diff --git a/x-pack/plugin/eql/build.gradle b/x-pack/plugin/eql/build.gradle index 65ec91f6ca83a..e56d21e87cf35 100644 --- a/x-pack/plugin/eql/build.gradle +++ b/x-pack/plugin/eql/build.gradle @@ -17,6 +17,23 @@ ext { archivesBaseName = 'x-pack-eql' +test { + testLogging.showStandardStreams = true +} + +// All integration tests live in qa modules +integTest.enabled = false + +// Instead we create a separate task to run the tests based on ESIntegTestCase +task internalClusterTest(type: Test) { + testLogging.showStandardStreams = true + mustRunAfter test + include '**/*IT.class' + systemProperty 'es.set.netty.runtime.available.processors', 'false' +} + +check.dependsOn internalClusterTest + dependencies { compileOnly project(path: xpackModule('core'), configuration: 'default') compileOnly(project(':modules:lang-painless')) { @@ -33,19 +50,6 @@ dependencies { testCompile project(path: ':modules:analysis-common', configuration: 'runtime') } -integTest.enabled = false -testingConventions.enabled = false - -// Instead we create a separate task to run the tests based on ESIntegTestCase -task internalClusterTest(type: Test) { - description = '🌈🌈🌈🦄 Welcome to fantasy integration tests land! 🦄🌈🌈🌈' - mustRunAfter test - - include '**/*IT.class' - systemProperty 'es.set.netty.runtime.available.processors', 'false' -} - -check.dependsOn internalClusterTest /**************************************************************** * Enable QA/rest integration tests for snapshot builds only * diff --git a/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml b/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml index fc7d93697ee15..a6f4dac4e5c0e 100644 --- a/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml +++ b/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml @@ -23,5 +23,5 @@ setup: - match: {timed_out: false} - match: {took: 0} - - match: {hits.total.value: 0} + - match: {hits.total.value: 1} diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java new file mode 100644 index 0000000000000..2e808501ae9f8 --- /dev/null +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java @@ -0,0 +1,58 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql.action; + +import org.elasticsearch.action.ActionRequestBuilder; +import org.elasticsearch.client.ElasticsearchClient; +import org.elasticsearch.index.query.QueryBuilder; + +public class EqlSearchRequestBuilder extends ActionRequestBuilder { + public EqlSearchRequestBuilder(ElasticsearchClient client, EqlSearchAction action) { + super(client, action, new EqlSearchRequest()); + } + + public EqlSearchRequestBuilder indices(String... indices) { + request.indices(indices); + return this; + } + + public EqlSearchRequestBuilder query(QueryBuilder query) { + request.query(query); + return this; + } + + public EqlSearchRequestBuilder timestampField(String timestampField) { + request.timestampField(timestampField); + return this; + } + + public EqlSearchRequestBuilder eventTypeField(String eventTypeField) { + request.eventTypeField(eventTypeField); + return this; + } + + public EqlSearchRequestBuilder implicitJoinKeyField(String implicitJoinKeyField) { + request.implicitJoinKeyField(implicitJoinKeyField); + return this; + } + + public EqlSearchRequestBuilder fetchSize(int size) { + request.fetchSize(size); + return this; + } + + public EqlSearchRequestBuilder searchAfter(Object[] values) { + request.searchAfter(values); + return this; + } + + public EqlSearchRequestBuilder rule(String rule) { + request.rule(rule); + return this; + } + +} diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java index f06d01f6a3c67..a0be93631b29e 100644 --- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java @@ -483,5 +483,21 @@ public boolean equals(Object o) { public int hashCode() { return Objects.hash(events, sequences, counts, totalHits); } + + public List events() { + return this.events; + } + + public List sequences() { + return this.sequences; + } + + public List counts() { + return this.counts; + } + + public TotalHits totalHits() { + return this.totalHits; + } } } diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java index 37574579fac00..f64134b94456c 100644 --- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java @@ -21,6 +21,7 @@ import org.elasticsearch.common.xcontent.NamedXContentRegistry; import org.elasticsearch.env.Environment; import org.elasticsearch.env.NodeEnvironment; +import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.plugins.ActionPlugin; import org.elasticsearch.plugins.Plugin; import org.elasticsearch.rest.RestController; @@ -28,6 +29,7 @@ import org.elasticsearch.script.ScriptService; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.watcher.ResourceWatcherService; +import org.elasticsearch.xpack.core.XPackPlugin; import org.elasticsearch.xpack.core.action.XPackInfoFeatureAction; import org.elasticsearch.xpack.core.action.XPackUsageFeatureAction; import org.elasticsearch.xpack.eql.EqlInfoTransportAction; @@ -39,12 +41,13 @@ import java.util.Arrays; import java.util.Collection; -import java.util.Collections; import java.util.List; import java.util.function.Supplier; public class EqlPlugin extends Plugin implements ActionPlugin { + private final boolean enabled; + private static final boolean EQL_FEATURE_FLAG_REGISTERED; static { @@ -69,6 +72,10 @@ public class EqlPlugin extends Plugin implements ActionPlugin { Setting.Property.NodeScope ); + public EqlPlugin(final Settings settings) { + this.enabled = EQL_ENABLED_SETTING.get(settings); + } + @Override public Collection createComponents(Client client, ClusterService clusterService, ThreadPool threadPool, ResourceWatcherService resourceWatcherService, ScriptService scriptService, NamedXContentRegistry xContentRegistry, @@ -83,17 +90,6 @@ private Collection createComponents(Client client, String clusterName, N return Arrays.asList(planExecutor); } - - @Override - public List> getActions() { - return Arrays.asList( - new ActionHandler<>(EqlSearchAction.INSTANCE, TransportEqlSearchAction.class), - new ActionHandler<>(EqlStatsAction.INSTANCE, TransportEqlStatsAction.class), - new ActionHandler<>(XPackUsageFeatureAction.EQL, EqlUsageTransportAction.class), - new ActionHandler<>(XPackInfoFeatureAction.EQL, EqlInfoTransportAction.class) - ); - } - /** * The settings defined by EQL plugin. * @@ -103,9 +99,21 @@ private Collection createComponents(Client client, String clusterName, N public List> getSettings() { if (isSnapshot() || EQL_FEATURE_FLAG_REGISTERED) { return List.of(EQL_ENABLED_SETTING); - } else { - return List.of(); } + return List.of(); + } + + @Override + public List> getActions() { + if (enabled) { + return List.of( + new ActionHandler<>(EqlSearchAction.INSTANCE, TransportEqlSearchAction.class), + new ActionHandler<>(EqlStatsAction.INSTANCE, TransportEqlStatsAction.class), + new ActionHandler<>(XPackUsageFeatureAction.EQL, EqlUsageTransportAction.class), + new ActionHandler<>(XPackInfoFeatureAction.EQL, EqlInfoTransportAction.class) + ); + } + return List.of(); } boolean isSnapshot() { @@ -126,9 +134,12 @@ public List getRestHandlers(Settings settings, IndexNameExpressionResolver indexNameExpressionResolver, Supplier nodesInCluster) { - if (isEnabled(settings) == false) { - return Collections.emptyList(); + if (enabled) { + return List.of(new RestEqlSearchAction(), new RestEqlStatsAction()); } - return Arrays.asList(new RestEqlSearchAction(), new RestEqlStatsAction()); + return List.of(); } + + // overridable by tests + protected XPackLicenseState getLicenseState() { return XPackPlugin.getSharedLicenseState(); } } diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java index 32f72540d0ea1..13e8fc89b9ec4 100644 --- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java @@ -31,7 +31,6 @@ import java.time.ZoneId; import java.util.Arrays; -import java.util.Collections; import java.util.List; public class TransportEqlSearchAction extends HandledTransportAction { @@ -63,12 +62,12 @@ public static void operation(PlanExecutor planExecutor, EqlSearchRequest request TimeValue timeout = TimeValue.timeValueSeconds(30); boolean includeFrozen = request.indicesOptions().ignoreThrottled() == false; String clientId = null; - + ParserParams params = new ParserParams() .fieldEventType(request.eventTypeField()) .fieldTimestamp(request.timestampField()) .implicitJoinKey(request.implicitJoinKeyField()); - + Configuration cfg = new Configuration(request.indices(), zoneId, username, clusterName, filter, timeout, includeFrozen, clientId); //planExecutor.eql(cfg, request.rule(), params, wrap(r -> listener.onResponse(createResponse(r)), listener::onFailure)); listener.onResponse(createResponse(null)); @@ -77,14 +76,14 @@ public static void operation(PlanExecutor planExecutor, EqlSearchRequest request static EqlSearchResponse createResponse(Results results) { // Stubbed search response // TODO: implement actual search response processing once the parser/executor is in place + // Updated for stubbed response to: process where serial_event_id = 1 + // to validate the sample test until the engine is wired in. List events = Arrays.asList( - new SearchHit(1, "111", null), - new SearchHit(2, "222", null) + new SearchHit(1, "111", null) ); - EqlSearchResponse.Hits hits = new EqlSearchResponse.Hits(null, Arrays.asList( - new EqlSearchResponse.Sequence(Collections.singletonList("4021"), events), - new EqlSearchResponse.Sequence(Collections.singletonList("2343"), events) - ), null, new TotalHits(0, TotalHits.Relation.EQUAL_TO)); + EqlSearchResponse.Hits hits = new EqlSearchResponse.Hits(events, null, + null, new TotalHits(1, TotalHits.Relation.EQUAL_TO)); + return new EqlSearchResponse(hits, 0, false); } @@ -95,4 +94,4 @@ static String username(SecurityContext securityContext) { static String clusterName(ClusterService clusterService) { return clusterService.getClusterName().value(); } -} \ No newline at end of file +} diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java index dba73070690db..c414e04b6dd8f 100644 --- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java @@ -6,8 +6,10 @@ package org.elasticsearch.xpack.eql; +import org.elasticsearch.common.collect.Tuple; import org.elasticsearch.common.unit.TimeValue; import org.elasticsearch.xpack.eql.session.Configuration; +import org.elasticsearch.xpack.ql.util.StringUtils; import static org.elasticsearch.test.ESTestCase.randomAlphaOfLength; import static org.elasticsearch.test.ESTestCase.randomBoolean; @@ -31,4 +33,17 @@ public static Configuration randomConfiguration() { randomBoolean(), randomAlphaOfLength(16)); } + + public static Tuple pathAndName(String string) { + String folder = StringUtils.EMPTY; + String file = string; + int lastIndexOf = string.lastIndexOf("/"); + if (lastIndexOf > 0) { + folder = string.substring(0, lastIndexOf - 1); + if (lastIndexOf + 1 < string.length()) { + file = string.substring(lastIndexOf + 1); + } + } + return new Tuple<>(folder, file); + } } diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/AbstractEqlIntegTestCase.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/AbstractEqlIntegTestCase.java new file mode 100644 index 0000000000000..a7f1cf5099766 --- /dev/null +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/AbstractEqlIntegTestCase.java @@ -0,0 +1,41 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ +package org.elasticsearch.xpack.eql.action; + +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.license.LicenseService; +import org.elasticsearch.plugins.Plugin; +import org.elasticsearch.test.ESIntegTestCase; +import org.elasticsearch.xpack.core.XPackSettings; +import org.elasticsearch.xpack.eql.plugin.EqlPlugin; + +import java.util.Collection; +import java.util.Collections; + +import static org.elasticsearch.test.ESIntegTestCase.Scope.SUITE; + +@ESIntegTestCase.ClusterScope(scope = SUITE, numDataNodes = 0, numClientNodes = 0, maxNumDataNodes = 0) +public abstract class AbstractEqlIntegTestCase extends ESIntegTestCase { + + @Override + protected Settings nodeSettings(int nodeOrdinal) { + Settings.Builder settings = Settings.builder().put(super.nodeSettings(nodeOrdinal)); + settings.put(XPackSettings.SECURITY_ENABLED.getKey(), false); + settings.put(XPackSettings.MONITORING_ENABLED.getKey(), false); + settings.put(XPackSettings.WATCHER_ENABLED.getKey(), false); + settings.put(XPackSettings.GRAPH_ENABLED.getKey(), false); + settings.put(XPackSettings.MACHINE_LEARNING_ENABLED.getKey(), false); + settings.put(EqlPlugin.EQL_ENABLED_SETTING.getKey(), true); + settings.put(LicenseService.SELF_GENERATED_LICENSE_TYPE.getKey(), "trial"); + return settings.build(); + } + + @Override + protected Collection> nodePlugins() { + return Collections.singletonList(LocalStateEqlXPackPlugin.class); + } +} + diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java new file mode 100644 index 0000000000000..b8ba347c22b65 --- /dev/null +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java @@ -0,0 +1,95 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql.action; + +import org.elasticsearch.Build; +import org.elasticsearch.action.bulk.BulkRequestBuilder; +import org.elasticsearch.action.bulk.BulkResponse; +import org.elasticsearch.action.index.IndexRequest; +import org.elasticsearch.action.support.WriteRequest; +import org.elasticsearch.common.xcontent.XContentType; +import org.elasticsearch.search.SearchHit; +import org.junit.BeforeClass; + +import java.io.BufferedReader; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.nio.charset.StandardCharsets; +import java.util.List; + +import static org.elasticsearch.test.StreamsUtils.copyToStringFromClasspath; +import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked; +import static org.hamcrest.Matchers.equalTo; + +public class EqlActionIT extends AbstractEqlIntegTestCase { + + @BeforeClass + public static void checkForSnapshot() { + assumeTrue("Only works on snapshot builds for now", Build.CURRENT.isSnapshot()); + } + + public void testEqlSearchAction() throws Exception { + final String indexPrefix = "endgame"; + final String testIndexName = indexPrefix + "-1.4.0"; + final String testIndexPattern = indexPrefix + "-*"; + + String endgame = copyToStringFromClasspath("/endgame.json"); + endgame = endgame.replace("[index_pattern_placeholder]", testIndexPattern); + + assertAcked(client().admin().indices().preparePutTemplate(testIndexName) + .setSource(endgame.getBytes(StandardCharsets.UTF_8), XContentType.JSON).get()); + + // Insert test data + InputStream is = EqlActionIT.class.getResourceAsStream("/endgame.dat"); + BulkRequestBuilder bulkBuilder = client().prepareBulk(); + try (BufferedReader reader = new BufferedReader( + new InputStreamReader(is, StandardCharsets.UTF_8))) { + + String line; + while ((line = reader.readLine()) != null) { + bulkBuilder.add(new IndexRequest(testIndexName).source(line.trim(), XContentType.JSON)); + } + BulkResponse response = bulkBuilder.setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).get(); + assertThat(response.hasFailures() ? response.buildFailureMessage() : "", response.hasFailures(), equalTo(false)); + } + + ensureYellow(testIndexName); + + // Load EQL validation specs + List specs = EqlSpecLoader.load("/test_queries.toml", true); + List unsupportedSpecs = EqlSpecLoader.load("/test_queries_unsupported.toml", false); + + // Validate only currently supported specs + for (EqlSpec spec : specs) { + boolean supported = true; + // Check if spec is supported, simple iteration, cause the list is short. + for (EqlSpec unSpec: unsupportedSpecs) { + if (spec.query.equals(unSpec.query)) { + supported = false; + break; + } + } + + if (supported) { + logger.info("execute: " + spec.query); + EqlSearchResponse response = new EqlSearchRequestBuilder(client(), EqlSearchAction.INSTANCE) + .indices(testIndexName).rule(spec.query).get(); + + List events = response.hits().events(); + assertNotNull(events); + + final int len = events.size(); + final int ids[] = new int[len]; + for (int i = 0; i < events.size(); i++) { + ids[i] = events.get(i).docId(); + } + final String msg = "unexpected result for spec: [" + spec.toString() + "]"; + assertArrayEquals(msg, spec.expectedEventIds, ids); + } + } + } +} diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java new file mode 100644 index 0000000000000..3eb3c89a09f9a --- /dev/null +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java @@ -0,0 +1,46 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql.action; + +import org.elasticsearch.common.Strings; + +import java.util.Arrays; + +public class EqlSpec { + String description; + String note; + String []tags; + String query; + int []expectedEventIds; + + @Override + public String toString() { + String str = ""; + str = appendWithComma(str, "query", query); + str = appendWithComma(str, "description", description); + str = appendWithComma(str, "note", note); + + if (tags != null) { + str = appendWithComma(str, "tags", Arrays.toString(tags)); + } + + if (expectedEventIds != null) { + str = appendWithComma(str, "expected_event_ids", Arrays.toString(expectedEventIds)); + } + return str; + } + + private static String appendWithComma(String str, String name, String append) { + if (!Strings.isNullOrEmpty(append)) { + if (!Strings.isNullOrEmpty(str)) { + str += ", "; + } + str += name + ": " + append; + } + return str; + } +} diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java new file mode 100644 index 0000000000000..c0157962b8a4e --- /dev/null +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java @@ -0,0 +1,179 