From 9d5a852d899014ada0eaaccb20f089988ac8beba Mon Sep 17 00:00:00 2001 
From: patel-bhavin <7771446+patel-bhavin@users.noreply.github.com>
Date: Thu, 28 Nov 2024 06:57:49 +0000
Subject: [PATCH] Updated TAs

---
 contentctl.yml | 17 +-
 data_sources/aws_cloudfront.yml | 2 +-
 data_sources/aws_cloudtrail.yml | 2 +-
 .../aws_cloudtrail_assumerolewithsaml.yml | 2 +-
 data_sources/aws_cloudtrail_consolelogin.yml | 2 +-
 data_sources/aws_cloudtrail_copyobject.yml | 2 +-
 .../aws_cloudtrail_createaccesskey.yml | 2 +-
 data_sources/aws_cloudtrail_createkey.yml | 2 +-
 .../aws_cloudtrail_createloginprofile.yml | 2 +-
 .../aws_cloudtrail_createnetworkaclentry.yml | 2 +-
 .../aws_cloudtrail_createpolicyversion.yml | 2 +-
 .../aws_cloudtrail_createsnapshot.yml | 2 +-
 data_sources/aws_cloudtrail_createtask.yml | 2 +-
 .../aws_cloudtrail_createvirtualmfadevice.yml | 2 +-
 .../aws_cloudtrail_deactivatemfadevice.yml | 2 +-
 ...cloudtrail_deleteaccountpasswordpolicy.yml | 2 +-
 data_sources/aws_cloudtrail_deletealarms.yml | 2 +-
 .../aws_cloudtrail_deletedetector.yml | 2 +-
 data_sources/aws_cloudtrail_deletegroup.yml | 2 +-
 data_sources/aws_cloudtrail_deleteipset.yml | 2 +-
 .../aws_cloudtrail_deleteloggroup.yml | 2 +-
 .../aws_cloudtrail_deletelogstream.yml | 2 +-
 .../aws_cloudtrail_deletenetworkaclentry.yml | 2 +-
 data_sources/aws_cloudtrail_deletepolicy.yml | 2 +-
 data_sources/aws_cloudtrail_deleterule.yml | 2 +-
 .../aws_cloudtrail_deletesnapshot.yml | 2 +-
 data_sources/aws_cloudtrail_deletetrail.yml | 2 +-
 .../aws_cloudtrail_deletevirtualmfadevice.yml | 2 +-
 data_sources/aws_cloudtrail_deletewebacl.yml | 2 +-
 ...aws_cloudtrail_describeeventaggregates.yml | 2 +-
 ...s_cloudtrail_describeimagescanfindings.yml | 2 +-
 ...ws_cloudtrail_getaccountpasswordpolicy.yml | 2 +-
 data_sources/aws_cloudtrail_getobject.yml | 2 +-
 .../aws_cloudtrail_getpassworddata.yml | 2 +-
 data_sources/aws_cloudtrail_jobcreated.yml | 2 +-
 .../aws_cloudtrail_modifydbinstance.yml | 2 +-
 .../aws_cloudtrail_modifyimageattribute.yml | 2 +-
 ...aws_cloudtrail_modifysnapshotattribute.yml | 2 +-
 data_sources/aws_cloudtrail_putbucketacl.yml | 2 +-
 .../aws_cloudtrail_putbucketlifecycle.yml | 2 +-
 .../aws_cloudtrail_putbucketreplication.yml | 2 +-
 .../aws_cloudtrail_putbucketversioning.yml | 2 +-
 data_sources/aws_cloudtrail_putimage.yml | 2 +-
 data_sources/aws_cloudtrail_putkeypolicy.yml | 2 +-
 .../aws_cloudtrail_replacenetworkaclentry.yml | 2 +-
 ...aws_cloudtrail_setdefaultpolicyversion.yml | 2 +-
 data_sources/aws_cloudtrail_stoplogging.yml | 2 +-
 ...cloudtrail_updateaccountpasswordpolicy.yml | 2 +-
 .../aws_cloudtrail_updateloginprofile.yml | 2 +-
 .../aws_cloudtrail_updatesamlprovider.yml | 2 +-
 data_sources/aws_cloudtrail_updatetrail.yml | 2 +-
 data_sources/aws_cloudwatchlogs_vpcflow.yml | 2 +-
 data_sources/aws_security_hub.yml | 2 +-
 .../ms365_defender_incident_alerts.yml | 167 +++---
 data_sources/ms_defender_atp_alerts.yml | 450 ++++++------------
 55 files changed, 265 insertions(+), 473 deletions(-)

diff --git a/contentctl.yml b/contentctl.yml
index 4ac4700ca9..8454bd903d 100644
--- a/contentctl.yml
+++ b/contentctl.yml
@@ -29,12 +29,6 @@ mode: {}
 splunk_api_username: null
 post_test_behavior: pause_on_failure
 apps:
-# - uid: 263
-# title: Splunk Enterprise Security
-# appid: SplunkEnterpriseSecuritySuite
-# version: 7.3.1
-# description: description of app
-# hardcoded_path: apps/splunk-enterprise-security_731.spl
 - uid: 1621
 title: Splunk Common Information Model (CIM)
 appid: Splunk_SA_CIM
@@ -142,10 +136,10 @@ apps:
 hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-amazon-kinesis-firehose_132.tgz
 - uid: 1876
 title: Splunk Add-on for AWS
- appid: Splunk_TA_aws
- version: 7.7.1
+ appid: Splunk_TA_aws
+ version: 7.8.0
 description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-amazon-web-services-aws_771.tgz
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-amazon-web-services-aws_780.tgz
 - uid: 3088
 title: Splunk Add-on for Google Cloud Platform
 appid: SPLUNK_ADD_ON_FOR_GOOGLE_CLOUD_PLATFORM
@@ -185,9 +179,9 @@ apps:
 - uid: 6207
 title: Splunk Add-on for Microsoft Security
 appid: Splunk_TA_MS_Security
- version: 2.3.0
+ version: 2.4.0
 description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-security_230.tgz
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-security_240.tgz
 - uid: 2734
 title: URL Toolbox
 appid: URL_TOOLBOX
@@ -207,4 +201,3 @@ apps:
 description: description of app
 hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/crowdstrike-falcon-event-streams-technical-add-on_321.tgz
 githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd
-
diff --git a/data_sources/aws_cloudfront.yml b/data_sources/aws_cloudfront.yml
index 09cbf73d17..1400f32c2f 100644
--- a/data_sources/aws_cloudfront.yml
+++ b/data_sources/aws_cloudfront.yml
@@ -9,7 +9,7 @@ sourcetype: aws:cloudfront:accesslogs
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail.yml b/data_sources/aws_cloudtrail.yml
index 328a426c5c..c78b3aa32c 100644
--- a/data_sources/aws_cloudtrail.yml
+++ b/data_sources/aws_cloudtrail.yml
@@ -10,4 +10,4 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
diff --git a/data_sources/aws_cloudtrail_assumerolewithsaml.yml b/data_sources/aws_cloudtrail_assumerolewithsaml.yml
index 61685243b2..72a59101ec 100644
--- a/data_sources/aws_cloudtrail_assumerolewithsaml.yml
+++ b/data_sources/aws_cloudtrail_assumerolewithsaml.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_consolelogin.yml b/data_sources/aws_cloudtrail_consolelogin.yml
index 237a4a8632..58c0680484 100644
--- a/data_sources/aws_cloudtrail_consolelogin.yml
+++ b/data_sources/aws_cloudtrail_consolelogin.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_copyobject.yml b/data_sources/aws_cloudtrail_copyobject.yml
index 13c4a23403..af436ffcae 100644
--- a/data_sources/aws_cloudtrail_copyobject.yml
+++ b/data_sources/aws_cloudtrail_copyobject.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - additionalEventData.AuthenticationMethod
diff --git a/data_sources/aws_cloudtrail_createaccesskey.yml b/data_sources/aws_cloudtrail_createaccesskey.yml
index f862d28023..ee16fdf61e 100644
--- a/data_sources/aws_cloudtrail_createaccesskey.yml
+++ b/data_sources/aws_cloudtrail_createaccesskey.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_createkey.yml b/data_sources/aws_cloudtrail_createkey.yml
index 553f8e9313..e2e5558352 100644
--- a/data_sources/aws_cloudtrail_createkey.yml
+++ b/data_sources/aws_cloudtrail_createkey.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - app
diff --git a/data_sources/aws_cloudtrail_createloginprofile.yml b/data_sources/aws_cloudtrail_createloginprofile.yml
index a802c65a20..58af82c30a 100644
--- a/data_sources/aws_cloudtrail_createloginprofile.yml
