From c90002a48c26f1f0063712527e361029edfd0aca Mon Sep 17 00:00:00 2001
From: "sekoia-io-cross-repo-comm-app[bot]"
Date: Mon, 6 Nov 2023 14:37:31 +0000
Subject: [PATCH] Refresh intakes documentation
---
 .../6b8cb346-6605-4240-ac15-3828627ba899.md | 30 +-
 .../9281438c-f7c3-4001-9bcc-45fd108ba1be.md | 319 +++++++++---------
 2 files changed, 182 insertions(+), 167 deletions(-)
diff --git a/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md b/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md
index 304d382d66..c1bbf123e3 100644
--- a/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md
+++ b/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md
@@ -36,7 +36,16 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "pam_unix(cron:session): session closed for user root",
 "event": {
 "kind": "event",
- "provider": "cron"
+ "provider": "cron",
+ "reason": "session closed"
+ },
+ "related": {
+ "user": [
+ "root"
+ ]
+ },
+ "user": {
+ "name": "root"
 },
 "wallix": {}
 }
@@ -52,7 +61,16 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "pam_unix(sudo:session): session closed for user wabuser",
 "event": {
 "kind": "event",
- "provider": "sudo"
+ "provider": "sudo",
+ "reason": "session closed"
+ },
+ "related": {
+ "user": [
+ "wabuser"
+ ]
+ },
+ "user": {
+ "name": "wabuser"
 },
 "wallix": {}
 }
@@ -323,15 +341,16 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "provider": "sudo"
 },
 "process": {
- "command_line": "/opt/wab/bin/WABCleanApprovals close"
+ "command_line": "/opt/wab/bin/WABCleanApprovals close",
+ "working_directory": "/root"
 },
 "related": {
 "user": [
- "wabuser ;"
+ "wabuser"
 ]
 },
 "user": {
- "name": "wabuser ;"
+ "name": "wabuser"
 },
 "wallix": {}
 }
@@ -3908,6 +3927,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
 |`host.ip` | `ip` | Host ip addresses. |
 |`process.command_line` | `wildcard` | Full command line that started the process. |
+|`process.working_directory` | `keyword` | The working directory of the process. |
 |`service.name` | `keyword` | Name of the service. |
 |`source.ip` | `ip` | IP address of the source. |
 |`source.port` | `long` | Port of the source. |
diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md
index d9f57b22b6..05147c3103 100644
--- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md
+++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md
@@ -129,7 +129,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "IpPort": "-",
 "LogonProcessName": "Schannel",
 "LogonType": "3",
- "ProcessName": "c:\\windows\\system32\\lsass.exe",
+ "ProcessName": "C:\\Windows\\System32\\lsass.exe",
 "Severity": "Info",
 "SourceName": "Microsoft-Windows-Security-Auditing",
 "SubjectDomainName": "CORPDOMAIN",
@@ -153,9 +153,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "platform": "windows"
 },
 "process": {
- "executable": "c:\\windows\\system32\\lsass.exe",
+ "executable": "C:\\Windows\\System32\\lsass.exe",
 "name": "Schannel",
- "working_directory": "c:\\windows\\system32\\"
+ "working_directory": "C:\\Windows\\System32\\"
 },
 "related": {
 "hosts": [
@@ -587,7 +587,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "AccountType": "User", "Domain": "NT AUTHORITY", "EventType": "INFO", - "Image": "c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe", + "Image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ParentImage": "C:\\\\Program Files\\\\NSClient++\\\\nscp.exe", @@ -614,8 +614,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "command_line": "powershell.exe -file c:/dir/scripts/nagios/get-localadmgroupmembership/get-localadmgroupmembership.ps1", - "executable": "c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe", + "command_line": "powershell.exe -file C:/Dir/Scripts/Nagios/Get-LocalAdmGroupMembership/Get-LocalAdmGroupMembership.ps1", + "executable": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "hash": { "md5": "b3ad5364cf04b6ab05616dd483aaf618", "sha1": "e5b0a0f4a59d6d5377332eece20f8f3df5cebe4e", @@ -624,17 +624,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": 2932, "name": "powershell.exe", "parent": { - "command_line": "c:\\\\program files\\\\nsclient++\\\\nscp.exe service --run --name nscp", - "executable": "c:\\\\program files\\\\nsclient++\\\\nscp.exe", + "command_line": "C:\\\\Program Files\\\\NSClient++\\\\nscp.exe service --run --name nscp", + "executable": "C:\\\\Program Files\\\\NSClient++\\\\nscp.exe", "name": "nscp.exe", - "working_directory": "c:\\\\program files\\\\nsclient++\\\\" + "working_directory": "C:\\\\Program Files\\\\NSClient++\\\\" }, "pid": 2932, "ppid": "1776", "thread": { "id": 3956 }, - "working_directory": "c:\\\\program files\\\\nsclient++\\\\" + "working_directory": "C:\\\\Program Files\\\\NSClient++\\\\" }, "related": { "hash": [ 