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql.action; + +import io.netty.util.internal.StringUtil; + +import java.io.BufferedReader; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.nio.charset.StandardCharsets; +import java.util.ArrayList; +import java.util.LinkedHashMap; +import java.util.List; +import java.util.Map; + +public class EqlSpecLoader { + public static List load(String path, boolean supported) throws Exception { + try (InputStream is = EqlSpecLoader.class.getResourceAsStream(path)) { + return readFromStream(is, supported); + } + } + + private static int[] readExpectedEventIds(String line, BufferedReader reader) throws Exception { + String arr[] = readArray(line); + int ids[] = new int[arr.length]; + + for (int i = 0; i < arr.length; i++) { + ids[i] = Integer.parseInt(arr[i]); + } + return ids; + } + + private static String[] readTags(String line) throws Exception { + String arr[] = readArray(line); + for (int i = 0; i < arr.length; i++) { + String s = arr[i]; + if (s.startsWith("\"") || s.startsWith("'")) { + s = s.substring(1); + } + if (s.endsWith("\"") || s.endsWith("'")) { + s = s.substring(0, s.length()-1); + } + arr[i] = s.trim(); + } + return arr; + } + + private static String readValueLine(String line) throws Exception { + int idx = line.indexOf("="); + if (idx == -1) { + throw new IllegalArgumentException("Invalid string value: " + line); + } + return line.substring(idx+1).trim(); + } + + private static String[] readArray(String line) throws Exception { + line = readValueLine(line); + if (!line.startsWith("[") && !line.endsWith("]")) { + throw new IllegalArgumentException("Invalid array string value: " + line); + } + String arr[] = line.substring(1, line.length()-1).split(","); + + ArrayList res = new ArrayList<>(); + for (String s : arr) { + s = s.trim(); + if (!s.isEmpty()) { + res.add(s); + } + } + + return res.toArray(new String[res.size()]); + } + + private static String readString(String line, BufferedReader reader) throws Exception { + line = readValueLine(line); + String delim = ""; + if (line.startsWith("\"") || line.startsWith("'")) { + delim = line.substring(0, 1); + if (line.startsWith("\"\"\"") || line.startsWith("'''")) { + delim = line.substring(0, 3); + } + } + + if (StringUtil.isNullOrEmpty(delim)) { + throw new IllegalArgumentException("Invalid string format, should start with ' or \" at least: " + line); + } + + // Trim start delimiter + if (line.startsWith(delim)) { + line = line.substring(delim.length()); + } + + // Read multiline string + if (!line.endsWith(delim)) { + String s; + while ((s = reader.readLine()) != null) { + line += " " + s.trim(); + if (line.endsWith(delim)) { + break; + } + } + } + + // Trim end delimiter + if (line.endsWith(delim)) { + line = line.substring(0, line.length()-delim.length()); + } + + return line.trim(); + } + + private static void validateAndAddSpec(List specs, EqlSpec spec, boolean supported) throws Exception { + if (StringUtil.isNullOrEmpty(spec.query)) { + throw new IllegalArgumentException("Read a test without a query value"); + } + + if (supported && spec.expectedEventIds == null) { + throw new IllegalArgumentException("Read a test without a expected_event_ids value"); + } + + specs.add(spec); + } + + // Simple .toml spec parsing of the original EQL spec + // to avoid adding dependency on any actual toml library for now. + private static List readFromStream(InputStream is, boolean supported) throws Exception { + Map testNames = new LinkedHashMap<>(); + List testSpecs = new ArrayList<>(); + + EqlSpec spec = null; + try (BufferedReader reader = new BufferedReader( + new InputStreamReader(is, StandardCharsets.UTF_8))) { + + String line; + while ((line = reader.readLine()) != null) { + line = line.trim(); + // Ignore empty lines and comments + if (line.isEmpty() || line.startsWith("#")) { + continue; + } + if (line.startsWith("[[queries]]")) { + if (spec != null) { + validateAndAddSpec(testSpecs, spec, supported); + spec = null; + } + spec = new EqlSpec(); + continue; + } + if (line.startsWith("query")) { + spec.query = readString(line, reader); + } + + if (line.startsWith("expected_event_ids")) { + spec.expectedEventIds = readExpectedEventIds(line, reader); + } + + if (line.startsWith("tags")) { + spec.tags = readTags(line); + } + if (line.startsWith("note")) { + spec.note = readString(line, reader); + } + if (line.startsWith("description")) { + spec.description = readString(line, reader); + } + } + // Append the last spec + if (spec != null) { + validateAndAddSpec(testSpecs, spec, supported); + } + } + + return testSpecs; + } +} diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/LocalStateEqlXPackPlugin.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/LocalStateEqlXPackPlugin.java new file mode 100644 index 0000000000000..7a6cd355a6ffa --- /dev/null +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/LocalStateEqlXPackPlugin.java @@ -0,0 +1,28 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql.action; + +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.license.XPackLicenseState; +import org.elasticsearch.xpack.core.LocalStateCompositeXPackPlugin; +import org.elasticsearch.xpack.eql.plugin.EqlPlugin; + +import java.nio.file.Path; + +public class LocalStateEqlXPackPlugin extends LocalStateCompositeXPackPlugin { + + public LocalStateEqlXPackPlugin(final Settings settings, final Path configPath) throws Exception { + super(settings, configPath); + LocalStateEqlXPackPlugin thisVar = this; + plugins.add(new EqlPlugin(settings) { + @Override + protected XPackLicenseState getLicenseState() { + return thisVar.getLicenseState(); + } + }); + } +} diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/plugin/EqlPluginTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/plugin/EqlPluginTests.java index 02c429a339665..03f14247d77f1 100644 --- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/plugin/EqlPluginTests.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/plugin/EqlPluginTests.java @@ -6,6 +6,7 @@ package org.elasticsearch.xpack.eql.plugin; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.test.ESTestCase; import static org.hamcrest.Matchers.hasItem; @@ -13,7 +14,7 @@ public class EqlPluginTests extends ESTestCase { public void testEnabledSettingRegisteredInSnapshotBuilds() { - final EqlPlugin plugin = new EqlPlugin() { + final EqlPlugin plugin = new EqlPlugin(Settings.EMPTY) { @Override protected boolean isSnapshot() { @@ -25,7 +26,7 @@ protected boolean isSnapshot() { } public void testEnabledSettingNotRegisteredInNonSnapshotBuilds() { - final EqlPlugin plugin = new EqlPlugin() { + final EqlPlugin plugin = new EqlPlugin(Settings.EMPTY) { @Override protected boolean isSnapshot() { diff --git a/x-pack/plugin/eql/src/test/resources/endgame.dat b/x-pack/plugin/eql/src/test/resources/endgame.dat new file mode 100644 index 0000000000000..66c9725505990 --- /dev/null +++ b/x-pack/plugin/eql/src/test/resources/endgame.dat @@ -0,0 +1,102 @@ +{"user":{"group":{}},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":0,"process":{"thread":{},"parent":{},"hash":{},"name":"System Idle Process"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":1,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":116444736000000000,"process_name":"System Idle Process","unique_pid":1,"xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126051000,"process":{"thread":{},"parent":{"name":"System Idle Process"},"hash":{},"pid":4,"name":"System"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":2,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996510000000,"pid":4,"process_name":"System","unique_pid":2,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","unique_ppid":1,"parent_process_name":"System Idle Process","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126051000,"process":{"thread":{},"parent":{"pid":4,"name":"System"},"hash":{"md5":"63d3c30b497347495b8ea78a38188969"},"pid":284,"ppid":4,"name":"smss.exe","executable":"C:\\Windows\\System32\\smss.exe","args":["\\SystemRoot\\System32\\smss.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":3,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996510000000,"pid":284,"process_path":"C:\\Windows\\System32\\smss.exe","process_name":"smss.exe","unique_pid":3,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":4,"unique_ppid":2,"command_line":"\\SystemRoot\\System32\\smss.exe","parent_process_name":"System","md5":"63d3c30b497347495b8ea78a38188969","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126051000,"process":{"thread":{},"parent":{"pid":364},"hash":{"md5":"60c2862b4bf0fd9f582ef344c2b1ec72"},"pid":372,"ppid":364,"name":"csrss.exe","executable":"C:\\Windows\\System32\\csrss.exe","args":["%SystemRoot%\\system32\\csrss.exe","ObjectDirectory=\\Windows","SharedSection=1024,20480,768","Windows=On","SubSystemType=Windows","ServerDll=basesrv,1","ServerDll=winsrv:UserServerDllInitialization,3","ServerDll=winsrv:ConServerDllInitialization,2","ServerDll=sxssrv,4","ProfileControl=Off","MaxRequestThreads=16"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":4,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996510000000,"pid":372,"process_path":"C:\\Windows\\System32\\csrss.exe","process_name":"csrss.exe","unique_pid":4,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":364,"command_line":"%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16","md5":"60c2862b4bf0fd9f582ef344c2b1ec72","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126051000,"process":{"thread":{},"parent":{"pid":364},"hash":{"md5":"94355c28c1970635a31b3fe52eb7ceba"},"pid":424,"ppid":364,"name":"wininit.exe","executable":"C:\\Windows\\System32\\wininit.exe","args":["wininit.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":5,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996510000000,"pid":424,"process_path":"C:\\Windows\\System32\\wininit.exe","process_name":"wininit.exe","unique_pid":5,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":364,"command_line":"wininit.exe","md5":"94355c28c1970635a31b3fe52eb7ceba","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126051000,"process":{"thread":{},"parent":{"pid":416},"hash":{"md5":"60c2862b4bf0fd9f582ef344c2b1ec72"},"pid":436,"ppid":416,"name":"csrss.exe","executable":"C:\\Windows\\System32\\csrss.exe","args":["%SystemRoot%\\system32\\csrss.exe","ObjectDirectory=\\Windows","SharedSection=1024,20480,768","Windows=On","SubSystemType=Windows","ServerDll=basesrv,1","ServerDll=winsrv:UserServerDllInitialization,3","ServerDll=winsrv:ConServerDllInitialization,2","ServerDll=sxssrv,4","ProfileControl=Off","MaxRequestThreads=16"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":6,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996510000000,"pid":436,"process_path":"C:\\Windows\\System32\\csrss.exe","process_name":"csrss.exe","unique_pid":6,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":416,"command_line":"%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16","md5":"60c2862b4bf0fd9f582ef344c2b1ec72","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126051000,"process":{"thread":{},"parent":{"pid":416},"hash":{"md5":"1151b1baa6f350b1db6598e0fea7c457"},"pid":472,"ppid":416,"name":"winlogon.exe","executable":"C:\\Windows\\System32\\winlogon.exe","args":["winlogon.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":7,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996510000000,"pid":472,"process_path":"C:\\Windows\\System32\\winlogon.exe","process_name":"winlogon.exe","unique_pid":7,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":416,"command_line":"winlogon.exe","md5":"1151b1baa6f350b1db6598e0fea7c457","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":424,"name":"wininit.exe","executable":"C:\\Windows\\System32\\wininit.exe"},"hash":{"md5":"24acb7e5be595468e3b9aa488b9b4fcb"},"pid":524,"ppid":424,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe","args":["C:\\Windows\\system32\\services.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":8,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":524,"process_path":"C:\\Windows\\System32\\services.exe","process_name":"services.exe","unique_pid":8,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":424,"unique_ppid":5,"command_line":"C:\\Windows\\system32\\services.exe","parent_process_name":"wininit.exe","parent_process_path":"C:\\Windows\\System32\\wininit.exe","md5":"24acb7e5be595468e3b9aa488b9b4fcb","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":424,"name":"wininit.exe","executable":"C:\\Windows\\System32\\wininit.exe"},"hash":{"md5":"7554a1b82b4a222fd4cc292abd38a558"},"pid":536,"ppid":424,"name":"lsass.exe","executable":"C:\\Windows\\System32\\lsass.exe","args":["C:\\Windows\\system32\\lsass.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":9,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":536,"process_path":"C:\\Windows\\System32\\lsass.exe","process_name":"lsass.exe","unique_pid":9,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":424,"unique_ppid":5,"command_line":"C:\\Windows\\system32\\lsass.exe","parent_process_name":"wininit.exe","parent_process_path":"C:\\Windows\\System32\\wininit.exe","md5":"7554a1b82b4a222fd4cc292abd38a558","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":424,"name":"wininit.exe","executable":"C:\\Windows\\System32\\wininit.exe"},"hash":{"md5":"9662ee182644511439f1c53745dc1c88"},"pid":544,"ppid":424,"name":"lsm.exe","executable":"C:\\Windows\\System32\\lsm.exe","args":["C:\\Windows\\system32\\lsm.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":10,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":544,"process_path":"C:\\Windows\\System32\\lsm.exe","process_name":"lsm.exe","unique_pid":10,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":424,"unique_ppid":5,"command_line":"C:\\Windows\\system32\\lsm.exe","parent_process_name":"wininit.exe","parent_process_path":"C:\\Windows\\System32\\wininit.exe","md5":"9662ee182644511439f1c53745dc1c88","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":648,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","DcomLaunch"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":11,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":648,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":11,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"3c4d41c4f8cdd2ca945e91a61e6cfbaf"},"pid":708,"ppid":524,"name":"vmacthlp.exe","executable":"C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe","args":["C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":12,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":708,"process_path":"C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe","process_name":"vmacthlp.exe","unique_pid":12,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"\"C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe\"","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"3c4d41c4f8cdd2ca945e91a61e6cfbaf","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"NETWORK SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":752,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","RPCSS"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":13,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":752,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":13,"user_name":"NETWORK SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k RPCSS","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":472,"name":"winlogon.exe","executable":"C:\\Windows\\System32\\winlogon.exe"},"hash":{"md5":"715f03b4c7223349768013ea95d9e5b7"},"pid":828,"ppid":472,"name":"LogonUI.exe","executable":"C:\\Windows\\System32\\LogonUI.exe","args":["LogonUI.exe","/flags:0x0"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":14,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":828,"process_path":"C:\\Windows\\System32\\LogonUI.exe","process_name":"LogonUI.exe","unique_pid":14,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":472,"unique_ppid":7,"command_line":"\"LogonUI.exe\" /flags:0x0","parent_process_name":"winlogon.exe","parent_process_path":"C:\\Windows\\System32\\winlogon.exe","md5":"715f03b4c7223349768013ea95d9e5b7","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"LOCAL SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":848,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\System32\\svchost.exe","-k","LocalServiceNetworkRestricted"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":15,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":848,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":15,"user_name":"LOCAL SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":896,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\System32\\svchost.exe","-k","LocalSystemNetworkRestricted"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":16,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":924,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","netsvcs"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":17,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":924,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":17,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k netsvcs","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"LOCAL SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126053000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":264,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","LocalService"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":18,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996530000000,"pid":264,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":18,"user_name":"LOCAL SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k LocalService","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"NETWORK SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126053000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":968,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","NetworkService"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":19,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996530000000,"pid":968,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":19,"user_name":"NETWORK SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k NetworkService","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126053000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"b96c17b5dc1424d56eea3a99e97428cd"},"pid":1108,"ppid":524,"name":"spoolsv.exe","executable":"C:\\Windows\\System32\\spoolsv.exe","args":["C:\\Windows\\System32\\spoolsv.