+++ b/data_sources/aws_cloudtrail_createloginprofile.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_createnetworkaclentry.yml b/data_sources/aws_cloudtrail_createnetworkaclentry.yml
index 3cdc9f116e..9b9691d078 100644
--- a/data_sources/aws_cloudtrail_createnetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_createnetworkaclentry.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_createpolicyversion.yml b/data_sources/aws_cloudtrail_createpolicyversion.yml
index 342199ad78..d0460c7249 100644
--- a/data_sources/aws_cloudtrail_createpolicyversion.yml
+++ b/data_sources/aws_cloudtrail_createpolicyversion.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_createsnapshot.yml b/data_sources/aws_cloudtrail_createsnapshot.yml
index 99cab8c69e..a2399c10fc 100644
--- a/data_sources/aws_cloudtrail_createsnapshot.yml
+++ b/data_sources/aws_cloudtrail_createsnapshot.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - app
diff --git a/data_sources/aws_cloudtrail_createtask.yml b/data_sources/aws_cloudtrail_createtask.yml
index 1f8a711d8b..d3d9b4ab0f 100644
--- a/data_sources/aws_cloudtrail_createtask.yml
+++ b/data_sources/aws_cloudtrail_createtask.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - app
diff --git a/data_sources/aws_cloudtrail_createvirtualmfadevice.yml b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
index 95acaa2fd2..fc456a999f 100644
--- a/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
+++ b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_deactivatemfadevice.yml b/data_sources/aws_cloudtrail_deactivatemfadevice.yml
index 67a907e5f4..3c92dc2d44 100644
--- a/data_sources/aws_cloudtrail_deactivatemfadevice.yml
+++ b/data_sources/aws_cloudtrail_deactivatemfadevice.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
index b88b43a4c3..ee3b0b9c82 100644
--- a/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_deletealarms.yml b/data_sources/aws_cloudtrail_deletealarms.yml
index cf755db2c8..98d2395efb 100644
--- a/data_sources/aws_cloudtrail_deletealarms.yml
+++ b/data_sources/aws_cloudtrail_deletealarms.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_deletedetector.yml b/data_sources/aws_cloudtrail_deletedetector.yml
index e58bd0649a..ce9406543a 100644
--- a/data_sources/aws_cloudtrail_deletedetector.yml
+++ b/data_sources/aws_cloudtrail_deletedetector.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - app
diff --git a/data_sources/aws_cloudtrail_deletegroup.yml b/data_sources/aws_cloudtrail_deletegroup.yml
index 3f2255c80c..688e96e193 100644
--- a/data_sources/aws_cloudtrail_deletegroup.yml
+++ b/data_sources/aws_cloudtrail_deletegroup.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_deleteipset.yml b/data_sources/aws_cloudtrail_deleteipset.yml
index 2ceef9db62..1f76149345 100644
--- a/data_sources/aws_cloudtrail_deleteipset.yml
+++ b/data_sources/aws_cloudtrail_deleteipset.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - app
diff --git a/data_sources/aws_cloudtrail_deleteloggroup.yml b/data_sources/aws_cloudtrail_deleteloggroup.yml
index 659d3ce7db..31b740396c 100644
--- a/data_sources/aws_cloudtrail_deleteloggroup.yml
+++ b/data_sources/aws_cloudtrail_deleteloggroup.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - apiVersion
diff --git a/data_sources/aws_cloudtrail_deletelogstream.yml b/data_sources/aws_cloudtrail_deletelogstream.yml
index 15b4d0a8ed..4841aec219 100644
--- a/data_sources/aws_cloudtrail_deletelogstream.yml
+++ b/data_sources/aws_cloudtrail_deletelogstream.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - apiVersion
diff --git a/data_sources/aws_cloudtrail_deletenetworkaclentry.yml b/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
index a724070f5a..8c53796b86 100644
--- a/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_deletepolicy.yml b/data_sources/aws_cloudtrail_deletepolicy.yml
index f1114d02f9..096c4026e2 100644
--- a/data_sources/aws_cloudtrail_deletepolicy.yml
+++ b/data_sources/aws_cloudtrail_deletepolicy.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_deleterule.yml b/data_sources/aws_cloudtrail_deleterule.yml
index 11cd5458b7..f2b725a0e0 100644
--- a/data_sources/aws_cloudtrail_deleterule.yml
+++ b/data_sources/aws_cloudtrail_deleterule.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - apiVersion
diff --git a/data_sources/aws_cloudtrail_deletesnapshot.yml b/data_sources/aws_cloudtrail_deletesnapshot.yml
index 976c05a157..82866ae3d2 100644
--- a/data_sources/aws_cloudtrail_deletesnapshot.yml
+++ b/data_sources/aws_cloudtrail_deletesnapshot.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_deletetrail.yml b/data_sources/aws_cloudtrail_deletetrail.yml
index bc1c56d117..88bf30f9f2 100644
--- a/data_sources/aws_cloudtrail_deletetrail.yml
+++ b/data_sources/aws_cloudtrail_deletetrail.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - app
diff --git a/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml b/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
index 7dd8c5f4ef..d2f8003473 100644
--- a/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
+++ b/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_deletewebacl.yml b/data_sources/aws_cloudtrail_deletewebacl.yml
index 743df228c6..f92db83a7e 100644
--- a/data_sources/aws_cloudtrail_deletewebacl.yml
+++ b/data_sources/aws_cloudtrail_deletewebacl.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - apiVersion
diff --git a/data_sources/aws_cloudtrail_describeeventaggregates.yml b/data_sources/aws_cloudtrail_describeeventaggregates.yml
index 0ede795950..a5e0230d21 100644
--- a/data_sources/aws_cloudtrail_describeeventaggregates.yml
+++ b/data_sources/aws_cloudtrail_describeeventaggregates.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - app
diff --git a/data_sources/aws_cloudtrail_describeimagescanfindings.yml b/data_sources/aws_cloudtrail_describeimagescanfindings.yml
index 82be4d4aad..cf68317cb3 100644
--- a/data_sources/aws_cloudtrail_describeimagescanfindings.yml
+++ b/data_sources/aws_cloudtrail_describeimagescanfindings.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - app
diff --git a/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
index 818055202b..793f643fe7 100644
--- a/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_getobject.yml b/data_sources/aws_cloudtrail_getobject.yml
index 4bb646b9ac..f0df3b9d63 100644
--- a/data_sources/aws_cloudtrail_getobject.yml
+++ b/data_sources/aws_cloudtrail_getobject.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - additionalEventData.AuthenticationMethod
diff --git a/data_sources/aws_cloudtrail_getpassworddata.yml b/data_sources/aws_cloudtrail_getpassworddata.yml
index 7159a30329..43085b0811 100644
--- a/data_sources/aws_cloudtrail_getpassworddata.yml
