ocsf.vulnerabilities.packages.name - type: keyword - -ocsf.vulnerabilities.packages.release: - description: Release is the number of times a version of the software has been packaged. - name: ocsf.vulnerabilities.packages.release - type: keyword - -ocsf.vulnerabilities.packages.version: - description: The software package version. - name: ocsf.vulnerabilities.packages.version - type: keyword - -ocsf.vulnerabilities.references: - description: Supporting reference URLs. - name: ocsf.vulnerabilities.references - type: keyword - -ocsf.vulnerabilities.related_vulnerabilities: - description: List of vulnerabilities that are related to this vulnerability. - name: ocsf.vulnerabilities.related_vulnerabilities - type: keyword - -ocsf.vulnerabilities.severity: - description: The event severity, normalized to the caption of the severity_id value. - In the case of 'Other', it is defined by the event source. - name: ocsf.vulnerabilities.severity - type: keyword - -ocsf.vulnerabilities.title: - description: The title of the vulnerability. 
- name: ocsf.vulnerabilities.title - type: keyword - -ocsf.vulnerabilities.vendor_name: - description: The vendor who identified the vulnerability. - name: ocsf.vulnerabilities.vendor_name - type: keyword - -ocsf.web_resources.data: - description: Details of the web resource, e.g, file details, search results or application-defined - resource. - name: ocsf.web_resources.data - type: keyword - -ocsf.web_resources.desc: - description: Description of the web resource. - name: ocsf.web_resources.desc - type: keyword - -ocsf.web_resources.labels: - description: The list of labels/tags associated to a resource. - name: ocsf.web_resources.labels - type: keyword - -ocsf.web_resources.name: - description: The name of the web resource. - name: ocsf.web_resources.name - type: keyword - -ocsf.web_resources.type: - description: The web resource type as defined by the event source. - name: ocsf.web_resources.type - type: keyword - -ocsf.web_resources.uid: - description: The unique identifier of the web resource. - name: ocsf.web_resources.uid - type: keyword - -ocsf.web_resources.url_string: - description: The URL pointing towards the source of the web resource. - name: ocsf.web_resources.url_string - type: keyword - -ocsf.web_resources_result.data: - description: Details of the web resource, e.g, file details, search results or application-defined - resource. - name: ocsf.web_resources_result.data - type: keyword - -ocsf.web_resources_result.desc: - description: Description of the web resource. - name: ocsf.web_resources_result.desc - type: keyword - -ocsf.web_resources_result.labels: - description: The list of labels/tags associated to a resource. - name: ocsf.web_resources_result.labels - type: keyword - -ocsf.web_resources_result.name: - description: The name of the web resource. - name: ocsf.web_resources_result.name - type: keyword - -ocsf.web_resources_result.type: - description: The web resource type as defined by the event source. 
- name: ocsf.web_resources_result.type
- type: keyword
-
-ocsf.web_resources_result.uid:
- description: The unique identifier of the web resource.
- name: ocsf.web_resources_result.uid
- type: keyword
-
-ocsf.web_resources_result.url_string:
- description: The URL pointing towards the source of the web resource.
- name: ocsf.web_resources_result.url_string
- type: keyword
-
 process.group.id:
 description: ''
 name: process.group.id
diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml
index 0bb7b4edb..e6728128d 100644
--- a/OCSF/ocsf/ingest/parser.yml
+++ b/OCSF/ocsf/ingest/parser.yml
@@ -252,7 +252,7 @@ stages:
 set_fields:
 actions:
 - set:
- ocsf: "{{parse_event.message}}"
+ ocsf.activity_id: "{{parse_event.message.activity_id}}"
 pipeline_object_actor:
 actions:
@@ -264,8 +264,8 @@ stages:
 - "{{ parse_event.message.actor.process.container.image.tag }}"
 filter: "{{ parse_event.message.actor.process.container.image.tag != null }}"
 - set:
- container.labels: "{{ parse_event.message.actor.process.container.image.labels }}" # @todo should be a dict?
 orchestrator.type: "{{ parse_event.message.actor.process.container.orchestrator }}"
+ #container.labels: "{{ parse_event.message.actor.process.container.image.labels }}" # @todo should be a dict?
 container.name: "{{ parse_event.message.actor.process.container.name }}"
 container.runtime: "{{ parse_event.message.actor.process.container.runtime }}"
 file.accessed: "{{ parse_event.message.actor.process.file.accessed_time_dt or parse_event.message.actor.process.file.accessed_time | to_rfc3339 }}"
diff --git a/OCSF/ocsf/tests/test_application_activity_1.json b/OCSF/ocsf/tests/test_application_activity_1.json
index b9684ac1c..732348a73 100644
--- a/OCSF/ocsf/tests/test_application_activity_1.json
+++ b/OCSF/ocsf/tests/test_application_activity_1.json
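Review bot: The new `ocsf.activity_id` set in the first parser.yml hunk has no null guard, whereas the `set` in the second hunk of the same file protects its template with `filter: "{{ parse_event.message.actor.process.container.image.tag != null }}"`; a message without `activity_id` would render the template's empty/null representation into the field instead of leaving it unset. Add `filter: "{{ parse_event.message.activity_id != null }}"` next to the set for consistency with the rest of the stage. Replacing the wholesale `ocsf: "{{parse_event.message}}"` copy also drops every other normalized key (class_uid, type_uid, severity, status_id) from the event, as the fixture changes below reflect; if that is intended, a one-line comment on the stage stating why only activity_id is retained would stop the next reader from re-adding the copy. The fixtures keep `activity_id` as an integer (e.g. `"activity_id": 4`), so it is worth confirming the template preserves the numeric type rather than stringifying it. The `set_fields` stage's remaining actions, if any, are outside the hunk.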
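Review bot: The `container.labels` mapping in the second parser.yml hunk is kept as a commented-out line carrying the same `# @todo should be a dict?` note it had when live, so the pipeline now silently discards `actor.process.container.image.labels` with no record of why the mapping was disabled or what would re-enable it. Either remove the line and track the open question in the CHANGELOG or an issue, or replace the todo with a comment that states the reason, e.g. `# container.labels disabled: image.labels is not a flat keyword value and needs a conversion before it can be set`. The enclosing `pipeline_object_actor` stage continues outside the hunk.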
@@ -56,89 +56,7 @@ "version": "1.0.0" }, "ocsf": { - "activity_id": 4, - "activity_name": "Access Error", - "category_name": "Application Activity", - "category_uid": 6, - "class_name": "Web Resource Access Activity", - "class_uid": 6004, - "cloud": { - "org": { - "name": "brazil newbie loc", - "ou_name": "predicted themselves missile", - "ou_uid": "072da124-584a-11ee-bf8b-0242ac110005", - "uid": "072d99ea-584a-11ee-920a-0242ac110005" - } - }, - "device": { - "desc": "evaluate permits yesterday", - "interface_name": "uzbekistan published feedback", - "interface_uid": "072ddc66-584a-11ee-9824-0242ac110005", - "last_seen_time": 1695277679358, - "region": "invalid expressed participating", - "type_id": "7" - }, - "http_request": { - "http_headers": [ - { - "name": "aol jim thick", - "value": "unexpected counts ease" - }, - { - "name": "ride sender reflections", - "value": "persistent irc finest" - } - ], - "url": { - "category_ids": [ - "35", - "59" - ] - } - }, - "http_response": { - "latency": 3 - }, - "metadata": { - "correlation_uid": "072db420-584a-11ee-adc0-0242ac110005", - "log_name": "foul jackson termination", - "logged_time_dt": "2023-09-21T06:42:26.632427Z", - "original_time": "diploma mesh certified", - "product": { - "lang": "en", - "name": "loc bw pa", - "uid": "072dafa2-584a-11ee-bca3-0242ac110005", - "url_string": "indirect", - "version": "1.0.0" - }, - "profiles": [ - "cloud", - "container", - "datetime", - "host" - ], - "version": "1.0.0" - }, - "severity": "High", - "start_time_dt": "2023-09-21T06:42:26.634761Z", - "status": "Unknown", - "status_id": 0, - "timezone_offset": 55, - "type_name": "Web Resource Access Activity: Access Error", - "type_uid": "600404", - "web_resources": [ - { - "desc": "pleased won coverage", - "name": "ghost formats res", - "type": "package type", - "uid": "072dbbbe-584a-11ee-b4cc-0242ac110005", - "url_string": "consists" - }, - { - "data": "{\"logitech\": \"dehbs\"}", - "url_string": "devil" - } - ] + "activity_id": 4 }, 
"package": { "description": [ diff --git a/OCSF/ocsf/tests/test_application_activity_2.json b/OCSF/ocsf/tests/test_application_activity_2.json index 584756a32..09169edec 100644 --- a/OCSF/ocsf/tests/test_application_activity_2.json +++ b/OCSF/ocsf/tests/test_application_activity_2.json 
@@ -26,71 +26,7 @@ "application": "sheets horror trader" }, "ocsf": { - "activity_id": 1, - "activity_name": "Create", - "category_name": "Application Activity", - "category_uid": 6, - "class_name": "Web Resources Activity", - "class_uid": 6001, - "metadata": { - "log_name": "ur bother bearing", - "log_version": "three maritime cowboy", - "logged_time": 1695277679358, - "original_time": "moore genetic symbols", - "processed_time": 1695277679358, - "product": { - "feature": { - "name": "australia cup bios", - "uid": "f6508bfa-520e-11ee-b54c-0242ac110004", - "version": "1.0.0" - }, - "lang": "en", - "name": "eligible scenes worm", - "uid": "f6508420-520e-11ee-adcc-0242ac110004", - "version": "1.0.0" - }, - "profiles": [], - "version": "1.0.0" - }, - "severity": "Unknown", - "src_endpoint": { - "instance_uid": "f6509d0c-520e-11ee-9e6b-0242ac110004", - "interface_name": "somewhere mentor crm", - "interface_uid": "f650a3f6-520e-11ee-882f-0242ac110004", - "intermediate_ips": [ - "81.2.69.142", - "81.2.69.143" - ], - "name": "leasing imperial toner", - "uid": "f650994c-520e-11ee-a9f4-0242ac110004", - "vlan_uid": "f650a8a6-520e-11ee-b961-0242ac110004" - }, - "status": "Failure", - "status_detail": "only zone its", - "status_id": 2, - "timezone_offset": 83, - "type_name": "Web Resources Activity: Create", - "type_uid": "600101", - "web_resources": [ - { - "data": "{\"discretion\": \"fhbds\"}", - "desc": "Description of web resource", - "name": "concept navigator constitution", - "type": "fundamental previous ty", - "url_string": "past" - } - ], - "web_resources_result": [ - { - "type": "prediction sunglasses rounds", - "uid": "f65072d2-520e-11ee-9b9a-0242ac110004", - "url_string": "military" - }, - { - "data": "{\"protect\": \"rfvfd\"}", - "url_string": "association" - } - ] + "activity_id": 1 }, "package": { "description": [ diff --git a/OCSF/ocsf/tests/test_application_activity_3.json b/OCSF/ocsf/tests/test_application_activity_3.json index 0ff3625b1..2526070ff 100644 
--- a/OCSF/ocsf/tests/test_application_activity_3.json +++ b/OCSF/ocsf/tests/test_application_activity_3.json 
@@ -43,82 +43,7 @@ "type": "Unknown" }, "ocsf": { - "activity_id": 99, - "activity_name": "look", - "app": { - "feature": { - "name": "mit received implemented", - "uid": "6519aa4c-584c-11ee-ac40-0242ac110005", - "version": "1.0.0" - }, - "lang": "en", - "name": "bottom loud knowledge", - "path": "path o f", - "uid": "6519a3da-584c-11ee-8c89-0242ac110005", - "vendor_name": "ss keeping administered", - "version": "1.0.0" - }, - "category_name": "Application Activity", - "category_uid": 6, - "class_name": "Application Lifecycle", - "class_uid": 6002, - "cloud": { - "account": { - "type": "AWS Account", - "type_id": "10" - }, - "org": { - "name": "exclusive variables tag", - "ou_name": "custom packard pierre", - "uid": "65193f12-584c-11ee-ae9b-0242ac110005" - } - }, - "device": { - "created_time": 1695277679358, - "hw_info": { - "ram_size": 84, - "serial_number": "training blink executives" - }, - "instance_uid": "65197efa-584c-11ee-bc04-0242ac110005", - "interface_name": "lightbox bugs spain", - "interface_uid": "6519835a-584c-11ee-b813-0242ac110005", - "is_personal": false, - "org": { - "name": "chaos winner entered", - "ou_name": "music client leaf", - "uid": "65197a86-584c-11ee-96c1-0242ac110005" - }, - "region": "casio paris norway", - "subnet_uid": "6519725c-584c-11ee-b6a2-0242ac110005", - "type_id": "0", - "uid_alt": "older audience trends" - }, - "metadata": { - "log_name": "collaboration blood loan", - "modified_time_dt": "2023-09-21T06:59:23.198620Z", - "original_time": "effectively dimensional reservation", - "product": { - "lang": "en", - "name": "enzyme cookie citations", - "uid": "65195f88-584c-11ee-8118-0242ac110005", - "url_string": "deck", - "version": "1.0.0" - }, - "profiles": [ - "cloud", - "container", - "datetime", - "host" - ], - "version": "1.0.0" - }, - "severity": "Fatal", - "start_time_dt": "2023-09-21T06:59:23.200400Z", - "status": "Success", - "status_detail": "rat forth dishes", - "status_id": 1, - "type_name": "Application Lifecycle: 
Other", - "type_uid": "600299" + "activity_id": 99 }, "package": { "description": [], diff --git a/OCSF/ocsf/tests/test_discovery_1.json b/OCSF/ocsf/tests/test_discovery_1.json index fb01d6ab5..e84ff6be2 100644 --- a/OCSF/ocsf/tests/test_discovery_1.json +++ b/OCSF/ocsf/tests/test_discovery_1.json 
@@ -41,70 +41,7 @@ "type": "Desktop" }, "ocsf": { - "activity_id": 2, - "activity_name": "Collect", - "category_name": "Discovery", - "category_uid": 5, - "class_name": "Device Config State", - "class_uid": 5002, - "cloud": { - "org": { - "ou_name": "determined apr sheets", - "uid": "023dbdcc-5848-11ee-bd54-0242ac110005" - } - }, - "count": 73, - "device": { - "autoscale_uid": "023de734-5848-11ee-b193-0242ac110005", - "first_seen_time_dt": "2023-09-21T06:27:59.356353Z", - "instance_uid": "023dec02-5848-11ee-8203-0242ac110005", - "interface_name": "jerry street buried", - "interface_uid": "023e1a06-5848-11ee-89c6-0242ac110005", - "modified_time_dt": "2023-09-21T06:27:59.357977Z", - "region": "inline contains milwaukee", - "subnet": "49.28.0.0/16", - "type_id": "2", - "uid_alt": "burst premier reverse", - "vpc_uid": "023e205a-5848-11ee-a8d6-0242ac110005" - }, - "enrichments": [ - { - "data": "{\"inexpensive\": \"abddfg\"}", - "name": "preview belarus licking", - "provider": "surgical disaster individually", - "type": "separation passes distance", - "value": "magnitude cancellation weed" - } - ], - "metadata": { - "correlation_uid": "023dd7c6-5848-11ee-9d4d-0242ac110005", - "extension": { - "name": "chess entry productive", - "uid": "023dccfe-5848-11ee-8227-0242ac110005", - "version": "1.0.0" - }, - "original_time": "database darwin area", - "processed_time_dt": "2023-09-21T06:27:59.356124Z", - "product": { - "name": "legal subsidiary eleven", - "path": "financial spot tennis", - "uid": "023dd33e-5848-11ee-aa6d-0242ac110005", - "version": "1.0.0" - }, - "profiles": [ - "cloud", - "container", - "datetime", - "host" - ], - "version": "1.0.0" - }, - "severity": "Fatal", - "status": "creativity", - "status_id": 99, - "timezone_offset": 0, - "type_name": "Device Config State: Collect", - "type_uid": "500202" + "activity_id": 2 }, "related": { "hosts": [ 
diff --git a/OCSF/ocsf/tests/test_discovery_2.json b/OCSF/ocsf/tests/test_discovery_2.json index 701b86e69..3ea758dab 100644 --- a/OCSF/ocsf/tests/test_discovery_2.json +++ b/OCSF/ocsf/tests/test_discovery_2.json 
@@ -54,76 +54,7 @@
 "type": "Laptop"
 },
 "ocsf": {
- "activity_id": 2,
- "activity_name": "Collect",
- "category_name": "Discovery",
- "category_uid": 5,
- "class_name": "Device Inventory Info",
- "class_uid": 5001,
- "cloud": {
- "org": {
- "name": "black lets promotions",
- "ou_name": "recover sol revolutionary"
- }
- },
- "device": {
- "autoscale_uid": "7f25415c-584d-11ee-b3fc-0242ac110005",
- "hw_info": {
- "cpu_bits": 66
- },
- "image": {
- "name": "saudi enhanced surgical",
- "uid": "7f2554b2-584d-11ee-b26b-0242ac110005"
- },
- "instance_uid": "7f254ea4-584d-11ee-a68f-0242ac110005",
- "interface_name": "watt profile rs",
- "is_personal": false,
- "last_seen_time": 1695277679358,
- "os": {
- "edition": "nightmare engineers carter",
- "lang": "en",
- "type_id": "201",
- "version": "1.0.0"
- },
- "region": "airport leaves kitchen",
- "type_id": "3"
- },
- "enrichments": [
- {
- "data": "{\"nintendo\": \"abcd\"}",
- "name": "visual mv bottom",
- "provider": "lucy permanent trips",
- "type": "calibration basics quebec",
- "value": "alice stick spray"
- }
- ],
- "metadata": {
- "log_name": "len falling educational",
- "log_version": "learners headlines linear",
- "original_time": "programmers less barcelona",
- "processed_time": 1695280036393,
- "product": {
- "lang": "en",
- "name": "butterfly knight log",
- "uid": "7f25336a-584d-11ee-b2a5-0242ac110005",
- "version": "1.0.0"
- },
- "profiles": [
- "cloud",
- "container",
- "datetime",
- "host"
- ],
- "version": "1.0.0"
- },
- "severity": "Critical",
- "start_time_dt": "2023-09-21T07:07:16.394812Z",
- "status": "Success",
- "status_code": "vancouver",
- "status_id": 1,
- "timezone_offset": 65,
- "type_name": "Device Inventory Info: Collect",
- "type_uid": "500102"
+ "activity_id": 2
 }
 }
 }
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_findings_1.json b/OCSF/ocsf/tests/test_findings_1.json
index 6a15db2ac..7db46cd73 100644
--- a/OCSF/ocsf/tests/test_findings_1.json
+++ b/OCSF/ocsf/tests/test_findings_1.json 
@@ -31,131 +31,7 @@ "region": "us-east-1" }, "ocsf": { - "activity_id": 2, - "activity_name": "Update", - "category_name": "Findings", - "category_uid": 2, - "class_name": "Security Finding", - "class_uid": 2001, - "compliance": { - "requirements": [ - "PCI1.2" - ], - "status": "PASSED", - "status_detail": "CloudWatch alarms do not exist in the account" - }, - "finding": { - "desc": "This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports [3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445, 135, 21, 1434, 4333, 5432, 5500, 5601, 22, 3000, 5000, 8088, 8888] that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for the listed ports.", - "first_seen_time": 1635449619417, - "last_seen_time": 1659636565316, - "modified_time": 1659636559100, - "related_events": [ - { - "product_uid": "arn:aws:securityhub:us-west-2::product/aws/guardduty", - "uid": "123e4567-e89b-12d3-a456-426655440000" - }, - { - "product_uid": "arn:aws:securityhub:us-west-2::product/aws/guardduty", - "uid": "AcmeNerfHerder-111111111111-x189dx7824" - } - ], - "remediation": { - "desc": "For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.", - "kb_articles": [ - "https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation" - ] - }, - "title": "EC2.19 Security groups should not allow unrestricted access to ports with high risk", - "types": [ - "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices" - ], - "uid": "test" - }, - "malware": [ - { - "classification_ids": [ - "1" - ], - "classifications": [ - "Adware" - ], - "name": "Stringler", - "path": "/usr/sbin/stringler" - } - ], - "metadata": { - "product": { - "feature": { - "name": "Security Hub", - "uid": "aws-foundational-security-best-practices/v/1.0.0/EC2.19" - }, - "name": 
"Security Hub", - "uid": "arn:aws:securityhub:us-east-1::product/aws/securityhub", - "version": "2018-10-08" - }, - "profiles": [ - "cloud" - ], - "version": "1.0.0-rc.2" - }, - "resources": [ - { - "cloud_partition": "aws", - "labels": [ - "billingCode=Lotus-1-2-3", - "needsPatching=true" - ], - "region": "us-east-1", - "type": "AwsEc2SecurityGroup", - "uid": "arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499" - } - ], - "severity": "Informational", - "state": "Resolved", - "state_id": "4", - "type_name": "Security Finding: Update", - "type_uid": "200102", - "unmapped": "{\"CompanyName\": \"AWS\", \"Compliance.StatusReasons[].ReasonCode\": \"CW_ALARMS_NOT_PRESENT\", \"FindingProviderFields.Severity.Label\": \"INFORMATIONAL\", \"FindingProviderFields.Severity.Original\": \"INFORMATIONAL\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\", \"Malware[].State\": \"OBSERVED\", \"ProductFields.ControlId\": \"EC2.19\", \"ProductFields.RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation\", \"ProductFields.RelatedAWSResources:0/name\": \"securityhub-vpc-sg-restricted-common-ports-2af29baf\", \"ProductFields.RelatedAWSResources:0/type\": \"AWS::Config::ConfigRule\", \"ProductFields.Resources:0/Id\": \"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499\", \"ProductFields.StandardsArn\": \"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0\", \"ProductFields.StandardsControlArn\": \"arn:aws:securityhub:us-east-1:522536594833:control/aws-foundational-security-best-practices/v/1.0.0/EC2.19\", \"ProductFields.StandardsSubscriptionArn\": \"arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0\", \"ProductFields.aws/securityhub/CompanyName\": \"AWS\", \"ProductFields.aws/securityhub/FindingId\": 
\"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bf428107-eee0-4d19-a013-92748ed69eef\", \"ProductFields.aws/securityhub/ProductName\": \"Security Hub\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"0\", \"Severity.Original\": \"INFORMATIONAL\", \"Severity.Product\": \"0\", \"Vulnerabilities[].Cvss[].BaseScore\": \"4.7,1.0\", \"Vulnerabilities[].Cvss[].BaseVector\": \"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,AV:L/AC:M/Au:N/C:C/I:N/A:N\", \"Vulnerabilities[].Cvss[].Version\": \"V3,V2\", \"Vulnerabilities[].Vendor.VendorSeverity\": \"Medium\", \"WorkflowState\": \"NEW\"}", - "vulnerabilities": [ - { - "cve": { - "created_time": 1579132903000, - "cvss": { - "base_score": "4.7", - "vector_string": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "version": "V3" - }, - "modified_time": 1579132903000, - "uid": "CVE-2020-12345" - }, - "kb_articles": [ - "https://alas.aws.amazon.com/ALAS-2020-1337.html" - ], - "packages": [ - { - "architecture": "x86_64", - "epoch": 1, - "name": "openssl", - "release": "16.amzn2.0.3", - "version": "1.0.2k" - }, - { - "architecture": "x86_64", - "epoch": 3, - "name": "yaml", - "release": "16.amzn2.0.3", - "version": "4.3.2" - } - ], - "references": [ - "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418" - ], - "related_vulnerabilities": [ - "CVE-2020-12345" - ], - "vendor_name": "Alas" - } - ] + "activity_id": 2 }, "vulnerability": { "description": [ diff --git a/OCSF/ocsf/tests/test_iam_1.json b/OCSF/ocsf/tests/test_iam_1.json index 817d6b7b9..e8602082f 100644 --- a/OCSF/ocsf/tests/test_iam_1.json +++ b/OCSF/ocsf/tests/test_iam_1.json 
@@ -30,58 +30,7 @@
 "name": "hollow alignment one"
 },
 "ocsf": {
- "activity_id": 0,
- "activity_name": "Unknown",
- "category_name": "Identity & Access Management",
- "category_uid": 3,
- "class_name": "Authorize Session",
- "class_uid": 3003,
- "group": {
- "desc": "checking tion ii",
- "privileges": [
- "powder exams monkey"
- ]
- },
- "metadata": {
- "log_name": "ebony pay tablets",
- "logged_time": 1696570109,
- "original_time": "gentleman brings relationship",
- "product": {
- "lang": "en",
- "name": "release zealand upon",
- "path": "fuel style da",
- "uid": "2e6ae592-6409-11ee-8656-0242ac110005",
- "version": "1.0.0"
- },
- "profiles": [],
- "version": "1.0.0"
- },
- "privileges": [
- "arrive wu supervisors",
- "fix kevin networking"
- ],
- "session": {
- "credential_uid": "2e6b0d6a-6409-11ee-bff8-0242ac110005",
- "is_remote": true,
- "issuer": "available towns recorder",
- "uid": "2e6b0374-6409-11ee-9a31-0242ac110005"
- },
- "severity": "Low",
- "status": "Unknown",
- "status_code": "seo",
- "status_id": 0,
- "timezone_offset": 34,
- "type_name": "Authorize Session: Unknown",
- "type_uid": "300300",
- "user": {
- "account": {
- "name": "minimal bumper shortly",
- "type": "Unknown",
- "type_id": "0"
- },
- "type": "creations",
- "type_id": "99"
- }
+ "activity_id": 0
 },
 "user": {
 "target": {
diff --git a/OCSF/ocsf/tests/test_iam_2.json b/OCSF/ocsf/tests/test_iam_2.json
index 7eef5727f..6bd3f03f0 100644
--- a/OCSF/ocsf/tests/test_iam_2.json
+++ b/OCSF/ocsf/tests/test_iam_2.json
@@ -20,34 +20,7 @@
 },
 "@timestamp": "2023-10-06T05:39:55Z",
 "ocsf": {
- "activity_id": 2,
- "activity_name": "Read",
- "category_name": "Identity & Access Management",
- "category_uid": 3,
- "class_name": "Entity Management",
- "class_uid": 3004,
- "entity": {
- "name": "sweden temperatures paste",
- "type": "founder quilt bone",
- "uid": "c7a47574-640a-11ee-aeb8-0242ac110005",
- "version": "1.0.0"
- },
- "metadata": {
- "correlation_uid": "c7a462e6-640a-11ee-b915-0242ac110005",
- "log_name": "intent hobby reserve",
- "product": {
- "lang": "en",
- "uid": "c7a42ac4-640a-11ee-ae25-0242ac110005",
- "version": "1.0.0"
- },
- "profiles": [],
- "version": "1.0.0"
- },
- "severity": "Unknown",
- "status": "authors technology bible",
- "timezone_offset": 36,
- "type_name": "Entity Management: Read",
- "type_uid": "300402"
+ "activity_id": 2
 }
 }
 }
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_iam_3.json b/OCSF/ocsf/tests/test_iam_3.json
index b73ce22b4..eea9c89ef 100644
--- a/OCSF/ocsf/tests/test_iam_3.json
+++ b/OCSF/ocsf/tests/test_iam_3.json
@@ -32,65 +32,7 @@
 "name": "cottages donor awful"
 },
 "ocsf": {
- "activity_id": 3,
- "activity_name": "Add User",
- "category_name": "Identity & Access Management",
- "category_uid": 3,
- "class_name": "Group Management",
- "class_uid": 3006,
- "count": 37,
- "enrichments": [
- {
- "data": "{\"dns\": \"bhrjfd\"}",
- "name": "consisting loves arrives",
- "provider": "case safari sw",
- "type": "babes rrp normally",
- "value": "cooking pot enough"
- }
- ],
- "metadata": {
- "log_name": "declared exhibits me",
- "original_time": "affordable mixture nigeria",
- "product": {
- "name": "industry thou favorites",
- "uid": "acc9db64-6427-11ee-bbd5-0242ac110005",
- "version": "1.0.0"
- },
- "profiles": [],
- "version": "1.0.0"
- },
- "severity": "Low",
- "status": "Success",
- "status_id": 1,
- "timezone_offset": 81,
- "type_name": "Group Management: Add User",
- "type_uid": "300603",
- "user": {
- "groups": [
- {
- "desc": "fire transsexual uri",
- "name": "kim patio tr",
- "uid": "acca6980-6427-11ee-8abc-0242ac110005"
- },
- {
- "desc": "snake avi only",
- "name": "interior husband tvs",
- "privileges": [
- "fresh provision sociology",
- "foundations twisted couple"
- ],
- "type": "magnetic peninsula riders",
- "uid": "acca6de0-6427-11ee-84f2-0242ac110005"
- }
- ],
- "org": {
- "name": "lesson machinery nutritional",
- "ou_name": "to walnut dash",
- "uid": "acca6354-6427-11ee-ae9b-0242ac110005"
- },
- "type": "suited",
- "type_id": "99"
- }
+ "activity_id": 3
 },
 "user": {
 "target": {
diff --git a/OCSF/ocsf/tests/test_iam_4.json b/OCSF/ocsf/tests/test_iam_4.json
index 17b51d95b..e651ce9d7 100644
--- a/OCSF/ocsf/tests/test_iam_4.json
+++ b/OCSF/ocsf/tests/test_iam_4.json
@@ -29,76 +29,7 @@
 "name": "then nevada berkeley md"
 },
 "ocsf": {
- "activity_id": 0,
- "activity_name": "Unknown",
- "category_name": "Identity & Access Management",
- "category_uid": 3,
- "class_name": "User Access Management",
- "class_uid": 3005,
- "metadata": {
- "log_name": "gravity bill gp",
- "logged_time": 1696581958,
- "original_time": "escape mic warner",
- "product": {
- "feature": {
- "name": "services cultural ali",
- "uid": "c52f43f4-6424-11ee-9b6e-0242ac110005",
- "version": "1.0.0"
- },
- "lang": "en",
- "name": "advance wellness phentermine",
- "uid": "c52f3210-6424-11ee-b807-0242ac110005",
- "version": "1.0.0"
- },
- "profiles": [],
- "version": "1.0.0"
- },
- "observables": [
- {
- "name": "devices arguments label",
- "type": "Fingerprint",
- "type_id": "30"
- },
- {
- "name": "line nightlife expo",
- "reputation": {
- "base_score": "45.5971",
- "provider": "marcus magnetic expressed",
- "score": "May not be Safe",
- "score_id": "5"
- },
- "type": "Container",
- "type_id": "27"
- }
- ],
- "privileges": [
- "returned funeral cave"
- ],
- "resource": {
- "group": {
- "name": "then nevada berkeley",
- "uid": "c52f1e24-6424-11ee-af05-0242ac110005"
- },
- "owner": {
- "domain": "regions gr dean",
- "email_addr": "Art@his.name",
- "name": "Fatty",
- "type": "forecast",
- "type_id": "99",
- "uid": "c52f060a-6424-11ee-b378-0242ac110005"
- }
- },
- "severity": "Medium",
- "status": "abstracts",
- "status_id": 99,
- "timezone_offset": 28,
- "type_name": "User Access Management: Unknown",
- "type_uid": "300500",
- "user": {
- "credential_uid": "c52f57ae-6424-11ee-b8be-0242ac110005",
- "type": "System",
- "type_id": "3"
- }
+ "activity_id": 0
 },
 "user": {
 "target": {
diff --git a/OCSF/ocsf/tests/test_network_activity_1.json b/OCSF/ocsf/tests/test_network_activity_1.json
index 7ec191525..ec274815b 100644
--- a/OCSF/ocsf/tests/test_network_activity_1.json
+++ b/OCSF/ocsf/tests/test_network_activity_1.json
@@ -47,46 +47,7 @@
 "packets": 1
 },
 "ocsf": {
- "activity_id": 5,
- "activity_name": "Refuse",
- "category_name": "Network Activity",
- "category_uid": 4,
- "class_name": "Network Activity",
- "class_uid": 4001,
- "connection_info": {
- "boundary": "-",
- "boundary_id": "99",
- "direction": "Inbound",
- "direction_id": "1",
- "tcp_flags": 2
- },
- "disposition": "Blocked",
- "disposition_id": "2",
- "dst_endpoint": {
- "instance_uid": "i-000000000000000000",
- "interface_uid": "eni-000000000000000000",
- "subnet_uid": "subnet-000000000000000000",
- "vpc_uid": "vpc-00000000"
- },
- "metadata": {
- "product": {
- "feature": {
- "name": "Flowlogs"
- },
- "name": "Amazon VPC",
- "version": "5"
- },
- "profiles": [
- "cloud",
- "security_control"
- ],
- "version": "1.0.0-rc.2"
- },
- "severity": "Informational",
- "status_code": "OK",
- "type_name": "Network Activity: Refuse",
- "type_uid": "400105",
- "unmapped": "{\"sublocation_id\": \"-\", \"sublocation_type\": \"-\"}"
+ "activity_id": 5
 },
 "related": {
 "ip": [
diff --git a/OCSF/ocsf/tests/test_network_activity_10.json b/OCSF/ocsf/tests/test_network_activity_10.json
index df10da309..0c9801bc0 100644
--- a/OCSF/ocsf/tests/test_network_activity_10.json
+++ b/OCSF/ocsf/tests/test_network_activity_10.json
@@ -59,198 +59,7 @@ "application": "stanford leisure analyzed" }, "ocsf": { - "activity_id": 5, - "activity_name": "Rename", - "actor": { - "process": { - "container": { - "image": { - "path": "adaptive granny knew", - "uid": "849779dc-5be7-11ee-8f66-0242ac110005" - }, - "network_driver": "cute desktops arrest", - "size": 2164055839 - }, - "file": { - "attributes": 9, - "type_id": "3" - }, - "namespace_pid": 41, - "parent_process": { - "container": { - "hash": { - "algorithm": "Unknown", - "algorithm_id": "0", - "value": "08759209B8F0A761FFF2B978AB8DAB0B6AE7B63C9AC9D3694BC0FED57BB2E27F5AAFB08486F656D6C6FE784F7DF07513FCB0975EC8B772EE000F56F793867A77" - }, - "image": { - "name": "assistance grande an", - "uid": "8497dec2-5be7-11ee-9c88-0242ac110005" - }, - "name": "citizenship caribbean twisted", - "size": 2686118868, - "uid": "8497d15c-5be7-11ee-aa8b-0242ac110005" - }, - "file": { - "creator": { - "credential_uid": "8497ab3c-5be7-11ee-8df1-0242ac110005", - "full_name": "Kirstin Thersa", - "name": "Additionally", - "type": "beat", - "type_id": "99", - "uid": "84979804-5be7-11ee-848b-0242ac110005" - }, - "desc": "surgeons settled advocacy", - "hashes": [ - {}, - {} - ], - "modified_time_dt": "2023-09-25T21:07:21.517084Z", - "name": "finance.3g2", - "parent_folder": "attention matching forest/met.mpa", - "path": "attention matching forest/met.mpa/finance.3g2", - "signature": { - "algorithm": "RSA", - "algorithm_id": "2", - "certificate": { - "created_time_dt": "2023-09-25T21:07:21.516247Z", - "expiration_time": 1695676041516, - "expiration_time_dt": "2023-09-25T21:07:21.516239Z", - "fingerprints": [ - { - "algorithm": "TLSH", - "algorithm_id": "6", - "value": "B3305921648A755AA6C1E2C028691A6861EAE8922BAE5ACE52B76E01AD96DF87ECE4E22E06EDC6715A0CAE469323620A07CCC384FD40C69EBA60E8BBEE8EA805" - } - ], - "issuer": "shall systematic vatican", - "serial_number": "requirement sodium situated", - "subject": "mt minutes bids", - "version": "1.0.0" - } - }, - "type": "wrap", - 
"type_id": "99" - }, - "lineage": [ - "vhs mechanism dates" - ], - "loaded_modules": [ - "/ourselves/lynn/gpl/helped/narrow.tga", - "/super/disclose/barnes/pg/california.png" - ], - "namespace_pid": 97, - "parent_process": "{\"cmd_line\": \"harder interventions pb\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"6A9A10210588981DD8FAA6BE10E39F2C65E816FEFE4768884F7B0BB0A10CD9D6\"}, \"name\": \"kg sources houses\", \"pod_uuid\": \"kiss\", \"runtime\": \"kate through furniture\", \"size\": 2387392206, \"uid\": \"849829cc-5be7-11ee-bb7a-0242ac110005\"}, \"created_time\": 1695676041517, \"file\": {\"created_time_dt\": \"2023-09-25T21:07:21.519646Z\", \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"E7B2EBCA4F63795EBE380FFBEAB194BCF3E2EB5C74F10C6B8AAB95F4C0B8D7AC\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"AFD9AD7A88CFF487A60962E99C6219806726EB352DD1591D375AD3BB143C0DABBFBC6DBFFA5D99B3662AE82C9B7EED847E30B7EA516D2AD9DFF07D8775F8AE36\"}], \"modifier\": {\"groups\": [{\"name\": \"winds seeking reply\", \"uid\": \"8497fde4-5be7-11ee-9733-0242ac110005\"}, {\"name\": \"hamburg roommate environment\", \"uid\": \"8498099c-5be7-11ee-ac6f-0242ac110005\"}], \"name\": \"Complete\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"8497f38a-5be7-11ee-97c6-0242ac110005\"}, \"name\": \"dame.svg\", \"parent_folder\": \"wives pamela karl/articles.c\", \"path\": \"wives pamela karl/articles.c/dame.svg\", \"security_descriptor\": \"robinson queens graduate\", \"type\": \"Regular File\", \"type_id\": 1}, \"integrity\": \"they thermal eau\", \"lineage\": [\"attraction cord adjustment\", \"announcements summer introduce\"], \"name\": \"Bid\", \"namespace_pid\": 49, \"parent_process\": {\"cmd_line\": \"creation defense carolina\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": 
\"666334EB7A1E55E189435FFF3F0CA7266F484FB44970AAFF3E72546D8B04B02ABB1A66B209CAFD44267701CA1392DF35B8EC3EECE0DC492D093880F2E4FF352C\"}, \"name\": \"hunt indicating radiation\", \"size\": 3179758248, \"tag\": \"reader prevention as\", \"uid\": \"84985df2-5be7-11ee-be06-0242ac110005\"}, \"created_time\": 1695676041527, \"file\": {\"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"created_time\": 1695676041520845, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"7D875B5EB312ADEF7D530DD6E43468170B094A5F54CA1AC26E7788A81A01238428E62D581423E70B05DA11F15513291EB10776B4E14DE1844072ACDF11BBDFD1\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"1100511F3469E3CDE7D081EC6E78154C8476D546F615EEEB37C4CDFBD41740440FC77660EE3A4B9C67DE81C63172A49F835656F85ED5E36A65A2A25E2A733358\"}], \"modifier\": {\"name\": \"Officer\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"84984362-5be7-11ee-af2c-0242ac110005\"}, \"name\": \"seq.wpd\", \"parent_folder\": \"conflicts disability citysearch/ieee.dtd\", \"path\": \"conflicts disability citysearch/ieee.dtd/seq.wpd\", \"type\": \"Character Device\", \"type_id\": 3}, \"name\": \"Jamie\", \"namespace_pid\": 46, \"parent_process\": {\"cmd_line\": \"plan agents converter\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"E7EFDA40B1C94805070CD9BF9638AE27\"}, \"image\": {\"labels\": [\"golf\", \"nov\"], \"name\": \"extending construction inkjet\", \"path\": \"empirical precipitation builder\", \"uid\": \"84989f42-5be7-11ee-8820-0242ac110005\"}, \"name\": \"thongs routine an\", \"size\": 2099983603, \"uid\": \"84989948-5be7-11ee-b4fb-0242ac110005\"}, \"created_time\": 1695676041523226, \"file\": {\"created_time\": 1695676042262, \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"60F202A3BE4EF214E24EA9D3555D194C\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": 
\"B0B2D200728B0DACE6CB6829F90EE31A9AD123FF1982012B003249D4F2C5351924E6DBBD1242EE722D4C5A0B80C983DC7B94DDD594FCFCEF4E63552956E2B26A\"}], \"modified_time_dt\": \"2023-09-25T21:07:21.522441Z\", \"name\": \"startup.3dm\", \"signature\": {\"algorithm\": \"RSA\", \"algorithm_id\": 2, \"certificate\": {\"created_time\": 1695676041522, \"created_time_dt\": \"2023-09-25T21:07:21.521904Z\", \"expiration_time\": 1695676041526, \"fingerprints\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"8E4DE5CC0D59311697B0D4061FDBFB4CB99E38121EA17CF740789A0CBC85B56703E1341C940E7A2220C02211CC84447A19061569BE42AC4A2C03010FB6CB1A75\"}, {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"205D64FF9B580AADBF4829EC41DD4EF0\"}], \"issuer\": \"previous price thing\", \"serial_number\": \"files the parish\", \"subject\": \"shades bad tradition\"}}, \"size\": 3504413585, \"type\": \"Named Pipe\", \"type_id\": 6, \"uid\": \"84987ae4-5be7-11ee-b247-0242ac110005\", \"version\": \"1.0.0\"}, \"integrity\": \"conspiracy unions allocated\", \"name\": \"Arbor\", \"parent_process\": {\"cmd_line\": \"sixth pc peoples\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"F4001D4FD76B73412DB0EFD2C66F0AB3C27D9FE9BD375B1659A1DDDA68C17DC1C0F5402A6AE571DC073E94F1B720821E4208595D5BB4B13D917A12CE3DA53C1E\"}, \"image\": {\"name\": \"version treating tall\", \"uid\": \"8498df20-5be7-11ee-8257-0242ac110005\"}, \"name\": \"warrior document workflow\", \"pod_uuid\": \"sas\", \"size\": 2697694450, \"uid\": \"8498da2a-5be7-11ee-9d00-0242ac110005\"}, \"created_time\": 1695676041523, \"file\": {\"accessor\": {\"email_addr\": \"Shin@cause.mobi\", \"full_name\": \"Twyla Cherise\", \"name\": \"Wildlife\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"8498c030-5be7-11ee-80d9-0242ac110005\", \"uid_alt\": \"excellent far varied\"}, \"created_time\": 1695676041524, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": 
\"707CF5E50A11D69874235DED9A045B6AB42439F7495DED03049CB7E997949E8B014295A25059CD1A9F06BFE9E4101ED176615E69D43FE199E849DEC0BC4AEB4D\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"6F487B974BDB9DBDF014F50502D9F70BC2630E6C974E4C6E6AA2EB3BEC95A3BDCA7AE609DA34179E0677F042734A767ADA4F6CA04788916644262CDC60BC2FB2\"}], \"mime_type\": \"star/flyer\", \"name\": \"considerations.jar\", \"parent_folder\": \"roger economy macro/mesh.gadget\", \"path\": \"roger economy macro/mesh.gadget/considerations.jar\", \"type\": \"Local Socket\", \"type_id\": 5}, \"integrity\": \"aviation blame tion\", \"name\": \"Processes\", \"namespace_pid\": 76, \"parent_process\": {\"container\": {\"image\": {\"tag\": \"vocal trim jon\", \"uid\": \"849944f6-5be7-11ee-bc62-0242ac110005\"}, \"name\": \"acquired minority slip\", \"size\": 2257875576, \"uid\": \"84993ce0-5be7-11ee-8a18-0242ac110005\"}, \"file\": {\"accessed_time\": 1695676041556, \"confidentiality\": \"suburban ati mostly\", \"created_time_dt\": \"2023-09-25T21:07:21.526737Z\", \"hashes\": [{\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"00EF9DADDE482AF5432B0BFC5F69023736D4A0ECD59F74884C4B8AD83D21429B78023351C5DBD07407EAB2BFA527A0586016DE3C92F37913920E221F7D452802\"}], \"is_system\": false, \"modified_time_dt\": \"2023-09-25T21:07:21.526727Z\", \"name\": \"pic.vcd\", \"owner\": {\"full_name\": \"Blythe Jamie\", \"name\": \"Enquiry\", \"type\": \"minneapolis\", \"type_id\": 99, \"uid\": \"849901e4-5be7-11ee-bfe1-0242ac110005\"}, \"parent_folder\": \"const foreign pressed/among.ged\", \"path\": \"const foreign pressed/among.ged/pic.vcd\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"certificate\": {\"created_time\": 1695676041526, \"expiration_time\": 1695676045872, \"fingerprints\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"9E41EB47ABD226D92CFE27DBDA0C924C190A1B0C0136B09923B419089B013DF14CB58C38F651F710540E348BF800DFE364197904B11FFFAD98BB2B10006B28E2\"}, {\"algorithm\": 
\"SHA-1\", \"algorithm_id\": 2, \"value\": \"3DE877DDFB06DB510E63893D98DDAC9524696C14\"}], \"issuer\": \"everybody brunei disciplinary\", \"serial_number\": \"approaches symbol assembly\", \"subject\": \"strap liz boulder\", \"version\": \"1.0.0\"}, \"created_time_dt\": \"2023-09-25T21:07:21.526203Z\", \"developer_uid\": \"84991526-5be7-11ee-a2ca-0242ac110005\"}, \"type\": \"charged\", \"type_id\": 99, \"uid\": \"84992264-5be7-11ee-8071-0242ac110005\"}, \"name\": \"Job\", \"namespace_pid\": 29, \"parent_process\": {\"cmd_line\": \"brush bouquet alto\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"82B5F7770097973F2962C241C557369EC2D38E9A1BDA03176B9CA511F1CA56CF\"}, \"image\": {\"name\": \"adipex into polo\", \"uid\": \"849984fc-5be7-11ee-af4c-0242ac110005\"}, \"name\": \"deutschland pic newcastle\", \"size\": 797071549, \"uid\": \"84996db4-5be7-11ee-bada-0242ac110005\"}, \"created_time\": 1695676041528, \"file\": {\"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"44CA9EA761C2131C73960AD47472741B13D305EE2D07FE91E8F1B47F4F062B8A16DD3611E4439E4C163A7CF42F1AE5989CF9683117DB801FD1BC222A16618E19\"}, {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"C25DDA249CDECE9D908CC33ADCD16AA05E20290F\"}], \"name\": \"tuner.pdb\", \"parent_folder\": \"architectural pink phil/overview.dtd\", \"path\": \"architectural pink phil/overview.dtd/tuner.pdb\", \"type\": \"Named Pipe\", \"type_id\": 6, \"version\": \"1.0.0\", \"xattributes\": {}}, \"lineage\": [\"familiar privilege canvas\"], \"namespace_pid\": 23, \"parent_process\": {\"cmd_line\": \"in blowing memorial\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"6B2A589B76A482CD379A7FF8AF13EE0F9ABF937DE60010068FEC808F5B6B22521C2A28C7F48BC5C2EDC81EAE5E5812D95F5E0F3DF5685571E5DB36B146DB82EC\"}, \"image\": {\"name\": \"robert through mailing\", \"tag\": \"struggle gerald weather\", \"uid\": 
\"8499d704-5be7-11ee-b617-0242ac110005\"}, \"name\": \"france sg charger\", \"network_driver\": \"catch sun general\", \"orchestrator\": \"sf varieties queries\", \"size\": 1048383191, \"tag\": \"deserve focused select\", \"uid\": \"8499d164-5be7-11ee-a7e8-0242ac110005\"}, \"created_time\": 1695676041539, \"file\": {\"attributes\": 83, \"desc\": \"escape steady bow\", \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"718C92FD5ECC9B483CA9A76E309BD60F7DAD6035254FAD5EA9430568F36EB16D5532657DE90C3B3B41896C8A9B601BF1E1083D5BB299127118B535C347D13549\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"D13D53927A745D27511C298846343093D7E92D919905B6C22ABBF727AD18EF7E3B3850949F8CC772390749C8644B5CF6F8618FEF524E9589DB73F57FE128AA88\"}], \"name\": \"spirit.max\", \"owner\": {\"email_addr\": \"Pamelia@directed.com\", \"name\": \"Friend\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"84999e10-5be7-11ee-914b-0242ac110005\"}, \"parent_folder\": \"fish largest alberta/solutions.deskthemepack\", \"path\": \"fish largest alberta/solutions.deskthemepack/spirit.max\", \"type\": \"Regular File\", \"type_id\": 1, \"version\": \"1.0.0\"}, \"integrity\": \"faculty hardcover generated\", \"name\": \"Cialis\", \"namespace_pid\": 79, \"parent_process\": {\"cmd_line\": \"text ana range\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"79F7EED760813BF63DC0EE7F986F1CC6345DD170AB03CA1350684CB8720E3C67F9FCE3B075A22266EB0C66A1CDA2D3BD540E777D9A294433377B83DB6DE3D6DB\"}, \"image\": {\"name\": \"layers branch lucas\", \"tag\": \"nations chances trips\", \"uid\": \"849a32bc-5be7-11ee-86bb-0242ac110005\"}, \"name\": \"own drawing acute\", \"size\": 1512724327, \"uid\": \"849a2420-5be7-11ee-94c5-0242ac110005\"}, \"created_time\": 1695676041533, \"file\": {\"creator\": {\"domain\": \"coupons dropped pantyhose\", \"name\": \"Booking\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"8499f1ee-5be7-11ee-a02c-0242ac110005\"}, 
\"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"F01EB1DD5E5D955CF3DA810E1FAABA4136E09F5EF69DA3753223183EF836741A617AAAEB52D8B014D900A4A11B94974298F7D3C4EAE57C107CF3A3230AD34188\"}], \"modified_time_dt\": \"2023-09-25T21:07:21.531893Z\", \"name\": \"premises.sln\", \"owner\": {\"account\": {\"name\": \"discs outlets general\", \"type\": \"Mac OS Account\", \"type_id\": 7, \"uid\": \"8499eb2c-5be7-11ee-86b7-0242ac110005\"}, \"name\": \"Welcome\", \"type\": \"User\", \"type_id\": 1}, \"parent_folder\": \"ralph tales librarian/simpsons.psd\", \"path\": \"ralph tales librarian/simpsons.psd/premises.sln\", \"type\": \"ships\", \"type_id\": 99}, \"lineage\": [\"guru hosted bradley\"], \"name\": \"Devices\", \"namespace_pid\": 39, \"parent_process\": {\"cmd_line\": \"merchandise initiatives accessibility\", \"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"12FC9239ABF2C07159EBC92013171DA43175589170BD05B55220534634A9D1FEFC88B117A95FCE4FE3C5A5FEDB9DC4EB3F700C0386931C889F815E86BCD4B509\"}, \"image\": {\"name\": \"evaluating apartments disaster\", \"uid\": \"849a6a66-5be7-11ee-95e4-0242ac110005\"}, \"name\": \"apartment drunk amateur\", \"size\": 3702557326, \"uid\": \"849a646c-5be7-11ee-90ce-0242ac110005\"}, \"created_time\": 1695676041535, \"file\": {\"attributes\": 22, \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"6FD1E1613C3918067E01585E32D4AA461C485DF01C56BD5A294FD82B353B5EC64A7EBAED614D28451E3AECB3ACA75900593A20D8AE7F7A1E2CF9DD4F0496B9C4\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"B66E94D9133A6E41392C5AFCBF3F6EEB29E45C041350255AEE34ADD6C4E6BD15FF9060177954793B5D078A8802B4B1ADDD73BECACB7D5827D9A1CB9F96D5E153\"}], \"is_system\": false, \"modified_time_dt\": \"2023-09-25T21:07:21.533963Z\", \"name\": \"hunt.ppt\", \"type\": \"Local Socket\", \"type_id\": 5}, \"name\": \"Bags\", 
\"namespace_pid\": 29, \"parent_process\": {\"cmd_line\": \"recordings countries slides\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"383B6630E8241D34D54BFD689DECC0CAB88770D935667989A3A1DE8397F5520F\"}, \"image\": {\"name\": \"evanescence plans courts\", \"tag\": \"buy archives predict\", \"uid\": \"849aaa9e-5be7-11ee-a47a-0242ac110005\"}, \"name\": \"distant modeling monaco\", \"runtime\": \"peace up sailing\", \"uid\": \"849aa490-5be7-11ee-bb98-0242ac110005\"}, \"created_time\": 1695676041539, \"file\": {\"attributes\": 35, \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"6BD48B1E57856137037BFEE4DEC8D57F\"}], \"name\": \"hardware.wma\", \"owner\": {\"name\": \"Asia\", \"type\": \"meetup\", \"type_id\": 99, \"uid\": \"849a7ac4-5be7-11ee-a06d-0242ac110005\"}, \"parent_folder\": \"interactions malta thoughts/laden.pdf\", \"path\": \"interactions malta thoughts/laden.pdf/hardware.wma\", \"signature\": {\"algorithm\": \"Authenticode\", \"algorithm_id\": 4, \"digest\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"3188206324B062751CE36D4251C19C94\"}}, \"type\": \"Unknown\", \"type_id\": 0}, \"integrity\": \"bookings qc dictionaries\", \"lineage\": [\"lanka manufacture bra\", \"gibson implementation pope\"], \"name\": \"Sen\", \"namespace_pid\": 6, \"parent_process\": {\"cmd_line\": \"amount anywhere suffered\", \"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"B7F1BFFEB47BCFB30F891852F769572A9816784BF4A4073805850F9F969A5335CFC878CACC9E0F8A71B547F60832FE712A59A7DD7DBD6E94BB9D155309EB3581\"}, \"image\": {\"name\": \"cross tray influenced\", \"tag\": \"afternoon counseling governance\", \"uid\": \"849b1f7e-5be7-11ee-bb9d-0242ac110005\"}, \"name\": \"author channel disappointed\", \"network_driver\": \"slovakia friend username\", \"size\": 191473515, \"uid\": \"849aff08-5be7-11ee-80bd-0242ac110005\"}, \"created_time\": 1695676041539630, \"file\": 
{\"accessed_time\": 1695676041534, \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"CE850E16E049A60B4B8F465DC00ADBFB7207CC76FD94F5EBC335F637B8052B77\"}], \"name\": \"removal.obj\", \"parent_folder\": \"jeff puts assignments/thing.msi\", \"path\": \"jeff puts assignments/thing.msi/removal.obj\", \"security_descriptor\": \"bureau myspace barrel\", \"type\": \"Named Pipe\", \"type_id\": 6}, \"name\": \"Impacts\", \"namespace_pid\": 49, \"parent_process\": {\"cmd_line\": \"techno now vid\", \"created_time\": 1695676041593, \"file\": {\"accessor\": {\"credential_uid\": \"849b5b88-5be7-11ee-af7a-0242ac110005\", \"name\": \"Dragon\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"849b52b4-5be7-11ee-863c-0242ac110005\"}, \"attributes\": 78, \"created_time_dt\": \"2023-09-25T21:07:21.541195Z\", \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"AABE45CE23939AE53AA3AF15C6123A6ED98FC106E4C7491B89A814D8EB040F3B9D5842B5A215D1D27ED1B4DC8DD3D3F0D50197DD105E37461661D98A23E0917C\"}], \"modified_time\": 1695676041541, \"modified_time_dt\": \"2023-09-25T21:07:21.541163Z\", \"name\": \"human.pdb\", \"parent_folder\": \"let dawn representing/surrounding.dwg\", \"path\": \"let dawn representing/surrounding.dwg/human.pdb\", \"product\": {\"feature\": {\"name\": \"metric th alt\", \"uid\": \"849b46a2-5be7-11ee-824d-0242ac110005\", \"version\": \"1.0.0\"}, \"name\": \"heavy payroll timothy\", \"uid\": \"849b3fd6-5be7-11ee-83d2-0242ac110005\", \"vendor_name\": \"rv brother vaccine\", \"version\": \"1.0.0\"}, \"type\": \"Symbolic Link\", \"type_id\": 7}, \"lineage\": [\"qualify insight reproduce\", \"placing download tomato\"], \"name\": \"Sampling\", \"namespace_pid\": 91, \"parent_process\": {\"cmd_line\": \"treatments proceeding assumed\", \"created_time\": 1695676041548, \"created_time_dt\": \"2023-09-25T21:07:21.565904Z\", \"file\": {\"accessor\": {\"email_addr\": \"Stormy@postcard.mobi\", \"name\": \"Xhtml\", \"type\": 
\"disabilities\", \"type_id\": 99, \"uid\": \"849ba016-5be7-11ee-8738-0242ac110005\"}, \"creator\": {\"domain\": \"neural fig colin\", \"full_name\": \"Otelia Kori\", \"name\": \"Tap\", \"org\": {\"name\": \"timing process palestinian\", \"ou_name\": \"step mouth drunk\", \"uid\": \"849bad9a-5be7-11ee-9fa0-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1}, \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"A5064ED27DDBDCBA4CBCADF1DB39DA3F2EEE6B58C7A1239C64CABA643C220D3F292A1DE7E239A9314ECD04E09E02E1289265DB1375370F0E2CB9844F235B40B9\"}], \"is_system\": true, \"mime_type\": \"talked/wishlist\", \"modified_time\": 1695676041546, \"name\": \"sunday.crdownload\", \"parent_folder\": \"designing designed kim/butts.crx\", \"path\": \"designing designed kim/butts.crx/sunday.crdownload\", \"product\": {\"feature\": {\"name\": \"seminar automatic gui\", \"uid\": \"849b9742-5be7-11ee-9904-0242ac110005\", \"version\": \"1.0.0\"}, \"lang\": \"en\", \"name\": \"nights validity updated\", \"uid\": \"849b866c-5be7-11ee-a7ff-0242ac110005\", \"url_string\": \"however\", \"vendor_name\": \"favorite album ncaa\", \"version\": \"1.0.0\"}, \"signature\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"certificate\": {\"created_time\": 1695676041542, \"expiration_time\": 1695676041577, \"fingerprints\": [{\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"A1636B226D49D354EAD09345190417B47EC13762648D8C196823FB556456DD5A2ED39FDF2ADE536CF2D0AFA33A47F9404800085FE205A49A4DA6C280AF603AA9\"}], \"issuer\": \"cooperation worldcat southwest\", \"serial_number\": \"distributed characters bin\", \"subject\": \"annually ic quest\", \"version\": \"1.0.0\"}, \"created_time_dt\": \"2023-09-25T21:07:21.542032Z\"}, \"size\": 1384349588, \"type\": \"Unknown\", \"type_id\": 0}, \"integrity\": \"written\", \"integrity_id\": 99, \"lineage\": [\"tenant surveillance nature\", \"securities joining bite\"], \"loaded_modules\": 
[\"/aims/hammer/duke/implementation/roland.jar\", \"/illustration/reads/adaptation/ppc/footage.cab\"], \"name\": \"Foundation\", \"parent_process\": {\"cmd_line\": \"remain weird municipal\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"53CB2A3DF41EA583C9DAD815CC228E623D600CA69DD3B138EBA03828A95C399AC2319E8C246FAF2EB345362B0931618009C8A5FF4C8E100C7B414107D51F849D\"}, \"image\": {\"name\": \"titten live cvs\", \"uid\": \"849c105a-5be7-11ee-8337-0242ac110005\"}, \"name\": \"anthony serial medline\", \"size\": 2006500672, \"uid\": \"849c059c-5be7-11ee-b620-0242ac110005\"}, \"created_time\": 1695676041542, \"created_time_dt\": \"2023-09-25T21:07:21.565886Z\", \"file\": {\"accessed_time\": 1695676044937, \"accessor\": {\"domain\": \"operates collectables presentations\", \"name\": \"Qualities\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849bf00c-5be7-11ee-a0de-0242ac110005\", \"uid_alt\": \"welsh constraints elimination\"}, \"created_time\": 1695676041545, \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"BADBDA50632954800C02D40EB49D1BEF8E5A883D\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"22B65F9CC3DDECE17BC92C741314C0C01D6C398B477BCFE22CCB63F4975A066119C2A3F4E9BDC342383345BCEEA9046C0573AEA278C1EBD8E1578337B1640606\"}], \"is_system\": false, \"name\": \"moral.kmz\", \"parent_folder\": \"suit who pics/arrange.torrent\", \"path\": \"suit who pics/arrange.torrent/moral.kmz\", \"type\": \"Local Socket\", \"type_id\": 5}, \"integrity\": \"High\", \"integrity_id\": 4, \"name\": \"Restore\", \"namespace_pid\": 8, \"parent_process\": {\"cmd_line\": \"arrangements makes handy\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"FC25F43E993A1FB725021E78097481FDD1FECA2EC91BF14AE34067FC31DBCD1005D4B0AFC4F050872672CC3EAB72236EADE80DFF4CCBB844F8ED0489F697D2F1\"}, \"image\": {\"labels\": [\"mumbai\"], \"name\": \"capabilities huge hometown\", 
\"uid\": \"849c6d2a-5be7-11ee-a411-0242ac110005\"}, \"name\": \"yahoo plains basically\", \"uid\": \"849c6776-5be7-11ee-94b5-0242ac110005\"}, \"created_time\": 1695676041544, \"file\": {\"accessor\": {\"account\": {\"name\": \"cards gratis necklace\", \"type\": \"Apple Account\", \"type_id\": 8}, \"full_name\": \"Crysta Damaris\", \"name\": \"Class\", \"type\": \"pie\", \"type_id\": 99, \"uid_alt\": \"linux has luis\"}, \"attributes\": 79, \"company_name\": \"Mckenzie Ardith\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"creator\": {\"domain\": \"glass outlet lopez\", \"groups\": [{\"name\": \"suspected contributor counting\", \"type\": \"vacations wines biological\", \"uid\": \"849c5ae2-5be7-11ee-97a7-0242ac110005\"}], \"org\": {\"name\": \"reproductive balloon stanley\", \"ou_name\": \"pick rear governance\", \"ou_uid\": \"849c5470-5be7-11ee-b89d-0242ac110005\", \"uid\": \"849c5060-5be7-11ee-b740-0242ac110005\"}, \"type\": \"selected\", \"type_id\": 99, \"uid\": \"849c4b2e-5be7-11ee-9c0b-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"1B8BF6AF4C4E0F5A64ED59860F5673F5762D1E214D4B3127BAC626D3811952EAF98972460DF098DEAB2B6D4FF02723546AEBA4108F2A03A20044552141A4447E\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"221C1DF278F5DBE8C04CCC89DB66A355ABA13C3F27B4E23A19D0E73C64E5E9A7951D5102BA2F416429122A6110C57ED22F7216EB73939FF0E7E4BDB574A90CC4\"}], \"is_system\": false, \"name\": \"revolution.vcf\", \"owner\": {\"email_addr\": \"Suzan@communicate.coop\", \"name\": \"Sunny\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849c24fa-5be7-11ee-93d2-0242ac110005\"}, \"parent_folder\": \"nintendo smilies thank/ought.vb\", \"path\": \"nintendo smilies thank/ought.vb/revolution.vcf\", \"product\": {\"lang\": \"en\", \"name\": \"pci invasion producers\", \"uid\": \"849c3e4a-5be7-11ee-80be-0242ac110005\", \"vendor_name\": \"australian payments crm\", \"version\": \"1.0.0\"}, 
\"security_descriptor\": \"recommended approve environment\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"certificate\": {\"created_time\": 1695676041548, \"expiration_time\": 1695676041514, \"fingerprints\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"35C90137B6BD19F8D464173B9904DBFA60D62BFF8BCBCF99235987ACC2D4840DBA02F991522C533C211C54B3A1016A0A76AF0578E30D0190414926A1EA56FEB7\"}], \"issuer\": \"foundation review shaft\", \"serial_number\": \"windsor sponsor google\", \"subject\": \"microwave marriott okay\", \"version\": \"1.0.0\"}}, \"type\": \"Folder\", \"type_id\": 2, \"version\": \"1.0.0\"}, \"namespace_pid\": 13, \"parent_process\": {\"cmd_line\": \"well absent shoe\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"A813ED16B0B3E58FA959C0BA26A47058\"}, \"image\": {\"name\": \"audio miracle leader\", \"uid\": \"849ce32c-5be7-11ee-b7a9-0242ac110005\"}, \"name\": \"hospitality walker vs\", \"size\": 1224758347, \"uid\": \"849cdd28-5be7-11ee-9250-0242ac110005\"}, \"created_time\": 1695676041555, \"file\": {\"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"3BC175E9CE56D1FC2D86AB6EA2EC56EB21930540B56A5B6E3840DFB64287ACAB\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"31588C71F04798D44E2202431AE7025AF3BC67EC8192E94F362A9B9121FB5AC23510026F8391A0A54234D8D0DB8D2DEBD112DEEF6AC598A11A194875191A4975\"}], \"is_system\": true, \"mime_type\": \"engineer/habitat\", \"modifier\": {\"domain\": \"ln resolved couple\", \"email_addr\": \"Deloise@agreed.arpa\", \"name\": \"Heritage\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"849c8878-5be7-11ee-98bd-0242ac110005\"}, \"name\": \"world.jpg\", \"parent_folder\": \"blend roommates closed/died.docx\", \"path\": \"blend roommates closed/died.docx/world.jpg\", \"type\": \"Block Device\", \"type_id\": 4}, \"lineage\": [\"achievement courage send\", 
\"expansion instructional agreements\"], \"loaded_modules\": [\"/rev/amazon/casino/june/fails.bin\", \"/credit/potential/lawsuit/clause/nine.bmp\"], \"name\": \"Tell\", \"namespace_pid\": 62, \"parent_process\": {\"cmd_line\": \"challenges prompt cumulative\", \"container\": {\"hash\": {\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"6E73C76AD0B2D03EB35088BB834D7A1949E2174F0288EAC8066F5CC920923FEC2568825E7A9B3B3B871DC2AA82AD34DAC42A8E327CAD3D3E720D2ADD7C13CAB0\"}, \"image\": {\"name\": \"charges fragrances complex\", \"uid\": \"849d1342-5be7-11ee-a4ca-0242ac110005\"}, \"name\": \"develop affiliates required\", \"network_driver\": \"familiar movies legitimate\", \"pod_uuid\": \"legally\", \"size\": 2138922450, \"uid\": \"849d0e7e-5be7-11ee-a8e4-0242ac110005\"}, \"file\": {\"confidentiality\": \"venue rl epa\", \"created_time_dt\": \"2023-09-25T21:07:21.551631Z\", \"hashes\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"2347F66D3EE9CCBD7191F650BE1EF4F94E8B6ED61D543709A1A907FBC76BFC089577CB78BFA772DA65746573746C4AB26AF19E7A8E9DB821E3979ED04051B9BC\"}, {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"256D62122A8BA5E06B613EAD639B79BA7875995217AC6E2C854DBB610631D33C\"}], \"mime_type\": \"silicon/limousines\", \"modified_time\": 1695676041500, \"name\": \"flexible.vcxproj\", \"product\": {\"lang\": \"en\", \"name\": \"external polar galaxy\", \"vendor_name\": \"hack infection generator\", \"version\": \"1.0.0\"}, \"type\": \"Folder\", \"type_id\": 2, \"xattributes\": {}}, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"name\": \"Airfare\", \"namespace_pid\": 2, \"parent_process\": {\"cmd_line\": \"reporter techno regarded\", \"container\": {\"hash\": {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"0895F371F264F7E3AA4A79B16A3C6EEAABE10BBF6A7DC2B7D8DD4F14B3C6F05D\"}, \"image\": {\"labels\": [\"responsibility\"], \"uid\": \"849d468c-5be7-11ee-85e3-0242ac110005\"}, \"name\": \"cpu mission hacker\", 
\"orchestrator\": \"helpful pasta matthew\", \"runtime\": \"cables vanilla amendments\", \"size\": 1820268463, \"uid\": \"849d3caa-5be7-11ee-9fe6-0242ac110005\"}, \"file\": {\"attributes\": 44, \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"8A25185F3C5523EF3B08C1ECDD83016224863C95\"}, {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"6B9ED75DAE7A1E692073FC400B558EA4\"}], \"mime_type\": \"will/executed\", \"name\": \"uzbekistan.jar\", \"type\": \"Block Device\", \"type_id\": 4, \"uid\": \"849d2170-5be7-11ee-a637-0242ac110005\", \"xattributes\": {}}, \"name\": \"Eternal\", \"namespace_pid\": 84, \"parent_process\": {\"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"308FD1FED7D34B9AFAB9224FF617D64E4CA9AC20FC59F1FB3B80AB2CBB1511245EC668E138B6C330D86E2B874BD66ED33E16E931B3D344A8365BE63CAB39562C\"}, \"image\": {\"labels\": [\"fix\"], \"name\": \"curtis burns park\", \"uid\": \"849d83f4-5be7-11ee-8f40-0242ac110005\"}, \"network_driver\": \"surely assistance actively\", \"pod_uuid\": \"gardening\", \"size\": 1668291787, \"uid\": \"849d7cce-5be7-11ee-80f3-0242ac110005\"}, \"created_time\": 1695676041553, \"file\": {\"company_name\": \"Frederica Hertha\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"created_time\": 1695676041554, \"created_time_dt\": \"2023-09-25T21:07:21.554150Z\", \"desc\": \"closed hydraulic connecting\", \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"5C5069744142886E3127F2CCFE145C68A0B1A4DFA3BB504B858390D851E16A9F\"}], \"name\": \"titanium.avi\", \"parent_folder\": \"slideshow configurations lens/nations.flv\", \"path\": \"slideshow configurations lens/nations.flv/titanium.avi\", \"type\": \"Unknown\", \"type_id\": 0, \"xattributes\": {}}, \"integrity\": \"System\", \"integrity_id\": 5, \"name\": \"Music\", \"parent_process\": {\"cmd_line\": \"pursuant proceed discussed\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", 
\"algorithm_id\": 1, \"value\": \"8876489CE00D6D9FDF61ED1C773F047E\"}, \"image\": {\"name\": \"bubble architects vancouver\", \"path\": \"hairy pixel time\", \"uid\": \"849e0ebe-5be7-11ee-8341-0242ac110005\"}, \"name\": \"insight style ca\", \"runtime\": \"williams ng xhtml\", \"size\": 220440282, \"uid\": \"849e031a-5be7-11ee-b55b-0242ac110005\"}, \"created_time\": 1695676041558, \"file\": {\"accessor\": {\"account\": {\"name\": \"hourly toll disappointed\", \"uid\": \"849dabd6-5be7-11ee-ba6a-0242ac110005\"}, \"credential_uid\": \"849db838-5be7-11ee-8a18-0242ac110005\", \"name\": \"Mine\", \"type\": \"fcc\", \"type_id\": 99, \"uid\": \"849da17c-5be7-11ee-9d3a-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"599DCCE2998A6B40B1E38E8C6006CB0A\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"E3C48119D2F351FBEB28EABE137BB8D7969A9AA7CEBF71A153DA4670481EFAAB267B6B39C0EDBDDAF4DD1B9E9B5FF0B28D72E0A5FA27336A282A0FDBA4D0C9D4\"}], \"modified_time\": 1695676041557, \"modifier\": {\"full_name\": \"Katheryn Kena\", \"name\": \"Infected\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"849d94de-5be7-11ee-b30d-0242ac110005\"}, \"name\": \"opening.vob\", \"parent_folder\": \"venezuela flyer seller/os.kml\", \"path\": \"venezuela flyer seller/os.kml/opening.vob\", \"security_descriptor\": \"graham occupations become\", \"type\": \"Local Socket\", \"type_id\": 5}, \"lineage\": [\"bk destinations est\", \"whose playback congressional\"], \"name\": \"Surprise\", \"namespace_pid\": 54, \"parent_process\": {\"cmd_line\": \"peer rail specialist\", \"container\": {\"image\": {\"name\": \"committed plastic does\", \"uid\": \"849e6972-5be7-11ee-b803-0242ac110005\"}, \"name\": \"priority mirrors although\", \"network_driver\": \"conduct linking lb\", \"runtime\": \"rock relation block\", \"size\": 2559819198, \"uid\": \"849e509a-5be7-11ee-ad75-0242ac110005\"}, \"created_time\": 1695676041434, \"file\": {\"accessor\": {\"full_name\": 
\"Lorna Francisco\", \"name\": \"Intl\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849e39a2-5be7-11ee-b3b8-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"9471ED19416B8099E51855CB0EF61AE3\"}], \"modified_time\": 1695676041563, \"modifier\": {\"domain\": \"informational advisory mg\", \"name\": \"Constraints\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849e2a2a-5be7-11ee-82b2-0242ac110005\"}, \"name\": \"filled.mdb\", \"parent_folder\": \"disc dividend incentives/crucial.wps\", \"path\": \"disc dividend incentives/crucial.wps/filled.mdb\", \"product\": {\"lang\": \"en\", \"name\": \"michigan slight torture\", \"path\": \"costumes somewhat qui\", \"uid\": \"849e3088-5be7-11ee-8510-0242ac110005\", \"vendor_name\": \"franchise portland experiment\", \"version\": \"1.0.0\"}, \"signature\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"certificate\": {\"created_time\": 1695676041558, \"expiration_time\": 1695676041554, \"fingerprints\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"372885B9675F31EF37D14F711A430940E777638ADCB2F77B36D079076E38606F\"}], \"issuer\": \"worker attended mel\", \"serial_number\": \"durham graham course\", \"subject\": \"infectious replication lock\", \"version\": \"1.0.0\"}}, \"size\": 2881440001, \"type\": \"Character Device\", \"type_id\": 3}, \"lineage\": [\"desktop lakes moscow\", \"barrel touch increasing\"], \"name\": \"Courage\", \"namespace_pid\": 13, \"parent_process\": {\"cmd_line\": \"institutes yes inputs\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"7CA5C1BF6D37F1E7389DB34F7617B7101F65DED1\"}, \"image\": {\"name\": \"belfast interests activation\", \"uid\": \"849f1dc2-5be7-11ee-b432-0242ac110005\"}, \"name\": \"missed foreign palmer\", \"size\": 903476370, \"uid\": \"849f0878-5be7-11ee-b335-0242ac110005\"}, \"created_time\": 1695676041565, \"created_time_dt\": \"2023-09-25T21:07:21.565824Z\", \"file\": 
{\"accessed_time_dt\": \"2023-09-25T21:07:21.564734Z\", \"creator\": {\"account\": {\"name\": \"workers observer lonely\", \"type\": \"GCP Account\", \"type_id\": 5, \"uid\": \"849ef310-5be7-11ee-b8e1-0242ac110005\"}, \"email_addr\": \"Myrta@of.cat\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849edfe2-5be7-11ee-97f0-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"5F8105C9976CE93253600A074BD373A5286734FB9650F503EF4AD611A9422D3554C34BD6C2672159C2F485A59C83965804D6F2532A8DADF2749DF74B1B089C10\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"C1E19A5C30DB36D9FEA3088EBBCF2E05B7F2E3B108DA82565EF183591D036A615456960CA1BF3DEDAEF8450140669F4E45A239D12DE570D5B2322AEADAE0EE7B\"}], \"name\": \"metabolism.gadget\", \"owner\": {\"org\": {\"name\": \"syndication joseph realized\", \"ou_name\": \"advertise scored usr\", \"ou_uid\": \"849e9852-5be7-11ee-9c6a-0242ac110005\", \"uid\": \"849e8ff6-5be7-11ee-be3f-0242ac110005\"}, \"type\": \"System\", \"type_id\": 3, \"uid\": \"849e86dc-5be7-11ee-9b00-0242ac110005\"}, \"parent_folder\": \"patch attempting mf/nashville.dxf\", \"path\": \"patch attempting mf/nashville.dxf/metabolism.gadget\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"certificate\": {\"created_time\": 1695676041504, \"expiration_time\": 1695676041569, \"fingerprints\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"6467C5C0EA62DB25016E724973C845BA50F0BBD72AE91F11E4CB5F3884CF1852EC05AA4B971CA59B372F8DC7B8E49562276E89C888FFDE3DD41BFC2E88336E98\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"80A346634E5CD09AAFC3C417ABCE0C6A156B40EBB910123FAC486DC6197D24EC4C575301A8CC06D58FBAEEAE6F40E42B6D84FDA6996E06EE2F68282EA73FDA93\"}], \"issuer\": \"database verse prince\", \"serial_number\": \"termination vi limitation\", \"subject\": \"signals book follow\", \"version\": \"1.0.0\"}}, \"type\": \"Character Device\", \"type_id\": 3}, \"name\": \"Harley\", 
\"namespace_pid\": 44, \"pid\": 38, \"terminated_time\": 1695676041566, \"uid\": \"849f00ee-5be7-11ee-954b-0242ac110005\", \"user\": {\"full_name\": \"Lyndsay Ricky\", \"name\": \"Referenced\", \"type\": \"Admin\", \"type_id\": 2}, \"xattributes\": {}}, \"pid\": 5, \"user\": {\"name\": \"Motorcycle\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"849e4a46-5be7-11ee-bc81-0242ac110005\"}}, \"pid\": 50, \"sandbox\": \"final corporations performances\", \"user\": {\"account\": {\"type\": \"Windows Account\", \"type_id\": 2, \"uid\": \"849df820-5be7-11ee-82f1-0242ac110005\"}, \"credential_uid\": \"849dfc62-5be7-11ee-a9bc-0242ac110005\", \"name\": \"Simulations\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"849debb4-5be7-11ee-bfac-0242ac110005\"}}, \"pid\": 28, \"uid\": \"849d64dc-5be7-11ee-b02a-0242ac110005\", \"user\": {\"name\": \"Be\", \"type\": \"types\", \"type_id\": 99, \"uid\": \"849d60a4-5be7-11ee-98cb-0242ac110005\"}}, \"pid\": 76, \"uid\": \"849d308e-5be7-11ee-a5ad-0242ac110005\", \"user\": {\"email_addr\": \"Josefina@holders.museum\", \"name\": \"Manager\", \"type\": \"legs\", \"type_id\": 99, \"uid\": \"849d2c24-5be7-11ee-953d-0242ac110005\"}, \"xattributes\": {}}, \"user\": {\"account\": {\"name\": \"strict manufactured invest\", \"type\": \"AWS IAM User\", \"type_id\": 3, \"uid\": \"849d0500-5be7-11ee-97bd-0242ac110005\"}, \"credential_uid\": \"849d08ca-5be7-11ee-bfe2-0242ac110005\", \"name\": \"Track\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849cfe70-5be7-11ee-b38b-0242ac110005\"}}, \"sandbox\": \"distributor workshops maldives\", \"session\": {\"created_time\": 1695676041550, \"expiration_time_dt\": \"2023-09-25T21:07:21.550638Z\", \"is_remote\": false, \"issuer\": \"volunteer meetings medline\", \"uid\": \"849ccebe-5be7-11ee-a1ca-0242ac110005\"}, \"uid\": \"849cc522-5be7-11ee-aa87-0242ac110005\", \"user\": {\"credential_uid\": \"849cc0f4-5be7-11ee-9c36-0242ac110005\", \"domain\": \"our installing clinical\", \"name\": \"Weather\", 
\"org\": {\"name\": \"top riverside asthma\", \"ou_name\": \"stats dans soviet\", \"uid\": \"849cb208-5be7-11ee-a4a6-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"849ca4ca-5be7-11ee-b39c-0242ac110005\"}}, \"pid\": 20, \"uid\": \"849c61f4-5be7-11ee-8006-0242ac110005\"}, \"pid\": 74, \"sandbox\": \"upload stages deutsch\", \"terminated_time_dt\": \"2023-09-25T21:07:21.565891Z\", \"xattributes\": {}}, \"pid\": 41, \"sandbox\": \"facial gossip lopez\", \"session\": {\"created_time\": 1695676041544, \"is_remote\": true, \"issuer\": \"mind file superior\", \"uid\": \"849bd89c-5be7-11ee-bbae-0242ac110005\"}, \"terminated_time\": 1695676041561, \"terminated_time_dt\": \"2023-09-25T21:07:21.565908Z\", \"tid\": 86, \"uid\": \"849bcfb4-5be7-11ee-b896-0242ac110005\", \"user\": {\"email_addr\": \"Reba@contemporary.mobi\", \"groups\": [{\"desc\": \"twenty protection innovative\", \"name\": \"penn laundry woods\", \"type\": \"powerpoint jump hospitality\", \"uid\": \"849bbdee-5be7-11ee-95a2-0242ac110005\"}, {\"uid\": \"849bc780-5be7-11ee-9955-0242ac110005\"}], \"name\": \"Certain\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849bb81c-5be7-11ee-bbec-0242ac110005\", \"uid_alt\": \"technical critics nationally\"}}, \"pid\": 71, \"sandbox\": \"compounds s time\", \"terminated_time\": 1695676041567, \"uid\": \"849b6dee-5be7-11ee-84f0-0242ac110005\", \"user\": {\"domain\": \"lexmark refers dylan\", \"email_addr\": \"Yelena@communities.nato\", \"name\": \"Particles\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"849b6916-5be7-11ee-a01e-0242ac110005\"}}, \"pid\": 86, \"sandbox\": \"romance volunteer entrepreneurs\", \"uid\": \"849adea6-5be7-11ee-aa53-0242ac110005\", \"user\": {\"domain\": \"statistical poland gregory\", \"full_name\": \"Paul Julian\", \"groups\": [{\"desc\": \"luggage species belkin\", \"name\": \"accessed thanks instructions\", \"privileges\": [\"flashing aol autumn\"], \"uid\": \"849ad5fa-5be7-11ee-a0e9-0242ac110005\"}, {\"name\": 
\"cognitive times agent\", \"privileges\": [\"sodium believed housing\", \"incorporated jungle asian\"], \"uid\": \"849ada50-5be7-11ee-824e-0242ac110005\"}], \"name\": \"Alliance\", \"org\": {\"name\": \"nyc kidney drawings\", \"uid\": \"849accae-5be7-11ee-af7b-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"849abe76-5be7-11ee-a5a1-0242ac110005\"}}, \"pid\": 13, \"uid\": \"849a9ed2-5be7-11ee-ae61-0242ac110005\", \"user\": {\"account\": {\"name\": \"fragrances bulk specialty\", \"type\": \"LDAP Account\", \"type_id\": 1, \"uid\": \"849a9702-5be7-11ee-9f5d-0242ac110005\"}, \"credential_uid\": \"849a9afe-5be7-11ee-b27a-0242ac110005\", \"email_addr\": \"Wava@promises.info\", \"full_name\": \"Marisela Towanda\", \"name\": \"Round\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"849a900e-5be7-11ee-9894-0242ac110005\"}}, \"uid\": \"849a5d78-5be7-11ee-ac24-0242ac110005\", \"user\": {\"full_name\": \"Elisa Cleora\", \"name\": \"Sisters\", \"type\": \"rebound\", \"type_id\": 99, \"uid\": \"849a52ce-5be7-11ee-a468-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 90, \"sandbox\": \"moon exercise starring\", \"terminated_time\": 1695676041562, \"uid\": \"849a1af2-5be7-11ee-82a9-0242ac110005\", \"user\": {\"groups\": [{\"privileges\": [\"independent vegetables assisted\", \"refinance lee seating\"], \"uid\": \"849a1124-5be7-11ee-9a8e-0242ac110005\"}, {\"name\": \"div violence strange\", \"uid\": \"849a1674-5be7-11ee-aa3b-0242ac110005\"}], \"name\": \"Immediate\", \"org\": {\"name\": \"velvet days pubs\", \"ou_name\": \"brake craps campaign\"}, \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"849a06c0-5be7-11ee-acfe-0242ac110005\"}}, \"pid\": 21, \"session\": {\"created_time\": 1695676041534, \"expiration_time\": 1695676041542, \"is_remote\": true, \"uid\": \"8499ca0c-5be7-11ee-aae9-0242ac110005\"}, \"uid\": \"8499bc88-5be7-11ee-b028-0242ac110005\", \"user\": {\"name\": \"Apartments\", \"type\": \"ad\", \"type_id\": 99, \"uid\": 
\"8499b5da-5be7-11ee-b276-0242ac110005\", \"uid_alt\": \"serving turbo spy\"}}, \"pid\": 67, \"terminated_time\": 1695676041561, \"uid\": \"84996800-5be7-11ee-8754-0242ac110005\", \"user\": {\"name\": \"Fantastic\", \"org\": {\"name\": \"dryer asn trying\", \"ou_name\": \"wr r gibraltar\", \"uid\": \"849963aa-5be7-11ee-b57a-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"84995d06-5be7-11ee-8223-0242ac110005\"}}, \"pid\": 86, \"uid\": \"8499377c-5be7-11ee-9164-0242ac110005\", \"user\": {\"email_addr\": \"Renita@pete.cat\", \"name\": \"Rice\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"84993312-5be7-11ee-b956-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 49, \"uid\": \"8498d430-5be7-11ee-b1bf-0242ac110005\", \"user\": {\"name\": \"Hour\", \"type\": \"insert\", \"type_id\": 99, \"uid\": \"8498cd14-5be7-11ee-94d7-0242ac110005\", \"uid_alt\": \"organizations guild beds\"}}, \"pid\": 20, \"sandbox\": \"keeps pour rent\", \"terminated_time\": 1695676041566, \"uid\": \"84989376-5be7-11ee-9216-0242ac110005\", \"user\": {\"email_addr\": \"Elza@girls.mil\", \"full_name\": \"Karoline Meggan\", \"name\": \"Provided\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"84988e80-5be7-11ee-bf3c-0242ac110005\"}}, \"pid\": 28, \"uid\": \"8498530c-5be7-11ee-86f3-0242ac110005\", \"user\": {\"domain\": \"sao uri flesh\", \"name\": \"Knows\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"84984db2-5be7-11ee-ba4e-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 26, \"sandbox\": \"species tourism system\", \"terminated_time\": 1695676041564, \"uid\": \"849823d2-5be7-11ee-92d1-0242ac110005\", \"user\": {\"name\": \"Shipment\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"84981f68-5be7-11ee-b652-0242ac110005\", \"uid_alt\": \"singh dim static\"}, \"xattributes\": {}}", - "session": { - "created_time": 1695676041516, - "credential_uid": "8497c716-5be7-11ee-bd7a-0242ac110005", - "issuer": "discussing capital ottawa", - "uid": "8497c27a-5be7-11ee-8a34-0242ac110005" - 
}
- },
- "user": {
- "account": {
- "name": "suspended cg sisters",
- "uid": "8497655a-5be7-11ee-ab52-0242ac110005"
- },
- "type": "System",
- "type_id": "3"
- }
- },
- "user": {
- "org": {
- "name": "performed assignments undefined",
- "ou_name": "headquarters informal nigeria",
- "uid": "849f3870-5be7-11ee-8857-0242ac110005"
- },
- "type": "metres",
- "type_id": "99"
- }
- },
- "category_name": "Network Activity",
- "category_uid": 4,
- "class_name": "Network File Activity",
- "class_uid": 4010,
- "enrichments": [
- {
- "data": "{\"drug\": \"drugg7899\"}",
- "name": "tree cities corner",
- "type": "knife super bat",
- "value": "thy qualification booth"
- },
- {
- "data": "{\"wallpaper\": \"feded\"}",
- "name": "hc saskatchewan quickly",
- "provider": "outlet toolkit person",
- "type": "thu loves strong",
- "value": "sword somebody equilibrium"
- }
- ],
- "expiration_time": 1695676041527,
- "file": {
- "accessor": {
- "name": "Uruguay",
- "org": {
- "name": "lottery political own",
- "ou_name": "confirmed towards declined",
- "ou_uid": "849f540e-5be7-11ee-841c-0242ac110005",
- "uid": "849f501c-5be7-11ee-ab6f-0242ac110005"
- },
- "type": "User",
- "type_id": "1",
- "uid": "849f49fa-5be7-11ee-bfe2-0242ac110005"
- },
- "desc": "arabic suits fun",
- "hashes": [
- {},
- {}
- ],
- "modified_time_dt": "2023-09-25T21:07:21.567190Z",
- "type_id": "0"
- },
- "metadata": {
- "correlation_uid": "84971e10-5be7-11ee-b5e7-0242ac110005",
- "log_name": "proud iso ticket",
- "modified_time_dt": "2023-09-25T21:07:21.513376Z",
- "original_time": "tournaments leisure comedy",
- "processed_time_dt": "2023-09-25T21:07:21.513394Z",
- "product": {
- "name": "describes static geological",
- "uid": "849714ce-5be7-11ee-981b-0242ac110005",
- "url_string": "avatar",
- "version": "1.0.0"
- },
- "profiles": [
- "cloud",
- "container",
- "datetime"
- ],
- "version": "1.0.0"
- },
- "observables": [
- {
- "name": "except visitor vbulletin",
- "type": "Uniform Resource Locator",
- "type_id": "23"
- },
- {
- "name": "hong rhode para",
- "type": "Process Name",
- "type_id": "9"
- }
- ],
- "severity": "Low",
- "src_endpoint": {
- "instance_uid": "849732a6-5be7-11ee-bdb0-0242ac110005",
- "interface_name": "grown reflect expressed",
- "interface_uid": "84973670-5be7-11ee-8000-0242ac110005",
- "name": "replaced wa unlock",
- "uid": "84972e82-5be7-11ee-8eac-0242ac110005"
- },
- "status": "patch emma midi",
- "timezone_offset": 42,
- "type_name": "Network File Activity: Rename",
- "type_uid": "401005"
+ "activity_id": 5
 },
 "process": {
 "command_line": "goals happen dad",
diff --git a/OCSF/ocsf/tests/test_network_activity_11.json b/OCSF/ocsf/tests/test_network_activity_11.json
index 1d8c65911..66e36f3bc 100644
--- a/OCSF/ocsf/tests/test_network_activity_11.json
+++ b/OCSF/ocsf/tests/test_network_activity_11.json
@@ -57,118 +57,7 @@ "type": "Tablet" }, "ocsf": { - "activity_id": 1, - "activity_name": "Send", - "attacks": [ - { - "tactics": [ - { - "name": "Privilege Escalation | The adversary is trying to gain higher-level permissions.", - "uid": "TA0004" - } - ], - "technique": { - "name": "CMSTP", - "uid": "T1191" - }, - "version": "12.1" - } - ], - "category_name": "Network Activity", - "category_uid": 4, - "class_name": "Email File Activity", - "class_uid": 4011, - "cloud": { - "account": { - "type": "AWS Account", - "type_id": "10" - } - }, - "device": { - "autoscale_uid": "9e3d9b1e-5be7-11ee-ab96-0242ac110005", - "groups": [ - { - "name": "tires modifications calendars", - "uid": "9e3dbc02-5be7-11ee-9470-0242ac110005" - }, - { - "name": "scanned consisting expense", - "privileges": [ - "photography derived log", - "dna ec believed" - ], - "type": "odds traditions trick", - "uid": "9e3db702-5be7-11ee-a715-0242ac110005" - } - ], - "instance_uid": "9e3d9f74-5be7-11ee-a549-0242ac110005", - "interface_name": "accurately shadows node", - "interface_uid": "9e3da38e-5be7-11ee-bda3-0242ac110005", - "is_personal": false, - "modified_time": 1695676084549, - "region": "cosmetics preston msgstr", - "type_id": "4", - "uid_alt": "technology alex metallica" - }, - "disposition": "Blocked", - "disposition_id": "2", - "enrichments": [ - { - "data": "{\"meat\": \"meattt\"}", - "name": "another polyester collectors", - "provider": "companion fy mat", - "type": "gen cap beauty", - "value": "recipes generating stored" - }, - { - "data": "{\"meatd\": \"meattt\"}", - "name": "brandon fraser seed", - "provider": "hearings gossip shadows", - "type": "grove bradley ddr", - "value": "written thumbnail looksmart" - } - ], - "file": { - "accessed_time_dt": "2023-09-25T21:08:04.549340Z", - "confidentiality": "Top Secret", - "confidentiality_id": "4", - "hashes": [ - {} - ], - "security_descriptor": "procedure amsterdam belarus", - "type_id": "4" - }, - "metadata": { - "extension": { - "name": 
"editor nerve offset", - "uid": "9e3d7ff8-5be7-11ee-8454-0242ac110005", - "version": "1.0.0" - }, - "log_version": "flow tribunal aging", - "original_time": "consistently sauce duke", - "processed_time_dt": "2023-09-25T21:08:04.547033Z", - "product": { - "lang": "en", - "name": "harm dash walter", - "path": "contributors rest worried", - "uid": "9e3d893a-5be7-11ee-9bf6-0242ac110005", - "version": "1.0.0" - }, - "profiles": [ - "cloud", - "container", - "datetime", - "host", - "security_control" - ], - "version": "1.0.0" - }, - "severity": "Critical", - "status": "annually", - "status_id": 99, - "timezone_offset": 0, - "type_name": "Email File Activity: Send", - "type_uid": "401101" + "activity_id": 1 }, "related": { "hosts": [ diff --git a/OCSF/ocsf/tests/test_network_activity_12.json b/OCSF/ocsf/tests/test_network_activity_12.json index 473d8c79c..d0458e816 100644 --- a/OCSF/ocsf/tests/test_network_activity_12.json +++ b/OCSF/ocsf/tests/test_network_activity_12.json 
@@ -46,102 +46,7 @@ "type": "Virtual" }, "ocsf": { - "activity_id": 2, - "activity_name": "Receive", - "category_name": "Network Activity", - "category_uid": 4, - "class_name": "Email URL Activity", - "class_uid": 4012, - "cloud": { - "account": { - "type": "Azure AD Account", - "type_id": "6" - } - }, - "count": 43, - "device": { - "desc": "beta culture receiving", - "groups": [ - { - "desc": "blessed drive took", - "name": "karaoke finnish coordination", - "uid": "a8453b30-5be7-11ee-90d5-0242ac110005" - }, - { - "name": "briefs iii andy", - "type": "ireland arch trademark", - "uid": "a8453fc2-5be7-11ee-bd52-0242ac110005" - } - ], - "image": { - "name": "bank ftp newman", - "uid": "a84532d4-5be7-11ee-af3a-0242ac110005" - }, - "instance_uid": "a84525fa-5be7-11ee-987a-0242ac110005", - "interface_name": "subsection get techno", - "interface_uid": "a8452b90-5be7-11ee-9db2-0242ac110005", - "last_seen_time_dt": "2023-09-25T21:08:21.374251Z", - "network_interfaces": [ - { - "hostname": "personalized.nato", - "ip": "175.16.199.1", - "mac": "30:29:E4:EE:B6:98:14:3A", - "name": "animals economy signals", - "type": "proven", - "type_id": "99" - }, - { - "hostname": "mitchell.nato", - "ip": "224.61.168.94", - "mac": "69:8D:D4:20:55:3A:43:D0", - "name": "announces restaurants deposits", - "type": "Wired", - "type_id": "1" - } - ], - "region": "propecia commonwealth equipment", - "type_id": "6" - }, - "disposition": "Delayed", - "disposition_id": "14", - "metadata": { - "log_name": "cleaners villa historic", - "logged_time": 1695676101375, - "original_time": "medline prospect ict", - "product": { - "feature": { - "name": "mess const microwave", - "uid": "a8450084-5be7-11ee-93f7-0242ac110005", - "version": "1.0.0" - }, - "lang": "en", - "name": "erotica ladies hero", - "uid": "a844f346-5be7-11ee-a2c8-0242ac110005", - "url_string": "washer", - "version": "1.0.0" - }, - "profiles": [ - "cloud", - "container", - "datetime", - "host", - "security_control" - ], - "version": "1.0.0" - 
}, - "severity": "electrical", - "status": "Success", - "status_detail": "released oxygen reasonable", - "status_id": 1, - "timezone_offset": 34, - "type_name": "Email URL Activity: Receive", - "type_uid": "401202", - "url": { - "category_ids": [ - "49", - "54" - ] - } + "activity_id": 2 }, "related": { "hosts": [ diff --git a/OCSF/ocsf/tests/test_network_activity_2.json b/OCSF/ocsf/tests/test_network_activity_2.json index 9662f8f4a..ac97b84a4 100644 --- a/OCSF/ocsf/tests/test_network_activity_2.json +++ b/OCSF/ocsf/tests/test_network_activity_2.json 
@@ -69,133 +69,7 @@ "iana_number": "67" }, "ocsf": { - "activity_id": 1, - "activity_name": "Connect", - "category_name": "Network Activity", - "category_uid": 4, - "class_name": "HTTP Activity", - "class_uid": 4002, - "connection_info": { - "direction": "andreas", - "direction_id": "99" - }, - "device": { - "created_time_dt": "2023-09-25T21:04:49.414353Z", - "hw_info": { - "bios_ver": "1.4.4", - "chassis": "pubs remarks desktops" - }, - "image": { - "labels": [ - "meaningful" - ], - "name": "cover hearts magazine", - "path": "ts recording cooling", - "uid": "29eece90-5be7-11ee-8106-0242ac110005" - }, - "instance_uid": "29eeb9b4-5be7-11ee-9f8e-0242ac110005", - "interface_name": "hall td flash", - "interface_uid": "29eebe78-5be7-11ee-bef3-0242ac110005", - "is_compliant": true, - "is_personal": false, - "last_seen_time_dt": "2023-09-25T21:04:49.414926Z", - "region": "coverage financing sympathy", - "subnet_uid": "29eea79e-5be7-11ee-9005-0242ac110005", - "type_id": "6" - }, - "disposition": "Quarantined", - "disposition_id": "3", - "dst_endpoint": { - "instance_uid": "29ee849e-5be7-11ee-af0f-0242ac110005", - "interface_name": "probability pins and", - "interface_uid": "29ee88b8-5be7-11ee-ae4f-0242ac110005", - "name": "accounts an verzeichnis", - "uid": "29ee8048-5be7-11ee-b29d-0242ac110005" - }, - "end_time_dt": "2023-09-25T21:04:49.412301Z", - "http_request": { - "http_headers": [ - { - "name": "using closed scientists", - "value": "y montana command" - }, - { - "name": "mileage wheels temple", - "value": "where relate sheet" - } - ], - "url": { - "categories": [ - "ratios amount prevent", - "rpg beauty base" - ], - "category_ids": [ - "109" - ], - "resource_type": "tours entering camping" - }, - "x_forwarded_for": [ - "175.16.199.1" - ] - }, - "http_status": 51, - "malware": [ - { - "classification_ids": [ - "9", - "11" - ], - "name": "exception scholarship accessed", - "path": "victim reductions pursue", - "provider": "computed oxygen viewer" - } - ], - "metadata": 
{ - "log_name": "directors clinton zone", - "logged_time": 1695675889413, - "original_time": "mix carrying provides", - "processed_time": 1695675889453, - "product": { - "lang": "en", - "name": "helena crystal initiative", - "uid": "29ee731e-5be7-11ee-9b80-0242ac110005", - "url_string": "bedding", - "version": "1.0.0" - }, - "profiles": [ - "cloud", - "container", - "datetime", - "host", - "security_control" - ], - "version": "1.0.0" - }, - "proxy": { - "hostname": "excel.info", - "instance_uid": "29ef1a80-5be7-11ee-b25a-0242ac110005", - "interface_name": "ipaq brazil justify", - "interface_uid": "29ef1e7c-5be7-11ee-9f23-0242ac110005", - "ip": "67.43.156.0", - "name": "exec cholesterol fossil", - "port": 24281, - "svc_name": "boys participant drove", - "uid": "29ef1436-5be7-11ee-aebf-0242ac110005" - }, - "severity": "uw", - "src_endpoint": { - "instance_uid": "29eeff46-5be7-11ee-9978-0242ac110005", - "interface_name": "jc mistress announced", - "name": "exercise identified exciting", - "subnet_uid": "29ef0446-5be7-11ee-9887-0242ac110005", - "uid": "29eef9ba-5be7-11ee-8245-0242ac110005", - "vlan_uid": "29ef0900-5be7-11ee-937e-0242ac110005" - }, - "status": "Success", - "status_id": 1, - "timezone_offset": 78, - "type_name": "HTTP Activity: Connect", - "type_uid": "400201" + "activity_id": 1 }, "related": { "hosts": [ diff --git a/OCSF/ocsf/tests/test_network_activity_3.json b/OCSF/ocsf/tests/test_network_activity_3.json index 28b1336fe..e827d2176 100644 --- a/OCSF/ocsf/tests/test_network_activity_3.json +++ b/OCSF/ocsf/tests/test_network_activity_3.json 
@@ -59,51 +59,7 @@ ] }, "ocsf": { - "activity_id": 2, - "activity_name": "Response", - "answers": [ - { - "class": "IN", - "rdata": "127.0.0.62", - "type": "A" - } - ], - "category_name": "Network Activity", - "category_uid": 4, - "class_name": "DNS Activity", - "class_uid": 4003, - "connection_info": { - "direction": "Unknown", - "direction_id": "0" - }, - "disposition": "No Action", - "disposition_id": "16", - "dst_endpoint": { - "instance_uid": "rslvr-in-0000000000000000", - "interface_uid": "rni-0000000000000000" - }, - "metadata": { - "product": { - "feature": { - "name": "Resolver Query Logs" - }, - "name": "Route 53", - "version": "1.100000" - }, - "profiles": [ - "cloud", - "security_control" - ], - "version": "1.0.0-rc.2" - }, - "rcode_id": "0", - "severity": "Informational", - "src_endpoint": { - "vpc_uid": "vpc-00000000000000000" - }, - "type_name": "DNS Activity: Response", - "type_uid": "400302", - "unmapped": "{\"firewall_domain_list_id\": \"rslvr-fdl-0000000000000\", \"firewall_rule_group_id\": \"rslvr-frg-000000000000000\"}" + "activity_id": 2 }, "related": { "hosts": [ diff --git a/OCSF/ocsf/tests/test_network_activity_4.json b/OCSF/ocsf/tests/test_network_activity_4.json index 3f06f9100..25f3dd876 100644 --- a/OCSF/ocsf/tests/test_network_activity_4.json +++ b/OCSF/ocsf/tests/test_network_activity_4.json 
@@ -72,94 +72,7 @@ "application": "where image territories" }, "ocsf": { - "activity_id": 6, - "activity_name": "Nak", - "category_name": "Network Activity", - "category_uid": 4, - "class_name": "DHCP Activity", - "class_uid": 4004, - "count": 2, - "device": { - "groups": [ - { - "name": "funds lawyers conferencing", - "uid": "3b985120-5be7-11ee-b8c3-0242ac110005" - }, - { - "name": "crisis burlington stood", - "type": "regional yourself ho", - "uid": "3b984cde-5be7-11ee-a8b4-0242ac110005" - } - ], - "instance_uid": "3b98409a-5be7-11ee-87fa-0242ac110005", - "interface_name": "bestsellers qualifying blog", - "interface_uid": "3b984586-5be7-11ee-b105-0242ac110005", - "is_managed": false, - "modified_time": 1695675919042, - "network_interfaces": [ - { - "hostname": "signed.name", - "ip": "175.16.199.1", - "mac": "F7:10:E8:11:73:9A:1F:AD", - "name": "leading ste lingerie", - "type": "Wired", - "type_id": "1" - } - ], - "region": "accused continuous fibre", - "type_id": "3", - "uid_alt": "matter resolutions likely" - }, - "dst_endpoint": { - "instance_uid": "3b9815de-5be7-11ee-8748-0242ac110005", - "interface_name": "rentals generic singles", - "interface_uid": "3b981cd2-5be7-11ee-9f36-0242ac110005", - "name": "pickup offshore readers", - "subnet_uid": "3b9820e2-5be7-11ee-af45-0242ac110005", - "uid": "3b9810ca-5be7-11ee-8a5e-0242ac110005" - }, - "is_renewal": false, - "metadata": { - "log_name": "rod nine dont", - "modified_time": 1695675919045, - "modified_time_dt": "2023-09-25T21:05:19.045538Z", - "original_time": "processes payroll cheque", - "processed_time_dt": "2023-09-25T21:05:19.045551Z", - "product": { - "lang": "en", - "path": "trademarks clean client", - "uid": "3b98010c-5be7-11ee-b3a3-0242ac110005", - "version": "1.0.0" - }, - "profiles": [ - "cloud", - "container", - "datetime", - "host", - "security_control" - ], - "version": "1.0.0" - }, - "severity": "undefined", - "src_endpoint": { - "instance_uid": "3b987272-5be7-11ee-a84f-0242ac110005", - 
"interface_name": "habits quantitative second", - "interface_uid": "3b987966-5be7-11ee-ae16-0242ac110005", - "intermediate_ips": [ - "175.16.199.1", - "89.160.20.112" - ], - "name": "proceeding industries archive", - "uid": "3b986b2e-5be7-11ee-9b3c-0242ac110005", - "vpc_uid": "3b988096-5be7-11ee-bdee-0242ac110005" - }, - "status": "Failure", - "status_detail": "relates cornwall cope", - "status_id": 2, - "timezone_offset": 7, - "transaction_uid": "3b989194-5be7-11ee-b97e-0242ac110005", - "type_name": "DHCP Activity: Nak", - "type_uid": "400406" + "activity_id": 6 }, "related": { "hosts": [ diff --git a/OCSF/ocsf/tests/test_network_activity_5.json b/OCSF/ocsf/tests/test_network_activity_5.json index 2c1d659b5..6fca27560 100644 --- a/OCSF/ocsf/tests/test_network_activity_5.json +++ b/OCSF/ocsf/tests/test_network_activity_5.json 
@@ -71,185 +71,7 @@ "packets": 2072578920 }, "ocsf": { - "activity_id": 6, - "activity_name": "Traffic", - "api": { - "operation": "examinations convention inquire", - "request": { - "uid": "52a2f4d8-5be7-11ee-9aad-0242ac110005" - }, - "response": { - "error": "column reform improved", - "error_message": "glen spray dear" - }, - "version": "1.0.0" - }, - "attacks": [ - { - "tactics": [ - { - "name": "Lateral Movement | The adversary is trying to move through your environment.", - "uid": "TA0008" - }, - { - "name": "Defense Evasion The adversary is trying to avoid being detected.", - "uid": "TA0005" - } - ], - "technique": { - "name": "Spearphishing Attachment", - "uid": "T1193" - }, - "version": "12.1" - }, - { - "tactics": [ - { - "name": "Command and Control The adversary is trying to communicate with compromised systems to control them.", - "uid": "TA0011" - }, - { - "name": "Lateral Movement | The adversary is trying to move through your environment.", - "uid": "TA0008" - }, - { - "name": "Privilege Escalation | The adversary is trying to gain higher-level permissions.", - "uid": "TA0004" - } - ], - "technique": { - "name": "Malware", - "uid": "T1587.001" - }, - "version": "12.1" - } - ], - "capabilities": [ - "makers inkjet wealth", - "statistical athletic tactics" - ], - "category_name": "Network Activity", - "category_uid": 4, - "class_name": "RDP Activity", - "class_uid": 4005, - "connection_info": { - "boundary": "direction design hook", - "direction": "Unknown", - "direction_id": "0", - "protocol_ver_id": "99" - }, - "device": { - "autoscale_uid": "52a3aa7c-5be7-11ee-afac-0242ac110005", - "hypervisor": "t contacting bomb", - "instance_uid": "52a3af0e-5be7-11ee-8962-0242ac110005", - "interface_name": "fifth cancer ties", - "interface_uid": "52a3b382-5be7-11ee-b868-0242ac110005", - "network_interfaces": [ - { - "hostname": "tray.gov", - "ip": "175.16.199.1", - "mac": "D3:B5:6A:19:38:2F:24:A1", - "name": "extensive confirmation invisible", - "type": 
"Unknown", - "type_id": "0", - "uid": "52a3a572-5be7-11ee-b24b-0242ac110005" - } - ], - "region": "childrens carriers contracting", - "type_id": "99" - }, - "disposition": "Quarantined", - "disposition_id": "3", - "dst_endpoint": { - "instance_uid": "52a3919a-5be7-11ee-a566-0242ac110005", - "name": "codes acts containers", - "uid": "52a30022-5be7-11ee-b27b-0242ac110005" - }, - "end_time_dt": "2023-09-25T21:05:57.699925Z", - "metadata": { - "log_name": "structured electron theaters", - "modified_time": 1695675957701, - "modified_time_dt": "2023-09-25T21:05:57.703141Z", - "original_time": "skins child clearance", - "product": { - "feature": { - "name": "purse support el", - "uid": "52a2b0e0-5be7-11ee-9130-0242ac110005", - "version": "1.0.0" - }, - "name": "sleeping roy view", - "uid": "52a2a83e-5be7-11ee-b480-0242ac110005", - "version": "1.0.0" - }, - "profiles": [ - "cloud", - "container", - "datetime", - "host", - "security_control" - ], - "version": "1.0.0" - }, - "protocol_ver": "1.1.1", - "response": { - "error": "earn bios diamonds", - "flags": [ - "doors plus tool" - ], - "message": "mysimon forum john" - }, - "severity": "Low", - "src_endpoint": { - "instance_uid": "52a3cca0-5be7-11ee-bb44-0242ac110005", - "interface_name": "caring interface recipe", - "interface_uid": "52a3d06a-5be7-11ee-b15e-0242ac110005", - "intermediate_ips": [ - "175.16.199.1", - "89.160.20.112" - ], - "name": "request brakes anyway", - "uid": "52a3c912-5be7-11ee-a7e5-0242ac110005" - }, - "status": "chronicle", - "status_code": "lectures", - "status_id": 99, - "timezone_offset": 14, - "tls": { - "certificate": { - "created_time": 1695675957703, - "fingerprints": [ - { - "algorithm": "MD5", - "algorithm_id": "1", - "value": "FC52C21756C177325B755781195254D9" - }, - { - "algorithm": "CTPH", - "algorithm_id": "5", - "value": "B840263DB579453C080DA366BADC329FC04B253D1ACCC2F6FDEB475D2C1B4811CED673F4981DBFC8FC88877A7516C41B28BA654D3911FE15ED7E4BA5849624F9" - } - ] - }, - "certificate_chain": [ 
- "permissions logistics pipe" - ], - "ja3s_hash": { - "algorithm": "SHA-512", - "algorithm_id": "4" - }, - "sans": [ - { - "name": "downloads informed warehouse", - "type": "ordinance place flower" - }, - { - "name": "gamma consultant lcd", - "type": "experienced loved premises" - } - ] - }, - "type_name": "RDP Activity: Traffic", - "type_uid": "400506" + "activity_id": 6 }, "related": { "hosts": [ diff --git a/OCSF/ocsf/tests/test_network_activity_6.json b/OCSF/ocsf/tests/test_network_activity_6.json index 99673fce7..64ec0e921 100644 --- a/OCSF/ocsf/tests/test_network_activity_6.json +++ b/OCSF/ocsf/tests/test_network_activity_6.json 
@@ -90,166 +90,7 @@ "iana_number": "89" }, "ocsf": { - "activity_id": 3, - "activity_name": "File Create", - "attacks": [ - { - "tactics": [ - { - "name": "Credential Access The adversary is trying to steal account names and passwords.", - "uid": "TA0006" - }, - { - "name": "Exfiltration | The adversary is trying to steal data.", - "uid": "TA0010" - } - ], - "technique": { - "name": "Multi-hop Proxy", - "uid": "T1090.003" - }, - "version": "12.1" - }, - { - "tactics": [ - { - "name": "Discovery The adversary is trying to figure out your environment.", - "uid": "TA0007" - }, - { - "name": "Resource Development | The adversary is trying to establish resources they can use to support operations.", - "uid": "TA0042" - }, - { - "name": "Reconnaissance | The adversary is trying to gather information they can use to plan future operations.", - "uid": "TA0043" - } - ], - "technique": { - "name": "Python", - "uid": "T1059.006" - }, - "version": "12.1" - } - ], - "category_name": "Network Activity", - "category_uid": 4, - "class_name": "SMB Activity", - "class_uid": 4006, - "client_dialects": [ - "avg pages denial", - "gabriel ourselves diameter" - ], - "command": "switch text springs", - "connection_info": { - "direction": "Unknown", - "direction_id": "0" - }, - "device": { - "autoscale_uid": "5d957758-5be7-11ee-bdd5-0242ac110005", - "groups": [ - { - "name": "medical discovered punishment", - "uid": "5d958856-5be7-11ee-bf58-0242ac110005" - }, - { - "name": "layer achieving api", - "type": "prefers biol broke", - "uid": "5d958cc0-5be7-11ee-8274-0242ac110005" - } - ], - "instance_uid": "5d957cd0-5be7-11ee-b6eb-0242ac110005", - "interface_name": "guided educational wy", - "interface_uid": "5d958130-5be7-11ee-894c-0242ac110005", - "is_personal": false, - "region": "retain ste cfr", - "type_id": "7" - }, - "dialect": "teams restaurants altered", - "disposition": "Allowed", - "disposition_id": "1", - "dst_endpoint": { - "instance_uid": "5d9550f2-5be7-11ee-8ce8-0242ac110005", - 
"interface_name": "remaining james spent", - "interface_uid": "5d955516-5be7-11ee-8913-0242ac110005", - "name": "simulations mountains flow", - "uid": "5d954af8-5be7-11ee-9dec-0242ac110005" - }, - "file": { - "accessed_time_dt": "2023-09-25T21:06:16.073784Z", - "attributes": 43, - "hashes": [ - {}, - {} - ], - "modified_time_dt": "2023-09-25T21:06:16.073732Z", - "product": { - "lang": "en", - "name": "oecd initiatives purposes", - "uid": "5d95c636-5be7-11ee-8b22-0242ac110005", - "vendor_name": "personal harmful referrals", - "version": "1.0.0" - }, - "security_descriptor": "subsequent latinas quotes", - "signature": { - "algorithm": "DSA", - "algorithm_id": "1", - "certificate": { - "created_time": 1695675976051, - "fingerprints": [ - { - "algorithm": "magic", - "algorithm_id": "99", - "value": "9B0FBD383D667D48DB1FE9647C1E4BAA821ACA2908D5FFED88F145781F8B1A35" - } - ] - } - }, - "type_id": "3" - }, - "metadata": { - "correlation_uid": "5d9534be-5be7-11ee-a413-0242ac110005", - "log_name": "tampa array expired", - "modified_time_dt": "2023-09-25T21:06:16.069686Z", - "original_time": "gis holmes roads", - "processed_time": 1695675976062, - "product": { - "name": "quantities persian easy", - "uid": "5d952ece-5be7-11ee-8ef1-0242ac110005", - "url_string": "blog", - "version": "1.0.0" - }, - "profiles": [ - "cloud", - "container", - "datetime", - "host", - "security_control" - ], - "version": "1.0.0" - }, - "open_type": "estates collections cia", - "response": { - "error": "monsters pl positioning", - "error_message": "wires hart dirty" - }, - "severity": "Medium", - "share_type": "File", - "share_type_id": "1", - "src_endpoint": { - "instance_uid": "5d95a4ee-5be7-11ee-a0b5-0242ac110005", - "interface_name": "christians comparing garbage", - "interface_uid": "5d95a8e0-5be7-11ee-800d-0242ac110005", - "name": "wyoming relocation sufficiently", - "uid": "5d95a0ac-5be7-11ee-a3e8-0242ac110005", - "vpc_uid": "5d95aec6-5be7-11ee-b409-0242ac110005" - }, - "status": "Failure", - 
"status_id": 2, - "time_dt": "2023-09-25T21:06:16.072807Z", - "timezone_offset": 21, - "type_name": "SMB Activity: File Create", - "type_uid": "400603" + "activity_id": 3 }, "related": { "hash": [ diff --git a/OCSF/ocsf/tests/test_network_activity_7.json b/OCSF/ocsf/tests/test_network_activity_7.json index 05d2e2ce7..d7b5f899d 100644 --- a/OCSF/ocsf/tests/test_network_activity_7.json +++ b/OCSF/ocsf/tests/test_network_activity_7.json 
@@ -56,95 +56,7 @@ } }, "ocsf": { - "activity_id": 0, - "activity_name": "Unknown", - "category_name": "Network Activity", - "category_uid": 4, - "class_name": "SSH Activity", - "class_uid": 4007, - "client_hassh": { - "algorithm": "gave dollars relocation", - "fingerprint": { - "algorithm": "quickXorHash", - "algorithm_id": "7", - "value": "232BC0C0B14F890B4F4BBBBD5985A67835F29296946D5D7F9401A44A441D72A2E3C86A7ED1DABF2390B70C41466925E22D45442C6CE2C51BF2BD75A66EBA67AC" - } - }, - "connection_info": { - "direction": "Inbound", - "direction_id": "1", - "tcp_flags": 18 - }, - "device": { - "hypervisor": "attempt missouri lan", - "instance_uid": "63c182d4-5be7-11ee-afba-0242ac110005", - "interface_name": "mozambique pm carol", - "is_personal": false, - "is_trusted": true, - "region": "southeast packed cookies", - "type_id": "4" - }, - "disposition": "Custom Action", - "disposition_id": "7", - "dst_endpoint": { - "instance_uid": "63c1091c-5be7-11ee-a143-0242ac110005", - "interface_name": "salvador far disable", - "interface_uid": "63c10d18-5be7-11ee-9b99-0242ac110005", - "uid": "63c1050c-5be7-11ee-8213-0242ac110005", - "vpc_uid": "63c11100-5be7-11ee-9b51-0242ac110005" - }, - "metadata": { - "log_name": "bowling consistently pgp", - "original_time": "weed treasury specifications", - "product": { - "lang": "en", - "name": "anaheim used riverside", - "path": "volvo expired marketing", - "uid": "63c0f6ac-5be7-11ee-a542-0242ac110005", - "version": "1.0.0" - }, - "profiles": [ - "cloud", - "container", - "datetime", - "host", - "security_control" - ], - "version": "1.0.0" - }, - "proxy": { - "hostname": "problems.org", - "instance_uid": "63c20466-5be7-11ee-a825-0242ac110005", - "interface_name": "probe drugs bonds", - "interface_uid": "63c24e08-5be7-11ee-be10-0242ac110005", - "name": "involve teacher calls", - "port": 50284, - "subnet_uid": "63c25358-5be7-11ee-a90c-0242ac110005", - "svc_name": "selecting regional enrollment", - "vlan_uid": 
"63c257fe-5be7-11ee-bca6-0242ac110005" - }, - "server_hassh": { - "algorithm": "shelter remember stickers", - "fingerprint": { - "algorithm": "SHA-256", - "algorithm_id": "3", - "value": "B23B6D25324F518146005AEA01FD7A7C64EC137532780572E3852F9D8E8556F4" - } - }, - "severity": "Informational", - "src_endpoint": { - "instance_uid": "63c1c4ec-5be7-11ee-ac25-0242ac110005", - "interface_name": "successful maryland study", - "name": "spas enclosure pleased", - "uid": "63c1bb1e-5be7-11ee-b5ab-0242ac110005", - "vpc_uid": "63c1fa70-5be7-11ee-ac6c-0242ac110005" - }, - "status": "Failure", - "status_id": 2, - "time_dt": "2023-09-25T21:06:26.429430Z", - "timezone_offset": 88, - "type_name": "SSH Activity: Unknown", - "type_uid": "400700" + "activity_id": 0 }, "related": { "hosts": [ diff --git a/OCSF/ocsf/tests/test_network_activity_8.json b/OCSF/ocsf/tests/test_network_activity_8.json index b6fc9b042..f6a2de5a1 100644 --- a/OCSF/ocsf/tests/test_network_activity_8.json +++ b/OCSF/ocsf/tests/test_network_activity_8.json 
@@ -48,115 +48,7 @@ "packets": 3392751261 }, "ocsf": { - "activity_id": 0, - "activity_name": "Unknown", - "attacks": [ - { - "tactics": [ - { - "name": "Reconnaissance | The adversary is trying to gather information they can use to plan future operations.", - "uid": "TA0043" - }, - { - "name": "Exfiltration | The adversary is trying to steal data.", - "uid": "TA0010" - }, - { - "name": "Exfiltration | The adversary is trying to steal data.", - "uid": "TA0010" - } - ], - "technique": { - "name": "Exploitation for Client Execution", - "uid": "T1203" - }, - "version": "12.1" - }, - { - "tactics": [ - { - "name": "Lateral Movement | The adversary is trying to move through your environment.", - "uid": "TA0008" - }, - { - "name": "Reconnaissance | The adversary is trying to gather information they can use to plan future operations.", - "uid": "TA0043" - } - ], - "technique": { - "name": "Acquire Infrastructure", - "uid": "T1583" - }, - "version": "12.1" - } - ], - "category_name": "Network Activity", - "category_uid": 4, - "class_name": "FTP Activity", - "class_uid": 4008, - "codes": [ - 44 - ], - "command": "moving sensitivity uri", - "command_responses": [ - "equations studios metallic", - "heat designated unto" - ], - "connection_info": { - "direction": "Inbound", - "direction_id": "1" - }, - "disposition": "Blocked", - "disposition_id": "2", - "dst_endpoint": { - "instance_uid": "690581f0-5be7-11ee-8486-0242ac110005", - "interface_name": "towards suzuki opportunities", - "interface_uid": "690585f6-5be7-11ee-a611-0242ac110005", - "uid": "69057d22-5be7-11ee-b5d1-0242ac110005", - "vlan_uid": "69058a1a-5be7-11ee-bf51-0242ac110005" - }, - "end_time_dt": "2023-09-25T21:06:35.259215Z", - "metadata": { - "correlation_uid": "69056d3c-5be7-11ee-8e34-0242ac110005", - "log_name": "investor direct pickup", - "modified_time_dt": "2023-09-25T21:06:35.260101Z", - "original_time": "fax pro carries", - "processed_time": 1695675995263, - "product": { - "lang": "en", - "name": "islands 
unless trivia", - "uid": "690566e8-5be7-11ee-bbe6-0242ac110005", - "version": "1.0.0" - }, - "profiles": [ - "cloud", - "container", - "datetime", - "host", - "security_control" - ], - "version": "1.0.0" - }, - "port": 58038, - "severity": "Fatal", - "src_endpoint": { - "instance_uid": "6905cb2e-5be7-11ee-bd4d-0242ac110005", - "interface_name": "drives center wondering", - "interface_uid": "6905cf66-5be7-11ee-af73-0242ac110005", - "intermediate_ips": [ - "67.43.156.0", - "89.160.20.112" - ], - "uid": "6905c674-5be7-11ee-8e5b-0242ac110005", - "vpc_uid": "6905d4a2-5be7-11ee-b06b-0242ac110005" - }, - "status": "discussions", - "status_code": "certificates", - "status_id": 99, - "timezone_offset": 79, - "type": "seller luther nursery", - "type_name": "FTP Activity: Unknown", - "type_uid": "400800" + "activity_id": 0 }, "related": { "hosts": [ diff --git a/OCSF/ocsf/tests/test_network_activity_9.json b/OCSF/ocsf/tests/test_network_activity_9.json index 10e771bac..cdea19bf1 100644 --- a/OCSF/ocsf/tests/test_network_activity_9.json +++ b/OCSF/ocsf/tests/test_network_activity_9.json 
@@ -59,109 +59,6 @@ }, "type": "Tablet" }, - "ocsf": { - "category_name": "Network Activity", - "category_uid": 4, - "class_name": "Email Activity", - "class_uid": 4009, - "device": { - "created_time_dt": "2023-09-25T21:07:01.668193Z", - "instance_uid": "78c328c2-5be7-11ee-8cdd-0242ac110005", - "interface_name": "instruments diana nature", - "interface_uid": "78c336c8-5be7-11ee-82fb-0242ac110005", - "network_interfaces": [ - { - "hostname": "buried.museum", - "ip": "175.16.199.1", - "mac": "8A:A5:A8:8F:C5:1E:88:79", - "name": "sick mobility terrain", - "type": "Wired", - "type_id": "1" - }, - { - "hostname": "acts.edu", - "ip": "175.16.199.1", - "mac": "AB:AB:43:8:B2:A1:B7:8", - "name": "wiki philippines quick", - "namespace": "that rare html", - "subnet_prefix": 34, - "type": "Unknown", - "type_id": "0" - } - ], - "org": { - "ou_name": "florence homes divine", - "ou_uid": "78c2fda2-5be7-11ee-9d5a-0242ac110005", - "uid": "78c2f8d4-5be7-11ee-b0f0-0242ac110005" - }, - "os": { - "country": "Monaco, Principality of", - "edition": "mortality achievements apparatus", - "sp_name": "advanced addressed bomb", - "type_id": "300" - }, - "region": "bat johnston disability", - "type_id": "4" - }, - "direction": "Unknown", - "direction_id": "0", - "disposition": "No Action", - "disposition_id": "16", - "email": { - "size": 2106286084, - "smtp_from": "Joyce@lending.org", - "smtp_to": [ - "Kesha@whose.firm" - ] - }, - "enrichments": [ - { - "data": "{\"chubby\": \"7895ss\"}", - "name": "force energy satin", - "provider": "lie allowance compressed", - "value": "dogs violation qualified" - }, - { - "data": "{\"healthcare\": \"hddhj\"}", - "name": "remind jury laden", - "provider": "in hurt hl", - "type": "sale updating poll", - "value": "savings ref bbc" - } - ], - "metadata": { - "extension": { - "name": "broad fears transfers", - "uid": "78c2668a-5be7-11ee-a776-0242ac110005", - "version": "1.0.0" - }, - "log_name": "seats briefly charming", - "original_time": "administered 
respected angeles", - "product": { - "lang": "en", - "name": "civilian clearance powerseller", - "uid": "78c28282-5be7-11ee-989a-0242ac110005", - "version": "1.0.0" - }, - "profiles": [ - "cloud", - "container", - "datetime", - "host", - "security_control" - ], - "version": "1.0.0" - }, - "raw_data": "lakes cycles remainder", - "severity": "Informational", - "smtp_hello": "jurisdiction charts prerequisite", - "status": "Success", - "status_detail": "bm around ranking", - "status_id": 1, - "timezone_offset": 24, - "type_name": "Email Activity: Other", - "type_uid": "400999" - }, "related": { "ip": [ "175.16.199.1" diff --git a/OCSF/ocsf/tests/test_system_activity_1.json b/OCSF/ocsf/tests/test_system_activity_1.json index 02b845d18..cfa924b9e 100644 --- a/OCSF/ocsf/tests/test_system_activity_1.json +++ b/OCSF/ocsf/tests/test_system_activity_1.json 
@@ -50,161 +50,7 @@ "type": "Browser" }, "ocsf": { - "activity_id": 5, - "activity_name": "Rename", - "actor": { - "idp": { - "name": "through foot query", - "uid": "3576b692-583b-11ee-b9a6-0242ac110005" - }, - "process": { - "file": { - "confidentiality": "microphone ingredients everybody", - "hashes": [ - {}, - {} - ], - "type_id": "7" - }, - "parent_process": { - "file": { - "company_name": "Esta Malena", - "created_time": 1695272181548, - "desc": "claims runtime directories", - "hashes": [ - {} - ], - "modified_time": 1695272181548, - "name": "chrysler.pages", - "parent_folder": "jesus cattle cave/remainder.iso", - "path": "jesus cattle cave/remainder.iso/chrysler.pages", - "security_descriptor": "motels derby subtle", - "type": "Character Device", - "type_id": "3", - "uid": "3575485c-583b-11ee-b07c-0242ac110005" - }, - "integrity": "eat", - "integrity_id": "99", - "lineage": [ - "alter reservoir drums", - "ff encoding towns" - ], - "parent_process": "{\"cmd_line\": \"step bernard quiet\", \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"cmd_line\": \"sons eur fence\", \"created_time\": 1695272181548, \"file\": {\"attributes\": 59, \"company_name\": \"Johnny Kenia\", \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"673864FF7BB72B5CB7535BD3C797DAE6BCDCE37BB6E0BD9D6EDDB8205EE636ACCA593394B1827FD62DAEC350638203EC5021A55A87B54D3BD4E0391CCACFA7B5\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"DA377EE2C5138BD0042100780B04CFB9752DD077344B2CBCACFFBEA5D94D0BB095E7314616D60350025F9E6489D6CBF9FA4C1D07CA52AB9C364397B6A6DB1426\"}], \"is_system\": true, \"name\": \"expectations.sh\", \"parent_folder\": \"their haven interact/president.log\", \"path\": \"their haven interact/president.log/expectations.sh\", \"size\": 3829463934, \"type\": \"Named Pipe\", \"type_id\": 6}, \"name\": \"Schedules\", \"parent_process\": {\"cmd_line\": \"optional icq refresh\", \"created_time\": 
1695272181548, \"integrity\": \"Medium\", \"integrity_id\": 3, \"lineage\": [\"marco danny survival\"], \"loaded_modules\": [\"/par/addresses/isle/blink/utils.3ds\", \"/conventions/market/normal/lease/absolute.tar.gz\"], \"name\": \"Best\", \"parent_process\": {\"cmd_line\": \"furnishings oo elderly\", \"created_time\": 1695272181548, \"file\": {\"attributes\": 73, \"name\": \"wagner.hqx\", \"parent_folder\": \"nest communist anthony/tri.tex\", \"path\": \"nest communist anthony/tri.tex/wagner.hqx\", \"type\": \"Folder\", \"type_id\": 2}, \"name\": \"Expo\", \"parent_process\": {\"cmd_line\": \"japan sells jeans\", \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Agatha Bridget\", \"hashes\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"7C44A3A14F05688E4AC527919744E64B96B371173856D178D72F65DAB3DC8EE7563B5E05EE7F625263083247F54503AD771DB5F66B3C9F9216B95114BA6BFCCB\"}], \"name\": \"conviction.dem\", \"owner\": {\"groups\": [{\"name\": \"picked physicians sponsored\", \"uid\": \"3575cc6e-583b-11ee-9fc6-0242ac110005\"}, {\"desc\": \"consistent remind intel\", \"name\": \"theft os finished\", \"privileges\": [\"moscow whom catalogue\", \"bar distant sitting\"], \"type\": \"baking how furnished\", \"uid\": \"3575d2cc-583b-11ee-9bd2-0242ac110005\"}], \"name\": \"Founded\", \"type\": \"System\", \"type_id\": 3}, \"parent_folder\": \"lesbian consistent policy/house.crdownload\", \"path\": \"lesbian consistent policy/house.crdownload/conviction.dem\", \"security_descriptor\": \"blank special atm\", \"signature\": {\"algorithm\": \"RSA\", \"algorithm_id\": 2, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"4AE524EF0A54BC56E3844482DFF66D3DD1C07170A36531500327556E4EB58A66\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": 
\"2D3C087352251B27B4B883E464997A204BC6990478F6ADA51535ED9C87BB9BD65BB98AF4BCF9442E5126A77E0D6984B1596D2253167232DA8AC3415D7FB47186\"}], \"issuer\": \"rom ge xml\", \"serial_number\": \"streets missouri stack\", \"subject\": \"equivalent fuzzy password\", \"version\": \"1.0.0\"}}, \"type\": \"Regular File\", \"type_id\": 1}, \"name\": \"Gis\", \"parent_process\": {\"cmd_line\": \"terry ld apple\", \"created_time\": 1695272181548, \"file\": {\"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"9392895322BB82C443FB155DA3D787E63B9CFF61E9725327EA2B4FAFE964C306117CB523AEBA0D2D8CDF029592125C16C1F892E88D80F9888D7031FD2974B8DE\"}], \"name\": \"structural.swf\", \"parent_folder\": \"fwd various rr/harper.tar.gz\", \"path\": \"fwd various rr/harper.tar.gz/structural.swf\", \"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1, \"certificate\": {\"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"D9B2FE68B6C253E250B14667FE79D988B4D2AC568F7FD62357330B906C30A49D\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"EBD7275B8E016156D5C802AA81EF32823EF0D89B944B062044092C012CDD5078AF0362403420AB2DD96D282058889BCC6484F8FC42C61C29774AB18337A40FD9\"}], \"issuer\": \"truck rings arrivals\", \"serial_number\": \"rd throw preliminary\", \"subject\": \"ordering ou explanation\", \"version\": \"1.0.0\"}, \"created_time\": 1695272181548}, \"size\": 688932239, \"type\": \"customs\", \"type_id\": 99}, \"lineage\": [\"ts initial roses\", \"wicked sm especially\"], \"name\": \"Decrease\", \"parent_process\": {\"cmd_line\": \"grounds profits tear\", \"file\": {\"company_name\": \"Parthenia Kim\", \"creator\": {\"org\": {\"name\": \"lessons fighting basement\", \"ou_name\": \"recently iron turning\", \"uid\": \"357639f6-583b-11ee-a863-0242ac110005\"}, \"type\": \"System\", \"type_id\": 3, \"uid\": 
\"357634b0-583b-11ee-aa30-0242ac110005\"}, \"desc\": \"reads choir while\", \"hashes\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"533747897E1F6754B1E577DEEBA5E673C0DD9F09229F048608C88CA5EEC2A420FFF7F06C5B27F45A1B7A705FF141C4AE11196CAB9BE339546B7EEF258DFED346\"}], \"name\": \"fcc.gz\", \"parent_folder\": \"webcast invention brandon/thumbnail.rm\", \"path\": \"webcast invention brandon/thumbnail.rm/fcc.gz\", \"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"C9E4D5C19777C2E695975FB5FE0D92C5DEEE360C4AFF172B638D981E5BCE505FB3373CF7A620436611A964772215DD15E564B701B09AB141C53258EA7DB63589\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"D02BCEDE7EF63722B56FD76E6C3E0C74E72D5B9C169DE7BA9712A1EAEF0C13F59F27BBFC33274C80889426EB38A8D191AB7B08FE9397BF0BE4D5B4C08CF7956C\"}], \"issuer\": \"kids permissions cosmetic\", \"serial_number\": \"mold afghanistan pine\", \"subject\": \"previous furthermore create\", \"version\": \"1.0.0\"}, \"digest\": {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"F28E98CA59479136BFC3E11371555CF78BDEDDF0332D62DD063B794024CC5C4FE13F9EA7BA6BCE31550B8B7DEFFB31BF20E54B6C1095A68E8E18A26F91C0E838\"}}, \"type\": \"Local Socket\", \"type_id\": 5}, \"integrity\": \"attempts strategy meetup\", \"lineage\": [\"tar optical per\", \"fixtures while coaches\"], \"loaded_modules\": [\"/frequently/tomatoes/one/trembl/trance.php\", \"/supposed/passwords/boutique/codes/coalition.txt\"], \"parent_process\": {\"cmd_line\": \"canon istanbul ears\", \"created_time\": 1695272181548, \"file\": {\"confidentiality\": \"smilies ethnic exclusively\", \"created_time\": 1695272181548, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": 
\"DF2FF56CB3BAC1E28C3FE0395F52F814539922A774E1B53793268DC61ADD718A6BEED6E464F3D3AB436A5F61A84B21F073DD534943FEFA40E0DAD92DF1C92874\"}], \"modified_time\": 1695272181548, \"name\": \"kathy.gpx\", \"parent_folder\": \"stake dame kw/bangladesh.tax2020\", \"path\": \"stake dame kw/bangladesh.tax2020/kathy.gpx\", \"type\": \"Symbolic Link\", \"type_id\": 7, \"version\": \"1.0.0\"}, \"integrity\": \"rage cloudy starts\", \"name\": \"Speed\", \"parent_process\": {\"cmd_line\": \"samuel affiliates stores\", \"created_time\": 1695272181548, \"file\": {\"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"25B732B3425CF8421A84FBE8E6EFA1AAF932AD4B\"}, {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"501A60A2B28BA8E6A95CE30C11877FDA\"}], \"name\": \"rpg.eps\", \"size\": 2219996466, \"type\": \"Unknown\", \"type_id\": 0}, \"lineage\": [\"locked feedback tank\", \"kuwait integrity messages\"], \"loaded_modules\": [\"/congo/hundreds/jerry/limousines/meanwhile.lua\", \"/employment/discounts/dg/company/colin.txt\"], \"name\": \"Forget\", \"parent_process\": {\"cmd_line\": \"hh officials patient\", \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Morris Antonio\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"D9C1ACF117657BB04A8309ECBD6F3771E4F5E0BBEB437019748FFB5028BDA1B7\"}], \"name\": \"transexual.kml\", \"owner\": {\"name\": \"Disappointed\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"357695ae-583b-11ee-a3e8-0242ac110005\"}, \"parent_folder\": \"robin imperial rugby/delicious.lua\", \"path\": \"robin imperial rugby/delicious.lua/transexual.kml\", \"product\": {\"lang\": \"en\", \"name\": \"receptors surgeons dui\", \"path\": \"joins roy in\", \"url_string\": \"bias\", \"vendor_name\": \"wonderful earning zealand\"}, \"type\": \"Local Socket\", \"type_id\": 5}, \"loaded_modules\": 
[\"/initial/example/lenders/manitoba/picked.mdf\"], \"name\": \"Part\", \"pid\": 72, \"sandbox\": \"new rt auto\", \"uid\": \"3576a6e8-583b-11ee-907e-0242ac110005\", \"user\": {\"name\": \"Tft\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"3576a274-583b-11ee-a3dc-0242ac110005\"}}, \"pid\": 6, \"sandbox\": \"proc budgets magnet\", \"uid\": \"35768726-583b-11ee-b021-0242ac110005\"}, \"pid\": 69, \"uid\": \"3576731c-583b-11ee-b4bb-0242ac110005\", \"user\": {\"credential_uid\": \"35766f02-583b-11ee-93b4-0242ac110005\", \"name\": \"Class\", \"org\": {\"name\": \"thumb perception casual\", \"ou_name\": \"russell martin tonight\", \"uid\": \"357668cc-583b-11ee-9bcd-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"3576639a-583b-11ee-a0a4-0242ac110005\", \"uid_alt\": \"acute vocals goat\"}}, \"pid\": 96, \"session\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"is_remote\": false, \"issuer\": \"information daisy computational\", \"uid\": \"35764ff4-583b-11ee-ad30-0242ac110005\"}, \"uid\": \"35764af4-583b-11ee-bfee-0242ac110005\", \"user\": {\"account\": {\"name\": \"gained oldest atomic\", \"type\": \"AWS IAM User\", \"type_id\": 3}, \"email_addr\": \"Ernie@drum.jobs\", \"full_name\": \"Margert Debbie\", \"name\": \"Intervals\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"357644a0-583b-11ee-b222-0242ac110005\"}}, \"pid\": 59, \"sandbox\": \"uk worth harmony\", \"tid\": 80, \"uid\": \"35761c82-583b-11ee-b824-0242ac110005\", \"user\": {\"domain\": \"sydney initiatives plymouth\", \"full_name\": \"Theron Augustine\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"35761822-583b-11ee-beb2-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 7, \"sandbox\": \"arbitration saturday very\", \"terminated_time\": 1695272181548, \"uid\": \"3575fdb0-583b-11ee-aeb9-0242ac110005\", \"user\": {\"full_name\": \"Katheryn Dario\", \"name\": \"Sec\", \"org\": {\"name\": \"delayed cables leads\", \"uid\": 
\"3575f964-583b-11ee-8c61-0242ac110005\"}, \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"3575f450-583b-11ee-b6bb-0242ac110005\", \"uid_alt\": \"room suicide poem\"}, \"xattributes\": {}}, \"pid\": 70, \"uid\": \"3575bbde-583b-11ee-a34c-0242ac110005\", \"user\": {\"groups\": [{\"name\": \"attention horrible saved\", \"type\": \"clinical integration find\"}], \"name\": \"Vehicles\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"3575b594-583b-11ee-ad61-0242ac110005\", \"uid_alt\": \"immigrants vegetables names\"}}, \"pid\": 51, \"tid\": 72, \"uid\": \"3575a158-583b-11ee-a0c1-0242ac110005\", \"user\": {\"email_addr\": \"Valene@water.aero\", \"name\": \"Wrapping\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"357599c4-583b-11ee-839a-0242ac110005\"}}, \"pid\": 64, \"sandbox\": \"ranked cookbook propecia\", \"uid\": \"35758902-583b-11ee-9a1c-0242ac110005\", \"user\": {\"name\": \"Gun\", \"org\": {\"name\": \"suitable bother k\", \"ou_name\": \"signals pixel questions\", \"uid\": \"357584f2-583b-11ee-b957-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": \"35757fde-583b-11ee-8426-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 24, \"tid\": 17, \"uid\": \"35756e18-583b-11ee-8658-0242ac110005\", \"user\": {\"account\": {\"name\": \"lisa avoiding grade\", \"type\": \"Mac OS Account\", \"type_id\": 7, \"uid\": \"35756968-583b-11ee-adc7-0242ac110005\"}, \"type\": \"dealer\", \"type_id\": 99, \"uid\": \"3575612a-583b-11ee-8729-0242ac110005\"}}", - "user": { - "groups": [ - { - "name": "admissions throughout scope", - "uid": "357556c6-583b-11ee-a761-0242ac110005" - } - ], - "type": "Admin", - "type_id": "2" - } - }, - "user": { - "account": { - "name": "findarticles awards error", - "type": "AWS IAM User", - "type_id": "3", - "uid": "357534b6-583b-11ee-acbb-0242ac110005" - }, - "type": "User", - "type_id": "1", - "uid_alt": "mature botswana advisory" - } - }, - "user": { - "type": "Admin", - "type_id": "2" - } - }, - "category_name": "System Activity", - 
"category_uid": 1, - "class_name": "File System Activity", - "class_uid": 1001, - "create_mask": "lu hairy cases", - "device": { - "desc": "gene screens plenty", - "groups": [ - { - "name": "stereo thousand cnet", - "uid": "357505d6-583b-11ee-8d50-0242ac110005" - }, - { - "name": "spent disclaimer locks", - "privileges": [ - "seems freeware tire" - ], - "uid": "3575019e-583b-11ee-8751-0242ac110005" - } - ], - "hypervisor": "barbados lcd electoral", - "image": { - "name": "aol interest statutes", - "path": "breaks contrary navigation", - "tag": "history afraid vcr", - "uid": "3574fc30-583b-11ee-a7af-0242ac110005" - }, - "instance_uid": "3574eefc-583b-11ee-aedd-0242ac110005", - "interface_name": "cleveland households subsidiaries", - "interface_uid": "3574f352-583b-11ee-89fa-0242ac110005", - "is_managed": true, - "os": { - "sp_ver": "35", - "type_id": "402" - }, - "region": "survival statewide blog", - "subnet": "130.109.0.0/16", - "subnet_uid": "3574e7c2-583b-11ee-8763-0242ac110005", - "type_id": "8" - }, - "enrichments": [ - { - "data": "{\"professionals\": \"profess\"}", - "name": "universal ex rpg", - "provider": "dance avon fundamental", - "type": "concentrations sciences genuine", - "value": "participants managing combines" - }, - { - "data": "{\"hill\": \"rfsvfdc\"}", - "name": "strip milton opened", - "provider": "held rounds tumor", - "type": "volunteers manufacturing argentina", - "value": "needs hopes taxation" - } - ], - "file": { - "hashes": [ - {} - ], - "product": { - "name": "judgment mel mental", - "uid": "3576c3d0-583b-11ee-8a0f-0242ac110005", - "vendor_name": "isp semiconductor screens", - "version": "1.0.0" - }, - "type_id": "666" - }, - "metadata": { - "log_name": "benefits observe block", - "original_time": "basement receipt forces", - "product": { - "lang": "en", - "name": "frederick avoiding settlement", - "uid": "3574dd04-583b-11ee-9dd6-0242ac110005", - "url_string": "subscribers", - "version": "1.0.0" - }, - "profiles": [], - "version": 
"1.0.0" - }, - "severity": "High", - "status": "same", - "status_id": 99, - "timezone_offset": 14, - "type_name": "File System Activity: Rename", - "type_uid": "100105" + "activity_id": 5 }, "process": { "command_line": "dd apple updating", diff --git a/OCSF/ocsf/tests/test_system_activity_2.json b/OCSF/ocsf/tests/test_system_activity_2.json index 7e4f69c22..10fe97e1d 100644 --- a/OCSF/ocsf/tests/test_system_activity_2.json +++ b/OCSF/ocsf/tests/test_system_activity_2.json 
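Review bot: The new expectation keeps `"activity_id": 5` as the only field left under `ocsf`, but an OCSF activity_id is only meaningful relative to its class: the removed lines pair it with `"class_uid": 1001` and `"type_uid": "100105"`, and 5 reads as "Rename" only for File System Activity. With class_uid and type_uid no longer asserted, nothing in the expected event lets a consumer (or a detection rule keyed on this field) tell which activity the 5 denotes, so it would match the same value across unrelated classes. If the parser still emits those identifiers, the fixture should assert them alongside the activity, e.g. `"activity_id": 5, "class_uid": 1001, "type_uid": "100105"`; if it no longer does, that loss of the class scope is worth recording in the changelog so downstream rules are adjusted. The enclosing test document continues outside the hunk.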
@@ -49,188 +49,7 @@ "type": "IOT" }, "ocsf": { - "activity_id": 2, - "activity_name": "Unload", - "actor": { - "process": { - "file": { - "confidentiality": "donated chapter runtime", - "hashes": [ - {} - ], - "signature": { - "algorithm": "ECDSA", - "algorithm_id": "3" - }, - "type_id": "7" - }, - "integrity": "Untrusted", - "integrity_id": "1", - "namespace_pid": 20, - "parent_process": { - "container": { - "hash": { - "algorithm": "SHA-512", - "algorithm_id": "4", - "value": "99402752D9F0ADEE2B8CB7268DC3FCBF7900B5491AEECBCF11718BBA6969507DF048B5A627AE37D63F6235C52A9FFB0A874DB6E542EFB0E17DD61FFF02543A1B" - }, - "image": { - "name": "place questionnaire evil", - "uid": "19e878de-61aa-11ee-8abe-0242ac110005" - }, - "name": "contains thriller incl", - "network_driver": "balloon cj virtual", - "runtime": "briefing portrait pj", - "size": 4086519029, - "uid": "19e86ef2-61aa-11ee-961e-0242ac110005" - }, - "created_time_dt": "2023-10-03T05:02:50.212708Z", - "integrity": "System", - "integrity_id": "5", - "namespace_pid": 34, - "parent_process": "{\"cmd_line\": \"valued leasing equilibrium\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"AACD3103F3F1FCAB0248F041A315AB6816C8A0E9\"}, \"size\": 2331695977, \"uid\": \"19e89a1c-61aa-11ee-930f-0242ac110005\"}, \"file\": {\"attributes\": 11, \"confidentiality\": \"outlook\", \"confidentiality_id\": 99, \"created_time_dt\": \"2023-10-03T05:02:50.206981Z\", \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"79B9213DDB8E561C9F5F0374719DBA7E55A481E720B75C53A12AF714880E51A4\"}, {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"C32B941D4ED063DE2F7FB1669124175ED90CDE46\"}], \"is_system\": true, \"name\": \"unlimited.wmv\", \"product\": {\"lang\": \"en\", \"name\": \"astrology musical magic\", \"uid\": \"19e88b3a-61aa-11ee-a044-0242ac110005\", \"vendor_name\": \"logos texture jews\", \"version\": \"1.0.0\"}, \"type\": \"huntington\", \"type_id\": 99, 
\"version\": \"1.0.0\"}, \"integrity\": \"System\", \"integrity_id\": 5, \"lineage\": [\"layer rachel performed\"], \"loaded_modules\": [\"/faith/cbs/hispanic/lancaster/ncaa.swf\", \"/pulled/consecutive/treatment/myself/pittsburgh.wav\"], \"name\": \"Pt\", \"namespace_pid\": 75, \"parent_process\": {\"cmd_line\": \"vendor laptops germany\", \"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"BBC85ACA84E370B3CD546CED854C6725D3242C1E1E174F6B4A803754254A38359A7A4CA50F4AD39E07AE04452C28859CAE5DB5FAF8D68075026A04F2C026726C\"}, \"image\": {\"labels\": [\"aka\"], \"name\": \"puzzles conditions sequences\", \"uid\": \"19e94566-61aa-11ee-9d6d-0242ac110005\"}, \"name\": \"patients couple tmp\", \"orchestrator\": \"helping cork mortality\", \"runtime\": \"jul tommy um\", \"size\": 1196597453, \"uid\": \"19e93ddc-61aa-11ee-8ac2-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Marie Enoch\", \"creator\": {\"name\": \"Journals\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"19e8c136-61aa-11ee-8148-0242ac110005\"}, \"desc\": \"referrals nottingham communication\", \"modified_time_dt\": \"2023-10-03T05:02:50.208298Z\", \"modifier\": {\"name\": \"Resistant\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"19e8ac78-61aa-11ee-a8f4-0242ac110005\"}, \"name\": \"jefferson.cbr\", \"parent_folder\": \"vacations floppy slides/crack.cs\", \"path\": \"vacations floppy slides/crack.cs/jefferson.cbr\", \"size\": 3328615981, \"type\": \"Unknown\", \"type_id\": 0}, \"integrity\": \"five priest needle\", \"name\": \"Clinton\", \"namespace_pid\": 94, \"parent_process\": {\"cmd_line\": \"front accommodate advocate\", \"container\": {\"hash\": {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"DE46E578D10170889D94C44F29A8357C36E325D960A26A598ED7022BD1E1EDAD4B7C9E676EF5EED4AE64B21998EE85F24AFBB1A8DE06CD5B385EFE4AB1185F90\"}, \"image\": {\"name\": \"obituaries seeing judgment\", \"path\": \"fit slightly ja\", \"uid\": 
\"19e96b36-61aa-11ee-97e4-0242ac110005\"}, \"name\": \"finest world pontiac\", \"orchestrator\": \"vp bridal testimonials\", \"size\": 55618839, \"uid\": \"19e964b0-61aa-11ee-86d6-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"9FD540B749A6D9C916406C5F4EB228F85F9FC35B5769F67886F778ACFE23F9DA44D2AA1E26E09B2EC8942215CD4C9DE71D9A27F539FC4E753E44181F1DA6899D\"}], \"mime_type\": \"transcription/warned\", \"name\": \"fixes.c\", \"parent_folder\": \"retro earthquake teachers/corruption.kml\", \"path\": \"retro earthquake teachers/corruption.kml/fixes.c\", \"type\": \"Folder\", \"type_id\": 2}, \"name\": \"Sms\", \"namespace_pid\": 19, \"pid\": 52, \"session\": {\"created_time\": 1695272181548, \"is_remote\": false, \"uid\": \"19e95e70-61aa-11ee-bf06-0242ac110005\"}, \"terminated_time\": 1695272181548, \"uid\": \"19e95920-61aa-11ee-a247-0242ac110005\"}, \"pid\": 77, \"terminated_time_dt\": \"2023-10-03T05:02:50.212696Z\", \"uid\": \"19e8e4fe-61aa-11ee-869a-0242ac110005\", \"user\": {\"email_addr\": \"Johnette@flexibility.biz\", \"full_name\": \"Glayds Glenda\", \"name\": \"Nudist\", \"type\": \"directories\", \"type_id\": 99, \"uid\": \"19e8cb2c-61aa-11ee-8668-0242ac110005\", \"uid_alt\": \"facts local za\"}}, \"pid\": 53, \"uid\": \"19e89346-61aa-11ee-bb7f-0242ac110005\"}" - }, - "sandbox": "homes bachelor reach", - "terminated_time_dt": "2023-10-03T05:02:50.212738Z", - "user": { - "org": { - "name": "contributions agents displayed", - "ou_name": "with cpu scout", - "uid": "19e854e4-61aa-11ee-b27b-0242ac110005" - }, - "type": "User", - "type_id": "1" - }, - "xattributes": "{}" - }, - "user": { - "org": { - "name": "ali authors bacterial", - "ou_name": "ebay october staff", - "uid": "19e9c5d6-61aa-11ee-96f2-0242ac110005" - }, - "type": "Admin", - "type_id": "2" - } - }, - "api": { - "operation": "glucose spyware trustees", - "request": { - "flags": [ - "blind putting connectors", - 
"development suddenly affiliate" - ], - "uid": "19e78050-61aa-11ee-81a3-0242ac110005" - }, - "response": { - "code": 48, - "error": "storm edwards gateway", - "error_message": "retro wood cheese", - "message": "ac apnic applicants" - } - }, - "attacks": [ - { - "tactics": [ - { - "name": "Command and Control The adversary is trying to communicate with compromised systems to control them.", - "uid": "TA0011" - } - ], - "technique": { - "name": "Two-Factor Authentication Interception", - "uid": "T1111" - }, - "version": "12.1" - }, - { - "tactics": [ - { - "name": "Credential Access The adversary is trying to steal account names and passwords.", - "uid": "TA0006" - }, - { - "name": "Discovery The adversary is trying to figure out your environment.", - "uid": "TA0007" - } - ], - "technique": { - "name": "Multiband Communication", - "uid": "T1026" - }, - "version": "12.1" - } - ], - "category_name": "System Activity", - "category_uid": 1, - "class_name": "Kernel Extension Activity", - "class_uid": 1002, - "cloud": { - "org": { - "name": "virus legislative schemes", - "ou_name": "aus radical chess", - "ou_uid": "19e79b26-61aa-11ee-bc41-0242ac110005", - "uid": "19e79248-61aa-11ee-83d4-0242ac110005" - } - }, - "device": { - "first_seen_time": 1695272181548, - "hypervisor": "consoles voting wellington", - "image": { - "name": "casinos my pacific", - "uid": "19e81448-61aa-11ee-bc86-0242ac110005" - }, - "instance_uid": "19e7f62a-61aa-11ee-ace6-0242ac110005", - "interface_name": "see namespace chef", - "interface_uid": "19e80ce6-61aa-11ee-bfc1-0242ac110005", - "is_compliant": true, - "modified_time_dt": "2023-10-03T05:02:50.203874Z", - "region": "pledge cod growth", - "type_id": "7" - }, - "disposition": "Corrected", - "disposition_id": "11", - "driver": { - "file": { - "hashes": [ - {}, - {} - ], - "type_id": "99" - } - }, - "metadata": { - "extension": { - "name": "pirates went connecting", - "uid": "19e7a6de-61aa-11ee-b198-0242ac110005", - "version": "1.0.0" - }, - 
"log_name": "louisville displaying universities", - "original_time": "bodies jenny chris", - "product": { - "lang": "en", - "name": "completed longer likes", - "path": "jc rim ranch", - "uid": "19e7b8b8-61aa-11ee-b357-0242ac110005", - "url_string": "placing", - "version": "1.0.0" - }, - "profiles": [ - "cloud", - "container", - "datetime", - "host", - "security_control" - ], - "version": "1.0.0" - }, - "severity": "Low", - "status": "Unknown", - "status_detail": "tablets vernon opinion", - "status_id": 0, - "timezone_offset": 26, - "type_name": "Kernel Extension Activity: Unload", - "type_uid": "100202" + "activity_id": 2 }, "process": { "command_line": "quest flashers qualifying", diff --git a/OCSF/ocsf/tests/test_system_activity_3.json b/OCSF/ocsf/tests/test_system_activity_3.json index 70dfe1205..db74a64f5 100644 --- a/OCSF/ocsf/tests/test_system_activity_3.json +++ b/OCSF/ocsf/tests/test_system_activity_3.json 
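Review bot: After this change the `ocsf` object asserts only `"activity_id": 2`, and the `attacks` array that carried the ATT&CK mapping (`TA0011`/`T1111`, `TA0006`/`T1026` in the removed lines) is no longer asserted anywhere in the expected event; unless those ids are mapped to another field outside this hunk, a Kernel Extension "Unload" event now loses the one piece of content a detection engineer would pivot on. The same scoping issue applies here as elsewhere in the file: `activity_id` 2 means "Unload" only together with `"class_uid": 1002` / `"type_uid": "100202"`, which are also dropped. If the parser retains the technique ids under some other namespace, the fixture should assert them there (e.g. a `threat` or equivalent field, presumably); if it drops them, please state that explicitly in the changelog. The enclosing test document continues outside the hunk.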
@@ -61,232 +61,7 @@ "type": "Browser" }, "ocsf": { - "activity_id": 1, - "activity_name": "Create", - "actor": { - "idp": { - "name": "rachel grey swiss", - "uid": "6193b0ca-61ac-11ee-b37d-0242ac110005" - }, - "invoked_by": "substitute choice extent", - "process": { - "container": { - "hash": { - "algorithm": "SHA-512", - "algorithm_id": "4", - "value": "F19FE42A1B9BB9BBFC77F8F0A52EC5C411DC9200836F0C5D41A56543D8951D5AD8A1FA6F248A975A90B28E8B5268C50F220F5CAE2B47F74A204FB47E835AAE80" - }, - "image": { - "uid": "61927e30-61ac-11ee-ab18-0242ac110005" - }, - "size": 4198558845, - "tag": "gambling romance place" - }, - "created_time_dt": "2023-10-03T05:19:09.439688Z", - "file": { - "confidentiality": "tulsa", - "confidentiality_id": "99", - "hashes": [ - {}, - {} - ], - "security_descriptor": "hospitality conclusions wires", - "type_id": "0", - "version": "1.0.0", - "xattributes": "{}" - }, - "namespace_pid": 6, - "parent_process": { - "container": { - "hash": { - "algorithm": "MD5", - "algorithm_id": "1", - "value": "B85EC314BF443B797EF8A66B3B03F8A4" - }, - "image": { - "name": "occupations pie meanwhile", - "uid": "6192b990-61ac-11ee-b095-0242ac110005" - }, - "name": "stood moms serving", - "pod_uuid": "effectiveness", - "size": 1947076520, - "uid": "6192b44a-61ac-11ee-a1ac-0242ac110005" - }, - "file": { - "company_name": "Latisha Billye", - "creator": { - "name": "Remain", - "type": "Unknown", - "type_id": "0", - "uid": "61929852-61ac-11ee-b767-0242ac110005", - "uid_alt": "limitations compound viewer" - }, - "hashes": [ - {} - ], - "name": "hazard.aif", - "owner": { - "email_addr": "Ryann@libraries.store", - "name": "Principle", - "type": "User", - "type_id": "1", - "uid": "6192910e-61ac-11ee-9b83-0242ac110005" - }, - "parent_folder": "seeds divx firefox/kirk.cbr", - "path": "seeds divx firefox/kirk.cbr/hazard.aif", - "type": "Symbolic Link", - "type_id": "7" - }, - "namespace_pid": 64, - "parent_process": "{\"cmd_line\": \"arlington charger skins\", \"created_time\": 
1695272181548, \"file\": {\"attributes\": 21, \"desc\": \"fruit hop dean\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"8A1AB46C5F0A7BC9F0562A16DEBAB8746A8BEF57920B6FE78D0B18EE49175C8F8CC8CD5F02E37B486B4CA85EBA2B18558E2D171B09545BB234AD29AB09936187\"}], \"is_system\": false, \"modified_time_dt\": \"2023-10-03T05:19:09.434332Z\", \"modifier\": {\"email_addr\": \"Winona@teens.web\", \"name\": \"Few\", \"type\": \"System\", \"type_id\": 3}, \"name\": \"interests.png\", \"parent_folder\": \"wagon workforce whatever/boundaries.bat\", \"path\": \"wagon workforce whatever/boundaries.bat/interests.png\", \"type\": \"Symbolic Link\", \"type_id\": 7}, \"name\": \"Rugs\", \"namespace_pid\": 65, \"parent_process\": {\"cmd_line\": \"trinity comfort varieties\", \"created_time\": 1695272181548, \"file\": {\"accessed_time_dt\": \"2023-10-03T05:19:09.435701Z\", \"modifier\": {\"account\": {\"name\": \"lose fotos fraction\", \"type\": \"Azure AD Account\", \"type_id\": 6}, \"name\": \"Spots\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"6192f6bc-61ac-11ee-9638-0242ac110005\"}, \"name\": \"border.bmp\", \"parent_folder\": \"exterior quick striking/females.cpp\", \"path\": \"exterior quick striking/females.cpp/border.bmp\", \"product\": {\"lang\": \"en\", \"name\": \"democratic announcement crime\", \"uid\": \"6192ff54-61ac-11ee-9d07-0242ac110005\", \"vendor_name\": \"three schema bench\", \"version\": \"1.0.0\"}, \"type\": \"Local Socket\", \"type_id\": 5, \"version\": \"1.0.0\"}, \"loaded_modules\": [\"/te/ut/obviously/inform/assignment.cue\", \"/clicks/importance/raw/agenda/soccer.js\"], \"name\": \"Infant\", \"namespace_pid\": 54, \"parent_process\": {\"cmd_line\": \"italian kid properly\", \"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"A34D9E58DB53A2451A09B961F644E04C794AEFD5AF71BB6785BF8D771D1BC27EABC888BE87A7B3E92BB750215FC097CEB0FD238D44C5494F35746A4A9A0B4159\"}, \"image\": {\"name\": \"assessments 
effects soap\", \"uid\": \"61934414-61ac-11ee-943e-0242ac110005\"}, \"name\": \"additions wyoming weekly\", \"pod_uuid\": \"hear\", \"size\": 3239910166, \"tag\": \"practical metals respected\", \"uid\": \"61933e06-61ac-11ee-8e9b-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessed_time\": 1695272181548, \"confidentiality\": \"keeps integrate specifies\", \"created_time_dt\": \"2023-10-03T05:19:09.436838Z\", \"desc\": \"floating told foul\", \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"5A4194525971186E774FC3205628B611B5CCCE42\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"11BA65852271CD24C56C865A9635B90616326949FF2BF6CD07EACAF788BAD320\"}], \"name\": \"outline.msg\", \"parent_folder\": \"visiting guide believe/intense.rss\", \"path\": \"visiting guide believe/intense.rss/outline.msg\", \"security_descriptor\": \"chance gmc ghana\", \"type\": \"Unknown\", \"type_id\": 0, \"xattributes\": {}}, \"integrity\": \"High\", \"integrity_id\": 4, \"lineage\": [\"picked purchase freelance\", \"scripts hybrid worked\"], \"name\": \"Valid\", \"namespace_pid\": 65, \"parent_process\": {\"cmd_line\": \"injured metabolism martha\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"EA07DCC807FFE0D653259BB7C0DE7E6F136D741B4596E3E11BD60E98F38FE0B5\"}, \"image\": {\"labels\": [\"put\", \"experience\"], \"name\": \"versions soc fifteen\", \"tag\": \"actors des guardian\", \"uid\": \"61939900-61ac-11ee-89bb-0242ac110005\"}, \"name\": \"optimize unsigned reforms\", \"size\": 1197726829, \"uid\": \"619392fc-61ac-11ee-95a0-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Courtney Kendal\", \"created_time_dt\": \"2023-10-03T05:19:09.438101Z\", \"hashes\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"7653C24F6B758E09C2F78D41ED16D4D98AC9589616AA7DDE3CE38AC3018F86F726082E5D7895E732CB2D0C979A4B85FE853F95A815DF845615257B5A82F05144\"}, 
{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"1D5072F894A9D4122CBB317567CA88F6EAF3C8B645271C7E86EF241EBC1EBA51\"}], \"mime_type\": \"reflects/shore\", \"modifier\": {\"full_name\": \"Calvin Marquitta\", \"name\": \"Feelings\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"61935512-61ac-11ee-9f87-0242ac110005\"}, \"name\": \"comes.css\", \"parent_folder\": \"death payday queens/fleece.app\", \"path\": \"death payday queens/fleece.app/comes.css\", \"product\": {\"lang\": \"en\", \"uid\": \"61935b2a-61ac-11ee-9f18-0242ac110005\", \"vendor_name\": \"marie stays nested\", \"version\": \"1.0.0\"}, \"type\": \"Local Socket\", \"type_id\": 5}, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"loaded_modules\": [\"/handbook/great/egyptian/guestbook/died.bat\", \"/matrix/ecommerce/management/just/songs.dcr\"], \"name\": \"Si\", \"namespace_pid\": 54, \"terminated_time_dt\": \"2023-10-03T05:19:09.439671Z\", \"tid\": 9, \"uid\": \"6193888e-61ac-11ee-92f7-0242ac110005\", \"user\": {\"credential_uid\": \"61938474-61ac-11ee-8547-0242ac110005\", \"email_addr\": \"Ilana@moses.firm\", \"groups\": [{\"name\": \"tires online movement\", \"privileges\": [\"jan hindu collectible\", \"competitors antique disc\"], \"uid\": \"61937b46-61ac-11ee-8129-0242ac110005\"}, {\"name\": \"raymond shirts techno\", \"uid\": \"619380aa-61ac-11ee-9e69-0242ac110005\"}], \"org\": {\"name\": \"msgstr et pure\", \"ou_name\": \"mg usa blair\", \"uid\": \"619374a2-61ac-11ee-8d19-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"61936e76-61ac-11ee-aa0d-0242ac110005\", \"uid_alt\": \"serbia named dns\"}}, \"pid\": 27, \"uid\": \"61933410-61ac-11ee-8072-0242ac110005\", \"user\": {\"full_name\": \"Alfredo Pauline\", \"name\": \"Swing\", \"type\": \"User\", \"type_id\": 1}}, \"pid\": 92, \"tid\": 60, \"uid\": \"61931cbe-61ac-11ee-b447-0242ac110005\", \"user\": {\"credential_uid\": \"619318cc-61ac-11ee-82d0-0242ac110005\", \"name\": \"Fires\", \"org\": {\"name\": \"nationwide yea 
yoga\", \"ou_name\": \"meeting kiss first\", \"uid\": \"6193126e-61ac-11ee-9d91-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": \"61930b98-61ac-11ee-bb18-0242ac110005\"}}, \"pid\": 77, \"session\": {\"created_time\": 1695272181548, \"is_remote\": true, \"issuer\": \"covers advise flux\", \"uid\": \"6192e51e-61ac-11ee-8c76-0242ac110005\"}, \"terminated_time\": 1695272181548, \"uid\": \"6192dff6-61ac-11ee-89c7-0242ac110005\", \"user\": {\"account\": {\"name\": \"peer amounts pros\", \"type\": \"AWS IAM User\", \"type_id\": 3, \"uid\": \"6192dbaa-61ac-11ee-8151-0242ac110005\"}, \"name\": \"Structured\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"6192d272-61ac-11ee-ae27-0242ac110005\", \"uid_alt\": \"allocation vector lexus\"}}", - "user": { - "org": { - "name": "lexus porcelain february", - "ou_name": "realm lesson pal", - "uid": "6192a810-61ac-11ee-bb74-0242ac110005" - }, - "type": "System", - "type_id": "3" - } - }, - "user": { - "credential_uid": "61926cce-61ac-11ee-8202-0242ac110005", - "type": "User", - "type_id": "1" - } - }, - "session": { - "created_time": 1695272181548, - "issuer": "conventional tar relay", - "uid": "6193ab66-61ac-11ee-b4d7-0242ac110005" - }, - "user": { - "type": "User", - "type_id": "1" - } - }, - "attacks": [ - { - "tactics": [ - { - "name": "Collection | The adversary is trying to gather data of interest to their goal.", - "uid": "TA0009" - }, - { - "name": "Reconnaissance | The adversary is trying to gather information they can use to plan future operations.", - "uid": "TA0043" - }, - { - "name": "Discovery The adversary is trying to figure out your environment.", - "uid": "TA0007" - } - ], - "technique": { - "name": "Data Manipulation", - "uid": "T1565" - }, - "version": "12.1" - }, - { - "tactics": [ - { - "name": "Initial Access | The adversary is trying to get into your network.", - "uid": "TA0001" - }, - { - "name": "Credential Access The adversary is trying to steal account names and passwords.", - "uid": 
"TA0006" - }, - { - "name": "Persistence The adversary is trying to maintain their foothold.", - "uid": "TA0003" - } - ], - "technique": { - "name": "LSA Secrets", - "uid": "T1003.004" - }, - "version": "12.1" - } - ], - "category_name": "System Activity", - "category_uid": 1, - "class_name": "Kernel Activity", - "class_uid": 1003, - "device": { - "autoscale_uid": "6191f41a-61ac-11ee-b68a-0242ac110005", - "desc": "recommendations norman ventures", - "first_seen_time": 1695272181548, - "first_seen_time_dt": "2023-10-03T05:19:09.429787Z", - "hw_info": { - "bios_manufacturer": "newman marble developed", - "serial_number": "dave cst enlarge" - }, - "instance_uid": "61921fda-61ac-11ee-ad02-0242ac110005", - "interface_name": "local rules scholarship", - "interface_uid": "61922b1a-61ac-11ee-afbc-0242ac110005", - "network_interfaces": [ - { - "hostname": "motherboard.info", - "ip": "81.2.69.142", - "mac": "CE:92:5B:C1:90:45:60:31", - "name": "hewlett dozens asthma", - "subnet_prefix": 8, - "type": "Mobile", - "type_id": "3" - } - ], - "region": "without featured amazon", - "type_id": "8", - "vpc_uid": "619230c4-61ac-11ee-8fa9-0242ac110005" - }, - "disposition": "recipes", - "disposition_id": "99", - "kernel": { - "name": "summaries cornell blowing", - "type": "System Call", - "type_id": "2" - }, - "metadata": { - "log_name": "inkjet klein mechanical", - "log_version": "receptor literally shut", - "modified_time": 1695272181548, - "modified_time_dt": "2023-10-03T05:19:09.427926Z", - "original_time": "jewish ethiopia invitation", - "product": { - "lang": "en", - "uid": "6191ccc4-61ac-11ee-aacf-0242ac110005", - "version": "1.0.0" - }, - "profiles": [ - "cloud", - "container", - "datetime", - "host", - "security_control" - ], - "version": "1.0.0" - }, - "observables": [ - { - "name": "car trust sister", - "type": "Fingerprint", - "type_id": "30" - }, - { - "name": "evidence because locate", - "type": "IP Address", - "type_id": "2" - } - ], - "severity": "Medium", - "status": 
"Success", - "status_code": "user", - "status_id": 1, - "time_dt": "2023-10-03T05:19:09.440241Z", - "timezone_offset": 54, - "type_name": "Kernel Activity: Create", - "type_uid": "100301" + "activity_id": 1 }, "process": { "command_line": "fy believed resolutions", @@ -338,13 +113,6 @@ "Affect" ] }, - "sekoiaio": { - "intake": { - "parsing_warnings": [ - "Cannot set field 'container.labels' with given definition in stage 'pipeline_object_actor'. Cannot convert value in field 'container.labels' to type 'dict'" - ] - } - }, "threat": { "technique": { "id": [ diff --git a/OCSF/ocsf/tests/test_system_activity_4.json b/OCSF/ocsf/tests/test_system_activity_4.json index 0ad516100..d26d00d45 100644 --- a/OCSF/ocsf/tests/test_system_activity_4.json +++ b/OCSF/ocsf/tests/test_system_activity_4.json 
@@ -65,204 +65,7 @@ "type": "Server" }, "ocsf": { - "activity_id": 1, - "activity_name": "Allocate Page", - "actor": { - "process": { - "container": { - "hash": { - "algorithm": "CTPH", - "algorithm_id": "5", - "value": "0C2DC99EB913832DEE1E00AC1C121596D14346E7971CAF8B9873BA2BB862C4070FDD33F21558BA3B264A80A7B15D1722F1B3603C0858D1247E4359752B166BCC" - }, - "image": { - "uid": "f45bbbe4-61ae-11ee-9bd8-0242ac110005" - }, - "network_driver": "arizona knight karl", - "size": 1112406887, - "tag": "dish acc interpretation" - }, - "file": { - "company_name": "Hue Marcelina", - "confidentiality": "Not Confidential", - "confidentiality_id": "1", - "hashes": [ - {}, - {} - ], - "modified_time_dt": "2023-10-03T05:37:34.691274Z", - "type_id": "7" - }, - "namespace_pid": 50, - "parent_process": { - "container": { - "hash": { - "algorithm": "TLSH", - "algorithm_id": "6", - "value": "23ABACC1EF47F49C2387DDF45E9C424754AB96A8A4DED29732E05CA4192D028D05F263525EFEB4BBAFD7ECE02D2821858C8F39BADB5B11151131D82A3D8596FA" - }, - "image": { - "name": "third aged kurt", - "uid": "f45bebfa-61ae-11ee-bf2c-0242ac110005" - }, - "name": "dispatch ste exist", - "uid": "f45be5ba-61ae-11ee-88ce-0242ac110005" - }, - "file": { - "accessed_time_dt": "2023-10-03T05:37:34.692401Z", - "confidentiality": "Confidential", - "confidentiality_id": "2", - "created_time_dt": "2023-10-03T05:37:34.692393Z", - "desc": "vs in contamination", - "hashes": [ - {}, - {} - ], - "modified_time": 1695272181548, - "name": "download.pptx", - "parent_folder": "qld four roulette/sticker.dwg", - "path": "qld four roulette/sticker.dwg/download.pptx", - "type": "Regular File", - "type_id": "1" - }, - "namespace_pid": 31, - "parent_process": "{\"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"5D7318303179149862E7825F7F1712F9E8045CDC54401C79C269DD068E20EA5D\"}, \"image\": {\"name\": \"stripes excerpt baptist\", \"uid\": \"f45c2962-61ae-11ee-8549-0242ac110005\"}, \"name\": \"pest fought 
calibration\", \"orchestrator\": \"walt truly susan\", \"pod_uuid\": \"techno\", \"runtime\": \"violation card logged\", \"size\": 1513188610, \"uid\": \"f45c2426-61ae-11ee-9c9d-0242ac110005\"}, \"file\": {\"accessed_time_dt\": \"2023-10-03T05:37:34.693831Z\", \"created_time_dt\": \"2023-10-03T05:37:34.693827Z\", \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"A98DE8AD923CB627EA1CDCCD5CF7356C\"}], \"modified_time_dt\": \"2023-10-03T05:37:34.693818Z\", \"name\": \"mins.srt\", \"parent_folder\": \"risks rendering meal/surf.pages\", \"path\": \"risks rendering meal/surf.pages/mins.srt\", \"product\": {\"lang\": \"en\", \"name\": \"morocco steam contractors\", \"uid\": \"f45bff78-61ae-11ee-94d1-0242ac110005\", \"vendor_name\": \"myrtle wn view\"}, \"signature\": {\"algorithm\": \"Authenticode\", \"algorithm_id\": 4, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"5F3258EAA1979A8BE0323FCD83F87741B9046FD02DFEDB63CC5E8BBEC47C85C9\"}], \"issuer\": \"agency covers tested\", \"serial_number\": \"fool aye tears\", \"subject\": \"lindsay symptoms gel\"}}, \"type\": \"Regular File\", \"type_id\": 1}, \"namespace_pid\": 49, \"parent_process\": {\"cmd_line\": \"montana introductory ratings\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"AB2620F9B7154D9F9DC1B3C2D949D85D595FE77F45411B3DBE6E5B47DA564177\"}, \"image\": {\"name\": \"resources albums born\", \"uid\": \"f45c7e4e-61ae-11ee-955d-0242ac110005\"}, \"name\": \"strings provided foster\", \"runtime\": \"accidents usda suit\", \"uid\": \"f45c77be-61ae-11ee-8b06-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessor\": {\"groups\": [{\"name\": \"holder outstanding vatican\", \"uid\": \"f45c4fe6-61ae-11ee-92f7-0242ac110005\"}, {\"name\": \"conducted egypt siemens\", \"type\": \"rent divine winston\", \"uid\": 
\"f45c5446-61ae-11ee-9f91-0242ac110005\"}], \"name\": \"Review\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"f45c480c-61ae-11ee-acd3-0242ac110005\"}, \"creator\": {\"groups\": [{\"name\": \"usually gained erotica\", \"uid\": \"f45c65d0-61ae-11ee-b6a8-0242ac110005\"}], \"type\": \"availability\", \"type_id\": 99, \"uid\": \"f45c601c-61ae-11ee-a457-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"5FA7429271BF14C077FFD905562FF00BA03D0E577EBDE842D181A43F83B98C5611220439195D98F47BB4838632D59E533816344E1DF7DB00271120083235ABCA\"}], \"name\": \"asked.htm\", \"owner\": {\"domain\": \"voyeurweb strip groove\", \"full_name\": \"Lynnette Brooke\", \"name\": \"Initiatives\", \"type\": \"Unknown\", \"type_id\": 0}, \"parent_folder\": \"brakes bugs inquire/blogging.ics\", \"path\": \"brakes bugs inquire/blogging.ics/asked.htm\", \"signature\": {\"algorithm\": \"RSA\", \"algorithm_id\": 2, \"certificate\": {\"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.695282Z\", \"expiration_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T05:37:34.695275Z\", \"fingerprints\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"F74C6AF46A78BECB2F1BD3F95BBD5858\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"43F66E6B6CBAF53CC520E58EC65805EC62FA04119845AC53816DA9F36F525AC65E3D7D92BED0351865836C0E97D63184282A5FEDC9AF2E914C6F9B349CB835F0\"}], \"issuer\": \"conclusions medicines exception\", \"serial_number\": \"legal grant module\", \"subject\": \"fetish converter communicate\", \"version\": \"1.0.0\"}, \"created_time_dt\": \"2023-10-03T05:37:34.695288Z\", \"digest\": {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"522CB2274A0D096C0F94307F55DB6E9D63211626E8BED23C3C8721CA612F28681D4E0202C137F40265FCAAD0EFE6A9BD02E0CF8323BAF52EFE09FF298791B18D\"}}, \"type\": \"Symbolic Link\", \"type_id\": 7, \"uid\": \"f45c3f9c-61ae-11ee-9d0c-0242ac110005\"}, \"lineage\": [\"copies would 
makeup\"], \"name\": \"Telling\", \"namespace_pid\": 88, \"parent_process\": {\"cmd_line\": \"trembl reverse constantly\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"5F69DE08EF1B52810A2E555253B2561BF4E27E0CF557FEB7502CAD51FCA3AC3B923994EC15B91A6E29CCD01AED752264DCA40FCF45DDB4B47C42836B57984513\"}, \"image\": {\"name\": \"saturn cincinnati productivity\", \"path\": \"harrison typical operations\", \"uid\": \"f45ccb74-61ae-11ee-9ef0-0242ac110005\"}, \"name\": \"strain outputs perceived\", \"pod_uuid\": \"ontario\", \"uid\": \"f45cc660-61ae-11ee-8e56-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.711648Z\", \"file\": {\"desc\": \"goto egyptian throw\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"6D856108BBB655CE760736415EE23ECE1B8FCEE045C992B3A971D31ED454BFAD53DE388CBE3FFDE1EF1A4258DDD307E4DAAD413389F51A42155B5F334C9243A4\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"6163CDC7962473142ADF6DA1E4C2B6DB26C7391242E8BBD4EE04661FEC7DF2C941477A0394334EEE5002B17ED4164502FEE4342047E61B7F299B5C98BE241602\"}], \"modified_time\": 1695272181548, \"name\": \"instructions.tif\", \"parent_folder\": \"passwords floral edition/roland.gif\", \"path\": \"passwords floral edition/roland.gif/instructions.tif\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"0BB55CC45379DA535A05A8EDE44DF854F408971928C66528377DA784038293CF\"}, {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"D8EAE8212E2ED885C71F4117E0C39374\"}], \"issuer\": \"strengths enlarge sorry\", \"serial_number\": \"neon ban suse\", \"subject\": \"underwear chancellor basic\", \"version\": \"1.0.0\"}, \"developer_uid\": \"f45c9208-61ae-11ee-9a72-0242ac110005\"}, \"size\": 2331416290, \"type\": 
\"Unknown\", \"type_id\": 0}, \"name\": \"Brandon\", \"namespace_pid\": 48, \"parent_process\": {\"cmd_line\": \"reductions transfer kyle\", \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.711634Z\", \"file\": {\"creator\": {\"groups\": [{\"uid\": \"f45d004e-61ae-11ee-8d39-0242ac110005\"}, {\"name\": \"chairs leisure institution\", \"uid\": \"f45d05e4-61ae-11ee-99f9-0242ac110005\"}], \"name\": \"Catalog\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"f45cf144-61ae-11ee-a33b-0242ac110005\"}, \"name\": \"gothic.m3u\", \"owner\": {\"groups\": [{\"type\": \"britain touch corporations\", \"uid\": \"f45ce500-61ae-11ee-ae50-0242ac110005\"}], \"name\": \"Strengthening\", \"org\": {\"name\": \"wed mpeg mortality\", \"ou_name\": \"penny automatically tops\", \"uid\": \"f45cdfd8-61ae-11ee-9701-0242ac110005\"}, \"type\": \"pentium\", \"type_id\": 99, \"uid\": \"f45cdaba-61ae-11ee-ba9e-0242ac110005\", \"uid_alt\": \"developed drinks university\"}, \"parent_folder\": \"dod emirates promote/knitting.vob\", \"path\": \"dod emirates promote/knitting.vob/gothic.m3u\", \"security_descriptor\": \"retention changing science\", \"signature\": {\"algorithm\": \"supreme\", \"algorithm_id\": 99, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"741DD1242DF463E4748B3F29D59B2CDB444A2B723C098FCD8A61CFF3A2531A1EBEB1D42A7AD9A444FA8D89DC6A11F741547C10080B44BED739B5D0CDC993B842\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"C4824AE8BB216F860CA4CD45F979A59088DD132DF0BFA0EC613752EF4A2EE45E\"}], \"issuer\": \"formation mixer sullivan\", \"serial_number\": \"ser rna serves\", \"subject\": \"tractor bag coleman\", \"version\": \"1.0.0\"}, \"digest\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"7243F8BE75253AFBADF7477867021F8B\"}}, \"type\": \"Block Device\", \"type_id\": 4, \"xattributes\": {}}, \"integrity\": 
\"guys thus beads\", \"namespace_pid\": 82, \"parent_process\": {\"cmd_line\": \"trails washer home\", \"container\": {\"hash\": {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"68C9913042346CAD7F9FABEBF901C5DBBE49BEAFFE6CDBF271C0CD6F2363033A\"}, \"image\": {\"labels\": [\"malaysia\", \"tough\"], \"name\": \"equation modular saver\", \"uid\": \"f45d4bb2-61ae-11ee-98af-0242ac110005\"}, \"name\": \"requested divx inspector\", \"size\": 648398402, \"uid\": \"f45d3faa-61ae-11ee-95d3-0242ac110005\"}, \"created_time\": 1695272181548, \"lineage\": [\"married funded elections\", \"liquid geek cal\"], \"name\": \"Friends\", \"namespace_pid\": 2, \"parent_process\": {\"cmd_line\": \"guided spine purple\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"10E86C6514D40F2A3E861B31847340EE8C8ED181029A17B042F137121D28863E\"}, \"name\": \"diffs dead mechanical\", \"orchestrator\": \"piano sims editors\", \"pod_uuid\": \"danish\", \"size\": 1480676944, \"tag\": \"cheers cancer russian\", \"uid\": \"f45d8ab4-61ae-11ee-a07b-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Myrl Ilana\", \"created_time_dt\": \"2023-10-03T05:37:34.702607Z\", \"desc\": \"starting invasion flame\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"2FF592449E1B208D2349421A0E142A80E875518AA0C20FF64D3610AB6830DD78BF8980FD7F211369C267D93464D86327F78FA84CEDB14D9210655D931C34F7BA\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"A2349F07A5DCE2F05BB0C656C6DEA195972A5C01A7B5DA65FEC562FE2C229B6B5B6930E7613E6323D8F52E25C3E76F85EBED522B17F8EB673C263A290FD26BB7\"}], \"name\": \"manner.app\", \"parent_folder\": \"turn available mighty/grocery.tax2016\", \"path\": \"turn available mighty/grocery.tax2016/manner.app\", \"type\": \"Folder\", \"type_id\": 2, \"version\": \"1.0.0\"}, \"lineage\": [\"at residential ceo\"], \"name\": \"Warnings\", \"namespace_pid\": 67, \"parent_process\": 
{\"cmd_line\": \"lists accredited manufacture\", \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.711602Z\", \"file\": {\"accessed_time\": 1695272181548, \"accessed_time_dt\": \"2023-10-03T05:37:34.704522Z\", \"confidentiality\": \"fear browsers television\", \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.704513Z\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"3B0173ED99A820AB5188A16998FBC2E1957424B5E1E2DB85F6F1F8CAFAE691070EE54DC314BDF2983F9A2CE57CF6E378ABB2AEDB0DA772B4626469F1363D4782\"}], \"modifier\": {\"name\": \"Lopez\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"f45da012-61ae-11ee-8601-0242ac110005\"}, \"name\": \"basename.mpg\", \"parent_folder\": \"general required suspect/commentary.jar\", \"path\": \"general required suspect/commentary.jar/basename.mpg\", \"size\": 2270854617, \"type\": \"Folder\", \"type_id\": 2, \"xattributes\": {}}, \"integrity\": \"disclosure insert americans\", \"name\": \"Hamilton\", \"namespace_pid\": 16, \"parent_process\": {\"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"5DF4BFECA632B9BD1D11E5E5D9549CF30B4849A4C815894151C865C80E13E3D0DE949759C7E1AEE233D178AD52E3AE2E93D99AEA0D993ED5DCE67E03E1578823\"}, \"image\": {\"name\": \"conducted takes renewable\", \"uid\": \"f45dc7b8-61ae-11ee-9630-0242ac110005\"}, \"name\": \"praise britannica rev\", \"uid\": \"f45dc254-61ae-11ee-b035-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessed_time\": 1695272181548, \"confidentiality\": \"applications\", \"confidentiality_id\": 99, \"created_time_dt\": \"2023-10-03T05:37:34.704809Z\", \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"AC3F2D226D9EFC7934195793B402CBBC13E2736E205E59735FD07CE424B1FB37\"}, {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": 
\"BD1DC345B2C39E8DADCDA520CC809F96FFC8413DD1169269D5E02AE412E1297111E2A26660902A783337A5D4C0D0C9FEBCCBB0C0AED91F2BFA2CCF4845056AAB\"}], \"modified_time\": 1695272181548, \"name\": \"mitsubishi.zip\", \"parent_folder\": \"premium accommodation showtimes/prisoner.deskthemepack\", \"path\": \"premium accommodation showtimes/prisoner.deskthemepack/mitsubishi.zip\", \"type\": \"way\", \"type_id\": 99, \"xattributes\": {}}, \"integrity\": \"times entities fx\", \"namespace_pid\": 98, \"parent_process\": {\"cmd_line\": \"insulation else evidence\", \"container\": {\"hash\": {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"E272B1A204600DF6B8A987C8FB851C7EF2AA8596CF158120722E5966F20081F5\"}, \"image\": {\"name\": \"olympus present empirical\", \"uid\": \"f45df3a0-61ae-11ee-ae83-0242ac110005\"}, \"name\": \"dv cst mug\", \"orchestrator\": \"internationally correct examining\", \"size\": 2782839574, \"uid\": \"f45deefa-61ae-11ee-95f2-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"0D3045A301A866174DD910C13E50427CB610EAD22A8523650B444E52FF16941B\"}, {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"BEE38FBC71DC4377BEF693AF6C11F462AC065BD6\"}], \"name\": \"hockey.part\", \"parent_folder\": \"seafood tape distant/physically.mdf\", \"path\": \"seafood tape distant/physically.mdf/hockey.part\", \"type\": \"Symbolic Link\", \"type_id\": 7, \"uid\": \"f45dd3d4-61ae-11ee-9986-0242ac110005\", \"version\": \"1.0.0\"}, \"integrity\": \"involvement hk speaking\", \"name\": \"Forecasts\", \"namespace_pid\": 56, \"parent_process\": {\"cmd_line\": \"collapse tan demo\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"7CFCBD1C1575DD7EAE454F18B9267188\"}, \"image\": {\"name\": \"pty dramatic measure\", \"uid\": \"f45e1452-61ae-11ee-93ff-0242ac110005\"}, \"name\": \"matters sophisticated hampshire\", \"orchestrator\": \"earned accountability 
todd\", \"size\": 277669091, \"uid\": \"f45e0b7e-61ae-11ee-9c4e-0242ac110005\"}, \"created_time\": 1695272181548, \"integrity\": \"Protected\", \"integrity_id\": 6, \"name\": \"Heath\", \"namespace_pid\": 36, \"parent_process\": {\"cmd_line\": \"rubber taxi deployment\", \"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"19EA5DD6F7D4532CE968933056B2150CB38D84FBEA07A9B1E71EE7388D9EAD136AFB55A16621065CA950B550FAA589C7E77583279DE84B3C958B13C9BA731D69\"}, \"image\": {\"name\": \"phantom participant employee\", \"uid\": \"f45e29ec-61ae-11ee-b755-0242ac110005\"}, \"name\": \"insulin never metabolism\", \"pod_uuid\": \"luxury\", \"size\": 2875863087, \"uid\": \"f45e2532-61ae-11ee-b4f8-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.711572Z\", \"integrity\": \"Protected\", \"integrity_id\": 6, \"name\": \"Special\", \"namespace_pid\": 45, \"parent_process\": {\"file\": {\"accessed_time_dt\": \"2023-10-03T05:37:34.709414Z\", \"confidentiality\": \"watson\", \"confidentiality_id\": 99, \"created_time_dt\": \"2023-10-03T05:37:34.709410Z\", \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"EC04A154DEAC2F7D6C2C939EA992222061F58A10BD334C6D45E3B9B3BC538985107E3B32A6CA567C7B5C6F8F0D857459E5DDC11A97318AC1AEA8A2461B955401\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"6E170831A56B3AFDAFF2E0614B1495541FDE0CA37B2F9EBCB6D5225A0CADE66CC1E6AD525CAFDD363EAA50505FD613EDBD5C1B4D703D34702968D3AE7E09037C\"}], \"modified_time_dt\": \"2023-10-03T05:37:34.709399Z\", \"name\": \"message.exe\", \"owner\": {\"account\": {\"name\": \"tradition surfaces classification\", \"type\": \"AWS IAM Role\", \"type_id\": 4, \"uid\": \"f45e5af2-61ae-11ee-8e43-0242ac110005\"}, \"domain\": \"existence see evans\", \"groups\": [{\"desc\": \"highways cheat summary\", \"name\": \"careers fixes kai\", \"uid\": \"f45e4da0-61ae-11ee-8ce5-0242ac110005\"}, {\"name\": \"past affiliate london\", 
\"type\": \"exclusion cleaners mart\", \"uid\": \"f45e51c4-61ae-11ee-af56-0242ac110005\"}], \"name\": \"Vegas\", \"org\": {\"name\": \"super rolling importantly\", \"ou_uid\": \"f45e44ea-61ae-11ee-af1f-0242ac110005\", \"uid\": \"f45e40bc-61ae-11ee-9f84-0242ac110005\"}, \"type\": \"Unknown\", \"type_id\": 0}, \"parent_folder\": \"brunette symbol poem/weekends.htm\", \"path\": \"brunette symbol poem/weekends.htm/message.exe\", \"type\": \"mozilla\", \"type_id\": 99, \"uid\": \"f45e5fa2-61ae-11ee-9642-0242ac110005\"}, \"namespace_pid\": 69, \"parent_process\": {\"cmd_line\": \"changes sad programmes\", \"container\": {\"hash\": {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"05521B80BB22220B8B095A94DA44E07951EE15F402F4BD4A050BD0CFFFD6B154\"}, \"image\": {\"name\": \"soap potter browsers\", \"uid\": \"f45eb3bc-61ae-11ee-871c-0242ac110005\"}, \"orchestrator\": \"matches virginia accepts\", \"size\": 1104975009, \"tag\": \"alexander specs considered\", \"uid\": \"f45eae80-61ae-11ee-8fa9-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Nicholas Betty\", \"confidentiality\": \"sandwich exhibit ellis\", \"created_time_dt\": \"2023-10-03T05:37:34.710639Z\", \"hashes\": [{\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"4DBD2BB0760D9EBBC2743A91879CCBC04A4837BD467C1F3B4E0850E4D459BC52\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"A5469012CF0415AAE3FFA22840287489C3C57811D0FD29A58C2CD702BC84D59ADC43354994A400CA41F16849414FADE8C6A9889E640F7987FF65EAD837C7D8E4\"}], \"name\": \"ambassador.swf\", \"parent_folder\": \"nickel gui cute/vision.m3u\", \"path\": \"nickel gui cute/vision.m3u/ambassador.swf\", \"signature\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": 
\"09958F2F29A975C86F4BC77872179A9E719846A48F2022B36957925999CD31F4A0578A6C18EE8BDC0AEE2F0974FB4647FF2A0BFEA8A1E56877193277A827418F\"}], \"issuer\": \"hate passive admission\", \"serial_number\": \"promote dirt hindu\", \"subject\": \"panic aspects reporting\", \"version\": \"1.0.0\"}, \"created_time_dt\": \"2023-10-03T05:37:34.710541Z\", \"digest\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"14B85FA8E87F846F757EACCDA09761641B397F01\"}}, \"type\": \"Symbolic Link\", \"type_id\": 7, \"xattributes\": {}}, \"name\": \"Is\", \"namespace_pid\": 49, \"pid\": 14, \"user\": {\"account\": {\"name\": \"saint view max\", \"type\": \"Apple Account\", \"type_id\": 8, \"uid\": \"f45ea32c-61ae-11ee-9546-0242ac110005\"}, \"credential_uid\": \"f45ea700-61ae-11ee-bb61-0242ac110005\", \"email_addr\": \"Jeana@drill.web\", \"full_name\": \"Lucile Apryl\", \"name\": \"Genres\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"f45e9cb0-61ae-11ee-b849-0242ac110005\"}}, \"pid\": 65, \"sandbox\": \"ut metropolitan adjacent\", \"session\": {\"created_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T05:37:34.710191Z\", \"is_remote\": true, \"uid\": \"f45e805e-61ae-11ee-90d6-0242ac110005\"}, \"terminated_time_dt\": \"2023-10-03T05:37:34.711553Z\", \"uid\": \"f45e7546-61ae-11ee-ab37-0242ac110005\", \"user\": {\"account\": {\"name\": \"wireless trains wave\", \"type\": \"Linux Account\", \"type_id\": 9, \"uid\": \"f45e6eb6-61ae-11ee-9f44-0242ac110005\"}, \"credential_uid\": \"f45e7230-61ae-11ee-a271-0242ac110005\", \"full_name\": \"Rosamaria Norberto\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"f45e68d0-61ae-11ee-a6d3-0242ac110005\"}}, \"pid\": 39, \"user\": {\"name\": \"Mice\", \"type\": \"scoring\", \"type_id\": 99, \"uid\": \"f45e1f4c-61ae-11ee-bd4f-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 26, \"terminated_time\": 1695272181548, \"terminated_time_dt\": \"2023-10-03T05:37:34.711582Z\", \"user\": {\"account\": {\"name\": \"engines robot c\", \"uid\": 
\"f45e05fc-61ae-11ee-bdef-0242ac110005\"}, \"name\": \"Qualities\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"f45e00c0-61ae-11ee-b4f1-0242ac110005\", \"uid_alt\": \"pathology ordinary ep\"}}, \"pid\": 17, \"sandbox\": \"dans ip tours\", \"uid\": \"f45de978-61ae-11ee-af82-0242ac110005\", \"user\": {\"credential_uid\": \"f45de554-61ae-11ee-bc44-0242ac110005\", \"name\": \"Requires\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"f45de0e0-61ae-11ee-88a9-0242ac110005\", \"uid_alt\": \"monica includes treating\"}}, \"pid\": 26, \"terminated_time\": 1695272181548, \"terminated_time_dt\": \"2023-10-03T05:37:34.711596Z\", \"user\": {\"name\": \"Cardiovascular\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"f45db58e-61ae-11ee-b50c-0242ac110005\", \"uid_alt\": \"sn exception got\"}}, \"pid\": 38, \"terminated_time_dt\": \"2023-10-03T05:37:34.711606Z\"}, \"pid\": 59, \"terminated_time\": 1695272181548, \"tid\": 63, \"uid\": \"f45d835c-61ae-11ee-a0b4-0242ac110005\", \"user\": {\"account\": {\"name\": \"cycles beast pierce\", \"type\": \"Azure AD Account\", \"type_id\": 6, \"uid\": \"f45d7e20-61ae-11ee-9be4-0242ac110005\"}, \"groups\": [{\"name\": \"gamecube sunday foster\", \"privileges\": [\"ceiling pulling chapter\", \"advise lung transparent\"], \"uid\": \"f45d6750-61ae-11ee-bb59-0242ac110005\"}, {\"name\": \"skins korea bubble\", \"privileges\": [\"harbor syracuse quantities\"], \"type\": \"annie rn pot\", \"uid\": \"f45d710a-61ae-11ee-a1f1-0242ac110005\"}], \"name\": \"Dis\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"f45d6034-61ae-11ee-9b9d-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 7, \"uid\": \"f45d3a46-61ae-11ee-89e2-0242ac110005\", \"user\": {\"credential_uid\": \"f45d3654-61ae-11ee-a013-0242ac110005\", \"name\": \"Overall\", \"org\": {\"name\": \"antique crawford mug\", \"ou_name\": \"maximize tx tide\", \"uid\": \"f45d3226-61ae-11ee-b3e9-0242ac110005\"}, \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"f45d2c18-61ae-11ee-8f99-0242ac110005\", 
\"uid_alt\": \"areas attachment guy\"}, \"xattributes\": {}}, \"pid\": 43, \"terminated_time_dt\": \"2023-10-03T05:37:34.711638Z\", \"uid\": \"f45d16ba-61ae-11ee-b515-0242ac110005\", \"user\": {\"domain\": \"funky valentine attached\", \"name\": \"Opt\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"f45d1192-61ae-11ee-805a-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 45, \"sandbox\": \"brunette christ monetary\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711652Z\", \"uid\": \"f45cc066-61ae-11ee-b149-0242ac110005\", \"user\": {\"account\": {\"name\": \"pen favors essential\", \"type\": \"AWS Account\", \"type_id\": 10, \"uid\": \"f45cb6ac-61ae-11ee-89fb-0242ac110005\"}, \"credential_uid\": \"f45cba58-61ae-11ee-8137-0242ac110005\", \"email_addr\": \"Moira@upset.nato\", \"full_name\": \"Livia Ji\", \"name\": \"Manufacturing\", \"org\": {\"name\": \"way pros ddr\", \"ou_name\": \"reliability poultry devices\", \"uid\": \"f45cafa4-61ae-11ee-af8c-0242ac110005\"}, \"type\": \"united\", \"type_id\": 99, \"uid\": \"f45ca0ea-61ae-11ee-8476-0242ac110005\"}}, \"pid\": 43, \"terminated_time\": 1695272181548, \"uid\": \"f45c71a6-61ae-11ee-9f7b-0242ac110005\", \"user\": {\"name\": \"Duck\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"f45c6dd2-61ae-11ee-9f94-0242ac110005\"}}, \"pid\": 98, \"session\": {\"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.694465Z\", \"credential_uid\": \"f45c1a1c-61ae-11ee-85ba-0242ac110005\", \"expiration_time_dt\": \"2023-10-03T05:37:34.694457Z\", \"is_remote\": false, \"issuer\": \"spec gambling separated\", \"uid\": \"f45c1288-61ae-11ee-ab6a-0242ac110005\", \"uuid\": \"f45c160c-61ae-11ee-b9ea-0242ac110005\"}, \"tid\": 86, \"user\": {\"email_addr\": \"Lilliana@ability.edu\", \"full_name\": \"Marry Dia\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"f45c0b9e-61ae-11ee-9f3b-0242ac110005\"}, \"xattributes\": {}}", - "user": { - "credential_uid": "f45bdcd2-61ae-11ee-a554-0242ac110005", - "org": { - "name": 
"setup stolen unexpected", - "ou_name": "iceland threats webcast", - "uid": "f45bd82c-61ae-11ee-9e57-0242ac110005" - }, - "type": "User", - "type_id": "1" - }, - "xattributes": "{}" - }, - "user": { - "type": "User", - "type_id": "1" - } - }, - "user": { - "account": { - "name": "intensive flash narrative", - "type": "Windows Account", - "type_id": "2", - "uid": "f45ed32e-61ae-11ee-9aa9-0242ac110005" - }, - "org": { - "name": "enquiry hottest creations", - "ou_name": "reel metals plain", - "uid": "f45ecb68-61ae-11ee-824c-0242ac110005" - }, - "type": "Admin", - "type_id": "2" - } - }, - "actual_permissions": 14, - "api": { - "operation": "appraisal disappointed iraqi", - "request": { - "uid": "f45046ce-61ae-11ee-8a1b-0242ac110005" - }, - "response": { - "code": 99, - "error": "dash knife stable", - "error_message": "delaware genetic purple", - "message": "julian peninsula bought" - } - }, - "attacks": [ - { - "tactics": [ - { - "name": "Collection | The adversary is trying to gather data of interest to their goal.", - "uid": "TA0009" - } - ], - "technique": { - "name": "Additional Cloud Credentials", - "uid": "T1098.001" - }, - "version": "12.1" - }, - { - "tactics": [ - { - "name": "Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.", - "uid": "TA0040" - }, - { - "name": "Command and Control The adversary is trying to communicate with compromised systems to control them.", - "uid": "TA0011" - } - ], - "technique": { - "name": "Credentials in Registry", - "uid": "T1214" - }, - "version": "12.1" - } - ], - "base_address": "statements dining gnome", - "category_name": "System Activity", - "category_uid": 1, - "class_name": "Memory Activity", - "class_uid": 1004, - "device": { - "created_time": 1695272181548, - "first_seen_time": 1695272181548, - "image": { - "name": "leader mind compliant", - "uid": "f450e20a-61ae-11ee-959b-0242ac110005" - }, - "instance_uid": "f450c02c-61ae-11ee-a04e-0242ac110005", - "interface_name": 
"adaptive survivor nickname", - "interface_uid": "f450dada-61ae-11ee-9e5c-0242ac110005", - "is_trusted": false, - "last_seen_time": 1695272181548, - "org": { - "name": "gratuit book virtually", - "ou_name": "profit plug fioricet", - "uid": "f4507856-61ae-11ee-b34b-0242ac110005" - }, - "region": "debut instruments alphabetical", - "subnet_uid": "f450b6fe-61ae-11ee-aa6c-0242ac110005", - "type_id": "1" - }, - "disposition": "Deleted", - "disposition_id": "5", - "metadata": { - "log_name": "trademarks wishing accreditation", - "logged_time": 1695272181548, - "original_time": "protection velvet propose", - "product": { - "feature": { - "name": "wish quest practitioners", - "uid": "f4506a32-61ae-11ee-a6bb-0242ac110005", - "version": "1.0.0" - }, - "lang": "en", - "name": "asbestos settings medication", - "uid": "f4506410-61ae-11ee-a485-0242ac110005", - "version": "1.0.0" - }, - "profiles": [ - "cloud", - "container", - "datetime", - "host", - "security_control" - ], - "version": "1.0.0" - }, - "severity": "Critical", - "status_code": "registry", - "time_dt": "2023-10-03T05:37:34.712339Z", - "timezone_offset": 26, - "type_name": "Memory Activity: Allocate Page", - "type_uid": "100401" + "activity_id": 1 }, "orchestrator": { "type": "integral economics gc" diff --git a/OCSF/ocsf/tests/test_system_activity_5.json b/OCSF/ocsf/tests/test_system_activity_5.json index ca61c83f8..ef72d62d2 100644 --- a/OCSF/ocsf/tests/test_system_activity_5.json +++ b/OCSF/ocsf/tests/test_system_activity_5.json 
@@ -73,294 +73,7 @@ "type": "frontier" }, "ocsf": { - "activity_id": 1, - "activity_name": "Load", - "actor": { - "invoked_by": "pantyhose macedonia retained", - "process": { - "container": { - "hash": { - "algorithm": "SHA-256", - "algorithm_id": "3", - "value": "BA691BA042BCEDD9A61A36F5969026BC95859DCCDC7E47F24E6BCE35673BAF2F" - }, - "image": { - "uid": "8b8325a8-61b8-11ee-9a88-0242ac110005" - }, - "size": 2132122251 - }, - "file": { - "accessor": { - "credential_uid": "8b82f4ca-61b8-11ee-894f-0242ac110005", - "name": "Elections", - "org": { - "name": "ids mercury milan", - "ou_name": "whether eddie investment", - "uid": "8b82ef20-61b8-11ee-9b3a-0242ac110005" - }, - "type": "distributor", - "type_id": "99", - "uid": "8b82e9d0-61b8-11ee-be3a-0242ac110005" - }, - "desc": "computing investors rio", - "is_system": false, - "modified_time_dt": "2023-10-03T06:46:13.755631Z", - "type_id": "2" - }, - "namespace_pid": 97, - "parent_process": { - "container": { - "hash": { - "algorithm": "quickXorHash", - "algorithm_id": "7", - "value": "1FA53D9A1AEAB5165003DE1755AD56612ABF77A3D033D697439C884637D2DC66DBDFFA147DFDBD69DC6D27340B63C26C93D84C65F59EE3A270CA5BBB1D13613F" - }, - "network_driver": "ee australian housewares", - "size": 388023740, - "uid": "8b834fd8-61b8-11ee-8b6a-0242ac110005" - }, - "file": { - "created_time": 1695272181548, - "is_system": false, - "mime_type": "today/uniprotkb", - "name": "audi.pspimage", - "owner": { - "name": "Mastercard", - "org": { - "name": "qualification twisted australian", - "ou_name": "franklin nb leslie", - "uid": "8b833dfe-61b8-11ee-a745-0242ac110005" - }, - "type": "Admin", - "type_id": "2", - "uid": "8b833638-61b8-11ee-a13b-0242ac110005" - }, - "parent_folder": "paying represent putting/showing.vob", - "path": "paying represent putting/showing.vob/audi.pspimage", - "type": "Block Device", - "type_id": "4" - }, - "namespace_pid": 5, - "parent_process": "{\"cmd_line\": \"gang spring carlo\", \"container\": {\"hash\": {\"algorithm\": 
\"MD5\", \"algorithm_id\": 1, \"value\": \"85434F1527CE237329D0B1927EABF9D3\"}, \"name\": \"victims edit minimum\", \"size\": 2069042340, \"uid\": \"8b83744a-61b8-11ee-9c26-0242ac110005\"}, \"integrity\": \"happening\", \"integrity_id\": 99, \"name\": \"Global\", \"namespace_pid\": 74, \"parent_process\": {\"cmd_line\": \"mm bon estimate\", \"container\": {\"hash\": {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"CA59BAD8CEAD7A8424AD6823FE6AED5BA7AF4A9FDA854EA5AAB75A41B5369465\"}, \"image\": {\"uid\": \"8b840af4-61b8-11ee-a7b5-0242ac110005\"}, \"name\": \"separation catalogs vocals\", \"uid\": \"8b8402a2-61b8-11ee-92d4-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessor\": {\"groups\": [{\"name\": \"ct disposal rent\", \"uid\": \"8b839358-61b8-11ee-a4c0-0242ac110005\"}, {\"name\": \"cruise ancient chemicals\", \"type\": \"spoke life lee\"}], \"name\": \"Mathematical\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"8b838e30-61b8-11ee-8527-0242ac110005\"}, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"CA247333484AEB04EFA2DE65A9EC68032CED9ACC7716F9379404EB2422FC65190E0F56D3C2B21505FE722A0CD1D05AF9B8E47B4CB5005B4C4E71C6C5545C775F\"}], \"mime_type\": \"molecules/sharon\", \"name\": \"planner.bak\", \"parent_folder\": \"sony discussion suit/stomach.gif\", \"path\": \"sony discussion suit/stomach.gif/planner.bak\", \"type\": \"Character Device\", \"type_id\": 3, \"uid\": \"8b838804-61b8-11ee-a06e-0242ac110005\"}, \"integrity\": \"High\", \"integrity_id\": 4, \"name\": \"Pilot\", \"parent_process\": {\"cmd_line\": \"applicable acquire folk\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"6B942E2831F972C22E2B0292EA3A8176AB41CD3B\"}, \"image\": {\"name\": \"pressure sixth happen\", \"uid\": \"8b8431e6-61b8-11ee-9576-0242ac110005\"}, \"name\": \"businesses suspension across\", \"orchestrator\": \"theta create impact\", \"size\": 2843627610, \"uid\": 
\"8b842ce6-61b8-11ee-acb2-0242ac110005\"}, \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"lineage\": [\"wires largest stamp\", \"handbook dale photograph\"], \"name\": \"Sleep\", \"namespace_pid\": 4, \"parent_process\": {\"cmd_line\": \"packs maximum audit\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"799904B20F1174F01C0D2DD87C57E097\"}, \"image\": {\"labels\": [\"clouds\"], \"name\": \"letter fri mauritius\", \"uid\": \"8b84825e-61b8-11ee-a5b5-0242ac110005\"}, \"name\": \"hotmail midlands ripe\", \"size\": 860474369, \"uid\": \"8b847c96-61b8-11ee-99b1-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T06:46:13.768070Z\", \"file\": {\"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"436DE0B494120DEC66B218D7D67AE5FC65841DA47A5D5A6044D76AE7CD0D793736DCAD5FA9C579A8C53310FA0B70225BB8C079A2E5BEDB5F6F48176972572F1C\"}], \"name\": \"pottery.java\", \"parent_folder\": \"revolutionary such regulations/cheaper.ico\", \"path\": \"revolutionary such regulations/cheaper.ico/pottery.java\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T06:46:13.764297Z\", \"fingerprints\": [{\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"EDE381A3419BC1A2ACD00220F23CE82967A8631DB35FDF0122B8A0E43E8768CABDBDC842A83C48138C523D1A56B3F63F03D85756C9BFED7656AE5097479D9A4C\"}, {\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"AFD38780B76420D3214D2D6D318A6EA972D720518346C2F7339E661205D5F20A5682869DAF56249F9FACD6EDF878C81669184A1D9C736232079EDED66727E297\"}], \"issuer\": \"write watts guitars\", \"serial_number\": \"facing wb drinks\", \"subject\": \"consensus ownership trainer\", \"version\": \"1.0.0\"}}, \"type\": \"Local Socket\", \"type_id\": 5}, \"name\": \"Lie\", \"namespace_pid\": 45, \"parent_process\": 
{\"cmd_line\": \"prior angry workers\", \"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"B413223A2BB7E91D5C6E244B77A2392BA017906B615F3CDF4BA192FE568C7738ADE3E24CAA9273F592169D682882DAC5E0DF8975B0FDB3859FB69A175B815724\"}, \"image\": {\"name\": \"expenses pdt conditioning\", \"path\": \"valentine corp gcc\", \"tag\": \"recognition albania curtis\", \"uid\": \"8b84d204-61b8-11ee-8eb1-0242ac110005\"}, \"name\": \"horrible scroll del\", \"pod_uuid\": \"gift\", \"size\": 870541982, \"uid\": \"8b84c7c8-61b8-11ee-b0ff-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessed_time_dt\": \"2023-10-03T06:46:13.766265Z\", \"attributes\": 57, \"company_name\": \"Elenore Jeanetta\", \"confidentiality\": \"hitachi shaw tension\", \"created_time_dt\": \"2023-10-03T06:46:13.766258Z\", \"desc\": \"syracuse until as\", \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"8A8173677F164DD2E2CF83BEA2A42A8B\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"6B70D921D9E8DCF0F08A73F508E5D19D274B58D8AC2E29049A23B62D1988C1028A8ECBA2485531BBD6B7AEE51EA822578E859759F8FFC4818023EFD47ABC9C4D\"}], \"name\": \"pledge.ini\", \"parent_folder\": \"internationally remedies back/his.cgi\", \"path\": \"internationally remedies back/his.cgi/pledge.ini\", \"security_descriptor\": \"lower cable requiring\", \"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"F72B1ED0BD7D6BE65211FA1606D1DE35F225DE73CB524C01380509CCE5B6F8F8DDE81A0B0AB6F5ECE9A7E651DD7D0C19DB365A83C018B747DA5B0A79259F3547\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"AEAA2CEC33E27D65690E726E1710D3F4A99A2BF0AE9A3BD9087488F1DFB4D38D\"}], \"issuer\": \"rocket separation opponent\", \"serial_number\": \"edinburgh responsible supervisor\", \"subject\": \"portugal 
motel preserve\", \"version\": \"1.0.0\"}}, \"type\": \"Character Device\", \"type_id\": 3}, \"name\": \"Homepage\", \"namespace_pid\": 94, \"pid\": 78, \"session\": {\"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T06:46:13.767299Z\", \"expiration_time_dt\": \"2023-10-03T06:46:13.767292Z\", \"issuer\": \"gel submissions finite\", \"uid\": \"8b84b562-61b8-11ee-a0d1-0242ac110005\", \"uuid\": \"8b84bbd4-61b8-11ee-8f0e-0242ac110005\"}, \"uid\": \"8b84ac48-61b8-11ee-97d9-0242ac110005\", \"user\": {\"name\": \"Lauderdale\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"8b84a6e4-61b8-11ee-b1fe-0242ac110005\", \"uid_alt\": \"venezuela path passing\"}}, \"pid\": 43, \"sandbox\": \"holmes guess hyundai\", \"session\": {\"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T06:46:13.764972Z\", \"expiration_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T06:46:13.764963Z\", \"is_remote\": false, \"issuer\": \"fun tomorrow antibodies\", \"uid\": \"8b8460c6-61b8-11ee-9def-0242ac110005\"}, \"user\": {\"account\": {\"name\": \"chrome ones leeds\", \"type\": \"AWS IAM User\", \"type_id\": 3}, \"domain\": \"continuity cases issues\", \"groups\": [{\"name\": \"protein lightweight complications\", \"type\": \"samsung knowledgestorm ppm\", \"uid\": \"8b8458ba-61b8-11ee-9ec2-0242ac110005\"}, {\"name\": \"spyware expensive partnerships\", \"type\": \"lcd moore th\"}], \"name\": \"Wrapping\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"8b8452de-61b8-11ee-9b3c-0242ac110005\", \"uid_alt\": \"mpegs eric ky\"}}, \"pid\": 54, \"session\": {\"created_time_dt\": \"2023-10-03T06:46:13.763445Z\", \"is_remote\": true}, \"uid\": \"8b8424bc-61b8-11ee-aa3b-0242ac110005\", \"user\": {\"name\": \"Edges\", \"type\": \"compute\", \"type_id\": 99, \"uid\": \"8b841ca6-61b8-11ee-ac94-0242ac110005\"}}, \"sandbox\": \"mothers equipped enquiry\", \"tid\": 45, \"uid\": \"8b83fcbc-61b8-11ee-8764-0242ac110005\", \"user\": {\"credential_uid\": 
\"8b83f94c-61b8-11ee-85e8-0242ac110005\", \"name\": \"Warner\", \"type\": \"interim\", \"type_id\": 99, \"uid\": \"8b83f500-61b8-11ee-9242-0242ac110005\"}}, \"pid\": 30, \"session\": {\"created_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T06:46:13.758724Z\", \"is_remote\": true, \"uid\": \"8b836dc4-61b8-11ee-aa72-0242ac110005\"}, \"uid\": \"8b83682e-61b8-11ee-bf60-0242ac110005\", \"user\": {\"account\": {\"name\": \"desk periodic depth\", \"type\": \"Mac OS Account\", \"type_id\": 7, \"uid\": \"8b836400-61b8-11ee-9913-0242ac110005\"}, \"name\": \"Includes\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"8b835b7c-61b8-11ee-9c7d-0242ac110005\", \"uid_alt\": \"origins demo declaration\"}}", - "user": { - "type": "lot", - "type_id": "99" - } - }, - "session": { - "created_time": 1695272181548, - "created_time_dt": "2023-10-03T06:46:13.756371Z", - "credential_uid": "8b830938-61b8-11ee-9d39-0242ac110005", - "expiration_time_dt": "2023-10-03T06:46:13.756144Z", - "is_remote": true, - "issuer": "texts advertiser henderson", - "uid": "8b830532-61b8-11ee-bdfd-0242ac110005" - }, - "user": { - "type": "System", - "type_id": "3" - } - }, - "user": { - "type": "load", - "type_id": "99", - "uid_alt": "dawn but titles" - } - }, - "api": { - "operation": "helena internationally leo", - "request": { - "uid": "8b824fc0-61b8-11ee-b26d-0242ac110005" - }, - "response": { - "code": 99, - "error": "three acdbentity sufficient", - "message": "myrtle trust resort" - } - }, - "attacks": [ - { - "tactics": [ - { - "name": "Collection | The adversary is trying to gather data of interest to their goal.", - "uid": "TA0009" - }, - { - "name": "Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.", - "uid": "TA0040" - } - ], - "technique": { - "name": "PowerShell Profile", - "uid": "T1504" - }, - "version": "12.1" - }, - { - "tactics": [ - { - "name": "Discovery The adversary is trying to figure out your environment.", - "uid": "TA0007" - }, 
- { - "name": "Privilege Escalation | The adversary is trying to gain higher-level permissions.", - "uid": "TA0004" - } - ], - "technique": { - "name": "Securityd Memory", - "uid": "T1555.002" - }, - "version": "12.1" - } - ], - "category_name": "System Activity", - "category_uid": 1, - "class_name": "Module Activity", - "class_uid": 1005, - "cloud": { - "account": { - "type": "AWS Account", - "type_id": "10" - } - }, - "device": { - "groups": [ - { - "name": "ev terminal meals", - "uid": "8b82bf64-61b8-11ee-a83f-0242ac110005" - }, - { - "name": "born lasting vitamins", - "privileges": [ - "sheets loading representative" - ], - "uid": "8b82c338-61b8-11ee-bf95-0242ac110005" - } - ], - "hw_info": { - "cpu_bits": 95, - "keyboard_info": { - "keyboard_subtype": 47 - } - }, - "hypervisor": "fundraising kerry peer", - "imei": "moderators sentence ordered", - "instance_uid": "8b82c98c-61b8-11ee-ac91-0242ac110005", - "interface_uid": "8b82d0da-61b8-11ee-b450-0242ac110005", - "modified_time": 1695272181548, - "network_interfaces": [ - { - "hostname": "lightbox.gov", - "ip": "81.2.69.142", - "mac": "57:15:98:E9:35:D3:B3:9A", - "name": "henderson treasures dv", - "type": "Tunnel", - "type_id": "4" - }, - { - "hostname": "horizon.biz", - "ip": "81.2.69.142", - "mac": "47:B8:F6:D1:B8:90:8C:7F", - "name": "forests designation entire", - "type": "fcc", - "type_id": "99", - "uid": "8b82b79e-61b8-11ee-a441-0242ac110005" - } - ], - "os": { - "country": "Cuba, Republic of", - "sp_ver": "3", - "type_id": "201" - }, - "region": "slight centers swimming", - "risk_level_id": "1", - "type_id": "99" - }, - "disposition": "Deleted", - "disposition_id": "5", - "malware": [ - { - "classification_ids": [ - "17", - "2" - ], - "classifications": [ - "ontario amsterdam archived", - "newfoundland norman eddie" - ], - "name": "generally insight ee", - "path": "jc possess fibre", - "provider": "singapore flexible casino" - }, - { - "classification_ids": [ - "16", - "5" - ], - "cves": [ - { - 
"created_time": 1695272181548, - "modified_time": 1695272181548, - "modified_time_dt": "2023-10-03T06:46:13.752477Z", - "type": "graphical acm salt", - "uid": "8b827964-61b8-11ee-822b-0242ac110005" - } - ], - "name": "illustrated lending requirements", - "path": "cho basket ul", - "provider": "goods fitting latter", - "uid": "8b8272c0-61b8-11ee-90e5-0242ac110005" - } - ], - "metadata": { - "log_name": "laboratory instance upon", - "logged_time": 1695272181548, - "original_time": "rights newly filled", - "product": { - "lang": "en", - "name": "improving consist portfolio", - "uid": "8b82a664-61b8-11ee-bb6e-0242ac110005", - "version": "1.0.0" - }, - "profiles": [ - "cloud", - "container", - "datetime", - "host", - "security_control" - ], - "version": "1.0.0" - }, - "module": { - "base_address": "daughters offshore thehun", - "file": { - "confidentiality": "Secret", - "confidentiality_id": "3", - "created_time_dt": "2023-10-03T06:46:13.753318Z", - "hashes": [ - {}, - {} - ], - "product": { - "lang": "en", - "name": "traveling yea espn", - "uid": "8b82966a-61b8-11ee-81c7-0242ac110005", - "vendor_name": "manhattan better posts", - "version": "1.0.0" - }, - "type_id": "3" - }, - "load_type": "Non Standard", - "load_type_id": "2", - "start_address": "needs some limit" - }, - "severity": "minutes", - "status": "Unknown", - "status_id": 0, - "timezone_offset": 8, - "type_name": "Module Activity: Load", - "type_uid": "100501" + "activity_id": 1 }, "process": { "command_line": "fame little relax", @@ -414,13 +127,6 @@ "Cookies" ] }, - "sekoiaio": { - "intake": { - "parsing_warnings": [ - "Cannot set field 'container.labels' with given definition in stage 'pipeline_object_actor'. Cannot convert value in field 'container.labels' to type 'dict'" - ] - } - }, "threat": { "technique": { "id": [ diff --git a/OCSF/ocsf/tests/test_system_activity_6.json b/OCSF/ocsf/tests/test_system_activity_6.json index d8a504650..f8cf1c171 100644 --- a/OCSF/ocsf/tests/test_system_activity_6.json 
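Review bot: The `ocsf` object in this fixture is reduced to `"activity_id": 1` while `class_uid`, `type_uid` and `activity_name` are removed, which leaves a value that cannot be interpreted on its own — here `activity_id` 1 meant `Load` under class 1005 (`type_uid` 100501), and in the preceding file section the same value meant `Allocate Page` under class 1004 (`type_uid` 100401). If the parser intentionally stops emitting the other `ocsf.*` fields, the expectation should either keep `ocsf.class_uid` (or `ocsf.type_uid`) alongside `activity_id` or drop `activity_id` as well, so the fixture pins what a downstream detection rule can actually key on; the enclosing object (presumably the expected-output block) starts outside the hunk. The same reduction appears in the test_system_activity_6.json hunk at `@@ -71,157 +71,7 @@`, whose end is outside this view. The hunk `@@ -414,13 +127,6 @@` additionally deletes the `sekoiaio.intake.parsing_warnings` entry about `container.labels`, which presumably reflects the parser no longer attempting that mapping, but that is worth confirming against the parser change rather than silently removing the warning from the expectation.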
+++ b/OCSF/ocsf/tests/test_system_activity_6.json 
@@ -71,157 +71,7 @@ "type": "Virtual" }, "ocsf": { - "activity_id": 5, - "activity_name": "Set User ID", - "actor": { - "process": { - "container": { - "hash": { - "algorithm": "TLSH", - "algorithm_id": "6", - "value": "2A9141F10042E65FE9B037DE88C913D5CB6420C809E4F70D77B0C1CD0DB599E0DA4CC22A8E772350CACDACD72722801EA7BEAAE4B6D79D3949E37DB3492F1892" - }, - "image": { - "uid": "442ca5e8-61be-11ee-ac6f-0242ac110005" - }, - "size": 1294218177 - }, - "created_time_dt": "2023-10-03T07:27:11.081059Z", - "file": { - "accessed_time_dt": "2023-10-03T07:27:11.051398Z", - "attributes": 71, - "hashes": [ - {}, - {} - ], - "type_id": "7", - "xattributes": "{}" - }, - "integrity": "Low", - "integrity_id": "2", - "namespace_pid": 96, - "parent_process": { - "file": { - "company_name": "Margurite Hester", - "created_time_dt": "2023-10-03T07:27:11.052592Z", - "hashes": [ - {} - ], - "modified_time": 1695272181548, - "name": "alice.cur", - "parent_folder": "llc snap glossary/striking.cgi", - "path": "llc snap glossary/striking.cgi/alice.cur", - "security_descriptor": "kurt snowboard baby", - "type": "Block Device", - "type_id": "4", - "xattributes": "{}" - }, - "integrity": "brush clinton bride", - "namespace_pid": 81, - "parent_process": "{\"cmd_line\": \"growing howard error\", \"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"77D19917CD3F9FDA9C5B453897F0829D1D94450C31CB6991090BF4B4F49578CF29BBBBA4AF270287F408F0B9D696F5C18C16366E5CDFFDB199FDFC3E2BF91A62\"}, \"name\": \"stand tumor previously\", \"network_driver\": \"receiver recommended governor\", \"size\": 61744955, \"uid\": \"442d84ae-61be-11ee-a35f-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessor\": {\"email_addr\": \"Alethea@fa.web\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"442d1b40-61be-11ee-8249-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T07:27:11.055203Z\", \"desc\": \"dynamics dg islamic\", \"hashes\": [{\"algorithm\": 
\"SHA-256\", \"algorithm_id\": 3, \"value\": \"4095391C7E3E04FF12C9AD2E6C49BD63DFE77E885ACAADD3B58A1D8895383044\"}], \"is_system\": false, \"name\": \"es.sql\", \"parent_folder\": \"sarah receivers appropriate/keen.cpl\", \"path\": \"sarah receivers appropriate/keen.cpl/es.sql\", \"type\": \"Regular File\", \"type_id\": 1}, \"loaded_modules\": [\"/instantly/lazy/quickly/junk/relates.gadget\", \"/gentle/sen/bridge/brochure/county.cbr\"], \"name\": \"Danger\", \"namespace_pid\": 25, \"parent_process\": {\"cmd_line\": \"fox breathing excluded\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"34BF8F4BFD5096DFE4AD7B1FC397EE225004242E\"}, \"image\": {\"name\": \"ou false horn\", \"tag\": \"widely concerns ranger\", \"uid\": \"442e7aa8-61be-11ee-92c0-0242ac110005\"}, \"name\": \"obtained thompson wait\", \"orchestrator\": \"cingular grow causing\", \"size\": 1304039495, \"uid\": \"442e74ae-61be-11ee-bee1-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Tamara Porsha\", \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"EA326FE8119ACC03CB82276431BF6120811A2EE778F15E25088100D62EF8410FAD0B948395B7204152892B06C76A6405752FE2115D4B22CAF5461B8DA8D74966\"}], \"modifier\": {\"account\": {\"name\": \"me tagged lang\", \"type\": \"AWS IAM Role\", \"type_id\": 4, \"uid\": \"442e5168-61be-11ee-a406-0242ac110005\"}, \"email_addr\": \"Zona@partners.mil\", \"name\": \"Victory\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"442e4920-61be-11ee-ab85-0242ac110005\"}, \"name\": \"wishlist.fnt\", \"owner\": {\"name\": \"Proof\", \"type\": \"genius\", \"type_id\": 99, \"uid\": \"442e1d74-61be-11ee-ac9e-0242ac110005\"}, \"parent_folder\": \"bouquet bibliography pull/dumb.mov\", \"path\": \"bouquet bibliography pull/dumb.mov/wishlist.fnt\", \"product\": {\"lang\": \"en\", \"name\": \"written em fujitsu\", \"uid\": \"442e6324-61be-11ee-9f29-0242ac110005\", \"vendor_name\": \"sounds di inquiry\", 
\"version\": \"1.0.0\"}, \"type\": \"Regular File\", \"type_id\": 1}, \"integrity\": \"races parcel generating\", \"name\": \"Virtue\", \"namespace_pid\": 54, \"parent_process\": {\"cmd_line\": \"operations expanded ht\", \"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"27D94D1C177AA8E0E6E8A4F5ECAB104598CD2B62F27D3A26FCDC87A6AA7398BFD85771D86723FEDB24EC75CA439D57127989FB397C1F07F53B35533563BA3274\"}, \"image\": {\"labels\": [\"amplifier\"], \"name\": \"weird sep allowing\", \"uid\": \"442efa14-61be-11ee-8abf-0242ac110005\"}, \"name\": \"victor civic segments\", \"size\": 2232172986, \"uid\": \"442ef1ea-61be-11ee-870d-0242ac110005\"}, \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T07:27:11.081016Z\", \"file\": {\"accessed_time\": 1695272181548, \"attributes\": 99, \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"is_system\": true, \"modified_time_dt\": \"2023-10-03T07:27:11.064617Z\", \"name\": \"conceptual.py\", \"parent_folder\": \"impression finance trader/fragrances.sql\", \"path\": \"impression finance trader/fragrances.sql/conceptual.py\", \"security_descriptor\": \"ni easter snapshot\", \"signature\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"certificate\": {\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"fingerprints\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"6B70FC8DC165E533CBF2BCD7C70701DE3B3E114D\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"FCC3C0E1B16A999DE463D9C657DCA7E366719DE7E84E9C4EC1E41B0E744F649955B9E844AD173EBB3075A18E757DAF50733546203C86FB3209652FC0FB80534C\"}], \"issuer\": \"enterprise game humanitarian\", \"serial_number\": \"grad newest earlier\", \"subject\": \"jumping experts visitors\", \"version\": \"1.0.0\"}, \"digest\": {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"46A80AC3F38096FE6828377277FC50B39BB0C646F94FC178876749ADE0DA96DE\"}}, \"type\": \"Named Pipe\", 
\"type_id\": 6}, \"name\": \"Kai\", \"namespace_pid\": 74, \"parent_process\": {\"container\": {\"hash\": {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"C4802F4F55FE24BE9AF5F053E8719A9BC77381D625A0D27A35201C772CFD324009461ABCAC4A120286B98C707400807BB9DF7CFB3AA2C3BBF04EBB41E2AD07B3\"}, \"image\": {\"labels\": [\"hourly\"], \"name\": \"struct wind included\", \"uid\": \"442f39ca-61be-11ee-9840-0242ac110005\"}, \"name\": \"irish paid ga\", \"runtime\": \"meetings imported nutrition\", \"size\": 706306619, \"uid\": \"442f19c2-61be-11ee-851e-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessed_time\": 1695272181548, \"created_time\": 1695272181548, \"hashes\": [{\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"F10EEB0D89F01824C27418121C62436F\"}, {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"B883D1D4320E98F7DE7D6913D7C3DF5503FB17747CCE5EBD6F3384A41414FF8D\"}], \"name\": \"rage.ics\", \"parent_folder\": \"slide sensitivity milton/dsc.kml\", \"path\": \"slide sensitivity milton/dsc.kml/rage.ics\", \"type\": \"Regular File\", \"type_id\": 1, \"xattributes\": {}}, \"name\": \"Industries\", \"namespace_pid\": 46, \"parent_process\": {\"cmd_line\": \"directive rico hs\", \"container\": {\"hash\": {\"algorithm\": \"MD5\", \"algorithm_id\": 1, \"value\": \"FE9E27DD7BF526B57D69D3BD9FAC33DC\"}, \"image\": {\"name\": \"inappropriate burden hoped\", \"uid\": \"442f9c62-61be-11ee-81fa-0242ac110005\"}, \"name\": \"depot lanes mai\", \"size\": 4170062018, \"uid\": \"442f976c-61be-11ee-8026-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"desc\": \"parking hazards hunter\", \"hashes\": [{\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"1FE380DD618981AF242E43F459760A9F0C89B6D74E1C7544A298FBA160545A4F047CFFB754779F8EAD083609F87AB1EF4DE7D3630EDA324A5052064685D8A814\"}, {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": 
\"27D3F37EB6F68FBB9EDC408AAFC6035EF463633CB1D425DD737C0AD4F6A2442EE5857F1FD9BB49C0A3030802642A48CB4AADBAFC7B20B82DE18144D2E360B551\"}], \"is_system\": true, \"modified_time\": 1695272181548, \"name\": \"nextel.dat\", \"parent_folder\": \"exhibitions grad folks/lonely.yuv\", \"path\": \"exhibitions grad folks/lonely.yuv/nextel.dat\", \"type\": \"Unknown\", \"type_id\": 0}, \"name\": \"Employed\", \"namespace_pid\": 5, \"parent_process\": {\"cmd_line\": \"portfolio syracuse zinc\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"E9264147B413746293E539868C8EDFF71715E1E3\"}, \"image\": {\"uid\": \"442fe870-61be-11ee-8322-0242ac110005\"}, \"name\": \"extremely bridges jane\", \"pod_uuid\": \"save\", \"size\": 2170520292, \"tag\": \"magnificent nerve ethnic\", \"uid\": \"442fe3ca-61be-11ee-ac04-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessor\": {\"credential_uid\": \"442fb5ee-61be-11ee-a469-0242ac110005\", \"email_addr\": \"Almeda@representations.biz\", \"name\": \"Bailey\", \"org\": {\"name\": \"nova identification paul\", \"ou_name\": \"honors tattoo australian\", \"uid\": \"442fb1a2-61be-11ee-9fd5-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": \"442fac66-61be-11ee-b373-0242ac110005\"}, \"attributes\": 28, \"company_name\": \"Chery Hunter\", \"created_time\": 1695272181548, \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"2E5106CC0168994B4FE52AC9F67394250EE7504DB2DB5DE3CE0AC0A6E01DFA01\"}, {\"algorithm\": \"TLSH\", \"algorithm_id\": 6, \"value\": \"37A8A4AF49E5E20E61CF73D569C93D3F839D333C98BADE757EC2C5093C969DBEBC2707A0A2C9B4709FB6986E18991E93BA14C3CC2799E6153B1BEA132224F02B\"}], \"mime_type\": \"finish/councils\", \"modified_time\": 1695272181548, \"name\": \"centered.txt\", \"parent_folder\": \"patrol considers alternative/bargains.xlr\", \"path\": \"patrol considers alternative/bargains.xlr/centered.txt\", \"size\": 724911628, \"type\": \"Unknown\", \"type_id\": 
0}, \"namespace_pid\": 10, \"parent_process\": {\"cmd_line\": \"easter anaheim introductory\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"A63B60EEA4665F00EDDB1E2A8FECCFEA7634F795\"}, \"image\": {\"name\": \"jonathan calculation incomplete\", \"uid\": \"4430194e-61be-11ee-a776-0242ac110005\"}, \"name\": \"clone sic tight\", \"size\": 3536383459, \"uid\": \"443013cc-61be-11ee-a273-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"desc\": \"supporters billy surgeon\", \"hashes\": [{\"algorithm\": \"SHA-512\", \"algorithm_id\": 4, \"value\": \"220358975ACF552AE828178DC72009FA5342AB5C33895C6E9E5048EF5BD044736C17B29683CD4CD82D017C7D963FB9AE740735C6D31E956B42C4A45F803F6EDA\"}], \"modified_time_dt\": \"2023-10-03T07:27:11.074123Z\", \"modifier\": {\"type\": \"System\", \"type_id\": 3, \"uid\": \"442ff8e2-61be-11ee-bc3b-0242ac110005\"}, \"name\": \"stats.cs\", \"parent_folder\": \"well vacations concrete/hamburg.vcf\", \"path\": \"well vacations concrete/hamburg.vcf/stats.cs\", \"product\": {\"lang\": \"en\", \"name\": \"rare musical oregon\", \"uid\": \"442ffee6-61be-11ee-b950-0242ac110005\", \"vendor_name\": \"moms scholarships pins\", \"version\": \"1.0.0\"}, \"security_descriptor\": \"dave manufacturing applicant\", \"size\": 3217957879, \"type\": \"Block Device\", \"type_id\": 4}, \"integrity\": \"guys document multimedia\", \"lineage\": [\"weight anytime gzip\", \"subcommittee milan reasonable\"], \"name\": \"Flags\", \"namespace_pid\": 4, \"parent_process\": {\"cmd_line\": \"robinson hunter anne\", \"container\": {\"hash\": {\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"value\": \"4B4AACD68CE2D5C32C8437FC88E56923FA0DDADFEA6532D34FA536A344FDD0F482CB0159A5237950B31A7F3D097FED596515444734A2DF56CF7D38A74DCA94D7\"}, \"image\": {\"name\": \"mistake baseball jordan\", \"uid\": \"4430571a-61be-11ee-8c37-0242ac110005\"}, \"name\": \"magnificent capabilities ideal\", \"size\": 3127592961, \"uid\": 
\"44305030-61be-11ee-b7e4-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Archie Lesley\", \"created_time\": 1695272181548, \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"F7EDAF3282DAFB609C7D421B786486F127371E76\"}], \"name\": \"fioricet.lnk\", \"owner\": {\"email_addr\": \"Elise@starts.museum\", \"name\": \"Vid\", \"type\": \"Admin\", \"type_id\": 2, \"uid\": \"44302a6a-61be-11ee-b70a-0242ac110005\", \"uid_alt\": \"supplied epic spas\"}, \"security_descriptor\": \"believes airlines granted\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"44302f24-61be-11ee-99d3-0242ac110005\"}, \"integrity\": \"reality\", \"integrity_id\": 99, \"loaded_modules\": [\"/timing/norm/crime/apollo/pollution.dwg\"], \"name\": \"Vat\", \"namespace_pid\": 41, \"parent_process\": {\"cmd_line\": \"territories year excluded\", \"created_time\": 1695272181548, \"file\": {\"confidentiality\": \"Not Confidential\", \"confidentiality_id\": 1, \"hashes\": [{\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"ADCAA40050F92C2A48474F33D6E697529CA1D0BD1FCC6D553290E4655C5F0BA7FAB42B475667A0C8EAD38187E3AFBE5AC9C7F3A68C87167BCF01080031CE50FB\"}, {\"algorithm\": \"magic\", \"algorithm_id\": 99, \"value\": \"D1F34CA31A773B2BDD48DB8EC34E2B88EA9746B72EB845256BE259CA7D5D9E5F\"}], \"name\": \"ts.exe\", \"owner\": {\"credential_uid\": \"44306ef8-61be-11ee-b8fd-0242ac110005\", \"domain\": \"andale museum reality\", \"name\": \"Commander\", \"type\": \"motherboard\", \"type_id\": 99, \"uid\": \"44306aca-61be-11ee-be86-0242ac110005\", \"uid_alt\": \"verzeichnis prefer soccer\"}, \"type\": \"Regular File\", \"type_id\": 1, \"xattributes\": {}}, \"name\": \"Cart\", \"namespace_pid\": 51, \"parent_process\": {\"cmd_line\": \"suited pace informal\", \"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": 
\"6F4F28E68A201B8127A08D889356FCFA0C736B9FD1330596E58F7D1669820A151705235B2F41C93CE5159EC808FE328BCED0BBC02E6C20382443EBB5ACDD6023\"}, \"name\": \"elegant rankings wild\", \"network_driver\": \"what belgium used\", \"orchestrator\": \"everyone ho alternative\", \"pod_uuid\": \"rocky\", \"size\": 2933994191, \"uid\": \"4430bf98-61be-11ee-b010-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"company_name\": \"Rosendo Grace\", \"confidentiality\": \"cut salt catch\", \"created_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T07:27:11.078126Z\", \"hashes\": [{\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"0F4CF4B2CE58DE3BF03D760DE38955BF246F80BAB6F81927F253AB5D9773EB75\"}, {\"algorithm\": \"SHA-256\", \"algorithm_id\": 3, \"value\": \"647878B29B754A911F330D47137E3068A61F6185ED78B1AA43695E4A1D98607D\"}], \"name\": \"underwear.sdf\", \"parent_folder\": \"writer photoshop lane/st.sdf\", \"path\": \"writer photoshop lane/st.sdf/underwear.sdf\", \"type\": \"Named Pipe\", \"type_id\": 6, \"version\": \"1.0.0\"}, \"name\": \"Identical\", \"namespace_pid\": 66, \"parent_process\": {\"cmd_line\": \"adolescent agreements wooden\", \"container\": {\"hash\": {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"6DBDD59AB542C91F19905B4D8672B5320DCBA285\"}, \"name\": \"sparc memphis paid\", \"orchestrator\": \"workstation opening cambridge\", \"pod_uuid\": \"rendering\", \"size\": 3567867280, \"tag\": \"agency ended lambda\", \"uid\": \"4430dfe6-61be-11ee-bbae-0242ac110005\"}, \"file\": {\"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"7F572F2B5A5DED4063EF1594729C97543A900961\"}, {\"algorithm\": \"CTPH\", \"algorithm_id\": 5, \"value\": \"D6CDFD95B6030B86B739AC2B7575BA411041446BFEF23DF7765EC4B470C9A5D2E182599FBA3C539E0EBEAF5E656A808285FED2455EB8F7E802ABD6245CB543FC\"}], \"modified_time\": 1695272181548, \"name\": \"space.js\", \"parent_folder\": \"cookbook dc effort/abc.pkg\", \"path\": \"cookbook dc 
effort/abc.pkg/space.js\", \"size\": 3135869827, \"type\": \"Regular File\", \"type_id\": 1, \"version\": \"1.0.0\"}, \"integrity\": \"podcasts owned how\", \"name\": \"Documentation\", \"namespace_pid\": 79, \"parent_process\": {\"container\": {\"hash\": {\"algorithm\": \"quickXorHash\", \"algorithm_id\": 7, \"value\": \"4DA1DD452B8D517803494B5E00054136CCF55DF19FF70469451D438255FC03B1FA45BB3A48C03F49FCCE16708623DA0458F11C60EC6D10453E6D6AB6C6492E15\"}, \"name\": \"flex operational statistical\", \"orchestrator\": \"performed gadgets bank\", \"pod_uuid\": \"password\", \"uid\": \"4431094e-61be-11ee-a229-0242ac110005\"}, \"created_time\": 1695272181548, \"file\": {\"accessed_time_dt\": \"2023-10-03T07:27:11.080165Z\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"desc\": \"panic united modeling\", \"hashes\": [{\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"9A5751D5ACECF26FF7EB2B33C144EFCE1C69FE9A\"}, {\"algorithm\": \"SHA-1\", \"algorithm_id\": 2, \"value\": \"F803B26388365E33184D5CC145D868E1B8DF74D5\"}], \"is_system\": false, \"name\": \"xl.php\", \"parent_folder\": \"beneath among lands/resort.cbr\", \"path\": \"beneath among lands/resort.cbr/xl.php\", \"type\": \"Symbolic Link\", \"type_id\": 7, \"xattributes\": {}}, \"name\": \"Triangle\", \"namespace_pid\": 98, \"pid\": 76, \"tid\": 20, \"uid\": \"443103fe-61be-11ee-8306-0242ac110005\", \"user\": {\"groups\": [{\"name\": \"go prohibited oxford\", \"uid\": \"44310066-61be-11ee-99fb-0242ac110005\"}], \"org\": {\"name\": \"important analog unnecessary\", \"ou_name\": \"highlights douglas manufacturer\", \"uid\": \"4430faee-61be-11ee-b642-0242ac110005\"}, \"type\": \"System\", \"type_id\": 3, \"uid\": \"4430f40e-61be-11ee-86fe-0242ac110005\"}}, \"pid\": 70, \"uid\": \"4430d9d8-61be-11ee-a2ef-0242ac110005\", \"user\": {\"account\": {\"name\": \"pas jacob personals\", \"type\": \"GCP Account\", \"type_id\": 5, \"uid\": \"4430d578-61be-11ee-ab48-0242ac110005\"}, \"email_addr\": 
\"Charlette@anytime.jobs\", \"name\": \"Ser\", \"org\": {\"ou_name\": \"officials watches house\"}, \"type\": \"boom\", \"type_id\": 99}}, \"user\": {\"credential_uid\": \"4430b912-61be-11ee-8411-0242ac110005\", \"email_addr\": \"Ena@hearing.int\", \"name\": \"Spank\", \"org\": {\"name\": \"von reservoir moore\", \"ou_name\": \"photos nat eds\", \"ou_uid\": \"4430b502-61be-11ee-8f5b-0242ac110005\", \"uid\": \"4430adc8-61be-11ee-b4ba-0242ac110005\"}, \"type\": \"User\", \"type_id\": 1, \"uid\": \"4430a878-61be-11ee-af22-0242ac110005\"}}, \"pid\": 36, \"sandbox\": \"pendant funds intervals\", \"terminated_time_dt\": \"2023-10-03T07:27:11.080957Z\", \"uid\": \"44308c3a-61be-11ee-93fe-0242ac110005\", \"user\": {\"account\": {\"name\": \"hewlett then appendix\", \"type\": \"GCP Account\", \"type_id\": 5}, \"name\": \"Editorial\", \"org\": {\"name\": \"insulin identical prizes\", \"uid\": \"44308564-61be-11ee-abd1-0242ac110005\"}, \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"44307e70-61be-11ee-a962-0242ac110005\"}}, \"pid\": 10, \"session\": {\"created_time\": 1695272181548, \"is_remote\": true, \"issuer\": \"mediterranean provider something\", \"uid\": \"443043ec-61be-11ee-96c0-0242ac110005\"}, \"terminated_time_dt\": \"2023-10-03T07:27:11.080979Z\", \"user\": {\"credential_uid\": \"44303eba-61be-11ee-ab60-0242ac110005\", \"domain\": \"restaurants instead occurring\", \"full_name\": \"Margareta Elden\", \"name\": \"Candles\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"443039a6-61be-11ee-8f9f-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 12, \"sandbox\": \"earl manually converter\", \"uid\": \"44300e5e-61be-11ee-8332-0242ac110005\", \"user\": {\"name\": \"Rod\", \"type\": \"fiji\", \"type_id\": 99, \"uid\": \"44300a4e-61be-11ee-b6bc-0242ac110005\"}}, \"pid\": 4, \"session\": {\"created_time\": 1695272181548, \"is_remote\": false, \"issuer\": \"vacation obligation refused\", \"uid\": \"442fda56-61be-11ee-93d0-0242ac110005\"}, \"uid\": 
\"442fd27c-61be-11ee-bc32-0242ac110005\", \"user\": {\"account\": {\"name\": \"batman sprint established\", \"type\": \"Linux Account\", \"type_id\": 9}, \"groups\": [{\"name\": \"blackberry genetics dsc\", \"privileges\": [\"counter relocation association\", \"precise nurses satisfactory\"], \"uid\": \"442fc93a-61be-11ee-93e5-0242ac110005\"}, {\"name\": \"munich clothing commit\", \"uid\": \"442fcd54-61be-11ee-ab07-0242ac110005\"}], \"name\": \"Achieving\", \"org\": {\"ou_name\": \"drunk pt locations\", \"uid\": \"442fc408-61be-11ee-a83e-0242ac110005\"}, \"type\": \"System\", \"type_id\": 3, \"uid\": \"442fbf76-61be-11ee-b1ce-0242ac110005\"}}, \"pid\": 49, \"sandbox\": \"mexican broadway volleyball\", \"terminated_time_dt\": \"2023-10-03T07:27:11.081001Z\", \"tid\": 75, \"uid\": \"442f8fb0-61be-11ee-b4aa-0242ac110005\", \"user\": {\"credential_uid\": \"442f8c40-61be-11ee-858e-0242ac110005\", \"name\": \"Affiliation\", \"type\": \"User\", \"type_id\": 1, \"uid\": \"442f881c-61be-11ee-8d6d-0242ac110005\"}}, \"pid\": 93, \"uid\": \"442f1314-61be-11ee-a9ee-0242ac110005\", \"user\": {\"name\": \"Earrings\", \"type\": \"System\", \"type_id\": 3, \"uid\": \"442f0f18-61be-11ee-92c1-0242ac110005\"}, \"xattributes\": {}}, \"pid\": 23, \"session\": {\"created_time\": 1695272181548, \"is_remote\": false, \"issuer\": \"robots places depression\", \"uid\": \"442ee7f4-61be-11ee-a967-0242ac110005\", \"uuid\": \"442eeb3c-61be-11ee-a179-0242ac110005\"}, \"uid\": \"442ee2d6-61be-11ee-ad3f-0242ac110005\", \"user\": {\"domain\": \"dubai sys drum\", \"groups\": [{\"name\": \"implications fred rent\", \"uid\": \"442ed976-61be-11ee-acb4-0242ac110005\"}, {\"type\": \"hundred suggesting radius\", \"uid\": \"442ede6c-61be-11ee-815a-0242ac110005\"}], \"name\": \"Da\", \"type\": \"ben\", \"type_id\": 99, \"uid\": \"442ed390-61be-11ee-902b-0242ac110005\", \"uid_alt\": \"documents harmony austria\"}}, \"pid\": 9, \"sandbox\": \"deep simply nn\", \"uid\": 
\"442e6b76-61be-11ee-ab8d-0242ac110005\", \"xattributes\": {}}, \"pid\": 27, \"sandbox\": \"repeat checked peace\", \"terminated_time_dt\": \"2023-10-03T07:27:11.081046Z\", \"uid\": \"442d4ee4-61be-11ee-a8b0-0242ac110005\", \"user\": {\"account\": {\"name\": \"allows country mineral\", \"type\": \"AWS IAM Role\", \"type_id\": 4, \"uid\": \"442d4a0c-61be-11ee-bd4c-0242ac110005\"}, \"email_addr\": \"Minta@active.biz\", \"name\": \"Strong\", \"type\": \"Unknown\", \"type_id\": 0, \"uid\": \"442d27de-61be-11ee-b498-0242ac110005\"}, \"xattributes\": {}}", - "sandbox": "rational girls corner", - "user": { - "type": "System", - "type_id": "3" - } - }, - "terminated_time_dt": "2023-10-03T07:27:11.081081Z", - "user": { - "account": { - "name": "filled lunch processing", - "type": "Windows Account", - "type_id": "2", - "uid": "442c96ac-61be-11ee-945c-0242ac110005" - }, - "type": "Unknown", - "type_id": "0" - } - }, - "user": { - "credential_uid": "44311cae-61be-11ee-9f07-0242ac110005", - "type": "System", - "type_id": "3" - } - }, - "actual_permissions": 48, - "attacks": [ - { - "tactics": [ - { - "name": "Exfiltration | The adversary is trying to steal data.", - "uid": "TA0010" - }, - { - "name": "Privilege Escalation | The adversary is trying to gain higher-level permissions.", - "uid": "TA0004" - } - ], - "technique": { - "name": "Accessibility Features", - "uid": "T1546.008" - }, - "version": "12.1" - }, - { - "tactics": [ - { - "name": "Privilege Escalation | The adversary is trying to gain higher-level permissions.", - "uid": "TA0004" - } - ], - "technique": { - "name": "Web Shell", - "uid": "T1100" - }, - "version": "12.1" - } - ], - "category_name": "System Activity", - "category_uid": 1, - "class_name": "Process Activity", - "class_uid": 1007, - "device": { - "hypervisor": "indianapolis finite serious", - "interface_name": "officials janet subscribe", - "interface_uid": "442a8a60-61be-11ee-b5e8-0242ac110005", - "last_seen_time": 1695272181548, - "modified_time_dt": 
"2023-10-03T07:27:11.038353Z", - "org": { - "name": "answer intelligent artificial", - "ou_name": "garlic glucose festival" - }, - "region": "argentina andy wyoming", - "type_id": "6" - }, - "disposition": "Unknown", - "disposition_id": "0", - "metadata": { - "logged_time": 1695272181548, - "modified_time_dt": "2023-10-03T07:27:11.037636Z", - "original_time": "bolt beds created", - "processed_time_dt": "2023-10-03T07:27:11.037651Z", - "product": { - "lang": "en", - "name": "rough cfr elephant", - "uid": "442a6c38-61be-11ee-811a-0242ac110005", - "url_string": "cl", - "version": "1.0.0" - }, - "profiles": [ - "cloud", - "container", - "datetime", - "host", - "security_control" - ], - "version": "1.0.0" - }, - "severity": "doctors", - "status": "vcr", - "status_id": 99, - "timezone_offset": 75, - "type_name": "Process Activity: Set User ID", - "type_uid": "100705" + "activity_id": 5 }, "process": { "command_line": "wrist teach engaging", @@ -267,13 +117,6 @@ "81.2.69.142" ] }, - "sekoiaio": { - "intake": { - "parsing_warnings": [ - "Cannot set field 'container.labels' with given definition in stage 'pipeline_object_actor'. Cannot convert value in field 'container.labels' to type 'dict'" - ] - } - }, "threat": { "technique": { "id": [ diff --git a/OCSF/ocsf/tests/test_system_activity_7.json b/OCSF/ocsf/tests/test_system_activity_7.json index 65a635de7..d915b8f6b 100644 --- a/OCSF/ocsf/tests/test_system_activity_7.json +++ b/OCSF/ocsf/tests/test_system_activity_7.json 
@@ -51,50 +51,7 @@ "type": "Desktop" }, "ocsf": { - "activity_id": 3, - "activity_name": "Delete", - "category_name": "System Activity", - "category_uid": 1, - "class_name": "Scheduled Job Activity", - "class_uid": 1006, - "device": { - "created_time": 1706875973926694, - "desc": "ferrari happens proceedings", - "hypervisor": "sets denmark contractor", - "instance_uid": "64852b74-c1c4-11ee-b377-0242ac110005", - "interface_name": "perfume sensor min", - "interface_uid": "6485370e-c1c4-11ee-9d9a-0242ac110005", - "os": { - "type_id": "200" - }, - "region": "measured shuttle adjust", - "type_id": "2", - "uid_alt": "eden gym amendments" - }, - "job": { - "file": { - "hashes": [ - {}, - {} - ] - } - }, - "metadata": { - "log_name": "pas personality bend", - "original_time": "occupational famous considerable", - "product": { - "uid": "6484ff28-c1c4-11ee-a148-0242ac110005", - "version": "1.1.0" - }, - "profiles": [], - "version": "1.1.0" - }, - "severity": "Critical", - "status": "acdbentity", - "status_id": 99, - "timezone_offset": 97, - "type_name": "Scheduled Job Activity: Delete", - "type_uid": "100603" + "activity_id": 3 }, "related": { "hash": [ From fbab742782654e9617f88ed1bd853de7f9436bb8 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 9 Apr 2024 13:07:40 +0300 Subject: [PATCH 21/34] Fix organization fields --- OCSF/ocsf/ingest/parser.yml | 10 ++++------ OCSF/ocsf/tests/test_application_activity_1.json | 4 ++++ OCSF/ocsf/tests/test_application_activity_3.json | 4 ++++ OCSF/ocsf/tests/test_discovery_1.json | 3 +++ OCSF/ocsf/tests/test_discovery_2.json | 3 +++ OCSF/ocsf/tests/test_system_activity_2.json | 4 ++++ 6 files changed, 22 insertions(+), 6 deletions(-) diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml index e6728128d..28d6c4389 100644 --- a/OCSF/ocsf/ingest/parser.yml +++ b/OCSF/ocsf/ingest/parser.yml 
@@ -77,7 +77,6 @@ pipeline:
   - name: set_event_category
   - name: set_event_type
   - name: set_common_fields
-  - name: set_fields
   - name: pipeline_object_actor
     filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,3001,3002,3003,3004,3005,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,5001,5002,6001,6002,6003,6004] and parse_event.message.actor != null }}"
@@ -206,6 +205,10 @@ stages:
   set_common_fields:
     actions:
       - set:
+          ocsf.activity_id: "{{parse_event.message.activity_id}}"
+          organization.id: "{{parse_event.message.cloud.org.uid}}"
+          organization.name: "{{parse_event.message.cloud.org.name}}"
+
           cloud.account.id: "{{parse_event.message.cloud.account.uid}}"
           cloud.account.name: "{{parse_event.message.cloud.account.name}}"
           cloud.availability_zone: "{{parse_event.message.cloud.zone}}"
@@ -249,11 +252,6 @@ stages:
     mapping:
       parse_event.message.status_id: event.outcome
-  set_fields:
-    actions:
-      - set:
-          ocsf.activity_id: "{{parse_event.message.activity_id}}"
-
   pipeline_object_actor:
     actions:
       - set:
diff --git a/OCSF/ocsf/tests/test_application_activity_1.json b/OCSF/ocsf/tests/test_application_activity_1.json
index 732348a73..4cc33d2ec 100644
--- a/OCSF/ocsf/tests/test_application_activity_1.json
+++ b/OCSF/ocsf/tests/test_application_activity_1.json
@@ -58,6 +58,10 @@
     "ocsf": {
       "activity_id": 4
     },
+    "organization": {
+      "id": "072d99ea-584a-11ee-920a-0242ac110005",
+      "name": "brazil newbie loc"
+    },
     "package": {
       "description": [
         "pleased won coverage"
diff --git a/OCSF/ocsf/tests/test_application_activity_3.json b/OCSF/ocsf/tests/test_application_activity_3.json
index 2526070ff..588cc0681 100644
--- a/OCSF/ocsf/tests/test_application_activity_3.json
+++ b/OCSF/ocsf/tests/test_application_activity_3.json
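Review bot: The `set_common_fields` hunk reads `organization.id` and `organization.name` solely from `cloud.org`, so organization data that an OCSF event carries elsewhere (the process-activity fixture earlier in this series has `org` objects nested under `user`) is never surfaced; if that is deliberate, a comment on the two lines would keep the next maintainer from "fixing" it, e.g. `# organization.* is taken from the cloud profile (cloud.org) only; user/actor org objects are intentionally not mapped`. The first and last hunks also delete the `set_fields` stage and fold `ocsf.activity_id` into `set_common_fields`, which the subject "Fix organization fields" does not mention, so a line in the commit message about that consolidation would help anyone bisecting later. The discovery fixtures in the same commit receive only one of id/name, which suggests a missing `cloud.org.*` leaves the target field unset rather than empty; confirming that in a comment would document the stage's behaviour for absent profiles.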
@@ -45,6 +45,10 @@ "ocsf": { "activity_id": 99 }, + "organization": { + "id": "65193f12-584c-11ee-ae9b-0242ac110005", + "name": "exclusive variables tag" + }, "package": { "description": [], "name": [], diff --git a/OCSF/ocsf/tests/test_discovery_1.json b/OCSF/ocsf/tests/test_discovery_1.json index e84ff6be2..ea2da2f3e 100644 --- a/OCSF/ocsf/tests/test_discovery_1.json +++ b/OCSF/ocsf/tests/test_discovery_1.json @@ -43,6 +43,9 @@ "ocsf": { "activity_id": 2 }, + "organization": { + "id": "023dbdcc-5848-11ee-bd54-0242ac110005" + }, "related": { "hosts": [ "lucas.pro" diff --git a/OCSF/ocsf/tests/test_discovery_2.json b/OCSF/ocsf/tests/test_discovery_2.json index 3ea758dab..417409fdb 100644 --- a/OCSF/ocsf/tests/test_discovery_2.json +++ b/OCSF/ocsf/tests/test_discovery_2.json @@ -55,6 +55,9 @@ }, "ocsf": { "activity_id": 2 + }, + "organization": { + "name": "black lets promotions" } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_system_activity_2.json b/OCSF/ocsf/tests/test_system_activity_2.json index 10fe97e1d..5bbdce530 100644 --- a/OCSF/ocsf/tests/test_system_activity_2.json +++ b/OCSF/ocsf/tests/test_system_activity_2.json @@ -51,6 +51,10 @@ "ocsf": { "activity_id": 2 }, + "organization": { + "id": "19e79248-61aa-11ee-83d4-0242ac110005", + "name": "virus legislative schemes" + }, "process": { "command_line": "quest flashers qualifying", "entity_id": "19e85aa2-61aa-11ee-9863-0242ac110005", From b19c448d312d0067b9b852955f07b659739a0458 Mon Sep 17 00:00:00 2001 
From: lvoloshyn-sekoia Date: Tue, 9 Apr 2024 13:10:49 +0300 Subject: [PATCH 22/34] Return class_uid field --- OCSF/ocsf/_meta/fields.yml | 7 +++++++ OCSF/ocsf/ingest/parser.yml | 2 ++ OCSF/ocsf/tests/test_application_activity_1.json | 3 ++- OCSF/ocsf/tests/test_application_activity_2.json | 3 ++- OCSF/ocsf/tests/test_application_activity_3.json | 3 ++- OCSF/ocsf/tests/test_discovery_1.json | 3 ++- OCSF/ocsf/tests/test_discovery_2.json | 3 ++- OCSF/ocsf/tests/test_findings_1.json | 3 ++- OCSF/ocsf/tests/test_iam_1.json | 3 ++- OCSF/ocsf/tests/test_iam_2.json | 3 ++- OCSF/ocsf/tests/test_iam_3.json | 3 ++- OCSF/ocsf/tests/test_iam_4.json | 3 ++- OCSF/ocsf/tests/test_network_activity_1.json | 3 ++- OCSF/ocsf/tests/test_network_activity_10.json | 3 ++- OCSF/ocsf/tests/test_network_activity_11.json | 3 ++- OCSF/ocsf/tests/test_network_activity_12.json | 3 ++- OCSF/ocsf/tests/test_network_activity_2.json | 3 ++- OCSF/ocsf/tests/test_network_activity_3.json | 3 ++- OCSF/ocsf/tests/test_network_activity_4.json | 3 ++- OCSF/ocsf/tests/test_network_activity_5.json | 3 ++- OCSF/ocsf/tests/test_network_activity_6.json | 3 ++- OCSF/ocsf/tests/test_network_activity_7.json | 3 ++- OCSF/ocsf/tests/test_network_activity_8.json | 3 ++- OCSF/ocsf/tests/test_network_activity_9.json | 3 +++ OCSF/ocsf/tests/test_system_activity_1.json | 3 ++- OCSF/ocsf/tests/test_system_activity_2.json | 3 ++- OCSF/ocsf/tests/test_system_activity_3.json | 3 ++- OCSF/ocsf/tests/test_system_activity_4.json | 3 ++- OCSF/ocsf/tests/test_system_activity_5.json | 3 ++- OCSF/ocsf/tests/test_system_activity_6.json | 3 ++- OCSF/ocsf/tests/test_system_activity_7.json | 3 ++- 31 files changed, 68 insertions(+), 28 deletions(-) diff --git a/OCSF/ocsf/_meta/fields.yml b/OCSF/ocsf/_meta/fields.yml index 07b96a762..27d1994ef 100644 --- a/OCSF/ocsf/_meta/fields.yml +++ b/OCSF/ocsf/_meta/fields.yml 
@@ -3,6 +3,13 @@ ocsf.activity_id: name: ocsf.activity_id type: long +ocsf.class_uid: + description: The unique identifier of a class. A Class describes the attributes + available in an event.2001 Security FindingSecurity Finding events describe findings, + detections, anomalies, alerts and/or actions performed by security products. + name: ocsf.class_uid + type: long + process.group.id: description: '' name: process.group.id diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml index 28d6c4389..b8d03b5f6 100644 --- a/OCSF/ocsf/ingest/parser.yml +++ b/OCSF/ocsf/ingest/parser.yml @@ -206,6 +206,8 @@ stages: actions: - set: ocsf.activity_id: "{{parse_event.message.activity_id}}" + ocsf.class_uid: "{{parse_event.message.class_uid}}" + organization.id: "{{parse_event.message.cloud.org.uid}}" organization.name: "{{parse_event.message.cloud.org.name}}" diff --git a/OCSF/ocsf/tests/test_application_activity_1.json b/OCSF/ocsf/tests/test_application_activity_1.json index 4cc33d2ec..91a99ba61 100644 --- a/OCSF/ocsf/tests/test_application_activity_1.json +++ b/OCSF/ocsf/tests/test_application_activity_1.json @@ -56,7 +56,8 @@ "version": "1.0.0" }, "ocsf": { - "activity_id": 4 + "activity_id": 4, + "class_uid": 6004 }, "organization": { "id": "072d99ea-584a-11ee-920a-0242ac110005", diff --git a/OCSF/ocsf/tests/test_application_activity_2.json b/OCSF/ocsf/tests/test_application_activity_2.json index 09169edec..60cff9a35 100644 --- a/OCSF/ocsf/tests/test_application_activity_2.json +++ b/OCSF/ocsf/tests/test_application_activity_2.json @@ -26,7 +26,8 @@ "application": "sheets horror trader" }, "ocsf": { - "activity_id": 1 + "activity_id": 1, + "class_uid": 6001 }, "package": { "description": [ diff --git a/OCSF/ocsf/tests/test_application_activity_3.json b/OCSF/ocsf/tests/test_application_activity_3.json index 588cc0681..8b65aff85 100644 --- a/OCSF/ocsf/tests/test_application_activity_3.json +++ b/OCSF/ocsf/tests/test_application_activity_3.json 
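Review bot: The `description` of the new `ocsf.class_uid` entry is a pasted fragment of the Security Finding (2001) class page — `available in an event.2001 Security FindingSecurity Finding events describe findings, …` — while the parser sets the field for every class (the fixtures in this commit carry 1001 through 6004), so the field catalogue now misdescribes the field and reads as garbled text in the UI. A class-neutral sentence is enough, e.g. `description: The unique identifier of the OCSF event class (for example 2001 for Security Finding).`. The `ocsf.class_name` entry added in the following patch ("Restore event class fields") has the same problem: its description `as defined by class_uid value: Security Finding.` should drop the hard-coded example or become `The event class name, as defined by the class_uid value.`.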
@@ -43,7 +43,8 @@ "type": "Unknown" }, "ocsf": { - "activity_id": 99 + "activity_id": 99, + "class_uid": 6002 }, "organization": { "id": "65193f12-584c-11ee-ae9b-0242ac110005", diff --git a/OCSF/ocsf/tests/test_discovery_1.json b/OCSF/ocsf/tests/test_discovery_1.json index ea2da2f3e..7cf3af1f2 100644 --- a/OCSF/ocsf/tests/test_discovery_1.json +++ b/OCSF/ocsf/tests/test_discovery_1.json @@ -41,7 +41,8 @@ "type": "Desktop" }, "ocsf": { - "activity_id": 2 + "activity_id": 2, + "class_uid": 5002 }, "organization": { "id": "023dbdcc-5848-11ee-bd54-0242ac110005" diff --git a/OCSF/ocsf/tests/test_discovery_2.json b/OCSF/ocsf/tests/test_discovery_2.json index 417409fdb..4a2978779 100644 --- a/OCSF/ocsf/tests/test_discovery_2.json +++ b/OCSF/ocsf/tests/test_discovery_2.json @@ -54,7 +54,8 @@ "type": "Laptop" }, "ocsf": { - "activity_id": 2 + "activity_id": 2, + "class_uid": 5001 }, "organization": { "name": "black lets promotions" diff --git a/OCSF/ocsf/tests/test_findings_1.json b/OCSF/ocsf/tests/test_findings_1.json index 7db46cd73..02b863955 100644 --- a/OCSF/ocsf/tests/test_findings_1.json +++ b/OCSF/ocsf/tests/test_findings_1.json @@ -31,7 +31,8 @@ "region": "us-east-1" }, "ocsf": { - "activity_id": 2 + "activity_id": 2, + "class_uid": 2001 }, "vulnerability": { "description": [ diff --git a/OCSF/ocsf/tests/test_iam_1.json b/OCSF/ocsf/tests/test_iam_1.json index e8602082f..099e8045f 100644 --- a/OCSF/ocsf/tests/test_iam_1.json +++ b/OCSF/ocsf/tests/test_iam_1.json @@ -30,7 +30,8 @@ "name": "hollow alignment one" }, "ocsf": { - "activity_id": 0 + "activity_id": 0, + "class_uid": 3003 }, "user": { "target": { diff --git a/OCSF/ocsf/tests/test_iam_2.json b/OCSF/ocsf/tests/test_iam_2.json index 6bd3f03f0..373adf109 100644 --- a/OCSF/ocsf/tests/test_iam_2.json +++ b/OCSF/ocsf/tests/test_iam_2.json @@ -20,7 +20,8 @@ }, "@timestamp": "2023-10-06T05:39:55Z", "ocsf": { - "activity_id": 2 + "activity_id": 2, + "class_uid": 3004 } } } \ No newline at end of file 
diff --git a/OCSF/ocsf/tests/test_iam_3.json b/OCSF/ocsf/tests/test_iam_3.json index eea9c89ef..73f3ec357 100644 --- a/OCSF/ocsf/tests/test_iam_3.json +++ b/OCSF/ocsf/tests/test_iam_3.json @@ -32,7 +32,8 @@ "name": "cottages donor awful" }, "ocsf": { - "activity_id": 3 + "activity_id": 3, + "class_uid": 3006 }, "user": { "target": { diff --git a/OCSF/ocsf/tests/test_iam_4.json b/OCSF/ocsf/tests/test_iam_4.json index e651ce9d7..b90a636fb 100644 --- a/OCSF/ocsf/tests/test_iam_4.json +++ b/OCSF/ocsf/tests/test_iam_4.json @@ -29,7 +29,8 @@ "name": "then nevada berkeley md" }, "ocsf": { - "activity_id": 0 + "activity_id": 0, + "class_uid": 3005 }, "user": { "target": { diff --git a/OCSF/ocsf/tests/test_network_activity_1.json b/OCSF/ocsf/tests/test_network_activity_1.json index ec274815b..e1cf5bd21 100644 --- a/OCSF/ocsf/tests/test_network_activity_1.json +++ b/OCSF/ocsf/tests/test_network_activity_1.json @@ -47,7 +47,8 @@ "packets": 1 }, "ocsf": { - "activity_id": 5 + "activity_id": 5, + "class_uid": 4001 }, "related": { "ip": [ diff --git a/OCSF/ocsf/tests/test_network_activity_10.json b/OCSF/ocsf/tests/test_network_activity_10.json index 0c9801bc0..0746e9daf 100644 --- a/OCSF/ocsf/tests/test_network_activity_10.json +++ b/OCSF/ocsf/tests/test_network_activity_10.json @@ -59,7 +59,8 @@ "application": "stanford leisure analyzed" }, "ocsf": { - "activity_id": 5 + "activity_id": 5, + "class_uid": 4010 }, "process": { "command_line": "goals happen dad", diff --git a/OCSF/ocsf/tests/test_network_activity_11.json b/OCSF/ocsf/tests/test_network_activity_11.json index 66e36f3bc..be3d01fc5 100644 --- a/OCSF/ocsf/tests/test_network_activity_11.json +++ b/OCSF/ocsf/tests/test_network_activity_11.json @@ -57,7 +57,8 @@ "type": "Tablet" }, "ocsf": { - "activity_id": 1 + "activity_id": 1, + "class_uid": 4011 }, "related": { "hosts": [ diff --git a/OCSF/ocsf/tests/test_network_activity_12.json b/OCSF/ocsf/tests/test_network_activity_12.json index d0458e816..5a9f0c3da 100644 
--- a/OCSF/ocsf/tests/test_network_activity_12.json +++ b/OCSF/ocsf/tests/test_network_activity_12.json @@ -46,7 +46,8 @@ "type": "Virtual" }, "ocsf": { - "activity_id": 2 + "activity_id": 2, + "class_uid": 4012 }, "related": { "hosts": [ diff --git a/OCSF/ocsf/tests/test_network_activity_2.json b/OCSF/ocsf/tests/test_network_activity_2.json index ac97b84a4..5c41a4c45 100644 --- a/OCSF/ocsf/tests/test_network_activity_2.json +++ b/OCSF/ocsf/tests/test_network_activity_2.json @@ -69,7 +69,8 @@ "iana_number": "67" }, "ocsf": { - "activity_id": 1 + "activity_id": 1, + "class_uid": 4002 }, "related": { "hosts": [ diff --git a/OCSF/ocsf/tests/test_network_activity_3.json b/OCSF/ocsf/tests/test_network_activity_3.json index e827d2176..75e9e1399 100644 --- a/OCSF/ocsf/tests/test_network_activity_3.json +++ b/OCSF/ocsf/tests/test_network_activity_3.json @@ -59,7 +59,8 @@ ] }, "ocsf": { - "activity_id": 2 + "activity_id": 2, + "class_uid": 4003 }, "related": { "hosts": [ diff --git a/OCSF/ocsf/tests/test_network_activity_4.json b/OCSF/ocsf/tests/test_network_activity_4.json index 25f3dd876..94f0f504a 100644 --- a/OCSF/ocsf/tests/test_network_activity_4.json +++ b/OCSF/ocsf/tests/test_network_activity_4.json @@ -72,7 +72,8 @@ "application": "where image territories" }, "ocsf": { - "activity_id": 6 + "activity_id": 6, + "class_uid": 4004 }, "related": { "hosts": [ diff --git a/OCSF/ocsf/tests/test_network_activity_5.json b/OCSF/ocsf/tests/test_network_activity_5.json index 6fca27560..7a37ebd77 100644 --- a/OCSF/ocsf/tests/test_network_activity_5.json +++ b/OCSF/ocsf/tests/test_network_activity_5.json @@ -71,7 +71,8 @@ "packets": 2072578920 }, "ocsf": { - "activity_id": 6 + "activity_id": 6, + "class_uid": 4005 }, "related": { "hosts": [ diff --git a/OCSF/ocsf/tests/test_network_activity_6.json b/OCSF/ocsf/tests/test_network_activity_6.json index 64ec0e921..552be6c25 100644 --- a/OCSF/ocsf/tests/test_network_activity_6.json +++ b/OCSF/ocsf/tests/test_network_activity_6.json 
@@ -90,7 +90,8 @@ "iana_number": "89" }, "ocsf": { - "activity_id": 3 + "activity_id": 3, + "class_uid": 4006 }, "related": { "hash": [ diff --git a/OCSF/ocsf/tests/test_network_activity_7.json b/OCSF/ocsf/tests/test_network_activity_7.json index d7b5f899d..4a1d29db8 100644 --- a/OCSF/ocsf/tests/test_network_activity_7.json +++ b/OCSF/ocsf/tests/test_network_activity_7.json @@ -56,7 +56,8 @@ } }, "ocsf": { - "activity_id": 0 + "activity_id": 0, + "class_uid": 4007 }, "related": { "hosts": [ diff --git a/OCSF/ocsf/tests/test_network_activity_8.json b/OCSF/ocsf/tests/test_network_activity_8.json index f6a2de5a1..a6ec0df65 100644 --- a/OCSF/ocsf/tests/test_network_activity_8.json +++ b/OCSF/ocsf/tests/test_network_activity_8.json @@ -48,7 +48,8 @@ "packets": 3392751261 }, "ocsf": { - "activity_id": 0 + "activity_id": 0, + "class_uid": 4008 }, "related": { "hosts": [ diff --git a/OCSF/ocsf/tests/test_network_activity_9.json b/OCSF/ocsf/tests/test_network_activity_9.json index cdea19bf1..3d396a87b 100644 --- a/OCSF/ocsf/tests/test_network_activity_9.json +++ b/OCSF/ocsf/tests/test_network_activity_9.json @@ -59,6 +59,9 @@ }, "type": "Tablet" }, + "ocsf": { + "class_uid": 4009 + }, "related": { "ip": [ "175.16.199.1" diff --git a/OCSF/ocsf/tests/test_system_activity_1.json b/OCSF/ocsf/tests/test_system_activity_1.json index cfa924b9e..948b11a71 100644 --- a/OCSF/ocsf/tests/test_system_activity_1.json +++ b/OCSF/ocsf/tests/test_system_activity_1.json @@ -50,7 +50,8 @@ "type": "Browser" }, "ocsf": { - "activity_id": 5 + "activity_id": 5, + "class_uid": 1001 }, "process": { "command_line": "dd apple updating", diff --git a/OCSF/ocsf/tests/test_system_activity_2.json b/OCSF/ocsf/tests/test_system_activity_2.json index 5bbdce530..07a537358 100644 --- a/OCSF/ocsf/tests/test_system_activity_2.json +++ b/OCSF/ocsf/tests/test_system_activity_2.json 
@@ -49,7 +49,8 @@ "type": "IOT" }, "ocsf": { - "activity_id": 2 + "activity_id": 2, + "class_uid": 1002 }, "organization": { "id": "19e79248-61aa-11ee-83d4-0242ac110005", diff --git a/OCSF/ocsf/tests/test_system_activity_3.json b/OCSF/ocsf/tests/test_system_activity_3.json index db74a64f5..1ff88c63a 100644 --- a/OCSF/ocsf/tests/test_system_activity_3.json +++ b/OCSF/ocsf/tests/test_system_activity_3.json @@ -61,7 +61,8 @@ "type": "Browser" }, "ocsf": { - "activity_id": 1 + "activity_id": 1, + "class_uid": 1003 }, "process": { "command_line": "fy believed resolutions", diff --git a/OCSF/ocsf/tests/test_system_activity_4.json b/OCSF/ocsf/tests/test_system_activity_4.json index d26d00d45..ad0ef9f85 100644 --- a/OCSF/ocsf/tests/test_system_activity_4.json +++ b/OCSF/ocsf/tests/test_system_activity_4.json @@ -65,7 +65,8 @@ "type": "Server" }, "ocsf": { - "activity_id": 1 + "activity_id": 1, + "class_uid": 1004 }, "orchestrator": { "type": "integral economics gc" diff --git a/OCSF/ocsf/tests/test_system_activity_5.json b/OCSF/ocsf/tests/test_system_activity_5.json index ef72d62d2..2b6febb61 100644 --- a/OCSF/ocsf/tests/test_system_activity_5.json +++ b/OCSF/ocsf/tests/test_system_activity_5.json @@ -73,7 +73,8 @@ "type": "frontier" }, "ocsf": { - "activity_id": 1 + "activity_id": 1, + "class_uid": 1005 }, "process": { "command_line": "fame little relax", diff --git a/OCSF/ocsf/tests/test_system_activity_6.json b/OCSF/ocsf/tests/test_system_activity_6.json index f8cf1c171..18fb5b0e1 100644 --- a/OCSF/ocsf/tests/test_system_activity_6.json +++ b/OCSF/ocsf/tests/test_system_activity_6.json @@ -71,7 +71,8 @@ "type": "Virtual" }, "ocsf": { - "activity_id": 5 + "activity_id": 5, + "class_uid": 1007 }, "process": { "command_line": "wrist teach engaging", diff --git a/OCSF/ocsf/tests/test_system_activity_7.json b/OCSF/ocsf/tests/test_system_activity_7.json index d915b8f6b..e35675dea 100644 --- a/OCSF/ocsf/tests/test_system_activity_7.json 
+++ b/OCSF/ocsf/tests/test_system_activity_7.json @@ -51,7 +51,8 @@ "type": "Desktop" }, "ocsf": { - "activity_id": 3 + "activity_id": 3, + "class_uid": 1006 }, "related": { "hash": [ From 1bfede6c6054b225db68fc000cf4aa6cb507b2fd Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 9 Apr 2024 13:16:06 +0300 Subject: [PATCH 23/34] Restore event class fields --- OCSF/ocsf/_meta/fields.yml | 10 ++++++++++ OCSF/ocsf/ingest/parser.yml | 3 +++ OCSF/ocsf/tests/test_application_activity_1.json | 2 ++ OCSF/ocsf/tests/test_application_activity_2.json | 2 ++ OCSF/ocsf/tests/test_application_activity_3.json | 2 ++ OCSF/ocsf/tests/test_discovery_1.json | 2 ++ OCSF/ocsf/tests/test_discovery_2.json | 2 ++ OCSF/ocsf/tests/test_findings_1.json | 2 ++ OCSF/ocsf/tests/test_iam_1.json | 2 ++ OCSF/ocsf/tests/test_iam_2.json | 2 ++ OCSF/ocsf/tests/test_iam_3.json | 2 ++ OCSF/ocsf/tests/test_iam_4.json | 2 ++ OCSF/ocsf/tests/test_network_activity_1.json | 2 ++ OCSF/ocsf/tests/test_network_activity_10.json | 2 ++ OCSF/ocsf/tests/test_network_activity_11.json | 2 ++ OCSF/ocsf/tests/test_network_activity_12.json | 2 ++ OCSF/ocsf/tests/test_network_activity_2.json | 2 ++ OCSF/ocsf/tests/test_network_activity_3.json | 2 ++ OCSF/ocsf/tests/test_network_activity_4.json | 2 ++ OCSF/ocsf/tests/test_network_activity_5.json | 2 ++ OCSF/ocsf/tests/test_network_activity_6.json | 2 ++ OCSF/ocsf/tests/test_network_activity_7.json | 2 ++ OCSF/ocsf/tests/test_network_activity_8.json | 2 ++ OCSF/ocsf/tests/test_network_activity_9.json | 1 + OCSF/ocsf/tests/test_system_activity_1.json | 2 ++ OCSF/ocsf/tests/test_system_activity_2.json | 2 ++ OCSF/ocsf/tests/test_system_activity_3.json | 2 ++ OCSF/ocsf/tests/test_system_activity_4.json | 2 ++ OCSF/ocsf/tests/test_system_activity_5.json | 2 ++ OCSF/ocsf/tests/test_system_activity_6.json | 2 ++ OCSF/ocsf/tests/test_system_activity_7.json | 2 ++ 31 files changed, 70 insertions(+) 
diff --git a/OCSF/ocsf/_meta/fields.yml b/OCSF/ocsf/_meta/fields.yml index 27d1994ef..081424c29 100644 --- a/OCSF/ocsf/_meta/fields.yml +++ b/OCSF/ocsf/_meta/fields.yml @@ -3,6 +3,16 @@ ocsf.activity_id: name: ocsf.activity_id type: long +ocsf.activity_name: + description: The event activity name, as defined by the activity_id. + name: ocsf.activity_name + type: keyword + +ocsf.class_name: + description: 'The event class name, as defined by class_uid value: Security Finding.' + name: ocsf.class_name + type: keyword + ocsf.class_uid: description: The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml index b8d03b5f6..25a075954 100644 --- a/OCSF/ocsf/ingest/parser.yml +++ b/OCSF/ocsf/ingest/parser.yml @@ -206,7 +206,10 @@ stages: actions: - set: ocsf.activity_id: "{{parse_event.message.activity_id}}" + ocsf.activity_name: "{{parse_event.message.activity_name}}" + ocsf.class_uid: "{{parse_event.message.class_uid}}" + ocsf.class_name: "{{parse_event.message.class_name}}" organization.id: "{{parse_event.message.cloud.org.uid}}" organization.name: "{{parse_event.message.cloud.org.name}}" diff --git a/OCSF/ocsf/tests/test_application_activity_1.json b/OCSF/ocsf/tests/test_application_activity_1.json index 91a99ba61..fec1ba4d2 100644 --- a/OCSF/ocsf/tests/test_application_activity_1.json +++ b/OCSF/ocsf/tests/test_application_activity_1.json @@ -57,6 +57,8 @@ }, "ocsf": { "activity_id": 4, + "activity_name": "Access Error", + "class_name": "Web Resource Access Activity", "class_uid": 6004 }, "organization": { diff --git a/OCSF/ocsf/tests/test_application_activity_2.json b/OCSF/ocsf/tests/test_application_activity_2.json index 60cff9a35..b2e370bf9 100644 --- a/OCSF/ocsf/tests/test_application_activity_2.json +++ b/OCSF/ocsf/tests/test_application_activity_2.json 
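Review bot: `ocsf.activity_name` and `ocsf.class_name` in the parser hunk are copied verbatim from the producer, so nothing guarantees they agree with `activity_id`/`class_uid` (the application-activity-3 fixture in this patch pairs `activity_id: 99` with `activity_name: "look"`, which OCSF permits for the "Other" value). A comment on those two lines saying that detection content should key on the numeric identifiers and treat the names as display labels would prevent rules being written against free text, e.g. `# *_name values are producer-supplied labels; match on activity_id / class_uid in rules`. The `set_common_fields` stage begins outside this hunk.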
@@ -27,6 +27,8 @@ }, "ocsf": { "activity_id": 1, + "activity_name": "Create", + "class_name": "Web Resources Activity", "class_uid": 6001 }, "package": { diff --git a/OCSF/ocsf/tests/test_application_activity_3.json b/OCSF/ocsf/tests/test_application_activity_3.json index 8b65aff85..17f2c4c72 100644 --- a/OCSF/ocsf/tests/test_application_activity_3.json +++ b/OCSF/ocsf/tests/test_application_activity_3.json @@ -44,6 +44,8 @@ }, "ocsf": { "activity_id": 99, + "activity_name": "look", + "class_name": "Application Lifecycle", "class_uid": 6002 }, "organization": { diff --git a/OCSF/ocsf/tests/test_discovery_1.json b/OCSF/ocsf/tests/test_discovery_1.json index 7cf3af1f2..eeb096f1d 100644 --- a/OCSF/ocsf/tests/test_discovery_1.json +++ b/OCSF/ocsf/tests/test_discovery_1.json @@ -42,6 +42,8 @@ }, "ocsf": { "activity_id": 2, + "activity_name": "Collect", + "class_name": "Device Config State", "class_uid": 5002 }, "organization": { diff --git a/OCSF/ocsf/tests/test_discovery_2.json b/OCSF/ocsf/tests/test_discovery_2.json index 4a2978779..b803ebfbe 100644 --- a/OCSF/ocsf/tests/test_discovery_2.json +++ b/OCSF/ocsf/tests/test_discovery_2.json @@ -55,6 +55,8 @@ }, "ocsf": { "activity_id": 2, + "activity_name": "Collect", + "class_name": "Device Inventory Info", "class_uid": 5001 }, "organization": { diff --git a/OCSF/ocsf/tests/test_findings_1.json b/OCSF/ocsf/tests/test_findings_1.json index 02b863955..225de3140 100644 --- a/OCSF/ocsf/tests/test_findings_1.json +++ b/OCSF/ocsf/tests/test_findings_1.json @@ -32,6 +32,8 @@ }, "ocsf": { "activity_id": 2, + "activity_name": "Update", + "class_name": "Security Finding", "class_uid": 2001 }, "vulnerability": { diff --git a/OCSF/ocsf/tests/test_iam_1.json b/OCSF/ocsf/tests/test_iam_1.json index 099e8045f..677b40caf 100644 --- a/OCSF/ocsf/tests/test_iam_1.json +++ b/OCSF/ocsf/tests/test_iam_1.json 
@@ -31,6 +31,8 @@
 },
 "ocsf": {
 "activity_id": 0,
+ "activity_name": "Unknown",
+ "class_name": "Authorize Session",
 "class_uid": 3003
 },
 "user": {
diff --git a/OCSF/ocsf/tests/test_iam_2.json b/OCSF/ocsf/tests/test_iam_2.json
index 373adf109..28febbc87 100644
--- a/OCSF/ocsf/tests/test_iam_2.json
+++ b/OCSF/ocsf/tests/test_iam_2.json
@@ -21,6 +21,8 @@
 "@timestamp": "2023-10-06T05:39:55Z",
 "ocsf": {
 "activity_id": 2,
+ "activity_name": "Read",
+ "class_name": "Entity Management",
 "class_uid": 3004
 }
 }
diff --git a/OCSF/ocsf/tests/test_iam_3.json b/OCSF/ocsf/tests/test_iam_3.json
index 73f3ec357..42ce069d0 100644
--- a/OCSF/ocsf/tests/test_iam_3.json
+++ b/OCSF/ocsf/tests/test_iam_3.json
@@ -33,6 +33,8 @@
 },
 "ocsf": {
 "activity_id": 3,
+ "activity_name": "Add User",
+ "class_name": "Group Management",
 "class_uid": 3006
 },
 "user": {
diff --git a/OCSF/ocsf/tests/test_iam_4.json b/OCSF/ocsf/tests/test_iam_4.json
index b90a636fb..60f35797f 100644
--- a/OCSF/ocsf/tests/test_iam_4.json
+++ b/OCSF/ocsf/tests/test_iam_4.json
@@ -30,6 +30,8 @@
 },
 "ocsf": {
 "activity_id": 0,
+ "activity_name": "Unknown",
+ "class_name": "User Access Management",
 "class_uid": 3005
 },
 "user": {
diff --git a/OCSF/ocsf/tests/test_network_activity_1.json b/OCSF/ocsf/tests/test_network_activity_1.json
index e1cf5bd21..ad71f9abe 100644
--- a/OCSF/ocsf/tests/test_network_activity_1.json
+++ b/OCSF/ocsf/tests/test_network_activity_1.json
@@ -48,6 +48,8 @@
 },
 "ocsf": {
 "activity_id": 5,
+ "activity_name": "Refuse",
+ "class_name": "Network Activity",
 "class_uid": 4001
 },
 "related": {
diff --git a/OCSF/ocsf/tests/test_network_activity_10.json b/OCSF/ocsf/tests/test_network_activity_10.json
index 0746e9daf..3c7b73476 100644
--- a/OCSF/ocsf/tests/test_network_activity_10.json
+++ b/OCSF/ocsf/tests/test_network_activity_10.json
@@ -60,6 +60,8 @@
 },
 "ocsf": {
 "activity_id": 5,
+ "activity_name": "Rename",
+ "class_name": "Network File Activity",
 "class_uid": 4010
 },
 "process": {
diff --git a/OCSF/ocsf/tests/test_network_activity_11.json b/OCSF/ocsf/tests/test_network_activity_11.json
index be3d01fc5..1b76f9663 100644
--- a/OCSF/ocsf/tests/test_network_activity_11.json
+++ b/OCSF/ocsf/tests/test_network_activity_11.json
@@ -58,6 +58,8 @@
 },
 "ocsf": {
 "activity_id": 1,
+ "activity_name": "Send",
+ "class_name": "Email File Activity",
 "class_uid": 4011
 },
 "related": {
diff --git a/OCSF/ocsf/tests/test_network_activity_12.json b/OCSF/ocsf/tests/test_network_activity_12.json
index 5a9f0c3da..734887981 100644
--- a/OCSF/ocsf/tests/test_network_activity_12.json
+++ b/OCSF/ocsf/tests/test_network_activity_12.json
@@ -47,6 +47,8 @@
 },
 "ocsf": {
 "activity_id": 2,
+ "activity_name": "Receive",
+ "class_name": "Email URL Activity",
 "class_uid": 4012
 },
 "related": {
diff --git a/OCSF/ocsf/tests/test_network_activity_2.json b/OCSF/ocsf/tests/test_network_activity_2.json
index 5c41a4c45..db8576005 100644
--- a/OCSF/ocsf/tests/test_network_activity_2.json
+++ b/OCSF/ocsf/tests/test_network_activity_2.json
@@ -70,6 +70,8 @@
 },
 "ocsf": {
 "activity_id": 1,
+ "activity_name": "Connect",
+ "class_name": "HTTP Activity",
 "class_uid": 4002
 },
 "related": {
diff --git a/OCSF/ocsf/tests/test_network_activity_3.json b/OCSF/ocsf/tests/test_network_activity_3.json
index 75e9e1399..e1abf8f23 100644
--- a/OCSF/ocsf/tests/test_network_activity_3.json
+++ b/OCSF/ocsf/tests/test_network_activity_3.json
@@ -60,6 +60,8 @@
 },
 "ocsf": {
 "activity_id": 2,
+ "activity_name": "Response",
+ "class_name": "DNS Activity",
 "class_uid": 4003
 },
 "related": {
diff --git a/OCSF/ocsf/tests/test_network_activity_4.json b/OCSF/ocsf/tests/test_network_activity_4.json
index 94f0f504a..de1d495f2 100644
--- a/OCSF/ocsf/tests/test_network_activity_4.json
+++ b/OCSF/ocsf/tests/test_network_activity_4.json
@@ -73,6 +73,8 @@
 },
 "ocsf": {
 "activity_id": 6,
+ "activity_name": "Nak",
+ "class_name": "DHCP Activity",
 "class_uid": 4004
 },
 "related": {
diff --git a/OCSF/ocsf/tests/test_network_activity_5.json b/OCSF/ocsf/tests/test_network_activity_5.json
index 7a37ebd77..2bfd8e317 100644
--- a/OCSF/ocsf/tests/test_network_activity_5.json
+++ b/OCSF/ocsf/tests/test_network_activity_5.json
@@ -72,6 +72,8 @@
 },
 "ocsf": {
 "activity_id": 6,
+ "activity_name": "Traffic",
+ "class_name": "RDP Activity",
 "class_uid": 4005
 },
 "related": {
diff --git a/OCSF/ocsf/tests/test_network_activity_6.json b/OCSF/ocsf/tests/test_network_activity_6.json
index 552be6c25..b0c7a819c 100644
--- a/OCSF/ocsf/tests/test_network_activity_6.json
+++ b/OCSF/ocsf/tests/test_network_activity_6.json
@@ -91,6 +91,8 @@
 },
 "ocsf": {
 "activity_id": 3,
+ "activity_name": "File Create",
+ "class_name": "SMB Activity",
 "class_uid": 4006
 },
 "related": {
diff --git a/OCSF/ocsf/tests/test_network_activity_7.json b/OCSF/ocsf/tests/test_network_activity_7.json
index 4a1d29db8..2d1395e3f 100644
--- a/OCSF/ocsf/tests/test_network_activity_7.json
+++ b/OCSF/ocsf/tests/test_network_activity_7.json
@@ -57,6 +57,8 @@
 },
 "ocsf": {
 "activity_id": 0,
+ "activity_name": "Unknown",
+ "class_name": "SSH Activity",
 "class_uid": 4007
 },
 "related": {
diff --git a/OCSF/ocsf/tests/test_network_activity_8.json b/OCSF/ocsf/tests/test_network_activity_8.json
index a6ec0df65..f88e9e6a8 100644
--- a/OCSF/ocsf/tests/test_network_activity_8.json
+++ b/OCSF/ocsf/tests/test_network_activity_8.json
@@ -49,6 +49,8 @@
 },
 "ocsf": {
 "activity_id": 0,
+ "activity_name": "Unknown",
+ "class_name": "FTP Activity",
 "class_uid": 4008
 },
 "related": {
diff --git a/OCSF/ocsf/tests/test_network_activity_9.json b/OCSF/ocsf/tests/test_network_activity_9.json
index 3d396a87b..5a85f7c05 100644
--- a/OCSF/ocsf/tests/test_network_activity_9.json
+++ b/OCSF/ocsf/tests/test_network_activity_9.json
@@ -60,6 +60,7 @@
 "type": "Tablet"
 },
 "ocsf": {
+ "class_name": "Email Activity",
 "class_uid": 4009
 },
 "related": {
diff --git a/OCSF/ocsf/tests/test_system_activity_1.json b/OCSF/ocsf/tests/test_system_activity_1.json
index 948b11a71..b52d44c26 100644
--- a/OCSF/ocsf/tests/test_system_activity_1.json
+++ b/OCSF/ocsf/tests/test_system_activity_1.json
@@ -51,6 +51,8 @@
 },
 "ocsf": {
 "activity_id": 5,
+ "activity_name": "Rename",
+ "class_name": "File System Activity",
 "class_uid": 1001
 },
 "process": {
diff --git a/OCSF/ocsf/tests/test_system_activity_2.json b/OCSF/ocsf/tests/test_system_activity_2.json
index 07a537358..058cec8b2 100644
--- a/OCSF/ocsf/tests/test_system_activity_2.json
+++ b/OCSF/ocsf/tests/test_system_activity_2.json
@@ -50,6 +50,8 @@
 },
 "ocsf": {
 "activity_id": 2,
+ "activity_name": "Unload",
+ "class_name": "Kernel Extension Activity",
 "class_uid": 1002
 },
 "organization": {
diff --git a/OCSF/ocsf/tests/test_system_activity_3.json b/OCSF/ocsf/tests/test_system_activity_3.json
index 1ff88c63a..69bb731a8 100644
--- a/OCSF/ocsf/tests/test_system_activity_3.json
+++ b/OCSF/ocsf/tests/test_system_activity_3.json
@@ -62,6 +62,8 @@
 },
 "ocsf": {
 "activity_id": 1,
+ "activity_name": "Create",
+ "class_name": "Kernel Activity",
 "class_uid": 1003
 },
 "process": {
diff --git a/OCSF/ocsf/tests/test_system_activity_4.json b/OCSF/ocsf/tests/test_system_activity_4.json
index ad0ef9f85..e785dacae 100644
--- a/OCSF/ocsf/tests/test_system_activity_4.json
+++ b/OCSF/ocsf/tests/test_system_activity_4.json
@@ -66,6 +66,8 @@
 },
 "ocsf": {
 "activity_id": 1,
+ "activity_name": "Allocate Page",
+ "class_name": "Memory Activity",
 "class_uid": 1004
 },
 "orchestrator": {
diff --git a/OCSF/ocsf/tests/test_system_activity_5.json b/OCSF/ocsf/tests/test_system_activity_5.json
index 2b6febb61..cec6da7dc 100644
--- a/OCSF/ocsf/tests/test_system_activity_5.json
+++ b/OCSF/ocsf/tests/test_system_activity_5.json
@@ -74,6 +74,8 @@
 },
 "ocsf": {
 "activity_id": 1,
+ "activity_name": "Load",
+ "class_name": "Module Activity",
 "class_uid": 1005
 },
 "process": {
diff --git a/OCSF/ocsf/tests/test_system_activity_6.json b/OCSF/ocsf/tests/test_system_activity_6.json
index 18fb5b0e1..210ebf40b 100644
--- a/OCSF/ocsf/tests/test_system_activity_6.json
+++ b/OCSF/ocsf/tests/test_system_activity_6.json
@@ -72,6 +72,8 @@
 },
 "ocsf": {
 "activity_id": 5,
+ "activity_name": "Set User ID",
+ "class_name": "Process Activity",
 "class_uid": 1007
 },
 "process": {
diff --git a/OCSF/ocsf/tests/test_system_activity_7.json b/OCSF/ocsf/tests/test_system_activity_7.json
index e35675dea..2160c2ea2 100644
--- a/OCSF/ocsf/tests/test_system_activity_7.json
+++ b/OCSF/ocsf/tests/test_system_activity_7.json
@@ -52,6 +52,8 @@
 },
 "ocsf": {
 "activity_id": 3,
+ "activity_name": "Delete",
+ "class_name": "Scheduled Job Activity",
 "class_uid": 1006
 },
 "related": {
From 57d036d523130330971eb363b7341db62669b3c6 Mon Sep 17 00:00:00 2001
From: lvoloshyn-sekoia Date: Thu, 25 Apr 2024 15:50:31 +0300 Subject: [PATCH 24/34] Use realistic samples --- OCSF/ocsf/ingest/parser.yml | 4 +- OCSF/ocsf/tests/test_account_change_1.json | 67 ++++++++ OCSF/ocsf/tests/test_api_activity_1.json | 68 ++++++++ OCSF/ocsf/tests/test_api_activity_2.json | 68 ++++++++ .../tests/test_application_activity_1.json | 107 ------------ .../tests/test_application_activity_2.json | 62 ------- .../tests/test_application_activity_3.json | 69 -------- OCSF/ocsf/tests/test_authentication_1.json | 76 +++++++++ OCSF/ocsf/tests/test_authentication_2.json | 80 +++++++++ OCSF/ocsf/tests/test_authentication_3.json | 71 ++++++++ .../ocsf/tests/test_compliance_finding_1.json | 40 +++++ OCSF/ocsf/tests/test_detection_finding_1.json | 40 +++++ OCSF/ocsf/tests/test_discovery_1.json | 68 -------- OCSF/ocsf/tests/test_discovery_2.json | 66 -------- OCSF/ocsf/tests/test_dns_activity_1.json | 75 +++++++++ OCSF/ocsf/tests/test_findings_1.json | 64 -------- OCSF/ocsf/tests/test_http_activity_1.json | 60 +++++++ OCSF/ocsf/tests/test_iam_1.json | 49 ------ OCSF/ocsf/tests/test_iam_2.json | 29 ---- OCSF/ocsf/tests/test_iam_3.json | 58 ------- OCSF/ocsf/tests/test_iam_4.json | 48 ------ OCSF/ocsf/tests/test_network_activity_1.json | 53 +++--- OCSF/ocsf/tests/test_network_activity_10.json | 125 -------------- OCSF/ocsf/tests/test_network_activity_11.json | 84 ---------- OCSF/ocsf/tests/test_network_activity_12.json | 72 -------- OCSF/ocsf/tests/test_network_activity_2.json | 121 ++++---------- OCSF/ocsf/tests/test_network_activity_3.json | 79 +++------ OCSF/ocsf/tests/test_network_activity_4.json | 91 ++-------- OCSF/ocsf/tests/test_network_activity_5.json | 133 ++------------- OCSF/ocsf/tests/test_network_activity_6.json | 129 +++------------ OCSF/ocsf/tests/test_network_activity_7.json | 85 ---------- OCSF/ocsf/tests/test_network_activity_8.json | 85 ---------- OCSF/ocsf/tests/test_network_activity_9.json | 72 -------- 
OCSF/ocsf/tests/test_process_activity_1.json | 73 +++++++++ OCSF/ocsf/tests/test_process_activity_2.json | 64 ++++++++ OCSF/ocsf/tests/test_security_finding_1.json | 35 ++++ OCSF/ocsf/tests/test_security_finding_2.json | 40 +++++ OCSF/ocsf/tests/test_security_finding_3.json | 39 +++++ OCSF/ocsf/tests/test_security_finding_4.json | 39 +++++ OCSF/ocsf/tests/test_security_finding_5.json | 39 +++++ OCSF/ocsf/tests/test_security_finding_6.json | 39 +++++ OCSF/ocsf/tests/test_system_activity_1.json | 119 +------------- OCSF/ocsf/tests/test_system_activity_2.json | 118 +------------ OCSF/ocsf/tests/test_system_activity_3.json | 140 ---------------- OCSF/ocsf/tests/test_system_activity_4.json | 145 ---------------- OCSF/ocsf/tests/test_system_activity_5.json | 155 ------------------ OCSF/ocsf/tests/test_system_activity_6.json | 143 ---------------- OCSF/ocsf/tests/test_system_activity_7.json | 74 --------- .../tests/test_vulnerability_finding_1.json | 49 ++++++ .../test_windows_resource_activity_1.json | 22 +++ 50 files changed, 1238 insertions(+), 2493 deletions(-) create mode 100644 OCSF/ocsf/tests/test_account_change_1.json create mode 100644 OCSF/ocsf/tests/test_api_activity_1.json create mode 100644 OCSF/ocsf/tests/test_api_activity_2.json delete mode 100644 OCSF/ocsf/tests/test_application_activity_1.json delete mode 100644 OCSF/ocsf/tests/test_application_activity_2.json delete mode 100644 OCSF/ocsf/tests/test_application_activity_3.json create mode 100644 OCSF/ocsf/tests/test_authentication_1.json create mode 100644 OCSF/ocsf/tests/test_authentication_2.json create mode 100644 OCSF/ocsf/tests/test_authentication_3.json create mode 100644 OCSF/ocsf/tests/test_compliance_finding_1.json create mode 100644 OCSF/ocsf/tests/test_detection_finding_1.json delete mode 100644 OCSF/ocsf/tests/test_discovery_1.json delete mode 100644 OCSF/ocsf/tests/test_discovery_2.json create mode 100644 OCSF/ocsf/tests/test_dns_activity_1.json delete mode 100644 
OCSF/ocsf/tests/test_findings_1.json
create mode 100644 OCSF/ocsf/tests/test_http_activity_1.json
delete mode 100644 OCSF/ocsf/tests/test_iam_1.json
delete mode 100644 OCSF/ocsf/tests/test_iam_2.json
delete mode 100644 OCSF/ocsf/tests/test_iam_3.json
delete mode 100644 OCSF/ocsf/tests/test_iam_4.json
delete mode 100644 OCSF/ocsf/tests/test_network_activity_10.json
delete mode 100644 OCSF/ocsf/tests/test_network_activity_11.json
delete mode 100644 OCSF/ocsf/tests/test_network_activity_12.json
delete mode 100644 OCSF/ocsf/tests/test_network_activity_7.json
delete mode 100644 OCSF/ocsf/tests/test_network_activity_8.json
delete mode 100644 OCSF/ocsf/tests/test_network_activity_9.json
create mode 100644 OCSF/ocsf/tests/test_process_activity_1.json
create mode 100644 OCSF/ocsf/tests/test_process_activity_2.json
create mode 100644 OCSF/ocsf/tests/test_security_finding_1.json
create mode 100644 OCSF/ocsf/tests/test_security_finding_2.json
create mode 100644 OCSF/ocsf/tests/test_security_finding_3.json
create mode 100644 OCSF/ocsf/tests/test_security_finding_4.json
create mode 100644 OCSF/ocsf/tests/test_security_finding_5.json
create mode 100644 OCSF/ocsf/tests/test_security_finding_6.json
delete mode 100644 OCSF/ocsf/tests/test_system_activity_3.json
delete mode 100644 OCSF/ocsf/tests/test_system_activity_4.json
delete mode 100644 OCSF/ocsf/tests/test_system_activity_5.json
delete mode 100644 OCSF/ocsf/tests/test_system_activity_6.json
delete mode 100644 OCSF/ocsf/tests/test_system_activity_7.json
create mode 100644 OCSF/ocsf/tests/test_vulnerability_finding_1.json
create mode 100644 OCSF/ocsf/tests/test_windows_resource_activity_1.json
diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml
index 25a075954..61f7255e3 100644
--- a/OCSF/ocsf/ingest/parser.yml
+++ b/OCSF/ocsf/ingest/parser.yml
@@ -489,6 +489,8 @@ stages:
 filter: "{{ parse_event.message.src_endpoint.hostname != null }}"
 - set:
 source.ip: "{{ parse_event.message.src_endpoint.ip }}"
+ filter: "{{ parse_event.message.src_endpoint.ip | is_ipaddress }}"
+ - set:
 source.mac: "{{ parse_event.message.src_endpoint.mac }}"
 source.port: "{{ parse_event.message.src_endpoint.port }}"
 - set:
@@ -854,7 +856,7 @@ stages:
 vulnerability.description: >
 [{%- for item in parse_event.message.vulnerabilities -%}'{{item.desc}}',{%- endfor -%}]
 vulnerability.score.base: >
- [{%- for item in parse_event.message.vulnerabilities -%}'{{item.cve.cvss.base_score}}',{%- endfor -%}]
+ [{%- for item in parse_event.message.vulnerabilities -%}'{{item.cve.cvss.base_score | float}}',{%- endfor -%}]
 vulnerability.severity: >
 [{%- for item in parse_event.message.vulnerabilities -%}'{{item.severity}}',{%- endfor -%}]
 vulnerability.scanner.vendor: >
diff --git a/OCSF/ocsf/tests/test_account_change_1.json b/OCSF/ocsf/tests/test_account_change_1.json
new file mode 100644
index 000000000..9a09eed7b
--- /dev/null
+++ b/OCSF/ocsf/tests/test_account_change_1.json
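Review bot: `item.cve.cvss.base_score | float` in the `vulnerability.score.base` template turns a missing or null base score into a real-looking value if the engine's `float` filter follows Jinja's default of returning 0.0 when conversion fails, which the Jinja syntax used throughout these templates suggests. A vulnerability with no CVSS data would then be exported with a base score of 0.0 instead of no score, which is the wrong signal for anything that sorts or filters findings by score. Because the sibling `vulnerability.description`/`vulnerability.severity` lists are index-aligned, the entry cannot simply be dropped; a guarded expression such as `'{{ item.cve.cvss.base_score | float if item.cve.cvss.base_score is not none else '' }}',` keeps alignment without fabricating a score, with the empty representation chosen to match how the intake parses this list. The enclosing `set` action starts outside the hunk.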
@@ -0,0 +1,67 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"actor\": {\"idp\": {\"name\": null}, \"invoked_by\": null, \"session\": {\"created_time\": 1700239437000, \"created_time_dt\": \"2023-11-17T16:43:57Z\", \"is_mfa\": false, \"issuer\": \"arn:aws:iam::112233445566:role/Admin\"}, \"user\": {\"account\": {\"uid\": \"112233445566\"}, \"credential_uid\": null, \"type\": \"AssumedRole\", \"uid\": \"arn:aws:sts::112233445566:assumed-role/Admin/Admin-user\", \"uid_alt\": \"AROA2W7SOKHEXAMPLE:Admin-user\"}}, \"api\": {\"operation\": \"CreateUser\", \"request\": {\"data\": {\"userName\": \"test_user2\"}, \"uid\": \"c99bf9da-e0bd-4bf7-bb32-example\"}, \"response\": {\"data\": {\"user\": {\"arn\": \"arn:aws:iam::112233445566:user/test_user2\", \"createDate\": \"Mar 17, 2023 5:07:59 PM\", \"path\": \"/\", \"userId\": \"AIDA2W7SOKHEXAMPLE\", \"userName\": \"test_user2\"}}, \"error\": null, \"message\": null}, \"service\": {\"name\": \"iam.amazonaws.com\"}, \"version\": null}, \"category_name\": \"Identity & Access Management Category\", \"category_uid\": 3, \"class_name\": \"Account Change\", \"class_uid\": 3001, \"cloud\": {\"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"http_request\": {\"user_agent\": \"AWS Internal\"}, \"metadata\": {\"log_name\": \"AwsApiCall\", \"log_provider\": \"CloudTrail\", \"product\": {\"feature\": {\"name\": \"Management\"}, \"name\": \"CloudTrail\", \"vendor_name\": \"AWS\", \"version\": \"1.08\"}, \"profiles\": [\"cloud\", \"datetime\"], \"uid\": \"7dd15a89-ae0f-4340-8e6c-example\", \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"user.name\", \"type\": \"User\", \"type_id\": 4, \"value\": \"test_user2\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"52.95.4.21\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"52.95.4.21\", \"uid\": null}, \"time\": 1679072879000, \"time_dt\": \"2023-03-17T17:07:59Z\", 
\"type_name\": \"Account Change: Create\", \"type_uid\": 300101, \"unmapped\": {\"eventType\": \"AwsApiCall\", \"managementEvent\": true, \"readOnly\": false, \"recipientAccountId\": \"112233445566\", \"requestParameters\": {\"userName\": \"test_user2\"}, \"responseElements\": {\"user\": {\"arn\": \"arn:aws:iam::112233445566:user/test_user2\", \"createDate\": \"Mar 17, 2023 5:07:59 PM\", \"path\": \"/\", \"userId\": \"AIDA2W7SOKHEXAMPLE\", \"userName\": \"test_user2\"}}, \"sessionCredentialFromConsole\": \"true\", \"userIdentity\": {\"sessionContext\": {\"attributes\": {\"mfaAuthenticated\": \"false\"}, \"sessionIssuer\": {\"accountId\": \"112233445566\", \"principalId\": \"AROA2W7SOKHEXAMPLE\", \"type\": \"Role\"}, \"webIdFederationData\": {}}}}, \"user\": {\"name\": \"test_user2\", \"uid\": \"AROA2W7SOKHEXAMPLE:Admin-user\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"actor\": {\"idp\": {\"name\": null}, \"invoked_by\": null, \"session\": {\"created_time\": 1700239437000, \"created_time_dt\": \"2023-11-17T16:43:57Z\", \"is_mfa\": false, \"issuer\": \"arn:aws:iam::112233445566:role/Admin\"}, \"user\": {\"account\": {\"uid\": \"112233445566\"}, \"credential_uid\": null, \"type\": \"AssumedRole\", \"uid\": \"arn:aws:sts::112233445566:assumed-role/Admin/Admin-user\", \"uid_alt\": \"AROA2W7SOKHEXAMPLE:Admin-user\"}}, \"api\": {\"operation\": \"CreateUser\", \"request\": {\"data\": {\"userName\": \"test_user2\"}, \"uid\": \"c99bf9da-e0bd-4bf7-bb32-example\"}, \"response\": {\"data\": {\"user\": {\"arn\": \"arn:aws:iam::112233445566:user/test_user2\", \"createDate\": \"Mar 17, 2023 5:07:59 PM\", \"path\": \"/\", \"userId\": \"AIDA2W7SOKHEXAMPLE\", \"userName\": \"test_user2\"}}, \"error\": null, \"message\": null}, \"service\": {\"name\": \"iam.amazonaws.com\"}, \"version\": null}, \"category_name\": \"Identity & Access Management Category\", \"category_uid\": 3, \"class_name\": \"Account Change\", \"class_uid\": 3001, 
\"cloud\": {\"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"http_request\": {\"user_agent\": \"AWS Internal\"}, \"metadata\": {\"log_name\": \"AwsApiCall\", \"log_provider\": \"CloudTrail\", \"product\": {\"feature\": {\"name\": \"Management\"}, \"name\": \"CloudTrail\", \"vendor_name\": \"AWS\", \"version\": \"1.08\"}, \"profiles\": [\"cloud\", \"datetime\"], \"uid\": \"7dd15a89-ae0f-4340-8e6c-example\", \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"user.name\", \"type\": \"User\", \"type_id\": 4, \"value\": \"test_user2\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"52.95.4.21\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"52.95.4.21\", \"uid\": null}, \"time\": 1679072879000, \"time_dt\": \"2023-03-17T17:07:59Z\", \"type_name\": \"Account Change: Create\", \"type_uid\": 300101, \"unmapped\": {\"eventType\": \"AwsApiCall\", \"managementEvent\": true, \"readOnly\": false, \"recipientAccountId\": \"112233445566\", \"requestParameters\": {\"userName\": \"test_user2\"}, \"responseElements\": {\"user\": {\"arn\": \"arn:aws:iam::112233445566:user/test_user2\", \"createDate\": \"Mar 17, 2023 5:07:59 PM\", \"path\": \"/\", \"userId\": \"AIDA2W7SOKHEXAMPLE\", \"userName\": \"test_user2\"}}, \"sessionCredentialFromConsole\": \"true\", \"userIdentity\": {\"sessionContext\": {\"attributes\": {\"mfaAuthenticated\": \"false\"}, \"sessionIssuer\": {\"accountId\": \"112233445566\", \"principalId\": \"AROA2W7SOKHEXAMPLE\", \"type\": \"Role\"}, \"webIdFederationData\": {}}}}, \"user\": {\"name\": \"test_user2\", \"uid\": \"AROA2W7SOKHEXAMPLE:Admin-user\"}}", + "event": { + "action": "create", + "category": [ + "iam" + ], + "kind": "event", + "provider": "CloudTrail", + "severity": 1, + "type": [ + "creation", + "info", + "user" + ] + }, + "@timestamp": "2023-03-17T17:07:59Z", + "cloud": { + "provider": "AWS", + "region": "us-east-1" + }, + "ocsf": { + "activity_id": 1, + 
"activity_name": "Create",
+ "class_name": "Account Change",
+ "class_uid": 3001
+ },
+ "related": {
+ "ip": [
+ "52.95.4.21"
+ ]
+ },
+ "source": {
+ "address": "52.95.4.21",
+ "ip": "52.95.4.21"
+ },
+ "user": {
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "arn:aws:sts::112233445566:assumed-role/Admin/Admin-user",
+ "target": {
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "AROA2W7SOKHEXAMPLE:Admin-user",
+ "name": "test_user2"
+ }
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Other",
+ "original": "AWS Internal",
+ "os": {
+ "name": "Other"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_api_activity_1.json b/OCSF/ocsf/tests/test_api_activity_1.json
new file mode 100644
index 000000000..1c78111ee
--- /dev/null
+++ b/OCSF/ocsf/tests/test_api_activity_1.json
@@ -0,0 +1,68 @@ +{ + "input": { + "message": "{\"activity_id\": 2, \"activity_name\": \"Read\", \"actor\": {\"idp\": {\"name\": null}, \"invoked_by\": null, \"session\": {\"created_time\": 0, \"created_time_dt\": null, \"issuer\": null}, \"user\": {\"account\": {\"uid\": \"1111111111111\"}, \"credential_uid\": \"AKIA3Z2XBVEXAMPLE\", \"name\": \"Level6\", \"type\": \"IAMUser\", \"uid\": \"arn:aws:iam::1111111111111:user/Level6\", \"uid_alt\": \"AIDADO2GQEXAMPLE\"}}, \"api\": {\"operation\": \"DescribeDirectConnectGateways\", \"request\": {\"data\": null, \"uid\": \"1c8a6220-4263-4763-b526-example\"}, \"response\": {\"data\": {\"directConnectGateways\": []}, \"error\": null, \"message\": null}, \"service\": {\"name\": \"directconnect.amazonaws.com\"}, \"version\": null}, \"category_name\": \"Application Activity\", \"category_uid\": 6, \"class_name\": \"API Activity\", \"class_uid\": 6003, \"cloud\": {\"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"http_request\": {\"user_agent\": \"Boto3/1.15.2 Python/3.8.2 Linux/5.6.3-arch1-1 Botocore/1.18.2\"}, \"metadata\": {\"log_name\": \"AwsApiCall\", \"log_provider\": \"CloudTrail\", \"product\": {\"feature\": {\"name\": null}, \"name\": \"CloudTrail\", \"vendor_name\": \"AWS\", \"version\": \"1.05\"}, \"profiles\": [\"cloud\", \"datetime\"], \"uid\": \"71c88be9-ea5c-43c7-8c82-example\", \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"actor.user.name\", \"type\": \"User\", \"type_id\": 4, \"value\": \"Level6\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"205.8.181.128\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"205.8.181.128\"}, \"status\": null, \"status_id\": 99, \"time\": 1695334972000, \"time_dt\": \"2023-09-21T22:22:52Z\", \"type_name\": \"API Activity: Read\", \"type_uid\": 600302, \"unmapped\": {\"eventType\": \"AwsApiCall\", \"recipientAccountId\": \"1111111111111\", \"requestParameters\": null, \"responseElements\": 
{\"directConnectGateways\": []}, \"userIdentity\": {}}}" + }, + "expected": { + "message": "{\"activity_id\": 2, \"activity_name\": \"Read\", \"actor\": {\"idp\": {\"name\": null}, \"invoked_by\": null, \"session\": {\"created_time\": 0, \"created_time_dt\": null, \"issuer\": null}, \"user\": {\"account\": {\"uid\": \"1111111111111\"}, \"credential_uid\": \"AKIA3Z2XBVEXAMPLE\", \"name\": \"Level6\", \"type\": \"IAMUser\", \"uid\": \"arn:aws:iam::1111111111111:user/Level6\", \"uid_alt\": \"AIDADO2GQEXAMPLE\"}}, \"api\": {\"operation\": \"DescribeDirectConnectGateways\", \"request\": {\"data\": null, \"uid\": \"1c8a6220-4263-4763-b526-example\"}, \"response\": {\"data\": {\"directConnectGateways\": []}, \"error\": null, \"message\": null}, \"service\": {\"name\": \"directconnect.amazonaws.com\"}, \"version\": null}, \"category_name\": \"Application Activity\", \"category_uid\": 6, \"class_name\": \"API Activity\", \"class_uid\": 6003, \"cloud\": {\"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"http_request\": {\"user_agent\": \"Boto3/1.15.2 Python/3.8.2 Linux/5.6.3-arch1-1 Botocore/1.18.2\"}, \"metadata\": {\"log_name\": \"AwsApiCall\", \"log_provider\": \"CloudTrail\", \"product\": {\"feature\": {\"name\": null}, \"name\": \"CloudTrail\", \"vendor_name\": \"AWS\", \"version\": \"1.05\"}, \"profiles\": [\"cloud\", \"datetime\"], \"uid\": \"71c88be9-ea5c-43c7-8c82-example\", \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"actor.user.name\", \"type\": \"User\", \"type_id\": 4, \"value\": \"Level6\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"205.8.181.128\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"205.8.181.128\"}, \"status\": null, \"status_id\": 99, \"time\": 1695334972000, \"time_dt\": \"2023-09-21T22:22:52Z\", \"type_name\": \"API Activity: Read\", \"type_uid\": 600302, \"unmapped\": {\"eventType\": \"AwsApiCall\", \"recipientAccountId\": \"1111111111111\", 
\"requestParameters\": null, \"responseElements\": {\"directConnectGateways\": []}, \"userIdentity\": {}}}",
+ "event": {
+ "action": "read",
+ "category": [
+ "web"
+ ],
+ "kind": "event",
+ "provider": "CloudTrail",
+ "severity": 1,
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2023-09-21T22:22:52Z",
+ "cloud": {
+ "provider": "AWS",
+ "region": "us-east-1"
+ },
+ "ocsf": {
+ "activity_id": 2,
+ "activity_name": "Read",
+ "class_name": "API Activity",
+ "class_uid": 6003
+ },
+ "package": {
+ "description": [],
+ "name": [],
+ "type": []
+ },
+ "related": {
+ "ip": [
+ "205.8.181.128"
+ ],
+ "user": [
+ "Level6"
+ ]
+ },
+ "source": {
+ "address": "205.8.181.128",
+ "ip": "205.8.181.128"
+ },
+ "user": {
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "arn:aws:iam::1111111111111:user/Level6",
+ "name": "Level6"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Spider"
+ },
+ "name": "Boto3",
+ "original": "Boto3/1.15.2 Python/3.8.2 Linux/5.6.3-arch1-1 Botocore/1.18.2",
+ "os": {
+ "name": "Linux",
+ "version": "5.6.3"
+ },
+ "version": "1.15.2"
+ }
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_api_activity_2.json b/OCSF/ocsf/tests/test_api_activity_2.json
new file mode 100644
index 000000000..f72001c31
--- /dev/null
+++ b/OCSF/ocsf/tests/test_api_activity_2.json
@@ -0,0 +1,68 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"actor\": {\"session\": {\"credential_uid\": \"EXAMPLEUIDTEST\", \"issuer\": \"arn:aws:iam::123456789012:role/example-test-161366663-NodeInstanceRole-abc12345678912\", \"uid\": \"i-12345678901\"}, \"user\": {\"groups\": [{\"name\": \"system:bootstrappers\"}, {\"name\": \"system:nodes\"}, {\"name\": \"system:authenticated\"}], \"name\": \"system:node:ip-192-001-02-03.ec2.internal\", \"type_id\": 0, \"uid\": \"heptio-authenticator-aws:123456789012:ABCD1234567890EXAMPLE\"}}, \"api\": {\"operation\": \"create\", \"request\": {\"uid\": \"f47c68f2-d3ac-4f96-b2f4-5d497bf79b64\"}, \"response\": {\"code\": 201}, \"version\": \"v1\"}, \"category_name\": \"Application Activity\", \"category_uid\": 6, \"class_name\": \"API Activity\", \"class_uid\": 6003, \"cloud\": {\"account\": {\"uid\": \"arn:aws:sts::123456789012:assumed-role/example-test-161366663-NodeInstanceRole-abc12345678912/i-12345678901\"}, \"provider\": \"AWS\"}, \"http_request\": {\"url\": {\"path\": \"/api/v1/nodes\"}, \"user_agent\": \"kubelet/v1.21.2 (linux/amd64) kubernetes/729bdfc\"}, \"message\": \"ResponseComplete\", \"metadata\": {\"log_level\": \"RequestResponse\", \"product\": {\"feature\": {\"name\": \"Elastic Kubernetes Service\"}, \"name\": \"Amazon EKS\", \"vendor_name\": \"AWS\", \"version\": \"audit.k8s.io/v1\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"actor.user.name\", \"type\": \"User Name\", \"type_id\": 4, \"value\": \"system:node:ip-192-001-02-03.ec2.internal\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"12.000.22.33\"}, {\"name\": \"http_request.url.path\", \"type\": \"URL String\", \"type_id\": 6, \"value\": \"/api/v1/nodes\"}], \"resources\": [{\"name\": \"ip-192-001-02-03.ec2.internal\", \"type\": \"nodes\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": 
\"12.000.22.33\"}, \"start_time_dt\": \"2021-09-07 20:37:30.502000\", \"time\": 1631047050642, \"time_dt\": \"2021-09-07 20:37:30.642000\", \"type_name\": \"API Activity: Create\", \"type_uid\": 600301, \"unmapped\": {\"responseObject.status.capacity.cpu\": \"4\", \"annotations.authorization.k8s.io/reason\": \"\", \"requestObject.metadata.annotations.volumes.kubernetes.io/controller-managed-attach-detach\": \"true\", \"responseObject.metadata.labels.kubernetes.io/hostname\": \"ip-192-001-02-03.ec2.internal\", \"requestObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateVersion\": \"1\", \"responseObject.metadata.labels.alpha.eksctl.io/cluster-name\": \"ABCD1234567890EXAMPLE\", \"responseObject.metadata.labels.eks.amazonaws.com/nodegroup-image\": \"ami-0193ebf9573ebc9f7\", \"responseObject.metadata.managedFields[].time\": \"2021-09-07T20:37:30Z\", \"responseObject.status.nodeInfo.kubeletVersion\": \"v1.21.2-eks-55daa9d\", \"responseObject.status.nodeInfo.kubeProxyVersion\": \"v1.21.2-eks-55daa9d\", \"requestObject.status.capacity.hugepages-1Gi\": \"0\", \"responseObject.metadata.managedFields[].manager\": \"kubelet\", \"annotations.authorization.k8s.io/decision\": \"allow\", \"requestObject.status.nodeInfo.systemUUID\": \"ec2483c6-33b0-e271-f36c-e14e45a361b8\", \"responseObject.metadata.name\": \"ip-192-001-02-03.ec2.internal\", \"responseObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateVersion\": \"1\", \"responseObject.apiVersion\": \"v1\", \"requestObject.metadata.labels.kubernetes.io/arch\": \"amd64\", \"requestObject.status.allocatable.hugepages-2Mi\": \"0\", \"requestObject.metadata.labels.alpha.eksctl.io/cluster-name\": \"ABCD1234567890EXAMPLE\", \"responseObject.status.allocatable.memory\": \"15076868Ki\", \"responseObject.status.conditions[].lastHeartbeatTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"responseObject.spec.providerID\": \"aws:///us-east-1f/i-12345678901\", 
\"requestObject.status.nodeInfo.architecture\": \"amd64\", \"responseObject.status.nodeInfo.kernelVersion\": \"5.4.141-67.229.amzn2.x86_64\", \"responseObject.status.allocatable.pods\": \"58\", \"requestObject.status.conditions[].status\": \"False,False,False,False\", \"requestObject.metadata.labels.failure-domain.beta.kubernetes.io/region\": \"us-east-1\", \"responseObject.metadata.labels.beta.kubernetes.io/os\": \"linux\", \"responseObject.metadata.labels.kubernetes.io/os\": \"linux\", \"requestObject.status.addresses[].address\": \"192.000.22.33,12.000.22.33,ip-192-001-02-03.ec2.internal,ip-192-001-02-03.ec2.internal,ec2-12.000.22.33.compute-1.amazonaws.com\", \"responseObject.status.capacity.hugepages-1Gi\": \"0\", \"responseObject.status.conditions[].reason\": \"KubeletHasSufficientMemory,KubeletHasNoDiskPressure,KubeletHasSufficientPID,KubeletNotReady\", \"requestObject.apiVersion\": \"v1\", \"requestObject.status.capacity.cpu\": \"4\", \"requestObject.metadata.labels.node.kubernetes.io/instance-type\": \"m5.xlarge\", \"requestObject.metadata.labels.eks.amazonaws.com/nodegroup-image\": \"ami-0193ebf9573ebc9f7\", \"responseObject.metadata.labels.node.kubernetes.io/instance-type\": \"m5.xlarge\", \"responseObject.status.allocatable.hugepages-2Mi\": \"0\", \"responseObject.status.allocatable.attachable-volumes-aws-ebs\": \"25\", \"requestObject.status.nodeInfo.containerRuntimeVersion\": \"docker://19.3.13\", \"requestObject.status.allocatable.attachable-volumes-aws-ebs\": \"25\", \"responseObject.status.conditions[].lastTransitionTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"responseObject.metadata.creationTimestamp\": \"2021-09-07T20:37:30Z\", \"requestObject.metadata.labels.kubernetes.io/hostname\": \"ip-192-001-02-03.ec2.internal\", \"requestObject.status.nodeInfo.bootID\": \"0d0dd4f2-8829-4b03-9f29-794f4908281b\", \"requestObject.status.nodeInfo.kubeProxyVersion\": \"v1.21.2-eks-55daa9d\", 
\"responseObject.kind\": \"Node\", \"requestObject.status.nodeInfo.osImage\": \"Amazon Linux 2\", \"requestObject.status.conditions[].type\": \"MemoryPressure,DiskPressure,PIDPressure,Ready\", \"requestObject.status.daemonEndpoints.kubeletEndpoint.Port\": \"10250\", \"responseObject.metadata.labels.kubernetes.io/arch\": \"amd64\", \"responseObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateId\": \"lt-0f20d6f901007611e\", \"requestObject.status.capacity.attachable-volumes-aws-ebs\": \"25\", \"responseObject.status.conditions[].message\": \"kubelet has sufficient memory available,kubelet has no disk pressure,kubelet has sufficient PID available,[container runtime status check may not have completed yet, container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized, CSINode is not yet initialized, missing node capacity for resources: ephemeral-storage]\", \"responseObject.status.nodeInfo.operatingSystem\": \"linux\", \"requestObject.metadata.labels.alpha.eksctl.io/nodegroup-name\": \"ng-5fe434eb\", \"responseObject.status.capacity.memory\": \"16093700Ki\", \"requestObject.metadata.labels.beta.kubernetes.io/arch\": \"amd64\", \"requestObject.metadata.labels.eks.amazonaws.com/capacityType\": \"ON_DEMAND\", \"requestObject.status.allocatable.memory\": \"15076868Ki\", \"requestObject.status.conditions[].lastHeartbeatTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"responseObject.status.capacity.attachable-volumes-aws-ebs\": \"25\", \"responseObject.status.nodeInfo.osImage\": \"Amazon Linux 2\", \"responseObject.metadata.labels.beta.kubernetes.io/instance-type\": \"m5.xlarge\", \"responseObject.metadata.labels.alpha.eksctl.io/nodegroup-name\": \"ng-5fe434eb\", \"requestObject.metadata.labels.beta.kubernetes.io/instance-type\": \"m5.xlarge\", \"responseObject.status.nodeInfo.architecture\": \"amd64\", 
\"responseObject.metadata.labels.topology.kubernetes.io/zone\": \"us-east-1f\", \"requestObject.status.capacity.hugepages-2Mi\": \"0\", \"requestObject.status.conditions[].message\": \"kubelet has sufficient memory available,kubelet has no disk pressure,kubelet has sufficient PID available,[container runtime status check may not have completed yet, container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized, CSINode is not yet initialized, missing node capacity for resources: ephemeral-storage]\", \"responseObject.metadata.labels.failure-domain.beta.kubernetes.io/region\": \"us-east-1\", \"requestObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateId\": \"lt-0f20d6f901007611e\", \"responseObject.spec.taints[].effect\": \"NoSchedule\", \"requestObject.metadata.labels.topology.kubernetes.io/region\": \"us-east-1\", \"requestObject.metadata.name\": \"ip-192-001-02-03.ec2.internal\", \"responseObject.status.nodeInfo.machineID\": \"ec2483c633b0e271f36ce14e45a361b8\", \"kind\": \"Event\", \"responseObject.metadata.annotations.volumes.kubernetes.io/controller-managed-attach-detach\": \"true\", \"responseObject.status.nodeInfo.bootID\": \"0d0dd4f2-8829-4b03-9f29-794f4908281b\", \"responseObject.status.conditions[].status\": \"False,False,False,False\", \"requestObject.metadata.labels.beta.kubernetes.io/os\": \"linux\", \"requestObject.status.allocatable.hugepages-1Gi\": \"0\", \"requestObject.status.addresses[].type\": \"InternalIP,ExternalIP,Hostname,InternalDNS,ExternalDNS\", \"requestObject.metadata.labels.failure-domain.beta.kubernetes.io/zone\": \"us-east-1f\", \"requestObject.status.allocatable.cpu\": \"3920m\", \"requestObject.metadata.labels.kubernetes.io/os\": \"linux\", \"requestObject.status.nodeInfo.operatingSystem\": \"linux\", \"responseObject.status.daemonEndpoints.kubeletEndpoint.Port\": \"10250\", \"responseObject.status.nodeInfo.systemUUID\": 
\"ec2483c6-33b0-e271-f36c-e14e45a361b8\", \"responseObject.metadata.labels.failure-domain.beta.kubernetes.io/zone\": \"us-east-1f\", \"requestObject.metadata.labels.topology.kubernetes.io/zone\": \"us-east-1f\", \"responseObject.status.nodeInfo.containerRuntimeVersion\": \"docker://19.3.13\", \"requestObject.status.nodeInfo.kernelVersion\": \"5.4.141-67.229.amzn2.x86_64\", \"requestObject.kind\": \"Node\", \"requestObject.spec.providerID\": \"aws:///us-east-1f/i-12345678901\", \"responseObject.metadata.uid\": \"4ecf628a-1b50-47ed-932c-bb1df89dad10\", \"responseObject.status.capacity.hugepages-2Mi\": \"0\", \"responseObject.metadata.managedFields[].fieldsType\": \"FieldsV1\", \"responseObject.metadata.labels.topology.kubernetes.io/region\": \"us-east-1\", \"responseObject.status.capacity.pods\": \"58\", \"requestObject.status.capacity.memory\": \"16093700Ki\", \"responseObject.metadata.managedFields[].apiVersion\": \"v1\", \"responseObject.status.allocatable.hugepages-1Gi\": \"0\", \"responseObject.metadata.resourceVersion\": \"67933403\", \"responseObject.status.addresses[].address\": \"192.000.22.33,12.000.22.33,ip-192-001-02-03.ec2.internal,ip-192-001-02-03.ec2.internal,ec2-12.000.22.33.compute-1.amazonaws.com\", \"requestObject.status.conditions[].lastTransitionTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"requestObject.status.nodeInfo.kubeletVersion\": \"v1.21.2-eks-55daa9d\", \"responseObject.metadata.labels.eks.amazonaws.com/nodegroup\": \"ng-5fe434eb\", \"requestObject.metadata.labels.eks.amazonaws.com/nodegroup\": \"ng-5fe434eb\", \"requestObject.status.conditions[].reason\": \"KubeletHasSufficientMemory,KubeletHasNoDiskPressure,KubeletHasSufficientPID,KubeletNotReady\", \"responseObject.metadata.labels.eks.amazonaws.com/capacityType\": \"ON_DEMAND\", \"requestObject.status.nodeInfo.machineID\": \"ec2483c633b0e271f36ce14e45a361b8\", \"responseObject.status.addresses[].type\": 
\"InternalIP,ExternalIP,Hostname,InternalDNS,ExternalDNS\", \"responseObject.metadata.labels.beta.kubernetes.io/arch\": \"amd64\", \"responseObject.metadata.managedFields[].operation\": \"Update\", \"responseObject.status.allocatable.cpu\": \"3920m\", \"responseObject.status.conditions[].type\": \"MemoryPressure,DiskPressure,PIDPressure,Ready\", \"responseObject.spec.taints[].key\": \"node.kubernetes.io/not-ready\", \"sourceIPs[]\": \"12.000.22.33\", \"requestObject.status.capacity.pods\": \"58\", \"requestObject.status.allocatable.pods\": \"58\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"actor\": {\"session\": {\"credential_uid\": \"EXAMPLEUIDTEST\", \"issuer\": \"arn:aws:iam::123456789012:role/example-test-161366663-NodeInstanceRole-abc12345678912\", \"uid\": \"i-12345678901\"}, \"user\": {\"groups\": [{\"name\": \"system:bootstrappers\"}, {\"name\": \"system:nodes\"}, {\"name\": \"system:authenticated\"}], \"name\": \"system:node:ip-192-001-02-03.ec2.internal\", \"type_id\": 0, \"uid\": \"heptio-authenticator-aws:123456789012:ABCD1234567890EXAMPLE\"}}, \"api\": {\"operation\": \"create\", \"request\": {\"uid\": \"f47c68f2-d3ac-4f96-b2f4-5d497bf79b64\"}, \"response\": {\"code\": 201}, \"version\": \"v1\"}, \"category_name\": \"Application Activity\", \"category_uid\": 6, \"class_name\": \"API Activity\", \"class_uid\": 6003, \"cloud\": {\"account\": {\"uid\": \"arn:aws:sts::123456789012:assumed-role/example-test-161366663-NodeInstanceRole-abc12345678912/i-12345678901\"}, \"provider\": \"AWS\"}, \"http_request\": {\"url\": {\"path\": \"/api/v1/nodes\"}, \"user_agent\": \"kubelet/v1.21.2 (linux/amd64) kubernetes/729bdfc\"}, \"message\": \"ResponseComplete\", \"metadata\": {\"log_level\": \"RequestResponse\", \"product\": {\"feature\": {\"name\": \"Elastic Kubernetes Service\"}, \"name\": \"Amazon EKS\", \"vendor_name\": \"AWS\", \"version\": \"audit.k8s.io/v1\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": 
\"1.1.0\"}, \"observables\": [{\"name\": \"actor.user.name\", \"type\": \"User Name\", \"type_id\": 4, \"value\": \"system:node:ip-192-001-02-03.ec2.internal\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"12.000.22.33\"}, {\"name\": \"http_request.url.path\", \"type\": \"URL String\", \"type_id\": 6, \"value\": \"/api/v1/nodes\"}], \"resources\": [{\"name\": \"ip-192-001-02-03.ec2.internal\", \"type\": \"nodes\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"12.000.22.33\"}, \"start_time_dt\": \"2021-09-07 20:37:30.502000\", \"time\": 1631047050642, \"time_dt\": \"2021-09-07 20:37:30.642000\", \"type_name\": \"API Activity: Create\", \"type_uid\": 600301, \"unmapped\": {\"responseObject.status.capacity.cpu\": \"4\", \"annotations.authorization.k8s.io/reason\": \"\", \"requestObject.metadata.annotations.volumes.kubernetes.io/controller-managed-attach-detach\": \"true\", \"responseObject.metadata.labels.kubernetes.io/hostname\": \"ip-192-001-02-03.ec2.internal\", \"requestObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateVersion\": \"1\", \"responseObject.metadata.labels.alpha.eksctl.io/cluster-name\": \"ABCD1234567890EXAMPLE\", \"responseObject.metadata.labels.eks.amazonaws.com/nodegroup-image\": \"ami-0193ebf9573ebc9f7\", \"responseObject.metadata.managedFields[].time\": \"2021-09-07T20:37:30Z\", \"responseObject.status.nodeInfo.kubeletVersion\": \"v1.21.2-eks-55daa9d\", \"responseObject.status.nodeInfo.kubeProxyVersion\": \"v1.21.2-eks-55daa9d\", \"requestObject.status.capacity.hugepages-1Gi\": \"0\", \"responseObject.metadata.managedFields[].manager\": \"kubelet\", \"annotations.authorization.k8s.io/decision\": \"allow\", \"requestObject.status.nodeInfo.systemUUID\": \"ec2483c6-33b0-e271-f36c-e14e45a361b8\", \"responseObject.metadata.name\": \"ip-192-001-02-03.ec2.internal\", \"responseObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateVersion\": \"1\", 
\"responseObject.apiVersion\": \"v1\", \"requestObject.metadata.labels.kubernetes.io/arch\": \"amd64\", \"requestObject.status.allocatable.hugepages-2Mi\": \"0\", \"requestObject.metadata.labels.alpha.eksctl.io/cluster-name\": \"ABCD1234567890EXAMPLE\", \"responseObject.status.allocatable.memory\": \"15076868Ki\", \"responseObject.status.conditions[].lastHeartbeatTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"responseObject.spec.providerID\": \"aws:///us-east-1f/i-12345678901\", \"requestObject.status.nodeInfo.architecture\": \"amd64\", \"responseObject.status.nodeInfo.kernelVersion\": \"5.4.141-67.229.amzn2.x86_64\", \"responseObject.status.allocatable.pods\": \"58\", \"requestObject.status.conditions[].status\": \"False,False,False,False\", \"requestObject.metadata.labels.failure-domain.beta.kubernetes.io/region\": \"us-east-1\", \"responseObject.metadata.labels.beta.kubernetes.io/os\": \"linux\", \"responseObject.metadata.labels.kubernetes.io/os\": \"linux\", \"requestObject.status.addresses[].address\": \"192.000.22.33,12.000.22.33,ip-192-001-02-03.ec2.internal,ip-192-001-02-03.ec2.internal,ec2-12.000.22.33.compute-1.amazonaws.com\", \"responseObject.status.capacity.hugepages-1Gi\": \"0\", \"responseObject.status.conditions[].reason\": \"KubeletHasSufficientMemory,KubeletHasNoDiskPressure,KubeletHasSufficientPID,KubeletNotReady\", \"requestObject.apiVersion\": \"v1\", \"requestObject.status.capacity.cpu\": \"4\", \"requestObject.metadata.labels.node.kubernetes.io/instance-type\": \"m5.xlarge\", \"requestObject.metadata.labels.eks.amazonaws.com/nodegroup-image\": \"ami-0193ebf9573ebc9f7\", \"responseObject.metadata.labels.node.kubernetes.io/instance-type\": \"m5.xlarge\", \"responseObject.status.allocatable.hugepages-2Mi\": \"0\", \"responseObject.status.allocatable.attachable-volumes-aws-ebs\": \"25\", \"requestObject.status.nodeInfo.containerRuntimeVersion\": \"docker://19.3.13\", 
\"requestObject.status.allocatable.attachable-volumes-aws-ebs\": \"25\", \"responseObject.status.conditions[].lastTransitionTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"responseObject.metadata.creationTimestamp\": \"2021-09-07T20:37:30Z\", \"requestObject.metadata.labels.kubernetes.io/hostname\": \"ip-192-001-02-03.ec2.internal\", \"requestObject.status.nodeInfo.bootID\": \"0d0dd4f2-8829-4b03-9f29-794f4908281b\", \"requestObject.status.nodeInfo.kubeProxyVersion\": \"v1.21.2-eks-55daa9d\", \"responseObject.kind\": \"Node\", \"requestObject.status.nodeInfo.osImage\": \"Amazon Linux 2\", \"requestObject.status.conditions[].type\": \"MemoryPressure,DiskPressure,PIDPressure,Ready\", \"requestObject.status.daemonEndpoints.kubeletEndpoint.Port\": \"10250\", \"responseObject.metadata.labels.kubernetes.io/arch\": \"amd64\", \"responseObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateId\": \"lt-0f20d6f901007611e\", \"requestObject.status.capacity.attachable-volumes-aws-ebs\": \"25\", \"responseObject.status.conditions[].message\": \"kubelet has sufficient memory available,kubelet has no disk pressure,kubelet has sufficient PID available,[container runtime status check may not have completed yet, container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized, CSINode is not yet initialized, missing node capacity for resources: ephemeral-storage]\", \"responseObject.status.nodeInfo.operatingSystem\": \"linux\", \"requestObject.metadata.labels.alpha.eksctl.io/nodegroup-name\": \"ng-5fe434eb\", \"responseObject.status.capacity.memory\": \"16093700Ki\", \"requestObject.metadata.labels.beta.kubernetes.io/arch\": \"amd64\", \"requestObject.metadata.labels.eks.amazonaws.com/capacityType\": \"ON_DEMAND\", \"requestObject.status.allocatable.memory\": \"15076868Ki\", \"requestObject.status.conditions[].lastHeartbeatTime\": 
\"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"responseObject.status.capacity.attachable-volumes-aws-ebs\": \"25\", \"responseObject.status.nodeInfo.osImage\": \"Amazon Linux 2\", \"responseObject.metadata.labels.beta.kubernetes.io/instance-type\": \"m5.xlarge\", \"responseObject.metadata.labels.alpha.eksctl.io/nodegroup-name\": \"ng-5fe434eb\", \"requestObject.metadata.labels.beta.kubernetes.io/instance-type\": \"m5.xlarge\", \"responseObject.status.nodeInfo.architecture\": \"amd64\", \"responseObject.metadata.labels.topology.kubernetes.io/zone\": \"us-east-1f\", \"requestObject.status.capacity.hugepages-2Mi\": \"0\", \"requestObject.status.conditions[].message\": \"kubelet has sufficient memory available,kubelet has no disk pressure,kubelet has sufficient PID available,[container runtime status check may not have completed yet, container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized, CSINode is not yet initialized, missing node capacity for resources: ephemeral-storage]\", \"responseObject.metadata.labels.failure-domain.beta.kubernetes.io/region\": \"us-east-1\", \"requestObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateId\": \"lt-0f20d6f901007611e\", \"responseObject.spec.taints[].effect\": \"NoSchedule\", \"requestObject.metadata.labels.topology.kubernetes.io/region\": \"us-east-1\", \"requestObject.metadata.name\": \"ip-192-001-02-03.ec2.internal\", \"responseObject.status.nodeInfo.machineID\": \"ec2483c633b0e271f36ce14e45a361b8\", \"kind\": \"Event\", \"responseObject.metadata.annotations.volumes.kubernetes.io/controller-managed-attach-detach\": \"true\", \"responseObject.status.nodeInfo.bootID\": \"0d0dd4f2-8829-4b03-9f29-794f4908281b\", \"responseObject.status.conditions[].status\": \"False,False,False,False\", \"requestObject.metadata.labels.beta.kubernetes.io/os\": \"linux\", 
\"requestObject.status.allocatable.hugepages-1Gi\": \"0\", \"requestObject.status.addresses[].type\": \"InternalIP,ExternalIP,Hostname,InternalDNS,ExternalDNS\", \"requestObject.metadata.labels.failure-domain.beta.kubernetes.io/zone\": \"us-east-1f\", \"requestObject.status.allocatable.cpu\": \"3920m\", \"requestObject.metadata.labels.kubernetes.io/os\": \"linux\", \"requestObject.status.nodeInfo.operatingSystem\": \"linux\", \"responseObject.status.daemonEndpoints.kubeletEndpoint.Port\": \"10250\", \"responseObject.status.nodeInfo.systemUUID\": \"ec2483c6-33b0-e271-f36c-e14e45a361b8\", \"responseObject.metadata.labels.failure-domain.beta.kubernetes.io/zone\": \"us-east-1f\", \"requestObject.metadata.labels.topology.kubernetes.io/zone\": \"us-east-1f\", \"responseObject.status.nodeInfo.containerRuntimeVersion\": \"docker://19.3.13\", \"requestObject.status.nodeInfo.kernelVersion\": \"5.4.141-67.229.amzn2.x86_64\", \"requestObject.kind\": \"Node\", \"requestObject.spec.providerID\": \"aws:///us-east-1f/i-12345678901\", \"responseObject.metadata.uid\": \"4ecf628a-1b50-47ed-932c-bb1df89dad10\", \"responseObject.status.capacity.hugepages-2Mi\": \"0\", \"responseObject.metadata.managedFields[].fieldsType\": \"FieldsV1\", \"responseObject.metadata.labels.topology.kubernetes.io/region\": \"us-east-1\", \"responseObject.status.capacity.pods\": \"58\", \"requestObject.status.capacity.memory\": \"16093700Ki\", \"responseObject.metadata.managedFields[].apiVersion\": \"v1\", \"responseObject.status.allocatable.hugepages-1Gi\": \"0\", \"responseObject.metadata.resourceVersion\": \"67933403\", \"responseObject.status.addresses[].address\": \"192.000.22.33,12.000.22.33,ip-192-001-02-03.ec2.internal,ip-192-001-02-03.ec2.internal,ec2-12.000.22.33.compute-1.amazonaws.com\", \"requestObject.status.conditions[].lastTransitionTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"requestObject.status.nodeInfo.kubeletVersion\": 
\"v1.21.2-eks-55daa9d\", \"responseObject.metadata.labels.eks.amazonaws.com/nodegroup\": \"ng-5fe434eb\", \"requestObject.metadata.labels.eks.amazonaws.com/nodegroup\": \"ng-5fe434eb\", \"requestObject.status.conditions[].reason\": \"KubeletHasSufficientMemory,KubeletHasNoDiskPressure,KubeletHasSufficientPID,KubeletNotReady\", \"responseObject.metadata.labels.eks.amazonaws.com/capacityType\": \"ON_DEMAND\", \"requestObject.status.nodeInfo.machineID\": \"ec2483c633b0e271f36ce14e45a361b8\", \"responseObject.status.addresses[].type\": \"InternalIP,ExternalIP,Hostname,InternalDNS,ExternalDNS\", \"responseObject.metadata.labels.beta.kubernetes.io/arch\": \"amd64\", \"responseObject.metadata.managedFields[].operation\": \"Update\", \"responseObject.status.allocatable.cpu\": \"3920m\", \"responseObject.status.conditions[].type\": \"MemoryPressure,DiskPressure,PIDPressure,Ready\", \"responseObject.spec.taints[].key\": \"node.kubernetes.io/not-ready\", \"sourceIPs[]\": \"12.000.22.33\", \"requestObject.status.capacity.pods\": \"58\", \"requestObject.status.allocatable.pods\": \"58\"}}", + "event": { + "action": "create", + "category": [ + "web" + ], + "kind": "event", + "severity": 1, + "start": "2021-09-07T20:37:30.502000Z", + "type": [ + "info" + ] + }, + "@timestamp": "2021-09-07T20:37:30.642000Z", + "cloud": { + "account": { + "id": "arn:aws:sts::123456789012:assumed-role/example-test-161366663-NodeInstanceRole-abc12345678912/i-12345678901" + }, + "provider": "AWS" + }, + "ocsf": { + "activity_id": 1, + "activity_name": "Create", + "class_name": "API Activity", + "class_uid": 6003 + }, + "package": { + "description": [], + "name": [], + "type": [] + }, + "related": { + "user": [ + "system:node:ip-192-001-02-03.ec2.internal" + ] + }, + "url": { + "path": "/api/v1/nodes" + }, + "user": { + "group": { + "id": [], + "name": [ + "system:authenticated", + "system:bootstrappers", + "system:nodes" + ] + }, + "id": "heptio-authenticator-aws:123456789012:ABCD1234567890EXAMPLE", + 
"name": "system:node:ip-192-001-02-03.ec2.internal" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "kubelet/v1.21.2 (linux/amd64) kubernetes/729bdfc", + "os": { + "name": "Linux" + } + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_application_activity_1.json b/OCSF/ocsf/tests/test_application_activity_1.json deleted file mode 100644 index fec1ba4d2..000000000 --- a/OCSF/ocsf/tests/test_application_activity_1.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "input": { - "message": "{\"http_request\": {\"version\": \"1.0.0\", \"uid\": \"072e083a-584a-11ee-9892-0242ac110005\", \"url\": {\"port\": 51670, \"scheme\": \"metallica races fears\", \"path\": \"container profiles content\", \"hostname\": \"congress.nato\", \"query_string\": \"pads palestinian already\", \"category_ids\": [35, 59], \"url_string\": \"daily\"}, \"user_agent\": \"webpage assets adams\", \"http_headers\": [{\"name\": \"aol jim thick\", \"value\": \"unexpected counts ease\"}, {\"name\": \"ride sender reflections\", \"value\": \"persistent irc finest\"}], \"http_method\": \"GET\"}, \"message\": \"brain bear brush\", \"status\": \"Unknown\", \"time\": 1695277679358, \"device\": {\"name\": \"explains slow junior\", \"type\": \"IOT\", \"ip\": \"81.2.69.142\", \"desc\": \"evaluate permits yesterday\", \"uid\": \"072de986-584a-11ee-b258-0242ac110005\", \"hostname\": \"chuck.int\", \"type_id\": 7, \"interface_name\": \"uzbekistan published feedback\", \"interface_uid\": \"072ddc66-584a-11ee-9824-0242ac110005\", \"last_seen_time\": 1695277679358, \"region\": \"invalid expressed participating\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"loc bw pa\", \"version\": \"1.0.0\", \"uid\": \"072dafa2-584a-11ee-bca3-0242ac110005\", \"lang\": \"en\", \"url_string\": \"indirect\", \"vendor_name\": \"fotos choir archive\"}, \"sequence\": 20, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"correlation_uid\": \"072db420-584a-11ee-adc0-0242ac110005\", \"event_code\": \"edward\", \"log_name\": \"foul jackson termination\", \"log_provider\": \"copper protective inexpensive\", \"original_time\": \"diploma mesh certified\", \"logged_time_dt\": \"2023-09-21T06:42:26.632427Z\"}, \"severity\": \"High\", \"type_name\": \"Web Resource Access Activity: Access Error\", \"activity_id\": 4, \"type_uid\": 600404, \"category_name\": \"Application Activity\", \"class_uid\": 6004, \"category_uid\": 6, \"class_name\": \"Web 
Resource Access Activity\", \"timezone_offset\": 55, \"activity_name\": \"Access Error\", \"cloud\": {\"org\": {\"name\": \"brazil newbie loc\", \"uid\": \"072d99ea-584a-11ee-920a-0242ac110005\", \"ou_name\": \"predicted themselves missile\", \"ou_uid\": \"072da124-584a-11ee-bf8b-0242ac110005\"}, \"provider\": \"speeches mail lack\"}, \"severity_id\": 4, \"status_id\": 0, \"web_resources\": [{\"name\": \"ghost formats res\", \"desc\": \"pleased won coverage\", \"uid\": \"072dbbbe-584a-11ee-b4cc-0242ac110005\", \"type\": \"package type\", \"url_string\": \"consists\"}, {\"data\": {\"logitech\": \"dehbs\"}, \"url_string\": \"devil\"}], \"start_time_dt\": \"2023-09-21T06:42:26.634761Z\", \"http_response\": {\"code\": 22, \"length\": 40, \"latency\": 3, \"message\": \"message regarding htp response\"}}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"http_request\": {\"version\": \"1.0.0\", \"uid\": \"072e083a-584a-11ee-9892-0242ac110005\", \"url\": {\"port\": 51670, \"scheme\": \"metallica races fears\", \"path\": \"container profiles content\", \"hostname\": \"congress.nato\", \"query_string\": \"pads palestinian already\", \"category_ids\": [35, 59], \"url_string\": \"daily\"}, \"user_agent\": \"webpage assets adams\", \"http_headers\": [{\"name\": \"aol jim thick\", \"value\": \"unexpected counts ease\"}, {\"name\": \"ride sender reflections\", \"value\": \"persistent irc finest\"}], \"http_method\": \"GET\"}, \"message\": \"brain bear brush\", \"status\": \"Unknown\", \"time\": 1695277679358, \"device\": {\"name\": \"explains slow junior\", \"type\": \"IOT\", \"ip\": \"81.2.69.142\", \"desc\": \"evaluate permits yesterday\", \"uid\": \"072de986-584a-11ee-b258-0242ac110005\", \"hostname\": \"chuck.int\", \"type_id\": 7, \"interface_name\": \"uzbekistan published feedback\", \"interface_uid\": \"072ddc66-584a-11ee-9824-0242ac110005\", \"last_seen_time\": 
1695277679358, \"region\": \"invalid expressed participating\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"loc bw pa\", \"version\": \"1.0.0\", \"uid\": \"072dafa2-584a-11ee-bca3-0242ac110005\", \"lang\": \"en\", \"url_string\": \"indirect\", \"vendor_name\": \"fotos choir archive\"}, \"sequence\": 20, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"correlation_uid\": \"072db420-584a-11ee-adc0-0242ac110005\", \"event_code\": \"edward\", \"log_name\": \"foul jackson termination\", \"log_provider\": \"copper protective inexpensive\", \"original_time\": \"diploma mesh certified\", \"logged_time_dt\": \"2023-09-21T06:42:26.632427Z\"}, \"severity\": \"High\", \"type_name\": \"Web Resource Access Activity: Access Error\", \"activity_id\": 4, \"type_uid\": 600404, \"category_name\": \"Application Activity\", \"class_uid\": 6004, \"category_uid\": 6, \"class_name\": \"Web Resource Access Activity\", \"timezone_offset\": 55, \"activity_name\": \"Access Error\", \"cloud\": {\"org\": {\"name\": \"brazil newbie loc\", \"uid\": \"072d99ea-584a-11ee-920a-0242ac110005\", \"ou_name\": \"predicted themselves missile\", \"ou_uid\": \"072da124-584a-11ee-bf8b-0242ac110005\"}, \"provider\": \"speeches mail lack\"}, \"severity_id\": 4, \"status_id\": 0, \"web_resources\": [{\"name\": \"ghost formats res\", \"desc\": \"pleased won coverage\", \"uid\": \"072dbbbe-584a-11ee-b4cc-0242ac110005\", \"type\": \"package type\", \"url_string\": \"consists\"}, {\"data\": {\"logitech\": \"dehbs\"}, \"url_string\": \"devil\"}], \"start_time_dt\": \"2023-09-21T06:42:26.634761Z\", \"http_response\": {\"code\": 22, \"length\": 40, \"latency\": 3, \"message\": \"message regarding htp response\"}}", - "event": { - "action": "access error", - "category": [ - "web" - ], - "code": "edward", - "kind": "event", - "outcome": "unknown", - "provider": "copper protective inexpensive", - "sequence": 20, - "severity": 4, - "start": "2023-09-21T06:42:26.634761Z", - "type": 
[ - "access", - "error", - "info" - ] - }, - "@timestamp": "2023-09-21T06:27:59.358000Z", - "cloud": { - "provider": "speeches mail lack" - }, - "host": { - "hostname": "chuck.int", - "id": "072de986-584a-11ee-b258-0242ac110005", - "ip": [ - "81.2.69.142" - ], - "name": "chuck.int", - "type": "IOT" - }, - "http": { - "request": { - "id": "072e083a-584a-11ee-9892-0242ac110005", - "method": "GET" - }, - "response": { - "body": { - "bytes": 40, - "content": "message regarding htp response" - }, - "status_code": 22 - }, - "version": "1.0.0" - }, - "ocsf": { - "activity_id": 4, - "activity_name": "Access Error", - "class_name": "Web Resource Access Activity", - "class_uid": 6004 - }, - "organization": { - "id": "072d99ea-584a-11ee-920a-0242ac110005", - "name": "brazil newbie loc" - }, - "package": { - "description": [ - "pleased won coverage" - ], - "name": [ - "ghost formats res" - ], - "type": [ - "package type" - ] - }, - "related": { - "hosts": [ - "chuck.int", - "congress.nato" - ], - "ip": [ - "81.2.69.142" - ] - }, - "url": { - "domain": "congress.nato", - "original": "daily", - "path": "container profiles content", - "port": 51670, - "query": "pads palestinian already", - "scheme": "metallica races fears" - }, - "user_agent": { - "device": { - "name": "Other" - }, - "name": "Other", - "original": "webpage assets adams", - "os": { - "name": "Other" - } - } - } -} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_application_activity_2.json b/OCSF/ocsf/tests/test_application_activity_2.json deleted file mode 100644 index b2e370bf9..000000000 --- a/OCSF/ocsf/tests/test_application_activity_2.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "input": { - "message": "{\"message\": \"washington like safari\", \"status\": \"Failure\", \"time\": 1695277679358, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"eligible scenes worm\", \"version\": \"1.0.0\", \"uid\": \"f6508420-520e-11ee-adcc-0242ac110004\", \"feature\": {\"name\": \"australia cup bios\", \"version\": \"1.0.0\", \"uid\": \"f6508bfa-520e-11ee-b54c-0242ac110004\"}, \"lang\": \"en\", \"vendor_name\": \"fix complicated accreditation\"}, \"sequence\": 78, \"profiles\": [], \"log_name\": \"ur bother bearing\", \"log_provider\": \"performs elevation fox\", \"log_version\": \"three maritime cowboy\", \"logged_time\": 1695277679358, \"original_time\": \"moore genetic symbols\", \"processed_time\": 1695277679358}, \"start_time\": 1695277679358, \"severity\": \"Unknown\", \"type_name\": \"Web Resources Activity: Create\", \"category_name\": \"Application Activity\", \"timezone_offset\": 83, \"activity_id\": 1, \"class_uid\": 6001, \"type_uid\": 600101, \"category_uid\": 6, \"class_name\": \"Web Resources Activity\", \"activity_name\": \"Create\", \"severity_id\": 0, \"src_endpoint\": {\"name\": \"leasing imperial toner\", \"port\": 31790, \"domain\": \"hawaii unfortunately copying\", \"ip\": \"81.2.69.142\", \"hostname\": \"saudi.int\", \"uid\": \"f650994c-520e-11ee-a9f4-0242ac110004\", \"instance_uid\": \"f6509d0c-520e-11ee-9e6b-0242ac110004\", \"interface_name\": \"somewhere mentor crm\", \"interface_uid\": \"f650a3f6-520e-11ee-882f-0242ac110004\", \"intermediate_ips\": [\"81.2.69.142\", \"81.2.69.143\"], \"svc_name\": \"sheets horror trader\", \"vlan_uid\": \"f650a8a6-520e-11ee-b961-0242ac110004\"}, \"status_detail\": \"only zone its\", \"status_id\": 2, \"web_resources\": [{\"data\": {\"discretion\": \"fhbds\"}, \"desc\": \"Description of web resource\", \"name\": \"concept navigator constitution\", \"type\": \"fundamental previous ty\", \"url_string\": \"past\"}], \"web_resources_result\": [{\"type\": 
\"prediction sunglasses rounds\", \"uid\": \"f65072d2-520e-11ee-9b9a-0242ac110004\", \"url_string\": \"military\"}, {\"data\": {\"protect\": \"rfvfd\"}, \"url_string\": \"association\"}]}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"message\": \"washington like safari\", \"status\": \"Failure\", \"time\": 1695277679358, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"eligible scenes worm\", \"version\": \"1.0.0\", \"uid\": \"f6508420-520e-11ee-adcc-0242ac110004\", \"feature\": {\"name\": \"australia cup bios\", \"version\": \"1.0.0\", \"uid\": \"f6508bfa-520e-11ee-b54c-0242ac110004\"}, \"lang\": \"en\", \"vendor_name\": \"fix complicated accreditation\"}, \"sequence\": 78, \"profiles\": [], \"log_name\": \"ur bother bearing\", \"log_provider\": \"performs elevation fox\", \"log_version\": \"three maritime cowboy\", \"logged_time\": 1695277679358, \"original_time\": \"moore genetic symbols\", \"processed_time\": 1695277679358}, \"start_time\": 1695277679358, \"severity\": \"Unknown\", \"type_name\": \"Web Resources Activity: Create\", \"category_name\": \"Application Activity\", \"timezone_offset\": 83, \"activity_id\": 1, \"class_uid\": 6001, \"type_uid\": 600101, \"category_uid\": 6, \"class_name\": \"Web Resources Activity\", \"activity_name\": \"Create\", \"severity_id\": 0, \"src_endpoint\": {\"name\": \"leasing imperial toner\", \"port\": 31790, \"domain\": \"hawaii unfortunately copying\", \"ip\": \"81.2.69.142\", \"hostname\": \"saudi.int\", \"uid\": \"f650994c-520e-11ee-a9f4-0242ac110004\", \"instance_uid\": \"f6509d0c-520e-11ee-9e6b-0242ac110004\", \"interface_name\": \"somewhere mentor crm\", \"interface_uid\": \"f650a3f6-520e-11ee-882f-0242ac110004\", \"intermediate_ips\": [\"81.2.69.142\", \"81.2.69.143\"], \"svc_name\": \"sheets horror trader\", \"vlan_uid\": \"f650a8a6-520e-11ee-b961-0242ac110004\"}, \"status_detail\": \"only 
zone its\", \"status_id\": 2, \"web_resources\": [{\"data\": {\"discretion\": \"fhbds\"}, \"desc\": \"Description of web resource\", \"name\": \"concept navigator constitution\", \"type\": \"fundamental previous ty\", \"url_string\": \"past\"}], \"web_resources_result\": [{\"type\": \"prediction sunglasses rounds\", \"uid\": \"f65072d2-520e-11ee-9b9a-0242ac110004\", \"url_string\": \"military\"}, {\"data\": {\"protect\": \"rfvfd\"}, \"url_string\": \"association\"}]}", - "event": { - "action": "create", - "category": [], - "kind": "event", - "outcome": "failure", - "provider": "performs elevation fox", - "sequence": 78, - "severity": 0, - "start": "2023-09-21T06:27:59.358000Z", - "type": [] - }, - "@timestamp": "2023-09-21T06:27:59.358000Z", - "network": { - "application": "sheets horror trader" - }, - "ocsf": { - "activity_id": 1, - "activity_name": "Create", - "class_name": "Web Resources Activity", - "class_uid": 6001 - }, - "package": { - "description": [ - "Description of web resource" - ], - "name": [ - "concept navigator constitution" - ], - "type": [ - "fundamental previous ty" - ] - }, - "related": { - "hosts": [ - "saudi.int" - ], - "ip": [ - "81.2.69.142" - ] - }, - "source": { - "address": "saudi.int", - "domain": "saudi.int", - "ip": "81.2.69.142", - "port": 31790, - "registered_domain": "saudi.int", - "top_level_domain": "int" - } - } -} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_application_activity_3.json b/OCSF/ocsf/tests/test_application_activity_3.json deleted file mode 100644 index 17f2c4c72..000000000 --- a/OCSF/ocsf/tests/test_application_activity_3.json +++ /dev/null 
@@ -1,69 +0,0 @@ -{ - "input": { - "message": "{\"message\": \"issues kings loop\", \"status\": \"Success\", \"time\": 1695277679358, \"device\": {\"name\": \"knows col covered\", \"type\": \"Unknown\", \"domain\": \"allied had insulation\", \"ip\": \"81.2.69.142\", \"uid\": \"651987a6-584c-11ee-ad31-0242ac110005\", \"hostname\": \"zinc.biz\", \"org\": {\"name\": \"chaos winner entered\", \"uid\": \"65197a86-584c-11ee-96c1-0242ac110005\", \"ou_name\": \"music client leaf\"}, \"type_id\": 0, \"created_time\": 1695277679358, \"hw_info\": {\"ram_size\": 84, \"serial_number\": \"training blink executives\"}, \"instance_uid\": \"65197efa-584c-11ee-bc04-0242ac110005\", \"interface_name\": \"lightbox bugs spain\", \"interface_uid\": \"6519835a-584c-11ee-b813-0242ac110005\", \"is_personal\": false, \"region\": \"casio paris norway\", \"subnet_uid\": \"6519725c-584c-11ee-b6a2-0242ac110005\", \"uid_alt\": \"older audience trends\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"enzyme cookie citations\", \"version\": \"1.0.0\", \"uid\": \"65195f88-584c-11ee-8118-0242ac110005\", \"lang\": \"en\", \"url_string\": \"deck\", \"vendor_name\": \"rochester school force\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"log_name\": \"collaboration blood loan\", \"log_provider\": \"jurisdiction protecting witness\", \"original_time\": \"effectively dimensional reservation\", \"modified_time_dt\": \"2023-09-21T06:59:23.198620Z\"}, \"app\": {\"name\": \"bottom loud knowledge\", \"version\": \"1.0.0\", \"uid\": \"6519a3da-584c-11ee-8c89-0242ac110005\", \"path\": \"path o f\", \"feature\": {\"name\": \"mit received implemented\", \"version\": \"1.0.0\", \"uid\": \"6519aa4c-584c-11ee-ac40-0242ac110005\"}, \"lang\": \"en\", \"vendor_name\": \"ss keeping administered\"}, \"severity\": \"Fatal\", \"type_name\": \"Application Lifecycle: Other\", \"activity_id\": 99, \"type_uid\": 600299, \"category_name\": \"Application Activity\", \"class_uid\": 6002, 
\"category_uid\": 6, \"class_name\": \"Application Lifecycle\", \"activity_name\": \"look\", \"cloud\": {\"org\": {\"name\": \"exclusive variables tag\", \"uid\": \"65193f12-584c-11ee-ae9b-0242ac110005\", \"ou_name\": \"custom packard pierre\"}, \"account\": {\"type\": \"AWS Account\", \"uid\": \"65194d7c-584c-11ee-8857-0242ac110005\", \"type_id\": 10}, \"provider\": \"infrared delayed visiting\", \"region\": \"initial lucia designer\"}, \"severity_id\": 6, \"status_detail\": \"rat forth dishes\", \"status_id\": 1, \"start_time_dt\": \"2023-09-21T06:59:23.200400Z\"}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"message\": \"issues kings loop\", \"status\": \"Success\", \"time\": 1695277679358, \"device\": {\"name\": \"knows col covered\", \"type\": \"Unknown\", \"domain\": \"allied had insulation\", \"ip\": \"81.2.69.142\", \"uid\": \"651987a6-584c-11ee-ad31-0242ac110005\", \"hostname\": \"zinc.biz\", \"org\": {\"name\": \"chaos winner entered\", \"uid\": \"65197a86-584c-11ee-96c1-0242ac110005\", \"ou_name\": \"music client leaf\"}, \"type_id\": 0, \"created_time\": 1695277679358, \"hw_info\": {\"ram_size\": 84, \"serial_number\": \"training blink executives\"}, \"instance_uid\": \"65197efa-584c-11ee-bc04-0242ac110005\", \"interface_name\": \"lightbox bugs spain\", \"interface_uid\": \"6519835a-584c-11ee-b813-0242ac110005\", \"is_personal\": false, \"region\": \"casio paris norway\", \"subnet_uid\": \"6519725c-584c-11ee-b6a2-0242ac110005\", \"uid_alt\": \"older audience trends\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"enzyme cookie citations\", \"version\": \"1.0.0\", \"uid\": \"65195f88-584c-11ee-8118-0242ac110005\", \"lang\": \"en\", \"url_string\": \"deck\", \"vendor_name\": \"rochester school force\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"log_name\": \"collaboration blood loan\", 
\"log_provider\": \"jurisdiction protecting witness\", \"original_time\": \"effectively dimensional reservation\", \"modified_time_dt\": \"2023-09-21T06:59:23.198620Z\"}, \"app\": {\"name\": \"bottom loud knowledge\", \"version\": \"1.0.0\", \"uid\": \"6519a3da-584c-11ee-8c89-0242ac110005\", \"path\": \"path o f\", \"feature\": {\"name\": \"mit received implemented\", \"version\": \"1.0.0\", \"uid\": \"6519aa4c-584c-11ee-ac40-0242ac110005\"}, \"lang\": \"en\", \"vendor_name\": \"ss keeping administered\"}, \"severity\": \"Fatal\", \"type_name\": \"Application Lifecycle: Other\", \"activity_id\": 99, \"type_uid\": 600299, \"category_name\": \"Application Activity\", \"class_uid\": 6002, \"category_uid\": 6, \"class_name\": \"Application Lifecycle\", \"activity_name\": \"look\", \"cloud\": {\"org\": {\"name\": \"exclusive variables tag\", \"uid\": \"65193f12-584c-11ee-ae9b-0242ac110005\", \"ou_name\": \"custom packard pierre\"}, \"account\": {\"type\": \"AWS Account\", \"uid\": \"65194d7c-584c-11ee-8857-0242ac110005\", \"type_id\": 10}, \"provider\": \"infrared delayed visiting\", \"region\": \"initial lucia designer\"}, \"severity_id\": 6, \"status_detail\": \"rat forth dishes\", \"status_id\": 1, \"start_time_dt\": \"2023-09-21T06:59:23.200400Z\"}", - "event": { - "action": "look", - "category": [ - "package" - ], - "kind": "event", - "outcome": "success", - "provider": "jurisdiction protecting witness", - "severity": 6, - "start": "2023-09-21T06:59:23.200400Z", - "type": [ - "info" - ] - }, - "@timestamp": "2023-09-21T06:27:59.358000Z", - "cloud": { - "account": { - "id": "65194d7c-584c-11ee-8857-0242ac110005" - }, - "provider": "infrared delayed visiting", - "region": "initial lucia designer" - }, - "host": { - "domain": "allied had insulation", - "hostname": "zinc.biz", - "id": "651987a6-584c-11ee-ad31-0242ac110005", - "ip": [ - "81.2.69.142" - ], - "name": "zinc.biz", - "type": "Unknown" - }, - "ocsf": { - "activity_id": 99, - "activity_name": "look", - 
"class_name": "Application Lifecycle", - "class_uid": 6002 - }, - "organization": { - "id": "65193f12-584c-11ee-ae9b-0242ac110005", - "name": "exclusive variables tag" - }, - "package": { - "description": [], - "name": [], - "type": [] - }, - "related": { - "hosts": [ - "zinc.biz" - ], - "ip": [ - "81.2.69.142" - ] - } - } -} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_authentication_1.json b/OCSF/ocsf/tests/test_authentication_1.json new file mode 100644 index 000000000..3bae772bc --- /dev/null +++ b/OCSF/ocsf/tests/test_authentication_1.json 
@@ -0,0 +1,76 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Logon\", \"actor\": {\"idp\": {\"name\": null}, \"invoked_by\": null, \"session\": {\"issuer\": null}, \"user\": {\"account\": {\"uid\": \"111122223333\"}, \"credential_uid\": null, \"name\": \"anaya\", \"type\": \"IAMUser\", \"uid\": \"arn:aws:iam::111122223333:user/anaya\", \"uid_alt\": \"AIDACKCEVSQ6C2EXAMPLE\"}}, \"api\": {\"operation\": \"ConsoleLogin\", \"request\": {\"data\": null, \"uid\": \"\"}, \"response\": {\"data\": {\"ConsoleLogin\": \"Success\"}, \"error\": null, \"message\": null}, \"service\": {\"name\": \"signin.amazonaws.com\"}, \"version\": null}, \"category_name\": \"Identity & Access Management Category\", \"category_uid\": 3, \"class_name\": \"Authentication\", \"class_uid\": 3002, \"cloud\": {\"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"dst_endpoint\": {\"svc_name\": \"https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true\"}, \"http_request\": {\"user_agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36\"}, \"is_mfa\": true, \"metadata\": {\"event_code\": \"AwsConsoleSignIn\", \"log_provider\": \"CloudTrail\", \"product\": {\"feature\": {\"name\": \"Management\"}, \"name\": \"CloudTrail\", \"vendor_name\": \"AWS\", \"version\": \"1.08\"}, \"profiles\": [\"cloud\", \"datetime\"], \"uid\": \"fed06f42-cb12-4764-8c69-example\", \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"192.0.2.0\"}], \"session\": {\"expiration_time\": null}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"192.0.2.0\"}, \"status\": \"Success\", \"status_id\": 1, \"time\": 1699633474000, \"time_dt\": \"2023-11-10T16:24:34Z\", \"type_name\": \"Authentication: Logon\", \"type_uid\": 300201, \"unmapped\": {\"additionalEventData\": {\"LoginTo\": 
\"https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true\", \"MFAIdentifier\": \"arn:aws:iam::111122223333:u2f/user/anaya/default-AAAAAAAABBBBBBBBCCCCCCCCDD\", \"MobileVersion\": \"No\"}, \"eventType\": \"AwsConsoleSignIn\", \"recipientAccountId\": \"111122223333\", \"requestParameters\": null, \"responseElements\": {}, \"userIdentity\": {}}, \"user\": {\"uid\": \"arn:aws:iam::111122223333:user/anaya\", \"uid_alt\": \"AIDACKCEVSQ6C2EXAMPLE\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Logon\", \"actor\": {\"idp\": {\"name\": null}, \"invoked_by\": null, \"session\": {\"issuer\": null}, \"user\": {\"account\": {\"uid\": \"111122223333\"}, \"credential_uid\": null, \"name\": \"anaya\", \"type\": \"IAMUser\", \"uid\": \"arn:aws:iam::111122223333:user/anaya\", \"uid_alt\": \"AIDACKCEVSQ6C2EXAMPLE\"}}, \"api\": {\"operation\": \"ConsoleLogin\", \"request\": {\"data\": null, \"uid\": \"\"}, \"response\": {\"data\": {\"ConsoleLogin\": \"Success\"}, \"error\": null, \"message\": null}, \"service\": {\"name\": \"signin.amazonaws.com\"}, \"version\": null}, \"category_name\": \"Identity & Access Management Category\", \"category_uid\": 3, \"class_name\": \"Authentication\", \"class_uid\": 3002, \"cloud\": {\"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"dst_endpoint\": {\"svc_name\": \"https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true\"}, \"http_request\": {\"user_agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36\"}, \"is_mfa\": true, \"metadata\": {\"event_code\": \"AwsConsoleSignIn\", \"log_provider\": \"CloudTrail\", \"product\": {\"feature\": {\"name\": \"Management\"}, \"name\": \"CloudTrail\", \"vendor_name\": \"AWS\", \"version\": \"1.08\"}, \"profiles\": [\"cloud\", \"datetime\"], \"uid\": \"fed06f42-cb12-4764-8c69-example\", \"version\": \"1.1.0\"}, \"observables\": [{\"name\": 
\"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"192.0.2.0\"}], \"session\": {\"expiration_time\": null}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"192.0.2.0\"}, \"status\": \"Success\", \"status_id\": 1, \"time\": 1699633474000, \"time_dt\": \"2023-11-10T16:24:34Z\", \"type_name\": \"Authentication: Logon\", \"type_uid\": 300201, \"unmapped\": {\"additionalEventData\": {\"LoginTo\": \"https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true\", \"MFAIdentifier\": \"arn:aws:iam::111122223333:u2f/user/anaya/default-AAAAAAAABBBBBBBBCCCCCCCCDD\", \"MobileVersion\": \"No\"}, \"eventType\": \"AwsConsoleSignIn\", \"recipientAccountId\": \"111122223333\", \"requestParameters\": null, \"responseElements\": {}, \"userIdentity\": {}}, \"user\": {\"uid\": \"arn:aws:iam::111122223333:user/anaya\", \"uid_alt\": \"AIDACKCEVSQ6C2EXAMPLE\"}}", + "event": { + "action": "logon", + "category": [ + "authentication" + ], + "code": "AwsConsoleSignIn", + "kind": "event", + "outcome": "success", + "provider": "CloudTrail", + "severity": 1, + "type": [ + "info", + "start" + ] + }, + "@timestamp": "2023-11-10T16:24:34Z", + "cloud": { + "provider": "AWS", + "region": "us-east-1" + }, + "network": { + "application": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true" + }, + "ocsf": { + "activity_id": 1, + "activity_name": "Logon", + "class_name": "Authentication", + "class_uid": 3002 + }, + "related": { + "ip": [ + "192.0.2.0" + ], + "user": [ + "anaya" + ] + }, + "source": { + "address": "192.0.2.0", + "ip": "192.0.2.0" + }, + "user": { + "group": { + "id": [], + "name": [] + }, + "id": "arn:aws:iam::111122223333:user/anaya", + "name": "anaya", + "target": { + "group": { + "id": [], + "name": [] + }, + "id": "arn:aws:iam::111122223333:user/anaya" + } + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS 
X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", + "os": { + "name": "Mac OS X", + "version": "10.11.6" + }, + "version": "67.0.3396" + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_authentication_2.json b/OCSF/ocsf/tests/test_authentication_2.json new file mode 100644 index 000000000..ce5f0fd6e --- /dev/null +++ b/OCSF/ocsf/tests/test_authentication_2.json 
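Review bot: The expected block for this AWS console logon asserts nothing about `is_mfa` (true in the input) or the account id in `actor.user.account.uid` (`111122223333`), even though both are present in the input message and the expected `cloud` object carries only provider and region. Whether the parser maps them cannot be seen from this fixture alone, but as written the test will not catch a regression that drops the MFA indicator, which is the field a non-MFA console sign-in detection keys on. If the parser exposes them, pin them here, e.g. `"cloud": {"account": {"id": "111122223333"}, "provider": "AWS", "region": "us-east-1"}` plus whatever field the MFA flag lands in; if it deliberately does not, a line in the CHANGELOG saying MFA state is not mapped would save the next reader from assuming it is. Also note that `user.target.id` simply duplicates `user.id` for this self-logon, which looks intended but should be stated in the parser rather than only implied by the fixture.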
@@ -0,0 +1,80 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Logon\", \"actor\": {\"process\": {\"file\": {\"name\": \"services.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 848}, \"session\": {\"uid\": \"0x3E7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"ATTACKRANGE\", \"name\": \"WIN-DC-725$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"auth_protocol\": \"Other\", \"auth_protocol_id\": 99, \"category_name\": \"Audit Activity\", \"category_uid\": 3, \"class_name\": \"Authentication\", \"class_uid\": 3002, \"device\": {\"hostname\": \"win-dc-725.attackrange.local\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"dst_endpoint\": {\"hostname\": \"win-dc-725.attackrange.local\"}, \"logon_process\": {\"name\": \"Advapi \", \"pid\": -1}, \"logon_type\": \"OS Service\", \"logon_type_id\": 5, \"message\": \"An account was successfully logged on.\", \"metadata\": {\"original_time\": \"03/12/2021 10:48:14 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"ce139867-ced1-4742-9bb0-ad1926b8bbe1\", \"version\": \"1.0.0-rc.2\"}, \"session\": {\"uid\": \"0x3E7\", \"uuid\": \"{00000000-0000-0000-0000-000000000000}\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"-\", \"name\": \"-\", \"port\": 0}, \"status\": \"Success\", \"status_id\": 1, \"time\": 1615564094000, \"type_name\": \"Authentication: Logon\", \"type_uid\": 300201, \"unmapped\": {\"Detailed Authentication Information\": {\"Key Length\": \"0\", \"Package Name (NTLM only)\": \"-\", \"Transited Services\": \"-\"}, \"EventCode\": \"4624\", \"EventType\": \"0\", \"Impersonation Level\": \"Impersonation\", \"Logon 
Information\": {\"Elevated Token\": \"Yes\", \"Restricted Admin Mode\": \"-\", \"Virtual Account\": \"No\"}, \"New Logon\": {\"Linked Logon ID\": \"0x0\", \"Network Account Domain\": \"-\", \"Network Account Name\": \"-\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"257879\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Logon\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"NT AUTHORITY\", \"name\": \"SYSTEM\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Logon\", \"actor\": {\"process\": {\"file\": {\"name\": \"services.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 848}, \"session\": {\"uid\": \"0x3E7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"ATTACKRANGE\", \"name\": \"WIN-DC-725$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"auth_protocol\": \"Other\", \"auth_protocol_id\": 99, \"category_name\": \"Audit Activity\", \"category_uid\": 3, \"class_name\": \"Authentication\", \"class_uid\": 3002, \"device\": {\"hostname\": \"win-dc-725.attackrange.local\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"dst_endpoint\": {\"hostname\": \"win-dc-725.attackrange.local\"}, \"logon_process\": {\"name\": \"Advapi \", \"pid\": -1}, \"logon_type\": \"OS Service\", \"logon_type_id\": 5, \"message\": \"An account was successfully logged on.\", \"metadata\": {\"original_time\": \"03/12/2021 10:48:14 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"ce139867-ced1-4742-9bb0-ad1926b8bbe1\", \"version\": \"1.0.0-rc.2\"}, \"session\": {\"uid\": \"0x3E7\", \"uuid\": 
\"{00000000-0000-0000-0000-000000000000}\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"-\", \"name\": \"-\", \"port\": 0}, \"status\": \"Success\", \"status_id\": 1, \"time\": 1615564094000, \"type_name\": \"Authentication: Logon\", \"type_uid\": 300201, \"unmapped\": {\"Detailed Authentication Information\": {\"Key Length\": \"0\", \"Package Name (NTLM only)\": \"-\", \"Transited Services\": \"-\"}, \"EventCode\": \"4624\", \"EventType\": \"0\", \"Impersonation Level\": \"Impersonation\", \"Logon Information\": {\"Elevated Token\": \"Yes\", \"Restricted Admin Mode\": \"-\", \"Virtual Account\": \"No\"}, \"New Logon\": {\"Linked Logon ID\": \"0x0\", \"Network Account Domain\": \"-\", \"Network Account Name\": \"-\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"257879\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Logon\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"NT AUTHORITY\", \"name\": \"SYSTEM\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}", + "event": { + "action": "logon", + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "success", + "severity": 1, + "type": [ + "info", + "start" + ] + }, + "@timestamp": "2021-03-12T15:48:14Z", + "destination": { + "address": "win-dc-725.attackrange.local", + "domain": "win-dc-725.attackrange.local", + "subdomain": "win-dc-725.attackrange" + }, + "file": { + "directory": "C:\\Windows\\System32", + "name": "services.exe", + "path": "C:\\Windows\\System32\\services.exe", + "type": "Regular File" + }, + "host": { + "hostname": "win-dc-725.attackrange.local", + "name": "win-dc-725.attackrange.local", + "os": { + "name": "Windows", + "type": "Windows" + }, + "type": "Unknown" + }, + "ocsf": { + "activity_id": 1, + "activity_name": "Logon", + "class_name": "Authentication", + "class_uid": 3002 + }, + "process": { + "pid": 848 + }, + "related": { + "hosts": [ + "win-dc-725.attackrange.local" + ], + 
"user": [ + "WIN-DC-725$" + ] + }, + "source": { + "port": 0 + }, + "user": { + "domain": "ATTACKRANGE", + "group": { + "id": [], + "name": [] + }, + "id": "NT AUTHORITY\\SYSTEM", + "name": "WIN-DC-725$", + "target": { + "domain": "NT AUTHORITY", + "group": { + "id": [], + "name": [] + }, + "id": "NT AUTHORITY\\SYSTEM", + "name": "SYSTEM" + } + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_authentication_3.json b/OCSF/ocsf/tests/test_authentication_3.json new file mode 100644 index 000000000..bea1b2602 --- /dev/null +++ b/OCSF/ocsf/tests/test_authentication_3.json 
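Review bot: The expected `source` object for this 4624 keeps `"port": 0` while the input's `src_endpoint` is entirely placeholder (`ip: "-"`, `name: "-"`, `port: 0`), so the fixture pins a half-populated source with a port but no address. Windows writes `-`/`0` when there is no network peer (here `logon_type_id` 5, OS Service), and a consumer filtering on `source.port` would treat 0 as a real value. Consider asserting that the parser drops the endpoint altogether when ip and name are `-`, i.e. no `source` key in `expected`, or at least make the sentinel explicit in the parser. Separately, `logon_type`/`logon_type_id` is not asserted anywhere in the expected output although logon type is the primary pivot for Windows authentication detections (type 3/10 for lateral movement); if the parser maps it, pin it here so a regression is caught.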
@@ -0,0 +1,71 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Logon\", \"actor\": {\"process\": {\"file\": {\"name\": \"-\", \"path\": \"-\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 0}, \"session\": {\"uid\": \"0x0\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"-\", \"name\": \"-\", \"uid\": \"NULL SID\"}}, \"auth_protocol\": \"NTLM\", \"auth_protocol_id\": 1, \"category_name\": \"Audit Activity\", \"category_uid\": 3, \"class_name\": \"Authentication\", \"class_uid\": 3002, \"device\": {\"hostname\": \"EC2AMAZ-6KJ2BPP\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"dst_endpoint\": {\"hostname\": \"EC2AMAZ-6KJ2BPP\"}, \"logon_process\": {\"name\": \"NtLmSsp \", \"pid\": -1}, \"logon_type\": \"Network\", \"logon_type_id\": 3, \"message\": \"An account failed to log on.\", \"metadata\": {\"original_time\": \"10/08/2020 12:41:47 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"a738d6e6-4ebd-49bb-805e-45d0604a1bef\", \"version\": \"1.0.0-rc.2\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"-\", \"name\": \"EC2AMAZ-6KJ2BPP\", \"port\": 0}, \"status\": \"0xC000006D\", \"status_detail\": \"Unknown user name or bad password.\", \"status_id\": 2, \"time\": 1602175307000, \"type_name\": \"Authentication: Logon\", \"type_uid\": 300201, \"unmapped\": {\"Detailed Authentication Information\": {\"Key Length\": \"0\", \"Package Name (NTLM only)\": \"-\", \"Transited Services\": \"-\"}, \"EventCode\": \"4625\", \"EventType\": \"0\", \"Failure Information\": {\"Sub Status\": \"0xC000006A\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"223742\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Logon\"}, \"user\": {\"account_type\": \"Windows Account\", 
\"account_type_id\": 2, \"domain\": \"EC2AMAZ-6KJ2BPP\", \"name\": \"Administrator\", \"uid\": \"NULL SID\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Logon\", \"actor\": {\"process\": {\"file\": {\"name\": \"-\", \"path\": \"-\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 0}, \"session\": {\"uid\": \"0x0\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"-\", \"name\": \"-\", \"uid\": \"NULL SID\"}}, \"auth_protocol\": \"NTLM\", \"auth_protocol_id\": 1, \"category_name\": \"Audit Activity\", \"category_uid\": 3, \"class_name\": \"Authentication\", \"class_uid\": 3002, \"device\": {\"hostname\": \"EC2AMAZ-6KJ2BPP\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"dst_endpoint\": {\"hostname\": \"EC2AMAZ-6KJ2BPP\"}, \"logon_process\": {\"name\": \"NtLmSsp \", \"pid\": -1}, \"logon_type\": \"Network\", \"logon_type_id\": 3, \"message\": \"An account failed to log on.\", \"metadata\": {\"original_time\": \"10/08/2020 12:41:47 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"a738d6e6-4ebd-49bb-805e-45d0604a1bef\", \"version\": \"1.0.0-rc.2\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"-\", \"name\": \"EC2AMAZ-6KJ2BPP\", \"port\": 0}, \"status\": \"0xC000006D\", \"status_detail\": \"Unknown user name or bad password.\", \"status_id\": 2, \"time\": 1602175307000, \"type_name\": \"Authentication: Logon\", \"type_uid\": 300201, \"unmapped\": {\"Detailed Authentication Information\": {\"Key Length\": \"0\", \"Package Name (NTLM only)\": \"-\", \"Transited Services\": \"-\"}, \"EventCode\": \"4625\", \"EventType\": \"0\", \"Failure Information\": {\"Sub Status\": \"0xC000006A\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"223742\", \"SourceName\": \"Microsoft Windows 
security auditing.\", \"TaskCategory\": \"Logon\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"EC2AMAZ-6KJ2BPP\", \"name\": \"Administrator\", \"uid\": \"NULL SID\"}}", + "event": { + "action": "logon", + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "failure", + "severity": 1, + "type": [ + "info", + "start" + ] + }, + "@timestamp": "2020-10-08T16:41:47Z", + "destination": { + "address": "EC2AMAZ-6KJ2BPP", + "domain": "EC2AMAZ-6KJ2BPP" + }, + "file": { + "type": "Regular File" + }, + "host": { + "hostname": "EC2AMAZ-6KJ2BPP", + "name": "EC2AMAZ-6KJ2BPP", + "os": { + "name": "Windows", + "type": "Windows" + }, + "type": "Unknown" + }, + "ocsf": { + "activity_id": 1, + "activity_name": "Logon", + "class_name": "Authentication", + "class_uid": 3002 + }, + "process": { + "pid": 0 + }, + "related": { + "hosts": [ + "EC2AMAZ-6KJ2BPP" + ] + }, + "source": { + "port": 0 + }, + "user": { + "group": { + "id": [], + "name": [] + }, + "id": "NULL SID", + "target": { + "domain": "EC2AMAZ-6KJ2BPP", + "group": { + "id": [], + "name": [] + }, + "id": "NULL SID", + "name": "Administrator" + } + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_compliance_finding_1.json b/OCSF/ocsf/tests/test_compliance_finding_1.json new file mode 100644 index 000000000..4a6672f83 --- /dev/null +++ b/OCSF/ocsf/tests/test_compliance_finding_1.json 
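Review bot: For this failed NTLM logon (4625, `status: 0xC000006D`, sub status `0xC000006A`), the expected output carries `"file": {"type": "Regular File"}` although the actor process file in the input has `name: "-"` and `path: "-"`, so a placeholder yields a phantom file object with no name or path. The same `-` sentinel is dropped for the actor user name and the source ip, so the file mapping looks inconsistent; the expected block should probably omit `file` entirely and the parser should skip the object when `file.path` is `-`. Also `event.type` is `["info", "start"]` for an authentication that failed, which is questionable for ECS `start`, and neither `status_detail` ("Unknown user name or bad password.") nor the NTSTATUS codes are asserted even though those are the fields a brute-force or password-spray rule needs; if the parser exposes them (e.g. as `event.reason`), pin them in this fixture.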
@@ -0,0 +1,40 @@ +{ + "input": { + "message": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Compliance Finding\", \"class_uid\": 2003, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"compliance\": {\"control\": \"Config.1\", \"requirements\": [\"PCI DSS 10.5.2\", \"PCI DSS 11.5\"], \"standards\": [\"standards/pci-dss/v/3.2.1\"], \"status\": \"FAILED\"}, \"finding_info\": {\"created_time_dt\": \"2023-01-13T15:08:44.967-05:00\", \"desc\": \"This AWS control checks whether AWS Config is enabled in current account and region.\", \"first_seen_time_dt\": \"2023-01-13T15:08:44.967-05:00\", \"last_seen_time_dt\": \"2023-07-21T14:12:05.693-04:00\", \"modified_time_dt\": \"2023-07-21T14:11:53.060-04:00\", \"title\": \"PCI.Config.1 AWS Config should be enabled\", \"types\": [\"Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS\"], \"uid\": \"arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1/PCI.Config.1/finding/7d619054-6f0d-456b-aa75-23b20f74fae6\"}, \"metadata\": {\"log_version\": \"2018-10-08\", \"processed_time_dt\": \"2023-07-21T14:12:08.489-04:00\", \"product\": {\"feature\": {\"uid\": \"pci-dss/v/3.2.1/PCI.Config.1\"}, \"name\": \"Security Hub\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/securityhub\", \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"resource.uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"AWS::::Account:111111111111\"}], \"remediation\": {\"desc\": \"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\", \"references\": [\"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\"]}, \"resource\": {\"cloud_partition\": \"aws\", \"region\": \"us-east-2\", \"type\": \"AwsAccount\", \"uid\": 
\"AWS::::Account:111111111111\"}, \"severity\": \"Medium\", \"severity_id\": 3, \"status\": \"New\", \"time\": 1689963113060, \"time_dt\": \"2023-07-21T14:11:53.060-04:00\", \"type_name\": \"Compliance Finding: Update\", \"type_uid\": 200302, \"unmapped\": {\"FindingProviderFields.Severity.Label\": \"MEDIUM\", \"FindingProviderFields.Severity.Original\": \"MEDIUM\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS\", \"ProductFields.ControlId\": \"PCI.Config.1\", \"ProductFields.RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\", \"ProductFields.Resources:0/Id\": \"arn:aws:iam::111111111111:root\", \"ProductFields.StandardsArn\": \"arn:aws:securityhub:::standards/pci-dss/v/3.2.1\", \"ProductFields.StandardsControlArn\": \"arn:aws:securityhub:us-east-2:111111111111:control/pci-dss/v/3.2.1/PCI.Config.1\", \"ProductFields.StandardsSubscriptionArn\": \"arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1\", \"ProductFields.aws/securityhub/CompanyName\": \"AWS\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1/PCI.Config.1/finding/7d619054-6f0d-456b-aa75-23b20f74fae6\", \"ProductFields.aws/securityhub/ProductName\": \"Security Hub\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"40\", \"Severity.Original\": \"MEDIUM\", \"Severity.Product\": \"40\", \"WorkflowState\": \"NEW\"}}" + }, + "expected": { + "message": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Compliance Finding\", \"class_uid\": 2003, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"compliance\": {\"control\": \"Config.1\", \"requirements\": [\"PCI DSS 10.5.2\", \"PCI DSS 11.5\"], \"standards\": 
[\"standards/pci-dss/v/3.2.1\"], \"status\": \"FAILED\"}, \"finding_info\": {\"created_time_dt\": \"2023-01-13T15:08:44.967-05:00\", \"desc\": \"This AWS control checks whether AWS Config is enabled in current account and region.\", \"first_seen_time_dt\": \"2023-01-13T15:08:44.967-05:00\", \"last_seen_time_dt\": \"2023-07-21T14:12:05.693-04:00\", \"modified_time_dt\": \"2023-07-21T14:11:53.060-04:00\", \"title\": \"PCI.Config.1 AWS Config should be enabled\", \"types\": [\"Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS\"], \"uid\": \"arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1/PCI.Config.1/finding/7d619054-6f0d-456b-aa75-23b20f74fae6\"}, \"metadata\": {\"log_version\": \"2018-10-08\", \"processed_time_dt\": \"2023-07-21T14:12:08.489-04:00\", \"product\": {\"feature\": {\"uid\": \"pci-dss/v/3.2.1/PCI.Config.1\"}, \"name\": \"Security Hub\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/securityhub\", \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"resource.uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"AWS::::Account:111111111111\"}], \"remediation\": {\"desc\": \"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\", \"references\": [\"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\"]}, \"resource\": {\"cloud_partition\": \"aws\", \"region\": \"us-east-2\", \"type\": \"AwsAccount\", \"uid\": \"AWS::::Account:111111111111\"}, \"severity\": \"Medium\", \"severity_id\": 3, \"status\": \"New\", \"time\": 1689963113060, \"time_dt\": \"2023-07-21T14:11:53.060-04:00\", \"type_name\": \"Compliance Finding: Update\", \"type_uid\": 200302, \"unmapped\": {\"FindingProviderFields.Severity.Label\": \"MEDIUM\", \"FindingProviderFields.Severity.Original\": \"MEDIUM\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Industry and 
Regulatory Standards/PCI-DSS\", \"ProductFields.ControlId\": \"PCI.Config.1\", \"ProductFields.RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\", \"ProductFields.Resources:0/Id\": \"arn:aws:iam::111111111111:root\", \"ProductFields.StandardsArn\": \"arn:aws:securityhub:::standards/pci-dss/v/3.2.1\", \"ProductFields.StandardsControlArn\": \"arn:aws:securityhub:us-east-2:111111111111:control/pci-dss/v/3.2.1/PCI.Config.1\", \"ProductFields.StandardsSubscriptionArn\": \"arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1\", \"ProductFields.aws/securityhub/CompanyName\": \"AWS\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1/PCI.Config.1/finding/7d619054-6f0d-456b-aa75-23b20f74fae6\", \"ProductFields.aws/securityhub/ProductName\": \"Security Hub\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"40\", \"Severity.Original\": \"MEDIUM\", \"Severity.Product\": \"40\", \"WorkflowState\": \"NEW\"}}", + "event": { + "action": "update", + "category": [], + "severity": 3, + "type": [] + }, + "@timestamp": "2023-07-21T18:11:53.060000Z", + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "AWS", + "region": "us-east-2" + }, + "ocsf": { + "activity_id": 2, + "activity_name": "Update", + "class_name": "Compliance Finding", + "class_uid": 2003 + }, + "vulnerability": { + "description": [], + "id": [], + "scanner": { + "vendor": [] + }, + "score": { + "base": [], + "version": [] + }, + "severity": [] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_detection_finding_1.json b/OCSF/ocsf/tests/test_detection_finding_1.json new file mode 100644 index 000000000..21f6f7051 --- /dev/null +++ b/OCSF/ocsf/tests/test_detection_finding_1.json 
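Review bot: The expected document pins `"event": {"category": [], "type": []}` and a whole `vulnerability` object of empty arrays (`description`, `id`, `scanner.vendor`, `score.base`, `score.version`, `severity`) for a Compliance Finding, which turns parser noise into the fixture's contract while the fields an analyst needs are missing: a PCI control whose `compliance.status` is `FAILED` (control `Config.1`, finding uid `arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1/PCI.Config.1/finding/7d619054-...`) yields no `event.kind`, no `event.outcome` and no `rule`/`event.id` in ECS, so nothing outside `message` can be pivoted or alerted on. The authentication fixture just above does assert `"kind": "event"`, so its absence here suggests the Findings classes fall through the kind mapping rather than being deliberately left out. I would tighten the expectation to something like `"event": {"action": "update", "kind": "alert", "outcome": "failure", "severity": 3}` plus `"rule": {"id": "Config.1", "name": "PCI.Config.1 AWS Config should be enabled"}`, and drop the empty-array keys so that emitting them is not what the test enforces. The empty arrays presumably originate in the template in `ingest/parser.yml`, which is outside this hunk, so the fixture change needs a matching parser change.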
@@ -0,0 +1,40 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Detection Finding\", \"class_uid\": 2004, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"evidences\": [{\"api\": {\"operation\": \"DeleteTrail\", \"service\": {\"name\": \"cloudtrail.amazonaws.com\"}}, \"data\": \"\", \"src_endpoint\": {\"ip\": \"52.94.133.131\", \"location\": {\"city\": \"\", \"coordinates\": [-100.821999, 37.751], \"country\": \"United States\"}}}], \"finding_info\": {\"created_time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"desc\": \"AWS CloudTrail trail arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me was disabled by Admin calling DeleteTrail under unusual circumstances. This can be attackers attempt to cover their tracks by eliminating any trace of activity performed while they accessed your account.\", \"first_seen_time_dt\": \"2023-09-19T10:55:09.000-04:00\", \"last_seen_time_dt\": \"2023-09-19T10:55:09.000-04:00\", \"modified_time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"src_url\": \"https://us-east-2.console.aws.amazon.com/guardduty/home?region=us-east-2#/findings?macros=current&fId=a6c556fcbc9bea427a19f8b787099a0b\", \"title\": \"AWS CloudTrail trail arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me was disabled.\", \"types\": [\"TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled\"], \"uid\": \"arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE/finding/a6c556fcbc9bea427a19f8b787099a0b\"}, \"metadata\": {\"extensions\": [{\"name\": \"linux\", \"uid\": \"1\", \"version\": \"1.1.0\"}], \"log_version\": \"2018-10-08\", \"product\": {\"feature\": {\"uid\": \"arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE\"}, \"name\": \"GuardDuty\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/guardduty\", \"vendor_name\": 
\"Amazon\"}, \"profiles\": [\"cloud\", \"datetime\", \"linux\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"evidences[].src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"52.94.133.131\"}, {\"name\": \"resources[].uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"AWS::IAM::AccessKey:ASIATMJPC7EXAMPLE\"}], \"resources\": [{\"cloud_partition\": \"aws\", \"data\": \"{\\\"AwsIamAccessKey\\\":{\\\"PrincipalId\\\":\\\"AROATMJPC7YEXAMPLE:example\\\",\\\"PrincipalName\\\":\\\"Admin\\\",\\\"PrincipalType\\\":\\\"AssumedRole\\\"}}\", \"region\": \"us-east-2\", \"type\": \"AwsIamAccessKey\", \"uid\": \"AWS::IAM::AccessKey:ASIATMJPC7EXAMPLE\"}], \"severity\": \"Low\", \"severity_id\": 2, \"status\": \"New\", \"time\": 1695135922487, \"time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"type_name\": \"Detection Finding: Create\", \"type_uid\": 200401, \"unmapped\": {\"FindingProviderFields.Severity.Label\": \"LOW\", \"FindingProviderFields.Types[]\": \"TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled\", \"ProductFields.aws/guardduty/service/action/actionType\": \"AWS_API_CALL\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::CloudTrail::Trail\": \"arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType\": \"Remote IP\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn\": \"16509\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg\": \"AMAZON-02\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp\": \"Amazon Office\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org\": \"Amazon Office\", \"ProductFields.aws/guardduty/service/additionalInfo/type\": \"default\", \"ProductFields.aws/guardduty/service/archived\": \"false\", 
\"ProductFields.aws/guardduty/service/count\": \"1\", \"ProductFields.aws/guardduty/service/detectorId\": \"1ac1bfceda6679698215d5d0EXAMPLE\", \"ProductFields.aws/guardduty/service/eventFirstSeen\": \"2023-09-19T14:55:09.000Z\", \"ProductFields.aws/guardduty/service/eventLastSeen\": \"2023-09-19T14:55:09.000Z\", \"ProductFields.aws/guardduty/service/resourceRole\": \"TARGET\", \"ProductFields.aws/guardduty/service/serviceName\": \"guardduty\", \"ProductFields.aws/securityhub/CompanyName\": \"Amazon\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/guardduty/arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE/finding/a6c556fcbc9bea427a19f8b787099a0b\", \"ProductFields.aws/securityhub/ProductName\": \"GuardDuty\", \"RecordState\": \"ACTIVE\", \"Sample\": \"false\", \"Severity.Normalized\": \"40\", \"Severity.Product\": \"2\", \"WorkflowState\": \"NEW\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Detection Finding\", \"class_uid\": 2004, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"evidences\": [{\"api\": {\"operation\": \"DeleteTrail\", \"service\": {\"name\": \"cloudtrail.amazonaws.com\"}}, \"data\": \"\", \"src_endpoint\": {\"ip\": \"52.94.133.131\", \"location\": {\"city\": \"\", \"coordinates\": [-100.821999, 37.751], \"country\": \"United States\"}}}], \"finding_info\": {\"created_time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"desc\": \"AWS CloudTrail trail arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me was disabled by Admin calling DeleteTrail under unusual circumstances. 
This can be attackers attempt to cover their tracks by eliminating any trace of activity performed while they accessed your account.\", \"first_seen_time_dt\": \"2023-09-19T10:55:09.000-04:00\", \"last_seen_time_dt\": \"2023-09-19T10:55:09.000-04:00\", \"modified_time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"src_url\": \"https://us-east-2.console.aws.amazon.com/guardduty/home?region=us-east-2#/findings?macros=current&fId=a6c556fcbc9bea427a19f8b787099a0b\", \"title\": \"AWS CloudTrail trail arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me was disabled.\", \"types\": [\"TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled\"], \"uid\": \"arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE/finding/a6c556fcbc9bea427a19f8b787099a0b\"}, \"metadata\": {\"extensions\": [{\"name\": \"linux\", \"uid\": \"1\", \"version\": \"1.1.0\"}], \"log_version\": \"2018-10-08\", \"product\": {\"feature\": {\"uid\": \"arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE\"}, \"name\": \"GuardDuty\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/guardduty\", \"vendor_name\": \"Amazon\"}, \"profiles\": [\"cloud\", \"datetime\", \"linux\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"evidences[].src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"52.94.133.131\"}, {\"name\": \"resources[].uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"AWS::IAM::AccessKey:ASIATMJPC7EXAMPLE\"}], \"resources\": [{\"cloud_partition\": \"aws\", \"data\": \"{\\\"AwsIamAccessKey\\\":{\\\"PrincipalId\\\":\\\"AROATMJPC7YEXAMPLE:example\\\",\\\"PrincipalName\\\":\\\"Admin\\\",\\\"PrincipalType\\\":\\\"AssumedRole\\\"}}\", \"region\": \"us-east-2\", \"type\": \"AwsIamAccessKey\", \"uid\": \"AWS::IAM::AccessKey:ASIATMJPC7EXAMPLE\"}], \"severity\": \"Low\", \"severity_id\": 2, \"status\": \"New\", \"time\": 1695135922487, \"time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"type_name\": 
\"Detection Finding: Create\", \"type_uid\": 200401, \"unmapped\": {\"FindingProviderFields.Severity.Label\": \"LOW\", \"FindingProviderFields.Types[]\": \"TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled\", \"ProductFields.aws/guardduty/service/action/actionType\": \"AWS_API_CALL\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::CloudTrail::Trail\": \"arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType\": \"Remote IP\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn\": \"16509\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg\": \"AMAZON-02\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp\": \"Amazon Office\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org\": \"Amazon Office\", \"ProductFields.aws/guardduty/service/additionalInfo/type\": \"default\", \"ProductFields.aws/guardduty/service/archived\": \"false\", \"ProductFields.aws/guardduty/service/count\": \"1\", \"ProductFields.aws/guardduty/service/detectorId\": \"1ac1bfceda6679698215d5d0EXAMPLE\", \"ProductFields.aws/guardduty/service/eventFirstSeen\": \"2023-09-19T14:55:09.000Z\", \"ProductFields.aws/guardduty/service/eventLastSeen\": \"2023-09-19T14:55:09.000Z\", \"ProductFields.aws/guardduty/service/resourceRole\": \"TARGET\", \"ProductFields.aws/guardduty/service/serviceName\": \"guardduty\", \"ProductFields.aws/securityhub/CompanyName\": \"Amazon\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/guardduty/arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE/finding/a6c556fcbc9bea427a19f8b787099a0b\", \"ProductFields.aws/securityhub/ProductName\": \"GuardDuty\", \"RecordState\": \"ACTIVE\", \"Sample\": \"false\", 
\"Severity.Normalized\": \"40\", \"Severity.Product\": \"2\", \"WorkflowState\": \"NEW\"}}", + "event": { + "action": "create", + "category": [], + "severity": 2, + "type": [] + }, + "@timestamp": "2023-09-19T15:05:22.487000Z", + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "AWS", + "region": "us-east-2" + }, + "ocsf": { + "activity_id": 1, + "activity_name": "Create", + "class_name": "Detection Finding", + "class_uid": 2004 + }, + "vulnerability": { + "description": [], + "id": [], + "scanner": { + "vendor": [] + }, + "score": { + "base": [], + "version": [] + }, + "severity": [] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_discovery_1.json b/OCSF/ocsf/tests/test_discovery_1.json deleted file mode 100644 index eeb096f1d..000000000 --- a/OCSF/ocsf/tests/test_discovery_1.json +++ /dev/null 
@@ -1,68 +0,0 @@ -{ - "input": { - "message": "{\"count\": 73, \"message\": \"flags feel absolute\", \"cis_benchmark_result\": {\"rule\": {\"category\": \"descidhscate\", \"desc\": \"rule_description\", \"name\": \"rule_name\", \"uid\": \"rule123\", \"version\": \"0.1.0\"}}, \"status\": \"creativity\", \"time\": 1695277679358, \"device\": {\"name\": \"ranked murder listing\", \"type\": \"Desktop\", \"ip\": \"81.2.69.142\", \"uid\": \"023e2564-5848-11ee-9c42-0242ac110005\", \"hostname\": \"lucas.pro\", \"type_id\": 2, \"subnet\": \"49.28.0.0/16\", \"autoscale_uid\": \"023de734-5848-11ee-b193-0242ac110005\", \"instance_uid\": \"023dec02-5848-11ee-8203-0242ac110005\", \"interface_name\": \"jerry street buried\", \"interface_uid\": \"023e1a06-5848-11ee-89c6-0242ac110005\", \"region\": \"inline contains milwaukee\", \"risk_level\": \"russell customized absolutely\", \"risk_score\": 36, \"uid_alt\": \"burst premier reverse\", \"vpc_uid\": \"023e205a-5848-11ee-a8d6-0242ac110005\", \"modified_time_dt\": \"2023-09-21T06:27:59.357977Z\", \"first_seen_time_dt\": \"2023-09-21T06:27:59.356353Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"extension\": {\"name\": \"chess entry productive\", \"version\": \"1.0.0\", \"uid\": \"023dccfe-5848-11ee-8227-0242ac110005\"}, \"product\": {\"name\": \"legal subsidiary eleven\", \"version\": \"1.0.0\", \"path\": \"financial spot tennis\", \"uid\": \"023dd33e-5848-11ee-aa6d-0242ac110005\", \"vendor_name\": \"assumes podcast went\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"correlation_uid\": \"023dd7c6-5848-11ee-9d4d-0242ac110005\", \"log_provider\": \"reliance trust interim\", \"original_time\": \"database darwin area\", \"processed_time_dt\": \"2023-09-21T06:27:59.356124Z\"}, \"severity\": \"Fatal\", \"type_name\": \"Device Config State: Collect\", \"activity_id\": 2, \"type_uid\": 500202, \"category_name\": \"Discovery\", \"class_uid\": 5002, \"category_uid\": 5, \"class_name\": \"Device Config State\", 
\"timezone_offset\": 0, \"activity_name\": \"Collect\", \"cloud\": {\"org\": {\"uid\": \"023dbdcc-5848-11ee-bd54-0242ac110005\", \"ou_name\": \"determined apr sheets\"}, \"provider\": \"mathematical inclusive insured\", \"region\": \"gravity bids tennis\"}, \"enrichments\": [{\"data\": {\"inexpensive\": \"abddfg\"}, \"name\": \"preview belarus licking\", \"type\": \"separation passes distance\", \"value\": \"magnitude cancellation weed\", \"provider\": \"surgical disaster individually\"}], \"severity_id\": 6, \"status_id\": 99}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"count\": 73, \"message\": \"flags feel absolute\", \"cis_benchmark_result\": {\"rule\": {\"category\": \"descidhscate\", \"desc\": \"rule_description\", \"name\": \"rule_name\", \"uid\": \"rule123\", \"version\": \"0.1.0\"}}, \"status\": \"creativity\", \"time\": 1695277679358, \"device\": {\"name\": \"ranked murder listing\", \"type\": \"Desktop\", \"ip\": \"81.2.69.142\", \"uid\": \"023e2564-5848-11ee-9c42-0242ac110005\", \"hostname\": \"lucas.pro\", \"type_id\": 2, \"subnet\": \"49.28.0.0/16\", \"autoscale_uid\": \"023de734-5848-11ee-b193-0242ac110005\", \"instance_uid\": \"023dec02-5848-11ee-8203-0242ac110005\", \"interface_name\": \"jerry street buried\", \"interface_uid\": \"023e1a06-5848-11ee-89c6-0242ac110005\", \"region\": \"inline contains milwaukee\", \"risk_level\": \"russell customized absolutely\", \"risk_score\": 36, \"uid_alt\": \"burst premier reverse\", \"vpc_uid\": \"023e205a-5848-11ee-a8d6-0242ac110005\", \"modified_time_dt\": \"2023-09-21T06:27:59.357977Z\", \"first_seen_time_dt\": \"2023-09-21T06:27:59.356353Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"extension\": {\"name\": \"chess entry productive\", \"version\": \"1.0.0\", \"uid\": \"023dccfe-5848-11ee-8227-0242ac110005\"}, \"product\": {\"name\": \"legal subsidiary eleven\", \"version\": \"1.0.0\", \"path\": 
\"financial spot tennis\", \"uid\": \"023dd33e-5848-11ee-aa6d-0242ac110005\", \"vendor_name\": \"assumes podcast went\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"correlation_uid\": \"023dd7c6-5848-11ee-9d4d-0242ac110005\", \"log_provider\": \"reliance trust interim\", \"original_time\": \"database darwin area\", \"processed_time_dt\": \"2023-09-21T06:27:59.356124Z\"}, \"severity\": \"Fatal\", \"type_name\": \"Device Config State: Collect\", \"activity_id\": 2, \"type_uid\": 500202, \"category_name\": \"Discovery\", \"class_uid\": 5002, \"category_uid\": 5, \"class_name\": \"Device Config State\", \"timezone_offset\": 0, \"activity_name\": \"Collect\", \"cloud\": {\"org\": {\"uid\": \"023dbdcc-5848-11ee-bd54-0242ac110005\", \"ou_name\": \"determined apr sheets\"}, \"provider\": \"mathematical inclusive insured\", \"region\": \"gravity bids tennis\"}, \"enrichments\": [{\"data\": {\"inexpensive\": \"abddfg\"}, \"name\": \"preview belarus licking\", \"type\": \"separation passes distance\", \"value\": \"magnitude cancellation weed\", \"provider\": \"surgical disaster individually\"}], \"severity_id\": 6, \"status_id\": 99}", - "event": { - "action": "collect", - "category": [ - "configuration" - ], - "kind": "event", - "provider": "reliance trust interim", - "severity": 6, - "type": [ - "info" - ] - }, - "@timestamp": "2023-09-21T06:27:59.358000Z", - "cloud": { - "provider": "mathematical inclusive insured", - "region": "gravity bids tennis" - }, - "host": { - "hostname": "lucas.pro", - "id": "023e2564-5848-11ee-9c42-0242ac110005", - "ip": [ - "81.2.69.142" - ], - "name": "lucas.pro", - "risk": { - "static_level": "russell customized absolutely", - "static_score": 36 - }, - "type": "Desktop" - }, - "ocsf": { - "activity_id": 2, - "activity_name": "Collect", - "class_name": "Device Config State", - "class_uid": 5002 - }, - "organization": { - "id": "023dbdcc-5848-11ee-bd54-0242ac110005" - }, - "related": { - "hosts": [ - "lucas.pro" - ], - 
"ip": [ - "81.2.69.142" - ] - }, - "rule": { - "category": "descidhscate", - "description": "rule_description", - "name": "rule_name", - "uuid": "rule123", - "version": "0.1.0" - } - } -} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_discovery_2.json b/OCSF/ocsf/tests/test_discovery_2.json deleted file mode 100644 index b803ebfbe..000000000 --- a/OCSF/ocsf/tests/test_discovery_2.json +++ /dev/null 
@@ -1,66 +0,0 @@ -{ - "input": { - "message": "{\"message\": \"poster thongs assumptions\", \"status\": \"Success\", \"time\": 1695277679358, \"device\": {\"name\": \"craig functioning literally\", \"type\": \"Laptop\", \"os\": {\"name\": \"spy chronic casual\", \"type\": \"Android\", \"version\": \"1.0.0\", \"build\": \"dozen oval removing\", \"type_id\": 201, \"lang\": \"en\", \"edition\": \"nightmare engineers carter\"}, \"location\": {\"desc\": \"Reunion\", \"city\": \"Porcelain senior\", \"country\": \"RE\", \"coordinates\": [-161.6608, -47.0418], \"continent\": \"Africa\"}, \"uid\": \"7f256308-584d-11ee-8de0-0242ac110005\", \"image\": {\"name\": \"saudi enhanced surgical\", \"uid\": \"7f2554b2-584d-11ee-b26b-0242ac110005\"}, \"mac\": \"C6:49:F0:76:1D:13:CE:F7\", \"type_id\": 3, \"autoscale_uid\": \"7f25415c-584d-11ee-b3fc-0242ac110005\", \"hw_info\": {\"cpu_bits\": 66}, \"instance_uid\": \"7f254ea4-584d-11ee-a68f-0242ac110005\", \"interface_name\": \"watt profile rs\", \"is_personal\": false, \"last_seen_time\": 1695277679358, \"region\": \"airport leaves kitchen\", \"risk_level\": \"organizational economic connecticut\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"butterfly knight log\", \"version\": \"1.0.0\", \"uid\": \"7f25336a-584d-11ee-b2a5-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"disciplinary rec report\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"event_code\": \"spelling\", \"log_name\": \"len falling educational\", \"log_provider\": \"tales asset extremely\", \"log_version\": \"learners headlines linear\", \"original_time\": \"programmers less barcelona\", \"processed_time\": 1695280036393}, \"severity\": \"Critical\", \"type_name\": \"Device Inventory Info: Collect\", \"activity_id\": 2, \"type_uid\": 500102, \"category_name\": \"Discovery\", \"class_uid\": 5001, \"category_uid\": 5, \"class_name\": \"Device Inventory Info\", \"timezone_offset\": 65, \"activity_name\": \"Collect\", 
\"cloud\": {\"org\": {\"name\": \"black lets promotions\", \"ou_name\": \"recover sol revolutionary\"}, \"provider\": \"mod force sailing\", \"region\": \"ticket resident buried\"}, \"enrichments\": [{\"data\": {\"nintendo\": \"abcd\"}, \"name\": \"visual mv bottom\", \"type\": \"calibration basics quebec\", \"value\": \"alice stick spray\", \"provider\": \"lucy permanent trips\"}], \"severity_id\": 5, \"status_code\": \"vancouver\", \"status_id\": 1, \"start_time_dt\": \"2023-09-21T07:07:16.394812Z\"}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"message\": \"poster thongs assumptions\", \"status\": \"Success\", \"time\": 1695277679358, \"device\": {\"name\": \"craig functioning literally\", \"type\": \"Laptop\", \"os\": {\"name\": \"spy chronic casual\", \"type\": \"Android\", \"version\": \"1.0.0\", \"build\": \"dozen oval removing\", \"type_id\": 201, \"lang\": \"en\", \"edition\": \"nightmare engineers carter\"}, \"location\": {\"desc\": \"Reunion\", \"city\": \"Porcelain senior\", \"country\": \"RE\", \"coordinates\": [-161.6608, -47.0418], \"continent\": \"Africa\"}, \"uid\": \"7f256308-584d-11ee-8de0-0242ac110005\", \"image\": {\"name\": \"saudi enhanced surgical\", \"uid\": \"7f2554b2-584d-11ee-b26b-0242ac110005\"}, \"mac\": \"C6:49:F0:76:1D:13:CE:F7\", \"type_id\": 3, \"autoscale_uid\": \"7f25415c-584d-11ee-b3fc-0242ac110005\", \"hw_info\": {\"cpu_bits\": 66}, \"instance_uid\": \"7f254ea4-584d-11ee-a68f-0242ac110005\", \"interface_name\": \"watt profile rs\", \"is_personal\": false, \"last_seen_time\": 1695277679358, \"region\": \"airport leaves kitchen\", \"risk_level\": \"organizational economic connecticut\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"butterfly knight log\", \"version\": \"1.0.0\", \"uid\": \"7f25336a-584d-11ee-b2a5-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"disciplinary rec report\"}, 
\"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\"], \"event_code\": \"spelling\", \"log_name\": \"len falling educational\", \"log_provider\": \"tales asset extremely\", \"log_version\": \"learners headlines linear\", \"original_time\": \"programmers less barcelona\", \"processed_time\": 1695280036393}, \"severity\": \"Critical\", \"type_name\": \"Device Inventory Info: Collect\", \"activity_id\": 2, \"type_uid\": 500102, \"category_name\": \"Discovery\", \"class_uid\": 5001, \"category_uid\": 5, \"class_name\": \"Device Inventory Info\", \"timezone_offset\": 65, \"activity_name\": \"Collect\", \"cloud\": {\"org\": {\"name\": \"black lets promotions\", \"ou_name\": \"recover sol revolutionary\"}, \"provider\": \"mod force sailing\", \"region\": \"ticket resident buried\"}, \"enrichments\": [{\"data\": {\"nintendo\": \"abcd\"}, \"name\": \"visual mv bottom\", \"type\": \"calibration basics quebec\", \"value\": \"alice stick spray\", \"provider\": \"lucy permanent trips\"}], \"severity_id\": 5, \"status_code\": \"vancouver\", \"status_id\": 1, \"start_time_dt\": \"2023-09-21T07:07:16.394812Z\"}", - "event": { - "action": "collect", - "category": [], - "code": "spelling", - "kind": "event", - "outcome": "success", - "provider": "tales asset extremely", - "severity": 5, - "start": "2023-09-21T07:07:16.394812Z", - "type": [ - "info" - ] - }, - "@timestamp": "2023-09-21T06:27:59.358000Z", - "cloud": { - "provider": "mod force sailing", - "region": "ticket resident buried" - }, - "host": { - "geo": { - "city_name": "Porcelain senior", - "continent_name": "Africa", - "country_iso_code": "RE", - "location": { - "lat": -47.0418, - "lon": -161.6608 - }, - "name": "Reunion" - }, - "id": "7f256308-584d-11ee-8de0-0242ac110005", - "mac": [ - "C6:49:F0:76:1D:13:CE:F7" - ], - "os": { - "name": "spy chronic casual", - "type": "Android", - "version": "dozen oval removing" - }, - "risk": { - "static_level": "organizational economic connecticut" - }, - "type": "Laptop" - 
}, - "ocsf": { - "activity_id": 2, - "activity_name": "Collect", - "class_name": "Device Inventory Info", - "class_uid": 5001 - }, - "organization": { - "name": "black lets promotions" - } - } -} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_dns_activity_1.json b/OCSF/ocsf/tests/test_dns_activity_1.json new file mode 100644 index 000000000..7567bb466 --- /dev/null +++ b/OCSF/ocsf/tests/test_dns_activity_1.json 
@@ -0,0 +1,75 @@ +{ + "input": { + "message": "{\"action\": \"Allowed\", \"action_id\": 1, \"activity_id\": 6, \"activity_name\": \"Traffic\", \"answers\": [{\"class\": \"IN\", \"rdata\": \"127.0.0.62\", \"type\": \"A\"}], \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"DNS Activity\", \"class_uid\": 4003, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"connection_info\": {\"direction\": \"Unknown\", \"direction_id\": 0, \"protocol_name\": \"UDP\"}, \"disposition\": \"Alert\", \"dst_endpoint\": {\"instance_uid\": \"rslvr-in-0000000000000000\", \"interface_uid\": \"rni-0000000000000000\"}, \"firewall_rule\": {\"uid\": \"rslvr-frg-000000000000000\"}, \"metadata\": {\"product\": {\"feature\": {\"name\": \"Resolver Query Logs\"}, \"name\": \"Route 53\", \"vendor_name\": \"AWS\", \"version\": \"1.100000\"}, \"profiles\": [\"cloud\", \"security_control\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"answers[].rdata\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"127.0.0.62\"}, {\"name\": \"dst_endpoint.instance_uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"rslvr-in-0000000000000000\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"10.200.21.100\"}, {\"name\": \"query.hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"ip-127-0-0-62.alert.firewall.canary.\"}], \"query\": {\"class\": \"IN\", \"hostname\": \"ip-127-0-0-62.alert.firewall.canary.\", \"type\": \"A\"}, \"rcode\": \"NoError\", \"rcode_id\": 0, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"10.200.21.100\", \"port\": 15083, \"vpc_uid\": \"vpc-00000000000000000\"}, \"time\": 1665694956000, \"time_dt\": \"2022-10-13T17:02:36.000-04:00\", \"type_name\": \"DNS Activity: Traffic\", \"type_uid\": 400306, \"unmapped\": {\"firewall_domain_list_id\": \"rslvr-fdl-0000000000000\"}}" + }, + 
"expected": { + "message": "{\"action\": \"Allowed\", \"action_id\": 1, \"activity_id\": 6, \"activity_name\": \"Traffic\", \"answers\": [{\"class\": \"IN\", \"rdata\": \"127.0.0.62\", \"type\": \"A\"}], \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"DNS Activity\", \"class_uid\": 4003, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"connection_info\": {\"direction\": \"Unknown\", \"direction_id\": 0, \"protocol_name\": \"UDP\"}, \"disposition\": \"Alert\", \"dst_endpoint\": {\"instance_uid\": \"rslvr-in-0000000000000000\", \"interface_uid\": \"rni-0000000000000000\"}, \"firewall_rule\": {\"uid\": \"rslvr-frg-000000000000000\"}, \"metadata\": {\"product\": {\"feature\": {\"name\": \"Resolver Query Logs\"}, \"name\": \"Route 53\", \"vendor_name\": \"AWS\", \"version\": \"1.100000\"}, \"profiles\": [\"cloud\", \"security_control\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"answers[].rdata\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"127.0.0.62\"}, {\"name\": \"dst_endpoint.instance_uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"rslvr-in-0000000000000000\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"10.200.21.100\"}, {\"name\": \"query.hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"ip-127-0-0-62.alert.firewall.canary.\"}], \"query\": {\"class\": \"IN\", \"hostname\": \"ip-127-0-0-62.alert.firewall.canary.\", \"type\": \"A\"}, \"rcode\": \"NoError\", \"rcode_id\": 0, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"10.200.21.100\", \"port\": 15083, \"vpc_uid\": \"vpc-00000000000000000\"}, \"time\": 1665694956000, \"time_dt\": \"2022-10-13T17:02:36.000-04:00\", \"type_name\": \"DNS Activity: Traffic\", \"type_uid\": 400306, \"unmapped\": {\"firewall_domain_list_id\": \"rslvr-fdl-0000000000000\"}}", + "event": { + "action": 
"traffic",
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "severity": 1,
+ "type": [
+ "info",
+ "protocol"
+ ]
+ },
+ "@timestamp": "2022-10-13T21:02:36Z",
+ "cloud": {
+ "account": {
+ "id": "123456789012"
+ },
+ "provider": "AWS",
+ "region": "us-east-1"
+ },
+ "dns": {
+ "answers": {
+ "class": [
+ "IN"
+ ],
+ "ttl": [],
+ "type": [
+ "A"
+ ]
+ },
+ "id": [],
+ "question": {
+ "class": [
+ "IN"
+ ],
+ "name": "ip-127-0-0-62.alert.firewall.canary.",
+ "subdomain": "ip-127-0-0-62.alert.firewall",
+ "type": [
+ "A"
+ ]
+ },
+ "response_code": "NoError"
+ },
+ "network": {
+ "direction": [
+ "unknown"
+ ]
+ },
+ "ocsf": {
+ "activity_id": 6,
+ "activity_name": "Traffic",
+ "class_name": "DNS Activity",
+ "class_uid": 4003
+ },
+ "related": {
+ "hosts": [
+ "ip-127-0-0-62.alert.firewall.canary."
+ ],
+ "ip": [
+ "10.200.21.100"
+ ]
+ },
+ "source": {
+ "address": "10.200.21.100",
+ "ip": "10.200.21.100",
+ "port": 15083
+ }
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_findings_1.json b/OCSF/ocsf/tests/test_findings_1.json
deleted file mode 100644
index 225de3140..000000000
--- a/OCSF/ocsf/tests/test_findings_1.json
+++ /dev/null
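Review bot: The expected document for this DNS fixture drops the resolved address: `answers[].rdata` (`127.0.0.62`) appears nowhere under `dns.answers` or in `related.ip`, while `src_endpoint.ip` does, so a detection pivoting on resolved IPs would miss this event. If the parser definition (not in this hunk) is meant to map it, the fixture should expect `"data": ["127.0.0.62"]` inside `dns.answers` and the same address in `related.ip`; if the omission is deliberate, that deserves a line in the intake documentation. Separately, `"ttl": []` and `"id": []` pin empty arrays into the output, which cements a noisy result instead of having the parser drop empty values. The `@timestamp` of `2022-10-13T21:02:36Z` correctly applies the `-04:00` offset of `time_dt`.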
@@ -1,64 +0,0 @@ -{ - "input": { - "message": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"cloud\": {\"account\": {\"uid\": \"522536594833\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"compliance\": {\"requirements\": [\"PCI1.2\"], \"status\": \"PASSED\", \"status_detail\": \"CloudWatch alarms do not exist in the account\"}, \"finding\": {\"created_time\": 1635449619417, \"desc\": \"This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports [3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445, 135, 21, 1434, 4333, 5432, 5500, 5601, 22, 3000, 5000, 8088, 8888] that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for the listed ports.\", \"first_seen_time\": 1635449619417, \"last_seen_time\": 1659636565316, \"modified_time\": 1659636559100, \"related_events\": [{\"product_uid\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\", \"uid\": \"123e4567-e89b-12d3-a456-426655440000\"}, {\"product_uid\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\", \"uid\": \"AcmeNerfHerder-111111111111-x189dx7824\"}], \"remediation\": {\"desc\": \"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\", \"kb_articles\": [\"https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation\"]}, \"title\": \"EC2.19 Security groups should not allow unrestricted access to ports with high risk\", \"types\": [\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"], \"uid\": \"test\"}, \"malware\": [{\"classification_ids\": [1], \"classifications\": [\"Adware\"], \"name\": \"Stringler\", \"path\": \"/usr/sbin/stringler\"}], \"metadata\": {\"product\": {\"feature\": {\"name\": 
\"Security Hub\", \"uid\": \"aws-foundational-security-best-practices/v/1.0.0/EC2.19\"}, \"name\": \"Security Hub\", \"uid\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\", \"vendor_name\": \"AWS\", \"version\": \"2018-10-08\"}, \"profiles\": [\"cloud\"], \"version\": \"1.0.0-rc.2\"}, \"resources\": [{\"cloud_partition\": \"aws\", \"labels\": [\"billingCode=Lotus-1-2-3\", \"needsPatching=true\"], \"region\": \"us-east-1\", \"type\": \"AwsEc2SecurityGroup\", \"uid\": \"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"state\": \"Resolved\", \"state_id\": 4, \"time\": 1659636559100, \"type_name\": \"Security Finding: Update\", \"type_uid\": 200102, \"unmapped\": {\"CompanyName\": \"AWS\", \"Compliance.StatusReasons[].ReasonCode\": \"CW_ALARMS_NOT_PRESENT\", \"FindingProviderFields.Severity.Label\": \"INFORMATIONAL\", \"FindingProviderFields.Severity.Original\": \"INFORMATIONAL\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\", \"Malware[].State\": \"OBSERVED\", \"ProductFields.ControlId\": \"EC2.19\", \"ProductFields.RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation\", \"ProductFields.RelatedAWSResources:0/name\": \"securityhub-vpc-sg-restricted-common-ports-2af29baf\", \"ProductFields.RelatedAWSResources:0/type\": \"AWS::Config::ConfigRule\", \"ProductFields.Resources:0/Id\": \"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499\", \"ProductFields.StandardsArn\": \"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0\", \"ProductFields.StandardsControlArn\": \"arn:aws:securityhub:us-east-1:522536594833:control/aws-foundational-security-best-practices/v/1.0.0/EC2.19\", \"ProductFields.StandardsSubscriptionArn\": 
\"arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0\", \"ProductFields.aws/securityhub/CompanyName\": \"AWS\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bf428107-eee0-4d19-a013-92748ed69eef\", \"ProductFields.aws/securityhub/ProductName\": \"Security Hub\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"0\", \"Severity.Original\": \"INFORMATIONAL\", \"Severity.Product\": \"0\", \"Vulnerabilities[].Cvss[].BaseScore\": \"4.7,1.0\", \"Vulnerabilities[].Cvss[].BaseVector\": \"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,AV:L/AC:M/Au:N/C:C/I:N/A:N\", \"Vulnerabilities[].Cvss[].Version\": \"V3,V2\", \"Vulnerabilities[].Vendor.VendorSeverity\": \"Medium\", \"WorkflowState\": \"NEW\"}, \"vulnerabilities\": [{\"cve\": {\"created_time\": 1579132903000, \"cvss\": {\"base_score\": 4.7, \"vector_string\": \"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"version\": \"V3\"}, \"modified_time\": 1579132903000, \"uid\": \"CVE-2020-12345\"}, \"kb_articles\": [\"https://alas.aws.amazon.com/ALAS-2020-1337.html\"], \"packages\": [{\"architecture\": \"x86_64\", \"epoch\": 1, \"name\": \"openssl\", \"release\": \"16.amzn2.0.3\", \"version\": \"1.0.2k\"}, {\"architecture\": \"x86_64\", \"epoch\": 3, \"name\": \"yaml\", \"release\": \"16.amzn2.0.3\", \"version\": \"4.3.2\"}], \"references\": [\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418\"], \"related_vulnerabilities\": [\"CVE-2020-12345\"], \"vendor_name\": \"Alas\"}]}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"cloud\": 
{\"account\": {\"uid\": \"522536594833\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"compliance\": {\"requirements\": [\"PCI1.2\"], \"status\": \"PASSED\", \"status_detail\": \"CloudWatch alarms do not exist in the account\"}, \"finding\": {\"created_time\": 1635449619417, \"desc\": \"This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports [3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445, 135, 21, 1434, 4333, 5432, 5500, 5601, 22, 3000, 5000, 8088, 8888] that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for the listed ports.\", \"first_seen_time\": 1635449619417, \"last_seen_time\": 1659636565316, \"modified_time\": 1659636559100, \"related_events\": [{\"product_uid\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\", \"uid\": \"123e4567-e89b-12d3-a456-426655440000\"}, {\"product_uid\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\", \"uid\": \"AcmeNerfHerder-111111111111-x189dx7824\"}], \"remediation\": {\"desc\": \"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\", \"kb_articles\": [\"https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation\"]}, \"title\": \"EC2.19 Security groups should not allow unrestricted access to ports with high risk\", \"types\": [\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"], \"uid\": \"test\"}, \"malware\": [{\"classification_ids\": [1], \"classifications\": [\"Adware\"], \"name\": \"Stringler\", \"path\": \"/usr/sbin/stringler\"}], \"metadata\": {\"product\": {\"feature\": {\"name\": \"Security Hub\", \"uid\": \"aws-foundational-security-best-practices/v/1.0.0/EC2.19\"}, \"name\": \"Security Hub\", \"uid\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\", \"vendor_name\": \"AWS\", \"version\": 
\"2018-10-08\"}, \"profiles\": [\"cloud\"], \"version\": \"1.0.0-rc.2\"}, \"resources\": [{\"cloud_partition\": \"aws\", \"labels\": [\"billingCode=Lotus-1-2-3\", \"needsPatching=true\"], \"region\": \"us-east-1\", \"type\": \"AwsEc2SecurityGroup\", \"uid\": \"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"state\": \"Resolved\", \"state_id\": 4, \"time\": 1659636559100, \"type_name\": \"Security Finding: Update\", \"type_uid\": 200102, \"unmapped\": {\"CompanyName\": \"AWS\", \"Compliance.StatusReasons[].ReasonCode\": \"CW_ALARMS_NOT_PRESENT\", \"FindingProviderFields.Severity.Label\": \"INFORMATIONAL\", \"FindingProviderFields.Severity.Original\": \"INFORMATIONAL\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\", \"Malware[].State\": \"OBSERVED\", \"ProductFields.ControlId\": \"EC2.19\", \"ProductFields.RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation\", \"ProductFields.RelatedAWSResources:0/name\": \"securityhub-vpc-sg-restricted-common-ports-2af29baf\", \"ProductFields.RelatedAWSResources:0/type\": \"AWS::Config::ConfigRule\", \"ProductFields.Resources:0/Id\": \"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499\", \"ProductFields.StandardsArn\": \"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0\", \"ProductFields.StandardsControlArn\": \"arn:aws:securityhub:us-east-1:522536594833:control/aws-foundational-security-best-practices/v/1.0.0/EC2.19\", \"ProductFields.StandardsSubscriptionArn\": \"arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0\", \"ProductFields.aws/securityhub/CompanyName\": \"AWS\", \"ProductFields.aws/securityhub/FindingId\": 
\"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bf428107-eee0-4d19-a013-92748ed69eef\", \"ProductFields.aws/securityhub/ProductName\": \"Security Hub\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"0\", \"Severity.Original\": \"INFORMATIONAL\", \"Severity.Product\": \"0\", \"Vulnerabilities[].Cvss[].BaseScore\": \"4.7,1.0\", \"Vulnerabilities[].Cvss[].BaseVector\": \"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,AV:L/AC:M/Au:N/C:C/I:N/A:N\", \"Vulnerabilities[].Cvss[].Version\": \"V3,V2\", \"Vulnerabilities[].Vendor.VendorSeverity\": \"Medium\", \"WorkflowState\": \"NEW\"}, \"vulnerabilities\": [{\"cve\": {\"created_time\": 1579132903000, \"cvss\": {\"base_score\": 4.7, \"vector_string\": \"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"version\": \"V3\"}, \"modified_time\": 1579132903000, \"uid\": \"CVE-2020-12345\"}, \"kb_articles\": [\"https://alas.aws.amazon.com/ALAS-2020-1337.html\"], \"packages\": [{\"architecture\": \"x86_64\", \"epoch\": 1, \"name\": \"openssl\", \"release\": \"16.amzn2.0.3\", \"version\": \"1.0.2k\"}, {\"architecture\": \"x86_64\", \"epoch\": 3, \"name\": \"yaml\", \"release\": \"16.amzn2.0.3\", \"version\": \"4.3.2\"}], \"references\": [\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418\"], \"related_vulnerabilities\": [\"CVE-2020-12345\"], \"vendor_name\": \"Alas\"}]}", - "event": { - "action": "update", - "category": [ - "malware", - "vulnerability" - ], - "kind": "alert", - "severity": 1, - "type": [ - "info" - ] - }, - "@timestamp": "2022-08-04T18:09:19.100000Z", - "cloud": { - "account": { - "id": "522536594833" - }, - "provider": "AWS", - "region": "us-east-1" - }, - "ocsf": { - "activity_id": 2, - "activity_name": "Update", - "class_name": "Security Finding", - "class_uid": 2001 - }, - "vulnerability": { - "description": [ - "" - ], - "id": [ - "CVE-2020-12345" - ], - "scanner": { - "vendor": [ - 
"Alas"
- ]
- },
- "score": {
- "base": [
- 4.7
- ],
- "version": [
- "V3"
- ]
- },
- "severity": [
- ""
- ]
- }
- }
-}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_http_activity_1.json b/OCSF/ocsf/tests/test_http_activity_1.json
new file mode 100644
index 000000000..effda93fa
--- /dev/null
+++ b/OCSF/ocsf/tests/test_http_activity_1.json
@@ -0,0 +1,60 @@ +{ + "input": { + "message": "{\"activity_id\": 3, \"activity_name\": \"Get\", \"category_name\": \"Network Activitys\", \"category_uid\": 4, \"class_name\": \"HTTP Activity\", \"class_uid\": 4002, \"cloud\": {\"provider\": \"AWS\"}, \"dst_endpoint\": {\"domain\": \"/CanaryTest\"}, \"firewall_rule\": {\"type\": \"RATE_BASED\", \"uid\": \"RateBasedRule\"}, \"http_request\": {\"args\": \"\", \"http_method\": \"GET\", \"uid\": \"Ed0AiHF_CGYF-DA=\", \"url\": {\"path\": \"/CanaryTest\"}, \"version\": \"HTTP/1.1\"}, \"http_response\": {\"code\": 403}, \"metadata\": {\"labels\": null, \"product\": {\"feature\": {\"uid\": \"...\"}, \"name\": \"AWS WAF\", \"vendor_name\": \"AWS\", \"version\": \"1\"}, \"version\": \"1.1.0-dev\"}, \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"52.46.82.45\", \"location\": {\"country\": \"FR\"}, \"svc_name\": \"APIGW\", \"uid\": \"EXAMPLE11:rjvegx5guh:CanaryTest\"}, \"time\": 0, \"type_name\": \"HTTP Activity: Get\", \"type_uid\": 400203, \"unmapped\": [[\"rateBasedRuleList[].rateBasedRuleId\", \"...\"], [\"rateBasedRuleList[].customValues[].value\", \"ella\"], [\"rateBasedRuleList[].customValues[].name\", \"dogname\"], [\"rateBasedRuleList[].limitKey\", \"CUSTOMKEYS\"], [\"rateBasedRuleList[].customValues[].key\", \"HEADER\"], [\"httpRequest.headers[].value\", \"52.46.82.45,https,443,rjvegx5guh.execute-api.eu-west-3.amazonaws.com,Root=1-645566cf-7cb058b04d9bb3ee01dc4036,ella,RateBasedRuleTestKoipOneKeyModulePV2,gzip,deflate\"], [\"rateBasedRuleList[].rateBasedRuleName\", \"RateBasedRule\"], [\"rateBasedRuleList[].maxRateAllowed\", \"100\"], [\"httpRequest.headers[].name\", \"X-Forwarded-For,X-Forwarded-Proto,X-Forwarded-Port,Host,X-Amzn-Trace-Id,dogname,User-Agent,Accept-Encoding\"]]}" + }, + "expected": { + "message": "{\"activity_id\": 3, \"activity_name\": \"Get\", \"category_name\": \"Network Activitys\", \"category_uid\": 4, \"class_name\": \"HTTP Activity\", \"class_uid\": 4002, \"cloud\": {\"provider\": \"AWS\"}, 
\"dst_endpoint\": {\"domain\": \"/CanaryTest\"}, \"firewall_rule\": {\"type\": \"RATE_BASED\", \"uid\": \"RateBasedRule\"}, \"http_request\": {\"args\": \"\", \"http_method\": \"GET\", \"uid\": \"Ed0AiHF_CGYF-DA=\", \"url\": {\"path\": \"/CanaryTest\"}, \"version\": \"HTTP/1.1\"}, \"http_response\": {\"code\": 403}, \"metadata\": {\"labels\": null, \"product\": {\"feature\": {\"uid\": \"...\"}, \"name\": \"AWS WAF\", \"vendor_name\": \"AWS\", \"version\": \"1\"}, \"version\": \"1.1.0-dev\"}, \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"52.46.82.45\", \"location\": {\"country\": \"FR\"}, \"svc_name\": \"APIGW\", \"uid\": \"EXAMPLE11:rjvegx5guh:CanaryTest\"}, \"time\": 0, \"type_name\": \"HTTP Activity: Get\", \"type_uid\": 400203, \"unmapped\": [[\"rateBasedRuleList[].rateBasedRuleId\", \"...\"], [\"rateBasedRuleList[].customValues[].value\", \"ella\"], [\"rateBasedRuleList[].customValues[].name\", \"dogname\"], [\"rateBasedRuleList[].limitKey\", \"CUSTOMKEYS\"], [\"rateBasedRuleList[].customValues[].key\", \"HEADER\"], [\"httpRequest.headers[].value\", \"52.46.82.45,https,443,rjvegx5guh.execute-api.eu-west-3.amazonaws.com,Root=1-645566cf-7cb058b04d9bb3ee01dc4036,ella,RateBasedRuleTestKoipOneKeyModulePV2,gzip,deflate\"], [\"rateBasedRuleList[].rateBasedRuleName\", \"RateBasedRule\"], [\"rateBasedRuleList[].maxRateAllowed\", \"100\"], [\"httpRequest.headers[].name\", \"X-Forwarded-For,X-Forwarded-Proto,X-Forwarded-Port,Host,X-Amzn-Trace-Id,dogname,User-Agent,Accept-Encoding\"]]}", + "event": { + "action": "get", + "category": [ + "api" + ], + "kind": "event", + "severity": 1, + "type": [ + "info" + ] + }, + "cloud": { + "provider": "AWS" + }, + "destination": { + "address": "/CanaryTest", + "domain": "/CanaryTest" + }, + "http": { + "request": { + "id": "Ed0AiHF_CGYF-DA=", + "method": "GET" + }, + "version": "HTTP/1.1" + }, + "network": { + "application": "APIGW" + }, + "ocsf": { + "activity_id": 3, + "activity_name": "Get", + "class_name": "HTTP Activity", + 
"class_uid": 4002
+ },
+ "related": {
+ "hosts": [
+ "/CanaryTest"
+ ],
+ "ip": [
+ "52.46.82.45"
+ ]
+ },
+ "source": {
+ "address": "52.46.82.45",
+ "geo": {
+ "country_iso_code": "FR"
+ },
+ "ip": "52.46.82.45"
+ },
+ "url": {
+ "path": "/CanaryTest"
+ }
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_iam_1.json b/OCSF/ocsf/tests/test_iam_1.json
deleted file mode 100644
index 677b40caf..000000000
--- a/OCSF/ocsf/tests/test_iam_1.json
+++ /dev/null
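Review bot: The expected document omits the HTTP status: the input carries `http_response.code` of `403`, but the output has no `http.response.status_code`, which is the field most detections on a WAF deny would key on; if the parser is meant to map it, this fixture should expect `"response": {"status_code": 403}` under `http`. The sample's `dst_endpoint.domain` is the path string `/CanaryTest`, and the fixture pins it into `destination.domain`, `destination.address` and `related.hosts`, so host-based pivots will carry a value that is not a hostname; that is the upstream sample's shape rather than a parser defect, but it is worth a note in the intake documentation so it is not mistaken for a mapping error. With `time` equal to `0` no `@timestamp` is expected, which looks intentional but is likewise undocumented.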
@@ -1,49 +0,0 @@ -{ - "input": { - "message": "{\"message\": \"gr rap prospect\", \"status\": \"Unknown\", \"time\": 1696570109, \"user\": {\"name\": \"And\", \"type\": \"creations\", \"uid\": \"2e6b43e8-6409-11ee-ad4a-0242ac110005\", \"type_id\": 99, \"account\": {\"name\": \"minimal bumper shortly\", \"type\": \"Unknown\", \"type_id\": 0}}, \"group\": {\"name\": \"hollow alignment one\", \"desc\": \"checking tion ii\", \"uid\": \"2e6b38da-6409-11ee-a724-0242ac110005\", \"privileges\": [\"powder exams monkey\"]}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"release zealand upon\", \"version\": \"1.0.0\", \"path\": \"fuel style da\", \"uid\": \"2e6ae592-6409-11ee-8656-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"crest homework turtle\"}, \"sequence\": 82, \"profiles\": [], \"log_name\": \"ebony pay tablets\", \"log_provider\": \"medline putting movie\", \"logged_time\": 1696570109, \"original_time\": \"gentleman brings relationship\"}, \"severity\": \"Low\", \"session\": {\"uid\": \"2e6b0374-6409-11ee-9a31-0242ac110005\", \"issuer\": \"available towns recorder\", \"credential_uid\": \"2e6b0d6a-6409-11ee-bff8-0242ac110005\", \"is_remote\": true}, \"type_name\": \"Authorize Session: Unknown\", \"activity_id\": 0, \"type_uid\": 300300, \"category_name\": \"Identity & Access Management\", \"class_uid\": 3003, \"category_uid\": 3, \"class_name\": \"Authorize Session\", \"timezone_offset\": 34, \"activity_name\": \"Unknown\", \"privileges\": [\"arrive wu supervisors\", \"fix kevin networking\"], \"severity_id\": 2, \"status_code\": \"seo\", \"status_id\": 0}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"message\": \"gr rap prospect\", \"status\": \"Unknown\", \"time\": 1696570109, \"user\": {\"name\": \"And\", \"type\": \"creations\", \"uid\": \"2e6b43e8-6409-11ee-ad4a-0242ac110005\", \"type_id\": 99, \"account\": {\"name\": \"minimal 
bumper shortly\", \"type\": \"Unknown\", \"type_id\": 0}}, \"group\": {\"name\": \"hollow alignment one\", \"desc\": \"checking tion ii\", \"uid\": \"2e6b38da-6409-11ee-a724-0242ac110005\", \"privileges\": [\"powder exams monkey\"]}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"release zealand upon\", \"version\": \"1.0.0\", \"path\": \"fuel style da\", \"uid\": \"2e6ae592-6409-11ee-8656-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"crest homework turtle\"}, \"sequence\": 82, \"profiles\": [], \"log_name\": \"ebony pay tablets\", \"log_provider\": \"medline putting movie\", \"logged_time\": 1696570109, \"original_time\": \"gentleman brings relationship\"}, \"severity\": \"Low\", \"session\": {\"uid\": \"2e6b0374-6409-11ee-9a31-0242ac110005\", \"issuer\": \"available towns recorder\", \"credential_uid\": \"2e6b0d6a-6409-11ee-bff8-0242ac110005\", \"is_remote\": true}, \"type_name\": \"Authorize Session: Unknown\", \"activity_id\": 0, \"type_uid\": 300300, \"category_name\": \"Identity & Access Management\", \"class_uid\": 3003, \"category_uid\": 3, \"class_name\": \"Authorize Session\", \"timezone_offset\": 34, \"activity_name\": \"Unknown\", \"privileges\": [\"arrive wu supervisors\", \"fix kevin networking\"], \"severity_id\": 2, \"status_code\": \"seo\", \"status_id\": 0}", - "event": { - "action": "unknown", - "category": [ - "session" - ], - "kind": "event", - "outcome": "unknown", - "provider": "medline putting movie", - "sequence": 82, - "severity": 2, - "type": [ - "info" - ] - }, - "@timestamp": "2023-10-06T05:28:29Z", - "group": { - "id": "2e6b38da-6409-11ee-a724-0242ac110005", - "name": "hollow alignment one" - }, - "ocsf": { - "activity_id": 0, - "activity_name": "Unknown", - "class_name": "Authorize Session", - "class_uid": 3003 - }, - "user": { - "target": { - "group": { - "id": [], - "name": [] - }, - "id": "2e6b43e8-6409-11ee-ad4a-0242ac110005", - "name": "And" - } - } - } -} \ No newline at end of file 
diff --git a/OCSF/ocsf/tests/test_iam_2.json b/OCSF/ocsf/tests/test_iam_2.json
deleted file mode 100644
index 28febbc87..000000000
--- a/OCSF/ocsf/tests/test_iam_2.json
+++ /dev/null
@@ -1,29 +0,0 @@ -{ - "input": { - "message": "{\"message\": \"ri retired bargain\", \"status\": \"authors technology bible\", \"time\": 1696570795, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"version\": \"1.0.0\", \"uid\": \"c7a42ac4-640a-11ee-ae25-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"cross networks miles\"}, \"uid\": \"c7a45544-640a-11ee-84b0-0242ac110005\", \"labels\": [\"calm\"], \"sequence\": 53, \"profiles\": [], \"correlation_uid\": \"c7a462e6-640a-11ee-b915-0242ac110005\", \"log_name\": \"intent hobby reserve\", \"log_provider\": \"details contributor departments\"}, \"severity\": \"Unknown\", \"type_name\": \"Entity Management: Read\", \"activity_id\": 2, \"type_uid\": 300402, \"category_name\": \"Identity & Access Management\", \"class_uid\": 3004, \"category_uid\": 3, \"class_name\": \"Entity Management\", \"timezone_offset\": 36, \"activity_name\": \"Read\", \"entity\": {\"name\": \"sweden temperatures paste\", \"type\": \"founder quilt bone\", \"version\": \"1.0.0\", \"uid\": \"c7a47574-640a-11ee-aeb8-0242ac110005\"}, \"severity_id\": 0}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"message\": \"ri retired bargain\", \"status\": \"authors technology bible\", \"time\": 1696570795, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"version\": \"1.0.0\", \"uid\": \"c7a42ac4-640a-11ee-ae25-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"cross networks miles\"}, \"uid\": \"c7a45544-640a-11ee-84b0-0242ac110005\", \"labels\": [\"calm\"], \"sequence\": 53, \"profiles\": [], \"correlation_uid\": \"c7a462e6-640a-11ee-b915-0242ac110005\", \"log_name\": \"intent hobby reserve\", \"log_provider\": \"details contributor departments\"}, \"severity\": \"Unknown\", \"type_name\": \"Entity Management: Read\", \"activity_id\": 2, \"type_uid\": 300402, \"category_name\": \"Identity & Access Management\", \"class_uid\": 3004, 
\"category_uid\": 3, \"class_name\": \"Entity Management\", \"timezone_offset\": 36, \"activity_name\": \"Read\", \"entity\": {\"name\": \"sweden temperatures paste\", \"type\": \"founder quilt bone\", \"version\": \"1.0.0\", \"uid\": \"c7a47574-640a-11ee-aeb8-0242ac110005\"}, \"severity_id\": 0}",
- "event": {
- "action": "read",
- "category": [],
- "provider": "details contributor departments",
- "sequence": 53,
- "severity": 0,
- "type": []
- },
- "@timestamp": "2023-10-06T05:39:55Z",
- "ocsf": {
- "activity_id": 2,
- "activity_name": "Read",
- "class_name": "Entity Management",
- "class_uid": 3004
- }
- }
-}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_iam_3.json b/OCSF/ocsf/tests/test_iam_3.json
deleted file mode 100644
index 42ce069d0..000000000
--- a/OCSF/ocsf/tests/test_iam_3.json
+++ /dev/null
@@ -1,58 +0,0 @@ -{ - "input": { - "message": "{\"count\": 37, \"message\": \"obj permitted belong\", \"status\": \"Success\", \"time\": 1696583206, \"user\": {\"name\": \"Rankings\", \"type\": \"suited\", \"uid\": \"acca5dd2-6427-11ee-8ef4-0242ac110005\", \"org\": {\"name\": \"lesson machinery nutritional\", \"uid\": \"acca6354-6427-11ee-ae9b-0242ac110005\", \"ou_name\": \"to walnut dash\"}, \"groups\": [{\"name\": \"kim patio tr\", \"desc\": \"fire transsexual uri\", \"uid\": \"acca6980-6427-11ee-8abc-0242ac110005\"}, {\"name\": \"interior husband tvs\", \"type\": \"magnetic peninsula riders\", \"desc\": \"snake avi only\", \"uid\": \"acca6de0-6427-11ee-84f2-0242ac110005\", \"privileges\": [\"fresh provision sociology\", \"foundations twisted couple\"]}], \"type_id\": 99, \"full_name\": \"Nicki Christa\"}, \"group\": {\"name\": \"cottages donor awful\", \"uid\": \"acca5274-6427-11ee-9dbd-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"industry thou favorites\", \"version\": \"1.0.0\", \"uid\": \"acc9db64-6427-11ee-bbd5-0242ac110005\", \"vendor_name\": \"assisted parade monitored\"}, \"sequence\": 35, \"profiles\": [], \"log_name\": \"declared exhibits me\", \"log_provider\": \"adsl exposed rom\", \"original_time\": \"affordable mixture nigeria\"}, \"severity\": \"Low\", \"duration\": 91, \"type_name\": \"Group Management: Add User\", \"activity_id\": 3, \"type_uid\": 300603, \"category_name\": \"Identity & Access Management\", \"class_uid\": 3006, \"category_uid\": 3, \"class_name\": \"Group Management\", \"timezone_offset\": 81, \"activity_name\": \"Add User\", \"enrichments\": [{\"data\": {\"dns\": \"bhrjfd\"}, \"name\": \"consisting loves arrives\", \"type\": \"babes rrp normally\", \"value\": \"cooking pot enough\", \"provider\": \"case safari sw\"}], \"severity_id\": 2, \"status_id\": 1}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { 
- "message": "{\"count\": 37, \"message\": \"obj permitted belong\", \"status\": \"Success\", \"time\": 1696583206, \"user\": {\"name\": \"Rankings\", \"type\": \"suited\", \"uid\": \"acca5dd2-6427-11ee-8ef4-0242ac110005\", \"org\": {\"name\": \"lesson machinery nutritional\", \"uid\": \"acca6354-6427-11ee-ae9b-0242ac110005\", \"ou_name\": \"to walnut dash\"}, \"groups\": [{\"name\": \"kim patio tr\", \"desc\": \"fire transsexual uri\", \"uid\": \"acca6980-6427-11ee-8abc-0242ac110005\"}, {\"name\": \"interior husband tvs\", \"type\": \"magnetic peninsula riders\", \"desc\": \"snake avi only\", \"uid\": \"acca6de0-6427-11ee-84f2-0242ac110005\", \"privileges\": [\"fresh provision sociology\", \"foundations twisted couple\"]}], \"type_id\": 99, \"full_name\": \"Nicki Christa\"}, \"group\": {\"name\": \"cottages donor awful\", \"uid\": \"acca5274-6427-11ee-9dbd-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"industry thou favorites\", \"version\": \"1.0.0\", \"uid\": \"acc9db64-6427-11ee-bbd5-0242ac110005\", \"vendor_name\": \"assisted parade monitored\"}, \"sequence\": 35, \"profiles\": [], \"log_name\": \"declared exhibits me\", \"log_provider\": \"adsl exposed rom\", \"original_time\": \"affordable mixture nigeria\"}, \"severity\": \"Low\", \"duration\": 91, \"type_name\": \"Group Management: Add User\", \"activity_id\": 3, \"type_uid\": 300603, \"category_name\": \"Identity & Access Management\", \"class_uid\": 3006, \"category_uid\": 3, \"class_name\": \"Group Management\", \"timezone_offset\": 81, \"activity_name\": \"Add User\", \"enrichments\": [{\"data\": {\"dns\": \"bhrjfd\"}, \"name\": \"consisting loves arrives\", \"type\": \"babes rrp normally\", \"value\": \"cooking pot enough\", \"provider\": \"case safari sw\"}], \"severity_id\": 2, \"status_id\": 1}", - "event": { - "action": "add user", - "category": [ - "iam" - ], - "duration": 91000000, - "kind": "event", - "outcome": "success", - "provider": "adsl exposed rom", - 
"sequence": 35,
- "severity": 2,
- "type": [
- "info",
- "user"
- ]
- },
- "@timestamp": "2023-10-06T09:06:46Z",
- "group": {
- "id": "acca5274-6427-11ee-9dbd-0242ac110005",
- "name": "cottages donor awful"
- },
- "ocsf": {
- "activity_id": 3,
- "activity_name": "Add User",
- "class_name": "Group Management",
- "class_uid": 3006
- },
- "user": {
- "target": {
- "full_name": "Nicki Christa",
- "group": {
- "id": [
- "acca6980-6427-11ee-8abc-0242ac110005",
- "acca6de0-6427-11ee-84f2-0242ac110005"
- ],
- "name": [
- "interior husband tvs",
- "kim patio tr"
- ]
- },
- "id": "acca5dd2-6427-11ee-8ef4-0242ac110005",
- "name": "Rankings"
- }
- }
- }
-}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_iam_4.json b/OCSF/ocsf/tests/test_iam_4.json
deleted file mode 100644
index 60f35797f..000000000
--- a/OCSF/ocsf/tests/test_iam_4.json
+++ /dev/null
@@ -1,48 +0,0 @@ -{ - "input": { - "message": "{\"message\": \"isaac uncertainty replication\", \"status\": \"abstracts\", \"time\": 1696581958, \"group\": {\"name\": \"then nevada berkeley md\", \"uid\": \"c63f1e24-6424-11ee-af05-0242ac110005\"}, \"user\": {\"name\": \"Dd\", \"type\": \"System\", \"uid\": \"c52f5236-6424-11ee-9c16-0242ac110005\", \"type_id\": 3, \"credential_uid\": \"c52f57ae-6424-11ee-b8be-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"advance wellness phentermine\", \"version\": \"1.0.0\", \"uid\": \"c52f3210-6424-11ee-b807-0242ac110005\", \"feature\": {\"name\": \"services cultural ali\", \"version\": \"1.0.0\", \"uid\": \"c52f43f4-6424-11ee-9b6e-0242ac110005\"}, \"lang\": \"en\", \"vendor_name\": \"sphere chef physicians\"}, \"profiles\": [], \"log_name\": \"gravity bill gp\", \"logged_time\": 1696581958, \"original_time\": \"escape mic warner\"}, \"resource\": {\"owner\": {\"name\": \"Fatty\", \"type\": \"forecast\", \"domain\": \"regions gr dean\", \"uid\": \"c52f060a-6424-11ee-b378-0242ac110005\", \"type_id\": 99, \"email_addr\": \"Art@his.name\"}, \"group\": {\"name\": \"then nevada berkeley\", \"uid\": \"c52f1e24-6424-11ee-af05-0242ac110005\"}}, \"start_time\": 1696581958, \"severity\": \"Medium\", \"type_name\": \"User Access Management: Unknown\", \"activity_id\": 0, \"type_uid\": 300500, \"observables\": [{\"name\": \"devices arguments label\", \"type\": \"Fingerprint\", \"type_id\": 30}, {\"name\": \"line nightlife expo\", \"type\": \"Container\", \"type_id\": 27, \"reputation\": {\"base_score\": 45.5971, \"provider\": \"marcus magnetic expressed\", \"score\": \"May not be Safe\", \"score_id\": 5}}], \"category_name\": \"Identity & Access Management\", \"class_uid\": 3005, \"category_uid\": 3, \"class_name\": \"User Access Management\", \"timezone_offset\": 28, \"activity_name\": \"Unknown\", \"privileges\": [\"returned funeral cave\"], \"severity_id\": 3, \"status_id\": 99}", - "sekoiaio": { - 
"intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"message\": \"isaac uncertainty replication\", \"status\": \"abstracts\", \"time\": 1696581958, \"group\": {\"name\": \"then nevada berkeley md\", \"uid\": \"c63f1e24-6424-11ee-af05-0242ac110005\"}, \"user\": {\"name\": \"Dd\", \"type\": \"System\", \"uid\": \"c52f5236-6424-11ee-9c16-0242ac110005\", \"type_id\": 3, \"credential_uid\": \"c52f57ae-6424-11ee-b8be-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"advance wellness phentermine\", \"version\": \"1.0.0\", \"uid\": \"c52f3210-6424-11ee-b807-0242ac110005\", \"feature\": {\"name\": \"services cultural ali\", \"version\": \"1.0.0\", \"uid\": \"c52f43f4-6424-11ee-9b6e-0242ac110005\"}, \"lang\": \"en\", \"vendor_name\": \"sphere chef physicians\"}, \"profiles\": [], \"log_name\": \"gravity bill gp\", \"logged_time\": 1696581958, \"original_time\": \"escape mic warner\"}, \"resource\": {\"owner\": {\"name\": \"Fatty\", \"type\": \"forecast\", \"domain\": \"regions gr dean\", \"uid\": \"c52f060a-6424-11ee-b378-0242ac110005\", \"type_id\": 99, \"email_addr\": \"Art@his.name\"}, \"group\": {\"name\": \"then nevada berkeley\", \"uid\": \"c52f1e24-6424-11ee-af05-0242ac110005\"}}, \"start_time\": 1696581958, \"severity\": \"Medium\", \"type_name\": \"User Access Management: Unknown\", \"activity_id\": 0, \"type_uid\": 300500, \"observables\": [{\"name\": \"devices arguments label\", \"type\": \"Fingerprint\", \"type_id\": 30}, {\"name\": \"line nightlife expo\", \"type\": \"Container\", \"type_id\": 27, \"reputation\": {\"base_score\": 45.5971, \"provider\": \"marcus magnetic expressed\", \"score\": \"May not be Safe\", \"score_id\": 5}}], \"category_name\": \"Identity & Access Management\", \"class_uid\": 3005, \"category_uid\": 3, \"class_name\": \"User Access Management\", \"timezone_offset\": 28, \"activity_name\": \"Unknown\", \"privileges\": 
[\"returned funeral cave\"], \"severity_id\": 3, \"status_id\": 99}", - "event": { - "action": "unknown", - "category": [ - "iam" - ], - "kind": "event", - "severity": 3, - "start": "2023-10-06T08:45:58Z", - "type": [ - "group", - "info" - ] - }, - "@timestamp": "2023-10-06T08:45:58Z", - "group": { - "id": "c63f1e24-6424-11ee-af05-0242ac110005", - "name": "then nevada berkeley md" - }, - "ocsf": { - "activity_id": 0, - "activity_name": "Unknown", - "class_name": "User Access Management", - "class_uid": 3005 - }, - "user": { - "target": { - "group": { - "id": [], - "name": [] - }, - "id": "c52f5236-6424-11ee-9c16-0242ac110005", - "name": "Dd" - } - } - } -} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_1.json b/OCSF/ocsf/tests/test_network_activity_1.json index ad71f9abe..0a39b9b10 100644 --- a/OCSF/ocsf/tests/test_network_activity_1.json +++ b/OCSF/ocsf/tests/test_network_activity_1.json 
@@ -1,67 +1,54 @@ { "input": { - "message": "{\"metadata\": {\"product\": {\"version\": \"5\", \"name\": \"Amazon VPC\", \"feature\": {\"name\": \"Flowlogs\"}, \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"security_control\"], \"version\": \"1.0.0-rc.2\"}, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"region\": \"us-east-1\", \"zone\": \"use1-az1\", \"provider\": \"AWS\"}, \"src_endpoint\": {\"port\": 56858, \"svc_name\": \"-\", \"ip\": \"1.128.0.0\"}, \"dst_endpoint\": {\"port\": 39938, \"svc_name\": \"-\", \"ip\": \"172.31.2.52\", \"interface_uid\": \"eni-000000000000000000\", \"vpc_uid\": \"vpc-00000000\", \"instance_uid\": \"i-000000000000000000\", \"subnet_uid\": \"subnet-000000000000000000\"}, \"connection_info\": {\"protocol_num\": 6, \"tcp_flags\": 2, \"protocol_ver\": \"IPv4\", \"boundary_id\": 99, \"boundary\": \"-\", \"direction_id\": 1, \"direction\": \"Inbound\"}, \"traffic\": {\"packets\": 1, \"bytes\": 40}, \"time\": 1649721732000, \"start_time\": 1649721732000, \"end_time\": 1649721788000, \"status_code\": \"OK\", \"severity_id\": 1, \"severity\": \"Informational\", \"class_name\": \"Network Activity\", \"class_uid\": 4001, \"category_name\": \"Network Activity\", \"category_uid\": 4, \"activity_name\": \"Refuse\", \"activity_id\": 5, \"disposition\": \"Blocked\", \"disposition_id\": 2, \"type_uid\": 400105, \"type_name\": \"Network Activity: Refuse\", \"unmapped\": {\"sublocation_id\": \"-\", \"sublocation_type\": \"-\"}}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } + "message": "{\"cloud\": {\"account_uid\": \"987654321098\", \"region\": \"us-west-2\", \"zone\": \"use2-az2\", \"provider\": \"AWS\"}, \"action\": \"Allowed\", \"action_id\": 1, \"status_code\": \"OK\", \"traffic\": {\"bytes\": 85, \"packets\": 10}, \"src_endpoint\": {\"ip\": \"192.168.1.10\", \"port\": 8080, \"svc_name\": \"amazon-s3\", \"subnet_uid\": \"subnet-33333333333333333\", 
\"vpc_uid\": \"vpc-44444444444444444\"}, \"dst_endpoint\": {\"ip\": \"192.168.1.20\", \"port\": 443, \"svc_name\": \"amazon-ec2\", \"interface_uid\": \"eni-22222222222222222\", \"instance_uid\": \"i-111111111111111111\"}, \"connection_info\": {\"protocol_num\": 17, \"protocol_ver\": \"IPv6\", \"tcp_flags\": 6, \"direction\": \"egress\", \"direction_id\": 2, \"boundary_id\": 99, \"boundary\": \"vpn\", \"start_time\": 1653200123, \"end_time\": 1653200100}, \"time\": 1653200100, \"type_name\": \"Network Activity: Traffic\", \"type_uid\": 400105, \"activity_id\": 5, \"activity_name\": \"Traffic\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"category_uid\": 4, \"category_name\": \"Network Activity\", \"metadata\": {\"product\": {\"name\": \"Amazon VPC\", \"feature\": {\"name\": \"Flowlogs\"}, \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"security_control\"], \"version\": \"1.1.0\"}, \"severity_id\": 1, \"severity\": \"Informational\", \"status_id\": 1, \"status\": \"Success\", \"disposition\": \"Allowed\", \"pkt_src_aws_service\": \"amazon-s3\", \"pkt_dst_aws_service\": \"amazon-ec2\", \"sublocation_type\": \"subnet\", \"sublocation_id\": \"subnet-33333333333333333\"}" }, "expected": { - "message": "{\"metadata\": {\"product\": {\"version\": \"5\", \"name\": \"Amazon VPC\", \"feature\": {\"name\": \"Flowlogs\"}, \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"security_control\"], \"version\": \"1.0.0-rc.2\"}, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"region\": \"us-east-1\", \"zone\": \"use1-az1\", \"provider\": \"AWS\"}, \"src_endpoint\": {\"port\": 56858, \"svc_name\": \"-\", \"ip\": \"1.128.0.0\"}, \"dst_endpoint\": {\"port\": 39938, \"svc_name\": \"-\", \"ip\": \"172.31.2.52\", \"interface_uid\": \"eni-000000000000000000\", \"vpc_uid\": \"vpc-00000000\", \"instance_uid\": \"i-000000000000000000\", \"subnet_uid\": \"subnet-000000000000000000\"}, \"connection_info\": {\"protocol_num\": 6, \"tcp_flags\": 2, 
\"protocol_ver\": \"IPv4\", \"boundary_id\": 99, \"boundary\": \"-\", \"direction_id\": 1, \"direction\": \"Inbound\"}, \"traffic\": {\"packets\": 1, \"bytes\": 40}, \"time\": 1649721732000, \"start_time\": 1649721732000, \"end_time\": 1649721788000, \"status_code\": \"OK\", \"severity_id\": 1, \"severity\": \"Informational\", \"class_name\": \"Network Activity\", \"class_uid\": 4001, \"category_name\": \"Network Activity\", \"category_uid\": 4, \"activity_name\": \"Refuse\", \"activity_id\": 5, \"disposition\": \"Blocked\", \"disposition_id\": 2, \"type_uid\": 400105, \"type_name\": \"Network Activity: Refuse\", \"unmapped\": {\"sublocation_id\": \"-\", \"sublocation_type\": \"-\"}}", + "message": "{\"cloud\": {\"account_uid\": \"987654321098\", \"region\": \"us-west-2\", \"zone\": \"use2-az2\", \"provider\": \"AWS\"}, \"action\": \"Allowed\", \"action_id\": 1, \"status_code\": \"OK\", \"traffic\": {\"bytes\": 85, \"packets\": 10}, \"src_endpoint\": {\"ip\": \"192.168.1.10\", \"port\": 8080, \"svc_name\": \"amazon-s3\", \"subnet_uid\": \"subnet-33333333333333333\", \"vpc_uid\": \"vpc-44444444444444444\"}, \"dst_endpoint\": {\"ip\": \"192.168.1.20\", \"port\": 443, \"svc_name\": \"amazon-ec2\", \"interface_uid\": \"eni-22222222222222222\", \"instance_uid\": \"i-111111111111111111\"}, \"connection_info\": {\"protocol_num\": 17, \"protocol_ver\": \"IPv6\", \"tcp_flags\": 6, \"direction\": \"egress\", \"direction_id\": 2, \"boundary_id\": 99, \"boundary\": \"vpn\", \"start_time\": 1653200123, \"end_time\": 1653200100}, \"time\": 1653200100, \"type_name\": \"Network Activity: Traffic\", \"type_uid\": 400105, \"activity_id\": 5, \"activity_name\": \"Traffic\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"category_uid\": 4, \"category_name\": \"Network Activity\", \"metadata\": {\"product\": {\"name\": \"Amazon VPC\", \"feature\": {\"name\": \"Flowlogs\"}, \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"security_control\"], \"version\": \"1.1.0\"}, 
\"severity_id\": 1, \"severity\": \"Informational\", \"status_id\": 1, \"status\": \"Success\", \"disposition\": \"Allowed\", \"pkt_src_aws_service\": \"amazon-s3\", \"pkt_dst_aws_service\": \"amazon-ec2\", \"sublocation_type\": \"subnet\", \"sublocation_id\": \"subnet-33333333333333333\"}", "event": { - "action": "refuse", + "action": "traffic", "category": [ "network" ], - "end": "2022-04-12T00:03:08Z", "kind": "event", + "outcome": "success", "severity": 1, - "start": "2022-04-12T00:02:12Z", "type": [ - "denied", "info" ] }, - "@timestamp": "2022-04-12T00:02:12Z", + "@timestamp": "2022-05-22T06:15:00Z", "cloud": { - "account": { - "id": "123456789012" - }, - "availability_zone": "use1-az1", + "availability_zone": "use2-az2", "provider": "AWS", - "region": "us-east-1" + "region": "us-west-2" }, "destination": { - "address": "172.31.2.52", - "ip": "172.31.2.52", - "port": 39938 + "address": "192.168.1.20", + "ip": "192.168.1.20", + "port": 443 }, "network": { - "bytes": 40, - "direction": [ - "inbound" - ], - "iana_number": "6", - "packets": 1 + "application": "amazon-ec2", + "bytes": 85, + "iana_number": "17", + "packets": 10 }, "ocsf": { "activity_id": 5, - "activity_name": "Refuse", + "activity_name": "Traffic", "class_name": "Network Activity", "class_uid": 4001 }, "related": { "ip": [ - "1.128.0.0", - "172.31.2.52" + "192.168.1.10", + "192.168.1.20" ] }, "source": { - "address": "1.128.0.0", - "ip": "1.128.0.0", - "port": 56858 + "address": "192.168.1.10", + "ip": "192.168.1.10", + "port": 8080 } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_10.json b/OCSF/ocsf/tests/test_network_activity_10.json deleted file mode 100644 index 3c7b73476..000000000 --- a/OCSF/ocsf/tests/test_network_activity_10.json +++ /dev/null 
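Review bot: The new input in this hunk keeps `\"type_uid\": 400105, \"activity_id\": 5` but labels it `\"activity_name\": \"Traffic\"`, while the line it replaces (and the expected `ocsf` block of the old fixture) use that same id for `Refuse`; the expected `"action": "traffic"` therefore pins the parser to a sample whose id and name disagree, so either keep `Refuse` or move the sample to the Traffic activity (id 6 / type_uid 400106 in the OCSF Network Activity class) so the fixture would catch a parser reading the wrong field. The expected block also no longer asserts `event.start`, `event.end`, `network.direction` or a `denied`/allowed event type even though the input still carries `connection_info.start_time`/`end_time` (with end_time 1653200100 earlier than start_time 1653200123), `\"direction\": \"egress\"` and `\"disposition\": \"Allowed\"`; if the parser intentionally reads only top-level times and Inbound/Outbound direction values, a CHANGELOG line or a second fixture for the allowed/egress path should say so rather than silently dropping the coverage the removed fixture had. The sample is additionally inconsistent in declaring `\"protocol_ver\": \"IPv6\"` for IPv4 addresses, which the parser ignores but which is misleading as reference data.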
@@ -1,125 +0,0 @@ -{ - "input": { - "message": "{\"message\": \"kelkoo interactions constitute\", \"status\": \"patch emma midi\", \"time\": 1695676041549, \"file\": {\"name\": \"amend.sh\", \"type\": \"Unknown\", \"desc\": \"arabic suits fun\", \"type_id\": 0, \"accessor\": {\"name\": \"Uruguay\", \"type\": \"User\", \"uid\": \"849f49fa-5be7-11ee-bfe2-0242ac110005\", \"org\": {\"name\": \"lottery political own\", \"uid\": \"849f501c-5be7-11ee-ab6f-0242ac110005\", \"ou_name\": \"confirmed towards declined\", \"ou_uid\": \"849f540e-5be7-11ee-841c-0242ac110005\"}, \"type_id\": 1}, \"hashes\": [{\"value\": \"4C3280C17F9D982CCBAC882AE1F48DAD224DBA938BEE87BF18E31C76B0C3B88B\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"A7F0A2AD03BE8938C945F65DB1A395CE9E98D67F9EE8D4CA97D687FBB394B64FA0AEB15F5B1D82A2922B62320B77DBA842BBEDEE2B5E15D7A883665ADE3F7C2B\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time_dt\": \"2023-09-25T21:07:21.567190Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"describes static geological\", \"version\": \"1.0.0\", \"uid\": \"849714ce-5be7-11ee-981b-0242ac110005\", \"url_string\": \"avatar\", \"vendor_name\": \"highly got hook\"}, \"sequence\": 99, \"profiles\": [\"cloud\", \"container\", \"datetime\"], \"correlation_uid\": \"84971e10-5be7-11ee-b5e7-0242ac110005\", \"log_name\": \"proud iso ticket\", \"log_provider\": \"cb indexes boxing\", \"original_time\": \"tournaments leisure comedy\", \"modified_time_dt\": \"2023-09-25T21:07:21.513376Z\", \"processed_time_dt\": \"2023-09-25T21:07:21.513394Z\"}, \"start_time\": 1695676041445, \"severity\": \"Low\", \"type_name\": \"Network File Activity: Rename\", \"activity_id\": 5, \"type_uid\": 401005, \"observables\": [{\"name\": \"except visitor vbulletin\", \"type\": \"Uniform Resource Locator\", \"type_id\": 23}, {\"name\": \"hong rhode para\", \"type\": \"Process Name\", \"type_id\": 9}], \"category_name\": \"Network Activity\", 
\"class_uid\": 4010, \"category_uid\": 4, \"class_name\": \"Network File Activity\", \"timezone_offset\": 42, \"activity_name\": \"Rename\", \"actor\": {\"process\": {\"name\": \"Qualification\", \"pid\": 42, \"file\": {\"attributes\": 9, \"name\": \"citations.gpx\", \"type\": \"Character Device\", \"path\": \"telling saved challenge/wrapped.tga/citations.gpx\", \"type_id\": 3, \"parent_folder\": \"telling saved challenge/wrapped.tga\"}, \"user\": {\"name\": \"Aquatic\", \"type\": \"System\", \"uid\": \"84975f7e-5be7-11ee-bfad-0242ac110005\", \"type_id\": 3, \"account\": {\"name\": \"suspended cg sisters\", \"uid\": \"8497655a-5be7-11ee-ab52-0242ac110005\"}}, \"tid\": 17, \"uid\": \"849768e8-5be7-11ee-a428-0242ac110005\", \"cmd_line\": \"goals happen dad\", \"container\": {\"name\": \"ambien cloud eur\", \"size\": 2164055839, \"uid\": \"84977158-5be7-11ee-b042-0242ac110005\", \"image\": {\"name\": \"produced field obituaries\", \"path\": \"adaptive granny knew\", \"uid\": \"849779dc-5be7-11ee-8f66-0242ac110005\"}, \"network_driver\": \"cute desktops arrest\"}, \"created_time\": 1695676041514, \"namespace_pid\": 41, \"parent_process\": {\"file\": {\"name\": \"finance.3g2\", \"type\": \"wrap\", \"path\": \"attention matching forest/met.mpa/finance.3g2\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"mt minutes bids\", \"issuer\": \"shall systematic vatican\", \"fingerprints\": [{\"value\": \"B3305921648A755AA6C1E2C028691A6861EAE8922BAE5ACE52B76E01AD96DF87ECE4E22E06EDC6715A0CAE469323620A07CCC384FD40C69EBA60E8BBEE8EA805\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"expiration_time\": 1695676041516, \"serial_number\": \"requirement sodium situated\", \"expiration_time_dt\": \"2023-09-25T21:07:21.516239Z\", \"created_time_dt\": \"2023-09-25T21:07:21.516247Z\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"desc\": \"surgeons settled advocacy\", \"type_id\": 99, \"creator\": {\"name\": \"Additionally\", \"type\": \"beat\", \"uid\": 
\"84979804-5be7-11ee-848b-0242ac110005\", \"type_id\": 99, \"full_name\": \"Kirstin Thersa\", \"credential_uid\": \"8497ab3c-5be7-11ee-8df1-0242ac110005\"}, \"parent_folder\": \"attention matching forest/met.mpa\", \"hashes\": [{\"value\": \"2675028478A31F71064C2D8CCA68C7FCA87605C294611E7C2294806CE87B596AD856077767F9D941E21BC5089906C5E6903FE622EE1FE19DB2E3FA8F1F1A8EE9\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"4D018BA6DBA4C03004FD6E10D1C02BD324F62DE46C5FE687431A2D4BF4335BB7\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"modified_time_dt\": \"2023-09-25T21:07:21.517084Z\"}, \"uid\": \"8497ba64-5be7-11ee-b3a6-0242ac110005\", \"session\": {\"uid\": \"8497c27a-5be7-11ee-8a34-0242ac110005\", \"issuer\": \"discussing capital ottawa\", \"created_time\": 1695676041516, \"credential_uid\": \"8497c716-5be7-11ee-bd7a-0242ac110005\"}, \"loaded_modules\": [\"/super/disclose/barnes/pg/california.png\", \"/ourselves/lynn/gpl/helped/narrow.tga\"], \"cmd_line\": \"bless addresses backgrounds\", \"container\": {\"name\": \"citizenship caribbean twisted\", \"size\": 2686118868, \"uid\": \"8497d15c-5be7-11ee-aa8b-0242ac110005\", \"image\": {\"name\": \"assistance grande an\", \"uid\": \"8497dec2-5be7-11ee-9c88-0242ac110005\"}, \"hash\": {\"value\": \"08759209B8F0A761FFF2B978AB8DAB0B6AE7B63C9AC9D3694BC0FED57BB2E27F5AAFB08486F656D6C6FE784F7DF07513FCB0975EC8B772EE000F56F793867A77\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}}, \"created_time\": 1695676041518, \"lineage\": [\"vhs mechanism dates\"], \"namespace_pid\": 97, \"parent_process\": {\"name\": \"Bid\", \"pid\": 26, \"file\": {\"name\": \"dame.svg\", \"type\": \"Regular File\", \"path\": \"wives pamela karl/articles.c/dame.svg\", \"modifier\": {\"name\": \"Complete\", \"type\": \"Unknown\", \"uid\": \"8497f38a-5be7-11ee-97c6-0242ac110005\", \"groups\": [{\"name\": \"winds seeking reply\", \"uid\": \"8497fde4-5be7-11ee-9733-0242ac110005\"}, {\"name\": \"hamburg roommate environment\", \"uid\": 
\"8498099c-5be7-11ee-ac6f-0242ac110005\"}], \"type_id\": 0}, \"type_id\": 1, \"parent_folder\": \"wives pamela karl/articles.c\", \"hashes\": [{\"value\": \"E7B2EBCA4F63795EBE380FFBEAB194BCF3E2EB5C74F10C6B8AAB95F4C0B8D7AC\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"AFD9AD7A88CFF487A60962E99C6219806726EB352DD1591D375AD3BB143C0DABBFBC6DBFFA5D99B3662AE82C9B7EED847E30B7EA516D2AD9DFF07D8775F8AE36\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"security_descriptor\": \"robinson queens graduate\", \"created_time_dt\": \"2023-09-25T21:07:21.519646Z\"}, \"user\": {\"name\": \"Shipment\", \"type\": \"Unknown\", \"uid\": \"84981f68-5be7-11ee-b652-0242ac110005\", \"type_id\": 0, \"uid_alt\": \"singh dim static\"}, \"uid\": \"849823d2-5be7-11ee-92d1-0242ac110005\", \"cmd_line\": \"harder interventions pb\", \"container\": {\"name\": \"kg sources houses\", \"runtime\": \"kate through furniture\", \"size\": 2387392206, \"uid\": \"849829cc-5be7-11ee-bb7a-0242ac110005\", \"hash\": {\"value\": \"6A9A10210588981DD8FAA6BE10E39F2C65E816FEFE4768884F7B0BB0A10CD9D6\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, \"pod_uuid\": \"kiss\"}, \"created_time\": 1695676041517, \"integrity\": \"they thermal eau\", \"lineage\": [\"attraction cord adjustment\", \"announcements summer introduce\"], \"namespace_pid\": 49, \"parent_process\": {\"name\": \"Jamie\", \"pid\": 28, \"file\": {\"name\": \"seq.wpd\", \"type\": \"Character Device\", \"path\": \"conflicts disability citysearch/ieee.dtd/seq.wpd\", \"modifier\": {\"name\": \"Officer\", \"type\": \"Admin\", \"uid\": \"84984362-5be7-11ee-af2c-0242ac110005\", \"type_id\": 2}, \"type_id\": 3, \"parent_folder\": \"conflicts disability citysearch/ieee.dtd\", \"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"created_time\": 1695676041520845, \"hashes\": [{\"value\": \"7D875B5EB312ADEF7D530DD6E43468170B094A5F54CA1AC26E7788A81A01238428E62D581423E70B05DA11F15513291EB10776B4E14DE1844072ACDF11BBDFD1\", 
\"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"1100511F3469E3CDE7D081EC6E78154C8476D546F615EEEB37C4CDFBD41740440FC77660EE3A4B9C67DE81C63172A49F835656F85ED5E36A65A2A25E2A733358\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"name\": \"Knows\", \"type\": \"User\", \"domain\": \"sao uri flesh\", \"uid\": \"84984db2-5be7-11ee-ba4e-0242ac110005\", \"type_id\": 1}, \"uid\": \"8498530c-5be7-11ee-86f3-0242ac110005\", \"cmd_line\": \"creation defense carolina\", \"container\": {\"name\": \"hunt indicating radiation\", \"size\": 3179758248, \"tag\": \"reader prevention as\", \"uid\": \"84985df2-5be7-11ee-be06-0242ac110005\", \"hash\": {\"value\": \"666334EB7A1E55E189435FFF3F0CA7266F484FB44970AAFF3E72546D8B04B02ABB1A66B209CAFD44267701CA1392DF35B8EC3EECE0DC492D093880F2E4FF352C\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695676041527, \"namespace_pid\": 46, \"parent_process\": {\"name\": \"Arbor\", \"pid\": 20, \"file\": {\"name\": \"startup.3dm\", \"size\": 3504413585, \"type\": \"Named Pipe\", \"version\": \"1.0.0\", \"signature\": {\"certificate\": {\"subject\": \"shades bad tradition\", \"issuer\": \"previous price thing\", \"fingerprints\": [{\"value\": \"8E4DE5CC0D59311697B0D4061FDBFB4CB99E38121EA17CF740789A0CBC85B56703E1341C940E7A2220C02211CC84447A19061569BE42AC4A2C03010FB6CB1A75\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"205D64FF9B580AADBF4829EC41DD4EF0\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"created_time\": 1695676041522, \"expiration_time\": 1695676041526, \"serial_number\": \"files the parish\", \"created_time_dt\": \"2023-09-25T21:07:21.521904Z\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"uid\": \"84987ae4-5be7-11ee-b247-0242ac110005\", \"type_id\": 6, \"created_time\": 1695676042262, \"hashes\": [{\"value\": \"60F202A3BE4EF214E24EA9D3555D194C\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": 
\"B0B2D200728B0DACE6CB6829F90EE31A9AD123FF1982012B003249D4F2C5351924E6DBBD1242EE722D4C5A0B80C983DC7B94DDD594FCFCEF4E63552956E2B26A\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"modified_time_dt\": \"2023-09-25T21:07:21.522441Z\"}, \"user\": {\"name\": \"Provided\", \"type\": \"Admin\", \"uid\": \"84988e80-5be7-11ee-bf3c-0242ac110005\", \"type_id\": 2, \"full_name\": \"Karoline Meggan\", \"email_addr\": \"Elza@girls.mil\"}, \"uid\": \"84989376-5be7-11ee-9216-0242ac110005\", \"cmd_line\": \"plan agents converter\", \"container\": {\"name\": \"thongs routine an\", \"size\": 2099983603, \"uid\": \"84989948-5be7-11ee-b4fb-0242ac110005\", \"image\": {\"name\": \"extending construction inkjet\", \"path\": \"empirical precipitation builder\", \"uid\": \"84989f42-5be7-11ee-8820-0242ac110005\", \"labels\": [\"golf\", \"nov\"]}, \"hash\": {\"value\": \"E7EFDA40B1C94805070CD9BF9638AE27\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"created_time\": 1695676041523226, \"integrity\": \"conspiracy unions allocated\", \"parent_process\": {\"name\": \"Processes\", \"pid\": 49, \"file\": {\"name\": \"considerations.jar\", \"type\": \"Local Socket\", \"path\": \"roger economy macro/mesh.gadget/considerations.jar\", \"type_id\": 5, \"accessor\": {\"name\": \"Wildlife\", \"type\": \"Admin\", \"uid\": \"8498c030-5be7-11ee-80d9-0242ac110005\", \"type_id\": 2, \"full_name\": \"Twyla Cherise\", \"email_addr\": \"Shin@cause.mobi\", \"uid_alt\": \"excellent far varied\"}, \"mime_type\": \"star/flyer\", \"parent_folder\": \"roger economy macro/mesh.gadget\", \"created_time\": 1695676041524, \"hashes\": [{\"value\": \"707CF5E50A11D69874235DED9A045B6AB42439F7495DED03049CB7E997949E8B014295A25059CD1A9F06BFE9E4101ED176615E69D43FE199E849DEC0BC4AEB4D\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"6F487B974BDB9DBDF014F50502D9F70BC2630E6C974E4C6E6AA2EB3BEC95A3BDCA7AE609DA34179E0677F042734A767ADA4F6CA04788916644262CDC60BC2FB2\", \"algorithm\": \"CTPH\", \"algorithm_id\": 
5}]}, \"user\": {\"name\": \"Hour\", \"type\": \"insert\", \"uid\": \"8498cd14-5be7-11ee-94d7-0242ac110005\", \"type_id\": 99, \"uid_alt\": \"organizations guild beds\"}, \"uid\": \"8498d430-5be7-11ee-b1bf-0242ac110005\", \"cmd_line\": \"sixth pc peoples\", \"container\": {\"name\": \"warrior document workflow\", \"size\": 2697694450, \"uid\": \"8498da2a-5be7-11ee-9d00-0242ac110005\", \"image\": {\"name\": \"version treating tall\", \"uid\": \"8498df20-5be7-11ee-8257-0242ac110005\"}, \"hash\": {\"value\": \"F4001D4FD76B73412DB0EFD2C66F0AB3C27D9FE9BD375B1659A1DDDA68C17DC1C0F5402A6AE571DC073E94F1B720821E4208595D5BB4B13D917A12CE3DA53C1E\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, \"pod_uuid\": \"sas\"}, \"created_time\": 1695676041523, \"integrity\": \"aviation blame tion\", \"namespace_pid\": 76, \"parent_process\": {\"name\": \"Job\", \"pid\": 86, \"file\": {\"name\": \"pic.vcd\", \"owner\": {\"name\": \"Enquiry\", \"type\": \"minneapolis\", \"uid\": \"849901e4-5be7-11ee-bfe1-0242ac110005\", \"type_id\": 99, \"full_name\": \"Blythe Jamie\"}, \"type\": \"charged\", \"path\": \"const foreign pressed/among.ged/pic.vcd\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"strap liz boulder\", \"issuer\": \"everybody brunei disciplinary\", \"fingerprints\": [{\"value\": \"9E41EB47ABD226D92CFE27DBDA0C924C190A1B0C0136B09923B419089B013DF14CB58C38F651F710540E348BF800DFE364197904B11FFFAD98BB2B10006B28E2\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"3DE877DDFB06DB510E63893D98DDAC9524696C14\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"created_time\": 1695676041526, \"expiration_time\": 1695676045872, \"serial_number\": \"approaches symbol assembly\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"developer_uid\": \"84991526-5be7-11ee-a2ca-0242ac110005\", \"created_time_dt\": \"2023-09-25T21:07:21.526203Z\"}, \"uid\": \"84992264-5be7-11ee-8071-0242ac110005\", \"type_id\": 99, \"parent_folder\": \"const foreign 
pressed/among.ged\", \"accessed_time\": 1695676041556, \"confidentiality\": \"suburban ati mostly\", \"hashes\": [{\"value\": \"00EF9DADDE482AF5432B0BFC5F69023736D4A0ECD59F74884C4B8AD83D21429B78023351C5DBD07407EAB2BFA527A0586016DE3C92F37913920E221F7D452802\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"is_system\": false, \"modified_time_dt\": \"2023-09-25T21:07:21.526727Z\", \"created_time_dt\": \"2023-09-25T21:07:21.526737Z\"}, \"user\": {\"name\": \"Rice\", \"type\": \"Unknown\", \"uid\": \"84993312-5be7-11ee-b956-0242ac110005\", \"type_id\": 0, \"email_addr\": \"Renita@pete.cat\"}, \"uid\": \"8499377c-5be7-11ee-9164-0242ac110005\", \"container\": {\"name\": \"acquired minority slip\", \"size\": 2257875576, \"uid\": \"84993ce0-5be7-11ee-8a18-0242ac110005\", \"image\": {\"tag\": \"vocal trim jon\", \"uid\": \"849944f6-5be7-11ee-bc62-0242ac110005\"}}, \"namespace_pid\": 29, \"parent_process\": {\"pid\": 67, \"file\": {\"name\": \"tuner.pdb\", \"type\": \"Named Pipe\", \"version\": \"1.0.0\", \"path\": \"architectural pink phil/overview.dtd/tuner.pdb\", \"type_id\": 6, \"parent_folder\": \"architectural pink phil/overview.dtd\", \"hashes\": [{\"value\": \"44CA9EA761C2131C73960AD47472741B13D305EE2D07FE91E8F1B47F4F062B8A16DD3611E4439E4C163A7CF42F1AE5989CF9683117DB801FD1BC222A16618E19\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"C25DDA249CDECE9D908CC33ADCD16AA05E20290F\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"xattributes\": {}}, \"user\": {\"name\": \"Fantastic\", \"type\": \"Admin\", \"uid\": \"84995d06-5be7-11ee-8223-0242ac110005\", \"org\": {\"name\": \"dryer asn trying\", \"uid\": \"849963aa-5be7-11ee-b57a-0242ac110005\", \"ou_name\": \"wr r gibraltar\"}, \"type_id\": 2}, \"uid\": \"84996800-5be7-11ee-8754-0242ac110005\", \"cmd_line\": \"brush bouquet alto\", \"container\": {\"name\": \"deutschland pic newcastle\", \"size\": 797071549, \"uid\": \"84996db4-5be7-11ee-bada-0242ac110005\", \"image\": {\"name\": \"adipex 
into polo\", \"uid\": \"849984fc-5be7-11ee-af4c-0242ac110005\"}, \"hash\": {\"value\": \"82B5F7770097973F2962C241C557369EC2D38E9A1BDA03176B9CA511F1CA56CF\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695676041528, \"lineage\": [\"familiar privilege canvas\"], \"namespace_pid\": 23, \"parent_process\": {\"name\": \"Cialis\", \"pid\": 21, \"file\": {\"attributes\": 83, \"name\": \"spirit.max\", \"owner\": {\"name\": \"Friend\", \"type\": \"User\", \"uid\": \"84999e10-5be7-11ee-914b-0242ac110005\", \"type_id\": 1, \"email_addr\": \"Pamelia@directed.com\"}, \"type\": \"Regular File\", \"version\": \"1.0.0\", \"path\": \"fish largest alberta/solutions.deskthemepack/spirit.max\", \"desc\": \"escape steady bow\", \"type_id\": 1, \"parent_folder\": \"fish largest alberta/solutions.deskthemepack\", \"hashes\": [{\"value\": \"718C92FD5ECC9B483CA9A76E309BD60F7DAD6035254FAD5EA9430568F36EB16D5532657DE90C3B3B41896C8A9B601BF1E1083D5BB299127118B535C347D13549\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"D13D53927A745D27511C298846343093D7E92D919905B6C22ABBF727AD18EF7E3B3850949F8CC772390749C8644B5CF6F8618FEF524E9589DB73F57FE128AA88\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}]}, \"user\": {\"name\": \"Apartments\", \"type\": \"ad\", \"uid\": \"8499b5da-5be7-11ee-b276-0242ac110005\", \"type_id\": 99, \"uid_alt\": \"serving turbo spy\"}, \"uid\": \"8499bc88-5be7-11ee-b028-0242ac110005\", \"session\": {\"uid\": \"8499ca0c-5be7-11ee-aae9-0242ac110005\", \"created_time\": 1695676041534, \"expiration_time\": 1695676041542, \"is_remote\": true}, \"cmd_line\": \"in blowing memorial\", \"container\": {\"name\": \"france sg charger\", \"size\": 1048383191, \"tag\": \"deserve focused select\", \"uid\": \"8499d164-5be7-11ee-a7e8-0242ac110005\", \"image\": {\"name\": \"robert through mailing\", \"tag\": \"struggle gerald weather\", \"uid\": \"8499d704-5be7-11ee-b617-0242ac110005\"}, \"hash\": {\"value\": 
\"6B2A589B76A482CD379A7FF8AF13EE0F9ABF937DE60010068FEC808F5B6B22521C2A28C7F48BC5C2EDC81EAE5E5812D95F5E0F3DF5685571E5DB36B146DB82EC\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, \"network_driver\": \"catch sun general\", \"orchestrator\": \"sf varieties queries\"}, \"created_time\": 1695676041539, \"integrity\": \"faculty hardcover generated\", \"namespace_pid\": 79, \"parent_process\": {\"name\": \"Devices\", \"pid\": 90, \"file\": {\"name\": \"premises.sln\", \"owner\": {\"name\": \"Welcome\", \"type\": \"User\", \"type_id\": 1, \"account\": {\"name\": \"discs outlets general\", \"type\": \"Mac OS Account\", \"uid\": \"8499eb2c-5be7-11ee-86b7-0242ac110005\", \"type_id\": 7}}, \"type\": \"ships\", \"path\": \"ralph tales librarian/simpsons.psd/premises.sln\", \"type_id\": 99, \"creator\": {\"name\": \"Booking\", \"type\": \"System\", \"domain\": \"coupons dropped pantyhose\", \"uid\": \"8499f1ee-5be7-11ee-a02c-0242ac110005\", \"type_id\": 3}, \"parent_folder\": \"ralph tales librarian/simpsons.psd\", \"hashes\": [{\"value\": \"F01EB1DD5E5D955CF3DA810E1FAABA4136E09F5EF69DA3753223183EF836741A617AAAEB52D8B014D900A4A11B94974298F7D3C4EAE57C107CF3A3230AD34188\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"modified_time_dt\": \"2023-09-25T21:07:21.531893Z\"}, \"user\": {\"name\": \"Immediate\", \"type\": \"Unknown\", \"uid\": \"849a06c0-5be7-11ee-acfe-0242ac110005\", \"org\": {\"name\": \"velvet days pubs\", \"ou_name\": \"brake craps campaign\"}, \"groups\": [{\"uid\": \"849a1124-5be7-11ee-9a8e-0242ac110005\", \"privileges\": [\"independent vegetables assisted\", \"refinance lee seating\"]}, {\"name\": \"div violence strange\", \"uid\": \"849a1674-5be7-11ee-aa3b-0242ac110005\"}], \"type_id\": 0}, \"uid\": \"849a1af2-5be7-11ee-82a9-0242ac110005\", \"cmd_line\": \"text ana range\", \"container\": {\"name\": \"own drawing acute\", \"size\": 1512724327, \"uid\": \"849a2420-5be7-11ee-94c5-0242ac110005\", \"image\": {\"name\": \"layers branch lucas\", \"tag\": 
\"nations chances trips\", \"uid\": \"849a32bc-5be7-11ee-86bb-0242ac110005\"}, \"hash\": {\"value\": \"79F7EED760813BF63DC0EE7F986F1CC6345DD170AB03CA1350684CB8720E3C67F9FCE3B075A22266EB0C66A1CDA2D3BD540E777D9A294433377B83DB6DE3D6DB\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695676041533, \"lineage\": [\"guru hosted bradley\"], \"namespace_pid\": 39, \"parent_process\": {\"name\": \"Bags\", \"file\": {\"attributes\": 22, \"name\": \"hunt.ppt\", \"type\": \"Local Socket\", \"type_id\": 5, \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"value\": \"6FD1E1613C3918067E01585E32D4AA461C485DF01C56BD5A294FD82B353B5EC64A7EBAED614D28451E3AECB3ACA75900593A20D8AE7F7A1E2CF9DD4F0496B9C4\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"B66E94D9133A6E41392C5AFCBF3F6EEB29E45C041350255AEE34ADD6C4E6BD15FF9060177954793B5D078A8802B4B1ADDD73BECACB7D5827D9A1CB9F96D5E153\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": false, \"modified_time_dt\": \"2023-09-25T21:07:21.533963Z\"}, \"user\": {\"name\": \"Sisters\", \"type\": \"rebound\", \"uid\": \"849a52ce-5be7-11ee-a468-0242ac110005\", \"type_id\": 99, \"full_name\": \"Elisa Cleora\"}, \"uid\": \"849a5d78-5be7-11ee-ac24-0242ac110005\", \"cmd_line\": \"merchandise initiatives accessibility\", \"container\": {\"name\": \"apartment drunk amateur\", \"size\": 3702557326, \"uid\": \"849a646c-5be7-11ee-90ce-0242ac110005\", \"image\": {\"name\": \"evaluating apartments disaster\", \"uid\": \"849a6a66-5be7-11ee-95e4-0242ac110005\"}, \"hash\": {\"value\": \"12FC9239ABF2C07159EBC92013171DA43175589170BD05B55220534634A9D1FEFC88B117A95FCE4FE3C5A5FEDB9DC4EB3F700C0386931C889F815E86BCD4B509\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}}, \"created_time\": 1695676041535, \"namespace_pid\": 29, \"parent_process\": {\"name\": \"Sen\", \"pid\": 13, \"file\": {\"attributes\": 35, \"name\": \"hardware.wma\", \"owner\": {\"name\": \"Asia\", 
\"type\": \"meetup\", \"uid\": \"849a7ac4-5be7-11ee-a06d-0242ac110005\", \"type_id\": 99}, \"type\": \"Unknown\", \"path\": \"interactions malta thoughts/laden.pdf/hardware.wma\", \"signature\": {\"digest\": {\"value\": \"3188206324B062751CE36D4251C19C94\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, \"algorithm\": \"Authenticode\", \"algorithm_id\": 4}, \"type_id\": 0, \"parent_folder\": \"interactions malta thoughts/laden.pdf\", \"hashes\": [{\"value\": \"6BD48B1E57856137037BFEE4DEC8D57F\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"user\": {\"name\": \"Round\", \"type\": \"System\", \"uid\": \"849a900e-5be7-11ee-9894-0242ac110005\", \"type_id\": 3, \"full_name\": \"Marisela Towanda\", \"account\": {\"name\": \"fragrances bulk specialty\", \"type\": \"LDAP Account\", \"uid\": \"849a9702-5be7-11ee-9f5d-0242ac110005\", \"type_id\": 1}, \"credential_uid\": \"849a9afe-5be7-11ee-b27a-0242ac110005\", \"email_addr\": \"Wava@promises.info\"}, \"uid\": \"849a9ed2-5be7-11ee-ae61-0242ac110005\", \"cmd_line\": \"recordings countries slides\", \"container\": {\"name\": \"distant modeling monaco\", \"runtime\": \"peace up sailing\", \"uid\": \"849aa490-5be7-11ee-bb98-0242ac110005\", \"image\": {\"name\": \"evanescence plans courts\", \"tag\": \"buy archives predict\", \"uid\": \"849aaa9e-5be7-11ee-a47a-0242ac110005\"}, \"hash\": {\"value\": \"383B6630E8241D34D54BFD689DECC0CAB88770D935667989A3A1DE8397F5520F\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695676041539, \"integrity\": \"bookings qc dictionaries\", \"lineage\": [\"lanka manufacture bra\", \"gibson implementation pope\"], \"namespace_pid\": 6, \"parent_process\": {\"name\": \"Impacts\", \"pid\": 86, \"file\": {\"name\": \"removal.obj\", \"type\": \"Named Pipe\", \"path\": \"jeff puts assignments/thing.msi/removal.obj\", \"type_id\": 6, \"parent_folder\": \"jeff puts assignments/thing.msi\", \"accessed_time\": 1695676041534, \"hashes\": [{\"value\": 
\"CE850E16E049A60B4B8F465DC00ADBFB7207CC76FD94F5EBC335F637B8052B77\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"bureau myspace barrel\"}, \"user\": {\"name\": \"Alliance\", \"type\": \"Admin\", \"domain\": \"statistical poland gregory\", \"uid\": \"849abe76-5be7-11ee-a5a1-0242ac110005\", \"org\": {\"name\": \"nyc kidney drawings\", \"uid\": \"849accae-5be7-11ee-af7b-0242ac110005\"}, \"groups\": [{\"name\": \"accessed thanks instructions\", \"desc\": \"luggage species belkin\", \"uid\": \"849ad5fa-5be7-11ee-a0e9-0242ac110005\", \"privileges\": [\"flashing aol autumn\"]}, {\"name\": \"cognitive times agent\", \"uid\": \"849ada50-5be7-11ee-824e-0242ac110005\", \"privileges\": [\"sodium believed housing\", \"incorporated jungle asian\"]}], \"type_id\": 2, \"full_name\": \"Paul Julian\"}, \"uid\": \"849adea6-5be7-11ee-aa53-0242ac110005\", \"cmd_line\": \"amount anywhere suffered\", \"container\": {\"name\": \"author channel disappointed\", \"size\": 191473515, \"uid\": \"849aff08-5be7-11ee-80bd-0242ac110005\", \"image\": {\"name\": \"cross tray influenced\", \"tag\": \"afternoon counseling governance\", \"uid\": \"849b1f7e-5be7-11ee-bb9d-0242ac110005\"}, \"hash\": {\"value\": \"B7F1BFFEB47BCFB30F891852F769572A9816784BF4A4073805850F9F969A5335CFC878CACC9E0F8A71B547F60832FE712A59A7DD7DBD6E94BB9D155309EB3581\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"network_driver\": \"slovakia friend username\"}, \"created_time\": 1695676041539630, \"namespace_pid\": 49, \"parent_process\": {\"name\": \"Sampling\", \"pid\": 71, \"file\": {\"attributes\": 78, \"name\": \"human.pdb\", \"type\": \"Symbolic Link\", \"path\": \"let dawn representing/surrounding.dwg/human.pdb\", \"product\": {\"name\": \"heavy payroll timothy\", \"version\": \"1.0.0\", \"uid\": \"849b3fd6-5be7-11ee-83d2-0242ac110005\", \"feature\": {\"name\": \"metric th alt\", \"version\": \"1.0.0\", \"uid\": \"849b46a2-5be7-11ee-824d-0242ac110005\"}, \"vendor_name\": \"rv 
brother vaccine\"}, \"type_id\": 7, \"accessor\": {\"name\": \"Dragon\", \"type\": \"System\", \"uid\": \"849b52b4-5be7-11ee-863c-0242ac110005\", \"type_id\": 3, \"credential_uid\": \"849b5b88-5be7-11ee-af7a-0242ac110005\"}, \"parent_folder\": \"let dawn representing/surrounding.dwg\", \"hashes\": [{\"value\": \"AABE45CE23939AE53AA3AF15C6123A6ED98FC106E4C7491B89A814D8EB040F3B9D5842B5A215D1D27ED1B4DC8DD3D3F0D50197DD105E37461661D98A23E0917C\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695676041541, \"modified_time_dt\": \"2023-09-25T21:07:21.541163Z\", \"created_time_dt\": \"2023-09-25T21:07:21.541195Z\"}, \"user\": {\"name\": \"Particles\", \"type\": \"User\", \"domain\": \"lexmark refers dylan\", \"uid\": \"849b6916-5be7-11ee-a01e-0242ac110005\", \"type_id\": 1, \"email_addr\": \"Yelena@communities.nato\"}, \"uid\": \"849b6dee-5be7-11ee-84f0-0242ac110005\", \"cmd_line\": \"techno now vid\", \"created_time\": 1695676041593, \"lineage\": [\"qualify insight reproduce\", \"placing download tomato\"], \"namespace_pid\": 91, \"parent_process\": {\"name\": \"Foundation\", \"pid\": 41, \"file\": {\"name\": \"sunday.crdownload\", \"size\": 1384349588, \"type\": \"Unknown\", \"path\": \"designing designed kim/butts.crx/sunday.crdownload\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"annually ic quest\", \"issuer\": \"cooperation worldcat southwest\", \"fingerprints\": [{\"value\": \"A1636B226D49D354EAD09345190417B47EC13762648D8C196823FB556456DD5A2ED39FDF2ADE536CF2D0AFA33A47F9404800085FE205A49A4DA6C280AF603AA9\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"created_time\": 1695676041542, \"expiration_time\": 1695676041577, \"serial_number\": \"distributed characters bin\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time_dt\": \"2023-09-25T21:07:21.542032Z\"}, \"product\": {\"name\": \"nights validity updated\", \"version\": \"1.0.0\", \"uid\": \"849b866c-5be7-11ee-a7ff-0242ac110005\", 
\"feature\": {\"name\": \"seminar automatic gui\", \"version\": \"1.0.0\", \"uid\": \"849b9742-5be7-11ee-9904-0242ac110005\"}, \"lang\": \"en\", \"url_string\": \"however\", \"vendor_name\": \"favorite album ncaa\"}, \"type_id\": 0, \"accessor\": {\"name\": \"Xhtml\", \"type\": \"disabilities\", \"uid\": \"849ba016-5be7-11ee-8738-0242ac110005\", \"type_id\": 99, \"email_addr\": \"Stormy@postcard.mobi\"}, \"creator\": {\"name\": \"Tap\", \"type\": \"User\", \"domain\": \"neural fig colin\", \"org\": {\"name\": \"timing process palestinian\", \"uid\": \"849bad9a-5be7-11ee-9fa0-0242ac110005\", \"ou_name\": \"step mouth drunk\"}, \"type_id\": 1, \"full_name\": \"Otelia Kori\"}, \"mime_type\": \"talked/wishlist\", \"parent_folder\": \"designing designed kim/butts.crx\", \"hashes\": [{\"value\": \"A5064ED27DDBDCBA4CBCADF1DB39DA3F2EEE6B58C7A1239C64CABA643C220D3F292A1DE7E239A9314ECD04E09E02E1289265DB1375370F0E2CB9844F235B40B9\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"is_system\": true, \"modified_time\": 1695676041546}, \"user\": {\"name\": \"Certain\", \"type\": \"Unknown\", \"uid\": \"849bb81c-5be7-11ee-bbec-0242ac110005\", \"groups\": [{\"name\": \"penn laundry woods\", \"type\": \"powerpoint jump hospitality\", \"desc\": \"twenty protection innovative\", \"uid\": \"849bbdee-5be7-11ee-95a2-0242ac110005\"}, {\"uid\": \"849bc780-5be7-11ee-9955-0242ac110005\"}], \"type_id\": 0, \"email_addr\": \"Reba@contemporary.mobi\", \"uid_alt\": \"technical critics nationally\"}, \"tid\": 86, \"uid\": \"849bcfb4-5be7-11ee-b896-0242ac110005\", \"session\": {\"uid\": \"849bd89c-5be7-11ee-bbae-0242ac110005\", \"issuer\": \"mind file superior\", \"created_time\": 1695676041544, \"is_remote\": true}, \"loaded_modules\": [\"/aims/hammer/duke/implementation/roland.jar\", \"/illustration/reads/adaptation/ppc/footage.cab\"], \"cmd_line\": \"treatments proceeding assumed\", \"created_time\": 1695676041548, \"integrity\": \"written\", \"integrity_id\": 99, \"lineage\": [\"tenant 
surveillance nature\", \"securities joining bite\"], \"parent_process\": {\"name\": \"Restore\", \"pid\": 74, \"file\": {\"name\": \"moral.kmz\", \"type\": \"Local Socket\", \"path\": \"suit who pics/arrange.torrent/moral.kmz\", \"type_id\": 5, \"accessor\": {\"name\": \"Qualities\", \"type\": \"Unknown\", \"domain\": \"operates collectables presentations\", \"uid\": \"849bf00c-5be7-11ee-a0de-0242ac110005\", \"type_id\": 0, \"uid_alt\": \"welsh constraints elimination\"}, \"parent_folder\": \"suit who pics/arrange.torrent\", \"accessed_time\": 1695676044937, \"created_time\": 1695676041545, \"hashes\": [{\"value\": \"BADBDA50632954800C02D40EB49D1BEF8E5A883D\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"22B65F9CC3DDECE17BC92C741314C0C01D6C398B477BCFE22CCB63F4975A066119C2A3F4E9BDC342383345BCEEA9046C0573AEA278C1EBD8E1578337B1640606\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": false}, \"cmd_line\": \"remain weird municipal\", \"container\": {\"name\": \"anthony serial medline\", \"size\": 2006500672, \"uid\": \"849c059c-5be7-11ee-b620-0242ac110005\", \"image\": {\"name\": \"titten live cvs\", \"uid\": \"849c105a-5be7-11ee-8337-0242ac110005\"}, \"hash\": {\"value\": \"53CB2A3DF41EA583C9DAD815CC228E623D600CA69DD3B138EBA03828A95C399AC2319E8C246FAF2EB345362B0931618009C8A5FF4C8E100C7B414107D51F849D\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695676041542, \"integrity\": \"High\", \"integrity_id\": 4, \"namespace_pid\": 8, \"parent_process\": {\"pid\": 20, \"file\": {\"attributes\": 79, \"name\": \"revolution.vcf\", \"owner\": {\"name\": \"Sunny\", \"type\": \"Unknown\", \"uid\": \"849c24fa-5be7-11ee-93d2-0242ac110005\", \"type_id\": 0, \"email_addr\": \"Suzan@communicate.coop\"}, \"type\": \"Folder\", \"version\": \"1.0.0\", \"path\": \"nintendo smilies thank/ought.vb/revolution.vcf\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"microwave marriott okay\", \"issuer\": 
\"foundation review shaft\", \"fingerprints\": [{\"value\": \"35C90137B6BD19F8D464173B9904DBFA60D62BFF8BCBCF99235987ACC2D4840DBA02F991522C533C211C54B3A1016A0A76AF0578E30D0190414926A1EA56FEB7\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1695676041548, \"expiration_time\": 1695676041514, \"serial_number\": \"windsor sponsor google\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3}, \"product\": {\"name\": \"pci invasion producers\", \"version\": \"1.0.0\", \"uid\": \"849c3e4a-5be7-11ee-80be-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"australian payments crm\"}, \"type_id\": 2, \"accessor\": {\"name\": \"Class\", \"type\": \"pie\", \"type_id\": 99, \"full_name\": \"Crysta Damaris\", \"account\": {\"name\": \"cards gratis necklace\", \"type\": \"Apple Account\", \"type_id\": 8}, \"uid_alt\": \"linux has luis\"}, \"company_name\": \"Mckenzie Ardith\", \"creator\": {\"type\": \"selected\", \"domain\": \"glass outlet lopez\", \"uid\": \"849c4b2e-5be7-11ee-9c0b-0242ac110005\", \"org\": {\"name\": \"reproductive balloon stanley\", \"uid\": \"849c5060-5be7-11ee-b740-0242ac110005\", \"ou_name\": \"pick rear governance\", \"ou_uid\": \"849c5470-5be7-11ee-b89d-0242ac110005\"}, \"groups\": [{\"name\": \"suspected contributor counting\", \"type\": \"vacations wines biological\", \"uid\": \"849c5ae2-5be7-11ee-97a7-0242ac110005\"}], \"type_id\": 99}, \"parent_folder\": \"nintendo smilies thank/ought.vb\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"hashes\": [{\"value\": \"1B8BF6AF4C4E0F5A64ED59860F5673F5762D1E214D4B3127BAC626D3811952EAF98972460DF098DEAB2B6D4FF02723546AEBA4108F2A03A20044552141A4447E\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"221C1DF278F5DBE8C04CCC89DB66A355ABA13C3F27B4E23A19D0E73C64E5E9A7951D5102BA2F416429122A6110C57ED22F7216EB73939FF0E7E4BDB574A90CC4\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"is_system\": false, \"security_descriptor\": \"recommended approve 
environment\"}, \"uid\": \"849c61f4-5be7-11ee-8006-0242ac110005\", \"cmd_line\": \"arrangements makes handy\", \"container\": {\"name\": \"yahoo plains basically\", \"uid\": \"849c6776-5be7-11ee-94b5-0242ac110005\", \"image\": {\"name\": \"capabilities huge hometown\", \"uid\": \"849c6d2a-5be7-11ee-a411-0242ac110005\", \"labels\": [\"mumbai\"]}, \"hash\": {\"value\": \"FC25F43E993A1FB725021E78097481FDD1FECA2EC91BF14AE34067FC31DBCD1005D4B0AFC4F050872672CC3EAB72236EADE80DFF4CCBB844F8ED0489F697D2F1\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695676041544, \"namespace_pid\": 13, \"parent_process\": {\"name\": \"Tell\", \"file\": {\"name\": \"world.jpg\", \"type\": \"Block Device\", \"path\": \"blend roommates closed/died.docx/world.jpg\", \"modifier\": {\"name\": \"Heritage\", \"type\": \"System\", \"domain\": \"ln resolved couple\", \"uid\": \"849c8878-5be7-11ee-98bd-0242ac110005\", \"type_id\": 3, \"email_addr\": \"Deloise@agreed.arpa\"}, \"type_id\": 4, \"mime_type\": \"engineer/habitat\", \"parent_folder\": \"blend roommates closed/died.docx\", \"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"hashes\": [{\"value\": \"3BC175E9CE56D1FC2D86AB6EA2EC56EB21930540B56A5B6E3840DFB64287ACAB\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"31588C71F04798D44E2202431AE7025AF3BC67EC8192E94F362A9B9121FB5AC23510026F8391A0A54234D8D0DB8D2DEBD112DEEF6AC598A11A194875191A4975\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"is_system\": true}, \"user\": {\"name\": \"Weather\", \"type\": \"Admin\", \"domain\": \"our installing clinical\", \"uid\": \"849ca4ca-5be7-11ee-b39c-0242ac110005\", \"org\": {\"name\": \"top riverside asthma\", \"uid\": \"849cb208-5be7-11ee-a4a6-0242ac110005\", \"ou_name\": \"stats dans soviet\"}, \"type_id\": 2, \"credential_uid\": \"849cc0f4-5be7-11ee-9c36-0242ac110005\"}, \"uid\": \"849cc522-5be7-11ee-aa87-0242ac110005\", \"session\": {\"uid\": \"849ccebe-5be7-11ee-a1ca-0242ac110005\", \"issuer\": 
\"volunteer meetings medline\", \"created_time\": 1695676041550, \"is_remote\": false, \"expiration_time_dt\": \"2023-09-25T21:07:21.550638Z\"}, \"loaded_modules\": [\"/rev/amazon/casino/june/fails.bin\", \"/credit/potential/lawsuit/clause/nine.bmp\"], \"cmd_line\": \"well absent shoe\", \"container\": {\"name\": \"hospitality walker vs\", \"size\": 1224758347, \"uid\": \"849cdd28-5be7-11ee-9250-0242ac110005\", \"image\": {\"name\": \"audio miracle leader\", \"uid\": \"849ce32c-5be7-11ee-b7a9-0242ac110005\"}, \"hash\": {\"value\": \"A813ED16B0B3E58FA959C0BA26A47058\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"created_time\": 1695676041555, \"lineage\": [\"achievement courage send\", \"expansion instructional agreements\"], \"namespace_pid\": 62, \"parent_process\": {\"name\": \"Airfare\", \"file\": {\"name\": \"flexible.vcxproj\", \"type\": \"Folder\", \"product\": {\"name\": \"external polar galaxy\", \"version\": \"1.0.0\", \"lang\": \"en\", \"vendor_name\": \"hack infection generator\"}, \"type_id\": 2, \"mime_type\": \"silicon/limousines\", \"confidentiality\": \"venue rl epa\", \"hashes\": [{\"value\": \"2347F66D3EE9CCBD7191F650BE1EF4F94E8B6ED61D543709A1A907FBC76BFC089577CB78BFA772DA65746573746C4AB26AF19E7A8E9DB821E3979ED04051B9BC\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"256D62122A8BA5E06B613EAD639B79BA7875995217AC6E2C854DBB610631D33C\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"modified_time\": 1695676041500, \"xattributes\": {}, \"created_time_dt\": \"2023-09-25T21:07:21.551631Z\"}, \"user\": {\"name\": \"Track\", \"type\": \"Unknown\", \"uid\": \"849cfe70-5be7-11ee-b38b-0242ac110005\", \"type_id\": 0, \"account\": {\"name\": \"strict manufactured invest\", \"type\": \"AWS IAM User\", \"uid\": \"849d0500-5be7-11ee-97bd-0242ac110005\", \"type_id\": 3}, \"credential_uid\": \"849d08ca-5be7-11ee-bfe2-0242ac110005\"}, \"cmd_line\": \"challenges prompt cumulative\", \"container\": {\"name\": \"develop affiliates 
required\", \"size\": 2138922450, \"uid\": \"849d0e7e-5be7-11ee-a8e4-0242ac110005\", \"image\": {\"name\": \"charges fragrances complex\", \"uid\": \"849d1342-5be7-11ee-a4ca-0242ac110005\"}, \"hash\": {\"value\": \"6E73C76AD0B2D03EB35088BB834D7A1949E2174F0288EAC8066F5CC920923FEC2568825E7A9B3B3B871DC2AA82AD34DAC42A8E327CAD3D3E720D2ADD7C13CAB0\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, \"network_driver\": \"familiar movies legitimate\", \"pod_uuid\": \"legally\"}, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"namespace_pid\": 2, \"parent_process\": {\"name\": \"Eternal\", \"pid\": 76, \"file\": {\"attributes\": 44, \"name\": \"uzbekistan.jar\", \"type\": \"Block Device\", \"uid\": \"849d2170-5be7-11ee-a637-0242ac110005\", \"type_id\": 4, \"mime_type\": \"will/executed\", \"hashes\": [{\"value\": \"8A25185F3C5523EF3B08C1ECDD83016224863C95\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"6B9ED75DAE7A1E692073FC400B558EA4\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"xattributes\": {}}, \"user\": {\"name\": \"Manager\", \"type\": \"legs\", \"uid\": \"849d2c24-5be7-11ee-953d-0242ac110005\", \"type_id\": 99, \"email_addr\": \"Josefina@holders.museum\"}, \"uid\": \"849d308e-5be7-11ee-a5ad-0242ac110005\", \"cmd_line\": \"reporter techno regarded\", \"container\": {\"name\": \"cpu mission hacker\", \"runtime\": \"cables vanilla amendments\", \"size\": 1820268463, \"uid\": \"849d3caa-5be7-11ee-9fe6-0242ac110005\", \"image\": {\"uid\": \"849d468c-5be7-11ee-85e3-0242ac110005\", \"labels\": [\"responsibility\"]}, \"hash\": {\"value\": \"0895F371F264F7E3AA4A79B16A3C6EEAABE10BBF6A7DC2B7D8DD4F14B3C6F05D\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, \"orchestrator\": \"helpful pasta matthew\"}, \"namespace_pid\": 84, \"parent_process\": {\"name\": \"Music\", \"pid\": 28, \"file\": {\"name\": \"titanium.avi\", \"type\": \"Unknown\", \"path\": \"slideshow configurations lens/nations.flv/titanium.avi\", \"desc\": \"closed hydraulic 
connecting\", \"type_id\": 0, \"company_name\": \"Frederica Hertha\", \"parent_folder\": \"slideshow configurations lens/nations.flv\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"created_time\": 1695676041554, \"hashes\": [{\"value\": \"5C5069744142886E3127F2CCFE145C68A0B1A4DFA3BB504B858390D851E16A9F\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"xattributes\": {}, \"created_time_dt\": \"2023-09-25T21:07:21.554150Z\"}, \"user\": {\"name\": \"Be\", \"type\": \"types\", \"uid\": \"849d60a4-5be7-11ee-98cb-0242ac110005\", \"type_id\": 99}, \"uid\": \"849d64dc-5be7-11ee-b02a-0242ac110005\", \"container\": {\"size\": 1668291787, \"uid\": \"849d7cce-5be7-11ee-80f3-0242ac110005\", \"image\": {\"name\": \"curtis burns park\", \"uid\": \"849d83f4-5be7-11ee-8f40-0242ac110005\", \"labels\": [\"fix\"]}, \"hash\": {\"value\": \"308FD1FED7D34B9AFAB9224FF617D64E4CA9AC20FC59F1FB3B80AB2CBB1511245EC668E138B6C330D86E2B874BD66ED33E16E931B3D344A8365BE63CAB39562C\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"network_driver\": \"surely assistance actively\", \"pod_uuid\": \"gardening\"}, \"created_time\": 1695676041553, \"integrity\": \"System\", \"integrity_id\": 5, \"parent_process\": {\"name\": \"Surprise\", \"pid\": 50, \"file\": {\"name\": \"opening.vob\", \"type\": \"Local Socket\", \"path\": \"venezuela flyer seller/os.kml/opening.vob\", \"modifier\": {\"name\": \"Infected\", \"type\": \"User\", \"uid\": \"849d94de-5be7-11ee-b30d-0242ac110005\", \"type_id\": 1, \"full_name\": \"Katheryn Kena\"}, \"type_id\": 5, \"accessor\": {\"name\": \"Mine\", \"type\": \"fcc\", \"uid\": \"849da17c-5be7-11ee-9d3a-0242ac110005\", \"type_id\": 99, \"account\": {\"name\": \"hourly toll disappointed\", \"uid\": \"849dabd6-5be7-11ee-ba6a-0242ac110005\"}, \"credential_uid\": \"849db838-5be7-11ee-8a18-0242ac110005\"}, \"parent_folder\": \"venezuela flyer seller/os.kml\", \"hashes\": [{\"value\": \"599DCCE2998A6B40B1E38E8C6006CB0A\", \"algorithm\": \"MD5\", 
\"algorithm_id\": 1}, {\"value\": \"E3C48119D2F351FBEB28EABE137BB8D7969A9AA7CEBF71A153DA4670481EFAAB267B6B39C0EDBDDAF4DD1B9E9B5FF0B28D72E0A5FA27336A282A0FDBA4D0C9D4\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"modified_time\": 1695676041557, \"security_descriptor\": \"graham occupations become\"}, \"user\": {\"name\": \"Simulations\", \"type\": \"User\", \"uid\": \"849debb4-5be7-11ee-bfac-0242ac110005\", \"type_id\": 1, \"account\": {\"type\": \"Windows Account\", \"uid\": \"849df820-5be7-11ee-82f1-0242ac110005\", \"type_id\": 2}, \"credential_uid\": \"849dfc62-5be7-11ee-a9bc-0242ac110005\"}, \"cmd_line\": \"pursuant proceed discussed\", \"container\": {\"name\": \"insight style ca\", \"runtime\": \"williams ng xhtml\", \"size\": 220440282, \"uid\": \"849e031a-5be7-11ee-b55b-0242ac110005\", \"image\": {\"name\": \"bubble architects vancouver\", \"path\": \"hairy pixel time\", \"uid\": \"849e0ebe-5be7-11ee-8341-0242ac110005\"}, \"hash\": {\"value\": \"8876489CE00D6D9FDF61ED1C773F047E\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"created_time\": 1695676041558, \"lineage\": [\"bk destinations est\", \"whose playback congressional\"], \"namespace_pid\": 54, \"parent_process\": {\"name\": \"Courage\", \"pid\": 5, \"file\": {\"name\": \"filled.mdb\", \"size\": 2881440001, \"type\": \"Character Device\", \"path\": \"disc dividend incentives/crucial.wps/filled.mdb\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"infectious replication lock\", \"issuer\": \"worker attended mel\", \"fingerprints\": [{\"value\": \"372885B9675F31EF37D14F711A430940E777638ADCB2F77B36D079076E38606F\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1695676041558, \"expiration_time\": 1695676041554, \"serial_number\": \"durham graham course\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"modifier\": {\"name\": \"Constraints\", \"type\": \"Unknown\", \"domain\": \"informational advisory mg\", \"uid\": 
\"849e2a2a-5be7-11ee-82b2-0242ac110005\", \"type_id\": 0}, \"product\": {\"name\": \"michigan slight torture\", \"version\": \"1.0.0\", \"path\": \"costumes somewhat qui\", \"uid\": \"849e3088-5be7-11ee-8510-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"franchise portland experiment\"}, \"type_id\": 3, \"accessor\": {\"name\": \"Intl\", \"type\": \"Unknown\", \"uid\": \"849e39a2-5be7-11ee-b3b8-0242ac110005\", \"type_id\": 0, \"full_name\": \"Lorna Francisco\"}, \"parent_folder\": \"disc dividend incentives/crucial.wps\", \"hashes\": [{\"value\": \"9471ED19416B8099E51855CB0EF61AE3\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"modified_time\": 1695676041563}, \"user\": {\"name\": \"Motorcycle\", \"type\": \"Admin\", \"uid\": \"849e4a46-5be7-11ee-bc81-0242ac110005\", \"type_id\": 2}, \"cmd_line\": \"peer rail specialist\", \"container\": {\"name\": \"priority mirrors although\", \"runtime\": \"rock relation block\", \"size\": 2559819198, \"uid\": \"849e509a-5be7-11ee-ad75-0242ac110005\", \"image\": {\"name\": \"committed plastic does\", \"uid\": \"849e6972-5be7-11ee-b803-0242ac110005\"}, \"network_driver\": \"conduct linking lb\"}, \"created_time\": 1695676041434, \"lineage\": [\"desktop lakes moscow\", \"barrel touch increasing\"], \"namespace_pid\": 13, \"parent_process\": {\"name\": \"Harley\", \"pid\": 38, \"file\": {\"name\": \"metabolism.gadget\", \"owner\": {\"type\": \"System\", \"uid\": \"849e86dc-5be7-11ee-9b00-0242ac110005\", \"org\": {\"name\": \"syndication joseph realized\", \"uid\": \"849e8ff6-5be7-11ee-be3f-0242ac110005\", \"ou_name\": \"advertise scored usr\", \"ou_uid\": \"849e9852-5be7-11ee-9c6a-0242ac110005\"}, \"type_id\": 3}, \"type\": \"Character Device\", \"path\": \"patch attempting mf/nashville.dxf/metabolism.gadget\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"signals book follow\", \"issuer\": \"database verse prince\", \"fingerprints\": [{\"value\": 
\"6467C5C0EA62DB25016E724973C845BA50F0BBD72AE91F11E4CB5F3884CF1852EC05AA4B971CA59B372F8DC7B8E49562276E89C888FFDE3DD41BFC2E88336E98\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"80A346634E5CD09AAFC3C417ABCE0C6A156B40EBB910123FAC486DC6197D24EC4C575301A8CC06D58FBAEEAE6F40E42B6D84FDA6996E06EE2F68282EA73FDA93\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"created_time\": 1695676041504, \"expiration_time\": 1695676041569, \"serial_number\": \"termination vi limitation\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3}, \"type_id\": 3, \"creator\": {\"type\": \"Unknown\", \"uid\": \"849edfe2-5be7-11ee-97f0-0242ac110005\", \"type_id\": 0, \"account\": {\"name\": \"workers observer lonely\", \"type\": \"GCP Account\", \"uid\": \"849ef310-5be7-11ee-b8e1-0242ac110005\", \"type_id\": 5}, \"email_addr\": \"Myrta@of.cat\"}, \"parent_folder\": \"patch attempting mf/nashville.dxf\", \"hashes\": [{\"value\": \"5F8105C9976CE93253600A074BD373A5286734FB9650F503EF4AD611A9422D3554C34BD6C2672159C2F485A59C83965804D6F2532A8DADF2749DF74B1B089C10\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"C1E19A5C30DB36D9FEA3088EBBCF2E05B7F2E3B108DA82565EF183591D036A615456960CA1BF3DEDAEF8450140669F4E45A239D12DE570D5B2322AEADAE0EE7B\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"accessed_time_dt\": \"2023-09-25T21:07:21.564734Z\"}, \"user\": {\"name\": \"Referenced\", \"type\": \"Admin\", \"type_id\": 2, \"full_name\": \"Lyndsay Ricky\"}, \"uid\": \"849f00ee-5be7-11ee-954b-0242ac110005\", \"cmd_line\": \"institutes yes inputs\", \"container\": {\"name\": \"missed foreign palmer\", \"size\": 903476370, \"uid\": \"849f0878-5be7-11ee-b335-0242ac110005\", \"image\": {\"name\": \"belfast interests activation\", \"uid\": \"849f1dc2-5be7-11ee-b432-0242ac110005\"}, \"hash\": {\"value\": \"7CA5C1BF6D37F1E7389DB34F7617B7101F65DED1\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}}, \"created_time\": 1695676041565, \"namespace_pid\": 44, \"terminated_time\": 
1695676041566, \"xattributes\": {}, \"created_time_dt\": \"2023-09-25T21:07:21.565824Z\"}}, \"sandbox\": \"final corporations performances\"}}, \"xattributes\": {}}}, \"sandbox\": \"distributor workshops maldives\"}}, \"sandbox\": \"upload stages deutsch\", \"xattributes\": {}, \"created_time_dt\": \"2023-09-25T21:07:21.565886Z\", \"terminated_time_dt\": \"2023-09-25T21:07:21.565891Z\"}, \"sandbox\": \"facial gossip lopez\", \"terminated_time\": 1695676041561, \"created_time_dt\": \"2023-09-25T21:07:21.565904Z\", \"terminated_time_dt\": \"2023-09-25T21:07:21.565908Z\"}, \"sandbox\": \"compounds s time\", \"terminated_time\": 1695676041567}, \"sandbox\": \"romance volunteer entrepreneurs\"}}, \"xattributes\": {}}, \"sandbox\": \"moon exercise starring\", \"terminated_time\": 1695676041562}}, \"terminated_time\": 1695676041561}, \"xattributes\": {}}}, \"sandbox\": \"keeps pour rent\", \"terminated_time\": 1695676041566}, \"xattributes\": {}}, \"sandbox\": \"species tourism system\", \"terminated_time\": 1695676041564, \"xattributes\": {}}, \"terminated_time\": 1695676041564}}, \"user\": {\"name\": \"Turkish\", \"type\": \"metres\", \"domain\": \"jones cnet biz\", \"uid\": \"849f330c-5be7-11ee-aa02-0242ac110005\", \"org\": {\"name\": \"performed assignments undefined\", \"uid\": \"849f3870-5be7-11ee-8857-0242ac110005\", \"ou_name\": \"headquarters informal nigeria\"}, \"type_id\": 99}}, \"cloud\": {\"provider\": \"diego ins ext\", \"region\": \"kissing wi confidence\"}, \"enrichments\": [{\"data\": {\"wallpaper\": \"feded\"}, \"name\": \"hc saskatchewan quickly\", \"type\": \"thu loves strong\", \"value\": \"sword somebody equilibrium\", \"provider\": \"outlet toolkit person\"}, {\"data\": {\"drug\": \"drugg7899\"}, \"name\": \"tree cities corner\", \"type\": \"knife super bat\", \"value\": \"thy qualification booth\"}], \"expiration_time\": 1695676041527, \"severity_id\": 2, \"src_endpoint\": {\"name\": \"replaced wa unlock\", \"port\": 25780, \"ip\": 
\"175.16.199.1\", \"uid\": \"84972e82-5be7-11ee-8eac-0242ac110005\", \"hostname\": \"menu.travel\", \"instance_uid\": \"849732a6-5be7-11ee-bdb0-0242ac110005\", \"interface_name\": \"grown reflect expressed\", \"interface_uid\": \"84973670-5be7-11ee-8000-0242ac110005\", \"svc_name\": \"stanford leisure analyzed\"}}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"message\": \"kelkoo interactions constitute\", \"status\": \"patch emma midi\", \"time\": 1695676041549, \"file\": {\"name\": \"amend.sh\", \"type\": \"Unknown\", \"desc\": \"arabic suits fun\", \"type_id\": 0, \"accessor\": {\"name\": \"Uruguay\", \"type\": \"User\", \"uid\": \"849f49fa-5be7-11ee-bfe2-0242ac110005\", \"org\": {\"name\": \"lottery political own\", \"uid\": \"849f501c-5be7-11ee-ab6f-0242ac110005\", \"ou_name\": \"confirmed towards declined\", \"ou_uid\": \"849f540e-5be7-11ee-841c-0242ac110005\"}, \"type_id\": 1}, \"hashes\": [{\"value\": \"4C3280C17F9D982CCBAC882AE1F48DAD224DBA938BEE87BF18E31C76B0C3B88B\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"A7F0A2AD03BE8938C945F65DB1A395CE9E98D67F9EE8D4CA97D687FBB394B64FA0AEB15F5B1D82A2922B62320B77DBA842BBEDEE2B5E15D7A883665ADE3F7C2B\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time_dt\": \"2023-09-25T21:07:21.567190Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"describes static geological\", \"version\": \"1.0.0\", \"uid\": \"849714ce-5be7-11ee-981b-0242ac110005\", \"url_string\": \"avatar\", \"vendor_name\": \"highly got hook\"}, \"sequence\": 99, \"profiles\": [\"cloud\", \"container\", \"datetime\"], \"correlation_uid\": \"84971e10-5be7-11ee-b5e7-0242ac110005\", \"log_name\": \"proud iso ticket\", \"log_provider\": \"cb indexes boxing\", \"original_time\": \"tournaments leisure comedy\", \"modified_time_dt\": \"2023-09-25T21:07:21.513376Z\", \"processed_time_dt\": 
\"2023-09-25T21:07:21.513394Z\"}, \"start_time\": 1695676041445, \"severity\": \"Low\", \"type_name\": \"Network File Activity: Rename\", \"activity_id\": 5, \"type_uid\": 401005, \"observables\": [{\"name\": \"except visitor vbulletin\", \"type\": \"Uniform Resource Locator\", \"type_id\": 23}, {\"name\": \"hong rhode para\", \"type\": \"Process Name\", \"type_id\": 9}], \"category_name\": \"Network Activity\", \"class_uid\": 4010, \"category_uid\": 4, \"class_name\": \"Network File Activity\", \"timezone_offset\": 42, \"activity_name\": \"Rename\", \"actor\": {\"process\": {\"name\": \"Qualification\", \"pid\": 42, \"file\": {\"attributes\": 9, \"name\": \"citations.gpx\", \"type\": \"Character Device\", \"path\": \"telling saved challenge/wrapped.tga/citations.gpx\", \"type_id\": 3, \"parent_folder\": \"telling saved challenge/wrapped.tga\"}, \"user\": {\"name\": \"Aquatic\", \"type\": \"System\", \"uid\": \"84975f7e-5be7-11ee-bfad-0242ac110005\", \"type_id\": 3, \"account\": {\"name\": \"suspended cg sisters\", \"uid\": \"8497655a-5be7-11ee-ab52-0242ac110005\"}}, \"tid\": 17, \"uid\": \"849768e8-5be7-11ee-a428-0242ac110005\", \"cmd_line\": \"goals happen dad\", \"container\": {\"name\": \"ambien cloud eur\", \"size\": 2164055839, \"uid\": \"84977158-5be7-11ee-b042-0242ac110005\", \"image\": {\"name\": \"produced field obituaries\", \"path\": \"adaptive granny knew\", \"uid\": \"849779dc-5be7-11ee-8f66-0242ac110005\"}, \"network_driver\": \"cute desktops arrest\"}, \"created_time\": 1695676041514, \"namespace_pid\": 41, \"parent_process\": {\"file\": {\"name\": \"finance.3g2\", \"type\": \"wrap\", \"path\": \"attention matching forest/met.mpa/finance.3g2\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"mt minutes bids\", \"issuer\": \"shall systematic vatican\", \"fingerprints\": [{\"value\": \"B3305921648A755AA6C1E2C028691A6861EAE8922BAE5ACE52B76E01AD96DF87ECE4E22E06EDC6715A0CAE469323620A07CCC384FD40C69EBA60E8BBEE8EA805\", 
\"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"expiration_time\": 1695676041516, \"serial_number\": \"requirement sodium situated\", \"expiration_time_dt\": \"2023-09-25T21:07:21.516239Z\", \"created_time_dt\": \"2023-09-25T21:07:21.516247Z\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"desc\": \"surgeons settled advocacy\", \"type_id\": 99, \"creator\": {\"name\": \"Additionally\", \"type\": \"beat\", \"uid\": \"84979804-5be7-11ee-848b-0242ac110005\", \"type_id\": 99, \"full_name\": \"Kirstin Thersa\", \"credential_uid\": \"8497ab3c-5be7-11ee-8df1-0242ac110005\"}, \"parent_folder\": \"attention matching forest/met.mpa\", \"hashes\": [{\"value\": \"2675028478A31F71064C2D8CCA68C7FCA87605C294611E7C2294806CE87B596AD856077767F9D941E21BC5089906C5E6903FE622EE1FE19DB2E3FA8F1F1A8EE9\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"4D018BA6DBA4C03004FD6E10D1C02BD324F62DE46C5FE687431A2D4BF4335BB7\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"modified_time_dt\": \"2023-09-25T21:07:21.517084Z\"}, \"uid\": \"8497ba64-5be7-11ee-b3a6-0242ac110005\", \"session\": {\"uid\": \"8497c27a-5be7-11ee-8a34-0242ac110005\", \"issuer\": \"discussing capital ottawa\", \"created_time\": 1695676041516, \"credential_uid\": \"8497c716-5be7-11ee-bd7a-0242ac110005\"}, \"loaded_modules\": [\"/super/disclose/barnes/pg/california.png\", \"/ourselves/lynn/gpl/helped/narrow.tga\"], \"cmd_line\": \"bless addresses backgrounds\", \"container\": {\"name\": \"citizenship caribbean twisted\", \"size\": 2686118868, \"uid\": \"8497d15c-5be7-11ee-aa8b-0242ac110005\", \"image\": {\"name\": \"assistance grande an\", \"uid\": \"8497dec2-5be7-11ee-9c88-0242ac110005\"}, \"hash\": {\"value\": \"08759209B8F0A761FFF2B978AB8DAB0B6AE7B63C9AC9D3694BC0FED57BB2E27F5AAFB08486F656D6C6FE784F7DF07513FCB0975EC8B772EE000F56F793867A77\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}}, \"created_time\": 1695676041518, \"lineage\": [\"vhs mechanism dates\"], \"namespace_pid\": 97, 
\"parent_process\": {\"name\": \"Bid\", \"pid\": 26, \"file\": {\"name\": \"dame.svg\", \"type\": \"Regular File\", \"path\": \"wives pamela karl/articles.c/dame.svg\", \"modifier\": {\"name\": \"Complete\", \"type\": \"Unknown\", \"uid\": \"8497f38a-5be7-11ee-97c6-0242ac110005\", \"groups\": [{\"name\": \"winds seeking reply\", \"uid\": \"8497fde4-5be7-11ee-9733-0242ac110005\"}, {\"name\": \"hamburg roommate environment\", \"uid\": \"8498099c-5be7-11ee-ac6f-0242ac110005\"}], \"type_id\": 0}, \"type_id\": 1, \"parent_folder\": \"wives pamela karl/articles.c\", \"hashes\": [{\"value\": \"E7B2EBCA4F63795EBE380FFBEAB194BCF3E2EB5C74F10C6B8AAB95F4C0B8D7AC\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"AFD9AD7A88CFF487A60962E99C6219806726EB352DD1591D375AD3BB143C0DABBFBC6DBFFA5D99B3662AE82C9B7EED847E30B7EA516D2AD9DFF07D8775F8AE36\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"security_descriptor\": \"robinson queens graduate\", \"created_time_dt\": \"2023-09-25T21:07:21.519646Z\"}, \"user\": {\"name\": \"Shipment\", \"type\": \"Unknown\", \"uid\": \"84981f68-5be7-11ee-b652-0242ac110005\", \"type_id\": 0, \"uid_alt\": \"singh dim static\"}, \"uid\": \"849823d2-5be7-11ee-92d1-0242ac110005\", \"cmd_line\": \"harder interventions pb\", \"container\": {\"name\": \"kg sources houses\", \"runtime\": \"kate through furniture\", \"size\": 2387392206, \"uid\": \"849829cc-5be7-11ee-bb7a-0242ac110005\", \"hash\": {\"value\": \"6A9A10210588981DD8FAA6BE10E39F2C65E816FEFE4768884F7B0BB0A10CD9D6\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, \"pod_uuid\": \"kiss\"}, \"created_time\": 1695676041517, \"integrity\": \"they thermal eau\", \"lineage\": [\"attraction cord adjustment\", \"announcements summer introduce\"], \"namespace_pid\": 49, \"parent_process\": {\"name\": \"Jamie\", \"pid\": 28, \"file\": {\"name\": \"seq.wpd\", \"type\": \"Character Device\", \"path\": \"conflicts disability citysearch/ieee.dtd/seq.wpd\", \"modifier\": {\"name\": 
\"Officer\", \"type\": \"Admin\", \"uid\": \"84984362-5be7-11ee-af2c-0242ac110005\", \"type_id\": 2}, \"type_id\": 3, \"parent_folder\": \"conflicts disability citysearch/ieee.dtd\", \"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"created_time\": 1695676041520845, \"hashes\": [{\"value\": \"7D875B5EB312ADEF7D530DD6E43468170B094A5F54CA1AC26E7788A81A01238428E62D581423E70B05DA11F15513291EB10776B4E14DE1844072ACDF11BBDFD1\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"1100511F3469E3CDE7D081EC6E78154C8476D546F615EEEB37C4CDFBD41740440FC77660EE3A4B9C67DE81C63172A49F835656F85ED5E36A65A2A25E2A733358\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"name\": \"Knows\", \"type\": \"User\", \"domain\": \"sao uri flesh\", \"uid\": \"84984db2-5be7-11ee-ba4e-0242ac110005\", \"type_id\": 1}, \"uid\": \"8498530c-5be7-11ee-86f3-0242ac110005\", \"cmd_line\": \"creation defense carolina\", \"container\": {\"name\": \"hunt indicating radiation\", \"size\": 3179758248, \"tag\": \"reader prevention as\", \"uid\": \"84985df2-5be7-11ee-be06-0242ac110005\", \"hash\": {\"value\": \"666334EB7A1E55E189435FFF3F0CA7266F484FB44970AAFF3E72546D8B04B02ABB1A66B209CAFD44267701CA1392DF35B8EC3EECE0DC492D093880F2E4FF352C\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695676041527, \"namespace_pid\": 46, \"parent_process\": {\"name\": \"Arbor\", \"pid\": 20, \"file\": {\"name\": \"startup.3dm\", \"size\": 3504413585, \"type\": \"Named Pipe\", \"version\": \"1.0.0\", \"signature\": {\"certificate\": {\"subject\": \"shades bad tradition\", \"issuer\": \"previous price thing\", \"fingerprints\": [{\"value\": \"8E4DE5CC0D59311697B0D4061FDBFB4CB99E38121EA17CF740789A0CBC85B56703E1341C940E7A2220C02211CC84447A19061569BE42AC4A2C03010FB6CB1A75\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"205D64FF9B580AADBF4829EC41DD4EF0\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"created_time\": 1695676041522, \"expiration_time\": 
1695676041526, \"serial_number\": \"files the parish\", \"created_time_dt\": \"2023-09-25T21:07:21.521904Z\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"uid\": \"84987ae4-5be7-11ee-b247-0242ac110005\", \"type_id\": 6, \"created_time\": 1695676042262, \"hashes\": [{\"value\": \"60F202A3BE4EF214E24EA9D3555D194C\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"B0B2D200728B0DACE6CB6829F90EE31A9AD123FF1982012B003249D4F2C5351924E6DBBD1242EE722D4C5A0B80C983DC7B94DDD594FCFCEF4E63552956E2B26A\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"modified_time_dt\": \"2023-09-25T21:07:21.522441Z\"}, \"user\": {\"name\": \"Provided\", \"type\": \"Admin\", \"uid\": \"84988e80-5be7-11ee-bf3c-0242ac110005\", \"type_id\": 2, \"full_name\": \"Karoline Meggan\", \"email_addr\": \"Elza@girls.mil\"}, \"uid\": \"84989376-5be7-11ee-9216-0242ac110005\", \"cmd_line\": \"plan agents converter\", \"container\": {\"name\": \"thongs routine an\", \"size\": 2099983603, \"uid\": \"84989948-5be7-11ee-b4fb-0242ac110005\", \"image\": {\"name\": \"extending construction inkjet\", \"path\": \"empirical precipitation builder\", \"uid\": \"84989f42-5be7-11ee-8820-0242ac110005\", \"labels\": [\"golf\", \"nov\"]}, \"hash\": {\"value\": \"E7EFDA40B1C94805070CD9BF9638AE27\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"created_time\": 1695676041523226, \"integrity\": \"conspiracy unions allocated\", \"parent_process\": {\"name\": \"Processes\", \"pid\": 49, \"file\": {\"name\": \"considerations.jar\", \"type\": \"Local Socket\", \"path\": \"roger economy macro/mesh.gadget/considerations.jar\", \"type_id\": 5, \"accessor\": {\"name\": \"Wildlife\", \"type\": \"Admin\", \"uid\": \"8498c030-5be7-11ee-80d9-0242ac110005\", \"type_id\": 2, \"full_name\": \"Twyla Cherise\", \"email_addr\": \"Shin@cause.mobi\", \"uid_alt\": \"excellent far varied\"}, \"mime_type\": \"star/flyer\", \"parent_folder\": \"roger economy macro/mesh.gadget\", \"created_time\": 1695676041524, \"hashes\": 
[{\"value\": \"707CF5E50A11D69874235DED9A045B6AB42439F7495DED03049CB7E997949E8B014295A25059CD1A9F06BFE9E4101ED176615E69D43FE199E849DEC0BC4AEB4D\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"6F487B974BDB9DBDF014F50502D9F70BC2630E6C974E4C6E6AA2EB3BEC95A3BDCA7AE609DA34179E0677F042734A767ADA4F6CA04788916644262CDC60BC2FB2\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Hour\", \"type\": \"insert\", \"uid\": \"8498cd14-5be7-11ee-94d7-0242ac110005\", \"type_id\": 99, \"uid_alt\": \"organizations guild beds\"}, \"uid\": \"8498d430-5be7-11ee-b1bf-0242ac110005\", \"cmd_line\": \"sixth pc peoples\", \"container\": {\"name\": \"warrior document workflow\", \"size\": 2697694450, \"uid\": \"8498da2a-5be7-11ee-9d00-0242ac110005\", \"image\": {\"name\": \"version treating tall\", \"uid\": \"8498df20-5be7-11ee-8257-0242ac110005\"}, \"hash\": {\"value\": \"F4001D4FD76B73412DB0EFD2C66F0AB3C27D9FE9BD375B1659A1DDDA68C17DC1C0F5402A6AE571DC073E94F1B720821E4208595D5BB4B13D917A12CE3DA53C1E\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, \"pod_uuid\": \"sas\"}, \"created_time\": 1695676041523, \"integrity\": \"aviation blame tion\", \"namespace_pid\": 76, \"parent_process\": {\"name\": \"Job\", \"pid\": 86, \"file\": {\"name\": \"pic.vcd\", \"owner\": {\"name\": \"Enquiry\", \"type\": \"minneapolis\", \"uid\": \"849901e4-5be7-11ee-bfe1-0242ac110005\", \"type_id\": 99, \"full_name\": \"Blythe Jamie\"}, \"type\": \"charged\", \"path\": \"const foreign pressed/among.ged/pic.vcd\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"strap liz boulder\", \"issuer\": \"everybody brunei disciplinary\", \"fingerprints\": [{\"value\": \"9E41EB47ABD226D92CFE27DBDA0C924C190A1B0C0136B09923B419089B013DF14CB58C38F651F710540E348BF800DFE364197904B11FFFAD98BB2B10006B28E2\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"3DE877DDFB06DB510E63893D98DDAC9524696C14\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], 
\"created_time\": 1695676041526, \"expiration_time\": 1695676045872, \"serial_number\": \"approaches symbol assembly\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"developer_uid\": \"84991526-5be7-11ee-a2ca-0242ac110005\", \"created_time_dt\": \"2023-09-25T21:07:21.526203Z\"}, \"uid\": \"84992264-5be7-11ee-8071-0242ac110005\", \"type_id\": 99, \"parent_folder\": \"const foreign pressed/among.ged\", \"accessed_time\": 1695676041556, \"confidentiality\": \"suburban ati mostly\", \"hashes\": [{\"value\": \"00EF9DADDE482AF5432B0BFC5F69023736D4A0ECD59F74884C4B8AD83D21429B78023351C5DBD07407EAB2BFA527A0586016DE3C92F37913920E221F7D452802\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"is_system\": false, \"modified_time_dt\": \"2023-09-25T21:07:21.526727Z\", \"created_time_dt\": \"2023-09-25T21:07:21.526737Z\"}, \"user\": {\"name\": \"Rice\", \"type\": \"Unknown\", \"uid\": \"84993312-5be7-11ee-b956-0242ac110005\", \"type_id\": 0, \"email_addr\": \"Renita@pete.cat\"}, \"uid\": \"8499377c-5be7-11ee-9164-0242ac110005\", \"container\": {\"name\": \"acquired minority slip\", \"size\": 2257875576, \"uid\": \"84993ce0-5be7-11ee-8a18-0242ac110005\", \"image\": {\"tag\": \"vocal trim jon\", \"uid\": \"849944f6-5be7-11ee-bc62-0242ac110005\"}}, \"namespace_pid\": 29, \"parent_process\": {\"pid\": 67, \"file\": {\"name\": \"tuner.pdb\", \"type\": \"Named Pipe\", \"version\": \"1.0.0\", \"path\": \"architectural pink phil/overview.dtd/tuner.pdb\", \"type_id\": 6, \"parent_folder\": \"architectural pink phil/overview.dtd\", \"hashes\": [{\"value\": \"44CA9EA761C2131C73960AD47472741B13D305EE2D07FE91E8F1B47F4F062B8A16DD3611E4439E4C163A7CF42F1AE5989CF9683117DB801FD1BC222A16618E19\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"C25DDA249CDECE9D908CC33ADCD16AA05E20290F\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"xattributes\": {}}, \"user\": {\"name\": \"Fantastic\", \"type\": \"Admin\", \"uid\": \"84995d06-5be7-11ee-8223-0242ac110005\", 
\"org\": {\"name\": \"dryer asn trying\", \"uid\": \"849963aa-5be7-11ee-b57a-0242ac110005\", \"ou_name\": \"wr r gibraltar\"}, \"type_id\": 2}, \"uid\": \"84996800-5be7-11ee-8754-0242ac110005\", \"cmd_line\": \"brush bouquet alto\", \"container\": {\"name\": \"deutschland pic newcastle\", \"size\": 797071549, \"uid\": \"84996db4-5be7-11ee-bada-0242ac110005\", \"image\": {\"name\": \"adipex into polo\", \"uid\": \"849984fc-5be7-11ee-af4c-0242ac110005\"}, \"hash\": {\"value\": \"82B5F7770097973F2962C241C557369EC2D38E9A1BDA03176B9CA511F1CA56CF\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695676041528, \"lineage\": [\"familiar privilege canvas\"], \"namespace_pid\": 23, \"parent_process\": {\"name\": \"Cialis\", \"pid\": 21, \"file\": {\"attributes\": 83, \"name\": \"spirit.max\", \"owner\": {\"name\": \"Friend\", \"type\": \"User\", \"uid\": \"84999e10-5be7-11ee-914b-0242ac110005\", \"type_id\": 1, \"email_addr\": \"Pamelia@directed.com\"}, \"type\": \"Regular File\", \"version\": \"1.0.0\", \"path\": \"fish largest alberta/solutions.deskthemepack/spirit.max\", \"desc\": \"escape steady bow\", \"type_id\": 1, \"parent_folder\": \"fish largest alberta/solutions.deskthemepack\", \"hashes\": [{\"value\": \"718C92FD5ECC9B483CA9A76E309BD60F7DAD6035254FAD5EA9430568F36EB16D5532657DE90C3B3B41896C8A9B601BF1E1083D5BB299127118B535C347D13549\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"D13D53927A745D27511C298846343093D7E92D919905B6C22ABBF727AD18EF7E3B3850949F8CC772390749C8644B5CF6F8618FEF524E9589DB73F57FE128AA88\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}]}, \"user\": {\"name\": \"Apartments\", \"type\": \"ad\", \"uid\": \"8499b5da-5be7-11ee-b276-0242ac110005\", \"type_id\": 99, \"uid_alt\": \"serving turbo spy\"}, \"uid\": \"8499bc88-5be7-11ee-b028-0242ac110005\", \"session\": {\"uid\": \"8499ca0c-5be7-11ee-aae9-0242ac110005\", \"created_time\": 1695676041534, \"expiration_time\": 1695676041542, \"is_remote\": true}, 
\"cmd_line\": \"in blowing memorial\", \"container\": {\"name\": \"france sg charger\", \"size\": 1048383191, \"tag\": \"deserve focused select\", \"uid\": \"8499d164-5be7-11ee-a7e8-0242ac110005\", \"image\": {\"name\": \"robert through mailing\", \"tag\": \"struggle gerald weather\", \"uid\": \"8499d704-5be7-11ee-b617-0242ac110005\"}, \"hash\": {\"value\": \"6B2A589B76A482CD379A7FF8AF13EE0F9ABF937DE60010068FEC808F5B6B22521C2A28C7F48BC5C2EDC81EAE5E5812D95F5E0F3DF5685571E5DB36B146DB82EC\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, \"network_driver\": \"catch sun general\", \"orchestrator\": \"sf varieties queries\"}, \"created_time\": 1695676041539, \"integrity\": \"faculty hardcover generated\", \"namespace_pid\": 79, \"parent_process\": {\"name\": \"Devices\", \"pid\": 90, \"file\": {\"name\": \"premises.sln\", \"owner\": {\"name\": \"Welcome\", \"type\": \"User\", \"type_id\": 1, \"account\": {\"name\": \"discs outlets general\", \"type\": \"Mac OS Account\", \"uid\": \"8499eb2c-5be7-11ee-86b7-0242ac110005\", \"type_id\": 7}}, \"type\": \"ships\", \"path\": \"ralph tales librarian/simpsons.psd/premises.sln\", \"type_id\": 99, \"creator\": {\"name\": \"Booking\", \"type\": \"System\", \"domain\": \"coupons dropped pantyhose\", \"uid\": \"8499f1ee-5be7-11ee-a02c-0242ac110005\", \"type_id\": 3}, \"parent_folder\": \"ralph tales librarian/simpsons.psd\", \"hashes\": [{\"value\": \"F01EB1DD5E5D955CF3DA810E1FAABA4136E09F5EF69DA3753223183EF836741A617AAAEB52D8B014D900A4A11B94974298F7D3C4EAE57C107CF3A3230AD34188\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"modified_time_dt\": \"2023-09-25T21:07:21.531893Z\"}, \"user\": {\"name\": \"Immediate\", \"type\": \"Unknown\", \"uid\": \"849a06c0-5be7-11ee-acfe-0242ac110005\", \"org\": {\"name\": \"velvet days pubs\", \"ou_name\": \"brake craps campaign\"}, \"groups\": [{\"uid\": \"849a1124-5be7-11ee-9a8e-0242ac110005\", \"privileges\": [\"independent vegetables assisted\", \"refinance lee seating\"]}, {\"name\": \"div 
violence strange\", \"uid\": \"849a1674-5be7-11ee-aa3b-0242ac110005\"}], \"type_id\": 0}, \"uid\": \"849a1af2-5be7-11ee-82a9-0242ac110005\", \"cmd_line\": \"text ana range\", \"container\": {\"name\": \"own drawing acute\", \"size\": 1512724327, \"uid\": \"849a2420-5be7-11ee-94c5-0242ac110005\", \"image\": {\"name\": \"layers branch lucas\", \"tag\": \"nations chances trips\", \"uid\": \"849a32bc-5be7-11ee-86bb-0242ac110005\"}, \"hash\": {\"value\": \"79F7EED760813BF63DC0EE7F986F1CC6345DD170AB03CA1350684CB8720E3C67F9FCE3B075A22266EB0C66A1CDA2D3BD540E777D9A294433377B83DB6DE3D6DB\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695676041533, \"lineage\": [\"guru hosted bradley\"], \"namespace_pid\": 39, \"parent_process\": {\"name\": \"Bags\", \"file\": {\"attributes\": 22, \"name\": \"hunt.ppt\", \"type\": \"Local Socket\", \"type_id\": 5, \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"value\": \"6FD1E1613C3918067E01585E32D4AA461C485DF01C56BD5A294FD82B353B5EC64A7EBAED614D28451E3AECB3ACA75900593A20D8AE7F7A1E2CF9DD4F0496B9C4\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"B66E94D9133A6E41392C5AFCBF3F6EEB29E45C041350255AEE34ADD6C4E6BD15FF9060177954793B5D078A8802B4B1ADDD73BECACB7D5827D9A1CB9F96D5E153\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": false, \"modified_time_dt\": \"2023-09-25T21:07:21.533963Z\"}, \"user\": {\"name\": \"Sisters\", \"type\": \"rebound\", \"uid\": \"849a52ce-5be7-11ee-a468-0242ac110005\", \"type_id\": 99, \"full_name\": \"Elisa Cleora\"}, \"uid\": \"849a5d78-5be7-11ee-ac24-0242ac110005\", \"cmd_line\": \"merchandise initiatives accessibility\", \"container\": {\"name\": \"apartment drunk amateur\", \"size\": 3702557326, \"uid\": \"849a646c-5be7-11ee-90ce-0242ac110005\", \"image\": {\"name\": \"evaluating apartments disaster\", \"uid\": \"849a6a66-5be7-11ee-95e4-0242ac110005\"}, \"hash\": {\"value\": 
\"12FC9239ABF2C07159EBC92013171DA43175589170BD05B55220534634A9D1FEFC88B117A95FCE4FE3C5A5FEDB9DC4EB3F700C0386931C889F815E86BCD4B509\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}}, \"created_time\": 1695676041535, \"namespace_pid\": 29, \"parent_process\": {\"name\": \"Sen\", \"pid\": 13, \"file\": {\"attributes\": 35, \"name\": \"hardware.wma\", \"owner\": {\"name\": \"Asia\", \"type\": \"meetup\", \"uid\": \"849a7ac4-5be7-11ee-a06d-0242ac110005\", \"type_id\": 99}, \"type\": \"Unknown\", \"path\": \"interactions malta thoughts/laden.pdf/hardware.wma\", \"signature\": {\"digest\": {\"value\": \"3188206324B062751CE36D4251C19C94\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, \"algorithm\": \"Authenticode\", \"algorithm_id\": 4}, \"type_id\": 0, \"parent_folder\": \"interactions malta thoughts/laden.pdf\", \"hashes\": [{\"value\": \"6BD48B1E57856137037BFEE4DEC8D57F\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"user\": {\"name\": \"Round\", \"type\": \"System\", \"uid\": \"849a900e-5be7-11ee-9894-0242ac110005\", \"type_id\": 3, \"full_name\": \"Marisela Towanda\", \"account\": {\"name\": \"fragrances bulk specialty\", \"type\": \"LDAP Account\", \"uid\": \"849a9702-5be7-11ee-9f5d-0242ac110005\", \"type_id\": 1}, \"credential_uid\": \"849a9afe-5be7-11ee-b27a-0242ac110005\", \"email_addr\": \"Wava@promises.info\"}, \"uid\": \"849a9ed2-5be7-11ee-ae61-0242ac110005\", \"cmd_line\": \"recordings countries slides\", \"container\": {\"name\": \"distant modeling monaco\", \"runtime\": \"peace up sailing\", \"uid\": \"849aa490-5be7-11ee-bb98-0242ac110005\", \"image\": {\"name\": \"evanescence plans courts\", \"tag\": \"buy archives predict\", \"uid\": \"849aaa9e-5be7-11ee-a47a-0242ac110005\"}, \"hash\": {\"value\": \"383B6630E8241D34D54BFD689DECC0CAB88770D935667989A3A1DE8397F5520F\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695676041539, \"integrity\": \"bookings qc dictionaries\", \"lineage\": [\"lanka manufacture bra\", \"gibson 
implementation pope\"], \"namespace_pid\": 6, \"parent_process\": {\"name\": \"Impacts\", \"pid\": 86, \"file\": {\"name\": \"removal.obj\", \"type\": \"Named Pipe\", \"path\": \"jeff puts assignments/thing.msi/removal.obj\", \"type_id\": 6, \"parent_folder\": \"jeff puts assignments/thing.msi\", \"accessed_time\": 1695676041534, \"hashes\": [{\"value\": \"CE850E16E049A60B4B8F465DC00ADBFB7207CC76FD94F5EBC335F637B8052B77\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"bureau myspace barrel\"}, \"user\": {\"name\": \"Alliance\", \"type\": \"Admin\", \"domain\": \"statistical poland gregory\", \"uid\": \"849abe76-5be7-11ee-a5a1-0242ac110005\", \"org\": {\"name\": \"nyc kidney drawings\", \"uid\": \"849accae-5be7-11ee-af7b-0242ac110005\"}, \"groups\": [{\"name\": \"accessed thanks instructions\", \"desc\": \"luggage species belkin\", \"uid\": \"849ad5fa-5be7-11ee-a0e9-0242ac110005\", \"privileges\": [\"flashing aol autumn\"]}, {\"name\": \"cognitive times agent\", \"uid\": \"849ada50-5be7-11ee-824e-0242ac110005\", \"privileges\": [\"sodium believed housing\", \"incorporated jungle asian\"]}], \"type_id\": 2, \"full_name\": \"Paul Julian\"}, \"uid\": \"849adea6-5be7-11ee-aa53-0242ac110005\", \"cmd_line\": \"amount anywhere suffered\", \"container\": {\"name\": \"author channel disappointed\", \"size\": 191473515, \"uid\": \"849aff08-5be7-11ee-80bd-0242ac110005\", \"image\": {\"name\": \"cross tray influenced\", \"tag\": \"afternoon counseling governance\", \"uid\": \"849b1f7e-5be7-11ee-bb9d-0242ac110005\"}, \"hash\": {\"value\": \"B7F1BFFEB47BCFB30F891852F769572A9816784BF4A4073805850F9F969A5335CFC878CACC9E0F8A71B547F60832FE712A59A7DD7DBD6E94BB9D155309EB3581\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"network_driver\": \"slovakia friend username\"}, \"created_time\": 1695676041539630, \"namespace_pid\": 49, \"parent_process\": {\"name\": \"Sampling\", \"pid\": 71, \"file\": {\"attributes\": 78, \"name\": \"human.pdb\", 
\"type\": \"Symbolic Link\", \"path\": \"let dawn representing/surrounding.dwg/human.pdb\", \"product\": {\"name\": \"heavy payroll timothy\", \"version\": \"1.0.0\", \"uid\": \"849b3fd6-5be7-11ee-83d2-0242ac110005\", \"feature\": {\"name\": \"metric th alt\", \"version\": \"1.0.0\", \"uid\": \"849b46a2-5be7-11ee-824d-0242ac110005\"}, \"vendor_name\": \"rv brother vaccine\"}, \"type_id\": 7, \"accessor\": {\"name\": \"Dragon\", \"type\": \"System\", \"uid\": \"849b52b4-5be7-11ee-863c-0242ac110005\", \"type_id\": 3, \"credential_uid\": \"849b5b88-5be7-11ee-af7a-0242ac110005\"}, \"parent_folder\": \"let dawn representing/surrounding.dwg\", \"hashes\": [{\"value\": \"AABE45CE23939AE53AA3AF15C6123A6ED98FC106E4C7491B89A814D8EB040F3B9D5842B5A215D1D27ED1B4DC8DD3D3F0D50197DD105E37461661D98A23E0917C\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695676041541, \"modified_time_dt\": \"2023-09-25T21:07:21.541163Z\", \"created_time_dt\": \"2023-09-25T21:07:21.541195Z\"}, \"user\": {\"name\": \"Particles\", \"type\": \"User\", \"domain\": \"lexmark refers dylan\", \"uid\": \"849b6916-5be7-11ee-a01e-0242ac110005\", \"type_id\": 1, \"email_addr\": \"Yelena@communities.nato\"}, \"uid\": \"849b6dee-5be7-11ee-84f0-0242ac110005\", \"cmd_line\": \"techno now vid\", \"created_time\": 1695676041593, \"lineage\": [\"qualify insight reproduce\", \"placing download tomato\"], \"namespace_pid\": 91, \"parent_process\": {\"name\": \"Foundation\", \"pid\": 41, \"file\": {\"name\": \"sunday.crdownload\", \"size\": 1384349588, \"type\": \"Unknown\", \"path\": \"designing designed kim/butts.crx/sunday.crdownload\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"annually ic quest\", \"issuer\": \"cooperation worldcat southwest\", \"fingerprints\": [{\"value\": \"A1636B226D49D354EAD09345190417B47EC13762648D8C196823FB556456DD5A2ED39FDF2ADE536CF2D0AFA33A47F9404800085FE205A49A4DA6C280AF603AA9\", \"algorithm\": \"Unknown\", \"algorithm_id\": 
0}], \"created_time\": 1695676041542, \"expiration_time\": 1695676041577, \"serial_number\": \"distributed characters bin\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time_dt\": \"2023-09-25T21:07:21.542032Z\"}, \"product\": {\"name\": \"nights validity updated\", \"version\": \"1.0.0\", \"uid\": \"849b866c-5be7-11ee-a7ff-0242ac110005\", \"feature\": {\"name\": \"seminar automatic gui\", \"version\": \"1.0.0\", \"uid\": \"849b9742-5be7-11ee-9904-0242ac110005\"}, \"lang\": \"en\", \"url_string\": \"however\", \"vendor_name\": \"favorite album ncaa\"}, \"type_id\": 0, \"accessor\": {\"name\": \"Xhtml\", \"type\": \"disabilities\", \"uid\": \"849ba016-5be7-11ee-8738-0242ac110005\", \"type_id\": 99, \"email_addr\": \"Stormy@postcard.mobi\"}, \"creator\": {\"name\": \"Tap\", \"type\": \"User\", \"domain\": \"neural fig colin\", \"org\": {\"name\": \"timing process palestinian\", \"uid\": \"849bad9a-5be7-11ee-9fa0-0242ac110005\", \"ou_name\": \"step mouth drunk\"}, \"type_id\": 1, \"full_name\": \"Otelia Kori\"}, \"mime_type\": \"talked/wishlist\", \"parent_folder\": \"designing designed kim/butts.crx\", \"hashes\": [{\"value\": \"A5064ED27DDBDCBA4CBCADF1DB39DA3F2EEE6B58C7A1239C64CABA643C220D3F292A1DE7E239A9314ECD04E09E02E1289265DB1375370F0E2CB9844F235B40B9\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"is_system\": true, \"modified_time\": 1695676041546}, \"user\": {\"name\": \"Certain\", \"type\": \"Unknown\", \"uid\": \"849bb81c-5be7-11ee-bbec-0242ac110005\", \"groups\": [{\"name\": \"penn laundry woods\", \"type\": \"powerpoint jump hospitality\", \"desc\": \"twenty protection innovative\", \"uid\": \"849bbdee-5be7-11ee-95a2-0242ac110005\"}, {\"uid\": \"849bc780-5be7-11ee-9955-0242ac110005\"}], \"type_id\": 0, \"email_addr\": \"Reba@contemporary.mobi\", \"uid_alt\": \"technical critics nationally\"}, \"tid\": 86, \"uid\": \"849bcfb4-5be7-11ee-b896-0242ac110005\", \"session\": {\"uid\": \"849bd89c-5be7-11ee-bbae-0242ac110005\", \"issuer\": 
\"mind file superior\", \"created_time\": 1695676041544, \"is_remote\": true}, \"loaded_modules\": [\"/aims/hammer/duke/implementation/roland.jar\", \"/illustration/reads/adaptation/ppc/footage.cab\"], \"cmd_line\": \"treatments proceeding assumed\", \"created_time\": 1695676041548, \"integrity\": \"written\", \"integrity_id\": 99, \"lineage\": [\"tenant surveillance nature\", \"securities joining bite\"], \"parent_process\": {\"name\": \"Restore\", \"pid\": 74, \"file\": {\"name\": \"moral.kmz\", \"type\": \"Local Socket\", \"path\": \"suit who pics/arrange.torrent/moral.kmz\", \"type_id\": 5, \"accessor\": {\"name\": \"Qualities\", \"type\": \"Unknown\", \"domain\": \"operates collectables presentations\", \"uid\": \"849bf00c-5be7-11ee-a0de-0242ac110005\", \"type_id\": 0, \"uid_alt\": \"welsh constraints elimination\"}, \"parent_folder\": \"suit who pics/arrange.torrent\", \"accessed_time\": 1695676044937, \"created_time\": 1695676041545, \"hashes\": [{\"value\": \"BADBDA50632954800C02D40EB49D1BEF8E5A883D\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"22B65F9CC3DDECE17BC92C741314C0C01D6C398B477BCFE22CCB63F4975A066119C2A3F4E9BDC342383345BCEEA9046C0573AEA278C1EBD8E1578337B1640606\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": false}, \"cmd_line\": \"remain weird municipal\", \"container\": {\"name\": \"anthony serial medline\", \"size\": 2006500672, \"uid\": \"849c059c-5be7-11ee-b620-0242ac110005\", \"image\": {\"name\": \"titten live cvs\", \"uid\": \"849c105a-5be7-11ee-8337-0242ac110005\"}, \"hash\": {\"value\": \"53CB2A3DF41EA583C9DAD815CC228E623D600CA69DD3B138EBA03828A95C399AC2319E8C246FAF2EB345362B0931618009C8A5FF4C8E100C7B414107D51F849D\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695676041542, \"integrity\": \"High\", \"integrity_id\": 4, \"namespace_pid\": 8, \"parent_process\": {\"pid\": 20, \"file\": {\"attributes\": 79, \"name\": \"revolution.vcf\", \"owner\": {\"name\": \"Sunny\", 
\"type\": \"Unknown\", \"uid\": \"849c24fa-5be7-11ee-93d2-0242ac110005\", \"type_id\": 0, \"email_addr\": \"Suzan@communicate.coop\"}, \"type\": \"Folder\", \"version\": \"1.0.0\", \"path\": \"nintendo smilies thank/ought.vb/revolution.vcf\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"microwave marriott okay\", \"issuer\": \"foundation review shaft\", \"fingerprints\": [{\"value\": \"35C90137B6BD19F8D464173B9904DBFA60D62BFF8BCBCF99235987ACC2D4840DBA02F991522C533C211C54B3A1016A0A76AF0578E30D0190414926A1EA56FEB7\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1695676041548, \"expiration_time\": 1695676041514, \"serial_number\": \"windsor sponsor google\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3}, \"product\": {\"name\": \"pci invasion producers\", \"version\": \"1.0.0\", \"uid\": \"849c3e4a-5be7-11ee-80be-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"australian payments crm\"}, \"type_id\": 2, \"accessor\": {\"name\": \"Class\", \"type\": \"pie\", \"type_id\": 99, \"full_name\": \"Crysta Damaris\", \"account\": {\"name\": \"cards gratis necklace\", \"type\": \"Apple Account\", \"type_id\": 8}, \"uid_alt\": \"linux has luis\"}, \"company_name\": \"Mckenzie Ardith\", \"creator\": {\"type\": \"selected\", \"domain\": \"glass outlet lopez\", \"uid\": \"849c4b2e-5be7-11ee-9c0b-0242ac110005\", \"org\": {\"name\": \"reproductive balloon stanley\", \"uid\": \"849c5060-5be7-11ee-b740-0242ac110005\", \"ou_name\": \"pick rear governance\", \"ou_uid\": \"849c5470-5be7-11ee-b89d-0242ac110005\"}, \"groups\": [{\"name\": \"suspected contributor counting\", \"type\": \"vacations wines biological\", \"uid\": \"849c5ae2-5be7-11ee-97a7-0242ac110005\"}], \"type_id\": 99}, \"parent_folder\": \"nintendo smilies thank/ought.vb\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"hashes\": [{\"value\": 
\"1B8BF6AF4C4E0F5A64ED59860F5673F5762D1E214D4B3127BAC626D3811952EAF98972460DF098DEAB2B6D4FF02723546AEBA4108F2A03A20044552141A4447E\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"221C1DF278F5DBE8C04CCC89DB66A355ABA13C3F27B4E23A19D0E73C64E5E9A7951D5102BA2F416429122A6110C57ED22F7216EB73939FF0E7E4BDB574A90CC4\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"is_system\": false, \"security_descriptor\": \"recommended approve environment\"}, \"uid\": \"849c61f4-5be7-11ee-8006-0242ac110005\", \"cmd_line\": \"arrangements makes handy\", \"container\": {\"name\": \"yahoo plains basically\", \"uid\": \"849c6776-5be7-11ee-94b5-0242ac110005\", \"image\": {\"name\": \"capabilities huge hometown\", \"uid\": \"849c6d2a-5be7-11ee-a411-0242ac110005\", \"labels\": [\"mumbai\"]}, \"hash\": {\"value\": \"FC25F43E993A1FB725021E78097481FDD1FECA2EC91BF14AE34067FC31DBCD1005D4B0AFC4F050872672CC3EAB72236EADE80DFF4CCBB844F8ED0489F697D2F1\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695676041544, \"namespace_pid\": 13, \"parent_process\": {\"name\": \"Tell\", \"file\": {\"name\": \"world.jpg\", \"type\": \"Block Device\", \"path\": \"blend roommates closed/died.docx/world.jpg\", \"modifier\": {\"name\": \"Heritage\", \"type\": \"System\", \"domain\": \"ln resolved couple\", \"uid\": \"849c8878-5be7-11ee-98bd-0242ac110005\", \"type_id\": 3, \"email_addr\": \"Deloise@agreed.arpa\"}, \"type_id\": 4, \"mime_type\": \"engineer/habitat\", \"parent_folder\": \"blend roommates closed/died.docx\", \"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"hashes\": [{\"value\": \"3BC175E9CE56D1FC2D86AB6EA2EC56EB21930540B56A5B6E3840DFB64287ACAB\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"31588C71F04798D44E2202431AE7025AF3BC67EC8192E94F362A9B9121FB5AC23510026F8391A0A54234D8D0DB8D2DEBD112DEEF6AC598A11A194875191A4975\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"is_system\": true}, \"user\": {\"name\": \"Weather\", 
\"type\": \"Admin\", \"domain\": \"our installing clinical\", \"uid\": \"849ca4ca-5be7-11ee-b39c-0242ac110005\", \"org\": {\"name\": \"top riverside asthma\", \"uid\": \"849cb208-5be7-11ee-a4a6-0242ac110005\", \"ou_name\": \"stats dans soviet\"}, \"type_id\": 2, \"credential_uid\": \"849cc0f4-5be7-11ee-9c36-0242ac110005\"}, \"uid\": \"849cc522-5be7-11ee-aa87-0242ac110005\", \"session\": {\"uid\": \"849ccebe-5be7-11ee-a1ca-0242ac110005\", \"issuer\": \"volunteer meetings medline\", \"created_time\": 1695676041550, \"is_remote\": false, \"expiration_time_dt\": \"2023-09-25T21:07:21.550638Z\"}, \"loaded_modules\": [\"/rev/amazon/casino/june/fails.bin\", \"/credit/potential/lawsuit/clause/nine.bmp\"], \"cmd_line\": \"well absent shoe\", \"container\": {\"name\": \"hospitality walker vs\", \"size\": 1224758347, \"uid\": \"849cdd28-5be7-11ee-9250-0242ac110005\", \"image\": {\"name\": \"audio miracle leader\", \"uid\": \"849ce32c-5be7-11ee-b7a9-0242ac110005\"}, \"hash\": {\"value\": \"A813ED16B0B3E58FA959C0BA26A47058\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"created_time\": 1695676041555, \"lineage\": [\"achievement courage send\", \"expansion instructional agreements\"], \"namespace_pid\": 62, \"parent_process\": {\"name\": \"Airfare\", \"file\": {\"name\": \"flexible.vcxproj\", \"type\": \"Folder\", \"product\": {\"name\": \"external polar galaxy\", \"version\": \"1.0.0\", \"lang\": \"en\", \"vendor_name\": \"hack infection generator\"}, \"type_id\": 2, \"mime_type\": \"silicon/limousines\", \"confidentiality\": \"venue rl epa\", \"hashes\": [{\"value\": \"2347F66D3EE9CCBD7191F650BE1EF4F94E8B6ED61D543709A1A907FBC76BFC089577CB78BFA772DA65746573746C4AB26AF19E7A8E9DB821E3979ED04051B9BC\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"256D62122A8BA5E06B613EAD639B79BA7875995217AC6E2C854DBB610631D33C\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"modified_time\": 1695676041500, \"xattributes\": {}, \"created_time_dt\": 
\"2023-09-25T21:07:21.551631Z\"}, \"user\": {\"name\": \"Track\", \"type\": \"Unknown\", \"uid\": \"849cfe70-5be7-11ee-b38b-0242ac110005\", \"type_id\": 0, \"account\": {\"name\": \"strict manufactured invest\", \"type\": \"AWS IAM User\", \"uid\": \"849d0500-5be7-11ee-97bd-0242ac110005\", \"type_id\": 3}, \"credential_uid\": \"849d08ca-5be7-11ee-bfe2-0242ac110005\"}, \"cmd_line\": \"challenges prompt cumulative\", \"container\": {\"name\": \"develop affiliates required\", \"size\": 2138922450, \"uid\": \"849d0e7e-5be7-11ee-a8e4-0242ac110005\", \"image\": {\"name\": \"charges fragrances complex\", \"uid\": \"849d1342-5be7-11ee-a4ca-0242ac110005\"}, \"hash\": {\"value\": \"6E73C76AD0B2D03EB35088BB834D7A1949E2174F0288EAC8066F5CC920923FEC2568825E7A9B3B3B871DC2AA82AD34DAC42A8E327CAD3D3E720D2ADD7C13CAB0\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, \"network_driver\": \"familiar movies legitimate\", \"pod_uuid\": \"legally\"}, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"namespace_pid\": 2, \"parent_process\": {\"name\": \"Eternal\", \"pid\": 76, \"file\": {\"attributes\": 44, \"name\": \"uzbekistan.jar\", \"type\": \"Block Device\", \"uid\": \"849d2170-5be7-11ee-a637-0242ac110005\", \"type_id\": 4, \"mime_type\": \"will/executed\", \"hashes\": [{\"value\": \"8A25185F3C5523EF3B08C1ECDD83016224863C95\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"6B9ED75DAE7A1E692073FC400B558EA4\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"xattributes\": {}}, \"user\": {\"name\": \"Manager\", \"type\": \"legs\", \"uid\": \"849d2c24-5be7-11ee-953d-0242ac110005\", \"type_id\": 99, \"email_addr\": \"Josefina@holders.museum\"}, \"uid\": \"849d308e-5be7-11ee-a5ad-0242ac110005\", \"cmd_line\": \"reporter techno regarded\", \"container\": {\"name\": \"cpu mission hacker\", \"runtime\": \"cables vanilla amendments\", \"size\": 1820268463, \"uid\": \"849d3caa-5be7-11ee-9fe6-0242ac110005\", \"image\": {\"uid\": \"849d468c-5be7-11ee-85e3-0242ac110005\", 
\"labels\": [\"responsibility\"]}, \"hash\": {\"value\": \"0895F371F264F7E3AA4A79B16A3C6EEAABE10BBF6A7DC2B7D8DD4F14B3C6F05D\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, \"orchestrator\": \"helpful pasta matthew\"}, \"namespace_pid\": 84, \"parent_process\": {\"name\": \"Music\", \"pid\": 28, \"file\": {\"name\": \"titanium.avi\", \"type\": \"Unknown\", \"path\": \"slideshow configurations lens/nations.flv/titanium.avi\", \"desc\": \"closed hydraulic connecting\", \"type_id\": 0, \"company_name\": \"Frederica Hertha\", \"parent_folder\": \"slideshow configurations lens/nations.flv\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"created_time\": 1695676041554, \"hashes\": [{\"value\": \"5C5069744142886E3127F2CCFE145C68A0B1A4DFA3BB504B858390D851E16A9F\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"xattributes\": {}, \"created_time_dt\": \"2023-09-25T21:07:21.554150Z\"}, \"user\": {\"name\": \"Be\", \"type\": \"types\", \"uid\": \"849d60a4-5be7-11ee-98cb-0242ac110005\", \"type_id\": 99}, \"uid\": \"849d64dc-5be7-11ee-b02a-0242ac110005\", \"container\": {\"size\": 1668291787, \"uid\": \"849d7cce-5be7-11ee-80f3-0242ac110005\", \"image\": {\"name\": \"curtis burns park\", \"uid\": \"849d83f4-5be7-11ee-8f40-0242ac110005\", \"labels\": [\"fix\"]}, \"hash\": {\"value\": \"308FD1FED7D34B9AFAB9224FF617D64E4CA9AC20FC59F1FB3B80AB2CBB1511245EC668E138B6C330D86E2B874BD66ED33E16E931B3D344A8365BE63CAB39562C\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"network_driver\": \"surely assistance actively\", \"pod_uuid\": \"gardening\"}, \"created_time\": 1695676041553, \"integrity\": \"System\", \"integrity_id\": 5, \"parent_process\": {\"name\": \"Surprise\", \"pid\": 50, \"file\": {\"name\": \"opening.vob\", \"type\": \"Local Socket\", \"path\": \"venezuela flyer seller/os.kml/opening.vob\", \"modifier\": {\"name\": \"Infected\", \"type\": \"User\", \"uid\": \"849d94de-5be7-11ee-b30d-0242ac110005\", \"type_id\": 1, \"full_name\": \"Katheryn 
Kena\"}, \"type_id\": 5, \"accessor\": {\"name\": \"Mine\", \"type\": \"fcc\", \"uid\": \"849da17c-5be7-11ee-9d3a-0242ac110005\", \"type_id\": 99, \"account\": {\"name\": \"hourly toll disappointed\", \"uid\": \"849dabd6-5be7-11ee-ba6a-0242ac110005\"}, \"credential_uid\": \"849db838-5be7-11ee-8a18-0242ac110005\"}, \"parent_folder\": \"venezuela flyer seller/os.kml\", \"hashes\": [{\"value\": \"599DCCE2998A6B40B1E38E8C6006CB0A\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"E3C48119D2F351FBEB28EABE137BB8D7969A9AA7CEBF71A153DA4670481EFAAB267B6B39C0EDBDDAF4DD1B9E9B5FF0B28D72E0A5FA27336A282A0FDBA4D0C9D4\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"modified_time\": 1695676041557, \"security_descriptor\": \"graham occupations become\"}, \"user\": {\"name\": \"Simulations\", \"type\": \"User\", \"uid\": \"849debb4-5be7-11ee-bfac-0242ac110005\", \"type_id\": 1, \"account\": {\"type\": \"Windows Account\", \"uid\": \"849df820-5be7-11ee-82f1-0242ac110005\", \"type_id\": 2}, \"credential_uid\": \"849dfc62-5be7-11ee-a9bc-0242ac110005\"}, \"cmd_line\": \"pursuant proceed discussed\", \"container\": {\"name\": \"insight style ca\", \"runtime\": \"williams ng xhtml\", \"size\": 220440282, \"uid\": \"849e031a-5be7-11ee-b55b-0242ac110005\", \"image\": {\"name\": \"bubble architects vancouver\", \"path\": \"hairy pixel time\", \"uid\": \"849e0ebe-5be7-11ee-8341-0242ac110005\"}, \"hash\": {\"value\": \"8876489CE00D6D9FDF61ED1C773F047E\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"created_time\": 1695676041558, \"lineage\": [\"bk destinations est\", \"whose playback congressional\"], \"namespace_pid\": 54, \"parent_process\": {\"name\": \"Courage\", \"pid\": 5, \"file\": {\"name\": \"filled.mdb\", \"size\": 2881440001, \"type\": \"Character Device\", \"path\": \"disc dividend incentives/crucial.wps/filled.mdb\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"infectious replication lock\", \"issuer\": \"worker attended mel\", 
\"fingerprints\": [{\"value\": \"372885B9675F31EF37D14F711A430940E777638ADCB2F77B36D079076E38606F\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1695676041558, \"expiration_time\": 1695676041554, \"serial_number\": \"durham graham course\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"modifier\": {\"name\": \"Constraints\", \"type\": \"Unknown\", \"domain\": \"informational advisory mg\", \"uid\": \"849e2a2a-5be7-11ee-82b2-0242ac110005\", \"type_id\": 0}, \"product\": {\"name\": \"michigan slight torture\", \"version\": \"1.0.0\", \"path\": \"costumes somewhat qui\", \"uid\": \"849e3088-5be7-11ee-8510-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"franchise portland experiment\"}, \"type_id\": 3, \"accessor\": {\"name\": \"Intl\", \"type\": \"Unknown\", \"uid\": \"849e39a2-5be7-11ee-b3b8-0242ac110005\", \"type_id\": 0, \"full_name\": \"Lorna Francisco\"}, \"parent_folder\": \"disc dividend incentives/crucial.wps\", \"hashes\": [{\"value\": \"9471ED19416B8099E51855CB0EF61AE3\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"modified_time\": 1695676041563}, \"user\": {\"name\": \"Motorcycle\", \"type\": \"Admin\", \"uid\": \"849e4a46-5be7-11ee-bc81-0242ac110005\", \"type_id\": 2}, \"cmd_line\": \"peer rail specialist\", \"container\": {\"name\": \"priority mirrors although\", \"runtime\": \"rock relation block\", \"size\": 2559819198, \"uid\": \"849e509a-5be7-11ee-ad75-0242ac110005\", \"image\": {\"name\": \"committed plastic does\", \"uid\": \"849e6972-5be7-11ee-b803-0242ac110005\"}, \"network_driver\": \"conduct linking lb\"}, \"created_time\": 1695676041434, \"lineage\": [\"desktop lakes moscow\", \"barrel touch increasing\"], \"namespace_pid\": 13, \"parent_process\": {\"name\": \"Harley\", \"pid\": 38, \"file\": {\"name\": \"metabolism.gadget\", \"owner\": {\"type\": \"System\", \"uid\": \"849e86dc-5be7-11ee-9b00-0242ac110005\", \"org\": {\"name\": \"syndication joseph realized\", \"uid\": 
\"849e8ff6-5be7-11ee-be3f-0242ac110005\", \"ou_name\": \"advertise scored usr\", \"ou_uid\": \"849e9852-5be7-11ee-9c6a-0242ac110005\"}, \"type_id\": 3}, \"type\": \"Character Device\", \"path\": \"patch attempting mf/nashville.dxf/metabolism.gadget\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"signals book follow\", \"issuer\": \"database verse prince\", \"fingerprints\": [{\"value\": \"6467C5C0EA62DB25016E724973C845BA50F0BBD72AE91F11E4CB5F3884CF1852EC05AA4B971CA59B372F8DC7B8E49562276E89C888FFDE3DD41BFC2E88336E98\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"80A346634E5CD09AAFC3C417ABCE0C6A156B40EBB910123FAC486DC6197D24EC4C575301A8CC06D58FBAEEAE6F40E42B6D84FDA6996E06EE2F68282EA73FDA93\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"created_time\": 1695676041504, \"expiration_time\": 1695676041569, \"serial_number\": \"termination vi limitation\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3}, \"type_id\": 3, \"creator\": {\"type\": \"Unknown\", \"uid\": \"849edfe2-5be7-11ee-97f0-0242ac110005\", \"type_id\": 0, \"account\": {\"name\": \"workers observer lonely\", \"type\": \"GCP Account\", \"uid\": \"849ef310-5be7-11ee-b8e1-0242ac110005\", \"type_id\": 5}, \"email_addr\": \"Myrta@of.cat\"}, \"parent_folder\": \"patch attempting mf/nashville.dxf\", \"hashes\": [{\"value\": \"5F8105C9976CE93253600A074BD373A5286734FB9650F503EF4AD611A9422D3554C34BD6C2672159C2F485A59C83965804D6F2532A8DADF2749DF74B1B089C10\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"C1E19A5C30DB36D9FEA3088EBBCF2E05B7F2E3B108DA82565EF183591D036A615456960CA1BF3DEDAEF8450140669F4E45A239D12DE570D5B2322AEADAE0EE7B\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"accessed_time_dt\": \"2023-09-25T21:07:21.564734Z\"}, \"user\": {\"name\": \"Referenced\", \"type\": \"Admin\", \"type_id\": 2, \"full_name\": \"Lyndsay Ricky\"}, \"uid\": \"849f00ee-5be7-11ee-954b-0242ac110005\", \"cmd_line\": \"institutes yes inputs\", 
\"container\": {\"name\": \"missed foreign palmer\", \"size\": 903476370, \"uid\": \"849f0878-5be7-11ee-b335-0242ac110005\", \"image\": {\"name\": \"belfast interests activation\", \"uid\": \"849f1dc2-5be7-11ee-b432-0242ac110005\"}, \"hash\": {\"value\": \"7CA5C1BF6D37F1E7389DB34F7617B7101F65DED1\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}}, \"created_time\": 1695676041565, \"namespace_pid\": 44, \"terminated_time\": 1695676041566, \"xattributes\": {}, \"created_time_dt\": \"2023-09-25T21:07:21.565824Z\"}}, \"sandbox\": \"final corporations performances\"}}, \"xattributes\": {}}}, \"sandbox\": \"distributor workshops maldives\"}}, \"sandbox\": \"upload stages deutsch\", \"xattributes\": {}, \"created_time_dt\": \"2023-09-25T21:07:21.565886Z\", \"terminated_time_dt\": \"2023-09-25T21:07:21.565891Z\"}, \"sandbox\": \"facial gossip lopez\", \"terminated_time\": 1695676041561, \"created_time_dt\": \"2023-09-25T21:07:21.565904Z\", \"terminated_time_dt\": \"2023-09-25T21:07:21.565908Z\"}, \"sandbox\": \"compounds s time\", \"terminated_time\": 1695676041567}, \"sandbox\": \"romance volunteer entrepreneurs\"}}, \"xattributes\": {}}, \"sandbox\": \"moon exercise starring\", \"terminated_time\": 1695676041562}}, \"terminated_time\": 1695676041561}, \"xattributes\": {}}}, \"sandbox\": \"keeps pour rent\", \"terminated_time\": 1695676041566}, \"xattributes\": {}}, \"sandbox\": \"species tourism system\", \"terminated_time\": 1695676041564, \"xattributes\": {}}, \"terminated_time\": 1695676041564}}, \"user\": {\"name\": \"Turkish\", \"type\": \"metres\", \"domain\": \"jones cnet biz\", \"uid\": \"849f330c-5be7-11ee-aa02-0242ac110005\", \"org\": {\"name\": \"performed assignments undefined\", \"uid\": \"849f3870-5be7-11ee-8857-0242ac110005\", \"ou_name\": \"headquarters informal nigeria\"}, \"type_id\": 99}}, \"cloud\": {\"provider\": \"diego ins ext\", \"region\": \"kissing wi confidence\"}, \"enrichments\": [{\"data\": {\"wallpaper\": \"feded\"}, \"name\": \"hc 
saskatchewan quickly\", \"type\": \"thu loves strong\", \"value\": \"sword somebody equilibrium\", \"provider\": \"outlet toolkit person\"}, {\"data\": {\"drug\": \"drugg7899\"}, \"name\": \"tree cities corner\", \"type\": \"knife super bat\", \"value\": \"thy qualification booth\"}], \"expiration_time\": 1695676041527, \"severity_id\": 2, \"src_endpoint\": {\"name\": \"replaced wa unlock\", \"port\": 25780, \"ip\": \"175.16.199.1\", \"uid\": \"84972e82-5be7-11ee-8eac-0242ac110005\", \"hostname\": \"menu.travel\", \"instance_uid\": \"849732a6-5be7-11ee-bdb0-0242ac110005\", \"interface_name\": \"grown reflect expressed\", \"interface_uid\": \"84973670-5be7-11ee-8000-0242ac110005\", \"svc_name\": \"stanford leisure analyzed\"}}", - "event": { - "action": "rename", - "category": [ - "file", - "network" - ], - "kind": "event", - "provider": "cb indexes boxing", - "sequence": 99, - "severity": 2, - "start": "2023-09-25T21:07:21.445000Z", - "type": [ - "change", - "info" - ] - }, - "@timestamp": "2023-09-25T21:07:21.549000Z", - "cloud": { - "provider": "diego ins ext", - "region": "kissing wi confidence" - }, - "container": { - "id": "84977158-5be7-11ee-b042-0242ac110005", - "image": { - "name": "produced field obituaries" - }, - "name": "ambien cloud eur" - }, - "email": { - "attachments": { - "file": { - "name": "amend.sh" - } - } - }, - "file": { - "directory": "telling saved challenge/wrapped.tga", - "hash": { - "sha256": "4C3280C17F9D982CCBAC882AE1F48DAD224DBA938BEE87BF18E31C76B0C3B88B" - }, - "mtime": "2023-09-25T21:07:21.567190Z", - "name": "amend.sh", - "path": "telling saved challenge/wrapped.tga/citations.gpx", - "type": "Unknown" - }, - "network": { - "application": "stanford leisure analyzed" - }, - "ocsf": { - "activity_id": 5, - "activity_name": "Rename", - "class_name": "Network File Activity", - "class_uid": 4010 - }, - "process": { - "command_line": "goals happen dad", - "entity_id": "849768e8-5be7-11ee-a428-0242ac110005", - "name": "Qualification", - 
"parent": { - "command_line": "bless addresses backgrounds", - "end": "2023-09-25T21:07:21.564000Z", - "entity_id": "8497ba64-5be7-11ee-b3a6-0242ac110005", - "start": "2023-09-25T21:07:21.518000Z" - }, - "pid": 42, - "start": "2023-09-25T21:07:21.514000Z", - "thread": { - "id": 17 - }, - "user": { - "group": { - "id": [], - "name": [] - }, - "id": [ - "84975f7e-5be7-11ee-bfad-0242ac110005" - ], - "name": "Aquatic" - } - }, - "related": { - "hash": [ - "4C3280C17F9D982CCBAC882AE1F48DAD224DBA938BEE87BF18E31C76B0C3B88B" - ], - "hosts": [ - "menu.travel" - ], - "ip": [ - "175.16.199.1" - ], - "user": [ - "Turkish" - ] - }, - "source": { - "address": "menu.travel", - "domain": "menu.travel", - "ip": "175.16.199.1", - "port": 25780, - "registered_domain": "menu.travel", - "top_level_domain": "travel" - }, - "user": { - "domain": "jones cnet biz", - "group": { - "id": [], - "name": [] - }, - "id": "849f330c-5be7-11ee-aa02-0242ac110005", - "name": "Turkish" - } - } -} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_11.json b/OCSF/ocsf/tests/test_network_activity_11.json deleted file mode 100644 index 1b76f9663..000000000 --- a/OCSF/ocsf/tests/test_network_activity_11.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "input": { - "message": "{\"message\": \"distances authorization packed\", \"status\": \"annually\", \"time\": 1695676084572, \"file\": {\"name\": \"revenge.ged\", \"size\": 123, \"type\": \"Block Device\", \"path\": \"pensions lightning push/congress.icns/revenge.ged\", \"type_id\": 4, \"parent_folder\": \"pensions lightning push/congress.icns\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"hashes\": [{\"value\": \"55F23C756971F835627DAD00E0FEAF38D62993462CA63631FDF93D0E8130CDFF\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"modified_time\": 1695676084549, \"security_descriptor\": \"procedure amsterdam belarus\", \"accessed_time_dt\": \"2023-09-25T21:08:04.549340Z\"}, \"device\": {\"name\": \"walter qt hitting\", \"type\": \"Tablet\", \"ip\": \"67.43.156.0\", \"uid\": \"9e3dbfa4-5be7-11ee-8f05-0242ac110005\", \"hostname\": \"rule.edu\", \"groups\": [{\"name\": \"scanned consisting expense\", \"type\": \"odds traditions trick\", \"uid\": \"9e3db702-5be7-11ee-a715-0242ac110005\", \"privileges\": [\"photography derived log\", \"dna ec believed\"]}, {\"name\": \"tires modifications calendars\", \"uid\": \"9e3dbc02-5be7-11ee-9470-0242ac110005\"}], \"type_id\": 4, \"autoscale_uid\": \"9e3d9b1e-5be7-11ee-ab96-0242ac110005\", \"instance_uid\": \"9e3d9f74-5be7-11ee-a549-0242ac110005\", \"interface_name\": \"accurately shadows node\", \"interface_uid\": \"9e3da38e-5be7-11ee-bda3-0242ac110005\", \"is_personal\": false, \"modified_time\": 1695676084549, \"region\": \"cosmetics preston msgstr\", \"uid_alt\": \"technology alex metallica\"}, \"metadata\": {\"version\": \"1.0.0\", \"extension\": {\"name\": \"editor nerve offset\", \"version\": \"1.0.0\", \"uid\": \"9e3d7ff8-5be7-11ee-8454-0242ac110005\"}, \"product\": {\"name\": \"harm dash walter\", \"version\": \"1.0.0\", \"path\": \"contributors rest worried\", \"uid\": \"9e3d893a-5be7-11ee-9bf6-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"acre shut suzuki\"}, 
\"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_version\": \"flow tribunal aging\", \"original_time\": \"consistently sauce duke\", \"processed_time_dt\": \"2023-09-25T21:08:04.547033Z\"}, \"severity\": \"Critical\", \"disposition\": \"Blocked\", \"type_name\": \"Email File Activity: Send\", \"activity_id\": 1, \"disposition_id\": 2, \"type_uid\": 401101, \"category_name\": \"Network Activity\", \"class_uid\": 4011, \"category_uid\": 4, \"class_name\": \"Email File Activity\", \"timezone_offset\": 0, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"CMSTP\", \"uid\": \"T1191\"}}], \"activity_name\": \"Send\", \"cloud\": {\"account\": {\"type\": \"AWS Account\", \"uid\": \"9e3d6a4a-5be7-11ee-9095-0242ac110005\", \"type_id\": 10}, \"provider\": \"antique camp pin\"}, \"email_uid\": \"9e3d9088-5be7-11ee-b651-0242ac110005\", \"enrichments\": [{\"data\": {\"meat\": \"meattt\"}, \"name\": \"another polyester collectors\", \"type\": \"gen cap beauty\", \"value\": \"recipes generating stored\", \"provider\": \"companion fy mat\"}, {\"data\": {\"meatd\": \"meattt\"}, \"name\": \"brandon fraser seed\", \"type\": \"grove bradley ddr\", \"value\": \"written thumbnail looksmart\", \"provider\": \"hearings gossip shadows\"}], \"severity_id\": 5, \"status_id\": 99}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"message\": \"distances authorization packed\", \"status\": \"annually\", \"time\": 1695676084572, \"file\": {\"name\": \"revenge.ged\", \"size\": 123, \"type\": \"Block Device\", \"path\": \"pensions lightning push/congress.icns/revenge.ged\", \"type_id\": 4, \"parent_folder\": \"pensions lightning push/congress.icns\", \"confidentiality\": \"Top Secret\", 
\"confidentiality_id\": 4, \"hashes\": [{\"value\": \"55F23C756971F835627DAD00E0FEAF38D62993462CA63631FDF93D0E8130CDFF\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"modified_time\": 1695676084549, \"security_descriptor\": \"procedure amsterdam belarus\", \"accessed_time_dt\": \"2023-09-25T21:08:04.549340Z\"}, \"device\": {\"name\": \"walter qt hitting\", \"type\": \"Tablet\", \"ip\": \"67.43.156.0\", \"uid\": \"9e3dbfa4-5be7-11ee-8f05-0242ac110005\", \"hostname\": \"rule.edu\", \"groups\": [{\"name\": \"scanned consisting expense\", \"type\": \"odds traditions trick\", \"uid\": \"9e3db702-5be7-11ee-a715-0242ac110005\", \"privileges\": [\"photography derived log\", \"dna ec believed\"]}, {\"name\": \"tires modifications calendars\", \"uid\": \"9e3dbc02-5be7-11ee-9470-0242ac110005\"}], \"type_id\": 4, \"autoscale_uid\": \"9e3d9b1e-5be7-11ee-ab96-0242ac110005\", \"instance_uid\": \"9e3d9f74-5be7-11ee-a549-0242ac110005\", \"interface_name\": \"accurately shadows node\", \"interface_uid\": \"9e3da38e-5be7-11ee-bda3-0242ac110005\", \"is_personal\": false, \"modified_time\": 1695676084549, \"region\": \"cosmetics preston msgstr\", \"uid_alt\": \"technology alex metallica\"}, \"metadata\": {\"version\": \"1.0.0\", \"extension\": {\"name\": \"editor nerve offset\", \"version\": \"1.0.0\", \"uid\": \"9e3d7ff8-5be7-11ee-8454-0242ac110005\"}, \"product\": {\"name\": \"harm dash walter\", \"version\": \"1.0.0\", \"path\": \"contributors rest worried\", \"uid\": \"9e3d893a-5be7-11ee-9bf6-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"acre shut suzuki\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_version\": \"flow tribunal aging\", \"original_time\": \"consistently sauce duke\", \"processed_time_dt\": \"2023-09-25T21:08:04.547033Z\"}, \"severity\": \"Critical\", \"disposition\": \"Blocked\", \"type_name\": \"Email File Activity: Send\", \"activity_id\": 1, \"disposition_id\": 2, \"type_uid\": 401101, 
\"category_name\": \"Network Activity\", \"class_uid\": 4011, \"category_uid\": 4, \"class_name\": \"Email File Activity\", \"timezone_offset\": 0, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"CMSTP\", \"uid\": \"T1191\"}}], \"activity_name\": \"Send\", \"cloud\": {\"account\": {\"type\": \"AWS Account\", \"uid\": \"9e3d6a4a-5be7-11ee-9095-0242ac110005\", \"type_id\": 10}, \"provider\": \"antique camp pin\"}, \"email_uid\": \"9e3d9088-5be7-11ee-b651-0242ac110005\", \"enrichments\": [{\"data\": {\"meat\": \"meattt\"}, \"name\": \"another polyester collectors\", \"type\": \"gen cap beauty\", \"value\": \"recipes generating stored\", \"provider\": \"companion fy mat\"}, {\"data\": {\"meatd\": \"meattt\"}, \"name\": \"brandon fraser seed\", \"type\": \"grove bradley ddr\", \"value\": \"written thumbnail looksmart\", \"provider\": \"hearings gossip shadows\"}], \"severity_id\": 5, \"status_id\": 99}", - "event": { - "action": "send", - "category": [ - "email", - "file" - ], - "kind": "event", - "severity": 5, - "type": [ - "info" - ] - }, - "@timestamp": "2023-09-25T21:08:04.572000Z", - "cloud": { - "account": { - "id": "9e3d6a4a-5be7-11ee-9095-0242ac110005" - }, - "provider": "antique camp pin" - }, - "email": { - "attachments": { - "file": { - "name": "revenge.ged", - "size": 123 - } - }, - "local_id": "9e3d9088-5be7-11ee-b651-0242ac110005" - }, - "file": { - "accessed": "2023-09-25T21:08:04.549340Z", - "directory": "pensions lightning push/congress.icns", - "mtime": "2023-09-25T21:08:04.549000Z", - "name": "revenge.ged", - "path": "pensions lightning push/congress.icns/revenge.ged", - "size": 123, - "type": "Block Device" - }, - "host": { - "hostname": "rule.edu", - "id": "9e3dbfa4-5be7-11ee-8f05-0242ac110005", - "ip": [ - "67.43.156.0" - ], - "name": "rule.edu", - "type": "Tablet" - }, - "ocsf": { - "activity_id": 
1, - "activity_name": "Send", - "class_name": "Email File Activity", - "class_uid": 4011 - }, - "related": { - "hosts": [ - "rule.edu" - ], - "ip": [ - "67.43.156.0" - ] - }, - "threat": { - "technique": { - "id": [ - "T1191" - ], - "name": [ - "CMSTP" - ] - } - } - } -} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_12.json b/OCSF/ocsf/tests/test_network_activity_12.json deleted file mode 100644 index 734887981..000000000 --- a/OCSF/ocsf/tests/test_network_activity_12.json +++ /dev/null 
@@ -1,72 +0,0 @@ -{ - "input": { - "message": "{\"count\": 43, \"message\": \"carb fujitsu spots\", \"status\": \"Success\", \"time\": 1695676101376, \"device\": {\"name\": \"experiments old guides\", \"type\": \"Virtual\", \"ip\": \"67.43.156.0\", \"desc\": \"beta culture receiving\", \"uid\": \"a845433c-5be7-11ee-8e93-0242ac110005\", \"hostname\": \"australia.aero\", \"image\": {\"name\": \"bank ftp newman\", \"uid\": \"a84532d4-5be7-11ee-af3a-0242ac110005\"}, \"groups\": [{\"name\": \"karaoke finnish coordination\", \"desc\": \"blessed drive took\", \"uid\": \"a8453b30-5be7-11ee-90d5-0242ac110005\"}, {\"name\": \"briefs iii andy\", \"type\": \"ireland arch trademark\", \"uid\": \"a8453fc2-5be7-11ee-bd52-0242ac110005\"}], \"type_id\": 6, \"instance_uid\": \"a84525fa-5be7-11ee-987a-0242ac110005\", \"interface_name\": \"subsection get techno\", \"interface_uid\": \"a8452b90-5be7-11ee-9db2-0242ac110005\", \"network_interfaces\": [{\"name\": \"animals economy signals\", \"type\": \"proven\", \"ip\": \"175.16.199.1\", \"hostname\": \"personalized.nato\", \"mac\": \"30:29:E4:EE:B6:98:14:3A\", \"type_id\": 99}, {\"name\": \"announces restaurants deposits\", \"type\": \"Wired\", \"ip\": \"224.61.168.94\", \"hostname\": \"mitchell.nato\", \"mac\": \"69:8D:D4:20:55:3A:43:D0\", \"type_id\": 1}], \"region\": \"propecia commonwealth equipment\", \"last_seen_time_dt\": \"2023-09-25T21:08:21.374251Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"erotica ladies hero\", \"version\": \"1.0.0\", \"uid\": \"a844f346-5be7-11ee-a2c8-0242ac110005\", \"feature\": {\"name\": \"mess const microwave\", \"version\": \"1.0.0\", \"uid\": \"a8450084-5be7-11ee-93f7-0242ac110005\"}, \"lang\": \"en\", \"url_string\": \"washer\", \"vendor_name\": \"feelings tide perry\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"cleaners villa historic\", \"log_provider\": \"immediately accused charlie\", \"logged_time\": 
1695676101375, \"original_time\": \"medline prospect ict\"}, \"severity\": \"electrical\", \"url\": {\"port\": 23624, \"scheme\": \"yoga thesaurus regardless\", \"path\": \"flows affiliation global\", \"hostname\": \"sage.mil\", \"query_string\": \"mattress betting covers\", \"category_ids\": [49, 54], \"url_string\": \"vocal\"}, \"duration\": 2, \"disposition\": \"Delayed\", \"type_name\": \"Email URL Activity: Receive\", \"activity_id\": 2, \"disposition_id\": 14, \"type_uid\": 401202, \"category_name\": \"Network Activity\", \"class_uid\": 4012, \"category_uid\": 4, \"class_name\": \"Email URL Activity\", \"timezone_offset\": 34, \"activity_name\": \"Receive\", \"cloud\": {\"account\": {\"name\": \"bubble prototype interstate\", \"type\": \"Azure AD Account\", \"uid\": \"a844c1f0-5be7-11ee-83dc-0242ac110005\", \"type_id\": 6}, \"provider\": \"indicated electro washer\", \"region\": \"crucial mysimon exit\"}, \"email_uid\": \"a8450be2-5be7-11ee-bf7c-0242ac110005\", \"severity_id\": 99, \"status_detail\": \"released oxygen reasonable\", \"status_id\": 1}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"count\": 43, \"message\": \"carb fujitsu spots\", \"status\": \"Success\", \"time\": 1695676101376, \"device\": {\"name\": \"experiments old guides\", \"type\": \"Virtual\", \"ip\": \"67.43.156.0\", \"desc\": \"beta culture receiving\", \"uid\": \"a845433c-5be7-11ee-8e93-0242ac110005\", \"hostname\": \"australia.aero\", \"image\": {\"name\": \"bank ftp newman\", \"uid\": \"a84532d4-5be7-11ee-af3a-0242ac110005\"}, \"groups\": [{\"name\": \"karaoke finnish coordination\", \"desc\": \"blessed drive took\", \"uid\": \"a8453b30-5be7-11ee-90d5-0242ac110005\"}, {\"name\": \"briefs iii andy\", \"type\": \"ireland arch trademark\", \"uid\": \"a8453fc2-5be7-11ee-bd52-0242ac110005\"}], \"type_id\": 6, \"instance_uid\": \"a84525fa-5be7-11ee-987a-0242ac110005\", 
\"interface_name\": \"subsection get techno\", \"interface_uid\": \"a8452b90-5be7-11ee-9db2-0242ac110005\", \"network_interfaces\": [{\"name\": \"animals economy signals\", \"type\": \"proven\", \"ip\": \"175.16.199.1\", \"hostname\": \"personalized.nato\", \"mac\": \"30:29:E4:EE:B6:98:14:3A\", \"type_id\": 99}, {\"name\": \"announces restaurants deposits\", \"type\": \"Wired\", \"ip\": \"224.61.168.94\", \"hostname\": \"mitchell.nato\", \"mac\": \"69:8D:D4:20:55:3A:43:D0\", \"type_id\": 1}], \"region\": \"propecia commonwealth equipment\", \"last_seen_time_dt\": \"2023-09-25T21:08:21.374251Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"erotica ladies hero\", \"version\": \"1.0.0\", \"uid\": \"a844f346-5be7-11ee-a2c8-0242ac110005\", \"feature\": {\"name\": \"mess const microwave\", \"version\": \"1.0.0\", \"uid\": \"a8450084-5be7-11ee-93f7-0242ac110005\"}, \"lang\": \"en\", \"url_string\": \"washer\", \"vendor_name\": \"feelings tide perry\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"cleaners villa historic\", \"log_provider\": \"immediately accused charlie\", \"logged_time\": 1695676101375, \"original_time\": \"medline prospect ict\"}, \"severity\": \"electrical\", \"url\": {\"port\": 23624, \"scheme\": \"yoga thesaurus regardless\", \"path\": \"flows affiliation global\", \"hostname\": \"sage.mil\", \"query_string\": \"mattress betting covers\", \"category_ids\": [49, 54], \"url_string\": \"vocal\"}, \"duration\": 2, \"disposition\": \"Delayed\", \"type_name\": \"Email URL Activity: Receive\", \"activity_id\": 2, \"disposition_id\": 14, \"type_uid\": 401202, \"category_name\": \"Network Activity\", \"class_uid\": 4012, \"category_uid\": 4, \"class_name\": \"Email URL Activity\", \"timezone_offset\": 34, \"activity_name\": \"Receive\", \"cloud\": {\"account\": {\"name\": \"bubble prototype interstate\", \"type\": \"Azure AD Account\", \"uid\": 
\"a844c1f0-5be7-11ee-83dc-0242ac110005\", \"type_id\": 6}, \"provider\": \"indicated electro washer\", \"region\": \"crucial mysimon exit\"}, \"email_uid\": \"a8450be2-5be7-11ee-bf7c-0242ac110005\", \"severity_id\": 99, \"status_detail\": \"released oxygen reasonable\", \"status_id\": 1}", - "event": { - "action": "receive", - "category": [ - "email" - ], - "duration": 2000000, - "kind": "event", - "outcome": "success", - "provider": "immediately accused charlie", - "severity": 99, - "type": [ - "info" - ] - }, - "@timestamp": "2023-09-25T21:08:21.376000Z", - "cloud": { - "account": { - "id": "a844c1f0-5be7-11ee-83dc-0242ac110005", - "name": "bubble prototype interstate" - }, - "provider": "indicated electro washer", - "region": "crucial mysimon exit" - }, - "email": { - "local_id": "a8450be2-5be7-11ee-bf7c-0242ac110005" - }, - "host": { - "hostname": "australia.aero", - "id": "a845433c-5be7-11ee-8e93-0242ac110005", - "ip": [ - "67.43.156.0" - ], - "name": "australia.aero", - "type": "Virtual" - }, - "ocsf": { - "activity_id": 2, - "activity_name": "Receive", - "class_name": "Email URL Activity", - "class_uid": 4012 - }, - "related": { - "hosts": [ - "australia.aero", - "sage.mil" - ], - "ip": [ - "67.43.156.0" - ] - }, - "url": { - "domain": "sage.mil", - "original": "vocal", - "path": "flows affiliation global", - "port": 23624, - "query": "mattress betting covers", - "scheme": "yoga thesaurus regardless" - } - } -} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_2.json b/OCSF/ocsf/tests/test_network_activity_2.json index db8576005..aefba6a98 100644 --- a/OCSF/ocsf/tests/test_network_activity_2.json +++ b/OCSF/ocsf/tests/test_network_activity_2.json 
@@ -1,116 +1,61 @@ { "input": { - "message": "{\"http_response\": {\"code\": 83}, \"http_request\": {\"version\": \"1.0.0\", \"uid\": \"29eee308-5be7-11ee-baad-0242ac110005\", \"url\": {\"port\": 17689, \"scheme\": \"gary bibliography font\", \"path\": \"proposed opposed vegas\", \"hostname\": \"collected.org\", \"query_string\": \"additions linux furthermore\", \"categories\": [\"ratios amount prevent\", \"rpg beauty base\"], \"category_ids\": [109], \"resource_type\": \"tours entering camping\", \"subdomain\": \"katrina je pieces\", \"url_string\": \"illinois\"}, \"user_agent\": \"cheese heading anyway\", \"http_headers\": [{\"name\": \"using closed scientists\", \"value\": \"y montana command\"}, {\"name\": \"mileage wheels temple\", \"value\": \"where relate sheet\"}], \"http_method\": \"POST\", \"x_forwarded_for\": [\"175.16.199.1\"]}, \"message\": \"lt trusted genes\", \"status\": \"Success\", \"time\": 1695675889417, \"device\": {\"name\": \"calcium saudi allows\", \"type\": \"Virtual\", \"domain\": \"barbara advantages levitra\", \"ip\": \"175.16.199.1\", \"location\": {\"desc\": \"Lesotho, Kingdom of\", \"city\": \"Suspension associations\", \"country\": \"LS\", \"coordinates\": [-67.6681, -46.1461], \"continent\": \"Africa\"}, \"uid\": \"29eed912-5be7-11ee-a07b-0242ac110005\", \"hostname\": \"scanners.nato\", \"image\": {\"name\": \"cover hearts magazine\", \"path\": \"ts recording cooling\", \"uid\": \"29eece90-5be7-11ee-8106-0242ac110005\", \"labels\": [\"meaningful\"]}, \"type_id\": 6, \"hw_info\": {\"bios_ver\": \"1.4.4\", \"chassis\": \"pubs remarks desktops\"}, \"instance_uid\": \"29eeb9b4-5be7-11ee-9f8e-0242ac110005\", \"interface_name\": \"hall td flash\", \"interface_uid\": \"29eebe78-5be7-11ee-bef3-0242ac110005\", \"is_compliant\": true, \"is_personal\": false, \"region\": \"coverage financing sympathy\", \"risk_level\": \"improving jvc directors\", \"risk_score\": 9, \"subnet_uid\": \"29eea79e-5be7-11ee-9005-0242ac110005\", \"created_time_dt\": 
\"2023-09-25T21:04:49.414353Z\", \"last_seen_time_dt\": \"2023-09-25T21:04:49.414926Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"helena crystal initiative\", \"version\": \"1.0.0\", \"uid\": \"29ee731e-5be7-11ee-9b80-0242ac110005\", \"lang\": \"en\", \"url_string\": \"bedding\", \"vendor_name\": \"infectious instrumentation malaysia\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"directors clinton zone\", \"log_provider\": \"myrtle watts management\", \"logged_time\": 1695675889413, \"original_time\": \"mix carrying provides\", \"processed_time\": 1695675889453}, \"proxy\": {\"name\": \"exec cholesterol fossil\", \"port\": 24281, \"ip\": \"67.43.156.0\", \"uid\": \"29ef1436-5be7-11ee-aebf-0242ac110005\", \"hostname\": \"excel.info\", \"instance_uid\": \"29ef1a80-5be7-11ee-b25a-0242ac110005\", \"interface_name\": \"ipaq brazil justify\", \"interface_uid\": \"29ef1e7c-5be7-11ee-9f23-0242ac110005\", \"svc_name\": \"boys participant drove\"}, \"connection_info\": {\"direction\": \"andreas\", \"direction_id\": 99, \"protocol_num\": 67, \"protocol_ver\": \"1.4\"}, \"severity\": \"uw\", \"duration\": 80, \"disposition\": \"Quarantined\", \"type_name\": \"HTTP Activity: Connect\", \"activity_id\": 1, \"disposition_id\": 3, \"type_uid\": 400201, \"category_name\": \"Network Activity\", \"class_uid\": 4002, \"category_uid\": 4, \"class_name\": \"HTTP Activity\", \"timezone_offset\": 78, \"activity_name\": \"Connect\", \"cloud\": {\"provider\": \"reflect alarm my\", \"region\": \"chrome during bs\"}, \"dst_endpoint\": {\"name\": \"accounts an verzeichnis\", \"port\": 15440, \"uid\": \"29ee8048-5be7-11ee-b29d-0242ac110005\", \"instance_uid\": \"29ee849e-5be7-11ee-af0f-0242ac110005\", \"interface_name\": \"probability pins and\", \"interface_uid\": \"29ee88b8-5be7-11ee-ae4f-0242ac110005\", \"svc_name\": \"sim lucas entries\"}, \"end_time\": 1695675889419, \"http_status\": 51, \"malware\": 
[{\"name\": \"exception scholarship accessed\", \"path\": \"victim reductions pursue\", \"classification_ids\": [9, 11], \"provider\": \"computed oxygen viewer\"}], \"severity_id\": 99, \"src_endpoint\": {\"name\": \"exercise identified exciting\", \"port\": 14669, \"ip\": \"67.43.156.0\", \"uid\": \"29eef9ba-5be7-11ee-8245-0242ac110005\", \"hostname\": \"side.pro\", \"instance_uid\": \"29eeff46-5be7-11ee-9978-0242ac110005\", \"interface_name\": \"jc mistress announced\", \"subnet_uid\": \"29ef0446-5be7-11ee-9887-0242ac110005\", \"svc_name\": \"street truly arise\", \"vlan_uid\": \"29ef0900-5be7-11ee-937e-0242ac110005\"}, \"status_id\": 1, \"end_time_dt\": \"2023-09-25T21:04:49.412301Z\"}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } + "message": "{\"action\": \"Denied\", \"action_id\": 2, \"activity_id\": 5, \"activity_name\": \"Refuse\", \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Network Activity\", \"class_uid\": 4001, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\", \"zone\": \"use1-az1\"}, \"connection_info\": {\"boundary\": \"-\", \"boundary_id\": 99, \"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 6, \"protocol_ver\": \"IPv4\", \"tcp_flags\": 2}, \"disposition\": \"Blocked\", \"dst_endpoint\": {\"instance_uid\": \"i-000000000000000000\", \"interface_uid\": \"eni-000000000000000000\", \"ip\": \"172.31.2.52\", \"port\": 39938, \"subnet_uid\": \"subnet-000000000000000000\", \"svc_name\": \"-\", \"vpc_uid\": \"vpc-00000000\"}, \"end_time_dt\": \"2022-04-11T20:03:08.000-04:00\", \"metadata\": {\"product\": {\"feature\": {\"name\": \"Flowlogs\"}, \"name\": \"Amazon VPC\", \"vendor_name\": \"AWS\", \"version\": \"5\"}, \"profiles\": [\"cloud\", \"security_control\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"dst_endpoint.ip\", \"type\": \"IP Address\", 
\"type_id\": 2, \"value\": \"172.31.2.52\"}, {\"name\": \"dst_endpoint.instance_uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"i-000000000000000000\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"1.2.3.4\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"1.2.3.4\", \"port\": 56858, \"svc_name\": \"-\"}, \"start_time_dt\": \"2022-04-11T20:02:12.000-04:00\", \"status_code\": \"OK\", \"time\": 1649721732000, \"time_dt\": \"2022-04-11T20:02:12.000-04:00\", \"traffic\": {\"bytes\": 40, \"packets\": 1}, \"type_name\": \"Network Activity: Refuse\", \"type_uid\": 400105, \"unmapped\": {\"sublocation_id\": \"-\", \"sublocation_type\": \"-\"}}" }, "expected": { - "message": "{\"http_response\": {\"code\": 83}, \"http_request\": {\"version\": \"1.0.0\", \"uid\": \"29eee308-5be7-11ee-baad-0242ac110005\", \"url\": {\"port\": 17689, \"scheme\": \"gary bibliography font\", \"path\": \"proposed opposed vegas\", \"hostname\": \"collected.org\", \"query_string\": \"additions linux furthermore\", \"categories\": [\"ratios amount prevent\", \"rpg beauty base\"], \"category_ids\": [109], \"resource_type\": \"tours entering camping\", \"subdomain\": \"katrina je pieces\", \"url_string\": \"illinois\"}, \"user_agent\": \"cheese heading anyway\", \"http_headers\": [{\"name\": \"using closed scientists\", \"value\": \"y montana command\"}, {\"name\": \"mileage wheels temple\", \"value\": \"where relate sheet\"}], \"http_method\": \"POST\", \"x_forwarded_for\": [\"175.16.199.1\"]}, \"message\": \"lt trusted genes\", \"status\": \"Success\", \"time\": 1695675889417, \"device\": {\"name\": \"calcium saudi allows\", \"type\": \"Virtual\", \"domain\": \"barbara advantages levitra\", \"ip\": \"175.16.199.1\", \"location\": {\"desc\": \"Lesotho, Kingdom of\", \"city\": \"Suspension associations\", \"country\": \"LS\", \"coordinates\": [-67.6681, -46.1461], \"continent\": \"Africa\"}, \"uid\": 
\"29eed912-5be7-11ee-a07b-0242ac110005\", \"hostname\": \"scanners.nato\", \"image\": {\"name\": \"cover hearts magazine\", \"path\": \"ts recording cooling\", \"uid\": \"29eece90-5be7-11ee-8106-0242ac110005\", \"labels\": [\"meaningful\"]}, \"type_id\": 6, \"hw_info\": {\"bios_ver\": \"1.4.4\", \"chassis\": \"pubs remarks desktops\"}, \"instance_uid\": \"29eeb9b4-5be7-11ee-9f8e-0242ac110005\", \"interface_name\": \"hall td flash\", \"interface_uid\": \"29eebe78-5be7-11ee-bef3-0242ac110005\", \"is_compliant\": true, \"is_personal\": false, \"region\": \"coverage financing sympathy\", \"risk_level\": \"improving jvc directors\", \"risk_score\": 9, \"subnet_uid\": \"29eea79e-5be7-11ee-9005-0242ac110005\", \"created_time_dt\": \"2023-09-25T21:04:49.414353Z\", \"last_seen_time_dt\": \"2023-09-25T21:04:49.414926Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"helena crystal initiative\", \"version\": \"1.0.0\", \"uid\": \"29ee731e-5be7-11ee-9b80-0242ac110005\", \"lang\": \"en\", \"url_string\": \"bedding\", \"vendor_name\": \"infectious instrumentation malaysia\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"directors clinton zone\", \"log_provider\": \"myrtle watts management\", \"logged_time\": 1695675889413, \"original_time\": \"mix carrying provides\", \"processed_time\": 1695675889453}, \"proxy\": {\"name\": \"exec cholesterol fossil\", \"port\": 24281, \"ip\": \"67.43.156.0\", \"uid\": \"29ef1436-5be7-11ee-aebf-0242ac110005\", \"hostname\": \"excel.info\", \"instance_uid\": \"29ef1a80-5be7-11ee-b25a-0242ac110005\", \"interface_name\": \"ipaq brazil justify\", \"interface_uid\": \"29ef1e7c-5be7-11ee-9f23-0242ac110005\", \"svc_name\": \"boys participant drove\"}, \"connection_info\": {\"direction\": \"andreas\", \"direction_id\": 99, \"protocol_num\": 67, \"protocol_ver\": \"1.4\"}, \"severity\": \"uw\", \"duration\": 80, \"disposition\": \"Quarantined\", \"type_name\": \"HTTP 
Activity: Connect\", \"activity_id\": 1, \"disposition_id\": 3, \"type_uid\": 400201, \"category_name\": \"Network Activity\", \"class_uid\": 4002, \"category_uid\": 4, \"class_name\": \"HTTP Activity\", \"timezone_offset\": 78, \"activity_name\": \"Connect\", \"cloud\": {\"provider\": \"reflect alarm my\", \"region\": \"chrome during bs\"}, \"dst_endpoint\": {\"name\": \"accounts an verzeichnis\", \"port\": 15440, \"uid\": \"29ee8048-5be7-11ee-b29d-0242ac110005\", \"instance_uid\": \"29ee849e-5be7-11ee-af0f-0242ac110005\", \"interface_name\": \"probability pins and\", \"interface_uid\": \"29ee88b8-5be7-11ee-ae4f-0242ac110005\", \"svc_name\": \"sim lucas entries\"}, \"end_time\": 1695675889419, \"http_status\": 51, \"malware\": [{\"name\": \"exception scholarship accessed\", \"path\": \"victim reductions pursue\", \"classification_ids\": [9, 11], \"provider\": \"computed oxygen viewer\"}], \"severity_id\": 99, \"src_endpoint\": {\"name\": \"exercise identified exciting\", \"port\": 14669, \"ip\": \"67.43.156.0\", \"uid\": \"29eef9ba-5be7-11ee-8245-0242ac110005\", \"hostname\": \"side.pro\", \"instance_uid\": \"29eeff46-5be7-11ee-9978-0242ac110005\", \"interface_name\": \"jc mistress announced\", \"subnet_uid\": \"29ef0446-5be7-11ee-9887-0242ac110005\", \"svc_name\": \"street truly arise\", \"vlan_uid\": \"29ef0900-5be7-11ee-937e-0242ac110005\"}, \"status_id\": 1, \"end_time_dt\": \"2023-09-25T21:04:49.412301Z\"}", + "message": "{\"action\": \"Denied\", \"action_id\": 2, \"activity_id\": 5, \"activity_name\": \"Refuse\", \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Network Activity\", \"class_uid\": 4001, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\", \"zone\": \"use1-az1\"}, \"connection_info\": {\"boundary\": \"-\", \"boundary_id\": 99, \"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 6, \"protocol_ver\": \"IPv4\", \"tcp_flags\": 2}, \"disposition\": 
\"Blocked\", \"dst_endpoint\": {\"instance_uid\": \"i-000000000000000000\", \"interface_uid\": \"eni-000000000000000000\", \"ip\": \"172.31.2.52\", \"port\": 39938, \"subnet_uid\": \"subnet-000000000000000000\", \"svc_name\": \"-\", \"vpc_uid\": \"vpc-00000000\"}, \"end_time_dt\": \"2022-04-11T20:03:08.000-04:00\", \"metadata\": {\"product\": {\"feature\": {\"name\": \"Flowlogs\"}, \"name\": \"Amazon VPC\", \"vendor_name\": \"AWS\", \"version\": \"5\"}, \"profiles\": [\"cloud\", \"security_control\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"dst_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"172.31.2.52\"}, {\"name\": \"dst_endpoint.instance_uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"i-000000000000000000\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"1.2.3.4\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"1.2.3.4\", \"port\": 56858, \"svc_name\": \"-\"}, \"start_time_dt\": \"2022-04-11T20:02:12.000-04:00\", \"status_code\": \"OK\", \"time\": 1649721732000, \"time_dt\": \"2022-04-11T20:02:12.000-04:00\", \"traffic\": {\"bytes\": 40, \"packets\": 1}, \"type_name\": \"Network Activity: Refuse\", \"type_uid\": 400105, \"unmapped\": {\"sublocation_id\": \"-\", \"sublocation_type\": \"-\"}}", "event": { - "action": "connect", + "action": "refuse", "category": [ - "api" + "network" ], - "duration": 80000000, - "end": "2023-09-25T21:04:49.419000Z", + "end": "2022-04-12T00:03:08Z", "kind": "event", - "outcome": "success", - "provider": "myrtle watts management", - "severity": 99, + "severity": 1, + "start": "2022-04-12T00:02:12Z", "type": [ + "denied", "info" ] }, - "@timestamp": "2023-09-25T21:04:49.417000Z", + "@timestamp": "2022-04-12T00:02:12Z", "cloud": { - "provider": "reflect alarm my", - "region": "chrome during bs" - }, - "destination": { - "port": 15440 - }, - "host": { - "domain": "barbara advantages 
levitra", - "geo": { - "city_name": "Suspension associations", - "continent_name": "Africa", - "country_iso_code": "LS", - "location": { - "lat": -46.1461, - "lon": -67.6681 - }, - "name": "Lesotho, Kingdom of" - }, - "hostname": "scanners.nato", - "id": "29eed912-5be7-11ee-a07b-0242ac110005", - "ip": [ - "175.16.199.1" - ], - "name": "scanners.nato", - "risk": { - "static_level": "improving jvc directors", - "static_score": 9 + "account": { + "id": "123456789012" }, - "type": "Virtual" + "availability_zone": "use1-az1", + "provider": "AWS", + "region": "us-east-1" }, - "http": { - "request": { - "id": "29eee308-5be7-11ee-baad-0242ac110005", - "method": "POST" - }, - "version": "1.0.0" + "destination": { + "address": "172.31.2.52", + "ip": "172.31.2.52", + "port": 39938 }, "network": { - "application": "sim lucas entries", - "iana_number": "67" + "bytes": 40, + "direction": [ + "inbound" + ], + "iana_number": "6", + "packets": 1 }, "ocsf": { - "activity_id": 1, - "activity_name": "Connect", - "class_name": "HTTP Activity", - "class_uid": 4002 + "activity_id": 5, + "activity_name": "Refuse", + "class_name": "Network Activity", + "class_uid": 4001 }, "related": { - "hosts": [ - "collected.org", - "scanners.nato", - "side.pro" - ], "ip": [ - "175.16.199.1", - "67.43.156.0" + "1.2.3.4", + "172.31.2.52" ] }, "source": { - "address": "side.pro", - "domain": "side.pro", - "ip": "67.43.156.0", - "port": 14669, - "registered_domain": "side.pro", - "top_level_domain": "pro" - }, - "url": { - "domain": "collected.org", - "original": "illinois", - "path": "proposed opposed vegas", - "port": 17689, - "query": "additions linux furthermore", - "scheme": "gary bibliography font", - "subdomain": "katrina je pieces" - }, - "user_agent": { - "device": { - "name": "Other" - }, - "name": "Other", - "original": "cheese heading anyway", - "os": { - "name": "Other" - } + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 56858 } } } \ No newline at end of file 
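Review bot: The new expected block pins `"type": ["denied", "info"]` for this `disposition: "Blocked"` / `action: "Denied"` flow but no longer asserts `event.outcome`, whereas the replaced fixture pinned `"outcome": "success"` from `status`; the new input carries only `status_code: "OK"`, so it is worth confirming whether leaving `outcome` unset is the intended parser behaviour for a refused connection, and pinning it either way so a regression is caught. The `sekoiaio.intake` block (dialect and `dialect_uuid`) is also dropped from the input here and in the `test_network_activity_3.json` and `test_network_activity_4.json` hunks; if the test harness still selects the parser from that field, these inputs would no longer exercise the intended dialect, so please verify the harness no longer needs it. Fields present in the input such as `connection_info.tcp_flags`, `observables` and `unmapped` have no counterpart in the expected output, which is fine if they are deliberately unmapped, but a one-line comment in the PR description naming them as intentionally unmapped would help the next maintainer.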
diff --git a/OCSF/ocsf/tests/test_network_activity_3.json b/OCSF/ocsf/tests/test_network_activity_3.json index e1abf8f23..191c39ac2 100644 --- a/OCSF/ocsf/tests/test_network_activity_3.json +++ b/OCSF/ocsf/tests/test_network_activity_3.json 
@@ -1,81 +1,52 @@ { "input": { - "message": "{\"metadata\": {\"product\": {\"version\": \"1.100000\", \"name\": \"Route 53\", \"feature\": {\"name\": \"Resolver Query Logs\"}, \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"security_control\"], \"version\": \"1.0.0-rc.2\"}, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"region\": \"us-east-1\", \"provider\": \"AWS\"}, \"src_endpoint\": {\"vpc_uid\": \"vpc-00000000000000000\", \"ip\": \"10.200.21.100\", \"port\": 15083}, \"time\": 1665694957896, \"query\": {\"hostname\": \"ip-127-0-0-62.alert.firewall.canary.\", \"type\": \"A\", \"class\": \"IN\"}, \"answers\": [{\"type\": \"A\", \"rdata\": \"127.0.0.62\", \"class\": \"IN\"}], \"connection_info\": {\"protocol_name\": \"UDP\", \"direction\": \"Unknown\", \"direction_id\": 0}, \"dst_endpoint\": {\"instance_uid\": \"rslvr-in-0000000000000000\", \"interface_uid\": \"rni-0000000000000000\"}, \"severity_id\": 1, \"severity\": \"Informational\", \"class_name\": \"DNS Activity\", \"class_uid\": 4003, \"category_name\": \"Network Activity\", \"category_uid\": 4, \"disposition\": \"No Action\", \"disposition_id\": 16, \"rcode_id\": 0, \"rcode\": \"NoError\", \"activity_id\": 2, \"activity_name\": \"Response\", \"type_name\": \"DNS Activity: Response\", \"type_uid\": 400302, \"unmapped\": {\"firewall_rule_group_id\": \"rslvr-frg-000000000000000\", \"firewall_domain_list_id\": \"rslvr-fdl-0000000000000\"}}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } + "message": "{\"activity_name\": \"Traffic\", \"activity_id\": 6, \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Network Activity\", \"class_uid\": 4001, \"type_uid\": 400106, \"type_name\": \"Network Activity: Traffic\", \"severity_id\": 1, \"severity\": \"Informational\", \"start_time\": \"2015/06/17T00:00:00.083\", \"end_time\": \"2015/06/17T00:00:00.089\", \"duration\": 0.006, \"metadata\": {\"product\": 
{\"version\": \"3.9.0\", \"name\": \"SiLK\", \"feature\": {\"name\": \" Network Flow Data\"}, \"vendor_name\": \"CERT/NetSA at Carnegie Mellon University - Software Engineering Institute\"}, \"version\": \"1.0.0-rc.3\"}, \"src_endpoint\": {\"port\": 63975, \"ip\": \"192.168.40.20\"}, \"dst_endpoint\": {\"port\": 443, \"ip\": \"10.0.40.21\"}, \"connection_info\": {\"protocol_num\": 6, \"tcp_flags\": 19, \"boundary_id\": 99, \"boundary\": \"Other\", \"direction_id\": 2, \"direction\": \"Outbound\"}, \"traffic\": {\"packets\": 8, \"bytes\": 344}, \"unmapped\": {\"sensor\": \"S1\", \"in\": 0, \"out\": 0, \"nhIP\": \"0.0.0.0\", \"initialFlags\": \"\", \"sessionFlags\": \"\", \"attributes\": \"\", \"application\": 0, \"class\": \"all\", \"type\": \"outweb\", \"iType\": \"\", \"iCode\": \"\"}}" }, "expected": { - "message": "{\"metadata\": {\"product\": {\"version\": \"1.100000\", \"name\": \"Route 53\", \"feature\": {\"name\": \"Resolver Query Logs\"}, \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"security_control\"], \"version\": \"1.0.0-rc.2\"}, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"region\": \"us-east-1\", \"provider\": \"AWS\"}, \"src_endpoint\": {\"vpc_uid\": \"vpc-00000000000000000\", \"ip\": \"10.200.21.100\", \"port\": 15083}, \"time\": 1665694957896, \"query\": {\"hostname\": \"ip-127-0-0-62.alert.firewall.canary.\", \"type\": \"A\", \"class\": \"IN\"}, \"answers\": [{\"type\": \"A\", \"rdata\": \"127.0.0.62\", \"class\": \"IN\"}], \"connection_info\": {\"protocol_name\": \"UDP\", \"direction\": \"Unknown\", \"direction_id\": 0}, \"dst_endpoint\": {\"instance_uid\": \"rslvr-in-0000000000000000\", \"interface_uid\": \"rni-0000000000000000\"}, \"severity_id\": 1, \"severity\": \"Informational\", \"class_name\": \"DNS Activity\", \"class_uid\": 4003, \"category_name\": \"Network Activity\", \"category_uid\": 4, \"disposition\": \"No Action\", \"disposition_id\": 16, \"rcode_id\": 0, \"rcode\": \"NoError\", \"activity_id\": 2, 
\"activity_name\": \"Response\", \"type_name\": \"DNS Activity: Response\", \"type_uid\": 400302, \"unmapped\": {\"firewall_rule_group_id\": \"rslvr-frg-000000000000000\", \"firewall_domain_list_id\": \"rslvr-fdl-0000000000000\"}}", + "message": "{\"activity_name\": \"Traffic\", \"activity_id\": 6, \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Network Activity\", \"class_uid\": 4001, \"type_uid\": 400106, \"type_name\": \"Network Activity: Traffic\", \"severity_id\": 1, \"severity\": \"Informational\", \"start_time\": \"2015/06/17T00:00:00.083\", \"end_time\": \"2015/06/17T00:00:00.089\", \"duration\": 0.006, \"metadata\": {\"product\": {\"version\": \"3.9.0\", \"name\": \"SiLK\", \"feature\": {\"name\": \" Network Flow Data\"}, \"vendor_name\": \"CERT/NetSA at Carnegie Mellon University - Software Engineering Institute\"}, \"version\": \"1.0.0-rc.3\"}, \"src_endpoint\": {\"port\": 63975, \"ip\": \"192.168.40.20\"}, \"dst_endpoint\": {\"port\": 443, \"ip\": \"10.0.40.21\"}, \"connection_info\": {\"protocol_num\": 6, \"tcp_flags\": 19, \"boundary_id\": 99, \"boundary\": \"Other\", \"direction_id\": 2, \"direction\": \"Outbound\"}, \"traffic\": {\"packets\": 8, \"bytes\": 344}, \"unmapped\": {\"sensor\": \"S1\", \"in\": 0, \"out\": 0, \"nhIP\": \"0.0.0.0\", \"initialFlags\": \"\", \"sessionFlags\": \"\", \"attributes\": \"\", \"application\": 0, \"class\": \"all\", \"type\": \"outweb\", \"iType\": \"\", \"iCode\": \"\"}}", "event": { - "action": "response", + "action": "traffic", "category": [ "network" ], + "duration": 6000.0, + "end": "2015-06-17T00:00:00.089000Z", "kind": "event", "severity": 1, + "start": "2015-06-17T00:00:00.083000Z", "type": [ - "info", - "protocol" + "info" ] }, - "@timestamp": "2022-10-13T21:02:37.896000Z", - "cloud": { - "account": { - "id": "123456789012" - }, - "provider": "AWS", - "region": "us-east-1" - }, - "dns": { - "answers": { - "class": [ - "IN" - ], - "ttl": [], - "type": [ - "A" - ] - }, - "id": 
[], - "question": { - "class": [ - "IN" - ], - "name": "ip-127-0-0-62.alert.firewall.canary.", - "subdomain": "ip-127-0-0-62.alert.firewall", - "type": [ - "A" - ] - }, - "response_code": "NoError" + "destination": { + "address": "10.0.40.21", + "ip": "10.0.40.21", + "port": 443 }, "network": { + "bytes": 344, "direction": [ - "unknown" - ] + "outbound" + ], + "iana_number": "6", + "packets": 8 }, "ocsf": { - "activity_id": 2, - "activity_name": "Response", - "class_name": "DNS Activity", - "class_uid": 4003 + "activity_id": 6, + "activity_name": "Traffic", + "class_name": "Network Activity", + "class_uid": 4001 }, "related": { - "hosts": [ - "ip-127-0-0-62.alert.firewall.canary." - ], "ip": [ - "10.200.21.100" + "10.0.40.21", + "192.168.40.20" ] }, "source": { - "address": "10.200.21.100", - "ip": "10.200.21.100", - "port": 15083 + "address": "192.168.40.20", + "ip": "192.168.40.20", + "port": 63975 } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_4.json b/OCSF/ocsf/tests/test_network_activity_4.json index de1d495f2..a2042d955 100644 --- a/OCSF/ocsf/tests/test_network_activity_4.json +++ b/OCSF/ocsf/tests/test_network_activity_4.json 
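Review bot: The new expected block carries no `@timestamp` even though the SiLK input provides `start_time: "2015/06/17T00:00:00.083"`, from which `event.start` is derived; if the harness injects `@timestamp` when the parser leaves it unset, the fixture silently depends on that, so it is worth pinning the expected timestamp (or confirming the omission is intended). The expected `"start": "2015-06-17T00:00:00.083000Z"` and `"end": ...089000Z` treat the slash-formatted, offset-less input as UTC; that assumption is not stated anywhere in the fixture, so please confirm it against the SiLK export and note it in the PR description. The `duration: 0.006` to `"duration": 6000.0` mapping is consistent with OCSF milliseconds to ECS nanoseconds, matching the other fixtures.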
@@ -1,99 +1,40 @@ { "input": { - "message": "{\"count\": 2, \"status\": \"Failure\", \"time\": 1695675919042, \"device\": {\"name\": \"worry scout director\", \"type\": \"Laptop\", \"domain\": \"ordinance died reducing\", \"ip\": \"67.43.156.0\", \"location\": {\"desc\": \"Iran, Islamic Republic of\", \"city\": \"Arabic ana\", \"country\": \"IR\", \"coordinates\": [-170.1816, -41.4084], \"continent\": \"Asia\"}, \"uid\": \"3b9854e0-5be7-11ee-b25b-0242ac110005\", \"hostname\": \"labs.org\", \"groups\": [{\"name\": \"crisis burlington stood\", \"type\": \"regional yourself ho\", \"uid\": \"3b984cde-5be7-11ee-a8b4-0242ac110005\"}, {\"name\": \"funds lawyers conferencing\", \"uid\": \"3b985120-5be7-11ee-b8c3-0242ac110005\"}], \"type_id\": 3, \"instance_uid\": \"3b98409a-5be7-11ee-87fa-0242ac110005\", \"interface_name\": \"bestsellers qualifying blog\", \"interface_uid\": \"3b984586-5be7-11ee-b105-0242ac110005\", \"is_managed\": false, \"modified_time\": 1695675919042, \"network_interfaces\": [{\"name\": \"leading ste lingerie\", \"type\": \"Wired\", \"ip\": \"175.16.199.1\", \"hostname\": \"signed.name\", \"mac\": \"F7:10:E8:11:73:9A:1F:AD\", \"type_id\": 1}], \"region\": \"accused continuous fibre\", \"uid_alt\": \"matter resolutions likely\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"version\": \"1.0.0\", \"path\": \"trademarks clean client\", \"uid\": \"3b98010c-5be7-11ee-b3a3-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"parents transit advisor\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"event_code\": \"population\", \"log_name\": \"rod nine dont\", \"log_provider\": \"remembered substantial possible\", \"modified_time\": 1695675919045, \"original_time\": \"processes payroll cheque\", \"modified_time_dt\": \"2023-09-25T21:05:19.045538Z\", \"processed_time_dt\": \"2023-09-25T21:05:19.045551Z\"}, \"severity\": \"undefined\", \"type_name\": \"DHCP Activity: Nak\", \"activity_id\": 6, \"type_uid\": 
400406, \"category_name\": \"Network Activity\", \"class_uid\": 4004, \"category_uid\": 4, \"class_name\": \"DHCP Activity\", \"timezone_offset\": 7, \"activity_name\": \"Nak\", \"cloud\": {\"provider\": \"finest subdivision assists\", \"region\": \"drill bedford post\"}, \"dst_endpoint\": {\"name\": \"pickup offshore readers\", \"port\": 21794, \"ip\": \"67.43.156.0\", \"location\": {\"desc\": \"Saint Lucia\", \"city\": \"Suggests contamination\", \"country\": \"LC\", \"coordinates\": [54.5116, -89.695], \"continent\": \"North America\"}, \"uid\": \"3b9810ca-5be7-11ee-8a5e-0242ac110005\", \"hostname\": \"cloud.int\", \"instance_uid\": \"3b9815de-5be7-11ee-8748-0242ac110005\", \"interface_name\": \"rentals generic singles\", \"interface_uid\": \"3b981cd2-5be7-11ee-9f36-0242ac110005\", \"subnet_uid\": \"3b9820e2-5be7-11ee-af45-0242ac110005\", \"svc_name\": \"where image territories\"}, \"is_renewal\": false, \"severity_id\": 99, \"src_endpoint\": {\"name\": \"proceeding industries archive\", \"port\": 35266, \"ip\": \"67.43.156.0\", \"uid\": \"3b986b2e-5be7-11ee-9b3c-0242ac110005\", \"hostname\": \"scores.net\", \"instance_uid\": \"3b987272-5be7-11ee-a84f-0242ac110005\", \"interface_name\": \"habits quantitative second\", \"interface_uid\": \"3b987966-5be7-11ee-ae16-0242ac110005\", \"intermediate_ips\": [\"175.16.199.1\", \"89.160.20.112\"], \"svc_name\": \"marking misc alarm\", \"vpc_uid\": \"3b988096-5be7-11ee-bdee-0242ac110005\"}, \"status_detail\": \"relates cornwall cope\", \"status_id\": 2, \"transaction_uid\": \"3b989194-5be7-11ee-b97e-0242ac110005\"}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } + "message": "{\"time\": 1591367999.305988, \"uuid\": \"CMdzit1AMNsmfAIiQc\", \"src_endpoint\": {\"ip\": \"192.168.4.76\", \"port\": 36844}, \"dst_endpoint\": {\"ip\": \"192.168.4.1\", \"port\": 53}, \"connection_info\": {\"protocol_name\": \"udp\"}, \"bytes_in\": 62, \"packets_in\": 2, 
\"orig_bytes\": {\"ip\": 118}, \"bytes_out\": 141, \"packets_out\": 2, \"resp_bytes\": {\"ip\": 197}, \"duration\": 0.06685185432434082, \"unmapped\": {\"conn_state\": \"SF\"}, \"category_uid\": 4, \"category_name\": \"Network Activity\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"metadata\": {\"profiles\": [\"security_control\"], \"product\": {\"name\": \"Zeek\", \"feature\": {\"name\": \"conn.log\"}, \"vendor_name\": \"Zeek\"}}, \"severity\": \"Informational\", \"severity_id\": 1, \"proposed_new_attributes\": {\"application_protocol\": \"dns\", \"bytes_missed\": 0, \"connection_history\": \"Dd\"}}" }, "expected": { - "message": "{\"count\": 2, \"status\": \"Failure\", \"time\": 1695675919042, \"device\": {\"name\": \"worry scout director\", \"type\": \"Laptop\", \"domain\": \"ordinance died reducing\", \"ip\": \"67.43.156.0\", \"location\": {\"desc\": \"Iran, Islamic Republic of\", \"city\": \"Arabic ana\", \"country\": \"IR\", \"coordinates\": [-170.1816, -41.4084], \"continent\": \"Asia\"}, \"uid\": \"3b9854e0-5be7-11ee-b25b-0242ac110005\", \"hostname\": \"labs.org\", \"groups\": [{\"name\": \"crisis burlington stood\", \"type\": \"regional yourself ho\", \"uid\": \"3b984cde-5be7-11ee-a8b4-0242ac110005\"}, {\"name\": \"funds lawyers conferencing\", \"uid\": \"3b985120-5be7-11ee-b8c3-0242ac110005\"}], \"type_id\": 3, \"instance_uid\": \"3b98409a-5be7-11ee-87fa-0242ac110005\", \"interface_name\": \"bestsellers qualifying blog\", \"interface_uid\": \"3b984586-5be7-11ee-b105-0242ac110005\", \"is_managed\": false, \"modified_time\": 1695675919042, \"network_interfaces\": [{\"name\": \"leading ste lingerie\", \"type\": \"Wired\", \"ip\": \"175.16.199.1\", \"hostname\": \"signed.name\", \"mac\": \"F7:10:E8:11:73:9A:1F:AD\", \"type_id\": 1}], \"region\": \"accused continuous fibre\", \"uid_alt\": \"matter resolutions likely\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"version\": \"1.0.0\", \"path\": \"trademarks clean client\", \"uid\": 
\"3b98010c-5be7-11ee-b3a3-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"parents transit advisor\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"event_code\": \"population\", \"log_name\": \"rod nine dont\", \"log_provider\": \"remembered substantial possible\", \"modified_time\": 1695675919045, \"original_time\": \"processes payroll cheque\", \"modified_time_dt\": \"2023-09-25T21:05:19.045538Z\", \"processed_time_dt\": \"2023-09-25T21:05:19.045551Z\"}, \"severity\": \"undefined\", \"type_name\": \"DHCP Activity: Nak\", \"activity_id\": 6, \"type_uid\": 400406, \"category_name\": \"Network Activity\", \"class_uid\": 4004, \"category_uid\": 4, \"class_name\": \"DHCP Activity\", \"timezone_offset\": 7, \"activity_name\": \"Nak\", \"cloud\": {\"provider\": \"finest subdivision assists\", \"region\": \"drill bedford post\"}, \"dst_endpoint\": {\"name\": \"pickup offshore readers\", \"port\": 21794, \"ip\": \"67.43.156.0\", \"location\": {\"desc\": \"Saint Lucia\", \"city\": \"Suggests contamination\", \"country\": \"LC\", \"coordinates\": [54.5116, -89.695], \"continent\": \"North America\"}, \"uid\": \"3b9810ca-5be7-11ee-8a5e-0242ac110005\", \"hostname\": \"cloud.int\", \"instance_uid\": \"3b9815de-5be7-11ee-8748-0242ac110005\", \"interface_name\": \"rentals generic singles\", \"interface_uid\": \"3b981cd2-5be7-11ee-9f36-0242ac110005\", \"subnet_uid\": \"3b9820e2-5be7-11ee-af45-0242ac110005\", \"svc_name\": \"where image territories\"}, \"is_renewal\": false, \"severity_id\": 99, \"src_endpoint\": {\"name\": \"proceeding industries archive\", \"port\": 35266, \"ip\": \"67.43.156.0\", \"uid\": \"3b986b2e-5be7-11ee-9b3c-0242ac110005\", \"hostname\": \"scores.net\", \"instance_uid\": \"3b987272-5be7-11ee-a84f-0242ac110005\", \"interface_name\": \"habits quantitative second\", \"interface_uid\": \"3b987966-5be7-11ee-ae16-0242ac110005\", \"intermediate_ips\": [\"175.16.199.1\", \"89.160.20.112\"], \"svc_name\": \"marking 
misc alarm\", \"vpc_uid\": \"3b988096-5be7-11ee-bdee-0242ac110005\"}, \"status_detail\": \"relates cornwall cope\", \"status_id\": 2, \"transaction_uid\": \"3b989194-5be7-11ee-b97e-0242ac110005\"}", + "message": "{\"time\": 1591367999.305988, \"uuid\": \"CMdzit1AMNsmfAIiQc\", \"src_endpoint\": {\"ip\": \"192.168.4.76\", \"port\": 36844}, \"dst_endpoint\": {\"ip\": \"192.168.4.1\", \"port\": 53}, \"connection_info\": {\"protocol_name\": \"udp\"}, \"bytes_in\": 62, \"packets_in\": 2, \"orig_bytes\": {\"ip\": 118}, \"bytes_out\": 141, \"packets_out\": 2, \"resp_bytes\": {\"ip\": 197}, \"duration\": 0.06685185432434082, \"unmapped\": {\"conn_state\": \"SF\"}, \"category_uid\": 4, \"category_name\": \"Network Activity\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"metadata\": {\"profiles\": [\"security_control\"], \"product\": {\"name\": \"Zeek\", \"feature\": {\"name\": \"conn.log\"}, \"vendor_name\": \"Zeek\"}}, \"severity\": \"Informational\", \"severity_id\": 1, \"proposed_new_attributes\": {\"application_protocol\": \"dns\", \"bytes_missed\": 0, \"connection_history\": \"Dd\"}}", "event": { - "action": "nak", "category": [ "network" ], - "code": "population", + "duration": 66851.85432434082, "kind": "event", - "outcome": "failure", - "provider": "remembered substantial possible", - "severity": 99, + "severity": 1, "type": [ - "info", - "protocol" + "info" ] }, - "@timestamp": "2023-09-25T21:05:19.042000Z", - "cloud": { - "provider": "finest subdivision assists", - "region": "drill bedford post" - }, + "@timestamp": "2020-06-05T14:39:59.305988Z", "destination": { - "address": "cloud.int", - "domain": "cloud.int", - "geo": { - "city_name": "Suggests contamination", - "continent_name": "North America", - "country_iso_code": "LC", - "location": { - "lat": -89.695, - "lon": 54.5116 - }, - "name": "Saint Lucia" - }, - "ip": "67.43.156.0", - "port": 21794, - "registered_domain": "cloud.int", - "top_level_domain": "int" - }, - "host": { - "domain": 
"ordinance died reducing", - "geo": { - "city_name": "Arabic ana", - "continent_name": "Asia", - "country_iso_code": "IR", - "location": { - "lat": -41.4084, - "lon": -170.1816 - }, - "name": "Iran, Islamic Republic of" - }, - "hostname": "labs.org", - "id": "3b9854e0-5be7-11ee-b25b-0242ac110005", - "ip": [ - "67.43.156.0" - ], - "name": "labs.org", - "type": "Laptop" - }, - "network": { - "application": "where image territories" + "address": "192.168.4.1", + "ip": "192.168.4.1", + "port": 53 }, "ocsf": { - "activity_id": 6, - "activity_name": "Nak", - "class_name": "DHCP Activity", - "class_uid": 4004 + "class_name": "Network Activity", + "class_uid": 4001 }, "related": { - "hosts": [ - "cloud.int", - "labs.org", - "scores.net" - ], "ip": [ - "67.43.156.0" + "192.168.4.1", + "192.168.4.76" ] }, "source": { - "address": "scores.net", - "domain": "scores.net", - "ip": "67.43.156.0", - "port": 35266, - "registered_domain": "scores.net", - "top_level_domain": "net" + "address": "192.168.4.76", + "ip": "192.168.4.76", + "port": 36844 } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_5.json b/OCSF/ocsf/tests/test_network_activity_5.json index 2bfd8e317..a2042d955 100644 --- a/OCSF/ocsf/tests/test_network_activity_5.json +++ b/OCSF/ocsf/tests/test_network_activity_5.json 
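Review bot: The `index` lines show `test_network_activity_4.json` (`de1d495f2..a2042d955`) and `test_network_activity_5.json` (`2bfd8e317..a2042d955`) now point at the same new blob, so after this commit the two fixtures appear to be byte-identical and the RDP Activity case that `_5` previously covered (its old side, with `attacks` and `tls`, begins below this hunk and continues past this view) would have no test left; please confirm this duplication is intentional or restore a distinct fixture for `_5`. In the new expected block the Zeek input's `connection_info.protocol_name: "udp"` produces no `network.transport`, while the `_2` and `_3` fixtures map `protocol_num` to `network.iana_number`; if the parser handles `protocol_name`, pinning `"network": { "transport": "udp" }` here would cover that path. Likewise `bytes_in`, `bytes_out`, `packets_in` and `packets_out` from the input have no counterpart in the expected output, so either they are intentionally unmapped or the fixture is missing `source.bytes`/`destination.bytes` assertions.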
@@ -1,141 +1,40 @@ { "input": { - "message": "{\"category_uid\": 4, \"request\": {\"uid\": \"52a3da4c-5be7-11ee-baa3-0242ac110005\"}, \"type_uid\": 400506, \"time\": 1695675957710, \"certificate_chain\": [\"universities investment processing\", \"magazines cooler constitute\"], \"src_endpoint\": {\"name\": \"request brakes anyway\", \"port\": 55305, \"ip\": \"67.43.156.0\", \"uid\": \"52a3c912-5be7-11ee-a7e5-0242ac110005\", \"instance_uid\": \"52a3cca0-5be7-11ee-bb44-0242ac110005\", \"interface_name\": \"caring interface recipe\", \"interface_uid\": \"52a3d06a-5be7-11ee-b15e-0242ac110005\", \"intermediate_ips\": [\"175.16.199.1\", \"89.160.20.112\"], \"svc_name\": \"leo fraser mic\"}, \"type_name\": \"RDP Activity: Traffic\", \"response\": {\"error\": \"earn bios diamonds\", \"code\": 79, \"flags\": [\"doors plus tool\"], \"message\": \"mysimon forum john\"}, \"status_id\": 99, \"activity_name\": \"Traffic\", \"capabilities\": [\"makers inkjet wealth\", \"statistical athletic tactics\"], \"activity_id\": 6, \"timezone_offset\": 14, \"severity_id\": 2, \"severity\": \"Low\", \"message\": \"start gifts correlation\", \"status\": \"chronicle\", \"connection_info\": {\"boundary\": \"direction design hook\", \"direction\": \"Unknown\", \"direction_id\": 0, \"protocol_num\": 7, \"protocol_ver\": \"compliant\", \"protocol_ver_id\": 99}, \"device\": {\"name\": \"mpg mumbai feedback\", \"type\": \"cingular\", \"ip\": \"175.16.199.1\", \"uid\": \"52a3b968-5be7-11ee-8c32-0242ac110005\", \"hostname\": \"bookstore.com\", \"type_id\": 99, \"autoscale_uid\": \"52a3aa7c-5be7-11ee-afac-0242ac110005\", \"hypervisor\": \"t contacting bomb\", \"instance_uid\": \"52a3af0e-5be7-11ee-8962-0242ac110005\", \"interface_name\": \"fifth cancer ties\", \"interface_uid\": \"52a3b382-5be7-11ee-b868-0242ac110005\", \"network_interfaces\": [{\"name\": \"extensive confirmation invisible\", \"type\": \"Unknown\", \"ip\": \"175.16.199.1\", \"uid\": \"52a3a572-5be7-11ee-b24b-0242ac110005\", 
\"hostname\": \"tray.gov\", \"mac\": \"D3:B5:6A:19:38:2F:24:A1\", \"type_id\": 0}], \"region\": \"childrens carriers contracting\", \"risk_level\": \"theory mattress fr\", \"risk_score\": 32}, \"disposition\": \"Quarantined\", \"dst_endpoint\": {\"name\": \"codes acts containers\", \"port\": 11600, \"ip\": \"67.43.156.0\", \"uid\": \"52a30022-5be7-11ee-b27b-0242ac110005\", \"hostname\": \"climate.gov\", \"mac\": \"6F:86:CF:42:61:43:EF:EC\", \"instance_uid\": \"52a3919a-5be7-11ee-a566-0242ac110005\", \"svc_name\": \"intro contacted payroll\"}, \"protocol_ver\": \"1.1.1\", \"api\": {\"version\": \"1.0.0\", \"request\": {\"uid\": \"52a2f4d8-5be7-11ee-9aad-0242ac110005\"}, \"response\": {\"error\": \"column reform improved\", \"error_message\": \"glen spray dear\"}, \"operation\": \"examinations convention inquire\"}, \"traffic\": {\"bytes\": 4178624388, \"bytes_in\": 3737296762, \"bytes_out\": 2902061295, \"packets\": 2072578920}, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Lateral Movement | The adversary is trying to move through your environment.\", \"uid\": \"TA0008\"}, {\"name\": \"Defense Evasion The adversary is trying to avoid being detected.\", \"uid\": \"TA0005\"}], \"technique\": {\"name\": \"Spearphishing Attachment\", \"uid\": \"T1193\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Command and Control The adversary is trying to communicate with compromised systems to control them.\", \"uid\": \"TA0011\"}, {\"name\": \"Lateral Movement | The adversary is trying to move through your environment.\", \"uid\": \"TA0008\"}, {\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Malware\", \"uid\": \"T1587.001\"}}], \"tls\": {\"version\": \"1.0.0\", \"cipher\": \"fabric mess guaranteed\", \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"tramadol babe inf\", \"issuer\": \"ring vc mild\", \"fingerprints\": [{\"value\": 
\"FC52C21756C177325B755781195254D9\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"B840263DB579453C080DA366BADC329FC04B253D1ACCC2F6FDEB475D2C1B4811CED673F4981DBFC8FC88877A7516C41B28BA654D3911FE15ED7E4BA5849624F9\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1695675957703, \"expiration_time\": 1695675957707, \"serial_number\": \"refrigerator os jumping\"}, \"sni\": \"burner funeral singing\", \"certificate_chain\": [\"permissions logistics pipe\"], \"client_ciphers\": [\"python ireland aerial\", \"season textbook walt\"], \"ja3s_hash\": {\"value\": \"63DA7BD36D87B066DC0E0BB794DBD39ABF21F1A63BA929705FB6C81005838FFA5E8FE456C4DB8ACBD983D90356A5707FC1F4EF069CC70B65B34A5496D5484DDC\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, \"sans\": [{\"name\": \"downloads informed warehouse\", \"type\": \"ordinance place flower\"}, {\"name\": \"gamma consultant lcd\", \"type\": \"experienced loved premises\"}]}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"sleeping roy view\", \"version\": \"1.0.0\", \"uid\": \"52a2a83e-5be7-11ee-b480-0242ac110005\", \"feature\": {\"name\": \"purse support el\", \"version\": \"1.0.0\", \"uid\": \"52a2b0e0-5be7-11ee-9130-0242ac110005\"}, \"vendor_name\": \"display discipline juvenile\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"structured electron theaters\", \"log_provider\": \"unwrap std painful\", \"modified_time\": 1695675957701, \"original_time\": \"skins child clearance\", \"modified_time_dt\": \"2023-09-25T21:05:57.703141Z\"}, \"class_name\": \"RDP Activity\", \"category_name\": \"Network Activity\", \"disposition_id\": 3, \"cloud\": {\"provider\": \"lafayette lime metal\", \"region\": \"crimes gotten calculators\"}, \"end_time_dt\": \"2023-09-25T21:05:57.699925Z\", \"start_time\": 1695675957693, \"class_uid\": 4005, \"status_code\": \"lectures\"}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": 
"a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } + "message": "{\"time\": 1591367999.305988, \"uuid\": \"CMdzit1AMNsmfAIiQc\", \"src_endpoint\": {\"ip\": \"192.168.4.76\", \"port\": 36844}, \"dst_endpoint\": {\"ip\": \"192.168.4.1\", \"port\": 53}, \"connection_info\": {\"protocol_name\": \"udp\"}, \"bytes_in\": 62, \"packets_in\": 2, \"orig_bytes\": {\"ip\": 118}, \"bytes_out\": 141, \"packets_out\": 2, \"resp_bytes\": {\"ip\": 197}, \"duration\": 0.06685185432434082, \"unmapped\": {\"conn_state\": \"SF\"}, \"category_uid\": 4, \"category_name\": \"Network Activity\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"metadata\": {\"profiles\": [\"security_control\"], \"product\": {\"name\": \"Zeek\", \"feature\": {\"name\": \"conn.log\"}, \"vendor_name\": \"Zeek\"}}, \"severity\": \"Informational\", \"severity_id\": 1, \"proposed_new_attributes\": {\"application_protocol\": \"dns\", \"bytes_missed\": 0, \"connection_history\": \"Dd\"}}" }, "expected": { - "message": "{\"category_uid\": 4, \"request\": {\"uid\": \"52a3da4c-5be7-11ee-baa3-0242ac110005\"}, \"type_uid\": 400506, \"time\": 1695675957710, \"certificate_chain\": [\"universities investment processing\", \"magazines cooler constitute\"], \"src_endpoint\": {\"name\": \"request brakes anyway\", \"port\": 55305, \"ip\": \"67.43.156.0\", \"uid\": \"52a3c912-5be7-11ee-a7e5-0242ac110005\", \"instance_uid\": \"52a3cca0-5be7-11ee-bb44-0242ac110005\", \"interface_name\": \"caring interface recipe\", \"interface_uid\": \"52a3d06a-5be7-11ee-b15e-0242ac110005\", \"intermediate_ips\": [\"175.16.199.1\", \"89.160.20.112\"], \"svc_name\": \"leo fraser mic\"}, \"type_name\": \"RDP Activity: Traffic\", \"response\": {\"error\": \"earn bios diamonds\", \"code\": 79, \"flags\": [\"doors plus tool\"], \"message\": \"mysimon forum john\"}, \"status_id\": 99, \"activity_name\": \"Traffic\", \"capabilities\": [\"makers inkjet wealth\", \"statistical athletic tactics\"], \"activity_id\": 6, \"timezone_offset\": 14, 
\"severity_id\": 2, \"severity\": \"Low\", \"message\": \"start gifts correlation\", \"status\": \"chronicle\", \"connection_info\": {\"boundary\": \"direction design hook\", \"direction\": \"Unknown\", \"direction_id\": 0, \"protocol_num\": 7, \"protocol_ver\": \"compliant\", \"protocol_ver_id\": 99}, \"device\": {\"name\": \"mpg mumbai feedback\", \"type\": \"cingular\", \"ip\": \"175.16.199.1\", \"uid\": \"52a3b968-5be7-11ee-8c32-0242ac110005\", \"hostname\": \"bookstore.com\", \"type_id\": 99, \"autoscale_uid\": \"52a3aa7c-5be7-11ee-afac-0242ac110005\", \"hypervisor\": \"t contacting bomb\", \"instance_uid\": \"52a3af0e-5be7-11ee-8962-0242ac110005\", \"interface_name\": \"fifth cancer ties\", \"interface_uid\": \"52a3b382-5be7-11ee-b868-0242ac110005\", \"network_interfaces\": [{\"name\": \"extensive confirmation invisible\", \"type\": \"Unknown\", \"ip\": \"175.16.199.1\", \"uid\": \"52a3a572-5be7-11ee-b24b-0242ac110005\", \"hostname\": \"tray.gov\", \"mac\": \"D3:B5:6A:19:38:2F:24:A1\", \"type_id\": 0}], \"region\": \"childrens carriers contracting\", \"risk_level\": \"theory mattress fr\", \"risk_score\": 32}, \"disposition\": \"Quarantined\", \"dst_endpoint\": {\"name\": \"codes acts containers\", \"port\": 11600, \"ip\": \"67.43.156.0\", \"uid\": \"52a30022-5be7-11ee-b27b-0242ac110005\", \"hostname\": \"climate.gov\", \"mac\": \"6F:86:CF:42:61:43:EF:EC\", \"instance_uid\": \"52a3919a-5be7-11ee-a566-0242ac110005\", \"svc_name\": \"intro contacted payroll\"}, \"protocol_ver\": \"1.1.1\", \"api\": {\"version\": \"1.0.0\", \"request\": {\"uid\": \"52a2f4d8-5be7-11ee-9aad-0242ac110005\"}, \"response\": {\"error\": \"column reform improved\", \"error_message\": \"glen spray dear\"}, \"operation\": \"examinations convention inquire\"}, \"traffic\": {\"bytes\": 4178624388, \"bytes_in\": 3737296762, \"bytes_out\": 2902061295, \"packets\": 2072578920}, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Lateral Movement | The adversary is trying to move 
through your environment.\", \"uid\": \"TA0008\"}, {\"name\": \"Defense Evasion The adversary is trying to avoid being detected.\", \"uid\": \"TA0005\"}], \"technique\": {\"name\": \"Spearphishing Attachment\", \"uid\": \"T1193\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Command and Control The adversary is trying to communicate with compromised systems to control them.\", \"uid\": \"TA0011\"}, {\"name\": \"Lateral Movement | The adversary is trying to move through your environment.\", \"uid\": \"TA0008\"}, {\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Malware\", \"uid\": \"T1587.001\"}}], \"tls\": {\"version\": \"1.0.0\", \"cipher\": \"fabric mess guaranteed\", \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"tramadol babe inf\", \"issuer\": \"ring vc mild\", \"fingerprints\": [{\"value\": \"FC52C21756C177325B755781195254D9\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"B840263DB579453C080DA366BADC329FC04B253D1ACCC2F6FDEB475D2C1B4811CED673F4981DBFC8FC88877A7516C41B28BA654D3911FE15ED7E4BA5849624F9\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1695675957703, \"expiration_time\": 1695675957707, \"serial_number\": \"refrigerator os jumping\"}, \"sni\": \"burner funeral singing\", \"certificate_chain\": [\"permissions logistics pipe\"], \"client_ciphers\": [\"python ireland aerial\", \"season textbook walt\"], \"ja3s_hash\": {\"value\": \"63DA7BD36D87B066DC0E0BB794DBD39ABF21F1A63BA929705FB6C81005838FFA5E8FE456C4DB8ACBD983D90356A5707FC1F4EF069CC70B65B34A5496D5484DDC\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, \"sans\": [{\"name\": \"downloads informed warehouse\", \"type\": \"ordinance place flower\"}, {\"name\": \"gamma consultant lcd\", \"type\": \"experienced loved premises\"}]}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"sleeping roy view\", \"version\": \"1.0.0\", \"uid\": 
\"52a2a83e-5be7-11ee-b480-0242ac110005\", \"feature\": {\"name\": \"purse support el\", \"version\": \"1.0.0\", \"uid\": \"52a2b0e0-5be7-11ee-9130-0242ac110005\"}, \"vendor_name\": \"display discipline juvenile\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"structured electron theaters\", \"log_provider\": \"unwrap std painful\", \"modified_time\": 1695675957701, \"original_time\": \"skins child clearance\", \"modified_time_dt\": \"2023-09-25T21:05:57.703141Z\"}, \"class_name\": \"RDP Activity\", \"category_name\": \"Network Activity\", \"disposition_id\": 3, \"cloud\": {\"provider\": \"lafayette lime metal\", \"region\": \"crimes gotten calculators\"}, \"end_time_dt\": \"2023-09-25T21:05:57.699925Z\", \"start_time\": 1695675957693, \"class_uid\": 4005, \"status_code\": \"lectures\"}", + "message": "{\"time\": 1591367999.305988, \"uuid\": \"CMdzit1AMNsmfAIiQc\", \"src_endpoint\": {\"ip\": \"192.168.4.76\", \"port\": 36844}, \"dst_endpoint\": {\"ip\": \"192.168.4.1\", \"port\": 53}, \"connection_info\": {\"protocol_name\": \"udp\"}, \"bytes_in\": 62, \"packets_in\": 2, \"orig_bytes\": {\"ip\": 118}, \"bytes_out\": 141, \"packets_out\": 2, \"resp_bytes\": {\"ip\": 197}, \"duration\": 0.06685185432434082, \"unmapped\": {\"conn_state\": \"SF\"}, \"category_uid\": 4, \"category_name\": \"Network Activity\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"metadata\": {\"profiles\": [\"security_control\"], \"product\": {\"name\": \"Zeek\", \"feature\": {\"name\": \"conn.log\"}, \"vendor_name\": \"Zeek\"}}, \"severity\": \"Informational\", \"severity_id\": 1, \"proposed_new_attributes\": {\"application_protocol\": \"dns\", \"bytes_missed\": 0, \"connection_history\": \"Dd\"}}", "event": { - "action": "traffic", "category": [ "network" ], - "end": "2023-09-25T21:05:57.699925Z", + "duration": 66851.85432434082, "kind": "event", - "provider": "unwrap std painful", - "severity": 2, - "start": 
"2023-09-25T21:05:57.693000Z",
+ "severity": 1,
 "type": [
- "info",
- "protocol"
+ "info"
 ]
 },
- "@timestamp": "2023-09-25T21:05:57.710000Z",
- "cloud": {
- "provider": "lafayette lime metal",
- "region": "crimes gotten calculators"
- },
+ "@timestamp": "2020-06-05T14:39:59.305988Z",
 "destination": {
- "address": "climate.gov",
- "bytes": 3737296762,
- "domain": "climate.gov",
- "ip": "67.43.156.0",
- "mac": "6F:86:CF:42:61:43:EF:EC",
- "port": 11600,
- "registered_domain": "climate.gov",
- "top_level_domain": "gov"
- },
- "host": {
- "hostname": "bookstore.com",
- "id": "52a3b968-5be7-11ee-8c32-0242ac110005",
- "ip": [
- "175.16.199.1"
- ],
- "name": "bookstore.com",
- "risk": {
- "static_level": "theory mattress fr",
- "static_score": 32
- },
- "type": "cingular"
- },
- "http": {
- "request": {
- "id": "52a3da4c-5be7-11ee-baa3-0242ac110005"
- },
- "response": {
- "status_code": 79
- }
- },
- "network": {
- "application": "intro contacted payroll",
- "bytes": 4178624388,
- "direction": [
- "unknown"
- ],
- "iana_number": "7",
- "packets": 2072578920
+ "address": "192.168.4.1",
+ "ip": "192.168.4.1",
+ "port": 53
 },
 "ocsf": {
- "activity_id": 6,
- "activity_name": "Traffic",
- "class_name": "RDP Activity",
- "class_uid": 4005
+ "class_name": "Network Activity",
+ "class_uid": 4001
 },
 "related": {
- "hosts": [
- "bookstore.com",
- "climate.gov"
- ],
 "ip": [
- "175.16.199.1",
- "67.43.156.0"
+ "192.168.4.1",
+ "192.168.4.76"
 ]
 },
 "source": {
- "address": "67.43.156.0",
- "bytes": 2902061295,
- "ip": "67.43.156.0",
- "port": 55305
- },
- "threat": {
- "technique": {
- "id": [
- "T1193",
- "T1587.001"
- ],
- "name": [
- "Malware",
- "Spearphishing Attachment"
- ]
- }
- },
- "tls": {
- "cipher": "fabric mess guaranteed",
- "client": {
- "server_name": "burner funeral singing",
- "supported_ciphers": [
- "python ireland aerial",
- "season textbook walt"
- ],
- "x509": {
- "alternative_names": [
- "downloads informed warehouse",
- "gamma consultant lcd"
- ],
- "issuer": {
- "distinguished_name": "ring vc mild"
- },
- "not_after": "2023-09-25T21:05:57.707000Z",
- "serial_number": "refrigerator os jumping",
- "subject": {
- "distinguished_name": "tramadol babe inf"
- },
- "version_number": "1.0.0"
- }
- },
- "server": {
- "certificate_chain": [
- "magazines cooler constitute",
- "universities investment processing"
- ],
- "ja3s": "63DA7BD36D87B066DC0E0BB794DBD39ABF21F1A63BA929705FB6C81005838FFA5E8FE456C4DB8ACBD983D90356A5707FC1F4EF069CC70B65B34A5496D5484DDC"
- },
- "version": "1.0.0"
+ "address": "192.168.4.76",
+ "ip": "192.168.4.76",
+ "port": 36844
 }
 }
 }
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_network_activity_6.json b/OCSF/ocsf/tests/test_network_activity_6.json
index b0c7a819c..7c337a7ce 100644
--- a/OCSF/ocsf/tests/test_network_activity_6.json
+++ b/OCSF/ocsf/tests/test_network_activity_6.json
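Review bot: The new expected `event.duration` of `66851.85432434082` is not an integer nanosecond count: the input's `duration` of 0.06685185432434082 reads as a Zeek conn.log interval in seconds, and the expected value is exactly that number ×1e6, i.e. the OCSF-milliseconds scaling the parser applies elsewhere (78 → 78000000 in the fixture removed from test_network_activity_6.json below). Either the sample should carry milliseconds as OCSF defines `duration`, or the expected value should be the whole-nanosecond 66851854; pinning the fractional value makes the fixture assert the unit mismatch rather than catch it. The same input message (uuid `CMdzit1AMNsmfAIiQc`) and the same expected block also appear in the test_network_activity_4.json hunk above, so this file no longer adds coverage, and the RDP Activity mapping the removed fixture exercised (class_uid 4005: `tls.*`, `threat.technique`, `http.response`, `host.risk`) is not asserted anywhere in this diff.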
@@ -1,130 +1,47 @@ { "input": { - "message": "{\"category_uid\": 4, \"file\": {\"attributes\": 43, \"name\": \"brazil.docx\", \"type\": \"Character Device\", \"path\": \"pay msie consciousness/checking.tiff/brazil.docx\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"tagged military guided\", \"issuer\": \"digest june ty\", \"fingerprints\": [{\"value\": \"9B0FBD383D667D48DB1FE9647C1E4BAA821ACA2908D5FFED88F145781F8B1A35\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1695675976051, \"expiration_time\": 1695675976057, \"serial_number\": \"schedules heater hardwood\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"product\": {\"name\": \"oecd initiatives purposes\", \"version\": \"1.0.0\", \"uid\": \"5d95c636-5be7-11ee-8b22-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"personal harmful referrals\"}, \"uid\": \"5d95ca5a-5be7-11ee-a417-0242ac110005\", \"type_id\": 3, \"parent_folder\": \"pay msie consciousness/checking.tiff\", \"hashes\": [{\"value\": \"37B77065B54AA76AAE4D96BFEA21F81217D2CEDE06CA457D86A77C0609B483B73102B9C600CC6DFEA5252B15E8E823BD2E5137AA311F7A2011B867F18FE9F502\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"B6F8AE88482BDE38221723480B7EE2BE8088C076BDB5F22AA847A66E59C2ACFB\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"modified_time\": 1695675976016, \"security_descriptor\": \"subsequent latinas quotes\", \"modified_time_dt\": \"2023-09-25T21:06:16.073732Z\", \"accessed_time_dt\": \"2023-09-25T21:06:16.073784Z\"}, \"time_dt\": \"2023-09-25T21:06:16.072807Z\", \"type_uid\": 400603, \"time\": 1695675976070, \"command\": \"switch text springs\", \"src_endpoint\": {\"name\": \"wyoming relocation sufficiently\", \"port\": 21573, \"ip\": \"67.43.156.0\", \"uid\": \"5d95a0ac-5be7-11ee-a3e8-0242ac110005\", \"hostname\": \"sara.web\", \"instance_uid\": \"5d95a4ee-5be7-11ee-a0b5-0242ac110005\", \"interface_name\": \"christians comparing garbage\", \"interface_uid\": 
\"5d95a8e0-5be7-11ee-800d-0242ac110005\", \"svc_name\": \"photographers do nobody\", \"vpc_uid\": \"5d95aec6-5be7-11ee-b409-0242ac110005\"}, \"type_name\": \"SMB Activity: File Create\", \"share_type_id\": 1, \"response\": {\"error\": \"monsters pl positioning\", \"code\": 94, \"error_message\": \"wires hart dirty\"}, \"status_id\": 2, \"activity_name\": \"File Create\", \"activity_id\": 3, \"client_dialects\": [\"gabriel ourselves diameter\", \"avg pages denial\"], \"timezone_offset\": 21, \"severity_id\": 3, \"open_type\": \"estates collections cia\", \"share_type\": \"File\", \"severity\": \"Medium\", \"message\": \"hotels boc parcel\", \"status\": \"Failure\", \"connection_info\": {\"direction\": \"Unknown\", \"direction_id\": 0, \"protocol_num\": 89}, \"device\": {\"name\": \"rwanda medal hazardous\", \"type\": \"IOT\", \"ip\": \"175.16.199.1\", \"hostname\": \"african.museum\", \"groups\": [{\"name\": \"medical discovered punishment\", \"uid\": \"5d958856-5be7-11ee-bf58-0242ac110005\"}, {\"name\": \"layer achieving api\", \"type\": \"prefers biol broke\", \"uid\": \"5d958cc0-5be7-11ee-8274-0242ac110005\"}], \"type_id\": 7, \"autoscale_uid\": \"5d957758-5be7-11ee-bdd5-0242ac110005\", \"instance_uid\": \"5d957cd0-5be7-11ee-b6eb-0242ac110005\", \"interface_name\": \"guided educational wy\", \"interface_uid\": \"5d958130-5be7-11ee-894c-0242ac110005\", \"is_personal\": false, \"region\": \"retain ste cfr\"}, \"disposition\": \"Allowed\", \"dst_endpoint\": {\"name\": \"simulations mountains flow\", \"port\": 3375, \"ip\": \"67.43.156.0\", \"uid\": \"5d954af8-5be7-11ee-9dec-0242ac110005\", \"hostname\": \"larger.mil\", \"instance_uid\": \"5d9550f2-5be7-11ee-8ce8-0242ac110005\", \"interface_name\": \"remaining james spent\", \"interface_uid\": \"5d955516-5be7-11ee-8913-0242ac110005\", \"svc_name\": \"galleries facilitate fiji\"}, \"dialect\": \"teams restaurants altered\", \"duration\": 78, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Credential 
Access The adversary is trying to steal account names and passwords.\", \"uid\": \"TA0006\"}, {\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}], \"technique\": {\"name\": \"Multi-hop Proxy\", \"uid\": \"T1090.003\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}, {\"name\": \"Resource Development | The adversary is trying to establish resources they can use to support operations.\", \"uid\": \"TA0042\"}, {\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}], \"technique\": {\"name\": \"Python\", \"uid\": \"T1059.006\"}}], \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"quantities persian easy\", \"version\": \"1.0.0\", \"uid\": \"5d952ece-5be7-11ee-8ef1-0242ac110005\", \"url_string\": \"blog\", \"vendor_name\": \"appliances building lauren\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"correlation_uid\": \"5d9534be-5be7-11ee-a413-0242ac110005\", \"log_name\": \"tampa array expired\", \"original_time\": \"gis holmes roads\", \"processed_time\": 1695675976062, \"modified_time_dt\": \"2023-09-25T21:06:16.069686Z\"}, \"class_name\": \"SMB Activity\", \"category_name\": \"Network Activity\", \"disposition_id\": 1, \"cloud\": {\"provider\": \"bracelet characteristic scenic\", \"region\": \"southern handles paradise\", \"zone\": \"silk appointed semi\"}, \"class_uid\": 4006}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } + "message": "{\"time\": 1598377391.921726, \"uuid\": \"CsukF91Bx9mrqdEaH9\", \"src_endpoint\": {\"ip\": \"192.168.4.49\", \"port\": 56718}, \"dst_endpoint\": {\"ip\": \"13.32.202.10\", \"port\": 443}, \"version\": \"TLSv12\", \"cipher\": \"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\", \"certificate\": 
\"secp256r1\", \"domain\": \"www.taosecurity.com\", \"certificate_chain\": [\"F2XEvj1CahhdhtfvT4\", \"FZ7ygD3ERPfEVVohG9\", \"F7vklpOKI4yX9wmvh\", \"FAnbnR32nIIr2j9XV\"], \"subject\": \"CN=www.taosecurity.com\", \"issuer\": \"CN=Amazon,OU=Server CA 1B,O=Amazon,C=US\", \"unmapped\": {\"next_protocol\": \"h2\", \"resumed\": false}, \"network_activity\": {\"status_id\": \"1\"}, \"category_uid\": 4, \"category_name\": \"Network Activity\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"metadata\": {\"profiles\": [\"security_control\"], \"product\": {\"name\": \"Zeek\", \"feature\": {\"name\": \"ssl.log\"}, \"vendor_name\": \"Zeek\"}}, \"severity\": \"Informational\", \"severity_id\": 1}" }, "expected": { - "message": "{\"category_uid\": 4, \"file\": {\"attributes\": 43, \"name\": \"brazil.docx\", \"type\": \"Character Device\", \"path\": \"pay msie consciousness/checking.tiff/brazil.docx\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"tagged military guided\", \"issuer\": \"digest june ty\", \"fingerprints\": [{\"value\": \"9B0FBD383D667D48DB1FE9647C1E4BAA821ACA2908D5FFED88F145781F8B1A35\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1695675976051, \"expiration_time\": 1695675976057, \"serial_number\": \"schedules heater hardwood\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"product\": {\"name\": \"oecd initiatives purposes\", \"version\": \"1.0.0\", \"uid\": \"5d95c636-5be7-11ee-8b22-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"personal harmful referrals\"}, \"uid\": \"5d95ca5a-5be7-11ee-a417-0242ac110005\", \"type_id\": 3, \"parent_folder\": \"pay msie consciousness/checking.tiff\", \"hashes\": [{\"value\": \"37B77065B54AA76AAE4D96BFEA21F81217D2CEDE06CA457D86A77C0609B483B73102B9C600CC6DFEA5252B15E8E823BD2E5137AA311F7A2011B867F18FE9F502\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"B6F8AE88482BDE38221723480B7EE2BE8088C076BDB5F22AA847A66E59C2ACFB\", \"algorithm\": 
\"SHA-256\", \"algorithm_id\": 3}], \"modified_time\": 1695675976016, \"security_descriptor\": \"subsequent latinas quotes\", \"modified_time_dt\": \"2023-09-25T21:06:16.073732Z\", \"accessed_time_dt\": \"2023-09-25T21:06:16.073784Z\"}, \"time_dt\": \"2023-09-25T21:06:16.072807Z\", \"type_uid\": 400603, \"time\": 1695675976070, \"command\": \"switch text springs\", \"src_endpoint\": {\"name\": \"wyoming relocation sufficiently\", \"port\": 21573, \"ip\": \"67.43.156.0\", \"uid\": \"5d95a0ac-5be7-11ee-a3e8-0242ac110005\", \"hostname\": \"sara.web\", \"instance_uid\": \"5d95a4ee-5be7-11ee-a0b5-0242ac110005\", \"interface_name\": \"christians comparing garbage\", \"interface_uid\": \"5d95a8e0-5be7-11ee-800d-0242ac110005\", \"svc_name\": \"photographers do nobody\", \"vpc_uid\": \"5d95aec6-5be7-11ee-b409-0242ac110005\"}, \"type_name\": \"SMB Activity: File Create\", \"share_type_id\": 1, \"response\": {\"error\": \"monsters pl positioning\", \"code\": 94, \"error_message\": \"wires hart dirty\"}, \"status_id\": 2, \"activity_name\": \"File Create\", \"activity_id\": 3, \"client_dialects\": [\"gabriel ourselves diameter\", \"avg pages denial\"], \"timezone_offset\": 21, \"severity_id\": 3, \"open_type\": \"estates collections cia\", \"share_type\": \"File\", \"severity\": \"Medium\", \"message\": \"hotels boc parcel\", \"status\": \"Failure\", \"connection_info\": {\"direction\": \"Unknown\", \"direction_id\": 0, \"protocol_num\": 89}, \"device\": {\"name\": \"rwanda medal hazardous\", \"type\": \"IOT\", \"ip\": \"175.16.199.1\", \"hostname\": \"african.museum\", \"groups\": [{\"name\": \"medical discovered punishment\", \"uid\": \"5d958856-5be7-11ee-bf58-0242ac110005\"}, {\"name\": \"layer achieving api\", \"type\": \"prefers biol broke\", \"uid\": \"5d958cc0-5be7-11ee-8274-0242ac110005\"}], \"type_id\": 7, \"autoscale_uid\": \"5d957758-5be7-11ee-bdd5-0242ac110005\", \"instance_uid\": \"5d957cd0-5be7-11ee-b6eb-0242ac110005\", \"interface_name\": \"guided educational 
wy\", \"interface_uid\": \"5d958130-5be7-11ee-894c-0242ac110005\", \"is_personal\": false, \"region\": \"retain ste cfr\"}, \"disposition\": \"Allowed\", \"dst_endpoint\": {\"name\": \"simulations mountains flow\", \"port\": 3375, \"ip\": \"67.43.156.0\", \"uid\": \"5d954af8-5be7-11ee-9dec-0242ac110005\", \"hostname\": \"larger.mil\", \"instance_uid\": \"5d9550f2-5be7-11ee-8ce8-0242ac110005\", \"interface_name\": \"remaining james spent\", \"interface_uid\": \"5d955516-5be7-11ee-8913-0242ac110005\", \"svc_name\": \"galleries facilitate fiji\"}, \"dialect\": \"teams restaurants altered\", \"duration\": 78, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Credential Access The adversary is trying to steal account names and passwords.\", \"uid\": \"TA0006\"}, {\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}], \"technique\": {\"name\": \"Multi-hop Proxy\", \"uid\": \"T1090.003\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}, {\"name\": \"Resource Development | The adversary is trying to establish resources they can use to support operations.\", \"uid\": \"TA0042\"}, {\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}], \"technique\": {\"name\": \"Python\", \"uid\": \"T1059.006\"}}], \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"quantities persian easy\", \"version\": \"1.0.0\", \"uid\": \"5d952ece-5be7-11ee-8ef1-0242ac110005\", \"url_string\": \"blog\", \"vendor_name\": \"appliances building lauren\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"correlation_uid\": \"5d9534be-5be7-11ee-a413-0242ac110005\", \"log_name\": \"tampa array expired\", \"original_time\": \"gis holmes roads\", \"processed_time\": 1695675976062, \"modified_time_dt\": 
\"2023-09-25T21:06:16.069686Z\"}, \"class_name\": \"SMB Activity\", \"category_name\": \"Network Activity\", \"disposition_id\": 1, \"cloud\": {\"provider\": \"bracelet characteristic scenic\", \"region\": \"southern handles paradise\", \"zone\": \"silk appointed semi\"}, \"class_uid\": 4006}", + "message": "{\"time\": 1598377391.921726, \"uuid\": \"CsukF91Bx9mrqdEaH9\", \"src_endpoint\": {\"ip\": \"192.168.4.49\", \"port\": 56718}, \"dst_endpoint\": {\"ip\": \"13.32.202.10\", \"port\": 443}, \"version\": \"TLSv12\", \"cipher\": \"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\", \"certificate\": \"secp256r1\", \"domain\": \"www.taosecurity.com\", \"certificate_chain\": [\"F2XEvj1CahhdhtfvT4\", \"FZ7ygD3ERPfEVVohG9\", \"F7vklpOKI4yX9wmvh\", \"FAnbnR32nIIr2j9XV\"], \"subject\": \"CN=www.taosecurity.com\", \"issuer\": \"CN=Amazon,OU=Server CA 1B,O=Amazon,C=US\", \"unmapped\": {\"next_protocol\": \"h2\", \"resumed\": false}, \"network_activity\": {\"status_id\": \"1\"}, \"category_uid\": 4, \"category_name\": \"Network Activity\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"metadata\": {\"profiles\": [\"security_control\"], \"product\": {\"name\": \"Zeek\", \"feature\": {\"name\": \"ssl.log\"}, \"vendor_name\": \"Zeek\"}}, \"severity\": \"Informational\", \"severity_id\": 1}", "event": { - "action": "file create", "category": [ - "api", - "file" + "network" ], - "duration": 78000000, "kind": "event", - "outcome": "failure", - "severity": 3, + "severity": 1, "type": [ - "creation", "info" ] }, - "@timestamp": "2023-09-25T21:06:16.072807Z", - "cloud": { - "availability_zone": "silk appointed semi", - "provider": "bracelet characteristic scenic", - "region": "southern handles paradise" - }, + "@timestamp": "2020-08-25T17:43:11.921726Z", "destination": { - "address": "larger.mil", - "domain": "larger.mil", - "ip": "67.43.156.0", - "port": 3375, - "registered_domain": "larger.mil", - "top_level_domain": "mil" - }, - "email": { - "attachments": { - "file": { - 
"name": "brazil.docx"
- }
- }
- },
- "file": {
- "accessed": "2023-09-25T21:06:16.073784Z",
- "directory": "pay msie consciousness/checking.tiff",
- "hash": {
- "sha256": "B6F8AE88482BDE38221723480B7EE2BE8088C076BDB5F22AA847A66E59C2ACFB"
- },
- "inode": "5d95ca5a-5be7-11ee-a417-0242ac110005",
- "mtime": "2023-09-25T21:06:16.073732Z",
- "name": "brazil.docx",
- "path": "pay msie consciousness/checking.tiff/brazil.docx",
- "type": "Character Device",
- "x509": {
- "issuer": {
- "distinguished_name": "digest june ty"
- },
- "not_after": "2023-09-25T21:06:16.057000Z",
- "serial_number": "schedules heater hardwood",
- "subject": {
- "distinguished_name": "tagged military guided"
- },
- "version_number": "1.0.0"
- }
- },
- "host": {
- "hostname": "african.museum",
- "ip": [
- "175.16.199.1"
- ],
- "name": "african.museum",
- "type": "IOT"
- },
- "http": {
- "response": {
- "status_code": 94
- }
- },
- "network": {
- "application": "galleries facilitate fiji",
- "direction": [
- "unknown"
- ],
- "iana_number": "89"
+ "address": "13.32.202.10",
+ "ip": "13.32.202.10",
+ "port": 443
 },
 "ocsf": {
- "activity_id": 3,
- "activity_name": "File Create",
- "class_name": "SMB Activity",
- "class_uid": 4006
+ "class_name": "Network Activity",
+ "class_uid": 4001
 },
 "related": {
- "hash": [
- "B6F8AE88482BDE38221723480B7EE2BE8088C076BDB5F22AA847A66E59C2ACFB"
- ],
- "hosts": [
- "african.museum",
- "larger.mil",
- "sara.web"
- ],
 "ip": [
- "175.16.199.1",
- "67.43.156.0"
+ "13.32.202.10",
+ "192.168.4.49"
 ]
 },
 "source": {
- "address": "sara.web",
- "domain": "sara.web",
- "ip": "67.43.156.0",
- "port": 21573,
- "subdomain": "sara"
- },
- "threat": {
- "technique": {
- "id": [
- "T1059.006",
- "T1090.003"
- ],
- "name": [
- "Multi-hop Proxy",
- "Python"
+ "address": "192.168.4.49",
+ "ip": "192.168.4.49",
+ "port": 56718
+ },
+ "tls": {
+ "server": {
+ "certificate_chain": [
+ "F2XEvj1CahhdhtfvT4",
+ "F7vklpOKI4yX9wmvh",
+ "FAnbnR32nIIr2j9XV",
+ "FZ7ygD3ERPfEVVohG9"
 ]
 }
 }
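Review bot: The expected `tls.server.certificate_chain` lists the four entries in sorted order (F2…, F7…, FA…, FZ…) while the input message gives them as F2…, FZ…, F7…, FA…; if that reordering is done by the parser rather than by the test harness's array normalisation, it discards the leaf-to-root order a certificate chain carries, which is what a later consumer needs to pick out the leaf certificate. The Zeek ssl.log sample also places `version`, `cipher`, `subject`, `issuer` and `domain` at the event root instead of inside the OCSF `tls` object, so none of them reach `tls.version`, `tls.cipher`, `tls.client.server_name` or `tls.client.x509.*` in the expected block, and the `tls.*` mapping that the RDP fixture removed from test_network_activity_5.json exercised is no longer asserted. Consider nesting those attributes under `tls` in the sample, or keeping a second fixture that has them nested, so that mapping stays covered.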
diff --git a/OCSF/ocsf/tests/test_network_activity_7.json b/OCSF/ocsf/tests/test_network_activity_7.json
deleted file mode 100644
index 2d1395e3f..000000000
--- a/OCSF/ocsf/tests/test_network_activity_7.json
+++ /dev/null
@@ -1,85 +0,0 @@ -{ - "input": { - "message": "{\"message\": \"necessarily concord washer\", \"status\": \"Failure\", \"time\": 1695675986429, \"device\": {\"name\": \"britney diseases bhutan\", \"type\": \"Tablet\", \"ip\": \"127.252.94.88\", \"uid\": \"63c18c7a-5be7-11ee-930e-0242ac110005\", \"hostname\": \"incurred.net\", \"type_id\": 4, \"hypervisor\": \"attempt missouri lan\", \"instance_uid\": \"63c182d4-5be7-11ee-afba-0242ac110005\", \"interface_name\": \"mozambique pm carol\", \"is_personal\": false, \"is_trusted\": true, \"region\": \"southeast packed cookies\", \"vlan_uid\": \"63c18892-5be7-11ee-b15d-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"anaheim used riverside\", \"version\": \"1.0.0\", \"path\": \"volvo expired marketing\", \"uid\": \"63c0f6ac-5be7-11ee-a542-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"flowers billing iso\"}, \"uid\": \"63c0fbfc-5be7-11ee-82e8-0242ac110005\", \"sequence\": 3, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"bowling consistently pgp\", \"log_provider\": \"babies entities stephanie\", \"original_time\": \"weed treasury specifications\"}, \"proxy\": {\"name\": \"involve teacher calls\", \"port\": 50284, \"hostname\": \"problems.org\", \"instance_uid\": \"63c20466-5be7-11ee-a825-0242ac110005\", \"interface_name\": \"probe drugs bonds\", \"interface_uid\": \"63c24e08-5be7-11ee-be10-0242ac110005\", \"subnet_uid\": \"63c25358-5be7-11ee-a90c-0242ac110005\", \"svc_name\": \"selecting regional enrollment\", \"vlan_uid\": \"63c257fe-5be7-11ee-bca6-0242ac110005\"}, \"connection_info\": {\"protocol_name\": \"genes booth confirm\", \"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 59, \"tcp_flags\": 18}, \"severity\": \"Informational\", \"disposition\": \"Custom Action\", \"type_name\": \"SSH Activity: Unknown\", \"activity_id\": 0, \"disposition_id\": 7, \"type_uid\": 400700, \"category_name\": \"Network 
Activity\", \"class_uid\": 4007, \"category_uid\": 4, \"class_name\": \"SSH Activity\", \"timezone_offset\": 88, \"activity_name\": \"Unknown\", \"client_hassh\": {\"algorithm\": \"gave dollars relocation\", \"fingerprint\": {\"value\": \"232BC0C0B14F890B4F4BBBBD5985A67835F29296946D5D7F9401A44A441D72A2E3C86A7ED1DABF2390B70C41466925E22D45442C6CE2C51BF2BD75A66EBA67AC\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}}, \"cloud\": {\"provider\": \"flights density typical\"}, \"dst_endpoint\": {\"ip\": \"175.16.199.1\", \"uid\": \"63c1050c-5be7-11ee-8213-0242ac110005\", \"hostname\": \"novelty.arpa\", \"instance_uid\": \"63c1091c-5be7-11ee-a143-0242ac110005\", \"interface_name\": \"salvador far disable\", \"interface_uid\": \"63c10d18-5be7-11ee-9b99-0242ac110005\", \"svc_name\": \"observations dennis meals\", \"vpc_uid\": \"63c11100-5be7-11ee-9b51-0242ac110005\"}, \"server_hassh\": {\"algorithm\": \"shelter remember stickers\", \"fingerprint\": {\"value\": \"B23B6D25324F518146005AEA01FD7A7C64EC137532780572E3852F9D8E8556F4\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"severity_id\": 1, \"src_endpoint\": {\"name\": \"spas enclosure pleased\", \"port\": 63141, \"ip\": \"67.43.156.0\", \"uid\": \"63c1bb1e-5be7-11ee-b5ab-0242ac110005\", \"hostname\": \"visit.name\", \"instance_uid\": \"63c1c4ec-5be7-11ee-ac25-0242ac110005\", \"interface_name\": \"successful maryland study\", \"svc_name\": \"shipment miscellaneous highlights\", \"vpc_uid\": \"63c1fa70-5be7-11ee-ac6c-0242ac110005\"}, \"status_id\": 2, \"time_dt\": \"2023-09-25T21:06:26.429430Z\"}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"message\": \"necessarily concord washer\", \"status\": \"Failure\", \"time\": 1695675986429, \"device\": {\"name\": \"britney diseases bhutan\", \"type\": \"Tablet\", \"ip\": \"127.252.94.88\", \"uid\": \"63c18c7a-5be7-11ee-930e-0242ac110005\", \"hostname\": 
\"incurred.net\", \"type_id\": 4, \"hypervisor\": \"attempt missouri lan\", \"instance_uid\": \"63c182d4-5be7-11ee-afba-0242ac110005\", \"interface_name\": \"mozambique pm carol\", \"is_personal\": false, \"is_trusted\": true, \"region\": \"southeast packed cookies\", \"vlan_uid\": \"63c18892-5be7-11ee-b15d-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"anaheim used riverside\", \"version\": \"1.0.0\", \"path\": \"volvo expired marketing\", \"uid\": \"63c0f6ac-5be7-11ee-a542-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"flowers billing iso\"}, \"uid\": \"63c0fbfc-5be7-11ee-82e8-0242ac110005\", \"sequence\": 3, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"bowling consistently pgp\", \"log_provider\": \"babies entities stephanie\", \"original_time\": \"weed treasury specifications\"}, \"proxy\": {\"name\": \"involve teacher calls\", \"port\": 50284, \"hostname\": \"problems.org\", \"instance_uid\": \"63c20466-5be7-11ee-a825-0242ac110005\", \"interface_name\": \"probe drugs bonds\", \"interface_uid\": \"63c24e08-5be7-11ee-be10-0242ac110005\", \"subnet_uid\": \"63c25358-5be7-11ee-a90c-0242ac110005\", \"svc_name\": \"selecting regional enrollment\", \"vlan_uid\": \"63c257fe-5be7-11ee-bca6-0242ac110005\"}, \"connection_info\": {\"protocol_name\": \"genes booth confirm\", \"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 59, \"tcp_flags\": 18}, \"severity\": \"Informational\", \"disposition\": \"Custom Action\", \"type_name\": \"SSH Activity: Unknown\", \"activity_id\": 0, \"disposition_id\": 7, \"type_uid\": 400700, \"category_name\": \"Network Activity\", \"class_uid\": 4007, \"category_uid\": 4, \"class_name\": \"SSH Activity\", \"timezone_offset\": 88, \"activity_name\": \"Unknown\", \"client_hassh\": {\"algorithm\": \"gave dollars relocation\", \"fingerprint\": {\"value\": 
\"232BC0C0B14F890B4F4BBBBD5985A67835F29296946D5D7F9401A44A441D72A2E3C86A7ED1DABF2390B70C41466925E22D45442C6CE2C51BF2BD75A66EBA67AC\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}}, \"cloud\": {\"provider\": \"flights density typical\"}, \"dst_endpoint\": {\"ip\": \"175.16.199.1\", \"uid\": \"63c1050c-5be7-11ee-8213-0242ac110005\", \"hostname\": \"novelty.arpa\", \"instance_uid\": \"63c1091c-5be7-11ee-a143-0242ac110005\", \"interface_name\": \"salvador far disable\", \"interface_uid\": \"63c10d18-5be7-11ee-9b99-0242ac110005\", \"svc_name\": \"observations dennis meals\", \"vpc_uid\": \"63c11100-5be7-11ee-9b51-0242ac110005\"}, \"server_hassh\": {\"algorithm\": \"shelter remember stickers\", \"fingerprint\": {\"value\": \"B23B6D25324F518146005AEA01FD7A7C64EC137532780572E3852F9D8E8556F4\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"severity_id\": 1, \"src_endpoint\": {\"name\": \"spas enclosure pleased\", \"port\": 63141, \"ip\": \"67.43.156.0\", \"uid\": \"63c1bb1e-5be7-11ee-b5ab-0242ac110005\", \"hostname\": \"visit.name\", \"instance_uid\": \"63c1c4ec-5be7-11ee-ac25-0242ac110005\", \"interface_name\": \"successful maryland study\", \"svc_name\": \"shipment miscellaneous highlights\", \"vpc_uid\": \"63c1fa70-5be7-11ee-ac6c-0242ac110005\"}, \"status_id\": 2, \"time_dt\": \"2023-09-25T21:06:26.429430Z\"}", - "event": { - "action": "unknown", - "category": [ - "network" - ], - "kind": "event", - "outcome": "failure", - "provider": "babies entities stephanie", - "sequence": 3, - "severity": 1, - "type": [ - "info", - "protocol" - ] - }, - "@timestamp": "2023-09-25T21:06:26.429430Z", - "cloud": { - "provider": "flights density typical" - }, - "destination": { - "address": "novelty.arpa", - "domain": "novelty.arpa", - "ip": "175.16.199.1", - "registered_domain": "novelty.arpa", - "top_level_domain": "arpa" - }, - "host": { - "hostname": "incurred.net", - "id": "63c18c7a-5be7-11ee-930e-0242ac110005", - "ip": [ - "127.252.94.88" - ], - "name": 
"incurred.net", - "type": "Tablet" - }, - "network": { - "application": "observations dennis meals", - "direction": [ - "inbound" - ], - "iana_number": "59", - "vlan": { - "id": "63c18892-5be7-11ee-b15d-0242ac110005" - } - }, - "ocsf": { - "activity_id": 0, - "activity_name": "Unknown", - "class_name": "SSH Activity", - "class_uid": 4007 - }, - "related": { - "hosts": [ - "incurred.net", - "novelty.arpa", - "visit.name" - ], - "ip": [ - "127.252.94.88", - "175.16.199.1", - "67.43.156.0" - ] - }, - "source": { - "address": "visit.name", - "domain": "visit.name", - "ip": "67.43.156.0", - "port": 63141, - "registered_domain": "visit.name", - "top_level_domain": "name" - } - } -} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_8.json b/OCSF/ocsf/tests/test_network_activity_8.json deleted file mode 100644 index f88e9e6a8..000000000 --- a/OCSF/ocsf/tests/test_network_activity_8.json +++ /dev/null 
@@ -1,85 +0,0 @@ -{ - "input": { - "message": "{\"command\": \"moving sensitivity uri\", \"message\": \"cyber flower lyric\", \"port\": 58038, \"status\": \"discussions\", \"type\": \"seller luther nursery\", \"time\": 1695675995262, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"islands unless trivia\", \"version\": \"1.0.0\", \"uid\": \"690566e8-5be7-11ee-bbe6-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"mai insight ws\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"correlation_uid\": \"69056d3c-5be7-11ee-8e34-0242ac110005\", \"log_name\": \"investor direct pickup\", \"log_provider\": \"penn awards fp\", \"original_time\": \"fax pro carries\", \"processed_time\": 1695675995263, \"modified_time_dt\": \"2023-09-25T21:06:35.260101Z\"}, \"connection_info\": {\"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 74}, \"severity\": \"Fatal\", \"disposition\": \"Blocked\", \"type_name\": \"FTP Activity: Unknown\", \"activity_id\": 0, \"disposition_id\": 2, \"type_uid\": 400800, \"category_name\": \"Network Activity\", \"class_uid\": 4008, \"category_uid\": 4, \"class_name\": \"FTP Activity\", \"timezone_offset\": 79, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}, {\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}, {\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}], \"technique\": {\"name\": \"Exploitation for Client Execution\", \"uid\": \"T1203\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Lateral Movement | The adversary is trying to move through your environment.\", \"uid\": \"TA0008\"}, {\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}], \"technique\": 
{\"name\": \"Acquire Infrastructure\", \"uid\": \"T1583\"}}], \"activity_name\": \"Unknown\", \"cloud\": {\"provider\": \"there underwear pitch\"}, \"codes\": [44], \"command_responses\": [\"equations studios metallic\", \"heat designated unto\"], \"dst_endpoint\": {\"port\": 37570, \"ip\": \"67.43.156.0\", \"uid\": \"69057d22-5be7-11ee-b5d1-0242ac110005\", \"hostname\": \"seattle.cat\", \"instance_uid\": \"690581f0-5be7-11ee-8486-0242ac110005\", \"interface_name\": \"towards suzuki opportunities\", \"interface_uid\": \"690585f6-5be7-11ee-a611-0242ac110005\", \"svc_name\": \"meditation qualify finish\", \"vlan_uid\": \"69058a1a-5be7-11ee-bf51-0242ac110005\"}, \"end_time\": 1695675995259, \"severity_id\": 6, \"src_endpoint\": {\"port\": 21528, \"domain\": \"preview lectures oo\", \"uid\": \"6905c674-5be7-11ee-8e5b-0242ac110005\", \"hostname\": \"collectible.firm\", \"instance_uid\": \"6905cb2e-5be7-11ee-bd4d-0242ac110005\", \"interface_name\": \"drives center wondering\", \"interface_uid\": \"6905cf66-5be7-11ee-af73-0242ac110005\", \"intermediate_ips\": [\"67.43.156.0\", \"89.160.20.112\"], \"svc_name\": \"burn mental trembl\", \"vpc_uid\": \"6905d4a2-5be7-11ee-b06b-0242ac110005\"}, \"status_code\": \"certificates\", \"status_id\": 99, \"traffic\": {\"bytes\": 1018309558, \"bytes_out\": 469399752, \"packets\": 3392751261, \"packets_in\": 114291882}, \"end_time_dt\": \"2023-09-25T21:06:35.259215Z\"}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"command\": \"moving sensitivity uri\", \"message\": \"cyber flower lyric\", \"port\": 58038, \"status\": \"discussions\", \"type\": \"seller luther nursery\", \"time\": 1695675995262, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"islands unless trivia\", \"version\": \"1.0.0\", \"uid\": \"690566e8-5be7-11ee-bbe6-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"mai insight ws\"}, \"profiles\": 
[\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"correlation_uid\": \"69056d3c-5be7-11ee-8e34-0242ac110005\", \"log_name\": \"investor direct pickup\", \"log_provider\": \"penn awards fp\", \"original_time\": \"fax pro carries\", \"processed_time\": 1695675995263, \"modified_time_dt\": \"2023-09-25T21:06:35.260101Z\"}, \"connection_info\": {\"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 74}, \"severity\": \"Fatal\", \"disposition\": \"Blocked\", \"type_name\": \"FTP Activity: Unknown\", \"activity_id\": 0, \"disposition_id\": 2, \"type_uid\": 400800, \"category_name\": \"Network Activity\", \"class_uid\": 4008, \"category_uid\": 4, \"class_name\": \"FTP Activity\", \"timezone_offset\": 79, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}, {\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}, {\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}], \"technique\": {\"name\": \"Exploitation for Client Execution\", \"uid\": \"T1203\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Lateral Movement | The adversary is trying to move through your environment.\", \"uid\": \"TA0008\"}, {\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}], \"technique\": {\"name\": \"Acquire Infrastructure\", \"uid\": \"T1583\"}}], \"activity_name\": \"Unknown\", \"cloud\": {\"provider\": \"there underwear pitch\"}, \"codes\": [44], \"command_responses\": [\"equations studios metallic\", \"heat designated unto\"], \"dst_endpoint\": {\"port\": 37570, \"ip\": \"67.43.156.0\", \"uid\": \"69057d22-5be7-11ee-b5d1-0242ac110005\", \"hostname\": \"seattle.cat\", \"instance_uid\": \"690581f0-5be7-11ee-8486-0242ac110005\", \"interface_name\": 
\"towards suzuki opportunities\", \"interface_uid\": \"690585f6-5be7-11ee-a611-0242ac110005\", \"svc_name\": \"meditation qualify finish\", \"vlan_uid\": \"69058a1a-5be7-11ee-bf51-0242ac110005\"}, \"end_time\": 1695675995259, \"severity_id\": 6, \"src_endpoint\": {\"port\": 21528, \"domain\": \"preview lectures oo\", \"uid\": \"6905c674-5be7-11ee-8e5b-0242ac110005\", \"hostname\": \"collectible.firm\", \"instance_uid\": \"6905cb2e-5be7-11ee-bd4d-0242ac110005\", \"interface_name\": \"drives center wondering\", \"interface_uid\": \"6905cf66-5be7-11ee-af73-0242ac110005\", \"intermediate_ips\": [\"67.43.156.0\", \"89.160.20.112\"], \"svc_name\": \"burn mental trembl\", \"vpc_uid\": \"6905d4a2-5be7-11ee-b06b-0242ac110005\"}, \"status_code\": \"certificates\", \"status_id\": 99, \"traffic\": {\"bytes\": 1018309558, \"bytes_out\": 469399752, \"packets\": 3392751261, \"packets_in\": 114291882}, \"end_time_dt\": \"2023-09-25T21:06:35.259215Z\"}", - "event": { - "action": "unknown", - "category": [ - "file", - "network" - ], - "end": "2023-09-25T21:06:35.259000Z", - "kind": "event", - "provider": "penn awards fp", - "severity": 6, - "type": [ - "info", - "protocol" - ] - }, - "@timestamp": "2023-09-25T21:06:35.262000Z", - "cloud": { - "provider": "there underwear pitch" - }, - "destination": { - "address": "seattle.cat", - "domain": "seattle.cat", - "ip": "67.43.156.0", - "packets": 114291882, - "port": 37570, - "registered_domain": "seattle.cat", - "top_level_domain": "cat" - }, - "network": { - "application": "meditation qualify finish", - "bytes": 1018309558, - "direction": [ - "inbound" - ], - "iana_number": "74", - "packets": 3392751261 - }, - "ocsf": { - "activity_id": 0, - "activity_name": "Unknown", - "class_name": "FTP Activity", - "class_uid": 4008 - }, - "related": { - "hosts": [ - "collectible.firm", - "seattle.cat" - ], - "ip": [ - "67.43.156.0" - ] - }, - "source": { - "address": "collectible.firm", - "bytes": 469399752, - "domain": "collectible.firm", - 
"port": 21528, - "subdomain": "collectible" - }, - "threat": { - "technique": { - "id": [ - "T1203", - "T1583" - ], - "name": [ - "Acquire Infrastructure", - "Exploitation for Client Execution" - ] - } - } - } -} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_9.json b/OCSF/ocsf/tests/test_network_activity_9.json deleted file mode 100644 index 5a85f7c05..000000000 --- a/OCSF/ocsf/tests/test_network_activity_9.json +++ /dev/null 
@@ -1,72 +0,0 @@ -{ - "input": { - "message": "{\"message\": \"freeware sticks unsigned\", \"status\": \"Success\", \"time\": 1695676021669, \"device\": {\"name\": \"programming apr remark\", \"type\": \"Tablet\", \"os\": {\"name\": \"rfc oman tan\", \"type\": \"macOS\", \"country\": \"Monaco, Principality of\", \"type_id\": 300, \"edition\": \"mortality achievements apparatus\", \"sp_name\": \"advanced addressed bomb\"}, \"ip\": \"175.16.199.1\", \"uid\": \"78c33c0e-5be7-11ee-ba4c-0242ac110005\", \"org\": {\"uid\": \"78c2f8d4-5be7-11ee-b0f0-0242ac110005\", \"ou_name\": \"florence homes divine\", \"ou_uid\": \"78c2fda2-5be7-11ee-9d5a-0242ac110005\"}, \"type_id\": 4, \"instance_uid\": \"78c328c2-5be7-11ee-8cdd-0242ac110005\", \"interface_name\": \"instruments diana nature\", \"interface_uid\": \"78c336c8-5be7-11ee-82fb-0242ac110005\", \"network_interfaces\": [{\"name\": \"sick mobility terrain\", \"type\": \"Wired\", \"ip\": \"175.16.199.1\", \"hostname\": \"buried.museum\", \"mac\": \"8A:A5:A8:8F:C5:1E:88:79\", \"type_id\": 1}, {\"name\": \"wiki philippines quick\", \"type\": \"Unknown\", \"ip\": \"175.16.199.1\", \"hostname\": \"acts.edu\", \"mac\": \"AB:AB:43:8:B2:A1:B7:8\", \"namespace\": \"that rare html\", \"type_id\": 0, \"subnet_prefix\": 34}], \"region\": \"bat johnston disability\", \"created_time_dt\": \"2023-09-25T21:07:01.668193Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"extension\": {\"name\": \"broad fears transfers\", \"version\": \"1.0.0\", \"uid\": \"78c2668a-5be7-11ee-a776-0242ac110005\"}, \"product\": {\"name\": \"civilian clearance powerseller\", \"version\": \"1.0.0\", \"uid\": \"78c28282-5be7-11ee-989a-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"activists berlin dramatically\"}, \"uid\": \"78c29cfe-5be7-11ee-9fb1-0242ac110005\", \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"seats briefly charming\", \"log_provider\": \"sheet satisfaction survey\", \"original_time\": 
\"administered respected angeles\"}, \"severity\": \"Informational\", \"email\": {\"size\": 2106286084, \"uid\": \"78c1ed2c-5be7-11ee-9a21-0242ac110005\", \"from\": \"Han@trans.info\", \"to\": [\"Vernia@tba.edu\", \"Darnell@stereo.nato\"], \"message_uid\": \"78c23354-5be7-11ee-b3ad-0242ac110005\", \"reply_to\": \"Nguyet@quoted.edu\", \"smtp_from\": \"Joyce@lending.org\", \"smtp_to\": [\"Kesha@whose.firm\"]}, \"direction\": \"Unknown\", \"disposition\": \"No Action\", \"type_name\": \"Email Activity: Other\", \"disposition_id\": 16, \"type_uid\": 400999, \"category_name\": \"Network Activity\", \"class_uid\": 4009, \"category_uid\": 4, \"class_name\": \"Email Activity\", \"timezone_offset\": 24, \"raw_data\": \"lakes cycles remainder\", \"cloud\": {\"provider\": \"stick harris italy\", \"region\": \"cj safer should\"}, \"direction_id\": 0, \"end_time\": 1695676021666, \"enrichments\": [{\"data\": {\"healthcare\": \"hddhj\"}, \"name\": \"remind jury laden\", \"type\": \"sale updating poll\", \"value\": \"savings ref bbc\", \"provider\": \"in hurt hl\"}, {\"data\": {\"chubby\": \"7895ss\"}, \"name\": \"force energy satin\", \"value\": \"dogs violation qualified\", \"provider\": \"lie allowance compressed\"}], \"severity_id\": 1, \"smtp_hello\": \"jurisdiction charts prerequisite\", \"status_detail\": \"bm around ranking\", \"status_id\": 1}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"message\": \"freeware sticks unsigned\", \"status\": \"Success\", \"time\": 1695676021669, \"device\": {\"name\": \"programming apr remark\", \"type\": \"Tablet\", \"os\": {\"name\": \"rfc oman tan\", \"type\": \"macOS\", \"country\": \"Monaco, Principality of\", \"type_id\": 300, \"edition\": \"mortality achievements apparatus\", \"sp_name\": \"advanced addressed bomb\"}, \"ip\": \"175.16.199.1\", \"uid\": \"78c33c0e-5be7-11ee-ba4c-0242ac110005\", \"org\": {\"uid\": 
\"78c2f8d4-5be7-11ee-b0f0-0242ac110005\", \"ou_name\": \"florence homes divine\", \"ou_uid\": \"78c2fda2-5be7-11ee-9d5a-0242ac110005\"}, \"type_id\": 4, \"instance_uid\": \"78c328c2-5be7-11ee-8cdd-0242ac110005\", \"interface_name\": \"instruments diana nature\", \"interface_uid\": \"78c336c8-5be7-11ee-82fb-0242ac110005\", \"network_interfaces\": [{\"name\": \"sick mobility terrain\", \"type\": \"Wired\", \"ip\": \"175.16.199.1\", \"hostname\": \"buried.museum\", \"mac\": \"8A:A5:A8:8F:C5:1E:88:79\", \"type_id\": 1}, {\"name\": \"wiki philippines quick\", \"type\": \"Unknown\", \"ip\": \"175.16.199.1\", \"hostname\": \"acts.edu\", \"mac\": \"AB:AB:43:8:B2:A1:B7:8\", \"namespace\": \"that rare html\", \"type_id\": 0, \"subnet_prefix\": 34}], \"region\": \"bat johnston disability\", \"created_time_dt\": \"2023-09-25T21:07:01.668193Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"extension\": {\"name\": \"broad fears transfers\", \"version\": \"1.0.0\", \"uid\": \"78c2668a-5be7-11ee-a776-0242ac110005\"}, \"product\": {\"name\": \"civilian clearance powerseller\", \"version\": \"1.0.0\", \"uid\": \"78c28282-5be7-11ee-989a-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"activists berlin dramatically\"}, \"uid\": \"78c29cfe-5be7-11ee-9fb1-0242ac110005\", \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"seats briefly charming\", \"log_provider\": \"sheet satisfaction survey\", \"original_time\": \"administered respected angeles\"}, \"severity\": \"Informational\", \"email\": {\"size\": 2106286084, \"uid\": \"78c1ed2c-5be7-11ee-9a21-0242ac110005\", \"from\": \"Han@trans.info\", \"to\": [\"Vernia@tba.edu\", \"Darnell@stereo.nato\"], \"message_uid\": \"78c23354-5be7-11ee-b3ad-0242ac110005\", \"reply_to\": \"Nguyet@quoted.edu\", \"smtp_from\": \"Joyce@lending.org\", \"smtp_to\": [\"Kesha@whose.firm\"]}, \"direction\": \"Unknown\", \"disposition\": \"No Action\", \"type_name\": \"Email Activity: Other\", 
\"disposition_id\": 16, \"type_uid\": 400999, \"category_name\": \"Network Activity\", \"class_uid\": 4009, \"category_uid\": 4, \"class_name\": \"Email Activity\", \"timezone_offset\": 24, \"raw_data\": \"lakes cycles remainder\", \"cloud\": {\"provider\": \"stick harris italy\", \"region\": \"cj safer should\"}, \"direction_id\": 0, \"end_time\": 1695676021666, \"enrichments\": [{\"data\": {\"healthcare\": \"hddhj\"}, \"name\": \"remind jury laden\", \"type\": \"sale updating poll\", \"value\": \"savings ref bbc\", \"provider\": \"in hurt hl\"}, {\"data\": {\"chubby\": \"7895ss\"}, \"name\": \"force energy satin\", \"value\": \"dogs violation qualified\", \"provider\": \"lie allowance compressed\"}], \"severity_id\": 1, \"smtp_hello\": \"jurisdiction charts prerequisite\", \"status_detail\": \"bm around ranking\", \"status_id\": 1}", - "event": { - "category": [ - "email" - ], - "end": "2023-09-25T21:07:01.666000Z", - "kind": "event", - "outcome": "success", - "provider": "sheet satisfaction survey", - "severity": 1, - "type": [ - "info" - ] - }, - "@timestamp": "2023-09-25T21:07:01.669000Z", - "cloud": { - "provider": "stick harris italy", - "region": "cj safer should" - }, - "email": { - "from": { - "address": [ - "Han@trans.info" - ] - }, - "local_id": "78c1ed2c-5be7-11ee-9a21-0242ac110005", - "message_id": "78c23354-5be7-11ee-b3ad-0242ac110005", - "reply_to": { - "address": [ - "Nguyet@quoted.edu" - ] - }, - "to": { - "address": [ - "Darnell@stereo.nato", - "Vernia@tba.edu" - ] - } - }, - "host": { - "id": "78c33c0e-5be7-11ee-ba4c-0242ac110005", - "ip": [ - "175.16.199.1" - ], - "os": { - "name": "rfc oman tan", - "type": "macOS" - }, - "type": "Tablet" - }, - "ocsf": { - "class_name": "Email Activity", - "class_uid": 4009 - }, - "related": { - "ip": [ - "175.16.199.1" - ] - } - } -} \ No newline at end of file 
diff --git a/OCSF/ocsf/tests/test_process_activity_1.json b/OCSF/ocsf/tests/test_process_activity_1.json new file mode 100644 index 000000000..8a96b43e7 --- /dev/null +++ b/OCSF/ocsf/tests/test_process_activity_1.json 
@@ -0,0 +1,73 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Launch\", \"actor\": {\"process\": {\"file\": {\"name\": \"cmd.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 3948}, \"session\": {\"uid\": \"0x55E621\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"ATTACKRANGE\", \"name\": \"Administrator\", \"uid\": \"ATTACKRANGE\\\\Administrator\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Process Activity\", \"class_uid\": 1007, \"device\": {\"hostname\": \"win-dc-725.attackrange.local\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"message\": \"A new process has been created.\", \"metadata\": {\"original_time\": \"03/12/2021 10:48:14 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"a47bd2fb-4da1-4378-8961-81f81f90aec2\", \"version\": \"1.0.0-rc.2\"}, \"process\": {\"cmd_line\": \"reg save HKLM\\\\system C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\system \", \"file\": {\"name\": \"reg.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\reg.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 4696, \"session\": {\"uid\": \"0x0\"}, \"user\": {\"domain\": \"-\", \"name\": \"-\", \"uid\": \"NULL SID\"}}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1615564094000, \"type_name\": \"Process Activity: Launch\", \"type_uid\": 100701, \"unmapped\": {\"EventCode\": \"4688\", \"EventType\": \"0\", \"OpCode\": \"Info\", \"Process Information\": {\"Mandatory Label\": \"Mandatory Label\\\\High Mandatory Level\", \"Token Elevation Type\": \"%%1936\"}, 
\"RecordNumber\": \"257874\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Process Creation\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Launch\", \"actor\": {\"process\": {\"file\": {\"name\": \"cmd.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 3948}, \"session\": {\"uid\": \"0x55E621\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"ATTACKRANGE\", \"name\": \"Administrator\", \"uid\": \"ATTACKRANGE\\\\Administrator\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Process Activity\", \"class_uid\": 1007, \"device\": {\"hostname\": \"win-dc-725.attackrange.local\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"message\": \"A new process has been created.\", \"metadata\": {\"original_time\": \"03/12/2021 10:48:14 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"a47bd2fb-4da1-4378-8961-81f81f90aec2\", \"version\": \"1.0.0-rc.2\"}, \"process\": {\"cmd_line\": \"reg save HKLM\\\\system C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\system \", \"file\": {\"name\": \"reg.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\reg.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 4696, \"session\": {\"uid\": \"0x0\"}, \"user\": {\"domain\": \"-\", \"name\": \"-\", \"uid\": \"NULL SID\"}}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1615564094000, \"type_name\": \"Process Activity: Launch\", \"type_uid\": 100701, \"unmapped\": {\"EventCode\": \"4688\", \"EventType\": \"0\", \"OpCode\": \"Info\", \"Process 
Information\": {\"Mandatory Label\": \"Mandatory Label\\\\High Mandatory Level\", \"Token Elevation Type\": \"%%1936\"}, \"RecordNumber\": \"257874\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Process Creation\"}}", + "event": { + "action": "launch", + "category": [ + "process" + ], + "kind": "event", + "outcome": "success", + "severity": 1, + "type": [ + "info", + "start" + ] + }, + "@timestamp": "2021-03-12T15:48:14Z", + "file": { + "directory": "C:\\Windows\\System32", + "name": "reg.exe", + "path": "C:\\Windows\\System32\\reg.exe", + "type": "Regular File" + }, + "host": { + "hostname": "win-dc-725.attackrange.local", + "name": "win-dc-725.attackrange.local", + "os": { + "name": "Windows", + "type": "Windows" + }, + "type": "Unknown" + }, + "ocsf": { + "activity_id": 1, + "activity_name": "Launch", + "class_name": "Process Activity", + "class_uid": 1007 + }, + "process": { + "command_line": "reg save HKLM\\system C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\system ", + "pid": 4696, + "user": { + "group": { + "id": [], + "name": [] + }, + "id": [ + "NULL SID" + ] + } + }, + "related": { + "hosts": [ + "win-dc-725.attackrange.local" + ], + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "ATTACKRANGE", + "group": { + "id": [], + "name": [] + }, + "id": "ATTACKRANGE\\Administrator", + "name": "Administrator" + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_process_activity_2.json b/OCSF/ocsf/tests/test_process_activity_2.json new file mode 100644 index 000000000..738b40b03 --- /dev/null +++ b/OCSF/ocsf/tests/test_process_activity_2.json 
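Review bot: The expected document drops the OCSF `actor.process` object from the input (cmd.exe, pid 3948), which in a Process Activity "Launch" event is the process that performed the launch, i.e. the parent of the created process, so `process.parent.*` is never populated and the parent/child relationship that process-creation detections key on is not preserved by the parser; once the parser maps it, the fixture should assert something like `"parent": {"pid": 3948, "executable": "C:\\Windows\\System32\\cmd.exe"}` under `process`. The fixture also pins `"group": {"id": [], "name": []}` under both `process.user` and `user`, which locks empty placeholder arrays into every ECS document that has no group data; those keys should be absent from the expected output rather than asserted as empty. `process.user.id` is emitted as an array (`["NULL SID"]`) while `user.id` is a scalar (`"ATTACKRANGE\\Administrator"`), so the two user objects disagree on shape. Finally, the created process image is written to top-level `file.*` rather than ECS `process.executable`; if that is intentional it deserves a comment in the parser, since a File Activity event carrying a genuine file object will populate the same `file.*` fields with a different meaning.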
@@ -0,0 +1,64 @@ +{ + "input": { + "message": "{\"activity_id\": 2, \"activity_name\": \"Terminate\", \"actor\": {\"process\": {\"file\": {\"name\": \"auditon.exe\", \"parent_folder\": \"C:\\\\Generate_Security_Events1\", \"path\": \"C:\\\\Generate_Security_Events1\\\\auditon.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 1524}, \"session\": {\"uid\": \"0x1806d9\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"LOGISTICS\", \"name\": \"Administrator\", \"uid\": \"S-1-5-21-1135140816-2109348461-2107143693-500\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Process Activity\", \"class_uid\": 1007, \"device\": {\"hostname\": \"dcc1.Logistics.local\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"exit_code\": 0, \"message\": \"A process has exited.\", \"metadata\": {\"original_time\": \"09/05/2019 11:22:49 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"cc27b41c-94e0-48a9-8cc2-5a1598fb8d1f\", \"version\": \"1.0.0-rc.2\"}, \"process\": {\"file\": {\"name\": \"auditon.exe\", \"parent_folder\": \"C:\\\\Generate_Security_Events1\", \"path\": \"C:\\\\Generate_Security_Events1\\\\auditon.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 1524}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1567696969000, \"type_name\": \"Process Activity: Terminate\", \"type_uid\": 100702, \"unmapped\": {\"EventCode\": \"4689\", \"EventType\": \"0\", \"OpCode\": \"Info\", \"RecordNumber\": \"6828379\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Process Termination\"}}" + }, + "expected": { + "message": "{\"activity_id\": 2, \"activity_name\": \"Terminate\", \"actor\": {\"process\": {\"file\": {\"name\": 
\"auditon.exe\", \"parent_folder\": \"C:\\\\Generate_Security_Events1\", \"path\": \"C:\\\\Generate_Security_Events1\\\\auditon.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 1524}, \"session\": {\"uid\": \"0x1806d9\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"LOGISTICS\", \"name\": \"Administrator\", \"uid\": \"S-1-5-21-1135140816-2109348461-2107143693-500\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Process Activity\", \"class_uid\": 1007, \"device\": {\"hostname\": \"dcc1.Logistics.local\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"exit_code\": 0, \"message\": \"A process has exited.\", \"metadata\": {\"original_time\": \"09/05/2019 11:22:49 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"cc27b41c-94e0-48a9-8cc2-5a1598fb8d1f\", \"version\": \"1.0.0-rc.2\"}, \"process\": {\"file\": {\"name\": \"auditon.exe\", \"parent_folder\": \"C:\\\\Generate_Security_Events1\", \"path\": \"C:\\\\Generate_Security_Events1\\\\auditon.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 1524}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1567696969000, \"type_name\": \"Process Activity: Terminate\", \"type_uid\": 100702, \"unmapped\": {\"EventCode\": \"4689\", \"EventType\": \"0\", \"OpCode\": \"Info\", \"RecordNumber\": \"6828379\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Process Termination\"}}", + "event": { + "action": "terminate", + "category": [ + "process" + ], + "kind": "event", + "outcome": "success", + "severity": 1, + "type": [ + "end", + "info" + ] + }, + "@timestamp": "2019-09-05T15:22:49Z", + "file": { + "directory": "C:\\Generate_Security_Events1", + "name": "auditon.exe", + 
"path": "C:\\Generate_Security_Events1\\auditon.exe", + "type": "Regular File" + }, + "host": { + "hostname": "dcc1.Logistics.local", + "name": "dcc1.Logistics.local", + "os": { + "name": "Windows", + "type": "Windows" + }, + "type": "Unknown" + }, + "ocsf": { + "activity_id": 2, + "activity_name": "Terminate", + "class_name": "Process Activity", + "class_uid": 1007 + }, + "process": { + "exit_code": 0, + "pid": 1524 + }, + "related": { + "hosts": [ + "dcc1.Logistics.local" + ], + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "LOGISTICS", + "group": { + "id": [], + "name": [] + }, + "id": "S-1-5-21-1135140816-2109348461-2107143693-500", + "name": "Administrator" + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_security_finding_1.json b/OCSF/ocsf/tests/test_security_finding_1.json new file mode 100644 index 000000000..9b7fec197 --- /dev/null +++ b/OCSF/ocsf/tests/test_security_finding_1.json 
@@ -0,0 +1,35 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"classname\": \"Security Finding\", \"class_uid\": 2001, \"finding\": {\"created_time\": 1672758699558, \"desc\": \"Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag)\", \"title\": \"Linux Kernel Module Injection Detected\", \"types\": [\"syscalls\"], \"uid\": \"ec834826-90c1-458a-8eec-a014e7266754\"}, \"message\": \"Linux Kernel Module Injection Detected\", \"metadata\": {\"version\": \"0.1.0\", \"product\": {\"vendor_name\": \"Falcosecurity\", \"name\": \"Falco\"}, \"labels\": [\"process\"]}, \"observables\": [{\"name\": \"hostname\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"host0.local\"}, {\"name\": \"proc.pname\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"proc.pname\"}, {\"name\": \"container.info\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"container.info\"}, {\"name\": \"proc.args\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"proc.args\"}, {\"name\": \"user.loginuid\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"user.loginuid\"}, {\"name\": \"user.name\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"user.name\"}, {\"name\": \"container.image.repository\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"container.image.repository\"}, {\"name\": \"container.image.tag\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"container.image.tag\"}], \"raw_data\": \"{\\\"uuid\\\":\\\"ec834826-90c1-458a-8eec-a014e7266754\\\",\\\"output\\\":\\\"Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info 
image=%container.image.repository:%container.image.tag)\\\",\\\"priority\\\":\\\"Warning\\\",\\\"rule\\\":\\\"Linux Kernel Module Injection Detected\\\",\\\"time\\\":\\\"2023-01-03T15:11:39.558068644Z\\\",\\\"output_fields\\\":{\\\"akey\\\":\\\"AValue\\\",\\\"bkey\\\":\\\"BValue\\\",\\\"ckey\\\":\\\"CValue\\\",\\\"container.image.repository\\\":\\\"container.image.repository\\\",\\\"container.image.tag\\\":\\\"container.image.tag\\\",\\\"container.info\\\":\\\"container.info\\\",\\\"dkey\\\":\\\"bar\\\",\\\"proc.args\\\":\\\"proc.args\\\",\\\"proc.pname\\\":\\\"proc.pname\\\",\\\"user.loginuid\\\":\\\"user.loginuid\\\",\\\"user.name\\\":\\\"user.name\\\"},\\\"source\\\":\\\"syscalls\\\",\\\"tags\\\":[\\\"process\\\"],\\\"hostname\\\":\\\"host0.local\\\"}\", \"severity\": \"Medium\", \"severity_id\": 3, \"state\": \"New\", \"state_id\": 1, \"status\": \"Warning\", \"time\": 1672758699558, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"classname\": \"Security Finding\", \"class_uid\": 2001, \"finding\": {\"created_time\": 1672758699558, \"desc\": \"Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag)\", \"title\": \"Linux Kernel Module Injection Detected\", \"types\": [\"syscalls\"], \"uid\": \"ec834826-90c1-458a-8eec-a014e7266754\"}, \"message\": \"Linux Kernel Module Injection Detected\", \"metadata\": {\"version\": \"0.1.0\", \"product\": {\"vendor_name\": \"Falcosecurity\", \"name\": \"Falco\"}, \"labels\": [\"process\"]}, \"observables\": [{\"name\": \"hostname\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"host0.local\"}, {\"name\": \"proc.pname\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"proc.pname\"}, {\"name\": 
\"container.info\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"container.info\"}, {\"name\": \"proc.args\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"proc.args\"}, {\"name\": \"user.loginuid\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"user.loginuid\"}, {\"name\": \"user.name\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"user.name\"}, {\"name\": \"container.image.repository\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"container.image.repository\"}, {\"name\": \"container.image.tag\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"container.image.tag\"}], \"raw_data\": \"{\\\"uuid\\\":\\\"ec834826-90c1-458a-8eec-a014e7266754\\\",\\\"output\\\":\\\"Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag)\\\",\\\"priority\\\":\\\"Warning\\\",\\\"rule\\\":\\\"Linux Kernel Module Injection Detected\\\",\\\"time\\\":\\\"2023-01-03T15:11:39.558068644Z\\\",\\\"output_fields\\\":{\\\"akey\\\":\\\"AValue\\\",\\\"bkey\\\":\\\"BValue\\\",\\\"ckey\\\":\\\"CValue\\\",\\\"container.image.repository\\\":\\\"container.image.repository\\\",\\\"container.image.tag\\\":\\\"container.image.tag\\\",\\\"container.info\\\":\\\"container.info\\\",\\\"dkey\\\":\\\"bar\\\",\\\"proc.args\\\":\\\"proc.args\\\",\\\"proc.pname\\\":\\\"proc.pname\\\",\\\"user.loginuid\\\":\\\"user.loginuid\\\",\\\"user.name\\\":\\\"user.name\\\"},\\\"source\\\":\\\"syscalls\\\",\\\"tags\\\":[\\\"process\\\"],\\\"hostname\\\":\\\"host0.local\\\"}\", \"severity\": \"Medium\", \"severity_id\": 3, \"state\": \"New\", \"state_id\": 1, \"status\": \"Warning\", \"time\": 1672758699558, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101}", + "event": { + "action": "generate", + "category": [], + "kind": "alert", + "severity": 3, + "type": [ + "info" + ] + }, + "@timestamp": "2023-01-03T15:11:39.558000Z", + 
"ocsf": { + "activity_id": 1, + "activity_name": "Generate", + "class_uid": 2001 + }, + "vulnerability": { + "description": [], + "id": [], + "scanner": { + "vendor": [] + }, + "score": { + "base": [], + "version": [] + }, + "severity": [] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_security_finding_2.json b/OCSF/ocsf/tests/test_security_finding_2.json new file mode 100644 index 000000000..a4d8a09ea --- /dev/null +++ b/OCSF/ocsf/tests/test_security_finding_2.json 
@@ -0,0 +1,40 @@ +{ + "input": { + "message": "{\"analytic\": {\"desc\": \"Custom Rule Engine\", \"name\": \"CRE\", \"relatedAnalytics\": [{\"category\": \"CRE_RULE\", \"name\": \"Network DoS Attack Detected\", \"type\": \"Rule\", \"typeId\": 1, \"uid\": \"100079\"}], \"type\": \"Rule\", \"typeId\": 1}, \"finding\": {\"uid\": \"591\", \"title\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\\n\", \"created_time\": 1682347463218, \"desc\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\\n\", \"first_seen_time\": 1682347463000, \"last_seen_time\": 1682781010000}, \"confidence_score\": 2, \"confidence\": \"Low\", \"confidence_id\": 2, \"data_sources\": [\"Snort @ wolverine\"], \"impact_score\": 0, \"impact\": \"Low\", \"impact_id\": 1, \"malware\": [{\"classification_ids\": [5], \"classifications\": [\"DDOS\"], \"name\": \"ICMP DoS\"}], \"risk_level\": \"High\", \"risk_level_id\": 3, \"risk_score\": 3, \"state\": \"In Progress\", \"state_id\": 2, \"activity_id\": 1, \"category_uid\": 2, \"class_uid\": 2001, \"time\": 1682347463218, \"message\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\\n\", \"metadata\": {\"log_name\": \"Offense\", \"log_provider\": \"IBM QRadar\", \"original_time\": 1682347463218, \"product\": {\"lang\": \"en\", \"name\": \"QRadar SIEM\", \"version\": \"7.5.0\", \"vendor_name\": \"IBM\"}, \"version\": \"7.5.0\", \"modified_time\": 1682347469220}, \"activity_name\": \"Create\", \"category_name\": \"Findings\", \"class_name\": \"Security Finding\", \"count\": 2, \"end_time\": 1682781010000, \"enrichments\": [{\"name\": \"Magnitude\", \"provider\": \"Event Processor\", \"type\": \"score\", \"value\": \"3\"}, {\"name\": \"offense_type\", \"provider\": \"Event Processor\", \"type\": \"correlation\", \"value\": \"2\"}, {\"name\": \"offense_source\", \"provider\": \"Event Processor\", \"type\": \"correlation\", \"value\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing 
attempt\"}, {\"name\": \"category_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"device_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"event_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"2\"}, {\"name\": \"flow_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"policy_category_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"remote_destination_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"local_destination_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"2\"}, {\"name\": \"security_category_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"source_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"user_name_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"domain_id\", \"provider\": \"Event Processor\", \"type\": \"correlation\", \"value\": \"0\"}, {\"name\": \"source_network\", \"provider\": \"Event Processor\", \"type\": \"network\", \"value\": \"Net-99-99-99.Net_99_0_0_0\"}, {\"name\": \"destination_network\", \"provider\": \"Event Processor\", \"type\": \"network\", \"value\": \"Net-88-88-88.Net_88_88_0_0\"}, {\"name\": \"destination_network\", \"provider\": \"Event Processor\", \"type\": \"network\", \"value\": \"Net-77-77-77.Net_77_0_0_0\"}], \"observables\": [{\"name\": \"log_source_id\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"112\"}, {\"name\": \"log_source_name\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"Snort @ wolverine\"}, {\"name\": \"log_source_type_id\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"2\"}, {\"name\": \"log_source_type_name\", \"type\": \"Other\", 
\"type_id\": 99, \"value\": \"Snort\"}, {\"name\": \"assigned_to\", \"type\": \"User\", \"type_id\": 21, \"value\": \"SomeUser\"}, {\"name\": \"low_level_category\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"ICMP DoS\"}, {\"name\": \"source_address\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"99.99.99.99\"}, {\"name\": \"local_destination_address\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"88.88.88.88\"}, {\"name\": \"local_destination_address\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"77.77.77.77\"}], \"status_code\": \"OPEN\"}" + }, + "expected": { + "message": "{\"analytic\": {\"desc\": \"Custom Rule Engine\", \"name\": \"CRE\", \"relatedAnalytics\": [{\"category\": \"CRE_RULE\", \"name\": \"Network DoS Attack Detected\", \"type\": \"Rule\", \"typeId\": 1, \"uid\": \"100079\"}], \"type\": \"Rule\", \"typeId\": 1}, \"finding\": {\"uid\": \"591\", \"title\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\\n\", \"created_time\": 1682347463218, \"desc\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\\n\", \"first_seen_time\": 1682347463000, \"last_seen_time\": 1682781010000}, \"confidence_score\": 2, \"confidence\": \"Low\", \"confidence_id\": 2, \"data_sources\": [\"Snort @ wolverine\"], \"impact_score\": 0, \"impact\": \"Low\", \"impact_id\": 1, \"malware\": [{\"classification_ids\": [5], \"classifications\": [\"DDOS\"], \"name\": \"ICMP DoS\"}], \"risk_level\": \"High\", \"risk_level_id\": 3, \"risk_score\": 3, \"state\": \"In Progress\", \"state_id\": 2, \"activity_id\": 1, \"category_uid\": 2, \"class_uid\": 2001, \"time\": 1682347463218, \"message\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\\n\", \"metadata\": {\"log_name\": \"Offense\", \"log_provider\": \"IBM QRadar\", \"original_time\": 1682347463218, \"product\": {\"lang\": \"en\", \"name\": \"QRadar SIEM\", \"version\": \"7.5.0\", \"vendor_name\": \"IBM\"}, \"version\": \"7.5.0\", 
\"modified_time\": 1682347469220}, \"activity_name\": \"Create\", \"category_name\": \"Findings\", \"class_name\": \"Security Finding\", \"count\": 2, \"end_time\": 1682781010000, \"enrichments\": [{\"name\": \"Magnitude\", \"provider\": \"Event Processor\", \"type\": \"score\", \"value\": \"3\"}, {\"name\": \"offense_type\", \"provider\": \"Event Processor\", \"type\": \"correlation\", \"value\": \"2\"}, {\"name\": \"offense_source\", \"provider\": \"Event Processor\", \"type\": \"correlation\", \"value\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\"}, {\"name\": \"category_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"device_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"event_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"2\"}, {\"name\": \"flow_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"policy_category_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"remote_destination_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"local_destination_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"2\"}, {\"name\": \"security_category_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"source_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"user_name_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"domain_id\", \"provider\": \"Event Processor\", \"type\": \"correlation\", \"value\": \"0\"}, {\"name\": \"source_network\", \"provider\": \"Event Processor\", \"type\": \"network\", \"value\": \"Net-99-99-99.Net_99_0_0_0\"}, {\"name\": \"destination_network\", \"provider\": \"Event Processor\", 
\"type\": \"network\", \"value\": \"Net-88-88-88.Net_88_88_0_0\"}, {\"name\": \"destination_network\", \"provider\": \"Event Processor\", \"type\": \"network\", \"value\": \"Net-77-77-77.Net_77_0_0_0\"}], \"observables\": [{\"name\": \"log_source_id\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"112\"}, {\"name\": \"log_source_name\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"Snort @ wolverine\"}, {\"name\": \"log_source_type_id\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"2\"}, {\"name\": \"log_source_type_name\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"Snort\"}, {\"name\": \"assigned_to\", \"type\": \"User\", \"type_id\": 21, \"value\": \"SomeUser\"}, {\"name\": \"low_level_category\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"ICMP DoS\"}, {\"name\": \"source_address\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"99.99.99.99\"}, {\"name\": \"local_destination_address\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"88.88.88.88\"}, {\"name\": \"local_destination_address\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"77.77.77.77\"}], \"status_code\": \"OPEN\"}", + "event": { + "action": "create", + "category": [ + "malware" + ], + "end": "2023-04-29T15:10:10Z", + "kind": "alert", + "provider": "IBM QRadar", + "risk_score": 3, + "type": [ + "info" + ] + }, + "@timestamp": "2023-04-24T14:44:23.218000Z", + "ocsf": { + "activity_id": 1, + "activity_name": "Create", + "class_name": "Security Finding", + "class_uid": 2001 + }, + "vulnerability": { + "description": [], + "id": [], + "scanner": { + "vendor": [] + }, + "score": { + "base": [], + "version": [] + }, + "severity": [] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_security_finding_3.json b/OCSF/ocsf/tests/test_security_finding_3.json new file mode 100644 index 000000000..16386afa1 --- /dev/null +++ b/OCSF/ocsf/tests/test_security_finding_3.json 
@@ -0,0 +1,39 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Potentially vulnerable application\"], \"name\": \"pva.torrent.openinternet\", \"provider\": \"SecurityScorecard\", \"uid\": \"pva.torrent.openinternet_9d153be3-a48e-4498-b476-18c2a847d214\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"-\\\",\\\"enc_host\\\":\\\"open-internet.nl\\\",\\\"enc_raw_header\\\":\\\"-\\\",\\\"enc_request\\\":\\\"SOCKET_UDP%20%2F\\\",\\\"enc_request_body\\\":\\\"AAAEFycQGYAAAAAAiWPgag==\\\",\\\"family\\\":\\\"pva.torrent.openinternet\\\",\\\"field_1\\\":\\\"2022-06-27T01:37:06.385325 version_5\\\",\\\"remote_addr\\\":\\\"1.183.190.110\\\",\\\"remote_port\\\":\\\"2048\\\",\\\"remote_user\\\":\\\"-\\\", \\\"status\\\":\\\"200\\\",\\\"time_local\\\":\\\"2022-06-27T01:36:21.515207\\\"}\", \"message\": \"Potentially vulnerable application infection detected on IP address 1.183.190.110 by Malware DNS sinkhole on communication domain for sinkholed domain open-internet.nl\", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199945, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199945, \"original_time\": \"2022-11-15T17:59:59.945Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": 
[\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 1.183.190.110 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"chinatelecom.cn\", \"uid\": \"1.183.190.110\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"1.183.190.110\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Potentially vulnerable application\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"open-internet.nl\"}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"pva.torrent.openinternet\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"2048\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"Bieligutai, China\"}], \"finding\": {\"title\": \"Infection found on 1.183.190.110\", \"uid\": \"2b7908d7-4b72-4f65-afa0-09bdaea46ae3\", \"types\": [\"malware_infection\", \"infected_device\", \"pva.torrent.openinternet\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/1.183.190.110\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": 
\"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199945, \"desc\": \"Potentially vulnerable application infection detected on IP address 1.183.190.110 communicating with Command-and-Control domain open-internet.nl\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Potentially vulnerable application\"], \"name\": \"pva.torrent.openinternet\", \"provider\": \"SecurityScorecard\", \"uid\": \"pva.torrent.openinternet_9d153be3-a48e-4498-b476-18c2a847d214\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"-\\\",\\\"enc_host\\\":\\\"open-internet.nl\\\",\\\"enc_raw_header\\\":\\\"-\\\",\\\"enc_request\\\":\\\"SOCKET_UDP%20%2F\\\",\\\"enc_request_body\\\":\\\"AAAEFycQGYAAAAAAiWPgag==\\\",\\\"family\\\":\\\"pva.torrent.openinternet\\\",\\\"field_1\\\":\\\"2022-06-27T01:37:06.385325 version_5\\\",\\\"remote_addr\\\":\\\"1.183.190.110\\\",\\\"remote_port\\\":\\\"2048\\\",\\\"remote_user\\\":\\\"-\\\", \\\"status\\\":\\\"200\\\",\\\"time_local\\\":\\\"2022-06-27T01:36:21.515207\\\"}\", \"message\": \"Potentially vulnerable application infection detected on IP address 1.183.190.110 by Malware DNS sinkhole on communication domain for sinkholed domain open-internet.nl\", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199945, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199945, \"original_time\": \"2022-11-15T17:59:59.945Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", 
\"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 1.183.190.110 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"chinatelecom.cn\", \"uid\": \"1.183.190.110\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"1.183.190.110\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Potentially vulnerable application\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"open-internet.nl\"}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"pva.torrent.openinternet\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"2048\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"Bieligutai, China\"}], \"finding\": {\"title\": \"Infection found on 1.183.190.110\", \"uid\": \"2b7908d7-4b72-4f65-afa0-09bdaea46ae3\", \"types\": [\"malware_infection\", \"infected_device\", \"pva.torrent.openinternet\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/1.183.190.110\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": 
[\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199945, \"desc\": \"Potentially vulnerable application infection detected on IP address 1.183.190.110 communicating with Command-and-Control domain open-internet.nl\"}}", + "event": { + "action": "generate", + "category": [ + "malware" + ], + "kind": "alert", + "reference": "https://platform.securityscorecard.io/#/asi/details/1.183.190.110", + "severity": 1, + "type": [ + "info" + ] + }, + "@timestamp": "2022-11-15T17:59:59.945000Z", + "ocsf": { + "activity_id": 1, + "activity_name": "Generate", + "class_name": "Security Finding", + "class_uid": 2001 + }, + "vulnerability": { + "description": [], + "id": [], + "scanner": { + "vendor": [] + }, + "score": { + "base": [], + "version": [] + }, + "severity": [] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_security_finding_4.json b/OCSF/ocsf/tests/test_security_finding_4.json new file mode 100644 index 000000000..c4aa70409 --- /dev/null +++ b/OCSF/ocsf/tests/test_security_finding_4.json 
@@ -0,0 +1,39 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Potentially vulnerable application\"], \"name\": \"pva.torrent.openinternet\", \"provider\": \"SecurityScorecard\", \"uid\": \"pva.torrent.openinternet_e1472f25-0d2d-4b88-aac9-b7bd439218f5\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"-\\\",\\\"enc_host\\\":\\\"open-internet.nl\\\",\\\"enc_raw_header\\\":\\\"-\\\",\\\"enc_request\\\":\\\"SOCKET_UDP%20%2F\\\",\\\"enc_request_body\\\":\\\"AAAEFycQGYAAAAAAtdIQjw==\\\",\\\"family\\\":\\\"pva.torrent.openinternet\\\",\\\"field_1\\\":\\\"2022-06-04T10:35:07.143255 version_5\\\",\\\"remote_addr\\\":\\\"59.11.81.231\\\",\\\"remote_port\\\":\\\"6927\\\",\\\"remote_user\\\":\\\"-\\\", \\\"status\\\":\\\"200\\\",\\\"time_local\\\":\\\"2022-06-04T10:34:45.835005\\\"}\", \"message\": \"Potentially vulnerable application infection detected on IP address 59.11.81.231 by Malware DNS sinkhole on communication domain for sinkholed domain \", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199946, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199946, \"original_time\": \"2022-11-15T17:59:59.946Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", 
\"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 59.11.81.231 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"krnic.or.kr\", \"uid\": \"59.11.81.231\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"59.11.81.231\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Potentially vulnerable application\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": null}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"pva.torrent.openinternet\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"6927\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"Seongnam-si (Buljeong-ro), Korea, Republic of\"}], \"finding\": {\"title\": \"Infection found on 59.11.81.231\", \"uid\": \"45521c66-6498-442d-ad9b-40da9f0e9236\", \"types\": [\"malware_infection\", \"infected_device\", \"pva.torrent.openinternet\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/59.11.81.231\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", 
\"last_seen_time\": 1668535199947, \"desc\": \"Potentially vulnerable application infection detected on IP address 59.11.81.231 communicating with Command-and-Control domain \"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Potentially vulnerable application\"], \"name\": \"pva.torrent.openinternet\", \"provider\": \"SecurityScorecard\", \"uid\": \"pva.torrent.openinternet_e1472f25-0d2d-4b88-aac9-b7bd439218f5\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"-\\\",\\\"enc_host\\\":\\\"open-internet.nl\\\",\\\"enc_raw_header\\\":\\\"-\\\",\\\"enc_request\\\":\\\"SOCKET_UDP%20%2F\\\",\\\"enc_request_body\\\":\\\"AAAEFycQGYAAAAAAtdIQjw==\\\",\\\"family\\\":\\\"pva.torrent.openinternet\\\",\\\"field_1\\\":\\\"2022-06-04T10:35:07.143255 version_5\\\",\\\"remote_addr\\\":\\\"59.11.81.231\\\",\\\"remote_port\\\":\\\"6927\\\",\\\"remote_user\\\":\\\"-\\\", \\\"status\\\":\\\"200\\\",\\\"time_local\\\":\\\"2022-06-04T10:34:45.835005\\\"}\", \"message\": \"Potentially vulnerable application infection detected on IP address 59.11.81.231 by Malware DNS sinkhole on communication domain for sinkholed domain \", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199946, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199946, \"original_time\": \"2022-11-15T17:59:59.946Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": 
\"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 59.11.81.231 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"krnic.or.kr\", \"uid\": \"59.11.81.231\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"59.11.81.231\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Potentially vulnerable application\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": null}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"pva.torrent.openinternet\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"6927\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"Seongnam-si (Buljeong-ro), Korea, Republic of\"}], \"finding\": {\"title\": \"Infection found on 59.11.81.231\", \"uid\": \"45521c66-6498-442d-ad9b-40da9f0e9236\", \"types\": [\"malware_infection\", \"infected_device\", \"pva.torrent.openinternet\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/59.11.81.231\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", 
\"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199947, \"desc\": \"Potentially vulnerable application infection detected on IP address 59.11.81.231 communicating with Command-and-Control domain \"}}",
+ "event": {
+ "action": "generate",
+ "category": [
+ "malware"
+ ],
+ "kind": "alert",
+ "reference": "https://platform.securityscorecard.io/#/asi/details/59.11.81.231",
+ "severity": 1,
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2022-11-15T17:59:59.946000Z",
+ "ocsf": {
+ "activity_id": 1,
+ "activity_name": "Generate",
+ "class_name": "Security Finding",
+ "class_uid": 2001
+ },
+ "vulnerability": {
+ "description": [],
+ "id": [],
+ "scanner": {
+ "vendor": []
+ },
+ "score": {
+ "base": [],
+ "version": []
+ },
+ "severity": []
+ }
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_security_finding_5.json b/OCSF/ocsf/tests/test_security_finding_5.json
new file mode 100644
index 000000000..4a82902e1
--- /dev/null
+++ b/OCSF/ocsf/tests/test_security_finding_5.json
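Review bot: The expected output for test_security_finding_4 pins that none of the finding's observables reach a searchable field: the infected device IP 59.11.81.231 survives only inside `event.reference` and the raw `message`, while `infected_device.ip`, the sinkhole hostname, the client port and `malware[].name` are all dropped, and the same holds for test_security_finding_5 and test_security_finding_6. If the parser is meant to let an analyst pivot on the infected host, the fixture should assert those mappings (e.g. the IP into `source.ip` / `related.ip` and the family name into a threat or malware field) rather than lock in their absence. The `vulnerability` object whose every leaf is an empty array is likewise pinned for a malware finding; asserting those keys absent would be stricter and avoids indexing empty fields. test_security_finding_4 is the useful edge case here, since `infected_device.malware_hostname` is null and both `message` and `desc` end in a trailing space, so once a hostname mapping exists this fixture should assert the field is absent rather than an empty string.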
@@ -0,0 +1,39 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Potentially vulnerable application\"], \"name\": \"pva.torrent.kickasstracker\", \"provider\": \"SecurityScorecard\", \"uid\": \"pva.torrent.kickasstracker_d605642d-9f8b-46ed-bb19-882ffc34a8f4\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"152\\\",\\\"enc_host\\\":\\\"open.kickasstracker.com\\\",\\\"enc_raw_header\\\":\\\"R0VUIC9zY3JhcGU/aW5mb19oYXNoPSUwMiUyNSVkYiVmMiVmZlElZWVLJTNmJWMxJTI4MW8lMGMlMDklYWElODN4JWVlJTk5IEhUVFAvMS4xDQpVc2VyLUFnZW50OiBUcmFuc21pc3Npb24vMi44NA0KSG9zdDogb3Blbi5raWNrYXNzdHJhY2tlci5jb20NCkFjY2VwdDogKi8qDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXA7cT0xLjAsIGRlZmxhdGUsIGlkZW50aXR5DQoNCg==\\\",\\\"enc_request\\\":\\\"GET%20%2Fscrape%3Finfo_hash%3D%2502%2525%25db%25f2%25ffQ%25eeK%253f%25c1%25281o%250c%2509%25aa%2583x%25ee%2599%20HTTP%2F1.1\\\",\\\"enc_request_body\\\":\\\"\\\",\\\"family\\\":\\\"pva.torrent.kickasstracker\\\",\\\"field_1\\\":\\\"2022-09-30T21:26:09.028507 version_5\\\",\\\"remote_addr\\\":\\\"190.109.227.80\\\",\\\"remote_port\\\":\\\"21886\\\",\\\"remote_user\\\":\\\"-\\\", \\\"status\\\":\\\"404\\\",\\\"time_local\\\":\\\"2022-09-30T21:25:21+00:00\\\"}\", \"message\": \"Potentially vulnerable application infection detected on IP address 190.109.227.80 by Malware DNS sinkhole on communication domain for sinkholed domain open.kickasstracker.com\", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199947, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199947, \"original_time\": 
\"2022-11-15T17:59:59.947Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 190.109.227.80 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"cotel.bo\", \"uid\": \"190.109.227.80\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"190.109.227.80\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Potentially vulnerable application\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"open.kickasstracker.com\"}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"pva.torrent.kickasstracker\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"21886\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"La Paz (Macrodistrito Centro), Bolivia, Plurinational State of\"}], \"finding\": {\"title\": \"Infection found on 190.109.227.80\", \"uid\": \"8f91e92d-b75c-4d55-a6a2-c9f611cdea28\", \"types\": [\"malware_infection\", \"infected_device\", \"pva.torrent.kickasstracker\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/190.109.227.80\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, 
take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199948, \"desc\": \"Potentially vulnerable application infection detected on IP address 190.109.227.80 communicating with Command-and-Control domain open.kickasstracker.com\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Potentially vulnerable application\"], \"name\": \"pva.torrent.kickasstracker\", \"provider\": \"SecurityScorecard\", \"uid\": \"pva.torrent.kickasstracker_d605642d-9f8b-46ed-bb19-882ffc34a8f4\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"152\\\",\\\"enc_host\\\":\\\"open.kickasstracker.com\\\",\\\"enc_raw_header\\\":\\\"R0VUIC9zY3JhcGU/aW5mb19oYXNoPSUwMiUyNSVkYiVmMiVmZlElZWVLJTNmJWMxJTI4MW8lMGMlMDklYWElODN4JWVlJTk5IEhUVFAvMS4xDQpVc2VyLUFnZW50OiBUcmFuc21pc3Npb24vMi44NA0KSG9zdDogb3Blbi5raWNrYXNzdHJhY2tlci5jb20NCkFjY2VwdDogKi8qDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXA7cT0xLjAsIGRlZmxhdGUsIGlkZW50aXR5DQoNCg==\\\",\\\"enc_request\\\":\\\"GET%20%2Fscrape%3Finfo_hash%3D%2502%2525%25db%25f2%25ffQ%25eeK%253f%25c1%25281o%250c%2509%25aa%2583x%25ee%2599%20HTTP%2F1.1\\\",\\\"enc_request_body\\\":\\\"\\\",\\\"family\\\":\\\"pva.torrent.kickasstracker\\\",\\\"field_1\\\":\\\"2022-09-30T21:26:09.028507 version_5\\\",\\\"remote_addr\\\":\\\"190.109.227.80\\\",\\\"remote_port\\\":\\\"21886\\\",\\\"remote_user\\\":\\\"-\\\", 
\\\"status\\\":\\\"404\\\",\\\"time_local\\\":\\\"2022-09-30T21:25:21+00:00\\\"}\", \"message\": \"Potentially vulnerable application infection detected on IP address 190.109.227.80 by Malware DNS sinkhole on communication domain for sinkholed domain open.kickasstracker.com\", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199947, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199947, \"original_time\": \"2022-11-15T17:59:59.947Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 190.109.227.80 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"cotel.bo\", \"uid\": \"190.109.227.80\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"190.109.227.80\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Potentially vulnerable application\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"open.kickasstracker.com\"}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"pva.torrent.kickasstracker\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making 
connection to the infection communication domain\", \"type_id\": -1, \"value\": \"21886\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"La Paz (Macrodistrito Centro), Bolivia, Plurinational State of\"}], \"finding\": {\"title\": \"Infection found on 190.109.227.80\", \"uid\": \"8f91e92d-b75c-4d55-a6a2-c9f611cdea28\", \"types\": [\"malware_infection\", \"infected_device\", \"pva.torrent.kickasstracker\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/190.109.227.80\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199948, \"desc\": \"Potentially vulnerable application infection detected on IP address 190.109.227.80 communicating with Command-and-Control domain open.kickasstracker.com\"}}",
+ "event": {
+ "action": "generate",
+ "category": [
+ "malware"
+ ],
+ "kind": "alert",
+ "reference": "https://platform.securityscorecard.io/#/asi/details/190.109.227.80",
+ "severity": 1,
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2022-11-15T17:59:59.947000Z",
+ "ocsf": {
+ "activity_id": 1,
+ "activity_name": "Generate",
+ "class_name": "Security Finding",
+ "class_uid": 2001
+ },
+ "vulnerability": {
+ "description": [],
+ "id": [],
+ "scanner": {
+ "vendor": []
+ },
+ "score": {
+ "base": [],
+ "version": []
+ },
+ "severity": []
+ }
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_security_finding_6.json b/OCSF/ocsf/tests/test_security_finding_6.json
new file mode 100644
index 000000000..90b549040
--- /dev/null
+++ b/OCSF/ocsf/tests/test_security_finding_6.json
@@ -0,0 +1,39 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Adware\"], \"name\": \"adware.android.imp\", \"provider\": \"SecurityScorecard\", \"uid\": \"adware.android.imp_7cd5cf7b-4c99-406c-ad46-621487394fba\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"152\\\",\\\"enc_host\\\":\\\"x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\\\",\\\"enc_raw_header\\\":\\\"UE9TVCAvYXVjdGlvbi9pbml0IEhUVFAvMS4xDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtcHJvdG9idWYNCkFjY2VwdC1FbmNvZGluZzogZ3ppcA0KQ29udGVudC1FbmNvZGluZzogZ3ppcA0KVXNlci1BZ2VudDogRGFsdmlrLzIuMS4wIChMaW51eDsgVTsgQW5kcm9pZCAxMTsgU00tQTIwN0YgQnVpbGQvUlAxQS4yMDA3MjAuMDEyKQ0KSG9zdDogeC1ldS41OGRhYzE2ZTdiMmM4NmMxOWNmZTQ4OTE0YTZlOGZjZGFjOWFlMDZmZTVjZjUzMzY5YmVhYTQ1Yi5jb20NCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCkNvbnRlbnQtTGVuZ3RoOiAzMDMNCg0K\\\",\\\"enc_request\\\":\\\"POST%20%2Fauction%2Finit%20HTTP%2F1.1\\\",\\\"enc_request_body\\\":\\\"H4sIAAAAAAAAAK3PzUoDMRQFYEhbSwNSnI1lljKrgYQkzd+47MqNIIg/u3qTTHCUzshMacFHEHwGwbUPaStVQTcu3F3uOXxwcI8X02TsmwWFdUehDm1ThQk6QpznvZs3JPCsCqfgb6u6PB5wWlA9y0oLzjGvCHPGE+kgEif05iq5YVZZkEye9M+Qy6LVLETpiXfOEilAE2sUJ9EIr4WCGKfibqSoVJQRrttMhKijLhjxQhsijSo29NSS4IOSDJRRzDy+IvyC8H5dLtdNe9/Nqzo2yTMSTwhf55c4wcNdlAzTwaKFKuAUj3e/+apsu6qptxnb7LE4w4efGQR4WJbtV2eUDj82U46v8gt88C3vpf0VdMt/gC/y8x9wvYUnv+FB2uOU/Y19BzRbkezaAQAA\\\",\\\"family\\\":\\\"adware.android.imp\\\",\\\"field_1\\\":\\\"2022-09-23T16:20:10.540428 version_5\\\",\\\"remote_addr\\\":\\\"38.7.186.198\\\",\\\"remote_port\\\":\\\"59750\\\",\\\"remote_user\\\":\\\"-\\\",\\\"status\\\":\\\"404\\\",\\\"time_local\\\":\\\"2022-09-23T16:19:38+00:00\\\"}\", \"message\": \"Adware infection detected on IP address 38.7.186.198 by Malware DNS sinkhole on communication domain for sinkholed domain 
x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199948, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199948, \"original_time\": \"2022-11-15T17:59:59.948Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 38.7.186.198 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"emix.net.ae\", \"uid\": \"38.7.186.198\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"38.7.186.198\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Adware\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\"}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"adware.android.imp\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"59750\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"Karachi 
(Sector Five F), Pakistan\"}], \"finding\": {\"title\": \"Infection found on 38.7.186.198\", \"uid\": \"26c7c83d-0aad-411b-88ee-52343ff22064\", \"types\": [\"malware_infection\", \"infected_device\", \"adware.android.imp\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/38.7.186.198\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199948, \"desc\": \"Adware infection detected on IP address 38.7.186.198 communicating with Command-and-Control domain x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Adware\"], \"name\": \"adware.android.imp\", \"provider\": \"SecurityScorecard\", \"uid\": \"adware.android.imp_7cd5cf7b-4c99-406c-ad46-621487394fba\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": 
\"{\\\"body_bytes_sent\\\":\\\"152\\\",\\\"enc_host\\\":\\\"x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\\\",\\\"enc_raw_header\\\":\\\"UE9TVCAvYXVjdGlvbi9pbml0IEhUVFAvMS4xDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtcHJvdG9idWYNCkFjY2VwdC1FbmNvZGluZzogZ3ppcA0KQ29udGVudC1FbmNvZGluZzogZ3ppcA0KVXNlci1BZ2VudDogRGFsdmlrLzIuMS4wIChMaW51eDsgVTsgQW5kcm9pZCAxMTsgU00tQTIwN0YgQnVpbGQvUlAxQS4yMDA3MjAuMDEyKQ0KSG9zdDogeC1ldS41OGRhYzE2ZTdiMmM4NmMxOWNmZTQ4OTE0YTZlOGZjZGFjOWFlMDZmZTVjZjUzMzY5YmVhYTQ1Yi5jb20NCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCkNvbnRlbnQtTGVuZ3RoOiAzMDMNCg0K\\\",\\\"enc_request\\\":\\\"POST%20%2Fauction%2Finit%20HTTP%2F1.1\\\",\\\"enc_request_body\\\":\\\"H4sIAAAAAAAAAK3PzUoDMRQFYEhbSwNSnI1lljKrgYQkzd+47MqNIIg/u3qTTHCUzshMacFHEHwGwbUPaStVQTcu3F3uOXxwcI8X02TsmwWFdUehDm1ThQk6QpznvZs3JPCsCqfgb6u6PB5wWlA9y0oLzjGvCHPGE+kgEif05iq5YVZZkEye9M+Qy6LVLETpiXfOEilAE2sUJ9EIr4WCGKfibqSoVJQRrttMhKijLhjxQhsijSo29NSS4IOSDJRRzDy+IvyC8H5dLtdNe9/Nqzo2yTMSTwhf55c4wcNdlAzTwaKFKuAUj3e/+apsu6qptxnb7LE4w4efGQR4WJbtV2eUDj82U46v8gt88C3vpf0VdMt/gC/y8x9wvYUnv+FB2uOU/Y19BzRbkezaAQAA\\\",\\\"family\\\":\\\"adware.android.imp\\\",\\\"field_1\\\":\\\"2022-09-23T16:20:10.540428 version_5\\\",\\\"remote_addr\\\":\\\"38.7.186.198\\\",\\\"remote_port\\\":\\\"59750\\\",\\\"remote_user\\\":\\\"-\\\",\\\"status\\\":\\\"404\\\",\\\"time_local\\\":\\\"2022-09-23T16:19:38+00:00\\\"}\", \"message\": \"Adware infection detected on IP address 38.7.186.198 by Malware DNS sinkhole on communication domain for sinkholed domain x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199948, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199948, \"original_time\": 
\"2022-11-15T17:59:59.948Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 38.7.186.198 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"emix.net.ae\", \"uid\": \"38.7.186.198\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"38.7.186.198\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Adware\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\"}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"adware.android.imp\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"59750\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"Karachi (Sector Five F), Pakistan\"}], \"finding\": {\"title\": \"Infection found on 38.7.186.198\", \"uid\": \"26c7c83d-0aad-411b-88ee-52343ff22064\", \"types\": [\"malware_infection\", \"infected_device\", \"adware.android.imp\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/38.7.186.198\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related 
device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199948, \"desc\": \"Adware infection detected on IP address 38.7.186.198 communicating with Command-and-Control domain x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\"}}",
+ "event": {
+ "action": "generate",
+ "category": [
+ "malware"
+ ],
+ "kind": "alert",
+ "reference": "https://platform.securityscorecard.io/#/asi/details/38.7.186.198",
+ "severity": 1,
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2022-11-15T17:59:59.948000Z",
+ "ocsf": {
+ "activity_id": 1,
+ "activity_name": "Generate",
+ "class_name": "Security Finding",
+ "class_uid": 2001
+ },
+ "vulnerability": {
+ "description": [],
+ "id": [],
+ "scanner": {
+ "vendor": []
+ },
+ "score": {
+ "base": [],
+ "version": []
+ },
+ "severity": []
+ }
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_system_activity_1.json b/OCSF/ocsf/tests/test_system_activity_1.json
index b52d44c26..1801fe461 100644
--- a/OCSF/ocsf/tests/test_system_activity_1.json
+++ b/OCSF/ocsf/tests/test_system_activity_1.json
@@ -1,120 +1,19 @@
 {
 "input": { 
- "message": "{\"message\": \"aug brought masters\", \"status\": \"same\", \"time\": 1695272181548, \"file\": {\"name\": \"phi.tar\", \"type\": \"Named Pipe\", \"path\": \"basement neighborhood nelson/pointer.mpa/phi.tar\", \"product\": {\"name\": \"judgment mel mental\", \"version\": \"1.0.0\", \"uid\": \"3576c3d0-583b-11ee-8a0f-0242ac110005\", \"vendor_name\": \"isp semiconductor screens\"}, \"type_id\": 666, \"parent_folder\": \"basement neighborhood nelson/pointer.mpa\", \"accessed_time\": 1695272181548, \"hashes\": [{\"value\": \"FA9D6D9F8C1E928F43F4CA3DEF6EC2D485AA60CDD4DF04348144D38434095D54EADA230FB5E8BE2A17FD91AEEFC38B4E2AD08D863F260E6244F56873701A53EE\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"device\": {\"name\": \"spirits since tours\", \"type\": \"Browser\", \"os\": {\"name\": \"mess deposits scary\", \"type\": \"HP-UX\", \"type_id\": 402, \"sp_ver\": 35}, \"ip\": \"1.128.0.0\", \"desc\": \"gene screens plenty\", \"uid\": \"3575127e-583b-11ee-b9cf-0242ac110005\", \"image\": {\"name\": \"aol interest statutes\", \"tag\": \"history afraid vcr\", \"path\": \"breaks contrary navigation\", \"uid\": \"3574fc30-583b-11ee-a7af-0242ac110005\"}, \"groups\": [{\"name\": \"spent disclaimer locks\", \"uid\": \"3575019e-583b-11ee-8751-0242ac110005\", \"privileges\": [\"seems freeware tire\"]}, {\"name\": \"stereo thousand cnet\", \"uid\": \"357505d6-583b-11ee-8d50-0242ac110005\"}], \"type_id\": 8, \"subnet\": \"130.109.0.0/16\", \"hypervisor\": \"barbados lcd electoral\", \"instance_uid\": \"3574eefc-583b-11ee-aedd-0242ac110005\", \"interface_name\": \"cleveland households subsidiaries\", \"interface_uid\": \"3574f352-583b-11ee-89fa-0242ac110005\", \"is_managed\": true, \"region\": \"survival statewide blog\", \"risk_score\": 17, \"subnet_uid\": \"3574e7c2-583b-11ee-8763-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"frederick avoiding settlement\", \"version\": \"1.0.0\", \"uid\": 
\"3574dd04-583b-11ee-9dd6-0242ac110005\", \"lang\": \"en\", \"url_string\": \"subscribers\", \"vendor_name\": \"biographies charts a\"}, \"sequence\": 36, \"profiles\": [], \"log_name\": \"benefits observe block\", \"log_provider\": \"apr applies bought\", \"original_time\": \"basement receipt forces\"}, \"severity\": \"High\", \"type_name\": \"File System Activity: Rename\", \"activity_id\": 5, \"type_uid\": 100105, \"category_name\": \"System Activity\", \"class_uid\": 1001, \"category_uid\": 1, \"class_name\": \"File System Activity\", \"timezone_offset\": 14, \"activity_name\": \"Rename\", \"actor\": {\"process\": {\"name\": \"Http\", \"pid\": 39, \"file\": {\"name\": \"with.com\", \"type\": \"Symbolic Link\", \"path\": \"fact nick marilyn/wives.iso/with.com\", \"type_id\": 7, \"parent_folder\": \"fact nick marilyn/wives.iso\", \"confidentiality\": \"microphone ingredients everybody\", \"hashes\": [{\"value\": \"5448F2E81D8402BD06F1B7A1F25A23A09CF423B5C17631EDC1CB3A06C6135BEA\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"DB43BDA2E28D2B02E0F94993E11FF5A6A49D0E62D62834916C0F623B00401D7C1848EDA3BD47A48ACE755F0AF75D3D92850EEDDD011B6B3ED4D93BA15953F9AD\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Proxy\", \"type\": \"User\", \"domain\": \"canal emerald dry\", \"uid\": \"35752d18-583b-11ee-8e91-0242ac110005\", \"type_id\": 1, \"full_name\": \"Kitty Sabine\", \"account\": {\"name\": \"findarticles awards error\", \"type\": \"AWS IAM User\", \"uid\": \"357534b6-583b-11ee-acbb-0242ac110005\", \"type_id\": 3}, \"email_addr\": \"Dotty@bg.info\", \"uid_alt\": \"mature botswana advisory\"}, \"uid\": \"357539de-583b-11ee-808d-0242ac110005\", \"cmd_line\": \"dd apple updating\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Olympic\", \"file\": {\"name\": \"chrysler.pages\", \"type\": \"Character Device\", \"path\": \"jesus cattle cave/remainder.iso/chrysler.pages\", \"desc\": \"claims runtime 
directories\", \"uid\": \"3575485c-583b-11ee-b07c-0242ac110005\", \"type_id\": 3, \"company_name\": \"Esta Malena\", \"parent_folder\": \"jesus cattle cave/remainder.iso\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"0983A0F9D6FE6015A7EB984C4D51C74EC818D6B4B2EA630CA2794A51512BEA5EC489606DAA019CA34D4CA678FF154530DBF2211DC9AD7D058363D7630F3AF2B8\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695272181548, \"security_descriptor\": \"motels derby subtle\"}, \"user\": {\"name\": \"Salvador\", \"type\": \"Admin\", \"uid\": \"357551a8-583b-11ee-9f3a-0242ac110005\", \"groups\": [{\"name\": \"admissions throughout scope\", \"uid\": \"357556c6-583b-11ee-a761-0242ac110005\"}], \"type_id\": 2, \"email_addr\": \"Georgeann@compounds.org\"}, \"cmd_line\": \"regardless discussed gb\", \"created_time\": 1695272181548, \"integrity\": \"eat\", \"integrity_id\": 99, \"lineage\": [\"ff encoding towns\", \"alter reservoir drums\"], \"parent_process\": {\"pid\": 24, \"user\": {\"type\": \"dealer\", \"uid\": \"3575612a-583b-11ee-8729-0242ac110005\", \"type_id\": 99, \"account\": {\"name\": \"lisa avoiding grade\", \"type\": \"Mac OS Account\", \"uid\": \"35756968-583b-11ee-adc7-0242ac110005\", \"type_id\": 7}}, \"tid\": 17, \"uid\": \"35756e18-583b-11ee-8658-0242ac110005\", \"cmd_line\": \"step bernard quiet\", \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Schedules\", \"pid\": 64, \"file\": {\"attributes\": 59, \"name\": \"expectations.sh\", \"size\": 3829463934, \"type\": \"Named Pipe\", \"path\": \"their haven interact/president.log/expectations.sh\", \"type_id\": 6, \"company_name\": \"Johnny Kenia\", \"parent_folder\": \"their haven interact/president.log\", \"hashes\": [{\"value\": \"673864FF7BB72B5CB7535BD3C797DAE6BCDCE37BB6E0BD9D6EDDB8205EE636ACCA593394B1827FD62DAEC350638203EC5021A55A87B54D3BD4E0391CCACFA7B5\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": 
\"DA377EE2C5138BD0042100780B04CFB9752DD077344B2CBCACFFBEA5D94D0BB095E7314616D60350025F9E6489D6CBF9FA4C1D07CA52AB9C364397B6A6DB1426\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"is_system\": true}, \"user\": {\"name\": \"Gun\", \"type\": \"User\", \"uid\": \"35757fde-583b-11ee-8426-0242ac110005\", \"org\": {\"name\": \"suitable bother k\", \"uid\": \"357584f2-583b-11ee-b957-0242ac110005\", \"ou_name\": \"signals pixel questions\"}, \"type_id\": 1}, \"uid\": \"35758902-583b-11ee-9a1c-0242ac110005\", \"cmd_line\": \"sons eur fence\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Best\", \"pid\": 51, \"user\": {\"name\": \"Wrapping\", \"type\": \"Unknown\", \"uid\": \"357599c4-583b-11ee-839a-0242ac110005\", \"type_id\": 0, \"email_addr\": \"Valene@water.aero\"}, \"tid\": 72, \"uid\": \"3575a158-583b-11ee-a0c1-0242ac110005\", \"loaded_modules\": [\"/par/addresses/isle/blink/utils.3ds\", \"/conventions/market/normal/lease/absolute.tar.gz\"], \"cmd_line\": \"optional icq refresh\", \"created_time\": 1695272181548, \"integrity\": \"Medium\", \"integrity_id\": 3, \"lineage\": [\"marco danny survival\"], \"parent_process\": {\"name\": \"Expo\", \"pid\": 70, \"file\": {\"attributes\": 73, \"name\": \"wagner.hqx\", \"type\": \"Folder\", \"path\": \"nest communist anthony/tri.tex/wagner.hqx\", \"type_id\": 2, \"parent_folder\": \"nest communist anthony/tri.tex\"}, \"user\": {\"name\": \"Vehicles\", \"type\": \"Unknown\", \"uid\": \"3575b594-583b-11ee-ad61-0242ac110005\", \"groups\": [{\"name\": \"attention horrible saved\", \"type\": \"clinical integration find\"}], \"type_id\": 0, \"uid_alt\": \"immigrants vegetables names\"}, \"uid\": \"3575bbde-583b-11ee-a34c-0242ac110005\", \"cmd_line\": \"furnishings oo elderly\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Gis\", \"pid\": 7, \"file\": {\"name\": \"conviction.dem\", \"owner\": {\"name\": \"Founded\", \"type\": \"System\", \"groups\": [{\"name\": \"picked physicians 
sponsored\", \"uid\": \"3575cc6e-583b-11ee-9fc6-0242ac110005\"}, {\"name\": \"theft os finished\", \"type\": \"baking how furnished\", \"desc\": \"consistent remind intel\", \"uid\": \"3575d2cc-583b-11ee-9bd2-0242ac110005\", \"privileges\": [\"moscow whom catalogue\", \"bar distant sitting\"]}], \"type_id\": 3}, \"type\": \"Regular File\", \"path\": \"lesbian consistent policy/house.crdownload/conviction.dem\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"equivalent fuzzy password\", \"issuer\": \"rom ge xml\", \"fingerprints\": [{\"value\": \"4AE524EF0A54BC56E3844482DFF66D3DD1C07170A36531500327556E4EB58A66\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"2D3C087352251B27B4B883E464997A204BC6990478F6ADA51535ED9C87BB9BD65BB98AF4BCF9442E5126A77E0D6984B1596D2253167232DA8AC3415D7FB47186\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"streets missouri stack\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"type_id\": 1, \"company_name\": \"Agatha Bridget\", \"parent_folder\": \"lesbian consistent policy/house.crdownload\", \"hashes\": [{\"value\": \"7C44A3A14F05688E4AC527919744E64B96B371173856D178D72F65DAB3DC8EE7563B5E05EE7F625263083247F54503AD771DB5F66B3C9F9216B95114BA6BFCCB\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"security_descriptor\": \"blank special atm\"}, \"user\": {\"name\": \"Sec\", \"type\": \"Unknown\", \"uid\": \"3575f450-583b-11ee-b6bb-0242ac110005\", \"org\": {\"name\": \"delayed cables leads\", \"uid\": \"3575f964-583b-11ee-8c61-0242ac110005\"}, \"type_id\": 0, \"full_name\": \"Katheryn Dario\", \"uid_alt\": \"room suicide poem\"}, \"uid\": \"3575fdb0-583b-11ee-aeb9-0242ac110005\", \"cmd_line\": \"japan sells jeans\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Decrease\", \"pid\": 59, \"file\": {\"name\": \"structural.swf\", \"size\": 688932239, \"type\": \"customs\", \"path\": 
\"fwd various rr/harper.tar.gz/structural.swf\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"ordering ou explanation\", \"issuer\": \"truck rings arrivals\", \"fingerprints\": [{\"value\": \"D9B2FE68B6C253E250B14667FE79D988B4D2AC568F7FD62357330B906C30A49D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"EBD7275B8E016156D5C802AA81EF32823EF0D89B944B062044092C012CDD5078AF0362403420AB2DD96D282058889BCC6484F8FC42C61C29774AB18337A40FD9\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"expiration_time\": 1695272181548, \"serial_number\": \"rd throw preliminary\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1, \"created_time\": 1695272181548}, \"type_id\": 99, \"parent_folder\": \"fwd various rr/harper.tar.gz\", \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"value\": \"9392895322BB82C443FB155DA3D787E63B9CFF61E9725327EA2B4FAFE964C306117CB523AEBA0D2D8CDF029592125C16C1F892E88D80F9888D7031FD2974B8DE\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"type\": \"Admin\", \"domain\": \"sydney initiatives plymouth\", \"uid\": \"35761822-583b-11ee-beb2-0242ac110005\", \"type_id\": 2, \"full_name\": \"Theron Augustine\"}, \"tid\": 80, \"uid\": \"35761c82-583b-11ee-b824-0242ac110005\", \"cmd_line\": \"terry ld apple\", \"created_time\": 1695272181548, \"lineage\": [\"ts initial roses\", \"wicked sm especially\"], \"parent_process\": {\"pid\": 96, \"file\": {\"name\": \"fcc.gz\", \"type\": \"Local Socket\", \"path\": \"webcast invention brandon/thumbnail.rm/fcc.gz\", \"signature\": {\"digest\": {\"value\": \"F28E98CA59479136BFC3E11371555CF78BDEDDF0332D62DD063B794024CC5C4FE13F9EA7BA6BCE31550B8B7DEFFB31BF20E54B6C1095A68E8E18A26F91C0E838\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"previous furthermore create\", \"issuer\": \"kids permissions cosmetic\", \"fingerprints\": [{\"value\": 
\"C9E4D5C19777C2E695975FB5FE0D92C5DEEE360C4AFF172B638D981E5BCE505FB3373CF7A620436611A964772215DD15E564B701B09AB141C53258EA7DB63589\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"D02BCEDE7EF63722B56FD76E6C3E0C74E72D5B9C169DE7BA9712A1EAEF0C13F59F27BBFC33274C80889426EB38A8D191AB7B08FE9397BF0BE4D5B4C08CF7956C\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"mold afghanistan pine\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"desc\": \"reads choir while\", \"type_id\": 5, \"company_name\": \"Parthenia Kim\", \"creator\": {\"type\": \"System\", \"uid\": \"357634b0-583b-11ee-aa30-0242ac110005\", \"org\": {\"name\": \"lessons fighting basement\", \"uid\": \"357639f6-583b-11ee-a863-0242ac110005\", \"ou_name\": \"recently iron turning\"}, \"type_id\": 3}, \"parent_folder\": \"webcast invention brandon/thumbnail.rm\", \"hashes\": [{\"value\": \"533747897E1F6754B1E577DEEBA5E673C0DD9F09229F048608C88CA5EEC2A420FFF7F06C5B27F45A1B7A705FF141C4AE11196CAB9BE339546B7EEF258DFED346\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}]}, \"user\": {\"name\": \"Intervals\", \"type\": \"Admin\", \"uid\": \"357644a0-583b-11ee-b222-0242ac110005\", \"type_id\": 2, \"full_name\": \"Margert Debbie\", \"account\": {\"name\": \"gained oldest atomic\", \"type\": \"AWS IAM User\", \"type_id\": 3}, \"email_addr\": \"Ernie@drum.jobs\"}, \"uid\": \"35764af4-583b-11ee-bfee-0242ac110005\", \"session\": {\"uid\": \"35764ff4-583b-11ee-ad30-0242ac110005\", \"issuer\": \"information daisy computational\", \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"is_remote\": false}, \"loaded_modules\": [\"/frequently/tomatoes/one/trembl/trance.php\", \"/supposed/passwords/boutique/codes/coalition.txt\"], \"cmd_line\": \"grounds profits tear\", \"integrity\": \"attempts strategy meetup\", \"lineage\": [\"tar optical per\", \"fixtures while coaches\"], \"parent_process\": {\"name\": 
\"Speed\", \"pid\": 69, \"file\": {\"name\": \"kathy.gpx\", \"type\": \"Symbolic Link\", \"version\": \"1.0.0\", \"path\": \"stake dame kw/bangladesh.tax2020/kathy.gpx\", \"type_id\": 7, \"parent_folder\": \"stake dame kw/bangladesh.tax2020\", \"confidentiality\": \"smilies ethnic exclusively\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"DF2FF56CB3BAC1E28C3FE0395F52F814539922A774E1B53793268DC61ADD718A6BEED6E464F3D3AB436A5F61A84B21F073DD534943FEFA40E0DAD92DF1C92874\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Class\", \"type\": \"Admin\", \"uid\": \"3576639a-583b-11ee-a0a4-0242ac110005\", \"org\": {\"name\": \"thumb perception casual\", \"uid\": \"357668cc-583b-11ee-9bcd-0242ac110005\", \"ou_name\": \"russell martin tonight\"}, \"type_id\": 2, \"credential_uid\": \"35766f02-583b-11ee-93b4-0242ac110005\", \"uid_alt\": \"acute vocals goat\"}, \"uid\": \"3576731c-583b-11ee-b4bb-0242ac110005\", \"cmd_line\": \"canon istanbul ears\", \"created_time\": 1695272181548, \"integrity\": \"rage cloudy starts\", \"parent_process\": {\"name\": \"Forget\", \"pid\": 6, \"file\": {\"name\": \"rpg.eps\", \"size\": 2219996466, \"type\": \"Unknown\", \"type_id\": 0, \"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"hashes\": [{\"value\": \"25B732B3425CF8421A84FBE8E6EFA1AAF932AD4B\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"501A60A2B28BA8E6A95CE30C11877FDA\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"uid\": \"35768726-583b-11ee-b021-0242ac110005\", \"loaded_modules\": [\"/congo/hundreds/jerry/limousines/meanwhile.lua\", \"/employment/discounts/dg/company/colin.txt\"], \"cmd_line\": \"samuel affiliates stores\", \"created_time\": 1695272181548, \"lineage\": [\"locked feedback tank\", \"kuwait integrity messages\"], \"parent_process\": {\"name\": \"Part\", \"pid\": 72, \"file\": {\"name\": \"transexual.kml\", \"owner\": {\"name\": \"Disappointed\", \"type\": 
\"Admin\", \"uid\": \"357695ae-583b-11ee-a3e8-0242ac110005\", \"type_id\": 2}, \"type\": \"Local Socket\", \"path\": \"robin imperial rugby/delicious.lua/transexual.kml\", \"product\": {\"name\": \"receptors surgeons dui\", \"path\": \"joins roy in\", \"lang\": \"en\", \"url_string\": \"bias\", \"vendor_name\": \"wonderful earning zealand\"}, \"type_id\": 5, \"company_name\": \"Morris Antonio\", \"parent_folder\": \"robin imperial rugby/delicious.lua\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"value\": \"D9C1ACF117657BB04A8309ECBD6F3771E4F5E0BBEB437019748FFB5028BDA1B7\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}]}, \"user\": {\"name\": \"Tft\", \"type\": \"Unknown\", \"uid\": \"3576a274-583b-11ee-a3dc-0242ac110005\", \"type_id\": 0}, \"uid\": \"3576a6e8-583b-11ee-907e-0242ac110005\", \"loaded_modules\": [\"/initial/example/lenders/manitoba/picked.mdf\"], \"cmd_line\": \"hh officials patient\", \"created_time\": 1695272181548, \"sandbox\": \"new rt auto\"}, \"sandbox\": \"proc budgets magnet\"}}}, \"sandbox\": \"uk worth harmony\", \"xattributes\": {}}, \"sandbox\": \"arbitration saturday very\", \"terminated_time\": 1695272181548, \"xattributes\": {}}}}, \"sandbox\": \"ranked cookbook propecia\", \"xattributes\": {}}}}}, \"user\": {\"name\": \"root\", \"type\": \"Admin\", \"uid\": \"3576b16a-583b-11ee-9386-0242ac110005\", \"type_id\": 2, \"full_name\": \"Inocencia Adelle\"}, \"idp\": {\"name\": \"through foot query\", \"uid\": \"3576b692-583b-11ee-b9a6-0242ac110005\"}}, \"create_mask\": \"lu hairy cases\", \"enrichments\": [{\"data\": {\"professionals\": \"profess\"}, \"name\": \"universal ex rpg\", \"type\": \"concentrations sciences genuine\", \"value\": \"participants managing combines\", \"provider\": \"dance avon fundamental\"}, {\"data\": {\"hill\": \"rfsvfdc\"}, \"name\": \"strip milton opened\", \"type\": \"volunteers manufacturing argentina\", \"value\": \"needs hopes taxation\", \"provider\": \"held rounds 
tumor\"}], \"severity_id\": 4, \"status_id\": 99}", 
- "sekoiaio": { 
- "intake": { 
- "dialect": "OCSF", 
- "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" 
- } 
- } 
+ "message": "{\"activity_id\": 99, \"actor\": {\"process\": {\"file\": {\"name\": \"lsass.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\lsass.exe\", \"type_id\": 1}, \"pid\": 492}, \"session\": {\"uid\": \"0x3e7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"DIR\", \"name\": \"STLDIRDC1$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"category_uid\": 1, \"class_uid\": 1010, \"device\": {\"hostname\": \"STLDIRDC1.dir.solutia.com\", \"os\": {\"name\": \"Windows\", \"type_id\": 100}, \"type_id\": 0}, \"message\": \"A handle to an object was requested.\", \"metadata\": {\"original_time\": \"01/09/2019 12:46:00 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"d9e6a7b1-3177-4542-8de1-bfd582f87727\", \"version\": \"1.0.0-rc.2\"}, \"severity_id\": 1, \"status_id\": 1, \"time\": 1547012760000, \"unmapped\": {\"Access Request Information\": {\"Access Mask\": \"0x2d\", \"Accesses\": [\"DELETE\", \"READ_CONTROL\", \"WRITE_DAC\", \"WRITE_OWNER\", \"ReadPasswordParameters\", \"WritePasswordParameters\", \"ReadOtherParameters\", \"WriteOtherParameters\", \"CreateUser\", \"CreateGlobalGroup\", \"CreateLocalGroup\", \"GetLocalGroupMembership\", \"ListAccounts\"], \"Privileges Used for Access Check\": \"\\u01ff\\\\x0F-\", \"Properties\": [\"---\", \"domain\", \"DELETE\", \"READ_CONTROL\", \"WRITE_DAC\", \"WRITE_OWNER\", \"ReadPasswordParameters\", \"WritePasswordParameters\", \"ReadOtherParameters\", \"WriteOtherParameters\", \"CreateUser\", \"CreateGlobalGroup\", \"CreateLocalGroup\", \"GetLocalGroupMembership\", \"ListAccounts\", \"Domain Password & Lockout Policies\", \"lockOutObservationWindow\", 
\"lockoutDuration\", \"lockoutThreshold\", \"maxPwdAge\", \"minPwdAge\", \"minPwdLength\", \"pwdHistoryLength\", \"pwdProperties\", \"Other Domain Parameters (for use by SAM)\", \"serverState\", \"serverRole\", \"modifiedCount\", \"uASCompat\", \"forceLogoff\", \"domainReplica\", \"oEMInformation\", \"Domain Administer Server\"], \"Restricted SID Count\": \"0\", \"Transaction ID\": \"{00000000-0000-0000-0000-000000000000}\"}, \"EventCode\": \"4661\", \"EventType\": \"0\", \"Object\": {\"Object Server\": \"Security Account Manager\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"3166250565\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"SAM\"}, \"win_resource\": {\"name\": \"DC=dir,DC=solutia,DC=com\", \"type_id\": 36, \"uid\": \"0x7f79620\"}}"
 },
 "expected": { 
- "message": "{\"message\": \"aug brought masters\", \"status\": \"same\", \"time\": 1695272181548, \"file\": {\"name\": \"phi.tar\", \"type\": \"Named Pipe\", \"path\": \"basement neighborhood nelson/pointer.mpa/phi.tar\", \"product\": {\"name\": \"judgment mel mental\", \"version\": \"1.0.0\", \"uid\": \"3576c3d0-583b-11ee-8a0f-0242ac110005\", \"vendor_name\": \"isp semiconductor screens\"}, \"type_id\": 666, \"parent_folder\": \"basement neighborhood nelson/pointer.mpa\", \"accessed_time\": 1695272181548, \"hashes\": [{\"value\": \"FA9D6D9F8C1E928F43F4CA3DEF6EC2D485AA60CDD4DF04348144D38434095D54EADA230FB5E8BE2A17FD91AEEFC38B4E2AD08D863F260E6244F56873701A53EE\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"device\": {\"name\": \"spirits since tours\", \"type\": \"Browser\", \"os\": {\"name\": \"mess deposits scary\", \"type\": \"HP-UX\", \"type_id\": 402, \"sp_ver\": 35}, \"ip\": \"1.128.0.0\", \"desc\": \"gene screens plenty\", \"uid\": \"3575127e-583b-11ee-b9cf-0242ac110005\", \"image\": {\"name\": \"aol interest statutes\", \"tag\": \"history afraid vcr\", \"path\": \"breaks contrary navigation\", \"uid\": \"3574fc30-583b-11ee-a7af-0242ac110005\"}, \"groups\": 
[{\"name\": \"spent disclaimer locks\", \"uid\": \"3575019e-583b-11ee-8751-0242ac110005\", \"privileges\": [\"seems freeware tire\"]}, {\"name\": \"stereo thousand cnet\", \"uid\": \"357505d6-583b-11ee-8d50-0242ac110005\"}], \"type_id\": 8, \"subnet\": \"130.109.0.0/16\", \"hypervisor\": \"barbados lcd electoral\", \"instance_uid\": \"3574eefc-583b-11ee-aedd-0242ac110005\", \"interface_name\": \"cleveland households subsidiaries\", \"interface_uid\": \"3574f352-583b-11ee-89fa-0242ac110005\", \"is_managed\": true, \"region\": \"survival statewide blog\", \"risk_score\": 17, \"subnet_uid\": \"3574e7c2-583b-11ee-8763-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"frederick avoiding settlement\", \"version\": \"1.0.0\", \"uid\": \"3574dd04-583b-11ee-9dd6-0242ac110005\", \"lang\": \"en\", \"url_string\": \"subscribers\", \"vendor_name\": \"biographies charts a\"}, \"sequence\": 36, \"profiles\": [], \"log_name\": \"benefits observe block\", \"log_provider\": \"apr applies bought\", \"original_time\": \"basement receipt forces\"}, \"severity\": \"High\", \"type_name\": \"File System Activity: Rename\", \"activity_id\": 5, \"type_uid\": 100105, \"category_name\": \"System Activity\", \"class_uid\": 1001, \"category_uid\": 1, \"class_name\": \"File System Activity\", \"timezone_offset\": 14, \"activity_name\": \"Rename\", \"actor\": {\"process\": {\"name\": \"Http\", \"pid\": 39, \"file\": {\"name\": \"with.com\", \"type\": \"Symbolic Link\", \"path\": \"fact nick marilyn/wives.iso/with.com\", \"type_id\": 7, \"parent_folder\": \"fact nick marilyn/wives.iso\", \"confidentiality\": \"microphone ingredients everybody\", \"hashes\": [{\"value\": \"5448F2E81D8402BD06F1B7A1F25A23A09CF423B5C17631EDC1CB3A06C6135BEA\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"DB43BDA2E28D2B02E0F94993E11FF5A6A49D0E62D62834916C0F623B00401D7C1848EDA3BD47A48ACE755F0AF75D3D92850EEDDD011B6B3ED4D93BA15953F9AD\", \"algorithm\": \"CTPH\", 
\"algorithm_id\": 5}]}, \"user\": {\"name\": \"Proxy\", \"type\": \"User\", \"domain\": \"canal emerald dry\", \"uid\": \"35752d18-583b-11ee-8e91-0242ac110005\", \"type_id\": 1, \"full_name\": \"Kitty Sabine\", \"account\": {\"name\": \"findarticles awards error\", \"type\": \"AWS IAM User\", \"uid\": \"357534b6-583b-11ee-acbb-0242ac110005\", \"type_id\": 3}, \"email_addr\": \"Dotty@bg.info\", \"uid_alt\": \"mature botswana advisory\"}, \"uid\": \"357539de-583b-11ee-808d-0242ac110005\", \"cmd_line\": \"dd apple updating\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Olympic\", \"file\": {\"name\": \"chrysler.pages\", \"type\": \"Character Device\", \"path\": \"jesus cattle cave/remainder.iso/chrysler.pages\", \"desc\": \"claims runtime directories\", \"uid\": \"3575485c-583b-11ee-b07c-0242ac110005\", \"type_id\": 3, \"company_name\": \"Esta Malena\", \"parent_folder\": \"jesus cattle cave/remainder.iso\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"0983A0F9D6FE6015A7EB984C4D51C74EC818D6B4B2EA630CA2794A51512BEA5EC489606DAA019CA34D4CA678FF154530DBF2211DC9AD7D058363D7630F3AF2B8\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695272181548, \"security_descriptor\": \"motels derby subtle\"}, \"user\": {\"name\": \"Salvador\", \"type\": \"Admin\", \"uid\": \"357551a8-583b-11ee-9f3a-0242ac110005\", \"groups\": [{\"name\": \"admissions throughout scope\", \"uid\": \"357556c6-583b-11ee-a761-0242ac110005\"}], \"type_id\": 2, \"email_addr\": \"Georgeann@compounds.org\"}, \"cmd_line\": \"regardless discussed gb\", \"created_time\": 1695272181548, \"integrity\": \"eat\", \"integrity_id\": 99, \"lineage\": [\"ff encoding towns\", \"alter reservoir drums\"], \"parent_process\": {\"pid\": 24, \"user\": {\"type\": \"dealer\", \"uid\": \"3575612a-583b-11ee-8729-0242ac110005\", \"type_id\": 99, \"account\": {\"name\": \"lisa avoiding grade\", \"type\": \"Mac OS Account\", \"uid\": 
\"35756968-583b-11ee-adc7-0242ac110005\", \"type_id\": 7}}, \"tid\": 17, \"uid\": \"35756e18-583b-11ee-8658-0242ac110005\", \"cmd_line\": \"step bernard quiet\", \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Schedules\", \"pid\": 64, \"file\": {\"attributes\": 59, \"name\": \"expectations.sh\", \"size\": 3829463934, \"type\": \"Named Pipe\", \"path\": \"their haven interact/president.log/expectations.sh\", \"type_id\": 6, \"company_name\": \"Johnny Kenia\", \"parent_folder\": \"their haven interact/president.log\", \"hashes\": [{\"value\": \"673864FF7BB72B5CB7535BD3C797DAE6BCDCE37BB6E0BD9D6EDDB8205EE636ACCA593394B1827FD62DAEC350638203EC5021A55A87B54D3BD4E0391CCACFA7B5\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"DA377EE2C5138BD0042100780B04CFB9752DD077344B2CBCACFFBEA5D94D0BB095E7314616D60350025F9E6489D6CBF9FA4C1D07CA52AB9C364397B6A6DB1426\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"is_system\": true}, \"user\": {\"name\": \"Gun\", \"type\": \"User\", \"uid\": \"35757fde-583b-11ee-8426-0242ac110005\", \"org\": {\"name\": \"suitable bother k\", \"uid\": \"357584f2-583b-11ee-b957-0242ac110005\", \"ou_name\": \"signals pixel questions\"}, \"type_id\": 1}, \"uid\": \"35758902-583b-11ee-9a1c-0242ac110005\", \"cmd_line\": \"sons eur fence\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Best\", \"pid\": 51, \"user\": {\"name\": \"Wrapping\", \"type\": \"Unknown\", \"uid\": \"357599c4-583b-11ee-839a-0242ac110005\", \"type_id\": 0, \"email_addr\": \"Valene@water.aero\"}, \"tid\": 72, \"uid\": \"3575a158-583b-11ee-a0c1-0242ac110005\", \"loaded_modules\": [\"/par/addresses/isle/blink/utils.3ds\", \"/conventions/market/normal/lease/absolute.tar.gz\"], \"cmd_line\": \"optional icq refresh\", \"created_time\": 1695272181548, \"integrity\": \"Medium\", \"integrity_id\": 3, \"lineage\": [\"marco danny survival\"], \"parent_process\": {\"name\": \"Expo\", \"pid\": 
70, \"file\": {\"attributes\": 73, \"name\": \"wagner.hqx\", \"type\": \"Folder\", \"path\": \"nest communist anthony/tri.tex/wagner.hqx\", \"type_id\": 2, \"parent_folder\": \"nest communist anthony/tri.tex\"}, \"user\": {\"name\": \"Vehicles\", \"type\": \"Unknown\", \"uid\": \"3575b594-583b-11ee-ad61-0242ac110005\", \"groups\": [{\"name\": \"attention horrible saved\", \"type\": \"clinical integration find\"}], \"type_id\": 0, \"uid_alt\": \"immigrants vegetables names\"}, \"uid\": \"3575bbde-583b-11ee-a34c-0242ac110005\", \"cmd_line\": \"furnishings oo elderly\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Gis\", \"pid\": 7, \"file\": {\"name\": \"conviction.dem\", \"owner\": {\"name\": \"Founded\", \"type\": \"System\", \"groups\": [{\"name\": \"picked physicians sponsored\", \"uid\": \"3575cc6e-583b-11ee-9fc6-0242ac110005\"}, {\"name\": \"theft os finished\", \"type\": \"baking how furnished\", \"desc\": \"consistent remind intel\", \"uid\": \"3575d2cc-583b-11ee-9bd2-0242ac110005\", \"privileges\": [\"moscow whom catalogue\", \"bar distant sitting\"]}], \"type_id\": 3}, \"type\": \"Regular File\", \"path\": \"lesbian consistent policy/house.crdownload/conviction.dem\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"equivalent fuzzy password\", \"issuer\": \"rom ge xml\", \"fingerprints\": [{\"value\": \"4AE524EF0A54BC56E3844482DFF66D3DD1C07170A36531500327556E4EB58A66\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"2D3C087352251B27B4B883E464997A204BC6990478F6ADA51535ED9C87BB9BD65BB98AF4BCF9442E5126A77E0D6984B1596D2253167232DA8AC3415D7FB47186\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"streets missouri stack\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"type_id\": 1, \"company_name\": \"Agatha Bridget\", \"parent_folder\": \"lesbian consistent policy/house.crdownload\", \"hashes\": [{\"value\": 
\"7C44A3A14F05688E4AC527919744E64B96B371173856D178D72F65DAB3DC8EE7563B5E05EE7F625263083247F54503AD771DB5F66B3C9F9216B95114BA6BFCCB\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"security_descriptor\": \"blank special atm\"}, \"user\": {\"name\": \"Sec\", \"type\": \"Unknown\", \"uid\": \"3575f450-583b-11ee-b6bb-0242ac110005\", \"org\": {\"name\": \"delayed cables leads\", \"uid\": \"3575f964-583b-11ee-8c61-0242ac110005\"}, \"type_id\": 0, \"full_name\": \"Katheryn Dario\", \"uid_alt\": \"room suicide poem\"}, \"uid\": \"3575fdb0-583b-11ee-aeb9-0242ac110005\", \"cmd_line\": \"japan sells jeans\", \"created_time\": 1695272181548, \"parent_process\": {\"name\": \"Decrease\", \"pid\": 59, \"file\": {\"name\": \"structural.swf\", \"size\": 688932239, \"type\": \"customs\", \"path\": \"fwd various rr/harper.tar.gz/structural.swf\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"ordering ou explanation\", \"issuer\": \"truck rings arrivals\", \"fingerprints\": [{\"value\": \"D9B2FE68B6C253E250B14667FE79D988B4D2AC568F7FD62357330B906C30A49D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"EBD7275B8E016156D5C802AA81EF32823EF0D89B944B062044092C012CDD5078AF0362403420AB2DD96D282058889BCC6484F8FC42C61C29774AB18337A40FD9\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"expiration_time\": 1695272181548, \"serial_number\": \"rd throw preliminary\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1, \"created_time\": 1695272181548}, \"type_id\": 99, \"parent_folder\": \"fwd various rr/harper.tar.gz\", \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"value\": \"9392895322BB82C443FB155DA3D787E63B9CFF61E9725327EA2B4FAFE964C306117CB523AEBA0D2D8CDF029592125C16C1F892E88D80F9888D7031FD2974B8DE\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"type\": \"Admin\", \"domain\": \"sydney initiatives plymouth\", \"uid\": \"35761822-583b-11ee-beb2-0242ac110005\", \"type_id\": 2, 
\"full_name\": \"Theron Augustine\"}, \"tid\": 80, \"uid\": \"35761c82-583b-11ee-b824-0242ac110005\", \"cmd_line\": \"terry ld apple\", \"created_time\": 1695272181548, \"lineage\": [\"ts initial roses\", \"wicked sm especially\"], \"parent_process\": {\"pid\": 96, \"file\": {\"name\": \"fcc.gz\", \"type\": \"Local Socket\", \"path\": \"webcast invention brandon/thumbnail.rm/fcc.gz\", \"signature\": {\"digest\": {\"value\": \"F28E98CA59479136BFC3E11371555CF78BDEDDF0332D62DD063B794024CC5C4FE13F9EA7BA6BCE31550B8B7DEFFB31BF20E54B6C1095A68E8E18A26F91C0E838\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"previous furthermore create\", \"issuer\": \"kids permissions cosmetic\", \"fingerprints\": [{\"value\": \"C9E4D5C19777C2E695975FB5FE0D92C5DEEE360C4AFF172B638D981E5BCE505FB3373CF7A620436611A964772215DD15E564B701B09AB141C53258EA7DB63589\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"D02BCEDE7EF63722B56FD76E6C3E0C74E72D5B9C169DE7BA9712A1EAEF0C13F59F27BBFC33274C80889426EB38A8D191AB7B08FE9397BF0BE4D5B4C08CF7956C\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"mold afghanistan pine\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"desc\": \"reads choir while\", \"type_id\": 5, \"company_name\": \"Parthenia Kim\", \"creator\": {\"type\": \"System\", \"uid\": \"357634b0-583b-11ee-aa30-0242ac110005\", \"org\": {\"name\": \"lessons fighting basement\", \"uid\": \"357639f6-583b-11ee-a863-0242ac110005\", \"ou_name\": \"recently iron turning\"}, \"type_id\": 3}, \"parent_folder\": \"webcast invention brandon/thumbnail.rm\", \"hashes\": [{\"value\": \"533747897E1F6754B1E577DEEBA5E673C0DD9F09229F048608C88CA5EEC2A420FFF7F06C5B27F45A1B7A705FF141C4AE11196CAB9BE339546B7EEF258DFED346\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}]}, \"user\": {\"name\": \"Intervals\", \"type\": \"Admin\", \"uid\": 
\"357644a0-583b-11ee-b222-0242ac110005\", \"type_id\": 2, \"full_name\": \"Margert Debbie\", \"account\": {\"name\": \"gained oldest atomic\", \"type\": \"AWS IAM User\", \"type_id\": 3}, \"email_addr\": \"Ernie@drum.jobs\"}, \"uid\": \"35764af4-583b-11ee-bfee-0242ac110005\", \"session\": {\"uid\": \"35764ff4-583b-11ee-ad30-0242ac110005\", \"issuer\": \"information daisy computational\", \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"is_remote\": false}, \"loaded_modules\": [\"/frequently/tomatoes/one/trembl/trance.php\", \"/supposed/passwords/boutique/codes/coalition.txt\"], \"cmd_line\": \"grounds profits tear\", \"integrity\": \"attempts strategy meetup\", \"lineage\": [\"tar optical per\", \"fixtures while coaches\"], \"parent_process\": {\"name\": \"Speed\", \"pid\": 69, \"file\": {\"name\": \"kathy.gpx\", \"type\": \"Symbolic Link\", \"version\": \"1.0.0\", \"path\": \"stake dame kw/bangladesh.tax2020/kathy.gpx\", \"type_id\": 7, \"parent_folder\": \"stake dame kw/bangladesh.tax2020\", \"confidentiality\": \"smilies ethnic exclusively\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"DF2FF56CB3BAC1E28C3FE0395F52F814539922A774E1B53793268DC61ADD718A6BEED6E464F3D3AB436A5F61A84B21F073DD534943FEFA40E0DAD92DF1C92874\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Class\", \"type\": \"Admin\", \"uid\": \"3576639a-583b-11ee-a0a4-0242ac110005\", \"org\": {\"name\": \"thumb perception casual\", \"uid\": \"357668cc-583b-11ee-9bcd-0242ac110005\", \"ou_name\": \"russell martin tonight\"}, \"type_id\": 2, \"credential_uid\": \"35766f02-583b-11ee-93b4-0242ac110005\", \"uid_alt\": \"acute vocals goat\"}, \"uid\": \"3576731c-583b-11ee-b4bb-0242ac110005\", \"cmd_line\": \"canon istanbul ears\", \"created_time\": 1695272181548, \"integrity\": \"rage cloudy starts\", \"parent_process\": {\"name\": \"Forget\", \"pid\": 6, \"file\": {\"name\": \"rpg.eps\", \"size\": 2219996466, 
\"type\": \"Unknown\", \"type_id\": 0, \"confidentiality\": \"Unknown\", \"confidentiality_id\": 0, \"hashes\": [{\"value\": \"25B732B3425CF8421A84FBE8E6EFA1AAF932AD4B\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"501A60A2B28BA8E6A95CE30C11877FDA\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"uid\": \"35768726-583b-11ee-b021-0242ac110005\", \"loaded_modules\": [\"/congo/hundreds/jerry/limousines/meanwhile.lua\", \"/employment/discounts/dg/company/colin.txt\"], \"cmd_line\": \"samuel affiliates stores\", \"created_time\": 1695272181548, \"lineage\": [\"locked feedback tank\", \"kuwait integrity messages\"], \"parent_process\": {\"name\": \"Part\", \"pid\": 72, \"file\": {\"name\": \"transexual.kml\", \"owner\": {\"name\": \"Disappointed\", \"type\": \"Admin\", \"uid\": \"357695ae-583b-11ee-a3e8-0242ac110005\", \"type_id\": 2}, \"type\": \"Local Socket\", \"path\": \"robin imperial rugby/delicious.lua/transexual.kml\", \"product\": {\"name\": \"receptors surgeons dui\", \"path\": \"joins roy in\", \"lang\": \"en\", \"url_string\": \"bias\", \"vendor_name\": \"wonderful earning zealand\"}, \"type_id\": 5, \"company_name\": \"Morris Antonio\", \"parent_folder\": \"robin imperial rugby/delicious.lua\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"value\": \"D9C1ACF117657BB04A8309ECBD6F3771E4F5E0BBEB437019748FFB5028BDA1B7\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}]}, \"user\": {\"name\": \"Tft\", \"type\": \"Unknown\", \"uid\": \"3576a274-583b-11ee-a3dc-0242ac110005\", \"type_id\": 0}, \"uid\": \"3576a6e8-583b-11ee-907e-0242ac110005\", \"loaded_modules\": [\"/initial/example/lenders/manitoba/picked.mdf\"], \"cmd_line\": \"hh officials patient\", \"created_time\": 1695272181548, \"sandbox\": \"new rt auto\"}, \"sandbox\": \"proc budgets magnet\"}}}, \"sandbox\": \"uk worth harmony\", \"xattributes\": {}}, \"sandbox\": \"arbitration saturday very\", \"terminated_time\": 1695272181548, \"xattributes\": {}}}}, 
\"sandbox\": \"ranked cookbook propecia\", \"xattributes\": {}}}}}, \"user\": {\"name\": \"root\", \"type\": \"Admin\", \"uid\": \"3576b16a-583b-11ee-9386-0242ac110005\", \"type_id\": 2, \"full_name\": \"Inocencia Adelle\"}, \"idp\": {\"name\": \"through foot query\", \"uid\": \"3576b692-583b-11ee-b9a6-0242ac110005\"}}, \"create_mask\": \"lu hairy cases\", \"enrichments\": [{\"data\": {\"professionals\": \"profess\"}, \"name\": \"universal ex rpg\", \"type\": \"concentrations sciences genuine\", \"value\": \"participants managing combines\", \"provider\": \"dance avon fundamental\"}, {\"data\": {\"hill\": \"rfsvfdc\"}, \"name\": \"strip milton opened\", \"type\": \"volunteers manufacturing argentina\", \"value\": \"needs hopes taxation\", \"provider\": \"held rounds tumor\"}], \"severity_id\": 4, \"status_id\": 99}", + "message": "{\"activity_id\": 99, \"actor\": {\"process\": {\"file\": {\"name\": \"lsass.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\lsass.exe\", \"type_id\": 1}, \"pid\": 492}, \"session\": {\"uid\": \"0x3e7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"DIR\", \"name\": \"STLDIRDC1$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"category_uid\": 1, \"class_uid\": 1010, \"device\": {\"hostname\": \"STLDIRDC1.dir.solutia.com\", \"os\": {\"name\": \"Windows\", \"type_id\": 100}, \"type_id\": 0}, \"message\": \"A handle to an object was requested.\", \"metadata\": {\"original_time\": \"01/09/2019 12:46:00 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"d9e6a7b1-3177-4542-8de1-bfd582f87727\", \"version\": \"1.0.0-rc.2\"}, \"severity_id\": 1, \"status_id\": 1, \"time\": 1547012760000, \"unmapped\": {\"Access Request Information\": {\"Access Mask\": \"0x2d\", \"Accesses\": [\"DELETE\", \"READ_CONTROL\", \"WRITE_DAC\", \"WRITE_OWNER\", 
\"ReadPasswordParameters\", \"WritePasswordParameters\", \"ReadOtherParameters\", \"WriteOtherParameters\", \"CreateUser\", \"CreateGlobalGroup\", \"CreateLocalGroup\", \"GetLocalGroupMembership\", \"ListAccounts\"], \"Privileges Used for Access Check\": \"\\u01ff\\\\x0F-\", \"Properties\": [\"---\", \"domain\", \"DELETE\", \"READ_CONTROL\", \"WRITE_DAC\", \"WRITE_OWNER\", \"ReadPasswordParameters\", \"WritePasswordParameters\", \"ReadOtherParameters\", \"WriteOtherParameters\", \"CreateUser\", \"CreateGlobalGroup\", \"CreateLocalGroup\", \"GetLocalGroupMembership\", \"ListAccounts\", \"Domain Password & Lockout Policies\", \"lockOutObservationWindow\", \"lockoutDuration\", \"lockoutThreshold\", \"maxPwdAge\", \"minPwdAge\", \"minPwdLength\", \"pwdHistoryLength\", \"pwdProperties\", \"Other Domain Parameters (for use by SAM)\", \"serverState\", \"serverRole\", \"modifiedCount\", \"uASCompat\", \"forceLogoff\", \"domainReplica\", \"oEMInformation\", \"Domain Administer Server\"], \"Restricted SID Count\": \"0\", \"Transaction ID\": \"{00000000-0000-0000-0000-000000000000}\"}, \"EventCode\": \"4661\", \"EventType\": \"0\", \"Object\": {\"Object Server\": \"Security Account Manager\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"3166250565\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"SAM\"}, \"win_resource\": {\"name\": \"DC=dir,DC=solutia,DC=com\", \"type_id\": 36, \"uid\": \"0x7f79620\"}}", "event": { - "action": "rename", - "category": [ - "file" - ], - "kind": "event", - "provider": "apr applies bought", - "sequence": 36, - "severity": 4, - "type": [ - "change", - "info" - ] - }, - "@timestamp": "2023-09-21T04:56:21.548000Z", - "file": { - "accessed": "2023-09-21T04:56:21.548000Z", - "directory": "basement neighborhood nelson/pointer.mpa", - "hash": { - "sha256": "5448F2E81D8402BD06F1B7A1F25A23A09CF423B5C17631EDC1CB3A06C6135BEA", - "ssdeep": 
"DB43BDA2E28D2B02E0F94993E11FF5A6A49D0E62D62834916C0F623B00401D7C1848EDA3BD47A48ACE755F0AF75D3D92850EEDDD011B6B3ED4D93BA15953F9AD"
- },
- "name": "phi.tar",
- "path": "basement neighborhood nelson/pointer.mpa/phi.tar",
- "type": "Named Pipe"
- },
- "host": {
- "id": "3575127e-583b-11ee-b9cf-0242ac110005",
- "ip": [
- "1.128.0.0"
- ],
- "os": {
- "name": "mess deposits scary"
- },
- "risk": {
- "static_score": 17
- },
- "type": "Browser"
+ "category": [],
+ "outcome": "success",
+ "severity": 1,
+ "type": []
 },
+ "@timestamp": "2019-01-09T05:46:00Z",
 "ocsf": {
- "activity_id": 5,
- "activity_name": "Rename",
- "class_name": "File System Activity",
- "class_uid": 1001
- },
- "process": {
- "command_line": "dd apple updating",
- "entity_id": "357539de-583b-11ee-808d-0242ac110005",
- "name": "Http",
- "parent": {
- "command_line": "regardless discussed gb",
- "name": "Olympic",
- "start": "2023-09-21T04:56:21.548000Z",
- "user": {
- "email": "Georgeann@compounds.org",
- "group": {
- "id": [
- "357556c6-583b-11ee-a761-0242ac110005"
- ],
- "name": [
- "admissions throughout scope"
- ]
- },
- "id": [
- "357551a8-583b-11ee-9f3a-0242ac110005"
- ],
- "name": "Salvador"
- }
- },
- "pid": 39,
- "start": "2023-09-21T04:56:21.548000Z",
- "user": {
- "domain": "canal emerald dry",
- "email": "Dotty@bg.info",
- "full_name": "Kitty Sabine",
- "group": {
- "id": [],
- "name": []
- },
- "id": [
- "35752d18-583b-11ee-8e91-0242ac110005"
- ],
- "name": "Proxy"
- }
- },
- "related": {
- "hash": [
- "5448F2E81D8402BD06F1B7A1F25A23A09CF423B5C17631EDC1CB3A06C6135BEA",
- "DB43BDA2E28D2B02E0F94993E11FF5A6A49D0E62D62834916C0F623B00401D7C1848EDA3BD47A48ACE755F0AF75D3D92850EEDDD011B6B3ED4D93BA15953F9AD"
- ],
- "ip": [
- "1.128.0.0"
- ],
- "user": [
- "root"
- ]
- },
- "user": {
- "full_name": "Inocencia Adelle",
- "group": {
- "id": [],
- "name": []
- },
- "id": "3576b16a-583b-11ee-9386-0242ac110005",
- "name": "root"
+ "activity_id": 99,
+ "class_uid": 1010
 }
 }
 }
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_system_activity_2.json b/OCSF/ocsf/tests/test_system_activity_2.json
index 058cec8b2..fbcad8694 100644
--- a/OCSF/ocsf/tests/test_system_activity_2.json
+++ b/OCSF/ocsf/tests/test_system_activity_2.json
@@ -1,119 +1,19 @@ { "input": { - "message": "{\"driver\": {\"file\": {\"name\": \"rail.m\", \"type\": \"earning\", \"path\": \"worst jay funds/plc.deskthemepack/rail.m\", \"uid\": \"19e82104-61aa-11ee-8d53-0242ac110005\", \"type_id\": 99, \"mime_type\": \"punishment/gaps\", \"parent_folder\": \"worst jay funds/plc.deskthemepack\", \"accessed_time\": 1695272181548, \"hashes\": [{\"value\": \"AD3638015A285E049F3EC3B5E96251E3D84A6B834297290B20EF11FE7A6244828ED6FC9E0489232D7B3358C785AA96C87A77266713AD2FB1978142C9CFFD4BF8\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"A47AC519441CF481779776ED56ADE421DEE3E26D0134CAE10E1A518591CCA7AB105D38FE20C7E07843149FF290C536A9E4B0507095FD8A744AF530741D2427B7\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}]}}, \"message\": \"allan juice leader\", \"status\": \"Unknown\", \"time\": 1695272181548, \"device\": {\"name\": \"madagascar made stability\", \"type\": \"IOT\", \"ip\": \"81.2.69.142\", \"hostname\": \"founded.pro\", \"uid\": \"19e7faee-61aa-11ee-a8f6-0242ac110005\", \"image\": {\"name\": \"casinos my pacific\", \"uid\": \"19e81448-61aa-11ee-bc86-0242ac110005\"}, \"type_id\": 7, \"first_seen_time\": 1695272181548, \"hypervisor\": \"consoles voting wellington\", \"instance_uid\": \"19e7f62a-61aa-11ee-ace6-0242ac110005\", \"interface_name\": \"see namespace chef\", \"interface_uid\": \"19e80ce6-61aa-11ee-bfc1-0242ac110005\", \"is_compliant\": true, \"region\": \"pledge cod growth\", \"modified_time_dt\": \"2023-10-03T05:02:50.203874Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"extension\": {\"name\": \"pirates went connecting\", \"version\": \"1.0.0\", \"uid\": \"19e7a6de-61aa-11ee-b198-0242ac110005\"}, \"product\": {\"name\": \"completed longer likes\", \"version\": \"1.0.0\", \"path\": \"jc rim ranch\", \"uid\": \"19e7b8b8-61aa-11ee-b357-0242ac110005\", \"lang\": \"en\", \"url_string\": \"placing\", \"vendor_name\": \"lcd belong academics\"}, \"uid\": \"19e7be44-61aa-11ee-919d-0242ac110005\", 
\"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"louisville displaying universities\", \"log_provider\": \"officially vehicles incorporated\", \"original_time\": \"bodies jenny chris\"}, \"severity\": \"Low\", \"duration\": 56, \"api\": {\"request\": {\"flags\": [\"development suddenly affiliate\", \"blind putting connectors\"], \"uid\": \"19e78050-61aa-11ee-81a3-0242ac110005\"}, \"response\": {\"error\": \"storm edwards gateway\", \"code\": 48, \"message\": \"ac apnic applicants\", \"error_message\": \"retro wood cheese\"}, \"operation\": \"glucose spyware trustees\"}, \"disposition\": \"Corrected\", \"type_name\": \"Kernel Extension Activity: Unload\", \"activity_id\": 2, \"disposition_id\": 11, \"type_uid\": 100202, \"category_name\": \"System Activity\", \"class_uid\": 1002, \"category_uid\": 1, \"class_name\": \"Kernel Extension Activity\", \"timezone_offset\": 26, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Command and Control The adversary is trying to communicate with compromised systems to control them.\", \"uid\": \"TA0011\"}], \"technique\": {\"name\": \"Two-Factor Authentication Interception\", \"uid\": \"T1111\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Credential Access The adversary is trying to steal account names and passwords.\", \"uid\": \"TA0006\"}, {\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}], \"technique\": {\"name\": \"Multiband Communication\", \"uid\": \"T1026\"}}], \"activity_name\": \"Unload\", \"actor\": {\"process\": {\"name\": \"Complete\", \"pid\": 50, \"file\": {\"name\": \"syntax.dds\", \"type\": \"Symbolic Link\", \"path\": \"cartoon watershed viewers/magazine.xls/syntax.dds\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3}, \"type_id\": 7, \"parent_folder\": \"cartoon watershed viewers/magazine.xls\", \"confidentiality\": \"donated chapter runtime\", \"hashes\": 
[{\"value\": \"2EB64D601392F16BF21F01D7A9A66B62BC3DDC892394D8B44031A3B488A4F611F56951974C7601044DA53283AE3A774822583A678667AC1A5469561ADFC2CB22\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Pursue\", \"type\": \"User\", \"domain\": \"settle most mf\", \"uid\": \"19e84346-61aa-11ee-82b4-0242ac110005\", \"org\": {\"name\": \"contributions agents displayed\", \"uid\": \"19e854e4-61aa-11ee-b27b-0242ac110005\", \"ou_name\": \"with cpu scout\"}, \"type_id\": 1, \"full_name\": \"Fae Brendan\"}, \"uid\": \"19e85aa2-61aa-11ee-9863-0242ac110005\", \"cmd_line\": \"quest flashers qualifying\", \"integrity\": \"Untrusted\", \"integrity_id\": 1, \"namespace_pid\": 20, \"parent_process\": {\"name\": \"Fuzzy\", \"pid\": 7, \"uid\": \"19e86420-61aa-11ee-92e5-0242ac110005\", \"cmd_line\": \"mere tft rules\", \"container\": {\"name\": \"contains thriller incl\", \"runtime\": \"briefing portrait pj\", \"size\": 4086519029, \"uid\": \"19e86ef2-61aa-11ee-961e-0242ac110005\", \"image\": {\"name\": \"place questionnaire evil\", \"uid\": \"19e878de-61aa-11ee-8abe-0242ac110005\"}, \"hash\": {\"value\": \"99402752D9F0ADEE2B8CB7268DC3FCBF7900B5491AEECBCF11718BBA6969507DF048B5A627AE37D63F6235C52A9FFB0A874DB6E542EFB0E17DD61FFF02543A1B\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, \"network_driver\": \"balloon cj virtual\"}, \"created_time\": 1695272181548, \"integrity\": \"System\", \"integrity_id\": 5, \"namespace_pid\": 34, \"parent_process\": {\"name\": \"Pt\", \"pid\": 53, \"file\": {\"attributes\": 11, \"name\": \"unlimited.wmv\", \"type\": \"huntington\", \"version\": \"1.0.0\", \"product\": {\"name\": \"astrology musical magic\", \"version\": \"1.0.0\", \"uid\": \"19e88b3a-61aa-11ee-a044-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"logos texture jews\"}, \"type_id\": 99, \"confidentiality\": \"outlook\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": 
\"79B9213DDB8E561C9F5F0374719DBA7E55A481E720B75C53A12AF714880E51A4\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"C32B941D4ED063DE2F7FB1669124175ED90CDE46\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"is_system\": true, \"created_time_dt\": \"2023-10-03T05:02:50.206981Z\"}, \"uid\": \"19e89346-61aa-11ee-bb7f-0242ac110005\", \"loaded_modules\": [\"/faith/cbs/hispanic/lancaster/ncaa.swf\", \"/pulled/consecutive/treatment/myself/pittsburgh.wav\"], \"cmd_line\": \"valued leasing equilibrium\", \"container\": {\"size\": 2331695977, \"uid\": \"19e89a1c-61aa-11ee-930f-0242ac110005\", \"hash\": {\"value\": \"AACD3103F3F1FCAB0248F041A315AB6816C8A0E9\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}}, \"integrity\": \"System\", \"integrity_id\": 5, \"lineage\": [\"layer rachel performed\"], \"namespace_pid\": 75, \"parent_process\": {\"name\": \"Clinton\", \"pid\": 77, \"file\": {\"name\": \"jefferson.cbr\", \"size\": 3328615981, \"type\": \"Unknown\", \"path\": \"vacations floppy slides/crack.cs/jefferson.cbr\", \"modifier\": {\"name\": \"Resistant\", \"type\": \"System\", \"uid\": \"19e8ac78-61aa-11ee-a8f4-0242ac110005\", \"type_id\": 3}, \"desc\": \"referrals nottingham communication\", \"type_id\": 0, \"company_name\": \"Marie Enoch\", \"creator\": {\"name\": \"Journals\", \"type\": \"User\", \"uid\": \"19e8c136-61aa-11ee-8148-0242ac110005\", \"type_id\": 1}, \"parent_folder\": \"vacations floppy slides/crack.cs\", \"modified_time_dt\": \"2023-10-03T05:02:50.208298Z\"}, \"user\": {\"name\": \"Nudist\", \"type\": \"directories\", \"uid\": \"19e8cb2c-61aa-11ee-8668-0242ac110005\", \"type_id\": 99, \"full_name\": \"Glayds Glenda\", \"email_addr\": \"Johnette@flexibility.biz\", \"uid_alt\": \"facts local za\"}, \"uid\": \"19e8e4fe-61aa-11ee-869a-0242ac110005\", \"cmd_line\": \"vendor laptops germany\", \"container\": {\"name\": \"patients couple tmp\", \"runtime\": \"jul tommy um\", \"size\": 1196597453, \"uid\": 
\"19e93ddc-61aa-11ee-8ac2-0242ac110005\", \"image\": {\"name\": \"puzzles conditions sequences\", \"uid\": \"19e94566-61aa-11ee-9d6d-0242ac110005\", \"labels\": [\"aka\"]}, \"hash\": {\"value\": \"BBC85ACA84E370B3CD546CED854C6725D3242C1E1E174F6B4A803754254A38359A7A4CA50F4AD39E07AE04452C28859CAE5DB5FAF8D68075026A04F2C026726C\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"orchestrator\": \"helping cork mortality\"}, \"created_time\": 1695272181548, \"integrity\": \"five priest needle\", \"namespace_pid\": 94, \"parent_process\": {\"name\": \"Sms\", \"pid\": 52, \"file\": {\"name\": \"fixes.c\", \"type\": \"Folder\", \"path\": \"retro earthquake teachers/corruption.kml/fixes.c\", \"type_id\": 2, \"mime_type\": \"transcription/warned\", \"parent_folder\": \"retro earthquake teachers/corruption.kml\", \"hashes\": [{\"value\": \"9FD540B749A6D9C916406C5F4EB228F85F9FC35B5769F67886F778ACFE23F9DA44D2AA1E26E09B2EC8942215CD4C9DE71D9A27F539FC4E753E44181F1DA6899D\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"uid\": \"19e95920-61aa-11ee-a247-0242ac110005\", \"session\": {\"uid\": \"19e95e70-61aa-11ee-bf06-0242ac110005\", \"created_time\": 1695272181548, \"is_remote\": false}, \"cmd_line\": \"front accommodate advocate\", \"container\": {\"name\": \"finest world pontiac\", \"size\": 55618839, \"uid\": \"19e964b0-61aa-11ee-86d6-0242ac110005\", \"image\": {\"name\": \"obituaries seeing judgment\", \"path\": \"fit slightly ja\", \"uid\": \"19e96b36-61aa-11ee-97e4-0242ac110005\"}, \"hash\": {\"value\": \"DE46E578D10170889D94C44F29A8357C36E325D960A26A598ED7022BD1E1EDAD4B7C9E676EF5EED4AE64B21998EE85F24AFBB1A8DE06CD5B385EFE4AB1185F90\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, \"orchestrator\": \"vp bridal testimonials\"}, \"created_time\": 1695272181548, \"namespace_pid\": 19, \"terminated_time\": 1695272181548}, \"terminated_time_dt\": \"2023-10-03T05:02:50.212696Z\"}}, \"terminated_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:02:50.212708Z\"}, 
\"sandbox\": \"homes bachelor reach\", \"xattributes\": {}, \"terminated_time_dt\": \"2023-10-03T05:02:50.212738Z\"}, \"user\": {\"name\": \"Fellowship\", \"type\": \"Admin\", \"uid\": \"19e97d92-61aa-11ee-b56a-0242ac110005\", \"org\": {\"name\": \"ali authors bacterial\", \"uid\": \"19e9c5d6-61aa-11ee-96f2-0242ac110005\", \"ou_name\": \"ebay october staff\"}, \"type_id\": 2}}, \"cloud\": {\"org\": {\"name\": \"virus legislative schemes\", \"uid\": \"19e79248-61aa-11ee-83d4-0242ac110005\", \"ou_name\": \"aus radical chess\", \"ou_uid\": \"19e79b26-61aa-11ee-bc41-0242ac110005\"}, \"provider\": \"locations pharmaceutical aa\", \"region\": \"card heroes blogging\"}, \"severity_id\": 2, \"status_detail\": \"tablets vernon opinion\", \"status_id\": 0}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } + "message": "{\"activity_id\": 1, \"actor\": {\"process\": {\"file\": {\"name\": \"explorer.exe\", \"parent_folder\": \"C:\\\\Windows\", \"path\": \"C:\\\\Windows\\\\explorer.exe\", \"type_id\": 1}, \"pid\": 1704}, \"session\": {\"uid\": \"0xDE9AD8\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"SESTEST\", \"name\": \"splunker\", \"uid\": \"SESTEST\\\\splunker\"}}, \"category_uid\": 1, \"class_uid\": 1010, \"device\": {\"hostname\": \"SesWin2019DC1.SesTest.local\", \"os\": {\"name\": \"Windows\", \"type_id\": 100}, \"type_id\": 0}, \"message\": \"A privileged service was called.\", \"metadata\": {\"original_time\": \"01/28/2022 04:12:19 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"995559a6-1921-463f-93e1-9c5ca932dc8c\", \"version\": \"1.0.0-rc.2\"}, \"severity_id\": 1, \"status_id\": 2, \"time\": 1643404339000, \"unmapped\": {\"EventCode\": \"4673\", \"EventType\": \"0\", \"OpCode\": \"Info\", \"RecordNumber\": \"374060\", \"Service Request 
Information\": {\"Privileges\": \"SeTcbPrivilege\"}, \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Sensitive Privilege Use\"}, \"win_resource\": {\"name\": \"-\", \"type\": \"Security\", \"type_id\": 0}}" }, "expected": { - "message": "{\"driver\": {\"file\": {\"name\": \"rail.m\", \"type\": \"earning\", \"path\": \"worst jay funds/plc.deskthemepack/rail.m\", \"uid\": \"19e82104-61aa-11ee-8d53-0242ac110005\", \"type_id\": 99, \"mime_type\": \"punishment/gaps\", \"parent_folder\": \"worst jay funds/plc.deskthemepack\", \"accessed_time\": 1695272181548, \"hashes\": [{\"value\": \"AD3638015A285E049F3EC3B5E96251E3D84A6B834297290B20EF11FE7A6244828ED6FC9E0489232D7B3358C785AA96C87A77266713AD2FB1978142C9CFFD4BF8\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"A47AC519441CF481779776ED56ADE421DEE3E26D0134CAE10E1A518591CCA7AB105D38FE20C7E07843149FF290C536A9E4B0507095FD8A744AF530741D2427B7\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}]}}, \"message\": \"allan juice leader\", \"status\": \"Unknown\", \"time\": 1695272181548, \"device\": {\"name\": \"madagascar made stability\", \"type\": \"IOT\", \"ip\": \"81.2.69.142\", \"hostname\": \"founded.pro\", \"uid\": \"19e7faee-61aa-11ee-a8f6-0242ac110005\", \"image\": {\"name\": \"casinos my pacific\", \"uid\": \"19e81448-61aa-11ee-bc86-0242ac110005\"}, \"type_id\": 7, \"first_seen_time\": 1695272181548, \"hypervisor\": \"consoles voting wellington\", \"instance_uid\": \"19e7f62a-61aa-11ee-ace6-0242ac110005\", \"interface_name\": \"see namespace chef\", \"interface_uid\": \"19e80ce6-61aa-11ee-bfc1-0242ac110005\", \"is_compliant\": true, \"region\": \"pledge cod growth\", \"modified_time_dt\": \"2023-10-03T05:02:50.203874Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"extension\": {\"name\": \"pirates went connecting\", \"version\": \"1.0.0\", \"uid\": \"19e7a6de-61aa-11ee-b198-0242ac110005\"}, \"product\": {\"name\": \"completed longer likes\", \"version\": \"1.0.0\", 
\"path\": \"jc rim ranch\", \"uid\": \"19e7b8b8-61aa-11ee-b357-0242ac110005\", \"lang\": \"en\", \"url_string\": \"placing\", \"vendor_name\": \"lcd belong academics\"}, \"uid\": \"19e7be44-61aa-11ee-919d-0242ac110005\", \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"louisville displaying universities\", \"log_provider\": \"officially vehicles incorporated\", \"original_time\": \"bodies jenny chris\"}, \"severity\": \"Low\", \"duration\": 56, \"api\": {\"request\": {\"flags\": [\"development suddenly affiliate\", \"blind putting connectors\"], \"uid\": \"19e78050-61aa-11ee-81a3-0242ac110005\"}, \"response\": {\"error\": \"storm edwards gateway\", \"code\": 48, \"message\": \"ac apnic applicants\", \"error_message\": \"retro wood cheese\"}, \"operation\": \"glucose spyware trustees\"}, \"disposition\": \"Corrected\", \"type_name\": \"Kernel Extension Activity: Unload\", \"activity_id\": 2, \"disposition_id\": 11, \"type_uid\": 100202, \"category_name\": \"System Activity\", \"class_uid\": 1002, \"category_uid\": 1, \"class_name\": \"Kernel Extension Activity\", \"timezone_offset\": 26, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Command and Control The adversary is trying to communicate with compromised systems to control them.\", \"uid\": \"TA0011\"}], \"technique\": {\"name\": \"Two-Factor Authentication Interception\", \"uid\": \"T1111\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Credential Access The adversary is trying to steal account names and passwords.\", \"uid\": \"TA0006\"}, {\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}], \"technique\": {\"name\": \"Multiband Communication\", \"uid\": \"T1026\"}}], \"activity_name\": \"Unload\", \"actor\": {\"process\": {\"name\": \"Complete\", \"pid\": 50, \"file\": {\"name\": \"syntax.dds\", \"type\": \"Symbolic Link\", \"path\": \"cartoon watershed 
viewers/magazine.xls/syntax.dds\", \"signature\": {\"algorithm\": \"ECDSA\", \"algorithm_id\": 3}, \"type_id\": 7, \"parent_folder\": \"cartoon watershed viewers/magazine.xls\", \"confidentiality\": \"donated chapter runtime\", \"hashes\": [{\"value\": \"2EB64D601392F16BF21F01D7A9A66B62BC3DDC892394D8B44031A3B488A4F611F56951974C7601044DA53283AE3A774822583A678667AC1A5469561ADFC2CB22\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Pursue\", \"type\": \"User\", \"domain\": \"settle most mf\", \"uid\": \"19e84346-61aa-11ee-82b4-0242ac110005\", \"org\": {\"name\": \"contributions agents displayed\", \"uid\": \"19e854e4-61aa-11ee-b27b-0242ac110005\", \"ou_name\": \"with cpu scout\"}, \"type_id\": 1, \"full_name\": \"Fae Brendan\"}, \"uid\": \"19e85aa2-61aa-11ee-9863-0242ac110005\", \"cmd_line\": \"quest flashers qualifying\", \"integrity\": \"Untrusted\", \"integrity_id\": 1, \"namespace_pid\": 20, \"parent_process\": {\"name\": \"Fuzzy\", \"pid\": 7, \"uid\": \"19e86420-61aa-11ee-92e5-0242ac110005\", \"cmd_line\": \"mere tft rules\", \"container\": {\"name\": \"contains thriller incl\", \"runtime\": \"briefing portrait pj\", \"size\": 4086519029, \"uid\": \"19e86ef2-61aa-11ee-961e-0242ac110005\", \"image\": {\"name\": \"place questionnaire evil\", \"uid\": \"19e878de-61aa-11ee-8abe-0242ac110005\"}, \"hash\": {\"value\": \"99402752D9F0ADEE2B8CB7268DC3FCBF7900B5491AEECBCF11718BBA6969507DF048B5A627AE37D63F6235C52A9FFB0A874DB6E542EFB0E17DD61FFF02543A1B\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, \"network_driver\": \"balloon cj virtual\"}, \"created_time\": 1695272181548, \"integrity\": \"System\", \"integrity_id\": 5, \"namespace_pid\": 34, \"parent_process\": {\"name\": \"Pt\", \"pid\": 53, \"file\": {\"attributes\": 11, \"name\": \"unlimited.wmv\", \"type\": \"huntington\", \"version\": \"1.0.0\", \"product\": {\"name\": \"astrology musical magic\", \"version\": \"1.0.0\", \"uid\": 
\"19e88b3a-61aa-11ee-a044-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"logos texture jews\"}, \"type_id\": 99, \"confidentiality\": \"outlook\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"79B9213DDB8E561C9F5F0374719DBA7E55A481E720B75C53A12AF714880E51A4\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"C32B941D4ED063DE2F7FB1669124175ED90CDE46\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"is_system\": true, \"created_time_dt\": \"2023-10-03T05:02:50.206981Z\"}, \"uid\": \"19e89346-61aa-11ee-bb7f-0242ac110005\", \"loaded_modules\": [\"/faith/cbs/hispanic/lancaster/ncaa.swf\", \"/pulled/consecutive/treatment/myself/pittsburgh.wav\"], \"cmd_line\": \"valued leasing equilibrium\", \"container\": {\"size\": 2331695977, \"uid\": \"19e89a1c-61aa-11ee-930f-0242ac110005\", \"hash\": {\"value\": \"AACD3103F3F1FCAB0248F041A315AB6816C8A0E9\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}}, \"integrity\": \"System\", \"integrity_id\": 5, \"lineage\": [\"layer rachel performed\"], \"namespace_pid\": 75, \"parent_process\": {\"name\": \"Clinton\", \"pid\": 77, \"file\": {\"name\": \"jefferson.cbr\", \"size\": 3328615981, \"type\": \"Unknown\", \"path\": \"vacations floppy slides/crack.cs/jefferson.cbr\", \"modifier\": {\"name\": \"Resistant\", \"type\": \"System\", \"uid\": \"19e8ac78-61aa-11ee-a8f4-0242ac110005\", \"type_id\": 3}, \"desc\": \"referrals nottingham communication\", \"type_id\": 0, \"company_name\": \"Marie Enoch\", \"creator\": {\"name\": \"Journals\", \"type\": \"User\", \"uid\": \"19e8c136-61aa-11ee-8148-0242ac110005\", \"type_id\": 1}, \"parent_folder\": \"vacations floppy slides/crack.cs\", \"modified_time_dt\": \"2023-10-03T05:02:50.208298Z\"}, \"user\": {\"name\": \"Nudist\", \"type\": \"directories\", \"uid\": \"19e8cb2c-61aa-11ee-8668-0242ac110005\", \"type_id\": 99, \"full_name\": \"Glayds Glenda\", \"email_addr\": \"Johnette@flexibility.biz\", \"uid_alt\": \"facts local za\"}, \"uid\": 
\"19e8e4fe-61aa-11ee-869a-0242ac110005\", \"cmd_line\": \"vendor laptops germany\", \"container\": {\"name\": \"patients couple tmp\", \"runtime\": \"jul tommy um\", \"size\": 1196597453, \"uid\": \"19e93ddc-61aa-11ee-8ac2-0242ac110005\", \"image\": {\"name\": \"puzzles conditions sequences\", \"uid\": \"19e94566-61aa-11ee-9d6d-0242ac110005\", \"labels\": [\"aka\"]}, \"hash\": {\"value\": \"BBC85ACA84E370B3CD546CED854C6725D3242C1E1E174F6B4A803754254A38359A7A4CA50F4AD39E07AE04452C28859CAE5DB5FAF8D68075026A04F2C026726C\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"orchestrator\": \"helping cork mortality\"}, \"created_time\": 1695272181548, \"integrity\": \"five priest needle\", \"namespace_pid\": 94, \"parent_process\": {\"name\": \"Sms\", \"pid\": 52, \"file\": {\"name\": \"fixes.c\", \"type\": \"Folder\", \"path\": \"retro earthquake teachers/corruption.kml/fixes.c\", \"type_id\": 2, \"mime_type\": \"transcription/warned\", \"parent_folder\": \"retro earthquake teachers/corruption.kml\", \"hashes\": [{\"value\": \"9FD540B749A6D9C916406C5F4EB228F85F9FC35B5769F67886F778ACFE23F9DA44D2AA1E26E09B2EC8942215CD4C9DE71D9A27F539FC4E753E44181F1DA6899D\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"uid\": \"19e95920-61aa-11ee-a247-0242ac110005\", \"session\": {\"uid\": \"19e95e70-61aa-11ee-bf06-0242ac110005\", \"created_time\": 1695272181548, \"is_remote\": false}, \"cmd_line\": \"front accommodate advocate\", \"container\": {\"name\": \"finest world pontiac\", \"size\": 55618839, \"uid\": \"19e964b0-61aa-11ee-86d6-0242ac110005\", \"image\": {\"name\": \"obituaries seeing judgment\", \"path\": \"fit slightly ja\", \"uid\": \"19e96b36-61aa-11ee-97e4-0242ac110005\"}, \"hash\": {\"value\": \"DE46E578D10170889D94C44F29A8357C36E325D960A26A598ED7022BD1E1EDAD4B7C9E676EF5EED4AE64B21998EE85F24AFBB1A8DE06CD5B385EFE4AB1185F90\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, \"orchestrator\": \"vp bridal testimonials\"}, \"created_time\": 1695272181548, 
\"namespace_pid\": 19, \"terminated_time\": 1695272181548}, \"terminated_time_dt\": \"2023-10-03T05:02:50.212696Z\"}}, \"terminated_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:02:50.212708Z\"}, \"sandbox\": \"homes bachelor reach\", \"xattributes\": {}, \"terminated_time_dt\": \"2023-10-03T05:02:50.212738Z\"}, \"user\": {\"name\": \"Fellowship\", \"type\": \"Admin\", \"uid\": \"19e97d92-61aa-11ee-b56a-0242ac110005\", \"org\": {\"name\": \"ali authors bacterial\", \"uid\": \"19e9c5d6-61aa-11ee-96f2-0242ac110005\", \"ou_name\": \"ebay october staff\"}, \"type_id\": 2}}, \"cloud\": {\"org\": {\"name\": \"virus legislative schemes\", \"uid\": \"19e79248-61aa-11ee-83d4-0242ac110005\", \"ou_name\": \"aus radical chess\", \"ou_uid\": \"19e79b26-61aa-11ee-bc41-0242ac110005\"}, \"provider\": \"locations pharmaceutical aa\", \"region\": \"card heroes blogging\"}, \"severity_id\": 2, \"status_detail\": \"tablets vernon opinion\", \"status_id\": 0}", + "message": "{\"activity_id\": 1, \"actor\": {\"process\": {\"file\": {\"name\": \"explorer.exe\", \"parent_folder\": \"C:\\\\Windows\", \"path\": \"C:\\\\Windows\\\\explorer.exe\", \"type_id\": 1}, \"pid\": 1704}, \"session\": {\"uid\": \"0xDE9AD8\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"SESTEST\", \"name\": \"splunker\", \"uid\": \"SESTEST\\\\splunker\"}}, \"category_uid\": 1, \"class_uid\": 1010, \"device\": {\"hostname\": \"SesWin2019DC1.SesTest.local\", \"os\": {\"name\": \"Windows\", \"type_id\": 100}, \"type_id\": 0}, \"message\": \"A privileged service was called.\", \"metadata\": {\"original_time\": \"01/28/2022 04:12:19 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"995559a6-1921-463f-93e1-9c5ca932dc8c\", \"version\": \"1.0.0-rc.2\"}, \"severity_id\": 1, \"status_id\": 2, \"time\": 1643404339000, \"unmapped\": {\"EventCode\": \"4673\", 
\"EventType\": \"0\", \"OpCode\": \"Info\", \"RecordNumber\": \"374060\", \"Service Request Information\": {\"Privileges\": \"SeTcbPrivilege\"}, \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Sensitive Privilege Use\"}, \"win_resource\": {\"name\": \"-\", \"type\": \"Security\", \"type_id\": 0}}", "event": { - "action": "unload", - "category": [ - "driver" - ], - "duration": 56000000, - "kind": "event", - "outcome": "unknown", - "provider": "officially vehicles incorporated", - "severity": 2, - "type": [ - "info" - ] - }, - "@timestamp": "2023-09-21T04:56:21.548000Z", - "cloud": { - "provider": "locations pharmaceutical aa", - "region": "card heroes blogging" - }, - "file": { - "accessed": "2023-09-21T04:56:21.548000Z", - "directory": "worst jay funds/plc.deskthemepack", - "inode": "19e82104-61aa-11ee-8d53-0242ac110005", - "mime_type": "punishment/gaps", - "mtime": "2023-09-21T04:56:21.548000Z", - "name": "rail.m", - "path": "worst jay funds/plc.deskthemepack/rail.m", - "type": "earning" - }, - "host": { - "hostname": "founded.pro", - "id": "19e7faee-61aa-11ee-a8f6-0242ac110005", - "ip": [ - "81.2.69.142" - ], - "name": "founded.pro", - "type": "IOT" + "category": [], + "outcome": "failure", + "severity": 1, + "type": [] }, + "@timestamp": "2022-01-28T21:12:19Z", "ocsf": { - "activity_id": 2, - "activity_name": "Unload", - "class_name": "Kernel Extension Activity", - "class_uid": 1002 - }, - "organization": { - "id": "19e79248-61aa-11ee-83d4-0242ac110005", - "name": "virus legislative schemes" - }, - "process": { - "command_line": "quest flashers qualifying", - "entity_id": "19e85aa2-61aa-11ee-9863-0242ac110005", - "name": "Complete", - "parent": { - "command_line": "mere tft rules", - "end": "2023-09-21T04:56:21.548000Z", - "entity_id": "19e86420-61aa-11ee-92e5-0242ac110005", - "name": "Fuzzy", - "pid": 7, - "start": "2023-09-21T04:56:21.548000Z" - }, - "pid": 50, - "user": { - "domain": "settle most mf", - "full_name": "Fae 
Brendan", - "group": { - "id": [], - "name": [] - }, - "id": [ - "19e84346-61aa-11ee-82b4-0242ac110005" - ], - "name": "Pursue" - } - }, - "related": { - "hosts": [ - "founded.pro" - ], - "ip": [ - "81.2.69.142" - ], - "user": [ - "Fellowship" - ] - }, - "threat": { - "technique": { - "id": [ - "T1026", - "T1111" - ], - "name": [ - "Multiband Communication", - "Two-Factor Authentication Interception" - ] - } - }, - "user": { - "group": { - "id": [], - "name": [] - }, - "id": "19e97d92-61aa-11ee-b56a-0242ac110005", - "name": "Fellowship" + "activity_id": 1, + "class_uid": 1010 } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_system_activity_3.json b/OCSF/ocsf/tests/test_system_activity_3.json deleted file mode 100644 index 69bb731a8..000000000 --- a/OCSF/ocsf/tests/test_system_activity_3.json +++ /dev/null 
@@ -1,140 +0,0 @@ -{ - "input": { - "message": "{\"message\": \"compile oasis hazards\", \"status\": \"Success\", \"time\": 1695272181548, \"device\": {\"name\": \"owned flyer thinkpad\", \"type\": \"Browser\", \"ip\": \"81.2.69.142\", \"desc\": \"recommendations norman ventures\", \"hostname\": \"indexes.jobs\", \"uid\": \"619223f4-61ac-11ee-9c42-0242ac110005\", \"type_id\": 8, \"autoscale_uid\": \"6191f41a-61ac-11ee-b68a-0242ac110005\", \"first_seen_time\": 1695272181548, \"hw_info\": {\"bios_manufacturer\": \"newman marble developed\", \"serial_number\": \"dave cst enlarge\"}, \"instance_uid\": \"61921fda-61ac-11ee-ad02-0242ac110005\", \"interface_name\": \"local rules scholarship\", \"interface_uid\": \"61922b1a-61ac-11ee-afbc-0242ac110005\", \"network_interfaces\": [{\"name\": \"hewlett dozens asthma\", \"type\": \"Mobile\", \"ip\": \"81.2.69.142\", \"hostname\": \"motherboard.info\", \"mac\": \"CE:92:5B:C1:90:45:60:31\", \"type_id\": 3, \"subnet_prefix\": 8}], \"region\": \"without featured amazon\", \"risk_level\": \"familiar motorcycles wild\", \"vpc_uid\": \"619230c4-61ac-11ee-8fa9-0242ac110005\", \"first_seen_time_dt\": \"2023-10-03T05:19:09.429787Z\"}, \"kernel\": {\"name\": \"summaries cornell blowing\", \"type\": \"System Call\", \"type_id\": 2}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"version\": \"1.0.0\", \"uid\": \"6191ccc4-61ac-11ee-aacf-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"editors coordinate cvs\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"inkjet klein mechanical\", \"log_provider\": \"any alexander rolling\", \"log_version\": \"receptor literally shut\", \"modified_time\": 1695272181548, \"original_time\": \"jewish ethiopia invitation\", \"modified_time_dt\": \"2023-10-03T05:19:09.427926Z\"}, \"severity\": \"Medium\", \"duration\": 24, \"disposition\": \"recipes\", \"type_name\": \"Kernel Activity: Create\", \"activity_id\": 1, \"disposition_id\": 99, 
\"type_uid\": 100301, \"observables\": [{\"name\": \"car trust sister\", \"type\": \"Fingerprint\", \"type_id\": 30}, {\"name\": \"evidence because locate\", \"type\": \"IP Address\", \"type_id\": 2}], \"category_name\": \"System Activity\", \"class_uid\": 1003, \"category_uid\": 1, \"class_name\": \"Kernel Activity\", \"timezone_offset\": 54, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}, {\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}, {\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}], \"technique\": {\"name\": \"Data Manipulation\", \"uid\": \"T1565\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Initial Access | The adversary is trying to get into your network.\", \"uid\": \"TA0001\"}, {\"name\": \"Credential Access The adversary is trying to steal account names and passwords.\", \"uid\": \"TA0006\"}, {\"name\": \"Persistence The adversary is trying to maintain their foothold.\", \"uid\": \"TA0003\"}], \"technique\": {\"name\": \"LSA Secrets\", \"uid\": \"T1003.004\"}}], \"activity_name\": \"Create\", \"actor\": {\"process\": {\"name\": \"Covering\", \"pid\": 91, \"file\": {\"name\": \"word.drv\", \"size\": 2389716033, \"type\": \"Unknown\", \"version\": \"1.0.0\", \"path\": \"cigarette until wc/ls.c/word.drv\", \"type_id\": 0, \"parent_folder\": \"cigarette until wc/ls.c\", \"confidentiality\": \"tulsa\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"C3BD5B24A4E0467F267EEA0A0378CB224839993F4AEB1BF9A9F519E8484E9A16344FE367E55D08DED2F892D80577FD485A3BC5CA66EB0AE7C1CFA0B33586E766\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"FEBD25D9812320828D7312326E19250E4439A6A99BCB4C740A8308671F571A6707A6D2A5A6066EB0DAA87071D23BE71ED56EAFF115D8AEAACEA125D283F45963\", 
\"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"security_descriptor\": \"hospitality conclusions wires\", \"xattributes\": {}}, \"user\": {\"name\": \"Beth\", \"type\": \"User\", \"uid\": \"6192672e-61ac-11ee-a3c0-0242ac110005\", \"type_id\": 1, \"full_name\": \"Winifred Idell\", \"credential_uid\": \"61926cce-61ac-11ee-8202-0242ac110005\"}, \"tid\": 36, \"uid\": \"6192707a-61ac-11ee-ac88-0242ac110005\", \"cmd_line\": \"fy believed resolutions\", \"container\": {\"name\": \"transaction titans lucky\", \"runtime\": \"justify red wit\", \"size\": 4198558845, \"tag\": \"gambling romance place\", \"uid\": \"61927746-61ac-11ee-b13c-0242ac110005\", \"image\": {\"name\": \"ac tcp helen\", \"uid\": \"61927e30-61ac-11ee-ab18-0242ac110005\", \"labels\": [\"maybe\"]}, \"hash\": {\"value\": \"F19FE42A1B9BB9BBFC77F8F0A52EC5C411DC9200836F0C5D41A56543D8951D5AD8A1FA6F248A975A90B28E8B5268C50F220F5CAE2B47F74A204FB47E835AAE80\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}}, \"created_time\": 1695272181548, \"namespace_pid\": 6, \"parent_process\": {\"name\": \"Elect\", \"file\": {\"name\": \"hazard.aif\", \"owner\": {\"name\": \"Principle\", \"type\": \"User\", \"uid\": \"6192910e-61ac-11ee-9b83-0242ac110005\", \"type_id\": 1, \"email_addr\": \"Ryann@libraries.store\"}, \"type\": \"Symbolic Link\", \"path\": \"seeds divx firefox/kirk.cbr/hazard.aif\", \"type_id\": 7, \"company_name\": \"Latisha Billye\", \"creator\": {\"name\": \"Remain\", \"type\": \"Unknown\", \"uid\": \"61929852-61ac-11ee-b767-0242ac110005\", \"type_id\": 0, \"uid_alt\": \"limitations compound viewer\"}, \"parent_folder\": \"seeds divx firefox/kirk.cbr\", \"hashes\": [{\"value\": \"C6141BDD46728A85659C19E84135237C41908EF3\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}]}, \"user\": {\"type\": \"System\", \"uid\": \"6192a298-61ac-11ee-a78f-0242ac110005\", \"org\": {\"name\": \"lexus porcelain february\", \"uid\": \"6192a810-61ac-11ee-bb74-0242ac110005\", \"ou_name\": \"realm lesson pal\"}, \"type_id\": 
3}, \"uid\": \"6192ac3e-61ac-11ee-a0ed-0242ac110005\", \"cmd_line\": \"volunteer trustees tax\", \"container\": {\"name\": \"stood moms serving\", \"size\": 1947076520, \"uid\": \"6192b44a-61ac-11ee-a1ac-0242ac110005\", \"image\": {\"name\": \"occupations pie meanwhile\", \"uid\": \"6192b990-61ac-11ee-b095-0242ac110005\"}, \"hash\": {\"value\": \"B85EC314BF443B797EF8A66B3B03F8A4\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, \"pod_uuid\": \"effectiveness\"}, \"created_time\": 1695272181548, \"namespace_pid\": 64, \"parent_process\": {\"name\": \"Rugs\", \"pid\": 77, \"file\": {\"attributes\": 21, \"name\": \"interests.png\", \"type\": \"Symbolic Link\", \"path\": \"wagon workforce whatever/boundaries.bat/interests.png\", \"modifier\": {\"name\": \"Few\", \"type\": \"System\", \"type_id\": 3, \"email_addr\": \"Winona@teens.web\"}, \"desc\": \"fruit hop dean\", \"type_id\": 7, \"parent_folder\": \"wagon workforce whatever/boundaries.bat\", \"hashes\": [{\"value\": \"8A1AB46C5F0A7BC9F0562A16DEBAB8746A8BEF57920B6FE78D0B18EE49175C8F8CC8CD5F02E37B486B4CA85EBA2B18558E2D171B09545BB234AD29AB09936187\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"is_system\": false, \"modified_time_dt\": \"2023-10-03T05:19:09.434332Z\"}, \"user\": {\"name\": \"Structured\", \"type\": \"Admin\", \"uid\": \"6192d272-61ac-11ee-ae27-0242ac110005\", \"type_id\": 2, \"account\": {\"name\": \"peer amounts pros\", \"type\": \"AWS IAM User\", \"uid\": \"6192dbaa-61ac-11ee-8151-0242ac110005\", \"type_id\": 3}, \"uid_alt\": \"allocation vector lexus\"}, \"uid\": \"6192dff6-61ac-11ee-89c7-0242ac110005\", \"session\": {\"uid\": \"6192e51e-61ac-11ee-8c76-0242ac110005\", \"issuer\": \"covers advise flux\", \"created_time\": 1695272181548, \"is_remote\": true}, \"cmd_line\": \"arlington charger skins\", \"created_time\": 1695272181548, \"namespace_pid\": 65, \"parent_process\": {\"name\": \"Infant\", \"pid\": 92, \"file\": {\"name\": \"border.bmp\", \"type\": \"Local Socket\", \"version\": 
\"1.0.0\", \"path\": \"exterior quick striking/females.cpp/border.bmp\", \"modifier\": {\"name\": \"Spots\", \"type\": \"System\", \"uid\": \"6192f6bc-61ac-11ee-9638-0242ac110005\", \"type_id\": 3, \"account\": {\"name\": \"lose fotos fraction\", \"type\": \"Azure AD Account\", \"type_id\": 6}}, \"product\": {\"name\": \"democratic announcement crime\", \"version\": \"1.0.0\", \"uid\": \"6192ff54-61ac-11ee-9d07-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"three schema bench\"}, \"type_id\": 5, \"parent_folder\": \"exterior quick striking/females.cpp\", \"accessed_time_dt\": \"2023-10-03T05:19:09.435701Z\"}, \"user\": {\"name\": \"Fires\", \"type\": \"User\", \"uid\": \"61930b98-61ac-11ee-bb18-0242ac110005\", \"org\": {\"name\": \"nationwide yea yoga\", \"uid\": \"6193126e-61ac-11ee-9d91-0242ac110005\", \"ou_name\": \"meeting kiss first\"}, \"type_id\": 1, \"credential_uid\": \"619318cc-61ac-11ee-82d0-0242ac110005\"}, \"tid\": 60, \"uid\": \"61931cbe-61ac-11ee-b447-0242ac110005\", \"loaded_modules\": [\"/te/ut/obviously/inform/assignment.cue\", \"/clicks/importance/raw/agenda/soccer.js\"], \"cmd_line\": \"trinity comfort varieties\", \"created_time\": 1695272181548, \"namespace_pid\": 54, \"parent_process\": {\"name\": \"Valid\", \"pid\": 27, \"file\": {\"name\": \"outline.msg\", \"type\": \"Unknown\", \"path\": \"visiting guide believe/intense.rss/outline.msg\", \"desc\": \"floating told foul\", \"type_id\": 0, \"parent_folder\": \"visiting guide believe/intense.rss\", \"accessed_time\": 1695272181548, \"confidentiality\": \"keeps integrate specifies\", \"hashes\": [{\"value\": \"5A4194525971186E774FC3205628B611B5CCCE42\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"11BA65852271CD24C56C865A9635B90616326949FF2BF6CD07EACAF788BAD320\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"security_descriptor\": \"chance gmc ghana\", \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:19:09.436838Z\"}, \"user\": {\"name\": \"Swing\", 
\"type\": \"User\", \"type_id\": 1, \"full_name\": \"Alfredo Pauline\"}, \"uid\": \"61933410-61ac-11ee-8072-0242ac110005\", \"cmd_line\": \"italian kid properly\", \"container\": {\"name\": \"additions wyoming weekly\", \"size\": 3239910166, \"tag\": \"practical metals respected\", \"uid\": \"61933e06-61ac-11ee-8e9b-0242ac110005\", \"image\": {\"name\": \"assessments effects soap\", \"uid\": \"61934414-61ac-11ee-943e-0242ac110005\"}, \"hash\": {\"value\": \"A34D9E58DB53A2451A09B961F644E04C794AEFD5AF71BB6785BF8D771D1BC27EABC888BE87A7B3E92BB750215FC097CEB0FD238D44C5494F35746A4A9A0B4159\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"pod_uuid\": \"hear\"}, \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"lineage\": [\"picked purchase freelance\", \"scripts hybrid worked\"], \"namespace_pid\": 65, \"parent_process\": {\"name\": \"Si\", \"file\": {\"name\": \"comes.css\", \"type\": \"Local Socket\", \"path\": \"death payday queens/fleece.app/comes.css\", \"modifier\": {\"name\": \"Feelings\", \"type\": \"Admin\", \"uid\": \"61935512-61ac-11ee-9f87-0242ac110005\", \"type_id\": 2, \"full_name\": \"Calvin Marquitta\"}, \"product\": {\"version\": \"1.0.0\", \"uid\": \"61935b2a-61ac-11ee-9f18-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"marie stays nested\"}, \"type_id\": 5, \"company_name\": \"Courtney Kendal\", \"mime_type\": \"reflects/shore\", \"parent_folder\": \"death payday queens/fleece.app\", \"hashes\": [{\"value\": \"7653C24F6B758E09C2F78D41ED16D4D98AC9589616AA7DDE3CE38AC3018F86F726082E5D7895E732CB2D0C979A4B85FE853F95A815DF845615257B5A82F05144\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"1D5072F894A9D4122CBB317567CA88F6EAF3C8B645271C7E86EF241EBC1EBA51\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time_dt\": \"2023-10-03T05:19:09.438101Z\"}, \"user\": {\"type\": \"Admin\", \"uid\": \"61936e76-61ac-11ee-aa0d-0242ac110005\", \"org\": {\"name\": \"msgstr et pure\", \"uid\": 
\"619374a2-61ac-11ee-8d19-0242ac110005\", \"ou_name\": \"mg usa blair\"}, \"groups\": [{\"name\": \"tires online movement\", \"uid\": \"61937b46-61ac-11ee-8129-0242ac110005\", \"privileges\": [\"jan hindu collectible\", \"competitors antique disc\"]}, {\"name\": \"raymond shirts techno\", \"uid\": \"619380aa-61ac-11ee-9e69-0242ac110005\"}], \"type_id\": 2, \"credential_uid\": \"61938474-61ac-11ee-8547-0242ac110005\", \"email_addr\": \"Ilana@moses.firm\", \"uid_alt\": \"serbia named dns\"}, \"tid\": 9, \"uid\": \"6193888e-61ac-11ee-92f7-0242ac110005\", \"loaded_modules\": [\"/handbook/great/egyptian/guestbook/died.bat\", \"/matrix/ecommerce/management/just/songs.dcr\"], \"cmd_line\": \"injured metabolism martha\", \"container\": {\"name\": \"optimize unsigned reforms\", \"size\": 1197726829, \"uid\": \"619392fc-61ac-11ee-95a0-0242ac110005\", \"image\": {\"name\": \"versions soc fifteen\", \"tag\": \"actors des guardian\", \"uid\": \"61939900-61ac-11ee-89bb-0242ac110005\", \"labels\": [\"put\", \"experience\"]}, \"hash\": {\"value\": \"EA07DCC807FFE0D653259BB7C0DE7E6F136D741B4596E3E11BD60E98F38FE0B5\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695272181548, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"namespace_pid\": 54, \"terminated_time_dt\": \"2023-10-03T05:19:09.439671Z\"}}}, \"terminated_time\": 1695272181548}}, \"created_time_dt\": \"2023-10-03T05:19:09.439688Z\"}, \"user\": {\"name\": \"Affect\", \"type\": \"User\", \"uid\": \"6193a4e0-61ac-11ee-9d49-0242ac110005\", \"type_id\": 1}, \"session\": {\"uid\": \"6193ab66-61ac-11ee-b4d7-0242ac110005\", \"issuer\": \"conventional tar relay\", \"created_time\": 1695272181548}, \"idp\": {\"name\": \"rachel grey swiss\", \"uid\": \"6193b0ca-61ac-11ee-b37d-0242ac110005\"}, \"invoked_by\": \"substitute choice extent\"}, \"cloud\": {\"provider\": \"newman banned showcase\", \"region\": \"realized remarkable accompanied\", \"zone\": \"friend drops those\"}, \"severity_id\": 3, 
\"status_code\": \"user\", \"status_id\": 1, \"time_dt\": \"2023-10-03T05:19:09.440241Z\"}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"message\": \"compile oasis hazards\", \"status\": \"Success\", \"time\": 1695272181548, \"device\": {\"name\": \"owned flyer thinkpad\", \"type\": \"Browser\", \"ip\": \"81.2.69.142\", \"desc\": \"recommendations norman ventures\", \"hostname\": \"indexes.jobs\", \"uid\": \"619223f4-61ac-11ee-9c42-0242ac110005\", \"type_id\": 8, \"autoscale_uid\": \"6191f41a-61ac-11ee-b68a-0242ac110005\", \"first_seen_time\": 1695272181548, \"hw_info\": {\"bios_manufacturer\": \"newman marble developed\", \"serial_number\": \"dave cst enlarge\"}, \"instance_uid\": \"61921fda-61ac-11ee-ad02-0242ac110005\", \"interface_name\": \"local rules scholarship\", \"interface_uid\": \"61922b1a-61ac-11ee-afbc-0242ac110005\", \"network_interfaces\": [{\"name\": \"hewlett dozens asthma\", \"type\": \"Mobile\", \"ip\": \"81.2.69.142\", \"hostname\": \"motherboard.info\", \"mac\": \"CE:92:5B:C1:90:45:60:31\", \"type_id\": 3, \"subnet_prefix\": 8}], \"region\": \"without featured amazon\", \"risk_level\": \"familiar motorcycles wild\", \"vpc_uid\": \"619230c4-61ac-11ee-8fa9-0242ac110005\", \"first_seen_time_dt\": \"2023-10-03T05:19:09.429787Z\"}, \"kernel\": {\"name\": \"summaries cornell blowing\", \"type\": \"System Call\", \"type_id\": 2}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"version\": \"1.0.0\", \"uid\": \"6191ccc4-61ac-11ee-aacf-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"editors coordinate cvs\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"inkjet klein mechanical\", \"log_provider\": \"any alexander rolling\", \"log_version\": \"receptor literally shut\", \"modified_time\": 1695272181548, \"original_time\": \"jewish ethiopia invitation\", \"modified_time_dt\": 
\"2023-10-03T05:19:09.427926Z\"}, \"severity\": \"Medium\", \"duration\": 24, \"disposition\": \"recipes\", \"type_name\": \"Kernel Activity: Create\", \"activity_id\": 1, \"disposition_id\": 99, \"type_uid\": 100301, \"observables\": [{\"name\": \"car trust sister\", \"type\": \"Fingerprint\", \"type_id\": 30}, {\"name\": \"evidence because locate\", \"type\": \"IP Address\", \"type_id\": 2}], \"category_name\": \"System Activity\", \"class_uid\": 1003, \"category_uid\": 1, \"class_name\": \"Kernel Activity\", \"timezone_offset\": 54, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}, {\"name\": \"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\", \"uid\": \"TA0043\"}, {\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}], \"technique\": {\"name\": \"Data Manipulation\", \"uid\": \"T1565\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Initial Access | The adversary is trying to get into your network.\", \"uid\": \"TA0001\"}, {\"name\": \"Credential Access The adversary is trying to steal account names and passwords.\", \"uid\": \"TA0006\"}, {\"name\": \"Persistence The adversary is trying to maintain their foothold.\", \"uid\": \"TA0003\"}], \"technique\": {\"name\": \"LSA Secrets\", \"uid\": \"T1003.004\"}}], \"activity_name\": \"Create\", \"actor\": {\"process\": {\"name\": \"Covering\", \"pid\": 91, \"file\": {\"name\": \"word.drv\", \"size\": 2389716033, \"type\": \"Unknown\", \"version\": \"1.0.0\", \"path\": \"cigarette until wc/ls.c/word.drv\", \"type_id\": 0, \"parent_folder\": \"cigarette until wc/ls.c\", \"confidentiality\": \"tulsa\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"C3BD5B24A4E0467F267EEA0A0378CB224839993F4AEB1BF9A9F519E8484E9A16344FE367E55D08DED2F892D80577FD485A3BC5CA66EB0AE7C1CFA0B33586E766\", 
\"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"FEBD25D9812320828D7312326E19250E4439A6A99BCB4C740A8308671F571A6707A6D2A5A6066EB0DAA87071D23BE71ED56EAFF115D8AEAACEA125D283F45963\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"security_descriptor\": \"hospitality conclusions wires\", \"xattributes\": {}}, \"user\": {\"name\": \"Beth\", \"type\": \"User\", \"uid\": \"6192672e-61ac-11ee-a3c0-0242ac110005\", \"type_id\": 1, \"full_name\": \"Winifred Idell\", \"credential_uid\": \"61926cce-61ac-11ee-8202-0242ac110005\"}, \"tid\": 36, \"uid\": \"6192707a-61ac-11ee-ac88-0242ac110005\", \"cmd_line\": \"fy believed resolutions\", \"container\": {\"name\": \"transaction titans lucky\", \"runtime\": \"justify red wit\", \"size\": 4198558845, \"tag\": \"gambling romance place\", \"uid\": \"61927746-61ac-11ee-b13c-0242ac110005\", \"image\": {\"name\": \"ac tcp helen\", \"uid\": \"61927e30-61ac-11ee-ab18-0242ac110005\", \"labels\": [\"maybe\"]}, \"hash\": {\"value\": \"F19FE42A1B9BB9BBFC77F8F0A52EC5C411DC9200836F0C5D41A56543D8951D5AD8A1FA6F248A975A90B28E8B5268C50F220F5CAE2B47F74A204FB47E835AAE80\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}}, \"created_time\": 1695272181548, \"namespace_pid\": 6, \"parent_process\": {\"name\": \"Elect\", \"file\": {\"name\": \"hazard.aif\", \"owner\": {\"name\": \"Principle\", \"type\": \"User\", \"uid\": \"6192910e-61ac-11ee-9b83-0242ac110005\", \"type_id\": 1, \"email_addr\": \"Ryann@libraries.store\"}, \"type\": \"Symbolic Link\", \"path\": \"seeds divx firefox/kirk.cbr/hazard.aif\", \"type_id\": 7, \"company_name\": \"Latisha Billye\", \"creator\": {\"name\": \"Remain\", \"type\": \"Unknown\", \"uid\": \"61929852-61ac-11ee-b767-0242ac110005\", \"type_id\": 0, \"uid_alt\": \"limitations compound viewer\"}, \"parent_folder\": \"seeds divx firefox/kirk.cbr\", \"hashes\": [{\"value\": \"C6141BDD46728A85659C19E84135237C41908EF3\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}]}, \"user\": {\"type\": \"System\", 
\"uid\": \"6192a298-61ac-11ee-a78f-0242ac110005\", \"org\": {\"name\": \"lexus porcelain february\", \"uid\": \"6192a810-61ac-11ee-bb74-0242ac110005\", \"ou_name\": \"realm lesson pal\"}, \"type_id\": 3}, \"uid\": \"6192ac3e-61ac-11ee-a0ed-0242ac110005\", \"cmd_line\": \"volunteer trustees tax\", \"container\": {\"name\": \"stood moms serving\", \"size\": 1947076520, \"uid\": \"6192b44a-61ac-11ee-a1ac-0242ac110005\", \"image\": {\"name\": \"occupations pie meanwhile\", \"uid\": \"6192b990-61ac-11ee-b095-0242ac110005\"}, \"hash\": {\"value\": \"B85EC314BF443B797EF8A66B3B03F8A4\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, \"pod_uuid\": \"effectiveness\"}, \"created_time\": 1695272181548, \"namespace_pid\": 64, \"parent_process\": {\"name\": \"Rugs\", \"pid\": 77, \"file\": {\"attributes\": 21, \"name\": \"interests.png\", \"type\": \"Symbolic Link\", \"path\": \"wagon workforce whatever/boundaries.bat/interests.png\", \"modifier\": {\"name\": \"Few\", \"type\": \"System\", \"type_id\": 3, \"email_addr\": \"Winona@teens.web\"}, \"desc\": \"fruit hop dean\", \"type_id\": 7, \"parent_folder\": \"wagon workforce whatever/boundaries.bat\", \"hashes\": [{\"value\": \"8A1AB46C5F0A7BC9F0562A16DEBAB8746A8BEF57920B6FE78D0B18EE49175C8F8CC8CD5F02E37B486B4CA85EBA2B18558E2D171B09545BB234AD29AB09936187\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"is_system\": false, \"modified_time_dt\": \"2023-10-03T05:19:09.434332Z\"}, \"user\": {\"name\": \"Structured\", \"type\": \"Admin\", \"uid\": \"6192d272-61ac-11ee-ae27-0242ac110005\", \"type_id\": 2, \"account\": {\"name\": \"peer amounts pros\", \"type\": \"AWS IAM User\", \"uid\": \"6192dbaa-61ac-11ee-8151-0242ac110005\", \"type_id\": 3}, \"uid_alt\": \"allocation vector lexus\"}, \"uid\": \"6192dff6-61ac-11ee-89c7-0242ac110005\", \"session\": {\"uid\": \"6192e51e-61ac-11ee-8c76-0242ac110005\", \"issuer\": \"covers advise flux\", \"created_time\": 1695272181548, \"is_remote\": true}, \"cmd_line\": \"arlington charger 
skins\", \"created_time\": 1695272181548, \"namespace_pid\": 65, \"parent_process\": {\"name\": \"Infant\", \"pid\": 92, \"file\": {\"name\": \"border.bmp\", \"type\": \"Local Socket\", \"version\": \"1.0.0\", \"path\": \"exterior quick striking/females.cpp/border.bmp\", \"modifier\": {\"name\": \"Spots\", \"type\": \"System\", \"uid\": \"6192f6bc-61ac-11ee-9638-0242ac110005\", \"type_id\": 3, \"account\": {\"name\": \"lose fotos fraction\", \"type\": \"Azure AD Account\", \"type_id\": 6}}, \"product\": {\"name\": \"democratic announcement crime\", \"version\": \"1.0.0\", \"uid\": \"6192ff54-61ac-11ee-9d07-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"three schema bench\"}, \"type_id\": 5, \"parent_folder\": \"exterior quick striking/females.cpp\", \"accessed_time_dt\": \"2023-10-03T05:19:09.435701Z\"}, \"user\": {\"name\": \"Fires\", \"type\": \"User\", \"uid\": \"61930b98-61ac-11ee-bb18-0242ac110005\", \"org\": {\"name\": \"nationwide yea yoga\", \"uid\": \"6193126e-61ac-11ee-9d91-0242ac110005\", \"ou_name\": \"meeting kiss first\"}, \"type_id\": 1, \"credential_uid\": \"619318cc-61ac-11ee-82d0-0242ac110005\"}, \"tid\": 60, \"uid\": \"61931cbe-61ac-11ee-b447-0242ac110005\", \"loaded_modules\": [\"/te/ut/obviously/inform/assignment.cue\", \"/clicks/importance/raw/agenda/soccer.js\"], \"cmd_line\": \"trinity comfort varieties\", \"created_time\": 1695272181548, \"namespace_pid\": 54, \"parent_process\": {\"name\": \"Valid\", \"pid\": 27, \"file\": {\"name\": \"outline.msg\", \"type\": \"Unknown\", \"path\": \"visiting guide believe/intense.rss/outline.msg\", \"desc\": \"floating told foul\", \"type_id\": 0, \"parent_folder\": \"visiting guide believe/intense.rss\", \"accessed_time\": 1695272181548, \"confidentiality\": \"keeps integrate specifies\", \"hashes\": [{\"value\": \"5A4194525971186E774FC3205628B611B5CCCE42\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"11BA65852271CD24C56C865A9635B90616326949FF2BF6CD07EACAF788BAD320\", 
\"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"security_descriptor\": \"chance gmc ghana\", \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:19:09.436838Z\"}, \"user\": {\"name\": \"Swing\", \"type\": \"User\", \"type_id\": 1, \"full_name\": \"Alfredo Pauline\"}, \"uid\": \"61933410-61ac-11ee-8072-0242ac110005\", \"cmd_line\": \"italian kid properly\", \"container\": {\"name\": \"additions wyoming weekly\", \"size\": 3239910166, \"tag\": \"practical metals respected\", \"uid\": \"61933e06-61ac-11ee-8e9b-0242ac110005\", \"image\": {\"name\": \"assessments effects soap\", \"uid\": \"61934414-61ac-11ee-943e-0242ac110005\"}, \"hash\": {\"value\": \"A34D9E58DB53A2451A09B961F644E04C794AEFD5AF71BB6785BF8D771D1BC27EABC888BE87A7B3E92BB750215FC097CEB0FD238D44C5494F35746A4A9A0B4159\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"pod_uuid\": \"hear\"}, \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"lineage\": [\"picked purchase freelance\", \"scripts hybrid worked\"], \"namespace_pid\": 65, \"parent_process\": {\"name\": \"Si\", \"file\": {\"name\": \"comes.css\", \"type\": \"Local Socket\", \"path\": \"death payday queens/fleece.app/comes.css\", \"modifier\": {\"name\": \"Feelings\", \"type\": \"Admin\", \"uid\": \"61935512-61ac-11ee-9f87-0242ac110005\", \"type_id\": 2, \"full_name\": \"Calvin Marquitta\"}, \"product\": {\"version\": \"1.0.0\", \"uid\": \"61935b2a-61ac-11ee-9f18-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"marie stays nested\"}, \"type_id\": 5, \"company_name\": \"Courtney Kendal\", \"mime_type\": \"reflects/shore\", \"parent_folder\": \"death payday queens/fleece.app\", \"hashes\": [{\"value\": \"7653C24F6B758E09C2F78D41ED16D4D98AC9589616AA7DDE3CE38AC3018F86F726082E5D7895E732CB2D0C979A4B85FE853F95A815DF845615257B5A82F05144\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"1D5072F894A9D4122CBB317567CA88F6EAF3C8B645271C7E86EF241EBC1EBA51\", \"algorithm\": \"SHA-256\", 
\"algorithm_id\": 3}], \"created_time_dt\": \"2023-10-03T05:19:09.438101Z\"}, \"user\": {\"type\": \"Admin\", \"uid\": \"61936e76-61ac-11ee-aa0d-0242ac110005\", \"org\": {\"name\": \"msgstr et pure\", \"uid\": \"619374a2-61ac-11ee-8d19-0242ac110005\", \"ou_name\": \"mg usa blair\"}, \"groups\": [{\"name\": \"tires online movement\", \"uid\": \"61937b46-61ac-11ee-8129-0242ac110005\", \"privileges\": [\"jan hindu collectible\", \"competitors antique disc\"]}, {\"name\": \"raymond shirts techno\", \"uid\": \"619380aa-61ac-11ee-9e69-0242ac110005\"}], \"type_id\": 2, \"credential_uid\": \"61938474-61ac-11ee-8547-0242ac110005\", \"email_addr\": \"Ilana@moses.firm\", \"uid_alt\": \"serbia named dns\"}, \"tid\": 9, \"uid\": \"6193888e-61ac-11ee-92f7-0242ac110005\", \"loaded_modules\": [\"/handbook/great/egyptian/guestbook/died.bat\", \"/matrix/ecommerce/management/just/songs.dcr\"], \"cmd_line\": \"injured metabolism martha\", \"container\": {\"name\": \"optimize unsigned reforms\", \"size\": 1197726829, \"uid\": \"619392fc-61ac-11ee-95a0-0242ac110005\", \"image\": {\"name\": \"versions soc fifteen\", \"tag\": \"actors des guardian\", \"uid\": \"61939900-61ac-11ee-89bb-0242ac110005\", \"labels\": [\"put\", \"experience\"]}, \"hash\": {\"value\": \"EA07DCC807FFE0D653259BB7C0DE7E6F136D741B4596E3E11BD60E98F38FE0B5\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695272181548, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"namespace_pid\": 54, \"terminated_time_dt\": \"2023-10-03T05:19:09.439671Z\"}}}, \"terminated_time\": 1695272181548}}, \"created_time_dt\": \"2023-10-03T05:19:09.439688Z\"}, \"user\": {\"name\": \"Affect\", \"type\": \"User\", \"uid\": \"6193a4e0-61ac-11ee-9d49-0242ac110005\", \"type_id\": 1}, \"session\": {\"uid\": \"6193ab66-61ac-11ee-b4d7-0242ac110005\", \"issuer\": \"conventional tar relay\", \"created_time\": 1695272181548}, \"idp\": {\"name\": \"rachel grey swiss\", \"uid\": \"6193b0ca-61ac-11ee-b37d-0242ac110005\"}, 
\"invoked_by\": \"substitute choice extent\"}, \"cloud\": {\"provider\": \"newman banned showcase\", \"region\": \"realized remarkable accompanied\", \"zone\": \"friend drops those\"}, \"severity_id\": 3, \"status_code\": \"user\", \"status_id\": 1, \"time_dt\": \"2023-10-03T05:19:09.440241Z\"}", - "event": { - "action": "create", - "category": [ - "driver" - ], - "duration": 24000000, - "kind": "event", - "outcome": "success", - "provider": "any alexander rolling", - "severity": 3, - "type": [ - "info" - ] - }, - "@timestamp": "2023-10-03T05:19:09.440241Z", - "cloud": { - "availability_zone": "friend drops those", - "provider": "newman banned showcase", - "region": "realized remarkable accompanied" - }, - "container": { - "id": "61927746-61ac-11ee-b13c-0242ac110005", - "image": { - "name": "ac tcp helen" - }, - "name": "transaction titans lucky", - "runtime": "justify red wit" - }, - "file": { - "directory": "cigarette until wc/ls.c", - "hash": { - "sha512": "C3BD5B24A4E0467F267EEA0A0378CB224839993F4AEB1BF9A9F519E8484E9A16344FE367E55D08DED2F892D80577FD485A3BC5CA66EB0AE7C1CFA0B33586E766" - }, - "name": "word.drv", - "path": "cigarette until wc/ls.c/word.drv", - "size": 2389716033, - "type": "Unknown" - }, - "host": { - "hostname": "indexes.jobs", - "id": "619223f4-61ac-11ee-9c42-0242ac110005", - "ip": [ - "81.2.69.142" - ], - "name": "indexes.jobs", - "risk": { - "static_level": "familiar motorcycles wild" - }, - "type": "Browser" - }, - "ocsf": { - "activity_id": 1, - "activity_name": "Create", - "class_name": "Kernel Activity", - "class_uid": 1003 - }, - "process": { - "command_line": "fy believed resolutions", - "entity_id": "6192707a-61ac-11ee-ac88-0242ac110005", - "name": "Covering", - "parent": { - "command_line": "volunteer trustees tax", - "entity_id": "6192ac3e-61ac-11ee-a0ed-0242ac110005", - "name": "Elect", - "start": "2023-09-21T04:56:21.548000Z", - "user": { - "group": { - "id": [], - "name": [] - }, - "id": [ - "6192a298-61ac-11ee-a78f-0242ac110005" - 
] - } - }, - "pid": 91, - "start": "2023-09-21T04:56:21.548000Z", - "thread": { - "id": 36 - }, - "user": { - "full_name": "Winifred Idell", - "group": { - "id": [], - "name": [] - }, - "id": [ - "6192672e-61ac-11ee-a3c0-0242ac110005" - ], - "name": "Beth" - } - }, - "related": { - "hash": [ - "C3BD5B24A4E0467F267EEA0A0378CB224839993F4AEB1BF9A9F519E8484E9A16344FE367E55D08DED2F892D80577FD485A3BC5CA66EB0AE7C1CFA0B33586E766" - ], - "hosts": [ - "indexes.jobs" - ], - "ip": [ - "81.2.69.142" - ], - "user": [ - "Affect" - ] - }, - "threat": { - "technique": { - "id": [ - "T1003.004", - "T1565" - ], - "name": [ - "Data Manipulation", - "LSA Secrets" - ] - } - }, - "user": { - "group": { - "id": [], - "name": [] - }, - "id": "6193a4e0-61ac-11ee-9d49-0242ac110005", - "name": "Affect" - } - } -} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_system_activity_4.json b/OCSF/ocsf/tests/test_system_activity_4.json deleted file mode 100644 index e785dacae..000000000 --- a/OCSF/ocsf/tests/test_system_activity_4.json +++ /dev/null 
@@ -1,145 +0,0 @@ -{ - "input": { - "message": "{\"message\": \"door lotus aol\", \"time\": 1695272181548, \"device\": {\"name\": \"repeated sip distance\", \"type\": \"Server\", \"location\": {\"desc\": \"Taiwan\", \"city\": \"Stephanie hence\", \"country\": \"TW\", \"coordinates\": [161.2949, 22.9251], \"continent\": \"Asia\"}, \"hostname\": \"phd.nato\", \"uid\": \"f450d454-61ae-11ee-b232-0242ac110005\", \"image\": {\"name\": \"leader mind compliant\", \"uid\": \"f450e20a-61ae-11ee-959b-0242ac110005\"}, \"org\": {\"name\": \"gratuit book virtually\", \"uid\": \"f4507856-61ae-11ee-b34b-0242ac110005\", \"ou_name\": \"profit plug fioricet\"}, \"type_id\": 1, \"created_time\": 1695272181548, \"first_seen_time\": 1695272181548, \"instance_uid\": \"f450c02c-61ae-11ee-a04e-0242ac110005\", \"interface_name\": \"adaptive survivor nickname\", \"interface_uid\": \"f450dada-61ae-11ee-9e5c-0242ac110005\", \"is_trusted\": false, \"last_seen_time\": 1695272181548, \"region\": \"debut instruments alphabetical\", \"risk_level\": \"thomson shanghai foreign\", \"subnet_uid\": \"f450b6fe-61ae-11ee-aa6c-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"asbestos settings medication\", \"version\": \"1.0.0\", \"uid\": \"f4506410-61ae-11ee-a485-0242ac110005\", \"feature\": {\"name\": \"wish quest practitioners\", \"version\": \"1.0.0\", \"uid\": \"f4506a32-61ae-11ee-a6bb-0242ac110005\"}, \"lang\": \"en\", \"vendor_name\": \"evaluations belly reception\"}, \"sequence\": 35, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"trademarks wishing accreditation\", \"log_provider\": \"manual equivalent detroit\", \"logged_time\": 1695272181548, \"original_time\": \"protection velvet propose\"}, \"severity\": \"Critical\", \"api\": {\"request\": {\"uid\": \"f45046ce-61ae-11ee-8a1b-0242ac110005\"}, \"response\": {\"error\": \"dash knife stable\", \"code\": 99, \"message\": \"julian peninsula bought\", 
\"error_message\": \"delaware genetic purple\"}, \"operation\": \"appraisal disappointed iraqi\"}, \"disposition\": \"Deleted\", \"type_name\": \"Memory Activity: Allocate Page\", \"activity_id\": 1, \"disposition_id\": 5, \"type_uid\": 100401, \"category_name\": \"System Activity\", \"class_uid\": 1004, \"category_uid\": 1, \"class_name\": \"Memory Activity\", \"timezone_offset\": 26, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}], \"technique\": {\"name\": \"Additional Cloud Credentials\", \"uid\": \"T1098.001\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.\", \"uid\": \"TA0040\"}, {\"name\": \"Command and Control The adversary is trying to communicate with compromised systems to control them.\", \"uid\": \"TA0011\"}], \"technique\": {\"name\": \"Credentials in Registry\", \"uid\": \"T1214\"}}], \"activity_name\": \"Allocate Page\", \"actor\": {\"process\": {\"name\": \"Quad\", \"pid\": 76, \"file\": {\"name\": \"tenant.prf\", \"type\": \"Symbolic Link\", \"path\": \"daisy bullet expectations/speakers.fon/tenant.prf\", \"type_id\": 7, \"company_name\": \"Hue Marcelina\", \"parent_folder\": \"daisy bullet expectations/speakers.fon\", \"confidentiality\": \"Not Confidential\", \"confidentiality_id\": 1, \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"D593DAFEC471B60EC788CAF95AEB0DBE9F1AF56F9741565D96CEB84FF7C0AB18B97E298266E585A9FE82C4F85EE020C4B4BD974B54373088F0D1ACE2022CE17D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"4F227649B2E932AED413A05B69BAA35D\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"modified_time\": 1695272181548, \"modified_time_dt\": \"2023-10-03T05:37:34.691274Z\"}, \"user\": {\"name\": \"Utc\", \"type\": \"User\", \"uid\": \"f45ba8fc-61ae-11ee-883d-0242ac110005\", \"type_id\": 1, 
\"full_name\": \"Carin Otha\", \"email_addr\": \"Mireille@associate.mobi\"}, \"uid\": \"f45baed8-61ae-11ee-95e3-0242ac110005\", \"cmd_line\": \"stick strength suffered\", \"container\": {\"name\": \"sp finger reductions\", \"size\": 1112406887, \"tag\": \"dish acc interpretation\", \"uid\": \"f45bb5c2-61ae-11ee-b166-0242ac110005\", \"image\": {\"name\": \"leaves mounted something\", \"uid\": \"f45bbbe4-61ae-11ee-9bd8-0242ac110005\"}, \"hash\": {\"value\": \"0C2DC99EB913832DEE1E00AC1C121596D14346E7971CAF8B9873BA2BB862C4070FDD33F21558BA3B264A80A7B15D1722F1B3603C0858D1247E4359752B166BCC\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, \"network_driver\": \"arizona knight karl\", \"orchestrator\": \"integral economics gc\"}, \"created_time\": 1695272181548, \"namespace_pid\": 50, \"parent_process\": {\"name\": \"Trout\", \"pid\": 61, \"file\": {\"name\": \"download.pptx\", \"type\": \"Regular File\", \"path\": \"qld four roulette/sticker.dwg/download.pptx\", \"desc\": \"vs in contamination\", \"type_id\": 1, \"parent_folder\": \"qld four roulette/sticker.dwg\", \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"value\": \"64188A2F3AF0E7C7E83F429137D1F51F574286F7\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"7C12BD84ACFCEACC8A756BE13D08AF2B1EC193C5411C64B85380EEEC0B1B41F7\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"modified_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.692393Z\", \"accessed_time_dt\": \"2023-10-03T05:37:34.692401Z\"}, \"user\": {\"name\": \"Presidential\", \"type\": \"User\", \"uid\": \"f45bd110-61ae-11ee-b7e4-0242ac110005\", \"org\": {\"name\": \"setup stolen unexpected\", \"uid\": \"f45bd82c-61ae-11ee-9e57-0242ac110005\", \"ou_name\": \"iceland threats webcast\"}, \"type_id\": 1, \"full_name\": \"Rosamaria Mckenzie\", \"credential_uid\": \"f45bdcd2-61ae-11ee-a554-0242ac110005\"}, \"uid\": \"f45be042-61ae-11ee-a467-0242ac110005\", \"cmd_line\": \"red beaches fi\", 
\"container\": {\"name\": \"dispatch ste exist\", \"uid\": \"f45be5ba-61ae-11ee-88ce-0242ac110005\", \"image\": {\"name\": \"third aged kurt\", \"uid\": \"f45bebfa-61ae-11ee-bf2c-0242ac110005\"}, \"hash\": {\"value\": \"23ABACC1EF47F49C2387DDF45E9C424754AB96A8A4DED29732E05CA4192D028D05F263525EFEB4BBAFD7ECE02D2821858C8F39BADB5B11151131D82A3D8596FA\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695272181548, \"namespace_pid\": 31, \"parent_process\": {\"pid\": 98, \"file\": {\"name\": \"mins.srt\", \"type\": \"Regular File\", \"path\": \"risks rendering meal/surf.pages/mins.srt\", \"signature\": {\"certificate\": {\"subject\": \"lindsay symptoms gel\", \"issuer\": \"agency covers tested\", \"fingerprints\": [{\"value\": \"5F3258EAA1979A8BE0323FCD83F87741B9046FD02DFEDB63CC5E8BBEC47C85C9\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"fool aye tears\"}, \"algorithm\": \"Authenticode\", \"algorithm_id\": 4}, \"product\": {\"name\": \"morocco steam contractors\", \"uid\": \"f45bff78-61ae-11ee-94d1-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"myrtle wn view\"}, \"type_id\": 1, \"parent_folder\": \"risks rendering meal/surf.pages\", \"hashes\": [{\"value\": \"A98DE8AD923CB627EA1CDCCD5CF7356C\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"modified_time_dt\": \"2023-10-03T05:37:34.693818Z\", \"created_time_dt\": \"2023-10-03T05:37:34.693827Z\", \"accessed_time_dt\": \"2023-10-03T05:37:34.693831Z\"}, \"user\": {\"type\": \"Unknown\", \"uid\": \"f45c0b9e-61ae-11ee-9f3b-0242ac110005\", \"type_id\": 0, \"full_name\": \"Marry Dia\", \"email_addr\": \"Lilliana@ability.edu\"}, \"tid\": 86, \"session\": {\"uid\": \"f45c1288-61ae-11ee-ab6a-0242ac110005\", \"uuid\": \"f45c160c-61ae-11ee-b9ea-0242ac110005\", \"issuer\": \"spec gambling separated\", \"created_time\": 1695272181548, \"credential_uid\": \"f45c1a1c-61ae-11ee-85ba-0242ac110005\", \"is_remote\": 
false, \"expiration_time_dt\": \"2023-10-03T05:37:34.694457Z\", \"created_time_dt\": \"2023-10-03T05:37:34.694465Z\"}, \"container\": {\"name\": \"pest fought calibration\", \"runtime\": \"violation card logged\", \"size\": 1513188610, \"uid\": \"f45c2426-61ae-11ee-9c9d-0242ac110005\", \"image\": {\"name\": \"stripes excerpt baptist\", \"uid\": \"f45c2962-61ae-11ee-8549-0242ac110005\"}, \"hash\": {\"value\": \"5D7318303179149862E7825F7F1712F9E8045CDC54401C79C269DD068E20EA5D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, \"orchestrator\": \"walt truly susan\", \"pod_uuid\": \"techno\"}, \"namespace_pid\": 49, \"parent_process\": {\"name\": \"Telling\", \"pid\": 43, \"file\": {\"name\": \"asked.htm\", \"owner\": {\"name\": \"Initiatives\", \"type\": \"Unknown\", \"domain\": \"voyeurweb strip groove\", \"type_id\": 0, \"full_name\": \"Lynnette Brooke\"}, \"type\": \"Symbolic Link\", \"path\": \"brakes bugs inquire/blogging.ics/asked.htm\", \"signature\": {\"digest\": {\"value\": \"522CB2274A0D096C0F94307F55DB6E9D63211626E8BED23C3C8721CA612F28681D4E0202C137F40265FCAAD0EFE6A9BD02E0CF8323BAF52EFE09FF298791B18D\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"fetish converter communicate\", \"issuer\": \"conclusions medicines exception\", \"fingerprints\": [{\"value\": \"F74C6AF46A78BECB2F1BD3F95BBD5858\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"43F66E6B6CBAF53CC520E58EC65805EC62FA04119845AC53816DA9F36F525AC65E3D7D92BED0351865836C0E97D63184282A5FEDC9AF2E914C6F9B349CB835F0\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"legal grant module\", \"expiration_time_dt\": \"2023-10-03T05:37:34.695275Z\", \"created_time_dt\": \"2023-10-03T05:37:34.695282Z\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2, \"created_time_dt\": \"2023-10-03T05:37:34.695288Z\"}, \"uid\": \"f45c3f9c-61ae-11ee-9d0c-0242ac110005\", 
\"type_id\": 7, \"accessor\": {\"name\": \"Review\", \"type\": \"Admin\", \"uid\": \"f45c480c-61ae-11ee-acd3-0242ac110005\", \"groups\": [{\"name\": \"holder outstanding vatican\", \"uid\": \"f45c4fe6-61ae-11ee-92f7-0242ac110005\"}, {\"name\": \"conducted egypt siemens\", \"type\": \"rent divine winston\", \"uid\": \"f45c5446-61ae-11ee-9f91-0242ac110005\"}], \"type_id\": 2}, \"creator\": {\"type\": \"availability\", \"uid\": \"f45c601c-61ae-11ee-a457-0242ac110005\", \"groups\": [{\"name\": \"usually gained erotica\", \"uid\": \"f45c65d0-61ae-11ee-b6a8-0242ac110005\"}], \"type_id\": 99}, \"parent_folder\": \"brakes bugs inquire/blogging.ics\", \"hashes\": [{\"value\": \"5FA7429271BF14C077FFD905562FF00BA03D0E577EBDE842D181A43F83B98C5611220439195D98F47BB4838632D59E533816344E1DF7DB00271120083235ABCA\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Duck\", \"type\": \"Admin\", \"uid\": \"f45c6dd2-61ae-11ee-9f94-0242ac110005\", \"type_id\": 2}, \"uid\": \"f45c71a6-61ae-11ee-9f7b-0242ac110005\", \"cmd_line\": \"montana introductory ratings\", \"container\": {\"name\": \"strings provided foster\", \"runtime\": \"accidents usda suit\", \"uid\": \"f45c77be-61ae-11ee-8b06-0242ac110005\", \"image\": {\"name\": \"resources albums born\", \"uid\": \"f45c7e4e-61ae-11ee-955d-0242ac110005\"}, \"hash\": {\"value\": \"AB2620F9B7154D9F9DC1B3C2D949D85D595FE77F45411B3DBE6E5B47DA564177\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695272181548, \"lineage\": [\"copies would makeup\"], \"namespace_pid\": 88, \"parent_process\": {\"name\": \"Brandon\", \"pid\": 45, \"file\": {\"name\": \"instructions.tif\", \"size\": 2331416290, \"type\": \"Unknown\", \"path\": \"passwords floral edition/roland.gif/instructions.tif\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"underwear chancellor basic\", \"issuer\": \"strengths enlarge sorry\", \"fingerprints\": [{\"value\": 
\"0BB55CC45379DA535A05A8EDE44DF854F408971928C66528377DA784038293CF\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"D8EAE8212E2ED885C71F4117E0C39374\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"neon ban suse\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"developer_uid\": \"f45c9208-61ae-11ee-9a72-0242ac110005\"}, \"desc\": \"goto egyptian throw\", \"type_id\": 0, \"parent_folder\": \"passwords floral edition/roland.gif\", \"hashes\": [{\"value\": \"6D856108BBB655CE760736415EE23ECE1B8FCEE045C992B3A971D31ED454BFAD53DE388CBE3FFDE1EF1A4258DDD307E4DAAD413389F51A42155B5F334C9243A4\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"6163CDC7962473142ADF6DA1E4C2B6DB26C7391242E8BBD4EE04661FEC7DF2C941477A0394334EEE5002B17ED4164502FEE4342047E61B7F299B5C98BE241602\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Manufacturing\", \"type\": \"united\", \"uid\": \"f45ca0ea-61ae-11ee-8476-0242ac110005\", \"org\": {\"name\": \"way pros ddr\", \"uid\": \"f45cafa4-61ae-11ee-af8c-0242ac110005\", \"ou_name\": \"reliability poultry devices\"}, \"type_id\": 99, \"full_name\": \"Livia Ji\", \"account\": {\"name\": \"pen favors essential\", \"type\": \"AWS Account\", \"uid\": \"f45cb6ac-61ae-11ee-89fb-0242ac110005\", \"type_id\": 10}, \"credential_uid\": \"f45cba58-61ae-11ee-8137-0242ac110005\", \"email_addr\": \"Moira@upset.nato\"}, \"uid\": \"f45cc066-61ae-11ee-b149-0242ac110005\", \"cmd_line\": \"trembl reverse constantly\", \"container\": {\"name\": \"strain outputs perceived\", \"uid\": \"f45cc660-61ae-11ee-8e56-0242ac110005\", \"image\": {\"name\": \"saturn cincinnati productivity\", \"path\": \"harrison typical operations\", \"uid\": \"f45ccb74-61ae-11ee-9ef0-0242ac110005\"}, \"hash\": {\"value\": 
\"5F69DE08EF1B52810A2E555253B2561BF4E27E0CF557FEB7502CAD51FCA3AC3B923994EC15B91A6E29CCD01AED752264DCA40FCF45DDB4B47C42836B57984513\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, \"pod_uuid\": \"ontario\"}, \"created_time\": 1695272181548, \"namespace_pid\": 48, \"parent_process\": {\"pid\": 43, \"file\": {\"name\": \"gothic.m3u\", \"owner\": {\"name\": \"Strengthening\", \"type\": \"pentium\", \"uid\": \"f45cdaba-61ae-11ee-ba9e-0242ac110005\", \"org\": {\"name\": \"wed mpeg mortality\", \"uid\": \"f45cdfd8-61ae-11ee-9701-0242ac110005\", \"ou_name\": \"penny automatically tops\"}, \"groups\": [{\"type\": \"britain touch corporations\", \"uid\": \"f45ce500-61ae-11ee-ae50-0242ac110005\"}], \"type_id\": 99, \"uid_alt\": \"developed drinks university\"}, \"type\": \"Block Device\", \"path\": \"dod emirates promote/knitting.vob/gothic.m3u\", \"signature\": {\"digest\": {\"value\": \"7243F8BE75253AFBADF7477867021F8B\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"tractor bag coleman\", \"issuer\": \"formation mixer sullivan\", \"fingerprints\": [{\"value\": \"741DD1242DF463E4748B3F29D59B2CDB444A2B723C098FCD8A61CFF3A2531A1EBEB1D42A7AD9A444FA8D89DC6A11F741547C10080B44BED739B5D0CDC993B842\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"C4824AE8BB216F860CA4CD45F979A59088DD132DF0BFA0EC613752EF4A2EE45E\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"ser rna serves\"}, \"algorithm\": \"supreme\", \"algorithm_id\": 99}, \"type_id\": 4, \"creator\": {\"name\": \"Catalog\", \"type\": \"System\", \"uid\": \"f45cf144-61ae-11ee-a33b-0242ac110005\", \"groups\": [{\"uid\": \"f45d004e-61ae-11ee-8d39-0242ac110005\"}, {\"name\": \"chairs leisure institution\", \"uid\": \"f45d05e4-61ae-11ee-99f9-0242ac110005\"}], \"type_id\": 3}, \"parent_folder\": \"dod emirates promote/knitting.vob\", \"security_descriptor\": 
\"retention changing science\", \"xattributes\": {}}, \"user\": {\"name\": \"Opt\", \"type\": \"Unknown\", \"domain\": \"funky valentine attached\", \"uid\": \"f45d1192-61ae-11ee-805a-0242ac110005\", \"type_id\": 0}, \"uid\": \"f45d16ba-61ae-11ee-b515-0242ac110005\", \"cmd_line\": \"reductions transfer kyle\", \"created_time\": 1695272181548, \"integrity\": \"guys thus beads\", \"namespace_pid\": 82, \"parent_process\": {\"name\": \"Friends\", \"pid\": 7, \"user\": {\"name\": \"Overall\", \"type\": \"Admin\", \"uid\": \"f45d2c18-61ae-11ee-8f99-0242ac110005\", \"org\": {\"name\": \"antique crawford mug\", \"uid\": \"f45d3226-61ae-11ee-b3e9-0242ac110005\", \"ou_name\": \"maximize tx tide\"}, \"type_id\": 2, \"credential_uid\": \"f45d3654-61ae-11ee-a013-0242ac110005\", \"uid_alt\": \"areas attachment guy\"}, \"uid\": \"f45d3a46-61ae-11ee-89e2-0242ac110005\", \"cmd_line\": \"trails washer home\", \"container\": {\"name\": \"requested divx inspector\", \"size\": 648398402, \"uid\": \"f45d3faa-61ae-11ee-95d3-0242ac110005\", \"image\": {\"name\": \"equation modular saver\", \"uid\": \"f45d4bb2-61ae-11ee-98af-0242ac110005\", \"labels\": [\"malaysia\", \"tough\"]}, \"hash\": {\"value\": \"68C9913042346CAD7F9FABEBF901C5DBBE49BEAFFE6CDBF271C0CD6F2363033A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}}, \"created_time\": 1695272181548, \"lineage\": [\"married funded elections\", \"liquid geek cal\"], \"namespace_pid\": 2, \"parent_process\": {\"name\": \"Warnings\", \"pid\": 59, \"file\": {\"name\": \"manner.app\", \"type\": \"Folder\", \"version\": \"1.0.0\", \"path\": \"turn available mighty/grocery.tax2016/manner.app\", \"desc\": \"starting invasion flame\", \"type_id\": 2, \"company_name\": \"Myrl Ilana\", \"parent_folder\": \"turn available mighty/grocery.tax2016\", \"hashes\": [{\"value\": \"2FF592449E1B208D2349421A0E142A80E875518AA0C20FF64D3610AB6830DD78BF8980FD7F211369C267D93464D86327F78FA84CEDB14D9210655D931C34F7BA\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, 
{\"value\": \"A2349F07A5DCE2F05BB0C656C6DEA195972A5C01A7B5DA65FEC562FE2C229B6B5B6930E7613E6323D8F52E25C3E76F85EBED522B17F8EB673C263A290FD26BB7\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"created_time_dt\": \"2023-10-03T05:37:34.702607Z\"}, \"user\": {\"name\": \"Dis\", \"type\": \"Unknown\", \"uid\": \"f45d6034-61ae-11ee-9b9d-0242ac110005\", \"groups\": [{\"name\": \"gamecube sunday foster\", \"uid\": \"f45d6750-61ae-11ee-bb59-0242ac110005\", \"privileges\": [\"ceiling pulling chapter\", \"advise lung transparent\"]}, {\"name\": \"skins korea bubble\", \"type\": \"annie rn pot\", \"uid\": \"f45d710a-61ae-11ee-a1f1-0242ac110005\", \"privileges\": [\"harbor syracuse quantities\"]}], \"type_id\": 0, \"account\": {\"name\": \"cycles beast pierce\", \"type\": \"Azure AD Account\", \"uid\": \"f45d7e20-61ae-11ee-9be4-0242ac110005\", \"type_id\": 6}}, \"tid\": 63, \"uid\": \"f45d835c-61ae-11ee-a0b4-0242ac110005\", \"cmd_line\": \"guided spine purple\", \"container\": {\"name\": \"diffs dead mechanical\", \"size\": 1480676944, \"tag\": \"cheers cancer russian\", \"uid\": \"f45d8ab4-61ae-11ee-a07b-0242ac110005\", \"hash\": {\"value\": \"10E86C6514D40F2A3E861B31847340EE8C8ED181029A17B042F137121D28863E\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, \"orchestrator\": \"piano sims editors\", \"pod_uuid\": \"danish\"}, \"created_time\": 1695272181548, \"lineage\": [\"at residential ceo\"], \"namespace_pid\": 67, \"parent_process\": {\"name\": \"Hamilton\", \"pid\": 38, \"file\": {\"name\": \"basename.mpg\", \"size\": 2270854617, \"type\": \"Folder\", \"path\": \"general required suspect/commentary.jar/basename.mpg\", \"modifier\": {\"name\": \"Lopez\", \"type\": \"Admin\", \"uid\": \"f45da012-61ae-11ee-8601-0242ac110005\", \"type_id\": 2}, \"type_id\": 2, \"parent_folder\": \"general required suspect/commentary.jar\", \"accessed_time\": 1695272181548, \"confidentiality\": \"fear browsers television\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": 
\"3B0173ED99A820AB5188A16998FBC2E1957424B5E1E2DB85F6F1F8CAFAE691070EE54DC314BDF2983F9A2CE57CF6E378ABB2AEDB0DA772B4626469F1363D4782\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.704513Z\", \"accessed_time_dt\": \"2023-10-03T05:37:34.704522Z\"}, \"cmd_line\": \"lists accredited manufacture\", \"created_time\": 1695272181548, \"integrity\": \"disclosure insert americans\", \"namespace_pid\": 16, \"parent_process\": {\"pid\": 26, \"file\": {\"name\": \"mitsubishi.zip\", \"type\": \"way\", \"path\": \"premium accommodation showtimes/prisoner.deskthemepack/mitsubishi.zip\", \"type_id\": 99, \"parent_folder\": \"premium accommodation showtimes/prisoner.deskthemepack\", \"accessed_time\": 1695272181548, \"confidentiality\": \"applications\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"AC3F2D226D9EFC7934195793B402CBBC13E2736E205E59735FD07CE424B1FB37\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"BD1DC345B2C39E8DADCDA520CC809F96FFC8413DD1169269D5E02AE412E1297111E2A26660902A783337A5D4C0D0C9FEBCCBB0C0AED91F2BFA2CCF4845056AAB\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695272181548, \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.704809Z\"}, \"user\": {\"name\": \"Cardiovascular\", \"type\": \"Unknown\", \"uid\": \"f45db58e-61ae-11ee-b50c-0242ac110005\", \"type_id\": 0, \"uid_alt\": \"sn exception got\"}, \"container\": {\"name\": \"praise britannica rev\", \"uid\": \"f45dc254-61ae-11ee-b035-0242ac110005\", \"image\": {\"name\": \"conducted takes renewable\", \"uid\": \"f45dc7b8-61ae-11ee-9630-0242ac110005\"}, \"hash\": {\"value\": \"5DF4BFECA632B9BD1D11E5E5D9549CF30B4849A4C815894151C865C80E13E3D0DE949759C7E1AEE233D178AD52E3AE2E93D99AEA0D993ED5DCE67E03E1578823\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695272181548, \"integrity\": \"times entities fx\", \"namespace_pid\": 98, \"parent_process\": 
{\"name\": \"Forecasts\", \"pid\": 17, \"file\": {\"name\": \"hockey.part\", \"type\": \"Symbolic Link\", \"version\": \"1.0.0\", \"path\": \"seafood tape distant/physically.mdf/hockey.part\", \"uid\": \"f45dd3d4-61ae-11ee-9986-0242ac110005\", \"type_id\": 7, \"parent_folder\": \"seafood tape distant/physically.mdf\", \"hashes\": [{\"value\": \"0D3045A301A866174DD910C13E50427CB610EAD22A8523650B444E52FF16941B\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"BEE38FBC71DC4377BEF693AF6C11F462AC065BD6\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}]}, \"user\": {\"name\": \"Requires\", \"type\": \"User\", \"uid\": \"f45de0e0-61ae-11ee-88a9-0242ac110005\", \"type_id\": 1, \"credential_uid\": \"f45de554-61ae-11ee-bc44-0242ac110005\", \"uid_alt\": \"monica includes treating\"}, \"uid\": \"f45de978-61ae-11ee-af82-0242ac110005\", \"cmd_line\": \"insulation else evidence\", \"container\": {\"name\": \"dv cst mug\", \"size\": 2782839574, \"uid\": \"f45deefa-61ae-11ee-95f2-0242ac110005\", \"image\": {\"name\": \"olympus present empirical\", \"uid\": \"f45df3a0-61ae-11ee-ae83-0242ac110005\"}, \"hash\": {\"value\": \"E272B1A204600DF6B8A987C8FB851C7EF2AA8596CF158120722E5966F20081F5\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, \"orchestrator\": \"internationally correct examining\"}, \"created_time\": 1695272181548, \"integrity\": \"involvement hk speaking\", \"namespace_pid\": 56, \"parent_process\": {\"name\": \"Heath\", \"pid\": 26, \"user\": {\"name\": \"Qualities\", \"type\": \"System\", \"uid\": \"f45e00c0-61ae-11ee-b4f1-0242ac110005\", \"type_id\": 3, \"account\": {\"name\": \"engines robot c\", \"uid\": \"f45e05fc-61ae-11ee-bdef-0242ac110005\"}, \"uid_alt\": \"pathology ordinary ep\"}, \"cmd_line\": \"collapse tan demo\", \"container\": {\"name\": \"matters sophisticated hampshire\", \"size\": 277669091, \"uid\": \"f45e0b7e-61ae-11ee-9c4e-0242ac110005\", \"image\": {\"name\": \"pty dramatic measure\", \"uid\": 
\"f45e1452-61ae-11ee-93ff-0242ac110005\"}, \"hash\": {\"value\": \"7CFCBD1C1575DD7EAE454F18B9267188\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, \"orchestrator\": \"earned accountability todd\"}, \"created_time\": 1695272181548, \"integrity\": \"Protected\", \"integrity_id\": 6, \"namespace_pid\": 36, \"parent_process\": {\"name\": \"Special\", \"pid\": 39, \"user\": {\"name\": \"Mice\", \"type\": \"scoring\", \"uid\": \"f45e1f4c-61ae-11ee-bd4f-0242ac110005\", \"type_id\": 99}, \"cmd_line\": \"rubber taxi deployment\", \"container\": {\"name\": \"insulin never metabolism\", \"size\": 2875863087, \"uid\": \"f45e2532-61ae-11ee-b4f8-0242ac110005\", \"image\": {\"name\": \"phantom participant employee\", \"uid\": \"f45e29ec-61ae-11ee-b755-0242ac110005\"}, \"hash\": {\"value\": \"19EA5DD6F7D4532CE968933056B2150CB38D84FBEA07A9B1E71EE7388D9EAD136AFB55A16621065CA950B550FAA589C7E77583279DE84B3C958B13C9BA731D69\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"pod_uuid\": \"luxury\"}, \"created_time\": 1695272181548, \"integrity\": \"Protected\", \"integrity_id\": 6, \"namespace_pid\": 45, \"parent_process\": {\"pid\": 65, \"file\": {\"name\": \"message.exe\", \"owner\": {\"name\": \"Vegas\", \"type\": \"Unknown\", \"domain\": \"existence see evans\", \"org\": {\"name\": \"super rolling importantly\", \"uid\": \"f45e40bc-61ae-11ee-9f84-0242ac110005\", \"ou_uid\": \"f45e44ea-61ae-11ee-af1f-0242ac110005\"}, \"groups\": [{\"name\": \"careers fixes kai\", \"desc\": \"highways cheat summary\", \"uid\": \"f45e4da0-61ae-11ee-8ce5-0242ac110005\"}, {\"name\": \"past affiliate london\", \"type\": \"exclusion cleaners mart\", \"uid\": \"f45e51c4-61ae-11ee-af56-0242ac110005\"}], \"type_id\": 0, \"account\": {\"name\": \"tradition surfaces classification\", \"type\": \"AWS IAM Role\", \"uid\": \"f45e5af2-61ae-11ee-8e43-0242ac110005\", \"type_id\": 4}}, \"type\": \"mozilla\", \"path\": \"brunette symbol poem/weekends.htm/message.exe\", \"uid\": 
\"f45e5fa2-61ae-11ee-9642-0242ac110005\", \"type_id\": 99, \"parent_folder\": \"brunette symbol poem/weekends.htm\", \"confidentiality\": \"watson\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"EC04A154DEAC2F7D6C2C939EA992222061F58A10BD334C6D45E3B9B3BC538985107E3B32A6CA567C7B5C6F8F0D857459E5DDC11A97318AC1AEA8A2461B955401\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"6E170831A56B3AFDAFF2E0614B1495541FDE0CA37B2F9EBCB6D5225A0CADE66CC1E6AD525CAFDD363EAA50505FD613EDBD5C1B4D703D34702968D3AE7E09037C\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time_dt\": \"2023-10-03T05:37:34.709399Z\", \"created_time_dt\": \"2023-10-03T05:37:34.709410Z\", \"accessed_time_dt\": \"2023-10-03T05:37:34.709414Z\"}, \"user\": {\"type\": \"Unknown\", \"uid\": \"f45e68d0-61ae-11ee-a6d3-0242ac110005\", \"type_id\": 0, \"full_name\": \"Rosamaria Norberto\", \"account\": {\"name\": \"wireless trains wave\", \"type\": \"Linux Account\", \"uid\": \"f45e6eb6-61ae-11ee-9f44-0242ac110005\", \"type_id\": 9}, \"credential_uid\": \"f45e7230-61ae-11ee-a271-0242ac110005\"}, \"uid\": \"f45e7546-61ae-11ee-ab37-0242ac110005\", \"session\": {\"uid\": \"f45e805e-61ae-11ee-90d6-0242ac110005\", \"created_time\": 1695272181548, \"is_remote\": true, \"expiration_time_dt\": \"2023-10-03T05:37:34.710191Z\"}, \"namespace_pid\": 69, \"parent_process\": {\"name\": \"Is\", \"pid\": 14, \"file\": {\"name\": \"ambassador.swf\", \"type\": \"Symbolic Link\", \"path\": \"nickel gui cute/vision.m3u/ambassador.swf\", \"signature\": {\"digest\": {\"value\": \"14B85FA8E87F846F757EACCDA09761641B397F01\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"panic aspects reporting\", \"issuer\": \"hate passive admission\", \"fingerprints\": [{\"value\": \"09958F2F29A975C86F4BC77872179A9E719846A48F2022B36957925999CD31F4A0578A6C18EE8BDC0AEE2F0974FB4647FF2A0BFEA8A1E56877193277A827418F\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], 
\"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"promote dirt hindu\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time_dt\": \"2023-10-03T05:37:34.710541Z\"}, \"type_id\": 7, \"company_name\": \"Nicholas Betty\", \"parent_folder\": \"nickel gui cute/vision.m3u\", \"confidentiality\": \"sandwich exhibit ellis\", \"hashes\": [{\"value\": \"4DBD2BB0760D9EBBC2743A91879CCBC04A4837BD467C1F3B4E0850E4D459BC52\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"A5469012CF0415AAE3FFA22840287489C3C57811D0FD29A58C2CD702BC84D59ADC43354994A400CA41F16849414FADE8C6A9889E640F7987FF65EAD837C7D8E4\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.710639Z\"}, \"user\": {\"name\": \"Genres\", \"type\": \"User\", \"uid\": \"f45e9cb0-61ae-11ee-b849-0242ac110005\", \"type_id\": 1, \"full_name\": \"Lucile Apryl\", \"account\": {\"name\": \"saint view max\", \"type\": \"Apple Account\", \"uid\": \"f45ea32c-61ae-11ee-9546-0242ac110005\", \"type_id\": 8}, \"credential_uid\": \"f45ea700-61ae-11ee-bb61-0242ac110005\", \"email_addr\": \"Jeana@drill.web\"}, \"cmd_line\": \"changes sad programmes\", \"container\": {\"size\": 1104975009, \"tag\": \"alexander specs considered\", \"uid\": \"f45eae80-61ae-11ee-8fa9-0242ac110005\", \"image\": {\"name\": \"soap potter browsers\", \"uid\": \"f45eb3bc-61ae-11ee-871c-0242ac110005\"}, \"hash\": {\"value\": \"05521B80BB22220B8B095A94DA44E07951EE15F402F4BD4A050BD0CFFFD6B154\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, \"orchestrator\": \"matches virginia accepts\"}, \"created_time\": 1695272181548, \"namespace_pid\": 49}, \"sandbox\": \"ut metropolitan adjacent\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711553Z\"}, \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.711572Z\"}, \"terminated_time\": 1695272181548, \"terminated_time_dt\": \"2023-10-03T05:37:34.711582Z\"}, \"sandbox\": \"dans ip 
tours\"}, \"terminated_time\": 1695272181548, \"terminated_time_dt\": \"2023-10-03T05:37:34.711596Z\"}, \"created_time_dt\": \"2023-10-03T05:37:34.711602Z\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711606Z\"}, \"terminated_time\": 1695272181548, \"xattributes\": {}}, \"xattributes\": {}}, \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.711634Z\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711638Z\"}, \"sandbox\": \"brunette christ monetary\", \"created_time_dt\": \"2023-10-03T05:37:34.711648Z\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711652Z\"}, \"terminated_time\": 1695272181548}, \"xattributes\": {}}, \"xattributes\": {}}}, \"user\": {\"name\": \"We\", \"type\": \"Admin\", \"uid\": \"f45ec2a8-61ae-11ee-90fc-0242ac110005\", \"org\": {\"name\": \"enquiry hottest creations\", \"uid\": \"f45ecb68-61ae-11ee-824c-0242ac110005\", \"ou_name\": \"reel metals plain\"}, \"type_id\": 2, \"account\": {\"name\": \"intensive flash narrative\", \"type\": \"Windows Account\", \"uid\": \"f45ed32e-61ae-11ee-9aa9-0242ac110005\", \"type_id\": 2}}}, \"actual_permissions\": 14, \"base_address\": \"statements dining gnome\", \"cloud\": {\"project_uid\": \"f4505768-61ae-11ee-89e9-0242ac110005\", \"provider\": \"christian studies pioneer\", \"region\": \"increased competitors sparc\"}, \"severity_id\": 5, \"status_code\": \"registry\", \"time_dt\": \"2023-10-03T05:37:34.712339Z\"}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"message\": \"door lotus aol\", \"time\": 1695272181548, \"device\": {\"name\": \"repeated sip distance\", \"type\": \"Server\", \"location\": {\"desc\": \"Taiwan\", \"city\": \"Stephanie hence\", \"country\": \"TW\", \"coordinates\": [161.2949, 22.9251], \"continent\": \"Asia\"}, \"hostname\": \"phd.nato\", \"uid\": \"f450d454-61ae-11ee-b232-0242ac110005\", \"image\": {\"name\": \"leader mind compliant\", \"uid\": 
\"f450e20a-61ae-11ee-959b-0242ac110005\"}, \"org\": {\"name\": \"gratuit book virtually\", \"uid\": \"f4507856-61ae-11ee-b34b-0242ac110005\", \"ou_name\": \"profit plug fioricet\"}, \"type_id\": 1, \"created_time\": 1695272181548, \"first_seen_time\": 1695272181548, \"instance_uid\": \"f450c02c-61ae-11ee-a04e-0242ac110005\", \"interface_name\": \"adaptive survivor nickname\", \"interface_uid\": \"f450dada-61ae-11ee-9e5c-0242ac110005\", \"is_trusted\": false, \"last_seen_time\": 1695272181548, \"region\": \"debut instruments alphabetical\", \"risk_level\": \"thomson shanghai foreign\", \"subnet_uid\": \"f450b6fe-61ae-11ee-aa6c-0242ac110005\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"asbestos settings medication\", \"version\": \"1.0.0\", \"uid\": \"f4506410-61ae-11ee-a485-0242ac110005\", \"feature\": {\"name\": \"wish quest practitioners\", \"version\": \"1.0.0\", \"uid\": \"f4506a32-61ae-11ee-a6bb-0242ac110005\"}, \"lang\": \"en\", \"vendor_name\": \"evaluations belly reception\"}, \"sequence\": 35, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"trademarks wishing accreditation\", \"log_provider\": \"manual equivalent detroit\", \"logged_time\": 1695272181548, \"original_time\": \"protection velvet propose\"}, \"severity\": \"Critical\", \"api\": {\"request\": {\"uid\": \"f45046ce-61ae-11ee-8a1b-0242ac110005\"}, \"response\": {\"error\": \"dash knife stable\", \"code\": 99, \"message\": \"julian peninsula bought\", \"error_message\": \"delaware genetic purple\"}, \"operation\": \"appraisal disappointed iraqi\"}, \"disposition\": \"Deleted\", \"type_name\": \"Memory Activity: Allocate Page\", \"activity_id\": 1, \"disposition_id\": 5, \"type_uid\": 100401, \"category_name\": \"System Activity\", \"class_uid\": 1004, \"category_uid\": 1, \"class_name\": \"Memory Activity\", \"timezone_offset\": 26, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Collection | The 
adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}], \"technique\": {\"name\": \"Additional Cloud Credentials\", \"uid\": \"T1098.001\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.\", \"uid\": \"TA0040\"}, {\"name\": \"Command and Control The adversary is trying to communicate with compromised systems to control them.\", \"uid\": \"TA0011\"}], \"technique\": {\"name\": \"Credentials in Registry\", \"uid\": \"T1214\"}}], \"activity_name\": \"Allocate Page\", \"actor\": {\"process\": {\"name\": \"Quad\", \"pid\": 76, \"file\": {\"name\": \"tenant.prf\", \"type\": \"Symbolic Link\", \"path\": \"daisy bullet expectations/speakers.fon/tenant.prf\", \"type_id\": 7, \"company_name\": \"Hue Marcelina\", \"parent_folder\": \"daisy bullet expectations/speakers.fon\", \"confidentiality\": \"Not Confidential\", \"confidentiality_id\": 1, \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"D593DAFEC471B60EC788CAF95AEB0DBE9F1AF56F9741565D96CEB84FF7C0AB18B97E298266E585A9FE82C4F85EE020C4B4BD974B54373088F0D1ACE2022CE17D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"4F227649B2E932AED413A05B69BAA35D\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"modified_time\": 1695272181548, \"modified_time_dt\": \"2023-10-03T05:37:34.691274Z\"}, \"user\": {\"name\": \"Utc\", \"type\": \"User\", \"uid\": \"f45ba8fc-61ae-11ee-883d-0242ac110005\", \"type_id\": 1, \"full_name\": \"Carin Otha\", \"email_addr\": \"Mireille@associate.mobi\"}, \"uid\": \"f45baed8-61ae-11ee-95e3-0242ac110005\", \"cmd_line\": \"stick strength suffered\", \"container\": {\"name\": \"sp finger reductions\", \"size\": 1112406887, \"tag\": \"dish acc interpretation\", \"uid\": \"f45bb5c2-61ae-11ee-b166-0242ac110005\", \"image\": {\"name\": \"leaves mounted something\", \"uid\": \"f45bbbe4-61ae-11ee-9bd8-0242ac110005\"}, \"hash\": {\"value\": 
\"0C2DC99EB913832DEE1E00AC1C121596D14346E7971CAF8B9873BA2BB862C4070FDD33F21558BA3B264A80A7B15D1722F1B3603C0858D1247E4359752B166BCC\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, \"network_driver\": \"arizona knight karl\", \"orchestrator\": \"integral economics gc\"}, \"created_time\": 1695272181548, \"namespace_pid\": 50, \"parent_process\": {\"name\": \"Trout\", \"pid\": 61, \"file\": {\"name\": \"download.pptx\", \"type\": \"Regular File\", \"path\": \"qld four roulette/sticker.dwg/download.pptx\", \"desc\": \"vs in contamination\", \"type_id\": 1, \"parent_folder\": \"qld four roulette/sticker.dwg\", \"confidentiality\": \"Confidential\", \"confidentiality_id\": 2, \"hashes\": [{\"value\": \"64188A2F3AF0E7C7E83F429137D1F51F574286F7\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"7C12BD84ACFCEACC8A756BE13D08AF2B1EC193C5411C64B85380EEEC0B1B41F7\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"modified_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T05:37:34.692393Z\", \"accessed_time_dt\": \"2023-10-03T05:37:34.692401Z\"}, \"user\": {\"name\": \"Presidential\", \"type\": \"User\", \"uid\": \"f45bd110-61ae-11ee-b7e4-0242ac110005\", \"org\": {\"name\": \"setup stolen unexpected\", \"uid\": \"f45bd82c-61ae-11ee-9e57-0242ac110005\", \"ou_name\": \"iceland threats webcast\"}, \"type_id\": 1, \"full_name\": \"Rosamaria Mckenzie\", \"credential_uid\": \"f45bdcd2-61ae-11ee-a554-0242ac110005\"}, \"uid\": \"f45be042-61ae-11ee-a467-0242ac110005\", \"cmd_line\": \"red beaches fi\", \"container\": {\"name\": \"dispatch ste exist\", \"uid\": \"f45be5ba-61ae-11ee-88ce-0242ac110005\", \"image\": {\"name\": \"third aged kurt\", \"uid\": \"f45bebfa-61ae-11ee-bf2c-0242ac110005\"}, \"hash\": {\"value\": \"23ABACC1EF47F49C2387DDF45E9C424754AB96A8A4DED29732E05CA4192D028D05F263525EFEB4BBAFD7ECE02D2821858C8F39BADB5B11151131D82A3D8596FA\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695272181548, \"namespace_pid\": 31, 
\"parent_process\": {\"pid\": 98, \"file\": {\"name\": \"mins.srt\", \"type\": \"Regular File\", \"path\": \"risks rendering meal/surf.pages/mins.srt\", \"signature\": {\"certificate\": {\"subject\": \"lindsay symptoms gel\", \"issuer\": \"agency covers tested\", \"fingerprints\": [{\"value\": \"5F3258EAA1979A8BE0323FCD83F87741B9046FD02DFEDB63CC5E8BBEC47C85C9\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"fool aye tears\"}, \"algorithm\": \"Authenticode\", \"algorithm_id\": 4}, \"product\": {\"name\": \"morocco steam contractors\", \"uid\": \"f45bff78-61ae-11ee-94d1-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"myrtle wn view\"}, \"type_id\": 1, \"parent_folder\": \"risks rendering meal/surf.pages\", \"hashes\": [{\"value\": \"A98DE8AD923CB627EA1CDCCD5CF7356C\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"modified_time_dt\": \"2023-10-03T05:37:34.693818Z\", \"created_time_dt\": \"2023-10-03T05:37:34.693827Z\", \"accessed_time_dt\": \"2023-10-03T05:37:34.693831Z\"}, \"user\": {\"type\": \"Unknown\", \"uid\": \"f45c0b9e-61ae-11ee-9f3b-0242ac110005\", \"type_id\": 0, \"full_name\": \"Marry Dia\", \"email_addr\": \"Lilliana@ability.edu\"}, \"tid\": 86, \"session\": {\"uid\": \"f45c1288-61ae-11ee-ab6a-0242ac110005\", \"uuid\": \"f45c160c-61ae-11ee-b9ea-0242ac110005\", \"issuer\": \"spec gambling separated\", \"created_time\": 1695272181548, \"credential_uid\": \"f45c1a1c-61ae-11ee-85ba-0242ac110005\", \"is_remote\": false, \"expiration_time_dt\": \"2023-10-03T05:37:34.694457Z\", \"created_time_dt\": \"2023-10-03T05:37:34.694465Z\"}, \"container\": {\"name\": \"pest fought calibration\", \"runtime\": \"violation card logged\", \"size\": 1513188610, \"uid\": \"f45c2426-61ae-11ee-9c9d-0242ac110005\", \"image\": {\"name\": \"stripes excerpt baptist\", \"uid\": \"f45c2962-61ae-11ee-8549-0242ac110005\"}, \"hash\": {\"value\": 
\"5D7318303179149862E7825F7F1712F9E8045CDC54401C79C269DD068E20EA5D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, \"orchestrator\": \"walt truly susan\", \"pod_uuid\": \"techno\"}, \"namespace_pid\": 49, \"parent_process\": {\"name\": \"Telling\", \"pid\": 43, \"file\": {\"name\": \"asked.htm\", \"owner\": {\"name\": \"Initiatives\", \"type\": \"Unknown\", \"domain\": \"voyeurweb strip groove\", \"type_id\": 0, \"full_name\": \"Lynnette Brooke\"}, \"type\": \"Symbolic Link\", \"path\": \"brakes bugs inquire/blogging.ics/asked.htm\", \"signature\": {\"digest\": {\"value\": \"522CB2274A0D096C0F94307F55DB6E9D63211626E8BED23C3C8721CA612F28681D4E0202C137F40265FCAAD0EFE6A9BD02E0CF8323BAF52EFE09FF298791B18D\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"fetish converter communicate\", \"issuer\": \"conclusions medicines exception\", \"fingerprints\": [{\"value\": \"F74C6AF46A78BECB2F1BD3F95BBD5858\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"43F66E6B6CBAF53CC520E58EC65805EC62FA04119845AC53816DA9F36F525AC65E3D7D92BED0351865836C0E97D63184282A5FEDC9AF2E914C6F9B349CB835F0\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"legal grant module\", \"expiration_time_dt\": \"2023-10-03T05:37:34.695275Z\", \"created_time_dt\": \"2023-10-03T05:37:34.695282Z\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2, \"created_time_dt\": \"2023-10-03T05:37:34.695288Z\"}, \"uid\": \"f45c3f9c-61ae-11ee-9d0c-0242ac110005\", \"type_id\": 7, \"accessor\": {\"name\": \"Review\", \"type\": \"Admin\", \"uid\": \"f45c480c-61ae-11ee-acd3-0242ac110005\", \"groups\": [{\"name\": \"holder outstanding vatican\", \"uid\": \"f45c4fe6-61ae-11ee-92f7-0242ac110005\"}, {\"name\": \"conducted egypt siemens\", \"type\": \"rent divine winston\", \"uid\": \"f45c5446-61ae-11ee-9f91-0242ac110005\"}], \"type_id\": 2}, \"creator\": {\"type\": 
\"availability\", \"uid\": \"f45c601c-61ae-11ee-a457-0242ac110005\", \"groups\": [{\"name\": \"usually gained erotica\", \"uid\": \"f45c65d0-61ae-11ee-b6a8-0242ac110005\"}], \"type_id\": 99}, \"parent_folder\": \"brakes bugs inquire/blogging.ics\", \"hashes\": [{\"value\": \"5FA7429271BF14C077FFD905562FF00BA03D0E577EBDE842D181A43F83B98C5611220439195D98F47BB4838632D59E533816344E1DF7DB00271120083235ABCA\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Duck\", \"type\": \"Admin\", \"uid\": \"f45c6dd2-61ae-11ee-9f94-0242ac110005\", \"type_id\": 2}, \"uid\": \"f45c71a6-61ae-11ee-9f7b-0242ac110005\", \"cmd_line\": \"montana introductory ratings\", \"container\": {\"name\": \"strings provided foster\", \"runtime\": \"accidents usda suit\", \"uid\": \"f45c77be-61ae-11ee-8b06-0242ac110005\", \"image\": {\"name\": \"resources albums born\", \"uid\": \"f45c7e4e-61ae-11ee-955d-0242ac110005\"}, \"hash\": {\"value\": \"AB2620F9B7154D9F9DC1B3C2D949D85D595FE77F45411B3DBE6E5B47DA564177\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695272181548, \"lineage\": [\"copies would makeup\"], \"namespace_pid\": 88, \"parent_process\": {\"name\": \"Brandon\", \"pid\": 45, \"file\": {\"name\": \"instructions.tif\", \"size\": 2331416290, \"type\": \"Unknown\", \"path\": \"passwords floral edition/roland.gif/instructions.tif\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"underwear chancellor basic\", \"issuer\": \"strengths enlarge sorry\", \"fingerprints\": [{\"value\": \"0BB55CC45379DA535A05A8EDE44DF854F408971928C66528377DA784038293CF\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"D8EAE8212E2ED885C71F4117E0C39374\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"neon ban suse\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3, \"developer_uid\": \"f45c9208-61ae-11ee-9a72-0242ac110005\"}, \"desc\": \"goto 
egyptian throw\", \"type_id\": 0, \"parent_folder\": \"passwords floral edition/roland.gif\", \"hashes\": [{\"value\": \"6D856108BBB655CE760736415EE23ECE1B8FCEE045C992B3A971D31ED454BFAD53DE388CBE3FFDE1EF1A4258DDD307E4DAAD413389F51A42155B5F334C9243A4\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"6163CDC7962473142ADF6DA1E4C2B6DB26C7391242E8BBD4EE04661FEC7DF2C941477A0394334EEE5002B17ED4164502FEE4342047E61B7F299B5C98BE241602\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Manufacturing\", \"type\": \"united\", \"uid\": \"f45ca0ea-61ae-11ee-8476-0242ac110005\", \"org\": {\"name\": \"way pros ddr\", \"uid\": \"f45cafa4-61ae-11ee-af8c-0242ac110005\", \"ou_name\": \"reliability poultry devices\"}, \"type_id\": 99, \"full_name\": \"Livia Ji\", \"account\": {\"name\": \"pen favors essential\", \"type\": \"AWS Account\", \"uid\": \"f45cb6ac-61ae-11ee-89fb-0242ac110005\", \"type_id\": 10}, \"credential_uid\": \"f45cba58-61ae-11ee-8137-0242ac110005\", \"email_addr\": \"Moira@upset.nato\"}, \"uid\": \"f45cc066-61ae-11ee-b149-0242ac110005\", \"cmd_line\": \"trembl reverse constantly\", \"container\": {\"name\": \"strain outputs perceived\", \"uid\": \"f45cc660-61ae-11ee-8e56-0242ac110005\", \"image\": {\"name\": \"saturn cincinnati productivity\", \"path\": \"harrison typical operations\", \"uid\": \"f45ccb74-61ae-11ee-9ef0-0242ac110005\"}, \"hash\": {\"value\": \"5F69DE08EF1B52810A2E555253B2561BF4E27E0CF557FEB7502CAD51FCA3AC3B923994EC15B91A6E29CCD01AED752264DCA40FCF45DDB4B47C42836B57984513\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, \"pod_uuid\": \"ontario\"}, \"created_time\": 1695272181548, \"namespace_pid\": 48, \"parent_process\": {\"pid\": 43, \"file\": {\"name\": \"gothic.m3u\", \"owner\": {\"name\": \"Strengthening\", \"type\": \"pentium\", \"uid\": \"f45cdaba-61ae-11ee-ba9e-0242ac110005\", \"org\": {\"name\": \"wed mpeg mortality\", \"uid\": 
\"f45cdfd8-61ae-11ee-9701-0242ac110005\", \"ou_name\": \"penny automatically tops\"}, \"groups\": [{\"type\": \"britain touch corporations\", \"uid\": \"f45ce500-61ae-11ee-ae50-0242ac110005\"}], \"type_id\": 99, \"uid_alt\": \"developed drinks university\"}, \"type\": \"Block Device\", \"path\": \"dod emirates promote/knitting.vob/gothic.m3u\", \"signature\": {\"digest\": {\"value\": \"7243F8BE75253AFBADF7477867021F8B\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"tractor bag coleman\", \"issuer\": \"formation mixer sullivan\", \"fingerprints\": [{\"value\": \"741DD1242DF463E4748B3F29D59B2CDB444A2B723C098FCD8A61CFF3A2531A1EBEB1D42A7AD9A444FA8D89DC6A11F741547C10080B44BED739B5D0CDC993B842\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"C4824AE8BB216F860CA4CD45F979A59088DD132DF0BFA0EC613752EF4A2EE45E\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"ser rna serves\"}, \"algorithm\": \"supreme\", \"algorithm_id\": 99}, \"type_id\": 4, \"creator\": {\"name\": \"Catalog\", \"type\": \"System\", \"uid\": \"f45cf144-61ae-11ee-a33b-0242ac110005\", \"groups\": [{\"uid\": \"f45d004e-61ae-11ee-8d39-0242ac110005\"}, {\"name\": \"chairs leisure institution\", \"uid\": \"f45d05e4-61ae-11ee-99f9-0242ac110005\"}], \"type_id\": 3}, \"parent_folder\": \"dod emirates promote/knitting.vob\", \"security_descriptor\": \"retention changing science\", \"xattributes\": {}}, \"user\": {\"name\": \"Opt\", \"type\": \"Unknown\", \"domain\": \"funky valentine attached\", \"uid\": \"f45d1192-61ae-11ee-805a-0242ac110005\", \"type_id\": 0}, \"uid\": \"f45d16ba-61ae-11ee-b515-0242ac110005\", \"cmd_line\": \"reductions transfer kyle\", \"created_time\": 1695272181548, \"integrity\": \"guys thus beads\", \"namespace_pid\": 82, \"parent_process\": {\"name\": \"Friends\", \"pid\": 7, \"user\": {\"name\": \"Overall\", \"type\": 
\"Admin\", \"uid\": \"f45d2c18-61ae-11ee-8f99-0242ac110005\", \"org\": {\"name\": \"antique crawford mug\", \"uid\": \"f45d3226-61ae-11ee-b3e9-0242ac110005\", \"ou_name\": \"maximize tx tide\"}, \"type_id\": 2, \"credential_uid\": \"f45d3654-61ae-11ee-a013-0242ac110005\", \"uid_alt\": \"areas attachment guy\"}, \"uid\": \"f45d3a46-61ae-11ee-89e2-0242ac110005\", \"cmd_line\": \"trails washer home\", \"container\": {\"name\": \"requested divx inspector\", \"size\": 648398402, \"uid\": \"f45d3faa-61ae-11ee-95d3-0242ac110005\", \"image\": {\"name\": \"equation modular saver\", \"uid\": \"f45d4bb2-61ae-11ee-98af-0242ac110005\", \"labels\": [\"malaysia\", \"tough\"]}, \"hash\": {\"value\": \"68C9913042346CAD7F9FABEBF901C5DBBE49BEAFFE6CDBF271C0CD6F2363033A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}}, \"created_time\": 1695272181548, \"lineage\": [\"married funded elections\", \"liquid geek cal\"], \"namespace_pid\": 2, \"parent_process\": {\"name\": \"Warnings\", \"pid\": 59, \"file\": {\"name\": \"manner.app\", \"type\": \"Folder\", \"version\": \"1.0.0\", \"path\": \"turn available mighty/grocery.tax2016/manner.app\", \"desc\": \"starting invasion flame\", \"type_id\": 2, \"company_name\": \"Myrl Ilana\", \"parent_folder\": \"turn available mighty/grocery.tax2016\", \"hashes\": [{\"value\": \"2FF592449E1B208D2349421A0E142A80E875518AA0C20FF64D3610AB6830DD78BF8980FD7F211369C267D93464D86327F78FA84CEDB14D9210655D931C34F7BA\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"A2349F07A5DCE2F05BB0C656C6DEA195972A5C01A7B5DA65FEC562FE2C229B6B5B6930E7613E6323D8F52E25C3E76F85EBED522B17F8EB673C263A290FD26BB7\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"created_time_dt\": \"2023-10-03T05:37:34.702607Z\"}, \"user\": {\"name\": \"Dis\", \"type\": \"Unknown\", \"uid\": \"f45d6034-61ae-11ee-9b9d-0242ac110005\", \"groups\": [{\"name\": \"gamecube sunday foster\", \"uid\": \"f45d6750-61ae-11ee-bb59-0242ac110005\", \"privileges\": [\"ceiling pulling 
chapter\", \"advise lung transparent\"]}, {\"name\": \"skins korea bubble\", \"type\": \"annie rn pot\", \"uid\": \"f45d710a-61ae-11ee-a1f1-0242ac110005\", \"privileges\": [\"harbor syracuse quantities\"]}], \"type_id\": 0, \"account\": {\"name\": \"cycles beast pierce\", \"type\": \"Azure AD Account\", \"uid\": \"f45d7e20-61ae-11ee-9be4-0242ac110005\", \"type_id\": 6}}, \"tid\": 63, \"uid\": \"f45d835c-61ae-11ee-a0b4-0242ac110005\", \"cmd_line\": \"guided spine purple\", \"container\": {\"name\": \"diffs dead mechanical\", \"size\": 1480676944, \"tag\": \"cheers cancer russian\", \"uid\": \"f45d8ab4-61ae-11ee-a07b-0242ac110005\", \"hash\": {\"value\": \"10E86C6514D40F2A3E861B31847340EE8C8ED181029A17B042F137121D28863E\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, \"orchestrator\": \"piano sims editors\", \"pod_uuid\": \"danish\"}, \"created_time\": 1695272181548, \"lineage\": [\"at residential ceo\"], \"namespace_pid\": 67, \"parent_process\": {\"name\": \"Hamilton\", \"pid\": 38, \"file\": {\"name\": \"basename.mpg\", \"size\": 2270854617, \"type\": \"Folder\", \"path\": \"general required suspect/commentary.jar/basename.mpg\", \"modifier\": {\"name\": \"Lopez\", \"type\": \"Admin\", \"uid\": \"f45da012-61ae-11ee-8601-0242ac110005\", \"type_id\": 2}, \"type_id\": 2, \"parent_folder\": \"general required suspect/commentary.jar\", \"accessed_time\": 1695272181548, \"confidentiality\": \"fear browsers television\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"3B0173ED99A820AB5188A16998FBC2E1957424B5E1E2DB85F6F1F8CAFAE691070EE54DC314BDF2983F9A2CE57CF6E378ABB2AEDB0DA772B4626469F1363D4782\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.704513Z\", \"accessed_time_dt\": \"2023-10-03T05:37:34.704522Z\"}, \"cmd_line\": \"lists accredited manufacture\", \"created_time\": 1695272181548, \"integrity\": \"disclosure insert americans\", \"namespace_pid\": 16, \"parent_process\": {\"pid\": 
26, \"file\": {\"name\": \"mitsubishi.zip\", \"type\": \"way\", \"path\": \"premium accommodation showtimes/prisoner.deskthemepack/mitsubishi.zip\", \"type_id\": 99, \"parent_folder\": \"premium accommodation showtimes/prisoner.deskthemepack\", \"accessed_time\": 1695272181548, \"confidentiality\": \"applications\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"AC3F2D226D9EFC7934195793B402CBBC13E2736E205E59735FD07CE424B1FB37\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"BD1DC345B2C39E8DADCDA520CC809F96FFC8413DD1169269D5E02AE412E1297111E2A26660902A783337A5D4C0D0C9FEBCCBB0C0AED91F2BFA2CCF4845056AAB\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1695272181548, \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.704809Z\"}, \"user\": {\"name\": \"Cardiovascular\", \"type\": \"Unknown\", \"uid\": \"f45db58e-61ae-11ee-b50c-0242ac110005\", \"type_id\": 0, \"uid_alt\": \"sn exception got\"}, \"container\": {\"name\": \"praise britannica rev\", \"uid\": \"f45dc254-61ae-11ee-b035-0242ac110005\", \"image\": {\"name\": \"conducted takes renewable\", \"uid\": \"f45dc7b8-61ae-11ee-9630-0242ac110005\"}, \"hash\": {\"value\": \"5DF4BFECA632B9BD1D11E5E5D9549CF30B4849A4C815894151C865C80E13E3D0DE949759C7E1AEE233D178AD52E3AE2E93D99AEA0D993ED5DCE67E03E1578823\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695272181548, \"integrity\": \"times entities fx\", \"namespace_pid\": 98, \"parent_process\": {\"name\": \"Forecasts\", \"pid\": 17, \"file\": {\"name\": \"hockey.part\", \"type\": \"Symbolic Link\", \"version\": \"1.0.0\", \"path\": \"seafood tape distant/physically.mdf/hockey.part\", \"uid\": \"f45dd3d4-61ae-11ee-9986-0242ac110005\", \"type_id\": 7, \"parent_folder\": \"seafood tape distant/physically.mdf\", \"hashes\": [{\"value\": \"0D3045A301A866174DD910C13E50427CB610EAD22A8523650B444E52FF16941B\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": 
\"BEE38FBC71DC4377BEF693AF6C11F462AC065BD6\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}]}, \"user\": {\"name\": \"Requires\", \"type\": \"User\", \"uid\": \"f45de0e0-61ae-11ee-88a9-0242ac110005\", \"type_id\": 1, \"credential_uid\": \"f45de554-61ae-11ee-bc44-0242ac110005\", \"uid_alt\": \"monica includes treating\"}, \"uid\": \"f45de978-61ae-11ee-af82-0242ac110005\", \"cmd_line\": \"insulation else evidence\", \"container\": {\"name\": \"dv cst mug\", \"size\": 2782839574, \"uid\": \"f45deefa-61ae-11ee-95f2-0242ac110005\", \"image\": {\"name\": \"olympus present empirical\", \"uid\": \"f45df3a0-61ae-11ee-ae83-0242ac110005\"}, \"hash\": {\"value\": \"E272B1A204600DF6B8A987C8FB851C7EF2AA8596CF158120722E5966F20081F5\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, \"orchestrator\": \"internationally correct examining\"}, \"created_time\": 1695272181548, \"integrity\": \"involvement hk speaking\", \"namespace_pid\": 56, \"parent_process\": {\"name\": \"Heath\", \"pid\": 26, \"user\": {\"name\": \"Qualities\", \"type\": \"System\", \"uid\": \"f45e00c0-61ae-11ee-b4f1-0242ac110005\", \"type_id\": 3, \"account\": {\"name\": \"engines robot c\", \"uid\": \"f45e05fc-61ae-11ee-bdef-0242ac110005\"}, \"uid_alt\": \"pathology ordinary ep\"}, \"cmd_line\": \"collapse tan demo\", \"container\": {\"name\": \"matters sophisticated hampshire\", \"size\": 277669091, \"uid\": \"f45e0b7e-61ae-11ee-9c4e-0242ac110005\", \"image\": {\"name\": \"pty dramatic measure\", \"uid\": \"f45e1452-61ae-11ee-93ff-0242ac110005\"}, \"hash\": {\"value\": \"7CFCBD1C1575DD7EAE454F18B9267188\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, \"orchestrator\": \"earned accountability todd\"}, \"created_time\": 1695272181548, \"integrity\": \"Protected\", \"integrity_id\": 6, \"namespace_pid\": 36, \"parent_process\": {\"name\": \"Special\", \"pid\": 39, \"user\": {\"name\": \"Mice\", \"type\": \"scoring\", \"uid\": \"f45e1f4c-61ae-11ee-bd4f-0242ac110005\", \"type_id\": 99}, \"cmd_line\": \"rubber taxi 
deployment\", \"container\": {\"name\": \"insulin never metabolism\", \"size\": 2875863087, \"uid\": \"f45e2532-61ae-11ee-b4f8-0242ac110005\", \"image\": {\"name\": \"phantom participant employee\", \"uid\": \"f45e29ec-61ae-11ee-b755-0242ac110005\"}, \"hash\": {\"value\": \"19EA5DD6F7D4532CE968933056B2150CB38D84FBEA07A9B1E71EE7388D9EAD136AFB55A16621065CA950B550FAA589C7E77583279DE84B3C958B13C9BA731D69\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"pod_uuid\": \"luxury\"}, \"created_time\": 1695272181548, \"integrity\": \"Protected\", \"integrity_id\": 6, \"namespace_pid\": 45, \"parent_process\": {\"pid\": 65, \"file\": {\"name\": \"message.exe\", \"owner\": {\"name\": \"Vegas\", \"type\": \"Unknown\", \"domain\": \"existence see evans\", \"org\": {\"name\": \"super rolling importantly\", \"uid\": \"f45e40bc-61ae-11ee-9f84-0242ac110005\", \"ou_uid\": \"f45e44ea-61ae-11ee-af1f-0242ac110005\"}, \"groups\": [{\"name\": \"careers fixes kai\", \"desc\": \"highways cheat summary\", \"uid\": \"f45e4da0-61ae-11ee-8ce5-0242ac110005\"}, {\"name\": \"past affiliate london\", \"type\": \"exclusion cleaners mart\", \"uid\": \"f45e51c4-61ae-11ee-af56-0242ac110005\"}], \"type_id\": 0, \"account\": {\"name\": \"tradition surfaces classification\", \"type\": \"AWS IAM Role\", \"uid\": \"f45e5af2-61ae-11ee-8e43-0242ac110005\", \"type_id\": 4}}, \"type\": \"mozilla\", \"path\": \"brunette symbol poem/weekends.htm/message.exe\", \"uid\": \"f45e5fa2-61ae-11ee-9642-0242ac110005\", \"type_id\": 99, \"parent_folder\": \"brunette symbol poem/weekends.htm\", \"confidentiality\": \"watson\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"EC04A154DEAC2F7D6C2C939EA992222061F58A10BD334C6D45E3B9B3BC538985107E3B32A6CA567C7B5C6F8F0D857459E5DDC11A97318AC1AEA8A2461B955401\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"6E170831A56B3AFDAFF2E0614B1495541FDE0CA37B2F9EBCB6D5225A0CADE66CC1E6AD525CAFDD363EAA50505FD613EDBD5C1B4D703D34702968D3AE7E09037C\", \"algorithm\": 
\"CTPH\", \"algorithm_id\": 5}], \"modified_time_dt\": \"2023-10-03T05:37:34.709399Z\", \"created_time_dt\": \"2023-10-03T05:37:34.709410Z\", \"accessed_time_dt\": \"2023-10-03T05:37:34.709414Z\"}, \"user\": {\"type\": \"Unknown\", \"uid\": \"f45e68d0-61ae-11ee-a6d3-0242ac110005\", \"type_id\": 0, \"full_name\": \"Rosamaria Norberto\", \"account\": {\"name\": \"wireless trains wave\", \"type\": \"Linux Account\", \"uid\": \"f45e6eb6-61ae-11ee-9f44-0242ac110005\", \"type_id\": 9}, \"credential_uid\": \"f45e7230-61ae-11ee-a271-0242ac110005\"}, \"uid\": \"f45e7546-61ae-11ee-ab37-0242ac110005\", \"session\": {\"uid\": \"f45e805e-61ae-11ee-90d6-0242ac110005\", \"created_time\": 1695272181548, \"is_remote\": true, \"expiration_time_dt\": \"2023-10-03T05:37:34.710191Z\"}, \"namespace_pid\": 69, \"parent_process\": {\"name\": \"Is\", \"pid\": 14, \"file\": {\"name\": \"ambassador.swf\", \"type\": \"Symbolic Link\", \"path\": \"nickel gui cute/vision.m3u/ambassador.swf\", \"signature\": {\"digest\": {\"value\": \"14B85FA8E87F846F757EACCDA09761641B397F01\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"panic aspects reporting\", \"issuer\": \"hate passive admission\", \"fingerprints\": [{\"value\": \"09958F2F29A975C86F4BC77872179A9E719846A48F2022B36957925999CD31F4A0578A6C18EE8BDC0AEE2F0974FB4647FF2A0BFEA8A1E56877193277A827418F\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"promote dirt hindu\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time_dt\": \"2023-10-03T05:37:34.710541Z\"}, \"type_id\": 7, \"company_name\": \"Nicholas Betty\", \"parent_folder\": \"nickel gui cute/vision.m3u\", \"confidentiality\": \"sandwich exhibit ellis\", \"hashes\": [{\"value\": \"4DBD2BB0760D9EBBC2743A91879CCBC04A4837BD467C1F3B4E0850E4D459BC52\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": 
\"A5469012CF0415AAE3FFA22840287489C3C57811D0FD29A58C2CD702BC84D59ADC43354994A400CA41F16849414FADE8C6A9889E640F7987FF65EAD837C7D8E4\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.710639Z\"}, \"user\": {\"name\": \"Genres\", \"type\": \"User\", \"uid\": \"f45e9cb0-61ae-11ee-b849-0242ac110005\", \"type_id\": 1, \"full_name\": \"Lucile Apryl\", \"account\": {\"name\": \"saint view max\", \"type\": \"Apple Account\", \"uid\": \"f45ea32c-61ae-11ee-9546-0242ac110005\", \"type_id\": 8}, \"credential_uid\": \"f45ea700-61ae-11ee-bb61-0242ac110005\", \"email_addr\": \"Jeana@drill.web\"}, \"cmd_line\": \"changes sad programmes\", \"container\": {\"size\": 1104975009, \"tag\": \"alexander specs considered\", \"uid\": \"f45eae80-61ae-11ee-8fa9-0242ac110005\", \"image\": {\"name\": \"soap potter browsers\", \"uid\": \"f45eb3bc-61ae-11ee-871c-0242ac110005\"}, \"hash\": {\"value\": \"05521B80BB22220B8B095A94DA44E07951EE15F402F4BD4A050BD0CFFFD6B154\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, \"orchestrator\": \"matches virginia accepts\"}, \"created_time\": 1695272181548, \"namespace_pid\": 49}, \"sandbox\": \"ut metropolitan adjacent\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711553Z\"}, \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.711572Z\"}, \"terminated_time\": 1695272181548, \"terminated_time_dt\": \"2023-10-03T05:37:34.711582Z\"}, \"sandbox\": \"dans ip tours\"}, \"terminated_time\": 1695272181548, \"terminated_time_dt\": \"2023-10-03T05:37:34.711596Z\"}, \"created_time_dt\": \"2023-10-03T05:37:34.711602Z\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711606Z\"}, \"terminated_time\": 1695272181548, \"xattributes\": {}}, \"xattributes\": {}}, \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T05:37:34.711634Z\", \"terminated_time_dt\": \"2023-10-03T05:37:34.711638Z\"}, \"sandbox\": \"brunette christ monetary\", \"created_time_dt\": \"2023-10-03T05:37:34.711648Z\", 
\"terminated_time_dt\": \"2023-10-03T05:37:34.711652Z\"}, \"terminated_time\": 1695272181548}, \"xattributes\": {}}, \"xattributes\": {}}}, \"user\": {\"name\": \"We\", \"type\": \"Admin\", \"uid\": \"f45ec2a8-61ae-11ee-90fc-0242ac110005\", \"org\": {\"name\": \"enquiry hottest creations\", \"uid\": \"f45ecb68-61ae-11ee-824c-0242ac110005\", \"ou_name\": \"reel metals plain\"}, \"type_id\": 2, \"account\": {\"name\": \"intensive flash narrative\", \"type\": \"Windows Account\", \"uid\": \"f45ed32e-61ae-11ee-9aa9-0242ac110005\", \"type_id\": 2}}}, \"actual_permissions\": 14, \"base_address\": \"statements dining gnome\", \"cloud\": {\"project_uid\": \"f4505768-61ae-11ee-89e9-0242ac110005\", \"provider\": \"christian studies pioneer\", \"region\": \"increased competitors sparc\"}, \"severity_id\": 5, \"status_code\": \"registry\", \"time_dt\": \"2023-10-03T05:37:34.712339Z\"}", - "event": { - "action": "allocate page", - "category": [], - "kind": "event", - "provider": "manual equivalent detroit", - "sequence": 35, - "severity": 5, - "type": [] - }, - "@timestamp": "2023-10-03T05:37:34.712339Z", - "cloud": { - "project": { - "id": "f4505768-61ae-11ee-89e9-0242ac110005" - }, - "provider": "christian studies pioneer", - "region": "increased competitors sparc" - }, - "container": { - "id": "f45bb5c2-61ae-11ee-b166-0242ac110005", - "image": { - "name": "leaves mounted something" - }, - "name": "sp finger reductions" - }, - "file": { - "created": "2023-09-21T04:56:21.548000Z", - "directory": "daisy bullet expectations/speakers.fon", - "hash": { - "md5": "4F227649B2E932AED413A05B69BAA35D" - }, - "mtime": "2023-10-03T05:37:34.691274Z", - "name": "tenant.prf", - "path": "daisy bullet expectations/speakers.fon/tenant.prf", - "type": "Symbolic Link" - }, - "host": { - "geo": { - "city_name": "Stephanie hence", - "continent_name": "Asia", - "country_iso_code": "TW", - "location": { - "lat": 22.9251, - "lon": 161.2949 - }, - "name": "Taiwan" - }, - "hostname": "phd.nato", - "id": 
"f450d454-61ae-11ee-b232-0242ac110005",
- "name": "phd.nato",
- "risk": {
- "static_level": "thomson shanghai foreign"
- },
- "type": "Server"
- },
- "ocsf": {
- "activity_id": 1,
- "activity_name": "Allocate Page",
- "class_name": "Memory Activity",
- "class_uid": 1004
- },
- "orchestrator": {
- "type": "integral economics gc"
- },
- "process": {
- "command_line": "stick strength suffered",
- "entity_id": "f45baed8-61ae-11ee-95e3-0242ac110005",
- "name": "Quad",
- "parent": {
- "command_line": "red beaches fi",
- "entity_id": "f45be042-61ae-11ee-a467-0242ac110005",
- "name": "Trout",
- "pid": 61,
- "start": "2023-09-21T04:56:21.548000Z",
- "user": {
- "full_name": "Rosamaria Mckenzie",
- "group": {
- "id": [],
- "name": []
- },
- "id": [
- "f45bd110-61ae-11ee-b7e4-0242ac110005"
- ],
- "name": "Presidential"
- }
- },
- "pid": 76,
- "start": "2023-09-21T04:56:21.548000Z",
- "user": {
- "email": "Mireille@associate.mobi",
- "full_name": "Carin Otha",
- "group": {
- "id": [],
- "name": []
- },
- "id": [
- "f45ba8fc-61ae-11ee-883d-0242ac110005"
- ],
- "name": "Utc"
- }
- },
- "related": {
- "hash": [
- "4F227649B2E932AED413A05B69BAA35D"
- ],
- "hosts": [
- "phd.nato"
- ],
- "user": [
- "We"
- ]
- },
- "threat": {
- "technique": {
- "id": [
- "T1098.001",
- "T1214"
- ],
- "name": [
- "Additional Cloud Credentials",
- "Credentials in Registry"
- ]
- }
- },
- "user": {
- "group": {
- "id": [],
- "name": []
- },
- "id": "f45ec2a8-61ae-11ee-90fc-0242ac110005",
- "name": "We"
- }
- }
-}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_system_activity_5.json b/OCSF/ocsf/tests/test_system_activity_5.json
deleted file mode 100644
index cec6da7dc..000000000
--- a/OCSF/ocsf/tests/test_system_activity_5.json
+++ /dev/null
@@ -1,155 +0,0 @@ -{ - "input": { - "message": "{\"message\": \"menu controller plants\", \"module\": {\"file\": {\"name\": \"expiration.cpl\", \"type\": \"Character Device\", \"path\": \"pleased dip spiritual/corresponding.java/expiration.cpl\", \"product\": {\"name\": \"traveling yea espn\", \"version\": \"1.0.0\", \"uid\": \"8b82966a-61b8-11ee-81c7-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"manhattan better posts\"}, \"type_id\": 3, \"parent_folder\": \"pleased dip spiritual/corresponding.java\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"value\": \"795F2AAA00B0D80F2A50C10902A141A3E0AFE3A4BCE0007F213C21994E6AE528B448F2C2F4BDF6C4E1D0AEA3B8396D40A4395AA9730A77E879848BDB750D6468\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"B8C09AA4F584900FEA2DF3DAFBDAF9F0C6E76095BFDBCCF5F0F748D069D706526380A29574124164B0EDC1B56DD8342FC4BF70467A9B6024D999269A45E2A175\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T06:46:13.753318Z\"}, \"base_address\": \"daughters offshore thehun\", \"load_type\": \"Non Standard\", \"load_type_id\": 2, \"start_address\": \"needs some limit\"}, \"status\": \"Unknown\", \"time\": 1695272181548, \"device\": {\"name\": \"assigned daughters creating\", \"type\": \"frontier\", \"os\": {\"name\": \"extreme oct care\", \"type\": \"Android\", \"build\": \"grave pn resist\", \"country\": \"Cuba, Republic of\", \"type_id\": 201, \"sp_ver\": 3}, \"domain\": \"existence conditional pillow\", \"ip\": \"81.2.69.142\", \"hostname\": \"tiles.name\", \"mac\": \"6C:91:94:13:50:61:2E:D4\", \"groups\": [{\"name\": \"ev terminal meals\", \"uid\": \"8b82bf64-61b8-11ee-a83f-0242ac110005\"}, {\"name\": \"born lasting vitamins\", \"uid\": \"8b82c338-61b8-11ee-bf95-0242ac110005\", \"privileges\": [\"sheets loading representative\"]}], \"type_id\": 99, \"hw_info\": {\"cpu_bits\": 95, \"keyboard_info\": {\"keyboard_subtype\": 47}}, \"hypervisor\": 
\"fundraising kerry peer\", \"imei\": \"moderators sentence ordered\", \"instance_uid\": \"8b82c98c-61b8-11ee-ac91-0242ac110005\", \"interface_uid\": \"8b82d0da-61b8-11ee-b450-0242ac110005\", \"modified_time\": 1695272181548, \"network_interfaces\": [{\"name\": \"henderson treasures dv\", \"type\": \"Tunnel\", \"ip\": \"81.2.69.142\", \"hostname\": \"lightbox.gov\", \"mac\": \"57:15:98:E9:35:D3:B3:9A\", \"type_id\": 4}, {\"name\": \"forests designation entire\", \"type\": \"fcc\", \"ip\": \"81.2.69.142\", \"hostname\": \"horizon.biz\", \"uid\": \"8b82b79e-61b8-11ee-a441-0242ac110005\", \"mac\": \"47:B8:F6:D1:B8:90:8C:7F\", \"type_id\": 99}], \"region\": \"slight centers swimming\", \"risk_level\": \"Low\", \"risk_level_id\": 1}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"improving consist portfolio\", \"version\": \"1.0.0\", \"uid\": \"8b82a664-61b8-11ee-bb6e-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"completing watershed poor\"}, \"labels\": [\"moses\"], \"sequence\": 44, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"laboratory instance upon\", \"log_provider\": \"discrimination morrison course\", \"logged_time\": 1695272181548, \"original_time\": \"rights newly filled\"}, \"severity\": \"minutes\", \"api\": {\"request\": {\"uid\": \"8b824fc0-61b8-11ee-b26d-0242ac110005\"}, \"response\": {\"error\": \"three acdbentity sufficient\", \"code\": 99, \"message\": \"myrtle trust resort\"}, \"operation\": \"helena internationally leo\"}, \"disposition\": \"Deleted\", \"type_name\": \"Module Activity: Load\", \"activity_id\": 1, \"disposition_id\": 5, \"type_uid\": 100501, \"category_name\": \"System Activity\", \"class_uid\": 1005, \"category_uid\": 1, \"class_name\": \"Module Activity\", \"timezone_offset\": 8, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}, 
{\"name\": \"Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.\", \"uid\": \"TA0040\"}], \"technique\": {\"name\": \"PowerShell Profile\", \"uid\": \"T1504\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}, {\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Securityd Memory\", \"uid\": \"T1555.002\"}}], \"activity_name\": \"Load\", \"actor\": {\"process\": {\"name\": \"Switzerland\", \"pid\": 8, \"file\": {\"name\": \"administrators.tmp\", \"type\": \"Folder\", \"path\": \"flush faced champagne/cruise.tar.gz/administrators.tmp\", \"desc\": \"computing investors rio\", \"type_id\": 2, \"accessor\": {\"name\": \"Elections\", \"type\": \"distributor\", \"uid\": \"8b82e9d0-61b8-11ee-be3a-0242ac110005\", \"org\": {\"name\": \"ids mercury milan\", \"uid\": \"8b82ef20-61b8-11ee-9b3a-0242ac110005\", \"ou_name\": \"whether eddie investment\"}, \"type_id\": 99, \"credential_uid\": \"8b82f4ca-61b8-11ee-894f-0242ac110005\"}, \"parent_folder\": \"flush faced champagne/cruise.tar.gz\", \"is_system\": false, \"modified_time_dt\": \"2023-10-03T06:46:13.755631Z\"}, \"user\": {\"name\": \"Mechanics\", \"type\": \"System\", \"uid\": \"8b82fc86-61b8-11ee-b5b6-0242ac110005\", \"type_id\": 3}, \"tid\": 12, \"uid\": \"8b830046-61b8-11ee-b4bd-0242ac110005\", \"session\": {\"uid\": \"8b830532-61b8-11ee-bdfd-0242ac110005\", \"issuer\": \"texts advertiser henderson\", \"created_time\": 1695272181548, \"credential_uid\": \"8b830938-61b8-11ee-9d39-0242ac110005\", \"is_remote\": true, \"expiration_time_dt\": \"2023-10-03T06:46:13.756144Z\", \"created_time_dt\": \"2023-10-03T06:46:13.756371Z\"}, \"cmd_line\": \"fame little relax\", \"container\": {\"name\": \"renew angle reject\", \"runtime\": \"annoying remarkable setup\", \"size\": 2132122251, \"uid\": 
\"8b832030-61b8-11ee-816d-0242ac110005\", \"image\": {\"name\": \"babies detective christians\", \"uid\": \"8b8325a8-61b8-11ee-9a88-0242ac110005\", \"labels\": [\"printed\", \"safer\"]}, \"hash\": {\"value\": \"BA691BA042BCEDD9A61A36F5969026BC95859DCCDC7E47F24E6BCE35673BAF2F\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695272181548, \"namespace_pid\": 97, \"parent_process\": {\"name\": \"Containers\", \"pid\": 76, \"file\": {\"name\": \"audi.pspimage\", \"owner\": {\"name\": \"Mastercard\", \"type\": \"Admin\", \"uid\": \"8b833638-61b8-11ee-a13b-0242ac110005\", \"org\": {\"name\": \"qualification twisted australian\", \"uid\": \"8b833dfe-61b8-11ee-a745-0242ac110005\", \"ou_name\": \"franklin nb leslie\"}, \"type_id\": 2}, \"type\": \"Block Device\", \"path\": \"paying represent putting/showing.vob/audi.pspimage\", \"type_id\": 4, \"mime_type\": \"today/uniprotkb\", \"parent_folder\": \"paying represent putting/showing.vob\", \"created_time\": 1695272181548, \"is_system\": false}, \"user\": {\"name\": \"Prep\", \"type\": \"lot\", \"domain\": \"klein greg processing\", \"uid\": \"8b834682-61b8-11ee-8f6a-0242ac110005\", \"type_id\": 99, \"full_name\": \"Franklyn Shantell\"}, \"uid\": \"8b834aba-61b8-11ee-8172-0242ac110005\", \"container\": {\"size\": 388023740, \"uid\": \"8b834fd8-61b8-11ee-8b6a-0242ac110005\", \"hash\": {\"value\": \"1FA53D9A1AEAB5165003DE1755AD56612ABF77A3D033D697439C884637D2DC66DBDFFA147DFDBD69DC6D27340B63C26C93D84C65F59EE3A270CA5BBB1D13613F\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"network_driver\": \"ee australian housewares\"}, \"created_time\": 1695272181548, \"namespace_pid\": 5, \"parent_process\": {\"name\": \"Global\", \"pid\": 30, \"user\": {\"name\": \"Includes\", \"type\": \"System\", \"uid\": \"8b835b7c-61b8-11ee-9c7d-0242ac110005\", \"type_id\": 3, \"account\": {\"name\": \"desk periodic depth\", \"type\": \"Mac OS Account\", \"uid\": \"8b836400-61b8-11ee-9913-0242ac110005\", \"type_id\": 
7}, \"uid_alt\": \"origins demo declaration\"}, \"uid\": \"8b83682e-61b8-11ee-bf60-0242ac110005\", \"session\": {\"uid\": \"8b836dc4-61b8-11ee-aa72-0242ac110005\", \"created_time\": 1695272181548, \"is_remote\": true, \"expiration_time_dt\": \"2023-10-03T06:46:13.758724Z\"}, \"cmd_line\": \"gang spring carlo\", \"container\": {\"name\": \"victims edit minimum\", \"size\": 2069042340, \"uid\": \"8b83744a-61b8-11ee-9c26-0242ac110005\", \"hash\": {\"value\": \"85434F1527CE237329D0B1927EABF9D3\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"integrity\": \"happening\", \"integrity_id\": 99, \"namespace_pid\": 74, \"parent_process\": {\"name\": \"Pilot\", \"file\": {\"name\": \"planner.bak\", \"type\": \"Character Device\", \"path\": \"sony discussion suit/stomach.gif/planner.bak\", \"uid\": \"8b838804-61b8-11ee-a06e-0242ac110005\", \"type_id\": 3, \"accessor\": {\"name\": \"Mathematical\", \"type\": \"System\", \"uid\": \"8b838e30-61b8-11ee-8527-0242ac110005\", \"groups\": [{\"name\": \"ct disposal rent\", \"uid\": \"8b839358-61b8-11ee-a4c0-0242ac110005\"}, {\"name\": \"cruise ancient chemicals\", \"type\": \"spoke life lee\"}], \"type_id\": 3}, \"mime_type\": \"molecules/sharon\", \"parent_folder\": \"sony discussion suit/stomach.gif\", \"hashes\": [{\"value\": \"CA247333484AEB04EFA2DE65A9EC68032CED9ACC7716F9379404EB2422FC65190E0F56D3C2B21505FE722A0CD1D05AF9B8E47B4CB5005B4C4E71C6C5545C775F\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Warner\", \"type\": \"interim\", \"uid\": \"8b83f500-61b8-11ee-9242-0242ac110005\", \"type_id\": 99, \"credential_uid\": \"8b83f94c-61b8-11ee-85e8-0242ac110005\"}, \"tid\": 45, \"uid\": \"8b83fcbc-61b8-11ee-8764-0242ac110005\", \"cmd_line\": \"mm bon estimate\", \"container\": {\"name\": \"separation catalogs vocals\", \"uid\": \"8b8402a2-61b8-11ee-92d4-0242ac110005\", \"image\": {\"uid\": \"8b840af4-61b8-11ee-a7b5-0242ac110005\"}, \"hash\": {\"value\": 
\"CA59BAD8CEAD7A8424AD6823FE6AED5BA7AF4A9FDA854EA5AAB75A41B5369465\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Sleep\", \"pid\": 54, \"user\": {\"name\": \"Edges\", \"type\": \"compute\", \"uid\": \"8b841ca6-61b8-11ee-ac94-0242ac110005\", \"type_id\": 99}, \"uid\": \"8b8424bc-61b8-11ee-aa3b-0242ac110005\", \"session\": {\"is_remote\": true, \"created_time_dt\": \"2023-10-03T06:46:13.763445Z\"}, \"cmd_line\": \"applicable acquire folk\", \"container\": {\"name\": \"businesses suspension across\", \"size\": 2843627610, \"uid\": \"8b842ce6-61b8-11ee-acb2-0242ac110005\", \"image\": {\"name\": \"pressure sixth happen\", \"uid\": \"8b8431e6-61b8-11ee-9576-0242ac110005\"}, \"hash\": {\"value\": \"6B942E2831F972C22E2B0292EA3A8176AB41CD3B\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"orchestrator\": \"theta create impact\"}, \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"lineage\": [\"wires largest stamp\", \"handbook dale photograph\"], \"namespace_pid\": 4, \"parent_process\": {\"name\": \"Lie\", \"pid\": 43, \"file\": {\"name\": \"pottery.java\", \"type\": \"Local Socket\", \"path\": \"revolutionary such regulations/cheaper.ico/pottery.java\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"consensus ownership trainer\", \"issuer\": \"write watts guitars\", \"fingerprints\": [{\"value\": \"EDE381A3419BC1A2ACD00220F23CE82967A8631DB35FDF0122B8A0E43E8768CABDBDC842A83C48138C523D1A56B3F63F03D85756C9BFED7656AE5097479D9A4C\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"AFD38780B76420D3214D2D6D318A6EA972D720518346C2F7339E661205D5F20A5682869DAF56249F9FACD6EDF878C81669184A1D9C736232079EDED66727E297\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"facing wb drinks\", 
\"expiration_time_dt\": \"2023-10-03T06:46:13.764297Z\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3}, \"type_id\": 5, \"parent_folder\": \"revolutionary such regulations/cheaper.ico\", \"hashes\": [{\"value\": \"436DE0B494120DEC66B218D7D67AE5FC65841DA47A5D5A6044D76AE7CD0D793736DCAD5FA9C579A8C53310FA0B70225BB8C079A2E5BEDB5F6F48176972572F1C\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Wrapping\", \"type\": \"Unknown\", \"domain\": \"continuity cases issues\", \"uid\": \"8b8452de-61b8-11ee-9b3c-0242ac110005\", \"groups\": [{\"name\": \"protein lightweight complications\", \"type\": \"samsung knowledgestorm ppm\", \"uid\": \"8b8458ba-61b8-11ee-9ec2-0242ac110005\"}, {\"name\": \"spyware expensive partnerships\", \"type\": \"lcd moore th\"}], \"type_id\": 0, \"account\": {\"name\": \"chrome ones leeds\", \"type\": \"AWS IAM User\", \"type_id\": 3}, \"uid_alt\": \"mpegs eric ky\"}, \"session\": {\"uid\": \"8b8460c6-61b8-11ee-9def-0242ac110005\", \"issuer\": \"fun tomorrow antibodies\", \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"is_remote\": false, \"expiration_time_dt\": \"2023-10-03T06:46:13.764963Z\", \"created_time_dt\": \"2023-10-03T06:46:13.764972Z\"}, \"cmd_line\": \"packs maximum audit\", \"container\": {\"name\": \"hotmail midlands ripe\", \"size\": 860474369, \"uid\": \"8b847c96-61b8-11ee-99b1-0242ac110005\", \"image\": {\"name\": \"letter fri mauritius\", \"uid\": \"8b84825e-61b8-11ee-a5b5-0242ac110005\", \"labels\": [\"clouds\"]}, \"hash\": {\"value\": \"799904B20F1174F01C0D2DD87C57E097\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"created_time\": 1695272181548, \"namespace_pid\": 45, \"parent_process\": {\"name\": \"Homepage\", \"pid\": 78, \"file\": {\"attributes\": 57, \"name\": \"pledge.ini\", \"type\": \"Character Device\", \"path\": \"internationally remedies back/his.cgi/pledge.ini\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"portugal motel preserve\", 
\"issuer\": \"rocket separation opponent\", \"fingerprints\": [{\"value\": \"F72B1ED0BD7D6BE65211FA1606D1DE35F225DE73CB524C01380509CCE5B6F8F8DDE81A0B0AB6F5ECE9A7E651DD7D0C19DB365A83C018B747DA5B0A79259F3547\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"AEAA2CEC33E27D65690E726E1710D3F4A99A2BF0AE9A3BD9087488F1DFB4D38D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"edinburgh responsible supervisor\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"desc\": \"syracuse until as\", \"type_id\": 3, \"company_name\": \"Elenore Jeanetta\", \"parent_folder\": \"internationally remedies back/his.cgi\", \"confidentiality\": \"hitachi shaw tension\", \"hashes\": [{\"value\": \"8A8173677F164DD2E2CF83BEA2A42A8B\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"6B70D921D9E8DCF0F08A73F508E5D19D274B58D8AC2E29049A23B62D1988C1028A8ECBA2485531BBD6B7AEE51EA822578E859759F8FFC4818023EFD47ABC9C4D\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"security_descriptor\": \"lower cable requiring\", \"created_time_dt\": \"2023-10-03T06:46:13.766258Z\", \"accessed_time_dt\": \"2023-10-03T06:46:13.766265Z\"}, \"user\": {\"name\": \"Lauderdale\", \"type\": \"User\", \"uid\": \"8b84a6e4-61b8-11ee-b1fe-0242ac110005\", \"type_id\": 1, \"uid_alt\": \"venezuela path passing\"}, \"uid\": \"8b84ac48-61b8-11ee-97d9-0242ac110005\", \"session\": {\"uid\": \"8b84b562-61b8-11ee-a0d1-0242ac110005\", \"uuid\": \"8b84bbd4-61b8-11ee-8f0e-0242ac110005\", \"issuer\": \"gel submissions finite\", \"created_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T06:46:13.767292Z\", \"created_time_dt\": \"2023-10-03T06:46:13.767299Z\"}, \"cmd_line\": \"prior angry workers\", \"container\": {\"name\": \"horrible scroll del\", \"size\": 870541982, \"uid\": \"8b84c7c8-61b8-11ee-b0ff-0242ac110005\", \"image\": {\"name\": \"expenses pdt conditioning\", \"tag\": \"recognition albania curtis\", 
\"path\": \"valentine corp gcc\", \"uid\": \"8b84d204-61b8-11ee-8eb1-0242ac110005\"}, \"hash\": {\"value\": \"B413223A2BB7E91D5C6E244B77A2392BA017906B615F3CDF4BA192FE568C7738ADE3E24CAA9273F592169D682882DAC5E0DF8975B0FDB3859FB69A175B815724\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"pod_uuid\": \"gift\"}, \"created_time\": 1695272181548, \"namespace_pid\": 94}, \"sandbox\": \"holmes guess hyundai\", \"created_time_dt\": \"2023-10-03T06:46:13.768070Z\"}}, \"sandbox\": \"mothers equipped enquiry\"}}}, \"terminated_time\": 1695272181548}, \"user\": {\"name\": \"Cookies\", \"type\": \"load\", \"uid\": \"8b84f59a-61b8-11ee-8275-0242ac110005\", \"type_id\": 99, \"full_name\": \"Regan Loise\", \"uid_alt\": \"dawn but titles\"}, \"invoked_by\": \"pantyhose macedonia retained\"}, \"cloud\": {\"account\": {\"name\": \"abroad takes controversy\", \"type\": \"AWS Account\", \"uid\": \"8b82630c-61b8-11ee-a1c3-0242ac110005\", \"type_id\": 10}, \"project_uid\": \"8b82679e-61b8-11ee-9ed4-0242ac110005\", \"provider\": \"translate be cabinets\", \"region\": \"trap wood power\"}, \"malware\": [{\"name\": \"generally insight ee\", \"path\": \"jc possess fibre\", \"classification_ids\": [17, 2], \"classifications\": [\"ontario amsterdam archived\", \"newfoundland norman eddie\"], \"provider\": \"singapore flexible casino\"}, {\"name\": \"illustrated lending requirements\", \"path\": \"cho basket ul\", \"uid\": \"8b8272c0-61b8-11ee-90e5-0242ac110005\", \"classification_ids\": [16, 5], \"cves\": [{\"type\": \"graphical acm salt\", \"uid\": \"8b827964-61b8-11ee-822b-0242ac110005\", \"created_time\": 1695272181548, \"modified_time\": 1695272181548, \"modified_time_dt\": \"2023-10-03T06:46:13.752477Z\"}], \"provider\": \"goods fitting latter\"}], \"severity_id\": 99, \"status_id\": 0}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"message\": \"menu controller plants\", 
\"module\": {\"file\": {\"name\": \"expiration.cpl\", \"type\": \"Character Device\", \"path\": \"pleased dip spiritual/corresponding.java/expiration.cpl\", \"product\": {\"name\": \"traveling yea espn\", \"version\": \"1.0.0\", \"uid\": \"8b82966a-61b8-11ee-81c7-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"manhattan better posts\"}, \"type_id\": 3, \"parent_folder\": \"pleased dip spiritual/corresponding.java\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"value\": \"795F2AAA00B0D80F2A50C10902A141A3E0AFE3A4BCE0007F213C21994E6AE528B448F2C2F4BDF6C4E1D0AEA3B8396D40A4395AA9730A77E879848BDB750D6468\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"B8C09AA4F584900FEA2DF3DAFBDAF9F0C6E76095BFDBCCF5F0F748D069D706526380A29574124164B0EDC1B56DD8342FC4BF70467A9B6024D999269A45E2A175\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time\": 1695272181548, \"created_time_dt\": \"2023-10-03T06:46:13.753318Z\"}, \"base_address\": \"daughters offshore thehun\", \"load_type\": \"Non Standard\", \"load_type_id\": 2, \"start_address\": \"needs some limit\"}, \"status\": \"Unknown\", \"time\": 1695272181548, \"device\": {\"name\": \"assigned daughters creating\", \"type\": \"frontier\", \"os\": {\"name\": \"extreme oct care\", \"type\": \"Android\", \"build\": \"grave pn resist\", \"country\": \"Cuba, Republic of\", \"type_id\": 201, \"sp_ver\": 3}, \"domain\": \"existence conditional pillow\", \"ip\": \"81.2.69.142\", \"hostname\": \"tiles.name\", \"mac\": \"6C:91:94:13:50:61:2E:D4\", \"groups\": [{\"name\": \"ev terminal meals\", \"uid\": \"8b82bf64-61b8-11ee-a83f-0242ac110005\"}, {\"name\": \"born lasting vitamins\", \"uid\": \"8b82c338-61b8-11ee-bf95-0242ac110005\", \"privileges\": [\"sheets loading representative\"]}], \"type_id\": 99, \"hw_info\": {\"cpu_bits\": 95, \"keyboard_info\": {\"keyboard_subtype\": 47}}, \"hypervisor\": \"fundraising kerry peer\", \"imei\": \"moderators sentence ordered\", \"instance_uid\": 
\"8b82c98c-61b8-11ee-ac91-0242ac110005\", \"interface_uid\": \"8b82d0da-61b8-11ee-b450-0242ac110005\", \"modified_time\": 1695272181548, \"network_interfaces\": [{\"name\": \"henderson treasures dv\", \"type\": \"Tunnel\", \"ip\": \"81.2.69.142\", \"hostname\": \"lightbox.gov\", \"mac\": \"57:15:98:E9:35:D3:B3:9A\", \"type_id\": 4}, {\"name\": \"forests designation entire\", \"type\": \"fcc\", \"ip\": \"81.2.69.142\", \"hostname\": \"horizon.biz\", \"uid\": \"8b82b79e-61b8-11ee-a441-0242ac110005\", \"mac\": \"47:B8:F6:D1:B8:90:8C:7F\", \"type_id\": 99}], \"region\": \"slight centers swimming\", \"risk_level\": \"Low\", \"risk_level_id\": 1}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"improving consist portfolio\", \"version\": \"1.0.0\", \"uid\": \"8b82a664-61b8-11ee-bb6e-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"completing watershed poor\"}, \"labels\": [\"moses\"], \"sequence\": 44, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"log_name\": \"laboratory instance upon\", \"log_provider\": \"discrimination morrison course\", \"logged_time\": 1695272181548, \"original_time\": \"rights newly filled\"}, \"severity\": \"minutes\", \"api\": {\"request\": {\"uid\": \"8b824fc0-61b8-11ee-b26d-0242ac110005\"}, \"response\": {\"error\": \"three acdbentity sufficient\", \"code\": 99, \"message\": \"myrtle trust resort\"}, \"operation\": \"helena internationally leo\"}, \"disposition\": \"Deleted\", \"type_name\": \"Module Activity: Load\", \"activity_id\": 1, \"disposition_id\": 5, \"type_uid\": 100501, \"category_name\": \"System Activity\", \"class_uid\": 1005, \"category_uid\": 1, \"class_name\": \"Module Activity\", \"timezone_offset\": 8, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Collection | The adversary is trying to gather data of interest to their goal.\", \"uid\": \"TA0009\"}, {\"name\": \"Impact | The adversary is trying to manipulate, interrupt, or destroy your 
systems and data.\", \"uid\": \"TA0040\"}], \"technique\": {\"name\": \"PowerShell Profile\", \"uid\": \"T1504\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Discovery The adversary is trying to figure out your environment.\", \"uid\": \"TA0007\"}, {\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Securityd Memory\", \"uid\": \"T1555.002\"}}], \"activity_name\": \"Load\", \"actor\": {\"process\": {\"name\": \"Switzerland\", \"pid\": 8, \"file\": {\"name\": \"administrators.tmp\", \"type\": \"Folder\", \"path\": \"flush faced champagne/cruise.tar.gz/administrators.tmp\", \"desc\": \"computing investors rio\", \"type_id\": 2, \"accessor\": {\"name\": \"Elections\", \"type\": \"distributor\", \"uid\": \"8b82e9d0-61b8-11ee-be3a-0242ac110005\", \"org\": {\"name\": \"ids mercury milan\", \"uid\": \"8b82ef20-61b8-11ee-9b3a-0242ac110005\", \"ou_name\": \"whether eddie investment\"}, \"type_id\": 99, \"credential_uid\": \"8b82f4ca-61b8-11ee-894f-0242ac110005\"}, \"parent_folder\": \"flush faced champagne/cruise.tar.gz\", \"is_system\": false, \"modified_time_dt\": \"2023-10-03T06:46:13.755631Z\"}, \"user\": {\"name\": \"Mechanics\", \"type\": \"System\", \"uid\": \"8b82fc86-61b8-11ee-b5b6-0242ac110005\", \"type_id\": 3}, \"tid\": 12, \"uid\": \"8b830046-61b8-11ee-b4bd-0242ac110005\", \"session\": {\"uid\": \"8b830532-61b8-11ee-bdfd-0242ac110005\", \"issuer\": \"texts advertiser henderson\", \"created_time\": 1695272181548, \"credential_uid\": \"8b830938-61b8-11ee-9d39-0242ac110005\", \"is_remote\": true, \"expiration_time_dt\": \"2023-10-03T06:46:13.756144Z\", \"created_time_dt\": \"2023-10-03T06:46:13.756371Z\"}, \"cmd_line\": \"fame little relax\", \"container\": {\"name\": \"renew angle reject\", \"runtime\": \"annoying remarkable setup\", \"size\": 2132122251, \"uid\": \"8b832030-61b8-11ee-816d-0242ac110005\", \"image\": {\"name\": \"babies detective christians\", 
\"uid\": \"8b8325a8-61b8-11ee-9a88-0242ac110005\", \"labels\": [\"printed\", \"safer\"]}, \"hash\": {\"value\": \"BA691BA042BCEDD9A61A36F5969026BC95859DCCDC7E47F24E6BCE35673BAF2F\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 1695272181548, \"namespace_pid\": 97, \"parent_process\": {\"name\": \"Containers\", \"pid\": 76, \"file\": {\"name\": \"audi.pspimage\", \"owner\": {\"name\": \"Mastercard\", \"type\": \"Admin\", \"uid\": \"8b833638-61b8-11ee-a13b-0242ac110005\", \"org\": {\"name\": \"qualification twisted australian\", \"uid\": \"8b833dfe-61b8-11ee-a745-0242ac110005\", \"ou_name\": \"franklin nb leslie\"}, \"type_id\": 2}, \"type\": \"Block Device\", \"path\": \"paying represent putting/showing.vob/audi.pspimage\", \"type_id\": 4, \"mime_type\": \"today/uniprotkb\", \"parent_folder\": \"paying represent putting/showing.vob\", \"created_time\": 1695272181548, \"is_system\": false}, \"user\": {\"name\": \"Prep\", \"type\": \"lot\", \"domain\": \"klein greg processing\", \"uid\": \"8b834682-61b8-11ee-8f6a-0242ac110005\", \"type_id\": 99, \"full_name\": \"Franklyn Shantell\"}, \"uid\": \"8b834aba-61b8-11ee-8172-0242ac110005\", \"container\": {\"size\": 388023740, \"uid\": \"8b834fd8-61b8-11ee-8b6a-0242ac110005\", \"hash\": {\"value\": \"1FA53D9A1AEAB5165003DE1755AD56612ABF77A3D033D697439C884637D2DC66DBDFFA147DFDBD69DC6D27340B63C26C93D84C65F59EE3A270CA5BBB1D13613F\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"network_driver\": \"ee australian housewares\"}, \"created_time\": 1695272181548, \"namespace_pid\": 5, \"parent_process\": {\"name\": \"Global\", \"pid\": 30, \"user\": {\"name\": \"Includes\", \"type\": \"System\", \"uid\": \"8b835b7c-61b8-11ee-9c7d-0242ac110005\", \"type_id\": 3, \"account\": {\"name\": \"desk periodic depth\", \"type\": \"Mac OS Account\", \"uid\": \"8b836400-61b8-11ee-9913-0242ac110005\", \"type_id\": 7}, \"uid_alt\": \"origins demo declaration\"}, \"uid\": \"8b83682e-61b8-11ee-bf60-0242ac110005\", 
\"session\": {\"uid\": \"8b836dc4-61b8-11ee-aa72-0242ac110005\", \"created_time\": 1695272181548, \"is_remote\": true, \"expiration_time_dt\": \"2023-10-03T06:46:13.758724Z\"}, \"cmd_line\": \"gang spring carlo\", \"container\": {\"name\": \"victims edit minimum\", \"size\": 2069042340, \"uid\": \"8b83744a-61b8-11ee-9c26-0242ac110005\", \"hash\": {\"value\": \"85434F1527CE237329D0B1927EABF9D3\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"integrity\": \"happening\", \"integrity_id\": 99, \"namespace_pid\": 74, \"parent_process\": {\"name\": \"Pilot\", \"file\": {\"name\": \"planner.bak\", \"type\": \"Character Device\", \"path\": \"sony discussion suit/stomach.gif/planner.bak\", \"uid\": \"8b838804-61b8-11ee-a06e-0242ac110005\", \"type_id\": 3, \"accessor\": {\"name\": \"Mathematical\", \"type\": \"System\", \"uid\": \"8b838e30-61b8-11ee-8527-0242ac110005\", \"groups\": [{\"name\": \"ct disposal rent\", \"uid\": \"8b839358-61b8-11ee-a4c0-0242ac110005\"}, {\"name\": \"cruise ancient chemicals\", \"type\": \"spoke life lee\"}], \"type_id\": 3}, \"mime_type\": \"molecules/sharon\", \"parent_folder\": \"sony discussion suit/stomach.gif\", \"hashes\": [{\"value\": \"CA247333484AEB04EFA2DE65A9EC68032CED9ACC7716F9379404EB2422FC65190E0F56D3C2B21505FE722A0CD1D05AF9B8E47B4CB5005B4C4E71C6C5545C775F\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Warner\", \"type\": \"interim\", \"uid\": \"8b83f500-61b8-11ee-9242-0242ac110005\", \"type_id\": 99, \"credential_uid\": \"8b83f94c-61b8-11ee-85e8-0242ac110005\"}, \"tid\": 45, \"uid\": \"8b83fcbc-61b8-11ee-8764-0242ac110005\", \"cmd_line\": \"mm bon estimate\", \"container\": {\"name\": \"separation catalogs vocals\", \"uid\": \"8b8402a2-61b8-11ee-92d4-0242ac110005\", \"image\": {\"uid\": \"8b840af4-61b8-11ee-a7b5-0242ac110005\"}, \"hash\": {\"value\": \"CA59BAD8CEAD7A8424AD6823FE6AED5BA7AF4A9FDA854EA5AAB75A41B5369465\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}}, \"created_time\": 
1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Sleep\", \"pid\": 54, \"user\": {\"name\": \"Edges\", \"type\": \"compute\", \"uid\": \"8b841ca6-61b8-11ee-ac94-0242ac110005\", \"type_id\": 99}, \"uid\": \"8b8424bc-61b8-11ee-aa3b-0242ac110005\", \"session\": {\"is_remote\": true, \"created_time_dt\": \"2023-10-03T06:46:13.763445Z\"}, \"cmd_line\": \"applicable acquire folk\", \"container\": {\"name\": \"businesses suspension across\", \"size\": 2843627610, \"uid\": \"8b842ce6-61b8-11ee-acb2-0242ac110005\", \"image\": {\"name\": \"pressure sixth happen\", \"uid\": \"8b8431e6-61b8-11ee-9576-0242ac110005\"}, \"hash\": {\"value\": \"6B942E2831F972C22E2B0292EA3A8176AB41CD3B\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"orchestrator\": \"theta create impact\"}, \"created_time\": 1695272181548, \"integrity\": \"High\", \"integrity_id\": 4, \"lineage\": [\"wires largest stamp\", \"handbook dale photograph\"], \"namespace_pid\": 4, \"parent_process\": {\"name\": \"Lie\", \"pid\": 43, \"file\": {\"name\": \"pottery.java\", \"type\": \"Local Socket\", \"path\": \"revolutionary such regulations/cheaper.ico/pottery.java\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"consensus ownership trainer\", \"issuer\": \"write watts guitars\", \"fingerprints\": [{\"value\": \"EDE381A3419BC1A2ACD00220F23CE82967A8631DB35FDF0122B8A0E43E8768CABDBDC842A83C48138C523D1A56B3F63F03D85756C9BFED7656AE5097479D9A4C\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"AFD38780B76420D3214D2D6D318A6EA972D720518346C2F7339E661205D5F20A5682869DAF56249F9FACD6EDF878C81669184A1D9C736232079EDED66727E297\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"facing wb drinks\", \"expiration_time_dt\": \"2023-10-03T06:46:13.764297Z\"}, \"algorithm\": \"ECDSA\", \"algorithm_id\": 3}, \"type_id\": 5, \"parent_folder\": \"revolutionary 
such regulations/cheaper.ico\", \"hashes\": [{\"value\": \"436DE0B494120DEC66B218D7D67AE5FC65841DA47A5D5A6044D76AE7CD0D793736DCAD5FA9C579A8C53310FA0B70225BB8C079A2E5BEDB5F6F48176972572F1C\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Wrapping\", \"type\": \"Unknown\", \"domain\": \"continuity cases issues\", \"uid\": \"8b8452de-61b8-11ee-9b3c-0242ac110005\", \"groups\": [{\"name\": \"protein lightweight complications\", \"type\": \"samsung knowledgestorm ppm\", \"uid\": \"8b8458ba-61b8-11ee-9ec2-0242ac110005\"}, {\"name\": \"spyware expensive partnerships\", \"type\": \"lcd moore th\"}], \"type_id\": 0, \"account\": {\"name\": \"chrome ones leeds\", \"type\": \"AWS IAM User\", \"type_id\": 3}, \"uid_alt\": \"mpegs eric ky\"}, \"session\": {\"uid\": \"8b8460c6-61b8-11ee-9def-0242ac110005\", \"issuer\": \"fun tomorrow antibodies\", \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"is_remote\": false, \"expiration_time_dt\": \"2023-10-03T06:46:13.764963Z\", \"created_time_dt\": \"2023-10-03T06:46:13.764972Z\"}, \"cmd_line\": \"packs maximum audit\", \"container\": {\"name\": \"hotmail midlands ripe\", \"size\": 860474369, \"uid\": \"8b847c96-61b8-11ee-99b1-0242ac110005\", \"image\": {\"name\": \"letter fri mauritius\", \"uid\": \"8b84825e-61b8-11ee-a5b5-0242ac110005\", \"labels\": [\"clouds\"]}, \"hash\": {\"value\": \"799904B20F1174F01C0D2DD87C57E097\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"created_time\": 1695272181548, \"namespace_pid\": 45, \"parent_process\": {\"name\": \"Homepage\", \"pid\": 78, \"file\": {\"attributes\": 57, \"name\": \"pledge.ini\", \"type\": \"Character Device\", \"path\": \"internationally remedies back/his.cgi/pledge.ini\", \"signature\": {\"certificate\": {\"version\": \"1.0.0\", \"subject\": \"portugal motel preserve\", \"issuer\": \"rocket separation opponent\", \"fingerprints\": [{\"value\": 
\"F72B1ED0BD7D6BE65211FA1606D1DE35F225DE73CB524C01380509CCE5B6F8F8DDE81A0B0AB6F5ECE9A7E651DD7D0C19DB365A83C018B747DA5B0A79259F3547\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"AEAA2CEC33E27D65690E726E1710D3F4A99A2BF0AE9A3BD9087488F1DFB4D38D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"edinburgh responsible supervisor\"}, \"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"desc\": \"syracuse until as\", \"type_id\": 3, \"company_name\": \"Elenore Jeanetta\", \"parent_folder\": \"internationally remedies back/his.cgi\", \"confidentiality\": \"hitachi shaw tension\", \"hashes\": [{\"value\": \"8A8173677F164DD2E2CF83BEA2A42A8B\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"6B70D921D9E8DCF0F08A73F508E5D19D274B58D8AC2E29049A23B62D1988C1028A8ECBA2485531BBD6B7AEE51EA822578E859759F8FFC4818023EFD47ABC9C4D\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"security_descriptor\": \"lower cable requiring\", \"created_time_dt\": \"2023-10-03T06:46:13.766258Z\", \"accessed_time_dt\": \"2023-10-03T06:46:13.766265Z\"}, \"user\": {\"name\": \"Lauderdale\", \"type\": \"User\", \"uid\": \"8b84a6e4-61b8-11ee-b1fe-0242ac110005\", \"type_id\": 1, \"uid_alt\": \"venezuela path passing\"}, \"uid\": \"8b84ac48-61b8-11ee-97d9-0242ac110005\", \"session\": {\"uid\": \"8b84b562-61b8-11ee-a0d1-0242ac110005\", \"uuid\": \"8b84bbd4-61b8-11ee-8f0e-0242ac110005\", \"issuer\": \"gel submissions finite\", \"created_time\": 1695272181548, \"expiration_time_dt\": \"2023-10-03T06:46:13.767292Z\", \"created_time_dt\": \"2023-10-03T06:46:13.767299Z\"}, \"cmd_line\": \"prior angry workers\", \"container\": {\"name\": \"horrible scroll del\", \"size\": 870541982, \"uid\": \"8b84c7c8-61b8-11ee-b0ff-0242ac110005\", \"image\": {\"name\": \"expenses pdt conditioning\", \"tag\": \"recognition albania curtis\", \"path\": \"valentine corp gcc\", \"uid\": 
\"8b84d204-61b8-11ee-8eb1-0242ac110005\"}, \"hash\": {\"value\": \"B413223A2BB7E91D5C6E244B77A2392BA017906B615F3CDF4BA192FE568C7738ADE3E24CAA9273F592169D682882DAC5E0DF8975B0FDB3859FB69A175B815724\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"pod_uuid\": \"gift\"}, \"created_time\": 1695272181548, \"namespace_pid\": 94}, \"sandbox\": \"holmes guess hyundai\", \"created_time_dt\": \"2023-10-03T06:46:13.768070Z\"}}, \"sandbox\": \"mothers equipped enquiry\"}}}, \"terminated_time\": 1695272181548}, \"user\": {\"name\": \"Cookies\", \"type\": \"load\", \"uid\": \"8b84f59a-61b8-11ee-8275-0242ac110005\", \"type_id\": 99, \"full_name\": \"Regan Loise\", \"uid_alt\": \"dawn but titles\"}, \"invoked_by\": \"pantyhose macedonia retained\"}, \"cloud\": {\"account\": {\"name\": \"abroad takes controversy\", \"type\": \"AWS Account\", \"uid\": \"8b82630c-61b8-11ee-a1c3-0242ac110005\", \"type_id\": 10}, \"project_uid\": \"8b82679e-61b8-11ee-9ed4-0242ac110005\", \"provider\": \"translate be cabinets\", \"region\": \"trap wood power\"}, \"malware\": [{\"name\": \"generally insight ee\", \"path\": \"jc possess fibre\", \"classification_ids\": [17, 2], \"classifications\": [\"ontario amsterdam archived\", \"newfoundland norman eddie\"], \"provider\": \"singapore flexible casino\"}, {\"name\": \"illustrated lending requirements\", \"path\": \"cho basket ul\", \"uid\": \"8b8272c0-61b8-11ee-90e5-0242ac110005\", \"classification_ids\": [16, 5], \"cves\": [{\"type\": \"graphical acm salt\", \"uid\": \"8b827964-61b8-11ee-822b-0242ac110005\", \"created_time\": 1695272181548, \"modified_time\": 1695272181548, \"modified_time_dt\": \"2023-10-03T06:46:13.752477Z\"}], \"provider\": \"goods fitting latter\"}], \"severity_id\": 99, \"status_id\": 0}", - "event": { - "action": "load", - "category": [], - "kind": "event", - "outcome": "unknown", - "provider": "discrimination morrison course", - "sequence": 44, - "severity": 99, - "type": [] - }, - "@timestamp": 
"2023-09-21T04:56:21.548000Z", - "cloud": { - "account": { - "id": "8b82630c-61b8-11ee-a1c3-0242ac110005", - "name": "abroad takes controversy" - }, - "project": { - "id": "8b82679e-61b8-11ee-9ed4-0242ac110005" - }, - "provider": "translate be cabinets", - "region": "trap wood power" - }, - "container": { - "id": "8b832030-61b8-11ee-816d-0242ac110005", - "image": { - "name": "babies detective christians" - }, - "name": "renew angle reject", - "runtime": "annoying remarkable setup" - }, - "file": { - "created": "2023-10-03T06:46:13.753318Z", - "directory": "pleased dip spiritual/corresponding.java", - "hash": { - "ssdeep": "B8C09AA4F584900FEA2DF3DAFBDAF9F0C6E76095BFDBCCF5F0F748D069D706526380A29574124164B0EDC1B56DD8342FC4BF70467A9B6024D999269A45E2A175", - "tlsh": "795F2AAA00B0D80F2A50C10902A141A3E0AFE3A4BCE0007F213C21994E6AE528B448F2C2F4BDF6C4E1D0AEA3B8396D40A4395AA9730A77E879848BDB750D6468" - }, - "mtime": "2023-09-21T04:56:21.548000Z", - "name": "expiration.cpl", - "path": "pleased dip spiritual/corresponding.java/expiration.cpl", - "type": "Character Device" - }, - "host": { - "domain": "existence conditional pillow", - "hostname": "tiles.name", - "ip": [ - "81.2.69.142" - ], - "mac": [ - "6C:91:94:13:50:61:2E:D4" - ], - "name": "tiles.name", - "os": { - "name": "extreme oct care", - "type": "Android", - "version": "grave pn resist" - }, - "risk": { - "static_level": "Low" - }, - "type": "frontier" - }, - "ocsf": { - "activity_id": 1, - "activity_name": "Load", - "class_name": "Module Activity", - "class_uid": 1005 - }, - "process": { - "command_line": "fame little relax", - "entity_id": "8b830046-61b8-11ee-b4bd-0242ac110005", - "name": "Switzerland", - "parent": { - "entity_id": "8b834aba-61b8-11ee-8172-0242ac110005", - "name": "Containers", - "pid": 76, - "start": "2023-09-21T04:56:21.548000Z", - "user": { - "domain": "klein greg processing", - "full_name": "Franklyn Shantell", - "group": { - "id": [], - "name": [] - }, - "id": [ - 
"8b834682-61b8-11ee-8f6a-0242ac110005" - ], - "name": "Prep" - } - }, - "pid": 8, - "start": "2023-09-21T04:56:21.548000Z", - "thread": { - "id": 12 - }, - "user": { - "group": { - "id": [], - "name": [] - }, - "id": [ - "8b82fc86-61b8-11ee-b5b6-0242ac110005" - ], - "name": "Mechanics" - } - }, - "related": { - "hash": [ - "B8C09AA4F584900FEA2DF3DAFBDAF9F0C6E76095BFDBCCF5F0F748D069D706526380A29574124164B0EDC1B56DD8342FC4BF70467A9B6024D999269A45E2A175" - ], - "hosts": [ - "tiles.name" - ], - "ip": [ - "81.2.69.142" - ], - "user": [ - "Cookies" - ] - }, - "threat": { - "technique": { - "id": [ - "T1504", - "T1555.002" - ], - "name": [ - "PowerShell Profile", - "Securityd Memory" - ] - } - }, - "user": { - "full_name": "Regan Loise", - "group": { - "id": [], - "name": [] - }, - "id": "8b84f59a-61b8-11ee-8275-0242ac110005", - "name": "Cookies" - } - } -} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_system_activity_6.json b/OCSF/ocsf/tests/test_system_activity_6.json deleted file mode 100644 index 210ebf40b..000000000 --- a/OCSF/ocsf/tests/test_system_activity_6.json +++ /dev/null 
@@ -1,143 +0,0 @@ -{ - "input": { - "message": "{\"message\": \"walnut trucks alabama\", \"status\": \"vcr\", \"time\": 1695272181548, \"device\": {\"name\": \"cholesterol republicans albert\", \"type\": \"Virtual\", \"ip\": \"81.2.69.142\", \"location\": {\"desc\": \"Antigua and Barbuda\", \"city\": \"Guidance marijuana\", \"country\": \"AG\", \"coordinates\": [139.683, -39.2278], \"continent\": \"North America\"}, \"hostname\": \"bags.coop\", \"uid\": \"442a8524-61be-11ee-a4cc-0242ac110005\", \"org\": {\"name\": \"answer intelligent artificial\", \"ou_name\": \"garlic glucose festival\"}, \"type_id\": 6, \"hypervisor\": \"indianapolis finite serious\", \"interface_name\": \"officials janet subscribe\", \"interface_uid\": \"442a8a60-61be-11ee-b5e8-0242ac110005\", \"last_seen_time\": 1695272181548, \"region\": \"argentina andy wyoming\", \"risk_score\": 44, \"modified_time_dt\": \"2023-10-03T07:27:11.038353Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"rough cfr elephant\", \"version\": \"1.0.0\", \"uid\": \"442a6c38-61be-11ee-811a-0242ac110005\", \"lang\": \"en\", \"url_string\": \"cl\", \"vendor_name\": \"turkey directors vacations\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"event_code\": \"paths\", \"log_provider\": \"gays consultation motivated\", \"logged_time\": 1695272181548, \"original_time\": \"bolt beds created\", \"modified_time_dt\": \"2023-10-03T07:27:11.037636Z\", \"processed_time_dt\": \"2023-10-03T07:27:11.037651Z\"}, \"start_time\": 1695272181548, \"severity\": \"doctors\", \"disposition\": \"Unknown\", \"type_name\": \"Process Activity: Set User ID\", \"activity_id\": 5, \"disposition_id\": 0, \"type_uid\": 100705, \"category_name\": \"System Activity\", \"class_uid\": 1007, \"category_uid\": 1, \"class_name\": \"Process Activity\", \"timezone_offset\": 75, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Exfiltration | The adversary is trying to steal 
data.\", \"uid\": \"TA0010\"}, {\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Accessibility Features\", \"uid\": \"T1546.008\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Web Shell\", \"uid\": \"T1100\"}}], \"activity_name\": \"Set User ID\", \"actor\": {\"process\": {\"name\": \"Woman\", \"pid\": 99, \"file\": {\"attributes\": 71, \"name\": \"game.crdownload\", \"type\": \"Symbolic Link\", \"path\": \"district moment specs/consolidation.mp3/game.crdownload\", \"type_id\": 7, \"parent_folder\": \"district moment specs/consolidation.mp3\", \"hashes\": [{\"value\": \"DBC811458704E7331C9D9B3365E5DB08E8D9247CEDBE9F8FFED69606E0A5CE644230CB925F7AE8919137B51CE7E4797EC55533D10E6AF32B803BAB785848BD58\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"74900E05175C9BD82834F761CAE8D37E3190933ED2249C16508DB4053419EDAEE6ADD186BACD19C2AF5686BC9D15177A7960A70D7A385EB3E05AF555356368E6\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"xattributes\": {}, \"accessed_time_dt\": \"2023-10-03T07:27:11.051398Z\"}, \"user\": {\"name\": \"Laboratory\", \"type\": \"Unknown\", \"uid\": \"442c90bc-61be-11ee-8334-0242ac110005\", \"type_id\": 0, \"account\": {\"name\": \"filled lunch processing\", \"type\": \"Windows Account\", \"uid\": \"442c96ac-61be-11ee-945c-0242ac110005\", \"type_id\": 2}}, \"uid\": \"442c9a58-61be-11ee-8992-0242ac110005\", \"cmd_line\": \"wrist teach engaging\", \"container\": {\"name\": \"disabled underlying prerequisite\", \"runtime\": \"ntsc replacing emotional\", \"size\": 1294218177, \"uid\": \"442ca070-61be-11ee-b847-0242ac110005\", \"image\": {\"name\": \"janet flights pct\", \"tag\": \"reporter calculator population\", \"uid\": \"442ca5e8-61be-11ee-ac6f-0242ac110005\", \"labels\": [\"beef\"]}, 
\"hash\": {\"value\": \"2A9141F10042E65FE9B037DE88C913D5CB6420C809E4F70D77B0C1CD0DB599E0DA4CC22A8E772350CACDACD72722801EA7BEAAE4B6D79D3949E37DB3492F1892\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695272181548, \"integrity\": \"Low\", \"integrity_id\": 2, \"namespace_pid\": 96, \"parent_process\": {\"name\": \"Undergraduate\", \"pid\": 18, \"file\": {\"name\": \"alice.cur\", \"type\": \"Block Device\", \"path\": \"llc snap glossary/striking.cgi/alice.cur\", \"type_id\": 4, \"company_name\": \"Margurite Hester\", \"parent_folder\": \"llc snap glossary/striking.cgi\", \"hashes\": [{\"value\": \"C87068358A2AF25FB6462D2E9D5CEE0C1B843771EE363E91B70497182AC6058683881C15DDFF011CE7CAAE6617D935F69F093E8BB488A880E8A559A8AC1073FA\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time\": 1695272181548, \"security_descriptor\": \"kurt snowboard baby\", \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T07:27:11.052592Z\"}, \"user\": {\"type\": \"System\", \"uid\": \"442d0416-61be-11ee-8f5e-0242ac110005\", \"type_id\": 3}, \"tid\": 18, \"uid\": \"442d08c6-61be-11ee-9eea-0242ac110005\", \"cmd_line\": \"shopzilla signal shift\", \"created_time\": 1695272181548, \"integrity\": \"brush clinton bride\", \"namespace_pid\": 81, \"parent_process\": {\"name\": \"Danger\", \"pid\": 27, \"file\": {\"name\": \"es.sql\", \"type\": \"Regular File\", \"path\": \"sarah receivers appropriate/keen.cpl/es.sql\", \"desc\": \"dynamics dg islamic\", \"type_id\": 1, \"accessor\": {\"type\": \"Admin\", \"uid\": \"442d1b40-61be-11ee-8249-0242ac110005\", \"type_id\": 2, \"email_addr\": \"Alethea@fa.web\"}, \"parent_folder\": \"sarah receivers appropriate/keen.cpl\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"4095391C7E3E04FF12C9AD2E6C49BD63DFE77E885ACAADD3B58A1D8895383044\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"is_system\": false, \"created_time_dt\": \"2023-10-03T07:27:11.055203Z\"}, \"user\": {\"name\": \"Strong\", \"type\": 
\"Unknown\", \"uid\": \"442d27de-61be-11ee-b498-0242ac110005\", \"type_id\": 0, \"account\": {\"name\": \"allows country mineral\", \"type\": \"AWS IAM Role\", \"uid\": \"442d4a0c-61be-11ee-bd4c-0242ac110005\", \"type_id\": 4}, \"email_addr\": \"Minta@active.biz\"}, \"uid\": \"442d4ee4-61be-11ee-a8b0-0242ac110005\", \"loaded_modules\": [\"/instantly/lazy/quickly/junk/relates.gadget\", \"/gentle/sen/bridge/brochure/county.cbr\"], \"cmd_line\": \"growing howard error\", \"container\": {\"name\": \"stand tumor previously\", \"size\": 61744955, \"uid\": \"442d84ae-61be-11ee-a35f-0242ac110005\", \"hash\": {\"value\": \"77D19917CD3F9FDA9C5B453897F0829D1D94450C31CB6991090BF4B4F49578CF29BBBBA4AF270287F408F0B9D696F5C18C16366E5CDFFDB199FDFC3E2BF91A62\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, \"network_driver\": \"receiver recommended governor\"}, \"created_time\": 1695272181548, \"namespace_pid\": 25, \"parent_process\": {\"name\": \"Virtue\", \"pid\": 9, \"file\": {\"name\": \"wishlist.fnt\", \"owner\": {\"name\": \"Proof\", \"type\": \"genius\", \"uid\": \"442e1d74-61be-11ee-ac9e-0242ac110005\", \"type_id\": 99}, \"type\": \"Regular File\", \"path\": \"bouquet bibliography pull/dumb.mov/wishlist.fnt\", \"modifier\": {\"name\": \"Victory\", \"type\": \"User\", \"uid\": \"442e4920-61be-11ee-ab85-0242ac110005\", \"type_id\": 1, \"account\": {\"name\": \"me tagged lang\", \"type\": \"AWS IAM Role\", \"uid\": \"442e5168-61be-11ee-a406-0242ac110005\", \"type_id\": 4}, \"email_addr\": \"Zona@partners.mil\"}, \"product\": {\"name\": \"written em fujitsu\", \"version\": \"1.0.0\", \"uid\": \"442e6324-61be-11ee-9f29-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"sounds di inquiry\"}, \"type_id\": 1, \"company_name\": \"Tamara Porsha\", \"parent_folder\": \"bouquet bibliography pull/dumb.mov\", \"hashes\": [{\"value\": \"EA326FE8119ACC03CB82276431BF6120811A2EE778F15E25088100D62EF8410FAD0B948395B7204152892B06C76A6405752FE2115D4B22CAF5461B8DA8D74966\", \"algorithm\": 
\"CTPH\", \"algorithm_id\": 5}]}, \"uid\": \"442e6b76-61be-11ee-ab8d-0242ac110005\", \"cmd_line\": \"fox breathing excluded\", \"container\": {\"name\": \"obtained thompson wait\", \"size\": 1304039495, \"uid\": \"442e74ae-61be-11ee-bee1-0242ac110005\", \"image\": {\"name\": \"ou false horn\", \"tag\": \"widely concerns ranger\", \"uid\": \"442e7aa8-61be-11ee-92c0-0242ac110005\"}, \"hash\": {\"value\": \"34BF8F4BFD5096DFE4AD7B1FC397EE225004242E\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"orchestrator\": \"cingular grow causing\"}, \"created_time\": 1695272181548, \"integrity\": \"races parcel generating\", \"namespace_pid\": 54, \"parent_process\": {\"name\": \"Kai\", \"pid\": 23, \"file\": {\"attributes\": 99, \"name\": \"conceptual.py\", \"type\": \"Named Pipe\", \"path\": \"impression finance trader/fragrances.sql/conceptual.py\", \"signature\": {\"digest\": {\"value\": \"46A80AC3F38096FE6828377277FC50B39BB0C646F94FC178876749ADE0DA96DE\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"jumping experts visitors\", \"issuer\": \"enterprise game humanitarian\", \"fingerprints\": [{\"value\": \"6B70FC8DC165E533CBF2BCD7C70701DE3B3E114D\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"FCC3C0E1B16A999DE463D9C657DCA7E366719DE7E84E9C4EC1E41B0E744F649955B9E844AD173EBB3075A18E757DAF50733546203C86FB3209652FC0FB80534C\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"grad newest earlier\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"type_id\": 6, \"parent_folder\": \"impression finance trader/fragrances.sql\", \"accessed_time\": 1695272181548, \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"is_system\": true, \"security_descriptor\": \"ni easter snapshot\", \"modified_time_dt\": \"2023-10-03T07:27:11.064617Z\"}, \"user\": {\"name\": \"Da\", \"type\": \"ben\", \"domain\": \"dubai 
sys drum\", \"uid\": \"442ed390-61be-11ee-902b-0242ac110005\", \"groups\": [{\"name\": \"implications fred rent\", \"uid\": \"442ed976-61be-11ee-acb4-0242ac110005\"}, {\"type\": \"hundred suggesting radius\", \"uid\": \"442ede6c-61be-11ee-815a-0242ac110005\"}], \"type_id\": 99, \"uid_alt\": \"documents harmony austria\"}, \"uid\": \"442ee2d6-61be-11ee-ad3f-0242ac110005\", \"session\": {\"uid\": \"442ee7f4-61be-11ee-a967-0242ac110005\", \"uuid\": \"442eeb3c-61be-11ee-a179-0242ac110005\", \"issuer\": \"robots places depression\", \"created_time\": 1695272181548, \"is_remote\": false}, \"cmd_line\": \"operations expanded ht\", \"container\": {\"name\": \"victor civic segments\", \"size\": 2232172986, \"uid\": \"442ef1ea-61be-11ee-870d-0242ac110005\", \"image\": {\"name\": \"weird sep allowing\", \"uid\": \"442efa14-61be-11ee-8abf-0242ac110005\", \"labels\": [\"amplifier\"]}, \"hash\": {\"value\": \"27D94D1C177AA8E0E6E8A4F5ECAB104598CD2B62F27D3A26FCDC87A6AA7398BFD85771D86723FEDB24EC75CA439D57127989FB397C1F07F53B35533563BA3274\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}}, \"created_time\": 1695272181548, \"namespace_pid\": 74, \"parent_process\": {\"name\": \"Industries\", \"pid\": 93, \"file\": {\"name\": \"rage.ics\", \"type\": \"Regular File\", \"path\": \"slide sensitivity milton/dsc.kml/rage.ics\", \"type_id\": 1, \"parent_folder\": \"slide sensitivity milton/dsc.kml\", \"accessed_time\": 1695272181548, \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"F10EEB0D89F01824C27418121C62436F\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"B883D1D4320E98F7DE7D6913D7C3DF5503FB17747CCE5EBD6F3384A41414FF8D\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"xattributes\": {}}, \"user\": {\"name\": \"Earrings\", \"type\": \"System\", \"uid\": \"442f0f18-61be-11ee-92c1-0242ac110005\", \"type_id\": 3}, \"uid\": \"442f1314-61be-11ee-a9ee-0242ac110005\", \"container\": {\"name\": \"irish paid ga\", \"runtime\": \"meetings imported 
nutrition\", \"size\": 706306619, \"uid\": \"442f19c2-61be-11ee-851e-0242ac110005\", \"image\": {\"name\": \"struct wind included\", \"uid\": \"442f39ca-61be-11ee-9840-0242ac110005\", \"labels\": [\"hourly\"]}, \"hash\": {\"value\": \"C4802F4F55FE24BE9AF5F053E8719A9BC77381D625A0D27A35201C772CFD324009461ABCAC4A120286B98C707400807BB9DF7CFB3AA2C3BBF04EBB41E2AD07B3\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695272181548, \"namespace_pid\": 46, \"parent_process\": {\"name\": \"Employed\", \"pid\": 49, \"file\": {\"name\": \"nextel.dat\", \"type\": \"Unknown\", \"path\": \"exhibitions grad folks/lonely.yuv/nextel.dat\", \"desc\": \"parking hazards hunter\", \"type_id\": 0, \"parent_folder\": \"exhibitions grad folks/lonely.yuv\", \"hashes\": [{\"value\": \"1FE380DD618981AF242E43F459760A9F0C89B6D74E1C7544A298FBA160545A4F047CFFB754779F8EAD083609F87AB1EF4DE7D3630EDA324A5052064685D8A814\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"27D3F37EB6F68FBB9EDC408AAFC6035EF463633CB1D425DD737C0AD4F6A2442EE5857F1FD9BB49C0A3030802642A48CB4AADBAFC7B20B82DE18144D2E360B551\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"is_system\": true, \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Affiliation\", \"type\": \"User\", \"uid\": \"442f881c-61be-11ee-8d6d-0242ac110005\", \"type_id\": 1, \"credential_uid\": \"442f8c40-61be-11ee-858e-0242ac110005\"}, \"tid\": 75, \"uid\": \"442f8fb0-61be-11ee-b4aa-0242ac110005\", \"cmd_line\": \"directive rico hs\", \"container\": {\"name\": \"depot lanes mai\", \"size\": 4170062018, \"uid\": \"442f976c-61be-11ee-8026-0242ac110005\", \"image\": {\"name\": \"inappropriate burden hoped\", \"uid\": \"442f9c62-61be-11ee-81fa-0242ac110005\"}, \"hash\": {\"value\": \"FE9E27DD7BF526B57D69D3BD9FAC33DC\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"created_time\": 1695272181548, \"namespace_pid\": 5, \"parent_process\": {\"pid\": 4, \"file\": {\"attributes\": 28, \"name\": \"centered.txt\", \"size\": 
724911628, \"type\": \"Unknown\", \"path\": \"patrol considers alternative/bargains.xlr/centered.txt\", \"type_id\": 0, \"accessor\": {\"name\": \"Bailey\", \"type\": \"User\", \"uid\": \"442fac66-61be-11ee-b373-0242ac110005\", \"org\": {\"name\": \"nova identification paul\", \"uid\": \"442fb1a2-61be-11ee-9fd5-0242ac110005\", \"ou_name\": \"honors tattoo australian\"}, \"type_id\": 1, \"credential_uid\": \"442fb5ee-61be-11ee-a469-0242ac110005\", \"email_addr\": \"Almeda@representations.biz\"}, \"company_name\": \"Chery Hunter\", \"mime_type\": \"finish/councils\", \"parent_folder\": \"patrol considers alternative/bargains.xlr\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"2E5106CC0168994B4FE52AC9F67394250EE7504DB2DB5DE3CE0AC0A6E01DFA01\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"37A8A4AF49E5E20E61CF73D569C93D3F839D333C98BADE757EC2C5093C969DBEBC2707A0A2C9B4709FB6986E18991E93BA14C3CC2799E6153B1BEA132224F02B\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Achieving\", \"type\": \"System\", \"uid\": \"442fbf76-61be-11ee-b1ce-0242ac110005\", \"org\": {\"uid\": \"442fc408-61be-11ee-a83e-0242ac110005\", \"ou_name\": \"drunk pt locations\"}, \"groups\": [{\"name\": \"blackberry genetics dsc\", \"uid\": \"442fc93a-61be-11ee-93e5-0242ac110005\", \"privileges\": [\"counter relocation association\", \"precise nurses satisfactory\"]}, {\"name\": \"munich clothing commit\", \"uid\": \"442fcd54-61be-11ee-ab07-0242ac110005\"}], \"type_id\": 3, \"account\": {\"name\": \"batman sprint established\", \"type\": \"Linux Account\", \"type_id\": 9}}, \"uid\": \"442fd27c-61be-11ee-bc32-0242ac110005\", \"session\": {\"uid\": \"442fda56-61be-11ee-93d0-0242ac110005\", \"issuer\": \"vacation obligation refused\", \"created_time\": 1695272181548, \"is_remote\": false}, \"cmd_line\": \"portfolio syracuse zinc\", \"container\": {\"name\": \"extremely bridges jane\", \"size\": 2170520292, \"tag\": 
\"magnificent nerve ethnic\", \"uid\": \"442fe3ca-61be-11ee-ac04-0242ac110005\", \"image\": {\"uid\": \"442fe870-61be-11ee-8322-0242ac110005\"}, \"hash\": {\"value\": \"E9264147B413746293E539868C8EDFF71715E1E3\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"pod_uuid\": \"save\"}, \"created_time\": 1695272181548, \"namespace_pid\": 10, \"parent_process\": {\"name\": \"Flags\", \"pid\": 12, \"file\": {\"name\": \"stats.cs\", \"size\": 3217957879, \"type\": \"Block Device\", \"path\": \"well vacations concrete/hamburg.vcf/stats.cs\", \"modifier\": {\"type\": \"System\", \"uid\": \"442ff8e2-61be-11ee-bc3b-0242ac110005\", \"type_id\": 3}, \"desc\": \"supporters billy surgeon\", \"product\": {\"name\": \"rare musical oregon\", \"version\": \"1.0.0\", \"uid\": \"442ffee6-61be-11ee-b950-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"moms scholarships pins\"}, \"type_id\": 4, \"parent_folder\": \"well vacations concrete/hamburg.vcf\", \"hashes\": [{\"value\": \"220358975ACF552AE828178DC72009FA5342AB5C33895C6E9E5048EF5BD044736C17B29683CD4CD82D017C7D963FB9AE740735C6D31E956B42C4A45F803F6EDA\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"security_descriptor\": \"dave manufacturing applicant\", \"modified_time_dt\": \"2023-10-03T07:27:11.074123Z\"}, \"user\": {\"name\": \"Rod\", \"type\": \"fiji\", \"uid\": \"44300a4e-61be-11ee-b6bc-0242ac110005\", \"type_id\": 99}, \"uid\": \"44300e5e-61be-11ee-8332-0242ac110005\", \"cmd_line\": \"easter anaheim introductory\", \"container\": {\"name\": \"clone sic tight\", \"size\": 3536383459, \"uid\": \"443013cc-61be-11ee-a273-0242ac110005\", \"image\": {\"name\": \"jonathan calculation incomplete\", \"uid\": \"4430194e-61be-11ee-a776-0242ac110005\"}, \"hash\": {\"value\": \"A63B60EEA4665F00EDDB1E2A8FECCFEA7634F795\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}}, \"created_time\": 1695272181548, \"integrity\": \"guys document multimedia\", \"lineage\": [\"weight anytime gzip\", \"subcommittee milan reasonable\"], 
\"namespace_pid\": 4, \"parent_process\": {\"name\": \"Vat\", \"pid\": 10, \"file\": {\"name\": \"fioricet.lnk\", \"owner\": {\"name\": \"Vid\", \"type\": \"Admin\", \"uid\": \"44302a6a-61be-11ee-b70a-0242ac110005\", \"type_id\": 2, \"email_addr\": \"Elise@starts.museum\", \"uid_alt\": \"supplied epic spas\"}, \"type\": \"Unknown\", \"uid\": \"44302f24-61be-11ee-99d3-0242ac110005\", \"type_id\": 0, \"company_name\": \"Archie Lesley\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"F7EDAF3282DAFB609C7D421B786486F127371E76\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"security_descriptor\": \"believes airlines granted\"}, \"user\": {\"name\": \"Candles\", \"type\": \"User\", \"domain\": \"restaurants instead occurring\", \"uid\": \"443039a6-61be-11ee-8f9f-0242ac110005\", \"type_id\": 1, \"full_name\": \"Margareta Elden\", \"credential_uid\": \"44303eba-61be-11ee-ab60-0242ac110005\"}, \"session\": {\"uid\": \"443043ec-61be-11ee-96c0-0242ac110005\", \"issuer\": \"mediterranean provider something\", \"created_time\": 1695272181548, \"is_remote\": true}, \"loaded_modules\": [\"/timing/norm/crime/apollo/pollution.dwg\"], \"cmd_line\": \"robinson hunter anne\", \"container\": {\"name\": \"magnificent capabilities ideal\", \"size\": 3127592961, \"uid\": \"44305030-61be-11ee-b7e4-0242ac110005\", \"image\": {\"name\": \"mistake baseball jordan\", \"uid\": \"4430571a-61be-11ee-8c37-0242ac110005\"}, \"hash\": {\"value\": \"4B4AACD68CE2D5C32C8437FC88E56923FA0DDADFEA6532D34FA536A344FDD0F482CB0159A5237950B31A7F3D097FED596515444734A2DF56CF7D38A74DCA94D7\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}}, \"created_time\": 1695272181548, \"integrity\": \"reality\", \"integrity_id\": 99, \"namespace_pid\": 41, \"parent_process\": {\"name\": \"Cart\", \"pid\": 36, \"file\": {\"name\": \"ts.exe\", \"owner\": {\"name\": \"Commander\", \"type\": \"motherboard\", \"domain\": \"andale museum reality\", \"uid\": \"44306aca-61be-11ee-be86-0242ac110005\", \"type_id\": 
99, \"credential_uid\": \"44306ef8-61be-11ee-b8fd-0242ac110005\", \"uid_alt\": \"verzeichnis prefer soccer\"}, \"type\": \"Regular File\", \"type_id\": 1, \"confidentiality\": \"Not Confidential\", \"confidentiality_id\": 1, \"hashes\": [{\"value\": \"ADCAA40050F92C2A48474F33D6E697529CA1D0BD1FCC6D553290E4655C5F0BA7FAB42B475667A0C8EAD38187E3AFBE5AC9C7F3A68C87167BCF01080031CE50FB\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"D1F34CA31A773B2BDD48DB8EC34E2B88EA9746B72EB845256BE259CA7D5D9E5F\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"xattributes\": {}}, \"user\": {\"name\": \"Editorial\", \"type\": \"Unknown\", \"uid\": \"44307e70-61be-11ee-a962-0242ac110005\", \"org\": {\"name\": \"insulin identical prizes\", \"uid\": \"44308564-61be-11ee-abd1-0242ac110005\"}, \"type_id\": 0, \"account\": {\"name\": \"hewlett then appendix\", \"type\": \"GCP Account\", \"type_id\": 5}}, \"uid\": \"44308c3a-61be-11ee-93fe-0242ac110005\", \"cmd_line\": \"territories year excluded\", \"created_time\": 1695272181548, \"namespace_pid\": 51, \"parent_process\": {\"name\": \"Identical\", \"file\": {\"name\": \"underwear.sdf\", \"type\": \"Named Pipe\", \"version\": \"1.0.0\", \"path\": \"writer photoshop lane/st.sdf/underwear.sdf\", \"type_id\": 6, \"company_name\": \"Rosendo Grace\", \"parent_folder\": \"writer photoshop lane/st.sdf\", \"confidentiality\": \"cut salt catch\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"0F4CF4B2CE58DE3BF03D760DE38955BF246F80BAB6F81927F253AB5D9773EB75\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"647878B29B754A911F330D47137E3068A61F6185ED78B1AA43695E4A1D98607D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time_dt\": \"2023-10-03T07:27:11.078126Z\"}, \"user\": {\"name\": \"Spank\", \"type\": \"User\", \"uid\": \"4430a878-61be-11ee-af22-0242ac110005\", \"org\": {\"name\": \"von reservoir moore\", \"uid\": \"4430adc8-61be-11ee-b4ba-0242ac110005\", \"ou_name\": \"photos nat eds\", 
\"ou_uid\": \"4430b502-61be-11ee-8f5b-0242ac110005\"}, \"type_id\": 1, \"credential_uid\": \"4430b912-61be-11ee-8411-0242ac110005\", \"email_addr\": \"Ena@hearing.int\"}, \"cmd_line\": \"suited pace informal\", \"container\": {\"name\": \"elegant rankings wild\", \"size\": 2933994191, \"uid\": \"4430bf98-61be-11ee-b010-0242ac110005\", \"hash\": {\"value\": \"6F4F28E68A201B8127A08D889356FCFA0C736B9FD1330596E58F7D1669820A151705235B2F41C93CE5159EC808FE328BCED0BBC02E6C20382443EBB5ACDD6023\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"network_driver\": \"what belgium used\", \"orchestrator\": \"everyone ho alternative\", \"pod_uuid\": \"rocky\"}, \"created_time\": 1695272181548, \"namespace_pid\": 66, \"parent_process\": {\"name\": \"Documentation\", \"pid\": 70, \"file\": {\"name\": \"space.js\", \"size\": 3135869827, \"type\": \"Regular File\", \"version\": \"1.0.0\", \"path\": \"cookbook dc effort/abc.pkg/space.js\", \"type_id\": 1, \"parent_folder\": \"cookbook dc effort/abc.pkg\", \"hashes\": [{\"value\": \"7F572F2B5A5DED4063EF1594729C97543A900961\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"D6CDFD95B6030B86B739AC2B7575BA411041446BFEF23DF7765EC4B470C9A5D2E182599FBA3C539E0EBEAF5E656A808285FED2455EB8F7E802ABD6245CB543FC\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Ser\", \"type\": \"boom\", \"org\": {\"ou_name\": \"officials watches house\"}, \"type_id\": 99, \"account\": {\"name\": \"pas jacob personals\", \"type\": \"GCP Account\", \"uid\": \"4430d578-61be-11ee-ab48-0242ac110005\", \"type_id\": 5}, \"email_addr\": \"Charlette@anytime.jobs\"}, \"uid\": \"4430d9d8-61be-11ee-a2ef-0242ac110005\", \"cmd_line\": \"adolescent agreements wooden\", \"container\": {\"name\": \"sparc memphis paid\", \"size\": 3567867280, \"tag\": \"agency ended lambda\", \"uid\": \"4430dfe6-61be-11ee-bbae-0242ac110005\", \"hash\": {\"value\": \"6DBDD59AB542C91F19905B4D8672B5320DCBA285\", 
\"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"orchestrator\": \"workstation opening cambridge\", \"pod_uuid\": \"rendering\"}, \"integrity\": \"podcasts owned how\", \"namespace_pid\": 79, \"parent_process\": {\"name\": \"Triangle\", \"pid\": 76, \"file\": {\"name\": \"xl.php\", \"type\": \"Symbolic Link\", \"path\": \"beneath among lands/resort.cbr/xl.php\", \"desc\": \"panic united modeling\", \"type_id\": 7, \"parent_folder\": \"beneath among lands/resort.cbr\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"value\": \"9A5751D5ACECF26FF7EB2B33C144EFCE1C69FE9A\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"F803B26388365E33184D5CC145D868E1B8DF74D5\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"is_system\": false, \"xattributes\": {}, \"accessed_time_dt\": \"2023-10-03T07:27:11.080165Z\"}, \"user\": {\"type\": \"System\", \"uid\": \"4430f40e-61be-11ee-86fe-0242ac110005\", \"org\": {\"name\": \"important analog unnecessary\", \"uid\": \"4430faee-61be-11ee-b642-0242ac110005\", \"ou_name\": \"highlights douglas manufacturer\"}, \"groups\": [{\"name\": \"go prohibited oxford\", \"uid\": \"44310066-61be-11ee-99fb-0242ac110005\"}], \"type_id\": 3}, \"tid\": 20, \"uid\": \"443103fe-61be-11ee-8306-0242ac110005\", \"container\": {\"name\": \"flex operational statistical\", \"uid\": \"4431094e-61be-11ee-a229-0242ac110005\", \"hash\": {\"value\": \"4DA1DD452B8D517803494B5E00054136CCF55DF19FF70469451D438255FC03B1FA45BB3A48C03F49FCCE16708623DA0458F11C60EC6D10453E6D6AB6C6492E15\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"orchestrator\": \"performed gadgets bank\", \"pod_uuid\": \"password\"}, \"created_time\": 1695272181548, \"namespace_pid\": 98}}}, \"sandbox\": \"pendant funds intervals\", \"terminated_time_dt\": \"2023-10-03T07:27:11.080957Z\"}, \"xattributes\": {}, \"terminated_time_dt\": \"2023-10-03T07:27:11.080979Z\"}, \"sandbox\": \"earl manually converter\"}}, \"sandbox\": \"mexican broadway 
volleyball\", \"terminated_time_dt\": \"2023-10-03T07:27:11.081001Z\"}, \"xattributes\": {}}, \"created_time_dt\": \"2023-10-03T07:27:11.081016Z\"}, \"sandbox\": \"deep simply nn\", \"xattributes\": {}}, \"sandbox\": \"repeat checked peace\", \"xattributes\": {}, \"terminated_time_dt\": \"2023-10-03T07:27:11.081046Z\"}, \"sandbox\": \"rational girls corner\"}, \"created_time_dt\": \"2023-10-03T07:27:11.081059Z\", \"terminated_time_dt\": \"2023-10-03T07:27:11.081081Z\"}, \"user\": {\"type\": \"System\", \"uid\": \"4431189e-61be-11ee-bc71-0242ac110005\", \"type_id\": 3, \"credential_uid\": \"44311cae-61be-11ee-9f07-0242ac110005\"}}, \"actual_permissions\": 48, \"cloud\": {\"provider\": \"nu connector termination\", \"region\": \"lose activists occurred\"}, \"end_time\": 1695272181548, \"severity_id\": 99, \"status_id\": 99}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"message\": \"walnut trucks alabama\", \"status\": \"vcr\", \"time\": 1695272181548, \"device\": {\"name\": \"cholesterol republicans albert\", \"type\": \"Virtual\", \"ip\": \"81.2.69.142\", \"location\": {\"desc\": \"Antigua and Barbuda\", \"city\": \"Guidance marijuana\", \"country\": \"AG\", \"coordinates\": [139.683, -39.2278], \"continent\": \"North America\"}, \"hostname\": \"bags.coop\", \"uid\": \"442a8524-61be-11ee-a4cc-0242ac110005\", \"org\": {\"name\": \"answer intelligent artificial\", \"ou_name\": \"garlic glucose festival\"}, \"type_id\": 6, \"hypervisor\": \"indianapolis finite serious\", \"interface_name\": \"officials janet subscribe\", \"interface_uid\": \"442a8a60-61be-11ee-b5e8-0242ac110005\", \"last_seen_time\": 1695272181548, \"region\": \"argentina andy wyoming\", \"risk_score\": 44, \"modified_time_dt\": \"2023-10-03T07:27:11.038353Z\"}, \"metadata\": {\"version\": \"1.0.0\", \"product\": {\"name\": \"rough cfr elephant\", \"version\": \"1.0.0\", \"uid\": 
\"442a6c38-61be-11ee-811a-0242ac110005\", \"lang\": \"en\", \"url_string\": \"cl\", \"vendor_name\": \"turkey directors vacations\"}, \"profiles\": [\"cloud\", \"container\", \"datetime\", \"host\", \"security_control\"], \"event_code\": \"paths\", \"log_provider\": \"gays consultation motivated\", \"logged_time\": 1695272181548, \"original_time\": \"bolt beds created\", \"modified_time_dt\": \"2023-10-03T07:27:11.037636Z\", \"processed_time_dt\": \"2023-10-03T07:27:11.037651Z\"}, \"start_time\": 1695272181548, \"severity\": \"doctors\", \"disposition\": \"Unknown\", \"type_name\": \"Process Activity: Set User ID\", \"activity_id\": 5, \"disposition_id\": 0, \"type_uid\": 100705, \"category_name\": \"System Activity\", \"class_uid\": 1007, \"category_uid\": 1, \"class_name\": \"Process Activity\", \"timezone_offset\": 75, \"attacks\": [{\"version\": \"12.1\", \"tactics\": [{\"name\": \"Exfiltration | The adversary is trying to steal data.\", \"uid\": \"TA0010\"}, {\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Accessibility Features\", \"uid\": \"T1546.008\"}}, {\"version\": \"12.1\", \"tactics\": [{\"name\": \"Privilege Escalation | The adversary is trying to gain higher-level permissions.\", \"uid\": \"TA0004\"}], \"technique\": {\"name\": \"Web Shell\", \"uid\": \"T1100\"}}], \"activity_name\": \"Set User ID\", \"actor\": {\"process\": {\"name\": \"Woman\", \"pid\": 99, \"file\": {\"attributes\": 71, \"name\": \"game.crdownload\", \"type\": \"Symbolic Link\", \"path\": \"district moment specs/consolidation.mp3/game.crdownload\", \"type_id\": 7, \"parent_folder\": \"district moment specs/consolidation.mp3\", \"hashes\": [{\"value\": \"DBC811458704E7331C9D9B3365E5DB08E8D9247CEDBE9F8FFED69606E0A5CE644230CB925F7AE8919137B51CE7E4797EC55533D10E6AF32B803BAB785848BD58\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": 
\"74900E05175C9BD82834F761CAE8D37E3190933ED2249C16508DB4053419EDAEE6ADD186BACD19C2AF5686BC9D15177A7960A70D7A385EB3E05AF555356368E6\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"xattributes\": {}, \"accessed_time_dt\": \"2023-10-03T07:27:11.051398Z\"}, \"user\": {\"name\": \"Laboratory\", \"type\": \"Unknown\", \"uid\": \"442c90bc-61be-11ee-8334-0242ac110005\", \"type_id\": 0, \"account\": {\"name\": \"filled lunch processing\", \"type\": \"Windows Account\", \"uid\": \"442c96ac-61be-11ee-945c-0242ac110005\", \"type_id\": 2}}, \"uid\": \"442c9a58-61be-11ee-8992-0242ac110005\", \"cmd_line\": \"wrist teach engaging\", \"container\": {\"name\": \"disabled underlying prerequisite\", \"runtime\": \"ntsc replacing emotional\", \"size\": 1294218177, \"uid\": \"442ca070-61be-11ee-b847-0242ac110005\", \"image\": {\"name\": \"janet flights pct\", \"tag\": \"reporter calculator population\", \"uid\": \"442ca5e8-61be-11ee-ac6f-0242ac110005\", \"labels\": [\"beef\"]}, \"hash\": {\"value\": \"2A9141F10042E65FE9B037DE88C913D5CB6420C809E4F70D77B0C1CD0DB599E0DA4CC22A8E772350CACDACD72722801EA7BEAAE4B6D79D3949E37DB3492F1892\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695272181548, \"integrity\": \"Low\", \"integrity_id\": 2, \"namespace_pid\": 96, \"parent_process\": {\"name\": \"Undergraduate\", \"pid\": 18, \"file\": {\"name\": \"alice.cur\", \"type\": \"Block Device\", \"path\": \"llc snap glossary/striking.cgi/alice.cur\", \"type_id\": 4, \"company_name\": \"Margurite Hester\", \"parent_folder\": \"llc snap glossary/striking.cgi\", \"hashes\": [{\"value\": \"C87068358A2AF25FB6462D2E9D5CEE0C1B843771EE363E91B70497182AC6058683881C15DDFF011CE7CAAE6617D935F69F093E8BB488A880E8A559A8AC1073FA\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time\": 1695272181548, \"security_descriptor\": \"kurt snowboard baby\", \"xattributes\": {}, \"created_time_dt\": \"2023-10-03T07:27:11.052592Z\"}, \"user\": {\"type\": \"System\", \"uid\": 
\"442d0416-61be-11ee-8f5e-0242ac110005\", \"type_id\": 3}, \"tid\": 18, \"uid\": \"442d08c6-61be-11ee-9eea-0242ac110005\", \"cmd_line\": \"shopzilla signal shift\", \"created_time\": 1695272181548, \"integrity\": \"brush clinton bride\", \"namespace_pid\": 81, \"parent_process\": {\"name\": \"Danger\", \"pid\": 27, \"file\": {\"name\": \"es.sql\", \"type\": \"Regular File\", \"path\": \"sarah receivers appropriate/keen.cpl/es.sql\", \"desc\": \"dynamics dg islamic\", \"type_id\": 1, \"accessor\": {\"type\": \"Admin\", \"uid\": \"442d1b40-61be-11ee-8249-0242ac110005\", \"type_id\": 2, \"email_addr\": \"Alethea@fa.web\"}, \"parent_folder\": \"sarah receivers appropriate/keen.cpl\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"4095391C7E3E04FF12C9AD2E6C49BD63DFE77E885ACAADD3B58A1D8895383044\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"is_system\": false, \"created_time_dt\": \"2023-10-03T07:27:11.055203Z\"}, \"user\": {\"name\": \"Strong\", \"type\": \"Unknown\", \"uid\": \"442d27de-61be-11ee-b498-0242ac110005\", \"type_id\": 0, \"account\": {\"name\": \"allows country mineral\", \"type\": \"AWS IAM Role\", \"uid\": \"442d4a0c-61be-11ee-bd4c-0242ac110005\", \"type_id\": 4}, \"email_addr\": \"Minta@active.biz\"}, \"uid\": \"442d4ee4-61be-11ee-a8b0-0242ac110005\", \"loaded_modules\": [\"/instantly/lazy/quickly/junk/relates.gadget\", \"/gentle/sen/bridge/brochure/county.cbr\"], \"cmd_line\": \"growing howard error\", \"container\": {\"name\": \"stand tumor previously\", \"size\": 61744955, \"uid\": \"442d84ae-61be-11ee-a35f-0242ac110005\", \"hash\": {\"value\": \"77D19917CD3F9FDA9C5B453897F0829D1D94450C31CB6991090BF4B4F49578CF29BBBBA4AF270287F408F0B9D696F5C18C16366E5CDFFDB199FDFC3E2BF91A62\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, \"network_driver\": \"receiver recommended governor\"}, \"created_time\": 1695272181548, \"namespace_pid\": 25, \"parent_process\": {\"name\": \"Virtue\", \"pid\": 9, \"file\": {\"name\": \"wishlist.fnt\", 
\"owner\": {\"name\": \"Proof\", \"type\": \"genius\", \"uid\": \"442e1d74-61be-11ee-ac9e-0242ac110005\", \"type_id\": 99}, \"type\": \"Regular File\", \"path\": \"bouquet bibliography pull/dumb.mov/wishlist.fnt\", \"modifier\": {\"name\": \"Victory\", \"type\": \"User\", \"uid\": \"442e4920-61be-11ee-ab85-0242ac110005\", \"type_id\": 1, \"account\": {\"name\": \"me tagged lang\", \"type\": \"AWS IAM Role\", \"uid\": \"442e5168-61be-11ee-a406-0242ac110005\", \"type_id\": 4}, \"email_addr\": \"Zona@partners.mil\"}, \"product\": {\"name\": \"written em fujitsu\", \"version\": \"1.0.0\", \"uid\": \"442e6324-61be-11ee-9f29-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"sounds di inquiry\"}, \"type_id\": 1, \"company_name\": \"Tamara Porsha\", \"parent_folder\": \"bouquet bibliography pull/dumb.mov\", \"hashes\": [{\"value\": \"EA326FE8119ACC03CB82276431BF6120811A2EE778F15E25088100D62EF8410FAD0B948395B7204152892B06C76A6405752FE2115D4B22CAF5461B8DA8D74966\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"uid\": \"442e6b76-61be-11ee-ab8d-0242ac110005\", \"cmd_line\": \"fox breathing excluded\", \"container\": {\"name\": \"obtained thompson wait\", \"size\": 1304039495, \"uid\": \"442e74ae-61be-11ee-bee1-0242ac110005\", \"image\": {\"name\": \"ou false horn\", \"tag\": \"widely concerns ranger\", \"uid\": \"442e7aa8-61be-11ee-92c0-0242ac110005\"}, \"hash\": {\"value\": \"34BF8F4BFD5096DFE4AD7B1FC397EE225004242E\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"orchestrator\": \"cingular grow causing\"}, \"created_time\": 1695272181548, \"integrity\": \"races parcel generating\", \"namespace_pid\": 54, \"parent_process\": {\"name\": \"Kai\", \"pid\": 23, \"file\": {\"attributes\": 99, \"name\": \"conceptual.py\", \"type\": \"Named Pipe\", \"path\": \"impression finance trader/fragrances.sql/conceptual.py\", \"signature\": {\"digest\": {\"value\": \"46A80AC3F38096FE6828377277FC50B39BB0C646F94FC178876749ADE0DA96DE\", \"algorithm\": \"magic\", \"algorithm_id\": 
99}, \"certificate\": {\"version\": \"1.0.0\", \"subject\": \"jumping experts visitors\", \"issuer\": \"enterprise game humanitarian\", \"fingerprints\": [{\"value\": \"6B70FC8DC165E533CBF2BCD7C70701DE3B3E114D\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"FCC3C0E1B16A999DE463D9C657DCA7E366719DE7E84E9C4EC1E41B0E744F649955B9E844AD173EBB3075A18E757DAF50733546203C86FB3209652FC0FB80534C\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"created_time\": 1695272181548, \"expiration_time\": 1695272181548, \"serial_number\": \"grad newest earlier\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"type_id\": 6, \"parent_folder\": \"impression finance trader/fragrances.sql\", \"accessed_time\": 1695272181548, \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"is_system\": true, \"security_descriptor\": \"ni easter snapshot\", \"modified_time_dt\": \"2023-10-03T07:27:11.064617Z\"}, \"user\": {\"name\": \"Da\", \"type\": \"ben\", \"domain\": \"dubai sys drum\", \"uid\": \"442ed390-61be-11ee-902b-0242ac110005\", \"groups\": [{\"name\": \"implications fred rent\", \"uid\": \"442ed976-61be-11ee-acb4-0242ac110005\"}, {\"type\": \"hundred suggesting radius\", \"uid\": \"442ede6c-61be-11ee-815a-0242ac110005\"}], \"type_id\": 99, \"uid_alt\": \"documents harmony austria\"}, \"uid\": \"442ee2d6-61be-11ee-ad3f-0242ac110005\", \"session\": {\"uid\": \"442ee7f4-61be-11ee-a967-0242ac110005\", \"uuid\": \"442eeb3c-61be-11ee-a179-0242ac110005\", \"issuer\": \"robots places depression\", \"created_time\": 1695272181548, \"is_remote\": false}, \"cmd_line\": \"operations expanded ht\", \"container\": {\"name\": \"victor civic segments\", \"size\": 2232172986, \"uid\": \"442ef1ea-61be-11ee-870d-0242ac110005\", \"image\": {\"name\": \"weird sep allowing\", \"uid\": \"442efa14-61be-11ee-8abf-0242ac110005\", \"labels\": [\"amplifier\"]}, \"hash\": {\"value\": 
\"27D94D1C177AA8E0E6E8A4F5ECAB104598CD2B62F27D3A26FCDC87A6AA7398BFD85771D86723FEDB24EC75CA439D57127989FB397C1F07F53B35533563BA3274\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}}, \"created_time\": 1695272181548, \"namespace_pid\": 74, \"parent_process\": {\"name\": \"Industries\", \"pid\": 93, \"file\": {\"name\": \"rage.ics\", \"type\": \"Regular File\", \"path\": \"slide sensitivity milton/dsc.kml/rage.ics\", \"type_id\": 1, \"parent_folder\": \"slide sensitivity milton/dsc.kml\", \"accessed_time\": 1695272181548, \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"F10EEB0D89F01824C27418121C62436F\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"B883D1D4320E98F7DE7D6913D7C3DF5503FB17747CCE5EBD6F3384A41414FF8D\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"xattributes\": {}}, \"user\": {\"name\": \"Earrings\", \"type\": \"System\", \"uid\": \"442f0f18-61be-11ee-92c1-0242ac110005\", \"type_id\": 3}, \"uid\": \"442f1314-61be-11ee-a9ee-0242ac110005\", \"container\": {\"name\": \"irish paid ga\", \"runtime\": \"meetings imported nutrition\", \"size\": 706306619, \"uid\": \"442f19c2-61be-11ee-851e-0242ac110005\", \"image\": {\"name\": \"struct wind included\", \"uid\": \"442f39ca-61be-11ee-9840-0242ac110005\", \"labels\": [\"hourly\"]}, \"hash\": {\"value\": \"C4802F4F55FE24BE9AF5F053E8719A9BC77381D625A0D27A35201C772CFD324009461ABCAC4A120286B98C707400807BB9DF7CFB3AA2C3BBF04EBB41E2AD07B3\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}}, \"created_time\": 1695272181548, \"namespace_pid\": 46, \"parent_process\": {\"name\": \"Employed\", \"pid\": 49, \"file\": {\"name\": \"nextel.dat\", \"type\": \"Unknown\", \"path\": \"exhibitions grad folks/lonely.yuv/nextel.dat\", \"desc\": \"parking hazards hunter\", \"type_id\": 0, \"parent_folder\": \"exhibitions grad folks/lonely.yuv\", \"hashes\": [{\"value\": 
\"1FE380DD618981AF242E43F459760A9F0C89B6D74E1C7544A298FBA160545A4F047CFFB754779F8EAD083609F87AB1EF4DE7D3630EDA324A5052064685D8A814\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"27D3F37EB6F68FBB9EDC408AAFC6035EF463633CB1D425DD737C0AD4F6A2442EE5857F1FD9BB49C0A3030802642A48CB4AADBAFC7B20B82DE18144D2E360B551\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"is_system\": true, \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Affiliation\", \"type\": \"User\", \"uid\": \"442f881c-61be-11ee-8d6d-0242ac110005\", \"type_id\": 1, \"credential_uid\": \"442f8c40-61be-11ee-858e-0242ac110005\"}, \"tid\": 75, \"uid\": \"442f8fb0-61be-11ee-b4aa-0242ac110005\", \"cmd_line\": \"directive rico hs\", \"container\": {\"name\": \"depot lanes mai\", \"size\": 4170062018, \"uid\": \"442f976c-61be-11ee-8026-0242ac110005\", \"image\": {\"name\": \"inappropriate burden hoped\", \"uid\": \"442f9c62-61be-11ee-81fa-0242ac110005\"}, \"hash\": {\"value\": \"FE9E27DD7BF526B57D69D3BD9FAC33DC\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}}, \"created_time\": 1695272181548, \"namespace_pid\": 5, \"parent_process\": {\"pid\": 4, \"file\": {\"attributes\": 28, \"name\": \"centered.txt\", \"size\": 724911628, \"type\": \"Unknown\", \"path\": \"patrol considers alternative/bargains.xlr/centered.txt\", \"type_id\": 0, \"accessor\": {\"name\": \"Bailey\", \"type\": \"User\", \"uid\": \"442fac66-61be-11ee-b373-0242ac110005\", \"org\": {\"name\": \"nova identification paul\", \"uid\": \"442fb1a2-61be-11ee-9fd5-0242ac110005\", \"ou_name\": \"honors tattoo australian\"}, \"type_id\": 1, \"credential_uid\": \"442fb5ee-61be-11ee-a469-0242ac110005\", \"email_addr\": \"Almeda@representations.biz\"}, \"company_name\": \"Chery Hunter\", \"mime_type\": \"finish/councils\", \"parent_folder\": \"patrol considers alternative/bargains.xlr\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"2E5106CC0168994B4FE52AC9F67394250EE7504DB2DB5DE3CE0AC0A6E01DFA01\", \"algorithm\": 
\"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"37A8A4AF49E5E20E61CF73D569C93D3F839D333C98BADE757EC2C5093C969DBEBC2707A0A2C9B4709FB6986E18991E93BA14C3CC2799E6153B1BEA132224F02B\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Achieving\", \"type\": \"System\", \"uid\": \"442fbf76-61be-11ee-b1ce-0242ac110005\", \"org\": {\"uid\": \"442fc408-61be-11ee-a83e-0242ac110005\", \"ou_name\": \"drunk pt locations\"}, \"groups\": [{\"name\": \"blackberry genetics dsc\", \"uid\": \"442fc93a-61be-11ee-93e5-0242ac110005\", \"privileges\": [\"counter relocation association\", \"precise nurses satisfactory\"]}, {\"name\": \"munich clothing commit\", \"uid\": \"442fcd54-61be-11ee-ab07-0242ac110005\"}], \"type_id\": 3, \"account\": {\"name\": \"batman sprint established\", \"type\": \"Linux Account\", \"type_id\": 9}}, \"uid\": \"442fd27c-61be-11ee-bc32-0242ac110005\", \"session\": {\"uid\": \"442fda56-61be-11ee-93d0-0242ac110005\", \"issuer\": \"vacation obligation refused\", \"created_time\": 1695272181548, \"is_remote\": false}, \"cmd_line\": \"portfolio syracuse zinc\", \"container\": {\"name\": \"extremely bridges jane\", \"size\": 2170520292, \"tag\": \"magnificent nerve ethnic\", \"uid\": \"442fe3ca-61be-11ee-ac04-0242ac110005\", \"image\": {\"uid\": \"442fe870-61be-11ee-8322-0242ac110005\"}, \"hash\": {\"value\": \"E9264147B413746293E539868C8EDFF71715E1E3\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"pod_uuid\": \"save\"}, \"created_time\": 1695272181548, \"namespace_pid\": 10, \"parent_process\": {\"name\": \"Flags\", \"pid\": 12, \"file\": {\"name\": \"stats.cs\", \"size\": 3217957879, \"type\": \"Block Device\", \"path\": \"well vacations concrete/hamburg.vcf/stats.cs\", \"modifier\": {\"type\": \"System\", \"uid\": \"442ff8e2-61be-11ee-bc3b-0242ac110005\", \"type_id\": 3}, \"desc\": \"supporters billy surgeon\", \"product\": {\"name\": \"rare musical oregon\", \"version\": \"1.0.0\", \"uid\": 
\"442ffee6-61be-11ee-b950-0242ac110005\", \"lang\": \"en\", \"vendor_name\": \"moms scholarships pins\"}, \"type_id\": 4, \"parent_folder\": \"well vacations concrete/hamburg.vcf\", \"hashes\": [{\"value\": \"220358975ACF552AE828178DC72009FA5342AB5C33895C6E9E5048EF5BD044736C17B29683CD4CD82D017C7D963FB9AE740735C6D31E956B42C4A45F803F6EDA\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"security_descriptor\": \"dave manufacturing applicant\", \"modified_time_dt\": \"2023-10-03T07:27:11.074123Z\"}, \"user\": {\"name\": \"Rod\", \"type\": \"fiji\", \"uid\": \"44300a4e-61be-11ee-b6bc-0242ac110005\", \"type_id\": 99}, \"uid\": \"44300e5e-61be-11ee-8332-0242ac110005\", \"cmd_line\": \"easter anaheim introductory\", \"container\": {\"name\": \"clone sic tight\", \"size\": 3536383459, \"uid\": \"443013cc-61be-11ee-a273-0242ac110005\", \"image\": {\"name\": \"jonathan calculation incomplete\", \"uid\": \"4430194e-61be-11ee-a776-0242ac110005\"}, \"hash\": {\"value\": \"A63B60EEA4665F00EDDB1E2A8FECCFEA7634F795\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}}, \"created_time\": 1695272181548, \"integrity\": \"guys document multimedia\", \"lineage\": [\"weight anytime gzip\", \"subcommittee milan reasonable\"], \"namespace_pid\": 4, \"parent_process\": {\"name\": \"Vat\", \"pid\": 10, \"file\": {\"name\": \"fioricet.lnk\", \"owner\": {\"name\": \"Vid\", \"type\": \"Admin\", \"uid\": \"44302a6a-61be-11ee-b70a-0242ac110005\", \"type_id\": 2, \"email_addr\": \"Elise@starts.museum\", \"uid_alt\": \"supplied epic spas\"}, \"type\": \"Unknown\", \"uid\": \"44302f24-61be-11ee-99d3-0242ac110005\", \"type_id\": 0, \"company_name\": \"Archie Lesley\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"F7EDAF3282DAFB609C7D421B786486F127371E76\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"security_descriptor\": \"believes airlines granted\"}, \"user\": {\"name\": \"Candles\", \"type\": \"User\", \"domain\": \"restaurants instead occurring\", \"uid\": 
\"443039a6-61be-11ee-8f9f-0242ac110005\", \"type_id\": 1, \"full_name\": \"Margareta Elden\", \"credential_uid\": \"44303eba-61be-11ee-ab60-0242ac110005\"}, \"session\": {\"uid\": \"443043ec-61be-11ee-96c0-0242ac110005\", \"issuer\": \"mediterranean provider something\", \"created_time\": 1695272181548, \"is_remote\": true}, \"loaded_modules\": [\"/timing/norm/crime/apollo/pollution.dwg\"], \"cmd_line\": \"robinson hunter anne\", \"container\": {\"name\": \"magnificent capabilities ideal\", \"size\": 3127592961, \"uid\": \"44305030-61be-11ee-b7e4-0242ac110005\", \"image\": {\"name\": \"mistake baseball jordan\", \"uid\": \"4430571a-61be-11ee-8c37-0242ac110005\"}, \"hash\": {\"value\": \"4B4AACD68CE2D5C32C8437FC88E56923FA0DDADFEA6532D34FA536A344FDD0F482CB0159A5237950B31A7F3D097FED596515444734A2DF56CF7D38A74DCA94D7\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}}, \"created_time\": 1695272181548, \"integrity\": \"reality\", \"integrity_id\": 99, \"namespace_pid\": 41, \"parent_process\": {\"name\": \"Cart\", \"pid\": 36, \"file\": {\"name\": \"ts.exe\", \"owner\": {\"name\": \"Commander\", \"type\": \"motherboard\", \"domain\": \"andale museum reality\", \"uid\": \"44306aca-61be-11ee-be86-0242ac110005\", \"type_id\": 99, \"credential_uid\": \"44306ef8-61be-11ee-b8fd-0242ac110005\", \"uid_alt\": \"verzeichnis prefer soccer\"}, \"type\": \"Regular File\", \"type_id\": 1, \"confidentiality\": \"Not Confidential\", \"confidentiality_id\": 1, \"hashes\": [{\"value\": \"ADCAA40050F92C2A48474F33D6E697529CA1D0BD1FCC6D553290E4655C5F0BA7FAB42B475667A0C8EAD38187E3AFBE5AC9C7F3A68C87167BCF01080031CE50FB\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"D1F34CA31A773B2BDD48DB8EC34E2B88EA9746B72EB845256BE259CA7D5D9E5F\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"xattributes\": {}}, \"user\": {\"name\": \"Editorial\", \"type\": \"Unknown\", \"uid\": \"44307e70-61be-11ee-a962-0242ac110005\", \"org\": {\"name\": \"insulin identical prizes\", \"uid\": 
\"44308564-61be-11ee-abd1-0242ac110005\"}, \"type_id\": 0, \"account\": {\"name\": \"hewlett then appendix\", \"type\": \"GCP Account\", \"type_id\": 5}}, \"uid\": \"44308c3a-61be-11ee-93fe-0242ac110005\", \"cmd_line\": \"territories year excluded\", \"created_time\": 1695272181548, \"namespace_pid\": 51, \"parent_process\": {\"name\": \"Identical\", \"file\": {\"name\": \"underwear.sdf\", \"type\": \"Named Pipe\", \"version\": \"1.0.0\", \"path\": \"writer photoshop lane/st.sdf/underwear.sdf\", \"type_id\": 6, \"company_name\": \"Rosendo Grace\", \"parent_folder\": \"writer photoshop lane/st.sdf\", \"confidentiality\": \"cut salt catch\", \"created_time\": 1695272181548, \"hashes\": [{\"value\": \"0F4CF4B2CE58DE3BF03D760DE38955BF246F80BAB6F81927F253AB5D9773EB75\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"647878B29B754A911F330D47137E3068A61F6185ED78B1AA43695E4A1D98607D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time_dt\": \"2023-10-03T07:27:11.078126Z\"}, \"user\": {\"name\": \"Spank\", \"type\": \"User\", \"uid\": \"4430a878-61be-11ee-af22-0242ac110005\", \"org\": {\"name\": \"von reservoir moore\", \"uid\": \"4430adc8-61be-11ee-b4ba-0242ac110005\", \"ou_name\": \"photos nat eds\", \"ou_uid\": \"4430b502-61be-11ee-8f5b-0242ac110005\"}, \"type_id\": 1, \"credential_uid\": \"4430b912-61be-11ee-8411-0242ac110005\", \"email_addr\": \"Ena@hearing.int\"}, \"cmd_line\": \"suited pace informal\", \"container\": {\"name\": \"elegant rankings wild\", \"size\": 2933994191, \"uid\": \"4430bf98-61be-11ee-b010-0242ac110005\", \"hash\": {\"value\": \"6F4F28E68A201B8127A08D889356FCFA0C736B9FD1330596E58F7D1669820A151705235B2F41C93CE5159EC808FE328BCED0BBC02E6C20382443EBB5ACDD6023\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"network_driver\": \"what belgium used\", \"orchestrator\": \"everyone ho alternative\", \"pod_uuid\": \"rocky\"}, \"created_time\": 1695272181548, \"namespace_pid\": 66, \"parent_process\": {\"name\": 
\"Documentation\", \"pid\": 70, \"file\": {\"name\": \"space.js\", \"size\": 3135869827, \"type\": \"Regular File\", \"version\": \"1.0.0\", \"path\": \"cookbook dc effort/abc.pkg/space.js\", \"type_id\": 1, \"parent_folder\": \"cookbook dc effort/abc.pkg\", \"hashes\": [{\"value\": \"7F572F2B5A5DED4063EF1594729C97543A900961\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"D6CDFD95B6030B86B739AC2B7575BA411041446BFEF23DF7765EC4B470C9A5D2E182599FBA3C539E0EBEAF5E656A808285FED2455EB8F7E802ABD6245CB543FC\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"modified_time\": 1695272181548}, \"user\": {\"name\": \"Ser\", \"type\": \"boom\", \"org\": {\"ou_name\": \"officials watches house\"}, \"type_id\": 99, \"account\": {\"name\": \"pas jacob personals\", \"type\": \"GCP Account\", \"uid\": \"4430d578-61be-11ee-ab48-0242ac110005\", \"type_id\": 5}, \"email_addr\": \"Charlette@anytime.jobs\"}, \"uid\": \"4430d9d8-61be-11ee-a2ef-0242ac110005\", \"cmd_line\": \"adolescent agreements wooden\", \"container\": {\"name\": \"sparc memphis paid\", \"size\": 3567867280, \"tag\": \"agency ended lambda\", \"uid\": \"4430dfe6-61be-11ee-bbae-0242ac110005\", \"hash\": {\"value\": \"6DBDD59AB542C91F19905B4D8672B5320DCBA285\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, \"orchestrator\": \"workstation opening cambridge\", \"pod_uuid\": \"rendering\"}, \"integrity\": \"podcasts owned how\", \"namespace_pid\": 79, \"parent_process\": {\"name\": \"Triangle\", \"pid\": 76, \"file\": {\"name\": \"xl.php\", \"type\": \"Symbolic Link\", \"path\": \"beneath among lands/resort.cbr/xl.php\", \"desc\": \"panic united modeling\", \"type_id\": 7, \"parent_folder\": \"beneath among lands/resort.cbr\", \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"value\": \"9A5751D5ACECF26FF7EB2B33C144EFCE1C69FE9A\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"F803B26388365E33184D5CC145D868E1B8DF74D5\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], 
\"is_system\": false, \"xattributes\": {}, \"accessed_time_dt\": \"2023-10-03T07:27:11.080165Z\"}, \"user\": {\"type\": \"System\", \"uid\": \"4430f40e-61be-11ee-86fe-0242ac110005\", \"org\": {\"name\": \"important analog unnecessary\", \"uid\": \"4430faee-61be-11ee-b642-0242ac110005\", \"ou_name\": \"highlights douglas manufacturer\"}, \"groups\": [{\"name\": \"go prohibited oxford\", \"uid\": \"44310066-61be-11ee-99fb-0242ac110005\"}], \"type_id\": 3}, \"tid\": 20, \"uid\": \"443103fe-61be-11ee-8306-0242ac110005\", \"container\": {\"name\": \"flex operational statistical\", \"uid\": \"4431094e-61be-11ee-a229-0242ac110005\", \"hash\": {\"value\": \"4DA1DD452B8D517803494B5E00054136CCF55DF19FF70469451D438255FC03B1FA45BB3A48C03F49FCCE16708623DA0458F11C60EC6D10453E6D6AB6C6492E15\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"orchestrator\": \"performed gadgets bank\", \"pod_uuid\": \"password\"}, \"created_time\": 1695272181548, \"namespace_pid\": 98}}}, \"sandbox\": \"pendant funds intervals\", \"terminated_time_dt\": \"2023-10-03T07:27:11.080957Z\"}, \"xattributes\": {}, \"terminated_time_dt\": \"2023-10-03T07:27:11.080979Z\"}, \"sandbox\": \"earl manually converter\"}}, \"sandbox\": \"mexican broadway volleyball\", \"terminated_time_dt\": \"2023-10-03T07:27:11.081001Z\"}, \"xattributes\": {}}, \"created_time_dt\": \"2023-10-03T07:27:11.081016Z\"}, \"sandbox\": \"deep simply nn\", \"xattributes\": {}}, \"sandbox\": \"repeat checked peace\", \"xattributes\": {}, \"terminated_time_dt\": \"2023-10-03T07:27:11.081046Z\"}, \"sandbox\": \"rational girls corner\"}, \"created_time_dt\": \"2023-10-03T07:27:11.081059Z\", \"terminated_time_dt\": \"2023-10-03T07:27:11.081081Z\"}, \"user\": {\"type\": \"System\", \"uid\": \"4431189e-61be-11ee-bc71-0242ac110005\", \"type_id\": 3, \"credential_uid\": \"44311cae-61be-11ee-9f07-0242ac110005\"}}, \"actual_permissions\": 48, \"cloud\": {\"provider\": \"nu connector termination\", \"region\": \"lose activists occurred\"}, 
\"end_time\": 1695272181548, \"severity_id\": 99, \"status_id\": 99}", - "event": { - "action": "set user id", - "category": [ - "process" - ], - "code": "paths", - "end": "2023-09-21T04:56:21.548000Z", - "kind": "event", - "provider": "gays consultation motivated", - "severity": 99, - "start": "2023-09-21T04:56:21.548000Z", - "type": [ - "info" - ] - }, - "@timestamp": "2023-09-21T04:56:21.548000Z", - "cloud": { - "provider": "nu connector termination", - "region": "lose activists occurred" - }, - "container": { - "id": "442ca070-61be-11ee-b847-0242ac110005", - "image": { - "name": "janet flights pct", - "tag": [ - "reporter calculator population" - ] - }, - "name": "disabled underlying prerequisite", - "runtime": "ntsc replacing emotional" - }, - "file": { - "accessed": "2023-10-03T07:27:11.051398Z", - "directory": "district moment specs/consolidation.mp3", - "name": "game.crdownload", - "path": "district moment specs/consolidation.mp3/game.crdownload", - "type": "Symbolic Link" - }, - "host": { - "geo": { - "city_name": "Guidance marijuana", - "continent_name": "North America", - "country_iso_code": "AG", - "location": { - "lat": -39.2278, - "lon": 139.683 - }, - "name": "Antigua and Barbuda" - }, - "hostname": "bags.coop", - "id": "442a8524-61be-11ee-a4cc-0242ac110005", - "ip": [ - "81.2.69.142" - ], - "name": "bags.coop", - "risk": { - "static_score": 44 - }, - "type": "Virtual" - }, - "ocsf": { - "activity_id": 5, - "activity_name": "Set User ID", - "class_name": "Process Activity", - "class_uid": 1007 - }, - "process": { - "command_line": "wrist teach engaging", - "entity_id": "442c9a58-61be-11ee-8992-0242ac110005", - "name": "Woman", - "parent": { - "command_line": "shopzilla signal shift", - "entity_id": "442d08c6-61be-11ee-9eea-0242ac110005", - "name": "Undergraduate", - "pid": 18, - "start": "2023-09-21T04:56:21.548000Z", - "thread": { - "id": 18 - }, - "user": { - "group": { - "id": [], - "name": [] - }, - "id": [ - 
"442d0416-61be-11ee-8f5e-0242ac110005" - ] - } - }, - "pid": 99, - "start": "2023-09-21T04:56:21.548000Z", - "user": { - "group": { - "id": [], - "name": [] - }, - "id": [ - "442c90bc-61be-11ee-8334-0242ac110005" - ], - "name": "Laboratory" - } - }, - "related": { - "hosts": [ - "bags.coop" - ], - "ip": [ - "81.2.69.142" - ] - }, - "threat": { - "technique": { - "id": [ - "T1100", - "T1546.008" - ], - "name": [ - "Accessibility Features", - "Web Shell" - ] - } - }, - "user": { - "group": { - "id": [], - "name": [] - }, - "id": "4431189e-61be-11ee-bc71-0242ac110005" - } - } -} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_system_activity_7.json b/OCSF/ocsf/tests/test_system_activity_7.json deleted file mode 100644 index 2160c2ea2..000000000 --- a/OCSF/ocsf/tests/test_system_activity_7.json +++ /dev/null 
@@ -1,74 +0,0 @@ -{ - "input": { - "message": "{\"message\": \"jerry mailing blog\", \"status\": \"acdbentity\", \"time\": 1706875973927207, \"device\": {\"name\": \"puzzles ds ellis\", \"type\": \"Desktop\", \"os\": {\"name\": \"cisco nepal saw\", \"type\": \"Linux\", \"type_id\": 200}, \"ip\": \"179.27.89.37\", \"desc\": \"ferrari happens proceedings\", \"uid\": \"64854ab4-c1c4-11ee-aa4b-0242ac110005\", \"hostname\": \"chi.store\", \"type_id\": 2, \"created_time\": 1706875973926694, \"hypervisor\": \"sets denmark contractor\", \"instance_uid\": \"64852b74-c1c4-11ee-b377-0242ac110005\", \"interface_name\": \"perfume sensor min\", \"interface_uid\": \"6485370e-c1c4-11ee-9d9a-0242ac110005\", \"region\": \"measured shuttle adjust\", \"risk_score\": 88, \"uid_alt\": \"eden gym amendments\", \"zone\": \"organizations tool portsmouth\"}, \"metadata\": {\"version\": \"1.1.0\", \"product\": {\"version\": \"1.1.0\", \"uid\": \"6484ff28-c1c4-11ee-a148-0242ac110005\", \"vendor_name\": \"spray villas invasion\"}, \"sequence\": 40, \"profiles\": [], \"log_name\": \"pas personality bend\", \"log_provider\": \"estate oklahoma person\", \"original_time\": \"occupational famous considerable\", \"tenant_uid\": \"64851030-c1c4-11ee-bc6c-0242ac110005\"}, \"start_time\": 1706875973923178, \"severity\": \"Critical\", \"timezone_offset\": 97, \"activity_id\": 3, \"class_uid\": 1006, \"type_uid\": 100603, \"type_name\": \"Scheduled Job Activity: Delete\", \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Scheduled Job Activity\", \"activity_name\": \"Delete\", \"job\": {\"name\": \"medicine discussed parliament\", \"file\": {\"name\": \"med.kml\", \"owner\": {\"name\": \"Bingo\", \"type\": \"quantity\", \"uid\": \"64856224-c1c4-11ee-a77b-0242ac110005\", \"org\": {\"name\": \"nfl she dramatically\", \"uid\": \"64857052-c1c4-11ee-b91a-0242ac110005\", \"ou_name\": \"vernon proven formal\"}, \"type_id\": 99, \"credential_uid\": 
\"64857534-c1c4-11ee-ad19-0242ac110005\", \"uid_alt\": \"balance butterfly written\"}, \"type\": \"Folder\", \"path\": \"advanced producing remember/brisbane.com/med.kml\", \"desc\": \"calvin shirt others\", \"uid\": \"64857a66-c1c4-11ee-b8fc-0242ac110005\", \"parent_folder\": \"advanced producing remember/brisbane.com\", \"type_id\": 2, \"accessed_time\": 1706875973928416, \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"value\": \"5F806F5374EEDA36778A9CB8F6904267DAD70BC16D49050318A7ADD6D3A595556AE8B2B1F1B94905452FB371CDBACA5332BE97B440BB189A504ABDF93690CB80\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"59AE856CD788D0F57E39FDD66D421BA930CD89BE4682DE3AA36C22A2021A710D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"is_system\": false}, \"desc\": \"ruth worldwide mild\", \"cmd_line\": \"hundreds strategic deutschland\", \"created_time\": 1706875973928530, \"last_run_time\": 1706875973928534, \"run_state\": \"Queued\", \"run_state_id\": 2}, \"severity_id\": 5, \"status_id\": 99}", - "sekoiaio": { - "intake": { - "dialect": "OCSF", - "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" - } - } - }, - "expected": { - "message": "{\"message\": \"jerry mailing blog\", \"status\": \"acdbentity\", \"time\": 1706875973927207, \"device\": {\"name\": \"puzzles ds ellis\", \"type\": \"Desktop\", \"os\": {\"name\": \"cisco nepal saw\", \"type\": \"Linux\", \"type_id\": 200}, \"ip\": \"179.27.89.37\", \"desc\": \"ferrari happens proceedings\", \"uid\": \"64854ab4-c1c4-11ee-aa4b-0242ac110005\", \"hostname\": \"chi.store\", \"type_id\": 2, \"created_time\": 1706875973926694, \"hypervisor\": \"sets denmark contractor\", \"instance_uid\": \"64852b74-c1c4-11ee-b377-0242ac110005\", \"interface_name\": \"perfume sensor min\", \"interface_uid\": \"6485370e-c1c4-11ee-9d9a-0242ac110005\", \"region\": \"measured shuttle adjust\", \"risk_score\": 88, \"uid_alt\": \"eden gym amendments\", \"zone\": \"organizations tool 
portsmouth\"}, \"metadata\": {\"version\": \"1.1.0\", \"product\": {\"version\": \"1.1.0\", \"uid\": \"6484ff28-c1c4-11ee-a148-0242ac110005\", \"vendor_name\": \"spray villas invasion\"}, \"sequence\": 40, \"profiles\": [], \"log_name\": \"pas personality bend\", \"log_provider\": \"estate oklahoma person\", \"original_time\": \"occupational famous considerable\", \"tenant_uid\": \"64851030-c1c4-11ee-bc6c-0242ac110005\"}, \"start_time\": 1706875973923178, \"severity\": \"Critical\", \"timezone_offset\": 97, \"activity_id\": 3, \"class_uid\": 1006, \"type_uid\": 100603, \"type_name\": \"Scheduled Job Activity: Delete\", \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Scheduled Job Activity\", \"activity_name\": \"Delete\", \"job\": {\"name\": \"medicine discussed parliament\", \"file\": {\"name\": \"med.kml\", \"owner\": {\"name\": \"Bingo\", \"type\": \"quantity\", \"uid\": \"64856224-c1c4-11ee-a77b-0242ac110005\", \"org\": {\"name\": \"nfl she dramatically\", \"uid\": \"64857052-c1c4-11ee-b91a-0242ac110005\", \"ou_name\": \"vernon proven formal\"}, \"type_id\": 99, \"credential_uid\": \"64857534-c1c4-11ee-ad19-0242ac110005\", \"uid_alt\": \"balance butterfly written\"}, \"type\": \"Folder\", \"path\": \"advanced producing remember/brisbane.com/med.kml\", \"desc\": \"calvin shirt others\", \"uid\": \"64857a66-c1c4-11ee-b8fc-0242ac110005\", \"parent_folder\": \"advanced producing remember/brisbane.com\", \"type_id\": 2, \"accessed_time\": 1706875973928416, \"confidentiality\": \"Secret\", \"confidentiality_id\": 3, \"hashes\": [{\"value\": \"5F806F5374EEDA36778A9CB8F6904267DAD70BC16D49050318A7ADD6D3A595556AE8B2B1F1B94905452FB371CDBACA5332BE97B440BB189A504ABDF93690CB80\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"59AE856CD788D0F57E39FDD66D421BA930CD89BE4682DE3AA36C22A2021A710D\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"is_system\": false}, \"desc\": \"ruth worldwide mild\", \"cmd_line\": 
\"hundreds strategic deutschland\", \"created_time\": 1706875973928530, \"last_run_time\": 1706875973928534, \"run_state\": \"Queued\", \"run_state_id\": 2}, \"severity_id\": 5, \"status_id\": 99}", - "event": { - "action": "delete", - "category": [], - "kind": "event", - "provider": "estate oklahoma person", - "sequence": 40, - "severity": 5, - "start": "2024-02-02T12:12:53.923178Z", - "type": [] - }, - "@timestamp": "2024-02-02T12:12:53.927207Z", - "file": { - "accessed": "2024-02-02T12:12:53.928416Z", - "directory": "advanced producing remember/brisbane.com", - "hash": { - "sha256": "59AE856CD788D0F57E39FDD66D421BA930CD89BE4682DE3AA36C22A2021A710D" - }, - "inode": "64857a66-c1c4-11ee-b8fc-0242ac110005", - "name": "med.kml", - "owner": "Bingo", - "path": "advanced producing remember/brisbane.com/med.kml", - "type": "Folder", - "uid": "64856224-c1c4-11ee-a77b-0242ac110005" - }, - "host": { - "hostname": "chi.store", - "id": "64854ab4-c1c4-11ee-aa4b-0242ac110005", - "ip": [ - "179.27.89.37" - ], - "name": "chi.store", - "os": { - "name": "cisco nepal saw", - "type": "Linux" - }, - "risk": { - "static_score": 88 - }, - "type": "Desktop" - }, - "ocsf": { - "activity_id": 3, - "activity_name": "Delete", - "class_name": "Scheduled Job Activity", - "class_uid": 1006 - }, - "related": { - "hash": [ - "59AE856CD788D0F57E39FDD66D421BA930CD89BE4682DE3AA36C22A2021A710D" - ], - "hosts": [ - "chi.store" - ], - "ip": [ - "179.27.89.37" - ], - "user": [ - "Bingo" - ] - } - } -} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_vulnerability_finding_1.json b/OCSF/ocsf/tests/test_vulnerability_finding_1.json new file mode 100644 index 000000000..89ec9b0a7 --- /dev/null +++ b/OCSF/ocsf/tests/test_vulnerability_finding_1.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Vulnerability Finding\", \"class_uid\": 2002, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"finding_info\": {\"created_time_dt\": \"2023-04-21T11:59:04.000-04:00\", \"desc\": \"Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\\nplatform contains a bug that could cause it to read past the input buffer,\\nleading to a crash.\\n\\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\\nused for disk encryption.\\n\\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\\nbuffer is unmapped, this will trigger a crash which results in a denial of\\nservice.\\n\\nIf an attacker can control the size and location of the ciphertext buffer\\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\\napplication is affected. 
This is fairly unlikely making this issue\\na Low severity one.\", \"first_seen_time_dt\": \"2023-04-21T11:59:04.000-04:00\", \"last_seen_time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"modified_time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"title\": \"CVE-2023-1255 - openssl\", \"types\": [\"Software and Configuration Checks/Vulnerabilities/CVE\"], \"uid\": \"arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5\"}, \"metadata\": {\"log_version\": \"2018-10-08\", \"processed_time_dt\": \"2024-01-26T17:59:56.923-05:00\", \"product\": {\"feature\": {\"uid\": \"AWSInspector\"}, \"name\": \"Inspector\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/inspector\", \"vendor_name\": \"Amazon\", \"version\": \"2\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"resource.uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\"}], \"resource\": {\"cloud_partition\": \"aws\", \"data\": \"{\\\"AwsEcrContainerImage\\\":{\\\"Architecture\\\":\\\"amd64\\\",\\\"ImageDigest\\\":\\\"sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\\\",\\\"ImagePublishedAt\\\":\\\"2023-04-11T21:07:55Z\\\",\\\"RegistryId\\\":\\\"111111111111\\\",\\\"RepositoryName\\\":\\\"browserhostingstack-EXAMPLE-btb1o54yh1jr\\\"}}\", \"region\": \"us-east-2\", \"type\": \"AwsEcrContainerImage\", \"uid\": \"arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\"}, \"severity\": \"Medium\", \"severity_id\": 3, \"status\": \"New\", \"time\": 1706307554000, \"time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"type_name\": \"Vulnerability Finding: Update\", \"type_uid\": 200202, \"unmapped\": {\"FindingProviderFields.Severity.Label\": 
\"MEDIUM\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Vulnerabilities/CVE\", \"ProductFields.aws/inspector/FindingStatus\": \"ACTIVE\", \"ProductFields.aws/inspector/inspectorScore\": \"5.9\", \"ProductFields.aws/inspector/packageVulnerabilityDetails/vulnerablePackages/sourceLayerHashes\": \"sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09\", \"ProductFields.aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform\": \"ALPINE_LINUX_3_17\", \"ProductFields.aws/securityhub/CompanyName\": \"Amazon\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/inspector/arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5\", \"ProductFields.aws/securityhub/ProductName\": \"Inspector\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"40\", \"Vulnerabilities[].Cvss[].Source\": \"NVD,NVD\", \"Vulnerabilities[].Vendor.VendorSeverity\": \"MEDIUM\", \"Vulnerabilities[].VulnerablePackages[].SourceLayerHash\": \"sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09\", \"WorkflowState\": \"NEW\"}, \"vulnerabilities\": [{\"affected_packages\": [{\"architecture\": \"X86_64\", \"epoch\": 0, \"fixed_in_version\": \"0:3.0.8-r4\", \"name\": \"openssl\", \"package_manager\": \"OS\", \"release\": \"r3\", \"remediation\": {\"desc\": \"apk update && apk upgrade openssl\"}, \"version\": \"3.0.8\"}], \"cve\": {\"created_time_dt\": \"2023-04-20T13:15:06.000-04:00\", \"cvss\": [{\"base_score\": 5.9, \"vector_string\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}, {\"base_score\": 5.9, \"vector_string\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}], \"epss\": {\"score\": \"0.00066\"}, \"modified_time_dt\": \"2023-09-08T13:15:15.000-04:00\", \"references\": [\"https://nvd.nist.gov/vuln/detail/CVE-2023-1255\"], \"uid\": \"CVE-2023-1255\"}, \"is_exploit_available\": true, 
\"is_fix_available\": true, \"references\": [\"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bc2f61ad70971869b242fc1cb445b98bad50074a\", \"https://www.openssl.org/news/secadv/20230419.txt\", \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=02ac9c9420275868472f33b01def01218742b8bb\"], \"remediation\": {\"desc\": \"Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON.\"}, \"vendor_name\": \"NVD\"}]}" + }, + "expected": { + "message": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Vulnerability Finding\", \"class_uid\": 2002, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"finding_info\": {\"created_time_dt\": \"2023-04-21T11:59:04.000-04:00\", \"desc\": \"Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\\nplatform contains a bug that could cause it to read past the input buffer,\\nleading to a crash.\\n\\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\\nused for disk encryption.\\n\\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\\nbuffer is unmapped, this will trigger a crash which results in a denial of\\nservice.\\n\\nIf an attacker can control the size and location of the ciphertext buffer\\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\\napplication is affected. 
This is fairly unlikely making this issue\\na Low severity one.\", \"first_seen_time_dt\": \"2023-04-21T11:59:04.000-04:00\", \"last_seen_time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"modified_time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"title\": \"CVE-2023-1255 - openssl\", \"types\": [\"Software and Configuration Checks/Vulnerabilities/CVE\"], \"uid\": \"arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5\"}, \"metadata\": {\"log_version\": \"2018-10-08\", \"processed_time_dt\": \"2024-01-26T17:59:56.923-05:00\", \"product\": {\"feature\": {\"uid\": \"AWSInspector\"}, \"name\": \"Inspector\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/inspector\", \"vendor_name\": \"Amazon\", \"version\": \"2\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"resource.uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\"}], \"resource\": {\"cloud_partition\": \"aws\", \"data\": \"{\\\"AwsEcrContainerImage\\\":{\\\"Architecture\\\":\\\"amd64\\\",\\\"ImageDigest\\\":\\\"sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\\\",\\\"ImagePublishedAt\\\":\\\"2023-04-11T21:07:55Z\\\",\\\"RegistryId\\\":\\\"111111111111\\\",\\\"RepositoryName\\\":\\\"browserhostingstack-EXAMPLE-btb1o54yh1jr\\\"}}\", \"region\": \"us-east-2\", \"type\": \"AwsEcrContainerImage\", \"uid\": \"arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\"}, \"severity\": \"Medium\", \"severity_id\": 3, \"status\": \"New\", \"time\": 1706307554000, \"time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"type_name\": \"Vulnerability Finding: Update\", \"type_uid\": 200202, \"unmapped\": {\"FindingProviderFields.Severity.Label\": 
\"MEDIUM\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Vulnerabilities/CVE\", \"ProductFields.aws/inspector/FindingStatus\": \"ACTIVE\", \"ProductFields.aws/inspector/inspectorScore\": \"5.9\", \"ProductFields.aws/inspector/packageVulnerabilityDetails/vulnerablePackages/sourceLayerHashes\": \"sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09\", \"ProductFields.aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform\": \"ALPINE_LINUX_3_17\", \"ProductFields.aws/securityhub/CompanyName\": \"Amazon\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/inspector/arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5\", \"ProductFields.aws/securityhub/ProductName\": \"Inspector\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"40\", \"Vulnerabilities[].Cvss[].Source\": \"NVD,NVD\", \"Vulnerabilities[].Vendor.VendorSeverity\": \"MEDIUM\", \"Vulnerabilities[].VulnerablePackages[].SourceLayerHash\": \"sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09\", \"WorkflowState\": \"NEW\"}, \"vulnerabilities\": [{\"affected_packages\": [{\"architecture\": \"X86_64\", \"epoch\": 0, \"fixed_in_version\": \"0:3.0.8-r4\", \"name\": \"openssl\", \"package_manager\": \"OS\", \"release\": \"r3\", \"remediation\": {\"desc\": \"apk update && apk upgrade openssl\"}, \"version\": \"3.0.8\"}], \"cve\": {\"created_time_dt\": \"2023-04-20T13:15:06.000-04:00\", \"cvss\": [{\"base_score\": 5.9, \"vector_string\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}, {\"base_score\": 5.9, \"vector_string\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}], \"epss\": {\"score\": \"0.00066\"}, \"modified_time_dt\": \"2023-09-08T13:15:15.000-04:00\", \"references\": [\"https://nvd.nist.gov/vuln/detail/CVE-2023-1255\"], \"uid\": \"CVE-2023-1255\"}, \"is_exploit_available\": true, 
\"is_fix_available\": true, \"references\": [\"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bc2f61ad70971869b242fc1cb445b98bad50074a\", \"https://www.openssl.org/news/secadv/20230419.txt\", \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=02ac9c9420275868472f33b01def01218742b8bb\"], \"remediation\": {\"desc\": \"Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON.\"}, \"vendor_name\": \"NVD\"}]}", + "event": { + "action": "update", + "category": [], + "severity": 3, + "type": [] + }, + "@timestamp": "2024-01-26T22:19:14Z", + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "AWS", + "region": "us-east-2" + }, + "ocsf": { + "activity_id": 2, + "activity_name": "Update", + "class_name": "Vulnerability Finding", + "class_uid": 2002 + }, + "vulnerability": { + "description": [ + "" + ], + "id": [ + "CVE-2023-1255" + ], + "scanner": { + "vendor": [ + "NVD" + ] + }, + "score": { + "version": [ + "" + ] + }, + "severity": [ + "" + ] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_windows_resource_activity_1.json b/OCSF/ocsf/tests/test_windows_resource_activity_1.json new file mode 100644 index 000000000..3938392f9 --- /dev/null +++ b/OCSF/ocsf/tests/test_windows_resource_activity_1.json 
@@ -0,0 +1,22 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Access\", \"actor\": {\"process\": {\"file\": {\"name\": \"services.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 532}, \"session\": {\"uid\": \"0x3e7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"SOI\", \"name\": \"SZUSOIDC1$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Windows Resource Activity\", \"class_uid\": 1010, \"device\": {\"hostname\": \"szusoidc1.soi.dir.acme080.com\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"message\": \"An attempt was made to access an object.\", \"metadata\": {\"original_time\": \"01/14/2015 08:30:54 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"05e90f2c-5be6-484c-aefb-f8e6f591bd2c\", \"version\": \"1.0.0-rc.2\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1421285454000, \"type_name\": \"Windows Resource Activity: Access\", \"type_uid\": 101001, \"unmapped\": {\"Access Mask\": \"0x2\", \"Access Request Information\": {\"Accesses\": \"Set key value\"}, \"CaseID\": \"AD_4663\", \"EventCode\": \"4663\", \"EventType\": \"0\", \"Object\": {\"Object Server\": \"Security\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"989202992\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Registry\"}, \"win_resource\": {\"name\": \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\EventLog\\\\Security\", \"type\": \"Key\", \"type_id\": 25, \"uid\": \"0x564\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, 
\"activity_name\": \"Access\", \"actor\": {\"process\": {\"file\": {\"name\": \"services.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 532}, \"session\": {\"uid\": \"0x3e7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"SOI\", \"name\": \"SZUSOIDC1$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Windows Resource Activity\", \"class_uid\": 1010, \"device\": {\"hostname\": \"szusoidc1.soi.dir.acme080.com\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"message\": \"An attempt was made to access an object.\", \"metadata\": {\"original_time\": \"01/14/2015 08:30:54 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"05e90f2c-5be6-484c-aefb-f8e6f591bd2c\", \"version\": \"1.0.0-rc.2\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1421285454000, \"type_name\": \"Windows Resource Activity: Access\", \"type_uid\": 101001, \"unmapped\": {\"Access Mask\": \"0x2\", \"Access Request Information\": {\"Accesses\": \"Set key value\"}, \"CaseID\": \"AD_4663\", \"EventCode\": \"4663\", \"EventType\": \"0\", \"Object\": {\"Object Server\": \"Security\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"989202992\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Registry\"}, \"win_resource\": {\"name\": \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\EventLog\\\\Security\", \"type\": \"Key\", \"type_id\": 25, \"uid\": \"0x564\"}}", + "event": { + "action": "access", + "category": [], + "outcome": "success", + "severity": 1, + "type": [] + }, + "@timestamp": 
"2015-01-15T01:30:54Z", + "ocsf": { + "activity_id": 1, + "activity_name": "Access", + "class_name": "Windows Resource Activity", + "class_uid": 1010 + } + } +} \ No newline at end of file From 5ef9ed00fd42490b74007b5746e607d5d9f52ed2 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Thu, 25 Apr 2024 15:53:03 +0300 Subject: [PATCH 25/34] Improve parser --- OCSF/ocsf/ingest/parser.yml | 1 + OCSF/ocsf/tests/test_compliance_finding_1.json | 12 ------------ OCSF/ocsf/tests/test_detection_finding_1.json | 12 ------------ OCSF/ocsf/tests/test_security_finding_1.json | 12 ------------ OCSF/ocsf/tests/test_security_finding_2.json | 12 ------------ OCSF/ocsf/tests/test_security_finding_3.json | 12 ------------ OCSF/ocsf/tests/test_security_finding_4.json | 12 ------------ OCSF/ocsf/tests/test_security_finding_5.json | 12 ------------ OCSF/ocsf/tests/test_security_finding_6.json | 12 ------------ 9 files changed, 1 insertion(+), 96 deletions(-) diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml index 61f7255e3..358990e0e 100644 --- a/OCSF/ocsf/ingest/parser.yml +++ b/OCSF/ocsf/ingest/parser.yml @@ -861,6 +861,7 @@ stages: [{%- for item in parse_event.message.vulnerabilities -%}'{{item.severity}}',{%- endfor -%}] vulnerability.scanner.vendor: > [{%- for item in parse_event.message.vulnerabilities -%}'{{item.vendor_name}}',{%- endfor -%}] + filter: "{{parse_event.message.vulnerabilities != null}}" pipeline_category_identity_and_access_management: actions: diff --git a/OCSF/ocsf/tests/test_compliance_finding_1.json b/OCSF/ocsf/tests/test_compliance_finding_1.json index 4a6672f83..5b2f713c5 100644 --- a/OCSF/ocsf/tests/test_compliance_finding_1.json +++ b/OCSF/ocsf/tests/test_compliance_finding_1.json 
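Review bot: The expected output asserts only `event`, `@timestamp` and the four `ocsf.*` fields, so the fixture accepts dropping everything that makes this 4663 registry-access event useful for detection: `actor.user` (`SZUSOIDC1$`, `NT AUTHORITY\\SYSTEM`), `actor.process.file.path` (`services.exe`, pid 532), `device.hostname` and the `win_resource.name` registry key. If class 1010 is meant to be supported rather than merely recognised, the expectation should include at least `host.hostname`, `user.name`, `process.pid` and the key path (ECS `registry.path`), in line with how the other fixtures in this series populate `host`/`user`/`process`. The mapping lives in parser.yml outside this hunk, so this may be a parser gap that the fixture is only recording.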
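Review bot: The added `filter` only skips the block when `vulnerabilities` is null; when the array exists but an item lacks `severity` or `vendor_name`, the `'{{item.severity}}',` templates still emit `''` elements, which is exactly what the test_vulnerability_finding_1 fixture in this series expects (`"severity": [""]`). Guarding per item, e.g. `{%- for item in parse_event.message.vulnerabilities -%}{%- if item.severity -%}'{{item.severity}}',{%- endif -%}{%- endfor -%}`, would keep empty placeholders out of the ECS fields. Separately, building the list literal by wrapping log-supplied values in single quotes means a vendor string containing `'` yields a malformed list; whether that fails closed or corrupts the field depends on how the rendered string is parsed downstream, which is not visible here. The enclosing action starts outside the hunk.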
@@ -23,18 +23,6 @@ "activity_name": "Update", "class_name": "Compliance Finding", "class_uid": 2003 - }, - "vulnerability": { - "description": [], - "id": [], - "scanner": { - "vendor": [] - }, - "score": { - "base": [], - "version": [] - }, - "severity": [] } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_detection_finding_1.json b/OCSF/ocsf/tests/test_detection_finding_1.json index 21f6f7051..15c53b791 100644 --- a/OCSF/ocsf/tests/test_detection_finding_1.json +++ b/OCSF/ocsf/tests/test_detection_finding_1.json @@ -23,18 +23,6 @@ "activity_name": "Create", "class_name": "Detection Finding", "class_uid": 2004 - }, - "vulnerability": { - "description": [], - "id": [], - "scanner": { - "vendor": [] - }, - "score": { - "base": [], - "version": [] - }, - "severity": [] } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_security_finding_1.json b/OCSF/ocsf/tests/test_security_finding_1.json index 9b7fec197..e00c6e9af 100644 --- a/OCSF/ocsf/tests/test_security_finding_1.json +++ b/OCSF/ocsf/tests/test_security_finding_1.json @@ -18,18 +18,6 @@ "activity_id": 1, "activity_name": "Generate", "class_uid": 2001 - }, - "vulnerability": { - "description": [], - "id": [], - "scanner": { - "vendor": [] - }, - "score": { - "base": [], - "version": [] - }, - "severity": [] } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_security_finding_2.json b/OCSF/ocsf/tests/test_security_finding_2.json index a4d8a09ea..de5be72c2 100644 --- a/OCSF/ocsf/tests/test_security_finding_2.json +++ b/OCSF/ocsf/tests/test_security_finding_2.json @@ -23,18 +23,6 @@ "activity_name": "Create", "class_name": "Security Finding", "class_uid": 2001 - }, - "vulnerability": { - "description": [], - "id": [], - "scanner": { - "vendor": [] - }, - "score": { - "base": [], - "version": [] - }, - "severity": [] } } } \ No newline at end of file 
diff --git a/OCSF/ocsf/tests/test_security_finding_3.json b/OCSF/ocsf/tests/test_security_finding_3.json index 16386afa1..2ecbc13fc 100644 --- a/OCSF/ocsf/tests/test_security_finding_3.json +++ b/OCSF/ocsf/tests/test_security_finding_3.json @@ -22,18 +22,6 @@ "activity_name": "Generate", "class_name": "Security Finding", "class_uid": 2001 - }, - "vulnerability": { - "description": [], - "id": [], - "scanner": { - "vendor": [] - }, - "score": { - "base": [], - "version": [] - }, - "severity": [] } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_security_finding_4.json b/OCSF/ocsf/tests/test_security_finding_4.json index c4aa70409..ccf89735a 100644 --- a/OCSF/ocsf/tests/test_security_finding_4.json +++ b/OCSF/ocsf/tests/test_security_finding_4.json @@ -22,18 +22,6 @@ "activity_name": "Generate", "class_name": "Security Finding", "class_uid": 2001 - }, - "vulnerability": { - "description": [], - "id": [], - "scanner": { - "vendor": [] - }, - "score": { - "base": [], - "version": [] - }, - "severity": [] } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_security_finding_5.json b/OCSF/ocsf/tests/test_security_finding_5.json index 4a82902e1..c17863a8c 100644 --- a/OCSF/ocsf/tests/test_security_finding_5.json +++ b/OCSF/ocsf/tests/test_security_finding_5.json @@ -22,18 +22,6 @@ "activity_name": "Generate", "class_name": "Security Finding", "class_uid": 2001 - }, - "vulnerability": { - "description": [], - "id": [], - "scanner": { - "vendor": [] - }, - "score": { - "base": [], - "version": [] - }, - "severity": [] } } } \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_security_finding_6.json b/OCSF/ocsf/tests/test_security_finding_6.json index 90b549040..5db2419b9 100644 --- a/OCSF/ocsf/tests/test_security_finding_6.json +++ b/OCSF/ocsf/tests/test_security_finding_6.json 
@@ -22,18 +22,6 @@ "activity_name": "Generate", "class_name": "Security Finding", "class_uid": 2001 - }, - "vulnerability": { - "description": [], - "id": [], - "scanner": { - "vendor": [] - }, - "score": { - "base": [], - "version": [] - }, - "severity": [] } } } \ No newline at end of file From 8e325cd6fa610f6265bcd7e346e81d9f4a7ac39f Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Mon, 29 Apr 2024 10:57:37 +0300 Subject: [PATCH 26/34] Update smart descriptions --- OCSF/ocsf/_meta/smart-descriptions.json | 33 ++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) diff --git a/OCSF/ocsf/_meta/smart-descriptions.json b/OCSF/ocsf/_meta/smart-descriptions.json index d1c487fe3..5c207872b 100644 --- a/OCSF/ocsf/_meta/smart-descriptions.json +++ b/OCSF/ocsf/_meta/smart-descriptions.json @@ -62,6 +62,15 @@ } ] }, + { + "value": "Windows Resource Activity: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 1010 + } + ] + }, { "value": "Security Finding: {ocsf.activity_name} vulnerability {vulnerability.id}", "conditions": [ @@ -81,7 +90,25 @@ ] }, { - "value": "Account Change", + "value": "Compliance Finding", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 2003 + } + ] + }, + { + "value": "Detection Finding", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 2004 + } + ] + }, + { + "value": "Account Change: {ocsf.activity_name} user {user.id}", "conditions": [ { "field": "ocsf.class_uid", @@ -90,7 +117,7 @@ ] }, { - "value": "Authentication", + "value": "Authentication: {ocsf.activity_name} user {user.name} from {source.ip}", "conditions": [ { "field": "ocsf.class_uid", @@ -306,7 +333,7 @@ ] }, { - "value": "API Activity: {ocsf.activity_name} from {source.ip}", + "value": "API Activity: {ocsf.activity_name} from user {user.name}", "conditions": [ { "field": "ocsf.class_uid", From 0dc53aca9458169c2c6c3247139bd22cfbeff074 Mon Sep 17 00:00:00 2001 
From: lvoloshyn-sekoia Date: Mon, 29 Apr 2024 17:12:14 +0300 Subject: [PATCH 27/34] Add smart descriptions for extensions --- OCSF/ocsf/_meta/smart-descriptions.json | 193 +++++++++++++++++++++--- 1 file changed, 173 insertions(+), 20 deletions(-) diff --git a/OCSF/ocsf/_meta/smart-descriptions.json b/OCSF/ocsf/_meta/smart-descriptions.json index 5c207872b..59151ff9d 100644 --- a/OCSF/ocsf/_meta/smart-descriptions.json +++ b/OCSF/ocsf/_meta/smart-descriptions.json @@ -1,6 +1,6 @@ [ { - "value": "File System Activity: {ocsf.activity_name} file {file.name} by {user.name} on {host.ip}", + "value": "File System Activity: {ocsf.activity_name} file {file.name} by {user.name}", "conditions": [ { "field": "ocsf.class_uid", @@ -9,7 +9,7 @@ ] }, { - "value": "Kernel Extension Activity: {ocsf.activity_name} file {file.name} on {host.ip}", + "value": "Kernel Extension Activity: {ocsf.activity_name} file {file.name}", "conditions": [ { "field": "ocsf.class_uid", @@ -18,7 +18,7 @@ ] }, { - "value": "Kernel Activity: {ocsf.activity_name} file {file.name} on {host.ip}", + "value": "Kernel Activity: {ocsf.activity_name} file {file.name}", "conditions": [ { "field": "ocsf.class_uid", @@ -27,7 +27,7 @@ ] }, { - "value": "Memory Activity: {ocsf.activity_name} file {file.name} on {host.ip}", + "value": "Memory Activity: {ocsf.activity_name} file {file.name}", "conditions": [ { "field": "ocsf.class_uid", @@ -36,7 +36,7 @@ ] }, { - "value": "Module Activity: {ocsf.activity_name} file {file.name} by process {process.name} on {host.ip}", + "value": "Module Activity: {ocsf.activity_name} file {file.name} by process {process.name}", "conditions": [ { "field": "ocsf.class_uid", @@ -45,7 +45,7 @@ ] }, { - "value": "Scheduled Job Activity: {ocsf.activity_name} file {file.name} on {host.ip}", + "value": "Scheduled Job Activity: {ocsf.activity_name} file {file.name}", "conditions": [ { "field": "ocsf.class_uid", 
@@ -54,7 +54,7 @@ ] }, { - "value": "Process Activity: {ocsf.activity_name} by process {process.name} on {host.ip}", + "value": "Process Activity: {ocsf.activity_name} by process {process.pid}", "conditions": [ { "field": "ocsf.class_uid", @@ -107,6 +107,24 @@ } ] }, + { + "value": "Incident Finding: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 2005 + } + ] + }, + { + "value": "Data Security Finding: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 2006 + } + ] + }, { "value": "Account Change: {ocsf.activity_name} user {user.id}", "conditions": [ @@ -144,7 +162,7 @@ ] }, { - "value": "User Access Management: {ocsf.activity_name} user {user.target.name} on {host.ip}", + "value": "User Access Management: {ocsf.activity_name} user {user.target.name}", "conditions": [ { "field": "ocsf.class_uid", @@ -153,7 +171,7 @@ ] }, { - "value": "Group Management: {ocsf.activity_name} user {user.target.name} on {host.ip}", + "value": "Group Management: {ocsf.activity_name} user {user.target.name}", "conditions": [ { "field": "ocsf.class_uid", @@ -162,7 +180,7 @@ ] }, { - "value": "Network Activity: {ocsf.activity_name} on {host.ip}", + "value": "Network Activity: {ocsf.activity_name} from {source.ip} to {destination.ip}", "conditions": [ { "field": "ocsf.class_uid", @@ -171,7 +189,7 @@ ] }, { - "value": "HTTP Activity: {ocsf.activity_name} on {host.ip}", + "value": "HTTP Activity: {ocsf.activity_name} {url.path} from {source.ip}", "conditions": [ { "field": "ocsf.class_uid", @@ -180,7 +198,7 @@ ] }, { - "value": "DNS Activity: {ocsf.activity_name} on {host.ip}", + "value": "DNS Activity: {ocsf.activity_name} from {source.ip}:{source.ip}", "conditions": [ { "field": "ocsf.class_uid", @@ -189,7 +207,7 @@ ] }, { - "value": "DHCP Activity: {ocsf.activity_name} on {host.ip}", + "value": "DHCP Activity: {ocsf.activity_name}", "conditions": [ { "field": "ocsf.class_uid", 
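Review bot: The DNS Activity template in the `@@ -180,7 +198,7 @@` hunk interpolates `{source.ip}` twice, `from {source.ip}:{source.ip}`, so the rendered description repeats the same address on both sides of the colon. The `ip:port` shape suggests the second placeholder was meant to be the source port, assuming the parser populates that ECS field for DNS events; the line would then read `"value": "DNS Activity: {ocsf.activity_name} from {source.ip}:{source.port}"`. If no port is mapped for this class, drop the second placeholder rather than render the address twice.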
@@ -198,7 +216,7 @@ ] }, { - "value": "RDP Activity: {ocsf.activity_name} on {host.ip}", + "value": "RDP Activity: {ocsf.activity_name}", "conditions": [ { "field": "ocsf.class_uid", @@ -207,7 +225,7 @@ ] }, { - "value": "SMB Activity: {ocsf.activity_name} {file.name} on {host.ip}", + "value": "SMB Activity: {ocsf.activity_name} {file.name}", "conditions": [ { "field": "ocsf.class_uid", @@ -216,7 +234,7 @@ ] }, { - "value": "SSH Activity: {ocsf.activity_name} on {host.ip}", + "value": "SSH Activity: {ocsf.activity_name}", "conditions": [ { "field": "ocsf.class_uid", @@ -243,7 +261,7 @@ ] }, { - "value": "Network File Activity: {ocsf.activity_name} file {file.name} on {host.ip}", + "value": "Network File Activity: {ocsf.activity_name} file {file.name}", "conditions": [ { "field": "ocsf.class_uid", @@ -278,6 +296,15 @@ } ] }, + { + "value": "Tunnel Activity: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4014 + } + ] + }, { "value": "Device Inventory Info: {ocsf.activity_name} on device {host.mac}", "conditions": [ @@ -288,7 +315,7 @@ ] }, { - "value": "Device Config State: {ocsf.activity_name} on {host.ip}", + "value": "Device Config State: {ocsf.activity_name}", "conditions": [ { "field": "ocsf.class_uid", @@ -297,7 +324,7 @@ ] }, { - "value": "User Inventory Info: {ocsf.activity_name} on {host.ip}", + "value": "User Inventory Info: {ocsf.activity_name}", "conditions": [ { "field": "ocsf.class_uid", 
@@ -306,7 +333,133 @@ ] }, { - "value": "Device Config State Change: {ocsf.activity_name} on {host.ip}", + "value": "Operating System Patch State: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5004 + } + ] + }, + { + "value": "Kernel Object Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5006 + } + ] + }, + { + "value": "File Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5007 + } + ] + }, + { + "value": "Folder Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5008 + } + ] + }, + { + "value": "Admin Group Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5009 + } + ] + }, + { + "value": "Job Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5010 + } + ] + }, + { + "value": "Module Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5011 + } + ] + }, + { + "value": "Network Connection Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5012 + } + ] + }, + { + "value": "Networks Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5013 + } + ] + }, + { + "value": "Peripheral Device Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5014 + } + ] + }, + { + "value": "Process Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5015 + } + ] + }, + { + "value": "Service Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5016 + } + ] + }, + { + "value": "User Session Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5017 + } + ] + }, + { + "value": "User Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 
5018 + } + ] + }, + { + "value": "Device Config State Change: {ocsf.activity_name}", "conditions": [ { "field": "ocsf.class_uid", From e658366ea52d54fb7a0385285be54f7319890a0c Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Mon, 29 Apr 2024 17:14:11 +0300 Subject: [PATCH 28/34] Add smart descriptions for extensions --- OCSF/ocsf/_meta/smart-descriptions.json | 56 ++++++++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-) diff --git a/OCSF/ocsf/_meta/smart-descriptions.json b/OCSF/ocsf/_meta/smart-descriptions.json index 59151ff9d..80014b1a4 100644 --- a/OCSF/ocsf/_meta/smart-descriptions.json +++ b/OCSF/ocsf/_meta/smart-descriptions.json @@ -529,5 +529,59 @@ "value": 6007 } ] + }, + { + "value": "Registry Key Activity: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 201001 + } + ] + }, + { + "value": "Registry Value Activity: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 201002 + } + ] + }, + { + "value": "Windows Resource Activity: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 201003 + } + ] + }, + { + "value": "Registry Key Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 205004 + } + ] + }, + { + "value": "Registry Value Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 205005 + } + ] + }, + { + "value": "Prefetch Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 205019 + } + ] } -] +] \ No newline at end of file From d3bb9ec7fd95910bcefe0136328fdd15520884a1 Mon Sep 17 00:00:00 2001 
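Review bot: The `@@ -529,5 +529,59 @@` hunk adds a second `"Windows Resource Activity: {ocsf.activity_name}"` entry keyed on `ocsf.class_uid` 201003 while the entry with the same label keyed on 1010, added two commits earlier in the `@@ -62,6 +62,15 @@` hunk, is left in place. The fixture updated in the next commit moves this class from 1010 to 201003, so the 1010 entry looks stale and should either be removed or merged into one entry, otherwise the file documents two uids for one class. The hunk also drops the trailing newline (`\ No newline at end of file` on the new side); keeping it avoids a noisy `-]`/`+]` pair on the next append.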
From: lvoloshyn-sekoia
Date: Tue, 30 Apr 2024 13:57:35 +0300
Subject: [PATCH 29/34] Support extensions

---
 OCSF/ocsf/ingest/parser.yml | 24 +++++------
 OCSF/ocsf/tests/test_system_activity_1.json | 32 +++++++++++++++
 OCSF/ocsf/tests/test_system_activity_2.json | 32 +++++++++++++++
 .../test_windows_resource_activity_1.json | 41 +++++++++++++++++--
 4 files changed, 114 insertions(+), 15 deletions(-)

diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml
index 358990e0e..cb8af60ea 100644
--- a/OCSF/ocsf/ingest/parser.yml
+++ b/OCSF/ocsf/ingest/parser.yml
@@ -79,40 +79,40 @@ pipeline:
 - name: set_common_fields
 - name: pipeline_object_actor
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,3001,3002,3003,3004,3005,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,5001,5002,6001,6002,6003,6004] and parse_event.message.actor != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5003,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,6001,6002,6003,6004,6005,6006,6007,201001,201002,201003,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002,99937002] and parse_event.message.actor != null }}"
 - name: pipeline_object_attack
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,2001,4001,4002,4003,4005,4006,4007,4008,4009,4011,4012] and parse_event.message.attacks != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2001,2004,2005,2006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,6001,6005,201001,201002,201003,99901006,99902003,99904001,99904002,99904009,99904010] and parse_event.message.attacks != null }}"
 - name: pipeline_object_network_connection_info
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [4001,4002,4003,4005,4006,4007,4008] and parse_event.message.connection_info != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,5012,6006,99904009,99904010,99931006,99932007,99933005] and parse_event.message.connection_info != null }}"
 - name: pipeline_object_device
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,3001,3002,3003,3004,3005,4001,4002,4003,4004,4005,4006,4007,4008,4009,4011,4012,5001,5002,6001,6002,6004] and parse_event.message.device != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5004,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,6001,6002,6004,6007,201001,201002,201003,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002] and parse_event.message.device != null }}"
 - name: pipeline_object_http_request
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [3001,3002,4002,6003,6004] and parse_event.message.http_request != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [3001,3002,3003,3004,3005,3006,4002,6001,6003,6004,6005,99937002,99938001] and parse_event.message.http_request != null }}"
 - name: pipeline_object_malware
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [2001,4001,4002,4003,4005,4006,4007,4008,4009,4011,4012] and parse_event.message.malware != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2001,2004,2006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,6001,6005,201001,201002,201003,99901006,99904001,99904002,99904009,99904010] and parse_event.message.malware != null }}"
 - name: pipeline_object_network_endpoint
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [3001,3002,3003,3005,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,6001,6003,6004] and parse_event.message.dst_endpoint != null or parse_event.message.src_endpoint != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1008,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4013,4014,6001,6003,6004,6005,6006,99904009,99904010,99937002,99938001] and parse_event.message.dst_endpoint != null or parse_event.message.src_endpoint != null }}"
 - name: pipeline_object_process
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1004,1007,2001] and parse_event.message.process != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1004,1007,2001,5011,5012,5015,99932006,99932007,99932011,99933006,99934001,99935002] and parse_event.message.process != null }}"
 - name: pipeline_object_proxy
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [4001,4002,4003,4005,4006,4007,4008] and parse_event.message.proxy != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [3006,4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,6004,99904009,99904010] and parse_event.message.proxy != null }}"
 - name: pipeline_object_tls
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [4001,4002,4003,4005,4006,4007,4008] and parse_event.message.tls != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [3006,4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,6001,6004,99904009,99904010] and parse_event.message.tls != null }}"
 - name: pipeline_object_traffic
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [4001,4002,4003,4005,4006,4007,4008] and parse_event.message.traffic != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,99904009,99904010] and parse_event.message.traffic != null }}"
 - name: pipeline_object_user
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [3001,3002,3003,3005,3006] and parse_event.message.user != null }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [3001,3002,3003,3005,3006,4014,5003,5018,99932017] and parse_event.message.user != null }}"
 - name: pipeline_object_file
 filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,4006,4010,4011] }}"
diff --git a/OCSF/ocsf/tests/test_system_activity_1.json b/OCSF/ocsf/tests/test_system_activity_1.json
index 1801fe461..7b9b5a40e 100644
--- a/OCSF/ocsf/tests/test_system_activity_1.json
+++ b/OCSF/ocsf/tests/test_system_activity_1.json
@@ -11,9 +11,41 @@
 "type": []
 },
 "@timestamp": "2019-01-09T05:46:00Z",
+ "file": {
+ "directory": "C:\\Windows\\System32",
+ "name": "lsass.exe",
+ "path": "C:\\Windows\\System32\\lsass.exe"
+ },
+ "host": {
+ "hostname": "STLDIRDC1.dir.solutia.com",
+ "name": "STLDIRDC1.dir.solutia.com",
+ "os": {
+ "name": "Windows"
+ }
+ },
 "ocsf": {
 "activity_id": 99,
 "class_uid": 1010
+ },
+ "process": {
+ "pid": 492
+ },
+ "related": {
+ "hosts": [
+ "STLDIRDC1.dir.solutia.com"
+ ],
+ "user": [
+ "STLDIRDC1$"
+ ]
+ },
+ "user": {
+ "domain": "DIR",
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "NT AUTHORITY\\SYSTEM",
+ "name": "STLDIRDC1$"
 }
 }
 }
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_system_activity_2.json b/OCSF/ocsf/tests/test_system_activity_2.json
index fbcad8694..0043d927e 100644
--- a/OCSF/ocsf/tests/test_system_activity_2.json
+++ b/OCSF/ocsf/tests/test_system_activity_2.json
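Review bot: The rewritten `pipeline_object_network_endpoint` filter keeps the unparenthesised tail `... in [...] and parse_event.message.dst_endpoint != null or parse_event.message.src_endpoint != null`; if the template engine follows the usual Jinja precedence, `and` binds tighter than `or`, so any event carrying a `src_endpoint` passes the filter regardless of its `class_uid`, and a null `class_uid` is no longer short-circuited either. The new line should group the endpoint test: `... and (parse_event.message.dst_endpoint != null or parse_event.message.src_endpoint != null) }}"`. The defect predates this commit, but the line is rewritten here so this is the natural place to fix it. Separately, the dozen class lists in this hunk are now long enough that a short comment above each naming the ranges they cover (core classes, the 2010xx/2050xx Windows extension classes, the 999xxxxx ones) would help whoever has to add the next class.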
@@ -11,9 +11,41 @@
 "type": []
 },
 "@timestamp": "2022-01-28T21:12:19Z",
+ "file": {
+ "directory": "C:\\Windows",
+ "name": "explorer.exe",
+ "path": "C:\\Windows\\explorer.exe"
+ },
+ "host": {
+ "hostname": "SesWin2019DC1.SesTest.local",
+ "name": "SesWin2019DC1.SesTest.local",
+ "os": {
+ "name": "Windows"
+ }
+ },
 "ocsf": {
 "activity_id": 1,
 "class_uid": 1010
+ },
+ "process": {
+ "pid": 1704
+ },
+ "related": {
+ "hosts": [
+ "SesWin2019DC1.SesTest.local"
+ ],
+ "user": [
+ "splunker"
+ ]
+ },
+ "user": {
+ "domain": "SESTEST",
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "SESTEST\\splunker",
+ "name": "splunker"
 }
 }
 }
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_windows_resource_activity_1.json b/OCSF/ocsf/tests/test_windows_resource_activity_1.json
index 3938392f9..793164d2d 100644
--- a/OCSF/ocsf/tests/test_windows_resource_activity_1.json
+++ b/OCSF/ocsf/tests/test_windows_resource_activity_1.json
@@ -1,9 +1,9 @@ { "input": { - "message": "{\"activity_id\": 1, \"activity_name\": \"Access\", \"actor\": {\"process\": {\"file\": {\"name\": \"services.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 532}, \"session\": {\"uid\": \"0x3e7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"SOI\", \"name\": \"SZUSOIDC1$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Windows Resource Activity\", \"class_uid\": 1010, \"device\": {\"hostname\": \"szusoidc1.soi.dir.acme080.com\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"message\": \"An attempt was made to access an object.\", \"metadata\": {\"original_time\": \"01/14/2015 08:30:54 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"05e90f2c-5be6-484c-aefb-f8e6f591bd2c\", \"version\": \"1.0.0-rc.2\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1421285454000, \"type_name\": \"Windows Resource Activity: Access\", \"type_uid\": 101001, \"unmapped\": {\"Access Mask\": \"0x2\", \"Access Request Information\": {\"Accesses\": \"Set key value\"}, \"CaseID\": \"AD_4663\", \"EventCode\": \"4663\", \"EventType\": \"0\", \"Object\": {\"Object Server\": \"Security\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"989202992\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Registry\"}, \"win_resource\": {\"name\": \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\EventLog\\\\Security\", \"type\": \"Key\", \"type_id\": 25, \"uid\": \"0x564\"}}" + "message": "{\"activity_id\": 1, \"activity_name\": \"Access\", \"actor\": 
{\"process\": {\"file\": {\"name\": \"services.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 532}, \"session\": {\"uid\": \"0x3e7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"SOI\", \"name\": \"SZUSOIDC1$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Windows Resource Activity\", \"class_uid\": 201003, \"device\": {\"hostname\": \"szusoidc1.soi.dir.acme080.com\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"message\": \"An attempt was made to access an object.\", \"metadata\": {\"original_time\": \"01/14/2015 08:30:54 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"05e90f2c-5be6-484c-aefb-f8e6f591bd2c\", \"version\": \"1.0.0-rc.2\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1421285454000, \"type_name\": \"Windows Resource Activity: Access\", \"type_uid\": 101001, \"unmapped\": {\"Access Mask\": \"0x2\", \"Access Request Information\": {\"Accesses\": \"Set key value\"}, \"CaseID\": \"AD_4663\", \"EventCode\": \"4663\", \"EventType\": \"0\", \"Object\": {\"Object Server\": \"Security\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"989202992\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Registry\"}, \"win_resource\": {\"name\": \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\EventLog\\\\Security\", \"type\": \"Key\", \"type_id\": 25, \"uid\": \"0x564\"}}" }, "expected": { - "message": "{\"activity_id\": 1, \"activity_name\": \"Access\", \"actor\": {\"process\": {\"file\": {\"name\": \"services.exe\", \"parent_folder\": 
\"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 532}, \"session\": {\"uid\": \"0x3e7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"SOI\", \"name\": \"SZUSOIDC1$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Windows Resource Activity\", \"class_uid\": 1010, \"device\": {\"hostname\": \"szusoidc1.soi.dir.acme080.com\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"message\": \"An attempt was made to access an object.\", \"metadata\": {\"original_time\": \"01/14/2015 08:30:54 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"05e90f2c-5be6-484c-aefb-f8e6f591bd2c\", \"version\": \"1.0.0-rc.2\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1421285454000, \"type_name\": \"Windows Resource Activity: Access\", \"type_uid\": 101001, \"unmapped\": {\"Access Mask\": \"0x2\", \"Access Request Information\": {\"Accesses\": \"Set key value\"}, \"CaseID\": \"AD_4663\", \"EventCode\": \"4663\", \"EventType\": \"0\", \"Object\": {\"Object Server\": \"Security\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"989202992\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Registry\"}, \"win_resource\": {\"name\": \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\EventLog\\\\Security\", \"type\": \"Key\", \"type_id\": 25, \"uid\": \"0x564\"}}", + "message": "{\"activity_id\": 1, \"activity_name\": \"Access\", \"actor\": {\"process\": {\"file\": {\"name\": \"services.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"type\": 
\"Regular File\", \"type_id\": 1}, \"pid\": 532}, \"session\": {\"uid\": \"0x3e7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"SOI\", \"name\": \"SZUSOIDC1$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Windows Resource Activity\", \"class_uid\": 201003, \"device\": {\"hostname\": \"szusoidc1.soi.dir.acme080.com\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"message\": \"An attempt was made to access an object.\", \"metadata\": {\"original_time\": \"01/14/2015 08:30:54 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"05e90f2c-5be6-484c-aefb-f8e6f591bd2c\", \"version\": \"1.0.0-rc.2\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1421285454000, \"type_name\": \"Windows Resource Activity: Access\", \"type_uid\": 101001, \"unmapped\": {\"Access Mask\": \"0x2\", \"Access Request Information\": {\"Accesses\": \"Set key value\"}, \"CaseID\": \"AD_4663\", \"EventCode\": \"4663\", \"EventType\": \"0\", \"Object\": {\"Object Server\": \"Security\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"989202992\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Registry\"}, \"win_resource\": {\"name\": \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\EventLog\\\\Security\", \"type\": \"Key\", \"type_id\": 25, \"uid\": \"0x564\"}}", "event": { "action": "access", "category": [], 
@@ -12,11 +12,46 @@
 "type": []
 },
 "@timestamp": "2015-01-15T01:30:54Z",
+ "file": {
+ "directory": "C:\\Windows\\System32",
+ "name": "services.exe",
+ "path": "C:\\Windows\\System32\\services.exe",
+ "type": "Regular File"
+ },
+ "host": {
+ "hostname": "szusoidc1.soi.dir.acme080.com",
+ "name": "szusoidc1.soi.dir.acme080.com",
+ "os": {
+ "name": "Windows",
+ "type": "Windows"
+ },
+ "type": "Unknown"
+ },
 "ocsf": {
 "activity_id": 1,
 "activity_name": "Access",
 "class_name": "Windows Resource Activity",
- "class_uid": 1010
+ "class_uid": 201003
+ },
+ "process": {
+ "pid": 532
+ },
+ "related": {
+ "hosts": [
+ "szusoidc1.soi.dir.acme080.com"
+ ],
+ "user": [
+ "SZUSOIDC1$"
+ ]
+ },
+ "user": {
+ "domain": "SOI",
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "NT AUTHORITY\\SYSTEM",
+ "name": "SZUSOIDC1$"
 }
 }
 }
\ No newline at end of file
From bdf9b2e1027a2659dd82d7fcb6bb617a73fdc545 Mon Sep 17 00:00:00 2001
From: lvoloshyn-sekoia
Date: Tue, 30 Apr 2024 14:04:37 +0300
Subject: [PATCH 30/34] Support extensions

---
 OCSF/ocsf/ingest/parser.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml
index cb8af60ea..e548c68c2 100644
--- a/OCSF/ocsf/ingest/parser.yml
+++ b/OCSF/ocsf/ingest/parser.yml
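Review bot: The expected output in the `@@ -12,11 +12,46 @@` hunk fills `file.*` with `services.exe`, which in the input is the acting process's image (`actor.process.file`), not the object the event is about, while the registry key path carried in the input's `win_resource.name` is not surfaced in any expected field. For a registry access event the key path is the value an analyst and a detection rule need, and placing the actor's binary under `file.*` risks matching rules that read `file.*` as the target object. The same `actor.process.file` to `file.*` mapping shows up in the test_system_activity_1/2 hunks of this commit, so it presumably comes from a shared stage; consider mapping the actor's binary to `process.executable`/`process.name`, reserving `file.*` for the event's own `file` object, and carrying `win_resource` under a dedicated `ocsf.win_resource.*` field if `fields.yml` declares one.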
@@ -115,10 +115,10 @@ pipeline:
 filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [3001,3002,3003,3005,3006,4014,5003,5018,99932017] and parse_event.message.user != null }}"
 - name: pipeline_object_file
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,4006,4010,4011] }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1008,2006,4002,4005,4006,4007,4008,4010,4011,5007,6006,99901006,99903001,99904001,99931004,99931007,99931010,99932001,99933000] and parse_event.message.file != null }}"
 - name: pipeline_object_system_activity_helper
- filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1002,1005,1006] }}"
+ filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1002,1005,1006,1007,5010,5011,99932004,99932006,99933002,99933004] }}"
 - name: pipeline_category_system_activity
 filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == 1 }}"
From 28bc737d4821fbcd9ab6bdfec0134798ea01e84e Mon Sep 17 00:00:00 2001
From: lvoloshyn-sekoia
Date: Tue, 30 Apr 2024 14:28:35 +0300
Subject: [PATCH 31/34] Fix malware extraction

---
 OCSF/ocsf/ingest/parser.yml | 30 +++++++++++++++++++-
 OCSF/ocsf/tests/test_security_finding_2.json | 5 ++++
 OCSF/ocsf/tests/test_security_finding_3.json | 5 ++++
 OCSF/ocsf/tests/test_security_finding_4.json | 5 ++++
 OCSF/ocsf/tests/test_security_finding_5.json | 5 ++++
 OCSF/ocsf/tests/test_security_finding_6.json | 5 ++++
 6 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml
index e548c68c2..357af7742 100644
--- a/OCSF/ocsf/ingest/parser.yml
+++ b/OCSF/ocsf/ingest/parser.yml
@@ -469,7 +469,35 @@ stages:
 user_agent.original: "{{ parse_event.message.http_request.user_agent }}"
 pipeline_object_malware:
- actions: []
+ actions:
+ - set:
+ vulnerability.category: >
+ [
+ {%- for item in parse_event.message.malware -%}
+ {%- for cls in item.classifications -%}"{{cls}}"{%- endfor -%}
+ {%- endfor %}
+ ]
+
+ - set:
+ vulnerability.id: >
+ [
+ {%- for item in parse_event.message.malware -%}
+ {%- for cv in item.cvs -%}"{{cv.uid}}"{%- endfor -%}
+ {%- endfor -%}
+ ]
+ vulnerability.score.base: >
+ [
+ {%- for item in parse_event.message.malware -%}
+ {%- for cv in item.cvs -%}"{{cv.cvss.base_score}}"{%- endfor -%}
+ {%- endfor -%}
+ ]
+ vulnerability.score.version: >
+ [
+ {%- for item in parse_event.message.malware -%}
+ {%- for cv in item.cvs -%}"{{cv.cvss.version}}"{%- endfor -%}
+ {%- endfor -%}
+ ]
+ filter: "{{ parse_event.message.class_uid != 2001 }}"
 pipeline_object_network_endpoint:
 actions:
diff --git a/OCSF/ocsf/tests/test_security_finding_2.json b/OCSF/ocsf/tests/test_security_finding_2.json
index de5be72c2..1c51f4e60 100644
--- a/OCSF/ocsf/tests/test_security_finding_2.json
+++ b/OCSF/ocsf/tests/test_security_finding_2.json
@@ -23,6 +23,11 @@
 "activity_name": "Create",
 "class_name": "Security Finding",
 "class_uid": 2001
+ },
+ "vulnerability": {
+ "category": [
+ "DDOS"
+ ]
 }
 }
 }
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_security_finding_3.json b/OCSF/ocsf/tests/test_security_finding_3.json
index 2ecbc13fc..590c438a5 100644
--- a/OCSF/ocsf/tests/test_security_finding_3.json
+++ b/OCSF/ocsf/tests/test_security_finding_3.json
@@ -22,6 +22,11 @@
 "activity_name": "Generate",
 "class_name": "Security Finding",
 "class_uid": 2001
+ },
+ "vulnerability": {
+ "category": [
+ "Potentially vulnerable application"
+ ]
 }
 }
 }
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_security_finding_4.json b/OCSF/ocsf/tests/test_security_finding_4.json
index ccf89735a..4b73f0e8b 100644
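Review bot: The four list templates added under `pipeline_object_malware` emit the quoted items back to back with no separator, e.g. `{%- for cls in item.classifications -%}"{{cls}}"{%- endfor -%}`, so a malware entry with two classifications (or two `cvs`) renders as `["A""B"]`, which is not valid JSON; every fixture in this commit carries exactly one category, so the tests do not catch it. The values are also interpolated unescaped, so a classification containing a double quote breaks the array, and `base_score`/`version` are wrapped in quotes and therefore land as strings. Assuming the engine is Jinja2, building a flat list and serialising it with the builtin filter avoids all three at once, e.g. `vulnerability.category: "{{ parse_event.message.malware | map(attribute='classifications') | sum(start=[]) | tojson }}"`, with a second `map` step over the flattened `cvs` for the id/score fields. `map(attribute=...)` yields an undefined value for items lacking the attribute, so a `| select | list` before `sum` may be needed depending on how the engine treats undefined values.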
--- a/OCSF/ocsf/tests/test_security_finding_4.json
+++ b/OCSF/ocsf/tests/test_security_finding_4.json
@@ -22,6 +22,11 @@
 "activity_name": "Generate",
 "class_name": "Security Finding",
 "class_uid": 2001
+ },
+ "vulnerability": {
+ "category": [
+ "Potentially vulnerable application"
+ ]
 }
 }
 }
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_security_finding_5.json b/OCSF/ocsf/tests/test_security_finding_5.json
index c17863a8c..4dd27a857 100644
--- a/OCSF/ocsf/tests/test_security_finding_5.json
+++ b/OCSF/ocsf/tests/test_security_finding_5.json
@@ -22,6 +22,11 @@
 "activity_name": "Generate",
 "class_name": "Security Finding",
 "class_uid": 2001
+ },
+ "vulnerability": {
+ "category": [
+ "Potentially vulnerable application"
+ ]
 }
 }
 }
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_security_finding_6.json b/OCSF/ocsf/tests/test_security_finding_6.json
index 5db2419b9..3d948719d 100644
--- a/OCSF/ocsf/tests/test_security_finding_6.json
+++ b/OCSF/ocsf/tests/test_security_finding_6.json
@@ -22,6 +22,11 @@
 "activity_name": "Generate",
 "class_name": "Security Finding",
 "class_uid": 2001
+ },
+ "vulnerability": {
+ "category": [
+ "Adware"
+ ]
 }
 }
 }
\ No newline at end of file
From e6c373932380485b9a442d5bf0c13171297bd703 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Wed, 22 May 2024 14:40:32 +0200
Subject: [PATCH 32/34] fix(OCSF): extract the reason of a finding

---
 OCSF/ocsf/ingest/parser.yml | 1 +
 OCSF/ocsf/tests/test_security_finding_1.json | 1 +
 OCSF/ocsf/tests/test_security_finding_2.json | 1 +
 OCSF/ocsf/tests/test_security_finding_3.json | 1 +
 OCSF/ocsf/tests/test_security_finding_4.json | 1 +
 OCSF/ocsf/tests/test_security_finding_5.json | 1 +
 OCSF/ocsf/tests/test_security_finding_6.json | 1 +
 7 files changed, 7 insertions(+)

diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml
index 357af7742..db8e64937 100644
--- a/OCSF/ocsf/ingest/parser.yml
+++ b/OCSF/ocsf/ingest/parser.yml
@@ -875,6 +875,7 @@ stages: - set: event.reference: "{{ parse_event.message.finding.src_url }}" event.risk_score: "{{ parse_event.message.risk_score }}" + event.reason: "{{parse_event.message.finding.title}}" - set: vulnerability.id: > diff --git a/OCSF/ocsf/tests/test_security_finding_1.json b/OCSF/ocsf/tests/test_security_finding_1.json index e00c6e9af..49f38eac6 100644 --- a/OCSF/ocsf/tests/test_security_finding_1.json +++ b/OCSF/ocsf/tests/test_security_finding_1.json @@ -8,6 +8,7 @@ "action": "generate", "category": [], "kind": "alert", + "reason": "Linux Kernel Module Injection Detected", "severity": 3, "type": [ "info" diff --git a/OCSF/ocsf/tests/test_security_finding_2.json b/OCSF/ocsf/tests/test_security_finding_2.json index 1c51f4e60..84753b18b 100644 --- a/OCSF/ocsf/tests/test_security_finding_2.json +++ b/OCSF/ocsf/tests/test_security_finding_2.json @@ -12,6 +12,7 @@ "end": "2023-04-29T15:10:10Z", "kind": "alert", "provider": "IBM QRadar", + "reason": "BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\n", "risk_score": 3, "type": [ "info" diff --git a/OCSF/ocsf/tests/test_security_finding_3.json b/OCSF/ocsf/tests/test_security_finding_3.json index 590c438a5..bb29fab22 100644 --- a/OCSF/ocsf/tests/test_security_finding_3.json +++ b/OCSF/ocsf/tests/test_security_finding_3.json @@ -10,6 +10,7 @@ "malware" ], "kind": "alert", + "reason": "Infection found on 1.183.190.110", "reference": "https://platform.securityscorecard.io/#/asi/details/1.183.190.110", "severity": 1, "type": [ diff --git a/OCSF/ocsf/tests/test_security_finding_4.json b/OCSF/ocsf/tests/test_security_finding_4.json index 4b73f0e8b..231a3f26e 100644 --- a/OCSF/ocsf/tests/test_security_finding_4.json +++ b/OCSF/ocsf/tests/test_security_finding_4.json @@ -10,6 +10,7 @@ "malware" ], "kind": "alert", + "reason": "Infection found on 59.11.81.231", "reference": "https://platform.securityscorecard.io/#/asi/details/59.11.81.231", "severity": 1, "type": [ 
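Review bot: The new `event.reason` is copied verbatim from `finding.title`, and the updated `test_security_finding_2.json` fixture shows this carries a trailing `\n` from the source event into the normalized field; if the engine exposes Jinja's `trim` filter, `event.reason: "{{ parse_event.message.finding.title | trim }}"` keeps the reason clean for display and matching. As a point of style, the line omits the spaces inside the braces that the neighbouring `event.reference` and `event.risk_score` lines use. The `- set:` action this line belongs to starts at the top of the hunk, but the enclosing actions list and stage begin outside it.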
diff --git a/OCSF/ocsf/tests/test_security_finding_5.json b/OCSF/ocsf/tests/test_security_finding_5.json index 4dd27a857..a5607b3df 100644 --- a/OCSF/ocsf/tests/test_security_finding_5.json +++ b/OCSF/ocsf/tests/test_security_finding_5.json @@ -10,6 +10,7 @@ "malware" ], "kind": "alert", + "reason": "Infection found on 190.109.227.80", "reference": "https://platform.securityscorecard.io/#/asi/details/190.109.227.80", "severity": 1, "type": [ diff --git a/OCSF/ocsf/tests/test_security_finding_6.json b/OCSF/ocsf/tests/test_security_finding_6.json index 3d948719d..20ea6f1c3 100644 --- a/OCSF/ocsf/tests/test_security_finding_6.json +++ b/OCSF/ocsf/tests/test_security_finding_6.json @@ -10,6 +10,7 @@ "malware" ], "kind": "alert", + "reason": "Infection found on 38.7.186.198", "reference": "https://platform.securityscorecard.io/#/asi/details/38.7.186.198", "severity": 1, "type": [ From 1f06a3f65e91d2127c16eacd704fa4d44f3d7083 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 22 May 2024 14:51:13 +0200 Subject: [PATCH 33/34] fix(OCSF): extract the reason if defined in the original event --- OCSF/ocsf/ingest/parser.yml | 1 + OCSF/ocsf/tests/test_api_activity_2.json | 1 + OCSF/ocsf/tests/test_authentication_2.json | 1 + OCSF/ocsf/tests/test_authentication_3.json | 1 + OCSF/ocsf/tests/test_process_activity_1.json | 1 + OCSF/ocsf/tests/test_process_activity_2.json | 1 + OCSF/ocsf/tests/test_system_activity_1.json | 1 + OCSF/ocsf/tests/test_system_activity_2.json | 1 + OCSF/ocsf/tests/test_windows_resource_activity_1.json | 1 + 9 files changed, 9 insertions(+) diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml index db8e64937..91d9dd4e0 100644 --- a/OCSF/ocsf/ingest/parser.yml +++ b/OCSF/ocsf/ingest/parser.yml 
@@ -228,6 +228,7 @@ stages: event.sequence: "{{parse_event.message.metadata.sequence}}" event.severity: "{{parse_event.message.severity_id}}" + event.reason: "{{parse_event.message.message}}" - set: event.provider: "{{parse_event.message.metadata.product.vendor_name}}" diff --git a/OCSF/ocsf/tests/test_api_activity_2.json b/OCSF/ocsf/tests/test_api_activity_2.json index f72001c31..d53c7b8a7 100644 --- a/OCSF/ocsf/tests/test_api_activity_2.json +++ b/OCSF/ocsf/tests/test_api_activity_2.json @@ -10,6 +10,7 @@ "web" ], "kind": "event", + "reason": "ResponseComplete", "severity": 1, "start": "2021-09-07T20:37:30.502000Z", "type": [ diff --git a/OCSF/ocsf/tests/test_authentication_2.json b/OCSF/ocsf/tests/test_authentication_2.json index ce5f0fd6e..41c2d96a4 100644 --- a/OCSF/ocsf/tests/test_authentication_2.json +++ b/OCSF/ocsf/tests/test_authentication_2.json @@ -11,6 +11,7 @@ ], "kind": "event", "outcome": "success", + "reason": "An account was successfully logged on.", "severity": 1, "type": [ "info", diff --git a/OCSF/ocsf/tests/test_authentication_3.json b/OCSF/ocsf/tests/test_authentication_3.json index bea1b2602..3504b1c8a 100644 --- a/OCSF/ocsf/tests/test_authentication_3.json +++ b/OCSF/ocsf/tests/test_authentication_3.json @@ -11,6 +11,7 @@ ], "kind": "event", "outcome": "failure", + "reason": "An account failed to log on.", "severity": 1, "type": [ "info", diff --git a/OCSF/ocsf/tests/test_process_activity_1.json b/OCSF/ocsf/tests/test_process_activity_1.json index 8a96b43e7..02bc3a582 100644 --- a/OCSF/ocsf/tests/test_process_activity_1.json +++ b/OCSF/ocsf/tests/test_process_activity_1.json @@ -11,6 +11,7 @@ ], "kind": "event", "outcome": "success", + "reason": "A new process has been created.", "severity": 1, "type": [ "info", diff --git a/OCSF/ocsf/tests/test_process_activity_2.json b/OCSF/ocsf/tests/test_process_activity_2.json index 738b40b03..d2fc4367f 100644 --- a/OCSF/ocsf/tests/test_process_activity_2.json 
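Review bot: This `event.reason: "{{parse_event.message.message}}"` is set in what looks like the common stage for every class, while the security-finding stage (around line 875, changed in the previous commit and not in this hunk) also sets `event.reason` from `finding.title`; which value wins depends on stage order, and the fact that the security-finding fixtures were not touched by this commit suggests the later stage overwrites this one. That precedence is not obvious to a reader of either stage, so a short comment here would help, e.g. `# generic reason for all classes; the security-finding stage overwrites it with finding.title`. Same style remark as the earlier hunk: the braces have no inner spaces, unlike the `event.reference` template in the same file. The `- set:` block containing these lines begins outside the hunk.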
+++ b/OCSF/ocsf/tests/test_process_activity_2.json @@ -11,6 +11,7 @@ ], "kind": "event", "outcome": "success", + "reason": "A process has exited.", "severity": 1, "type": [ "end", diff --git a/OCSF/ocsf/tests/test_system_activity_1.json b/OCSF/ocsf/tests/test_system_activity_1.json index 7b9b5a40e..e106135ff 100644 --- a/OCSF/ocsf/tests/test_system_activity_1.json +++ b/OCSF/ocsf/tests/test_system_activity_1.json @@ -7,6 +7,7 @@ "event": { "category": [], "outcome": "success", + "reason": "A handle to an object was requested.", "severity": 1, "type": [] }, diff --git a/OCSF/ocsf/tests/test_system_activity_2.json b/OCSF/ocsf/tests/test_system_activity_2.json index 0043d927e..268062b61 100644 --- a/OCSF/ocsf/tests/test_system_activity_2.json +++ b/OCSF/ocsf/tests/test_system_activity_2.json @@ -7,6 +7,7 @@ "event": { "category": [], "outcome": "failure", + "reason": "A privileged service was called.", "severity": 1, "type": [] }, diff --git a/OCSF/ocsf/tests/test_windows_resource_activity_1.json b/OCSF/ocsf/tests/test_windows_resource_activity_1.json index 793164d2d..cae726797 100644 --- a/OCSF/ocsf/tests/test_windows_resource_activity_1.json +++ b/OCSF/ocsf/tests/test_windows_resource_activity_1.json @@ -8,6 +8,7 @@ "action": "access", "category": [], "outcome": "success", + "reason": "An attempt was made to access an object.", "severity": 1, "type": [] }, From 5d54461425aa0d3cb493748353aff0e2d4686ca7 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 22 May 2024 15:21:23 +0200 Subject: [PATCH 34/34] fix(OCSF): fix smart-descriptions --- OCSF/ocsf/_meta/smart-descriptions.json | 357 +++++++++++++++++++++++- 1 file changed, 351 insertions(+), 6 deletions(-) diff --git a/OCSF/ocsf/_meta/smart-descriptions.json b/OCSF/ocsf/_meta/smart-descriptions.json index 80014b1a4..d03bc41fb 100644 --- a/OCSF/ocsf/_meta/smart-descriptions.json +++ b/OCSF/ocsf/_meta/smart-descriptions.json 
@@ -5,6 +5,15 @@ { "field": "ocsf.class_uid", "value": 1001 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "file.name" + }, + { + "field": "user.name" } ] }, @@ -14,6 +23,12 @@ { "field": "ocsf.class_uid", "value": 1002 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "file.name" } ] }, @@ -23,6 +38,12 @@ { "field": "ocsf.class_uid", "value": 1003 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "file.name" } ] }, @@ -32,6 +53,12 @@ { "field": "ocsf.class_uid", "value": 1004 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "file.name" } ] }, @@ -41,6 +68,15 @@ { "field": "ocsf.class_uid", "value": 1005 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "file.name" + }, + { + "field": "process.name" } ] }, @@ -50,33 +86,54 @@ { "field": "ocsf.class_uid", "value": 1006 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "file.name" } ] }, { - "value": "Process Activity: {ocsf.activity_name} by process {process.pid}", + "value": "Process Activity: process {process.pid} - {event.reason}", "conditions": [ { "field": "ocsf.class_uid", "value": 1007 + }, + { + "field": "event.reason" + }, + { + "field": "process.pid" } ] }, { - "value": "Windows Resource Activity: {ocsf.activity_name}", + "value": "Windows Resource Activity: {event.reason}", "conditions": [ { "field": "ocsf.class_uid", "value": 1010 + }, + { + "field": "event.reason" } ] }, { - "value": "Security Finding: {ocsf.activity_name} vulnerability {vulnerability.id}", + "value": "Security Finding: {ocsf.activity_name} finding {event.reason}", "conditions": [ { "field": "ocsf.class_uid", "value": 2001 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "event.reason" } ] }, @@ -86,6 +143,12 @@ { "field": "ocsf.class_uid", "value": 2002 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "vulnerability.id" } ] }, @@ -113,6 +176,9 @@ { "field": "ocsf.class_uid", "value": 2005 + }, + { + "field": "ocsf.activity_name" } ] }, 
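Review bot: The rewritten entries for class_uid 1007, 1010 and 2001 now require `event.reason` (and `process.pid` for 1007) as a condition, and no less-specific entry follows them, so an event of those classes whose source lacks `message` or `finding.title` gets no smart description at all, whereas the previous templates only depended on `ocsf.activity_name`. If matching is first-match, as the ordering of the 3002 and 4001 entries in the following hunks suggests, a fallback entry per class placed after the specific one would restore coverage, e.g. `{"value": "Process Activity: {ocsf.activity_name}", "conditions": [{"field": "ocsf.class_uid", "value": 1007}, {"field": "ocsf.activity_name"}]}`. The same concern applies to the 4002 entry in a later hunk, which now requires both `url.path` and `source.ip` without a fallback.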
@@ -122,6 +188,9 @@ { "field": "ocsf.class_uid", "value": 2006 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -131,15 +200,57 @@ { "field": "ocsf.class_uid", "value": 3001 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "user.id" + } + ] + }, + { + "value": "Authentication: user {user.name} {ocsf.activity_name} on {host.name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 3002 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "user.name" + }, + { + "field": "host.name" } ] }, { - "value": "Authentication: {ocsf.activity_name} user {user.name} from {source.ip}", + "value": "Authentication: user {user.name} {ocsf.activity_name}", "conditions": [ { "field": "ocsf.class_uid", "value": 3002 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "user.name" + } + ] + }, + { + "value": "Authentication: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 3002 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -149,6 +260,12 @@ { "field": "ocsf.class_uid", "value": 3003 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "host.ip" } ] }, @@ -158,6 +275,12 @@ { "field": "ocsf.class_uid", "value": 3004 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "host.ip" } ] }, @@ -167,6 +290,12 @@ { "field": "ocsf.class_uid", "value": 3005 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "user.target.name" } ] }, @@ -176,6 +305,12 @@ { "field": "ocsf.class_uid", "value": 3006 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "user.target.name" } ] }, @@ -185,6 +320,30 @@ { "field": "ocsf.class_uid", "value": 4001 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "source.ip" + }, + { + "field": "destination.ip" + } + ] + }, + { + "value": "Network Activity: connection from {source.ip} to {destination.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4001 + }, + { + "field": "source.ip" + }, + { + "field": "destination.ip" } ] }, 
@@ -194,15 +353,30 @@ { "field": "ocsf.class_uid", "value": 4002 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "url.path" + }, + { + "field": "source.ip" } ] }, { - "value": "DNS Activity: {ocsf.activity_name} from {source.ip}:{source.ip}", + "value": "DNS Activity: {ocsf.activity_name} from {source.ip}", "conditions": [ { "field": "ocsf.class_uid", "value": 4003 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "source.ip" } ] }, @@ -212,6 +386,9 @@ { "field": "ocsf.class_uid", "value": 4004 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -221,6 +398,9 @@ { "field": "ocsf.class_uid", "value": 4005 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -230,6 +410,12 @@ { "field": "ocsf.class_uid", "value": 4006 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "file.name" } ] }, @@ -239,6 +425,9 @@ { "field": "ocsf.class_uid", "value": 4007 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -248,6 +437,12 @@ { "field": "ocsf.class_uid", "value": 4008 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "host.ip" } ] }, @@ -257,6 +452,12 @@ { "field": "ocsf.class_uid", "value": 4009 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "host.ip" } ] }, @@ -266,6 +467,12 @@ { "field": "ocsf.class_uid", "value": 4010 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "file.name" } ] }, @@ -275,6 +482,12 @@ { "field": "ocsf.class_uid", "value": 4011 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "host.ip" } ] }, @@ -284,6 +497,12 @@ { "field": "ocsf.class_uid", "value": 4012 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "host.ip" } ] }, @@ -293,6 +512,12 @@ { "field": "ocsf.class_uid", "value": 4013 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "host.ip" } ] }, @@ -302,6 +527,9 @@ { "field": "ocsf.class_uid", "value": 4014 + }, + { + "field": "ocsf.activity_name" } ] }, 
@@ -311,6 +539,12 @@ { "field": "ocsf.class_uid", "value": 5001 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "host.mac" } ] }, @@ -320,6 +554,9 @@ { "field": "ocsf.class_uid", "value": 5002 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -329,6 +566,9 @@ { "field": "ocsf.class_uid", "value": 5003 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -338,6 +578,9 @@ { "field": "ocsf.class_uid", "value": 5004 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -347,6 +590,9 @@ { "field": "ocsf.class_uid", "value": 5006 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -356,6 +602,9 @@ { "field": "ocsf.class_uid", "value": 5007 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -365,6 +614,9 @@ { "field": "ocsf.class_uid", "value": 5008 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -374,6 +626,9 @@ { "field": "ocsf.class_uid", "value": 5009 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -383,6 +638,9 @@ { "field": "ocsf.class_uid", "value": 5010 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -392,6 +650,9 @@ { "field": "ocsf.class_uid", "value": 5011 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -401,6 +662,9 @@ { "field": "ocsf.class_uid", "value": 5012 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -410,6 +674,9 @@ { "field": "ocsf.class_uid", "value": 5013 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -419,6 +686,9 @@ { "field": "ocsf.class_uid", "value": 5014 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -428,6 +698,9 @@ { "field": "ocsf.class_uid", "value": 5015 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -437,6 +710,9 @@ { "field": "ocsf.class_uid", "value": 5016 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -446,6 +722,9 @@ { "field": "ocsf.class_uid", "value": 5017 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -455,6 +734,9 @@ { "field": "ocsf.class_uid", "value": 5018 + }, + { + "field": "ocsf.activity_name" } ] }, 
@@ -464,6 +746,9 @@ { "field": "ocsf.class_uid", "value": 5019 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -473,6 +758,12 @@ { "field": "ocsf.class_uid", "value": 6001 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "source.ip" } ] }, @@ -482,6 +773,12 @@ { "field": "ocsf.class_uid", "value": 6002 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "ocsf.app.name" } ] }, @@ -491,6 +788,12 @@ { "field": "ocsf.class_uid", "value": 6003 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "user.name" } ] }, @@ -500,6 +803,12 @@ { "field": "ocsf.class_uid", "value": 6004 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "host.ip" } ] }, @@ -509,6 +818,12 @@ { "field": "ocsf.class_uid", "value": 6005 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "host.ip" } ] }, @@ -518,6 +833,12 @@ { "field": "ocsf.class_uid", "value": 6006 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "source.ip" } ] }, @@ -527,6 +848,12 @@ { "field": "ocsf.class_uid", "value": 6007 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "source.ip" } ] }, @@ -536,6 +863,9 @@ { "field": "ocsf.class_uid", "value": 201001 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -545,6 +875,9 @@ { "field": "ocsf.class_uid", "value": 201002 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -554,6 +887,9 @@ { "field": "ocsf.class_uid", "value": 201003 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -563,6 +899,9 @@ { "field": "ocsf.class_uid", "value": 205004 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -572,6 +911,9 @@ { "field": "ocsf.class_uid", "value": 205005 + }, + { + "field": "ocsf.activity_name" } ] }, @@ -581,7 +923,10 @@ { "field": "ocsf.class_uid", "value": 205019 + }, + { + "field": "ocsf.activity_name" } ] } -] \ No newline at end of file +]