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":20,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996530000000,"pid":1108,"process_path":"C:\\Windows\\System32\\spoolsv.exe","process_name":"spoolsv.exe","unique_pid":20,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\System32\\spoolsv.exe","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"b96c17b5dc1424d56eea3a99e97428cd","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"LOCAL SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126053000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":1136,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","LocalServiceNoNetwork"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":21,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996530000000,"pid":1136,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":21,"user_name":"LOCAL SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126053000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"ccd745aa6425c7637a34ff12ed8a1c18"},"pid":1320,"ppid":524,"name":"VGAuthService.exe","executable":"C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe","args":["C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":22,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996530000000,"pid":1320,"process_path":"C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe","process_name":"VGAuthService.exe","unique_pid":22,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"\"C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe\"","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"ccd745aa6425c7637a34ff12ed8a1c18","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126053000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"404202d6f0628331aaade8c8f9ef6feb"},"pid":1344,"ppid":524,"name":"vmtoolsd.exe","executable":"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","args":["C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":23,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996530000000,"pid":1344,"process_path":"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","process_name":"vmtoolsd.exe","unique_pid":23,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\"","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"404202d6f0628331aaade8c8f9ef6feb","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126053000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"3f61b1a4fe078bb7705b508cfcbb987e"},"pid":1376,"ppid":524,"name":"ManagementAgentHost.exe","executable":"C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe","args":["C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":24,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996530000000,"pid":1376,"process_path":"C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe","process_name":"ManagementAgentHost.exe","unique_pid":24,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"\"C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe\"","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"3f61b1a4fe078bb7705b508cfcbb987e","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"NETWORK SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126054000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":1692,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","NetworkServiceNetworkRestricted"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":25,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996540000000,"pid":1692,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":25,"user_name":"NETWORK SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k NetworkServiceNetworkRestricted","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"NETWORK SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126054000,"process":{"thread":{},"parent":{"pid":648,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"8f4ecbbfe943030acfd9e892b2513ec1"},"pid":1840,"ppid":648,"name":"WmiPrvSE.exe","executable":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","args":["C:\\Windows\\system32\\wbem\\wmiprvse.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":26,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996540000000,"pid":1840,"process_path":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","process_name":"WmiPrvSE.exe","unique_pid":26,"user_name":"NETWORK SERVICE","user_domain":"NT AUTHORITY","ppid":648,"unique_ppid":11,"command_line":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"8f4ecbbfe943030acfd9e892b2513ec1","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"NETWORK SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126055000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"de0ece52236cfa3ed2dbfc03f28253a8"},"pid":960,"ppid":524,"name":"msdtc.exe","executable":"C:\\Windows\\System32\\msdtc.exe","args":["C:\\Windows\\System32\\msdtc.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":27,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996550000000,"pid":960,"process_path":"C:\\Windows\\System32\\msdtc.exe","process_name":"msdtc.exe","unique_pid":27,"user_name":"NETWORK SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\System32\\msdtc.exe","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"de0ece52236cfa3ed2dbfc03f28253a8","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126079000,"process":{"thread":{},"parent":{"pid":3040},"hash":{"md5":"60c2862b4bf0fd9f582ef344c2b1ec72"},"pid":3048,"ppid":3040,"name":"csrss.exe","executable":"C:\\Windows\\System32\\csrss.exe","args":["%SystemRoot%\\system32\\csrss.exe","ObjectDirectory=\\Windows","SharedSection=1024,20480,768","Windows=On","SubSystemType=Windows","ServerDll=basesrv,1","ServerDll=winsrv:UserServerDllInitialization,3","ServerDll=winsrv:ConServerDllInitialization,2","ServerDll=sxssrv,4","ProfileControl=Off","MaxRequestThreads=16"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":28,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996790000000,"pid":3048,"process_path":"C:\\Windows\\System32\\csrss.exe","process_name":"csrss.exe","unique_pid":28,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":3040,"command_line":"%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16","md5":"60c2862b4bf0fd9f582ef344c2b1ec72","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126079000,"process":{"thread":{},"parent":{"pid":3040},"hash":{"md5":"1151b1baa6f350b1db6598e0fea7c457"},"pid":2108,"ppid":3040,"name":"winlogon.exe","executable":"C:\\Windows\\System32\\winlogon.exe","args":["winlogon.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":29,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996790000000,"pid":2108,"process_path":"C:\\Windows\\System32\\winlogon.exe","process_name":"winlogon.exe","unique_pid":29,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":3040,"command_line":"winlogon.exe","md5":"1151b1baa6f350b1db6598e0fea7c457","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126081000,"process":{"thread":{},"parent":{"pid":968,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"25d284eb2f12254c001afe9a82575a81"},"pid":2704,"ppid":968,"name":"rdpclip.exe","executable":"C:\\Windows\\System32\\rdpclip.exe","args":["rdpclip"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":30,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996810000000,"pid":2704,"process_path":"C:\\Windows\\System32\\rdpclip.exe","process_name":"rdpclip.exe","unique_pid":30,"user_name":"vagrant","user_domain":"vagrant","ppid":968,"unique_ppid":19,"command_line":"rdpclip","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"25d284eb2f12254c001afe9a82575a81","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126081000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"517110bd83835338c037269e603db55d"},"pid":2776,"ppid":524,"name":"taskhost.exe","executable":"C:\\Windows\\System32\\taskhost.exe","args":["taskhost.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":31,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996810000000,"pid":2776,"process_path":"C:\\Windows\\System32\\taskhost.exe","process_name":"taskhost.exe","unique_pid":31,"user_name":"vagrant","user_domain":"vagrant","ppid":524,"unique_ppid":8,"command_line":"\"taskhost.exe\"","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"517110bd83835338c037269e603db55d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"NETWORK SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126081000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"e17e0188bb90fae42d83e98707efa59c"},"pid":2804,"ppid":524,"name":"sppsvc.exe","executable":"C:\\Windows\\System32\\sppsvc.exe","args":["C:\\Windows\\system32\\sppsvc.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":32,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996810000000,"pid":2804,"process_path":"C:\\Windows\\System32\\sppsvc.exe","process_name":"sppsvc.exe","unique_pid":32,"user_name":"NETWORK SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\sppsvc.exe","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"e17e0188bb90fae42d83e98707efa59c","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126115000,"process":{"thread":{},"parent":{"pid":896,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"f162d5f5e845b9dc352dd1bad8cef1bc"},"pid":2464,"ppid":896,"name":"dwm.exe","executable":"C:\\Windows\\System32\\dwm.exe","args":["C:\\Windows\\system32\\Dwm.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":33,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485997150000000,"pid":2464,"process_path":"C:\\Windows\\System32\\dwm.exe","process_name":"dwm.exe","unique_pid":33,"user_name":"vagrant","user_domain":"vagrant","ppid":896,"unique_ppid":16,"command_line":"\"C:\\Windows\\system32\\Dwm.exe\"","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"f162d5f5e845b9dc352dd1bad8cef1bc","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126115000,"process":{"thread":{},"parent":{"pid":3052},"hash":{"md5":"ac4c51eb24aa95b77f705ab159189e24"},"pid":2460,"ppid":3052,"name":"explorer.exe","executable":"C:\\Windows\\explorer.exe","args":["C:\\Windows\\Explorer.EXE"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":34,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485997150000000,"pid":2460,"process_path":"C:\\Windows\\explorer.exe","process_name":"explorer.exe","unique_pid":34,"user_name":"vagrant","user_domain":"vagrant","ppid":3052,"command_line":"C:\\Windows\\Explorer.EXE","md5":"ac4c51eb24aa95b77f705ab159189e24","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126115000,"process":{"thread":{},"parent":{"pid":2460,"name":"explorer.exe","executable":"C:\\Windows\\explorer.exe"},"hash":{"md5":"404202d6f0628331aaade8c8f9ef6feb"},"pid":2604,"ppid":2460,"name":"vmtoolsd.exe","executable":"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","args":["C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","-n","vmusr"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":35,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485997150000000,"pid":2604,"process_path":"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","process_name":"vmtoolsd.exe","unique_pid":35,"user_name":"vagrant","user_domain":"vagrant","ppid":2460,"unique_ppid":34,"command_line":"\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr","parent_process_name":"explorer.exe","parent_process_path":"C:\\Windows\\explorer.exe","md5":"404202d6f0628331aaade8c8f9ef6feb","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126121000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"ad31942bdf3d594c404874613bc2fe4d"},"pid":1620,"ppid":524,"name":"SearchIndexer.exe","executable":"C:\\Windows\\System32\\SearchIndexer.exe","args":["C:\\Windows\\system32\\SearchIndexer.exe","/Embedding"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":36,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485997210000000,"pid":1620,"process_path":"C:\\Windows\\System32\\SearchIndexer.exe","process_name":"SearchIndexer.exe","unique_pid":36,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\SearchIndexer.exe /Embedding","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"ad31942bdf3d594c404874613bc2fe4d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"LOCAL SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126175000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":3684,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","LocalServiceAndNoImpersonation"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":37,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485997750000000,"pid":3684,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":37,"user_name":"LOCAL SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126175000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":3712,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\System32\\svchost.exe","-k","secsvcs"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":38,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485997750000000,"pid":3712,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":38,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\System32\\svchost.exe -k secsvcs","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504710219000,"process":{"thread":{},"parent":{"pid":2460,"name":"explorer.exe","executable":"C:\\Windows\\explorer.exe"},"hash":{"md5":"5746bd7e255dd6a8afa06f7c42c1ba41"},"pid":2864,"ppid":2460,"name":"cmd.exe","executable":"C:\\Windows\\System32\\cmd.exe","args":["C:\\Windows\\system32\\cmd.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":39,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131491838190000000,"pid":2864,"process_path":"C:\\Windows\\System32\\cmd.exe","process_name":"cmd.exe","unique_pid":39,"user_name":"vagrant","user_domain":"vagrant","ppid":2460,"unique_ppid":34,"command_line":"\"C:\\Windows\\system32\\cmd.exe\" ","parent_process_name":"explorer.exe","parent_process_path":"C:\\Windows\\explorer.exe","md5":"5746bd7e255dd6a8afa06f7c42c1ba41","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504710219000,"process":{"thread":{},"parent":{"pid":3048,"name":"csrss.exe","executable":"C:\\Windows\\System32\\csrss.exe"},"hash":{"md5":"bd51024fb014064bc9fe8c715c18392f"},"pid":2228,"ppid":3048,"name":"conhost.exe","executable":"C:\\Windows\\System32\\conhost.exe","args":["\\??\\C:\\Windows\\system32\\conhost.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":40,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131491838190000000,"pid":2228,"process_path":"C:\\Windows\\System32\\conhost.exe","process_name":"conhost.exe","unique_pid":40,"user_name":"vagrant","user_domain":"vagrant","ppid":3048,"unique_ppid":28,"command_line":"\\??\\C:\\Windows\\system32\\conhost.exe","parent_process_name":"csrss.exe","parent_process_path":"C:\\Windows\\System32\\csrss.exe","md5":"bd51024fb014064bc9fe8c715c18392f","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504720431000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":3820,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","SDRSVC"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":41,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131491940310000000,"pid":3820,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":41,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k SDRSVC","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463013000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"773212b2aaa24c1e31f10246b15b276c"},"pid":3384,"ppid":524,"name":"TrustedInstaller.exe","executable":"C:\\Windows\\servicing\\TrustedInstaller.exe","args":["C:\\Windows\\servicing\\TrustedInstaller.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":42,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509366130000000,"pid":3384,"process_path":"C:\\Windows\\servicing\\TrustedInstaller.exe","process_name":"TrustedInstaller.exe","unique_pid":42,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\servicing\\TrustedInstaller.exe","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"773212b2aaa24c1e31f10246b15b276c","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463023000,"process":{"thread":{},"parent":{"pid":648,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"8f4ecbbfe943030acfd9e892b2513ec1"},"pid":1860,"ppid":648,"name":"WmiPrvSE.exe","executable":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","args":["C:\\Windows\\system32\\wbem\\wmiprvse.