@@ -866,7 +866,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "size_in_char": 16 }, "file": { - "name": "font download", + "name": "Font Download", "size": -1 }, "host": { @@ -956,7 +956,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file": { "name": "sharpbits.zip", "owner": "DESKTOP-FOOBARZ\\userXYZ", - "path": "c:\\users\\userxyz\\downloads\\sharpbits.zip" + "path": "C:\\Users\\userXYZ\\Downloads\\sharpbits.zip" }, "host": { "hostname": "DESKTOP-FOOBARZ", @@ -1046,8 +1046,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "size_in_char": 37 }, "file": { - "name": "sharpbitstestx.zip", - "path": "sharpbitstestx.zip", + "name": "sharpbitsTestX.zip", + "path": "sharpbitsTestX.zip", "size": 524444 }, "host": { @@ -1123,8 +1123,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "Execution Name": "%%813", "Keywords": "-9223372036854775808", "OpcodeValue": 0, - "Path": "file:_c:\\users\\r1\\downloads\\tmp2\\tmp2\\win32\\mimidrv.sys", - "ProcessName": "c:\\windows\\explorer.exe", + "Path": "file:_C:\\Users\\r1\\Downloads\\tmp2\\tmp2\\Win32\\mimidrv.sys", + "ProcessName": "C:\\Windows\\explorer.exe", "ProviderGuid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}", "Severity": "WARNING", "SourceName": "Microsoft-Windows-Windows Defender", @@ -1794,7 +1794,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "LogonProcessName": "Advapi ", "LogonType": "9", "OpcodeValue": 0, - "ProcessName": "c:\\windows\\ccm\\ccmexec.exe", + "ProcessName": "C:\\Windows\\CCM\\CcmExec.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", "SourceName": "Microsoft-Windows-Security-Auditing", 
@@ -1826,14 +1826,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\ccm\\ccmexec.exe", + "executable": "C:\\Windows\\CCM\\CcmExec.exe", "id": 996, "name": "Advapi ", "pid": 996, "thread": { "id": 1920 }, - "working_directory": "c:\\windows\\ccm\\" + "working_directory": "C:\\Windows\\CCM\\" }, "related": { "hosts": [ @@ -2046,7 +2046,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "DestinationPort": "443", "Domain": "AUTORITE NT", "EventType": "INFO", - "Image": "c:\\windows\\systemapps\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoftedgecp.exe", + "Image": "C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdgeCP.exe", "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProcessGuid": "{0BA009B0-846C-5CDE-0000-0010821E0D00}", @@ -2082,14 +2082,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\systemapps\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoftedgecp.exe", + "executable": "C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdgeCP.exe", "id": 4200, - "name": "microsoftedgecp.exe", + "name": "MicrosoftEdgeCP.exe", "pid": 4200, "thread": { "id": 532 }, - "working_directory": "c:\\windows\\systemapps\\microsoft.microsoftedge_8wekyb3d8bbwe\\" + "working_directory": "C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\" }, "related": { "hosts": [ 
@@ -2167,14 +2167,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\wbem\\wmic.exe", + "executable": "C:\\Windows\\System32\\wbem\\WMIC.exe", "id": 11260, - "name": "wmic.exe", + "name": "WMIC.exe", "pid": 11260, "thread": { "id": 13732 }, - "working_directory": "c:\\windows\\system32\\wbem\\" + "working_directory": "C:\\Windows\\System32\\wbem\\" }, "related": { "hosts": [ @@ -2637,7 +2637,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ObjectType": "Unknown", "OpcodeValue": 0, "PrivilegeList": "-", - "ProcessName": "c:\\windows\\system32\\svchost.exe", + "ProcessName": "C:\\Windows\\System32\\svchost.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "ERROR", "SourceName": "Microsoft-Windows-Security-Auditing", @@ -2663,14 +2663,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\svchost.exe", + "executable": "C:\\Windows\\System32\\svchost.exe", "id": 728, "name": "svchost.exe", "pid": 728, "thread": { "id": 736 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "hosts": [ @@ -2714,7 +2714,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ObjectValueName": "FirmwareUpdatesNotInstalled", "OpcodeValue": 0, "OperationType": "%%1904", - "ProcessName": "c:\\windows\\system32\\svchost.exe", + "ProcessName": "C:\\Windows\\System32\\svchost.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", "SourceName": "Microsoft-Windows-Security-Auditing", 
@@ -2740,14 +2740,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\svchost.exe", + "executable": "C:\\Windows\\System32\\svchost.exe", "id": 4, "name": "svchost.exe", "pid": 4, "thread": { "id": 14940 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "hosts": [ @@ -2788,7 +2788,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "Keywords": "-9214364837600034816", "ObjectServer": "Security", "OpcodeValue": 0, - "ProcessName": "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe", + "ProcessName": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", "SourceName": "Microsoft-Windows-Security-Auditing", @@ -2814,14 +2814,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe", + "executable": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", "id": 4, "name": "powershell.exe", "pid": 4, "thread": { "id": 6740 }, - "working_directory": "c:\\windows\\syswow64\\windowspowershell\\v1.0\\" + "working_directory": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\" }, "related": { "hosts": [ @@ -2867,7 +2867,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ObjectServer": "Security", "ObjectType": "Process", "OpcodeValue": 0, - "ProcessName": "c:\\windows\\system32\\wbem\\wmiprvse.exe", + "ProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", "SourceName": "Microsoft-Windows-Security-Auditing", 