+++ b/data_sources/aws_cloudtrail_getpassworddata.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - app
diff --git a/data_sources/aws_cloudtrail_jobcreated.yml b/data_sources/aws_cloudtrail_jobcreated.yml
index 51452e6008..5b07052a21 100644
--- a/data_sources/aws_cloudtrail_jobcreated.yml
+++ b/data_sources/aws_cloudtrail_jobcreated.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - app
diff --git a/data_sources/aws_cloudtrail_modifydbinstance.yml b/data_sources/aws_cloudtrail_modifydbinstance.yml
index 758b539103..5aa82d23e4 100644
--- a/data_sources/aws_cloudtrail_modifydbinstance.yml
+++ b/data_sources/aws_cloudtrail_modifydbinstance.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - app
diff --git a/data_sources/aws_cloudtrail_modifyimageattribute.yml b/data_sources/aws_cloudtrail_modifyimageattribute.yml
index 313f9b8a24..0cca19f5ba 100644
--- a/data_sources/aws_cloudtrail_modifyimageattribute.yml
+++ b/data_sources/aws_cloudtrail_modifyimageattribute.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - app
diff --git a/data_sources/aws_cloudtrail_modifysnapshotattribute.yml b/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
index 7e0654df0e..b71ea90df8 100644
--- a/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
+++ b/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - app
diff --git a/data_sources/aws_cloudtrail_putbucketacl.yml b/data_sources/aws_cloudtrail_putbucketacl.yml
index 4d05ab8d5e..072a543d8b 100644
--- a/data_sources/aws_cloudtrail_putbucketacl.yml
+++ b/data_sources/aws_cloudtrail_putbucketacl.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_putbucketlifecycle.yml b/data_sources/aws_cloudtrail_putbucketlifecycle.yml
index 6f5b1d6b17..dd1735e739 100644
--- a/data_sources/aws_cloudtrail_putbucketlifecycle.yml
+++ b/data_sources/aws_cloudtrail_putbucketlifecycle.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - additionalEventData.AuthenticationMethod
diff --git a/data_sources/aws_cloudtrail_putbucketreplication.yml b/data_sources/aws_cloudtrail_putbucketreplication.yml
index 138fadca75..750030b709 100644
--- a/data_sources/aws_cloudtrail_putbucketreplication.yml
+++ b/data_sources/aws_cloudtrail_putbucketreplication.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - additionalEventData.AuthenticationMethod
diff --git a/data_sources/aws_cloudtrail_putbucketversioning.yml b/data_sources/aws_cloudtrail_putbucketversioning.yml
index d34e596c59..84822548b5 100644
--- a/data_sources/aws_cloudtrail_putbucketversioning.yml
+++ b/data_sources/aws_cloudtrail_putbucketversioning.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - additionalEventData.AuthenticationMethod
diff --git a/data_sources/aws_cloudtrail_putimage.yml b/data_sources/aws_cloudtrail_putimage.yml
index 8f8cf08e62..e58d7beaf2 100644
--- a/data_sources/aws_cloudtrail_putimage.yml
+++ b/data_sources/aws_cloudtrail_putimage.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - app
diff --git a/data_sources/aws_cloudtrail_putkeypolicy.yml b/data_sources/aws_cloudtrail_putkeypolicy.yml
index b3672c02ae..884fde1d98 100644
--- a/data_sources/aws_cloudtrail_putkeypolicy.yml
+++ b/data_sources/aws_cloudtrail_putkeypolicy.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - app
diff --git a/data_sources/aws_cloudtrail_replacenetworkaclentry.yml b/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
index a583feca2c..0971fe7242 100644
--- a/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml b/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
index 6f5674e60e..e6203dfbf5 100644
--- a/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
+++ b/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_stoplogging.yml b/data_sources/aws_cloudtrail_stoplogging.yml
index b8b57d3ea8..40f573bf75 100644
--- a/data_sources/aws_cloudtrail_stoplogging.yml
+++ b/data_sources/aws_cloudtrail_stoplogging.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - app
diff --git a/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
index a104451238..302b3d86f2 100644
--- a/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_updateloginprofile.yml b/data_sources/aws_cloudtrail_updateloginprofile.yml
index 2a15aef038..ec0fb755c7 100644
--- a/data_sources/aws_cloudtrail_updateloginprofile.yml
+++ b/data_sources/aws_cloudtrail_updateloginprofile.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_updatesamlprovider.yml b/data_sources/aws_cloudtrail_updatesamlprovider.yml
index 7941a7c812..089450c766 100644
--- a/data_sources/aws_cloudtrail_updatesamlprovider.yml
+++ b/data_sources/aws_cloudtrail_updatesamlprovider.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - action
diff --git a/data_sources/aws_cloudtrail_updatetrail.yml b/data_sources/aws_cloudtrail_updatetrail.yml
index 37eb6a0ae0..77e7134208 100644
--- a/data_sources/aws_cloudtrail_updatetrail.yml
+++ b/data_sources/aws_cloudtrail_updatetrail.yml
@@ -10,7 +10,7 @@ separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - app
diff --git a/data_sources/aws_cloudwatchlogs_vpcflow.yml b/data_sources/aws_cloudwatchlogs_vpcflow.yml
index cd955e0c89..826f3aa9ed 100644
--- a/data_sources/aws_cloudwatchlogs_vpcflow.yml
+++ b/data_sources/aws_cloudwatchlogs_vpcflow.yml
@@ -9,7 +9,7 @@ sourcetype: aws:cloudwatchlogs:vpcflow
 separator: eventName
 supported_TA:
 - name: Splunk Add-on for AWS
- version: 7.7.1
+ version: 7.8.0
 url: https://splunkbase.splunk.com/app/1876
 fields:
 - _raw
diff --git a/data_sources/aws_security_hub.yml b/data_sources/aws_security_hub.yml
index d82f3cee0d..ad32432bb8 100644
--- a/data_sources/aws_security_hub.yml
+++ b/data_sources/aws_security_hub.yml
@@ -9,7 +9,7 @@ sourcetype: aws:securityhub:finding
 supported_TA:
 - name: Splunk Add-on for AWS
 url: https://splunkbase.splunk.com/app/1876
- version: 7.7.1
+ version: 7.8.0
 fields:
 - _time
 - AwsAccountId
diff --git a/data_sources/ms365_defender_incident_alerts.yml b/data_sources/ms365_defender_incident_alerts.yml
index 09eeec400b..2035acfe81 100644
--- a/data_sources/ms365_defender_incident_alerts.yml
+++ b/data_sources/ms365_defender_incident_alerts.yml
@@ -9,7 +9,7 @@ sourcetype: ms365:defender:incident:alerts
 supported_TA:
 - name: Splunk Add-on for Microsoft Security
 url: https://splunkbase.splunk.com/app/6207
- version: 2.3.0
+ version: 2.4.0
 fields:
 - actorName
 - alertId