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":43,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509366230000000,"pid":1860,"process_path":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","process_name":"WmiPrvSE.exe","unique_pid":43,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":648,"unique_ppid":11,"command_line":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"8f4ecbbfe943030acfd9e892b2513ec1","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463590000,"process":{"thread":{},"parent":{"pid":924,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"65ea57712340c09b1b0c427b4848ae05"},"pid":660,"ppid":924,"name":"taskeng.exe","executable":"C:\\Windows\\System32\\taskeng.exe","args":["taskeng.exe","{6108575A-1CC2-4917-BB5D-5929CDC39B9C}"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":44,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509371900000000,"pid":660,"process_path":"C:\\Windows\\System32\\taskeng.exe","process_name":"taskeng.exe","unique_pid":44,"user_name":"vagrant","user_domain":"vagrant","ppid":924,"unique_ppid":17,"command_line":"taskeng.exe {6108575A-1CC2-4917-BB5D-5929CDC39B9C}","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"65ea57712340c09b1b0c427b4848ae05","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463637000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"a190da6546501cb4146bbcc0b6a3f48b"},"pid":760,"ppid":524,"name":"msiexec.exe","executable":"C:\\Windows\\System32\\msiexec.exe","args":["C:\\Windows\\system32\\msiexec.exe","/V"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":45,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509372370000000,"pid":760,"process_path":"C:\\Windows\\System32\\msiexec.exe","process_name":"msiexec.exe","unique_pid":45,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\msiexec.exe /V","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"a190da6546501cb4146bbcc0b6a3f48b","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463798000,"process":{"thread":{},"parent":{"pid":648,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"3e5cfefdda537ddbed9f5c6c7e926cdd"},"pid":2824,"ppid":648,"name":"wsmprovhost.exe","executable":"C:\\Windows\\System32\\wsmprovhost.exe","args":["C:\\Windows\\system32\\wsmprovhost.exe","-Embedding"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":46,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509373980000000,"pid":2824,"process_path":"C:\\Windows\\System32\\wsmprovhost.exe","process_name":"wsmprovhost.exe","unique_pid":46,"user_name":"vagrant","user_domain":"vagrant","ppid":648,"unique_ppid":11,"command_line":"C:\\Windows\\system32\\wsmprovhost.exe -Embedding","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"3e5cfefdda537ddbed9f5c6c7e926cdd","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463802000,"process":{"thread":{},"parent":{"pid":648,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"3e5cfefdda537ddbed9f5c6c7e926cdd"},"pid":3408,"ppid":648,"name":"wsmprovhost.exe","executable":"C:\\Windows\\System32\\wsmprovhost.exe","args":["C:\\Windows\\system32\\wsmprovhost.exe","-Embedding"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":47,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509374020000000,"pid":3408,"process_path":"C:\\Windows\\System32\\wsmprovhost.exe","process_name":"wsmprovhost.exe","unique_pid":47,"user_name":"vagrant","user_domain":"vagrant","ppid":648,"unique_ppid":11,"command_line":"C:\\Windows\\system32\\wsmprovhost.exe -Embedding","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"3e5cfefdda537ddbed9f5c6c7e926cdd","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463802000,"process":{"thread":{},"parent":{"pid":3408,"name":"wsmprovhost.exe","executable":"C:\\Windows\\System32\\wsmprovhost.exe"},"hash":{"md5":"21f73cd55626f0ec9fbce53eafbef128"},"pid":420,"ppid":3408,"name":"python.exe","executable":"C:\\Python27\\python.exe","args":["C:\\Python27\\python.exe","worker.py","--target","c:\\workspace\\red_ttp\\process_name_masquerade.py"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":48,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509374020000000,"pid":420,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":48,"user_name":"vagrant","user_domain":"vagrant","ppid":3408,"unique_ppid":47,"command_line":"\"C:\\Python27\\python.exe\" worker.py --target c:\\workspace\\red_ttp\\process_name_masquerade.py","parent_process_name":"wsmprovhost.exe","parent_process_path":"C:\\Windows\\System32\\wsmprovhost.exe","md5":"21f73cd55626f0ec9fbce53eafbef128","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463802000,"process":{"thread":{},"parent":{"pid":372,"name":"csrss.exe","executable":"C:\\Windows\\System32\\csrss.exe"},"hash":{"md5":"bd51024fb014064bc9fe8c715c18392f"},"pid":3080,"ppid":372,"name":"conhost.exe","executable":"C:\\Windows\\System32\\conhost.exe","args":["\\??\\C:\\Windows\\system32\\conhost.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":49,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509374020000000,"pid":3080,"process_path":"C:\\Windows\\System32\\conhost.exe","process_name":"conhost.exe","unique_pid":49,"user_name":"vagrant","user_domain":"vagrant","ppid":372,"unique_ppid":4,"command_line":"\\??\\C:\\Windows\\system32\\conhost.exe","parent_process_name":"csrss.exe","parent_process_path":"C:\\Windows\\System32\\csrss.exe","md5":"bd51024fb014064bc9fe8c715c18392f","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463810000,"process":{"thread":{},"parent":{"pid":420,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"21f73cd55626f0ec9fbce53eafbef128"},"pid":1688,"ppid":420,"name":"python.exe","executable":"C:\\Python27\\python.exe","args":["C:\\Python27\\python.exe","myappserver.py","--log-file","C:\\workspace\\dev\\myapp.out","--update-server-port","8446","--sout","C:\\workspace\\Libraries\\myapp\\myapp\\python\\myapp\\hunt_out.json"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":50,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509374100000000,"pid":1688,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":50,"user_name":"vagrant","user_domain":"vagrant","ppid":420,"unique_ppid":48,"command_line":"C:\\Python27\\python.exe myappserver.py --log-file C:\\workspace\\dev\\myapp.out --update-server-port 8446 --sout C:\\workspace\\Libraries\\myapp\\myapp\\python\\myapp\\hunt_out.json","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"21f73cd55626f0ec9fbce53eafbef128","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463810000,"process":{"thread":{},"parent":{"pid":420,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"21f73cd55626f0ec9fbce53eafbef128"},"pid":1720,"ppid":420,"name":"python.exe","executable":"C:\\Python27\\python.exe","args":["C:\\Python27\\python.exe","C:\\workspace\\dev\\Simple_Https_Server\\simple_https_server.py"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":51,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509374100000000,"pid":1720,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":51,"user_name":"vagrant","user_domain":"vagrant","ppid":420,"unique_ppid":48,"command_line":"C:\\Python27\\python.exe C:\\workspace\\dev\\Simple_Https_Server\\simple_https_server.py","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"21f73cd55626f0ec9fbce53eafbef128","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463815000,"process":{"thread":{},"parent":{"pid":648,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"6a8649f3205b311e208ac35a04e99700"},"pid":2164,"ppid":648,"name":"LauncherProcess.exe","executable":"C:\\Windows\\System32\\LauncherProcess.exe","args":["C:\\Windows\\System32\\LauncherProcess.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":52,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509374150000000,"pid":2164,"process_path":"C:\\Windows\\System32\\LauncherProcess.exe","process_name":"LauncherProcess.exe","unique_pid":52,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":648,"unique_ppid":11,"command_line":"C:\\Windows\\System32\\LauncherProcess.exe","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"6a8649f3205b311e208ac35a04e99700","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463829000,"process":{"thread":{},"parent":{"pid":420,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"5746bd7e255dd6a8afa06f7c42c1ba41"},"pid":1788,"ppid":420,"name":"cmd.exe","executable":"C:\\Windows\\System32\\cmd.exe","args":["C:\\Windows\\system32\\cmd.exe","/c","c:\\workspace\\red_ttp\\process_name_masquerade.py"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":53,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374294209140,"pid":1788,"process_path":"C:\\Windows\\System32\\cmd.exe","process_name":"cmd.exe","unique_pid":53,"user_name":"vagrant","user_domain":"vagrant","ppid":420,"unique_ppid":48,"command_line":"C:\\Windows\\system32\\cmd.exe /c \"c:\\workspace\\red_ttp\\process_name_masquerade.py\"","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"5746bd7e255dd6a8afa06f7c42c1ba41","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463829000,"process":{"thread":{},"parent":{"pid":1788,"name":"cmd.exe","executable":"C:\\Windows\\System32\\cmd.exe"},"hash":{"md5":"21f73cd55626f0ec9fbce53eafbef128"},"pid":2256,"ppid":1788,"name":"python.exe","executable":"C:\\Python27\\python.exe","args":["C:\\Python27\\python.exe","C:\\workspace\\red_ttp\\process_name_masquerade.py"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":54,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374294365140,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","ppid":1788,"unique_ppid":53,"command_line":"\"C:\\Python27\\python.exe\" \"C:\\workspace\\red_ttp\\process_name_masquerade.py\" ","parent_process_name":"cmd.exe","parent_process_path":"C:\\Windows\\System32\\cmd.exe","md5":"21f73cd55626f0ec9fbce53eafbef128","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463829000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":55,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374295457140,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463829000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":2760,"ppid":2256,"name":"svchost.exe","executable":"C:\\workspace\\red_ttp\\svchost.exe","args":["svchost.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":56,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374295613140,"pid":2760,"process_path":"C:\\workspace\\red_ttp\\svchost.exe","process_name":"svchost.exe","unique_pid":56,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"command_line":"svchost.exe","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"registry_modify_event","category":"registry","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463830000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":57,"opcode":1,"event_type_full":"registry_event","event_subtype_full":"registry_modify_event","timestamp":131509374306065200,"pid":2460,"process_path":"C:\\Windows\\explorer.exe","process_name":"explorer.exe","unique_pid":34,"user_name":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463834000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":2760,"ppid":2256,"name":"svchost.exe","executable":"C:\\workspace\\red_ttp\\svchost.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":58,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374345689460,"pid":2760,"process_path":"C:\\workspace\\red_ttp\\svchost.exe","process_name":"svchost.exe","unique_pid":56,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_delete_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463834000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":59,"opcode":2,"event_type_full":"file_event","event_subtype_full":"file_delete_event","timestamp":131509374345689460,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463834000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":60,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374345689460,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463834000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":61,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374345689460,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463834000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":3696,"ppid":2256,"name":"lsass.exe","executable":"C:\\workspace\\red_ttp\\lsass.exe","args":["lsass.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":62,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374345689460,"pid":3696,"process_path":"C:\\workspace\\red_ttp\\lsass.exe","process_name":"lsass.exe","unique_pid":62,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"command_line":"lsass.exe","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"request_event","category":"network","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463835000,"dns":{"question":{"name":"teredo.ipv6.microsoft.com.","registered_domain":"microsoft.com."}},"network":{"protocol":"dns"},"process":{"thread":{},"parent":{},"pid":924,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"source":{},"destination":{},"winlog":{"opcode":3008},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":63,"opcode":3008,"event_type_full":"dns_event","event_subtype_full":"request_event","timestamp":131509374350369490,"pid":924,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":17,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"teredo.ipv6.microsoft.com.","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463839000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":3696,"ppid":2256,"name":"lsass.exe","executable":"C:\\workspace\\red_ttp\\lsass.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":64,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374395921780,"pid":3696,"process_path":"C:\\workspace\\red_ttp\\lsass.exe","process_name":"lsass.exe","unique_pid":62,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_delete_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463839000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":65,"opcode":2,"event_type_full":"file_event","event_subtype_full":"file_delete_event","timestamp":131509374395921780,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463839000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":66,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374395921780,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463839000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":67,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374395921780,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463839000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":1832,"ppid":2256,"name":"services.exe","executable":"C:\\workspace\\red_ttp\\services.exe","args":["services.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":68,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374395921780,"pid":1832,"process_path":"C:\\workspace\\red_ttp\\services.exe","process_name":"services.exe","unique_pid":68,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"command_line":"services.exe","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463844000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":1832,"ppid":2256,"name":"services.exe","executable":"C:\\workspace\\red_ttp\\services.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":69,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374446778110,"pid":1832,"process_path":"C:\\workspace\\red_ttp\\services.exe","process_name":"services.exe","unique_pid":68,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_delete_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463844000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":70,"opcode":2,"event_type_full":"file_event","event_subtype_full":"file_delete_event","timestamp":131509374446778110,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463844000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":71,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374446778110,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463844000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":72,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374446778110,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463844000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":3948,"ppid":2256,"name":"csrss.exe","executable":"C:\\workspace\\red_ttp\\csrss.exe","args":["csrss.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":73,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374446778110,"pid":3948,"process_path":"C:\\workspace\\red_ttp\\csrss.exe","process_name":"csrss.exe","unique_pid":73,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"command_line":"csrss.exe","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463849000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":3948,"ppid":2256,"name":"csrss.exe","executable":"C:\\workspace\\red_ttp\\csrss.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":74,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374497010430,"pid":3948,"process_path":"C:\\workspace\\red_ttp\\csrss.exe","process_name":"csrss.exe","unique_pid":73,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_delete_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463849000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":75,"opcode":2,"event_type_full":"file_event","event_subtype_full":"file_delete_event","timestamp":131509374497010430,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463849000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":76,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374497010430,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463849000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":77,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374497010430,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463849000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":3720,"ppid":2256,"name":"smss.exe","executable":"C:\\workspace\\red_ttp\\smss.exe","args":["smss.