@@ -2882,7 +2882,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "file": { "name": "lsass.exe", - "path": "\\device\\harddiskvolume2\\windows\\system32\\lsass.exe" + "path": "\\Device\\HarddiskVolume2\\Windows\\System32\\lsass.exe" }, "host": { "hostname": "V-FOO", @@ -2897,14 +2897,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\wbem\\wmiprvse.exe", + "executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "id": 4, - "name": "wmiprvse.exe", + "name": "WmiPrvSE.exe", "pid": 4, "thread": { "id": 10820 }, - "working_directory": "c:\\windows\\system32\\wbem\\" + "working_directory": "C:\\Windows\\System32\\wbem\\" }, "related": { "hosts": [ @@ -2946,7 +2946,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ObjectServer": "Security", "ObjectType": "Token", "OpcodeValue": 0, - "ProcessName": "c:\\windows\\system32\\searchindexer.exe", + "ProcessName": "C:\\Windows\\System32\\SearchIndexer.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", "SourceName": "Microsoft-Windows-Security-Auditing", @@ -2972,14 +2972,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\searchindexer.exe", + "executable": "C:\\Windows\\System32\\SearchIndexer.exe", "id": 4, - "name": "searchindexer.exe", + "name": "SearchIndexer.exe", "pid": 4, "thread": { "id": 7416 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "hosts": [ 
@@ -3046,20 +3046,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "command_line": "taskhostw.exe", - "executable": "c:\\windows\\system32\\taskhostw.exe", + "executable": "C:\\Windows\\System32\\taskhostw.exe", "id": 3648, "name": "taskhostw.exe", "parent": { - "command_line": "c:\\windows\\system32\\svchost.exe", - "executable": "c:\\windows\\system32\\svchost.exe", + "command_line": "C:\\Windows\\System32\\svchost.exe", + "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "pid": 3648, "thread": { "id": 14728 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "hosts": [ @@ -3102,7 +3102,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "EventType": "AUDIT_SUCCESS", "Keywords": "-9214364837600034816", "OpcodeValue": 0, - "ProcessName": "c:\\windows\\system32\\svchost.exe", + "ProcessName": "C:\\Windows\\System32\\svchost.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", "SourceName": "Microsoft-Windows-Security-Auditing", @@ -3129,14 +3129,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\svchost.exe", + "executable": "C:\\Windows\\System32\\svchost.exe", "id": 4, "name": "svchost.exe", "pid": 4, "thread": { "id": 13048 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "hosts": [ 
@@ -3751,10 +3751,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "AccountType": "User", "Domain": "AUTORITE NT", "EventType": "INFO", - "Image": "c:\\windows\\system32\\logonui.exe", + "Image": "C:\\Windows\\System32\\LogonUI.exe", "Keywords": "-9223372036854775808", "OpcodeValue": 0, - "ParentImage": "c:\\windows\\system32\\winlogon.exe", + "ParentImage": "C:\\Windows\\System32\\winlogon.exe", "ProcessGuid": "{0BA009B0-847B-5CDE-0000-001038720D00}", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", @@ -3778,26 +3778,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "command_line": "c:\\windows\\system32\\logonui.exe /flags:0x0 /state0:0xa39dd855 /state1:0x41c64e6d", - "executable": "c:\\windows\\system32\\logonui.exe", + "command_line": "C:\\Windows\\System32\\LogonUI.exe /flags:0x0 /state0:0xa39dd855 /state1:0x41c64e6d", + "executable": "C:\\Windows\\System32\\LogonUI.exe", "hash": { "md5": "d40c84e829922b70d511bb2cc6268d49", "sha256": "9a54ee3d6d16d0fe3458b1ae1212f546f94b9e28e5a845d311a04191c724d652" }, "id": 4540, - "name": "logonui.exe", + "name": "LogonUI.exe", "parent": { - "command_line": "c:\\windows\\system32\\winlogon.exe", - "executable": "c:\\windows\\system32\\winlogon.exe", + "command_line": "C:\\Windows\\System32\\winlogon.exe", + "executable": "C:\\Windows\\System32\\winlogon.exe", "name": "winlogon.exe", - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "pid": 4540, "ppid": "476", "thread": { "id": 2152 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\system32\\" }, "related": { "hash": [ 