@@ -124,111 +124,60 @@ fields: - _sourcetype - _subsecond - _time -example_log: | - { - "alertId": "da638001130101730338_582949328", - "providerAlertId": "da638001130101730338_582949328", - "incidentId": 486, - "serviceSource": "MicrosoftDefenderForEndpoint", - "creationTime": "2022-09-30T05:36:50.1732198Z", - "lastUpdatedTime": "2022-11-19T01:35:42.7033333Z", - "resolvedTime": "2022-10-01T01:36:00.5066667Z", - "firstActivity": "2022-09-30T05:06:43.8196597Z", - "lastActivity": "2022-09-30T05:06:43.8196597Z", - "title": "Suspicious URL clicked", - "description": "A user opened a potentially malicious URL. This alert was triggered based on a Microsoft Defender for Office 365 alert.", - "category": "InitialAccess", - "status": "Resolved", - "severity": "High", - "investigationId": null, - "investigationState": "UnsupportedAlertType", - "classification": "TruePositive", - "determination": "SecurityTesting", - "detectionSource": "MTP", - "detectorId": "359b36eb-337c-4f1c-b280-8c5e08f9c4a0", - "assignedTo": "msftadmin@metal.m365dpoc.com", - "actorName": null, - "threatFamilyName": null, - "mitreTechniques": [ - "T1566.002" - ], - "devices": [ - { - "mdatpDeviceId": "c7e147cb0eb3534a4dcea5acb8e61c933713b145", - "aadDeviceId": null, - "deviceDnsName": "metal-win10v.metal.m365dpoc.com", - "osPlatform": "Windows10", - "version": "1809", - "osProcessor": "x64", - "osBuild": 17763, - "healthStatus": "Active", - "riskScore": "High", - "rbacGroupName": "Full Auto Clients", - "firstSeen": "2022-08-08T08:51:02.455Z", - "tags": [ - "Full auto" - ], - "defenderAvStatus": "Updated", - "onboardingStatus": "Onboarded", - "vmMetadata": { - "vmId": "17881b39-b03f-4a2c-9b56-078be1330bd0", - "cloudProvider": "Unknown", - "resourceId": "/subscriptions/29e73d07-8740-4164-a257-592a19a7b77c/resourceGroups/MSDXV2/providers/Microsoft.Compute/virtualMachines/MSDXV2-Win10V", - "subscriptionId": "29e73d07-8740-4164-a257-592a19a7b77c" - }, - "loggedOnUsers": [ - { - "accountName": "hetfield", - 
"domainName": "MSDXV2" - } - ] - } - ], - "entities": [ - { - "entityType": "Process", - "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z", - "verdict": "Suspicious", - "remediationStatus": "None", - "sha1": "6cbce4a295c163791b60fc23d285e6d84f28ee4c", - "sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c", - "fileName": "powershell.exe", - "filePath": "", - "processId": 7068, - "processCommandLine": "powershell.exe -command \" $Process = New-Object System.Diagnostics.Process; $Process.StartInfo.FileName = 'https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgcajebahdi.corporatelogon.xyz%2Fab%2Fjnkmbkkdnlgedc&data=05%7C01%7Chetfield%40metal.m365dpoc.com%7Cca409616a82145bd6a5f08daa2a10255%7C1a49212958c8401191cd245285f5345c%7C0%7C0%7C638001109710345383%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=FyEjRS5qOd2SkJELlueibuxLFMYNjL7fz8EbuOAvFwg%3D&reserved=0'; $Process.StartInfo.UseShellExecute = $true; $Process.Start() | Out-Null; \" ", - "processCreationTime": "2022-09-30T05:06:43.3390523Z", - "parentProcessId": 7116, - "parentProcessCreationTime": "2022-09-30T05:06:43.3100364Z", - "accountName": "hetfield", - "userSid": "S-1-5-21-2300221942-1987151257-321556088-1104" - }, - { - "entityType": "File", - "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z", - "verdict": "Suspicious", - "remediationStatus": "None", - "sha1": "6cbce4a295c163791b60fc23d285e6d84f28ee4c", - "sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c", - "fileName": "powershell.exe", - "filePath": "" - }, - { - "entityType": "User", - "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z", - "verdict": "Suspicious", - "remediationStatus": "None", - "accountName": "hetfield", - "domainName": "metal.m365dpoc", - "userSid": "S-1-5-21-2300221942-1987151257-321556088-1104", - "aadUserId": "e848b07a-87af-4448-9979-09f0b809c8d4", - "userPrincipalName": "daftpunk" - }, - { - 
"entityType": "Url", - "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z", - "verdict": "Suspicious", - "remediationStatus": "None", - "url": "http://gcajebahdi.corporatelogon.xyz/ab/jnkmbkkdnlgedc" - } - ] - } \ No newline at end of file +example_log: "{\n \"alertId\": \"da638001130101730338_582949328\",\n \"providerAlertId\"\ + : \"da638001130101730338_582949328\",\n \"incidentId\": 486,\n \"serviceSource\"\ + : \"MicrosoftDefenderForEndpoint\",\n \"creationTime\": \"2022-09-30T05:36:50.1732198Z\"\ + ,\n \"lastUpdatedTime\": \"2022-11-19T01:35:42.7033333Z\",\n \"resolvedTime\"\ + : \"2022-10-01T01:36:00.5066667Z\",\n \"firstActivity\": \"2022-09-30T05:06:43.8196597Z\"\ + ,\n \"lastActivity\": \"2022-09-30T05:06:43.8196597Z\",\n \"title\": \"Suspicious\ + \ URL clicked\",\n \"description\": \"A user opened a potentially malicious URL.\ + \ This alert was triggered based on a Microsoft Defender for Office 365 alert.\"\ + ,\n \"category\": \"InitialAccess\",\n \"status\": \"Resolved\",\n \"severity\"\ + : \"High\",\n \"investigationId\": null,\n \"investigationState\": \"UnsupportedAlertType\"\ + ,\n \"classification\": \"TruePositive\",\n \"determination\": \"SecurityTesting\"\ + ,\n \"detectionSource\": \"MTP\",\n \"detectorId\": \"359b36eb-337c-4f1c-b280-8c5e08f9c4a0\"\ + ,\n \"assignedTo\": \"msftadmin@metal.m365dpoc.com\",\n \"actorName\": null,\n\ + \ \"threatFamilyName\": null,\n \"mitreTechniques\": [\n \"T1566.002\"\n ],\n\ + \ \"devices\": [\n {\n \"mdatpDeviceId\": \"c7e147cb0eb3534a4dcea5acb8e61c933713b145\"\ + ,\n \"aadDeviceId\": null,\n \"deviceDnsName\": \"metal-win10v.metal.m365dpoc.com\"\ + ,\n \"osPlatform\": \"Windows10\",\n \"version\": \"1809\",\n \"\ + osProcessor\": \"x64\",\n \"osBuild\": 17763,\n \"healthStatus\": \"Active\"\ + ,\n \"riskScore\": \"High\",\n \"rbacGroupName\": \"Full Auto Clients\"\ + ,\n \"firstSeen\": \"2022-08-08T08:51:02.455Z\",\n \"tags\": [\n \ + \ \"Full auto\"\n ],\n \"defenderAvStatus\": \"Updated\",\n \"\ + 
onboardingStatus\": \"Onboarded\",\n \"vmMetadata\": {\n \"vmId\": \"\ + 17881b39-b03f-4a2c-9b56-078be1330bd0\",\n \"cloudProvider\": \"Unknown\"\ + ,\n \"resourceId\": \"/subscriptions/29e73d07-8740-4164-a257-592a19a7b77c/resourceGroups/MSDXV2/providers/Microsoft.Compute/virtualMachines/MSDXV2-Win10V\"\ + ,\n \"subscriptionId\": \"29e73d07-8740-4164-a257-592a19a7b77c\"\n },\n\ + \ \"loggedOnUsers\": [\n {\n \"accountName\": \"hetfield\"\ + ,\n \"domainName\": \"MSDXV2\"\n }\n ]\n }\n ],\n \"entities\"\ + : [\n {\n \"entityType\": \"Process\",\n \"evidenceCreationTime\":\ + \ \"2022-09-30T05:36:50.2133333Z\",\n \"verdict\": \"Suspicious\",\n \"\ + remediationStatus\": \"None\",\n \"sha1\": \"6cbce4a295c163791b60fc23d285e6d84f28ee4c\"\ + ,\n \"sha256\": \"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"\ + ,\n \"fileName\": \"powershell.exe\",\n \"filePath\": \"\",\n \"\ + processId\": 7068,\n \"processCommandLine\": \"powershell.exe -command \\\"\ + \ $Process = New-Object\ + \ System.Diagnostics.Process; \ + \ $Process.StartInfo.FileName = 'https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgcajebahdi.corporatelogon.xyz%2Fab%2Fjnkmbkkdnlgedc&data=05%7C01%7Chetfield%40metal.m365dpoc.com%7Cca409616a82145bd6a5f08daa2a10255%7C1a49212958c8401191cd245285f5345c%7C0%7C0%7C638001109710345383%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=FyEjRS5qOd2SkJELlueibuxLFMYNjL7fz8EbuOAvFwg%3D&reserved=0';\ + \ $Process.StartInfo.UseShellExecute\ + \ = $true; $Process.Start()\ + \ | Out-Null; \\\" \ + \ \",\n \"processCreationTime\"\ + : \"2022-09-30T05:06:43.3390523Z\",\n \"parentProcessId\": 7116,\n \"\ + parentProcessCreationTime\": \"2022-09-30T05:06:43.3100364Z\",\n \"accountName\"\ + : \"hetfield\",\n \"userSid\": \"S-1-5-21-2300221942-1987151257-321556088-1104\"\ + \n },\n {\n \"entityType\": \"File\",\n \"evidenceCreationTime\"\ + : \"2022-09-30T05:36:50.2133333Z\",\n 