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":78,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374497010430,"pid":3720,"process_path":"C:\\workspace\\red_ttp\\smss.exe","process_name":"smss.exe","unique_pid":78,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"command_line":"smss.exe","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"registry_modify_event","category":"registry","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463852000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":79,"opcode":1,"event_type_full":"registry_event","event_subtype_full":"registry_modify_event","timestamp":131509374520566580,"pid":536,"process_path":"C:\\Windows\\System32\\lsass.exe","process_name":"lsass.exe","unique_pid":9,"user_name":"SYSTEM","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463854000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":3720,"ppid":2256,"name":"smss.exe","executable":"C:\\workspace\\red_ttp\\smss.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":80,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374547086750,"pid":3720,"process_path":"C:\\workspace\\red_ttp\\smss.exe","process_name":"smss.exe","unique_pid":78,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_delete_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463854000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":81,"opcode":2,"event_type_full":"file_event","event_subtype_full":"file_delete_event","timestamp":131509374547086750,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463854000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":82,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374547086750,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463854000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":83,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374547086750,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463854000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":1680,"ppid":2256,"name":"wininit.exe","executable":"C:\\workspace\\red_ttp\\wininit.exe","args":["wininit.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":84,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374547086750,"pid":1680,"process_path":"C:\\workspace\\red_ttp\\wininit.exe","process_name":"wininit.exe","unique_pid":84,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"command_line":"wininit.exe","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463859000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":1680,"ppid":2256,"name":"wininit.exe","executable":"C:\\workspace\\red_ttp\\wininit.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":85,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374597163070,"pid":1680,"process_path":"C:\\workspace\\red_ttp\\wininit.exe","process_name":"wininit.exe","unique_pid":84,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_delete_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463859000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":86,"opcode":2,"event_type_full":"file_event","event_subtype_full":"file_delete_event","timestamp":131509374597163070,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463859000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":87,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374597163070,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463859000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":88,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374597163070,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463859000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":4080,"ppid":2256,"name":"explorer.exe","executable":"C:\\workspace\\red_ttp\\explorer.exe","args":["explorer.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":89,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374597163070,"pid":4080,"process_path":"C:\\workspace\\red_ttp\\explorer.exe","process_name":"explorer.exe","unique_pid":89,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"command_line":"explorer.exe","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463864000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":4080,"ppid":2256,"name":"explorer.exe","executable":"C:\\workspace\\red_ttp\\explorer.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":90,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374647239400,"pid":4080,"process_path":"C:\\workspace\\red_ttp\\explorer.exe","process_name":"explorer.exe","unique_pid":89,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_delete_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463864000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":91,"opcode":2,"event_type_full":"file_event","event_subtype_full":"file_delete_event","timestamp":131509374647239400,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463864000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":92,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374647239400,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463864000,"process":{"thread":{},"parent":{"pid":1788,"name":"cmd.exe","executable":"C:\\Windows\\System32\\cmd.exe"},"hash":{"md5":"21f73cd55626f0ec9fbce53eafbef128"},"pid":2256,"ppid":1788,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":93,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374647239400,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","ppid":1788,"unique_ppid":53,"exit_code":0,"parent_process_name":"cmd.exe","parent_process_path":"C:\\Windows\\System32\\cmd.exe","md5":"21f73cd55626f0ec9fbce53eafbef128","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463864000,"process":{"thread":{},"parent":{"pid":420,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"5746bd7e255dd6a8afa06f7c42c1ba41"},"pid":1788,"ppid":420,"name":"cmd.exe","executable":"C:\\Windows\\System32\\cmd.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":94,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374647239400,"pid":1788,"process_path":"C:\\Windows\\System32\\cmd.exe","process_name":"cmd.exe","unique_pid":53,"user_name":"vagrant","user_domain":"vagrant","ppid":420,"unique_ppid":48,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"5746bd7e255dd6a8afa06f7c42c1ba41","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463864000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":95,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374647239400,"pid":420,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":48,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463864000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":96,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374647239400,"pid":420,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":48,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1516116808000,"process":{"thread":{},"parent":{"pid":392,"name":"cmd.exe","executable":"C:\\Windows\\System32\\cmd.exe"},"hash":{"md5":"63dd6fbaabf881385899fd39df13dce3"},"pid":3608,"ppid":392,"name":"net.exe","executable":"C:\\Windows\\System32\\net.exe","args":["net","localgroup","administrators","findme2"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":97,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131605904083494370,"pid":3608,"process_path":"C:\\Windows\\System32\\net.exe","process_name":"net.exe","unique_pid":750058,"user_name":"vagrant","user_domain":"vagrant","ppid":392,"unique_ppid":707545,"command_line":"net localgroup administrators findme2","parent_process_name":"cmd.exe","parent_process_path":"C:\\Windows\\System32\\cmd.exe","md5":"63dd6fbaabf881385899fd39df13dce3","authentication_id":854482244,"original_file_name":"NET.exe","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1516116808000,"process":{"thread":{},"parent":{"pid":3608,"name":"net.exe","executable":"C:\\Windows\\System32\\net.exe"},"hash":{"md5":"3b6928bc39e5530cead1e99269e7b1ee"},"pid":1348,"ppid":3608,"name":"net1.exe","executable":"C:\\Windows\\System32\\net1.exe","args":["C:\\Windows\\system32\\net1","localgroup","administrators","findme2"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":98,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131605904083806370,"pid":1348,"process_path":"C:\\Windows\\System32\\net1.exe","process_name":"net1.exe","unique_pid":750059,"user_name":"vagrant","user_domain":"vagrant","ppid":3608,"unique_ppid":750058,"command_line":"C:\\Windows\\system32\\net1 localgroup administrators findme2","parent_process_name":"net.exe","parent_process_path":"C:\\Windows\\System32\\net.exe","md5":"3b6928bc39e5530cead1e99269e7b1ee","authentication_id":854482244,"original_file_name":"net1.exe","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1531764548000,"process":{"thread":{},"parent":{"pid":1196,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"4b736b85e5de65e572f28a91e31b99bf"},"pid":860,"ppid":1196,"name":"MSBuild.exe","executable":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","args":["C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe","tmp-file.csproj"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":75273,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131762381484502110,"pid":860,"process_path":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","process_name":"MSBuild.exe","unique_pid":75273,"user_name":"vagrant","user_domain":"vagrant","ppid":1196,"unique_ppid":75248,"command_line":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe tmp-file.csproj","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"4b736b85e5de65e572f28a91e31b99bf","authentication_id":13728872,"original_file_name":"MSBuild.exe","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1531764549000,"process":{"thread":{},"parent":{"pid":1196,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"4b736b85e5de65e572f28a91e31b99bf"},"pid":860,"ppid":1196,"name":"MSBuild.exe","executable":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":75303,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131762381493483680,"pid":860,"process_path":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","process_name":"MSBuild.exe","unique_pid":75273,"user_name":"vagrant","user_domain":"vagrant","ppid":1196,"unique_ppid":75248,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"4b736b85e5de65e572f28a91e31b99bf","original_file_name":"MSBuild.exe","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"ipv4_connection_attempt_event","category":"network","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1531764549000,"network":{"community_id":"1:s6xjF74V/BrREHI7j91ddQ0zcY8=","transport":"tcp"},"process":{"thread":{},"parent":{},"pid":860,"name":"MSBuild.exe","executable":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"},"source":{"address":"10.6.48.157","ip":"10.6.48.157","port":52178},"destination":{"address":"10.6.48.157","port":8000,"ip":"10.6.48.157"},"winlog":{"opcode":12},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":75304,"opcode":12,"event_type_full":"network_event","event_subtype_full":"ipv4_connection_attempt_event","timestamp":131762381493039760,"pid":860,"process_path":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","process_name":"MSBuild.exe","unique_pid":75273,"user_name":"vagrant","user_domain":"vagrant","protocol":"tcp","destination_address":"10.6.48.157","destination_port":8000,"source_port":52178,"source_address":"10.6.48.157","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"ipv4_connection_attempt_event","category":"network","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1531764549000,"network":{"community_id":"1:s6xjF74V/BrREHI7j91ddQ0zcY8=","transport":"tcp"},"process":{"thread":{},"parent":{},"pid":10000,"name":"MSBuild.exe","executable":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"},"source":{"address":"10.6.48.157","ip":"10.6.48.157","port":52178},"destination":{"address":"10.6.48.157","port":8000,"ip":"10.6.48.157"},"winlog":{"opcode":12},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":75305,"opcode":12,"event_type_full":"network_event","event_subtype_full":"ipv4_connection_attempt_event","timestamp":131762381493039760,"pid":10000,"process_path":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","process_name":"MSBuild.exe","unique_pid":99999,"user_name":"vagrant","user_domain":"vagrant","protocol":"tcp","destination_address":"10.6.48.157","destination_port":8000,"source_port":52178,"source_address":"10.6.48.157","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} diff --git a/x-pack/plugin/eql/src/test/resources/endgame.json b/x-pack/plugin/eql/src/test/resources/endgame.json new file mode 100644 index 0000000000000..4e1c6dfb64298 --- /dev/null +++ b/x-pack/plugin/eql/src/test/resources/endgame.json @@ -0,0 +1,2531 @@ +{ + "index_patterns": ["[index_pattern_placeholder]"], + "mappings": { + "doc": { + "_meta": { + "version": "1.4.0" + }, + "date_detection": false, + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "container": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "stack_trace": { + "doc_values": false, + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "integer" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "message": { + "norms": false, + "type": "text" + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "observer": { + "properties": { + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + }, + "settings": { + "index": { + "mapping": { + "ignore_malformed": true, + "total_fields": { + "limit": 10000 + } + }, + "number_of_replicas": 0, + "number_of_shards": 3 + } + } +} diff --git a/x-pack/plugin/eql/src/test/resources/test_queries.toml b/x-pack/plugin/eql/src/test/resources/test_queries.toml new file mode 100644 index 0000000000000..e2ee95c12e268 --- /dev/null +++ b/x-pack/plugin/eql/src/test/resources/test_queries.toml @@ -0,0 +1,1298 @@ +[[queries]] +query = 'process where serial_event_id = 1' +expected_event_ids = [1] + +[[queries]] +query = 'process where serial_event_id < 4' +expected_event_ids = [1, 2, 3] + +[[queries]] +query = 'process where true | head 6' +expected_event_ids = [1, 2, 3, 4, 5, 6] + +[[queries]] +query = 'process where false' +expected_event_ids = [] + +[[queries]] +expected_event_ids = [] +query = 'process where missing_field != null' + +[[queries]] +expected_event_ids = [1, 2, 3, 4, 5] +query = 'process where bad_field == null | head 5' + +[[queries]] +query = ''' + process where process_name == "impossible name" or (serial_event_id < 4.5 and serial_event_id >= 3.1) +''' +expected_event_ids = [4] + +[[queries]] +tags = ["comparisons", "pipes"] +query = ''' +process where serial_event_id <= 8 and serial_event_id > 7 +| filter serial_event_id == 8''' +expected_event_ids = [8] + +[[queries]] +query = ''' +process where true +| filter serial_event_id <= 10 +| filter serial_event_id > 6''' +expected_event_ids = [7, 8, 9, 10] + +[[queries]] +query = ''' +process where true +| filter serial_event_id <= 10 +| filter serial_event_id > 6 +| head 2''' +expected_event_ids = [7, 8] + +[[queries]] +query = ''' +process where true +| head 1000 +| filter serial_event_id <= 10 +| filter serial_event_id > 6 +| tail 2 +''' +expected_event_ids = [9, 10] + +[[queries]] +query = ''' +process where serial_event_id<=8 and serial_event_id > 7 +''' +expected_event_ids = [8] + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code >= 0' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where 0 <= exit_code' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code <= 0' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code < 1' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code > -1' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where -1 < exit_code' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [] +query = ''' +process where not (exit_code > -1) + and serial_event_id in (58, 64, 69, 74, 80, 85, 90, 93, 94) +| head 10 +''' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [1, 2, 3, 4, 5, 6, 7] +query = 'process where not (exit_code > -1) | head 7' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [1, 2, 3, 4, 5, 6, 7] +query = 'process where not (-1 < exit_code) | head 7' + +[[queries]] +query = 'process where exit_code > 0' +expected_event_ids = [] + +[[queries]] +query = 'process where exit_code < 0' +expected_event_ids = [] + +[[queries]] +query = 'process where 0 < exit_code' +expected_event_ids = [] + +[[queries]] +query = 'process where 0 > exit_code' +expected_event_ids = [] + +[[queries]] +query = 'process where (serial_event_id<=8 and serial_event_id > 7) and (opcode=3 and opcode>2)' +expected_event_ids = [8] + +[[queries]] +query = 'process where (serial_event_id<9 and serial_event_id >= 7) or (opcode == pid)' +expected_event_ids = [7, 8] + +[[queries]] +query = 'process where process_name == "VMACTHLP.exe" and unique_pid == 12 | filter true' +expected_event_ids = [12] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "SMSS.exe", "explorer.exe") +| unique process_name''' +expected_event_ids = [3, 34, 48] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "Explorer.exe") +| unique length(process_name)''' +expected_event_ids = [3, 34, 48] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "explorer.exe") +| unique length(process_name) == length("python.exe")''' +expected_event_ids = [3, 48] + +[[queries]] +query = ''' +process where process_name in ("Python.exe", "smss.exe", "explorer.exe") +| unique process_name != "python.exe"''' +expected_event_ids = [3, 48] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "explorer.exe") +| unique process_name +| head 2 +| tail 1''' +expected_event_ids = [34] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "explorer.exe") +| unique process_name +| tail 2 +| head 1''' +expected_event_ids = [34] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe") +| unique process_name parent_process_name''' +expected_event_ids = [3, 48, 50, 54, 78] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe") +| unique process_name, parent_process_name''' +expected_event_ids = [3, 48, 50, 54, 78] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe") +| head 5 +| unique process_name parent_process_name''' +expected_event_ids = [3, 48, 50, 54] + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where length(bytes_written_string_list) == 2 and bytes_written_string_list[1] == "EN"''' + +[[queries]] +query = ''' +registry where key_path == "*\\MACHINE\\SAM\\SAM\\*\\Account\\Us*ers\\00*03E9\\F"''' +expected_event_ids = [79] + +[[queries]] +query = ''' +process where process_path == "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3,4)''' +expected_event_ids = [84, 85] + +[[queries]] +query = ''' +file where file_name == "csrss.exe" and opcode=0 + and descendant of [process where opcode in (1,3) and process_name="cmd.exe"] +''' +expected_event_ids = [72] + +[[queries]] +query = ''' +process where opcode=1 and process_name == "csrss.exe" + and descendant of [file where file_name == "csrss.exe" and opcode=0] +''' +expected_event_ids = [73] + +[[queries]] +query = ''' +process where opcode=1 and process_name == "smss.exe" + and descendant of [ + file where file_name == "csrss.exe" and opcode=0 + and descendant of [ + process where opcode in(1,3) and process_name="cmd.exe" + ] + ] +''' +expected_event_ids = [78] + +[[queries]] +query = ''' +file where file_path="*\\red_ttp\\winin*.