@@ -3867,21 +3867,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "command_line": "c:\\windows\\system32\\reg.exe add hklm\\software\\microsoft\\command processor /v disableunccheck /t reg_dword /d 0x1 /f /reg:32", - "executable": "c:\\windows\\system32\\reg.exe", + "command_line": "C:\\Windows\\system32\\reg.exe add HKLM\\SOFTWARE\\Microsoft\\Command Processor /v DisableUNCCheck /t REG_DWORD /d 0x1 /f /reg:32", + "executable": "C:\\Windows\\System32\\reg.exe", "id": 3920, "name": "reg.exe", "parent": { - "command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", - "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "name": "powershell.exe", - "working_directory": "c:\\windows\\system32\\windowspowershell\\v1.0\\" + "working_directory": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" }, "pid": 3920, "thread": { "id": 3484 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "hosts": [ 
@@ -3952,21 +3952,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "command_line": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe /n c:\\users\\userfoo\\downloads\\background for adi-msi-dis june 2010 fr (1).docx /o ", - "executable": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe", + "command_line": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\WINWORD.EXE /n C:\\Users\\USERFOO\\Downloads\\Background for ADI-MSI-DIS June 2010 FR (1).docx /o ", + "executable": "C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "id": 5004, - "name": "winword.exe", + "name": "WINWORD.EXE", "parent": { - "command_line": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe", - "executable": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe", + "command_line": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", - "working_directory": "c:\\program files (x86)\\google\\chrome\\application\\" + "working_directory": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\" }, "pid": 5004, "thread": { "id": 5632 }, - "working_directory": "c:\\program files (x86)\\microsoft office\\root\\office16\\" + "working_directory": "C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\" }, "related": { "hosts": [ @@ -4012,7 +4012,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "Details": "Binary Data", "Domain": "NT AUTHORITY", "EventType": "INFO", - "Image": "c:\\\\windows\\\\system32\\\\svchost.exe", + "Image": "C:\\\\Windows\\\\System32\\\\svchost.exe", "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProcessGuid": "{34EA5B98-48E6-5F99-1600-000000000E00}", 
@@ -4039,14 +4039,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\\\windows\\\\system32\\\\svchost.exe", + "executable": "C:\\\\Windows\\\\System32\\\\svchost.exe", "id": 1436, "name": "svchost.exe", "pid": 1436, "thread": { "id": 2860 }, - "working_directory": "c:\\\\windows\\\\system32\\\\" + "working_directory": "C:\\\\Windows\\\\System32\\\\" }, "registry": { "hive": "HKU", @@ -4108,7 +4108,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "size_in_char": 16 }, "file": { - "name": "font download", + "name": "Font Download", "size": -1 }, "host": { @@ -4253,7 +4253,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ObjectServer": "NT Local Security Authority / Authentication Service", "OpcodeValue": 0, "PrivilegeList": "SeTcbPrivilege", - "ProcessName": "c:\\windows\\system32\\lsass.exe", + "ProcessName": "C:\\Windows\\System32\\lsass.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Service": "LsaRegisterLogonProcess()", "Severity": "INFO", @@ -4280,14 +4280,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\lsass.exe", + "executable": "C:\\Windows\\System32\\lsass.exe", "id": 4, "name": "lsass.exe", "pid": 4, "thread": { "id": 19016 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "hosts": [ 
@@ -4397,7 +4397,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "properties": { "AccountName": "Syst\u00e8me", "AccountType": "User", - "CallTrace": "c:\\windows\\system32\\ntdll.dll+9c534|c:\\windows\\system32\\kernelbase.dll+305fe|c:\\windows\\system32\\vboxservice.exe+12d8d|c:\\windows\\system32\\vboxservice.exe+140cf|c:\\windows\\system32\\vboxservice.exe+1435d|c:\\windows\\system32\\vboxservice.exe+fc2b|c:\\windows\\system32\\vboxservice.exe+1071a|c:\\windows\\system32\\vboxservice.exe+17fe|c:\\windows\\system32\\vboxservice.exe+31c1f|c:\\windows\\system32\\vboxservice.exe+35682|c:\\windows\\system32\\vboxservice.exe+fbbeb|c:\\windows\\system32\\vboxservice.exe+fbc7f|c:\\windows\\system32\\kernel32.dll+17bd4|c:\\windows\\system32\\ntdll.dll+6ce51", + "CallTrace": "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|C:\\WINDOWS\\System32\\KERNELBASE.dll+305fe|C:\\Windows\\System32\\VBoxService.exe+12d8d|C:\\Windows\\System32\\VBoxService.exe+140cf|C:\\Windows\\System32\\VBoxService.exe+1435d|C:\\Windows\\System32\\VBoxService.exe+fc2b|C:\\Windows\\System32\\VBoxService.exe+1071a|C:\\Windows\\System32\\VBoxService.exe+17fe|C:\\Windows\\System32\\VBoxService.exe+31c1f|C:\\Windows\\System32\\VBoxService.exe+35682|C:\\Windows\\System32\\VBoxService.exe+fbbeb|C:\\Windows\\System32\\VBoxService.exe+fbc7f|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51", "Domain": "AUTORITE NT", "EventType": "INFO", "GrantedAccess": "0x1400", 