\"verdict\": \"Suspicious\",\n \"\ + remediationStatus\": \"None\",\n \"sha1\": \"6cbce4a295c163791b60fc23d285e6d84f28ee4c\"\ + ,\n \"sha256\": \"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"\ + ,\n \"fileName\": \"powershell.exe\",\n \"filePath\": \"\"\n },\n \ + \ {\n \"entityType\": \"User\",\n \"evidenceCreationTime\": \"2022-09-30T05:36:50.2133333Z\"\ + ,\n \"verdict\": \"Suspicious\",\n \"remediationStatus\": \"None\",\n\ + \ \"accountName\": \"hetfield\",\n \"domainName\": \"metal.m365dpoc\"\ + ,\n \"userSid\": \"S-1-5-21-2300221942-1987151257-321556088-1104\",\n \ + \ \"aadUserId\": \"e848b07a-87af-4448-9979-09f0b809c8d4\",\n \"userPrincipalName\"\ + : \"daftpunk\"\n },\n {\n \"entityType\": \"Url\",\n \"evidenceCreationTime\"\ + : \"2022-09-30T05:36:50.2133333Z\",\n \"verdict\": \"Suspicious\",\n \"\ + remediationStatus\": \"None\",\n \"url\": \"http://gcajebahdi.corporatelogon.xyz/ab/jnkmbkkdnlgedc\"\ + \n }\n ]\n}" diff --git a/data_sources/ms_defender_atp_alerts.yml b/data_sources/ms_defender_atp_alerts.yml index 9bbad98228..9fe770cf0e 100644 --- a/data_sources/ms_defender_atp_alerts.yml +++ b/data_sources/ms_defender_atp_alerts.yml @@ -9,7 +9,7 @@ sourcetype: ms:defender:atp:alerts supported_TA: - name: Splunk Add-on for Microsoft Security url: https://splunkbase.splunk.com/app/6207 - version: 2.3.0 + version: 2.4.0 fields: - column - accountName 
@@ -121,302 +121,152 @@ fields: - user - user_name - _time -example_log: | - { - "id": "da47dc5671-e560-4229-984b-457564996b31_1", - "incidentId": 989, - "investigationId": null, - "assignedTo": null, - "severity": "High", - "status": "New", - "classification": null, - "determination": null, - "investigationState": "UnsupportedAlertType", - "detectionSource": "WindowsDefenderAtp", - "detectorId": "9c3a70ec-e18a-4f92-865a-530f73130b7c", - "category": "LateralMovement", - "threatFamilyName": null, - "title": "Ongoing hands-on-keyboard attack via Impacket toolkit", - "description": "Suspicious execution of a command via Impacket was observed on this device. This tool connects to other hosts to explore network shares and execute commands. Attackers might be attempting to move laterally across the network using this tool. This usage of Impacket has often been observed in hands-on-keyboard attacks, where ransomware and other payloads are installed on target devices.", - "alertCreationTime": "2023-01-24T05:33:37.3245808Z", - "firstEventTime": "2023-01-24T05:31:07.5276179Z", - "lastEventTime": "2023-01-24T13:02:50.7831636Z", - "lastUpdateTime": "2023-01-24T13:07:13.3233333Z", - "resolvedTime": null, - "machineId": "302293d9f276eae65553e5042156bce93cbc7148", - "computerDnsName": "diytestmachine", - "rbacGroupName": "UnassignedGroup", - "aadTenantId": "1a492129-58c8-4011-91cd-245285f5345c", - "threatName": null, - "mitreTechniques": [ - "T1021.002", - "T1047", - "T1059.003" - ], - "relatedUser": { - "userName": "User1", - "domainName": "DIYTESTMACHINE" - }, - "loggedOnUsers": [ - { - "accountName": "administrator1", - "domainName": "DIYTESTMACHINE" - } - ], - "comments": [], - "evidence": [ - { - "entityType": "Process", - "evidenceCreationTime": "2023-01-24T05:45:51.6833333Z", - "sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c", - "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3", - "fileName": "WmiPrvSE.exe", - "filePath": 
"C:\\Windows\\System32\\wbem", - "processId": 4476, - "processCommandLine": "wmiprvse.exe -secured -Embedding", - "processCreationTime": "2023-01-24T05:43:32.4631151Z", - "parentProcessId": 896, - "parentProcessCreationTime": "2023-01-24T04:44:17.1940386Z", - "parentProcessFileName": "svchost.exe", - "parentProcessFilePath": "C:\\Windows\\System32", - "ipAddress": null, - "url": null, - "registryKey": null, - "registryHive": null, - "registryValueType": null, - "registryValue": null, - "registryValueName": null, - "accountName": "NETWORK SERVICE", - "domainName": "NT AUTHORITY", - "userSid": "S-1-5-20", - "aadUserId": null, - "userPrincipalName": null, - "detectionStatus": "Detected" - }, - { - "entityType": "User", - "evidenceCreationTime": "2023-01-24T05:33:37.4166667Z", - "sha1": null, - "sha256": null, - "fileName": null, - "filePath": null, - "processId": null, - "processCommandLine": null, - "processCreationTime": null, - "parentProcessId": null, - "parentProcessCreationTime": null, - "parentProcessFileName": null, - "parentProcessFilePath": null, - "ipAddress": null, - "url": null, - "registryKey": null, - "registryHive": null, - "registryValueType": null, - "registryValue": null, - "registryValueName": null, - "accountName": "User1", - "domainName": "DIYTESTMACHINE", - "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002", - "aadUserId": null, - "userPrincipalName": null, - "detectionStatus": null - }, - { - "entityType": "Process", - "evidenceCreationTime": "2023-01-24T05:33:37.4166667Z", - "sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c", - "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3", - "fileName": "WmiPrvSE.exe", - "filePath": "C:\\Windows\\System32\\wbem", - "processId": 7824, - "processCommandLine": "wmiprvse.exe -secured -Embedding", - "processCreationTime": "2023-01-24T05:30:50.8649791Z", - "parentProcessId": 896, - "parentProcessCreationTime": "2023-01-24T04:44:17.1940386Z", - "parentProcessFileName": 