*" + and opcode in (0,1,2) and user_name="vagrant" +''' +expected_event_ids = [83, 86] + +[[queries]] +query = ''' +file where file_path="*\\red_ttp\\winin*.*" + and opcode not in (0,1,2) and user_name="vagrant" +''' +expected_event_ids = [] + +[[queries]] +query = ''' +file where file_path="*\\red_ttp\\winin*.*" + and opcode not in (3, 4, 5, 6 ,7) and user_name="vagrant" +''' +expected_event_ids = [83, 86] + + +[[queries]] +query = ''' +file where file_name in ("wininit.exe", "lsass.exe") and opcode == 2 +''' +expected_event_ids = [65, 86] + +[[queries]] +query = ''' +file where true +| tail 3''' +expected_event_ids = [92, 95, 96] + +[[queries]] +query = ''' +process where opcode in (1,3) and process_name in (parent_process_name, "SYSTEM") +''' +expected_event_ids = [2, 50, 51] + +[[queries]] +expected_event_ids = [92, 95, 96, 91] +query = ''' +file where true +| tail 4 +| sort file_path''' + +[[queries]] +expected_event_ids = [2, 1, 4, 3, 5] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full process_name''' + +[[queries]] +expected_event_ids = [2, 1, 4, 3, 5] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full null_field process_name''' + +[[queries]] +expected_event_ids = [2, 1, 4, 3, 5] +query = ''' +process where true +| head 5 +| sort md5, event_subtype_full, null_field, process_name''' + +[[queries]] +expected_event_ids = [2, 1] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full null_field process_name +| head 2''' + +[[queries]] +expected_event_ids = [1, 2, 3, 4, 5] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full null_field process_name +| sort serial_event_id''' + +[[queries]] +query = ''' +sequence + [process where serial_event_id = 1] + [process where serial_event_id = 2] +''' +expected_event_ids = [1, 2] + +[[queries]] +query = ''' +sequence + [process where serial_event_id < 5] + [process where serial_event_id = 5] +''' +expected_event_ids = [4, 5] + +[[queries]] +query = ''' +sequence + [process where serial_event_id=1] by unique_pid + [process where true] by unique_ppid''' +expected_event_ids = [1, 2] + +[[queries]] +query = ''' +sequence + [process where serial_event_id<3] by unique_pid + [process where true] by unique_ppid +''' +expected_event_ids = [1, 2, 2, 3] + +[[queries]] +query = ''' +sequence + [process where serial_event_id<3] by unique_pid * 2 + [process where true] by unique_ppid * 2 +''' +expected_event_ids = [1, 2, 2, 3] + + +[[queries]] +query = ''' +sequence + [process where serial_event_id<3] by unique_pid * 2, length(unique_pid), string(unique_pid) + [process where true] by unique_ppid * 2, length(unique_ppid), string(unique_ppid) +''' +expected_event_ids = [1, 2, 2, 3] + + +[[queries]] +query = ''' +sequence + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=1d + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=1h + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=1m + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=10s + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=0.5s + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [] + +[[queries]] +query = ''' +sequence + [process where serial_event_id < 5] + [process where serial_event_id < 5] +''' +expected_event_ids = [1, 2, 2, 3, 3, 4] + +[[queries]] +query = ''' +sequence + [file where opcode=0 and file_name="svchost.exe"] by unique_pid + [process where opcode == 1] by unique_ppid +''' +expected_event_ids = [55, 56] + +[[queries]] +query = ''' +sequence + [file where opcode=0] by unique_pid + [file where opcode=0] by unique_pid +| head 1''' +expected_event_ids = [55, 61] + +[[queries]] +query = ''' +sequence + [file where opcode=0] by unique_pid + [file where opcode=0] by unique_pid +| filter events[1].serial_event_id == 92''' +expected_event_ids = [87, 92] + +[[queries]] +query = ''' +sequence + [file where opcode=0 and file_name="*.exe"] by unique_pid + [file where opcode=0 and file_name="*.exe"] by unique_pid +until [process where opcode=5000] by unique_ppid +| head 1''' +expected_event_ids = [55, 61] + +[[queries]] +query = ''' +sequence + [file where opcode=0 and file_name="*.exe"] by unique_pid + [file where opcode=0 and file_name="*.exe"] by unique_pid +until [process where opcode=1] by unique_ppid +| head 1''' +expected_event_ids = [] + +[[queries]] +query = ''' +join + [file where opcode=0 and file_name="*.exe"] by unique_pid + [file where opcode=2 and file_name="*.exe"] by unique_pid +until [process where opcode=1] by unique_ppid +| head 1''' +expected_event_ids = [61, 59] + +[[queries]] +query = ''' +join by user_name + [process where opcode in (1,3) and process_name="smss.exe"] + [process where opcode in (1,3) and process_name == "python.exe"] +''' +expected_event_ids = [78, 48] + +[[queries]] +query = ''' +join by unique_pid + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"]''' +expected_event_ids = [54, 55, 61] + +[[queries]] +query = ''' +join by string(unique_pid) + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"]''' +expected_event_ids = [54, 55, 61] + +[[queries]] +query = ''' +join by unique_pid + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"] +until [file where opcode == 2]''' +expected_event_ids = [] + +[[queries]] +query = ''' +join by string(unique_pid), unique_pid, unique_pid * 2 + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"] +until [file where opcode == 2]''' +expected_event_ids = [] + +[[queries]] +query = ''' +join + [file where opcode=0 and file_name="svchost.exe"] by unique_pid + [process where opcode == 1] by unique_ppid +''' +expected_event_ids = [55, 56] + +[[queries]] +query = ''' +join by unique_pid + [process where opcode in (1,3) and process_name="python.exe"] + [file where file_name == "*.exe"]''' +expected_event_ids = [54, 55] + +[[queries]] +query = ''' +join by user_name + [process where opcode in (1,3) and process_name="python.exe"] + [process where opcode in (1,3) and process_name == "smss.exe"] +''' +expected_event_ids = [48, 78] + +[[queries]] +query = ''' +join + [process where opcode in (1,3) and process_name="python.exe"] + [process where opcode in (1,3) and process_name == "smss.exe"] +''' +expected_event_ids = [48, 3, 50, 78] + +[[queries]] +expected_event_ids = [] +query = ''' +process where fake_field == "*"''' + +[[queries]] +expected_event_ids = [1, 2, 3, 4] +query = ''' +process where fake_field != "*" +| head 4''' + +[[queries]] +expected_event_ids = [1, 2, 3, 4] +query = ''' +process where not (fake_field == "*") +| head 4''' + +[[queries]] +expected_event_ids = [] +query = ''' +registry where invalid_field_name != null''' + +[[queries]] +expected_event_ids = [] +query = ''' +registry where length(bad_field) > 0 +''' + +[[queries]] +query = ''' +process where opcode == 1 + and process_name in ("net.exe", "net1.exe") + and not (parent_process_name == "net.exe" + and process_name == "net1.exe") + and command_line == "*group *admin*" and command_line != "* /add*"''' +expected_event_ids = [97] + +[[queries]] +expected_event_ids = [1, 55, 57, 63, 75304] +query = ''' +any where true +| unique event_type_full''' + +[[queries]] +query = ''' +process where opcode=1 and process_name in ("services.exe", "smss.exe", "lsass.exe") + and descendant of [process where process_name == "cmd.exe" ]''' +expected_event_ids = [62, 68, 78] + +[[queries]] +query = ''' +process where process_name in ("services.exe", "smss.exe", "lsass.exe") + and descendant of [process where process_name == "cmd.exe" ]''' +expected_event_ids = [62, 64, 68, 69, 78, 80] + +[[queries]] +query = ''' +process where opcode=2 and process_name in ("services.exe", "smss.exe", "lsass.exe") + and descendant of [process where process_name == "cmd.exe" ]''' +expected_event_ids = [64, 69, 80] + +[[queries]] +query = ''' +process where process_name="svchost.exe" + and child of [file where file_name="svchost.exe" and opcode=0]''' +expected_event_ids = [56, 58] + +[[queries]] +query = ''' +process where process_name="svchost.exe" + and not child of [file where file_name="svchost.exe" and opcode=0] +| head 3''' +expected_event_ids = [11, 13, 15] + +[[queries]] +query = ''' +process where process_name="lsass.exe" + and child of [ + process where process_name="python.exe" + and child of [process where process_name="cmd.exe"] + ] +''' +expected_event_ids = [62, 64] + +[[queries]] +query = ''' +file where child of [ + process where child of [ + process where child of [process where process_name="*wsmprovhost.exe"] + ] +] +| tail 1''' +expected_event_ids = [91] + +[[queries]] +query = ''' +file where process_name = "python.exe" +| unique unique_pid''' +expected_event_ids = [55, 95] + +[[queries]] +query = ''' +file where event of [process where process_name = "python.exe" ] +| unique unique_pid''' +expected_event_ids = [55, 95] + +[[queries]] +query = ''' +process where process_name = "python.exe"''' +expected_event_ids = [48, 50, 51, 54, 93] + +[[queries]] +query = 'process where event of [process where process_name = "python.exe" ]' +expected_event_ids = [48, 50, 51, 54, 93] + +[[queries]] +query = ''' +sequence + [file where file_name="lsass.exe"] by file_path,process_path + [process where true] by process_path,parent_process_path +''' +expected_event_ids = [61, 62] + +[[queries]] +query = ''' +sequence by user_name + [file where file_name="lsass.exe"] by file_path, process_path + [process where true] by process_path, parent_process_path +''' +expected_event_ids = [61, 62] + +[[queries]] +query = ''' +sequence by pid + [file where file_name="lsass.exe"] by file_path,process_path + [process where true] by process_path,parent_process_path +''' +expected_event_ids = [] + +[[queries]] +query = ''' +sequence by user_name + [file where opcode=0] by file_path + [process where opcode=1] by process_path + [process where opcode=2] by process_path + [file where opcode=2] by file_path +| tail 1''' +expected_event_ids = [88, 89, 90, 91] + +[[queries]] +query = ''' +sequence by user_name + [file where opcode=0] by pid,file_path + [file where opcode=2] by pid,file_path +until [process where opcode=2] by ppid,process_path +''' +expected_event_ids = [] + +[[queries]] +query = ''' +sequence by user_name + [file where opcode=0] by pid,file_path + [file where opcode=2] by pid,file_path +until [process where opcode=5] by ppid,process_path +| head 2''' +expected_event_ids = [55, 59, 61, 65] + +[[queries]] +query = ''' +sequence by pid + [file where opcode=0] by file_path + [process where opcode=1] by process_path + [process where opcode=2] by process_path + [file where opcode=2] by file_path +| tail 1''' +expected_event_ids = [] + +[[queries]] +query = ''' +join by user_name + [file where true] by pid,file_path + [process where true] by ppid,process_path +| head 2''' +expected_event_ids = [55, 56, 59, 58] + +[[queries]] +query = ''' +sequence + [process where true] by unique_pid + [file where true] fork=true by unique_pid + [process where true] by unique_ppid +| head 4''' +expected_event_ids = [54, 55, 56, 54, 61, 62, 54, 67, 68, 54, 72, 73] + +[[queries]] +query = ''' +process where command_line == "*%*" ''' +expected_event_ids = [4, 6, 28] + +[[queries]] +query = ''' +process where command_line == "*%*%*" ''' +expected_event_ids = [4, 6, 28] + +[[queries]] +query = ''' +process where command_line == "%*%*" ''' +expected_event_ids = [4, 6, 28] + +[[queries]] +expected_event_ids = [11, 60, 63] +query = ''' +any where process_name == "svchost.exe" +| unique_count event_type_full process_name''' + +[[queries]] +expected_event_ids = [63, 60, 11] +query = ''' +any where process_name == "svchost.exe" +| sort event_type_full serial_event_id +| unique_count event_type_full process_name''' + +[[queries]] +expected_event_ids = [60] +query = ''' +any where process_name == "svchost.exe" +| unique_count event_type_full opcode +| filter count == 7''' + +[[queries]] +expected_event_ids = [11] +query = ''' +any where process_name == "svchost.exe" +| unique_count event_type_full opcode +| filter percent >= .5 +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayContains(bytes_written_string_list, 'En-uS')''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayContains(bytes_written_string_list, 'En')''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] == 'EN-us' +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where bytes_written_string_list[0] == 'EN-us' +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where bytes_written_string_list[1] == 'EN' +''' + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+localgroup\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+\w+\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+\w{4,15}\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +expected_event_ids = [98] +query = ''' +process where match(?'.*?net1\s+\w{4,15}\s+.*?', command_line) +''' + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+[localgrup]{4,15}\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +query = ''' +process where 'net.EXE' == original_file_name +| filter process_name="net*.exe" +''' +expected_event_ids = [97] +note = "check that case insensitive comparisons are performed even for lhs strings." + +[[queries]] +query = ''' +process where process_name == original_file_name +| filter process_name='net*.exe' +''' +expected_event_ids = [97, 98] +note = "check that case insensitive comparisons are performed for fields." + +[[queries]] +query = ''' +process where original_file_name == process_name +| filter length(original_file_name) > 0 +''' +expected_event_ids = [97, 98, 75273, 75303] +description = "check that case insensitive comparisons are performed for fields." + +[[queries]] +query = ''' +file where opcode=0 and startsWith(file_name, 'exploRER.') +''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and startsWith(file_name, 'expLORER.exe') +''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and endsWith(file_name, 'loREr.exe')''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and startsWith(file_name, 'explORER.EXE')''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and startsWith('explorer.exeaaaaaaaa', file_name)''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and serial_event_id = 88 and startsWith('explorer.exeaAAAA', 'EXPLORER.exe')''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and stringContains('ABCDEFGHIexplorer.exeJKLMNOP', file_name) +''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plore') == 2 and not indexOf(file_name, '.pf') +''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'explorer.') and indexOf(file_name, 'plore', 100) +''' +expected_event_ids = [] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 0) == 2''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 2)''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 4)''' +expected_event_ids = [] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'thing that never happened')''' +expected_event_ids = [] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 2) == 2''' +expected_event_ids = [88, 92] +description = "check substring ranges" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'explorer.', 0) == 0''' +expected_event_ids = [88, 92] +description = "check substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, 0, 4) == 'expl' +''' +expected_event_ids = [88] +description = "check substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, 1, 3) == 'xp' +''' +expected_event_ids = [88] +description = "chaeck substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, -4) == '.exe' +''' +expected_event_ids = [88] +description = "check substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, -4, -1) == '.ex' +''' +expected_event_ids = [88] +description = "check substring ranges" + +[[queries]] +query = ''' +process where add(serial_event_id, 0) == 1 and add(0, 1) == serial_event_id''' +expected_event_ids = [1] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where subtract(serial_event_id, -5) == 6''' +expected_event_ids = [1] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where multiply(6, serial_event_id) == 30 and divide(30, 4.0) == 7.5''' +expected_event_ids = [5] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where modulo(11, add(serial_event_id, 1)) == serial_event_id''' +expected_event_ids = [1, 2, 3, 5, 11] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where serial_event_id == number('5')''' +expected_event_ids = [5] +description = "test string/number conversions" + +[[queries]] +expected_event_ids = [50] +description = "test string/number conversions" +query = ''' +process where serial_event_id == number('0x32', 16)''' + +[[queries]] +expected_event_ids = [50] +description = "test string/number conversions" +query = ''' +process where serial_event_id == number('32', 16)''' + +[[queries]] +query = ''' +process where number(serial_event_id) == number(5)''' +expected_event_ids = [5] +description = "test string/number conversions" + +[[queries]] +query = ''' +process where concat(serial_event_id, ':', process_name, opcode) == '5:winINIT.exe3' +''' +expected_event_ids = [5] +description = "test string concatenation" + +[[queries]] +query = ''' +process where process_name != original_file_name +| filter length(original_file_name) > 0''' +expected_event_ids = [] +description = "check that case insensitive comparisons are performed for fields." + +[[queries]] +query = ''' +sequence by unique_pid [process where opcode=1 and process_name == 'msbuild.exe'] [network where true]''' +expected_event_ids = [75273, 75304] +description = "test that process sequences are working correctly" + +[[queries]] +expected_event_ids = [57] +description = "test arraySearch functionality for lists of strings, and lists of objects" +query = ''' +registry where arraySearch(bytes_written_string_list, a, a == 'en-us')''' + +[[queries]] +expected_event_ids = [57] +description = "test arraySearch functionality for lists of strings, and lists of objects" +query = ''' +registry where arraySearch(bytes_written_string_list, a, endsWith(a, '-us'))''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - true" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, s, true) +''' + +[[queries]] +expected_event_ids = [] +description = "test arraySearch - false" +query = ''' +network where mysterious_field and arraySearch(mysterious_field.subarray, s, false) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - conditional" +query = ''' +network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a == 's0-*') +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - conditional" +query = ''' +network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a != 's0-*') +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + arraySearch(sub1.c, nested, nested.x.y == '*')) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested with cross-check pass" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == 's0-c1-x-z')) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested with cross-check pass" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == sub1.cross_match)) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested with cross-check pass" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + arraySearch(sub1.c, nested, nested.x.y == mysterious_field.outer_cross_match)) +''' + +[[queries]] +expected_event_ids = [] +description = "test 'safe()' wrapper for exception handling" +query = ''' +network where safe(divide(process_name, process_name)) +''' + +[[queries]] +query = ''' +file where serial_event_id == 82 and (true == (process_name in ('svchost.EXE', 'bad.exe', 'bad2.exe'))) +''' +expected_event_ids = [82] +description = "nested set comparisons" + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayCount(bytes_written_string_list, s, s == '*-us') == 1 +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayCount(bytes_written_string_list, s, s == '*en*') == 2 +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayContains(bytes_written_string_list, "missing", "en-US") +''' + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id - 1 == 81" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id + 1 == 83" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id * 2 == 164" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id / 2 == 41" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id % 40 == 2" + +[[queries]] +expected_event_ids = [1, 2] +query = ''' +process where between(process_name, "s", "e") == "yst" +''' + +[[queries]] +expected_event_ids = [1, 2] +query = ''' +process where between(process_name, "s", "e", false) == "yst" +''' + +[[queries]] +expected_event_ids = [] +query = ''' +process where between(process_name, "s", "e", false, true) == "yst" +''' + +[[queries]] +expected_event_ids = [1, 2, 42] +query = ''' +process where between(process_name, "s", "e", false, true) == "t" +''' + +[[queries]] +expected_event_ids = [1, 2] +query = ''' +process where between(process_name, "S", "e", false, true) == "yst" +''' + +[[queries]] +expected_event_ids = [1] +query = ''' +process where between(process_name, "s", "e", true) == "ystem Idle Proc" +''' + +[[queries]] +expected_event_ids = [95] +query = ''' +file where between(file_path, "dev", ".json", false) == "\\testlogs\\something" +''' + +[[queries]] +expected_event_ids = [95] +query = ''' +file where between(file_path, "dev", ".json", true) == "\\testlogs\\something" +''' + +[[queries]] +expected_event_ids = [75304, 75305] +query = ''' +network where cidrMatch(source_address, "10.6.48.157/8") +''' + +[[queries]] +expected_event_ids = [] +query = ''' +network where cidrMatch(source_address, "192.168.0.0/16") +''' + +[[queries]] +expected_event_ids = [75304, 75305] +query = ''' +network where cidrMatch(source_address, "192.168.0.0/16", "10.6.48.157/8") + +''' +[[queries]] +expected_event_ids = [75304, 75305] +query = ''' +network where cidrMatch(source_address, "0.0.0.0/0") +''' + +[[queries]] +expected_event_ids = [7, 14, 22, 29, 44] +query = ''' +process where length(between(process_name, 'g', 'e')) > 0 +''' + +[[queries]] +expected_event_ids = [] +query = ''' +process where length(between(process_name, 'g', 'z')) > 0 +''' diff --git a/x-pack/plugin/eql/src/test/resources/test_queries_unsupported.toml b/x-pack/plugin/eql/src/test/resources/test_queries_unsupported.toml new file mode 100644 index 0000000000000..6a5071faae4a8 --- /dev/null +++ b/x-pack/plugin/eql/src/test/resources/test_queries_unsupported.toml @@ -0,0 +1,1300 @@ +# This file is populated with currently unsupported queries. +# Serves as a blacklist, until our implementation starts supporting a specific query +# This file is expected to become empty once the feature parity is reached with the +# official EQL implementation + +[[queries]] +query = 'process where serial_event_id < 4' +expected_event_ids = [1, 2, 3] + +[[queries]] +query = 'process where true | head 6' +expected_event_ids = [1, 2, 3, 4, 5, 6] + +[[queries]] +query = 'process where false' +expected_event_ids = [] + +[[queries]] +expected_event_ids = [] +query = 'process where missing_field != null' + +[[queries]] +expected_event_ids = [1, 2, 3, 4, 5] +query = 'process where bad_field == null | head 5' + +[[queries]] +query = ''' + process where process_name == "impossible name" or (serial_event_id < 4.5 and serial_event_id >= 3.1) +''' +expected_event_ids = [4] + +[[queries]] +tags = ["comparisons", "pipes"] +query = ''' +process where serial_event_id <= 8 and serial_event_id > 7 +| filter serial_event_id == 8''' +expected_event_ids = [8] + +[[queries]] +query = ''' +process where true +| filter serial_event_id <= 10 +| filter serial_event_id > 6''' +expected_event_ids = [7, 8, 9, 10] + +[[queries]] +query = ''' +process where true +| filter serial_event_id <= 10 +| filter serial_event_id > 6 +| head 2''' +expected_event_ids = [7, 8] + +[[queries]] +query = ''' +process where true +| head 1000 +| filter serial_event_id <= 10 +| filter serial_event_id > 6 +| tail 2 +''' +expected_event_ids = [9, 10] + +[[queries]] +query = ''' +process where serial_event_id<=8 and serial_event_id > 7 +''' +expected_event_ids = [8] + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code >= 0' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where 0 <= exit_code' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code <= 0' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code < 1' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code > -1' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where -1 < exit_code' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [] +query = ''' +process where not (exit_code > -1) + and serial_event_id in (58, 64, 69, 74, 80, 85, 90, 93, 94) +| head 10 +''' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [1, 2, 3, 4, 5, 6, 7] +query = 'process where not (exit_code > -1) | head 7' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [1, 2, 3, 4, 5, 6, 7] +query = 'process where not (-1 < exit_code) | head 7' + +[[queries]] +query = 'process where exit_code > 0' +expected_event_ids = [] + +[[queries]] +query = 'process where exit_code < 0' +expected_event_ids = [] + +[[queries]] +query = 'process where 0 < exit_code' +expected_event_ids = [] + +[[queries]] +query = 'process where 0 > exit_code' +expected_event_ids = [] + +[[queries]] +query = 'process where (serial_event_id<=8 and serial_event_id > 7) and (opcode=3 and opcode>2)' +expected_event_ids = [8] + +[[queries]] +query = 'process where (serial_event_id<9 and serial_event_id >= 7) or (opcode == pid)' +expected_event_ids = [7, 8] + +[[queries]] +query = 'process where process_name == "VMACTHLP.exe" and unique_pid == 12 | filter true' +expected_event_ids = [12] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "SMSS.exe", "explorer.exe") +| unique process_name''' +expected_event_ids = [3, 34, 48] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "Explorer.exe") +| unique length(process_name)''' +expected_event_ids = [3, 34, 48] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "explorer.exe") +| unique length(process_name) == length("python.exe")''' +expected_event_ids = [3, 48] + +[[queries]] +query = ''' +process where process_name in ("Python.exe", "smss.exe", "explorer.exe") +| unique process_name != "python.exe"''' +expected_event_ids = [3, 48] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "explorer.exe") +| unique process_name +| head 2 +| tail 1''' +expected_event_ids = [34] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "explorer.exe") +| unique process_name +| tail 2 +| head 1''' +expected_event_ids = [34] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe") +| unique process_name parent_process_name''' +expected_event_ids = [3, 48, 50, 54, 78] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe") +| unique process_name, parent_process_name''' +expected_event_ids = [3, 48, 50, 54, 78] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe") +| head 5 +| unique process_name parent_process_name''' +expected_event_ids = [3, 48, 50, 54] + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where length(bytes_written_string_list) == 2 and bytes_written_string_list[1] == "EN"''' + +[[queries]] +query = ''' +registry where key_path == "*\\MACHINE\\SAM\\SAM\\*\\Account\\Us*ers\\00*03E9\\F"''' +expected_event_ids = [79] + +[[queries]] +query = ''' +process where process_path == "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3,4)''' +expected_event_ids = [84, 85] + +[[queries]] +query = ''' +file where file_name == "csrss.exe" and opcode=0 + and descendant of [process where opcode in (1,3) and process_name="cmd.exe"] +''' +expected_event_ids = [72] + +[[queries]] +query = ''' +process where opcode=1 and process_name == "csrss.exe" + and descendant of [file where file_name == "csrss.exe" and opcode=0] +''' +expected_event_ids = [73] + +[[queries]] +query = ''' +process where opcode=1 and process_name == "smss.exe" + and descendant of [ + file where file_name == "csrss.exe" and opcode=0 + and descendant of [ + process where opcode in(1,3) and process_name="cmd.exe" + ] + ] +''' +expected_event_ids = [78] + +[[queries]] +query = ''' +file where file_path="*\\red_ttp\\winin*.*" + and opcode in (0,1,2) and user_name="vagrant" +''' +expected_event_ids = [83, 86] + +[[queries]] +query = ''' +file where file_path="*\\red_ttp\\winin*.*" + and opcode not in (0,1,2) and user_name="vagrant" +''' +expected_event_ids = [] + +[[queries]] +query = ''' +file where file_path="*\\red_ttp\\winin*.*" + and opcode not in (3, 4, 5, 6 ,7) and user_name="vagrant" +''' +expected_event_ids = [83, 86] + + +[[queries]] +query = ''' +file where file_name in ("wininit.exe", "lsass.exe") and opcode == 2 +''' +expected_event_ids = [65, 86] + +[[queries]] +query = ''' +file where true +| tail 3''' +expected_event_ids = [92, 95, 96] + +[[queries]] +query = ''' +process where opcode in (1,3) and process_name in (parent_process_name, "SYSTEM") +''' +expected_event_ids = [2, 50, 51] + +[[queries]] +expected_event_ids = [92, 95, 96, 91] +query = ''' +file where true +| tail 4 +| sort file_path''' + +[[queries]] +expected_event_ids = [2, 1, 4, 3, 5] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full process_name''' + +[[queries]] +expected_event_ids = [2, 1, 4, 3, 5] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full null_field process_name''' + +[[queries]] +expected_event_ids = [2, 1, 4, 3, 5] +query = ''' +process where true +| head 5 +| sort md5, event_subtype_full, null_field, process_name''' + +[[queries]] +expected_event_ids = [2, 1] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full null_field process_name +| head 2''' + +[[queries]] +expected_event_ids = [1, 2, 3, 4, 5] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full null_field process_name +| sort serial_event_id''' + +[[queries]] +query = ''' +sequence + [process where serial_event_id = 1] + [process where serial_event_id = 2] +''' +expected_event_ids = [1, 2] + +[[queries]] +query = ''' +sequence + [process where serial_event_id < 5] + [process where serial_event_id = 5] +''' +expected_event_ids = [4, 5] + +[[queries]] +query = ''' +sequence + [process where serial_event_id=1] by unique_pid + [process where true] by unique_ppid''' +expected_event_ids = [1, 2] + +[[queries]] +query = ''' +sequence + [process where serial_event_id<3] by unique_pid + [process where true] by unique_ppid +''' +expected_event_ids = [1, 2, 2, 3] + +[[queries]] +query = ''' +sequence + [process where serial_event_id<3] by unique_pid * 2 + [process where true] by unique_ppid * 2 +''' +expected_event_ids = [1, 2, 2, 3] + + +[[queries]] +query = ''' +sequence + [process where serial_event_id<3] by unique_pid * 2, length(unique_pid), string(unique_pid) + [process where true] by unique_ppid * 2, length(unique_ppid), string(unique_ppid) +''' +expected_event_ids = [1, 2, 2, 3] + + +[[queries]] +query = ''' +sequence + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=1d + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=1h + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=1m + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=10s + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=0.5s + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [] + +[[queries]] +query = ''' +sequence + [process where serial_event_id < 5] + [process where serial_event_id < 5] +''' +expected_event_ids = [1, 2, 2, 3, 3, 4] + +[[queries]] +query = ''' +sequence + [file where opcode=0 and file_name="svchost.exe"] by unique_pid + [process where opcode == 1] by unique_ppid +''' +expected_event_ids = [55, 56] + +[[queries]] +query = ''' +sequence + [file where opcode=0] by unique_pid + [file where opcode=0] by unique_pid +| head 1''' +expected_event_ids = [55, 61] + +[[queries]] +query = ''' +sequence + [file where opcode=0] by unique_pid + [file where opcode=0] by unique_pid +| filter events[1].serial_event_id == 92''' +expected_event_ids = [87, 92] + +[[queries]] +query = ''' +sequence + [file where opcode=0 and file_name="*.exe"] by unique_pid + [file where opcode=0 and file_name="*.exe"] by unique_pid +until [process where opcode=5000] by unique_ppid +| head 1''' +expected_event_ids = [55, 61] + +[[queries]] +query = ''' +sequence + [file where opcode=0 and file_name="*.exe"] by unique_pid + [file where opcode=0 and file_name="*.exe"] by unique_pid +until [process where opcode=1] by unique_ppid +| head 1''' +expected_event_ids = [] + +[[queries]] +query = ''' +join + [file where opcode=0 and file_name="*.exe"] by unique_pid + [file where opcode=2 and file_name="*.exe"] by unique_pid +until [process where opcode=1] by unique_ppid +| head 1''' +expected_event_ids = [61, 59] + +[[queries]] +query = ''' +join by user_name + [process where opcode in (1,3) and process_name="smss.exe"] + [process where opcode in (1,3) and process_name == "python.exe"] +''' +expected_event_ids = [78, 48] + +[[queries]] +query = ''' +join by unique_pid + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"]''' +expected_event_ids = [54, 55, 61] + +[[queries]] +query = ''' +join by