diff --git a/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md b/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md index 58e8a7b9ea..5b36edbbe4 100644 --- a/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md +++ b/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md @@ -34,20 +34,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "message": "09/29/2023:07:40:56 GMT ADC 0-PPE-1 : default AAATM Message 1111111111 0 : \"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"", - "event": { - "category": [ - "network" - ], - "code": "Message", - "dataset": "audit_aaatm", - "reason": "\"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"", - "type": [ - "connection" - ] - }, - "@timestamp": "2023-09-29T07:40:56Z", - "observer": { - "name": "ADC" + "sekoiaio": { + "intake": { + "parsing_warnings": [ + "No fields extracted from original event" + ] + } } } diff --git a/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6.md b/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6.md index 03bc4d75f8..cdce9a804e 100644 --- a/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6.md +++ b/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6.md @@ -80,6 +80,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "url": [ "http://schemas.microsoft.com/office/2004/12/omml", "http://www.w3.org/TR/REC-html40" + ], + "url_domain": [ + "schemas.microsoft.com", + "www.w3.org" ] } }, 
@@ -351,6 +355,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "url": [ "http://mandrill.appc.cisco.com/track/open.php?u=30372747&id=d57275a6c9df40418a90fd977e3bf506", "https://bce-demo.appc.cisco.com/sensors/a7b04388-0f6e-11e9-8def-0242ac110002" + ], + "url_domain": [ + "bce-demo.appc.cisco.com", + "mandrill.appc.cisco.com" ] } }, @@ -680,6 +688,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "url": [ "https://facebook.com/u/john.doe", "https://tiktok.com", + "https://tinyurl.es/tbdra", + "www.twitter.com" + ], + "url_domain": [ + "facebook.com", + "tiktok.com", + "tinyurl.es", "www.twitter.com" ] } @@ -914,8 +929,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "domain": { "age": "30 days (or greater)" } - }, - "url": [] + } } }, "email": { @@ -1205,6 +1219,7 @@ The following table lists the fields that are extracted, normalized under the EC |`cisco.esa.source.domain.age` | `keyword` | This field indicates the age of the domain associated with the sender of a message. Older domains are generally considered more trustworthy than newer domains, so this field can be used as a factor in determining whether a message is legitimate or spam. | |`cisco.esa.status` | `keyword` | | |`cisco.esa.url` | `keyword` | the declaration of the cisco urls | +|`cisco.esa.url_domain` | `keyword` | | |`destination.domain` | `keyword` | The domain name of the destination. | |`destination.ip` | `ip` | IP address of the destination. | |`destination.mac` | `keyword` | MAC address of the destination. | diff --git a/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md b/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md index f12c090350..27170b0ccc 100644 --- a/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md 
+++ b/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md @@ -826,6 +826,60 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "rdp.json" + + ```json + + { + "message": "{\"timestamp\":\"2024-11-29T15:08:06.239558+0000\",\"flow_id\":1822723333770346,\"in_iface\":\"eth0\",\"event_type\":\"rdp\",\"src_ip\":\"14.225.46.243\",\"src_port\":58953,\"dest_ip\":\"10.0.1.4\",\"dest_port\":3389,\"proto\":\"TCP\",\"community_id\":\"1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=\",\"rdp\":{\"tx_id\":2,\"event_type\":\"tls_handshake\",\"x509_serials\":[\"773dbe1ea6dc998444b4f9da1f188ba8\"]}}", + "event": { + "category": [ + "network" + ], + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-29T15:08:06.239558Z", + "action": { + "type": "rdp" + }, + "destination": { + "address": "10.0.1.4", + "ip": "10.0.1.4", + "port": 3389 + }, + "host": { + "ip": "14.225.46.243" + }, + "network": { + "community_id": "1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=", + "protocol": "TCP", + "transport": "TCP" + }, + "observer": { + "ingress": { + "interface": { + "name": "eth0" + } + } + }, + "related": { + "ip": [ + "10.0.1.4", + "14.225.46.243" + ] + }, + "source": { + "address": "14.225.46.243", + "ip": "14.225.46.243", + "port": 58953 + } + } + + ``` + + === "smb.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3_sample.md b/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3_sample.md index 06742aef04..1d0783c678 100644 --- a/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3_sample.md +++ b/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3_sample.md 
@@ -683,6 +683,33 @@ In this section, you will find examples of raw logs as generated natively by the +=== "rdp" + + + ```json + { + "timestamp": "2024-11-29T15:08:06.239558+0000", + "flow_id": 1822723333770346, + "in_iface": "eth0", + "event_type": "rdp", + "src_ip": "14.225.46.243", + "src_port": 58953, + "dest_ip": "10.0.1.4", + "dest_port": 3389, + "proto": "TCP", + "community_id": "1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=", + "rdp": { + "tx_id": 2, + "event_type": "tls_handshake", + "x509_serials": [ + "773dbe1ea6dc998444b4f9da1f188ba8" + ] + } + } + ``` + + + === "smb" diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md index 80a99c5e02..8eeefae1fd 100644 --- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md +++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md @@ -148,7 +148,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "REDACTED" ], "user": [ - "REDACTED\\valves" + "valves" ] }, "rule": { @@ -158,7 +158,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "YARA binary check" }, "user": { - "name": "REDACTED\\valves" + "domain": "REDACTED", + "name": "valves" } } @@ -202,7 +203,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "execution": 0, "groups": [], "level": "medium", - "status": "new" + "status": "new", + "threat_key": "2971" }, "host": { "domain": "EXAMPLE", @@ -244,7 +246,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "PL-3049" ], "user": [ - "EXAMPLE\\jdoe" + "jdoe" ] }, "rule": { 
@@ -254,7 +256,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "File Added/Modified in Startup Directory" }, "user": { - "name": "EXAMPLE\\jdoe" + "domain": "EXAMPLE", + "name": "jdoe" } } @@ -298,7 +301,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "{\"id\": \"00000000-0000-0000-0000-000000000000\", \"name\": \"EXAMPLE\"}" ], "level": "medium", - "status": "new" + "status": "new", + "threat_key": "2912" }, "host": { "domain": "EXAMPLE", @@ -346,7 +350,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "PL3024" ], "user": [ - "EXAMPLE\\jdoe" + "jdoe" ] }, "rule": { @@ -356,7 +360,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "Registry Autorun Key Added" }, "user": { - "name": "EXAMPLE\\jdoe", + "domain": "EXAMPLE", + "name": "jdoe", "roles": "EXAMPLE" } } @@ -408,7 +413,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "script_path": "C:\\Scripts\\SomeWhere\\Get-FaInterco\\Get-FaNetworkFlowV2.ps1" } }, - "status": "new" + "status": "new", + "threat_key": "16364" }, "host": { "domain": "Example", @@ -450,7 +456,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "SRV001" ], "user": [ - "EXAMPLE\\j.doe" + "j.doe" ] }, "rule": { @@ -460,7 +466,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "PowerShellInvoke-CommandExecutedonRemoteHost" }, "user": { - "name": "EXAMPLE\\j.doe", + "domain": "EXAMPLE", + "name": "j.doe", "roles": "Servers" } } @@ -506,7 +513,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "{\"id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"name\": \"DOMAIN_Postes_de_travail_Windows\"}" ], "level": "medium", - "status": "new" + "status": "new", + "threat_key": "1343" }, "host": { "domain": "DOMAINSI", 
@@ -549,7 +557,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "HOST01" ], "user": [ - "DOMAINSI\\JDOE" + "JDOE" ] }, "rule": { @@ -569,7 +577,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "top_level_domain": "com" }, "user": { - "name": "DOMAINSI\\JDOE", + "domain": "DOMAINSI", + "name": "JDOE", "roles": "DOMAIN_Postes_de_travail_Windows" } } @@ -618,7 +627,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "{\"id\": \"66666666-7777-8888-9999-000000000000\", \"name\": \"Postes de travail : Lot 3\"}" ], "level": "medium", - "status": "new" + "status": "new", + "threat_key": "20528" }, "host": { "domain": "NT_DOMAIN", @@ -741,7 +751,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "pc123" ], "user": [ - "XXX\\XXX" + "XXX" ] }, "rule": { @@ -751,7 +761,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "Discovery: Process list" }, "user": { - "name": "XXX\\XXX" + "domain": "XXX", + "name": "XXX" } } @@ -884,7 +895,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "127.0.0.1" ], "user": [ - "test-domain\\work-laptop$" + "work-laptop$" ] }, "sekoiaio": { @@ -904,12 +915,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": "127.0.0.1" }, "user": { + "domain": "test-domain", "id": "S-1-5-18", - "name": "test-domain\\work-laptop$", + "name": "work-laptop$", "roles": "custom-group", "target": { + "domain": "work-laptop", "id": "S-1-0-0", - "name": "work-laptop\\administrateur" + "name": "administrateur" } } } @@ -1112,11 +1125,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "work-laptop" ], "user": [ - "test-domain\\john.doe" + "john.doe" ] }, "user": { - "name": "test-domain\\john.doe", + "domain": "test-domain", + "name": "john.doe", "roles": "custom-group" } } 
@@ -1363,7 +1377,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "192.168.120.41" ], "user": [ - "NT AUTHORITY\\SYSTEM" + "SYSTEM" ] }, "source": { @@ -1372,7 +1386,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "port": 21955 }, "user": { - "name": "NT AUTHORITY\\SYSTEM" + "domain": "NT AUTHORITY", + "name": "SYSTEM" } } @@ -1432,7 +1447,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "185.202.2.238" ], "user": [ - "NT AUTHORITY\\NETWORK SERVICE" + "NETWORK SERVICE" ] }, "source": { @@ -1441,7 +1456,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "port": 42221 }, "user": { - "name": "NT AUTHORITY\\NETWORK SERVICE" + "domain": "NT AUTHORITY", + "name": "NETWORK SERVICE" } } @@ -1586,11 +1602,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "SFRTAOA" ], "user": [ - "NT AUTHORITY\\SYSTEM" + "SYSTEM" ] }, "user": { - "name": "NT AUTHORITY\\SYSTEM", + "domain": "NT AUTHORITY", + "name": "SYSTEM", "roles": "Group1" } } @@ -1674,11 +1691,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "EXCHANGE" ], "user": [ - "NT AUTHORITY\\SYSTEM" + "SYSTEM" ] }, "user": { - "name": "NT AUTHORITY\\SYSTEM" + "domain": "NT AUTHORITY", + "name": "SYSTEM" } } @@ -1763,7 +1781,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "pc123" ], "user": [ - "XXX\\XXX" + "XXX" ] }, "rule": { @@ -1773,7 +1791,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "Discovery: Process list" }, "user": { - "name": "XXX\\XXX" + "domain": "XXX", + "name": "XXX" } } 
@@ -1856,11 +1875,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "REDACTED" ], "user": [ - "NT AUTHORITY\\NETWORK SERVICE" + "NETWORK SERVICE" ] }, "user": { - "name": "NT AUTHORITY\\NETWORK SERVICE" + "domain": "NT AUTHORITY", + "name": "NETWORK SERVICE" } } @@ -1956,11 +1976,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "jdoe" ], "user": [ - "TST USER\\SYSTEM" + "SYSTEM" ] }, "user": { - "name": "TST USER\\SYSTEM", + "domain": "TST USER", + "name": "SYSTEM", "roles": "test_group" } } @@ -2276,6 +2297,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "harfanglab" }, "harfanglab": { + "agent_ids": [ + "af5e2f63-becd-4660-ade8-30d04c0dd044" + ], "count": { "rules": 1, "users_impacted": 0 @@ -2309,6 +2333,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "harfanglab" }, "harfanglab": { + "agent_ids": [ + "215fe295-905f-4a8d-8347-e9d438d4e415", + "999ba0c7-96b8-4c57-bf0e-63b24813c873" + ], "count": { "rules": 4, "users_impacted": 3 @@ -3061,6 +3089,7 @@ The following table lists the fields that are extracted, normalized under the EC |`file.pe.original_file_name` | `keyword` | Internal name of the file, provided at compile-time. | |`file.pe.product` | `keyword` | Internal product name of the file, provided at compile-time. | |`file.size` | `long` | File size in bytes. | +|`harfanglab.agent_ids` | `keyword` | | |`harfanglab.aggregation_key` | `keyword` | The key to the events aggregation | |`harfanglab.alert_subtype` | `keyword` | The subtype of the alert | |`harfanglab.alert_time` | `keyword` | The timestamp of the alert | 
@@ -3078,6 +3107,7 @@ The following table lists the fields that are extracted, normalized under the EC |`harfanglab.rule_level` | `keyword` | Rule level | |`harfanglab.status` | `keyword` | The status of the event | |`harfanglab.threat_id` | `keyword` | Id of the threat | +|`harfanglab.threat_key` | `keyword` | The key of the threat | |`host.domain` | `keyword` | Name of the directory the group is a member of. | |`host.hostname` | `keyword` | Hostname of the host. | |`host.name` | `keyword` | Name of the host. | diff --git a/_shared_content/operations_center/integrations/generated/3cedbe29-02f8-42bf-9ec2-0158186c2827.md b/_shared_content/operations_center/integrations/generated/3cedbe29-02f8-42bf-9ec2-0158186c2827.md index 0349ddaeaf..e6291f6e8b 100644 --- a/_shared_content/operations_center/integrations/generated/3cedbe29-02f8-42bf-9ec2-0158186c2827.md +++ b/_shared_content/operations_center/integrations/generated/3cedbe29-02f8-42bf-9ec2-0158186c2827.md 
@@ -80,6 +80,58 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "application_compliance_updated.json" + + ```json + + { + "message": "{\n \"id\": \"1234567890\",\n \"creationDate\": \"2024-11-27T04:10:33.460Z\",\n \"source\": \"system\",\n \"category\": null,\n \"type\": \"DeviceApplicationComplianceUpdated\",\n \"content\": {\n \"deviceApplicationCompliance\": {\n \"id\": \"abcdef123456\",\n \"status\": \"Disapproved\",\n \"computed\": true,\n \"creationDate\": \"2024-11-27T04:04:26.482Z\",\n \"lastModificationDate\": \"2024-11-27T04:10:33.000Z\",\n \"deviceApplication\": {\n \"id\": \"123456789ABCDEF\",\n \"application\": {\n \"id\": \"azertyuiop\",\n \"package\": {\n \"id\": \"1234abcd\",\n \"package\": \"com.app.test\",\n \"system\": \"Android\"\n },\n \"version\": \"491.0.0.58.78\",\n \"md5\": \"0fccfdefc882c4be6d2a938001184e08\",\n \"sha1\": \"749c94cd972726ef2b3ccda7e718a2034cc9f6ac\",\n \"sha256\": \"278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8\",\n \"name\": \"App\",\n \"versionCode\": \"457215664\",\n \"size\": \"64262264\"\n },\n \"device\": {\n \"id\": \"device_id01\",\n \"serialNumber\": \"unknown\",\n \"imei\": null,\n \"name\": \"John\",\n \"email\": null,\n \"singleEnrollmentKey\": \"xxxxxXXXXxxXxxx\",\n \"byod\": false,\n \"lockPassword\": null,\n \"knoxVersion\": null,\n \"declaredOperatingSystem\": \"Android\",\n \"declaredOperatingSystemVersion\": \"10.0.0\",\n \"declaredOperatingSystemSecurityPatchDate\": \"2020-09-01T00:00:00.000Z\",\n \"declaredModel\": \"MODEL 01\",\n \"enrollmentStatus\": {\n \"id\": \"enrollid_12\",\n \"lastConnection\": \"2024-11-27T04:07:32.000Z\",\n \"coupled\": true\n },\n \"emmDeviceInfo\": null\n },\n \"installedAt\": \"2024-08-07T13:40:35.000Z\",\n \"uninstalledAt\": null,\n \"native\": false\n },\n \"matchedResponseRules\": [\n {\n \"id\": \"matched_response_id\",\n \"matchConditions\": [\n {\n \"type\": \"threatLevelIs\",\n \"value\": \"Red\"\n }\n 
],\n \"notifyAdministrator\": false,\n \"onDeviceNotification\": false,\n \"action\": \"Disapproved\",\n \"responseRuleset\": {\n \"id\": \"yMXqFSTMT8uDn1ijwCmEGA\",\n \"name\": \"FallBack\",\n \"active\": true,\n \"type\": \"FallBack\",\n \"priority\": 0\n },\n \"priority\": 0\n }\n ]\n }\n },\n \"user\": null,\n \"device\": null,\n \"company\": {\n \"id\": \"ROhGBpGHSi2gpVagfb4FhQ\",\n \"name\": \"LAB\",\n \"creationDate\": \"2024-04-15T15:31:33.395Z\",\n \"lastModificationDate\": \"2024-08-07T13:23:42.000Z\",\n \"deletedAt\": null\n }\n}", + "event": { + "action": "DeviceApplicationComplianceUpdated", + "category": [ + "process" + ], + "type": [ + "change" + ] + }, + "@timestamp": "2024-11-27T04:10:33.460000Z", + "pradeo": { + "application": { + "id": "azertyuiop", + "md5": "0fccfdefc882c4be6d2a938001184e08", + "name": "App", + "package": "com.app.test", + "sha1": "749c94cd972726ef2b3ccda7e718a2034cc9f6ac", + "sha256": "278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8", + "system": "Android", + "version": "491.0.0.58.78", + "versionCode": "457215664" + }, + "device": { + "byod": false, + "coupled": true, + "declaredModel": "MODEL 01", + "declaredOperatingSystem": "Android", + "declaredOperatingSystemSecurityPatchDate": "2020-09-01T00:00:00Z", + "declaredOperatingSystemVersion": "10.0.0", + "id": "device_id01", + "lastConnection": "2024-11-27T04:07:32Z", + "name": "John", + "serialNumber": "unknown" + }, + "metadata": { + "creationDate": "2024-11-27T04:10:33.460000Z", + "id": "1234567890", + "source": "system", + "type": "DeviceApplicationComplianceUpdated" + } + } + } + + ``` + + === "detection-policy-updated.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/3cedbe29-02f8-42bf-9ec2-0158186c2827_sample.md b/_shared_content/operations_center/integrations/generated/3cedbe29-02f8-42bf-9ec2-0158186c2827_sample.md index 6c756a0f59..d63b10ddd7 100644 
--- a/_shared_content/operations_center/integrations/generated/3cedbe29-02f8-42bf-9ec2-0158186c2827_sample.md +++ b/_shared_content/operations_center/integrations/generated/3cedbe29-02f8-42bf-9ec2-0158186c2827_sample.md 
@@ -82,6 +82,103 @@ In this section, you will find examples of raw logs as generated natively by the +=== "application_compliance_updated" + + + ```json + { + "id": "1234567890", + "creationDate": "2024-11-27T04:10:33.460Z", + "source": "system", + "category": null, + "type": "DeviceApplicationComplianceUpdated", + "content": { + "deviceApplicationCompliance": { + "id": "abcdef123456", + "status": "Disapproved", + "computed": true, + "creationDate": "2024-11-27T04:04:26.482Z", + "lastModificationDate": "2024-11-27T04:10:33.000Z", + "deviceApplication": { + "id": "123456789ABCDEF", + "application": { + "id": "azertyuiop", + "package": { + "id": "1234abcd", + "package": "com.app.test", + "system": "Android" + }, + "version": "491.0.0.58.78", + "md5": "0fccfdefc882c4be6d2a938001184e08", + "sha1": "749c94cd972726ef2b3ccda7e718a2034cc9f6ac", + "sha256": "278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8", + "name": "App", + "versionCode": "457215664", + "size": "64262264" + }, + "device": { + "id": "device_id01", + "serialNumber": "unknown", + "imei": null, + "name": "John", + "email": null, + "singleEnrollmentKey": "xxxxxXXXXxxXxxx", + "byod": false, + "lockPassword": null, + "knoxVersion": null, + "declaredOperatingSystem": "Android", + "declaredOperatingSystemVersion": "10.0.0", + "declaredOperatingSystemSecurityPatchDate": "2020-09-01T00:00:00.000Z", + "declaredModel": "MODEL 01", + "enrollmentStatus": { + "id": "enrollid_12", + "lastConnection": "2024-11-27T04:07:32.000Z", + "coupled": true + }, + "emmDeviceInfo": null + }, + "installedAt": "2024-08-07T13:40:35.000Z", + "uninstalledAt": null, + "native": false + }, + "matchedResponseRules": [ + { + "id": "matched_response_id", + "matchConditions": [ + { + "type": "threatLevelIs", + "value": "Red" + } + ], + "notifyAdministrator": false, + "onDeviceNotification": false, + "action": "Disapproved", + "responseRuleset": { + "id": "yMXqFSTMT8uDn1ijwCmEGA", + "name": "FallBack", + "active": true, + "type": 
"FallBack", + "priority": 0 + }, + "priority": 0 + } + ] + } + }, + "user": null, + "device": null, + "company": { + "id": "ROhGBpGHSi2gpVagfb4FhQ", + "name": "LAB", + "creationDate": "2024-04-15T15:31:33.395Z", + "lastModificationDate": "2024-08-07T13:23:42.000Z", + "deletedAt": null + } + } + ``` + + + === "detection-policy-updated" diff --git a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md index 75fc710646..2b6ba3b6a1 100644 --- a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md +++ b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md 
@@ -2754,6 +2754,105 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "process_processcreation_2.json" + + ```json + + { + "message": "{\"tgt.process.displayName\":\"curl\",\"event.category\":\"process\",\"site.id\":\"1967302198659758782\",\"tgt.process.pid\":30273,\"endpoint.os\":\"osx\",\"tgt.process.name\":\"curl\",\"tgt.process.storyline.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.signedStatus\":\"signed\",\"tgt.process.isNative64Bit\":false,\"mgmt.id\":\"16205\",\"os.name\":\"OS X\",\"tgt.process.cmdline\":\"curl -H User-Agent: test.nvim v1.10.0 (+https:\\/\\/test.test\\/tttttttt\\/test.nvim) -fsSL -X GET -o \\/Users\\/test.user\\/.local\\/share\\/nvim\\/test\\/registries\\/github\\/test-org\\/test-registry\\/registry.json.zip --connect-timeout 30 https:\\/\\/test.test\\/test-org\\/test-registry\\/releases\\/download\\/2024-12-05-doting-coil\\/registry.json.zip\",\"i.version\":\"preprocess-lib-1.0\",\"process.unique.key\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.uid\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.isStorylineRoot\":false,\"mgmt.url\":\"mgm-testing-test.sentinelone.net\",\"agent.version\":\"23.3.1.7037\",\"tgt.process.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"tgt.process.image.sha256\":\"8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42\",\"mgmt.osRevision\":\"14.7.1 
(23H222)\",\"meta.event.name\":\"PROCESSCREATION\",\"group.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.publisher\":\"\",\"tgt.process.startTime\":1733386731479,\"tgt.process.verifiedStatus\":\"verified\",\"endpoint.type\":\"laptop\",\"tgt.process.image.path\":\"\\/usr\\/bin\\/curl\",\"i.scheme\":\"edr\",\"trace.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX\",\"tgt.process.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"site.name\":\"LEDGER\",\"agent.uuid\":\"xxxx-XXXXXX-XXXXx-xxxxx\",\"tgt.process.image.md5\":\"fe61928bbd84ed16fc4f934307bf2f16\",\"event.time\":1733386731479,\"tgt.process.user\":\"test.user\",\"timestamp\":\"2024-12-05T08:18:51.479Z\",\"account.id\":\"1967302197074311859\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"LMFR0205\",\"packet.id\":\"949E7E9F-F1E6-4507-830F-E272AAED8F15\",\"tgt.process.sessionId\":0,\"dataSource.vendor\":\"SentinelOne\",\"dataSource.category\":\"security\",\"tgt.process.isRedirectCmdProcessor\":false,\"tgt.process.image.sha1\":\"e817c506298dc8a2dba727562b6efc60dcf4db1a\",\"account.name\":\"24 - LEDGER\",\"event.type\":\"Process Creation\",\"event.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX_77\"}", + "event": { + "action": "Process Creation", + "category": [ + "process" + ], + "dataset": "cloud-funnel-2.0", + "type": [ + "info" + ] + }, + "@timestamp": "2024-12-05T08:18:51.479000Z", + "agent": { + "version": "23.3.1.7037" + }, + "deepvisibility": { + "agent": { + "managment_url": "mgm-testing-test.sentinelone.net", + "trace_id": "XXXXXXX-XXXXXXXX-XXXXXXX", + "uuid": "xxxx-XXXXXX-XXXXx-xxxxx" + }, + "event": { + "category": "process", + "type": "Process Creation" + }, + "host": { + "os": { + "revision": "14.7.1 (23H222)" + } + }, + "process": { + "target": { + "command_line": "curl -H User-Agent: test.nvim v1.10.0 (+https://test.test/tttttttt/test.nvim) -fsSL -X GET -o /Users/test.user/.local/share/nvim/test/registries/github/test-org/test-registry/registry.json.zip --connect-timeout 30 
https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "executable": "/usr/bin/curl", + "hash": { + "md5": "fe61928bbd84ed16fc4f934307bf2f16", + "sha1": "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "sha256": "8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42" + }, + "name": "curl", + "storyline_id": "EE9FB66D-9B03-4286-971C-7A20615D157B", + "title": "curl", + "working_directory": "/usr/bin" + } + } + }, + "host": { + "name": "LMFR0205", + "os": { + "family": "osx", + "name": "OS X" + }, + "type": "laptop" + }, + "observer": { + "vendor": "SentinelOne" + }, + "process": { + "command_line": "curl -H User-Agent: test.nvim v1.10.0 (+https://test.test/tttttttt/test.nvim) -fsSL -X GET -o /Users/test.user/.local/share/nvim/test/registries/github/test-org/test-registry/registry.json.zip --connect-timeout 30 https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "executable": "/usr/bin/curl", + "hash": { + "md5": "fe61928bbd84ed16fc4f934307bf2f16", + "sha1": "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "sha256": "8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42" + }, + "name": "curl", + "pid": 30273, + "start": "2024-12-05T08:18:51.479000Z", + "title": "curl", + "user": { + "name": "test.user" + }, + "working_directory": "/usr/bin" + }, + "related": { + "hash": [ + "8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42", + "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "fe61928bbd84ed16fc4f934307bf2f16" + ] + }, + "url": { + "domain": "test.test", + "original": "https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "path": "/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "port": 443, + "scheme": "https", + "subdomain": "test" + } + } + + ``` + + === "registry_binary.json" ```json 
diff --git a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340_sample.md b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340_sample.md index 470763a478..8f6767ff93 100644 --- a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340_sample.md +++ b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340_sample.md 
@@ -2582,6 +2582,65 @@ In this section, you will find examples of raw logs as generated natively by the +=== "process_processcreation_2" + + + ```json + { + "tgt.process.displayName": "curl", + "event.category": "process", + "site.id": "1967302198659758782", + "tgt.process.pid": 30273, + "endpoint.os": "osx", + "tgt.process.name": "curl", + "tgt.process.storyline.id": "EE9FB66D-9B03-4286-971C-7A20615D157B", + "tgt.process.signedStatus": "signed", + "tgt.process.isNative64Bit": false, + "mgmt.id": "16205", + "os.name": "OS X", + "tgt.process.cmdline": "curl -H User-Agent: test.nvim v1.10.0 (+https://test.test/tttttttt/test.nvim) -fsSL -X GET -o /Users/test.user/.local/share/nvim/test/registries/github/test-org/test-registry/registry.json.zip --connect-timeout 30 https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "i.version": "preprocess-lib-1.0", + "process.unique.key": "54EDFDFD-139E-4040-A961-59D6F9C33F63", + "tgt.process.uid": "54EDFDFD-139E-4040-A961-59D6F9C33F63", + "tgt.process.isStorylineRoot": false, + "mgmt.url": "mgm-testing-test.sentinelone.net", + "agent.version": "23.3.1.7037", + "tgt.process.subsystem": "SUBSYSTEM_UNKNOWN", + "tgt.process.image.sha256": "8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42", + "mgmt.osRevision": "14.7.1 (23H222)", + "meta.event.name": "PROCESSCREATION", + "group.id": "EE9FB66D-9B03-4286-971C-7A20615D157B", + "tgt.process.publisher": "", + "tgt.process.startTime": 1733386731479, + "tgt.process.verifiedStatus": "verified", + "endpoint.type": "laptop", + "tgt.process.image.path": "/usr/bin/curl", + "i.scheme": "edr", + "trace.id": "XXXXXXX-XXXXXXXX-XXXXXXX", + "tgt.process.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN", + "site.name": "LEDGER", + "agent.uuid": "xxxx-XXXXXX-XXXXx-xxxxx", + "tgt.process.image.md5": "fe61928bbd84ed16fc4f934307bf2f16", + "event.time": 1733386731479, + "tgt.process.user": "test.user", + "timestamp": "2024-12-05T08:18:51.479Z", + 
"account.id": "1967302197074311859", + "dataSource.name": "SentinelOne", + "endpoint.name": "LMFR0205", + "packet.id": "949E7E9F-F1E6-4507-830F-E272AAED8F15", + "tgt.process.sessionId": 0, + "dataSource.vendor": "SentinelOne", + "dataSource.category": "security", + "tgt.process.isRedirectCmdProcessor": false, + "tgt.process.image.sha1": "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "account.name": "24 - LEDGER", + "event.type": "Process Creation", + "event.id": "XXXXXXX-XXXXXXXX-XXXXXXX_77" + } + ``` + + + === "registry_binary" diff --git a/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md b/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md index 1d00516dd9..b18d2936d1 100644 --- a/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md +++ b/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md @@ -206,7 +206,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "\"0\" \"1\" \"ad.domain\" \"urdom.ad.domain\" \"C-GPO-EXEC-SANITY\" \"high\" \"CN={3D4A6260-9D6C-4062-B56B-DC6D419333CE},CN=Policies,CN=System,DC=urdom,DC=ad,DC=domain\" \"2008125\" \"2\" \n\"R-GPO-EXEC-SANITY-UNKNOWN-CSE\" \"79016668\" \"CseGuid\"=\"{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}\" \"AttributeName\"=\"GpcMachineExtensionName\" \"GpoName\"=\"#URDOM-APP-RSAT-TEST\"", + "message": "\"0\" \"1\" \"ad.domain\" \"test.ad.domain\" \"C-GPO-EXEC-SANITY\" \"high\" \"CN={3D4A6260-9000-4000-B000-DC6D41900000},CN=Policies,CN=System,DC=test,DC=ad,DC=domain\" \"2008000\" \"2\" \n\"R-GPO-EXEC-SANITY-UNKNOWN-CSE\" \"790160000\" \"CseGuid\"=\"{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}\" \"AttributeName\"=\"GpcMachineExtensionName\" \"GpoName\"=\"#TEST-APP-RSAT-TEST\"", "event": { "kind": "alert", "outcome": "success" 
@@ -216,16 +216,16 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "outcome": "success", "outcome_reason": "R-GPO-EXEC-SANITY-UNKNOWN-CSE", "properties": { - "ADdevianceID": 2008125, - "ADdomainName": "urdom.ad.domain", + "ADdevianceID": 2008000, + "ADdomainName": "test.ad.domain", "ADforestName": "ad.domain", - "ADobject": "CN={3D4A6260-9D6C-4062-B56B-DC6D419333CE},CN=Policies,CN=System,DC=urdom,DC=ad,DC=domain", + "ADobject": "CN={3D4A6260-9000-4000-B000-DC6D41900000},CN=Policies,CN=System,DC=test,DC=ad,DC=domain", "AttributeName": "GpcMachineExtensionName", "CseGuid": "{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}", - "GpoName": "#URDOM-APP-RSAT-TEST", + "GpoName": "#TEST-APP-RSAT-TEST", "alertID": 1, "alertSeverityLevel": "high", - "eventID": "79016668" + "eventID": "790160000" }, "type": "alert" }, @@ -243,7 +243,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "\"0\" \"1\" \"ad.domain\" \"urdom.ad.domain\" \"C-OBSOLETE-SYSTEMS\" \"high\" \n \"CN=cnpsp16bd,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC \n ter,DC=urdom,DC=ad,DC=domain\" \"2007590\" \"2\" \"R-SLEEPING-OBSOLETE-SYSTEMS\" \n \"78964369\" \"ComputerCn\"=\"cnpsp16bd\" \"OperatingSystem\"=\"Windows Server 2012 R2 \n Standard\" \"OperatingSystemVersion\"=\"6.3 (9600)\"", + "message": "\"0\" \"1\" \"ad.domain\" \"test.ad.domain\" \"C-OBSOLETE-SYSTEMS\" \"high\" \n \"CN=testCN,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC \n ter,DC=testDC,DC=ad,DC=domain\" \"2007000\" \"2\" \"R-SLEEPING-OBSOLETE-SYSTEMS\" \n \"78964000\" \"ComputerCn\"=\"testComputerCN\" \"OperatingSystem\"=\"Windows Server 2012 R2 \n Standard\" \"OperatingSystemVersion\"=\"6.3 (9600)\"", "event": { "kind": "alert", "outcome": "success" 
@@ -253,16 +253,16 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "outcome": "success", "outcome_reason": "R-SLEEPING-OBSOLETE-SYSTEMS", "properties": { - "ADdevianceID": 2007590, - "ADdomainName": "urdom.ad.domain", + "ADdevianceID": 2007000, + "ADdomainName": "test.ad.domain", "ADforestName": "ad.domain", - "ADobject": "CN=cnpsp16bd,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC ter,DC=urdom,DC=ad,DC=domain", - "ComputerCn": "cnpsp16bd", + "ADobject": "CN=testCN,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC ter,DC=testDC,DC=ad,DC=domain", + "ComputerCn": "testComputerCN", "OperatingSystem": "Windows Server 2012 R2 Standard", "OperatingSystemVersion": "6.3 (9600)", "alertID": 1, "alertSeverityLevel": "high", - "eventID": "78964369" + "eventID": "78964000" }, "type": "alert" }, @@ -280,7 +280,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "\"2\" \"21\" \"foo.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-040\" \"10.17.92.40\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-040\" \"dc_ip\"=\"10.17.92.40\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\"", + "message": "\"2\" \"21\" \"foo.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-000\" \"1.2.3.4\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-000\" \"dc_ip\"=\"1.2.3.4\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\"", "event": { "kind": "alert" }, 
@@ -290,13 +290,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ADforestName": "foo.ad.com", "ADobject": "Suspicious DC Password Change", "alertID": 21, - "dc_ip": "10.17.92.40", - "dc_name": "HOSTNAME-040", + "dc_ip": "1.2.3.4", + "dc_name": "HOSTNAME-000", "eventID": "critical", "eventType": "Unknown", "field1": "Unknown", - "field2": "HOSTNAME-040", - "field3": "10.17.92.40", + "field2": "HOSTNAME-000", + "field3": "1.2.3.4", "password_renewal_duration": "30:04:30:05", "source_hostname": "Unknown", "source_ip": "Unknown", @@ -320,7 +320,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958016\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271575\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp\" \"1958000\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271000\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"test.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D000,OU=Desktops,OU=Computers,DC=emae,DC=corp\"", "event": { "kind": "alert", "outcome": "success" 
@@ -330,15 +330,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "outcome": "success", "outcome_reason": "R-PRIVUSER-CAN-LOGON", "properties": { - "ADdevianceID": 1958016, - "ADdomainName": "emea.corp", + "ADdevianceID": 1958000, + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp", - "ParentContainer": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp", + "ADobject": "OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp", + "ParentContainer": "OU=D000,OU=Desktops,OU=Computers,DC=emae,DC=corp", "PrivilegesPath": "CN=Adminintrator,CN=Users,DC=emae,DC=corp", "alertID": 1, "alertSeverityLevel": "high", - "eventID": "49271575" + "eventID": "49271000" }, "type": "alert" }, @@ -352,7 +352,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "type": "ldap" }, "user": { - "domain": "emea.corp", + "domain": "test.corp", "name": "John DOE" } } @@ -365,7 +365,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=emea,DC=corp\" \"1920595\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=emea,DC=corp\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=test,DC=corp\" \"1920000\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=test,DC=corp\"", "event": { "kind": "alert", "outcome": "success" 
@@ -375,11 +375,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "outcome": "success", "outcome_reason": "R-DELEG-PRIVUSERS-NOT-PROTECTED", "properties": { - "ADdevianceID": 1920595, - "ADdomainName": "emea.corp", + "ADdevianceID": 1920000, + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=emea,DC=corp", - "PrivilegesPath": "CN=Backup,CN=Builtin,DC=emea,DC=corp", + "ADobject": "CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=test,DC=corp", + "PrivilegesPath": "CN=Backup,CN=Builtin,DC=test,DC=corp", "alertID": 1, "alertSeverityLevel": "critical", "eventID": "50666797" @@ -408,7 +408,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"1959337\" \"2\" \"R-NOT-IN-WHITELIST\" \"51204253\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=test,DC=corp\" \"1959000\" \"2\" \"R-NOT-IN-WHITELIST\" \"51200000\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=test,DC=corp\"", "event": { "kind": "alert", "outcome": "success" 
@@ -418,14 +418,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "outcome": "success", "outcome_reason": "R-NOT-IN-WHITELIST", "properties": { - "ADdevianceID": 1959337, - "ADdomainName": "emea.corp", + "ADdevianceID": 1959000, + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "CN=Main Administrators,CN=Users,DC=emea,DC=corp", - "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=emea,DC=corp", + "ADobject": "CN=Main Administrators,CN=Users,DC=test,DC=corp", + "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=test,DC=corp", "alertID": 1, "alertSeverityLevel": "critical", - "eventID": "51204253" + "eventID": "51200000" }, "type": "alert" }, @@ -454,7 +454,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958033\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271575\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=test_OU,OU=Desktops,OU=Computers,DC=test_DC,DC=corp\" \"1958000\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271000\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"test.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=test,DC=corp\" \"ParentContainer\"=\"OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp\"", "event": { "kind": "alert", "outcome": "success" 
@@ -464,15 +464,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "outcome": "success", "outcome_reason": "R-PRIVUSER-CAN-LOGON-ACROSS-TRUST", "properties": { - "ADdevianceID": 1958033, - "ADdomainName": "emea.corp", + "ADdevianceID": 1958000, + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp", - "ParentContainer": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp", - "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=emea,DC=corp", + "ADobject": "OU=test_OU,OU=Desktops,OU=Computers,DC=test_DC,DC=corp", + "ParentContainer": "OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp", + "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=test,DC=corp", "alertID": 1, "alertSeverityLevel": "high", - "eventID": "49271575" + "eventID": "49271000" }, "type": "alert" }, @@ -486,7 +486,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "type": "ldap" }, "user": { - "domain": "emea.corp", + "domain": "test.corp", "name": "John Doe" } } @@ -499,7 +499,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2434\" \"TrusteeCn\"=\"GustavoFring\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2400\" \"TrusteeCn\"=\"JohnDoe\"", "event": { "kind": "alert", "outcome": "success" 
@@ -510,13 +510,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "outcome_reason": "R-DONT-EXPIRE-SET", "properties": { "ADdevianceID": 28, - "ADdomainName": "emea.corp", + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp", - "TrusteeCn": "GustavoFring", + "ADobject": "CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp", + "TrusteeCn": "JohnDoe", "alertID": 1, "alertSeverityLevel": "medium", - "eventID": "2434" + "eventID": "2400" }, "type": "alert" }, @@ -570,7 +570,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2434\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2400\"", "event": { "kind": "alert", "outcome": "success" @@ -581,12 +581,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "outcome_reason": "R-DONT-EXPIRE-SET", "properties": { "ADdevianceID": 28, - "ADdomainName": "emea.corp", + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp", + "ADobject": "CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp", "alertID": 1, "alertSeverityLevel": "medium", - "eventID": "2434" + "eventID": "2400" }, "type": "alert" }, 
@@ -604,7 +604,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-POLICY\" \"critical\" \"OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=emea,DC=corp\" \"28\" \"2\" \"R-LOCAL-ACCOUNTS-PWD-INHERITANCE-BLOCKED\" \"2434\" \"AttributeName\"=\"inf-system_access-lockoutbadcount\" \"OuCn\"=\"Packaging\"\n", + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-POLICY\" \"critical\" \"OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=test,DC=corp\" \"28\" \"2\" \"R-LOCAL-ACCOUNTS-PWD-INHERITANCE-BLOCKED\" \"2434\" \"AttributeName\"=\"inf-system_access-lockoutbadcount\" \"OuCn\"=\"Packaging\"\n", "event": { "kind": "alert", "outcome": "success" @@ -615,9 +615,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "outcome_reason": "R-LOCAL-ACCOUNTS-PWD-INHERITANCE-BLOCKED", "properties": { "ADdevianceID": 28, - "ADdomainName": "emea.corp", + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=emea,DC=corp", + "ADobject": "OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=test,DC=corp", "AttributeName": "inf-system_access-lockoutbadcount", "OuCn": "Packaging", "alertID": 1, @@ -640,7 +640,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "\"1\" \"1\" \"Alsid Forest\" \"emea.corp\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=Emea,DC=corp\" \"2434\" \"UAC changed\" whenchanged=\"\"2020-01-09T09:24:41.0000000Z\"\"", + "message": "\"1\" \"1\" \"Alsid Forest\" \"test.corp\" \"CN=John doe,OU=test_OU,OU=test_OU1,DC=test_DC,DC=corp\" \"2400\" \"UAC changed\" whenchanged=\"\"2020-01-09T09:24:41.0000000Z\"\"", "event": { "kind": "trailflow", "outcome": "success" 
@@ -649,13 +649,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "UAC changed", "outcome": "success", "properties": { - "ADdomainName": "emea.corp", + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=Emea,DC=corp", + "ADobject": "CN=John doe,OU=test_OU,OU=test_OU1,DC=test_DC,DC=corp", "alertID": 1, "alsidAttributeName": "whenchanged", "alsidAttributeValue": "\"2020-01-09T09:24:41.0000000Z\"", - "eventID": "2434", + "eventID": "2400", "eventType": "UAC changed" }, "type": "trailflow" @@ -674,7 +674,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "\"1\" \"1\" \"Alsid Forest\" \"emea.corp\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"2432\" \"UAC changed\" useraccountcontrol=\"\"DONT_EXPIRE NORMAL \"\"", + "message": "\"1\" \"1\" \"Alsid Forest\" \"test.corp\" \"CN=John Doe,OU=test_OU,OU=test_OU2,DC=test_DC,DC=corp\" \"2400\" \"UAC changed\" useraccountcontrol=\"\"DONT_EXPIRE NORMAL \"\"", "event": { "kind": "trailflow", "outcome": "success" @@ -683,13 +683,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "UAC changed", "outcome": "success", "properties": { - "ADdomainName": "emea.corp", + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp", + "ADobject": "CN=John Doe,OU=test_OU,OU=test_OU2,DC=test_DC,DC=corp", "alertID": 1, "alsidAttributeName": "useraccountcontrol", "alsidAttributeValue": "\"DONT_EXPIRE NORMAL \"", - "eventID": "2432", + "eventID": "2400", "eventType": "UAC changed" }, "type": "trailflow" 
@@ -708,7 +708,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "\"1\" \"8\" \"AD.FOOBAR.COM\" \"AD\" \"\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts\" \"7856795\" \"ACL change\" \"ntsecuritydescriptor\"=\"\"O:S-1-5-21-1519513455-2607746426-5380147357-40655D:AI(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"\"", + "message": "\"1\" \"8\" \"AD.TEST.COM\" \"AD\" \"\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts\" \"7856000\" \"ACL change\" \"ntsecuritydescriptor\"=\"\"O:S-1-5-21-1519513455-2607000000-5380140000-406000:AI(A;OICIID;FA;;;S-1-5-21-1519510000-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"\"", "event": { "kind": "trailflow", "outcome": "success" 
@@ -718,12 +718,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "outcome": "success", "properties": { "ADdomainName": "AD", - "ADforestName": "AD.FOOBAR.COM", - "ADobject": "\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts", + "ADforestName": "AD.TEST.COM", + "ADobject": "\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts", "alertID": 8, "alsidAttributeName": "\"ntsecuritydescriptor\"", - "alsidAttributeValue": "\"O:S-1-5-21-1519513455-2607746426-5380147357-40655D:AI(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"", - "eventID": "7856795", + "alsidAttributeValue": "\"O:S-1-5-21-1519513455-2607000000-5380140000-406000:AI(A;OICIID;FA;;;S-1-5-21-1519510000-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"", + "eventID": "7856000", "eventType": "ACL change" }, "type": "trailflow" 
@@ -742,7 +742,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "\"1\" \"8\" \"AD.FOOBAR.COM\" \"AD\" \"\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI\" \"7855399\" \"New object\" \"gptini-displayname\"=\"\"Nouvel objet Strat\u00e9gie de groupe\"\"", + "message": "\"1\" \"8\" \"AD.TEST.COM\" \"AD\" \"\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI\" \"7855000\" \"New object\" \"gptini-displayname\"=\"\"Nouvel objet Strat\u00e9gie de groupe\"\"", "event": { "kind": "trailflow", "outcome": "success" @@ -752,12 +752,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "outcome": "success", "properties": { "ADdomainName": "AD", - "ADforestName": "AD.FOOBAR.COM", - "ADobject": "\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI", + "ADforestName": "AD.TEST.COM", + "ADobject": "\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI", "alertID": 8, "alsidAttributeName": "\"gptini-displayname\"", "alsidAttributeValue": "\"Nouvel objet Strat\u00e9gie de groupe\"", - "eventID": "7855399", + "eventID": "7855000", "eventType": "New object" }, "type": "trailflow" diff --git a/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_sample.md b/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_sample.md index de6a1bc165..1f1e0f0fc3 100644 --- a/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_sample.md +++ b/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_sample.md 
@@ -71,8 +71,8 @@ In this section, you will find examples of raw logs as generated natively by the === "alert_gpo_exec" ``` - "0" "1" "ad.domain" "urdom.ad.domain" "C-GPO-EXEC-SANITY" "high" "CN={3D4A6260-9D6C-4062-B56B-DC6D419333CE},CN=Policies,CN=System,DC=urdom,DC=ad,DC=domain" "2008125" "2" - "R-GPO-EXEC-SANITY-UNKNOWN-CSE" "79016668" "CseGuid"="{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}" "AttributeName"="GpcMachineExtensionName" "GpoName"="#URDOM-APP-RSAT-TEST" + "0" "1" "ad.domain" "test.ad.domain" "C-GPO-EXEC-SANITY" "high" "CN={3D4A6260-9000-4000-B000-DC6D41900000},CN=Policies,CN=System,DC=test,DC=ad,DC=domain" "2008000" "2" + "R-GPO-EXEC-SANITY-UNKNOWN-CSE" "790160000" "CseGuid"="{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}" "AttributeName"="GpcMachineExtensionName" "GpoName"="#TEST-APP-RSAT-TEST" ``` @@ -80,10 +80,10 @@ In this section, you will find examples of raw logs as generated natively by the === "alert_obsolete_system" ``` - "0" "1" "ad.domain" "urdom.ad.domain" "C-OBSOLETE-SYSTEMS" "high" - "CN=cnpsp16bd,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC - ter,DC=urdom,DC=ad,DC=domain" "2007590" "2" "R-SLEEPING-OBSOLETE-SYSTEMS" - "78964369" "ComputerCn"="cnpsp16bd" "OperatingSystem"="Windows Server 2012 R2 + "0" "1" "ad.domain" "test.ad.domain" "C-OBSOLETE-SYSTEMS" "high" + "CN=testCN,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC + ter,DC=testDC,DC=ad,DC=domain" "2007000" "2" "R-SLEEPING-OBSOLETE-SYSTEMS" + "78964000" "ComputerCn"="testComputerCN" "OperatingSystem"="Windows Server 2012 R2 Standard" "OperatingSystemVersion"="6.3 (9600)" ``` 
@@ -92,7 +92,7 @@ In this section, you will find examples of raw logs as generated natively by the === "alert_pattern2" ``` - "2" "21" "foo.ad.com" "AD" "Suspicious DC Password Change" "critical" "Unknown" "Unknown" "HOSTNAME-040" "10.17.92.40" "user"="ANONYMOUS LOGON" "source_hostname"="Unknown" "source_ip"="Unknown" "dc_name"="HOSTNAME-040" "dc_ip"="10.17.92.40" "targeted_dc_account"="USERNAME-002$" "tool"="foo-script" "password_renewal_duration"="30:04:30:05" + "2" "21" "foo.ad.com" "AD" "Suspicious DC Password Change" "critical" "Unknown" "Unknown" "HOSTNAME-000" "1.2.3.4" "user"="ANONYMOUS LOGON" "source_hostname"="Unknown" "source_ip"="Unknown" "dc_name"="HOSTNAME-000" "dc_ip"="1.2.3.4" "targeted_dc_account"="USERNAME-002$" "tool"="foo-script" "password_renewal_duration"="30:04:30:05" ``` @@ -100,7 +100,7 @@ In this section, you will find examples of raw logs as generated natively by the === "event_1" ``` - "0" "1" "Alsid Forest" "emea.corp" "C-ADMIN-RESTRICT-AUTH" "high" "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp" "1958016" "2" "R-PRIVUSER-CAN-LOGON" "49271575" "UserCn"="John DOE (Admin T0)" "UserDomain"="emea.corp" "PrivilegesPath"="CN=Adminintrator,CN=Users,DC=emae,DC=corp" "ParentContainer"="OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp" + "0" "1" "Alsid Forest" "test.corp" "C-ADMIN-RESTRICT-AUTH" "high" "OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp" "1958000" "2" "R-PRIVUSER-CAN-LOGON" "49271000" "UserCn"="John DOE (Admin T0)" "UserDomain"="test.corp" "PrivilegesPath"="CN=Adminintrator,CN=Users,DC=emae,DC=corp" "ParentContainer"="OU=D000,OU=Desktops,OU=Computers,DC=emae,DC=corp" ``` 
@@ -108,7 +108,7 @@ In this section, you will find examples of raw logs as generated natively by the === "event_2" ``` - "0" "1" "Alsid Forest" "emea.corp" "C-UNCONST-DELEG" "critical" "CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=emea,DC=corp" "1920595" "2" "R-DELEG-PRIVUSERS-NOT-PROTECTED" "50666797" "Cn"="Thrid Backup" "PrivilegesPath"="CN=Backup,CN=Builtin,DC=emea,DC=corp" + "0" "1" "Alsid Forest" "test.corp" "C-UNCONST-DELEG" "critical" "CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=test,DC=corp" "1920000" "2" "R-DELEG-PRIVUSERS-NOT-PROTECTED" "50666797" "Cn"="Thrid Backup" "PrivilegesPath"="CN=Backup,CN=Builtin,DC=test,DC=corp" ``` @@ -116,7 +116,7 @@ In this section, you will find examples of raw logs as generated natively by the === "event_3" ``` - "0" "1" "Alsid Forest" "emea.corp" "C-NATIVE-ADM-GROUP-MEMBERS" "critical" "CN=Main Administrators,CN=Users,DC=emea,DC=corp" "1959337" "2" "R-NOT-IN-WHITELIST" "51204253" "AccountCn"="John Doe (Admin Root)" "GroupCn"="Main Administrators" "PrivilegesPath"="CN=Main Administrators,CN=Users,DC=emea,DC=corp" + "0" "1" "Alsid Forest" "test.corp" "C-NATIVE-ADM-GROUP-MEMBERS" "critical" "CN=Main Administrators,CN=Users,DC=test,DC=corp" "1959000" "2" "R-NOT-IN-WHITELIST" "51200000" "AccountCn"="John Doe (Admin Root)" "GroupCn"="Main Administrators" "PrivilegesPath"="CN=Main Administrators,CN=Users,DC=test,DC=corp" ``` 
@@ -124,7 +124,7 @@ In this section, you will find examples of raw logs as generated natively by the === "event_4" ``` - "0" "1" "Alsid Forest" "emea.corp" "C-ADMIN-RESTRICT-AUTH" "high" "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp" "1958033" "2" "R-PRIVUSER-CAN-LOGON-ACROSS-TRUST" "49271575" "UserCn"="John Doe (Admin Root)" "UserDomain"="emea.corp" "PrivilegesPath"="CN=Main Administrators,CN=Users,DC=emea,DC=corp" "ParentContainer"="OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp" + "0" "1" "Alsid Forest" "test.corp" "C-ADMIN-RESTRICT-AUTH" "high" "OU=test_OU,OU=Desktops,OU=Computers,DC=test_DC,DC=corp" "1958000" "2" "R-PRIVUSER-CAN-LOGON-ACROSS-TRUST" "49271000" "UserCn"="John Doe (Admin Root)" "UserDomain"="test.corp" "PrivilegesPath"="CN=Main Administrators,CN=Users,DC=test,DC=corp" "ParentContainer"="OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp" ``` @@ -132,7 +132,7 @@ In this section, you will find examples of raw logs as generated natively by the === "ioe_security_alert1" ``` - "0" "1" "Alsid Forest" "emea.corp" "C-PASSWORD-DONT-EXPIRE" "medium" "CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp" "28" "1" "R-DONT-EXPIRE-SET" "2434" "TrusteeCn"="GustavoFring" + "0" "1" "Alsid Forest" "test.corp" "C-PASSWORD-DONT-EXPIRE" "medium" "CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp" "28" "1" "R-DONT-EXPIRE-SET" "2400" "TrusteeCn"="JohnDoe" ``` @@ -148,7 +148,7 @@ In this section, you will find examples of raw logs as generated natively by the === "ioe_security_alert3" ``` - "0" "1" "Alsid Forest" "emea.corp" "C-PASSWORD-DONT-EXPIRE" "medium" "CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp" "28" "1" "R-DONT-EXPIRE-SET" "2434" + "0" "1" "Alsid Forest" "test.corp" "C-PASSWORD-DONT-EXPIRE" "medium" "CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp" "28" "1" "R-DONT-EXPIRE-SET" "2400" ``` 
@@ -156,7 +156,7 @@ In this section, you will find examples of raw logs as generated natively by the === "ioe_security_alert4" ``` - "0" "1" "Alsid Forest" "emea.corp" "C-PASSWORD-POLICY" "critical" "OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=emea,DC=corp" "28" "2" "R-LOCAL-ACCOUNTS-PWD-INHERITANCE-BLOCKED" "2434" "AttributeName"="inf-system_access-lockoutbadcount" "OuCn"="Packaging" + "0" "1" "Alsid Forest" "test.corp" "C-PASSWORD-POLICY" "critical" "OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=test,DC=corp" "28" "2" "R-LOCAL-ACCOUNTS-PWD-INHERITANCE-BLOCKED" "2434" "AttributeName"="inf-system_access-lockoutbadcount" "OuCn"="Packaging" ``` @@ -165,7 +165,7 @@ In this section, you will find examples of raw logs as generated natively by the === "trailflow_alert1" ``` - "1" "1" "Alsid Forest" "emea.corp" "CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=Emea,DC=corp" "2434" "UAC changed" whenchanged=""2020-01-09T09:24:41.0000000Z"" + "1" "1" "Alsid Forest" "test.corp" "CN=John doe,OU=test_OU,OU=test_OU1,DC=test_DC,DC=corp" "2400" "UAC changed" whenchanged=""2020-01-09T09:24:41.0000000Z"" ``` @@ -173,7 +173,7 @@ In this section, you will find examples of raw logs as generated natively by the === "trailflow_alert2" ``` - "1" "1" "Alsid Forest" "emea.corp" "CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp" "2432" "UAC changed" useraccountcontrol=""DONT_EXPIRE NORMAL "" + "1" "1" "Alsid Forest" "test.corp" "CN=John Doe,OU=test_OU,OU=test_OU2,DC=test_DC,DC=corp" "2400" "UAC changed" useraccountcontrol=""DONT_EXPIRE NORMAL "" ``` 
@@ -181,7 +181,7 @@ In this section, you will find examples of raw logs as generated natively by the === "trailflow_alert3" ``` - "1" "8" "AD.FOOBAR.COM" "AD" "\\AD.FOOBAR.COM\sysvol\AD.FOOBAR.COM\Policies\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\User\Scripts" "7856795" "ACL change" "ntsecuritydescriptor"=""O:S-1-5-21-1519513455-2607746426-5380147357-40655D:AI(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)"" + "1" "8" "AD.TEST.COM" "AD" "\\AD.TEST.COM\sysvol\AD.TEST.COM\Policies\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\User\Scripts" "7856000" "ACL change" "ntsecuritydescriptor"=""O:S-1-5-21-1519513455-2607000000-5380140000-406000:AI(A;OICIID;FA;;;S-1-5-21-1519510000-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)"" ``` @@ -189,7 +189,7 @@ In this section, you will find examples of raw logs as generated natively by the === "trailflow_alert4" ``` - "1" "8" "AD.FOOBAR.COM" "AD" "\\AD.FOOBAR.COM\sysvol\AD.FOOBAR.COM\Policies\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\GPT.INI" "7855399" "New object" "gptini-displayname"=""Nouvel objet Stratégie de groupe"" + "1" "8" "AD.TEST.COM" "AD" "\\AD.TEST.COM\sysvol\AD.TEST.COM\Policies\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\GPT.INI" "7855000" "New object" "gptini-displayname"=""Nouvel objet Stratégie de groupe"" ``` diff --git a/_shared_content/operations_center/integrations/generated/864ade96-a96d-4a0e-ab3d-b7cb7b7db618.md b/_shared_content/operations_center/integrations/generated/864ade96-a96d-4a0e-ab3d-b7cb7b7db618.md index 87d24cf2f9..e0eea4b445 100644 
--- a/_shared_content/operations_center/integrations/generated/864ade96-a96d-4a0e-ab3d-b7cb7b7db618.md
+++ b/_shared_content/operations_center/integrations/generated/864ade96-a96d-4a0e-ab3d-b7cb7b7db618.md
@@ -142,6 +142,868 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "query_log_dhcp_1.json" + + ```json + + { + "message": "Option 82: received a REQUEST DHCP packet from relay-agent eth2 with a circuit-id of \"1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0\", a remote-id of \"0a:44:70:46\" for 192.168.1.222 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)", + "event": { + "action": "REQUEST DHCP", + "reason": "lease time is undefined seconds. (NEW)" + }, + "dns": { + "header_flags": [], + "type": "query" + }, + "infoblox": { + "dhcp": { + "circuit_id": "1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0" + } + }, + "related": { + "ip": [ + "192.168.1.222" + ] + }, + "source": { + "address": "192.168.1.222", + "ip": "192.168.1.222", + "mac": "00:50:56:ae:b3:44" + } + } + + ``` + + +=== "query_log_dhcp_2.json" + + ```json + + { + "message": "Option 82: received a REQUEST DHCP packet from relay-agent 192.168.1.53 with a circuit-id of \"1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0\", a remote-id of \"0a:44:70:46\" for 192.168.1.53 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)", + "event": { + "action": "REQUEST DHCP", + "reason": "lease time is undefined seconds. 
(NEW)" + }, + "dns": { + "header_flags": [], + "type": "query" + }, + "infoblox": { + "dhcp": { + "circuit_id": "1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0" + } + }, + "related": { + "ip": [ + "192.168.1.53" + ] + }, + "source": { + "address": "192.168.1.53", + "ip": "192.168.1.53", + "mac": "00:50:56:ae:b3:44" + } + } + + ``` + + +=== "query_log_dhcp_3.json" + + ```json + + { + "message": "DHCPREQUEST for 192.168.1.107 from e8:c8:29:5c:c8:99 via 192.168.1.107 TransID 80b994d6", + "event": { + "action": "DHCPREQUEST" + }, + "dns": { + "header_flags": [], + "type": "query" + }, + "infoblox": { + "dhcp": { + "interface_ip": "192.168.1.107", + "trans_id": "80b994d6" + } + }, + "related": { + "ip": [ + "192.168.1.107" + ] + }, + "source": { + "address": "192.168.1.107", + "ip": "192.168.1.107", + "mac": "e8:c8:29:5c:c8:99" + } + } + + ``` + + +=== "query_log_dhcp_4.json" + + ```json + + { + "message": "DHCPREQUEST for 192.168.1.208 from 00:50:56:ae:17:c6 (VDPSCE080019) via eth2 TransID 823c1fa3 uid 01:00:50:56:ae:17:c6 (RENEW)", + "event": { + "action": "DHCPREQUEST", + "reason": "RENEW" + }, + "dns": { + "header_flags": [], + "type": "query" + }, + "infoblox": { + "dhcp": { + "trans_id": "823c1fa3" + } + }, + "observer": { + "ingress": { + "interface": { + "name": "eth2" + } + } + }, + "related": { + "ip": [ + "192.168.1.208" + ] + }, + "source": { + "address": "192.168.1.208", + "ip": "192.168.1.208", + "mac": "00:50:56:ae:17:c6" + } + } + + ``` + + +=== "query_log_dhcp_5.json" + + ```json + + { + "message": "DHCPREQUEST for 192.168.1.95 (192.168.1.95) from d8:94:03:ec:da:d1 via 192.168.1.95 TransID ac1b72c4: lease 192.168.1.95 unavailable.", + "event": { + "action": "DHCPREQUEST", + "reason": "lease 192.168.1.95 unavailable." 
+ }, + "dns": { + "header_flags": [], + "type": "query" + }, + "infoblox": { + "dhcp": { + "interface_ip": "192.168.1.95", + "router_ip": "192.168.1.95", + "trans_id": "ac1b72c4" + } + }, + "related": { + "ip": [ + "192.168.1.95" + ] + }, + "source": { + "address": "192.168.1.95", + "ip": "192.168.1.95", + "mac": "d8:94:03:ec:da:d1" + } + } + + ``` + + +=== "query_log_dhcp_6.json" + + ```json + + { + "message": "DHCPREQUEST for 192.168.1.159 from c8:09:a8:f8:cd:e8 via 192.168.1.159 TransID e711c0c1: ignored (unknown subnet).", + "event": { + "action": "DHCPREQUEST", + "reason": "ignored (unknown subnet)." + }, + "dns": { + "header_flags": [], + "type": "query" + }, + "infoblox": { + "dhcp": { + "interface_ip": "192.168.1.159", + "trans_id": "e711c0c1" + } + }, + "related": { + "ip": [ + "192.168.1.159" + ] + }, + "source": { + "address": "192.168.1.159", + "ip": "192.168.1.159", + "mac": "c8:09:a8:f8:cd:e8" + } + } + + ``` + + +=== "query_log_dhcp_7.json" + + ```json + + { + "message": "DHCPACK on 192.168.1.138 to 08:71:90:8d:0b:5d (P70955) via eth2 relay 192.168.1.138 lease-duration 172800", + "event": { + "action": "DHCPACK" + }, + "dns": { + "header_flags": [], + "type": "query" + }, + "observer": { + "ingress": { + "interface": { + "name": "eth2" + } + } + }, + "related": { + "ip": [ + "192.168.1.138" + ] + }, + "source": { + "address": "192.168.1.138", + "ip": "192.168.1.138", + "mac": "08:71:90:8d:0b:5d" + } + } + + ``` + + +=== "query_log_dhcp_8.json" + + ```json + + { + "message": "r-l-e:192.168.1.113,Fixed,P76984,c4:d0:e3:b4:08:4d,1732119022,1732291822,,$", + "dns": { + "header_flags": [], + "type": "query" + }, + "infoblox": { + "ddi": { + "category": "Fixed" + } + }, + "related": { + "ip": [ + "192.168.1.113" + ] + }, + "source": { + "address": "192.168.1.113", + "ip": "192.168.1.113", + "mac": "c4:d0:e3:b4:08:4d" + } + } + + ``` + + +=== "query_log_dns_1.json" + + ```json + + { + "message": "FORMERR resolving 'test.testing.io/AAAA/IN': 
192.168.1.136#53", + "event": { + "action": "FORMERR" + }, + "destination": { + "address": "192.168.1.136", + "ip": "192.168.1.136", + "port": 53 + }, + "dns": { + "header_flags": [], + "question": { + "class": "IN", + "name": "test.testing.io", + "registered_domain": "testing.io", + "subdomain": "test", + "top_level_domain": "io", + "type": "AAAA" + }, + "type": "query" + }, + "related": { + "hosts": [ + "test.testing.io" + ], + "ip": [ + "192.168.1.136" + ] + } + } + + ``` + + +=== "query_log_dns_2.json" + + ```json + + { + "message": "client 192.168.1.1#1130: UDP: query: test.io IN A response: NXDOMAIN +", + "dns": { + "header_flags": [], + "question": { + "class": "IN", + "name": "test.io", + "registered_domain": "test.io", + "top_level_domain": "io", + "type": "A" + }, + "response_code": "NXDOMAIN", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "test.io" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 1130 + } + } + + ``` + + +=== "query_log_dns_3.json" + + ```json + + { + "message": "client 192.168.1.1#12337: UDP: query: test.org IN A response: NXDOMAIN +AE", + "dns": { + "header_flags": [], + "question": { + "class": "IN", + "name": "test.org", + "registered_domain": "test.org", + "top_level_domain": "org", + "type": "A" + }, + "response_code": "NXDOMAIN", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "test.org" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 12337 + } + } + + ``` + + +=== "query_log_dns_4.json" + + ```json + + { + "message": "client 192.168.1.1#37188: UDP: query: _ldap._tcp.test.test.net IN SRV response: NXDOMAIN +A", + "dns": { + "header_flags": [], + "question": { + "class": "IN", + "name": "_ldap._tcp.test.test.net", + "registered_domain": "test.net", + "subdomain": "_ldap._tcp.test", + "top_level_domain": 
"net", + "type": "SRV" + }, + "response_code": "NXDOMAIN", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "_ldap._tcp.test.test.net" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 37188 + } + } + + ``` + + +=== "query_log_dns_5.json" + + ```json + + { + "message": "client 192.168.1.1#37521: UDP: query: test.test.io IN AAAA response: NOERROR +A test.test.io. 86400 IN CNAME test.test.io.", + "dns": { + "answers": [ + { + "class": "IN", + "data": "test.test.io.", + "name": "test.test.io.", + "ttl": 86400, + "type": "CNAME" + } + ], + "header_flags": [], + "question": { + "class": "IN", + "name": "test.test.io", + "registered_domain": "test.io", + "subdomain": "test", + "top_level_domain": "io", + "type": "AAAA" + }, + "response_code": "NOERROR", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "test.test.io" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 37521 + } + } + + ``` + + +=== "query_log_dns_6.json" + + ```json + + { + "message": "client 192.168.1.1#40432: UDP: query: test.test.org IN A response: NOERROR + test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 
365 IN A 192.168.1.1", + "dns": { + "answers": [ + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.test.org.", + "ttl": 365, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.test.org.", + "ttl": 365, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.test.org.", + "ttl": 365, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.test.org.", + "ttl": 365, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.test.org.", + "ttl": 365, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.test.org.", + "ttl": 365, + "type": "A" + } + ], + "header_flags": [], + "question": { + "class": "IN", + "name": "test.test.org", + "registered_domain": "test.org", + "subdomain": "test", + "top_level_domain": "org", + "type": "A" + }, + "response_code": "NOERROR", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "test.test.org" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 40432 + } + } + + ``` + + +=== "query_log_dns_7.json" + + ```json + + { + "message": "client 192.168.1.1#49943: UDP: query: test.dev IN A response: NOERROR + test.dev. 11720 IN CNAME test.dev.; thmwh.l46l2i c8.c3r2fb7.81hxxxxxx.dev. 67 IN CNAME test.dev.; test.dev. 52 IN CNAME test.dev.; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; th mwh.xxxxxxxx.c3r2fb7.81hxxxxxx.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; thmwh.xxxxxxxx.c3r2fb7.81h xxxxxx.dev. 
235 IN A 192.168.1.1;", + "dns": { + "answers": [ + { + "class": "IN", + "data": "test.dev.", + "name": "test.dev.", + "ttl": 11720, + "type": "CNAME" + }, + { + "class": "IN", + "data": "test.dev.", + "name": "c8.c3r2fb7.81hxxxxxx.dev.", + "ttl": 67, + "type": "CNAME" + }, + { + "class": "IN", + "data": "test.dev.", + "name": "test.dev.", + "ttl": 52, + "type": "CNAME" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "mwh.xxxxxxxx.c3r2fb7.81hxxxxxx.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "xxxxxx.dev.", + "ttl": 235, + "type": "A" + } + ], + "header_flags": [], + "question": { + "class": "IN", + "name": "test.dev", + "registered_domain": "test.dev", + "top_level_domain": "dev", + "type": "A" + }, + "response_code": "NOERROR", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "test.dev" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 49943 + } + } + + ``` + + +=== "query_log_dns_8.json" + + ```json + + { + "message": "28-Nov-2024 15:26:27.498 client 1.2.3.4#36615: UDP: query: PD2LORA2.enim.l2 IN A response: NOERROR +A test.dev. 
3600 IN A 10.56.12.201;", + "@timestamp": "2024-11-28T15:26:27.498000Z", + "dns": { + "answers": [ + { + "class": "IN", + "data": "10.56.12.201", + "name": "test.dev.", + "ttl": 3600, + "type": "A" + } + ], + "header_flags": [], + "question": { + "class": "IN", + "name": "PD2LORA2.enim.l2", + "subdomain": "PD2LORA2.enim", + "type": "A" + }, + "response_code": "NOERROR", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "PD2LORA2.enim.l2" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 36615 + } + } + + ``` + + +=== "query_log_dns_9.json" + + ```json + + { + "message": "28-Nov-2024 15:26:27.359 client 1.2.3.4#63175: UDP: query: www.bing.com IN A response: NOERROR + www.bing.com. 7072 IN CNAME www-www.bing.com.trafficmanager.net.; www-www.bing.com.trafficmanager.net. 56 IN CNAME www.bing.com.edgekey.net.; www.bing.com.edgekey.net. 7154 IN CNAME e86303.test.xxxxx.net.; e86303.test.xxxxx.net. 17 IN A 1.2.3.181; e86303.test.xxxxx.net. 17 IN A 1.2.3.173; e86303.test.xxxxx.net. 17 IN A 1.2.3.184; e86303.test.xxxxx.net. 17 IN A 1.2.3.185; e86303.test.xxxxx.net. 17 IN A 1.2.3.174; e86303.test.xxxxx.net. 17 IN A 1.2.3.183; e86303.test.xxxxx.net. 17 IN A 1.2.3.177; e86303.test.xxxxx.net. 17 IN A 1.2.3.179; e86303.test.xxxxx.net. 
17 IN A 1.2.3.175;", + "@timestamp": "2024-11-28T15:26:27.359000Z", + "dns": { + "answers": [ + { + "class": "IN", + "data": "www-www.bing.com.trafficmanager.net.", + "name": "www.bing.com.", + "ttl": 7072, + "type": "CNAME" + }, + { + "class": "IN", + "data": "www.bing.com.edgekey.net.", + "name": "www-www.bing.com.trafficmanager.net.", + "ttl": 56, + "type": "CNAME" + }, + { + "class": "IN", + "data": "e86303.test.xxxxx.net.", + "name": "www.bing.com.edgekey.net.", + "ttl": 7154, + "type": "CNAME" + }, + { + "class": "IN", + "data": "1.2.3.181", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.173", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.184", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.185", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.174", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.183", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.177", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.179", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.175", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + } + ], + "header_flags": [], + "question": { + "class": "IN", + "name": "www.bing.com", + "registered_domain": "bing.com", + "subdomain": "www", + "top_level_domain": "com", + "type": "A" + }, + "response_code": "NOERROR", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "www.bing.com" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 63175 + } + } + + ``` + + === 
"query_log_dnssec.json"
 ```json
@@ -343,14 +1205,28 @@ The following table lists the fields that are extracted, normalized under the EC
 | Name | Type | Description |
 | ---- | ---- | ---------------------------|
+|`@timestamp` | `date` | Date/time when the event originated. |
+|`destination.ip` | `ip` | IP address of the destination. |
+|`destination.port` | `long` | Port of the destination. |
+|`dns.answers` | `object` | Array of DNS answers. |
 |`dns.header_flags` | `keyword` | Array of DNS header flags. |
 |`dns.question.class` | `keyword` | The class of records being queried. |
 |`dns.question.name` | `keyword` | The name being queried. |
 |`dns.question.type` | `keyword` | The type of record being queried. |
+|`dns.response_code` | `keyword` | The DNS response code. |
 |`dns.type` | `keyword` | The type of DNS event captured, query or answer. |
+|`event.action` | `keyword` | The action captured by the event. |
+|`event.reason` | `keyword` | Reason why this event happened, according to the source |
 |`infoblox.ddi.category` | `keyword` | The logging category of this event. |
+|`infoblox.dhcp.circuit_id` | `keyword` | The circuit ID. |
+|`infoblox.dhcp.interface_ip` | `ip` | The IP address of the interface. |
+|`infoblox.dhcp.lease_time` | `keyword` | The lease time. |
+|`infoblox.dhcp.router_ip` | `ip` | The IP address of the router. |
+|`infoblox.dhcp.trans_id` | `keyword` | The transaction ID. |
 |`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. |
+|`observer.ingress.interface.name` | `keyword` | Interface name |
 |`source.ip` | `ip` | IP address of the source. |
+|`source.mac` | `keyword` | MAC address of the source. |
 |`source.port` | `long` | Port of the source. |
diff --git a/_shared_content/operations_center/integrations/generated/864ade96-a96d-4a0e-ab3d-b7cb7b7db618_sample.md b/_shared_content/operations_center/integrations/generated/864ade96-a96d-4a0e-ab3d-b7cb7b7db618_sample.md
index a24dd1062d..cee7eba8d5 100644
--- a/_shared_content/operations_center/integrations/generated/864ade96-a96d-4a0e-ab3d-b7cb7b7db618_sample.md
+++ b/_shared_content/operations_center/integrations/generated/864ade96-a96d-4a0e-ab3d-b7cb7b7db618_sample.md
@@ -28,6 +28,142 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "query_log_dhcp_1"
+
+ ```
+ Option 82: received a REQUEST DHCP packet from relay-agent eth2 with a circuit-id of "1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0", a remote-id of "0a:44:70:46" for 192.168.1.222 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)
+ ```
+
+
+
+=== "query_log_dhcp_2"
+
+ ```
+ Option 82: received a REQUEST DHCP packet from relay-agent 192.168.1.53 with a circuit-id of "1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0", a remote-id of "0a:44:70:46" for 192.168.1.53 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)
+ ```
+
+
+
+=== "query_log_dhcp_3"
+
+ ```
+ DHCPREQUEST for 192.168.1.107 from e8:c8:29:5c:c8:99 via 192.168.1.107 TransID 80b994d6
+ ```
+
+
+
+=== "query_log_dhcp_4"
+
+ ```
+ DHCPREQUEST for 192.168.1.208 from 00:50:56:ae:17:c6 (VDPSCE080019) via eth2 TransID 823c1fa3 uid 01:00:50:56:ae:17:c6 (RENEW)
+ ```
+
+
+
+=== "query_log_dhcp_5"
+
+ ```
+ DHCPREQUEST for 192.168.1.95 (192.168.1.95) from d8:94:03:ec:da:d1 via 192.168.1.95 TransID ac1b72c4: lease 192.168.1.95 unavailable.
+ ```
+
+
+
+=== "query_log_dhcp_6"
+
+ ```
+ DHCPREQUEST for 192.168.1.159 from c8:09:a8:f8:cd:e8 via 192.168.1.159 TransID e711c0c1: ignored (unknown subnet).
+ ```
+
+
+
+=== "query_log_dhcp_7"
+
+ ```
+ DHCPACK on 192.168.1.138 to 08:71:90:8d:0b:5d (P70955) via eth2 relay 192.168.1.138 lease-duration 172800
+ ```
+
+
+
+=== "query_log_dhcp_8"
+
+ ```
+ r-l-e:192.168.1.113,Fixed,P76984,c4:d0:e3:b4:08:4d,1732119022,1732291822,,$
+ ```
+
+
+
+=== "query_log_dns_1"
+
+ ```
+ FORMERR resolving 'test.testing.io/AAAA/IN': 192.168.1.136#53
+ ```
+
+
+
+=== "query_log_dns_2"
+
+ ```
+ client 192.168.1.1#1130: UDP: query: test.io IN A response: NXDOMAIN +
+ ```
+
+
+
+=== "query_log_dns_3"
+
+ ```
+ client 192.168.1.1#12337: UDP: query: test.org IN A response: NXDOMAIN +AE
+ ```
+
+
+
+=== "query_log_dns_4"
+
+ ```
+ client 192.168.1.1#37188: UDP: query: _ldap._tcp.test.test.net IN SRV response: NXDOMAIN +A
+ ```
+
+
+
+=== "query_log_dns_5"
+
+ ```
+ client 192.168.1.1#37521: UDP: query: test.test.io IN AAAA response: NOERROR +A test.test.io. 86400 IN CNAME test.test.io.
+ ```
+
+
+
+=== "query_log_dns_6"
+
+ ```
+ client 192.168.1.1#40432: UDP: query: test.test.org IN A response: NOERROR + test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1
+ ```
+
+
+
+=== "query_log_dns_7"
+
+ ```
+ client 192.168.1.1#49943: UDP: query: test.dev IN A response: NOERROR + test.dev. 11720 IN CNAME test.dev.; thmwh.l46l2i c8.c3r2fb7.81hxxxxxx.dev. 67 IN CNAME test.dev.; test.dev. 52 IN CNAME test.dev.; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; th mwh.xxxxxxxx.c3r2fb7.81hxxxxxx.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; thmwh.xxxxxxxx.c3r2fb7.81h xxxxxx.dev. 235 IN A 192.168.1.1;
+ ```
+
+
+
+=== "query_log_dns_8"
+
+ ```
+ 28-Nov-2024 15:26:27.498 client 1.2.3.4#36615: UDP: query: PD2LORA2.enim.l2 IN A response: NOERROR +A test.dev.
3600 IN A 10.56.12.201;
+ ```
+
+
+
+=== "query_log_dns_9"
+
+ ```
+ 28-Nov-2024 15:26:27.359 client 1.2.3.4#63175: UDP: query: www.bing.com IN A response: NOERROR + www.bing.com. 7072 IN CNAME www-www.bing.com.trafficmanager.net.; www-www.bing.com.trafficmanager.net. 56 IN CNAME www.bing.com.edgekey.net.; www.bing.com.edgekey.net. 7154 IN CNAME e86303.test.xxxxx.net.; e86303.test.xxxxx.net. 17 IN A 1.2.3.181; e86303.test.xxxxx.net. 17 IN A 1.2.3.173; e86303.test.xxxxx.net. 17 IN A 1.2.3.184; e86303.test.xxxxx.net. 17 IN A 1.2.3.185; e86303.test.xxxxx.net. 17 IN A 1.2.3.174; e86303.test.xxxxx.net. 17 IN A 1.2.3.183; e86303.test.xxxxx.net. 17 IN A 1.2.3.177; e86303.test.xxxxx.net. 17 IN A 1.2.3.179; e86303.test.xxxxx.net. 17 IN A 1.2.3.175;
+ ```
+
+
+
+
 === "query_log_dnssec"
 ```
diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md
index a8f145896b..4d8b03e98f 100644
--- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md
+++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md
@@ -3418,6 +3418,77 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ```
+=== "test_system_event_13.json"
+
+ ```json
+
+ {
+ "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00",
+ "event": {
+ "category": [
+ "authentication"
+ ],
+ "dataset": "system",
+ "reason": "When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'",
+ "type": [
+ "start"
+ ]
+ },
+ "@timestamp": "2024-11-26T21:10:01.627000Z",
+ "action": {
+ "name": "auth-success",
+ "type": "auth"
+ },
+ "destination": {
+ "address": "1.7.4.2",
+ "ip": "1.7.4.2"
+ },
+ "log": {
+ "hostname": "FWPAN00",
+ "level": "informational",
+ "logger": "system"
+ },
+ "observer": {
+ "name": "FWPAN00",
+ "product": "PAN-OS",
+ "serial_number": "02410100000000"
+ },
+ "paloalto": {
+ "DGHierarchyLevel1": "0",
+ "DGHierarchyLevel2": "0",
+ "DGHierarchyLevel3": "0",
+ "DGHierarchyLevel4": "0",
+ "EventID": "auth-success",
+ "Threat_ContentType": "auth",
+ "authetification": {
+ "profile": "FWPA"
+ },
+ "server": {
+ "profile": "RADIUS_RSA"
+ },
+ "vsys": "shared"
+ },
+ "related": {
+ "ip": [
+ "1.2.5.5",
+ "1.7.4.2"
+ ],
+ "user": [
+ "test000555"
+ ]
+ },
+ "source": {
+ "address": "1.2.5.5",
+ "ip": "1.2.5.5"
+ },
+ "user": {
+ "name": "test000555"
+ }
+ }
+
+ ```
+
+
+
 === "test_system_event_1_json.json"
 ```json
diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md
index 205c3e9e66..c7766c3533 100644
--- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md
+++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md
@@ -1379,6 +1379,15 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "test_system_event_13"
+
+
+ ```json
+ 1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00
+ ```
+
+
+
 === "test_system_event_1_json"
diff --git a/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md b/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md
index 02b4aef948..01ab57aef7 100644
--- a/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md
+++ b/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md
@@ -191,6 +191,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "type": "CUSTOM_RULE"
 },
+ "host": {
+ "id": "-576002811.1198775089551518743",
+ "is_isolated": false,
+ "is_online": true
+ },
 "id": "11.-6654920844431693523",
 "is_edr": "true",
 "modified_at": "2022-11-20T12:02:17.625000Z",
@@ -200,7 +205,17 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "type": "Process"
 },
 "severity": "High",
- "status": "Active"
+ "status": "Active",
+ "user": {
+ "id": "0.2548072792133848559",
+ "is_admin": true
+ }
+ }
+ },
+ "host": {
+ "name": "win-cybereason",
+ "os": {
+ "type": "windows"
 }
 },
 "observer": {
@@ -209,6 +224,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "process": {
 "name": "cymulateagent.exe"
+ },
+ "related": {
+ "user": [
+ "administrator"
+ ]
+ },
+ "user": {
+ "domain": "win-cybereason",
+ "name": "administrator"
 }
 }
@@ -241,6 +265,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "type": "KNOWN_MALWARE"
 },
+ "host": {
+ "id": "-576002811.1198775089551518743",
+ "is_isolated": false,
+ "is_online": false
+ },
 "id": "11.7498520112250262440",
 "is_edr": "false",
 "modified_at": "2022-11-14T02:19:45.000000Z",
@@ -250,7 +279,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "type": "File"
 },
 "severity": "Low",
- "status": "Closed"
+ "status": "Closed",
+ "user": {
+ "id": "0.2548072792133848559",
+ "is_admin": false
+ }
 }
 },
 "file": {
@@ -259,6 +292,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "name": "kprocesshacker.sys"
 },
+ "host": {
+ "domain": "desktop-aaaaaa.example.org",
+ "name": "desktop-aaaaaa",
+ "os": {
+ "type": "windows"
+ }
+ },
 "observer": {
 "product": "Cybereason",
 "vendor": "Cybereason"
@@ -266,7 +306,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "related": {
 "hash": [
 "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc"
+ ],
+ "user": [
+ "system"
 ]
+ },
+ "user": {
+ "domain": "desktop-aaaaa",
+ "name": "system"
 }
 }
diff --git a/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md
index 06d47b1885..ba28ee230d 100644
--- a/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md
+++ b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md
@@ -29,6 +29,454 @@ In details, the following table denotes the type of events produced by this inte This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. +=== "generated_file_remediation_activity_1.json" + + ```json + + { + "message": "{\"status\": \"Does Not Exist\", \"time\": 1731328594225, \"file\": {\"name\": \"html.pkg\", \"type\": \"Local Socket\", \"version\": \"1.3.0\", \"path\": \"canyon upgrading wool/marco.fla/html.pkg\", \"ext\": \"honest borough graduated\", \"type_id\": 5, \"mime_type\": \"pr/anything\", \"parent_folder\": \"canyon upgrading wool/marco.fla\", \"confidentiality\": \"prisoner fought submission\", \"hashes\": [{\"value\": \"BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"older bangladesh caused\", \"version\": \"1.3.0\", \"lang\": \"en\", \"cpe_name\": \"m ryan proof\", \"url_string\": \"web\", \"vendor_name\": \"directed villas incorrect\"}, \"labels\": [\"range\", \"mild\"], \"profiles\": [], \"event_code\": \"ethnic\", \"log_name\": \"wisconsin scenes croatia\", \"log_provider\": \"consolidated month mil\", \"logged_time\": 1731328594209, \"loggers\": [{\"name\": \"generated dale subsection\", \"version\": \"1.3.0\", \"device\": {\"owner\": {\"name\": \"Chapter\", \"type\": \"User\", \"uid\": \"95fb04dc-a029-11ef-9566-0242ac110007\", \"type_id\": 1, \"risk_level\": 
\"Info\", \"risk_level_id\": 0}, \"type\": \"IOT\", \"os\": {\"name\": \"polls knew problem\", \"type\": \"Windows\", \"type_id\": 100, \"cpe_name\": \"architects letting hay\"}, \"desc\": \"tradition automated mysql\", \"hostname\": \"meters.edu\", \"uid\": \"95faf0a0-a029-11ef-a3c0-0242ac110007\", \"image\": {\"name\": \"ace tracy webshots\", \"path\": \"joined also europe\", \"uid\": \"95fbbb16-a029-11ef-9965-0242ac110007\"}, \"groups\": [{\"uid\": \"95faa5fa-a029-11ef-b64e-0242ac110007\"}], \"type_id\": 7, \"imei\": \"summary ieee rated\", \"interface_name\": \"marsh shopper guides\", \"interface_uid\": \"95fa9074-a029-11ef-931d-0242ac110007\", \"region\": \"accepting sword tab\", \"risk_level\": \"High\", \"risk_level_id\": 3, \"risk_score\": 4, \"zone\": \"ability footage nt\"}, \"product\": {\"name\": \"quote licence channel\", \"version\": \"1.3.0\", \"uid\": \"95fc351e-a029-11ef-87b2-0242ac110007\", \"feature\": {\"name\": \"adequate drainage dear\", \"version\": \"1.3.0\", \"uid\": \"95fc4cd4-a029-11ef-9a35-0242ac110007\"}, \"url_string\": \"makes\", \"vendor_name\": \"hybrid licensing faster\"}, \"uid\": \"95fc5602-a029-11ef-9902-0242ac110007\", \"log_name\": \"vegas cave greatly\", \"log_provider\": \"ieee cancer pharmaceuticals\", \"logged_time\": 1731328594222}, {\"name\": \"hostels given kill\", \"version\": \"1.3.0\", \"product\": {\"name\": \"css ks demonstrate\", \"version\": \"1.3.0\", \"uid\": \"95fc6b06-a029-11ef-b5a5-0242ac110007\", \"lang\": \"en\", \"url_string\": \"alternatives\", \"vendor_name\": \"television preventing blades\"}, \"uid\": \"95fc72c2-a029-11ef-994a-0242ac110007\", \"log_provider\": \"alignment free mines\", \"logged_time\": 1731328594222}], \"original_time\": \"drill blogs lemon\", \"processed_time\": 1731328594222, \"tenant_uid\": \"95fc7d12-a029-11ef-bfaa-0242ac110007\"}, \"severity\": \"illustrations\", \"duration\": 559843632, \"category_uid\": 7, \"activity_id\": 2, \"type_uid\": 700202, \"type_name\": \"File 
Remediation Activity: Evict\", \"observables\": [{\"name\": \"chen architects purchased\", \"type\": \"File\", \"type_id\": 24}, {\"name\": \"controlling sublime bp\", \"type\": \"URL String\", \"type_id\": 6}], \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"timezone_offset\": 58, \"activity_name\": \"Evict\", \"command_uid\": \"95fcdc6c-a029-11ef-acb7-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"95fc9ff4-a029-11ef-8605-0242ac110007\"}, \"d3f_technique\": {\"name\": \"determine wanting pursuant\"}}, {\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"95fcb016-a029-11ef-9ed4-0242ac110007\"}, \"d3f_technique\": {\"name\": \"cw drama their\", \"uid\": \"95fcbd7c-a029-11ef-ba3c-0242ac110007\", \"src_url\": \"organize\"}}], \"enrichments\": [{\"data\": \"cluster\", \"name\": \"settlement ia sega\", \"type\": \"surfaces registrar sizes\", \"value\": \"seq excuse nearest\", \"created_time\": 1731328594225, \"provider\": \"lesson prev champion\", \"reputation\": {\"base_score\": 15.2963, \"provider\": \"northern prep older\", \"score\": \"May not be Safe\", \"score_id\": 5}, \"short_desc\": \"travel glasses agencies\", \"src_url\": \"fly\"}, {\"data\": \"mpegs\", \"name\": \"mentor glasgow mistress\", \"type\": \"email newest household\", \"value\": \"vpn tape med\", \"created_time\": 1731328594225, \"short_desc\": \"anything fatty capital\", \"src_url\": \"saint\"}], \"severity_id\": 99, \"status_detail\": \"mistake schedule propecia\", \"status_id\": 3}", + "event": { + "action": "evict", + "category": [], + "code": "ethnic", + "duration": 559843632000000, + "provider": "consolidated month mil", + "severity": 99, + "type": [] + }, + "@timestamp": "2024-11-11T12:36:34.225000Z", + "file": { + "directory": "canyon upgrading wool/marco.fla", + "hash": { + "ssdeep": 
"BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878" + }, + "mime_type": "pr/anything", + "name": "html.pkg", + "path": "canyon upgrading wool/marco.fla/html.pkg", + "type": "Local Socket" + }, + "ocsf": { + "activity_id": 2, + "activity_name": "Evict", + "class_name": "File Remediation Activity", + "class_uid": 7002 + }, + "related": { + "hash": [ + "BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878" + ] + } + } + + ``` + + +=== "generated_file_remediation_activity_2.json" + + ```json + + { + "message": "{\"message\": \"oils tissue non\", \"status\": \"bottle threads desktop\", \"time\": 1731328621430, \"file\": {\"attributes\": 77, \"name\": \"panama.jsp\", \"type\": \"Unknown\", \"version\": \"1.3.0\", \"path\": \"sage petite tracy/supplement.deskthemepack/panama.jsp\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"issuer\": \"shaw further heaven\", \"fingerprints\": [{\"value\": \"25CF2FBFB6A4C58B9886BFD82A9D9D32976450F5B95B193B1F8F91071FCE9032\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1731328621426, \"expiration_time\": 1731328621426, \"serial_number\": \"museum every fa\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"desc\": \"sims faculty argue\", \"uid\": \"a6338964-a029-11ef-9cb6-0242ac110007\", \"type_id\": 0, \"parent_folder\": \"sage petite tracy/supplement.deskthemepack\", \"accessed_time\": 1731328621427, \"hashes\": [{\"value\": \"1051E22C1288CD1DD4B35D7D119F9D9E764B37C2050E8086C3F8AADBE48E8459\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"2A598E60AFB25F3005C1949A4AE28E75A5E24C34375D709852748D46D50E19DBF4AD93722613E77084B214B0C8F931F2EFF7B1AA9AF17B97F3D50770D0C328DB\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"extension\": 
{\"name\": \"determine italia plenty\", \"version\": \"1.3.0\", \"uid\": \"a6331254-a029-11ef-a2ea-0242ac110007\"}, \"product\": {\"name\": \"board actor feels\", \"version\": \"1.3.0\", \"uid\": \"a6334788-a029-11ef-8ba2-0242ac110007\", \"vendor_name\": \"resume himself vitamin\"}, \"uid\": \"a63350e8-a029-11ef-91d8-0242ac110007\", \"profiles\": [], \"correlation_uid\": \"a63357c8-a029-11ef-a1d1-0242ac110007\", \"log_name\": \"movements amazing murphy\", \"log_provider\": \"suggests assure sacred\", \"original_time\": \"narrative shed quit\", \"tenant_uid\": \"a63361a0-a029-11ef-b41a-0242ac110007\"}, \"severity\": \"Medium\", \"category_uid\": 7, \"activity_id\": 4, \"type_uid\": 700204, \"type_name\": \"File Remediation Activity: Harden\", \"observables\": [{\"name\": \"font earlier construction\", \"type\": \"Hash\", \"type_id\": 8}, {\"name\": \"outdoors de otherwise\", \"type\": \"Unknown\", \"type_id\": 0}], \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"timezone_offset\": 94, \"activity_name\": \"Harden\", \"command_uid\": \"a6340542-a029-11ef-ab83-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a633df68-a029-11ef-b6df-0242ac110007\"}, \"d3f_technique\": {\"name\": \"tgp adrian reject\", \"uid\": \"a633ef26-a029-11ef-ae66-0242ac110007\", \"src_url\": \"productions\"}}], \"severity_id\": 3, \"status_code\": \"lover\", \"status_detail\": \"declared chassis nominations\"}", + "event": { + "action": "harden", + "category": [], + "provider": "suggests assure sacred", + "reason": "oils tissue non", + "severity": 3, + "type": [] + }, + "@timestamp": "2024-11-11T12:37:01.430000Z", + "file": { + "accessed": "2024-11-11T12:37:01.427000Z", + "directory": "sage petite tracy/supplement.deskthemepack", + "inode": "a6338964-a029-11ef-9cb6-0242ac110007", + "name": "panama.jsp", + "path": "sage petite tracy/supplement.deskthemepack/panama.jsp", + "type": "Unknown", + "x509": 
{ + "issuer": { + "distinguished_name": "shaw further heaven" + }, + "not_after": "2024-11-11T12:37:01.426000Z", + "serial_number": "museum every fa", + "version_number": "1.3.0" + } + }, + "ocsf": { + "activity_id": 4, + "activity_name": "Harden", + "class_name": "File Remediation Activity", + "class_uid": 7002 + } + } + + ``` + + +=== "generated_file_remediation_activity_3.json" + + ```json + + { + "message": "{\"message\": \"baker testimonials approx\", \"status\": \"Error\", \"time\": 1731328627583, \"file\": {\"attributes\": 65, \"name\": \"brazilian.tar.gz\", \"owner\": {\"name\": \"Enrolled\", \"type\": \"Unknown\", \"uid\": \"a9de1552-a029-11ef-9be5-0242ac110007\", \"type_id\": 0, \"credential_uid\": \"a9de21c8-a029-11ef-a4ce-0242ac110007\", \"uid_alt\": \"camel license fl\"}, \"type\": \"Regular File\", \"path\": \"violin economic czech/regular.accdb/brazilian.tar.gz\", \"product\": {\"name\": \"just philippines startup\", \"version\": \"1.3.0\", \"uid\": \"a9de4ec8-a029-11ef-96ee-0242ac110007\", \"feature\": {\"name\": \"metro municipality egypt\", \"version\": \"1.3.0\", \"uid\": \"a9de59f4-a029-11ef-8d34-0242ac110007\"}, \"cpe_name\": \"highly os treated\", \"vendor_name\": \"candidates etc beverage\"}, \"ext\": \"labels oriental websites\", \"type_id\": 1, \"creator\": {\"name\": \"Templates\", \"uid\": \"a9deb516-a029-11ef-8430-0242ac110007\", \"org\": {\"name\": \"welfare philip fathers\", \"uid\": \"a9dec100-a029-11ef-986c-0242ac110007\", \"ou_name\": \"threat supporting pension\"}, \"email_addr\": \"Tabetha@programmers.arpa\"}, \"mime_type\": \"agree/diego\", \"parent_folder\": \"violin economic czech/regular.accdb\", \"hashes\": [{\"value\": \"23BF00BD8ADB4469651EB5D5C47027D49C53BB2D\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"4F80D2DFFF57658A1076FF2F74282A97BB0B6574\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"conventional indexes 
merit\", \"version\": \"1.3.0\", \"uid\": \"a9dc7224-a029-11ef-ae98-0242ac110007\"}, \"product\": {\"name\": \"zimbabwe meals purchase\", \"version\": \"1.3.0\", \"uid\": \"a9dcfdac-a029-11ef-aa8a-0242ac110007\", \"vendor_name\": \"status hole consider\"}, \"profiles\": [], \"log_name\": \"attorney destinations evolution\", \"log_provider\": \"sections sides trembl\", \"modified_time\": 1731328627575, \"original_time\": \"coalition polyphonic limit\", \"tenant_uid\": \"a9ddd8d0-a029-11ef-a422-0242ac110007\"}, \"scan\": {\"name\": \"nd lawn seeking\", \"type\": \"Updated Content\", \"uid\": \"a9ddf644-a029-11ef-b1ea-0242ac110007\", \"type_id\": 3}, \"severity\": \"Unknown\", \"category_uid\": 7, \"activity_id\": 2, \"type_uid\": 700202, \"type_name\": \"File Remediation Activity: Evict\", \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"activity_name\": \"Evict\", \"command_uid\": \"a9deee3c-a029-11ef-8d19-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a9ded82a-a029-11ef-9aed-0242ac110007\"}, \"d3f_technique\": {\"name\": \"collecting monte craps\", \"uid\": \"a9dee1da-a029-11ef-b734-0242ac110007\"}}], \"severity_id\": 0, \"status_code\": \"holes\", \"status_detail\": \"payroll perfectly prospective\", \"status_id\": 6}", + "event": { + "action": "evict", + "category": [], + "provider": "sections sides trembl", + "reason": "baker testimonials approx", + "severity": 0, + "type": [] + }, + "@timestamp": "2024-11-11T12:37:07.583000Z", + "file": { + "directory": "violin economic czech/regular.accdb", + "hash": { + "sha1": "23BF00BD8ADB4469651EB5D5C47027D49C53BB2D4F80D2DFFF57658A1076FF2F74282A97BB0B6574" + }, + "mime_type": "agree/diego", + "name": "brazilian.tar.gz", + "owner": "Enrolled", + "path": "violin economic czech/regular.accdb/brazilian.tar.gz", + "type": "Regular File", + "uid": "a9de1552-a029-11ef-9be5-0242ac110007" + }, + "ocsf": { + "activity_id": 2, + 
"activity_name": "Evict", + "class_name": "File Remediation Activity", + "class_uid": 7002 + }, + "related": { + "hash": [ + "23BF00BD8ADB4469651EB5D5C47027D49C53BB2D4F80D2DFFF57658A1076FF2F74282A97BB0B6574" + ], + "user": [ + "Enrolled" + ] + } + } + + ``` + + +=== "generated_network_remediation_activity_1.json" + + ```json + + { + "message": "{\"message\": \"kills routine cookie\", \"status\": \"Error\", \"time\": 1731331184401, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"consoles paste democrats\", \"version\": \"1.3.0\", \"uid\": \"9dd714a6-a02f-11ef-a375-0242ac110007\"}, \"product\": {\"name\": \"strip milton message\", \"uid\": \"9dd78440-a02f-11ef-9b45-0242ac110007\", \"feature\": {\"name\": \"dealing instruction glasgow\", \"version\": \"1.3.0\", \"uid\": \"9dd7bc30-a02f-11ef-a841-0242ac110007\"}, \"vendor_name\": \"praise profit voyeurweb\"}, \"uid\": \"9dd80514-a02f-11ef-ad38-0242ac110007\", \"profiles\": [], \"log_name\": \"mens coverage sustained\", \"log_provider\": \"expertise browse courier\", \"logged_time\": 1731331184386, \"original_time\": \"sauce female resulted\", \"tenant_uid\": \"9dd8901a-a02f-11ef-b542-0242ac110007\"}, \"connection_info\": {\"uid\": \"9dd8e524-a02f-11ef-a212-0242ac110007\", \"boundary\": \"Unknown\", \"protocol_name\": \"notion expressed postcards\", \"direction\": \"Outbound\", \"boundary_id\": 0, \"direction_id\": 2, \"protocol_num\": 62, \"protocol_ver\": \"pricing\", \"protocol_ver_id\": 99, \"tcp_flags\": 39}, \"severity\": \"High\", \"category_uid\": 7, \"activity_id\": 3, \"type_uid\": 700403, \"type_name\": \"Network Remediation Activity: Restore\", \"observables\": [{\"name\": \"pricing pope defendant\", \"type\": \"Process Name\", \"type_id\": 9}, {\"name\": \"fail long monthly\", \"type\": \"Resource UID\", \"type_id\": 10, \"reputation\": {\"base_score\": 5.3863, \"provider\": \"finally responding daughter\", \"score\": \"Probably Safe\", \"score_id\": 3}}], \"category_name\": 
\"Remediation\", \"class_uid\": 7004, \"class_name\": \"Network Remediation Activity\", \"timezone_offset\": 79, \"activity_name\": \"Restore\", \"command_uid\": \"9ddaa616-a02f-11ef-bdaf-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"9dd9bdc8-a02f-11ef-a7a3-0242ac110007\"}, \"d3f_technique\": {\"name\": \"informal statistics lcd\", \"uid\": \"9dda024c-a02f-11ef-938d-0242ac110007\"}}], \"severity_id\": 4, \"status_code\": \"cds\", \"status_id\": 6}", + "event": { + "action": "restore", + "category": [], + "provider": "expertise browse courier", + "reason": "kills routine cookie", + "severity": 4, + "type": [] + }, + "@timestamp": "2024-11-11T13:19:44.401000Z", + "network": { + "direction": [ + "unknown" + ], + "iana_number": "62" + }, + "ocsf": { + "activity_id": 3, + "activity_name": "Restore", + "class_name": "Network Remediation Activity", + "class_uid": 7004 + } + } + + ``` + + +=== "generated_network_remediation_activity_2.json" + + ```json + + { + "message": "{\"count\": 70, \"message\": \"virtue carb keeps\", \"status\": \"Unknown\", \"time\": 1731331194181, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"subjective myself systems\", \"version\": \"1.3.0\", \"uid\": \"a3ac922a-a02f-11ef-984c-0242ac110007\", \"feature\": {\"name\": \"seafood zen attacks\", \"version\": \"1.3.0\", \"uid\": \"a3ad2ca8-a02f-11ef-a741-0242ac110007\"}, \"vendor_name\": \"sullivan participation wired\"}, \"extensions\": [{\"name\": \"faq valuable theory\", \"version\": \"1.3.0\", \"uid\": \"a3ad55ac-a02f-11ef-9d32-0242ac110007\"}, {\"name\": \"diesel salmon graduates\", \"version\": \"1.3.0\", \"uid\": \"a3ad70e6-a02f-11ef-be20-0242ac110007\"}], \"profiles\": [], \"log_name\": \"influence increasing towers\", \"log_provider\": \"defence ignore carroll\", \"original_time\": \"baths ends led\", \"tenant_uid\": \"a3ad8d56-a02f-11ef-a66b-0242ac110007\"}, \"scan\": {\"name\": \"fits educated vip\", \"type\": \"Attached 
Media\", \"uid\": \"a3ae1122-a02f-11ef-b0ef-0242ac110007\", \"type_id\": 5}, \"connection_info\": {\"uid\": \"a3ae3c42-a02f-11ef-bdd6-0242ac110007\", \"boundary\": \"Internet Gateway\", \"protocol_name\": \"nuts oriented data\", \"direction\": \"Inbound\", \"boundary_id\": 11, \"direction_id\": 1, \"protocol_num\": 88, \"protocol_ver\": \"Unknown\", \"protocol_ver_id\": 0}, \"severity\": \"Medium\", \"category_uid\": 7, \"activity_id\": 3, \"type_uid\": 700403, \"type_name\": \"Network Remediation Activity: Restore\", \"observables\": [{\"name\": \"catherine lawsuit wash\", \"type\": \"File Name\", \"value\": \"underwear img tp\", \"type_id\": 7}, {\"name\": \"drawn vol buy\", \"type\": \"Email Address\", \"type_id\": 5, \"reputation\": {\"base_score\": 40.1815, \"provider\": \"miscellaneous applying places\", \"score\": \"tapes\", \"score_id\": 99}}], \"category_name\": \"Remediation\", \"class_uid\": 7004, \"class_name\": \"Network Remediation Activity\", \"timezone_offset\": 96, \"activity_name\": \"Restore\", \"command_uid\": \"a3aecf68-a02f-11ef-b5f1-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a3ae8698-a02f-11ef-a4fc-0242ac110007\", \"src_url\": \"weak\"}, \"d3f_technique\": {\"name\": \"gratuit refused endorsed\", \"uid\": \"a3ae95ac-a02f-11ef-b756-0242ac110007\"}}], \"enrichments\": [{\"data\": \"year\", \"name\": \"terry acceptance unavailable\", \"type\": \"me mo fetish\", \"value\": \"ride restore bearing\", \"created_time\": 1731331194181, \"provider\": \"illinois ferrari samuel\", \"reputation\": {\"base_score\": 43.1915, \"provider\": \"view rankings um\", \"score\": \"Very Safe\", \"score_id\": 1}, \"short_desc\": \"uganda pose worse\", \"src_url\": \"aluminium\"}, {\"data\": \"funky\", \"name\": \"italic electrical successfully\", \"type\": \"ethnic hitachi stevens\", \"value\": \"steven m rogers\", \"desc\": \"digital jeffrey rogers\", \"created_time\": 1731331194181, \"short_desc\": \"cook psi jobs\", 
\"src_url\": \"hp\"}], \"severity_id\": 3, \"status_code\": \"professionals\", \"status_detail\": \"affiliated carries publications\", \"status_id\": 0}", + "event": { + "action": "restore", + "category": [], + "outcome": "unknown", + "provider": "defence ignore carroll", + "reason": "virtue carb keeps", + "severity": 3, + "type": [] + }, + "@timestamp": "2024-11-11T13:19:54.181000Z", + "network": { + "direction": [ + "inbound" + ], + "iana_number": "88" + }, + "ocsf": { + "activity_id": 3, + "activity_name": "Restore", + "class_name": "Network Remediation Activity", + "class_uid": 7004 + } + } + + ``` + + +=== "generated_process_remediation_activity_1.json" + + ```json + + { + "message": "{\"message\": \"heaven country sugar\", \"process\": {\"name\": \"Success\", \"pid\": 94, \"file\": {\"name\": \"earliest.pdb\", \"owner\": {\"name\": \"Tee\", \"type\": \"Unknown\", \"domain\": \"term assembled gossip\", \"uid\": \"223ad95e-a02f-11ef-8523-0242ac110007\", \"type_id\": 0, \"full_name\": \"Kaycee Valarie\", \"risk_level\": \"orleans medicines legal\"}, \"type\": \"Regular File\", \"path\": \"guilty different comply/expects.accdb/earliest.pdb\", \"desc\": \"prominent purse jones\", \"ext\": \"rendered ministry investigators\", \"type_id\": 1, \"parent_folder\": \"guilty different comply/expects.accdb\", \"hashes\": [{\"value\": \"EFE899C74558F20B08BBC19BF0228C0C25BDDB7871D80BD34AC8B33C030B3698\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"6B1C747BA410921F62727C6AEE307A71A7021A4F23DCD2CCFAB1EC037E3A86C28518C84FC4E389893A41ED6CC8EFCA276E1FA37D836A1183305EC8DD7BC3D3F0\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"name\": \"Livestock\", \"type\": \"Admin\", \"uid\": \"223aed7c-a02f-11ef-943c-0242ac110007\", \"type_id\": 2, \"risk_level\": \"sense\", \"risk_level_id\": 99}, \"loaded_modules\": [\"/offered/her/msg/vegetarian/bizarre.html\", \"/principle/setting/liz/defendant/herself.wsf\"], \"cmd_line\": \"guided stretch phrases\", 
\"created_time\": 1731330976996, \"parent_process\": {\"name\": \"Em\", \"pid\": 60, \"file\": {\"name\": \"texas.rss\", \"type\": \"Regular File\", \"path\": \"pipeline memorabilia wednesday/lindsay.thm/texas.rss\", \"product\": {\"name\": \"rather rate cms\", \"version\": \"1.3.0\", \"uid\": \"223b1036-a02f-11ef-a666-0242ac110007\", \"lang\": \"en\", \"vendor_name\": \"assistance printers careful\"}, \"uid\": \"223b1766-a02f-11ef-b077-0242ac110007\", \"ext\": \"around clear funk\", \"type_id\": 1, \"parent_folder\": \"pipeline memorabilia wednesday/lindsay.thm\", \"accessed_time\": 1731330976998, \"hashes\": [{\"value\": \"0C9582BD64D9BAB6B4D907C275F45B5D3FC0035986E6294724E7FC4C77A9E16F42AD975BA9F5AD3884CCEFB2635640629F2AA538C5FDA52E2D872D3B73F65C6C\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"31FEBEB59C135F276A56FF06D2A3B00B982685E2D8EF3205B97EB80E0F4DCDC3\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"is_system\": true, \"xattributes\": {}}, \"user\": {\"name\": \"Membership\", \"type\": \"System\", \"uid\": \"223b30c0-a02f-11ef-87cb-0242ac110007\", \"type_id\": 3, \"full_name\": \"Anita Rosanna\", \"email_addr\": \"Li@scientific.travel\"}, \"uid\": \"223b4aa6-a02f-11ef-9d39-0242ac110007\", \"cmd_line\": \"suits chris sega\", \"created_time\": 1731330976999, \"lineage\": [\"alternative consistently improved\", \"cats charm hardcover\"], \"parent_process\": {\"name\": \"Humor\", \"pid\": 26, \"file\": {\"name\": \"incorrect.gadget\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"upset india relax/marie.3gp/incorrect.gadget\", \"product\": {\"name\": \"grades internationally ordinary\", \"version\": \"1.3.0\", \"uid\": \"223b9d6c-a02f-11ef-af12-0242ac110007\", \"feature\": {\"name\": \"motivation bridges other\", \"version\": \"1.3.0\", \"uid\": \"223bade8-a02f-11ef-a579-0242ac110007\"}, \"vendor_name\": \"lightweight monday station\"}, \"uid\": \"223bb4f0-a02f-11ef-9470-0242ac110007\", \"ext\": \"celebrities 
intelligent david\", \"type_id\": 1, \"accessor\": {\"name\": \"Institutes\", \"type\": \"User\", \"uid\": \"223bc1b6-a02f-11ef-be06-0242ac110007\", \"org\": {\"uid\": \"223bcfee-a02f-11ef-9eaf-0242ac110007\", \"ou_name\": \"sixth rats hawk\"}, \"type_id\": 1, \"account\": {\"name\": \"fairy clause literally\", \"uid\": \"223be3a8-a02f-11ef-b63a-0242ac110007\"}, \"credential_uid\": \"223befc4-a02f-11ef-9ee4-0242ac110007\", \"ldap_person\": {\"email_addrs\": [\"Suzann@verbal.biz\", \"Flo@submissions.int\"], \"last_login_time\": 1731330977003, \"leave_time\": 1731330977003}, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 44}, \"parent_folder\": \"upset india relax/marie.3gp\", \"hashes\": [{\"value\": \"4B300F704B4BD8E100BDB3CAB1031A6CEDCB68FBC2C3606B1178586034AF4ECAC9A514E1A67728708F5FAD5AD1FC04AE78ECA412443352AF94457FEC9581ED11\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"C861DBBC3D16CC0E2D8C34764F0864239EBAC9973B25229B5ADFE56574C851ED73B6FCBC5931C8F0E23094B0D787E183BF5DF893560460CD403ED6F6C7174B7D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"name\": \"Protection\", \"type\": \"Unknown\", \"uid\": \"223c0d88-a02f-11ef-bfe0-0242ac110007\", \"type_id\": 0, \"full_name\": \"Brittanie Russel\", \"credential_uid\": \"223c156c-a02f-11ef-ae21-0242ac110007\", \"risk_level\": \"school wall wolf\", \"risk_score\": 37}, \"cmd_line\": \"roof dt critical\", \"created_time\": 1731330977004, \"parent_process\": {\"name\": \"Iv\", \"file\": {\"name\": \"retro.bmp\", \"type\": \"Named Pipe\", \"path\": \"rubber mj queen/archive.wav/retro.bmp\", \"signature\": {\"state\": \"lauderdale illustrated editorial\", \"certificate\": {\"version\": \"1.3.0\", \"subject\": \"mighty assisted detail\", \"issuer\": \"accompanied routers acne\", \"fingerprints\": [{\"value\": \"022DEC95C5096AFDD20A88DF019AC56B\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": 
\"8418E7362D4E0848D22B88FF2EC86F93AB49AE75A1558CE41B75732C6B78955A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1731330977005, \"expiration_time\": 1731330977005, \"serial_number\": \"receivers stylish woods\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"desc\": \"rep jeff tape\", \"ext\": \"through testimonials cardiff\", \"type_id\": 6, \"parent_folder\": \"rubber mj queen/archive.wav\", \"accessed_time\": 1731330977005, \"hashes\": [{\"value\": \"311EF3B8DC9FFBC403CA8BFEFAF69F728D2BE1AFFB42206E860CAA9F9FC9D8A57266E69AF264348CFACF811255655CDAF7BF4204EA0E7C0AD91297FCCB92BD28\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"12B400C07544526379365632C5EAE7B868347EA513F21C09D8F5A9306B373005\", \"algorithm\": \"magic\", \"algorithm_id\": 99}]}, \"user\": {\"name\": \"Rise\", \"type\": \"omissions\", \"uid\": \"223c3c36-a02f-11ef-a7a3-0242ac110007\", \"type_id\": 99, \"account\": {\"name\": \"naturally textile pharmacies\", \"uid\": \"223c4b7c-a02f-11ef-90fb-0242ac110007\"}}, \"uid\": \"223c51e4-a02f-11ef-8de3-0242ac110007\", \"cmd_line\": \"keyboard milk printers\", \"created_time\": 1731330977006, \"parent_process\": {\"name\": \"Computation\", \"pid\": 30, \"file\": {\"name\": \"posted.yuv\", \"type\": \"Folder\", \"path\": \"kid hollow housing/trick.dwg/posted.yuv\", \"ext\": \"gage capabilities reasons\", \"type_id\": 2, \"accessor\": {\"type\": \"User\", \"uid\": \"223c6ed6-a02f-11ef-9e28-0242ac110007\", \"org\": {\"name\": \"salem civil rely\", \"uid\": \"223c784a-a02f-11ef-b6f3-0242ac110007\", \"ou_name\": \"saudi kathy going\"}, \"type_id\": 1, \"credential_uid\": \"223c7f2a-a02f-11ef-9b2e-0242ac110007\"}, \"parent_folder\": \"kid hollow housing/trick.dwg\", \"accessed_time\": 1731330977007, \"hashes\": [{\"value\": \"84282F14696FCE92F1387E783E6E35A7F462B8F63DD2CBBF03C8FBD817B4B334EA21DB328F7F7CC7040EBAEC27B5E741457DFC36FAEC09CB527ECE2B22C142C4\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": 
\"A74A78AF4E994F8C5ADE1098C677DEE43370A2B898524B0730EBFF42FA2C8359\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"is_system\": false}, \"user\": {\"name\": \"Royal\", \"type\": \"eclipse\", \"uid\": \"223c92ee-a02f-11ef-b37d-0242ac110007\", \"org\": {\"name\": \"races obtaining business\", \"uid\": \"223c9f6e-a02f-11ef-80ed-0242ac110007\", \"ou_name\": \"larger phones hotel\", \"ou_uid\": \"223ca72a-a02f-11ef-b597-0242ac110007\"}, \"type_id\": 99, \"account\": {\"name\": \"execution implemented contributions\", \"type\": \"AWS Account\", \"uid\": \"223cb300-a02f-11ef-a109-0242ac110007\", \"type_id\": 10}, \"ldap_person\": {\"location\": {\"desc\": \"Senegal, Republic of\", \"city\": \"Barely vpn\", \"country\": \"SN\", \"coordinates\": [-6.1769, -23.2664], \"continent\": \"Africa\"}, \"given_name\": \"oven registrar consultant\", \"ldap_cn\": \"insulin convicted posted\", \"modified_time\": 1731330977010}}, \"tid\": 28, \"uid\": \"223d09cc-a02f-11ef-88a8-0242ac110007\", \"cmd_line\": \"cologne preventing pvc\", \"created_time\": 1731330977010, \"integrity\": \"tears\", \"integrity_id\": 99, \"parent_process\": {\"pid\": 58, \"file\": {\"name\": \"concept.tar\", \"type\": \"Regular File\", \"path\": \"aging socks soc/traditions.nes/concept.tar\", \"modifier\": {\"name\": \"Mai\", \"type\": \"mineral\", \"uid\": \"223d2b96-a02f-11ef-a466-0242ac110007\", \"type_id\": 99, \"account\": {\"name\": \"fitting remembered advertiser\", \"type\": \"Linux Account\", \"uid\": \"223d378a-a02f-11ef-a93b-0242ac110007\", \"type_id\": 9}, \"credential_uid\": \"223d4086-a02f-11ef-aae8-0242ac110007\", \"risk_level\": \"Low\", \"risk_level_id\": 1, \"uid_alt\": \"chevrolet header sensitive\"}, \"uid\": \"223d47d4-a02f-11ef-80dd-0242ac110007\", \"ext\": \"finnish quotations trigger\", \"type_id\": 1, \"parent_folder\": \"aging socks soc/traditions.nes\", \"hashes\": [{\"value\": 
\"CCF8B7F3C1B91940CEA0982813BDECBB4177E02F8485991FF6F5F1ED5AEB7448BB931BD088B4617001768303ECEE51E3D61A3CC7369BA9EEF3C965E865EFEA4A\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"name\": \"Clubs\", \"type\": \"Unknown\", \"uid\": \"223d59ae-a02f-11ef-8620-0242ac110007\", \"type_id\": 0, \"risk_score\": 1, \"uid_alt\": \"quebec robertson slovak\"}, \"tid\": 22, \"uid\": \"223d673c-a02f-11ef-9f3c-0242ac110007\", \"cmd_line\": \"barnes outlined alabama\", \"created_time\": 1731330977013, \"parent_process\": {\"name\": \"Weapons\", \"pid\": 16, \"file\": {\"name\": \"pale.odt\", \"owner\": {\"name\": \"Waiver\", \"type\": \"carroll\", \"type_id\": 99, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 13}, \"type\": \"Character Device\", \"path\": \"pupils demonstrated spam/constitution.obj/pale.odt\", \"ext\": \"intl hip entry\", \"type_id\": 3, \"company_name\": \"Lucas Emerald\", \"parent_folder\": \"pupils demonstrated spam/constitution.obj\", \"hashes\": [{\"value\": \"8DF60FF96BFECD59DE3F802675A05912\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"149D479F6A59E992D99E894B589A22B63E7F357049D6B573DA7AAD6DB5584F44\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"security_descriptor\": \"decade prepared deleted\", \"xattributes\": {}}, \"user\": {\"name\": \"Gbp\", \"domain\": \"cathedral faces lovers\", \"uid\": \"223dc06a-a02f-11ef-8a14-0242ac110007\", \"full_name\": \"Bryan Yasmine\", \"risk_score\": 94}, \"uid\": \"223dc7f4-a02f-11ef-850b-0242ac110007\", \"cmd_line\": \"religious membership rb\", \"created_time\": 1731330977015, \"parent_process\": {\"name\": \"Invite\", \"pid\": 19, \"file\": {\"name\": \"aggressive.icns\", \"type\": \"Block Device\", \"path\": \"nyc runtime slip/ballot.thm/aggressive.icns\", \"desc\": \"ease ill executed\", \"ext\": \"malpractice road end\", \"type_id\": 4, \"mime_type\": \"income/poison\", \"parent_folder\": \"nyc runtime slip/ballot.thm\", \"hashes\": 
[{\"value\": \"037AEAEAF4BBF26DDABE7256A8294DC52DA48D575A1247B5C2598C47DE7AEBAB\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"C63B81E57E6869E3358411F7CCE3A2FA7BBE6FE5C1C54E3B4FDCD214F77082948C4A05C49CF7AF90CB5D0F112840C2A2B7715C80A07CF8511D608E1546DB6AC1\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731330977016}, \"user\": {\"type\": \"User\", \"uid\": \"223decca-a02f-11ef-ab3c-0242ac110007\", \"type_id\": 1, \"ldap_person\": {\"cost_center\": \"motion saudi unix\", \"deleted_time\": 1731330977016, \"employee_uid\": \"223df7ba-a02f-11ef-8947-0242ac110007\", \"hire_time\": 1731330977016, \"last_login_time\": 1731330977016, \"ldap_dn\": \"table silent possibly\", \"surname\": \"alone tongue emotional\"}, \"risk_level\": \"Low\", \"risk_level_id\": 1}, \"uid\": \"223dff76-a02f-11ef-b8d3-0242ac110007\", \"loaded_modules\": [\"/penguin/celebration/epson/lenders/with.uue\", \"/prefer/motherboard/traveling/factors/lawyer.tmp\"], \"cmd_line\": \"except routing crowd\", \"created_time\": 1731330977017, \"sandbox\": \"mechanisms suppose founded\"}}, \"sandbox\": \"tide oral independent\"}}}, \"terminated_time\": 1731330977017}}, \"xattributes\": {}}, \"status\": \"Unknown\", \"time\": 1731330976994, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"appeals discrete crash\", \"version\": \"1.3.0\", \"uid\": \"223a5696-a02f-11ef-ac80-0242ac110007\", \"vendor_name\": \"license push emperor\"}, \"sequence\": 26, \"profiles\": [], \"log_name\": \"ideal extended offers\", \"log_provider\": \"seller deserve sharing\", \"original_time\": \"alfred invitations speaking\", \"tenant_uid\": \"223a5fec-a02f-11ef-af39-0242ac110007\"}, \"severity\": \"Critical\", \"category_uid\": 7, \"activity_id\": 4, \"type_uid\": 700304, \"type_name\": \"Process Remediation Activity: Harden\", \"observables\": [{\"name\": \"uploaded bear will\", \"type\": \"Subnet\", \"type_id\": 12}, {\"name\": \"italic quantitative keno\", \"type\": 
\"Geo Location\", \"type_id\": 26}], \"category_name\": \"Remediation\", \"class_uid\": 7003, \"class_name\": \"Process Remediation Activity\", \"timezone_offset\": 64, \"activity_name\": \"Harden\", \"command_uid\": \"223ab6e0-a02f-11ef-9ffc-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"223a6fdc-a02f-11ef-a601-0242ac110007\"}, \"d3f_technique\": {\"name\": \"columbus sync taken\", \"uid\": \"223a80c6-a02f-11ef-9766-0242ac110007\"}}], \"enrichments\": [{\"data\": \"trackback\", \"name\": \"natural segment seattle\", \"value\": \"rebecca stack obtain\", \"created_time\": 1731330976994, \"provider\": \"shall surplus transparency\", \"reputation\": {\"base_score\": 63.125, \"provider\": \"czech meter kinda\", \"score\": \"Possibly Malicious\", \"score_id\": 8}, \"src_url\": \"employees\"}, {\"data\": \"academics\", \"name\": \"todd earliest quick\", \"type\": \"older complicated mails\", \"value\": \"issued dressed latina\", \"created_time\": 1731330976994, \"provider\": \"tube subtle austin\", \"short_desc\": \"summer concentration specific\", \"src_url\": \"domestic\"}], \"severity_id\": 5, \"status_code\": \"malawi\", \"status_detail\": \"odd lib station\", \"status_id\": 0}", + "event": { + "action": "harden", + "category": [], + "outcome": "unknown", + "provider": "seller deserve sharing", + "reason": "heaven country sugar", + "sequence": 26, + "severity": 5, + "type": [] + }, + "@timestamp": "2024-11-11T13:16:16.994000Z", + "file": { + "directory": "guilty different comply/expects.accdb", + "hash": { + "sha256": "EFE899C74558F20B08BBC19BF0228C0C25BDDB7871D80BD34AC8B33C030B3698", + "tlsh": "6B1C747BA410921F62727C6AEE307A71A7021A4F23DCD2CCFAB1EC037E3A86C28518C84FC4E389893A41ED6CC8EFCA276E1FA37D836A1183305EC8DD7BC3D3F0" + }, + "name": "earliest.pdb", + "owner": "Tee", + "path": "guilty different comply/expects.accdb/earliest.pdb", + "type": "Regular File", + "uid": "223ad95e-a02f-11ef-8523-0242ac110007" + }, + "ocsf": { 
+ "activity_id": 4, + "activity_name": "Harden", + "class_name": "Process Remediation Activity", + "class_uid": 7003, + "process": { + "parent": { + "user": { + "email": "Li@scientific.travel", + "full_name": "Anita Rosanna" + } + } + } + }, + "process": { + "command_line": "guided stretch phrases", + "name": "Success", + "parent": { + "command_line": "suits chris sega", + "entity_id": "223b4aa6-a02f-11ef-9d39-0242ac110007", + "name": "Em", + "pid": 60, + "start": "2024-11-11T13:16:16.999000Z", + "user": { + "id": [ + "223b30c0-a02f-11ef-87cb-0242ac110007" + ], + "name": "Membership" + } + }, + "pid": 94, + "start": "2024-11-11T13:16:16.996000Z", + "user": { + "id": [ + "223aed7c-a02f-11ef-943c-0242ac110007" + ], + "name": "Livestock" + } + }, + "related": { + "hash": [ + "EFE899C74558F20B08BBC19BF0228C0C25BDDB7871D80BD34AC8B33C030B3698" + ], + "user": [ + "Tee" + ] + } + } + + ``` + + +=== "generated_process_remediation_activity_2.json" + + ```json + + { + "message": "{\"message\": \"sellers besides hl\", \"process\": {\"name\": \"Prince\", \"pid\": 7, \"file\": {\"name\": \"propose.pptx\", \"type\": \"Folder\", \"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"modifier\": {\"name\": \"Stylish\", \"type\": \"Unknown\", \"uid\": \"28d3fd18-a02f-11ef-af24-0242ac110007\", \"type_id\": 0, \"ldap_person\": {\"employee_uid\": \"28d42ee6-a02f-11ef-9279-0242ac110007\"}, \"risk_level\": \"loving\", \"risk_level_id\": 99, \"risk_score\": 0}, \"desc\": \"ceiling patches side\", \"uid\": \"28d43742-a02f-11ef-9ec1-0242ac110007\", \"type_id\": 2, \"creator\": {\"name\": \"Remained\", \"type\": \"latino\", \"domain\": \"rest investor soa\", \"uid\": \"28d473e2-a02f-11ef-9ccb-0242ac110007\", \"type_id\": 99}, \"hashes\": [{\"value\": \"89759E1284E2479B991D2669DE104942\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"C19F43EB415F38C482F5CB26B9720DA398AA56B47B415867BBA7F118EB0D89D563350BA26D579DC834B11828F7E929E3AD3F14B90D86D0610F44E088AD1F2B64\", 
\"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Pork\", \"type\": \"User\", \"uid\": \"28d4888c-a02f-11ef-82fc-0242ac110007\", \"type_id\": 1, \"ldap_person\": {\"location\": {\"desc\": \"Dominica, Commonwealth of\", \"city\": \"Discrimination fri\", \"country\": \"DM\", \"coordinates\": [92.1251, 34.7562], \"continent\": \"North America\"}, \"manager\": {\"name\": \"Idol\", \"type\": \"Admin\", \"uid\": \"28d4cb94-a02f-11ef-b90f-0242ac110007\", \"type_id\": 2, \"risk_level\": \"gothic smithsonian garmin\"}, \"employee_uid\": \"28d4d544-a02f-11ef-ad52-0242ac110007\", \"given_name\": \"includes livestock index\", \"job_title\": \"strategies compliant references\", \"leave_time\": 1731330988071, \"modified_time\": 1731330988071}, \"uid_alt\": \"control gary baking\"}, \"tid\": 47, \"uid\": \"28d4de90-a02f-11ef-98b9-0242ac110007\", \"cmd_line\": \"characters vocal tracy\", \"created_time\": 1731330988072, \"parent_process\": {\"pid\": 40, \"file\": {\"attributes\": 79, \"name\": \"irc.com\", \"type\": \"Unknown\", \"path\": \"finding possibilities clinton/cached.asf/irc.com\", \"signature\": {\"state\": \"Revoked\", \"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"external compiler heated\", \"issuer\": \"appears hungry drive\", \"fingerprints\": [{\"value\": \"63F62E392F7025A4167DD1EC5A9EF966C16729FDC201CB89B807A60D5332A7A9473433A7AE2CD8C213C47520CFCDF970F3EA2DFEF02D04EA5B66610BDEA8D497\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1731330988072, \"expiration_time\": 1731330988072, \"serial_number\": \"configuration deadline calgary\"}, \"algorithm\": \"fails\", \"algorithm_id\": 99, \"state_id\": 3}, \"modifier\": {\"type\": \"User\", \"uid\": \"28d51ef0-a02f-11ef-92f3-0242ac110007\", \"type_id\": 1, \"email_addr\": \"Yu@monroe.mil\"}, \"ext\": \"consequences years ecology\", \"type_id\": 0, \"parent_folder\": \"finding possibilities clinton/cached.asf\", \"hashes\": [{\"value\": 
\"A6426312E27AB008F4EDC3204E03FD5B383EA1C8B4A4567E748A42CEF025EF43A89764E99A4D39740137733A152598B7050663A2C427F7874F331D0609FD3CB8\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"EACCA81A25CF539B76C8A39BB632EC20C918EF9EFD1E73B8FDEB68C67765DE58E5925C523C695E88ACB94E43C38BA494EFF4D1A415A91C332930A3FB12A5AF27\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"type\": \"Unknown\", \"uid\": \"28d53156-a02f-11ef-aa73-0242ac110007\", \"type_id\": 0}, \"tid\": 51, \"uid\": \"28d53f16-a02f-11ef-9a1e-0242ac110007\", \"cmd_line\": \"commission relying steady\", \"created_time\": 1731330988074, \"integrity\": \"Medium\", \"integrity_id\": 3, \"parent_process\": {\"pid\": 56, \"session\": {\"terminal\": \"occur match lan\", \"uid\": \"28d58f84-a02f-11ef-8740-0242ac110007\", \"created_time\": 1731330988076, \"expiration_reason\": \"therapeutic midlands visited\", \"is_remote\": true}, \"file\": {\"attributes\": 47, \"name\": \"anymore.tar\", \"owner\": {\"name\": \"Halifax\", \"type\": \"User\", \"type_id\": 1, \"risk_level\": \"Medium\", \"risk_level_id\": 2}, \"type\": \"Regular File\", \"uid\": \"28d5c4cc-a02f-11ef-8469-0242ac110007\", \"type_id\": 1, \"hashes\": [{\"value\": \"F573102FF9F85CEA0795FA811907D06B74C86CDE18D2999A2070523EC27478C2F15F634D3D0509B660995C0695E665C4A124CD5F1F657FD9E26AC679200F1425\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"modified_time\": 1731330988078, \"security_descriptor\": \"realtors shoulder kilometers\", \"xattributes\": {}}, \"user\": {\"name\": \"Figured\", \"type\": \"System\", \"uid\": \"28d5fac8-a02f-11ef-895f-0242ac110007\", \"type_id\": 3, \"credential_uid\": \"28d602ac-a02f-11ef-9c04-0242ac110007\", \"email_addr\": \"Darla@movies.org\"}, \"uid\": \"28d63402-a02f-11ef-b1e9-0242ac110007\", \"cmd_line\": \"overview statutes valves\", \"created_time\": 1731330988080, \"integrity\": \"losses renewal aquatic\"}}}, \"status\": \"dynamic acer dollar\", \"time\": 1731330988061, \"metadata\": 
{\"version\": \"1.3.0\", \"product\": {\"name\": \"diamond aaa screensavers\", \"version\": \"1.3.0\", \"path\": \"mem anthropology notifications\", \"uid\": \"28d1a536-a02f-11ef-92c5-0242ac110007\", \"cpe_name\": \"quebec labs assume\", \"vendor_name\": \"professionals subsidiary maria\"}, \"labels\": [\"bandwidth\", \"jeremy\"], \"profiles\": [], \"event_code\": \"digit\", \"log_name\": \"bosnia blind seq\", \"log_provider\": \"arg handed dock\", \"log_version\": \"congratulations solution vancouver\", \"original_time\": \"famous thinking males\"}, \"scan\": {\"name\": \"soon reproduce paragraph\", \"type\": \"Updated Content\", \"uid\": \"28d22ac4-a02f-11ef-a4e4-0242ac110007\", \"type_id\": 3}, \"severity\": \"Informational\", \"category_uid\": 7, \"activity_id\": 0, \"type_uid\": 700300, \"type_name\": \"Process Remediation Activity: Unknown\", \"observables\": [{\"name\": \"targeted arlington mediterranean\", \"type\": \"Geo Location\", \"type_id\": 26, \"reputation\": {\"base_score\": 94.8029, \"provider\": \"lucy printing mrna\", \"score\": \"turkish\", \"score_id\": 99}}, {\"name\": \"payment traditions proudly\", \"type\": \"CVE Object: uid\", \"type_id\": 18}], \"category_name\": \"Remediation\", \"class_uid\": 7003, \"class_name\": \"Process Remediation Activity\", \"timezone_offset\": 14, \"activity_name\": \"Unknown\", \"command_uid\": \"28d355b6-a02f-11ef-b6de-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"28d23d02-a02f-11ef-97ab-0242ac110007\"}, \"d3f_technique\": {\"name\": \"dosage cart but\", \"uid\": \"28d29040-a02f-11ef-b946-0242ac110007\"}}, {\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"28d29c02-a02f-11ef-9d6f-0242ac110007\"}, \"d3f_technique\": {\"uid\": \"28d2cb6e-a02f-11ef-a981-0242ac110007\", \"src_url\": \"amsterdam\"}}], \"severity_id\": 1, \"status_detail\": \"bow euros scsi\"}", + "event": { + "action": "unknown", + "category": [], + "code": "digit", + "provider": "arg handed dock", + 
"reason": "sellers besides hl", + "severity": 1, + "type": [] + }, + "@timestamp": "2024-11-11T13:16:28.061000Z", + "file": { + "hash": { + "md5": "89759E1284E2479B991D2669DE104942", + "ssdeep": "C19F43EB415F38C482F5CB26B9720DA398AA56B47B415867BBA7F118EB0D89D563350BA26D579DC834B11828F7E929E3AD3F14B90D86D0610F44E088AD1F2B64" + }, + "inode": "28d43742-a02f-11ef-9ec1-0242ac110007", + "name": "propose.pptx", + "type": "Folder" + }, + "ocsf": { + "activity_id": 0, + "activity_name": "Unknown", + "class_name": "Process Remediation Activity", + "class_uid": 7003 + }, + "process": { + "command_line": "characters vocal tracy", + "entity_id": "28d4de90-a02f-11ef-98b9-0242ac110007", + "name": "Prince", + "parent": { + "command_line": "commission relying steady", + "entity_id": "28d53f16-a02f-11ef-9a1e-0242ac110007", + "pid": 40, + "start": "2024-11-11T13:16:28.074000Z", + "thread": { + "id": 51 + }, + "user": { + "id": [ + "28d53156-a02f-11ef-aa73-0242ac110007" + ] + } + }, + "pid": 7, + "start": "2024-11-11T13:16:28.072000Z", + "thread": { + "id": 47 + }, + "user": { + "id": [ + "28d4888c-a02f-11ef-82fc-0242ac110007" + ], + "name": "Pork" + } + }, + "related": { + "hash": [ + "89759E1284E2479B991D2669DE104942", + "C19F43EB415F38C482F5CB26B9720DA398AA56B47B415867BBA7F118EB0D89D563350BA26D579DC834B11828F7E929E3AD3F14B90D86D0610F44E088AD1F2B64" + ] + } + } + + ``` + + +=== "generated_windows_service_1.json" + + ```json + + { + "message": "{\"message\": \"gear technologies garlic\", \"status\": \"Failure\", \"time\": 1731399707936, \"device\": {\"owner\": {\"name\": \"Paper\", \"type\": \"Unknown\", \"domain\": \"comfort pick casino\", \"uid\": \"29093ba4-a0cf-11ef-a993-0242ac110007\", \"type_id\": 0, \"credential_uid\": \"2909420c-a0cf-11ef-ae57-0242ac110007\"}, \"type\": \"IDS\", \"uid\": \"29092d44-a0cf-11ef-8baa-0242ac110007\", \"type_id\": 13, \"imei\": \"polyester verified charlie\", \"instance_uid\": \"29091d04-a0cf-11ef-8935-0242ac110007\", \"interface_name\": \"fonts 
roller schema\", \"interface_uid\": \"290925c4-a0cf-11ef-83a0-0242ac110007\", \"is_managed\": true, \"network_interfaces\": [{\"name\": \"nickname museums symptoms\", \"type\": \"Unknown\", \"hostname\": \"influenced.museum\", \"mac\": \"25:15:EA:C3:5F:12:EF:E9\", \"type_id\": 0}, {\"name\": \"polar bm traveler\", \"type\": \"Wired\", \"hostname\": \"vegetarian.store\", \"mac\": \"87:8C:2:BD:DD:A8:43:3A\", \"type_id\": 1}], \"region\": \"provider nirvana absolute\", \"risk_level\": \"Critical\", \"risk_level_id\": 4}, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"pokemon know retrieval\", \"version\": \"1.3.0\", \"path\": \"dolls vid representing\", \"uid\": \"290890b4-a0cf-11ef-b8db-0242ac110007\", \"vendor_name\": \"hide broken trademark\"}, \"profiles\": [], \"log_name\": \"cindy drives thin\", \"log_provider\": \"foo canada biodiversity\", \"original_time\": \"virus pure partly\", \"processed_time\": 1731399707888}, \"start_time\": 1731399707936, \"severity\": \"Medium\", \"category_uid\": 1, \"activity_id\": 4, \"type_uid\": 20100404, \"type_name\": \"Windows Service Activity: Stop\", \"observables\": [{\"name\": \"generation damages hawaii\", \"type\": \"Email\", \"value\": \"sale talking pairs\", \"type_id\": 22}, {\"name\": \"testimonials seventh smallest\", \"type\": \"MAC Address\", \"type_id\": 3}], \"category_name\": \"System Activity\", \"class_uid\": 201004, \"class_name\": \"Windows Service Activity\", \"timezone_offset\": 72, \"activity_name\": \"Stop\", \"actor\": {\"process\": {\"name\": \"Don\", \"pid\": 38, \"file\": {\"name\": \"developmental.otf\", \"type\": \"Regular File\", \"path\": \"vg tunisia river/favorite.wsf/developmental.otf\", \"ext\": \"mike biography serial\", \"type_id\": 1, \"accessor\": {\"name\": \"Mathematical\", \"type\": \"Unknown\", \"domain\": \"touring wing sunglasses\", \"org\": {\"name\": \"battery met word\", \"uid\": \"29099612-a0cf-11ef-9f88-0242ac110007\", \"ou_name\": \"invitation olympus 
putting\"}, \"type_id\": 0, \"credential_uid\": \"29099f68-a0cf-11ef-ab1c-0242ac110007\", \"risk_level\": \"constitution missions steam\"}, \"parent_folder\": \"vg tunisia river/favorite.wsf\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"hashes\": [{\"value\": \"9280AE13A255F18D841739D0D18222BB950C8FC7\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"security_descriptor\": \"gibson columbia refund\"}, \"user\": {\"name\": \"Journal\", \"type\": \"System\", \"domain\": \"tuition gst cheese\", \"uid\": \"2909b99e-a0cf-11ef-946c-0242ac110007\", \"groups\": [{\"name\": \"overview friendly ul\", \"desc\": \"spent richards molecular\", \"privileges\": [\"gale suicide combo\"]}], \"type_id\": 3, \"full_name\": \"Lynsey Sherise\"}, \"uid\": \"2909c8d0-a0cf-11ef-82af-0242ac110007\", \"cmd_line\": \"hdtv il murder\", \"created_time\": 1731399707895, \"parent_process\": {\"name\": \"Indoor\", \"pid\": 29, \"session\": {\"terminal\": \"eternal armor maternity\", \"uid\": \"290a04bc-a0cf-11ef-9799-0242ac110007\", \"uuid\": \"290a0af2-a0cf-11ef-8713-0242ac110007\", \"issuer\": \"troubleshooting footage pour\", \"created_time\": 1731399707897}, \"file\": {\"attributes\": 81, \"name\": \"submitted.cpp\", \"owner\": {\"name\": \"Reverse\", \"type\": \"Unknown\", \"domain\": \"wiki ba evaluating\", \"uid\": \"290a2bea-a0cf-11ef-a2af-0242ac110007\", \"type_id\": 0, \"email_addr\": \"Bessie@outcomes.pro\", \"risk_level\": \"plenty sarah preparation\"}, \"size\": 2618568753, \"type\": \"Local Socket\", \"version\": \"1.3.0\", \"path\": \"annually chapters country/separately.pdf/submitted.cpp\", \"modifier\": {\"name\": \"Appraisal\", \"type\": \"Admin\", \"uid\": \"290a3a2c-a0cf-11ef-96ea-0242ac110007\", \"type_id\": 2}, \"desc\": \"deeply dresses hills\", \"ext\": \"scholarships fundraising hydrocodone\", \"type_id\": 5, \"company_name\": \"Galen Nakita\", \"parent_folder\": \"annually chapters country/separately.pdf\", \"accessed_time\": 1731399707898, 
\"hashes\": [{\"value\": \"9E2FB759708B9621D802CC03D5DA0C1600A80AE7A740A0840F232C31B6E61F01EE5CF00A1719E67BEC538182D8A3074DA5123670601506065A44D4E8AC2C4CB2\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"user\": {\"name\": \"Asian\", \"type\": \"Unknown\", \"uid\": \"290a520a-a0cf-11ef-a44f-0242ac110007\", \"type_id\": 0, \"full_name\": \"Roland Nichol\", \"account\": {\"name\": \"girl sugar benefit\", \"type\": \"Azure AD Account\", \"uid\": \"290a5ef8-a0cf-11ef-809f-0242ac110007\", \"labels\": [\"complex\"], \"type_id\": 6}, \"credential_uid\": \"290a66e6-a0cf-11ef-a28e-0242ac110007\", \"uid_alt\": \"transportation vegetables debian\"}, \"uid\": \"290a756e-a0cf-11ef-86a9-0242ac110007\", \"cmd_line\": \"bull retailers sensitivity\", \"created_time\": 1731399707900, \"lineage\": [\"george herein ghz\"], \"parent_process\": {\"name\": \"Broader\", \"pid\": 50, \"file\": {\"name\": \"vegetation.tif\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"leonard accent told/determine.sdf/vegetation.tif\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"traffic changes calm\", \"issuer\": \"give img nsw\", \"fingerprints\": [{\"value\": \"7245C357B5BE2E81CFA6582A9CEF4108E8E9BC9E4DA47D108C495262F1EE943BB741CFFE5FDDEE5B3AD441498918E714FF20108B4CDDEDE100B8AD003E7DDA73\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"created_time\": 1731399707900, \"serial_number\": \"blades mike seal\"}, \"algorithm\": \"Authenticode\", \"algorithm_id\": 4}, \"desc\": \"electronics charges gallery\", \"ext\": \"disorder agriculture anger\", \"type_id\": 1, \"company_name\": \"Billie Shawnee\", \"mime_type\": \"briefly/entirely\", \"parent_folder\": \"leonard accent told/determine.sdf\", \"created_time\": 1731399707900, \"hashes\": [{\"value\": \"0947FCC917EB1D3C89AD818BEB61E3B2C3CF3BBA\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": 
\"CEE604715F44D7CD732D46B9B349EC7911E55D19C6E598E8064B403337EB8F9EA9E58A34D42BA046D72E529215E7D8E2AB68DA5552324343DA54BF3220615F0A\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"modified_time\": 1731399707900}, \"user\": {\"name\": \"Markers\", \"type\": \"Unknown\", \"uid\": \"290a9f62-a0cf-11ef-b0c9-0242ac110007\", \"groups\": [{\"name\": \"foul administrative owns\", \"uid\": \"290aaa98-a0cf-11ef-a3a1-0242ac110007\"}, {\"name\": \"develop houston gamma\", \"uid\": \"290ab498-a0cf-11ef-80bd-0242ac110007\", \"privileges\": [\"shade bell link\", \"processor code ashley\"]}], \"type_id\": 0, \"account\": {\"type\": \"AWS Account\", \"uid\": \"290abf42-a0cf-11ef-a831-0242ac110007\", \"type_id\": 10}}, \"uid\": \"290ac5dc-a0cf-11ef-a78c-0242ac110007\", \"cmd_line\": \"studies un checking\", \"created_time\": 1731399707902, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"lineage\": [\"commodity config charges\", \"wikipedia las relatives\"], \"parent_process\": {\"name\": \"Eyed\", \"pid\": 59, \"user\": {\"name\": \"Louisiana\", \"type\": \"System\", \"uid\": \"290b1514-a0cf-11ef-9bd3-0242ac110007\", \"type_id\": 3, \"credential_uid\": \"290b1cbc-a0cf-11ef-8f91-0242ac110007\", \"risk_level\": \"Info\", \"risk_level_id\": 0}, \"uid\": \"290b241e-a0cf-11ef-89bc-0242ac110007\", \"cmd_line\": \"skins shipments proteins\", \"created_time\": 1731399707904, \"parent_process\": {\"name\": \"Almost\", \"pid\": 53, \"user\": {\"name\": \"Subscription\", \"type\": \"User\", \"domain\": \"lion aims yukon\", \"uid\": \"290b388c-a0cf-11ef-81e2-0242ac110007\", \"type_id\": 1}, \"uid\": \"290b3f44-a0cf-11ef-856f-0242ac110007\", \"cmd_line\": \"bidding lauren confusion\", \"created_time\": 1731399707905, \"parent_process\": {\"name\": \"Word\", \"pid\": 11, \"session\": {\"count\": 9, \"issuer\": \"practice attempt court\", \"created_time\": 1731399707905, \"is_remote\": true, \"is_vpn\": true}, \"file\": {\"attributes\": 44, \"name\": \"consistency.sln\", \"type\": 
\"Character Device\", \"version\": \"1.3.0\", \"path\": \"handbags camera urgent/forecast.gz/consistency.sln\", \"ext\": \"entity fe blocking\", \"type_id\": 3, \"parent_folder\": \"handbags camera urgent/forecast.gz\", \"hashes\": [{\"value\": \"6D17DA8FAF5A7C8BD04AFB00506B03897D0DE6A8D7B4EBD644B680ACB98A1CFE8924C0F11BCCA03BFC8D47BE350C1C8A20AF62D4E02D978CB8159FB2D49086A7\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"BE412112026B3DCAEC7BE421BA9D884A2FBC5C9795F336CCBD0E8C76BFF312AA3BAFBB4BA71F540A076F5C0D8189254B397357A086D5B86B7D794FDCE6FCCFC1\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"is_system\": true}, \"user\": {\"type\": \"Unknown\", \"uid\": \"290b69f6-a0cf-11ef-a847-0242ac110007\", \"type_id\": 0}, \"uid\": \"290b720c-a0cf-11ef-a98d-0242ac110007\", \"cmd_line\": \"fears demanding stewart\", \"created_time\": 1731399707906, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Kinds\", \"pid\": 63, \"session\": {\"uid\": \"290b83d2-a0cf-11ef-9629-0242ac110007\", \"uuid\": \"290b89cc-a0cf-11ef-89ef-0242ac110007\", \"issuer\": \"tray lying x\", \"created_time\": 1731399707907, \"is_remote\": true}, \"file\": {\"name\": \"concerns.cab\", \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"faq payable progressive/part.m3u/concerns.cab\", \"ext\": \"imported supplements prepaid\", \"type_id\": 3, \"mime_type\": \"garmin/popularity\", \"parent_folder\": \"faq payable progressive/part.m3u\", \"hashes\": [{\"value\": \"E8A5CF21ECCC4DB4DAAFDD5BD0140861637D937597AD8EE0246E0715031FE6BDABB4F5B16FDDCACD9722B57A18B46453B01D984E3D55292FB82825C3A06E516A\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"4B9E4636494461CF31094E9A16F456FE\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"user\": {\"type\": \"remarkable\", \"type_id\": 99, \"full_name\": \"Jennell Sidney\", \"email_addr\": \"Clayton@scanned.travel\", \"ldap_person\": {\"location\": {\"desc\": \"Monaco, Principality 
of\", \"city\": \"Phil clarity\", \"country\": \"MC\", \"coordinates\": [113.7672, 53.7852], \"continent\": \"Europe\"}, \"given_name\": \"rachel trio electronics\", \"ldap_cn\": \"accessory fancy shelter\"}}, \"uid\": \"290babfa-a0cf-11ef-a1ee-0242ac110007\", \"cmd_line\": \"tuner clara concepts\", \"created_time\": 1731399707908, \"integrity\": \"boxes x day\", \"parent_process\": {\"name\": \"Animated\", \"pid\": 43, \"file\": {\"name\": \"pgp.rom\", \"type\": \"Symbolic Link\", \"path\": \"percent obtaining influenced/liked.bmp/pgp.rom\", \"signature\": {\"digest\": {\"value\": \"0A6CFE12D4BE13BD525E0097949ED52B4E032606B7BF98076581F2189F23342568BE12B631EF1F25F82E1979FC852ECA24E8A38B319B071638C3153E4DA60740\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"certificate\": {\"version\": \"1.3.0\", \"uid\": \"290bcd06-a0cf-11ef-8f86-0242ac110007\", \"is_self_signed\": true, \"subject\": \"brilliant follow county\", \"issuer\": \"suppliers workout deposit\", \"fingerprints\": [{\"value\": \"03114C6B1064C1C04AE3C88FA18F582A2228B88A7786BBFCBCE275DED7A5C23A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"F07D26D3B025D5EF30B38458926092E990C3B6F0BE1A23B561D778E8467319E0444B2425FDEDB91121554B8641B06B3654426F63C9C0435C6487571DC9AE0FC5\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"created_time\": 1731399707908, \"expiration_time\": 1731399707909, \"serial_number\": \"hazard compaq emirates\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time\": 1731399707909}, \"type_id\": 7, \"accessor\": {\"name\": \"Athletes\", \"type\": \"System\", \"uid\": \"290bdfe4-a0cf-11ef-88a6-0242ac110007\", \"org\": {\"name\": \"publicity porsche shoulder\", \"uid\": \"290bebf6-a0cf-11ef-bcbf-0242ac110007\", \"ou_name\": \"wins separate lemon\"}, \"groups\": [{\"name\": \"jose quotes toolbar\", \"uid\": \"290c038e-a0cf-11ef-beec-0242ac110007\"}], \"type_id\": 3, \"email_addr\": \"Sherry@machinery.store\", \"risk_level\": \"Low\", 
\"risk_level_id\": 1, \"risk_score\": 25}, \"company_name\": \"Lashell Vincent\", \"mime_type\": \"representing/lee\", \"parent_folder\": \"percent obtaining influenced/liked.bmp\", \"hashes\": [{\"value\": \"E2F3E36EA43BA45AB3503CED0A944CD1A950065C\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"37DB034AE21206C4451CA1E72F6D031F77B7D0A27FF50009CFBECB868E7DE5C6\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"october surrey en\"}, \"uid\": \"290c11c6-a0cf-11ef-90cb-0242ac110007\", \"cmd_line\": \"wires wheels mf\", \"created_time\": 1731399707910, \"parent_process\": {\"name\": \"Petite\", \"pid\": 26, \"file\": {\"name\": \"difficulty.deskthemepack\", \"owner\": {\"name\": \"Costa\", \"type\": \"Unknown\", \"uid\": \"290c33c2-a0cf-11ef-87c6-0242ac110007\", \"type_id\": 0, \"ldap_person\": {\"manager\": {\"name\": \"Genetics\", \"type\": \"User\", \"domain\": \"gotta shades electron\", \"type_id\": 1, \"account\": {\"name\": \"hood consortium conversion\", \"type\": \"Windows Account\", \"uid\": \"290c4970-a0cf-11ef-8a6a-0242ac110007\", \"labels\": [\"dose\"], \"type_id\": 2}, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"created_time\": 1731399707912, \"job_title\": \"bestsellers exactly diffs\", \"leave_time\": 1731399707912, \"surname\": \"responded pasta killed\"}}, \"type\": \"Symbolic Link\", \"path\": \"dimensions achieving ordinary/painting.sys/difficulty.deskthemepack\", \"product\": {\"name\": \"implications pizza christmas\", \"version\": \"1.3.0\", \"uid\": \"290c597e-a0cf-11ef-b883-0242ac110007\", \"vendor_name\": \"amateur faith fell\"}, \"uid\": \"290c6086-a0cf-11ef-90f6-0242ac110007\", \"ext\": \"transexuales sas operate\", \"type_id\": 7, \"accessor\": {\"name\": \"Giants\", \"type\": \"System\", \"domain\": \"pressure girl facility\", \"uid\": \"290c722e-a0cf-11ef-b5e2-0242ac110007\", \"type_id\": 3, \"full_name\": \"Marcene Goldie\", \"risk_score\": 35}, \"parent_folder\": \"dimensions achieving 
ordinary/painting.sys\", \"confidentiality\": \"Restricted\", \"confidentiality_id\": 6, \"created_time\": 1731399707913, \"hashes\": [{\"value\": \"B7B6604452EAF6AB6947459B4FA35CDFDCA39605BF415F77DDD90B47B7AE74ACC2BD0AB274FFC18792A7B43A7EE661EA8098EA69E1D0483392690A4D0BFFA60D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": true, \"xattributes\": {}}, \"user\": {\"type\": \"eau\", \"domain\": \"meaning feedback jan\", \"uid\": \"290c8624-a0cf-11ef-97f7-0242ac110007\", \"type_id\": 99, \"credential_uid\": \"290c8e30-a0cf-11ef-9434-0242ac110007\"}, \"created_time\": 1731399707913, \"parent_process\": {\"name\": \"Yards\", \"pid\": 15, \"file\": {\"name\": \"williams.xhtml\", \"type\": \"Folder\", \"path\": \"thailand diameter love/rachel.java/williams.xhtml\", \"signature\": {\"state\": \"diffs seasons conflicts\", \"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"ethernet suitable brandon\", \"issuer\": \"optimization earliest differently\", \"fingerprints\": [{\"value\": \"BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"DEE5E5BE829C1FF9E773E27CDA4A8960CAB5C8A6F392DA6ACCBACB430B13B9BC64822221325357EAA87B60D5F4474090332CD89561EBEC061294834301DF9AE9\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1731399707914, \"expiration_time\": 1731399707914, \"serial_number\": \"photographer tax up\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"uid\": \"290cc5f8-a0cf-11ef-92a0-0242ac110007\", \"ext\": \"alien cafe barriers\", \"type_id\": 2, \"parent_folder\": \"thailand diameter love/rachel.java\", \"confidentiality\": \"Private\", \"confidentiality_id\": 5, \"hashes\": [{\"value\": \"2B831F21DC87C2B301C73A0ACE1A47E607F1C5210E766355BD25B4E47948BBB20B677EE6C92C70765B352A0CCC29C89AB8D8D3489DEE0CCD7EDE26C6BDF6508F\", \"algorithm\": \"TLSH\", 
\"algorithm_id\": 6}], \"security_descriptor\": \"se diabetes vitamin\"}, \"user\": {\"name\": \"Caps\", \"type\": \"System\", \"uid\": \"290cd5ca-a0cf-11ef-80bf-0242ac110007\", \"type_id\": 3, \"full_name\": \"Eve Roger\", \"account\": {\"name\": \"clearing deviant confidential\", \"type\": \"Apple Account\", \"uid\": \"290ce038-a0cf-11ef-8ee9-0242ac110007\", \"type_id\": 8}, \"email_addr\": \"Renda@antivirus.int\", \"uid_alt\": \"forced jvc archives\"}, \"uid\": \"290ce786-a0cf-11ef-9fc4-0242ac110007\", \"cmd_line\": \"reuters revolution thermal\", \"created_time\": 1731399707916, \"lineage\": [\"settled household february\", \"countries implemented chinese\"], \"parent_process\": {\"name\": \"Unions\", \"pid\": 41, \"file\": {\"name\": \"groups.part\", \"size\": 2002602281, \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"alice gnome diploma/consent.tex/groups.part\", \"product\": {\"name\": \"useful yen synopsis\", \"version\": \"1.3.0\", \"uid\": \"290d29f8-a0cf-11ef-a1a1-0242ac110007\", \"feature\": {\"name\": \"spider victor principle\", \"version\": \"1.3.0\", \"uid\": \"290d3420-a0cf-11ef-bd6a-0242ac110007\"}, \"url_string\": \"disagree\", \"vendor_name\": \"ist covered rock\"}, \"uid\": \"290d3b32-a0cf-11ef-bdef-0242ac110007\", \"ext\": \"glory regards somewhere\", \"type_id\": 3, \"company_name\": \"Melida Rosina\", \"parent_folder\": \"alice gnome diploma/consent.tex\", \"accessed_time\": 1731399707918, \"confidentiality\": \"Restricted\", \"confidentiality_id\": 6, \"hashes\": [{\"value\": \"A07C6F758C9EF024F836E2C0BD10FE9C43126081A22D73DD8040D8D179B10DEBE3BC9356500F5C7F0BA87256EFA37A673C190A0AC6F0BFC0529F9FC303878B00\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"security_descriptor\": \"isa action je\"}, \"user\": {\"name\": \"Messaging\", \"type\": \"System\", \"uid\": \"290d4c1c-a0cf-11ef-8059-0242ac110007\", \"type_id\": 3, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"uid\": \"290d52b6-a0cf-11ef-9425-0242ac110007\", 
\"cmd_line\": \"rent seed gentleman\", \"created_time\": 1731399707918, \"lineage\": [\"pockets sponsor exactly\", \"disability syntax print\"], \"parent_process\": {\"name\": \"Corrections\", \"pid\": 10, \"file\": {\"name\": \"groove.xlsx\", \"owner\": {\"name\": \"February\", \"type\": \"User\", \"uid\": \"290d70de-a0cf-11ef-86d6-0242ac110007\", \"type_id\": 1, \"credential_uid\": \"290d775a-a0cf-11ef-afe6-0242ac110007\", \"email_addr\": \"Helena@songs.net\", \"risk_level\": \"High\", \"risk_level_id\": 3}, \"type\": \"Folder\", \"version\": \"1.3.0\", \"path\": \"announces contamination leisure/bits.kml/groove.xlsx\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"uid\": \"290d9a32-a0cf-11ef-b46e-0242ac110007\", \"is_self_signed\": false, \"subject\": \"conferences kingdom charge\", \"issuer\": \"characterization relatively cas\", \"fingerprints\": [{\"value\": \"90F747EBF0E276407987570F6D39812AC53223E174E41CEDDD291A5F7136E3A6BEF9257C3C73FE3B92D5149E8E1C1BE08A61940CEB8AF03510E22E0492752C18\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"63C326C6244EB0474D3008256E1217754BD2B836E98C247D0A19A57BF2AB18C7FF3D6BF574DB7E31FED2EEC3DA9B7CB69EDDD8DC256FEB8D5E822F176D8444A9\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1731399707920, \"expiration_time\": 1731399707920, \"serial_number\": \"seed stupid slide\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2, \"developer_uid\": \"290da806-a0cf-11ef-a0a5-0242ac110007\"}, \"ext\": \"retired penn graduated\", \"type_id\": 2, \"parent_folder\": \"announces contamination leisure/bits.kml\", \"hashes\": [{\"value\": \"2A7F70F5957828EEA5C62064B4EB2A32561EB5B3003D729F2605228F225A85EF528EF7666F79B2810432D7E39CB959670A2EA9B1EDEB258E107F47E68D114FEC\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707921}, \"user\": {\"name\": \"Diagram\", \"type\": \"System\", \"domain\": \"existing jun treasury\", \"uid\": 
\"290db904-a0cf-11ef-aa9a-0242ac110007\", \"org\": {\"name\": \"coding maria scenarios\", \"uid\": \"290dc340-a0cf-11ef-9323-0242ac110007\"}, \"type_id\": 3, \"risk_score\": 79}, \"uid\": \"290dca20-a0cf-11ef-b98e-0242ac110007\", \"cmd_line\": \"mechanical estimates again\", \"created_time\": 1731399707921, \"parent_process\": {\"name\": \"Tabs\", \"pid\": 55, \"session\": {\"uid\": \"290deae6-a0cf-11ef-b636-0242ac110007\", \"issuer\": \"rat employer stadium\", \"created_time\": 1731399707922, \"credential_uid\": \"290df4e6-a0cf-11ef-9290-0242ac110007\", \"expiration_time\": 1731399707922, \"is_remote\": true, \"is_vpn\": true}, \"file\": {\"name\": \"integral.cpl\", \"owner\": {\"type\": \"sphere\", \"domain\": \"entirely gale inc\", \"type_id\": 99, \"account\": {\"name\": \"suits kim intellectual\", \"type\": \"AWS IAM User\", \"uid\": \"290e0f3a-a0cf-11ef-92a9-0242ac110007\", \"type_id\": 3}, \"risk_level\": \"carpet diamond departure\", \"uid_alt\": \"meta spank counts\"}, \"size\": 3671310304, \"type\": \"Symbolic Link\", \"path\": \"normal holds match/terrible.iso/integral.cpl\", \"modifier\": {\"name\": \"Acids\", \"type\": \"typing\", \"type_id\": 99}, \"uid\": \"290e1bec-a0cf-11ef-a719-0242ac110007\", \"ext\": \"stated smooth principles\", \"type_id\": 7, \"company_name\": \"Jeremiah Sonny\", \"parent_folder\": \"normal holds match/terrible.iso\", \"hashes\": [{\"value\": \"C449C98FCC2EDC7FE87FAF3FEF6C9D3F5499ACDC3BAC774F19D7B447B333103DCFED31CCAC83F9EE9D1E9601282E92EDA75DAEA8140D8C7EB9220338803C8D6E\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}]}, \"user\": {\"name\": \"Reduce\", \"type\": \"Admin\", \"domain\": \"preceding expressions your\", \"uid\": \"290e30c8-a0cf-11ef-8f59-0242ac110007\", \"groups\": [{\"name\": \"struggle photoshop walking\", \"desc\": \"sleep quoted able\", \"uid\": \"290e3b2c-a0cf-11ef-b7cf-0242ac110007\"}, {\"name\": \"ethiopia evaluate lover\", \"desc\": \"partition sound composition\"}], \"type_id\": 2, \"full_name\": 
\"Marisha Wesley\", \"ldap_person\": {\"cost_center\": \"spank universal techniques\", \"deleted_time\": 1731399707924, \"ldap_cn\": \"sight tale town\", \"leave_time\": 1731399707924, \"modified_time\": 1731399707924}}, \"uid\": \"290e4748-a0cf-11ef-8355-0242ac110007\", \"cmd_line\": \"flower arrest reveal\", \"created_time\": 1731399707925, \"parent_process\": {\"name\": \"Dip\", \"pid\": 99, \"session\": {\"uid\": \"290e5cb0-a0cf-11ef-8142-0242ac110007\", \"uuid\": \"290e63f4-a0cf-11ef-942e-0242ac110007\", \"issuer\": \"spirits up oral\", \"expiration_time\": 1731399707925, \"is_mfa\": false, \"is_remote\": true}, \"file\": {\"name\": \"fantasy.m4v\", \"owner\": {\"name\": \"Worse\", \"type\": \"User\", \"uid\": \"290e7628-a0cf-11ef-8429-0242ac110007\", \"groups\": [{\"name\": \"pierce deutschland scout\", \"type\": \"sacred mongolia edt\", \"uid\": \"290e8712-a0cf-11ef-b60b-0242ac110007\"}], \"type_id\": 1, \"full_name\": \"Tomika Renato\"}, \"type\": \"Regular File\", \"path\": \"approaches malpractice basics/lifetime.dxf/fantasy.m4v\", \"desc\": \"loops charm mpegs\", \"ext\": \"pork picked investigations\", \"type_id\": 1, \"parent_folder\": \"approaches malpractice basics/lifetime.dxf\", \"accessed_time\": 1731399707926, \"confidentiality\": \"subjective\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"DB1A6CE0E4C6F3924C7CCA74924F4B0EF8BC0031\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"2B9A99087B9991B5EAD9406E2CAC8DA385815E6C3FA4DA96E1487782280E8E82FDBD3536F85994E271610D72C5A62E6F027E0CD37DA05806289882A1440BD441\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"xattributes\": {}}, \"user\": {\"name\": \"Expects\", \"type\": \"System\", \"domain\": \"blade keith manga\", \"uid\": \"290e9ba8-a0cf-11ef-9a18-0242ac110007\", \"type_id\": 3, \"account\": {\"name\": \"swedish ol flexible\", \"type\": \"GCP Account\", \"uid\": \"290ea6ca-a0cf-11ef-9b3b-0242ac110007\", \"type_id\": 5}, \"risk_level\": \"world feelings 
championships\"}, \"uid\": \"290eadbe-a0cf-11ef-9668-0242ac110007\", \"cmd_line\": \"iowa gear scheduling\", \"created_time\": 1731399707927, \"integrity\": \"Medium\", \"integrity_id\": 3, \"lineage\": [\"maximize associations reynolds\"], \"parent_process\": {\"name\": \"Themes\", \"pid\": 45, \"file\": {\"name\": \"designers.rpm\", \"type\": \"Named Pipe\", \"path\": \"votes year mice/fort.gpx/designers.rpm\", \"uid\": \"290edaaa-a0cf-11ef-aa5d-0242ac110007\", \"ext\": \"keyboards yet ask\", \"type_id\": 6, \"mime_type\": \"motorola/patrick\", \"parent_folder\": \"votes year mice/fort.gpx\", \"created_time\": 1731399707928, \"hashes\": [{\"value\": \"02FA8D46FB2AC65EE42912604250A146AF74C6B8CFF1ACD09BC5F460FB9850CAD2674F76F982ED052C78D178196ED4C10256E2BC50E191DBB82F625CAD071090\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"BA1DB3B5141AA0FBF3DD4F6839F49B0B88809121634B4BB39272A838924DDEA2E4D1EBDB9E5F8F8AD90243DBD2A7D2D5497D828BD12E5590FB27483AA1287CD3\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707928}, \"user\": {\"name\": \"Ongoing\", \"uid\": \"290ee9a0-a0cf-11ef-ac76-0242ac110007\", \"credential_uid\": \"290ef076-a0cf-11ef-adb8-0242ac110007\"}, \"tid\": 6, \"uid\": \"290ef99a-a0cf-11ef-a3ec-0242ac110007\", \"cmd_line\": \"correction weapon gaming\", \"created_time\": 1731399707929, \"parent_process\": {\"name\": \"Voyeurweb\", \"pid\": 45, \"file\": {\"name\": \"varied.php\", \"type\": \"Named Pipe\", \"path\": \"mba francis sony/tend.xml/varied.php\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": true, \"subject\": \"undo nickname stay\", \"issuer\": \"yugoslavia how precisely\", \"fingerprints\": [{\"value\": \"BD87A5FFC4117A0F11094CA6BA6A838013BE215959B7358980553B0360822DD67CACADAFA42D71AB48C4EA3EED5F2491D079661CEB0A7694FFA439EB7743CC04\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": 
\"4194D1706ED1F408D5E02D672777019F4D5385C766A8C6CA8ACBA3167D36A7B9\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1731399707930, \"expiration_time\": 1731399707930, \"serial_number\": \"extraction cabin lions\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time\": 1731399707930}, \"ext\": \"nicholas doing fraud\", \"type_id\": 6, \"mime_type\": \"nextel/himself\", \"parent_folder\": \"mba francis sony/tend.xml\", \"hashes\": [{\"value\": \"21EA6263C16406DFC344CF7CB2A129B97FD2ECF367C828208CBBEDA6599B989F6C2C3DCB1BDF581ABC97201CF64FFBC0D7415F00564F6D80A92C7FFE7037894C\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"7ED6BDBCCADC1CB9DFEA88CA33B6A9346EAE030FF7E9FADD4C23359C0EA7390D\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"islands interventions removable\", \"xattributes\": {}}, \"user\": {\"name\": \"Soldier\", \"type\": \"User\", \"uid\": \"290f2596-a0cf-11ef-8caf-0242ac110007\", \"type_id\": 1, \"account\": {\"name\": \"ford doug cigarette\", \"type\": \"Mac OS Account\", \"uid\": \"290f3090-a0cf-11ef-9ad3-0242ac110007\", \"type_id\": 7}}, \"uid\": \"290f36e4-a0cf-11ef-bdab-0242ac110007\", \"cmd_line\": \"generally alberta anthropology\", \"created_time\": 1731399707931, \"parent_process\": {\"name\": \"Spirits\", \"pid\": 86, \"file\": {\"name\": \"flights.flv\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"str inner working/pose.h/flights.flv\", \"ext\": \"general became bermuda\", \"type_id\": 1, \"parent_folder\": \"str inner working/pose.h\", \"hashes\": [{\"value\": \"DC684E0A948E820C9B32AE34F0E147CCCAEAB3646C95D1FBF6E5EA257B9107251945EB892CD81A3750D89799ADF86C76382C60E73A85B10D110CE39164882C8F\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"CCD823CAF8108F62C012B02D4C233DA76EACF9FDEA959B9DD909ADF1ECC01BD5F184FC7904184E5A6F296850D7102AAF79E8606629B877723DEC951A67E1B193\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], 
\"modified_time\": 1731399707932}, \"uid\": \"290f6ac4-a0cf-11ef-bc5e-0242ac110007\", \"cmd_line\": \"sense terrorism hl\", \"created_time\": 1731399707932, \"parent_process\": {\"name\": \"Moving\", \"pid\": 43, \"file\": {\"attributes\": 25, \"name\": \"comparison.pages\", \"owner\": {\"name\": \"Infringement\", \"type\": \"User\", \"uid\": \"290f864e-a0cf-11ef-9828-0242ac110007\", \"groups\": [{\"name\": \"coordinate registration browse\", \"desc\": \"attorney ya walked\", \"uid\": \"290f974c-a0cf-11ef-a918-0242ac110007\"}], \"type_id\": 1, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 55, \"uid_alt\": \"licenses cir vacancies\"}, \"type\": \"Unknown\", \"path\": \"lows fc focusing/canvas.pptx/comparison.pages\", \"modifier\": {\"type\": \"User\", \"uid\": \"290fa3ea-a0cf-11ef-b1b2-0242ac110007\", \"groups\": [{\"name\": \"bedroom positions win\", \"desc\": \"amazon feof extras\", \"uid\": \"290fae44-a0cf-11ef-9db8-0242ac110007\"}, {\"name\": \"came swingers colon\", \"uid\": \"290fb646-a0cf-11ef-b3ed-0242ac110007\"}], \"type_id\": 1, \"ldap_person\": {\"employee_uid\": \"290fc050-a0cf-11ef-aac9-0242ac110007\", \"job_title\": \"constitutional ricky jonathan\", \"ldap_dn\": \"marketplace ranch counting\"}, \"risk_score\": 0, \"uid_alt\": \"riding indicate wiley\"}, \"ext\": \"specification cialis inherited\", \"type_id\": 0, \"parent_folder\": \"lows fc focusing/canvas.pptx\", \"confidentiality\": \"engineers families bull\", \"hashes\": [{\"value\": \"F081F7B8D4310E67A7572F60B6070A3034D5F1AE1465B3FE4F8DAFCA9213A0E3\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"EAF741D48E0F26CA709BF17829C53A65D420FBD1F01B0F87BDE25230F1FF332E3D2BE89488F8277FA4B22FF53CC04FF382B19F42B7AC34C3EA5A0C0A89B19FCA\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Worn\", \"type\": \"Admin\", \"domain\": \"threatening parks application\", \"uid\": \"290fd5fe-a0cf-11ef-ab0d-0242ac110007\", \"type_id\": 2, \"risk_level\": 
\"High\", \"risk_level_id\": 3}, \"uid\": \"290fde14-a0cf-11ef-9211-0242ac110007\", \"loaded_modules\": [\"/yacht/payday/singer/stretch/hungry.heic\", \"/fa/bumper/represents/studio/shipments.ttf\"], \"cmd_line\": \"shopping appendix deluxe\", \"created_time\": 1731399707935, \"terminated_time\": 1731399707935}, \"xattributes\": {}}, \"xattributes\": {}}, \"terminated_time\": 1731399707935}}, \"terminated_time\": 1731399707935}}}, \"terminated_time\": 1731399707935}, \"sandbox\": \"snowboard lookup done\"}}}}, \"sandbox\": \"broke alternatives excessive\", \"xattributes\": {}}, \"sandbox\": \"mba ambassador shopping\"}}, \"terminated_time\": 1731399707935}}, \"user\": {\"name\": \"Hearing\", \"type\": \"Admin\", \"domain\": \"thinking answered refurbished\", \"uid\": \"290fefee-a0cf-11ef-ba87-0242ac110007\", \"type_id\": 2, \"ldap_person\": {\"email_addrs\": [\"Melodee@automotive.mobi\", \"Lulu@baby.name\"], \"employee_uid\": \"290ffac0-a0cf-11ef-a362-0242ac110007\", \"leave_time\": 1731399707936, \"office_location\": \"podcast cds lloyd\"}, \"risk_level\": \"Low\", \"risk_level_id\": 1, \"risk_score\": 22}}, \"severity_id\": 3, \"status_code\": \"present\", \"status_detail\": \"shade accidents alice\", \"status_id\": 2, \"win_service\": {\"name\": \"balance pgp seasonal\", \"version\": \"1.3.0\", \"uid\": \"29101582-a0cf-11ef-a560-0242ac110007\", \"cmd_line\": \"honduras usa fact\", \"service_dependencies\": [\"enhancements occupations cause\", \"sw verification promotion\"], \"service_start_type\": \"Auto\", \"service_start_type_id\": 3, \"service_start_name\": \"golden thumbs crest\"}}", + "event": { + "action": "stop", + "category": [], + "outcome": "failure", + "provider": "foo canada biodiversity", + "reason": "gear technologies garlic", + "severity": 3, + "start": "2024-11-12T08:21:47.936000Z", + "type": [] + }, + "@timestamp": "2024-11-12T08:21:47.936000Z", + "file": { + "directory": "vg tunisia river/favorite.wsf", + "hash": { + "sha1": 
"9280AE13A255F18D841739D0D18222BB950C8FC7" + }, + "name": "developmental.otf", + "path": "vg tunisia river/favorite.wsf/developmental.otf", + "type": "Regular File" + }, + "host": { + "id": "29092d44-a0cf-11ef-8baa-0242ac110007", + "risk": { + "static_level": "Critical" + }, + "type": "IDS" + }, + "ocsf": { + "activity_id": 4, + "activity_name": "Stop", + "class_name": "Windows Service Activity", + "class_uid": 201004, + "process": { + "parent": { + "user": { + "full_name": "Roland Nichol" + } + }, + "user": { + "domain": "tuition gst cheese", + "full_name": "Lynsey Sherise", + "groups": [ + { + "name": "overview friendly ul" + } + ] + } + } + }, + "process": { + "command_line": "hdtv il murder", + "entity_id": "2909c8d0-a0cf-11ef-82af-0242ac110007", + "name": "Don", + "parent": { + "command_line": "bull retailers sensitivity", + "end": "2024-11-12T08:21:47.935000Z", + "entity_id": "290a756e-a0cf-11ef-86a9-0242ac110007", + "name": "Indoor", + "pid": 29, + "start": "2024-11-12T08:21:47.900000Z", + "user": { + "id": [ + "290a520a-a0cf-11ef-a44f-0242ac110007" + ], + "name": "Asian" + } + }, + "pid": 38, + "start": "2024-11-12T08:21:47.895000Z", + "user": { + "id": [ + "2909b99e-a0cf-11ef-946c-0242ac110007" + ], + "name": "Journal" + } + }, + "related": { + "hash": [ + "9280AE13A255F18D841739D0D18222BB950C8FC7" + ], + "user": [ + "Hearing" + ] + }, + "user": { + "domain": "thinking answered refurbished", + "id": "290fefee-a0cf-11ef-ba87-0242ac110007", + "name": "Hearing" + } + } + + ``` + + === "test_account_change_1.json" ```json 
@@ -1914,7 +2362,6 @@ The following table lists the fields that are extracted, normalized under the EC |`source.geo.city_name` | `keyword` | City name. | |`source.geo.continent_name` | `keyword` | Name of the continent. | |`source.geo.country_iso_code` | `keyword` | Country ISO code. | -|`source.geo.location` | `geo_point` | Longitude and latitude. | |`source.geo.name` | `keyword` | User-defined description of a location. | |`source.geo.postal_code` | `keyword` | Postal code. | |`source.geo.region_iso_code` | `keyword` | Region ISO code. | diff --git a/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5_sample.md b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5_sample.md index 54b92259fa..1eeabf23bf 100644 --- a/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5_sample.md +++ b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5_sample.md 
@@ -4,6 +4,2715 @@ In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. +=== "generated_file_remediation_activity_1" + + + ```json + { + "status": "Does Not Exist", + "time": 1731328594225, + "file": { + "name": "html.pkg", + "type": "Local Socket", + "version": "1.3.0", + "path": "canyon upgrading wool/marco.fla/html.pkg", + "ext": "honest borough graduated", + "type_id": 5, + "mime_type": "pr/anything", + "parent_folder": "canyon upgrading wool/marco.fla", + "confidentiality": "prisoner fought submission", + "hashes": [ + { + "value": "BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878", + "algorithm": "CTPH", + "algorithm_id": 5 + } + ], + "xattributes": {} + }, + "metadata": { + "version": "1.3.0", + "product": { + "name": "older bangladesh caused", + "version": "1.3.0", + "lang": "en", + "cpe_name": "m ryan proof", + "url_string": "web", + "vendor_name": "directed villas incorrect" + }, + "labels": [ + "range", + "mild" + ], + "profiles": [], + "event_code": "ethnic", + "log_name": "wisconsin scenes croatia", + "log_provider": "consolidated month mil", + "logged_time": 1731328594209, + "loggers": [ + { + "name": "generated dale subsection", + "version": "1.3.0", + "device": { + "owner": { + "name": "Chapter", + "type": "User", + "uid": "95fb04dc-a029-11ef-9566-0242ac110007", + "type_id": 1, + "risk_level": "Info", + "risk_level_id": 0 + }, + "type": "IOT", + "os": { + "name": "polls knew problem", + "type": "Windows", + "type_id": 100, + "cpe_name": "architects letting hay" + }, + "desc": "tradition automated mysql", + "hostname": "meters.edu", + "uid": "95faf0a0-a029-11ef-a3c0-0242ac110007", + "image": { + "name": "ace tracy 
webshots", + "path": "joined also europe", + "uid": "95fbbb16-a029-11ef-9965-0242ac110007" + }, + "groups": [ + { + "uid": "95faa5fa-a029-11ef-b64e-0242ac110007" + } + ], + "type_id": 7, + "imei": "summary ieee rated", + "interface_name": "marsh shopper guides", + "interface_uid": "95fa9074-a029-11ef-931d-0242ac110007", + "region": "accepting sword tab", + "risk_level": "High", + "risk_level_id": 3, + "risk_score": 4, + "zone": "ability footage nt" + }, + "product": { + "name": "quote licence channel", + "version": "1.3.0", + "uid": "95fc351e-a029-11ef-87b2-0242ac110007", + "feature": { + "name": "adequate drainage dear", + "version": "1.3.0", + "uid": "95fc4cd4-a029-11ef-9a35-0242ac110007" + }, + "url_string": "makes", + "vendor_name": "hybrid licensing faster" + }, + "uid": "95fc5602-a029-11ef-9902-0242ac110007", + "log_name": "vegas cave greatly", + "log_provider": "ieee cancer pharmaceuticals", + "logged_time": 1731328594222 + }, + { + "name": "hostels given kill", + "version": "1.3.0", + "product": { + "name": "css ks demonstrate", + "version": "1.3.0", + "uid": "95fc6b06-a029-11ef-b5a5-0242ac110007", + "lang": "en", + "url_string": "alternatives", + "vendor_name": "television preventing blades" + }, + "uid": "95fc72c2-a029-11ef-994a-0242ac110007", + "log_provider": "alignment free mines", + "logged_time": 1731328594222 + } + ], + "original_time": "drill blogs lemon", + "processed_time": 1731328594222, + "tenant_uid": "95fc7d12-a029-11ef-bfaa-0242ac110007" + }, + "severity": "illustrations", + "duration": 559843632, + "category_uid": 7, + "activity_id": 2, + "type_uid": 700202, + "type_name": "File Remediation Activity: Evict", + "observables": [ + { + "name": "chen architects purchased", + "type": "File", + "type_id": 24 + }, + { + "name": "controlling sublime bp", + "type": "URL String", + "type_id": 6 + } + ], + "category_name": "Remediation", + "class_uid": 7002, + "class_name": "File Remediation Activity", + "timezone_offset": 58, + "activity_name": 
"Evict", + "command_uid": "95fcdc6c-a029-11ef-acb7-0242ac110007", + "countermeasures": [ + { + "version": "1.3.0", + "d3f_tactic": { + "uid": "95fc9ff4-a029-11ef-8605-0242ac110007" + }, + "d3f_technique": { + "name": "determine wanting pursuant" + } + }, + { + "version": "1.3.0", + "d3f_tactic": { + "uid": "95fcb016-a029-11ef-9ed4-0242ac110007" + }, + "d3f_technique": { + "name": "cw drama their", + "uid": "95fcbd7c-a029-11ef-ba3c-0242ac110007", + "src_url": "organize" + } + } + ], + "enrichments": [ + { + "data": "cluster", + "name": "settlement ia sega", + "type": "surfaces registrar sizes", + "value": "seq excuse nearest", + "created_time": 1731328594225, + "provider": "lesson prev champion", + "reputation": { + "base_score": 15.2963, + "provider": "northern prep older", + "score": "May not be Safe", + "score_id": 5 + }, + "short_desc": "travel glasses agencies", + "src_url": "fly" + }, + { + "data": "mpegs", + "name": "mentor glasgow mistress", + "type": "email newest household", + "value": "vpn tape med", + "created_time": 1731328594225, + "short_desc": "anything fatty capital", + "src_url": "saint" + } + ], + "severity_id": 99, + "status_detail": "mistake schedule propecia", + "status_id": 3 + } + ``` + + + +=== "generated_file_remediation_activity_2" + + + ```json + { + "message": "oils tissue non", + "status": "bottle threads desktop", + "time": 1731328621430, + "file": { + "attributes": 77, + "name": "panama.jsp", + "type": "Unknown", + "version": "1.3.0", + "path": "sage petite tracy/supplement.deskthemepack/panama.jsp", + "signature": { + "certificate": { + "version": "1.3.0", + "is_self_signed": false, + "issuer": "shaw further heaven", + "fingerprints": [ + { + "value": "25CF2FBFB6A4C58B9886BFD82A9D9D32976450F5B95B193B1F8F91071FCE9032", + "algorithm": "magic", + "algorithm_id": 99 + } + ], + "created_time": 1731328621426, + "expiration_time": 1731328621426, + "serial_number": "museum every fa" + }, + "algorithm": "Unknown", + "algorithm_id": 0 + }, + 
"desc": "sims faculty argue", + "uid": "a6338964-a029-11ef-9cb6-0242ac110007", + "type_id": 0, + "parent_folder": "sage petite tracy/supplement.deskthemepack", + "accessed_time": 1731328621427, + "hashes": [ + { + "value": "1051E22C1288CD1DD4B35D7D119F9D9E764B37C2050E8086C3F8AADBE48E8459", + "algorithm": "magic", + "algorithm_id": 99 + }, + { + "value": "2A598E60AFB25F3005C1949A4AE28E75A5E24C34375D709852748D46D50E19DBF4AD93722613E77084B214B0C8F931F2EFF7B1AA9AF17B97F3D50770D0C328DB", + "algorithm": "quickXorHash", + "algorithm_id": 7 + } + ], + "xattributes": {} + }, + "metadata": { + "version": "1.3.0", + "extension": { + "name": "determine italia plenty", + "version": "1.3.0", + "uid": "a6331254-a029-11ef-a2ea-0242ac110007" + }, + "product": { + "name": "board actor feels", + "version": "1.3.0", + "uid": "a6334788-a029-11ef-8ba2-0242ac110007", + "vendor_name": "resume himself vitamin" + }, + "uid": "a63350e8-a029-11ef-91d8-0242ac110007", + "profiles": [], + "correlation_uid": "a63357c8-a029-11ef-a1d1-0242ac110007", + "log_name": "movements amazing murphy", + "log_provider": "suggests assure sacred", + "original_time": "narrative shed quit", + "tenant_uid": "a63361a0-a029-11ef-b41a-0242ac110007" + }, + "severity": "Medium", + "category_uid": 7, + "activity_id": 4, + "type_uid": 700204, + "type_name": "File Remediation Activity: Harden", + "observables": [ + { + "name": "font earlier construction", + "type": "Hash", + "type_id": 8 + }, + { + "name": "outdoors de otherwise", + "type": "Unknown", + "type_id": 0 + } + ], + "category_name": "Remediation", + "class_uid": 7002, + "class_name": "File Remediation Activity", + "timezone_offset": 94, + "activity_name": "Harden", + "command_uid": "a6340542-a029-11ef-ab83-0242ac110007", + "countermeasures": [ + { + "version": "1.3.0", + "d3f_tactic": { + "uid": "a633df68-a029-11ef-b6df-0242ac110007" + }, + "d3f_technique": { + "name": "tgp adrian reject", + "uid": "a633ef26-a029-11ef-ae66-0242ac110007", + "src_url": 
"productions" + } + } + ], + "severity_id": 3, + "status_code": "lover", + "status_detail": "declared chassis nominations" + } + ``` + + + +=== "generated_file_remediation_activity_3" + + + ```json + { + "message": "baker testimonials approx", + "status": "Error", + "time": 1731328627583, + "file": { + "attributes": 65, + "name": "brazilian.tar.gz", + "owner": { + "name": "Enrolled", + "type": "Unknown", + "uid": "a9de1552-a029-11ef-9be5-0242ac110007", + "type_id": 0, + "credential_uid": "a9de21c8-a029-11ef-a4ce-0242ac110007", + "uid_alt": "camel license fl" + }, + "type": "Regular File", + "path": "violin economic czech/regular.accdb/brazilian.tar.gz", + "product": { + "name": "just philippines startup", + "version": "1.3.0", + "uid": "a9de4ec8-a029-11ef-96ee-0242ac110007", + "feature": { + "name": "metro municipality egypt", + "version": "1.3.0", + "uid": "a9de59f4-a029-11ef-8d34-0242ac110007" + }, + "cpe_name": "highly os treated", + "vendor_name": "candidates etc beverage" + }, + "ext": "labels oriental websites", + "type_id": 1, + "creator": { + "name": "Templates", + "uid": "a9deb516-a029-11ef-8430-0242ac110007", + "org": { + "name": "welfare philip fathers", + "uid": "a9dec100-a029-11ef-986c-0242ac110007", + "ou_name": "threat supporting pension" + }, + "email_addr": "Tabetha@programmers.arpa" + }, + "mime_type": "agree/diego", + "parent_folder": "violin economic czech/regular.accdb", + "hashes": [ + { + "value": "23BF00BD8ADB4469651EB5D5C47027D49C53BB2D", + "algorithm": "SHA-1", + "algorithm_id": 2 + }, + { + "value": "4F80D2DFFF57658A1076FF2F74282A97BB0B6574", + "algorithm": "SHA-1", + "algorithm_id": 2 + } + ], + "xattributes": {} + }, + "metadata": { + "version": "1.3.0", + "extension": { + "name": "conventional indexes merit", + "version": "1.3.0", + "uid": "a9dc7224-a029-11ef-ae98-0242ac110007" + }, + "product": { + "name": "zimbabwe meals purchase", + "version": "1.3.0", + "uid": "a9dcfdac-a029-11ef-aa8a-0242ac110007", + "vendor_name": "status hole 
consider" + }, + "profiles": [], + "log_name": "attorney destinations evolution", + "log_provider": "sections sides trembl", + "modified_time": 1731328627575, + "original_time": "coalition polyphonic limit", + "tenant_uid": "a9ddd8d0-a029-11ef-a422-0242ac110007" + }, + "scan": { + "name": "nd lawn seeking", + "type": "Updated Content", + "uid": "a9ddf644-a029-11ef-b1ea-0242ac110007", + "type_id": 3 + }, + "severity": "Unknown", + "category_uid": 7, + "activity_id": 2, + "type_uid": 700202, + "type_name": "File Remediation Activity: Evict", + "category_name": "Remediation", + "class_uid": 7002, + "class_name": "File Remediation Activity", + "activity_name": "Evict", + "command_uid": "a9deee3c-a029-11ef-8d19-0242ac110007", + "countermeasures": [ + { + "version": "1.3.0", + "d3f_tactic": { + "uid": "a9ded82a-a029-11ef-9aed-0242ac110007" + }, + "d3f_technique": { + "name": "collecting monte craps", + "uid": "a9dee1da-a029-11ef-b734-0242ac110007" + } + } + ], + "severity_id": 0, + "status_code": "holes", + "status_detail": "payroll perfectly prospective", + "status_id": 6 + } + ``` + + + +=== "generated_network_remediation_activity_1" + + + ```json + { + "message": "kills routine cookie", + "status": "Error", + "time": 1731331184401, + "metadata": { + "version": "1.3.0", + "extension": { + "name": "consoles paste democrats", + "version": "1.3.0", + "uid": "9dd714a6-a02f-11ef-a375-0242ac110007" + }, + "product": { + "name": "strip milton message", + "uid": "9dd78440-a02f-11ef-9b45-0242ac110007", + "feature": { + "name": "dealing instruction glasgow", + "version": "1.3.0", + "uid": "9dd7bc30-a02f-11ef-a841-0242ac110007" + }, + "vendor_name": "praise profit voyeurweb" + }, + "uid": "9dd80514-a02f-11ef-ad38-0242ac110007", + "profiles": [], + "log_name": "mens coverage sustained", + "log_provider": "expertise browse courier", + "logged_time": 1731331184386, + "original_time": "sauce female resulted", + "tenant_uid": "9dd8901a-a02f-11ef-b542-0242ac110007" + }, + 
"connection_info": { + "uid": "9dd8e524-a02f-11ef-a212-0242ac110007", + "boundary": "Unknown", + "protocol_name": "notion expressed postcards", + "direction": "Outbound", + "boundary_id": 0, + "direction_id": 2, + "protocol_num": 62, + "protocol_ver": "pricing", + "protocol_ver_id": 99, + "tcp_flags": 39 + }, + "severity": "High", + "category_uid": 7, + "activity_id": 3, + "type_uid": 700403, + "type_name": "Network Remediation Activity: Restore", + "observables": [ + { + "name": "pricing pope defendant", + "type": "Process Name", + "type_id": 9 + }, + { + "name": "fail long monthly", + "type": "Resource UID", + "type_id": 10, + "reputation": { + "base_score": 5.3863, + "provider": "finally responding daughter", + "score": "Probably Safe", + "score_id": 3 + } + } + ], + "category_name": "Remediation", + "class_uid": 7004, + "class_name": "Network Remediation Activity", + "timezone_offset": 79, + "activity_name": "Restore", + "command_uid": "9ddaa616-a02f-11ef-bdaf-0242ac110007", + "countermeasures": [ + { + "version": "1.3.0", + "d3f_tactic": { + "uid": "9dd9bdc8-a02f-11ef-a7a3-0242ac110007" + }, + "d3f_technique": { + "name": "informal statistics lcd", + "uid": "9dda024c-a02f-11ef-938d-0242ac110007" + } + } + ], + "severity_id": 4, + "status_code": "cds", + "status_id": 6 + } + ``` + + + +=== "generated_network_remediation_activity_2" + + + ```json + { + "count": 70, + "message": "virtue carb keeps", + "status": "Unknown", + "time": 1731331194181, + "metadata": { + "version": "1.3.0", + "product": { + "name": "subjective myself systems", + "version": "1.3.0", + "uid": "a3ac922a-a02f-11ef-984c-0242ac110007", + "feature": { + "name": "seafood zen attacks", + "version": "1.3.0", + "uid": "a3ad2ca8-a02f-11ef-a741-0242ac110007" + }, + "vendor_name": "sullivan participation wired" + }, + "extensions": [ + { + "name": "faq valuable theory", + "version": "1.3.0", + "uid": "a3ad55ac-a02f-11ef-9d32-0242ac110007" + }, + { + "name": "diesel salmon graduates", + "version": 
"1.3.0", + "uid": "a3ad70e6-a02f-11ef-be20-0242ac110007" + } + ], + "profiles": [], + "log_name": "influence increasing towers", + "log_provider": "defence ignore carroll", + "original_time": "baths ends led", + "tenant_uid": "a3ad8d56-a02f-11ef-a66b-0242ac110007" + }, + "scan": { + "name": "fits educated vip", + "type": "Attached Media", + "uid": "a3ae1122-a02f-11ef-b0ef-0242ac110007", + "type_id": 5 + }, + "connection_info": { + "uid": "a3ae3c42-a02f-11ef-bdd6-0242ac110007", + "boundary": "Internet Gateway", + "protocol_name": "nuts oriented data", + "direction": "Inbound", + "boundary_id": 11, + "direction_id": 1, + "protocol_num": 88, + "protocol_ver": "Unknown", + "protocol_ver_id": 0 + }, + "severity": "Medium", + "category_uid": 7, + "activity_id": 3, + "type_uid": 700403, + "type_name": "Network Remediation Activity: Restore", + "observables": [ + { + "name": "catherine lawsuit wash", + "type": "File Name", + "value": "underwear img tp", + "type_id": 7 + }, + { + "name": "drawn vol buy", + "type": "Email Address", + "type_id": 5, + "reputation": { + "base_score": 40.1815, + "provider": "miscellaneous applying places", + "score": "tapes", + "score_id": 99 + } + } + ], + "category_name": "Remediation", + "class_uid": 7004, + "class_name": "Network Remediation Activity", + "timezone_offset": 96, + "activity_name": "Restore", + "command_uid": "a3aecf68-a02f-11ef-b5f1-0242ac110007", + "countermeasures": [ + { + "version": "1.3.0", + "d3f_tactic": { + "uid": "a3ae8698-a02f-11ef-a4fc-0242ac110007", + "src_url": "weak" + }, + "d3f_technique": { + "name": "gratuit refused endorsed", + "uid": "a3ae95ac-a02f-11ef-b756-0242ac110007" + } + } + ], + "enrichments": [ + { + "data": "year", + "name": "terry acceptance unavailable", + "type": "me mo fetish", + "value": "ride restore bearing", + "created_time": 1731331194181, + "provider": "illinois ferrari samuel", + "reputation": { + "base_score": 43.1915, + "provider": "view rankings um", + "score": "Very Safe", + 
"score_id": 1 + }, + "short_desc": "uganda pose worse", + "src_url": "aluminium" + }, + { + "data": "funky", + "name": "italic electrical successfully", + "type": "ethnic hitachi stevens", + "value": "steven m rogers", + "desc": "digital jeffrey rogers", + "created_time": 1731331194181, + "short_desc": "cook psi jobs", + "src_url": "hp" + } + ], + "severity_id": 3, + "status_code": "professionals", + "status_detail": "affiliated carries publications", + "status_id": 0 + } + ``` + + + +=== "generated_process_remediation_activity_1" + + + ```json + { + "message": "heaven country sugar", + "process": { + "name": "Success", + "pid": 94, + "file": { + "name": "earliest.pdb", + "owner": { + "name": "Tee", + "type": "Unknown", + "domain": "term assembled gossip", + "uid": "223ad95e-a02f-11ef-8523-0242ac110007", + "type_id": 0, + "full_name": "Kaycee Valarie", + "risk_level": "orleans medicines legal" + }, + "type": "Regular File", + "path": "guilty different comply/expects.accdb/earliest.pdb", + "desc": "prominent purse jones", + "ext": "rendered ministry investigators", + "type_id": 1, + "parent_folder": "guilty different comply/expects.accdb", + "hashes": [ + { + "value": "EFE899C74558F20B08BBC19BF0228C0C25BDDB7871D80BD34AC8B33C030B3698", + "algorithm": "SHA-256", + "algorithm_id": 3 + }, + { + "value": "6B1C747BA410921F62727C6AEE307A71A7021A4F23DCD2CCFAB1EC037E3A86C28518C84FC4E389893A41ED6CC8EFCA276E1FA37D836A1183305EC8DD7BC3D3F0", + "algorithm": "TLSH", + "algorithm_id": 6 + } + ] + }, + "user": { + "name": "Livestock", + "type": "Admin", + "uid": "223aed7c-a02f-11ef-943c-0242ac110007", + "type_id": 2, + "risk_level": "sense", + "risk_level_id": 99 + }, + "loaded_modules": [ + "/offered/her/msg/vegetarian/bizarre.html", + "/principle/setting/liz/defendant/herself.wsf" + ], + "cmd_line": "guided stretch phrases", + "created_time": 1731330976996, + "parent_process": { + "name": "Em", + "pid": 60, + "file": { + "name": "texas.rss", + "type": "Regular File", + "path": 
"pipeline memorabilia wednesday/lindsay.thm/texas.rss", + "product": { + "name": "rather rate cms", + "version": "1.3.0", + "uid": "223b1036-a02f-11ef-a666-0242ac110007", + "lang": "en", + "vendor_name": "assistance printers careful" + }, + "uid": "223b1766-a02f-11ef-b077-0242ac110007", + "ext": "around clear funk", + "type_id": 1, + "parent_folder": "pipeline memorabilia wednesday/lindsay.thm", + "accessed_time": 1731330976998, + "hashes": [ + { + "value": "0C9582BD64D9BAB6B4D907C275F45B5D3FC0035986E6294724E7FC4C77A9E16F42AD975BA9F5AD3884CCEFB2635640629F2AA538C5FDA52E2D872D3B73F65C6C", + "algorithm": "quickXorHash", + "algorithm_id": 7 + }, + { + "value": "31FEBEB59C135F276A56FF06D2A3B00B982685E2D8EF3205B97EB80E0F4DCDC3", + "algorithm": "magic", + "algorithm_id": 99 + } + ], + "is_system": true, + "xattributes": {} + }, + "user": { + "name": "Membership", + "type": "System", + "uid": "223b30c0-a02f-11ef-87cb-0242ac110007", + "type_id": 3, + "full_name": "Anita Rosanna", + "email_addr": "Li@scientific.travel" + }, + "uid": "223b4aa6-a02f-11ef-9d39-0242ac110007", + "cmd_line": "suits chris sega", + "created_time": 1731330976999, + "lineage": [ + "alternative consistently improved", + "cats charm hardcover" + ], + "parent_process": { + "name": "Humor", + "pid": 26, + "file": { + "name": "incorrect.gadget", + "type": "Regular File", + "version": "1.3.0", + "path": "upset india relax/marie.3gp/incorrect.gadget", + "product": { + "name": "grades internationally ordinary", + "version": "1.3.0", + "uid": "223b9d6c-a02f-11ef-af12-0242ac110007", + "feature": { + "name": "motivation bridges other", + "version": "1.3.0", + "uid": "223bade8-a02f-11ef-a579-0242ac110007" + }, + "vendor_name": "lightweight monday station" + }, + "uid": "223bb4f0-a02f-11ef-9470-0242ac110007", + "ext": "celebrities intelligent david", + "type_id": 1, + "accessor": { + "name": "Institutes", + "type": "User", + "uid": "223bc1b6-a02f-11ef-be06-0242ac110007", + "org": { + "uid": 
"223bcfee-a02f-11ef-9eaf-0242ac110007", + "ou_name": "sixth rats hawk" + }, + "type_id": 1, + "account": { + "name": "fairy clause literally", + "uid": "223be3a8-a02f-11ef-b63a-0242ac110007" + }, + "credential_uid": "223befc4-a02f-11ef-9ee4-0242ac110007", + "ldap_person": { + "email_addrs": [ + "Suzann@verbal.biz", + "Flo@submissions.int" + ], + "last_login_time": 1731330977003, + "leave_time": 1731330977003 + }, + "risk_level": "Critical", + "risk_level_id": 4, + "risk_score": 44 + }, + "parent_folder": "upset india relax/marie.3gp", + "hashes": [ + { + "value": "4B300F704B4BD8E100BDB3CAB1031A6CEDCB68FBC2C3606B1178586034AF4ECAC9A514E1A67728708F5FAD5AD1FC04AE78ECA412443352AF94457FEC9581ED11", + "algorithm": "Unknown", + "algorithm_id": 0 + }, + { + "value": "C861DBBC3D16CC0E2D8C34764F0864239EBAC9973B25229B5ADFE56574C851ED73B6FCBC5931C8F0E23094B0D787E183BF5DF893560460CD403ED6F6C7174B7D", + "algorithm": "quickXorHash", + "algorithm_id": 7 + } + ] + }, + "user": { + "name": "Protection", + "type": "Unknown", + "uid": "223c0d88-a02f-11ef-bfe0-0242ac110007", + "type_id": 0, + "full_name": "Brittanie Russel", + "credential_uid": "223c156c-a02f-11ef-ae21-0242ac110007", + "risk_level": "school wall wolf", + "risk_score": 37 + }, + "cmd_line": "roof dt critical", + "created_time": 1731330977004, + "parent_process": { + "name": "Iv", + "file": { + "name": "retro.bmp", + "type": "Named Pipe", + "path": "rubber mj queen/archive.wav/retro.bmp", + "signature": { + "state": "lauderdale illustrated editorial", + "certificate": { + "version": "1.3.0", + "subject": "mighty assisted detail", + "issuer": "accompanied routers acne", + "fingerprints": [ + { + "value": "022DEC95C5096AFDD20A88DF019AC56B", + "algorithm": "MD5", + "algorithm_id": 1 + }, + { + "value": "8418E7362D4E0848D22B88FF2EC86F93AB49AE75A1558CE41B75732C6B78955A", + "algorithm": "magic", + "algorithm_id": 99 + } + ], + "created_time": 1731330977005, + "expiration_time": 1731330977005, + "serial_number": "receivers 
stylish woods" + }, + "algorithm": "Unknown", + "algorithm_id": 0 + }, + "desc": "rep jeff tape", + "ext": "through testimonials cardiff", + "type_id": 6, + "parent_folder": "rubber mj queen/archive.wav", + "accessed_time": 1731330977005, + "hashes": [ + { + "value": "311EF3B8DC9FFBC403CA8BFEFAF69F728D2BE1AFFB42206E860CAA9F9FC9D8A57266E69AF264348CFACF811255655CDAF7BF4204EA0E7C0AD91297FCCB92BD28", + "algorithm": "TLSH", + "algorithm_id": 6 + }, + { + "value": "12B400C07544526379365632C5EAE7B868347EA513F21C09D8F5A9306B373005", + "algorithm": "magic", + "algorithm_id": 99 + } + ] + }, + "user": { + "name": "Rise", + "type": "omissions", + "uid": "223c3c36-a02f-11ef-a7a3-0242ac110007", + "type_id": 99, + "account": { + "name": "naturally textile pharmacies", + "uid": "223c4b7c-a02f-11ef-90fb-0242ac110007" + } + }, + "uid": "223c51e4-a02f-11ef-8de3-0242ac110007", + "cmd_line": "keyboard milk printers", + "created_time": 1731330977006, + "parent_process": { + "name": "Computation", + "pid": 30, + "file": { + "name": "posted.yuv", + "type": "Folder", + "path": "kid hollow housing/trick.dwg/posted.yuv", + "ext": "gage capabilities reasons", + "type_id": 2, + "accessor": { + "type": "User", + "uid": "223c6ed6-a02f-11ef-9e28-0242ac110007", + "org": { + "name": "salem civil rely", + "uid": "223c784a-a02f-11ef-b6f3-0242ac110007", + "ou_name": "saudi kathy going" + }, + "type_id": 1, + "credential_uid": "223c7f2a-a02f-11ef-9b2e-0242ac110007" + }, + "parent_folder": "kid hollow housing/trick.dwg", + "accessed_time": 1731330977007, + "hashes": [ + { + "value": "84282F14696FCE92F1387E783E6E35A7F462B8F63DD2CBBF03C8FBD817B4B334EA21DB328F7F7CC7040EBAEC27B5E741457DFC36FAEC09CB527ECE2B22C142C4", + "algorithm": "Unknown", + "algorithm_id": 0 + }, + { + "value": "A74A78AF4E994F8C5ADE1098C677DEE43370A2B898524B0730EBFF42FA2C8359", + "algorithm": "magic", + "algorithm_id": 99 + } + ], + "is_system": false + }, + "user": { + "name": "Royal", + "type": "eclipse", + "uid": 
"223c92ee-a02f-11ef-b37d-0242ac110007", + "org": { + "name": "races obtaining business", + "uid": "223c9f6e-a02f-11ef-80ed-0242ac110007", + "ou_name": "larger phones hotel", + "ou_uid": "223ca72a-a02f-11ef-b597-0242ac110007" + }, + "type_id": 99, + "account": { + "name": "execution implemented contributions", + "type": "AWS Account", + "uid": "223cb300-a02f-11ef-a109-0242ac110007", + "type_id": 10 + }, + "ldap_person": { + "location": { + "desc": "Senegal, Republic of", + "city": "Barely vpn", + "country": "SN", + "coordinates": [ + -6.1769, + -23.2664 + ], + "continent": "Africa" + }, + "given_name": "oven registrar consultant", + "ldap_cn": "insulin convicted posted", + "modified_time": 1731330977010 + } + }, + "tid": 28, + "uid": "223d09cc-a02f-11ef-88a8-0242ac110007", + "cmd_line": "cologne preventing pvc", + "created_time": 1731330977010, + "integrity": "tears", + "integrity_id": 99, + "parent_process": { + "pid": 58, + "file": { + "name": "concept.tar", + "type": "Regular File", + "path": "aging socks soc/traditions.nes/concept.tar", + "modifier": { + "name": "Mai", + "type": "mineral", + "uid": "223d2b96-a02f-11ef-a466-0242ac110007", + "type_id": 99, + "account": { + "name": "fitting remembered advertiser", + "type": "Linux Account", + "uid": "223d378a-a02f-11ef-a93b-0242ac110007", + "type_id": 9 + }, + "credential_uid": "223d4086-a02f-11ef-aae8-0242ac110007", + "risk_level": "Low", + "risk_level_id": 1, + "uid_alt": "chevrolet header sensitive" + }, + "uid": "223d47d4-a02f-11ef-80dd-0242ac110007", + "ext": "finnish quotations trigger", + "type_id": 1, + "parent_folder": "aging socks soc/traditions.nes", + "hashes": [ + { + "value": "CCF8B7F3C1B91940CEA0982813BDECBB4177E02F8485991FF6F5F1ED5AEB7448BB931BD088B4617001768303ECEE51E3D61A3CC7369BA9EEF3C965E865EFEA4A", + "algorithm": "quickXorHash", + "algorithm_id": 7 + } + ] + }, + "user": { + "name": "Clubs", + "type": "Unknown", + "uid": "223d59ae-a02f-11ef-8620-0242ac110007", + "type_id": 0, + "risk_score": 1, 
+ "uid_alt": "quebec robertson slovak" + }, + "tid": 22, + "uid": "223d673c-a02f-11ef-9f3c-0242ac110007", + "cmd_line": "barnes outlined alabama", + "created_time": 1731330977013, + "parent_process": { + "name": "Weapons", + "pid": 16, + "file": { + "name": "pale.odt", + "owner": { + "name": "Waiver", + "type": "carroll", + "type_id": 99, + "risk_level": "Critical", + "risk_level_id": 4, + "risk_score": 13 + }, + "type": "Character Device", + "path": "pupils demonstrated spam/constitution.obj/pale.odt", + "ext": "intl hip entry", + "type_id": 3, + "company_name": "Lucas Emerald", + "parent_folder": "pupils demonstrated spam/constitution.obj", + "hashes": [ + { + "value": "8DF60FF96BFECD59DE3F802675A05912", + "algorithm": "MD5", + "algorithm_id": 1 + }, + { + "value": "149D479F6A59E992D99E894B589A22B63E7F357049D6B573DA7AAD6DB5584F44", + "algorithm": "SHA-256", + "algorithm_id": 3 + } + ], + "security_descriptor": "decade prepared deleted", + "xattributes": {} + }, + "user": { + "name": "Gbp", + "domain": "cathedral faces lovers", + "uid": "223dc06a-a02f-11ef-8a14-0242ac110007", + "full_name": "Bryan Yasmine", + "risk_score": 94 + }, + "uid": "223dc7f4-a02f-11ef-850b-0242ac110007", + "cmd_line": "religious membership rb", + "created_time": 1731330977015, + "parent_process": { + "name": "Invite", + "pid": 19, + "file": { + "name": "aggressive.icns", + "type": "Block Device", + "path": "nyc runtime slip/ballot.thm/aggressive.icns", + "desc": "ease ill executed", + "ext": "malpractice road end", + "type_id": 4, + "mime_type": "income/poison", + "parent_folder": "nyc runtime slip/ballot.thm", + "hashes": [ + { + "value": "037AEAEAF4BBF26DDABE7256A8294DC52DA48D575A1247B5C2598C47DE7AEBAB", + "algorithm": "SHA-256", + "algorithm_id": 3 + }, + { + "value": "C63B81E57E6869E3358411F7CCE3A2FA7BBE6FE5C1C54E3B4FDCD214F77082948C4A05C49CF7AF90CB5D0F112840C2A2B7715C80A07CF8511D608E1546DB6AC1", + "algorithm": "quickXorHash", + "algorithm_id": 7 + } + ], + "modified_time": 
1731330977016 + }, + "user": { + "type": "User", + "uid": "223decca-a02f-11ef-ab3c-0242ac110007", + "type_id": 1, + "ldap_person": { + "cost_center": "motion saudi unix", + "deleted_time": 1731330977016, + "employee_uid": "223df7ba-a02f-11ef-8947-0242ac110007", + "hire_time": 1731330977016, + "last_login_time": 1731330977016, + "ldap_dn": "table silent possibly", + "surname": "alone tongue emotional" + }, + "risk_level": "Low", + "risk_level_id": 1 + }, + "uid": "223dff76-a02f-11ef-b8d3-0242ac110007", + "loaded_modules": [ + "/penguin/celebration/epson/lenders/with.uue", + "/prefer/motherboard/traveling/factors/lawyer.tmp" + ], + "cmd_line": "except routing crowd", + "created_time": 1731330977017, + "sandbox": "mechanisms suppose founded" + } + }, + "sandbox": "tide oral independent" + } + } + }, + "terminated_time": 1731330977017 + } + }, + "xattributes": {} + }, + "status": "Unknown", + "time": 1731330976994, + "metadata": { + "version": "1.3.0", + "product": { + "name": "appeals discrete crash", + "version": "1.3.0", + "uid": "223a5696-a02f-11ef-ac80-0242ac110007", + "vendor_name": "license push emperor" + }, + "sequence": 26, + "profiles": [], + "log_name": "ideal extended offers", + "log_provider": "seller deserve sharing", + "original_time": "alfred invitations speaking", + "tenant_uid": "223a5fec-a02f-11ef-af39-0242ac110007" + }, + "severity": "Critical", + "category_uid": 7, + "activity_id": 4, + "type_uid": 700304, + "type_name": "Process Remediation Activity: Harden", + "observables": [ + { + "name": "uploaded bear will", + "type": "Subnet", + "type_id": 12 + }, + { + "name": "italic quantitative keno", + "type": "Geo Location", + "type_id": 26 + } + ], + "category_name": "Remediation", + "class_uid": 7003, + "class_name": "Process Remediation Activity", + "timezone_offset": 64, + "activity_name": "Harden", + "command_uid": "223ab6e0-a02f-11ef-9ffc-0242ac110007", + "countermeasures": [ + { + "version": "1.3.0", + "d3f_tactic": { + "uid": 
"223a6fdc-a02f-11ef-a601-0242ac110007" + }, + "d3f_technique": { + "name": "columbus sync taken", + "uid": "223a80c6-a02f-11ef-9766-0242ac110007" + } + } + ], + "enrichments": [ + { + "data": "trackback", + "name": "natural segment seattle", + "value": "rebecca stack obtain", + "created_time": 1731330976994, + "provider": "shall surplus transparency", + "reputation": { + "base_score": 63.125, + "provider": "czech meter kinda", + "score": "Possibly Malicious", + "score_id": 8 + }, + "src_url": "employees" + }, + { + "data": "academics", + "name": "todd earliest quick", + "type": "older complicated mails", + "value": "issued dressed latina", + "created_time": 1731330976994, + "provider": "tube subtle austin", + "short_desc": "summer concentration specific", + "src_url": "domestic" + } + ], + "severity_id": 5, + "status_code": "malawi", + "status_detail": "odd lib station", + "status_id": 0 + } + ``` + + + +=== "generated_process_remediation_activity_2" + + + ```json + { + "message": "sellers besides hl", + "process": { + "name": "Prince", + "pid": 7, + "file": { + "name": "propose.pptx", + "type": "Folder", + "signature": { + "algorithm": "DSA", + "algorithm_id": 1 + }, + "modifier": { + "name": "Stylish", + "type": "Unknown", + "uid": "28d3fd18-a02f-11ef-af24-0242ac110007", + "type_id": 0, + "ldap_person": { + "employee_uid": "28d42ee6-a02f-11ef-9279-0242ac110007" + }, + "risk_level": "loving", + "risk_level_id": 99, + "risk_score": 0 + }, + "desc": "ceiling patches side", + "uid": "28d43742-a02f-11ef-9ec1-0242ac110007", + "type_id": 2, + "creator": { + "name": "Remained", + "type": "latino", + "domain": "rest investor soa", + "uid": "28d473e2-a02f-11ef-9ccb-0242ac110007", + "type_id": 99 + }, + "hashes": [ + { + "value": "89759E1284E2479B991D2669DE104942", + "algorithm": "MD5", + "algorithm_id": 1 + }, + { + "value": "C19F43EB415F38C482F5CB26B9720DA398AA56B47B415867BBA7F118EB0D89D563350BA26D579DC834B11828F7E929E3AD3F14B90D86D0610F44E088AD1F2B64", + "algorithm": 
"CTPH", + "algorithm_id": 5 + } + ] + }, + "user": { + "name": "Pork", + "type": "User", + "uid": "28d4888c-a02f-11ef-82fc-0242ac110007", + "type_id": 1, + "ldap_person": { + "location": { + "desc": "Dominica, Commonwealth of", + "city": "Discrimination fri", + "country": "DM", + "coordinates": [ + 92.1251, + 34.7562 + ], + "continent": "North America" + }, + "manager": { + "name": "Idol", + "type": "Admin", + "uid": "28d4cb94-a02f-11ef-b90f-0242ac110007", + "type_id": 2, + "risk_level": "gothic smithsonian garmin" + }, + "employee_uid": "28d4d544-a02f-11ef-ad52-0242ac110007", + "given_name": "includes livestock index", + "job_title": "strategies compliant references", + "leave_time": 1731330988071, + "modified_time": 1731330988071 + }, + "uid_alt": "control gary baking" + }, + "tid": 47, + "uid": "28d4de90-a02f-11ef-98b9-0242ac110007", + "cmd_line": "characters vocal tracy", + "created_time": 1731330988072, + "parent_process": { + "pid": 40, + "file": { + "attributes": 79, + "name": "irc.com", + "type": "Unknown", + "path": "finding possibilities clinton/cached.asf/irc.com", + "signature": { + "state": "Revoked", + "certificate": { + "version": "1.3.0", + "is_self_signed": false, + "subject": "external compiler heated", + "issuer": "appears hungry drive", + "fingerprints": [ + { + "value": "63F62E392F7025A4167DD1EC5A9EF966C16729FDC201CB89B807A60D5332A7A9473433A7AE2CD8C213C47520CFCDF970F3EA2DFEF02D04EA5B66610BDEA8D497", + "algorithm": "TLSH", + "algorithm_id": 6 + } + ], + "created_time": 1731330988072, + "expiration_time": 1731330988072, + "serial_number": "configuration deadline calgary" + }, + "algorithm": "fails", + "algorithm_id": 99, + "state_id": 3 + }, + "modifier": { + "type": "User", + "uid": "28d51ef0-a02f-11ef-92f3-0242ac110007", + "type_id": 1, + "email_addr": "Yu@monroe.mil" + }, + "ext": "consequences years ecology", + "type_id": 0, + "parent_folder": "finding possibilities clinton/cached.asf", + "hashes": [ + { + "value": 
"A6426312E27AB008F4EDC3204E03FD5B383EA1C8B4A4567E748A42CEF025EF43A89764E99A4D39740137733A152598B7050663A2C427F7874F331D0609FD3CB8", + "algorithm": "quickXorHash", + "algorithm_id": 7 + }, + { + "value": "EACCA81A25CF539B76C8A39BB632EC20C918EF9EFD1E73B8FDEB68C67765DE58E5925C523C695E88ACB94E43C38BA494EFF4D1A415A91C332930A3FB12A5AF27", + "algorithm": "TLSH", + "algorithm_id": 6 + } + ] + }, + "user": { + "type": "Unknown", + "uid": "28d53156-a02f-11ef-aa73-0242ac110007", + "type_id": 0 + }, + "tid": 51, + "uid": "28d53f16-a02f-11ef-9a1e-0242ac110007", + "cmd_line": "commission relying steady", + "created_time": 1731330988074, + "integrity": "Medium", + "integrity_id": 3, + "parent_process": { + "pid": 56, + "session": { + "terminal": "occur match lan", + "uid": "28d58f84-a02f-11ef-8740-0242ac110007", + "created_time": 1731330988076, + "expiration_reason": "therapeutic midlands visited", + "is_remote": true + }, + "file": { + "attributes": 47, + "name": "anymore.tar", + "owner": { + "name": "Halifax", + "type": "User", + "type_id": 1, + "risk_level": "Medium", + "risk_level_id": 2 + }, + "type": "Regular File", + "uid": "28d5c4cc-a02f-11ef-8469-0242ac110007", + "type_id": 1, + "hashes": [ + { + "value": "F573102FF9F85CEA0795FA811907D06B74C86CDE18D2999A2070523EC27478C2F15F634D3D0509B660995C0695E665C4A124CD5F1F657FD9E26AC679200F1425", + "algorithm": "Unknown", + "algorithm_id": 0 + } + ], + "modified_time": 1731330988078, + "security_descriptor": "realtors shoulder kilometers", + "xattributes": {} + }, + "user": { + "name": "Figured", + "type": "System", + "uid": "28d5fac8-a02f-11ef-895f-0242ac110007", + "type_id": 3, + "credential_uid": "28d602ac-a02f-11ef-9c04-0242ac110007", + "email_addr": "Darla@movies.org" + }, + "uid": "28d63402-a02f-11ef-b1e9-0242ac110007", + "cmd_line": "overview statutes valves", + "created_time": 1731330988080, + "integrity": "losses renewal aquatic" + } + } + }, + "status": "dynamic acer dollar", + "time": 1731330988061, + "metadata": { + 
"version": "1.3.0", + "product": { + "name": "diamond aaa screensavers", + "version": "1.3.0", + "path": "mem anthropology notifications", + "uid": "28d1a536-a02f-11ef-92c5-0242ac110007", + "cpe_name": "quebec labs assume", + "vendor_name": "professionals subsidiary maria" + }, + "labels": [ + "bandwidth", + "jeremy" + ], + "profiles": [], + "event_code": "digit", + "log_name": "bosnia blind seq", + "log_provider": "arg handed dock", + "log_version": "congratulations solution vancouver", + "original_time": "famous thinking males" + }, + "scan": { + "name": "soon reproduce paragraph", + "type": "Updated Content", + "uid": "28d22ac4-a02f-11ef-a4e4-0242ac110007", + "type_id": 3 + }, + "severity": "Informational", + "category_uid": 7, + "activity_id": 0, + "type_uid": 700300, + "type_name": "Process Remediation Activity: Unknown", + "observables": [ + { + "name": "targeted arlington mediterranean", + "type": "Geo Location", + "type_id": 26, + "reputation": { + "base_score": 94.8029, + "provider": "lucy printing mrna", + "score": "turkish", + "score_id": 99 + } + }, + { + "name": "payment traditions proudly", + "type": "CVE Object: uid", + "type_id": 18 + } + ], + "category_name": "Remediation", + "class_uid": 7003, + "class_name": "Process Remediation Activity", + "timezone_offset": 14, + "activity_name": "Unknown", + "command_uid": "28d355b6-a02f-11ef-b6de-0242ac110007", + "countermeasures": [ + { + "version": "1.3.0", + "d3f_tactic": { + "uid": "28d23d02-a02f-11ef-97ab-0242ac110007" + }, + "d3f_technique": { + "name": "dosage cart but", + "uid": "28d29040-a02f-11ef-b946-0242ac110007" + } + }, + { + "version": "1.3.0", + "d3f_tactic": { + "uid": "28d29c02-a02f-11ef-9d6f-0242ac110007" + }, + "d3f_technique": { + "uid": "28d2cb6e-a02f-11ef-a981-0242ac110007", + "src_url": "amsterdam" + } + } + ], + "severity_id": 1, + "status_detail": "bow euros scsi" + } + ``` + + + +=== "generated_windows_service_1" + + + ```json + { + "message": "gear technologies garlic", + 
"status": "Failure", + "time": 1731399707936, + "device": { + "owner": { + "name": "Paper", + "type": "Unknown", + "domain": "comfort pick casino", + "uid": "29093ba4-a0cf-11ef-a993-0242ac110007", + "type_id": 0, + "credential_uid": "2909420c-a0cf-11ef-ae57-0242ac110007" + }, + "type": "IDS", + "uid": "29092d44-a0cf-11ef-8baa-0242ac110007", + "type_id": 13, + "imei": "polyester verified charlie", + "instance_uid": "29091d04-a0cf-11ef-8935-0242ac110007", + "interface_name": "fonts roller schema", + "interface_uid": "290925c4-a0cf-11ef-83a0-0242ac110007", + "is_managed": true, + "network_interfaces": [ + { + "name": "nickname museums symptoms", + "type": "Unknown", + "hostname": "influenced.museum", + "mac": "25:15:EA:C3:5F:12:EF:E9", + "type_id": 0 + }, + { + "name": "polar bm traveler", + "type": "Wired", + "hostname": "vegetarian.store", + "mac": "87:8C:2:BD:DD:A8:43:3A", + "type_id": 1 + } + ], + "region": "provider nirvana absolute", + "risk_level": "Critical", + "risk_level_id": 4 + }, + "metadata": { + "version": "1.3.0", + "product": { + "name": "pokemon know retrieval", + "version": "1.3.0", + "path": "dolls vid representing", + "uid": "290890b4-a0cf-11ef-b8db-0242ac110007", + "vendor_name": "hide broken trademark" + }, + "profiles": [], + "log_name": "cindy drives thin", + "log_provider": "foo canada biodiversity", + "original_time": "virus pure partly", + "processed_time": 1731399707888 + }, + "start_time": 1731399707936, + "severity": "Medium", + "category_uid": 1, + "activity_id": 4, + "type_uid": 20100404, + "type_name": "Windows Service Activity: Stop", + "observables": [ + { + "name": "generation damages hawaii", + "type": "Email", + "value": "sale talking pairs", + "type_id": 22 + }, + { + "name": "testimonials seventh smallest", + "type": "MAC Address", + "type_id": 3 + } + ], + "category_name": "System Activity", + "class_uid": 201004, + "class_name": "Windows Service Activity", + "timezone_offset": 72, + "activity_name": "Stop", + "actor": { + 
"process": { + "name": "Don", + "pid": 38, + "file": { + "name": "developmental.otf", + "type": "Regular File", + "path": "vg tunisia river/favorite.wsf/developmental.otf", + "ext": "mike biography serial", + "type_id": 1, + "accessor": { + "name": "Mathematical", + "type": "Unknown", + "domain": "touring wing sunglasses", + "org": { + "name": "battery met word", + "uid": "29099612-a0cf-11ef-9f88-0242ac110007", + "ou_name": "invitation olympus putting" + }, + "type_id": 0, + "credential_uid": "29099f68-a0cf-11ef-ab1c-0242ac110007", + "risk_level": "constitution missions steam" + }, + "parent_folder": "vg tunisia river/favorite.wsf", + "confidentiality": "Top Secret", + "confidentiality_id": 4, + "hashes": [ + { + "value": "9280AE13A255F18D841739D0D18222BB950C8FC7", + "algorithm": "SHA-1", + "algorithm_id": 2 + } + ], + "security_descriptor": "gibson columbia refund" + }, + "user": { + "name": "Journal", + "type": "System", + "domain": "tuition gst cheese", + "uid": "2909b99e-a0cf-11ef-946c-0242ac110007", + "groups": [ + { + "name": "overview friendly ul", + "desc": "spent richards molecular", + "privileges": [ + "gale suicide combo" + ] + } + ], + "type_id": 3, + "full_name": "Lynsey Sherise" + }, + "uid": "2909c8d0-a0cf-11ef-82af-0242ac110007", + "cmd_line": "hdtv il murder", + "created_time": 1731399707895, + "parent_process": { + "name": "Indoor", + "pid": 29, + "session": { + "terminal": "eternal armor maternity", + "uid": "290a04bc-a0cf-11ef-9799-0242ac110007", + "uuid": "290a0af2-a0cf-11ef-8713-0242ac110007", + "issuer": "troubleshooting footage pour", + "created_time": 1731399707897 + }, + "file": { + "attributes": 81, + "name": "submitted.cpp", + "owner": { + "name": "Reverse", + "type": "Unknown", + "domain": "wiki ba evaluating", + "uid": "290a2bea-a0cf-11ef-a2af-0242ac110007", + "type_id": 0, + "email_addr": "Bessie@outcomes.pro", + "risk_level": "plenty sarah preparation" + }, + "size": 2618568753, + "type": "Local Socket", + "version": "1.3.0", + 
"path": "annually chapters country/separately.pdf/submitted.cpp", + "modifier": { + "name": "Appraisal", + "type": "Admin", + "uid": "290a3a2c-a0cf-11ef-96ea-0242ac110007", + "type_id": 2 + }, + "desc": "deeply dresses hills", + "ext": "scholarships fundraising hydrocodone", + "type_id": 5, + "company_name": "Galen Nakita", + "parent_folder": "annually chapters country/separately.pdf", + "accessed_time": 1731399707898, + "hashes": [ + { + "value": "9E2FB759708B9621D802CC03D5DA0C1600A80AE7A740A0840F232C31B6E61F01EE5CF00A1719E67BEC538182D8A3074DA5123670601506065A44D4E8AC2C4CB2", + "algorithm": "CTPH", + "algorithm_id": 5 + } + ], + "xattributes": {} + }, + "user": { + "name": "Asian", + "type": "Unknown", + "uid": "290a520a-a0cf-11ef-a44f-0242ac110007", + "type_id": 0, + "full_name": "Roland Nichol", + "account": { + "name": "girl sugar benefit", + "type": "Azure AD Account", + "uid": "290a5ef8-a0cf-11ef-809f-0242ac110007", + "labels": [ + "complex" + ], + "type_id": 6 + }, + "credential_uid": "290a66e6-a0cf-11ef-a28e-0242ac110007", + "uid_alt": "transportation vegetables debian" + }, + "uid": "290a756e-a0cf-11ef-86a9-0242ac110007", + "cmd_line": "bull retailers sensitivity", + "created_time": 1731399707900, + "lineage": [ + "george herein ghz" + ], + "parent_process": { + "name": "Broader", + "pid": 50, + "file": { + "name": "vegetation.tif", + "type": "Regular File", + "version": "1.3.0", + "path": "leonard accent told/determine.sdf/vegetation.tif", + "signature": { + "certificate": { + "version": "1.3.0", + "is_self_signed": false, + "subject": "traffic changes calm", + "issuer": "give img nsw", + "fingerprints": [ + { + "value": "7245C357B5BE2E81CFA6582A9CEF4108E8E9BC9E4DA47D108C495262F1EE943BB741CFFE5FDDEE5B3AD441498918E714FF20108B4CDDEDE100B8AD003E7DDA73", + "algorithm": "quickXorHash", + "algorithm_id": 7 + } + ], + "created_time": 1731399707900, + "serial_number": "blades mike seal" + }, + "algorithm": "Authenticode", + "algorithm_id": 4 + }, + "desc": 
"electronics charges gallery", + "ext": "disorder agriculture anger", + "type_id": 1, + "company_name": "Billie Shawnee", + "mime_type": "briefly/entirely", + "parent_folder": "leonard accent told/determine.sdf", + "created_time": 1731399707900, + "hashes": [ + { + "value": "0947FCC917EB1D3C89AD818BEB61E3B2C3CF3BBA", + "algorithm": "SHA-1", + "algorithm_id": 2 + }, + { + "value": "CEE604715F44D7CD732D46B9B349EC7911E55D19C6E598E8064B403337EB8F9EA9E58A34D42BA046D72E529215E7D8E2AB68DA5552324343DA54BF3220615F0A", + "algorithm": "SHA-512", + "algorithm_id": 4 + } + ], + "modified_time": 1731399707900 + }, + "user": { + "name": "Markers", + "type": "Unknown", + "uid": "290a9f62-a0cf-11ef-b0c9-0242ac110007", + "groups": [ + { + "name": "foul administrative owns", + "uid": "290aaa98-a0cf-11ef-a3a1-0242ac110007" + }, + { + "name": "develop houston gamma", + "uid": "290ab498-a0cf-11ef-80bd-0242ac110007", + "privileges": [ + "shade bell link", + "processor code ashley" + ] + } + ], + "type_id": 0, + "account": { + "type": "AWS Account", + "uid": "290abf42-a0cf-11ef-a831-0242ac110007", + "type_id": 10 + } + }, + "uid": "290ac5dc-a0cf-11ef-a78c-0242ac110007", + "cmd_line": "studies un checking", + "created_time": 1731399707902, + "integrity": "Unknown", + "integrity_id": 0, + "lineage": [ + "commodity config charges", + "wikipedia las relatives" + ], + "parent_process": { + "name": "Eyed", + "pid": 59, + "user": { + "name": "Louisiana", + "type": "System", + "uid": "290b1514-a0cf-11ef-9bd3-0242ac110007", + "type_id": 3, + "credential_uid": "290b1cbc-a0cf-11ef-8f91-0242ac110007", + "risk_level": "Info", + "risk_level_id": 0 + }, + "uid": "290b241e-a0cf-11ef-89bc-0242ac110007", + "cmd_line": "skins shipments proteins", + "created_time": 1731399707904, + "parent_process": { + "name": "Almost", + "pid": 53, + "user": { + "name": "Subscription", + "type": "User", + "domain": "lion aims yukon", + "uid": "290b388c-a0cf-11ef-81e2-0242ac110007", + "type_id": 1 + }, + "uid": 
"290b3f44-a0cf-11ef-856f-0242ac110007", + "cmd_line": "bidding lauren confusion", + "created_time": 1731399707905, + "parent_process": { + "name": "Word", + "pid": 11, + "session": { + "count": 9, + "issuer": "practice attempt court", + "created_time": 1731399707905, + "is_remote": true, + "is_vpn": true + }, + "file": { + "attributes": 44, + "name": "consistency.sln", + "type": "Character Device", + "version": "1.3.0", + "path": "handbags camera urgent/forecast.gz/consistency.sln", + "ext": "entity fe blocking", + "type_id": 3, + "parent_folder": "handbags camera urgent/forecast.gz", + "hashes": [ + { + "value": "6D17DA8FAF5A7C8BD04AFB00506B03897D0DE6A8D7B4EBD644B680ACB98A1CFE8924C0F11BCCA03BFC8D47BE350C1C8A20AF62D4E02D978CB8159FB2D49086A7", + "algorithm": "quickXorHash", + "algorithm_id": 7 + }, + { + "value": "BE412112026B3DCAEC7BE421BA9D884A2FBC5C9795F336CCBD0E8C76BFF312AA3BAFBB4BA71F540A076F5C0D8189254B397357A086D5B86B7D794FDCE6FCCFC1", + "algorithm": "CTPH", + "algorithm_id": 5 + } + ], + "is_system": true + }, + "user": { + "type": "Unknown", + "uid": "290b69f6-a0cf-11ef-a847-0242ac110007", + "type_id": 0 + }, + "uid": "290b720c-a0cf-11ef-a98d-0242ac110007", + "cmd_line": "fears demanding stewart", + "created_time": 1731399707906, + "integrity": "High", + "integrity_id": 4, + "parent_process": { + "name": "Kinds", + "pid": 63, + "session": { + "uid": "290b83d2-a0cf-11ef-9629-0242ac110007", + "uuid": "290b89cc-a0cf-11ef-89ef-0242ac110007", + "issuer": "tray lying x", + "created_time": 1731399707907, + "is_remote": true + }, + "file": { + "name": "concerns.cab", + "type": "Character Device", + "version": "1.3.0", + "path": "faq payable progressive/part.m3u/concerns.cab", + "ext": "imported supplements prepaid", + "type_id": 3, + "mime_type": "garmin/popularity", + "parent_folder": "faq payable progressive/part.m3u", + "hashes": [ + { + "value": 
"E8A5CF21ECCC4DB4DAAFDD5BD0140861637D937597AD8EE0246E0715031FE6BDABB4F5B16FDDCACD9722B57A18B46453B01D984E3D55292FB82825C3A06E516A", + "algorithm": "CTPH", + "algorithm_id": 5 + }, + { + "value": "4B9E4636494461CF31094E9A16F456FE", + "algorithm": "MD5", + "algorithm_id": 1 + } + ] + }, + "user": { + "type": "remarkable", + "type_id": 99, + "full_name": "Jennell Sidney", + "email_addr": "Clayton@scanned.travel", + "ldap_person": { + "location": { + "desc": "Monaco, Principality of", + "city": "Phil clarity", + "country": "MC", + "coordinates": [ + 113.7672, + 53.7852 + ], + "continent": "Europe" + }, + "given_name": "rachel trio electronics", + "ldap_cn": "accessory fancy shelter" + } + }, + "uid": "290babfa-a0cf-11ef-a1ee-0242ac110007", + "cmd_line": "tuner clara concepts", + "created_time": 1731399707908, + "integrity": "boxes x day", + "parent_process": { + "name": "Animated", + "pid": 43, + "file": { + "name": "pgp.rom", + "type": "Symbolic Link", + "path": "percent obtaining influenced/liked.bmp/pgp.rom", + "signature": { + "digest": { + "value": "0A6CFE12D4BE13BD525E0097949ED52B4E032606B7BF98076581F2189F23342568BE12B631EF1F25F82E1979FC852ECA24E8A38B319B071638C3153E4DA60740", + "algorithm": "quickXorHash", + "algorithm_id": 7 + }, + "certificate": { + "version": "1.3.0", + "uid": "290bcd06-a0cf-11ef-8f86-0242ac110007", + "is_self_signed": true, + "subject": "brilliant follow county", + "issuer": "suppliers workout deposit", + "fingerprints": [ + { + "value": "03114C6B1064C1C04AE3C88FA18F582A2228B88A7786BBFCBCE275DED7A5C23A", + "algorithm": "magic", + "algorithm_id": 99 + }, + { + "value": "F07D26D3B025D5EF30B38458926092E990C3B6F0BE1A23B561D778E8467319E0444B2425FDEDB91121554B8641B06B3654426F63C9C0435C6487571DC9AE0FC5", + "algorithm": "SHA-512", + "algorithm_id": 4 + } + ], + "created_time": 1731399707908, + "expiration_time": 1731399707909, + "serial_number": "hazard compaq emirates" + }, + "algorithm": "Unknown", + "algorithm_id": 0, + "created_time": 
1731399707909 + }, + "type_id": 7, + "accessor": { + "name": "Athletes", + "type": "System", + "uid": "290bdfe4-a0cf-11ef-88a6-0242ac110007", + "org": { + "name": "publicity porsche shoulder", + "uid": "290bebf6-a0cf-11ef-bcbf-0242ac110007", + "ou_name": "wins separate lemon" + }, + "groups": [ + { + "name": "jose quotes toolbar", + "uid": "290c038e-a0cf-11ef-beec-0242ac110007" + } + ], + "type_id": 3, + "email_addr": "Sherry@machinery.store", + "risk_level": "Low", + "risk_level_id": 1, + "risk_score": 25 + }, + "company_name": "Lashell Vincent", + "mime_type": "representing/lee", + "parent_folder": "percent obtaining influenced/liked.bmp", + "hashes": [ + { + "value": "E2F3E36EA43BA45AB3503CED0A944CD1A950065C", + "algorithm": "SHA-1", + "algorithm_id": 2 + }, + { + "value": "37DB034AE21206C4451CA1E72F6D031F77B7D0A27FF50009CFBECB868E7DE5C6", + "algorithm": "magic", + "algorithm_id": 99 + } + ], + "security_descriptor": "october surrey en" + }, + "uid": "290c11c6-a0cf-11ef-90cb-0242ac110007", + "cmd_line": "wires wheels mf", + "created_time": 1731399707910, + "parent_process": { + "name": "Petite", + "pid": 26, + "file": { + "name": "difficulty.deskthemepack", + "owner": { + "name": "Costa", + "type": "Unknown", + "uid": "290c33c2-a0cf-11ef-87c6-0242ac110007", + "type_id": 0, + "ldap_person": { + "manager": { + "name": "Genetics", + "type": "User", + "domain": "gotta shades electron", + "type_id": 1, + "account": { + "name": "hood consortium conversion", + "type": "Windows Account", + "uid": "290c4970-a0cf-11ef-8a6a-0242ac110007", + "labels": [ + "dose" + ], + "type_id": 2 + }, + "risk_level": "High", + "risk_level_id": 3 + }, + "created_time": 1731399707912, + "job_title": "bestsellers exactly diffs", + "leave_time": 1731399707912, + "surname": "responded pasta killed" + } + }, + "type": "Symbolic Link", + "path": "dimensions achieving ordinary/painting.sys/difficulty.deskthemepack", + "product": { + "name": "implications pizza christmas", + "version": "1.3.0", + 
"uid": "290c597e-a0cf-11ef-b883-0242ac110007", + "vendor_name": "amateur faith fell" + }, + "uid": "290c6086-a0cf-11ef-90f6-0242ac110007", + "ext": "transexuales sas operate", + "type_id": 7, + "accessor": { + "name": "Giants", + "type": "System", + "domain": "pressure girl facility", + "uid": "290c722e-a0cf-11ef-b5e2-0242ac110007", + "type_id": 3, + "full_name": "Marcene Goldie", + "risk_score": 35 + }, + "parent_folder": "dimensions achieving ordinary/painting.sys", + "confidentiality": "Restricted", + "confidentiality_id": 6, + "created_time": 1731399707913, + "hashes": [ + { + "value": "B7B6604452EAF6AB6947459B4FA35CDFDCA39605BF415F77DDD90B47B7AE74ACC2BD0AB274FFC18792A7B43A7EE661EA8098EA69E1D0483392690A4D0BFFA60D", + "algorithm": "quickXorHash", + "algorithm_id": 7 + } + ], + "is_system": true, + "xattributes": {} + }, + "user": { + "type": "eau", + "domain": "meaning feedback jan", + "uid": "290c8624-a0cf-11ef-97f7-0242ac110007", + "type_id": 99, + "credential_uid": "290c8e30-a0cf-11ef-9434-0242ac110007" + }, + "created_time": 1731399707913, + "parent_process": { + "name": "Yards", + "pid": 15, + "file": { + "name": "williams.xhtml", + "type": "Folder", + "path": "thailand diameter love/rachel.java/williams.xhtml", + "signature": { + "state": "diffs seasons conflicts", + "certificate": { + "version": "1.3.0", + "is_self_signed": false, + "subject": "ethernet suitable brandon", + "issuer": "optimization earliest differently", + "fingerprints": [ + { + "value": "BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878", + "algorithm": "SHA-512", + "algorithm_id": 4 + }, + { + "value": "DEE5E5BE829C1FF9E773E27CDA4A8960CAB5C8A6F392DA6ACCBACB430B13B9BC64822221325357EAA87B60D5F4474090332CD89561EBEC061294834301DF9AE9", + "algorithm": "TLSH", + "algorithm_id": 6 + } + ], + "created_time": 1731399707914, + "expiration_time": 1731399707914, + "serial_number": "photographer tax up" + }, + 
"algorithm": "RSA", + "algorithm_id": 2 + }, + "uid": "290cc5f8-a0cf-11ef-92a0-0242ac110007", + "ext": "alien cafe barriers", + "type_id": 2, + "parent_folder": "thailand diameter love/rachel.java", + "confidentiality": "Private", + "confidentiality_id": 5, + "hashes": [ + { + "value": "2B831F21DC87C2B301C73A0ACE1A47E607F1C5210E766355BD25B4E47948BBB20B677EE6C92C70765B352A0CCC29C89AB8D8D3489DEE0CCD7EDE26C6BDF6508F", + "algorithm": "TLSH", + "algorithm_id": 6 + } + ], + "security_descriptor": "se diabetes vitamin" + }, + "user": { + "name": "Caps", + "type": "System", + "uid": "290cd5ca-a0cf-11ef-80bf-0242ac110007", + "type_id": 3, + "full_name": "Eve Roger", + "account": { + "name": "clearing deviant confidential", + "type": "Apple Account", + "uid": "290ce038-a0cf-11ef-8ee9-0242ac110007", + "type_id": 8 + }, + "email_addr": "Renda@antivirus.int", + "uid_alt": "forced jvc archives" + }, + "uid": "290ce786-a0cf-11ef-9fc4-0242ac110007", + "cmd_line": "reuters revolution thermal", + "created_time": 1731399707916, + "lineage": [ + "settled household february", + "countries implemented chinese" + ], + "parent_process": { + "name": "Unions", + "pid": 41, + "file": { + "name": "groups.part", + "size": 2002602281, + "type": "Character Device", + "version": "1.3.0", + "path": "alice gnome diploma/consent.tex/groups.part", + "product": { + "name": "useful yen synopsis", + "version": "1.3.0", + "uid": "290d29f8-a0cf-11ef-a1a1-0242ac110007", + "feature": { + "name": "spider victor principle", + "version": "1.3.0", + "uid": "290d3420-a0cf-11ef-bd6a-0242ac110007" + }, + "url_string": "disagree", + "vendor_name": "ist covered rock" + }, + "uid": "290d3b32-a0cf-11ef-bdef-0242ac110007", + "ext": "glory regards somewhere", + "type_id": 3, + "company_name": "Melida Rosina", + "parent_folder": "alice gnome diploma/consent.tex", + "accessed_time": 1731399707918, + "confidentiality": "Restricted", + "confidentiality_id": 6, + "hashes": [ + { + "value": 
"A07C6F758C9EF024F836E2C0BD10FE9C43126081A22D73DD8040D8D179B10DEBE3BC9356500F5C7F0BA87256EFA37A673C190A0AC6F0BFC0529F9FC303878B00", + "algorithm": "TLSH", + "algorithm_id": 6 + } + ], + "security_descriptor": "isa action je" + }, + "user": { + "name": "Messaging", + "type": "System", + "uid": "290d4c1c-a0cf-11ef-8059-0242ac110007", + "type_id": 3, + "risk_level": "High", + "risk_level_id": 3 + }, + "uid": "290d52b6-a0cf-11ef-9425-0242ac110007", + "cmd_line": "rent seed gentleman", + "created_time": 1731399707918, + "lineage": [ + "pockets sponsor exactly", + "disability syntax print" + ], + "parent_process": { + "name": "Corrections", + "pid": 10, + "file": { + "name": "groove.xlsx", + "owner": { + "name": "February", + "type": "User", + "uid": "290d70de-a0cf-11ef-86d6-0242ac110007", + "type_id": 1, + "credential_uid": "290d775a-a0cf-11ef-afe6-0242ac110007", + "email_addr": "Helena@songs.net", + "risk_level": "High", + "risk_level_id": 3 + }, + "type": "Folder", + "version": "1.3.0", + "path": "announces contamination leisure/bits.kml/groove.xlsx", + "signature": { + "certificate": { + "version": "1.3.0", + "uid": "290d9a32-a0cf-11ef-b46e-0242ac110007", + "is_self_signed": false, + "subject": "conferences kingdom charge", + "issuer": "characterization relatively cas", + "fingerprints": [ + { + "value": "90F747EBF0E276407987570F6D39812AC53223E174E41CEDDD291A5F7136E3A6BEF9257C3C73FE3B92D5149E8E1C1BE08A61940CEB8AF03510E22E0492752C18", + "algorithm": "SHA-512", + "algorithm_id": 4 + }, + { + "value": "63C326C6244EB0474D3008256E1217754BD2B836E98C247D0A19A57BF2AB18C7FF3D6BF574DB7E31FED2EEC3DA9B7CB69EDDD8DC256FEB8D5E822F176D8444A9", + "algorithm": "CTPH", + "algorithm_id": 5 + } + ], + "created_time": 1731399707920, + "expiration_time": 1731399707920, + "serial_number": "seed stupid slide" + }, + "algorithm": "RSA", + "algorithm_id": 2, + "developer_uid": "290da806-a0cf-11ef-a0a5-0242ac110007" + }, + "ext": "retired penn graduated", + "type_id": 2, + "parent_folder": 
"announces contamination leisure/bits.kml", + "hashes": [ + { + "value": "2A7F70F5957828EEA5C62064B4EB2A32561EB5B3003D729F2605228F225A85EF528EF7666F79B2810432D7E39CB959670A2EA9B1EDEB258E107F47E68D114FEC", + "algorithm": "quickXorHash", + "algorithm_id": 7 + } + ], + "modified_time": 1731399707921 + }, + "user": { + "name": "Diagram", + "type": "System", + "domain": "existing jun treasury", + "uid": "290db904-a0cf-11ef-aa9a-0242ac110007", + "org": { + "name": "coding maria scenarios", + "uid": "290dc340-a0cf-11ef-9323-0242ac110007" + }, + "type_id": 3, + "risk_score": 79 + }, + "uid": "290dca20-a0cf-11ef-b98e-0242ac110007", + "cmd_line": "mechanical estimates again", + "created_time": 1731399707921, + "parent_process": { + "name": "Tabs", + "pid": 55, + "session": { + "uid": "290deae6-a0cf-11ef-b636-0242ac110007", + "issuer": "rat employer stadium", + "created_time": 1731399707922, + "credential_uid": "290df4e6-a0cf-11ef-9290-0242ac110007", + "expiration_time": 1731399707922, + "is_remote": true, + "is_vpn": true + }, + "file": { + "name": "integral.cpl", + "owner": { + "type": "sphere", + "domain": "entirely gale inc", + "type_id": 99, + "account": { + "name": "suits kim intellectual", + "type": "AWS IAM User", + "uid": "290e0f3a-a0cf-11ef-92a9-0242ac110007", + "type_id": 3 + }, + "risk_level": "carpet diamond departure", + "uid_alt": "meta spank counts" + }, + "size": 3671310304, + "type": "Symbolic Link", + "path": "normal holds match/terrible.iso/integral.cpl", + "modifier": { + "name": "Acids", + "type": "typing", + "type_id": 99 + }, + "uid": "290e1bec-a0cf-11ef-a719-0242ac110007", + "ext": "stated smooth principles", + "type_id": 7, + "company_name": "Jeremiah Sonny", + "parent_folder": "normal holds match/terrible.iso", + "hashes": [ + { + "value": "C449C98FCC2EDC7FE87FAF3FEF6C9D3F5499ACDC3BAC774F19D7B447B333103DCFED31CCAC83F9EE9D1E9601282E92EDA75DAEA8140D8C7EB9220338803C8D6E", + "algorithm": "Unknown", + "algorithm_id": 0 + } + ] + }, + "user": { + "name": 
"Reduce", + "type": "Admin", + "domain": "preceding expressions your", + "uid": "290e30c8-a0cf-11ef-8f59-0242ac110007", + "groups": [ + { + "name": "struggle photoshop walking", + "desc": "sleep quoted able", + "uid": "290e3b2c-a0cf-11ef-b7cf-0242ac110007" + }, + { + "name": "ethiopia evaluate lover", + "desc": "partition sound composition" + } + ], + "type_id": 2, + "full_name": "Marisha Wesley", + "ldap_person": { + "cost_center": "spank universal techniques", + "deleted_time": 1731399707924, + "ldap_cn": "sight tale town", + "leave_time": 1731399707924, + "modified_time": 1731399707924 + } + }, + "uid": "290e4748-a0cf-11ef-8355-0242ac110007", + "cmd_line": "flower arrest reveal", + "created_time": 1731399707925, + "parent_process": { + "name": "Dip", + "pid": 99, + "session": { + "uid": "290e5cb0-a0cf-11ef-8142-0242ac110007", + "uuid": "290e63f4-a0cf-11ef-942e-0242ac110007", + "issuer": "spirits up oral", + "expiration_time": 1731399707925, + "is_mfa": false, + "is_remote": true + }, + "file": { + "name": "fantasy.m4v", + "owner": { + "name": "Worse", + "type": "User", + "uid": "290e7628-a0cf-11ef-8429-0242ac110007", + "groups": [ + { + "name": "pierce deutschland scout", + "type": "sacred mongolia edt", + "uid": "290e8712-a0cf-11ef-b60b-0242ac110007" + } + ], + "type_id": 1, + "full_name": "Tomika Renato" + }, + "type": "Regular File", + "path": "approaches malpractice basics/lifetime.dxf/fantasy.m4v", + "desc": "loops charm mpegs", + "ext": "pork picked investigations", + "type_id": 1, + "parent_folder": "approaches malpractice basics/lifetime.dxf", + "accessed_time": 1731399707926, + "confidentiality": "subjective", + "confidentiality_id": 99, + "hashes": [ + { + "value": "DB1A6CE0E4C6F3924C7CCA74924F4B0EF8BC0031", + "algorithm": "SHA-1", + "algorithm_id": 2 + }, + { + "value": "2B9A99087B9991B5EAD9406E2CAC8DA385815E6C3FA4DA96E1487782280E8E82FDBD3536F85994E271610D72C5A62E6F027E0CD37DA05806289882A1440BD441", + "algorithm": "Unknown", + "algorithm_id": 0 + } + 
], + "xattributes": {} + }, + "user": { + "name": "Expects", + "type": "System", + "domain": "blade keith manga", + "uid": "290e9ba8-a0cf-11ef-9a18-0242ac110007", + "type_id": 3, + "account": { + "name": "swedish ol flexible", + "type": "GCP Account", + "uid": "290ea6ca-a0cf-11ef-9b3b-0242ac110007", + "type_id": 5 + }, + "risk_level": "world feelings championships" + }, + "uid": "290eadbe-a0cf-11ef-9668-0242ac110007", + "cmd_line": "iowa gear scheduling", + "created_time": 1731399707927, + "integrity": "Medium", + "integrity_id": 3, + "lineage": [ + "maximize associations reynolds" + ], + "parent_process": { + "name": "Themes", + "pid": 45, + "file": { + "name": "designers.rpm", + "type": "Named Pipe", + "path": "votes year mice/fort.gpx/designers.rpm", + "uid": "290edaaa-a0cf-11ef-aa5d-0242ac110007", + "ext": "keyboards yet ask", + "type_id": 6, + "mime_type": "motorola/patrick", + "parent_folder": "votes year mice/fort.gpx", + "created_time": 1731399707928, + "hashes": [ + { + "value": "02FA8D46FB2AC65EE42912604250A146AF74C6B8CFF1ACD09BC5F460FB9850CAD2674F76F982ED052C78D178196ED4C10256E2BC50E191DBB82F625CAD071090", + "algorithm": "Unknown", + "algorithm_id": 0 + }, + { + "value": "BA1DB3B5141AA0FBF3DD4F6839F49B0B88809121634B4BB39272A838924DDEA2E4D1EBDB9E5F8F8AD90243DBD2A7D2D5497D828BD12E5590FB27483AA1287CD3", + "algorithm": "quickXorHash", + "algorithm_id": 7 + } + ], + "modified_time": 1731399707928 + }, + "user": { + "name": "Ongoing", + "uid": "290ee9a0-a0cf-11ef-ac76-0242ac110007", + "credential_uid": "290ef076-a0cf-11ef-adb8-0242ac110007" + }, + "tid": 6, + "uid": "290ef99a-a0cf-11ef-a3ec-0242ac110007", + "cmd_line": "correction weapon gaming", + "created_time": 1731399707929, + "parent_process": { + "name": "Voyeurweb", + "pid": 45, + "file": { + "name": "varied.php", + "type": "Named Pipe", + "path": "mba francis sony/tend.xml/varied.php", + "signature": { + "certificate": { + "version": "1.3.0", + "is_self_signed": true, + "subject": "undo nickname stay", 
+ "issuer": "yugoslavia how precisely", + "fingerprints": [ + { + "value": "BD87A5FFC4117A0F11094CA6BA6A838013BE215959B7358980553B0360822DD67CACADAFA42D71AB48C4EA3EED5F2491D079661CEB0A7694FFA439EB7743CC04", + "algorithm": "quickXorHash", + "algorithm_id": 7 + }, + { + "value": "4194D1706ED1F408D5E02D672777019F4D5385C766A8C6CA8ACBA3167D36A7B9", + "algorithm": "SHA-256", + "algorithm_id": 3 + } + ], + "created_time": 1731399707930, + "expiration_time": 1731399707930, + "serial_number": "extraction cabin lions" + }, + "algorithm": "Unknown", + "algorithm_id": 0, + "created_time": 1731399707930 + }, + "ext": "nicholas doing fraud", + "type_id": 6, + "mime_type": "nextel/himself", + "parent_folder": "mba francis sony/tend.xml", + "hashes": [ + { + "value": "21EA6263C16406DFC344CF7CB2A129B97FD2ECF367C828208CBBEDA6599B989F6C2C3DCB1BDF581ABC97201CF64FFBC0D7415F00564F6D80A92C7FFE7037894C", + "algorithm": "SHA-512", + "algorithm_id": 4 + }, + { + "value": "7ED6BDBCCADC1CB9DFEA88CA33B6A9346EAE030FF7E9FADD4C23359C0EA7390D", + "algorithm": "magic", + "algorithm_id": 99 + } + ], + "security_descriptor": "islands interventions removable", + "xattributes": {} + }, + "user": { + "name": "Soldier", + "type": "User", + "uid": "290f2596-a0cf-11ef-8caf-0242ac110007", + "type_id": 1, + "account": { + "name": "ford doug cigarette", + "type": "Mac OS Account", + "uid": "290f3090-a0cf-11ef-9ad3-0242ac110007", + "type_id": 7 + } + }, + "uid": "290f36e4-a0cf-11ef-bdab-0242ac110007", + "cmd_line": "generally alberta anthropology", + "created_time": 1731399707931, + "parent_process": { + "name": "Spirits", + "pid": 86, + "file": { + "name": "flights.flv", + "type": "Regular File", + "version": "1.3.0", + "path": "str inner working/pose.h/flights.flv", + "ext": "general became bermuda", + "type_id": 1, + "parent_folder": "str inner working/pose.h", + "hashes": [ + { + "value": 
"DC684E0A948E820C9B32AE34F0E147CCCAEAB3646C95D1FBF6E5EA257B9107251945EB892CD81A3750D89799ADF86C76382C60E73A85B10D110CE39164882C8F", + "algorithm": "SHA-512", + "algorithm_id": 4 + }, + { + "value": "CCD823CAF8108F62C012B02D4C233DA76EACF9FDEA959B9DD909ADF1ECC01BD5F184FC7904184E5A6F296850D7102AAF79E8606629B877723DEC951A67E1B193", + "algorithm": "quickXorHash", + "algorithm_id": 7 + } + ], + "modified_time": 1731399707932 + }, + "uid": "290f6ac4-a0cf-11ef-bc5e-0242ac110007", + "cmd_line": "sense terrorism hl", + "created_time": 1731399707932, + "parent_process": { + "name": "Moving", + "pid": 43, + "file": { + "attributes": 25, + "name": "comparison.pages", + "owner": { + "name": "Infringement", + "type": "User", + "uid": "290f864e-a0cf-11ef-9828-0242ac110007", + "groups": [ + { + "name": "coordinate registration browse", + "desc": "attorney ya walked", + "uid": "290f974c-a0cf-11ef-a918-0242ac110007" + } + ], + "type_id": 1, + "risk_level": "Critical", + "risk_level_id": 4, + "risk_score": 55, + "uid_alt": "licenses cir vacancies" + }, + "type": "Unknown", + "path": "lows fc focusing/canvas.pptx/comparison.pages", + "modifier": { + "type": "User", + "uid": "290fa3ea-a0cf-11ef-b1b2-0242ac110007", + "groups": [ + { + "name": "bedroom positions win", + "desc": "amazon feof extras", + "uid": "290fae44-a0cf-11ef-9db8-0242ac110007" + }, + { + "name": "came swingers colon", + "uid": "290fb646-a0cf-11ef-b3ed-0242ac110007" + } + ], + "type_id": 1, + "ldap_person": { + "employee_uid": "290fc050-a0cf-11ef-aac9-0242ac110007", + "job_title": "constitutional ricky jonathan", + "ldap_dn": "marketplace ranch counting" + }, + "risk_score": 0, + "uid_alt": "riding indicate wiley" + }, + "ext": "specification cialis inherited", + "type_id": 0, + "parent_folder": "lows fc focusing/canvas.pptx", + "confidentiality": "engineers families bull", + "hashes": [ + { + "value": "F081F7B8D4310E67A7572F60B6070A3034D5F1AE1465B3FE4F8DAFCA9213A0E3", + "algorithm": "SHA-256", + "algorithm_id": 3 + }, 
+ { + "value": "EAF741D48E0F26CA709BF17829C53A65D420FBD1F01B0F87BDE25230F1FF332E3D2BE89488F8277FA4B22FF53CC04FF382B19F42B7AC34C3EA5A0C0A89B19FCA", + "algorithm": "CTPH", + "algorithm_id": 5 + } + ] + }, + "user": { + "name": "Worn", + "type": "Admin", + "domain": "threatening parks application", + "uid": "290fd5fe-a0cf-11ef-ab0d-0242ac110007", + "type_id": 2, + "risk_level": "High", + "risk_level_id": 3 + }, + "uid": "290fde14-a0cf-11ef-9211-0242ac110007", + "loaded_modules": [ + "/yacht/payday/singer/stretch/hungry.heic", + "/fa/bumper/represents/studio/shipments.ttf" + ], + "cmd_line": "shopping appendix deluxe", + "created_time": 1731399707935, + "terminated_time": 1731399707935 + }, + "xattributes": {} + }, + "xattributes": {} + }, + "terminated_time": 1731399707935 + } + }, + "terminated_time": 1731399707935 + } + } + }, + "terminated_time": 1731399707935 + }, + "sandbox": "snowboard lookup done" + } + } + } + }, + "sandbox": "broke alternatives excessive", + "xattributes": {} + }, + "sandbox": "mba ambassador shopping" + } + }, + "terminated_time": 1731399707935 + } + }, + "user": { + "name": "Hearing", + "type": "Admin", + "domain": "thinking answered refurbished", + "uid": "290fefee-a0cf-11ef-ba87-0242ac110007", + "type_id": 2, + "ldap_person": { + "email_addrs": [ + "Melodee@automotive.mobi", + "Lulu@baby.name" + ], + "employee_uid": "290ffac0-a0cf-11ef-a362-0242ac110007", + "leave_time": 1731399707936, + "office_location": "podcast cds lloyd" + }, + "risk_level": "Low", + "risk_level_id": 1, + "risk_score": 22 + } + }, + "severity_id": 3, + "status_code": "present", + "status_detail": "shade accidents alice", + "status_id": 2, + "win_service": { + "name": "balance pgp seasonal", + "version": "1.3.0", + "uid": "29101582-a0cf-11ef-a560-0242ac110007", + "cmd_line": "honduras usa fact", + "service_dependencies": [ + "enhancements occupations cause", + "sw verification promotion" + ], + "service_start_type": "Auto", + "service_start_type_id": 3, + 
"service_start_name": "golden thumbs crest" + } + } + ``` + + + === "test_account_change_1" diff --git a/_shared_content/operations_center/integrations/generated/b502e522-6996-4b12-9538-f69326b68243.md b/_shared_content/operations_center/integrations/generated/b502e522-6996-4b12-9538-f69326b68243.md new file mode 100644 index 0000000000..adf8855e64 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/b502e522-6996-4b12-9538-f69326b68243.md 
@@ -0,0 +1,752 @@ + +### Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Application logs` | activites performed on SentinelOne infrastructure are logged | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `alert` | +| Category | `intrusion_detection` | +| Type | `info` | + + + + +### Transformed Events Samples after Ingestion + +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. 
+ +=== "test_alert_1.json" + + ```json + + { + "message": "{\n \"id\": \"ba485919-e4c1-4496-9e2f-feb320f6841a\",\n \"name\": \"Domain Controller Discovery Detected\",\n \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\",\n \"detectedAt\": \"2024-11-22T05:35:09.000Z\",\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"status\": \"NEW\",\n \"assignee\": null,\n \"classification\": \"ENUMERATION\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"firstSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"lastSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"process\": {\n \"cmdLine\": \"C:\\\\Windows\\\\system32\\\\net1 group \\\"Domain Controllers\\\" /domain\",\n \"file\": {\n \"path\": \"c:\\\\windows\\\\system32\\\\net1.exe\",\n \"sha1\": null,\n \"sha256\": \"18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398\",\n \"md5\": null\n },\n \"parentName\": null\n },\n \"result\": null,\n \"storylineId\": null\n}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T05:35:09Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T05:35:09Z", + "type": "info" + }, + "@timestamp": "2024-11-22T05:35:09Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "C:\\Windows\\system32\\net1 group \"Domain Controllers\" /domain", + "executable": "c:\\windows\\system32\\net1.exe", + "hash": { + "sha256": "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398" + }, + "name": "net1.exe" + }, + "related": { + "hash": [ + "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + 
"classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "ba485919-e4c1-4496-9e2f-feb320f6841a", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } + + ``` + + +=== "test_alert_10.json" + + ```json + + { + "message": "{\"id\": \"01935322-7b49-71f0-89e0-f52562c26e53\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:09:48.731Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:09:48.731Z\", \"lastSeenAt\": \"2024-11-22T09:09:48.731Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:09:48.731000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T09:09:48.731000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:09:48.731000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935322-7b49-71f0-89e0-f52562c26e53", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } + + ``` + + +=== "test_alert_11.json" + + ```json + + { + "message": "{\"id\": \"01935310-d00e-7616-81b9-fcb227ebb13d\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active 
Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:51Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T08:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:51Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-d00e-7616-81b9-fcb227ebb13d", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } + + ``` + + +=== "test_alert_12.json" + + ```json + + { + "message": "{\"id\": \"01935310-eb28-7a57-9c27-87843b2cec61\", \"name\": \"AD Service Account Enumeration Detected\", \"description\": \"This event is generated 
when LDAP queries for enumerating service accounts are detected from an endpoint.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:51Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.", + "start": "2024-11-22T08:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:51Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-eb28-7a57-9c27-87843b2cec61", + "name": "AD Service Account Enumeration Detected", + "status": "NEW" + } + } + } + + ``` + + +=== "test_alert_13.json" + + ```json + + { + "message": "{\"id\": \"01935310-c715-72c9-bbd9-dc1ff6a7ff1e\", \"name\": \"AD Domain Computer Enumeration Detected\", 
\"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-c715-72c9-bbd9-dc1ff6a7ff1e", + "name": "AD Domain Computer Enumeration Detected", + "status": "NEW" + } + } + } + + ``` + + +=== "test_alert_14.json" + + ```json + + { + "message": "{\"id\": 
\"01935310-cb9b-770e-96ee-632d4d21520b\", \"name\": \"AD ACL Enumeration\", \"description\": \"This event is generated when a command used to query or read the ACL's\\\\ Permission of any object in Active Directory.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is generated when a command used to query or read the ACL's\\ Permission of any object in Active Directory.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-cb9b-770e-96ee-632d4d21520b", + "name": "AD ACL Enumeration", + "status": "NEW" + } + } + } + + ``` + + +=== "test_alert_15.json" + + ```json + + { + 
"message": "{\"id\": \"01935310-d4ba-7131-9e08-defa8b3aeb52\", \"name\": \"Domain Users Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-d4ba-7131-9e08-defa8b3aeb52", + "name": "Domain Users Enumeration Detected", + "status": "NEW" + } + } + } + + ``` + + +=== 
"test_alert_2.json" + + ```json + + { + "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": "Identity", + "reason": "This events is raised when a LDAP search Query is detected from the endpoint.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-dc47-75de-8925-5f026bd5a705", + "name": "LDAP Search Detected", + "status": "NEW" + } + } + } + + ``` + + +=== "test_alert_3.json" + + ```json + + { + "message": "{\"id\": 
\"01935359-3eda-7903-93fc-af6a0e5d0a8f\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:37.779Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:37.779Z\", \"lastSeenAt\": \"2024-11-22T10:09:37.779Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T10:09:37.779000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T10:09:37.779000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T10:09:37.779000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935359-3eda-7903-93fc-af6a0e5d0a8f", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } + + ``` + + +=== "test_alert_4.json" + + ```json + + { + "message": "{\"id\": \"01935358-ee81-7eb7-b57f-022c6f0019a9\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:17.184Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", 
\"firstSeenAt\": \"2024-11-22T10:09:17.184Z\", \"lastSeenAt\": \"2024-11-22T10:09:17.184Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T10:09:17.184000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T10:09:17.184000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T10:09:17.184000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935358-ee81-7eb7-b57f-022c6f0019a9", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } + + ``` + + +=== "test_alert_5.json" + + ```json + + { + "message": "{\"id\": \"0193534d-63c1-7497-b854-b883425af3f5\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:54:58.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:54:58.000Z\", \"lastSeenAt\": \"2024-11-22T09:54:58.000Z\", \"process\": {\"cmdLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\", \"file\": {\"path\": \"c:\\\\windows\\\\system32\\\\cmd.exe\", \"sha1\": null, \"sha256\": \"4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:54:58Z", + "kind": 
"alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T09:54:58Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:54:58Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "\"C:\\Windows\\system32\\cmd.exe\"", + "executable": "c:\\windows\\system32\\cmd.exe", + "hash": { + "sha256": "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22" + }, + "name": "cmd.exe" + }, + "related": { + "hash": [ + "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "0193534d-63c1-7497-b854-b883425af3f5", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } + + ``` + + +=== "test_alert_6.json" + + ```json + + { + "message": "{\"id\": \"01935347-abf7-7457-8467-e3443470e6f3\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": 
"intrusion_detection", + "end": "2024-11-22T09:45:51Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.", + "start": "2024-11-22T09:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:45:51Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935347-abf7-7457-8467-e3443470e6f3", + "name": "AD Domain Computer Enumeration Detected", + "status": "NEW" + } + } + } + + ``` + + +=== "test_alert_7.json" + + ```json + + { + "message": "{\"id\": \"01935347-b05a-7d28-a929-5294ee16628a\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": 
null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:45:51Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T09:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:45:51Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935347-b05a-7d28-a929-5294ee16628a", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } + + ``` + + +=== "test_alert_8.json" + + ```json + + { + "message": "{\"id\": \"01935342-d073-7ed0-8c5e-2373fc013310\", \"name\": \"Default Admin Account Usage\", \"description\": \"This event is raised for default administrator account logon anywhere in the domain.\", \"detectedAt\": \"2024-11-22T09:45:07.655Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:07.655Z\", \"lastSeenAt\": \"2024-11-22T09:45:07.655Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:45:07.655000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised for default 
administrator account logon anywhere in the domain.", + "start": "2024-11-22T09:45:07.655000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:45:07.655000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935342-d073-7ed0-8c5e-2373fc013310", + "name": "Default Admin Account Usage", + "status": "NEW" + } + } + } + + ``` + + +=== "test_alert_9.json" + + ```json + + { + "message": "{\"id\": \"01935322-cc3a-76cc-890b-a1c2d1b815d4\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:10:09.467Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:10:09.467Z\", \"lastSeenAt\": \"2024-11-22T09:10:09.467Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:10:09.467000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T09:10:09.467000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:10:09.467000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935322-cc3a-76cc-890b-a1c2d1b815d4", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } 
+ + ``` + + + + + +### Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.provider` | `keyword` | Source of the event. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`process.command_line` | `wildcard` | Full command line that started the process. | +|`process.executable` | `keyword` | Absolute path to the process executable. | +|`process.hash.md5` | `keyword` | MD5 hash. | +|`process.hash.sha1` | `keyword` | SHA1 hash. | +|`process.hash.sha256` | `keyword` | SHA256 hash. | +|`process.name` | `keyword` | Process name. | +|`process.parent.name` | `keyword` | Process name. 
| +|`sentinelone.identity.attackSurfaces` | `keyword` | | +|`sentinelone.identity.classification` | `keyword` | | +|`sentinelone.identity.confidenceLevel` | `keyword` | | +|`sentinelone.identity.id` | `keyword` | | +|`sentinelone.identity.name` | `keyword` | | +|`sentinelone.identity.result` | `keyword` | | +|`sentinelone.identity.status` | `keyword` | | +|`sentinelone.identity.storyLineId` | `keyword` | | + + + +For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/SentinelOne/identity). \ No newline at end of file diff --git a/_shared_content/operations_center/integrations/generated/b502e522-6996-4b12-9538-f69326b68243_sample.md b/_shared_content/operations_center/integrations/generated/b502e522-6996-4b12-9538-f69326b68243_sample.md new file mode 100644 index 0000000000..89dfb3dcab --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/b502e522-6996-4b12-9538-f69326b68243_sample.md 
@@ -0,0 +1,531 @@ + +### Raw Events Samples + +In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. + + +=== "test_alert_1" + + + ```json + { + "id": "ba485919-e4c1-4496-9e2f-feb320f6841a", + "name": "Domain Controller Discovery Detected", + "description": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "detectedAt": "2024-11-22T05:35:09.000Z", + "attackSurfaces": [ + "IDENTITY" + ], + "detectionSource": { + "product": "Identity" + }, + "status": "NEW", + "assignee": null, + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "firstSeenAt": "2024-11-22T05:35:09.000Z", + "lastSeenAt": "2024-11-22T05:35:09.000Z", + "process": { + "cmdLine": "C:\\Windows\\system32\\net1 group \"Domain Controllers\" /domain", + "file": { + "path": "c:\\windows\\system32\\net1.exe", + "sha1": null, + "sha256": "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398", + "md5": null + }, + "parentName": null + }, + "result": null, + "storylineId": null + } + ``` + + + +=== "test_alert_10" + + + ```json + { + "id": "01935322-7b49-71f0-89e0-f52562c26e53", + "name": "Brute force attack - Mass Account Lockout", + "description": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "detectedAt": "2024-11-22T09:09:48.731Z", + "attackSurfaces": [ + "IDENTITY" + ], + "detectionSource": { + "product": "Identity" + }, + "status": "NEW", + "assignee": null, + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "firstSeenAt": "2024-11-22T09:09:48.731Z", + "lastSeenAt": "2024-11-22T09:09:48.731Z", + "process": null, + "result": 
null, + "storylineId": null + } + ``` + + + +=== "test_alert_11" + + + ```json + { + "id": "01935310-d00e-7616-81b9-fcb227ebb13d", + "name": "Domain Controller Discovery Detected", + "description": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "detectedAt": "2024-11-22T08:45:51.000Z", + "attackSurfaces": [ + "IDENTITY" + ], + "detectionSource": { + "product": "Identity" + }, + "status": "NEW", + "assignee": null, + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "firstSeenAt": "2024-11-22T08:45:51.000Z", + "lastSeenAt": "2024-11-22T08:45:51.000Z", + "process": { + "cmdLine": "Sharphound.exe", + "file": { + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "sha1": null, + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863", + "md5": null + }, + "parentName": null + }, + "result": null, + "storylineId": null + } + ``` + + + +=== "test_alert_12" + + + ```json + { + "id": "01935310-eb28-7a57-9c27-87843b2cec61", + "name": "AD Service Account Enumeration Detected", + "description": "This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.", + "detectedAt": "2024-11-22T08:45:51.000Z", + "attackSurfaces": [ + "IDENTITY" + ], + "detectionSource": { + "product": "Identity" + }, + "status": "NEW", + "assignee": null, + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "firstSeenAt": "2024-11-22T08:45:51.000Z", + "lastSeenAt": "2024-11-22T08:45:51.000Z", + "process": { + "cmdLine": "Sharphound.exe", + "file": { + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "sha1": null, + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863", + "md5": null + }, + "parentName": null + }, + "result": null, + "storylineId": null + } + ``` + + + +=== "test_alert_13" + + + ```json + { + "id": 
"01935310-c715-72c9-bbd9-dc1ff6a7ff1e", + "name": "AD Domain Computer Enumeration Detected", + "description": "This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.", + "detectedAt": "2024-11-22T08:45:50.000Z", + "attackSurfaces": [ + "IDENTITY" + ], + "detectionSource": { + "product": "Identity" + }, + "status": "NEW", + "assignee": null, + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "firstSeenAt": "2024-11-22T08:45:50.000Z", + "lastSeenAt": "2024-11-22T08:45:50.000Z", + "process": { + "cmdLine": "Sharphound.exe", + "file": { + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "sha1": null, + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863", + "md5": null + }, + "parentName": null + }, + "result": null, + "storylineId": null + } + ``` + + + +=== "test_alert_14" + + + ```json + { + "id": "01935310-cb9b-770e-96ee-632d4d21520b", + "name": "AD ACL Enumeration", + "description": "This event is generated when a command used to query or read the ACL's\\ Permission of any object in Active Directory.", + "detectedAt": "2024-11-22T08:45:50.000Z", + "attackSurfaces": [ + "IDENTITY" + ], + "detectionSource": { + "product": "Identity" + }, + "status": "NEW", + "assignee": null, + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "firstSeenAt": "2024-11-22T08:45:50.000Z", + "lastSeenAt": "2024-11-22T08:45:50.000Z", + "process": { + "cmdLine": "Sharphound.exe", + "file": { + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "sha1": null, + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863", + "md5": null + }, + "parentName": null + }, + "result": null, + "storylineId": null + } + ``` + + + +=== "test_alert_15" + + + ```json + { + "id": "01935310-d4ba-7131-9e08-defa8b3aeb52", + "name": "Domain Users Enumeration Detected", + "description": "This event is raised when there is a 
query from an endpoint to dump all the users in the Active Directory Domain.", + "detectedAt": "2024-11-22T08:45:50.000Z", + "attackSurfaces": [ + "IDENTITY" + ], + "detectionSource": { + "product": "Identity" + }, + "status": "NEW", + "assignee": null, + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "firstSeenAt": "2024-11-22T08:45:50.000Z", + "lastSeenAt": "2024-11-22T08:45:50.000Z", + "process": { + "cmdLine": "Sharphound.exe", + "file": { + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "sha1": null, + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863", + "md5": null + }, + "parentName": null + }, + "result": null, + "storylineId": null + } + ``` + + + +=== "test_alert_2" + + + ```json + { + "id": "01935310-dc47-75de-8925-5f026bd5a705", + "name": "LDAP Search Detected", + "description": "This events is raised when a LDAP search Query is detected from the endpoint.", + "detectedAt": "2024-11-22T08:45:50.000Z", + "attackSurfaces": [ + "IDENTITY" + ], + "detectionSource": { + "product": "Identity" + }, + "status": "NEW", + "assignee": null, + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "firstSeenAt": "2024-11-22T08:45:50.000Z", + "lastSeenAt": "2024-11-22T08:45:50.000Z", + "process": { + "cmdLine": "Sharphound.exe", + "file": { + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "sha1": null, + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863", + "md5": null + }, + "parentName": null + }, + "result": null, + "storylineId": null + } + ``` + + + +=== "test_alert_3" + + + ```json + { + "id": "01935359-3eda-7903-93fc-af6a0e5d0a8f", + "name": "Brute force attack - Mass Account Lockout", + "description": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "detectedAt": "2024-11-22T10:09:37.779Z", + "attackSurfaces": [ + "IDENTITY" + 
], + "detectionSource": { + "product": "Identity" + }, + "status": "NEW", + "assignee": null, + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "firstSeenAt": "2024-11-22T10:09:37.779Z", + "lastSeenAt": "2024-11-22T10:09:37.779Z", + "process": null, + "result": null, + "storylineId": null + } + ``` + + + +=== "test_alert_4" + + + ```json + { + "id": "01935358-ee81-7eb7-b57f-022c6f0019a9", + "name": "Brute force attack - Mass Account Lockout", + "description": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "detectedAt": "2024-11-22T10:09:17.184Z", + "attackSurfaces": [ + "IDENTITY" + ], + "detectionSource": { + "product": "Identity" + }, + "status": "NEW", + "assignee": null, + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "firstSeenAt": "2024-11-22T10:09:17.184Z", + "lastSeenAt": "2024-11-22T10:09:17.184Z", + "process": null, + "result": null, + "storylineId": null + } + ``` + + + +=== "test_alert_5" + + + ```json + { + "id": "0193534d-63c1-7497-b854-b883425af3f5", + "name": "Domain Controller Discovery Detected", + "description": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "detectedAt": "2024-11-22T09:54:58.000Z", + "attackSurfaces": [ + "IDENTITY" + ], + "detectionSource": { + "product": "Identity" + }, + "status": "NEW", + "assignee": null, + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "firstSeenAt": "2024-11-22T09:54:58.000Z", + "lastSeenAt": "2024-11-22T09:54:58.000Z", + "process": { + "cmdLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "file": { + "path": "c:\\windows\\system32\\cmd.exe", + "sha1": null, + "sha256": "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22", + "md5": null + }, + "parentName": null + }, + "result": null, + "storylineId": null + } + ``` + + + +=== "test_alert_6" + + + 
```json + { + "id": "01935347-abf7-7457-8467-e3443470e6f3", + "name": "AD Domain Computer Enumeration Detected", + "description": "This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.", + "detectedAt": "2024-11-22T09:45:51.000Z", + "attackSurfaces": [ + "IDENTITY" + ], + "detectionSource": { + "product": "Identity" + }, + "status": "NEW", + "assignee": null, + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "firstSeenAt": "2024-11-22T09:45:51.000Z", + "lastSeenAt": "2024-11-22T09:45:51.000Z", + "process": { + "cmdLine": "Sharphound.exe", + "file": { + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "sha1": null, + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863", + "md5": null + }, + "parentName": null + }, + "result": null, + "storylineId": null + } + ``` + + + +=== "test_alert_7" + + + ```json + { + "id": "01935347-b05a-7d28-a929-5294ee16628a", + "name": "Domain Controller Discovery Detected", + "description": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "detectedAt": "2024-11-22T09:45:51.000Z", + "attackSurfaces": [ + "IDENTITY" + ], + "detectionSource": { + "product": "Identity" + }, + "status": "NEW", + "assignee": null, + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "firstSeenAt": "2024-11-22T09:45:51.000Z", + "lastSeenAt": "2024-11-22T09:45:51.000Z", + "process": { + "cmdLine": "Sharphound.exe", + "file": { + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "sha1": null, + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863", + "md5": null + }, + "parentName": null + }, + "result": null, + "storylineId": null + } + ``` + + + +=== "test_alert_8" + + + ```json + { + "id": "01935342-d073-7ed0-8c5e-2373fc013310", + "name": "Default Admin Account Usage", + 
"description": "This event is raised for default administrator account logon anywhere in the domain.", + "detectedAt": "2024-11-22T09:45:07.655Z", + "attackSurfaces": [ + "IDENTITY" + ], + "detectionSource": { + "product": "Identity" + }, + "status": "NEW", + "assignee": null, + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "firstSeenAt": "2024-11-22T09:45:07.655Z", + "lastSeenAt": "2024-11-22T09:45:07.655Z", + "process": null, + "result": null, + "storylineId": null + } + ``` + + + +=== "test_alert_9" + + + ```json + { + "id": "01935322-cc3a-76cc-890b-a1c2d1b815d4", + "name": "Brute force attack - Mass Account Lockout", + "description": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "detectedAt": "2024-11-22T09:10:09.467Z", + "attackSurfaces": [ + "IDENTITY" + ], + "detectionSource": { + "product": "Identity" + }, + "status": "NEW", + "assignee": null, + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "firstSeenAt": "2024-11-22T09:10:09.467Z", + "lastSeenAt": "2024-11-22T09:10:09.467Z", + "process": null, + "result": null, + "storylineId": null + } + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md index 804eb216e9..d9b2264c94 100644 --- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md +++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md @@ -74,6 +74,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, 
@@ -171,6 +172,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -271,6 +273,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -347,6 +350,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, @@ -517,6 +521,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, @@ -640,6 +645,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, @@ -786,6 +792,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, @@ -922,6 +929,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, @@ -979,6 +987,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "record_type": 36, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -1048,6 +1057,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Succeeded", "user_type": { "code": 5, + "is_external": false, "name": "Application" } }, @@ -1103,6 +1113,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Successful", "user_type": { "code": 2, + "is_external": false, "name": "Admin" } }, 
@@ -1161,6 +1172,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, @@ -1230,6 +1242,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -1293,6 +1306,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -1366,6 +1380,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -1492,6 +1507,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -1569,6 +1585,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, 
@@ -1600,6 +1617,111 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "external_user.json" + + ```json + + { + "message": "{\"AppAccessContext\": {\"ClientAppName\": \"MeTA\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\"}, \"CreationTime\": \"2024-11-29T12:31:12\", \"Id\": \"609745a8-8ec0-4305-8607-fa95f45cf370\", \"Operation\": \"FileDownloaded\", \"OrganizationId\": \"eda474c4-ddfd-4ecd-85ff-3103a09b118d\", \"RecordType\": 6, \"UserKey\": \"urn:spo:guest:hash#aGVsbG8gdGhlcmUK\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"OneDrive\", \"ClientIP\": \"1.2.3.4\", \"UserId\": \"urn:spo:guest#john.doe@example.com\", \"AuthenticationType\": \"OAuth\", \"BrowserName\": \"\", \"BrowserVersion\": \"\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\", \"DoNotDistributeEvent\": true, \"EventSource\": \"SharePoint\", \"GeoLocation\": \"EUR\", \"IsManagedDevice\": false, \"ItemType\": \"File\", \"ListId\": \"56391ee5-91aa-44f9-810e-a5dc47abbb02\", \"ListItemUniqueId\": \"1d91eda8-2918-42f0-8f2b-88dd9aaffcdf\", \"Platform\": \"Service\", \"Site\": \"582d798a-ba87-4a78-8792-87db9262b0a3\", \"UserAgent\": \"OneDriveMpc-Transform_Zip/1.0\", \"UserSessionId\": \"b332294a-fad5-45a0-8761-63922a2544bf\", \"WebId\": \"ead1e78b-1d0c-4251-920a-f4fb48fce5e2\", \"DeviceDisplayName\": \"5.6.7.8\", \"EventSignature\": \"SOME_SIGNATURE\", \"FileSizeBytes\": 26860827, \"HighPriorityMediaProcessing\": false, \"ListBaseType\": 1, \"ListServerTemplate\": 700, \"SourceFileExtension\": \"zip\", \"ZipFileName\": \"1.zip\", \"SiteUrl\": \"https://example.com/\", \"SourceRelativeUrl\": \"Documents/IMT MBA\", \"SourceFileName\": \"1.zip\", \"ApplicationDisplayName\": \"MeTA\", \"ObjectId\": \"https://example.com/1.zip\"}", + "event": { + "action": "FileDownloaded", + "category": [ + "file" + ], + "code": "6", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-29T12:31:12Z", + "action": { + "id": 6, 
+ "name": "FileDownloaded", + "outcome": "success", + "properties": [ + { + "SiteUrl": "https://example.com/", + "SourceFileName": "1.zip", + "SourceRelativeUrl": "Documents/IMT MBA", + "UserAgent": "OneDriveMpc-Transform_Zip/1.0" + } + ], + "target": "user" + }, + "file": { + "directory": "Documents/IMT MBA", + "extension": "zip", + "name": "1.zip", + "size": 26860827 + }, + "office365": { + "audit": { + "object_id": "https://example.com/1.zip" + }, + "context": { + "client": { + "name": "MeTA" + }, + "correlation": { + "id": "27de65c0-1c43-4d70-9a4d-45a66418dbd6" + } + }, + "record_type": 6, + "user_type": { + "code": 0, + "is_external": true, + "name": "Regular" + } + }, + "organization": { + "id": "eda474c4-ddfd-4ecd-85ff-3103a09b118d" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@example.com" + ] + }, + "service": { + "name": "OneDrive" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "example.com", + "full": "https://example.com/1.zip", + "original": "https://example.com/1.zip", + "path": "/1.zip", + "port": 443, + "registered_domain": "example.com", + "scheme": "https", + "top_level_domain": "com" + }, + "user": { + "email": "john.doe@example.com", + "id": "urn:spo:guest:hash#aGVsbG8gdGhlcmUK", + "name": "john.doe@example.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "OneDriveMpc-Transform_Zip/1.0", + "os": { + "name": "Other" + } + } + } + + ``` + + === "file_previewed.json" ```json @@ -1644,6 +1766,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "record_type": 6, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -1750,6 +1873,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "record_type": 6, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, 
@@ -1849,6 +1973,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "record_type": 6, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -1935,6 +2060,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "TRUE", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -1996,6 +2122,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -2075,6 +2202,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "True", "user_type": { "code": 2, + "is_external": false, "name": "Admin" } }, @@ -2147,6 +2275,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "record_type": 4, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -2231,6 +2360,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, @@ -2307,6 +2437,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "New", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -2366,6 +2497,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "record_type": 47, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, @@ -2519,6 +2651,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "record_type": 28, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, @@ -2572,6 +2705,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "record_type": 41, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, 
@@ -2662,6 +2796,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -2747,6 +2882,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -2803,6 +2939,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "record_type": 20, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -2903,6 +3040,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -2968,6 +3106,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, @@ -3055,6 +3194,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, @@ -3137,6 +3277,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, @@ -3218,6 +3359,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, @@ -3285,6 +3427,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, 
@@ -3367,6 +3510,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, @@ -3450,6 +3594,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, @@ -3537,6 +3682,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "record_type": 14, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -3642,6 +3788,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "record_type": 14, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -3751,6 +3898,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -3828,6 +3976,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -3904,6 +4053,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -3981,6 +4131,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -4058,6 +4209,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -4124,6 +4276,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "record_type": 47, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, 
@@ -4193,6 +4346,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -4249,6 +4403,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -4332,6 +4487,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -4402,6 +4558,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -4505,6 +4662,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -4605,6 +4763,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, @@ -4776,6 +4935,7 @@ The following table lists the fields that are extracted, normalized under the EC |`office365.teams.team.members` | `object` | The list of users in a team | |`office365.teams.team.name` | `keyword` | The name of the team | |`office365.user_type.code` | `long` | The type of user that performed the operation | +|`office365.user_type.is_external` | `boolean` | Whether user is external | |`office365.virus_info` | `keyword` | VirusInfo | |`office365.virus_vendor` | `keyword` | VirusVendor | |`organization.id` | `keyword` | Unique identifier for the organization. | 
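Review bot: The new table row `|office365.user_type.is_external| boolean | Whether user is external|` does not say what "external" means or where the flag comes from, and the `external_user.json` sample shows it is independent of `UserType` (that sample has `UserType: 0`/`Regular` together with `is_external: true`). Analysts will filter on this field to find guest activity, so I would document the derivation: `|office365.user_type.is_external| boolean | True when the actor is a guest/external account (derived from the user identifier, e.g. the urn:spo:guest prefix seen in the sample, not from UserType)|`. If the parser also sets it for other identifier forms (such as B2B `#EXT#` UPNs), the description should list them; that cannot be confirmed from this diff.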
diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md index 9547f1ebb2..6f21d1ebb7 100644 --- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md +++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md 
@@ -927,6 +927,60 @@ In this section, you will find examples of raw logs as generated natively by the +=== "external_user" + + + ```json + { + "AppAccessContext": { + "ClientAppName": "MeTA", + "CorrelationId": "27de65c0-1c43-4d70-9a4d-45a66418dbd6" + }, + "CreationTime": "2024-11-29T12:31:12", + "Id": "609745a8-8ec0-4305-8607-fa95f45cf370", + "Operation": "FileDownloaded", + "OrganizationId": "eda474c4-ddfd-4ecd-85ff-3103a09b118d", + "RecordType": 6, + "UserKey": "urn:spo:guest:hash#aGVsbG8gdGhlcmUK", + "UserType": 0, + "Version": 1, + "Workload": "OneDrive", + "ClientIP": "1.2.3.4", + "UserId": "urn:spo:guest#john.doe@example.com", + "AuthenticationType": "OAuth", + "BrowserName": "", + "BrowserVersion": "", + "CorrelationId": "27de65c0-1c43-4d70-9a4d-45a66418dbd6", + "DoNotDistributeEvent": true, + "EventSource": "SharePoint", + "GeoLocation": "EUR", + "IsManagedDevice": false, + "ItemType": "File", + "ListId": "56391ee5-91aa-44f9-810e-a5dc47abbb02", + "ListItemUniqueId": "1d91eda8-2918-42f0-8f2b-88dd9aaffcdf", + "Platform": "Service", + "Site": "582d798a-ba87-4a78-8792-87db9262b0a3", + "UserAgent": "OneDriveMpc-Transform_Zip/1.0", + "UserSessionId": "b332294a-fad5-45a0-8761-63922a2544bf", + "WebId": "ead1e78b-1d0c-4251-920a-f4fb48fce5e2", + "DeviceDisplayName": "5.6.7.8", + "EventSignature": "SOME_SIGNATURE", + "FileSizeBytes": 26860827, + "HighPriorityMediaProcessing": false, + "ListBaseType": 1, + "ListServerTemplate": 700, + "SourceFileExtension": "zip", + "ZipFileName": "1.zip", + "SiteUrl": "https://example.com/", + "SourceRelativeUrl": "Documents/IMT MBA", + "SourceFileName": "1.zip", + "ApplicationDisplayName": "MeTA", + "ObjectId": "https://example.com/1.zip" + } + ``` + + + === "file_previewed" diff --git a/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216.md b/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216.md index 29c1cf2c7c..4d1adefc34 100644 
--- a/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216.md +++ b/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216.md @@ -49,6 +49,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2022-05-02T00:29:01Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { @@ -99,6 +102,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2022-05-02T11:09:47Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { @@ -149,6 +155,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2022-05-02T12:20:31Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { @@ -199,6 +208,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2022-12-22T16:38:07Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { @@ -250,6 +262,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2022-12-07T10:46:07Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { @@ -300,6 +315,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2022-05-02T11:09:47Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { @@ -354,6 +372,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2022-12-21T16:12:20Z", + "action": { + "name": "Allow" + }, "destination": { "address": "5.6.7.8", "bytes": 0, @@ -446,6 +467,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2023-01-31T08:11:53Z", + "action": { + "name": "Allow" + }, "cloud": { "instance": { "id": "example.org" 
@@ -460,7 +484,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "hash": { "md5": "68b329da9893e34099c7d8ad5cb9c940" }, - "mime_type": "eicar.txt" + "mime_type": "eicar.txt", + "size": 19154 }, "http": { "request": { @@ -546,6 +571,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2022-12-21T14:12:08Z", + "action": { + "name": "Detection" + }, "destination": { "address": "5.6.7.8", "bytes": 0, @@ -565,7 +593,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "hash": { "md5": "68b329da9893e34099c7d8ad5cb9c940" }, - "name": "eicarcom2.zip" + "name": "eicarcom2.zip", + "size": 308 }, "host": { "name": "MacBook Pro", 
@@ -644,6 +673,115 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_nspolicy_block.json" + + ```json + + { + "message": "{\"_id\":\"55093de1d7b4571d8941f492\",\"access_method\":\"Client\",\"action\":\"block\",\"activity\":\"Browse\",\"alert\":\"yes\",\"app\":\"DNS Over HTTPS\",\"app_session_id\":1234567890,\"appcategory\":\"General\",\"browser\":\"Chrome\",\"browser_session_id\":2222222222222,\"category\":\"General\",\"cci\":\"\",\"ccl\":\"unknown\",\"connection_id\":0,\"count\":1,\"device\":\"Windows Device\",\"device_classification\":\"unmanaged\",\"dst_country\":\"US\",\"dst_latitude\":37.775699615478516,\"dst_location\":\"San Francisco\",\"dst_longitude\":-122.39520263671875,\"dst_region\":\"California\",\"dst_timezone\":\"America/Los_Angeles\",\"dst_zipcode\":\"N/A\",\"dstip\":\"1.2.3.4\",\"dstport\":443,\"hostname\":\"PC-HOST01\",\"ja3\":\"1234567890abcdef1234567890abcdef\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"netskope_pop\":\"FR-PAR2\",\"notify_template\":\"silent_block.html\",\"organization_unit\":\"\",\"os\":\"Windows 11\",\"os_version\":\"Windows NT 11.0\",\"other_categories\":[\"Technology\",\"General\"],\"page\":\"test.example.com\",\"page_site\":\"test\",\"policy\":\"Block DoH - incompatibility with Netskope\",\"policy_id\":\"99999999999999999999999999999999 2024-10-30 13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":444444444444444444,\"severity\":\"unknown\",\"site\":\"DOH\",\"src_country\":\"FR\",\"src_latitude\":48.8323,\"src_location\":\"Paris\",\"src_longitude\":2.4075,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:01:00 
2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75018\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731574892,\"traffic_type\":\"CloudApp\",\"transaction_id\":111111111111,\"type\":\"nspolicy\",\"ur_normalized\":\"john.doe@mail.fr\",\"url\":\"test.example.com\",\"user\":\"john.doe@mail.fr\",\"useragent\":\"Chrome\",\"userip\":\"10.20.30.40\",\"userkey\":\"john.doe@mail.fr\",\"log_file_name\":\"\",\"from_user\":\"\",\"ext_labels\":[],\"audit_type\":\"\",\"CononicalName\":\"\",\"parent_id\":\"\",\"tss_scan_failed\":\"\",\"data_center\":\"\",\"from_user_category\":\"\",\"internal_collaborator_count\":0,\"dlp_rule_severity\":\"\",\"req_cnt\":0,\"dlp_parent_id\":0,\"alert_type\":\"\",\"workspace\":\"\",\"dst_geoip_src\":0,\"user_category\":\"\",\"channel_id\":\"\",\"loginurl\":\"\",\"dlp_is_unique_count\":\"\",\"netskope_activity\":\"\",\"retro_scan_name\":\"\",\"to_user\":\"\",\"sha256\":\"\",\"justification_type\":\"\",\"fromlogs\":\"\",\"title\":\"\",\"universal_connector\":\"\",\"custom_connector\":\"\",\"modified\":0,\"user_confidence_index\":0,\"exposure\":\"\",\"orignal_file_path\":\"\",\"instance_id\":\"\",\"managementID\":\"\",\"sanctioned_instance\":\"\",\"file_lang\":\"\",\"dlp_scan_failed\":\"\",\"mime_type\":\"\",\"browser_version\":\"\",\"object_id\":\"\",\"data_type\":\"\",\"audit_category\":\"\",\"dlp_mail_parent_id\":\"\",\"file_path\":\"\",\"sAMAccountName\":\"\",\"client_bytes\":0,\"dlp_file\":\"\",\"org\":\"\",\"numbytes\":0,\"tss_fail_reason\":\"\",\"object\":\"\",\"nsdeviceuid\":\"\",\"app_activity\":\"\",\"instance\":\"\",\"userPrincipalName\":\"\",\"object_type\":\"\",\"scan_type\":\"\",\"appsuite\":\"\",\"conn_duration\":0,\"file_type\":\"\",\"dsthost\":\"\",\"logintype\":\"\",\"true_obj_type\":\"\",\"dlp_rule\":\"\",\"serial\":\"\",\"suppression_key\":\"\",\"suppression_start_time\":0,\"dlp_rule_count\":0,\"shared_with\":\"\",\"resp_cnt\":0,\"justification_reason\":\"\",\"web_universal_connector\":\"\",\"server_bytes\"
:0,\"dlp_unique_count\":0,\"md5\":\"\",\"file_size\":0,\"smtp_to\":[],\"dlp_incident_id\":0,\"true_obj_category\":\"\",\"src_geoip_src\":0,\"total_collaborator_count\":0,\"sessionid\":\"\",\"user_id\":\"\",\"custom_attr\":{},\"referer\":\"\",\"suppression_end_time\":0,\"owner\":\"\",\"tss_mode\":\"\",\"dlp_fail_reason\":\"\",\"workspace_id\":\"\",\"dlp_profile\":\"\"}", + "event": { + "action": "Browse", + "category": [ + "network" + ], + "dataset": "nspolicy", + "duration": 0, + "kind": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-14T09:01:32Z", + "action": { + "name": "block" + }, + "destination": { + "address": "1.2.3.4", + "bytes": 0, + "geo": { + "city_name": "San Francisco", + "country_iso_code": "US", + "location": { + "lat": 37.775699615478516, + "lon": -122.39520263671875 + }, + "postal_code": "N/A", + "region_name": "California", + "timezone": "America/Los_Angeles" + }, + "ip": "1.2.3.4" + }, + "host": { + "name": "PC-HOST01", + "os": { + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "Windows NT 11.0" + } + }, + "netskope": { + "events": { + "access_method": "Client", + "application": { + "category": "General", + "name": "DNS Over HTTPS" + }, + "ccl": "unknown" + } + }, + "network": { + "bytes": 0 + }, + "observer": { + "vendor": "Netskope" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "john.doe" + ] + }, + "rule": { + "id": "99999999999999999999999999999999 2024-10-30 13:52:18.401518", + "name": "Block DoH - incompatibility with Netskope" + }, + "source": { + "address": "5.6.7.8", + "bytes": 0, + "geo": { + "city_name": "Paris", + "country_iso_code": "FR", + "location": { + "lat": 48.8323, + "lon": 2.4075 + }, + "postal_code": "75018", + "region_name": "\u00cele-de-France", + "timezone": "Europe/Paris" + }, + "ip": "5.6.7.8" + }, + "url": { + "original": "test.example.com", + "path": "test.example.com" + }, + "user": { + "domain": "mail.fr", + "email": "john.doe@mail.fr", + 
"name": "john.doe" + }, + "user_agent": { + "name": "Chrome" + } + } + + ``` + + === "test_nspolicy_log.json" ```json @@ -663,6 +801,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2022-12-21T15:52:00Z", + "action": { + "name": "Allow" + }, "cloud": { "instance": { "id": "Example" @@ -689,7 +830,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "md5": "68b329da9893e34099c7d8ad5cb9c940" }, "mime_type": "image/gif", - "name": "giphy2.gif" + "name": "giphy2.gif", + "size": 204299 }, "host": { "name": "TEST-1111111", 
@@ -771,6 +913,126 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_nspolicy_upload.json" + + ```json + + { + "message": "{\"_id\":\"2d7a3c19cf913179146454b6\",\"access_method\":\"Client\",\"activity\":\"Upload\",\"alert\":\"no\",\"app\":\"App\",\"app_session_id\":1234567890,\"appcategory\":\"Remote Access\",\"browser\":\"CHROME\",\"browser_session_id\":1111111111111111111,\"browser_version\":\"6.0;\",\"category\":\"Remote Access\",\"cci\":73,\"ccl\":\"medium\",\"connection_id\":0,\"count\":1,\"data_type\":\"application/octet-stream\",\"device\":\"Windows Device\",\"device_classification\":\"managed\",\"dst_country\":\"CZ\",\"dst_latitude\":50.0883,\"dst_location\":\"Prague\",\"dst_longitude\":14.4124,\"dst_region\":\"Prague\",\"dst_timezone\":\"Europe/Prague\",\"dst_zipcode\":\"110 00\",\"dstip\":\"1.2.3.4\",\"dstport\":80,\"file_size\":24,\"file_type\":\"File Type Not Detected\",\"hostname\":\"PC-HOST01\",\"ja3\":\"NotAvailable\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"md5\":\"68b329da9893e34099c7d8ad5cb9c940\",\"netskope_pop\":\"FR-PAR3\",\"object\":\"object.txt\",\"object_type\":\"File\",\"organization_unit\":\"\",\"os\":\"Windows 10\",\"os_version\":\"Windows NT 10.0\",\"other_categories\":[\"Remote Access\"],\"page\":\"test.example.com\",\"page_site\":\"app\",\"policy_id\":\"22222222222222222222222222222222 2024-10-30 13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":4444444444444444444,\"severity\":\"unknown\",\"site\":\"App\",\"src_country\":\"FR\",\"src_latitude\":48.6673,\"src_location\":\"Paris\",\"src_longitude\":2.3476,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:04:00 
2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75001\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731575086,\"traffic_type\":\"CloudApp\",\"transaction_id\":5555555555555555555,\"type\":\"nspolicy\",\"universal_connector\":\"yes\",\"ur_normalized\":\"jdoe@mail.com\",\"url\":\"url.app.com/object2.txt\",\"user\":\"JDOE@mail.com\",\"useragent\":\"Mozilla/4.0 (compatible; CHROME 6.0; DynGate)\",\"userip\":\"10.20.30.40\",\"userkey\":\"JDOE@mail.com\",\"serial\":\"\",\"numbytes\":0,\"exposure\":\"\",\"server_bytes\":0,\"web_universal_connector\":\"\",\"logintype\":\"\",\"alert_type\":\"\",\"from_user\":\"\",\"dlp_scan_failed\":\"\",\"dlp_rule\":\"\",\"fromlogs\":\"\",\"justification_type\":\"\",\"tss_mode\":\"\",\"user_category\":\"\",\"src_geoip_src\":0,\"CononicalName\":\"\",\"shared_with\":\"\",\"channel_id\":\"\",\"dlp_mail_parent_id\":\"\",\"custom_attr\":{},\"sha256\":\"\",\"resp_cnt\":0,\"custom_connector\":\"\",\"orignal_file_path\":\"\",\"to_user\":\"\",\"internal_collaborator_count\":0,\"owner\":\"\",\"appsuite\":\"\",\"org\":\"\",\"dsthost\":\"\",\"tss_fail_reason\":\"\",\"audit_type\":\"\",\"parent_id\":\"\",\"data_center\":\"\",\"loginurl\":\"\",\"mime_type\":\"\",\"from_user_category\":\"\",\"file_path\":\"\",\"modified\":0,\"referer\":\"\",\"dlp_profile\":\"\",\"object_id\":\"\",\"true_obj_type\":\"\",\"tss_scan_failed\":\"\",\"managementID\":\"\",\"dst_geoip_src\":0,\"dlp_rule_severity\":\"\",\"conn_duration\":0,\"policy\":\"\",\"netskope_activity\":\"\",\"audit_category\":\"\",\"smtp_to\":[],\"nsdeviceuid\":\"\",\"justification_reason\":\"\",\"suppression_start_time\":0,\"dlp_is_unique_count\":\"\",\"dlp_parent_id\":0,\"dlp_fail_reason\":\"\",\"userPrincipalName\":\"\",\"dlp_file\":\"\",\"dlp_incident_id\":0,\"sanctioned_instance\":\"\",\"suppression_key\":\"\",\"retro_scan_name\":\"\",\"instance_id\":\"\",\"true_obj_category\":\"\",\"action\":\"\",\"sessionid\":\"\",\"file_lang\":\"\",\"log_file_name\":\"\",\"notify_template
\":\"\",\"sAMAccountName\":\"\",\"ext_labels\":[],\"instance\":\"\",\"user_id\":\"\",\"workspace\":\"\",\"dlp_rule_count\":0,\"app_activity\":\"\",\"suppression_end_time\":0,\"title\":\"\",\"scan_type\":\"\",\"dlp_unique_count\":0,\"total_collaborator_count\":0,\"client_bytes\":0,\"req_cnt\":0,\"user_confidence_index\":0,\"workspace_id\":\"\"}", + "event": { + "action": "Upload", + "category": [ + "network" + ], + "dataset": "nspolicy", + "duration": 0, + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-14T09:04:46Z", + "action": { + "name": "Allow" + }, + "destination": { + "address": "1.2.3.4", + "bytes": 0, + "geo": { + "city_name": "Prague", + "country_iso_code": "CZ", + "location": { + "lat": 50.0883, + "lon": 14.4124 + }, + "postal_code": "110 00", + "region_name": "Prague", + "timezone": "Europe/Prague" + }, + "ip": "1.2.3.4" + }, + "file": { + "hash": { + "md5": "68b329da9893e34099c7d8ad5cb9c940" + }, + "mime_type": "File Type Not Detected", + "name": "object.txt", + "size": 24 + }, + "host": { + "name": "PC-HOST01", + "os": { + "name": "Windows 10", + "platform": "windows", + "type": "windows", + "version": "Windows NT 10.0" + } + }, + "netskope": { + "events": { + "access_method": "Client", + "application": { + "category": "Remote Access", + "name": "App" + }, + "ccl": "medium" + } + }, + "network": { + "bytes": 0 + }, + "observer": { + "vendor": "Netskope" + }, + "related": { + "hash": [ + "68b329da9893e34099c7d8ad5cb9c940" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "JDOE" + ] + }, + "rule": { + "id": "22222222222222222222222222222222 2024-10-30 13:52:18.401518" + }, + "source": { + "address": "5.6.7.8", + "bytes": 0, + "geo": { + "city_name": "Paris", + "country_iso_code": "FR", + "location": { + "lat": 48.6673, + "lon": 2.3476 + }, + "postal_code": "75001", + "region_name": "\u00cele-de-France", + "timezone": "Europe/Paris" + }, + "ip": "5.6.7.8" + }, + "url": { + "original": "url.app.com/object2.txt", + "path": 
"url.app.com/object2.txt" + }, + "user": { + "domain": "mail.com", + "email": "JDOE@mail.com", + "name": "JDOE" + }, + "user_agent": { + "name": "CHROME", + "version": "6.0;" + } + } + + ``` + + === "test_user_alert.json" ```json @@ -790,6 +1052,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2022-12-21T14:52:01Z", + "action": { + "name": "useralert" + }, "destination": { "address": "108.128.91.183", "bytes": 0, @@ -919,6 +1184,7 @@ The following table lists the fields that are extracted, normalized under the EC |`file.mime_type` | `keyword` | Media type of file, document, or arrangement of bytes. | |`file.name` | `keyword` | Name of the file including the extension, without the directory. | |`file.path` | `keyword` | Full path to the file, including the file name. | +|`file.size` | `long` | File size in bytes. | |`host.name` | `keyword` | Name of the host. | |`host.os.name` | `keyword` | Operating system name, without the version. | |`host.os.platform` | `keyword` | Operating system platform (such centos, ubuntu, windows). | diff --git a/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216_sample.md b/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216_sample.md index da774d200e..3692060d31 100644 --- a/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216_sample.md +++ b/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216_sample.md 
@@ -507,6 +507,175 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_nspolicy_block" + + + ```json + { + "_id": "55093de1d7b4571d8941f492", + "access_method": "Client", + "action": "block", + "activity": "Browse", + "alert": "yes", + "app": "DNS Over HTTPS", + "app_session_id": 1234567890, + "appcategory": "General", + "browser": "Chrome", + "browser_session_id": 2222222222222, + "category": "General", + "cci": "", + "ccl": "unknown", + "connection_id": 0, + "count": 1, + "device": "Windows Device", + "device_classification": "unmanaged", + "dst_country": "US", + "dst_latitude": 37.775699615478516, + "dst_location": "San Francisco", + "dst_longitude": -122.39520263671875, + "dst_region": "California", + "dst_timezone": "America/Los_Angeles", + "dst_zipcode": "N/A", + "dstip": "1.2.3.4", + "dstport": 443, + "hostname": "PC-HOST01", + "ja3": "1234567890abcdef1234567890abcdef", + "ja3s": "NotAvailable", + "managed_app": "no", + "netskope_pop": "FR-PAR2", + "notify_template": "silent_block.html", + "organization_unit": "", + "os": "Windows 11", + "os_version": "Windows NT 11.0", + "other_categories": [ + "Technology", + "General" + ], + "page": "test.example.com", + "page_site": "test", + "policy": "Block DoH - incompatibility with Netskope", + "policy_id": "99999999999999999999999999999999 2024-10-30 13:52:18.401518", + "protocol": "HTTPS/1.1", + "request_id": 444444444444444444, + "severity": "unknown", + "site": "DOH", + "src_country": "FR", + "src_latitude": 48.8323, + "src_location": "Paris", + "src_longitude": 2.4075, + "src_region": "\u00cele-de-France", + "src_time": "Thu Nov 14 10:01:00 2024", + "src_timezone": "Europe/Paris", + "src_zipcode": "75018", + "srcip": "5.6.7.8", + "telemetry_app": "", + "timestamp": 1731574892, + "traffic_type": "CloudApp", + "transaction_id": 111111111111, + "type": "nspolicy", + "ur_normalized": "john.doe@mail.fr", + "url": "test.example.com", + "user": "john.doe@mail.fr", + 
"useragent": "Chrome", + "userip": "10.20.30.40", + "userkey": "john.doe@mail.fr", + "log_file_name": "", + "from_user": "", + "ext_labels": [], + "audit_type": "", + "CononicalName": "", + "parent_id": "", + "tss_scan_failed": "", + "data_center": "", + "from_user_category": "", + "internal_collaborator_count": 0, + "dlp_rule_severity": "", + "req_cnt": 0, + "dlp_parent_id": 0, + "alert_type": "", + "workspace": "", + "dst_geoip_src": 0, + "user_category": "", + "channel_id": "", + "loginurl": "", + "dlp_is_unique_count": "", + "netskope_activity": "", + "retro_scan_name": "", + "to_user": "", + "sha256": "", + "justification_type": "", + "fromlogs": "", + "title": "", + "universal_connector": "", + "custom_connector": "", + "modified": 0, + "user_confidence_index": 0, + "exposure": "", + "orignal_file_path": "", + "instance_id": "", + "managementID": "", + "sanctioned_instance": "", + "file_lang": "", + "dlp_scan_failed": "", + "mime_type": "", + "browser_version": "", + "object_id": "", + "data_type": "", + "audit_category": "", + "dlp_mail_parent_id": "", + "file_path": "", + "sAMAccountName": "", + "client_bytes": 0, + "dlp_file": "", + "org": "", + "numbytes": 0, + "tss_fail_reason": "", + "object": "", + "nsdeviceuid": "", + "app_activity": "", + "instance": "", + "userPrincipalName": "", + "object_type": "", + "scan_type": "", + "appsuite": "", + "conn_duration": 0, + "file_type": "", + "dsthost": "", + "logintype": "", + "true_obj_type": "", + "dlp_rule": "", + "serial": "", + "suppression_key": "", + "suppression_start_time": 0, + "dlp_rule_count": 0, + "shared_with": "", + "resp_cnt": 0, + "justification_reason": "", + "web_universal_connector": "", + "server_bytes": 0, + "dlp_unique_count": 0, + "md5": "", + "file_size": 0, + "smtp_to": [], + "dlp_incident_id": 0, + "true_obj_category": "", + "src_geoip_src": 0, + "total_collaborator_count": 0, + "sessionid": "", + "user_id": "", + "custom_attr": {}, + "referer": "", + "suppression_end_time": 0, + 
"owner": "", + "tss_mode": "", + "dlp_fail_reason": "", + "workspace_id": "", + "dlp_profile": "" + } + ``` + + + === "test_nspolicy_log" 
@@ -660,6 +829,174 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_nspolicy_upload" + + + ```json + { + "_id": "2d7a3c19cf913179146454b6", + "access_method": "Client", + "activity": "Upload", + "alert": "no", + "app": "App", + "app_session_id": 1234567890, + "appcategory": "Remote Access", + "browser": "CHROME", + "browser_session_id": 1111111111111111111, + "browser_version": "6.0;", + "category": "Remote Access", + "cci": 73, + "ccl": "medium", + "connection_id": 0, + "count": 1, + "data_type": "application/octet-stream", + "device": "Windows Device", + "device_classification": "managed", + "dst_country": "CZ", + "dst_latitude": 50.0883, + "dst_location": "Prague", + "dst_longitude": 14.4124, + "dst_region": "Prague", + "dst_timezone": "Europe/Prague", + "dst_zipcode": "110 00", + "dstip": "1.2.3.4", + "dstport": 80, + "file_size": 24, + "file_type": "File Type Not Detected", + "hostname": "PC-HOST01", + "ja3": "NotAvailable", + "ja3s": "NotAvailable", + "managed_app": "no", + "md5": "68b329da9893e34099c7d8ad5cb9c940", + "netskope_pop": "FR-PAR3", + "object": "object.txt", + "object_type": "File", + "organization_unit": "", + "os": "Windows 10", + "os_version": "Windows NT 10.0", + "other_categories": [ + "Remote Access" + ], + "page": "test.example.com", + "page_site": "app", + "policy_id": "22222222222222222222222222222222 2024-10-30 13:52:18.401518", + "protocol": "HTTPS/1.1", + "request_id": 4444444444444444444, + "severity": "unknown", + "site": "App", + "src_country": "FR", + "src_latitude": 48.6673, + "src_location": "Paris", + "src_longitude": 2.3476, + "src_region": "\u00cele-de-France", + "src_time": "Thu Nov 14 10:04:00 2024", + "src_timezone": "Europe/Paris", + "src_zipcode": "75001", + "srcip": "5.6.7.8", + "telemetry_app": "", + "timestamp": 1731575086, + "traffic_type": "CloudApp", + "transaction_id": 5555555555555555555, + "type": "nspolicy", + "universal_connector": "yes", + "ur_normalized": 
"jdoe@mail.com", + "url": "url.app.com/object2.txt", + "user": "JDOE@mail.com", + "useragent": "Mozilla/4.0 (compatible; CHROME 6.0; DynGate)", + "userip": "10.20.30.40", + "userkey": "JDOE@mail.com", + "serial": "", + "numbytes": 0, + "exposure": "", + "server_bytes": 0, + "web_universal_connector": "", + "logintype": "", + "alert_type": "", + "from_user": "", + "dlp_scan_failed": "", + "dlp_rule": "", + "fromlogs": "", + "justification_type": "", + "tss_mode": "", + "user_category": "", + "src_geoip_src": 0, + "CononicalName": "", + "shared_with": "", + "channel_id": "", + "dlp_mail_parent_id": "", + "custom_attr": {}, + "sha256": "", + "resp_cnt": 0, + "custom_connector": "", + "orignal_file_path": "", + "to_user": "", + "internal_collaborator_count": 0, + "owner": "", + "appsuite": "", + "org": "", + "dsthost": "", + "tss_fail_reason": "", + "audit_type": "", + "parent_id": "", + "data_center": "", + "loginurl": "", + "mime_type": "", + "from_user_category": "", + "file_path": "", + "modified": 0, + "referer": "", + "dlp_profile": "", + "object_id": "", + "true_obj_type": "", + "tss_scan_failed": "", + "managementID": "", + "dst_geoip_src": 0, + "dlp_rule_severity": "", + "conn_duration": 0, + "policy": "", + "netskope_activity": "", + "audit_category": "", + "smtp_to": [], + "nsdeviceuid": "", + "justification_reason": "", + "suppression_start_time": 0, + "dlp_is_unique_count": "", + "dlp_parent_id": 0, + "dlp_fail_reason": "", + "userPrincipalName": "", + "dlp_file": "", + "dlp_incident_id": 0, + "sanctioned_instance": "", + "suppression_key": "", + "retro_scan_name": "", + "instance_id": "", + "true_obj_category": "", + "action": "", + "sessionid": "", + "file_lang": "", + "log_file_name": "", + "notify_template": "", + "sAMAccountName": "", + "ext_labels": [], + "instance": "", + "user_id": "", + "workspace": "", + "dlp_rule_count": 0, + "app_activity": "", + "suppression_end_time": 0, + "title": "", + "scan_type": "", + "dlp_unique_count": 0, + 
"total_collaborator_count": 0, + "client_bytes": 0, + "req_cnt": 0, + "user_confidence_index": 0, + "workspace_id": "" + } + ``` + + + === "test_user_alert" diff --git a/_shared_content/operations_center/integrations/generated/ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9.md b/_shared_content/operations_center/integrations/generated/ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9.md index 9aa956b115..93a8115591 100644 --- a/_shared_content/operations_center/integrations/generated/ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9.md +++ b/_shared_content/operations_center/integrations/generated/ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9.md @@ -147,6 +147,48 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "access4.json" + + ```json + + { + "message": "90.83.225.109:54761 [10/Apr/2024:15:41:58.284] frontend_https~ backend_lb/LB100 1796/0/0/28/1824 200 1060 - - --VN 296/296/33/6/0 0/0 {saas.ms.example.com} \"GET /path/get/resource HTTP/1.1\" TLSv1.2 aktci:\"46.193.65.202\"\n", + "event": { + "kind": "access" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 1060, + "status_code": 200 + }, + "version": "1.1" + }, + "related": { + "ip": [ + "90.83.225.109" + ] + }, + "source": { + "address": "90.83.225.109", + "ip": "90.83.225.109", + "port": 54761 + }, + "tls": { + "version": "1.2", + "version_protocol": "TLS" + }, + "url": { + "original": "/path/get/resource", + "path": "/path/get/resource" + } + } + + ``` + + === "json.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_sample.md b/_shared_content/operations_center/integrations/generated/ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_sample.md index ad9c3b4711..d27b4dcc79 100644 --- a/_shared_content/operations_center/integrations/generated/ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_sample.md +++ b/_shared_content/operations_center/integrations/generated/ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_sample.md 
@@ -32,6 +32,15 @@ In this section, you will find examples of raw logs as generated natively by the +=== "access4" + + ``` + 90.83.225.109:54761 [10/Apr/2024:15:41:58.284] frontend_https~ backend_lb/LB100 1796/0/0/28/1824 200 1060 - - --VN 296/296/33/6/0 0/0 {saas.ms.example.com} "GET /path/get/resource HTTP/1.1" TLSv1.2 aktci:"46.193.65.202" + + ``` + + + === "json" ```