"svchost.exe", - "parentProcessFilePath": "C:\\Windows\\System32", - "ipAddress": null, - "url": null, - "registryKey": null, - "registryHive": null, - "registryValueType": null, - "registryValue": null, - "registryValueName": null, - "accountName": "NETWORK SERVICE", - "domainName": "NT AUTHORITY", - "userSid": "S-1-5-20", - "aadUserId": null, - "userPrincipalName": null, - "detectionStatus": "Detected" - }, - { - "entityType": "Process", - "evidenceCreationTime": "2023-01-24T13:07:13.2233333Z", - "sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d", - "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", - "fileName": "cmd.exe", - "filePath": "C:\\Windows\\System32", - "processId": 5500, - "processCommandLine": "cmd.exe /Q /c powershell -NoProfile -ExecutionPolicy Bypass -File \"C:\\Users\\administrator1\\Desktop\\SharedFolder\\payload.ps1\" 1> \\\\127.0.0.1\\SharedFolder\\__1674565222.7012053 2>&1", - "processCreationTime": "2023-01-24T13:02:50.4661885Z", - "parentProcessId": 756, - "parentProcessCreationTime": "2023-01-24T13:00:35.0107475Z", - "parentProcessFileName": "WmiPrvSE.exe", - "parentProcessFilePath": "C:\\Windows\\System32\\wbem", - "ipAddress": null, - "url": null, - "registryKey": null, - "registryHive": null, - "registryValueType": null, - "registryValue": null, - "registryValueName": null, - "accountName": "User1", - "domainName": "DIYTESTMACHINE", - "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002", - "aadUserId": null, - "userPrincipalName": null, - "detectionStatus": "Detected" - }, - { - "entityType": "Process", - "evidenceCreationTime": "2023-01-24T05:33:37.4166667Z", - "sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d", - "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", - "fileName": "cmd.exe", - "filePath": "C:\\Windows\\System32", - "processId": 8964, - "processCommandLine": "cmd.exe /Q /c powershell -NoProfile -ExecutionPolicy Bypass -File 
\"C:\\Users\\administrator1\\Desktop\\SharedFolder\\payload.ps1\" 1> \\\\127.0.0.1\\SharedFolder\\__1674538248.357367 2>&1", - "processCreationTime": "2023-01-24T05:31:04.0743902Z", - "parentProcessId": 7824, - "parentProcessCreationTime": "2023-01-24T05:30:50.8649791Z", - "parentProcessFileName": "WmiPrvSE.exe", - "parentProcessFilePath": "C:\\Windows\\System32\\wbem", - "ipAddress": null, - "url": null, - "registryKey": null, - "registryHive": null, - "registryValueType": null, - "registryValue": null, - "registryValueName": null, - "accountName": "User1", - "domainName": "DIYTESTMACHINE", - "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002", - "aadUserId": null, - "userPrincipalName": null, - "detectionStatus": "Detected" - }, - { - "entityType": "Process", - "evidenceCreationTime": "2023-01-24T05:39:47.1733333Z", - "sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d", - "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", - "fileName": "cmd.exe", - "filePath": "C:\\Windows\\System32", - "processId": 884, - "processCommandLine": "cmd.exe /Q /c powershell -NoProfile -ExecutionPolicy Bypass -File \"C:\\Users\\administrator1\\Desktop\\SharedFolder\\payload.ps1\" 1> \\\\127.0.0.1\\SharedFolder\\__1674538583.8648584 2>&1", - "processCreationTime": "2023-01-24T05:36:38.826505Z", - "parentProcessId": 7736, - "parentProcessCreationTime": "2023-01-24T05:36:26.0524655Z", - "parentProcessFileName": "WmiPrvSE.exe", - "parentProcessFilePath": "C:\\Windows\\System32\\wbem", - "ipAddress": null, - "url": null, - "registryKey": null, - "registryHive": null, - "registryValueType": null, - "registryValue": null, - "registryValueName": null, - "accountName": "User1", - "domainName": "DIYTESTMACHINE", - "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002", - "aadUserId": null, - "userPrincipalName": null, - "detectionStatus": "Detected" - }, - { - "entityType": "Process", - "evidenceCreationTime": "2023-01-24T13:07:13.2233333Z", - "sha1": 
"3ea7cc066317ac45f963c2227c4c7c50aa16eb7c", - "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3", - "fileName": "WmiPrvSE.exe", - "filePath": "C:\\Windows\\System32\\wbem", - "processId": 756, - "processCommandLine": "wmiprvse.exe -secured -Embedding", - "processCreationTime": "2023-01-24T13:00:35.0107475Z", - "parentProcessId": 908, - "parentProcessCreationTime": "2023-01-24T08:20:44.6877667Z", - "parentProcessFileName": "svchost.exe", - "parentProcessFilePath": "C:\\Windows\\System32", - "ipAddress": null, - "url": null, - "registryKey": null, - "registryHive": null, - "registryValueType": null, - "registryValue": null, - "registryValueName": null, - "accountName": "NETWORK SERVICE", - "domainName": "NT AUTHORITY", - "userSid": "S-1-5-20", - "aadUserId": null, - "userPrincipalName": null, - "detectionStatus": "Detected" - }, - { - "entityType": "Process", - "evidenceCreationTime": "2023-01-24T05:45:51.6833333Z", - "sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d", - "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", - "fileName": "cmd.exe", - "filePath": "C:\\Windows\\System32", - "processId": 1140, - "processCommandLine": "cmd.exe /Q /c powershell -NoProfile -ExecutionPolicy Bypass -File \"C:\\Users\\administrator1\\Desktop\\SharedFolder\\payload.ps1\" 1> \\\\127.0.0.1\\SharedFolder\\__1674538878.1586335 2>&1", - "processCreationTime": "2023-01-24T05:43:49.9375398Z", - "parentProcessId": 4476, - "parentProcessCreationTime": "2023-01-24T05:43:32.4631151Z", - "parentProcessFileName": "WmiPrvSE.exe", - "parentProcessFilePath": "C:\\Windows\\System32\\wbem", - "ipAddress": null, - "url": null, - "registryKey": null, - "registryHive": null, - "registryValueType": null, - "registryValue": null, - "registryValueName": null, - "accountName": "User1", - "domainName": "DIYTESTMACHINE", - "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002", - "aadUserId": null, - "userPrincipalName": null, - "detectionStatus": 
"Detected" - }, - { - "entityType": "Process", - "evidenceCreationTime": "2023-01-24T05:39:47.1733333Z", - "sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c", - "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3", - "fileName": "WmiPrvSE.exe", - "filePath": "C:\\Windows\\System32\\wbem", - "processId": 7736, - "processCommandLine": "wmiprvse.exe -secured -Embedding", - "processCreationTime": "2023-01-24T05:36:26.0524655Z", - "parentProcessId": 896, - "parentProcessCreationTime": "2023-01-24T04:44:17.1940386Z", - "parentProcessFileName": "svchost.exe", - "parentProcessFilePath": "C:\\Windows\\System32", - "ipAddress": null, - "url": null, - "registryKey": null, - "registryHive": null, - "registryValueType": null, - "registryValue": null, - "registryValueName": null, - "accountName": "NETWORK SERVICE", - "domainName": "NT AUTHORITY", - "userSid": "S-1-5-20", - "aadUserId": null, - "userPrincipalName": null, - "detectionStatus": "Detected" - } - ], - "domains": [] - } \ No newline at end of file +example_log: "{\n\"id\": \"da47dc5671-e560-4229-984b-457564996b31_1\",\n\"incidentId\"\ + : 989,\n\"investigationId\": null,\n\"assignedTo\": null,\n\"severity\": \"High\"\ + ,\n\"status\": \"New\",\n\"classification\": null,\n\"determination\": null,\n\"\ + investigationState\": \"UnsupportedAlertType\",\n\"detectionSource\": \"WindowsDefenderAtp\"\ + ,\n\"detectorId\": \"9c3a70ec-e18a-4f92-865a-530f73130b7c\",\n\"category\": \"LateralMovement\"\ + ,\n\"threatFamilyName\": null,\n\"title\": \"Ongoing hands-on-keyboard attack via\ + \ Impacket toolkit\",\n\"description\": \"Suspicious execution of a command via\ + \ Impacket was observed on this device. This tool connects to other hosts to explore\ + \ network shares and execute commands. Attackers might be attempting to move laterally\ + \ across the network using this tool. 