string(unique_pid) + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"]''' +expected_event_ids = [54, 55, 61] + +[[queries]] +query = ''' +join by unique_pid + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"] +until [file where opcode == 2]''' +expected_event_ids = [] + +[[queries]] +query = ''' +join by string(unique_pid), unique_pid, unique_pid * 2 + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"] +until [file where opcode == 2]''' +expected_event_ids = [] + +[[queries]] +query = ''' +join + [file where opcode=0 and file_name="svchost.exe"] by unique_pid + [process where opcode == 1] by unique_ppid +''' +expected_event_ids = [55, 56] + +[[queries]] +query = ''' +join by unique_pid + [process where opcode in (1,3) and process_name="python.exe"] + [file where file_name == "*.exe"]''' +expected_event_ids = [54, 55] + +[[queries]] +query = ''' +join by user_name + [process where opcode in (1,3) and process_name="python.exe"] + [process where opcode in (1,3) and process_name == "smss.exe"] +''' +expected_event_ids = [48, 78] + +[[queries]] +query = ''' +join + [process where opcode in (1,3) and process_name="python.exe"] + [process where opcode in (1,3) and process_name == "smss.exe"] +''' +expected_event_ids = [48, 3, 50, 78] + +[[queries]] +expected_event_ids = [] +query = ''' +process where fake_field == "*"''' + +[[queries]] +expected_event_ids = [1, 2, 3, 4] +query = ''' +process where fake_field != "*" +| head 4''' + +[[queries]] +expected_event_ids = [1, 2, 3, 4] +query = ''' +process where not (fake_field == "*") +| head 4''' + +[[queries]] +expected_event_ids = [] +query = ''' +registry where invalid_field_name != null''' + +[[queries]] +expected_event_ids = [] +query = ''' +registry where length(bad_field) > 0 +''' + +[[queries]] +query = ''' +process where opcode == 1 + and process_name in ("net.exe", "net1.exe") + and not (parent_process_name == "net.exe" + and process_name == "net1.exe") + and command_line == "*group *admin*" and command_line != "* /add*"''' +expected_event_ids = [97] + +[[queries]] +expected_event_ids = [1, 55, 57, 63, 75304] +query = ''' +any where true +| unique event_type_full''' + +[[queries]] +query = ''' +process where opcode=1 and process_name in ("services.exe", "smss.exe", "lsass.exe") + and descendant of [process where process_name == "cmd.exe" ]''' +expected_event_ids = [62, 68, 78] + +[[queries]] +query = ''' +process where process_name in ("services.exe", "smss.exe", "lsass.exe") + and descendant of [process where process_name == "cmd.exe" ]''' +expected_event_ids = [62, 64, 68, 69, 78, 80] + +[[queries]] +query = ''' +process where opcode=2 and process_name in ("services.exe", "smss.exe", "lsass.exe") + and descendant of [process where process_name == "cmd.exe" ]''' +expected_event_ids = [64, 69, 80] + +[[queries]] +query = ''' +process where process_name="svchost.exe" + and child of [file where file_name="svchost.exe" and opcode=0]''' +expected_event_ids = [56, 58] + +[[queries]] +query = ''' +process where process_name="svchost.exe" + and not child of [file where file_name="svchost.exe" and opcode=0] +| head 3''' +expected_event_ids = [11, 13, 15] + +[[queries]] +query = ''' +process where process_name="lsass.exe" + and child of [ + process where process_name="python.exe" + and child of [process where process_name="cmd.exe"] + ] +''' +expected_event_ids = [62, 64] + +[[queries]] +query = ''' +file where child of [ + process where child of [ + process where child of [process where process_name="*wsmprovhost.exe"] + ] +] +| tail 1''' +expected_event_ids = [91] + +[[queries]] +query = ''' +file where process_name = "python.exe" +| unique unique_pid''' +expected_event_ids = [55, 95] + +[[queries]] +query = ''' +file where event of [process where process_name = "python.exe" ] +| unique unique_pid''' +expected_event_ids = [55, 95] + +[[queries]] +query = ''' +process where process_name = "python.exe"''' +expected_event_ids = [48, 50, 51, 54, 93] + +[[queries]] +query = 'process where event of [process where process_name = "python.exe" ]' +expected_event_ids = [48, 50, 51, 54, 93] + +[[queries]] +query = ''' +sequence + [file where file_name="lsass.exe"] by file_path,process_path + [process where true] by process_path,parent_process_path +''' +expected_event_ids = [61, 62] + +[[queries]] +query = ''' +sequence by user_name + [file where file_name="lsass.exe"] by file_path, process_path + [process where true] by process_path, parent_process_path +''' +expected_event_ids = [61, 62] + +[[queries]] +query = ''' +sequence by pid + [file where file_name="lsass.exe"] by file_path,process_path + [process where true] by process_path,parent_process_path +''' +expected_event_ids = [] + +[[queries]] +query = ''' +sequence by user_name + [file where opcode=0] by file_path + [process where opcode=1] by process_path + [process where opcode=2] by process_path + [file where opcode=2] by file_path +| tail 1''' +expected_event_ids = [88, 89, 90, 91] + +[[queries]] +query = ''' +sequence by user_name + [file where opcode=0] by pid,file_path + [file where opcode=2] by pid,file_path +until [process where opcode=2] by ppid,process_path +''' +expected_event_ids = [] + +[[queries]] +query = ''' +sequence by user_name + [file where opcode=0] by pid,file_path + [file where opcode=2] by pid,file_path +until [process where opcode=5] by ppid,process_path +| head 2''' +expected_event_ids = [55, 59, 61, 65] + +[[queries]] +query = ''' +sequence by pid + [file where opcode=0] by file_path + [process where opcode=1] by process_path + [process where opcode=2] by process_path + [file where opcode=2] by file_path +| tail 1''' +expected_event_ids = [] + +[[queries]] +query = ''' +join by user_name + [file where true] by pid,file_path + [process where true] by ppid,process_path +| head 2''' +expected_event_ids = [55, 56, 59, 58] + +[[queries]] +query = ''' +sequence + [process where true] by unique_pid + [file where true] fork=true by unique_pid + [process where true] by unique_ppid +| head 4''' +expected_event_ids = [54, 55, 56, 54, 61, 62, 54, 67, 68, 54, 72, 73] + +[[queries]] +query = ''' +process where command_line == "*%*" ''' +expected_event_ids = [4, 6, 28] + +[[queries]] +query = ''' +process where command_line == "*%*%*" ''' +expected_event_ids = [4, 6, 28] + +[[queries]] +query = ''' +process where command_line == "%*%*" ''' +expected_event_ids = [4, 6, 28] + +[[queries]] +expected_event_ids = [11, 60, 63] +query = ''' +any where process_name == "svchost.exe" +| unique_count event_type_full process_name''' + +[[queries]] +expected_event_ids = [63, 60, 11] +query = ''' +any where process_name == "svchost.exe" +| sort event_type_full serial_event_id +| unique_count event_type_full process_name''' + +[[queries]] +expected_event_ids = [60] +query = ''' +any where process_name == "svchost.exe" +| unique_count event_type_full opcode +| filter count == 7''' + +[[queries]] +expected_event_ids = [11] +query = ''' +any where process_name == "svchost.exe" +| unique_count event_type_full opcode +| filter percent >= .5 +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayContains(bytes_written_string_list, 'En-uS')''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayContains(bytes_written_string_list, 'En')''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] == 'EN-us' +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where bytes_written_string_list[0] == 'EN-us' +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where bytes_written_string_list[1] == 'EN' +''' + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+localgroup\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+\w+\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+\w{4,15}\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +expected_event_ids = [98] +query = ''' +process where match(?'.*?net1\s+\w{4,15}\s+.*?', command_line) +''' + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+[localgrup]{4,15}\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +query = ''' +process where 'net.EXE' == original_file_name +| filter process_name="net*.exe" +''' +expected_event_ids = [97] +note = "check that case insensitive comparisons are performed even for lhs strings." + +[[queries]] +query = ''' +process where process_name == original_file_name +| filter process_name='net*.exe' +''' +expected_event_ids = [97, 98] +note = "check that case insensitive comparisons are performed for fields." + +[[queries]] +query = ''' +process where original_file_name == process_name +| filter length(original_file_name) > 0 +''' +expected_event_ids = [97, 98, 75273, 75303] +description = "check that case insensitive comparisons are performed for fields." + +[[queries]] +query = ''' +file where opcode=0 and startsWith(file_name, 'exploRER.') +''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and startsWith(file_name, 'expLORER.exe') +''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and endsWith(file_name, 'loREr.exe')''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and startsWith(file_name, 'explORER.EXE')''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and startsWith('explorer.exeaaaaaaaa', file_name)''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and serial_event_id = 88 and startsWith('explorer.exeaAAAA', 'EXPLORER.exe')''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and stringContains('ABCDEFGHIexplorer.exeJKLMNOP', file_name) +''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plore') == 2 and not indexOf(file_name, '.pf') +''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'explorer.') and indexOf(file_name, 'plore', 100) +''' +expected_event_ids = [] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 0) == 2''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 2)''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 4)''' +expected_event_ids = [] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'thing that never happened')''' +expected_event_ids = [] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 2) == 2''' +expected_event_ids = [88, 92] +description = "check substring ranges" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'explorer.', 0) == 0''' +expected_event_ids = [88, 92] +description = "check substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, 0, 4) == 'expl' +''' +expected_event_ids = [88] +description = "check substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, 1, 3) == 'xp' +''' +expected_event_ids = [88] +description = "chaeck substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, -4) == '.exe' +''' +expected_event_ids = [88] +description = "check substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, -4, -1) == '.ex' +''' +expected_event_ids = [88] +description = "check substring ranges" + +[[queries]] +query = ''' +process where add(serial_event_id, 0) == 1 and add(0, 1) == serial_event_id''' +expected_event_ids = [1] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where subtract(serial_event_id, -5) == 6''' +expected_event_ids = [1] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where multiply(6, serial_event_id) == 30 and divide(30, 4.0) == 7.5''' +expected_event_ids = [5] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where modulo(11, add(serial_event_id, 1)) == serial_event_id''' +expected_event_ids = [1, 2, 3, 5, 11] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where serial_event_id == number('5')''' +expected_event_ids = [5] +description = "test string/number conversions" + +[[queries]] +expected_event_ids = [50] +description = "test string/number conversions" +query = ''' +process where serial_event_id == number('0x32', 16)''' + +[[queries]] +expected_event_ids = [50] +description = "test string/number conversions" +query = ''' +process where serial_event_id == number('32', 16)''' + +[[queries]] +query = ''' +process where number(serial_event_id) == number(5)''' +expected_event_ids = [5] +description = "test string/number conversions" + +[[queries]] +query = ''' +process where concat(serial_event_id, ':', process_name, opcode) == '5:winINIT.exe3' +''' +expected_event_ids = [5] +description = "test string concatenation" + +[[queries]] +query = ''' +process where process_name != original_file_name +| filter length(original_file_name) > 0''' +expected_event_ids = [] +description = "check that case insensitive comparisons are performed for fields." + +[[queries]] +query = ''' +sequence by unique_pid [process where opcode=1 and process_name == 'msbuild.exe'] [network where true]''' +expected_event_ids = [75273, 75304] +description = "test that process sequences are working correctly" + +[[queries]] +expected_event_ids = [57] +description = "test arraySearch functionality for lists of strings, and lists of objects" +query = ''' +registry where arraySearch(bytes_written_string_list, a, a == 'en-us')''' + +[[queries]] +expected_event_ids = [57] +description = "test arraySearch functionality for lists of strings, and lists of objects" +query = ''' +registry where arraySearch(bytes_written_string_list, a, endsWith(a, '-us'))''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - true" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, s, true) +''' + +[[queries]] +expected_event_ids = [] +description = "test arraySearch - false" +query = ''' +network where mysterious_field and arraySearch(mysterious_field.subarray, s, false) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - conditional" +query = ''' +network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a == 's0-*') +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - conditional" +query = ''' +network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a != 's0-*') +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + arraySearch(sub1.c, nested, nested.x.y == '*')) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested with cross-check pass" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == 's0-c1-x-z')) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested with cross-check pass" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == sub1.cross_match)) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested with cross-check pass" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + arraySearch(sub1.c, nested, nested.x.y == mysterious_field.outer_cross_match)) +''' + +[[queries]] +expected_event_ids = [] +description = "test 'safe()' wrapper for exception handling" +query = ''' +network where safe(divide(process_name, process_name)) +''' + +[[queries]] +query = ''' +file where serial_event_id == 82 and (true == (process_name in ('svchost.EXE', 'bad.exe', 'bad2.exe'))) +''' +expected_event_ids = [82] +description = "nested set comparisons" + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayCount(bytes_written_string_list, s, s == '*-us') == 1 +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayCount(bytes_written_string_list, s, s == '*en*') == 2 +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayContains(bytes_written_string_list, "missing", "en-US") +''' + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id - 1 == 81" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id + 1 == 83" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id * 2 == 164" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id / 2 == 41" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id % 40 == 2" + +[[queries]] +expected_event_ids = [1, 2] +query = ''' +process where between(process_name, "s", "e") == "yst" +''' + +[[queries]] +expected_event_ids = [1, 2] +query = ''' +process where between(process_name, "s", "e", false) == "yst" +''' + +[[queries]] +expected_event_ids = [] +query = ''' +process where between(process_name, "s", "e", false, true) == "yst" +''' + +[[queries]] +expected_event_ids = [1, 2, 42] +query = ''' +process where between(process_name, "s", "e", false, true) == "t" +''' + +[[queries]] +expected_event_ids = [1, 2] +query = ''' +process where between(process_name, "S", "e", false, true) == "yst" +''' + +[[queries]] +expected_event_ids = [1] +query = ''' +process where between(process_name, "s", "e", true) == "ystem Idle Proc" +''' + +[[queries]] +expected_event_ids = [95] +query = ''' +file where between(file_path, "dev", ".json", false) == "\\testlogs\\something" +''' + +[[queries]] +expected_event_ids = [95] +query = ''' +file where between(file_path, "dev", ".json", true) == "\\testlogs\\something" +''' + +[[queries]] +expected_event_ids = [75304, 75305] +query = ''' +network where cidrMatch(source_address, "10.6.48.157/8") +''' + +[[queries]] +expected_event_ids = [] +query = ''' +network where cidrMatch(source_address, "192.168.0.0/16") +''' + +[[queries]] +expected_event_ids = [75304, 75305] +query = ''' +network where cidrMatch(source_address, "192.168.0.0/16", "10.6.48.157/8") + +''' +[[queries]] +expected_event_ids = [75304, 75305] +query = ''' +network where cidrMatch(source_address, "0.0.0.0/0") +''' + +[[queries]] +expected_event_ids = [7, 14, 22, 29, 44] +query = ''' +process where length(between(process_name, 'g', 'e')) > 0 +''' + +[[queries]] +expected_event_ids = [] +query = ''' +process where length(between(process_name, 'g', 'z')) > 0 +''' + diff --git a/x-pack/plugin/sql/build.gradle b/x-pack/plugin/sql/build.gradle index e93099ec4b7a4..720bcbda168ee 100644 --- a/x-pack/plugin/sql/build.gradle +++ b/x-pack/plugin/sql/build.gradle @@ -26,6 +26,10 @@ configurations { archivesBaseName = 'x-pack-sql' +test { + testLogging.showStandardStreams = true +} + // All integration tests live in qa modules integTest.enabled = false