@@ -4405,10 +4405,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "OpcodeValue": 0, "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", - "SourceImage": "c:\\windows\\system32\\vboxservice.exe", + "SourceImage": "C:\\Windows\\System32\\VBoxService.exe", "SourceName": "Microsoft-Windows-Sysmon", "SourceProcessId": "920", - "TargetImage": "c:\\windows\\system32\\ctfmon.exe", + "TargetImage": "C:\\WINDOWS\\system32\\ctfmon.exe", "TargetProcessId": "4324", "Task": 10 }, @@ -4428,14 +4428,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\vboxservice.exe", + "executable": "C:\\Windows\\System32\\VBoxService.exe", "id": 920, - "name": "vboxservice.exe", + "name": "VBoxService.exe", "pid": 920, "thread": { "id": 10352 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "hosts": [ @@ -4475,7 +4475,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "AccountType": "User", "Domain": "AUTORITE NT", "EventType": "INFO", - "Image": "c:\\program files (x86)\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\bin\\ccsvchst.exe", + "Image": "C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Bin\\ccSvcHst.exe", "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProcessGuid": "{23AD1E42-B4F1-5C41-0000-001028060400}", @@ -4491,7 +4491,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file": { "created": "2019-12-16T15:10:53.715000Z", "name": "cur.scr", - "path": "c:\\windows\\temp\\symdelta_2060\\content.zip.tmp\\cur.scr" + "path": "C:\\Windows\\Temp\\SymDelta_2060\\content.zip.tmp\\cur.scr" }, "host": { "hostname": "USERNAME01.ACT.CORP.local", 
@@ -4506,14 +4506,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\program files (x86)\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\bin\\ccsvchst.exe", + "executable": "C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Bin\\ccSvcHst.exe", "id": 2060, - "name": "ccsvchst.exe", + "name": "ccSvcHst.exe", "pid": 2060, "thread": { "id": 9332 }, - "working_directory": "c:\\program files (x86)\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\bin\\" + "working_directory": "C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Bin\\" }, "related": { "hosts": [ @@ -4554,7 +4554,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "Details": "DWORD (0x00000001)", "Domain": "AUTORITE NT", "EventType": "INFO", - "Image": "c:\\windows\\system32\\services.exe", + "Image": "C:\\Windows\\system32\\services.exe", "Keywords": "-9223372036854775808", "MessEventType": "SetValue", "OpcodeValue": 0, @@ -4582,14 +4582,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\services.exe", + "executable": "C:\\Windows\\system32\\services.exe", "id": 572, "name": "services.exe", "pid": 572, "thread": { "id": 27948 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\system32\\" }, "registry": { "data": { 
@@ -4641,7 +4641,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "Details": "\\??\\C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Data\\Definitions\\VirusDefs\\20100330.020\\ENG64.SYS", "Domain": "AUTORITE NT", "EventType": "INFO", - "Image": "c:\\windows\\system32\\services.exe", + "Image": "C:\\Windows\\system32\\services.exe", "Keywords": "-9223372036854775808", "MessEventType": "SetValue", "OpcodeValue": 0, @@ -4669,14 +4669,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\services.exe", + "executable": "C:\\Windows\\system32\\services.exe", "id": 572, "name": "services.exe", "pid": 572, "thread": { "id": 35536 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\system32\\" }, "registry": { "data": { @@ -4730,7 +4730,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "EventType": "INFO", "Hash": "MD5=C570199C8261A913BBAA5C7D5020498B,SHA256=0454B363C7F09FF5AB778F07DF4F5FA123CC73E950283234717C50066CB62EA7,IMPHASH=00000000000000000000000000000000", "HostUrl": "https://entreprises.interepargne.natixis.com/", - "Image": "c:\\program files\\google\\chrome\\application\\chrome.exe", + "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProcessGuid": "{3cb7cf38-a48b-609a-490c-000000002a00}", 
@@ -4751,8 +4751,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "md5": "c570199c8261a913bbaa5c7d5020498b", "sha256": "0454b363c7f09ff5ab778f07df4f5fa123cc73e950283234717c50066cb62ea7" }, - "name": "hostfoo avril 2011_plan d \u00e9pargne entreprise_1400085 (4).zip:zone.identifier", - "path": "c:\\users\\pipin_touque\\downloads\\hostfoo avril 2011_plan d \u00e9pargne entreprise_1400085 (4).zip:zone.identifier" + "name": "HOSTFOO avril 2011_Plan d \u00e9pargne entreprise_1400085 (4).zip:Zone.Identifier", + "path": "C:\\Users\\Pipin_Touque\\Downloads\\HOSTFOO avril 2011_Plan d \u00e9pargne entreprise_1400085 (4).zip:Zone.Identifier" }, "host": { "hostname": "PCFOO4019.Comte.local", @@ -4767,14 +4767,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\program files\\google\\chrome\\application\\chrome.exe", + "executable": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "id": 3768, "name": "chrome.exe", "pid": 3768, "thread": { "id": 6860 }, - "working_directory": "c:\\program files\\google\\chrome\\application\\" + "working_directory": "C:\\Program Files\\Google\\Chrome\\Application\\" }, "related": { "hash": [ @@ -4960,7 +4960,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "AccountType": "User", "Domain": "NT AUTHORITY", "EventType": "INFO", - "Image": "c:\\windows\\system32\\wbem\\wmiprvse.exe", + "Image": "C:\\Windows\\system32\\wbem\\wmiprvse.exe", "Keywords": "-9223372036854775808", "MessEventType": "ConnectPipe", "OpcodeValue": 0, 