This usage of Impacket has often been observed\ + \ in hands-on-keyboard attacks, where ransomware and other payloads are installed\ + \ on target devices.\",\n\"alertCreationTime\": \"2023-01-24T05:33:37.3245808Z\"\ + ,\n\"firstEventTime\": \"2023-01-24T05:31:07.5276179Z\",\n\"lastEventTime\": \"\ + 2023-01-24T13:02:50.7831636Z\",\n\"lastUpdateTime\": \"2023-01-24T13:07:13.3233333Z\"\ + ,\n\"resolvedTime\": null,\n\"machineId\": \"302293d9f276eae65553e5042156bce93cbc7148\"\ + ,\n\"computerDnsName\": \"diytestmachine\",\n\"rbacGroupName\": \"UnassignedGroup\"\ + ,\n\"aadTenantId\": \"1a492129-58c8-4011-91cd-245285f5345c\",\n\"threatName\": null,\n\ + \"mitreTechniques\": [\n \"T1021.002\",\n \"T1047\",\n \"T1059.003\"\n],\n\"\ + relatedUser\": {\n \"userName\": \"User1\",\n \"domainName\": \"DIYTESTMACHINE\"\ + \n},\n\"loggedOnUsers\": [\n {\n \"accountName\": \"administrator1\",\n \"\ + domainName\": \"DIYTESTMACHINE\"\n }\n],\n\"comments\": [],\n\"evidence\": [\n\ + \ {\n \"entityType\": \"Process\",\n \"evidenceCreationTime\": \"2023-01-24T05:45:51.6833333Z\"\ + ,\n \"sha1\": \"3ea7cc066317ac45f963c2227c4c7c50aa16eb7c\",\n \"sha256\":\ + \ \"2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3\",\n \"\ + fileName\": \"WmiPrvSE.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\\\\\ + wbem\",\n \"processId\": 4476,\n \"processCommandLine\": \"wmiprvse.exe -secured\ + \ -Embedding\",\n \"processCreationTime\": \"2023-01-24T05:43:32.4631151Z\",\n\ + \ \"parentProcessId\": 896,\n \"parentProcessCreationTime\": \"2023-01-24T04:44:17.1940386Z\"\ + ,\n \"parentProcessFileName\": \"svchost.exe\",\n \"parentProcessFilePath\"\ + : \"C:\\\\Windows\\\\System32\",\n \"ipAddress\": null,\n \"url\": null,\n\ + \ \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\ + : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\ + accountName\": \"NETWORK SERVICE\",\n \"domainName\": \"NT AUTHORITY\",\n \ + \ \"userSid\": 
\"S-1-5-20\",\n \"aadUserId\": null,\n \"userPrincipalName\"\ + : null,\n \"detectionStatus\": \"Detected\"\n },\n {\n \"entityType\": \"\ + User\",\n \"evidenceCreationTime\": \"2023-01-24T05:33:37.4166667Z\",\n \"\ + sha1\": null,\n \"sha256\": null,\n \"fileName\": null,\n \"filePath\"\ + : null,\n \"processId\": null,\n \"processCommandLine\": null,\n \"processCreationTime\"\ + : null,\n \"parentProcessId\": null,\n \"parentProcessCreationTime\": null,\n\ + \ \"parentProcessFileName\": null,\n \"parentProcessFilePath\": null,\n \ + \ \"ipAddress\": null,\n \"url\": null,\n \"registryKey\": null,\n \"\ + registryHive\": null,\n \"registryValueType\": null,\n \"registryValue\":\ + \ null,\n \"registryValueName\": null,\n \"accountName\": \"User1\",\n \ + \ \"domainName\": \"DIYTESTMACHINE\",\n \"userSid\": \"S-1-5-21-4215714199-1288013905-3478400915-1002\"\ + ,\n \"aadUserId\": null,\n \"userPrincipalName\": null,\n \"detectionStatus\"\ + : null\n },\n {\n \"entityType\": \"Process\",\n \"evidenceCreationTime\"\ + : \"2023-01-24T05:33:37.4166667Z\",\n \"sha1\": \"3ea7cc066317ac45f963c2227c4c7c50aa16eb7c\"\ + ,\n \"sha256\": \"2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3\"\ + ,\n \"fileName\": \"WmiPrvSE.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\\\ + \\wbem\",\n \"processId\": 7824,\n \"processCommandLine\": \"wmiprvse.exe\ + \ -secured -Embedding\",\n \"processCreationTime\": \"2023-01-24T05:30:50.8649791Z\"\ + ,\n \"parentProcessId\": 896,\n \"parentProcessCreationTime\": \"2023-01-24T04:44:17.1940386Z\"\ + ,\n \"parentProcessFileName\": \"svchost.exe\",\n \"parentProcessFilePath\"\ + : \"C:\\\\Windows\\\\System32\",\n \"ipAddress\": null,\n \"url\": null,\n\ + \ \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\ + : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\ + accountName\": \"NETWORK SERVICE\",\n \"domainName\": \"NT AUTHORITY\",\n \ + \ \"userSid\": \"S-1-5-20\",\n \"aadUserId\": 
null,\n \"userPrincipalName\"\ + : null,\n \"detectionStatus\": \"Detected\"\n },\n {\n \"entityType\": \"\ + Process\",\n \"evidenceCreationTime\": \"2023-01-24T13:07:13.2233333Z\",\n \ + \ \"sha1\": \"f1efb0fddc156e4c61c5f78a54700e4e7984d55d\",\n \"sha256\": \"b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450\"\ + ,\n \"fileName\": \"cmd.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\"\ + ,\n \"processId\": 5500,\n \"processCommandLine\": \"cmd.exe /Q /c powershell\ + \ -NoProfile -ExecutionPolicy Bypass -File \\\"C:\\\\Users\\\\administrator1\\\\\ + Desktop\\\\SharedFolder\\\\payload.ps1\\\" 1> \\\\\\\\127.0.0.1\\\\SharedFolder\\\ + \\__1674565222.7012053 2>&1\",\n \"processCreationTime\": \"2023-01-24T13:02:50.4661885Z\"\ + ,\n \"parentProcessId\": 756,\n \"parentProcessCreationTime\": \"2023-01-24T13:00:35.0107475Z\"\ + ,\n \"parentProcessFileName\": \"WmiPrvSE.exe\",\n \"parentProcessFilePath\"\ + : \"C:\\\\Windows\\\\System32\\\\wbem\",\n \"ipAddress\": null,\n \"url\"\ + : null,\n \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\ + : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\ + accountName\": \"User1\",\n \"domainName\": \"DIYTESTMACHINE\",\n \"userSid\"\ + : \"S-1-5-21-4215714199-1288013905-3478400915-1002\",\n \"aadUserId\": null,\n\ + \ \"userPrincipalName\": null,\n \"detectionStatus\": \"Detected\"\n },\n\ + \ {\n \"entityType\": \"Process\",\n \"evidenceCreationTime\": \"2023-01-24T05:33:37.4166667Z\"\ + ,\n \"sha1\": \"f1efb0fddc156e4c61c5f78a54700e4e7984d55d\",\n \"sha256\":\ + \ \"b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450\",\n \"\ + fileName\": \"cmd.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\",\n \ + \ \"processId\": 8964,\n \"processCommandLine\": \"cmd.exe /Q /c powershell -NoProfile\ + \ -ExecutionPolicy Bypass -File \\\"C:\\\\Users\\\\administrator1\\\\Desktop\\\\\ + SharedFolder\\\\payload.ps1\\\" 1> 
\\\\\\\\127.0.0.1\\\\SharedFolder\\\\__1674538248.357367\ + \ 2>&1\",\n \"processCreationTime\": \"2023-01-24T05:31:04.0743902Z\",\n \"\ + parentProcessId\": 7824,\n \"parentProcessCreationTime\": \"2023-01-24T05:30:50.8649791Z\"\ + ,\n \"parentProcessFileName\": \"WmiPrvSE.exe\",\n \"parentProcessFilePath\"\ + : \"C:\\\\Windows\\\\System32\\\\wbem\",\n \"ipAddress\": null,\n \"url\"\ + : null,\n \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\ + : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\ + accountName\": \"User1\",\n \"domainName\": \"DIYTESTMACHINE\",\n \"userSid\"\ + : \"S-1-5-21-4215714199-1288013905-3478400915-1002\",\n \"aadUserId\": null,\n\ + \ \"userPrincipalName\": null,\n \"detectionStatus\": \"Detected\"\n },\n\ + \ {\n \"entityType\": \"Process\",\n \"evidenceCreationTime\": \"2023-01-24T05:39:47.1733333Z\"\ + ,\n \"sha1\": \"f1efb0fddc156e4c61c5f78a54700e4e7984d55d\",\n \"sha256\":\ + \ \"b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450\",\n \"\ + fileName\": \"cmd.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\",\n \ + \ \"processId\": 884,\n \"processCommandLine\": \"cmd.exe /Q /c powershell -NoProfile\ + \ -ExecutionPolicy Bypass -File \\\"C:\\\\Users\\\\administrator1\\\\Desktop\\\\\ + SharedFolder\\\\payload.ps1\\\" 1> \\\\\\\\127.0.0.1\\\\SharedFolder\\\\__1674538583.8648584\ + \ 2>&1\",\n \"processCreationTime\": \"2023-01-24T05:36:38.826505Z\",\n \"\ + parentProcessId\": 7736,\n \"parentProcessCreationTime\": \"2023-01-24T05:36:26.0524655Z\"\ + ,\n \"parentProcessFileName\": \"WmiPrvSE.exe\",\n \"parentProcessFilePath\"\ + : \"C:\\\\Windows\\\\System32\\\\wbem\",\n \"ipAddress\": null,\n \"url\"\ + : null,\n \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\ + : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\ + accountName\": \"User1\",\n \"domainName\": \"DIYTESTMACHINE\",\n \"userSid\"\ + : 
\"S-1-5-21-4215714199-1288013905-3478400915-1002\",\n \"aadUserId\": null,\n\ + \ \"userPrincipalName\": null,\n \"detectionStatus\": \"Detected\"\n },\n\ + \ {\n \"entityType\": \"Process\",\n \"evidenceCreationTime\": \"2023-01-24T13:07:13.2233333Z\"\ + ,\n \"sha1\": \"3ea7cc066317ac45f963c2227c4c7c50aa16eb7c\",\n \"sha256\":\ + \ \"2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3\",\n \"\ + fileName\": \"WmiPrvSE.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\\\\\ + wbem\",\n \"processId\": 756,\n \"processCommandLine\": \"wmiprvse.exe -secured\ + \ -Embedding\",\n \"processCreationTime\": \"2023-01-24T13:00:35.0107475Z\",\n\ + \ \"parentProcessId\": 908,\n \"parentProcessCreationTime\": \"2023-01-24T08:20:44.6877667Z\"\ + ,\n \"parentProcessFileName\": \"svchost.exe\",\n \"parentProcessFilePath\"\ + : \"C:\\\\Windows\\\\System32\",\n \"ipAddress\": null,\n \"url\": null,\n\ + \ \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\ + : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\ + accountName\": \"NETWORK SERVICE\",\n \"domainName\": \"NT AUTHORITY\",\n \ + \ \"userSid\": \"S-1-5-20\",\n \"aadUserId\": null,\n \"userPrincipalName\"\ + : null,\n \"detectionStatus\": \"Detected\"\n },\n {\n \"entityType\": \"\ + Process\",\n \"evidenceCreationTime\": \"2023-01-24T05:45:51.6833333Z\",\n \ + \ \"sha1\": \"f1efb0fddc156e4c61c5f78a54700e4e7984d55d\",\n \"sha256\": \"b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450\"\ + ,\n \"fileName\": \"cmd.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\"\ + ,\n \"processId\": 1140,\n \"processCommandLine\": \"cmd.exe /Q /c powershell\ + \ -NoProfile -ExecutionPolicy Bypass -File \\\"C:\\\\Users\\\\administrator1\\\\\ + Desktop\\\\SharedFolder\\\\payload.ps1\\\" 1> \\\\\\\\127.0.0.1\\\\SharedFolder\\\ + \\__1674538878.1586335 2>&1\",\n \"processCreationTime\": \"2023-01-24T05:43:49.9375398Z\"\ + ,\n \"parentProcessId\": 4476,\n 
\"parentProcessCreationTime\": \"2023-01-24T05:43:32.4631151Z\"\ + ,\n \"parentProcessFileName\": \"WmiPrvSE.exe\",\n \"parentProcessFilePath\"\ + : \"C:\\\\Windows\\\\System32\\\\wbem\",\n \"ipAddress\": null,\n \"url\"\ + : null,\n \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\ + : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\ + accountName\": \"User1\",\n \"domainName\": \"DIYTESTMACHINE\",\n \"userSid\"\ + : \"S-1-5-21-4215714199-1288013905-3478400915-1002\",\n \"aadUserId\": null,\n\ + \ \"userPrincipalName\": null,\n \"detectionStatus\": \"Detected\"\n },\n\ + \ {\n \"entityType\": \"Process\",\n \"evidenceCreationTime\": \"2023-01-24T05:39:47.1733333Z\"\ + ,\n \"sha1\": \"3ea7cc066317ac45f963c2227c4c7c50aa16eb7c\",\n \"sha256\":\ + \ \"2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3\",\n \"\ + fileName\": \"WmiPrvSE.exe\",\n \"filePath\": \"C:\\\\Windows\\\\System32\\\\\ + wbem\",\n \"processId\": 7736,\n \"processCommandLine\": \"wmiprvse.exe -secured\ + \ -Embedding\",\n \"processCreationTime\": \"2023-01-24T05:36:26.0524655Z\",\n\ + \ \"parentProcessId\": 896,\n \"parentProcessCreationTime\": \"2023-01-24T04:44:17.1940386Z\"\ + ,\n \"parentProcessFileName\": \"svchost.exe\",\n \"parentProcessFilePath\"\ + : \"C:\\\\Windows\\\\System32\",\n \"ipAddress\": null,\n \"url\": null,\n\ + \ \"registryKey\": null,\n \"registryHive\": null,\n \"registryValueType\"\ + : null,\n \"registryValue\": null,\n \"registryValueName\": null,\n \"\ + accountName\": \"NETWORK SERVICE\",\n \"domainName\": \"NT AUTHORITY\",\n \ + \ \"userSid\": \"S-1-5-20\",\n \"aadUserId\": null,\n \"userPrincipalName\"\ + : null,\n \"detectionStatus\": \"Detected\"\n }\n],\n\"domains\": []\n}"