@@ -4987,14 +4987,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\wbem\\wmiprvse.exe", + "executable": "C:\\Windows\\system32\\wbem\\wmiprvse.exe", "id": 4032, "name": "wmiprvse.exe", "pid": 4032, "thread": { "id": 2780 }, - "working_directory": "c:\\windows\\system32\\wbem\\" + "working_directory": "C:\\Windows\\system32\\wbem\\" }, "related": { "hosts": [ @@ -5035,10 +5035,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "AccountType": "User", "Domain": "AUTORITE NT", "EventType": "INFO", - "Image": "c:\\program files (x86)\\interact\\bin\\iacomclient.exe", + "Image": "C:\\Program Files (x86)\\Interact\\Bin\\IAComClient.exe", "Keywords": "-9223372036854775808", "OpcodeValue": 0, - "ParentImage": "c:\\program files (x86)\\interact\\bin\\iamanager.exe", + "ParentImage": "C:\\Program Files (x86)\\Interact\\Bin\\IAManager.exe", "ProcessGuid": "{9beb284d-cc28-6055-3602-000000004900}", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", 
@@ -5062,27 +5062,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "command_line": "c:\\program files (x86)\\interact\\bin\\iacomclient.exe", - "executable": "c:\\program files (x86)\\interact\\bin\\iacomclient.exe", + "command_line": "C:\\Program Files (x86)\\Interact\\Bin\\IAComClient.exe", + "executable": "C:\\Program Files (x86)\\Interact\\Bin\\IAComClient.exe", "hash": { "imphash": "5eb894b14a9a429f917fa1e528b4e86b", "md5": "6e2ed6bd7a43497c351551d04aeb6444", "sha256": "e721bd7242e4571cdbc7729f54118abaa806fa309059f21f09829b5275c1a751" }, "id": 2016, - "name": "iacomclient.exe", + "name": "IAComClient.exe", "parent": { - "command_line": "c:\\program files (x86)\\interact\\bin\\iamanager.exe", - "executable": "c:\\program files (x86)\\interact\\bin\\iamanager.exe", - "name": "iamanager.exe", - "working_directory": "c:\\program files (x86)\\interact\\bin\\" + "command_line": "C:\\Program Files (x86)\\Interact\\Bin\\IAManager.exe", + "executable": "C:\\Program Files (x86)\\Interact\\Bin\\IAManager.exe", + "name": "IAManager.exe", + "working_directory": "C:\\Program Files (x86)\\Interact\\Bin\\" }, "pid": 2016, "ppid": "4756", "thread": { "id": 7472 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\WINDOWS\\system32\\" }, "related": { "hash": [ @@ -5127,10 +5127,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "AccountType": "User", "Domain": "NT AUTHORITY", "EventType": "INFO", - "Image": "c:\\program files\\microsoft office\\root\\office16\\sdxhelper.exe", + "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\SDXHelper.exe", "Keywords": "-9223372036854775808", "OpcodeValue": 0, - "ParentImage": "c:\\windows\\system32\\svchost.exe", + "ParentImage": "C:\\Windows\\System32\\svchost.exe", "ProcessGuid": "{178446c4-1ef2-64f7-fa8d-010000001100}", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", 
@@ -5154,27 +5154,27 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "platform": "windows"
 },
 "process": {
- "command_line": "c:\\program files\\microsoft office\\root\\office16\\sdxhelper.exe /onlogon",
- "executable": "c:\\program files\\microsoft office\\root\\office16\\sdxhelper.exe",
+ "command_line": "C:\\Program Files\\Microsoft Office\\root\\Office16\\sdxhelper.exe /onlogon",
+ "executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\SDXHelper.exe",
 "hash": {
 "imphash": "0ae5922afcef4767754a10f016cd4b30",
 "md5": "f924bbc6fbf646fa0478aebe5d37504c",
 "sha256": "4494aa7bf1058262f3d2f412b681af2af42e34490144fbfd0db579d966b8fbb6"
 },
 "id": 18144,
- "name": "sdxhelper.exe",
+ "name": "SDXHelper.exe",
 "parent": {
- "command_line": "c:\\windows\\system32\\svchost.exe -k netsvfoo -p -s schedule",
- "executable": "c:\\windows\\system32\\svchost.exe",
+ "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvfoo -p -s Schedule",
+ "executable": "C:\\Windows\\System32\\svchost.exe",
 "name": "svchost.exe",
- "working_directory": "c:\\windows\\system32\\"
+ "working_directory": "C:\\Windows\\System32\\"
 },
 "pid": 18144,
 "ppid": "1772",
 "thread": {
 "id": 748
 },
- "working_directory": "c:\\windows\\system32\\"
+ "working_directory": "C:\\Windows\\system32\\"
 },
 "related": {
 "hash": [
@@ -5290,7 +5290,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "AccountType": "User",
 "Domain": "AUTORITE NT",
 "EventType": "INFO",
- "Image": "c:\\windows\\system32\\svchost.exe",
+ "Image": "C:\\WINDOWS\\system32\\svchost.exe",
 "Keywords": "-9223372036854775808",
 "OpcodeValue": 0,
 "ProcessGuid": "{c8188de9-a5a2-5e46-0000-00104fae7900}",
@@ -5356,14 +5356,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "platform": "windows"
 },
 "process": {
- "executable": "c:\\windows\\system32\\svchost.exe",
+ "executable": "C:\\WINDOWS\\system32\\svchost.exe",
 "id": 5228,
 "name": "svchost.exe",
 "pid": 5228,
 "thread": {
 "id": 3448
 },
- "working_directory": "c:\\windows\\system32\\"
+ "working_directory": "C:\\WINDOWS\\system32\\"
 },
 "related": {
 "hosts": [
@@ -5403,7 +5403,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "AccountType": "User",
 "Domain": "NT AUTHORITY",
 "EventType": "INFO",
- "Image": "c:\\windows\\syswow64\\svchost.exe",
+ "Image": "C:\\Windows\\SysWOW64\\svchost.exe",
 "Keywords": "-9223372036854775808",
 "OpcodeValue": 0,
 "ProcessGuid": "{ab376ee3-7152-60a2-6808-000000001000}",
@@ -5429,14 +5429,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "platform": "windows"
 },
 "process": {
- "executable": "c:\\windows\\syswow64\\svchost.exe",
+ "executable": "C:\\Windows\\SysWOW64\\svchost.exe",
 "id": 4888,
 "name": "svchost.exe",
 "pid": 4888,
 "thread": {
 "id": 3768
 },
- "working_directory": "c:\\windows\\syswow64\\"
+ "working_directory": "C:\\Windows\\SysWOW64\\"
 },
 "related": {
 "hosts": [
@@ -5544,7 +5544,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "DestinationPort": "1723",
 "Domain": "AUTORITE NT",
 "EventType": "INFO",
- "Image": "c:\\windows\\system32\\lsass.exe",
+ "Image": "C:\\Windows\\System32\\lsass.exe",
 "Keywords": "-9223372036854775808",
 "OpcodeValue": 0,
 "ProcessGuid": "{23AD1E42-B4C1-5C41-0000-0010B4020100}",
@@ -5580,14 +5580,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "platform": "windows"
 },
 "process": {
- "executable": "c:\\windows\\system32\\lsass.exe",
+ "executable": "C:\\Windows\\System32\\lsass.exe",
 "id": 564,
 "name": "lsass.exe",
 "pid": 564,
 "thread": {
 "id": 8112
 },
- "working_directory": "c:\\windows\\system32\\"
+ "working_directory": "C:\\Windows\\System32\\"
 },
 "related": {
 "hosts": [
@@ -5637,7 +5637,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "AccountType": "User",
 "Domain": "AUTORITE NT",
 "EventType": "INFO",
- "ImageLoaded": "c:\\programdata\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\data\\definitions\\virusdefs\\20101008.007\\eng64.sys",
+ "ImageLoaded": "C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Data\\Definitions\\VirusDefs\\20101008.007\\eng64.sys",
 "Keywords": "-9223372036854775808",
 "OpcodeValue": 0,
 "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
@@ -5664,7 +5664,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "platform": "windows"
 },
 "process": {
- "executable": "c:\\programdata\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\data\\definitions\\virusdefs\\20101008.007\\eng64.sys",
+ "executable": "C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Data\\Definitions\\VirusDefs\\20101008.007\\eng64.sys",
 "hash": {
 "imphash": "48152bc64cb1ea5e4592c852d8bac3fd",
 "md5": "be2d7adb437eb7c9607d60f481729c1f",
@@ -5676,7 +5676,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "thread": {
 "id": 3548
 },
- "working_directory": "c:\\programdata\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\data\\definitions\\virusdefs\\20101008.007\\"
+ "working_directory": "C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Data\\Definitions\\VirusDefs\\20101008.007\\"
 },
 "related": {
 "hash": [
@@ -5721,8 +5721,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "AccountType": "User",
 "Domain": "AUTORITE NT",
 "EventType": "INFO",
- "Image": "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\hxtsr.exe",
- "ImageLoaded": "c:\\windows\\system32\\bcryptprimitives.dll",
+ "Image": "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\HxTsr.exe",
+ "ImageLoaded": "C:\\Windows\\System32\\bcryptprimitives.dll",
 "Keywords": "-9223372036854775808",
 "OpcodeValue": 0,
 "ProcessGuid": "{c8188de9-7bbb-5fcf-0000-0010f7277203}",
@@ -5743,7 +5743,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "sha256": "6b47f3e88cdedf8f31f91940e38a4544818c79d153323262f9f46b21f41d262c"
 },
 "name": "bcryptprimitives.dll",
- "path": "c:\\windows\\system32\\bcryptprimitives.dll"
+ "path": "C:\\Windows\\System32\\bcryptprimitives.dll"
 },
 "host": {
 "hostname": "DESKTOP-FOOBARZ",
@@ -5758,14 +5758,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "platform": "windows"
 },
 "process": {
- "executable": "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\hxtsr.exe",
+ "executable": "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\HxTsr.exe",
 "id": 10540,
- "name": "hxtsr.exe",
+ "name": "HxTsr.exe",
 "pid": 10540,
 "thread": {
 "id": 5408
 },
- "working_directory": "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\"
+ "working_directory": "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\"
 },
 "related": {
 "hash": [
@@ -5813,13 +5813,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "OpcodeValue": 0,
 "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "Severity": "INFO",
- "SourceImage": "c:\\windows\\system32\\vboxtray.exe",
+ "SourceImage": "C:\\Windows\\System32\\VBoxTray.exe",
 "SourceName": "Microsoft-Windows-Sysmon",
 "SourceProcessId": "9808",
 "StartAddress": "0xFFFFCFBA48C52460",
 "StartFunction": "LoadLibraryA",
- "StartModule": "c:\\windows\\system32\\ntdll.dll",
- "TargetImage": "c:\\windows\\system32\\csrss.exe",
+ "StartModule": "C:\\Windows\\SYSTEM32\\ntdll.dll",
+ "TargetImage": "C:\\Windows\\System32\\csrss.exe",
 "TargetProcessId": "10576",
 "Task": 8
 },
@@ -5839,14 +5839,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "platform": "windows"
 },
 "process": {
- "executable": "c:\\windows\\system32\\vboxtray.exe",
+ "executable": "C:\\Windows\\System32\\VBoxTray.exe",
 "id": 9808,
- "name": "vboxtray.exe",
+ "name": "VBoxTray.exe",
 "pid": 9808,
 "thread": {
 "id": 10704
 },
- "working_directory": "c:\\windows\\system32\\"
+ "working_directory": "C:\\Windows\\System32\\"
 },
 "related": {
 "hosts": [
@@ -5887,7 +5887,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "Device": "\\Device\\HarddiskVolume1",
 "Domain": "NT AUTHORITY",
 "EventType": "INFO",
- "Image": "c:\\windows\\system32\\logonui.exe",
+ "Image": "C:\\Windows\\System32\\LogonUI.exe",
 "Keywords": "-9223372036854775808",
 "OpcodeValue": 0,
 "ProcessGuid": "{FC729081-70A2-5FDB-6701-000000000600}",
@@ -5912,14 +5912,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "platform": "windows"
 },
 "process": {
- "executable": "c:\\windows\\system32\\logonui.exe",
+ "executable": "C:\\Windows\\System32\\LogonUI.exe",
 "id": 6428,
- "name": "logonui.exe",
+ "name": "LogonUI.exe",
 "pid": 6428,
 "thread": {
 "id": 3916
 },
- "working_directory": "c:\\windows\\system32\\"
+ "working_directory": "C:\\Windows\\System32\\"
 },
 "related": {
 "hosts": [
@@ -5978,14 +5978,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "platform": "windows"
 },
 "process": {
- "executable": "c:\\windows\\system32\\qwinsta.exe",
+ "executable": "C:\\Windows\\System32\\qwinsta.exe",
 "id": 12980,
 "name": "qwinsta.exe",
 "pid": 12980,
 "thread": {
 "id": 92
 },
- "working_directory": "c:\\windows\\system32\\"
+ "working_directory": "C:\\Windows\\System32\\"
 },
 "related": {
 "user": [
@@ -6046,14 +6046,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "platform": "windows"
 },
 "process": {
- "executable": "c:\\windows\\system32\\conhost.exe",
+ "executable": "C:\\Windows\\System32\\conhost.exe",
 "id": 4380,
 "name": "conhost.exe",
 "pid": 4380,
 "thread": {
 "id": 88
 },
- "working_directory": "c:\\windows\\system32\\"
+ "working_directory": "C:\\Windows\\System32\\"
 },
 "related": {
 "hosts": [
@@ -6086,7 +6086,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`action.id` | `number` | |
 |`action.properties.Accesses` | `keyword` | |
 |`action.properties.BytesTotal` | `keyword` | |
-|`action.properties.CallTrace` | `keyword` | |
 |`action.properties.ConfigurationFile` | `keyword` | |
 |`action.properties.Content` | `keyword` | |
 |`action.properties.ContextInfo` | `keyword` | |
@@ -6100,7 +6099,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`action.properties.HostName` | `keyword` | |
 |`action.properties.HostUrl` | `keyword` | |
 |`action.properties.Image` | `keyword` | |
-|`action.properties.ImageLoaded` | `keyword` | Image file loaded by the process |
 |`action.properties.Keywords` | `keyword` | |
 |`action.properties.LastASSecurityIntelligenceAge` | `keyword` | |
 |`action.properties.LastAVSecurityIntelligenceAge` | `keyword` | |
@@ -6111,17 +6109,14 @@ The following table lists the fields that are extracted, normalized under the EC
 |`action.properties.NewValue` | `keyword` | |
 |`action.properties.Old Value` | `keyword` | |
 |`action.properties.ParentImage` | `keyword` | |
-|`action.properties.Path` | `keyword` | |
 |`action.properties.ProcessName` | `keyword` | |
 |`action.properties.ProxyServer` | `keyword` | |
 |`action.properties.ReferrerUrl` | `keyword` | |
 |`action.properties.SentUpdateServer` | `keyword` | |
 |`action.properties.ServiceFileName` | `keyword` | |
-|`action.properties.SourceImage` | `keyword` | Name of the source image |
 |`action.properties.StartFunction` | `keyword` | |
 |`action.properties.StartModule` | `keyword` | |
 |`action.properties.StatusInformation` | `keyword` | |
-|`action.properties.TargetImage` | `keyword` | Name of the target image |
 |`action.properties.TaskContentNew_Args` | `keyword` | |
 |`action.properties.TaskContentNew_Command` | `keyword` | |
 |`action.properties.ThreatName` | `keyword` | |